The HSS user profile management function allows the HSS to update the HSS user profile stored in the MME. Whenever the HSS user profile is changed for a user in the HSS, and the changes affect the HSS user profile stored in the MME, the MME shall be informed about these changes by means of the following procedure:
- Insert Subscriber Data procedure, used to add or modify the HSS user profile in the MME.
The MME updates the stored Subscription Data and acknowledges the Insert Subscriber Data message by returning an Insert Subscriber Data Ack (IMSI) message to the HSS. The update result should be contained in the Ack message.
The MME initiates appropriate action according to the changed subscriber data (e.g. the MME initiates detach if the UE is not allowed to roam in this network). For received PDN subscription contexts that have no related active PDN connection in the MME, no further action is required except storage in the MME. Otherwise, if the subscribed QoS Profile has been modified and the UE is in ECM-CONNECTED state, or is in ECM-IDLE state with ISR not activated but reachable by the MME, the HSS Initiated Subscribed QoS Modification procedure, as described in Figure 184.108.40.206-1, is invoked from step 2a. When ISR is not activated and the UE is in ECM-IDLE state and is not reachable by the MME, e.g. when the UE is suspended, when the UE has entered power saving mode or when the PPF is cleared in the MME, the HSS Initiated Subscribed QoS Modification procedure, as described in Figure 220.127.116.11-1, is invoked from step 2a at the next ECM-IDLE to ECM-CONNECTED transition. If the UE is in ECM-IDLE state and ISR is activated, this procedure is invoked at the next ECM-IDLE to ECM-CONNECTED transition. If the UE is in ECM-IDLE state, ISR is not activated and the subscription change no longer allows the PDN connection, the MME initiated PDN disconnection procedure in clause 5.10.3 is used to delete the concerned PDN connection. If the MME receives a RAT-specific Subscribed Paging Time Window that differs from the one stored in the MME MM context, the MME updates the RAT-specific Subscribed Paging Time Window parameter in the MME MM context to the value received from the HSS.
If the UE is in ECM-CONNECTED state and connected via a CSG or hybrid cell, the MME shall check the received CSG subscription data. If the MME detects that the CSG membership to that cell has changed or expired, the MME initiates the procedure in clause 5.16.
If the MME received a changed Service Gap Time parameter in the updated subscription data, the MME shall provide the new Service Gap Time value to the UE in the next Tracking Area Update Accept message, or, if the UE does not send any Tracking Area Update Request within a certain time period that shall be longer than any PSM or eDRX interval used by the UE, the MME may initiate a detach with reattach required of the UE or an RRC connection release with release cause load balancing TAU required of the UE.
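The per-PDN decision the MME makes on an Insert Subscriber Data, written out as an added example (not code from the specification). The action names, the dataclass fields and the ordering that checks a no-longer-allowed PDN before the QoS branch are assumptions; the state conditions follow the text above.

```python
from dataclasses import dataclass

ECM_CONNECTED = "ECM-CONNECTED"
ECM_IDLE = "ECM-IDLE"

@dataclass
class PdnSubscription:
    apn: str
    active: bool          # an active PDN connection exists in the MME
    qos_modified: bool    # the ISD changed the subscribed QoS profile
    still_allowed: bool   # the subscription still permits this PDN connection

@dataclass
class UeMmContext:
    ecm_state: str
    isr_activated: bool
    reachable: bool       # False when suspended, in PSM, or when the PPF is cleared

def isd_pdn_action(ue: UeMmContext, pdn: PdnSubscription) -> str:
    """Action the MME takes for one received PDN subscription context."""
    if not pdn.active:
        return "store-only"                       # no related active PDN connection
    idle = ue.ecm_state == ECM_IDLE
    if idle and not ue.isr_activated and not pdn.still_allowed:
        return "mme-initiated-pdn-disconnection"  # clause 5.10.3 (assumed to take precedence)
    if not pdn.qos_modified:
        return "store-only"
    if not idle:
        return "qos-modification-now"             # ECM-CONNECTED: invoke from step 2a
    if ue.isr_activated or not ue.reachable:
        return "qos-modification-at-next-ecm-connected"
    return "qos-modification-now"                 # ECM-IDLE, ISR not activated, reachable

def handle_insert_subscriber_data(ue, pdns, stored_ptw, received_ptw):
    """Apply one ISD: per-PDN actions plus the RAT-specific Subscribed Paging Time Window update."""
    actions = {pdn.apn: isd_pdn_action(ue, pdn) for pdn in pdns}
    # Only overwrite the stored value when the HSS sent one and it differs
    new_ptw = received_ptw if received_ptw is not None and received_ptw != stored_ptw else stored_ptw
    return actions, new_ptw
```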
The Purge function allows an MME to inform the HSS that it has deleted the subscription data and MM context of a detached UE. The MME may, as an implementation option, delete the subscription data and MM context of a UE immediately after the implicit or explicit detach of the UE. Alternatively, the MME may keep the subscription data and the MM context of the detached UE for some time, so that the data can be reused at a later attach without accessing the HSS.
The security functions include:
- Guards against unauthorised EPS service usage (authentication of the UE by the network and service request validation).
- Provision of user identity confidentiality (temporary identification and ciphering).
- Provision of user data and signalling confidentiality (ciphering).
- Provision of origin authentication of signalling and user data (integrity protection).
- Authentication of the network by the UE.
Security-related network functions for EPS are described in TS 33.401.
The aspects of user plane data integrity protection that involve interactions with the 5G Core are specified in TS 23.501 and TS 23.502.
There are two different levels of security association between the UE and the network:
- RRC and UP security association is between the UE and E-UTRAN. The RRC security association protects the RRC signalling between the UE and E-UTRAN (integrity protection and ciphering). The UP security association is between the UE and E-UTRAN and can provide user plane encryption and integrity protection.
- NAS security association is between the UE and the MME. It provides integrity protection and encryption of NAS signalling and, when the Control Plane CIoT EPS Optimisation is used, of user data.
Some earlier releases of the EPS specifications do not support User Plane Integrity Protection in EPS (EPS-UPIP). Hence UEs that support EPS-UPIP indicate this capability in the security algorithm octets of the UE Network Capability IE as defined in TS 24.301 and use it as described in TS 33.401; and the MME copies this capability into S1-AP signalling sent to the E-UTRAN. The E-UTRAN can be locally configured with a policy (to be used when no explicit EPS UPIP policy is received from the MME), e.g. that the use of EPS-UPIP is "Preferred" for UE(s) that support User Plane Integrity Protection in EPS.
For EPC networks with no 5GC interworking, E-UTRAN can have a preconfigured policy for "preferred" User Plane Integrity Protection that can be used if the MME does not provide a security policy for the bearers of a UE and if the E-UTRAN has received an indication that the UE supports User Plane Integrity Protection. This preconfigured policy applies to any bearer of any UE unless the MME provides a User Plane Integrity Protection security policy to the E-UTRAN, in which case the MME policy overwrites the preconfigured E-UTRAN policy.
Differentiated user plane integrity protection beyond the preconfigured policy is only supported for PDN connections served by an SMF+PGW-C: to support PDN connections that "Require" the use of EPS-UPIP, the MME shall select an SMF+PGW-C.
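The precedence rules for EPS-UPIP policy described above, as an added example and not code from the specification: the MME-side PGW selection for a PDN that requires EPS-UPIP, and the E-UTRAN-side resolution where an MME-provided policy overrides the preconfigured one, which in turn applies only to UEs that indicated EPS-UPIP support. The policy value strings, the "Not needed" default and the function names are assumptions.

```python
# Policy values follow the page's wording; "Not needed" is an assumed default value.
REQUIRED, PREFERRED, NOT_NEEDED = "Required", "Preferred", "Not needed"

def select_pgw_for_pdn(subscribed_upip_policy):
    """MME side: a PDN connection that requires EPS-UPIP must be served by an SMF+PGW-C.

    For any other policy the MME is free to select either a legacy PGW or an
    SMF+PGW-C, since only the preconfigured E-UTRAN policy can apply there.
    """
    if subscribed_upip_policy == REQUIRED:
        return "SMF+PGW-C"
    return "PGW or SMF+PGW-C"

def enb_upip_policy(ue_supports_upip, mme_policy, preconfigured_policy):
    """E-UTRAN side: resolve the UP integrity policy applied to one UE's bearers.

    mme_policy is None when the MME provided no policy for this UE's bearers
    (e.g. no 5GC interworking, PDN served by a legacy PGW). ue_supports_upip is
    the capability the MME copied from the UE Network Capability IE into S1-AP.
    Returns (policy, source) so a trace shows where the decision came from.
    """
    if mme_policy is not None:
        return mme_policy, "mme"               # MME policy overwrites the preconfigured one
    if ue_supports_upip and preconfigured_policy is not None:
        return preconfigured_policy, "enb-preconfigured"
    return NOT_NEEDED, "default"               # legacy UE or no policy configured at all

def bearer_upip_setup(ue_supports_upip, subscribed_policy, mme_provides_policy, enb_preconfigured):
    """Whole flow for one PDN connection: PGW selection, then the policy the E-UTRAN applies."""
    pgw = select_pgw_for_pdn(subscribed_policy)
    mme_policy = subscribed_policy if mme_provides_policy else None
    policy, source = enb_upip_policy(ue_supports_upip, mme_policy, enb_preconfigured)
    return {"pgw": pgw, "policy": policy, "source": source}
```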
The MME triggers the RRC level AS security mode command procedure by sending the needed security parameters to the eNodeB. This enables ciphering of the UP traffic and ciphering and integrity protection of the RRC signalling as described in TS 33.401.
The MME uses the NAS Security Mode Command (SMC) procedure to establish a NAS security association between the UE and MME, in order to protect the further NAS signalling messages. This procedure is also used to make changes in the security association, e.g. to change the security algorithm.
The MME sends NAS Security Mode Command (Selected NAS algorithms, eKSI, ME Identity request, UE Security Capability) message to the UE. ME identity request may be included when NAS SMC is combined with ME Identity retrieval (see clause 18.104.22.168).
The Mobile Equipment Identity Check Procedure permits the operator(s) of the MME and/or the HSS and/or the PDN GW to check the Mobile Equipment's identity (e.g. to check that it has not been stolen, or, to verify that it does not have faults).
The ME Identity can be checked by the MME passing it to an Equipment Identity Register (EIR) and then the MME analysing the response from the EIR in order to determine its subsequent actions (e.g. sending an Attach Reject if the EIR indicates that the Mobile Equipment is prohibited).
The ME identity check procedure is illustrated in Figure 22.214.171.124-1.
If a service-related entity requests the HSS to provide an indication regarding UE reachability on EPS, the HSS stores the service-related entity and sets the URRP-MME parameter to indicate that such request is received. If the value of URRP-MME parameter has changed from "not set" to "set", the HSS sends a UE-REACHABILITY-NOTIFICATION-REQUEST (URRP-MME) to the MME. If the MME has an MM context for that user, the MME sets URRP-MME to indicate the need to report to the HSS information regarding changes in UE reachability, e.g. when the next NAS activity with that UE is detected.
If the MME contains an MM context of the UE and if URRP-MME for that UE is configured to report once that the UE is reachable, the MME shall send a UE-Activity-Notification (IMSI, UE-Reachable) message to the HSS and clear the corresponding URRP-MME for that UE.
When the HSS receives the UE-Activity-Notification (IMSI, UE-Reachable) message or the Update Location message for a UE that has URRP-MME set, it triggers appropriate notifications to the entities that have subscribed to the HSS for this notification and clears the URRP-MME for that UE.
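The URRP-MME exchange between HSS and MME, modelled as an added example (not code from the specification). The class and method names, the in-memory dictionaries and the constructed test-range IMSI are assumptions; the state transitions (HSS notifies the MME only on a "not set" to "set" change, the MME only flags a UE it holds an MM context for, and both sides clear the flag after one report) follow the text above.

```python
class Hss:
    def __init__(self, mme):
        self.mme = mme
        self.urrp_mme = {}        # IMSI -> bool ("set" / "not set")
        self.subscribers = {}     # IMSI -> set of service-related entities
        self.delivered = []       # (entity, IMSI) notifications handed out, for inspection

    def request_reachability(self, imsi, entity):
        """A service-related entity asks to be told when the UE is reachable on EPS."""
        self.subscribers.setdefault(imsi, set()).add(entity)
        if not self.urrp_mme.get(imsi, False):
            self.urrp_mme[imsi] = True            # "not set" -> "set": tell the MME once
            self.mme.ue_reachability_notification_request(imsi)

    def ue_activity_notification(self, imsi):
        """UE-Activity-Notification (IMSI, UE-Reachable) or Update Location received."""
        if self.urrp_mme.get(imsi):
            for entity in sorted(self.subscribers.pop(imsi, ())):
                self.delivered.append((entity, imsi))
            self.urrp_mme[imsi] = False           # cleared after notifying subscribers

class Mme:
    def __init__(self):
        self.hss = None
        self.mm_contexts = {}     # IMSI -> {"urrp_mme": bool}
        self.requests_received = 0

    def ue_reachability_notification_request(self, imsi):
        """UE-REACHABILITY-NOTIFICATION-REQUEST (URRP-MME) from the HSS."""
        self.requests_received += 1
        ctx = self.mm_contexts.get(imsi)
        if ctx is not None:                       # only UEs this MME actually serves
            ctx["urrp_mme"] = True
        return ctx is not None

    def on_nas_activity(self, imsi):
        """Any NAS activity with the UE: report once, then clear the flag."""
        ctx = self.mm_contexts.get(imsi)
        if ctx and ctx["urrp_mme"]:
            ctx["urrp_mme"] = False
            self.hss.ue_activity_notification(imsi)
            return True
        return False
```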
The CSS subscription data management function allows the CSS to update the CSS subscription data stored in the MME.
The CSS subscription data is stored and managed in the MME independently from the Subscription Data received from the HSS.
Whenever the CSS subscription data is changed for a user in the CSS, and the changes affect the CSG subscription information stored in the MME, the MME shall be informed about these changes by means of the following procedure:
- Insert CSG Subscriber Data procedure, used to add or modify the CSS subscription data in the MME.
The MME updates the stored CSG Subscription Data and acknowledges the Insert CSG Subscriber Data message by returning an Insert CSG Subscriber Data Ack (IMSI) message to the CSS. The update result should be contained in the Ack message.
The MME initiates appropriate action according to the changed CSG subscriber data. If the UE is in ECM-CONNECTED state and connected via a CSG or hybrid cell, the MME shall check the received CSG subscriber data. If the MME detects that the CSG membership to that cell has changed or expired, the MME initiates the procedure in clause 5.16.
If the MME, e.g. based on the SRVCC capability in NAS, the UE Usage Type or local policy, requires more information on the UE radio capabilities to be able to set the IMS voice over PS Session Supported Indication (see clause 126.96.36.199), then the MME may send a UE Radio Capability Match Request message to the eNodeB. This procedure is typically used during the Initial Attach procedure, during the Tracking Area Update procedure for the "first TAU following GERAN/UTRAN Attach" or for "UE radio capability update", or when the MME has not received the Voice Support Match Indicator (as part of the MM Context).
The MME indicates whether it wants to receive the Voice Support Match Indicator. The MME may include the UE Radio Capability information that it has previously received from the eNodeB via an S1-AP UE CAPABILITY INFO INDICATION as described in clause 5.11.2.
Upon receiving a UE Radio Capability Match Request from the MME, if the eNodeB has not already received the UE radio capabilities from the UE or from the MME in step 1, the eNodeB requests the UE to upload the UE radio capability information by sending the RRC UE Capability Enquiry.
The eNodeB checks whether the UE radio capabilities are compatible with the network configuration for ensuring voice service continuity of voice calls initiated in IMS.
For determining the appropriate UE Radio Capability Match Response, the eNodeB is configured by the operator to check whether the UE supports certain capabilities required for Voice continuity of voice calls using IMS PS. In a shared network, the eNodeB keeps a configuration separately per PLMN.
The eNodeB provides a Voice Support Match Indicator to the MME to indicate whether the UE capabilities and the network configuration are compatible for ensuring voice service continuity of voice calls initiated in IMS.
The MME stores the received Voice Support Match Indicator in the MM Context and uses it as an input for setting the IMS voice over PS Session Supported Indication.
If the eNodeB requested radio capabilities from the UE in steps 2 and 3, the eNodeB also sends the UE radio capabilities to the MME using the S1-AP UE CAPABILITY INFO INDICATION. The MME stores the UE radio capabilities without interpreting them, for further provision to the eNodeB in the cases described in clause 5.11.2.