
Content for  TS 24.303  Word version:  17.0.0


5.5A  Protection of data traffic |R10|

5.5A.1  General

UE and HA can use the IKEv2 CREATE_CHILD_SA exchange procedure to create a child security association to be used to provide integrity protection, confidentiality protection or both, to all data traffic exchanged within the DSMIPv6 tunnel. The procedure can be initiated by the HA or by the UE at any time after the security association between UE and HA has been set up. If both UE and HA independently decide to initiate the child security association establishment, the procedure described in RFC 5996 applies. The profiles for tunnel mode IPsec ESP are defined in TS 33.402.

5.5A.2  UE procedures

After establishing the IPsec security association with the HA as described in subclause 5.1.2.2, the UE may initiate the creation of a child security association pair to provide integrity protection, confidentiality protection or both. If the UE determines that the trust relationship of the non-3GPP access network is "untrusted" (see TS 24.302), the UE shall not initiate the creation of a child security association. If the UE initiates the creation of a child security association pair, the UE shall send to the HA a CREATE_CHILD_SA request as described in RFC 4877 and RFC 5996 with the following additions:
  1. the content of the Security Association payload is set accordingly for integrity protection, confidentiality protection or both as indicated in RFC 5996 using the IPsec profiles defined in TS 33.402; and
  2. the TSi shall contain all the Home Network Prefix assigned to the UE. If prefix delegation is used, the TSi shall also contain all the prefix(es) provided to the UE. If the UE received an IPv4 Home Address, the TSi shall also contain the IPv4 Home Address.
When the UE receives a CREATE_CHILD_SA request from the HA with selectors indicating the DSMIPv6 tunnel traffic, if the UE supports integrity protection, confidentiality protection or both, the UE shall reply with a CREATE_CHILD_SA response selecting the preferred transform proposed by the HA as specified in RFC 5996.
If the child SA is created successfully, the UE shall start encapsulating all the uplink packets in the DSMIPv6 tunnel in an IPsec ESP tunnel as negotiated with the HA during the CREATE_CHILD_SA procedure.
The UE can stop using integrity protection, confidentiality protection or both, for the DSMIPv6 tunnel traffic. In order to do that, the UE shall delete the respective child security association by sending an INFORMATIONAL request message including the DELETE payload as specified in RFC 5996.

5.5A.3  HA procedures

After establishing the IPsec security association with the UE as described in subclause 5.1.3.1, the HA may initiate the creation of a child security association pair to provide integrity protection, confidentiality protection or both. If the HA receives the trust relationship indication as "untrusted" from the 3GPP AAA server during the authentication and authorization procedure or the authorization procedure (see TS 29.273), the HA shall not initiate the child security association creation procedure. If the trust relationship indication is not received, the initiation of the creation of the child security association is implementation dependent (e.g. based on configuration). If the HA initiates the creation of a child security association pair, the HA shall send to the UE a CREATE_CHILD_SA request as described in RFC 4877 and RFC 5996 with the following additions:
  1. the content of the Security Association payload is set accordingly for integrity protection, confidentiality protection or both as indicated in RFC 5996 using the IPsec profiles defined in TS 33.402; and
  2. the TSi shall contain all the Home Network Prefix assigned to the UE. If prefix delegation is used, the TSi shall also contain all the prefix(es) provided to the UE. If the UE received an IPv4 Home Address, the TSi shall also contain the IPv4 Home Address.
When the HA receives a CREATE_CHILD_SA request from the UE with selectors indicating the DSMIPv6 tunnel traffic, if the HA supports integrity protection, confidentiality protection or both, the HA shall check whether the child security association establishment can be accepted or not. If the HA receives the trust relationship indication set to "untrusted" from the 3GPP AAA server (see TS 29.273), the HA shall reject the child security association establishment by using the NOTIFY payload of type "NO_ADDITIONAL_SAS" in the CREATE_CHILD_SA response. If the HA does not receive the trust relationship indication, whether to accept or reject the child security association is implementation dependent. Otherwise, the HA shall reply with a CREATE_CHILD_SA response selecting the preferred transform proposed by the HA as specified in RFC 5996.
If the child SA is created successfully, the HA shall start encapsulating all the uplink packets in the DSMIPv6 tunnel in an IPsec ESP tunnel as negotiated with the UE during the CREATE_CHILD_SA procedure.
The HA can stop using integrity protection, confidentiality protection or both, for the DSMIPv6 tunnel traffic. In order to do that, the HA shall delete the respective child security association by sending an INFORMATIONAL request message including the DELETE payload as specified in RFC 5996.
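The following added example (not part of TS 24.303) models the two checks in this subclause: the HA's accept/reject decision driven by the trust relationship indication, and a conformance check that a TSi covers every Home Network Prefix, delegated prefix and IPv4 Home Address. The function names, the accept_when_unknown policy flag, the "REJECT_LOCAL_POLICY" label and the sample addresses are assumptions of the example.

```python
import ipaddress
from enum import Enum


class Trust(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"
    NOT_RECEIVED = "not-received"   # no indication from the 3GPP AAA server


def required_selectors(hnps, delegated=(), ipv4_hoa=None):
    """Networks the TSi must contain: every Home Network Prefix, every
    delegated prefix, and the IPv4 Home Address (as a /32) if assigned."""
    nets = [ipaddress.ip_network(p) for p in (*hnps, *delegated)]
    if ipv4_hoa is not None:
        nets.append(ipaddress.ip_network(ipv4_hoa))
    return nets


def build_tsi(hnps, delegated=(), ipv4_hoa=None):
    """IKEv2 traffic selectors are address ranges: one (start, end) per item."""
    return [(n[0], n[-1]) for n in required_selectors(hnps, delegated, ipv4_hoa)]


def tsi_gaps(tsi, hnps, delegated=(), ipv4_hoa=None):
    """Return the required networks that no single TSi range fully covers."""
    gaps = []
    for net in required_selectors(hnps, delegated, ipv4_hoa):
        covered = any(
            lo.version == net.version and lo <= net[0] and net[-1] <= hi
            for lo, hi in tsi
        )
        if not covered:
            gaps.append(str(net))
    return gaps


def ha_response(trust, accept_when_unknown):
    """HA decision for a CREATE_CHILD_SA request received from the UE."""
    if trust is Trust.UNTRUSTED:
        return "NO_ADDITIONAL_SAS"       # mandatory rejection notify type
    if trust is Trust.NOT_RECEIVED and not accept_when_unknown:
        return "REJECT_LOCAL_POLICY"     # hypothetical label: implementation dependent
    return "ACCEPT"


# Constructed sample values (documentation address ranges).
HNPS = ["2001:db8:1::/64"]
DELEGATED = ["2001:db8:100::/56"]
IPV4_HOA = "192.0.2.10"

if __name__ == "__main__":
    full = build_tsi(HNPS, DELEGATED, IPV4_HOA)
    print("complete TSi gaps:", tsi_gaps(full, HNPS, DELEGATED, IPV4_HOA))
    partial = build_tsi(HNPS)            # delegated prefix and IPv4 HoA left out
    print("partial TSi gaps:", tsi_gaps(partial, HNPS, DELEGATED, IPV4_HOA))
    for trust in Trust:
        print(trust.value, "->", ha_response(trust, accept_when_unknown=False))
```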

5.6  Attach to additional access network |R10|

5.6.1  General

The operations defined within subclause 5.6 apply to an IFOM capable UE configured for IFOM and a HA supporting IFOM.
The attach to additional access network procedure is performed by a UE supporting IFOM that has already established a PDN connection through an access network and decides to extend the PDN connection to another access network.
There can be two possible scenarios:
  • the existing access network is a home link and the added access network is a foreign link; or
  • the existing access network is a foreign link and the added access network is a home link.
The attach to additional access network procedure involves performing the following:
  • access specific procedure to connect and configure an IP address for the added access network;
  • discovery of a HA IP address if the UE has not obtained the IP address of the HA;
  • home link detection;
  • setting up a security association if there is no existing security association between the UE and HA; and
  • exchange of Binding Update and Binding Acknowledgement with the BID mobility option and FID mobility option between the UE and HA.

5.6.2  UE procedures

5.6.2.1  General

For the attach to additional access network procedure, the UE is already attached to either a home link or foreign link and discovers a new link. The UE applies the DSMIPv6 Home Link Detection Function as specified in subclause 5.1.2.3 to determine if the new link will be a home link or a foreign link. If the new link is a home link, the UE follows the procedure as specified in subclause 5.6.2.2. If the new link is a foreign link, the UE follows the procedure as specified in subclause 5.6.2.3.

5.6.2.2  Attach to additional access network acting as home link

The UE shall perform the DSMIPv6 Home Link Detection Function as specified in subclause 5.1.2.3.
In addition, the UE shall perform the initial binding registration and IPv4 Home Address assignment as specified in subclause 5.1.2.4 with the following additional rules:
  1. the UE shall send a Binding Update through the home link;
  2. the O (Overwrite) flag in the Binding Update shall be set to "0";
  3. the UE shall insert a BID mobility option in this Binding Update with:
    • the 'H' flag in the BID mobility option set to "1";
    • the Care-of Address field set to the IPv6 Home Address of the binding; and
    • the BID-PRI field set to assign the priority to the BID as indicated in RFC 6089;
  4. if routing filters were previously registered with the HA, the UE shall include a flow summary mobility option as specified in RFC 6089 listing the values of the FIDs identifying the routing filter that were previously registered; and
  5. if the UE creates one or more routing rules as specified in subclause 5.1.2.4, for each FID mobility option, the value of the BID field in the Binding Reference suboption identifies the routing address that the UE wants to use to exchange packets matching the routing filter.
When the UE receives the Binding Acknowledgment from the HA, the UE shall process the Binding Acknowledgment as specified in subclause 5.1.2.4.

5.6.2.3  Attach to an additional access acting as foreign link

The UE shall perform the same procedures described in subclause 5.1.2.4. The UE shall send the Binding Update message through the added link. In addition, the UE shall register the binding for the home link by including a BID mobility option in the Binding Update message. The BID mobility option fields for the binding for the home link are those indicated in RFC 5648 for home binding with the following distinctions:
  1. the H flag shall be set to "1";
  2. the Care-of Address field shall be set to the IPv6 HoA of the binding; and
  3. the BID-PRI field shall be set to the assigned priority of the BID as indicated in RFC 6089.
The UE shall process the received Binding Acknowledgement as specified in subclause 5.1.2.4.

5.6.3  HA procedures

5.6.3.1  General

The following subclauses describe the detailed HA procedures for the case when a UE is attaching to an additional access network.

5.6.3.2  Attach to an additional access network acting as home link

When receiving a Binding Update from the UE, the HA performs the same procedure as specified in subclause 5.2.3.2. In addition, the HA shall validate the Binding Update as described in RFC 5648, RFC 6089 and RFC 6088.

5.6.3.3  Attach to additional access acting as foreign link

When receiving a Binding Update from the UE, the HA performs the same procedures described in subclause 5.2.3.2 and in addition the HA shall validate the Binding Update as described in RFC 5648, RFC 6089 and RFC 6088. As described in RFC 5648, the HA shall:
  • process the IPv6 address contained in the BID option with the H flag set to 0 as the Care-of Address; and
  • process the IPv4 address contained in the BID option with the H flag set to 0 in the same way as the HA processes the address contained in the IPv4 Care-of Address option in subclause 5.2.3.2.
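The following added example (not part of TS 24.303) encodes and parses the BID mobility option and applies the rules from subclauses 5.6.2.2, 5.6.2.3 and 5.6.3.3 to it. The wire layout (type 35, length 4/8/20, 16-bit BID, status octet, H bit followed by a 7-bit BID-PRI, with 0 reserved) is taken from RFC 5648 as updated by RFC 6089; the function names, role labels and sample addresses are assumptions of the example.

```python
import ipaddress
import struct

BID_OPTION_TYPE = 35   # Binding Identifier mobility option (RFC 5648)


def build_bid_option(bid, h_flag, bid_pri, coa=None, status=0):
    """Encode a BID option; coa is None, an IPv4 string or an IPv6 string."""
    addr = b"" if coa is None else ipaddress.ip_address(coa).packed
    flags = (0x80 if h_flag else 0) | (bid_pri & 0x7F)
    body = struct.pack("!HBB", bid, status, flags) + addr
    return bytes([BID_OPTION_TYPE, len(body)]) + body


def parse_bid_option(data):
    """Decode one BID option, rejecting wrong types and inconsistent lengths."""
    if len(data) < 6 or data[0] != BID_OPTION_TYPE:
        raise ValueError("not a BID mobility option")
    length = data[1]
    if length not in (4, 8, 20) or len(data) != 2 + length:
        raise ValueError("bad BID option length")
    bid, status, flags = struct.unpack("!HBB", data[2:6])
    coa = ipaddress.ip_address(data[6:]) if length > 4 else None
    return {"bid": bid, "status": status, "h": bool(flags & 0x80),
            "bid_pri": flags & 0x7F, "coa": coa}


def home_binding_violations(opt, ipv6_hoa):
    """Rules for the BID option that registers the home-link binding."""
    problems = []
    if not opt["h"]:
        problems.append("H flag must be 1")
    if opt["coa"] != ipaddress.ip_address(ipv6_hoa):
        problems.append("Care-of Address field must carry the IPv6 HoA")
    if opt["bid_pri"] == 0:
        problems.append("BID-PRI 0 is reserved")
    return problems


def ha_address_role(opt):
    """How the HA treats the address carried in the option (5.6.3.3)."""
    if opt["h"]:
        return "home-binding"
    if opt["coa"] is None:
        return "no-address-in-option"
    if opt["coa"].version == 6:
        return "ipv6-care-of-address"
    return "ipv4-care-of-address"   # handled like the IPv4 Care-of Address option


# Constructed sample values (documentation address ranges).
HOA = "2001:db8:1::10"
FOREIGN_V6 = "2001:db8:ffff::5"
FOREIGN_V4 = "198.51.100.7"

if __name__ == "__main__":
    home = parse_bid_option(build_bid_option(1, True, 10, HOA))
    print(ha_address_role(home), home_binding_violations(home, HOA))
    wrong = parse_bid_option(build_bid_option(2, False, 10, FOREIGN_V6))
    print(ha_address_role(wrong), home_binding_violations(wrong, HOA))
```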

5.7  Inter-access flow mobility |R10|

5.7.1  General

The operations defined within this sub-clause apply to an IFOM capable UE configured for IFOM and to HA supporting IFOM.
The inter-access flow mobility is performed by the UE supporting IFOM that already established a PDN connection and exchanges packets belonging to the PDN connection through multiple access networks. The UE has previously registered one or more routing rules with the HA.
In this procedure, the UE updates the HA by performing any of the following operations:
  • assigning one or more routing filters to an access network different from the one those routing filters were previously assigned;
  • adding one or more new routing rules to the HA; or
  • removing one or more previously registered routing rules from the HA.
The procedure involves the exchange of a Binding Update and a Binding Acknowledgement with BID and FID options between the UE and the HA.

5.7.2  UE procedures

The UE performs the same procedures described in subclause 5.3.2 with the following exceptions:
  • the UE shall set the O (Overwrite) flag to 0;
  • the UE shall not include any Alternate Care-of Address option in the Binding Update message; and
  • the UE shall not include any IPv4 Care-of Address option in the Binding Update message.
In addition, the UE shall extend the Binding Update message with the following options (see RFC 5648, RFC 6089 and RFC 6088):
  1. The UE shall include a BID identifier mobility option:
    • the BID field is set to the value identifying the routing address used as IP Source Address of the Binding Update message;
    • if the Binding Update message is sent over a home link, the "H" flag is set to 1;
    • if the Binding Update message is sent over a foreign link, the "H" flag is set to 0;
    • the BID-PRI priority field is set to the priority assigned to the BID as indicated in RFC 6089; and
    • if the routing address is an IPv4 address, a NAT was detected and the UE is not exchanging data traffic, the UE may insert the routing address in the Care-of Address field of the BID mobility option;
  2. the UE may create one or more routing rules. For each routing rule that the UE wants to register with the HA, the UE shall include a FID mobility option containing one traffic selector as specified in RFC 6089. Traffic selectors are defined in RFC 6088:
    • the UE shall set the FID field to an arbitrary value;
    • the UE shall set the FID-PRI field to assign the priority to the routing filter as indicated in RFC 6089;
    • the UE shall include a Binding Reference suboption as indicated in RFC 6089. The value assigned to the BID identifies the routing address that the UE wants to use to exchange the packets matching the routing filters; and
    • traffic selector suboption shall be set as specified in RFC 6089 and RFC 6088. The parameters described in the traffic selector suboption represent the routing filter that corresponds to the routing rule that the UE wants to register with the HA;
  3. The UE may insert a flow summary mobility option (as described in RFC 6089).
    • If the UE wants to keep some routing rules previously registered unmodified, i.e. no flow handover, the UE lists the values of the FIDs identifying the routing rules that the UE wants to keep unmodified in the flow summary mobility option; and
    • If the UE wants to remove one or more previously registered routing rules, the UE does not include in the flow summary mobility option the FIDs identifying the routing rules that the UE wants to remove; and
  4. the UE may modify one or more routing rules with the HA. For each routing rule that the UE wants to modify, the UE shall include a FID mobility option as specified in RFC 6089.
    • the UE shall set the FID field to the value identifying the routing filter the UE wants to handover;
    • the UE shall set the FID-PRI field to assign the priority to the BID as indicated in RFC 6089; and
    • the UE shall include a Binding Reference suboption as indicated in RFC 6089. The value assigned to the BID identifies the routing address that the UE wants to use to exchange the packets matching the routing filters.
The handling of the received Binding Acknowledgement message is the same as specified in subclause 5.1.2.4. In addition, the UE handles the FID and BID mobility options contained in the received Binding Acknowledgment message as specified in RFC 5648, RFC 6089 and RFC 6088.

5.7.3  HA procedures

When receiving a Binding Update from the UE, the HA performs the same procedures described in subclause 5.3.3 and in addition the HA shall validate the Binding Update as described in RFC 5648, RFC 6089 and RFC 6088.
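The following added example (not part of TS 24.303) shows the effect of the FID and flow summary mobility options described in subclause 5.7.2 on the HA's routing rule table: rules carried in FID options are added or modified, rules listed in the flow summary are kept, and every other registered rule is removed. The dictionary representation, the function name, the error handling and the sample values are assumptions of the example.

```python
def apply_flow_update(rules, known_bids, fid_options, flow_summary=()):
    """Return (new_rules, removed_fids) after one Binding Update.

    rules:        {fid: {"bid": int, "pri": int, "selector": dict}}
    known_bids:   BIDs registered for this UE, including any in this update
    fid_options:  FID options; "selector" present = new rule, absent = modify
    flow_summary: FIDs the UE wants to keep unmodified
    """
    new_rules = {}
    for fid in flow_summary:
        if fid not in rules:
            raise ValueError(f"flow summary lists unknown FID {fid}")
        new_rules[fid] = dict(rules[fid])            # kept as registered
    for opt in fid_options:
        fid, bid = opt["fid"], opt["bid"]
        if bid not in known_bids:
            raise ValueError(f"FID {fid} references unknown BID {bid}")
        selector = opt.get("selector")
        if selector is None:                         # modification (flow handover)
            if fid not in rules:
                raise ValueError(f"cannot modify unknown FID {fid}")
            selector = rules[fid]["selector"]
        new_rules[fid] = {"bid": bid, "pri": opt["pri"], "selector": selector}
    removed = sorted(set(rules) - set(new_rules))    # neither listed nor updated
    return new_rules, removed


# Constructed sample state: BID 1 and BID 2 stand for two access networks.
REGISTERED = {
    1: {"bid": 1, "pri": 10, "selector": {"proto": 6, "dst_port": 443}},
    2: {"bid": 1, "pri": 20, "selector": {"proto": 17, "dst_port": 5060}},
    3: {"bid": 2, "pri": 30, "selector": {"proto": 6, "dst_port": 80}},
}
KNOWN_BIDS = {1, 2}

# Constructed Binding Update: keep FID 1, move FID 2 to BID 2, add FID 7,
# and drop FID 3 by leaving it out of the flow summary.
BU_FID_OPTIONS = [
    {"fid": 2, "bid": 2, "pri": 20},
    {"fid": 7, "bid": 1, "pri": 40, "selector": {"proto": 17, "dst_port": 53}},
]
BU_FLOW_SUMMARY = [1]

if __name__ == "__main__":
    updated, removed = apply_flow_update(
        REGISTERED, KNOWN_BIDS, BU_FID_OPTIONS, BU_FLOW_SUMMARY)
    for fid in sorted(updated):
        print(fid, updated[fid])
    print("removed:", removed)
```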

5.8  UE-initiated removal of an access network from a PDN connection |R10|

5.8.1  General

The operations defined within this sub-clause apply to an IFOM capable UE configured for IFOM and to HA supporting IFOM.
The removal of an access network from a PDN connection procedure is initiated by a UE which has a PDN connection through multiple access networks. In this procedure, the UE stops using one of the access networks for the PDN connection.
The procedure involves the exchange of a Binding Update and a Binding Acknowledgement between the UE and the HA.
There can be two possible scenarios:
  • home link access network is removed and foreign link access network is maintained; or
  • foreign link access network is removed and home link access network is maintained.

5.8.2  UE procedures

5.8.2.1  General

The removal of an access network from a PDN connection is performed by a UE attached to multiple access networks. The UE sends a Binding Update message in order to update the HA binding cache removing the entry corresponding to the removed access network. If the removed access network is a home link, the UE follows the procedure as specified in subclause 5.8.2.2. If the removed access network is a foreign link, the UE follows the procedure as specified in subclause 5.8.2.3.

5.8.2.2  Removal of Home link access

If the UE removes the home link from a specific PDN connection, the UE shall perform one of the following operations:
a) the UE sends a Binding Update with the Lifetime field set to 0 as specified in RFC 5555 and RFC 6275 and with a BID mobility option. The UE populates the BID mobility option as follows (see RFC 5648):
  • the BID identifier field is set to the BID corresponding to the access network the UE wants to remove;
  • the H flag is set to 0; and
  • the Care-of Address field in the BID mobility option is omitted;
or:
b) the UE sends a Binding Update message as indicated in subclause 5.1.2.4 with the following additions:
  • the Binding Update message shall be exchanged through the maintained access network;
  • the BID identifier field is set to the value identifying the maintained access network; and
  • the Care-of Address field in the BID mobility option is omitted.

5.8.2.3  Removal of foreign link from a PDN connection

If the UE removes an access network acting as foreign link from a specific PDN connection and maintains the connection to the PDN through the home link, the UE shall send a Binding Update message with the Lifetime field set to 0 as specified in subclause 5.4.2.2. If the UE decides to close the security association set up with the HA, the UE shall send the INFORMATIONAL request message including a DELETE payload as specified in subclause 5.4.2.2.

5.8.3  HA procedures

5.8.3.1  General

The following subclauses describe the detailed HA procedures for the case when a UE is removing an access network from a PDN connection.

5.8.3.2  Removal of home link access from a PDN connection

In case of removal of a home link from a PDN connection executed by the UE, the HA shall perform the following operations:
  • if the Lifetime field of the received Binding Update is set to 0, the HA processes the received Binding Update message as described in RFC 5555, RFC 6275 and RFC 5648; and
  • if the Lifetime field of the received Binding Update is not set to 0, the HA shall perform the same procedures described in subclause 5.6.3.3.

5.8.3.3  Removal of foreign link from a PDN connection

When the HA receives a Binding Update with the Lifetime field set to 0, the HA shall perform the same procedures described in subclause 5.4.3.2.

5.9  Network-initiated removal of an access network from a PDN connection |R10|

5.9.1  General

The operations defined within this subclause apply to IFOM capable UE configured for IFOM and to HA supporting IFOM.
The removal of an access network from a PDN connection procedure is initiated by the HA for a UE that has an established PDN connection through multiple access networks with the HA. In this procedure, the HA informs the UE that an entry in the binding cache is no longer valid over one of the access networks for the PDN connection. The UE then performs the network-initiated removal of an access network from a PDN connection procedure.
The procedure involves the exchange of a Binding Revocation Indication (BRI) message and a Binding Revocation Acknowledgement (BRA) between the UE and the HA as specified in RFC 5846.
Once the procedure is completed, the UE uses the maintained access network for the PDN connection.
There can be two possible scenarios:
  • home link access network is removed and foreign link access network is maintained; or
  • foreign link access network is removed and home link access network is maintained.

5.9.2  UE procedures

5.9.2.1  General

The following subclauses describe the detailed UE procedures for the case when the HA removes an access network from a PDN connection.

5.9.2.2  Removal of home link access from a PDN connection

Upon receiving a BRI message with a BID option, the UE shall perform the procedure as specified in subclause 5.4.2.1 with the following additions:
  • the UE shall process the BID mobility option as specified in RFC 5846;
  • the UE shall include the received BID mobility option in the BRA as specified in RFC 5846; and
  • the UE shall not close the security associations set up with the HA.

5.9.2.3  Removal of foreign link from a PDN connection

Upon receiving a BRI message without a BID mobility option from the HA, the UE shall process the BRI message as specified in subclause 5.4.2.1. If the UE decides to close the security association set up with the HA, the UE shall send the INFORMATIONAL request message including a DELETE payload as specified in subclause 5.4.2.2.

5.9.3  HA procedures

5.9.3.1  General

The following subclauses describe the detailed HA procedures for the case when the HA removes an access network from a PDN connection.

5.9.3.2  Removal of home link access from a PDN connection

In order to remove the home link access from a PDN connection, the HA shall perform the procedure as specified in subclause 5.4.3.1 with the following additions:
  • the HA shall include a BID mobility option of the home link access in the BRI message sent to the UE; and
  • the HA shall only remove the home binding of the PDN connection from the HA binding update cache, when a BRA message with the same BID mobility option is received.

5.9.3.3  Removal of foreign link from a PDN connection

In order to remove the foreign link access network from a PDN connection, the HA shall perform the network initiated detach procedure by sending a BRI message without a BID mobility option as described in subclause 5.4.3.1.
If an INFORMATIONAL request message including a DELETE payload is received, the HA shall perform the procedure as specified in subclause 5.4.3.2.