Tech-invite3GPPspecsSIPRFCs
Overview21222324252627282931323334353637384‑5x

Content for  TS 24.502  Word version:  17.0.0

Top   Top   Up   Prev   Next
1…   4…   5…   6…   7…   7.3…   7.3A…   7.4…   7.6…   7.9…   7A…   8…   9…

 

7.3  IKE SA establishment procedure for untrusted non-3GPP access

7.3.1  General

The purpose of this procedure is to establish a secure connection between the UE and the N3IWF over NWu, which is used to securely exchange the NAS signalling messages between the UE and the AMF via the N3IWF. The UE establishes the secure connection by establishing an IKE SA and first child SA to the N3IWF. The IKE SA and first child SA, called signalling IPsec SA, are created between the UE and the N3IWF after the IKE_SA_INIT exchange and after the IKE_AUTH exchange (see IETF RFC 7296 [6]). The signalling IPsec established is used to transfer NAS signalling traffic. Additional child SAs (user plane IPsec SAs) can be established between the UE and the N3IWF to transfer user-plane traffic (see subclause 7.5).
Upon completion of the N3IWF selection procedure (subclause 7.2) the UE initiates an IKE_SA_INIT exchange as specified in IETF RFC 7296 [6]. Upon reception of the IKE_SA_INIT exchange the UE shall inform the upper layers that the access stratum connection is established.
Upon establishment of the access stratum connection, the UE initiates IKE_AUTH exchange (see IETF RFC 7296 [6]) with EAP-5G encapsulation, as specified in subclause 7.3.2.
The UE encapsulates the initial NAS message and the AN parameters using the EAP-5G procedure as described in subclause 7.3.3. The signalling IPsec SA is established after completion of the EAP-5G procedure and IKE_AUTH exchange.
Up

7.3.2  IKE SA and signalling IPsec SA establishment procedureWord‑p. 35

7.3.2.1  IKE SA and signalling IPsec SA establishment initiation

The UE proceeds with the establishment of IKE SA and signalling IPsec SA with the selected N3IWF by initiating an IKE_SA_INIT exchange according to IETF RFC 7296 [6].
The UE shall initiate an IKE_AUTH exchange as specified in IETF RFC 7296 [6] to establish an IKE SA and first child SA (signalling IPsec SA). The UE shall indicate the intention to use EAP by not including the AUTH payload in the initial IKE_AUTH request message as specified in IETF RFC 7296 [6].
Upon reception of the IKE_AUTH request message without AUTH payload, the N3IWF shall respond with an IKE_AUTH response message with an indication to start an EAP-5G session that will be used to convey the initial NAS messages. The EAP-5G procedure is described in subclause 7.3.3.
Up

7.3.2.2  IKE SA and signalling IPsec SA establishment accepted by the network

If IKE SA and signalling IPsec SA establishment is accepted by the network, the UE receives from the N3IWF an IKE_AUTH response message containing an EAP-Success message (as shown in figure 7.3.2-1), which completes the EAP-5G session. No further EAP-5G packets are exchanged.
The UE completes the IKE SA and signalling IPsec SA (first child SA) establishment procedure by initiating an IKE_AUTH exchange including an AUTH payload computed based on the N3IWF key as described in TS 33.501. In the IKE_AUTH request message the UE additionally includes:
  • the UE shall include the INTERNAL_IP4_ADDRESS attribute, the INTERNAL_IP6_ADDRESS attribute, or both, indicating the type of IP address to be used for the IP tunnels, in the CFG_REQUEST configuration payload. The INTERNAL_IP4_ADDRESS attribute shall contain no value and the length field shall be set to 0. The INTERNAL_IP6_ADDRESS attribute shall contain no value and the length field shall be set to 0; and
  • if the UE supports IETF RFC 4555 [23], the UE may include the MOBIKE_SUPPORTED notify payload as specified in IETF RFC 4555 [23].
The N3IWF shall include in the IKE_AUTH response message containing the AUTH payload:
  • a single CFG_REPLY Configuration Payload including the INTERNAL_IP4_ADDRESS attribute with an IPv4 address assigned to the UE, the INTERNAL_IP6_ADDRESS attribute with an IPv6 address assigned to the UE, or both;
  • the NAS_IP4_ADDRESS notify payload with an N3IWF IPv4 address assigned to transport of NAS messages, if the initial IKE_AUTH request message contained a CFG_REQUEST configuration payload with the INTERNAL_IP4_ADDRESS attribute and NAS messages are to be transmitted using IPv4 based inner IP tunnel;
  • the NAS_IP6_ADDRESS notify payload with an N3IWF IPv6 address assigned to transport of NAS messages if the initial IKE_AUTH request message contained a CFG_REQUEST configuration payload with the INTERNAL_IP6_ADDRESS attribute and NAS messages are to be transmitted using IPv6 based inner IP tunnel;
  • the NAS_TCP_PORT notify payload with an N3IWF TCP port number assigned to transport of NAS messages; and
  • the MOBIKE_SUPPORTED notify payload as specified in IETF RFC 4555 [23], if the initial IKE_AUTH request message contained a MOBIKE_SUPPORTED configuration payload with the INTERNAL_IP4_ADDRESS attribute.
The UE may support the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified in TS 24.302 subclause 8.2.4.2. If the UE supports the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute, the UE shall include the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute indicating support of receiving timeout period for liveness check in the CFG_REQUEST configuration payload within the IKE_AUTH request message.
The N3IWF may include the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified in TS 24.302 subclause 8.2.4.2 indicating the timeout period for liveness check in the CFG_REPLY configuration payload of the IKE_AUTH response message containing the AUTH payload. Presence of the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute in the IKE_AUTH request can be used as input for decision on whether to include the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute in the IKE_AUTH response message containing the AUTH payload.
If the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified in TS 24.302 subclause 8.2.4.2 indicating the timeout period for the liveness check is included in the CFG_REPLY configuration payload within the IKE_AUTH response message containing the AUTH payload or the UE has a pre-configured or configured timeout period, the UE shall perform the liveness check procedure as described in subclause 7.8.
This completes the establishment of the IKE SA and signalling IPsec SA (first child SA) between the UE and the N3IWF. Upon completion of the IKE SA and signalling IPsec SA (first child SA) establishment between the UE and the N3IWF, the UE and the N3IWF shall send further NAS messages over the TCP connection within the signalling IPsec SA (first child SA) (see example in figure 7.3.2.2-1).
An example of an IKE SA and first child SA establishment procedure is shown in figure 7.3.2.2-1.
Reproduction of 3GPP TS 24.502, Figure 7.3.2.2-1: IKE SA and first child SA establishment procedure for UE registration over untrusted non-3GPP access
Up

7.3.2.3  IKE SA and signalling IPsec SA establishment not accepted by the networkWord‑p. 37
If IKE SA and signalling IPsec SA establishment is not accepted by the network, the UE receives from the N3IWF an IKE_AUTH response message including a Notify payload with an error type.
Upon receiving the IKE_AUTH response message with a Notify payload with an error type other than a CONGESTION Notify payload, the UE shall pass the error indication to the upper layer along with the encapsulated NAS messages, if any, within EAP/5G-NAS packet.
After the N3IWF receives from the UE an IKE_AUTH request message, the N3IWF shall construct an IKE_AUTH response message including a CONGESTION Notify payload as defined in subclause 9.2.4.2 and a N3GPP_BACKOFF_TIMER Notify payload as defined in subclause 9.3.1.7. if the N3IWF decides to not accept the IKE SA and signalling IPsec SA establishment based on the OVERLOAD START message received from the AMF(s) as specified in TS 29.413.
The N3IWF shall send the IKE_AUTH response message to the UE.Upon reception of the IKE_AUTH response message including:
  1. a CONGESTION Notify payload as defined in subclause 9.2.4.2; and
  2. a N3GPP_BACKOFF_TIMER Notify payload as defined in subclause 9.3.1.7; and
after the UE authenticates the network or the N3IWF as specified in TS 33.501, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA as specified in IETF RFC 7296 [6]. In addition, the UE shall inform the upper layers that the access stratum connection has been released, and:
  1. if the back-off timer value in N3GPP_BACKOFF_TIMER Notify payload indicates neither zero nor deactivated, the UE shall start the Tw3 timer with the value provided and the UE shall not retry the IKE SA and signalling IPsec SA establishment procedure to the same N3IWF until:
    • timer Tw3 expires;
    • the UE is switched off;
    • the UICC containing the USIM is removed;
    • an access attempt occurs due to emergency services; or
    • the UE needs to request one or more S-NSSAIs that were not included in the requested NSSAI provided to the N3IWF previously;
  2. if the back-off timer value in N3GPP_BACKOFF_TIMER Notify payload indicates that this timer is deactivated, the UE shall not retry the IKE SA and signalling IPsec SA establishment procedure to the same N3IWF until:
    • the UE is switched off;
    • the UICC containing the USIM is removed;
    • an access attempt occurs due to emergency services; or
    • the UE needs to request one or more S-NSSAIs that were not included in the requested NSSAI provided to the N3IWF previously; and
  3. if the back-off timer value in N3GPP_BACKOFF_TIMER Notify payload indicates zero, the UE may retry the IKE SA and signalling IPsec SA establishment procedure to an N3IWF from the same PLMN.
Upon receiving the IKE_AUTH response message with a Notify payload with an error type, if the EAP-5G session establishment has already been started, the UE shall perform a local termination of the EAP-5G session.
Up

7.3.3  EAP-5G session over non-3GPP accessWord‑p. 38

7.3.3.1  General

A vendor-specific EAP method (EAP-5G) is used to encapsulate NAS messages between the UE and the N3IWF. The EAP-5G packets utilize the "Expanded" EAP type and the existing 3GPP Vendor-Id registered with IANA under the SMI Private Enterprise Code registry (i.e. 10415). The EAP-5G method is utilized only for encapsulating the NAS messages. The EAP-5G method is not utilized to authenticate the UE in untrusted non-3GPP network.

7.3.3.1A  EAP-5G session initiation |R16|

The UE and the N3IWF shall exchange EAP-5G messages within IKE_AUTH request and IKE_AUTH response messages. The N3IWF on reception of an IKE_AUTH request with no AUTH payload shall start an EAP-5G session by sending an EAP-Request/5G-Start message.
The UE acknowledges start of the EAP-5G session by sending an EAP-Response/5G-NAS message which shall include:
  1. a NAS-PDU field containing a NAS message, for example, a REGISTRATION REQUEST message; and
  2. an AN-parameters field containing access network parameters, such as GUAMI, selected PLMN ID, requested NSSAI, establishment cause and selected NID if the UE is accessing SNPN services via a PLMN (see TS 23.502).
The N3IWF, on reception of NAS messages from the UE within an EAP-Response/5G-NAS message, shall forward the NAS message to the AMF.
The N3IWF, on reception of NAS messages from the AMF, shall include the NAS message within an EAP-Request/5G-NAS message. The N3IWF shall transmit the EAP-Request/5G-NAS message to the UE.
The EAP-Request/5G-NAS message shall include a NAS-PDU field that contains a NAS message.
Further NAS messages between the UE and the AMF, via the N3IWF, shall be inserted in NAS-PDU field of an EAP-Response/5G-NAS (UE to N3IWF direction) and EAP-Request/5G-NAS (N3IWF to UE direction) message.
Up

7.3.3.2  EAP-5G session completion initiated by the network

Upon completion of successful authentication and on reception of the N3IWF key from the AMF, the N3IWF shall complete the EAP-5G session by sending an EAP-Success message.
On reception of the EAP-Success message from the N3IWF, the UE proceeds to establish an IKE SA and signalling IPsec SA as described in subclause 7.3.2.
An example of an EAP-5G session after successful authentication is shown in figure 7.3.3.2-1.
Reproduction of 3GPP TS 24.502, Figure 7.3.3.2-1: EAP-5G session for successful UE registration over untrusted non-3GPP access
Up

7.3.3.3  EAP-5G session completion initiated by the UEWord‑p. 39
Upon receiving indication from the upper layer that no 5G-NAS messages need to be transmitted between the UE and N3IWF, the UE shall terminate the EAP-5G session by sending an EAP-Response/5G-Stop message to the N3IWF.
On reception of EAP-Response/5G-Stop message, the N3IWF shall complete the EAP-5G session by sending an EAP-Failure message to the UE.
On reception of the EAP-Failure message from the N3IWF, the UE shall delete any context related to IKE SA without requiring an explicit INFORMATIONAL exchange carrying a Delete payload as specified in IETF RFC 7296 [6].
Figure 7.3.3.3-1 shows an example the EAP-5G session completion after registration reject.
Reproduction of 3GPP TS 24.502, Figure 7.3.3.3-1: EAP-5G session when the UE's registration over untrusted non-3GPP access is rejected
Up

7.3.4  Abnormal cases in the UEWord‑p. 40
Apart from the cases specified in IETF RFC 7296 [6], no abnormal cases have been identified.

7.3.5  Abnormal cases in the N3IWF

Apart from the cases specified in IETF RFC 7296 [6], no abnormal cases have been identified.

Up   Top   ToC