The purpose of the user plane IPsec SA creation procedure is to establish a child SA associating to the QoS flows of the PDU session. This procedure shall be initiated by the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access.
One user plane IPsec SA can be associated with one or more QoS flows of the PDU session. During PDU session establishment or PDU session modification via:
-
untrusted non-3GPP access, the N3IWF; or
-
trusted non-3GPP access, the TNGF,
shall determine the number of user plane IPsec child SAs to establish and the QoS profiles associated with each child SA based on local policies, configuration and the QoS profiles received from the network.
The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall initiate the child SA creation procedure by sending a CREATE_CHILD_SA request message to the UE as specified in
RFC 7296.
The CREATE_CHILD_SA request message shall include:
-
a UP_IP4_ADDRESS notify payload or a UP_IP6_ADDRESS notify payload; and
-
5G_QOS_INFO Notify payload as specified in clause 9.3.1.1, which contains:
-
PDU session ID;
-
zero or more QFIs;
-
optionally a DSCP value;
-
optionally an indication of whether the child SA is the default child SA. For a given PDU session ID, there can be only up to one child SA which is the default child SA; and
-
if trusted non-3GPP access, Additional QoS Information or if untrusted non-3GPP access, optionally Additional QoS Information.
The IKE CREATE_CHILD_SA request message also contains the SA payload for the requested child SA.
If the UE accepts the CREATE_CHILD_SA request message with a 5G_QOS_INFO Notify payload:
a)
the UE shall send a CREATE_CHILD_SA response message as specified in
RFC 7296; and
b)
the UE shall associate the created child SA with the:
-
PDU session ID;
-
zero or more QFIs (if indicated);
-
DSCP value (if indicated); and
-
indication of whether the child SA is the default child SA (if indicated);
in the 5G_QOS_INFO Notify payload; and
c)
the UE:
-
in case of trusted non-3GPP access, shall reserve non-3GPP access QoS resources for the created child SA based on the received Additional QoS Information; or
-
in case of untrusted non-3GPP access, may reserve non-3GPP access QoS resources for the created child SA if the UE has received Additional QoS Information.
Any IKEv2 Notify payload indicating an error shall not be included in the CREATE_CHILD_SA response message.
If a user plane IPsec SA establishment for a PDU session is not accepted by the UE, the UE shall send a CREATE_CHILD_SA response message to the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access with a Notify payload with error type.
For trusted non-3GPP access, if the UE fails to reserve QoS resources over non-3GPP access for the child SA associated with the QoS flows according to the Additional QoS information in the 5G_QOS_INFO Notify payload, the UE shall include a Notify payload with a Private Notify Message Error Type
"NO_RESOURCES_OVER_N3GPP" as defined in
clause 9.2.4.2 in the CREATE_CHILD_SA response message.
For untrusted non-3GPP access, if the UE attempts to reserve QoS resources over non-3GPP access for the child SA associated with the QoS flows according to the Additional QoS information in the 5G_QOS_INFO Notify payload but fails the reservation, the UE shall include a Notify payload with a Private Notify Message Error Type
"NO_RESOURCES_OVER_N3GPP" as defined in
clause 9.2.4.2 in the CREATE_CHILD_SA response message.
Upon receiving the CREATE_CHILD_SA response message with a Notify payload of error type:
-
if PDU session establishment over non-3GPP access requires single user plane SA IPsec SA creation, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall stop user plane SA IPsec SA creation procedure and indicate the failure for PDU session establishment over non-3GPP access.
-
if PDU session establishment over non-3GPP access requires multiple user plane SA IPsec SA creation, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access may choose to continue user plane SA IPsec SA creation procedure for other user plane IPsec SAs, or stop user plane SA IPsec SA creation procedure and indicate the failure for PDU session establishment over non-3GPP access.
If the UE receives a CREATE_CHILD_SA request message containing a USE_TRANSPORT_MODE notification, the UE shall send a CREATE_CHILD_SA response message to the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access without including the USE_TRANSPORT_MODE notification as specified in
RFC 7296.
Apart from the cases specified in
RFC 7296, no abnormal cases have been identified.