Content for TS 24.502 Word version: 17.0.0
7.4 IKEv2 SA deletion procedure
7.4.1 General
7.4.2 IKE SA deletion procedure initiated by the N3IWF and the TNGF
7.4.3 IKE SA deletion procedure initiated by the UE
7.5 User plane IPsec SA creation procedure
7.5.1 General
7.5.2 Child SA creation procedure initiation
7.5.3 Child SA creation procedure accepted by the UE
7.5.4 Child SA creation procedure not accepted by the UE
7.5.5 Abnormal cases in the UE
7.5.6 Abnormal cases in the N3IWF and the TNGF
...
...
7.4 IKEv2 SA deletion procedure
7.4.1 General
The purpose of the IKE SA deletion procedure via untrusted non-3GPP access and trusted non-3GPP access is to close the IKE SA between the UE and the N3IWFfor untrusted non-3GPP access and the TNGF for trusted non-3GPP access. In addition, deleting the IKE SA implicitly closes any remaining signalling IPsec child SAs and user plane IPsec child SAs associated with IKE SA.
This procedure shall be initiated either by the N3IWF, TNGF or by the UE.
The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access initiate this procedure in the following cases:
- N1 NAS signalling connection release;
- N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure failure;
- N3IWF-initiated and TNGF-intiated IKE SA rekeying procedure completion
- upon receipt of an INITIAL_CONTACT notification as specified in RFC 7296; and
- upon detecting an error in a response packet as specified in RFC 7296.
7.4.2 IKE SA deletion procedure initiated by the N3IWF and the TNGF Word‑p. 45
7.4.2.1 IKE SA deletion initiation
The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall initiate the IKE SA deletion procedure by sending an INFORMATIONAL request message including a Delete payload to the UE as specified in RFC 7296.
The Delete payload shall be defined with the Protocol ID set to "1" and no SPIs included in the Security Parameter Index field in the Delete payload. This indicates that the IKE security association and all IPsec ESP security associations that were negotiated within the IKE security association between:
-
the N3IWF for untrusted non-3GPP access; and
-
the TNGF for trusted non-3GPP access;
and the UE shall be deleted.
7.4.2.2 IKE SA deletion accepted by the UE
Upon reception of the INFORMATIONAL request message from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access for deletion of the IKE SA, if the UE accepts the IKE SA deletion request, the UE shall send an empty INFORMATIONAL response message to the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access as specified in RFC 7296.
After sending the empty INFORMATIONAL response message, the UE shall close IKE SA and delete all IPsec child SAs associated with the IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
Upon receiving the empty INFORMATIONAL response message, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall close IKE SA and delete all IPsec child SAs associated with the IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
7.4.2.3 Abnormal cases in the N3IWF and the TNGF
If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access does not receive any empty INFORMATIONAL response message from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for untrusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
7.4.3 IKE SA deletion procedure initiated by the UE Word‑p. 46
7.4.3.1 IKE SA deletion initiation
The UE shall initiate the IKE SA deletion procedure by sending an INFORMATIONAL request message including a Delete payload to the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access as specified in RFC 7296.
The Delete payload shall be defined with the Protocol ID set to "1" and no SPIs included in the Security Parameter Index field in the Delete payload. This indicates that the IKE security association and all IPsec ESP security associations that were negotiated within the IKE security association between:
-
the N3IWF for untrusted non-3GPP access; and
-
the TNGF for trusted non-3GPP access;
and the UE shall be deleted.
7.4.3.2 IKE SA deletion accepted by the N3IWF and the TNGF
Upon reception of the INFORMATIONAL request message from the UE for deletion of the IKE SA, if the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access accepts the IKE SA deletion request, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send an empty INFORMATIONAL response message to the UE as specified in RFC 7296.
After sending the empty INFORMATIONAL response message, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall close the IKE SA and delete all IPsec child SAs associated with the IKE SA. In addition, the N3IWF for untrusted non-3GPP access and theTNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
Upon receiving the empty INFORMATIONAL response message, the UE shall close the IKE SA and delete all IPsec child SAs associated with the IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
7.4.3.3 Abnormal cases in the UE
If the UE does not receive any empty INFORMATIONAL response message from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
7.4.2.1 IKE SA deletion initiation
The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall initiate the IKE SA deletion procedure by sending an INFORMATIONAL request message including a Delete payload to the UE as specified in RFC 7296.
The Delete payload shall be defined with the Protocol ID set to "1" and no SPIs included in the Security Parameter Index field in the Delete payload. This indicates that the IKE security association and all IPsec ESP security associations that were negotiated within the IKE security association between:
- the N3IWF for untrusted non-3GPP access; and
- the TNGF for trusted non-3GPP access;
7.4.2.2 IKE SA deletion accepted by the UE
Upon reception of the INFORMATIONAL request message from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access for deletion of the IKE SA, if the UE accepts the IKE SA deletion request, the UE shall send an empty INFORMATIONAL response message to the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access as specified in RFC 7296.
After sending the empty INFORMATIONAL response message, the UE shall close IKE SA and delete all IPsec child SAs associated with the IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
Upon receiving the empty INFORMATIONAL response message, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall close IKE SA and delete all IPsec child SAs associated with the IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
7.4.2.3 Abnormal cases in the N3IWF and the TNGF
If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access does not receive any empty INFORMATIONAL response message from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for untrusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
7.4.3.1 IKE SA deletion initiation
The UE shall initiate the IKE SA deletion procedure by sending an INFORMATIONAL request message including a Delete payload to the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access as specified in RFC 7296.
The Delete payload shall be defined with the Protocol ID set to "1" and no SPIs included in the Security Parameter Index field in the Delete payload. This indicates that the IKE security association and all IPsec ESP security associations that were negotiated within the IKE security association between:
- the N3IWF for untrusted non-3GPP access; and
- the TNGF for trusted non-3GPP access;
7.4.3.2 IKE SA deletion accepted by the N3IWF and the TNGF
Upon reception of the INFORMATIONAL request message from the UE for deletion of the IKE SA, if the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access accepts the IKE SA deletion request, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send an empty INFORMATIONAL response message to the UE as specified in RFC 7296.
After sending the empty INFORMATIONAL response message, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall close the IKE SA and delete all IPsec child SAs associated with the IKE SA. In addition, the N3IWF for untrusted non-3GPP access and theTNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
Upon receiving the empty INFORMATIONAL response message, the UE shall close the IKE SA and delete all IPsec child SAs associated with the IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
7.4.3.3 Abnormal cases in the UE
If the UE does not receive any empty INFORMATIONAL response message from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
7.5 User plane IPsec SA creation procedure
7.5.1 General
The purpose of the user plane IPsec SA creation procedure is to establish a child SA associating to the QoS flows of the PDU session. This procedure shall be initiated by the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access.
One user plane IPsec SA can be associated with one or more QoS flows of the PDU session. During PDU session establishment or PDU session modification via:
- untrusted non-3GPP access, the N3IWF; or
- trusted non-3GPP access, the TNGF,
7.5.2 Child SA creation procedure initiation Word‑p. 47
The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall initiate the child SA creation procedure by sending a CREATE_CHILD_SA request message to the UE as specified in RFC 7296.
The CREATE_CHILD_SA request message shall include:
-
a UP_IP4_ADDRESS notify payload or a UP_IP6_ADDRESS notify payload; and
-
5G_QOS_INFO Notify payload as specified in subclause 9.3.1.1, which contains:
-
PDU session ID;
-
zero or more QFIs;
-
optionally a DSCP value;
-
optionally an indication of whether the child SA is the default child SA. For a given PDU session ID, there can be only up to one child SA which is the default child SA; and
-
if trusted non-3GPP access, Additional QoS Information or if untrusted non-3GPP access, optionally Additional QoS Information.
The IKE CREATE_CHILD_SA request message also contains the SA payload for the requested child SA.
7.5.3 Child SA creation procedure accepted by the UE
If the UE accepts the CREATE_CHILD_SA request message with a 5G_QOS_INFO Notify payload:
a)
the UE shall send a CREATE_CHILD_SA response message as specified in RFC 7296; and
b)
the UE shall associate the created child SA with the:
-
PDU session ID;
-
zero or more QFIs (if indicated);
-
DSCP value (if indicated); and
-
indication of whether the child SA is the default child SA (if indicated);
in the 5G_QOS_INFO Notify payload; and
c)
the UE:
-
in case of trusted non-3GPP access, shall reserve non-3GPP access QoS resources for the created child SA based on the received Additional QoS Information; or
-
in case of untrusted non-3GPP access, may reserve non-3GPP access QoS resources for the created child SA if the UE has received Additional QoS Information.
Any IKEv2 Notify payload indicating an error shall not be included in the CREATE_CHILD_SA response message.
7.5.4 Child SA creation procedure not accepted by the UE
If a user plane IPsec SA establishment for a PDU session is not accepted by the UE, the UE shall send a CREATE_CHILD_SA response message to the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access with a Notify payload with error type.
If the UE fails to reserve QoS resources over non-3GPP access for the QoS flows associated with the child SA according to the Additional QoS information in the 5G_QOS_INFO Notify payload, the UE shall include a Notify payload with a Private Notify Message Error Type "NO_RESOURCES_OVER_N3GPP" as defined in subclause 9.2.4.2 in the CREATE_CHILD_SA response message.
Upon receiving the CREATE_CHILD_SA response message with a Notify payload of error type:
-
if PDU session establishment over non-3GPP access requires single user plane SA IPsec SA creation, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall stop user plane SA IPsec SA creation procedure and indicate the failure for PDU session establishment over non-3GPP access.
-
if PDU session establishment over non-3GPP access requires multiple user plane SA IPsec SA creation, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access may choose to continue user plane SA IPsec SA creation procedure for other user plane IPsec SAs, or stop user plane SA IPsec SA creation procedure and indicate the failure for PDU session establishment over non-3GPP access.
7.5.5 Abnormal cases in the UE Word‑p. 48
If the UE receives a CREATE_CHILD_SA request message containing a USE_TRANSPORT_MODE notification, the UE shall send a CREATE_CHILD_SA response message to the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access without including the USE_TRANSPORT_MODE notification as specified in RFC 7296.
7.5.6 Abnormal cases in the N3IWF and the TNGF
Apart from the cases specified in IETF RFC 7296 [6], no abnormal cases have been identified.
- a UP_IP4_ADDRESS notify payload or a UP_IP6_ADDRESS notify payload; and
-
5G_QOS_INFO Notify payload as specified in subclause 9.3.1.1, which contains:
- PDU session ID;
- zero or more QFIs;
- optionally a DSCP value;
- optionally an indication of whether the child SA is the default child SA. For a given PDU session ID, there can be only up to one child SA which is the default child SA; and
- if trusted non-3GPP access, Additional QoS Information or if untrusted non-3GPP access, optionally Additional QoS Information.
a)
in the 5G_QOS_INFO Notify payload; and
the UE shall send a CREATE_CHILD_SA response message as specified in RFC 7296; and
b)
the UE shall associate the created child SA with the:
- PDU session ID;
- zero or more QFIs (if indicated);
- DSCP value (if indicated); and
- indication of whether the child SA is the default child SA (if indicated);
c)
Any IKEv2 Notify payload indicating an error shall not be included in the CREATE_CHILD_SA response message.
the UE:
- in case of trusted non-3GPP access, shall reserve non-3GPP access QoS resources for the created child SA based on the received Additional QoS Information; or
- in case of untrusted non-3GPP access, may reserve non-3GPP access QoS resources for the created child SA if the UE has received Additional QoS Information.
- if PDU session establishment over non-3GPP access requires single user plane SA IPsec SA creation, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall stop user plane SA IPsec SA creation procedure and indicate the failure for PDU session establishment over non-3GPP access.
- if PDU session establishment over non-3GPP access requires multiple user plane SA IPsec SA creation, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access may choose to continue user plane SA IPsec SA creation procedure for other user plane IPsec SAs, or stop user plane SA IPsec SA creation procedure and indicate the failure for PDU session establishment over non-3GPP access.
If the UE receives a CREATE_CHILD_SA request message containing a USE_TRANSPORT_MODE notification, the UE shall send a CREATE_CHILD_SA response message to the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access without including the USE_TRANSPORT_MODE notification as specified in RFC 7296.
7.5.6 Abnormal cases in the N3IWF and the TNGF
Apart from the cases specified in IETF RFC 7296 [6], no abnormal cases have been identified.
