Tech-invite3GPPspecsSIPRFCs
Overview21222324252627282931323334353637384‑5x

Content for  TS 24.502  Word version:  17.0.0

Top   Top   Up   Prev   Next
1…   4…   5…   6…   7…   7.3…   7.3A…   7.4…   7.6…   7.9…   7A…   8…   9…

 

7.9  Network-initiated liveness check procedure

7.9.1  General

The network-initiated liveness check procedure enables the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access to detect whether the UE is alive.

7.9.2  Network-initiated liveness check procedure initiation

If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access has not received any cryptographically protected IKEv2 or IPsec message for the duration of the timeout period for liveness check selected according to the local policy, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send an INFORMATIONAL request with no payloads RFC 7296.

7.9.3  Network-initiated liveness check procedure completion

The UE shall handle the INFORMATIONAL request with no payloads as per RFC 7296 and shall send an INFORMATIONAL response.
If an INFORMATIONAL response is received, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall consider the liveness check procedure as successfully completed.

7.9.4  Abnormal cases

If an INFORMATIONAL response is not received, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall deem the IKEv2 security association to have failed.
The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA as specified in RFC 7296. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
Up

7.10  IKE SA rekeying procedureWord‑p. 52

7.10.1  General

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE may support the IKE SA rekeying procedure as specified in RFC 7296. If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access and the UE support the IKE SA rekeying procedure, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall proactively rekey the IKE SA. Upon rekeying of an IKE SA, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall maintain the old SA for the incoming data while establishing the new one. The old SA shall be deleted upon the completion of the establishment of the new one by both the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access. The UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access are separately responsible for enforcing their time expiration policies to rekey the SA when needed. RFC 7296 describes how to avoid the simultaneous IPsec SA and IKE SA rekeying.
Up

7.10.2  N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure

7.10.2.1  N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure initiation

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access shall initiate the IKE SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload indicating an N3IWF's SPI for untrusted non-3GPP access or an TNGF's SPI for trusted non-3GPP access.

7.10.2.2  N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure completion

Upon reception of the CREATE_CHILD_SA request message in the IKE SA with a REKEY_SA Notify payload indicating an N3IWF's SPI for untrusted non-3GPP access or an TNGF's SPI for trusted non-3GPP access, if the UE accepts the IKE SA rekeying request, the UE shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the UE's SPI to the SPI created by the CREATE_CHILD_SA request/response pair and shall set:
  1. the N3IWF's SPI for untrusted non-3GPP access to the N3IWF's SPI; or
  2. the TNGF's SPI for trusted non-3GPP access to the TNGF's SPI;
created by the CREATE_CHILD_SA request/response pair.
Up

7.10.2.3  Abnormal cases

If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access receive a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall delete the IKE SA and any associated child SAs as specified in subclause 7.4.
If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access do not receive any CREATE_CHILD_SA response message from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
Up

7.10.3  UE-initiated IKE SA rekeying procedure

7.10.3.1  UE-initiated IKE SA rekeying procedure initiation

The UE shall initiate the IKE SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload indicating a UE's SPI.

7.10.3.2  UE-initiated IKE SA rekeying procedure completionWord‑p. 53
Upon reception of the CREATE_CHILD_SA request message in the IKE SA with a REKEY_SA Notify payload indicating a UE's SPI, if the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access accept the IKE SA rekeying request, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the N3IWF's SPI for untrusted non-3GPP access and the TNGF's SPI for trusted non-3GPP access to the SPI created by the CREATE_CHILD_SA request/response pair and shall set the UE's SPI to the UE's SPI created by the CREATE_CHILD_SA request/response pair.
Up

7.10.3.3  Abnormal cases

If the UE receives a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access, the UE shall delete the IKE SA and any associated child SAs as specified in subclause 7.4.
If the UE does not receive any CREATE_CHILD_SA response message from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
Up

7.11  IPsec SA rekeying procedure

7.11.1  General

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE may support the IPsec SA rekeying procedure as specified in RFC 7296. If the N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE support the IPsec SA rekying procedure, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall proactively rekey the IPsec SA. Upon rekeying of an IPsec SA, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall maintain the old IPsec for the incoming data while establishing the new one. The old IPsec shall be deleted upon the completion of the establishement of the new one by the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access. The UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access are separately responsible for enforcing their time expiration policies to rekey the IPsec when needed. RFC 7296 describes how to avoid the simultaneous IPsec SA and IKE SA rekeying.
Up

7.11.2  N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure

7.11.2.1  N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure initiation

The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall initiate the IPsec SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the N3IWF's ESP SPI for untrusted non-3GPP access and the TNGF's ESP SPI for trusted non-3GPP access for the IPsec SA.

7.11.2.2  N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure completion

Upon reception of the CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the N3IWF's ESP SPI for untrusted non-3GPP access or the TNGF's ESP SPI for trusted non-3GPP access for the IPsec SA, if the UE accepts the IPsec SA rekeying request, the UE shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the UE's ESP SPI to the ESP SPI created by the CREATE_CHILD_SA request/response pair and shall set;
  1. the N3IWF's ESP SPI for untrusted non-3GPP access; or
  2. the TNGF's ESP SPI for trsuted non-3GPP access;
to the N3IWF's ESP SPI created by the CREATE_CHILD_SA request/response pair.
Up

7.11.2.3  Abnormal casesWord‑p. 54
If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access receive a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the UE, the N3IWF shall delete the IPsec SA as specified in subclause 7.7. Additionally, if the IPsec SA is the signalling IPsec SA, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall delete the IKE SA as specified in subclause 7.4.
If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access do not receive any CREATE_CHILD_SA response message from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
Up

7.11.3  UE-initiated IPsec SA rekeying procedure

7.11.3.1  UE-initiated IPsec SA rekeying procedure initiation

The UE shall initiate the IPsec SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the UE's ESP SPI for the IPsec SA.

7.11.3.2  UE-initiated IPsec SA rekeying procedure completion

Upon reception of the CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the UE's ESP SPI for the IPsec SA, if the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access accept the IPsec SA rekeying request, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set:
  1. the N3IWF's ESP SPI for untrusted non-3GPP access; and
  2. the TNGF's ESP SPI for trusted non-3GPP access;
to the ESP SPI created by the CREATE_CHILD_SA request/response pair and shall set the UE's ESP SPI to the UE's ESP SPI created by the CREATE_CHILD_SA request/response pair.
Up

7.11.3.3  Abnormal cases

If the UE receives a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access, the UE shall delete the IPsec SA as specified in subclause 7.7. Additionally, if the IPsec SA is the signalling IPsec SA, the UE shall delete the IKE SA as specified in subclause 7.4.
If the UE does not receive any CREATE_CHILD_SA response message from the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
Up

Up   Top   ToC