Content for  TS 24.502  Word version:  19.2.0

The user plane IPsec child SA modification procedure is to update a child SA associating to the QoS flows of the PDU session. The procedure may be initiated by the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access. The IPsec child SA modification may be accepted or rejected by the UE.

The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall perform the IPsec child SA modification by sending an INFORMATIONAL request message as specified in RFC 7296 to the UE with an UP_SA_INFO Notify payload identifying the IPsec child SA and a 5G_QOS_INFO Notify payload indicating modified content associated with the IPsec child SA. If the UE is being treated as a UE with MPS priority (e.g., as identified in clause 7.3.2.1 or 7.3A.2.2), based on operator policy, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access may retry the Child SA modification without the Additional QoS Information.

Upon receipt of an INFORMATIONAL request message containing an 5G_QOS_INFO Notify payload and an UP_SA_INFO Notify payload:

1. if the content of the 5G_QOS_INFO Notify payload is accepted by the UE, the UE shall:
   1. send an empty INFORMATIONAL response message to the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access to acknowledge the reception of the INFORMATIONAL request message; and
   2. update locally the IPsec child SA according to the content of the INFORMATIONAL request message; or
2. if the content of the 5G_QOS_INFO Notify payload is not accepted by the UE, the UE shall:
   1. send the reason for rejecting the IPsec SA modification in the content of an INFORMATIONAL response message; and
   2. not update locally the IPsec child SA according to the content of the INFORMATIONAL request message.

For trusted non-3GPP access, if the UE fails to reserve QoS resources over non-3GPP access for the child SA associated with the QoS flows according to the Additional QoS information in the 5G_QOS_INFO Notify payload, the UE shall include a Notify Payload with a Private Notify Message Error Type "NO_RESOURCES_OVER_N3GPP" as defined in clause 9.2.4.2 in the INFORMATIONAL response message. For untrusted non-3GPP access, if the UE attempts to reserve QoS resources over non-3GPP access for the child SA associated with the QoS flows according to the Additional QoS information in the 5G_QOS_INFO Notify payload but fails the reservation, the UE shall include a Notify Payload with a Private Notify Message Error Type "NO_RESOURCES_OVER_N3GPP" as defined in clause 9.2.4.2 in the INFORMATIONAL response message.

The purpose of the child SA deletion procedure for PDU session release is to delete all the child SAs associated with the PDU session. This procedure shall be initiated either by the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access or by the UE. The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access initiates this procedure in the following cases:

1. upon PDU session release;
2. N3IWF-initiated and TNGF-intiated IPsec SA rekeying procedure failure;
3. N3IWF-initiated and TNGF-intiated IPsec SA rekeying procedure completion; and
4. upon detecting an error in a response packet as specified in RFC 7296.

The UE initiates this procedure in the following cases:

1. UE-initiated IPsec SA rekeying procedure failure;
2. UE-initiated IPsec SA rekeying procedure completion; and
3. upon detecting an error in a response packet as specified in RFC 7296.

Apart from the cases specified in RFC 7296 and clause 7.7.3.3, no abnormal cases have been identified.

Apart from the cases specified in RFC 7296 and clause 7.7.2.3, no abnormal cases have been identified.

The UE-initiated liveness check procedure enables the UE to detect whether the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access is alive.

If the UE supports the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified in clause 8.2.4.2 of TS 24.302 and the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified in clause 8.2.4.2 of TS 24.302 was included in the CFG_REPLY configuration payload within the IKE_AUTH response message received in clause 7.3 the UE shall set the timeout period for the liveness check to the value of the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute. If the UE does not support the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified in clause 8.2.4.2 of TS 24.302 or the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified in clause 8.2.4.2 of TS 24.302 was not included in the CFG_REPLY configuration payload within the IKE_AUTH response message received in clause 7.3, then the UE shall use the pre-configured value of the timeout period for liveness check. If the UE has not received any cryptographically protected IKEv2 or IPsec message for the duration of the timeout period for liveness check, the UE shall send an INFORMATIONAL request with no payloads as per RFC 7296.

The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall handle the INFORMATIONAL request with no payloads as per RFC 7296 and shall send an INFORMATIONAL response. If an INFORMATIONAL response is received, the UE shall consider the UE-initiated liveness check procedure as successfully completed.

If an INFORMATIONAL response is not received, the UE shall deem the IKEv2 security association to have failed. The UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA as specified in RFC 7296]. In addition, the UE shall inform the upper layers that the access stratum connection has been released.