Content for TS 24.502 Word version: 19.2.0

1… 4… 5… 5.3B… 6… 7… 7.2.5… 7.3… 7.3A… 7.4… 7.6… 7.9… 7.10… 8… 9… 9.3… 9.3.2… 9.3.2.2.3… 9.3.3…

7.10 IKE SA rekeying procedure 7.10.1 General 7.10.2 N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure 7.10.3 UE-initiated IKE SA rekeying procedure 7.11 IPsec SA rekeying procedure 7.11.1 General 7.11.2 N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure 7.11.3 UE-initiated IPsec SA rekeying procedure
...

7.10 IKE SA rekeying procedure p. 73

7.10.1 General p. 73

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE may support the IKE SA rekeying procedure as specified in RFC 7296. If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access and the UE support the IKE SA rekeying procedure, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall proactively rekey the IKE SA. Upon rekeying of an IKE SA, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall maintain the old SA for the incoming data while establishing the new one. The old SA shall be deleted upon the completion of the establishment of the new one by both the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access. The UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access are separately responsible for enforcing their time expiration policies to rekey the SA when needed. RFC 7296 describes how to avoid the simultaneous IPsec SA and IKE SA rekeying.

7.10.2 N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure p. 73

7.10.2.1 N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure initiation p. 73

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access shall initiate the IKE SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload indicating an N3IWF's SPI for untrusted non-3GPP access or an TNGF's SPI for trusted non-3GPP access.

7.10.2.2 N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure completion p. 73

Upon reception of the CREATE_CHILD_SA request message in the IKE SA with a REKEY_SA Notify payload indicating an N3IWF's SPI for untrusted non-3GPP access or an TNGF's SPI for trusted non-3GPP access, if the UE accepts the IKE SA rekeying request, the UE shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the UE's SPI to the SPI created by the CREATE_CHILD_SA request/response pair and shall set:

the N3IWF's SPI for untrusted non-3GPP access to the N3IWF's SPI; or
the TNGF's SPI for trusted non-3GPP access to the TNGF's SPI;

created by the CREATE_CHILD_SA request/response pair.

7.10.2.3 Abnormal cases p. 73

If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access receive a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall delete the IKE SA and any associated child SAs as specified in clause 7.4.

If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access do not receive any CREATE_CHILD_SA response message from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.

7.10.3 UE-initiated IKE SA rekeying procedure p. 74

7.10.3.1 UE-initiated IKE SA rekeying procedure initiation p. 74

The UE shall initiate the IKE SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload indicating a UE's SPI.

7.10.3.2 UE-initiated IKE SA rekeying procedure completion p. 74

Upon reception of the CREATE_CHILD_SA request message in the IKE SA with a REKEY_SA Notify payload indicating a UE's SPI, if the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access accept the IKE SA rekeying request, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the N3IWF's SPI for untrusted non-3GPP access and the TNGF's SPI for trusted non-3GPP access to the SPI created by the CREATE_CHILD_SA request/response pair and shall set the UE's SPI to the UE's SPI created by the CREATE_CHILD_SA request/response pair.

7.10.3.3 Abnormal cases p. 74

If the UE receives a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access, the UE shall delete the IKE SA and any associated child SAs as specified in clause 7.4.

If the UE does not receive any CREATE_CHILD_SA response message from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.

7.11 IPsec SA rekeying procedure p. 74

7.11.1 General p. 74

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE may support the IPsec SA rekeying procedure as specified in RFC 7296. If the N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE support the IPsec SA rekying procedure, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall proactively rekey the IPsec SA. Upon rekeying of an IPsec SA, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall maintain the old IPsec for the incoming data while establishing the new one. The old IPsec shall be deleted upon the completion of the establishement of the new one by the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access. The UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access are separately responsible for enforcing their time expiration policies to rekey the IPsec when needed. RFC 7296 describes how to avoid the simultaneous IPsec SA and IKE SA rekeying.

7.11.2 N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure p. 74

7.11.2.1 N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure initiation p. 74

The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall initiate the IPsec SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the N3IWF's ESP SPI for untrusted non-3GPP access and the TNGF's ESP SPI for trusted non-3GPP access for the IPsec SA.

7.11.2.2 N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure completion p. 74

Upon reception of the CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the N3IWF's ESP SPI for untrusted non-3GPP access or the TNGF's ESP SPI for trusted non-3GPP access for the IPsec SA, if the UE accepts the IPsec SA rekeying request, the UE shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the UE's ESP SPI to the ESP SPI created by the CREATE_CHILD_SA request/response pair and shall set;

the N3IWF's ESP SPI for untrusted non-3GPP access; or
the TNGF's ESP SPI for trsuted non-3GPP access;

to the N3IWF's ESP SPI created by the CREATE_CHILD_SA request/response pair.

7.11.2.3 Abnormal cases p. 75

If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access receive a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the UE, the N3IWF shall delete the IPsec SA as specified in clause 7.7. Additionally, if the IPsec SA is the signalling IPsec SA, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall delete the IKE SA as specified in clause 7.4.

7.11.3 UE-initiated IPsec SA rekeying procedure p. 75

7.11.3.1 UE-initiated IPsec SA rekeying procedure initiation p. 75

The UE shall initiate the IPsec SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the UE's ESP SPI for the IPsec SA.

7.11.3.2 UE-initiated IPsec SA rekeying procedure completion p. 75

Upon reception of the CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the UE's ESP SPI for the IPsec SA, if the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access accept the IPsec SA rekeying request, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set:

the N3IWF's ESP SPI for untrusted non-3GPP access; and
the TNGF's ESP SPI for trusted non-3GPP access;

to the ESP SPI created by the CREATE_CHILD_SA request/response pair and shall set the UE's ESP SPI to the UE's ESP SPI created by the CREATE_CHILD_SA request/response pair.

7.11.3.3 Abnormal cases p. 75

If the UE receives a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access, the UE shall delete the IPsec SA as specified in clause 7.7. Additionally, if the IPsec SA is the signalling IPsec SA, the UE shall delete the IKE SA as specified in clause 7.4.

If the UE does not receive any CREATE_CHILD_SA response message from the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.