Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 24.502  Word version:  18.6.0

Top   Top   Up   Prev   Next
1…   4…   5…   5.3B…   6…   7…   7.2.5…   7.3…   7.3A…   7.4…   7.6…   7.9…   7.10…   8…   9…   9.3…   9.3.2…   9.3.2.2.3…   9.3.3…

 

7.10  IKE SA rekeying procedurep. 72

7.10.1  Generalp. 72

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE may support the IKE SA rekeying procedure as specified in RFC 7296. If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access and the UE support the IKE SA rekeying procedure, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall proactively rekey the IKE SA. Upon rekeying of an IKE SA, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall maintain the old SA for the incoming data while establishing the new one. The old SA shall be deleted upon the completion of the establishment of the new one by both the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access. The UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access are separately responsible for enforcing their time expiration policies to rekey the SA when needed. RFC 7296 describes how to avoid the simultaneous IPsec SA and IKE SA rekeying.
Up

7.10.2  N3IWF-initiated and TNGF-initiated IKE SA rekeying procedurep. 73

7.10.2.1  N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure initiationp. 73

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access shall initiate the IKE SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload indicating an N3IWF's SPI for untrusted non-3GPP access or an TNGF's SPI for trusted non-3GPP access.

7.10.2.2  N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure completionp. 73

Upon reception of the CREATE_CHILD_SA request message in the IKE SA with a REKEY_SA Notify payload indicating an N3IWF's SPI for untrusted non-3GPP access or an TNGF's SPI for trusted non-3GPP access, if the UE accepts the IKE SA rekeying request, the UE shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the UE's SPI to the SPI created by the CREATE_CHILD_SA request/response pair and shall set:
  1. the N3IWF's SPI for untrusted non-3GPP access to the N3IWF's SPI; or
  2. the TNGF's SPI for trusted non-3GPP access to the TNGF's SPI;
created by the CREATE_CHILD_SA request/response pair.
Up

7.10.2.3  Abnormal casesp. 73

If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access receive a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall delete the IKE SA and any associated child SAs as specified in clause 7.4.
If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access do not receive any CREATE_CHILD_SA response message from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
Up

7.10.3  UE-initiated IKE SA rekeying procedurep. 73

7.10.3.1  UE-initiated IKE SA rekeying procedure initiationp. 73

The UE shall initiate the IKE SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload indicating a UE's SPI.

7.10.3.2  UE-initiated IKE SA rekeying procedure completionp. 73

Upon reception of the CREATE_CHILD_SA request message in the IKE SA with a REKEY_SA Notify payload indicating a UE's SPI, if the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access accept the IKE SA rekeying request, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the N3IWF's SPI for untrusted non-3GPP access and the TNGF's SPI for trusted non-3GPP access to the SPI created by the CREATE_CHILD_SA request/response pair and shall set the UE's SPI to the UE's SPI created by the CREATE_CHILD_SA request/response pair.
Up

7.10.3.3  Abnormal casesp. 73

If the UE receives a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access, the UE shall delete the IKE SA and any associated child SAs as specified in clause 7.4.
If the UE does not receive any CREATE_CHILD_SA response message from the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
Up

7.11  IPsec SA rekeying procedurep. 74

7.11.1  Generalp. 74

The N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE may support the IPsec SA rekeying procedure as specified in RFC 7296. If the N3IWF for untrusted non-3GPP access, the TNGF for trusted non-3GPP access and the UE support the IPsec SA rekying procedure, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall proactively rekey the IPsec SA. Upon rekeying of an IPsec SA, the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall maintain the old IPsec for the incoming data while establishing the new one. The old IPsec shall be deleted upon the completion of the establishement of the new one by the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access. The UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access are separately responsible for enforcing their time expiration policies to rekey the IPsec when needed. RFC 7296 describes how to avoid the simultaneous IPsec SA and IKE SA rekeying.
Up

7.11.2  N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedurep. 74

7.11.2.1  N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure initiationp. 74

The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall initiate the IPsec SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the N3IWF's ESP SPI for untrusted non-3GPP access and the TNGF's ESP SPI for trusted non-3GPP access for the IPsec SA.

7.11.2.2  N3IWF-initiated and TNGF-initiated IPsec SA rekeying procedure completionp. 74

Upon reception of the CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the N3IWF's ESP SPI for untrusted non-3GPP access or the TNGF's ESP SPI for trusted non-3GPP access for the IPsec SA, if the UE accepts the IPsec SA rekeying request, the UE shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set the UE's ESP SPI to the ESP SPI created by the CREATE_CHILD_SA request/response pair and shall set;
  1. the N3IWF's ESP SPI for untrusted non-3GPP access; or
  2. the TNGF's ESP SPI for trsuted non-3GPP access;
to the N3IWF's ESP SPI created by the CREATE_CHILD_SA request/response pair.
Up

7.11.2.3  Abnormal casesp. 74

If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access receive a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the UE, the N3IWF shall delete the IPsec SA as specified in clause 7.7. Additionally, if the IPsec SA is the signalling IPsec SA, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall delete the IKE SA as specified in clause 7.4.
If the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access do not receive any CREATE_CHILD_SA response message from the UE, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall inform the AMF that the access stratum connection has been released.
Up

7.11.3  UE-initiated IPsec SA rekeying procedurep. 75

7.11.3.1  UE-initiated IPsec SA rekeying procedure initiationp. 75

The UE shall initiate the IPsec SA rekeying procedure by sending a CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the UE's ESP SPI for the IPsec SA.

7.11.3.2  UE-initiated IPsec SA rekeying procedure completionp. 75

Upon reception of the CREATE_CHILD_SA request message with a REKEY_SA Notify payload including a Protocol ID set to "3" and the UE's ESP SPI for the IPsec SA, if the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access accept the IPsec SA rekeying request, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall send a CREATE_CHILD_SA response message without an IKEv2 notify payload indicating an error, shall set:
  1. the N3IWF's ESP SPI for untrusted non-3GPP access; and
  2. the TNGF's ESP SPI for trusted non-3GPP access;
to the ESP SPI created by the CREATE_CHILD_SA request/response pair and shall set the UE's ESP SPI to the UE's ESP SPI created by the CREATE_CHILD_SA request/response pair.
Up

7.11.3.3  Abnormal casesp. 75

If the UE receives a CREATE_CHILD_SA response message with an IKEv2 notify payload indicating an error from the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access, the UE shall delete the IPsec SA as specified in clause 7.7. Additionally, if the IPsec SA is the signalling IPsec SA, the UE shall delete the IKE SA as specified in clause 7.4.
If the UE does not receive any CREATE_CHILD_SA response message from the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access, the UE shall discard all states associated with the IKE SA and any child SAs that were negotiated using that IKE SA. In addition, the UE shall inform the upper layers that the access stratum connection has been released.
Up

7AVoid


Up   Top   ToC