
Content for TS 31.102, Word version 17.6.0


M (Normative)  USIM application dedicated for IOPS |R13|

M.1  Introduction

IOPS (Isolated E-UTRAN Operation for Public Safety) allows network service to be provided to Public Safety users even when the network has no or only limited backhaul connectivity. One of the main issues in such cases is that the missing backhaul prevents authentication against the HSS. The solution defined for this uses local HSSs, which take over the responsibility for authentication in IOPS mode.
A problem identified for IOPS security when making use of a local HSS is the higher probability that a local HSS is compromised. Therefore the security solution described in TS 33.401 uses a local HSS with authentication credentials different from those of the standard HSS used in normal operation. Additionally, there may be several local HSSs, and to further limit the impact of a compromised local HSS, each local HSS should use its own authentication credentials.
The security solution described in TS 33.401 is therefore based on a USIM application dedicated for IOPS that uses derived individual keys per local HSS.
TS 23.401 Annex K specifies a PLMN identity dedicated for the IOPS mode of operation. Additionally, a USIM dedicated for IOPS uses an Access Control Class of '11' or '15'.

M.2  Features of the USIM dedicated for IOPS

The USIM dedicated for IOPS may be implemented as a single USIM on a UICC or as a secondary USIM application together with a normal USIM on one UICC. The USIM for IOPS is a regular USIM application: it contains all mandatory EFs defined for a USIM and may also include any of the optional EFs defined for a USIM.
The USIM dedicated for IOPS nevertheless has some specifics:
  • As specified in TS 23.401 Annex K, the Access Control Class in EF_ACC is set to either '11' or '15'. These specific values prevent UEs with other Access Control Classes from trying to attach to the IOPS network.
  • The entry for the USIM dedicated for IOPS in EF_DIR has a label starting with 'USIM-IOPS'.
In case multiple local HSSs are to be supported, the USIM should also support:
  • the AMF (Authentication Management Field) mechanism described in TS 33.401 Annex F.4.1;
  • an operator-specific mechanism to derive local HSS individual keys (see TS 33.401 Annex F.4).

M.3  Selection mechanisms

The method for selecting a USIM dedicated for IOPS is left to ME implementation.

N (Normative)  USIM supporting non-IMSI SUPI Type |R16|

N.1  Introduction

An IMSI-based USIM is a USIM application configured with a SUPI of type IMSI (i.e. service no. 130 in the USIM Service Table shall not be "available").
A non-IMSI-based USIM is a USIM application configured with a SUPI of a non-IMSI type (i.e. service no. 130 in the USIM Service Table shall be "available"). Examples of non-IMSI SUPI types are NSI, GCI and GLI.
The two USIM application types shall use different AID ranges, as defined in Annex O of TS 31.101.

N.2  Features of USIM supporting non-IMSI SUPI type

The non-IMSI-based USIM may be implemented as a single USIM application on a UICC or as a secondary USIM application together with an IMSI-based USIM on one UICC.
The non-IMSI-based USIM is a regular USIM application: it shall contain all mandatory EFs defined for a USIM application in the present document and may also include any of the optional EFs defined for a USIM application, except EF_IMSI.
No additional features are supported by the non-IMSI-based USIM.

N.3  Application selection procedure

Application selection is performed according to the procedures defined in clause 5.1.1.1, with the following provision:
The method for selecting a non-IMSI-based USIM is based on the presence of the corresponding application, with the associated AID, in EF_DIR, as defined in Annex O of TS 31.101.
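As an added example (not part of TS 31.102 or of any 3GPP/ETSI implementation), the Python below decodes the three files that Annexes M and N hinge on: EF_DIR, to list the USIM applications on the card and spot the 'USIM-IOPS' label of M.2; EF_ACC, to check for access class 11 or 15; and EF_UST, whose service no. 130 distinguishes IMSI-based from non-IMSI-based USIMs per N.1. It assumes the EF_DIR application-template coding of ETSI TS 102 221 (tag '61' wrapping a '4F' AID and a '50' label), the EF_ACC bit layout of clause 4.2.15 (byte 1 b8..b1 = AC15..AC8, byte 2 b8..b1 = AC7..AC0) and the UST bit numbering of clause 4.2.8. The AIDs, labels and file contents are constructed for the example; the non-IMSI AID range of TS 31.101 Annex O is not checked because its values are not given on this page.

```python
# Added example, not code from TS 31.102 or any reference implementation.
# Assumptions: EF_DIR records are ETSI TS 102 221 application templates
# ('61' { '4F' AID, '50' label }); EF_ACC is two bytes with bit n == AC n
# when read big-endian (TS 31.102 4.2.15); EF_UST service n is bit
# ((n-1) mod 8)+1 of byte ((n-1) div 8)+1 (TS 31.102 4.2.8).
# All sample card contents below are constructed for this example.
from dataclasses import dataclass

USIM_AID_PREFIX = bytes.fromhex("A0000000871002")  # 3GPP RID + USIM application code


def parse_tlv(data: bytes):
    """Yield (tag, value) pairs from a simple BER-TLV string with one-byte tags.
    Stops at 'FF', the padding EF_DIR uses for unused record bytes."""
    i = 0
    while i < len(data):
        tag = data[i]
        if tag == 0xFF:
            return
        length = data[i + 1]
        i += 2
        if length == 0x81:            # long form: one length byte follows
            length = data[i]
            i += 1
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV in record")
        i += length
        yield tag, value


@dataclass
class UsimApp:
    aid: bytes
    label: str


def parse_ef_dir(records) -> list:
    """Return the USIM applications listed in EF_DIR (one application template per record)."""
    apps = []
    for rec in records:
        for tag, template in parse_tlv(rec):
            if tag != 0x61:
                continue
            aid, label = None, ""
            for t, v in parse_tlv(template):
                if t == 0x4F:
                    aid = v
                elif t == 0x50:
                    label = v.decode("latin-1")
            if aid is not None and aid.startswith(USIM_AID_PREFIX):
                apps.append(UsimApp(aid, label))
    return apps


def is_iops_label(app: UsimApp) -> bool:
    """Annex M.2: the EF_DIR entry of a USIM dedicated for IOPS has a label starting 'USIM-IOPS'."""
    return app.label.startswith("USIM-IOPS")


def access_classes(ef_acc: bytes) -> set:
    """Decode EF_ACC into the set of access classes whose bit is set (bit n == AC n)."""
    if len(ef_acc) != 2:
        raise ValueError("EF_ACC is two bytes")
    bits = int.from_bytes(ef_acc, "big")
    return {n for n in range(16) if (bits >> n) & 1}


def has_iops_access_class(ef_acc: bytes) -> bool:
    """Annex M.2: an IOPS USIM carries AC '11' or '15' in EF_ACC."""
    return bool(access_classes(ef_acc) & {11, 15})


def service_available(ef_ust: bytes, service: int) -> bool:
    """True if service number `service` is marked available in EF_UST.
    A UST too short to contain the service means 'not available'."""
    idx, bit = divmod(service - 1, 8)
    return idx < len(ef_ust) and bool((ef_ust[idx] >> bit) & 1)


def supi_type(ef_ust: bytes) -> str:
    """Annex N.1: service no. 130 available <=> the USIM is configured with a non-IMSI SUPI."""
    return "non-IMSI" if service_available(ef_ust, 130) else "IMSI"


# --- constructed sample card content (hypothetical PIX values) ---------------
def _dir_record(aid: bytes, label: str, record_len: int = 40) -> bytes:
    body = b"\x4F" + bytes([len(aid)]) + aid + b"\x50" + bytes([len(label)]) + label.encode("ascii")
    return (b"\x61" + bytes([len(body)]) + body).ljust(record_len, b"\xFF")


AID_USIM = USIM_AID_PREFIX + bytes.fromhex("FFFFFFFF8907090000")
AID_IOPS = USIM_AID_PREFIX + bytes.fromhex("FFFFFFFF8907090001")
SAMPLE_EF_DIR = [_dir_record(AID_USIM, "USIM"), _dir_record(AID_IOPS, "USIM-IOPS")]
EF_ACC_NORMAL = bytes.fromhex("0020")   # AC 5
EF_ACC_IOPS = bytes.fromhex("0800")     # AC 11
EF_UST_IMSI = bytes(16) + b"\x00"       # 17 bytes, service 130 not available
EF_UST_NON_IMSI = bytes(16) + b"\x02"   # byte 17, b2 set: service 130 available


def describe(app: UsimApp, ef_acc: bytes, ef_ust: bytes) -> str:
    kind = "IOPS" if is_iops_label(app) and has_iops_access_class(ef_acc) else "regular"
    return f"{app.label}: {kind} USIM, AC={sorted(access_classes(ef_acc))}, SUPI type {supi_type(ef_ust)}"


if __name__ == "__main__":
    normal, iops = parse_ef_dir(SAMPLE_EF_DIR)
    print(describe(normal, EF_ACC_NORMAL, EF_UST_NON_IMSI))
    print(describe(iops, EF_ACC_IOPS, EF_UST_IMSI))
```

Note that an IOPS decision is made only when both the EF_DIR label and EF_ACC agree; a card whose label says 'USIM-IOPS' but whose EF_ACC carries an ordinary class would be attaching to the IOPS PLMN with the wrong access class, which is exactly what the '11'/'15' values are meant to prevent.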

O  Examples of NAS security contexts management in multiple registrations |R16|

Scenario 1. Columns show the content of the USIM files for the 3GPP access (EF_5GS3GPPLOCI, EF_5GS3GPPNSC) and for the non-3GPP access (EF_5GSN3GPPLOCI, EF_5GSN3GPPNSC); each NSC file has two records. Where a step only reads from the USIM, the values used are given in the Event column and the file columns are left empty.

Step | Event | EF_5GS3GPPLOCI | EF_5GS3GPPNSC Record 1 | EF_5GS3GPPNSC Record 2 | EF_5GSN3GPPLOCI | EF_5GSN3GPPNSC Record 1 | EF_5GSN3GPPNSC Record 2
1 | UE is authenticated to PLMN-A with dual connection (3GPP and non-3GPP) | GUTI-A1 | 3gppNSC-A1 | - | GUTI-A1 | n3gppNSC-A1 | -
2 | UE switches from PLMN-A to PLMN-B on non-3GPP; uses GUTI-A1 from EF_5GSN3GPPLOCI and n3gppNSC-A1 from EF_5GSN3GPPNSC | | | | | |
3 | UE successful REGISTRATION to PLMN-B on non-3GPP | GUTI-A1 | 3gppNSC-A1 | - | GUTI-B1 | n3gppNSC-B1 | n3gppNSC-A1
4 | UE successful REGISTRATION to PLMN-B over 3GPP | GUTI-B1 | 3gppNSC-B1 | - | GUTI-B1 | n3gppNSC-B1 | -
5 | UE switches off | | | | | |
6 | UE stores to USIM the 3GPP Security Context (PLMN-B) and the non-3GPP Security Context (PLMN-B) | GUTI-B1 | 3gppNSC-B1 | - | GUTI-B1 | n3gppNSC-B1 | -
7 | UE clears all Security Contexts | | | | | |
8 | UE switches on again | | | | | |
9 | UE reads from USIM the 3GPP Security Context (PLMN-B) and the non-3GPP Security Context (PLMN-B) | GUTI-B1 | 3gppNSC-B1 | - | GUTI-B1 | n3gppNSC-B1 | -
10 | UE tries to reconnect to PLMN-C over non-3GPP; uses GUTI-B1 from EF_5GSN3GPPLOCI and n3gppNSC-B1 from EF_5GSN3GPPNSC | | | | | |
11 | UE gets REGISTRATION successful on PLMN-C over non-3GPP | GUTI-B1 | 3gppNSC-B1 | - | GUTI-C1 | n3gppNSC-C1 | n3gppNSC-B1
12 | UE tries to reconnect to PLMN-C over 3GPP; uses GUTI-C1 from EF_5GS3GPPLOCI | | | | | |
13 | UE gets REGISTRATION successful on PLMN-C over 3GPP | GUTI-C2 | 3gppNSC-C1 | - | GUTI-C2 | n3gppNSC-C1 | -
14 | UE switches off | | | | | |
15 | UE stores to USIM the 3GPP Security Context (PLMN-C) and the non-3GPP Security Context (PLMN-C) | GUTI-C2 | 3gppNSC-C1 | - | GUTI-C2 | n3gppNSC-C1 | -
16 | UE switches to PLMN-D over non-3GPP | GUTI-C2 | 3gppNSC-C1 | - | GUTI-D1 | n3gppNSC-D1 | n3gppNSC-C1
17 | UE switches to PLMN-D over 3GPP | GUTI-D2 | 3gppNSC-D1 | - | GUTI-D2 | n3gppNSC-D1 | -
18 | UE switches to PLMN-C over non-3GPP | GUTI-D2 | 3gppNSC-D1 | - | GUTI-C3 | n3gppNSC-C2 | n3gppNSC-D1

$  Change history
