
Content for  TS 33.128  Word version:  18.6.0


7.9  LI for services encrypted by CSP-provided keys

7.9.1  LI for general AKMA-based service

7.9.1.1  General

This clause describes basic IRI-intercept for a generic, encrypted service between a target UE and an application in the CSP network, making use of AKMA-provided cryptographic keys according to TS 33.535.

7.9.1.2  Provisioning over LI_X1

7.9.1.2.1  General
The IRI-POI in the AAnF (AKMA Anchor Function), the IRI-TF in the AAnF, and the MDF2 shall be provisioned.
Details of provisioning of an IRI-POI at a network internal AF (Application Function) making use of AKMA services of the AAnF is in general service specific and not part of the present clause. Generally, triggering, rather than provisioning, could in some cases be necessary for the AF. An application independent generic triggering mechanism is defined in clause 7.9.1.2.3.
Provisioning of CC-intercept at the AF is service specific and not covered in the present document.
7.9.1.2.2  Provisioning of the IRI-POI and IRI-TF in AAnF
The IRI-POI and IRI-TF present in the AAnF are provisioned over LI_X1 by the LIPF using the X1 protocol as described in clause 5.2.2.
The IRI-POI and IRI-TF in the AAnF shall support the following target identifier formats:
Table 7.9.1.2-1 shows the minimum details of the LI_X1 ActivateTask message used for provisioning the IRI-POI and IRI-TF in the AAnF.

| ETSI TS 103 221-1 [7] field name | Description | M/C/O |
|---|---|---|
| XID | XID assigned by LIPF. | M |
| TargetIdentifiers | One of the target identifiers listed in the paragraph above. | M |
| DeliveryType | Set to "X2Only". | M |
| ListOfDIDs | Delivery endpoints for LI_X2 for the IRI-POI in the AMF. These delivery endpoints are configured using the CreateDestination message as described in ETSI TS 103 221-1 [7] clause 6.3.1 prior to the task activation. | M |

7.9.1.2.3  Triggering of the IRI-POI in AF
The IRI-POI present in the AF shall be triggered by the IRI-TF present in the AAnF over LI_T2 using the X1 protocol as described in clause 5.2.2. An AAnF can provide services for several different types of applications. Triggering could be service/application specific, which can affect whether or not certain conditional fields are included in the xIRI described in clause 7.9.1.4 below.
For all AFs a priori known to match the scope of the warrant, when the IRI-TF in the AAnF detects that an A-KID has been associated with a SUPI (see clause 7.9.1.3.2), it shall send an ActivateTask message to the IRI-POI present in the AF. The same shall apply if the AAnF detects that the A-KID of a target changes due to primary authentication. For AFs not a priori known at the AAnF, the ActivateTask message shall instead be sent when the IRI-TF in the AAnF detects that the AF performs an AKMA application key get associated with the A-KID. The ActivateTask message shall contain at least the following information.

| ETSI TS 103 221-1 [7] field name | Description | M/C/O |
|---|---|---|
| XID | Allocated by the IRI-TF as per ETSI TS 103 221-1 [7]. | M |
| TargetIdentifiers | A-KID associated with the AKMA Anchor Key (see Table 7.9.1.3-3 below). | M |
| DeliveryType | Set to "X2Only". | M |
| ListOfDIDs | Delivery endpoints for LI_X2. These delivery endpoints shall be configured by the IRI-TF in the SMF using the CreateDestination message as described in ETSI TS 103 221-1 [7] clause 6.3.1 prior to first use. | M |
| implicitDeactivationAllowed | Shall be set to "True". | M |
| ProductID | Shall be set to the XID of the Task Object associated with the interception at the CC-TF. This value shall be used by the CC-POI in the UPF to fill the XID of X3 PDUs. | M |

| Identifier type | Owner | ETSI TS 103 221-1 [7] TargetIdentifier type | Definition |
|---|---|---|---|
| A-KID | 3GPP | TargetIdentifierExtension / AKID | AKID (see XSD schema) |

When the IRI-POI present in the AF detects that a UE has requested the use of a targeted A-KID, it shall continue to generate xIRI events for that A-KID until it detects that the UE has requested the use of a different A-KID, at which point it shall implicitly deactivate the previous Task. In addition, the AAnF may at any time issue a DeactivateTask message against the Task, at which point the AF shall cease interception of the A-KID and remove the Task as per ETSI TS 103 221-1 [7] clause 6.2.3.
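
The triggering and implicit-deactivation rules of this clause, modelled in Python as an added example (it is not part of TS 33.128 or of any product). The class and method names, the opaque UE handle and the sample identifiers are assumptions; the ActivateTask field names are those of the table above.

```python
# Added illustration of clause 7.9.1.2.3; class and method names are hypothetical.
import uuid

class AfIriPoi:
    """AF side: one Task per targeted A-KID, implicitly deactivated on A-KID change."""
    def __init__(self):
        self.tasks = {}     # A-KID -> ActivateTask fields
        self.in_use = {}    # opaque UE handle (assumption) -> targeted A-KID in use

    def activate_task(self, task):
        self.tasks[task["TargetIdentifiers"]["AKID"]] = task

    def deactivate_task(self, xid):
        # Explicit DeactivateTask from the AAnF: cease interception, remove the Task.
        self.tasks = {k: t for k, t in self.tasks.items() if t["XID"] != xid}

    def ue_requests_akid(self, ue, akid):
        """Return True if xIRI generation applies to this request."""
        prev = self.in_use.get(ue)
        if prev is not None and prev != akid:
            self.tasks.pop(prev, None)      # implicit deactivation of the previous Task
            del self.in_use[ue]
        if akid in self.tasks:
            self.in_use[ue] = akid
            return True
        return False

class AanfIriTf:
    """AAnF side: decides when an ActivateTask is sent over LI_T2."""
    def __init__(self, known_afs, dids, product_id):
        self.known_afs, self.dids, self.product_id = known_afs, dids, product_id
        self.sent = []      # (AF id, XID) for every ActivateTask issued

    def _activate(self, af_id, poi, akid):
        task = {"XID": str(uuid.uuid4()), "TargetIdentifiers": {"AKID": akid},
                "DeliveryType": "X2Only", "ListOfDIDs": list(self.dids),
                "implicitDeactivationAllowed": True, "ProductID": self.product_id}
        poi.activate_task(task)
        self.sent.append((af_id, task["XID"]))

    def on_akid_bound_to_target(self, akid):
        # A-KID associated with a target SUPI, or changed by primary authentication:
        # every AF known a priori to match the warrant is triggered.
        for af_id, poi in self.known_afs.items():
            self._activate(af_id, poi, akid)

    def on_key_get(self, af_id, poi, akid, akid_is_targeted):
        # AFs not known a priori are triggered on their application key get.
        if akid_is_targeted and af_id not in self.known_afs:
            self._activate(af_id, poi, akid)
```
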

7.9.1.3  Generation of xIRI at IRI-POI in AAnF over LI_X2

7.9.1.3.1  General
The IRI-POI present in the AAnF shall send the xIRIs over LI_X2 for each of the events listed in clause 7.9.3.1 of TS 33.127, the details of which are described in the following clauses.
7.9.1.3.2  AAnF Anchor Key Register
The IRI-POI in the AAnF shall generate an xIRI containing an AAnFAnchorKeyRegister record when the IRI-POI present in the AAnF detects reception of an AKMA-context, i.e. an (A-KID, K_AKMA)-pair associated with a target, from the AUSF, see clause 7.1.2 of TS 33.535.

| Field name | Value | M/C/O |
|---|---|---|
| aKID | AKMA Anchor Key Identifier (see clause 4.4.2 of TS 33.535). | M |
| SUPI | SUPI associated with the A-KID. | M |
| kAKMA | AKMA Anchor Key (see clause 5.1 of TS 33.535). Shall be included if available. | C |

7.9.1.3.3  AAnF AKMA application key get
The IRI-POI in the AAnF shall generate an xIRI containing an AAnFAKMAApplicationKeyGet record when the IRI-POI present in the AAnF detects an AKMA application key get from an AF (directly or via NEF), see clauses 7.1.3 and 7.3.1 of TS 33.535.

| Field name | Value | M/C/O |
|---|---|---|
| Type | Indicates whether the AF requesting the key is internal to the network or external. | M |
| aKID | AKMA Anchor Key Identifier. | M |
| keyInfo | Key information for the requested derived AF-specific key (see Table 7.9.1.3-3). | M |

| Field name | Value | M/C/O |
|---|---|---|
| aFID | AKMA AF identifier of the AF associated with the derived AF-specific key. | M |
| kAF | Derived AF-specific key (see clauses 5.1 and A.4 of TS 33.535). | M |
| kAFExpTime | Expiry time associated with the derived AF-specific key. | M |

7.9.1.3.4  AAnF Start of intercept with established AKMA key material
The IRI-POI in the AAnF shall generate an xIRI containing an AAnFStartOfInterceptWithEstablishedAKMAKeyMaterial record when the IRI-POI present in the AAnF detects that interception is activated on a target UE that has already established AKMA key material.

| Field name | Value | M/C/O |
|---|---|---|
| aKID | AKMA Anchor Key Identifier (currently valid). | M |
| kAKMA | AKMA Anchor Key associated with aKID. | C |
| aFKeyList | List of all (aFID, kAF, kAFExpTime)-tuples which are available, have not expired and comply with provisioning. | C |

7.9.1.3.5  AAnF AKMA context removal
The IRI-POI in the AAnF shall generate an xIRI containing an AAnFAKMAContextRemovalRecord when the IRI-POI present in the AAnF receives a request from an NF to delete AKMA context, see clause 7.1.4 of TS 33.535.

| Field name | Value | M/C/O |
|---|---|---|
| aKID | AKMA Anchor Key Identifier. | M |
| nFInstanceID | Identity of NF originating the request encoded as per clause 5.3.2 of TS 29.571. | M |

7.9.1.4  Generation of xIRI at IRI-POI in AF over LI_X2

7.9.1.4.1  General
The IRI-POI present in the AF shall send the xIRIs over LI_X2 for each of the events listed in clause 7.9.3.1 of TS 33.127, the details of which are described in the following clauses.
7.9.1.4.2  AF Application key refresh
The IRI-POI in the AF shall generate an xIRI containing an AFAKMApplicationKeyRefresh record when the IRI-POI present in the AF detects that a K_AF-key previously obtained from an AAnF is being locally refreshed by the Ua* security protocol in use, see clause 6.4.3 of TS 33.535.

| Field name | Value | M/C/O |
|---|---|---|
| aFID | AKMA AF identifier. | M |
| aKID | AKMA Anchor Key Identifier. | M |
| kAF | New value of the AF-specific key, after refresh. | M |
| uaStarParams | Set of new Ua* security protocol parameters associated with kAF, if updated. | C |

7.9.1.4.3  AF Start of intercept with established AKMA application key
The IRI-POI in the AF shall generate an xIRI containing an AFStartOfInterceptWithEstablishedAKMAApplicationKey record when the IRI-POI present in the AF detects that interception is being triggered on a target UE that has already established an AKMA application key.

| Field name | Value | M/C/O |
|---|---|---|
| aFFQDN | FQDN-part of AKMA AF identifier. | M |
| aKID | AKMA Anchor Key Identifier. | M |
| kAFParamList | List of all available AFSecurityParams (see Table 7.9.1.4-3) which have not expired and where the Ua* security protocol parameters correspond to the set of security parameters used on the Ua* security protocol instance associated with K_AF, see clause 7.9.3.1.5 of TS 33.127. | M |

| Field name | Value | M/C/O |
|---|---|---|
| aFID | AF identifier. | M |
| aKID | AKMA Anchor Key Identifier. | M |
| kAF | AKMA derived AF-specific key associated with aKID and Ua* security protocol. | M |
| uaStarParams | Set of Ua* security protocol parameters after complete establishment/update. | M |

7.9.1.4.4  AF Auxiliary security parameter establishment
The IRI-POI in the AF shall generate an xIRI containing an AFAuxiliarySecurityParameterEstablishment record when the IRI-POI present in the AF detects that security parameters for the Ua* security protocol in use have been established with the target UE, or, when they have been updated without the associated AKMA application key having been refreshed according to clause 7.9.1.4.3.

| Field name | Value | M/C/O |
|---|---|---|
| aFSecurityParams | Auxiliary security parameters established (see Table 7.9.1.4-3). | M |

7.9.1.4.5  AF Application key removal
The IRI-POI in the AF shall generate an xIRI containing an AFApplicationKeyRemoval record when the IRI-POI present in the AF detects that an AKMA-derived AF-specific key is deleted or otherwise decommissioned.

| Field name | Value | M/C/O |
|---|---|---|
| aFID | AF identifier. | M |
| aKID | AKMA Anchor Key Identifier associated with removed key. | M |
| removalCause | Reason for the removal of the application key. | M |

7.9.1.5  Generation of IRI over LI_HI2

When an xIRI is received over LI_X2 from the IRI-POI in the AAnF or AF, the MDF2 shall send the IRI message over LI_HI2 without undue delay. The IRI message shall contain a copy of the relevant record received from LI_X2. The record may be enriched by other information available at the MDF.
The timestamp field of the ETSI TS 102 232-1 [9] PSHeader structure shall be set to the time at which the AAnF/AF event was observed (i.e. the timestamp field of the xIRI).
Table 7.9.1.5-1 shows the IRI type (see ETSI TS 102 232-1 [9] clause 5.2.10) to be used for each record type.

| Record type | IRI type |
|---|---|
| AAnFAnchorKeyRegister | BEGIN |
| AAnFKAKMAApplicationKeyGet | CONTINUE |
| AAnFStartOfInterceptWithEstablishedAKMAKeyMaterial | BEGIN |
| AAnFAKMAContextRemovalRecord | END |

IRI messages associated with the same A-KID from the same AAnF shall be assigned the same CIN.

| Record type | IRI type |
|---|---|
| AFAKMAApplicationKeyGet | BEGIN |
| AFAKMAApplicationKeyRefresh | CONTINUE |
| AFStartOfInterceptWithEstablishedAKMAApplicationKey | BEGIN |
| AFAuxiliarySecurityParameterEstablishment | CONTINUE |
| AFApplicationKeyRemoval | END |

IRI messages associated with the same AKID from the same AF shall be assigned the same CIN.
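
How an MDF2 could apply the rules of this clause, as an added Python example (not taken from TS 33.128 or from any implementation): the record-to-IRI-type mapping is copied from the two tables above, while the class, the dictionary layout of an xIRI, the integer CINs and the "orphan" consistency flag are assumptions made for illustration.

```python
from itertools import count

IRI_TYPE = {  # record type -> IRI type, copied from the two tables above
    "AAnFAnchorKeyRegister": "BEGIN",
    "AAnFKAKMAApplicationKeyGet": "CONTINUE",
    "AAnFStartOfInterceptWithEstablishedAKMAKeyMaterial": "BEGIN",
    "AAnFAKMAContextRemovalRecord": "END",
    "AFAKMAApplicationKeyGet": "BEGIN",
    "AFAKMAApplicationKeyRefresh": "CONTINUE",
    "AFStartOfInterceptWithEstablishedAKMAApplicationKey": "BEGIN",
    "AFAuxiliarySecurityParameterEstablishment": "CONTINUE",
    "AFApplicationKeyRemoval": "END",
}

class Mdf2:  # hypothetical model of the LI_X2 -> LI_HI2 step
    def __init__(self):
        self._cin = {}        # (source NF, A-KID) -> CIN
        self._next = count(1)
        self._begun = set()   # CINs for which a BEGIN has been sent and no END yet

    def to_iri(self, xiri):
        iri_type = IRI_TYPE[xiri["record"]]  # KeyError: record not listed in this clause
        key = (xiri["source"], xiri["aKID"])
        if key not in self._cin:             # same A-KID from same AAnF/AF -> same CIN
            self._cin[key] = next(self._next)
        cin = self._cin[key]
        # Local consistency check (an assumption, not a requirement on the page):
        # CONTINUE or END without an earlier BEGIN suggests a lost xIRI.
        orphan = iri_type != "BEGIN" and cin not in self._begun
        if iri_type == "BEGIN":
            self._begun.add(cin)
        elif iri_type == "END":
            self._begun.discard(cin)
        return {"iri_type": iri_type, "cin": cin, "orphan": orphan,
                "ps_header_timestamp": xiri["timestamp"],  # time the event was observed
                "record": dict(xiri["fields"])}            # copy of the LI_X2 record

def demo():
    """Constructed xIRIs: an AAnF and an AF both reporting on the same A-KID."""
    akid = "constructed-akid@example.invalid"
    seq = [("aanf-1", "AAnFAnchorKeyRegister"), ("aanf-1", "AAnFKAKMAApplicationKeyGet"),
           ("af-1", "AFAKMAApplicationKeyRefresh"), ("aanf-1", "AAnFAKMAContextRemovalRecord")]
    mdf = Mdf2()
    return [mdf.to_iri({"source": s, "record": r, "aKID": akid,
                        "timestamp": f"2024-01-01T00:00:0{i}Z", "fields": {"aKID": akid}})
            for i, (s, r) in enumerate(seq)]
```
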