
Content for  TS 33.256  Word version:  17.2.0


 

5.2.2  UUAA in EPS

5.2.2.1  General

The UAV USS authentication and authorization (UUAA) is the procedure to ensure that the UAV can be authenticated and authorized by a USS before the connectivity for UAS services is enabled. This clause specifies the relationship between authentication and UUAA. A UAV is allowed to perform UUAA with the USS/UTM only after the UAV (UE) has successfully completed authentication with the EPC. The SMF+PGW-C triggers the UUAA procedure if the UAV has an Aerial UE subscription and the UAV requests access to UAS services by providing the CAA-Level UAV ID of the UAV when attaching to the network.
The UUAA is performed between the UAV and the USS. The UAV is authenticated based on the CAA-Level UAV ID and credentials associated with the CAA-Level UAV ID. The authentication messages are included in a transparent container and conveyed between the UAV and the USS via a 3GPP UAS NF.
On successful completion of a UUAA, the USS sends UAS security information (if determined by the USS) in the UUAA Authorization Payload to the UAV. The contents of that security information are out of scope of the 3GPP specifications.
The UUAA procedure is described in clause 5.2.2.2.

5.2.2.2  UUAA procedure

The UUAA procedure is triggered by an SMF+PGW-C with the details described below, which considers only the security related parameters (see TS 23.256 for full details of the flows).
Figure 5.2.2.2-1: UUAA procedure
Step 1.
The SMF+PGW-C decides to trigger the UUAA procedure as described in TS 33.256.
Step 2.
The SMF+PGW-C sends a message Nnef_Auth_Req to the UAS NF, including the GPSI and the CAA-Level UAV ID, and the Aviation Payload if provided by the UE for USS to authenticate the UAV. The SMF+PGW-C may include other information in the request as in TS 23.256.
Step 3.
The UAS NF resolves the USS address based on CAA-Level UAV ID or uses the provided USS address. Only authorized USS shall be used in order to ensure only legitimate entities can provide authorization for UAVs. The UAS NF sends an Authentication Request to the USS. The Authentication Request shall include the GPSI, the CAA-Level UAV ID, a UAS NF Routing information (e.g., a FQDN or IP address) which uniquely identifies the UAS NF located in the 3GPP network that handles the UAV related messages exchanges with the corresponding external USS/UTM and the transparent container. Other information may also be included in this message as in TS 23.256.
Step 4.
The USS and the UE exchange Authentication messages:
Step 4a.
The USS replies to UAS NF with the Authentication Response message. It shall include the GPSI and a transparent container composed of an authentication message.
Step 4b.
The UAS NF sends the transparent container received in 4a to the SMF+PGW-C with the GPSI.
Step 4c.
The SMF+PGW-C forwards the transparent container to the UE over NAS MM transport messages.
Step 4d.
The UE responds to the SMF+PGW-C with an Authentication message embedded in a transparent container over a NAS MM transport message.
Step 4e.
The SMF+PGW-C sends a message Nnef_Auth_Req to the UAS NF, including the GPSI and the CAA-Level UAV ID, and the transparent container provided by the UE.
Step 4f.
The UAS NF sends an Authentication Request to the USS. The Authentication Request shall include the GPSI, the CAA-Level UAV ID and the transparent container.
Step 5.
The USS sends the UAS NF an Authentication Response message. The Authentication Response shall include the GPSI, the UUAA result (success/failure), the authorized CAA-level UAV ID, and a UUAA Authorization Payload that contains UAS security information if the USS has such information to send.
The UAS NF stores the GPSI, USS Identifier (and the binding with the GPSI) and the CAA-level UAV ID (and the binding with the GPSI).
Step 6.
The UAS NF sends the SMF+PGW-C an Authentication Response message, including the GPSI, the UUAA result (success/failure), the authorized CAA-level UAV ID, and the UUAA Authorization Payload received in step 5.
Step 7.
The SMF+PGW-C sends to the UE the UUAA result (success/failure) and the UUAA Authorization Payload received in step 5. The message(s) used in step 7 and any further actions the SMF+PGW-C takes are given in TS 23.256.
The SMF+PGW-C stores the results, together with the GPSI and the CAA-level UAV ID.
Step 8.
If the UUAA result is success, the UE shall store the authorization information, if received, such as UAS security information, along with the CAA-level UAV ID.

5.2.2.3  UUAA re-authentication procedure (EPC)

The USS may trigger the Re-authentication procedure for the UAV at any time. The description below considers only the security related parameters (for full details of the flows see TS 23.256).
Figure 5.2.2.3-1: UUAA re-authentication in EPS
Step 1.
The USS sends a re-authentication request for the UAV to UAS-NF that includes GPSI, CAA-Level UAV ID, and an Authentication message. It may contain the PDU Session IP address if available. The USS shall use the UAS NF Routing information received during the previous successful UUAA related to GPSI for sending the re-authentication request.
Step 2.
The UAS NF retrieves the UAV UE's context. The UE's context contains the identity mapping between the GPSI and the USS identifier that performed UAA. The UAS-NF verifies the USS re-authentication request by checking whether the GPSI and the USS identifier of the USS requesting the re-authentication match the stored mapping of GPSI and USS identifier. The UAS-NF shall only continue the re-authentication procedures if they match.
Step 3.
The UAS NF sends to the target SMF+PGW-C the UAA re-authentication request for the UE identified by the GPSI.
Step 4.
The UAS NF responds to the USS that the UAA Re-authentication has been initiated.
Step 5.
The SMF+PGW-C initiates re-authentication of the UAV as described for UUAA in clause 5.2.2.2 (step 4c to step 7).

5.2.2.4  UUAA Revocation

The USS may trigger revocation of UUAA at any time. The description below considers only the security related parameters (for full details of the flows see TS 23.256).
Figure 5.2.2.4-1: UUAA revocation in EPS
Step 1.
The USS sends a UUAA revocation request to the UAS-NF. The request includes the GPSI and the CAA-Level UAV ID.
Step 2.
The UAS NF retrieves the UAV UE's context. The UE's context contains identity mapping between the GPSI and the USS identifier that performed UUAA. The UAS-NF verifies the USS revocation request by checking whether the GPSI and the USS identifier of the USS requesting the revocation match the stored mapping of GPSI and USS identifier. The UAS-NF shall only continue the revocation procedures if they match.
Step 3a.
The UAS NF sends the UUAA revocation message for the UE identified by the GPSI to the target SMF+PGW-C. The target SMF+PGW-C shall respond to the UAS NF to indicate the revocation has been successful.
Step 3b.
The UAS NF responds back to the USS indicating that authorization revocation request has been successfully initiated as in TS 23.256 and the UAS NF shall delete the UUAA context.
Step 4.
The target SMF+PGW-C, on receiving the UUAA revocation notification message, determines to send a UUAA revocation indication to the UE. The target SMF+PGW-C informs the UE that UUAA is revoked and takes actions as described in TS 23.256, and the SMF+PGW-C shall delete the UUAA context being revoked.
Step 5.
The UE, on receiving the UAA revocation indication, shall delete all UUAA related authorization data corresponding to the CAA-Level-UAV ID.
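The binding check in step 2 of clauses 5.2.2.3 and 5.2.2.4, together with the context storage in step 5 of clause 5.2.2.2 and its deletion in step 3b, sketched as an added Python example that is not part of TS 33.256. The class, method names, return strings and sample identifiers are constructed; it assumes the requesting USS identifier is taken from the authenticated connection rather than from the message body, and that bindings are stored only on a successful UUAA.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UuaaContext:
    """Bindings the UAS NF stores in step 5 of clause 5.2.2.2."""
    uss_id: str      # USS identifier bound to the GPSI
    caa_uav_id: str  # authorized CAA-level UAV ID bound to the GPSI


class UasNfContextStore:
    """Hypothetical UAS NF context store keyed by GPSI."""

    def __init__(self):
        self._ctx = {}

    def on_uuaa_result(self, gpsi, uss_id, caa_uav_id, success):
        # Assumption: bindings are kept only when the UUAA result is success.
        if success:
            self._ctx[gpsi] = UuaaContext(uss_id, caa_uav_id)

    def _matches(self, gpsi, requesting_uss_id):
        # Step 2 of 5.2.2.3 and 5.2.2.4: the (GPSI, USS identifier) pair of
        # the requester must equal the stored mapping. requesting_uss_id is
        # assumed to come from the authenticated connection, not the payload.
        ctx = self._ctx.get(gpsi)
        return ctx is not None and ctx.uss_id == requesting_uss_id

    def handle_reauth(self, gpsi, requesting_uss_id):
        # Continue to the SMF+PGW-C (step 3) only on a match.
        return "forward_to_smf" if self._matches(gpsi, requesting_uss_id) else "reject"

    def handle_revocation(self, gpsi, requesting_uss_id):
        if not self._matches(gpsi, requesting_uss_id):
            return "reject"
        del self._ctx[gpsi]  # step 3b: the UAS NF deletes the UUAA context
        return "revoked"


def demo():
    """Constructed identifiers; returns the outcome of each request in order."""
    gpsi, owner, other = "msisdn-15550100001", "uss-a.example", "uss-b.example"
    nf = UasNfContextStore()
    nf.on_uuaa_result(gpsi, owner, "caa-uav-0001", success=True)
    return [
        nf.handle_reauth(gpsi, other),      # different USS
        nf.handle_reauth(gpsi, owner),      # USS that performed UUAA
        nf.handle_revocation(gpsi, other),  # different USS cannot revoke
        nf.handle_revocation(gpsi, owner),
        nf.handle_reauth(gpsi, owner),      # context gone after revocation
    ]
```

Because the context is deleted on revocation, a later re-authentication request from the same USS is rejected until a new UUAA stores a fresh binding.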