
Content for  TR 33.854  Word version:  17.1.0


6.3  Solution #3: UAV authentication and authorization by USS/UTM during Registration

6.3.1  Solution overview

This solution addresses Key Issue#1 "UAS Authentication and Authorization".
This solution is applicable to 5GS and to both UAV and networked UAV-C.
This solution enables authentication and authorization (A&A) with a USS/UTM during registration, after successful completion of primary authentication, in a procedure similar to Network Slice Specific Authentication and Authorization (NSSAA). An API-based authentication procedure is triggered by the AMF following a Registration procedure, based on the UE subscription and capabilities information. The A&A procedure by the USS/UTM is performed using non-3GPP credentials (e.g. CAA-level UAV ID, certificate). The AMF transparently forwards the authentication messages between the UAV and the USS/UTM. The solution proposes an A&A Proxy function to be used for A&A communication with the USS/UTM. This A&A Proxy function may be integrated in the UAS-NF as defined in TR 23.754, clause 8.
The USS/UTM may initiate UAV authorization revocation at any time after successful completion of authorization procedure.

6.3.2  Solution details

6.3.2.1  UAV authentication and authorization by USS/UTM

The procedure for UAV Authentication and Authorization by USS/UTM during registration is depicted in Figure 6.3.2.1-1. The same procedure may be used with a networked UAV-C.
Figure 6.3.2.1-1: Procedure for UAV authentication and authorization with USS/UTM during registration
Pre-condition:
The UAV is configured with a long-term UAV ID (e.g. serial number, CAA registration id) and credentials used for authentication by USS/UTM. The UAV ID and credentials are obtained by means outside of 3GPP scope.
Step 1.
The UE sends a Registration Request message including its UE id, a UAV id and UAV communications capabilities. UE may provide a USS/UTM address if available.
Step 2.
If the UE is not already authenticated by the network, a primary authentication procedure is performed.
Step 3.
The AMF determines whether a UAV A&A by USS/UTM is required based on:
  • Subscription information (i.e., whether the UE is authorized for UAS operations).
  • Whether the UAV is undergoing an A&A by USS/UTM procedure, or has previously performed such a procedure successfully and the authorization was allowed and is still valid.
Step 4.
AMF sends in the Registration Accept message a pending UAV A&A indication. UE refrains from establishing PDU Session dedicated to UAS communications until the successful completion of the following A&A steps. The Registration Accept message may include some other configuration information such as allowed UAS communication modes/types (e.g. network assisted, direct). The UE sends a Registration Complete if this is an initial Registration.
Step 5.
AMF triggers an API-based UAV A&A by USS/UTM procedure. UE is authenticated using UAV credentials (e.g. CAA-level UAV ID, certificate). During the procedure, the AMF provides the USS/UTM with a 3GPP UAV ID (e.g. GPSI as External id) and AMF may receive a CAA-level UAV id (e.g. a temporary Session id) from USS/UTM. The AMF stores the CAA-level UAV id in the UE context. The AMF may use the CAA-level UAV id to determine whether to perform UAV A&A as described in step 2. The AMF provides the CAA-level UAV id and to the UE in the following step.
Step 6.
Upon successful UAV A&A by USS/UTM, AMF initiates the UE Configuration Update procedure to deliver authorized UAS Configuration parameters to the UE. The UAS Configuration may include the following parameters to be used for UAS communication setup: the CAA-level UAV ID, S-NSSAI/DNN. The CAA-level UAV ID is used for remote or broadcast Remote ID.
Step 7.
The UE establishes a PDU Session using authorized UAS parameters as provided in step 6 (e.g. CAA-level UAV ID).
Step 8.
The UE receives a PDU Session Establishment Accept message authorizing UAS communications.
Step 9.
The UE exchanges UAS traffic with peer UAV-C.
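The AMF-side bookkeeping of steps 3 to 8, as an added sketch that is not taken from the TR. All names are hypothetical; resetting the state on a failed A&A run and refusing the UAS PDU session on the network side (the text only says the UE refrains) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Uuaa(Enum):  # hypothetical names for the A&A state kept in the UE context
    NONE = "none"
    PENDING = "pending"
    AUTHORIZED = "authorized"


@dataclass
class UeContext:
    aerial_subscription: bool                 # step 3, first bullet
    uuaa: Uuaa = Uuaa.NONE                    # step 3, second bullet
    caa_level_uav_id: Optional[str] = None    # stored by the AMF in step 5


def uuaa_required(ctx: UeContext) -> bool:
    """Step 3: A&A is needed if subscribed and no run is ongoing or still valid."""
    return ctx.aerial_subscription and ctx.uuaa is Uuaa.NONE


def register(ctx: UeContext) -> dict:
    """Step 4: Registration Accept carries the pending UAV A&A indication."""
    if uuaa_required(ctx):
        ctx.uuaa = Uuaa.PENDING
    return {"msg": "Registration Accept", "pending_uav_aa": ctx.uuaa is Uuaa.PENDING}


def complete_uuaa(ctx: UeContext, success: bool, caa_id: Optional[str]) -> None:
    """Steps 5-6: on success keep the CAA-level UAV ID received from the USS/UTM."""
    if ctx.uuaa is not Uuaa.PENDING:
        raise RuntimeError("no A&A run in progress")
    # Assumption: a failed run leaves the UE unauthorized with nothing stored.
    ctx.uuaa = Uuaa.AUTHORIZED if success else Uuaa.NONE
    ctx.caa_level_uav_id = caa_id if success else None


def uas_pdu_session_allowed(ctx: UeContext) -> bool:
    """Steps 7-8: assumed network-side gate, open only after successful A&A."""
    return ctx.uuaa is Uuaa.AUTHORIZED
```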

6.3.2.2  USS/UTM triggered UAV authorization revocation

The procedure for UAV authorization revocation by USS/UTM is depicted in Figure 6.3.2.2-1.
Figure 6.3.2.2-1: Procedure for USS/UTM triggered UAV authorization revocation
Pre-condition:
UAV has been previously authorized by USS/UTM according to procedure 6.3.2.1.
Step 1.
The USS/UTM determines that the UAV authorization is to be revoked.
Step 2.
The USS/UTM sends an Authorization revocation request to the A&A Proxy providing the 3GPP UAV ID of the target UAV.
Step 3.
The Proxy A&A determines the AMF serving the UAV by querying the UDM with the 3GPP UAV ID, and forwards the request to the AMF.
Step 4.
The AMF checks if there are any active PDU sessions used for UAS communications (used with USS/UTM and/or UAV-C).
Step 5.
[Conditional] If the above check is positive, the AMF initiates a PDU session release procedure for all applicable PDU sessions.
Step 6.
The AMF initiates a UCU procedure to revoke authorization information that was stored in the UE based on procedure 6.3.2.1, or initiates a DeRegistration procedure indicating the cause of deregistration.
Step 7.
The AMF sends an Authorization revocation response to the A&A Proxy confirming revocation of UAV authorization.
Step 8.
The A&A Proxy forwards the Authorization revocation response to the USS/UTM providing the 3GPP UAV ID and CAA-level UAV ID confirming revocation of authorization for the specified UAV.
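The revocation path of steps 2 to 8, as an added sketch that is not taken from the TR. Class names, the dictionary layout and the sample identifiers are hypothetical, the UDM is a plain lookup table, only the UCU branch of step 6 is modelled, and the unknown-UAV reply is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Amf:
    ues: dict = field(default_factory=dict)  # 3GPP UAV ID -> UE context (hypothetical layout)

    def revoke(self, uav_id: str) -> dict:
        ue = self.ues[uav_id]
        # Steps 4-5: release only the PDU sessions used for UAS communications.
        released = [s["id"] for s in ue["pdu_sessions"] if s["uas"]]
        ue["pdu_sessions"] = [s for s in ue["pdu_sessions"] if not s["uas"]]
        # Step 6 (UCU branch): drop the authorization stored by procedure 6.3.2.1.
        caa_id = ue["caa_level_uav_id"]
        ue["caa_level_uav_id"], ue["authorized"] = None, False
        # Step 7: response to the A&A Proxy.
        return {"revoked": True, "3gpp_uav_id": uav_id,
                "caa_level_uav_id": caa_id, "released": released}


class AaProxy:
    def __init__(self, udm: dict):
        self.udm = udm  # 3GPP UAV ID -> serving AMF; stands in for the UDM query (step 3)

    def handle_revocation(self, uav_id: str) -> dict:
        amf = self.udm.get(uav_id)
        if amf is None or uav_id not in amf.ues:
            # Assumption: the page does not define the unknown-UAV case.
            return {"revoked": False, "3gpp_uav_id": uav_id}
        return amf.revoke(uav_id)  # step 8: forwarded with both identifiers


def build_sample():
    """Constructed data: one authorized UAV with one UAS and one non-UAS session."""
    uav_id = "gpsi-constructed-001"
    amf = Amf({uav_id: {"authorized": True, "caa_level_uav_id": "caa-constructed-0001",
                        "pdu_sessions": [{"id": 1, "uas": False}, {"id": 5, "uas": True}]}})
    return AaProxy({uav_id: amf}), amf, uav_id
```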

6.3.3  Solution evaluation

This solution is aligned with TR 23.754 conclusions for UAV authentication and authorization by USS/UTM (UUAA) during Registration, including the usage of a generic (API based) procedure using a UAS NF.
This solution fully addresses the requirements of Key Issue #1:
  • The solution uses a generic (i.e., API based) procedure for UUAA during Registration via a Proxy A&A (UAS NF). The UE includes its CAA-level UAV ID to register for UAS services. After a successful primary authentication, the AMF triggers a UUAA if the UE has a valid Aerial subscription and if there is no UUAA ongoing or a valid result from a successful prior UUAA run. The AMF triggers UUAA after sending a Registration Accept message indicating a pending UUAA. The authentication method and content of authentication message used for UUAA are not in 3GPP scope.
  • The solution enables the revocation of UAV authorization by the USS/UTM. The revocation request is received by the UAS NF which notifies the AMF. AMF may trigger a PDU Session release for the relevant PDU Sessions (used for communication USS/UTM and/or for C2 communications) and/or a DeRegistration procedure.
  • Authentication of USS/UTM is handled by the Proxy A&A function by means of provisioned aviation domain certificates. USS/UTM address may be obtained from UE or from a trusted resolution function which provides a USS/UTM address based on a CAA-level UAV ID.
The API-based procedure introduces a new mechanism compared to the existing EAP framework.