
Content for  TR 33.854  Word version:  17.1.0



6.10  Solution #10: Authentication and authorization of UAVs

6.10.1  Solution overview

This solution addresses Key issue #1: UAS Authentication and Authorization.

6.10.2  Solution details

General

The solution uses a UAV Flight Enablement Subsystem (UFES) as a single point of contact between the PLMN and the USS/UTM in order to limit the impact on the 3GPP system, although the UFES is not strictly necessary for the authentication and authorization solution to work. The authentication and authorization procedures are shown for a UAV connected in 5G, with the authentication/authorization taking place after registration, but similar procedures could be used during registration and during PDU connection establishment, with the SMF playing the role of the AMF. The procedures in clause are used to authenticate and authorize the UAV so that connectivity for UAS services can be enabled.

Authentication and authorization of a UAV

Figure shows how the UAV can be authenticated and authorized by the USS/UTM to access the 3GPP network as a UAV, i.e. it is assumed in this flow that the authentication and authorization will happen.
Figure: Authentication and authorization of a UAV
The steps are as follows:
Step 1.
The UAV sends a Registration Request to the AMF requesting to register as UAV. The UE includes USS/UTM routing information in the Registration Request message.
Step 2.
Primary authentication and NAS security establishment are performed.
Step 3.
The AMF sends the Registration Accept message to the UAV indicating that the UAV needs to be authorized by the USS/UTM.
Step 4.
Based on subscription information and local policies, the AMF requests UAV authentication and authorization from UFES including the USS/UTM routing information. The UFES is selected using the USS/UTM routing information.
Step 5.
The UFES triggers an authentication and authorization request including the CAA-level UAV ID if available from the USS/UTM. The correct USS/UTM is selected using the USS/UTM routing information and a USS/UTM will only be selected if it has been authorized to act as one. The UFES includes the 3GPP UAV ID in the request.
Step 6a. and 6b.
There can be several round trips required for authentication of the UAV by the UTMs depending on the authentication method used by the USS/UTM and UAV. The authentication method and the content of messages used for authentication are out of scope of 3GPP. The content of the messages is carried in containers that are passed along and not processed by the entities between the UAV and USS/UTM.
Step 7.
On a successful authentication and authorization of the UAV, the USS/UTM stores the 3GPP UAV ID with the CAA-level UAV ID. The USS/UTM informs the UFES that the UAV has been successfully authenticated and authorized by the USS/UTM. The USS/UTM includes authorization information for both the network and the UAV.
Step 8.
The UFES further informs the AMF that the UAV has been successfully authenticated and authorized by the USS/UTM. The UFES passes the received authorization information onto the AMF.
Step 9.
The AMF stores the network authorization information as part of the UE context. The network authorization information further indicates whether USS/UTM authentication and authorization is required during future registrations and whether to allow the UE to establish PDU session(s) dedicated for the UAS service with or without further USS/UTM authentication and authorization.
The AMF triggers a UE Configuration Update (UCU) procedure to inform the UE that the UAV authentication and authorization has been successful. The UCU procedure contains the UAV authorization information. Part of the contents of the UAV authorization information may be passed to the UAV without modification by any entities between the USS/UTM and the UAV. The UAV uses the UAV authorization information to check whether it is authorized by the network to act as a UAV and to receive any needed aviation information, e.g. a CAA-level UAV ID.

Revocation

Figure shows how the authorization can be revoked.
Figure: UAV revocation
The steps are as follows:
Step 1.
The USS/UTM decides to revoke the UAV's authorization.
Step 2.
The USS/UTM sends an Authorization Revoke request to the UFES including the 3GPP UAV ID of the UAV to be revoked.
Step 3.
The UFES passes the Authorization Revoke request to the AMF.
Step 4.
The AMF revokes the authorization to act as a UAV. A consequence of the revocation is the release of all connections.
Step 5.
The AMF confirms to the UFES that the revocation has happened.
Step 6.
The UFES confirms to the USS/UTM that the revocation has happened.
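
The two flows above (authentication and authorization steps 4 to 9, and revocation steps 2 to 4) modelled as a small Python sketch. This is an added example, not part of TR 33.854: every class, method and field name is an assumption made for illustration, as are the `None` return on failure (the flow describes the successful case only) and the rule that a UAS session needs a stored authorization.

```python
# Added sketch of Solution #10; every class, method and field name is an
# assumption for illustration, not a 3GPP-defined service operation.
class USS:
    """USS/UTM: authenticates the UAV and stores the ID binding (step 7)."""
    def __init__(self, credentials):
        self.credentials = credentials  # constructed: opaque container -> CAA-level UAV ID
        self.bindings = {}              # 3GPP UAV ID -> CAA-level UAV ID

    def authenticate(self, uav_3gpp_id, container):
        caa_id = self.credentials.get(container)
        if caa_id is None:
            return None                 # failure handling is assumed; the flow shows success only
        self.bindings[uav_3gpp_id] = caa_id
        return {"network": {"reauth_on_registration": True, "pdu_needs_uss_auth": False},
                "uav": {"caa_level_uav_id": caa_id}}

class UFES:
    """Single contact point; relays the container without parsing it (step 6)."""
    def __init__(self, authorized_uss):
        self.authorized_uss = authorized_uss  # routing info -> USS, authorized entries only

    def request_auth(self, routing, uav_3gpp_id, container):
        uss = self.authorized_uss.get(routing)  # step 5: unlisted USS/UTM is never selected
        return uss.authenticate(uav_3gpp_id, container) if uss else None

    def revoke(self, amf, uav_3gpp_id):         # revocation steps 2-3
        return amf.revoke(uav_3gpp_id)

class AMF:
    def __init__(self, ufes):
        self.ufes, self.ue_context = ufes, {}

    def authorize_uav(self, uav_3gpp_id, routing, container):  # steps 4-9
        info = self.ufes.request_auth(routing, uav_3gpp_id, container)
        if info is None:
            return None
        self.ue_context[uav_3gpp_id] = {"authz": info["network"], "sessions": set()}
        return info["uav"]              # sent to the UAV in the UCU procedure

    def open_uas_session(self, uav_3gpp_id, session_id):
        ctx = self.ue_context.get(uav_3gpp_id)
        if ctx is None:                 # assumed policy: no stored authorization, no UAS session
            return False
        ctx["sessions"].add(session_id)
        return True

    def revoke(self, uav_3gpp_id):      # revocation step 4: drop context, release everything
        ctx = self.ue_context.pop(uav_3gpp_id, None)
        return sorted(ctx["sessions"]) if ctx else []
```

`UFES.revoke` returns the sessions the AMF released, and a request routed to a USS/UTM that is not in the UFES's authorized table never reaches any USS/UTM.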

6.10.3  Solution evaluation

This solution addresses key issue #1 during registration to a 5G network. The solution provides a method for the USS/UTM to authenticate and authorize a UAV before the UAV can access UAS services from the 3GPP system. The solution also provides a method of revoking the authorization and only authorized USS/UTMs can provide the authorizations for UAVs.
