The solution uses a UAV Flight Enablement Subsystem (UFES) as a single point of contact between the PLMN and the USS/UTM in order to limit the impact on the 3GPP system, although the UFES is not strictly necessary for the authentication and authorization solution to work. The authentication and authorization procedures are shown for a UAV connected to 5GS, where the authentication/authorization takes place during PDU session establishment. The procedure in 220.127.116.11 is used to authenticate and authorize a UAV to allow pairing with a UAVC.
shows how the UAV can be authenticated and authorized by the USS/UTM to allow a connection with a paired UAVC. The flows assume that the UAV has already connected to 5GS and been authorized to act as a UAV (see for example solution #6.8).
In the following steps, if multiple PDU sessions are established for UAV to USS/UTM and UAV to UAVC communications, respectively, the first PDU session established is for UAV to USS communications. In case of multiple PDU sessions, the UAV provides the information related to authorizing the pairing between the UAV and UAVC only during the establishment of the PDU session for UAV to UAVC communications.
The steps are as follows:
1. The UAV sends a PDU Session Establishment Request to the SMF with an indication that the PDU session is for UAV operation. The UAV also includes the Aviation Connectivity payload, which contains the allocated CAA-level UAV ID and flight/pairing information.
2. The SMF obtains the SM information from the UDM.
3. The SMF requests UAV authentication and authorization from the UFES and includes the Aviation Connectivity payload in the request.
4. The UFES forwards the information to the USS/UTM.
5a, 5b. There can be several round trips required for authentication of the UAV by the USS/UTM, depending on the authentication method used by the USS/UTM and the UAV. The authentication method and the content of the messages used for authentication are out of scope of 3GPP. The content of the messages is carried in containers that are passed along and not processed by the entities between the UAV and the USS/UTM.
6. On successful authentication and authorization of the UAV, the USS/UTM stores the 3GPP UAV ID together with the CAA-level UAV ID. The USS/UTM informs the UFES that the UAV has been successfully authenticated and authorized by the USS/UTM. The USS/UTM includes authorization information for both the network and the UAV.
7. The UFES further informs the SMF that the UAV has been successfully authenticated and authorized by the USS/UTM. The UFES passes the received authorization information on to the SMF. The SMF stores the network authorization information as part of the UE context. The network authorization information further indicates whether USS/UTM authentication and authorization is required during future registrations and whether to allow the UE to establish PDU session(s) dedicated to the UAS service with or without further USS/UTM authentication and authorization. The network part of the authorization data contains authorization information applicable to existing PDU sessions, which influences SMF decisions for the traffic of those PDU sessions. For example, the information may indicate that all connectivity of the UAV except the connectivity to the USS/UTM is to be disabled.
8. The SMF triggers a PDU Session Establishment Accept message to the UE. The message contains the UAV authorization information. Part of the contents of the UAV authorization information may be passed to the UAV without modification by any entity between the USS/UTM and the UAV. The UAV authorization information contains any needed aviation information, e.g. a new CAA-level UAV ID.
9. If multiple PDU sessions are used, then the UE triggers a PDU session establishment for C2 traffic. This follows steps 1 to 8. In the case of C2 traffic, the USS/UTM provides the necessary information on the UAV-C to allow the network to set the traffic filters in the PDU session to allow connectivity to the UAV-C.
10. The SMF establishes the necessary flow(s) to enable the communication between the UAV and the UAVC, and C2 traffic can be sent between the UAV and the UAVC.
shows how the authorization for some connectivity can be revoked.
1. The USS/UTM decides to revoke the UAV's authorization for some connectivity.
2. The USS/UTM sends an Authorization Revoke request to the UFES including the 3GPP UAV ID and the details of the connectivity to be revoked (e.g. the UAV-C's IP address, when a pairing with a UAV-C is no longer needed). Before proceeding with the revocation, the UFES checks that the requesting USS/UTM is the one that authorized the UAV.
3. The UFES passes the Authorization Revoke request to the relevant SMF(s), which are selected based on the details of the connectivity to be revoked.
4. The SMF removes the connectivity of the UAV based on the received details (e.g. prevents the UAV from communicating with the UAV-C). This is performed using PDU session release (e.g. when removing one of multiple PDU sessions) or PDU session modification (e.g. when restricting connectivity in the single-PDU-session case).
5. The SMF confirms to the UFES that the revocation of connectivity has happened.
6. The UFES confirms to the USS/UTM that the revocation of connectivity has happened.
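The state the UFES has to keep for the pairing authorization (steps 6 to 9 of the authorization flow) and the "was this the authorizing USS/UTM" check in step 2 of the revocation flow, as an added Python model that is not part of this document or of any 3GPP implementation. The class and method names, the 3GPP/CAA identifiers, the USS names and the IP addresses are all constructed assumptions; the SMF is reduced to a per-destination filter lookup.

```python
from dataclasses import dataclass, field
@dataclass
class UavContext:
    caa_uav_id: str        # CAA-level UAV ID known to the USS/UTM
    authorizing_uss: str   # the USS/UTM that authorized this UAV
    allowed_peers: set = field(default_factory=set)  # destinations the SMF may open
class Ufes:
    """Assumed UFES state: single point of contact between PLMN and USS/UTM."""
    def __init__(self):
        self.contexts = {}  # 3GPP UAV ID -> UavContext

    def record_authorization(self, gpp_uav_id, caa_uav_id, uss_id, uss_address):
        # Steps 6-7: on success the network authorization initially permits
        # connectivity to the USS/UTM only; the pairing is added later.
        self.contexts[gpp_uav_id] = UavContext(caa_uav_id, uss_id, {uss_address})

    def authorize_pairing(self, gpp_uav_id, uss_id, uavc_address):
        # Step 9: USS/UTM supplies UAV-C details so the SMF can open C2 filters.
        ctx = self.contexts.get(gpp_uav_id)
        if ctx is None or ctx.authorizing_uss != uss_id:
            return False
        ctx.allowed_peers.add(uavc_address)
        return True

    def revoke(self, gpp_uav_id, requesting_uss, uavc_address):
        # Revocation step 2: only the USS/UTM that authorized the UAV may revoke.
        ctx = self.contexts.get(gpp_uav_id)
        if ctx is None:
            return "unknown-uav"
        if ctx.authorizing_uss != requesting_uss:
            return "rejected"        # another USS/UTM cannot revoke this UAV
        if uavc_address not in ctx.allowed_peers:
            return "not-authorized"  # nothing to revoke for this peer
        ctx.allowed_peers.discard(uavc_address)  # SMF releases/modifies the session
        return "revoked"

def smf_permits(ufes, gpp_uav_id, dst_address):
    """SMF traffic-filter decision taken from the stored network authorization."""
    ctx = ufes.contexts.get(gpp_uav_id)
    return ctx is not None and dst_address in ctx.allowed_peers

def demo():
    # Constructed sample identifiers and addresses, not from any real deployment.
    ufes = Ufes()
    ufes.record_authorization("3gpp-uav-0001", "caa-abc123", "uss-A", "198.51.100.10")
    ufes.authorize_pairing("3gpp-uav-0001", "uss-A", "203.0.113.7")
    before = smf_permits(ufes, "3gpp-uav-0001", "203.0.113.7")
    wrong = ufes.revoke("3gpp-uav-0001", "uss-B", "203.0.113.7")  # wrong USS
    right = ufes.revoke("3gpp-uav-0001", "uss-A", "203.0.113.7")
    return before, wrong, right, smf_permits(ufes, "3gpp-uav-0001", "203.0.113.7")
```

`demo()` returns `(True, "rejected", "revoked", False)`: C2 traffic is permitted only while the pairing is authorized, and a revoke from a USS/UTM other than the authorizing one is refused without touching the session.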