WO2024245615A1 - Data session establishment in a wireless communication network - Google Patents
Data session establishment in a wireless communication network
- Publication number
- WO2024245615A1 (PCT/EP2024/057807)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- message
- data session
- access resource
- indication
- interworking function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/02—Terminal devices
- H04W88/06—Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
Definitions
- the subject matter disclosed herein relates generally to the field of establishing a data session in a wireless communication network.
- this document defines a user equipment for wireless communication, a processor for wireless communication, a method performed by a user equipment, a first network entity for wireless communication and a method performed by a first network entity.
- a wireless communications system may include one or multiple network communication devices, such as base stations, which may support wireless communications for one or multiple user communication devices, which may be otherwise known as user equipment (UE), or other suitable terminology.
- the wireless communications system may support wireless communications with one or multiple user communication devices by utilizing resources of the wireless communication system (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers, or the like).
- the wireless communications system may support wireless communications across various radio access technologies including third generation (3G) radio access technology, fourth generation (4G) radio access technology, fifth generation (5G) radio access technology, among other suitable radio access technologies beyond 5G (e.g., sixth generation (6G)).
- the phrase “based on” shall not be construed as a reference to a closed set of conditions. For example, an example step that is described as “based on condition A” may be based on both a condition A and a condition B without departing from the scope of the present disclosure. In other words, as used herein, the phrase “based on” shall be construed in the same manner as the phrase “based at least in part on”. Further, as used herein, including in the claims, a “set” may include one or more elements.
- a user equipment for wireless communication comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the user equipment to: send, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receive, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected; send, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receive, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- a processor for wireless communication comprising: at least one controller coupled with at least one memory and configured to cause the processor to: send, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receive, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected; send, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receive, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- a method performed by a user equipment comprising: sending, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receiving, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected; sending, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receiving, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- a first network entity for wireless communication comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the first network entity to: receive, from a user equipment via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; send, to the non-3GPP interworking function, a fifth message for requesting establishment of an access resource for the data session, wherein the fifth message comprises an indication that the access resource is not security protected; and send, to the user equipment via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- a method performed by a first network entity comprising: receiving, from a user equipment via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; sending, to the non-3GPP interworking function, a fifth message for requesting establishment of an access resource for the data session, wherein the fifth message comprises an indication that the access resource is not security protected; and sending, to the user equipment via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- Figure 1 illustrates an example of a wireless communications system in accordance with aspects of the present disclosure.
- Figure 2 illustrates a signalling diagram for a method of establishing a data session in accordance with aspects of the present disclosure.
- Figure 3 illustrates an example of a user equipment (UE) 300 in accordance with aspects of the present disclosure.
- Figure 4 illustrates an example of a processor 400 in accordance with aspects of the present disclosure.
- Figure 5 illustrates an example of a network equipment (NE) 500 in accordance with aspects of the present disclosure.
- Figure 6 illustrates a flowchart of a method performed by a UE in accordance with aspects of the present disclosure.
- Figure 7 illustrates a flowchart of a method performed by an NE in accordance with aspects of the present disclosure.
- the examples described herein generally relate to access traffic steering, switching and splitting support (ATSSS) in the 5G system architecture in which Quick User datagram protocol Internet Connections (QUIC) is used as a multipath protocol between the User Equipment (UE) and the User Plane Function (UPF).
- QUIC Quick User datagram protocol Internet Connections
- IETF Internet Engineering Task Force
- RFC Request For Comments
- QUIC requires the mandatory usage of Transport Layer Security (TLS) 1.3 with encryption according to IETF RFC 8446, titled “The Transport Layer Security (TLS) Protocol Version 1.3”, dated August 2018. This mandatory security is reasonable for the intended use of QUIC in the normal client-server case; for example, an application server environment on the internet.
- the examples described herein generally relate to QUIC traffic through non-3GPP access. Such examples tend to result in encryption on both the QUIC layer and on the access layer. In some examples, having such double encryption may be seen as an unnecessary computational burden. It may therefore be desirable to render encryption optional on the 3GPP layer in case of non-3GPP access; for example, on untrusted non-3GPP access (Wireless Local-Area Network (WLAN) access with internet connectivity to the 5G network, e.g. home WLAN with Voice-over-WLAN feature).
- WLAN Wireless Local-Area Network
- FIG. 1 illustrates an example of a wireless communications system 100 in accordance with aspects of the present disclosure.
- the wireless communications system 100 may include one or more NE 102, one or more UE 104, and a core network (CN) 106.
- the wireless communications system 100 may support various radio access technologies.
- the wireless communications system 100 may be a 4G network, such as an LTE network or an LTE-Advanced (LTE-A) network.
- LTE-A LTE-Advanced
- the wireless communications system 100 may be an NR network, such as a 5G network, a 5G-Advanced (5G-A) network, or a 5G ultrawideband (5G-UWB) network.
- the wireless communications system 100 may be a combination of a 4G network and a 5G network, or other suitable radio access technology including Institute of Electrical and Electronics Engineers (IEEE) 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20.
- IEEE Institute of Electrical and Electronics Engineers
- WiMAX IEEE 802.16
- The wireless communications system 100 may support radio access technologies beyond 5G, for example, 6G. Additionally, the wireless communications system 100 may support technologies, such as time division multiple access (TDMA), frequency division multiple access (FDMA), or code division multiple access (CDMA), etc.
- TDMA time division multiple access
- FDMA frequency division multiple access
- CDMA code division multiple access
- the one or more NE 102 may be dispersed throughout a geographic region to form the wireless communications system 100.
- One or more of the NE 102 described herein may be or include or may be referred to as a network node, a base station, a network element, a network function, a network entity, a radio access network (RAN), a NodeB, an eNodeB (eNB), a next-generation NodeB (gNB), or other suitable terminology.
- An NE 102 and a UE 104 may communicate via a communication link, which may be a wireless or wired connection.
- an NE 102 and a UE 104 may perform wireless communication (e.g., receive signalling, transmit signalling) over a Uu interface.
- An NE 102 may provide a geographic coverage area for which the NE 102 may support services for one or more UEs 104 within the geographic coverage area.
- an NE 102 and a UE 104 may support wireless communication of signals related to services (e.g., voice, video, packet data, messaging, broadcast, etc.) according to one or multiple radio access technologies.
- an NE 102 may be moveable, for example, a satellite associated with a non-terrestrial network (NTN).
- NTN non-terrestrial network
- different geographic coverage areas associated with the same or different radio access technologies may overlap, but the different geographic coverage areas may be associated with different NE 102.
- the one or more UE 104 may be dispersed throughout a geographic region of the wireless communications system 100.
- a UE 104 may include or may be referred to as a remote unit, a mobile device, a wireless device, a remote device, a subscriber device, a transmitter device, a receiver device, or some other suitable terminology.
- the UE 104 may be referred to as a unit, a station, a terminal, or a client, among other examples.
- the UE 104 may be referred to as an Internet-of-Things (IoT) device, an Internet-of-Everything (IoE) device, or machine-type communication (MTC) device, among other examples.
- IoT Internet-of-Things
- IoE Internet-of-Everything
- MTC machine-type communication
- a UE 104 may be able to support wireless communication directly with other UEs 104 over a communication link.
- a UE 104 may support wireless communication directly with another UE 104 over a device-to-device (D2D) communication link.
- D2D device-to-device
- the communication link may be referred to as a sidelink.
- a UE 104 may support wireless communication directly with another UE 104 over a PC5 interface.
- An NE 102 may support communications with the CN 106, or with another NE 102, or both.
- an NE 102 may interface with other NE 102 or the CN 106 through one or more backhaul links (e.g., S1, N2, or another network interface).
- the NE 102 may communicate with each other directly.
- the NE 102 may communicate with each other indirectly (e.g., via the CN 106).
- one or more NE 102 may include subcomponents, such as an access network entity, which may be an example of an access node controller (ANC).
- An ANC may communicate with the one or more UEs 104 through one or more other access network transmission entities, which may be referred to as a radio heads, smart radio heads, or transmission-reception points (TRPs).
- TRPs transmission-reception points
- the CN 106 may support user authentication, access authorization, tracking, connectivity, and other access, routing, or mobility functions.
- the CN 106 may be an evolved packet core (EPC), or a 5G core (5GC), which may include a control plane entity that manages access and mobility (e.g., a mobility management entity (MME), an access and mobility management function (AMF)) and a user plane entity that routes packets or interconnects to external networks (e.g., a serving gateway (S-GW), a Packet Data Network (PDN) gateway (P-GW), or a user plane function (UPF)).
- EPC evolved packet core
- 5GC 5G core
- MME mobility management entity
- AMF access and mobility management function
- S-GW serving gateway
- PDN gateway Packet Data Network gateway
- UPF user plane function
- control plane entity may manage non-access stratum (NAS) functions, such as mobility, authentication, and bearer management (e.g., data bearers, signal bearers, etc.) for the one or more UEs 104 served by the one or more NE 102 associated with the CN 106.
- NAS non-access stratum
- the CN 106 may communicate with a packet data network over one or more backhaul links (e.g., via an S1, N2, or another network interface).
- the packet data network may include an application server.
- one or more UEs 104 may communicate with the application server.
- a UE 104 may establish a session (e.g., a protocol data unit (PDU) session, or the like) with the CN 106 via an NE 102.
- the CN 106 may route traffic (e.g., control information, data, and the like) between the UE 104 and the application server using the established session (e.g., the established PDU session).
- the PDU session may be an example of a logical connection between the UE 104 and the CN 106 (e.g., one or more network functions of the CN 106).
- the NEs 102 and the UEs 104 may use resources of the wireless communications system 100 (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers)) to perform various operations (e.g., wireless communications).
- the NEs 102 and the UEs 104 may support different resource structures.
- the NEs 102 and the UEs 104 may support different frame structures.
- the NEs 102 and the UEs 104 may support a single frame structure.
- the NEs 102 and the UEs 104 may support various frame structures (i.e., multiple frame structures).
- the NEs 102 and the UEs 104 may support various frame structures based on one or more numerologies.
- One or more numerologies may be supported in the wireless communications system 100, and a numerology may include a subcarrier spacing and a cyclic prefix.
- a first numerology may include a first subcarrier spacing (e.g., 15 kHz) and a normal cyclic prefix.
- a time interval of a resource may be organized according to frames (also referred to as radio frames).
- Each frame may have a duration, for example, a 10 millisecond (ms) duration.
- each frame may include multiple subframes.
- each frame may include 10 subframes, and each subframe may have a duration, for example, a 1 ms duration.
- each frame may have the same duration.
- each subframe of a frame may have the same duration.
- a time interval of a resource may be organized according to slots.
- a subframe may include a number (e.g., quantity) of slots.
- the number of slots in each subframe may also depend on the one or more numerologies supported in the wireless communications system 100.
- Each slot may include a number (e.g., quantity) of symbols (e.g., OFDM symbols).
- the number (e.g., quantity) of slots for a subframe may depend on a numerology.
- a slot may include 14 symbols.
- a slot may include 12 symbols.
- an electromagnetic (EM) spectrum may be split, based on frequency or wavelength, into various classes, frequency bands, frequency channels, etc.
- the wireless communications system 100 may support one or multiple operating frequency bands, such as frequency range designations FR1 (410 MHz - 7.125 GHz), FR2 (24.25 GHz - 52.6 GHz), FR3 (7.125 GHz - 24.25 GHz), FR4 (52.6 GHz - 114.25 GHz), FR4a or FR4-1 (52.6 GHz - 71 GHz), and FR5 (114.25 GHz - 300 GHz).
- FR1 410 MHz - 7.125 GHz
- FR2 24.25 GHz - 52.6 GHz
- FR3 7.125 GHz - 24.25 GHz
- FR4 52.6 GHz - 114.25 GHz
- FR4a or FR4-1 52.6 GHz - 71 GHz
- FR5 114.25 GHz - 300 GHz
- the NEs 102 and the UEs 104 may perform wireless communications over one or more of the operating frequency bands.
- FR1 may be used by the NEs 102 and the UEs 104, among other equipment or devices for cellular communications traffic (e.g., control information, data).
- FR2 may be used by the NEs 102 and the UEs 104, among other equipment or devices for short-range, high data rate capabilities.
- FR1 may be associated with one or multiple numerologies (e.g., at least three numerologies).
- FR2 may be associated with one or multiple numerologies (e.g., at least 2 numerologies).
- SP-231802 is a study for 3GPP TSG SA Meeting #102, titled “New SID on
- N3IWF Non-3GPP Interworking Function
- IPsec Internet Protocol Security
- Some examples described herein may relate to the use of a zero-cipher suite for the IPSec tunnel for protected QUIC sessions over untrusted Non-3GPP access.
- Some examples described herein may relate to the introduction of a NULL cipher suite for the IPsec tunnel between the UE and the N3IWF.
- the UE establishes an IPsec tunnel with the N3IWF for the NAS Signalling.
- for Multi-Access (MA) PDU sessions with QUIC and the respective TLS 1.3 security between UE and UPF, there is no need for the underlying IPsec tunnel between UE and N3IWF for the data traffic. So far the security policies for controlling the security features of a PDU Session are only available for 3GPP access between the UE and the RAN for Control Plane and User Plane ciphering and/or integrity protection. There are no security policies available for the PDU Sessions over non-3GPP access.
- FIG. 2 illustrates a signalling diagram for a method 200 of establishing a data session in accordance with aspects of the present disclosure.
- the method 200 illustrates a UE Requested Protocol Data Unit (PDU) Session Establishment via Untrusted non-3GPP Access.
- the method 200 involves signalling between the following entities: a UE 210, an Untrusted Non-3GPP Access 220, a N3IWF 230 and an Access & Mobility Management Function (AMF) 240.
- the UE 210 and N3IWF 230 may establish an IPsec Security Association (SA) for Non Access Stratum (NAS) Signalling.
- SA IPSec Security Association
- NAS Non Access Stratum
- the method begins at step 271.
- the UE 210 sends a “MA PDU Session Establishment Request” message to the AMF.
- the “MA PDU Session Establishment Request” message may comprise an indication of a flag that “MA Security” is supported.
- An MA Security flag may indicate the possibility to use a zero-cipher suite for MA PDU Sessions containing security protected data; for example, QUIC data.
- the “MA PDU Session Establishment Request” message is sent to N3IWF 230 via the IPsec SA for NAS signalling (established at time of registration to the 5G Core (5GC) via the untrusted network) and the N3IWF 230 shall transparently forward it to AMF 240 in the 5GC.
- the “MA PDU Session Establishment Request” message may further comprise one or more of: a PDU Session ID, a Session and Service Continuity (SSC) Mode and type.
- SSC Session and Service Continuity
- at step 272a, if Multi-Path QUIC (MPQUIC) functionality is supported by the UPF (not shown) for the requested MA PDU Session, then the AMF 240 sets the Non-3GPP (N3GPP) Security Policy to “Not Needed”.
- N3GPP Non-3GPP
- the N3GPP Policy may be retrieved by the AMF 240 from the PCF via the SMF (not shown) with the other policies.
- the retrieved N3GPP Policy may have already been set to “Not Needed” in the PCF for this MA PDU Session; for example, after checking the MPQUIC support in the UPF. Any flag can be used to indicate to the N3IWF 230 that a zero-cipher suite should be used for the creation of a Child Security Association (SA).
- SA Child Security Association
- the AMF 240 shall send a “N2 PDU Session Request” message to N3IWF 230 to establish the access resources for this PDU Session.
- the “N2 PDU Session Request” message may comprise an indication that the N3GPP Security Policy is “Not Needed”.
- the “N2 PDU Session Request” message may further comprise an indication of one or more of: one or more Quality of Service (QoS) profile(s) and associated QoS Flow Identifier (QFI), PDU Session ID and/or “MA PDU Session Establishment Accept”.
- QoS Quality of Service
- QFI QoS Flow Identifier
- the N3IWF 230 shall determine the number of IPsec Child SAs to establish and the QoS profiles associated with each IPsec Child SA. For example, the N3IWF 230 may decide to establish one IPsec Child SA and associate all QoS profiles with this IPsec Child SA. In this case, all QoS Flows of the PDU Session would be transferred over one IPsec Child SA.
- at steps 274a-274b, a first IPsec Child SA 250 is established for the PDU Session.
- the N3IWF 230 shall send to UE 210 an “Internet Key Exchange (IKE) Create Child SA request” message according to the IKEv2 specification in IETF RFC 7296, titled “Internet Key Exchange Protocol Version 2 (IKEv2)”, dated October 2014, to establish the first IPsec Child SA for the PDU Session.
- the “IKE Create Child SA request” message may indicate that the requested IPsec Child SA shall operate in tunnel mode.
- This “IKE Create Child SA request” message may include a 3GPP-specific Notify payload which may contain one or more of (a) the QFI(s) associated with the Child SA, (b) the identity of the PDU Session associated with this Child SA, (c) a Differentiated Services Code Point (DSCP) value associated with the Child SA, (d) a Default Child SA indication and/or (e) the additional QoS Information.
- DSCP Differentiated Services Code Point
- the “IKE Create Child SA request” message may also include another 3GPP-specific Notify payload, which may contain an indication of the UP IP ADDRESS that is specified in step 278 below.
- the UE 210 and the N3IWF 230 may mark all IP packets sent over this Child SA with this DSCP value. There may be one and only one Default Child SA per PDU session.
- the UE 210 may send all QoS Flows to this Child SA for which there is no mapping information to a specific Child SA.
- the “IKE Create Child SA request” message may further comprise indications of other information (for example, as according to RFC 7296) such as the SA payload with the encryption algorithm set to ENCR_NULL and the integrity algorithm set to NONE, the Traffic Selectors (TS) for the N3IWF and the UE, and so on.
- the UE 210 may reserve non-3GPP Access Network resources according to the Additional QoS Information.
- at step 274b, if the UE 210 accepts the new IPsec Child SA, the UE 210 shall send an “IKE Create Child SA response” message according to the IKEv2 specification in RFC 7296. During the IPsec Child SA establishment, the UE 210 may not be assigned an IP address.
- at steps 274c-274d, one or more additional IPsec Child SAs 255 are established for the PDU Session.
- at steps 274c-274d, if in step 273 the N3IWF 230 determined to establish multiple IPsec Child SAs for the PDU Session, then additional IPsec Child SAs 255 shall be established, each one associated with one or more QFI(s), optionally with a DSCP value, with a UP IP ADDRESS and optionally with the Additional QoS Information.
- the UE 210 may reserve non-3GPP Access Network resources according to the Additional QoS Information for the IPsec Child SA.
- the encryption algorithm is set to ENCR NULL and the integrity algorithm is set to NONE if the additional IPsec Child SAs carry protected QUIC traffic.
- the N3IWF 230 may forward to UE 210 via the signalling IPsec SA the “MA PDU Session Establishment Accept” message received in step 272b.
- the “MA PDU Session Establishment Accept” message may contain an indication that the N3GPP Security Policy should be set to “Not Needed”. Providing, from the N3IWF 230 to the UE 210, an indication that the N3GPP Security Policy should be set to “Not Needed” may protect against cyber-attacks.
- the “MA PDU Session Establishment Accept” message in step 275 may be sent via the security protected IPsec SA for the control signalling established between the UE 210 and N3IWF 230.
- the “MA PDU Session Establishment Accept” message may be a NAS Message that is security protected by the NAS layer.
- the UE 210 may terminate the Child SA.
- the “MA PDU Session Establishment Accept” message may further comprise one or more of: an IP address, an SSC mode and/or Authorized QoS rules.
- at step 276, the N3IWF 230 shall send to AMF 240 an “N2 PDU Session Response” message.
- at step 277, in some examples, on the user plane, when the UE 210 transmits an Uplink (UL) PDU, the UE 210 may determine the QFI associated with the UL PDU (for example, by using the QoS rules of the PDU Session). The UE 210 may encapsulate the UL PDU inside a Generic Routing Encapsulation (GRE) packet. The UE 210 may forward the GRE packet to N3IWF 230 via the IPsec Child SA associated with this QFI. In some examples, the header of the GRE packet carries the QFI associated with the UL PDU. In some examples, the UE 210 may encapsulate the GRE packet into an IP packet with source address the "inner" IP address of the UE 210 and destination address the UP IP ADDRESS associated with the Child SA.
- GRE Generic Routing Encapsulation
- the N3IWF 230 may use the QFI and the identity of the PDU Session in order to determine the IPsec Child SA to use for sending the DL PDU over an NWu interface between the UE 210 and the N3IWF 230.
- the N3IWF may encapsulate the DL PDU inside a GRE packet and copy the QFI into the header of the GRE packet.
- the N3IWF may include also in the GRE header a Reflective QoS Indicator (RQI), which may be used by the UE 210 to enable reflective QoS.
- RQI Reflective QoS Indicator
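The signalling of steps 271-276 as a runnable simulation, added here as an illustration and not code from the patent: the core network sets the N3GPP Security Policy, the N3IWF derives the Child SA transforms from it, and the UE checks the protected NAS Accept against the Child SA it already accepted, tearing down a zero-cipher Child SA that the policy did not authorise. The entity classes, the policy value “Required”, the AES/HMAC transform names for the protected case and the `force_null` switch (a misbehaving N3IWF) are assumptions; the ENCR_NULL/NONE transforms and the “Not Needed” value are from the page.

```python
from __future__ import annotations
from dataclasses import dataclass

NOT_NEEDED = "Not Needed"   # N3GPP Security Policy value named on the page
REQUIRED = "Required"       # assumed counterpart value (not named on the page)

# Assumed IKEv2 transforms for the protected case; ENCR_NULL / NONE are from the page.
PROTECTED = ("ENCR_AES_CBC", "AUTH_HMAC_SHA2_256_128")
UNPROTECTED = ("ENCR_NULL", "NONE")


@dataclass
class ChildSA:
    spi: int
    qfis: tuple
    encr: str
    integ: str
    active: bool = True

    @property
    def unprotected(self) -> bool:
        return (self.encr, self.integ) == UNPROTECTED


class CoreNetwork:
    """AMF, SMF and PCF collapsed into one entity (steps 272a/272b)."""

    def __init__(self, upf_supports_mpquic: bool):
        self.upf_supports_mpquic = upf_supports_mpquic

    def on_establishment_request(self, req: dict) -> dict:
        # Step 272a: zero-cipher only if the UE offered MA Security and the UPF does MPQUIC.
        policy = NOT_NEEDED if (req["ma_security"] and self.upf_supports_mpquic) else REQUIRED
        # Step 272b: N2 PDU Session Request towards the N3IWF, carrying the NAS Accept.
        return {"type": "N2 PDU Session Request",
                "pdu_session_id": req["pdu_session_id"],
                "qfis": (1, 2),  # constructed QoS flows for this session
                "n3gpp_security_policy": policy,
                "nas_accept": {"type": "MA PDU Session Establishment Accept",
                               "pdu_session_id": req["pdu_session_id"],
                               "n3gpp_security_policy": policy}}


class N3IWF:
    """Steps 273-275; force_null models an N3IWF that ignores the policy (assumption)."""

    def __init__(self, force_null: bool = False):
        self.force_null = force_null
        self._next_spi = 0x1000

    def on_n2_request(self, n2: dict) -> tuple[dict, dict]:
        # Step 273: one Child SA carrying all QFIs (the page's example choice).
        use_null = self.force_null or n2["n3gpp_security_policy"] == NOT_NEEDED
        encr, integ = UNPROTECTED if use_null else PROTECTED
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        create_child_sa = {"type": "IKE Create Child SA request", "spi": spi,
                           "tunnel_mode": True, "qfis": n2["qfis"],
                           "pdu_session_id": n2["pdu_session_id"],
                           "default_child_sa": True, "encr": encr, "integ": integ}
        # Step 275: the NAS Accept is forwarded unchanged over the signalling IPsec SA.
        return create_child_sa, n2["nas_accept"]


class UE:
    def __init__(self, ma_security: bool = True):
        self.ma_security = ma_security
        self.child_sas: dict[int, ChildSA] = {}
        self.policy: str | None = None

    def establishment_request(self, pdu_session_id: int) -> dict:
        # Step 271: sent over the NAS signalling IPsec SA, forwarded transparently by the N3IWF.
        return {"type": "MA PDU Session Establishment Request",
                "pdu_session_id": pdu_session_id, "ma_security": self.ma_security}

    def on_create_child_sa(self, req: dict) -> dict:
        # Step 274b: accept; the policy cannot be verified until the protected Accept arrives.
        sa = ChildSA(req["spi"], tuple(req["qfis"]), req["encr"], req["integ"])
        self.child_sas[sa.spi] = sa
        return {"type": "IKE Create Child SA response", "spi": sa.spi, "accepted": True}

    def on_establishment_accept(self, accept: dict, over_protected_sa: bool) -> list[int]:
        # Step 275: only trust the policy if it arrived on the NAS-protected signalling SA.
        if not over_protected_sa:
            raise ValueError("Accept not received over the protected signalling SA")
        self.policy = accept["n3gpp_security_policy"]
        terminated = []
        for sa in self.child_sas.values():
            if sa.active and sa.unprotected and self.policy != NOT_NEEDED:
                sa.active = False          # zero-cipher Child SA not authorised: tear it down
                terminated.append(sa.spi)
        return terminated


def run_procedure(upf_supports_mpquic: bool, force_null: bool = False) -> dict:
    """Drives steps 271-275 and reports the UE's resulting state."""
    ue, core, n3iwf = UE(), CoreNetwork(upf_supports_mpquic), N3IWF(force_null)
    n2 = core.on_establishment_request(ue.establishment_request(pdu_session_id=5))
    create_req, nas_accept = n3iwf.on_n2_request(n2)
    ue.on_create_child_sa(create_req)
    terminated = ue.on_establishment_accept(nas_accept, over_protected_sa=True)
    sa = ue.child_sas[create_req["spi"]]
    return {"policy": ue.policy, "child_sa_unprotected": sa.unprotected,
            "child_sa_active": sa.active, "terminated": terminated}


if __name__ == "__main__":
    for case in ((True, False), (False, False), (False, True)):
        print(case, run_procedure(*case))
```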
- FIG. 3 illustrates an example of a UE 300 in accordance with aspects of the present disclosure.
- the UE 300 may include a processor 302, a memory 304, a controller 306, and a transceiver 308.
- the processor 302, the memory 304, the controller 306, or the transceiver 308, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.
- the processor 302, the memory 304, the controller 306, or the transceiver 308, or various combinations or components thereof may be implemented in hardware (e.g., circuitry).
- the hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.
- DSP digital signal processor
- ASIC application-specific integrated circuit
- the processor 302 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 302 may be configured to operate the memory 304. In some other implementations, the memory 304 may be integrated into the processor 302. The processor 302 may be configured to execute computer-readable instructions stored in the memory 304 to cause the UE 300 to perform various functions of the present disclosure.
- the memory 304 may include volatile or non-volatile memory.
- the memory 304 may store computer-readable, computer-executable code including instructions that, when executed by the processor 302, cause the UE 300 to perform various functions described herein.
- the code may be stored in a non-transitory computer-readable medium such as the memory 304 or another type of memory.
- Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
- a non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.
- the processor 302 and the memory 304 coupled with the processor 302 may be configured to cause the UE 300 to perform one or more of the functions described herein (e.g., executing, by the processor 302, instructions stored in the memory 304).
- the processor 302 may support wireless communication at the UE 300 in accordance with examples as disclosed herein.
- the UE 300 may be configured to support a means for sending, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receiving, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected; sending, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receiving, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- the controller 306 may manage input and output signals for the UE 300.
- the controller 306 may also manage peripherals not integrated into the UE 300.
- the controller 306 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems.
- the controller 306 may be implemented as part of the processor 302.
- the UE 300 may include at least one transceiver 308. In some other implementations, the UE 300 may have more than one transceiver 308.
- the transceiver 308 may represent a wireless transceiver.
- the transceiver 308 may include one or more receiver chains 310, one or more transmitter chains 312, or a combination thereof.
- a receiver chain 310 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium.
- the receiver chain 310 may include one or more antennas for receiving the signal over the air or wireless medium.
- the receiver chain 310 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal.
- the receiver chain 310 may include at least one demodulator configured to demodulate the received signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal.
- the receiver chain 310 may include at least one decoder for decoding and processing the demodulated signal to recover the transmitted data.
- a transmitter chain 312 may be configured to generate and transmit signals (e.g., control information, data, packets).
- the transmitter chain 312 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium.
- the at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM).
- the transmitter chain 312 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium.
- the transmitter chain 312 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.
- FIG. 4 illustrates an example of a processor 400 in accordance with aspects of the present disclosure.
- the processor 400 may be an example of a processor configured to perform various operations in accordance with examples as described herein.
- the processor 400 may include a controller 402 configured to perform various operations in accordance with examples as described herein.
- the processor 400 may optionally include at least one memory 404, which may be, for example, an L1/L2/L3 cache. Additionally, or alternatively, the processor 400 may optionally include one or more arithmetic-logic units (ALUs) 406.
- One or more of these components may be in electronic communication or otherwise coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces (e.g., buses).
- the processor 400 may be a processor chipset and include a protocol stack (e.g., a software stack) executed by the processor chipset to perform various operations (e.g., receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) in accordance with examples as described herein.
- the processor chipset may include one or more cores, one or more caches (e.g., memory local to or included in the processor chipset (e.g., the processor 400) or other memory (e.g., random access memory (RAM), read-only memory (ROM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), static RAM (SRAM), ferroelectric RAM (FeRAM), magnetic RAM (MRAM), resistive RAM (RRAM), flash memory, phase change memory (PCM), and others)).
- the controller 402 may be configured to manage and coordinate various operations (e.g., signalling, receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) of the processor 400 to cause the processor 400 to support various operations in accordance with examples as described herein.
- the controller 402 may operate as a control unit of the processor 400, generating control signals that manage the operation of various components of the processor 400. These control signals include enabling or disabling functional units, selecting data paths, initiating memory access, and coordinating timing of operations.
- the controller 402 may be configured to fetch (e.g., obtain, retrieve, receive) instructions from the memory 404 and determine subsequent instruction(s) to be executed to cause the processor 400 to support various operations in accordance with examples as described herein.
- the controller 402 may be configured to track the memory addresses of instructions associated with the memory 404.
- the controller 402 may be configured to decode instructions to determine the operation to be performed and the operands involved.
- the controller 402 may be configured to interpret the instruction and determine control signals to be output to other components of the processor 400 to cause the processor 400 to support various operations in accordance with examples as described herein.
- the controller 402 may be configured to manage flow of data within the processor 400.
- the controller 402 may be configured to control transfer of data between registers, arithmetic logic units (ALUs), and other functional units of the processor 400.
- the memory 404 may include one or more caches (e.g., memory local to or included in the processor 400 or other memory, such as RAM, ROM, DRAM, SDRAM, SRAM, MRAM, flash memory, etc.).
- the memory 404 may reside within or on a processor chipset (e.g., local to the processor 400). In some other implementations, the memory 404 may reside external to the processor chipset (e.g., remote to the processor 400).
- the memory 404 may store computer-readable, computer-executable code including instructions that, when executed by the processor 400, cause the processor 400 to perform various functions described herein.
- the code may be stored in a non-transitory computer-readable medium such as system memory or another type of memory.
- the controller 402 and/or the processor 400 may be configured to execute computer-readable instructions stored in the memory 404 to cause the processor 400 to perform various functions.
- the processor 400 and/or the controller 402 may be coupled with or to the memory 404; the processor 400, the controller 402, and the memory 404 may be configured to perform various functions described herein.
- the processor 400 may include multiple processors and the memory 404 may include multiple memories. One or more of the multiple processors may be coupled with one or more of the multiple memories, which may, individually or collectively, be configured to perform various functions herein.
- the one or more ALUs 406 may be configured to support various operations in accordance with examples as described herein.
- the one or more ALUs 406 may reside within or on a processor chipset (e.g., the processor 400).
- the one or more ALUs 406 may reside external to the processor chipset (e.g., the processor 400).
- One or more ALUs 406 may perform one or more computations such as addition, subtraction, multiplication, and division on data.
- one or more ALUs 406 may receive input operands and an operation code, which determines an operation to be executed.
- One or more ALUs 406 may be configured with a variety of logical and arithmetic circuits, including adders, subtractors, shifters, and logic gates, to process and manipulate the data according to the operation. Additionally, or alternatively, the one or more ALUs 406 may support logical operations such as AND, OR, exclusive-OR (XOR), not-OR (NOR), and not-AND (NAND), enabling the one or more ALUs 406 to handle conditional operations, comparisons, and bitwise operations.
- the processor 400 may support wireless communication in accordance with examples as disclosed herein.
- the processor 400 may be configured to or operable to support a means for sending, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receiving, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected; sending, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receiving, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- FIG. 5 illustrates an example of a NE 500 in accordance with aspects of the present disclosure.
- the NE 500 may include a processor 502, a memory 504, a controller 506, and a transceiver 508.
- the processor 502, the memory 504, the controller 506, or the transceiver 508, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.
- the processor 502, the memory 504, the controller 506, or the transceiver 508, or various combinations or components thereof may be implemented in hardware (e.g., circuitry).
- the hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.
- the processor 502 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 502 may be configured to operate the memory 504. In some other implementations, the memory 504 may be integrated into the processor 502. The processor 502 may be configured to execute computer-readable instructions stored in the memory 504 to cause the NE 500 to perform various functions of the present disclosure.
- the memory 504 may include volatile or non-volatile memory.
- the memory 504 may store computer-readable, computer-executable code including instructions that, when executed by the processor 502, cause the NE 500 to perform various functions described herein.
- the code may be stored in a non-transitory computer-readable medium such as the memory 504 or another type of memory.
- Computer-readable media includes both non-transitory computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another.
- a non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.
- the processor 502 and the memory 504 coupled with the processor 502 may be configured to cause the NE 500 to perform one or more of the functions described herein (e.g., executing, by the processor 502, instructions stored in the memory 504).
- the processor 502 may support wireless communication at the NE 500 in accordance with examples as disclosed herein.
- the NE 500 may be configured to support a means for receiving, from a user equipment via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; sending, to the non-3GPP interworking function, a fifth message for requesting establishment of an access resource for the data session, wherein the fifth message comprises an indication that the access resource is not security protected; and sending, to the user equipment via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- the controller 506 may manage input and output signals for the NE 500.
- the controller 506 may also manage peripherals not integrated into the NE 500.
- the controller 506 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems.
- the controller 506 may be implemented as part of the processor 502.
- the NE 500 may include at least one transceiver 508. In some other implementations, the NE 500 may have more than one transceiver 508.
- the transceiver 508 may represent a wireless transceiver.
- the transceiver 508 may include one or more receiver chains 510, one or more transmitter chains 512, or a combination thereof.
- a receiver chain 510 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium.
- the receiver chain 510 may include one or more antennas for receiving the signal over the air or wireless medium.
- the receiver chain 510 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal.
- the receiver chain 510 may include at least one demodulator configured to demodulate the received signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal.
- the receiver chain 510 may include at least one decoder for decoding and processing the demodulated signal to recover the transmitted data.
- a transmitter chain 512 may be configured to generate and transmit signals (e.g., control information, data, packets).
- the transmitter chain 512 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium.
- the at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM).
- the transmitter chain 512 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium.
- the transmitter chain 512 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.
- Figure 6 illustrates a flowchart of a method in accordance with aspects of the present disclosure.
- the operations of the method may be implemented by a UE as described herein.
- the UE may execute a set of instructions to control the function elements of the UE to perform the described functions.
- the method may include sending, to a first network entity via a non- 3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network.
- the operations of 602 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 602 may be performed by a UE as described with reference to Figure 3.
- the method may include receiving, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected.
- the operations of 604 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 604 may be performed by a UE as described with reference to Figure 3.
- the method may include sending, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session.
- the operations of 606 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 606 may be performed by a UE as described with reference to Figure 3.
- the method may include receiving, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- the operations of 608 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 608 may be performed by a UE as described with reference to Figure 3.
- Figure 7 illustrates a flowchart of a method in accordance with aspects of the present disclosure.
- the operations of the method may be implemented by a NE as described herein.
- the NE may execute a set of instructions to control the function elements of the NE to perform the described functions.
- the method may include receiving, from a user equipment via a non- 3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network.
- the operations of 702 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 702 may be performed by a NE as described with reference to Figure 5.
- the method may include sending, to the non-3GPP interworking function, a fifth message for requesting establishment of an access resource for the data session, wherein the fifth message comprises an indication that the access resource is not security protected.
- the operations of 704 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 704 may be performed by a NE as described with reference to Figure 5.
- the method may include sending, to the user equipment via the non- 3GPP interworking function, a fourth message for accepting establishment of the data session.
- the operations of 706 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 706 may be performed by a NE as described with reference to Figure 5.
- a user equipment for wireless communication comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the user equipment to: send, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receive, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected; send, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receive, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- Such a user equipment enables a reduced computational burden in handling the data session by reducing the security protection between the user equipment and non-3GPP interworking function.
- the user equipment may be a remote device.
- the user equipment may be a mobile communication device.
- the user equipment may be a mobile phone.
- the user equipment may be a cell phone.
- the user equipment may be a smartphone.
- Other electronic devices may have user equipment capabilities.
- the first network entity may comprise an Access and Mobility Management Function (AMF).
- the non-3rd Generation Partnership Project (non-3GPP) interworking function may be an interworking function between the mobile communication network and a non-3GPP access network.
- the non-3GPP access network may comprise technology that is not based on 3GPP standards.
- the non-3GPP access network may comprise one or more of Wireless Fidelity (Wi-Fi) technology, Bluetooth technology, ethernet technology, Zigbee technology or satellite technology.
- the mobile communication network may be a wireless communication network.
- the mobile communication network may comprise technology that is based on 3GPP standards.
- the mobile communication network may be one or more of a Global System for Mobile communications (GSM) network, Long Term Evolution network, 5th Generation (5G) network or 6th Generation (6G) network.
- the mobile communication network may comprise the first network entity.
- the mobile communication network may comprise an AMF.
- the mobile communication network may comprise a User Plane Function (UPF).
- the data session may be established between the user equipment and the UPF.
- the second message may comprise an indication that the access resource comprises an encryption algorithm set to none.
- the second message may comprise an indication that the access resource comprises an integrity algorithm set to none.
- the second message may comprise an indication that the access resource is unsecured. Not security protected may mean unsecured. Not security protected may mean unencrypted. Not security protected may mean not integrity protected.
- the data session may be a protocol data unit (PDU) session.
- the PDU session may be according to the 3GPP standard.
- the data session may be a Multi Access Protocol Data Unit (MA PDU) session.
- the data session may carry security protected data traffic.
- the data session may carry Quick User datagram protocol Internet Connections (QUIC) traffic.
- the QUIC traffic may use TLS 1.3 encryption.
- the data session may carry MultiPath Quick User datagram protocol Internet Connections (MPQUIC) traffic.
- the MPQUIC traffic may use TLS 1.3 encryption.
- the user equipment may establish a first security association with the non-3GPP interworking function according to a non-3GPP (N3GPP) security policy.
- the user equipment may establish an internet protocol security (IPSec) security association with the N3IWF according to the N3GPP security policy.
- the access resource may be a child security association.
- the access resource may be associated with the N3GPP security policy.
- the first message may be a Non Access Stratum message.
- the first message may be a Multi Access (MA) protocol data unit (PDU) session Establishment Request message.
- the second message may be an Internet Protocol Security (IPsec) message.
- the second message may be an Internet Key Exchange (IKE) protocol message.
- the second message may be an IKE Create Child SA Req message.
- the third message may be an IPsec message.
- the third message may be an IKE protocol message.
- the third message may be an IKE Create Child SA Res message.
- the fourth message may be a Non Access Stratum message.
- the fourth message may be a MA PDU Session Establishment Accept message.
- the method may further comprise a step of verifying that the access resource is not security protected.
- the first message may comprise an indication of a capability to establish the access resource for the data session.
- the first message may comprise an indication that Multi Access (MA) security is supported.
- the first message may comprise an indication of a capability to use a zero-cipher suite for the data session.
- the first message may comprise an indication of a capability to use a zero-cipher suite for protected data in the data session.
- the first message may comprise an indication of a capability to establish a child security association for the data session that is not security protected.
- the first message may comprise an indication of a capability to establish a child security association for the data session that is not security protected for protected data in the data session.
- the second message may further comprise an indication that the access resource does not encrypt data traffic in the data session.
- the second message may further comprise an indication that the access resource does not encrypt security protected data traffic in the data session.
- the second message may further comprise an indication that the access resource does not encrypt QUIC traffic in the data session.
- the second message may further comprise an indication that the access resource does not encrypt MPQUIC traffic in the data session.
- Security protected data traffic may be encrypted data traffic.
- Security protected data traffic may be integrity checked data traffic.
- the second message may further comprise an indication that the access resource does not check data integrity of data traffic in the data session.
- the second message may further comprise an indication that the access resource does not check data integrity of security protected data traffic in the data session.
- the second message may further comprise an indication that the access resource does not check data integrity of QUIC traffic in the data session.
- the second message may further comprise an indication that the access resource does not check data integrity of MPQUIC traffic in the data session.
- the second message may further comprise an indication that the access resource does not encrypt or check data integrity of security protected data traffic in the data session.
- the second message may further comprise an indication that the access resource does not encrypt or check data integrity of QUIC traffic in the data session.
- the second message may further comprise an indication that the access resource does not encrypt or check data integrity of MPQUIC traffic in the data session.
- the fourth message may comprise an indication that data traffic over the data session is security protected.
- the fourth message may indicate that the access resource does not need to be security protected.
- the fourth message may indicate that the N3GPP security policy associated with the access resource is not needed.
- the at least one processor coupled with the at least one memory may be further configured to cause the user equipment to: establish a first security association with the non-3GPP interworking function, wherein the first security association is security protected.
- the first security association may be associated with the N3GPP security policy.
- the first security association may be an IPsec security association.
- the first security association may be an IPsec security association for control signalling.
- the first message may be sent via the first security association.
- the fourth message may be sent via the first security association.
- the fourth message may further comprise an indication that the access resource was requested by the mobile communication network.
- the user equipment may receive the N3GPP security policy from the first network entity via the non-3GPP interworking function.
- the indication that the access resource is not security protected may comprise an indication that the N3GPP security policy is set to not needed.
- the indication that the access resource was requested by the mobile communication network in the fourth message may comprise the indication that the access resource is not security protected.
- the indication that the access resource was requested by the mobile communication network in the fourth message may comprise the indication that the N3GPP security policy is set to not needed.
- the user equipment may use the indication that the access resource was requested by the mobile communication network to verify that the access resource was requested by the mobile communication network.
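The exchange described above, simulated end to end as an added example (this is not code from the patent, from 3GPP, or from any N3IWF or AMF implementation). It models the first, fifth, second, third and fourth messages as plain Python objects and shows the two checks a defender cares about: the AMF only sets the N3GPP security policy to "not needed" when the UE declared the capability and the session carries traffic that is already protected (QUIC/MPQUIC over TLS 1.3), and the UE accepts a child SA whose encryption and integrity algorithms are both set to none only for such a session, then verifies on the fourth message that the unprotected access resource was requested by the network. All class names, field names, the traffic-type strings and the algorithm labels are constructed assumptions for this example; the dataclasses are not the NAS, N2 or IKEv2 wire formats.

```python
"""Simulated MA PDU session establishment over non-3GPP access where the
N3IWF proposes an IPsec child SA with no security protection.
All message types, field names and values are constructed for this example."""
from dataclasses import dataclass

# Traffic that carries its own protection (QUIC/MPQUIC over TLS 1.3); an
# unprotected child SA adds no exposure for it. Constructed set.
SELF_PROTECTED_TRAFFIC = {"QUIC", "MPQUIC"}


@dataclass
class MaPduSessionEstablishmentRequest:   # first message, UE -> AMF via N3IWF
    pdu_session_id: int
    traffic_type: str                     # "QUIC", "MPQUIC" or "plain"
    ma_security_supported: bool           # capability: unprotected child SA acceptable


@dataclass
class N2PduSessionRequest:                # fifth message, AMF -> N3IWF
    pdu_session_id: int
    n3gpp_security_policy: str            # "required" or "not needed"


@dataclass
class CreateChildSaReq:                   # second message, N3IWF -> UE (IKE)
    pdu_session_id: int
    encryption_alg: str                   # "NULL" means no confidentiality
    integrity_alg: str                    # "NONE" means no integrity protection


@dataclass
class CreateChildSaRes:                   # third message, UE -> N3IWF
    pdu_session_id: int
    accepted: bool
    reason: str = ""


@dataclass
class MaPduSessionEstablishmentAccept:    # fourth message, AMF -> UE via N3IWF
    pdu_session_id: int
    traffic_security_protected: bool
    access_resource_requested_by_network: bool
    n3gpp_security_policy: str


def amf_decide_policy(req: MaPduSessionEstablishmentRequest) -> N2PduSessionRequest:
    """AMF side: 'not needed' only with the UE capability and self-protected traffic."""
    if req.ma_security_supported and req.traffic_type in SELF_PROTECTED_TRAFFIC:
        return N2PduSessionRequest(req.pdu_session_id, "not needed")
    return N2PduSessionRequest(req.pdu_session_id, "required")


def n3iwf_build_child_sa_req(n2: N2PduSessionRequest) -> CreateChildSaReq:
    """N3IWF side: turn the policy into the algorithms proposed for the child SA."""
    if n2.n3gpp_security_policy == "not needed":
        return CreateChildSaReq(n2.pdu_session_id, "NULL", "NONE")
    return CreateChildSaReq(n2.pdu_session_id, "AES-CBC-256", "HMAC-SHA2-256-128")


def is_unprotected(child_req: CreateChildSaReq) -> bool:
    """The 'not security protected' indication: both algorithms set to none."""
    return child_req.encryption_alg == "NULL" and child_req.integrity_alg == "NONE"


def ue_handle_child_sa_req(pending: MaPduSessionEstablishmentRequest,
                           child_req: CreateChildSaReq) -> CreateChildSaRes:
    """UE side: accept an unprotected child SA only for the session the UE itself
    requested with the capability, and only if its traffic carries its own protection."""
    if is_unprotected(child_req):
        if child_req.pdu_session_id != pending.pdu_session_id:
            return CreateChildSaRes(child_req.pdu_session_id, False, "unknown session")
        if not pending.ma_security_supported or pending.traffic_type not in SELF_PROTECTED_TRAFFIC:
            return CreateChildSaRes(child_req.pdu_session_id, False,
                                    "unprotected access resource not acceptable for this traffic")
    return CreateChildSaRes(child_req.pdu_session_id, True)


def ue_verify_accept(child_req: CreateChildSaReq,
                     accept: MaPduSessionEstablishmentAccept) -> bool:
    """UE side, fourth message: an unprotected access resource must have been
    requested by the network, with policy 'not needed', for protected traffic."""
    if not is_unprotected(child_req):
        return True
    return (accept.access_resource_requested_by_network
            and accept.n3gpp_security_policy == "not needed"
            and accept.traffic_security_protected)


def establish_session(traffic_type: str, ma_security_supported: bool,
                      pdu_session_id: int = 1) -> dict:
    """Run the whole exchange offline and report the outcome."""
    first = MaPduSessionEstablishmentRequest(pdu_session_id, traffic_type, ma_security_supported)
    fifth = amf_decide_policy(first)
    second = n3iwf_build_child_sa_req(fifth)
    third = ue_handle_child_sa_req(first, second)
    if not third.accepted:
        return {"established": False, "reason": third.reason}
    fourth = MaPduSessionEstablishmentAccept(
        pdu_session_id,
        traffic_security_protected=traffic_type in SELF_PROTECTED_TRAFFIC,
        access_resource_requested_by_network=True,
        n3gpp_security_policy=fifth.n3gpp_security_policy,
    )
    return {"established": ue_verify_accept(second, fourth),
            "child_sa_unprotected": is_unprotected(second),
            "policy": fifth.n3gpp_security_policy}
```

Calling `establish_session("QUIC", True)` yields an established session over a null child SA, while `establish_session("plain", True)` keeps a protected child SA because the AMF never lowers the policy for traffic without its own protection. `ue_verify_accept` can also be called directly with a constructed fourth message in which `access_resource_requested_by_network` is false; it then returns False, which is the verification step the UE performs before trusting an unprotected access resource.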
- a processor for wireless communication comprising: at least one controller coupled with at least one memory and configured to cause the processor to: send, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receive, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected; send, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receive, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- Such a processor enables a reduced computational burden in the data session by reducing the security protection between the user equipment and non-3GPP interworking function.
- the first message may comprise an indication of a capability to establish the access resource for the data session.
- the second message may further comprise an indication that the access resource does not encrypt data traffic in the data session.
- the second message may further comprise an indication that the access resource does not check data integrity of data traffic in the data session.
- the fourth message may comprise an indication that data traffic over the data session is security protected.
- the at least one controller coupled with at least one memory may be further configured to cause the processor to: establish a first security association with the non- 3GPP interworking function, wherein the first security association is security protected.
- the first message may be sent via the first security association.
- the fourth message may be sent via the first security association.
- the fourth message may further comprise an indication that the access resource was requested by the mobile communication network.
- a method performed by a user equipment comprising: sending, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receiving, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, wherein the second message comprises an indication that the access resource is not security protected; sending, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receiving, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- Such a method enables a reduced computational burden in the data session by reducing the security protection between the user equipment and non-3GPP interworking function.
- the first message may comprise an indication of a capability to establish the access resource for the data session.
- the second message may further comprise an indication that the access resource does not encrypt data traffic in the data session.
- the second message may further comprise an indication that the access resource does not check data integrity of data traffic in the data session.
- the fourth message may comprise an indication that data traffic over the data session is security protected.
- the method may further comprise establishing a first security association with the non-3GPP interworking function, wherein the first security association is security protected.
- the first message may be sent via the first security association.
- the fourth message may be sent via the first security association.
- the fourth message may further comprise an indication that the access resource was requested by the mobile communication network.
- a first network entity for wireless communication comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the first network entity to: receive, from a user equipment via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; send, to the non-3GPP interworking function, a fifth message for requesting establishment of an access resource for the data session, wherein the fifth message comprises an indication that the access resource is not security protected; and send, to the user equipment via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- Such a first network entity enables a reduced computational burden in the data session by reducing the security protection between the user equipment and non-3GPP interworking function.
- the fifth message may be a N2 PDU Session Request message.
- the at least one processor coupled with the at least one memory may be further configured to cause the first network entity to: determine that the data session comprises security protected data traffic.
- the first message may comprise an indication of a capability to establish the access resource for the data session.
- the second message may further comprise an indication that the access resource does not encrypt data traffic in the data session.
- the second message may further comprise an indication that the access resource does not check data integrity of data traffic in the data session.
- the fourth message may comprise an indication that data traffic over the data session is security protected.
- the fourth message may further comprise an indication that the access resource was requested by the mobile communication network.
- a method performed by a first network entity comprising: receiving, from a user equipment via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; sending, to the non-3GPP interworking function, a fifth message for requesting establishment of an access resource for the data session, wherein the fifth message comprises an indication that the access resource is not security protected; and sending, to the user equipment via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
- Such a method enables a reduced computational burden in the data session by reducing the security protection between the user equipment and non-3GPP interworking function.
- the fifth message may be a N2 PDU Session Request message.
- the method may further comprise determining that the data session comprises security protected data traffic.
- the first message may comprise an indication of a capability to establish the access resource for the data session.
- the second message may further comprise an indication that the access resource does not encrypt data traffic in the data session.
- the second message may further comprise an indication that the access resource does not check data integrity of data traffic in the data session.
- the fourth message may comprise an indication that data traffic over the data session is security protected.
- the fourth message may further comprise an indication that the access resource was requested by the mobile communication network.
- the performance of the N3IWF 230 can be improved by deactivating encryption on the IPsec layer, since the QUIC traffic carried inside the tunnel is already protected end to end.
- a security policy for the Non-3GPP access is created with “Not Needed” for the Multi Access PDU Session carrying the protected QUIC traffic.
- Some examples described herein may relate to the use of a zero cipher suite for the IPsec tunnel for protected QUIC sessions over untrusted Non-3GPP access.
- the UE 210 provides an indication that it supports zero cipher suite; for example the indication may comprise a flag in the “MA PDU Session establishment request” message from the UE 210 to the AMF 240.
- the AMF 240 may then, if the UPF supports MPQUIC for the PDU Session, create or receive from the PCF, a Non-3GPP Security Policy set to “Not Needed”.
- the AMF 240 may then provide the Non-3GPP Security Policy to the N3IWF 230, which sets the integrity and encryption algorithms to “None” in the Child SA establishment.
- the N3IWF 230 may provide the Non-3GPP Security Policy in a protected message later to the UE 210 to avoid bidding down attacks.
- an apparatus comprising: a transceiver; and a processor coupled to the transceiver, the processor and the transceiver configured to cause the apparatus to: send to a first network function on another apparatus (e.g., an AMF) a Multi Access PDU Session Establishment Request message comprising a Multi-Access security flag for a Multi Access PDU session; receive from a second network function on another apparatus (e.g., an N3IWF) an IKE Create Child SA Request message, comprising an encryption algorithm set to None and an integrity algorithm set to None; send a Create Child SA Response message to the second network function on another apparatus; receive a MA PDU Session Establishment Accept message as a response from the first network function on another apparatus (e.g., the AMF), comprising a N3GPP Security Policy set to “not Needed”
- the processor and the transceiver may be further configured to cause the apparatus to: verify that the N3GPP Security policy matches the algorithm settings for encryption and integrity for the Child SA creation.
- an apparatus comprising: a transceiver; and a processor coupled to the transceiver, the processor and the transceiver configured to cause the apparatus to: receive from a remote unit on another apparatus (e.g., a UE) a Multi Access PDU Session Establishment Request message comprising a Multi-Access security flag for a Multi Access PDU session; receive from a first network function on another apparatus (e.g., a Session Management Function (SMF) or PCF) a message comprising a N3GPP Security Policy for the MA PDU Session.
- the processor and the transceiver may be further configured to cause the apparatus to: receive from a first network function on another apparatus (e.g., the SMF or UPF) a message comprising an indication of the support of MPQUIC functionality.
- the message comprising an indication of the support of MPQUIC functionality may be sent from the UPF via the SMF.
- the processor and the transceiver may be further configured to cause the apparatus to: verify that the N3GPP Security Policy is set to “Not Needed” if the MPQUIC functionality is supported.
- the processor and the transceiver may be further configured to cause the apparatus to: send to a second network function on another apparatus (e.g., N3IWF) a MA PDU Session Establishment Request comprising the N3GPP Security Policy.
- the processor and the transceiver may be further configured to cause the apparatus to: receive from the second network function on another apparatus (e.g., N3IWF) a response message to the MA PDU Session Establishment Request.
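The exchange described in the aspects above (UE request with a Multi-Access security flag, AMF/SMF deciding the N3GPP Security Policy, N3IWF proposing a Child SA with the matching transforms, and the UE cross-checking the policy delivered in the protected Accept against the Child SA it agreed to) can be exercised end to end in a small simulation. The following is an added example written for this page, not code from the patent or from any 3GPP implementation. It assumes: function and field names of its own (amf_decide_policy, n3iwf_child_sa_proposal, policy_matches_proposal, ue_establish_ma_pdu_session, n3gpp_security_policy); NAS integrity protection stood in for by an HMAC-SHA256 tag truncated to 32 bits under a constructed key; only the two policy values the page uses ("Not Needed" and "Required", while TS 33.501 also defines "Preferred"); and IKEv2 transform names taken from the IANA registry (ENCR_NULL, ENCR_AES_CBC, AUTH_HMAC_SHA2_256_128). The tamper hook models a proposer (a misbehaving N3IWF, or anything able to alter the IKE proposal the UE sees) offering a null Child SA that the core did not authorise; the UE's check is what makes that a detectable bidding-down attempt. Note also that RFC 4303 requires ESP to provide at least one of confidentiality or integrity, so a real IPsec stack may refuse ENCR_NULL combined with no integrity transform; the example models the page's negotiation and verification logic and does not build an ESP SA.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# N3GPP Security Policy values used on the page; TS 33.501 also has "Preferred".
POLICY_NOT_NEEDED = "Not Needed"
POLICY_REQUIRED = "Required"

# IKEv2 transform identifiers (names as in the IANA IKEv2 registry).
ENCR_NULL = "ENCR_NULL"
ENCR_AES_CBC = "ENCR_AES_CBC"
AUTH_NONE = "NONE"
AUTH_HMAC_SHA2_256_128 = "AUTH_HMAC_SHA2_256_128"


@dataclass(frozen=True)
class ChildSAProposal:
    """Algorithms carried in an IKE CREATE_CHILD_SA request."""
    encryption: str
    integrity: str

    @property
    def is_null(self) -> bool:
        return self.encryption == ENCR_NULL and self.integrity == AUTH_NONE


@dataclass(frozen=True)
class NasMessage:
    """A NAS message plus its integrity tag. Stand-in for NAS integrity
    protection (assumption): HMAC-SHA256 truncated to 32 bits like NAS-MAC."""
    fields: tuple
    mac: bytes


def nas_protect(k_nas_int: bytes, fields: dict) -> NasMessage:
    items = tuple(sorted(fields.items()))
    tag = hmac.new(k_nas_int, repr(items).encode(), hashlib.sha256).digest()[:4]
    return NasMessage(items, tag)


def nas_verify(k_nas_int: bytes, msg: NasMessage) -> Optional[dict]:
    expected = hmac.new(k_nas_int, repr(msg.fields).encode(), hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(expected, msg.mac):
        return None  # tampered or wrong context: discard the message
    return dict(msg.fields)


def amf_decide_policy(ue_supports_zero_cipher: bool, upf_supports_mpquic: bool) -> str:
    """AMF/SMF side: the tunnel may go unprotected only if the UE flagged support
    AND the UPF carries the session as MPQUIC (QUIC already protects the traffic)."""
    if ue_supports_zero_cipher and upf_supports_mpquic:
        return POLICY_NOT_NEEDED
    return POLICY_REQUIRED


def n3iwf_child_sa_proposal(policy: str) -> ChildSAProposal:
    """N3IWF side: map the policy received from the AMF to Child SA transforms."""
    if policy == POLICY_NOT_NEEDED:
        return ChildSAProposal(ENCR_NULL, AUTH_NONE)
    return ChildSAProposal(ENCR_AES_CBC, AUTH_HMAC_SHA2_256_128)


def policy_matches_proposal(policy: str, proposal: ChildSAProposal) -> bool:
    """UE check: the integrity-protected policy must agree with what IKE negotiated."""
    if policy == POLICY_NOT_NEEDED:
        return proposal.is_null
    if policy == POLICY_REQUIRED:
        return proposal.encryption != ENCR_NULL and proposal.integrity != AUTH_NONE
    return False  # unknown policy value: fail closed


def ue_establish_ma_pdu_session(
    k_nas_int: bytes,
    ue_supports_zero_cipher: bool,
    upf_supports_mpquic: bool,
    tamper_proposal: Optional[ChildSAProposal] = None,
) -> dict:
    """Run the exchange end to end. `tamper_proposal`, if set, replaces the
    N3IWF's Child SA proposal as seen by the UE, modelling a bidding-down attempt."""
    # 1. UE -> AMF: MA PDU Session Establishment Request with the security flag;
    #    AMF/SMF (or PCF) derives the N3GPP Security Policy.
    policy = amf_decide_policy(ue_supports_zero_cipher, upf_supports_mpquic)
    # 2. AMF -> N3IWF: policy; N3IWF -> UE: CREATE_CHILD_SA with matching transforms.
    proposal = n3iwf_child_sa_proposal(policy)
    seen_proposal = tamper_proposal if tamper_proposal is not None else proposal
    # 3. UE -> N3IWF: Create Child SA Response (the UE accepts what it saw).
    # 4. AMF -> UE: MA PDU Session Establishment Accept carrying the policy,
    #    NAS-integrity-protected so the policy value itself cannot be altered.
    accept = nas_protect(k_nas_int, {"n3gpp_security_policy": policy})
    fields = nas_verify(k_nas_int, accept)
    if fields is None:
        return {"established": False, "reason": "NAS MAC failure"}
    # 5. UE verifies that the protected policy matches the Child SA it agreed to.
    if not policy_matches_proposal(fields["n3gpp_security_policy"], seen_proposal):
        return {"established": False, "reason": "policy/Child SA mismatch (bidding down?)",
                "policy": fields["n3gpp_security_policy"], "child_sa": seen_proposal}
    return {"established": True, "policy": fields["n3gpp_security_policy"],
            "child_sa": seen_proposal}


if __name__ == "__main__":
    key = b"\x00" * 32  # constructed NAS integrity key for the demo
    print(ue_establish_ma_pdu_session(key, True, True))     # null Child SA accepted
    print(ue_establish_ma_pdu_session(key, True, False))    # UPF lacks MPQUIC: protected
    print(ue_establish_ma_pdu_session(key, False, True,     # null SA pushed without policy
                                      tamper_proposal=ChildSAProposal(ENCR_NULL, AUTH_NONE)))
```

The design point is that the two signals reach the UE over different paths: the transforms arrive in IKE from the N3IWF, the policy arrives in NAS from the AMF. Because the UE accepts a null Child SA only when a NAS-protected "Not Needed" policy confirms it, an entity that can influence the IKE proposal but cannot forge NAS integrity cannot strip the tunnel's protection unnoticed.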
- 5GC - 5G Core Network
- 5GS - 5G System
- AMF - Access and Mobility Management Function
- AS - Access Stratum
- AUSF - Authentication Server Function
- EAP - Extensible Authentication Protocol
- eNB - Evolved Node-B
- EPC/EPS - Evolved Packet Core / Evolved Packet System
- ID - Identity
- IE - Information Element
- IKEv2 - Internet Key Exchange Protocol Version 2
- MPQUIC - Multipath QUIC
- NAI - Network Access Identifier
- NAS - Non Access Stratum
- NEF - Network Exposure Function
- NF - Network Function
- NR - New Radio
- PCF - Policy Control Function
- PDCP - Packet Data Convergence Protocol
- PDU - Protocol Data Unit
- PLMN - Public Land Mobile Network
- RAN - Radio Access Network
- RAT - Radio Access Technology / Type
- SA - IKE Security Association
Abstract
Various aspects of the present disclosure relate to a user equipment for wireless communication, comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the user equipment to: send, to a first network entity via a non-3GPP interworking function, a first message for requesting establishment of a data session with a mobile communication network; receive, from the non-3GPP interworking function, a second message for requesting establishment of an access resource for the data session, the second message comprising an indication that the access resource is not security protected; send, to the non-3GPP interworking function, a third message for accepting establishment of the access resource for the data session; and receive, from the first network entity via the non-3GPP interworking function, a fourth message for accepting establishment of the data session.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GR20240100071 | 2024-02-02 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024245615A1 (fr) | 2024-12-05 |
Family
ID=90545292
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2024/057807 (WO2024245615A1, pending) | Establishing a data session in a wireless communication network | 2024-02-02 | 2024-03-22 |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2024245615A1 (fr) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2025088526A1 (fr) * | 2023-10-24 | 2025-05-01 | Nokia Technologies Oy | Disabling user plane encryption and/or integrity protection for MPQUIC traffic |
- 2024-03-22: PCT/EP2024/057807 filed (WO), published as WO2024245615A1 (fr); status: active, pending
Non-Patent Citations (5)
| Title |
|---|
| "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Access Traffic Steering, Switch and Splitting support in the 5G system architecture Phase 2 (Release 17)", no. V1.0.0, 9 September 2020 (2020-09-09), pages 1 - 84, XP051925998, Retrieved from the Internet <URL:ftp://ftp.3gpp.org/Specs/archive/23_series/23.700-93/23700-93-100.zip 23700-93-100.docx> [retrieved on 20200909] * |
| "New SID on Multi-Access (DualSteer and ATSSS_Ph4", SP-231802 IS A STUDY FOR 3GPP TSG SA MEETING #102 |
| "Security architecture and procedures for 5G system", 3GPP TS 33.501, September 2022 (2022-09-01) |
| LENOVO MOTOROLA MOBILITY: "Discussion on ATSSS Enhancements", vol. SA WG2, no. E (e-meeting); 20210517 - 20210528, 10 May 2021 (2021-05-10), XP052004882, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG2_Arch/TSGS2_145E_Electronic_2021-05/Docs/S2-2104582.zip S2-2104582_DP_ATSSS in R18-v2.pptx> [retrieved on 20210510] * |
| WIRELESS BROADBAND ALLIANCE: "5G and Wi-Fi RAN Convergence Aligning the Industry on Opportunities and Challenges", no. 20201201, 25 June 2021 (2021-06-25), XP052028898, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG2_Arch/TSGS2_146E_Electronic_2021-08/Docs/S2-2105231.zip WBA 5G and Wi-Fi RAN Convergence Whitepaper (3GPP) V1.0.pdf> [retrieved on 20210625] * |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 24714920; Country of ref document: EP; Kind code of ref document: A1 |