WO2025114990A1 - Techniques for preventing bidding down attacks - Google Patents
- Publication number
- WO2025114990A1 (PCT/IB2025/050664)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- access restriction
- access
- network access
- restriction information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/02—Access restriction performed under specific conditions
Definitions
- the present disclosure relates to wireless communications, and more specifically to techniques for preventing bidding down attacks.
- a wireless communications system may include one or multiple network communication devices, such as base stations, which may support wireless communications for one or multiple user communication devices, which may be otherwise known as user equipment (UE), or other suitable terminology.
- the wireless communications system may support wireless communications with one or multiple user communication devices by utilizing resources of the wireless communication system (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers, or the like)).
- the wireless communications system may support wireless communications across various radio access technologies including third generation (3G) radio access technology, fourth generation (4G) radio access technology, fifth generation (5G) radio access technology, among other suitable radio access technologies beyond 5G (e.g., sixth generation (6G)).
- the phrase “based on” shall not be construed as a reference to a closed set of conditions. For example, an example step that is described as “based on condition A” may be based on both a condition A and a condition B without departing from the scope of the present disclosure. In other words, as used herein, the phrase “based on” shall be construed in the same manner as the phrase “based at least in part on.” Further, as used herein, including in the claims, a “set” may include one or more elements.
- Some implementations of the method and apparatuses described herein may receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information, transmit the network access restriction information to the UE, and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
- Some implementations of the method and apparatuses described herein may receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information for the UE, configure the network access restriction information for the UE in subscription data associated with the UE, and transmit the network access restriction information.
- Some implementations of the method and apparatuses described herein may transmit an indication of a network access restriction enforcement capability of the UE as part of a non-access stratum (NAS) message with a first network, receive network access restriction information for the UE indicating restrictions on second networks that the UE may access, store the network access restriction information, and prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable.
- NAS non-access stratum
- Figure 1 illustrates an example of a wireless communications system in accordance with aspects of the present disclosure.
- Figure 2 illustrates an example procedure flow for securely provisioning and enforcing the Universal Terrestrial Radio Access Network (UTRAN) and GSM EDGE Radio Access Network (GERAN) access restriction information during a registration procedure in accordance with aspects of the present disclosure.
- UTRAN Universal Terrestrial Radio Access Network
- GERAN GSM EDGE Radio Access Network
- Figure 3 illustrates an example procedure flow for securely provisioning UTRAN and GERAN access restrictions using UE configuration update procedure in accordance with aspects of the present disclosure.
- Figure 4 illustrates an example procedure flow for securely provisioning UTRAN and GERAN access restrictions using UE parameters update procedure in accordance with aspects of the present disclosure.
- Figure 5A illustrates a first part of an example procedure flow for indicating UTRAN and GERAN access restriction information using an anti-bidding down between architectures (ABBA) value for bidding down protection in accordance with aspects of the present disclosure.
- ABBA anti-bidding down between architectures
- Figure 5B illustrates a second part of an example procedure flow for indicating UTRAN and GERAN access restriction information using an ABBA value for bidding down protection in accordance with aspects of the present disclosure.
- Figure 6 illustrates an example of a UE in accordance with aspects of the present disclosure.
- Figure 7 illustrates an example of a processor in accordance with aspects of the present disclosure.
- Figure 8 illustrates an example of a network equipment (NE) in accordance with aspects of the present disclosure.
- Figure 9 illustrates a flowchart of a method performed by an NE in accordance with aspects of the present disclosure.
- Figure 10 illustrates a flowchart of a method performed by an NE in accordance with aspects of the present disclosure.
- Figure 11 illustrates a flowchart of a method performed by a UE in accordance with aspects of the present disclosure.
- 2G/3G False Base Stations. In wireless communications, 2G/3G False Base Stations (FBSs) remain a serious security threat to mobile networks. In these networks, critical security features are missing, for example, mutual authentication, integrity protection, and strong security algorithms. If a UE is moved from a 4G or 5G network onto a 2G/3G FBS, it is vulnerable to a bidding down attack, e.g., a fraudulent SMS or phone call, which could cause significant financial losses for subscribers. There are several existing procedures by which a UE connected to 4G/5G may establish a connection with a 2G/3G base station.
- When the UE is in a CONNECTED state in 4G, it may use an inter-radio access technology (inter-RAT) handover procedure (e.g., as specified in clause 5.5.2 of TS 23.401, incorporated herein by reference) or a circuit-switched fallback (CSFB) procedure, which includes redirection from 4G to 2G/3G (e.g., as specified in TS 23.272, incorporated herein by reference), to connect to a 2G/3G base station.
- RAT radio access technology
- CSFB circuit-switched fallback
- When the UE is in an IDLE state in 4G, it may use a routing area update (RAU) procedure (e.g., as specified in clause 5.3.3.3 or 5.3.3.6 of TS 23.401, incorporated herein by reference) or cell selection once 4G signalling is not available to connect to a 2G/3G base station.
- RAU routing area update
- When the UE is in a CONNECTED state in 5G, it may use the Single Radio Voice Call Continuity (SRVCC) procedure (as in TS 23.216, incorporated herein by reference) to connect to a 3G base station.
- SRVCC Single Radio Voice Call Continuity
- When the UE is in an IDLE or INACTIVE state in 5G, it may use cell selection once 4G and 5G signaling are not available to connect to a 2G/3G base station.
- One existing solution for preventing bidding down attacks is directed to mobility restrictions, e.g., as described in TS 23.501 (incorporated herein by reference), which may include RAT restrictions, Forbidden Areas, Service Area Restrictions, Core Network type restrictions and Closed Access Group information.
- NR New Radio
- E-UTRAN Evolved UTRAN
- Another existing solution is directed to a security solution for SRVCC from 5G to 3G, as described in TS 33.501 (incorporated herein by reference).
- Even so, the gNB may initiate an SRVCC-related handover from 5G to 3G for voice continuity, which moves the UE onto 3G and can therefore result in a bidding down attack.
- Likewise, 2G/3G cell selection may occur (e.g., when no 4G/5G signal is available), which causes the UE to connect to a 2G/3G network, resulting in a successful bidding down attack.
- FIG. 1 illustrates an example of a wireless communications system 100 in accordance with aspects of the present disclosure.
- the wireless communications system 100 may include one or more NE 102, one or more UE 104, and a core network (CN) 106.
- the wireless communications system 100 may support various radio access technologies.
- the wireless communications system 100 may be a 4G network, such as an LTE network or an LTE-Advanced (LTE-A) network.
- LTE-A LTE-Advanced
- the wireless communications system 100 may be a NR network, such as a 5G network, a 5G-Advanced (5G-A) network, or a 5G ultrawideband (5G- UWB) network.
- the wireless communications system 100 may be a combination of a 4G network and a 5G network, or other suitable radio access technology including Institute of Electrical and Electronics Engineers (IEEE) 802.11 (WiFi), IEEE 802.16 (WiMAX), IEEE 802.20.
- IEEE Institute of Electrical and Electronics Engineers
- WiFi IEEE 802.11
- WiMAX IEEE 802.16
- The wireless communications system 100 may also support radio access technologies beyond 5G, for example, 6G. Additionally, the wireless communications system 100 may support technologies such as time division multiple access (TDMA), frequency division multiple access (FDMA), or code division multiple access (CDMA).
- TDMA time division multiple access
- FDMA frequency division multiple access
- CDMA code division multiple access
- the one or more NE 102 may be dispersed throughout a geographic region to form the wireless communications system 100.
- One or more of the NE 102 described herein may be or include or may be referred to as a network node, a base station, a network element, a network function, a network entity, a radio access network (RAN), a NodeB, an eNodeB (eNB), a next-generation NodeB (gNB), or other suitable terminology.
- An NE 102 and a UE 104 may communicate via a communication link, which may be a wireless or wired connection.
- an NE 102 and a UE 104 may perform wireless communication (e.g., receive signaling, transmit signaling) over a Uu interface.
- An NE 102 may provide a geographic coverage area for which the NE 102 may support services for one or more UEs 104 within the geographic coverage area.
- an NE 102 and a UE 104 may support wireless communication of signals related to services (e.g., voice, video, packet data, messaging, broadcast, etc.) according to one or multiple radio access technologies.
- an NE 102 may be moveable, for example, a satellite associated with a non-terrestrial network (NTN).
- NTN non-terrestrial network
- different geographic coverage areas 112 associated with the same or different radio access technologies may overlap, but the different geographic coverage areas may be associated with different NE 102.
- the one or more UE 104 may be dispersed throughout a geographic region of the wireless communications system 100.
- a UE 104 may include or may be referred to as a remote unit, a mobile device, a wireless device, a remote device, a subscriber device, a transmitter device, a receiver device, or some other suitable terminology.
- the UE 104 may be referred to as a unit, a station, a terminal, or a client, among other examples.
- the UE 104 may be referred to as an Internet-of-Things (IoT) device, an Internet-of-Everything (IoE) device, or a machine-type communication (MTC) device, among other examples.
- IoT Internet-of-Things
- IoE Internet-of-Everything
- MTC machine-type communication
- a UE 104 may be able to support wireless communication directly with other UEs 104 over a communication link.
- a UE 104 may support wireless communication directly with another UE 104 over a device-to-device (D2D) communication link.
- D2D device-to-device
- the communication link 114 may be referred to as a sidelink.
- a UE 104 may support wireless communication directly with another UE 104 over a PC5 interface.
- An NE 102 may support communications with the CN 106, or with another NE 102, or both.
- an NE 102 may interface with other NE 102 or the CN 106 through one or more backhaul links (e.g., S1, N2, N3, or another network interface).
- the NE 102 may communicate with each other directly.
- the NE 102 may communicate with each other indirectly (e.g., via the CN 106).
- one or more NE 102 may include subcomponents, such as an access network entity, which may be an example of an access node controller (ANC).
- An ANC may communicate with the one or more UEs 104 through one or more other access network transmission entities, which may be referred to as radio heads, smart radio heads, or transmission reception points (TRPs).
- the CN 106 may support user authentication, access authorization, tracking, connectivity, and other access, routing, or mobility functions.
- the CN 106 may be an evolved packet core (EPC) or a 5G core (5GC), which may include a control plane entity that manages access and mobility (e.g., a mobility management entity (MME) or an access and mobility management function (AMF)) and a user plane entity that routes packets or interconnects to external networks (e.g., a serving gateway (S-GW), a Packet Data Network (PDN) gateway (P-GW), or a user plane function (UPF)).
- EPC evolved packet core
- 5GC 5G core
- MME mobility management entity
- AMF access and mobility management function
- S-GW serving gateway
- PDN gateway Packet Data Network gateway
- UPF user plane function
- control plane entity may manage non-access stratum (NAS) functions, such as mobility, authentication, and bearer management (e.g., data bearers, signal bearers, etc.) for the one or more UEs 104 served by the one or more NE 102 associated with the CN 106.
- the CN 106 may communicate with a packet data network over one or more backhaul links (e.g., via an S1, N2, N3, or another network interface).
- the packet data network may include an application server.
- one or more UEs 104 may communicate with the application server.
- a UE 104 may establish a session (e.g., a protocol data unit (PDU) session, or the like) with the CN 106 via an NE 102.
- the CN 106 may route traffic (e.g., control information, data, and the like) between the UE 104 and the application server using the established session (e.g., the established PDU session).
- the PDU session may be an example of a logical connection between the UE 104 and the CN 106 (e.g., one or more network functions of the CN 106).
- the NEs 102 and the UEs 104 may use resources of the wireless communications system 100 (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers)) to perform various operations (e.g., wireless communications).
- the NEs 102 and the UEs 104 may support different resource structures.
- the NEs 102 and the UEs 104 may support different frame structures.
- the NEs 102 and the UEs 104 may support a single frame structure.
- the NEs 102 and the UEs 104 may support various frame structures (i.e., multiple frame structures).
- the NEs 102 and the UEs 104 may support various frame structures based on one or more numerologies.
- One or more numerologies may be supported in the wireless communications system 100, and a numerology may include a subcarrier spacing and a cyclic prefix.
- a time interval of a resource may be organized according to frames (also referred to as radio frames).
- Each frame may have a duration, for example, a 10 millisecond (ms) duration.
- each frame may include multiple subframes.
- each frame may include 10 subframes, and each subframe may have a duration, for example, a 1 ms duration.
- each frame may have the same duration.
- each subframe of a frame may have the same duration.
- a time interval of a resource may be organized according to slots.
- a subframe may include a number (e.g., quantity) of slots.
- the number of slots in each subframe may also depend on the one or more numerologies supported in the wireless communications system 100.
- Each slot may include a number (e.g., quantity) of symbols (e.g., OFDM symbols).
- the number (e.g., quantity) of slots for a subframe may depend on a numerology.
- a slot may include 14 symbols.
- a slot may include 12 symbols.
- an electromagnetic (EM) spectrum may be split, based on frequency or wavelength, into various classes, frequency bands, frequency channels, etc.
- the wireless communications system 100 may support one or multiple operating frequency bands, such as frequency range designations FR1 (410 MHz - 7.125 GHz), FR2 (24.25 GHz - 52.6 GHz), FR3 (7.125 GHz - 24.25 GHz), FR4 (52.6 GHz - 114.25 GHz), FR4a or FR4-1 (52.6 GHz - 71 GHz), and FR5 (114.25 GHz - 300 GHz).
- FR1 410 MHz - 7.125 GHz
- FR2 24.25 GHz - 52.6 GHz
- FR3 7.125 GHz - 24.25 GHz
- FR4 52.6 GHz - 114.25 GHz
- FR4a or FR4-1 52.6 GHz - 71 GHz
- FR5 114.25 GHz - 300 GHz
- the NEs 102 and the UEs 104 may perform wireless communications over one or more of the operating frequency bands.
- FR1 may be used by the NEs 102 and the UEs 104, among other equipment or devices for cellular communications traffic (e.g., control information, data).
- FR2 may be used by the NEs 102 and the UEs 104, among other equipment or devices for short-range, high data rate capabilities.
- FR1 may be associated with one or multiple numerologies (e.g., at least three numerologies).
- FR2 may be associated with one or multiple numerologies (e.g., at least 2 numerologies).
- the solutions discussed herein relate to techniques for preventing bidding down attacks.
- the subject matter disclosed herein describes features for provisioning UTRAN (3G) and GERAN (2G) access restrictions to network entities such as the AMF, the gNB, and the UE, to avoid handovers as well as cell selections related to 2G or 3G access (GERAN and UTRAN), and thereby prevent bidding down attacks.
- the embodiments below describe various techniques to secure the UTRAN (3G) and GERAN (2G) access restriction information provisioning to the UE using NAS security, AS security, and UPU security.
- a first embodiment is directed to securely provisioning the UTRAN and GERAN access restriction information to prevent 2G/3G cell selection or UTRAN/GERAN handover using NAS/AS security.
- a mobile network operator may have decommissioned 2G/3G networks, and it may not be desirable to allow UE connections in 5G to fallback/handover to a 2G/3G network connection.
- This embodiment describes how the UTRAN and/or GERAN access restriction information can be provided to the AMF (if not configured locally), and RAN (e.g., gNB/NR) to avoid inter RAT handovers to UTRAN / GERAN. Further this embodiment describes provisioning a UE with UTRAN and/or GERAN access restriction information to avoid UTRAN/GERAN selection (e.g., 2G/3G cell selection when 5G signal is unavailable).
- the UTRAN and GERAN access restriction information can be sent to the UE in a NAS message after the establishment of NAS security or can be sent in a radio resource control (RRC) message after the establishment of AS security.
- RRC radio resource control
- Figure 2 illustrates an example procedure flow for securely provisioning and enforcing the UTRAN and GERAN access restriction information during a registration procedure in accordance with aspects of the present disclosure.
- GERAN and UTRAN access restriction information can be provided to the UE in a NAS message (e.g., a registration accept message, a NAS transport, or the like).
- the GERAN and UTRAN access restriction information can be indicated as part of network access restriction information, where the network access restriction information may contain various restriction information such as UTRAN not allowed, GERAN not allowed, 2G not allowed, 3G not allowed, and/or the like.
- existing RAT restrictions can already carry values such as “UTRAN not allowed” and “GERAN not allowed”; in such a case, enhanced RAT restrictions containing the UTRAN and GERAN restriction information can be sent to the UE, RAN, and AMF so that each of them applies the 2G and 3G related RAT restrictions.
- the UE 201 sends an initial NAS message that includes an indication of the UE’s capabilities to support GERAN access restrictions and UTRAN access restrictions.
- the UE 201 sends an initial NAS message that includes support of network access restriction enforcement capability.
- the network access restriction enforcement capability(ies) information element contains information to indicate support of GERAN access restrictions and UTRAN access restrictions.
- the initial NAS message in 1 may be an initial registration request message, a mobility registration update request message, a service request message, and/or the like.
- the network may initiate primary authentication with the UE 201 to perform mutual authentication (e.g., using EAP-AKA’, 5G AKA, or an EAP method).
- the AMF 205 may fetch subscription data from the UDM 209 by sending an Nudm_SubscriberDataManagement (Nudm_SDM) Get request with the subscription permanent identifier (SUPI) and the network access restriction enforcement capability (if received in 1) for the UE 201.
- SDM Nudm SubscriberDataManagement
- SUPI subscription permanent identifier
- the UDM/UDR 209 manages GERAN and UTRAN access restrictions as part of the network access restriction requirements for the UE 201 in the subscription data (e.g., as part of UE access and mobility context). In one implementation, the UDM/UDR 209 manages GERAN and UTRAN access restrictions as part of mobility or RAT restriction information for the UE 201 in the subscription data (e.g., as part of UE access and mobility context).
- the UDM 209 sends an Nudm_SDM Get response message, which includes the network access restriction information (UTRAN access restricted, GERAN access restricted) along with other subscription data, as needed.
- the AMF 205 if the AMF 205 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the UDM 209, the AMF 205 stores the network access restriction information as part of the UE context along with the SUPI.
- based on the network access restriction information received from the UDM 209 and the network access restriction enforcement capability received from the UE 201 in 1, the AMF 205 performs one or more access restriction actions, such as not initiating inter-RAT handover to UTRAN/GERAN, not initiating/forwarding relocation requests related to SRVCC-specific handover from 5G to 3G or 2G, provisioning the network access restriction information (UTRAN access restricted, GERAN access restricted) to the RAN 203 and the UE 201 so that the UTRAN and GERAN access restrictions for the UE 201 are enforced on the RAN 203 and UE 201 side, and/or the like.
- the AMF 205 sends a NAS security mode command message to establish NAS security.
- the AMF 205 may include in the NAS security mode command, for example, a replay of the network access restriction enforcement capability(ies) received in 1, so that the UE can detect tampering with the unprotected initial message.
- the AMF 205 may send the network access restriction information (UTRAN access restricted, GERAN access restricted) to the UE 201 in 6.
- the UE 201 sends a NAS security mode complete message, which may include the complete initial NAS message along with the network access restriction enforcement capability, if sent in 1 (for initial NAS message protection if it is not protected in 1).
- the AMF 205 sends to the RAN 203 the network access restriction information (UTRAN access restricted, GERAN access restricted) in an N2 message (e.g., initial context set up message).
- if the RAN 203 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the AMF 205, the RAN 203 stores the network access restriction information as part of the UE context. Further, based on the received network access restriction information, the RAN 203 performs one or more access restriction actions such as not initiating inter-RAT handover to UTRAN/GERAN, not initiating SRVCC from 5G to 3G or 2G, provisioning the network access restriction information (UTRAN access restricted, GERAN access restricted) to the UE 201, and/or the like.
- the RAN 203 establishes AS security with the UE 201 (based on an AS security mode command procedure).
- the RAN 203 sends an RRC message to the UE 201 that includes the network access restriction information (UTRAN access restricted, GERAN access restricted) received in 8.
- the RAN 203 provides the network access restriction information to the UE 201 in 11a if the network access restriction information is not provided to the UE 201 by the AMF 205 in 7 or 11b.
- the AMF 205 sends network access restriction information (UTRAN access restricted, GERAN access restricted) to the UE 201 in a NAS message (such as a registration accept message or another message over the NAS transport).
- the UE 201 stores the network access restriction information (UTRAN access restricted, GERAN access restricted), does not select UTRAN access (3G) or GERAN access (2G) even if the 5G signal or 4G signal is not available, and waits until the 5G/4G signal is available to prevent a bidding down attack.
- the network access restriction information (UTRAN access restricted, GERAN access restricted) can be sent to the AMF 205, the RAN 203, and the UE 201 as individual IEs instead of as part of a combined network access restriction information element in 4, 5, 6, 8, 9, 11a, and 11b.
- the network access restriction information (UTRAN access restricted, GERAN access restricted) held by one AMF 205 can be sent to another AMF (e.g., during UE mobility or handover within the 5G system) along with the UE context (as part of the mobility restrictions information or as individual information elements) using the Namf_Communication_UEContextTransfer service operation (Request/Response) message.
- a second embodiment is directed to securely provisioning the UTRAN and GERAN access restriction information to prevent 2G/3G cell selection or UTRAN/GERAN handover using a UE configuration update procedure.
- UTRAN and GERAN access restriction information can be provided to the UE using the UE configuration update procedure as shown in Figure 3.
- Figure 3 illustrates an example procedure flow for securely provisioning UTRAN and GERAN access restrictions using UE configuration update procedure in accordance with aspects of the present disclosure.
- this procedure is initiated by the AMF 305 when the AMF 305 wants to update access and mobility management related parameters (including network access restriction information such as UTRAN and GERAN access restriction information) in the UE configuration.
- the UE Configuration Update can be sent over the Access Type (e.g., 3GPP access or non-3GPP access) and applied, when applicable.
- the UE 301 sends an initial NAS message that includes an indication of the UE’s capabilities to support GERAN access restrictions and UTRAN access restrictions.
- the UE 301 sends an initial NAS message that includes support of network access restriction enforcement capability in an information element (IE).
- the network access restriction enforcement capability(ies) IE contains information to indicate support of GERAN access restrictions and UTRAN access restrictions. It is noted that the initial NAS message in A may be an initial registration request message, a mobility registration update request message, a service request message, and/or the like.
- the AMF 305 determines the necessity of a UE configuration update due to various reasons such as a UE mobility change, a NW policy, reception of Subscriber Data Update Notification from the UDM 309, change of Network Slice configuration (including due to the operator’s local policy on decommissioned 2G/3G networks and related UE access restrictions to 2G/3G network e.g., access restrictions to UTRAN and/or GERAN; due to change of the network slice simultaneous usage group (NSSRG) information in subscription information, e.g., as specified in clause 5.15.12 of TS 23.501 (incorporated herein by reference); or due to change of network slice as group (NSAG) Information, e.g., as specified in clause 5.15.14 of TS 23.501), or to remove single network slice selection assistance information (S- NSSAI) from the allowed NS SAI due to expiry of slice deregistration inactivity timer or to provide the UE 301 with an updated Slice Usage Policy,
- the AMF 305 may include a Mobility Restriction List (by including network access restriction information such as UTRAN and GERAN access restriction information) in an N2 message that delivers a UE Configuration Update Command to the UE 301 if the service area restriction for the UE 301 is updated.
- if the AMF 305 receives network access restriction enforcement capability information from the UE 301 as described in A, then the AMF 305 sends a UE Configuration Update Command containing network access restriction information such as UTRAN and GERAN access restriction information along with one or more other UE parameters such as a Configuration Update Indication, a 5G-GUTI (global unique temporary identifier), a tracking area identity (TAI) List, an allowed NSSAI, a mapping of allowed NSSAIs, and/or the like.
- the AMF 305 may include, in the UE Configuration Update Command, Configuration Update Indication parameters indicating whether the UE acknowledges the command.
- the UE 301 stores the network access restriction information (UTRAN access restricted, GERAN access restricted) received in 1a and determines not to select UTRAN access (3G) or GERAN access (2G), even if the 5G signal or 4G signal is not available, and waits until the 5G/4G signal is available to prevent a bidding down attack.
- if the UE Configuration Update Indication or the network access restriction information indicating UTRAN and GERAN access restrictions requires acknowledgement of the UE Configuration Update Command, then the UE 301 sends a UE Configuration Update Complete message to the AMF 305.
- the AMF 305 uses the Nudm SDM Info service operation to provide an acknowledgment to the UDM 309 that the UE 301 received network access restriction information indicating UTRAN and GERAN access restrictions as part of the Mobility Restrictions, if the network access restriction information was provided or updated, and acted upon it.
- if the AMF 305 has configured the UE 301 with a PLMN-assigned UE Radio Capability ID and/or network access restriction information indicating UTRAN and GERAN access restrictions, the AMF 305 informs the NG-RAN 303 of the UE Radio Capability ID and/or the network access restriction information indicating UTRAN and GERAN access restrictions when it receives an acknowledgement from the UE 301 in 2a.
- the UE 301 passes the new 5G-GUTI to its 3GPP access’ lower layers.
- when the RAN 303 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the AMF 305, it is stored in the RAN 303 as part of the UE context along with the 5G-GUTI. Further, in one implementation, based on the received network access restriction information, the RAN 303 does not initiate any inter-RAT handover to UTRAN/GERAN and/or does not initiate SRVCC from 5G to 3G or 2G.
- a third embodiment is directed to securely provisioning the UTRAN and GERAN access restriction information to prevent 2G/3G cell selection or UTRAN/GERAN handover using a UE parameter update security.
- Figure 4 illustrates an example procedure flow for securely provisioning UTRAN and GERAN access restrictions using UE parameters update procedure in accordance with aspects of the present disclosure.
- if the UE supports network access restriction enforcement, it sends a message to the AMF 403, e.g., in a NAS/N1 message, that indicates support of the network access restriction enforcement capability.
- the message includes an IE that includes the network access restriction enforcement capability(ies) information to indicate support of GERAN and UTRAN access restrictions.
- the AMF 403, in one embodiment, can send/forward the received indication about the UE’s support of network access restriction enforcement capability to the UDM 407 in a Nudm service operation message or in a Namf service operation message.
- the UDM 407 performs a UE Parameters Update (UPU) using a control plane procedure while the UE is registered to the 5G system. If the final consumer of the UE parameters to be updated (e.g., the updated Routing ID Data) is the universal subscriber identity module (USIM), the UDM protects these parameters using a secured packet mechanism (e.g., as described in 3GPP TS 31.115 (incorporated herein by reference)) to update the parameters stored on the USIM.
- the UDM 407 then prepares the UE Parameters Update Data (UPU Data) by including the parameters protected by the secured packet, if any, as well as any UE parameters for which the final consumer is the UE 401 (e.g., as described in TS 24.501 (incorporated herein by reference)).
- the UDM 407 receives the network access restriction enforcement capability information from the UE 401 via the AMF 403 (e.g., as received earlier, for example, during an authentication/registration procedure or subscription data management for the UE 401), and if the UDM/UDR 407 contains network access restriction information indicating UTRAN and GERAN access restrictions for the UE 401 (e.g., as part of the subscription data or UE access and mobility context), based on the operator's local policy, then the UDM 407 provides the network access restriction information to the UE 401 (e.g., as part of the UPU data).
- the UDM 407 invokes a Nausf UPUProtection service operation message, including the UPU Data (e.g., network access restriction information), to the AUSF 405 to get UPU-MAC-IAUSF and CounterUPU.
- the UDM 407 may select the AUSF 405 that holds the latest KAUSF of the UE 401.
- if the UDM 407 decides that the UE 401 is to acknowledge the successful security check of the received UE Parameters Update Data, then the UDM 407 includes the ACK Indication in the Nausf UPUProtection service operation message to signal that it also needs the expected UPU-XMAC-IUE.
- the inclusion of UE Parameters Update Data in the calculation of UPU-MAC-IAUSF allows the UE 401 to verify that it has not been tampered with by any intermediary.
- the expected UPU-XMAC-IUE allows the UDM 407 to verify that the UE 401 received the UE Parameters Update Data (along with the network access restriction information) correctly.
- the AUSF 405 calculates the UPU-MAC-IAUSF as described below using the UE 401 specific home key (KAUSF) along with the UE Parameters Update Data (containing network access restriction information) received from the requester NF, e.g., the UDM 407, and delivers the UPU-MAC-IAUSF and CounterUPU to the requester NF. If the ACK Indication input is present, then the AUSF 405 also computes the UPU-XMAC-IUE as shown below and returns the computed UPU-XMAC-IUE in the response.
- the input key Key can be KAUSF and the UPU-MAC-IAUSF is identified with the 128 least significant bits of the output of the KDF.
- the input key Key can be KAUSF and the UPU-MAC-IUE/UPU-XMAC-IUE is identified with the 128 least significant bits of the output of the KDF.
- the UDM 407 invokes the Nudm SDM Notification service operation, which includes the UPU transparent container if the AMF 403 supports the UPU transparent container, or otherwise includes individual IEs comprising the UE Parameters Update Data (e.g., network access restriction information), UPU-MAC-IAUSF, and CounterUPU within the Access and Mobility Subscription data. If the UDM 407 requests an acknowledgement, it temporarily stores the expected UPU-XMAC-IUE.
- upon receiving the Nudm SDM Notification message, the AMF 403 sends a DL NAS Transport message to the served UE 401 along with the network access restriction information as part of the UPU Data.
- the AMF 403 includes in the DL NAS Transport message the transparent container, if received from the UDM 407 in 4. Otherwise, if the UDM 407 provided individual IEs in 4, then the AMF 403 constructs a UPU transparent container.
- if the AMF 403 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the UDM 407, it is stored at the AMF 403 as part of the UE context along with the SUPI. Further, based on the network access restriction information received from the UDM 407 and the network access restriction enforcement capability received from the UE 401 (in 1), the AMF 403 performs one or more actions such as not initiating any inter-RAT handover to UTRAN/GERAN, not initiating or forwarding relocation requests related to SRVCC specific handover from 5G to 3G or 2G (even if it is initiated by the RAN), and provisioning the network access restriction information (UTRAN access restricted, GERAN access restricted) to the RAN in an N2 message to enforce the UTRAN and GERAN access restrictions for the UE 401 at the RAN side.
- upon receiving the DL NAS Transport message, the UE 401 calculates the UPU-MAC-IAUSF in the same way as the AUSF 405 (as shown in 2 and 3) on the received UE Parameters Update Data (containing network access restriction information) and the CounterUPU, and verifies whether it matches the UPU-MAC-IAUSF value received within the UPU transparent container in the DL NAS Transport message.
- if the verification of UPU-MAC-IAUSF is successful and the UPU Data contains parameters that are protected by secured packet (see, e.g., 3GPP TS 31.115 (incorporated herein by reference)), the UE 401 forwards the secured packet to the USIM, e.g., using procedures in 3GPP TS 31.111 (incorporated herein by reference). If the verification of UPU-MAC-IAUSF is successful and the UPU Data contains parameters (e.g., network access restriction information) that are not protected by secured packet, the UE 401 can update its stored parameters with the received parameters in the UPU Data.
- the UE 401 can send the UL NAS Transport message to the serving AMF 403.
- the UE 401 then generates the UPU-MAC-IUE (as specified in 2 and 3, in the same way as the AUSF 405) and includes the generated UPU-MAC-IUE in a transparent container in the UL NAS Transport message.
- the UE 401 stores the network access restriction information (UTRAN access restricted, GERAN access restricted) and does not select UTRAN access (3G) or GERAN access (2G) even if the 5G signal or 4G signal is not available and the UE 401 waits until the 5G/4G signal is available to prevent a bidding down attack.
- the AMF 403 sends a Nudm SDM Info request message with the transparent container to the UDM 407.
- if the UDM 407 indicated that the UE 401 is to acknowledge the successful security check of the received UE Parameters Update Data, then the UDM 407 compares the received UPU-MAC-IUE with the expected UPU-XMAC-IUE that the UDM 407 stored temporarily in 4.
- the UDM 407 may trigger a primary authentication to refresh the UPU counter based on the value of the counter received in 3.
- Figures 5A and 5B illustrate an example procedure flow for indicating UTRAN and GERAN access restriction information using an ABBA value for bidding down protection in accordance with aspects of the present disclosure.
- the network access restrictions such as UTRAN and GERAN access restrictions are enforced using a new ABBA value during the primary authentication (e.g., during registration or a service access).
- the new ABBA parameter value may be defined and set by the SEAF 505 to indicate any one or more of the following: ‘UTRAN and GERAN Access Restricted’, ‘UTRAN Access Restricted’, ‘GERAN Access Restricted’, ‘Only 5G access allowed’, ‘Only 5G access’, and ‘EPS access allowed’.
- the ABBA value is provided to the UE 501 following a successful authentication to prevent the bidding down attack related to 3G/2G redirections, handovers, mobility, cell selection, and/or the like.
- Figures 5A and 5B depict the enhanced primary authentication procedure to send the network access restrictions specific ABBA parameter to the UE 501 and RAN 503.
- the UE 501 sends an initial NAS message that includes an indication of UE’s capabilities to support GERAN and UTRAN access restrictions.
- the UE sends an initial NAS message that includes an IE that includes information indicating support of network access restriction enforcement capability.
- the network access restriction enforcement capability(ies) IE contains information to indicate support of GERAN and UTRAN access restrictions.
- the SEAF 505 sends a Nausf UEAuthentication Authenticate Request message to the AUSF 507 that contains the Subscription Concealed Identifier (SUCI)/SUPI, the serving network (SN)-name, and the UE's network access restriction enforcement capability (received in 1a).
- the AUSF 507 sends a Nausf UEAuthentication Authenticate Request to the UDM 509 that contains the SUCI/SUPI, SN-name, and the UE's network access restriction enforcement capability (received in 1a).
- the UDM 509 upon reception of the Nudm UE Authentication Get Request, invokes a Subscriber Identity Deconcealing Function (SIDF) if a SUCI is received.
- SIDF may de-conceal SUCI to gain SUPI before the UDM 509 can process the request.
- the UDM/UDR 509 manages GERAN and UTRAN access restrictions as part of the network access restriction requirements for the UE(s) 501 in the subscription data (e.g., as part of UE access and mobility context), which can be configured in the UDM 509 based on operator policy.
- the UDM/UDR 509 manages GERAN and UTRAN access restrictions as part of mobility restrictions or RAT restrictions information for the UE(s) 501 in the subscription data (e.g., as part of UE access and mobility context).
- the UDM 509 sends a Nudm UE Authentication Get Response to the AUSF 507 with the authentication vector (AV), SUPI, SN-name, and network access restriction information indicating UTRAN and GERAN access restrictions for the UE 501.
- the AUSF 507 sends the Nausf UEAuthentication Authenticate Response message with the EAP-Request/AKA'-Challenge message/5G SE AV and the network access restriction information indicating UTRAN and GERAN access restrictions to the SEAF 505.
- the SEAF 505 forwards the network access restriction information indicating UTRAN and GERAN access restrictions (if received in 3a) to the AMF 505.
- the SEAF 505 uses the network access restriction information indicating UTRAN and GERAN access restrictions and sets the ABBA values.
- the ABBA parameter is a variable length parameter that indicates a value related to the 2G/3G access restrictions or the 5G and 4G access limitations, as shown in Table 1 below:
- Table 1: New ABBA values related to network access restrictions.
- the SEAF 505 sets the ABBA parameter to 0x0000.
- the UE 501 may use the ABBA parameter provided by the SEAF 505 in the calculation of KAMF.
- when the AMF 505 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the UDM 509, it is stored at the AMF 505 as part of the UE context along with the SUPI. Further, based on the network access restriction information received from the UDM 509 and the network access restriction enforcement capability received from the UE 501 (in 1), the AMF 505 performs various actions including not initiating inter-RAT handover to UTRAN/GERAN, not initiating or forwarding relocation requests related to SRVCC specific handover from 5G to 3G or 2G (even if it is initiated by the RAN 503), and provisioning the network access restriction information (UTRAN access restricted, GERAN access restricted) to the RAN 503 in an N2 message to enforce the UTRAN and GERAN access restrictions for the UE 501 at the RAN 503 side.
- the SEAF 505 transparently forwards the EAP-Request/AKA'-Challenge message (if received) along with the network access restriction information (UTRAN access restricted, GERAN access restricted) to the UE 501 in a NAS Authentication Request message.
- the UE forwards the random number (RAND) and the authentication token (AUTN) received in EAP-Request/AKA'-Challenge message to the USIM.
- This message may include the ngKSI and ABBA parameter indicating network access restriction information (UTRAN access restricted, GERAN access restricted).
- the SEAF 505 may include the ngKSI and ABBA parameter indicating network access restriction information (UTRAN access restricted, GERAN access restricted) in all EAP-Authentication request messages.
- the ngKSI may be used by the UE 501 and AMF 505 to identify the partial native security context that is created if the authentication is successful.
- the SEAF 505 may set the ABBA parameter based on network access restriction information (UTRAN access restricted, GERAN access restricted).
- the value of the ngKSI and the ABBA parameter indicating network access restriction information (UTRAN access restricted, GERAN access restricted) sent by the SEAF 505 to the UE 501 may not be changed.
- the SEAF 505 needs to understand that the authentication method used is an EAP method by evaluating the type of authentication method based on the Nausf UEAuthentication Authenticate Response message.
- the USIM verifies the freshness of the AV by checking whether AUTN can be accepted, e.g., as described in TS 33.102 (incorporated herein by reference). If so, the USIM computes a response result (RES). The USIM may return RES, cipher key (CK), and integrity key (IK) to the UE 501.
- if the USIM computes a Kc (e.g., GPRS Kc) from CK and IK using conversion function c3, e.g., as described in TS 33.102, and sends it to the UE 501, then the UE 501 may ignore such GPRS Kc and not store the GPRS Kc on the USIM or in the UE 501.
- the UE 501 sends the EAP-Response/AKA'-Challenge/RES* message to the SEAF 505 in a NAS Auth-Resp message.
- the SEAF 505 transparently forwards the EAP-Response/AKA'-Challenge/RES* message to the AUSF 507 in a Nausf UEAuthentication Authenticate Request message.
- the AUSF 507 verifies the message by comparing the expected result (XRES) and the RES, and if the AUSF 507 has successfully verified this message, it continues as follows, otherwise it returns an error to the SEAF 505.
- the AUSF 507 informs the UDM 509 about the authentication result.
- the AUSF 507 and the UE 501 may exchange EAP-Request/AKA'-Notification and EAP-Response/AKA'-Notification messages (if EAP-AKA' is used) via the SEAF 505.
- the SEAF 505 may transparently forward these messages.
- the AUSF 507 derives the Extended Master Session Key (EMSK) from CK' and IK' (if EAP-AKA' is used) as described in RFC 5448.
- the AUSF 507 uses the most significant 256 bits of EMSK as the KAUSF and then calculates KSEAF from KAUSF.
- the AUSF 507 sends an EAP Success message to the SEAF 505 inside the Nausf UEAuthentication Authenticate Response.
- the SEAF 505 may forward the EAP Success message transparently to the UE 501 along with the ABBA indicating network access restriction information (UTRAN access restricted, GERAN access restricted).
- the Nausf UEAuthentication Authenticate Response message contains the KSEAF. If the AUSF 507 received a SUCI from the SEAF 505 when the authentication was initiated, then the AUSF 507 may also include the SUPI in the Nausf UEAuthentication Authenticate Response message. The AUSF 507 stores the KAUSF based on the home network operator's policy.
- the SEAF 505 sends the EAP Success (if EAP-AKA' is used) or the authentication result as a success message to the UE 501 in the N1 message.
- This message may also include the ngKSI and the ABBA parameter indicating network access restriction information (UTRAN access restricted, GERAN access restricted).
- the UE 501 derives the KAMF from KSEAF, the ABBA indicating network access restriction information (UTRAN access restricted, GERAN access restricted), and the SUPI.
- the UE 501 sends the NAS security mode complete message to the AMF 505.
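The UPU protection steps of Figure 4 (UPU-MAC-IAUSF over the UPU Data and CounterUPU, the UE's check before it stores the restrictions, and the UPU-XMAC-IUE acknowledgement) and the ABBA-bound KAMF derivation of Figures 5A/5B both rest on the same key derivation function, so this added example models both in one place; it is not code from the patent or from any 3GPP implementation. The KDF framing follows the 3GPP TS 33.220 Annex B shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1), and the FC values, the one-byte UPU Data encoding of the restrictions, the ABBA restriction value, the SUPI and all keys are assumptions constructed for the example.

```python
# Added worked example (not part of the patent or of any 3GPP implementation).
# Models the two derivations the flows rely on with the 3GPP TS 33.220 Annex B
# KDF shape: HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 ...). The FC values,
# field layouts, the UPU Data encoding, the ABBA restriction value and all keys
# below are assumptions constructed for this example.
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: S = FC || P0 || L0 || ...; each Li is a 2-byte big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# ---- UPU protection (Figure 4) ----------------------------------------------
FC_UPU_MAC_IAUSF = 0x7B  # assumed FC for UPU-MAC-IAUSF (TS 33.501 Annex A)
FC_UPU_MAC_IUE = 0x7C    # assumed FC for UPU-MAC-IUE / UPU-XMAC-IUE
UPU_ACK = b"\x01"        # assumed P0 of the acknowledgement MAC
UTRAN_RESTRICTED = 0x01  # constructed UPU Data encoding: bit 0 = UTRAN access restricted
GERAN_RESTRICTED = 0x02  # constructed UPU Data encoding: bit 1 = GERAN access restricted


def upu_mac_iausf(k_ausf: bytes, upu_data: bytes, counter_upu: int) -> bytes:
    """128 least significant bits of KDF(KAUSF, FC, UPU Data, CounterUPU)."""
    return kdf(k_ausf, FC_UPU_MAC_IAUSF, upu_data, counter_upu.to_bytes(2, "big"))[16:]


def upu_mac_iue(k_ausf: bytes, counter_upu: int) -> bytes:
    """128 least significant bits of KDF(KAUSF, FC, UPU ACK, CounterUPU)."""
    return kdf(k_ausf, FC_UPU_MAC_IUE, UPU_ACK, counter_upu.to_bytes(2, "big"))[16:]


def ue_verify_upu(k_ausf: bytes, upu_data: bytes, counter_upu: int, mac: bytes):
    """UE side (step 6): recompute UPU-MAC-IAUSF; store the restrictions and produce the
    acknowledgement MAC only if it matches, otherwise discard the update unchanged."""
    if not hmac.compare_digest(upu_mac_iausf(k_ausf, upu_data, counter_upu), mac):
        return None
    return {
        "utran_restricted": bool(upu_data[0] & UTRAN_RESTRICTED),
        "geran_restricted": bool(upu_data[0] & GERAN_RESTRICTED),
        "ack_mac": upu_mac_iue(k_ausf, counter_upu),
    }


def run_upu_flow(tamper: bool = False) -> dict:
    """UDM/AUSF protect -> AMF forwards in DL NAS Transport -> UE verifies -> UDM checks ACK.
    With tamper=True the restriction bits are cleared in transit (the change a bidding-down
    attempt would need); the UE must detect it because the MAC covers the UPU Data."""
    k_ausf = hashlib.sha256(b"constructed K_AUSF for this example").digest()
    counter_upu = 1
    upu_data = bytes([UTRAN_RESTRICTED | GERAN_RESTRICTED])
    mac = upu_mac_iausf(k_ausf, upu_data, counter_upu)   # AUSF, step 3
    xmac = upu_mac_iue(k_ausf, counter_upu)              # expected UPU-XMAC-IUE, kept by the UDM
    delivered = b"\x00" if tamper else upu_data          # UPU Data as it reaches the UE in step 5
    result = ue_verify_upu(k_ausf, delivered, counter_upu, mac)
    if result is None:
        return {"accepted": False, "ack_ok": False}
    return {
        "accepted": True,
        "utran_restricted": result["utran_restricted"],
        "geran_restricted": result["geran_restricted"],
        "ack_ok": hmac.compare_digest(xmac, result["ack_mac"]),  # UDM, step 8
    }


# ---- ABBA in the K_AMF derivation (Figures 5A/5B) ---------------------------
FC_KAMF = 0x6D                             # assumed FC for K_AMF (TS 33.501 Annex A)
ABBA_DEFAULT = bytes.fromhex("0000")       # the ABBA value the text gives
ABBA_UTRAN_GERAN_RESTRICTED = b"\x00\x01"  # constructed; the Table 1 values are not on the page


def derive_kamf(k_seaf: bytes, supi: str, abba: bytes) -> bytes:
    """K_AMF = KDF(K_SEAF, FC, SUPI, ABBA); the UE and the SEAF/AMF both compute this."""
    return kdf(k_seaf, FC_KAMF, supi.encode(), abba)


def kamf_agrees(k_seaf: bytes, supi: str, abba_sent: bytes, abba_received: bytes) -> bool:
    """If the ABBA the UE receives differs from the one the SEAF set, the two sides derive
    different K_AMF values and the NAS Security Mode Command integrity check fails."""
    return derive_kamf(k_seaf, supi, abba_sent) == derive_kamf(k_seaf, supi, abba_received)


def run_abba_check() -> dict:
    k_seaf = hashlib.sha256(b"constructed K_SEAF for this example").digest()
    supi = "imsi-001010123456789"  # constructed SUPI
    return {
        "unchanged": kamf_agrees(k_seaf, supi, ABBA_UTRAN_GERAN_RESTRICTED, ABBA_UTRAN_GERAN_RESTRICTED),
        "rewritten": kamf_agrees(k_seaf, supi, ABBA_UTRAN_GERAN_RESTRICTED, ABBA_DEFAULT),
    }


if __name__ == "__main__":
    print(run_upu_flow(), run_upu_flow(tamper=True), run_abba_check())
```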
- FIG. 6 illustrates an example of a UE 600 in accordance with aspects of the present disclosure.
- the UE 600 may include a processor 602, a memory 604, a controller 606, and a transceiver 608.
- the processor 602, the memory 604, the controller 606, or the transceiver 608, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.
- the processor 602, the memory 604, the controller 606, or the transceiver 608, or various combinations or components thereof may be implemented in hardware (e.g., circuitry).
- the hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.
- the processor 602 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 602 may be configured to operate the memory 604. In some other implementations, the memory 604 may be integrated into the processor 602. The processor 602 may be configured to execute computer-readable instructions stored in the memory 604 to cause the UE 600 to perform various functions of the present disclosure.
- the memory 604 may include volatile or non-volatile memory.
- the memory 604 may store computer-readable, computer-executable code including instructions that, when executed by the processor 602, cause the UE 600 to perform various functions described herein.
- the code may be stored in a non-transitory computer-readable medium such as the memory 604 or another type of memory.
- Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
- a non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.
- the processor 602 and the memory 604 coupled with the processor 602 may be configured to cause the UE 600 to perform one or more of the functions described herein (e.g., executing, by the processor 602, instructions stored in the memory 604).
- the processor 602 may support wireless communication at the UE 600 in accordance with examples as disclosed herein.
- the UE 600 may be configured to support a means to transmit an indication of a network access restriction enforcement capability of the UE as part of a NAS message with a first network, receive network access restriction information for the UE indicating restrictions on second networks that the UE may access, store the network access restriction information, and prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable.
- the indication of the network access restriction enforcement capability of the UE indicates whether the UE supports GERAN access restrictions, UTRAN access restrictions, or a combination thereof.
- the second networks comprise a GERAN, a UTRAN, or a combination thereof.
- the NAS message comprises at least one of a Registration Request message, Security mode complete message, or a combination thereof.
- the UE 600 may be configured to support a means to receive the network access restriction information as part of the NAS message, the NAS message comprising at least one of a NAS security mode command message, a Registration accept message, a Registration complete message, an authentication request message, an authentication response message, a UE configuration update message, and UPU data.
- the network access restriction information comprises an ABBA parameter value that indicates at least one of UTRAN and GERAN access restricted, UTRAN access restricted, GERAN access restricted, only 5G access allowed, and EPS access allowed.
- the controller 606 may manage input and output signals for the UE 600.
- the controller 606 may also manage peripherals not integrated into the UE 600.
- the controller 606 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems.
- the controller 606 may be implemented as part of the processor 602.
- the UE 600 may include at least one transceiver 608. In some other implementations, the UE 600 may have more than one transceiver 608.
- the transceiver 608 may represent a wireless transceiver.
- the transceiver 608 may include one or more receiver chains 610, one or more transmitter chains 612, or a combination thereof.
- a receiver chain 610 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium.
- the receiver chain 610 may include one or more antennas for receiving the signal over the air or wireless medium.
- the receiver chain 610 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal.
- the receiver chain 610 may include at least one demodulator configured to demodulate the received signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal.
- the receiver chain 610 may include at least one decoder for decoding and processing the demodulated signal to receive the transmitted data.
- a transmitter chain 612 may be configured to generate and transmit signals (e.g., control information, data, packets).
- the transmitter chain 612 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium.
- the at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM).
- the transmitter chain 612 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium.
- the transmitter chain 612 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.
- FIG. 7 illustrates an example of a processor 700 in accordance with aspects of the present disclosure.
- the processor 700 may be an example of a processor configured to perform various operations in accordance with examples as described herein.
- the processor 700 may include a controller 702 configured to perform various operations in accordance with examples as described herein.
- the processor 700 may optionally include at least one memory 704, which may be, for example, an L1/L2/L3 cache. Additionally, or alternatively, the processor 700 may optionally include one or more arithmetic-logic units (ALUs) 706.
- One or more of these components may be in electronic communication or otherwise coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces (e.g., buses).
- the processor 700 may be a processor chipset and include a protocol stack (e.g., a software stack) executed by the processor chipset to perform various operations (e.g., receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) in accordance with examples as described herein.
- the processor chipset may include one or more cores, one or more caches (e.g., memory local to or included in the processor chipset (e.g., the processor 700) or other memory (e.g., random access memory (RAM), read-only memory (ROM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), static RAM (SRAM), ferroelectric RAM (FeRAM), magnetic RAM (MRAM), resistive RAM (RRAM), flash memory, phase change memory (PCM), and others).
- the controller 702 may be configured to manage and coordinate various operations (e.g., signaling, receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) of the processor 700 to cause the processor 700 to support various operations in accordance with examples as described herein.
- the controller 702 may operate as a control unit of the processor 700, generating control signals that manage the operation of various components of the processor 700. These control signals include enabling or disabling functional units, selecting data paths, initiating memory access, and coordinating timing of operations.
- the controller 702 may be configured to fetch (e.g., obtain, retrieve, receive) instructions from the memory 704 and determine subsequent instruction(s) to be executed to cause the processor 700 to support various operations in accordance with examples as described herein.
- the controller 702 may be configured to track memory address of instructions associated with the memory 704.
- the controller 702 may be configured to decode instructions to determine the operation to be performed and the operands involved.
- the controller 702 may be configured to interpret the instruction and determine control signals to be output to other components of the processor 700 to cause the processor 700 to support various operations in accordance with examples as described herein.
- the controller 702 may be configured to manage flow of data within the processor 700.
- the controller 702 may be configured to control transfer of data between registers, arithmetic logic units (ALUs), and other functional units of the processor 700.
- the memory 704 may include one or more caches (e.g., memory local to or included in the processor 700 or other memory, such RAM, ROM, DRAM, SDRAM, SRAM, MRAM, flash memory, etc. In some implementations, the memory 704 may reside within or on a processor chipset (e.g., local to the processor 700). In some other implementations, the memory 704 may reside external to the processor chipset (e.g., remote to the processor 700).
- the memory 704 may store computer-readable, computer-executable code including instructions that, when executed by the processor 700, cause the processor 700 to perform various functions described herein.
- the code may be stored in a non-transitory computer-readable medium such as system memory or another type of memory.
- the controller 702 and/or the processor 700 may be configured to execute computer-readable instructions stored in the memory 704 to cause the processor 700 to perform various functions.
- the processor 700 and/or the controller 702 may be coupled with or to the memory 704; the processor 700, the controller 702, and the memory 704 may be configured to perform various functions described herein.
- the processor 700 may include multiple processors and the memory 704 may include multiple memories.
- One or more of the multiple processors may be coupled with one or more of the multiple memories, which may, individually or collectively, be configured to perform various functions herein.
- the one or more ALUs 706 may be configured to support various operations in accordance with examples as described herein.
- the one or more ALUs 706 may reside within or on a processor chipset (e.g., the processor 700).
- the one or more ALUs 706 may reside external to the processor chipset (e.g., the processor 700).
- One or more ALUs 706 may perform one or more computations such as addition, subtraction, multiplication, and division on data.
- one or more ALUs 706 may receive input operands and an operation code, which determines an operation to be executed.
- One or more ALUs 706 may be configured with a variety of logical and arithmetic circuits, including adders, subtractors, shifters, and logic gates, to process and manipulate the data according to the operation.
- the one or more ALUs 706 may support logical operations such as AND, OR, exclusive-OR (XOR), not-OR (NOR), and not-AND (NAND), enabling the one or more ALUs 706 to handle conditional operations, comparisons, and bitwise operations.
- the processor 700 may support wireless communication in accordance with examples as disclosed herein.
- the processor 700 may be configured to or operable to support a means to receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information, transmit the network access restriction information to the UE, and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
- the processor 700 may be configured to or operable to support a means to receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information, configure the network access restriction information for the UE in subscription data associated with the UE, and transmit the network access restriction information.
- the processor 700 may be configured to or operable to support a means to transmit an indication of a network access restriction enforcement capability of a UE as part of a NAS message with a first network, receive network access restriction information for the UE indicating restrictions on second networks that the UE may access, store the network access restriction information, and prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable.
- Figure 8 illustrates an example of a NE 800 in accordance with aspects of the present disclosure.
- the NE 800 may include a processor 802, a memory 804, a controller 806, and a transceiver 808.
- the processor 802, the memory 804, the controller 806, or the transceiver 808, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.
- the processor 802, the memory 804, the controller 806, or the transceiver 808, or various combinations or components thereof may be implemented in hardware (e.g., circuitry).
- the hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.
- the NE 800 may be configured to support a means to receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information, transmit the network access restriction information to the UE, and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
- the indication of the network access restriction enforcement capability of the UE indicates whether the UE supports GERAN access restrictions, UTRAN access restrictions, or a combination thereof.
- the at least one processor is configured to cause the NE to store the network access restriction information as part of a UE context.
- the NE 800 may be configured to support a means to apply the at least one network access restriction by not initiating inter-RAT handover to GERAN, UTRAN, or a combination thereof.
- the NE 800 may be configured to support a means to apply the at least one network access restriction by not initiating or forwarding relocation requests related to SRVCC for handover to GERAN, UTRAN, or a combination thereof.
- the NE 800 may be configured to support a means to transmit the network access restriction information to a RAN associated with the UE to enforce the network access restriction for the UE at the RAN.
- the NE 800 may be configured to support a means to transmit the network access restriction information to the UE in a NAS security message. In one embodiment, the NE 800 may be configured to support a means to transmit the network access restriction information to the UE as part of a UE configuration update command.
- the NE 800 may be configured to support a means to transmit an acknowledgement to a UDM network function indicating that the UE received the network access restriction information.
- the network access restriction information comprises an ABBA parameter value that indicates at least one of UTRAN and GERAN access restricted, UTRAN access restricted, GERAN access restricted, only 5G access allowed, and EPS access allowed.
- the NE 800 may be configured to support a means to determine the network access restriction information based on a configuration at the NE, the network access restriction information comprising an indication of UTRAN access restricted/not allowed, GERAN access restricted/not allowed, or a combination thereof.
- the NE 800 may be configured to support a means to fetch the network access restriction information from a UDM network function, the network access restriction information comprising an indication of UTRAN access restricted/not allowed, GERAN access restricted/not allowed, or a combination thereof.
- the NE 800 may be configured to support a means to receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information for the UE, configure the network access restriction information for the UE in subscription data associated with the UE, and transmit the network access restriction information.
- the NE 800 may be configured to support a means to configure the network access restriction information for the UE in UPU data. In one embodiment, the NE 800 may be configured to support a means to configure the network access restriction information for the UE in subscription data associated with the UE based on a local policy.
- the NE 800 may be configured to support a means to configure the network access restriction information for the UE in subscription data associated with the UE based on a GERAN, a UTRAN, or a combination thereof being decommissioned.
- the NE 800 may be configured to support a means to configure the network access restriction information for the UE in subscription data associated with the UE as part of mobility restrictions for the UE, RAT restrictions for the UE, or a combination thereof.
- the processor 802 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 802 may be configured to operate the memory 804. In some other implementations, the memory 804 may be integrated into the processor 802. The processor 802 may be configured to execute computer-readable instructions stored in the memory 804 to cause the NE 800 to perform various functions of the present disclosure.
- the memory 804 may include volatile or non-volatile memory.
- the memory 804 may store computer-readable, computer-executable code including instructions that, when executed by the processor 802, cause the NE 800 to perform various functions described herein.
- the code may be stored in a non-transitory computer-readable medium such as the memory 804 or another type of memory.
- Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
- a non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.
- the processor 802 and the memory 804 coupled with the processor 802 may be configured to cause the NE 800 to perform one or more of the functions described herein (e.g., executing, by the processor 802, instructions stored in the memory 804).
- the processor 802 may support wireless communication at the NE 800 in accordance with examples as disclosed herein.
- the controller 806 may manage input and output signals for the NE 800.
- the controller 806 may also manage peripherals not integrated into the NE 800.
- the controller 806 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems.
- the controller 806 may be implemented as part of the processor 802.
- the NE 800 may include at least one transceiver 808. In some other implementations, the NE 800 may have more than one transceiver 808.
- the transceiver 808 may represent a wireless transceiver.
- the transceiver 808 may include one or more receiver chains 810, one or more transmitter chains 812, or a combination thereof.
- a receiver chain 810 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium.
- the receiver chain 810 may include one or more antennas for receiving the signal over the air or wireless medium.
- the receiver chain 810 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal.
- the receiver chain 810 may include at least one demodulator configured to demodulate the received signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal.
- the receiver chain 810 may include at least one decoder for decoding and processing the demodulated signal to receive the transmitted data.
- a transmitter chain 812 may be configured to generate and transmit signals (e.g., control information, data, packets).
- the transmitter chain 812 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium.
- the at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM).
- the transmitter chain 812 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium.
- the transmitter chain 812 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.
- Figure 9 illustrates a flowchart of a method in accordance with aspects of the present disclosure.
- the operations of the method may be implemented by an NE as described herein.
- the NE may execute a set of instructions to control the function elements of the NE to perform the described functions.
- the method may receive an indication of a network access restriction enforcement capability of a UE.
- the operations of 902 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 902 may be performed by an NE as described with reference to Figure 8.
- the method may determine network access restriction information.
- the operations of 904 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 904 may be performed by an NE as described with reference to Figure 8.
- the method may transmit the network access restriction information to the UE.
- the operations of 906 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 906 may be performed by an NE as described with reference to Figure 8.
- the method may apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
- the operations of 908 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 908 may be performed by an NE as described with reference to Figure 8.
- Figure 10 illustrates a flowchart of a method in accordance with aspects of the present disclosure.
- the operations of the method may be implemented by an NE as described herein.
- the NE may execute a set of instructions to control the function elements of the NE to perform the described functions.
- the method may receive an indication of a network access restriction enforcement capability of a UE.
- the operations of 1002 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1002 may be performed by an NE as described with reference to Figure 8.
- the method may determine network access restriction information for the UE.
- the operations of 1004 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1004 may be performed by an NE as described with reference to Figure 8.
- the method may configure the network access restriction information for the UE in subscription data associated with the UE.
- the operations of 1006 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1006 may be performed by an NE as described with reference to Figure 8.
- the method may transmit the network access restriction information.
- the operations of 1008 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1008 may be performed by an NE as described with reference to Figure 8.
- Figure 11 illustrates a flowchart of a method in accordance with aspects of the present disclosure.
- the operations of the method may be implemented by a UE as described herein.
- the UE may execute a set of instructions to control the function elements of the UE to perform the described functions.
- the method may transmit an indication of a network access restriction enforcement capability of the UE as part of a NAS message with a first network.
- the operations of 1102 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1102 may be performed by a UE as described with reference to Figure 6.
- the method may receive network access restriction information for the UE indicating restrictions on second networks that the UE may access.
- the operations of 1104 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1104 may be performed by a UE as described with reference to Figure 6.
- the method may store the network access restriction information.
- the operations of 1106 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1106 may be performed by a UE as described with reference to Figure 6.
- the method may prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable.
- the operations of 1108 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1108 may be performed by a UE as described with reference to Figure 6.
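The three flows above (the NE-side provisioning and enforcement of Figures 9 and 10, and the UE-side storage and cell-selection enforcement of Figure 11), together with the ABBA-carried restriction value described for the NE 800, modelled in one runnable example. This is an added example, not code from the patent or from any 3GPP implementation. Everything the page leaves open is an assumption here: RATs and restriction information are Python sets of RAT names, the 3-bit bitmap standing in for the ABBA value is constructed, the class and method names (`Amf`, `Ue`, `determine`, `select_cell`, `ran_restrictions`) are hypothetical, and the NAS integrity protection that the page relies on to deliver the information securely is not modelled.

```python
"""Toy model of network access restriction provisioning and enforcement.

Added example (not from the patent). Assumptions: restriction information is a
set of RAT names; the bitmap below is a constructed stand-in for the ABBA value;
class and method names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

NR, EUTRAN, UTRAN, GERAN = "NR", "E-UTRAN", "UTRAN", "GERAN"
# RATs for which a UE can declare a "network access restriction enforcement capability".
LEGACY = frozenset({UTRAN, GERAN})

# Constructed encoding (assumption): bit 0 = UTRAN restricted, bit 1 = GERAN restricted,
# bit 2 = EPS (E-UTRAN) restricted. All three set means "only 5G access allowed".
_BIT = {UTRAN: 1, GERAN: 2, EUTRAN: 4}
_KNOWN = sum(_BIT.values())


def encode(restricted: FrozenSet[str]) -> int:
    """Pack a set of restricted RATs into the constructed bitmap."""
    return sum(_BIT[r] for r in restricted)


def decode(value: int) -> FrozenSet[str]:
    """Unpack the bitmap; unknown bits are rejected instead of being silently dropped."""
    if value & ~_KNOWN:
        raise ValueError(f"unknown restriction bits in {value:#x}")
    return frozenset(r for r, b in _BIT.items() if value & b)


def describe(restricted: FrozenSet[str]) -> str:
    """Map a restriction set to the labels the disclosure lists for the ABBA value."""
    if restricted == frozenset(_BIT):
        return "only 5G access allowed"
    if LEGACY <= restricted:
        return "UTRAN and GERAN access restricted, EPS access allowed"
    if UTRAN in restricted:
        return "UTRAN access restricted"
    if GERAN in restricted:
        return "GERAN access restricted"
    return "no access restriction"


@dataclass
class Amf:
    """Network-side entity: determines, stores (UE context) and applies restrictions."""
    decommissioned: FrozenSet[str]                    # local configuration (e.g. 3G switched off)
    subscriptions: Dict[str, FrozenSet[str]]          # stand-in for UDM subscription / UPU data
    ue_context: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = field(default_factory=dict)

    def determine(self, supi: str, capability: FrozenSet[str]) -> int:
        """Registration (902/904/906): merge local configuration with subscription data,
        keep capability and restriction set in the UE context, return the value sent
        to the UE in the NAS message."""
        restricted = self.decommissioned | self.subscriptions.get(supi, frozenset())
        self.ue_context[supi] = (capability, restricted)
        return encode(restricted)

    def ran_restrictions(self, supi: str) -> FrozenSet[str]:
        """Assumption: restrictions the UE cannot enforce itself are pushed to the RAN."""
        capability, restricted = self.ue_context[supi]
        return restricted - capability

    def may_initiate(self, supi: str, target_rat: str) -> bool:
        """Network-side enforcement (908): no inter-RAT handover and no SRVCC relocation
        towards a restricted RAT, regardless of what the UE supports."""
        _, restricted = self.ue_context[supi]
        return target_rat not in restricted


@dataclass
class Ue:
    """UE side: declares its capability, stores the received information, enforces it."""
    capability: FrozenSet[str] = LEGACY
    stored: Optional[FrozenSet[str]] = None

    def register(self, amf: Amf, supi: str) -> None:
        """NAS exchange with the first network (1102/1104/1106)."""
        self.stored = decode(amf.determine(supi, self.capability))

    def select_cell(self, candidates: List[Tuple[str, int]]) -> Optional[str]:
        """Cell selection once the first network is unavailable (1108): choose the strongest
        candidate whose RAT is not restricted; return None rather than fall back."""
        enforced = self.stored or frozenset()
        allowed = [c for c in candidates if c[0] not in enforced]
        return max(allowed, key=lambda c: c[1])[0] if allowed else None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: operator decommissioned UTRAN, subscription forbids GERAN,
    the serving 5G cell is unavailable and the strongest visible cell is a 2G cell."""
    amf = Amf(decommissioned=frozenset({UTRAN}), subscriptions={"imsi-001": frozenset({GERAN})})
    candidates = [(GERAN, -60), (UTRAN, -70), (EUTRAN, -95)]   # constructed (RAT, RSRP dBm)
    provisioned, unprovisioned = Ue(), Ue()
    provisioned.register(amf, "imsi-001")
    return provisioned.select_cell(candidates), unprovisioned.select_cell(candidates)
```

`demo()` contrasts a provisioned UE, which passes over the strongest 2G and 3G cells and lands on E-UTRAN, with one that never stored restriction information and therefore selects the 2G cell the signal strength points it to. The `decode` check that rejects unknown bits is the kind of conservative parsing a practitioner would want at the UE, since an unrecognised value should never relax a restriction.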
Abstract
Various aspects of the present disclosure relate to techniques for preventing bidding down attacks. A network entity (NE) is configured to receive an indication of a network access restriction enforcement capability of a user equipment (UE), determine network access restriction information, transmit the network access restriction information to the UE, and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
Description
TECHNIQUES FOR PREVENTING BIDDING DOWN ATTACKS
TECHNICAL FIELD
[0001] The present disclosure relates to wireless communications, and more specifically to techniques for preventing bidding down attacks.
BACKGROUND
[0002] A wireless communications system may include one or multiple network communication devices, such as base stations, which may support wireless communications for one or multiple user communication devices, which may be otherwise known as user equipment (UE), or other suitable terminology. The wireless communications system may support wireless communications with one or multiple user communication devices by utilizing resources of the wireless communication system (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers, or the like)). Additionally, the wireless communications system may support wireless communications across various radio access technologies including third generation (3G) radio access technology, fourth generation (4G) radio access technology, fifth generation (5G) radio access technology, among other suitable radio access technologies beyond 5G (e.g., sixth generation (6G)).
SUMMARY
[0003] An article “a” before an element is unrestricted and understood to refer to “at least one” of those elements or “one or more” of those elements. The terms “a,” “at least one,” “one or more,” and “at least one of one or more” may be interchangeable. As used herein, including in the claims, “or” as used in a list of items (e.g., a list of items prefaced by a phrase such as “at least one of” or “one or more of” or “one or both of”) indicates an inclusive list such that, for example, a list of at least one of A, B, or C means A or B or C or AB or AC or BC or ABC (i.e., A and B and C). Also, as used herein, the phrase “based on” shall not be construed as a reference to a closed set of conditions. For example, an example step that is described as “based on condition A” may be based on both a condition A and a condition B without departing from the scope of the present disclosure. In other words, as used herein, the phrase “based on” shall be construed in the same manner as the phrase “based at least in part on.” Further, as used herein, including in the claims, a “set” may include one or more elements.
[0004] Some implementations of the method and apparatuses described herein may receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information, transmit the network access restriction information to the UE, and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
[0005] Some implementations of the method and apparatuses described herein may receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information for the UE, configure the network access restriction information for the UE in subscription data associated with the UE, and transmit the network access restriction information.
[0006] Some implementations of the method and apparatuses described herein may transmit an indication of a network access restriction enforcement capability of the UE as part of a non-access stratum (NAS) message with a first network, receive network access restriction information for the UE indicating restrictions on second networks that the UE may access, store the network access restriction information, and prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable.
BRIEF DESCRIPTION OF THE DRAWINGS
[0007] Figure 1 illustrates an example of a wireless communications system in accordance with aspects of the present disclosure.
[0008] Figure 2 illustrates an example procedure flow for securely provisioning and enforcing the Universal Terrestrial Radio Access Network (UTRAN) and GSM EDGE Radio Access Network (GERAN) access restriction information during a registration procedure in accordance with aspects of the present disclosure.
[0009] Figure 3 illustrates an example procedure flow for securely provisioning UTRAN and GERAN access restrictions using UE configuration update procedure in accordance with aspects of the present disclosure.
[0010] Figure 4 illustrates an example procedure flow for securely provisioning UTRAN and GERAN access restrictions using UE parameters update procedure in accordance with aspects of the present disclosure.
[0011] Figure 5A illustrates a first part of an example procedure flow for indicating UTRAN and GERAN access restriction information using an anti-bidding down between architectures (ABBA) value for bidding down protection in accordance with aspects of the present disclosure.
[0012] Figure 5B illustrates a second part of an example procedure flow for indicating UTRAN and GERAN access restriction information using an ABBA value for bidding down protection in accordance with aspects of the present disclosure.
[0013] Figure 6 illustrates an example of a UE in accordance with aspects of the present disclosure.
[0014] Figure 7 illustrates an example of a processor in accordance with aspects of the present disclosure.
[0015] Figure 8 illustrates an example of a network equipment (NE) in accordance with aspects of the present disclosure.
[0016] Figure 9 illustrates a flowchart of a method performed by an NE in accordance with aspects of the present disclosure.
[0017] Figure 10 illustrates a flowchart of a method performed by an NE in accordance with aspects of the present disclosure.
[0018] Figure 11 illustrates a flowchart of a method performed by a UE in accordance with aspects of the present disclosure.
DETAILED DESCRIPTION
[0019] In wireless communications, 2G/3G False Base Stations (FBSs) remain a serious security threat to mobile networks. In these networks, critical security features are missing, for example, mutual authentication, integrity protection, strong security algorithms, and/or the like. If a UE connects to a 2G/3G FBS from a 4G or 5G network, then it is vulnerable to a bidding down attack, e.g., a fraudulent SMS or phone call, which could cause significant financial losses for subscribers.
[0020] There are several existing procedures for UEs connected to 4G/5G to establish a connection with a 2G/3G base station. For instance, when the UE is in a CONNECTED state in 4G, it may use an inter-radio access technology (RAT) handover procedure (e.g., as specified in 5.5.2 in TS 23.401, incorporated herein by reference) or a circuit-switched fallback (CSFB) procedure, which includes redirection from 4G to 2G/3G (e.g., as specified in TS 23.272, incorporated herein by reference), to connect to a 2G/3G base station. When the UE is in an IDLE state in 4G, it may use a routing area update (RAU) procedure (e.g., as specified in 5.3.3.3 or 5.3.3.6 in TS 23.401, incorporated herein by reference) or cell selection once 4G signalling is not available to connect to a 2G/3G base station.
[0021] In another example, when the UE is in a CONNECTED state in 5G, it may use a Single Radio Voice Call Continuity (SRVCC) procedure (as in TS 23.216, incorporated herein by reference) to connect to a 3G base station. When the UE is in an IDLE or INACTIVE state in 5G, it may use cell selection once 4G and 5G signaling is not available to connect to a 2G/3G base station.
[0022] It is worth noting that, as mobile network systems continuously evolve and improve, operators periodically shift focus and investment to the newest generation network and decommission older generation networks, which is happening with 2G and 3G networks. In these circumstances, it is no longer appropriate to allow a UE supporting 2G or 3G networks to continue selecting such networks. In fact, due to weaker security measures in these older generation networks, if UEs are deceived into selecting such networks, then they will be vulnerable to many known attacks pertaining to 2G and 3G, e.g., see 3GPP SP-231789, incorporated herein by reference.
[0023] One existing solution for preventing bidding down attacks is directed to mobility restrictions, e.g., as described in TS 23.501 (incorporated herein by reference), which may include RAT restrictions, Forbidden Areas, Service Area Restrictions, Core Network type restrictions and Closed Access Group information. However, a limitation of this solution is that the access restriction is limited to preventing New Radio (NR) or Evolved UTRAN (E-UTRAN) access; it does not consider 2G and 3G access and, therefore, no access restrictions to UTRAN and/or GERAN are supported.
[0024] Another existing solution is directed to a security solution for SRVCC from 5G to 3G, as described in TS 33.501 (incorporated herein by reference). However, when the UE is handed over from 5G to 3G in the SRVCC scenario, further bidding down to 2G is not prevented. Further, even if the mobile network operator has decommissioned the 3G and 2G network, the gNB may initiate SRVCC related handover from 5G to 3G for voice continuity, thereby leading to a bidding down attack. Moreover, if the mobile network operator has decommissioned the 3G/2G network, and if 5G signaling is not available (e.g., 5G signals blocked by an attacker), 2G/3G cell selection may occur, which causes the UE to connect to a 2G/3G network, resulting in a successful bidding down attack.
[0025] Solutions to the foregoing problems and limitations of existing solutions are described below with reference to the figures. Aspects of the present disclosure are described in the context of a wireless communications system.
[0026] Figure 1 illustrates an example of a wireless communications system 100 in accordance with aspects of the present disclosure. The wireless communications system 100 may include one or more NE 102, one or more UE 104, and a core network (CN) 106. The wireless communications system 100 may support various radio access technologies. In some implementations, the wireless communications system 100 may be a 4G network, such as an LTE network or an LTE-Advanced (LTE-A) network. In some other implementations, the wireless communications system 100 may be a NR network, such as a 5G network, a 5G-Advanced (5G-A) network, or a 5G ultrawideband (5G-UWB) network. In other implementations, the wireless communications system 100 may be a combination of a 4G network and a 5G network, or other suitable radio access technology including Institute of Electrical and Electronics Engineers (IEEE) 802.11 (WiFi), IEEE 802.16 (WiMAX), IEEE 802.20. The wireless communications system 100 may support radio access technologies beyond 5G, for example, 6G. Additionally, the wireless communications system 100 may support technologies, such as time division multiple access (TDMA), frequency division multiple access (FDMA), or code division multiple access (CDMA), etc.
[0027] The one or more NE 102 may be dispersed throughout a geographic region to form the wireless communications system 100. One or more of the NE 102 described herein may be or include or may be referred to as a network node, a base station, a network element, a network function, a network entity, a radio access network (RAN), a NodeB, an eNodeB (eNB), a next-generation NodeB (gNB), or other suitable terminology. An NE 102 and a UE 104 may communicate via a communication link, which may be a wireless or wired connection. For example, an NE 102 and a UE 104 may perform wireless communication (e.g., receive signaling, transmit signaling) over a Uu interface.
[0028] An NE 102 may provide a geographic coverage area for which the NE 102 may support services for one or more UEs 104 within the geographic coverage area. For example, an NE 102 and a UE 104 may support wireless communication of signals related to services (e.g., voice, video, packet data, messaging, broadcast, etc.) according to one or multiple radio access technologies. In some implementations, an NE 102 may be moveable, for example, a satellite associated with a non-terrestrial network (NTN). In some implementations, different geographic coverage areas 112 associated with the same or different radio access technologies may overlap, but the different geographic coverage areas may be associated with different NE 102.
[0029] The one or more UE 104 may be dispersed throughout a geographic region of the wireless communications system 100. A UE 104 may include or may be referred to as a remote unit, a mobile device, a wireless device, a remote device, a subscriber device, a transmitter device, a receiver device, or some other suitable terminology. In some implementations, the UE 104 may be referred to as a unit, a station, a terminal, or a client, among other examples. Additionally, or alternatively, the UE 104 may be referred to as an Internet-of-Things (IoT) device, an Internet-of-Everything (IoE) device, or a machine-type communication (MTC) device, among other examples.
[0030] A UE 104 may be able to support wireless communication directly with other UEs 104 over a communication link. For example, a UE 104 may support wireless communication directly with another UE 104 over a device-to-device (D2D) communication link. In some implementations, such as vehicle-to-vehicle (V2V) deployments, vehicle-to-everything (V2X) deployments, or cellular-V2X deployments, the communication link 114 may be referred to as a sidelink. For example, a UE 104 may support wireless communication directly with another UE 104 over a PC5 interface.
[0031] An NE 102 may support communications with the CN 106, or with another NE 102, or both. For example, an NE 102 may interface with other NE 102 or the CN 106 through one or more backhaul links (e.g., S1, N2, N2, or network interface). In some implementations, the NE 102 may communicate with each other directly. In some other implementations, the NE 102 may communicate with each other indirectly (e.g., via the CN 106). In some implementations, one or more NE 102 may include subcomponents, such as an access network entity, which may be an example of an access node controller (ANC). An ANC may communicate with the one or more UEs 104 through one or more other access network transmission entities, which may be referred to as radio heads, smart radio heads, or TRPs.
[0032] The CN 106 may support user authentication, access authorization, tracking, connectivity, and other access, routing, or mobility functions. The CN 106 may be an evolved packet core (EPC), or a 5G core (5GC), which may include a control plane entity that manages access and mobility (e.g., a mobility management entity (MME), an access and mobility management function (AMF)) and a user plane entity that routes packets or interconnects to external networks (e.g., a serving gateway (S-GW), a Packet Data Network (PDN) gateway (P-GW), or a user plane function (UPF)). In some implementations, the control plane entity may manage non-access stratum (NAS) functions, such as mobility, authentication, and bearer management (e.g., data bearers, signal bearers, etc.) for the one or more UEs 104 served by the one or more NE 102 associated with the CN 106.
[0033] The CN 106 may communicate with a packet data network over one or more backhaul links (e.g., via an S1, N2, N2, or another network interface). The packet data network may include an application server. In some implementations, one or more UEs 104 may communicate with the application server. A UE 104 may establish a session (e.g., a protocol data unit (PDU) session, or the like) with the CN 106 via an NE 102. The CN 106 may route traffic (e.g., control information, data, and the like) between the UE 104 and the application server using the established session (e.g., the established PDU session). The PDU session may be an example of a logical connection between the UE 104 and the CN 106 (e.g., one or more network functions of the CN 106).
[0034] In the wireless communications system 100, the NEs 102 and the UEs 104 may use resources of the wireless communications system 100 (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers)) to perform various operations (e.g., wireless communications). In some implementations, the NEs 102 and the UEs 104 may support different resource structures. For example, the NEs 102 and the UEs 104 may support different frame structures. In some implementations, such as in 4G, the NEs 102 and the UEs 104 may support a single frame structure. In some other implementations, such as in 5G and among other suitable radio access technologies, the NEs 102 and the UEs 104 may support various frame structures (i.e., multiple frame structures). The NEs 102 and the UEs 104 may support various frame structures based on one or more numerologies.
[0035] One or more numerologies may be supported in the wireless communications system 100, and a numerology may include a subcarrier spacing and a cyclic prefix. A first numerology (e.g., μ=0) may be associated with a first subcarrier spacing (e.g., 15 kHz) and a normal cyclic prefix. In some implementations, the first numerology (e.g., μ=0) associated with the first subcarrier spacing (e.g., 15 kHz) may utilize one slot per subframe. A second numerology (e.g., μ=1) may be associated with a second subcarrier spacing (e.g., 30 kHz) and a normal cyclic prefix. A third numerology (e.g., μ=2) may be associated with a third subcarrier spacing (e.g., 60 kHz) and a normal cyclic prefix or an extended cyclic prefix. A fourth numerology (e.g., μ=3) may be associated with a fourth subcarrier spacing (e.g., 120 kHz) and a normal cyclic prefix. A fifth numerology (e.g., μ=4) may be associated with a fifth subcarrier spacing (e.g., 240 kHz) and a normal cyclic prefix.
[0036] A time interval of a resource (e.g., a communication resource) may be organized according to frames (also referred to as radio frames). Each frame may have a duration, for example, a 10 millisecond (ms) duration. In some implementations, each frame may include multiple subframes. For example, each frame may include 10 subframes, and each subframe may have a duration, for example, a 1 ms duration. In some implementations, each frame may have the same duration. In some implementations, each subframe of a frame may have the same duration.
[0037] Additionally or alternatively, a time interval of a resource (e.g., a communication resource) may be organized according to slots. For example, a subframe may include a number (e.g., quantity) of slots. The number of slots in each subframe may also depend on the one or more numerologies supported in the wireless communications system 100. For instance, the first, second, third, fourth, and fifth numerologies (i.e., μ=0, μ=1, μ=2, μ=3, μ=4) associated with respective subcarrier spacings of 15 kHz, 30 kHz, 60 kHz, 120 kHz, and 240 kHz may utilize a single slot per subframe, two slots per subframe, four slots per subframe, eight slots per subframe, and 16 slots per subframe, respectively. Each slot may include a number (e.g., quantity) of symbols (e.g., OFDM symbols). In some implementations, the number (e.g., quantity) of slots for a subframe may depend on a numerology. For a normal cyclic prefix, a slot may include 14 symbols. For an extended cyclic prefix (e.g., applicable for 60 kHz subcarrier spacing), a slot may include 12 symbols. The relationship between the number of symbols per slot, the number of slots per subframe, and the number of slots per frame for a normal cyclic prefix and an extended cyclic prefix may depend on a numerology. It should be understood that reference to a first numerology (e.g., μ=0) associated with a first subcarrier spacing (e.g., 15 kHz) may be used interchangeably between subframes and slots.
[0038] In the wireless communications system 100, an electromagnetic (EM) spectrum may be split, based on frequency or wavelength, into various classes, frequency bands, frequency channels, etc. By way of example, the wireless communications system 100 may support one or multiple operating frequency bands, such as frequency range designations FR1 (410 MHz - 7.125 GHz), FR2 (24.25 GHz - 52.6 GHz), FR3 (7.125 GHz - 24.25 GHz), FR4 (52.6 GHz - 114.25 GHz), FR4a or FR4-1 (52.6 GHz - 71 GHz), and FR5 (114.25 GHz - 300 GHz). In some implementations, the NEs 102 and the UEs 104 may perform wireless communications over one or more of the operating frequency bands. In some implementations, FR1 may be used by the NEs 102 and the UEs 104, among other equipment or devices for cellular communications traffic (e.g., control information, data). In some implementations, FR2 may be used by the NEs 102 and the UEs 104, among other equipment or devices for short-range, high data rate capabilities.
[0039] FR1 may be associated with one or multiple numerologies (e.g., at least three numerologies). For example, FR1 may be associated with a first numerology (e.g., μ=0), which includes 15 kHz subcarrier spacing; a second numerology (e.g., μ=1), which includes 30 kHz subcarrier spacing; and a third numerology (e.g., μ=2), which includes 60 kHz subcarrier spacing. FR2 may be associated with one or multiple numerologies (e.g., at least 2 numerologies). For example, FR2 may be associated with a third numerology (e.g., μ=2), which includes 60 kHz subcarrier spacing; and a fourth numerology (e.g., μ=3), which includes 120 kHz subcarrier spacing.
[0040] The solutions discussed herein relate to techniques for preventing bidding down attacks. In general, the subject matter disclosed herein describes features for provisioning UTRAN (3G) and GERAN (2G) access restrictions to network entities such as the AMF, the gNB, and the UE to avoid handovers as well as cell selections related to 2G or 3G access, such as GERAN and UTRAN, to prevent bidding down attacks. Further, the embodiments below describe various techniques to secure the UTRAN (3G) and GERAN (2G) access restriction information provisioning to the UE using NAS security, AS security, and UPU security.
[0041] A first embodiment is directed to securely provisioning the UTRAN and GERAN access restriction information to prevent 2G/3G cell selection or UTRAN/GERAN handover using NAS/AS security. In such an embodiment, a mobile network operator may have decommissioned 2G/3G networks, and it may not be desirable to allow UE connections in 5G to fallback/handover to a 2G/3G network connection.
[0042] This embodiment describes how the UTRAN and/or GERAN access restriction information can be provided to the AMF (if not configured locally) and to the RAN (e.g., gNB/NR) to avoid inter-RAT handovers to UTRAN/GERAN. Further, this embodiment describes provisioning a UE with UTRAN and/or GERAN access restriction information to avoid UTRAN/GERAN selection (e.g., 2G/3G cell selection when the 5G signal is unavailable). In one embodiment, the UTRAN and GERAN access restriction information can be sent to the UE in a NAS message after the establishment of NAS security or can be sent in a radio resource control (RRC) message after the establishment of AS security.
[0043] Figure 2 illustrates an example procedure flow for securely provisioning and enforcing the UTRAN and GERAN access restriction information during a registration procedure in accordance with aspects of the present disclosure. It is noted that in this embodiment, GERAN and UTRAN access restriction information can be provided to the UE in a NAS message (e.g., a registration accept message, a NAS transport, or the like). Alternatively, the GERAN and UTRAN access restriction information can be indicated as part of network access restriction information, where the network access restriction information may contain various restriction information such as UTRAN not allowed, GERAN not allowed, 2G not allowed, 3G not allowed, and/or the like. Moreover, in another implementation, existing RAT access restrictions can include UTRAN not allowed/UTRAN, GERAN not allowed/GERAN, and in such case, enhanced RAT restrictions containing information on UTRAN and GERAN restrictions can be sent to the UE, RAN, and AMF to apply the 2G and 3G related RAT restrictions.
[0044] In one embodiment, at 1 (see messaging 202), the UE 201 sends an initial NAS message that includes an indication of the UE’s capabilities to support GERAN access restrictions and UTRAN access restrictions. In one embodiment, the UE 201 sends an initial NAS message that includes support of network access restriction enforcement capability. In such an embodiment, the network access restriction enforcement capability(ies) information element (IE) contains information to indicate support of GERAN access restrictions and UTRAN access restrictions. In one embodiment, the initial NAS message in 1 may be an initial registration request message, a mobility registration update request message, a service request message, and/or the like.
[0045] At 2 (see messaging 204), in one embodiment, the network may initiate a primary authentication with the UE 201 to perform mutual authentication (e.g., using EAP-AKA', 5G AKA, or an EAP method).
[0046] At 3a (see messaging 206), in one embodiment, the AMF 205 may fetch subscription data from the UDM 209 by sending an Nudm SubscriberDataManagement (SDM) get request with a subscription permanent identifier (SUPI) and network access restriction enforcement capability (if received in 1) for the UE 201.
[0047] At 3b (see block 208), in one embodiment, based on an operator’s local policy (or if the 2G/3G networks are decommissioned), the UDM/UDR 209 manages GERAN and UTRAN access restrictions as part of the network access restriction requirements for the UE 201 in the subscription data (e.g., as part of UE access and mobility context). In one implementation, the UDM/UDR 209 manages GERAN and UTRAN access restrictions as part of mobility or RAT restriction information for the UE 201 in the subscription data (e.g., as part of UE access and mobility context).
[0048] At 4 (see messaging 210), in one embodiment, the UDM 209 sends a Nudm SDM Get response message, which includes the network access restriction information (UTRAN access restricted, GERAN access restricted) along with other subscription data, as needed.
[0049] At 5 (see block 212), in one embodiment, if the AMF 205 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the UDM 209, the AMF 205 stores the network access restriction information as part of the UE context along with the SUPI. Further, in one implementation, based on the received network access restriction information from the UDM 209 and the network access restriction enforcement capability received from UE 201 in 1, the AMF 205 performs one or more access restriction actions, such as not initiating inter-RAT handover to UTRAN/GERAN, not initiating/forwarding relocation requests related to SRVCC-specific handover from 5G to 3G or 2G, provisioning the network access restriction information (UTRAN access restricted, GERAN access restricted) to RAN 203 and UE 201 to enforce the UTRAN and GERAN access restrictions for the UE 201 at the RAN 203 and UE 201 side, and/or the like.
[0050] At 6 (see messaging 214), in one embodiment, the AMF 205 sends a NAS security mode command message to establish NAS security. In such an implementation, the AMF 205 may, for example, replay the network access restriction enforcement capability(ies), if received in 1. In one implementation, the AMF 205 may send the network access restriction information (UTRAN access restricted, GERAN access restricted) to the UE 201 in 6.
[0051] At 7 (see messaging 216), in one embodiment, the UE 201 sends a NAS security mode complete message, which may include the complete initial NAS message along with the network access restriction enforcement capability, if sent in 1 (for initial NAS message protection if it is not protected in 1).
[0052] At 8 (see messaging 218), in one embodiment, the AMF 205 sends to the RAN 203 the network access restriction information (UTRAN access restricted, GERAN access restricted) in an N2 message (e.g., initial context set up message).
[0053] At 9 (see block 220), in one embodiment, if the RAN 203 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the AMF 205, the RAN 203 stores the network access restriction information as part of the UE context. Further, based on the received network access restriction information, the RAN 203 performs one or more access restriction actions such as not initiating inter-RAT handover to UTRAN/GERAN, not initiating SRVCC from 5G to 3G or 2G, provisioning the network access restriction information (UTRAN access restricted, GERAN access restricted) to the UE 201, and/or the like.
[0054] At 10 (see messaging 222), in one embodiment, the RAN 203 establishes AS security with the UE 201 (based on an AS security mode command procedure).
[0055] At 11a (see messaging 224), in one embodiment, the RAN 203 sends an RRC message to the UE 201 that includes the network access restriction information (UTRAN access restricted, GERAN access restricted) received in 8. In one implementation, the RAN 203 provides network access restriction information to the UE 201 in 11a if network access restriction information is not provided to the UE 201 by the AMF 205 in 7 or 11b.
[0056] At 11b (see messaging 226), in one embodiment, after successful NAS security establishment, the AMF 205 sends network access restriction information (UTRAN access restricted, GERAN access restricted) to the UE 201 in a NAS message (such as a registration accept message or another message over the NAS transport).
[0057] At 12 (see block 228), in one embodiment, the UE 201 stores the network access restriction information (UTRAN access restricted, GERAN access restricted), does not select UTRAN access (3G) or GERAN access (2G) even if the 5G signal or 4G signal is not available, and waits until the 5G/4G signal is available to prevent a bidding down attack.
[0058] It is noted that in Figure 2, the network access restriction information (UTRAN access restricted, GERAN access restricted) can be sent to AMF 205, RAN 203, and the UE 201 as individual IEs instead of sending them as part of network access restriction information in 4, 5, 6, 8, 9, 11a, and 11b.
[0059] It is noted that in Figure 2, the network access restriction information (UTRAN access restricted, GERAN access restricted) from one AMF 205, can be sent to another AMF (e.g., during a UE mobility or handover within 5G system) along with the UE context (as part of mobility restrictions information or as individual information elements) using a Namf Communication UEContextTransfer service operation (Request/Response) message.
[0060] A second embodiment is directed to securely provisioning the UTRAN and GERAN access restriction information to prevent 2G/3G cell selection or UTRAN/GERAN handover using a UE configuration update procedure. In this embodiment, UTRAN and GERAN access restriction information can be provided to the UE using the UE configuration update procedure as shown in Figure 3.
[0061] Figure 3 illustrates an example procedure flow for securely provisioning UTRAN and GERAN access restrictions using the UE configuration update procedure in accordance with aspects of the present disclosure. In one embodiment, this procedure is initiated by the AMF 305 when the AMF 305 wants to update access and mobility management related parameters (including network access restriction information such as UTRAN and GERAN access restriction information) in the UE configuration. The UE Configuration Update can be sent over the Access Type (e.g., 3GPP access or non-3GPP access) and applied, when applicable.
[0062] At A (a precondition, see messaging 302), the UE 301 sends an initial NAS message that includes an indication of the UE’s capabilities to support GERAN access restrictions and UTRAN access restrictions. In one implementation, the UE 301 sends an initial NAS message that includes support of network access restriction enforcement capability in an information element (IE). In one embodiment, the network access restriction enforcement capability(ies) IE contains information to indicate support of GERAN access restrictions and UTRAN access restrictions. It is noted that the initial NAS message in A may be an initial registration request message, a mobility registration update request message, a service request message, and/or the like.
[0063] At B (a precondition, see block 304), the AMF 305 determines the necessity of a UE configuration update due to various reasons, such as: a UE mobility change; a NW policy; reception of a Subscriber Data Update Notification from the UDM 309; a change of Network Slice configuration (including due to the operator's local policy on decommissioned 2G/3G networks and related UE access restrictions to 2G/3G networks, e.g., access restrictions to UTRAN and/or GERAN; due to a change of the network slice simultaneous usage group (NSSRG) information in subscription information, e.g., as specified in clause 5.15.12 of TS 23.501 (incorporated herein by reference); or due to a change of network slice AS group (NSAG) information, e.g., as specified in clause 5.15.14 of TS 23.501); removal of single network slice selection assistance information (S-NSSAI) from the allowed NSSAI due to expiry of the slice deregistration inactivity timer; providing the UE 301 with an updated Slice Usage Policy, e.g., as specified in clause 5.15.15 of TS 23.501; a need to assign a public land mobile network (PLMN)-assigned UE Radio Capability ID; a change of Enhanced Coverage Restriction information in the UE context; informing of mobile base station relay (MBSR) (integrated access and backhaul (IAB)-UE) authorization state changes, e.g., as specified in clause 5.35A.4 of TS 23.501, based on operator configuration; a change related to discontinuous coverage (e.g., an out-of-coverage period change); a need to notify the UE 301 to reconnect to the network due to an NG-RAN timing synchronization status change, e.g., as specified in clause 4.15.9.4; or that the UE 301 needs to perform a Registration Procedure. If the UE 301 is in connection management (CM)-IDLE, the AMF 305 can wait until the UE 301 is in CM-CONNECTED state or trigger a Network Triggered Service Request (e.g., as in clause 4.2.3.3).
[0064] In one embodiment, the AMF 305 may include a Mobility Restriction List (by including network access restriction information such as UTRAN and GERAN access restriction information) in an N2 message that delivers a UE Configuration Update Command to the UE 301 if the service area restriction for the UE 301 is updated.
[0065] At 1a (see messaging 306), in one embodiment, if the AMF 305 receives network access restriction enforcement capability information from the UE 301 as described in A, then the AMF 305 sends a UE Configuration Update Command containing network access restriction information such as UTRAN and GERAN access restriction information along with one or more other UE parameters such as a Configuration Update Indication, a 5G-GUTI (globally unique temporary identifier), a tracking area identity (TAI) List, an allowed NSSAI, a mapping of allowed NSSAIs, and/or the like. In one embodiment, the AMF 305 may include in the UE Configuration Update Command Configuration Update Indication parameters indicating whether the UE acknowledges the command.
[0066] At 1b (see block 308), in one embodiment, the UE 301 stores the network access restriction information (UTRAN access restricted, GERAN access restricted) received in 1a and determines not to select UTRAN access (3G) or GERAN access (2G), even if the 5G signal or 4G signal is not available, and waits until the 5G/4G signal is available to prevent a bidding down attack.
[0067] At 2a (see messaging 310), in one embodiment, if the UE Configuration Update Indication or network access restriction information indicating UTRAN and GERAN access restrictions requires acknowledgement of the UE Configuration Update Command, then the UE 301 sends a UE Configuration Update complete message to the AMF 305.
[0068] At 2b (see messaging 312), in one embodiment, the AMF 305 uses the Nudm SDM Info service operation to provide an acknowledgment to the UDM 309 that the UE 301 received network access restriction information indicating UTRAN and GERAN access restrictions as part of the Mobility Restrictions, if the network access restriction information was provided or updated, and acted upon it.
[0069] At 2c (see messaging 314), in one embodiment, if the AMF 305 has configured the UE 301 with a PLMN-assigned UE Radio Capability ID and/or network access restriction information indicating UTRAN and GERAN access restrictions, the AMF 305 informs NG-RAN 303 of the UE Radio Capability ID and/or network access restriction information indicating UTRAN and GERAN access restrictions, when it receives an acknowledgement from the UE 301 in 2a.
[0070] At 2d (see block 316), in one embodiment, if the UE 301 is configured with a new 5G-GUTI in 2a via non-3GPP access and the UE 301 is registered to the same PLMN via both 3GPP and non-3GPP access, then the UE 301 passes the new 5G-GUTI to its 3GPP access' lower layers.
[0071] At 2e (see block 318), in one embodiment, if the RAN 303 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the AMF 305, it is stored in the RAN 303 as part of the UE context along with the 5G-GUTI. Further, in one implementation, based on the received network access restriction information, the RAN 303 does not initiate any inter-RAT handover to UTRAN/GERAN and/or does not initiate SRVCC from 5G to 3G or 2G.
[0072] A third embodiment is directed to securely provisioning the UTRAN and GERAN access restriction information to prevent 2G/3G cell selection or UTRAN/GERAN handover using UE parameters update (UPU) security. Figure 4 illustrates an example procedure flow for securely provisioning UTRAN and GERAN access restrictions using the UE parameters update procedure in accordance with aspects of the present disclosure.
[0073] At 0 (precondition, see messaging 402 and 404), in one embodiment, if the UE supports network access restriction enforcement, it sends a message to the AMF 403, e.g., in a NAS/N1 message, that indicates support of network access restriction enforcement capability. In one embodiment, the message includes an IE that includes the network access restriction enforcement capability(ies) information to indicate support of GERAN and UTRAN access restrictions. The AMF 403, in one embodiment, can send/forward the received indication about the UE's support of network access restriction enforcement capability to the UDM 407 in a Nudm service operation message or in a Namf service operation message.
[0074] At 1 (see block 406), in one embodiment, the UDM 407 performs a UE Parameters Update (UPU) using a control plane procedure while the UE is registered to the 5G system. If the final consumer of the UE parameters to be updated (e.g., the updated Routing ID Data) is the universal subscriber identity module (USIM), the UDM protects these parameters using a secured packet mechanism (e.g., as described in 3GPP TS 31.115 (incorporated herein by reference)) to update the parameters stored on the USIM. The UDM 407 then prepares the UE Parameters Update Data (UPU Data) by including the parameters protected by the secured packet, if any, as well as any UE parameters for which the final consumer is the UE 401 (e.g., as described in TS 24.501 (incorporated herein by reference)). If the UDM 407 receives the network access restriction enforcement capability information from the UE 401 via the AMF 403 (e.g., as received earlier, for example, during an authentication/registration procedure/subscription data management for a UE 401), and if the UDM/UDR 407 contains network access restriction information indicating UTRAN and GERAN access restrictions for the UE 401 (e.g., as part of the subscription data or UE access and mobility context), based on the Operator's local policy, then the UDM 407 provides network access restriction information to the UE 401 (e.g., as part of the UPU data).
[0075] At 2 (see messaging 408), in one embodiment, the UDM 407 invokes a Nausf UPUProtection service operation message, including the UPU Data (e.g., network access restriction information), to the AUSF 405 to get UPU-MAC-IAUSF and CounterUPU. The UDM 407 may select the AUSF 405 that holds the latest KAUSF of the UE 401. In one embodiment, if the UDM 407 decides that the UE 401 is to acknowledge the successful security check of the received UE Parameters Update Data, then the UDM 407 includes the ACK Indication in the Nausf UPUProtection service operation message to signal that it also needs the expected UPU-XMAC-IUE.
[0076] In one embodiment, the inclusion of the UE Parameters Update Data in the calculation of UPU-MAC-IAUSF allows the UE 401 to verify that it has not been tampered with by any intermediary. The expected UPU-XMAC-IUE allows the UDM 407 to verify that the UE 401 received the UE Parameters Update Data (along with network access restriction information) correctly.
[0077] At 3 (see messaging 410), in one embodiment, the AUSF 405 calculates the UPU-MAC-IAUSF as described below using the UE 401 specific home key (KAUSF) along with the UE Parameters Update Data (containing network access restriction information) received from the requester NF, e.g., the UDM 407, and delivers the UPU-MAC-IAUSF and CounterUPU to the requester NF. If the ACK Indication input is present, then the AUSF 405 also computes the UPU-XMAC-IUE as shown below and returns the computed UPU-XMAC-IUE in the response.
[0078] For the UPU-MAC-IAUSF generation function, when deriving a UPU-MAC-IAUSF from KAUSF, the following parameters are used by the AUSF 405 to form the input S to the key derivation function (KDF): FC = 0x7B; P0 = UE Parameters Update Data, which includes network access restriction information, e.g., the UE parameters update list as given in clause 9.11.3.53A of TS 24.501 (starting from octet 23) (incorporated herein by reference); L0 = length of UE Parameters Update Data; P1 = CounterUPU; L1 = length of CounterUPU.
[0079] In one embodiment, the input key Key can be KAUSF and the UPU-MAC-IAUSF is identified with the 128 least significant bits of the output of the KDF.
[0080] In one embodiment, for the UPU-MAC-IUE/UPU-XMAC-IUE generation function, when deriving a UPU-MAC-IUE/UPU-XMAC-IUE from KAUSF, the following parameters are used by the AUSF 405 to form the input S to the KDF: FC = 0x7C; P0 = 0x01 (UPU Acknowledgement: Verified the UE Parameters Update Data successfully); L0 = length of UPU Acknowledgement (i.e., 0x00 0x01); P1 = CounterUPU; L1 = length of CounterUPU.
[0081] In one embodiment, the input key Key can be KAUSF and the UPU-MAC-IUE/UPU-XMAC-IUE is identified with the 128 least significant bits of the output of the KDF.
[0082] At 4 (see messaging 412), in one embodiment, the UDM 407 invokes the Nudm SDM Notification service operation, which includes the UPU transparent container if the AMF 403 supports the UPU transparent container, or otherwise includes individual IEs comprising the UE Parameters Update Data (e.g., network access restriction information), UPU-MAC-IAUSF, and CounterUPU within the Access and Mobility Subscription data. If the UDM 407 requests an acknowledgement, it temporarily stores the expected UPU-XMAC-IUE.
[0083] At 5 (see messaging 414), in one embodiment, upon receiving the Nudm SDM Notification message, the AMF 403 sends a DL NAS Transport message to the served UE 401 along with network access restriction information as part of the UPU Data. The AMF 403 includes in the DL NAS Transport message the transparent container, if received from the UDM 407 in 4. Otherwise, if the UDM 407 provided individual IEs in 4, then the AMF 403 constructs a UPU transparent container.
[0084] In one embodiment, if the AMF 403 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the UDM 407, it is stored at the AMF 403 as part of the UE context along with the SUPI. Further, based on the received network access restriction information from the UDM 407 and the network access restriction enforcement capability received from UE 401 (in 1), the AMF 403 performs one or more actions such as not initiating any inter-RAT handover to UTRAN/GERAN, not initiating or forwarding relocation requests related to SRVCC-specific handover from 5G to 3G or 2G (even if it is initiated by the RAN), and provisioning the network access restriction information (UTRAN access restricted, GERAN access restricted) to the RAN in an N2 message to enforce the UTRAN and GERAN access restrictions for the UE 401 at the RAN side.
[0085] At 6 (see block 416), in one embodiment, upon receiving the DL NAS Transport message, the UE 401 calculates the UPU-MAC-IAUSF in the same way as the AUSF 405 (as shown in 2 and 3) on the received UE Parameters Update Data (containing network access restriction information) and the CounterUPU, and verifies whether it matches the UPU-MAC-IAUSF value received within the UPU transparent container in the DL NAS Transport message. If the verification of UPU-MAC-IAUSF is successful and the UPU Data contains parameters that are protected by a secured packet (see, e.g., 3GPP TS 31.115 (incorporated herein by reference)), the UE 401 forwards the secured packet to the USIM, e.g., using procedures in 3GPP TS 31.111 (incorporated herein by reference). If the verification of UPU-MAC-IAUSF is successful and the UPU Data contains parameters (e.g., network access restriction information) that are not protected by a secured packet, the UE 401 can update its stored parameters with the received parameters in the UE Parameters Update Data.
[0086] At 7a (see messaging 418), in one embodiment, if the UDM 407 has requested an acknowledgement from the UE 401 and (i) the UE 401 has successfully verified and updated the UE Parameters Update Data provided by the UDM 407, then the UE 401 can send the UL NAS Transport message to the serving AMF 403. The UE 401 then generates the UPU-MAC-IUE (as specified in 2 and 3, in the same way as the AUSF 405) and includes the generated UPU-MAC-IUE in a transparent container in the UL NAS Transport message.
[0087] At 7b (see block 422), in one embodiment, the UE 401 stores the network access restriction information (UTRAN access restricted, GERAN access restricted) and does not select UTRAN access (3G) or GERAN access (2G) even if the 5G signal or 4G signal is not available; instead, the UE 401 waits until the 5G/4G signal is available, to prevent a bidding down attack.
[0088] At 8 (see messaging 420), in one embodiment, if a transparent container with the UPU-MAC-IUE is received in the UL NAS Transport message, the AMF 403 sends a Nudm SDM Info request message with the transparent container to the UDM 407.
[0089] At 9 (see block 424), in one embodiment, if the UDM 407 indicates that the UE 401 is to acknowledge the successful security check of the received UE Parameters Update Data, then the UDM 407 compares the received UPU-MAC-IUE with the expected UPU-XMAC-IUE that the UDM 407 stored temporarily in 4.
[0090] In one embodiment, if the UDM 407 supports home triggered authentication, the UDM 407, based on its local policy, may trigger a primary authentication to refresh the UPU counter based on the value of the counter received in 3.
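The UPU leg of this procedure (steps 2 through 9), written as an added Python example that is not code from the patent: the AUSF protects the UPU Data with its KAUSF and the CounterUPU, the UE verifies UPU-MAC-IAUSF before storing the restriction flags, acknowledges with UPU-MAC-IUE, and afterwards refuses to select a restricted 2G/3G RAT even when it is the only coverage. It assumes HMAC-SHA256 in place of the 3GPP KDF, a constructed one-byte encoding of the restriction flags, and a strictly increasing counter check on the UE (the standard UPU counter semantics, not stated on this page).

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed one-byte encoding of the network access restriction information
# carried in the UPU Data (the real IE layout is not given on this page).
UTRAN_ACCESS_RESTRICTED = 0x01
GERAN_ACCESS_RESTRICTED = 0x02


def encode_restrictions(utran_restricted: bool, geran_restricted: bool) -> bytes:
    flags = (UTRAN_ACCESS_RESTRICTED if utran_restricted else 0) | (
        GERAN_ACCESS_RESTRICTED if geran_restricted else 0)
    return bytes([flags])


def upu_mac_i_ausf(k_ausf: bytes, upu_data: bytes, counter_upu: int) -> bytes:
    """Steps 2-3 / 6: integrity tag over UPU Data || CounterUPU under KAUSF.
    Simplification: HMAC-SHA256 truncated to 128 bits stands in for the 3GPP KDF."""
    return hmac.new(k_ausf, upu_data + counter_upu.to_bytes(2, "big"),
                    hashlib.sha256).digest()[:16]


def upu_mac_i_ue(k_ausf: bytes, mac_i_ausf: bytes) -> bytes:
    """Steps 7a / 9: UE acknowledgement tag bound to the accepted UPU-MAC-IAUSF
    (same simplification as above)."""
    return hmac.new(k_ausf, b"UPU-ACK" + mac_i_ausf, hashlib.sha256).digest()[:16]


@dataclass(frozen=True)
class UpuTransparentContainer:
    upu_data: bytes        # UE Parameters Update Data incl. restriction flags
    counter_upu: int
    mac_i_ausf: bytes
    ack_requested: bool


class Ausf:
    """Home-network side: protects the UPU Data (steps 2-3), keeps the expected
    UPU-XMAC-IUE (step 4) and checks the acknowledgement (step 9)."""

    def __init__(self, k_ausf: bytes):
        self.k_ausf = k_ausf
        self.counter_upu = 0
        self.expected_ack = None

    def protect(self, upu_data: bytes, ack_requested: bool = True) -> UpuTransparentContainer:
        self.counter_upu += 1  # fresh counter value for every UPU procedure
        mac = upu_mac_i_ausf(self.k_ausf, upu_data, self.counter_upu)
        self.expected_ack = upu_mac_i_ue(self.k_ausf, mac) if ack_requested else None
        return UpuTransparentContainer(upu_data, self.counter_upu, mac, ack_requested)

    def verify_ack(self, mac_i_ue: bytes) -> bool:
        return self.expected_ack is not None and hmac.compare_digest(self.expected_ack, mac_i_ue)


class Ue:
    """UE side: verifies the container (step 6), stores the restrictions and
    refuses to fall back to restricted 2G/3G access (step 7b)."""

    def __init__(self, k_ausf: bytes):
        self.k_ausf = k_ausf
        self.last_counter_upu = 0
        self.utran_restricted = False
        self.geran_restricted = False

    def handle_dl_nas_transport(self, c: UpuTransparentContainer):
        """Returns the UPU-MAC-IUE for the UL NAS Transport message, b"" when no
        acknowledgement was requested, or None when the container is rejected."""
        # Assumed replay check: re-delivering an older, less restrictive UPU Data
        # must not succeed, so only a strictly increasing counter is accepted.
        if c.counter_upu <= self.last_counter_upu:
            return None
        expected = upu_mac_i_ausf(self.k_ausf, c.upu_data, c.counter_upu)
        if not hmac.compare_digest(expected, c.mac_i_ausf):
            return None  # UPU-MAC-IAUSF mismatch: parameters are not applied
        self.last_counter_upu = c.counter_upu
        flags = c.upu_data[0]
        self.utran_restricted = bool(flags & UTRAN_ACCESS_RESTRICTED)
        self.geran_restricted = bool(flags & GERAN_ACCESS_RESTRICTED)
        return upu_mac_i_ue(self.k_ausf, c.mac_i_ausf) if c.ack_requested else b""

    def select_rat(self, available):
        """Step 7b: prefer 5G/4G and never pick a restricted 2G/3G RAT, even when it
        is the only coverage. None means 'wait for 5G/4G' rather than bid down."""
        for rat in ("NR", "E-UTRA"):
            if rat in available:
                return rat
        if "UTRAN" in available and not self.utran_restricted:
            return "UTRAN"
        if "GERAN" in available and not self.geran_restricted:
            return "GERAN"
        return None
```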
[0091] Figures 5A and 5B illustrate an example procedure flow for indicating UTRAN and GERAN access restriction information using an ABBA value for bidding down protection in accordance with aspects of the present disclosure. In such an embodiment, the network access restrictions such as UTRAN and GERAN access restrictions are enforced using a new ABBA value during the primary authentication (e.g., during registration or a service access).
[0092] In one embodiment, the new ABBA parameter value may be defined and set by the SEAF 505 to indicate any one or more of the following: ‘UTRAN and GERAN Access Restricted’, ‘UTRAN Access Restricted’, ‘GERAN Access Restricted’, ‘Only 5G access allowed’, ‘Only 5G access’, and ‘EPS access allowed’. The ABBA value is provided to the UE 501 following a successful authentication to prevent the bidding down attack related to 3G/2G redirections, handovers, mobility, cell selection, and/or the like.
Figures 5A and 5B depict the enhanced primary authentication procedure to send the network access restrictions specific ABBA parameter to the UE 501 and RAN 503.
[0093] At 1a (see messaging 502), in one embodiment, the UE 501 sends an initial NAS message that includes an indication of the UE’s capabilities to support GERAN and UTRAN access restrictions. In one embodiment, the UE sends an initial NAS message that includes an IE that includes information indicating support of network access restriction enforcement capability. In one embodiment, the network access restriction enforcement capability(ies) IE contains information to indicate support of GERAN and UTRAN access restrictions.
[0094] At 1b (see messaging 504), in one embodiment, the SEAF 505 sends a Nausf UEAuthentication Authenticate Request message to the AUSF 507 that contains the Subscription Concealed Identifier (SUCI)/SUPI, serving network (SN)-name, and the UE’s network access restriction enforcement capability (received in 1a).
[0095] At 1c (see messaging 506), in one embodiment, the AUSF 507 sends a Nausf UEAuthentication Authenticate Request to the UDM 509 that contains the SUCI/SUPI, SN-name, and the UE’s network access restriction enforcement capability (received in 1a).
[0096] At 1d (see block 508), in one embodiment, upon reception of the Nudm UE Authentication Get Request, the UDM 509 invokes a Subscriber Identity Deconcealing Function (SIDF) if a SUCI is received. The SIDF may de-conceal the SUCI to obtain the SUPI before the UDM 509 can process the request.
[0097] At 1e (see block 510), in one embodiment, based on the operator’s local policy (or if the 2G/3G networks are decommissioned), the UDM/UDR 509 manages GERAN and UTRAN access restrictions as part of the network access restriction requirements for the UE(s) 501 in the subscription data (e.g., as part of UE access and mobility context), which can be configured in the UDM 509 based on operator policy.
[0098] In one embodiment, the UDM/UDR 509 manages GERAN and UTRAN access restrictions as part of mobility restrictions or RAT restrictions information for the UE(s) 501 in the subscription data (e.g., as part of UE access and mobility context).
[0099] At 2 (see messaging 512), in one embodiment, the UDM 509 sends a Nudm UE Authentication Get Response to the AUSF 507 with the authentication vector (AV), SUPI, SN-name, and network access restriction information indicating UTRAN and GERAN access restrictions for the UE 501.
[0100] At 3a (see messaging 514), in one embodiment, the AUSF 507 sends the Nausf UEAuthentication Authenticate Response message with the EAP-Request/AKA'-Challenge message/5G SE AV and the network access restriction information indicating UTRAN and GERAN access restrictions to the SEAF 505.
[0101] At 3b (see block 516), in one embodiment, the SEAF 505 forwards the network access restriction information indicating UTRAN and GERAN access restrictions (if received in 3a) to the AMF 505. The SEAF 505 uses the network access restriction information indicating UTRAN and GERAN access restrictions and sets the ABBA values. In one embodiment, the ABBA parameter is a variable length parameter that indicates a value related to the 2G/3G access restrictions or 5G and 4G access limitations as shown in the Table 1 below:
Table 1: New ABBA values related to network access restrictions.
[0102] In one embodiment, the SEAF 505 sets the ABBA parameter to 0x0000. The UE 501 may use the ABBA parameter provided by the SEAF 505 in the calculation of KAMF.
[0103] In one embodiment, if the AMF 505 receives the network access restriction information (UTRAN access restricted, GERAN access restricted) from the UDM 509, it is stored at the AMF 505 as part of the UE context along with the SUPI. Further, based on the network access restriction information received from the UDM 509 and the network access restriction enforcement capability received from the UE 501 (in 1), the AMF 505 performs various actions including not initiating inter-RAT handover to UTRAN/GERAN, not initiating or forwarding relocation requests related to SRVCC specific handover from 5G to 3G or 2G (even if it is initiated by the RAN 503), and provisioning the network access restriction information (UTRAN access restricted, GERAN access restricted) to the RAN 503 in an N2 message to enforce the UTRAN and GERAN access restrictions for the UE 501 at the RAN 503 side.
[0104] At 4 (see messaging 518), in one embodiment, the SEAF 505 transparently forwards the EAP-Request/AKA'-Challenge message (if received) along with the network access restriction information (UTRAN access restricted, GERAN access restricted) to the UE 501 in a NAS Authentication Request message. The UE forwards the random number (RAND) and the authentication token (AUTN) received in the EAP-Request/AKA'-Challenge message to the USIM. This message may include the ngKSI and the ABBA parameter indicating network access restriction information (UTRAN access restricted, GERAN access restricted).
[0105] In one embodiment, the SEAF 505 may include the ngKSI and ABBA parameter indicating network access restriction information (UTRAN access restricted, GERAN access restricted) in all EAP-Authentication request messages. The ngKSI may be used by the UE 501 and AMF 505 to identify the partial native security context that is created if the authentication is successful. The SEAF 505 may set the ABBA parameter based on network access restriction information (UTRAN access restricted, GERAN access restricted). During an EAP authentication, in one embodiment, the value of the ngKSI and the ABBA parameter indicating network access restriction information (UTRAN access restricted, GERAN access restricted) sent by the SEAF 505 to the UE 501 may not be changed. In one embodiment, the SEAF 505 needs to understand that the authentication method used is an EAP method by evaluating the type of authentication method based on the Nausf UEAuthentication Authenticate Response message.
[0106] At 5a (see block 520), in one embodiment, at receipt of the RAND and AUTN, the USIM verifies the freshness of the AV by checking whether the AUTN can be accepted, e.g., as described in TS 33.102 (incorporated herein by reference). If so, the USIM computes a response result (RES). The USIM may return RES, cipher key (CK), and integrity key (IK) to the UE 501. If the USIM computes a Kc (e.g., GPRS Kc) from CK and IK using conversion function c3, e.g., as described in TS 33.102, and sends it to the UE 501, then the UE 501 may ignore such GPRS Kc and not store the GPRS Kc on the USIM or in the UE 501.
[0107] Referring to Figure 5B, at 6 (see messaging 524), in one embodiment, the UE 501 sends the EAP-Response/AKA'-Challenge/RES* message to the SEAF 505 in a NAS Auth-Resp message.
[0108] At 7 (see messaging 526), in one embodiment, the SEAF 505 transparently forwards the EAP-Response/AKA'-Challenge/RES* message to the AUSF 507 in a Nausf UEAuthentication Authenticate Request message.
[0109] At 8 (see block 528), in one embodiment, the AUSF 507 verifies the message by comparing the expected result (XRES) and the RES, and if the AUSF 507 has successfully verified this message, it continues as follows, otherwise it returns an error to the SEAF 505. The AUSF 507 informs the UDM 509 about the authentication result.
[0110] At 9 (see messaging 530), in one embodiment, the AUSF 507 and the UE 501 may exchange EAP-Request/AKA'-Notification and EAP-Response/AKA'-Notification messages (if EAP-AKA' is used) via the SEAF 505. The SEAF 505 may transparently forward these messages.
[0111] At 10 (see block 532), in one embodiment, the AUSF 507 derives the Extended Master Session Key (EMSK) from CK’ and IK’ (if EAP-AKA’ is used) as described in RFC 5448. The AUSF 507 uses the most significant 256 bits of the EMSK as the KAUSF and then calculates KSEAF from KAUSF. The AUSF 507 sends an EAP Success message to the SEAF 505 inside the Nausf UEAuthentication Authenticate Response. The SEAF 505 may forward the EAP Success message transparently to the UE 501 along with the ABBA indicating network access restriction information (UTRAN access restricted, GERAN access restricted). In one embodiment, the Nausf UEAuthentication Authenticate Response message contains the KSEAF. If the AUSF 507 received a SUCI from the SEAF 505 when the authentication was initiated, then the AUSF 507 may also include the SUPI in the Nausf UEAuthentication Authenticate Response message. The AUSF 507 stores the KAUSF based on the home network operator's policy.
[0112] At 11 (see messaging 534), in one embodiment, the SEAF 505 sends the EAP Success (if EAP-AKA’ is used) or an authentication result as success message to the UE 501 in the N1 message. This message may also include the ngKSI and the ABBA parameter indicating network access restriction information (UTRAN access restricted, GERAN access restricted).
[0113] At 12 (see block 536), in one embodiment, the UE 501 derives the KAMF from the KSEAF, the ABBA indicating network access restriction information (UTRAN access restricted, GERAN access restricted), and the SUPI.
[0114] At 13 (see messaging 538), the UE 501 sends the NAS security mode complete message to the AMF 505.
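Why carrying the restriction in the ABBA parameter protects against bidding down, as an added Python example that is not code from the patent: because the ABBA value is an input to the KAMF derivation (step 12), a UE that receives a modified ABBA (for instance one cleared to "no restriction") derives a KAMF different from the network's, so the subsequent NAS Security Mode Command fails its integrity check and the downgrade attempt is caught. Table 1 is not reproduced on this page, so every ABBA code point other than 0x0000 is a placeholder; the KDF follows the generic 3GPP KDF structure with FC 0x6D for KAMF, the SUPI byte encoding is simplified, and the NAS integrity tag is keyed directly with KAMF rather than a derived KNASint.

```python
import hmac
import hashlib

# Hypothetical ABBA code points. Only 0x0000 (the value the SEAF sets in
# paragraph [0102]) comes from the text; the others are placeholders.
ABBA_NO_RESTRICTION = 0x0000
ABBA_UTRAN_GERAN_RESTRICTED = 0x0001  # placeholder
ABBA_UTRAN_RESTRICTED = 0x0002        # placeholder
ABBA_GERAN_RESTRICTED = 0x0003        # placeholder
ABBA_ONLY_5G_ACCESS_ALLOWED = 0x0004  # placeholder
ABBA_EPS_ACCESS_ALLOWED = 0x0005      # placeholder


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF shape (TS 33.220 Annex B):
    HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kamf(k_seaf: bytes, supi: str, abba: int) -> bytes:
    """Step 12: KAMF = KDF(KSEAF, SUPI, ABBA). FC 0x6D is the KAMF code point of
    TS 33.501 Annex A.7; the ASCII SUPI encoding is a simplification."""
    return kdf(k_seaf, 0x6D, supi.encode("ascii"), abba.to_bytes(2, "big"))


def seaf_select_abba(utran_restricted: bool, geran_restricted: bool) -> int:
    """Step 3b: the SEAF maps the UDM restriction flags to an ABBA value."""
    if utran_restricted and geran_restricted:
        return ABBA_UTRAN_GERAN_RESTRICTED
    if utran_restricted:
        return ABBA_UTRAN_RESTRICTED
    if geran_restricted:
        return ABBA_GERAN_RESTRICTED
    return ABBA_NO_RESTRICTION


def restrictions_from_abba(abba: int):
    """UE reading of the ABBA value as (UTRAN restricted, GERAN restricted).
    'Only 5G access allowed' and 'EPS access allowed' are interpreted here as
    excluding 2G/3G (an assumption, since Table 1 is not on this page)."""
    table = {
        ABBA_NO_RESTRICTION: (False, False),
        ABBA_UTRAN_GERAN_RESTRICTED: (True, True),
        ABBA_UTRAN_RESTRICTED: (True, False),
        ABBA_GERAN_RESTRICTED: (False, True),
        ABBA_ONLY_5G_ACCESS_ALLOWED: (True, True),
        ABBA_EPS_ACCESS_ALLOWED: (True, True),
    }
    return table[abba]


def nas_mac(k_amf: bytes, nas_message: bytes) -> bytes:
    """Stand-in for NAS integrity protection: a 32-bit tag keyed with KAMF
    (a real stack derives KNASint from KAMF and applies a NIA algorithm)."""
    return hmac.new(k_amf, nas_message, hashlib.sha256).digest()[:4]


def amf_protect_smc(k_seaf: bytes, supi: str, abba: int, smc: bytes) -> bytes:
    """Network side: derive KAMF with the ABBA actually sent and protect the
    NAS Security Mode Command with it."""
    return nas_mac(derive_kamf(k_seaf, supi, abba), smc)


def ue_verify_smc(k_seaf: bytes, supi: str, received_abba: int,
                  smc: bytes, mac: bytes) -> bool:
    """UE side (steps 12-13): derive KAMF from the ABBA the UE received and check
    the SMC tag. A modified ABBA yields a different KAMF, so the check fails."""
    return hmac.compare_digest(nas_mac(derive_kamf(k_seaf, supi, received_abba), smc), mac)
```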
[0115] Figure 6 illustrates an example of a UE 600 in accordance with aspects of the present disclosure. The UE 600 may include a processor 602, a memory 604, a controller 606, and a transceiver 608. The processor 602, the memory 604, the controller 606, or the transceiver 608, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.
[0116] The processor 602, the memory 604, the controller 606, or the transceiver 608, or various combinations or components thereof may be implemented in hardware (e.g., circuitry). The hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.
[0117] The processor 602 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 602 may be configured to operate the memory 604. In some other implementations, the memory 604 may be integrated into the processor 602. The processor 602 may be configured to execute computer-readable instructions stored in the memory 604 to cause the UE 600 to perform various functions of the present disclosure.
[0118] The memory 604 may include volatile or non-volatile memory. The memory 604 may store computer-readable, computer-executable code including instructions that, when executed by the processor 602, cause the UE 600 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such as the memory 604 or another type of memory. Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.
[0119] In some implementations, the processor 602 and the memory 604 coupled with the processor 602 may be configured to cause the UE 600 to perform one or more of the functions described herein (e.g., executing, by the processor 602, instructions stored in the memory 604). For example, the processor 602 may support wireless communication at the UE 600 in accordance with examples as disclosed herein.
[0120] The UE 600 may be configured to support a means to transmit an indication of a network access restriction enforcement capability of the UE as part of a NAS message with a first network, receive network access restriction information for the UE indicating restrictions on second networks that the UE may access, store the network access restriction information, and prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable.
[0121] In one embodiment, the indication of the network access restriction enforcement capability of the UE indicates whether the UE supports GERAN access restrictions, UTRAN access restrictions, or a combination thereof.
[0122] In one embodiment, the second networks comprise a GERAN, a UTRAN, or a combination thereof. In one embodiment, the NAS message comprises at least one of a Registration Request message, Security mode complete message, or a combination thereof.
[0123] In one embodiment, the UE 600 may be configured to support a means to receive the network access restriction information as part of the NAS message, the NAS message comprising at least one of a NAS security mode command message, a Registration accept message, a Registration complete message, an authentication request message, an authentication response message, a UE configuration update message, and UPU data.
[0124] In one embodiment, the network access restriction information comprises an ABBA parameter value that indicates at least one of UTRAN and GERAN access restricted, UTRAN access restricted, GERAN access restricted, only 5G access allowed, and EPS access allowed.
[0125] The controller 606 may manage input and output signals for the UE 600. The controller 606 may also manage peripherals not integrated into the UE 600. In some implementations, the controller 606 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems. In some implementations, the controller 606 may be implemented as part of the processor 602.
[0126] In some implementations, the UE 600 may include at least one transceiver 608. In some other implementations, the UE 600 may have more than one transceiver 608. The transceiver 608 may represent a wireless transceiver. The transceiver 608 may include one or more receiver chains 610, one or more transmitter chains 612, or a combination thereof.
[0127] A receiver chain 610 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium. For example, the receiver chain 610 may include one or more antennas for receiving the signal over the air or wireless medium. The receiver chain 610 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal. The receiver chain 610 may include at least one demodulator configured to demodulate the received signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal. The receiver chain 610 may include at least one decoder for decoding and processing the demodulated signal to receive the transmitted data.
[0128] A transmitter chain 612 may be configured to generate and transmit signals (e.g., control information, data, packets). The transmitter chain 612 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium. The at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM). The transmitter chain 612 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium. The transmitter chain 612 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.
[0129] Figure 7 illustrates an example of a processor 700 in accordance with aspects of the present disclosure. The processor 700 may be an example of a processor configured to perform various operations in accordance with examples as described herein. The processor 700 may include a controller 702 configured to perform various operations in accordance with examples as described herein. The processor 700 may optionally include at least one memory 704, which may be, for example, an L1/L2/L3 cache. Additionally, or alternatively, the processor 700 may optionally include one or more arithmetic-logic units (ALUs) 706. One or more of these components may be in electronic communication or otherwise coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces (e.g., buses).
[0130] The processor 700 may be a processor chipset and include a protocol stack (e.g., a software stack) executed by the processor chipset to perform various operations (e.g., receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) in accordance with examples as described herein. The processor chipset may include one or more cores, one or more caches (e.g., memory local to or included in the processor chipset (e.g., the processor 700) or other memory (e.g., random access memory (RAM), read-only memory (ROM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), static RAM (SRAM), ferroelectric RAM (FeRAM), magnetic RAM (MRAM), resistive RAM (RRAM), flash memory, phase change memory (PCM), and others).
[0131] The controller 702 may be configured to manage and coordinate various operations (e.g., signaling, receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) of the processor 700 to cause the processor 700 to support various operations in accordance with examples as described herein. For example, the controller 702 may operate as a control unit of the processor 700, generating control signals that manage the operation of various components of the processor 700. These control signals include enabling or disabling functional units, selecting data paths, initiating memory access, and coordinating timing of operations.
[0132] The controller 702 may be configured to fetch (e.g., obtain, retrieve, receive) instructions from the memory 704 and determine subsequent instruction(s) to be executed to cause the processor 700 to support various operations in accordance with examples as described herein. The controller 702 may be configured to track memory address of instructions associated with the memory 704. The controller 702 may be configured to decode instructions to determine the operation to be performed and the operands involved. For example, the controller 702 may be configured to interpret the instruction and determine control signals to be output to other components of the processor 700 to cause the processor 700 to support various operations in accordance with examples as described herein. Additionally, or alternatively, the controller 702 may be configured to manage flow of data within the processor 700. The controller 702 may be configured to control transfer of data between registers, arithmetic logic units (ALUs), and other functional units of the processor 700.
[0133] The memory 704 may include one or more caches (e.g., memory local to or included in the processor 700 or other memory, such as RAM, ROM, DRAM, SDRAM, SRAM, MRAM, flash memory, etc.). In some implementations, the memory 704 may reside within or on a processor chipset (e.g., local to the processor 700). In some other implementations, the memory 704 may reside external to the processor chipset (e.g., remote to the processor 700).
[0134] The memory 704 may store computer-readable, computer-executable code including instructions that, when executed by the processor 700, cause the processor 700 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such as system memory or another type of memory. The controller 702 and/or the processor 700 may be configured to execute computer-readable instructions stored in the memory 704 to cause the processor 700 to perform various functions. For example, the processor 700 and/or the controller 702 may be coupled with or to the memory 704, and the processor 700, the controller 702, and the memory 704 may be configured to perform various functions described herein. In some examples, the processor 700 may include multiple processors and the memory 704 may include multiple memories. One or more of the multiple processors may be coupled with one or more of the multiple memories, which may, individually or collectively, be configured to perform various functions herein.
[0135] The one or more ALUs 706 may be configured to support various operations in accordance with examples as described herein. In some implementations, the one or more ALUs 706 may reside within or on a processor chipset (e.g., the processor 700). In some other implementations, the one or more ALUs 706 may reside external to the processor chipset (e.g., the processor 700). One or more ALUs 706 may perform one or more computations such as addition, subtraction, multiplication, and division on data. For example, one or more ALUs 706 may receive input operands and an operation code, which determines an operation to be executed. One or more ALUs 706 may be configured with a variety of logical and arithmetic circuits, including adders, subtractors, shifters, and logic gates, to process and manipulate the data according to the operation. Additionally, or alternatively, the one or more ALUs 706 may support logical operations such as AND, OR, exclusive-OR (XOR), not-OR (NOR), and not-AND (NAND), enabling the one or more ALUs 706 to handle conditional operations, comparisons, and bitwise operations.
[0136] The processor 700 may support wireless communication in accordance with examples as disclosed herein. The processor 700 may be configured to or operable to support a means to receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information, transmit the network access restriction information to the UE, and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
[0137] The processor 700 may be configured to or operable to support a means to receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information, configure the network access restriction information for the UE in subscription data associated with the UE, and transmit the network access restriction information.
[0138] The processor 700 may be configured to or operable to support a means to transmit an indication of a network access restriction enforcement capability of a UE as part of a NAS message with a first network, receive network access restriction information for the UE indicating restrictions on second networks that the UE may access, store the network access restriction information, and prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable.
[0139] Figure 8 illustrates an example of a NE 800 in accordance with aspects of the present disclosure. The NE 800 may include a processor 802, a memory 804, a controller 806, and a transceiver 808. The processor 802, the memory 804, the controller 806, or the transceiver 808, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.
[0140] The processor 802, the memory 804, the controller 806, or the transceiver 808, or various combinations or components thereof may be implemented in hardware (e.g., circuitry). The hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.
[0141] The NE 800 may be configured to support a means to receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information, transmit the network access restriction information to the UE, and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
[0142] In one embodiment, the indication of the network access restriction enforcement capability of the UE indicates whether the UE supports GERAN access restrictions, UTRAN access restrictions, or a combination thereof. In one embodiment, the at least one processor is configured to cause the NE to store the network access restriction information as part of a UE context.
[0143] In one embodiment, the NE 800 may be configured to support a means to apply the at least one network access restriction by not initiating inter-RAT handover to GERAN, UTRAN, or a combination thereof.
[0144] In one embodiment, the NE 800 may be configured to support a means to apply the at least one network access restriction by not initiating or forwarding relocation requests related to SRVCC for handover to GERAN, UTRAN, or a combination thereof.
[0145] In one embodiment, the NE 800 may be configured to support a means to transmit the network access restriction information to a RAN associated with the UE to enforce the network access restriction for the UE at the RAN.
[0146] In one embodiment, the NE 800 may be configured to support a means to transmit the network access restriction information to the UE in a NAS security message. In one embodiment, the NE 800 may be configured to support a means to transmit the network access restriction information to the UE as part of a UE configuration update command.
[0147] In one embodiment, the NE 800 may be configured to support a means to transmit an acknowledgement to a UDM network function indicating that the UE received the network access restriction information.
[0148] In one embodiment, the network access restriction information comprises an ABBA parameter value that indicates at least one of UTRAN and GERAN access restricted, UTRAN access restricted, GERAN access restricted, only 5G access allowed, and EPS access allowed.
[0149] In one embodiment, the NE 800 may be configured to support a means to determine the network access restriction information based on a configuration at the NE, the network access restriction information comprising an indication of UTRAN access restricted/not allowed, GERAN access restricted/not allowed, or a combination thereof.
[0150] In one embodiment, the NE 800 may be configured to support a means to fetch the network access restriction information from a UDM network function, the network access restriction information comprising an indication of UTRAN access restricted/not allowed, GERAN access restricted/not allowed, or a combination thereof.
[0151] In one embodiment, the NE 800 may be configured to support a means to receive an indication of a network access restriction enforcement capability of a UE, determine network access restriction information for the UE, configure the network access restriction information for the UE in subscription data associated with the UE, and transmit the network access restriction information.
[0152] In one embodiment, the NE 800 may be configured to support a means to configure the network access restriction information for the UE in UPU data. In one embodiment, the NE 800 may be configured to support a means to configure the network access restriction information for the UE in subscription data associated with the UE based on a local policy.
[0153] In one embodiment, the NE 800 may be configured to support a means to configure the network access restriction information for the UE in subscription data associated with the UE based on a GERAN, a UTRAN, or a combination thereof being decommissioned.
[0154] In one embodiment, the NE 800 may be configured to support a means to configure the network access restriction information for the UE in subscription data associated with the UE as part of mobility restrictions for the UE, RAT restrictions for the UE, or a combination thereof.
[0155] The processor 802 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 802 may be configured to operate the memory 804. In some other implementations, the memory 804 may be integrated into the processor 802. The processor 802 may be configured to execute computer-readable instructions stored in the memory 804 to cause the NE 800 to perform various functions of the present disclosure.
[0156] The memory 804 may include volatile or non-volatile memory. The memory 804 may store computer-readable, computer-executable code including instructions that, when executed by the processor 802, cause the NE 800 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such as the memory 804 or another type of memory. Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.
[0157] In some implementations, the processor 802 and the memory 804 coupled with the processor 802 may be configured to cause the NE 800 to perform one or more of the functions described herein (e.g., executing, by the processor 802, instructions stored in the memory 804). For example, the processor 802 may support wireless communication at the NE 800 in accordance with examples as disclosed herein.
[0158] The controller 806 may manage input and output signals for the NE 800. The controller 806 may also manage peripherals not integrated into the NE 800. In some implementations, the controller 806 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems. In some implementations, the controller 806 may be implemented as part of the processor 802.
[0159] In some implementations, the NE 800 may include at least one transceiver 808. In some other implementations, the NE 800 may have more than one transceiver 808. The transceiver 808 may represent a wireless transceiver. The transceiver 808 may include one or more receiver chains 810, one or more transmitter chains 812, or a combination thereof.
[0160] A receiver chain 810 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium. For example, the receiver chain 810 may include one or more antennas for receiving the signal over the air or wireless medium. The receiver chain 810 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal. The receiver chain 810 may include at least one demodulator configured to demodulate the received signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal. The receiver chain 810 may include at least one decoder for decoding and processing the demodulated signal to receive the transmitted data.
[0161] A transmitter chain 812 may be configured to generate and transmit signals (e.g., control information, data, packets). The transmitter chain 812 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium. The at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM). The transmitter chain 812 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium. The transmitter chain 812 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.
[0162] Figure 9 illustrates a flowchart of a method in accordance with aspects of the present disclosure. The operations of the method may be implemented by an NE as described herein. In some implementations, the NE may execute a set of instructions to control the functional elements of the NE to perform the described functions.
[0163] At 902, the method may receive an indication of a network access restriction enforcement capability of a UE. The operations of 902 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 902 may be performed by an NE as described with reference to Figure 8.
[0164] At 904, the method may determine network access restriction information. The operations of 904 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 904 may be performed by an NE as described with reference to Figure 8.
[0165] At 906, the method may transmit the network access restriction information to the UE. The operations of 906 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 906 may be performed by an NE as described with reference to Figure 8.
[0166] At 908, the method may apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information. The operations of 908 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 908 may be performed by an NE as described with reference to Figure 8.
[0167] Figure 10 illustrates a flowchart of a method in accordance with aspects of the present disclosure. The operations of the method may be implemented by an NE as described herein. In some implementations, the NE may execute a set of instructions to control the functional elements of the NE to perform the described functions.
[0168] At 1002, the method may receive an indication of a network access restriction enforcement capability of a UE. The operations of 1002 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1002 may be performed by an NE as described with reference to Figure 8.
[0169] At 1004, the method may determine network access restriction information for the UE. The operations of 1004 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1004 may be performed by an NE as described with reference to Figure 8.
[0170] At 1006, the method may configure the network access restriction information for the UE in subscription data associated with the UE. The operations of 1006 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1006 may be performed by an NE as described with reference to Figure 8.
[0171] At 1008, the method may transmit the network access restriction information. The operations of 1008 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1008 may be performed by an NE as described with reference to Figure 8.
[0172] Figure 11 illustrates a flowchart of a method in accordance with aspects of the present disclosure. The operations of the method may be implemented by a UE as described herein. In some implementations, the UE may execute a set of instructions to control the functional elements of the UE to perform the described functions.
[0173] At 1102, the method may transmit an indication of a network access restriction enforcement capability of the UE as part of a NAS message with a first network. The operations of 1102 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1102 may be performed by a UE as described with reference to Figure 6.
[0174] At 1104, the method may receive network access restriction information for the UE indicating restrictions on second networks that the UE may access. The operations of 1104 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1104 may be performed by a UE as described with reference to Figure 6.
[0175] At 1106, the method may store the network access restriction information. The operations of 1106 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1106 may be performed by a UE as described with reference to Figure 6.
[0176] At 1108, the method may prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable. The operations of 1108 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1108 may be performed by a UE as described with reference to Figure 6.
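The capability exchange and enforcement of Figures 9 to 11 (NE side at 902-908 and 1002-1008, UE side at 1102-1108), as an added Python illustration that is not the patent's own code. The message field names, the restriction value names, the subscription table and the rule that the NE sends a UE only the restrictions it declared it can enforce are assumptions of this example.

```python
"""Simulation of the Figure 9-11 exchange: the UE indicates its enforcement
capability, the NE determines restriction information from subscription data,
and both sides enforce it. Added illustration, not the patent's code; field and
value names, the subscription table and the "send only what the UE can enforce"
rule are assumptions of this example."""
from dataclasses import dataclass, field

# Constructed value names mirroring the "UTRAN/GERAN access restricted" values
# the description lists, and the (assumed) second-network RAT each one blocks.
UTRAN_RESTRICTED = "UTRAN_RESTRICTED"
GERAN_RESTRICTED = "GERAN_RESTRICTED"
BLOCKS = {"GERAN": GERAN_RESTRICTED, "UTRAN": UTRAN_RESTRICTED, "EPS": None}

def rat_allowed(rat: str, restriction: set) -> bool:
    """True unless the stored restriction information excludes this RAT."""
    return BLOCKS[rat] not in restriction

@dataclass
class NE:
    subscription: dict                  # SUPI -> restriction values (1006)
    ue_context: dict = field(default_factory=dict)

    def on_capability(self, supi: str, capability: dict) -> set:
        """902-906 / 1002-1008: record capability and restriction information
        in the UE context and return the information to transmit to the UE."""
        info = set(self.subscription.get(supi, ()))
        self.ue_context[supi] = {"capability": capability, "restriction": info}
        # Assumed: only restrictions the UE declared it can enforce are sent;
        # the network side still enforces the full set (permit_relocation).
        enforceable = {v for rat, v in BLOCKS.items() if v and capability.get(rat)}
        return info & enforceable

    def permit_relocation(self, supi: str, target_rat: str) -> bool:
        """908: do not initiate inter-RAT handover, or forward SRVCC relocation
        requests, toward a RAT the UE context marks as restricted."""
        stored = self.ue_context.get(supi, {}).get("restriction", set())
        return rat_allowed(target_rat, stored)   # no context: nothing to apply

@dataclass
class UE:
    supports: dict                      # e.g. {"GERAN": True, "UTRAN": False}
    stored: set = field(default_factory=set)

    def capability_indication(self) -> dict:
        """1102: carried in a NAS message such as the Registration Request."""
        return dict(self.supports)

    def on_restriction_info(self, info: set) -> None:
        """1104-1106: store the information for later use."""
        self.stored = set(info)

    def select_fallback(self, candidates, first_network_available: bool) -> list:
        """1108: once the first network is unavailable, drop the second networks
        the stored information excludes; with the first network up, stay put."""
        if first_network_available:
            return []
        return [rat for rat in candidates if rat_allowed(rat, self.stored)]

def demo() -> dict:
    """Constructed run: subscription restricts both legacy RATs, the UE can only
    enforce the GERAN restriction, then the 5G network becomes unavailable."""
    ne = NE(subscription={"supi-1": {GERAN_RESTRICTED, UTRAN_RESTRICTED}})
    ue = UE(supports={"GERAN": True, "UTRAN": False})
    sent = ne.on_capability("supi-1", ue.capability_indication())
    ue.on_restriction_info(sent)
    return {"sent": sent,
            "ho_geran": ne.permit_relocation("supi-1", "GERAN"),
            "ho_utran": ne.permit_relocation("supi-1", "UTRAN"),
            "fallback": ue.select_fallback(["GERAN", "UTRAN", "EPS"], False)}
```

In the constructed run the network refuses relocation toward both legacy RATs, while the UE, which declared only GERAN enforcement, still drops GERAN from its fallback candidates when the first network is unavailable.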
[0177] It should be noted that the method described herein is one possible implementation, and that the operations and the steps may be rearranged or otherwise modified and that other implementations are possible.
[0178] The description herein is provided to enable a person having ordinary skill in the art to make or use the disclosure. Various modifications to the disclosure will be apparent to a person having ordinary skill in the art, and the generic principles defined herein may be applied to other variations without departing from the scope of the disclosure. Thus, the disclosure is not limited to the examples and designs described herein but is to be accorded the broadest scope consistent with the principles and novel features disclosed herein.
Claims
1. A network equipment (NE) for wireless communication, comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the NE to: receive an indication of a network access restriction enforcement capability of a user equipment (UE); determine network access restriction information; transmit the network access restriction information to the UE; and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
2. The NE of claim 1, wherein the indication of the network access restriction enforcement capability of the UE indicates whether the UE supports GSM EDGE Radio Access Network (GERAN) access restrictions, Universal Terrestrial Radio Access Network (UTRAN) access restrictions, or a combination thereof.
3. The NE of claim 1, wherein the at least one processor is configured to cause the NE to store the network access restriction information as part of a UE context.
4. The NE of claim 1, wherein the at least one processor is configured to cause the NE to apply the at least one network access restriction by not initiating inter-radio access technology (RAT) handover to GSM EDGE Radio Access Network (GERAN), Universal Terrestrial Radio Access Network (UTRAN), or a combination thereof.
5. The NE of claim 1, wherein the at least one processor is configured to cause the NE to apply the at least one network access restriction by not initiating or forwarding relocation requests related to single radio voice call continuity (SRVCC) for handover to GSM EDGE Radio Access Network (GERAN), Universal Terrestrial Radio Access Network (UTRAN), or a combination thereof.
6. The NE of claim 1, wherein the at least one processor is configured to cause the NE to transmit the network access restriction information to a radio access network (RAN) associated with the UE to enforce the network access restriction for the UE at the RAN.
7. The NE of claim 1, wherein the at least one processor is configured to cause the NE to transmit the network access restriction information to the UE in a non-access stratum (NAS) security message.
8. The NE of claim 1, wherein the at least one processor is configured to cause the NE to transmit the network access restriction information to the UE as part of a UE configuration update command.
9. The NE of claim 1, wherein the at least one processor is configured to cause the NE to transmit an acknowledgement to a unified data management (UDM) network function indicating that the UE received the network access restriction information.
10. The NE of claim 1, wherein the network access restriction information comprises an anti-bidding down between architectures (ABBA) parameter value that indicates at least one of Universal Terrestrial Radio Access Network (UTRAN) and GSM EDGE Radio Access Network (GERAN) access restricted, UTRAN access restricted, GERAN access restricted, only 5G access allowed, and evolved packet system (EPS) access allowed.
11. The NE of claim 1, wherein the at least one processor is configured to cause the NE to determine the network access restriction information based on a configuration at the NE, the network access restriction information comprising an indication of Universal Terrestrial Radio Access Network (UTRAN) access restricted/not allowed, GSM EDGE Radio Access Network (GERAN) access restricted/not allowed, or a combination thereof.
12. The NE of claim 1, wherein the at least one processor is configured to cause the NE to fetch the network access restriction information from a unified data management (UDM) network function, the network access restriction information comprising an indication of Universal Terrestrial Radio Access Network (UTRAN) access restricted/not allowed, GSM EDGE Radio Access Network (GERAN) access restricted/not allowed, or a combination thereof.
13. A processor for wireless communication, comprising: at least one controller coupled with at least one memory and configured to cause the processor to: receive an indication of a network access restriction enforcement capability of a user equipment (UE); determine network access restriction information; transmit the network access restriction information to the UE; and apply at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
14. A method performed by a network equipment (NE), the method comprising: receiving an indication of a network access restriction enforcement capability of a user equipment (UE); determining network access restriction information; transmitting the network access restriction information to the UE; and applying at least one network access restriction based on the indication of the network access restriction enforcement capability of the UE and the determined network access restriction information.
15. A user equipment (UE) for wireless communication, comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the UE to: transmit an indication of a network access restriction enforcement capability of the UE as part of a non-access stratum (NAS) message with a first network; receive network access restriction information for the UE indicating restrictions on second networks that the UE may access; store the network access restriction information; and prevent connecting to the second networks as indicated in the network access restriction information in response to the first network being unavailable.
16. The UE of claim 15, wherein the indication of the network access restriction enforcement capability of the UE indicates whether the UE supports GSM EDGE Radio Access Network (GERAN) access restrictions, Universal Terrestrial Radio Access Network (UTRAN) access restrictions, or a combination thereof.
17. The UE of claim 15, wherein the second networks comprise a GSM EDGE Radio Access Network (GERAN), a Universal Terrestrial Radio Access Network (UTRAN), or a combination thereof.
18. The UE of claim 15, wherein the NAS message comprises at least one of a Registration Request message, Security mode complete message, or a combination thereof.
19. The UE of claim 15, wherein the at least one processor is configured to cause the UE to receive the network access restriction information as part of the NAS message, the NAS message comprising at least one of a NAS security mode command message, a Registration accept message, a Registration complete message, an authentication request message, an authentication response message, a UE configuration update message, and UE parameters update (UPU) data.
20. The UE of claim 15, wherein the network access restriction information comprises an anti-bidding down between architectures (ABBA) parameter value that indicates at least one of Universal Terrestrial Radio Access Network (UTRAN) and GSM EDGE Radio Access Network (GERAN) access restricted, UTRAN access restricted, GERAN access restricted, only 5G access allowed, and evolved packet system (EPS) access allowed.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US63/624,215 (US202463624215P) | 2024-01-23 | 2024-01-23 | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025114990A1 true WO2025114990A1 (en) | 2025-06-05 |
Family ID: 94598892
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/IB2025/050664 Pending WO2025114990A1 (en) | 2024-01-23 | 2025-01-22 | Techniques for preventing bidding down attacks |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025114990A1 (en) |