Configuring UP Integrity Protection

SMF applies UP Integrity Protection at gNB based on UP integrity protection parameters.

To configure the UP integrity protection parameters, use the following sample configuration:

config 
    profile dnn dnn_profile_name 
        upip status { required | preferred | not-needed } 
        upip data-rate dl { 64kbps | max-ue-rate | null } ul { 64kbps | max-ue-rate | null } restrict-action { continue | terminate } } 
        end 

NOTES:

  • upip status { required | preferred | not-needed } —Specify local configuration for UPIP if not received in subscription from UDM.

  • upip data-rate dl { 64kbps | max-ue-rate | null } ul { 64kbps | max-ue-rate | null } restrict-action { continue | terminate } } —Configure the UPIP data rate for downlink and uplink traffic.

    Specify one of the following actions to be taken based on the configured data rate and UE capable data rate.

    • continue

    • terminate

    Default action is terminate for UPIP status=required and continue for other UPIP status.

    If continue is configured, then call will be continued without enabling UPIP. Please note that retrict-action configuration is applicable only for UPIP status “REQUIRED”.

The following is an example of the UP integrity protection configuration.

profile dnn intershat
 network-element-profiles chf chf1
 network-element-profiles amf amf1
 network-element-profiles pcf pcf1
 network-element-profiles udm udm1
 charging-profile chgprf1
 virtual-mac      b6:6d:47:47:47:47
 ssc-mode 2 allowed [ 3 ]
 session type IPV4 allowed [ IPV6 IPV4V6 ]
 upf apn intershat
 dcnr true
 upip status required
 upip data-rate dl max-ue-rate ul max-ue-rate restrict-action terminate
 exit

Verifying UP Integrity Protection Configuration

To display the UPIP enforcement status and the UPIP enforcement data rates, use the show subscriber command at the global configuration level.

The following is an output of the show subscriber command.

Upip-enforcement-status: [required|preferred]: [performed|not-perfomed]
Upip-enforcement-datarate-dl: 64kbps/max-ue-rate
Upip-enforcement-datarate-ul: 64kbps/max-ue-rate
Note

The performed/not-performed details are applicable only to “preferred” UPIP status which is updated based on the gNB response. The data rates are visible only in UPIP enabled cases (required/preferred:performed).

To display the number of subscribers with UPIP enforcements active, use the show subscriber count command. This output is updated on receiving N2 Modification indication with fulfil or not-fulfil.

To display the number of sessions activated with UPIP, use the subscriber namespace smf count upip true command.