This section describes how the user data packets between UE and gNB are integrity protected.
SMF retrieves UP security subscription per DNN from UDM during 5G session creation and gives priority to the UPIP status (UP
integrity values) received from UDM over local configuration.
SMF decides UPIP enforcement status and UPIP enforcement data rate based on UP security subscription, local configuration,
and the UPIP data rate values received from UE. Then, the SMF sends the appropriate UPIP enforcement status and data rate
to gNB through PDU Session Resource Setup Request message during PDU establishment procedure.
SMF includes the following information in Security Indication in the N2 setup request message.
- Integrity Protection Indication IE with UPIP enforcement status
- Maximum Integrity Protection Data Rate Uplink or Downlink IE with UPIP enforcement data rate
- Confidentiality Protection Indication IE with “not-needed” as the value
If gNB cannot meet the UPIP enforcement data rates and if the Integrity Protection Indication IE is set as “required”, it
rejects PDU session resource setup request with cause “up-integrity-protection-not-possible”. Then, the SMF clears the call
and sends N1 release to the UE.
If gNB cannot meet the enforcement data rates and if the Integrity Protection Indication IE is set as “preferred”, it includes
Security Result with integrity protection result set to “not performed” in PDU Session Resource Setup Response message.
If gNB is able to enforce UPIP data rates and if the Integrity Protection Indication IE is set as “preferred”, it includes
Security Result with integrity protection result set to “performed” in PDU Session Resource Setup Response message.
SMF populates the UPIP enforcement values in N2 messages based on the algorithms specified in the following tables.
Table 47. Negotiated UPIP Status based on UDM Subscription and Local Configuration

| UPIP Subscription | Local Configuration | UPIP Status |
|-------------------|---------------------|-------------|
| Required          | Not Applicable      | Required    |
| Preferred         | Not Applicable      | Preferred   |
| Not needed        | Not Applicable      | Not needed  |
| Not received      | Required            | Required    |
| Not received      | Preferred           | Preferred   |
| Not received      | Not needed          | Not needed  |
| Not received      | Not configured      | None        |

Table 48. Negotiated UPIP Data Rate based on UE Supported Values and Local Configuration

| UE Requested Data Rate | Local Configuration | UPIP Data Rate |
|------------------------|---------------------|----------------|
| 64 kbps                | Not configured      | 64 kbps        |
| Null                   | Not configured      | Null           |
| Null                   | Configured          | Null           |
| Full rate              | Not configured      | Full rate      |
| 64 kbps                | 64 kbps             | 64 kbps        |
| Full rate              | 64 kbps             | 64 kbps        |
| 64 kbps                | Null                | Null           |
| Full rate              | Null                | Null           |
| 64 kbps                | Full rate           | Null           |
| Full rate              | Full rate           | Full rate      |

Table 49. N2 UPIP based on UPIP Status and UPIP Data Rate Output

| UPIP Status          | UPIP Data Rate | N2 UPIP Indication | N2 Security Data Rate | N2 Security Result         | Comment |
|----------------------|----------------|--------------------|-----------------------|----------------------------|---------|
| Required             | 64 kbps        | Required           | 64 kbps               | Not Applicable             | Call is cleared if N2 failure received due to one of the following reasons: |
| Required             | Null           | Not Applicable     | Not Applicable        | Not Applicable             | Call is cleared with N1 cause #82 "maximum data rate per UE for user plane integrity protection is too low". N11 SmContextCreate error is sent with cause INTEGRITY_PROTECTED_MDR_NOT_ACCEPTABLE (403 Forbidden). |
| Required             | Full rate      | Required           | Full rate             | Not Applicable             | Call is cleared if N2 failure received due to one of the following reasons: |
| Preferred            | 64 kbps        | Preferred          | 64 kbps               | Performed or Not performed |         |
| Preferred            | Null           | IE not included    | IE not included       | Not Applicable             |         |
| Preferred            | Full rate      | Preferred          | Full rate             | Performed or Not performed |         |
| Not required or none | Not Applicable | IE not included    | IE not included       | Not Applicable             |         |

If the data rate configured locally on SMF is less than the UE requested value, SMF sends the UE requested value to gNB unless
the locally configured value is null.
SMF receives the maximum data rate per UE for user plane integrity protection in the N1 PDU Session Establishment Request. If
the UP security subscription indicates that UPIP is required, the SMF compares the UE requested data rate with the configured
data rate. If the UE requested data rate is lower than the configured rate, SMF rejects PDU establishment with 5GSM cause value #82 "maximum data rate
per UE for user-plane integrity protection is too low". SMF then sends an N11 response carrying SmContextCreateError with 403
Forbidden and the failure cause INTEGRITY_PROTECTED_MDR_NOT_ACCEPTABLE.
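The negotiation described by Tables 47 through 49 and the gNB response handling above, written out as an added Python example (this is illustrative code, not the Cisco SMF implementation). It encodes the table cells as the strings the tables use; the rate ranking used to compare a locally configured rate with the UE's requested rate is an assumption that covers only the two rates named on this page, and all field and function names are invented for the example.

```python
"""SMF-side UPIP negotiation for PDU session establishment (added example, not SMF product code).

Implements Table 47 (status), Table 48 (data rate), Table 49 (N2 Security Indication contents),
the #82 rejection, and the handling of the gNB's PDU Session Resource Setup Response/Failure.
"""
from dataclasses import dataclass
from typing import Optional

# Rank used to check whether the UE can support a locally configured rate.
# Assumption: only the two rates named on the page exist.
_RATE_RANK = {"64 kbps": 1, "Full rate": 2}

N1_CAUSE_82 = '#82 "maximum data rate per UE for user plane integrity protection is too low"'
N11_MDR_NOT_ACCEPTABLE = "403 INTEGRITY_PROTECTED_MDR_NOT_ACCEPTABLE"
N2_UPIP_NOT_POSSIBLE = "up-integrity-protection-not-possible"


def negotiate_upip_status(subscription: Optional[str], local_config: Optional[str]) -> Optional[str]:
    """Table 47: a value received from UDM wins; otherwise local configuration; None if neither."""
    return subscription if subscription is not None else local_config


def negotiate_upip_data_rate(ue_requested: str, local_config: str) -> str:
    """Table 48: 'Null' if either side is Null; the UE value if nothing is configured locally;
    the local rate if the UE can support it; otherwise 'Null' (UE rate too low)."""
    if ue_requested == "Null" or local_config == "Null":
        return "Null"
    if local_config == "Not configured":
        return ue_requested
    return local_config if _RATE_RANK[local_config] <= _RATE_RANK[ue_requested] else "Null"


@dataclass
class Decision:
    action: str                        # "setup", "reject" (at N1/N11) or "release" (after N2 failure)
    n2_indication: Optional[str]       # Integrity Protection Indication IE; None = IE not included
    n2_data_rate: Optional[str]        # Maximum Integrity Protection Data Rate IE; None = not included
    enforcement: Optional[str] = None  # "required", "preferred:performed", "preferred:not-performed"
    iwk_disabled: bool = False         # set when "Required" is sent: no EBI assignment, no ePCO mapping
    n1_cause: Optional[str] = None
    n11_cause: Optional[str] = None


def decide_pdu_session(subscription, local_status, ue_rate, local_rate) -> Decision:
    """Table 49: what the SMF places in the N2 Security Indication, or why it rejects."""
    status = negotiate_upip_status(subscription, local_status)
    rate = negotiate_upip_data_rate(ue_rate, local_rate)
    if status == "Required":
        if rate == "Null":
            return Decision("reject", None, None, n1_cause=N1_CAUSE_82, n11_cause=N11_MDR_NOT_ACCEPTABLE)
        return Decision("setup", "Required", rate, enforcement="required", iwk_disabled=True)
    if status == "Preferred" and rate != "Null":
        return Decision("setup", "Preferred", rate)      # outcome settled by the gNB Security Result
    return Decision("setup", None, None)                  # Preferred/Null, Not needed, or no policy


def apply_gnb_response(decision: Decision, security_result: Optional[str] = None,
                       failure_cause: Optional[str] = None) -> Decision:
    """Apply the PDU Session Resource Setup Response (or failure cause) received from the gNB."""
    if decision.action != "setup":
        return decision
    if decision.n2_indication == "Required" and failure_cause == N2_UPIP_NOT_POSSIBLE:
        decision.action = "release"                       # SMF clears the call and sends N1 release
        return decision
    if decision.n2_indication == "Preferred" and security_result in ("performed", "not performed"):
        decision.enforcement = "preferred:" + security_result.replace(" ", "-")
    return decision


def include_security_indication_in_service_request(decision: Decision) -> bool:
    """UE-triggered service request: N2 Security Indication is sent only for these enforcement values."""
    return decision.enforcement in ("required", "preferred:performed", "preferred:not-performed")
```

The rejection path only fires for the Required status: with Preferred and a Null rate the session is set up with the integrity IEs omitted, which matches the fifth row of Table 49.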
For details on the configuration of UPIP status and data rates, see the Configuring UP Integrity Protection section.
If the CLI command is configured to continue, the call continues without enabling UPIP. This CLI applies to
UPIP status "REQUIRED" only.
SMF marks interworking functionality (IWK) as disabled if the UPIP indication is sent as “required” in N2 Security Indication
in the N2 setup request during PDU session establishment. For such sessions, the EBI assignment procedure is not triggered
and MappedEpsbearerContext is not included in ePCO.
SMF rejects the N11 retrieve message with 403 Forbidden if IWK is marked as disabled. NR to Wi-Fi HO is rejected if UPIP is active
in NR with the indication set to “required”. CSR from Wi-Fi RAT with HI=1 is rejected with cause "Denied in RAT".
Session create request in 4G or Wi-Fi RAT is rejected with cause “Denied in RAT", if UDM subscription indicates UPIP is “required”
or if configuration indicates UPIP is “required”.
Session create request in 4G or Wi-Fi RAT is accepted if UDM subscription or local configuration indicates that UPIP is “preferred”.
4G to 5G Handover (HO) for a UPIP active session with “preferred” is accepted, but UPIP is not enabled if UE capable data
rate is not available.
UE triggers an N1 modification to update data rate and SMF enables UPIP during subsequent N2 setup (that is, idle mode exit
or subsequent HO to 5G).
SMF includes N2 security indication with UPIP indication and UPIP data rate in N2 message during UE triggered service request
procedure if the UPIP enforcement status indicates one of the following values:
- required
- preferred:performed
- preferred:not-performed
UPIP Status Handling in Handovers and Other Procedures
This section describes how the UPIP enforcement value is calculated and UPIP is negotiated during the different handover scenarios
and other procedures.
In the case of first HO to NR from EUTRA, hSMF extracts UPIP data rate and applies the algorithm to decide UPIP enforcement
values.
If UPIP enforcement value is preferred and if the gNB is unable to fulfill the data rate, vSMF includes NotifyList in HSMFUpdateData
with notification cause set as UP_SEC_NOT_FULFILLED and forwards the security result that is received from gNB to hSMF in
securityResult IE in N16 HSMFUpdateData.
UPIP Negotiation During Xn Handover
Path switch transfer IE in path switch request contains user plane security information which has Security Result and Security
Indication. If the locally stored value is different from what is received in path switch, SMF includes the local value in
Security Indication in Path Switch Acknowledge Transfer message. The SMF logs this event as a warning. If the Security Indication
that is received in the path switch acknowledge is different than what is already applied, target gNB corrects the value and
sends N2 modification indication.
If the target gNB is unable to provide the UPIP that was active in the source gNB before Xn handover in the “upip required” case,
the SMF triggers the release of the specific PDU sessions listed in “pdu session resource failed to setup list” with the corresponding
PDU session ID in the path switch request. If the target gNB is unable to provide UPIP for any of the active sessions, it
rejects the handover attempt and the source gNB decides to release the session.
SMF changes the UPIP status from not-performed to performed during Xn HO, if the source gNB indicates the incapability to
support the requested UPIP before HO and security result in path switch indicates “performed”.
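The Path Switch handling described in this subsection, as an added Python example (not SMF product code): the SMF compares the security information carried in Path Switch Request against what it has stored, answers with its local value on mismatch and logs a warning, releases a session whose required UPIP the target cannot provide, and moves a preferred session from not-performed to performed when the target gNB reports it performed. The data-class and function names are assumptions made for the example.

```python
"""Xn handover: SMF handling of UPIP information in Path Switch Request (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class StoredUpip:
    indication: Optional[str]   # Security Indication sent in the original N2 setup ("Required"/"Preferred"/None)
    data_rate: Optional[str]    # Maximum Integrity Protection Data Rate sent in the original N2 setup
    result: Optional[str]       # last Security Result reported by the gNB ("performed"/"not performed"/None)


@dataclass
class PathSwitchOutcome:
    ack_indication: Optional[str]   # Security Indication placed in Path Switch Acknowledge Transfer
    ack_data_rate: Optional[str]
    released: bool                  # True when the SMF releases this PDU session
    new_result: Optional[str]       # UPIP status to store after the handover
    warnings: List[str] = field(default_factory=list)


def handle_path_switch(pdu_session_id: int, stored: StoredUpip,
                       received_indication: Optional[str], received_data_rate: Optional[str],
                       received_result: Optional[str], failed_to_setup: bool) -> PathSwitchOutcome:
    """Process the user plane security information of one PDU session from Path Switch Request.

    failed_to_setup is True when the target gNB listed this session in
    "pdu session resource failed to setup list".
    """
    out = PathSwitchOutcome(stored.indication, stored.data_rate, False, stored.result)

    # Required UPIP that the target gNB cannot provide: the SMF releases this PDU session.
    if stored.indication == "Required" and failed_to_setup:
        out.released = True
        return out

    # Security Indication differs from what the SMF applied: the local value goes back in the
    # acknowledge and the event is logged as a warning; the target gNB then corrects itself
    # and sends an N2 modification indication.
    if (received_indication, received_data_rate) != (stored.indication, stored.data_rate):
        out.warnings.append(
            f"PDU session {pdu_session_id}: path switch security indication "
            f"{received_indication}/{received_data_rate} differs from local "
            f"{stored.indication}/{stored.data_rate}; local value sent in acknowledge")

    # Source gNB could not perform the requested UPIP but the target reports it performed:
    # the stored status moves from not-performed to performed.
    if stored.result == "not performed" and received_result == "performed":
        out.new_result = "performed"
    return out
```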
UPIP Negotiation During 4G or Wi-Fi to 5G Handover
For preferred cases, UPIP is disabled during HO from 5G to 4G or Wi-Fi. Similarly, UPIP is enabled during HO from 4G or Wi-Fi
to 5G.
UPIP Negotiation During Idle to Active Transition
If N2 setup failure is received with cause “UE maximum integrity protected data rate reason”, SMF triggers session release.
UPIP status is enabled (performed) or disabled (not-performed) during idle mode exit and the UPIP status is updated in CDL.
UPIP Negotiation During N2 Handover
SMF sends the UP security policy of UE to the target gNB through the target AMF. The target gNB rejects all PDU sessions if
it cannot comply with the corresponding UP security policy and indicates the reject cause to the SMF through the target AMF.
For all other PDU sessions, the target gNB activates UP integrity protection per DRB according to the UP security policy.
If N2 failure is received with cause “UE maximum integrity protected data rate reason”, SMF triggers session release.
The gNB reports its integrity protection rate capability to the SMF by including Security Result in the PDU Resource
Modify Indication Transfer message. In the “preferred” case, SMF updates the UPIP enforcement action (performed or not-performed)
based on the reported capability; SMF takes no other action on receiving this message, and the handling applies
only to the preferred case.