WO2018085427A1 - Defense against non-access stratum denial-of-service attack - Google Patents

Defense against non-access stratum denial-of-service attack

Info

Publication number
WO2018085427A1
Authority
WO
WIPO (PCT)
Prior art keywords
list
services
cell
counter
area identity
Prior art date
Application number
PCT/US2017/059569
Other languages
French (fr)
Inventor
Robert Zaus
Original Assignee
Intel IP Corporation
Application filed by Intel IP Corporation
Publication of WO2018085427A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/73 Access point logical identity

Definitions

  • 3GPP networks as described by A Shaik et al. may be successful because according to 3GPP Technical Specification (TS) 24.301, the user equipment (UE) needs to react on the tracking area update (TAU) Reject message even if the message is not integrity protected.
  • UE behavior was specified that way because for certain use cases, for example Evolved Packet System (EPS) Mobility Management (EMM) cause #8 "EPS services and non-EPS services not allowed" or cause #11 for a Public Land Mobile Network (PLMN) "PLMN not allowed", it is not possible to protect the message in a genuine network because there is no integrity key (IK) shared by the UE and the network.
  • EPS Evolved Packet System
  • EMM EPS Mobility Management
  • PLMN Public Land Mobile Network
  • the Reject message with EMM cause #8 "EPS services and non-EPS services not allowed" indicates that the subscriber does not have a valid subscription for packet-switched (PS) and circuit-switched (CS) services. Therefore, the network also does not have any security credentials stored in the Authentication Center (AuC), and security including integrity protection of signaling messages cannot be started.
  • the Reject message with EMM cause #11 "PLMN not allowed" indicates that the operator of the visited PLMN (VPLMN) does not have a roaming agreement with the operator of the subscriber's home PLMN (HPLMN). For that case, the HPLMN will not provide any security vectors to the VPLMN, and again security cannot be started.
  • the corresponding attack may be started using a routing area update (RAU) Reject message with General Packet Radio Service (GPRS) Mobility Management (GMM) cause #8 "GPRS services and non-GPRS services not allowed" or cause #11 "PLMN not allowed".
  • RAU routing area update
  • GPRS General Packet Radio Service
  • GMM GPRS Mobility Management
  • 3GPP CT1 agreed a set of change requests (CRs) for the Release 13 versions of 3GPP TS 24.301 and 3GPP TS 24.008 specifying new UE requirements for the case when a non-access stratum (NAS) request message is answered by the network with a NAS reject message that is not integrity protected.
  • NAS non-access stratum
  • CT1 had to take into account that the UE can receive the unprotected Reject message also from a genuine network, and for such a case the reasons for the original UE requirements, to protect the network and the UE from the unnecessary signaling which only causes a waste of radio resources and a power drain on the UE side, are still valid and should be taken into account.
  • a general mechanism used for the new requirements in 3GPP TS 24.008/24.301 is that the UE starts a timer T3247 with a random value between 30 and 60 minutes, and upon expiry of T3247 the UE revokes the actions it performed due to the receipt of the reject message. For example, if upon receipt of the reject message the USIM was set to invalid for GPRS and non-GPRS services, then upon expiry of T3247 the USIM is reset to valid again; or if the location area identity (LAI) of the cell where the reject message was received was added to a list of "forbidden location areas for roaming", then the LAI is removed again from that list, and so on.
  • LAI location area identity
  • SIM Subscriber Identity Module
  • USIM Universal Subscriber Identity Module
  • the solution in 3GPP TS 24.008 also specifies an implementation option which uses two additional counters, one for the CS domain and one for the PS domain.
  • the CS counter counts how often the UE receives a Location Updating Reject message which causes the USIM to become invalid for non-GPRS services without receiving a Location Updating Accept message in between.
  • the UE finally deems that the network sending the reject messages is genuine assuming that a false NodeB or false eNodeB attack would be of limited duration, shorter than "max. value x 30 minutes", and the USIM is no longer reset to valid when the timer T3247 expires.
  • the PS counter counts the number of Attach/TAU/RAU Reject messages which cause the USIM to be set invalid for GPRS services or GPRS and non-GPRS services.
  • a UE implementing Release 12 or an earlier version of the 3GPP standards will set the USIM invalid for CS services for the former case or invalid for PS services for the latter case, but in a genuine network the UE will still be able to receive services via the other domain, the PS domain or CS domain, respectively.
  • a fake NodeB in the UTRAN could wait for the UE to first perform a location update and then a routing area update, and answer to both requests with reject messages with the appropriate cause value, thus preventing the UE from getting any CS or PS services.
  • FIG. 1 is a diagram of a user equipment (UE) having independent subscriptions for access to both a circuit-switched (CS) domain and a packet-switched (PS) domain in accordance with one or more embodiments;
  • UE user equipment
  • FIG. 2 is a diagram illustrating a security attack in a Third Generation Partnership Project (3GPP) network and the related UE reactions of a UE without any counter measures to the attack in accordance with one or more embodiments;
  • 3GPP Third Generation Partnership Project
  • FIG. 3 is a diagram illustrating an approach to defending a security attack for a 3GPP network in accordance with one or more embodiments;
  • FIG. 4A and FIG. 4B show a diagram illustrating an approach to defending a security attack in a 3GPP network wherein the CS domain and the PS domain may be handled separately in accordance with one or more embodiments;
  • FIG. 5 illustrates an architecture of a system of a network in accordance with one or more embodiments
  • FIG. 6 illustrates example components of a device in accordance with one or more embodiments.
  • FIG. 7 illustrates example interfaces of baseband circuitry in accordance with one or more embodiments.
  • network 100 may comprise Universal Terrestrial Radio Access Network (UTRAN) 110 and core network (CN) 112.
  • UTRAN 110 may include a Node B 116 to provide base station access to network 100 for one or more user equipment (UE) 114 devices.
  • UTRAN 110 also may include a radio network controller (RNC) 118 to couple the UTRAN 110 to the core network 112.
  • RNC radio network controller
  • Core network 112 in turn may comprise a mobile switching center (MSC) server 120 that also may provide visitor location register (VLR) functionality to allow UE 114 to connect to a circuit-switched (CS) domain 122 via network 100.
  • core network 112 may comprise serving General Packet Radio Service (GPRS) support node (SGSN) 124 to allow UE 114 to connect to a packet-switched (PS) domain 126 via network 100.
  • GPRS General Packet Radio Service
  • SGSN serving GPRS support node
  • PS packet-switched
  • the UE 114 may have independent subscriptions for both the CS domain 122 and the PS domain 126.
  • FIG. 2, a diagram illustrating a security attack in a Third Generation Partnership Project (3GPP) network and the related UE reactions of a UE without any counter measures to the attack in accordance with one or more embodiments, will be discussed.
  • 3GPP Third Generation Partnership Project
  • UE 114 may send a location updating request 212 to a false NodeB 210.
  • the false NodeB 210 may be disposed in a location closer to the UE 114 than a legitimate NodeB 116.
  • the signal from false NodeB 210 may be stronger and/or of better quality than the signal from NodeB 116, therefore the UE 114 may attempt to attach to false NodeB 210 via a location updating request message 212 for the CS domain, or with an attach or routing area update (RAU) request message 218 for the PS domain.
  • RAU routing area update
  • the false NodeB 210 causes the security attack on UE 114 by causing UE 114 to connect with the false NodeB 210 rather than to a legitimate NodeB 116 of the network 100 which is shown in FIG. 1.
  • the false NodeB 210 may send a location updating reject message 214 to UE 114 with Mobility Management (MM) cause #2 for the International Mobile Subscriber Identity (IMSI) number not being known in the home location register (HLR) "IMSI UNKNOWN IN HLR".
  • MM Mobility Management
  • IMSI International Mobile Subscriber Identity
  • HLR home location register
  • The USIM of the UE 114 is then set as invalid for non-GPRS services at operation 216, i.e. invalid for the CS domain 122.
  • the UE 114 will no longer attempt to access the CS domain until the UE is switched off and on again or the USIM is removed.
  • the false NodeB 210 responds to UE 114 with an attach/RAU reject message 220 with General Packet Radio Service (GPRS) Mobility Management (GMM) cause #7 for GPRS services "GPRS SERVICES NOT ALLOWED".
  • GPRS General Packet Radio Service
  • GMM General Packet Radio Service Mobility Management
  • the USIM of the UE 114 is then set as invalid for GPRS services, i.e. invalid for the PS domain 126.
  • the UE 114 will no longer attempt to access the PS domain until the UE is switched off and on again or the USIM is removed.
  • the false NodeB 210 may cause UE 114 to attach to the false NodeB 210, reject attach and set the USIM of the UE 114 invalid for both CS domain calls and for PS domain calls, e.g. Voice over Internet Protocol (IP) Multimedia Subsystem (IMS) calls, thereby preventing the UE 114 from receiving any calls.
  • IP Internet Protocol
  • IMS IP Multimedia Subsystem
  • FIG. 3 shows a security attack and the related UE reactions of a UE implemented according to 3GPP Release 13.
  • the UE 114 may send a Location Updating Request message 310 to a false NodeB 210.
  • Upon receipt of the Location Updating Reject message 312 with MM cause #2 "IMSI UNKNOWN IN HLR", the UE 114 starts timer T3247, if not already running, increments the CS counter by 1, and searches for a cell in another location or tracking area at procedure 314.
  • the UE 114 then sends a Location Updating Request message 316 to a genuine NodeB 116, and the Location Updating Request message is forwarded to MSC 120 for processing.
  • the MSC 120 then sends a Location Updating Accept message 320 to the genuine NodeB 116, which in turn sends a Location Updating Accept message 322 to UE 114.
  • the UE resets the CS counter to 0 at process 324. Due to better radio conditions with the false NodeB 210, the UE 114 then may reselect to the original cell served by the false NodeB 210 at process 326 by sending another Location Updating Request message 328 to the false NodeB 210.
  • After rejection by the false NodeB 210 with Location Updating Reject message 330, the UE 114 starts the next location update attempt with the genuine NodeB 116, and so on, thereby causing the UE 114 to "ping-pong" between the false NodeB 210 and the genuine NodeB 116.
  • the UE may have three options.
  • the UE 114 does not implement the CS counter, or PS counter, as mentioned above.
  • Upon receipt of a reject message with the appropriate cause, the UE 114 starts timer T3247, if not running, and sets the USIM invalid for GPRS or non-GPRS services or both. The UE 114 then resets the USIM to valid for GPRS and non-GPRS services each time the timer T3247 expires.
  • Option 1 ensures that the UE 114 will recover from a security attack after 30 to 60 minutes, but on the other hand, for example if the user does not have a subscription for PS services, then in a genuine network 100 the UE 114 will attempt to attach for PS services every 30 to 60 minutes until the UE 114 is switched off or runs out of battery power.
  • Option 2 is similar to Option 1, but the UE 114 implements the CS counter and PS counter as mentioned above. In a genuine network, for example if the UE 114 does not have a subscription for PS services, after some time it will stop sending further attach requests.
  • In Option 3, the UE implements the CS counter and the PS counter, but upon receiving the reject message the UE 114 will not set the USIM invalid. Instead, for example if the UE 114 receives a Location Updating Reject message with MM cause #2, the UE 114 will perform the following actions: If the CS counter is smaller than the maximum value, the UE shall:
  • LAI Location Area Identity
  • TMSI Temporary Mobile Subscriber Identity
  • ciphering key sequence number stored in the SIM/USIM, reset the location update attempt counter, and set the update status to ROAMING NOT ALLOWED, and store it in the SIM/USIM according to sub clause 4.1.2.2;
  • the UE shall:
  • the purpose of the operation "search for a suitable cell in another location area or a tracking area” is that the UE 114 leaves its current cell or first cell which is potentially operated by a fake NodeB 210 and attempts to get CS services in another cell.
  • One problem with this approach is that, even if at its current geographical location, the UE 114 finds a suitable cell in another location area or tracking area, and performs a successful location update, or a combined attach or tracking area update via that cell, the UE 114 then may quickly reselect to the first cell, for example if the radio conditions for the first cell are better. In the first cell, the UE 114 will then initiate another location update procedure and receive another reject message with cause #2.
  • the UE 114 will increment the CS counter for each Location Updating Reject message received from the false NodeB 210, but then the UE 114 will reset the CS counter when it reselects to a genuine network cell served by a genuine NodeB 116 and receives a Location Updating Accept message via that cell.
  • the reselection, or "ping-pong”, back and forth between fake cell and the genuine cell can go on forever, and the UE 114 will spend roughly about half of the time in the false cell and not be able to use CS services. This means the security attack remains effective as long as the false NodeB 210 is in operation, and it cannot be guaranteed that with Option 3 the subscriber will get better service than with Option 1 or Option 2.
  • the UE 114 will increment the CS counter for each Location Updating Reject message received. When the counter reaches its maximum value, which can occur within a short time, as the UE 114 may quickly reselect, or "ping-pong", between the first cell and a second cell where it will also receive Location Updating Reject messages, the UE 114 will finally set the USIM invalid for CS services and refrain from further location update attempts.
  • In Option 4, which in contrast to the other options is not described in 3GPP TS 24.008, in addition to the requirements of Option 3, before searching for a suitable cell in another location area or a tracking area, the UE 114 adds the Location Area Identity (LAI) of the cell where the reject message was received to the list of "forbidden location areas for roaming".
  • LAI Location Area Identity
  • If the reject message was sent by a false NodeB 210, adding the LAI to the list of "forbidden location areas for roaming" may prevent the UE 114 from getting into the ping-pong situation.
  • After selecting a genuine, suitable cell belonging to another location area and performing a successful location update, the UE 114 will not be able to reselect immediately to the original UTRAN cell because cells belonging to one of the "forbidden location areas for roaming" are considered unsuitable for cell selection and cell reselection. Only when T3247 expires will the UE 114 erase the list of "forbidden location areas for roaming", and the original cell will become suitable again.
  • One disadvantage of Option 4 is that for the case where the UE 114 is in a genuine network 100 and the UE 114 only has a subscription for one of the two domains, the UE 114 may not be able to receive services for any of the two domains for a long time. The reason for this is that when the UE 114 selects a suitable cell of another location area, the UE 114 will again attempt to register there for both domains. Since the UE 114 has a subscription for only one of the two domains, the UE 114 will again receive a reject message for the other domain and will have to add also the new location area to the list of "forbidden location areas for roaming".
  • the UE 114 sets the USIM invalid for the respective domain and can receive services for the other domain. In the worst case it may take several hours until the UE 114 reaches this status. In one exception, the UE 114 may be able to find a short cut to this procedure if the UE 114 has a subscription for PS services only and the network supports the use of combined GMM/EMM procedures.
  • the network 100 will respond to the combined Attach/RAU/TAU Request message with an Attach/RAU/TAU Accept message with GMM/EMM cause #2 "IMSI unknown in HLR" with integrity protection, thus accepting the request for the PS domain only and informing the UE 114 that it does not have a subscription for CS services.
  • any Accept message needs to be integrity protected, and consequently the UE 114 will be able to verify that the information about the lack of a CS subscription is provided by a genuine network.
  • FIG. 4A and FIG. 4B, a diagram illustrating an approach to defending a security attack in a 3GPP network wherein the CS domain and the PS domain may be handled separately in accordance with one or more embodiments, will be discussed.
  • FIG. 4A and FIG. 4B show a process 400 of defending a security attack and the related UE reactions of a UE 114 according to a variant of Option 1 as discussed above in combination with a variant Option 3 or Option 4.
  • UE 114 sends a Location Updating Request message 410 to false NodeB 210, and false NodeB 210 replies with a Location Updating Reject message without integrity protection 412. If the UE 114 receives the Location Updating Reject message 412 with MM cause #2 without integrity protection, UE 114 starts timer T3247 at operation 414, if not already running, increments the CS counter by 1, adds LAI to the list of "LAs forbidden for CS services", and searches for another suitable cell.
  • If the UE 114 finds such a cell, it selects the cell, served by a genuine NodeB 116, where the next location update attempt is successful via Location Updating Request message, Location Updating Request message 418, Location Updating Accept message 420, and Location Updating Accept message 422.
  • the CS counter may then be reset to 0 at procedure 424.
  • the UE 114 also performs a successful attach or routing area updating procedure for PS services via Attach/RAU Request message 426, Attach/RAU Request message 428, Attach/RAU Accept message 430, Attach/RAU Accept message 432, Attach/RAU Complete message 434, and Attach/RAU Complete message 436.
  • the UE 114 may reselect to the original cell served by the false NodeB 210 at procedure 438 in FIG. 4B. As that particular cell belongs to a location area included in the list of "LAs forbidden for CS services", the UE 114 does not start a location update, but only a routing area update by sending Attach/RAU Request Message 440.
  • When this routing area update is rejected by the false NodeB 210, which sends an Attach/RAU Reject message without integrity protection 442 to UE 114, the UE 114 starts timer T3247 if not running, increments the PS counter by 1, adds the location area identity LAI to the list of "LAs forbidden for roaming" which makes the cell "unsuitable", and then searches for a suitable cell at process 444. When the UE 114 finds such a suitable cell, the UE 114 initiates another location update procedure 446, similar to operations 3 to operations 6 as shown in FIG. 4A, and another attach procedure 448, similar to operations 7 to operations 12 as shown in FIG. 4A.
  • the UE 114 will then not reselect back to the false UTRAN cell, because the location area identity of that cell is included in the list of "LAs forbidden for roaming". Only when the timer T3247 expires, for example after 30 minutes to 60 minutes, and the UE 114 erases the list of "LAs forbidden for roaming", the UE 114 may reselect back to the false UTRAN cell. By then, however, the false NodeB 210 may have already been removed from the network 100.
  • Option 1 to address a security attack from a false NodeB 210, one or more variants of Option 1, Option 2, and/or Option 3 as listed above may be implemented.
  • In Variant 1, the UE 114 may behave in a manner similar to Option 3, but with the following modifications.
  • the UE 114 maintains two lists comprising a first list of "forbidden location areas for non-GPRS services (i.e., CS services)" and a second list of "forbidden location areas for GPRS services (i.e., PS services)". Instead of searching for a suitable cell in another location area or tracking area, the UE 114 behaves as follows.
  • When the UE 114 receives a reject message which causes the UE to set the USIM invalid for one of the two domains, either the CS domain or the PS domain, the UE 114 checks whether the LAI of the cell where the UE 114 received the reject message is already included in the domain-specific list of forbidden location areas for the other domain. If not, then the UE 114 adds the LAI to the domain-specific list of forbidden location areas for the domain for which the reject was received. Additionally, the UE 114 stays on the current cell, attempts to register for the other domain if not done already, and to receive services via that other domain.
  • Otherwise, the UE 114 adds the LAI to the list of "forbidden location areas for roaming". Additionally, the UE 114 searches for a suitable cell in another location area or a tracking area. This list of "forbidden location areas for roaming" is applicable to both domains. A cell belonging to any of the location areas stored in that list is considered by the UE as "not suitable", i.e., unsuitable, for cell selection/re-selection, and the UE 114 will try to avoid this cell as long as it can find another, suitable cell.
  • the UE 114 maintains a first list of "forbidden cells for non-GPRS services (i.e., CS services)" and a second list of "forbidden cells for GPRS services (i.e., PS services)".
  • CS services non-GPRS services
  • PS services GPRS services
  • the UE 114 checks whether the cell ID of the cell where the UE 114 received the reject message is already included in the domain-specific list of forbidden cells for the other domain. If not, then the UE 114 adds the cell ID to the domain-specific list of forbidden cells for the domain for which the reject was received.
  • the UE 114 stays on the current cell, attempts to register for the other domain if not done already, and to receive services via that other domain. Otherwise, if the UE 114 is now barred from receiving any services via the cell, then the UE 114 requests its access stratum (AS) to bar the cell for a certain time and search for a suitable cell. If the cell is barred, it is not considered as "suitable", and the UE 114 is not permitted to select/re-select this cell, not even for emergency calls.
  • AS access stratum
  • Variant 3 which may be combined with Variant 1 or Variant 2
  • the UE 114 additionally attempts to search for another suitable cell which may belong to the same location area.
  • the objective in this embodiment is to have the UE 114 leave the fake UTRAN cell of false NodeB 210 if possible and receive services via a genuine cell of a genuine NodeB 116.
  • Variant 4 which may be combined with Variant 1 or Variant 2
  • the UE 114 additionally attempts to search for a suitable cell in another location or tracking area.
  • the objective in this embodiment is to have the UE 114 leave the fake UTRAN cell of false NodeB 210 if possible and receive services for both domains via a genuine cell of genuine NodeB 116.
  • one advantage of the embodiments shown in and described with respect to FIG. 4A and FIG. 4B is that the UE 114 does not set the USIM invalid for one domain. For example, if the reject for the PS domain was sent by a false NodeB 210, the UE 114 is not completely barred from receiving any PS services during the next 30 to 60 minutes, but it can receive PS services if it succeeds in finding a genuine cell of a genuine NodeB 116.
  • an additional advantage of the embodiments shown in and described with respect to FIG. 4A and FIG. 4B may be as follows.
  • the reject is genuine, that is if the UE 114 has a subscription for one domain only, then due to the maintenance of the counters for the CS domain and the PS domain, after a certain number of attempts the UE 114 refrains from further registration attempts for the respective domain.
  • another advantage of embodiments described herein is that the UE 114 is still able to camp on the original cell and receive services for the other domain, if the cell is the only one available to the UE 114. If the reject is received from a genuine NodeB 116, then compared to Option 3 the embodiments described herein reduce the amount of new registration attempts, as the UE 114 is allowed to stay on the current cell and receive services for the other domain.
  • the embodiments shown in and described with respect to FIG. 4A and FIG. 4B avoid the selection of another cell where additional registration attempts for both domains need to be performed. Instead, the UE 114 accepts the limitation to services from one domain until it leaves the current location area or the timer T3247 expires. Especially for the case that the reject is received from a genuine NodeB 116, this means that the UE 114 can immediately use services via the other domain, whereas for Option 4 the UE 114 will not be able to receive any services until the counter for the domain for which the UE 114 does not have a subscription reaches its maximum value which for example could take several hours.
  • Variant 1 a whole location area could be affected. If the UE 114 succeeds in finding a genuine neighbor cell, the UE 114 can receive services for both domains there whereas for Variant 1 the UE 114 will need to find a genuine neighbor cell in another location area. Generally, however, if the UE 114 receives a reject message without integrity protection, the UE 114 may attempt to select a cell different from the current cell, because if the current cell is a false and/or malicious cell, then that cell should not be used for services via the other domain. Therefore, Variant 1 or Variant 2 could be combined with Variant 3 or Variant 4 in one or more embodiments, although the scope of the claimed subject matter is not limited in this respect.
  • Variant 1 or Variant 2 may be combined with Variant 3 or Variant 4 when the UE 114 is additionally required to search another suitable cell as in Variant 3, or a suitable cell in another location area or tracking area as Variant 4.
  • the UE 114 may be particularly effective for the case of a false NodeB 210 attack because only a single cell is marked as forbidden. If the reject is sent by a genuine NodeB 116, if the subscriber indeed has a subscription for one domain only, for Variant 2 the UE 114 will attempt registration in more cells in its neighborhood until all of them have been added to one of the forbidden lists and the UE 114 can remain on a cell and receive services for the other domain there. In some instances, the probability for a false NodeB 210 attack using MM cause #2 or GMM cause #7 may be smaller than the probability that the subscriber indeed has a subscription for CS services or PS services only. In such embodiments, the combination of Variant 1 with Variant 3 or Variant 4 may be applied, although the scope of the claimed subject matter is not limited in this respect.
  • the following changes may be implemented to 3GPP TS 24.008 to realize the embodiments described herein with the changes being marked with underline and/or strikethrough, and ellipses "..." indicating where text from 3GPP TS 24.008 was omitted.
  • This subclause specifies the requirements for an MS that is not configured to use timer T3245 (see 3GPP TS 24.368 [135] or 3GPP TS 31.102 [112]) and receives a LOCATION UPDATING REJECT, CM SERVICE REJECT, ABORT, ATTACH REJECT, ROUTING AREA UPDATE REJECT or SERVICE REJECT message without integrity protection.
  • the MS may maintain a list of PLMN-specific attempt counters and a list of PLMN-specific PS-attempt counters. The maximum number of possible entries in each list is implementation dependent.
  • the MS may maintain one counter for "SIM/USIM considered invalid for non-GPRS services" events and one counter for "SIM/USIM considered invalid for GPRS services" events.
  • the MS may also maintain a list of "forbidden location areas for non-GPRS services" and a list of "forbidden location areas for GPRS services". If the MS is in a location area which is included in the list of "forbidden location areas for non-GPRS services", the MS shall not initiate any MM procedure. If the MS is in a location area which is included in the list of "forbidden location areas for GPRS services", the MS shall not initiate any GMM procedure.
  • the MS shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running, and take the following actions:
  • the MS shall:
  • SIM/USIM reset the location update attempt counter, and set the update status to ROAMING NOT ALLOWED (and store it in the SIM/USIM according to subclause 4.1.2.2);
  • the MS shall delete any LAI, TMSI and ciphering key sequence number stored in the SIM/USIM, reset the location update attempt counter, and set the update status to ROAMING NOT ALLOWED (and store it in the SIM/USIM according to subclause 4.1.2.2). Additionally, the MS shall reset the location update attempt counter. The MS shall store the current LAI in the list of "forbidden location areas for roaming"; and
  • the MS shall search for a suitable cell in another location area or a tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121]; and 5) if the MM cause value received is #11 and if the MS is not in its HPLMN or in a
  • the MS shall increment the PLMN-specific attempt counter for the PLMN.
  • the MS shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running, and
  • the MS shall:
  • the MS shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running, and shall take the following actions:
  • the MS shall:
  • MS shall proceed as specified in subclause 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4;
  • the MS shall:
  • the MS shall set the GPRS update status to GU3 ROAMING NOT ALLOWED (and shall store it according to subclause 4.1.3.2) and shall delete any RAI, P-TMSI, P-TMSI signature and GPRS ciphering key sequence number.
  • the MS shall delete the list of equivalent PLMNs. Additionally, if a GPRS attach or the routing area updating procedure was performed, the MS shall reset the GPRS attach attempt counter or the routing area updating attempt counter respectively;
  • the MS shall store the current LAI in the list of "forbidden location areas for roaming", and enter the state GMM-DEREGISTERED.LIMITED-SERVICE;
  • the MS shall handle the EMM parameters EMM state, EPS update status, GUTI, last visited registered TAI, TAI list, KSI and attach attempt counter or tracking area updating attempt counter as specified in 3GPP TS 24.301 [120] for the case when the procedure is rejected with the EMM cause with the same value without integrity protection; and
  • the MS shall search for a suitable cell in another location area or in another tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121].
  • the MS shall additionally proceed as specified in subclauses 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4:
  • PLMN-specific attempt counter for the PLMN sending the reject message has a value less than an MS implementation-specific maximum value, the MS shall increment the PLMN-specific attempt counter for the PLMN.
  • the MS shall additionally proceed as specified in subclauses 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, and 4.7.5.2.4:
  • the MS shall increment the PLMN-specific PS-attempt counter for the PLMN.
  • the MS shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running, and proceed as specified under items 6, 7, 8, 9 and 10 above.
  • SIM/USIM set the SIM/USIM to valid for non-GPRS services, if the MS does not maintain a counter for "SIM/USIM considered invalid for non-GPRS services" events; or
  • the MS maintains a counter for "SIM/USIM considered invalid for non-GPRS services" events and this counter has a value less than an MS implementation-specific maximum value.
  • the MS maintains a counter for "SIM/USIM considered invalid for GPRS services" events and this counter has a value less than an MS implementation-specific maximum value.
  • erase the list of "forbidden location areas for non-GPRS services" and the list of
  • the MS re-enables the E-UTRA capability as specified in 3GPP TS 24.301 [120] for the case when timer T3247 expires;
  • When the MS is switched off, the MS shall, for each PLMN-specific attempt counter that has a value greater than zero and less than the MS implementation-specific maximum value, remove the respective PLMN from the forbidden PLMN list. When the SIM/USIM is removed, the MS should perform this action.
  • a LOCATION UPDATING ACCEPT message is transferred to the mobile station. If the MS receives the LOCATION UPDATING ACCEPT message from a PLMN for which a PLMN-specific attempt counter or PLMN-specific PS-attempt counter is maintained (see subclause 4.1.1.6A), then the MS shall reset these counters. If the MS maintains a counter for "SIM/USIM considered invalid for non-GPRS services", then the MS shall reset this counter.
  • 4.7.3.1.3 GPRS attach accepted by the network
  • During an attach for emergency bearer services, if not restricted by local regulations, the network shall not check for mobility and access restrictions, regional restrictions, subscription restrictions, or perform CSG access control when processing the ATTACH REQUEST message. The network shall not apply subscribed APN based congestion control during an attach procedure for emergency bearer services.
  • the MS shall reset these counters. If the MS maintains a counter for "SIM/USIM considered invalid for GPRS services", then the MS shall reset this counter.
  • a ROUTING AREA UPDATE ACCEPT message shall be sent to the MS.
  • the network may assign a new P-TMSI and/or a new P-TMSI signature for the MS. If a new P-TMSI and/or P-TMSI signature have been assigned to the MS, it/they shall be included in the ROUTING AREA UPDATE ACCEPT message together with the routing area identification.
  • In a shared network, if the MS is a network sharing supporting MS, the network shall indicate the PLMN identity of the CN operator that has accepted the routing area updating request in the RAI contained in the ROUTING AREA UPDATE ACCEPT message; if the MS is a network sharing non-supporting MS, the network shall indicate the PLMN identity of the common PLMN (see 3GPP TS 23.251 [109]).
  • the MS shall reset these counters. If the MS maintains a counter for "SIM/USIM considered invalid for GPRS services", then the MS shall reset this counter.
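
The handling of unprotected reject messages specified above, modelled as a small state machine. This is an added example, not text from the application or from 3GPP TS 24.008; `MsState`, `MAX_COUNT`, the PLMN and location area labels, and the mapping of MM cause #2, GMM cause #7 and cause #11 to actions are assumptions made for illustration.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

CS, PS = "non-GPRS", "GPRS"        # the two service domains named in the text
T3247_RANGE_MIN = (30.0, 60.0)     # T3247 start value range, in minutes
MAX_COUNT = 3                      # stands in for the "MS implementation-specific maximum value"
# Assumption: MM cause #2 (CS) and GMM cause #7 (PS) are the rejects that
# populate the per-domain forbidden location area lists.
DOMAIN_CAUSE = {(CS, 2), (PS, 7)}


@dataclass
class MsState:
    rng: random.Random = field(default_factory=random.Random)
    forbidden_la: dict = field(default_factory=lambda: {CS: set(), PS: set()})
    forbidden_plmns: set = field(default_factory=set)
    plmn_attempts: dict = field(default_factory=dict)  # PLMN -> attempt counter
    t3247_expiry: Optional[float] = None               # None means "not running"

    def may_initiate(self, domain, lai):
        """MM (CS) or GMM (PS) procedures are barred only in LAs forbidden for that domain."""
        return lai not in self.forbidden_la[domain]

    def on_unprotected_reject(self, domain, cause, plmn, lai, now):
        """Handle a reject message received without integrity protection."""
        # Start T3247 only if it is not running: repeated rejects cannot extend it.
        if self.t3247_expiry is None:
            self.t3247_expiry = now + self.rng.uniform(*T3247_RANGE_MIN)
        if (domain, cause) in DOMAIN_CAUSE:
            self.forbidden_la[domain].add(lai)
        elif cause == 11:  # assumption: PLMN-wide reject, tracked per PLMN
            self.forbidden_plmns.add(plmn)
            count = self.plmn_attempts.get(plmn, 0)
            if count < MAX_COUNT:  # counter saturates at the maximum
                self.plmn_attempts[plmn] = count + 1

    def on_accept(self, plmn):
        """An ACCEPT message from the PLMN resets its counter."""
        self.plmn_attempts.pop(plmn, None)

    def tick(self, now):
        """On T3247 expiry, erase both forbidden location area lists."""
        if self.t3247_expiry is None or now < self.t3247_expiry:
            return False
        self.t3247_expiry = None
        for las in self.forbidden_la.values():
            las.clear()
        return True

    def on_switch_off(self):
        """Un-forbid PLMNs whose counter is above zero but below the maximum."""
        for plmn, count in self.plmn_attempts.items():
            if 0 < count < MAX_COUNT:
                self.forbidden_plmns.discard(plmn)


def simulate_false_cell(seed=1):
    """Constructed scenario: a false cell in LA 'la-rogue' rejects CS registration twice."""
    ms = MsState(rng=random.Random(seed))
    ms.on_unprotected_reject(CS, 2, "001-01", "la-rogue", now=0.0)
    first_expiry = ms.t3247_expiry
    ms.on_unprotected_reject(CS, 2, "001-01", "la-rogue", now=10.0)
    return {
        "timer_unchanged": ms.t3247_expiry == first_expiry,
        "expiry_in_range": 30.0 <= first_expiry <= 60.0,
        "cs_barred_in_rogue_la": not ms.may_initiate(CS, "la-rogue"),
        "ps_allowed_in_rogue_la": ms.may_initiate(PS, "la-rogue"),
        "cs_allowed_elsewhere": ms.may_initiate(CS, "la-genuine"),
        "expired_at_60": ms.tick(60.0),
        "cs_allowed_after_expiry": ms.may_initiate(CS, "la-rogue"),
    }


if __name__ == "__main__":
    for name, value in simulate_false_cell().items():
        print(f"{name}: {value}")
```

In the constructed scenario the unprotected reject bars one domain in one location area only, and a second reject cannot push T3247 beyond its first start value.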
  • FIG. 5 illustrates an architecture of a system 500 of a network in accordance with some embodiments.
  • the system 500 is shown to include a user equipment (UE) 501 and a UE 502.
  • the UEs 501 and 502 are illustrated as smartphones (e.g., handheld touchscreen mobile computing devices connectable to one or more cellular networks), but may also comprise any mobile or non-mobile computing device, such as Personal Data Assistants (PDAs), pagers, laptop computers, desktop computers, wireless handsets, or any computing device including a wireless communications interface.
  • any of the UEs 501 and 502 can comprise an Internet of Things (IoT) UE, which can comprise a network access layer designed for low-power IoT applications utilizing short-lived UE connections.
  • An IoT UE can utilize technologies such as machine-to-machine (M2M) or machine-type communications (MTC) for exchanging data with an MTC server or device via a public land mobile network (PLMN), Proximity-Based Service (ProSe) or device-to-device (D2D) communication, sensor networks, or IoT networks.
  • M2M or MTC exchange of data may be a machine-initiated exchange of data.
  • An IoT network describes interconnecting IoT UEs, which may include uniquely identifiable embedded computing devices (within the Internet infrastructure), with short-lived connections.
  • the IoT UEs may execute background applications (e.g., keep-alive messages, status updates, etc.) to facilitate the connections of the IoT network.
  • the UEs 501 and 502 may be configured to connect, e.g., communicatively couple, with a radio access network (RAN) 510.
  • the RAN 510 may be, for example, an Evolved Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (E-UTRAN), a NextGen RAN (NG RAN), or some other type of RAN.
  • the UEs 501 and 502 utilize connections 503 and 504, respectively, each of which comprises a physical communications interface or layer (discussed in further detail below); in this example, the connections 503 and 504 are illustrated as an air interface to enable communicative coupling, and can be consistent with cellular communications protocols, such as a Global System for Mobile Communications (GSM) protocol, a code-division multiple access (CDMA) network protocol, a Push-to-Talk (PTT) protocol, a PTT over Cellular (POC) protocol, a Universal Mobile Telecommunications System (UMTS) protocol, a 3GPP Long Term Evolution (LTE) protocol, a fifth generation (5G) protocol, a New Radio (NR) protocol, and the like.
  • the UEs 501 and 502 may further directly exchange communication data via a ProSe interface 505.
  • the ProSe interface 505 may alternatively be referred to as a sidelink interface comprising one or more logical channels, including but not limited to a Physical Sidelink Control Channel (PSCCH), a Physical Sidelink Shared Channel (PSSCH), a Physical Sidelink Discovery Channel (PSDCH), and a Physical Sidelink Broadcast Channel (PSBCH).
  • the UE 502 is shown to be configured to access an access point (AP) 506 via connection 507.
  • the connection 507 can comprise a local wireless connection, such as a connection consistent with any IEEE 802.11 protocol, wherein the AP 506 would comprise a wireless fidelity (WiFi®) router.
  • the AP 506 is shown to be connected to the Internet without connecting to the core network of the wireless system (described in further detail below).
  • the RAN 510 can include one or more access nodes that enable the connections 503 and 504. These access nodes (ANs) can be referred to as base stations (BSs), NodeBs, evolved NodeBs (eNBs), next Generation NodeBs (gNB), RAN nodes, and so forth, and can comprise ground stations (e.g., terrestrial access points) or satellite stations providing coverage within a geographic area (e.g., a cell).
  • the RAN 510 may include one or more RAN nodes for providing macrocells, e.g., macro RAN node 511, and one or more RAN nodes for providing femtocells or picocells (e.g., cells having smaller coverage areas, smaller user capacity, or higher bandwidth compared to macrocells), e.g., low power (LP) RAN node 512.
  • any of the RAN nodes 511 and 512 can terminate the air interface protocol and can be the first point of contact for the UEs 501 and 502.
  • any of the RAN nodes 511 and 512 can fulfill various logical functions for the RAN 510 including, but not limited to, radio network controller (RNC) functions such as radio bearer management, uplink and downlink dynamic radio resource management and data packet scheduling, and mobility management.
  • the UEs 501 and 502 can be configured to communicate using Orthogonal Frequency-Division Multiplexing (OFDM) communication signals with each other or with any of the RAN nodes 511 and 512 over a multicarrier communication channel in accordance with various communication techniques, such as, but not limited to, an Orthogonal Frequency-Division Multiple Access (OFDMA) communication technique (e.g., for downlink communications) or a Single Carrier Frequency Division Multiple Access (SC-FDMA) communication technique (e.g., for uplink and ProSe or sidelink communications), although the scope of the embodiments is not limited in this respect.
  • OFDM signals can comprise a plurality of orthogonal subcarriers.
  • a downlink resource grid can be used for downlink transmissions from any of the RAN nodes 511 and 512 to the UEs 501 and 502, while uplink transmissions can utilize similar techniques.
  • the grid can be a time-frequency grid, called a resource grid or time-frequency resource grid, which is the physical resource in the downlink in each slot.
  • a time-frequency plane representation is a common practice for OFDM systems, which makes it intuitive for radio resource allocation.
  • Each column and each row of the resource grid corresponds to one OFDM symbol and one OFDM subcarrier, respectively.
  • the duration of the resource grid in the time domain corresponds to one slot in a radio frame.
  • the smallest time-frequency unit in a resource grid is denoted as a resource element.
  • Each resource grid comprises a number of resource blocks, which describe the mapping of certain physical channels to resource elements.
  • Each resource block comprises a collection of resource elements; in the frequency domain, this may represent the smallest quantity of resources that currently can be allocated.
  • the physical downlink shared channel may carry user data and higher-layer signaling to the UEs 501 and 502.
  • the physical downlink control channel (PDCCH) may carry information about the transport format and resource allocations related to the PDSCH channel, among other things. It may also inform the UEs 501 and 502 about the transport format, resource allocation, and H-ARQ (Hybrid Automatic Repeat Request) information related to the uplink shared channel.
  • downlink scheduling (assigning control and shared channel resource blocks to the UE 102 within a cell) may be performed at any of the RAN nodes 511 and 512 based on channel quality information fed back from any of the UEs 501 and 502.
  • the downlink resource assignment information may be sent on the PDCCH used for (e.g., assigned to) each of the UEs 501 and 502.
  • the PDCCH may use control channel elements (CCEs) to convey the control information.
  • the PDCCH complex-valued symbols may first be organized into quadruplets, which may then be permuted using a sub-block interleaver for rate matching.
  • Each PDCCH may be transmitted using one or more of these CCEs, where each CCE may correspond to nine sets of four physical resource elements known as resource element groups (REGs).
  • QPSK Quadrature Phase Shift Keying
  • the PDCCH can be transmitted using one or more CCEs, depending on the size of the downlink control information (DCI) and the channel condition.
  • There can be four or more different PDCCH formats defined in LTE with different numbers of CCEs (e.g., aggregation level, L = 1, 2, 4, or 8).
  • Some embodiments may use concepts for resource allocation for control channel information that are an extension of the above-described concepts.
  • some embodiments may utilize an enhanced physical downlink control channel (EPDCCH) that uses PDSCH resources for control information transmission.
  • the EPDCCH may be transmitted using one or more enhanced control channel elements (ECCEs). Similar to above, each ECCE may correspond to nine sets of four physical resource elements known as enhanced resource element groups (EREGs). An ECCE may have other numbers of EREGs in some situations.
  • the RAN 510 is shown to be communicatively coupled to a core network (CN) 520 via an S1 interface 513.
  • the CN 520 may be an evolved packet core (EPC) network, a NextGen Packet Core (NPC) network, or some other type of CN.
  • the S1 interface 513 is split into two parts: the S1-U interface 514, which carries traffic data between the RAN nodes 511 and 512 and the serving gateway (S-GW) 522, and the S1-mobility management entity (MME) interface 515, which is a signaling interface between the RAN nodes 511 and 512 and MMEs 521.
  • the CN 520 comprises the MMEs 521, the S-GW 522, the Packet Data Network (PDN) Gateway (P-GW) 523, and a home subscriber server (HSS) 524.
  • the MMEs 521 may be similar in function to the control plane of legacy Serving General Packet Radio Service (GPRS) Support Nodes (SGSN).
  • the MMEs 521 may manage mobility aspects in access such as gateway selection and tracking area list management.
  • the HSS 524 may comprise a database for network users, including subscription-related information to support the network entities' handling of communication sessions.
  • the CN 520 may comprise one or several HSSs.
  • the HSS 524 can provide support for routing/roaming, authentication, authorization, naming/addressing resolution, location dependencies, etc.
  • the S-GW 522 may terminate the S1 interface 513 towards the RAN 510, and route data packets between the RAN 510 and the CN 520.
  • the S-GW 522 may be a local mobility anchor point for inter-RAN node handovers and also may provide an anchor for inter-3GPP mobility. Other responsibilities may include lawful intercept, charging, and some policy enforcement.
  • the P-GW 523 may terminate an SGi interface toward a PDN.
  • the P-GW 523 may route data packets between the EPC network 523 and external networks such as a network including the application server 530 (alternatively referred to as application function (AF)) via an Internet Protocol (IP) interface 525.
  • the application server 530 may be an element offering applications that use IP bearer resources with the core network (e.g., UMTS Packet Services (PS) domain, LTE PS data services, etc.).
  • the P-GW 523 is shown to be communicatively coupled to an application server 530 via an IP communications interface.
  • the application server 530 can also be configured to support one or more communication services (e.g., Voice-over-Internet Protocol (VoIP) sessions, PTT sessions, group communication sessions, social networking services, etc.) for the UEs 501 and 502 via the CN 520.
  • the P-GW 523 may further be a node for policy enforcement and charging data collection.
  • Policy and Charging Enforcement Function (PCRF) 526 is the policy and charging control element of the CN 520.
  • HPLMN Home Public Land Mobile Network
  • IP-CAN Internet Protocol Connectivity Access Network
  • V-PCRF Visited PCRF
  • VPLMN Visited Public Land Mobile Network
  • the PCRF 526 may be communicatively coupled to the application server 530 via the P-GW 523.
  • the application server 530 may signal the PCRF 526 to indicate a new service flow and select the appropriate Quality of Service (QoS) and charging parameters.
  • the PCRF 526 may provision this rule into a Policy and Charging Enforcement Function (PCEF) (not shown) with the appropriate traffic flow template (TFT) and QoS class of identifier (QCI), which commences the QoS and charging as specified by the application server 530.
  • FIG. 6 illustrates example components of a device 600 in accordance with some embodiments.
  • the device 600 may include application circuitry 602, baseband circuitry 604, Radio Frequency (RF) circuitry 606, front-end module (FEM) circuitry 608, one or more antennas 610, and power management circuitry (PMC) 612 coupled together at least as shown.
  • the components of the illustrated device 600 may be included in a UE or a RAN node.
  • the device 600 may include fewer elements (e.g., a RAN node may not utilize application circuitry 602, and instead include a processor/controller to process IP data received from an EPC).
  • the device 600 may include additional elements such as, for example, memory/storage, display, camera, sensor, or input/output (I/O) interface.
  • the components described below may be included in more than one device (e.g., said circuitries may be separately included in more than one device for Cloud-RAN (C-RAN) implementations).
  • the application circuitry 602 may include one or more application processors.
  • the application circuitry 602 may include circuitry such as, but not limited to, one or more single-core or multi-core processors.
  • the processor(s) may include any combination of general-purpose processors and dedicated processors (e.g., graphics processors, application processors, etc.).
  • the processors may be coupled with or may include memory/storage and may be configured to execute instructions stored in the memory/storage to enable various applications or operating systems to run on the device 600.
  • processors of application circuitry 602 may process IP data packets received from an EPC.
  • the baseband circuitry 604 may include circuitry such as, but not limited to, one or more single-core or multi-core processors.
  • the baseband circuitry 604 may include one or more baseband processors or control logic to process baseband signals received from a receive signal path of the RF circuitry 606 and to generate baseband signals for a transmit signal path of the RF circuitry 606.
  • Baseband processing circuitry 604 may interface with the application circuitry 602 for generation and processing of the baseband signals and for controlling operations of the RF circuitry 606.
  • the baseband circuitry 604 may include a third generation (3G) baseband processor 604A, a fourth generation (4G) baseband processor 604B, a fifth generation (5G) baseband processor 604C, or other baseband processor(s) 604D for other existing generations, generations in development or to be developed in the future (e.g., second generation (2G), sixth generation (6G), etc.).
  • the baseband circuitry 604 e.g., one or more of baseband processors 604A-D
  • baseband processors 604A-D may be included in modules stored in the memory 604G and executed via a Central Processing Unit (CPU) 604E.
  • the radio control functions may include, but are not limited to, signal modulation/demodulation, encoding/decoding, radio frequency shifting, etc.
  • modulation/demodulation circuitry of the baseband circuitry 604 may include Fast-Fourier Transform (FFT), precoding, or constellation mapping/demapping functionality.
  • encoding/decoding circuitry of the baseband circuitry 604 may include convolution, tail-biting convolution, turbo, Viterbi, or Low Density Parity Check (LDPC) encoder/decoder functionality.
  • the baseband circuitry 604 may include one or more audio digital signal processor(s) (DSP) 604F.
  • the audio DSP(s) 604F may include elements for compression/decompression and echo cancellation and may include other suitable processing elements in other embodiments.
  • Components of the baseband circuitry may be suitably combined in a single chip, a single chipset, or disposed on a same circuit board in some embodiments.
  • some or all of the constituent components of the baseband circuitry 604 and the application circuitry 602 may be implemented together such as, for example, on a system on a chip (SOC).
  • the baseband circuitry 604 may provide for communication compatible with one or more radio technologies.
  • the baseband circuitry 604 may support communication with an evolved universal terrestrial radio access network (EUTRAN) or other wireless metropolitan area networks (WMAN), a wireless local area network (WLAN), a wireless personal area network (WPAN).
  • Embodiments in which the baseband circuitry 604 is configured to support radio communications of more than one wireless protocol may be referred to as multi-mode baseband circuitry.
  • RF circuitry 606 may enable communication with wireless networks using modulated electromagnetic radiation through a non-solid medium.
  • the RF circuitry 606 may include switches, filters, amplifiers, etc. to facilitate the communication with the wireless network.
  • RF circuitry 606 may include a receive signal path which may include circuitry to down-convert RF signals received from the FEM circuitry 608 and provide baseband signals to the baseband circuitry 604.
  • RF circuitry 606 may also include a transmit signal path which may include circuitry to up-convert baseband signals provided by the baseband circuitry 604 and provide RF output signals to the FEM circuitry 608 for transmission.
  • the amplifier circuitry 606b may be configured to amplify the down-converted signals and the filter circuitry 606c may be a low-pass filter (LPF) or bandpass filter (BPF) configured to remove unwanted signals from the down-converted signals to generate output baseband signals.
  • Output baseband signals may be provided to the baseband circuitry 604 for further processing.
  • the output baseband signals may be zero-frequency baseband signals, although this is not a requirement.
  • mixer circuitry 606a of the receive signal path may comprise passive mixers, although the scope of the embodiments is not limited in this respect.
  • the mixer circuitry 606a of the transmit signal path may be configured to up-convert input baseband signals based on the synthesized frequency provided by the synthesizer circuitry 606d to generate RF output signals for the FEM circuitry 608.
  • the baseband signals may be provided by the baseband circuitry 604 and may be filtered by filter circuitry 606c.
  • the mixer circuitry 606a of the receive signal path and the mixer circuitry 606a of the transmit signal path may include two or more mixers and may be arranged for quadrature downconversion and upconversion, respectively.
  • the mixer circuitry 606a of the receive signal path and the mixer circuitry 606a of the transmit signal path may include two or more mixers and may be arranged for image rejection (e.g., Hartley image rejection).
  • the mixer circuitry 606a of the receive signal path and the mixer circuitry 606a may be arranged for direct downconversion and direct upconversion, respectively.
  • the mixer circuitry 606a of the receive signal path and the mixer circuitry 606a of the transmit signal path may be configured for super-heterodyne operation.
  • the output baseband signals and the input baseband signals may be analog baseband signals, although the scope of the embodiments is not limited in this respect.
  • the output baseband signals and the input baseband signals may be digital baseband signals.
  • the RF circuitry 606 may include analog-to-digital converter (ADC) and digital-to-analog converter (DAC) circuitry and the baseband circuitry 604 may include a digital baseband interface to communicate with the RF circuitry 606.
  • a separate radio IC circuitry may be provided for processing signals for each spectrum, although the scope of the embodiments is not limited in this respect.
  • the synthesizer circuitry 606d may be a fractional-N synthesizer or a fractional N/N+1 synthesizer, although the scope of the embodiments is not limited in this respect as other types of frequency synthesizers may be suitable.
  • synthesizer circuitry 606d may be a delta-sigma synthesizer, a frequency multiplier, or a synthesizer comprising a phase-locked loop with a frequency divider.
  • the synthesizer circuitry 606d may be configured to synthesize an output frequency for use by the mixer circuitry 606a of the RF circuitry 606 based on a frequency input and a divider control input.
  • the synthesizer circuitry 606d may be a fractional N/N+1 synthesizer.
  • frequency input may be provided by a voltage controlled oscillator (VCO), although that is not a requirement.
  • Divider control input may be provided by either the baseband circuitry 604 or the applications processor 602 depending on the desired output frequency.
  • a divider control input (e.g., N) may be determined from a lookup table based on a channel indicated by the applications processor 602.
  • Synthesizer circuitry 606d of the RF circuitry 606 may include a divider, a delay-locked loop (DLL), a multiplexer and a phase accumulator.
  • the divider may be a dual modulus divider (DMD) and the phase accumulator may be a digital phase accumulator (DPA).
  • the DMD may be configured to divide the input signal by either N or N+1 (e.g., based on a carry out) to provide a fractional division ratio.
  • the DLL may include a set of cascaded, tunable, delay elements, a phase detector, a charge pump and a D-type flip-flop.
  • the delay elements may be configured to break a VCO period up into Nd equal packets of phase, where Nd is the number of delay elements in the delay line.
  • synthesizer circuitry 606d may be configured to generate a carrier frequency as the output frequency, while in other embodiments, the output frequency may be a multiple of the carrier frequency (e.g., twice the carrier frequency, four times the carrier frequency) and used in conjunction with quadrature generator and divider circuitry to generate multiple signals at the carrier frequency with multiple different phases with respect to each other.
  • the output frequency may be a LO frequency (fLO).
  • the RF circuitry 606 may include an IQ/polar converter.
  • FEM circuitry 608 may include a receive signal path which may include circuitry configured to operate on RF signals received from one or more antennas 610, amplify the received signals and provide the amplified versions of the received signals to the RF circuitry 606 for further processing.
  • FEM circuitry 608 may also include a transmit signal path which may include circuitry configured to amplify signals for transmission provided by the RF circuitry 606 for transmission by one or more of the one or more antennas 610.
  • the amplification through the transmit or receive signal paths may be done solely in the RF circuitry 606, solely in the FEM 608, or in both the RF circuitry 606 and the FEM 608.
  • the FEM circuitry 608 may include a TX/RX switch to switch between transmit mode and receive mode operation.
  • the FEM circuitry may include a receive signal path and a transmit signal path.
  • the receive signal path of the FEM circuitry may include an LNA to amplify received RF signals and provide the amplified received RF signals as an output (e.g., to the RF circuitry 606).
  • the transmit signal path of the FEM circuitry 608 may include a power amplifier (PA) to amplify input RF signals (e.g., provided by RF circuitry 606), and one or more filters to generate RF signals for subsequent transmission (e.g., by one or more of the one or more antennas 610).
  • the PMC 612 may manage power provided to the baseband circuitry 604.
  • the PMC 612 may control power-source selection, voltage scaling, battery charging, or DC-to-DC conversion.
  • the PMC 612 may often be included when the device 600 is capable of being powered by a battery, for example, when the device is included in a UE.
  • the PMC 612 may increase the power conversion efficiency while providing desirable implementation size and heat dissipation characteristics.
  • FIG. 6 shows the PMC 612 coupled only with the baseband circuitry 604.
  • the PMC 612 may be additionally or alternatively coupled with, and perform similar power management operations for, other components such as, but not limited to, application circuitry 602, RF circuitry 606, or FEM 608.
  • the PMC 612 may control, or otherwise be part of, various power saving mechanisms of the device 600. For example, if the device 600 is in an RRC_Connected state, where it is still connected to the RAN node as it expects to receive traffic shortly, then it may enter a state known as Discontinuous Reception Mode (DRX) after a period of inactivity. During this state, the device 600 may power down for brief intervals of time and thus save power.
  • the device 600 may transition off to an RRC_Idle state, where it disconnects from the network and does not perform operations such as channel quality feedback, handover, etc.
  • the device 600 goes into a very low power state and it performs paging where again it periodically wakes up to listen to the network and then powers down again.
  • the device 600 may not receive data in this state; in order to receive data, it must transition back to the RRC_Connected state.
  • An additional power saving mode may allow a device to be unavailable to the network for periods longer than a paging interval (ranging from seconds to a few hours). During this time, the device is totally unreachable to the network and may power down completely. Any data sent during this time incurs a large delay and it is assumed the delay is acceptable.
  • Processors of the application circuitry 602 and processors of the baseband circuitry 604 may be used to execute elements of one or more instances of a protocol stack.
  • processors of the baseband circuitry 604, alone or in combination, may be used to execute Layer 3, Layer 2, or Layer 1 functionality, while processors of the application circuitry 604 may utilize data (e.g., packet data) received from these layers and further execute Layer 4 functionality (e.g., transmission communication protocol (TCP) and user datagram protocol (UDP) layers).
  • Layer 3 may comprise a radio resource control (RRC) layer, described in further detail below.
  • Layer 2 may comprise a medium access control (MAC) layer, a radio link control (RLC) layer, and a packet data convergence protocol (PDCP) layer, described in further detail below.
  • Layer 1 may comprise a physical (PHY) layer of a UE/RAN node, described in further detail below.
  • FIG. 7 illustrates example interfaces of baseband circuitry in accordance with some embodiments.
  • the baseband circuitry 604 of FIG. 6 may comprise processors 604A-604E and a memory 604G utilized by said processors.
  • Each of the processors 604A-604E may include a memory interface, 704A-704E, respectively, to send/receive data to/from the memory 604G.
  • the baseband circuitry 604 may further include one or more interfaces to communicatively couple to other circuitries/devices, such as a memory interface 712 (e.g., an interface to send/receive data to/from memory external to the baseband circuitry 604), an application circuitry interface 714 (e.g., an interface to send/receive data to/from the application circuitry 602 of FIG. 6), an RF circuitry interface 716 (e.g., an interface to send/receive data to/from RF circuitry 606 of FIG.
  • a wireless hardware connectivity interface 718 e.g., an interface to send/receive data to/from Near Field Communication (NFC) components, Bluetooth® components (e.g., Bluetooth® Low Energy), Wi-Fi® components, and other communication components
  • a power management interface 720 e.g., an interface to send/receive power or control signals to/from the PMC 612.
  • an apparatus of a user equipment comprises one or more baseband processors to generate a first list of areas forbidden for circuit-switched (CS) services “forbidden location areas for CS services” and a second list of areas forbidden for packet-switched (PS) "forbidden location areas for PS services", to process a reject message from a cell, wherein the reject message comprises a cause information element indicating that the reject is due to a lack of subscription for CS services or lack of subscription for PS services, or a combination thereof, and to add an area identity of the cell to the first list if the UE does not have a subscription for CS services and the reject message is not integrity protected, or to add the area identity of the cell to the second list if the UE does not have a subscription for PS services and the reject message is not integrity protected, and a memory to store the first list and the second list.
  • Example two may include the subject matter of example one or any of the examples described herein, wherein the circuit-switched (CS) services include non-Global Packet Radio Service (GPRS) services and the packet-switched services (PS) include GPRS services.
  • Example three may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to prevent the UE from initiating a signaling procedure for the CS if the UE is connected to a cell with an area identity included in the first list.
  • Example four may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to prevent the UE from initiating a signaling procedure for the PS domain if the UE is connected to a cell with an area identity included in the second list.
  • Example five may include the subject matter of example one or any of the examples described herein, wherein an area identity of the cell from which the reject message was received is a location area identity, a cell identity, or a public land mobile network (PLMN) identity.
  • Example may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to cause the UE to attempt to change to another suitable cell or to a suitable cell belonging to another location area or tracking area if the reject message is not integrity protected.
  • Example may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to initiate a signaling procedure for PS services if the UE is coupled with a cell with an area identity belonging to the first list but not to the second list.
  • Example may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to initiate a signaling procedure for CS services if the UE is coupled with a cell with an area identity belonging to the second list but not to the first list.
  • Example may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to generate a third list of area identities forbidden for both CS services and PS services, and the one or more baseband processors are to cause the UE to remain on a cell with an area identity that does not belong to the third list.
  • Example may include the subject matter of example one or any of the examples described herein, wherein the third list comprises a list of forbidden location areas for roaming.
  • Example eleven may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to add an area identity to the third list if the area identity is to be added to the first list and the area identity is already in the second list or if the area identity is to be added to the second list and the area identity is already in the first list.
  • Example twelve may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to start a timer if an area identity of the cell from which the reject message was received is to be added to the first list or the second list and the timer is not already running.
  • Example thirteen may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to erase the first list and the second list, and to erase a third list of areas forbidden for both CS services and PS services, if the timer expires.
  • Example fourteen may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to run a first counter for the CS services and to run a second counter for PS services, and the one or more baseband processors are to increment the first counter by 1 if the area identity of the cell from which the reject message is received is added to the first list, and to increment the second counter by 1 if the area identity of the cell from which the reject message is received is added to the second list.
  • Example fifteen may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to run a Universal Subscriber Identity Module (USIM) application, and the one or more baseband processors are to set the USIM invalid for CS services if the first counter is incremented to a maximum value for CS services, or to set the USIM invalid for PS services if the second counter is incremented to a maximum value for PS services.
  • Example sixteen may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to set the first counter to 0 if the one or more baseband processors perform a successful registration for CS services, or to set the second counter to 0 if the one or more baseband processors perform a successful registration for PS services.
  • one or more machine-readable media may have instructions stored thereon that, if executed by an apparatus of a user equipment (UE), result in generating a first list of areas forbidden for circuit-switched (CS) services “forbidden location areas for CS services” and a second list of areas forbidden for packet-switched (PS) "forbidden location areas for PS services", processing a reject message from a cell, wherein the reject message comprises a cause information element indicating that the reject is due to a lack of subscription for CS services or lack of subscription for PS services, or a combination thereof, and adding an area identity of the cell to the first list if the UE does not have a subscription for CS services and the reject message is not integrity protected, or adding the area identity of the cell to the second list if the UE does not have a subscription for PS services and the reject message is not integrity protected.
  • Example eighteen may include the subject matter of example seventeen or any of the examples described herein, wherein the circuit-switched (CS) services include non-Global Packet Radio Service (GPRS) services and the packet-switched services (PS) include GPRS services.
  • Example nineteen may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in preventing the UE from initiating a signaling procedure for the CS if the UE is connected to a cell with an area identity included in the first list.
  • Example twenty may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in preventing the UE from initiating a signaling procedure for the PS domain if the UE is connected to a cell with an area identity included in the second list.
  • Example twenty-one may include the subject matter of example seventeen or any of the examples described herein, wherein an area identity of the cell from which the reject message was received is a location area identity, a cell identity, or a public land mobile network (PLMN) identity.
  • Example twenty-two may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in causing the UE to attempt to change to another suitable cell or to a suitable cell belonging to another location area or tracking area if the reject message is not integrity protected.
  • Example twenty-three may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in initiating a signaling procedure for PS services if the UE is coupled with a cell with an area identity belonging to the first list but not to the second list.
  • Example twenty-four may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in initiating a signaling procedure for CS services if the UE is coupled with a cell with an area identity belonging to the second list but not to the first list.
  • Example twenty-five may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in generating a third list of area identities forbidden for both CS services and PS services, and causing the UE to remain on a cell with an area identity that does not belong to the third list.
  • Example twenty-six may include the subject matter of example seventeen or any of the examples described herein, wherein the third list comprises a list of forbidden location areas for roaming.
  • Example twenty-seven may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in adding an area identity to the third list if the area identity is to be added to the first list and the area identity is already in the second list or if the area identity is to be added to the second list and the area identity is already in the first list.
  • Example twenty-eight may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in starting a timer if an area identity of the cell from which the reject message was received is to be added to the first list or the second list and the timer is not already running.
  • Example twenty-nine may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in erasing the first list and the second list, and erasing a third list of areas forbidden for both CS services and PS services, if the timer expires.
  • Example thirty may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in running a first counter for the CS services and running a second counter for PS services, and incrementing the first counter by 1 if the area identity of the cell from which the reject message is received is added to the first list, and incrementing the second counter by 1 if the area identity of the cell from which the reject message is received is added to the second list.
  • Example thirty- may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in running a Universal Subscriber Identity Module (USIM) application, and setting the USIM invalid for CS services if the first counter is incremented to a maximum value for CS services, or setting the USIM invalid for PS services if the second counter is incremented to a maximum value for PS services.
  • Example thirty-two may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in setting the first counter to 0 if a registration for CS services is successful, or setting the second counter to 0 if a registration for PS services is successful.
  • an apparatus of a user equipment comprises means for generating a first list of areas forbidden for circuit-switched (CS) services "forbidden location areas for CS services" and a second list of areas forbidden for packet-switched (PS) "forbidden location areas for PS services", means for processing a reject message from a cell, wherein the reject message comprises a cause information element indicating that the reject is due to a lack of subscription for CS services or lack of subscription for PS services, or a combination thereof, means for adding an area identity of the cell to the first list if the UE does not have a subscription for CS services and the reject message is not integrity protected, and means for adding the identity of the cell to the second list if the UE does not have a subscription for PS services and the reject message is not integrity protected.
  • Example thirty-four may include the subject matter of example thirty-three or any of the examples described herein, wherein the circuit-switched (CS) services include non-Global Packet Radio Service (GPRS) services and the packet-switched services (PS) include GPRS services.
  • Example thirty-five may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for preventing the UE from initiating a signaling procedure for the CS if the UE is connected to a cell with an area identity included in the first list.
  • Example thirty-six may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for preventing the UE from initiating a signaling procedure for the PS domain if the UE is connected to a cell with an area identity included in the second list.
  • Example thirty-seven may include the subject matter of example thirty-three or any of the examples described herein, wherein an area identity of the cell from which the reject message was received is a location area identity, a cell identity, or a public land mobile network (PLMN) identity.
  • Example thirty-eight may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for causing the UE to attempt to change to another suitable cell or to a suitable cell belonging to another location area or tracking area if the reject message is not integrity protected.
  • Example thirty-nine may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for initiating a signaling procedure for PS services if the UE is coupled with a cell with an area identity belonging to the first list but not to the second list.
  • Example forty may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for initiating a signaling procedure for CS services if the UE is coupled with a cell with an area identity belonging to the second list but not to the first list.
  • Example forty-one may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for generating a third list of area identities forbidden for both CS services and PS services, and means for causing the UE to remain on a cell with an area identity that does not belong to the third list.
  • Example forty-two may include the subject matter of example thirty-three or any of the examples described herein, wherein the third list comprises a list of forbidden location areas for roaming.
  • Example forty-three may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for adding an area identity to the third list if the area identity is to be added to the first list and the area identity is already in the second list or if the area identity is to be added to the second list and the area identity is already in the first list.
  • Example forty-four may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for starting a timer if an area identity of the cell from which the reject message was received is to be added to the first list or the second list and the timer is not already running.
  • Example forty-five may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for erasing the first list and the second list, and means for erasing a third list of areas forbidden for both CS services and PS services, if the timer expires.
  • Example forty-six may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for running a first counter for the CS services and running a second counter for PS services, means for incrementing the first counter by 1 if the area identity of the cell from which the reject message is received is added to the first list, and means for incrementing the second counter by 1 if the area identity of the cell from which the reject message is received is added to the second list.
  • Example forty-seven may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for running a Universal Subscriber Identity Module (USIM) application, means for setting the USIM invalid for CS services if the first counter is incremented to a maximum value for CS services, and means for setting the USIM invalid for PS services if the second counter is incremented to a maximum value for PS services.
  • Example forty-eight may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for setting the first counter to 0 if a registration for CS services is successful, and means for setting the second counter to 0 if a registration for PS services is successful.
  • machine-readable storage may include machine-readable instructions, when executed, to realize an apparatus as claimed in any preceding claim.
  • Coupled may mean that two or more elements are in direct physical and/or electrical contact. Coupled, however, may also mean that two or more elements may not be in direct contact with each other, but yet may still cooperate and/or interact with each other.
  • Coupled may mean that two or more elements do not contact each other but are indirectly joined together via another element or intermediate elements.
  • on may be used in the following description and claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An apparatus of a user equipment (UE) comprises one or more baseband processors to generate a first list of areas forbidden for circuit-switched (CS) services and a second list of areas forbidden for packet-switched (PS) services, and to process a reject message from a cell. The reject message indicates if the reject is due to a lack of subscription for CS services or lack of subscription for PS services. If the reject message is not integrity protected, an area identity of the cell is added to the first list if the UE does not have a subscription for CS services, or is added to the second list if the UE does not have a subscription for PS services. A memory stores the first list and the second list, and optionally a third list of areas forbidden for both CS services and PS services.

Description

DEFENSE AGAINST NON-ACCESS STRATUM DENIAL-OF-SERVICE ATTACK
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] The present application claims the benefit of US Provisional Application No. 62/418,090 (P111766Z) filed November 4, 2016. Said Application No. 62/418,090 is hereby incorporated herein by reference in its entirety.
BACKGROUND
[0002] The original denial-of-service (DoS) attack in Third Generation Partnership Project (3GPP) networks as described by A Shaik et al. may be successful because according to 3GPP Technical Specification (TS) 24.301, the user equipment (UE) needs to react to the tracking area update (TAU) Reject message even if the message is not integrity protected. The UE behavior was specified that way because for certain use cases, for example Evolved Packet System (EPS) Mobility Management (EMM) cause #8 "EPS services and non-EPS services not allowed" or cause #11 for a Public Land Mobile Network (PLMN) "PLMN not allowed", it is not possible to protect the message in a genuine network because there is no integrity key (IK) shared by the UE and the network. The Reject message with EMM cause #8 "EPS services and non-EPS services not allowed" indicates that the subscriber does not have a valid subscription for packet-switched (PS) and circuit-switched (CS) services. Therefore, the network also does not have any security credentials stored in the Authentication Center (AuC), and security including integrity protection of signaling messages cannot be started. The Reject message with EMM cause #11 "PLMN not allowed" indicates that the operator of the visited PLMN (VPLMN) does not have a roaming agreement with the operator of the subscriber's home PLMN (HPLMN). For that case, the HPLMN will not provide any security vectors to the VPLMN, and again security cannot be started. For 3GPP TS 24.008 the corresponding attack may be started using a routing area update (RAU) Reject message with General Packet Radio Service (GPRS) Mobility Management (GMM) cause #8 "GPRS services and non-GPRS services not allowed" or cause #11 "PLMN not allowed".
[0003] One point to note in this type of attack is that the attack remains effective even after the false NodeB, or false evolved NodeB (eNB), is removed from the network because the status of the Universal Subscriber Identity Module (USIM) remains "invalid for EPS (and non-EPS) services" until the UE is switched off and on again or the USIM is removed. Thus, if the attack goes unnoticed, for example because the UE is carried in the subscriber's pocket, the subscriber can become unreachable for mobile terminating services such as for incoming voice over Long-Term Evolution (VoLTE) or CS calls.
[0004] Due to the increased interest by the operators to develop countermeasures against this kind of attack, 3GPP CT1 agreed a set of change requests (CRs) for the Release 13 versions of 3GPP TS 24.301 and 3GPP TS 24.008 specifying new UE requirements for the case when a non-access stratum (NAS) request message is answered by the network with a not integrity protected NAS reject message. For these new requirements, CT1 had to take into account that the UE can receive the unprotected Reject message also from a genuine network, and for such a case the reasons for the original UE requirements, to protect the network and the UE from the unnecessary signaling which only causes a waste of radio resources and a power drain on the UE side, are still valid and should be taken into account.
[0005] A general mechanism used for the new requirements in 3GPP TS 24.008/24.301 is that the UE starts a timer T3247 with a random value between 30 and 60 minutes, and upon expiry of T3247 the UE revokes the actions it performed due to the receipt of the reject message. For example, if upon receipt of the reject message the USIM was set to invalid for GPRS and non-GPRS services, then upon expiry of T3247 the USIM is reset to valid again; or if the location area identity (LAI) of the cell where the reject message was received was added to a list of "forbidden location areas for roaming", then the LAI is removed again from that list, and so on. It should be noted that in 3GPP TS 24.008, the UE can also operate with a Subscriber Identity Module (SIM) instead of a USIM. In general, both SIM and USIM include applications running on a chip card called Universal Integrated Circuit (UICC) card.
[0006] For the "USIM invalid" condition, the solution in 3GPP TS 24.008 also specifies an implementation option which uses two additional counters, one for the CS domain and one for the PS domain. Essentially, the CS counter is counting how often the UE receives a Location Updating Reject message which causes the USIM to become invalid for non-GPRS services without receiving a Location Updating Accept message in between. When a certain, UE implementation specific, maximum value is reached for the counter, the UE finally deems that the network sending the reject messages is genuine assuming that a false NodeB or false eNodeB attack would be of limited duration, shorter than "max. value x 30 minutes", and the USIM is no longer reset to valid when the timer T3247 expires. In a comparable way, the PS counter is counting the number of Attach/TAU/RAU Reject messages which cause the USIM to be set invalid for GPRS services or GPRS and non-GPRS services.
[0007] One issue currently not solved satisfactorily in 3GPP TS 24.008 is the case where the UE receives a Location Update Reject message with MM cause #2 "IMSI unknown in HLR" or an Attach Reject or Routing Area Update Reject with GMM cause #7 "GPRS services not allowed". The first cause typically is used by a genuine network when the UE has a valid subscription for PS services, but not for CS services. The second cause is used for the reverse case, that is when the UE has a valid subscription for CS services but not for PS services. A UE implementing Release 12 or an earlier version of the 3GPP standards will set the USIM invalid for CS services for the former case or invalid for PS services for the latter case, but in a genuine network the UE will still be able to receive services via the other domain, the PS domain or CS domain, respectively. A fake NodeB in the UTRAN, however, could wait for the UE to first perform a location update and then a routing area update, and answer to both requests with reject messages with the appropriate cause value, thus preventing the UE from getting any CS or PS services.
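The per-domain handling listed in Examples one through sixteen, applied to the double-reject scenario of paragraph [0007] and using the 30 to 60 minute T3247 value of paragraph [0005], can be sketched as follows. This is an added illustration, not code from the application or from any 3GPP specification: the class and method names, the maximum counter value, the area identifiers and the treatment of integrity-protected rejects are assumptions.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

CS, PS = "CS", "PS"


@dataclass
class NasRejectGuard:
    """Per-domain handling of 'no subscription' rejects (hypothetical class name)."""
    max_count: int = 5  # assumption: the maximum counter value is implementation specific
    rng: random.Random = field(default_factory=random.Random)
    forbidden: dict = field(default_factory=lambda: {CS: set(), PS: set()})  # first, second list
    forbidden_both: set = field(default_factory=set)                         # third list
    counter: dict = field(default_factory=lambda: {CS: 0, PS: 0})
    usim_invalid: dict = field(default_factory=lambda: {CS: False, PS: False})
    t3247_deadline: Optional[float] = None  # None: timer not running

    def on_reject(self, domain, area, integrity_protected, now):
        """Process a reject whose cause says 'no subscription for <domain> services'."""
        if integrity_protected:
            # Assumption: a protected reject is trusted and handled the legacy way.
            self.usim_invalid[domain] = True
            return "usim_invalid"
        other = PS if domain == CS else CS
        if area not in self.forbidden[domain]:
            self.forbidden[domain].add(area)            # Example one
            self.counter[domain] += 1                   # Example fourteen
            if area in self.forbidden[other]:
                self.forbidden_both.add(area)           # Example eleven
            if self.t3247_deadline is None:             # Example twelve
                self.t3247_deadline = now + self.rng.uniform(30 * 60, 60 * 60)
        if self.counter[domain] >= self.max_count:      # Example fifteen
            self.usim_invalid[domain] = True
            return "usim_invalid"
        return "reselect"                               # try another suitable cell

    def on_registration_success(self, domain):
        self.counter[domain] = 0                        # Example sixteen

    def tick(self, now):
        """On timer expiry erase all three lists (Example thirteen)."""
        if self.t3247_deadline is not None and now >= self.t3247_deadline:
            for areas in self.forbidden.values():
                areas.clear()
            self.forbidden_both.clear()
            self.t3247_deadline = None
            return True
        return False

    def may_signal(self, domain, area):
        """Examples three and four: no signaling for a domain in an area on its list."""
        return not self.usim_invalid[domain] and area not in self.forbidden[domain]

    def may_camp(self, area):
        """The UE stays only on cells whose area is not in the third list."""
        return area not in self.forbidden_both


def replay_double_reject():
    """Constructed trace: one cell rejects CS, then PS, both without integrity protection."""
    g = NasRejectGuard(max_count=3, rng=random.Random(7))
    trace = {}
    trace["first"] = g.on_reject(CS, "LAI-A", False, now=0)
    trace["ps_still_allowed"] = g.may_signal(PS, "LAI-A")
    trace["second"] = g.on_reject(PS, "LAI-A", False, now=10)
    trace["camp_on_A"] = g.may_camp("LAI-A")
    trace["cs_on_B"] = g.may_signal(CS, "LAI-B")
    trace["usim_invalid"] = dict(g.usim_invalid)
    trace["timer_window"] = 1800 <= g.t3247_deadline <= 3600
    trace["expired"] = g.tick(now=3600)
    trace["camp_on_A_after_expiry"] = g.may_camp("LAI-A")
    return trace


def replay_repeated_cs_rejects():
    """Constructed trace: unprotected CS rejects in three areas reach max_count=3."""
    g = NasRejectGuard(max_count=3, rng=random.Random(7))
    results = [g.on_reject(CS, lai, False, now=i) for i, lai in enumerate(["LAI-A", "LAI-B", "LAI-C"])]
    return results, g.may_signal(CS, "LAI-Z"), g.may_signal(PS, "LAI-Z")


if __name__ == "__main__":
    print(replay_double_reject())
    print(replay_repeated_cs_rejects())
```

In the first trace the USIM stays valid for both domains after the two rejects; only the area of the rejecting cell is avoided until the timer expires.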
DESCRIPTION OF THE DRAWING FIGURES
[0008] Claimed subject matter is particularly pointed out and distinctly claimed in the concluding portion of the specification. However, such subject matter may be understood by reference to the following detailed description when read with the accompanying drawings in which:
[0009] FIG. 1 is a diagram of a user equipment (UE) having independent subscriptions for access to both a circuit-switched (CS) domain and a packet-switched (PS) domain in accordance with one or more embodiments;
[00010] FIG. 2 is a diagram illustrating a security attack in a Third Generation Partnership Project (3GPP) network and the related UE reactions of a UE without any countermeasures to the attack in accordance with one or more embodiments;
[00011] FIG. 3 is a diagram illustrating an approach to defending a security attack for a 3GPP network in accordance with one or more embodiments;
[00012] FIG. 4A and FIG. 4B show a diagram illustrating an approach to defending a security attack in a 3GPP network wherein the CS domain and the PS domain may be handled separately in accordance with one or more embodiments;
[00013] FIG. 5 illustrates an architecture of a system of a network in accordance with one or more embodiments;
[00014] FIG. 6 illustrates example components of a device in accordance with one or more embodiments; and
[00015] FIG. 7 illustrates example interfaces of baseband circuitry in accordance with one or more embodiments.
[00016] It will be appreciated that for simplicity and/or clarity of illustration, elements illustrated in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, if considered appropriate, reference numerals have been repeated among the figures to indicate corresponding and/or analogous elements.
DETAILED DESCRIPTION
[00017] In the following detailed description, numerous specific details are set forth to provide a thorough understanding of claimed subject matter. It will, however, be understood by those skilled in the art that claimed subject matter may be practiced without these specific details. In other instances, well-known methods, procedures, components and/or circuits have not been described in detail.
[00018] Referring now to FIG. 1, a diagram of a user equipment (UE) having independent subscriptions for access to both a circuit-switched (CS) domain and a packet-switched (PS) domain in accordance with one or more embodiments will be discussed. As shown in FIG. 1, network 100 may comprise Universal Terrestrial Radio Access Network (UTRAN) 110 and core network (CN) 112. UTRAN 110 may include a Node B 116 to provide base station access to network 100 for one or more user equipment (UE) 114 devices. UTRAN 110 also may include a radio network controller (RNC) 118 to couple the UTRAN 110 to the core network 112. Core network 112 in turn may comprise a mobile switching center (MSC) server 120 that also may provide visitor location register (VLR) functionality to allow UE 114 to connect to a circuit-switched (CS) domain 122 via network 100. Similarly, core network 112 may comprise serving General Packet Radio Service (GPRS) support node (SGSN) 124 to allow UE 114 to connect to a packet-switched (PS) domain 126 via network 100. The UE 114 may have independent subscriptions for both the CS domain 122 and the PS domain 126.
[00019] Referring now to FIG. 2, a diagram illustrating a security attack in a Third Generation Partnership Project (3GPP) network and the related UE reactions of a UE without any countermeasures to the attack in accordance with one or more embodiments will be discussed. As shown in procedure 200 of FIG. 2, UE 114 may send a location updating request 212 to a false NodeB 210. The false NodeB 210 may be disposed in a location closer to the UE 114 than a legitimate NodeB 116. As a result, the signal from false NodeB 210 may be stronger and/or of better quality than the signal from NodeB 116, therefore the UE 114 may attempt to attach to false NodeB 210 via a location updating request message 212 for the CS domain, or with an attach or routing area update (RAU) request message 218 for the PS domain. Thus, the false NodeB 210 causes the security attack on UE 114 by causing UE 114 to connect with the false NodeB 210 rather than to a legitimate NodeB 116 of the network 100 which is shown in FIG. 1.
[00020] In reply to the location updating request 212, the false NodeB 210 may send a location updating reject message 214 to UE 114 with Mobility Management (MM) cause #2 for the International Mobile Subscriber Identity (IMSI) number not being known in the home location register (HLR) "IMSI UNKNOWN IN HLR". The USIM of the UE 114 is then set as invalid for non-GPRS services at operation 216, i.e. invalid for the CS domain 122. As a consequence, the UE 114 will no longer attempt to access the CS domain until the UE is switched off and on again or the USIM is removed. If the UE 114 then sends an attach or RAU request message 218 to the false NodeB 210, the false NodeB 210 responds to UE 114 with an attach/RAU reject message 220 with General Packet Radio Service (GPRS) Mobility Management (GMM) cause #7 for GPRS services "GPRS SERVICES NOT ALLOWED". The USIM of the UE 114 is then set as invalid for GPRS services, i.e. invalid for the PS domain 126. As a consequence, the UE 114 will no longer attempt to access the PS domain until the UE is switched off and on again or the USIM is removed. Thus, as shown in FIG. 2, the false NodeB 210 may cause UE 114 to attach to the false NodeB 210, reject attach and set the USIM of the UE 114 invalid for both CS domain calls and for PS domain calls, e.g. Voice over Internet Protocol (IP) Multimedia Subsystem (IMS) calls, thereby preventing the UE 114 from receiving any calls.
[00021] Referring now to FIG. 3, a diagram illustrating one approach to defending a security attack for a 3GPP network in accordance with one or more embodiments will be discussed. FIG. 3 shows a security attack and the related UE reactions of a UE implemented according to 3GPP Release 13. In the procedure 300 shown in FIG. 3, the UE 114 may send a Location Updating Request message 310 to a false NodeB 210. Upon receipt of the Location Updating Reject message 312 with MM cause #2 "IMSI UNKNOWN IN HLR", the UE 114 starts timer T3247, if not already running, increments the CS counter by 1, and searches for a cell in another location or tracking area at procedure 314. The UE 114 then sends a Location Updating Request message 316 to a genuine NodeB 116, and the Location Updating Request message is forwarded to MSC 120 for processing. The MSC 120 then sends a Location Updating Accept message 320 to the genuine NodeB 116, which in turn sends a Location Updating Accept message 322 to UE 114. The UE resets the CS counter to 0 at process 324. Due to better radio conditions with the false NodeB 210, the UE 114 then may reselect to the original cell served by the false NodeB 210 at process 326 by sending another Location Updating Request message 328 to the false NodeB 210. After rejection by the false NodeB 210 with Location Updating Reject message 330, the UE 114 starts the next location update attempt with the genuine NodeB 116, and so on, thereby causing the UE 114 to "ping-pong" between the false NodeB 210 and the genuine NodeB 116.
[00022] In 3GPP Release 13, due to the CR 24.008-2927r6 agreed by CT1, the UE may have three options. In Option 1, the UE 114 does not implement the CS counter, or PS counter, as mentioned above. Upon receipt of a reject message with the appropriate cause, the UE 114 starts timer T3247, if not running, and sets the USIM invalid for GPRS or non-GPRS services or both. The UE 114 then resets the USIM to valid for GPRS and non-GPRS services each time the timer T3247 expires. Option 1 ensures that the UE 114 will recover from a security attack after 30 to 60 minutes, but on the other hand, for example if the user does not have a subscription for PS services, then in a genuine network 100 the UE 114 will attempt to attach for PS services every 30 to 60 minutes until the UE 114 is switched off or runs out of battery power.
[00023] Option 2 is similar to Option 1, but the UE 114 implements the CS counter and PS counter as mentioned above. In a genuine network, for example if the UE 114 does not have a subscription for PS services, after some time it will stop sending further attach requests. In Option 3, the UE implements the CS counter and the PS counter, but upon receiving the reject message the UE 114 will not set the USIM invalid. Instead, for example if the UE 114 receives a Location Updating Reject message with MM cause #2, the UE 114 will perform the following actions: If the CS counter is smaller than the maximum value, the UE shall:
- delete any Location Area Identity (LAI), Temporary Mobile Subscriber Identity (TMSI), and ciphering key sequence number stored in the SIM/USIM, reset the location update attempt counter, and set the update status to ROAMING NOT ALLOWED (and store it in the SIM/USIM according to subclause 4.1.2.2);
- delete the list of equivalent PLMNs;
- increment the counter for "SIM/USIM considered invalid for non-GPRS services" events;
- reset the location update attempt counter; and
- search for a suitable cell in another location area or a tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121].
If the maximum value has been reached for the counter for "SIM/USIM considered invalid for non-GPRS services" events, the UE shall:
- set the USIM invalid for non-GPRS services, and stick to this even if T3247 expires.
It should be noted that the counter for "SIM/USIM considered invalid for non-GPRS services" events in 3GPP TS 24.008 is the same counter which in general may be referred to herein as a "CS counter".
[00024] The purpose of the operation "search for a suitable cell in another location area or a tracking area" is that the UE 114 leaves its current cell or first cell which is potentially operated by a fake NodeB 210 and attempts to get CS services in another cell. One problem with this approach is that, even if at its current geographical location, the UE 114 finds a suitable cell in another location area or tracking area, and performs a successful location update, or a combined attach or tracking area update via that cell, the UE 114 then may quickly reselect to the first cell, for example if the radio conditions for the first cell are better. In the first cell, the UE 114 will then initiate another location update procedure and receive another reject message with cause #2.
[00025] If the reject is sent by a fake or false NodeB 210, the UE 114 will increment the CS counter for each Location Updating Reject message received from the false NodeB 210, but then the UE 114 will reset the CS counter when it reselects to a genuine network cell served by a genuine NodeB 116 and receives a Location Updating Accept message via that cell. Thus, the reselection, or "ping-pong", back and forth between the fake cell and the genuine cell can go on forever, and the UE 114 will spend roughly half of the time in the false cell and not be able to use CS services. This means the security attack remains effective as long as the false NodeB 210 is in operation, and it cannot be guaranteed that with Option 3 the subscriber will get better service than with Option 1 or Option 2.
[00026] If the reject is sent by a genuine NodeB 116, the UE 114 will increment the CS counter for each Location Updating Reject message received. When the counter reaches its maximum value, which can occur within a short time, as the UE 114 may quickly reselect, or "ping-pong", between the first cell and a second cell where it will also receive Location Updating Reject messages, the UE 114 will finally set the USIM invalid for CS services and refrain from further location update attempts.
[00027] For Option 4, which in contrast to the other options is not described in 3GPP TS 24.008, in addition to the requirements of Option 3, before searching for a suitable cell in another location area or a tracking area, the UE 114 adds the Location Area Identity (LAI) of the cell where the reject message was received to the list of "forbidden location areas for roaming". For the case that the reject message was sent by a false NodeB 210, adding the LAI to the list of "forbidden location areas for roaming" may prevent the UE 114 from getting into the ping-pong situation. After selecting a genuine, suitable cell belonging to another location area and performing a successful location update, the UE 114 will not be able to reselect immediately to the original UTRAN cell because cells belonging to one of the "forbidden location areas for roaming" are considered unsuitable for cell selection and cell reselection. Only when T3247 expires, the UE 114 will erase the list of "forbidden location areas for roaming", and the original cell will become suitable again.
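The ping-pong of paragraphs [00025] to [00027], modelled as a small simulation. This is an added illustration, not code from the patent or from 3GPP TS 24.008; the cell names, LAI strings, signal levels, the maximum counter value of 5 and the use of one loop step as a time unit with T3247 fixed at 30 steps are all assumptions.

```python
"""Toy model of Option 3 versus Option 4 cell reselection (constructed example)."""
from dataclasses import dataclass, field

MAX_CS_COUNTER = 5  # assumption: the maximum is UE implementation specific


@dataclass(frozen=True)
class Cell:
    name: str
    lai: str           # location area identity (constructed value)
    signal: int        # higher means better radio conditions
    false_nodeb: bool  # True: rejects every location update with MM cause #2


# Constructed scenario: the false cell is the stronger one, as in FIG. 3.
CELLS = [
    Cell("false-cell", "LA-1", 90, True),
    Cell("genuine-cell", "LA-2", 60, False),
]


@dataclass
class UE:
    option4: bool  # True: also add the LAI to "forbidden location areas for roaming"
    cs_counter: int = 0
    peak_counter: int = 0
    usim_invalid_cs: bool = False
    forbidden_for_roaming: set = field(default_factory=set)
    rejects: int = 0
    accepts: int = 0

    def select_cell(self, cells, avoid_lai=None):
        """Strongest suitable cell; a cell in a forbidden LA is not suitable."""
        suitable = [c for c in cells
                    if c.lai not in self.forbidden_for_roaming and c.lai != avoid_lai]
        return max(suitable, key=lambda c: c.signal) if suitable else None

    def location_update(self, cell):
        """Return the LAI to leave after a reject, or None after an accept."""
        if not cell.false_nodeb:
            self.accepts += 1
            self.cs_counter = 0  # Location Updating Accept resets the CS counter
            return None
        self.rejects += 1
        if self.cs_counter >= MAX_CS_COUNTER:
            self.usim_invalid_cs = True  # reject is finally deemed genuine
            return None
        self.cs_counter += 1
        self.peak_counter = max(self.peak_counter, self.cs_counter)
        if self.option4:
            self.forbidden_for_roaming.add(cell.lai)
        return cell.lai  # search for a cell in another location area


def simulate(option4, cells, steps=60, t3247_steps=30):
    ue = UE(option4=option4)
    camped, avoid_lai, timer, steps_on_false = None, None, None, 0
    for _ in range(steps):
        if timer is not None:
            timer -= 1
            if timer == 0:  # T3247 expiry erases the forbidden list
                ue.forbidden_for_roaming.clear()
                timer = None
        target = ue.select_cell(cells, avoid_lai)
        avoid_lai = None
        if target is not None and target != camped and not ue.usim_invalid_cs:
            camped = target
            rejected_lai = ue.location_update(camped)
            if rejected_lai is not None:
                avoid_lai = rejected_lai
                if timer is None:
                    timer = t3247_steps  # start T3247 if not already running
        if camped is not None and camped.false_nodeb:
            steps_on_false += 1
    return {
        "rejects": ue.rejects,
        "accepts": ue.accepts,
        "peak_cs_counter": ue.peak_counter,
        "usim_invalid_cs": ue.usim_invalid_cs,
        "steps_on_false_cell": steps_on_false,
    }


if __name__ == "__main__":
    print("Option 3:", simulate(False, CELLS))
    print("Option 4:", simulate(True, CELLS))
```

Under Option 3 the counter never climbs past 1 because every accept resets it, so the maximum is never reached and the UE sits on the false cell for half of the steps; under Option 4 it returns to the false cell only once per T3247 period.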
[00028] One disadvantage of Option 4, however, is that for the case where the UE 114 is in a genuine network 100 and the UE 114 only has a subscription for one of the two domains, the UE 114 may not be able to receive services for any of the two domains for a long time. The reason for this is that when the UE 114 selects a suitable cell of another location area, the UE 114 will again attempt to register there for both domains. Since the UE 114 has a subscription for only one of the two domains, the UE 114 will again receive a reject message for the other domain and will have to add also the new location area to the list of "forbidden location areas for roaming". This process is repeated until the counter for the domain for which the UE 114 does not have a subscription finally reaches the maximum value, the UE 114 sets the USIM invalid for the respective domain and can receive services for the other domain. In the worst case it may take several hours until the UE 114 reaches this status. In one exception, the UE 114 may be able to find a short cut to this procedure if the UE 114 has a subscription for PS services only and the network supports the use of combined GMM/EMM procedures. For that case the network 100 will respond to the combined Attach/RAU/TAU Request message with an Attach/RAU/TAU Accept message with GMM/EMM cause #2 "IMSI unknown in HLR" with integrity protection, thus accepting the request for the PS domain only and informing the UE 114 that it does not have a subscription for CS services. In UTRAN and E-UTRAN, any Accept message needs to be integrity protected, and consequently the UE 114 will be able to verify that the information about the lack of a CS subscription is provided by a genuine network.
[00029] Referring now to FIG. 4A and FIG. 4B, a diagram illustrating an approach to defending a security attack in a 3GPP network wherein the CS domain and the PS domain may be handled separately in accordance with one or more embodiments will be discussed. FIG. 4A and FIG. 4B show a process 400 of defending a security attack and the related UE reactions of a UE 114 according to a variant of Option 1 as discussed above in combination with a variant of Option 3 or Option 4.
[00030] UE 114 sends a Location Updating Request message 410 to false NodeB 210, and false NodeB 210 replies with a Location Updating Reject message without integrity protection 412. If the UE 114 receives the Location Updating Reject message 412 with MM cause #2 without integrity protection, UE 114 starts timer T3247 at operation 414, if not already running, increments the CS counter by 1, adds LAI to the list of "LAs forbidden for CS services", and searches for another suitable cell.
[00031] When the UE 114 finds such a cell, it selects the cell, served by a genuine NodeB 116, where the next location update attempt is successful via Location Updating Request message, Location Updating Request message 418, Location Updating Accept message 420, and Location Updating Accept message 422. The CS counter may then be reset to 0 at procedure 424. The UE 114 also performs a successful attach or routing area updating procedure for PS services via Attach/RAU Request message 426, Attach/RAU Request message 428, Attach/RAU Accept message 430, Attach/RAU Accept message 432, Attach/RAU Complete message 434, and Attach/RAU Complete message 436.
[00032] Due to the better radio conditions at false NodeB 210, the UE 114 then may reselect to the original cell served by the false NodeB 210 at procedure 438 in FIG. 4B. As that particular cell belongs to a location area included in the list of "LAs forbidden for CS services", the UE 114 does not start a location update, but only a routing area update by sending Attach/RAU Request Message 440. When this routing area update is rejected by the false NodeB 210 which sends an Attach/RAU Reject message without integrity protection 442 to UE 114, the UE 114 starts timer T3247 if not running, increments the PS counter by 1, adds the location area identity LAI to the list of "LAs forbidden for roaming" which makes the cell "unsuitable", and then searches for a suitable cell at process 444. When the UE 114 finds such a suitable cell, the UE 114 initiates another location update procedure 446, similar to operations 3 to operations 6 as shown in FIG. 4A, and another attach procedure 448, similar to operations 7 to operations 12 as shown in FIG. 4A. The UE 114 will then not reselect back to the false UTRAN cell, because the location area identity of that cell is included in the list of "LAs forbidden for roaming". Only when the timer T3247 expires, for example after 30 minutes to 60 minutes, and the UE 114 erases the list of "LAs forbidden for roaming", may the UE 114 reselect back to the false UTRAN cell. By then, however, the false NodeB 210 may have already been removed from the network 100.
[00033] In accordance with one or more embodiments, to address a security attack from a false NodeB 210, one or more variants of Option 1, Option 2, and/or Option 3 as listed above may be implemented. In one embodiment, Variant 1, the UE 114 may behave in a manner similar as for Option 3, but with the following modifications. The UE 114 maintains two lists comprising a first list of "forbidden location areas for non-GPRS services (i.e., CS services)" and a second list of "forbidden location areas for GPRS services (i.e., PS services)". Instead of searching for a suitable cell in another location area or tracking area, the UE 114 behaves as follows. When the UE 114 receives a reject message which causes the UE to set the USIM invalid for one of the two domains, either the CS domain or the PS domain, the UE 114 checks whether the LAI of the cell where the UE 114 received the reject message is already included in the domain-specific list of forbidden location areas for the other domain. If not, then the UE 114 adds the LAI to the domain-specific list of forbidden location areas for the domain for which the reject was received. Additionally, the UE 114 stays on the current cell, attempts to register for the other domain if not done already, and to receive services via that other domain. Otherwise, if the UE 114 is now barred from receiving PS services and CS services, then the UE 114 adds the LAI to the list of "forbidden location areas for roaming". Additionally, the UE 114 searches for a suitable cell in another location area or a tracking area. This list of "forbidden location areas for roaming" is applicable to both domains. A cell belonging to any of the location areas stored in that list is considered by the UE as "not suitable", i.e., unsuitable, for cell selection/re-selection, and the UE 114 will try to avoid this cell as long as it can find another, suitable cell.
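The Variant 1 decision described above, written out as a reject handler and run against two constructed cases: a false NodeB rejecting both domains, and a genuine network serving a PS-only subscriber. This is an added sketch, not code from the patent or from 3GPP; the class and method names, the LAI strings and the maximum of 3 events are assumptions, as is erasing the domain-specific lists on T3247 expiry (paragraph [00038] implies it, paragraph [00032] states it only for the roaming list).

```python
"""Variant 1 handling of non-integrity-protected rejects (constructed example)."""
from enum import Enum


class Domain(Enum):
    CS = "non-GPRS services"
    PS = "GPRS services"


class Action(Enum):
    STAY_AND_USE_OTHER_DOMAIN = "stay on cell, register for the other domain"
    SEARCH_OTHER_LOCATION_AREA = "cell unsuitable, search in another location area"
    USIM_INVALID_FOR_DOMAIN = "counter at maximum, treat the reject as genuine"


class Variant1UE:
    def __init__(self, max_events=3):  # assumption: maximum is implementation specific
        self.max_events = max_events
        self.counter = {Domain.CS: 0, Domain.PS: 0}
        self.forbidden = {Domain.CS: set(), Domain.PS: set()}  # domain-specific LAI lists
        self.forbidden_for_roaming = set()                     # applies to both domains
        self.usim_invalid = {Domain.CS: False, Domain.PS: False}
        self.t3247_running = False

    @staticmethod
    def other(domain):
        return Domain.PS if domain is Domain.CS else Domain.CS

    def on_unprotected_reject(self, domain, lai):
        """MM cause #2 (CS) or GMM cause #7 (PS) received without integrity protection."""
        self.t3247_running = True  # started if not already running
        if self.counter[domain] >= self.max_events:
            self.usim_invalid[domain] = True
            return Action.USIM_INVALID_FOR_DOMAIN
        self.counter[domain] += 1
        if lai in self.forbidden[self.other(domain)]:
            # Already barred for the other domain here: no service left in this LA.
            self.forbidden_for_roaming.add(lai)
            return Action.SEARCH_OTHER_LOCATION_AREA
        self.forbidden[domain].add(lai)
        return Action.STAY_AND_USE_OTHER_DOMAIN

    def on_accept(self, domain):
        self.counter[domain] = 0  # accept messages are integrity protected

    def may_initiate(self, domain, lai):
        """May the UE start an MM (CS) or GMM (PS) procedure in this location area?"""
        return not (self.usim_invalid[domain]
                    or lai in self.forbidden[domain]
                    or lai in self.forbidden_for_roaming)

    def cell_suitable(self, lai):
        return lai not in self.forbidden_for_roaming

    def on_t3247_expiry(self):
        self.t3247_running = False
        self.forbidden_for_roaming.clear()
        for lais in self.forbidden.values():
            lais.clear()  # assumption, see lead-in


FALSE_LAI = "LA-false"  # constructed value


def false_nodeb_scenario():
    """False NodeB rejects the location update, then the routing area update."""
    ue = Variant1UE()
    out = {"after_cs_reject": ue.on_unprotected_reject(Domain.CS, FALSE_LAI)}
    out["suitable_after_cs_reject"] = ue.cell_suitable(FALSE_LAI)
    out["cs_retry_allowed"] = ue.may_initiate(Domain.CS, FALSE_LAI)
    out["after_ps_reject"] = ue.on_unprotected_reject(Domain.PS, FALSE_LAI)
    out["suitable_after_ps_reject"] = ue.cell_suitable(FALSE_LAI)
    ue.on_t3247_expiry()
    out["suitable_after_t3247"] = ue.cell_suitable(FALSE_LAI)
    return out


def ps_only_subscriber_scenario():
    """Genuine network, PS-only subscription, UE moving through four location areas."""
    ue = Variant1UE(max_events=3)
    trace = []
    for lai in ["LA-10", "LA-11", "LA-12", "LA-13"]:  # constructed values
        action = ue.on_unprotected_reject(Domain.CS, lai)
        ue.on_accept(Domain.PS)
        trace.append((action, ue.cell_suitable(lai), ue.may_initiate(Domain.PS, lai)))
    return trace, ue.usim_invalid[Domain.CS]


if __name__ == "__main__":
    print(false_nodeb_scenario())
    print(ps_only_subscriber_scenario())
```

In the second scenario PS service is available in every location area from the first reject onward, and the CS counter still reaches its maximum so the UE stops retrying for the domain it has no subscription for.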
[00034] In another embodiment, Variant 2, the UE 114 maintains a first list of "forbidden cells for non-GPRS services (i.e., CS services)" and a second list of "forbidden cells for GPRS services (i.e., PS services)". When the UE 114 receives a reject message which causes the UE 114 to set the USIM invalid for one of the two domains, the CS domain or the PS domain, the UE 114 checks whether the cell ID of the cell where the UE 114 received the reject message is already included in the domain-specific list of forbidden cells for the other domain. If not, then the UE 114 adds the cell ID to the domain-specific list of forbidden cells for the domain for which the reject was received. Additionally, the UE 114 stays on the current cell, attempts to register for the other domain if not done already, and to receive services via that other domain. Otherwise, if the UE 114 is now barred from receiving any services via the cell, then the UE 114 requests its access stratum (AS) to bar the cell for a certain time and search for a suitable cell. If the cell is barred, it is not considered as "suitable", and the UE 114 is not permitted to select/re-select this cell, not even for emergency calls.
[00035] In yet another embodiment, Variant 3, which may be combined with Variant 1 or Variant 2, the UE 114 additionally attempts to search for another suitable cell which may belong to the same location area. The objective in this embodiment is to have the UE 114 leave the fake UTRAN cell of false NodeB 210 if possible and receive services via a genuine cell of a genuine NodeB 116. In another embodiment, Variant 4, which may be combined with Variant 1 or Variant 2, the UE 114 additionally attempts to search for a suitable cell in another location or tracking area. The objective in this embodiment is to have the UE 114 leave the fake UTRAN cell of false NodeB 210 if possible and receive services for both domains via a genuine cell of genuine NodeB 116.
[00036] Compared to Option 1 and Option 2 currently specified in 3GPP TS 24.008, one advantage of the embodiments shown in and described with respect to FIG. 4A and FIG. 4B is that the UE 114 does not set the USIM invalid for one domain. For example, if the reject for the PS domain was sent by a false NodeB 210, the UE 114 is not completely barred from receiving any PS services during the next 30 to 60 minutes, but it can receive PS services if it succeeds in finding a genuine cell of a genuine NodeB 116. Compared to Option 1, an additional advantage of the embodiments shown in and described with respect to FIG. 4A and FIG. 4B may be as follows. If the reject is genuine, that is if the UE 114 has a subscription for one domain only, then due to the maintenance of the counters for the CS domain and the PS domain, after a certain number of attempts the UE 114 refrains from further registration attempts for the respective domain.
[00037] Compared to Option 3, if the reject is received from a false NodeB 210, the embodiments shown in and described with respect to FIG. 4A and FIG. 4B avoid the ping-pong effect of reselection back and forth between a fake UTRAN cell and a genuine UTRAN cell, because after adding the LAI to the respective domain-specific list the UE 114 refrains from further registration attempts for the respective domain in the cell where the reject message is received. It should be noted that when the LAI is added only to one of the domain-specific forbidden lists, the cell does not become an unsuitable cell. As a result, another advantage of embodiments described herein is that the UE 114 is still able to camp on the original cell and receive services for the other domain, if the cell is the only one available to the UE 114. If the reject is received from a genuine NodeB 116, then compared to Option 3 the embodiments described herein reduce the amount of new registration attempts, as the UE 114 is allowed to stay on the current cell and receive services for the other domain.
[00038] Compared to Option 4, the embodiments shown in and described with respect to FIG. 4A and FIG. 4B avoid the selection of another cell where additional registration attempts for both domains need to be performed. Instead, the UE 114 accepts the limitation to services from one domain until it leaves the current location area or the timer T3247 expires. Especially for the case that the reject is received from a genuine NodeB 116, this means that the UE 114 can immediately use services via the other domain, whereas for Option 4 the UE 114 will not be able to receive any services until the counter for the domain for which the UE 114 does not have a subscription reaches its maximum value which for example could take several hours.
[00039] In Variant 2 of the embodiments described herein, where the UE 114 maintains a first list of "forbidden cells for non-GPRS services" and a second list of "forbidden cells for GPRS services", the effect of a false NodeB 210 attack can be limited to the false cell, whereas for Variant 1 a whole location area could be affected. If the UE 114 succeeds in finding a genuine neighbor cell, the UE 114 can receive services for both domains there, whereas for Variant 1 the UE 114 will need to find a genuine neighbor cell in another location area. Generally, however, if the UE 114 receives a reject message without integrity protection, the UE 114 may attempt to select a cell different from the current cell, because if the current cell is a false and/or malicious cell, then that cell should not be used for services via the other domain. Therefore, Variant 1 or Variant 2 could be combined with Variant 3 or Variant 4 in one or more embodiments, although the scope of the claimed subject matter is not limited in this respect.
[00040] In one or more embodiments Variant 1 or Variant 2 may be combined with Variant 3 or Variant 4 when the UE 114 is additionally required to search for another suitable cell as in Variant 3, or for a suitable cell in another location area or tracking area as in Variant 4. For such a case, Variant 2 may be particularly effective for the case of a false NodeB 210 attack because only a single cell is marked as forbidden. If the reject is sent by a genuine NodeB 116, that is, if the subscriber indeed has a subscription for one domain only, for Variant 2 the UE 114 will attempt registration in more cells in its neighborhood until all of them have been added to one of the forbidden lists and the UE 114 can remain on a cell and receive services for the other domain there. In some instances, the probability for a false NodeB 210 attack using MM cause #2 or GMM cause #7 may be smaller than the probability that the subscriber indeed has a subscription for CS services or PS services only. In such embodiments, the combination of Variant 1 with Variant 3 or Variant 4 may be applied, although the scope of the claimed subject matter is not limited in this respect.
[00041] In one or more embodiments, the following changes may be implemented to 3GPP TS 24.008 to realize the embodiments described herein with the changes being marked with underline and/or strikethrough, and ellipses "..." indicating where text from 3GPP TS 24.008 was omitted.
4.1.1.6A Specific requirements for the MS when receiving non-integrity protected reject messages
This subclause specifies the requirements for an MS that is not configured to use timer T3245 (see 3GPP TS 24.368 [135] or 3GPP TS 31.102 [112]) and receives a LOCATION UPDATING REJECT, CM SERVICE REJECT, ABORT, ATTACH REJECT, ROUTING AREA UPDATE REJECT or SERVICE REJECT message without integrity protection.
NOTE 1: Additional MS requirements for this case and requirements for the case when the MS receives a successfully integrity checked reject message are specified in subclauses 4.4.4.7, 4.5.1.1, 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4.
The MS may maintain a list of PLMN-specific attempt counters and a list of PLMN-specific PS-attempt counters. The maximum number of possible entries in each list is implementation dependent.
Additionally, the MS may maintain one counter for "SIM/USIM considered invalid for non-GPRS services" events and one counter for "SIM/USIM considered invalid for GPRS services" events.
The MS may also maintain a list of "forbidden location areas for non-GPRS services" and a list of "forbidden location areas for GPRS services". If the MS is in a location area which is included in the list of "forbidden location areas for non-GPRS services", the MS shall not initiate any MM procedure. If the MS is in a location area which is included in the list of "forbidden location areas for GPRS services", the MS shall not initiate any GMM procedure.
If the MS receives a LOCATION UPDATING REJECT message without integrity protection before the network has activated the integrity protection for the CS domain, the MS shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running, and take the following actions:
1) if the MM cause value received is #3 or #6, and
a) if the MS maintains a counter for "SIM/USIM considered invalid for non-GPRS services" events and the counter has a value less than an MS implementation-specific maximum value, the MS shall:
i) delete any LAI, TMSI and ciphering key sequence number stored in the SIM/USIM, reset the location update attempt counter, and set the update status to ROAMING NOT ALLOWED (and store it in the SIM/USIM according to subclause 4.1.2.2);
delete the list of equivalent PLMNs;
increment the counter for "SIM/USIM considered invalid for non-GPRS services" events;
reset the location update attempt counter;
store the current LAI in the list of "forbidden location areas for roaming"; and
search for a suitable cell in another location area or a tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121]; or
ii) proceed as specified in subclause 4.4.4.7 and;
increment the counter for "SIM/USIM considered invalid for non-GPRS services" events; and
b) else the MS shall proceed as specified in subclause 4.4.4.7;
2) if the MM cause value received is #2, and
a) if the MS maintains a counter for "SIM/USIM considered invalid for non-GPRS services" events and the counter has a value less than an MS implementation-specific maximum value, the MS shall:
i) if the MS maintains a list of "forbidden location areas for non-GPRS services":
delete any LAI, TMSI and ciphering key sequence number stored in the SIM/USIM, reset the location update attempt counter, and set the update status to ROAMING NOT ALLOWED (and store it in the SIM/USIM according to subclause 4.1.2.2);
delete the list of equivalent PLMNs;
increment the counter for "SIM/USIM considered invalid for non-GPRS services" events;
reset the location update attempt counter;
if the current LAI is included in the list of "forbidden location areas for GPRS services", store the current LAI in the list of "forbidden location areas for roaming"; otherwise store the current LAI in the list of "forbidden location areas for non-GPRS services"; and
search for another suitable cell in another location area or a tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121]; or
ii) proceed as specified in subclause 4.4.4.7 and;
increment the counter for "SIM/USIM considered invalid for non-GPRS services" events; and
b) else the MS shall proceed as specified in subclause 4.4.4.7;
3) if the MM cause value received is #12, #13 or #15, the MS shall additionally proceed as specified in subclause 4.4.4.7;
4) if the MM cause value received is #11 and the MS is in its HPLMN or in a PLMN that is within the EHPLMN list:
the MS shall delete any LAI, TMSI and ciphering key sequence number stored in the SIM/USIM, reset the location update attempt counter, and set the update status to ROAMING NOT ALLOWED (and store it in the SIM/USIM according to subclause 4.1.2.2). Additionally, the MS shall reset the location update attempt counter. The MS shall store the current LAI in the list of "forbidden location areas for roaming"; and
the MS shall search for a suitable cell in another location area or a tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121]; and
5) if the MM cause value received is #11 and if the MS is not in its HPLMN or in a PLMN that is within the EHPLMN list, in addition to the MS requirements specified in subclause 4.4.4.7,
if the MS maintains a list of PLMN-specific attempt counters and the PLMN-specific attempt counter for the PLMN sending the reject message has a value less than an MS implementation-specific maximum value, the MS shall increment the PLMN-specific attempt counter for the PLMN.
If the MS receives a CM SERVICE REJECT or ABORT message with MM cause value #6 without integrity protection before the network has activated the integrity protection for the CS domain, the MS shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running, and
a) if the MS maintains a counter for "SIM/USIM considered invalid for non-GPRS services" events and the counter has a value less than an MS implementation-specific maximum value, the MS shall:
i) proceed as specified in subclauses 4.5.1.1 or 4.3.5.2 respectively with the exception that the MS shall not consider the SIM/USIM as invalid for non-GPRS services; and
delete the list of equivalent PLMNs;
increment the counter for "SIM/USIM considered invalid for non-GPRS services" events;
reset the location update attempt counter;
store the current LAI in the list of "forbidden location areas for roaming"; and
search for a suitable cell in another location area or a tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121]; or
ii) proceed as specified in subclauses 4.5.1.1 or 4.3.5.2 respectively; and
increment the counter for "SIM/USIM considered invalid for non-GPRS services" events; and
b) else the MS shall proceed as specified in subclause 4.5.1.1 or 4.3.5.2 respectively.
If the MS receives an ATTACH REJECT or ROUTING AREA UPDATE REJECT message without integrity protection before the network has activated the integrity protection for the PS domain, the MS shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running, and shall take the following actions:
6) if the GMM cause value received is #3, #6, or #8, and
a) if the MS maintains a counter for "SIM/USIM considered invalid for GPRS services" events and the counter has a value less than an MS implementation-specific maximum value, the MS shall:
i) set the GPRS update status to GU3 ROAMING NOT ALLOWED (and shall store it according to subclause 4.1.3.2) and shall delete any RAI, P-TMSI, P-TMSI signature and GPRS ciphering key sequence number;
delete the list of equivalent PLMNs;
increment the counter for "SIM/USIM considered invalid for GPRS services" events;
if the MS maintains a counter for "SIM/USIM considered invalid for non-GPRS services" events and the counter has a value less than an MS implementation-specific maximum value, increment the counter for "SIM/USIM considered invalid for non-GPRS services" events;
if a GPRS attach or routing area updating procedure was performed, reset the GPRS attach attempt counter or the routing area updating attempt counter, respectively;
store the current LAI in the list of "forbidden location areas for roaming" and enter the state GMM-DEREGISTERED.LIMITED-SERVICE; and
search for a suitable cell in another location area or a tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121]; or
ii) proceed as specified in subclauses 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4; and
increment the counter for "SIM/USIM considered invalid for non-GPRS services" events; and
b) else the MS shall proceed as specified in subclause 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4;
7) if the GMM cause value received is #7, and
a) if the MS maintains a counter for "SIM/USIM considered invalid for GPRS services" events and the counter has a value less than an MS implementation-specific maximum value, the MS shall:
i) if the MS maintains a list of "forbidden location areas for GPRS services":
set the GPRS update status to GU3 ROAMING NOT ALLOWED (and shall store it according to subclause 4.1.3.2) and shall delete any RAI, P-TMSI, P-TMSI signature and GPRS ciphering key sequence number;
delete the list of equivalent PLMNs;
increment the counter for "SIM/USIM considered invalid for GPRS services" events;
if a GPRS attach or routing area updating procedure was performed, reset the GPRS attach attempt counter or the routing area updating attempt counter, respectively;
enter the state GMM-DEREGISTERED.LIMITED-SERVICE;
if the current LAI is included in the list of "forbidden location areas for non-GPRS services", store the current LAI in the list of "forbidden location areas for roaming"; otherwise store the current LAI in the list of "forbidden location areas for GPRS services"; and
search for another suitable cell in another location area or a tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121]; or
ii) proceed as specified in subclauses 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4; and
increment the counter for "SIM/USIM considered invalid for non-GPRS services" events; and
b) else the MS shall proceed as specified in subclause 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4;
8) if the GMM cause value received is #12, #13 or #15, the MS shall additionally proceed as specified in subclauses 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4;
9) if the GMM cause value received is #11 or #14 and the MS is in its HPLMN or in a PLMN that is within the EHPLMN list:
the MS shall set the GPRS update status to GU3 ROAMING NOT ALLOWED (and shall store it according to subclause 4.1.3.2) and shall delete any RAI, P-TMSI, P-TMSI signature and GPRS ciphering key sequence number. The MS shall delete the list of equivalent PLMNs. Additionally, if a GPRS attach or the routing area updating procedure was performed, the MS shall reset the GPRS attach attempt counter or the routing area updating attempt counter respectively;
the MS shall store the current LAI in the list of "forbidden location areas for roaming", and enter the state GMM-DEREGISTERED.LIMITED-SERVICE;
- if S1 mode is supported in the MS, the MS shall handle the EMM parameters EMM state, EPS update status, GUTI, last visited registered TAI, TAI list, KSI and attach attempt counter or tracking area updating attempt counter as specified in 3GPP TS 24.301 [120] for the case when the procedure is rejected with the EMM cause with the same value without integrity protection; and
- the MS shall search for a suitable cell in another location area or in another tracking area according to 3GPP TS 43.022 [82] and 3GPP TS 25.304 [98] or 3GPP TS 36.304 [121].
10) if the GMM cause value received is #11 and the MS is not in its HPLMN or in a PLMN that is within the EHPLMN list, the MS shall additionally proceed as specified in subclauses 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4:
- Furthermore, if the MS maintains a list of PLMN-specific attempt counters and the PLMN-specific attempt counter for the PLMN sending the reject message has a value less than an MS implementation-specific maximum value, the MS shall increment the PLMN-specific attempt counter for the PLMN.
11) if the GMM cause value received is #14 and the MS is not in its HPLMN or in a PLMN that is within the EHPLMN list, the MS shall additionally proceed as specified in subclauses 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, and 4.7.5.2.4:
Furthermore, if the MS maintains a list of PLMN-specific PS-attempt counters and the PLMN-specific PS-attempt counter for the PLMN sending the reject message has a value less than an MS implementation-specific maximum value, the MS shall increment the PLMN-specific PS-attempt counter for the PLMN.
If the MS receives a SERVICE REJECT message without integrity protection with GMM cause value #3, #6, #7, #8, #11, #12, #13 or #15 before the network has activated the integrity protection for the PS domain, the MS shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running, and proceed as specified under items 6, 7, 8, 9 and 10 above.
Upon expiry of timer T3247, the MS shall:
erase the list of "forbidden location areas for regional provision of service" and the list of "forbidden location areas for roaming";
set the SIM/USIM to valid for non-GPRS services, if
the MS does not maintain a counter for "SIM/USIM considered invalid for non-GPRS services" events; or
the MS maintains a counter for "SIM/USIM considered invalid for non-GPRS services" events and this counter has a value less than an MS implementation-specific maximum value.
set the SIM/USIM to valid for GPRS services, if
the MS does not maintain a counter for "SIM/USIM considered invalid for GPRS services" events; or
the MS maintains a counter for "SIM/USIM considered invalid for GPRS services" events and this counter has a value less than an MS implementation-specific maximum value.
erase the list of "forbidden location areas for non-GPRS services" and the list of "forbidden location areas for GPRS services", if the MS maintains these lists;
if the MS maintains a list of PLMN-specific attempt counters, for each PLMN-specific attempt counter that has a value greater than zero and less than an MS implementation-specific maximum value, remove the respective PLMN from the forbidden PLMN list;
if the MS maintains a list of PLMN-specific PS-attempt counters, for each PLMN-specific PS-attempt counter that has a value greater than zero and less than an MS implementation-specific maximum value, remove the respective PLMN from the "forbidden PLMNs for GPRS service" list. If the resulting "forbidden PLMNs for GPRS service" list is empty and the MS is supporting S1 mode, the MS re-enables the E-UTRA capability as specified in 3GPP TS 24.301 [120] for the case when timer T3247 expires;
if the MS is supporting S1 mode, handle the list of "forbidden tracking areas for regional provision of service" and the list of "forbidden tracking areas for roaming" as specified in 3GPP TS 24.301 [120] for the case when timer T3247 expires; and
- initiate a location updating procedure, GPRS attach procedure or routing area updating procedure, if still needed, dependent on MM state and update status, and GMM state and GPRS update status, or perform a PLMN selection according to 3GPP TS 23.122 [14].
If the MS maintains a list of PLMN-specific attempt counters and PLMN-specific PS-attempt counters, when the MS is switched off, the MS shall, for each PLMN-specific attempt counter that has a value greater than zero and less than the MS implementation-specific maximum value, remove the respective PLMN from the forbidden PLMN list. When the SIM/USIM is removed, the MS should perform this action.
NOTE 2: If the respective PLMN was stored in the extension of the "forbidden PLMNs" list, then according to 3GPP TS 23.122 [14] the MS will delete the contents of this extension when the SIM/USIM is removed.
4.4.4.6 Location updating accepted by the network
If the location updating is accepted by the network a LOCATION UPDATING ACCEPT message is transferred to the mobile station. If the MS receives the LOCATION UPDATING ACCEPT message from a PLMN for which a PLMN-specific attempt counter or PLMN-specific PS-attempt counter is maintained (see subclause 4.1.1.6A), then the MS shall reset these counters. If the MS maintains a counter for "SIM/USIM considered invalid for non-GPRS services", then the MS shall reset this counter.
4.7.3.1.3 GPRS attach accepted by the network
During an attach for emergency bearer services, if not restricted by local regulations, the network shall not check for mobility and access restrictions, regional restrictions, subscription restrictions, or perform CSG access control when processing the ATTACH REQUEST message. The network shall not apply subscribed APN based congestion control during an attach procedure for emergency bearer services.
If the MS receives the ATTACH ACCEPT message from a PLMN for which a PLMN-specific attempt counter or PLMN-specific PS-attempt counter is maintained (see subclause 4.1.1.6A), then the MS shall reset these counters. If the MS maintains a counter for "SIM/USIM considered invalid for GPRS services", then the MS shall reset this counter.
4.7.5.1.3 Normal and periodic routing area updating procedure accepted by the network
If the routing area updating request has been accepted by the network, a ROUTING AREA UPDATE ACCEPT message shall be sent to the MS. The network may assign a new P-TMSI and/or a new P-TMSI signature for the MS. If a new P-TMSI and/or P-TMSI signature have been assigned to the MS, it/they shall be included in the ROUTING AREA UPDATE ACCEPT message together with the routing area identification. In a shared network, if the MS is a network sharing supporting MS, the network shall indicate the PLMN identity of the CN operator that has accepted the routing area updating request in the RAI contained in the ROUTING AREA UPDATE ACCEPT message; if the MS is a network sharing non-supporting MS, the network shall indicate the PLMN identity of the common PLMN (see 3GPP TS 23.251 [109]).
If the MS receives the ROUTING AREA UPDATE ACCEPT message from a PLMN for which a PLMN-specific attempt counter or PLMN-specific PS-attempt counter is maintained (see subclause 4.1.1.6A), then the MS shall reset these counters. If the MS maintains a counter for "SIM/USIM considered invalid for GPRS services", then the MS shall reset this counter.
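The item 6 handling of an unprotected ATTACH REJECT, the T3247 expiry actions and the counter reset on ATTACH ACCEPT described above, as a small state model (an added example, not code from the patent or from 3GPP). The maximum of 3 events, the field names and the LAI strings are assumptions, only the GPRS counter is modelled, and the legacy handling of the referenced subclauses is reduced to marking the USIM invalid for GPRS services.

```python
import random
from dataclasses import dataclass, field
from typing import Optional, Set

T3247_RANGE_S = (30 * 60, 60 * 60)   # 30 to 60 minutes, as stated in the text
ITEM_6_CAUSES = {3, 6, 8}            # GMM cause values covered by item 6


@dataclass
class MsPsState:
    max_events: int = 3              # assumed MS implementation-specific maximum
    gprs_invalid_events: int = 0     # "SIM/USIM considered invalid for GPRS services" events
    usim_valid_for_gprs: bool = True
    gprs_update_status: str = "GU1 UPDATED"
    gmm_state: str = "GMM-REGISTERED"
    p_tmsi: Optional[str] = "constructed-p-tmsi"  # stands in for RAI, P-TMSI, signature, CKSN
    attach_attempts: int = 0
    equivalent_plmns: Set[str] = field(default_factory=set)
    forbidden_las_roaming: Set[str] = field(default_factory=set)
    t3247_expiry: Optional[float] = None          # None means the timer is not running


def on_unprotected_attach_reject(ms, cause, current_lai, now, rng=random):
    """ATTACH REJECT received before integrity protection is active (item 6)."""
    if cause not in ITEM_6_CAUSES:
        raise ValueError("only GMM causes #3, #6 and #8 are modelled")
    # T3247 is started only if it is not already running, so repeated
    # rejects cannot keep pushing the recovery time further out.
    if ms.t3247_expiry is None:
        ms.t3247_expiry = now + rng.uniform(*T3247_RANGE_S)
    if ms.gprs_invalid_events < ms.max_events:
        # Branch a) i): forbid this location area, keep the USIM valid.
        ms.gprs_update_status = "GU3 ROAMING NOT ALLOWED"
        ms.p_tmsi = None
        ms.equivalent_plmns.clear()
        ms.gprs_invalid_events += 1
        ms.attach_attempts = 0
        ms.forbidden_las_roaming.add(current_lai)
        ms.gmm_state = "GMM-DEREGISTERED.LIMITED-SERVICE"
        return "temporary-block"
    # Branch b): counter exhausted, fall back to the legacy handling
    # (assumption: it marks the USIM invalid for GPRS services).
    ms.p_tmsi = None
    ms.usim_valid_for_gprs = False
    ms.gmm_state = "GMM-DEREGISTERED"
    return "legacy"


def on_t3247_expiry(ms):
    """Expiry actions: erase the forbidden list, revalidate the USIM if allowed."""
    ms.t3247_expiry = None
    ms.forbidden_las_roaming.clear()
    if ms.gprs_invalid_events < ms.max_events:
        ms.usim_valid_for_gprs = True
    return ms.usim_valid_for_gprs


def on_attach_accept(ms):
    """An ATTACH ACCEPT resets the event counter."""
    ms.gprs_invalid_events = 0
    ms.gprs_update_status = "GU1 UPDATED"
    ms.gmm_state = "GMM-REGISTERED"


def simulate(rejects=4, seed=1):
    """Constructed scenario: repeated unprotected rejects with cause #3,
    one per minute and each in a different location area, then T3247 expiry."""
    rng = random.Random(seed)
    ms = MsPsState(equivalent_plmns={"constructed-PLMN"})
    log = []
    for i in range(rejects):
        lai = "constructed-LAI-%d" % i
        log.append(on_unprotected_attach_reject(ms, 3, lai, 60.0 * i, rng))
    log.append("valid" if on_t3247_expiry(ms) else "invalid")
    return log, ms


if __name__ == "__main__":
    print(simulate(rejects=2)[0])
    print(simulate(rejects=4)[0])
```

With the assumed maximum of 3, the fourth unprotected reject falls through to legacy handling and the USIM stays invalid after T3247 expires, which is the bound the counter places on the recovery mechanism.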
[00042] FIG. 5 illustrates an architecture of a system 500 of a network in accordance with some embodiments. The system 500 is shown to include a user equipment (UE) 501 and a UE 502. The UEs 501 and 502 are illustrated as smartphones (e.g., handheld touchscreen mobile computing devices connectable to one or more cellular networks), but may also comprise any mobile or non-mobile computing device, such as Personal Data Assistants (PDAs), pagers, laptop computers, desktop computers, wireless handsets, or any computing device including a wireless communications interface.
[00043] In some embodiments, any of the UEs 501 and 502 can comprise an Internet of Things (IoT) UE, which can comprise a network access layer designed for low-power IoT applications utilizing short-lived UE connections. An IoT UE can utilize technologies such as machine-to-machine (M2M) or machine-type communications (MTC) for exchanging data with an MTC server or device via a public land mobile network (PLMN), Proximity-Based Service (ProSe) or device-to-device (D2D) communication, sensor networks, or IoT networks. The M2M or MTC exchange of data may be a machine-initiated exchange of data. An IoT network describes interconnecting IoT UEs, which may include uniquely identifiable embedded computing devices (within the Internet infrastructure), with short-lived connections. The IoT UEs may execute background applications (e.g., keep-alive messages, status updates, etc.) to facilitate the connections of the IoT network.
[00044] The UEs 501 and 502 may be configured to connect, e.g., communicatively couple, with a radio access network (RAN) 510; the RAN 510 may be, for example, an Evolved Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (E-UTRAN), a NextGen RAN (NG RAN), or some other type of RAN. The UEs 501 and 502 utilize connections 503 and 504, respectively, each of which comprises a physical communications interface or layer (discussed in further detail below); in this example, the connections 503 and 504 are illustrated as an air interface to enable communicative coupling, and can be consistent with cellular communications protocols, such as a Global System for Mobile Communications (GSM) protocol, a code-division multiple access (CDMA) network protocol, a Push-to-Talk (PTT) protocol, a PTT over Cellular (POC) protocol, a Universal Mobile Telecommunications System (UMTS) protocol, a 3GPP Long Term Evolution (LTE) protocol, a fifth generation (5G) protocol, a New Radio (NR) protocol, and the like.
[00045] In this embodiment, the UEs 501 and 502 may further directly exchange communication data via a ProSe interface 505. The ProSe interface 505 may alternatively be referred to as a sidelink interface comprising one or more logical channels, including but not limited to a Physical Sidelink Control Channel (PSCCH), a Physical Sidelink Shared Channel (PSSCH), a Physical Sidelink Discovery Channel (PSDCH), and a Physical Sidelink Broadcast Channel (PSBCH).
[00046] The UE 502 is shown to be configured to access an access point (AP) 506 via connection 507. The connection 507 can comprise a local wireless connection, such as a connection consistent with any IEEE 802.11 protocol, wherein the AP 506 would comprise a wireless fidelity (WiFi®) router. In this example, the AP 506 is shown to be connected to the Internet without connecting to the core network of the wireless system (described in further detail below).
[00047] The RAN 510 can include one or more access nodes that enable the connections 503 and 504. These access nodes (ANs) can be referred to as base stations (BSs), NodeBs, evolved NodeBs (eNBs), next Generation NodeBs (gNB), RAN nodes, and so forth, and can comprise ground stations (e.g., terrestrial access points) or satellite stations providing coverage within a geographic area (e.g., a cell). The RAN 510 may include one or more RAN nodes for providing macrocells, e.g., macro RAN node 511, and one or more RAN nodes for providing femtocells or picocells (e.g., cells having smaller coverage areas, smaller user capacity, or higher bandwidth compared to macrocells), e.g., low power (LP) RAN node 512.
[00048] Any of the RAN nodes 511 and 512 can terminate the air interface protocol and can be the first point of contact for the UEs 501 and 502. In some embodiments, any of the RAN nodes 511 and 512 can fulfill various logical functions for the RAN 510 including, but not limited to, radio network controller (RNC) functions such as radio bearer management, uplink and downlink dynamic radio resource management and data packet scheduling, and mobility management.
[00049] In accordance with some embodiments, the UEs 501 and 502 can be configured to communicate using Orthogonal Frequency-Division Multiplexing (OFDM) communication signals with each other or with any of the RAN nodes 511 and 512 over a multicarrier communication channel in accordance with various communication techniques, such as, but not limited to, an Orthogonal Frequency-Division Multiple Access (OFDMA) communication technique (e.g., for downlink communications) or a Single Carrier Frequency Division Multiple Access (SC-FDMA) communication technique (e.g., for uplink and ProSe or sidelink communications), although the scope of the embodiments is not limited in this respect. The OFDM signals can comprise a plurality of orthogonal subcarriers.
[00050] In some embodiments, a downlink resource grid can be used for downlink transmissions from any of the RAN nodes 511 and 512 to the UEs 501 and 502, while uplink transmissions can utilize similar techniques. The grid can be a time-frequency grid, called a resource grid or time-frequency resource grid, which is the physical resource in the downlink in each slot. Such a time-frequency plane representation is a common practice for OFDM systems, which makes it intuitive for radio resource allocation. Each column and each row of the resource grid corresponds to one OFDM symbol and one OFDM subcarrier, respectively. The duration of the resource grid in the time domain corresponds to one slot in a radio frame. The smallest time-frequency unit in a resource grid is denoted as a resource element. Each resource grid comprises a number of resource blocks, which describe the mapping of certain physical channels to resource elements. Each resource block comprises a collection of resource elements; in the frequency domain, this may represent the smallest quantity of resources that currently can be allocated. There are several different physical downlink channels that are conveyed using such resource blocks.
[00051] The physical downlink shared channel (PDSCH) may carry user data and higher-layer signaling to the UEs 501 and 502. The physical downlink control channel (PDCCH) may carry information about the transport format and resource allocations related to the PDSCH channel, among other things. It may also inform the UEs 501 and 502 about the transport format, resource allocation, and H-ARQ (Hybrid Automatic Repeat Request) information related to the uplink shared channel. Typically, downlink scheduling (assigning control and shared channel resource blocks to the UE 102 within a cell) may be performed at any of the RAN nodes 511 and 512 based on channel quality information fed back from any of the UEs 501 and 502. The downlink resource assignment information may be sent on the PDCCH used for (e.g., assigned to) each of the UEs 501 and 502.
[00052] The PDCCH may use control channel elements (CCEs) to convey the control information. Before being mapped to resource elements, the PDCCH complex-valued symbols may first be organized into quadruplets, which may then be permuted using a sub-block interleaver for rate matching. Each PDCCH may be transmitted using one or more of these CCEs, where each CCE may correspond to nine sets of four physical resource elements known as resource element groups (REGs). Four Quadrature Phase Shift Keying (QPSK) symbols may be mapped to each REG. The PDCCH can be transmitted using one or more CCEs, depending on the size of the downlink control information (DCI) and the channel condition. There can be four or more different PDCCH formats defined in LTE with different numbers of CCEs (e.g., aggregation level, L=1, 2, 4, or 8).
[00053] Some embodiments may use concepts for resource allocation for control channel information that are an extension of the above-described concepts. For example, some embodiments may utilize an enhanced physical downlink control channel (EPDCCH) that uses PDSCH resources for control information transmission. The EPDCCH may be transmitted using one or more enhanced control channel elements (ECCEs). Similar to above, each ECCE may correspond to nine sets of four physical resource elements known as enhanced resource element groups (EREGs). An ECCE may have other numbers of EREGs in some situations.
[00054] The RAN 510 is shown to be communicatively coupled to a core network (CN) 520 via an S1 interface 513. In embodiments, the CN 520 may be an evolved packet core (EPC) network, a NextGen Packet Core (NPC) network, or some other type of CN. In this embodiment the S1 interface 513 is split into two parts: the S1-U interface 514, which carries traffic data between the RAN nodes 511 and 512 and the serving gateway (S-GW) 522, and the S1-mobility management entity (MME) interface 515, which is a signaling interface between the RAN nodes 511 and 512 and MMEs 521.
[00055] In this embodiment, the CN 520 comprises the MMEs 521, the S-GW 522, the Packet Data Network (PDN) Gateway (P-GW) 523, and a home subscriber server (HSS) 524. The MMEs 521 may be similar in function to the control plane of legacy Serving General Packet Radio Service (GPRS) Support Nodes (SGSN). The MMEs 521 may manage mobility aspects in access such as gateway selection and tracking area list management. The HSS 524 may comprise a database for network users, including subscription-related information to support the network entities' handling of communication sessions. The CN 520 may comprise one or several HSSs 524, depending on the number of mobile subscribers, on the capacity of the equipment, on the organization of the network, etc. For example, the HSS 524 can provide support for routing/roaming, authentication, authorization, naming/addressing resolution, location dependencies, etc.
[00056] The S-GW 522 may terminate the S1 interface 513 towards the RAN 510, and routes data packets between the RAN 510 and the CN 520. In addition, the S-GW 522 may be a local mobility anchor point for inter-RAN node handovers and also may provide an anchor for inter-3GPP mobility. Other responsibilities may include lawful intercept, charging, and some policy enforcement.
[00057] The P-GW 523 may terminate an SGi interface toward a PDN. The P-GW 523 may route data packets between the EPC network 523 and external networks such as a network including the application server 530 (alternatively referred to as application function (AF)) via an Internet Protocol (IP) interface 525. Generally, the application server 530 may be an element offering applications that use IP bearer resources with the core network (e.g., UMTS Packet Services (PS) domain, LTE PS data services, etc.). In this embodiment, the P-GW 523 is shown to be communicatively coupled to an application server 530 via an IP communications interface 525. The application server 530 can also be configured to support one or more communication services (e.g., Voice-over-Internet Protocol (VoIP) sessions, PTT sessions, group communication sessions, social networking services, etc.) for the UEs 501 and 502 via the CN 520.
[00058] The P-GW 523 may further be a node for policy enforcement and charging data collection. Policy and Charging Enforcement Function (PCRF) 526 is the policy and charging control element of the CN 520. In a non-roaming scenario, there may be a single PCRF in the Home Public Land Mobile Network (HPLMN) associated with a UE's Internet Protocol Connectivity Access Network (IP-CAN) session. In a roaming scenario with local breakout of traffic, there may be two PCRFs associated with a UE's IP-CAN session: a Home PCRF (H-PCRF) within a HPLMN and a Visited PCRF (V-PCRF) within a Visited Public Land Mobile Network (VPLMN). The PCRF 526 may be communicatively coupled to the application server 530 via the P-GW 523. The application server 530 may signal the PCRF 526 to indicate a new service flow and select the appropriate Quality of Service (QoS) and charging parameters. The PCRF 526 may provision this rule into a Policy and Charging Enforcement Function (PCEF) (not shown) with the appropriate traffic flow template (TFT) and QoS class of identifier (QCI), which commences the QoS and charging as specified by the application server 530.
[00059] FIG. 6 illustrates example components of a device 600 in accordance with some embodiments. In some embodiments, the device 600 may include application circuitry 602, baseband circuitry 604, Radio Frequency (RF) circuitry 606, front-end module (FEM) circuitry 608, one or more antennas 610, and power management circuitry (PMC) 612 coupled together at least as shown. The components of the illustrated device 600 may be included in a UE or a RAN node. In some embodiments, the device 600 may include fewer elements (e.g., a RAN node may not utilize application circuitry 602, and instead include a processor/controller to process IP data received from an EPC). In some embodiments, the device 600 may include additional elements such as, for example, memory/storage, display, camera, sensor, or input/output (I/O) interface. In other embodiments, the components described below may be included in more than one device (e.g., said circuitries may be separately included in more than one device for Cloud-RAN (C-RAN) implementations).
[00060] The application circuitry 602 may include one or more application processors. For example, the application circuitry 602 may include circuitry such as, but not limited to, one or more single-core or multi-core processors. The processor(s) may include any combination of general-purpose processors and dedicated processors (e.g., graphics processors, application processors, etc.). The processors may be coupled with or may include memory/storage and may be configured to execute instructions stored in the memory/storage to enable various applications or operating systems to run on the device 600. In some embodiments, processors of application circuitry 602 may process IP data packets received from an EPC.
[00061] The baseband circuitry 604 may include circuitry such as, but not limited to, one or more single-core or multi-core processors. The baseband circuitry 604 may include one or more baseband processors or control logic to process baseband signals received from a receive signal path of the RF circuitry 606 and to generate baseband signals for a transmit signal path of the RF circuitry 606. Baseband processing circuitry 604 may interface with the application circuitry 602 for generation and processing of the baseband signals and for controlling operations of the RF circuitry 606. For example, in some embodiments, the baseband circuitry 604 may include a third generation (3G) baseband processor 604A, a fourth generation (4G) baseband processor 604B, a fifth generation (5G) baseband processor 604C, or other baseband processor(s) 604D for other existing generations, generations in development or to be developed in the future (e.g., second generation (2G), sixth generation (6G), etc.). The baseband circuitry 604 (e.g., one or more of baseband processors 604A-D) may handle various radio control functions that enable communication with one or more radio networks via the RF circuitry 606. In other embodiments, some or all of the functionality of baseband processors 604A-D may be included in modules stored in the memory 604G and executed via a Central Processing Unit (CPU) 604E. The radio control functions may include, but are not limited to, signal modulation/demodulation, encoding/decoding, radio frequency shifting, etc. In some embodiments, modulation/demodulation circuitry of the baseband circuitry 604 may include Fast-Fourier Transform (FFT), precoding, or constellation mapping/demapping functionality. In some embodiments, encoding/decoding circuitry of the baseband circuitry 604 may include convolution, tail-biting convolution, turbo, Viterbi, or Low Density Parity Check (LDPC) encoder/decoder functionality. Embodiments of modulation/demodulation and encoder/decoder functionality are not limited to these examples and may include other suitable functionality in other embodiments.
[00062] In some embodiments, the baseband circuitry 604 may include one or more audio digital signal processor(s) (DSP) 604F. The audio DSP(s) 604F may include elements for compression/decompression and echo cancellation and may include other suitable processing elements in other embodiments. Components of the baseband circuitry may be suitably combined in a single chip, a single chipset, or disposed on a same circuit board in some embodiments. In some embodiments, some or all of the constituent components of the baseband circuitry 604 and the application circuitry 602 may be implemented together such as, for example, on a system on a chip (SOC).
[00063] In some embodiments, the baseband circuitry 604 may provide for communication compatible with one or more radio technologies. For example, in some embodiments, the baseband circuitry 604 may support communication with an evolved universal terrestrial radio access network (EUTRAN) or other wireless metropolitan area networks (WMAN), a wireless local area network (WLAN), or a wireless personal area network (WPAN). Embodiments in which the baseband circuitry 604 is configured to support radio communications of more than one wireless protocol may be referred to as multi-mode baseband circuitry.
[00064] RF circuitry 606 may enable communication with wireless networks using modulated electromagnetic radiation through a non-solid medium. In various embodiments, the RF circuitry 606 may include switches, filters, amplifiers, etc. to facilitate the communication with the wireless network. RF circuitry 606 may include a receive signal path which may include circuitry to down-convert RF signals received from the FEM circuitry 608 and provide baseband signals to the baseband circuitry 604. RF circuitry 606 may also include a transmit signal path which may include circuitry to up-convert baseband signals provided by the baseband circuitry 604 and provide RF output signals to the FEM circuitry 608 for transmission.
[00065] In some embodiments, the receive signal path of the RF circuitry 606 may include mixer circuitry 606a, amplifier circuitry 606b and filter circuitry 606c. In some embodiments, the transmit signal path of the RF circuitry 606 may include filter circuitry 606c and mixer circuitry 606a. RF circuitry 606 may also include synthesizer circuitry 606d for synthesizing a frequency for use by the mixer circuitry 606a of the receive signal path and the transmit signal path. In some embodiments, the mixer circuitry 606a of the receive signal path may be configured to down-convert RF signals received from the FEM circuitry 608 based on the synthesized frequency provided by synthesizer circuitry 606d. The amplifier circuitry 606b may be configured to amplify the down-converted signals and the filter circuitry 606c may be a low-pass filter (LPF) or bandpass filter (BPF) configured to remove unwanted signals from the down-converted signals to generate output baseband signals. Output baseband signals may be provided to the baseband circuitry 604 for further processing. In some embodiments, the output baseband signals may be zero-frequency baseband signals, although this is not a requirement. In some embodiments, mixer circuitry 606a of the receive signal path may comprise passive mixers, although the scope of the embodiments is not limited in this respect.
[00066] In some embodiments, the mixer circuitry 606a of the transmit signal path may be configured to up-convert input baseband signals based on the synthesized frequency provided by the synthesizer circuitry 606d to generate RF output signals for the FEM circuitry 608. The baseband signals may be provided by the baseband circuitry 604 and may be filtered by filter circuitry 606c.
[00067] In some embodiments, the mixer circuitry 606a of the receive signal path and the mixer circuitry 606a of the transmit signal path may include two or more mixers and may be arranged for quadrature downconversion and upconversion, respectively. In some embodiments, the mixer circuitry 606a of the receive signal path and the mixer circuitry 606a of the transmit signal path may include two or more mixers and may be arranged for image rejection (e.g., Hartley image rejection). In some embodiments, the mixer circuitry 606a of the receive signal path and the mixer circuitry 606a may be arranged for direct downconversion and direct upconversion, respectively. In some embodiments, the mixer circuitry 606a of the receive signal path and the mixer circuitry 606a of the transmit signal path may be configured for super-heterodyne operation.
[00068] In some embodiments, the output baseband signals and the input baseband signals may be analog baseband signals, although the scope of the embodiments is not limited in this respect. In some alternate embodiments, the output baseband signals and the input baseband signals may be digital baseband signals. In these alternate embodiments, the RF circuitry 606 may include analog-to-digital converter (ADC) and digital-to-analog converter (DAC) circuitry and the baseband circuitry 604 may include a digital baseband interface to communicate with the RF circuitry 606.
[00069] In some dual-mode embodiments, a separate radio IC circuitry may be provided for processing signals for each spectrum, although the scope of the embodiments is not limited in this respect. In some embodiments, the synthesizer circuitry 606d may be a fractional-N synthesizer or a fractional N/N+1 synthesizer, although the scope of the embodiments is not limited in this respect as other types of frequency synthesizers may be suitable. For example, synthesizer circuitry 606d may be a delta-sigma synthesizer, a frequency multiplier, or a synthesizer comprising a phase-locked loop with a frequency divider.
[00070] The synthesizer circuitry 606d may be configured to synthesize an output frequency for use by the mixer circuitry 606a of the RF circuitry 606 based on a frequency input and a divider control input. In some embodiments, the synthesizer circuitry 606d may be a fractional N/N+1 synthesizer.
[00071] In some embodiments, frequency input may be provided by a voltage controlled oscillator (VCO), although that is not a requirement. Divider control input may be provided by either the baseband circuitry 604 or the applications processor 602 depending on the desired output frequency. In some embodiments, a divider control input (e.g., N) may be determined from a lookup table based on a channel indicated by the applications processor 602.
[00072] Synthesizer circuitry 606d of the RF circuitry 606 may include a divider, a delay-locked loop (DLL), a multiplexer and a phase accumulator. In some embodiments, the divider may be a dual modulus divider (DMD) and the phase accumulator may be a digital phase accumulator (DPA). In some embodiments, the DMD may be configured to divide the input signal by either N or N+1 (e.g., based on a carry out) to provide a fractional division ratio. In some example embodiments, the DLL may include a set of cascaded, tunable, delay elements, a phase detector, a charge pump and a D-type flip-flop. In these embodiments, the delay elements may be configured to break a VCO period up into Nd equal packets of phase, where Nd is the number of delay elements in the delay line. In this way, the DLL provides negative feedback to help ensure that the total delay through the delay line is one VCO cycle.
[00073] In some embodiments, synthesizer circuitry 606d may be configured to generate a carrier frequency as the output frequency, while in other embodiments, the output frequency may be a multiple of the carrier frequency (e.g., twice the carrier frequency, four times the carrier frequency) and used in conjunction with quadrature generator and divider circuitry to generate multiple signals at the carrier frequency with multiple different phases with respect to each other. In some embodiments, the output frequency may be a LO frequency (fLO). In some embodiments, the RF circuitry 606 may include an IQ/polar converter.
[00074] FEM circuitry 608 may include a receive signal path which may include circuitry configured to operate on RF signals received from one or more antennas 610, amplify the received signals and provide the amplified versions of the received signals to the RF circuitry 606 for further processing. FEM circuitry 608 may also include a transmit signal path which may include circuitry configured to amplify signals for transmission provided by the RF circuitry 606 for transmission by one or more of the one or more antennas 610. In various embodiments, the amplification through the transmit or receive signal paths may be done solely in the RF circuitry 606, solely in the FEM 608, or in both the RF circuitry 606 and the FEM 608.
[00075] In some embodiments, the FEM circuitry 608 may include a TX/RX switch to switch between transmit mode and receive mode operation. The FEM circuitry may include a receive signal path and a transmit signal path. The receive signal path of the FEM circuitry may include an LNA to amplify received RF signals and provide the amplified received RF signals as an output (e.g., to the RF circuitry 606). The transmit signal path of the FEM circuitry 608 may include a power amplifier (PA) to amplify input RF signals (e.g., provided by RF circuitry 606), and one or more filters to generate RF signals for subsequent transmission (e.g., by one or more of the one or more antennas 610).
[00076] In some embodiments, the PMC 612 may manage power provided to the baseband circuitry 604. In particular, the PMC 612 may control power-source selection, voltage scaling, battery charging, or DC-to-DC conversion. The PMC 612 may often be included when the device 600 is capable of being powered by a battery, for example, when the device is included in a UE. The PMC 612 may increase the power conversion efficiency while providing desirable implementation size and heat dissipation characteristics.
[00077] FIG. 6 shows the PMC 612 coupled only with the baseband circuitry 604. However, in other embodiments, the PMC 612 may be additionally or alternatively coupled with, and perform similar power management operations for, other components such as, but not limited to, application circuitry 602, RF circuitry 606, or FEM 608.
[00078] In some embodiments, the PMC 612 may control, or otherwise be part of, various power saving mechanisms of the device 600. For example, if the device 600 is in an RRC_Connected state, where it is still connected to the RAN node as it expects to receive traffic shortly, then it may enter a state known as Discontinuous Reception Mode (DRX) after a period of inactivity. During this state, the device 600 may power down for brief intervals of time and thus save power.
[00079] If there is no data traffic activity for an extended period of time, then the device 600 may transition off to an RRC_Idle state, where it disconnects from the network and does not perform operations such as channel quality feedback, handover, etc. The device 600 goes into a very low power state and it performs paging where again it periodically wakes up to listen to the network and then powers down again. The device 600 may not receive data in this state; in order to receive data, it must transition back to RRC_Connected state.
[00080] An additional power saving mode may allow a device to be unavailable to the network for periods longer than a paging interval (ranging from seconds to a few hours). During this time, the device is totally unreachable to the network and may power down completely. Any data sent during this time incurs a large delay and it is assumed the delay is acceptable.
[00081] Processors of the application circuitry 602 and processors of the baseband circuitry 604 may be used to execute elements of one or more instances of a protocol stack. For example, processors of the baseband circuitry 604, alone or in combination, may be used to execute Layer 3, Layer 2, or Layer 1 functionality, while processors of the application circuitry 604 may utilize data (e.g., packet data) received from these layers and further execute Layer 4 functionality (e.g., transmission communication protocol (TCP) and user datagram protocol (UDP) layers). As referred to herein, Layer 3 may comprise a radio resource control (RRC) layer, described in further detail below. As referred to herein, Layer 2 may comprise a medium access control (MAC) layer, a radio link control (RLC) layer, and a packet data convergence protocol (PDCP) layer, described in further detail below. As referred to herein, Layer 1 may comprise a physical (PHY) layer of a UE/RAN node, described in further detail below.
[00082] FIG. 7 illustrates example interfaces of baseband circuitry in accordance with some embodiments. As discussed above, the baseband circuitry 604 of FIG. 6 may comprise processors 604A-604E and a memory 604G utilized by said processors. Each of the processors 604A-604E may include a memory interface, 704A-704E, respectively, to send/receive data to/from the memory 604G.
[00083] The baseband circuitry 604 may further include one or more interfaces to communicatively couple to other circuitries/devices, such as a memory interface 712 (e.g., an interface to send/receive data to/from memory external to the baseband circuitry 604), an application circuitry interface 714 (e.g., an interface to send/receive data to/from the application circuitry 602 of FIG. 6), an RF circuitry interface 716 (e.g., an interface to send/receive data to/from RF circuitry 606 of FIG. 6), a wireless hardware connectivity interface 718 (e.g., an interface to send/receive data to/from Near Field Communication (NFC) components, Bluetooth® components (e.g., Bluetooth® Low Energy), Wi-Fi® components, and other communication components), and a power management interface 720 (e.g., an interface to send/receive power or control signals to/from the PMC 612).
[00084] The following are example implementations of the subject matter described herein. It should be noted that any of the examples and the variations thereof described herein may be used in any permutation or combination of any other one or more examples or variations, although the scope of the claimed subject matter is not limited in these respects.
[00085] In example one, an apparatus of a user equipment (UE) comprises one or more baseband processors to generate a first list of areas forbidden for circuit-switched (CS) services "forbidden location areas for CS services" and a second list of areas forbidden for packet-switched (PS) "forbidden location areas for PS services", to process a reject message from a cell, wherein the reject message comprises a cause information element indicating that the reject is due to a lack of subscription for CS services or lack of subscription for PS services, or a combination thereof, and to add an area identity of the cell to the first list if the UE does not have a subscription for CS services and the reject message is not integrity protected, or to add the area identity of the cell to the second list if the UE does not have a subscription for PS services and the reject message is not integrity protected, and a memory to store the first list and the second list. Example two may include the subject matter of example one or any of the examples described herein, wherein the circuit-switched (CS) services include non-Global Packet Radio Service (GPRS) services and the packet-switched services (PS) include GPRS services. Example three may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to prevent the UE from initiating a signaling procedure for the CS if the UE is connected to a cell with an area identity included in the first list. Example four may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to prevent the UE from initiating a signaling procedure for the PS domain if the UE is connected to a cell with an area identity included in the second list. 
Example five may include the subject matter of example one or any of the examples described herein, wherein an area identity of the cell from which the reject message was received is a location area identity, a cell identity, or a public land mobile network (PLMN) identity. Example six may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to cause the UE to attempt to change to another suitable cell or to a suitable cell belonging to another location area or tracking area if the reject message is not integrity protected. Example seven may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to initiate a signaling procedure for PS services if the UE is coupled with a cell with an area identity belonging to the first list but not to the second list. Example eight may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to initiate a signaling procedure for CS services if the UE is coupled with a cell with an area identity belonging to the second list but not to the first list. Example nine may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to generate a third list of area identities forbidden for both CS services and PS services, and the one or more baseband processors are to cause the UE to remain on a cell with an area identity that does not belong to the third list. Example ten may include the subject matter of example one or any of the examples described herein, wherein the third list comprises a list of forbidden location areas for roaming.
Example eleven may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to add an area identity to the third list if the area identity is to be added to the first list and the area identity is already in the second list or if the area identity is to be added to the second list and the area identity is already in the first list. Example twelve may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to start a timer if an area identity of the cell from which the reject message was received is to be added to the first list or the second list and the timer is not already running. Example thirteen may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to erase the first list and the second list, and to erase a third list of areas forbidden for both CS services and PS services, if the timer expires. Example fourteen may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to run a first counter for the CS services and to run a second counter for PS services, and the one or more baseband processors are to increment the first counter by 1 if the area identity of the cell from which the reject message is received is added to the first list, and to increment the second counter by 1 if the area identity of the cell from which the reject message is received is added to the second list. 
Example fifteen may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to run a Universal Subscriber Identity Module (USIM) application, and the one or more baseband processors are to set the USIM invalid for CS services if the first counter is incremented to a maximum value for CS services, or to set the USIM invalid for PS services if the second counter is incremented to a maximum value for PS services. Example sixteen may include the subject matter of example one or any of the examples described herein, wherein the one or more baseband processors are to set the first counter to 0 if the one or more baseband processors perform a successful registration for CS services, or to set the second counter to 0 if the one or more baseband processors perform a successful registration for PS services.
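The handling that examples one through sixteen describe for a reject message that is not integrity protected can be modelled as follows. This is an added example, not code from the patent; the class and method names, the string area identities, `max_count`, `timer_seconds`, and the choice to count only newly added area identities are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

CS, PS = "CS", "PS"


@dataclass(frozen=True)
class Reject:
    """Reject message as seen by the UE (constructed model, not a NAS decoder)."""
    area_identity: str               # area identity of the rejecting cell
    no_subscription: FrozenSet[str]  # domains named by the cause information element
    integrity_protected: bool


@dataclass
class UeState:
    max_count: int = 5               # assumed maximum counter value
    timer_seconds: float = 3600.0    # assumed timer duration
    # forbidden[CS] is the first list, forbidden[PS] the second list
    forbidden: Dict[str, Set[str]] = field(
        default_factory=lambda: {CS: set(), PS: set()})
    forbidden_roaming: Set[str] = field(default_factory=set)  # third list
    counter: Dict[str, int] = field(default_factory=lambda: {CS: 0, PS: 0})
    usim_invalid: Dict[str, bool] = field(
        default_factory=lambda: {CS: False, PS: False})
    timer_expiry: Optional[float] = None

    def tick(self, now: float) -> None:
        """Example thirteen: erase all three lists when the timer expires."""
        if self.timer_expiry is not None and now >= self.timer_expiry:
            self.forbidden[CS].clear()
            self.forbidden[PS].clear()
            self.forbidden_roaming.clear()
            self.timer_expiry = None

    def handle_reject(self, msg: Reject, now: float) -> bool:
        """Return True if the reject was unprotected, i.e. the UE should
        attempt to change to another suitable cell (example six)."""
        self.tick(now)
        if msg.integrity_protected:
            return False  # protected rejects are outside this model
        for domain in (CS, PS):
            if domain not in msg.no_subscription:
                continue
            if msg.area_identity in self.forbidden[domain]:
                continue  # assumption: only a newly added identity counts
            other = PS if domain == CS else CS
            if msg.area_identity in self.forbidden[other]:
                # Example eleven: forbidden for both domains -> third list.
                self.forbidden_roaming.add(msg.area_identity)
            self.forbidden[domain].add(msg.area_identity)
            if self.timer_expiry is None:       # example twelve
                self.timer_expiry = now + self.timer_seconds
            self.counter[domain] += 1           # example fourteen
            if self.counter[domain] >= self.max_count:
                self.usim_invalid[domain] = True  # example fifteen
        return True

    def may_initiate(self, domain: str, area_identity: str) -> bool:
        """Examples three, four, seven and eight: per-domain signaling gate."""
        return (not self.usim_invalid[domain]
                and area_identity not in self.forbidden[domain])

    def may_stay_on_cell(self, area_identity: str) -> bool:
        """Example nine: remain only on cells outside the third list."""
        return area_identity not in self.forbidden_roaming

    def registration_success(self, domain: str) -> None:
        """Example sixteen: a successful registration resets that counter."""
        self.counter[domain] = 0


if __name__ == "__main__":
    ue = UeState(max_count=3, timer_seconds=100.0)
    # Constructed sequence: unprotected CS rejects from three different areas.
    for t, area in enumerate(["LA-1", "LA-2", "LA-3"]):
        ue.handle_reject(Reject(area, frozenset({CS}), False), now=float(t))
    print(ue.counter, ue.usim_invalid, ue.may_initiate(PS, "LA-1"))
```

The per-domain lists keep an unprotected CS reject from blocking PS signaling in the same area, and the timer bounds how long a spoofed reject can keep an area on any list.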
[00086] In example seventeen, one or more machine-readable media may have instructions stored thereon that, if executed by an apparatus of a user equipment (UE), result in generating a first list of areas forbidden for circuit-switched (CS) services "forbidden location areas for CS services" and a second list of areas forbidden for packet-switched (PS) "forbidden location areas for PS services", processing a reject message from a cell, wherein the reject message comprises a cause information element indicating that the reject is due to a lack of subscription for CS services or lack of subscription for PS services, or a combination thereof, and adding an area identity of the cell to the first list if the UE does not have a subscription for CS services and the reject message is not integrity protected, or adding the area identity of the cell to the second list if the UE does not have a subscription for PS services and the reject message is not integrity protected. Example eighteen may include the subject matter of example seventeen or any of the examples described herein, wherein the circuit-switched (CS) services include non-Global Packet Radio Service (GPRS) services and the packet-switched services (PS) include GPRS services. Example nineteen may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in preventing the UE from initiating a signaling procedure for the CS if the UE is connected to a cell with an area identity included in the first list. Example twenty may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in preventing the UE from initiating a signaling procedure for the PS domain if the UE is connected to a cell with an area identity included in the second list.
Example twenty-one may include the subject matter of example seventeen or any of the examples described herein, wherein an area identity of the cell from which the reject message was received is a location area identity, a cell identity, or a public land mobile network (PLMN) identity. Example twenty-two may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in causing the UE to attempt to change to another suitable cell or to a suitable cell belonging to another location area or tracking area if the reject message is not integrity protected. Example twenty-three may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in initiating a signaling procedure for PS services if the UE is coupled with a cell with an area identity belonging to the first list but not to the second list. Example twenty-four may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in initiating a signaling procedure for CS services if the UE is coupled with a cell with an area identity belonging to the second list but not to the first list. Example twenty-five may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in generating a third list of area identities forbidden for both CS services and PS services, and causing the UE to remain on a cell with an area identity that does not belong to the third list. Example twenty-six may include the subject matter of example seventeen or any of the examples described herein, wherein the third list comprises a list of forbidden location areas for roaming.
Example twenty-seven may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in adding an area identity to the third list if the area identity is to be added to the first list and the area identity is already in the second list or if the area identity is to be added to the second list and the area identity is already in the first list. Example twenty-eight may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in starting a timer if an area identity of the cell from which the reject message was received is to be added to the first list or the second list and the timer is not already running. Example twenty-nine may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in erasing the first list and the second list, and erasing a third list of areas forbidden for both CS services and PS services, if the timer expires. Example thirty may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in running a first counter for the CS services and running a second counter for PS services, and incrementing the first counter by 1 if the area identity of the cell from which the reject message is received is added to the first list, and incrementing the second counter by 1 if the area identity of the cell from which the reject message is received is added to the second list. 
Example thirty-one may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in running a Universal Subscriber Identity Module (USIM) application, and setting the USIM invalid for CS services if the first counter is incremented to a maximum value for CS services, or setting the USIM invalid for PS services if the second counter is incremented to a maximum value for PS services. Example thirty-two may include the subject matter of example seventeen or any of the examples described herein, wherein the instructions, if executed, further result in setting the first counter to 0 if a registration for CS services is successful, or setting the second counter to 0 if a registration for PS services is successful.
[00087] In example thirty-three, an apparatus of a user equipment (UE) comprises means for generating a first list of areas forbidden for circuit-switched (CS) services "forbidden location areas for CS services" and a second list of areas forbidden for packet-switched (PS) "forbidden location areas for PS services", means for processing a reject message from a cell, wherein the reject message comprises a cause information element indicating that the reject is due to a lack of subscription for CS services or lack of subscription for PS services, or a combination thereof, means for adding an area identity of the cell to the first list if the UE does not have a subscription for CS services and the reject message is not integrity protected, and means for adding the identity of the cell to the second list if the UE does not have a subscription for PS services and the reject message is not integrity protected. Example thirty-four may include the subject matter of example thirty-three or any of the examples described herein, wherein the circuit-switched (CS) services include non-Global Packet Radio Service (GPRS) services and the packet-switched services (PS) include GPRS services. Example thirty-five may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for preventing the UE from initiating a signaling procedure for the CS if the UE is connected to a cell with an area identity included in the first list. Example thirty-six may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for preventing the UE from initiating a signaling procedure for the PS domain if the UE is connected to a cell with an area identity included in the second list.
Example thirty-seven may include the subject matter of example thirty-three or any of the examples described herein, wherein an area identity of the cell from which the reject message was received is a location area identity, a cell identity, or a public land mobile network (PLMN) identity. Example thirty-eight may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for causing the UE to attempt to change to another suitable cell or to a suitable cell belonging to another location area or tracking area if the reject message is not integrity protected. Example thirty-nine may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for initiating a signaling procedure for PS services if the UE is coupled with a cell with an area identity belonging to the first list but not to the second list. Example forty may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for initiating a signaling procedure for CS services if the UE is coupled with a cell with an area identity belonging to the second list but not to the first list. Example forty-one may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for generating a third list of area identities forbidden for both CS services and PS services, and means for causing the UE to remain on a cell with an area identity that does not belong to the third list. Example forty-two may include the subject matter of example thirty-three or any of the examples described herein, wherein the third list comprises a list of forbidden location areas for roaming.
Example forty-three may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for adding an area identity to the third list if the area identity is to be added to the first list and the area identity is already in the second list or if the area identity is to be added to the second list and the area identity is already in the first list. Example forty-four may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for starting a timer if an area identity of the cell from which the reject message was received is to be added to the first list or the second list and the timer is not already running. Example forty-five may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for erasing the first list and the second list, and means for erasing a third list of areas forbidden for both CS services and PS services, if the timer expires. Example forty-six may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for running a first counter for the CS services and for running a second counter for PS services, means for incrementing the first counter by 1 if the area identity of the cell from which the reject message is received is added to the first list, and means for incrementing the second counter by 1 if the area identity of the cell from which the reject message is received is added to the second list.
Example forty-seven may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for running a Universal Subscriber Identity Module (USIM) application, means for setting the USIM invalid for CS services if the first counter is incremented to a maximum value for CS services, and means for setting the USIM invalid for PS services if the second counter is incremented to a maximum value for PS services. Example forty-eight may include the subject matter of example thirty-three or any of the examples described herein, further comprising means for setting the first counter to 0 if a registration for CS services is successful, and means for setting the second counter to 0 if a registration for PS services is successful. In example forty-nine, machine-readable storage may include machine-readable instructions, when executed, to realize an apparatus as claimed in any preceding claim.
[00088] In the description herein and/or claims, the terms coupled and/or connected, along with their derivatives, may be used. In particular embodiments, connected may be used to indicate that two or more elements are in direct physical and/or electrical contact with each other. Coupled may mean that two or more elements are in direct physical and/or electrical contact. Coupled, however, may also mean that two or more elements may not be in direct contact with each other, but yet may still cooperate and/or interact with each other. For example, "coupled" may mean that two or more elements do not contact each other but are indirectly joined together via another element or intermediate elements. Finally, the terms "on," "overlying," and "over" may be used in the following description and claims. "On," "overlying," and "over" may be used to indicate that two or more elements are in direct physical contact with each other. It should be noted, however, that "over" may also mean that two or more elements are not in direct contact with each other. For example, "over" may mean that one element is above another element but the elements do not contact each other and may have another element or elements in between the two elements. Furthermore, the term "and/or" may mean "and", it may mean "or", it may mean "exclusive-or", it may mean "one", it may mean "some, but not all", it may mean "neither", and/or it may mean "both", although the scope of claimed subject matter is not limited in this respect. In the description herein and/or claims, the terms "comprise" and "include," along with their derivatives, may be used and are intended as synonyms for each other.
[00089] Although the claimed subject matter has been described with a certain degree of particularity, it should be recognized that elements thereof may be altered by persons skilled in the art without departing from the spirit and/or scope of claimed subject matter. It is believed that the subject matter pertaining to defense against non-access stratum denial-of-service attack and many of its attendant utilities will be understood by the foregoing description, and it will be apparent that various changes may be made in the form, construction and/or arrangement of the components thereof without departing from the scope and/or spirit of the claimed subject matter or without sacrificing all of its material advantages, the form hereinbefore described being merely an explanatory embodiment thereof, and/or further without providing substantial change thereto. It is the intention of the claims to encompass and/or include such changes.

Claims

What is claimed is:
1. An apparatus of a user equipment (UE), comprising:
one or more baseband processors to generate a first list of areas forbidden for circuit-switched (CS) services "forbidden location areas for CS services" and a second list of areas forbidden for packet-switched (PS) "forbidden location areas for PS services", to process a reject message from a cell, wherein the reject message comprises a cause information element indicating that the reject is due to a lack of subscription for CS services or lack of subscription for PS services, or a combination thereof, and to add an area identity of the cell to the first list if the UE does not have a subscription for CS services and the reject message is not integrity protected, or to add the area identity of the cell to the second list if the UE does not have a subscription for PS services and the reject message is not integrity protected; and
a memory to store the first list and the second list.
2. The apparatus of claim 1, wherein the circuit-switched (CS) services include non-Global Packet Radio Service (GPRS) services and the packet-switched services (PS) include GPRS services.
3. The apparatus of any one of claims 1-2, wherein the one or more baseband processors are to prevent the UE from initiating a signaling procedure for the CS if the UE is connected to a cell with an area identity included in the first list.
4. The apparatus of any one of claims 1-3, wherein the one or more baseband processors are to prevent the UE from initiating a signaling procedure for the PS domain if the UE is connected to a cell with an area identity included in the second list.
5. The apparatus of any one of claims 1-4, wherein an area identity of the cell from which the reject message was received is a location area identity, a cell identity, or a public land mobile network (PLMN) identity.
6. The apparatus of any one of claims 1-5, wherein the one or more baseband processors are to cause the UE to attempt to change to another suitable cell or to a suitable cell belonging to another location area or tracking area if the reject message is not integrity protected.
7. The apparatus of any one of claims 1-6, wherein the one or more baseband processors are to initiate a signaling procedure for PS services if the UE is coupled with a cell with an area identity belonging to the first list but not to the second list.
8. The apparatus of any one of claims 1-7, wherein the one or more baseband processors are to initiate a signaling procedure for CS services if the UE is coupled with a cell with an area identity belonging to the second list but not to the first list.
9. The apparatus of any one of claims 1-8, wherein the one or more baseband processors are to generate a third list of area identities forbidden for both CS services and PS services, and the one or more baseband processors are to cause the UE to remain on a cell with an area identity that does not belong to the third list.
10. The apparatus of claim 9, wherein the third list comprises a list of forbidden location areas for roaming.
11. The apparatus of claim 9, wherein the one or more baseband processors are to add an area identity to the third list if the area identity is to be added to the first list and the area identity is already in the second list or if the area identity is to be added to the second list and the area identity is already in the first list.
12. The apparatus of any one of claims 1-11, wherein the one or more baseband processors are to start a timer if an area identity of the cell from which the reject message was received is to be added to the first list or the second list and the timer is not already running.
13. The apparatus of claim 12, wherein the one or more baseband processors are to erase the first list and the second list, and to erase a third list of areas forbidden for both CS services and PS services, if the timer expires.
14. The apparatus of claim 12, wherein the one or more baseband processors are to run a first counter for the CS services and to run a second counter for PS services, and the one or more baseband processors are to increment the first counter by 1 if the area identity of the cell from which the reject message is received is added to the first list, and to increment the second counter by 1 if the area identity of the cell from which the reject message is received is added to the second list.
15. The apparatus of claim 14, wherein the one or more baseband processors are to run a Universal Subscriber Identity Module (USIM) application, and the one or more baseband processors are to set the USIM invalid for CS services if the first counter is incremented to a maximum value for CS services, or to set the USIM invalid for PS services if the second counter is incremented to a maximum value for PS services.
16. The apparatus of claim 14, wherein the one or more baseband processors are to set the first counter to 0 if the one or more baseband processors perform a successful registration for CS services, or to set the second counter to 0 if the one or more baseband processors perform a successful registration for PS services.
17. One or more machine-readable media having instructions stored thereon that, if executed by an apparatus of a user equipment (UE), result in:
generating a first list of areas forbidden for circuit-switched (CS) services "forbidden location areas for CS services" and a second list of areas forbidden for packet-switched (PS) "forbidden location areas for PS services";
processing a reject message from a cell, wherein the reject message comprises a cause information element indicating that the reject is due to a lack of subscription for CS services or lack of subscription for PS services, or a combination thereof; and
adding an area identity of the cell to the first list if the UE does not have a subscription for CS services and the reject message is not integrity protected; or
adding the area identity of the cell to the second list if the UE does not have a subscription for PS services and the reject message is not integrity protected.
18. The one or more machine-readable media of claim 17, wherein the circuit-switched (CS) services include non-Global Packet Radio Service (GPRS) services and the packet-switched services (PS) include GPRS services.
19. The one or more machine-readable media of any one of claims 17-18, wherein the instructions, if executed, further result in preventing the UE from initiating a signaling procedure for the CS if the UE is connected to a cell with an area identity included in the first list.
20. The one or more machine-readable media of any one of claims 17-19, wherein the instructions, if executed, further result in preventing the UE from initiating a signaling procedure for the PS domain if the UE is connected to a cell with an area identity included in the second list.
21. The one or more machine-readable media of any one of claims 17-20, wherein an area identity of the cell from which the reject message was received is a location area identity, a cell identity, or a public land mobile network (PLMN) identity.
22. The one or more machine-readable media of any one of claims 17-21, wherein the instructions, if executed, further result in causing the UE to attempt to change to another suitable cell or to a suitable cell belonging to another location area or tracking area if the reject message is not integrity protected.
23. The one or more machine-readable media of any one of claims 17-22, wherein the instructions, if executed, further result in initiating a signaling procedure for PS services if the UE is coupled with a cell with an area identity belonging to the first list but not to the second list.
24. The one or more machine-readable media of any one of claims 17-23, wherein the instructions, if executed, further result in initiating a signaling procedure for CS services if the UE is coupled with a cell with an area identity belonging to the second list but not to the first list.
25. The one or more machine-readable media of any one of claims 17-24, wherein the instructions, if executed, further result in generating a third list of area identities forbidden for both CS services and PS services, and the one or more baseband processors are to cause the UE to remain on a cell with an area identity that does not belong to the third list.
26. The one or more machine-readable media of claim 25, wherein the third list comprises a list of forbidden location areas for roaming.
27. The one or more machine-readable media of claim 25, wherein the instructions, if executed, further result in adding an area identity to the third list if the area identity is to be added to the first list and the area identity is already in the second list or if the area identity is to be added to the second list and the area identity is already in the first list.
28. The one or more machine-readable media of any one of claims 17-27, wherein the instructions, if executed, further result in starting a timer if an area identity of the cell from which the reject message was received is to be added to the first list or the second list and the timer is not already running.
29. The one or more machine-readable media of claim 28, wherein the instructions, if executed, further result in erasing the first list and the second list, and erasing a third list of areas forbidden for both CS services and PS services, if the timer expires.
30. The one or more machine-readable media of claim 28, wherein the instructions, if executed, further result in running a first counter for the CS services and running a second counter for PS services, and incrementing the first counter by 1 if the area identity of the cell from which the reject message is received is added to the first list, and incrementing the second counter by 1 if the area identity of the cell from which the reject message is received is added to the second list.
31. The one or more machine-readable media of claim 30, wherein the instructions, if executed, further result in running a Universal Subscriber Identity Module (USIM) application, and setting the USIM invalid for CS services if the first counter is incremented to a maximum value for CS services, or setting the USIM invalid for PS services if the second counter is incremented to a maximum value for PS services.
32. The one or more machine-readable media of claim 30, wherein the instructions, if executed, further result in setting the first counter to 0 if a registration for CS services is successful, or setting the second counter to 0 if a registration for PS services is successful.
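
The list, timer and counter handling recited in claims 1-16 (and mirrored in claims 17-32), as an added Python model; it is not part of the patent text or of any modem implementation. The class and method names, the `max_count` default and the timer length are assumptions, since the claims state no values.

```python
from dataclasses import dataclass, field
from typing import Optional

CS, PS = "CS", "PS"

@dataclass
class RejectGuard:
    max_count: int = 3         # assumed; the claims only say "a maximum value"
    timer_len: float = 3600.0  # assumed timer duration, in seconds
    forbidden: dict = field(default_factory=lambda: {CS: set(), PS: set()})
    forbidden_both: set = field(default_factory=set)  # the "third list"
    counter: dict = field(default_factory=lambda: {CS: 0, PS: 0})
    usim_valid: dict = field(default_factory=lambda: {CS: True, PS: True})
    timer_expiry: Optional[float] = None

    def tick(self, now: float) -> None:
        """Erase all three lists once the timer has expired (claim 13)."""
        if self.timer_expiry is not None and now >= self.timer_expiry:
            self.forbidden[CS].clear()
            self.forbidden[PS].clear()
            self.forbidden_both.clear()
            self.timer_expiry = None

    def on_reject(self, domain, area_id, integrity_protected, now) -> bool:
        """Handle a 'no subscription for <domain>' reject; True means the UE
        should look for another suitable cell or area (claim 6)."""
        self.tick(now)
        if integrity_protected:
            return False  # integrity-protected rejects are outside this model
        other = PS if domain == CS else CS
        if self.timer_expiry is None:                  # claim 12
            self.timer_expiry = now + self.timer_len
        if area_id in self.forbidden[other]:           # claim 11
            self.forbidden_both.add(area_id)
        if area_id not in self.forbidden[domain]:      # claims 1 and 14
            self.forbidden[domain].add(area_id)
            self.counter[domain] += 1
        if self.counter[domain] >= self.max_count:     # claim 15
            self.usim_valid[domain] = False
        return True

    def on_registration_success(self, domain) -> None:
        self.counter[domain] = 0                       # claim 16

    def may_signal(self, domain, area_id, now) -> bool:
        """Claims 3, 4, 7 and 8: block only the domain listed for this area."""
        self.tick(now)
        return self.usim_valid[domain] and area_id not in self.forbidden[domain]

    def may_camp(self, area_id) -> bool:
        return area_id not in self.forbidden_both      # claim 9

def demo():
    # Constructed scenario: unprotected rejects arrive in area "LAI-1".
    ue = RejectGuard(max_count=3, timer_len=100.0)
    ue.on_reject(CS, "LAI-1", integrity_protected=False, now=0.0)
    cs_only = (ue.may_signal(CS, "LAI-1", 1.0), ue.may_signal(PS, "LAI-1", 1.0))
    ue.on_reject(PS, "LAI-1", integrity_protected=False, now=2.0)
    camp_blocked = ue.may_camp("LAI-1")
    after_expiry = ue.may_signal(CS, "LAI-1", 100.0)   # timer erased the lists
    return cs_only, camp_blocked, after_expiry

if __name__ == "__main__":
    print(demo())
```

An unprotected reject therefore costs the UE one service domain in one area until the timer expires, and the counter bounds how many such rejects are absorbed before the USIM is set invalid for that domain.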
PCT/US2017/059569 2016-11-04 2017-11-01 Defense against non-access stratum denial-of-service attack WO2018085427A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201662418090P 2016-11-04 2016-11-04
US62/418,090 2016-11-04

Publications (1)

Publication Number Publication Date
WO2018085427A1 true WO2018085427A1 (en) 2018-05-11

Family

ID=60480406

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2017/059569 WO2018085427A1 (en) 2016-11-04 2017-11-01 Defense against non-access stratum denial-of-service attack

Country Status (1)

Country Link
WO (1) WO2018085427A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019032236A1 (en) * 2017-08-10 2019-02-14 Qualcomm Incorporated Forbidden network list management
WO2020173462A1 (en) 2019-02-26 2020-09-03 Mediatek Singapore Pte. Ltd. Apparatuses and methods for handling a non-integrity-protected reject message
WO2021028614A1 (en) * 2019-08-14 2021-02-18 Nokia Technologies Oy Method and apparatus for handling non-integrity protected reject messages in non-public networks

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Mobile radio interface Layer 3 specification; Core network protocols; Stage 3 (Release 13)", 3GPP STANDARD; 3GPP TS 24.008, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. CT WG1, no. V13.4.0, 17 December 2015 (2015-12-17), pages 1 - 733, XP051046741 *
ALTAF SHAIK ET AL: "Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems", 26 October 2015 (2015-10-26), Cornell University Library (arXiv.org), pages 1 - 16, XP055291780, Retrieved from the Internet <URL:https://arxiv.org/pdf/1510.07563v2.pdf> [retrieved on 20160728] *
INTEL ET AL: "Extended corrections of handling NAS reject messages without integrity protection", vol. CT WG1, no. Jeju (Korea); 20160215 - 20160219, 3 February 2016 (2016-02-03), XP051062162, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_ct/WG1_mm-cc-sm_ex-CN1/TSGC1_96_Jeju/docs/> [retrieved on 20160203] *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019032236A1 (en) * 2017-08-10 2019-02-14 Qualcomm Incorporated Forbidden network list management
US10477400B2 (en) 2017-08-10 2019-11-12 Qualcomm Incorporated Forbidden network list management
US10791463B2 (en) 2017-08-10 2020-09-29 Qualcomm Incorporated Forbidden network list management
WO2020173462A1 (en) 2019-02-26 2020-09-03 Mediatek Singapore Pte. Ltd. Apparatuses and methods for handling a non-integrity-protected reject message
CN111869184A (en) * 2019-02-26 2020-10-30 联发科技(新加坡)私人有限公司 Apparatus and method for processing rejected messages without integrity protection
EP3925188A4 (en) * 2019-02-26 2022-05-11 MediaTek Singapore Pte. Ltd. Apparatuses and methods for handling a non-integrity-protected reject message
CN111869184B (en) * 2019-02-26 2022-12-27 联发科技(新加坡)私人有限公司 Apparatus and method for processing rejection messages without integrity protection
WO2021028614A1 (en) * 2019-08-14 2021-02-18 Nokia Technologies Oy Method and apparatus for handling non-integrity protected reject messages in non-public networks
US11477727B2 (en) 2019-08-14 2022-10-18 Nokia Technologies Oy Method and apparatus for handling non-integrity protected reject messages in non-public networks
US11937177B2 (en) 2019-08-14 2024-03-19 Nokia Technologies Oy Method and apparatus for handling non-integrity protected reject messages in non-public networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17805025

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17805025

Country of ref document: EP

Kind code of ref document: A1