WO2020254205A1 - Amf reallocation handling using security context - Google Patents

Amf reallocation handling using security context Download PDF

Info

Publication number
WO2020254205A1
Authority
WO
WIPO (PCT)
Prior art keywords
initial
amf
security context
target
target amf
Prior art date
Application number
PCT/EP2020/066308
Other languages
French (fr)
Inventor
Vlasios Tsiatsis
Peter Hedman
Ivo Sedlacek
Noamen BEN HENDA
Qian Chen
Monica Wifvesson
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Publication of WO2020254205A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Definitions

  • Embodiments presented herein relate to methods for reallocation of an Access and Mobility Management Function, AMF, for wireless communications between a User Equipment, UE, and a Radio Access Node, RAN. Embodiments also relate to a corresponding initial AMF and target
  • mobile networks standardized by the 3rd Generation Partnership Project (3GPP) can be said to comprise a user equipment (UE), a radio access network (RAN), and a core network (CN), as shown in Figure 1.
  • the UE is a mobile device used by the user to wirelessly access the network.
  • the RAN comprises one or more base stations (BSs), which are responsible for providing wireless radio communication to the UE and connecting the UE to the CN.
  • the CN comprises several types of core network functions, which are responsible for various functions, such as handling the mobility of the UE, interconnecting to a data network, packet routing and forwarding, etc.
  • Mobile networks are operated, and their services are offered by the so-called mobile network operators (MNOs).
  • MNOs: mobile network operators
  • users are required to have a contractual relationship with that MNO, where that relationship is generally called a subscription.
  • the MNOs provide services to the users with valid subscriptions. These users use the services, e.g., send short message service (SMS) messages, make phone calls, and get internet access.
  • SMS: short message service
  • the MNOs charge these users for the services they have used through the MNOs' billing or charging systems. The users pay according to the billed amount.
  • This business model is supported by several security features built into the mobile networks. For example, the network can authenticate the users and determine if they have valid subscriptions; the traffic belonging to services such as SMS, phone calls, internet data, etc., is transported in a secure way so that the users are billed correctly according to their usage of the traffic.
  • the traffic itself is of two types in general: control plane (CP) traffic and user plane (UP) traffic.
  • the CP traffic is used for management of the traffic, and the UP traffic carries the actual data.
  • the secure transport of the traffic is achieved by confidentiality/ciphering and integrity protection.
  • Confidentiality/ciphering in this context means encryption of messages, which makes it infeasible for unauthorized parties to decrypt and read the original message.
  • Integrity protection in this context means the sender adding a security token or a message authentication code (MAC) to the message that the receiver can verify, which makes it infeasible for unauthorized parties to tamper with the original message without the receiver detecting the tampering.
  • MAC: message authentication code
  • a UE is typically connected to a single base station in order to use the mobile network services, such as phone calls, messaging, and data transmissions.
  • AMF: Access and Mobility Management Function
  • Issues may arise when an initially established AMF is not the best AMF, or even is not an appropriate AMF, for a UE or for the particular services requested by the UE, which requires AMF reallocation.
  • the embodiments provide the identifier for the initial security context (established between the initial AMF and the UE) to the target AMF via the RAN to address the situation where the initial AMF cannot communicate directly with the target AMF.
  • the solution presented herein uses existing mechanisms and an existing security context instead of deleting it and re-establishing it, which saves resources and simplifies AMF reallocation.
  • One exemplary embodiment comprises a method of reallocation of an Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN).
  • the method is implemented by an initial AMF and comprises establishing an initial security context between the initial AMF and the UE, selecting a target AMF different from the initial AMF to provide one or more services requested by the UE, and transferring the initial security context from the initial AMF to the target AMF via the RAN to establish a new security context between the target AMF and the UE.
  • the initial and new security contexts comprise initial and new Non-Access Stratum security contexts.
  • the selecting the target AMF comprises selecting the target AMF capable of providing the one or more services requested by the UE.
  • an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context.
  • the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to enable the target AMF to fetch the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
  • the method further comprises storing the initial security context in a shared network entity, wherein an initial security context identifier identifies the initial security context, and the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN to enable the target AMF to fetch the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
  • an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context
  • the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to initiate execution of a validation process between the initial AMF and the target AMF to transfer the initial security context to the target AMF as the new security context.
  • the executing of the validation process comprises receiving a plain authentication request from the target AMF, protecting the plain authentication request using the initial security context, sending the protected authentication request to the UE via the target AMF, receiving a protected authentication response from the UE via the target AMF, verifying the protection of the received protected authentication response using the initial security context to obtain a plain authentication response, and forwarding the plain authentication response to the target AMF to initiate a security mode command at the target AMF to establish the new security context between the target AMF and the UE.
  • At least part of the validation process between the initial AMF and the target AMF occurs using communications between the initial AMF and the target AMF via the RAN, occurs using direct communications between the initial AMF and the target AMF, and/or occurs using communications between the initial AMF and the target AMF via a shared network entity.
  • an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context
  • the establishing the initial security context between the initial AMF and the UE comprises the initial AMF implementing a horizontal key derivation to derive the initial security context
  • the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to enable the target AMF to retrieve the initial security context from the initial AMF to establish the new security context between the target AMF and the UE using the initial security context.
  • an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context
  • the establishing the initial security context between the initial AMF and the UE comprises the initial AMF implementing a horizontal key derivation to derive the initial security context and storing the initial security context in a shared network entity
  • the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN to enable the target AMF to retrieve the initial security context from the shared network entity to establish the new security context between the target AMF and the UE using the initial security context.
  • One exemplary embodiment comprises a method of reallocation of an Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN).
  • the method is implemented by a target AMF and comprises receiving an initial security context identifier from an initial AMF via the RAN, the initial security context identifier identifying an initial security context established between the initial AMF and the UE, and establishing a new security context between the target AMF and the UE responsive to the received initial security context identifier.
  • the initial and new security contexts comprise initial and new Non-Access Stratum security contexts.
  • the target AMF is capable of providing one or more services requested by the UE that are not provided by the initial AMF.
  • the establishing the new security context between the target AMF and the UE comprises the target AMF receiving an identifier for the initial AMF from the initial AMF via the RAN, and the target AMF fetching the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
  • the establishing the new security context between the target AMF and the UE comprises the target AMF receiving the initial security context identifier and an identifier for a shared network entity from the shared network entity, and the target AMF fetching the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
  • the establishing the new security context between the target AMF and the UE comprises executing a validation process between the initial AMF and the target AMF to transfer the initial security context to the target AMF as the new security context.
  • the executing the validation process comprises sending a plain authentication request to the initial AMF, receiving a protected authentication request from the initial AMF, sending the protected authentication request to the UE, receiving a protected authentication response from the UE, forwarding the protected authentication response to the initial AMF, receiving a plain authentication response from the initial AMF, and initiating a security mode command in response to the received plain authentication response to establish the new security context between the target AMF and the UE.
  • at least part of the validation process between the initial AMF and the target AMF occurs using communications between the initial AMF and the target AMF via the RAN, occurs using direct communications between the initial AMF and the target AMF, and/or occurs using communications between the initial AMF and the target AMF via a shared network entity.
  • the initial security context between the initial AMF and the UE is the result of a horizontal key derivation implemented by the initial AMF
  • the establishing the new security context between the target AMF and the UE comprises retrieving the initial security context from the initial AMF, and using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE.
  • the initial security context between the initial AMF and the UE is the result of a horizontal key derivation implemented by the initial AMF
  • the establishing the new security context between the target AMF and the UE comprises receiving an identifier for a shared network entity and the initial security context identifier from the shared network entity via the RAN, retrieving the initial security context from the shared network entity, and using the initial security context retrieved from the shared network entity to establish the new security context between the target AMF and the UE.
  • using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE comprises executing a security mode command with the UE using the initial security context to establish the new security context between the target AMF and the UE.
  • One exemplary embodiment comprises an initial Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN).
  • the initial AMF is comprised in a core network node and comprises one or more processing circuits configured to establish an initial security context between the initial AMF and the UE, select a target AMF different from the initial AMF to provide one or more services requested by the UE, and transfer the initial security context from the initial AMF to the target AMF via the RAN to establish a new security context between the target AMF and the UE.
  • One exemplary embodiment comprises a target Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN).
  • the target AMF is comprised in a core network node and comprises one or more processing circuits configured to receive an initial security context identifier from an initial AMF via the RAN, the initial security context identifier identifying an initial security context established between the initial AMF and the UE, and establish a new security context between the target AMF and the UE responsive to the received initial security context identifier.
  • Figure 1 shows an example of a simplified mobile network.
  • Figure 2 shows an exemplary general registration procedure.
  • Figure 3 shows an exemplary AMF reallocation procedure.
  • Figure 4 shows an exemplary method implemented by the initial AMF according to exemplary embodiments of the solution presented herein.
  • Figure 5 shows an exemplary method implemented by the target AMF according to exemplary embodiments of the solution presented herein.
  • Figure 6 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
  • Figure 7 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
  • Figure 8 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
  • Figure 9 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
  • Figure 10 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
  • Figure 11 shows an exemplary block diagram of the core network according to the solution presented herein.
  • a registration procedure takes place as a first step.
  • the detailed registration procedure is outlined in 3GPP TS 23.502, “Procedures for the 5G System; Stage 2” (Rel. 15), version 16.0.2, e.g. clause “4.2.2.2.2 General Registration,” reproduced for convenience in Figure 2.
  • AMF reallocation (e.g., Figure 3) covers the case in which, for example due to slicing requirements or AMF set deployment constraints, the UE cannot be served by the Initial AMF that used to serve the UE.
  • the AMF reallocation procedure outlined in Figure 3 results in the UE and Initial AMF sharing a security context (after step 2 in Figure 3 or after step 9 in Figure 2). Therefore, encryption and integrity protection keys could be used for the secure communication between the UE and the Initial AMF.
  • the last part of step 9 in Figure 2 is the non-access stratum (NAS) Security Mode Command (SMC) that takes the security context into use between the UE and the Initial AMF.
  • NAS: non-access stratum
  • SMC: Security Mode Command
  • the Initial AMF receives the initial registration request, which may have slicing information, such as Network Slice Selection Assistance Information (NSSAI). Based on this slicing information, the Initial AMF may determine that it is not the right AMF to serve the UE and so performs a look up for an appropriate AMF (e.g., steps 6a, 6b in Figure 3).
  • NSSAI: Network Slice Selection Assistance Information
  • the problematic situation is case (B) in Figure 3, when the Target AMF (the AMF that was discovered to fulfil the requirements to serve the UE with respect to slicing) cannot be contacted by the Initial AMF in order to transfer the security context shared between the UE and the Initial AMF.
  • step 8 in Figure 3 will be followed, which implies that the Target AMF will try to authenticate the UE again by issuing an unprotected NAS message (AUTHENTICATION REQUEST, or AUTHRQ for short).
  • According to the NAS protocol specification (Stage 3, Rel. 15), clause “Integrity checking of NAS signalling messages in the UE,” this unprotected AUTHRQ message will be dropped by the UE because it already has a security context with the network (with the Initial AMF though, not the Target AMF).
  • Nor does the Target AMF have the security context with which it could protect the AUTHRQ.
  • The issue is raised in 3GPP TDoc S3-191411, and a solution is proposed in contribution 3GPP TDoc S3-191413.
  • the problem with the solution in 3GPP TDoc S3-191413 is that it introduces a new message, “AMF reallocation notification message,” which causes the UE to delete the security context shared between itself and the Initial AMF. This new-message solution is not ideal because the UE removes a working security context before the next security context is established.
  • the solution presented herein enables the network to reuse the existing security context between the Initial AMF and the UE to perform AMF reallocation with a target AMF. In so doing, the solution presented herein uses existing mechanisms and an existing security context instead of deleting it and re-establishing it, which saves resources and simplifies AMF reallocation.
  • Figure 4 shows one exemplary method 400 of the solution presented herein as implemented by the initial AMF 100 (see Figure 11).
  • the initial AMF 100 establishes an initial security context between the initial AMF and the UE (block 410).
  • the initial AMF 100 may select a target AMF 200 that is different from the initial AMF 100 (block 420).
  • the initial AMF 100 may select a target AMF 200 that can provide the requested services.
  • the initial AMF 100 then transfers the initial security context to the target AMF 200 via the RAN to establish a new security context between the target AMF 200 and the UE (block 430).
  • Figure 5 shows one exemplary method 500 of the solution presented herein as implemented by the target AMF 200.
  • the target AMF 200 receives an initial security context identifier from the initial AMF via the RAN (block 510), where the initial security context identifier identifies an initial security context established between the initial AMF 100 and the UE.
  • the target AMF 200 then establishes a new security context between the target AMF and the UE responsive to the initial security context identifier (block 520).
  • the Target AMF performs authentication via the Initial AMF, with message passing via the RAN, as shown in Figure 6.
  • the Initial AMF is used for protection/verification (integrity protection/verification or integrity +
  • the Initial AMF provides Initial AMF identity to (R)AN in step 7a of figure 3, and (R)AN provides the Initial AMF identity to the Target AMF.
  • the procedure includes the following steps:
  • the Initial AMF cannot communicate directly to the Target AMF so alternative (B) of step 7 in Figure 3 is performed.
  • the Initial AMF provides its address or identity (the Initial AMF identity) and the identifier of the UE's security context in the Initial AMF (Initial AMF UE's context identifier) to the (R)AN in step 7a of Figure 3, and the (R)AN provides the Initial AMF identity and the Initial AMF UE's security context identifier to the Target AMF.
  • the Target AMF initiates an authentication request by requesting new authentication vectors from the Authentication Server Function (AUSF).
  • AUSF: Authentication Server Function
  • the AUSF provides the new authentication vectors
  • the Target AMF sends the plain AUTHENTICATION REQUEST(s) to the Initial AMF either:
  • Target AMF directly sends the plain AUTHENTICATION REQUEST and the Initial AMF UE's security context identifier to the Initial AMF identified by the initial AMF identity; or
  • Target AMF indicates the plain AUTHENTICATION REQUEST, the Initial AMF identity, and the Initial AMF UE's security context identifier to the shared network entity, and the shared network entity provides the plain AUTHENTICATION REQUEST and the Initial AMF UE's security context identifier to the AMF identified by the Initial AMF identity.
  • the Initial AMF protects the plain AUTHENTICATION REQUEST using the current 5G NAS security context identified by the Initial AMF UE's security context identifier
  • the Initial AMF returns the protected AUTHENTICATION REQUEST to the Target AMF either:
  • the Target AMF sends the protected AUTHENTICATION REQUEST to the UE
  • the UE sends the protected AUTHENTICATION RESPONSE(s) to the Target AMF
  • the Target AMF forwards the protected AUTHENTICATION RESPONSE(s) to the Initial AMF either:
  • Target AMF directly sends the protected AUTHENTICATION RESPONSE and the Initial AMF UE's security context identifier to the Initial AMF identified by the Initial AMF identity; or
  • Target AMF indicates the protected
  • the Initial AMF verifies the protection of the received protected AUTHENTICATION RESPONSE(s) using the current 5G NAS security context identified by the Initial AMF UE's security context identifier
  • the Initial AMF forwards the plain AUTHENTICATION RESPONSE(s) to the Target AMF either:
  • AUTHENTICATION RESPONSE to the shared network entity, and the shared network entity provides the protected AUTHENTICATION RESPONSE to the Target AMF
  • the message exchange omits the details of the AUTHENTICATION REQUEST and AUTHENTICATION RESPONSE messages but the end result is a new key agreement between the UE and the Target AMF.
  • the Target AMF can subsequently perform a NAS Security Mode Command to put the newly created security context into use.
  • the advantage of this solution is that there is no impact on the UE.
  • a shared network entity is an entity that is shared between the Network Slices that the Initial AMF and Target AMF serve.
  • One example is a default AMF, which can be regarded as shared between all or many Network slices.
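  • The exchange of Figure 6, as an added toy model in Python (illustration written for this page, not code from the patent or from any AMF implementation). Its assumptions, none of which come from the patent text: NAS integrity protection is modelled as HMAC-SHA-256 truncated to 32 bits over NAS COUNT, DIRECTION and the message, standing in for a 5G NIA algorithm; a one-byte header marks a PDU as plain or protected; constructed random bytes stand in for the AKA parameters from the AUSF and for RES*; and plain Python calls stand in for the transport via the (R)AN or a shared network entity. It shows the UE discarding the Target AMF's unprotected AUTHENTICATION REQUEST, the same request being accepted once the Initial AMF has protected it with the existing context, the Initial AMF verifying the UE's protected response and handing the plain response back, and a replay of that response being rejected by the NAS COUNT check.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

UPLINK, DOWNLINK = 0, 1          # DIRECTION values in the NAS MAC input
PLAIN, PROTECTED = 0x00, 0x01    # assumed one-byte PDU header for this toy model


def nas_mac(k_nas_int: bytes, count: int, direction: int, msg: bytes) -> bytes:
    """Stand-in for a 5G NAS integrity algorithm (NIA): 32-bit tag over COUNT, DIRECTION and message."""
    data = count.to_bytes(4, "big") + bytes([direction]) + msg
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]


@dataclass
class NasSecurityContext:
    """NAS security context shared by the UE and the Initial AMF (toy: one integrity key, two COUNTs)."""
    k_nas_int: bytes
    dl_count: int = 0
    ul_count: int = 0

    def protect(self, msg: bytes, direction: int) -> bytes:
        count = self.dl_count if direction == DOWNLINK else self.ul_count
        mac = nas_mac(self.k_nas_int, count, direction, msg)
        if direction == DOWNLINK:
            self.dl_count += 1
        else:
            self.ul_count += 1
        return bytes([PROTECTED]) + mac + count.to_bytes(4, "big") + msg

    def verify(self, pdu: bytes, direction: int) -> bytes:
        if pdu[0] != PROTECTED:
            raise ValueError("unprotected NAS message")
        mac, count, msg = pdu[1:5], int.from_bytes(pdu[5:9], "big"), pdu[9:]
        expected = self.dl_count if direction == DOWNLINK else self.ul_count
        if count < expected:
            raise ValueError("replayed NAS COUNT")
        if not hmac.compare_digest(mac, nas_mac(self.k_nas_int, count, direction, msg)):
            raise ValueError("NAS MAC check failed")
        if direction == DOWNLINK:
            self.dl_count = count + 1
        else:
            self.ul_count = count + 1
        return msg


class UE:
    def __init__(self, ctx: NasSecurityContext):
        self.ctx = ctx
        self.dropped = 0

    def on_auth_request(self, pdu: bytes):
        """With a NAS security context in use, the UE discards any message that fails the integrity check."""
        try:
            plain = self.ctx.verify(pdu, DOWNLINK)
        except ValueError:
            self.dropped += 1
            return None
        res = hashlib.sha256(b"RES*" + plain).digest()[:16]   # AKA response stand-in (constructed)
        return self.ctx.protect(b"AUTHENTICATION RESPONSE" + res, UPLINK)


class InitialAMF:
    """Owns the UE contexts; protects/verifies on the Target AMF's behalf, selected by context identifier."""
    def __init__(self, amf_id: str):
        self.amf_id = amf_id
        self.contexts: dict[str, NasSecurityContext] = {}

    def protect(self, ctx_id: str, plain: bytes) -> bytes:
        return self.contexts[ctx_id].protect(plain, DOWNLINK)

    def verify(self, ctx_id: str, protected: bytes) -> bytes:
        return self.contexts[ctx_id].verify(protected, UPLINK)


class TargetAMF:
    """Has no context for the UE; can reach the Initial AMF (the reverse direction is not assumed)."""
    def __init__(self, reachable: dict):
        self.reachable = reachable
        self.last_protected_response = None

    def authenticate_via_initial(self, ue: UE, initial_amf_id: str, ctx_id: str) -> bytes:
        initial = self.reachable[initial_amf_id]
        plain_req = b"AUTHENTICATION REQUEST" + os.urandom(16)   # RAND/AUTN from the AUSF (constructed)
        prot_req = initial.protect(ctx_id, plain_req)             # Initial AMF protects the plain request
        prot_resp = ue.on_auth_request(prot_req)                  # Target AMF forwards it to the UE
        if prot_resp is None:
            raise RuntimeError("UE discarded the request")
        self.last_protected_response = prot_resp
        return initial.verify(ctx_id, prot_resp)                  # Initial AMF verifies, returns plain response


def run_reallocation() -> dict:
    k_nas_int = os.urandom(16)
    ue = UE(NasSecurityContext(k_nas_int))
    initial, ctx_id = InitialAMF("amf-initial"), "ue-ctx-0001"
    initial.contexts[ctx_id] = NasSecurityContext(k_nas_int)     # same context as the UE (after NAS SMC)
    target = TargetAMF({"amf-initial": initial})

    # Step 8 of Figure 3 without the solution: a plain AUTHENTICATION REQUEST, dropped by the UE.
    plain_dropped = ue.on_auth_request(bytes([PLAIN]) + b"AUTHENTICATION REQUEST" + os.urandom(16)) is None

    # With the solution: the (R)AN has relayed (Initial AMF identity, context identifier) to the Target AMF.
    relayed = ("amf-initial", ctx_id)
    plain_resp = target.authenticate_via_initial(ue, *relayed)

    try:                                                          # replaying the UE's response must fail
        initial.verify(ctx_id, target.last_protected_response)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"plain_dropped": plain_dropped, "response_ok": plain_resp.startswith(b"AUTHENTICATION RESPONSE"),
            "ue_drops": ue.dropped, "replay_rejected": replay_rejected,
            "ul_count_after": initial.contexts[ctx_id].ul_count}
```

  • In this model the Initial AMF never hands its keys to the Target AMF; it only applies and checks integrity protection on the Target AMF's behalf, which is why the text can claim no impact on the UE. The NAS COUNT bookkeeping is what makes the relayed response single-use. A deployment of this pattern would also want the Initial AMF to bind the (Initial AMF identity, context identifier) pair the RAN forwards to the UE's N2 connection, so that protection is only ever applied for the UE the request actually concerns; the patent text leaves that binding to the implementation.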
  • Target AMF fetches the security context with respect to a horizontal key derivation performed by the Initial AMF, as shown in Figure 7.
  • the idea is the following.
  • Steps 1-6 from Figure 3 are performed.
  • the Initial AMF performs horizontal key derivation.
  • the Initial AMF cannot communicate directly to the Target AMF so alternative (B) of step 7 in Figure 3 is performed.
  • the additional step is that the Initial AMF sends its address or identity (the Initial AMF identity) and the identifier of the UE's security context in the Initial AMF (Initial AMF UE's context identifier) along with the NAS message in step 7a of Figure 3, and the (R)AN provides the Initial AMF identity and the Initial AMF UE's context identifier to the Target AMF in step 7b.
  • the Target AMF initiates a security context fetch from the Initial AMF, using the Initial AMF identity and Initial AMF UE's context identifier.
  • Target AMF performs NAS SMC with the UE with K_AMF_change_flag. Target AMF does not do horizontal key derivation itself, since the horizontal key derivation has already been done in the Initial AMF.
  • Target AMF fetches the security context with respect to a horizontal key derivation performed by the Initial AMF, as shown in Figure 8.
  • the idea is the following.
  • the Initial AMF performs horizontal key derivation.
  • the Initial AMF stores the UE security context in a shared network entity.
  • the Initial AMF cannot communicate directly to the Target AMF so alternative (B) of step 7 in Figure 3 is performed.
  • the additional step is that the Initial AMF sends the address or identity of the shared network entity (the Shared Network Entity identity), if more than one exists in the PLMN of the Initial AMF, and the identifier of the UE's security context in the shared network entity (Shared Network Entity UE's context identifier), along with the NAS message in step 7a, and the (R)AN provides the shared network entity identity and the Shared Network Entity UE's context identifier to the Target AMF (step 7b of Figure 3).
  • the Target AMF initiates a security context fetch from the Shared Network Entity, using the Shared Network Identity and the Shared Network Entity UE’s context identifier.
  • Target AMF performs NAS SMC with the UE with K_AMF_change_flag. Target AMF does not do horizontal key derivation itself, since the horizontal key derivation has already been done in the Initial AMF.
  • Target AMF fetches the security context without performing horizontal key derivation, as shown in Figure 9.
  • the idea is the following.
  • the Initial AMF cannot communicate directly to the Target AMF so alternative (B) of step 7 in Figure 3 is performed.
  • the additional step is that the Initial AMF sends its address or identity (the Initial AMF identity) and the identifier of the UE's security context in the Initial AMF (Initial AMF UE's context identifier) along with the NAS message in step 7a of Figure 3, and the (R)AN provides the Initial AMF identity and the Initial AMF UE's context identifier to the Target AMF in step 7b.
  • the Target AMF initiates a security context fetch from the Initial AMF, using the Initial AMF identity and Initial AMF UE's context identifier.
  • Target AMF fetches the security context without performing horizontal key derivation, as shown in Figure 10.
  • the idea is the following.
  • the Initial AMF stores the UE security context in a shared network entity.
  • the Initial AMF cannot communicate directly to the Target AMF so alternative (B) of step 7 in Figure 3 is performed.
  • the additional step is that the Initial AMF sends the address or identity of the shared network entity (the shared network entity identity), if more than one exists in the PLMN of the Initial AMF, and the identifier of the UE's security context in the shared network entity (shared network entity UE's context identifier) along with the NAS message in step 7a, and the (R)AN provides the shared network entity identity and the shared network entity UE's context identifier to the Target AMF in step 7b of Figure 3.
  • the Target AMF initiates a security context fetch from the shared network entity, using the shared network entity identity and the shared network entity UE's context identifier.
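  • The Figure 7 to Figure 10 variants, as an added Python example written for this page (not the patent's or any vendor's code). It assumes the generic 3GPP KDF shape HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1), with the FC values and input parameters as the author recalls them from TS 33.501 Annex A for the KAMF-to-KAMF' horizontal derivation (A.13) and the NAS algorithm key derivation (A.8); check them against the specification version in use, since the patent text does not state them. The context store, the access rule that only the Target AMF may fetch, the context identifier, the NAS UPLINK COUNT value and the SMC encoding are all constructed for the example. It shows the Initial AMF performing the horizontal derivation and storing the result locally (Figure 7) or in a shared network entity (Figure 8), the Target AMF fetching the context by identifier and taking ownership, the NAS SMC carrying K_AMF_change_flag so that the UE performs the same derivation exactly once, and why the Target AMF must not derive again: a second derivation yields a key the UE does not have and the SMC fails its integrity check. With horizontal=False it covers the Figure 9 and Figure 10 case, where the fetched context is used as is.

```python
import hashlib
import hmac
import os

# FC values and parameter layout as recalled from TS 33.501 Annex A (A.13: KAMF -> KAMF' in
# mobility, A.8: algorithm key derivation). They are an assumption of this example, not
# something the patent text states; check them against the specification version in use.
FC_KAMF_TO_KAMF_PRIME = 0x72
FC_ALGORITHM_KEY = 0x69
N_NAS_INT_ALG = 0x02          # algorithm type distinguisher for NAS integrity
DIRECTION_UPLINK = b"\x01"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF shape: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def horizontal_kamf_derivation(k_amf: bytes, nas_uplink_count: int) -> bytes:
    """KAMF' = KDF(KAMF, FC, DIRECTION = uplink, NAS UPLINK COUNT)."""
    return kdf(k_amf, FC_KAMF_TO_KAMF_PRIME, DIRECTION_UPLINK, nas_uplink_count.to_bytes(4, "big"))


def nas_int_key(k_amf: bytes, alg_id: int = 0x02) -> bytes:
    """128-bit NAS integrity key: low 128 bits of KDF(KAMF, FC, algorithm type, algorithm id)."""
    return kdf(k_amf, FC_ALGORITHM_KEY, bytes([N_NAS_INT_ALG]), bytes([alg_id]))[16:]


class ContextStore:
    """UE security contexts held by the Initial AMF itself or by a shared network entity (e.g. a default AMF)."""
    def __init__(self, owner: str):
        self.owner = owner
        self._ctx = {}

    def put(self, ctx_id: str, ctx: dict) -> None:
        self._ctx[ctx_id] = ctx

    def fetch(self, requester: str, ctx_id: str) -> dict:
        # Access rule (assumed): only a different AMF, the Target, may fetch; the owner cannot push.
        # Taking ownership removes the context from the store, so it can be fetched exactly once.
        if requester == self.owner:
            raise PermissionError("only a target AMF may fetch this context")
        return self._ctx.pop(ctx_id)


class UE:
    def __init__(self, k_amf: bytes, nas_ul_count: int):
        self.k_amf, self.nas_ul_count = k_amf, nas_ul_count

    def on_security_mode_command(self, smc: dict) -> bool:
        """Check the SMC MAC; K_AMF_change_flag tells the UE to perform the horizontal derivation itself."""
        k = horizontal_kamf_derivation(self.k_amf, self.nas_ul_count) if smc["k_amf_change_flag"] else self.k_amf
        expected = hmac.new(nas_int_key(k), smc["body"], hashlib.sha256).digest()[:4]
        ok = hmac.compare_digest(expected, smc["mac"])
        if ok:
            self.k_amf = k            # new context taken into use
        return ok


def run_reallocation(horizontal: bool = True, via_shared_entity: bool = False,
                     target_derives_again: bool = False) -> bool:
    """Returns True when the Target AMF's NAS SMC passes the UE's integrity check."""
    k_amf, nas_ul_count = os.urandom(32), 7      # KAMF and the NAS UPLINK COUNT of the Registration Request (constructed)
    ue = UE(k_amf, nas_ul_count)

    # Initial AMF: horizontal derivation (Figures 7/8) or not (Figures 9/10); store locally or in a shared entity.
    k_stored = horizontal_kamf_derivation(k_amf, nas_ul_count) if horizontal else k_amf
    store = ContextStore("shared-entity" if via_shared_entity else "amf-initial")
    ctx_id = "ue-ctx-0001"
    store.put(ctx_id, {"k_amf": k_stored, "nas_ul_count": nas_ul_count})

    # (R)AN relays (store identity, context identifier) with the NAS message; Target AMF fetches and takes ownership.
    relayed = (store.owner, ctx_id)
    ctx = store.fetch("amf-target", relayed[1])

    # Target AMF: the fetched key is used as is; deriving again would desynchronise it from the UE.
    k_target = horizontal_kamf_derivation(ctx["k_amf"], ctx["nas_ul_count"]) if target_derives_again else ctx["k_amf"]
    body = b"SECURITY MODE COMMAND|NIA2|NEA2"
    mac = hmac.new(nas_int_key(k_target), body, hashlib.sha256).digest()[:4]
    return ue.on_security_mode_command({"k_amf_change_flag": horizontal, "body": body, "mac": mac})
```

  • The one-time fetch in ContextStore.fetch is the "take ownership" step of the text: after the Target AMF has fetched, the Initial AMF (or the shared entity) no longer holds the context, so there is exactly one holder of the NAS keys at any time. The horizontal derivation is what gives the Target AMF a KAMF' that the Initial AMF cannot reverse to its own KAMF, and the UE is told to mirror that single derivation through K_AMF_change_flag, which is why the Target AMF must skip it.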
  • Figure 11 shows an exemplary core network comprising a plurality of AMFs, among which are an initial AMF 100 and a target AMF 200.
  • the initial AMF 100 includes one or more processing circuits 110, as well as any necessary memory circuits (not shown) configured to implement the methods shown and discussed herein.
  • the target AMF 200 includes one or more processing circuits 210, as well as any necessary memory circuits (not shown) configured to implement the methods shown and discussed herein.
  • the core network may further comprise an optional shared network entity 300, which in some embodiments, communicates with the RAN, initial AMF 100, and/or target AMF 200.
  • the shared network entity may comprise an entity that is shared between the Network Slices that the Initial AMF and Target AMF serve.
  • One example is a default AMF, which can be regarded as shared between all or many Network slices.
  • when the Initial AMF realizes it cannot provide at least some of the services requested by the UE, e.g., network slicing services, it selects a Target AMF that is better suited. If the Initial AMF can communicate directly with the Target AMF, then it does so to reallocate the AMF (e.g., (A) in Figure 3).
  • the solution presented herein has the Initial AMF send at least its (initial) security context identifier to the RAN (along with the ID for the selected Target AMF), and the RAN forwards the initial security context identifier to the Target AMF.
  • the Target AMF then establishes a new security context with the UE using the received initial security context ID (i.e. , according to any one of the embodiments disclosed herein).
  • the Target AMF may take ownership of the security context (previously owned by the Initial AMF), e.g., by communicating directly with the Initial AMF (even though the Initial AMF could not communicate directly with the Target AMF).
  • the Target AMF is allowed to fetch something from the Initial AMF, but not the opposite e.g., due to prior knowledge by the Target AMF or configuration or access rules (e.g., Target AMF may have more privileges than Initial AMF).
  • neither communication direction is possible (i.e., neither Initial AMF to Target AMF nor Target AMF to Initial AMF), but it is possible for the Initial and Target AMFs to communicate via other nodes, in this case e.g., the RAN.
  • an initial AMF establishes an initial security context between the initial AMF and the UE, selects a target AMF different from the initial AMF to provide one or more services requested by the UE, and transfers the initial security context from the initial AMF to the target AMF via the RAN in order to establish a new security context between the target AMF and the UE.
  • the initial and the new security contexts may comprise initial and new Non-Access Stratum, NAS, security contexts, and the selecting of the target AMF may comprise selecting the target AMF capable of providing the one or more services requested by the UE.
  • An initial AMF identifier may identify the initial AMF
  • an initial security context identifier may identify the initial security context
  • the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN, in order to enable the target AMF to fetch the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
  • the initial security context may be stored in a shared network entity, wherein an initial security context identifier identifies the initial security context, and the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN, in order to enable the target AMF to fetch the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
  • An initial AMF identifier may identify the initial AMF
  • an initial security context identifier may identify the initial security context
  • the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN, in order to initiate execution of a validation process between the initial AMF and the target AMF, and in order to transfer the initial security context to the target AMF as the new security context.
  • the execution of the validation process may comprise receiving a plain authentication request from the target AMF, protecting the plain authentication request using the initial security context, and sending the protected authentication request to the UE via the target AMF. It may further comprise receiving a protected authentication response from the UE via the target AMF, verifying the protection of the received protected authentication response using the initial security context to generate a plain authentication response, and forwarding the plain authentication response to the target AMF to initiate a security mode command at the target AMF in order to establish the new security context between the target AMF and the UE. At least part of the validation process between the initial AMF and the target AMF may occur using communications between the initial AMF and the target AMF via the RAN, using direct communications between the initial AMF and the target AMF, or using communications between the initial AMF and the target AMF via a shared network entity.
  • An initial AMF identifier may identify the initial AMF
  • an initial security context identifier may identify the initial security context.
  • the establishing of the initial security context between the AMF and the UE may comprise the initial AMF implementing a horizontal key derivation to derive the initial security context
  • the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN, in order to enable the target AMF to retrieve the initial security context from the initial AMF, to establish the new security context between the target AMF and the UE using the initial security context.
  • An initial AMF identifier may identify the initial AMF, and an initial security context identifier may identify the initial security context.
  • Establishing the initial security context between the AMF and the UE may comprise the initial AMF implementing a horizontal key derivation to derive the initial security context and storing the initial security context in a shared network entity.
  • the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN, in order to enable the target AMF to retrieve the initial security context from the shared network entity to establish the new security context between the target AMF and the UE, using the initial security context.
  • Another embodiment is directed to a method of reallocation of an AMF for wireless communications between a UE and a RAN, the method implemented by a target AMF, and comprising receiving an initial security context identifier from an initial AMF via the RAN, the initial security context identifier identifying an initial security context established between the initial AMF and the UE, and establishing a new security context between the target AMF and the UE responsive to the received initial security context identifier.
  • the initial and the new security contexts may comprise initial and new Non-Access Stratum, NAS, security contexts, and the target AMF is capable of providing one or more services requested by the UE that are not provided by the initial AMF.
  • the establishing of the new security context between the target AMF and the UE may comprise the target AMF receiving an identifier for the initial AMF from the initial AMF via the RAN, and the target AMF fetching the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
  • the establishing of the new security context between the target AMF and the UE may comprise the target AMF receiving the initial security context identifier and an identifier for a shared network entity from the initial AMF via the RAN, and the target AMF fetching the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
  • the establishing of the new security context between the target AMF and the UE may comprise executing a validation process between the initial AMF and the target AMF to transfer the initial security context to the target AMF as the new security context.
  • the execution of the validation process may comprise sending a plain authentication request to the initial AMF, receiving a protected authentication request from the initial AMF, sending the protected authentication request to the UE, receiving a protected authentication response from the UE, forwarding the protected authentication response to the initial AMF, receiving a plain authentication response from the initial AMF, and initiating a security mode command in response to the received plain authentication response to establish the new security context between the target AMF and the UE.
  • At least part of the validation process between the initial AMF and the target AMF may occur using communications between the initial AMF and the target AMF via the RAN, using direct communications between the initial AMF and the target AMF, or using communications between the initial AMF and the target AMF via a shared network entity.
  • the initial security context between the AMF and the UE may be the result of a horizontal key derivation implemented by the initial AMF, and the establishing of the new security context between the target AMF and the UE may comprise retrieving the initial security context from the initial AMF and using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE.
  • the initial security context between the AMF and the UE may be the result of a horizontal key derivation implemented by the initial AMF, and the establishing of the new security context between the target AMF and the UE may comprise receiving an identifier for a shared network entity and the initial security context identifier from the initial AMF via the RAN, retrieving the initial security context from the shared network entity, and using the initial security context retrieved from the shared network entity to establish the new security context between the target AMF and the UE.
  • Using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE may comprise executing a security mode command with the UE, using the initial security context to establish the new security context between the target AMF and the UE.
  • Another embodiment is directed to an AMF for wireless communications between a UE and a RAN, wherein the AMF is comprised in a core network node and comprises one or more processing circuits configured to implement the methods performed by the initial AMF according to any of the embodiments described herein.
  • Another embodiment is directed to an AMF for wireless communications between a UE and a RAN, wherein the AMF is comprised in a core network node and comprises one or more processing circuits configured to implement the methods performed by the target AMF according to any of the embodiments described herein.
  • Another embodiment is directed to a computer program product for controlling an initial AMF for wireless communications between a UE and a RAN, wherein the computer program product comprises software instructions which, when run on at least one processing circuit in the initial AMF, cause the initial AMF to execute the method according to any of the embodiments described herein.
  • Another embodiment is directed to a computer program product for controlling a target AMF for wireless communications between a UE and a RAN, wherein the computer program product comprises software instructions which, when run on at least one processing circuit in the target AMF, causes the target AMF to execute the method according to any one of embodiments described herein.
  • a further embodiment is directed to a computer-readable medium comprising any of the computer program products described herein, and wherein the computer-readable medium may comprise a non-transitory computer-readable medium.

Abstract

Methods are disclosed for reallocation of an Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN). The method comprises establishing an initial security context between an initial AMF and the UE, selecting a target AMF (200) different from the initial AMF to provide one or more services requested by the UE, and transferring the initial security context from the initial AMF to the target AMF via the RAN to establish a new security context between the target AMF and the UE.

Description

AMF REALLOCATION HANDLING USING SECURITY CONTEXT
TECHNICAL FIELD
Embodiments presented herein relate to methods for reallocation of an Access and Mobility Management Function, AMF, for wireless communications between a User Equipment, UE, and a Radio Access Node, RAN. Embodiments also relate to a corresponding initial AMF and target AMF.
BACKGROUND
On a very high level, mobile networks standardized by the 3rd Generation Partnership Project (3GPP) can be said to comprise a user equipment (UE), a radio access network (RAN), and a core network (CN), as shown in Figure 1. The UE is a mobile device used by the user to wirelessly access the network. The RAN comprises one or more base stations (BSs), which are responsible for providing wireless radio communication to the UE and connecting the UE to the CN. The CN comprises several types of core network functions, which are responsible for various tasks, such as handling the mobility of the UE, interconnecting to a data network, packet routing and forwarding, etc.
Mobile networks are operated, and their services are offered by the so-called mobile network operators (MNOs). To use a particular mobile network offered by a particular MNO, users are required to have a contractual relationship with that MNO, where that relationship is generally called a subscription.
In simple terms, the business model works as follows. The MNOs provide services to the users with valid subscriptions. These users use the services, e.g., send short message service (SMS) messages, make phone calls, and get internet access. The MNOs charge these users for the services they have used through the MNOs' billing or charging systems. The users pay according to the billed amount. This business model is supported by several security features built into the mobile networks. For example, the network can authenticate the users and determine if they have valid subscriptions; the traffic belonging to services such as SMS, phone calls, internet data, etc., are transported in a secure way so that the users are billed correctly according to their usage of the traffic.
The traffic itself is of two types in general: control plane (CP) traffic and user plane (UP) traffic. The CP traffic is used for management of the traffic, and the UP traffic carries the actual data. The secure transport of the traffic is achieved by confidentiality/ciphering and integrity protection. Confidentiality/ciphering in this context means encryption of messages, which makes it infeasible for unauthorized parties to decrypt and read the original message. Integrity protection in this context means the sender adding a security token or a message authentication code (MAC) to the message that the receiver can verify, which makes it infeasible for unauthorized parties to tamper with the original message without the receiver detecting the tampering.
A UE is typically connected to a single base station in order to use the mobile network services, such as phone calls, messaging, and data transmissions. When a UE does not have any data to send, its connection is idle. For the UE to join a network, a registration procedure takes place as a first step. This registration includes Access and Mobility Management Function (AMF) allocation, which among other things, provides access authentication and authorization, as well as provides security functions. Issues may arise when an initially established AMF is not the best AMF, or even is not an appropriate AMF, for a UE or for the particular services requested by the UE, which requires AMF reallocation. Thus, there remains a need for improvements to AMF reallocation.
SUMMARY
It is an object of the exemplary embodiments described herein to address at least some of the issues mentioned above, and this object and others are achieved by the methods and the Access and Mobility Management Functions according to the appended independent claims, and by the embodiments according to the dependent claims.
Advantageously, the embodiments provide the identifier for the initial security context (established between the initial AMF and the UE) to the target AMF via the RAN to address the situation where the initial AMF cannot communicate directly with the target AMF. In so doing, the solution presented herein uses existing mechanisms and an existing security context instead of deleting it and re-establishing it, which saves resources and simplifies AMF reallocation.
One exemplary embodiment comprises a method of reallocation of an Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN). The method is implemented by an initial AMF and comprises establishing an initial security context between the initial AMF and the UE, selecting a target AMF different from the initial AMF to provide one or more services requested by the UE, and transferring the initial security context from the initial AMF to the target AMF via the RAN to establish a new security context between the target AMF and the UE.
In one exemplary embodiment, the initial and new security contexts comprise initial and new Non-Access Stratum security contexts.
In one exemplary embodiment, the selecting the target AMF comprises selecting the target AMF capable of providing the one or more services requested by the UE.
In one exemplary embodiment, an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context. In this embodiment, the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to enable the target AMF to fetch the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
In one exemplary embodiment, the method further comprises storing the initial security context in a shared network entity, wherein an initial security context identifier identifies the initial security context, and the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN to enable the target AMF to fetch the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
In one exemplary embodiment, an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context, and the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to initiate execution of a validation process between the initial AMF and the target AMF to transfer the initial security context to the target AMF as the new security context. In this embodiment, the executing of the validation process comprises receiving a plain authentication request from the target AMF, protecting a plain authentication request using the initial security context, sending the protected authentication request to the UE via the target AMF, receiving a protected authentication response from the UE via the target AMF, verifying a protection of the received protected authentication response using the initial security context to generate a plain authentication response, and forwarding the plain authentication response to the target AMF to initiate a security mode command at the target AMF to establish the new security context between the target AMF and the UE. In this embodiment, at least part of the validation process between the initial AMF and the target AMF occurs using communications between the initial AMF and the target AMF via the RAN, occurs using direct communications between the initial AMF and the target AMF, and/or occurs using communications between the initial AMF and the target AMF via a shared network entity.
In one exemplary embodiment, an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context, the establishing the initial security context between the AMF and the UE comprises the initial AMF implementing a horizontal key derivation to derive the initial security context, and the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to enable the target AMF to retrieve the initial security context from the initial AMF to establish the new security context between the target AMF and the UE using the initial security context.
In one exemplary embodiment, an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context, the establishing the initial security context between the AMF and the UE comprises the initial AMF implementing a horizontal key derivation to derive the initial security context and storing the initial security context in a shared network entity, and the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN to enable the target AMF to retrieve the initial security context from the shared network entity to establish the new security context between the target AMF and the UE using the initial security context.
One exemplary embodiment comprises a method of reallocation of an Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN). The method is implemented by a target AMF and comprises receiving an initial security context identifier from an initial AMF via the RAN, the initial security context identifier identifying an initial security context established between the initial AMF and the UE, and establishing a new security context between the target AMF and the UE responsive to the received initial security context identifier.
In one exemplary embodiment, the initial and new security contexts comprise initial and new Non-Access Stratum security contexts.
In one exemplary embodiment, the target AMF is capable of providing one or more services requested by the UE that are not provided by the initial AMF.
In one exemplary embodiment, the establishing the new security context between the target AMF and the UE comprises the target AMF receiving an identifier for the initial AMF from the initial AMF via the RAN, and the target AMF fetching the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
In one exemplary embodiment, the establishing the new security context between the target AMF and the UE comprises the target AMF receiving the initial security context identifier and an identifier for a shared network entity from the initial AMF via the RAN, and the target AMF fetching the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
In one exemplary embodiment, the establishing the new security context between the target AMF and the UE comprises executing a validation process between the initial AMF and the target AMF to transfer the initial security context to the target AMF as the new security context. In this embodiment, the executing the validation process comprises sending a plain authentication request to the initial AMF, receiving a protected authentication request from the initial AMF, sending the protected authentication request to the UE, receiving a protected authentication response from the UE, forwarding the protected authentication response to the initial AMF, receiving a plain authentication response from the initial AMF, and initiating a security mode command in response to the received plain authentication response to establish the new security context between the target AMF and the UE. In this exemplary embodiment, at least part of the validation process between the initial AMF and the target AMF occurs using communications between the initial AMF and the target AMF via the RAN, occurs using direct communications between the initial AMF and the target AMF, and/or occurs using communications between the initial AMF and the target AMF via a shared network entity.
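The validation process spelled out in the initial-AMF and target-AMF embodiments above, together with the TS 24.501 integrity-check rule that makes it necessary, can be followed in a small simulation. The code below is an added example and is not code from the patent or from any 3GPP implementation. Its assumptions: HMAC-SHA-256 truncated to 32 bits stands in for a 5G NAS integrity algorithm (NIA1/2/3); the NAS framing (one security-header byte, a 4-byte COUNT, the NAS-MAC, then the payload), the AUTHRQ/AUTHRP payloads, the toy long-term key and the class and function names are invented for the example; and the RAN relay between the initial and target AMF is collapsed into direct method calls. It shows the UE discarding an unprotected AUTHENTICATION REQUEST sent straight from the target AMF (step 8 of Figure 3) and accepting the same request once the initial AMF has protected it with the existing NAS security context, after which the target AMF can proceed to its own security mode command.

```python
"""Simulated 'validation via the Initial AMF' exchange for AMF reallocation.

Added illustration, not code from the patent or any 3GPP implementation.
HMAC-SHA-256 truncated to 32 bits stands in for a 5G NAS integrity algorithm;
the NAS framing (security header byte, 4-byte COUNT, NAS-MAC, payload), the
AUTHRQ/AUTHRP payloads and the toy long-term key are invented for the example.
"""
import hashlib
import hmac
from typing import Optional

PLAIN, INTEGRITY_PROTECTED = 0x00, 0x02   # simplified security header types
DOWNLINK, UPLINK = 0, 1
MAC_LEN = 4                               # 32-bit NAS-MAC, as in 5G NAS
TOY_LONG_TERM_KEY = b"toy USIM key"       # stands in for the AUSF-provided vector


class NasSecurityContext:
    """Integrity key plus NAS COUNTs, shared by UE and Initial AMF after NAS SMC."""
    def __init__(self, k_nas_int: bytes):
        self.k_nas_int = k_nas_int
        self.count = {DOWNLINK: 0, UPLINK: 0}   # next COUNT to send / to accept

    def _mac(self, count: int, direction: int, payload: bytes) -> bytes:
        data = count.to_bytes(4, "big") + bytes([direction]) + payload
        return hmac.new(self.k_nas_int, data, hashlib.sha256).digest()[:MAC_LEN]

    def protect(self, payload: bytes, direction: int) -> bytes:
        count = self.count[direction]
        self.count[direction] += 1
        return (bytes([INTEGRITY_PROTECTED]) + count.to_bytes(4, "big")
                + self._mac(count, direction, payload) + payload)

    def verify(self, msg: bytes, direction: int) -> Optional[bytes]:
        """Payload if header, COUNT freshness and NAS-MAC all check out, else None."""
        if not msg or msg[0] != INTEGRITY_PROTECTED:
            return None
        count = int.from_bytes(msg[1:5], "big")
        mac, payload = msg[5:5 + MAC_LEN], msg[5 + MAC_LEN:]
        if count < self.count[direction]:      # stale or replayed COUNT
            return None
        if not hmac.compare_digest(mac, self._mac(count, direction, payload)):
            return None
        self.count[direction] = count + 1
        return payload


def expected_res(rand: bytes) -> bytes:
    """Toy challenge response; in 5G this is RES*/HRES* checked with the AUSF."""
    return hashlib.sha256(TOY_LONG_TERM_KEY + rand).digest()[:8]


class UE:
    """Has a context in use with the Initial AMF, so (TS 24.501 clause 4.4.4.2, as
    cited in the text) it discards NAS messages that fail the integrity check."""
    def __init__(self, ctx: NasSecurityContext):
        self.ctx, self.discarded = ctx, 0

    def receive(self, msg: bytes) -> Optional[bytes]:
        payload = self.ctx.verify(msg, DOWNLINK)
        if payload is None or not payload.startswith(b"AUTHRQ:"):
            self.discarded += 1
            return None
        rand = payload[len(b"AUTHRQ:"):]
        return self.ctx.protect(b"AUTHRP:" + expected_res(rand), UPLINK)


class InitialAMF:
    """Owns the context but cannot reach the Target AMF itself (case (B), Figure 3);
    it only protects/verifies for the Target AMF. The RAN relay is a direct call here."""
    def __init__(self, ctx: NasSecurityContext):
        self.ctx = ctx

    def protect_authrq(self, plain: bytes) -> bytes:
        return self.ctx.protect(plain, DOWNLINK)

    def verify_authrp(self, protected: bytes) -> Optional[bytes]:
        return self.ctx.verify(protected, UPLINK)


class TargetAMF:
    """Has no security context for this UE yet."""
    def __init__(self, via: Optional[InitialAMF] = None):
        self.via = via
        self.new_context_established = False

    def authenticate(self, ue: UE, rand: bytes) -> bool:
        plain = b"AUTHRQ:" + rand
        if self.via is None:                         # step 8 of Figure 3: unprotected
            plain_resp = ue.receive(bytes([PLAIN]) + plain)
        else:                                        # validation via the Initial AMF
            resp = ue.receive(self.via.protect_authrq(plain))
            plain_resp = self.via.verify_authrp(resp) if resp is not None else None
        if plain_resp != b"AUTHRP:" + expected_res(rand):
            return False
        self.new_context_established = True          # next: NAS SMC with the UE
        return True


def run(via_initial_amf: bool) -> tuple:
    """One reallocation attempt: (authenticated, NAS messages the UE discarded)."""
    k_nas_int = hashlib.sha256(b"toy K_NASint").digest()[:16]
    ue = UE(NasSecurityContext(k_nas_int))
    initial = InitialAMF(NasSecurityContext(k_nas_int))
    target = TargetAMF(via=initial if via_initial_amf else None)
    ok = target.authenticate(ue, rand=bytes(range(16)))
    return ok, ue.discarded
```

`run(False)` returns `(False, 1)`: the UE discards the unprotected request and the target AMF never gets a response. `run(True)` returns `(True, 0)`. The COUNT bookkeeping in `NasSecurityContext` also shows why the initial AMF has to stay in the loop for the whole exchange rather than just lending a key once: the downlink and uplink NAS COUNTs advance with every protected message, and only the holder of the context can keep them in step with the UE.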
In one exemplary embodiment, the initial security context between the AMF and the UE is the result of a horizontal key derivation implemented by the initial AMF, and the establishing the new security context between the target AMF and the UE comprises retrieving the initial security context from the initial AMF, and using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE.
In one exemplary embodiment, the initial security context between the AMF and the UE is the result of a horizontal key derivation implemented by the initial AMF, and the establishing the new security context between the target AMF and the UE comprises receiving an identifier for a shared network entity and the initial security context identifier from the initial AMF via the RAN, retrieving the initial security context from the shared network entity, and using the initial security context retrieved from the shared network entity to establish the new security context between the target AMF and the UE. In this exemplary embodiment, using the retrieved initial security context to establish the new security context between the target AMF and the UE comprises executing a security mode command with the UE using the initial security context to establish the new security context between the target AMF and the UE.
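The horizontal key derivation named in these embodiments is what lets the target AMF obtain a key that is bound to, but not equal to, the initial AMF's K_AMF, so the initial context can be reused without a fresh authentication and without the target AMF learning the original key. The following is an added example, not code from the patent: it implements the generic 3GPP KDF structure of TS 33.220 Annex B.2 (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1) with the FC values and parameter layouts of TS 33.501 Annex A.13 (K_AMF') and A.8 (NAS algorithm keys) as recalled by the author of this example. Those constants, the choice of the uplink NAS COUNT as input, the algorithm identifiers passed in and the function names are assumptions to be checked against the current specification. The UE performs the same computation from its own copy of K_AMF once the target AMF's NAS security mode command indicates that a horizontal derivation took place.

```python
"""Horizontal K_AMF derivation and the NAS keys a new context is built from.

Added illustration, not code from the patent. Generic 3GPP KDF structure
(TS 33.220 Annex B.2) with FC values and parameter layouts of TS 33.501
Annex A.13 (K_AMF') and A.8 (algorithm keys) as recalled; treat the
constants as assumptions and verify them against the specification.
"""
import hashlib
import hmac

FC_KAMF_PRIME = 0x72                       # TS 33.501 A.13 (assumed value)
FC_ALGORITHM_KEY = 0x69                    # TS 33.501 A.8  (assumed value)
N_NAS_ENC_ALG, N_NAS_INT_ALG = 0x01, 0x02  # algorithm type distinguishers (assumed)
DOWNLINK, UPLINK = 0x00, 0x01              # DIRECTION parameter values (assumed)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    where each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kamf_prime(k_amf: bytes, direction: int, nas_count: int) -> bytes:
    """Horizontal derivation K_AMF -> K_AMF'. The NAS COUNT used here is one the UE
    also knows, so both sides derive the same K_AMF' without re-authentication."""
    return kdf(k_amf, FC_KAMF_PRIME, bytes([direction]), nas_count.to_bytes(4, "big"))


def derive_nas_keys(k_amf: bytes, enc_alg_id: int, int_alg_id: int) -> tuple:
    """K_NASenc and K_NASint: the 128 least significant bits of the 256-bit output."""
    k_enc = kdf(k_amf, FC_ALGORITHM_KEY, bytes([N_NAS_ENC_ALG]), bytes([enc_alg_id]))[16:]
    k_int = kdf(k_amf, FC_ALGORITHM_KEY, bytes([N_NAS_INT_ALG]), bytes([int_alg_id]))[16:]
    return k_enc, k_int


def reallocation_keys(k_amf: bytes, ul_nas_count: int, enc_alg_id: int,
                      int_alg_id: int) -> dict:
    """What the Initial AMF computes before handing the context over (here from the
    uplink NAS COUNT of the Registration Request), and what the UE recomputes from
    its own K_AMF when the Target AMF's NAS SMC signals the horizontal derivation.
    The Target AMF receives K_AMF' and the derived keys, never the original K_AMF."""
    k_amf_prime = derive_kamf_prime(k_amf, UPLINK, ul_nas_count)
    k_enc, k_int = derive_nas_keys(k_amf_prime, enc_alg_id, int_alg_id)
    return {"k_amf_prime": k_amf_prime, "k_nas_enc": k_enc, "k_nas_int": k_int}
```

Because the KDF is one-way, the initial AMF can hand K_AMF' to the target AMF directly or via the shared network entity without exposing K_AMF, and a different NAS COUNT yields an unrelated K_AMF'. The practical failure mode to test for is a COUNT mismatch: if the UE and the initial AMF disagree on which NAS COUNT fed the derivation, the target AMF's security mode command will fail its integrity check at the UE and the reallocation stalls exactly as in the unprotected-AUTHRQ case.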
One exemplary embodiment comprises an initial Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN). The initial AMF is comprised in a core network node and comprises one or more processing circuits configured to establish an initial security context between the initial AMF and the UE, select a target AMF different from the initial AMF to provide one or more services requested by the UE, and transfer the initial security context from the initial AMF to the target AMF via the RAN to establish a new security context between the target AMF and the UE.
One exemplary embodiment comprises a target Access and Mobility Management Function (AMF) for wireless communications between a User Equipment (UE) and a Radio Access Node (RAN). The target AMF is comprised in a core network node and comprises one or more processing circuits configured to receive an initial security context identifier from an initial AMF via the RAN, the initial security context identifier identifying an initial security context established between the initial AMF and the UE, and establish a new security context between the target AMF and the UE responsive to the received initial security context identifier.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 shows an example of a simplified mobile network.
Figure 2 shows an exemplary general registration procedure.
Figure 3 shows an exemplary AMF reallocation procedure.
Figure 4 shows an exemplary method implemented by the initial AMF according to exemplary embodiments of the solution presented herein.
Figure 5 shows an exemplary method implemented by the target AMF according to exemplary embodiments of the solution presented herein.
Figure 6 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
Figure 7 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
Figure 8 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
Figure 9 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
Figure 10 shows an exemplary AMF reallocation procedure via the RAN according to exemplary embodiments of the solution presented herein.
Figure 11 shows an exemplary block diagram of the core network according to the solution presented herein.
DETAILED DESCRIPTION
For the UE to join a network, a registration procedure takes place as a first step. The detailed registration procedure is outlined in 3GPP TS 23.502 "Procedures for the 5G System; Stage 2" (Rel. 15), version 16.0.2, e.g., clause "4.2.2.2.2 General Registration," reproduced for convenience in Figure 2.
Clause "4.2.2.2.3 Registration with AMF reallocation" (e.g., Figure 3) covers the case of an AMF reallocation when, for example due to slicing requirements or AMF set deployment constraints, the UE cannot be served by the Initial AMF which used to serve the UE. The AMF reallocation procedure outlined in Figure 3 results in the UE and the Initial AMF sharing a security context (after step 2 in Figure 3 or after step 9 in Figure 2). Therefore, encryption and integrity protection keys could be used for secure communication between the UE and the Initial AMF. The last part of step 9 in Figure 2 is the non-access stratum (NAS) Security Mode Command (SMC) that takes the security context into use between the UE and the Initial AMF. After the NAS SMC procedure, the Initial AMF receives the initial registration request, which may carry slicing information, such as Network Slice Selection Assistance Information (NSSAI). Based on this slicing information, the Initial AMF may determine that it is not the right AMF to serve the UE and so performs a look-up for an appropriate AMF (e.g., steps 6a, 6b in Figure 3). The problematic situation is case (B) in Figure 3, when the Target AMF (the AMF that was discovered to fulfil the requirements to serve the UE with respect to slicing) cannot be contacted by the Initial AMF in order to transfer the security context shared between the UE and the Initial AMF. As a result, step 8 in Figure 3 will be followed, which implies that the Target AMF will try to authenticate the UE again by issuing an unprotected NAS message (AUTHENTICATION REQUEST, or AUTHRQ for short). According to the rules in 3GPP TS 24.501 "Non-Access Stratum (NAS) protocol for 5G System (5GS); Stage 3" (Rel. 15), version 16.0.2, e.g., clause "4.4.4.2 Integrity checking of NAS signalling messages in the UE," this unprotected AUTHRQ message will be dropped by the UE because it already has a security context in use with the network (with the Initial AMF though, not the Target AMF).
It will be appreciated that in case (A) of step 7, there is no problem because the security context is transferred from the Initial AMF to the Target AMF. Therefore, regardless of whether it decides to re-authenticate the UE, the Target AMF has the security context with which it could protect the AUTHRQ.
The problem is stated in contribution 3GPP TDoc S3-191411, and a solution is proposed in contribution 3GPP TDoc S3-191413. The problem with the solution of 3GPP TDoc S3-191413 is that it introduces a new message, "AMF reallocation notification message," which causes the UE to delete the security context shared between itself and the Initial AMF. This new message solution is not ideal because the UE removes a working security context before the next security context is established.
The solution presented herein enables the network to reuse the existing security context between the Initial AMF and the UE to perform AMF reallocation with a target AMF. In so doing, the solution presented herein uses existing mechanisms and an existing security context instead of deleting it and re-establishing it, which saves resources and simplifies AMF reallocation.
Figure 4 shows one exemplary method 400 of the solution presented herein as implemented by the initial AMF 100 (see Figure 11). The initial AMF 100 establishes an initial security context between the initial AMF and the UE (block 410). In some circumstances, the initial AMF 100 may select a target AMF 200 that is different from the initial AMF 100 (block 420). For example, when the initial AMF 100 realizes it cannot provide the services requested by the UE, the initial AMF 100 may select a target AMF 200 that can provide the requested services. The initial AMF 100 then transfers the initial security context to the target AMF 200 via the RAN to establish a new security context between the target AMF 200 and the UE (block 430).
Figure 5 shows one exemplary method 500 of the solution presented herein as implemented by the target AMF 200. The target AMF 200 receives an initial security context identifier from the initial AMF via the RAN (block 510), where the initial security context identifier identifies an initial security context established between the initial AMF 100 and the UE. The target AMF 200 then establishes a new security context between the target AMF and the UE responsive to the initial security context identifier (block 520).
The following provides further details for various embodiments for implementing the methods of Figures 4-5.
In one exemplary embodiment, the Target AMF performs authentication via the Initial AMF, with message passing via the RAN, as shown in Figure 6. In this embodiment, the Initial AMF is used for protection/verification (integrity protection/verification, or integrity plus confidentiality protection/verification) on behalf of the Target AMF. In order to do so, the Initial AMF provides the Initial AMF identity to the (R)AN in step 7a of Figure 3, and the (R)AN provides the Initial AMF identity to the Target AMF.
All communication between the Initial AMF and the Target AMF is performed through the RAN or is initiated by the Target AMF. The procedure includes the following steps:
0. Steps 1-6 from Figure 3 are performed.
1. The Initial AMF cannot communicate directly with the Target AMF, so alternative (B) of step 7 in Figure 3 is performed. The Initial AMF provides its address or identity (the Initial AMF identity) and the identifier of the UE's security context in the Initial AMF (the Initial AMF UE's security context identifier) to the (R)AN in step 7a of Figure 3, and the (R)AN provides the Initial AMF identity and the Initial AMF UE's security context identifier to the Target AMF.
2. The Target AMF initiates an authentication by requesting new authentication vectors from the Authentication Server Function (AUSF).
3. The AUSF provides the new authentication vectors.
4. The Target AMF sends the plain AUTHENTICATION REQUEST(s) to the Initial AMF either:
a. via the (R)AN, where the Target AMF indicates the plain AUTHENTICATION REQUEST, the Initial AMF identity and the Initial AMF UE's security context identifier to the (R)AN, and the (R)AN provides the plain AUTHENTICATION REQUEST and the Initial AMF UE's security context identifier to the AMF identified by the Initial AMF identity; or
b. directly, where the Target AMF sends the plain AUTHENTICATION REQUEST and the Initial AMF UE's security context identifier to the Initial AMF identified by the Initial AMF identity; or
c. via a shared network entity, where the Target AMF indicates the plain AUTHENTICATION REQUEST, the Initial AMF identity and the Initial AMF UE's security context identifier to the shared network entity, and the shared network entity provides the plain AUTHENTICATION REQUEST and the Initial AMF UE's security context identifier to the AMF identified by the Initial AMF identity.
5. The Initial AMF protects the plain AUTHENTICATION REQUEST using the current 5G NAS security context identified by the Initial AMF UE's security context identifier.
6. The Initial AMF returns the protected AUTHENTICATION REQUEST to the Target AMF either:
a. via the (R)AN, where the Initial AMF indicates the protected AUTHENTICATION REQUEST to the (R)AN and the (R)AN provides the protected AUTHENTICATION REQUEST to the Target AMF; or
b. directly, where the Initial AMF sends the protected AUTHENTICATION REQUEST to the Target AMF; or
c. via a shared network entity, where the Initial AMF indicates the protected AUTHENTICATION REQUEST to the shared network entity, and the shared network entity provides the protected AUTHENTICATION REQUEST to the Target AMF.
7. The Target AMF sends the protected AUTHENTICATION REQUEST to the UE.
8. The UE sends the protected AUTHENTICATION RESPONSE(s) to the Target AMF.
9. The Target AMF forwards the protected AUTHENTICATION RESPONSE(s) to the Initial AMF either:
a. via the (R)AN, where the Target AMF indicates the protected AUTHENTICATION RESPONSE, the Initial AMF identity and the Initial AMF UE's security context identifier to the (R)AN, and the (R)AN provides the protected AUTHENTICATION RESPONSE and the Initial AMF UE's security context identifier to the AMF identified by the Initial AMF identity; or
b. directly, where the Target AMF sends the protected AUTHENTICATION RESPONSE and the Initial AMF UE's security context identifier to the Initial AMF identified by the Initial AMF identity; or
c. via a shared network entity, where the Target AMF indicates the protected AUTHENTICATION RESPONSE, the Initial AMF identity and the Initial AMF UE's security context identifier to the shared network entity, and the shared network entity provides the protected AUTHENTICATION RESPONSE and the Initial AMF UE's security context identifier to the AMF identified by the Initial AMF identity.
10. The Initial AMF verifies the protection of the received protected AUTHENTICATION RESPONSE(s) using the current 5G NAS security context identified by the Initial AMF UE's security context identifier.
11. The Initial AMF forwards the plain AUTHENTICATION RESPONSE(s) to the Target AMF either:
a. via the (R)AN, where the Initial AMF indicates the plain AUTHENTICATION RESPONSE to the (R)AN and the (R)AN provides the plain AUTHENTICATION RESPONSE to the Target AMF; or
b. directly, where the Initial AMF sends the plain AUTHENTICATION RESPONSE to the Target AMF; or
c. via a shared network entity, where the Initial AMF indicates the plain AUTHENTICATION RESPONSE to the shared network entity, and the shared network entity provides the plain AUTHENTICATION RESPONSE to the Target AMF.
The message exchange omits the details of the AUTHENTICATION REQUEST and AUTHENTICATION RESPONSE messages but the end result is a new key agreement between the UE and the Target AMF. The Target AMF can subsequently perform a NAS Security Mode Command to put the newly created security context into use. The advantage of this solution is that there is no impact on the UE.
It should be noted that a shared network entity is an entity that is shared between the Network Slices that the Initial AMF and Target AMF serve. One example is a default AMF, which can be regarded as shared between all or many Network slices.
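The Figure 6 exchange above, together with the Figure 3 case (B) failure it avoids, as an added Python model that is not code from the patent. The UE, the Initial AMF, the (R)AN relay (option a of steps 4, 6, 9 and 11) and the Target AMF are each a small class; HMAC-SHA256 stands in for the 5G NAS integrity algorithms, a single counter for NAS COUNT, and the AUSF's authentication vector is reduced to a challenge and an expected response. Identities ("initial-amf", "ctx-42"), keys and the USIM credential are constructed for the example; ciphering and replay protection are omitted.

```python
# Added toy model of the Figure 6 flow (not code from the patent). HMAC-SHA256 stands in
# for the 5G NAS integrity algorithms, one counter for NAS COUNT; ciphering and replay
# protection are omitted. Identities and key values are constructed for the example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class NasSecurityContext:
    ctx_id: str      # the "Initial AMF UE's security context identifier"
    k_int: bytes     # stand-in for the NAS integrity key
    count: int = 0   # stand-in for NAS COUNT

@dataclass
class NasMessage:
    msg_type: str
    payload: bytes
    count: Optional[int] = None   # None together with mac: a plain (unprotected) message
    mac: Optional[bytes] = None

def _mac(ctx, count, payload):
    return hmac.new(ctx.k_int, count.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:4]

def protect(ctx, msg):
    ctx.count += 1
    return NasMessage(msg.msg_type, msg.payload, ctx.count, _mac(ctx, ctx.count, msg.payload))

def verify(ctx, msg):
    """Plain message if the MAC checks under ctx, else None (the message is discarded)."""
    if msg.count is None or msg.mac is None or not hmac.compare_digest(msg.mac, _mac(ctx, msg.count, msg.payload)):
        return None
    return NasMessage(msg.msg_type, msg.payload)

def ausf_authentication_vector(k_ue):
    # Stand-in for the vector the AUSF returns: a challenge and the expected response.
    rand = secrets.token_bytes(16)
    return rand, hmac.new(k_ue, rand, hashlib.sha256).digest()[:8]

class UE:
    def __init__(self, ctx):
        self.ctx = ctx                        # context taken into use by the Initial AMF's NAS SMC
        self.k_ue = b"constructed-usim-key"   # stand-in for the long-term USIM credential
    def receive(self, msg):
        # Simplified TS 24.501 clause 4.4.4.2 rule: once a security context is in use,
        # a NAS message that does not pass the integrity check is discarded.
        if self.ctx is not None:
            msg = verify(self.ctx, msg)
            if msg is None:
                return None
        if msg.msg_type != "AUTHENTICATION REQUEST":
            return None
        res = hmac.new(self.k_ue, msg.payload, hashlib.sha256).digest()[:8]
        reply = NasMessage("AUTHENTICATION RESPONSE", res)
        return protect(self.ctx, reply) if self.ctx is not None else reply

class InitialAMF:
    amf_id = "initial-amf"                    # the "Initial AMF identity" given to the (R)AN in step 7a
    def __init__(self):
        self.contexts = {}                    # ctx_id -> NasSecurityContext
    def protect_for(self, ctx_id, plain):     # step 5
        return protect(self.contexts[ctx_id], plain)
    def verify_for(self, ctx_id, protected):  # step 10
        return verify(self.contexts[ctx_id], protected)

class RAN:
    def __init__(self, *amfs):
        self.amfs = {amf.amf_id: amf for amf in amfs}
    def relay(self, amf_id, operation, *args):
        # Option (a) of steps 4, 6, 9 and 11: the (R)AN routes on the Initial AMF identity.
        return getattr(self.amfs[amf_id], operation)(*args)

class TargetAMF:
    def __init__(self, ran):
        self.ran = ran
    def authenticate_directly(self, ue, k_ue):
        # Step 8 of Figure 3 as the page describes it: the plain AUTHENTICATION REQUEST
        # reaches a UE that already has a context and is dropped.
        rand, xres = ausf_authentication_vector(k_ue)
        resp = ue.receive(NasMessage("AUTHENTICATION REQUEST", rand))
        return resp is not None and hmac.compare_digest(resp.payload, xres)
    def authenticate_via_initial_amf(self, ue, initial_amf_id, ctx_id, k_ue):
        rand, xres = ausf_authentication_vector(k_ue)                                      # steps 2-3
        protected_req = self.ran.relay(initial_amf_id, "protect_for", ctx_id,
                                       NasMessage("AUTHENTICATION REQUEST", rand))         # steps 4-6
        protected_resp = ue.receive(protected_req)                                         # steps 7-8
        if protected_resp is None:
            return False
        plain_resp = self.ran.relay(initial_amf_id, "verify_for", ctx_id, protected_resp)  # steps 9-11
        return plain_resp is not None and hmac.compare_digest(plain_resp.payload, xres)

def demonstrate():
    initial = InitialAMF()
    k_int = secrets.token_bytes(16)
    initial.contexts["ctx-42"] = NasSecurityContext("ctx-42", k_int)
    ue = UE(NasSecurityContext("ctx-42", k_int))   # same context on both sides after NAS SMC
    target = TargetAMF(RAN(initial))
    return {
        "plain_authrq_accepted": target.authenticate_directly(ue, ue.k_ue),
        "proxied_authrq_accepted": target.authenticate_via_initial_amf(ue, initial.amf_id, "ctx-42", ue.k_ue),
    }
```

`demonstrate()` returns `{"plain_authrq_accepted": False, "proxied_authrq_accepted": True}`: the same UE drops the Target AMF's unprotected request and accepts the one the Initial AMF protected, which is the whole point of routing the plain messages through the context owner. Note that the Target AMF never sees the integrity key; it only ever handles plain messages and already-protected ones, so the Initial AMF remains the sole holder of the context until the Target AMF's own NAS SMC.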
In another exemplary embodiment, the Target AMF fetches the security context with respect to a horizontal key derivation performed by the Initial AMF, as shown in Figure 7. In this embodiment, the idea is the following.
0. Steps 1-6 from Figure 3 are performed.
1. The Initial AMF performs horizontal key derivation.
2. The Initial AMF cannot communicate directly with the Target AMF, so alternative (B) of step 7 in Figure 3 is performed. The additional step is that the Initial AMF sends its address or identity (the Initial AMF identity) and the identifier of the UE's security context in the Initial AMF (the Initial AMF UE's context identifier) along with the NAS message in step 7a of Figure 3, and the (R)AN provides the Initial AMF identity and the Initial AMF UE's context identifier to the Target AMF in step 7b of Figure 3.
3. The Target AMF initiates a security context fetch from the Initial AMF, using the Initial AMF identity and Initial AMF UE's context identifier.
4. The Target AMF performs NAS SMC with the UE with K_AMF_change_flag. Target AMF does not do horizontal key derivation itself, since the horizontal key derivation has already been done in the Initial AMF.
In another exemplary embodiment, the Target AMF fetches, from a shared network entity, the security context resulting from a horizontal key derivation performed by the Initial AMF, as shown in Figure 8. In this embodiment, the idea is the following.
0. Steps 1-6 from Figure 3 are performed.
1. The Initial AMF performs horizontal key derivation.
2. The Initial AMF stores the UE security context in a shared network entity.
3. The Initial AMF cannot communicate directly with the Target AMF, so alternative (B) of step 7 in Figure 3 is performed. The additional step is that the Initial AMF sends the address or identity of the shared network entity (the Shared Network Entity identity), if more than one exists in the PLMN of the Initial AMF, and the identifier of the UE's security context in the shared network entity (the Shared Network Entity UE's context identifier), along with the NAS message in step 7a of Figure 3, and the (R)AN provides the Shared Network Entity identity and the Shared Network Entity UE's context identifier to the Target AMF in step 7b of Figure 3.
4. The Target AMF initiates a security context fetch from the Shared Network Entity, using the Shared Network Entity identity and the Shared Network Entity UE's context identifier.
5. The Target AMF performs NAS SMC with the UE with K_AMF_change_flag. Target AMF does not do horizontal key derivation itself, since the horizontal key derivation has already been done in the Initial AMF.
In another exemplary embodiment, the Target AMF fetches the security context without performing horizontal key derivation, as shown in Figure 9. In this embodiment, the idea is the following.
0. Steps 1-6 from Figure 3 are performed.
1. The Initial AMF cannot communicate directly with the Target AMF, so alternative (B) of step 7 in Figure 3 is performed. The additional step is that the Initial AMF sends its address or identity (the Initial AMF identity) and the identifier of the UE's security context in the Initial AMF (the Initial AMF UE's context identifier) along with the NAS message in step 7a of Figure 3, and the (R)AN provides the Initial AMF identity and the Initial AMF UE's context identifier to the Target AMF in step 7b of Figure 3.
2. The Target AMF initiates a security context fetch from the Initial AMF, using the Initial AMF identity and Initial AMF UE's context identifier.
The flow is the same as Figure 7 but steps 1 and 4 of Figure 7 are skipped.
In another exemplary embodiment, the Target AMF fetches the security context from a shared network entity, without any horizontal key derivation being performed, as shown in Figure 10. In this embodiment, the idea is the following.
0. Steps 1-6 from Figure 3 are performed.
1. The Initial AMF stores the UE security context in a shared network entity.
2. The Initial AMF cannot communicate directly with the Target AMF, so alternative (B) of step 7 in Figure 3 is performed. The additional step is that the Initial AMF sends the address or identity of the shared network entity (the shared network entity identity), if more than one exists in the PLMN of the Initial AMF, and the identifier of the UE's security context in the shared network entity (the shared network entity UE's context identifier) along with the NAS message in step 7a of Figure 3, and the (R)AN provides the shared network entity identity and the shared network entity UE's context identifier to the Target AMF in step 7b of Figure 3.
3. The Target AMF initiates a security context fetch from the shared network entity, using the shared network entity identity and the shared network entity UE's context identifier.
The flow is the same as Figure 8 but steps 1 and 5 of Figure 8 are skipped.
The introduction of new options in existing messages, or of new messages, enables the passing of the UE security context from the Initial AMF to the Target AMF.
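The four fetch-based flows (Figures 7 to 10) as one added Python model, not code from the patent. The Initial AMF optionally performs the horizontal key derivation, stores the context either locally or in a shared network entity, and hands the (R)AN the entity identity plus context identifier; the Target AMF fetches the context from that entity and runs the NAS SMC, setting K_AMF_change_flag only when the Initial AMF already derived. HMAC-SHA256 stands in for the TS 33.501 KDF and NAS integrity algorithm (the real FC value and parameter encoding are not reproduced). Two assumptions are marked in the code: the stored context records whether it was already derived, which the page does not specify, and for the Figures 9 and 10 flows the Target AMF takes the fetched context into use with the flag cleared, a step the page leaves open. The last case, where the Target AMF wrongly derives a second time, shows why the page says it must not.

```python
# Added toy model of the Figures 7-10 flows (not code from the patent). HMAC-SHA256 stands in
# for the TS 33.501 KDF and NAS integrity algorithm; the FC value and parameter encoding of the
# real horizontal K_AMF derivation are not reproduced. Identities and key values are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class NasSecurityContext:
    ctx_id: str
    k_amf: bytes
    dl_nas_count: int       # derivation input in TS 33.501; the value here is illustrative
    derived: bool = False   # assumption: the stored context records that K_AMF was already
                            # horizontally derived, so the Target AMF knows which flag to set

def horizontal_derive(ctx):
    # K_AMF' = KDF(K_AMF, DL NAS COUNT); UE and Initial AMF must feed identical inputs.
    k_new = hmac.new(ctx.k_amf, b"K_AMF horizontal" + ctx.dl_nas_count.to_bytes(4, "big"),
                     hashlib.sha256).digest()
    return replace(ctx, k_amf=k_new, derived=True)

def smc_mac(k_amf, k_amf_change_flag):
    # Integrity tag on the NAS Security Mode Command (keyed directly from K_AMF in this toy).
    return hmac.new(k_amf, b"SECURITY MODE COMMAND" + bytes([k_amf_change_flag]), hashlib.sha256).digest()

class ContextStore:
    """Where the UE context is fetched from: the Initial AMF itself (Figures 7 and 9) or a
    shared network entity such as a default AMF (Figures 8 and 10)."""
    def __init__(self, entity_id):
        self.entity_id, self._ctx = entity_id, {}
    def put(self, ctx):
        self._ctx[ctx.ctx_id] = ctx
    def fetch(self, ctx_id):
        return self._ctx.get(ctx_id)

@dataclass(frozen=True)
class RerouteInfo:
    """What the Initial AMF gives the (R)AN in step 7a and the (R)AN relays to the Target AMF in 7b."""
    entity_id: str   # Initial AMF identity or Shared Network Entity identity
    ctx_id: str      # the UE's security context identifier at that entity

class UE:
    def __init__(self, ctx):
        self.ctx = ctx
    def handle_smc(self, k_amf_change_flag, mac):
        # With K_AMF_change_flag set the UE derives K_AMF' itself, exactly once; the new
        # context is only taken into use if the SMC verifies under it.
        candidate = horizontal_derive(self.ctx) if k_amf_change_flag else self.ctx
        ok = hmac.compare_digest(mac, smc_mac(candidate.k_amf, k_amf_change_flag))
        if ok:
            self.ctx = candidate
        return ok

class InitialAMF:
    def __init__(self, ctx, own_store, shared_store):
        self.ctx, self.own_store, self.shared_store = ctx, own_store, shared_store
    def reroute(self, derive, via_shared):
        ctx = horizontal_derive(self.ctx) if derive else self.ctx    # step 1 of Figures 7 and 8
        store = self.shared_store if via_shared else self.own_store  # Figure 8 step 2 / Figure 10 step 1
        store.put(ctx)
        return RerouteInfo(store.entity_id, ctx.ctx_id)              # step 7a/7b of Figure 3

class TargetAMF:
    def __init__(self, reachable_stores):
        self.stores = reachable_stores   # entity_id -> ContextStore the Target AMF can fetch from
    def take_over(self, info, ue, rederive=False):
        ctx = self.stores[info.entity_id].fetch(info.ctx_id)         # security context fetch
        if ctx is None:
            return False
        if rederive:
            ctx = horizontal_derive(ctx)   # what the page says the Target AMF must NOT do
        # Assumption for Figures 9 and 10: the fetched context is taken into use with the flag cleared.
        return ue.handle_smc(ctx.derived, smc_mac(ctx.k_amf, ctx.derived))  # NAS SMC

def run_flow(derive, via_shared, rederive=False):
    ctx = NasSecurityContext("ctx-7", secrets.token_bytes(32), dl_nas_count=5)
    ue = UE(ctx)
    own, shared = ContextStore("initial-amf"), ContextStore("default-amf")
    initial = InitialAMF(ctx, own, shared)
    target = TargetAMF({s.entity_id: s for s in (own, shared)})
    return target.take_over(initial.reroute(derive, via_shared), ue, rederive)

def run_all():
    return {"figure7": run_flow(True, False), "figure8": run_flow(True, True),
            "figure9": run_flow(False, False), "figure10": run_flow(False, True),
            "double_derivation": run_flow(True, False, rederive=True)}
```

`run_all()` returns True for the four figures and False for the double-derivation case: the UE derives once on seeing K_AMF_change_flag, so a Target AMF that derives again ends up with a key the UE does not have and its SMC fails verification. The UE deliberately commits the derived context only after the SMC verifies, so a rejected SMC leaves the working context with the Initial AMF intact, which is the property the page's solution is meant to preserve.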
Figure 11 shows an exemplary core network comprising a plurality of AMFs, including an initial AMF 100 and a target AMF 200. The initial AMF 100 includes one or more processing circuits 110, as well as any necessary memory circuits (not shown), configured to implement the methods shown and discussed herein. The target AMF 200 includes one or more processing circuits 210, as well as any necessary memory circuits (not shown), configured to implement the methods shown and discussed herein. The core network may further comprise an optional shared network entity 300, which in some embodiments communicates with the RAN, the initial AMF 100 and/or the target AMF 200. As noted above, the shared network entity may comprise an entity that is shared between the Network Slices that the Initial AMF and Target AMF serve. One example is a default AMF, which can be regarded as shared between all or many Network Slices.
In summary, when the Initial AMF realizes it cannot provide at least some of the services requested by the UE, e.g., network slicing services, it selects a Target AMF that is better suited. If the Initial AMF can communicate directly with the Target AMF, then it does so to reallocate the AMF (e.g., (A) in Figure 3). But if the Initial AMF cannot communicate directly with the Target AMF (e.g., (B) in Figure 3), for instance due to deployment choices by the operator, the solution presented herein has the Initial AMF send at least its (initial) security context identifier to the RAN (along with the ID for the selected Target AMF), and the RAN forwards the initial security context identifier to the Target AMF. The Target AMF then establishes a new security context with the UE using the received initial security context ID (i.e., according to any one of the embodiments disclosed herein). For example, the Target AMF may take ownership of the security context (previously owned by the Initial AMF), e.g., by communicating directly with the Initial AMF (even though the Initial AMF could not communicate directly with the Target AMF). In another embodiment, the Target AMF is allowed to fetch something from the Initial AMF, but not the opposite, e.g., due to prior knowledge by the Target AMF, or to configuration or access rules (e.g., the Target AMF may have more privileges than the Initial AMF). In yet another embodiment, neither communication direction is possible (i.e., neither Initial AMF to Target AMF nor Target AMF to Initial AMF), but it is possible for the initial and target AMFs to communicate via other nodes, in this case e.g., the RAN.
Further, according to embodiments, it is disclosed a method of reallocating an AMF for wireless communications between a UE and a RAN, wherein an initial AMF establishes an initial security context between the initial AMF and the UE, selects a target AMF different from the initial AMF to provide one or more services requested by the UE, and transfers the initial security context from the initial AMF to the target AMF via the RAN in order to establish a new security context between the target AMF and the UE.
The initial and the new security contexts may comprise initial and new Non-Access Stratum, NAS, security contexts, and the selecting of the target AMF may comprise selecting the target AMF capable of providing the one or more services requested by the UE.
An initial AMF identifier may identify the initial AMF, and an initial security context identifier may identify the initial security context, and the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN, in order to enable the target AMF to fetch the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
The initial security context may be stored in a shared network entity, wherein an initial security context identifier identifies the initial security context, and the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN, in order to enable the target AMF to fetch the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
An initial AMF identifier may identify the initial AMF, and an initial security context identifier may identify the initial security context, and the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN, in order to initiate execution of a validation process between the initial AMF and the target AMF, and in order to transfer the initial security context to the target AMF as the new security context.
The execution of the validation process may comprise receiving a plain authentication request from the target AMF, protecting the plain authentication request using the initial security context, and sending the protected authentication request to the UE via the target AMF. It may further comprise receiving a protected authentication response from the UE via the target AMF, verifying the protection of the received protected authentication response using the initial security context to generate a plain authentication response, and forwarding the plain authentication response to the target AMF to initiate a security mode command at the target AMF in order to establish the new security context between the target AMF and the UE. At least part of the validation process between the initial AMF and the target AMF may occur using communications between the initial AMF and the target AMF via the RAN, using direct communications between the initial AMF and the target AMF, or using communications between the initial AMF and the target AMF via a shared network entity.
An initial AMF identifier may identify the initial AMF, and an initial security context identifier may identify the initial security context. The establishing of the initial security context between the AMF and the UE may comprise the initial AMF implementing a horizontal key derivation to derive the initial security context, and the transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN, in order to enable the target AMF to retrieve the initial security context from the initial AMF, to establish the new security context between the target AMF and the UE using the initial security context.
An initial AMF identifier may identify the initial AMF, and an initial security context identifier may identify the initial security context. Establishing the initial security context between the AMF and the UE may comprise the initial AMF implementing a horizontal key derivation to derive the initial security context and storing the initial security context in a shared network entity. The transfer of the initial security context from the initial AMF to the target AMF via the RAN may comprise the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN, in order to enable the target AMF to retrieve the initial security context from the shared network entity to establish the new security context between the target AMF and the UE, using the initial security context.
Another embodiment is directed to a method of reallocation of an AMF for wireless communications between a UE and a RAN, the method implemented by a target AMF, and comprising receiving an initial security context identifier from an initial AMF via the RAN, the initial security context identifier identifying an initial security context established between the initial AMF and the UE, and establishing a new security context between the target AMF and the UE responsive to the received initial AMF identifier and the received initial security context identifier.
The initial and the new security contexts may comprise initial and new Non-Access Stratum, NAS, security contexts, and the target AMF is capable of providing one or more services requested by the UE that are not provided by the initial AMF.
The establishing of the new security context between the target AMF and the UE may comprise the target AMF receiving an identifier for the initial AMF from the initial AMF via the RAN, and the target AMF fetching the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
The establishing of the new security context between the target AMF and the UE may comprise the target AMF receiving the initial security context identifier and an identifier for a shared network entity from the shared network entity, and the target AMF fetching the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
The establishing of the new security context between the target AMF and the UE may comprise executing a validation process between the initial AMF and the target AMF to transfer the initial security context to the target AMF as the new security context.
The execution of the validation process may comprise sending a plain authentication request to the initial AMF, receiving a protected authentication request from the initial AMF, sending the protected authentication request to the UE, receiving a protected authentication response from the UE, forwarding the protected authentication response to the initial AMF, receiving a plain authentication response from the initial AMF, and initiating a security mode command in response to the received plain authentication response to establish the new security context between the target AMF and the UE.
At least part of the validation process between the initial AMF and the target AMF may occur using communications between the initial AMF and the target AMF via the RAN, using direct communications between the initial AMF and the target AMF, or using communications between the initial AMF and the target AMF via a shared network entity.
The initial security context between the AMF and the UE may be the result of a horizontal key derivation implemented by the initial AMF, and the establishing of the new security context between the target AMF and the UE may comprise retrieving the initial security context from the initial AMF and using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE.
The initial security context between the AMF and the UE may be the result of a horizontal key derivation implemented by the initial AMF, and the establishing of the new security context between the target AMF and the UE may comprise receiving an identifier for a shared network entity and the initial security context identifier from the shared network entity via the RAN, retrieving the initial security context from the shared network entity, and using the initial security context retrieved from the shared network entity to establish the new security context between the target AMF and the UE.
Using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE may comprise executing a security mode command with the UE, using the initial security context to establish the new security context between the target AMF and the UE.
Another embodiment is directed to an AMF for wireless communications between a UE and a RAN, wherein the AMF is comprised in a core network node and comprises one or more processing circuits configured to implement the methods performed by the initial AMF according to any of the embodiments described herein.
Another embodiment is directed to an AMF for wireless communications between a UE and a RAN, wherein the AMF is comprised in a core network node and comprises one or more processing circuits configured to implement the methods performed by the target AMF according to any of the embodiments described herein.
Another embodiment is directed to a computer program product for controlling an initial AMF for wireless communications between a UE and a RAN, wherein the computer program product comprises software instructions which, when run on at least one processing circuit in the initial AMF, cause the initial AMF to execute the method according to any one of the embodiments described herein.
Another embodiment is directed to a computer program product for controlling a target AMF for wireless communications between a UE and a RAN, wherein the computer program product comprises software instructions which, when run on at least one processing circuit in the target AMF, cause the target AMF to execute the method according to any one of the embodiments described herein.
A further embodiment is directed to a computer-readable medium comprising any of the computer program products described herein, and wherein the computer-readable medium may comprise a non-transitory computer-readable medium.
The solution presented herein may, of course, be carried out in other ways than those specifically set forth herein without departing from essential characteristics of the solution. The present embodiments are to be considered in all respects as illustrative and not restrictive, and all changes coming within the meaning and equivalency range of the appended embodiments are intended to be embraced therein.

Claims

1. A method of reallocation of an Access and Mobility Management Function, AMF, for wireless communications between a User Equipment, UE, and a Radio Access Node, RAN, the method implemented by an initial AMF and comprising:
establishing (410) an initial security context between the initial AMF and the UE;
selecting (420) a target AMF different from the initial AMF to provide one or more services requested by the UE; and
transferring (430) the initial security context from the initial AMF to the target AMF via the RAN to establish a new security context between the target AMF and the UE.
2. The method of claim 1 wherein the initial and new security contexts comprise initial and new Non-Access Stratum, NAS, security contexts.
3. The method of any one of claim 1-2 wherein the selecting the target AMF comprises selecting the target AMF capable of providing the one or more services requested by the UE.
4. The method of any one of claim 1-3 wherein:
an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context;
the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to enable the target AMF to fetch the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
5. The method of any one of claim 1-3 further comprising storing the initial security context in a shared network entity, wherein:
an initial security context identifier identifies the initial security context; and
the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN to enable the target AMF to fetch the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
6. The method of any one of claim 1-3 wherein:
an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context;
the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to initiate execution of a validation process between the initial AMF and the target AMF to transfer the initial security context to the target AMF as the new security context.
7. The method of claim 6 wherein the executing of the validation process comprises:
receiving a plain authentication request from the target AMF;
protecting a plain authentication request using the initial security context;
sending the protected authentication request to the UE via the target AMF;
receiving a protected authentication response from the UE via the target AMF;
verifying a protection of the received protected authentication response using the initial security context to generate a plain authentication response; and
forwarding the plain authentication response to the target AMF to initiate a security mode command at the target AMF to establish the new security context between the target AMF and the UE.
8. The method of any one of claim 6-7 wherein at least part of the validation process between the initial AMF and the target AMF occurs using communications between the initial AMF and the target AMF via the RAN.
9. The method of any one of claim 6-7 wherein at least part of the validation process between the initial AMF and the target AMF occurs using direct communications between the initial AMF and the target AMF.
10. The method of any one of claim 6-7 wherein at least part of the validation process between the initial AMF and the target AMF occurs using communications between the initial AMF and the target AMF via a shared network entity.
11. The method of any one of claim 1-3 wherein:
an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context;
the establishing the initial security context between the AMF and the UE comprises the initial AMF implementing a horizontal key derivation to derive the initial security context;
the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending the initial AMF identifier and the initial security context identifier to the target AMF via the RAN to enable the target AMF to retrieve the initial security context from the initial AMF to establish the new security context between the target AMF and the UE using the initial security context.
12. The method of any one of claim 1-3 wherein:
an initial AMF identifier identifies the initial AMF and an initial security context identifier identifies the initial security context;
the establishing the initial security context between the AMF and the UE comprises the initial AMF implementing a horizontal key derivation to derive the initial security context and storing the initial security context in a shared network entity;
the transferring the initial security context from the initial AMF to the target AMF via the RAN comprises the initial AMF sending an identifier for the shared network entity and the initial security context identifier to the target AMF via the RAN to enable the target AMF to retrieve the initial security context from the shared network entity to establish the new security context between the target AMF and the UE using the initial security context.
13. A method of reallocation of an Access and Mobility Management Function, AMF, for wireless communications between a User Equipment, UE, and a Radio Access Node, RAN, the method implemented by a target AMF and comprising:
receiving (510) an initial security context identifier from an initial AMF via the RAN, the initial security context identifier identifying an initial security context established between the initial AMF and the UE; and
establishing (520) a new security context between the target AMF and the UE responsive to the received initial AMF identifier and the received initial security context identifier.
14. The method of claim 13 wherein the initial and new security contexts comprise initial and new Non-Access Stratum, NAS, security contexts.
15. The method of any one of claims 13-14 wherein the target AMF is capable of providing one or more services requested by the UE that are not provided by the initial AMF.
16. The method of any one of claims 13-15 wherein the establishing the new security context between the target AMF and the UE comprises:
the target AMF receiving an identifier for the initial AMF from the initial AMF via the RAN; and
the target AMF fetching the initial security context from the initial AMF to take ownership of the initial security context as the new security context.
17. The method of any one of claims 13-15 wherein the establishing the new security context between the target AMF and the UE comprises:
the target AMF receiving the initial security context identifier and an identifier for a shared network entity from the shared network entity; and
the target AMF fetching the initial security context from the shared network entity to take ownership of the initial security context as the new security context.
18. The method of any one of claims 13-15 wherein the establishing the new security context between the target AMF and the UE comprises executing a validation process between the initial AMF and the target AMF to transfer the initial security context to the target AMF as the new security context.
19. The method of claim 18 wherein the executing the validation process comprises:
sending a plain authentication request to the initial AMF;
receiving a protected authentication request from the initial AMF;
sending the protected authentication request to the UE;
receiving a protected authentication response from the UE;
forwarding the protected authentication response to the initial AMF;
receiving a plain authentication response from the initial AMF; and
initiating a security mode command in response to the received plain authentication response to establish the new security context between the target AMF and the UE.
20. The method of any one of claims 18-19 wherein at least part of the validation process between the initial AMF and the target AMF occurs using communications between the initial AMF and the target AMF via the RAN.
21. The method of any one of claims 18-19 wherein at least part of the validation process between the initial AMF and the target AMF occurs using direct communications between the initial AMF and the target AMF.
22. The method of any one of claims 18-19 wherein at least part of the validation process between the initial AMF and the target AMF occurs using communications between the initial AMF and the target AMF via a shared network entity.
23. The method of any one of claims 13-15 wherein:
the initial security context between the AMF and the UE is the result of a horizontal key derivation implemented by the initial AMF;
the establishing the new security context between the target AMF and the UE comprises:
retrieving the initial security context from the initial AMF; and
using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE.
24. The method of any one of claims 13-15 wherein:
the initial security context between the AMF and the UE is the result of a horizontal key derivation implemented by the initial AMF;
the establishing the new security context between the target AMF and the UE comprises:
receiving an identifier for a shared network entity and the initial security context identifier from the shared network entity via the RAN;
retrieving the initial security context from the shared network entity; and
using the initial security context retrieved from the shared network entity to establish the new security context between the target AMF and the UE.
25. The method of any one of claims 23-24 wherein using the initial security context retrieved from the initial AMF to establish the new security context between the target AMF and the UE comprises executing a security mode command with the UE using the initial security context to establish the new security context between the target AMF and the UE.
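The flow that claims 11, 16, 23 and 25 describe (horizontal key derivation at the initial AMF, identifier-only reroute through the RAN, context fetch by the target AMF, then a security mode command with the UE) modelled in Python as an added illustration; this is neither the patent's nor 3GPP's code, and the KDF, labels, context identifier "ngKSI-3", AMF identifier "AMF-1" and the AMF registry lookup are simplified assumptions.

```python
import hashlib
import hmac

def kdf(key: bytes, label: str, *parts: str) -> bytes:
    # Simplified stand-in for the 3GPP KDF (assumption): HMAC-SHA256 over label and inputs.
    return hmac.new(key, (label + "".join(parts)).encode(), hashlib.sha256).digest()

class InitialAMF:
    def __init__(self, amf_id: str):
        self.amf_id, self.contexts = amf_id, {}

    def establish_initial_context(self, k_amf: bytes, ctx_id: str) -> None:
        # Horizontal key derivation (claims 11/12/23/24): K_AMF' is derived from K_AMF.
        self.contexts[ctx_id] = kdf(k_amf, "horizontal", ctx_id)

    def reroute_via_ran(self, ctx_id: str) -> dict:
        # Only identifiers cross the RAN (claim 11); key material stays in the core network.
        return {"initial_amf_id": self.amf_id, "ctx_id": ctx_id}

    def fetch_context(self, ctx_id: str) -> bytes:
        # The target AMF takes ownership (claim 16); the initial AMF drops its own copy.
        return self.contexts.pop(ctx_id)

def target_amf_handle_reroute(registry: dict, msg: dict) -> dict:
    # registry: constructed AMF-id -> InitialAMF lookup (assumption, stands in for core signalling).
    k_amf_new = registry[msg["initial_amf_id"]].fetch_context(msg["ctx_id"])
    k_nas_int = kdf(k_amf_new, "NAS-int")
    # Security mode command (claim 25), integrity-protected with the transferred context.
    smc = {"ctx_id": msg["ctx_id"], "k_amf_change": True}
    smc["mac"] = kdf(k_nas_int, "MAC", smc["ctx_id"], str(smc["k_amf_change"]))
    return smc

def ue_handle_smc(k_amf: bytes, smc: dict) -> bool:
    # On a K_AMF change the UE repeats the horizontal derivation for the same context id.
    k = kdf(k_amf, "horizontal", smc["ctx_id"]) if smc["k_amf_change"] else k_amf
    expected = kdf(kdf(k, "NAS-int"), "MAC", smc["ctx_id"], str(smc["k_amf_change"]))
    return hmac.compare_digest(expected, smc["mac"])

def run_reallocation(tamper_ran: bool = False) -> tuple:
    k_amf = hashlib.sha256(b"constructed shared K_AMF").digest()  # constructed sample key
    initial = InitialAMF("AMF-1")
    initial.establish_initial_context(k_amf, "ngKSI-3")
    reroute = initial.reroute_via_ran("ngKSI-3")  # the RAN forwards this unchanged
    smc = target_amf_handle_reroute({"AMF-1": initial}, reroute)
    if tamper_ran:  # a modified SMC on the air interface must fail the UE's integrity check
        smc["mac"] = bytes(32)
    return ue_handle_smc(k_amf, smc), reroute, initial.contexts
```

The returned tuple reports whether the UE accepted the security mode command, what actually crossed the RAN (identifiers only), and that the initial AMF no longer holds the context once ownership has moved.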
26. An initial Access and Mobility Management Function, AMF, (100) for wireless communications between a User Equipment, UE, and a Radio Access Node, RAN, the initial AMF comprised in a core network node and comprising one or more processing circuits (110) configured to:
establish an initial security context between the initial AMF and the UE;
select a target AMF different from the initial AMF to provide one or more services requested by the UE; and
transfer the initial security context from the initial AMF to the target AMF via the RAN to establish a new security context between the target AMF and the UE.
27. The initial Access and Mobility Management Function, AMF, (100) according to claim 26, wherein the one or more processing circuits (110) are further configured to implement the method of any one of claims 2 - 12.
28. A target Access and Mobility Management Function, AMF, (200) for wireless communications between a User Equipment, UE, and a Radio Access Node, RAN, the target AMF comprised in a core network node and comprising one or more processing circuits (210) configured to:
receive an initial security context identifier from an initial AMF via the RAN, the initial security context identifier identifying an initial security context established between the initial AMF and the UE; and
establish a new security context between the target AMF and the UE responsive to the received initial AMF identifier and the received initial security context identifier.
29. The target Access and Mobility Management Function, AMF, (200), according to claim 28, wherein the one or more processing circuits are further configured to implement the method of any one of claims 14 - 25.
PCT/EP2020/066308 2019-06-17 2020-06-12 Amf reallocation handling using security context WO2020254205A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201962862343P 2019-06-17 2019-06-17
US62/862343 2019-06-17

Publications (1)

Publication Number Publication Date
WO2020254205A1 true WO2020254205A1 (en) 2020-12-24

Family

ID=71094355

Country Status (1)

Country Link
WO (1) WO2020254205A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018236819A1 (en) * 2017-06-19 2018-12-27 Idac Holdings, Inc. Methods and systems for privacy protection of 5g slice identifier

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "Handling of mobility scenarios involving an AMF key change for the initial NAS protection mechanism", vol. SA WG3, no. Spokane (US); 20181112 - 20181116, 12 November 2018 (2018-11-12), XP051564823, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings%5F3GPP%5FSYNC/SA3/Docs/S3%2D183590%2Ezip> [retrieved on 20181112] *
HUAWEI ET AL: "eNS IDLE mobility", vol. SA WG2, no. Santa Cruz - Tenerife, Spain; 20190225 - 20190301, 1 March 2019 (2019-03-01), XP051611142, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg%5Fsa/WG2%5FArch/TSGS2%5F131%5FTenerife/Docs/S2%2D1902753%2Ezip> [retrieved on 20190301] *
HUAWEI ET AL: "Registration failure in registration procedure with AMF reallocation caused by slicing", vol. SA WG3, no. Reno (US); 20190506 - 20190510, 29 April 2019 (2019-04-29), XP051721574, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg%5Fsa/WG3%5FSecurity/TSGS3%5F95%5FReno/Docs/S3%2D191411%2Ezip> [retrieved on 20190429] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20732862; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20732862; Country of ref document: EP; Kind code of ref document: A1