WO2022241144A1 - Security handling of 5gs to epc reselection - Google Patents

Security handling of 5gs to epc reselection Download PDF

Info

Publication number
WO2022241144A1
WO2022241144A1 PCT/US2022/029035 US2022029035W WO2022241144A1 WO 2022241144 A1 WO2022241144 A1 WO 2022241144A1 US 2022029035 W US2022029035 W US 2022029035W WO 2022241144 A1 WO2022241144 A1 WO 2022241144A1
Authority
WO
WIPO (PCT)
Prior art keywords
security context
tau request
mapped
network entity
context
Prior art date
Application number
PCT/US2022/029035
Other languages
English (en)
French (fr)
Inventor
Dominique Francois BRESSANELLI
Osama Lotfallah
Cogol TINA
Abhishek Bhatnagar
Vitaly Drapkin
Lenaig Genevieve CHAPONNIERE
Original Assignee
Qualcomm Incorporated
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US17/662,978 external-priority patent/US20220369176A1/en
Application filed by Qualcomm Incorporated filed Critical Qualcomm Incorporated
Priority to KR1020237038281A priority Critical patent/KR20240007908A/ko
Priority to EP22733260.8A priority patent/EP4338451A1/en
Priority to JP2023565953A priority patent/JP2024519200A/ja
Priority to CN202280033306.XA priority patent/CN117322025A/zh
Publication of WO2022241144A1 publication Critical patent/WO2022241144A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W60/00Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W24/00Supervisory, monitoring or testing arrangements
    • H04W24/08Testing, supervising or monitoring using real traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/18Selecting a network or a communication service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W60/00Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W60/04Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration using triggered events
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/02Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks

Definitions

  • the present disclosure relates generally to communication systems, and more particularly, to security features and security mechanisms employed in communication systems.
  • Wireless communication systems are widely deployed to provide various telecommunication services such as telephony, video, data, messaging, and broadcasts.
  • Typical wireless communication systems may employ multiple-access technologies capable of supporting communication with multiple users by sharing available system resources. Examples of such multiple-access technologies include code division multiple access (CDMA) systems, time division multiple access (TDMA) systems, frequency division multiple access (FDMA) systems, orthogonal frequency division multiple access (OFDMA) systems, single-carrier frequency division multiple access (SC-FDMA) systems, and time division synchronous code division multiple access (TD-SCDMA) systems.
  • CDMA code division multiple access
  • TDMA time division multiple access
  • FDMA frequency division multiple access
  • OFDMA orthogonal frequency division multiple access
  • SC-FDMA single-carrier frequency division multiple access
  • TD-SCDMA time division synchronous code division multiple access
  • 5G New Radio is part of a continuous mobile broadband evolution promulgated by Third Generation Partnership Project (3GPP) to meet new requirements associated with latency, reliability, security, scalability (e.g., with Internet of Things (IoT)), and other requirements.
  • 3GPP Third Generation Partnership Project
  • 5G NR 2 includes services associated with enhanced mobile broadband (eMBB), massive machine type communications (mMTC), and ultra-reliable low latency communications (URLLC).
  • eMBB enhanced mobile broadband
  • mMTC massive machine type communications
  • URLLC ultra-reliable low latency communications
  • Some aspects of 5G NR may be based on the 4G Long Term Evolution (LTE) standard.
  • LTE Long Term Evolution
  • An apparatus may include a user equipment (UE).
  • the example apparatus may transmit, to a first network entity, a first tracking area update (TAU) request, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity.
  • TAU tracking area update
  • RAT radio access technology
  • the example apparatus may also transmit, to the first network entity, a second TAU request, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count.
  • the example apparatus may also derive a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count. Additionally, the example apparatus may communicate with the first network entity based on the mapped security context.
  • An apparatus may include a UE.
  • the example apparatus may transmit, to a first network entity, a first TAU request when performing a change from a first cell associated with a first RAT to connect to 3 a second cell associated with a second RAT different than the first RAT, the first network entity associated with the second RAT, the first TAU request encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context.
  • the example apparatus may also derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context.
  • the example apparatus may transmit to the first network entity, a repetition of the first TAU request, the repetition of the first TAU request being integrity protected using a second uplink count that is different than the first uplink count.
  • the example apparatus may also derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context.
  • the example apparatus may also receive, from the first network entity, a downlink transmission. Additionally, the example apparatus may perform an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key.
  • the example apparatus may also set a master security key of the UE when the integrity check on the downlink transmission is successful using a derived integrity key, the master security key being setbasedon the first mapped security context or the second mapped security context used to derive the derived integrity key.
  • An apparatus may include a first network entity, such as a Mobility Management Entity (MME).
  • MME Mobility Management Entity
  • the example apparatus may receive a first TAU request generated by a UE, the first TAU request encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity.
  • the example apparatus may also output, based on the first TAU request, a first context request for a second network entity, the second network entity associated with the first RAT.
  • the example apparatus may receive, based on the first context request, a first mapped security context, the first mapped security context derived from the first security context and the first uplink count.
  • the example apparatus may also receive a second TAU request, the second TAU request encoded using the first security context, the second TAU request being integrity protected using a second uplink count that is different than the first uplink count, and the second TAU request 4 including the first set of information.
  • the example apparatus may also output, based on the second TAU request, a second context request for the second network entity.
  • the example apparatus may also receive, based on the second context request, a second mapped security context, the second mapped security context derived from the first security context and the second uplink count. Additionally, the example apparatus may transmit a downlink message based on the second mapped security context
  • An apparatus may include a second network entity, such as an Access and Mobility Management Function (AMF).
  • the example apparatus may receive a first context request, the first context request including at least a first TAU request generated by a UE, the first TAU request being integrity protected using a first uplink count, the first TAU request encoded using a first security context associated with a first RAT, the first RAT different than a second RAT associated with a first network entity.
  • the example apparatus may also derive a first mapped security context when a first integrity check on the first TAU request is successful.
  • the example output the first mapped security context for the first network entity.
  • the example apparatus may receive a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count.
  • the example apparatus may also derive a second mapped security context when a second integrity check on the second TAU request is successful. Additionally, the example apparatus may output the second mapped security context for the first network entity.
  • a method, a computer-readable medium, and an apparatus are provided for wireless communication at a first network entity, such as an MME.
  • An example apparatus may receive, from a UE, a first TAU request, the first TAU request encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity.
  • the example apparatus may also transmit, to a second network entity based on the first TAU request, a first context request, the second network entity associated with the first RAT.
  • the example apparatus may receive, from the second 5 network entity based on the first context request, a first mapped security context, the first mapped security context derived from the first security context and the first uplink count. Further, the example apparatus may receive, from the UE, a second TAU request, the second TAU request encoded using the first security context, the second TAU request being integrity protected using a second uplink count different than the first uplink count, and the second TAU request including the first set of information. The example apparatus may also transmit, to the second network entity based on the second TAU request, a second context request.
  • the example apparatus may also receive, from the second network entity based on the second context request, a second mapped security context, the second mapped security context derived from the first security context and the second uplink count. Additionally, the example apparatus may transmit, to the UE, a downlink message based on the second mapped security context.
  • a method, a computer-readable medium, and an apparatus are provided for wireless communication at a second network entity, such as an AMF.
  • An example apparatus may receive, from a first network entity, a first context request, the first context request including at least a first TAU request generated by aUE, the first TAU request being integrity protected using a first uplink count, the first TAU request encoded using a first security context associated with a first RAT, the first RAT different than a second RAT associated with the first network entity.
  • the example apparatus may also derive a first mapped security context when an integrity check on the first TAU request is successful Additionally, the example apparatus may transmit, to the first network entity, the first mapped security context.
  • the example apparatus may also receive, from the first network entity, a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count. Additionally, the example apparatus may derive a second mapped security context when an integrity check on the second TAU request is successful. The example apparatus may also transmit, to the first network entity, the second mapped security context.
  • a method, a computer-readable medium, and an apparatus are provided for wireless communication at a UE.
  • An example apparatus may transmit, to a first network entity, a first TAU request, the first TAU request encoded using a first security context associated with a first RAT, the first TAU 6 request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity.
  • the example apparatus may also derive a first mapped security context based on the first security context and the first uplink count.
  • the example apparatus may transmit, to the first network entity, a second TAU request, the second TAU request encoded using the first security context, the second TAU request being integrity protected using a second uplink count different than the first uplink count, and the second TAU request including the first set of information.
  • the example apparatus may also derive a second mapped security context based on the first security context and the second uplink count. Additionally, the example apparatus may communicate with the first network entity based on the second mapped security context.
  • An example apparatus may transmit, to a first network entity, a first TAU request when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a second RAT different than the first RAT, the first network entity associated with the second RAT, the first TAU request encoded using a first security context associated with the first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity
  • the example apparatus may also transmit, to the first network entity, a repetition of the first TAU request, the repetition of the first TAU request including the first set of information, the repetition of the first TAU request being integrity protected using the first uplink count. Additionally, the example apparatus may derive a mapped security context based on the first security context
  • a method, a computer-readable medium, and an apparatus are provided for wireless communication at a UE.
  • An example apparatus may transmit, to a first network entity, a first TAU request when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a second RAT different than the first RAT, the first network entity associated with the second RAT, the first TAU request encoded using a first security context associated 7 with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context.
  • the example apparatus may also derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context.
  • the example apparatus may transmit, to the first network entity, a repetition of the first TAU request, the repetition of the first TAU request being integrity protected using a second uplink count different than the first uplink count.
  • the example apparatus may also derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context.
  • the example apparatus may receive, from the first network entity, a downlink transmission.
  • the example apparatus may also perform an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key.
  • the example apparatus may set a master security key of the UE when the performing of the integrity check on the downlink transmission is successful using a derived integrity key, the master security key being set based on the respective integrity key.
  • the one or more aspects comprise the features hereinafter fully described and particularly pointed out in the claims.
  • the following description and the drawings set forth in detail certain illustrative features of the one or more aspects. These features are indicative, however, of but a few of the various ways in which the principles of various aspects may be employed.
  • FIG. 1 is a diagram illustrating an example of a wireless communications system and an access network.
  • FIG. 2A is a diagram illustrating an example of a first frame, in accordance with various aspects of the present disclosure.
  • FIG. 2B is a diagram illustrating an example of DL channels within a subframe, in accordance with various aspects of the present disclosure.
  • FIG. 2C is a diagram illustrating an example of a second frame, in accordance with various aspects of the present disclosure.
  • FIG. 2D is a diagram illustrating an example of UL channels within a subframe, in accordance with various aspects of the present disclosure. 8
  • FIG. 3 is a diagram illustrating an example of a base station and user equipment (UE) in an access network.
  • FIG. 4 is a diagram illustrating an example of a wireless communications system and an access network including a first network node, a second network node, a UE, an Evolved Packet Core (EPC), and a core network (e.g., a 5G Core (5GC)), in accordance with the teachings disclosed herein.
  • EPC Evolved Packet Core
  • 5GC 5G Core
  • FIG. 5 depicts examples of different security contexts, in accordance with the teachings disclosed herein.
  • FIG. 6 is an example communication flow depicting idle mode mobility from a first RAT to a second RAT, in accordance with the teachings disclosed herein.
  • FIG. 7 is a flowchart of a method of wireless communication at a UE, in accordance with the teachings disclosed herein.
  • FIG. 8 is a flowchart of a method of wireless communication at a UE, in accordance with the teachings disclosed herein.
  • FIG. 9 is a flowchart of a method of wireless communication at a UE, in accordance with the teachings disclosed herein.
  • FIG. 10 is a flowchart of a method of wireless communication at a UE, in accordance with the teachings disclosed herein.
  • FIG. 11 is a diagram illustrating an example of a hardware implementation for an example apparatus, in accordance with the teachings disclosed herein.
  • FIG. 12 is a flowchart of a method of wireless communication at a network entity, in accordance with the teachings disclosed herein.
  • FIG. 13 is a flowchart of a method of wireless communication at a network entity, in accordance with the teachings disclosed herein.
  • FIG. 14 is a flowchart of a method of wireless communication at a network entity, in accordance with the teachings disclosed herein.
  • FIG. 15 is a flowchart of a method of wireless communication at a network entity, in accordance with the teachings disclosed herein.
  • FIG. 16 is a diagram illustrating an example of a hardware implementation for an example network entity.
  • FIG. 17 is a diagram illustrating an example of a hardware implementation for an example network entity.
  • any number of wireless networks may be deployed in a given geographic area. Each wireless network may support a particular radio access technology (RAT) and may operate on one or more frequencies.
  • a UE may be connected to a first cell associated with a first RAT, such as 5G.
  • the first cell may be unable to provide support to the UE.
  • coverage of 5G may be non-ubiquitous in some deployment scenarios.
  • the first RAT may be unable to provide a service, such as voice over in which a voice over service is initiated over the first RAT.
  • the UE and the first RAT may support reselection from the first RAT to a second RAT that may provide support to the UE with respect to the service.
  • the UE and the first cell may support a fallback procedure in which the UE falls back to a second cell associated with the second RAT.
  • the UE may perform a reselection procedure. For example, the UE may perform a 5G to Evolved Packet Core (EPC) reselection procedure.
  • EPC Evolved Packet Core
  • the UE may initiate a TAU procedure to register itself within a tracking area of the second cell and the associated second RAT.
  • each RAT may be associated with a respective security context.
  • network entities of the respective RATs may facilitate mapping a first security context associated with one RAT to a second security context associated with another RAT.
  • a network entity associated with 5G may facilitate mapping a 5G security context to an EPC security context
  • mapping the 5G security context to the EPC security context may include using the 5G security context to derive the EPC security context.
  • the EPC security context may enable the UE to communicate with the second cell associated with the EPC network after switching from the first cell to the second cell. 10
  • a radio link failure may occur after the UE establishes a connection with the second cell and transmits a TAU request message.
  • the UE may retransmit the TAU request message.
  • the mapping of the first security context to the second security context may result in an inconsistency, which may cause communication failure.
  • Examples disclosed herein provide techniques for removing inconsistencies in the handling of repetitions of TAU request messages as described above.
  • disclosed techniques may remove inconsistencies by modifying how the network handles a repetition of a TAU request message.
  • disclosed techniques may remove inconsistencies by modifying how the UE integrity protects the TAU request messages.
  • disclosed techniques may remove inconsistences by modifying how the UE performs integrity verification of messages.
  • the aspects presented herein may enable devices of a wireless communication system to facilitate security handling of 5GS to EPC reselection in cases of RLF and retransmission of Evolved Packet System (EPS) TAU requests facilitating improved mobility support.
  • EPS Evolved Packet System
  • processors include microprocessors, microcontrollers, 11 graphics processing units (GPUs), central processing units (CPUs), application processors, digital signal processors (DSPs), reduced instruction set computing (RISC) processors, systems on a chip (SoC), baseband processors, field programmable gate arrays (FPGAs), programmable logic devices (PLDs), state machines, gated logic, discrete hardware circuits, and other suitable hardware configured to perform the various functionality described throughout this disclosure.
  • processors in the processing system may execute software.
  • Software whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise, shall be construed broadly to mean instructions, instruction sets, code, code segments, program code, programs, subprograms, software components, applications, software applications, software packages, routines, subroutines, objects, executables, threads of execution, procedures, functions, or any combination thereof.
  • the functions described may be implemented in hardware, software, or any combination thereof. If implemented in software, the functions may be stored on or encoded as one or more instructions or code on a computer-readable medium.
  • Computer-readable media includes computer storage media. Storage media may be any available media that can be accessed by a computer.
  • such computer-readable media can comprise a random-access memory (RAM), a read-only memory (ROM), an electrically erasable programmable ROM (EEPROM), optical disk storage, magnetic disk storage, other magnetic storage devices, combinations of the types of computer-readable media, or any other medium that can be used to store computer executable code in the form of instructions or data structures that can be accessed by a computer.
  • RAM random-access memory
  • ROM read-only memory
  • EEPROM electrically erasable programmable ROM
  • optical disk storage magnetic disk storage
  • magnetic disk storage other magnetic storage devices
  • combinations of the types of computer-readable media or any other medium that can be used to store computer executable code in the form of instructions or data structures that can be accessed by a computer.
  • aspects, implementations, and/or use cases are described in this application by illustration to some examples, additional or different aspects, implementations and or use cases may come about in many different arrangements and scenarios. Aspects, implementations, and/or use cases described herein may be implemented across many differing platform types, devices, systems, shapes, sizes, and packaging arrangements. For example, aspects, implementations, and/or use cases may come about via integrated chip implementations and other non-module-component based devices (e.g., end-user devices, vehicles, communication devices, computing devices, industrial equipment, retail/purchasing devices, medical devices, artificial 12 intelligence (Al)-enabled devices, etc.).
  • non-module-component based devices e.g., end-user devices, vehicles, communication devices, computing devices, industrial equipment, retail/purchasing devices, medical devices, artificial 12 intelligence (Al)-enabled devices, etc.
  • aspects, implementations, and/or use cases may range a spectrum from chip-level or modular components to non-modular, non-chip- level implementations and further to aggregate, distributed, or original equipment manufacturer (OEM) devices or systems incorporating one or more techniques herein.
  • OEM original equipment manufacturer
  • devices incorporating described aspects and features may also include additional components and features for implementation and practice of claimed and described aspect.
  • transmission and reception of wireless signals necessarily includes a number of components for analog and digital purposes (e.g., hardware components including antenna, RF-chains, power amplifiers, modulators, buffer, processor(s), interleaver, adders/summers, etc.).
  • Techniques described herein may be practiced in a wide variety of devices, chip-level components, systems, distributed arrangements, aggregated or disaggregated components, end-user devices, etc. of varying sizes, shapes, and constitution.
  • a network node may be implemented in an aggregated or disaggregated architecture.
  • a network entity such as a radio access network (RAN) node, a core network node, a network element, or a network equipment, such as a base station (BS), or one or more units (or one or more components) performing base station functionality
  • RAN radio access network
  • BS base station
  • one or more units or one or more components
  • aBS such as a Node B (NB), evolved NB (eNB),NRBS, 5GNB, access point (AP), a transmit receive point (TRP), or a cell, etc.
  • NB Node B
  • eNB evolved NB
  • 5GNB 5GNB
  • AP access point
  • TRP transmit receive point
  • a cell etc.
  • a BS may be implemented as an aggregated base station (also known as a standalone BS or a monolithic BS) or a disaggregated base station.
  • An aggregated base station may be configured to utilize a radio protocol stack that is physically or logically integrated within a single RAN node.
  • a disaggregated base station may be configured to utilize a protocol stack that is physically or logically distributed among two or more units (such as one or more central or centralized units (CUs), one or more distributed units (DUs), or one or more radio units (RUs)).
  • CUs central or centralized units
  • DUs distributed units
  • RUs radio units
  • a CU may be implemented within a RAN node, and one or more DUs may be co-located with the CU, or alternatively, may be geographically or virtually distributed throughout one or multiple other RAN nodes.
  • the DUs may be implemented to communicate with one or more RUs.
  • Each of the CU, DU and RU 13 can be implemented as virtual units, i.e., a virtual central unit (VCU), a virtual distributed unit (VDU), or a virtual radio unit (VRU).
  • Base station operation or network design may consider aggregation characteristics of base station functionality.
  • disaggregated base stations may be utilized in an integrated access backhaul (IAB) network, an open radio access network (O- RAN (such as the network configuration sponsored by the O-RAN Alliance)), or a virtualized radio access network (vRAN, also known as a cloud radio access network (C-RAN)).
  • IAB integrated access backhaul
  • O- RAN open radio access network
  • vRAN also known as a cloud radio access network
  • Disaggregation may include distributing functionality across two or more units at various physical locations, as well as distributing functionality for at least one unit virtually, which can enable flexibility in network design.
  • the various units of the disaggregated base station, or disaggregated RAN architecture can be configured for wired or wireless communication with at least one other unit.
  • FIG. 1 is a diagram 100 illustrating an example of a wireless communications system and an access network.
  • the illustrated wireless communications system includes a disaggregated base station architecture.
  • the disaggregated base station architecture may include one or more CUs (e.g., a CU 110) that can communicate directly with a core network 120 via a backhaul link, or indirectly with the core network 120 through one or more disaggregated base station units (such as a Near-Real Time (Near-RT) RAN Intelligent Controller (RIC) (e.g., aNear-RTRIC 125) via anE2 link, or aNon- Real Time (Non-RT) RIC 115 associated with a Service Management and Orchestration (SMO) Framework (e.g., an SMO Framework 105), or both).
  • a Near-Real Time (Near-RT) RAN Intelligent Controller (RIC) e.g., aNear-RTRIC 125
  • a CU 110 may communicate with one or more DUs (e.g., a DU 130) via respective midhaul links, such as an FI interface.
  • the DU 130 may communicate with one or more RUs (e.g., an RU 140) via respective fronthaul links.
  • the RU 140 may communicate with respective UEs (e.g., a UE 104) via one or more radio frequency (RF) access links.
  • RF radio frequency
  • the UE 104 may be simultaneously served by multiple RUs.
  • Each of the units i.e., the CUs (e.g., a CU 110), the DUs (e.g., a DU 130), the RUs (e.g., anRU 140), as well as the Near-RT RICs (e.g., the Near-RT RIC 125), the Non- RT RICs (e.g., the Non-RT RIC 115), and the SMO Framework 105, may include one or more interfaces or be coupled to one or more interfaces configured to receive or to transmit signals, data, or information (collectively, signals) via a wired or wireless transmission medium.
  • Each of the units, or an associated processor or controller providing instructions to the communication interfaces of the units can be configured to communicate with one or more of the other units via the transmission medium.
  • the units can include a wired interface configured to receive or to transmit signals over a wired transmission medium to one or more of the other units.
  • the units can include a wireless interface, which may include a receiver, a transmitter, or a transceiver (such as an RF transceiver), configured to receive or to transmit signals, or both, over a wireless transmission medium to one or more of the other units.
  • the CU 110 may host one or more higher layer control functions.
  • control functions can include radio resource control (RRC), packet data convergence protocol (PDCP), service data adaptation protocol (SDAP), or the like.
  • RRC radio resource control
  • PDCP packet data convergence protocol
  • SDAP service data adaptation protocol
  • Each control function can be implemented with an interface configured to communicate signals with other control functions hosted by the CU 110.
  • the CU 110 may be configured to handle user plane functionality (i.e., Central Unit - User Plane (CU-UP)), control plane functionality (i.e., Central Unit - Control Plane (CU-CP)), or a combination thereof.
  • the CU 110 can be logically split into one or more CU-UP units and one or more CU-CP units.
  • the CU-UP unit can communicate bidirectionally with the CU-CP unit via an interface, such as an El interface when implemented in an O-RAN configuration.
  • the CU 110 can be implemented to communicate with the DU 130, as necessary, for network control and signaling.
  • the DU 130 may correspond to a logical unit that includes one or more base station functions to control the operation of one or more RUs.
  • the DU 130 may host one or more of a radio link control (RLC) layer, a medium access control (MAC) layer, and one or more high physical (PHY) layers (such as modules for forward error correction (FEC) encoding and decoding, scrambling, modulation, demodulation, or the like) depending, at least in part, on a functional split, such as those defined by 3GPP.
  • the DU 130 may further host one or more low PHY layers. Each layer (or module) can be implemented with an interface configured to communicate signals with other layers (and modules) hosted by the DU 130, or with the control functions hosted by the CU 110.
  • Lower-layer functionality can be implemented by one or more RUs.
  • an RU 140 controlled by a DU 130, may correspond to a logical node that hosts RF processing functions, or low-PHY layer functions (such as performing fast Fourier transform (FFT), inverse FFT (iFFT), digital beamforming, physical random access channel (PRACH) extraction and filtering, or the like), or both, based 15 at least in part on the functional split, such as a lower layer functional split.
  • the RU 140 can be implemented to handle over the air (OTA) communication with one or more UEs (e.g., the UE 104).
  • OTA over the air
  • real-time and non-real-time aspects of control and user plane communication with the RU 140 can be controlled by a corresponding DU.
  • this configuration can enable the DU(s) and the CU 110 to be implemented in a cloud- based RAN architecture, such as a vRAN architecture.
  • the SMO Framework 105 may be configured to support RAN deployment and provisioning of non-virtualized and virtualized network elements.
  • the SMO Framework 105 may be configured to support the deployment of dedicated physical resources for RAN coverage requirements that may be managed via an operations and maintenance interface (such as an 01 interface).
  • the SMO Framework 105 may be configured to interact with a cloud computing platform (such as an open cloud (O-Cloud) 190) to perform network element life cycle management (such as to instantiate virtualized network elements) via a cloud computing platform interface (such as an 02 interface).
  • a cloud computing platform such as an open cloud (O-Cloud) 190
  • network element life cycle management such as to instantiate virtualized network elements
  • Such virtualized network elements can include, but are not limited to, CUs,DUs, RUs and Near-RT RICs.
  • the SMO Framework 105 can communicate with a hardware aspect of a 4G RAN, such as an open eNB (O-eNB) 111, via an 01 interface. Additionally, in some implementations, the SMO Framework 105 can communicate directly with one or more RUs via an 01 interface.
  • the SMO Framework 105 also may include aNon-RT RIC 115 configured to support functionality of the SMO Framework 105.
  • the Non-RT RIC 115 may be configured to include a logical function that enables non-real-time control and optimization of RAN elements and resources, artificial intelligence (AI) / machine learning (ML) (AI/ML) workflows including model training and updates, or policy-based guidance of applications/features in the Near- RT RIC 125.
  • the Non-RT RIC 115 may be coupled to or communicate with (such as via an Al interface) the Near-RT RIC 125.
  • the Near-RT RIC 125 may be configured to include a logical function that enables near-real-time control and optimization of RAN elements and resources via data collection and actions over an interface (such as via an E2 interface) connecting one or more CUs, one or more DUs, or both, as well as an O-eNB, with the Near-RT RIC 125.
  • an interface such as via an E2 interface
  • the Non-RT RIC 115 may receive parameters or external enrichment information from external servers. Such information may be utilized by the Near-RT RIC 125 and may be received at the SMO Framework 105 or the Non-RT RIC 115 from non-network data sources or from network functions. In some examples, the Non-RT RIC 115 or the Near-RT RIC 125 may be configured to tune RAN behavior or performance. For example, the Non-RT RIC 115 may monitor long-term trends and patterns for performance and employ AI/ML models to perform corrective actions through the SMO Framework 105 (such as reconfiguration via 01) or via creation of RAN management policies (such as A1 policies).
  • a base station 102 may include one or more of the CU 110, the DU 130, and the RU 140 (each component indicated with dotted lines to signify that each component may or may not be included in the base station 102).
  • the base station 102 provides an access point to the core network 120 for aUE 104.
  • the base station 102 may include macrocells (high power cellular base station) and/or small cells (low power cellular base station).
  • the small cells include femtocells, picocells, and microcells.
  • a network that includes both small cell and macrocells may be known as a heterogeneous network.
  • a heterogeneous network may also include Home Evolved Node Bs (eNBs) (HeNBs), which may provide service to a restricted group known as a closed subscriber group (CSG).
  • the communication links between the RUs (e g., the RU 140) and the UEs (e g , the UE 104) may include uplink (UL) (also referred to as reverse link) transmissions from a UE 104 to an RU 140 and/or downlink (DL) (also referred to as forward link) transmissions from an RU 140 to a UE 104.
  • the communication links may use multiple- input and multiple- out put (MIMO) antenna technology, including spatial multiplexing, beamforming, and/or transmit diversity.
  • the communication links may be through one or more carriers.
  • the base station 102 / UE 104 may use spectrum up to f MHz (e.g., 5, 10, 15, 20, 100, 400, etc. MHz) bandwidth per carrier allocated in a carrier aggregation of up to a total of Yx MHz (x component carriers) used for transmission in each direction.
  • the carriers may or may not be adjacent to each other. Allocation of carriers may be asymmetric with respect to DL and UL (e.g., more or fewer carriers may be allocated for DL than for UL).
  • the component carriers may include a primary component carrier and one or more secondary component carriers.
  • a primary component carrier 17 may be referred to as a primary cell (PCell) and a secondary component carrier may be referred to as a secondary cell (SCell).
  • PCell primary cell
  • SCell secondary cell
  • D2D communication link 158 may use the DL/UL wireless wide area network (WWAN) spectrum.
  • the D2D communication link 158 may use one or more sidelink channels, such as a physical sidelink broadcast channel (PSBCH), a physical sidelink discovery channel (PSD CH), a physical sidelink shared channel (PSSCH), and a physical sidelink control channel (PSCCH).
  • sidelink channels such as a physical sidelink broadcast channel (PSBCH), a physical sidelink discovery channel (PSD CH), a physical sidelink shared channel (PSSCH), and a physical sidelink control channel (PSCCH).
  • sidelink channels such as a physical sidelink broadcast channel (PSBCH), a physical sidelink discovery channel (PSD CH), a physical sidelink shared channel (PSSCH), and a physical sidelink control channel (PSCCH).
  • D2D communication may be through a variety of wireless D2D communications systems, such as for example, Bluetooth, Wi-Fi based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard,
  • the wireless communications system may further include a Wi-Fi AP 150 in communication with a UE 104 (also referred to as Wi-Fi stations (STAs)) via communication link 154, e.g., in a 5 GHz unlicensed frequency spectrum or the like.
  • a Wi-Fi AP 150 may perform a clear channel assessment (CCA) prior to communicating in order to determine whether the channel is available.
  • CCA clear channel assessment
  • FR1 frequency range designations FR1 (410 MHz - 7.125 GHz) and FR2 (24.25 GHz - 52.6 GHz). Although a portion of FR1 is greater than 6 GHz, FR1 is often referred to (interchangeably) as a “sub-6 GHz” band in various documents and articles.
  • FR2 which is often referredto (interchangeably) as a “millimeter wave” band in documents and articles, despite being different from the extremely high frequency (EHF) band (30 GHz - 300 GHz) which is identified by the International Telecommunications Union (ITU) as a “millimeter wave” band.
  • EHF extremely high frequency
  • ITU International Telecommunications Union
  • FR3 7.125 GHz - 24.25 GHz
  • FR4 71 GHz - 114.25 GHz
  • FR5 114.25 GHz - 300 GHz
  • sub-6 GHz or the like if used herein may broadly represent frequencies that may be less than 6 GHz, may be within FR1, or may include mid-band frequencies.
  • millimeter wave or the like if used herein may broadly represent frequencies that may include mid-band frequencies, may be within FR2, FR4, FR2-2, and/or FR5, or may be within the EHF band.
  • the base station 102 and the UE 104 may each include a plurality of antennas, such as antenna elements, antenna panels, and/or antenna arrays to facilitate beamforming.
  • the base station 102 may transmit a beamformed signal 182 to the UE 104 in one or more transmit directions.
  • the UE 104 may receive the beamformed signal from the base station 102 in one or more receive directions.
  • the UE 104 may also transmit a beamformed signal 184 to the base station 102 in one or more transmit directions.
  • the base station 102 may receive the beamformed signal from the UE 104 in one or more receive directions.
  • the base station 102 / UE 104 may perform beam training to determine the best receive and transmit directions for each of the base station 102 / UE 104.
  • the transmit and receive directions for the base station 102 may or may not be the same.
  • the transmit and receive directions for the UE 104 may or may not be the same.
  • the base station 102 may include and/or be referred to as a gNB, Node B, eNB, an access point, a base transceiver station, a radio base station, a radio transceiver, a transceiver function, a basic service set (BSS), an extended service set (ESS), a transmit reception point (TRP), network node, network entity, network equipment, or some other suitable terminology.
  • the base station 102 can be implemented as an integrated access and backhaul (IAB) node, a relay node, a sidelink node, an aggregated (monolithic) base station with a baseband unit (BBU) (including a CU and a DU) and an RU, or as a disaggregated base station including one or more of a CU, a DU, and/or an RU.
  • IAB integrated access and backhaul
  • BBU baseband unit
  • NG-RAN next generation
  • the core network 120 may include an Access and Mobility Management Function (AMF) (e.g., an AMF 161), a Session Management Function (SMF) (e.g., an SMF 19
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • the AMF 161 is the control node that processes the signaling between the UE 104 and the core network 120.
  • the AMF 161 supports registration management, connection management, mobility management, and other functions.
  • the SMF 162 supports session management and other functions.
  • the UPF 163 supports packet routing, packet forwarding, and other functions
  • the UDM 164 supports the generation of authentication and key agreement (AKA) credentials, user identification handling, access authorization, and subscription management.
  • AKA authentication and key agreement
  • the one or more location servers 168 are illustrated as including a Gateway Mobile Location Center (GMLC) (e.g., a GMLC 165) and a Location Management Function (LMF) (e.g., an LMF 166).
  • GMLC Gateway Mobile Location Center
  • LMF Location Management Function
  • the one or more location servers 168 may include one or more location/positioning servers, which may include one or more of the GMLC 165, the LMF 166, a position determination entity (PDE), a serving mobile location center (SMLC), a mobile positioning center (MPC), or the like.
  • PDE position determination entity
  • SMLC serving mobile location center
  • MPC mobile positioning center
  • the GMLC 165 and the LMF 166 support UE location services.
  • the GMLC 165 provides an interface for clients/applications (e.g., emergency services) for accessing UE positioning information.
  • the LMF 166 receives measurements and assistance information from the NG-RAN and the UE 104 via the AMF 161 to compute the position of the UE 104.
  • the NG-RAN may utilize one or more positioning methods in order to determine the position of the UE 104. Positioning the UE 104 may involve signal measurements, a position estimate, and an optional velocity computation based on the measurements The signal measurements may be made by the UE 104 and/or the serving base station (e.g., the base station 102).
  • the signals measured may be based on one or more of a satellite positioning system (SPS) 170 (e.g., one or more of a Global Navigation Satellite System (GNSS), global position system (GPS), non-terrestrial network (NTN), or other satellite position/location system), LTE signals, wireless local area network (WLAN) signals, Bluetooth signals, a terrestrial beacon system (TBS), sensor-based information (e.g., barometric pressure sensor, motion sensor), NR enhanced cell ID (NRE-CID) methods, NRsignals (e.g., multi-round trip time (Multi- RTT), DL angle-of-departure (DL-AoD), DL time difference of arrival (DL-TDOA), UL time difference of arrival (UL-TDOA), and UL angle-of-arrival (UL-AoA) positioning), and/or other systems/signals/sensors.
  • SPS satellite positioning system
  • GNSS Global Navigation Satellite System
  • GPS global position system
  • NTN non-terrestrial network
  • Examples of UEs include a cellular phone, a smart phone, a session initiation protocol (SIP) phone, a laptop, a personal digital assistant (PDA), a satellite radio, a global positioning system, a multimedia device, a video device, a digital audio player (e.g., MP3 player), a camera, a game console, a tablet, a smart device, a wearable device, a vehicle, an electric meter, a gas pump, a large or small kitchen appliance, a healthcare device, an implant, a sensor/actuator, a display, or any other similar functioning device.
  • SIP session initiation protocol
  • PDA personal digital assistant
  • the UEs may be referred to as IoT devices (e g., parking meter, gas pump, toaster, vehicles, heart monitor, etc.).
  • the UE 104 may also be referred to as a station, a mobile station, a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a mobile device, a wireless device, a wireless communications device, a remote device, a mobile subscriber station, an access terminal, a mobile terminal, a wireless terminal, a remote terminal, a handset, a user agent, a mobile client, a client, or some other suitable terminology.
  • the term UE may also apply to one or more companion devices such as in a device constellation arrangement. One or more of these devices may collectively access the network and/or individually access the network.
  • a device in communication with a base station such as the UE 104, may be configured to manage one or more aspects of wireless communication.
  • the UE 104 may include a UE security handling component 198 configured to facilitate security handling of 5GS to EPC reselection in cases of RDF and retransmission of EPS TAU requests.
  • the UE security handling component 198 may be configured to transmit, to a first network entity, a first TAU request, the first TAU request encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity.
  • An uplink count may indicate a quantity of communicated uplink messages.
  • the example UE security handling component 198 may also be configured to transmit, to the first network entity, a second TAU request, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count.
  • example UE security handling component 198 may be configured to derive a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count.
  • the example UE security handling 21 component 198 may also be configured to communicate with the first network entity based on the mapped security context.
  • the UE security handling component 198 may be configured to transmit, to a first network entity, a first TAU request when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a second RAT different than the first RAT, the first network entity associated with the second RAT, the first TAU request encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context.
  • the example UE security handling component 198 may also be configured to derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context.
  • the integrity key may be a key used to perform an integrity check on a communication.
  • the example UE security handling component 198 may be configured to transmit, to the first network entity, a repetition of the first TAU request, the repetition of the first TAU request being integrity protected using a second uplink count that is different than the first uplink count.
  • the example UE security handling component 198 may also be configured to derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context.
  • the example UE security handling component 198 may be configured to receive, from the first network entity, a downlink transmission.
  • the example UE security handling component 198 may also be configured to perform an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key. The integrity check may be performed using an integrity key and confirm the integrity of the downlink transmission.
  • the example UE security handling component 198 may be configured to set a master security key of the UE when the integrity check on the downlink transmission is successful using a derived integrity key, the master security key being set based on the first mapped security context or the second mapped security context used to derive the derived integrity key.
  • the master security key may be a key used to derive other security keys.
  • the UE security handling component 198 may be configured to transmit, to a first network entity, a first TAU request.
  • the first TAU request may be encoded using a first security context associated with a first RAT.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context, and the first TAU request may include a first set of information including an 22 identifier mapped to a second RAT associated with the first network entity.
  • the example UE security handling component 198 may also be configured to derive a first mapped security context based on the first security context and the first uplink count.
  • the example UE security handling component 198 may also be configured to transmit, to the first network entity, a second TAU request.
  • the second TAU request may be encoded using the first security context, the second TAU request may be integrity protected using a second uplink count different than the first uplink count, and the second TAU request may include the first set of information.
  • the example UE security handling component 198 may also be configured to derive a second mapped security context based on the first security context and the second uplink count.
  • the example UE security handling component 198 may also be configured to communicate with the first network entity based on the second mapped security context.
  • the UE security handling component 198 may be configured to transmit, to a first network entity, a first TAU request when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a second RAT different than the first RAT.
  • the first network entity may be associated with the second RAT.
  • the first TAU request may be encoded using a first security context associated with the first RAT, the first TAU request may be integrity protected using a first uplink count based on the first security context, and the first TAU request may include a first set of information including an identifier mapped to a second RAT associated with the first network entity.
  • the example UE security handling component 198 may also be configured to transmit, to the first network entity, a repetition of the first TAU request.
  • the repetition of the first TAU request may include the first set of information, the repetition of the first TAU request may be integrity protected using the first uplink count.
  • the example UE security handling component 198 may also be configured to derive a mapped security context based on the first security context and the first uplink count. Additionally, the example UE security handling component 198 may be configured to communicate with the first network entity based on the mapped security context.
  • the UE security handling component 198 may be configured to transmit, to a first network entity, a first TAU request when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a 23 second RAT different than the first RAT.
  • the first network entity may be associated with the second RAT.
  • the first TAU request may be encoded using a first security context associated with the first RAT, and the first TAU request may be integrity protected using a first uplink count based on the first security context.
  • the example UE security handling component 198 may also be configured to derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context
  • the example UE security handling component 198 may also be configured to transmit, to the first network entity, a repetition of the first TAU request.
  • the repetition of the first TAU request may be integrity protected using a second uplink count different than the first uplink count.
  • the example UE security handling component 198 may also be configured to derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context.
  • the example UE security handling component 198 may also be configured to receive, from the first network entity, a downlink transmission.
  • the example UE security handling component 198 may also be configured to perform an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key.
  • the example UE security handling component 198 may also be configured to set a master security key of the UE when the performing of the integrity check on the downlink transmission is successful using a derived integrity key. The master security key being set based on the respective integrity key.
  • a network entity may be configured to manage one or more aspects of wireless communication by facilitating security handling of 5GS to EPC reselection in cases of REF and retransmission of EPS TAU requests facilitating improved mobility support.
  • a network entity may include a network security handling component 199. Aspects of the network security handling component 199 may be implemented by an MME, an AMF (e.g., the AMF 161), and/or abase station (e g., the base station 102).
  • the network security handling component 199 may be configured to receive a first TAU request generated by a UE, the first TAU request encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity. Additionally, the network security handling component 199 may be configured to output, based on the first TAU request, a first 24 context request for a second network entity, the second network entity associated with the first RAT.
  • the network security handling component 199 may also be configured to receive, based on the first context request, a first mapped security context, the first mapped security context derived from the first security context and the first uplink count. Additionally, the network security handling component 199 may be configured to receive a second TAU request, the second TAU request encoded using the first security context, the second TAU request being integrity protected using a second uplink count that is different than the first uplink count, and the second TAU request including the first set of information. The network security handling component 199 may also be configured to output, based on the second TAU request, a second context request for the second network entity.
  • the network security handling component 199 may be configured to receive, based on the second context request, a second mapped security context, the second mapped security context derived from the first security context and the second uplink count.
  • the network security handling component 199 may also be configured to transmit a downlink message based on the second mapped security context.
  • the network security handling component 199 may be configured to receive a first context request, the first context request including at least a first TAU request generated by a UE, the first TAU request being integrity protected using a first uplink count, the first TAU request encoded using a first security context associated with a first RAT, the first RAT different than a second RAT associated with a first network entity. Additionally, the network security handling component 199 may be configured to derive a first mapped security context when a first integrity check on the first TAU request is successful. The network security handling component 199 may also be configured to output the first mapped security context for the first network entity.
  • the network security handling component 199 may be configured to receive a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count.
  • the network security handling component 199 may also be configured to derive a second mapped security context when a second integrity check on the second TAU request is successful. Additionally, the network security handling component 199 may be configured to output the second mapped security context for the first network entity. 25
  • the network security handling component 199 may be configured to receive, from a UE, a first TAU request.
  • the first TAU request may be encoded using a first security context associated with a first RAT
  • the first TAU request may be integrity protected using a first uplink count based on the first security context
  • the first TAU request may include a first set of information including an identifier mapped to a second RAT associated with the first network entity.
  • the example network security handling component 199 may also be configured to transmit, to a second network entity based on the first TAU request, a first context request.
  • the second network entity may be associated with the first RAT.
  • the example network security handling component 199 may also be configured to receive, from the second network entity based on the first context request, a first mapped security context.
  • the first mapped security context may be derived from the first security context and the first uplink count.
  • the example network security handling component 199 may be configured to receive, from the UE, a second TAU request.
  • the second TAU request may be encoded using the first security context
  • the second TAU request may be integrity protected using a second uplink count different than the first uplink count
  • the second TAU request may include the first set of information.
  • the example network security handling component 199 may also be configured to transmit, to the second network entity based on the second TAU request, a second context request.
  • example network security handling component 199 may be configured to receive, from the second network entity based on the second context request, a second mapped security context.
  • the second mapped security context may be derived from the first security context and the second uplink count.
  • the example network security handling component 199 may also be configured to transmit, to the UE, a downlink message based on the second mapped security context.
  • the network security handling component 199 may be configured to receive, from a first network entity, a first context request, the first context request including at least a first TAU request generated by a UE.
  • the first TAU request may be integrity protected using a first uplink count
  • the first TAU request may be encoded using a first security context associated with a first RAT
  • the first RAT may be different than a second RAT associated with the first network entity.
  • the example network security handling component 199 may also be configured to derive a first mapped security context when an integrity check on the first TAU request is successful.
  • the example network security handling component 199 may also be 26 configured to transmit, to the first network entity, the first mapped security context.
  • the example network security handling component 199 may be configured to receive, from the first network entity, a second context request.
  • the second context request may include at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count.
  • the example network security handling component 199 may also be configured to derive a second mapped security context when an integrity check on the second TAU request is successful.
  • the example network security handling component 199 may also be configured to transmit, to the first network entity, the second mapped security context.
  • the aspects presented herein may enable devices of a wireless communication system to facilitate security handling of 5GS to EPC reselection in cases of RLF and retransmission of EPS TAU requests facilitating improved mobility support.
  • the concepts described herein may be applicable to other similar areas, such as LTE, LTE-A, CDMA, GSM, and/or other wireless technologies, in which a UE may perform reselection from a cell associated with a first RAT to a second associated with a second RAT.
  • FIG. 2A is a diagram 200 illustrating an example of a first subframe within a 5G NR frame structure.
  • FIG. 2B is a diagram 230 illustrating an example of DL channels within a 5G NR subframe.
  • FIG. 2C is a diagram 250 illustrating an example of a second subframe within a 5G NR frame structure.
  • FIG. 2D is a diagram 280 illustrating an example of UL channels within a 5G NR subframe.
  • the 5G NR frame structure may be frequency division duplexed (FDD) in which for a particular set of subcarriers (carrier system bandwidth), subframes within the set of subcarriers are dedicated for either DL or UL, or may be time division duplexed (TDD) in which for a particular set of subcarriers (carrier system bandwidth), subframes within the set of subcarriers are dedicated for both DL and UL.
  • FDD frequency division duplexed
  • TDD time division duplexed
  • the 5G NR frame structure is assumed to be TDD, with subframe 4 being configured with slot format 28 (with mostly DL), where D is DL, U is UL, and F is flexible for use between DL/UL, and subframe 3 being configured with slot format 1 (with all UL). While subframes 3, 4 are shown with slot formats 1, 28, respectively, any particular subframe may be configured with any of the various available slot formats 0-61. Slot formats 0, 1 are all DL, UL, respectively. Other slot formats 2-61 27 include a mix of DL, UL, and flexible symbols.
  • UEs are configured with the slot format (dynamically through DL control information (DCI), or semi- statically/statically through radio resource control (RRC) signaling) through a received slot format indicator (SFI).
  • DCI DL control information
  • RRC radio resource control
  • SFI received slot format indicator
  • FIGs. 2A-2D illustrate a frame structure, and the aspects of the present disclosure may be applicable to other wireless communication technologies, which may have a different frame structure and/or different channels.
  • a frame (10 ms) may be divided into 10 equally sized subframes (1 ms). Each subframe may include one or more time slots. Subframes may also include mini-slots, which may include 7, 4, or 2 symbols. Each slot may include 14 or 12 symbols, depending on whether the cyclic prefix (CP) is normal or extended. For normal CP, each slot may include 14 symbols, and for extended CP, each slot may include 12 symbols.
  • the symbols on DL may be CP orthogonal frequency division multiplexing (OFDM) (CP -OFDM) symbols.
  • OFDM orthogonal frequency division multiplexing
  • the symbols on UL may be CP-OFDM symbols (for high throughput scenarios) or discrete Fourier transform (DFT) spread OFDM (DFT-s-OFDM) symbols (also referred to as single carrier frequency-division multiple access (SC-FDMA) symbols) (for power limited scenarios; limited to a single stream transmission).
  • DFT discrete Fourier transform
  • SC-FDMA single carrier frequency-division multiple access
  • the number of slots within a subframe is based on the CP and the numerology.
  • the numerology defines the subcarrier spacing (SCS) and, effectively, the symbol length/duration, which is equal to 1/SCS.
  • the numerology 2 allows for 4 slots per subframe. Accordingly, for normal CP and numerology m, there are 14 28 symbols/slot and 2i* slots/subframe.
  • the symbol length/duration is inversely related to the subcarrier spacing.
  • the slot duration is 0.25 ms
  • the subcarrier spacing is 60 kHz
  • the symbol duration is approximately 16.67 ps.
  • BWPs bandwidth parts
  • Each BWP may have a particular numerology and CP (normal or extended).
  • a resource grid may be used to representthe frame structure.
  • Each time slot includes a resource block (RB) (also referred to as physical RBs (PRBs)) that extends 12 consecutive subcarriers.
  • RB resource block
  • PRBs physical RBs
  • the resource grid is divided into multiple resource elements (REs). The number of bits carried by each RE depends on the modulation scheme.
  • the RS may include demodulation RS (DM-RS) (indicated as R for one particular configuration, but other DM-RS configurations are possible) and channel state information reference signals (CSI-RS) for channel estimation at the UE.
  • DM-RS demodulation RS
  • CSI-RS channel state information reference signals
  • the RS may also include beam measurement RS (BRS), beam refinement RS (BRRS), and phase tracking RS (PT-RS).
  • BRS beam measurement RS
  • BRRS beam refinement RS
  • PT-RS phase tracking RS
  • FIG. 2B illustrates an example of various DL channels within a subframe of a frame.
  • the physical downlink control channel carries DCI within one or more control channel elements (CCEs) (e g., 1, 2, 4, 8, or 16 CCEs), each CCE including six RE groups (REGs), each REG including 12 consecutive REs in an OFDM symbol of an RB.
  • CCEs control channel elements
  • a PDCCH within one BWP may be referred to as a control resource set (CORESET).
  • a UE is configured to monitor PDCCH candidates in a PDCCH search space (e.g., common search space, UE-specific search space) during PDCCH monitoring occasions on the CORESET, where the PDCCH candidates have different DCI formats and different aggregation levels. Additional BWPs may be located at greater and/or lower frequencies across the channel bandwidth.
  • a primary synchronization signal may be within symbol 2 of particular subframes of a frame.
  • the PSS is used by a UE 104 to determine subframe/symbol timing and a physical layer identity.
  • a secondary synchronization signal may be within symbol 4 of particular subframes of a frame.
  • the SSS is used by a UE to determine a 29 physical layer cell identity group number and radio frame timing. Based on the physical layer identity and the physical layer cell identity group number, the UE can determine a physical cell identifier (PCI). Based on the PCI, the UE can determine the locations of the DM-RS.
  • PCI physical cell identifier
  • the physical broadcast channel which carries a master information block (MIB), may be logically grouped with the PSS and SSS to form a synchronization signal (SS)/PBCH block (also referred to as SS block (SSB)).
  • the MIB provides a number of RBs in the system bandwidth and a system frame number (SFN).
  • the physical downlink shared channel (PDSCH) carries user data, broadcast system information not transmitted through the PBCH such as system information blocks (SIBs), and paging messages.
  • SIBs system information blocks
  • some of the REs carry DM-RS (indicated as R for one particular configuration, but other DM-RS configurations are possible) for channel estimation at the base station.
  • the UE may transmit DM-RS for the physical uplink control channel (PUCCH) and DM-RS for the physical uplink shared channel (PUSCH).
  • the PUSCH DM-RS may be transmitted in the first one or two symbols of the PUSCH.
  • the PUCCH DM-RS may be transmitted in different configurations depending on whether short or long PUCCHs are transmitted and depending on the particular PUCCH format used.
  • the UE may transmit sounding reference signals (SRS).
  • the SRS may be transmitted in the last symbol of a subframe.
  • the SRS may have a comb structure, and a UE may transmit SRS on one of the combs.
  • the SRS may be used by a base station for channel quality estimation to enable frequency- dependent scheduling on the UL.
  • FIG. 2D illustrates an example of various UL channels within a subframe of a frame.
  • the PUCCH may be located as indicated in one configuration.
  • the PUCCH carries uplink control information (UCI), such as scheduling requests, a channel quality indicator (CQI), a precoding matrix indicator (PMI), a rank indicator (RI), and hybrid automatic repeat request (HARQ) acknowledgment (ACK) (HARQ-ACK) feedback (i.e ., one or more HARQ ACK bits indicating one or more ACK and/or negative ACK (NACK)).
  • UCI uplink control information
  • CQI channel quality indicator
  • PMI precoding matrix indicator
  • RI rank indicator
  • HARQ-ACK hybrid automatic repeat request acknowledgment
  • the PUSCH carries data, and may additionally be used to carry a buffer status report (BSR), a power headroom report (PHR), and/or UCI.
  • BSR buffer status report
  • PHR power headroom report
  • FIG. 3 is a block diagram that illustrates an example of a first wireless device that is configured to exchange wireless communication with a second wireless device.
  • the first wireless device may include a base station 310
  • the second wireless device may include a UE 350
  • the base station 310 may be in 30 communication with the UE 350 in an access network.
  • the base station 310 includes atransmit processor (TX processor 316), a transmitter 318Tx, a receiver 318Rx, antennas 320, a receive processor (RX processor 370), a channel estimator 374, a controller/processor 375, and memory 376.
  • the example UE 350 includes antennas 352, a transmitter 354Tx, a receiver 354Rx, an RX processor 356, a channel estimator 358, a controller/processor 359, memory 360, and a TX processor 368.
  • the base station 310 and/or the UE 350 may include additional or alternative components.
  • IP Internet protocol
  • the controller/processor 375 implements layer 3 and layer 2 functionality.
  • Layer 3 includes a radio resource control (RRC) layer
  • layer 2 includes a service data adaptation protocol (SDAP) layer, a packet data convergence protocol (PDCP) layer, a radio link control (RLC) layer, and a medium access control (MAC) layer.
  • RRC radio resource control
  • SDAP service data adaptation protocol
  • PDCP packet data convergence protocol
  • RLC radio link control
  • MAC medium access control
  • the controller/processor 375 provides RRC layer functionality associated with broadcasting of system information (e.g., MIB, SIBs), RRC connection control (e.g., RRC connection paging, RRC connection establishment, RRC connection modification, and RRC connection release), inter radio access technology (RAT) mobility, and measurement configuration for UE measurement reporting; PDCP layer functionality associated with header compression / decompression, security (ciphering, deciphering, integrity protection, integrity verification), and handover support functions; RLC layer functionality associated with the transfer of upper layer packet data units (PDUs), error correction through ARQ, concatenation, segmentation, and reassembly of RLC service data units (SDUs), re-segmentation of RLC data PDUs, and reordering of RLC data PDUs; and MAC layer functionality associated with mapping between logical channels and transport channels, multiplexing of MAC SDUs onto transport blocks (TBs), demultiplexing of MAC SDUs from TBs, scheduling information reporting, error correction
  • the TX processor 316 and the RX processor 370 implement layer 1 functionality associated with various signal processing functions.
  • Layer 1 which includes a physical (PHY) layer, may include error detection on the transport channels, forward error correction (FEC) coding/decoding of the transport channels, interleaving, rate matching, mapping onto physical channels, modulation/ demodulation of physical channels, and MIMO antenna processing.
  • the TX processor 316 handles mapping to 31 signal constellations based on various modulation schemes (e.g., binary phase-shift keying (BPSK), quadrature phase-shift keying (QPSK), M-phase-shift keying (M- PSK), M-quadrature amplitude modulation (M-QAM)).
  • BPSK binary phase-shift keying
  • QPSK quadrature phase-shift keying
  • M- PSK M-phase-shift keying
  • M-QAM M-quadrature amplitude modulation
  • Each stream may then be mapped to an OFDM subcarrier, multiplexed with a reference signal (e.g., pilot) in the time and/or frequency domain, and then combined together using an Inverse Fast Fourier Transform (IFFT) to produce a physical channel carrying a time domain OFDM symbol stream.
  • the OFDM stream is spatially precoded to produce multiple spatial streams.
  • Channel estimates from the channel estimator 374 may be used to determine the coding and modulation scheme, as well as for spatial processing.
  • the channel estimate may be derived from a reference signal and/or channel condition feedback transmitted by the UE 350.
  • Each spatial stream may then be provided to a different antenna of the antennas 320 via a separate transmitter (e.g., the transmitter 318Tx).
  • Each transmitter 318Tx may modulate a radio frequency (RF) carrier with a respective spatial stream for transmission.
  • RF radio frequency
  • each receiver 354Rx receives a signal through its respective antenna of the antennas 352. Each receiver 354Rx recovers information modulated onto anRF carrier and provides the information to the RX processor 356.
  • the TX processor 368 and the RX processor 356 implement layer 1 functionality associated with various signal processing functions.
  • the RX processor 356 may perform spatial processing on the information to recover any spatial streams destined for the UE 350. If multiple spatial streams are destined for the UE 350, two or more of the multiple spatial streams may be combined by the RX processor 356 into a single OFDM symbol stream.
  • the RX processor 356 then converts the OFDM symbol stream from the time-domain to the frequency domain using a Fast Fourier Transform (FFT).
  • FFT Fast Fourier Transform
  • the frequency domain signal comprises a separate OFDM symbol stream for each subcarrier of the OFDM signal.
  • the symbols on each subcarrier, and the reference signal are recovered and demodulated by determining the most likely signal constellation points transmitted by the base station 310. These soft decisions may be based on channel estimates computed by the channel estimator 358.
  • the soft decisions are then decoded and deinterleaved to recover the data and control signals that were originally transmitted by the base station 310 on the physical channel.
  • the data and control signals are then provided to the controller/processor 359, which implements layer 3 and layer 2 functionality.
  • the controller/processor 359 can be associated with the memory 360 that stores program codes and data.
  • the memory 360 may be referred to as a computer-readable medium.
  • the controller/processor 359 provides demultiplexing between transport and logical channels, packet reassembly, deciphering, header decompression, and control signal processing to recover IP packets.
  • the controller/processor 359 is also responsible for error detection using an ACK and/or NACK protocol to support HARQ operations.
  • the controller/processor 359 provides RRC layer functionality associated with system information (e g., MIB, SIBs) acquisition, RRC connections, and measurement reporting; PDCP layer functionality associated with header compression / decompression, and security (ciphering, deciphering, integrity protection, integrity verification); RLC layer functionality associated with the transfer of upper layer PDUs, error correction through ARQ, concatenation, segmentation, and reassembly of RLC SDUs, re-segmentation of RLC data PDUs, and reordering of RLC data PDUs; and MAC layer functionality associated with mapping between logical channels and transport channels, multiplexing of MAC SDUs onto TBs, demultiplexing of MAC SDUs from TBs, scheduling information reporting, error correction through HARQ, priority handling, and logical channel prioritization.
  • RRC layer functionality associated with system information (e g., MIB, SIBs) acquisition, RRC connections, and measurement reporting
  • PDCP layer functionality associated with header compression
  • Channel estimates derived by the channel estimator 358 from a reference signal or feedback transmitted by the base station 310 may be used by the TX processor 368 to select the appropriate coding and modulation schemes, and to facilitate spatial processing.
  • the spatial streams generated by the TX processor 368 may be provided to different antenna of the antennas 352 via separate transmitters (e.g., the transmitter 354Tx). Each transmitter 354Tx may modulate an RF carrier with a respective spatial stream for transmission.
  • the UL transmission is processed at the base station 310 in a manner similar to that described in connection with the receiver function at the UE 350.
  • Each receiver 318Rx receives a signal through its respective antenna of the antennas 320.
  • Each receiver 318Rx recovers information modulated onto an RF carrier and provides the information to the RX processor 370.
  • the controller/processor 375 can be associated with the memory 376 that stores program codes and data.
  • the memory 376 may be referred to as a computer-readable medium.
  • the controller/processor 375 provides demultiplexing between 33 transport and logical channels, packet reassembly, deciphering, header decompression, control signal processing to recover IP packets.
  • the controller/processor 375 is also responsible for error detection using an ACK and/or NACK protocol to support HARQ operations.
  • At least one of the TX processor 368, the RX processor 356, and the controller/processor 359 may be configured to perform aspects in connection with the UE security handling component 198 of FIG. 1
  • At least one of the TX processor 316, the RX processor 370, and the controller/processor 375 may be configured to perform aspects in connection with the network security handling component 199 of FIG. 1.
  • FIG. 4 is a diagram illustrating an example of a wireless communications system and an access network 400 including a first network node 402a, a second network node 402b, a UE 404, an Evolved Packet Core (e.g., an EPC 410), and a core network 430 (e.g., a 5G Core (5GC)), as presented herein.
  • Aspects of the first network node 402a and/or the second network node 402b which may be collectively referred to herein as “network nodes 402a/402b,” may be implemented by the base station 102 of FIG. 1 and/or a component of the base station 102, such as a CU 110, a DU 130, and/or an RU 140.
  • Aspects of the UE 404 may be implemented by the UE 104 of FIG. 1.
  • the first network node 402a may be configured for 4G LTE (collectively referred to as Evolved Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (E-UTRAN)) and may interface with the EPC 410 through first backhaul links 452 (e.g., SI interface).
  • the second network node 402b may be configured for 5G NR (collectively referred to as Next Generation RAN (NG-RAN)) and may interface with the core network 430 through second backhaul links 454.
  • NG-RAN Next Generation RAN
  • the network nodes 402a/402b may perform one or more of the following functions: transfer of user data, radio channel ciphering and deciphering, integrity protection, header compression, mobility control functions (e.g., handover, dual connectivity), inter-cell interference coordination, connection setup and release, load balancing, distribution for non-access stratum (NAS) messages, NAS node selection, synchronization, radio access network (RAN) sharing, multimedia broadcast multicast service (MBMS), subscriber and equipment trace, RAN information management (RIM), paging, positioning, and delivery of warning messages.
  • NAS non-access stratum
  • RAN radio access network
  • MBMS multimedia broadcast multicast service
  • RIM RAN information management
  • the network nodes 402a/402b may communicate directly or indirectly (e.g., through the EPC 410 or the core network 430) with each other over 34 third backhaul links 456 (e.g., X2 interface).
  • the first backhaul links 452, the second backhaul links 454, and the third backhaul links 456 may be wired or wireless.
  • the network nodes 402a/402b may wirelessly communicate with the UE 404. Each of the network nodes 402a/402b may provide communication coverage for a respective geographic coverage area 406. There may be overlapping geographic coverage areas.
  • communication links 408 between the network nodes 402a/402b and the UE 404 may include uplink (UL) (also referred to as reverse link) transmissions from UE 404 to a respective network node and/or downlink (DL) (also referred to as forward link) transmissions from a respective network node to UE 404.
  • the communication links 408 may use MEMO antenna technology, including spatial multiplexing, beamforming, and/or transmit diversity.
  • the communication links may be through one or more carriers.
  • the EPC 410 may include a Mobility Management Entity (e.g., an MME 412), other MMEs 414, a Serving Gateway 416, a Multimedia Broadcast Multicast Service (MBMS) Gateway (e.g., an MBMS GW 418), a Broadcast Multicast Service Center (e.g., a BM-SC 420), and a Packet Data Network (PDN) Gateway (e.g., a PDN Gateway 422).
  • the MME 412 may be in communication with a Home Subscriber Server (e.g., an HSS 424).
  • the MME 412 is the control node that processes the signaling between the UE 404 and the EPC 410. Generally, the MME 412 provides bearer and connection management.
  • IP Internet protocol
  • the PDN Gateway 422 provides UE IP address allocation as well as other functions.
  • the PDN Gateway 422 and the BM-SC 420 are connected to IP Services 426.
  • the IP Services 426 may include the Internet, an intranet, an IP Multimedia Subsystem (IMS), a PS Streaming Service, and/or other IP services.
  • the BM-SC 420 may provide functions for MBMS user service provisioning and delivery.
  • the BM-SC 420 may serve as an entry point for content provider MBMS transmission, may be used to authorize and initiate MBMS Bearer Services within a public land mobile network (PLMN), and may be used to schedule MBMS transmissions.
  • PLMN public land mobile network
  • the MBMS GW 418 may be used to distribute MBMS traffic to the network nodes 402a/402b belonging to a Multicast Broadcast Single Frequency Network (MBSFN) area broadcasting a particular service, and may be responsible for session management (start/stop) and for collecting eMBMS related charging information.
  • MMSFN Multicast Broadcast Single Frequency Network
  • the core network 430 may include an Access and Mobility Management Function (e.g., an AMF 432), other AMFs 434, a Session Management Function (e.g., an SMF 436), and a User Plane Function (e.g., a UPF 438).
  • the AMF 432 may be in communication with a Unified Data Management (e.g., a UDM 440).
  • the AMF 432 is the control node that processes the signaling between the UE 404 and the core network 430. Generally, the AMF 432 provides QoS flow and session management. All user IP packets are transferred through the UPF 438.
  • the UPF 438 provides UE IP address allocation as well as other functions.
  • the UPF 438 is connected to IP Services 442.
  • the IP Services 442 may include the Internet, an intranet, an IP Multimedia Subsystem (IMS), a Packet Switch (PS) Streaming (PSS) Service, and/or other IP services.
  • IMS IP Multimedia
  • the MME 412 and/or the AMF 432 may be configured to manage one or more aspects of wireless communication by facilitating security handling of 5GS to EPC reselection in cases of RLF and retransmission of EPS TAU requests facilitating improved mobility support.
  • the MME 412 and or the AMF 432 may be configured to facilitate a handover from the 5G network associated with the second network node 402b to the EPS network associated with the first network node 402a.
  • the MME 412 and/or the AMF 432 may include a network security handling component 497. Aspects of the network security handling component 497 may be similar to the network security handling component 199 of FIG. 1 and/or FIG. 3.
  • the non-access stratum forms a highest stratum of the control plane between a UE and an MME at the radio interface. Protocols that are part of the NAS provide support of mobility of the UE.
  • NAS security is an additional function of the NAS providing services to the NAS protocols. For example, NAS security may provide integrity protection and ciphering of NAS signaling messages.
  • the security parameters for authentication, integrity protection, and ciphering may be referred to as a security context and identified by a key set identifier (KSI).
  • KKI key set identifier
  • the information representing the security context may be stored at the UE and the network serving the UE (e.g., the serving network).
  • the security context may be referred to as a “NAS security context” and include a key, a key set identifier associated with the key, UE security capabilities (e.g., a set of identifiers corresponding to the ciphering and integrity algorithms implemented by the UE), an uplink NAS count, and a downlink NAS 36 count.
  • the uplink NAS count and the downlink NAS count may each be set to zero, and may be sequentially incremented when a respective NAS message is communicated.
  • the uplink NAS count value may indicate a quantity of communicated uplink NAS messages and the downlink NAS count value may indicate a quantity of communicated downlink NAS messages associated with an active security context.
  • the 5G security context may include a 5G NAS master security key (KAMF) that is identified by a key set identifier in 5G (ngKSI).
  • the 5G NAS master security key may also be referred to as a “5G NAS key” or a “5G master security key” herein.
  • the EPS security context may include an EPS NAS master security key (KASME) that is identified by a key set identifier for EPS (eKSI).
  • KASME EPS NAS master security key
  • eKSI key set identifier for EPS
  • the EPS NAS master security key may also be referred to as an ⁇ R S NAS key” or an “EP S master security key” herein.
  • FIG. 5 depicts examples of different security contexts, as presented herein.
  • FIG. 5 includes a first security context 500, a second security context 520 associated with a 5G network, and a third security context 540 associated with an EPS network.
  • the security contexts include data that may be used to integrity protect NAS signaling, e.g., when transmitting a NAS message and/or when receiving a NAS message.
  • the security context data may be associated with integrity protecting NAS signaling associated with respective RANs.
  • the second security context 520 may include 5G security context data used to transmit 5G NAS messages and/or verify 5G NAS messages.
  • the third security context 540 may include EPS security context data used to transmit EPS NAS messages and/or verify EPS NAS messages.
  • the first security context 500 includes a master security key 502 and a KSI 504 associated with the master security key 502.
  • the KSI 504 may indicate the master security key 502.
  • the first security context 500 also includes UE security capabilities 506 that may include a set of identifiers corresponding to the ciphering and integrity algorithms implemented by the UE.
  • the UE security capabilities 506 may include integrity and encryption keys and the associated identifiers of selected integrity and encryption algorithms.
  • the first security context 500 also includes a NAS count pair including an uplink NAS count 508 and a downlink NAS count 510.
  • the uplink NAS count 508 indicates a quantity of communicated uplink NAS messages and the downlink NAS count 510 indicates a quantity of communicated downlink NAS messages associated with an active 37 security context.
  • the uplink NAS count 508 and the downlink NAS count 510 may be set to a starting value (e.g., may be set to zero). After the NAS count values are set to the starting value, the NAS count value may be incremented when a respective NAS message is communicated.
  • the second security context 520 includes 5G security context data to facilitate integrity protecting 5G NAS messages.
  • the second security context 520 includes a 5G key 522 (KAMF), a 5G KSI 524 (ngKSI), 5G UE security capabilities 526, a 5G uplink NAS count 528, and a 5G downlink NAS count 530.
  • the 5G security context data of the second security context 520 may be similar to the security context data of the first security context 500, but may be configured for the 5G network.
  • the third security context 540 includes EPS security context data to facilitate integrity protecting EPS NAS messages.
  • the third security context 540 includes an EPS key 542 (K AS ME), an EPS KSI 544 (eKSI), EPS UE security capabilities 546, an EPS uplink NAS count 548, and an EPS downlink NAS count 550.
  • the EPS security context data of the third security context 540 may be similar to the security context data of the first security context 500, but may be configured for the EPS network.
  • the security contexts may be associated with a state, such as a “current” state or a “non-current” state.
  • a current security context is a security context that is activated.
  • a non-current security context is a security context that is not the current one (e g., a security context that is not activated).
  • the security contexts may be associated with a type, such as a “native” type or a “mapped” type.
  • a native security context includes a “full native” security context or a “partial native” security context.
  • the security context may be of one type and one state at a time. However, the type of a particular security context may change over time. For example, a partial native security context may transform into a full native security context.
  • a native security context is a security context with a key (e.g., an EPS key KASME or a 5G key KAMF) that is created by a primary authentication procedure and that is identified by a native key set identifier (e.g., a native eKSI or a native ngKSI).
  • the primary authentication procedure may enable mutual authentication between the UE and a network and provide keying material that may be used between the UE and the network in subsequent security procedures.
  • the UE and the network may perform the primary authentication procedure when the UE registers with the 38 network and the native security context may be generated when the primary authentication procedure is successful.
  • the UE may store a copy of the native security context and the network may store a copy of the native security context associated with the UE at a network entity, such as at an MME and/or an AMF.
  • the native security context may include a native KSI that identifies a native key.
  • the native KSI may be derived during the primary authentication procedure and may make it possible for the UE and the network to identify a native security context without invoking an authentication procedure.
  • the native KSI may allow re-use of a native security context during subsequent connection setups between the UE and the network without having to perform an authentication procedure.
  • a native security context may be a partial native security context or a full native security context.
  • a partial native security context is a security context including a key (e.g., the 5G key 522 or the EPS key 542) with the associated key set identifier (e.g., the 5GKSI 524 or the EPS KSI 544), the UE security capabilities, and the NAS count pair (e.g., the uplink NAS count value and the downlink NAS count value).
  • a partial native security context may be created by primary authentication and is in the “non- current” state.
  • a full native security context is a security context that includes the security context data of the partial native security context and also includes the NAS integrity and encryption keys and the associated key set identifiers of the selected NAS integrity and encryption algorithms.
  • a full native security context may be in the “current” state or the “non-current” state.
  • a mapped security context is a security context for which a key is derived from a key associated with a different RAN.
  • a mapped 5G security context includes a mapped 5G key (KAMF) that is derived from EPS keys (e.g., the EPS key 542).
  • a mapped EPS security context includes a mapped EPS key (K ASME )that is derived from 5G keys (e.g., the 5G key 522).
  • the mapped security context may include a mapped KSI of a first network that is associated with a mapped key derived from a native key of a second network.
  • a mapped 5G security context includes a mapped 5G KSI that is associated with a mapped 5Gkey derived from an EPS key of an EP S network.
  • the mapped KSI may be generated at the UE and the network when deriving the mapped key.
  • the mapped KSI may indicate the use of a mapped key.
  • a security context mismatch may occur between a UE and a first network during, for example, reselection from a second network to the first network 39
  • the number of 5GS to EPS reselection procedures performed in a deployment may be high due to, for example, a non-ubiquitous coverage of 5G in deployment scenarios.
  • the 5G network may not initially support IP Multimedia Subsystem (IMS) voice calls.
  • IMS IP Multimedia Subsystem
  • aUE camped on a cell associated with the 5G network may be redirected to a cell associated with the EPS network, for example, to attempt to establish a voice call.
  • FIG. 6 illustrates an example communication flow 600 between a network node 602, a UE 604, an MME 606, and an AMF 608, as presented herein.
  • the communication flow 600 facilitates performing idle mode mobility from 5GS to EPS.
  • the UE 604 may be connected to and/or camped on a first cell associated with a first RAT (e.g., a 5G network) and may be redirected to a second cell associated with a second RAT (e.g., an EPS network or an LTE network).
  • the MME 606 may be associated with an EP S network 607 and the AMF 608 maybe associated with a 5G network 609.
  • the example communication flow 600 may be associated with performing a tracking area update (TAU) request procedure after being redirected to the second cell (e.g., the EPS network 607) or an initial attach procedure with the second cell.
  • TAU tracking area update
  • aspects of the network node 602 may be implemented by the base station 102 of FIG.
  • aspects of the UE 604 may be implemented by the UE 104 of FIG. 1.
  • Aspects of the MME 606 may be implemented by the MME 412 of FIG. 4.
  • Aspects of the AMF 608 may be implemented by the AMF 161 of FIG. 1, the AMF 432 and or the other AMFs 434 of FIG. 4.
  • the UE 604 communicates with the MME 606 via the network node 602.
  • the UE 604 may transmit an uplink message that is received by the network node 602, which then forwards the uplink message to the MME 606.
  • the MME 606 may transmit a message that is received by the network node 602 and then forwarded by the network node 602 to the UE 604.
  • the UE 604 is performing a reselection from the 5G network 609 to the EPS network 607.
  • the UE 604 is configured with a 5G security context 690, such as the second security context 520 of FIG. 5, that is a current (or active) 5G security context.
  • the UE 604 may derive a mapped EPS security context based on the 5G security context data of the current 5G security context to facilitate communication with the MME 606 and the EPS network 607. 40
  • the UE 604 transmits a first TAU request message 610 that is received by the MME 606.
  • the UE 604 may transmit the first TAU request message 610 to update the registration of the actual tracking area of the UE 604 in the EPS network 607.
  • the UE 604 may transmit the first TAU request message 610 via an EPS NAS message.
  • the first TAU request message 610 may include parameters associated with the EPS network 607.
  • the first TAU request message 610 includes a mapped EPS Globally Unique Temporary UE Identity (e g., a mapped EPS GUTI 612) and EPS security capabilities of the UE 604, such as the EPS UE security capabilities 546 of FIG. 5.
  • the mapped EPS GUTI 612 may be derived from a 5G GUTI.
  • the UE 604 may be configured with the 5G GUTI when registering with the 5G network 609.
  • the 5G GUTI may point to an AMF where the 5G key associated with the UE 604 is stored.
  • the mapped EPS GUTI 612 may contain information of the AMF that has the latest security context of the UE 604 in the 5G network 609 and an identifier of the UE within the AMF.
  • the mapped EPS GUTI 612 may contain an address associated with the AMF 608 and a Temporary Mobile Subscription Identifier (e.g., a TMSI 613) associated with the UE 604.
  • the UE 604 may integrity protect the first TAU request message 610 using the 5G security context 690 identified by the 5G GUTI used to derive the mapped EPS GUTI 612. For example, the UE 604 may compute a NAS Message Authentication Code (e.g., a NAS-MAC 614) for the first TAU request message 610. The UE 604 may compute the NAS-MAC 614 similar to computing a NAS-MAC for a 5G NAS message.
  • the uplink NAS count for integrity protection of the first TAU request message 610 may be a same value as the 5G uplink NAS count (e.g., a same value as the 5G uplink NAS count 528of FIG. 5).
  • the first TAU request message 610 may include an eKSI parameter 616 and the UE 604 may include the 5G KSI (ngKSI) corresponding to the 5G security context 690 in the eKSI parameter 616.
  • ngKSI 5G KSI
  • the UE 604 may increment, at 618, the 5G uplink NAS count of the 5G security context 690 by one.
  • the MME 606 may obtain the AMF address of the AMF storing the 5G security context associated with the UE 604. For example, the MME 606 may use the 41 mapped EPS GUTI 612 of the first TAU request message 610 to obtain the AMF address of the AMF 608.
  • the MME 606 may transmit a context request message 622 that is received by the AMF 608.
  • the context request message 622 may include all of the information or a portion of the information of the first TAU request message 610.
  • the context request message 622 may include the NAS-MAC 614 and the eKSI parameter 616.
  • the context request message 622 may also include the mapped EPS GUTI 612.
  • the AMF 608 may identify a 5G NAS security context 692 associated with the UE 604, for example, based on the context request message 622.
  • the AMF 608 may use the 5G KSI included in the eKSI parameter 616 of the context request message 622 to identify the 5G NAS security context 692 associated with the UE 604.
  • the AMF 608 may use the 5G NAS security context 692 to verify the first TAU request message 610.
  • the AMF 608 may verify the first TAU request message 610 as if the first TAU request message 610 was a 5G NAS message. If the AMF 608 successfully verifies the first TAU request message 610, the AMF 608 may generate, at 634, a mapped EPS security context 636. For example, the AMF 608 may derive the mapped EPS security context 636 using the 5G NAS security context 692.
  • the AMF 608 may derive the mapped EPS security context 636, for example, by deriving a mapped EPS key (K A SME’) from the 5G key (KAMF) using the 5G uplink NAS count derived from the first TAU request message 610.
  • K A SME mapped EPS key
  • KAMF 5G uplink NAS count
  • the UE 604 may use the 5G uplink NAS count to integrity protect the first TAU request message 610.
  • the AMF 608 may have the ability to determine the 5G uplink NAS count.
  • the AMF 608 may determine the mapped EPS KSI (eKSI) for the mapped EPS key (KASME’) based on the value taken from the 5G KSI (ngKSI) of the context request message 622.
  • the EPS uplink and downlink NAS count values in the mapped EPS security context 636 may be set to the uplink and downlink NAS count values of the 5G NAS security context 692, respectively.
  • the AMF 608 may set the EPS NAS algorithms to ones previously indicated to the UE 604 (e g., during a connection establishment procedure or a connection reestablishment procedure).
  • the AMF 608 may output a context response message 638 that is received by the MME 606.
  • the context response message 638 may include the 42 mapped EPS security context 636.
  • the AMF 608 may discard (or erase) the 5G NAS security context 692 used to derive the mapped EPS security context 636 after transmitting the context response message 638.
  • the AMF 608 may initiate a timer after transmitting the context response message 638 and discard the 5G NAS security context 692 after the timer expires.
  • the UE 604 may generate, at 640, UE mapped EPS security context 642.
  • the UE 604 may derive the UE mapped EPS security context 642 in a manner similar to the AMF 608 deriving the mapped EPS security context 636.
  • the UE 604 may setthe EPS NAS algorithms to ones previously received from the AMF 608 (e g., during a connection establishment procedure or a connection reestablishment procedure).
  • the UE 604 may activate the UE mapped EPS security context 642 to use for processing of EPS NAS messages received from the MME 606.
  • the MME 606 may compare the UE security algorithms to security algorithms information 694.
  • the MME 606 may be configured with the security algorithms information 694 via network management.
  • the security algorithms information 694 may include a list of algorithms that are allowed for usage.
  • the algorithms in the security algorithms information 694 may be ordered according to priority.
  • the MME 606 may compare the EPS NAS algorithms included in the mapped EPS security context 636 of the context response message 638 to the security algorithms information 694.
  • the MME 606 may compare, at 650, the security algorithms to determine whether to select another EPS NAS algorithm.
  • the MME 606 may select an EPS NAS algorithm from the security algorithms information 694 with the highest priority and that is also available to the UE 604. For example, the MME 606 may use the UE security capabilities of the UE, such as the EPS UE security capabilities 546 of FIG. 5, to determine which EPS NAS algorithm to select from the security algorithms information 694.
  • the MME 606 may perform an NAS security mode command (SMC) procedure (e.g., an NAS SMC procedure 660) to derive new NAS keys with the selected EPS NAS algorithm. If, at 650, the MME 606 determines not to perform an algorithm change, or after the MME 606 and the UE 604 perform the NAS SMC procedure 660, the MME 606 may output a TAU accept message 662 that is received by the UE 604.
  • SMC NAS security mode command
  • the MME 606 may output (e.g., transmit or communicate) the TAU accept message 662 via an EPS NAS message.
  • the UE 604 may perform integrity verification of the TAU accept message 662.
  • the UE 604 may use the mapped EPS key (K A SME’) of the UE mapped EPS security context 642 to perform the integrity verification of the TAU accept message 662. If the integrity verification is successful, the UE 604 may transmit a TAU complete message 666 that is received by the MME 606 If the integrity verification is unsuccessful, the UE 604 may discard the TAU complete message 666.
  • K A SME mapped EPS key
  • the UE 604 may initiate the procedure of FIG. 6 based on a reselection from a first cell associated with the 5G network 609 to a second cell associated with the EPS network 607. However, there may be occurrences when security contexts at the UE 604 and the MME 606 may not match.
  • the UE 604 may experience a radio link failure (RLF).
  • the UE 604 may retransmit the first TAU request message 610, for example, after establishing a new RRC connection with another cell associated with the EPS network 607 or after re establishing the RRC connection with the second cell.
  • the UE 604 may transmit a second TAU request message 670 that is received by the MME 606.
  • the second TAU request message 670 may include the same information as the first TAU request (e g., the first TAU request message 610).
  • the UE 604 may use the updated 5G NAS Uplink count value to integrity protect the second TAU request message 670.
  • the 5G NAS Uplink count value used to integrity protect the first TAU request message 610 may be five and the 5G NAS Uplink count value used to integrity protect the second TAU request message 670 may be six.
  • the MME 606 when the MME 606 receives the second TAU request message 670, the MME 606 may be configured to compare, at 672, the content of the first TAU request message 610 and the second TAU request message 670. In some examples, when the content (e.g., information elements) of the first TAU request message 610 and the second TAU request message 670 are the same, the MME 606 may discard the second TAU request message 670 and continue performing the TAU request procedure of FIG. 6 based on the first TAU request message 610. In such examples, 44 the MME 606 may refrain from sending another context request message to the AMF 608 based on the second TAU request message 670.
  • the MME 606 may refrain from sending another context request message to the AMF 608 based on the second TAU request message 670.
  • refraining from sending another context request message may be sufficient in inter-MME scenarios as no security context mapping may occur. Additionally, refraining from sending another context request message may be sufficient when performing reselection from UMTS to EPS as freshness depending on a NONCE_UE may be used for context mapping.
  • a “NONCE_UE’ refers to a 32-bit pseudo-random number generated by a UE to facilitate the freshness of UMTS to EPS security mapping. The NONCE_UE may be used as an input, along with existing security keys such as 3G security keys, to compute a mapped EPS key (KASME’) ⁇
  • the AMF 608 may use the 5G NAS Uplink count associated with a TAU request message to generate the mapped EPS security context 636 (e.g., at 634). For example, the AMF 608 may use the value five of the 5G NAS Uplink count associated with the first TAU request message 610 to generate the mapped EPS security context 636 that the AMF 608 provides to the MME 606 through the context response message 638.
  • the mapped EPS security context 636 may include an MME EPS key (K A SME’_MME) based on the 5G NAS Uplink count.
  • the MME 606 may be configured with an MME EPS key (KASME’_MME) based on the 5G NAS Uplink count value of five.
  • the UE 604 may use the same 5G NAS Uplink count associated with the TAU request message to generate the UE mapped EPS security context 642 (e.g., at 640). For example, with respect to the first TAU request message 610, the UE 604 may generate, at 640, the UE mapped EPS security context 642 including a first UE EPS key (K A SME _UE).
  • K A SME _UE first UE EPS key
  • the UE 604 may generate, at 680, a new UE mapped EPS security context 682.
  • the new UE mapped EPS security context 682 may be based, at least in part, on the 5G NAS Uplink count value associated with the second TAU request message 670.
  • the new UE mapped EPS security context 682 may be based on the 5G NAS Uplink count value of six associated with the second TAU request message 670.
  • the new UE mapped EPS security context 682 may include a second UE EPS key 45
  • KASME’_UE2 KASME’_UE2
  • the MME EPS key (KASME’_MME) at the MME 606 and the second UE EPS key (KASME’_UE2) may also be different.
  • the UE 604 may drop EPS NAS messages received from the MME 606.
  • the UE 604 may drop or reject EPS NAS messages from the MME 606 (e.g., the TAU accept message 662 and/or messages associated with the NAS SMC procedure 660) due to a disagreement on integrity computations.
  • EPS NAS messages e.g., the TAU accept message 662 and/or messages associated with the NAS SMC procedure 660
  • Such a scenario may result in service interruption and/or dropped calls.
  • Examples disclosed herein provide techniques for removing inconsistencies in the handling of repetitions of TAU request messages as described above.
  • disclosed techniques may remove inconsistencies by modifying how the MME 606 handles a repetition of a TAU request message.
  • disclosed techniques may remove inconsistencies by modifying how the UE 604 performs integrity protection of TAU request messages.
  • disclosed techniques may remove inconsistences by modifying how the UE 604 performs integrity verification of EPS NAS messages.
  • the MME 606 may discard the second TAU request message 670 and refrain from transmitting another context request message to the AMF 608 when the content (e.g., information elements) of the first TAU request message 610 and the second TAU request message 670 are the same.
  • disclosed techniques may remove the inconsistencies described above by modifying how the MME handles the repetition of a TAU request message.
  • the MME 606 may be configured to determine whether to transmit a context request message to the AMF 608 when the MME 606 is able to obtain an AMF address from a TAU request. That is, rather than refraining from transmitting a second context request message based on the first TAU request message 610 and the second TAU request message 670 including the same content (e.g., the same information elements), as described at 672, the MME 606 may determine whether to transmit the second context request message 674 based on whether the MME 606 is 46 able to obtain an AMF address.
  • the MME 606 may determine to transmit the second context request message 674 to the AMF 608 requesting a new mapped EPS security context.
  • the AMF 608 may generate the mapped EPS security context 636 based on the 5G NAS Uplink count associated with the second TAU request message 670 included in the second context request message 674 (e g., the value six).
  • the mapped EPS security context 636 and the new UE mapped EPS security context 682 may be derived based on the same 5G NAS Uplink count (e g., the value six), which may result in the respective mapped EPS keys KASME’_MME, K .ASMt ’_UE2 also being the same.
  • the UE 604 may update, at 684, the security context of the UE 604 from the UE mapped EPS security context 642 to the new UE mapped EPS security context 682 based on the deriving of the new UE mapped EPS security context 682 (e.g., at 680).
  • the MME 606 when the MME 606 receives a mapped EPS security context from the AMF 608, the MME 606 may be configured to update its mapped security context. For example, in some scenarios, the MME 606 may generate EPS NAS messages for transmitting to the UE 604 and may receive a new mapped EPS security context while the transmitting of one or more of the generated EPS NAS messages is pending. In such examples, the MME 606 may be configured to discard the pending EPS NAS messages that are integrity protected using the older mapped EPS security context.
  • the MME 606 may transmit a context request message requesting mapped EPS security context.
  • the address included in the mapped EPS GUTI may correspond to an AMF (e.g., the AMF 608).
  • the address included in the mapped EPS GUTI of the first TAU request message 610 and the second TAU request message 670 may map to an MME.
  • the MME 606 may receive the second TAU request message 670 with the same information elements before transmitting the TAU accept message 662 to the UE 604. In some such examples, the MME 606 may forward the second TAU request message 670 to the AMF 608 (e.g., via the second context request message 674), as described above. In other examples, the MME 606 may perform authentication and activate a new native EPS security context to be used to protect 47 subsequent NAS messages to the UE 604. For example, the MME 606 may determine to perform the NAS SMC procedure 660 with the UE 604 so that the MME 606 and the UE 604 are using the same EPS keys (KASME) for performing integrity verification of EPS NAS messages.
  • KASME EPS keys
  • the MME 606 may receive the second TAU request message 670 with the same information elements after transmitting the TAU accept message 662 to the UE 604.
  • the MME 606 may determine to perform authentication and activate a new native EPS security context to be used to protect subsequent NAS messages to the UE 604.
  • the MME 606 may determine to perform the NAS SMC procedure 660 with the UE 604 so that the MME 606 and the UE 604 are using the same EPS keys (KASME) for performing integrity verification of EPS NAS messages.
  • KASME EPS keys
  • the MME 606 may receive the second TAU request message 670 with the same information elements after transmitting the TAU accept message 662 and before receiving the TAU complete message 666 from the UE 604. For aspects other than an inter-system change from an N1 mode to an SI mode in IDLE mode with the UE 604 operating in a single-registration mode, the MME 606 may resend the TAU accept message 662. In some such examples, the MME 606 may restart a timer (e g., a T3450 timer) if the TAU complete message 666 is expected.
  • a timer e g., a T3450 timer
  • the MME 606 may initiate an authentication procedure with the UE 604 followed by performing a security mode control procedure (e g., the NAS SMC procedure 660) to attempt to take a new partial native EPS security context into use. If the new partial native EPS security context is taken into use successfully, the MME 606 may set the new partial native EPS security context as a full native EPS security context. The MME 606 may also resend the TAU accept message 662 and integrity protect the resending of the TAU accept message 662 using the (new) full native EPS security context. In some examples, the MME 606 may also restart the T3450 timer. In such examples, a retransmission counter related to the T3450 timer may not be incremented.
  • a security mode control procedure e g., the NAS SMC procedure 660
  • the MME 606 may receive the first TAU request message 610 and the second TAU request message 670 and may not yet have sent the TAU accept message 662 or a TAU reject message. If one or more of the information elements in the first TAU request message 610 and the second TAU request message 670 is 48 different, the TAU procedure initiated based on the first TAU request message 610 may be aborted and a new TAU procedure initiated based on the second TAU request message 670 may progress (e.g., may proceed).
  • the MME 606 may continue with the previously initiated TAU procedure (e.g., based on the first TAU request message 610) and discard the second TAU request message 670. That is, the MME 606 may refrain from transmitting the second context request message 674 to the AMF 608 requesting new mapped EPS security context based on the second TAU request message 670.
  • the MME 606 may forward a new TAU request message to the AMF 608 (e.g., through another context request message) to run an integrity check and to obtain the latest mapped EPS security context and to continue with the previous TAU procedure.
  • the MME 606 may forward the second TAU request message 670 to the AMF 608 (e.g., through the second context request message 674).
  • the integrity check may be based on an integrity key, an uplink count, a direction of the transmission (e.g., a 1- bit indicator indicating the downlink direction of the downlink transmission), and the payload of the downlink transmission.
  • the AMF 608 may verify the second TAU request message 670 (e.g., at 632).
  • the AMF 608 may then generate a new mapped EPS security context based on the second TAU request message 670.
  • the new mapped EPS security context may be based, at least in part, on the 5G NAS Uplink count (e.g., the value six) associated with the second TAU request message 670.
  • the mapped EPS security context 636 provided to the MME 606 including the new MME EPS key may be the same as the new UE mapped EPS security context 682 including the newUE EPS key (K A SME’_UE2).
  • the MME 606 uses the new MME EPS key (e.g., K A SME’_MME) to integrity protect subsequent NAS messages (e.g., the TAU accept message 662)
  • the UE 604 may successfully perform the integrity verification, at 664, on the subsequently received NAS messages (e.g., the TAU accept message 662).
  • the UE 604 may update, at 684, the security context of the UE 604 from 49 the mapped EPS security context 642 to the new UE mapped EPS security context 682 based on the deriving of the new UE mapped EPS security context 682 (e.g., at 680).
  • the MME 606 may determine to initiate an authentication procedure followed by a security mode control procedure to take the new partial native EPS security context into use. If the new partial native EPS security context is taken into use successfully (e.g., the NAS SMC procedure 660 is successful), then the MME 606 may set the new partial native EPS security context to the full native EPS security context and the full native EPS security may be used to protect any future NAS messages sent to the UE 604, such as the TAU accept message 662.
  • the UE 604 when the UE 604 transmits the first TAU request message 610 and the second TAU request message 670, the UE 604 integrity protects the respective TAU request message using a respective 5G NAS Uplink count.
  • disclosed techniques may remove inconsistencies by modifying how the UE 604 performs the integrity protection of TAU request messages.
  • the UE 604 may be configured to use the same 5G NAS Uplink count value when transmitting two consecutive TAU request messages, such as the first TAU request message 610 and a repetition of the first TAU request message (e.g., the second TAU request message 670).
  • the UE 604 may skip incrementing, at 618, the 5G uplink NAS count of the 5G security context 690 by one
  • the first TAU request message 610 and the second TAU request message 670 may be integrity protected using the same 5G NAS Uplink COUNT value.
  • the mapped EPS security context 636 generated by the AMF 608 e.g., at 634
  • the new UE mapped EPS security context 682 generated by the UE 604 e.g., at 680
  • integrity verification performed on subsequent NAS messages received at the UE 604 may be successful and communication between the UE 604 and a cell associated with the EPS network 607 may continue successfully.
  • the UE 604 may update, at 684, the security context of the UE 604 from the UE mapped EPS security context 642 to the new UE mapped EPS security 50 context 682 based on the deriving of the new UE mapped EPS security context 682 (e.g., at 680).
  • the respective TAU request messages contain the same content (e.g., the same information elements) and are each integrity protected using the same 5G NAS Uplink COUNT value.
  • the MME 606 may discard the second TAU request message 670 and continue the TAU procedure based on the first TAU request message 610.
  • the MME 606 may use the second TAU request message 670 to perform the TAU procedure of FIG. 6 (e.g., to request the mapped EPS security context from the AMF 608).
  • the mapped EPS keys KASME’_MME, KASME’_UE2 are the same and, thus, communication between the UE 604 and a cell associated with the EPS network 607 may continue successfully.
  • disclosed techniques may remove inconsistencies in the handling of repetitions of TAU request messages by modifying how the UE 604 performs integrity verification of EPS NAS messages. For example, the UE 604 may attempt to perform the integrity verification (e.g., at 664) based on different EPS keys.
  • the UE 604 may derive a first EPS key (KASME’ 1) of the UE mapped EPS security context 642 based on the 5G key (KAMF) and the 5G NAS Uplink count associated with the first TAU request message 610 (e.g., the value five).
  • KASME first EPS key
  • KAMF 5G key
  • NAS_IK1 first NAS integrity key
  • the UE 604 may also derive a second EPS key (KASME’ 2) of the new UE mapped EPS security context 682 based on the 5G key (KAMF) and the 5G NAS Uplink count associated with the second TAU request message 670 (e.g., the value six).
  • KASME second EPS key
  • the UE 604 may then derive a second NAS integrity key (NAS_IK2) from the second EPS key (KASME’ 2).
  • the UE 604 may attempt to perform integrity 51 verification (e.g., at 664) using the NAS integrity keys (e.g., the NAS_IK1 and the NAS_D 2). If one of the NAS integrity keys allows the integrity verification to pass, the UE 604 selects the respective NAS integrity key and proceeds to communicate with a cell associated with the EP S network 607 based on the respective NAS integrity key.
  • the NAS integrity keys e.g., the NAS_IK1 and the NAS_D 2
  • the UE 604 may set the first EPS key (KASME’ 1) as the EPS key (KASME) The UE 604 may also erase the second EPS key (KASME’2) and any other keys derived from the second EPS key (KASME’2). Similarly, if the integrity verification is successful using the second NAS integrity key (NAS_IK2), the UE 604 may set the second EPS key (KASME’2) as the EPS key (KASME) ⁇ The UE 604 may also erase the first EPS key (KASME’ I) and any other keys derived from the first EPS key (KASME’ I). If performing the integrity verification fails using both of the NAS integrity keys (NAS_IK1, NAS_IK2) (e.g., neither of the NAS integrity keys successfully performed integrity verification), then the UE 604 may drop the EPS NAS message.
  • NAS_IK1 e.g., neither of the NAS integrity keys successfully performed integrity verification
  • NAS Uplink COUNT values there may be z possible NAS Uplink COUNT values (e.g., x, x+1, x+2, ... z). If the integrity verification is successfully completed using a NAS integrity key (NAS_IK_y) derived from a y EPS key (KASME’Y) using a 5GNAS Uplink COUNT y, where y is one of the possible z NAS Uplink COUNT values (e.g., x, x+1, x+2, ... z), then the UE 604 may set the y EPS key (KASME’ y) as the EPS key (KASME) and erase all other EPS keys (K A SME’) and their respectively derived keys.
  • NAS_IK_y derived from a y EPS key (KASME’Y) using a 5GNAS Uplink COUNT y, where y is one of the possible z NAS Uplink COUNT values (e.g., x, x+1
  • FIG. 7 is a flowchart 700 of a method of wireless communication.
  • the method may be performed by a UE (e.g., the UE 104, the UE 350, the UE 404, and/or an apparatus 1104 of FIG. 11).
  • the method may facilitate improving communication performance by improving security handling of first cell to second cell reselection in examples including RLF and retransmission of TAU request messages.
  • the UE transmits, to a first network entity, a first TAU request, as described in connection with the first TAU request message 610 of FIG. 6.
  • the first TAU request may be encoded using a first security context associated with a first RAT, such as the 5G security context 690 of FIG. 6.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context, such as the 5G uplink NAS count 528 of FIG. 5.
  • the first TAU request may include a first set of 52 information including an identifier mapped to a second RAT associated with the first network entity, such as the mapped EPS GUTI 612 of FIG. 6.
  • the transmitting of the first TAU request, at 702 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE may transmit the first TAU request when performing a change from a first cell associated with the first RAT to connect to a second cell associated with the second RAT.
  • the UE may transmit the first TAU request when performing a 5GS to EPS reselection.
  • the second RAT may be different than the first RAT and the first network entity may be associated with the second RAT, as described in connection with the MME 606, the EPS network 607 and the 5G network 609 of FIG. 6.
  • the UE transmits, to the first network entity, a second TAU request, as described in connection with the second TAU request message 670 of FIG. 6.
  • the second TAU request may include the first set of information, as described in connection with the mapped EPS GUTI 612, the NAS-MAC 614, and the eKSI parameter 616 of FIG. 6.
  • the second TAU request may be integrity protected using a second uplink count.
  • the transmitting of the second TAU request, at 704 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11
  • the UE derives a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count, as described in connection with the UE mapped EPS security context 642 and/or the new UE mapped EPS security context 682 of FIG. 6.
  • the deriving of the mapped security context, at 706, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE communicates with the first network entity based on the mapped security context, as described in connection with the TAU complete message 666 of FIG. 6.
  • the communicating based on the mapped security context, at 714, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11
  • FIG. 8 is a flowchart 800 of a method of wireless communication.
  • the method may be performed by a UE (e.g., the UE 104, the UE 350, the UE 404, and/or an apparatus 1104 of FIG. 11).
  • the method may facilitate improving communication performance 53 by improving security handling of first cell to second cell reselection in examples including RLF and retransmission of TAU request messages.
  • the UE transmits, to a first network entity, a first TAU request, as described in connection with the first TAU request message 610 of FIG. 6.
  • the first TAU request may be encoded using a first security context associated with a first RAT, such as the 5G security context 690 of FIG. 6.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context, such as the 5G uplink NAS count 528 of FIG. 5.
  • the first TAU request may include a first set of information including an identifier mapped to a second RAT associated with the first network entity, such as the mapped EPS GUTI 612 of FIG. 6.
  • the transmitting of the first TAU request, at 802 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE may transmit the first TAU request when performing a change from a first cell associated with the first RAT to connect to a second cell associated with the second RAT.
  • the UE may transmit the first TAU request when performing a 5GS to EPS reselection.
  • the second RAT may be different than the first RAT and the first network entity may be associated with the second RAT, as described in connection with the MME 606, the EPS network 607 and the 5G network 609 of FIG. 6.
  • the UE transmits, to the first network entity, a second TAU request, as described in connection with the second TAU request message 670 of FIG. 6.
  • the second TAU request may include the first set of information, as described in connection with the mapped EPS GUTI 612, the NAS-MAC 614, and the eKSI parameter 616 of FIG. 6.
  • the second TAU request may be integrity protected using a second uplink count.
  • the transmitting of the second TAU request, at 804 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11
  • the UE derives a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count, as described in connection with the UE mapped EPS security context 642 and/or the new UE mapped EPS security context 682 of FIG. 6.
  • the deriving of the mapped security context, at 806, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11. 54
  • the UE communicates with the first network entity based on the mapped security context, as described in connection with the TAU complete message 666 of FIG. 6.
  • the communicating based on the mapped security context, at 814, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11
  • the second TAU request may include a repetition of the first TAU request and the second uplink count may be a same value as the first uplink count, as described in connection with the second aspect of FIG. 6 in which the UE 604 removes inconsistencies in repetitions of TAU requests by modifying how the UE 604 performs integrity protection of TAU request messages.
  • the UE may transmit the second TAU request based on an occurrence of a radio link failure.
  • the mapped security context may be associated with the second RAT.
  • the mapped security context may be associated with the UE mapped EPS security context 642 or the new UE mapped EPS security context 682 of FIG. 6.
  • the second TAU request may include a repetition of the first TAU request and the second uplink count, at 804, may be different than the first uplink count and the mapped security context may be a first mapped security context, as described in connection with the UE mapped EPS security context 642 of FIG. 6.
  • the UE may derive, at 808, a second mapped security context based on the first security context and the first uplink count, as described in connection with the new UE mapped EPS security context 682 of FIG. 6.
  • the UE may encode the second TAU request using the first security context and the second TAU request may be integrity protected using the second uplink count.
  • the first TAU request may be integrity protected using an uplink NAS count value of five and the second TAU request may be integrity protected using an uplink NAS count value of six.
  • the deriving of the second mapped security context, at 808, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE may update, based on deriving the first mapped security context, a security context of the UE from the second mapped security context to the first mapped security context, as described in connection with 684 of FIG. 6.
  • the updating of the security context of the UE, at 810, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11. 55
  • the UE may discard after updating the security context of the UE, pending transmissions that are integrity protected using the second mapped security context.
  • the discarding of the pending transmissions, at 812, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • FIG. 9 is a flowchart 900 of a method of wireless communication.
  • the method may be performed by a UE (e.g., the UE 104, the UE 350, the UE 404, and/or an apparatus 1104 of FIG 11).
  • the method may facilitate improving communication performance by improving security handling of first cell to second cell reselection in examples including RLF and retransmission of TAU request messages.
  • the UE transmits, to a first network entity, a first TAU request when performing a change from a first cell associated with a first RAT to connect to a second cell associated with a second RAT different than the first RAT, as described in connection with the first TAU request message 610 of FIG. 6.
  • the first network entity may be associated with the second RAT, as described in connection with the MME 606 and the EPS network 607 of FIG. 7.
  • the first TAU request may be encoded using a first security context associated with the first RAT, such as the g security context 690 of FIG. 6.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context.
  • the transmitting of the first TAU request, at 902, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE derives a first integrity key based on the first security context, the first uplink count, and the first mapped security context, as described in connection with the first NAS integrity key (NAS_IK1). For example, the UE may derive a first EPS key (KASME’ I) of the UE mapped EPS security context 642 based on the 5G key (KAMF) and the 5G NAS Uplink count (e.g., the value five) associated with the first TAU request message 610.
  • KASME’ I first EPS key of the UE mapped EPS security context 642 based on the 5G key (KAMF) and the 5G NAS Uplink count (e.g., the value five) associated with the first TAU request message 610.
  • the UE may then derive a first NAS integrity key (NAS_IK1) from the first EPS key (KASME’ I) ⁇
  • the deriving of the first integrity key at 904, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE transmits, to the first network entity, a repetition of the first TAU request, as described in connection with the second TAU request message 670 of FIG. 6.
  • the repetition of the first TAU request may be integrity protected using a second uplink count different than the first uplink count.
  • the first TAU request may be integrity protected using an uplink NAS count value of five and the second 56
  • TAU request may be integrity protected using an uplink NAS count value of six.
  • the transmitting of the repetition of the first TAU request, at 906, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE derives a second integrity key based on the first security context, the second uplink count, and a second mapped security context, as described in connection with the second NAS integrity key (NAS_D 2) from the second EPS key (KASME’2)
  • the UE may derive a second EPS key (KASME’2) of the new UE mapped EPS security context 682 based on the 5G key (KAMF) and the 5G NAS Uplink COUNT value (e.g., six) associated with the associated with the second TAU request message 670.
  • the UE may then derive a second NAS integrity key (NAS_IK2) from the second EPS key (KASME’2).
  • the deriving of the second integrity key, at 908, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE receives, from the first network entity, a downlink transmission, as described in connection with the TAU accept message 662 of FIG. 6.
  • the receiving of the downlink transmission, at 910, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE performs an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key, as described in connection with 664 of FIG. 6.
  • the performing of the integrity check, at 912, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11
  • the UE sets a master security key of the UE when the integrity check on the downlink transmission is successful using a derived integrity key.
  • the master security key may be set based on the respective integrity key used to successfully perform the integrity check.
  • the setting of the master security key, at 914, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • FIG. 10 is a flowchart 1000 of a method of wireless communication.
  • the method may be performed by a UE (e.g., the UE 104, the UE 350, the UE 404, and/or an apparatus 1104 of FIG. 11).
  • the method may facilitate improving communication performance by improving security handling of first cell to second cell reselection in examples including RLF and retransmission of TAU request messages.
  • the UE transmits, to a first network entity, a first TAU request when performing a change from a first cell associated with a first RAT to connect to a 57 second cell associated with a second RAT different than the first RAT, as described in connection with the first TAU request message 610 of FIG. 6.
  • the first network entity may be associated with the second RAT, as described in connection with the MME 606 and the EPS network 607 of FIG. 7.
  • the first TAU request may be encoded using a first security context associated with the first RAT, such as the g security context 690 of FIG. 6.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context.
  • the transmitting of the first TAU request, at 1002, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE may derive, at 1004, a first mapped security context based on the first security context and the first uplink count, as described in connection with the UE mapped EPS security context 642 of FIG. 6.
  • the deriving of the first mapped security context, at 1004, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE derives a first integrity key based on the first security context, the first uplink count, and the first mapped security context, as described in connection with the first NAS integrity key (NAS_IK1). For example, the UE may derive a first EPS key (K A SME’ 1) of the UE mapped EPS security context 642 based on the 5G key (KAMF) and the 5G NAS Uplink count (e g., the value five) associated with the first TAU request message 610. The UE may then derive a first NAS integrity key (NAS_IK1) from the first EPS key (K AS E ’l). The deriving of the first integrity key, at 1006, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE transmits, to the first network entity, a repetition of the first TAU request, as described in connection with the second TAU request message 670 of FIG. 6.
  • the repetition of the first TAU request may be integrity protected using a second uplink count different than the first uplink count.
  • the first TAU request may be integrity protected using an uplink NAS count value of five and the second TAU request may be integrity protected using an uplink NAS count value of six.
  • the transmitting of the repetition of the first TAU request, at 1008, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE derives a second integrity key based on the first security context, the second uplink count, and a second mapped security context, as described in connection with the second NAS integrity key (NAS_D 2) from the second EPS key 58
  • the UE may derive a second EPS key (KASME’2) of the new UE mapped EPS security context 682 based on the 5G key (KAMF) and the 5G NAS Uplink COUNT value (e.g., six) associated with the associated with the second TAU request message 670.
  • the UE may then derive a second NAS integrity key (NAS IK2) from the second EPS key (KASME’2).
  • the deriving of the second integrity key, at 1010 may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11
  • the UE receives, from the first network entity, a downlink transmission, as described in connection with the TAU accept message 662 of FIG. 6.
  • the receiving of the downlink transmission, at 1012, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE performs an integrity check on the downlink transmission using at least one of the first integrity key and the second integrity key, as described in connection with 664 of FIG. 6.
  • the performing of the integrity check, at 1014, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE sets a master security key of the UE when the integrity check on the downlink transmission is successful using a derived integrity key.
  • the master security key may be set based on the respective integrity key used to successfully perform the integrity check.
  • the setting of the master security key, at 1016, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE may then discard information related to the other derived integrity keys after setting the master security key. For example, the UE may set, at 1016, the master security key to the first mapped security context. In such examples, the UE may erase, at 1018, the second mapped security context and any keys derived using the second mapped security context when the integrity check on the downlink transmission is successful using the first integrity key. The erasing of the second mapped security context, at 1018, may be performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11.
  • the UE may set, at 1016, the master security key to the second mapped security context.
  • the UE may erase, at 1020, the first mapped security context and any keys derived using the first mapped security context when the integrity check on the downlink transmission is successful using the second integrity key.
  • the erasing of the first mapped security context, at 1020, may be 59 performed by the UE security handling component 198 of the apparatus 1104 of FIG. 11
  • FIG. 11 is a diagram 1100 illustrating an example of a hardware implementation for an apparatus 1104.
  • the apparatus 1104 may be a UE, a component of a UE, or may implement UE functionality.
  • the apparatus 1104 may include a cellular baseband processor 1124 (also referred to as a modem) coupled to one or more transceivers (e g., a cellular RF transceiver 1122).
  • the cellular baseband processor 1124 may include on-chip memory 1124'.
  • the apparatus 1104 may further include one or more subscriber identity modules (SIM) cards 1120 and an application processor 1106 coupled to a secure digital (SD) card 1108 and a screen 1110.
  • SIM subscriber identity modules
  • SD secure digital
  • the application processor 1106 may include on-chip memory 1106'.
  • the apparatus 1104 may further include a Bluetooth module 1112, a WLAN module 1114, an SPS module 1116 (e.g., GNSS module), one or more sensor modules 1118 (e.g., barometric pressure sensor / altimeter; motion sensor such as inertial management unit (IMU), gyroscope, and/or accelerometer(s); light detection and ranging (LIDAR), radio assisted detection and ranging (RADAR), sound navigation and ranging (SONAR), magnetometer, audio and/or other technologies used for positioning), additional memory modules 1126, a power supply 1130, and or a camera 1132.
  • a Bluetooth module 1112 e.g., a WLAN module 1114
  • an SPS module 1116 e.g., GNSS module
  • sensor modules 1118 e.g., barometric pressure sensor / altimeter; motion sensor such as inertial management unit (IMU), gyroscope, and/or
  • the Bluetooth module 1112, the WLAN module 1114, and the SPS module 1116 may include an on-chip transceiver (TRX) (or in some cases, just a receiver (RX)).
  • TRX on-chip transceiver
  • the Bluetooth module 1112, the WLAN module 1114, and the SPS module 1116 may include their own dedicated antennas and/or utilize one or more antennas 1180 for communication.
  • the cellular baseband processor 1124 communicates through transceiver(s) (e.g., the cellular RF transceiver 1122) via one or more antennas 1180 with the UE 104 and/or with an RU associated with a network entity 1102.
  • the cellular baseband processor 1124 and the application processor 1106 may each include a computer-readable medium / memory, such as the on-chip memory 1124', and the on-chip memory 1106', respectively.
  • the additional memory modules 1126 may also be considered a computer-readable medium / memory.
  • Each computer-readable medium / memory e.g., the on-chip memory 1124', the on-chip memory 1106', and/or the additional memory modules 1126
  • the cellular baseband processor 1124 and the application processor 1106 are each responsible for general processing, including the execution of software stored on the computer-readable medium / memory.
  • the software when executed by the cellular 60 baseband processor 1124 / application processor 1106, causes the cellular baseband processor 1124 / application processor 1106 to perform the various functions described supra.
  • the computer-readable medium / memory may also be used for storing data that is manipulated by the cellular baseband processor 1124 / application processor 1106 when executing software.
  • the cellular baseband processor 1124 / application processor 1106 may be a component of the UE 350 and may include the memory 360 and/or at least one of the TX processor 368, the RX processor 356, and the controller/processor 359.
  • the apparatus 1104 may be a processor chip (modem and/or application) and include just the cellular baseband processor 1124 and/or the application processor 1106, and in another configuration, the apparatus 1104 may be the entire UE (e g., see the UE 350 of FIG. 3) and include the additional modules of the apparatus 1104.
  • the apparatus 1104 may be a processor chip (modem and/or application) and include just the cellular baseband processor 1124 and/or the application processor 1106, and in another configuration, the apparatus 1104 may be the entire UE (e g., see the UE 350 of FIG. 3) and include the additional modules of the apparatus 1104.
  • the UE security handling component 198 is configured to: transmit, to a first network entity, a first tracking area update (TAU) request, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity; transmit, to the first network entity, a second TAU request, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count; derive a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count; and communicate with the first network entity based on the mapped security context.
  • TAU tracking area update
  • RAT radio access technology
  • the UE security handling component 198 may be configured to: transmit, to a first network entity, a first tracking area update (TAU) request when performing a change from a first cell associated with a first radio access technology (RAT) to connect to a second cell associated with a second RAT different than the first RAT, the first network entity associated with the second RAT, the first TAU request encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context; derive a first integrity key based on the first security context, the first uplink count, and a first mapped security context; transmit, to the first network entity, a repetition of the first TAU request, the repetition of the first TAU request being 61 integrity protected using a second uplink count that is different than the first uplink count; derive a second integrity key based on the first security context, the second uplink count, and a second mapped security context; receive, from the first network entity, a first tracking area update (T
  • the UE security handling component 198 may be within the cellular baseband processor 1124, the application processor 1106, or both the cellular baseband processor 1124 and the application processor 1106.
  • the UE security handling component may be one or more hardware components specifically configured to cariy out the stated processes/algorithm, implemented by one or more processors configured to perform the stated processes/algorithm, stored within a computer- readable medium for implementation by one or more processors, or some combination thereof.
  • the apparatus 1104 may include a variety of components configured for various functions.
  • the UE security handling component may include one or more hardware components that perform each of the blocks of the algorithm in the flowcharts of FIG. 7, FIG. 8, FIG. 9, and/or FIG. 10.
  • the apparatus 1104 includes means for transmitting, to a first network entity, a first tracking area update (TAU) request, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity; transmitting, to the first network entity, a second TAU request, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count; deriving a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count; and communicating with the first network entity based on the mapped security context.
  • TAU tracking area update
  • RAT radio access technology
  • the example apparatus 1104 also includes means for transmitting the first TAU request when performing a change from a first cell associated with the first RAT to connect to a second cell associated with the second RAT, the second RAT being different than the first RAT, the first network entity being associated with the second RAT.
  • the second TAU request includes a repetition of the first TAU request, and the second uplink count is a same value as the first uplink count
  • the example apparatus 1104 also includes means for transmitting the second TAU request based on an occurrence of a radio link failure.
  • the mapped security context is associated with the second RAT.
  • the second uplink count is different than the first uplink count and the mapped security context is a first mapped security context
  • the example apparatus 1104 also includes means for deriving a second mapped security context based on the first security context and the first uplink count, the second TAU request encoded using the first security context and being integrity protected using the second uplink count, the first mapped security context being derived based on the first security context and the second uplink count.
  • the example apparatus 1104 also includes means for updating, based on deriving the first mapped security context, a security context of the UE from the second mapped security context to the first mapped security context; and discarding, after updating the security context of the UE, pending transmissions that are integrity protected using the second mapped security context.
  • the second TAU request comprises a repetition of the first TAU request.
  • the apparatus 1104 includes means for transmitting, to a first network entity, a first tracking area update (TAU) request when performing a change from a first cell associated with a first radio access technology (RAT) to connect to a second cell associated with a second RAT different than the first RAT, the first network entity associated with the second RAT, the first TAU request encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context; deriving a first integrity key based on the first security context, the 63 first uplink count, and a first mapped security context; transmitting, to the first network entity, a repetition of the first TAU request, the repetition of the first TAU request being integrity protected using a second uplink count that is different than the first uplink count; deriving a second integrity key based on the first security context, the second uplink count, and
  • TAU tracking area update
  • the example apparatus 1104 also includes means for erasing the second mapped security context and any keys derived using the second mapped security context when the integrity check on the downlink transmission is successful using the first integrity key, where the master security key comprises the first mapped security context.
  • the example apparatus 1104 also includes means for erasing the first mapped security context and any keys derived using the first mapped security context when the integrity check on the downlink transmission is successful using the second integrity key, where the master security key comprises the second mapped security context.
  • the example apparatus 1104 also includes means for deriving the first mapped security context based on the first security context and the first uplink count.
  • the means may be the UE security handling component 198 of the apparatus 1104 configured to perform the functions recited by the means.
  • the apparatus 1104 may include the TX processor 368, the RX processor 356, and the controller/processor 359.
  • the means may be the TX processor 368, the RX processor 356, and/or the controller/processor 359 configured to perform the functions recited by the means.
  • FIG. 12 is a flowchart 1200 of a method of wireless communication.
  • the method may be performed by a first network entity (e.g., the base station 102, or a component of the base station 102, the MME 412, the AMF 432, a network entity 1602 of FIG. 16, and/or a network entity 1760 of FIG. 17).
  • the method may facilitate improving 64 communication performance by improving security handling of first cell to second cell reselection in examples including RLF and retransmission of TAU request messages.
  • the first network entity may be in communication with a UE and a second network entity.
  • the first network entity may include an MME, such as the MME 606 of FIG. 6, and a second network entity may include an AMF, such as the AMF 608 of FIG. 6.
  • the first network entity obtains a first TAU request generated by a UE, as described in connection with the first TAU request message 610 of FIG. 6.
  • the first TAU request may be encoded using a first security context associated with a first RAT, such as the 5G security context 690 of FIG. 6.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context, such as the 5G NAS uplink count associated with the first TAU request message 610.
  • the first TAU request may include a first set of information including an identifier mapped to a second RAT associated with the first network entity, as described in connection with the mapped EPS GUTI 612 of FIG. 6.
  • the obtaining of the first TAU request, at 1202 may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity outputs, based on the first TAU request, a first context request for a second network entity, as described in connection with the context request message 622 and the AMF 608 of FIG. 6.
  • the second network entity may be associated with the first RAT, such as the AMF 608 being associated with the 5G network 609.
  • the first context request may include the identifier mapped to the second RAT, such as the mapped EPS GUTI 612 of the first TAU request message 610 of FIG. 6.
  • the first TAU request may be integrity protected using the first uplink count.
  • the outputting of the first context request, at 1204, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity obtains, based on the first context request, a first mapped security context, as described in connection with the mapped EPS security context 636 of FIG. 6.
  • the first mapped security context may be derived from the first security context and the first uplink count.
  • the obtaining of the first mapped security 65 context, at 1206, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity obtains a second TAU request, as described in connection with the second TAU request message 670 of FIG. 6.
  • the second TAU request may be encoded using the first security context.
  • the second TAU request may be integrity protected using a second uplink count that is different than the first uplink count.
  • the first TAU request may be integrity protected using an uplink NAS count value of five and the second TAU request may be integrity protected using an uplink NAS count value of six.
  • the second TAU request may include the first set of information, as described in connection with the mapped EPS GUTI 612, theNAS- MAC 614, and the eKSI parameter 616 of FIG. 6.
  • the second TAU request may include a repetition of the first TAU request.
  • the obtaining of the second TAU request, at 1208, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity outputs, based on the second TAU request, a second context request for the second network entity, as described in connection with the second context request message 674 of FIG. 6.
  • the outputting of the second context request, at 1210, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity obtains, based on the second context request, a second mapped security context, the second mapped security context derived from the first security context and the second uplink count. Aspects of the obtaining the second mapped security context may be similar to obtaining the first mapped security context, as described in connection with the mapped EPS security context 636 of FIG. 6.
  • the obtaining of the second mapped security context, at 1212, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity outputs a downlink message based on the second mapped security context, as described in connection with the TAU accept message 66 by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • FIG. 13 is a flowchart 1300 of a method of wireless communication.
  • the method may be performed by a first network entity (e.g., the base station 102, or a component of the base station 102, the MME 412, the AMF 432, a network entity 1602 of FIG. 16, and/or a network entity 1760 of FIG. 17).
  • the method may facilitate improving communication performance by improving security handling of first cell to second cell reselection in examples including RLF and retransmission of TAU request messages.
  • the first network entity may be in communication with a UE and a second network entity.
  • the first network entity may include an MME, such as the MME 606 of FIG. 6, and a second network entity may include an AMF, such as the AMF 608 of FIG 6.
  • the first network entity obtains a first TAU request generated by a UE, as described in connection with the first TAU request message 610 of FIG. 6.
  • the first TAU request may be encoded using a first security context associated with a first RAT, such as the 5G security context 690 of FIG. 6.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context, such as the 5G NAS uplink count associated with the first TAU request message 610.
  • the first TAU request may include a first set of information including an identifier mapped to a second RAT associated with the first network entity, as described in connection with the mapped EPS GUTI 612 of FIG. 6.
  • the obtaining of the first TAU request, at 1302, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity may derive, at 1304, an address of the second network entity based on the identifier mapped to the second RAT, as described in connection with 620 of FIG. 6.
  • the deriving of the address of the second network entity, at 1304, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity outputs, based on the first TAU request, a first context request for a second network entity, as described in connection with the context 67 request message 622 and the AMF 608 of FIG. 6.
  • the second network entity may be associated with the first RAT, such as the AMF 608 being associated with the 5G network 609.
  • the first context request may include the identifier mapped to the second RAT, such as the mapped EPS GUTI 612 of the first TAU request message 610 of FIG. 6.
  • the first TAU request may be integrity protected using the first uplink count.
  • the outputting of the first context request, at 1306, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity obtains, based on the first context request, a first mapped security context, as described in connection with the mapped EPS security context 636 of FIG. 6.
  • the first mapped security context may be derived from the first security context and the first uplink count.
  • the obtaining of the first mapped security context, at 1308, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity obtains a second TAU request, as described in connection with the second TAU request message 670 of FIG. 6.
  • the second TAU request may be encoded using the first security context.
  • the second TAU request may be integrity protected using a second uplink count that is different than the first uplink count.
  • the first TAU request may be integrity protected using an uplink NAS count value of five and the second TAU request may be integrity protected using an uplink NAS count value of six.
  • the second TAU request may include the first set of information, as described in connection with the mapped EPS GUTI 612, theNAS- MAC 614, and the eKSI parameter 616 of FIG. 6.
  • the second TAU request may include a repetition of the first TAU request.
  • the obtaining of the second TAU request, at 1310, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity outputs, based on the second TAU request, a second context request for the second network entity, as described in connection with the second context request message 674 of FIG. 6.
  • the outputting of the second context request, at 1312, may be performed by the network security handling component 199 68 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity obtains, based on the second context request, a second mapped security context, the second mapped security context derived from the first security context and the second uplink count. Aspects of the obtaining the second mapped security context may be similar to obtaining the first mapped security context, as described in connection with the mapped EPS security context 636 of FIG 6.
  • the obtaining of the second mapped security context may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity outputs a downlink message based on the second mapped security context, as described in connection with the TAU accept message 662 of FIG. 6.
  • the outputting of the downlink message, at 1316, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity may update, based on obtaining the second mapped security context, a security context of the first network entity from the first mapped security context to the second mapped security context.
  • the updating of the security context of the first network entity, at 1318, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity may discard, after updating the security context of the first network entity, pending downlink transmissions that are integrity protected using the first mapped security context.
  • the discarding of pending downlink transmissions, at 1320 may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the first network entity may obtain the second TAU request message, at 1310, with the same information elements after outputting the downlink message, at 1316, and before obtaining an uplink message in response to the downlink message.
  • the first network entity may obtain the second TAU request 69 message after outputting the TAU accept message 662 and before obtaining the TAU complete message 666.
  • the first network entity may resend the downlink message.
  • the first network entity may restart a T3450 timer when a TAU complete message is expected from the UE, such as the TAU complete message 666 of FIG. 6.
  • the first network entity may also skip incrementing a retransmission counter related to the T3450 timer.
  • the first network entity may initiate an authentication procedure with the UE.
  • the first network entity may also perform a security mode control procedure to transition a new partial native EPS security context to a current full native EPS security context.
  • the first network entity may perform the NAS SMC procedure 660 with the UE to transition a partial native EPS security context to a full native EPS security context to facilitate communicating EPS NAS messages with the UE.
  • the first network entity may output a downlink message repetition, the downlink message repetition being integrity protected using the current full native EPS security context.
  • the first network entity may also restart a T3450 timer when a TAU complete message is expected from the UE, such as the TAU complete message 666 of FIG. 6.
  • the first network entity may also skip incrementing a retransmission counter related to the T3450 timer.
  • the first network entity may skip initiating of a TAU procedure based on the second TAU request.
  • the first network entity may also integrity protect the downlink messaged based on the first mapped security context.
  • the first network entity may determine to initiate a second TAU procedure. For example, the first network entity may output the second context request to the second network entity, at 1312. The first network entity may also integrity protect the downlink message based on the second mapped security context
  • the first network entity may receive the TAU request messages and may not yet have sent the TAU accept message or a TAU reject message. If one or more of the information elements in the TAU request messages differs, the TAU procedure initiated based on the first TAU request message may be aborted and the TAU procedure initiated based on the second TAU request message may progress (e.g., may proceed).
  • the first network entity may continue with the previously initiated TAU procedure (e.g., based on the first TAU request message) and discard the second TAU request message. That is, the first network entity may refrain from transmitting the second context request message to the second network entity requesting new mapped EPS security context based on the second TAU request message.
  • the first network entity may forward a new TAU request message to the second network entity (e.g., through another context request message) to run an integrity check and to obtain the latest mapped EPS security context and to continue with the previous TAU procedure.
  • the first network entity may forward the second TAU request message to the second network entity (e.g., through the second context request message).
  • the second network entity may verify the second TAU request message.
  • the second network entity may then generate a new mapped EPS security context based on second TAU request message.
  • the new mapped EPS security context may be based, at least in part, on the 5G NAS Uplink COUNT value (e.g., six) associated with the second TAU request message.
  • the mapped EPS security context provided to the first network entity including the newMME EPS key 71 may be based, at least in part, on the 5G NAS Uplink COUNT value (e.g., six) associated with the second TAU request message.
  • KASME’_MME KASME’_MME
  • K A SME’_EE2 new UE EPS key
  • the UE may successfully perform the integrity verification on the subsequently received NAS messages (e.g., the TAU accept message).
  • the UE may update the security context of the UE from the mapped EPS security context to the new mapped EPS security context based on the deriving of the new mapped EPS security context.
  • FIG. 14 is a flowchart 1400 of a method of wireless communication.
  • the method may be performed by a second network entity (e.g., the base station 102, or a component of the base station 102, the MME 412, the AMF 432, a network entity 1602 of FIG. 16, and/or a network entity 1760 of FIG. 17).
  • the method may facilitate improving communication performance by improving security handling of first cell to second cell reselection in examples including RLF and retransmission of TAU request messages.
  • the second network entity may be in communication with a first network entity.
  • the first network entity may include an MME, such as the MME 606 of FIG. 6, and a second network entity may include an AMF, such as the AMF 608 of FIG. 6.
  • the second network entity obtains a first context request, the first context request including at least a first TAU request generated by a UE, as described in connection with the context request message 622 of FIG. 6.
  • the first TAU request may be encoded using a first security context associated with a first RAT, such as the 5G security context 690 of FIG. 6.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context, such as the 5G NAS uplink count associated with the first TAU request message 610.
  • the first RAT may be different than a second RAT associated with a first network entity.
  • the first RAT may correspond to the 5G network 609 and the second RAT associated with the first network entity may correspond to the EPS network 607 associated with the MME 606 of FIG. 6.
  • the obtaining of the first context request, at 1402 may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17. 72
  • the second network entity derives a first mapped security context when a first integrity check on the first TAU request is successful, as described in connection with 632, 634, and the mapped EPS security context 636 of FIG. 6.
  • the deriving of the first mapped security context, at 1404, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity outputs the first mapped security context for the first network entity, as described in connection with the mapped EPS security context 636 and the context response message 638 of FIG. 6.
  • the outputting of the first mapped security context, at 1406, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity obtains a second context request, the second context request including at least a second TAU request generated by the UE, as described in connection with the second context request message 674 including a TAU request of FIG. 6.
  • the second TAU request may be integrity protected using a second uplink count different than the first uplink count.
  • the first TAU request may be integrity protected using an uplink NAS count value of five and the second TAU request may be integrity protected using an uplink NAS count value of six.
  • the obtaining of the second context request, at 1408, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity derives a second mapped security context when a second integrity check on the second TAU request is successful. Aspects of deriving the second mapped security context may be similar to the deriving of the first mapped security context, as described in connection with 632, 634, and the mapped EPS security context 636 of FIG. 6.
  • the deriving of the second mapped security context, at 1410 may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity outputs the second mapped security context for the first network entity. Aspects of outputting the second mapped security context may be similar to outputting the first mapped security context, as described in 73 connection with the mapped EPS security context 636 and the context response message 638 ofFIG. 6.
  • the outputting of the second mapped security context, at 1412, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 ofFIG. 17.
  • FIG. 15 is a flowchart 1500 of a method of wireless communication.
  • the method may be performed by a second network entity (e g., the base station 102, or a component of the base station 102, the MME 412, the AMF 432, a network entity 1602 of FIG. 16, and/or a network entity 1760 of FIG. 17).
  • the method may facilitate improving communication performance by improving security handling of first cell to second cell reselection in examples including RLF and retransmission of TAU request messages.
  • the second network entity may be in communication with a first network entity.
  • the first network entity may include an MME, such as the MME 606 ofFIG. 6, and a second network entity may include an AMF, such as the AMF 608 of FIG. 6.
  • the second network entity obtains a first context request, the first context request including at least a first TAU request generated by a UE, as described in connection with the context request message 622 of FIG. 6.
  • the first TAU request may be encoded using a first security context associated with a first RAT, such as the 5G security context 690 ofFIG. 6.
  • the first TAU request may be integrity protected using a first uplink count based on the first security context, such as the 5G NAS uplink count associated with the first TAU request message 610.
  • the first RAT may be different than a second RAT associated with a first network entity.
  • the first RAT may correspond to the 5G network 609 and the second RAT associated with the first network entity may correspond to the EPS network 607 associated with the MME 606 of FIG. 6.
  • the obtaining of the first context request, at 1502 may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 ofFIG. 17.
  • the first context request may further include an identifier mapped to the second RAT, such as the example mapped EPS GUTI 612 ofFIG. 6.
  • the second network entity derives a first mapped security context when a first integrity check on the first TAU request is successful, as described in connection 74 with 632, 634, and the mapped EPS security context 636 of FIG. 6.
  • the deriving of the first mapped security context, at 1504, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity may perform the first integrity check on the first TAU request based on the first security context, as described in connection with 632 and the 5G NAS security context 692 of FIG 6.
  • the second network entity outputs the first mapped security context for the first network entity, as described in connection with the mapped EPS security context 636 and the context response message 638 of FIG. 6.
  • the outputting of the first mapped security context, at 1506, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity may initiate a timer after transmitting the first mapped security context.
  • the initiating of the timer, at 1508, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity may erase the first mapped security context after the timer expires.
  • the erasing of the first mapped security context, at 1510 may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity obtains a second context request, the second context request including at least a second TAU request generated by the UE, as described in connection with the second context request message 674 including a TAU request of FIG. 6.
  • the second TAU request may be integrity protected using a second uplink count different than the first uplink count.
  • the first TAU request may be integrity protected using an uplink NAS count value of five and the second TAU request may be integrity protected using an uplink NAS count value of six.
  • the obtaining of the second context request, at 1512 may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17. 75
  • the second TAU request may include a repetition of the first TAU request.
  • the second network entity derives a second mapped security context when a second integrity check on the second TAU request is successful. Aspects of deriving the second mapped security context may be similar to the deriving of the first mapped security context, as described in connection with 632, 634, and the mapped EPS security context 636 of FIG. 6.
  • the deriving of the second mapped security context, at 1514, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • the second network entity outputs the second mapped security context for the first network entity. Aspects of outputting the second mapped security context may be similar to outputting the first mapped security context, as described in connection with the mapped EPS security context 636 and the context response message 638 of FIG. 6. The outputting of the second mapped security context, at 1516, may be performed by the network security handling component 199 of the network entity 1602 of FIG. 16 and/or the network security handling component 497 of the network entity 1760 of FIG. 17.
  • FIG. 16 is a diagram 1600 illustrating an example of a hardware implementation for a network entity 1602.
  • the network entity 1602 may be a BS, a component of a BS, or may implement BS functionality.
  • the network entity 1602 may include at least one of a CU 1610, a DU 1630, or an RU 1640.
  • the network entity 1602 may include the CU 1610; both the CU 1610 and the DU 1630; each of the CU 1610, the DU 1630, and the RU 1640; the DU 1630; both the DU 1630 and the RU 1640; or the RU 1640.
  • the CU 1610 may include a CU processor 1612.
  • the CU processor 1612 may include on-chip memory 1612'. In some aspects, may further include additional memory modules 1614 and a communications interface 1618.
  • the CU 1610 communicates with the DU 1630 through a midhaul link, such as an FI interface.
  • the DU 1630 may include a DU processor 1632.
  • the DU processor 1632 may include on-chip memory 1632'.
  • the DU 1630 may further include additional memory modules 1634 and a communications interface 1638.
  • the DU 1630 communicates with the RU 1640 through a fronthaul link.
  • the RU 1640 may include an RU processor 1642.
  • the RU processor 1642 may include on-chip 76 memory 1642'.
  • the RU 1640 may further include additional memory modules 1644, one or more transceivers 1646, antennas 1680, and a communications interface 1648.
  • the RU 1640 communicates with the UE 104.
  • the on-chip memories e.g., the on-chip memory 1612', the on-chip memory 1632', and/or the on-chip memory 1642'
  • the additional memory modules e g., the additional memory modules 1614, the additional memory modules 1634, and/or the additional memory modules 1644
  • Each computer-readable medium / memory may be non-transitory.
  • Each of the CU processor 1612, the DU processor 1632, the RU processor 1642 is responsible for general processing, including the execution of software stored on the computer- readable medium / memory.
  • the software when executed by the corresponding processor(s) causes the processor(s) to perform the various functions described supra.
  • the computer-readable medium / memory may also be used for storing data that is manipulated by the processor(s) when executing software.
  • the network security handling component 199 is configured to: receive a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity; output, based on the first TAU request, a first context request for a second network entity, the second network entity associated with the first RAT; receive, based on the first context request, a first mapped security context, the first mapped security context derived from the first security context and the first uplink count; receive a second TAU request, the second TAU request encoded using the first security context, the second TAU request being integrity protected using a second uplink count that is different than the first uplink count, and the second TAU request including the first set of information; output, based
  • the network security handling component 199 may be configured to: receive a first context request, the first context request including at least a first 77 tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first RAT different than a second RAT associated with a first network entity; derive a first mapped security context when a first integrity check on the first TAU request is successful; output the first mapped security context for the first network entity; receive a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count; derive a second mapped security context when a second integrity check on the second TAU request is successful; and output the second mapped security context for the first network entity.
  • TAU 77 tracking area update
  • UE user equipment
  • RAT radio access technology
  • the network security handling component 199 may be within one or more processors of one or more of the CU 1610, DU 1630, and the RU 1640.
  • the network security handling component 199 may be one or more hardware components specifically configured to carry out the stated processes/algorithm, implemented by one or more processors configured to perform the stated processes/algorithm, stored within a computer-readable medium for implementation by one or more processors, or some combination thereof.
  • the network entity 1602 may be a first network entity and includes means for obtaining a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity; outputting, based on the first TAU request, a first context request for a second network entity, the second network entity associated with the first RAT; obtaining, based on the first context request, a first mapped security context, the first mapped security context derived from the first security context and the first uplink count; obtaining a second TAU request, the second TAU request encoded using the first security context, the second TAU request being integrity protected using a second uplink count that is different than the first uplink count, and the second TAU request including the
  • the first context request includes the identifier mapped to the second RAT and the first TAU request is integrity protected using the first uplink count.
  • the example network entity 1602 also includes means for deriving an address of the second network entity based on the identifier mapped to the second RAT.
  • the example network entity 1602 also includes means for updating, based on obtaining the second mapped security context, a security context of the first network entity from the first mapped security context to the second mapped security context; and discarding, after updating the security context of the first network entity, pending downlink transmissions that are integrity protected using the first mapped security context.
  • the second TAU request comprises a repetition of the first TAU request.
  • the first TAU request is obtained based on a non-inter- system change from an Nl mode to an SI mode
  • the UE is configured to operate in a single-registration mode
  • the downlink message includes a TAU accept message
  • the example network entity 1602 also includes means for resending the downlink message.
  • the example network entity 1602 also includes means for restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping incrementing a retransmission counter related to the T3450 timer.
  • the first TAU request is obtained based on an inter-system change from an NT mode to an SI mode
  • the UE is configured to operate in a single - registration mode
  • the downlink message includes a TAU accept message
  • the example network entity 1602 also includes means for initiating an authentication procedure; and performing a security mode control procedure to transition a new partial native evolved packet system (EPS) security
  • EPS partial native evolved packet system
  • the example network entity 1602 also includes means for outputting a downlink message repetition when the security mode control procedure 79 is successful, the downlink message repetition being integrity protected using the current full native EPS security context; restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping incrementing a retransmission counter related to the T3450 timer.
  • the first TAU request is obtained based on a non-inter- system change from an Nl mode to an SI mode
  • the UE is configured to operate in a single-registration mode
  • the example network entity 1602 also includes means for skipping initiating of a TAU procedure based on the second TAU request; and integrity protecting the downlink message based on the first mapped security context.
  • the first TAU request is obtained based on an inter-system change from an N1 mode to an SI mode
  • the UE is configured to operate in a single - registration mode
  • the example network entity 1602 also includes means for determining to initiate a second TAU procedure including: outputting the second context request to the second network entity; and integrity protecting the downlink message based on the second mapped security context.
  • the first network entity includes a Mobility Management Entity (MME) and the second network entity includes an Access and Mobility Management Function (AMF).
  • MME Mobility Management Entity
  • AMF Access and Mobility Management Function
  • the network entity 1602 may be a second network entity and includes means for obtaining a first context request, the first context request including at least a first tracking areaupdate (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first RAT different than a second RAT associated with a first network entity; deriving a first mapped security context when a first integrity check on the first TAU request is successful; outputting the first mapped security context for the first network entity; obtaining a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count; deriving a second mapped security context when a second integrity check on the second TAU request is successful; and outputting the second mapped security context for the first network entity.
  • TAU tracking areaupdate
  • UE user equipment
  • the first context request further includes an identifier mapped to the second RAT. 80
  • the second TAU request comprises a repetition of the first TAU request.
  • the example network entity 1602 also includes means for initiating a timer after outputting the first mapped security context; and erasing the first mapped security context after the timer expires.
  • the example network entity 1602 also includes means for performing the first integrity check on the first TAU request based on the first security context.
  • the first network entity includes a Mobility Management Entity (MME) and the second network entity includes an Access and Mobility Management Function (AMF).
  • MME Mobility Management Entity
  • AMF Access and Mobility Management Function
  • the means may be the network security handling component 199 of the network entity 1602 configured to perform the functions recited by the means.
  • the network entity 1602 may include the TX processor 316, the RX processor 370, and the controller/processor 375.
  • the means may be the TX processor 316, the RX processor 370, and/or the controller/processor 375 configured to perform the functions recited by the means.
  • FIG. 17 is a diagram 1700 illustrating an example of a hardware implementation for a network entity 1760.
  • the network entity 1760 may be within the core network 120.
  • the network entity 1760 may include a network processor 1712.
  • the network processor 1712 may include on-chip memory 1712'.
  • the network entity 1760 may further include additional memory modules 1714.
  • the network entity 1760 communicates via the network interface 1780 directly (e.g., backhaul link) or indirectly (e g., through a RIC) with the CU 1702.
  • the on-chip memory 1712' and the additional memory modules 1714 may each be considered a computer-readable medium / memory. Each computer-readable medium / memory may be non-transitory.
  • the network processor 1712 is responsible for general processing, including the execution of software stored on the computer-readable medium / memory.
  • the software when executed by the corresponding processor(s) causes the processor(s) to perform the various functions described supra.
  • the computer-readable medium / memory may also be used for storing data that is manipulated by the processor(s) when executing software.
  • the network security handling component 497 is configured to: receive a first tracking area update (TAU) request generated by a user equipment 81
  • TAU tracking area update
  • the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity; output, based on the first TAU request, a first context request for a second network entity, the second network entity associated with the first RAT; receive, based on the first context request, a first mapped security context, the first mapped security context derived from the first security context and the first uplink count; receive a second TAU request, the second TAU request encoded using the first security context, the second TAU request being integrity protected using a second uplink count that is different than the first uplink count, and the second TAU request including the first set of information; output, based on the second TAU request, a second context request for the second network entity; receive, based on the second context request, a second mapped security context, the
  • the network security handling component 497 may be configured to: receive a first context request, the first context request including at least a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first RAT different than a second RAT associated with a first network entity; derive a first mapped security context when a first integrity check on the first TAU request is successful; output the first mapped security context for the first network entity; receive a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count; derive a second mapped security context when a second integrity check on the second TAU request is successful; and output the second mapped security context for the first network entity.
  • TAU tracking area update
  • UE user equipment
  • RAT radio access technology
  • the network security handling component 497 may be within the network processor 1712.
  • the network security handling component 497 may be one or more hardware components specifically configured to carry out the stated processes/algorithm, implemented by one or more processors configured to perform the stated 82 processes/algorithm, stored within a computer-readable medium for implementation by one or more processors, or some combination thereof.
  • the network entity 1760 may include a variety of components configured for various functions.
  • the network entity 1760 may be a first network entity and includes means for obtaining a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity; outputting, based on the first TAU request, a first context request for a second network entity, the second network entity associated with the first RAT; obtaining, based on the first context request, a first mapped security context, the first mapped security context derived from the first security context and the first uplink count; obtaining a second TAU request, the second TAU request encoded using the first security context, the second TAU request being integrity protected using a second uplink count that is different than the first uplink count, and the second TAU request including the
  • the first context request includes the identifier mapped to the second RAT and the first TAU request is integrity protected using the first uplink count.
  • the example network entity 1760 also includes means for deriving an address of the second network entity based on the identifier mapped to the second RAT.
  • the example network entity 1760 also includes means for updating, based on obtaining the second mapped security context, a security context of the first network entity from the first mapped security context to the second mapped security context; and discarding, after updating the security context of the first network entity, pending downlink transmissions that are integrity protected using the first mapped security context.
  • the second TAU request comprises a repetition of the first TAU request.
  • the first TAU request is obtained based on a non-inter- system change from an Nl mode to an SI mode
  • the UE is configured to operate in a single-registration mode
  • the downlink message includes a TAU accept message
  • the example network entity 1760 also includes means for resending the downlink message.
  • the example network entity 1760 also includes means for restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping incrementing a retransmission counter related to the T3450 timer.
  • the first TAU request is obtained based on an inter-system change from an N1 mode to an SI mode
  • the UE is configured to operate in a single - registration mode
  • the downlink message includes a TAU accept message
  • the example network entity 1760 also includes means for initiating an authentication procedure; and performing a security mode control procedure to transition a new partial native evolved packet system (EPS) security
  • EPS partial native evolved packet system
  • the example network entity 1760 also includes means for outputting a downlink message repetition when the security mode control procedure is successful, the downlink message repetition being integrity protected using the current full native EPS security context; restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping incrementing a retransmission counter related to the T3450 timer
  • the first TAU request is obtained based on a non-inter- system change from an l mode to an SI mode
  • the UE is configured to operate in a single-registration mode
  • the example network entity 1760 also includes means for skipping initiating of a TAU procedure based on the second TAU request; and integrity protecting the downlink message based on the first mapped security context.
  • the first TAU request is obtained based on an inter-system change from an N1 mode to an SI mode
  • the UE is configured to operate in a single - registration mode
  • the example network entity 1760 also includes means for determining to initiate a second TAU procedure including: outputting the second context request to the second network entity; and integrity protecting the downlink message based on the second mapped security context.
  • the first network entity includes a Mobility Management Entity (MME) and the second network entity includes an Access and Mobility Management Function (AMF).
  • MME Mobility Management Entity
  • AMF Access and Mobility Management Function
  • the network entity 1760 may be a second network entity and includes means for obtaining a first context request, the first context request including at least a first tracking areaupdate (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first RAT different than a second RAT associated with a first network entity; deriving a first mapped security context when a first integrity check on the first TAU request is successful; outputting the first mapped security context for the first network entity; obtaining a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count; deriving a second mapped security context when a second integrity check on the second TAU request is successful; and outputting the second mapped security context for the first network entity.
  • TAU tracking areaupdate
  • UE user equipment
  • the first context request further includes an identifier mapped to the second RAT.
  • the second TAU request comprises a repetition of the first TAU request.
  • the example network entity 1760 also includes means for initiating a timer after outputting the first mapped security context; and erasing the first mapped security context after the timer expires.
  • the example network entity 1760 also includes means for performing the first integrity check on the first TAU request based on the first security context.
  • the first network entity includes a Mobility Management Entity (MME) and the second network entity includes an Access and Mobility Management Function (AMF).
  • MME Mobility Management Entity
  • AMF Access and Mobility Management Function
  • the means may be the network security handling component 497 of the network entity 1760 configured to perform the functions recited by the means.
  • the network entity 1760 may include the network processor 1712.
  • the means may be the network processor 1712 configured to perform the functions recited by the means.
  • Examples disclosed herein provide techniques for removing inconsistencies in the handling of repetitions of TAU request messages as described above. For example, disclosed techniques may remove inconsistencies by modifying how the network handles a repetition of a TAU request message. Disclosed techniques may additionally or alternatively remove inconsistencies by modifying how the UE integrity protects the TAU request messages. Additionally, disclosed techniques may remove inconsistences by modifying how the UE performs integrity verification of messages.
  • Combinations such as “at least one of A, B, or C,” “one or more of A, B, or C,” “at least one of A, B, and C,” “one or more of A, B, and C,” and “A, B, C, or any combination thereof’ include any combination of A, B, and/or C, and may include multiples of A, 86 multiples of B, or multiples of C.
  • combinations such as “at least one of A, B, or C,” “one or more of A, B, or C,” “at least one of A, B, and C,” “one or more of A, B, and C and “A, B, C, or any combination thereof’ may be A only, B only, C only, A and B, A and C, B and C, or A and B and C, where any such combinations may contain one or more member or members of A, B, or C.
  • Sets should be interpreted as a set of elements where the elements number one or more. Accordingly, for a set of X, X would include one or more elements.
  • a first apparatus receives data from or transmits data to a second apparatus
  • the data may be received/transmitted directly between the first and second apparatuses, or indirectly between the first and second apparatuses through a set of apparatuses.
  • the phrase “based on” shall not be construed as a reference to a closed set of information, one or more conditions, one or more factors, or the like.
  • the phrase “based on A” (where “A” may be information, a condition, a factor, or the like) shall be construed as “based at least on A” unless specifically recited differently.
  • Aspect 1 is a method of wireless communication at a UE, including: transmitting, to a first network entity, a first tracking area update (TAU) request, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity; transmitting, to the first network entity, a second TAU request, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count; deriving a mapped security 87 context based on the first security context and at least one of the first uplink count or the second uplink count; and communicating with the first network entity based on the mapped security context.
  • TAU tracking area update
  • RAT radio access technology
  • Aspect 2 is the method of aspect 1, further including: transmitting the first TAU request when performing a change from a first cell associated with the first RAT to connect to a second cell associated with the second RAT, the second RAT being different than the first RAT, the first network entity being associated with the second RAT.
  • Aspect 3 is the method of any of aspects 1 and 2, further including that the second TAU request comprises a repetition of the first TAU request, and the second uplink count is a same value as the first uplink count.
  • Aspect 4 is the method of any of aspects 1 to 3, further including: transmitting the second TAU request based on an occurrence of a radio link failure.
  • Aspect 5 is the method of any of aspects 1 and 2, further including that the mapped security context is associated with the second RAT.
  • Aspect 6 is the method of any of aspects 1 and 2, further including that the second uplink count is different than the first uplink count and the mapped security context is a first mapped security context, the method further including: deriving a second mapped security context based on the first security context and the first uplink count, the second TAU request encoded using the first security context and being integrity protected using the second uplink count, the first mapped security context being derived based on the first security context and the second uplink count
  • Aspect 7 is the method of any of aspects 1 and 6, further including: updating, based on deriving the first mapped security context, a security context of the UE from the second mapped security context to the first mapped security context; and discarding, after updating the security context of the UE, pending transmissions that are integrity protected using the second mapped security context.
  • Aspect 8 is the method of any of aspects 1, 6 and 7, further including that the second TAU request comprises a repetition of the first TAU request.
  • Aspect 9 is an apparatus for wireless communication at a UE including at least one processor coupled to a memory and configured to implement any of aspects 1 to 8.
  • the apparatus of aspect 9 further includes at least one antenna coupled to the at least one processor.
  • the apparatus of aspect 9 or 10 further includes a transceiver coupled to the at least one processor.
  • Aspect 12 is an apparatus for wireless communication including means for implementing any of aspects 1 to 8.
  • the apparatus of aspect 12 further includes at least one antenna coupled to the means to perform the method of any of aspects 1 to 8.
  • the apparatus of aspect 12 or 13 further includes a transceiver coupled to the means to perform the method of any of aspects 1 to 8.
  • Aspect 15 is a non-transitory computer-readable storage medium storing computer executable code, where the code, when executed, causes a processor to implement any of aspects 1 to 8.
  • Aspect 16 is a method of wireless communication at a UE, including: transmitting, to a first network entity, a first tracking area update (TAU) request when performing a change from a first cell associated with a first radio access technology (RAT) to connect to a second cell associated with a second RAT different than the first RAT, the first network entity associated with the second RAT, the first TAU request encoded using a first security context associated with the first RAT, and the first TAU request being integrity protected using a first uplink count based on the first security context; deriving a first integrity key based on the first security context, the first uplink count, and a first mapped security context; transmitting, to the first network entity, a repetition of the first TAU request, the repetition of the first TAU request being integrity protected using a second uplink count that is different than the first uplink count; deriving a second integrity key based on the first security context, the second uplink count, and a second mapped security context; receiving, from the first network entity,
  • Aspect 17 is the method of aspect 16, further including: erasing the second mapped security context and any keys derived using the second mapped security context when the integrity check on the downlink transmission is successful using the first integrity key, where the master security key comprises the first mapped security context.
  • Aspect 18 is the method of aspect 16, further including: erasing the first mapped security context and any keys derived using the first mapped security context when the integrity check on the downlink transmission is successful using the second integrity key, where the master security key comprises the second mapped security context.
  • Aspect 19 is the method of any of aspects 16 to 18, further including: deriving the first mapped security context based on the first security context and the first uplink count.
  • Aspect 20 is an apparatus for wireless communication at a UE including at least one processor coupled to a memory and configured to implement any of aspects 16 to 19.
  • the apparatus of aspect 20 further includes at least one antenna coupled to the at least one processor.
  • the apparatus of aspect 20 or 21 further includes a transceiver coupled to the at least one processor.
  • Aspect 23 is an apparatus for wireless communication including means for implementing any of aspects 16 to 19.
  • the apparatus of aspect 23 further includes at least one antenna coupled to the means to perform the method of any of aspects 16 to 19.
  • the apparatus of aspect 23 or 24 further includes a transceiver coupled to the means to perform the method of any of aspects 16 to 19.
  • Aspect 26 is a non-transitory computer-readable storage medium storing computer executable code, where the code, when executed, causes a processor to implement any of aspects 16 to 19.
  • Aspect 27 is a method of wireless communication at a first network entity, including: obtaining a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity; outputting, based on the first TAU request, a first context request for a second network entity, the second network entity associated with the first RAT; obtaining, based on the first context request, a first mapped security context, the first mapped security context derived from the first security context and the first uplink count; obtaining a second TAU request, the second TAU 90 request encoded using the first security context, the second TAU request being integrity protected using a second uplink count that is different than the first uplink count, and the second TAU request including the
  • Aspect 28 is the method of aspect 27, further including that the first context request includes the identifier mapped to the second RAT and the first TAU request is integrity protected using the first uplink count.
  • Aspect 29 is the method of any of aspects 27 and 28, further including: deriving an address of the second network entity based on the identifier mapped to the second RAT.
  • Aspect 30 is the method of any of aspects 27 to 29, further including: updating, based on obtaining the second mapped security context, a security context of the first network entity from the first mapped security context to the second mapped security context; and discarding, after updating the security context of the first network entity, pending downlink transmissions that are integrity protected using the first mapped security context.
  • Aspect 31 is the method of any of aspects 27 to 30, further including that the second TAU request comprises a repetition of the first TAU request.
  • Aspect 32 is the method of any of aspects 27 to 31, further including that the first TAU request is obtained based on a non-inter-system change from an N1 mode to an SI mode, the UE is configured to operate in a single-registration mode, and the downlink message includes a TAU accept message, and the method further includes: resending the downlink message.
  • Aspect 33 is the method of any of aspects 27 to 32, further including: restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping incrementing a retransmission counter related to the T3450 timer.
  • Aspect 34 is the method of any of aspects 27 to 31, further including that the first TAU request is obtained based on an inter-system change from an N1 mode to an SI mode, the UE is configured to operate in a single-registration mode, and the downlink message includes a TAU accept message, and the method further includes: initiating 91 an authentication procedure; and performing a security mode control procedure to transition a new partial native evolved packet system (EPS) security context into a current full native EPS security context.
  • EPS partial native evolved packet system
  • Aspect 35 is the method of any of aspects 27 and 34, further including: outputting a downlink message repetition when the security mode control procedure is successful, the downlink message repetition being integrity protected using the current full native EPS security context; restarting a T3450 timer when a TAU complete message is expected from the UE; and skipping incrementing a retransmission counter related to the T3450 timer.
  • Aspect 36 is the method of any of aspects 27 to 31, further including that the first TAU request is obtained based on a non-inter-system change from an N1 mode to an SI mode, the UE is configured to operate in a single-registration mode, and the method further includes: skipping initiating of a TAU procedure based on the second TAU request; and integrity protecting the downlink message based on the first mapped security context.
  • Aspect 37 is the method of any of aspects 27 to 31, further including that the first TAU request is obtained based on an inter-system change from an N1 mode to an SI mode, the UE is configured to operate in a single-registration mode, and the method further includes: determining to initiate a second TAU procedure including : outputting the second context request to the second network entity; and integrity protecting the downlink message based on the second mapped security context.
  • Aspect 38 is the method of any of aspects 27 to 37, further including that the first network entity includes a Mobility Management Entity (MME) and the second network entity includes an Access and Mobility Management Function (AMF).
  • MME Mobility Management Entity
  • AMF Access and Mobility Management Function
  • Aspect 39 is an apparatus for wireless communication at a UE including at least one processor coupled to a memory and configured to implement any of aspects 27 to 38.
  • the apparatus of aspect 39 further includes at least one antenna coupled to the at least one processor.
  • the apparatus of aspect 39 or 40 further includes a transceiver coupled to the at least one processor.
  • Aspect 42 is an apparatus for wireless communication including means for implementing any of aspects 27 to 38.
  • the apparatus of aspect 42 further includes at least one antenna coupled to the means to perform the method of any of aspects 27 to 38. 92
  • the apparatus of aspect 42 or 43 further includes a transceiver coupled to the means to perform the method of any of aspects 27 to 38.
  • Aspect 45 is a non-transitory computer-readable storage medium storing computer executable code, where the code, when executed, causes a processor to implement any of aspects 27 to 38.
  • Aspect 46 is a method of wireless communication at a second network entity, including: obtaining a first context request, the first context request including at least a first tracking area update (TAU) request generated by a user equipment (UE), the first TAU request being integrity protected using a first uplink count, the first TAU request encoded using a first security context associated with a first radio access technology (RAT), the first RAT different than a second RAT associated with a first network entity; deriving a first mapped security context when a first integrity check on the first TAU request is successful; outputting the first mapped security context for the first network entity; obtaining a second context request, the second context request including at least a second TAU request generated by the UE, the second TAU request being integrity protected using a second uplink count different than the first uplink count; deriving a second mapped security context when a second integrity check on the second TAU request is successful; and outputting the second mapped security context for the first network entity.
  • TAU tracking area update
  • UE user
  • Aspect 47 is the method of aspect 46, further including that the first context request further includes an identifier mapped to the second RAT.
  • Aspect 48 is the method of any of aspects 46 and 47, further including that the second TAU request comprises a repetition of the first TAU request.
  • Aspect 49 is the method of any of aspects 46 to 48, further including: initiating a timer after outputting the first mapped security context; and erasing the first mapped security context after the timer expires.
  • Aspect 50 is the method of any of aspects 46 to 49, further including: performing the first integrity check on the first TAU request based on the first security context.
  • Aspect 51 is the method of any of aspects 46 to 50, further including that the first network entity includes a Mobility Management Entity (MME) and the second network entity includes an Access and Mobility Management Function (AMF).
  • MME Mobility Management Entity
  • AMF Access and Mobility Management Function
  • Aspect 52 is an apparatus for wireless communication at a UE including at least one processor coupled to a memory and configured to implement any of aspects 46 to 51. 93
  • the apparatus of aspect 52 further includes at least one antenna coupled to the at least one processor.
  • the apparatus of aspect 52 or 53 further includes a transceiver coupled to the at least one processor.
  • Aspect 55 is an apparatus for wireless communication including means for implementing any of aspects 46 to 51.
  • the apparatus of aspect 55 further includes at least one antenna coupled to the means to perform the method of any of aspects 46 to 51.
  • the apparatus of aspect 55 or 56 further includes a transceiver coupled to the means to perform the method of any of aspects 46 to 51.
  • Aspect 58 is a non-transitory computer-readable storage medium storing computer executable code, where the code, when executed, causes a processor to implement any of aspects 46 to 51.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Alarm Systems (AREA)
PCT/US2022/029035 2021-05-12 2022-05-12 Security handling of 5gs to epc reselection WO2022241144A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
KR1020237038281A KR20240007908A (ko) 2021-05-12 2022-05-12 5gs 대 epc 재선택의 보안 핸들링
EP22733260.8A EP4338451A1 (en) 2021-05-12 2022-05-12 Security handling of 5gs to epc reselection
JP2023565953A JP2024519200A (ja) 2021-05-12 2022-05-12 5gsからepcの再選択のセキュリティハンドリング
CN202280033306.XA CN117322025A (zh) 2021-05-12 2022-05-12 5gs至epc重选的安全性处置

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US202163187784P 2021-05-12 2021-05-12
US63/187,784 2021-05-12
US17/662,978 2022-05-11
US17/662,978 US20220369176A1 (en) 2021-05-12 2022-05-11 Security handling of 5gs to epc reselection

Publications (1)

Publication Number Publication Date
WO2022241144A1 true WO2022241144A1 (en) 2022-11-17

Family

ID=82163404

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2022/029035 WO2022241144A1 (en) 2021-05-12 2022-05-12 Security handling of 5gs to epc reselection

Country Status (5)

Country Link
EP (1) EP4338451A1 (ja)
JP (1) JP2024519200A (ja)
KR (1) KR20240007908A (ja)
TW (1) TW202249508A (ja)
WO (1) WO2022241144A1 (ja)

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3 Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 17)", vol. SA WG3, no. V17.1.0, 6 April 2021 (2021-04-06), pages 1 - 256, XP052000595, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/33_series/33.501/33501-h10.zip 33501-h10_clean.doc> [retrieved on 20210406] *
"3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3 (Release 17)", vol. CT WG1, no. V17.2.0, 2 April 2021 (2021-04-02), pages 1 - 588, XP052000429, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/24_series/24.301/24301-h20.zip 24301-h20.doc> [retrieved on 20210402] *
INTEL: "Correction of TAU abnormal case for the network", vol. CT WG1, no. West Palm Beach (FL), USA; 20181126 - 20181130, 9 December 2018 (2018-12-09), pages 1 - 4, XP051547392, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings%5F3GPP%5FSYNC/CT/Docs/CP%2D183070%2Ezip> [retrieved on 20181209] *

Also Published As

Publication number Publication date
TW202249508A (zh) 2022-12-16
EP4338451A1 (en) 2024-03-20
KR20240007908A (ko) 2024-01-17
JP2024519200A (ja) 2024-05-09

Similar Documents

Publication Publication Date Title
US20220369351A1 (en) Indication of scheduling delays for a shared channel with bwp switching in higher frequency bands
US20220369176A1 (en) Security handling of 5gs to epc reselection
WO2022241144A1 (en) Security handling of 5gs to epc reselection
US20230319929A1 (en) Rrc reestablishment between tn and ntn
US20240155456A1 (en) Determination of l2 reset in lower layer mobility
US20240049251A1 (en) Dynamic pdcch skipping for extended reality
US20240114421A1 (en) Multiple secondary cell group configuration
US20240237127A1 (en) Multiple scg configurations in a rrc inactive state
US20240073750A1 (en) Cell activation order for l1/l2 based inter-cell mobility
WO2024092746A1 (en) Signaling to inform a network node a user equipment-to-user equipment link between a remote user equipment and a relay user equipment
WO2024021046A1 (en) Method and apparatus of mobile-terminated small data transmission (mt-sdt)
US20230353301A1 (en) Pdcch on crs symbols
US20230076119A1 (en) Multiple tb configuration in multi-pdsch grant
US20230328719A1 (en) Semi-persistent waveform switching for uplink
WO2024007186A1 (en) Techniques to facilitate avoiding rrc re-establishment
WO2024092602A1 (en) Beam reporting for a candidate cell in l1 and l2 mobility
US20240114420A1 (en) Conditional handover including target mcg and target scgs
WO2024092538A1 (en) Beam reporting for a candidate cell in l1 and l2 mobility
US20240121586A1 (en) Release group of cells using l1/l2 signaling for l1-l2 inter-cell mobility under mtrp
US20240179554A1 (en) Nw assistance for measurement and mobility enhancement
WO2024065237A1 (en) Last dci determination for tci indication dci
US20230354109A1 (en) L1/l2 inter-cell mobility and ca
US20240236654A9 (en) Steering ue capability information based on network capability features
US20240137755A1 (en) Steering ue capability information based on network capability features
US20240196448A1 (en) Enhancement of user equipment location for non-3gpp access

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22733260

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023565953

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 2301007227

Country of ref document: TH

WWE Wipo information: entry into national phase

Ref document number: 202280033306.X

Country of ref document: CN

REG Reference to national code

Ref country code: BR

Ref legal event code: B01A

Ref document number: 112023022986

Country of ref document: BR

WWE Wipo information: entry into national phase

Ref document number: 2022733260

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2022733260

Country of ref document: EP

Effective date: 20231212

REG Reference to national code

Ref country code: BR

Ref legal event code: B01E

Ref document number: 112023022986

Country of ref document: BR

Free format text: APRESENTE A TRADUCAO SIMPLES DA FOLHA DE ROSTO DA CERTIDAO DE DEPOSITO DA PRIORIDADE US 17/662,978 DE 11/05/2022 OU DECLARACAO CONTENDO, OBRIGATORIAMENTE, TODOS OS DADOS IDENTIFICADORES DESTA CONFORME O PARAGRAFO UNICO DO ART. 15 DA PORTARIA/INPI/NO 39/2021, TENDO EM VISTA QUE A DATA NA DECLARACAO APRESENTADA E DIVERGENTE DO PEDIDO REIVINDICADO COMO PRIORIDADE. A EXIGENCIA DEVE SER RESPONDIDA EM ATE 60 (SESSENTA) DIAS DE SUA PUBLICACAO E DEVE SER REALIZADA POR MEIO DA PETICAO GRU CODIGO DE SERVICO 207.

ENP Entry into the national phase

Ref document number: 112023022986

Country of ref document: BR

Kind code of ref document: A2

Effective date: 20231103