WO2024035005A1 - Method and apparatus of secure multi-path transmission for proximity services in wireless communication system - Google Patents


Info

Publication number
WO2024035005A1
Authority
WO
WIPO (PCT)
Prior art keywords
prose
multipath
security policy
communication
network
Application number
PCT/KR2023/011459
Other languages
French (fr)
Inventor
Rohini RAJENDRAN
Rajavelsamy Rajadurai
Nivedya Parambath Sasi
Original Assignee
Samsung Electronics Co., Ltd.
Application filed by Samsung Electronics Co., Ltd.
Publication of WO2024035005A1

Classifications (all under H Electricity > H04 Electric communication technique)

    • H04W Wireless communication networks > H04W 8/00 Network data management > H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data > H04W 8/20 Transfer of user or subscriber data
    • H04L Transmission of digital information, e.g. telegraphic communication > H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/24 Multipath
    • H04W Wireless communication networks > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/10 Integrity > H04W 12/102 Route integrity, e.g. using trusted paths
    • H04W Wireless communication networks > H04W 40/00 Communication routing or communication path finding > H04W 40/24 Connectivity information management, e.g. connectivity discovery or connectivity update
    • H04W Wireless communication networks > H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/14 Direct-mode setup
    • H04W Wireless communication networks > H04W 8/00 Network data management > H04W 8/005 Discovery of network devices, e.g. terminals
    • H04W Wireless communication networks > H04W 8/00 Network data management > H04W 8/22 Processing or transfer of terminal data, e.g. status or physical capabilities > H04W 8/24 Transfer of terminal data
    • H04W Wireless communication networks > H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W 88/02 Terminal devices > H04W 88/04 Terminal devices adapted for relaying to or from another terminal or user
    • H04W Wireless communication networks > H04W 92/00 Interfaces specially adapted for wireless communication networks > H04W 92/16 Interfaces between hierarchically similar devices > H04W 92/18 Interfaces between hierarchically similar devices between terminal devices

Definitions

  • the embodiments disclosed herein relate to the field of wireless communication systems. More particularly, the embodiments disclosed herein relate to a method and a system for supporting secure multi-path transmission for proximity services in the wireless communication system.
  • 5G mobile communication technologies define broad frequency bands such that high transmission rates and new services are possible, and can be implemented not only in “Sub 6GHz” bands such as 3.5GHz, but also in “Above 6GHz” bands referred to as mmWave including 28GHz and 39GHz.
  • 6G mobile communication technologies are referred to as Beyond 5G systems
  • THz terahertz
  • IIoT Industrial Internet of Things
  • IAB Integrated Access and Backhaul
  • DAPS Dual Active Protocol Stack
  • 5G baseline architecture, for example, service based architecture or service based interface
  • NFV Network Functions Virtualization
  • SDN Software-Defined Networking
  • MEC Mobile Edge Computing
  • 6G mobile communication technologies include not only multi-antenna transmission technologies such as Full Dimensional MIMO (FD-MIMO), array antennas and large-scale antennas, metamaterial-based lenses and antennas for improving coverage of terahertz band signals, high-dimensional space multiplexing technology using OAM (Orbital Angular Momentum), and RIS (Reconfigurable Intelligent Surface), but also full-duplex technology for increasing frequency efficiency of 6G mobile communication technologies and improving system networks, AI-based communication technology for implementing system optimization by utilizing satellites and AI (Artificial Intelligence) from the design stage and internalizing end-to-end AI support functions, and next-generation distributed computing technology for implementing services at levels of complexity exceeding the limit of UE operation capability by utilizing ultra-high-performance communication and computing resources.
  • FD-MIMO Full Dimensional MIMO
  • OAM Orbital Angular Momentum
  • RIS Reconfigurable Intelligent Surface
  • Embodiments disclosed herein provide a method for secure multi-path transmission for proximity services (ProSe) in a telecommunication network.
  • the method includes initiating, by a user equipment (UE) in the telecommunication network, a ProSe multipath communication with at least one relay device in the telecommunication network.
  • the at least one relay device establishes a first protocol data unit (PDU) session with a network apparatus in the telecommunication network using a first link over a first network path.
  • PDU protocol data unit
  • the method includes establishing, by the UE, a second PDU session with a network apparatus using a second link over a second network path.
  • the method includes receiving, by the UE, a ProSe multipath security policy from a unified data management (UDM) associated with the network apparatus for the second PDU session. Further, the method includes receiving, by the UE, a ProSe multipath security policy from the network apparatus. Further, the method includes receiving, by the UE, a ProSe multipath security policy from the at least one relay device. Further, the method includes determining, by the UE, whether the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session.
  • UDM unified data management
  • the method includes performing the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the method includes rejecting the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is not the same as the ProSe multipath security policy received for the second PDU session.
  • the method includes performing, by the UE, the ProSe multipath communication with the at least one relay device using the first link over the first network path and a PDU data transfer in the second communication with the network device using the second link over the second network path.
  • the ProSe multipath communication with the at least one relay device and the PDU data transfer with the network device are performed using the same ProSe multipath security policy.
  • the method includes receiving, by the at least one relay device, a multipath ProSe communication message from the UE. Further, the method includes sending, by the at least one relay device, an authenticated and authorized message for the multipath ProSe communication to a session management function (SMF) device in the telecommunication network. Further, the method includes establishing, by the at least one relay device, the first PDU session with an access and mobility management function (AMF) node (or entity) associated with the network apparatus using the first link over the first network path after successful authentication and authorization of the at least one relay device by the SMF node.
  • AMF access and mobility management function
  • the method includes receiving, by the at least one relay device, a radio resource control (RRC) message comprising the ProSe multipath security policy from a master node (MN) associated with the network apparatus. Further, the method includes storing, by the at least one relay device, the ProSe multipath security policy in a memory of the at least one relay device for a temporary period of time. Further, the method includes sending, by the at least one relay device, the ProSe multipath security policy to the UE.
  • RRC radio resource control
  • the method includes selecting, by the AMF node, an SMF supporting ProSe multipath transmission during the authentication and authorization of the relay UE by the SMF node. Further, the method includes sending, by the AMF node, a PDU session request message comprising the SMF supporting ProSe multipath transmission to the SMF node.
  • the method includes receiving, by the SMF node associated with the network apparatus, a request to establish the multipath ProSe communication from the relay device. Further, the method includes authenticating and authorizing, by the SMF node, the at least one relay device based on the request. Further, the method includes receiving, by the SMF node, the PDU session request message comprising the SMF supporting ProSe multipath transmission from the AMF node. Further, the method includes sending, by the SMF node, a request to retrieve subscription information to a unified data management (UDM) node associated with the network apparatus. Further, the method includes receiving, by the SMF node, the retrieved subscription information comprising the ProSe multipath security policy from the UDM node. Further, the method includes sending, by the SMF node, the ProSe multipath security policy received from the UDM node to the master node.
  • Embodiments disclosed herein provide a system for secure Multi-path communication for ProSe in a telecommunication network.
  • the system includes a network apparatus, a UDM node communicating with the network apparatus, an SMF node communicating with the UDM node, an AMF node communicating with the SMF node, a master node communicating with the AMF node, at least one relay device, and a UE communicating with the network apparatus and the at least one relay device.
  • the UE includes a ProSe multipath communication controller (or a transceiver) communicatively coupled to a memory and a processor.
  • the ProSe multipath communication controller is configured to initiate a ProSe multipath communication with at least one relay device in the telecommunication network.
  • the at least one relay device establishes a first PDU session with a network apparatus in the telecommunication network using a first link over a first network path.
  • the ProSe multipath communication controller is configured to establish a second PDU session with a network apparatus using a second link over a second network path.
  • the ProSe multipath communication controller is configured to receive a ProSe multipath security policy from a UDM associated with the network apparatus for the second PDU session.
  • the ProSe multipath communication controller is configured to receive a ProSe multipath security policy from the network apparatus.
  • the ProSe multipath communication controller is configured to receive a ProSe multipath security policy from the at least one relay device. Further, the ProSe multipath communication controller is configured to determine whether the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In an embodiment, the ProSe multipath communication controller is configured to perform the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session.
  • the ProSe multipath communication controller is configured to reject the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is not the same as the ProSe multipath security policy received for the second PDU session.
  • the ProSe multipath communication controller is configured to perform the ProSe multipath communication with the at least one relay device using the first link over the first network path and a PDU data transfer in the second communication with the network device using the second link over the second network path.
  • the ProSe multipath communication with the at least one relay device and the PDU data transfer with the network device are performed using the same ProSe multipath security policy.
  • the at least one relay device includes a ProSe multipath communication controller communicatively coupled to a memory and a processor.
  • the ProSe multipath communication controller is configured to receive a multipath ProSe communication message from the UE. Further, the ProSe multipath communication controller is configured to send an authenticated and authorized message for the multipath ProSe communication to the SMF node in the telecommunication network. Further, the ProSe multipath communication controller is configured to establish the first PDU session with the AMF node associated with the network apparatus using the first link over the first network path after successful authentication and authorization of the at least one relay device by the SMF node.
  • the ProSe multipath communication controller is configured to receive an RRC message comprising the ProSe multipath security policy from the MN associated with the network apparatus. Further, the ProSe multipath communication controller is configured to store the ProSe multipath security policy in the memory of the at least one relay device for a temporary period of time. Further, the ProSe multipath communication controller is configured to send the ProSe multipath security policy to the UE.
  • the AMF node includes a ProSe multipath communication controller communicatively coupled to a memory and a processor.
  • the ProSe multipath communication controller is configured to select an SMF supporting ProSe multipath transmission during the authentication and authorization of the relay UE by the SMF node. Further, the ProSe multipath communication controller is configured to send a PDU session request message comprising the SMF supporting ProSe multipath transmission to the SMF node.
  • the SMF node includes a ProSe multipath communication controller communicatively coupled to a memory and a processor.
  • the ProSe multipath communication controller is configured to receive a request to establish the multipath ProSe communication from the relay device. Further, the ProSe multipath communication controller is configured to authenticate and authorize the at least one relay device based on the request. Further, the ProSe multipath communication controller is configured to receive the PDU session request message comprising the SMF supporting ProSe multipath transmission from the AMF node. Further, the ProSe multipath communication controller is configured to send a request to retrieve subscription information to the UDM node associated with the network apparatus.
  • the ProSe multipath communication controller is configured to receive the retrieved subscription information comprising the ProSe multipath security policy from the UDM node. Further, the ProSe multipath communication controller is configured to send the ProSe multipath security policy received from the UDM node to the master node.
  • secure multi-path transmission for proximity services in a wireless communication system can be efficiently enhanced.
  • FIG. 1 illustrates a UE-to-network connection via different paths, i.e., a direct path over Uu (Path #1) and indirect paths via UE-to-network relays (Path #2 and Path #3), according to the prior art;
  • FIG. 2 illustrates a user plane stack for an L2 UE-to-Network Relay UE, according to the prior art;
  • FIG. 3 illustrates a control plane for the L2 UE-to-Network Relay UE, according to the prior art;
  • FIG. 4 illustrates a protocol stack for a ProSe 5G L3 UE-to-Network Relay, according to the prior art;
  • FIG. 5 illustrates an example scenario of multi-path transmission using a UE-to-Network Relay, according to the prior art;
  • FIG. 6 illustrates multi-path transmission using a direct Uu path and an indirect network communication path, according to the prior art;
  • FIG. 7 illustrates an example scenario for the first issue, according to the prior art;
  • FIG. 8A illustrates example scenarios for the second issue, according to the prior art;
  • FIG. 8B illustrates example scenarios for the second issue, according to the prior art;
  • FIG. 9 illustrates an SMF determining the security policy for both Uu links and PC5 links, according to the embodiments as disclosed herein;
  • FIG. 10 illustrates a remote UE determining the security policy over the direct path and applying it over the PC5 link, according to the embodiments as disclosed herein;
  • FIG. 11 illustrates a relay UE reporting the security activation status to the NG-RAN in an RRC connection reconfiguration complete message, according to the embodiments as disclosed herein;
  • FIG. 12 shows various hardware components of a UE, according to the embodiments as disclosed herein;
  • FIG. 13 shows various hardware components of a relay device, according to the embodiments as disclosed herein;
  • FIG. 14 shows various hardware components of an AMF node, according to the embodiments as disclosed herein;
  • FIG. 15 shows various hardware components of an SMF node, according to the embodiments as disclosed herein;
  • FIG. 16 is a flow chart illustrating a method, implemented by the UE, for secure Multi-path transmission for ProSe in the telecommunication network, according to the embodiments as disclosed herein;
  • FIG. 17 is a flow chart illustrating a method, implemented by the relay device, for secure Multi-path transmission for ProSe in the telecommunication network, according to the embodiments as disclosed herein;
  • FIG. 18 is a flow chart illustrating a method, implemented by the AMF node, for secure Multi-path transmission for ProSe in the telecommunication network, according to the embodiments as disclosed herein;
  • FIG. 19 is a flow chart illustrating a method, implemented by the SMF node, for secure Multi-path transmission for ProSe in the telecommunication network, according to the embodiments as disclosed herein;
  • FIG. 20 is a block diagram illustrating a terminal (or a user equipment (UE)), according to the embodiments as disclosed herein;
  • FIG. 21 is a block diagram illustrating a base station (BS), according to the embodiments as disclosed herein;
  • FIG. 22 is a block diagram illustrating a structure of a network entity, according to the embodiments as disclosed herein.
  • a User Equipment (UE) (102) may be able to access a network (106) (e.g., a telecommunication network or the like) via direct network communication or indirect network communication, as shown in FIG. 1.
  • Path #1 is a direct network communication path, and path #2 and path #3 are indirect network communication paths via different UE-to-network Relays (104a and 104b).
  • the UE-to-Network relay (104a and 104b) is registered to the 5GS as a UE.
  • the UE-to-Network relay (104a and 104b) needs to establish a direct communication interface (e.g., a new radio (NR) PC5 link, or the like) with the Remote UE.
  • NR new radio
  • a first option uses a Layer-2 UE-to-Network relay and a second option uses a Layer-3 UE-to-Network relay.
  • Both options provide network access service to the remote UE, with the difference that in the Layer 2 relay case the remote UE is registered to the 5G Core and has an Access Stratum (AS) security context established with a gNB in connected mode, whereas in the Layer 3 relay case the remote UE may be registered to the 5GC but does not have an AS security context. Both options require a PC5 unicast link between the remote UE and the UE-to-Network relay.
  • the layer-2 relay UE provides forwarding functionality, which can relay any type of traffic over the PC5 link.
  • security is enforced at a Packet Data Convergence Protocol (PDCP) layer between endpoints at the remote UE and the gNB.
  • PDCP Packet Data Convergence Protocol
  • the PDCP traffic is relayed securely over two links, one between the remote UE and the relay and the other between the relay and the gNB, without exposing any of the remote UE's plaintext data to the relay.
  • the Protocol data unit (PDU) layer corresponds to a PDU carried between the Remote UE and the Data Network (DN) over the PDU session.
  • the two endpoints of the PDCP link are the Remote UE and the gNB.
  • the relay function is performed under the PDCP. This means that data security is ensured between the Remote UE and the gNB without exposing raw data at the UE-to-Network Relay UE.
  • FIG. 3 illustrates a control plane (300) for L2 UE-to-Network Relay UE, according to the prior art.
  • Non-Access Stratum (NAS) messages are transparently transferred between the Remote UE and gNB over the Layer 2 UE-to-Network Relay UE using:
  • the protocol stack (400) for the Layer-3 UE-to-Network Relay is shown in FIG. 4. Hop-by-hop security is supported on the PC5 link and the Uu link.
  • a Session Management Function manages the entire lifecycle of the session.
  • the SMF (or SMF node) determines, at PDU session establishment, the UP security enforcement information for the user plane of a PDU session based on subscriber information from a UDM (or UDM entity), the UP security policy locally configured per DNN and/or slice in the SMF node, and/or the maximum supported data rate per UE for integrity protection per Data Radio Bearer (DRB).
  • DRB Data Radio Bearer
  • the SMF provides the UP security policy for a PDU session to the ng-eNB/gNB during the PDU session establishment procedure as specified in 3GPP Technical Specification (TS) 23.502.
  • the UP security policy indicates whether UP confidentiality and/or UP integrity protection is to be activated for all DRBs belonging to that PDU session.
  • the UP security policy is used to activate UP confidentiality and/or UP integrity for all DRBs belonging to the PDU session.
  • For Proximity Service (ProSe) unicast mode, 5G ProSe Direct Communication is used by two UEs that directly exchange traffic for the ProSe applications running between the peer UEs.
  • PC5 security policy provisioning is performed by the 5G Direct Discovery Name Management Function (5G DDNMF).
  • 5G DDNMF 5G Direct Discovery Name Management Function
  • the Policy Control Function (PCF) shall be able to provision the PC5 security policies to the UE per ProSe application during the service authorization and information provisioning procedure. If the UE receives PC5 security policies from the 5G DDNMF, the UE uses the PC5 security policies from the 5G DDNMF to establish PC5 unicast communication security instead of the PC5 security policies provisioned by the PCF or pre-configured in the UE.
  • PCF Policy Control Function
  • a principal object of the embodiments herein is to provide a method and a system for secure Multi-path transmission for ProSe in a telecommunication network.
  • Another object of the embodiments herein is to determine whether the ProSe multipath security policy received from at least one relay device is the same as the ProSe multipath security policy received for a second PDU session.
  • Another object of the embodiments herein is to perform the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session.
  • circuits may, for example, be embodied in one or more semiconductor chips, or on substrate supports such as printed circuit boards and the like.
  • circuits constituting a block may be implemented by dedicated hardware, or by a processor (e.g., one or more programmed microprocessors and associated circuitry), or by a combination of dedicated hardware to perform some functions of the block and a processor to perform other functions of the block.
  • a processor e.g., one or more programmed microprocessors and associated circuitry
  • Each block of the embodiments may be physically separated into two or more interacting and discrete blocks without departing from the scope of the disclosure.
  • the blocks of the embodiments may be physically combined into more complex blocks without departing from the scope of the disclosure.
  • Embodiments herein disclose a method for secure Multi-path transmission for ProSe in a telecommunication network.
  • the method includes initiating, by a UE in the telecommunication network, a ProSe multipath communication with at least one relay device in the telecommunication network.
  • the at least one relay device establishes a first PDU session with a network apparatus in the telecommunication network using a first link over a first network path.
  • the method includes establishing, by the UE, a second PDU session with a network apparatus using a second link over a second network path.
  • the method includes receiving, by the UE, a ProSe multipath security policy from a UDM associated with the network apparatus for the second PDU session.
  • the method includes receiving, by the UE, a ProSe multipath security policy from the network apparatus. Further, the method includes receiving, by the UE, a ProSe multipath security policy from the at least one relay device. Further, the method includes determining, by the UE, whether the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In an embodiment, the method includes performing the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the method includes rejecting the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is not the same as the ProSe multipath security policy received for the second PDU session.
  • the proposed method can be used to manage the security policy over the direct path (remote UE to NG-RAN via Uu) and the indirect path (remote UE to relay over PC5 and relay to NG-RAN over Uu) such that the same setting of encryption and/or integrity protection is applied.
  • security policy for each path and/or links is determined by same network function.
  • Referring now to FIGS. 9 through 19, preferred embodiments are shown.
  • Multi-path transmission using one direct network communication path and one indirect network communication path via a UE-to-Network Relay can be used to improve reliability or data rates for the remote UE.
  • the UE (102) can use path #1 and path #2 for multi-path transmission, where path #1 is direct network communication path, and path #2 is indirect network communication path with UE-to-Network Relay.
  • path #1 is direct network communication path
  • path #2 is indirect network communication path with UE-to-Network Relay.
  • Multi-Radio Dual Connectivity is dependent on whether the Remote UE has an AS connection or NAS connection with the Network.
  • Layer-3 Remote UE does not have a 5G connection when connected via Layer-3 UE-to-Network Relay without Non-3GPP Interworking Function (N3IWF).
  • N3IWF Non-3GPP Interworking Function
  • Application layer mechanisms are used to support multi-path transmission for Layer-3 Remote UE.
  • Application layer can decide when to setup the multi-path connectivity and how to aggregate/split the traffic on both paths.
  • when the Layer-3 Remote UE accesses the network via a Layer-3 UE-to-Network Relay with N3IWF support, it has a NAS connection with the 5GC and a PDU session is used for the application traffic.
  • Layer-2 Remote UE has a NAS connection and AS connection, similar to a UE connected directly to the network via Uu connectivity.
  • Multi-Radio Dual Connectivity (MR-DC) is supported in NG-RAN to allow multi-path transmission for a UE connected to the network via two access nodes. A similar approach can be introduced to support multi-path transmission for a CM-CONNECTED Layer-2 Remote UE that has an AS connection via a direct network communication path and an indirect network communication path.
  • the 5GS is already enhanced to support redundant transmission for high-reliability communication in the URLLC scenario, as described in 3GPP TS 23.501 and TS 33.501.
  • a UE supporting redundant transmission will set up two redundant PDU Sessions over the 5G network, and the 5GS sets up the user plane paths of the two redundant PDU Sessions.
  • the UE acts as a normal UE accessing its serving NG-RAN directly and as a Remote UE accessing the NG-RAN through a UE-to-Network relay (see FIG. 4).
  • two redundant PDU Sessions are established by interaction between the UE and the NG-RAN/5GC to transfer the data for the ProSe services with high reliability requirements.
  • one Remote UE has two active RRC and PDCP connections (direct Uu and indirect Uu via a relay).
  • NG-RAN may realize redundant user plane resources for the two PDU sessions with a single NG-RAN node, or by Dual Connectivity with two NG-RAN nodes.
  • FIG. 6 shows multi-path transmission using a direct Uu path and indirect network communication path.
  • the two redundant paths may go through two different NG-RANs (108a and 108b) or the same NG-RAN, depending on the scenario.
  • communication reliability at the RAN side already exists and is supported.
  • the NG-RAN (108a and 108b) needs to internally realize the communication reliability, e.g., by allocating different, redundant user plane resources for each user plane path, splitting the PDUs over the different paths, and realizing the same level of security protection or treatment for the redundant PDUs sent over the different paths.
  • the following issues are identified:
  • the 5GS provides multiple interfaces for ProSe communication between the UE, the relay UE and the network, such as PC5, Uu and N3. Traffic needs to be properly protected, especially on the air interface. There may be ProSe services that do not have or do not enable application-level security but want to leverage the security provided by the 5G system over PDCP. As a result, protection selection at the PDCP layer or the application layer needs to be investigated and managed to avoid situations such as unprotected ProSe traffic, traffic with redundant protection, or traffic with mismatched protection.
  • the system or the network should support means of enabling compatible levels or same setting of confidentiality and integrity protection over Uu links and PC5 links in support of end-to-end security objectives for relay communications.
  • a method is proposed for an L3 relay to realise the multipath redundant PDU session and to map the uplink data traffic onto the different paths.
  • with the remote UE connected to the network (900) via the L3 relay, it is understood from the protocol stack for the L3 relay that two PDU sessions are established with the NG-RAN:
  • PDU-1 Uu between remote UE and NG-RAN
  • PDU-2 Uu between L3 relay and NG-RAN
  • encryption should be enabled for redundant PDU transmission over the second path (indirect path) for the second PDU session, i.e., encryption should be enabled between the remote UE (102a) and the relay UE (102b), and between the relay UE (102b) and the NG-RAN (108a).
  • integrity protection should be enabled for redundant PDU transmission over the second path (indirect path) for the second PDU session, i.e., integrity protection should be enabled between the remote UE (102a) and the relay UE (102b), and between the relay UE (102b) and the NG-RAN (108).
  • a SMF (120) determines the security policy for both Uu links and PC5 links.
  • the SMF (120) determines at PDU session establishment a User Plane Security Enforcement information for the user plane of a PDU session.
  • a PC5 security policy per service/application/S-NSSAI is configured alongside the User Plane Security Policy that is locally configured per (DNN, S-NSSAI) in the SMF (120) and used when the UDM (122) does not provide User Plane Security Policy information, i.e., there is a one-to-one mapping between the security policy for both PDU sessions and the PC5 link.
  • the remote UE/5G ProSe UE-to-Network Relay can be configured to use a set of slices supporting Control Plane based security procedure.
  • An AMF (118) supporting Control Plane based security procedure for 5G ProSe UE-to-Network Relay is selected as part of the slice.
  • the SMF (120) is configured with the security policy based on per remote UE/relay UE per S-NSSAI/set of slices supporting CP based security procedure.
  • the NG-RAN (108) and the remote UE (102a)/relay UE (102b) should ensure that the first PDU path and the redundant PDU session path have the same UP security activation status.
  • when the security policy is set to "preferred", the security activation is handled as follows. That is, if the "Preferred" option of the UP security policy is allowed, the following enhancements to the mechanism described for URLLC apply:
  • the NG-RAN (108) makes the decision on UP encryption protection and integrity protection according to the UP security policy for these two multipath/redundant PDU transmissions.
  • if, for example, the security policy says "preferred" and the NG-RAN decides to enable encryption and/or integrity protection, the NG-RAN stores the applied UP security activation status used for the DRBs established for the first PDU session between the MN and the UE and indicates that security activation to the relay UE on the indirect path.
  • the relay UE (102b) uses the UP security activation status received from the MN to activate UP security over PC5 for the DRBs established for the redundant PDU session between the remote UE and the NG-RAN via the relay UE.
  • in another embodiment, the MN forwards the UP security policy to the relay UE, and the relay UE uses the UP security activation status received from the MN to activate UP security over PC5 for the DRBs established for the redundant PDU session between the remote UE and the NG-RAN via the relay UE.
  • FIG. 9 illustrates the scenario in which SMF determines the security policy for both Uu links and PC5 links. Steps of operations are explained below:
  • the remote UE (102a) discovers the relay UE (102b) using the Model-A or Model-B discovery procedure as specified in TS 33.503. In an embodiment, the remote UE (102a) sends an indication about multipath ProSe transmission in the direct communication request to the relay UE (102b).
  • the UDM (122) is configured with security policy for ProSe multipath transmission. This security policy is specific for ProSe multipath transmission and is different/separate from the UP security policy for Uu. In another embodiment, this security policy is mapped one-to-one with the UP security policy for Uu.
  • the Relay UE (102b) is authenticated and authorized by the network to act as relay, as specified in TS 33.503.
  • the remote UE (102a) and the relay UE (102b) initiate the PDU session establishment procedure with the NG-RAN (108).
  • the two redundant PDU sessions are marked as PDU1 session and PDU2 session.
  • the AMF (118) selects the SMF supporting ProSe multipath transmission.
  • the SMF (120) retrieves the subscription data from the UDM (122).
  • the subscription data includes at least one of: a ProSe multipath security policy per Relay Service Code, a ProSe multipath security policy per S-NSSAI, and/or an indication to set the same security protection over path 1, path 2 and the PC5 link.
  • the SMF (120) sends the ProSe multipath security policy to the MN (116), where the MN (116) sends the received security policy to the relay UE (102b) during RRC connection reconfiguration procedure.
  • the Relay UE (102b) receives the security policy and stores it temporarily for the session.
  • the Relay UE (102b) sends the received security policy to the remote UE (102a).
  • the remote UE (102a) checks whether the security policy setting is the same as that applied for PDU2.
  • the remote UE determines the security policy and/or the security protection activation/deactivation over the direct path and sets the same security protection over the PC5 link.
  • the remote UE sends the remote UE security capabilities and the remote UE security policy determined over the direct path in the Direct Communication Request (DCR).
  • the NG-RAN (108) sends the ProSe multipath security policy to the relay UE (102b).
  • the remote UE (102a) sends the Direct Communication Request (including the Remote UE security capabilities and the Remote UE security policy based on the direct path) to the relay UE (102b).
  • direct authentication and key establishment is performed between the remote UE (102a) and the relay UE (102b).
  • the relay UE (102b) sends the Direct Security Mode Command (including the remote UE security capabilities, the Remote UE security policy, and the security policy applied over Uu) to the remote UE (102a).
  • the relay UE (102b) is ready to receive user plane and signalling with the new context.
  • the remote UE (102a) is ready to send and receive user plane and signalling with the new context.
  • the Direct Security Mode Complete is exchanged between the relay UE (102b) and the remote UE (102a).
  • the relay UE (102b) sends user plane and signalling with the new context and deletes the old context.
  • the relay UE checks whether the security policy sent in the DCR and the security protection set over Uu between the relay and the NG-RAN (Master Node) are the same. In an embodiment, if verified successfully, the relay UE sends the security policy applied over Uu along with the remote UE security capabilities and the remote UE security policy determined over the direct path that it received in the Direct Communication Request (DCR). In another embodiment, if verified successfully, the relay UE sends a non-NULL security algorithm as the Chosen_algs, which indicates that the corresponding security protection is activated and which security algorithm the UEs will use to protect the data in the message; a NULL security algorithm in the Chosen_algs indicates that the corresponding protection is not applied. The relay UE returns the remote UE's security capabilities and security policy so that the remote UE can verify they were not modified in transit, which provides protection against bidding-down attacks.
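The PC5 exchange above (Direct Communication Request, then Direct Security Mode Command) and the two checks it carries, the relay's comparison of the remote UE's policy with the protection set over its own Uu leg and the remote UE's verification of the echoed capabilities and policy, as an added example written for this page; it is not code from the patent. Message fields are plain dicts, the algorithm names are the 5G NEA/NIA identifiers, and the relay's preference order, the tamper() helper standing in for a man-in-the-middle on PC5, and all function names are assumptions made here. The integrity protection of the DSMC itself, which is what makes the echo trustworthy, is not modelled.

```python
"""Added example (not from the patent): DCR / DSMC exchange on PC5 with
policy-match and bidding-down checks. Names and message shapes are assumed."""
from enum import Enum


class Policy(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


NULL_CIPH, NULL_INTEG = "NEA0", "NIA0"
RELAY_PREF_CIPH = ["NEA2", "NEA1", "NEA3"]    # assumed relay-side priority order
RELAY_PREF_INTEG = ["NIA2", "NIA1", "NIA3"]


def build_dcr(caps, policy, multipath=True):
    """Remote UE -> relay UE. policy = (ciphering, integrity) of the direct path."""
    return {"caps": frozenset(caps), "policy": policy, "multipath": multipath}


def choose_alg(policy, remote_caps, pref_order, null_alg):
    """Non-NULL algorithm when protection is active, NULL when not needed.
    REQUIRED with no common non-NULL algorithm cannot be satisfied -> None."""
    if policy is Policy.NOT_NEEDED:
        return null_alg
    for alg in pref_order:
        if alg in remote_caps:
            return alg
    return null_alg if policy is Policy.PREFERRED else None


def relay_handle_dcr(dcr, uu_policy):
    """Relay UE: compare the DCR policy with the protection set over its own Uu,
    then answer with a DSMC that echoes the received capabilities and policy
    and states the chosen algorithms (NULL = protection not applied)."""
    if dcr["multipath"] and dcr["policy"] != uu_policy:
        return {"reject": "policy mismatch between direct path and relay Uu"}
    ciph = choose_alg(uu_policy[0], dcr["caps"], RELAY_PREF_CIPH, NULL_CIPH)
    integ = choose_alg(uu_policy[1], dcr["caps"], RELAY_PREF_INTEG, NULL_INTEG)
    if ciph is None or integ is None:
        return {"reject": "REQUIRED protection but no common non-NULL algorithm"}
    return {"echo_caps": dcr["caps"], "echo_policy": dcr["policy"],
            "uu_policy": uu_policy, "chosen_algs": (ciph, integ)}


def remote_check_dsmc(dsmc, sent_dcr, direct_policy):
    """Remote UE: accept the connection only if every check passes."""
    if "reject" in dsmc:
        return False, dsmc["reject"]
    if dsmc["echo_caps"] != sent_dcr["caps"] or dsmc["echo_policy"] != sent_dcr["policy"]:
        return False, "bidding down: echoed capabilities/policy differ from what was sent"
    if dsmc["uu_policy"] != direct_policy:
        return False, "security policy over Uu differs from direct-path policy"
    ciph, integ = dsmc["chosen_algs"]
    for pol, alg, null in ((direct_policy[0], ciph, NULL_CIPH), (direct_policy[1], integ, NULL_INTEG)):
        if pol is Policy.REQUIRED and alg == null:
            return False, f"REQUIRED protection but NULL algorithm {alg} chosen"
        if alg not in sent_dcr["caps"]:
            return False, f"chosen algorithm {alg} not in own capabilities"
    return True, "accept"


def tamper(dcr, keep_only):
    """Constructed attack input: an on-path attacker strips algorithms from the DCR."""
    return {**dcr, "caps": frozenset(a for a in dcr["caps"] if a in keep_only)}


def run(remote_caps, direct_policy, uu_policy, attacker_keep=None):
    """Full exchange; returns (accepted, reason) from the remote UE's point of view."""
    dcr = build_dcr(remote_caps, direct_policy)
    on_the_wire = tamper(dcr, attacker_keep) if attacker_keep else dcr
    dsmc = relay_handle_dcr(on_the_wire, uu_policy)
    return remote_check_dsmc(dsmc, dcr, direct_policy)


if __name__ == "__main__":
    REQ = (Policy.REQUIRED, Policy.REQUIRED)
    CAPS = {"NEA0", "NEA1", "NEA2", "NIA0", "NIA1", "NIA2"}
    print(run(CAPS, REQ, REQ))
    print(run(CAPS, REQ, REQ, attacker_keep={"NEA0", "NEA1", "NIA0", "NIA1"}))
```

The stripped-capabilities case shows why the echo matters: the relay still finds a non-NULL algorithm (NEA1/NIA1) and would happily proceed, and only the remote UE, comparing the echoed set with what it actually sent, sees that it was bid down.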
  • the security policy indicates the following:
  • REQUIRED means the UE/NG-RAN should accept the connection only if a non-NULL confidentiality or integrity algorithm is used for protection of the traffic.
  • PREFERRED means that, for all the traffic on the PDU Session, UP integrity protection should apply (based on UP security policy enforcement).
  • PREFERRED means that the UE may try to establish security but will accept the connection with no security.
  • PREFERRED is used to enable a security policy to be changed without updating all UEs at once (based on the security policy for the PC5 interface as defined in TS 33.536).
  • ProSe multipath security policy indicates only the following setting of security protection to avoid any chances of mismatch between both paths:
  • REQUIRED means the UE/NG-RAN should accept the connection only if a non-NULL confidentiality or integrity algorithm is used for protection of the traffic.
  • the security policy of the NG-RAN for ProSe multipath transmission is set to REQUIRED. It is recommended to set this security policy to REQUIRED in order to guarantee security protection over both redundant paths. If the security policy enforcement information sent from the SMF to the MN is set to PREFERRED, then the MN chooses a security activation status and informs the Secondary Node of it. In an embodiment, the PREFERRED option is not given to the relay UE, i.e., the DRBs established for the first PDU session and for the second PDU session use the same security activation status, which avoids the mismatched-protection issue.
  • the security protection i.e., encryption and/or integrity protection is always activated for ProSe multipath transmission.
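The "preferred" handling and the REQUIRED-only ProSe multipath policy described above, as an added example written for this page rather than code from the patent: it shows how a PREFERRED policy resolved independently by two NG-RAN nodes can leave the direct and indirect paths with different protection, how letting the MN resolve it once and push the resulting activation status to the SN and the relay UE keeps the three legs consistent, and how the ProSe multipath policy refuses anything other than REQUIRED up front. The policy values follow the TS 23.501 / TS 33.536 vocabulary; the per-node "preference" flags used to resolve PREFERRED, the dict-shaped messages and the function names are assumptions made here.

```python
"""Added example (not from the patent): one UP security activation status for
both redundant paths. Node preference flags and function names are assumed."""
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class UpPolicy:
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class Activation:
    ciphering: bool
    integrity: bool


def resolve(policy: Policy, node_prefers_on: bool) -> bool:
    """One policy value -> on/off. Only PREFERRED leaves the node a choice;
    node_prefers_on stands in for the node's local operator configuration."""
    if policy is Policy.REQUIRED:
        return True
    if policy is Policy.NOT_NEEDED:
        return False
    return node_prefers_on


def decide(policy: UpPolicy, *, ciph_on: bool, integ_on: bool) -> Activation:
    return Activation(resolve(policy.ciphering, ciph_on), resolve(policy.integrity, integ_on))


def uncoordinated(policy: UpPolicy, mn_prefs: dict, sn_prefs: dict):
    """Each NG-RAN node resolves PREFERRED on its own; the relay mirrors its own
    Uu leg over PC5. Different local preferences give mismatched paths."""
    direct = decide(policy, **mn_prefs)
    indirect_uu = decide(policy, **sn_prefs)
    pc5 = indirect_uu
    return direct, indirect_uu, pc5


def coordinated(policy: UpPolicy, mn_prefs: dict):
    """The MN resolves PREFERRED once, stores the status applied to the first
    PDU session's DRBs, and indicates it to the SN and the relay UE, which
    apply it verbatim on the relay Uu leg and over PC5."""
    direct = decide(policy, **mn_prefs)
    indirect_uu = direct
    pc5 = direct
    return direct, indirect_uu, pc5


def consistent(direct: Activation, indirect_uu: Activation, pc5: Activation) -> bool:
    """The page's invariant: first path and redundant path share one activation status."""
    return direct == indirect_uu == pc5


def prose_multipath_policy_ok(policy: UpPolicy) -> bool:
    """The ProSe multipath policy admits only REQUIRED, so PREFERRED is never
    handed to the relay UE and no per-node choice can diverge."""
    return policy.ciphering is Policy.REQUIRED and policy.integrity is Policy.REQUIRED


def negotiate(policy: UpPolicy, mn_prefs: dict, *, prose_multipath: bool):
    """Entry point: reject a non-REQUIRED ProSe multipath policy, otherwise run
    the MN-driven procedure and return the (direct, indirect_uu, pc5) triple."""
    if prose_multipath and not prose_multipath_policy_ok(policy):
        raise ValueError("ProSe multipath security policy must be REQUIRED for ciphering and integrity")
    return coordinated(policy, mn_prefs)


if __name__ == "__main__":
    pref = UpPolicy(Policy.PREFERRED, Policy.PREFERRED)
    mn = dict(ciph_on=True, integ_on=True)
    sn = dict(ciph_on=True, integ_on=False)     # SN would skip integrity on its own
    print("uncoordinated consistent:", consistent(*uncoordinated(pref, mn, sn)))
    print("coordinated consistent:", consistent(*coordinated(pref, mn)))
```

The uncoordinated branch is the failure the text warns about: with PREFERRED and an SN configured to leave integrity off, the direct path is ciphered and integrity protected while the redundant path carries unprotected-integrity PDUs of the same flow.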
  • UDM determines the security policy for both Uu links and PC5 links.
  • the subscribed User Plane Security Policy is part of the SM subscription information received from the UDM. Similarly to the UP security policy, a PC5 security policy per service/application/S-NSSAI/Relay Service Code (RSC) is carried along with the User Plane Security Policy as part of the SM subscription information, which is per (DNN, S-NSSAI).
  • if the remote UE/5G ProSe UE-to-Network Relay is configured to use a set of slices supporting the Control Plane based security procedure, the SM subscription information should contain the security policy per remote UE/relay UE per S-NSSAI/set of slices supporting the CP based security procedure.
  • the gNB determines the security protection over Uu to be activated/deactivated.
  • the gNB reports the security protection to the relay UE.
  • the relay UE sends the information about the security protection applied over Uu to the remote UE.
  • the remote UE follows or applies the same setting of encryption and/or integrity protection over PC5 as well.
  • the relay UE reports the security activation status to the NG-RAN in RRC connection reconfiguration complete message, as shown in FIG. 11.
  • the NG-RAN (108) sends the RRC connection reconfiguration to the relay UE (102b).
  • the remote UE (102a) sends the Direct Communication Request (including the Remote UE security capabilities and the Remote UE security policy based on the direct path) to the relay UE (102b).
  • direct authentication and key establishment is performed between the remote UE (102a) and the relay UE (102b).
  • the relay UE (102b) sends the Direct Security Mode Command (including the remote UE security capabilities, the Remote UE security policy, and the security policy applied over Uu) to the remote UE (102a).
  • the relay UE (102b) is ready to receive user plane and signalling with the new context.
  • the remote UE (102a) is ready to send and receive user plane and signalling with the new context.
  • the Direct Security Mode Complete is exchanged between the relay UE (102b) and the remote UE (102a).
  • the relay UE (102b) sends user plane and signalling with the new context and deletes the old context.
  • the relay UE (102b) sends RRC Reconfiguration Complete (including the security activation status over PC5) to the NG-RAN (108).
  • the NG-RAN decides the security protection activation/deactivation over the Uu link between the NG-RAN and the remote UE and over the Uu link between the NG-RAN and the relay UE. In another embodiment, if the endpoints are different, i.e., different gNBs, the SMF sends the same set of security policies to both NG-RANs.
  • the PCF determines the security policy for both Uu links and PC5 links.
  • PCF provides the security policy in the PCC rules to the SMF.
  • these PCC rules contain the security policy for the ProSe multipath transmission service.
  • the PCF provides and/or determines the security policy for both paths such that the same setting of encryption and integrity protection applies to both PDU sessions.
  • a selective security protection enablement over different protocol layers is proposed.
  • This alternative describes enabling and/or disabling security protection at the application layer and at the PDCP layer during ProSe multipath transmission and/or a ProSe service when connected to the network via a Layer-2/3 relay UE.
  • the PCF determines whether to provision the Multi-path policy to a UE accessing a Layer-2 or Layer-3 UE-to-Network Relay, based on the 5G ProSe Layer-2 or Layer-3 Remote UE capability received from the AMF.
  • the PCF also determines that Multi-Path PDU Sessions via direct Uu and a Layer-2/3 UE-to-Network Relay are preferred by the UE.
  • the PCF includes an additional indication in the URSP rule to indicate the preferred security protection based on the UE and network security capabilities.
  • Table 1 below shows Route Selection Descriptor with additional IE (clause 6.6.2, Table 6.6.2.1-2, TS 23.503).
  • Table 2 below provides an illustrative example of URSP rules for ProSe multi-path transmission.
  • the access type preference IE indicates that ProSe multi-path PDU Sessions via direct Uu and a Layer-2/3 UE-to-Network Relay are preferred by the UE.
  • the security capabilities IE indicates the preference for security protection at the application layer and/or the PDCP layer.
  • the UE indicates whether it supports protection at the application layer and/or the PDCP layer in the Multi-path policy provisioning request in the UE Policy Container, via a security capabilities indication.
  • the UE includes the indication of its security capabilities during the PDU session establishment procedure, the PDU Session Modification Request, the SMC procedure or the Registration procedure.
  • the subscribed User Plane Security Policy, which is part of the SM subscription information received from the UDM, includes an indication that ProSe multi-path PDU Sessions via direct Uu and a Layer-2/3 UE-to-Network Relay are authorized and preferred by the UE.
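The layer selection this alternative describes, as an added example written for this page and not code from the patent: the UE reads the URSP Route Selection Descriptor's access type preference and security capabilities IE, chooses the protection layer (application or PDCP) that both the PCF preference and its own declared capabilities allow, applies it to both redundant paths, and then audits the resulting plan for the three failure modes listed earlier on the page (unprotected traffic, redundant protection, mismatched protection between paths). The RSD field names, the "app"/"pdcp" capability vocabulary and the function names are assumptions made here; the page only says an additional IE carries the preference.

```python
"""Added example (not from the patent): choose app-layer vs PDCP protection
from the URSP RSD and the UE's capabilities, then audit the per-path plan.
Field names, vocabulary and function names are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Set

LAYERS = ("app", "pdcp")


@dataclass(frozen=True)
class PathProtection:
    name: str
    app: bool     # application-level security enabled for this service
    pdcp: bool    # PDCP ciphering + integrity activated for this path


def select_layer(ue_caps: Set[str], rsd: dict) -> Optional[str]:
    """Pick one protection layer: the PCF's preference if the UE supports it,
    otherwise any layer the UE supports; None when nothing can protect the flow."""
    if rsd.get("access_type_preference") != "prose_multipath":
        return None
    preferred = rsd.get("security_capabilities")
    if preferred in ue_caps:
        return preferred
    for layer in LAYERS:
        if layer in ue_caps:
            return layer
    return None


def build_plan(layer: Optional[str], paths=("direct_uu", "relay_uu+pc5")) -> List[PathProtection]:
    """Apply one layer choice uniformly to both redundant paths."""
    return [PathProtection(p, app=(layer == "app"), pdcp=(layer == "pdcp")) for p in paths]


def audit(plan: List[PathProtection]) -> List[str]:
    """Return the problems in a per-path plan: unprotected, redundant, mismatched."""
    problems = []
    for p in plan:
        if not (p.app or p.pdcp):
            problems.append(f"{p.name}: unprotected")
        if p.app and p.pdcp:
            problems.append(f"{p.name}: redundant protection (app + PDCP)")
    if len({(p.app, p.pdcp) for p in plan}) > 1:
        problems.append("mismatched protection between paths")
    return problems


if __name__ == "__main__":
    rsd = {"access_type_preference": "prose_multipath", "security_capabilities": "pdcp"}
    layer = select_layer({"app", "pdcp"}, rsd)
    print(layer, audit(build_plan(layer)))
    # a hand-built plan that protects the two paths at different layers
    bad = [PathProtection("direct_uu", app=True, pdcp=False),
           PathProtection("relay_uu+pc5", app=False, pdcp=True)]
    print(audit(bad))
```

The audit is where a UE or a test harness would stop a session before traffic flows: a plan that protects the direct path at the application layer and the relay path at PDCP is exactly the "mismatched protection" case, and a UE that advertised no supported layer ends up with an explicitly unprotected plan rather than a silently unprotected one.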
  • FIG. 12 shows various hardware components of the UE (102), according to the embodiments as disclosed herein.
  • the UE (102) includes a processor (1210), a communicator (1220), a memory (1230) and a Prose multipath communication controller (1240).
  • the processor (1210) is coupled with the communicator (1220), the memory (1230) and the Prose multipath communication controller (1240).
  • the Prose multipath communication controller (1240) initiates the ProSe multipath communication with the relay device (102b) in the telecommunication network (900).
  • the relay device (102b) establishes the first PDU session with the network apparatus in the telecommunication network (900) using the first link over the first network path.
  • the Prose multipath communication controller (1240) establishes the second PDU session with the network apparatus using the second link over the second network path.
  • the Prose multipath communication controller (1240) receives a ProSe multipath security policy from the UDM node (122) associated with the network apparatus for the second PDU session.
  • the Prose multipath communication controller (1240) receives the ProSe multipath security policy from the network apparatus.
  • the Prose multipath communication controller (1240) receives a ProSe multipath security policy from the relay device (102b). Further, the Prose multipath communication controller (1240) determines whether the ProSe multipath security policy received from the relay device (102b) is the same as the ProSe multipath security policy received for the second PDU session. In an embodiment, the Prose multipath communication controller (1240) performs the ProSe multipath communication with the relay device (102b) when the ProSe multipath security policy received from the relay device (102b) is the same as the ProSe multipath security policy received for the second PDU session.
  • the Prose multipath communication controller (1240) rejects the ProSe multipath communication with the relay device (102b) when the ProSe multipath security policy received from the relay device (102b) is not the same as the ProSe multipath security policy received for the second PDU session.
  • the Prose multipath communication controller (1240) performs the ProSe multipath communication with the relay device (102b) using the first link over the first network path and the PDU data transfer with the network device using the second link over the second network path.
  • the ProSe multipath communication with the relay device (102b) and the PDU data transfer with the network device are performed using the same ProSe multipath security policy.
  • the Prose multipath communication controller (1240) is implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware.
  • the processor (1210) may include one or a plurality of processors.
  • the one or the plurality of processors may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an AI-dedicated processor such as a neural processing unit (NPU).
  • the processor (1210) may include multiple cores and is configured to execute the instructions stored in the memory (1230).
  • the processor (1210) is configured to execute instructions stored in the memory (1230) and to perform various processes.
  • the communicator (1220) is configured for communicating internally between internal hardware components and with external devices via one or more networks.
  • the memory (1230) also stores instructions to be executed by the processor (1210).
  • the memory (1230) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories.
  • the memory (1230) may, in some examples, be considered a non-transitory storage medium.
  • non-transitory may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term “non-transitory” should not be interpreted that the memory (1230) is non-movable.
  • a non-transitory storage medium may store data that can, over time, change (e.g., in Random Access Memory (RAM) or cache).
  • FIG. 12 shows various hardware components of the UE (102), but it is to be understood that other embodiments are not limited thereto.
  • the UE (102) may include fewer or more components.
  • the labels or names of the components are used only for illustrative purposes and do not limit the scope of the invention.
  • one or more components can be combined to perform the same or a substantially similar function in the UE (102).
  • FIG. 13 shows various hardware components of the relay device (102b), according to the embodiments as disclosed herein.
  • the relay device (102b) includes a processor (1310), a communicator (1320), a memory (1330) and a Prose multipath communication controller (1340).
  • the processor (1310) is coupled with the communicator (1320), the memory (1330) and the Prose multipath communication controller (1340).
  • the Prose multipath communication controller (1340) receives the multipath ProSe communication message from the UE (102). Further, the Prose multipath communication controller (1340) sends the authentication and authorization message for the multipath ProSe communication to the SMF node (120) in the telecommunication network (900). Further, the Prose multipath communication controller (1340) establishes the first PDU session with the AMF node (118) associated with the network apparatus using the first link over the first network path after successful authentication and authorization of the relay device (102b) at the SMF node (120). Further, the Prose multipath communication controller (1340) receives an RRC message comprising the ProSe multipath security policy from the MN (116) associated with the network apparatus.
  • the Prose multipath communication controller (1340) stores the ProSe multipath security policy in the memory (1330) for a temporary period of time. Further, the Prose multipath communication controller (1340) sends the ProSe multipath security policy to the UE (102).
  • the Prose multipath communication controller (1340) is implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware.
  • the processor (1310) may include one or a plurality of processors.
  • the one or the plurality of processors may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an AI-dedicated processor such as a neural processing unit (NPU).
  • the processor (1310) may include multiple cores and is configured to execute the instructions stored in the memory (1330).
  • the processor (1310) is configured to execute instructions stored in the memory (1330) and to perform various processes.
  • the communicator (1320) is configured for communicating internally between internal hardware components and with external devices via one or more networks.
  • the memory (1330) also stores instructions to be executed by the processor (1310).
  • the memory (1330) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories.
  • the memory (1330) may, in some examples, be considered a non-transitory storage medium.
  • non-transitory may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term “non-transitory” should not be interpreted that the memory (1330) is non-movable. In certain examples, a non-transitory storage medium may store data that can, over time, change (e.g., in Random Access Memory (RAM) or cache).
  • FIG. 13 shows various hardware components of the relay device (102b), but it is to be understood that other embodiments are not limited thereto.
  • the relay device (102b) may include fewer or more components.
  • the labels or names of the components are used only for illustrative purposes and do not limit the scope of the invention.
  • one or more components can be combined to perform the same or a substantially similar function in the relay device (102b).
  • FIG. 14 shows various hardware components of the AMF node (118), according to the embodiments as disclosed herein.
  • the AMF node (118) includes a processor (1410), a communicator (1420), a memory (1430) and a Prose multipath communication controller (1440).
  • the processor (1410) is coupled with the communicator (1420), the memory (1430) and the Prose multipath communication controller (1440).
  • the Prose multipath communication controller (1440) selects an SMF supporting ProSe multipath transmission during the authentication and authorization of the relay UE (102b) by the SMF node (120). Further, the Prose multipath communication controller (1440) sends the PDU session request message to the selected SMF node (120) supporting ProSe multipath transmission.
  • the Prose multipath communication controller (1440) is implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware.
  • the processor (1410) may include one or a plurality of processors.
  • the one or the plurality of processors may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an AI-dedicated processor such as a neural processing unit (NPU).
  • the processor (1410) may include multiple cores and is configured to execute the instructions stored in the memory (1430).
  • the processor (1410) is configured to execute instructions stored in the memory (1430) and to perform various processes.
  • the communicator (1420) is configured for communicating internally between internal hardware components and with external devices via one or more networks.
  • the memory (1430) also stores instructions to be executed by the processor (1410).
  • the memory (1430) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories.
  • the memory (1430) may, in some examples, be considered a non-transitory storage medium.
  • non-transitory may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term “non-transitory” should not be interpreted that the memory (1430) is non-movable.
  • a non-transitory storage medium may store data that can, over time, change (e.g., in Random Access Memory (RAM) or cache).
  • FIG. 14 shows various hardware components of the AMF node (118), but it is to be understood that other embodiments are not limited thereto.
  • the AMF node (118) may include fewer or more components.
  • the labels or names of the components are used only for illustrative purposes and do not limit the scope of the invention.
  • one or more components can be combined to perform the same or a substantially similar function in the AMF node (118).
  • FIG. 15 shows various hardware components of the SMF node (120), according to the embodiments as disclosed herein.
  • the SMF node (120) includes a processor (1510), a communicator (1520), a memory (1530) and a Prose multipath communication controller (1540).
  • the processor (1510) is coupled with the communicator (1520), the memory (1530) and the Prose multipath communication controller (1540).
  • the Prose multipath communication controller (1540) receives the request to establish the multipath ProSe communication from the relay device (102b). Further, the Prose multipath communication controller (1540) authenticates and authorizes the relay device (102b) based on the request. Further, the Prose multipath communication controller (1540) receives the PDU session request message, addressed to the SMF supporting ProSe multipath transmission, from the AMF node (118). Further, the Prose multipath communication controller (1540) sends a request to retrieve subscription information to the UDM node (122) associated with the network apparatus. Further, the Prose multipath communication controller (1540) receives the retrieved subscription information comprising the ProSe multipath security policy from the UDM node (122). Further, the Prose multipath communication controller (1540) sends the ProSe multipath security policy received from the UDM node (122) to the master node (116).
  • the Prose multipath communication controller (1540) is implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware.
  • the processor (1510) may include one or a plurality of processors.
  • the one or the plurality of processors may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an AI-dedicated processor such as a neural processing unit (NPU).
  • the processor (1510) may include multiple cores and is configured to execute the instructions stored in the memory (1530).
  • the processor (1510) is configured to execute instructions stored in the memory (1530) and to perform various processes.
  • the communicator (1520) is configured for communicating internally between internal hardware components and with external devices via one or more networks.
  • the memory (1530) also stores instructions to be executed by the processor (1510).
  • the memory (1530) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories.
  • the memory (1530) may, in some examples, be considered a non-transitory storage medium.
  • non-transitory may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term “non-transitory” should not be interpreted that the memory (1530) is non-movable.
  • a non-transitory storage medium may store data that can, over time, change (e.g., in Random Access Memory (RAM) or cache).
  • FIG. 15 shows various hardware components of the SMF node (120), but it is to be understood that other embodiments are not limited thereto.
  • the SMF node (120) may include fewer or more components.
  • the labels or names of the components are used only for illustrative purposes and do not limit the scope of the invention.
  • one or more components can be combined to perform the same or a substantially similar function in the SMF node (120).
  • FIG. 16 is a flow chart (S1600) illustrating a method, implemented by the UE (102), for secure Multi-path transmission for ProSe in the telecommunication network (900), according to the embodiments as disclosed herein.
  • the telecommunication network (900) can be, for example but not limited to, a fourth generation (4G) network, a fifth generation (5G) network, an Open Radio Access Network (O-RAN), or a sixth generation (6G) network.
  • the operations (S1602-S1616) are handled by the Prose multipath communication controller (1240).
  • the method includes initiating the ProSe multipath communication with the relay device (102b).
  • the relay device (102b) establishes the first PDU session with the network apparatus using the first link over the first network path.
  • the method includes establishing the second PDU session with the network apparatus using the second link over the second network path.
  • the method includes receiving the ProSe multipath security policy from the UDM (122) associated with the network apparatus for the second PDU session.
  • the method includes receiving the ProSe multipath security policy from the network apparatus.
  • the method includes receiving the ProSe multipath security policy from the relay device (102b).
  • the method includes determining whether the ProSe multipath security policy received from the relay device (102b) is the same as the ProSe multipath security policy received for the second PDU session. In an embodiment, at step S1614, the method includes performing the ProSe multipath communication with the relay device (102b) when the ProSe multipath security policy received from the relay device (102b) is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the method includes rejecting the ProSe multipath communication with the relay device (102b) when the ProSe multipath security policy received from the relay device (102b) is not the same as the ProSe multipath security policy received for the second PDU session.
  • FIG. 17 is a flow chart (S1700) illustrating a method, implemented by the relay device (102b), for secure Multi-path transmission for the ProSe in the telecommunication network (900), according to the embodiments as disclosed herein.
  • the operations (S702-S1712) are handled by the Prose multipath communication controller (1340).
  • the method includes receiving the multipath ProSe communication message from the UE (102).
  • the method includes sending the authenticated and authorized message for the multipath ProSe communication to the SMF node (120).
  • the method includes establishing the first PDU session with the AMF node (118) associated with the network apparatus using the first link over the first network path after successful authentication and authorization of the relay device (102b) at the SMF node (120).
  • the method includes receiving the RRC message comprising the ProSe multipath security policy from the MN (116) associated with the network apparatus.
  • the method includes storing the ProSe multipath security policy in the memory (1330) of the relay device (102b) for the temporary period of time.
  • the method includes sending the ProSe multipath security policy to the UE (102).
  • FIG. 18 is a flow chart (S1800) illustrating a method, implemented by the AMF node (118), for secure Multi-path transmission for ProSe in the telecommunication network (900), according to the embodiments as disclosed herein.
  • the operations (S1802-S1804) are handled by the Prose multipath communication controller (1440).
  • the method includes selecting the SMF node supporting ProSe multipath transmission during the authentication and authorization of the relay UE (102b) by the SMF node (120).
  • the method includes sending the PDU session request message comprising the SMF supporting ProSe multipath transmission to the SMF node (120).
  • FIG. 19 is a flow chart (S1900) illustrating a method, implemented by the SMF node (120), for secure Multi-path transmission for ProSe in the telecommunication network (900), according to the embodiments as disclosed herein.
  • the operations (S1902-S1912) are handled by the Prose multipath communication controller (1540).
  • the method includes receiving the request to establish the multipath ProSe communication from the relay device (102b).
  • the method includes authenticating and authorizing the relay device (102b) based on the request.
  • the method includes receiving the PDU session request message comprising the SMF supporting ProSe multipath transmission from the AMF node (118).
  • the method includes sending the request to retrieve subscription information to the UDM node (122) associated with the network apparatus.
  • the method includes receiving the retrieved subscription information comprising the ProSe multipath security policy from the UDM node (122).
  • the method includes sending the ProSe multipath security policy received from the UDM node to the master node (116).
  • FIG. 20 is a block diagram illustrating a terminal (or a user equipment (UE)), according to the embodiments as disclosed herein.
  • a terminal may include a transceiver 2010, a memory 2020, and a processor (or a controller) 2030.
  • the transceiver 2010, the memory 2020, and the processor (or controller) 2030 of the terminal may operate according to a communication method of the terminal described above.
  • the components of the terminal are not limited thereto.
  • the terminal may include more or fewer components than those described in FIG. 20.
  • the processor (or controller) 2030, the transceiver 2010, and the memory 2020 may be implemented as a single chip.
  • the processor (or controller) 2030 may include at least one processor.
  • the UE of FIG. 20 corresponds to the UE (102) of FIG. 1, FIG. 5, FIG. 6, FIG. 8B, FIG. UE-to-network relay-1 (104a) and network relay-2 (104b) of FIG. 1, remote UE of FIG. 2, FIG. 3, FIG. 4, UE-to-network relay PC5 of FIG. 2, FIG. 3, UE-NW relay of FIG. 4, UE-to-network relay (104) of FIG. 5, FIG. 6, FIG. 7, FIG. 8A, FIG. 8B, remote UE (102a) of FIG. 7, FIG. 8A, FIG. 9, FIG. 10, FIG. 11, relay UE (102b) of FIG. 9, FIG. 10, FIG. 11, or relay device (102b) of FIG. 13.
  • the transceiver 2010 collectively refers to a terminal station receiver and a terminal transmitter, and may transmit/receive a signal to/from a base station or another terminal.
  • the signal transmitted or received to or from the terminal may include control information and data.
  • the transceiver 2010 may include an RF transmitter for up-converting and amplifying the frequency of a transmitted signal, and an RF receiver for low-noise amplifying and down-converting the frequency of a received signal.
  • the transceiver 2010 may receive and output, to the processor (or controller) 2030, a signal through a wireless channel, and transmit a signal output from the processor (or controller) 2030 through the wireless channel.
  • the memory 2020 may store a program and data required for operations of the terminal. Also, the memory 2020 may store control information or data included in a signal obtained by the terminal.
  • the memory 2020 may be a storage medium, such as read-only memory (ROM), random access memory (RAM), a hard disk, a CD-ROM, and a DVD, or a combination of storage media.
  • the processor (or controller) 2030 may control a series of processes such that the terminal operates as described above. For example, the processor (or controller) 2030 may receive a data signal and/or a control signal, and the processor (or controller) 2030 may determine a result of receiving the signal transmitted by the base station and/or the other terminal.
  • FIG. 21 is a block diagram illustrating a base station (BS), according to the embodiments as disclosed herein.
  • the base station of the present disclosure may include a transceiver 2110, a memory 2120, and a processor (or, a controller) 2130.
  • the transceiver 2110, the memory 2120, and the processor (or controller) 2130 of the base station may operate according to a communication method of the base station described above.
  • the components of the base station are not limited thereto.
  • the base station may include more or fewer components than those described in FIG. 21.
  • the processor (or controller) 2130, the transceiver 2110, and the memory 2120 may be implemented as a single chip.
  • the processor (or controller) 2130 may include at least one processor.
  • the base station of FIG. 21 corresponds to the BS (e.g., gNB of FIG. 2, FIG. 3, NG-RAN node of FIG. 4, NG-RAN (108a, 108b) of FIG. 6, FIG. 8B, NG-RAN (108) of FIG. 7, FIG. 8A, FIG. 10, FIG. 11, or MN (116), SN (124) of FIG. 9).
  • the transceiver 2110 collectively refers to a base station receiver and a base station transmitter, and may transmit/receive a signal to/from a terminal, another base station, and/or a core network function(s) (or entity(s)).
  • the signal transmitted or received to or from the base station may include control information and data.
  • the transceiver 2110 may include an RF transmitter for up-converting and amplifying the frequency of a transmitted signal, and an RF receiver for low-noise amplifying and down-converting the frequency of a received signal.
  • the transceiver 2110 may receive and output, to the processor (or controller) 2130, a signal through a wireless channel, and transmit a signal output from the processor (or controller) 2130 through the wireless channel.
  • the memory 2120 may store a program and data required for operations of the base station. Also, the memory 2120 may store control information or data included in a signal obtained by the base station.
  • the memory 2120 may be a storage medium, such as ROM, RAM, a hard disk, a CD-ROM, and a DVD, or a combination of storage media.
  • the processor (or controller) 2130 may control a series of processes such that the base station operates as described above. For example, the processor (or controller) 2130 may receive a data signal and/or a control signal, and the processor (or controller) 2130 may determine a result of receiving the signal transmitted by the terminal and/or the core network function.
  • FIG. 22 is a block diagram illustrating a structure of a network entity according to the embodiment as disclosed herein.
  • the network entity of the present disclosure may include a transceiver 2210, a memory 2220, and a processor 2230.
  • the transceiver 2210, the memory 2220, and the processor 2230 of the network entity may operate according to a communication method of the network entity described above.
  • the components of the network entity are not limited thereto.
  • the network entity may include more or fewer components than those described above.
  • the processor 2230, the transceiver 2210, and the memory 2220 may be implemented as a single chip.
  • the processor 2230 may include at least one processor.
  • the network entity illustrated in FIG. 22 may correspond to the remote UE’s UPF of FIG. 2, the remote UE’s AMF and SMF of FIG. 3, the UPF of FIG. 4, or the AMF node (118) or SMF node (120) illustrated in FIG. 9, FIG. 14, and FIG. 15.
  • the transceiver 2210 collectively refers to a network entity receiver and a network entity transmitter, and may transmit/receive a signal to/from a base station or a UE.
  • the signal transmitted or received to or from the base station or the UE may include control information and data.
  • the transceiver 2210 may include an RF transmitter for up-converting and amplifying the frequency of a transmitted signal, and an RF receiver for low-noise amplifying and down-converting the frequency of a received signal.
  • the transceiver 2210 may receive and output, to the processor 2230, a signal through a wireless channel, and transmit a signal output from the processor 2230 through the wireless channel.
  • the memory 2220 may store a program and data required for operations of the network entity. Also, the memory 2220 may store control information or data included in a signal obtained by the network entity.
  • the memory 2220 may be a storage medium, such as ROM, RAM, a hard disk, a CD-ROM, and a DVD, or a combination of storage media.
  • the processor 2230 may control a series of processes such that the network entity operates as described above.
  • the transceiver 2210 may receive a data signal including a control signal, and the processor 2230 may determine a result of receiving the data signal.
  • a computer-readable recording medium having one or more programs (software modules) recorded thereon may be provided.
  • the one or more programs recorded on the computer-readable recording medium are configured to be executable by one or more processors in an electronic device.
  • the one or more programs include instructions to execute the methods according to the embodiments described in the claims or the detailed description of the present disclosure.
  • the programs may be stored in random access memory (RAM), non-volatile memory including flash memory, read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), a magnetic disc storage device, compact disc-ROM (CD-ROM), a digital versatile disc (DVD), another type of optical storage device, or a magnetic cassette.
  • the programs may be stored in a memory system including a combination of some or all of the above-mentioned memory devices.
  • a plurality of each memory device may be included.
  • the programs may also be stored in an attachable storage device which is accessible through a communication network such as the Internet, an intranet, a local area network (LAN), a wireless LAN (WLAN), or a storage area network (SAN), or a combination thereof.
  • the storage device may be connected through an external port to an apparatus according to the embodiments of the present disclosure.
  • Another storage device on the communication network may also be connected to the apparatus performing the embodiments of the present disclosure.
  • the user equipment can include any number of each component in any suitable arrangement.
  • the figures do not limit the scope of this disclosure to any particular configuration(s).
  • while the figures illustrate operational environments in which various user equipment features disclosed in this patent document can be used, these features can be used in any other suitable system.

Abstract

The disclosure relates to a 5G or 6G communication system for supporting a higher data transmission rate. Embodiments disclosed herein provide a method for secure Multi-path transmission for Proximity Services (ProSe) in a telecommunication network (900) by a UE (102). The method includes determining whether a ProSe multipath security policy received from at least one relay device (102b) is the same as the ProSe multipath security policy received for a second PDU session. In an embodiment, the method includes performing the ProSe multipath communication with the at least one relay device (102b) when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the method includes rejecting the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is not the same as the ProSe multipath security policy received for the second PDU session.

Description

METHOD AND APPARATUS OF SECURE MULTI-PATH TRANSMISSION FOR PROXIMITY SERVICES IN WIRELESS COMMUNICATION SYSTEM
The embodiments disclosed herein relate to the field of a wireless communication system. More particularly, the embodiments disclosed herein relate to a method and a system for supporting a secure multi-path transmission for proximity services in the wireless communication system.
5G mobile communication technologies define broad frequency bands such that high transmission rates and new services are possible, and can be implemented not only in “Sub 6GHz” bands such as 3.5GHz, but also in “Above 6GHz” bands referred to as mmWave including 28GHz and 39GHz. In addition, it has been considered to implement 6G mobile communication technologies (referred to as Beyond 5G systems) in terahertz (THz) bands (for example, 95GHz to 3THz bands) in order to accomplish transmission rates fifty times faster than 5G mobile communication technologies and ultra-low latencies one-tenth of 5G mobile communication technologies.
At the beginning of the development of 5G mobile communication technologies, in order to support services and to satisfy performance requirements in connection with enhanced Mobile BroadBand (eMBB), Ultra Reliable Low Latency Communications (URLLC), and massive Machine-Type Communications (mMTC), there has been ongoing standardization regarding beamforming and massive MIMO for mitigating radio-wave path loss and increasing radio-wave transmission distances in mmWave, supporting numerologies (for example, operating multiple subcarrier spacings) for efficiently utilizing mmWave resources and dynamic operation of slot formats, initial access technologies for supporting multi-beam transmission and broadbands, definition and operation of BWP (BandWidth Part), new channel coding methods such as a LDPC (Low Density Parity Check) code for large amount of data transmission and a polar code for highly reliable transmission of control information, L2 pre-processing, and network slicing for providing a dedicated network specialized to a specific service.
Currently, there are ongoing discussions regarding improvement and performance enhancement of initial 5G mobile communication technologies in view of services to be supported by 5G mobile communication technologies, and there has been physical layer standardization regarding technologies such as V2X (Vehicle-to-everything) for aiding driving determination by autonomous vehicles based on information regarding positions and states of vehicles transmitted by the vehicles and for enhancing user convenience, NR-U (New Radio Unlicensed) aimed at system operations conforming to various regulation-related requirements in unlicensed bands, NR UE Power Saving, Non-Terrestrial Network (NTN) which is UE-satellite direct communication for providing coverage in an area in which communication with terrestrial networks is unavailable, and positioning.
Moreover, there has been ongoing standardization in air interface architecture/protocol regarding technologies such as Industrial Internet of Things (IIoT) for supporting new services through interworking and convergence with other industries, IAB (Integrated Access and Backhaul) for providing a node for network service area expansion by supporting a wireless backhaul link and an access link in an integrated manner, mobility enhancement including conditional handover and DAPS (Dual Active Protocol Stack) handover, and two-step random access for simplifying random access procedures (2-step RACH for NR). There also has been ongoing standardization in system architecture/service regarding a 5G baseline architecture (for example, service based architecture or service based interface) for combining Network Functions Virtualization (NFV) and Software-Defined Networking (SDN) technologies, and Mobile Edge Computing (MEC) for receiving services based on UE positions.
As 5G mobile communication systems are commercialized, connected devices that have been exponentially increasing will be connected to communication networks, and it is accordingly expected that enhanced functions and performances of 5G mobile communication systems and integrated operations of connected devices will be necessary. To this end, new research is scheduled in connection with eXtended Reality (XR) for efficiently supporting AR (Augmented Reality), VR (Virtual Reality), MR (Mixed Reality) and the like, 5G performance improvement and complexity reduction by utilizing Artificial Intelligence (AI) and Machine Learning (ML), AI service support, metaverse service support, and drone communication.
Furthermore, such development of 5G mobile communication systems will serve as a basis for developing not only new waveforms for providing coverage in terahertz bands of 6G mobile communication technologies, multi-antenna transmission technologies such as Full Dimensional MIMO (FD-MIMO), array antennas and large-scale antennas, metamaterial-based lenses and antennas for improving coverage of terahertz band signals, high-dimensional space multiplexing technology using OAM (Orbital Angular Momentum), and RIS (Reconfigurable Intelligent Surface), but also full-duplex technology for increasing frequency efficiency of 6G mobile communication technologies and improving system networks, AI-based communication technology for implementing system optimization by utilizing satellites and AI (Artificial Intelligence) from the design stage and internalizing end-to-end AI support functions, and next-generation distributed computing technology for implementing services at levels of complexity exceeding the limit of UE operation capability by utilizing ultra-high-performance communication and computing resources.
Currently, there are needs to enhance secure multi-path transmission for proximity services in a wireless communication system.
Embodiments disclosed herein provide a method for secure multi-path transmission for proximity services (ProSe) in a telecommunication network. The method includes initiating, by a user equipment (UE) in the telecommunication network, a ProSe multipath communication with at least one relay device in the telecommunication network. The at least one relay device establishes a first protocol data unit (PDU) session with a network apparatus in the telecommunication network using a first link over a first network path. Further, the method includes establishing, by the UE, a second PDU session with a network apparatus using a second link over a second network path. Further, the method includes receiving, by the UE, a ProSe multipath security policy from a unified data management (UDM) associated with the network apparatus for the second PDU session. Further, the method includes receiving, by the UE, a ProSe multipath security policy from the network apparatus. Further, the method includes receiving, by the UE, a ProSe multipath security policy from the at least one relay device. Further, the method includes determining, by the UE, whether the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In an embodiment, the method includes performing the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the method includes rejecting the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is not the same as the ProSe multipath security policy received for the second PDU session.
In an embodiment, the method includes performing, by the UE, the ProSe multipath communication with the at least one relay device using the first link over the first network path and a PDU data transfer in the second communication with the network device using the second link over the second network path. The ProSe multipath communication with the at least one relay device and the PDU data transfer with the network device are performed using the same ProSe multipath security policy.
In an embodiment, the method includes receiving, by the at least one relay device, a multipath ProSe communication message from the UE. Further, the method includes sending, by the at least one relay device, an authenticated and authorized message for the multipath ProSe communication to a session management function (SMF) device in the telecommunication network. Further, the method includes establishing, by the at least one relay device, the first PDU session with an access and mobility management function (AMF) node (or entity) associated with the network apparatus using the first link over the first network path after successful authentication and authorization of the at least one relay device at the SMF node. Further, the method includes receiving, by the at least one relay device, a radio resource control (RRC) message comprising the ProSe multipath security policy from a master node (MN) associated with the network apparatus. Further, the method includes storing, by the at least one relay device, the ProSe multipath security policy in a memory of the at least one relay device for a temporary period of time. Further, the method includes sending, by the at least one relay device, the ProSe multipath security policy to the UE.
In an embodiment, the method includes selecting, by the AMF node, an SMF supporting ProSe multipath transmission during the authentication and authorization of the relay UE by the SMF node. Further, the method includes sending, by the AMF node, a PDU session request message comprising the SMF supporting ProSe multipath transmission to the SMF node.
In an embodiment, the method includes receiving, by the SMF node associated with the network apparatus, a request to establish the multipath ProSe communication from the relay device. Further, the method includes authenticating and authorizing, by the SMF node, the at least one relay device based on the request. Further, the method includes receiving, by the SMF node, the PDU session request message comprising the SMF supporting ProSe multipath transmission from the AMF node. Further, the method includes sending, by the SMF node, a request to retrieve subscription information to a unified data management (UDM) node associated with the network apparatus. Further, the method includes receiving, by the SMF node, the retrieved subscription information comprising the ProSe multipath security policy from the UDM node. Further, the method includes sending, by the SMF node, the ProSe multipath security policy received from the UDM node to the master node.
Embodiments disclosed herein provide a system for secure Multi-path communication for ProSe in a telecommunication network. In an embodiment, the system includes a network apparatus, a UDM node communicating with the network apparatus, an SMF node communicating with the UDM node, an AMF node communicating with the SMF node, a Master node communicating with the AMF node, at least one relay device, and a UE communicating with the network apparatus node and the at least one relay device. The UE includes a Prose multipath communication controller (or a transceiver) communicatively coupled to a memory and a processor. The Prose multipath communication controller is configured to initiate a ProSe multipath communication with at least one relay device in the telecommunication network. The at least one relay device establishes a first PDU session with a network apparatus in the telecommunication network using a first link over a first network path. Further, the Prose multipath communication controller is configured to establish a second PDU session with a network apparatus using a second link over a second network path. The Prose multipath communication controller is configured to receive a ProSe multipath security policy from a UDM associated with the network apparatus for the second PDU session. The Prose multipath communication controller is configured to receive a ProSe multipath security policy from the network apparatus. Further, the Prose multipath communication controller is configured to receive a ProSe multipath security policy from the at least one relay device. Further, the Prose multipath communication controller is configured to determine whether the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session.
In an embodiment, the Prose multipath communication controller is configured to perform the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the Prose multipath communication controller is configured to reject the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is not the same as the ProSe multipath security policy received for the second PDU session.
In an embodiment, the Prose multipath communication controller is configured to perform the ProSe multipath communication with the at least one relay device using the first link over the first network path and a PDU data transfer in the second communication with the network device using the second link over the second network path. The ProSe multipath communication with the at least one relay device and the PDU data transfer with the network device are performed using the same ProSe multipath security policy.
In an embodiment, the at least one relay device includes a Prose multipath communication controller communicatively coupled to a memory and a processor. The Prose multipath communication controller is configured to receive a multipath ProSe communication message from the UE. Further, the Prose multipath communication controller is configured to send an authenticated and authorized message for the multipath ProSe communication to the SMF node in the telecommunication network. Further, the Prose multipath communication controller is configured to establish the first PDU session with the AMF node associated with the network apparatus using the first link over the first network path after successful authentication and authorization of the at least one relay device at the SMF node. Further, the Prose multipath communication controller is configured to receive an RRC message comprising the ProSe multipath security policy from the MN associated with the network apparatus. Further, the Prose multipath communication controller is configured to store the ProSe multipath security policy in the memory of the at least one relay device for a temporary period of time. Further, the Prose multipath communication controller is configured to send the ProSe multipath security policy to the UE.
In an embodiment, the AMF node includes a Prose multipath communication controller communicatively coupled to a memory and a processor. The Prose multipath communication controller is configured to send an SMF supporting ProSe multipath transmission during the authentication and authorization of the relay UE by the SMF node. Further, the Prose multipath communication controller is configured to send a PDU session request message comprising the SMF supporting ProSe multipath transmission to the SMF node.
In an embodiment, the SMF node includes a Prose multipath communication controller communicatively coupled to a memory and a processor. The Prose multipath communication controller is configured to receive a request to establish the multipath ProSe communication from the relay device. Further, the Prose multipath communication controller is configured to authenticate and authorize the at least one relay device based on the request. Further, the Prose multipath communication controller is configured to receive the PDU session request message comprising the SMF supporting ProSe multipath transmission from the AMF node. Further, the Prose multipath communication controller is configured to send a request to retrieve subscription information to the UDM node associated with the network apparatus. Further, the Prose multipath communication controller is configured to receive the retrieved subscription information comprising the ProSe multipath security policy from the UDM node. Further, the Prose multipath communication controller is configured to send the ProSe multipath security policy received from the UDM node to the master node.
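The policy-consistency procedure of the flow charts of FIGS. 16 to 19 and of the embodiments summarized above, as an added Python model that is not code from the patent or from Samsung: the AMF selects an SMF supporting ProSe multipath, the SMF authorizes the relay and fetches the subscribed policy from the UDM for the master node, the relay caches the RRC-delivered policy for a temporary period and forwards it, and the remote UE performs the multipath communication only when the relay's policy equals the one received for its own second PDU session. The policy fields (user-plane integrity and ciphering, each REQUIRED / PREFERRED / NOT_NEEDED) are an assumption borrowed from the 3GPP UP security policy, since the page does not define the policy's contents; all identifiers, the cache lifetime and the sample subscription are constructed.

```python
"""Model of the ProSe multipath security-policy consistency check (FIGS. 16-19).
Added example; not the patent's or Samsung's code. Policy fields are an
assumption borrowed from the 3GPP UP security policy; all identifiers and
sample values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Protection(str, Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class MultipathSecurityPolicy:
    integrity: Protection
    ciphering: Protection


@dataclass
class UDM:
    """Holds the subscribed ProSe multipath security policy per subscriber."""
    subscriptions: dict  # supi (constructed) -> MultipathSecurityPolicy

    def retrieve_subscription(self, supi: str) -> MultipathSecurityPolicy:
        return self.subscriptions[supi]


@dataclass
class SMF:
    udm: UDM
    supports_prose_multipath: bool
    authorized: set = field(default_factory=set)

    def authenticate_and_authorize(self, relay_id: str, request: str) -> bool:
        # S1902-S1904: only a relay asking for multipath ProSe is authorized.
        ok = request == "multipath_prose"
        if ok:
            self.authorized.add(relay_id)
        return ok

    def handle_pdu_session_request(self, relay_id: str, supi: str) -> MultipathSecurityPolicy:
        # S1906-S1912: fetch the subscribed policy; the SMF hands it to the MN.
        if relay_id not in self.authorized:
            raise PermissionError("relay not authorized at SMF")
        return self.udm.retrieve_subscription(supi)


class AMF:
    @staticmethod
    def select_smf(candidates: List[SMF]) -> SMF:
        # S1802: pick an SMF that supports ProSe multipath transmission.
        for smf in candidates:
            if smf.supports_prose_multipath:
                return smf
        raise LookupError("no SMF supports ProSe multipath")


@dataclass
class RelayUE:
    """Keeps the RRC-delivered policy only for a temporary period (S1710)."""
    cache_ttl: float = 30.0  # seconds; constructed value
    _policy: Optional[MultipathSecurityPolicy] = None
    _stored_at: float = 0.0

    def on_rrc_policy(self, policy: MultipathSecurityPolicy, now: float) -> None:
        self._policy, self._stored_at = policy, now

    def policy_for_remote_ue(self, now: float) -> Optional[MultipathSecurityPolicy]:
        # S1712: forward the policy only while the cached copy is still fresh.
        if self._policy is None or now - self._stored_at > self.cache_ttl:
            return None
        return self._policy


def remote_ue_decides(policy_from_relay: Optional[MultipathSecurityPolicy],
                      policy_for_second_pdu: MultipathSecurityPolicy) -> str:
    # S1612-S1616: multipath communication proceeds only when the relay's
    # policy equals the one the UE received for its own second PDU session;
    # a missing, stale or different (e.g. weaker) policy from the relay is rejected.
    if policy_from_relay is not None and policy_from_relay == policy_for_second_pdu:
        return "PERFORM"
    return "REJECT"


def run_setup(udm: UDM, supi: str, relay_id: str = "relay-1",
              rrc_at: float = 0.0, forward_at: float = 0.0) -> str:
    """Drive the exchange end to end and return the remote UE's decision."""
    smf = AMF.select_smf([SMF(udm, False), SMF(udm, True)])
    if not smf.authenticate_and_authorize(relay_id, "multipath_prose"):
        return "REJECT"
    policy_via_mn = smf.handle_pdu_session_request(relay_id, supi)  # SMF -> MN
    relay = RelayUE()
    relay.on_rrc_policy(policy_via_mn, rrc_at)                    # MN -> relay
    # The remote UE's second PDU session over the direct path delivers the
    # same subscription's policy (S1606-S1608).
    policy_direct = udm.retrieve_subscription(supi)
    return remote_ue_decides(relay.policy_for_remote_ue(forward_at), policy_direct)
```

With `forward_at` past the relay's cache lifetime the relay forwards nothing and the remote UE rejects, which is the same outcome as a relay presenting a policy that differs from the direct-path one.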
These and other aspects of the embodiments herein will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following descriptions, while indicating preferred embodiments and numerous specific details thereof, are given by way of illustration and not of limitation. Many changes and modifications may be made within the scope of the embodiments herein without departing from the scope thereof, and the embodiments herein include all such modifications.
According to various embodiments of the disclosure, secure multi-path transmission for proximity services in a wireless communication system can be efficiently enhanced.
The embodiments are illustrated in the accompanying drawings, throughout which like reference letters indicate corresponding parts in the various figures. The embodiments herein will be better understood from the following description with reference to the drawings, in which:
FIG. 1 illustrates a UE-to-network connection via different paths, i.e., a direct path over Uu (Path #1) and indirect paths via a UE-to-network relay (Path #2 and Path #3), according to the prior art;
FIG. 2 illustrates a user plane stack for L2 UE-to-Network Relay UE, according to the prior art;
FIG. 3 illustrates a control plane for the L2 UE-to-Network Relay UE, according to the prior art;
FIG. 4 illustrates a protocol stack for a ProSe 5G L3 UE-to-Network Relay, according to the prior art;
FIG. 5 illustrates an example scenario of multi-path transmission using UE-to-Network Relay, according to the prior art;
FIG. 6 illustrates a multi-path transmission using a direct Uu path and an indirect network communication path, according to the prior art;
FIG. 7 illustrates an example scenario for a first issue, according to the prior art;
FIG. 8A illustrates example scenarios for a second issue, according to the prior art;
FIG. 8B illustrates example scenarios for a second issue, according to the prior art;
FIG. 9 illustrates a scenario in which the SMF determines the security policy for both Uu links and PC5 links, according to the embodiments as disclosed herein;
FIG. 10 illustrates a scenario in which the remote UE determines the security policy over the direct path and applies it over the PC5 link, according to the embodiments as disclosed herein;
FIG. 11 illustrates a relay UE reporting the security activation status to the NG-RAN in RRC connection reconfiguration complete message, according to the embodiments as disclosed herein;
FIG. 12 shows various hardware components of a UE, according to the embodiments as disclosed herein;
FIG. 13 shows various hardware components of a relay device, according to the embodiments as disclosed herein;
FIG. 14 shows various hardware components of an AMF node, according to the embodiments as disclosed herein;
FIG. 15 shows various hardware components of a SMF node, according to the embodiments as disclosed herein;
FIG. 16 is a flow chart illustrating a method, implemented by the UE, for secure Multi-path transmission for ProSe in the telecommunication network, according to the embodiments as disclosed herein;
FIG. 17 is a flow chart illustrating a method, implemented by the relay device, for secure Multi-path transmission for ProSe in the telecommunication network, according to the embodiments as disclosed herein;
FIG. 18 is a flow chart illustrating a method, implemented by the AMF node, for secure Multi-path transmission for ProSe in the telecommunication network, according to the embodiments as disclosed herein;
FIG. 19 is a flow chart illustrating a method, implemented by the SMF node, for secure Multi-path transmission for ProSe in the telecommunication network, according to the embodiments as disclosed herein;
FIG. 20 is a block diagram illustrating a terminal (or a user equipment (UE)), according to the embodiments as disclosed herein;
FIG. 21 is a block diagram illustrating a base station (BS), according to the embodiments as disclosed herein; and
FIG. 22 is a block diagram illustrating a structure of a network entity according to the embodiment as disclosed herein.
It may be noted that, to the extent possible, like reference numerals have been used to represent like elements in the drawings. Further, those of ordinary skill in the art will appreciate that elements in the drawings are illustrated for simplicity and may not necessarily have been drawn to scale. For example, the dimensions of some of the elements in the drawings may be exaggerated relative to other elements to help improve the understanding of aspects of the invention. Furthermore, one or more elements may have been represented in the drawings by conventional symbols, and the drawings may show only those specific details that are pertinent to understanding the embodiments of the invention, so as not to obscure the drawings with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein.
In existing approaches, a User Equipment (UE) (102) may be able to access a network (106) (e.g., a telecommunication network or the like) via direct network communication or indirect network communication, as shown in FIG. 1. Path #1 is a direct network communication path, and path #2 and path #3 are indirect network communication paths via different UE-to-Network Relays (104a and 104b). The UE-to-Network relay (104a and 104b) is registered to the 5GS as a UE. To provide service to a remote UE, the UE-to-Network relay (104a and 104b) needs to establish a direct communication interface (e.g., a new radio (NR) PC5 link, or the like) with the Remote UE. For the UE-to-Network relay (104a and 104b), there are two options. The first option is a Layer-2 UE-to-Network relay and the second option is a Layer-3 UE-to-Network relay. Both options provide network access service to the remote UE, with differences: in the Layer-2 relay, the remote UE is registered to the 5G Core and has an Access Stratum (AS) security context established with a gNB in connected mode, whereas in the Layer-3 relay, the remote UE may be registered to the 5GC but does not have an AS security context. Both options require a PC5 unicast link between the remote UE and the UE-to-Network relay.
The Layer-2 relay UE provides forwarding functionality, which can relay any type of traffic over the PC5 link. For the Layer-2 relay, security is enforced at the Packet Data Convergence Protocol (PDCP) layer between endpoints at the remote UE and the gNB. The PDCP traffic is relayed securely over two links, one between the remote UE and the relay and the other between the relay and the gNB, without exposing any of the remote UE's plaintext data to the relay.
Further, in the existing control and User Plane Protocols (200) for the Layer 2 UE-to-Network Relay, as shown in FIG. 2, the Protocol data unit (PDU) layer corresponds to a PDU carried between the Remote UE and the Data Network (DN) over the PDU session. The two endpoints of the PDCP link are the Remote UE and the gNB. The relay function is performed under the PDCP. This means that data security is ensured between the Remote UE and the gNB without exposing raw data at the UE-to-Network Relay UE.
FIG. 3 illustrates a control plane (300) for L2 UE-to-Network Relay UE, according to the prior art. Non-Access Stratum (NAS) messages are transparently transferred between the Remote UE and gNB over the Layer 2 UE-to-Network Relay UE using:
1. A PDCP end-to-end connection, where the role of the UE-to-Network Relay UE is to relay the PDUs over the signalling radio bearer without any modifications.
2. An N2 connection between the gNB and the AMF over N2.
3. An N11 connection between the AMF and the Session Management Function (SMF) over N11.
The protocol stack (400) for the Layer-3 UE-to-Network Relay is shown in FIG. 4. Hop-by-hop security is supported on the PC5 link and the Uu link.
In a 5G system, upon reception of a UE request for a new PDU session, a Session Management Function (SMF) manages the entire lifecycle of the session. The SMF (or SMF node) determines at PDU session establishment the UP security enforcement information for the user plane of a PDU session based on subscriber information from a UDM (or UDM entity), the UP security policy locally configured per DNN and/or slice in the SMF node, and/or the maximum supported data rate per UE for integrity protection per Data Radio Bearer (DRB).
The SMF provides the UP security policy for a PDU session to the ng-eNB/gNB during the PDU session establishment procedure as specified in 3GPP Technical Specification 23.502. The UP security policy indicates whether UP confidentiality and/or UP integrity protection is to be activated or not for all DRBs belonging to that PDU session, and is used to activate UP confidentiality and/or UP integrity for all DRBs belonging to the PDU session. For Proximity Service (ProSe) unicast mode, 5G ProSe Direct Communication is used by two UEs that directly exchange traffic for the ProSe applications running between the peer UEs. PC5 security policies are provisioned by the 5G DDNMF (5G Direct Discovery Name Management Function) for unicast mode 5G ProSe Direct Communication during the restricted 5G ProSe Discovery procedure. Otherwise, the PCF shall be able to provision the PC5 security policies to the UE per ProSe application during the service authorization and information provisioning procedure. If the UE receives PC5 security policies from the 5G DDNMF, the UE uses the PC5 security policies from the 5G DDNMF to establish PC5 unicast communication security instead of the PC5 security policies provisioned by a Policy Control Function (PCF) or pre-configured in the UE.
It is desired to address the above-mentioned disadvantages or other shortcomings, or at least to provide a useful alternative.
A principal object of the embodiments herein is to provide a method and a system for secure Multi-path transmission for ProSe in a telecommunication network.
Another object of the embodiments herein is to determine whether the ProSe multipath security policy received from at least one relay device is the same as the ProSe multipath security policy received for a second PDU session.
Another object of the embodiments herein is to perform the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session.
Another object of the embodiments herein is to reject the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is not the same as the ProSe multipath security policy received for the second PDU session.
The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments herein. Also, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments. The term “or” as used herein, refers to a non-exclusive or, unless otherwise indicated. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein can be practiced and to further enable those skilled in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
As is traditional in the field, embodiments may be described and illustrated in terms of blocks which carry out a described function or functions. These blocks, which may be referred to herein as managers, units, modules, hardware components or the like, are physically implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by a firmware. The circuits may, for example, be embodied in one or more semiconductor chips, or on substrate supports such as printed circuit boards and the like. The circuits constituting a block may be implemented by dedicated hardware, or by a processor (e.g., one or more programmed microprocessors and associated circuitry), or by a combination of dedicated hardware to perform some functions of the block and a processor to perform other functions of the block. Each block of the embodiments may be physically separated into two or more interacting and discrete blocks without departing from the scope of the disclosure. Likewise, the blocks of the embodiments may be physically combined into more complex blocks without departing from the scope of the disclosure.
The accompanying drawings are used to help easily understand various technical features and it should be understood that the embodiments presented herein are not limited by the accompanying drawings. As such, the present disclosure should be construed to extend to any alterations, equivalents and substitutes in addition to those which are particularly set out in the accompanying drawings. Although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are generally only used to distinguish one element from another.
Embodiments herein disclose a method for secure Multi-path transmission for ProSe in a telecommunication network. The method includes initiating, by a UE in the telecommunication network, a ProSe multipath communication with at least one relay device in the telecommunication network. The at least one relay device establishes a first PDU session with a network apparatus in the telecommunication network using a first link over a first network path. Further, the method includes establishing, by the UE, a second PDU session with the network apparatus using a second link over a second network path. Further, the method includes receiving, by the UE, a ProSe multipath security policy from a UDM associated with the network apparatus for the second PDU session. Further, the method includes receiving, by the UE, a ProSe multipath security policy from the network apparatus. Further, the method includes receiving, by the UE, a ProSe multipath security policy from the at least one relay device. Further, the method includes determining, by the UE, whether the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In an embodiment, the method includes performing the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the method includes rejecting the ProSe multipath communication with the at least one relay device when the ProSe multipath security policy received from the at least one relay device is not the same as the ProSe multipath security policy received for the second PDU session.
The proposed method can be used to manage the security policy over the direct path (remote UE to NG-RAN via Uu) and the indirect path (remote UE to relay over PC5 and relay to NG-RAN over Uu) such that the same setting of encryption and/or integrity protection is applied on both. Based on the proposed methods, the security policy for each path and/or link (PC5 or Uu link) is determined by the same network function.
Referring now to the drawings, and more particularly to FIGS. 9 through 19, there are shown preferred embodiments.
A key issue for multi-path transmission is captured in 3GPP TR 23.700-33. Multi-path transmission using one direct network communication path and one indirect network communication path via a UE-to-Network Relay can be used to improve reliability or data rates for the remote UE. As illustrated in FIG. 5, the UE (102) can use path #1 and path #2 for multi-path transmission, where path #1 is the direct network communication path and path #2 is the indirect network communication path via the UE-to-Network Relay. In this scenario, the following aspects need to be studied and analysed:
A) Whether and how the network authorizes multi-path transmission, and the triggers for connection establishment for multi-path transmission.
B) Whether and how to authorize a Remote UE to use multi-path transmission for specific ProSe service(s).
C) What information is required for, and how does, a Remote UE, a UE-to-Network Relay or the network trigger the multi-path connection establishment.
Supporting multi-path connectivity using 3GPP features like Access Traffic Steering, Switching & Splitting (ATSSS) or Multi-Radio Dual Connectivity (MR-DC) depends on whether the Remote UE has an AS connection or a NAS connection with the network. A Layer-3 Remote UE does not have a 5G connection when connected via a Layer-3 UE-to-Network Relay without a Non-3GPP Interworking Function (N3IWF). Thus, application layer mechanisms are used to support multi-path transmission for a Layer-3 Remote UE: the application layer can decide when to set up the multi-path connectivity and how to aggregate/split the traffic over both paths. On the other hand, when the Layer-3 Remote UE accesses the network via a Layer-3 UE-to-Network Relay with N3IWF support, it has a NAS connection with the 5GC and a PDU session will be used for the application traffic.
In contrast, a Layer-2 Remote UE has both a NAS connection and an AS connection, similar to a UE connected directly to the network via Uu connectivity. Multi-Radio Dual Connectivity (MR-DC) is supported in NG-RAN to allow multi-path transmission for a UE connected to the network via two access nodes. A similar approach can be introduced to support multi-path transmission for a CM-CONNECTED Layer-2 Remote UE that has an AS connection via both the direct network communication path and the indirect network communication path.
As per the current state of the art, the 5GS is already enhanced to support redundant transmission for high-reliability communication in the URLLC scenario, as described in 3GPP TS 23.501 and TS 33.501. A UE supporting redundant transmission sets up two redundant PDU Sessions over the 5G network, and the 5GS sets up the user plane paths of the two redundant PDU Sessions.
For the multi-path transmission, the UE acts as a normal UE accessing its serving NG-RAN directly and as a Remote UE accessing the NG-RAN through a UE-to-Network relay (refer to FIG. 4). Two redundant PDU Sessions are then established by the interaction between the UE and the NG-RAN/5GC to transfer the data for the ProSe Services with high reliability requirements. In this case, one Remote UE has two active RRC and PDCP connections (direct Uu and indirect Uu via a relay). The NG-RAN may realize redundant user plane resources for the two PDU sessions with a single NG-RAN node, or by Dual Connectivity with two NG-RAN nodes.
FIG. 6 shows multi-path transmission using a direct Uu path and an indirect network communication path. In this case, the two redundant paths may go through two different NG-RANs (108a and 108b) or the same NG-RAN, depending on the scenario. In the case of two different NG-RANs (108a and 108b), communication reliability at the RAN side already exists and is supported. In the case of the same NG-RAN, the NG-RAN (108a and 108b) needs to realize the communication reliability internally, e.g., by allocating different, redundant user plane resources for each user plane path, splitting the PDUs over the different paths, and realizing the same level of security protection or treatment for the redundant PDUs sent over the different paths. However, the following issues are identified:
A) In the case of a remote UE connected to the network via the L3 relay, it is understood from the protocol stack for the L3 relay (see FIG. 4) that there are two PDU sessions established with the NG-RAN: (a) PDU-1: Uu between the remote UE and the NG-RAN, and (b) PDU-2: Uu between the L3 relay and the NG-RAN. Therefore, the L3 relay needs to realize the multipath redundant PDU session and map the uplink data traffic from the ingress PC5 relay RLC to the Uu relay RLC and from the ingress Uu relay RLC to the Uu relay PDCP. This issue is illustrated in FIG. 7.
B) In the case of ProSe, the security policy over PC5 direct communication is determined by either the 5G Direct Discovery Name Management Function (5G DDNMF) or the Policy Control Function (PCF), whereas over Uu the security enforcement is determined by the UDM or the SMF. Re-using the MR-DC approach for ProSe multi-path transmission requires that the multipath approach in ProSe be compliant with the MR-DC/URLLC approach. As per the current state of the art, the same setting of encryption and integrity protection is applied over the two PDU sessions used for redundant data transmission. However, in the case of ProSe, a relay UE is involved in between, and the security activation over PC5 and Uu (indirect and direct path) may differ. Thus, inconsistent and dissimilar security protection across the PC5 and Uu links will lead to a security vulnerability, as data may be exposed on an unprotected link during the relay communication. This issue is illustrated in FIGs. 8A and 8B.
C) The 5GS provides multiple interfaces for ProSe communication between the UE, the relay UE and networks, such as PC5, Uu, N3 and so on. Traffic needs to be properly protected, especially on the air interface. There may be ProSe services that do not have or do not enable application-level security but want to leverage the security provided by the 5G system over PDCP. As a result, the selection of protection at the PDCP layer or the application layer needs to be investigated and managed to avoid situations such as unprotected Proximity Service traffic, traffic with redundant protection, and/or traffic with mismatched protection.
Therefore, to address the above issues, the system or the network should support means of enabling compatible levels, or the same setting, of confidentiality and integrity protection over Uu links and PC5 links in support of end-to-end security objectives for relay communications.
In an embodiment, a method for the L3 relay to realise the multipath redundant PDU session and map the uplink data traffic to the different paths is proposed. In the case of a remote UE connected to the network (900) via the L3 relay, it is understood from the protocol stack for the L3 relay that there are two PDU sessions established with the NG-RAN: (a) PDU-1: Uu between the remote UE and the NG-RAN, and (b) PDU-2: Uu between the L3 relay and the NG-RAN.
In order to enhance transmission reliability, either packet duplication or packet splitting can take place for ProSe multipath transmission. In the case of the same NG-RAN node (108a and 108b) as the endpoint, it is proposed that the UE (102) establishes two separate PDU sessions: one over the direct path (remote UE to NG-RAN (108a) via Uu) and one over the indirect path (remote UE to relay over PC5 and relay to NG-RAN over Uu). At the PDCP layer, duplication of the PDU is performed, where each instance of the duplicated PDU carries the same PDCP sequence number (SN). Based on these two PDU Sessions, two independent paths are set up.
If encryption is enabled between the remote UE (102a) and the NG-RAN (108a) on the first path for a first PDU session (direct Uu path), then encryption should also be enabled for the redundant PDU transmission over the second path (indirect path) for a second PDU session, i.e., encryption should be enabled between the remote UE (102a) and the relay UE (102b), and between the relay UE (102b) and the NG-RAN (108a). Similarly, if integrity protection is enabled between the remote UE (102a) and the NG-RAN (108) on the first path, then integrity protection should also be enabled for the redundant PDU transmission over the second path (indirect path) for the second PDU session, i.e., integrity protection should be enabled between the remote UE (102a) and the relay UE (102b), and between the relay UE (102b) and the NG-RAN (108).
In an alternative embodiment, a SMF (120) determines the security policy for both Uu links and PC5 links. In this alternative, the SMF (120) determines at PDU session establishment the User Plane Security Enforcement information for the user plane of a PDU session. In an embodiment, a PC5 security policy per service/application/S-NSSAI is locally configured in the SMF (120) along with the User Plane Security Policy per (DNN, S-NSSAI), and is used when the UDM (122) does not provide User Plane Security Policy information, i.e., there is a one-to-one mapping between the security policy for both PDU sessions and the PC5 link.
The remote UE/5G ProSe UE-to-Network Relay can be configured to use a set of slices supporting Control Plane based security procedure. An AMF (118) supporting Control Plane based security procedure for 5G ProSe UE-to-Network Relay is selected as part of the slice. In an embodiment the SMF (120) is configured with the security policy based on per remote UE/relay UE per S-NSSAI/set of slices supporting CP based security procedure.
The NG-RAN (108) and the remote UE (102a)/relay UE (102b) should ensure that the first PDU session path and the redundant PDU session path have the same UP security activation status. If the security policy is set to “preferred”, the security activation should be handled as follows. That is, if the "Preferred" option of the UP security policy is allowed, the following enhancements of the mechanism described for URLLC apply:
A) The NG-RAN (108) makes the decision on UP encryption protection and integrity protection according to the UP security policy for these two multipath/redundant PDU transmissions. For example, if the security policy says “preferred” and the NG-RAN decides to enable encryption and/or integrity, the NG-RAN stores the applied UP security activation status used for the DRBs established for the first PDU session between the MN and the UE, and indicates the security activation to the relay UE on the indirect path.
B) The relay UE (102b) uses the UP security activation status received from the MN to activate the UP security over PC5 for the DRBs established for the redundant PDU session between the remote UE and the NG-RAN via the relay UE.
If the "Preferred" option of the UP security policy is not allowed to be used at the SMF or UDM, which means that the SMF or UDM can guarantee that the UP security policies for the first and the redundant PDU sessions are the same and contain only "Not needed" or "Required", then the MN forwards the UP security policy to the relay UE, and the relay UE uses the UP security activation status received from the MN to activate the UP security over PC5 for the DRBs established for the redundant PDU session between the remote UE and the NG-RAN via the relay UE.
FIG. 9 illustrates the scenario in which SMF determines the security policy for both Uu links and PC5 links. Steps of operations are explained below:
1. The remote UE (102a) discovers the relay UE (102b) using the Model-A or Model-B procedure as specified in TS 33.503. In an embodiment, the remote UE (102a) sends an indication about multipath ProSe transmission in the direct communication request to the relay UE (102b). In an embodiment, the UDM (122) is configured with a security policy for ProSe multipath transmission. This security policy is specific to ProSe multipath transmission and is different/separate from the UP security policy for Uu. In another embodiment, this security policy is mapped one-to-one with the UP security policy for Uu.
2. The relay UE (102b) is authenticated and authorized by the network to act as a relay, as specified in TS 33.503.
3. In this step, the remote UE (102a) and the relay UE (102b) initiate the PDU session establishment procedure with the NG-RAN (108). For illustration purposes, in FIG. 4, the two redundant PDU sessions are marked as the PDU1 session and the PDU2 session.
4. If it was indicated during the authentication at step 2 that the remote UE (102a) supports multipath transmission, the AMF (118) selects an SMF supporting ProSe multipath transmission.
5-6. The SMF (120) retrieves the subscription data from the UDM (122). The subscription data includes at least one of a ProSe multipath security policy per Relay Service Code, a ProSe multipath security policy per S-NSSAI, and/or an indication to set the same security protection over path 1, path 2 and the PC5 link.
7-8. The SMF (120) sends the ProSe multipath security policy to the MN (116), where the MN (116) sends the received security policy to the relay UE (102b) during RRC connection reconfiguration procedure.
9. The Relay UE (102b) receives the security policy and stores it temporarily for the session.
10. The relay UE (102b) sends the received security policy to the remote UE (102a). In an embodiment, the remote UE (102a) checks whether the security policy setting is the same as that applied for PDU2.
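The FIG. 9 flow above (steps 5-6 through 10), together with the accept/reject decision of the disclosed method (the remote UE performs the multipath communication only when the policy received via the relay device equals the policy it holds for its own PDU session), can be modelled end to end as follows. This Python example is added here for illustration; it is not code from the patent, from the applicant, or from any 3GPP implementation. The subscription contents, the Relay Service Code and S-NSSAI values, the rule that a per-RSC entry takes precedence over a per-S-NSSAI entry, and the rejection when no policy is subscribed are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Policy settings. The page restricts the ProSe multipath policy to REQUIRED and NOT NEEDED.
REQUIRED = "REQUIRED"
NOT_NEEDED = "NOT_NEEDED"


@dataclass(frozen=True)
class MultipathPolicy:
    """ProSe multipath security policy: one setting for ciphering, one for integrity."""
    ciphering: str
    integrity: str


@dataclass
class SubscriptionData:
    """Constructed stand-in for the SM subscription data the SMF retrieves from the UDM (steps 5-6)."""
    per_rsc: Dict[int, MultipathPolicy]      # keyed by Relay Service Code
    per_snssai: Dict[str, MultipathPolicy]   # keyed by S-NSSAI (string form here)
    same_protection_all_paths: bool = True   # "same security protection over path 1, path 2, PC5 link"


def smf_select_policy(sub: SubscriptionData, rsc: int, snssai: str) -> Optional[MultipathPolicy]:
    """SMF (steps 5-6): pick the subscribed multipath policy for this session.
    Assumption: a per-RSC entry takes precedence over a per-S-NSSAI entry; the page lists
    both without stating an order."""
    if rsc in sub.per_rsc:
        return sub.per_rsc[rsc]
    return sub.per_snssai.get(snssai)


class RelayUE:
    """Relay UE (steps 9-10): stores the policy for the session and hands it on unchanged."""

    def __init__(self) -> None:
        self.session_policy: Optional[MultipathPolicy] = None

    def receive_from_mn(self, policy: MultipathPolicy) -> None:
        self.session_policy = policy

    def forward_to_remote(self) -> MultipathPolicy:
        if self.session_policy is None:
            raise RuntimeError("no policy stored for this session")
        return self.session_policy


def remote_ue_decide(from_relay: MultipathPolicy, for_pdu2: MultipathPolicy) -> str:
    """Step 10 / the disclosed method: the remote UE performs the multipath communication only
    when the policy received via the relay is identical to the one it holds for its own PDU
    session (PDU2); a difference in either ciphering or integrity rejects the communication."""
    return "ACCEPT" if from_relay == for_pdu2 else "REJECT"


def run_fig9_flow(sub: SubscriptionData, rsc: int, snssai: str,
                  policy_for_pdu2: MultipathPolicy) -> str:
    """Drive SMF -> MN -> relay UE -> remote UE for one session; return the remote UE's decision."""
    policy = smf_select_policy(sub, rsc, snssai)
    if policy is None:
        # No subscribed multipath policy: nothing the network can enforce consistently.
        # Treating this as a rejection is an assumption of this example.
        return "REJECT"
    # Steps 7-8: the MN passes the SMF's policy to the relay UE in RRC reconfiguration (unchanged).
    relay = RelayUE()
    relay.receive_from_mn(policy)
    return remote_ue_decide(relay.forward_to_remote(), policy_for_pdu2)


# Constructed sample subscription: RSC 7 demands full protection, slice "slice-b" needs none.
SAMPLE_SUB = SubscriptionData(
    per_rsc={7: MultipathPolicy(REQUIRED, REQUIRED)},
    per_snssai={"slice-b": MultipathPolicy(NOT_NEEDED, NOT_NEEDED)},
)

if __name__ == "__main__":
    # Matching policies on both paths -> ACCEPT; integrity differs -> REJECT.
    print(run_fig9_flow(SAMPLE_SUB, 7, "slice-b", MultipathPolicy(REQUIRED, REQUIRED)))
    print(run_fig9_flow(SAMPLE_SUB, 7, "slice-b", MultipathPolicy(REQUIRED, NOT_NEEDED)))
```

The equality test in `remote_ue_decide` is deliberately strict: a partial match (same ciphering setting, different integrity setting) is exactly the mismatched-protection case the page identifies as the vulnerability, so it is rejected rather than negotiated down.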
In an embodiment, as shown in FIG. 10, the remote UE determines the security policy and/or the security protection activation/deactivation over the direct path and sets the same security protection over the PC5 link. The remote UE sends the remote UE security capabilities and the remote UE security policy determined over the direct path in the Direct Communication Request (DCR). As shown in FIG. 10, at step 0, the NG-RAN (108) sends the ProSe multipath security policy to the relay UE (102b). At step 1, the remote UE (102a) sends the Direct Communication Request (including the remote UE security capabilities and the remote UE's security policy based on the direct path) to the relay UE (102b). At step 2, direct authentication and key establishment is performed between the remote UE (102a) and the relay UE (102b). At step 3a, the relay UE (102b) sends the Direct Security Mode Command (including the remote UE security capabilities, the remote UE's security policy, and the security policy applied over Uu) to the remote UE (102a). At step 3b, the relay UE (102b) is ready to receive user plane and signalling with the new context. At step 4a, the remote UE (102a) is ready to send and receive user plane and signalling with the new context. At step 4b, the Direct Security Mode Complete is exchanged between the relay UE (102b) and the remote UE (102a). At step 5, the relay UE (102b) sends user plane and signalling with the new context and deletes the old context.
In an embodiment, the relay UE checks whether the security policy sent in the DCR is the same as the security protection set over Uu between the relay and the NG-RAN (Master Node). In an embodiment, if verified successfully, the relay UE sends the security policy applied over Uu along with the remote UE security capabilities and the remote UE security policy determined over the direct path that were received in the Direct Communication Request (DCR). In another embodiment, if verified successfully, the relay UE sends a non-NULL security algorithm as the Chosen_algs, which indicates that the corresponding security protection is activated and the security algorithm the UEs will use to protect the data in the message. A NULL security algorithm in the Chosen_algs indicates that the corresponding security protection is not applied. The relay UE returns the remote UE's security capabilities and the remote UE's security policy to provide protection against bidding-down attacks.
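The DCR / Direct Security Mode Command exchange of FIG. 10 and the relay-side verification just described can be modelled with both sides' messages as follows. This Python example is added for illustration and is not code from the patent, the applicant, or any 3GPP implementation. The message field layout, the algorithm identifiers (modelled on the 5G NEA/NIA naming, with NEA0/NIA0 as the NULL algorithms) and the rule that the first mutually supported non-NULL algorithm in the remote UE's preference order is chosen are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

REQUIRED = "REQUIRED"
NOT_NEEDED = "NOT_NEEDED"

# Constructed identifiers modelled on the 5G naming; NEA0/NIA0 are the NULL algorithms.
NULL_CIPHER = "NEA0"
NULL_INTEG = "NIA0"


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: str   # REQUIRED or NOT_NEEDED
    integrity: str


@dataclass(frozen=True)
class DirectCommunicationRequest:
    """Step 1, remote UE -> relay UE: security capabilities plus the policy determined on the direct path."""
    caps_cipher: Tuple[str, ...]   # remote UE's preference order (assumption of this example)
    caps_integ: Tuple[str, ...]
    policy: SecurityPolicy


@dataclass(frozen=True)
class DirectSecurityModeCommand:
    """Step 3a, relay UE -> remote UE: the DCR contents echoed back, the policy applied over Uu,
    and Chosen_algs (a NULL algorithm means that protection stays off)."""
    echoed_caps_cipher: Tuple[str, ...]
    echoed_caps_integ: Tuple[str, ...]
    echoed_policy: SecurityPolicy
    uu_policy: SecurityPolicy
    chosen_cipher: str
    chosen_integ: str


def _choose(remote_caps, relay_caps, setting, null_alg) -> Optional[str]:
    """NOT_NEEDED -> NULL algorithm; REQUIRED -> first non-NULL algorithm both UEs support."""
    if setting == NOT_NEEDED:
        return null_alg
    for alg in remote_caps:
        if alg in relay_caps and alg != null_alg:
            return alg
    return None   # REQUIRED but no common non-NULL algorithm: the policy cannot be met


def relay_handle_dcr(dcr: DirectCommunicationRequest, uu_policy: SecurityPolicy,
                     relay_caps_cipher, relay_caps_integ) -> Optional[DirectSecurityModeCommand]:
    """Relay UE: verify that the DCR policy equals the protection set over its Uu link, then
    build the DSMC. Returns None when verification or algorithm selection fails."""
    if dcr.policy != uu_policy:
        return None
    cipher = _choose(dcr.caps_cipher, relay_caps_cipher, uu_policy.ciphering, NULL_CIPHER)
    integ = _choose(dcr.caps_integ, relay_caps_integ, uu_policy.integrity, NULL_INTEG)
    if cipher is None or integ is None:
        return None
    return DirectSecurityModeCommand(
        echoed_caps_cipher=dcr.caps_cipher, echoed_caps_integ=dcr.caps_integ,
        echoed_policy=dcr.policy, uu_policy=uu_policy,
        chosen_cipher=cipher, chosen_integ=integ,
    )


def remote_verify_dsmc(dcr: DirectCommunicationRequest, dsmc: DirectSecurityModeCommand) -> bool:
    """Remote UE (step 4a): echoed capabilities and policy must equal what it sent (bidding-down
    protection), the Uu policy must equal its direct-path policy, and Chosen_algs must realise
    that policy (non-NULL exactly where REQUIRED, and drawn from its own capabilities)."""
    if (dsmc.echoed_caps_cipher, dsmc.echoed_caps_integ, dsmc.echoed_policy) != \
            (dcr.caps_cipher, dcr.caps_integ, dcr.policy):
        return False
    if dsmc.uu_policy != dcr.policy:
        return False
    cipher_on = dsmc.chosen_cipher != NULL_CIPHER
    integ_on = dsmc.chosen_integ != NULL_INTEG
    return (cipher_on == (dcr.policy.ciphering == REQUIRED)
            and integ_on == (dcr.policy.integrity == REQUIRED)
            and dsmc.chosen_cipher in dcr.caps_cipher
            and dsmc.chosen_integ in dcr.caps_integ)


# Constructed capability sets (NULL algorithms are always advertised).
REMOTE_CAPS_CIPHER = ("NEA2", "NEA1", "NEA0")
REMOTE_CAPS_INTEG = ("NIA2", "NIA1", "NIA0")
RELAY_CAPS_CIPHER = ("NEA2", "NEA0")
RELAY_CAPS_INTEG = ("NIA2", "NIA0")

if __name__ == "__main__":
    dcr = DirectCommunicationRequest(REMOTE_CAPS_CIPHER, REMOTE_CAPS_INTEG, SecurityPolicy(REQUIRED, REQUIRED))
    dsmc = relay_handle_dcr(dcr, SecurityPolicy(REQUIRED, REQUIRED), RELAY_CAPS_CIPHER, RELAY_CAPS_INTEG)
    print(dsmc, remote_verify_dsmc(dcr, dsmc))
```

Echoing the capabilities and policy is what lets the remote UE detect a modified request: if anything between the two UEs had stripped the non-NULL algorithms from the DCR, the echoed list in the DSMC would no longer match what the remote UE sent and `remote_verify_dsmc` returns `False`, so the weakened context is never taken into use.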
The security policy indicates the following:
A) REQUIRED means the UE/NG-RAN should accept the connection if a non-NULL confidentiality or integrity algorithm is used for protection of the traffic.
B) NOT NEEDED means that the UE/NG-RAN should only establish a connection with no security.
C) PREFERRED means that UP integrity protection should apply for all the traffic on the PDU Session (based on UP security policy enforcement).
D) PREFERRED means that the UE may try to establish security but will accept the connection with no security. One use of PREFERRED is to enable a security policy to be changed without updating all UEs at once (based on the security policy for the PC5 interface as defined in TS 33.536).
In an embodiment, ProSe multipath security policy indicates only the following setting of security protection to avoid any chances of mismatch between both paths:
A) REQUIRED means the UE/NG-RAN should accept the connection if a non-NULL confidentiality or integrity algorithm is used for protection of the traffic.
B) NOT NEEDED means that the UE/NG-RAN should only establish a connection with no security.
Ensuring that only a connection with security is used for a ProSe service is guaranteed if the security policy of the NG-RAN for ProSe multipath transmission is set to REQUIRED. It is recommended to set this security policy to REQUIRED in order to guarantee security protection over both redundant paths. If the security policy enforcement information sent from the SMF to the MN is set to PREFERRED, then one of the nodes (the MN) chooses a security activation status and informs the Secondary Node of it. In an embodiment, the PREFERRED option is not given to the relay UE, i.e., the security activation status for the DRBs established for the first PDU session and the second PDU session will be the same security activation status, to avoid the security protection mismatch issue.
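The "Preferred" handling described above (steps A and B: the MN resolves the policy into an activation status for the first PDU session, stores it, and indicates it to the relay UE, or forwards the policy itself when no PREFERRED setting is involved), the restriction of the ProSe multipath policy to REQUIRED/NOT NEEDED, and the resulting same-status check across both paths can be modelled as follows. This Python example is added for illustration; it is not code from the patent, the applicant, or any 3GPP implementation. The NG-RAN's local preference used to resolve PREFERRED and the message shapes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

REQUIRED = "REQUIRED"
NOT_NEEDED = "NOT_NEEDED"
PREFERRED = "PREFERRED"


@dataclass(frozen=True)
class UpSecurityPolicy:
    """UP security policy as sent by the SMF: a setting each for ciphering and integrity."""
    ciphering: str
    integrity: str


@dataclass(frozen=True)
class ActivationStatus:
    """What is actually switched on for the DRBs of a PDU session."""
    ciphering_on: bool
    integrity_on: bool


def is_valid_multipath_policy(policy: UpSecurityPolicy) -> bool:
    """The ProSe multipath policy may carry only REQUIRED / NOT NEEDED; PREFERRED is excluded so
    that no per-node choice can make the two paths diverge."""
    allowed = (REQUIRED, NOT_NEEDED)
    return policy.ciphering in allowed and policy.integrity in allowed


def _resolve(setting: str, ran_choice: bool) -> bool:
    if setting == REQUIRED:
        return True
    if setting == NOT_NEEDED:
        return False
    if setting == PREFERRED:
        return ran_choice          # NG-RAN's own decision (step A)
    raise ValueError(f"unknown UP security policy setting {setting!r}")


class MasterNode:
    """NG-RAN acting as MN for the first (direct Uu) PDU session."""

    def __init__(self, policy: UpSecurityPolicy, prefer_cipher: bool = True, prefer_integ: bool = True):
        self.policy = policy
        # Constructed local preference applied whenever a setting is PREFERRED.
        self.prefer_cipher = prefer_cipher
        self.prefer_integ = prefer_integ
        self.first_pdu_status: Optional[ActivationStatus] = None

    def establish_first_pdu_session(self) -> ActivationStatus:
        """Step A: decide ciphering/integrity for the first PDU session's DRBs and store the result."""
        self.first_pdu_status = ActivationStatus(
            _resolve(self.policy.ciphering, self.prefer_cipher),
            _resolve(self.policy.integrity, self.prefer_integ),
        )
        return self.first_pdu_status

    def indication_for_relay(self) -> Union[ActivationStatus, UpSecurityPolicy]:
        """What the MN gives the relay UE for the indirect path: the stored activation status when
        PREFERRED had to be resolved, otherwise the policy itself, which the relay can apply
        deterministically because it contains only REQUIRED / NOT NEEDED."""
        if self.first_pdu_status is None:
            raise RuntimeError("first PDU session not established yet")
        if PREFERRED in (self.policy.ciphering, self.policy.integrity):
            return self.first_pdu_status
        return self.policy


def relay_apply_over_pc5(indication: Union[ActivationStatus, UpSecurityPolicy]) -> ActivationStatus:
    """Step B: the relay UE activates UP security over PC5 for the redundant PDU session's DRBs.
    A PREFERRED setting must never reach the relay, since it would let the relay choose differently."""
    if isinstance(indication, ActivationStatus):
        return indication
    if not is_valid_multipath_policy(indication):
        raise ValueError("relay UE must not receive a PREFERRED setting")
    return ActivationStatus(_resolve(indication.ciphering, False), _resolve(indication.integrity, False))


def paths_consistent(direct: ActivationStatus, indirect: ActivationStatus) -> bool:
    """The property the page requires: both redundant paths carry the same protection."""
    return direct == indirect


def run(policy: UpSecurityPolicy, prefer_cipher: bool = True,
        prefer_integ: bool = True) -> Tuple[ActivationStatus, ActivationStatus, bool]:
    """Set up the direct path at the MN, derive the indirect path at the relay, and compare."""
    mn = MasterNode(policy, prefer_cipher, prefer_integ)
    direct = mn.establish_first_pdu_session()
    indirect = relay_apply_over_pc5(mn.indication_for_relay())
    return direct, indirect, paths_consistent(direct, indirect)


if __name__ == "__main__":
    print(run(UpSecurityPolicy(PREFERRED, REQUIRED), prefer_cipher=False))
    print(run(UpSecurityPolicy(REQUIRED, NOT_NEEDED)))
```

With a PREFERRED ciphering setting the MN's own choice (here the constructed `prefer_cipher` flag) fixes the status once, and the relay inherits that status rather than re-deciding, which is what keeps the PC5 leg from ending up less protected than the direct Uu leg.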
In an embodiment, the security protection i.e., encryption and/or integrity protection is always activated for ProSe multipath transmission.
In an embodiment, the UDM determines the security policy for both the Uu links and the PC5 links. In this alternative, the subscribed User Plane Security Policy is part of the SM subscription information received from the UDM. Similar to the UP security policy, a PC5 security policy per service/application/S-NSSAI/Relay Service Code (RSC) is provided along with the User Plane Security Policy as part of the SM subscription information, which is per (DNN, S-NSSAI). When the remote UE/5G ProSe UE-to-Network Relay is configured to use a set of slices supporting the Control Plane based security procedure, the SM subscription information should contain the security policy per remote UE/relay UE per S-NSSAI/set of slices supporting the CP based security procedure.
In an embodiment, on receiving the security policy from the SMF, the gNB determines the security protection over Uu to be activated/deactivated. The gNB reports the security protection to the relay UE. The relay UE sends the information about the security protection applied over Uu to the remote UE. The remote UE follows or applies the same setting of encryption and/or integrity protection over PC5 as well. In an embodiment, the relay UE reports the security activation status to the NG-RAN in RRC connection reconfiguration complete message, as shown in FIG. 11.
As shown in FIG. 11, at step 0, the NG-RAN (108) sends the RRC connection reconfiguration to the relay UE (102b). At step 1, the remote UE (102a) sends the Direct Communication Request (including the remote UE security capabilities and the remote UE's security policy based on the direct path) to the relay UE (102b). At step 2, direct authentication and key establishment is performed between the remote UE (102a) and the relay UE (102b). At step 3a, the relay UE (102b) sends the direct security mode command (including the remote UE security capabilities, the remote UE's security policy, and the security policy applied over Uu) to the remote UE (102a). At step 3b, the relay UE (102b) is ready to receive user plane and signalling with the new context. At step 4a, the remote UE (102a) is ready to send and receive user plane and signalling with the new context. At step 4b, the direct security mode complete is sent between the remote UE (102a) and the relay UE (102b). At step 5, the relay UE (102b) sends user plane and signalling with the new context and deletes the old context. At step 6, the relay UE (102b) sends RRC Reconfig Complete (including the security activation status over PC5) to the NG-RAN (108).
In an embodiment, the NG-RAN decides the security protection activation/deactivation over the Uu link between the NG-RAN and the remote UE and over the Uu link between the NG-RAN and the relay UE. In another embodiment, if the end-points are different, i.e., different gNBs, the SMF sends the same set of security policies to both NG-RANs.
In an embodiment, the PCF determines the security policy for both the Uu links and the PC5 links. The PCF provides the security policy in the PCC rules to the SMF. In an embodiment these PCC rules contain the security policy for the multipath transmission service for ProSe. When there is an indication for multipath transmission and/or the remote UE is authorized to have the multipath transmission service and/or the relay UE is authorized to relay the multipath transmission service, the PCF provides and/or determines the security policy for both paths such that the same setting of encryption and integrity applies to both PDU sessions.
In an embodiment, selective security protection enablement over different protocol layers is proposed. This alternative describes enabling and/or disabling security protection over the application and PDCP layers during ProSe multipath transmission and/or a ProSe service when connected to the network via a Layer-2/3 relay UE. If the UE indicates the Multi-path policy-provisioning request in the UE Policy Container, the PCF determines whether to provision the Multi-path policy to the UE accessing the Layer-2 or Layer-3 UE-to-Network Relay based on the capability of the 5G ProSe Layer-2 or Layer-3 Remote UE received from the AMF. In an embodiment, the PCF also determines that Multi-Path PDU Sessions via direct Uu and Layer-2/3 UE-to-Network Relay are preferred by the UE. The PCF includes an additional indication in the URSP rule to indicate the preferred security protection based on the UE and network security capability.
Table 1 below shows Route Selection Descriptor with additional IE (clause 6.6.2, Table 6.6.2.1-2, TS 23.503).
[Table 1: Route Selection Descriptor with additional IE (table image not reproduced in text)]
Table 2 below provides an illustrative example of URSP rules for ProSe multi-path transmission.
In an embodiment, the access type preference IE indicates that ProSe multi-path PDU Sessions via direct Uu and Layer-2/3 UE-to-Network Relay are preferred by the UE. Further, the security capabilities IE indicates the preference for security protection over the application and/or PDCP layer.
In an embodiment, there are three possible scenarios:
A) Protection over application layer: ENABLED or DISABLED and/or Protection over PDCP layer: DISABLED ALWAYS
B) Protection over application layer: ENABLED and/or Protection over PDCP layer: DISABLED
C) Protection over application layer: ENABLED and/or Protection over PDCP layer: ENABLED
In an embodiment, the UE indicates whether it supports protection at the application layer and/or the PDCP layer in the Multi-path policy provisioning request in the UE Policy Container, by indicating it via a security capabilities indication. In another embodiment, the UE includes the indication of the security capabilities during the PDU Session Establishment procedure, the PDU Session Modification Request, the SMC procedure or the Registration procedure.
[Table 2: illustrative example of URSP rules for ProSe multi-path transmission (table image not reproduced in text)]
In another embodiment, the subscribed User Plane Security Policy, which is part of the SM subscription information received from the UDM, includes an indication that ProSe multi-path PDU Sessions via direct Uu and Layer-2/3 UE-to-Network Relay are authorized and preferred by the UE. Further, the security capabilities IE indicates the preference for security protection over the application and/or PDCP layer.
FIG. 12 shows various hardware components of the UE (102), according to the embodiments as disclosed herein. In an embodiment, the UE (102) includes a processor (1210), a communicator (1220), a memory (1230) and a Prose multipath communication controller (1240). The processor (1210) is coupled with the communicator (1220), the memory (1230) and the Prose multipath communication controller (1240).
The Prose multipath communication controller (1240) initiates the ProSe multipath communication with the relay device (102b) in the telecommunication network (900). The relay device (102b) establishes the first PDU session with the network apparatus in the telecommunication network (900) using the first link over the first network path. Further, the Prose multipath communication controller (1240) establishes the second PDU session with the network apparatus using the second link over the second network path. Further, the Prose multipath communication controller (1240) receives a ProSe multipath security policy from the UDM node (122) associated with the network apparatus for the second PDU session. The Prose multipath communication controller (1240) receives the ProSe multipath security policy from the network apparatus. Further, the Prose multipath communication controller (1240) receives a ProSe multipath security policy from the relay device (102b). Further, the Prose multipath communication controller (1240) determines whether the ProSe multipath security policy received from the relay device (102b) is the same as the ProSe multipath security policy received for the second PDU session. In an embodiment, the Prose multipath communication controller (1240) performs the ProSe multipath communication with the relay device (102b) when the ProSe multipath security policy received from the relay device (102b) is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the Prose multipath communication controller (1240) rejects the ProSe multipath communication with the relay device (102b) when the ProSe multipath security policy received from the relay device (102b) is not the same as the ProSe multipath security policy received for the second PDU session.
In an embodiment, the Prose multipath communication controller (1240) performs the ProSe multipath communication with the relay device (102b) using the first link over the first network path and a PDU data transfer in the second communication with the network device using the second link over the second network path. The ProSe multipath communication with the relay device (102b) and the PDU data transfer with the network device is performed using the same ProSe multipath security policy.
The Prose multipath communication controller (1240) is implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware.
The processor (1210) may include one or a plurality of processors. The one or the plurality of processors may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an AI-dedicated processor such as a neural processing unit (NPU). The processor (1210) may include multiple cores and is configured to execute the instructions stored in the memory (1230).
Further, the processor (1210) is configured to execute instructions stored in the memory (1230) and to perform various processes. The communicator (1220) is configured for communicating internally between internal hardware components and with external devices via one or more networks. The memory (1230) also stores instructions to be executed by the processor (1210). The memory (1230) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories. In addition, the memory (1230) may, in some examples, be considered a non-transitory storage medium. The term “non-transitory” may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term “non-transitory” should not be interpreted that the memory (1230) is non-movable. In certain examples, a non-transitory storage medium may store data that can, over time, change (e.g., in Random Access Memory (RAM) or cache).
Although FIG. 12 shows various hardware components of the UE (102), it is to be understood that other embodiments are not limited thereto. In other embodiments, the UE (102) may include fewer or more components. Further, the labels or names of the components are used only for illustrative purposes and do not limit the scope of the invention. One or more components can be combined together to perform the same or a substantially similar function in the UE (102).
FIG. 13 shows various hardware components of the relay device (102b), according to the embodiments as disclosed herein. In an embodiment, the relay device (102b) includes a processor (1310), a communicator (1320), a memory (1330) and a Prose multipath communication controller (1340). The processor (1310) is coupled with the communicator (1320), the memory (1330) and the Prose multipath communication controller (1340).
In an embodiment, the Prose multipath communication controller (1340) receives the multipath ProSe communication message from the UE (102). Further, the Prose multipath communication controller (1340) sends an authenticated and authorized message for the multipath ProSe communication to the SMF node (120) in the telecommunication network (900). Further, the Prose multipath communication controller (1340) establishes the first PDU session with the AMF node (118) associated with the network apparatus using the first link over the first network path after successful authentication and authorization of the relay device (102b) at the SMF node (120). Further, the Prose multipath communication controller (1340) receives a RRC message comprising the ProSe multipath security policy from the MN (116) associated with the network apparatus. Further, the Prose multipath communication controller (1340) stores the ProSe multipath security policy in the memory (1330) for a temporary period of time. Further, the Prose multipath communication controller (1340) sends the ProSe multipath security policy to the UE (102).
The Prose multipath communication controller (1340) is implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware.
The processor (1310) may include one or a plurality of processors. The one or the plurality of processors may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an AI-dedicated processor such as a neural processing unit (NPU). The processor (1310) may include multiple cores and is configured to execute the instructions stored in the memory (1330).
Further, the processor (1310) is configured to execute instructions stored in the memory (1330) and to perform various processes. The communicator (1320) is configured for communicating internally between internal hardware components and with external devices via one or more networks. The memory (1330) also stores instructions to be executed by the processor (1310). The memory (1330) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories. In addition, the memory (1330) may, in some examples, be considered a non-transitory storage medium. The term “non-transitory” may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term “non-transitory” should not be interpreted that the memory (1330) is non-movable. In certain examples, a non-transitory storage medium may store data that can, over time, change (e.g., in Random Access Memory (RAM) or cache).
Although FIG. 13 shows various hardware components of the relay device (102b), it is to be understood that other embodiments are not limited thereto. In other embodiments, the relay device (102b) may include fewer or more components. Further, the labels or names of the components are used only for illustrative purposes and do not limit the scope of the invention. One or more components can be combined together to perform the same or a substantially similar function in the relay device (102b).
FIG. 14 shows various hardware components of the AMF node (118), according to the embodiments as disclosed herein. In an embodiment, the AMF node (118) includes a processor (1410), a communicator (1420), a memory (1430) and a Prose multipath communication controller (1440). The processor (1410) is coupled with the communicator (1420), the memory (1430) and the Prose multipath communication controller (1440).
The Prose multipath communication controller (1440) sends a SMF supporting ProSe multipath transmission during the authentication and authorization of the relay UE (102b) by the SMF node (120). Further, the Prose multipath communication controller (1440) sends the PDU session request message comprising the SMF supporting ProSe multipath transmission to the SMF node (120).
The Prose multipath communication controller (1440) is implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware.
The processor (1410) may include one or a plurality of processors. The one or the plurality of processors may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an AI-dedicated processor such as a neural processing unit (NPU). The processor (1410) may include multiple cores and is configured to execute the instructions stored in the memory (1430).
Further, the processor (1410) is configured to execute instructions stored in the memory (1430) and to perform various processes. The communicator (1420) is configured for communicating internally between internal hardware components and with external devices via one or more networks. The memory (1430) also stores instructions to be executed by the processor (1410). The memory (1430) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories. In addition, the memory (1430) may, in some examples, be considered a non-transitory storage medium. The term “non-transitory” may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term “non-transitory” should not be interpreted that the memory (1430) is non-movable. In certain examples, a non-transitory storage medium may store data that can, over time, change (e.g., in Random Access Memory (RAM) or cache).
Although FIG. 14 shows various hardware components of the AMF node (118), it is to be understood that other embodiments are not limited thereto. In other embodiments, the AMF node (118) may include fewer or more components. Further, the labels or names of the components are used only for illustrative purposes and do not limit the scope of the invention. One or more components can be combined together to perform the same or a substantially similar function in the AMF node (118).
FIG. 15 shows various hardware components of the SMF node (120), according to the embodiments as disclosed herein. In an embodiment, the SMF node (120) includes a processor (1510), a communicator (1520), a memory (1530) and a Prose multipath communication controller (1540). The processor (1510) is coupled with the communicator (1520), the memory (1530) and the Prose multipath communication controller (1540).
The Prose multipath communication controller (1540) receives the request to establish the multipath ProSe communication from the relay device (102b). Further, the Prose multipath communication controller (1540) authenticates and authorizes the relay device (102b) based on the request. Further, the Prose multipath communication controller (1540) receives the PDU session request message comprising the SMF supporting ProSe multipath transmission from the AMF node (118). Further, the Prose multipath communication controller (1540) sends a request to retrieve subscription information to the UDM node (122) associated with the network apparatus. Further, the Prose multipath communication controller (1540) receives the retrieve subscription comprising the ProSe multipath security policy from the UDM node (122). Further, the Prose multipath communication controller (1540) sends the ProSe multipath security policy received from the UDM node (122) to the master node (116).
The Prose multipath communication controller (1540) is implemented by analog and/or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits and the like, and may optionally be driven by firmware.
The processor (1510) may include one or a plurality of processors. The one or the plurality of processors may be a general-purpose processor, such as a central processing unit (CPU), an application processor (AP), or the like, a graphics-only processing unit such as a graphics processing unit (GPU), a visual processing unit (VPU), and/or an AI-dedicated processor such as a neural processing unit (NPU). The processor (1510) may include multiple cores and is configured to execute the instructions stored in the memory (1530).
Further, the processor (1510) is configured to execute instructions stored in the memory (1530) and to perform various processes. The communicator (1520) is configured for communicating internally between internal hardware components and with external devices via one or more networks. The memory (1530) also stores instructions to be executed by the processor (1510). The memory (1530) may include non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard discs, optical discs, floppy discs, flash memories, or forms of electrically programmable memories (EPROM) or electrically erasable and programmable (EEPROM) memories. In addition, the memory (1530) may, in some examples, be considered a non-transitory storage medium. The term “non-transitory” may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. However, the term “non-transitory” should not be interpreted that the memory (1530) is non-movable. In certain examples, a non-transitory storage medium may store data that can, over time, change (e.g., in Random Access Memory (RAM) or cache).
Although FIG. 15 shows various hardware components of the SMF node (120), it is to be understood that other embodiments are not limited thereto. In other embodiments, the SMF node (120) may include fewer or more components. Further, the labels or names of the components are used only for illustrative purposes and do not limit the scope of the invention. One or more components can be combined together to perform the same or a substantially similar function in the SMF node (120).
FIG. 16 is a flow chart (S1600) illustrating a method, implemented by the UE (102), for secure Multi-path transmission for ProSe in the telecommunication network (900), according to the embodiments as disclosed herein. The telecommunication network (900) can be, for example, but not limited to a fourth generation (4G) network, a fifth generation (5G) network, an Open Radio Access Network (ORAN), a sixth generation (6G) network. The operations (S1602-S1616) are handled by the Prose multipath communication controller (1240).
At step S1602, the method includes initiating the ProSe multipath communication with the relay device (102b). The relay device (102b) establishes the first PDU session with the network apparatus using the first link over the first network path. At step S1604, the method includes establishing the second PDU session with the network apparatus using the second link over the second network path. At step S1606, the method includes receiving the ProSe multipath security policy from the UDM (122) associated with the network apparatus for the second PDU session. At step S1608, the method includes receiving the ProSe multipath security policy from the network apparatus. At step S1610, the method includes receiving the ProSe multipath security policy from the relay device (102b).
At step S1612, the method includes determining whether the ProSe multipath security policy received from the relay device (102b) is the same as the ProSe multipath security policy received for the second PDU session. In an embodiment, at step S1614, the method includes performing the ProSe multipath communication with the relay device (102b) when the ProSe multipath security policy received from the relay device (102b) is the same as the ProSe multipath security policy received for the second PDU session. In another embodiment, the method includes rejecting the ProSe multipath communication with the relay device (102b) when the ProSe multipath security policy received from the relay device (102b) is not the same as the ProSe multipath security policy received for the second PDU session.
FIG. 17 is a flow chart (S1700) illustrating a method, implemented by the relay device (102b), for secure Multi-path transmission for the ProSe in the telecommunication network (900), according to the embodiments as disclosed herein. The operations (S1702-S1712) are handled by the Prose multipath communication controller (1340).
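The following Python model is an added example, not code from the patent, of the two checks described above: the relay UE comparing the policy carried in the DCR with its Uu protection and echoing the remote UE's capabilities and policy back in the Direct Security Mode Command (FIG. 11), and the remote UE's determination at step S1612 that the policy reported by the relay matches the policy received for the second PDU session. The message field names, the encoding of Chosen_algs as a (ciphering, integrity) pair, and the use of NEA0/NIA0 as the NULL algorithms and NEA2/NIA2 as non-NULL ones are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Policy(Enum):
    REQUIRED = "REQUIRED"        # accept only with a non-NULL algorithm
    NOT_NEEDED = "NOT NEEDED"    # establish only without protection
    PREFERRED = "PREFERRED"      # allowed on plain PC5, excluded for multipath


# Assumed identifiers: NEA0/NIA0 are the 5G NULL ciphering/integrity algorithms.
NULL_CIPHERING = "NEA0"
NULL_INTEGRITY = "NIA0"


@dataclass(frozen=True)
class SecPolicy:
    """Security policy: one setting for ciphering, one for integrity."""
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class DirectCommunicationRequest:
    """Constructed DCR (FIG. 11, step 1): remote UE -> relay UE."""
    ue_caps: FrozenSet[str]   # algorithms the remote UE supports
    pc5_policy: SecPolicy     # policy the remote UE determined for the direct path


@dataclass(frozen=True)
class DirectSecurityModeCommand:
    """Constructed DSMC (FIG. 11, step 3a): relay UE -> remote UE."""
    echoed_caps: FrozenSet[str]    # remote UE capabilities echoed back (anti bidding-down)
    echoed_policy: SecPolicy       # remote UE policy echoed back (anti bidding-down)
    uu_policy: SecPolicy           # protection the relay has active over Uu
    chosen_algs: Tuple[str, str]   # (ciphering, integrity); a NULL alg means unprotected


def relay_build_dsmc(dcr: DirectCommunicationRequest, uu_policy: SecPolicy,
                     uu_algs: Tuple[str, str]) -> Optional[DirectSecurityModeCommand]:
    """Relay UE side: verify the DCR policy against the Uu protection and, on
    success, build the DSMC. Returns None when the relay must not proceed."""
    if dcr.pc5_policy != uu_policy:
        return None  # policy over PC5 would differ from the protection over Uu
    # Chosen_algs: non-NULL means the protection is activated, NULL means unprotected.
    ciph = uu_algs[0] if uu_policy.ciphering is Policy.REQUIRED else NULL_CIPHERING
    integ = uu_algs[1] if uu_policy.integrity is Policy.REQUIRED else NULL_INTEGRITY
    if ciph not in dcr.ue_caps or integ not in dcr.ue_caps:
        return None  # remote UE cannot run the algorithm the Uu protection implies
    return DirectSecurityModeCommand(dcr.ue_caps, dcr.pc5_policy, uu_policy, (ciph, integ))


def remote_ue_decide(sent_dcr: DirectCommunicationRequest, dsmc: DirectSecurityModeCommand,
                     second_pdu_policy: SecPolicy) -> Tuple[bool, str]:
    """Remote UE side (step S1612): accept the multipath communication only when
    every view of the policy agrees. Returns (accepted, reason)."""
    if Policy.PREFERRED in (second_pdu_policy.ciphering, second_pdu_policy.integrity):
        return False, "PREFERRED is not a valid ProSe multipath policy setting"
    if dsmc.echoed_caps != sent_dcr.ue_caps or dsmc.echoed_policy != sent_dcr.pc5_policy:
        return False, "echoed capabilities/policy differ from the DCR (bidding down)"
    if dsmc.uu_policy != second_pdu_policy:
        return False, "relay-reported Uu policy differs from the second PDU session policy"
    ciph, integ = dsmc.chosen_algs
    if (ciph != NULL_CIPHERING) != (second_pdu_policy.ciphering is Policy.REQUIRED):
        return False, "ciphering activation in Chosen_algs contradicts the policy"
    if (integ != NULL_INTEGRITY) != (second_pdu_policy.integrity is Policy.REQUIRED):
        return False, "integrity activation in Chosen_algs contradicts the policy"
    return True, "policies match on both paths; proceed (step S1614)"


if __name__ == "__main__":
    caps = frozenset({"NEA0", "NEA2", "NIA0", "NIA2"})   # constructed capability set
    required = SecPolicy(Policy.REQUIRED, Policy.REQUIRED)
    dcr = DirectCommunicationRequest(caps, required)
    dsmc = relay_build_dsmc(dcr, required, ("NEA2", "NIA2"))
    print(remote_ue_decide(dcr, dsmc, required))
    # A DSMC whose Chosen_algs were downgraded to NULL in transit is rejected.
    downgraded = DirectSecurityModeCommand(caps, required, required, ("NEA0", "NIA0"))
    print(remote_ue_decide(dcr, downgraded, required))
```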
At step S1702, the method includes receiving the multipath ProSe communication message from the UE (102). At step S1704, the method includes sending the authenticated and authorized message for the multipath ProSe communication to the SMF node (120). At step S1706, the method includes establishing the first PDU session with the AMF node (118) associated with the network apparatus using the first link over the first network path after successful authentication and authorization of the relay device (102b) at the SMF node (120). At step S1708, the method includes receiving the RRC message comprising the ProSe multipath security policy from the MN (116) associated with the network apparatus. At step S1710, the method includes storing the ProSe multipath security policy in the memory (1330) of the relay device (102b) for the temporary period of time. At step S1712, the method includes sending the ProSe multipath security policy to the UE (102).
FIG. 18 is a flow chart (S1800) illustrating a method, implemented by the AMF node (118), for secure Multi-path transmission for ProSe in the telecommunication network (900), according to the embodiments as disclosed herein. The operations (S1802-S1804) are handled by the Prose multipath communication controller (1440).
At step S1802, the method includes selecting the SMF node supporting ProSe multipath transmission during the authentication and authorization of the relay UE (102b) by the SMF node (120). At step S1804, the method includes sending the PDU session request message comprising the SMF supporting ProSe multipath transmission to the SMF node (120).
FIG. 19 is a flow chart (S1900) illustrating a method, implemented by the SMF node (120), for secure Multi-path transmission for ProSe in the telecommunication network (900), according to the embodiments as disclosed herein. The operations (S1902-S1912) are handled by the Prose multipath communication controller (1540).
At step S1902, the method includes receiving the request to establish the multipath ProSe communication from the relay device (102b). At step S1904, the method includes authenticating and authorizing the relay device (102b) based on the request. At step S1906, the method includes receiving the PDU session request message comprising the SMF supporting ProSe multipath transmission from the AMF node (118). At step S1908, the method includes sending the request to retrieve subscription information to the UDM node (122) associated with the network apparatus. At step S1910, the method includes receiving the retrieve subscription comprising the ProSe multipath security policy from the UDM node (122). At step S1912, the method includes sending the ProSe multipath security policy received from the UDM node to the master node (116).
The various actions, acts, blocks, steps, or the like in the flow charts (S1600-S1900) may be performed in the order presented, in a different order or simultaneously. Further, in some embodiments, some of the actions, acts, blocks, steps, or the like may be omitted, added, modified, skipped, or the like without departing from the scope of the invention.
FIG. 20 is a block diagram illustrating a terminal (or a user equipment (UE)), according to the embodiments as disclosed herein.
As shown in FIG. 20, a terminal according to an embodiment may include a transceiver 2010, a memory 2020, and a processor (or a controller) 2030. The transceiver 2010, the memory 2020, and the processor (or controller) 2030 of the terminal may operate according to a communication method of the terminal described above. However, the components of the terminal are not limited thereto. For example, the terminal may include more or fewer components than those described in FIG. 20. In addition, the processor (or controller) 2030, the transceiver 2010, and the memory 2020 may be implemented as a single chip. Also, the processor (or controller) 2030 may include at least one processor. Furthermore, the UE of FIG. 20 corresponds to the UE (102) of FIG. 1, FIG. 5, FIG. 6, FIG. 8B, FIG. 12, UE-to-network relay-1 (104a) and network relay-2 (104b) of FIG. 1, remote UE of FIG. 2, FIG. 3, FIG. 4, UE-to-network relay PC5 of FIG. 2, FIG. 3, UE-NW relay of FIG. 4, UE-to-network relay (104) of FIG. 5, FIG. 6, FIG. 7, FIG. 8A, FIG. 8B, remote UE (102a) of FIG. 7, FIG. 8A, FIG. 9, FIG. 10, FIG. 11, relay UE (102b) of FIG. 9, FIG. 10, FIG. 11, or relay device (102b) of FIG. 13.
The transceiver 2010 collectively refers to a terminal station receiver and a terminal transmitter, and may transmit/receive a signal to/from a base station or another terminal. The signal transmitted or received to or from the terminal may include control information and data. The transceiver 2010 may include a RF transmitter for up-converting and amplifying a frequency of a transmitted signal, and a RF receiver for amplifying low-noise and down-converting a frequency of a received signal. However, this is only an example of the transceiver 2010 and components of the transceiver 2010 are not limited to the RF transmitter and the RF receiver.
Also, the transceiver 2010 may receive and output, to the processor (or controller) 2030, a signal through a wireless channel, and transmit a signal output from the processor (or controller) 2030 through the wireless channel.
The memory 2020 may store a program and data required for operations of the terminal. Also, the memory 2020 may store control information or data included in a signal obtained by the terminal. The memory 2020 may be a storage medium, such as read-only memory (ROM), random access memory (RAM), a hard disk, a CD-ROM, and a DVD, or a combination of storage media.
The processor (or controller) 2030 may control a series of processes such that the terminal operates as described above. For example, the processor (or controller) 2030 may receive a data signal and/or a control signal, and the processor (or controller) 2030 may determine a result of receiving the signal transmitted by the base station and/or the other terminal.
FIG. 21 is a block diagram illustrating a base station (BS), according to the embodiments as disclosed herein.
As shown in FIG. 21, the base station of the present disclosure may include a transceiver 2110, a memory 2120, and a processor (or a controller) 2130. The transceiver 2110, the memory 2120, and the processor (or controller) 2130 of the base station may operate according to a communication method of the base station described above. However, the components of the base station are not limited thereto. For example, the base station may include more or fewer components than those described in FIG. 21. In addition, the processor (or controller) 2130, the transceiver 2110, and the memory 2120 may be implemented as a single chip. Also, the processor (or controller) 2130 may include at least one processor. Furthermore, the base station of FIG. 21 corresponds to the BS (e.g., gNB of FIG. 2, FIG. 3, NG-RAN node of FIG. 4, NG-RAN (108a, 108b) of FIG. 6, FIG. 8B, NG-RAN (108) of FIG. 7, FIG. 8A, FIG. 10, FIG. 11, or MN (116), SN (124) of FIG. 9).
The transceiver 2110 collectively refers to a base station receiver and a base station transmitter, and may transmit/receive a signal to/from a terminal, another base station, and/or a core network function(s) (or entity(s)). The signal transmitted or received to or from the base station may include control information and data. The transceiver 2110 may include a RF transmitter for up-converting and amplifying a frequency of a transmitted signal, and a RF receiver for amplifying low-noise and down-converting a frequency of a received signal. However, this is only an example of the transceiver 2110 and components of the transceiver 2110 are not limited to the RF transmitter and the RF receiver.
Also, the transceiver 2110 may receive and output, to the processor (or controller) 2130, a signal through a wireless channel, and transmit a signal output from the processor (or controller) 2130 through the wireless channel.
The memory 2120 may store a program and data required for operations of the base station. Also, the memory 2120 may store control information or data included in a signal obtained by the base station. The memory 2120 may be a storage medium, such as ROM, RAM, a hard disk, a CD-ROM, and a DVD, or a combination of storage media.
The processor (or controller) 2130 may control a series of processes such that the base station operates as described above. For example, the processor (or controller) 2130 may receive a data signal and/or a control signal, and the processor (or controller) 2130 may determine a result of receiving the signal transmitted by the terminal and/or the core network function.
FIG. 22 is a block diagram illustrating a structure of a network entity according to the embodiment as disclosed herein.
As shown in FIG. 22, the network entity of the present disclosure may include a transceiver 2210, a memory 2220, and a processor 2230. The transceiver 2210, the memory 2220, and the processor 2230 of the network entity may operate according to a communication method of the network entity described above. However, the components of the network entity are not limited thereto. For example, the network entity may include more or fewer components than those described above. In addition, the processor 2230, the transceiver 2210, and the memory 2220 may be implemented as a single chip. Also, the processor 2230 may include at least one processor. Furthermore, the network entity illustrated in FIG. 22 may correspond to the remote UE’s UPF of FIG. 2, the remote UE’s AMF and SMF of FIG. 3, the UPF of FIG. 4, or the AMF node (118) or SMF node (120) illustrated in FIG. 9, FIG. 14, and FIG. 15.
The transceiver 2210 collectively refers to a network entity receiver and a network entity transmitter, and may transmit/receive a signal to/from a base station or a UE. The signal transmitted or received to or from the base station or the UE may include control information and data. In this regard, the transceiver 2210 may include an RF transmitter for up-converting and amplifying the frequency of a transmitted signal, and an RF receiver for low-noise amplifying and down-converting the frequency of a received signal. However, this is only an example of the transceiver 2210, and the components of the transceiver 2210 are not limited to the RF transmitter and the RF receiver.
Also, the transceiver 2210 may receive and output, to the processor 2230, a signal through a wireless channel, and transmit a signal output from the processor 2230 through the wireless channel.
The memory 2220 may store a program and data required for operations of the network entity. Also, the memory 2220 may store control information or data included in a signal obtained by the network entity. The memory 2220 may be a storage medium, such as ROM, RAM, a hard disk, a CD-ROM, and a DVD, or a combination of storage media.
The processor 2230 may control a series of processes such that the network entity operates as described above. For example, the transceiver 2210 may receive a data signal including a control signal, and the processor 2230 may determine a result of receiving the data signal.
The methods according to the embodiments described in the claims or the detailed description of the present disclosure may be implemented in hardware, software, or a combination of hardware and software.
When the electrical structures and methods are implemented in software, a computer-readable recording medium having one or more programs (software modules) recorded thereon may be provided. The one or more programs recorded on the computer-readable recording medium are configured to be executable by one or more processors in an electronic device. The one or more programs include instructions to execute the methods according to the embodiments described in the claims or the detailed description of the present disclosure.
The programs (e.g., software modules or software) may be stored in random access memory (RAM), non-volatile memory including flash memory, read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), a magnetic disc storage device, compact disc-ROM (CD-ROM), a digital versatile disc (DVD), another type of optical storage device, or a magnetic cassette. Alternatively, the programs may be stored in a memory system including a combination of some or all of the above-mentioned memory devices. In addition, a plurality of each of these memory devices may be included.
The programs may also be stored in an attachable storage device which is accessible through a communication network such as the Internet, an intranet, a local area network (LAN), a wireless LAN (WLAN), or a storage area network (SAN), or a combination thereof. The storage device may be connected through an external port to an apparatus according to the embodiments of the present disclosure. Another storage device on the communication network may also be connected to the apparatus performing the embodiments of the present disclosure.
In the afore-described embodiments of the present disclosure, elements included in the present disclosure are expressed in a singular or plural form according to the embodiments. However, the singular or plural form is appropriately selected for convenience of explanation and the present disclosure is not limited thereto. As such, an element expressed in a plural form may also be configured as a single element, and an element expressed in a singular form may also be configured as plural elements.
Although the figures illustrate different examples of user equipment, various changes may be made to the figures. For example, the user equipment can include any number of each component in any suitable arrangement. In general, the figures do not limit the scope of this disclosure to any particular configuration(s). Moreover, while figures illustrate operational environments in which various user equipment features disclosed in this patent document can be used, these features can be used in any other suitable system.
The foregoing description of the specific embodiments will so fully reveal the general nature of the embodiments herein that others can, by applying current knowledge, readily modify or adapt for various applications such specific embodiments without departing from the generic concept, and, therefore, such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Therefore, while the embodiments herein have been described in terms of preferred embodiments, those skilled in the art will recognize that the embodiments herein can be practiced with modification within the spirit and scope of the embodiments as described herein.

Claims (15)

  1. A method performed by a user equipment (UE) (102) for secure multi-path transmission for Proximity Services (ProSe) in a telecommunication network (900), the method comprising:
    initiating a ProSe multipath communication with at least one relay device (102b) in the telecommunication network (900), wherein the at least one relay device (102b) establishes a first protocol data unit (PDU) session with a network apparatus in the telecommunication network (900) using a first link over a first network path;
    establishing a second PDU session with the network apparatus using a second link over a second network path;
    receiving, from a unified data management (UDM) (122) associated with the network apparatus, a first ProSe multipath security policy for the second PDU session;
    receiving, from the at least one relay device (102b), a second ProSe multipath security policy;
    determining whether the second ProSe multipath security policy is the same as the first ProSe multipath security policy.
  2. The method as claimed in claim 1, wherein the method further comprises:
    performing the ProSe multipath communication with the at least one relay device (102b) in response to determining that the second ProSe multipath security policy is the same as the first ProSe multipath security policy, and
    rejecting the ProSe multipath communication with the at least one relay device (102b) in response to determining that the second ProSe multipath security policy is not the same as the first ProSe multipath security policy.
  3. The method as claimed in claim 1, wherein the method further comprises:
    receiving, from the network apparatus, a third ProSe multipath security policy;
    performing the ProSe multipath communication with the at least one relay device (102b) using the first link over the first network path and a PDU data transfer in the second communication with the network apparatus using the second link over the second network path, wherein the ProSe multipath communication with the at least one relay device (102b) and the PDU data transfer with the network apparatus is performed by using an identical ProSe multipath security policy.
  4. The method as claimed in claim 1, wherein the method further comprises:
    transmitting, to the at least one relay device (102b), a multipath ProSe communication message;
    receiving, from the at least one relay device (102b), the second ProSe multipath security policy.
  5. A user equipment (UE) (102) for secure multi-path transmission for proximity services (ProSe) in a telecommunication network (900), the UE (102) comprising:
    a memory (1230);
    at least one processor (1210) coupled with the memory (1230); and
    a ProSe multipath communication controller (1240), coupled with the memory (1230) and the at least one processor (1210), and configured to:
    initiate a ProSe multipath communication with at least one relay device (102b) in the telecommunication network (900), wherein the at least one relay device (102b) establishes a first protocol data unit (PDU) session with the network apparatus in the telecommunication network (900) using a first link over a first network path,
    establish a second PDU session with the network apparatus using a second link over a second network path,
    receive, from a unified data management (UDM) (122) associated with the network apparatus, a first ProSe multipath security policy for the second PDU session;
    receive, from the at least one relay device (102b), a second ProSe multipath security policy, and
    determine whether the second ProSe multipath security policy is the same as the first ProSe multipath security policy.
  6. The UE (102) as claimed in claim 5, wherein the ProSe multipath communication controller (1240) is further configured to:
    perform the ProSe multipath communication with the at least one relay device (102b) in response to determining that the second ProSe multipath security policy is the same as the first ProSe multipath security policy, or
    reject the ProSe multipath communication with the at least one relay device (102b) in response to determining that the second ProSe multipath security policy is not the same as the first ProSe multipath security policy.
  7. The UE (102) as claimed in claim 5, wherein the ProSe multipath communication controller (1240) is further configured to:
    receive, from the network apparatus, a third ProSe multipath security policy;
    perform the ProSe multipath communication with the at least one relay device (102b) by using the first link over the first network path and a PDU data transfer in a second communication with the network apparatus by using the second link over the second network path, wherein the ProSe multipath communication with the at least one relay device (102b) and the PDU data transfer with the network apparatus are performed by using an identical ProSe multipath security policy.
  8. The UE (102) as claimed in claim 5, wherein the ProSe multipath communication controller (1240) is further configured to:
    transmit, to the at least one relay device (102b), a multipath ProSe communication message;
    receive, from the at least one relay device (102b), the second ProSe multipath security policy.
  9. A method performed by a relay device (102b) for secure multi-path transmission for proximity services (ProSe) in a telecommunication network (900), the method comprising:
    receiving, from a UE (102), a multipath ProSe communication message,
    transmitting, to a session management function (SMF) entity (120), an authenticated and authorized message for a multipath ProSe communication in a telecommunication network (900),
    establishing a first protocol data unit (PDU) session with an access and mobility management function (AMF) entity (118) associated with a network apparatus using a first link over a first network path after successful authentication and authorization of the relay device (118) at the SMF entity (120),
    receiving, from a master node (MN) (116) associated with the network apparatus, a radio resource control (RRC) message comprising a second ProSe multipath security policy,
    storing the second ProSe multipath security policy in the memory (1330) for a temporary period of time; and
    transmitting, to the UE (102), the second ProSe multipath security policy.
  10. The method as claimed in claim 9, wherein the method further comprises:
    transmitting, to the SMF entity (120), a request to establish the multipath ProSe communication,
    wherein the request to establish the multipath ProSe communication is related to authentication and authorization of the relay device (102b).
  11. The method as claimed in claim 9, wherein the method further comprises:
    performing the ProSe multipath communication with the UE (102) by using the first link over the first network path, and
    wherein a PDU data transfer in a second communication with the network apparatus is related to a second link over a second network path.
  12. A relay device (102b) for secure multi-path transmission for proximity services (ProSe) in a telecommunication network (900), the relay device (102b) comprising:
    a memory (1330);
    at least one processor (1310) coupled with the memory (1330); and
    a ProSe multipath communication controller (1340), coupled with the memory (1330) and the at least one processor (1310), and configured to:
    receive, from a UE (102), a multipath ProSe communication message,
    transmit, to a session management function (SMF) entity (120), an authenticated and authorized message for a multipath ProSe communication in a telecommunication network (900),
    establish a first protocol data unit (PDU) session with an access and mobility management function (AMF) entity (118) associated with a network apparatus using a first link over a first network path after successful authentication and authorization of the relay device (118) at the SMF entity (120),
    receive, from a master node (MN) (116) associated with the network apparatus, a radio resource control (RRC) message comprising a second ProSe multipath security policy,
    store the second ProSe multipath security policy in the memory (1330) for a temporary period of time; and
    transmit, to the UE (102), the second ProSe multipath security policy.
  13. The relay device (102b) as claimed in claim 12, wherein the ProSe multipath communication controller (1340) is further configured to:
    transmit, to the SMF entity (120), a request to establish the multipath ProSe communication,
    wherein the request to establish the multipath ProSe communication is related to authentication and authorization of the relay device (102b).
  14. The relay device (102b) as claimed in claim 12,
    wherein the ProSe multipath communication controller (1340) is further configured to perform the ProSe multipath communication with the UE (102) by using the first link over the first network path, and
    wherein a PDU data transfer in the second communication with the network apparatus is related to the second link over the second network path.
  15. The relay device (102b) as claimed in claim 14, wherein the ProSe multipath communication and the PDU data transfer are based on an identical ProSe multipath security policy.
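The policy-matching check that claims 1, 2 and 9 describe, written out as an added Python model; this is illustration code, not code from the patent or from Samsung. The two policy fields and their value set (REQUIRED / PREFERRED / NOT NEEDED) are borrowed from the PC5 security policy encoding in 3GPP TS 33.503, which the page cites, and applying them to the multipath policy is an assumption, as are the class and function names and the length of the relay's "temporary period". The security point the model makes explicit is that the UE does not act on the policy the relay forwards by itself: it only performs multipath communication when that policy equals the one the UDM provisioned for the UE's own second PDU session, so a stale, expired or downgraded policy arriving via the relay leads to rejection.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class PolicyValue(Enum):
    """Policy values borrowed from the PC5 security policy encoding in
    3GPP TS 33.503; using them for the multipath policy is an assumption."""
    REQUIRED = "REQUIRED"
    PREFERRED = "PREFERRED"
    NOT_NEEDED = "NOT NEEDED"


@dataclass(frozen=True)
class ProSeMultipathSecurityPolicy:
    """Constructed model of a ProSe multipath security policy (assumed fields).
    dataclass equality is field-by-field, which is the 'same as' test of claim 1."""
    up_integrity: PolicyValue
    up_ciphering: PolicyValue


class RelayDevice:
    """Relay of claims 9 and 12: keeps the policy received from the MN in an
    RRC message only for a temporary period, then forwards it to the UE."""

    def __init__(self, ttl_seconds: float) -> None:
        self.ttl_seconds = ttl_seconds  # length of the temporary period (assumed)
        self._policy: Optional[ProSeMultipathSecurityPolicy] = None
        self._stored_at = 0.0

    def on_rrc_message(self, policy: ProSeMultipathSecurityPolicy, now: float) -> None:
        """Store the second ProSe multipath security policy carried by the RRC message."""
        self._policy = policy
        self._stored_at = now

    def policy_for_ue(self, now: float) -> Optional[ProSeMultipathSecurityPolicy]:
        """Return the stored policy to the UE, or None once it has expired."""
        if self._policy is not None and now - self._stored_at > self.ttl_seconds:
            self._policy = None  # discard a stale policy rather than forwarding it
        return self._policy


def ue_decide_multipath(
    policy_from_udm: ProSeMultipathSecurityPolicy,
    policy_from_relay: Optional[ProSeMultipathSecurityPolicy],
) -> str:
    """Claims 1 and 2: the UE trusts the policy the UDM provisioned for its own
    second PDU session and performs multipath communication only when the
    relay-forwarded policy is identical; a missing or different policy is rejected."""
    if policy_from_relay is None or policy_from_relay != policy_from_udm:
        return "REJECT"
    return "PERFORM"


def run_scenarios() -> Dict[str, str]:
    """Exercise the check with constructed policies: matching, mismatched, expired."""
    udm_policy = ProSeMultipathSecurityPolicy(PolicyValue.REQUIRED, PolicyValue.REQUIRED)
    # A relay forwarding a weaker policy (downgraded or stale) must not be accepted.
    weaker_policy = ProSeMultipathSecurityPolicy(PolicyValue.REQUIRED, PolicyValue.NOT_NEEDED)

    results: Dict[str, str] = {}
    relay = RelayDevice(ttl_seconds=30.0)

    relay.on_rrc_message(udm_policy, now=100.0)
    results["matching"] = ue_decide_multipath(udm_policy, relay.policy_for_ue(now=105.0))

    relay.on_rrc_message(weaker_policy, now=200.0)
    results["mismatch"] = ue_decide_multipath(udm_policy, relay.policy_for_ue(now=205.0))

    relay.on_rrc_message(udm_policy, now=300.0)
    results["expired"] = ue_decide_multipath(udm_policy, relay.policy_for_ue(now=400.0))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The expiry branch models the "temporary period of time" of claims 9 and 12 from the relay's side: once the stored policy ages out the relay forwards nothing, and the UE treats an absent policy exactly like a mismatched one.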

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202241044992 2022-08-06
IN202241044992 2023-07-19

Publications (1)

Publication Number Publication Date
WO2024035005A1 true WO2024035005A1 (en) 2024-02-15

Family

ID=89852580

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2023/011459 WO2024035005A1 (en) 2022-08-06 2023-08-04 Method and apparatus of secure multi-path transmission for proximity services in wireless communication system

Country Status (1)

Country Link
WO (1) WO2024035005A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20210122289A (en) * 2019-02-13 2021-10-08 Telefonaktiebolaget LM Ericsson (publ) Wireless time-sensitive networking
KR20220039586A (en) * 2020-09-21 2022-03-29 ASUSTeK Computer Inc. Method and apparatus for supporting ue-to-network relay communication in a wireless communication system
WO2022139488A1 (en) * 2020-12-23 2022-06-30 LG Electronics Inc. Method and device for reselecting relay terminal in wireless communication system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security Aspects of Proximity based Services (ProSe) in the 5G System (5GS) (Release 17)", 3GPP TS 33.503, no. V17.0.1, 17 June 2022 (2022-06-17), pages 1 - 53, XP052183023 *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on system enhancement for Proximity based Services (ProSe) in the 5G System (5GS); Phase 2 (Release 18)", 3GPP TR 23.700-33, no. V0.3.0, 26 May 2022 (2022-05-26), pages 1 - 153, XP052182651 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23852885

Country of ref document: EP

Kind code of ref document: A1