WO2024175369A1 - Secondary authentication for remote user equipment - Google Patents

Abstract

Embodiments include methods for a first user equipment (UE) configured to operate as a relay to connect a second UE to a communication network. Such methods include receiving, from a network node or function (NNF) of the communication network, a second message that includes: a first user identifier (ID) associated with the second UE, and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network (DN). Such methods include sending the first authentication protocol message to the first UE and receiving a responsive second authentication protocol message from the first UE. Such methods include sending to the NNF a third message including the first user ID and the second authentication protocol message. Other embodiments include complementary methods for the first NNF, as well as UEs and NNFs configured to perform such methods.

Description

SECONDARY AUTHENTICATION FOR REMOTE USER EQUIPMENT

TECHNICAL FIELD

The present disclosure relates generally to wireless networks and devices, and more specifically to user equipment (UEs) that can communicate with a wireless network indirectly via other UEs that provide relay functionality.

BACKGROUND

The fifth generation (5G) of cellular systems, also referred to as New Radio (NR), is being standardized within the Third-Generation Partnership Project (3GPP). 5G/NR is developed for maximum flexibility to support multiple and substantially different use cases. These include enhanced mobile broadband (eMBB), machine type communications (MTC), ultra-reliable low latency communications (URLLC), side-link device-to-device (D2D), and other use cases. 5G/NR was initially specified in Release 15 (Rel-15) and has evolved in subsequent releases.

5G/NR technology shares many similarities with fourth-generation Long-Term Evolution (LTE). For example, NR uses CP-OFDM (Cyclic Prefix Orthogonal Frequency Division Multiplexing) in the downlink (DL) from network to UE, and both CP-OFDM and DFT-spread OFDM (DFT-S-OFDM) in the uplink (UL) from UE to network. As another example, NR DL and UL time-domain physical resources are organized into equal-sized 1-ms subframes. A subframe is divided into multiple slots of equal duration, with each slot including multiple OFDM-based symbols. Even so, time-frequency resources can be configured much more flexibly for an NR cell than for an LTE cell.

Sidelink (SL) is a type of D2D communication in which UEs communicate with each other directly rather than indirectly via a 3GPP RAN. D2D was first introduced in LTE Rel-12, targeting public safety use cases and proximity-based services (ProSe). Subsequently, various extensions have been introduced to broaden the range of use cases that can benefit from D2D technology. For example, D2D extensions in LTE Rel-14 and Rel-15 include supporting vehicle- to-everything (V2X) communication.

3GPP Rel-16 specifies the NR SL interface and targets advanced V2X services, including four primary groups of use cases: vehicles platooning, extended sensors, advanced driving, and remote driving. The advanced V2X services require a new SL in order to meet the stringent requirements in terms of latency and reliability. The NR SL is designed to provide higher system capacity and better coverage, and to allow for extension to support the future development of even more advanced V2X services and other related services.

Radio resources for NR SL communication are organized into one or more SL resource pools, with each SL resource pool including some number of resource blocks (RBs) that span a range of time and frequency. In the frequency domain, each resource pool is divided into subchannels, where each sub-channel is a group, set, or collection of RBs that are contiguous in frequency.

Furthermore, NR SL is designed such that it is operable both with and without network coverage and with varying degrees of interaction between the UEs and the RAN, including support for standalone, network-less operation. For example, national security and public safety (NSPS) services often need to operate without (or with partial) radio access network (RAN) coverage, such as during indoor firefighting, forest firefighting, earthquake rescue, sea rescue, etc. Network coverage extension is a crucial enabler in these scenarios.

3GPP Rel-17 includes two UE-based relay capabilities for NR SL: UE-to-Network (U2N) relay, where a UE extends network connectivity to another nearby UE by using direct communication; and UE-to-UE (U2U) relay, where a UE uses two direct communication links to connect two UEs in its proximity that otherwise are not able to communicate.

3GPP TR 23.752 (v2.0.0) section 6.6 describes NR L3-based U2N relay functionality - also referred to as “5G ProSe L3 U2N Relay” - that can be used for both public safety and commercial services. A 5G ProSe L3 U2N Relay supports connectivity to the 5GS (i.e., NG-RAN and 5GC) for other UEs that have successfully established a PC5 link to the 5G ProSe L3 U2N Relay. Such UEs are often referred to as “5G ProSe Remote UEs”.

Note that “ProSe” is an acronym for Proximity Services, which are further described in 3GPP TS 23.304 (vl7.4.0) and 3GPP TS 24.554 (v!7.3.0). Security for Proximity Services is currently specified in 3GPP TS 33.503 (vl7.1.0). Even so, there is interest in feasibility of secondary authentication of a 5G ProSe Remote UE via a 5G ProSe L3 U2N Relay and an external Data Network (DN). It is expected that the Extensible Authentication Protocol (EAP) framework specified in IETF RFC 3748 will be used for authentication between the 5G ProSe Remote UE and a DN Authentication, Authorization, and Accounting (AAA) server in the external DN. Note that this is different from secondary authentication defined in 3GPP TS 33.501 (v!7.8.0) for a UE registered in 5G core network (5GC).

SUMMARY

3GPP document S3-223322 describes a current baseline solution for this secondary authentication feature mentioned above. However, this baseline solution has various problems, issues, and/or difficulties. For example, the baseline solution reuses or repurposes certain existing messages, but these messages have preconditions that need to be “faked” because they do not exist in the context of this secondary authentication feature. Moreover, these messages may contain information for multiple remote UEs, making it difficult for the network to determine which remote UE needs secondary authentication. Furthermore, the baseline solution relies on involvement of certain control plane (CP) functions in the 5GC, such that it cannot be used when user plane (UP) security procedures are preferred and/or necessary. Also, in the baseline solution, the DN-AAA may not be able to distinguish whether the remote UE or the relay UE needs secondary authentication.

Embodiments of the present disclosure provide improvements to secondary authentication of remote UEs, such as by providing, enabling, and/or facilitating solutions to overcome exemplary problems summarized above and described in more detail below.

Some embodiments include exemplary methods (e g., procedures) for first UE configured to operate as a relay to connect a second UE to a communication network.

These exemplary methods include receiving, from a network node or function (NNF) of the communication network, a second message that includes: a first user identifier (ID) associated with the second UE, and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network (DN). These exemplary methods also include sending the first authentication protocol message to the first UE and receiving a responsive second authentication protocol message from the second UE. These exemplary methods also include sending to the NNF a third message including the first user ID and the second authentication protocol message.

In some embodiments, the second message indicates that a secondary re-authentication of the second UE is needed for the second UE to access the external DN via the first UE.

In other embodiments, these exemplary methods also include sending to the NNF a first message indicating that secondary authentication of the second UE is needed for the second UE to access the external DN via the first UE. The first message includes the first user ID associated with the second UE, and the second message is received in response to the first message.

In some of these embodiments, these exemplary methods also include the following operations:

• establishing a PDU session with the external DN, by which the first UE provides a relay service to the external DN;

• establishing SL communications with the second UE; and

• receiving, from the second UE via SL, a request to use the relay service to access the external DN.

In such embodiments, the first message is sent in response to the request.

In some of these embodiments, the first message is a non-access stratum (NAS) session management (SM) message that includes a first remote secondary authentication container, and the first user ID is included in the first remote secondary authentication container. In some variants of these embodiments, the first remote secondary authentication container also includes a second user ID associated with the second UE, and the second user ID is specific to the external DN. In some further variants, these exemplary methods also include receiving the second user ID from the second UE via SL in one of the following messages: Direct Communication Request, or Direct Security Command Complete.

In some embodiments, the second message is a NAS SM message that includes a second remote secondary authentication container, and the first user ID and the first authentication protocol message are included in the second remote secondary authentication container. In some embodiments, the third message is a NAS SM message that includes a third remote secondary authentication container, and the first user ID and the second authentication protocol message are included in the third remote secondary authentication container.

In some embodiments, the communication network is a 5G core network (5GC) and the NNF is a session management function (SMF). In some of these embodiments, the second message is received via an access and mobility management function (AMF) in the 5GC.

In some embodiments, the first authentication protocol message is an EAP- Request/Identity and the second authentication protocol message is an EAP-Response/Identity. In some embodiments, the second UE is configured as a 5G ProSe Remote UE and the first UE is configured as a 5G ProSe Layer-3 UE-to-Network Relay. In some embodiments, the first user ID is a control plane ProSe Remote User Key identifier (CP-PRUK ID) or a user plane ProSe Remote User Key identifier (UP-PRUK ID).

In some embodiments, these exemplary methods also include receiving from the NNF a third authentication protocol message indicating successful secondary authorization of the second UE. In some of these embodiments, the third authentication protocol message is received from the NNF in a fourth remote secondary authentication container, which also includes the first user ID.

In some of these embodiments, these exemplary methods also include, based on the third authentication protocol message, sending to the second UE a Direct Communication Accept message to complete connection establishment between first and second UEs

Other embodiments include exemplary methods (e.g., procedures) for an NNF of a communication network.

These exemplary methods include sending, to a first UE configured to operate as a relay to connect a second UE to a communication network, a second message that includes: a first user ID associated with the second UE, and a first authentication protocol message associated with secondary authentication of the second UE to access an external DN. These exemplary methods also include receiving from the first UE a third message including the first user ID and a second authentication protocol message responsive to the first authentication protocol message. These exemplary methods also include sending the second authentication protocol message to an authentication server associated with the external DN.

In some embodiments, the second message indicates that a secondary re-authentication of the second UE is needed for the second UE to access the external DN via the first UE. In some of these embodiments, these exemplary methods also include receiving from the authentication server a request for re-authentication of the second UE to access the external DN. In such case, the second message is responsive to the request.

In other embodiments, these exemplary methods also include receiving from the first UE a first message indicating that a secondary authentication of the second UE is needed for the second UE to access the external DN via the first UE. In such case, the first message includes the first user ID associated with the second UE and the second message is responsive to the first message.

In some of these embodiments, the first message is a NAS SM message that includes a first remote secondary authentication container, and the first user ID is included in the first remote secondary authentication container. In some variants of these embodiments, the first remote secondary authentication container also includes a second user ID associated with the second UE, and the second user ID is specific to the external DN.

In some of these embodiments, these exemplary methods also include the following operations:

• based on the first user ID, determining a subscription identifier associated with the second UE’s subscription to the communication network; and

• based on the subscription identifier, retrieving subscription information for the second UE from a data repository in the communication network.

In such case, the second message is sent based on determining, from the subscription information, that secondary authentication of the second UE is needed for the second UE to access the external DN.

In some embodiments, the second message is a NAS SM message that includes a second remote secondary authentication container, and the first user ID and the first authentication protocol message are included in the second remote secondary authentication container. In some embodiments, the third message is a NAS SM message that includes a third remote secondary authentication container, and the first user ID and the second authentication protocol message are included in the third remote secondary authentication container.

In some embodiments, the communication network is a 5GC and the NNF is an SMF. In some of these embodiments, the second message is received via an AMF in the 5GC. In some embodiments, the first authentication protocol message is an EAP- Request/Identity and the second authentication protocol message is an EAP-Response/Identity. In some embodiments, the second UE is configured as a 5G ProSe Remote UE and the first UE is configured as a 5G ProSe Layer-3 UE-to-Network Relay. In some embodiments, the first user ID is a CP-PRUK ID or a UP-PRUK ID.

In some embodiments, these exemplary methods also include receiving, from the authentication server in response to the second authentication protocol message, a third authentication protocol message indicating successful secondary authorization of the second UE. In some of these embodiments, the exemplary methods also include one or more of the following operations:

• based on the third authentication protocol message, updating a stored context for the first UE to indicate that the second UE is authorized to access the external DN via the first UE; and

• sending the third authentication protocol message to the first UE.

In some variants, the third authentication protocol message is sent to the first UE in a fourth remote secondary authentication container, which also includes the first user ID.

In some embodiments, the second authentication protocol message is sent to the authentication server with one or more of the following: a subscription identifier associated with the second UE, address information associated with the second UE, a subscription identifier associated with the first UE, and address information associated with the first UE.

Other embodiments include UEs (e.g., wireless devices) and NNFs (e.g., SMFs, etc.) configured to perform operations corresponding to any of the exemplary methods described herein. Other embodiments include non-transitory, computer-readable media storing program instructions that, when executed by processing circuitry, configure such UEs and NNFs to perform operations corresponding to any of the exemplary methods described herein.

These and other embodiments described herein can maintain transparent handling of NAS SM messages by AMF, while also facilitating support for secondary authentication of remote UE via U2N relay using either CP -based or UP -based security procedures for the remote UE. Embodiments can also facilitate differentiated handling by DN-AAA for remote UE and relay UE in the same PDU session and for a single SMF in the path between relay UE and DN-AAA.

These and other objects, features, and advantages of embodiments of the present disclosure will become apparent upon reading the following Detailed Description in view of the Drawings briefly described below. BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 shows exemplary NR user plane (UP) and control plane (CP) protocol stacks.

Figures 2-3 illustrate various aspects of an exemplary 5G network architecture

Figure 4 shows an exemplary arrangement of interfaces between two V2X UEs and a 3 GPP RAN.

Figure 5 shows three example coverage scenarios for two UEs and a gNB serving a cell.

Figure 6 shows three example U2N relay scenarios.

Figures 7A-B show a conventional procedure for PDU session secondary authentication of a 5G ProSe Remote UE via 5G ProSe Layer-3 UE-to-Network Relay.

Figure 8 shows a conventional procedure for EAP Re-Authentication of a 5G ProSe Remote UE via 5G ProSe Layer-3 UE-to-Network Relay.

Figures 9A-B show a procedure for PDU session secondary authentication of a 5G ProSe Remote UE via 5G ProSe Layer-3 UE-to-Network Relay, according to some embodiments of the present disclosure.

Figure 10 shows a procedure for EAP Re-Authenti cation of a 5G ProSe Remote UE via 5G ProSe Layer-3 UE-to-Network Relay, according to some embodiments of the present disclosure.

Figure 11 shows a flow diagram of an exemplary method for a first UE (e.g., wireless device), according to some embodiments of the present disclosure.

Figure 12 shows a flow diagram of an exemplary method for a network node or function (NNF, e.g., SMF) of a communication network, according to some embodiments of the present disclosure.

Figure 13 shows a communication system according to some embodiments of the present disclosure.

Figure 14 shows a UE according to some embodiments of the present disclosure.

Figure 15 shows a network node according to some embodiments of the present disclosure.

Figure 16 shows host computing system according to some embodiments of the present disclosure.

Figure 17 is a block diagram of a virtualization environment in which functions implemented by some embodiments of the present disclosure may be virtualized.

Figure 18 illustrates communication between a host computing system, a network node, and a UE via multiple connections, at least one of which is wireless, according to some embodiments of the present disclosure. DETAILED DESCRIPTION

Embodiments briefly summarized above will now be described more fully with reference to the accompanying drawings. These descriptions are provided by way of example to explain the subject matter to those skilled in the art and should not be construed as limiting the scope of the subject matter to only the embodiments described herein. More specifically, examples are provided below that illustrate the operation of various embodiments according to the advantages discussed above.

In general, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and/or is implied from the context in which it is used. All references to a/an/the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The operations of any methods and/or procedures disclosed herein do not have to be performed in the exact order disclosed, unless an operation is explicitly described as following or preceding another operation and/or where it is implicit that an operation must follow or precede another operation. Any feature of any embodiment disclosed herein can apply to any other disclosed embodiment, as appropriate. Likewise, any advantage of any embodiment described herein can apply to any other disclosed embodiment, as appropriate.

Furthermore, the following terms are used throughout the description given below:

• Radio Access Node: As used herein, a “radio access node” (or equivalently “radio network node,” “radio access network node,” or “RAN node”) can be any node in a radio access network (RAN) that operates to wirelessly transmit and/or receive signals. Some examples of a radio access node include, but are not limited to, a base station (e.g., gNB in a 3GPP 5G/NR network or an enhanced or eNB in a 3 GPP LTE network), base station distributed components (e.g., CU and DU), a high-power or macro base station, a low-power base station (e.g., micro, pico, femto, or home base station, or the like), an integrated access backhaul (IAB) node, a transmission point (TP), a transmission reception point (TRP), a remote radio unit (RRU or RRH), and a relay node.

• Core Network Node: As used herein, a “core network node” is any type of node in a core network. Some examples of a core network node include, e.g., a Mobility Management Entity (MME), a serving gateway (SGW), a PDN Gateway (P-GW), a Policy and Charging Rules Function (PCRF), an access and mobility management function (AMF), a session management function (SMF), a user plane function (UPF), a Charging Function (CHF), a Policy Control Function (PCF), an Authentication Server Function (AUSF), a location management function (LMF), or the like. • Wireless Device: As used herein, a “wireless device” (or “WD” for short) is any type of device that is capable, configured, arranged and/or operable to communicate wirelessly with network nodes and/or other wireless devices. Communicating wirelessly can involve transmitting and/or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and/or other types of signals suitable for conveying information through air. Unless otherwise noted, the term “wireless device” is used interchangeably herein with the term “user equipment” (or “UE” for short), with both of these terms having a different meaning than the term “network node”.

• Radio Node: As used herein, a “radio node” can be either a “radio access node” (or equivalent term) or a “wireless device.”

• Network Node: As used herein, a “network node” is any node that is either part of the radio access network (c.g, a radio access node or equivalent term) or of the core network (c.g, a core network node discussed above) of a cellular communications network. Functionally, a network node is network equipment capable, configured, arranged, and/or operable to communicate directly or indirectly with a wireless device and/or with other network nodes or equipment in the cellular communications network, to enable and/or provide wireless access to the wireless device, and/or to perform other functions (e.g, administration) in the cellular communications network.

• Node: As used herein, the term “node” (without prefix) can be any type of node that can in or with a wireless network (including RAN and/or core network), including a radio access node (or equivalent term), core network node, or wireless device. However, the term “node” may be limited to a particular type (e.g., radio access node) based on its specific characteristics in any given context.

The above definitions are not meant to be exclusive. In other words, various ones of the above terms may be explained and/or described elsewhere in the present disclosure using the same or similar terminology. Nevertheless, to the extent that such other explanations and/or descriptions conflict with the above definitions, the above definitions should control.

Note that the description given herein focuses on a 3 GPP cellular communications system and, as such, 3GPP terminology or terminology similar to 3GPP terminology is generally used. However, the concepts disclosed herein are not limited to a 3 GPP system, and can be applied in any system that can benefit from the concepts, principles, and/or embodiments described herein.

Figure 1 shows an exemplary configuration of NR user plane (UP) and control plane (CP) protocol stacks between a UE (110), a gNodeB (gNB, e g., base station, 120), and an access and mobility management function (AMF, 130) in the 5G core network (5GC). Physical (PHY), Medium Access Control (MAC), Radio Link Control (RLC), and Packet Data Convergence Protocol (PDCP) layers between the UE and the gNB are common to UP and CP. The PDCP layer provides ciphering/deciphering, integrity protection, sequence numbering, reordering, and duplicate detection for CP and UP.

On CP side, the non-access stratum (NAS) layer is between UE and AMF and handles UE/gNB authentication, mobility management, and security control. The radio resource control (RRC) layer sits below NAS in the UE but terminates in the gNB rather than the AMF. RRC controls communications between UE and gNB at the radio interface as well as the mobility of a UE between cells in the NG-RAN. RRC also broadcasts system information (SI) and establishes, configures, maintains, and releases DRBs and Signaling Radio Bearers (SRBs) used by UEs. Additionally, RRC controls addition, modification, and release of carrier aggregation (CA) and dual-connectivity (DC) configurations for UEs. RRC also performs various security functions such as key management.

After a UE is powered ON it will be in the RRC IDLE state until an RRC connection is established with the network, at which time the UE will transition to RRC_CONNECTED state (e.g., where data transfer can occur). The UE returns to RRC IDLE after the connection with the network is released. In RRC IDLE state, the UE’s radio is active on a discontinuous reception (DRX) schedule configured by upper layers. During DRX active periods (also referred to as “DRX On durations”), an RRC IDLE UE receives SI broadcast in the cell where the UE is camping, performs measurements of neighbor cells to support cell reselection, and monitors a paging channel on physical DL control channel (PDCCH) for pages from 5GC via gNB. A UE in RRC IDLE state is not known to the gNB serving the cell where the UE is camping. However, NR RRC includes an RRC_INACTIVE state in which a UE is known (e g., via context) by the serving gNB.

Figure 2 shows a high-level view of an exemplary 5G network architecture, including a Next Generation Radio Access Network (NG-RAN, 299) and a 5G Core (5GC, 298). As shown in the figure, the NG-RAN can include gNBs (e.g., 210a, b) and ng-eNBs (e.g., 220a, b) that are interconnected with each other via respective Xn interfaces. The gNBs and ng-eNBs are also connected via the NG interfaces to the 5GC, more specifically to the Access and Mobility Management Function (AMF, e.g., 230a, b) via respective NG-C interfaces and to the User Plane Function (UPF, e.g., 240a, b) via respective NG-U interfaces. Moreover, the AMFs can communicate with one or more policy control functions (PCFs, e.g., 250a, b) and network exposure functions (NEFs, e.g., 260a, b).

Each of the gNBs can support the NR radio interface including frequency division duplexing (FDD), time division duplexing (TDD), or a combination thereof. In contrast, each of ng-eNBs can support the LTE radio interface but, unlike conventional LTE eNodeBs (eNBs), connect to the 5GC via the NG interface. Each of the gNBs and ng-eNBs can serve a geographic coverage area including one or more cells (e g., 211a-b and 221a-b in Figure 2). The gNBs and ng-eNBs can also use various directional beams to provide coverage in the respective cells. Depending on the cell in which it is located, a UE (205) can communicate with the gNB or ng- eNB serving that cell via the NR or LTE radio interface, respectively.

The gNBs shown in Figure 2 can include a central (or centralized) unit (CU or gNB-CU) and one or more distributed (or decentralized) units (DU or gNB-DU), which can be viewed as logical nodes. CUs host higher-layer protocols and perform various gNB functions such controlling the operation of DUs, which host lower-layer protocols and can include various subsets of the gNB functions. As such, each of the CUs and DUs can include various circuitry needed to perform their respective functions, including processing circuitry, communication interface circuitry (e.g., for communication via Xn, NG, radio, etc. interfaces), and power supply circuitry.

Another change in 5G networks (e.g., in 5GC) is that traditional peer-to-peer interfaces and protocols found in earlier-generation networks are modified and/or replaced by a Service Based Architecture (SB A) in which Network Functions (NFs) provide one or more services to one or more service consumers. This can be done, for example, by Hyper Text Transfer Protocol/Representational State Transfer (HTTP/REST) application programming interfaces (APIs). In general, the various services are self-contained functionalities that can be changed and modified in an isolated manner without affecting other services. Furthermore, the services are composed of various “service operations”, which are more granular divisions of the overall service functionality. The interactions between service consumers and producers can be of the type “request/response” or “subscribe/notify”.

Figure 3 shows an exemplary non-roaming reference architecture for a 5G network (300). These include the following 3 GPP-defined NFs and service-based interfaces:

• Application Function (AF, with Naf interface) interacts with the 5GC to provision information to the network operator and to subscribe to certain events happening in operator's network. An AF offers applications for which service is delivered in a different layer (i.e., transport layer) than the one in which the service has been requested (i.e., signaling layer), the control of flow resources according to what has been negotiated with the network. An AF communicates dynamic session information to PCF (via N5 interface), including description of media to be delivered by transport layer.

• Policy Control Function (PCF, with Npcf interface) supports unified policy framework to govern the network behavior, via providing PCC rules (e.g., on the treatment of each service data flow that is under PCC control) to the SMF via the N7 reference point. PCF provides policy control decisions and flow based charging control, including service data flow detection, gating, QoS, and flow-based charging (except credit management) towards the SMF. The PCF receives session and media related information from the AF and informs the AF of traffic (or user) plane events.

User Plane Function (UPF)- supports handling of user plane traffic based on the rules received from SMF, including packet inspection and different enforcement actions (e.g., event detection and reporting). UPFs communicate with the RAN (e.g., NG-RNA) via the N3 reference point, with SMFs (discussed below) via the N4 reference point, and with an external packet data network (PDN) via the N6 reference point. The N9 reference point is for communication between two UPFs.

• Session Management Function (SMF, with Nsmf interface) interacts with the decoupled traffic (or user) plane, including creating, updating, and removing Protocol Data Unit (PDU) sessions and managing session context with the User Plane Function (UPF), e g., for event reporting. For example, SMF performs data flow detection (based on filter definitions included in PCC rules), online and offline charging interactions, and policy enforcement.

• Charging Function (CHF, with Nchf interface) is responsible for converged online charging and offline charging functionalities. It provides quota management (for online charging), re-authorization triggers, rating conditions, etc. and is notified about usage reports from the SMF. Quota management involves granting a specific number of units (e.g., bytes, seconds) for a service. CHF also interacts with billing systems.

Access and Mobility Management Function (AMF, with Namf interface) terminates the RAN CP interface and handles all mobility and connection management of UEs (similar to MME in EPC). AMFs communicate with UEs via the N1 reference point and with the RAN (e g., NG-RAN) via the N2 reference point.

• Network Exposure Function (NEF) with Nnef interface - acts as the entry point into operator's network, by securely exposing to AFs the network capabilities and events provided by 3GPP NFs and by providing ways for the AF to securely provide information to 3GPP network. For example, NEF provides a service that allows an AF to provision specific subscription data (e.g., expected UE behavior) for various UEs.

• Network Repository Function (NRF) with Nnrf interface - provides service registration and discovery, enabling NFs to identify appropriate services available from other NFs.

• Network Slice Selection Function (NSSF) with Nnssf interface - a “network slice” is a logical partition of a 5G network that provides specific network capabilities and characteristics, e.g., in support of a particular service. A network slice instance is a set of NF instances and the required network resources (e.g., compute, storage, communication) that provide the capabilities and characteristics of the network slice. The NSSF enables other NFs (e.g., AMF) to identify a network slice instance that is appropriate for a UE’s desired service

• Authentication Server Function (AUSF) with Nausf interface - based in a user’s home network (HPLMN), it performs user authentication and computes security key materials for various purposes.

• Network Data Analytics Function (NWDAF) with Nnwdaf interface - provides network analytics information (e.g., statistical information of past events and/or predictive information) to other NFs on a network slice instance level.

• Location Management Function (LMF) with Nlmf interface - supports various functions related to determination of UE locations, including location determination for a UE and obtaining any of the following: DL location measurements or a location estimate from the UE; UL location measurements from the NG RAN; and non-UE associated assistance data from the NG RAN.

The Unified Data Management (UDM) function supports generation of 3 GPP authentication credentials, user identification handling, access authorization based on subscription data, and other subscriber-related functions. To provide this functionality, the UDM uses subscription data (including authentication data) stored in the 5GC unified data repository (UDR). In addition to the UDM, the UDR supports storage and retrieval of policy data by the PCF, as well as storage and retrieval of application data by NEF. Data Storage Functions (DSF) allow every NF to store its own context.

At a high level, a 5G network includes an access network (AN, e.g., NG-RAN) and a core network (CN, e g., 5GC). The UE communicates with the CN over the Non-Access Stratum (NAS), and with the AN over the Access Stratum (AS). All the NAS communication takes place between UE and AMF via NAS protocol (N1 interface in Figure 2). Security for the communications over these strata is provided by the NAS protocol and PDCP (for AS).

As briefly mentioned above, 3GPP Rel-16 specifies the NR sidelink (SL) interface and targets advanced V2X services including use cases such as vehicles platooning, extended sensors, advanced driving, and remote driving. The advanced V2X services require a new SL to meet service requirements of low latency and high reliability. The NR SL is designed to provide higher system capacity and better coverage, and to allow for extension to support the future development of even more advanced V2X services and other related services.

In general, a V2X UE can support unicast communication via the uplink/downlink radio interface (also referred to as “Uu”) to a 3 GPP RAN, such as the LTE Evolved-UTRAN (E- UTRAN) or the NG-RAN. A V2X UE can also support SL unicast over the PC5 interface. Figure 4 shows an exemplary arrangement of interfaces between two V2X UEs and a RAN. In addition to Uu and PC5 interfaces, the V2X UEs can communicate with a ProSe (Proximity Services) network function (NF) via respective PC3 interfaces. Communication with the ProSe NF requires a UE to establish a connection with the RAN, either directly via the Uu interface or indirectly via PC5 and another UE’s Uu interface. The ProSe function provides the UE various information for network related actions, such as service authorization and provisioning of PLMN-specific information (e.g., security parameters, group IDs, group IP addresses, out-of-coverage radio resources, etc.).

Figure 5 shows three exemplary network coverage scenarios for two UEs (510, 520) and a gNB (530) serving a cell. In the full (or in) coverage scenario at left, both UEs are in the coverage of the cell, such that they both can communicate with the gNB via respective Uu interfaces and directly with each other via the PC5 interface. In the partial coverage scenario (center), only one of the UEs is in coverage of the cell, but the out-of-coverage UE can still communicate with the gNB indirectly via the PC5 interface with the in-coverage UE. In the out-of-coverage scenario, both UEs can only communicate with each other via the PC5 interface.

For example if the UE can detect at least one cell then it can be considered as in coverage. Alternately, if the UE can detect at least one cell on a carrier for which it is configured to perform SL operation, then it can be considered as in coverage. Alternately, if the UE can detect at least one cell on a carrier for which the UE is configured to perform SL operation upon fulfilling the S criterion, then it can be considered as in coverage.

In general, an out-of-coverage UE is one that cannot establish a direct connection to the network and must communicate via either SL standalone or SL relay. UEs that are in coverage can be configured by the network (e.g., gNB) via RRC signaling and/or broadcast system information, either directly (via Uu interface) or indirectly (via PC5 interface and relay UE Uu interface). Out-of-coverage UEs rely on a (pre-)configuration available in their SIMs. These preconfigurations are generally static but can be updated by the network when a UE is in coverage. A “peer UE” refers to a UE that can communicate with the out-of-coverage UE via SL standalone or SL relay (in which case the peer UE is also a relay UE).

In general, the term “SL standalone” refers to direct communication between two SL- capable UEs (e.g., via PC5) in which source and destination are the UEs themselves. In contrast, the term “SL relay” refers to indirect communication between a network node and a remote UE via a first interface (e.g., Uu) between the network node an intermediate (or relay) UE and a second interface (e.g., PC5) between the relay UE and the remote UE. In this case the relay UE is neither the source nor the destination. 3GPP Rel-17 includes two UE-based relay capabilities for NR SL: UE-to-Network (U2N) relay, where a UE extends network connectivity to another nearby UE by using direct communication; and UE-to-UE (U2U) relay, where a UE uses two direct communication links to connect two UEs in its proximity that otherwise are not able to communicate.

LTE U2N relay functionality uses a Layer 3 (L3) architecture in which the relay of data packets via the PC5 interface is performed at the network layer, and UEs connected to a L3 U2N relay are transparent to the network. NR SL U2N relay uses two different architectures: a L3 architecture similar to LTE U2N relay, and a newly defined architecture in which PC5 relaying occurs within Layer 2 (L2), over the RLC sublayer.

3GPP TR 23.752 (v2.0.0) section 6.7 describes L2-based U2N relay functionality, which includes forwarding functionality that can relay any type of traffic over the PC5 interface between two UEs. A L2 U2N Relay UE supports connectivity to the 5GS (i.e., NG-RAN and 5GC) for other UEs that have successfully established a PC5 link to the L2 U2N Relay UE. A UE connected to a L2 U2N relay will be seen by the network as a regular UE., as if it was directly connected to the network. This gives the network control of the connection and services, but requires the definition of several new mechanisms not present or needed in the L3 architecture.

3GPP TR 23.752 (v2.0.0) section 6.6 describes L3-based U2N relay functionality (also referred to as “ProSe 5G U2N Relay”) that can be used for both public safety and commercial services. A 5G ProSe U2N Relay UE supports connectivity to the 5GS (i.e., NG-RAN and 5GC) for other UEs (called “5G ProSe Remote UEs”) that have successfully established a PC5 link to the ProSe 5G U2N Relay UE. Figure 6 shows a reference architecture for 5G ProSe L3 U2N relay.

3GPP Proximity Services (or ProSe) are described in more detail in 3GPP TS 23.304 (vl7.4.0) and TS 24.554 (vl7.3.0). For example, 3GPP TS 23.304 (vl7.4.0) defines the following terms that relate to 3 GPP ProSe:

• 5G ProSe-enabled UE: A UE that supports 5G ProSe requirements and associated procedures.

• 5G ProSe Direct Discovery: A procedure employed by a 5G ProSe-enabled UE to discover other 5G ProSe-enabled UEs in its vicinity based on direct radio transmissions between the two UEs with NR technology.

• 5G ProSe Direct Communication: A communication between two or more UEs in proximity that are 5G ProSe-enabled, by means of user plane transmission using NR technology via a path not traversing any network node.

• 5G ProSe UE-to-Network Relay: A 5G ProSe-enabled UE that provides functionality to support connectivity to the network for 5G ProSe Remote UE(s). • 5G ProSe Remote UE: A 5G ProSe-enabled UE that communicates with a DN via a 5G ProSe UE-to-Network Relay.

• 5G ProSe UE-to-UE Relay: A 5G ProSe-enabled UE that provides functionality to support connectivity between 5G ProSe End UEs.

• 5G ProSe End UE: A 5G ProSe-enabled UE that connects with another 5G ProSe-enabled UE(s) via a 5G ProSe UE-to-UE Relay.

• Application Layer ID: An identifier identifying a 5G ProSe-enabled UE within the context of a specific application. The format of this identifier is outside the scope of 3GPP.

• Direct Network Communication: One mode of network communication, where there is no 5G ProSe UE-to-Network Relay between a UE and the 5G network.

• Indirect Network Communication: One mode of network communication, where there is a 5G ProSe UE-to-Network Relay between a UE and the 5G network.

• Member ID: An identifier uniquely identifying a member in the Application Layer managed group and that is managed by the ProSe application layer.

• Mode of communication: Mode of communication to be used by the 5G ProSe-enabled UE over PC5 reference point, i.e. broadcast mode, groupcast mode or unicast mode.

• Open ProSe Discovery: ProSe Direct Discovery without explicit permission from the 5G ProSe-enabled UE being discovered, according to 3GPP TS 22.278.

• ProSe identifier: A globally unique identifier used to identify the ProSe Application associated with the ProSe operation in 5G ProSe Direct Discovery and 5G ProSe Direct Communication. In this Release, the "Application ID" defined in 3GPP TS 23.303 can be used as the ProSe identifier in 5G ProSe Direct Discovery and in a consequent 5G ProSe Direct Communication.

• Restricted ProSe Discovery: ProSe Direct Discovery that only takes place with explicit permission from the 5G ProSe-enabled UE being discovered, according to 3GPP TS 22.278.

• User Info ID: The User Info ID is configured for Model A or Model B Group Member Discovery and 5G ProSe UE-to-Network Relay Discovery either for public safety or commercial applications based on the policy of the HPLMN or via the ProSe application server that allocates it. The definition of values of User Info ID is out of scope of this specification.

3GPP TS 23.304 (v!7.4.0) defines procedures for 5G ProSe Discovery, specifically how ProSe UEs discovery each other. 3GPP TS 33.503 (v!7.1.0) defines security procedures for protection of 5G ProSe discovery and direct communication messages over the PC5 interface. Note that 5G ProSe Discovery with these security procedures is also referred to as “Restricted 5G ProSe Discovery”. The discovery-related security procedures cover direct discovery between two ProSe-capable UEs (known as “5G ProSe Restricted Direct Discovery”) and discovery of 5G ProSe U2N Relay (known as “5G ProSe U2N Relay Discovery”).

Security for ProSe is currently specified in 3GPP TS 33.503 (vl7.1.0). Even so, there is interest in feasibility of secondary authentication of a 5G ProSe Remote UE via a 5G ProSe L3 U2N Relay and an external Data Network (DN). It is expected that the Extensible Authentication Protocol (EAP) framework specified in IETF RFC 3748 will be used for authentication between the 5G ProSe Remote UE and a DN-AAA server in the external DN Note that this is different from secondary authentication defined in 3GPP TS 33.501 (vl7.8.0) for a UE registered in 5GC.

3GPP document S3-223322 describes a current baseline solution for this secondary authentication feature. The following are some relevant excerpts from this document. Note that in these excerpts, “Figure 6.3.3.3.x.2-1” refers to Figures 7A-B of the present Application, which shows a procedure for PDU session secondary authentication of 5G ProSe Remote UE via 5GProSe Layer-3 UE-to-Network Relay. Also, “Figure 6.3.3.3.X.3-1” refers to Figure 8 of the present Application, which shows a procedure for EAP Re- Authentication of Remote UE via L3 UE-to-Network Relay with an AAA server in an external DN. Additionally, references to 3 GPP TS should be interpreted as referring to the latest version of such document at time of the present Application was filed. In the following, “N3WIF” is an abbreviation for “Non-3GPPP Inter-Working Function”, the “S-NSSAI” is an abbreviation for “Single Network Slice Selection Assistance Information”, and “DNN” is an abbreviation for “Data Network Name”.

*** Begin 3GPP S3-223322 excerpt ***

6.3.3.3.x 5G ProSe Remote UE Secondary Authentication via a 5G ProSe Layer-3 UE-to-

Network Relay without N3IWF

6.3.3.3.x. 1 General

This clause specifies the 5G Prose Remote UE specific secondary authentication between a 5G ProSe Remote UE, which is different from the secondary authentication defined in TS 33.501 [3], via a 5G ProSe Layer-3 UE-to-Network Relay without N3IWF and an external Data Network (DN) based on network-controlled authorization (i.e. using 5G ProSe Remote UE specific authentication) as described in clause 6.3.3.3.2. This procedure is optional to support.

The SMF of the 5G ProSe UE-to-Network Relay triggers the secondary authentication of the 5G ProSe Remote UE based on the subscription information and the local configuration of the SMF when it receives a NAS message (e.g., Remote UE Report) from the 5G ProSe UE-to-Network Relay. The EAP framework specified in IETF RFC 3748 [12] shall be used for authentication between the 5G ProSe Remote UE and a DN-AAA server in the external data network. The following clause describes the procedures for initial secondary authentication of the 5G ProSe Remote UE with the external DN-AAA server.

6.3.3.3.X.2 PDU Session secondary authentication of 5G ProSe Remote UE via 5G ProSe Layer- 3 UE-to-Network Relay

The PDU session secondary authentication of 5G ProSe Remote UE via 5G ProSe Layer-3 UE- to-Network Relay follows the steps shown in Figure 6.3.3.3.x.2-1.

0. During the Registration procedure, authorization and provisioning are performed for 5G ProSe Remote UE(0a) and 5G ProSe Layer-3 UE-to-Network Relay(Ob) as described in clause 5.1.4 of TS 23.304.

1. The 5G ProSe Layer-3 UE-to-Network Relay may establish a PDU session for relaying with default PDU session parameters as described in clause 6.5.1.1 in TS 23.304.

2. Based on the authorization and provisioning in step 0, the 5G ProSe Remote UE performs the discovery of a 5G ProSe Layer-3 UE-to-Network Relay. As part of the discovery procedure, the 5G ProSe Remote UE learns about the connectivity service the 5G ProSe Layer-3 UE-to-Network Relay provides (e g., based on a broadcasted service code) as described in clause 6.3.1.2 or 6.3.1.3 of TS 23.304.

3. The 5G ProSe Remote UE selects a 5G ProSe Layer-3 UE-to-Network Relay and sends a DCR (Direct Communication Request) message including its subscription concealed identifier (SUCI) or a CP-PRUK ID as described in clause 6.3.3.3.2.

4. The Remote UE runs CP based authentication as described in 6.3.3.3.2. In addition, the following procedure may happen in this step as described in clause 6.5.1.1 in TS 23.304.

If there is no PDU session satisfying the requirements of the PC5 connection with the 5G ProSe Remote UE, e.g., S-NSSAI, DNN, QoS, UP security activation status, the 5G ProSe Layer-3 UE-to-Network Relay initiates a new PDU session establishment or modification procedure for relaying.

5. Upon successful network-controlled authentication of 5G ProSe Remote UE procedure, the 5G ProSe Layer-3 UE-to-Network Relay initiates a Direct Security Mode Command procedure with the 5G ProSe Remote UE as described in clause 6.2.3.

6. Upon successful security establishment, the 5G ProSe Layer-3 UE-to-Network Relay stores the CP-PRUK ID as described in clause 6.3.3.3.2 and sends a DCA (Direct Communication Accept) message to the Remote UE. The DCA may include an indication that a PDU Session with secondary authentication is pending if the L3 UE-to-Network Relay determines the DN that is associated with the relay service code requires secondary authentication for the 5G ProSe Remote UE based on the fact that the L3 UE-to-Network Relay performed secondary authentication with the same DN either in step 1 or step 4, and there is no stored authentication information associated with the Remote UE. Based on the indication in the DCA message, the 5G ProSe Remote UE may refrain from sending any data traffic over the PC5 link until the successful completion of subsequent PDU Session secondary authentication.

7. For IP PDU Session Type and IP traffic over the PC5 reference point, the IPv6 prefix or IPv4 address is allocated for the 5G ProSe Remote UE as defined in clause 5.5.1.3 in TS 23.304. In addition, the 5G ProSe Layer-3 UE-to-Network Relay may configure a traffic filter (e g., as a default filter for IP or non-IP traffic) for the PC5 link to prevent any data traffic until the successful completion of subsequent PDU Session secondary authentication.

8. The 5G ProSe Layer-3 UE-to-Network Relay sends a Remote UE Report message to the SMF for the PDU session associated with the 5G ProSe Layer-3 UE-to-Network Relay. The 5G ProSe Layer-3 UE-to-Network Relay shall include the CP-PRUK ID as the Remote User ID and 5G ProSe Remote UE addressing info (e.g., IP or MAC address). The Remote UE Report message includes the 5G ProSe Remote UE info (Remote User ID, addressing info) and excludes other 5G ProSe Remote UEs info. The Relay shall additionally include the CP-PRUK ID in the subsequent NAS messages. The AMF shall select AUSF based on CP-PRUK ID and forward the CP-PRUK ID to the AUSF in Nausf_UEAuthentication_ProseGet Request message. The AUSF shall select PAnF based on CP-PRUK ID and forward the CP-PRUK ID to the PAnF in Npanf Get Request message. The PAnF shall retrieve the Remote UE's subscription public identifier (SUPI) from the Prose context based on CP-PRUK ID and send the Remote UE's SUPI to the AUSF in the PAnF inNpanf_GetRespone message. The AUSF shall forward Remote UE's SUPI to the AMF in Nausf_UEAuthentication_ProseGet Response message. The Relay AMF shall forward the received SUPI and the Remote UE Report message to the SMF in N smf_PDU S essi on_Update SMContext message .

Editor's Notes: How to support multiple Remote User IDs in Remote UE Report is FFS.

NOTE 1 : In the case of Home Routed roaming, the SMF in the call flow is the home SMF (H-SMF) (and the visited SMF, V-SMF, is not shown for simplicity). SMF selection by AMF is performed as per TS 23.502 [13], clause 4.3.2.2.3 (e.g., using PLMN ID of the SUPI, S-NSSAI, etc.).

9. When the SMF receives Remote UE Report the SMF retrieves Remote UE's SM subscription data from the UDM by triggering Nudm_SDM_Get service operation. The SMF may include DNN, S-NSSAI of the PDU Session for relaying in addition to the Remote UE's SUPI as input parameters. The SMF determines based on the subscription data of the 5GProSeRemote UE (i.e. Secondary authentication indication as per TS 23.502 [13], Table 5.2.3.3.1). The SMF may also check whether the 5G ProSe Remote UE has been authenticated by the same DN as indicated in the subscription data and, if secondary authentication is required, the SMF triggers a PDU Session secondary authentication of 5G ProSe Remote UE via 5G ProSe Layer-3 UE-to-Network Relay by sending PDU Session Authentication Command message to the 5 G ProSe Layer-3 UE-to-Network Relay including the CP-PRUK ID of the Remote UE and an EAP-Request/Identity.

Editor's Notes: how SMF is notified with the 5G ProSe remote UE's subscription update is FFS. NOTE 2: The information on a successful authentication between a 5G ProSe Remote UE and an SMF may be saved in SMF and/or UDM.

10. Based on the CP-PRUK ID, the 5G ProSe Layer-3 UE-to-Network Relay forwards the EAP-Request/Identity to the 5GProSe Remote UE via PC5 signalling(lOa). The 5GProSe Remote UE returns the EAP-Response/Identity to the 5G ProSe Layer-3 UE-to-Network Relay via PC5 signalling(lOb).

11. The 5G ProSe Layer-3 UE-to-Network Relay sends PDU Session Authentication Complete message to the SMF including the CP-PRUK ID of the Remote UE and an EAP- Response/Identity received from the 5G ProSe Remote UE.

12. The SMF sends an EAP-Response/Identity to the DN-AAA.

13. The DN AAA server and the UE should exchange EAP messages, as required by the EAP method. The SMF and Relay shall include the CP-PRUK ID in the NAS messages transporting the EAP messages.

14. The DN-AAA sends EAP-Success or EAP -Failure to the SMF.

15. Upon successful PDU Session secondary authentication via the Relay procedure, the SMF stores the 5G ProSe Remote UE information in the 5G ProSe Layer-3 UE-to-Network Relay's SM context including 5GProSe Remote UE identity (e.g., GPSI, SUPI), individual authentication information received from DN-AAA.

16. The SMF sends Remote UE Report Ack message to the 5G ProSe Layer-3 UE-to-Network Relay indicating the result of the PDU Session secondary authentication, including the CP- PRUK ID of the remote UE and an EAP success or failure message. In the case of successful secondary authentication, the message may include QoS authorization info for the 5G ProSe Layer-3 UE-to-Network Relay to enforce. In case the secondary authentication is failed, the NAS message may indicate that the 5G ProSe Layer-3 UE-to- Network Relay should release the PC5 link with the 5G ProSe Remote UE. 17. In the case of successful secondary authentication for the 5G ProSe Remote UE, the 5G ProSe Layer-3 UE-to-Network Relay stores any received authentication info associated with the 5G ProSe Remote UE. In case the secondary authentication is failed, the 5G ProSe UE-to-Network Relay releases the PC5 link with the 5G ProSe Remote UE and may keep the PDU session as the default PDU session or release it if there is no more 5G ProSe Remote UE using the same PDU session.

6.3.3.3.X.3 Re-Authentication of Remote UE via L3 UE-to-Network Relay without N3IWF

The Re-Authenti cation of Remote UE via L3 UE-to-Network Relay follows the steps shown in Figure 6.3.3.3.x.3-1. The call flow is based on the call flow in TS 33.501, Figure 11.1.3-1 with the main difference that the EAP messages for Re-authentication are exchanged between the Remote UE and DN-AAA using PC5 transport provided via the PC5 link with the UE-to-Network Relay.

1-2. Secondary Authentication for the 5G ProSe Remote UE via the 5G ProSe Layer-3 UE-to- Network Relay has been established according to the procedures specified in clause

6.3.3.3.x, PDU Session secondary authentication of the 5G ProSe Remote UE via the 5G ProSe Layer-3 UE-to-Network Relay.

Secondary Re-authentication may either be initiated by the SMF or the external DN-AAA server. If Re-authentication is initiated by the SMF, the procedure proceeds with step 4 (skipping steps 4a and 4b). If Re-authentication is initiated by the external DN/AAA server, the procedure proceeds with the alternative steps 4a and 4b.

3. The SMF decides to initiate Secondary Re-Authenti cation for the 5G ProSe Remote UE.

3a. The DN AAA server decides to initiate Secondary Re-Authentication for the 5G ProSe Remote UE.

3b. The DN AAA shall send a Secondary Re- Authentication request to UPF, and the UPF forwards it to the SMF. The Secondary Re-authentication request contains the GPSI, the IP/MAC address of the UE allocated to the PDU Session, and the MAC address if the PDU session is of Ethernet PDU type for the 5G ProSe Remote UE. The SMF retrieves the corresponding CP-PRUK ID from the 5G ProSe Layer-3 UE-to-Network Relay's SM context using the GPSI. The GPSI of the 5G ProSe Remote UE is obtained by SMF from UDM using Nudm_SDM_Get service operation during the PDU Session secondary authentication (see clause 6.3.3.3.x, step 9).

4. The SMF may send an EAP Request/Identity message to the 5G ProSe Layer-3 UE-to- Network Relay including CP-PRUK ID of the 5G ProSe Remote UE. In case the procedure is initiated by the DN AAA, the SMF retrieves the CP-PRUK ID that is mapped with the received GPSI.

5. The 5G ProSe Layer-3 UE-to-Network Relay forwards the EAP message to the 5G ProSe Remote UE via PC5 signalling.

6. The 5G ProSe Remote UE may respond with an EAP Response/Identity message to the 5G ProSe Layer-3 UE-to-Network Relay via PC5 signalling.

7. The 5G ProSe Layer-3 UE-to-Network Relay forwards the EAP Response/Identity to SMF.

8. SMF forwards the EAP Response/Identity to the UPF, selected during initial authentication, over the N4 interface. Then, the UPF shall forward the EAP Response/Identity message to the DN AAA Server. This establishes an end-to-end connection between the SMF and the external DN-AAA server for EAP exchange.

9. The DN AAA server and the 5G ProSe Remote UE shall exchange EAP messages as required by the EAP method.

10. After the completion of the authentication procedure, DN AAA server either sends an EAP Success or EAP Failure message to the SMF. This completes the Re-authentication procedure at the SMF.

11. If the authentication is successful, EAP-Success and CP-PRUK ID shall be sent to the 5G ProSe Layer-3 UE-to-Network Relay.

12. The 5G ProSe Layer-3 UE-to-Network Relay shall forward the EAP-Success to the corresponding 5G ProSe Remote UE via PC5 signalling.

13. If authentication is not successful, EAP -Failure and CP-PRUK ID shall be sent to the 5G ProSe Layer-3 UE-to-Network Relay.

14. The 5G ProSe Layer-3 UE-to-Network Relay shall forward EAP -Failure to the corresponding 5G ProSe Remote UE via PC5 signalling and shall release the PC5 link with the 5G ProSe Remote UE.

15. The 5G ProSe Layer-3 UE-to-Network Relay shall send a Remote UE Report message indicating the 5G ProSe Remote UE is disconnected to the SMF.

16. The SMF may release the PDU session that was used for the relay service.

6.3.3.3.X.4 Secondary Authentication Revocation of Remote UE via L3 UE-to-Network Relay without N3IWF

At any time, a DN-AAA may revoke the authentication and authorization for a PDU Session and according to the request from the DN-AAA server, the SMF may request the 5G ProSe Layer-3 UE-to-Network Relay to release the PC5 link with the revoked 5G ProSe Remote UE, or release the PDU Session of the 5G ProSe Layer-3 UE-to-Network Relay as specified in clause 4.3.4 of TS 23.502 when it is not used by other 5G ProSe Remote UE(s).

*** End 3 GPP S3 -223322 excerpt ***

To summarize the above excerpt, the current baseline solution is based on various assumptions, conditions, etc. For example, an existing NAS Session Management (SM) message - Remote UE Report - is used by the 5G ProSe Layer-3 UE-to-Network Relay (more simply “relay UE”) to overlay the Secondary Authentication procedure from the 5G ProSe Remote UE (more simply “remote UE”) to the session management function (SMF) in the 5GC for the relay UE, then further to an AAA server in the external DN (“DN-AAA” in Figures 6-7). Second, the same DN-AAA can be used for the normal Secondary Authentication (for the relay UE) for the PDU session that is established by the relay UE for relaying the traffic for one or more remote UEs. Third, the AMF in the 5GC for the relay UE should be able to intercept the NAS SM message, resolve the UE ID of remote UE, and provide it to the SMF to enable it to trigger secondary authentication of the remote UE via U2N relay.

However, this baseline solution has various problems, issues, and/or difficulties. For example, the NAS SM message is normally supposed to be transparent to the AMF, since it is intended for communication between a UE and its serving SMF that normally does not involve AMF.

As another example, the Remote UE Report message is designed to be used by the relay UE to report a connect (or disconnect) event of a remote UE to the SMF for the relay UE, after the PC5 link establishment procedure is successfully completed for the remote UE and the remote UE is authorized to use the U2N relay service. However, the baseline solution described above reuses or repurposes this message, such that a “fake” PC5 link establishment procedure (e g., Direct Communication Accept) must be performed to trigger secondary authentication of the remote UE.

As another example, the relay UE can include reports for one or multiple remote UEs in a single Remote UE Report message. In the case of reports from multiple UEs in a single message, it can be difficult for the SMF of the relay UE to determine which remote UE should be selected for secondary authentication via U2N relay.

As another example, the baseline solution relies on involvement of the AMF of the relay UE, based on its earlier involvement in primary authentication (or ProSe Authentication) of the remote UE. The AMF is in the control plane (CP) of the 5GC. Thus, the solution will not function with user plane (UP) based security procedures that do not include involvement of the AMF.

As another example, the baseline solution assumes that the same DN-AAA would be used for secondary authentication of relay UE and remote UE via SMF of relay UE. However, the DN- AAA may not be able to distinguish whether the remote UE or the relay UE needs secondary authentication or re-authentication. Furthermore, the baseline solution does not specify whether DN-AAA should provide the same or different DN authorization policy for the PDU session (established by the remote UE for relay traffic) when it performs secondary authentication or secondary re-authentication procedures for relay UE or remote UE.

Embodiments of the present disclosure address these problems, issues, and/or drawbacks with flexible and efficient techniques whereby a new NAS SM container message is used by the relay UE to overlay the secondary authentication between remote UE and SMF in 5GC for the relay UE. In this manner, secondary authentication for the remote UE can be performed before PC5 link establishment is successfully completed by the relay UE sending a Direct Communication Accept message to the Remote UE.

The SMF can resolve the remote UE’s ID based on the Remote User ID provided by the relay UE in the NAS SM container message, and can determine whether secondary authentication should be triggered for the remote UE. When secondary authentication should be triggered, the SMF can determine which DN-AAA should be used for the secondary authentication of the remote UE, e.g., whether same or different DN-AAA used for the relay UE. The SMF provides both relay UE ID and remote UE ID to the DN-AAA, thereby distinguishing between the two UEs. This enables the DN-AAA to have selective authorization policies, e g., with respect to secondary reauthentication of relay UE or remote UE.

Embodiments provide various benefits and/or advantages. For example, embodiments maintain transparent handling of NAS SM messages by AMF, while also facilitating support for secondary authentication of remote UE via U2N relay using either CP-based or UP -based security procedures for remote UE. As another example, embodiments facilitate differentiated handling by DN-AAA for remote UE and relay UE in the same PDU session and for a single SMF in the path between relay UE and DN-AAA.

Figures 9A-B shows a signaling diagram of a procedure for secondary authentication of 5G ProSe Remote UE via 5G ProSe Layer-3 UE-to-Network Relay, according to some embodiments of the present disclosure. The procedure involves a remote UE (910, e.g., 5G ProSe Remote UE), a relay UE (920, e.g., 5G ProSe Layer-3 UE-to-Network Relay), an AMF for the relay UE (930), an SMF for the relay UE (940), a UPF for the relay UE (950), and a DN-AAA server (960). Although the operations shown in Figures 9A-B are given numerical labels, this is done to facilitate explanation rather than to require or imply any specific operational order, unless expressly stated otherwise. The terms “operation” and “step” may be used interchangeably in the description of Figures 9A-B. The procedure shown in Figures 9A-B is similar in various ways to the procedure shown in Figures 7A-B and described above with reference to the 3GPP excerpt, so only the differences will be described for the sake of brevity. References to 3GPP specifications should be interpreted as referring to the latest version at the time of the filing of the present Application.

Operation 0 in Figure 9A is identical to operation (or step) 0 shown in Figure 7A. In operation 1 in Figure 9A, the 5G ProSe Layer-3 UE-to-Network Relay may establish a PDU session for relaying with default PDU session parameters as described in clause 6.5.1.1 in 3GPP TS 23.304. The 5G ProSe Layer-3 UE-to-Network Relay may perform EAP based secondary authentication by the DN-AAA as specified in clause 11.1 of 3GPP TS 33.501.

In operation 2 in Figure 9A, based on the authorization and provisioning in operation 0, the 5G ProSe Remote UE performs discovery of a 5G ProSe Layer-3 UE-to-Network Relay. As part of the discovery procedure, the 5G ProSe Remote UE learns about the connectivity service the 5G ProSe Layer-3 UE-to-Network Relay provides (e.g., based on a broadcasted relay service code, RSC) as described in clause 6.3.1.2 or 6.3.1.3 of 3GPP TS 23.304. In operation 3 in Figure 9 A, the 5G ProSe Remote UE selects a 5G ProSe Layer-3 UE-to-Network Relay and performs security procedure for 5G ProSe Communication via 5G ProSe Layer-3 UE to-Network Relay as described in steps 3-5d of 3GPP TS 33.503 clause 6.3.3.2.2 or steps 2-16 of 3GPP TS 33.503 clause 6.3.3.3.2.

In operation 8 in Figure 9A (which follows operation 3), upon successful Direct Security Command Procedure (i.e., PC5 security context has been setup between relay UE and remote UE), if the DN associated with the RSC requires secondary authentication for the 5G ProSe Remote UE and there is no stored DN authentication information associated with the 5G ProSe Remote UE in the 5G ProSe Layer-3 UE-to-Network Relay, the 5G ProSe Layer-3 UE-to-Network Relay sends a NAS SM transport message to the SMF for the PDU session associated with the 5G ProSe Layer-3 UE-to-Network Relay. This message includes a Remote Secondary Authentication Container, which indicates that secondary authentication for the 5G ProSe Remote UE is required. The 5G ProSe Layer-3 UE-to-Network Relay includes the Remote User ID and DN-specific identity of the 5G ProSe Remote UE (if available) in the message. The DN-specific identity shall comply with Network Access Identifier (NAI) format.

In some embodiments, to avoid the additional round-trip in operations 9 to 11 described below, the DN-specific identity may be sent by the 5G ProSe Remote UE to the 5G ProSe Layer- 3 UE-to-Network Relay in a Direct Communication Request message or a Direct Security Command Complete message as part of operation 3.

When it receives the NAS message containing NAS SM transport information from the 5G ProSe Layer-3 UE-to-Network Relay, the AMF informs the SMF by invoking the Nsmf PDUSession UpdateSMContext service operation. In the case of home routed roaming, the V-SMF relays the N1 SM information to the H-SMF using Nsmf_PDUSession_Update service operation. Note that in the case of home routed roaming, the SMF shown in Figures 9A-B is the H-SMF (with the V-SMF not shown for simplicity). SMF selection by AMF is performed as specified in 3GPP TS 23.502 clause 4.3.2.2.3, e.g., using PLMN ID of the SUPI, network slice identifier, S-NSSAI, etc.

In operation 9 in Figure 9A, when the SMF receives the NAS SM transport message with the Remote Secondary Authentication Container, it resolves the included Remote User ID to SUPI and/or generic public subscription identifier (GPSI). For example, SMF can either retrieve GPSI from 5G ProSe key management function (PKMF) or ProSe Anchor Function (PAnF), which in turn retrieves from UDM; or retrieve GPSI from the UDM directly based on SUPI. The SMF retrieves the remote UE's subscription data from the UDM by triggering Nudm_SDM_Get service operation and subscribes to be notified when this subscription data is modified using Nudm_SDM_Subscribe service operation. When performing these operations, the SMF use as input the DNN associated with the RSC, S-NSSAI of the PDU Session for relaying, and the SMF’ s PLMN ID, in addition to the remote UE's SUPI.

The SMF determines whether secondary authentication is required based on the retrieved subscription data of the 5G ProSe Remote UE (i.e., secondary authentication indication as per 3GPP TS 23.502 Table 5.2.3.3.1) and local policies. If secondary authentication is required, the SMF may also check whether the 5G ProSe Remote UE has been authenticated by the same DN. If so, the SMF may skip operations 9 to 15. If a DN-specific identity of the 5G ProSe Remote UE is received in operation 8, the SMF omits operations 9-11 and forms an EAP Response/Identity message that contains the DN-specific identity of the 5G ProSe Remote UE.

When secondary authentication is required, the SMF sends a NAS SM transport message to the 5G ProSe Layer-3 UE-to-Network Relay. The message includes a Remote Secondary Authentication Container indicating a need for secondary authentication of the 5G ProSe Remote UE. The SMF includes Remote User ID of the 5G ProSe Remote UE and an EAP-Request/Identity in the message.

More specifically, the SMF invokes the Namf_Communication_NlN2MessageTransfer service operation on the AMF to transfer the NAS SM transport message sent towards the 5G ProSe Layer-3 UE-to-Network Relay. In the case of home routed roaming, the H-SMF initiates a Nsmf_PDUSession_Update service operation to request the V-SMF to transfer the NAS SM transport message and the V-SMF invokes the Namf_Communication_NlN2MessageTransfer service operation on the AMF to transfer the NAS SM transport message. In operation 10a in Figure 9A, based on the Remote User ID, the 5G ProSe Layer-3 UE- to-Network Relay extracts the Remote Secondary Authentication Container and forwards EAP- Request/Identity to the 5G ProSe Remote UE via PC5 signalling. In operation 10b in Figure 9A, the 5G ProSe Remote UE returns the EAP-Response/Identity to the 5G ProSe Layer-3 UE-to- Network Relay via PC5 signalling. In operation 11 in Figure 9A, the 5G ProSe Layer-3 UE-to- Network Relay encapsulates the message received from remote UE into a NAS SM transport message and sends it to the SMF together with the Remote User ID associated with the remote UE and an EAP-Response/Identity received from the remote UE.

In operation 12 in Figure 9A, the SMF sends an EAP-Response/Identity and GPSI if available to the DN-AAA. In the message, the SMF may also send the Relay UE ID (e.g., GPSI) or UE info of Relay UE and Remote UE (e.g., IP address). The SMF may select the same or different DN-AAA to perform secondary authentication of remote UE, as compared to the DN- AAA used for secondary authentication of relay UE in operation 1. After successful secondary authentication/authorization for the relay UE, a session is maintained between the SMF and the DN-AAA. If the SMF selects the same DN-AAA as used for the relay UE, the SMF may use the same session or establish a different session to perform secondary authentication of remote UE with the same DN-AAA. The SMF can communicate with the external DN-AAA directly or via the UPF. The flows over UPF are not shown in Figures 9A-B for simplicity.

In operation 13 in Figure 9A, the DN-AAA server and the 5G ProSe Remote UE shall exchange EAP messages, as required by the EAP method. The SMF and the 5G ProSe Layer-3 UE-to-Network Relay include the Remote User ID in the NAS SM transport messages transporting the EAP messages. In operation 14 in Figure 9A, the DN-AAA sends EAP-Success or EAP-Failure to the SMF. In addition, the DN-AAA may send additional DN authorization information for the remote UE as defined in 3GPP TS 23.501 clause 5.6.6. The DN authorization information may be the same as or different from the DN authorization information provided for the relay UE in operation 1.

In operation 15 in Figure 9A, upon successful secondary authentication via the 5G ProSe Layer-3 UE-to-Network Relay procedure, the SMF stores the 5G ProSe Remote UE information in the 5G ProSe Layer-3 UE-to-Network Relay's SM context including 5G ProSe Remote UE identity (e.g., GPSI, SUPI, DN-specific ID), individual authentication information received from DN-AAA.

Continuing in Figure 9B, in operation 16, the SMF sends a NAS SM transport message to the 5G ProSe Layer-3 UE-to-Network Relay indicating the result of the remote UE secondary authentication, including the Remote User ID and an EAP success or failure message. When the secondary authentication for the 5G ProSe Remote UE is successful, the message may include QoS authorization information for the 5G ProSe Layer-3 UE-to-Network Relay to enforce. When the secondary authentication for the 5G ProSe Remote UE has failed, the NAS message may indicate that the 5G ProSe Layer-3 UE-to-Network Relay should abort the PC5 link establishment procedure with the 5G ProSe Remote UE.

In operation 17 in Figure 9B, when the secondary authentication for the 5G ProSe Remote UE is successful, the 5G ProSe Layer-3 UE-to-Network Relay stores any received authentication info associated with the 5G ProSe Remote UE. When the secondary authentication has failed, the 5G ProSe UE-to-Network Relay aborts the PC5 link establishment procedure with the 5G ProSe Remote UE. In operation 18 in Figure 9B, when the secondary authentication for the 5G ProSe Remote UE is successful, the 5G ProSe UE-to-Network Relay sends a Direct Communication Accept message to the 5G ProSe Remote UE to complete the PC5 connection establishment procedure.

In operation 19 in Figure 9B, the 5G ProSe Remote UE and 5G ProSe UE-to-Network Relay continues the procedure for the relay service over the secure PC5 link (e.g., IP address allocation) as specified in 3GPP TS 23.304 clause 6.5.1.1. In operation 20 in Figure 9B, the 5G ProSe UE-to-Network Relay sends Remote UE Report (Remote User ID, Remote UE info) to the SMF. In operation 21 in Figure 9B, if requested in operation 14 or if configured so by local policies, the SMF notifies the DN-AAA about the IP/MAC address(es) allocated to the 5G ProSe Remote UE and the GPSI of the 5G ProSe Remote UE.

Figure 10 shows a signaling diagram of a procedure for re-authentication of 5G ProSe Remote UE via 5G ProSe Layer-3 UE-to-Network Relay, according to some embodiments of the present disclosure. The procedure involves a remote UE (1010, e.g., 5G ProSe Remote UE), a relay UE (1020, e.g., 5G ProSe Layer-3 UE-to-Network Relay), an AMF/SEAF for the relay UE (1030), an SMF for the relay UE (1040), a UPF for the relay UE (1050), a DN-AAA server (860), and an authentication server function (AUSF, 1070) for the relay UE. Although the operations shown in Figure 10 are given numerical labels, this is done to facilitate explanation rather than to require or imply any particular operational order, unless expressly stated otherwise. The terms “operation” and “step” may be used interchangeably in the description of Figure 10.

The procedure shown in Figure 10 is similar in various ways to the procedure shown in Figure 8 and described above with reference to the 3GPP excerpt, with the main difference being that the EAP messages for re-authentication are exchanged between remote UE and DN-AAA using PC5 transport provided by the PC5 link with the UE-to-Network Relay. Only the details related to these differences will be described below for the sake of brevity. References to 3GPP specifications should be interpreted as referring to the latest version at the time of the filing of the present Application. In operation 1, a PC5 link is set up between the remote UE and the relay UE. In operation 2, secondary authentication the 5G ProSe Remote UE is performed via the 5G ProSe Layer-3 UE- to-Network Relay, e g., using the procedure shown in Figures 9A-B.

In operation 3a, secondary re-authentication for the 5G ProSe Remote UE may be initiated by the SMF or the external DN-AAA server. If secondary re-authentication is initiated by the SMF, operation 3b is omitted. If secondary re-authentication is initiated by the external DN-AAA server, in operation 3b the DN-AAA server sends a secondary re-authentication request to the relay UE’s UPF, which forwards it to the SMF. The secondary re-authentication request contains the Remote UE ID and/or UE info (e g., GPSI, IP/MAC addresses) of the remote UE, and may also include the Relay UE ID and/or UE info (e.g., GPSI, IP/MAC addresses) of the relay UE. The SMF retrieves the corresponding Remote User ID from the 5G ProSe Layer-3 UE-to-Network Relay's SM context using the GPSI, based on the UE ID /UE info of Remote UE and/or Relay UE.

In operation 4, the SMF sends a NAS SM transport message to the 5G ProSe Layer-3 UE- to-Network Relay. The message includes a Remote Secondary Authentication Container, which indicates a need for secondary re-authentication for the 5G ProSe Remote UE. The message also includes a Remote User ID associated with the 5G ProSe Remote UE and an EAP- Request/Identity. In case the procedure is initiated by the DN-AAA in operation 3a, the SMF retrieves the Remote User ID that is mapped to the GPSI of the 5G ProSe Remote UE.

Operations 5-6 are identical to corresponding operations in Figure 8. In operation 7, the 5G ProSe Layer-3 UE-to-Network Relay sends a NAS SM transport message to SMF, including the Remote User ID of the Remote UE and the EAP-Response/Identity received from the 5G ProSe Remote UE. In operation 8, the SMF forwards the EAP Response/Identity to the UPF over the N4 interface, and the UPF forwards the EAP Response/Identity message to the DN AAA Server. This establishes an end-to-end connection between the SMF and the external DN-AAA server for EAP exchange.

In operation 9, the DN AAA server and the 5G ProSe Remote UE exchange EAP- Request/EAP -Response messages as required by EAP. The SMF and the 5G ProSe Layer-3 UE- to-Network Relay include the Remote User ID in the NAS SM transport messages used to carry the exchanged EAP messages. Similar to operation 8, the messages are sent via UPF on N4 interface. Operations 10-16 are identical to corresponding operations in Figure 8, except that the Remote User ID is used in the messages of operations 11 and 13.

At any time, a DN-AAA may revoke the authentication and authorization for the connection of a 5G ProSe Remote UE. Upon request from the DN-AAA server, the SMF may request the 5G ProSe Layer-3 UE-to-Network Relay to release the PC5 link with the revoked 5G ProSe Remote UE, or release the PDU Session of the 5G ProSe Layer-3 UE-to-Network Relay so long as it is not being used by other 5G ProSe Remote UEs. The parameters in the revoke request from DN-AAA to SMF, as well as how SMF identifies the relay UE’s context and remote UE’s information in that context, can be similar to techniques described above in relation to Figure 10 operation 3b. Aspects of this are described further in 3GPP TS 23.502 clause 4.3.4.

Various features of the embodiments described above correspond to various operations illustrated in Figures 11-12, which show exemplary methods (e.g., procedures) for a first UE and network node or function (NNF) of a communication network, respectively. In other words, various features of the operations described below correspond to various embodiments described above. Furthermore, the exemplary methods shown in Figures 11-12 can be used cooperatively to provide various benefits, advantages, and/or solutions to problems described herein. Although Figures 11-12 show specific blocks in particular orders, the operations of the exemplary methods can be performed in different orders than shown and can be combined and/or divided into blocks having different functionality than shown. Optional blocks or operations are indicated by dashed lines.

In particular, Figure 11 shows an exemplary method (e.g., procedure) for a first UE configured to operate as a relay to connect a second UE to a communication network, according to various embodiments of the present disclosure. The exemplary method can be performed by a UE (e.g., wireless device) such as described elsewhere herein.

The exemplary method includes the operations of block 1150, where the UE receives, from an NNF of the communication network, a second message that includes: a first user identifier (ID) associated with the second UE, and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network (DN). The exemplary method also includes the operations of blocks 1160-1170, where the UE sends the first authentication protocol message to the first UE and receives a responsive second authentication protocol message from the second UE. The exemplary method also includes the operations of block 1180, where the first UE sends, to the NNF, a third message including the first user ID and the second authentication protocol message.

In some embodiments, the second message indicates that a secondary re-authentication of the second UE is needed for the second UE to access the external DN via the first UE. Figure 10 shows an example of these embodiments.

In other embodiments, the exemplary method also includes the operations of block 1140, where the first UE can send to the NNF a first message indicating that secondary authentication of the second UE is needed for the second UE to access the external DN via the first UE. The first message includes the first user ID associated with the second UE, and the second message is received in response to the first message. Figures 9A-B show an example of these embodiments. In some of these embodiments, the exemplary method also includes the following operations, labelled with corresponding block numbers:

• (1110) establishing a PDU session with the external DN, by which the first UE provides a relay service to the external DN;

• (1120) establishing SL communications with the second UE; and

• (1130) receiving, from the second UE via SL, a request to use the relay service to access the external DN.

In such embodiments, the first message is sent in response to the request.

In some of these embodiments, the first message is a non-access stratum (NAS) session management (SM) message that includes a first remote secondary authentication container, and the first user ID is included in the first remote secondary authentication container. In some variants of these embodiments, the first remote secondary authentication container also includes a second user ID associated with the second UE, and the second user ID is specific to the external DN. In some further variants, the exemplary method also includes the operations of block 1135, where the first UE receives the second user ID from the second UE via SL in one of the following messages: Direct Communication Request, or Direct Security Command Complete.

In some embodiments, the second message is a NAS SM message that includes a second remote secondary authentication container, and the first user ID and the first authentication protocol message are included in the second remote secondary authentication container. In some embodiments, the third message is a NAS SM message that includes a third remote secondary authentication container, and the first user ID and the second authentication protocol message are included in the third remote secondary authentication container.

In some embodiments, the communication network is a 5G core network (5GC) and the NNF is a session management function (SMF). In some of these embodiments, the second message is received via an access and mobility management function (AMF) in the 5GC.

In some embodiments, the first authentication protocol message is an EAP- Request/Identity and the second authentication protocol message is an EAP-Response/Identity. In some embodiments, the second UE is configured as a 5G ProSe Remote UE and the first UE is configured as a 5G ProSe Layer-3 UE-to-Network Relay. In some embodiments, the first user ID is a control plane ProSe Remote User Key identifier (CP-PRUK ID) or a user plane ProSe Remote User Key identifier (UP-PRUK ID).

In some embodiments, the exemplary method also includes the operations of block 1190, where the first UE receives from the NNF a third authentication protocol message indicating successful secondary authorization of the second UE. In some of these embodiments, the third authentication protocol message is received from the NNF in a fourth remote secondary authentication container, which also includes the first user ID.

In some of these embodiments, the exemplary method also includes the operations of block 1195, where based on the third authentication protocol message (i.e., indicating successful authentication), the first UE sends to the second UE a Direct Communication Accept message to complete connection establishment between first and second UEs

In addition, Figure 12 shows an exemplary method (e.g., procedure) for a network node or function (NNF) of a communication network, according to various embodiments of the present disclosure. The exemplary method can be performed by any appropriate NNF (e.g., SMF, etc.) such as described elsewhere herein.

The exemplary method includes the operations of block 1260, where the NNF sends, to a first UE configured to operate as a relay to connect a second UE to a communication network, a second message that includes: a first user ID associated with the second UE, and a first authentication protocol message associated with secondary authentication of the second UE to access an external DN. The exemplary method also includes the operations of block 1270, where the NNF receives from the first UE a third message including the first user ID and a second authentication protocol message responsive to the first authentication protocol message. The exemplary method also includes the operations of block 1280, where the NNF sends the second authentication protocol message to an authentication server associated with the external DN.

In some embodiments, the second message indicates that a secondary re-authentication of the second UE is needed for the second UE to access the external DN via the first UE. In some of these embodiments, the exemplary method also includes the operations of block 1210, where the NNF receives from the authentication server a request for re-authentication of the second UE to access the external DN. In such case, the second message is responsive to the request. Figure 10 shows an example of these embodiments.

In other embodiments, the exemplary method also includes the operations of block 1220, where the NNF receives from the first UE a first message indicating that a secondary authentication of the second UE is needed for the second UE to access the external DN via the first UE. In such case, the first message includes the first user ID associated with the second UE and the second message is responsive to the first message. Figures 9A-B show an example of these embodiments.

In some of these embodiments, the first message is a non-access stratum (NAS) session management (SM) message that includes a first remote secondary authentication container, and the first user ID is included in the first remote secondary authentication container. In some variants of these embodiments, the first remote secondary authentication container also includes a second user ID associated with the second UE, and the second user ID is specific to the external DN.

In some of these embodiments, the exemplary method also includes the following operations, labelled with corresponding block numbers:

• (1230) based on the first user ID, determining a subscription identifier associated with the second UE’s subscription to the communication network; and

• (1240) based on the subscription identifier, retrieving subscription information for the second UE from a data repository in the communication network.

In such case, the second message is sent in block 1260 based on the operations of block 1250, where the NNF determines, from the subscription information, that secondary authentication of the second UE is needed for the second UE to access the external DN.

In some embodiments, the second message is a NAS SM message that includes a second remote secondary authentication container, and the first user ID and the first authentication protocol message are included in the second remote secondary authentication container. In some embodiments, the third message is a NAS SM message that includes a third remote secondary authentication container, and the first user ID and the second authentication protocol message are included in the third remote secondary authentication container.

In some embodiments, the communication network is a 5GC and the NNF is an SMF. In some of these embodiments, the second message is received via an AMF in the 5GC.

In some embodiments, the first authentication protocol message is an EAP- Request/Identity and the second authentication protocol message is an EAP-Response/Identity. In some embodiments, the second UE is configured as a 5G ProSe Remote UE and the first UE is configured as a 5G ProSe Layer-3 UE-to-Network Relay. In some embodiments, the first user ID is a CP-PRUK ID or a UP-PRUK ID.

In some embodiments, the exemplary method also includes the operations of block 1285, where the NNF receives, from the authentication server in response to the second authentication protocol message, a third authentication protocol message indicating successful secondary authorization of the second UE. In some of these embodiments, the exemplary method also includes one or more of the following operations, labelled with corresponding block numbers:

• (1290) based on the third authentication protocol message, updating a stored context for the first UE to indicate that the second UE is authorized to access the external DN via the first UE; and

• (1295) sending the third authentication protocol message to the first UE. In some variants of these embodiments, the third authentication protocol message is sent to the first UE in a fourth remote secondary authentication container, which also includes the first user ID

In some embodiments, the second authentication protocol message is sent to the authentication server in block 1280 with one or more of the following: a subscription identifier (e.g., GPSI) associated with the second UE, address information (e.g., MAC, IP, etc.) associated with the second UE, a subscription identifier (e.g., GPSI) associated with the first UE, and address information (e.g., MAC, IP, etc.) associated with the first UE.

Although various embodiments are described above in terms of methods, techniques, and/or procedures, the person of ordinary skill will readily comprehend that such methods, techniques, and/or procedures can be embodied by various combinations of hardware and software in various systems, communication devices, computing devices, control devices, apparatuses, non-transitory computer-readable media, computer program products, etc.

Figure 13 shows an example of a communication system 1300 in accordance with some embodiments. In this example, communication system 1300 includes a telecommunication network 1302 that includes an access network 1304 (e.g., RAN) and a core network 1306, which includes one or more core network nodes 1308. Access network 1304 includes one or more access network nodes, such as network nodes 1310a-b (one or more of which may be generally referred to as network nodes 1310), or any other similar 3GPP access node or non-3GPP access point. Network nodes 1310 facilitate direct or indirect connection of UEs, such as by connecting UEs 1312a-d (one or more of which may be generally referred to as UEs 1312) to core network 1306 over one or more wireless connections.

Example wireless communications over a wireless connection include transmitting and/or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and/or other types of signals suitable for conveying information without the use of wires, cables, or other material conductors. Moreover, in different embodiments, communication system 1300 may include any number of wired or wireless networks, network nodes, UEs, and/or any other components or systems that may facilitate or participate in the communication of data and/or signals whether via wired or wireless connections. Communication system 1300 may include and/or interface with any type of communication, telecommunication, data, cellular, radio network, and/or other similar type of system.

UEs 1312 may be any of a wide variety of communication devices, including wireless devices arranged, configured, and/or operable to communicate wirelessly with network nodes 1310 and other communication devices. Similarly, network nodes 1310 are arranged, capable, configured, and/or operable to communicate directly or indirectly with UEs 1312 and/or with other network nodes or equipment in telecommunication network 1302 to enable and/or provide network access, such as wireless network access, and/or to perform other functions, such as administration in telecommunication network 1302.

In the depicted example, core network 1306 connects network nodes 1310 to one or more hosts, such as host 1316. These connections may be direct or indirect via one or more intermediary networks or devices. In other examples, network nodes may be directly coupled to hosts. Core network 1306 includes one or more core network nodes (e.g., 1308) that are structured with hardware and software components. Features of these components may be substantially similar to those described with respect to the UEs, network nodes, and/or hosts, such that the descriptions thereof are generally applicable to the corresponding components of core network node 1308. Example core network nodes include functions of one or more of a Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (AUSF), Subscription Identifier De-concealing function (SIDF), Unified Data Management (UDM), Security Edge Protection Proxy (SEPP), Network Exposure Function (NEF), and/or a User Plane Function (UPF).

Host 1316 may be under the ownership or control of a service provider other than an operator or provider of access network 1304 and/or telecommunication network 1302, and may be operated by the service provider or on behalf of the service provider. Host 1316 may host a variety of applications to provide one or more service. Examples of such applications include live and pre-recorded audio/video content, data collection services such as retrieving and compiling data on various ambient conditions detected by a plurality of UEs, analytics functionality, social media, functions for controlling or otherwise interacting with remote devices, functions for an alarm and surveillance center, or any other such function performed by a server.

As a whole, communication system 1300 of Figure 13 enables connectivity between the UEs, network nodes, and hosts. In that sense, the communication system may be configured to operate according to predefined rules or procedures, such as specific standards that include, but are not limited to: Global System for Mobile Communications (GSM); Universal Mobile Telecommunications System (UMTS); Long Term Evolution (LTE), and/or other suitable 2G, 3G, 4G, 5G standards, or any applicable future generation standard (e.g., 6G); wireless local area network (WLAN) standards, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (WiFi); and/or any other appropriate wireless communication standard, such as the Worldwide Interoperability for Microwave Access (WiMax), Bluetooth, Z-Wave, Near Field Communication (NFC) ZigBee, LiFi, and/or any low-power wide-area network (LPWAN) standards such as LoRa and Sigfox. In some examples, telecommunication network 1302 is a cellular network that implements 3GPP standardized features. Accordingly, telecommunication network 1302 may support network slicing to provide different logical networks to different devices that are connected to telecommunication network 1302. For example, telecommunication network 1302 may provide Ultra Reliable Low Latency Communication (URLLC) services to some UEs, while providing Enhanced Mobile Broadband (eMBB) services to other UEs, and/or Massive Machine Type Communication (mMTC)/Massive loT services to yet further UEs.

In some examples, UEs 1312 are configured to transmit and/or receive information without direct human interaction. For instance, a UE may be designed to transmit information to access network 1304 on a predetermined schedule, when triggered by an internal or external event, or in response to requests from access network 1304. Additionally, a UE may be configured for operating in single- or multi -RAT or multi -standard mode. For example, a UE may operate with any one or combination of Wi-Fi, NR (New Radio) and LTE, i.e. being configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Evolved-UMTS Terrestrial Radio Access Network) New Radio - Dual Connectivity (EN-DC).

In the example, hub 1314 communicates with access network 1304 to facilitate indirect communication between one or more UEs (e.g., UE 1312c and/or 1312d) and network nodes (e.g., network node 1310b). In some examples, hub 1314 may be a controller, router, content source and analytics, or any of the other communication devices described herein regarding UEs. For example, hub 1314 may be a broadband router enabling access to core network 1306 for the UEs. As another example, hub 1314 may be a controller that sends commands or instructions to one or more actuators in the UEs. Commands or instructions may be received from the UEs, network nodes 1310, or by executable code, script, process, or other instructions in hub 1314. As another example, hub 1314 may be a data collector that acts as temporary storage for UE data and, in some embodiments, may perform analysis or other processing of the data. As another example, hub 1314 may be a content source. For example, for a UE that is a VR headset, display, loudspeaker or other media delivery device, hub 1314 may retrieve VR assets, video, audio, or other media or data related to sensory information via a network node, which hub 1314 then provides to the UE either directly, after performing local processing, and/or after adding additional local content. In still another example, hub 1314 acts as a proxy server or orchestrator for the UEs, in particular in if one or more of the UEs are low energy loT devices.

Hub 1314 may have a constant/persistent or intermittent connection to network node 1310b. Hub 1314 may also allow for a different communication scheme and/or schedule between hub 1314 and UEs (e.g., UE 1312c and/or 1312d), and between hub 1314 and core network 1306. In other examples, hub 1314 is connected to core network 1306 and/or one or more UEs via a wired connection. Moreover, hub 1314 may be configured to connect to an M2M service provider over access network 1304 and/or to another UE over a direct connection. In some scenarios, UEs may establish a wireless connection with network nodes 1310 while still connected via hub 1314 via a wired or wireless connection. In some embodiments, hub 1314 may be a dedicated hub - that is, a hub whose primary function is to route communications to/from the UEs from/to network node 1310b. In other embodiments, hub 1314 may be a non-dedicated hub - that is, a device which is capable of operating to route communications between the UEs and network node 1310b, but which is additionally capable of operating as a communication start and/or end point for certain data channels.

Figure 14 shows a UE 1400 in accordance with some embodiments. Examples of a UE include, but are not limited to, a smart phone, mobile phone, cell phone, voice over IP (VoIP) phone, wireless local loop phone, desktop computer, personal digital assistant (PDA), wireless cameras, gaming console or device, music storage device, playback appliance, wearable terminal device, wireless endpoint, mobile station, tablet, laptop, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), smart device, wireless customer-premise equipment (CPE), vehicle-mounted or vehicle embedded/integrated wireless device, etc. Other examples include any UE identified by 3 GPP, including a narrow band internet of things (NB-IoT) UE, a machine type communication (MTC) UE, and/or an enhanced MTC (eMTC) UE.

A UE may support device-to-device (D2D) communication, for example by implementing a 3GPP standard for sidelink communication, Dedicated Short-Range Communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X). In other examples, a UE may not necessarily have a user in the sense of a human user who owns and/or operates the relevant device. Instead, a UE may represent a device that is intended for sale to, or operation by, a human user but which may not, or which may not initially, be associated with a specific human user (e.g., a smart sprinkler controller). Alternatively, a UE may represent a device that is not intended for sale to, or operation by, an end user but which may be associated with or operated for the benefit of a user (e.g., a smart power meter).

UE 1400 includes processing circuitry 1402 that is operatively coupled via a bus 1404 to an input/output interface 1406, a power source 1408, a memory 1410, a communication interface 1412, and/or any other component, or any combination thereof. Certain UEs may utilize all or a subset of the components shown in Figure 14. The level of integration between the components may vary from one UE to another UE. Further, certain UEs may contain multiple instances of a component, such as multiple processors, memories, transceivers, transmitters, receivers, etc.

Processing circuitry 1402 is configured to process instructions and data and may be configured to implement any sequential state machine operative to execute instructions stored as machine-readable computer programs in memory 1410. Processing circuitry 1402 may be implemented as one or more hardware-implemented state machines (e.g., in discrete logic, field- programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), etc .); programmable logic together with appropriate firmware; one or more stored computer programs, general-purpose processors, such as a microprocessor or digital signal processor (DSP), together with appropriate software; or any combination of the above. For example, processing circuitry 1402 may include multiple central processing units (CPUs).

In the example, the input/output interface 1406 may be configured to provide an interface or interfaces to an input device, output device, or one or more input and/or output devices. Examples of an output device include a speaker, a sound card, a video card, a display, a monitor, a printer, an actuator, an emitter, a smartcard, another output device, or any combination thereof. An input device may allow a user to capture information into UE 1400. Examples of an input device include a touch-sensitive or presence-sensitive display, a camera (e.g., a digital camera, a digital video camera, a web camera, etc.), a microphone, a sensor, a mouse, a trackball, a directional pad, a trackpad, a scroll wheel, a smartcard, and the like. The presence-sensitive display may include a capacitive or resistive touch sensor to sense input from a user. A sensor may be, for instance, an accelerometer, a gyroscope, a tilt sensor, a force sensor, a magnetometer, an optical sensor, a proximity sensor, a biometric sensor, etc., or any combination thereof. An output device may use the same type of interface port as an input device. For example, a Universal Serial Bus (USB) port may be used to provide an input device and an output device.

In some embodiments, power source 1408 is structured as a battery or battery pack. Other types of power sources, such as an external power source (e.g., an electricity outlet), photovoltaic device, or power cell, may be used. Power source 1408 may further include power circuitry for delivering power from power source 1408 itself, and/or an external power source, to the various parts of UE 1400 via input circuitry or an interface such as an electrical power cable. Delivering power may be, for example, for charging power source 1408. Power circuitry may perform any formatting, converting, or other modification to the power from power source 1408 to make the power suitable for the respective components of UE 1400 to which power is supplied.

Memory 1410 may be or be configured to include memory such as random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic disks, optical disks, hard disks, removable cartridges, flash drives, and so forth. In one example, memory 1410 includes one or more application programs 1414, such as an operating system, web browser application, a widget, gadget engine, or other application, and corresponding data 1416. Memory 1410 may store, for use by UE 1400, any of a variety of various operating systems or combinations of operating systems.

Memory 1410 may be configured to include a number of physical drive units, such as redundant array of independent disks (RAID), flash memory, USB flash drive, external hard disk drive, thumb drive, pen drive, key drive, high-density digital versatile disc (HD-DVD) optical disc drive, internal hard disk drive, Blu-Ray optical disc drive, holographic digital data storage (HDDS) optical disc drive, external mini-dual in-line memory module (DIMM), synchronous dynamic random access memory (SDRAM), external micro-DIMM SDRAM, smartcard memory such as tamper resistant module in the form of a universal integrated circuit card (UICC) including one or more subscriber identity modules (SIMs), such as a USIM and/or ISIM, other memory, or any combination thereof. The UICC may for example be an embedded UICC (eUICC), integrated UICC (iUICC) or a removable UICC commonly known as ‘SIM card.’ Memory 1410 may allow UE 1400 to access instructions, application programs and the like, stored on transitory or non- transitory memory media, to off-load data, or to upload data. An article of manufacture, such as one utilizing a communication system may be tangibly embodied as or in memory 1410, which may be or comprise a device-readable storage medium.

Processing circuitry 1402 may be configured to communicate with an access network or other network using communication interface 1412. Communication interface 1412 may comprise one or more communication subsystems and may include or be communicatively coupled to an antenna 1422. Communication interface 1412 may include one or more transceivers used to communicate, such as by communicating with one or more remote transceivers of another device capable of wireless communication (e.g., another UE or a network node in an access network). Each transceiver may include a transmitter 1418 and/or a receiver 1420 appropriate to provide network communications (e.g., optical, electrical, frequency allocations, and so forth). Moreover, transmitter 1418 and/or receiver 1420 may be coupled to one or more antennas (e g., 1422) and may share circuit components, software or firmware, or alternatively be implemented separately.

In the illustrated embodiment, communication functions of communication interface 1412 may include cellular communication, Wi-Fi communication, LPWAN communication, data communication, voice communication, multimedia communication, short-range communications such as Bluetooth, near-field communication, location-based communication such as the use of the global positioning system (GPS) to determine a location, another like communication function, or any combination thereof. Communications may be implemented in according to one or more communication protocols and/or standards, such as IEEE 802.11, Code Division Multiplexing Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMax, Ethernet, transmission control protocol/intemet protocol (TCP/IP), synchronous optical networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), and so forth.

Regardless of the type of sensor, a UE may provide an output of data captured by its sensors, through its communication interface 1412, via a wireless connection to a network node. Data captured by sensors of a UE can be communicated through a wireless connection to a network node via another UE. The output may be periodic (e g., once every 15 minutes if it reports the sensed temperature), random (e.g., to even out the load from reporting from several sensors), in response to a triggering event (e.g., an alert is sent when moisture is detected), in response to a request (e g., a user initiated request), or a continuous stream (e.g., a live video feed of a patient).

As another example, a UE comprises an actuator, a motor, or a switch, related to a communication interface configured to receive wireless input from a network node via a wireless connection. In response to the received wireless input the states of the actuator, the motor, or the switch may change. For example, the UE may comprise a motor that adjusts the control surfaces or rotors of a drone in flight according to the received input or to a robotic arm performing a medical procedure according to the received input.

A UE, when in the form of an Internet of Things (loT) device, may be a device for use in one or more application domains, these domains comprising, but not limited to, city wearable technology, extended industrial application and healthcare. Non-limiting examples of such an loT device are a device which is or which is embedded in: a connected refrigerator or freezer, a TV, a connected lighting device, an electricity meter, a robot vacuum cleaner, a voice controlled smart speaker, a home security camera, a motion detector, a thermostat, a smoke detector, a door/window sensor, a flood/moisture sensor, an electrical door lock, a connected doorbell, an air conditioning system like a heat pump, an autonomous vehicle, a surveillance system, a weather monitoring device, a vehicle parking monitoring device, an electric vehicle charging station, a smart watch, a fitness tracker, a head-mounted display for Augmented Reality (AR) or Virtual Reality (VR), a wearable for tactile augmentation or sensory enhancement, a water sprinkler, an animal- or item-tracking device, a sensor for monitoring a plant or animal, an industrial robot, an Unmanned Aerial Vehicle (UAV), and any kind of medical device, like a heart rate monitor or a remote controlled surgical robot. A UE in the form of an loT device comprises circuitry and/or software in dependence of the intended application of the loT device in addition to other components as described in relation to UE 1400 shown in Figure 14.

As yet another specific example, in an loT scenario, a UE may represent a machine or other device that performs monitoring and/or measurements, and transmits the results of such monitoring and/or measurements to another UE and/or a network node. The UE may in this case be an M2M device, which may in a 3GPP context be referred to as an MTC device. As one particular example, the UE may implement the 3GPP NB-IoT standard. In other scenarios, a UE may represent a vehicle, such as a car, a bus, a truck, a ship and an airplane, or other equipment that is capable of monitoring and/or reporting on its operational status or other functions associated with its operation.

In practice, any number of UEs may be used together with respect to a single use case. For example, a first UE might be or be integrated in a drone and provide the drone’s speed information (obtained through a speed sensor) to a second UE that is a remote controller operating the drone. When the user makes changes from the remote controller, the first UE may adjust the throttle on the drone (e g. by controlling an actuator) to increase or decrease the drone’s speed. The first and/or the second UE can also include more than one of the functionalities described above. For example, a UE might comprise the sensor and the actuator, and handle communication of data for both the speed sensor and the actuators.

Figure 15 shows a network node 1500 in accordance with some embodiments. Examples of network nodes include, but are not limited to, access points (e.g., radio access points) and base stations (e.g., radio base stations, Node Bs, eNBs, and gNBs).

Base stations may be categorized based on the amount of coverage they provide (or, stated differently, their transmit power level) and so, depending on the provided amount of coverage, may be referred to as femto base stations, pico base stations, micro base stations, or macro base stations. A base station may be a relay node or a relay donor node controlling a relay. A network node may also include one or more (or all) parts of a distributed radio base station such as centralized digital units and/or remote radio units (RRUs), sometimes referred to as Remote Radio Heads (RRHs). Such remote radio units may or may not be integrated with an antenna as an antenna integrated radio. Parts of a distributed radio base station may also be referred to as nodes in a distributed antenna system (DAS).

Other examples of network nodes include multiple transmission point (multi-TRP) 5G access nodes, multi -standard radio (MSR) equipment such as MSR BSs, network controllers such as radio network controllers (RNCs) or base station controllers (BSCs), base transceiver stations (BTSs), transmission points, transmission nodes, multi-cell/multicast coordination entities (MCEs), Operation and Maintenance (O&M) nodes, Operations Support System (OSS) nodes, Self-Organizing Network (SON) nodes, positioning nodes (e.g., Evolved Serving Mobile Location Centers (E-SMLCs)), and/or Minimization of Drive Tests (MDTs).

Network node 1500 includes processing circuitry 1502, memory 1504, communication interface 1506, and power source 1508. Network node 1500 may be composed of multiple physically separate components (e.g., a NodeB component and a RNC component, or a BTS component and a BSC component, etc.), which may each have their own respective components. In certain scenarios in which network node 1500 comprises multiple separate components (e ., BTS and BSC components), one or more of the separate components may be shared among several network nodes For example, a single RNC may control multiple NodeBs. In such a scenario, each unique NodeB and RNC pair, may in some instances be considered a single separate network node. In some embodiments, network node 1500 may be configured to support multiple radio access technologies (RATs) In such embodiments, some components may be duplicated (e g , separate memory 1504 for different RATs) and some components may be reused (e.g., a same antenna 1510 may be shared by different RATs). Network node 1500 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node 1500, for example GSM, WCDMA, LTE, NR, WiFi, Zigbee, Z-wave, LoRaWAN, Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within network node 1500.

Processing circuitry 1502 may comprise a combination of one or more of a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application-specific integrated circuit, field programmable gate array, or any other suitable computing device, resource, or combination of hardware, software and/or encoded logic operable to provide, either alone or in conjunction with other network node 1500 components, such as memory 1504, to provide network node 1500 functionality.

In some embodiments, processing circuitry 1502 includes a system on a chip (SOC). In some embodiments, processing circuitry 1502 includes radio frequency (RF) transceiver circuitry 1512 and/or baseband processing circuitry 1514. In some embodiments, RF transceiver circuitry 1512 and/or baseband processing circuitry 1514 may be on separate chips (or sets of chips), boards, or units, such as radio units and digital units. In alternative embodiments, part or all of RF transceiver circuitry 1512 and/or baseband processing circuitry 1514 may be on the same chip or set of chips, boards, or units.

Memory 1504 may comprise any form of volatile or non-volatile computer-readable memory including, without limitation, persistent storage, solid-state memory, remotely mounted memory, magnetic media, optical media, random access memory (RAM), read-only memory (ROM), mass storage media (for example, a hard disk), removable storage media (for example, a flash drive, a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or any other volatile or non-volatile, non-transitory device-readable and/or computer-executable memory devices that store information, data, and/or instructions that may be used by processing circuitry 1502. Memory 1504 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and/or other instructions (collectively denoted computer program product 1504a) capable of being executed by processing circuitry 1502 and utilized by network node 1500. Memory 1504 may be used to store any calculations made by processing circuitry 1502 and/or any data received via communication interface 1506. In some embodiments, processing circuitry 1502 and memory 1504 is integrated.

Communication interface 1506 is used in wired or wireless communication of signaling and/or data between a network node, access network, and/or UE. As illustrated, communication interface 1506 comprises port(s)/terminal(s) 1516 to send and receive data, for example to and from a network over a wired connection. Communication interface 1506 also includes radio frontend circuitry 1518 that may be coupled to, or in certain embodiments a part of, antenna 1510. Radio front-end circuitry 1518 comprises filters 1520 and amplifiers 1522. Radio front-end circuitry 1518 may be connected to antenna 1510 and processing circuitry 1502. The radio frontend circuitry may be configured to condition signals communicated between antenna 1510 and processing circuitry 1502. Radio front-end circuitry 1518 may receive digital data that is to be sent out to other network nodes or UEs via a wireless connection. Radio front-end circuitry 1518 may convert the digital data into a radio signal having the appropriate channel and bandwidth parameters using a combination of filters 1520 and/or amplifiers 1522. The radio signal may then be transmitted via antenna 1510. Similarly, when receiving data, antenna 1510 may collect radio signals which are then converted into digital data by radio front-end circuitry 1518. The digital data may be passed to processing circuitry 1502. In other embodiments, the communication interface may comprise different components and/or different combinations of components.

In certain alternative embodiments, network node 1500 does not include separate radio front-end circuitry 1518, instead, processing circuitry 1502 includes radio front-end circuitry and is connected to antenna 1510. Similarly, in some embodiments, all or some of RF transceiver circuitry 1512 is part of communication interface 1506. In still other embodiments, communication interface 1506 includes one or more ports or terminals 1516, radio front-end circuitry 1518, and RF transceiver circuitry 1512, as part of a radio unit (not shown), and communication interface 1506 communicates with baseband processing circuitry 1514, which is part of a digital unit (not shown).

Antenna 1510 may include one or more antennas, or antenna arrays, configured to send and/or receive wireless signals. Antenna 1510 may be coupled to radio front-end circuitry 1518 and may be any type of antenna capable of transmitting and receiving data and/or signals wirelessly. In certain embodiments, antenna 1510 is separate from network node 1500 and connectable to network node 1500 through an interface or port.

Antenna 1510, communication interface 1506, and/or processing circuitry 1502 may be configured to perform any receiving operations and/or certain obtaining operations described herein as being performed by the network node. Any information, data and/or signals may be received from a UE, another network node and/or any other network equipment. Similarly, antenna 1510, communication interface 1506, and/or processing circuitry 1502 may be configured to perform any transmitting operations described herein as being performed by the network node. Any information, data and/or signals may be transmitted to a UE, another network node and/or any other network equipment

Power source 1508 provides power to the various components of network node 1500 in a form suitable for the respective components (e.g., at a voltage and current level needed for each respective component). Power source 1508 may further comprise, or be coupled to, power management circuitry to supply the components of network node 1500 with power for performing the functionality described herein. For example, network node 1500 may be connectable to an external power source (e.g., the power grid, an electricity outlet) via an input circuitry or interface such as an electrical cable, whereby the external power source supplies power to power circuitry of power source 1508. As a further example, power source 1508 may comprise a source of power in the form of a battery or battery pack which is connected to, or integrated in, power circuitry. The battery may provide backup power should the external power source fail.

Embodiments of network node 1500 may include additional components beyond those shown in Figure 15 for providing certain aspects of the network node’s functionality, including any of the functionality described herein and/or any functionality necessary to support the subject matter described herein. For example, network node 1500 may include user interface equipment to allow input of information into network node 1500 and to allow output of information from network node 1500. This may allow a user to perform diagnostic, maintenance, repair, and other administrative functions for network node 1500.

Figure 16 is a block diagram of a host 1600, which may be an embodiment of host 1316 of Figure 13, in accordance with various aspects described herein. As used herein, host 1600 may be or comprise various combinations hardware and/or software, including a standalone server, a blade server, a cloud-implemented server, a distributed server, a virtual machine, container, or processing resources in a server farm. Host 1600 may provide one or more services to one or more UEs.

Host 1600 includes processing circuitry 1602 that is operatively coupled via a bus 1604 to an input/output interface 1606, a network interface 1608, a power source 1610, and a memory 1612. Other components may be included in other embodiments. Features of these components may be substantially similar to those described with respect to the devices of previous figures, such as Figures 14 and 15, such that the descriptions thereof are generally applicable to the corresponding components of host 1600. Memory 1612 may include one or more computer programs including one or more host application programs 1614 and data 1616, which may include user data, e.g., data generated by a UE for host 1600 or data generated by host 1600 for a UE. Embodiments of host 1600 may utilize only a subset or all of the components shown. Host application programs 1614 may be implemented in a container-based architecture and may provide support for video codecs (e g., Versatile Video Coding (VVC), High Efficiency Video Coding (HEVC), Advanced Video Coding (AVC), MPEG, VP9) and audio codecs (e.g., FLAC, Advanced Audio Coding (AAC), MPEG, G.711), including transcoding for multiple different classes, types, or implementations of UEs (e g., handsets, desktop computers, wearable display systems, heads-up display systems) Host application programs 1614 may also provide for user authentication and licensing checks and may periodically report health, routes, and content availability to a central node, such as a device in or on the edge of a core network. Accordingly, host 1600 may select and/or indicate a different host for over-the-top services for a UE. Host application programs 1614 may support various protocols, such as the HTTP Live Streaming (HLS) protocol, Real-Time Messaging Protocol (RTMP), Real- Time Streaming Protocol (RTSP), Dynamic Adaptive Streaming over HTTP (MPEG-DASH), etc.

Figure 17 is a block diagram illustrating a virtualization environment 1700 in which functions implemented by some embodiments may be virtualized. In the present context, virtualizing means creating virtual versions of apparatuses or devices which may include virtualizing hardware platforms, storage devices and networking resources. As used herein, virtualization can be applied to any device described herein, or components thereof, and relates to an implementation in which at least a portion of the functionality is implemented as one or more virtual components. Some or all of the functions described herein may be implemented as virtual components executed by one or more virtual machines (VMs) implemented in one or more virtual environments 1700 hosted by one or more of hardware nodes, such as a hardware computing device that operates as a network node, UE, core network node, or host. Further, in embodiments in which the virtual node does not require radio connectivity (e.g., a core network node or host), then the node may be entirely virtualized.

Applications 1702 (which may alternatively be called software instances, virtual appliances, network functions, virtual nodes, virtual network functions, etc.) are run in the virtualization environment 1700 to implement some of the features, functions, and/or benefits of some of the embodiments disclosed herein.

For example, various NFs (or portions thereof) described herein in relation to other figures can be implemented as virtual network functions 1702 in virtualization environment 1700. As a more specific example, an SMF can be implemented as a virtual network function 1702 in virtualization environment 1700. Hardware 1704 includes processing circuitry, memory that stores software and/or instructions (collectively denoted computer program product 1704a) executable by hardware processing circuitry, and/or other hardware devices as described herein, such as a network interface, input/output interface, and so forth. Software may be executed by the processing circuitry to instantiate one or more virtualization layers 1706 (also referred to as hypervisors or virtual machine monitors (VMMs)), provide VMs 1708a-b (one or more of which may be generally referred to as VMs 1708), and/or perform any of the functions, features and/or benefits described in relation with some embodiments described herein. Virtualization layer 1706 may present a virtual operating platform that appears like networking hardware to VMs 1708.

VMs 1708 comprise virtual processing, virtual memory, virtual networking or interface and virtual storage, and may be run by a corresponding virtualization layer 1706. Different embodiments of the instance of a virtual appliance 1702 may be implemented on one or more of VMs 1708, and the implementations may be made in different ways. Virtualization of the hardware is in some contexts referred to as network function virtualization (NFV). NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which can be located in data centers, and customer premise equipment.

In the context of NFV, each VM 1708 may be a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine. Each VM 1708, and that part of hardware 1704 that executes that VM, be it hardware dedicated to that VM and/or hardware shared by that VM with others of the VMs, forms separate virtual network elements. Still in the context of NFV, a virtual network function is responsible for handling specific network functions that run in one or more VMs 1708 on top of the hardware 1704 and corresponds to application 1702.

Hardware 1704 may be implemented in a standalone network node with generic or specific components. Hardware 1704 may implement some functions via virtualization. Alternatively, hardware 1704 may be part of a larger cluster of hardware (e.g. such as in a data center or CPE) where many hardware nodes work together and are managed via management and orchestration 1710, which, among others, oversees lifecycle management of applications 1702. In some embodiments, hardware 1704 is coupled to one or more radio units that each include one or more transmitters and one or more receivers that may be coupled to one or more antennas. Radio units may communicate directly with other hardware nodes via one or more appropriate network interfaces and may be used in combination with the virtual components to provide a virtual node with radio capabilities, such as a radio access node or a base station. In some embodiments, some signaling can be provided with the use of a control system 1712 which may alternatively be used for communication between hardware nodes and radio units.

Figure 18 shows a communication diagram of host 1802 communicating via network node 1804 with UE 1806 over a partially wireless connection in accordance with some embodiments. Example implementations, in accordance with various embodiments, of the UE (such as a UE 1312a of Figure 13 and/or UE 1400 of Figure 14), network node (such as network node 1310a of Figure 13 and/or network node 1500 of Figure 15), and host (such as host 1316 of Figure 13 and/or host 1600 of Figure 16) discussed in the preceding paragraphs will now be described with reference to Figure 18.

Like host 1600, embodiments of host 1802 include hardware, such as a communication interface, processing circuitry, and memory. Host 1802 also includes software, which is stored in or accessible by host 1802 and executable by the processing circuitry. The software includes a host application that may be operable to provide a service to a remote user, such as UE 1806 connecting via an over-the-top (OTT) connection 1850 extending between UE 1806 and host 1802. In providing the service to the remote user, a host application may provide user data which is transmitted using OTT connection 1850.

Network node 1804 includes hardware enabling it to communicate with host 1802 and UE 1806. Connection 1860 may be direct or pass through a core network (like core network 1306 of Figure 13) and/or one or more other intermediate networks, such as one or more public, private, or hosted networks. For example, an intermediate network may be a backbone network or the Internet.

UE 1806 includes hardware and software, which is stored in or accessible by UE 1806 and executable by the UE’s processing circuitry. The software includes a client application, such as a web browser or operator-specific “app” that may be operable to provide a service to a human or non-human user via UE 1806 with the support of host 1802. In host 1802, an executing host application may communicate with the executing client application via OTT connection 1850 terminating at UE 1806 and host 1802. In providing the service to the user, the UE's client application may receive request data from the host's host application and provide user data in response to the request data. OTT connection 1850 may transfer both the request data and the user data. The UE's client application may interact with the user to generate the user data that it provides to the host application through OTT connection 1850.

OTT connection 1850 may extend via a connection 1860 between host 1802 and network node 1804 and via wireless connection 1870 between network node 1804 and UE 1806 to provide the connection between host 1802 and UE 1806. Connection 1860 and wireless connection 1870, over which OTT connection 1850 may be provided, have been drawn abstractly to illustrate the communication between host 1802 and UE 1806 via network node 1804, without explicit reference to any intermediary devices and the precise routing of messages via these devices.

As an example of transmitting data via OTT connection 1850, in step 1808, host 1802 provides user data, which may be performed by executing a host application. In some embodiments, the user data is associated with a particular human user interacting with UE 1806. In other embodiments, the user data is associated with a UE 1806 that shares data with host 1802 without explicit human interaction. In step 1810, host 1802 initiates a transmission carrying the user data towards UE 1806. Host 1802 may initiate the transmission responsive to a request transmitted by UE 1806 The request may be caused by human interaction with UE 1806 or by operation of the client application executing on UE 1806. The transmission may pass via network node 1804, in accordance with the teachings of the embodiments described throughout this disclosure. Accordingly, in step 1812, network node 1804 transmits to UE 1806 the user data that was carried in the transmission that host 1802 initiated, in accordance with the teachings of the embodiments described throughout this disclosure. In step 1814, UE 1806 receives the user data carried in the transmission, which may be performed by a client application executed on UE 1806 associated with the host application executed by host 1802.

In some examples, UE 1806 executes a client application which provides user data to host 1802. The user data may be provided in reaction or response to the data received from host 1802. Accordingly, in step 1816, UE 1806 may provide user data, which may be performed by executing the client application. In providing the user data, the client application may further consider user input received from the user via an input/output interface of UE 1806. Regardless of the specific manner in which the user data was provided, UE 1806 initiates, in step 1818, transmission of the user data towards host 1802 via network node 1804. In step 1820, in accordance with the teachings of the embodiments described throughout this disclosure, network node 1804 receives user data from UE 1806 and initiates transmission of the received user data towards host 1802. In step 1822, host 1802 receives the user data carried in the transmission initiated by UE 1806.

One or more of the various embodiments improve the performance of OTT services provided to UE 1806 using OTT connection 1850, in which wireless connection 1870 forms the last segment. More precisely, embodiments described herein can maintain transparent handling of NAS SM messages by an AMF, while also facilitating support for secondary authentication of a remote UE via U2N relay using either CP -based or UP -based security procedures for the remote UE. Embodiments can also facilitate differentiated handling by an authentication server in an external data network (DN-AAA) for a remote UE and a relay UE in the same PDU session and for a single SMF in the path between the relay UE and the DN-AAA. In this manner, embodiments improve the secure delivery of OTT services via the external DN to the remote UE via the relay UE, which increases the value of such OTT services to end users and service providers.

In an example scenario, factory status information may be collected and analyzed by host 1802. As another example, host 1802 may process audio and video data which may have been retrieved from a UE for use in creating maps. As another example, host 1802 may collect and analyze real-time data to assist in controlling vehicle congestion (e g., controlling traffic lights). As another example, host 1802 may store surveillance video uploaded by a UE. As another example, host 1802 may store or control access to media content such as video, audio, VR or AR which it can broadcast, multicast or unicast to UEs. As other examples, host 1802 may be used for energy pricing, remote control of non-time critical electrical load to balance power generation needs, location services, presentation services (such as compiling diagrams etc. from data collected from remote devices), or any other function of collecting, retrieving, storing, analyzing and/or transmitting data.

In some examples, a measurement procedure may be provided for the purpose of monitoring data rate, latency and other factors on which the one or more embodiments improve. There may further be an optional network functionality for reconfiguring OTT connection 1850 between host 1802 and UE 1806, in response to variations in the measurement results. The measurement procedure and/or the network functionality for reconfiguring the OTT connection may be implemented in software and hardware of host 1802 and/or UE 1806. In some embodiments, sensors (not shown) may be deployed in or in association with other devices through which OTT connection 1850 passes; the sensors may participate in the measurement procedure by supplying values of the monitored quantities exemplified above, or supplying values of other physical quantities from which software may compute or estimate the monitored quantities. The reconfiguring of OTT connection 1850 may include message format, retransmission settings, preferred routing etc.; the reconfiguring need not directly alter the operation of network node 1804. Such procedures and functionalities may be known and practiced in the art. In certain embodiments, measurements may involve proprietary UE signaling that facilitates measurements of throughput, propagation times, latency and the like, by host 1802. The measurements may be implemented in that software causes messages to be transmitted, in particular empty or ‘dummy’ messages, using OTT connection 1850 while monitoring propagation times, errors, etc.

The foregoing merely illustrates the principles of the disclosure. Various modifications and alterations to the described embodiments will be apparent to those skilled in the art in view of the teachings herein. It will thus be appreciated that those skilled in the art will be able to devise numerous systems, arrangements, and procedures that, although not explicitly shown or described herein, embody the principles of the disclosure and can be thus within the spirit and scope of the disclosure. Various embodiments can be used together with one another, as well as interchangeably therewith, as should be understood by those having ordinary skill in the art.

The term unit, as used herein, can have conventional meaning in the field of electronics, electrical devices and/or electronic devices and can include, for example, electrical and/or electronic circuitry, devices, modules, processors, memories, logic solid state and/or discrete devices, computer programs or instructions for carrying out respective tasks, procedures, computations, outputs, and/or displaying functions, and so on, as such as those that are described herein.

Any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses. Each virtual apparatus may comprise a number of these functional units. These functional units may be implemented via processing circuitry, which may include one or more microprocessor or microcontrollers, as well as other digital hardware, which may include Digital Signal Processor (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as Read Only Memory (ROM), Random Access Memory (RAM), cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein. In some implementations, the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according one or more embodiments of the present disclosure.

As described herein, device and/or apparatus can be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of a device or apparatus, instead of being hardware implemented, be implemented as a software module such as a computer program or a computer program product comprising executable software code portions for execution or being run on a processor. Furthermore, functionality of a device or apparatus can be implemented by any combination of hardware and software. A device or apparatus can also be regarded as an assembly of multiple devices and/or apparatuses, whether functionally in cooperation with or independently of each other. Moreover, devices and apparatuses can be implemented in a distributed fashion throughout a system, so long as the functionality of the device or apparatus is preserved. Such and similar principles are considered as known to a skilled person.

Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. It will be further understood that terms used herein should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

In addition, certain terms used in the present disclosure, including the specification and drawings, can be used synonymously in certain instances (e.g., “data” and “information”) It should be understood, that although these terms (and/or other terms that can be synonymous to one another) can be used synonymously herein, there can be instances when such words can be intended to not be used synonymously.

Embodiments of the present disclosure also include, but are not limited to, the following enumerated examples.

Al . A method for a first user equipment (UE) configured to operate as a relay to connect a second UE to a communication network, the method comprising: receiving, from a network node or function (NNF) of the communication network, a second message that includes: a first user identifier (ID) associated with the second UE, and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network (DN); sending the first authentication protocol message to the second UE; receiving a responsive second authentication protocol message from the second UE; and sending, to the NNF, a third message including the first user ID and the second authentication protocol message.

A2. The method of embodiment Al, wherein the second message indicates that a secondary re-authentication of the second UE is needed for the second UE to access the external DN via the first UE.

A3. The method of embodiment Al, wherein: the method further comprises sending, to the NNF, a first message indicating that secondary authentication of the second UE is needed for the second UE to access the external DN via the first UE; the first message includes the first user ID associated with the second UE; and the second message is received in response to the first message. A4. The method of embodiment A3, further comprising: establishing a protocol data unit (PDU) session with the external DN, by which the first UE provides a relay service to the external DN; establishing sidelink (SL) communications with the second UE; and receiving, from the second UE via SL, a request to use the relay service to access the external DN, wherein the first message is sent in response to the request.

A5. The method of any of embodiments A3-A4, wherein the first message is a non-access stratum (NAS) session management (SM) message that includes a first remote secondary authentication container, and the first user ID is included in the first remote secondary authentication container.

A6. The method of embodiment A5, wherein the first remote secondary authentication container also includes a second user ID associated with the second UE, and the second user ID is specific to the external DN.

A7. The method of any of embodiments A1-A6, wherein the second message is a non- access stratum (NAS) session management (SM) message that includes a second remote secondary authentication container, and the first user ID and the first authentication protocol message are included in the second remote secondary authentication container.

A8. The method of any of embodiments A1-A7, wherein the third message is a non-access stratum (NAS) session management (SM) message that includes a third remote secondary authentication container, and the first user ID and the second authentication protocol message are included in the third remote secondary authentication container.

A9. The method of any of embodiments A1-A8, wherein the communication network is a 5G core network (5GC) and the NNF is a session management function (SMF).

A10. The method of embodiment A9, wherein the second message is received via an access and mobility management function (AMF) in the 5GC. Al l. The method of any of embodiments A1-A10, wherein the first authentication protocol message is an EAP-Request/Identity and the second authentication protocol message is an EAP-Response/Identity.

A12. The method of any of embodiments Al-Al l, wherein the second UE is configured as a 5G ProSe Remote UE and the first UE is configured as a 5G ProSe Layer-3 UE-to-Network Relay.

A13. The method of any of embodiments A1-A12, wherein the first user ID is a control plane ProSe Remote User Key identifier (CP-PRUK ID).

A14. The method of any of embodiments A1-A13, further comprising receiving from the NNF a third authentication protocol message indicating successful secondary authorization of the second UE.

A15. The method of embodiment A14, wherein the third authentication protocol message is received from the NNF in a fourth remote secondary authentication container, which also includes the first user ID.

Bl. A method for a network node or function (NNF) of a communication network, the method comprising: sending, to a first user equipment (UE) configured to operate as a relay to connect a second UE to a communication network, a second message that includes: a first user identifier (ID) associated with the second UE, and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network (DN); receiving, from the first UE, a third message including the first user ID and a second authentication protocol message responsive to the first authentication protocol message; and sending the second authentication protocol message to an authentication server associated with the external DN.

B2. The method of embodiment Bl, wherein the second message indicates that a secondary re-authentication of the second UE is needed for the second UE to access the external DN via the first UE. B3. The method of embodiment B2, further comprising receiving from the authentication server a request for re-authentication of the second UE to access the external DN, wherein the second message is responsive to the request.

B4. The method of embodiment Bl, wherein: the method further comprises receiving, from the first UE, a first message indicating that a secondary authentication of the second UE is needed for the second UE to access the external DN via the first UE; the first message includes the first user ID associated with the second UE; and the second message is responsive to the first message.

B5. The method of embodiment B4, wherein the first message is a non-access stratum (NAS) session management (SM) message that includes a first remote secondary authentication container, and the first user ID is included in the first remote secondary authentication container.

B6. The method of embodiment B5, wherein the first remote secondary authentication container also includes a second user ID associated with the second UE, and the second user ID is a DN-specific identifier.

B7. The method of any of embodiments B4-B5, further comprising: based on the first user ID, determining a subscription identifier associated with the second UE’s subscription to the communication network; and based on the subscription identifier, retrieving subscription information for the second UE from a data repository in the communication network, wherein the second message is sent based on determining, from the subscription information, that secondary authentication of the second UE is needed for the second UE to access the external DN.

B8. The method of any of embodiments Bl -B7, wherein the second message is a non- access stratum (NAS) session management (SM) message that includes a second remote secondary authentication container, and the first user ID and the first authentication protocol message are included in the second remote secondary authentication container. B9. The method of any of embodiments Bl -B 8, wherein the third message is a non-access stratum (NAS) session management (SM) message that includes a third remote secondary authentication container, and the first user ID and the second authentication protocol message are included in the third remote secondary authentication container.

BIO. The method of any of embodiments B1-B9, wherein the communication network is a 5G core network (5GC) and the NNF is a session management function (SMF).

B 11. The method of embodiment BIO, wherein the second message is sent via an access and mobility management function (AMF) in the 5GC.

B12. The method of any of embodiments Bl -Bl 1, wherein the first authentication protocol message is an EAP-Request/Identity and the second authentication protocol message is an EAP-Response/Identity.

B13. The method of any of embodiments Bl -Bl 2, wherein the second UE is configured as a 5G ProSe Remote UE and the first UE is configured as a 5G ProSe Layer-3 UE-to-Network Relay.

B14. The method of any of embodiments Bl -Bl 3, wherein the first user ID is a control plane ProSe Remote User Key identifier (CP-PRUK ID).

B15. The method of any of embodiments Bl -Bl 4, further comprising receiving, from the authentication server in response to the second authentication protocol message, a third authentication protocol message indicating successful secondary authorization of the second UE.

B16. The method of embodiment B15, further comprising one or more of the following: based on the third authentication protocol message, updating a stored context for the first UE to indicate that the second UE is authorized to access the external DN via the first UE; and sending the third authentication protocol message to the first UE. B17. The method of embodiment B16, wherein the third authentication protocol message is sent to the first UE in a fourth remote secondary authentication container, which also includes the first user ID.

Cl . A first user equipment (UE) configured to operate as a relay to connect a second UE to a communication network, the first UE comprising: communication interface circuitry configured to communicate with the second UE via sidelink (SL) and with a network node or function (NNF) of the communication network; and processing circuitry operatively coupled to the communication interface circuitry, whereby the processing circuitry and the communication interface circuitry are configured to perform operations corresponding to any of the methods of embodiments Al -Al 5.

C2. A first user equipment (UE) configured to operate as a relay to connect a second UE to a communication network, the first UE being further configured to perform operations corresponding to any of the methods of embodiments Al -Al 5.

C3. A non-transitory, computer-readable medium storing computer-executable instructions that, when executed by processing circuitry of a first user equipment (UE) configured to operate as a relay to connect a second UE to a communication network, configure the first UE to perform operations corresponding to any of the methods of embodiments Al -Al 5.

C4. A computer program product comprising computer-executable instructions that, when executed by processing circuitry of a first user equipment (UE) configured to operate as a relay to connect a second UE to a communication network, configure the first UE to perform operations corresponding to any of the methods of embodiments A1-A15.

DI . A network node or function (NNF) of a communication network, the NNF comprising: communication interface circuitry configured to communicate with a first user equipment (UE) and with an authentication server of an external data network (DN); and processing circuitry operatively coupled to the communication interface circuitry, whereby the processing circuitry and the communication interface circuitry are configured to perform operations corresponding to any of the methods of embodiments B1-B17. D2. A network node or function (NNF) of a communication network, the NNF being configured to perform operations corresponding to any of the methods of embodiments B1-B17. D3. A non-transitory, computer-readable medium storing computer-executable instructions that, when executed by processing circuitry of a network node or function (NNF) of a communication network, configure the NNF to perform operations corresponding to any of the methods of embodiments B1-B17. D4. A computer program product comprising computer-executable instructions that, when executed by processing circuitry of a network node or function (NNF) of a communication network, configure the NNF to perform operations corresponding to any of the methods of embodiments B1-B17.

Claims

1. A method for a first user equipment, UE, configured to operate as a relay to connect a second UE to a communication network, the method comprising: receiving (1150), from a network node or function, NNF, of the communication network, a second message that includes: a first user identifier, ID, associated with the second UE, and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network, DN; sending (1160) the first authentication protocol message to the second UE; receiving (1170) a responsive second authentication protocol message from the second UE; and sending (1180), to the NNF, a third message including the first user ID and the second authentication protocol message.

2. The method of claim 1, wherein the second message indicates that a secondary reauthentication of the second UE is needed for the second UE to access the external DN via the first UE.

3. The method of claim 1, wherein: the method further comprises sending, (1140) to the NNF, a first message indicating that secondary authentication of the second UE is needed for the second UE to access the external DN via the first UE; the first message includes the first user ID associated with the second UE; and the second message is received in response to the first message.

4. The method of claim 3, further comprising: establishing (1110) a protocol data unit, PDU, session with the external DN, by which the first UE provides a relay service to the external DN; establishing (1120) sidelink, SL, communications with the second UE; and receiving (1130), from the second UE via SL, a request to use the relay service to access the external DN, wherein the first message is sent in response to the request.

5. The method of any of claims 3-4, wherein: the first message is a non-access stratum, NAS, session management, SM, message that includes a first remote secondary authentication container; and the first user ID is included in the first remote secondary authentication container.

6. The method of claim 5, wherein the first remote secondary authentication container also includes a second user ID associated with the second UE, and the second user ID is specific to the external DN.

7. The method of claim 6, further comprising, prior to sending the first message, receiving the second user ID from the second UE via SL in one of the following messages: Direct Communication Request, or Direct Security Command Complete.

8. The method of any of claims 1-7, wherein: the second message is a non-access stratum, NAS, session management, SM, message that includes a second remote secondary authentication container; and the first user ID and the first authentication protocol message are included in the second remote secondary authentication container.

9. The method of any of claims 1-8, wherein: the third message is a non-access stratum, NAS, session management, SM, message that includes a third remote secondary authentication container; and the first user ID and the second authentication protocol message are included in the third remote secondary authentication container.

10. The method of any of claims 1-9, wherein the communication network is a 5G core network, 5GC, and the NNF is a session management function, SMF.

11. The method of claim 10, wherein the second message is received via an access and mobility management function, AMF, in the 5GC.

12. The method of any of claims 1-11, wherein the first authentication protocol message is an EAP-Request/Identity and the second authentication protocol message is an EAP- Response/Identity.

13. The method of any of claims 1-12, wherein the second UE is configured as a 5G ProSe Remote UE and the first UE is configured as a 5G ProSe Layer-3 UE-to-Network Relay.

14. The method of any of claims 1-13, wherein the first user ID is a control plane ProSe Remote User Key identifier, CP-PRUK ID, or a user plane ProSe Remote User Key identifier, UP-PRUK ID

15. The method of any of claims 1-14, further comprising receiving from the NNF a third authentication protocol message indicating successful secondary authorization of the second UE.

16. The method of claim 15, wherein the third authentication protocol message is received from the NNF in a fourth remote secondary authentication container, which also includes the first user ID.

17. The method of any of claims 15-16, further comprising, based on the third authentication protocol message, sending to the second UE a Direct Communication Accept message to complete connection establishment between first and second UEs.

18. A method for a network node or function, NNF, of a communication network, the method comprising: sending (1260), to a first user equipment, UE, configured to operate as a relay to connect a second UE to the communication network, a second message that includes the following: a first user identifier, ID, associated with the second UE; and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network, DN; receiving (1270), from the first UE, a third message including the following: the first user ID associated with the second UE, and a second authentication protocol message responsive to the first authentication protocol message; and sending (1280) the second authentication protocol message to an authentication server associated with the external DN.

19. The method of claim 18, wherein the second message indicates that a secondary reauthentication of the second UE is needed for the second UE to access the external DN via the first UE.

20. The method of claim 19, further comprising receiving (1210) from the authentication server a request for re-authentication of the second UE to access the external DN, wherein sending (1260) the second message is responsive to the request.

21 The method of claim 18, wherein: the method further comprises receiving (1220) from the first UE a first message indicating that a secondary authentication of the second UE is needed for the second UE to access the external DN via the first UE, the first message includes the first user ID associated with the second UE; and the second message is responsive to the first message.

22. The method of claim 21, wherein: the first message is a non-access stratum, NAS, session management, SM, message that includes a first remote secondary authentication container; and the first user ID is included in the first remote secondary authentication container.

23. The method of claim 22, wherein the first remote secondary authentication container also includes a second user ID associated with the second UE, and the second user ID is a DN- specific identifier.

24. The method of any of claims 22-23, further comprising: based on the first user ID, determining (1230) a subscription identifier associated with the second UE’s subscription to the communication network; and based on the subscription identifier, retrieving (1240) subscription information for the second UE from a data repository in the communication network, wherein the second message is sent based on determining (1250), from the subscription information, that secondary authentication of the second UE is needed for the second UE to access the external DN.

25. The method of any of claims 18-24, wherein: the second message is a non-access stratum, NAS, session management, SM, message that includes a second remote secondary authentication container; and the first user ID and the first authentication protocol message are included in the second remote secondary authentication container.

26. The method of any of claims 18-25, wherein: the third message is a non-access stratum, NAS, session management, SM, message that includes a third remote secondary authentication container; and the first user ID and the second authentication protocol message are included in the third remote secondary authentication container.

27. The method of any of claims 18-26, wherein the communication network is a 5G core network, 5GC, and the NNF is a session management function, SMF.

28. The method of claim 27, wherein the second message is sent via an access and mobility management function, AMF, in the 5GC.

29. The method of any of claims 18-28, wherein the first authentication protocol message is an EAP-Request/Identity and the second authentication protocol message is an EAP- Response/Identity.

30. The method of any of claims 18-29, wherein the second UE is configured as a 5G ProSe Remote UE and the first UE is configured as a 5G ProSe Layer-3 UE-to-Network Relay.

31. The method of any of claims 18-30, wherein the first user ID is a control plane ProSe Remote User Key identifier, CP-PRUK ID, or a user plane ProSe Remote User Key identifier, UP-PRUK ID.

32. The method of any of claims 18-31, further comprising receiving (1285), from the authentication server in response to the second authentication protocol message, a third authentication protocol message indicating successful secondary authorization of the second UE.

33. The method of claim 32, further comprising one or more of the following: based on the third authentication protocol message, updating (1290) a stored context for the first UE to indicate that the second UE is authorized to access the external DN via the first UE; and sending (1295) the third authentication protocol message to the first UE.

34. The method of claim 33, wherein the third authentication protocol message is sent to the first UE in a fourth remote secondary authentication container, which also includes the first user ID.

35. The method of any of claims 18-34, wherein the second authentication protocol message is sent to the authentication server with one or more of the following: a subscription identifier associated with the second UE, address information associated with the second UE, a subscription identifier associated with the first UE, and address information associated with the first UE.

36. A first user equipment, UE (110, 205, 920, 1020, 1312, 1400) configured to operate as a relay to connect a second UE (110, 205, 910, 1010, 1312, 1400) to a communication network (298, 300, 1302), the first UE comprising: communication interface circuitry (1412) configured to communicate with the second UE via sidelink, SL, and with a network node or function, NNF (940, 1040, 1308, 1500, 1702) of the communication network; and processing circuitry (1402) operatively coupled to the communication interface circuitry, whereby the processing circuitry and the communication interface circuitry are configured to: receive from the NNF a second message that includes the following: a first user identifier, ID, associated with the second UE; and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network, DN; send the first authentication protocol message to the second UE; receive a responsive second authentication protocol message from the second UE; and send to the NNF a third message including the first user ID and the second authentication protocol message.

37. The first UE of claim 36, wherein the processing circuitry and the communication interface circuitry are further configured to perform operations corresponding to any of the methods of claims 2-17.

38. A first user equipment, UE (110, 205, 920, 1020, 1312, 1400) configured to operate as a relay to connect a second UE (110, 205, 910, 1010, 1312, 1400) to a communication network (298, 300, 1302), the first UE being further configured to: receive, from a network node or function, NNF (940, 1040, 1308, 1500, 1702) of the communication network, a second message that includes the following: a first user identifier, ID, associated with the second UE; and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network, DN; send the first authentication protocol message to the second UE; receive a responsive second authentication protocol message from the second UE; and send to the NNF a third message including the first user ID and the second authentication protocol message.

39. The first UE of claim 38, being further configured to perform operations corresponding to any of the methods of claims 2-17.

40. A non-transitory, computer-readable medium (1410) storing computer-executable instructions that, when executed by processing circuitry (1402) of a first user equipment, UE (110, 205, 920, 1020, 1312, 1400) configured to operate as a relay to connect a second UE (110, 205, 910, 1010, 1312, 1400) to a communication network (298, 300, 1302), configure the first UE to perform operations corresponding to any of the methods of claims 1-17.

41. A computer program product (1414) comprising computer-executable instructions that, when executed by processing circuitry (1402) of a first user equipment, UE (110, 205, 920, 1020, 1312, 1400) configured to operate as a relay to connect a second UE (110, 205, 910, 1010, 1312, 1400) to a communication network (298, 300, 1302), configure the first UE to perform operations corresponding to any of the methods of claims 1-17.

42. A network node or function, NNF (940, 1040, 1308, 1500, 1702) of a communication network (298, 300, 1302), the NNF comprising: communication interface circuitry (1506, 1704) configured to communicate with an authentication server (960, 1060) of an external data network, DN, and with a first user equipment, UE (110, 205, 920, 1020, 1312, 1400) configured to operate as a relay to connect a second UE (110, 205, 910, 1010, 1312, 1400) to the communication network; and processing circuitry (1502, 1704) operatively coupled to the communication interface circuitry, whereby the processing circuitry and the communication interface circuitry are configured to: send, to the first UE, a second message that includes the following: a first user identifier, ID, associated with the second UE; and a first authentication protocol message associated with secondary authentication of the second UE to access the external DN; receive from the first UE a third message including the following: the first user ID associated with the second UE, and a second authentication protocol message responsive to the first authentication protocol message; and send the second authentication protocol message to the authentication server.

43. The NNF of claim 42, wherein the processing circuitry and the communication interface circuitry are further configured to perform operations corresponding to any of the methods of claims 19-35.

44. A network node or function, NNF (940, 1040, 1308, 1500, 1702) of a communication network (298, 300, 1302), the NNF being configured to: send, to a first user equipment, UE (110, 205, 920, 1020, 1312, 1400) configured to operate as a relay to connect a second UE (110, 205, 910, 1010, 1312, 1400) to the communication network, a second message that includes the following: a first user identifier, ID, associated with the second UE; and a first authentication protocol message associated with secondary authentication of the second UE to access an external data network, DN; receive from the first UE a third message including the following: the first user ID associated with the second UE, and a second authentication protocol message responsive to the first authentication protocol message; and send the second authentication protocol message to an authentication server (960, 1060) associated with the external DN.

45. The NNF of claim 44, being further configured to perform operations corresponding to any of the methods of claims 19-35.

46. A non-transitory, computer-readable medium (1504, 1704) storing computer-executable instructions that, when executed by processing circuitry (1502, 1704) of a network node or function, NNF (940, 1040, 1308, 1500, 1702) of a communication network (298, 300, 1302), configure the NNF to perform operations corresponding to any of the methods of claims 18-35.

47. A computer program product (1504a, 1704a) comprising computer-executable instructions that, when executed by processing circuitry (1502, 1704) of a network node or function, NNF (940, 1040, 1308, 1500, 1702) of a communication network (298, 300, 1302), configure the NNF to perform operations corresponding to any of the methods of claims 18-35.