EP-3574624-B1 - METHODS FOR INTEGRITY PROTECTION OF USER PLANE DATA
Inventors
- WIFVESSON, MONICA
- TORVINEN, VESA
- NORRMAN, KARL
- NAKARMI, Prajwol Kumar
Dates
- Publication Date: 20260506
- Application Date: 20180130
Claims (13)
- 1. A method performed by a User Equipment, UE, which UE is configured to connect to a communication network, the method comprising: indicating to the communication network an Integrity Protection for User Plane, IPUP, mode supported by the UE when requesting registration with the communication network; and, indicating to the communication network a UE preference as to the IPUP mode to be used by the communication network for the UE; wherein the IPUP mode comprises one of: use of Integrity Protection for User Plane data exchanged with the UE; non-use of Integrity Protection for User Plane data exchanged with the UE; or use of Integrity Protection for User Plane data, and non-use of Confidentiality Protection for User Plane data.
- 2. A method according to claim 1, wherein the indicated UE preference applies to at least one of: all data exchanged with the communication network; or data exchanged with a specific slice or plurality of slices of the communication network.
- 3. A method according to any one of the preceding claims, further comprising: receiving from the communication network an indication of an IPUP mode that shall be used by the communication network for the UE.
- 4. A method according to claim 3, wherein the indication applies to at least one of: all data exchanged with the communication network; or data exchanged with a specific slice or plurality of slices of the communication network.
- 5. A method according to any one of the preceding claims, wherein indicating to the communication network an IPUP mode of use of Integrity Protection for User Plane data exchanged with the UE or use of Integrity Protection for User Plane data, and non-use of Confidentiality Protection for User Plane data comprises: indicating to the communication network a maximum data rate of user plane data for which integrity protection may be applied.
- 6. A method according to any one of the preceding claims, further comprising: receiving a message from a target radio access node of the communication network during a procedure for handover of the UE from a source radio access node to the target radio access node, the message including an indication that the target radio access node will use a different IPUP mode for the UE to that used by the source radio access node.
- 7. A method performed by a radio access node of a communication network, the method comprising: receiving, from a User Equipment, UE, requesting registration with the communication network, an indication of an Integrity Protection for User Plane, IPUP, mode supported by the UE; and receiving from the UE a UE preference as to the IPUP mode to be used by the communication network for the UE; wherein the IPUP mode comprises one of: use of Integrity Protection for User Plane data exchanged with the UE; non-use of Integrity Protection for User Plane data exchanged with the UE; or use of Integrity Protection for User Plane data, and non-use of Confidentiality Protection for User Plane data; and wherein the indication is received from the UE via the communication network.
- 8. A method according to claim 7, wherein receiving from a UE an indicated IPUP mode of use of Integrity Protection for User Plane data exchanged with the UE or use of Integrity Protection for User Plane data, and non-use of Confidentiality Protection for User Plane data comprises: receiving from the UE a maximum data rate of user plane data for which integrity protection may be applied.
- 9. A method according to claim 7, further comprising: receiving from a core network node of the communication network an indication of an IPUP mode to be used by the communication network for the UE.
- 10. A computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out a method according to the method as claimed in claim 1 or the method as claimed in claim 7.
- 11. A computer program product comprising non transitory computer readable media having stored thereon a computer program according to claim 10.
- 12. Apparatus for operating a User Equipment, UE, which UE is configured to connect to a communication network, the apparatus configured to: indicate to the communication network an Integrity Protection for User Plane, IPUP, mode supported by the UE when requesting registration with the communication network; and indicate to the communication network a UE preference as to the IPUP mode to be used by the communication network for the UE; wherein the IPUP mode comprises one of: use of Integrity Protection for User Plane data exchanged with the UE; non-use of Integrity Protection for User Plane data exchanged with the UE; or use of Integrity Protection for User Plane data, and non-use of Confidentiality Protection for User Plane data.
- 13. Apparatus for operating a radio access node of a communication network, the apparatus configured to: receive, from a User Equipment, UE, requesting registration with the communication network, an indication of an Integrity Protection for User Plane, IPUP, mode supported by the UE; receive from the UE a UE preference as to the IPUP mode taken into account by the radio access node to define a policy of the radio access node to be used by the communication network for the UE; wherein the IPUP mode comprises one of: use of Integrity Protection for User Plane data exchanged with the UE; non-use of Integrity Protection for User Plane data exchanged with the UE; or use of Integrity Protection for User Plane data, and non-use of Confidentiality Protection for User Plane data; and wherein the indication is received from the UE via the communication network.
Description
Technical Field
The present disclosure relates to methods for operating a User Equipment (UE), radio access node and core network node in a communication network. The disclosure also relates to apparatus and to a computer program configured to carry out methods for operating a UE, a radio access node and a core network node.
Background
Integrity protection of User Plane (UP) data between a UE and a core network was introduced for enhanced-GPRS for Internet of Things (IoT) devices in 3GPP Rel-13. Support for Integrity protection of UP data was optional both in the UE and the network, with negotiation of implementation of Integrity protection of UP data taking place at the NAS layer (mobility management layer) and integrity protection supported at the LLC layer in the core network. Negotiation of integrity protection of UP data is not considered in the standards for Long Term Evolution (4G) networks, and integrity protection for UP data is not therefore possible in such networks. Integrity protection of UP data exchanged between a UE and a base station may however be a desirable feature for Next Generation (5G) networks.
In Next Generation networks, the Radio Access Network (RAN) may adopt RAN architecture and interfaces set out in TR 33.801 v1.0.0 [x]. Figure 1 illustrates the potential new RAN architecture for Next Generation networks. Referring to Figure 1, it is expected that a gNB 102 and an eLTE eNB 104 may be connected to the same Next Generation Core (NGC) 106. A gNB 102 will be able to connect to other gNBs 102 or (e)LTE eNBs 104 over a new RAN interface named the Xn interface 108.
US2017012956A1 describes integrity protection of user plane (UP) data including one or more network nodes implementing network functions enabling a client device to apply a security context to communication with the network in an efficient way which is especially favorable for client devices working in a low power consumption mode.
US2015/319652A1 discloses methods and apparatus for differentiating security configurations in a radio local area network. The document discusses primarily management of security settings during handovers between base stations and local access point within radio networks.
EP2804409A1 discloses a method, an apparatus, and a system for establishing a security context and relates to the communications field, so as to comprehensively protect UE data.
Brief Description of the Drawings
For a better understanding of the present disclosure, and to show more clearly how it may be carried into effect, reference will now be made, by way of example, to the following drawings, in which:
- Figure 1 is a representation of a potential RAN architecture for Next Generation networks;
- Figures 2a to c show a flow chart illustrating process steps in a method for operating a User Equipment (UE);
- Figure 3 is a flow chart illustrating process steps in a method for operating a radio access node in a communication network;
- Figure 4 is a flow chart illustrating process steps in another example of method for operating a radio access node;
- Figure 5 is a flow chart illustrating process steps in another example of method for operating a radio access node;
- Figure 6 is a flow chart illustrating process steps in another example of method for operating a radio access node;
- Figure 7 is a flow chart illustrating process steps in another example of method for operating a radio access node;
- Figure 8 is a flow chart illustrating process steps in a method for operating a core node in a communication network;
- Figure 9 is a flow chart illustrating process steps in another example of method for operating a core node;
- Figure 10 is a flow chart illustrating process steps in another example of method for operating a core node;
- Figure 11 is a flow chart illustrating process steps in another example of method for operating a core node;
- Figure 12 is a block diagram illustrating functional units in an apparatus for operating a UE;
- Figure 13 is a block diagram illustrating functional units in an apparatus for operating a radio access node;
- Figure 14 is a block diagram illustrating functional units in an apparatus for operating a core node;
- Figure 15 is a block diagram illustrating functional units in another example of apparatus for operating a UE;
- Figure 16 is a block diagram illustrating functional units in another example of apparatus for operating a radio access node;
- Figure 17 is a block diagram illustrating functional units in another example of apparatus for operating a radio access node;
- Figure 18 is a block diagram illustrating functional units in another example of apparatus for operating a core node;
- Figure 19 is a block diagram illustrating functional units in another example of apparatus for operating a core node;
- Figure 20 is a block diagram illustrating functional units in another example of apparatus for operating a core node;
- Figure 21 is a signalling diagram illustrating a registration procedure for a UE;
- Figure 22 is a signalling diagram illustrating