5.2.5 Authorization for C2

23.2563GPPRelease 17Stage 2Support of Uncrewed Aerial Systems (UAS) connectivity, identification and trackingTS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

5.2.5.1 General

Authorization for C2 is required when a UAV establishes a user plane connection for C2 operations, i.e. to deliver messages with information of command and control for UAV operations from a UAV-C or USS to a UAV or to report telemetry data from a UAV to its UAV-C. Two sides of C2 communication, i.e. UAV and UAV-C, belong to the same UAS.

A UAV shall be authorized by the USS to use a PDU Session/PDN connection for C2. Authorization for C2 includes the following:

– UAV to UAV-C pairing authorization: Authorization for pairing with a networked UAV-C or a UAV-C that connects to the UAV via Internet connectivity, before the UAV and the UAV-C can exchange C2 communication. One UAV can be paired with only one UAV-C at the any time. One UAV-C may be paired with one or more UAVs at the same time.

– Flight Authorization: Authorization for flight when UAV also provides Flight Authorization information.

C2 authorization may be carried out:

– During the UUAA procedure (if UUAA is carried out at PDU session/PDN connection establishment) as described in clause 5.2.3 when the UAV requests establishment of PDU Session/PDN connection for connectivity.

– During PDU Session Modification/ UE requested bearer resource modification when the UAV requires to use an existing PDU session/PDN connection to exchange C2 communication related messages.

– During a new PDU Session/PDN connection establishment, if the UAV requires to use a separate PDU Session/PDN connection for C2 communication.

5.2.5.2 Procedure for C2 authorization in 5GS

5.2.5.2.1 C2 Authorization request during UUAA-SM procedure in 5GS

If C2 authorization is requested during the UUAA-SM procedure the procedure described in clause 5.2.3.2 takes place with the following additions:

– In Step 0, the UE includes pairing information (if available) in a C2 Aviation Payload. which is forwarded further to the USS;

– In step 4, the USS performs C2 authorization taking into account the included pairing information, the Service Level Device Identity/CAA-Level UAV ID and 3GPP UAV ID/GPSI. The USS includes the resulting C2 Authorization result and optionally a C2 authorization payload in the Naf_Authentication_AuthenticateAuthorize response returned to the UAS-NF/NEF and the UAS NF/NEF forwards to the UAV/UE in step 7.

– The USS shall:

– in step 4 include a DN Authorization profile Index specifying a predefined set of PCC-rules in the PCF with initial restriction on the type of traffic allowed to pass on the PDU-session. For example, only traffic exchanged with the USS might be allowed to pass.

Once the authentication is complete, after step 4, the USS subscribes to PDU Session Status Events for the PDU session used for C2 communication, applicable for the GPSI received in step 2.

– when the USS in step 8 receives a PDU Session State Event Report indicating session start and including the PDU Session IP address the USS invokes the USS initiated pairing policy configuration procedure (see figure 5.2.5.4.1-1) with the received PDU Session IP address and authorized paired UAV-C IP-address as input to request corresponding traffic to be allowed on the PDU session in the UPF.

5.2.5.2.2 UE initiated PDU Session Modification for C2 Communication

C2 authorization is requested at PDU session Modification:

– After UUAA-SM is performed and a common PDU session is used for connectivity to USS and C2 communication to a UAV-C (as configured in the UAV); or

– If the UE has already established a PDU session for C2 communication to a UAV-C.

Figure 5.2.5.2.2-1: PDU Session modification for C2 communication (common PDU session for UAS services)

1. The UE establishes a PDU Session for USS communication as described in clause 5.2.3.

2-3. When the UAV needs to establish C2 communication the UAV determines that an existing PDU session can be used and initiates a PDU Session Modification procedure. The UE shall include in the request a CAA-Level UAV ID and shall include a C2 Aviation Payload within a UAS container that includes C2 authorization information. The USS may also use its locally configured pairing information for UAV – UAV-C pairing authorization which takes precedence over UAV provided pairing information. The pairing information includes the CAA-level UAV ID of the requesting UE and also includes identification information of UAV-C to pair if available. The UAV may also include other information such as Flight Authorization information.

NOTE: How the pairing information is configured in the UAV is outside the scope of 3GPP specifications.

4. The SMF determines that authorization is required based on that the DNN/S-NSSAI of the PDU session is dedicated for aerial services (have aerial service indicator set) and that the Service Level Device Identity (CAA-Level UAV ID) is included in the request and Then sends a Nnef_Authentication_AuthenticateAuthorize request to the UAS-NF including the UAS container provided by the UAV in step 2 (including the C2 Aviation Payload), the CAA-Level UAV ID, GPSI, PDU Session IP address, and optionally the UAV location (e.g. Cell ID) provided by the AMF.

5. The UAS-NF forwards the received authorization request as a Naf_Authentication_AuthenticateAuthorize request to the USS.

6. PDU Session Modification procedure completes as in TS 23.502 [3] figure 4.3.3.2-1.

Editor’s note: It is FFS if any indication from SMF to UE is needed on pending C2 authorization.

7. Triggered by step 5, the USS performs C2 authorization based on the received information and invokes, in order to forward the C2 authorization result to the UAV/UE, the UAV Re-authorization procedure (see figure 5.2.4.3-1) including GPSI, CAA-Level UAV-ID (potentially new) and included in the authorization message, the C2 Authorization Result and the C2 Authorization Payload (e.g. containing C2 pairing information and C2 security information).

8. The USS invokes, with the received PDU Session IP address and the IP address of the authorized paired UAV-C as input, the USS initiated pairing policy configuration procedure (see figure 5.2.5.2.4-1) to request corresponding traffic to be allowed on the PDU session in the UPF.

Unless a dedicated QoS is requested for the C2 flows, this procedure does not invoke any interaction with the UE, AMF or RAN.

5.2.5.2.3 UE initiated PDU Session Establishment for C2 Communication

If C2 authorization is requested during PDU session establishment to a PDU session used specifically for C2 communication to UAV-C the UAV requests C2 authorization as follows.

Figure 5.2.5.2.3-1: PDU Session establishment for C2 communication (separate PDU Sessions for UAS services)

0. The UAV has performed a successful UUAA with the USS (UUAA-SM or UUAA-MM) and the USS has for the corresponding GPSI subscribed for PDU Session Status Event from the NEF.

1. When the UAV needs to establish C2 communication the UAV determines that a new dedicated PDU session is required for connectivity to UAV-C. The UE initiates PDU Session establishment procedure for a DNN/S-NSSAI dedicated for connectivity to UAV-C. In the PDU Session establishment request CAA-Level UAV ID and a C2 Aviation Payload to be used for C2 authorization shall be included and forwarded to the SMF. The pairing information includes the CAA-Level UAV IDs of the requesting UAV and identification information for the UAV-C to pair may be included in C2 Aviation Payload. The UAV may also include other information such as Flight Authorization information. The USS may also use its locally configured pairing information for UAV – UAV-C pairing authorization which then takes precedence over UAV provided pairing information.

2. The SMF determines that authorization is required based on that the requested DNN/S-NSSAI combination dedicated for aerial services (have aerial service indicator set), and that the Service Level Device Identity (CAA-Level UAV ID) is included in the request. The SMF then sends a Nnef_Authentication_AuthenticateAuthorize request, which is used to request authorization to pair the UAV with UAV-C, to the UAS NF/NEF that includes the GPSI, CAA-Level UAV ID and C2 Aviation Payload and optionally the UAV location (e.g. Cell ID) if provided by the AMF and the DNN and S-NSSAI of the PDU session.

If the requested DNN/S-NSSAI is dedicated for aerial services but no Service Level Device ID (CAA-Level UAV ID) has been provided with the request, the SMF rejects the PDU session establishment with a cause indicating that USS authorization is required.

The SMF also provides a Notification Endpoint to the UAS NF/NEF. By providing the Notification Endpoint, the SMF is implicitly subscribed to be notified of re-authorization, update authorization data or revocation of C2 connectivity from UAS NF/NEF, if the C2 authorization result is successful in step 5.

3. The UAS NF/NEF checks that a valid UUAA is stored for the GPSI and forwards the received authorization request as a Naf_Authentication_AuthenticateAuthorize request to the USS. If not, the request is not forwarded to the USS and the PDU session is rejected.

The UAS NF/NEF also provides a Notification Endpoint to the USS. By providing the Notification Endpoint, the UAS NF/NEF is implicitly subscribed to be notified of re-authorization, update authorization data or revocation of C2 connectivity from USS, if the UUAA result is successful in step 5.

NOTE: The USS may trigger a UAV re-authentication/re-authorization in response to the query from the UAS NF/NEF.

4. The USS performs C2 authorization based on the received information and sends the Naf_Authentication_AuthenticateAuthorize response to the UAS NF/NEF including the Service Level Device Identity (e.g. the CAA-Level UAV-ID) (potentially new), the C2 Authorization Result and the C2 Authorization Payload (e.g. C2 pairing information and C2 security information).

5. The UAS-NF/NEF forwards the information received from the USS in the Nnef_Authentication_AuthenticateAuthorize response sent to the SMF.

6. To inform the UE about the C2 Authorization Result the SMF includes the authorization result and, optionally, a new CAA-Level UAV ID if received from the USS, in the PDU Session Accept sent to the UE and let the PDU session establishment procedure continue until finalized.

If a failed C2 Authorization Result is received from the USS, the SMF instead rejects the PDU establishment and include a reason code indicating not authorized.

7. [Conditional] If the C2 authorization is successful the USS subscribes via the UAS-NF to a PDU Session Status event for the PDU session used for C2 including in the request the GPSI of the UAV. The UAS NF determines DNN, S-NSSAI corresponding to the PDU session used for C2 communication and uses this DNN, S-NSSAI to subscribe to SMF for PDU Session Status event. The SMF detects, as described in step 6-7 of figure 4.15.3.2.3-1 in TS 23.502 [3], when the PDU Session is established and send the PDU Session Status event report to the UAS NF/NEF by means of Nsmf_EventExposure_Notify message, including GPSI and UE IP Address. The UAS NF/NEF then forwards the event message to the USS.

8. [Conditional] The USS stores the received UE IP address and invokes, with the received PDU Session IP address and the IP-address of the authorized paired UAV-C as input, the USS initiated pairing policy configuration procedure (see figure 5.2.5.2.4-1) to request corresponding traffic to be allowed on the PDU session by the UPF.

Unless a dedicated QoS is requested for the C2 flows, this procedure does not invoke any interaction with the UE, AMF or RAN.

5.2.5.3 Procedure for C2 authorization in EPS

5.2.5.3.0 C2 Authorization request during UUAA-SM procedure in EPS

If C2 authorization is requested during the UUAA-SM procedure the procedure described in clause 5.2.3.3 takes place with the following additions:

– In step 0, the UE includes pairing information (if available) in a C2 Aviation Payload, which is forwarded further to the USS.

– Initially in step 5, the USS performs C2 authorization taking into account the included pairing information, the Service Level Device Identity/CAA-Level UAV ID and 3GPP UAV ID/GPSI. The USS includes the resulting C2 Authorization result in the Naf_Authentication_AuthenticateAuthorize response returned to the UAS-NF/NEF and UAS NF/NEF forwards to the UAV/UE in step 8.

– The USS shall:

– in step 5 include a DN Authorization profile Index specifying a predefined set of PCC-rules in the PCF with initial restriction on the type of traffic allowed to pass on the PDN Connection. For example, only traffic exchanged with the USS might be allowed to pass.

Once the authentication is complete, after step 5, the USS subscribes to PDN Connectivity Status Events for the PDN Connection used for C2 communication, applicable for the GPSI received in step 2.

– when the USS in step 9 receives a PDN Connectivity Status Event Report indicating session start and including the PDN Connection IP address, the USS invokes the USS initiated pairing policy configuration procedure (see figure 5.2.5.4.2-1) with the received PDN Connection IP address and authorized paired UAV-C IP-address as input to request corresponding traffic to be allowed on the PDN Connection in the PGW-U.

5.2.5.3.1 UE requested PDN connectivity for C2 authorization

When the UAV requests to establish connectivity to an additional PDN over E-UTRAN for C2, the procedure described in clause 5.10.2 of TS 23.401 [6] takes place with the following modifications:

Figure 5.2.5.3.1-1: UE requested PDN Connectivity for C2 authorization

0. The UAV has performed a successful UUAA with the USS (UUAA-SM) and the USS has for the corresponding GPSI subscribed for PDN Connectivity Status Event reports from the NEF.

1. Steps 1 – 3 performed as in Figure 5.10.2-1 of TS 23.401 [6].

When the UAV needs to establish C2 communication, the UAV determines that a new PDN Connection is required for connectivity to UAV-C. The UE initiates a UE Requested PDN Connectivity procedure for connectivity to UAV-C. In the PCO in the PDN Connectivity Request, the Service Level Device Identity (e.g. the CAA-Level UAV ID) and a C2 Aviation Payload to be used for C2 authorization shall be included and forwarded to the MME. The pairing information includes the Service Level Device Identity (e.g. CAA-Level UAV IDs) of the requesting UAV and identification information for the UAV-C to pair may be included in C2 Aviation Payload. The UAV may also include other information such as Flight Authorization information. The USS may also use its locally configured pairing information for UAV – UAV-C pairing authorization which then takes precedence over UAV provided pairing information.

If Service Level Device Identity (CAA-Level UAV ID) is provided with the request, the SMF+PGW-C retrieves (if not already available) the Session Management Subscription Data for the UE from the UDM+HSS using the Nudm_SDM_Get service operation.

2. The SMF+PGW-C determines that authorization is required based on that the requested APN/DNN is dedicated for aerial services (have aerial service indicator set) and that the Service Level Device Identity (CAA-Level UAV ID) is included in the request. The SMF+PGW-C then sends a Nnef_Authentication_AuthenticateAuthorize request, which is used to request authorization to pair the UAV with UAV-C, to the UAS NF/NEF that includes the GPSI, Service Level Device Identity (e.g. the CAA-Level UAV ID) and C2 Aviation Payload and optionally the UAV location (e.g. Cell ID) if provided by the MME and the APN/DNN of the PDN Connection.

If the SMF+PGW-C determines that the authorization procedure with the USS is required, but the UAV has not provided the Service Level Device Identity (e.g. the CAA-Level UAV ID), the SMF+PGW-C rejects the PDN Connectivity Request with a cause indicating that USS authorization is required.

5. The UAS NF/NEF forwards the information received from the USS in the Nnef_Authentication_AuthenticateAuthorize response sent to the SMF+PGW C.

6. To inform the UE about the C2 authorization result the SMF+PGW-C includes the C2 Authorization Result and optionally, the Authorization Payload (e.g. C2 pairing information and C2 security information) and a new Service Level Device Identity (e.g. CAA-Level UAV ID) if received from the USS, in the PCO in the PDN Connectivity Accept sent to the UE and let the PDN Connectivity Request procedure continue until finalized.

If a failed C2 authorization result is received from the USS, the SMF+PGW-C instead rejects the PDN Connectivity Request and includes a cause code indicating not authorized.

7. If the C2 authorization is successful the USS subscribes via the UAS NF/NEF to a PDN Connection Status Event report for the PDN Connection used for C2 including in the request the GPSI of the UAV. The UAS NF/NEF determines the APN/DNN and uses this APN/DNN to subscribe to SMF+PGW-C for PDN Connection Status Event. The SMF+PGW-C detects, as described in step 6-7 of figure 4.15.3.2.3-1 in TS 23.502 [3], when the PDN Connection is established and sends the PDN Connection Status Event report to the UAS NF/NEF by means of Nsmf_EventExposure_Notify message, including GPSI and UE IP Address. The UAS NF/NEF then forwards the event message to the USS.

8. The USS stores the received UE IP address and invokes, with the received PDN Connection IP address and the IP-address of the authorized paired UAV-C as input, the USS initiated C2 pairing policy configuration in EPS procedure (see figure 5.2.5.4.2-1) to request corresponding traffic to be allowed on the PDN Connection by the PGW-U.

Unless a dedicated QoS is requested for the C2 flows, this procedure does not invoke any interaction with the UE, MME or RAN.

5.2.5.3.2 UE requested bearer resource modification of an existing PDN connection for C2 authorization

C2 authorization is requested at UE requested bearer resource modification (see clause 5.4.5 of TS 23.401 [6]):

– After UUAA-SM is performed and a common PDN Connection is used for connectivity to USS and C2 communication to a UAV-C (as configured in the UAV); or

– If the UE has already established a PDN Connection for C2 communication to a UAV-C.

Figure 5.2.5.3.2-1: UE requested bearer resource modification of an existing PDN connection for C2 authorization

0. The UE establishes a PDN Connection for USS communication as described in clause 5.2.3.

1. When the UAV needs to establish C2 communication, the UAV determines that an existing PDN Connection can be used and initiates a UE requested bearer resource modification procedure as Steps 1 – 3 in Figure 5.4.5-1 of TS 23.401 [6]. In the PCO in the request, the UE includes a Service Level Device Identity (e.g. CAA-Level UAV ID) and shall include a C2 Aviation Payload that includes C2 authorization information. The USS may also use its locally configured pairing information for UAV – UAV-C pairing authorization which takes precedence over UAV provided pairing information. The pairing information includes the Service Level Device Identity (e.g. CAA-level UAV ID) of the requesting UE and also includes identification information of UAV-C to pair if available. The UAV may also include other information such as Flight Authorization information.

NOTE: How the pairing information is configured in the UAV is outside the scope of 3GPP specifications.

2. The SMF+PGW-C determines that authorization is required based on that the APN/DNN of the PDN Connection is dedicated for aerial services (have aerial service indicator set) and that the Service Level Device Identity (CAA-Level UAV ID) is included in the request and then sends a Nnef_Authentication_AuthenticateAuthorize request to the UAS-NF including the UAS information provided by the UAV in step 1 (including the C2 Aviation Payload), the Service Level Device Identity (e.g. CAA-Level UAV ID), GPSI, PDN Connection IP address, and optionally the UAV location (e.g. Cell ID) provided by the MME.

The UAS-NF forwards the received authorization request as a Naf_Authentication_AuthenticateAuthorize request to the USS.

3. The UE requested bearer resource modification procedure completes as in clause 5.4.5-1 of TS 23.401 [6].

4. Triggered by step 5, the USS performs C2 authorization based on the received information and invokes, in order to forward the C2 authorization result to the UAV/UE, the UAV Re-authorization procedure (see figure 5.2.4.4-1) including GPSI, Service Level Device Identity (e.g. CAA-Level UAV-ID) (potentially new) and, included in the authorization message, the C2 Authorization Result and the C2 Authorization Payload (e.g. containing C2 pairing information and C2 security information).

5. The USS invokes, with the received PDN Connection IP address and the IP address of the authorized paired UAV-C as input, the USS initiated pairing policy configuration procedure (see figure 5.2.5.4.2-1) to request corresponding traffic to be allowed on the PDN Connection in the UPF/PGW-U.

Unless a dedicated QoS is requested for the C2 flows, this procedure does not invoke any interaction with the UE, MME or RAN.

5.2.5.4 USS initiated C2 pairing policy configuration

5.2.5.4.1 USS initiated C2 pairing policy configuration in 5GS

The USS initiated C2 pairing policy configuration Figure 5.2.5.4.1-1.

Figure 5.2.5.4.1-1: USS initiated C2 pairing policy configuration in 5GS

0. The UAV is registered in the network and a PDU session is established as specified in clause 5.2.3.2.

1. The USS initiates the PDU Session modification by invoking the Nnef_AFSessionWithQoS_Create request including USS Identity/AF Identifier, UAV-UAVC Pairing info/Flow description(s), QoS reference. The UAV-UAVC Pairing info/Flow description(s) includes the UAV-C IP address. See step 1 in clause 4.15.6.6 of TS 23.502 [3]: Setting up an AF session with required QoS.

2. UAS NF/NEF authorizes the request from the USS followed by interacting with PCF triggering a Npcf_PolicyAuthorization_Create request and provides relevant parameters to the PCF.

PCF determines whether the request is authorized and if the requested QoS is allowed. PCF informs UAS NF/NEF if the request is accepted by invoking Npcf_PolicyAuthorization_Create response. See steps 2 – 4 in figure 4.15.6.6.6-1 of TS 23.502 [3].

3. UAS NF/NEF sends a Nnef_AFsessionWithQoS_Create response message (Transaction Reference ID, Result) to the USS. Result indicates whether the request is granted or not. See step 5 in figure 4.15.6.6.6-1 of TS 23.502 [3].

NOTE: Use of Nnef_AFSessionWithQoS_Create can be further evaluated with stage 3 work.

4. If the PCF determines that the SMF needs updated policy information, the PCF issues a Npcf_SMPolicyControl_UpdateNotify request with updated policy information. The updated policy information includes the UAV-C IP address. See steps 3 – 5 in figure 4.16.5.2-1 of TS 23.502 [3].

5. The PDU Session Modification continues and completes as in steps 2a – 13 in figure 4.3.3.2-1 of TS 23.502 [3], UE or network requested PDU Session Modification (for non-roaming and roaming with local breakout). Based on the updated policy information received, the SMF determines and provides N4 rules to enable communication between UAV and UAV-C, e.g. Packet Detection Rules, Forwarding Action Rules.

6-7. [Optional] The PCF sends Npcf_PolicyAuthorization_Notify message to the UAS NF/NEF when the modification of the transmission resources corresponding to the QoS update succeeded or failed. The UAS NF/NEF transfers this information to the USS by sending Nnef_AFSessionWithQoS_Notify message. See steps 6 and 7 in figure 4.15.6.6-1 of TS 23.502 [3].

5.2.5.4.2 USS initiated C2 pairing policy configuration in EPS

The USS initiated C2 pairing policy configuration in EPS figure 5.2.5.4.2-1.

Figure 5.2.5.4.2-1: USS initiated C2 pairing policy configuration in EPS

0. The UAV is registered in the network and a PDN Connection is established as specified in clause 5.2.3.3.

1. The USS initiates the PDN Connection modification by invoking the Nnef_AFSessionWithQoS_Create request including USS Identity/AF Identifier, Transaction Reference ID, UAV-UAVC Pairing info/Flow description(s), QoS reference. The UAV-UAVC Pairing info/Flow description(s) includes the UAV-C IP address. See step 1 in clause 4.15.6.6 of TS 23.502 [3]: Setting up an AF session with required QoS.

2. UAS NF/NEF authorizes the request from the USS followed by interacting with PCF triggering a Npcf_PolicyAuthorization_Create request and provides relevant parameters to the PCF.

NOTE: Use of Nnef_AFSessionWithQoS_Create can be further evaluated with stage 3 work.

4. If the PCF determines that the SMF+PGW-C needs updated policy information, the PCF issues a Npcf_SMPolicyControl_UpdateNotify request with updated policy information. The updated policy information includes the UAV-C IP address. See steps 3 – 5 in figure 4.16.5.2-1 of TS 23.502 [3].

5. Based on the updated policy information received, the SMF+PGW-C determines and provides N4 rules to enable communication between UAV and UAV-C, e.g. Packet Detection Rules, Forwarding Action Rules.

6. [Conditional] If QoS needs to be updated: Based on the updated policy information received, the SMF+PGW-C determines N4 rules for QoS update and provides to the PGW-U.

Based on the updated policy information received, the SMF+PGW-C invokes the PDN GW initiated bearer modification with bearer QoS update procedure (clause 5.4.2.1 in TS 23.401 [6]) by sending Update Bearer Request message to the SGW. Steps 2 – 11 in clause 5.4.2.1-1 of TS 23.401 [6] are executed to update QoS in the UE and the RAN.

7-8. [Optional] The PCF sends Npcf_PolicyAuthorization_Notify message to the UAS NF/NEF when the modification of the transmission resources corresponding to the QoS update succeeded or failed. The UAS NF/NEF transfers this information to the USS by sending Nnef_AFSessionWithQoS_Notify message. See steps 6 and 7 in figure 4.15.6.6-1 of TS 23.502 [3].