6.16 Enhanced security support for S2c
3GPP TS 23.402 Release 18: Architecture enhancements for non-3GPP accesses
6.16.1 General
Optionally UE and PDN GW may support integrity protection and/or confidentiality protection of user plane traffic exchanged over the S2c tunnel when the UE is in a trusted non-3GPP access.
6.16.2 Activation of enhanced security for S2c
Figure 6.16.1-1: Enhanced security support activation
1) The UE performs an initial attach procedure to a trusted non-3GPP access with S2c as described in clause 6.3 or performs a handover procedure to a trusted non-3GPP access as specified in clause 8.4.2. At the end of this step the UE is connected to a trusted non-3GPP access via S2c.
2) At any time when the UE is connected to a trusted non-3GPP access the UE or the PDN GW may trigger the creation of a child IPsec Security Association for protecting the traffic sent via the S2c reference point. The child SA is created as specified in RFC 4877 [22]. The child SA may provide user plane integrity protection. Additionally, the same child SA may be used also for user plane confidentiality protection.
3) The PDN GW initiates an IP-CAN session modification procedure to provide to the PCRF new tunnel information.
4) Based on the tunnel information provided by the PDN GW, the PCRF initiates a QoS rules provision procedure to the trusted non-3GPP access indicating the new tunnel information.
NOTE 1: If confidentiality protection is activated, the usage of PCC for per UE and/or per IP flow QoS differentiation in the trusted non-3GPP access is not possible in this Release of the specification.
NOTE 2: If confidentiality protection is activated, in roaming scenarios the traffic collected by the VPLMN for legal interception purposes is encrypted.
NOTE 3: If the establishment of the child IPsec Security Association fails, based on operator’s policies and user’s settings the UE or the PDN GW may terminate the S2c session using the PDN disconnection procedures specified in clause 6.5.
6.16.3 De-activation of enhanced security for S2c
Figure 6.16.2-1: Enhanced security support de-activation
1) The UE and the PDN GW have established enhanced security based on clause 6.16.1. As a result, user plane traffic exchanged through S2c is integrity protected and/or confidentiality protected.
2) At any time the UE or the PDN GW may trigger the removal of a child IPsec Security Association for protecting the traffic sent via the S2c reference point. The child SA is removed as specified in RFC 4877 [22].
NOTE: Integrity protection and/or confidentiality protection can be de-activated also after the handover to another access, and not only from the trusted non-3GPP access in which it was activated.
3) The PDN GW initiates an IP-CAN session modification procedure to provide to the PCRF new tunnel information.
4) Based on the tunnel information provided by the PDN GW, the PCRF initiates a QoS rules provision procedure to the trusted non-3GPP access indicating the new tunnel information.
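The two procedures above (activation in clause 6.16.2, de-activation in clause 6.16.3) can be illustrated with the following Python model. It is an added example and not text or code from TS 23.402: it traces the signalling sequence (CREATE_CHILD_SA per RFC 4877, IP-CAN session modification towards the PCRF, QoS rules provision towards the trusted access), carries the tunnel information the PDN GW reports, derives from the chosen protection whether per-IP-flow QoS differentiation in the trusted access remains possible (NOTE 1 of clause 6.16.2), and models the optional PDN disconnection when child SA establishment fails (NOTE 3). All class, field and message names (`ChildSA`, `TunnelInfo`, `S2cSession`, the string labels in the trace) are this model's own assumptions, not normative parameter names.

```python
"""Model of S2c enhanced-security activation / de-activation (TS 23.402 clause 6.16).

Added example. Message strings and field names are assumptions of this model,
not normative 3GPP or Diameter parameter names.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Protection(Enum):
    NONE = "none"                      # no child SA: plain DSMIPv6 tunnel
    INTEGRITY = "integrity"            # child SA provides integrity protection only
    INTEGRITY_CONF = "integrity+conf"  # the same child SA also provides confidentiality


@dataclass
class ChildSA:
    """Child IPsec SA created between UE and PDN GW (the DSMIPv6 HA) per RFC 4877."""
    spi_inbound: int
    spi_outbound: int
    protection: Protection


@dataclass
class TunnelInfo:
    """Tunnel information the PDN GW reports to the PCRF (modelled fields)."""
    ue_care_of_address: str
    pdn_gw_address: str
    protection: Protection
    spis: List[int] = field(default_factory=list)

    def per_flow_qos_possible(self) -> bool:
        # NOTE 1 of clause 6.16.2: once confidentiality is on, the trusted access
        # cannot inspect the inner IP flows; it can only classify on the outer tunnel.
        return self.protection != Protection.INTEGRITY_CONF


@dataclass
class S2cSession:
    ue_care_of_address: str
    pdn_gw_address: str
    child_sa: Optional[ChildSA] = None
    messages: List[str] = field(default_factory=list)  # trace of the signalling steps
    active: bool = True

    def protection(self) -> Protection:
        return self.child_sa.protection if self.child_sa else Protection.NONE

    def _report_tunnel_info(self) -> TunnelInfo:
        # Steps 3 and 4 of both procedures: PDN GW -> PCRF, then PCRF -> trusted access.
        spis = [self.child_sa.spi_inbound, self.child_sa.spi_outbound] if self.child_sa else []
        info = TunnelInfo(self.ue_care_of_address, self.pdn_gw_address, self.protection(), spis)
        self.messages.append(f"PDN-GW->PCRF IP-CAN session modification({info.protection.value})")
        granularity = "per-flow" if info.per_flow_qos_possible() else "per-tunnel"
        self.messages.append(f"PCRF->trusted-access QoS rules provision({granularity})")
        return info

    def activate(self, sa: ChildSA, sa_established: bool = True,
                 terminate_on_failure: bool = False) -> Optional[TunnelInfo]:
        """Clause 6.16.2 from step 2 onward; sa_established=False models NOTE 3."""
        if not self.active:
            raise RuntimeError("S2c session already disconnected")
        self.messages.append("IKEv2 CREATE_CHILD_SA (RFC 4877)")
        if not sa_established:
            self.messages.append("CREATE_CHILD_SA failed")
            if terminate_on_failure:
                # NOTE 3: operator policy / user settings may tear the S2c session down
                self.messages.append("PDN disconnection (clause 6.5)")
                self.active = False
            return None
        self.child_sa = sa
        return self._report_tunnel_info()

    def deactivate(self) -> TunnelInfo:
        """Clause 6.16.3: remove the child SA and re-report the tunnel information."""
        if self.child_sa is None:
            raise RuntimeError("no child SA to remove")
        self.messages.append("IKEv2 delete child SA (RFC 4877)")
        self.child_sa = None
        return self._report_tunnel_info()


if __name__ == "__main__":
    # Constructed sample addresses, not values from the specification.
    s = S2cSession("2001:db8:1::10", "2001:db8:ffff::1")
    s.activate(ChildSA(0x1001, 0x2001, Protection.INTEGRITY_CONF))
    s.deactivate()
    print("\n".join(s.messages))
```

Running the module prints the six-step trace for an activation with confidentiality followed by a de-activation; the QoS rules provision switches from "per-tunnel" back to "per-flow" once the child SA is removed, which is the practical consequence of NOTE 1.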