3GPP TS 29.255 Release 17, Stage 3: Uncrewed Aerial System Service Supplier (USS) Services
4 Services offered by the USS
4.1 Introduction
Table 4.1-1 summarizes the corresponding APIs defined for this specification.
Table 4.1-1: API Descriptions
Service Name | Clause | Description | OpenAPI Specification File | apiName | Annex
Naf_Authentication | 5.1 | USS Authentication and Authorization Service | TS29255_Naf_Authentication.yaml | naf-auth | A.2
4.2 Naf_Authentication Service
4.2.1 Service Description
4.2.1.1 Overview
The Naf_Authentication service as defined in TS 23.256 [14] is provided by the USS via the Naf service-based interface (see TS 23.256 [14]).
This service:
– allows NF consumers to perform authentication and authorization of the UAV with the USS; and
– notifies NF consumers about reauthentication, reauthorization and revocation.
4.2.1.2 Service Architecture
The Application Function Authentication Service (Naf_Authentication) is part of the Naf service-based interface exhibited by the Application Function (AF) that hosts the USS functionality.
The known NF service consumer of the Naf_Authentication service is the Network Exposure Function (NEF) that hosts the UAS-NF functionality.
Figures 4.2.1.2-1 and 4.2.1.2-2 provide the reference model (in service-based interface representation and in reference point representation), with focus on the USS and the scope of the present specification.
Figure 4.2.1.2-1: Reference architecture for Naf_Authentication service: SBI representation
Figure 4.2.1.2-2: Reference architecture for Naf_Authentication service: reference point representation
The functionalities supported by the USS are listed in clause 4.3.2 of TS 23.256 [14].
4.2.1.3 Network Functions
4.2.1.3.1 Uncrewed Aerial System Service Supplier (USS)
The UAS service supplier (USS) application provides authentication and authorization for the UAV.
The UAS service supplier (USS) allows NF consumers to exchange communication messages needed for authentication and authorization procedure. It also notifies NF consumers about reauthentication, reauthorization or revocation of the UAV.
4.2.1.3.2 NF Service Consumers
The Uncrewed Aerial System network function (UAS NF):
– supports authentication and authorization of the UAV with the USS;
– supports subscription for notification of reauthentication, reauthorization and revocation of the UAV from the USS.
4.2.2 Service Operations
4.2.2.1 Introduction
4.2.2.2 Naf_Authentication_AuthenticateAuthorize Service operation
4.2.2.2.1 General
The Naf_Authentication_AuthenticateAuthorize service operation is used by the NF consumers during the following procedures:
– UUAA-MM and UUAA-SM procedures (see TS 23.256 [14], clause 5.2.2 and clause 5.2.3, respectively);
– C2 authorization (see TS 23.256 [14], clause 5.2.5.2).
4.2.2.2.2 Authentication and Authorization of the UAV
The Naf_Authentication_AuthenticateAuthorize service operation is invoked by an NF Service Consumer (e.g. an NEF (UAS-NF)) towards the USS, when UUAA-MM is done during 5GS registration, UUAA-SM is done during PDU session establishment, or for authorization for C2 (see TS 23.256 [14]).
The NF Service Consumer (e.g. the NEF (UAS-NF)) shall send the authentication message to the USS in an HTTP POST request towards the "request-auth" resource, as shown in Figure 4.2.2.2.2-1.
Figure 4.2.2.2.2-1: AuthenticateAuthorize Service Operation
1. The NF Service Consumer shall send a POST request to the resource with a UAVAuthInfo object in the request body. The UAVAuthInfo data type shall include:
– "gpsi" attribute that carries the GPSI (in the format of External Identifier) of the UAV;
– "serviceLevelId" attribute that carries the Service Level Device Identity of the UAV;
The UAVAuthInfo data type may include:
– "uavLocInfo" attribute that provides the UAV location;
– "notifyUri" attribute that provides the notification URI on which the NF Service Consumer receives notifications related to reauthentication, reauthorization or revocation triggered by the USS; this attribute shall be present in the initial request;
– "notifyCorrId" attribute that carries the notification correlation ID; this attribute shall be present when the "notifyUri" attribute is provided;
– "authMsg" attribute that contains the authentication message based on the authentication method used; it is present in the intermediate round-trip messages and not in the initial request. This attribute is deprecated; the "authContainer" attribute should be used instead;
– "authContainer" attribute (AuthContainer data type) that contains the AA related data provided by the UE (see TS 23.256 [14]). This attribute replaces the deprecated "authMsg" attribute and may contain:
– "authMsgType" attribute that indicates the type of the AA message payload;
– "authMsgPayload" attribute that carries the AA message payload.
NOTE 1: The "authResult" attribute will not be present within the AuthContainer data type, when included within the request sent to USS.
In case of UUAA-SM procedure, the UAVAuthInfo data type may also include:
– "ipAddr" attribute that carries the IP Address associated with the PDU session; and
– "pei" attribute that carries the PEI of the UAV.
2a. If the HTTP request from the NF service consumer is accepted, the USS shall respond with a "200 OK" status code and a response body containing the UAVAuthResponse data type, which shall include the "gpsi" attribute.
If the USS triggers further intermediate round-trip messages, the UAVAuthResponse data type shall include an "authMsg" attribute that contains the authentication message or authorization data.
Otherwise, the UAVAuthResponse data type shall contain the "authResult" attribute. If the UAV is authenticated successfully, the USS shall set the "authResult" attribute to "AUTH_SUCCESS". The "authMsg" and "authResult" attributes are deprecated; the "authContainer" attribute should be used instead. The UAVAuthResponse data type shall include the "authContainer" attribute (AuthContainer data type), which may include:
– AA message payload type within "authMsgType" attribute;
– AA message payload containing the configuration information within "authMsgPayload" attribute;
– AA result within "authResult" attribute, which is set to either "AUTH_SUCCESS" in case of successful AA procedure or to "AUTH_FAIL" in case of failed AA procedure in the final response of the AA procedure.
NOTE 2: The absence of "authResult" attribute within "AuthContainer" data type indicates that the AA procedure is ongoing.
– the "serviceLevelId" attribute containing a new Service Level Device Identity, which is the Service Level Device Identity authorized for the UAV.
The UAVAuthResponse data type may also include:
– the DN authorization profile index within the "authProfIndex" attribute;
– the DN authorized Session-AMBR within the "authSessAmbr" attribute.
2b. If the USS cannot successfully fulfil the received HTTP POST request due to an internal error or an error in the HTTP POST request, the USS shall send the HTTP error response as specified in clause 5.1.7.
If the UAV authentication fails, the USS shall reject the request with an HTTP "403 Forbidden" response including the "cause" attribute of the ProblemDetailsAuthenticateAuthorize data structure set to "FAILED_AUTH". When the service operation is used during a re-authentication procedure and that re-authentication fails, the USS shall also include the "uasResRelInd" attribute in the ProblemDetailsAuthenticateAuthorize data type, indicating whether the UAS service related network resources can be released.
If the USS determines the received HTTP POST request needs to be redirected, the USS shall send an HTTP redirect response as specified in clause 5.2.10 of TS 29.122 [16].
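Worked example of steps 1, 2a and 2b above, seen from the USS side. This is an example added to this page; it is not code from TS 29.255 or from any USS product. The attribute names, the status codes and the "FAILED_AUTH" cause follow clause 4.2.2.2.2. The challenge-response method, the authMsgType names, the base64 encoding of authMsgPayload, the ProblemDetails cause values for malformed requests, the sample GPSI and key, and the uasResRelInd policy are assumptions made for the example.

```python
"""USS-side model of the Naf_Authentication_AuthenticateAuthorize exchange.

Added example, not code from TS 29.255 or from any USS implementation.
Attribute names, status codes and the "FAILED_AUTH" cause follow clause
4.2.2.2.2; the challenge-response method, the authMsgType names, the base64
payload encoding, the ProblemDetails causes for malformed requests and the
sample identities are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed sample data: one UAV known to the USS, keyed by GPSI (External Identifier).
UAV_KEYS = {"uav-001@uas.example.com": b"constructed-secret-for-the-example-only"}

# State of ongoing AA procedures keyed by GPSI, and the GPSIs for which the USS
# has triggered re-authentication (set when it sends a REAUTHENTICATE notification).
PENDING = {}
REAUTH_IN_PROGRESS = set()


def problem(status, cause, **extra):
    """Build (status, ProblemDetails) for an error response (clause 5.1.7)."""
    return status, {"status": status, "cause": cause, **extra}


def auth_failed(gpsi, reauth):
    """403 Forbidden with cause FAILED_AUTH. uasResRelInd is added only when the
    operation is part of a USS-triggered re-authentication; whether the UAS
    resources may be released is USS policy, and True here is an assumption."""
    PENDING.pop(gpsi, None)
    extra = {"uasResRelInd": True} if reauth else {}
    return problem(403, "FAILED_AUTH", **extra)


def handle_request_auth(uav_auth_info):
    """Handle one HTTP POST to the "request-auth" resource (body: UAVAuthInfo).

    Returns (http_status, body): a UAVAuthResponse on 200, otherwise
    ProblemDetails / ProblemDetailsAuthenticateAuthorize.
    """
    gpsi = uav_auth_info.get("gpsi")
    sld_id = uav_auth_info.get("serviceLevelId")
    if not gpsi or not sld_id:
        return problem(400, "MANDATORY_IE_MISSING")      # cause value assumed
    if "notifyUri" in uav_auth_info and "notifyCorrId" not in uav_auth_info:
        return problem(400, "MANDATORY_IE_MISSING")      # notifyCorrId required with notifyUri
    container = uav_auth_info.get("authContainer")
    if container is not None and "authResult" in container:
        return problem(400, "MANDATORY_IE_INCORRECT")    # NOTE 1: never present in a request
    reauth = gpsi in REAUTH_IN_PROGRESS
    if gpsi not in UAV_KEYS:
        return auth_failed(gpsi, reauth)

    if container is None:
        # Initial request: it shall carry notifyUri. Start a round trip by sending
        # a challenge; no authResult in the response means the AA procedure is
        # ongoing (NOTE 2).
        if "notifyUri" not in uav_auth_info:
            return problem(400, "MANDATORY_IE_MISSING")
        nonce = secrets.token_bytes(16)
        PENDING[gpsi] = {"nonce": nonce,
                         "notifyUri": uav_auth_info["notifyUri"],
                         "notifyCorrId": uav_auth_info["notifyCorrId"]}
        return 200, {"gpsi": gpsi,
                     "authContainer": {"authMsgType": "CHALLENGE",
                                       "authMsgPayload": base64.b64encode(nonce).decode()}}

    # Intermediate round trip: verify the UAV's answer to the stored challenge.
    state = PENDING.get(gpsi)
    if state is None or container.get("authMsgType") != "CHALLENGE_RESPONSE":
        return auth_failed(gpsi, reauth)
    try:
        answer = base64.b64decode(container.get("authMsgPayload", ""), validate=True)
    except ValueError:                                   # binascii.Error is a ValueError
        answer = b""
    expected = hmac.new(UAV_KEYS[gpsi], state["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, answer):
        return auth_failed(gpsi, reauth)

    # Final response: AUTH_SUCCESS, the authorized Service Level Device Identity,
    # configuration for the UAV, and the optional DN authorization data.
    PENDING.pop(gpsi)
    REAUTH_IN_PROGRESS.discard(gpsi)
    return 200, {
        "gpsi": gpsi,
        "serviceLevelId": sld_id,
        "authContainer": {"authMsgType": "CONFIG",
                          "authMsgPayload": base64.b64encode(b"c2-config").decode(),
                          "authResult": "AUTH_SUCCESS"},
        "authProfIndex": "uas-profile-1",                # assumed values
        "authSessAmbr": {"uplink": "10 Mbps", "downlink": "50 Mbps"},
    }


def uav_challenge_response(gpsi, challenge_container):
    """What the UAV (relayed by the UE and the UAS-NF) sends back: the AuthContainer
    for the next request-auth POST. Assumed method: HMAC-SHA256 of the nonce
    under the key shared with the USS."""
    nonce = base64.b64decode(challenge_container["authMsgPayload"])
    mac = hmac.new(UAV_KEYS[gpsi], nonce, hashlib.sha256).digest()
    return {"authMsgType": "CHALLENGE_RESPONSE",
            "authMsgPayload": base64.b64encode(mac).decode()}
```

The model consumes the stored challenge on the first verification attempt, so a replayed CHALLENGE_RESPONSE is rejected with 403 rather than silently re-authenticating the UAV; the only difference between a failure during normal UUAA and one during a USS-triggered re-authentication is the presence of "uasResRelInd" in the ProblemDetailsAuthenticateAuthorize body.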
4.2.2.3 Naf_Authentication_Notification Service operation
4.2.2.3.1 General
The Naf_Authentication_Notification service operation is used by the NF consumers during the following procedures:
– USS Initiated Re-authentication and Re-authorization (see TS 23.256 [14], clause 5.2.4);
– USS Initiated Revocation (see TS 23.256 [14], clause 5.2.7).
4.2.2.3.2 Notification for Reauthentication, Reauthorization or Revocation
The Naf_Authentication_Notification service operation is invoked by the USS to inform an NF Service Consumer (e.g. the NEF (UAS-NF)) when the USS triggers reauthentication of the UAV, updates its authorization data or revokes its authorization.
The USS shall send the request as an HTTP POST towards the Notification URI, as shown in Figure 4.2.2.3.2-1.
Figure 4.2.2.3.2-1: UAV Notification Service Operation
1. The USS shall send a POST request towards the Notification URI received in the AuthenticateAuthorize service operation request (see clause 4.2.2.2). The request body shall contain a ReauthRevokeNotify object carrying the reauthentication information, the updated authorization information or the revoke authorization indication. The ReauthRevokeNotify data type shall include:
– the "gpsi" attribute, set to the GPSI (in the format of External Identifier) of the UAV that is to be reauthenticated, reauthorized or revoked;
– the "serviceLevelId" attribute, set to the Service Level Device Identity of the UAV;
– the "notifyCorrId" attribute, set to the same value as the "notifyCorrId" attribute of the UAVAuthInfo data type received in the AuthenticateAuthorize request;
– the "notifyType" attribute, set to REAUTHENTICATE for reauthentication, to REAUTHORIZE for an authorization data update, or to REVOKE for revocation of authorization. If the "notifyType" attribute is set to REAUTHORIZE, the "authMsg" attribute containing the authorization data shall be included. The "authMsg" attribute is deprecated; the "authContainer" attribute, which carries the authorization data, should be used instead.
NOTE: The "authResult" attribute will not be present within the AuthContainer data type when included within the Notification request sent by the USS.
The ReauthRevokeNotify data type may also include:
– the "ipAddr" attribute, carrying the IP Address associated with the PDU session.
2a. On success, "204 No Content" shall be returned without a response body. If the "notifyType" attribute in the request indicated REVOKE, the UAS service related network resources are released.
2b. If the NF service consumer cannot successfully fulfil the received HTTP POST request due to an internal error or an error in the HTTP POST request, the NF service consumer shall send an HTTP error response as specified in clause 5.1.7.
If the NF service consumer determines the received HTTP POST request needs to be redirected, the NF service consumer shall send an HTTP redirect response as specified in clause 5.2.10 of TS 29.122 [16].
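Worked example of steps 1, 2a and 2b above, seen from the receiving NF Service Consumer (UAS-NF) side. This is an example added to this page; it is not code from TS 29.255 or from any NEF product. The attribute names, the notifyType values and the 204 response follow clause 4.2.2.3.2; the subscription store that remembers the "notifyCorrId" issued in the earlier AuthenticateAuthorize request, the resource bookkeeping, the scoping of a REVOKE by "ipAddr", the ProblemDetails cause values and the sample identities are assumptions made for the example. The check a practitioner wants here is the one in the middle of the handler: a notification is acted on only if its "notifyCorrId" is one this consumer issued and it names the same UAV, since the Notification URI is reachable by whoever can reach the UAS-NF.

```python
"""UAS-NF (NEF) side model of the Naf_Authentication_Notification exchange.

Added example, not code from TS 29.255 or from any NEF implementation. The
attribute names, notifyType values and the 204 response follow clause
4.2.2.3.2; the subscription store, the resource bookkeeping, the ProblemDetails
cause values and the sample identities are assumptions made for this example.
"""

# Constructed state: what the UAS-NF stored when it sent the initial
# AuthenticateAuthorize request that carried notifyUri and notifyCorrId.
SUBSCRIPTIONS = {
    "corr-1": {"gpsi": "uav-001@uas.example.com", "serviceLevelId": "SLD-1",
               "pduSessions": {"10.0.0.5", "10.0.0.6"}},   # PDU sessions by UAV IP address
}
ACTIONS = []          # what the handler decided, in order (inspected by the test)
NOTIFY_TYPES = {"REAUTHENTICATE", "REAUTHORIZE", "REVOKE"}


def problem(status, cause):
    """Build (status, ProblemDetails) for an error response (clause 5.1.7)."""
    return status, {"status": status, "cause": cause}


def handle_notification(notify):
    """Handle one HTTP POST to the Notification URI (body: ReauthRevokeNotify).

    Returns (http_status, body); a 204 carries no body.
    """
    for attr in ("gpsi", "serviceLevelId", "notifyCorrId", "notifyType"):
        if attr not in notify:
            return problem(400, "MANDATORY_IE_MISSING")  # cause value assumed
    if notify["notifyType"] not in NOTIFY_TYPES:
        return problem(400, "MANDATORY_IE_INCORRECT")

    # Bind the notification to a request this consumer really made: the
    # correlation ID must be one we issued and must refer to the same UAV.
    # Without this check anyone who can POST to the notification URI could
    # revoke or force re-authentication of an arbitrary UAV. (Authenticating
    # the USS at transport level is a separate requirement not modelled here.)
    sub = SUBSCRIPTIONS.get(notify["notifyCorrId"])
    if sub is None or sub["gpsi"] != notify["gpsi"]:
        return problem(404, "SUBSCRIPTION_NOT_FOUND")    # cause value assumed

    gpsi, ntype = notify["gpsi"], notify["notifyType"]
    if ntype == "REAUTHORIZE":
        # Updated authorization data shall be present: authContainer, or the
        # deprecated authMsg from an older peer.
        data = notify.get("authContainer", notify.get("authMsg"))
        if data is None:
            return problem(400, "MANDATORY_IE_MISSING")
        if isinstance(data, dict) and "authResult" in data:
            return problem(400, "MANDATORY_IE_INCORRECT")  # NOTE: no authResult in notifications
        ACTIONS.append(("reauthorize", gpsi, data))
    elif ntype == "REAUTHENTICATE":
        # The UAS-NF now runs AuthenticateAuthorize again towards the USS.
        ACTIONS.append(("reauthenticate", gpsi))
    else:  # REVOKE: release the UAS service related network resources (step 2a)
        # Assumption: an ipAddr scopes the release to that PDU session,
        # otherwise all PDU sessions of the UAV are released.
        if "ipAddr" in notify:
            released = {notify["ipAddr"]} & sub["pduSessions"]
        else:
            released = set(sub["pduSessions"])
        sub["pduSessions"] -= released
        ACTIONS.append(("revoke", gpsi, sorted(released)))
    return 204, None
```

Malformed bodies and unknown or mismatched correlation IDs are answered with a ProblemDetails error as step 2b requires, before any resource is touched; only a notification that passes the binding check changes the UAS-NF's state.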