K.2 LMR E2EE

3GPP TS 33.180 Release 17: Security of the Mission Critical (MC) service

K.2.1 General

LMR end-to-end security allows the IWF to pass protected media unmodified from the 3GPP system to the LMR system. The LMR end-to-end security mechanisms are out of scope of this document.

This clause assumes a non-3GPP (LMR) layer operating below the 3GPP layer defined in this specification at the UE, and potentially at the IWF. This layer may pass media packets to the 3GPP layer for further processing. The 3GPP layer and the non-3GPP layer act independently of each other.

K.2.2 Interworking E2EE keys and key management

Void.

K.2.3 Interworking E2EE media for MCPTT

Non-3GPP RTP or SRTP packets are generated within the non-3GPP layer of the 3GPP MC UE. The generation method of these media packets within the non-3GPP layer of the 3GPP MC UE is out of scope for this document. The non-3GPP layer may or may not apply non-3GPP security to the media. Any non-3GPP security applied to the media packets within the non-3GPP layer is out of scope for this document. Management of the non-3GPP E2EE interworking keys is defined in clause 11.2.

Once processed by the non-3GPP layer, the packet is passed to the 3GPP application layer for further 3GPP processing. The 3GPP application layer views the packet as an unencrypted RTP stream regardless of whether security has been applied at the non-3GPP layer. If the interworking communication is a private MCPTT call, the 3GPP application layer applies MCPTT private call security to the media packet as defined in clause 7.2. If the interworking communication is a group MCPTT call, the 3GPP application layer applies MCPTT group call security to the media packet as defined in clause 7.3. Once processed by the MC application layer, the media is sent by the MC client to the IWF.

As defined in clause 11.2, the IWF is the 3GPP security endpoint for any private or group call security applied to the interworking RTP packets that are sent to, or received from, the 3GPP system. The IWF applies SeGy security functionality to remove security from the messages sent by the 3GPP system before processing the unencrypted message. Consequently, the IWF processes inbound interworking RTP packets prior to applying SeGy security functionality and sending them into the 3GPP system.

K.2.4 Interworking E2EE media for MCData

Non-3GPP MCData Data payloads sent from a 3GPP MC UE to the IWF are generated within the non-3GPP layer of the 3GPP MC UE. The generation method of the payload within the non-3GPP layer of the 3GPP MC UE is out of scope for this document. The non-3GPP layer may or may not apply MCData security to the payload. Any E2EE non-3GPP security applied to the payload within the non-3GPP layer is out of scope for this document. Management of the non-3GPP E2EE interworking keys is defined in clause 11.2.

For MCData messages sent by the 3GPP system, the non-3GPP layer creates the MCData Data payload and passes it to the 3GPP application layer for further 3GPP processing. The 3GPP application layer views the payload as unencrypted regardless of whether security has been applied at the non-3GPP layer. If the interworking communication is a private MCData communication, the 3GPP application layer applies MCData private communication security to the payload as defined in clause 8. If the interworking communication is a group MCData communication, the 3GPP application layer applies MCData group communication security to the payload as defined in clause 8. Once processed by the MC application layer, the payload is sent by the MC client to the IWF.

As defined in clause 11.2, the IWF is the 3GPP security endpoint for any MCData security applied to the interworking MCData message that is sent to, or received from, the 3GPP system. The IWF applies SeGy security functionality to remove security from the MCData messages sent by the 3GPP system before processing the unencrypted message. Consequently, the IWF processes inbound MCData messages prior to applying SeGy security functionality and sending them into the 3GPP system.
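The layering described in clauses K.2.3 and K.2.4 can be modelled end to end: a non-3GPP (LMR) layer protects the media with a key that no 3GPP entity holds, the 3GPP application layer treats the result as an opaque unencrypted RTP payload and applies call security, and the IWF (as SeGy) removes only the 3GPP-layer protection and forwards the LMR-protected payload unmodified. The following Python is an added illustration and is not code from TS 33.180 or from any MC implementation; the HMAC-SHA256 keystream-plus-tag scheme, the class names (`LmrLayer`, `McpttMediaSecurity`, `IwfSeGy`), the 12-byte header layout and all keys and frames are constructed for the example and stand in for real SRTP and for whatever LMR protection is actually used.

```python
import hashlib
import hmac
from dataclasses import dataclass


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    # Toy PRF: HMAC-SHA256 in counter mode. Stands in for the SRTP cipher; not real SRTP.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class RtpPacket:
    header: bytes   # RTP header: never encrypted, only integrity protected (as in SRTP)
    payload: bytes  # opaque to the 3GPP layer; may already carry LMR protection


class LmrLayer:
    """Non-3GPP layer (out of scope of the spec). Keyed with an LMR key the IWF never holds."""

    def __init__(self, lmr_key: bytes):
        self._key = lmr_key

    def protect(self, voice: bytes, frame_no: int) -> bytes:
        label = b"lmr" + frame_no.to_bytes(4, "big")
        ct = xor_bytes(voice, keystream(self._key, label, len(voice)))
        tag = hmac.new(self._key, label + ct, hashlib.sha256).digest()[:8]
        return frame_no.to_bytes(4, "big") + ct + tag

    def unprotect(self, blob: bytes) -> bytes:
        frame_no = int.from_bytes(blob[:4], "big")
        ct, tag = blob[4:-8], blob[-8:]
        label = b"lmr" + frame_no.to_bytes(4, "big")
        expected = hmac.new(self._key, label + ct, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("LMR integrity check failed")
        return xor_bytes(ct, keystream(self._key, label, len(ct)))


class McpttMediaSecurity:
    """3GPP application layer: applies private/group call security to an RTP packet it
    regards as unencrypted, whatever the layer below did to the payload."""

    def __init__(self, call_key: bytes):
        self._key = call_key

    def protect(self, pkt: RtpPacket) -> bytes:
        label = b"mcptt" + pkt.header  # header carries the sequence number, so labels differ per packet
        ct = xor_bytes(pkt.payload, keystream(self._key, label, len(pkt.payload)))
        tag = hmac.new(self._key, pkt.header + ct, hashlib.sha256).digest()[:10]
        return pkt.header + ct + tag

    def unprotect(self, wire: bytes, header_len: int) -> RtpPacket:
        header, ct, tag = wire[:header_len], wire[header_len:-10], wire[-10:]
        expected = hmac.new(self._key, header + ct, hashlib.sha256).digest()[:10]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("MCPTT call security integrity check failed")
        return RtpPacket(header, xor_bytes(ct, keystream(self._key, b"mcptt" + header, len(ct))))


class IwfSeGy:
    """IWF acting as the 3GPP security endpoint (clause 11.2). It holds the call key only."""

    def __init__(self, call_key: bytes, header_len: int = 12):
        self._mc = McpttMediaSecurity(call_key)
        self._header_len = header_len

    def from_3gpp(self, wire: bytes) -> RtpPacket:
        # Strip 3GPP call security; the LMR-protected payload goes onward unmodified.
        return self._mc.unprotect(wire, self._header_len)

    def to_3gpp(self, pkt: RtpPacket) -> bytes:
        # Inbound from LMR: the RTP packet is processed first, then call security is applied.
        return self._mc.protect(pkt)


def rtp_header(seq: int) -> bytes:
    # Constructed 12-byte RTP header: V=2, PT=0, seq, timestamp 0, SSRC 0x11223344.
    return b"\x80\x00" + seq.to_bytes(2, "big") + (0).to_bytes(4, "big") + b"\x11\x22\x33\x44"


def run_interworking_example() -> dict:
    voice = b"constructed voice frame 0123456789"      # constructed plaintext media
    lmr_key = b"constructed-LMR-key-held-by-LMR-only"  # constructed; not known to the IWF
    call_key = b"constructed-MCPTT-call-key"           # constructed; shared by UE and IWF
    ue_lmr, ue_mc, iwf = LmrLayer(lmr_key), McpttMediaSecurity(call_key), IwfSeGy(call_key)
    lmr_peer = LmrLayer(lmr_key)
    # UE -> IWF -> LMR: LMR layer protects, 3GPP layer protects, IWF strips only the 3GPP layer.
    lmr_blob = ue_lmr.protect(voice, 0)
    wire = ue_mc.protect(RtpPacket(rtp_header(1), lmr_blob))
    toward_lmr = iwf.from_3gpp(wire)
    # LMR -> IWF -> UE: IWF adds 3GPP call security to the LMR-protected packet it received.
    reply_blob = lmr_peer.protect(voice[::-1], 7)
    at_ue = ue_mc.unprotect(iwf.to_3gpp(RtpPacket(rtp_header(2), reply_blob)), 12)
    return {
        "iwf_passes_lmr_payload_unmodified": toward_lmr.payload == lmr_blob,
        "iwf_never_sees_voice": voice not in toward_lmr.payload,
        "lmr_blob_hidden_on_3gpp_wire": lmr_blob not in wire,
        "lmr_peer_recovers_voice": lmr_peer.unprotect(toward_lmr.payload) == voice,
        "ue_recovers_reply_via_lmr_layer": ue_lmr.unprotect(at_ue.payload) == voice[::-1],
    }
```

The checks in `run_interworking_example` are the properties the clause relies on: the IWF forwards exactly the bytes the LMR layer produced, the LMR plaintext is never exposed at the IWF, and tampering with a packet on the 3GPP leg is caught by the SeGy integrity check rather than silently passed into the LMR system.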

Annex L (normative):
MC Security Gateway (SeGy)