9 Security related aspects

37.3403GPPMulti-connectivityNROverall descriptionRelease 17Stage 2TS

MR-DC can only be configured after security activation in the MN.

In EN-DC and NGEN-DC, for bearers terminated in the MN the network configures the UE with KeNB; for bearers terminated in the SN the network configures the UE with S-KgNB. In NE-DC, for bearers terminated in the MN the network configures the UE with KgNB; for bearers terminated in the SN the network configures the UE with S-KeNB. In NR-DC, for bearers terminated in the MN the network configures the UE with KgNB; for bearers terminated in the SN the network configures the UE with S-KgNB.

In NE-DC and NR-DC, a PCell change without KgNB change does not require a S-KeNB change (NE-DC case) or a S-KgNB change (NR-DC case).

In EN-DC, NGEN-DC and NR-DC, for a PSCell change that does not require a KeNB change (i.e. no simultaneous PCell handover in EN-DC and NGEN-DC) or a KgNB change (in NR-DC), S-KgNB key refresh is not required if the PDCP termination point of the SN is not changed. In NE-DC, a PSCell change always requires a S-KeNB change.

In EN-DC, the UE supports the NR security algorithms corresponding to the E-UTRA security algorithms signalled at NAS level and the UE NR AS Security capability is not signalled to the MN over RRC. Mapping from E-UTRA security algorithms to the corresponding NR security algorithms, where necessary, is performed at the MN. The MN sends the complete UE security capabilities including all security capability bits previously received (after mapping, where necessary) to the SN.

An EN-DCcapable UE supporting user plane integrity protection when connected to E-UTRA/EPC (see TS 24.301 [22]) shall support integrity protection for all DRBs (MN and SN terminated) at any data rate, up to and including the highest data rate supported by the UE for both UL and DL. MN and/or SN terminated DRBs can have UP integrity protection activation either on or off, on a per radio bearer basis.

For MR-DC with 5GC, UP integrity protection can be configured on a per radio bearer basis. All DRBs which belong to the same PDU session always have the same UP integrity protection activation, i.e., either on or off:

– For NR-DC: MN and/or SN terminated DRBs of a PDU session can have UP integrity protection activation either on or off. A UE configured to operate in NR-DC shall support integrity protection for all DRBs (MN and SN terminated) at any data rate, up to and including the highest data rate supported by the UE for both UL and DL (see TS 38.300 [3]).

– For NE-DC: MN terminated DRBs of a PDU session can have UP integrity protection activation on; however, in this case, the MN will not at any point offload any DRB of such PDU session to the SN. A UE configured to operate in NE-DC shall support integrity protection for all MN terminated DRBs at any data rate, up to and including the highest data rate supported by the UE’s radio access capabilities for both UL and DL (see TS 38.300 [3]). SN terminated DRBs of a PDU session always have UP integrity protection activation off.

– For NGEN-DC: Both MN terminated and SN terminated DRBs of a PDU session always have UP integrity protection activation off.

In MR-DC with 5GC, the MN sends the complete UE security capabilities to the SN including all NR and E-UTRA security capability bits previously received by the MN from the Core Network or from another NG-RAN node as specified in TS 38.300 [3].

In (NG)EN-DC and NR-DC, if the SCG is deactivated as described in clause 7.13, whether to perform security key update upon SCG activation is up to network implementation.