8.6 Encryption
3GPP TS 43.318 Generic Access Network (GAN) Release 17 Stage 2
All control and user plane traffic over the Up interface shall be sent through the IPsec tunnel that is established as a result of the authentication procedure. Encryption shall use the negotiated cryptographic algorithm, based on core network policy, enforced by the GANC-SEGW.
The MS and GANC-SEGW set up one Secure Association through which all traffic is sent. A single negotiated ciphering algorithm is applied to the connection.
8.6.1 Establishment of a Secure Association
After the authentication procedure (clause 8.5), the MS shall request an IP address on the network protected by the GANC-SEGW (i.e. the public IP interface of the GANC). The MS shall set up one IPsec Security Association (SA) between MS and GANC-SEGW.
The MS shall initiate the creation of the SA, i.e. it shall act as initiator in the Traffic Selector negotiation. The protocol ID field in the Traffic Selectors (TS) shall be set to zero, indicating that the protocol ID is not relevant. The IP address range in the TSi shall be set to the address assigned to the MS (within the network protected by the GANC-SEGW). The IP address range in the TSr shall be set to 0.0.0.0 – 255.255.255.255. The MS and GANC-SEGW shall use the IKEv2 mechanisms for detection of NAT, NAT traversal and keep-alive.
All control and user plane data over the Up interface between MS and GANC shall be sent through the SA.
The ciphering mode is negotiated during connection establishment. During setup of the SA, the MS includes a list of supported encryption algorithms as part of the IKE signalling, which includes the mandatory and supported optional algorithms defined in the IPsec profile, and NULL encryption. The GANC-SEGW selects one of these algorithms, and signals this to the MS.
When NULL encryption is applied, both control and user-plane traffic is sent unencrypted. This configuration can be selected e.g. when the connection between the generic IP access network and the GANC is under operator control. The integrity algorithm is the same for either configuration, i.e. non-ciphered traffic is still integrity protected.
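The negotiation described in clause 8.6.1, modelled as an added example (not 3GPP text or any GANC/MS implementation): the MS builds its Traffic Selectors and encryption proposal, the GANC-SEGW picks one algorithm under a constructed core network policy, and a defender-side audit flags NULL encryption on an access network that is not operator controlled. The transform IDs are the IANA IKEv2 values; AES-CBC as the mandatory algorithm and 3DES as the optional one are assumptions, not taken from the IPsec profile.

```python
# IKEv2 transform IDs from the IANA registry (RFC 7296).
ENCR_3DES = 3          # assumed "optional" algorithm of the IPsec profile
ENCR_NULL = 11         # NULL encryption, always offered by the MS
ENCR_AES_CBC = 12      # assumed "mandatory" algorithm of the IPsec profile
AUTH_HMAC_SHA1_96 = 2  # integrity transform, applied in both configurations
ANY_PROTOCOL = 0       # TS protocol ID "not relevant"


def build_traffic_selectors(ms_inner_addr: str) -> dict:
    """TSi/TSr as the MS (initiator) proposes them for the single Up SA."""
    return {
        "TSi": {"proto": ANY_PROTOCOL, "start": ms_inner_addr, "end": ms_inner_addr},
        "TSr": {"proto": ANY_PROTOCOL, "start": "0.0.0.0", "end": "255.255.255.255"},
    }


def ms_proposal(optional_algs=(ENCR_3DES,)) -> list:
    """Encryption list the MS offers: mandatory, supported optional, then NULL."""
    return [ENCR_AES_CBC, *optional_algs, ENCR_NULL]


def segw_select(proposal, allow_null: bool,
                preferred=(ENCR_AES_CBC, ENCR_3DES)) -> dict:
    """GANC-SEGW choice under a constructed policy: NULL only when the
    operator has flagged the access network as under its control; integrity
    is always selected, so non-ciphered traffic stays integrity protected."""
    if allow_null and ENCR_NULL in proposal:
        encr = ENCR_NULL
    else:
        encr = next((a for a in preferred if a in proposal), None)
        if encr is None:
            raise ValueError("no acceptable confidentiality algorithm proposed")
    return {"encr": encr, "integ": AUTH_HMAC_SHA1_96}


def audit_sa(sa: dict, allow_null: bool) -> list:
    """Defender-side check on a negotiated SA; empty list means no finding."""
    findings = []
    if sa.get("encr") == ENCR_NULL and not allow_null:
        findings.append("NULL encryption selected over untrusted access network")
    if sa.get("integ") is None:
        findings.append("no integrity algorithm negotiated")
    return findings
```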