Content for  TS 24.502  Word version:  19.0.0

The purpose of the IKE SA deletion procedure via untrusted non-3GPP access and trusted non-3GPP access is to close the IKE SA between the UE and the N3IWFfor untrusted non-3GPP access and the TNGF for trusted non-3GPP access. In addition, deleting the IKE SA implicitly closes any remaining signalling IPsec child SAs and user plane IPsec child SAs associated with IKE SA. This procedure shall be initiated either by the N3IWF, TNGF or by the UE. The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access initiate this procedure in the following cases:

1. N1 NAS signalling connection release;
2. N3IWF-initiated and TNGF-initiated IKE SA rekeying procedure failure;
3. N3IWF-initiated and TNGF-intiated IKE SA rekeying procedure completion
4. upon receipt of an INITIAL_CONTACT notification as specified in RFC 7296; and
5. upon detecting an error in a response packet as specified in RFC 7296.

The UE initiates this procedure in the following cases:

1. UE-initiated IKE SA rekeying procedure failure;
2. UE-initiated IKE SA rekeying procedure completion;
3. upon receipt of an INITIAL_CONTACT notification as specified in RFC 7296; and
4. upon detecting an error in a response packet as specified in RFC 7296.

The purpose of the user plane IPsec SA creation procedure is to establish a child SA associating to the QoS flows of the PDU session. This procedure shall be initiated by the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access. One user plane IPsec SA can be associated with one or more QoS flows of the PDU session. During PDU session establishment or PDU session modification via:

1. untrusted non-3GPP access, the N3IWF; or
2. trusted non-3GPP access, the TNGF,

shall determine the number of user plane IPsec child SAs to establish and the QoS profiles associated with each child SA based on local policies, configuration and the QoS profiles received from the network.

The N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall initiate the child SA creation procedure by sending a CREATE_CHILD_SA request message to the UE as specified in RFC 7296. The CREATE_CHILD_SA request message shall include:

1. a UP_IP4_ADDRESS notify payload or a UP_IP6_ADDRESS notify payload;
2. 5G_QOS_INFO Notify payload as specified in clause 9.3.1.1, which contains:
   1. PDU session ID;
   2. zero or more QFIs;
   3. optionally a DSCP value;
   4. an indication of whether the child SA is the default child SA. For a given PDU session ID, there shall be one and only one default child SA; and
   5. if trusted non-3GPP access, Additional QoS Information or if untrusted non-3GPP access, optionally Additional QoS Information; and
3. the Traffic Selector (TS) set to match all packets as specified in RFC 7296.

The IKE CREATE_CHILD_SA request message also contains the SA payload for the requested child SA.

If the UE accepts the CREATE_CHILD_SA request message with a 5G_QOS_INFO Notify payload: in the 5G_QOS_INFO Notify payload; and Any IKEv2 Notify payload indicating an error shall not be included in the CREATE_CHILD_SA response message.

If a user plane IPsec SA establishment for a PDU session is not accepted by the UE, the UE shall send a CREATE_CHILD_SA response message to the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access with a Notify payload with error type. For trusted non-3GPP access, if the UE fails to reserve QoS resources over non-3GPP access for the child SA associated with the QoS flows according to the Additional QoS information in the 5G_QOS_INFO Notify payload, the UE shall include a Notify payload with a Private Notify Message Error Type "NO_RESOURCES_OVER_N3GPP" as defined in clause 9.2.4.2 in the CREATE_CHILD_SA response message. For untrusted non-3GPP access, if the UE attempts to reserve QoS resources over non-3GPP access for the child SA associated with the QoS flows according to the Additional QoS information in the 5G_QOS_INFO Notify payload but fails the reservation, the UE shall include a Notify payload with a Private Notify Message Error Type "NO_RESOURCES_OVER_N3GPP" as defined in clause 9.2.4.2 in the CREATE_CHILD_SA response message. Upon receiving the CREATE_CHILD_SA response message with a Notify payload of error type:

• if PDU session establishment over non-3GPP access requires single user plane SA IPsec SA creation, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access shall stop user plane SA IPsec SA creation procedure and indicate the failure for PDU session establishment over non-3GPP access.
• if PDU session establishment or PDU session modification over non-3GPP access requires multiple user plane SA IPsec SA creation, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access may choose to continue user plane SA IPsec SA creation procedure for other user plane IPsec SAs, or stop user plane SA IPsec SA creation procedure and indicate the failure for PDU session establishment or PDU session modification over non-3GPP access.
• If the UE is being treated as a UE with MPS priority (e.g., as identified in clause 7.3.2.1 or 7.3A.2.2) based on operator policy, the N3IWF for untrusted non-3GPP access and the TNGF for trusted non-3GPP access may retry the Child SA creation without the Additional QoS Information.

If the UE receives a CREATE_CHILD_SA request message containing a USE_TRANSPORT_MODE notification, the UE shall send a CREATE_CHILD_SA response message to the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access without including the USE_TRANSPORT_MODE notification as specified in RFC 7296.

Apart from the cases specified in RFC 7296, no abnormal cases have been identified.