This clause provides brief details of the IAB architecture as background to the rest of the analysis in the present document. A more complete description of the architecture is given in TS 38.401.
The NG-RAN supports multi-hop backhauling for flexible range extension by the IAB-node connecting to the gNB capable of serving the IAB-nodes via NR Uu, named IAB-donor gNB [4].
This clause provides the IAB security architecture diagram and lists the groups of related security aspects.
The IAB security architecture is shown in Figure 4.2-1. The security aspects fall into the following groups:
(A) Authentication, AS, and NAS security of UE.
(B) Security of backhaul-link between Child-node and Parent-node.
(C) Authentication, AS, and NAS security of MT part of IAB-node.
(D) Security of F1*-C between MT/DU part of IAB-node and IAB-donor.
(E) Security of F1*-U between MT/DU part of IAB-node and IAB-donor.
It is assumed that the UE is agnostic to the IAB architecture. Therefore, all security mechanisms between the UE and the network (including UE-RAN and UE-CN) are inherited, i.e., remain unchanged, from TS 33.501. However, the present document could study security aspects between the UE and network that are different from TS 33.501, if any.
Some security mechanisms that are directly related to the present document and inherited from TS 33.501 are listed below:
- Authentication procedures between the UE and the CN.
- AS security mechanism between the UE and the RAN. The key hierarchy is reused for the AS keys. The IAB node is acting as the UE and the IAB donor is acting as the gNB in the key hierarchy.
- NAS security mechanism between the UE and the CN. The key hierarchy is reused for the NAS keys. The IAB node is acting as the UE in the key hierarchy.
- Mobility (handovers, RNA update, and mobility registration update) between the UE and the network (RAN/CN).
- The role of the 5G Core in the IAB architecture is unchanged in the key hierarchy compared to 5GS Rel-15.
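As an added illustration of the reused AS key hierarchy (not text or code from the present document), the following sketch derives the AS keys the way TS 33.501 Annex A.8 specifies, once for the MT part of the IAB-node in the UE role and once for the IAB-donor in the gNB role. The K_gNB value and all function names are constructed for the example.

```python
import hashlib
import hmac

FC_ALG_KEY = 0x69  # FC for algorithm key derivation (TS 33.501 Annex A.8)

# Algorithm type distinguishers for the four AS keys (TS 33.501 Annex A.8)
AS_KEY_TYPES = {"K_RRCenc": 0x03, "K_RRCint": 0x04, "K_UPenc": 0x05, "K_UPint": 0x06}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2): HMAC-SHA-256(key, FC || P0 || L0 || ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Pi is followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_as_key(k_gnb: bytes, distinguisher: int, alg_id: int) -> bytes:
    """Derive one 128-bit AS key from K_gNB for the negotiated algorithm identity."""
    if len(k_gnb) != 32:
        raise ValueError("K_gNB must be 256 bits")
    if not 0 <= alg_id <= 0x0F:
        raise ValueError("algorithm identity is a 4-bit value")
    out = kdf(k_gnb, FC_ALG_KEY, bytes([distinguisher]), bytes([alg_id]))
    return out[-16:]  # the 128 least significant bits of the 256-bit output


def derive_as_keys(k_gnb: bytes, enc_alg: int, int_alg: int) -> dict:
    """Derive the full AS key set; the same routine runs on both ends of the link."""
    keys = {}
    for name, dist in AS_KEY_TYPES.items():
        alg = enc_alg if name.endswith("enc") else int_alg
        keys[name] = derive_as_key(k_gnb, dist, alg)
    return keys


# Constructed sample K_gNB; in a real network it comes from the 5G key hierarchy.
CONSTRUCTED_K_GNB = bytes(range(32))


def demo():
    # The MT part of the IAB-node derives keys in the UE role,
    # the IAB-donor derives them in the gNB role, from the same K_gNB.
    iab_mt = derive_as_keys(CONSTRUCTED_K_GNB, enc_alg=2, int_alg=2)
    iab_donor = derive_as_keys(CONSTRUCTED_K_GNB, enc_alg=2, int_alg=2)
    return iab_mt, iab_donor


if __name__ == "__main__":
    mt, donor = demo()
    for name in AS_KEY_TYPES:
        print(name, mt[name].hex(), "match" if mt[name] == donor[name] else "MISMATCH")
```

Because the algorithm type distinguisher and algorithm identity are inputs to the KDF, each AS key is bound to its purpose and to the negotiated algorithm, so a mismatch in either on the two sides yields different keys.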