Access to the 3GPP Evolved Packet Core (EPC) via non-3GPP access networks

3GPP TS 24.302 V9.7.0 (2011-09)
Technical Specification
3rd Generation Partnership Project;
Technical Specification Group Core Network and Terminals;
Access to the 3GPP Evolved Packet Core (EPC)
via non-3GPP access networks;
Stage 3
(Release 9)


	 EMBED Word.Picture.8  
The present document has been developed within the 3rd Generation Partnership Project (3GPP TM) and may be further elaborated for the purposes of 3GPP.	
The present document has not been subject to any approval process by the 3GPP Organizational Partners and shall not be implemented.	
This Specification is provided for future development work within 3GPP only. The Organizational Partners accept no liability for any use of this Specification.
Specifications and reports for implementation of the 3GPP TM system should be obtained via the 3GPP Organizational Partners' Publications Offices.


Keywords
access, packet mode, UMTS, LTE

3GPP
Postal address

3GPP support office address
650 Route des Lucioles - Sophia Antipolis
Valbonne - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Internet
http://www.3gpp.org

Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© 2011, 3GPP Organizational Partners (ARIB, ATIS, CCSA, ETSI, TTA, TTC).
All rights reserved.

UMTS™ is a Trade Mark of ETSI registered for the benefit of its members
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners
LTE™ is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners
GSM® and the GSM logo are registered and owned by the GSM Association
Contents
 TOC \o "1-9" Foreword	 PAGEREF _Toc304988714 \h 7
1	Scope	 PAGEREF _Toc304988715 \h 8
2	References	 PAGEREF _Toc304988716 \h 8
3	Definitions, symbols and abbreviations	 PAGEREF _Toc304988717 \h 10
3.1	Definitions	 PAGEREF _Toc304988718 \h 10
3.2	Abbreviations	 PAGEREF _Toc304988719 \h 11
4	General	 PAGEREF _Toc304988720 \h 12
4.1	Trusted and untrusted accesses	 PAGEREF _Toc304988721 \h 12
4.2	cdma2000® HRPD Access System	 PAGEREF _Toc304988722 \h 12
4.3	WiMAX Access System	 PAGEREF _Toc304988723 \h 12
4.4	Identities	 PAGEREF _Toc304988724 \h 12
4.4.1	User identities	 PAGEREF _Toc304988725 \h 12
4.4.2	Identification of IP Services/PDN connections	 PAGEREF _Toc304988726 \h 13
4.4.3	FQDN for ePDG Selection	 PAGEREF _Toc304988727 \h 13
4.4.4 	Access Network Identity	 PAGEREF _Toc304988728 \h 13
5	Network Discovery and Selection	 PAGEREF _Toc304988729 \h 13
5.1	Access network discovery and selection procedures	 PAGEREF _Toc304988730 \h 13
5.1.1	General	 PAGEREF _Toc304988731 \h 13
5.1.2	Access network discovery procedure	 PAGEREF _Toc304988732 \h 13
5.1.2.1	Triggering the discovery of operator preferred access networks with the ANDSF	 PAGEREF _Toc304988733 \h 13
5.1.2.2	Discovering availability of access networks	 PAGEREF _Toc304988734 \h 14
5.1.3	Access network selection procedure	 PAGEREF _Toc304988735 \h 14
5.1.3.1	General	 PAGEREF _Toc304988736 \h 14
5.1.3.2	Specific intra-technology access network selection	 PAGEREF _Toc304988737 \h 14
5.1.3.2.1	cdma2000® HRPD access network selection	 PAGEREF _Toc304988738 \h 14
5.1.3.2.2	WiMAX NAP selection	 PAGEREF _Toc304988739 \h 14
5.2	EPC network selection	 PAGEREF _Toc304988740 \h 14
5.2.1	General	 PAGEREF _Toc304988741 \h 14
5.2.2	Generic EPC network selection procedure	 PAGEREF _Toc304988742 \h 15
5.2.2.1	Identification of the EPC	 PAGEREF _Toc304988743 \h 15
5.2.2.2	Selection at switch-on or recovery from lack of coverage	 PAGEREF _Toc304988744 \h 15
5.2.2.2.1	UE selection modes	 PAGEREF _Toc304988745 \h 15
5.2.2.2.2	Manual EPC network selection	 PAGEREF _Toc304988746 \h 15
5.2.2.2.3	Automatic EPC network selection	 PAGEREF _Toc304988747 \h 15
5.2.3	Access technology specific EPC network selection procedures	 PAGEREF _Toc304988748 \h 15
5.2.3.1	EPC network selection procedures for WiMAX	 PAGEREF _Toc304988749 \h 15
5.2.3.1.1	Identification of the EPC by the WiMAX access network	 PAGEREF _Toc304988750 \h 15
5.2.3.1.2	Selection at switch-on or recovery from lack of coverage	 PAGEREF _Toc304988751 \h 15
5.3	Access Network reselection	 PAGEREF _Toc304988752 \h 16
5.3.1	General	 PAGEREF _Toc304988753 \h 16
5.3.2	UE procedures	 PAGEREF _Toc304988754 \h 16
5.3.3	EPC procedures	 PAGEREF _Toc304988755 \h 16
5.3.4	Periodic EPC network reselection attempts	 PAGEREF _Toc304988756 \h 16
6	UE – EPC Network protocols	 PAGEREF _Toc304988757 \h 17
6.1	General	 PAGEREF _Toc304988758 \h 17
6.2	Trusted and Untrusted Accesses	 PAGEREF _Toc304988759 \h 17
6.2.1	General	 PAGEREF _Toc304988760 \h 17
6.2.2	Pre-configured policies in the UE	 PAGEREF _Toc304988761 \h 17
6.2.3	Dynamic Indication	 PAGEREF _Toc304988762 \h 17
6.2.4	No trust relationship information	 PAGEREF _Toc304988763 \h 17
6.3	IP Mobility Mode Selection	 PAGEREF _Toc304988764 \h 18
6.3.1	General	 PAGEREF _Toc304988765 \h 18
6.3.2	Static configuration of inter-access mobility mechanism	 PAGEREF _Toc304988766 \h 18
6.3.3	Dynamic configuration of inter-access mobility mechanism	 PAGEREF _Toc304988767 \h 18
6.3.3.0	General	 PAGEREF _Toc304988768 \h 18
6.3.3.1	IPMS indication	 PAGEREF _Toc304988769 \h 18
6.3.3.1.1	IPMS indication from UE to 3GPP AAA server	 PAGEREF _Toc304988770 \h 18
6.3.3.1.2	IPMS indication from 3GPP AAA server to UE	 PAGEREF _Toc304988771 \h 19
6.4	Authentication and authorization for accessing EPC via a trusted non-3GPP access network	 PAGEREF _Toc304988772 \h 19
6.4.1	General	 PAGEREF _Toc304988773 \h 19
6.4.2	UE procedures	 PAGEREF _Toc304988774 \h 20
6.4.2.1	Identity Management	 PAGEREF _Toc304988775 \h 20
6.4.2.2	EAP-AKA and EAP-AKA' based Authentication	 PAGEREF _Toc304988776 \h 20
6.4.2.3	Full Authentication and Fast Re-authentication	 PAGEREF _Toc304988777 \h 20
6.4.2.4	Handling of the Access Network Identity	 PAGEREF _Toc304988778 \h 21
6.4.2.4.1	General	 PAGEREF _Toc304988779 \h 21
6.4.2.4.2	ANID indication from 3GPP AAA server to UE	 PAGEREF _Toc304988780 \h 21
6.4.2.4.3	UE check of ANID for HRPD CDMA 2000® access networks	 PAGEREF _Toc304988781 \h 21
6.4.2.4.4	UE check of ANID for WiMAX access networks	 PAGEREF _Toc304988782 \h 21
6.4.2.4.5	UE check of ANID for WLAN access networks	 PAGEREF _Toc304988783 \h 21
6.4.2.4.6	UE check of ANID for ETHERNET access networks	 PAGEREF _Toc304988784 \h 22
6.4.3	3GPP AAA server procedures	 PAGEREF _Toc304988785 \h 22
6.4.3.1	Identity Management	 PAGEREF _Toc304988786 \h 22
6.4.3.2	EAP-AKA and EAP-AKA' based Authentication	 PAGEREF _Toc304988787 \h 22
6.4.3.3	Full authentication and Fast Re-authentication	 PAGEREF _Toc304988788 \h 22
6.4.4	Multiple PDN support for trusted non-3GPP access	 PAGEREF _Toc304988789 \h 22
6.5	Authentication and authorization for accessing EPC via an untrusted non-3GPP access network	 PAGEREF _Toc304988790 \h 23
6.5.1	General	 PAGEREF _Toc304988791 \h 23
6.5.2	Full authentication and authorization	 PAGEREF _Toc304988792 \h 23
6.5.2.1	General	 PAGEREF _Toc304988793 \h 23
6.5.2.2	UE procedures	 PAGEREF _Toc304988794 \h 24
6.5.2.3	3GPP AAA server procedures	 PAGEREF _Toc304988795 \h 24
6.5.3	Multiple PDN support for untrusted non-3GPP access network	 PAGEREF _Toc304988796 \h 24
6.6	UE - 3GPP EPC (cdma2000® HRPD Access)	 PAGEREF _Toc304988797 \h 25
6.6.1	General	 PAGEREF _Toc304988798 \h 25
6.6.2	Non-emergency case	 PAGEREF _Toc304988799 \h 25
6.6.2.1	General	 PAGEREF _Toc304988800 \h 25
6.6.2.2	UE identities	 PAGEREF _Toc304988801 \h 25
6.6.2.3	cdma2000® HRPD access network identity	 PAGEREF _Toc304988802 \h 25
6.6.2.4	PLMN system selection	 PAGEREF _Toc304988803 \h 25
6.6.2.5	Trusted and untrusted accesses	 PAGEREF _Toc304988804 \h 25
6.6.2.6	IP mobility mode selection	 PAGEREF _Toc304988805 \h 26
6.6.2.7	Authentication and authorization for accessing EPC	 PAGEREF _Toc304988806 \h 26
6.6.3	Emergency case	 PAGEREF _Toc304988807 \h 26
6.6.3.1	General	 PAGEREF _Toc304988808 \h 26
6.6.3.2	UE identities	 PAGEREF _Toc304988809 \h 26
6.6.3.3	Authentication and authorization for accessing EPC	 PAGEREF _Toc304988810 \h 26
6.7	UE - 3GPP EPC (WiMAX Access)	 PAGEREF _Toc304988811 \h 26
6.7.1	General	 PAGEREF _Toc304988812 \h 26
6.7.2	Non-emergency case	 PAGEREF _Toc304988813 \h 27
6.7.2.1	General	 PAGEREF _Toc304988814 \h 27
6.7.2.2	UE identities	 PAGEREF _Toc304988815 \h 27
6.7.2.3	WiMAX access network identity	 PAGEREF _Toc304988816 \h 27
6.7.2.4	Selection of the Network Service Provider	 PAGEREF _Toc304988817 \h 27
6.7.2.5	Trusted and untrusted accesses	 PAGEREF _Toc304988818 \h 27
6.7.2.6	IP mobility mode selection	 PAGEREF _Toc304988819 \h 27
6.7.2.7	Authentication and authorization for accessing EPC	 PAGEREF _Toc304988820 \h 27
6.7.3	Emergency case	 PAGEREF _Toc304988821 \h 27
6.8	Communication over the S14	 PAGEREF _Toc304988822 \h 27
6.8.1	General	 PAGEREF _Toc304988823 \h 27
6.8.2	Interaction with the Access Network Discovery and Selection Function	 PAGEREF _Toc304988824 \h 28
6.8.2.1	General	 PAGEREF _Toc304988825 \h 28
6.8.2.2	UE procedures	 PAGEREF _Toc304988826 \h 28
6.8.2.2.1	UE discovering the ANDSF	 PAGEREF _Toc304988827 \h 28
6.8.2.2.1A	ANDSF communication security	 PAGEREF _Toc304988828 \h 29
6.8.2.2.2	Role of UE for Push model	 PAGEREF _Toc304988829 \h 29
6.8.2.2.3	Role of UE for Pull model	 PAGEREF _Toc304988830 \h 30
6.8.2.2.4	UE using information provided by ANDSF	 PAGEREF _Toc304988831 \h 30
6.8.2.2.4.1	General	 PAGEREF _Toc304988832 \h 30
6.8.2.2.4.2	Use of Inter-system Mobility Policy	 PAGEREF _Toc304988833 \h 30
6.8.2.2.4.3	Use of Access Network Discovery Information	 PAGEREF _Toc304988834 \h 30
6.8.2.3	ANDSF procedures	 PAGEREF _Toc304988835 \h 31
6.8.2.3.1	General	 PAGEREF _Toc304988836 \h 31
6.8.2.3.2	Role of ANDSF for Push model	 PAGEREF _Toc304988837 \h 31
6.8.2.3.3	Role of ANDSF for Pull model	 PAGEREF _Toc304988838 \h 31
6.9	Handling of Protocol Configuration Options information	 PAGEREF _Toc304988839 \h 31
7	Tunnel management procedures	 PAGEREF _Toc304988840 \h 32
7.1	General	 PAGEREF _Toc304988841 \h 32
7.2	UE procedures	 PAGEREF _Toc304988842 \h 32
7.2.1	Selection of the ePDG	 PAGEREF _Toc304988843 \h 32
7.2.2	Tunnel establishment	 PAGEREF _Toc304988844 \h 33
7.2.3	Tunnel modification	 PAGEREF _Toc304988845 \h 34
7.2.4	Tunnel disconnection	 PAGEREF _Toc304988846 \h 34
7.2.4.1	UE initiated disconnection	 PAGEREF _Toc304988847 \h 34
7.2.4.2	UE behaviour towards ePDG initiated disconnection	 PAGEREF _Toc304988848 \h 35
7.3	3GPP AAA server procedures	 PAGEREF _Toc304988849 \h 35
7.4	ePDG procedures	 PAGEREF _Toc304988850 \h 35
7.4.1	Tunnel establishment	 PAGEREF _Toc304988851 \h 35
7.4.2	Tunnel modification	 PAGEREF _Toc304988852 \h 36
7.4.3	Tunnel disconnection	 PAGEREF _Toc304988853 \h 36
7.4.3.1	ePDG initiated disconnection	 PAGEREF _Toc304988854 \h 36
7.4.3.2	ePDG behaviour towards UE initiated disconnection	 PAGEREF _Toc304988855 \h 37
8	PDUs and parameters specific to the present document	 PAGEREF _Toc304988856 \h 37
8.1	3GPP specific coding information defined within present document	 PAGEREF _Toc304988857 \h 37
8.1.1	Access Network Identity format and coding	 PAGEREF _Toc304988858 \h 37
8.1.1.1	Generic format of the Access Network Identity	 PAGEREF _Toc304988859 \h 37
8.1.1.2	Definition of Access Network Identities for Specific Access Networks	 PAGEREF _Toc304988860 \h 37
8.2	IETF RFC coding information defined within present document	 PAGEREF _Toc304988861 \h 38
8.2.1	IPMS attributes	 PAGEREF _Toc304988862 \h 38
8.2.1.1	AT_IPMS_IND attribute	 PAGEREF _Toc304988863 \h 38
8.2.1.2	AT_IPMS_RES attribute	 PAGEREF _Toc304988864 \h 39
8.2.2	Access Network Identity indication attribute	 PAGEREF _Toc304988865 \h 40
8.2.2.1	Access Network Identity in the AT_KDF_INPUT attribute	 PAGEREF _Toc304988866 \h 40
8.2.3	Trust relationship indication attribute	 PAGEREF _Toc304988867 \h 40
8.2.3.1	AT_TRUST_IND attribute	 PAGEREF _Toc304988868 \h 40
8.2.4	IKEv2 Configuration Payloads attributes	 PAGEREF _Toc304988869 \h 40
8.2.4.1	HOME_AGENT_ADDRESS attribute	 PAGEREF _Toc304988870 \h 40
Annex A (informative):	Example signalling flows for inter-system change between 3GPP and non-3GPP systems using ANDSF	 PAGEREF _Toc304988871 \h 42
A.1	Scope of signalling flows	 PAGEREF _Toc304988872 \h 42
A.2	Signalling flow for inter-system change between 3GPP access network and non-3GPP access network	 PAGEREF _Toc304988873 \h 42
Annex B (informative):	Assignment of Access Network Identities in 3GPP	 PAGEREF _Toc304988874 \h 45
B.1	Access Network Identities	 PAGEREF _Toc304988875 \h 45
Annex C (informative):	Example usage of ANDSF	 PAGEREF _Toc304988876 \h 46
C.1	Scope of ANDSF Example	 PAGEREF _Toc304988877 \h 46
C.2	Organization of ANDSF Coverage Map for WiMAX Network discovery	 PAGEREF _Toc304988878 \h 46
C.3	Parameters in Pull mode	 PAGEREF _Toc304988879 \h 46
Annex D (informative):	Mismatch of static configuration of mobility mechanism in the UE and in the network	 PAGEREF _Toc304988880 \h 47
Annex E (informative):	UE procedures based on preconfigured and received information	 PAGEREF _Toc304988881 \h 49
Annex F (informative):	Change history	 PAGEREF _Toc304988882 \h 52

Foreword
This Technical Specification has been produced by the 3rd Generation Partnership Project (3GPP).
The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows:
Version x.y.z
where:
x	the first digit:
1	presented to TSG for information;
2	presented to TSG for approval;
3	or greater indicates TSG approved document under change control.
y	the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc.
z	the third digit is incremented when editorial only changes have been incorporated in the document.
1	Scope
The present document specifies the discovery and network selection procedures for access to 3GPP Evolved Packet Core (EPC) via non-3GPP access networks and includes Authentication and Access Authorization using Authentication, Authorization and Accounting (AAA) procedures used for the interworking of the 3GPP EPC and the non-3GPP access networks.
The present document also specifies the Tunnel management procedures used for establishing an end-to-end tunnel from the UE to the ePDG to the point of obtaining IP connectivity and includes the selection of the IP mobility mode.
The non-3GPP access networks considered in this present document are cdma2000® HRPD and Worldwide Interoperability for Microwave Access (WiMAX), and any access technologies covered in 3GPP TS 23.402 [6]. These non-3GPP access networks can be trusted or untrusted access networks.
The present document is applicable to the UE and the network. In this technical specification the network is the 3GPP EPC.
NOTE:	cdma2000® is a registered trademark of the Telecommunications Industry Association (TIA-USA).
2	References
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
References are either specific (identified by date of publication, edition number, version number, etc.) or non‑specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]	3GPP TR 21.905: "Vocabulary for 3GPP Specifications".
[2]	Void.
[3]	3GPP TS 23.003: "Numbering, addressing and identification".
[4]	3GPP TS 23.122: "Non-Access-Stratum (NAS) functions related to Mobile Station (MS) in idle mode".
[5]	Void.
[6]	3GPP TS 23.402: "Architecture enhancements for non-3GPP accesses".
[7]	3GPP TS 33.234: "3G security; Wireless Local Area Network (WLAN) interworking security".
[8]	Void.
[9]	3GPP TS 24.234: "3GPP System to Wireless Local Area Network (WLAN) interworking; WLAN User Equipment (WLAN UE) to network protocols".
[10]	3GPP TS 24.301: "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS)".
[11]	3GPP TS 24.303: "Mobility management based on Dual-Stack Mobile IPv6".
[12]	3GPP TS 24.304: "Mobility management based on Mobile IPv4; User Equipment (UE) - Foreign Agent interface".
[13]	3GPP TS 24.312: "Access Network Discovery and Selection Function (ANDSF) Management Object (MO)".
[14]	3GPP TS 25.304: "User Equipment (UE) procedures in idle mode and procedures for cell reselection in connected mode".
[15]	3GPP TS 33.402: "3GPP System Architecture Evolution: Security aspects of non-3GPP accesses".
[16]	3GPP TS 36.304: "Evolved Universal Terrestrial Radio Access (E-UTRA); User Equipment (UE) procedures in idle mode".
[16a]	3GPP TS 45.008: "Radio Access Network; Radio subsystem link control".
[17]	3GPP TS 29.273: "Evolved Packet System; 3GPP EPS AAA Interfaces".
[18]	3GPP TS 29.275: "Proxy Mobile IPv6 (PMIPv6) based Mobility and Tunnelling protocols".
[19]	3GPP TS 29.276: "Optimized Handover Procedures and Protocols between EUTRAN Access and cdma2000 HRPD Access".
[20]	3GPP2 X.S0057-A v1.0: "E-UTRAN - HRPD Connectivity and Interworking: Core Network Aspects".
[21]	3GPP2 C.S0087-A v1.0: "E-UTRAN – HRPD and CDMA2000 1x Connectivity and Interworking: Air Interface Aspects".
[22]	Void.
[23]	3GPP2 C.S0024-A v3.0: "cdma2000® High Rate Packet Data Air Interface Specification".
[23a]	3GPP2 C.S0016-D v1.0: "Over-the-Air Service Provisioning of Mobile Stations in Spread Spectrum Standards".
[24]	WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 2: "Architecture Tenets, Reference Model and Reference Points", November 2007.
[25]	WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3: "Detailed Protocols and Procedures", November 2007.
[26]	WiMAX Forum Mobile System Profile Release 1.0 Approved Specification Revision 1.4.0, April 2007.
[27]	IEEE Std 802.16e-2005 and IEEE Std 802.16-2004/Cor1-2005: "IEEE Standard for Local and Metropolitan Area Networks, Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems Amendments 2 and Corrigendum 1", February 2006.
[28]	IETF RFC 4306 (December 2005): "Internet Key Exchange (IKEv2) Protocol".
[29]	IETF RFC 3748 (June 2004): "Extensible Authentication Protocol (EAP)".
[30]	IETF RFC 4301 (December 2005): "Security Architecture for the Internet Protocol".
[31]	IETF RFC 4555 (June 2006): "IKEv2 Mobility and Multihoming Protocol (MOBIKE)".
[32]	IETF RFC 4303 (December 2005): "IP Encapsulating Security Payload (ESP)".
[33]	IETF RFC 4187 (January 2006): "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)"
[34]	IETF RFC 3629 (November 2003): "UTF-8, a transformation format of ISO 10646".
[35]	IETF RFC 1035 (November 1987): "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION".
[36]	Void.
[37]	IETF RFC 6153 (February 2011): "DHCPv4 and DHCPv6 Options for Access Network Discovery and Selection Function (ANDSF) Discovery".
[38]	IETF RFC 5448 (May 2009): "Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA')".
[39]	OMA-ERELD-DM-V1_2: "Enabler Release Definition for OMA Device Management".
[40]	Void
[41]	"Unicode 5.1.0, Unicode Standard Annex #15; Unicode Normalization Forms", March 2008.  HYPERLINK "http://www.unicode.org" http://www.unicode.org.
[42]	3GPP TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping architecture".
[43]	3GPP TS 29.109: "Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol".
[44]	3GPP TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
[45]	3GPP TS 31.102: "Characteristics of the Universal Subscriber Identity Module (USIM) application".
[46]	3GPP TS 24.008: "Mobile radio interface Layer 3 specification; Core network protocols; Stage 3".
[47]	3GPP TS 33.223: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) Push function".
3	Definitions, symbols and abbreviations
3.1	Definitions
For the purposes of the present document, the terms and definitions given in 3GPP TR 21.905 [1] and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in 3GPP TR 21.905 [1].
Access Network Discovery and Selection Function: In this specification, Access Network Discovery and Selection Function (ANDSF) is a network element specified in 3GPP TS 23.402 [6]. Unless otherwise specified, the term ANDSF is used to refer to both Home and Visited ANDSF.
Emergency session: In this specification, an emergency session is an emergency PDN connection established in E-UTRAN and handed over to a S2a based cdma2000® HRPD access network.
Home ANDSF: In this specification, the Home ANDSF (H-ANDSF) is an ANDSF element located in the home PLMN of a UE.
Set of Access network discovery information: In this specification, a set of Access network discovery information is the access network discovery information from a single ANDSF.
Set of Inter-system mobility policy: In this specification, a set of Inter-system mobility policy is the inter-system policy information received from a single ANDSF.
Visited ANDSF: In this specification, the Visited ANDSF (V-ANDSF) is an ANDSF element located in the visited PLMN of a UE.
For the purposes of the present document, the following terms and definitions given in 3GPP TS 23.122 [4] apply:
EHPLMN
Home PLMN
RPLMN
Visited PLMN
For the purposes of the present document, the following terms and definitions given in 3GPP TS 23.402 [6] apply:
S2a
S2b
S2c
For the purposes of the present document, the following terms and definitions given in 3GPP TS 29.273 [17] apply:
STa
For the purposes of the present document, the following terms and definitions given in 3GPP TS 24.301 [10] apply:
Evolved packet core network
Evolved packet system
For the purposes of the present document, the following terms and definitions given in WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25] apply:
Network Access Provider
Network Service Provider
3.2	Abbreviations
For the purposes of the present document, the abbreviations given in 3GPP TR 21.905 [1] and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in 3GPP TR 21.905 [1].
AAA	Authentication, Authorization and Accounting
ACL	Access Control List
AKA	Authentication and Key Agreement
ANDSF	Access Network Discovery and Selection Function
ANID	Access Network Identity
APN	Access Point Name
DHCP	Dynamic Host Configuration Protocol
DM	Device Management
DNS	Domain Name System
DSMIPv6	Dual-Stack MIPv6
eAN/PCF	Evolved Access Network Packet Control Function
EAP	Extensible Authentication Protocol
EPC	Evolved Packet Core
ePDG	Evolved Packet Data Gateway
EPS	Evolved Packet System
ESP	Encapsulating Security Payload
FQDN	Fully Qualified Domain Name
GAA	Generic Authentication Architecture
GBA	Generic Bootstrapping Architecture
H-ANDSF	Home-ANDSF
HRPD	High Rate Packet Data
HSGW	HRPD Serving Gateway
IEEE	Institute of Electrical and Electronics Engineers
IKEv2	Internet Key Exchange version 2
IPMS	IP Mobility Mode Selection
I-WLAN	Interworking – WLAN
MO	Management Object
NAI	Network Access Identifier
NAP	Network Access Provider
NBM	Network based mobility management
NSP	Network Service Provider
OMA	Open Mobile Alliance
PCO	Protocol Configuration Options
P-GW	PDN Gateway
PDU	Protocol Data Unit
S-GW	Serving Gateway
UE	User Equipment
UICC	Universal Integrated Circuit Card
V-ANDSF	Visited-ANDSF
W-APN	WLAN APN
WiMAX	Worldwide Interoperability for Microwave Access
WLAN	Wireless Local Area Network
WMF	WiMAX Forum
4	General
4.1	Trusted and untrusted accesses
The HPLMN operator of the EPC selects whether a connected non-3GPP IP access network is a trusted or untrusted IP access network.
For a trusted non-3GPP IP access network the communication between the UE and the EPC is secure. For an untrusted non-3GPP IP access network the communication between the UE and the EPC is not trusted to be secure.
For a trusted non-3GPP IP access network, all communication between the access network and the EPC is transferred over pre-established secure links. For an untrusted non-3GPP IP access network an IPSec tunnel needs to be established on a per access basis, if required, to secure communication between the UE and the EPC.
4.2	cdma2000® HRPD Access System
The cdma2000® HRPD system is a wireless mobile system developed under the auspices of 3GPP2. The cdma2000® HRPD system and its access network subsystem is compliant with 3GPP2 X.S0057 [20] and 3GPP2 C.S0087 [21], which define the core network and air interface aspects, respectively.
4.3	WiMAX Access System
The WiMAX system is a wireless mobile broadband system developed under the auspices of the WMF and the IEEE. The WiMAX system and its access network subsystem are compliant with WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 2 [24]. The protocol architecture and signalling of the WiMAX system is specified in WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25] which supports the air interface defined in WiMAX Forum Mobile System Profile Release 1.0 Approved Specification Revision 1.4.0 [26] specifying selected profiles of IEEE Std 802.16e-2005 and IEEE Std 802.16-2004/Cor1-2005 [27] that are to be supported. The WiMAX access system correspond to the WiMAX Access Service Network (ASN) and to relevant interfaces, as defined in WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25].
4.4	Identities
4.4.1	User identities
The user identification shall be either the root NAI, or the decorated NAI as defined in 3GPP TS 23.003 [3], when the UE accesses the EPC via non-3GPP access networks, and gets authentication, authorization and accounting services from the EPC. For handover of an emergency session from E-UTRAN to a S2a based cdma2000® HRPD access network, if IMSI is not available (i.e. a UE without USIM) or IMSI is unauthenticated, the IMEI shall be used for the identification, as part of the emergency NAI as defined in 3GPP TS 23.003 [3].
User identification in non-3GPP accesses may require additional identities that are out of the scope of 3GPP.
IETF RFC 4187 [33] and 3GPP TS 23.003 [3] provide definitions for UE and user identities although they use slightly different terms. Similar terms are also used in 3GPP TS 33.402 [15]. The following list provides term equivalencies and describes the relation between various user identities.
-	The Root-NAI as specified in 3GPP TS 23.003 [3] is to be used as the permanent identity as specified in 3GPP TS 33.402 [15].
-	The Fast-Reauthentication NAI as specified in 3GPP TS 23.003 [3] is to be used as the Fast-Reauthentication Identity or the re-authentication ID as specified in 3GPP TS 33.402 [15].
-	The Pseudonym Identity as specified in 3GPP TS 23.003 [3] is to be used as the Pseudonym as specified in 3GPP TS 33.402 [15].
4.4.2	Identification of IP Services/PDN connections
For access to EPC the Access Point Name (APN) is used for identifying IP services/PDN connections. The detailed definition of APN as used for access to EPC is specified in 3GPP TS 23.003 [3]. APN is used in the IKEv2 signaling during tunnel establishment and tunnel modification.
4.4.3	FQDN for ePDG Selection
An ePDG Fully Qualified Domain Name (ePDG FQDN) is constructed by UE and used as input to the DNS mechanism for ePDG selection.
The detailed format of this ePDG FQDN is specified in 3GPP TS 23.003 [3].
4.4.4 	Access Network Identity
For access to EPC through a trusted non-3GPP access network via S2a the UE has to use the Access Network Identity (ANID) in the key derivation (see 3GPP TS 33.402 [15]). The handling of the Access Network Identity is described in subclause 6.4.2.4 and the generic format and specific values for the Access Network Identity are defined in subclause 8.1.1.
5	Network Discovery and Selection
5.1	Access network discovery and selection procedures
5.1.1	General
If PLMN selection specified in 3GPP TS 23.122 [4] and in 3GPP TS 24.234 [9] is applicable (e.g., at switch on, recovery from lack of coverage, or user selection of applicable access technology), the PLMN selection to select the highest priority PLMN according to these specifications is performed before any access network discovery and selection procedures based on ANDSF rules are performed in the selected PLMN.
In the access network discovery procedure the UE may get from the ANDSF information on available access networks in its vicinity. The UE may obtain this information by querying the ANDSF, and may use this information when determining the presence of operator preferred access networks. Determination of the presence of access networks requires using radio access specific procedures, which are not further described here.
The UE can first select an access network and then determine the presence of this access network, or first determine the presence of several access networks and then select between them. If a higher priority access network has been found connected to the same PLMN or a higher priority PLMN, the UE will then attempt to attach via that network.
5.1.2	Access network discovery procedure
5.1.2.1	Triggering the discovery of operator preferred access networks with the ANDSF
The UE may initiate communications with the ANDSF for operator preferred access network discovery:
-	when conditions set up within the policies available in the UE are met; or
-	when a user requests for manual selection.
NOTE 1:	The minimum allowed time interval between two consecutive UE initiated requests towards the ANDSF can be set by operator policies.
NOTE 2:	The UE changing of access networks can override the minimum allowed time interval setting.
5.1.2.2	Discovering availability of access networks
The UE may apply the techniques specific to the non-3GPP access technologies to discover available non-3GPP access networks. Such techniques will not be further described here.
In addition, the UE may signal to the ANDSF to obtain information on operator preferred access networks. The discovery of the ANDSF by the UE, the connection to the ANDSF by the UE and the signalling between the UE and the ANDSF are given in subclause 6.8.
5.1.3	Access network selection procedure
5.1.3.1	General
The access network selection may be classified as inter-technology or intra-technology.
The UE can use information received from ANDSF for inter-technology access network selection; other mechanisms for inter-technology access network selection are out of scope of this specification.
5.1.3.2	Specific intra-technology access network selection
In this release of the specification the use of the following specific intra-technology access network selection procedures is specified.
5.1.3.2.1	cdma2000® HRPD access network selection
The access network selection process for cdma2000® HRPD access networks shall follow 3GPP2 X.S0057 [20].
5.1.3.2.2	WiMAX NAP selection
The access network selection process for WiMAX which encompasses the NAP discovery and access, shall follow the WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25].
5.2	EPC network selection
5.2.1	General
The following EPC network selection procedures are defined:
1)	WiMAX specific;
2)	EPC network selection via cdma2000® HRPD access is given in 3GPP TS 23.122 [4] with any exceptions detailed in subclause 5.3.4.
3)	EPC network selection via WLAN access shall follow the procedures defined for PLMN selection given in subclause 5.2 of 3GPP TS 24.234 [9] with the exception of the tunnel set up procedure. When the UE is connected to EPC through WLAN access, the tunnel is set-up with the ePDG (as described in clause 7 of this document) or with the HA (as described in 3GPP TS 24.303 [11]); and
4)	Generic EPC network selection for other access technologies not listed above.
The UE can utilize information received from ANDSF to which EPCs an access network is connected as described in 3GPP TS 24.312 [13]. Additionally, any technology specific means can be employed to acquire such information, but these are out of scope of this specification.
NOTE: There are no specific EPC network selection procedures specified for emergency access in this version of the specification.
5.2.2	Generic EPC network selection procedure
5.2.2.1	Identification of the EPC
The identification of EPC shall be based on one of the following:
-	PLMN-Id (i.e. pair of MCC+MNC), as specified in 3GPP TS 23.003 [3]; or
-	Home/Visited Network Realm/Domain, as specified in 3GPP TS 23.003 [3].
5.2.2.2	Selection at switch-on or recovery from lack of coverage
5.2.2.2.1	UE selection modes
Two modes of EPC network selection are defined, manual and automatic.
At switch-on or following recovery from lack of coverage, the UE shall select the EPC network according to the selected operating mode.
5.2.2.2.2	Manual EPC network selection
The UE shall present the list of available EPC networks, to which connectivity is provided through the selected non-3GPP access network, to the user. If UE’s HPLMN or PLMNs equivalent to it are in this list, they shall be shown in the highest ranking order. The ordering of the rest of entries in the list is implementation dependent. If available, the UE should display names and/or realms/domains.
If multiple equivalent HPLMNs are available, then the display order among them is UE implementation specific.
5.2.2.2.3	Automatic EPC network selection
The UE may use locally stored data for selecting between EPC networks available for connectivity via the currently selected non-3GPP access network.
If UE’s HPLMN or a PLMN equivalent to it is connected through the selected non-3GPP access network, one of them shall be selected.
If multiple equivalent PLMNs are available, then the choice among them is UE implementation specific.
Additional criteria are out of scope of this specification and remain implementation specific.
5.2.3	Access technology specific EPC network selection procedures
5.2.3.1	EPC network selection procedures for WiMAX
5.2.3.1.1	Identification of the EPC by the WiMAX access network
With WiMAX as a non-3GPP access network, the WiMAX NSP is mapped onto the EPC network operator. The NSP indication can be provided to the UE in accordance to WiMAX Forum Network Architecture Release 1.0 version 1.2 [25]. The WiMAX access network should advertise the NSP identity of the EPC in the MCC, MNC format.
5.2.3.1.2	Selection at switch-on or recovery from lack of coverage
5.2.3.1.2.1	UE selection modes
There are two modes of network selection, namely, manual network selection and automatic network selection.
At switch-on or following recovery from lack of coverage, the UE shall follow one of the following two procedures depending on its operating mode.
5.2.3.1.2.2	Manual EPC network selection
The manual network selection for WiMAX access shall follow the WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25] with the following exceptions and additions:
-	When presenting the list of available networks for user selection, the UE shall provide the network name of the related MCC + MNC pair. If that is not possible, the UE shall provide the MCC + MNC pair; and
-	If the UE is unable to register to the user selected NSP, further UE action is implementation dependent.
5.2.3.1.2.3	Automatic EPC network selection)
The automatic network selection for WiMAX access shall follow the WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25] without any exceptions or additions.
5.3	Access Network reselection
5.3.1	General
The network reselection procedure shall be executed based on the user's request or the operator's policy. Such operator policy for supporting network reselection can be provided by the ANDSF or can be pre-provisioned in the UE.
5.3.2	UE procedures
The UE may retrieve information from ANDSF, which includes available access network and operator's policy as specified in subclause 6.8.2.
The information which is retrieved from the ANDSF shall not impact the PLMN selection and reselection procedures specified in 3GPP TS 23.122 [4] and in 3GPP TS 24.234 [9].
The network reselection procedure can be in automatic mode or manual mode dependent on UE configuration settings. For WiMAX access, the manual mode reselection shall follow the behaviour described in subclause 5.2.3.1.2.2 and the automatic mode reselection shall follow the behaviour described in subclause 5.2.3.1.2.3.
5.3.3	EPC procedures
The ANDSF shall send available access network(s) and operator's policy to the UE in response to the UE’s request or based on the network triggers as specified in subclause 6.8.2.
5.3.4	Periodic EPC network reselection attempts
In automatic mode, when UE is not in its HPLMN or one of its equivalent HPLMNs, the UE shall make a periodic attempt to return to its HPLMN or one of its equivalent HPLMNs. For this purpose the timer value given in the EFHPPLMN as defined in 3GPP TS 31.102 [45] shall be used with the following exceptions:-
-	For UE accessing the EPC via cdma2000® HRPD access networks, the UE's search for a more preferred system shall abide by the parameters and procedures defined in 3GPP2 C.S0016 [23a].
-	For UE accessing the EPC via WiMAX access networks, the time period between periodic network searches is implementation specific.
-	For UE accessing the EPC via any other non-3GPP access networks, unless the UE has availability to EFHPPLMN, the time period between periodic network searches is implementation specific but shall not be less than 30 minutes.
6	UE – EPC Network protocols
6.1	General
6.2	Trusted and Untrusted Accesses
6.2.1	General
For a UE, the trust relationship of a non-3GPP IP access network is determined by the home PLMN operator. That trust relationship is indicated to the UE via the following methods:
-	Pre-configured policies in the UE by the home PLMN operator.
-	Dynamic indication during 3GPP-based access authentication.
For a trusted non-3GPP IP access network, the UE shall follow the access methods given in subclause 6.4. For an untrusted non-3GPP IP access network, the UE shall follow the access methods given in subclause 6.5.
If the dynamic trust relationship indication is received during 3GPP-based access authentication, the UE shall rely on the dynamic trust relationship indication. Otherwise the UE shall follow the pre-configured policies for a specific non-3GPP access network. If no dynamic indicator is received, and no pre-configured policy matches a specific non-3GPP access network where the UE attempts to access, the UE shall follow the procedure defined in subclause 6.2.4.
6.2.2	Pre-configured policies in the UE
The following types of policies can be pre-configured on the UE by the home PLMN operator:
-	Pre-configured trust relationship policies for specific non-3GPP access technologies and/or PLMNs. For example, the UE may be configured to use the procedures for trusted access networks as described in subclause 6.4 as follows:
-	an access network of access technology X1 from PLMN Y1 is trusted; and/or
-	any access network of access technology X2 is trusted; and/or
-	any access network from PLMN Y2 is trusted; and/or
-	any access network is trusted.
The format of the pre-configured policies is not specified in this release of this specification.
6.2.3	Dynamic Indication
If the UE performs 3GPP-based access authentication, the 3GPP AAA server  may send a trust relationship indicator of the non-3GPP access network to the UE during the EAP-AKA or EAP-AKA' based access authentication (i.e. EAP-AKA, EAP-AKA') as specified in 3GPP TS 33.402 [15]. The indicator is sent using a AT_TRUST_IND attribute, by extending the EAP-AKA (and EAP-AKA') protocol as specified in subclause 8.2 of IETF RFC 4187 [33]. This attribute is provided in EAP-Request/AKA-Challenge or EAP- Request/AKA'-Challenge message payload respectively. The detailed coding of this attribute is described in subclause 8.2.3.1.
6.2.4	No trust relationship information
If no dynamic indicator is received, and no pre-configured policies matches a specific non-3GPP access network where the UE attempts to access, the UE shall consider it as untrusted network and operate based on subclause 6.5.
6.3	IP Mobility Mode Selection
6.3.1	General
The IP mobility mechanisms supported between 3GPP and non-3GPP accesses within an operator and its roaming partner's network may be based on either:
a)	Static Configuration; or
b)	Dynamic Configuration.
The choice between a) and b) depends upon operators' preferences or roaming agreement or both.
6.3.2	Static configuration of inter-access mobility mechanism
For networks deploying a single IP mobility management mechanism, the statically configured mobility mechanism can be access type or roaming agreement specific or both. The information about the mechanism to be used in such scenario is expected to be provisioned into the terminal and the network.
In static configuration, if there is a mismatch between the IP mobility mode mechanism parameters pre-configured in the network and in the UE, the UE may not be able to access the EPC. If the UE is able to access the EPC even if there is a mismatch between the IP mobility mode mechanisms, the network may not be able to provide session continuity for the UE. More details of the possible cases of mismatch between the IP mobility mode mechanism are described in the informative annex D.
If the network is configured with a static mobility mechanism and the AAA server implements protocol extensions for a dynamic IP Mobility Mode Selection (IPMS) exchange, the AAA server shall send to the UE an AT_RESULT_IND attribute during the authentication procedure as it is described in subclause 6.3.3.1.2.
6.3.3	Dynamic configuration of inter-access mobility mechanism
6.3.3.0	General
Dynamic IP Mobility Mode Selection (IPMS) consists of:
-	IP mobility management protocol selection between Network Based Mobility (NBM), DSMIPv6 or MIPv4; and
-	Decision on IP address preservation if NBM is selected
Upon initial attachment to a non-3GPP access and upon handoff to non-3GPP accesses, the UE performs IPMS by providing an indication during network access authentication for EPC. For trusted access, the indication is provided before an IP address is allocated to the UE, while in untrusted access network, the indication is provided during IKEv2 signalling for IPSec tunnel establishment with the ePDG.
When the UE provides an explicit indication for IPMS, then the network shall provide the indication to the UE identifying the selected mobility management mechanism.
When the dynamic IP mobility mode selection is used if the UE does not receive any indication of a selected mobility protocol after the UE provided an explicit indication, it is considered as an abnormal case and the UE may not get connectivity to the EPC.
NOTE:	The scenarios for mobility mode selection are described in subclause 4.1.3 of 3GPP TS 23.402 [6].
6.3.3.1	IPMS indication
6.3.3.1.1	IPMS indication from UE to 3GPP AAA server
During network access authentication, UE may provide an explicit indication to the 3GPP AAA server about the supported mobility protocol by using an attribute in the EAP-AKA and EAP-AKA' protocols, to extend these protocols as specified in subclause 8.2 of IETF RFC 4187 [33]. This attribute is provided in EAP-Response/AKA-Challenge and corresponding EAP-AKA' message payload.
The UE may provide the indication for IPMS using AT_IPMS_IND attribute in EAP-AKA or EAP-AKA' if the UE receives the AT_RESULT_IND attribute within the EAP-Request/AKA-Challenge message, or the EAP-Request'/AKA-Challenge' message when EAP-AKA' is used, received from the 3GPP AAA server. If the UE provides the AT_IPMS_IND attribute within the EAP-Response/AKA-Challenge message payload, or the EAP-Response'/AKA-Challenge' message payload when EAP-AKA' is used, the UE shall also provide the AT_RESULT_IND attribute within the message.
If the UE supports IPMS indication, it shall indicate support for one or more mobility protocols in AT_IPMS_IND attribute as follows:
-	the UE shall indicate support for DSMIPv6 if the UE supports DSMIPv6; and
-	the UE shall indicate support for MIPv4 if the UE supports MIPv4; and
-	during initial attach, the UE should indicate support for NBM if the UE supports address preservation based on NBM between the access it is attaching to and all other accesses that the UE supports.; or
-	upon handover, the UE shall indicate support for NBM if the UE supports address preservation based on NBM while moving from source access network to target non-3GPP access network that the UE is attaching to.
If the UE does not support any mobility protocol then the UE shall not send the AT_IPMS_IND attribute to the 3GPP AAA server.
The preference of protocol may be indicated based on the policies configured on the UE. The detailed coding of this attribute is described in subclause 8.2.1.1.
6.3.3.1.2	IPMS indication from 3GPP AAA server to UE
A 3GPP AAA server supporting IPMS shall include the AT_RESULT_IND attribute within the EAP-Request/AKA-Challenge and corresponding EAP-AKA' message payload.
If the UE provided an explicit indication as described in subclause 6.3.3, the 3GPP AAA server shall inform the UE of its decision on the mobility protocol and IP preservation mode by invoking an EAP-Request/AKA-Notification dialogue when EAP-AKA is used or an EAP-Request'/AKA-Notification' dialogue when EAP-AKA' is used.
On selecting the mobility protocol based on UE indication, access network capabilities and network policies, the 3GPP AAA server shall indicate the selected protocol to the UE by using the AT_IPMS_RES attribute. If the 3GPP AAA server does not receive any indication from the UE but knows the UE's policies allow the usage of NBM and knows the home and access network supports NBM, the network shall use NBM shall be used for providing connectivity to the UE.
If the AT_IPMS_RES attribute indicates DSMIPv6 then the UE shall follow the procedures defined in 3GPP TS 24.303 [11].
If the AT_IPMS_RES attribute indicates MIPv4 support, then the UE shall follow the procedures defined in 3GPP TS 24.304 [12].
The detailed coding of this attribute is described in subclause 8.2.1.2.
6.4	Authentication and authorization for accessing EPC via a trusted non-3GPP access network
6.4.1	General
For access to the EPC via a trusted non-3GPP access network, a connection shall be established between the UE and the trusted non-3GPP access network using signalling procedures specific to the trusted non-3GPP access network, which are out of scope of this present document.
Access authentication signalling for access to the EPC shall be executed between the UE and 3GPP AAA server to ensure mutual authentication of the user and the EPC, with the exception of UEs without IMSI (see subclauses 4.4.1 and 6.6.3.2). Such authentication is based on IETF protocols as specified in 3GPP TS 33.402 [15].
EAP-AKA' is used for access authentication in the trusted access network, according to 3GPP TS 33.402 [15], subclause 6.2. According to 3GPP TS 33.402 [15], subclause 6.1, EAP-AKA' can be skipped if conditions listed in subclause 9.2.2.1 of 3GPP TS 33.402 [15] are met.
If the access network does not support EAP-AKA or EAP-AKA' and the UE considers the access network as trusted, the UE shall access to the EPC only via S2c and any authentication method (EAP-based or otherwise) can be used for access authentication as long as the criteria set in 3GPP TS 33.402 [15], subclause 9.2.2.1 are met.
During S2c bootstrapping EAP-AKA authentication is performed between the UE and the PDN-GW as specified in 3GPP TS 24.303 [11] and 3GPP TS 33.402 [15].
6.4.2	UE procedures
6.4.2.1	Identity Management
The user identities to be used by the UE in the authentication and authorization for accessing EPC via a trusted non-3GPP access are the Root-NAI (permanent identity), Fast-Reauthentication NAI (Fast-Reauthentication Identity) and Pseudonym Identity and these identities are described in subclause 4.4.
6.4.2.2	EAP-AKA and EAP-AKA' based Authentication
The UE shall support EAP-AKA based authentication as specified in IETF RFC 4187 [33] and EAP-AKA' based authentication as specified in IETF RFC 5448 [38]. 3GPP TS 33.402 [15] specifies the conditions under which one or the other of these two methods is used.
During network access authentication, the UE may provide an explicit indication for IPMS by adding an attribute in the EAP-AKA or EAP-AKA' payload as defined in subclause 6.3.3.
During network access authentication, the 3GPP AAA server may provide the ANID to the UE, see subclause 6.4.2.4.
6.4.2.3	Full Authentication and Fast Re-authentication
The UE shall support both full authentication and fast re-authentication for EAP AKA as specified in IETF RFC 4187 [33] and for EAP-AKA' as specified in IETF RFC 5448 [38].
Full authentication is performed to generate new keys. The initial authentication shall be a full authentication as specified in 3GPP TS 33.402 [15]. For a full authentication either the Permanent Identity or the Pseudonym Identity is used.
According to 3GPP TS 33.402 [15] the fast re-authentication procedure uses the Fast Re-authentication Identity and is used for renewing the session keys.
The Permanent Identity is based on the IMSI of the UE. The Fast Re-authentication Identity is provided to the UE by the 3GPP AAA server during the previous authentication procedure. The UE shall use the Fast Re-authentication Identity only once. A Pseudonym Identity provided to the UE by the 3GPP AAA Server during a previous authentication procedure can be reused in later authentications until the UE receives a new Pseudonym identity from the 3GPP AAA Server.
NOTE: 	The 3GPP AAA Server will assign a new Pseudonym Identity with a frequency dictated by operator's policy. The allocation of new pseudonyms is required to prevent that the user's movements are tracked by an unauthorized party.
If during an authentication request, the UE receives an EAP-Request/AKA-Identity message containing AT_PERMANENT_ID_REQ, the UE shall return the Permanent Identity in the AT_IDENTITY attribute of the EAP-Response/AKA_Identity. If the UE receives an EAP-Request/AKA'-Identity message containing AT_PERMANENT_ID_REQ, the UE shall return the Permanent Identity in the AT_IDENTITY attribute of the EAP- Response /AKA'-Identity message.
If during an authentication request, the UE receives an EAP-Request/AKA-Identity message which contains AT_FULLAUTH_ID_REQ, the UE shall return the Pseudonym Identity as the AT_IDENTITY within EAP-Response/AKA_Identity message if available. If the UE receives an EAP-Request/AKA'-Identity message containing AT_FULLAUTH_ID_REQ, the UE shall return the Pseudonym Identity as the AT_IDENTITY within the EAP- Response /AKA'-Identity message if available. Otherwise the UE shall return the Permanent Identity.
If during an authentication request, the UE receives an EAP-Request/AKA-Identity message or EAP-Request/AKA'-Identity message respectively, which contains AT_ANY_ID_REQ, the UE shall return the Fast Re-authentication Identity if available as the AT_IDENTITY. Otherwise the UE shall return the Pseudonym Identity.
6.4.2.4	Handling of the Access Network Identity
6.4.2.4.1	General
The 3GPP AAA server provides the UE with the ANID in EAP signalling. The UE can also obtain the ANID by access network specific means, which are out of scope of the present document. For some access networks the ANID can also be configured into the UE and the 3GPP AAA server.
NOTE:	According to 3GPP TS 33.402 [15], the ANID is used by HSS and UE to generate transformed authentication vectors and therefore the ANID needs to be identical in the HSS and in the UE. The trusted non-3GPP access network first sends the ANID to the 3GPP AAA server via the STa reference point and the 3GPP AAA server sends the ANID to HSS via the SWx reference point, see 3GPP TS 29.273 [17], and to the UE as specified in this specification.
6.4.2.4.2	ANID indication from 3GPP AAA server to UE
When the 3GPP AAA server sends an EAP Request' or AKA-Challenge' message to the UE, the 3GPP AAA server shall include the ANID to be used when generating transformed authentication vectors, using the AT_KDF_INPUT attribute as described in subclause 8.2.2. The value and coding of this attribute is described in subclause 8.1.1.
6.4.2.4.3	UE check of ANID for HRPD CDMA 2000® access networks
The UE shall apply the rules for comparison of the locally determined ANID and the one received over EAP-AKA' as specified in IETF RFC 5448 [38]. The UE, or the user, may use the ANID as a basis for an optional decision whether the access network is authorized to serve the UE. E.g. the UE may compare the ANID against a list of preferred or barred ANIDs.
When the UE can locally determine based on physical layer or access network procedures that the UE is connected to a eHRPD network, the locally determined ANID is "HRPD". If the comparison check is successful and if either the optional access network authorization decision in the UE is positive or is not performed, the UE shall proceed; otherwise the UE shall abort the access procedure.
6.4.2.4.4	UE check of ANID for WiMAX access networks
The UE shall apply the rules for comparison of the locally determined ANID and the one received over EAP-AKA' as specified in IETF RFC 5448 [38]. The UE, or the user, may use the ANID as a basis for an optional decision whether the access network is authorized to serve the UE. E.g. the UE may compare the ANID against a list of preferred or barred ANIDs.
When the UE can locally determine based on physical layer or access network procedures that the UE is connected to a WiMAX access network, the locally determined ANID is "WIMAX". If the comparison check is successful and if either the optional access network authorization decision in the UE is positive or is not performed, the UE shall proceed; otherwise the UE shall abort the access procedure.
6.4.2.4.5	UE check of ANID for WLAN access networks
The UE shall apply the rules for comparison of the locally determined ANID and the one received over EAP-AKA' as specified in IETF RFC 5448 [38]. The UE, or the user, may use the ANID as a basis for an optional decision whether the access network is authorized to serve the UE. E.g. the UE may compare the ANID against a list of preferred or barred ANIDs.
When the UE can locally determine based on physical layer or access network procedures that the UE is connected to a WLAN network, the locally determined ANID is "WLAN". If the comparison check is successful and if either the optional access network authorization decision in the UE is positive or is not performed, the UE shall proceed; otherwise the UE shall abort the access procedure.
6.4.2.4.6	UE check of ANID for ETHERNET access networks
The UE shall apply the rules for comparison of the locally determined ANID and the one received over EAP-AKA' as specified in IETF RFC 5448 [38]. The UE, or the user, may use the ANID as a basis for an optional decision whether the access network is authorized to serve the UE. E.g. the UE may compare the ANID against a list of preferred or barred ANIDs.
When the UE can locally determine based on physical layer or access network procedures that the UE is connected to a Ethernet network, the locally determined ANID is "ETHERNET". If the comparison check is successful and if either the optional access network authorization decision in the UE is positive or is not performed, the UE shall proceed; otherwise the UE shall abort the access procedure.
6.4.3	3GPP AAA server procedures
6.4.3.1	Identity Management
The 3GPP AAA selects the pseudonym identity or the Fast Re-authentication Identity and returns the identity to the UE during the Authentication procedure as specified in 3GPP TS 33.402 [15]. The 3GPP AAA server shall maintain a mapping between the UE's permanent identity and the pseudonym identity and between the UE's permanent identity and the Fast Re-authentication Identity.
6.4.3.2	EAP-AKA and EAP-AKA' based Authentication
The 3GPP AAA server shall support EAP AKA based authentication as specified in IETF RFC 4187 [33] and EAP-AKA' based authentication as specified in IETF RFC 5448 [38]. 3GPP TS 33.402 [15] specifies the conditions under which one or the other of these two methods is used. If the UE provides an explicit indication for the supported mobility protocols and the network supports multiple IP mobility mechanisms, the network shall select the protocol to be used and communicate the decision to the UE as defined in subclause 6.3.3.1.2.
6.4.3.3	Full authentication and Fast Re-authentication
The 3GPP AAA shall support full re-authentication and fast re-authentication as specified in IETF RFC 4187 [33].
The decision to use the fast re-authentication process is taken by the home network (i.e. the 3GPP AAA server) and is based on operator policies. If fast re-authentication is to be used, the home network shall indicate this to the UE by providing the Fast Re-authentication Identity to the UE during the authentication process.
When initiating an authentication, the home network shall indicate the type of authentication required by including either AT_PERMANENT_ID_REQ or AT_FULLAUTH_ID_REQ for Full authentication and AT_ANY_ID_REQ for Fast re-authentication in the EAP-Request/AKA_Identity message or the EAP-Request/AKA'-Identity message respectively.
The home network (i.e. the 3GPP AAA server) may upon receiving the Fast Re-authentication Identity in AT_IDENTITY, decide to proceed with the fast re-authentication or choose instead to initiate a full authentication. This decision is based on operator policies.
6.4.4	Multiple PDN support for trusted non-3GPP access
Connectivity to multiple PDNs via trusted non-3GPP access is supported in the EPS when the network policies, the non-3GPP access and user subscription allow it. If the UE supports dynamic mobility management selection the UE shall use the same mobility protocol when multiple connections are established, see 3GPP TS 23.402 [6].
When using the S2a interface to establish connections to additional PDNs the UE shall send a trigger for additional PDN connectivity specific to the non-3GPP access. The UE shall include an APN in this trigger to connect to the desired PDN. The UE shall also indicate the Attach Type to the trusted non-3GPP access during additional PDN connectivity. The Attach Type shall distinguish between Initial Attach and Handover Attach.
NOTE 1:	The indication about Attach Type is non-3GPP access network specific and its coding is out of scope of this specification.
NOTE 2:	The trigger for additional PDN connectivity is non-3GPP access network specific and its coding is out of scope of this specification.
When using the S2c interface, the UE shall follow the procedures described in 3GPP TS 24.303 [11] to connect to multiple PDNs.
If the UE is handing over from a source access network to a target non-3GPP access using PMIP-based S2a and the UE has more than one PDN connection to a given APN in the source access network, and if multiple PDN connections to a single APN are not supported over the target trusted non-3GPP access network, only one PDN connection to the given APN shall be established in the target non-3GPP access as specified in 3GPP TS 23.402 [6]. If multiple PDN connection requests to the same APN are received but the target trusted non-3GPP access network does not support multiple PDN connections to the same APN, the network shall reject the additional PDN connection requests to the same APN received from the UE when one PDN connection to the same APN has already been established. The UE shall determine which PDN connection is re-established in the non-3GPP access based on the home address information (i.e. IPv4 address or IPv6 prefix or both) provided by the network.
NOTE 3:	The protocol details of the PDN connection reject procedure is non-3GPP access network specific and its coding is outside the scope of this specification.
NOTE 4:	When UE supporting IP address preservation for NBM with multiple PDN connections to the same APN hands over to the non-3GPP access network, the UE can, as an implementation option, prioritise the re-establishment for a particular PDN connection before re-establishing the remaining PDN connections. The way a UE prioritizes a particular PDN connection is non-3GPP access network specific and its coding is out of scope of this specification. Another implementation option can be to send multiple re-establishment requests concurrently.
NOTE 5:	Any unsuccessful re-establishment of any of the multiple PDN connections to the same APN can be managed in an implementation specific manner avoiding UE making repeated re-establishment attempts to the network.
6.5	Authentication and authorization for accessing EPC via an untrusted non-3GPP access network
6.5.1	General
In order to attach to the evolved packet core network (EPC) via untrusted non-3GPP IP access, the UE first needs to be configured with a local IP address from the untrusted non-3GPP access network.
During the attach to the untrusted non-3GPP access, the operator of the non-3GPP access network may optionally require toperform a 3GPP based access authentication as specified in 3GPP TS 33.402 [15].
Once the UE is configured with a local IP address, the UE shall select the Evolved Packet Data Gateway (ePDG) as described in subclause 7.2.1 and shall initiate the IPsec tunnel establishment procedure as described in subclause 7.2.2. During these steps authentication and authorization for access to EPC shall be performed.
6.5.2	Full authentication and authorization
6.5.2.1	General
During the establishment of the IPSec tunnel between the UE and the ePDG, 3GPP based authentication signalling for untrusted non-3GPP access to the EPC shall be exchanged between the UE and the 3GPP AAA server in the EPC to ensure mutual authentication of the user and the EPC.
Authorization of EPC access shall be performed by the 3GPP AAA server upon successful user authentication.
The access authentication signalling between the UE and the 3GPP AAA server shall be based on EAP-AKA as specified in IETF RFC 4187 [33] and is further detailed in 3GPP TS 33.402 [15], 3GPP TS 29.273 [17] and procedural descriptions in subclauses 7.2.2 and 7.4.4.
6.5.2.2	UE procedures
When accessing the EPC via the ePDG, the UE shall exchange EAP-AKA signalling with the 3GPP AAA server as specified in 3GPP TS 33.402 [15].
NOTE:	the EAP payload exchanged between UE and 3GPP AAA server is transported within the IKEv2 messages exchanged with ePDG as described in subclause 7.2.2.
6.5.2.3	3GPP AAA server procedures
During the authentication of the UE for accessing the EPC via the ePDG, the 3GPP AAA server shall initiate EAP-AKA based authentication with the UE as specified in 3GPP TS 33.402 [15].
6.5.3	Multiple PDN support for untrusted non-3GPP access network
Connectivity to multiple PDNs via untrusted non-3GPP access is supported in the EPS when the network policies, the non-3GPP access and the user subscription allow it. If the UE supports dynamic mobility management selection the UE shall use the same mobility protocol when multiple connections are established, see 3GPP TS 23.402 [6].
When using the S2b interface to establish additional PDN connections, the UE shall establish an IPSec tunnel with the same ePDG for each PDN connection. For each tunnel establishment procedure, the UE shall indicate to the ePDG an APN to the desired PDN and an attach type indication as specified in subclause 7.2.2.
When using the S2c interface, the UE shall follow the procedures described in 3GPP TS 24.303 [11] when establishing multiple PDN connections. For multiple PDN connections over the S2c interface, the UE shall establish only one IPsec tunnel to the ePDG.
If the UE had more than one PDN connection to a given APN in the source access network and the UE is performing a handover to a target untrusted non-3GPP access network via an ePDG that supports the PMIP-based S2b interface, and if multiple PDN connections to a single APN are not supported over the target untrusted non-3GPP access network, only one PDN connection to that given APN shall be established in the target non-3GPP access network as specified in 3GPP TS 23.402 [6] if NBM is used. The UE, if supporting IP address preservation for NBM, shall include the home address information during the tunnel establishment procedure as specified in subclause 7.2.2. If multiple PDN connection requests to the same APN are received but the network does not support multiple PDN connections to the same APN, the ePDG shall reject the additional PDN connection requests to the same APN received from the UE as described in subclause 7.4.1, in the following circumstances:
-	when one PDN connection to the same APN has already been established;
-	only after the network has successfully established one PDN connection in the case that the additional PDN connections requests were received prior to the successful establishment of a single PDN connection.
In the above cases, the UE shall determine which PDN connection is re-established in the non-3GPP access based on the home address information provided by the network.
The UE behaviour, when PDN connection re-establishment is rejected by the network during handover to the untrusted non-3GPP access network, is described in sublause 7.2.2.
NOTE 1:	When a UE supporting IP address preservation for NBM with multiple PDN connections to the same APN hands over to the non-3GPP access network, the UE can, as an implementation option, prioritise the re-establisment for a particular PDN connection before re-establishing the remaining PDN connections. The UE indicates the prioritised PDN connection by including both the APN in the IDr payload and the home address information in the Handover Attach indicator as specified in subclause 7.2.2. Another implementation option can be to send multiple re-establishment requests concurrently. 
6.6	UE - 3GPP EPC (cdma2000® HRPD Access)
6.6.1	General
3GPP2 X.S0057 [20] defines the interworking architecture for access to the EPC via cdma2000® HRPD access networks. In particular, 3GPP2 X.S0057 [20] describes support for a UE using the cdma2000® HRPD air interface to access the EPC architecture defined in 3GPP TS 23.402 [6] by:
-	specifying the use of the interface across the S2a reference point between the 3GPP2 HRPD Serving Gateway (HSGW) and the PDN Gateway (P-GW) in the EPC by referencing 3GPP TS 29.275 [18];
-	specifying the use of the interface across the S101 reference point between the eAN/PCF in the 3GPP2 HRPD access network and the MME in the EPC by referencing 3GPP TS 29.276 [19];
-	specifying the use of the user plane interface across the S103 reference point between the EPC Serving Gateway (S-GW) and the HSGW by referencing 3GPP TS 29.276 [19]; and
-	describing the internal functions and responsibilities of the HSGW.
3GPP2 C.S0087  [21] defines the signalling requirements and procedures for UEs accessing the EPC via 3GPP2 HRPD access networks using the cdma2000® HRPD air interface. In particular, 3GPP2 C.S0087 [21]:
defines the signalling extensions to the cdma2000® HRPD air interface defined in 3GPP2 C.S0024 [23] necessary to support interworking with the EPC and E‑UTRAN; and
defines the UE and eAN/PCF procedures and signalling formats to support bidirectional handoff between E‑UTRAN and cdma2000® HRPD.
6.6.2	Non-emergency case
6.6.2.1	General
Subclauses 6.6.2.2 through 6.6.2.7 describe the particular requirements for access to the EPC via a cdma2000® HRPD access network in support of non-emergency accesses and services.
6.6.2.2	UE identities
The UE and network shall use the root NAI as specified in 3GPP TS 23.003 [3] for EPC access authentication when the UE obtains service via a cdma2000® HRPD access network connected to an EPC in the UE's HPLMN. 
Additionally, the UE and network shall use the Fast-Reauthentication NAI and the Pseudonym Identity as described in subclause 4.4.
6.6.2.3	cdma2000® HRPD access network identity
The access network identity is described in 3GPP TS 23.003 [3] and in subclause 6.4.2.4 of this specification. For a cdma2000® HRPD network, the value and encoding of the access network identity is described in subclause 8.1.1. The 3GPP AAA server, HSS, and any visited network AAA proxy shall use the access network identity during EAP-AKA' authentication procedures (see 3GPP TS 33.402 [15]).
6.6.2.4	PLMN system selection
The UE shall rely on information provisioned by the home operator to facilitate the PLMN system selection process described in 3GPP TS 23.122 [4].
6.6.2.5	Trusted and untrusted accesses
The UE shall determine the trust relationship for access to the EPC via a cdma2000® HRPD access network as described in subclause 4.1.
6.6.2.6	IP mobility mode selection
The UE and network shall perform IP mobility mode selection as described in subclauses 6.3.3.1 and 6.4.3.2
6.6.2.7	Authentication and authorization for accessing EPC
The UE and 3GPP AAA server shall perform authentication and authorization procedures for access to the EPC as defined in 3GPP TS 33.402 [15].
6.6.3	Emergency case
6.6.3.1	General
Subclauses 6.6.3.2 through 6.6.3.3 describe the particular requirements for access to the EPC via a cdma2000® HRPD access network in support of an emergency session in course of handover from E-UTRAN to HRPD.
In this release of the specification no emergency session related handling other than the handover of an emergency session from E-UTRAN to an S2a based cdma2000® HRPD access network is specified.
6.6.3.2	UE identities
When the UE obtains emergency services via a cdma2000® HRPD access network connected to an EPC in the UE's HPLMN, then the UE and the network shall use the NAI for EPC access authentication as follows:
-	if IMSI is available and authenticated , then the UE and the network shall use the root NAI as specified in 3GPP TS 23.003 [3];
-	if IMSI is not available or unauthenticated, then the emergency NAI as specified in 3GPP TS 23.003 [3] shall be used.
Additionally, the UE and the network shall use the Fast-Reauthentication NAI and the Pseudonym Identity as described in subclause 4.4.1.
6.6.3.3	Authentication and authorization for accessing EPC
If IMSI is available, then the authentication and authorization procedures via STa are executed if the local regulation and network operator option requires authenticating the UE.
If the authentication and authorization procedures fail, then it depends on local regulation and network operator option to allow or reject the emergency services for the UE.
If IMSI is not available, the authentication and authorization procedures via STa are not executed.
6.7	UE - 3GPP EPC (WiMAX Access)
6.7.1	General
The WiMAX system and its access network subsystem are described within WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 2 [24]. The protocol architecture and signalling of the WiMAX system is specified in WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25]. This protocol architecture and signalling supports the air interface defined in WiMAX Forum Mobile System Profile Release 1.0 Approved Specification Revision 1.4.0 [26] which specifies selected profiles of IEEE Std 802.16e-2005 and IEEE Std 802.16-2004/Cor1-2005 [27].
6.7.2	Non-emergency case
6.7.2.1	General
Subclauses 6.7.2.2 through 6.7.2.7 describe the particular requirements for access to the EPC via a WiMAX access network in support of non-emergency accesses and services.
6.7.2.2	UE identities
The UE and network shall use the root NAI as specified in 3GPP TS 23.003 [3] for EPC access authentication when the UE obtains service via a WiMAX access network connected to an EPC in the UE's HPLMN.
Additionally, the UE and network shall use the Fast-Reauthentication NAI and the Pseudonym Identity as described in subclause 4.4.
6.7.2.3	WiMAX access network identity
The access network identity is described in 3GPP TS 23.003 [3] and in subclause 6.4.2.4 of this specification. For a WiMAX network, the value and encoding of the access network identity is described in subclause 8.1.1. The 3GPP AAA server, HSS, and any visited network AAA proxy shall use the access network identity during EAP-AKA authentication procedures (see 3GPP TS 33.402 [15]).
6.7.2.4	Selection of the Network Service Provider
The UE shall use WIMAX-specific procedures described in WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25] to discover and select the highest priority Network Service Provider (NSP) which is available and allowable.
6.7.2.5	Trusted and untrusted accesses
The UE shall determine the trust relationship for access to the EPC via a WiMAX access network as described in subclause 4.1.
6.7.2.6	IP mobility mode selection
The UE and network shall perform IP mobility mode selection as described in subclauses 6.3.3.1 and 6.4.3.2.
6.7.2.7	Authentication and authorization for accessing EPC
NOTE:	In line with 3GPP TS 33.402 [15], in this present specification, no particular security provisions are specified for interworking between WiMAX and EPS. Any access specific security procedures for WiMAX as a non-3GPP access network to EPC will be in accordance with WiMAX Forum Network Architecture Release 1.0 version 1.2 – Stage 3 [25] and WiMAX Forum Mobile System Profile Release 1.0 Approved Specification Revision 1.4.0 [26].
6.7.3	Emergency case
NOTE:	Procedures for handling emergency accesses or services are not specificed within this release of the specification
6.8	Communication over the S14
6.8.1	General
In order to assist the UE with performing access network discovery and selection, ANDSF provides a set of information to the UE. This information contains the access network discovery and selection information to assist the UE with selecting the access network or the inter-system mobility policy to control and assist the UE with performing the inter-system change or both.
This set of information can either be provisioned in the UE by the home operator, or provided to the UE by the ANDSF over the S14 reference point via pull or push mechanisms as defined in 3GPP TS 23.402 [6] by means of the access network discovery and selection procedures as described in subclause 6.8.2. While roaming, the UE can receive a set of information from H-ANDSF or V-ANDSF or both.
The UE, located in the home PLMN, needs to discover the H-ANDSF by means of the discovery procedure as described in subclause 6.8.2.2.1. The UE, located in the visited PLMN, needs to discover the H-ANDSF or V-ANDSF or both by means of the discovery procedure as described in subclause 6.8.2.2.1.
Through push mechanisms the ANDSF can provide assistance information to the UE e.g. if the UE has previously used pull based ANDSF procedure or if OMA-DM bootstrapping is used as described in subclause 6.8.2.2.1A. Through pull mechanisms the UE can send a request to the ANDSF in order to get assistance information for access network discovery and selection.
ANDSF shall comply with local, national and regional requirements regarding the privacy and confidentiality of location information.
NOTE:	The regulation and legislations of the home operator of the ANDSF server determines whether the ANDSF server can store the user's location information.
6.8.2	Interaction with the Access Network Discovery and Selection Function
6.8.2.1	General
The S14 interface enables IP level communication between the UE and ANDSF. The protocols supported by the S14 interface are realized above the IP level. Both pull and push mechanisms may be supported for communication between the UE and the ANDSF. A combination of pull and push mechanisms may also be supported. The communication security over the S14 interface is specified in 3GPP TS 33.402 [15].
The UE, located in a home PLMN, can communicate securely with the H-ANDSF. The UE, located in a visited PLMN, can communicate securely with H-ANDSF or V-ANDSF or both.
The information is transferred between the UE and ANDSF using OMA DM as defined in OMA-ERELD-DM-V1_2 [39] with the management object as specified in 3GPP TS 24.312 [13].
6.8.2.2	UE procedures
6.8.2.2.1	UE discovering the ANDSF
The UE shall support DNS lookup by name as specified in IETF RFC 1035 [35] to discover the IP address of ANDSF. Additionally, the UE may support DHCP query as specified in IETF RFC 6153 [37] to discover the IP address of H-ANDSF.
The IP address of the H-ANDSF can be provisioned in the UE by the home operator. If not provisioned in the UE, for the case of a UE located in a home PLMN or an equivalent HPLMN, the IP address of the H-ANDSF can be discovered by the UE using a DHCP query as specified in IETF RFC 6153 [37]. The H-ANDSF IP address by which the UE can contact the H-ANDSF can also be obtained by the UE through a DNS lookup by name as specified in IETF RFC 1035 [35]. The QNAME shall be set to the ANDSF-SN FQDN, as defined in 3GPP TS 23.003 [3].
The V-ANDSF IP address by which the UE can contact the V-ANDSF is obtained by the UE through a DNS lookup by name as specified in IETF RFC 1035 [35]. The QNAME shall be set to the ANDSF-SN FQDN, as defined in 3GPP TS 23.003 [3].
When the UE is in its HPLMN or equivalent HPLMN, the UE may use either DNS lookup or DHCP query to discover the IP address of the H-ANDSF. If the UE implements DHCP query, the following apply:
The preference between DNS lookup and DHCP query is UE implementation dependent; and
If the UE is unable to discover the IP address of the H-ANDSF using one discovery method, the UE may try to use the other discovery method.
When the UE is in a visited PLMN, the UE shall use DNS lookup to discover the IP address of the ANDSF.
When performing a DNS lookup resolution, the UE shall apply the following procedures:
-	For the H-ANDSF discovery, the UE shall build a Fully Qualified Domain Name (FQDN) as defined in 3GPP TS 23.003 [3] for the DNS request and select the IP address of the H-ANDSF included in the DNS response message.
-	For the V-ANDSF discovery, the UE shall build a Fully Qualified Domain Name (FQDN) as defined in 3GPP TS 23.003 [3] for the DNS request and select the IP address of the V-ANDSF included in the DNS response message.
When performing a DHCP query resolution, for the case of a UE located in a home PLMN or an equivalent HPLMN, the UE shall send a DHCP message with the required DHCP option, as specified in IETF RFC 6153 [37], that allows the UE to discover the IP address of the H-ANDSF.
6.8.2.2.1A	ANDSF communication security
According to 3GPP TS 33.402 [15], for the pull model, the UE and ANDSF shall use PSK TLS with GBA based shared key-based mutual authentication to establish a secure connection between UE and ANDSF as specified by subclause 5.4 of 3GPP TS 33.222 [44].
According to 3GPP TS 33.402 [15], for the push model, the UE and ANDSF shall use PSK TLS with GBA push based shared key-based mutual authentication to establish a secure connection between the UE and the ANDSF as specified by subclause 5.1 of 3GPP TS 33.223 [47].
In accordance with 3GPP TS 29.109 [43], the BSF shall provide either the UE's IMSI or IMPI to NAF, ie the ANDSF server.
OMA-DM's application level authentication mechanism does not need to be used with ANDSF, since mutual security association is already established on transport level using PSK-TLS as specified in 3GPP TS 33.402 [15]. According to OMA-ERELD-DM-V1_2 [39], however, each Managed Object (MO) shall have an access control list (ACL) that lists authorized OMA DM servers. In order to comply with OMA-ERELD-DM-V1_2 [39], the ANDSF-SN FQDN shall be used as server name in the ACL list. 
If the UE does not support the ANDSF security mechanism as specified in 3GPP TS 33.402 [15], or if the operator does not implement the GAA bootstrap framework specified in 3GPP TS 33.220 [42], appropriate communication security can be established with the ANDSF using OMA-DM's bootstrap, secure http (https) mechanism and WAP Push according to OMA-ERELD-DM-V1_2 [39].
6.8.2.2.2	Role of UE for Push model
The UE shall implement the push model of ANDSF in accordance with OMA-ERELD-DM-V1_2 [39] using WAP Push, which is applicable for 3GPP access networks only.
In the push model of communication, if the UE receives a notification SMS from the ANDSF, the UE shall establish a secure data connection using the information received in the notification SMS.
In the push model of communication, if the UE receives a SMS message containing a GBA Push Information as specified in 3GPP TS 33.223 [47] from the ANDSF, the UE shall establish a secure data connection to the ANDSF using the GBA Push Information. If the UE does not understand the contents of the SMSfrom the ANDSF, the UE shall follow the pull model procedure as specified in subclause 6.8.2.2.1A to establish a secure data connection with the ANDSF.
Upon establishing a secure connection between the UE and ANDSF, the UE may be provided with updated inter-system policy and information about available access networks. The list of the information is described in subclause 6.8.2.3.3 and the correspondent ANDSF MO is defined in 3GPP TS 24.312 [13].
6.8.2.2.3	Role of UE for Pull model
In the pull model of communication, the UE sends a query to ANDSF to retrieve or update inter-system mobility policy or information about available access networks in its vicinity or both. The UE will wait for an implementation dependent time for an answer from the ANDSF. If ANDSF does not respond within that time, further action by the UE is implementation dependent. The UE may provide to ANDSF the UE's location information including, if available, the location parameters (for example, cell identities) associated with the Radio Access Networks the UE has discovered in its current location at the time the UE sends a query to ANDSF; the format of the location information is described as UE_Location in ANDSF MO defined in 3GPP TS 24.312 [13].
After communicating with ANDSF, the UE may be provided with updated inter-system policy and information about available access networks. The list of the information is described in subclause 6.8.2.3.3 and the correspondent ANDSF MO is defined in 3GPP TS 24.312 [13].
The UE may start Pull model communication with ANDSF based upon the information previously received from the ANDSF (e.g. based on the value of UpdatePolicy leaf defined in 3GPP TS 24.312 [13]).
NOTE:	Mechanisms to limit the frequency of queries transmission from the UE to the ANDSF are implementation dependant. 
6.8.2.2.4	UE using information provided by ANDSF
6.8.2.2.4.1	General
Network detection and selection shall take into account the access network specific requirements and the UE's local policy, e.g. user preference settings, access history, etc, along with the information provided by the ANDSF when selecting an access network. The local policy and the information provided by the ANDSF shall be used by the UE in an implementation dependent way to limit the undesired alternating between access systems, e.g. ping-pong type of inter-system changes. However, the use of such information from the ANDSF shall not be in contradiction to functions specified in 3GPP TS 23.122 [4], 3GPP TS 24.234 [9], 3GPP TS 25.304 [14] and 3GPP TS 36.304 [16].
If the UE is roaming in a VPLMN, the UE may receive Inter-system mobility policies or Access network discovery information or both from H-ANDSF or V-ANDSF or both. The format of the Inter-system mobility policies and Access network discovery information is defined in 3GPP TS 24.312 [13].
The maximum number of sets of Inter-system mobility polices or Access network discovery information or both that the UE may keep is implementation dependent. However, the UE shall retain at least one set of Inter-system mobility policies and one set of Access network discovery information. This information shall be deleted if there is a change of USIM. This information may be deleted when UE is switched off.
6.8.2.2.4.2	Use of Inter-system Mobility Policy
If more than one set of Inter-system mobility policies is available in the UE, the UE shall only use one set of Inter-system mobility policies at any one time. If available, the inter-system mobility policy of the RPLMN takes precedence. For example, when roaming, the Inter-system mobility policy from V-ANDSF of the RPLMN, if available, takes precedence over the Inter-system mobility policy from H-ANDSF. When applying the Inter-system mobility policy the following requirements apply:-
-	the requirements on periodic network reselection as described in subclause 5.3.4 of the present specification; 
-	the PLMN selection rules specified in 3GPP TS 23.122 [4] and in 3GPP TS 24.234 [9];
-	the selection rules specified in 3GPP2 C.P0016-D [23a]; and
-	the 3GPP RAT selection, cell selection and reselection rules specified in 3GPP TS 25.304 [14], 3GPP TS 36.304 [16] and 3GPP TS 45.008 [16a].
6.8.2.2.4.3	Use of Access Network Discovery Information
The UE may use the received Access network discovery information of both the H-ANSDF and V-ANDSF for network discovery and detection. The Access network discovery information received from:-
a)	the H-ANDSF provides guidance for the UE on access networks that have connectivity to the HPLMN or equivalent HPLMNs or both; and
b)	the V-ANDSF provides guidance for the UE on access networks that have connectivity to the corresponding VPLMN or equivalent PLMNs or both.
6.8.2.3	ANDSF procedures
6.8.2.3.1	General
Both the H-ANDSF and the V-ANDSF can provide information about inter-system mobility policy or information about available access networks in the vicinity of the UE or both. The inter-system mobility policies may be organized in a hierarchy and a priority order among multiple policies may determine which policy has the highest priority. The policies may indicate preference of one access network over another or may restrict inter-system mobility to a particular access network under certain conditions. The ANDSF may also specify validity conditions which indicate when a policy is valid. Such conditions may be based on time duration, location, etc. The ANDSF may limit the information provided to the UE. This can be based on UE's current location, UE capabilities, etc. How the ANDSF decides how much information to provide to the UE is dependent on network implementation.
6.8.2.3.2	Role of ANDSF for Push model
If there is no existing valid PSK TLS connection between the UE and ANDSF, the ANDSF, not implementing GBA Push, may send a notification SMS to the UE, without establishing a data connection with the UE. 
If there is no existing valid PSK TLS connection between the UE and ANDSF, the ANDSF, implementing GBA Push, shall send a message via SMS to the UE to establish a secure connection between the UE and ANDSF. The contents of the message shall contain a GBA Push Information as specified in 3GPP TS 33.223 [47].
If there is an existing valid PSK TLS connection between the UE and ANDSF, the ANDSF shall use the existing connection to update the inter-system mobility policy in the UE or inform the UE about available access networks in the vicinity of the UE.
After a secure connection is established according to subclause 6.8.2.2.1A, the ANDSF may update the inter-system mobility policy in the UE or inform the UE about available access networks in the vicinity of the UE.
6.8.2.3.3	Role of ANDSF for Pull model
When contacted by UE, ANDSF may interact with the UE in order to provide the UE with inter-system mobility policy or information about available access networks in the vicinity of the UE or both. In case of information about available access networks, the ANDSF provides the following information about each available access networks in the form of a list containing:
1)	Type of Access network (e.g. WLAN, WiMAX);
2)	Location of Access Network (e.g. 3GPP location);
3)	Access Network specific information (e.g WLAN information, WiMAX information); and
4)	Operator differentiated text field (if supported, e.g. if WNDS MO defined in 3GPP TS 24.312 [13] is used).
The detailed list of information is described in 3GPP TS 24.312 [13].
6.9	Handling of Protocol Configuration Options information
The Protocol Configuration Options (PCO) information element is specified in 3GPP TS 24.008 [46].
The support of PCOs is optional for the UE and the non-3GPP access network.
The content syntax of PCOs for the non-3GPP access UE and non-3GPP access network is access network specific and not in the scope of 3GPP, but if PCO is supported, the UE and the PDN-GW shall handle the PCO contents in accordance with 3GPP TS 24.008 [46].
PCO information is exchanged between the UE and the PDN-GW, see 3GPP TS 23.402 [6] and 3GPP TS 29.275 [18]. The specification of PCO signalling in the non-3GPP access network is access network specific and not in the scope of 3GPP.
7	Tunnel management procedures
7.1	General
The purpose of tunnel management procedures is to define the procedures for establishment or disconnection of an end-to-end tunnel between the UE and the ePDG. The tunnel establishment procedure is always initiated by the UE, whereas the tunnel disconnection procedure can be initiated by the UE or the ePDG.
The tunnel is an IPsec tunnel (see IETF RFC 4301 [30]) established via an IKEv2 protocol exchange IETF RFC 4306 [28] between the UE and the ePDG. The UE may indicate support for IETF RFC 4555 [31]. The security mechanisms for tunnel setup using IPsec and IKEv2 are specified in 3GPP TS 33.234 [7].
7.2	UE procedures
7.2.1	Selection of the ePDG
For dynamic selection of the ePDG the UE shall support the implementation of standard DNS mechanisms in order to retrieve the IP address(es) of the ePDG. The input to the DNS query is an ePDG FQDN as specified in subclause 4.4.3 and in 3GPP TS 23.003 [3]. The ePDG FQDN contains a PLMN ID as Operator Identifier. The UE selects the PLMN ID used in the ePDG FQDN based on the conditions described below.
1.	If the UE is EPS attached or GPRS attached (see 3GPP TS 23.122 [4]) to a Visited PLMN and:
1a)	if the UE is not provided with a list of available PLMN ID(s), the UE shall use the PLMN identity of the RPLMN or an equivalent PLMN (see 3GPP TS 24.301 [10] or 3GPP TS 24.008 [46]) in the creation of the ePDG FQDN (see 3GPP TS 23.003 [3]). If the DNS query with FQDN constructed using RPLMN identity does not return any IP address, then the UE as an implementation option may try again with FQDN constructed using an equivalent PLMN.
1b)	if the UE is provided with a list of available PLMN ID(s) served by the access network, e.g. through the access specific signalling as specified in 3GPP TS 24.234 [9], and the current RPLMN or an equivalent PLMN is contained in the list of available PLMN ID(s), the UE shall include this PLMN identity in the creation of the ePDG FQDN (see 3GPP TS 23.003 [3]); or
1c)	in all other cases, the UE shall include the PLMN identity of the Home PLMN or EHPLMN in the ePDG FQDN. The HPLMN or EHPLMN shall be chosen based on the PLMN selection policy for the access network the UE is accessing e.g. see 3GPP TS 24.234 [9] subclause 5.2.4.
2.	If the UE is EPS attached or GPRS attached to the Home PLMN or EHPLMN and:
2a)	if the UE is not provided with a list of available PLMN ID(s), the UE shall use the PLMN identity of the Home PLMN or EHPLMN in the creation of the ePDG FQDN;
2b)	if the UE is provided with a list of available PLMN ID(s) served by the access network e.g. through the access specific signalling as specified in 3GPP TS 24.234 [9], and the Home PLMN or EHPLMN is contained in the list of available PLMN ID(s), then the UE shall use this PLMN identity in the ePDG FQDN; or
2c)	in all other cases, the UE behaviour is implementation specific; or
3.	If the UE is not attached to any PLMN, the UE performs PLMN selection as described in subclause 5.2.1 and:
3a)	if the UE is provided with a list of available PLMN ID(s) served by the access network e.g. through the access specific signalling as specified in 3GPP TS 24.234 [9], and neither Home PLMN nor EHPLMN is contained in the list, use the PLMN identity of the selected PLMN from PLMN selection in the ePDG FQDN; or
3b)	otherwise, the UE shall include the identity of the Home PLMN or EHPLMN in the ePDG FQDN.

Upon reception of a DNS response containing one or more IP addresses of ePDGs, the UE shall select an IP address of ePDG with the same IP version as its local IP address.
The UE shall select only one ePDG also in case of multiple PDN connections.
NOTE:	During handover between two untrusted non-3GPP access networks, the UE can initiate tunnel establishment to another ePDG while still being attached to the current ePDG.
7.2.2	Tunnel establishment
Once the ePDG has been selected, the UE shall initiate the IPsec tunnel establishment procedure using the IKEv2 protocol as defined in IETF RFC 4306 [28] and 3GPP TS 33.402 [15].
The UE shall send an IKE_SA_INIT request message to the selected ePDG in order to setup an IKEv2 security association. Upon receipt of an IKE_SA_INIT response, the UE shall send an IKE_AUTH request message to the ePDG, including the type of IP address (IPv4 address or IPv6 prefix or both) that needs to be configured in an IKEv2 CFG_REQUEST Configuration Payload. If the UE requests for both IPv4 address and IPv6 prefix, it shall send two configuration attributes in the CFG_REQUEST Configuration Payload, one for the IPv4 address and the other for the IPv6 prefix. The IKE_AUTH request message shall contain in "IDr" payload the APN and in the "IDi" payload the NAI. The UE indicates a request for the default APN by omitting IDr payload, which is in accordance with IKEv2 protocol as defined in IETF RFC 4306 [28]. The IKE_AUTH request message may contain in a notify payload an indication that MOBIKE is supported by the UE.
During the IKEv2 authentication and security association establishment, if the UE supports explicit indication about the supported mobility protocols, it shall provide the indication as described in subclause 6.3.
During the IKEv2 authentication and tunnel establishment for initial attach, the UE shall provide an indication about Attach Type, which indicates Initial Attach. To indicate attach due to initial attach, the UE shall include either the INTERNAL_IP4_ADDRESS or the INTERNAL_IP6_ADDRESS attribute or both in the CFG_REQUEST Configuration Payload within the IKE_AUTH request message. The INTERNAL_IP4_ADDRESS shall contain no value and the length field shall be set to 0. The INTERNAL_IP6_ADDRESS shall contain no value and the length field shall be set to 0.
During the IKEv2 authentication and tunnel establishment for handover, the UE not supporting IP address preservation for NBM shall indicate Initial Attach as described in the previous paragraph.
During the IKEv2 authentication and security association establishment for handover, the UE supporting IP address preservation for NBM, shall provide an indication about Attach Type, which indicates Handover Attach. To indicate attach due to handover, the UE shall include the previously allocated home address information during the IPSec tunnel establishment. Depending on the IP version, the UE shall include either the INTERNAL_IP4_ADDRESS or the INTERNAL_IP6_ADDRESS attribute or both in the CFG_REQUEST Configuration Payload within the IKE_AUTH request message to indicate the home address information which is in accordance with IKEv2 protocol as defined in IETF RFC 4306 [28]. The UE shall support IPSec ESP (see IETF RFC 4303 [32]) in order to provide secure tunnels between the UE and the ePDG as specified in 3GPP TS 33.402 [15].
If NBM is used and if the UE receives from the ePDG an IKE_AUTH response message containing a Notify Payload with a Notify Message Type value 8192 that includes an IP address information in the Notification Data field, the UE shall treat this message as an indication that the PDN connection corresponding to the IP address information has been rejected by the network. The UE shall not attempt to re-establish this PDN connection while connected to the current ePDG and the UE shall close the related IKEv2 security association states.
If NBM is used and if the UE receives from the ePDG an IKE_AUTH response message containing a Notify Payload with a Notify Message Type value 8192 and no Notification Data field, the UE shall treat this message as an indication that the requested IKEv2 security association establishment is rejected, as the network does not accept any additional PDN connections to the given APN. As long as any existing PDN connection to the given APN is not released, the UE shall not attempt to establish additional PDN connections to this APN while connected to the current ePDG. The UE shall close the related IKEv2 security association states.
After the successful authentication with the 3GPP AAA server, the UE receives from the ePDG an IKE_AUTH response message containing a single CFG_REPLY Configuration Payload including the assigned remote IP address information (IPv4 address or IPv6 prefix) as described in subclause 7.4.1. Depending on the used IP mobility management mechanism the following cases can be differentiated:
If DSMIPv6 is used for IP mobility management, the UE configures a remote IP address based on the IP address information contained in the INTERNAL_IP4_ADDRESS or INTERNAL_IP6_SUBNET attribute of the CFG_REPLY Configuration Payload. The UE uses the remote IP address as Care-of-Address to contact the HA.
-	If NBM is used for IP mobility management and the UE performs an initial attach, the UE configures a home address based on the address information from the CFG_REPLY Configuration Payload. Otherwise, if NBM is used and the UE performs a handover attach, the UE continues to use its IP address configured before the handover, if the address information provided in the CFG_REPLY Configuration Payload does match with the UE's IP address configured before the handover. If the UE's IP address does not match with the address information of the CFG_REPLY Configuration Payload, the UE shall configure a new home address based on the IP address information contained in the INTERNAL_IP4_ADDRESS or INTERNAL_IP6_SUBNET attribute of the CFG_REPLY Configuration Payload. In the latter case, the IP address preservation is not possible.
If the UE supports DSMIPv6, the UE may request the HA IP address(es), by including a corresponding CFG_REQUEST Configuration Payload containing a HOME_AGENT_ADDRESS attribute. The HOME_AGENT_ADDRESS attribute content is defined in subclause 8.2.4.1. The HA IP address(es) requested in this attribute are for the APN for which the IPsec tunnel with the ePDG is set-up. In the CFG_REQUEST, the UE sets respectively the IPv6 address field and the optional IPv4 address field of the HOME_AGENT_ADDRESS attribute to 0::0 and to 0.0.0.0.
In case the UE wants to establish multiple PDN connections and if the UE uses DSMIPv6 for mobility management, the UE shall use DNS as defined in 3GPP TS 24.303 [11] to discover the HA IP address(es) for the additional PDN connections after IKEv2 security association was established to the ePDG.
7.2.3	Tunnel modification
This procedure is used if MOBIKE as defined in IETF RFC 4555 [31] is supported by the UE.
When there is a change of local IP address for the UE, the UE shall update the IKE security association with the new address, and shall update the IPsec security association associated with this IKE security association with the new address. The UE shall then send an INFORMATIONAL request containing the UPDATE_SA_ADDRESSES notification to the ePDG.
If, further to this update, the UE receives an INFORMATIONAL request with a COOKIE2 notification present, the UE shall copy the notification to the COOKIE2 notification of an INFORMATIONAL response and send it to the ePDG.
7.2.4	Tunnel disconnection
7.2.4.1	UE initiated disconnection
The UE shall use the procedures defined in the IKEv2 protocol (see IETF RFC 4306 [28]) to disconnect an IPsec tunnel to the ePDG. The UE shall close the incoming security associations associated with the tunnel and instruct the ePDG to do the same by sending the INFORMATIONAL request message including a "DELETE" payload. The DELETE payload shall contain either:
i)	Protocol ID set to "1" and no subsequent Security Parameters Indexes (SPIs) in the payload. This indicates closing of IKE security association, and implies the deletion of all IPsec ESP security associations that were negotiated within the IKE security association; or
ii)	Protocol ID set to "3" for ESP. The Security Parameters Indexes included in the payload shall correspond to the particular incoming ESP security associations at the UE for the given tunnel in question.
7.2.4.2	UE behaviour towards ePDG initiated disconnection
On receipt of the INFORMATIONAL request message including "DELETE" payload, indicating that the ePDG is attempting tunnel disconnection, the UE shall:
i)	Close all security associations identified within the DELETE payload (these security associations correspond to outgoing security associations from the UE perspective). If no security associations were present in the DELETE payload, and the protocol ID was set to "1", the UE shall close the IKE security association, and all IPsec ESP security associations that were negotiated within it towards the ePDG; and
ii)	The UE shall delete the incoming security associations corresponding to the outgoing security associations identified in the "DELETE" payload.
The UE shall send an INFORMATIONAL response message. If the INFORMATIONAL request message contained a list of security associations, the INFORMATIONAL response message shall contain a list of security associations deleted in step (ii) above.
If the UE is unable to comply with the INFORMATIONAL request message, the UE shall send INFORMATION response message with either:
i)	A NOTIFY payload of type "INVALID_SPI", for the case that it could not identify one or more of the Security Parameters Indexes in the message from the ePDG; or
ii)	A more general NOTIFY payload type. This payload type is implementation dependent.
7.3	3GPP AAA server procedures
The UE – 3GPP AAA server procedures are as specified in 3GPP TS 29.273 [17] and 3GPP TS 33.402 [15].
7.4	ePDG procedures
7.4.1	Tunnel establishment
Upon receipt of an IKE_AUTH request message from the UE requesting the establishment of a tunnel, the ePDG shall proceed with authentication and authorization. The basic procedure described in 3GPP TS 33.402 [15], while further details are given below.
During the UE's authentication and authorization procedure, the 3GPP AAA server provides to the ePDG an indication about the selected IP mobility mechanism as specified in 3GPP TS 29.273 [17].
The ePDG shall proceed with IPsec tunnel setup completion and shall relay in the IKEv2 Configuration Payload (CFG_REPLY) of the final IKE_AUTH response message the remote IP address information to the UE. If NBM is used as IP mobility mechanism, the ePDG shall assign either an IPv4 address or an IPv6 Home Network Prefix or both to the UE via a single CFG_REPLY Configuration Payload. If the UE requests for both IPv4 address and IPv6 prefix, but the ePDG only assigns an IPv4 address or an IPv6 Home Network Prefix due to subscription restriction or network preference, the ePDG shall include the assigned remote IP address information (IPv4 address or IPv6 prefix) via a single CFG_REPLY Configuration Payload. If the ePDG assigns an IPv4 address, the CFG_REPLY contains the INTERNAL_IP4_ADDRESS attribute. If the ePDG assigns an IPv6 Home Network Prefix, the CFG_REPLY contains the INTERNAL_IP6_SUBNET configuration attribute. The ePDG obtains the IPv4 address and/or the IPv6 Home Network Prefix during the PBU/PBA exchange with the PDN GW. If the UE does not provide an APN to the ePDG during the tunnel establishment, the ePDG shall include the default APN in the IDr payload of the IKE_AUTH response message.
If DSMIPv6 is used as IP mobility mechanism, depending on the information provided by the UE in the CFG_REQUEST payload the ePDG shall assign to the UE either a local IPv4 address or local IPv6 address (or a local IPv6 prefix) via a single CFG_REPLY Configuration Payload. If the ePDG assigns a local IPv4 address, the CFG_REPLY contains the INTERNAL_IP4_ADDRESS attribute. If the ePDG assigns a local IPv6 address or a local IPv6 prefix the CFG_REPLY contains correspondingly the INTERNAL_IP6_ADDRESS or the INTERNAL_IP6_SUBNET attribute. If the UE provided an APN to the ePDG during the tunnel establishment, the ePDG shall not change the provided APN and shall include the APN in the IDr payload of the IKE_AUTH response message. An IPsec tunnel is now established between the UE and the ePDG.
If NBM is used and if the ePDG needs to reject a PDN connection due to the network policies or the ePDG capabilities, the ePDG shall include in theIKE_AUTH response message containing the IDr payload a Notify Payload with a Notify Message Type value 8192. Additionally if the IKE_AUTH request message from the UE indicated Handover Attach as specified in subclause 7.2.2, the Notification Data field of the Notify Payload shall include the IP address information from the Handover Attach indication. If the UE indicated Initial Attach, the Notification Data field shall be omitted. The Notify Message Type value 8192 is an error notification meaning that the IPsec tunnel for the PDN connection to the APN requested by the UE cannot be established.
If the UE indicates Handover Attach by including the previously allocated home address information and the ePDG obtains one or more PDN GW identities from the 3GPP AAA server, the ePDG shall use these identified PDN GWs in the subsequent PDN GW selection process. If the UE indicates Initial Attach i.e. home address information not included, the ePDG may run its initial PDN GW selection process to determine the PDN GW without using the received PDN GW identities.
The ePDG shall support IPSec ESP (see IETF RFC 4303 [32]) in order to provide secure tunnels between the UE and the ePDG as specified in 3GPP TS 33.402 [15].
During the IKEv2 authentication and tunnel establishment, if the UE requested the HA IP address(es) and if DSMIPv6 was chosen and if the HA IP address(es) are available, the ePDG shall provide the HA IP address(es) (IPv6 address and optionally IPv4 address) for the corresponding APN as specified by the "IDr" payload in the IKE_AUTH request message by including in the CFG_REPLY Configuration Payload a HOME_AGENT_ADDRESS attribute. In the CFG_REPLY, the ePDG sets respectively the IPv6 Home Agent address field and optionally the IPv4 Home Agent address field of the HOME_AGENT_ADDRESS attribute to the IPv6 address of the HA and to the IPv4 address of the HA. If no IPv4 HA address is available at the ePDG or if it was not requested by the UE, the ePDG shall omit the IPv4 Home Agent Address field. If the ePDG is not able to provide an IPv6 HA address for the corresponding APN, then the ePDG shall not include a HOME_AGENT_ADDRESS attribute in the CFG_REPLY.
7.4.2	Tunnel modification
When receiving an INFORMATIONAL request containing the UPDATE_SA_ADDRESSES notification, the ePDG shall check the validity of the IP address and update the IP address in the IKE security association with the values from the IP header. The ePDG shall reply with an INFORMATIONAL response.
The ePDG may initiate a return routability check for the new address provided by the UE, by including a COOKIE2 notification in an INFORMATIONAL request and send it to the UE. When the ePDG receives the INFORMATIONAL response from the UE, it shall check that the COOKIE2 notification payload is the same as the one it sent to the UE. If it is different, the ePDG shall close the IKE security association by sending an INFORMATIONAL request message including a "DELETE" payload.
If no return routability check is initiated by the ePDG, or if a return routability check is initiated and is successfully completed, the ePDG shall update the IPsec security associations associated with the IKE security association with the new address.
7.4.3	Tunnel disconnection
7.4.3.1	ePDG initiated disconnection
The ePDG shall use the procedures defined in the IKEv2 protocol (see IETF RFC 4306 [28]) to disconnect an IPsec tunnel to the UE. The ePDG shall close the incoming security associations associated with the tunnel and instruct the UE to do likewise by sending the INFORMATIONAL request  message including a "DELETE" payload. The DELETE payload shall contain either:
i)	Protocol ID set to "1" and no subsequent Security Parameter Indexes in the payload. This indicates that the IKE security association, and all IPsec ESP security associations that were negotiated within it between ePDG and UE shall be deleted; or
ii)	Protocol ID set to "3" for ESP. The SECURITY PARAMETERS INDEXES s included in the payload shall correspond to the particular incoming ESP SECURITY ASSOCIATION at the UE for the given tunnel in question.
7.4.3.2	ePDG behaviour towards UE initiated disconnection
On receipt of the INFORMATIONAL request message including "DELETE" payload indicating that the UE is initiating tunnel disconnect procedure, the ePDG shall:
i)	Close all security associations identified within the DELETE payload (these security associations correspond to outgoing security associations from the ePDG perspective). If no security associations were present in the DELETE payload, and the protocol ID was set to "1", the ePDG shall close the IKE security association, and all IPsec ESP security associations that were negotiated within it towards the UE; and
ii)	The ePDG shall delete the incoming security associations corresponding to the outgoing security associations identified in the "DELETE" payload.
The ePDG shall send an INFORMATIONAL response message. This shall contain a list of security associations deleted in step (ii) above.
If the ePDG is unable to comply with the INFORMATIONAL request message, the ePDG shall send INFORMATION response message with either:
i)	a NOTIFY payload of type "INVALID_SPI", for the case that it could not identify one or more of the SECURITY PARAMETERS INDEXES  in the message from the UE; or
ii)	a more general NOTIFY payload type. This payload type is implementation dependent.
8	PDUs and parameters specific to the present document
8.1	3GPP specific coding information defined within present document
8.1.1	Access Network Identity format and coding
8.1.1.1	Generic format of the Access Network Identity
The Access Network Identity shall take the generic format of an octet string without terminating null characters. The length indicator for the ANID is 2 bytes long, see IETF RFC 5448 [38]. Representation as a character string is allowed, but this character string shall be converted into an octet string of maximum length 253 according to UTF-8 encoding rules as specified in IETF RFC 3629 [34] before the Access Network Identity is input to the Key Derivation Function, as specified in 3GPP TS 33.402 [15], or used in the Access Network Identity indication from 3GPP AAA server to UE, cf. subclause 8.2.2. The ANID is structured as an ANID Prefix and none, one or more ANID additional character strings separated by the colon character ":". In case additional ANID strings are not indicated the complete ANID consists of the ANID Prefix character string only. The ANID shall be represented by Unicode characters encoded as UTF-8 as specified in IETF RFC 3629 [34] and formatted using Normalization Form KC (NFKC) as specified in Unicode 5.1.0, Unicode Standard Annex #15; Unicode Normalization Forms [41].
8.1.1.2	Definition of Access Network Identities for Specific Access Networks
Table 8.1.1.2 specifies the list of Access Network Identities defined by 3GPP in the context of non-3GPP access to EPC.
Table 8.1.1.2: Access Network Identities
Access Network Identity
Type of Access Network
ANID Prefix
Additional ANID strings

"HRPD" constant character string, see NOTE 1 and NOTE 2
 
No additional ANID string, see NOTE 2 and NOTE 6
cdma2000® HRPD access network
"WIMAX" constant character string, see NOTE 1

No additional ANID string, see NOTE 3 and NOTE 6
WiMAX access network
"WLAN" constant character string, see NOTE 1

No additional ANID string, see NOTE 4 and NOTE 6
WLAN access network
"ETHERNET" constant character string, see NOTE 1

No additional ANID string, see NOTE 5 and NOTE 6
Fixed access network
All other character strings

Not applicable
Not defined, see NOTE 6 and Annex B


NOTE 1:	The quotes are not part of the definition of the character string.

NOTE 2:	The value of the ANID Prefix for cdma2000® HRPD access networks is defined in 3GPP2 X.S0057 [20]. 3GPP2 is responsible for specifying possible additional ANID strings applicable to the "HRPD" ANID Prefix.

NOTE 3:	WiMAX Forum is responsible for specifying possible additional ANID strings applicable to the "WIMAX" ANID Prefix.

NOTE 4: 	IEEE 802 is responsible for specifying possible additional ANID strings applicable to the "WLAN" ANID Prefix.

NOTE 5: 	IEEE 802 is responsible for specifying possible additional ANID strings applicable to the "ETHERNET" ANID Prefix.

NOTE 6:	Additional ANID Prefixes and ANID strings can be added to this table following the procedure described in the informative Annex B.


8.2	IETF RFC coding information defined within present document
8.2.1	IPMS attributes
8.2.1.1	AT_IPMS_IND attribute

7
6
5
5
3
2
1
0


Attribute Type = AT_IPMS_IND
octet 1

Length = 1
octet 2

Value 
octet 3
octet 4
Figure 8.2.1.1: AT_IPMS_IND attribute

Table 8.2.1.1: AT_IPMS_IND attribute
Octet 1 indicates the type of attribute as AT_IPMS_IND with a value of 137.



Octet 2 is the length of this attribute which shall be set to 1 as per IETF RFC 4187 [33]

Octet 3 and 4 is the value of this attribute. Octet 3 is reserved and shall be coded as zero. Octet 4 shall be set as follows. All other values are reserved.
76453210Protocol Supported00000001DSMIPv6 only00000010NBM only00000011MIPv4 only00000100DSMIPv6 and NBM both supported00000101MIPv4 and NBM both supported00000110DSMIPv6 and NBM Supported;DSMIPv6 preferred00000111DSMIPv6 and NBM Supported; NBM preferred00001000MIPv4 and NBM supported; MIPv4 preferred00001001MIPv4 and NBM supported; NBM preferred00001010MIPv4 and DSMIPv6 supported; MIPv4 preferred00001011MIPv4 and DSMIPv6 supported; DSMIPv6 preferred00001100MIPv4, DSMIPv6 and NBM supported; MIPv4 preferred00001101MIPv4, DSMIPv6 and NBM supported; DSMIPv6 preferred00001110MIPv4, DSMIPv6 and NBM supported; NBM preferred
8.2.1.2	AT_IPMS_RES attribute

7
6
5
4
3
2
1
0


Attribute Type = AT_IPMS_RES
octet 1

Length = 1
octet 2

Value 
octet 3
octet 4
Figure 8.2.1.2: AT_IPMS_RES attribute.

Table 8.2.1.2: AT_IPMS_RES attribute
Octet 1 indicates the type of attribute as AT_IPMS_RES with a value of 138.


Octet 2 is the length of this attribute which shall be set to 1 as per IETF RFC 4187 [33]

Octet 3 and 4 is the value of this attribute. Octet 3 is reserved and shall be coded as zero. Octet 4 shall be set as follows. All other values are reserved.
76453210Protocol Selected00000001DSMIPv6 00000010NBM 00000011MIPv4 
8.2.2	Access Network Identity indication attribute
8.2.2.1	Access Network Identity in the AT_KDF_INPUT attribute
The Access Network Identity is indicated in the Network Name Field of the AT_KDF_INPUT attribute as specified in IETF RFC 5448 [38]. The Network Name Field shall contain the Access Network Identity as specified in subclause 8.1.1 of this specification.
NOTE:	IETF in IETF RFC 5448 [38] refers to this specification for the value of the Network Name field.
8.2.3	Trust relationship indication attribute
8.2.3.1	AT_TRUST_IND attribute

7
6
5
5
3
2
1
0


Attribute Type = AT_TRUST_IND
octet 1

Length = 1
octet 2

Value 
octet 3
octet 4
Figure 8.2.3.1-1: AT_TRUST_IND attribute

Table 8.2.3.1-1: AT_TRUST_IND attribute
Octet 1 indicates the type of attribute as AT_TRUST_IND with a value of 139.



Octet 2 is the length of this attribute which shall be set to 1 as per IETF RFC 4187 [33]

Octet 3 and 4 is the value of the attribute. Octet 3 is reserved and shall be coded as zero. Octet 4 shall be set as follows. All other values are reserved.
76453210Indicated Trust Relationship00000001Trusted00000010UnTrusted
8.2.4	IKEv2 Configuration Payloads attributes
8.2.4.1	HOME_AGENT_ADDRESS attribute
The HOME_AGENT_ADDRESS attribute is shown in figure 8.2.4.1-1. The length of the HOME_AGENT_ADDRESS attribute is 16 or 20 bytes. The IPv4 Home Agent Address field is optional. The HA's IPv6 and IPv4 addresses are laid out respectively in IPv6 Home Agent Address and IPv4 Home Agent Address fields in big endian order (aka most significant byte first, or network byte order), see IETF RFC 4306 [28].
Bits

7
6
5
4
3
2
1
0
Octets
R
Attribute Type
1
Attribute Type
2
Length
3, 4
IPv6 Home Agent Address
5 - 20
IPv4 Home Agent Address 
21 - 24
Figure 8.2.4.1-1: HOME_AGENT_ADDRESS attribute
The R bit in the first octet is defined in IETF RFC 4306 [28].
The Attribute Type indicating HOME_AGENT_ADDRESS is of the value 19.
Annex A (informative):
Example signalling flows for inter-system change between 3GPP and non-3GPP systems using ANDSF
A.1	Scope of signalling flows
This annex gives examples of signalling flows for mobility between 3GPP and non-3GPP systems. These signalling flows provide as example detailed information on Network Discovery and Selection aspects involving the use of ANDSF.
A.2	Signalling flow for inter-system change between 3GPP access network and non-3GPP access network
Figure A1 below shows an inter-system change procedure between 3GPP access network and non-3GPP access network using information obtained from ANDSF.
In this example the UE uses DHCP query to obtain the IP address of the ANDSF.
In this example flow, the communication between the UE and ANDSF does not imply use of any specific protocol.
The steps involved in inter-system change between 3GPP access network and non-3GPP access network are as follows.

 EMBED Visio.Drawing.11  
Figure A1. Procedure for Inter-system change between 3GPP access and non-3GPP using ANDSF
1.	Initial connectivity
	The UE is connected to 3GPP network. The current applications are supported over the 3GPP access network.
NOTE:	The procedure remains the same if the UE is initially connected to non-3GPP access network and wants to change to 3GPP access network.
2.	Pre-provisioned policies
	The inter-system mobility policy is pre-provisioned on the UE. Based on pre-provisioned operator policies the UE has preference for different non-3GPP networks such as WLAN, and WiMAX. The UE can select these access networks when they are available.
3.	ANDSF Discovery
	ANDSF discovery is performed as described in subclause 6.8.2.2.1. The UE can discover ANDSF using DHCP query options as specified in IETF RFC 6153 [37], where ANDSF may be identified with a specific sub-option code. Optionally, the home operator can use OMA-DM's bootstrap mechanism as specified in OMA-ERELD-DM-V1_2 [39] to provide ANDSF information and security parameters for application layer authentication. Transport security is ensured by establishing an https tunnel between the UE and ANDSF,
4.	Policy Update based on Network Triggers
	Based on network triggers the ANDSF sends an updated inter-system mobility policy to the UE. The inter-system mobility policy includes validity conditions, i.e. conditions indicating when the policy is valid. Such conditions can include time duration, location area, etc.
5.	Evaluate which non-3GPP networks to discover
	The inter-system mobility policies specify the access networks that the UE can select; the UE has both WLAN and WiMAX radios. In this case, the inter-system mobility policy provided by the operator allows the UE to select either WLAN or WiMAX networks under all conditions. The UE, taking into account of the UE's local policy, e.g. user preference settings, access history, obtains information about availability of both WLAN and WiMAX access networks in its vicinity.
6.	Access Network Information Request
	The UE sends a request to ANDSF to get information about available access networks. The UE also includes its location information in the request. ANDSF can limit the information sent to UE based on internal settings.
7.	Access Network Information Response
	The ANDSF sends a response to the UE which includes the list of available access networks types (in order of operator preferences), access network identifier and PLMN identifier. In this case the ANDSF responds with availability of both WLAN and WiMAX network in the vicinity of the UE.
8.	Evaluate candidate non-3GPP networks
	Based on the received information and UE's local policy, the UE evaluates if it is within the coverage area of the available access networks in the order of preferences. In this case,based on the history and radio quality of WiMAX, the UE prefers WiMAX over WLAN access type. The UE powers on the WiMAX radio and checks for the presence of WiMAX network. The UE can listen to WiMAX broadcast messages (uplink/downlink channel data messages) and determines the presence of WiMAX network. Since the WiMAX network is the preferred network and since the UE has verified the presence of WiMAX network, the UE does not check for presence of WLAN network.
9.	Non-3GPP Network Selection
	The UE selects the most preferred available access network for inter-system mobility. In this case the UE selects the WiMAX access network.
10.	Inter-system change Procedure
	The UE initiates inter-system change procedure to the selected non-3GPP access network. The details of the inter-system change procedure are described elsewhere, see 3GPP TS 23.402 [6].
Annex B (informative):
Assignment of Access Network Identities in 3GPP
This annex describes the recommended assignment procedure of Access Network Identities within 3GPP.
B.1	Access Network Identities
According to 3GPP TS 23.003 [3] the encoding of the Access Network Identity is specified within 3GPP, but the Access Network Identity definition for each non-3GPP access network is under the responsibility of the corresponding standardisation organisation respectively.
If a standardisation organisation for a non-3GPP access network determines they need to define a new Access Network Identity Prefix or additional ANID strings, they can contact the 3GPP TSG-CT WG 1 via a Liaison Statement and indicate the specific values of the Access Network Identity Prefixes or the specific values of, or construction principles for, the additional ANID strings to be specified by 3GPP and give reference to the corresponding specification(s) of the requesting organisation. 3GPP TSG CT WG 1 will then specify the values for the Access Network Identities by updating Table 8.1.1.2 in this specification and inform the requesting standardisation organisation.
Annex C (informative):
Example usage of ANDSF
C.1	Scope of ANDSF Example
This Annex gives an example of organization of ANDSF database and how it can be used to discover access network information. In this example the UE is in 3GPP network and is trying to discover available WiMAX networks. The ANDSF database is provided by the 3GPP operator with PLMN = PLMN_3GPP.
C.2	Organization of ANDSF Coverage Map for WiMAX Network discovery
Table C1 illustrates the organization of ANDSF database for discovering WiMAX and WiFi networks. The ANDSF database provides the coverage mapping information for WiMAX and WiFi networks based on 3GPP cell identifiers. In this example the UE_Location can be specified either in terms of 3GPP parameters (PLMN + Cell Identifier) or in terms of geo spatial co-ordinates.
Table C1: ANDSF Database Organization for PLMN = PLMN_3GPP
UE_Location
- 3GPP (CellId)
- Other (Geopriv)
AccessType = WiMAX
AccessType = WiFi
Locn_1
    Cell_Id = Cell_1
NSP-ID= NSP_1:
    -NAP_ID = NAP_1
    -NAP_ID = NAP_2
NSP-ID = NSP_2
    -NAP_ID = NAP_2
    -NAP_ID = NAP_3
SSID = WiFi1, BSSID = BS1
SSID = WiFi2, BSSID = BS2
Locn_2
    Cell_Id = Cell_2
NSP-ID = NSP_2
    - NAP_ID = NAP_3
N/A
Locn_3
   Cell_Id = Cell_3
N/A
SSID = WiFi1, BSSID = BS3
SSID = WiFi4, BSSID = BS4
…..
…….
…….
Locn_n
   Cell_Id = Cell_n
NSP-ID =  NSP_1
      NAP_ID = NAP_2
SSID = WiFi6, BSSID = BS5


For WiMAX network the database provides information about WiMAX NSP and NAP that provide coverage in respective 3GPP cells. Thus for example in 3GPP Cell_1, WiMAX Service provider NSP_1 provides service to WiMAX radio access providers NAP_1 and NAP-2. Similarly WiMAX Service Provider NSP_2 provides service to Network access providers NAP-2 and NAP_3 as well. Similarly in 3GPP Cell_2 WiMAX Network Service Provider NSP_2 provides service to network Access Provider NAP_3. Further it can be seen that no WiMAX coverage is available in 3GPP cell Cell_3.
C.3	Parameters in Pull mode
The UE is currently in 3GPP network. The UE sends a query to OMA ANDSF server as follows:
ANDSF_Query ( UE_Location, AccessNetworkType=WiMAX )
The UE specifies the UE_Location information in terms of current 3GPP Cell Id (e.g. Cell_2)
On receipt of the query message the ANDSF looks up the UE_Location (Cell_2) in the ANDSF database and searches for a prospective WiMAX entry. In this case the ANDSF retrieves WiMAX Service provider identifier (NSP-ID) NSP_2 and WiMAX Network Access Provider Identifier (NAP-ID) NAP_3. The ANDSF retrieves the network parameters for this combination. The ANDSF fills these parameters in the WNDS MO and sends the information back to the UE.
ANDSF_Response ( UE_Location, AccessNetworkInformationRef MO=WIMAXNDS).
Annex D (informative):
Mismatch of static configuration of mobility mechanism in the UE and in the network
This annex describes the possible cases of mismatch between the statically configured mobility mechanisms in the UE and in the EPC as shown in table D1. Additionally the table shows whether the UE would be able to access EPC services as a consequence of the mismatch.

Table D1: Mismatch of static configuration of mobility mechanism in the UE and in the network

NBM configured in the network
DSMIPv6 configured in the network
MIPv4 configured in the network
NBM configured in the UE
No mismatch
Mismatch. The UE is not able to access EPC services because the UE configures a local IP address and there is no connectivity to the PGW in the EPC. Depending on operator’s policy and roaming agreements, local IP access services (e.g. Internet access) can be provided in the non-3GPP network using the local IP address. However, such local IP access services, where the user traffic does not traverse the EPC, are not described in this specification.
Mismatch. The UE is not able to access EPC services because the UE does not support communication with the Foreign Agent in the trusted non-3GPP network.
DSMIPv6 configured in the UE
Mismatch. The UE can be able to access EPC services. After attach to the non-3GPP network, the UE is on the home link and configures an IP address based on the HNP, however in some cases the UE cannot detect the home link. Since the UE is configured with DSMIPv6, the UE would initiate a DSMIPv6 bootstrapping:
- If the network offers a HA function to the UE and if the bootstrapping is successful, the UE detects that it is attached to the home link. Depending of the UE capabilities and the network configuration, the UE can access EPC services via the S2a/S2b interface, but session continuity is not supported.
- If the network does not offer a HA function or if the bootstrapping to the HA is not successful, the UE is not able to receive its Home Network Prefix and hence the UE cannot detect that it is on the home link. If no APN bound to the configured IP address was received and the access network doesn’t support APN delivery, the UE would not recognize the mismatch and cannot access EPC services. If the access network supports APN delivery and the configured IP address is bound to an APN, the UE can access EPC services.
No mismatch
Mismatch. The UE is not able to access EPC services because the UE does not support communication with the Foreign Agent in the trusted non-3GPP network.
MIPv4 configured in the UE
Mismatch. The UE is not able to access EPC services because no Foreign Agent functionality is supported in the non-3GPP access network.
Mismatch. The UE is not able to access EPC services because no Foreign Agent functionality is supported in the non-3GPP access network.
No mismatch

Annex E (informative):
UE procedures based on preconfigured and received information
The flow diagrams in figure E-1 and figure E-2 show examples of the procedures that the UE can follow in order to establish a PDN connection based on information available to the UE about the authentication method, received or pre-configured access network trust relationship information or received or preconfigured IP mobility mode selection information.
The following symbols are used:
AN_TRUST	trust relationship between the non-3GPP access network and the 3GPP EPC, considered to be applicable by the UE
IPMM	IP mobility mode, considered  applicable by the UE

Initially, at the entry to flow chart the UE has established contact with the non-3GPP access network, but the UE does not know whether it is in a trusted or untrusted access network.

 EMBED Visio.Drawing.11  
Figure E-1. Procedures to be followed by the UE depending on received and preconfigured information - part 1

 EMBED Visio.Drawing.11  
Figure E-2. Procedures to be followed by the UE depending on received and preconfigured information - part 2

Annex F (informative):
Change history
Change history
DateTSG #TSG Doc.CRRevSubject/CommentOldNew2008-01Draft skeleton provided in C1-080125 by rapporteur to CT1#51.0.0.02008-02CT1#51Includes the following contribution agreed by CT1 at CT1#51:
C1-0805680.0.00.1.02008-02CT1#51 bisIncludes the following contributions agreed by CT1 at CT1#51 bis:
C1-080722, C1-080765, C1-080773, C1-080783, C1-080792,
C1-0807930.1.00.2.02008-04CT1#52Includes the following contributions agreed by CT1 at CT1#52:-
C1-080921, C1-081391, C1-081392, C1-081393, C1-0813940.2.00.3.02008-04email reviewIncomplete implementation C1-0809210.3.00.3.12008-05CT1#53Includes the following contributions agreed by CT1 at CT1#53:-
C1-081575, C1-082019, C1-082066, C1-082067, C1-082074, 
C1-082077, C1-082078, C1-082086, C1-082091, C1-082092, 
C1-082093.0.3.10.4.02008-06CT1#54Includes the following contributions agreed by CT1 at CT1#54:-
C1-082470, C1-082563, C1-082567, C1-082569, C1-082688,
C1-082803, C1-082804, C1-082809.0.4.00.5.02008-08CT1#55Includes the following contributions agreed by CT1 at CT1#55:-
C1-082923, C1-082982, C1-083084, C1-083171, C1-083179, 
C1-083262, C1-083466, C1-083480, C1-083481, C1-083512, 
C1-083513, C1-083514, C1-083526, C1-083603, C1-0836170.5.00.6.02008-09Version 1.0.0 created for presentation to TSG CT#41 for information0.6.01.0.02008-10CT1#55bisIncludes the following contributions agreed by CT1 at CT1#55bis:-
C1-083851; C1-083976; C1-084155; C1-084383; C1-084385;
C1-084386; C1-084387; C1-084388; C1-084391; C1-084393;
C1-084394; C1-084395; C1-084396; C1-0844821.0.01.1.02008-11CT1#56Includes the following contributions agreed by CT1 at CT1#56:-
C1-084934; C1-085322; C1-085327; C1-085328; C1-085329;
C1-085331; C1-085333; C1-085335; C1-085336; C1-085338;
C1-085516; C1-085526; C1-085534
Editorial corrections by the rapporteur to align with drafting rules1.1.01.2.02008-11Version 2.0.0 created for presentation to CT#42 for approval1.2.02.0.02008-12CT#42Version 8.0.0 created after approval in CT#422.0.08.0.02009-03CT#43CP-09012900012Rapporteur's cleanup of editorial and typo mistakes8.0.08.1.02009-03CT#43CP-0901310002Trust Relationship Detection8.0.08.1.02009-03CT#43CP-09013000051Removing redundant and out-of-date editor's notes8.0.08.1.02009-03CT#43CP-09012900061Missing specification text on WIMAX ANID8.0.08.1.02009-03CT#43CP-09012500073ANDSF discovery and bootstrapping8.0.08.1.02009-03CT#43CP-09012700081Corrections for authentication in trusted and untrusted access 8.0.08.1.02009-03CT#43CP-09012800092Incorrect protocol type and wrong reference8.0.08.1.02009-03CT#43CP-09012800114Delivering HA-APN information to the UE8.0.08.1.02009-03CT#43CP-09012600122Clarifications for IP mobility mode selection8.0.08.1.02009-03CT#43CP-0901300014System selection 8.0.08.1.02009-03CT#43CP-09012500172ANDSF procedure - align with 24.3128.0.08.1.02009-03CT#43CP-09012900242Clarifying the number of ePDGs8.0.08.1.02009-03CT#43CP-09013000271Restructuring sub-clause 5.18.0.08.1.02009-03CT#43CP-09012900282Refining sub-clause 5.2 on EPC network selection8.0.08.1.02009-03CT#43CP-0901310029Use of decorated NAI for cdma2000 access to EPC8.0.08.1.02009-03CT#43CP-0901260030Clarification of AAA procedures for cdma2000 access8.0.08.1.02009-03CT#43CP-09012600341Clarification on Tunnel establishment for Multiple PDNs8.0.08.1.02009-03CT#43CP-09012600381Cleanup for Static Configuration of Inter-technology Mobility Mechanism8.0.08.1.02009-03CT#43CP-09012700421Cleanup for UE discovering the ANDSF8.0.08.1.02009-03CT#43CP-09013000442Selection of the ePDG – resolution of open issues8.0.08.1.02009-06CT#44CP-09041300433Mismatch in the static configuration of IP mobility mechanisms in the UE and the EPC8.1.08.2.02009-06CT#44CP-09035700482Refining UE procedures for IPSec tunnel management8.1.08.2.02009-06CT#44CP-09041300491Access authentication for untrusted non-3GPP access8.1.08.2.02009-06CT#44CP-09041300511Clarification about ANDSF usage8.1.08.2.02009-06CT#44CP-09041300551IPMS indication to the ePDG and IP address assignment8.1.08.2.02009-06CT#44CP-09041300571ANDSF DHCP Options 8.1.08.2.02009-06CT#44CP-09041300581Network selection and I-WLAN8.1.08.2.02009-09CT#45CP-09065400375Clarifications on UE procedures8.2.08.3.02009-09CT#45CP-09065400565Handover of multiple PDN connections to one APN8.2.08.3.02009-09CT#45CP-09065400602Corrections and clarifications on identity usage8.2.08.3.02009-09CT#45CP-09065400611Periodic network selection attempts for non-3GPP accesses8.2.08.3.02009-09CT#45CP-09065400621Correcting ambiguity of EPC network selection for WLAN as a non-3GPP access8.2.08.3.02009-09CT#45CP-09065400651Correction on how UE uses ANDSF information in Annex A8.2.08.3.02009-09CT#45CP-0906540066Alignment of text for ANDSF and PLMN selection interaction 8.2.08.3.02009-09CT#45CP-09065400681APN information in IKE message8.2.08.3.02009-09CT#45CP-09065400691IP address allocation during IPsec tunnel establishment procedure8.2.08.3.02009-09CT#45CP-0906540070Editorial corrections to subclause 7.2.28.2.08.3.02009-09CT#45CP-09065400712Corrections in IP Mobility Mode selection8.2.08.3.02009-09CT#45CP-09065400724PCO handling on PMIP based interfaces8.2.08.3.02009-09CT#45CP-09065400761Attach to untrusted network correction8.2.08.3.02009-09CT#45CP-09065400772Corrections to sending of IPMS indication8.2.08.3.02009-09CT#45CP-09065400751Description on ANDSF in roaming case8.3.09.0.02009-12CT#46CP-09093700791ANDSF Discovery in roaming scenarios9.0.09.1.02009-12CT#46CP-09093700822ANDSF discovery procedures performed by a UE9.0.09.1.02009-12CT#46CP-09093700833Secure connection between UE and ANDSF9.0.09.1.02009-12CT#46CP-09093400876Implementation of stage 2 requirements for MUPSAP9.0.09.1.02009-12CT#46CP-09090100901Tunnel set up after WLAN PLMN selection 9.0.09.1.02009-12CT#46CP-09090100912UE behavior when connectin to v-ANDSF9.0.09.1.02009-12CT#46CP-09090100952UE’s IP configuration during IPsec tunnel establishemnet with ePDG9.0.09.1.02009-12CT#46CP-09090100972PDN connection reject during the IPsec tunnel establishment9.0.09.1.02009-12CT#46CP-09090100991Removal of outdated or redundant editor's notes ahead of CT#469.0.09.1.02009-12CT#46CP-09090101021Addition of abbreviations9.0.09.1.02009-12Editorial correction9.1.09.1.12010-03CT#47CP-10010700943Removing version identifier from ANDSF information request9.1.19.2.02010-03CT#47CP-10014401004Emergency session handling (for handovers to HRPD access)9.1.19.2.02010-03CT#47CP-10010701041Completion of Network selection procedures9.1.19.2.02010-03CT#47CP-10010701061Corrections to decodes of Value part of EAP attribute9.1.19.2.02010-03CT#47CP-10015001072DHCP discovery of ANDSF for UE while roaming9.1.19.2.02010-03CT#47CP-10015001082UE's use of V-ANDSF information vs H-ANDSF information9.1.19.2.02010-03CT#47CP-10014701091Allowing UE optional behaviour towards networks not supporting MUPSAP9.1.19.2.02010-03CT#47CP-1001470110Resolution of Editor’s note on PDN connection rejection in section 6.4.49.1.19.2.02010-03CT#47CP-10014701132Handling of concurrent PDN connection requests at ePDG9.1.19.2.02010-03CT#47CP-10010701151Correction on attachment with ePDG9.1.19.2.02010-06CT#48CP-1003390118Correction to the Full Authentication and Fast Re-authentication procedures9.2.09.3.02010-06CT#48CP-1003390122Reference Updates9.2.09.3.02010-06CT#48CP-10035401231Corrections to PDN connection reject procedure for S2b interface9.2.09.3.02010-06CT#48CP-1003390125Removing Editor's notes on AT_IPMS_IND, AT_IPMS_RES and AT_TRUST_IND9.2.09.3.02010-09CT#49CP-10050901204Corrections to UE and ANDSF Pull mode procedures9.3.09.4.02010-09CT#49CP-1004850129Removing editor's note on HOME AGENT ADDRESS9.3.09.4.02011-03CT#51CP-11016301442ePDG selection for known VPLMN9.4.09.5.02011-06CT#52CP-11045301571Reference Update for draft-das-mipshop-andsf-dhcp-options9.5.09.6.02011-09CT#53CP-11066001701Removal of duplicate reference and correction of references9.6.09.7.0



























 STYLEREF ZA 3GPP TS 24.302 V9.7.0 (2011-09)
 PAGE 2
 STYLEREF ZGSM Release 9



3GPP