TR 33.926 [4], clause J.2.2.1 Non-compliant UP security policy handling

Priority of UP security policy

TS 23.501 [1], clause 5.10.3

User Plane Security Policy from UDM takes precedence over locally configured User Plane Security Policy as specified in TS 23.501 [1], clause 5.10.3

Verify that the user plane security policy from the UDM takes precedence at the SMF under test over locally configured user plane security policy.

Test environment with AMF and UDM may be simulated.

Both UDM and SMF under test are configured with UP security policy, and the UP security policies are different.

There is no Session Management Subscription data in SMF.

1. The tester triggers PDU session establishment procedure by sending Nsmf_PDUSession_CreateSMContext Request message to the SMF.

2. The SMF under test retrieves the Session Management Subscription data using Nudm_SDM_Get service from UDM, where the Session Management Subscription data includes the user plane security policy stored in UDM.

3. The tester captures the Namf_Communication_N1N2MessageTransfer message sent from the SMF under test to the AMF.

There is a Security Indication IE in the N2 SM information contained in the Namf_Communication_N1N2MessageTransfer message, which is the same with the UP security policy configured in the UDM.

Evidence suitable for the interface, e.g., Screenshot containing the operational results.

TR 33.926 [4], clause J.2.2.1 Non-compliant UP security policy handling

Priority of UP security policy

TS 23.501 [1], clause 5.10.3

Verify that the user plane security policy from the UDM takes precedence at the SMF under test over locally configured user plane security policy.

Test environment with AMF and UDM may be simulated.

Both UDM and SMF under test are configured with UP security policy, and the UP security policies are different.

There is no Session Management Subscription data in SMF.

1. The tester triggers PDU session establishment procedure by sending Nsmf_PDUSession_CreateSMContext Request message to the SMF.

2. The SMF under test retrieves the Session Management Subscription data using Nudm_SDM_Get service from UDM, where the Session Management Subscription data includes the user plane security policy stored in UDM.

3. The tester captures the Namf_Communication_N1N2MessageTransfer message sent from the SMF under test to the AMF.

There is a Security Indication IE in the N2 SM information contained in the Namf_Communication_N1N2MessageTransfer message, which is the same with the UP security policy configured in the UDM.

Evidence suitable for the interface, e.g., Screenshot containing the operational results.

TR 33.926 [4], clause J.2.2.4, Unchecked UP security policy.

UP security policy check.

TS 33.501 [8], clause 6.6.1

According to TS 33.501 [8], clause 6.6.1, the SMF verifies that the UE's UP security policy received from the target ng-eNB/gNB is the same as the UE's UP security policy that the SMF has locally stored. If there is a mismatch, the SMF sends its locally stored UE's UP security policy of the corresponding PDU sessions to the target gNB. This UP security policy information, if included by the SMF, is delivered to the target ng-eNB/gNB in the Path-Switch Acknowledge message. The SMF logs capabilities for this event and may take additional measures, such as raising an alarm.

Verify that the SMF checks the UP security policy that is sent by the ng-eNB/gNB during handover.

The SMF under test is preconfigured with a UE UP security policy.

1. The tester sends the Nsmf_PDUSession_UpdateSMContext Request message to the SMF under test. A UE UP security policy different than the one preconfigured at the SMF under test is included in the Request message.

2. The tester captures the Nsmf_PDUSession_UpdateSMContext Response message sent from the SMF under test.

The preconfigured UE security policy is contained in the 'n2SmInfo' IE in the captured Response message.

Files containing the triggered HTTP messages (e.g. pcap trace).

TR 33.926 [4], clause J.2.2.4, Unchecked UP security policy.

UP security policy check.

TS 33.501 [8], clause 6.6.1

Verify that the SMF checks the UP security policy that is sent by the ng-eNB/gNB during handover.

The SMF under test is preconfigured with a UE UP security policy.

1. The tester sends the Nsmf_PDUSession_UpdateSMContext Request message to the SMF under test. A UE UP security policy different than the one preconfigured at the SMF under test is included in the Request message.

2. The tester captures the Nsmf_PDUSession_UpdateSMContext Response message sent from the SMF under test.

TR 33.926 [4], clause J.2.2.3, "Failure to assign unique Charging ID for a session"

Charging ID uniqueness.

TS 32.255 [6], clause 5.1.2

According to TS 32.255 [6], clause 5.1.2:

• The SMF supports PDU session charging using service based interface.

• The SMF collects charging information per PDU session for UEs served under 3GPP access and non-3GPP access.

• Every PDU session is assigned a unique identity number for billing purposes per PLMN. (i.e. the Charging Id).

Verify that the charging ID generated by the SMF for each PDU session is unique.

Test environment is set up with a Charging Function (CHF), which may be real or simulated, and the SMF under test. The tester is able to capture the traffic between the SMF under test and the CHF.

1. The tester intercepts the traffic between the SMF under test and the CHF.

2. The tester triggers the establishment of the maximum number of concurrent PDU sessions that the SMF under test can handle.

3. The tester captures each Charging Data Request [initial] sent from the SMF under test to the CHF, and verifies the charging ID contained in the 'PDU Session Charging Information' IE in each Charging Data Request [initial] is unique.

The charging ID in each Charging Data Request [initial] is unique.

Files containing the Charging Data Request [initial] messages (e.g. pcap trace).

TR 33.926 [4], clause J.2.2.3, "Failure to assign unique Charging ID for a session"

TS 32.255 [6], clause 5.1.2

• The SMF shall collect charging information per PDU session for UEs served under 3GPP access and non-3GPP access.

• Every PDU session shall be assigned a unique identity number for billing purposes per PLMN. (i.e. the Charging Id). "

Verify that the charging ID generated by the SMF for each PDU session is unique.

Test environment is set up with a Charging Function (CHF), which may be real or simulated, and the SMF under test. The tester is able to capture the traffic between the SMF under test and the CHF.

1. The tester intercepts the traffic between the SMF under test and the CHF.

2. The tester triggers the establishment of the maximum number of concurrent PDU sessions that the SMF under test can handle.

3. The tester captures each Charging Data Request [initial] sent from the SMF under test to the CHF, and verifies the charging ID contained in the 'PDU Session Charging Information' IE in each Charging Data Request [initial] is unique.

The charging ID in each Charging Data Request [initial] is unique.

Files containing the Charging Data Request [initial] messages (e.g. pcap trace).