RADEXT WG                                                  S. Gundavelli
Internet-Draft                                                S. Kishore
Intended status: Standards Track                              M. Grayson
Expires: 24 January 2024                                        O. Pekar
                                                                   Cisco
                                                            23 July 2023


        RADIUS Attributes for 3GPP 5G AKA Authentication Method
                   draft-gundavelli-radext-5g-auth-01

Abstract

   This document proposes extensions to the Remote Authentication Dial-
   In User Service (RADIUS) protocol for supporting the 3rd Generation
   Partnership Project (3GPP) 5G Authentication and Key Agreement (5G-
   AKA) authentication method.

   The 5G-AKA protocol is a key authentication method used in 5G
   networks for mutual authentication and key derivation between user
   devices and the network.  By integrating 5G-AKA into RADIUS,
   enterprises can leverage existing RADIUS-based authentication
   infrastructure for authenticating 5G devices.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 January 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.






Gundavelli, et al.       Expires 24 January 2024                [Page 1]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Terminology . . . . . . . . . . . . . . . . .   3
     2.1.  Conventions . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Motivation  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Overview of 5G Security . . . . . . . . . . . . . . . . . . .   5
   5.  RADIUS Support for 5G-AKA Authentication Method . . . . . . .   6
     5.1.  Call Flow . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  5G-AKA RADIUS Attribute Definitions . . . . . . . . . . . . .   8
     6.1.  5G-Auth-RAND  . . . . . . . . . . . . . . . . . . . . . .   8
     6.2.  5G-Auth-AUTN  . . . . . . . . . . . . . . . . . . . . . .   9
     6.3.  5G-Auth-HXRES-STAR  . . . . . . . . . . . . . . . . . . .  10
     6.4.  5G-Auth-KSEAF . . . . . . . . . . . . . . . . . . . . . .  10
     6.5.  5G-DNN  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     6.6.  5G-SN-NAME  . . . . . . . . . . . . . . . . . . . . . . .  11
     6.7.  User-Name . . . . . . . . . . . . . . . . . . . . . . . .  12
     6.8.  5G-Auth-AUTS  . . . . . . . . . . . . . . . . . . . . . .  13
     6.9.  Table of Attributes . . . . . . . . . . . . . . . . . . .  13
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  14
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  14
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  14
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  14
     10.2.  Informative References . . . . . . . . . . . . . . . . .  14
   Appendix A.  Standard 5G Authentication and Session Establishment
           Signalling Flow . . . . . . . . . . . . . . . . . . . . .  15
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  17

1.  Introduction

   Authentication and key management are critical for ensuring secure
   communication within the access network.  These mechanisms enable
   mutual authentication between the device and the access network,
   verifying identities and establishing trust.  By validating the
   identities of both parties, these procedures ensure that only
   authorized devices can access the network.  Additionally, these
   procedures derive cryptographic keys that safeguard both signaling



Gundavelli, et al.       Expires 24 January 2024                [Page 2]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   and user plane data.  By doing so, they protect the integrity and
   confidentiality of the transmitted information, preventing
   unauthorized access and maintaining a secure communication
   environment within cellular networks.

   3GPP 5G System architecture has defined support for different
   authentication methods - 5G AKA, EAP AKA' and EAP TLS and EAP TTLS.
   The 5G system defines a new service based architecture together with
   new network elements (e.g., AUSF, UDM) to support these
   authentication methods.  Appendix A shows signalling exchanges
   associated with 5G registration between the 5G network functions and
   the AUSF and UDM.

   Integrating this authentication method into RADIUS allows network
   operators to leverage existing RADIUS infrastructure for user
   authentication and authorization in enterprise 5G deployments.  This
   document defines new RADIUS attributes to support the 5G-AKA
   procedure, enabling interoperability between RADIUS servers and 5G
   network elements.

2.  Conventions and Terminology

2.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.2.  Terminology

   All the mobility terms used in this document are to be interpreted as
   defined in the IETF and 3GPP specifications.  For convenience, the
   definitions for some of the terms are provided below.

   Subscription Permanent Identifier (SUPI))

      A globally unique 5G Subscription Permanent Identifier (SUPI) is
      allocated to each subscriber in the 5G System.  The SUPI value is
      provisioned in USIM and UDM/UDR function in 5G Core.  The
      structure of SUPI and its privacy is specified [TS23501]

   Subscription Concealed Identifier (SUCI)

      The Subscription Concealed Identifier (SUCI) is a privacy
      preserving identifier containing the concealed SUPI.  The UE
      generates a SUCI using the public key of the Home Network
      provisioned to the USIM.  The structure of SUCI is specified in
      3GPP specification [TS33501].



Gundavelli, et al.       Expires 24 January 2024                [Page 3]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   Permanent Equipment Identifier (PEI)

      In 5G System, the Permanent Equipment Identifier (PEI) is a unique
      identifier of a UE accessing the private 5G System.  The structure
      of the PEI is specified in 3GPP specification [TS23003].

   International Mobile Station Equipment Identifier (IMEI)

      IMEI is a number that uniquely identifies a mobile device in
      Global System for Mobile Communications (GSM) The structure of the
      IMEI is specified in 3GPP specification [TS33102].

   Sequence Number (SQN)

      The sequence number stored in the UE is termed SQN-UE and the
      sequence number stored in the home network is termed SQN-HN.

3.  Motivation

   Enterprises now have the opportunity to expand and enhance their
   wireless coverage density by complementing their existing IEEE
   802.11-based wireless architectures with 3GPP-based 5G access
   networks.

   There are multiple deployment options available for implementing an
   enterprise 5G system.  It can be deployed through a System Integrator
   (SI), a mobile operator, a Wi-Fi operator in collaboration with a
   cellular provider, potentially a cloud provider, or by the enterprise
   IT themselves if they can access 5G spectrum.  While these options
   provide a strong foundation for enabling basic 5G access
   connectivity, there is considerable value in achieving convergence
   across these diverse access architectures and leveraging the already
   deployed network elements.  It is highly desirable for enterprise IT
   to possess the capability to correlate identities across different
   access technologies and enforce consistent enterprise policies.
















Gundavelli, et al.       Expires 24 January 2024                [Page 4]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


               _------_
             _(        )_        +---+
            -(Enterprise)--------|AAA|
             -( Network)-        +---+
               '-----'          (RADIUS)
                  |
                  |
         +---------------+
         |               |
      +-----+         +-----+
      |Wi-Fi|         | P5G |
      +-----+         +-----+
         .               .
         .               .
         .   +------+    .
         . . |Device|  . .
             +------+

                     Figure 1: Enterprise Architecture

   Enterprise network architectures have undergone extensive evolution
   over an extended period, resulting in intricate structures.  These
   architectures are designed to be technology-agnostic, accommodating
   both Ethernet and Wi-Fi-based connections seamlessly.  RADIUS-based
   infrastructure is widely employed for authentication and policy
   management purposes.  As 5G-based private networks become integrated
   into enterprise environments, it is a natural progression to consider
   private 5G as another access technology, allowing the utilization of
   the existing RADIUS infrastructure to authenticate 5G devices.  The
   adoption of a unified authentication and policy infrastructure across
   different access technologies enables the realization of identity
   correlation and ensures consistent policy enforcement.

   Based on this motivation, we put forward proposals for extending the
   RADIUS protocol to support the 5G-AKA authentication method.

4.  Overview of 5G Security

   The 5G security architecture is given below.

      +----+     +-------+    +------+     +-----------------+
      | UE |     | AMF   |    |AUSF  |     |      UDM        |
      |    |     |(SEAF) |    |      |     | (SIDF, ARPF)    |
      +----+     +-------+    +------+     +-----------------+

                     Figure 2: Enterprise Architecture

   ARPF (Authentication credential Repository for Procession Function)



Gundavelli, et al.       Expires 24 January 2024                [Page 5]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


      ARPF is part of UDM as per the standard.  ARPF contains subscriber
      credentials, i.e. long term keys and Subscriber Identifier (SUPI).
      Subscriber credentials may alternatively be stored in UDR
      [TS23003].

   AMF (Access and Mobility Management Function)

      The AMF is a control plane function in the visited network.  It is
      UE responsible for providing registration (authentication and
      authorization) services as well as connectivity and mobility
      management services.

   AUSF (Authentication Server Function)

      It is standalone NF located in subscriber's home network.  It is
      handling authentication in home network based on information
      received from UE and UDM/ARPF

   SEAF (Security Anchor Function)

      SEAF is functionality provided by the AMF It is handling
      authentication in serving network based on information received
      from UE and AUSF.

   SIDF (Subscriber Identifier De-concealing Function)

      SIDF is a service offered by UDM in home network.  It is
      responsible for resolving the SUPI from the SUCI.

   UDM (Unified Data Management)

      UDM is responsible for managing all user data.

   In 5G UE is authenticated by home network(AUSF) and serving
   network(SEAF).

5.  RADIUS Support for 5G-AKA Authentication Method

   In the proposed approach, the RADIUS server will implement the 5G-AKA
   algorithm.  Furthermore, it is assumed that as this is a private 5G
   deployment, there are no requirements to support inter-operator
   roaming.









Gundavelli, et al.       Expires 24 January 2024                [Page 6]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


       +----+     +-------+     +---------------------+
       | UE |     | AMF   |     |      RADIUS         |
       |    |     |(SEAF) |     |      SERVER         |
       +----+     +-------+     +---------------------+


                     Figure 3: Enterprise Architecture

5.1.  Call Flow

   In the proposed approach, the RADIUS server will be the primary
   authentication function.  Following are the interactions between the
   5G system and the RADIUS Server.

        +----+     +-----+     +---------+
        | UE |     | AMF |     | RADIUS  |
        +----+     +-----+     +---------+
          |    1      |            |
          | --------> |            |
          |           |      2     |
          |           | ---------->|
          |           |            |
          |           |     3      |
          |           | <----------|

                    Figure 4: 5G-AKA Authentication Flow

   *  Step-1: UE Sends the NAS Registration Request message to AMF which
      includes SUCI or 5G-GUTI.

   *  Step-2: AMF creates a RADIUS Access-Request message, which
      includes the RADIUS User-Name attribute that contains the 5G
      subscriber identifier in format SUCI or SUPI and the RADIUS 5G-SN-
      NAME attribute that identifies the serving network name.

   *  Step-3: Once the RADIUS server receives the request it converts
      the SUCI to SUPI using SIDF function.  The RADIUS server consults
      the database of users to find the user whose name matches with
      SUPI in the request.  This is equivalent to the ARPF function in
      the UDM.  The RADIUS server generates an Authentication Vector
      using the 5G-AKA algorithm.  This vector consists of RAND, AUTN,
      HXRES* and KAUSF parameters.  The AUSF function takes KAUSF and
      generates KSEAF.  The RADIUS server responds with a RADIUS Access-
      Accept message containing authentication vector attributes 5G-
      Auth-RAND, 5G-Auth-AUTN, 5G-Auth-HXRES-STAR, 5G-Auth-KSEAF, 3GPP-
      IMSI, 5G-DNN, 3GPP-IMEISV.  All key derivations for 5G-AKA shall
      be performed using the key derivation function (KDF) specified in
      Annex B.2.0 of TS 33.220.



Gundavelli, et al.       Expires 24 January 2024                [Page 7]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   *  On successful lookup of 5G subscriber identity in the database and
      calculation of resulting 5G-AKA authentication vector, the RADIUS
      server sends Access-Accept message that contains the resulting
      authentication vector in 5G authentication RADIUS attributes
      specified in section 6 of this document.

   *  If the RADIUS server fails to execute one or more operations it
      sends a RADIUS Access-Reject message indicating that 5G-AKA
      authentication failed.

   *  Note-1: The RADIUS server must be provided with the 128-bit long K
      and the 128-bit long OPC 5G-AKA parameters per subscriber identity
      SUPI to perform authentication vector calculations according to
      5G-AKA algorithm.

   *  Note-2: The RADIUS server must be provided with the SQN-HN
      parameter that represents a 48-bits long sequence number.  The
      initial value of SQN-HN for 5G subscriber should be 1.  The SQN-HN
      parameter is increased on every 5G-AKA authentication for the
      specific 5G subscriber and when it reaches 0x7FFFFFFFFFFF it is
      rolled over to 1 as specified in TS 33.102 section C.3.2

   *  SQN-HN and SQN-UE sync flow <TBD>

6.  5G-AKA RADIUS Attribute Definitions

   This section describes the attributes that are required for
   supporting 5G-AKA Authentication Method.

   In addition to the new 5G-AKA specific attributes, the standard 3GPP-
   defined vendor specific attributes 3GPP-IMSI and 3GPP-IMEISV are used
   for identity exchange between RADIUS client and RADIUS server.

6.1.  5G-Auth-RAND

   Description

      The 5G-Auth-RAND is of type binary and contains the random number
      which is part of the authentication vector generated by 5G-AKA
      algorithm.  The size of this value is 128 bits.


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |  Length       |            String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+




Gundavelli, et al.       Expires 24 January 2024                [Page 8]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   Type

      <TBD>

   Length

      18

   String

      A random value.

6.2.  5G-Auth-AUTN

   Description

      The 5G-Auth-AUTN is of type binary and contains the authentication
      token which is part of the authentication vector generated by 5G-
      AKA algorithm.  The size of this value is 128 bits.  AUTN is
      generated using this formula (SQN ^ AK) || AMF || MAC_A.  AMF is
      set to 0x8000.


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |  Length       |            String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   Type

      <TBD>

   Length

      18

   String

      The value of Authentication Token parameter of 5G-AKA algorithm.










Gundavelli, et al.       Expires 24 January 2024                [Page 9]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


6.3.  5G-Auth-HXRES-STAR

   Description

      The 5G-Auth-HXRES-STAR is of type binary and contains the 5G hash
      expected response which is part of the authentication vector
      generated by 5G-AKA algorithm.  Refer TS33.501 Annex A.5 to
      generate this value.  The maximum size of this value is 128 bits.


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |  Length       |            String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   Type

      <TBD>

   Length

      18

   String

      The value of Hash Expected Response parameter of 5G-AKA algorithm.

6.4.  5G-Auth-KSEAF

   Description

      The 5G-Auth-KSEAF is of type binary and contains the 128 bit long
      5G security anchor key used to derive KAMF key.  This is part of
      the authentication vector generated by 5G-AKA algorithm.  Refer
      to: TS33.501 Annex A.6 to generate this value.


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |  Length       |            String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+







Gundavelli, et al.       Expires 24 January 2024               [Page 10]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   Type

      <TBD>

   Length

      18

   String

      The value of security anchor key of 5G-AKA algorithm.

6.5.  5G-DNN

   Description

      The 5G-DNN is of type string and contains the 5G data network name
      which is basically a address pool name.  This is part of
      authorization attribute.


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |  Length       |            String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   Type

      <TBD>

   Length

      >= 3

   String

      The string that contains the 5G data network name.

6.6.  5G-SN-NAME

   Description

      The 5G-SN-NAME is of type string and contains the serving network
      name.





Gundavelli, et al.       Expires 24 January 2024               [Page 11]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |  Length       |            String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   Type

      <TBD>

   Length

      >= 3

   String

      The string that represents serving network name in the following
      format:

      *  If NID is not present:
         "5G:mnc<ddd>.mcc<ddd>.3gppnetwork.org", where 'd' is single
         decimal digit

      *  If NID is present:
         "5G:mnc123.mcc456.3gppnetwork.org:CAFECAFECAFE", where 'd' is
         single decimal digit and 'X' is single capitalized hexadecimal
         digit

6.7.  User-Name

   Description

      A standard RADIUS User-Name attribute is used to represent the UE
      Identifier


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |  Length       |            String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   Type

      1




Gundavelli, et al.       Expires 24 January 2024               [Page 12]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   Length

      >= 3

   String

      The User-Name is of type string and contains the UE identifier
      SUPI or SUCI.  The format of SUPI identifier is given below.
      SUPI-xxxxxxxxxxxxxxx (15 digits) e.g.  SUPI-123456789012345.  The
      format of SUCI identifier is given below.  SUCI-SUCI Type - Home
      Network Identifier - Routing Indicator - Protection Scheme - HN
      Public key ID - Protection Scheme Output e.g.  SUCI-
      0-123-456-0-0-0-150000100

6.8.  5G-Auth-AUTS

   Description

      The 5G-Auth-AUTS is of type binary and contains SQN-UE.  The size
      of this value is 112 bits.  AUTS is generated using this formula
      Conc(SQN-UE) || MAC_S.  Refer to: TS33.102 Section 6.3.3 to
      generate this value.


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |  Length       |            String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   Type

      <TBD>

   Length

      16

   String

      The value of authentication token used for re-synchronization.

6.9.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.




Gundavelli, et al.       Expires 24 January 2024               [Page 13]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   Request   Accept   Reject   Challenge   #    Attribute
   1         0-1      0        0            1   User-Name
   0         0-1      0        0          TBD   5G-Auth-RAND
   0         0-1      0        0          TBD   5G-Auth-HXRES-STAR
   0         0-1      0        0          TBD   5G-Auth-KSEAF
   0         0-1      0        0          TBD   5G-Auth-DNN
   0-1       0        0        0          TBD   5G-Auth-SN-NAME
   0         0-1      0        0          TBD   3GPP-IMEISV
   0         0-1      0        0          TBD   3GPP-IMSI


7.  IANA Considerations

   IANA is requested to assign the following values for the new RADIUS
   attributes defined in this document: TBD

8.  Security Considerations

   The security of the 5G-AKA authentication method relies on the
   integrity and confidentiality of the exchanged authentication
   vectors, security algorithms, and cryptographic keys.  Appropriate
   measures must be taken to protect these sensitive attributes during
   transmission between the RADIUS client and server.

9.  Acknowledgements

   TBD

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

10.2.  Informative References

   [TS23003]  23.003, 3. T., "Numbering, addressing and identification",
              2021.

   [TS23501]  23.501, 3. T., "Numbering, addressing and identification",
              2021.

   [TS33102]  33.102, 3. T., "3GPP Security Architecture", 2021.





Gundavelli, et al.       Expires 24 January 2024               [Page 14]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   [TS33501]  33.501, 3. T., "Architecture enhancements for non-3GPP
              accesses", 2021.

Appendix A.  Standard 5G Authentication and Session Establishment
             Signalling Flow

   The standard 5G authentication and session establishment signalling
   flow is illustrated in Figure 5.

   1.   In step 1, the UE sends a registration request.

   2.   The AMF sends a POST to the AUSF with the path /nausf-auth/v1/
        ue-authentications including (supiOrSuci, servingNetworkName).

   3.   The AUSF sends a POST to the UDM with the path /nudm-ueau/
        v1/{suciOrSuci}/security-information/generate-auth-data
        including the (servingNetworkName).

   4.   The UDM responds to the AUSF with a 200 OK incluing (authType,
        authVector(avType,rand,autn,xresStar,kausf)).

   5.   The AUSF responds to the AMF with a 201 OK including
        (authType:5G_AKA,5GAuthData(rand,autn,hxresStar)).

   6.   The AUSF sends the UE an Authentication Request including
        (rand,autn).

   7.   The UE responds to the AMF with an Authentication Response
        including (res*).

   8.   The AMF calculates hres* and compare with hxresStar.

   9.   The AMF sends a PUT to the AUSF with the path /nausf-auth/v1/ue-
        authentications/1/5g-aka-confirmation including (resStar).

   10.  The AUSF compare resStar with xresStar.

   11.  The AUSF responds to the AMF with a 200 OK including
        (authResult,supi,kseaf).

   12.  The AMF sends a PUT to the UDM with the path /nudm-
        uecm/v1/{supiOrSuci}/registrations/amf-3gpp-access including
        (deregCallbackURri, guami,ratType).

   13.  The UDM responds to the AMF with a 201 OK.

   14.  The AMF sends a GET to the UDM with the path /nudm-sdm/
        v2/{supiOrSuci}/am-data.



Gundavelli, et al.       Expires 24 January 2024               [Page 15]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   15.  The UDM responds ot the AMF with a 200 OK including
        (subscribedUeAmbr,nssai).

   16.  The AMF sends a GET to the UDM with the path /nudm-sdm/
        v2/{supiOrSuci}/smf-select-data.

   17.  The UDM responds to the AMF with a 200 OK including
        (subscribedSnssaiInfos(dnnInfos,defaultDnnIndicator)).

   18.  The AMF sends a GET to the UDM with the path nudm-sdm/
        v2/{supiOrSuci}/ue-context-in-smf-data.

   19.  The UDM responds to the AMF with a 200 OK.

   20.  The AMF sends a POST to the PCF with the path npcf-am-policy-
        control/v1/policies including
        (supi,accessType,servingPlmnueAmbr).

   21.  The PCF repsonds to the AMF with a 201 OK.

   22.  The AMF sends a POST to the SMF with the path nsmf-
        pdusession/v1/sm-contexts including
        (supi,dnn,sNssai,servingnetwork).

   23.  The SMF sends a GET to the UDM with the path nudm-sdm/
        v2/{supiOrSuci}/sm-data including (single-nssai,dnn).

   24.  The UDM responds to the SMF with a 200 OK including
        (singleNssai,dnnconfigurations).

   25.  The SMF responds to the AMF with a 201 OK.

   26.  The AMF responds to the UE with a Registration Accept.

   +------+    +------+    +------+    +------+    +------+    +------+
   |  UE  |    | AMF  |    | SMF  |    | PCF  |    | AUSF |    | UDM  |
   +------+    +------+    +------+    +------+    +------+    +------+
      | 1) REQ1   |           |           |           |           |
      |---------->|           |  2) REQ2  |           |           |
      |           |---------------------------------->| 3) REQ3   |
      |           |           |           |           |---------->|
      |           |           |           |           | 4) RES3   |
      |           |           |  5) RES2  |           |<----------|
      | 6) REQ4   |<----------------------------------|           |
      |<----------|           |           |           |           |
      | 7) RES4   |           |           |           |           |
      |---------->|           |           |           |           |
      |           |--+        |           |           |           |



Gundavelli, et al.       Expires 24 January 2024               [Page 16]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


      |           |  |8)COMP1 |           |           |           |
      |           |<-+        |           |           |           |
      |           |           |  9) REQ5  |           |           |
      |           |---------------------------------->|           |
      |           |           |           |           |--+        |
      |           |           |           |           |  |10)COMP2|
      |           |           |  11) RES5 |           |<-+        |
      |           |<----------------------------------|           |
      |           |           |       12)REQ6         |           |
      |           |---------------------------------------------->|
      |           |           |       13)RES6         |           |
      |           |<----------------------------------------------|
      |           |           |       14)REQ7         |           |
      |           |---------------------------------------------->|
      |           |           |       15)RES7         |           |
      |           |<----------------------------------------------|
      |           |           |       16)REQ8         |           |
      |           |---------------------------------------------->|
      |           |           |       17)RES8         |           |
      |           |<----------------------------------------------|
      |           |           |       18)REQ9         |           |
      |           |---------------------------------------------->|
      |           |           |       19)RES9         |           |
      |           |<----------------------------------------------|
      |           |       20)REQ10        |           |           |
      |           |---------------------->|           |           |
      |           |       21)RES10        |           |           |
      |           |<----------------------|           |           |
      |           | 22)REQ11  |           |           |           |
      |           |---------->|           | 23)REQ12  |           |
      |           |           |---------------------------------->|
      |           |           |           | 24)RES12  |           |
      |           | 25)RES11  |<----------------------------------|
      | 26) RES1  |<----------|           |           |           |
      |<----------|           |           |           |           |
      |           |           |           |           |           |
   +------+    +------+    +------+    +------+    +------+    +------+
   |  UE  |    | AMF  |    | SMF  |    | PCF  |    | AUSF |    | UDM  |
   +------+    +------+    +------+    +------+    +------+    +------+

             Figure 5: Standard 5G Registration Signalling Flow

Authors' Addresses








Gundavelli, et al.       Expires 24 January 2024               [Page 17]


Internet-Draft      3GPP 5G AKA Authentication Method          July 2023


   Sri Gundavelli
   Cisco
   170 West Tasman Drive
   San Jose, CA 95134
   United States of America
   Email: sgundave@cisco.com


   Sangram L Kishore
   Cisco
   Bangalore
   India
   Email: sanl@cisco.com


   Mark Grayson
   Cisco
   11 New Square Park
   Bedfont Lakes
   United Kingdom
   Email: mgrayson@cisco.com


   Oleg Pekar
   Cisco
   1st Floor, EE5-6
   South Netanya
   Israel
   Email: olpekar@cisco.com






















Gundavelli, et al.       Expires 24 January 2024               [Page 18]