In 5G systems, a UE may be registered simultaneously to the same PLMN over 3GPP access (for example, via an LTE or 5G access node, also referred to as a base station, eNB, gNB, etc.) and non-3GPP access (for example, via a WiFi or satellite node). For this purpose, the wireless terminal (UE) and the network AMF (Access Management Function) are expected to maintain one NAS connection per access type (i.e., one NAS connection for the 3GPP access and one NAS connection for the non-3GPP access). In such scenarios, TS 23.501 (referred to as reference [1]) further describes which elements of the user context in the AMF would be shared among the connections and which would not. For example, there may be multiple Connection Management (CM) and Registration Management (RM) states, one set per access type. On the other hand, a common temporary identifier may be used for both accesses.
As described in TS 33.401 [2], the security mechanisms in legacy systems may provide integrity, confidentiality, and replay protection for NAS messages. The NAS security context includes the K_ASME key, the derived protection keys K_NASint and K_NASenc, the key set identifier eKSI, and a pair of counters (NAS COUNTs), one for each direction (uplink and downlink). These security parameters may be provided for a NAS connection and may be refreshed upon the creation of a new K_ASME, e.g., following an authentication procedure.
Furthermore, the replay protection mechanism, partly realized by the NAS COUNTs, may rely on the assumptions that the protocol is reliable and that NAS procedures are run sequentially, i.e., a new procedure is only started after the current one has terminated. These assumptions may provide (guarantee) in-order delivery of the NAS messages, so that the UE and the MME each need to store only two NAS COUNT values, one per direction (i.e., one NAS COUNT for uplink and one NAS COUNT for downlink). Each stored value is the next, and the only, expected/accepted value for that direction.
With multiple NAS connections over 3GPP and non-3GPP accesses, however, in-order delivery of NAS messages across the different connections may no longer be guaranteed: messages sent over different connections may not arrive in the order in which they were sent.
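The following is an added illustration, not code from the text above or from any 3GPP specification, of the two situations just described: a receiver that stores a single next-expected NAS COUNT per direction, which works while NAS procedures run sequentially over one connection, and the same receiver fed by two connections whose delivery order differs from the sending order. The NAS-MAC is modelled with truncated HMAC-SHA256 under a constructed stand-in for K_NASint (real NAS uses the NIA algorithms and a 32-bit NAS COUNT); all keys, message names and the `per_access` variant, which keeps one expected value per (access, direction) pair, are assumptions of this example and go beyond what the text defines.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the derived integrity key K_NASint (not a real key).
K_NASINT = b"\x11" * 16

UPLINK, DOWNLINK = 0, 1                      # one NAS COUNT is kept per direction
ACCESS_3GPP, ACCESS_N3GPP = "3gpp", "non-3gpp"


def nas_mac(key: bytes, count: int, direction: int, payload: bytes) -> bytes:
    """Toy NAS-MAC: binds the payload to the NAS COUNT and direction, so a
    replayed or reordered PDU cannot simply be relabelled with a fresh COUNT."""
    data = count.to_bytes(4, "big") + bytes([direction]) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class ProtectedNasPdu:
    access: str        # connection the PDU was sent on
    direction: int
    count: int         # NAS COUNT the sender used for this PDU
    payload: bytes
    mac: bytes


class NasSender:
    """Keeps the NAS COUNT for one direction and increments it per message."""

    def __init__(self, key: bytes, direction: int) -> None:
        self.key, self.direction, self.count = key, direction, 0

    def send(self, access: str, payload: bytes) -> ProtectedNasPdu:
        mac = nas_mac(self.key, self.count, self.direction, payload)
        pdu = ProtectedNasPdu(access, self.direction, self.count, payload, mac)
        self.count += 1
        return pdu


class NasReceiver:
    """Legacy-style replay check: stores only the next expected COUNT per
    direction and accepts nothing else. With per_access=True (an assumption
    of this example) the expected value is kept per (access, direction)."""

    def __init__(self, key: bytes, per_access: bool = False) -> None:
        self.key, self.per_access, self.expected = key, per_access, {}

    def _slot(self, pdu: ProtectedNasPdu):
        return (pdu.access, pdu.direction) if self.per_access else pdu.direction

    def receive(self, pdu: ProtectedNasPdu) -> str:
        recomputed = nas_mac(self.key, pdu.count, pdu.direction, pdu.payload)
        if not hmac.compare_digest(recomputed, pdu.mac):
            return "integrity-failure"
        slot = self._slot(pdu)
        expected = self.expected.get(slot, 0)
        if pdu.count != expected:   # lower COUNT: replay; higher COUNT: out of order
            return "rejected"
        self.expected[slot] = expected + 1
        return "accepted"


def sequential_single_connection() -> list:
    """One connection, procedures run one after another: every PDU is
    accepted and a replayed copy of the first PDU is rejected."""
    ue, amf = NasSender(K_NASINT, UPLINK), NasReceiver(K_NASINT)
    msgs = (b"REG-REQ", b"SEC-MODE-COMPLETE", b"PDU-SESS-EST")   # constructed
    pdus = [ue.send(ACCESS_3GPP, m) for m in msgs]
    results = [amf.receive(p) for p in pdus]
    results.append(amf.receive(pdus[0]))          # replay of the first message
    return results


def tampered_message() -> str:
    """A PDU whose payload was altered after the MAC was computed."""
    ue, amf = NasSender(K_NASINT, UPLINK), NasReceiver(K_NASINT)
    pdu = ue.send(ACCESS_3GPP, b"REG-REQ")
    forged = ProtectedNasPdu(pdu.access, pdu.direction, pdu.count, b"REG-REQ-X", pdu.mac)
    return amf.receive(forged)


def interleaved_two_connections(per_access: bool) -> list:
    """Uplink PDUs sent alternately over the 3GPP and non-3GPP connections; the
    non-3GPP connection delivers late, so the receiver sees the PDUs reordered."""
    if per_access:
        senders = {a: NasSender(K_NASINT, UPLINK) for a in (ACCESS_3GPP, ACCESS_N3GPP)}
    else:
        shared = NasSender(K_NASINT, UPLINK)      # one COUNT shared by both connections
        senders = {ACCESS_3GPP: shared, ACCESS_N3GPP: shared}
    amf = NasReceiver(K_NASINT, per_access=per_access)
    order = [ACCESS_3GPP, ACCESS_N3GPP, ACCESS_3GPP, ACCESS_N3GPP]
    sent = [senders[a].send(a, f"MSG{i}".encode()) for i, a in enumerate(order)]
    delivered = [sent[0], sent[2], sent[1], sent[3]]   # both 3GPP PDUs arrive first
    return [amf.receive(p) for p in delivered]


if __name__ == "__main__":
    print(sequential_single_connection())               # 3 accepted, replay rejected
    print(tampered_message())                            # integrity-failure
    print(interleaved_two_connections(per_access=False)) # legitimate PDUs rejected
    print(interleaved_two_connections(per_access=True))  # all accepted
```

With a single shared COUNT the receiver sees COUNT values 0, 2, 1, 3 and discards the two legitimate PDUs that arrive "early", which is exactly the in-order assumption of the legacy scheme failing; keeping the expected value per access connection removes that dependency.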