NR U-plane Integrity

This tutorial is mainly for showing how to enable U-plane integrity in NR and how to verify the functionality. U-Plane Integrity (User Plane Integrity) is a new / strengthened security feature added to 5G/NR.

Since the integrity protection feature can require significant resources and not all devices may be able to support it at the maximum data rate, 5G systems allow for negotiation of appropriate data rates for integrity protection. For instance, if a device indicates that it can only support 64 kbps for integrity protected traffic, the network will only activate integrity protection for user plane connections that do not exceed that 64-kbps limit

The support of the integrity protection feature is mandatory for both UE and gNB but the use is optional and under the control of operators.

Table of Contents

• NR U-plane Integrity
• Test Setup
• Key Configuration Parameters
• Configuration
• Perform the test
• Log Analysis

Test Setup

Test setup for this tutorial is as shown below.  

• SIM Card used in this tutorial is the one delivered with the system as it is.
• If you want to change the configuration, The tutorial Configuration Guide would help

Key Configuration Parameters

Followings are important configuration parameters for this tutorial. You may click on the items for the descriptions from Amarisoft documents.

• integrity_protection
• apn_aggregate_max_bitrate_dl
• apn_aggregate_max_bitrate_ul

Configuration

I used the gnb-sa.cfg without any change.

I used mme-ims-integrity.cfg for mme which is copied and modified from mme-ims.cfg.

In gnb-sa.cfg file, I changed the log option as shown below without chaning any other part.

In mme-ims-integrity.cfg , I added the following configuration. Before you set this, you would need to know of UE capability about the bitrate and put appropriate values here

Perform the test

Check basic cell configuration and make it sure that it is configured as per your UE capability.

Power On UE and make it sure that UE get registerred.

Make it sure that UE is assigned with IMS pdn.

Try ping from Callbox to UE and see if the ping goes through.

Log Analysis

First check if the UE support Uplane intetrity. You can check this out with 'Integrity protection maximum data rate' IE in PDU session Establishment Request message.

MME (Core Network) will determine whether it will apply the uplane integrity or not.

The decision (i.e, the decision to apply the integrityProtection) is informed to UE as pdcp-Config in RRC Reconfiguration.