User plane IPSec SA establishment in N3IWF

Hello There,

As the standard specifies that the user plane child IPsec SA creation shall be initiated by the N3IWF for PDU session(s), is it possible that the IKE_CREATE_CHILD_SA request will be initiated from a different IP than, say, NAS_IP4_ADDRESS (i.e. the N3IWF IP address of the signalling IPsec tunnel)?
And will it be sent to the UE's IKE SA address, given that 3GPP TS 23.502 section 4.12.5 says that 'During the IPsec Child SA establishment the UE shall not be assigned an IP address'? Also, on which port of the UE will this IKE create request be sent?

Thanks in advance.

Hi @kg_geek15
From the perspective of the N3IWF, there are three kinds of associations: the IKE SA, the signaling IPsec SA, and the user plane IPsec SA. In short, the IKE SA is like a control plane for the IPsec SAs, and the other two SAs work as the 3GPP CP/UP.

Back to your question, NAS_IP4_ADDRESS is an inner address in the signaling IPsec SA used to send and receive NAS encapsulated in TCP. In my opinion, the N3IWF/non-3GPP UE will not handle an IKE request received over the signaling IPsec SA. It doesn't make sense for a 3GPP NAS handler to handle an IKE request. In conclusion, IKE_CREATE_CHILD_SA should be transmitted over the IKE SA, whose port is defined in RFC 7296, generally 500 or 4500.

I think that the N3IWF has already allocated an inner IP address (INTERNAL_IP4_ADDRESS) to the UE during IKE_AUTH. It doesn't give a new one during the PDU session establishment, even though the RFC allows it.
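To make the answer concrete, here is an added example (not code from the original thread, from free5gc, or from any 3GPP/IETF specification) of how a UE-side IKEv2 daemon would recognise an N3IWF-initiated CREATE_CHILD_SA request: it arrives on UDP 500/4500 under the SPIs of the existing IKE SA, not on the inner NAS_IP4_ADDRESS, and on 4500 it is preceded by the four-zero-byte non-ESP marker. The header layout and exchange-type numbers follow RFC 7296 section 3.1; the SPIs, ports and payload bytes are constructed for illustration, and the dispatch policy in `classify_datagram` is this example's own, not a mandated one. One detail worth noticing: the I (original initiator) bit is cleared in messages from the N3IWF even though the N3IWF initiates the CREATE_CHILD_SA exchange, because the UE was the original initiator of the IKE SA.

```python
import struct

# IKEv2 fixed header and exchange types (RFC 7296 section 3.1).
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 34, 35, 36, 37
EXCH_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# SPIi, SPIr, next payload, version, exchange type, flags, message id, length
HDR_FMT = "!8s8sBBBBII"
HDR_LEN = struct.calcsize(HDR_FMT)  # 28 bytes
FLAG_I, FLAG_V, FLAG_R = 0x08, 0x10, 0x20  # Initiator, Version, Response bits
# Four zero bytes precede IKE on UDP/4500 so it can share the port with
# UDP-encapsulated ESP (RFC 7296 section 2.23).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_PORTS = {500, 4500}


def build_ike_header(spi_i, spi_r, exchange, msg_id, flags, body=b""):
    """Build an IKEv2 message. SPIi/SPIr keep the positions fixed at IKE_SA_INIT,
    regardless of which side sends this particular message."""
    version = 0x20  # major 2, minor 0
    hdr = struct.pack(HDR_FMT, spi_i, spi_r, 0, version, exchange, flags,
                      msg_id, HDR_LEN + len(body))
    return hdr + body


def parse_ike_header(data):
    """Parse and sanity-check the fixed IKEv2 header of one message."""
    if len(data) < HDR_LEN:
        raise ValueError("short IKE header")
    spi_i, spi_r, _next, ver, exch, flags, msg_id, length = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if ver >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(data):
        raise ValueError("IKE length field does not match datagram")
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch, "flags": flags, "msg_id": msg_id}


def classify_datagram(dst_port, payload, ike_sas):
    """Decide what a UE does with a UDP datagram it received.

    ike_sas maps (SPIi, SPIr) of each established IKE SA to the message id the
    UE expects in the peer's next request (0 for the N3IWF's first request after
    IKE_AUTH, RFC 7296 section 2.2). Policy here is illustrative, not normative.
    """
    if dst_port not in IKE_PORTS:
        # Anything else (e.g. NAS over TCP on the inner address) is not IKE at all.
        return {"action": "not_ike", "reason": "port %d is not an IKE port" % dst_port}
    if dst_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return {"action": "esp"}  # UDP-encapsulated ESP: hand to IPsec, not IKE
        payload = payload[len(NON_ESP_MARKER):]
    hdr = parse_ike_header(payload)
    key = (hdr["spi_i"], hdr["spi_r"])
    if key not in ike_sas:
        return {"action": "drop", "reason": "no IKE SA with these SPIs"}
    if hdr["flags"] & FLAG_I:
        # The N3IWF is the original responder of the IKE SA, so its messages
        # must carry I=0 even when it initiates the CREATE_CHILD_SA exchange.
        return {"action": "drop", "reason": "I bit set on a message from the original responder"}
    if hdr["flags"] & FLAG_R:
        return {"action": "drop", "reason": "unsolicited response"}
    if hdr["msg_id"] != ike_sas[key]:
        return {"action": "drop", "reason": "unexpected message id %d" % hdr["msg_id"]}
    return {"action": "ike_request", "exchange": EXCH_NAMES.get(hdr["exchange"], hdr["exchange"]),
            "msg_id": hdr["msg_id"]}


# Constructed sample: SPIs of an IKE SA the UE set up earlier, and the first
# request the N3IWF sends on it (a CREATE_CHILD_SA for a PDU session).
SAMPLE_SPI_I = bytes.fromhex("1122334455667788")
SAMPLE_SPI_R = bytes.fromhex("99aabbccddeeff00")
SAMPLE_IKE_SAS = {(SAMPLE_SPI_I, SAMPLE_SPI_R): 0}
SAMPLE_CREATE_CHILD = NON_ESP_MARKER + build_ike_header(
    SAMPLE_SPI_I, SAMPLE_SPI_R, CREATE_CHILD_SA, msg_id=0, flags=0, body=b"\x00" * 16)

if __name__ == "__main__":
    print(classify_datagram(4500, SAMPLE_CREATE_CHILD, SAMPLE_IKE_SAS))
    print(classify_datagram(4500, b"\x01\x02\x03\x04" + b"\x00" * 30, SAMPLE_IKE_SAS))
    print(classify_datagram(20000, SAMPLE_CREATE_CHILD, SAMPLE_IKE_SAS))
```

The takeaway matches the answer: the UE only has to look for the request on its IKE socket (UDP 500/4500), keyed by the SPI pair of the IKE SA it already holds; nothing about the inner addresses changes for this exchange.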