no2222

5 Elementary procedures for EPS mobility management

5.1 Overview

5.1.1 General

This clause describes the procedures used for mobility management for EPS
services (EMM) at the radio interface (reference point “LTE-Uu”).

The main function of the mobility management sublayer is to support the mobility
of a user equipment, such as informing the network of its present location and
providing user identity confidentiality.

A further function of the mobility management sublayer is to provide connection
management services to the session management (SM) sublayer and the short
message services (SMS) entity of the connection management (CM) sublayer.

All the EMM procedures described in this clause can only be performed if a NAS
signalling connection has been established between the UE and the network. Else,
the EMM sublayer has to initiate the establishment of a NAS signalling
connection (see 3GPP TS 36.331 [22]).

5.1.2 Types of EMM procedures

Depending on how they can be initiated, three types of EMM procedures can be
distinguished:

  1. EMM common procedures:

An EMM common procedure can always be initiated whilst a NAS signalling
connection exists. The procedures belonging to this type are:

Initiated by the network:

- GUTI reallocation;

- authentication;

- security mode control;

- identification;

- EMM information.

  1. EMM specific procedures:

At any time only one UE initiated EMM specific procedure can be running. The
procedures belonging to this type are:

Initiated by the UE and used to attach the IMSI in the network for EPS services
and/or non-EPS services, and to establish an EMM context and if requested by the
UE, a default bearer:

- attach and combined attach.

Initiated by the UE and used to attach the IMSI or IMEI for emergency bearer
services, and to establish an EMM context and a default bearer to a PDN that
provides emergency bearer services:

- attach.

Initiated by the UE and used to attach the IMSI or IMEI for access to RLOS, and
to establish an EMM context and a default bearer to a PDN connection for RLOS:

- attach.

Initiated by the UE or the network and used to detach the IMSI in the network
for EPS services and/or non-EPS services and to release an EMM context and all
bearers, if any:

- detach and combined detach.

Initiated by the UE and used to detach the IMSI in the network for EPS services
or non-EPS services and to release an EMM context and all bearers, if any:

- eCall inactivity procedure.

Initiated by the UE when an EMM context has been established:

- normal tracking area updating and combined tracking area updating (S1 mode
only);

- periodic tracking area updating (S1 mode only).

The tracking area updating procedure can be used to request also the resource
reservation for sending data.

  1. EMM connection management procedures (S1 mode only):

Initiated by the UE and used to establish a secure connection to the network or
to request the resource reservation for sending data, or both:

- service request.

The service request procedure can only be initiated if no UE initiated EMM
specific procedure is ongoing.

Initiated by the network and used to request the establishment of a NAS
signalling connection or to prompt the UE to re-attach if necessary as a result
of a network failure:

- paging procedure.

Initiated by the UE or the network and used to transport NAS messages:

- transport of NAS messages;

- generic transport of NAS messages.

The transport of NAS messages procedure and the generic transport of NAS
messages procedure cannot be initiated while an EMM specific procedure or a
service request procedure is ongoing.

5.1.3 EMM sublayer states

5.1.3.1 General

In the following subclauses, the EMM protocol of the UE and the network is
described by means of two different state machines. In subclause 5.1.3.2, the
states of the EMM entity in the UE are introduced. The behaviour of the UE
depends on an EPS update status that is described in subclause 5.1.3.3. The
states for the MME side are described in subclause 5.1.3.4.

5.1.3.2 EMM sublayer states in the UE

5.1.3.2.1 General

In the following subclauses, the possible EMM states of an EMM entity in the UE
are described. Subclause 5.1.3.2.2 summarizes the main states of an EMM entity.
The substates that have been defined are described in subclause 5.1.3.2.3 and
subclause 5.1.3.2.4.

It should be noted, however, that this subclause does not include a description
of the detailed behaviour of the UE in the single states and does not cover
abnormal cases. A detailed description of the behaviour of the UE is given in
subclause 5.2. For the behaviour of the UE in abnormal cases refer to the
description of the elementary EMM procedures in subclauses 5.4, 5.5, 5.6 and
5.7.

5.1.3.2.2 Main states
5.1.3.2.2.1 EMM-NULL

EPS services are disabled in the UE. No EPS mobility management function shall
be performed in this state.

5.1.3.2.2.2 EMM-DEREGISTERED

In the state EMM-DEREGISTERED, no EMM context has been established and the UE
location is unknown to an MME and hence it is unreachable by an MME. In order to
establish an EMM context, the UE shall start the attach or combined attach
procedure (see subclause 5.5.1).

5.1.3.2.2.3 EMM-REGISTERED-INITIATED

A UE enters the state EMM-REGISTERED-INITIATED after it has started the attach
or the combined attach procedure and is waiting for a response from the MME (see
subclause 5.5.1).

5.1.3.2.2.4 EMM-REGISTERED

In the state EMM-REGISTERED an EMM context has been established. Additionally a
default EPS bearer context has been activated in the UE:

- if EMM-REGISTERED without PDN connection is not supported by the UE or the
MME; or

- if EMM-REGISTERED without PDN connection is supported by the UE and the MME,
the UE has requested connectivity to a PDN and a default EPS bearer context is
successfully established.

When the UE is in EMM-IDLE mode, the UE location is known to the MME with an
accuracy of a list of tracking areas containing a certain number of tracking
areas. When the UE is in EMM-CONNECTED mode, the UE location is known to the MME
with an accuracy of a serving eNodeB. The UE may initiate sending and receiving
user data and signalling information and reply to paging. Additionally, tracking
area updating or combined tracking area updating procedure is performed (see
subclause 5.5.3).

5.1.3.2.2.5 EMM-DEREGISTERED-INITIATED

A UE enters the state EMM-DEREGISTERED-INITIATED after it has requested release
of the EMM context by starting the detach or combined detach procedure and is
waiting for a response from the MME (see subclause 5.5.2).

5.1.3.2.2.6 EMM-TRACKING-AREA-UPDATING-INITIATED

A UE enters the state EMM-TRACKING-AREA-UPDATING-INITIATED after it has started
the tracking area updating or combined tracking area updatingprocedure and is
waiting for a response from the MME (see subclause 5.5.3).

5.1.3.2.2.7 EMM-SERVICE-REQUEST-INITIATED

A UE enters the state EMM-SERVICE-REQUEST-INITIATED after it has started the
service request procedure and is waiting for a response from the MME (see
subclause 5.6.1).

NOTE: Not all possible transitions are shown in this figure.

Figure 5.1.3.2.2.7.1: EMM main states in the UE

5.1.3.2.3 Substates of state EMM-DEREGISTERED
5.1.3.2.3.1 General

The state EMM-DEREGISTERED is subdivided into a number of substates as described
in this subclause. Valid subscriber data are available for the UE before it
enters the substates, except for the substate EMM-DEREGISTERED.NO-IMSI.

5.1.3.2.3.2 EMM-DEREGISTERED.NORMAL-SERVICE

The substate EMM-DEREGISTERED.NORMAL-SERVICE is chosen in the UE when a suitable
cell has been found and the PLMN or tracking area is not in the forbidden list.

5.1.3.2.3.3 EMM-DEREGISTERED.LIMITED-SERVICE

The substate EMM-DEREGISTERED.LIMITED-SERVICE is chosen in the UE, when it is
known that a selected cell is unable to provide normal service (e.g. the
selected cell is in a forbidden PLMN, is in a forbidden tracking area or the
selected cell is a CSG cell whose CSG ID and associated PLMN identity are not
included in the UE’s Allowed CSG list or in the UE’s Operator CSG List).

5.1.3.2.3.4 EMM-DEREGISTERED.ATTEMPTING-TO-ATTACH

The substate EMM-DEREGISTERED.ATTEMPTING-TO-ATTACH is chosen in the UE if the
attach or combined attach procedure failed due to a missing response from the
network or due to the circumstances described in subclauses 5.5.1.2.5,
5.5.1.2.6, 5.5.1.3.5 and 5.5.2.3.4.

5.1.3.2.3.5 EMM-DEREGISTERED.PLMN-SEARCH

The substate EMM-DEREGISTERED.PLMN-SEARCH is chosen in the UE, if the UE is
searching for PLMNs. This substate is left either when a cell has been selected
(the new substate is NORMAL-SERVICE or LIMITED-SERVICE) or when it has been
concluded that no cell is available at the moment (the new substate is
NO-CELL-AVAILABLE).

5.1.3.2.3.6 EMM-DEREGISTERED.NO-IMSI

The substate EMM-DEREGISTERED.NO-IMSI is chosen in the UE, if the UE has no
valid subscriber data available (SIM/USIM not available, or the SIM/USIM is
considered invalid by the UE) and a cell has been selected.

5.1.3.2.3.7 EMM-DEREGISTERED.ATTACH-NEEDED

Valid subscriber data are available for the UE and for some reason an attach
must be performed as soon as possible. This substate can be entered if the
access class is blocked due to access class control, or if the network rejects
the NAS signalling connection establishment.

5.1.3.2.3.8 EMM-DEREGISTERED.NO-CELL-AVAILABLE

No E-UTRAN cell can be selected. This substate is entered after a first
intensive search failed when in substate EMM-DEREGISTERED.PLMN-SEARCH. Cells are
searched for at a low rhythm. No EPS services are offered.

5.1.3.2.3.9 EMM-DEREGISTERED.eCALL-INACTIVE

The substate EMM-DEREGISTERED.eCALL-INACTIVE is chosen in the UE when:

- the UE is configured for eCall only mode as specified in 3GPP TS 31.102 [17];

- timer T3444 and timer T3445 have expired or are not running;

- a PLMN has been selected as specified in 3GPP TS 23.122 [6];

- the UE does not need to perform an eCall over IMS; and

- the UE does not need to perform a call to a non-emergency MSISDN or URI for
test or terminal reconfiguration service.

In this substate, the UE shall not initiate any signalling towards the network,
except to originate an eCall over IMS, or a call to a non-emergency MSISDN or
URI for test or terminal reconfiguration service.

5.1.3.2.4 Substates of state EMM-REGISTERED
5.1.3.2.4.1 General

The state EMM-REGISTERED is subdivided into a number of substates as described
in this subclause.

5.1.3.2.4.2 EMM-REGISTERED.NORMAL-SERVICE

The substate EMM-REGISTERED.NORMAL-SERVICE is chosen by the UE as the primary
substate when the UE enters the state EMM-REGISTERED.

5.1.3.2.4.3 EMM-REGISTERED.ATTEMPTING-TO-UPDATE

The substate EMM-REGISTERED.ATTEMPTING-TO-UPDATE is chosen by the UE if the
tracking area updating or combined tracking area updating procedure failed due
to a missing response from the network or due to the circumstances described in
subclauses 5.3.9, 5.5.3.2.5, 5.5.3.2.6, 5.5.3.3.5, 5.6.1.5 and 5.6.1.6. No EMM
procedure except the tracking area updating or combined tracking area updating
procedure shall be initiated by the UE in this substate. No data shall be sent
or received.

5.1.3.2.4.4 EMM-REGISTERED.LIMITED-SERVICE

The substate EMM-REGISTERED.LIMITED-SERVICE is chosen in the UE, if the cell the
UE selected is known not to be able to provide normal service.

5.1.3.2.4.5 EMM-REGISTERED.PLMN-SEARCH

The substate EMM-REGISTERED.PLMN-SEARCH is chosen in the UE, while the UE is
searching for PLMNs.

5.1.3.2.4.6 EMM-REGISTERED.UPDATE-NEEDED

The UE has to perform a tracking area updating or combined tracking area
updating procedure, but access to the current cell is barred. This state can be
entered if the access class is blocked due to access class control, or if the
network rejects the NAS signalling connection establishment.

No EMM procedure except:

- tracking area updating;

- combined tracking area updating; or

- service request as a response to paging

shall be initiated by the UE in this substate.

5.1.3.2.4.7 EMM-REGISTERED.NO-CELL-AVAILABLE

E-UTRAN coverage has been lost or PSM is active in the UE. If PSM is active, the
UE can deactivate PSM at any time by activating the AS layer when the UE needs
to send mobile originated signalling or user data. Otherwise, the UE shall not
initiate any EMM procedure except for cell and PLMN reselection.

5.1.3.2.4.8 EMM-REGISTERED.ATTEMPTING-TO-UPDATE-MM

A combined attach procedure or a combined tracking area updating procedure was
successful for EPS services only. User data and signalling information may be
sent and received.

5.1.3.2.4.9 EMM-REGISTERED.IMSI-DETACH-INITIATED

The UE performs a combined detach procedure for non-EPS services only (detach
type “IMSI detach”). This substate is entered if the UE is attached for EPS and
non-EPS services and wants to detach for non-EPS services only. User data and
signalling information may be sent and received.

5.1.3.3 EPS update status

In order to describe the detailed UE behaviour, the EPS update (EU) status
pertaining to a specific subscriber is defined.

The EPS update status is stored in a non-volatile memory in the USIM if the
corresponding file is present in the USIM, else in the non-volatile memory in
the ME, as described in annex C.

The EPS update status value is changed only after the execution of an attach or
combined attach, network initiated detach, authentication, tracking area update
or combined tracking area update, service request or paging for EPS services
using IMSI procedure or due to change in TAI which is not part of TAI list while
timer T3346 is running.

EU1: UPDATED

The last attach or tracking area updating attempt was successful.

EU2: NOT UPDATED

The last attach, service request or tracking area updating attempt failed
procedurally, e.g. no response or reject message was received from the MME.

EU3: ROAMING NOT ALLOWED

The last attach, service request or tracking area updating attempt was correctly
performed, but the answer from the MME was negative (because of roaming or
subscription restrictions).

5.1.3.4 EMM sublayer states in the MME

5.1.3.4.1 EMM-DEREGISTERED

In the state EMM-DEREGISTERED, the MME has no EMM context or the EMM Context is
marked as detached. The UE is detached. The MME may answer to an attach or a
combined attach procedure initiated by the UE (see subclause 5.5.1). The MME may
also answer to a tracking area updating procedure or combined tracking area
updating procedure initiated by a UE if the EMM context is marked as detached.
The MME may also answer to a detach procedure initiated by the UE (see subclause
5.5.1.2.7).

If ISR is not activated or ISR is deactivated during a routing area updating or
combined routing area updating procedure or an inter-system handover to A/Gb
mode or Iu mode, the MME enters the state EMM-DEREGISTERED after the successful
completion of the procedure.

5.1.3.4.2 EMM-COMMON-PROCEDURE-INITIATED

The MME enters the state EMM-COMMON-PROCEDURE-INITIATED, after it has started a
common EMM procedure (see subclause 5.4) and is waiting for a response from the
UE.

5.1.3.4.3 EMM-REGISTERED

In the state EMM-REGISTERED, an EMM context has been established. Additionally a
default EPS bearer context has been activated in the MME:

- if EMM-REGISTERED without PDN connection is not supported by the UE or the
MME; or

- if EMM-REGISTERED without PDN connection is supported by the UE and the MME,
the UE has requested connectivity to a PDN and a default EPS bearer context is
successfully established.

5.1.3.4.4 EMM-DEREGISTERED-INITIATED

The MME enters the state EMM-DEREGISTERED-INITIATED after it has started a
detach procedure and is waiting for a response from the UE (see subclause
5.5.2).

Figure 5.1.3.4.4.1: EMM main states in the MME

5.1.4 Coordination between EMM and GMM

If GMM and EMM are both enabled, a UE capable of S1 mode and A/Gb mode or Iu
mode or both shall maintain one common registration for GMM and EMM indicating
whether the UE is registered for packet services or not.

A UE that is not registered shall be in state GMM-DEREGISTERED and in state
EMM-DEREGISTERED.

If the UE performs a successful attach or combined attach procedure in S1 mode,
it shall enter substates GMM-REGISTERED.NO-CELL-AVAILABLE and
EMM-REGISTERED.NORMAL-SERVICE. The UE resets the attach attempt counter and the
GPRS attach attempt counter (see 3GPP TS 24.008 [13]).

If the UE performs a successful GPRS attach or combined GPRS attach procedure in
A/Gb or Iu mode, it shall enter substates GMM-REGISTERED.NORMAL-SERVICE and
EMM-REGISTERED.NO-CELL-AVAILABLE. The UE resets the attach attempt counter and
the GPRS attach attempt counter (see 3GPP TS 24.008 [13]).

At intersystem change from A/Gb or Iu mode to S1 mode when no PDP context is
active, if EMM-REGISTERED without PDN connection is not supported by the UE or
the MME, the UE shall move to state EMM-DEREGISTERED and state GMM-DEREGISTERED
and then initiate an attach procedure. If EMM-REGISTERED without PDN connection
is supported by the UE and the MME, the UE shall enter substates
EMM-REGISTERED.NORMAL-SERVICE and GMM-REGISTERED.NO-CELL-AVAILABLE and initiate
a tracking area updating procedure.

After successful completion of routing area updating or combined routing area
updating and tracking area updating or combined tracking area updating
procedures in both S1 mode and A/Gb or Iu mode, if the network has indicated
that ISR is activated, the UE shall maintain registration and related periodic
update timers in both GMM and EMM.

NOTE: As specified in subclause 5.5.3.2.4 of this document or subclause
4.7.5.1.3 of 3GPP TS 24.008 [13], the UE does not activate the ISR even if the
network has indicated that the ISR is activated e.g. in the tracking area
updating procedure triggered due to a change in UE network capability. In these
scenarios, the UE only maintains one registration and related periodic update
timer in GMM or EMM.

5.1.5 Coordination between EMM and MM

UEs that operate in CS/PS mode 1 or CS/PS mode 2 of operation shall use the
combined EPS/IMSI attach procedure in order to attach to both EPS and non-EPS
services.

UEs that operate in CS/PS mode 1 or CS/PS mode 2 of operation and are already
attached to both EPS and non-EPS services shall use the combined tracking area
updating and periodic tracking area updating procedures.

UEs that operate in CS/PS mode 1 or CS/PS mode 2 of operation and are already
attached to both EPS and non-EPS services shall perform a combined detach
procedure in order to detach for non-EPS services.

UEs that operate in CS/PS mode 1 or CS/PS mode 2 of operation should not use any
MM timers related to MM specific procedures (e.g. T3210, T3211, T3212, T3213)
while camped on E-UTRAN, unless the re-activation of these timers is explicitly
described. If the MM timers are already running, the UE should not react on the
expiration of the timers.

If the UE is configured for eCall only mode as specified in 3GPP TS 31.102 [17]
and moves from GERAN/UTRAN to E-UTRAN, the UE shall:

- if timer T3242 is running, start timer T3444 with the time left on T3242 and
stop timer T3242;

- if timer T3243 is running, start timer T3445 with the time left on T3243 and
stop timer T3243;

- if the UE is attached for both EPS services and non-EPS services and timer
T3242 or timer T3243 is running, perform a combined tracking area updating
procedure; and

NOTE 1: A UE configured for eCall only mode as specified in 3GPP TS 31.102 [17]
being attached for both EPS services and non-EPS services upon moving from
GERAN/UTRAN to E-UTRAN is only possible in the case when the UE has performed a
combined attach in E-UTRAN, subsequently moved to GERAN/UTRAN and returned to
E-UTRAN before timer T3242 or timer T3243 expires.

- if the UE is attached for non-EPS services only and timer T3242 or timer T3243
is running, perform a combined attach procedure.

NOTE 2: Timers T3242 and T3243 are specified in 3GPP TS 24.008 [13].

5.2 Behaviour of the UE in state EMM-DEREGISTERED and state EMM-REGISTERED

5.2.1 General

In this subclause, the detailed behaviour of the UE in the states
EMM-DEREGISTERED and EMM-REGISTERED is described.

5.2.2 UE behaviour in state EMM-DEREGISTERED

5.2.2.1 General

The state EMM-DEREGISTERED is entered in the UE, when:

- the detach or combined detach is performed either by the UE or by the MME (see
subclause 5.5.2);

- the attach request is rejected by the MME (see subclause 5.5.1);

- the tracking area update request is rejected by the MME (see subclause 5.5.3);

- the service request procedure is rejected by the MME (see subclause 5.6.1);

- the UE deactivates all EPS bearer contexts locally (see subclause 6.4.4.6);

- the UE is switched on;

- an inter-system change from S1 mode to non3GPP access is completed and the
non3GPP access network provides PDN connectivity to the same EPC; or

- the UE attached for emergency bearer services is in EMM-IDLE mode and its
periodic tracking area update timer expires (see subclause 5.3.5).

In state EMM-DEREGISTERED, the UE shall behave according to the substate as
explained in subclause 5.2.2.3.

5.2.2.2 Primary substate selection

5.2.2.2.1 Selection of the substate after power on

For a UE configured for eCall only mode as specified in 3GPP TS 31.102 [17],
timers T3444 and T3445 are considered to have expired at power on. When the UE
is switched on, the substate shall be PLMN-SEARCH if the USIM is available and
valid. See 3GPP TS 23.122 [6] for further details.

The substate chosen after PLMN-SEARCH, following power on is:

- if no cell can be selected, the substate shall be NO-CELL-AVAILABLE;

- if no USIM is present, the substate shall be NO-IMSI;

- if a suitable cell has been found and the PLMN or tracking area is not in the
forbidden list, then the substate shall be NORMAL-SERVICE;

- if the selected cell is known not to be able to provide normal service, then
the UE shall enter the substate LIMITED-SERVICE;

- if the UE is in manual network selection mode and no cell of the selected PLMN
has been found, the UE shall enter the substate NO-CELL-AVAILABLE;

- if the selected cell is a non-3GPP cell, the substate shall be
NO-CELL-AVAILABLE; and

- if the UE is configured for eCall only mode as specified in 3GPP TS 31.102
[17], the substate shall be eCALL-INACTIVE.

5.2.2.3 Detailed description of UE behaviour in state EMM-DEREGISTERED

5.2.2.3.1 NORMAL-SERVICE

The UE shall initiate an attach or combined attach procedure if timer T3346 is
not running. If timer T3346 is running, the UE shall initiate an attach or
combined attach procedure on the expiry of timer T3346.

The UE may initiate attach for emergency bearer services even if timer T3346 is
running.

5.2.2.3.2 LIMITED-SERVICE

The UE shall initiate an attach or combined attach procedure when entering a
cell which provides normal service.

The UE may initiate attach for emergency bearer services.

The UE may initiate attach for access to RLOS.

5.2.2.3.3 ATTEMPTING-TO-ATTACH

The UE:

- shall initiate an attach or combined attach procedure on the expiry of timers
T3411, T3402 or T3346 (see 3GPP TS 24.008 [13]);

- may initiate an attach for emergency bearer services even if timer T3346 is
running;

- shall initiate an attach or combined attach procedure when entering a new
PLMN, if timer T3346 is running and the new PLMN is not equivalent to the PLMN
where the UE started timer T3346, the PLMN identity of the new cell is not in
one of the forbidden PLMN lists and the tracking area is not in one of the lists
of forbidden tracking areas;

- shall initiate an attach or combined attach procedure when the tracking area
of the serving cell has changed, if timer T3346 is not running, the PLMN
identity of the new cell is not in one of the forbidden PLMN lists and the
tracking area of the new cell is not in one of the lists of forbidden tracking
areas;

- shall use requests for non-EPS services for non-emergency call from CM layers
to trigger a combined attach procedure, if timer T3346 is not running (see
subclause 5.5.1.3), or to attempt to select GERAN or UTRAN radio access
technology and proceed with the appropriate MM and CC specific procedures;

- shall use requests for non-EPS services for emergency call from CM layers to
attempt to select GERAN or UTRAN radio access technology and proceed with the
appropriate MM and CC specific procedures;

- may initiate an attach procedure upon receiving a request from upper layers to
transmit user data related to an exceptional event and the UE is allowed to use
exception data reporting (see the ExceptionDataReportingAllowed leaf of the NAS
configuration MO in 3GPP TS 24.368 [15A]) if timer T3346 is not already running
for “MO exception data” and even if timer T3402 or timer T3411 is running;

- may initiate an attach procedure upon request of the upper layers to establish
a PDN connection for emergency bearer services; and

- may initiate an attach procedure upon request of the upper layers to establish
a PDN connection for RLOS, if timer T3346 is not running.

5.2.2.3.4 PLMN-SEARCH

The UE shall perform PLMN selection. If a new PLMN is selected, the UE shall
reset the attach attempt counter and initiate the attach or combined attach
procedure (see subclause 5.5.1).

If the selected cell is known not to be able to provide normal service:

- the UE may initiate attach for emergency bearer services; or

- the UE may initiate attach for access to RLOS.

5.2.2.3.5 NO-IMSI

The UE shall perform cell selection according to 3GPP TS 36.304 [21].

The UE may initiate attach for emergency bearer services.

The UE may initiate attach for access to RLOS.

5.2.2.3.6 ATTACH-NEEDED

The UE shall initiate the attach or combined attach procedure, if still needed,
as soon as the access is allowed in the selected cell for one of the access
classes of the UE.

The UE may initiate attach for emergency bearer services.

The UE may initiate attach for access to RLOS.

5.2.2.3.7 NO-CELL-AVAILABLE

The UE shall perform cell selection according to 3GPP TS 36.304 [21] and choose
an appropriate substate when a cell is found. When the lower layers indicate to
prepare for an S101 mode to S1 mode handover and the PLMN identity of the target
cell provided with this indication is not in one of forbidden PLMN lists, the UE
shall enter substate NORMAL-SERVICE.

NOTE: It is assumed that the UE can determine the PLMN identity of networks
supporting cdma2000® HRPD access from the information broadcast over the radio
interface. For the purpose of S101 mode to S1 mode handover, the UE can use the
PLMN identity of the visited cdma2000® HRPD network also as PLMN identity of the
target cell.

5.2.2.3.8 eCALL-INACTIVE

The UE camps on a suitable cell or an acceptable cell in a PLMN selected as
specified in 3GPP TS 23.122 [6] but initiates no EMM signalling with the network
and ignores any paging requests.

The UE shall leave substate EMM-DEREGISTERED.eCALL-INACTIVE state only when one
of the following events occur:

- if the USIM is removed, the UE enters substate EMM-DEREGISTERED.NO-IMSI;

- if coverage is lost, the UE enters substate EMM-DEREGISTERED.PLMN-SEARCH;

- if the UE is deactivated (e.g. powered off) by the user, the UE enters state
EMM-NULL;

- if the UE receives a request from upper layers to establish an eCall over IMS,
the UE enters state EMM-DEREGISTERED.ATTEMPTING-TO-ATTACH. The UE then uses the
relevant EMM and ESM procedures to establish the eCall over IMS at the earliest
opportunity; or

- if the UE receives a request from upper layers to establish a call to an HPLMN
designated non-emergency MSISDN or URI for test or terminal reconfiguration
service, the UE enters state EMM-DEREGISTERED.ATTEMPTING-TO-ATTACH. Once the
attach procedure is completed, the UE uses the relevant EMM and ESM procedures
to establish the non-emergency call.

5.2.2.4 Substate when back to state EMM-DEREGISTERED from another EMM state

When returning to state EMM-DEREGISTERED, the UE shall select a cell as
specified in 3GPP TS 36.304 [21].

The substate depends on the result of the cell selection procedure, the outcome
of the previously performed EMM specific procedures, on the EPS update status of
the UE, on the tracking area data stored in the UE, on the presence of the USIM,
on the UE configuration and on the reason for moving to EMM-DEREGISTERED:

- If no cell has been found, the substate is NO-CELL-AVAILABLE, until a cell is
found.

- If no USIM is present or if the inserted USIM is considered invalid by the UE,
the substate shall be NO-IMSI.

- If a suitable cell has been found and the PLMN or tracking area is not in the
forbidden list, the substate shall be NORMAL-SERVICE.

- If an attach shall be performed (e.g. network requested re-attach), the
substate shall be ATTEMPTING-TO-ATTACH.

- If a PLMN reselection (according to 3GPP TS 23.122 [6]) is needed, the
substate shall be PLMN-SEARCH.

- If the selected cell is known not to be able to provide normal service, the
substate shall be LIMITED-SERVICE;

- If the selected cell is a non-3GPP cell, the substate shall be
NO-CELL-AVAILABLE; and

- If the UE is configured for eCall only mode as specified in 3GPP TS 31.102
[17], T3444 and T3445 have expired or are not running, and substate PLMN-SEARCH
is not required, the substate shall be eCALL-INACTIVE.

5.2.3 UE behaviour in state EMM-REGISTERED

5.2.3.1 General

The state EMM-REGISTERED is entered at the UE, when:

- the attach or combined attach procedure is performed by the UE (see subclause
5.5.1).

In state EMM-REGISTERED, the UE shall behave according to the substate as
explained in subclause 5.2.3.2.

5.2.3.2 Detailed description of UE behaviour in state EMM-REGISTERED

5.2.3.2.1 NORMAL-SERVICE

The UE:

- shall initiate normal and combined tracking area updating (according to
conditions given in subclause 5.5.3);

- shall perform periodic tracking area updating (see subclause 5.5.3) except
when attached for emergency bearer services (see subclause 5.3.5);

- shall initiate a tracking area updating on the expiry of timer T3411;

- shall respond to paging; and

- if configured for eCall only mode as specified in 3GPP TS 31.102 [17], shall
perform the eCall inactivity procedure at expiry of timer T3444 or T3445 (see
subclause 5.5.4).

5.2.3.2.2 ATTEMPTING-TO-UPDATE

The UE:

- shall not send any user data;

- shall initiate tracking area updating on the expiry of timers T3411, T3402 or
T3346;

- shall initiate tracking area updating when entering a new PLMN, if timer T3346
is running and the new PLMN is not equivalent to the PLMN where the UE started
timer T3346, the PLMN identity of the new cell is not in one of the forbidden
PLMN lists, and the tracking area is not in one of the lists of forbidden
tracking areas;

- shall initiate tracking area updating when the tracking area of the serving
cell has changed, if timer T3346 is not running, the PLMN identity of the new
cell is not in one of the forbidden PLMN lists and the tracking area is not in
one of the lists of forbidden tracking areas;

- may initiate a tracking area updating procedure upon request of the upper
layers to establish a PDN connection for emergency bearer services;

- shall initiate tracking area updating procedure upon request of the upper
layers to establish a PDN connection without the NAS signalling low priority
indication as specified in subclause 5.5.3.2.6, item l), if timer T3346 is
running due to a NAS request message (TRACKING AREA UPDATE REQUEST, CONTROL
PLANE SERVICE REQUEST or EXTENDED SERVICE REQUEST) which contained the low
priority indicator set to "MS is configured for NAS signalling low priority"and
timer T3402 and timer T3411 are not running;

- may detach locally and initiate an attach for emergency bearer services even
if timer T3346 is running;

- shall use requests for non-EPS services from CM layers to trigger a combined
tracking area updating procedure, if timer T3346 is not running (see subclause
5.5.3.3), or to attempt to select GERAN, UTRAN or cdma2000® 1xRTT radio access
technology and proceed with the appropriate MM and CC specific procedures;

- may use requests for an MMTEL voice call or MMTEL video call from the upper
layers to initiate tracking area updating, if timer T3346 is not running;

- shall initiate tracking area updating in response to paging with S-TMSI or
paging with IMSI and domain indicator set to ″CS″;

- shall initiate tracking area updating if the EPS update status is set to EU2
NOT UPDATED, and timers T3411, T3402 and T3346 are not running;

- if configured for eCall only mode as specified in 3GPP TS 31.102 [17], shall
perform the eCall inactivity procedure at expiry of timer T3444 or T3445 (see
subclause 5.5.4);

- may initiate tracking area updating upon receiving a request from upper layers
to transmit user data related to an exceptional event and the UE is allowed to
use exception data reporting (see the ExceptionDataReportingAllowed leaf of the
NAS configuration MO in 3GPP TS 24.368 [15A]) if timer T3346 is not already
running for “MO exception data” and even if timer T3402 or timer T3411 is
running; and

- shall not initiate the detach signalling procedure unless timer T3346 is
running and the current TAI is part of the TAI list.

5.2.3.2.3 LIMITED-SERVICE

The UE:

- shall perform cell selection/reselection according to 3GPP TS 36.304 [21];

- may respond to paging (with IMSI);

- may detach locally and initiate attach for emergency bearer services;

- may detach locally and may initiate attach for access to RLOS; and

- if configured for eCall only mode as specified in 3GPP TS 31.102 [17], shall
perform the eCall inactivity procedure at expiry of timer T3444 or T3445 (see
subclause 5.5.4).

5.2.3.2.4 PLMN-SEARCH

The UE may enter this substate when it is in automatic network selection mode
and the maximum allowed number of subsequently unsuccessful tracking area
updating have been performed. The UE may also enter this substate as a result of
a tracking area update rejected by the network (see subclause 5.5.3) or as a
result of a service request rejected by the network (see subclause 5.6.1). If a
new PLMN is selected, the UE shall reset the tracking area updating attempt
counter and initiate the tracking area updating or combined tracking area
updating procedure (see subclause 5.5.3).

If the selected cell is known not to be able to provide normal service:

- the UE may detach locally and initiate attach for emergency bearer services;
or

- the UE may detach locally and initiate attach for access to RLOS.

5.2.3.2.5 UPDATE-NEEDED

The UE:

- shall not send any user data;

- shall not send signalling information, unless it is a service request as a
response to paging or a tracking area updating or combined tracking area
updating procedure upon request by the upper layers to establish a PDN
connection for emergency bearer services or upon a request from the upper layers
for an MMTEL voice call, MMTEL video call, SMSoIP, SMS over NAS or SMS over
S102;

- shall perform cell selection/reselection according to 3GPP TS 36.304 [21];

- shall enter the appropriate new substate as soon as the access is allowed in
the selected cell for one of the access classes of the UE; and

- if configured for eCall only mode as specified in 3GPP TS 31.102 [17], shall
perform the eCall inactivity procedure at expiry of timer T3444 or T3445 (see
subclause 5.5.4).

5.2.3.2.6 NO-CELL-AVAILABLE

The UE shall perform cell selection/reselection according to 3GPP TS 36.304
[21].

5.2.3.2.7 ATTEMPTING-TO-UPDATE-MM

The UE:

- shall perform cell selection/reselection according to 3GPP TS 36.304 [21];

- shall be able to receive and transmit user data and signalling information;

- shall initiate combined tracking area updating procedure indicating “combined
TA/LA updating with IMSI attach” on the expiry of timers T3411 or T3402 or when
the UE enters a tracking area not in the list of registered tracking areas and
not in one of the lists of forbidden tracking areas;

- shall respond to paging with IMSI or S-TMSI for the PS domain;

- shall use requests for non-EPS services from CM layers to attempt to select
GERAN or UTRAN radio access technology and proceed with the appropriate MM and
CC specific procedures, unless T3402 is running due to receipt of an ATTACH
ACCEPT or TRACKING AREA UPDATING ACCEPT message with EMM cause #22
“congestion”;

- shall use requests for non-EPS services due to emergency call from CM layers
to attempt to select GERAN or UTRAN radio access technology and proceed with the
appropriate MM and CC specific procedures, even if T3402 is running due to
receipt of an ATTACH ACCEPT or TRACKING AREA UPDATING ACCEPT message with EMM
cause #22 “congestion”; and

- if configured for eCall only mode as specified in 3GPP TS 31.102 [17], shall
perform the eCall inactivity procedure at expiry of timer T3444 or T3445 (see
subclause 5.5.4).

5.2.3.2.8 IMSI-DETACH-INITIATED

The UE:

- shall be able to receive and transmit user data and signalling information;

- shall initiate combined tracking area updating procedure (according to
conditions given in subclause 5.5.3.3 or subclause 5.5.2.2.4); and

- if configured for eCall only mode as specified in 3GPP TS 31.102 [17], shall
perform the eCall inactivity procedure at expiry of timer T3444 or T3445 (see
subclause 5.5.4).

5.3 General on elementary EMM procedures

5.3.1 EMM modes and NAS signalling connection

5.3.1.1 Establishment of the NAS signalling connection

When the UE is in EMM-IDLE mode without suspend indication and needs to transmit
an initial NAS message, the UE shall request the lower layer to establish a RRC
connection. In this request to the lower layer the NAS shall provide to the
lower layer the RRC establishment cause and the call type as specified in annex
D of this specification and, for the case specified in subclause 5.6.1.2.2,
shall also provide the initial NAS message, otherwise NAS may also provide the
initial NAS message.

Initial NAS messages are:

- ATTACH REQUEST;

- DETACH REQUEST;

- TRACKING AREA UPDATE REQUEST;

- SERVICE REQUEST;

- EXTENDED SERVICE REQUEST; and

- CONTROL PLANE SERVICE REQUEST.

When the UE is in EMM-IDLE mode with suspend indication, the UE shall proceed
the behaviour as specified in subclauses 5.3.1.3.

For the routing of the initial NAS message to the appropriate MME, the UE NAS
provides the lower layers with either the S-TMSI, the registered globally unique
MME identifier (GUMMEI) that consists of the PLMN ID, the MME group ID, and the
MME code (see 3GPP TS 23.003 [2]), or none of them according to the following
rules:

- If the UE has received the interworking without N26 interface indicator set to
“interworking without N26 interface not supported” from the network, the UE
holds a valid 5G-GUTI and:

a) the UE performs an initial EPS attach procedure or tracking area updating
procedure following an inter-system change from N1 mode to S1 mode; or

b) the UE which was previously registered in N1 mode before entering state
5GMM-DEREGISTERED, performs an initial EPS attach procedure,

then the UE NAS shall provide the lower layers with the MME identifier part of
the mapped GUTI, which is generated from the 5G-GUTI as specified in 3GPP TS
23.003 [4], an indication that the identifier is a native GUMMEI and an
indication that the identifier is mapped from 5GS;

- If the TIN indicates “GUTI” or “RAT-related TMSI”, or the TIN is not
available, and the UE holds a valid GUTI:

a) When the UE in EMM-IDLE mode initiates a tracking area updating or combined
tracking area updating procedure for load balancing purposes, the UE NAS shall
provide the lower layers with neither S-TMSI nor registered MME identifier;

b) When the tracking area of the current cell is in the list of tracking areas
that the UE previously registered in the MME during the NAS signalling
connection establishment, the UE NAS shall provide the lower layers with the
S-TMSI, but shall not provide the registered MME identifier to the lower layers;
or

c) When the tracking area of the current cell is not in the list of tracking
areas that the UE previously registered in the MME during the NAS signalling
connection establishment, the UE NAS shall provide the lower layers with the MME
identifier part of the valid GUTI with an indication that the identifier is a
native GUMMEI.

- If the TIN indicates “P-TMSI”, or the TIN is not available, and the UE holds a
valid P-TMSI and RAI, the UE NAS shall provide the lower layers with the MME
identifier part of the mapped GUTI, which is generated from the P-TMSI and RAI
with an indication that the identifier is a mapped GUMMEI; or

- Otherwise, the UE NAS does not provide the lower layers with the S-TMSI, the
registered GUMMEI and the mapped GUMMEI.

The UE NAS also provides the lower layers with the identity of the selected PLMN
(see 3GPP TS 36.331 [22]). In a shared network, the UE shall choose one of the
PLMN identities as specified in 3GPP TS 23.122 [6].

When an ATTACH REQUEST message, or a TRACKING AREA UPDATE REQUEST message when
the TAI of the current cell is not included in the TAI list, is sent to
establish a signalling connection, the UE NAS also provides the lower layers
with the DCN-ID according to the following rules:

a) if a DCN-ID for the PLMN code of the selected PLMN is available in the UE,
the UE NAS shall provide this DCN-ID to the lower layers; or

b) if no DCN-ID for the PLMN code of the selected PLMN is available but a
Default_DCN_ID value is avaialble in the UE, as specified in 3GPP TS 24.368
[15A] or in USIM file NASCONFIG as specified in 3GPP TS 31.102 [17], the UE NAS
shall provide this DCN-ID to the lower layers.

If a relay node is attaching for relay node operation (see 3GPP TS 23.401 [10]),
the NAS in the relay node shall indicate to the lower layers that the
establishment of the NAS signalling connection is for a relay node.

In S1 mode, when the RRC connection has been established successfully, the UE
shall enter EMM-CONNECTED mode and consider the NAS signalling connection
established.

In S101 mode, when the cdma2000® HRPD access network resources are available for
tunnelled NAS signalling, the UE shall enter EMM-CONNECTED mode and consider the
S101 mode NAS signalling connection established.

5.3.1.2 Release of the NAS signalling connection

5.3.1.2.1 General

The signalling procedure for the release of the NAS signalling connection is
initiated by the network.

In S1 mode, when the RRC connection has been released, the UE shall enter
EMM-IDLE mode and consider the NAS signalling connection released.

If the UE is configured for eCall only mode as specified in 3GPP TS 31.102 [17]
then:

- if the NAS signalling connection that was released had been established for
eCall over IMS, the UE shall start timer T3444; and

- if the NAS signalling connection that was released had been established for a
call to an HPLMN designated non-emergency MSISDN or URI for test or terminal
reconfiguration service, the UE shall start timer T3445.

The UE shall start the SGC timer T3447 with the service gap time value available
in the UE when the NAS signalling connection is released if:

- the UE supports SGC feature, and the service gap timer value is available in
the UE and does not indicate zero; and

- the NAS signalling connection that was released had been established for
mobile originated request for transfer of uplink data.

If the UE receives the “Extended wait time” from the lower layers when no
attach, tracking area updating or service request procedure is ongoing, the UE
shall ignore the “Extended wait time”.

To allow the network to release the NAS signalling connection, the UE:

a) shall start the timer T3440 if the UE receives any of the EMM cause values
#11, #12, #13, #14 (not applicable to the service request procedure), #15,
#25, #31 or #35;

b) shall start the timer T3440 if:

- the UE receives a TRACKING AREA UPDATE ACCEPT message which does not include a
UE radio capability ID deletion indication IE;

- the UE has not set the “active” flag in the TRACKING AREA UPDATE REQUEST
message;

- the UE has not set the “signalling active” flag in the TRACKING AREA UPDATE
REQUEST message;

- the tracking area updating or combined tracking area updating procedure has
been initiated in EMM-IDLE mode; and

- the user plane radio bearers have not been set up;

c) shall start the timer T3440 if the UE receives a DETACH ACCEPT message and
the UE has set the detach type to “IMSI detach” in the DETACH REQUEST message
and user plane radio bearers have not been set up;

d) shall start the timer T3440 if the UE receives a TRACKING AREA UPDATE REJECT
message indicating:

- any of the EMM cause values #9 or #10 and the UE has no CS fallback
emergency call, CS fallback call, 1xCS fallback emergency call, or 1xCS fallback
call pending; or

- the EMM cause values #40, the TRACKING AREA UPDATE message was not triggered
due to receiving a paging for CS fallback or a paging for 1xCS fallback, and the
UE has no CS fallback emergency call, CS fallback call, 1xCS fallback emergency
call, or 1xCS fallback call pending;

e) shall start the timer T3440 if the UE receives a SERVICE REJECT message
indicating any of the EMM cause values #9, #10 or #40 as a response to a
SERVICE REQUEST message CONTROL PLANE SERVICE REQUEST message, or an EXTENDED
SERVICE REQUEST message with service type set to “packet services via S1”;

f) may start the timer T3440 if the UE receives any of the EMM cause values #3,
#6, #7 or #8 or if it receives an AUTHENTICATION REJECT message;

g) shall start the timer T3440 if the UE receives a SERVICE REJECT message
indicating the EMM cause value #39 and the UE has initiated EXTENDED SERVICE
REQUEST in EMM-IDLE and the user plane radio bearers have not been set up; or

h) shall start the timer T3440 if the UE receives a SERVICE REJECT, SERVICE
ACCEPT, ATTACH ACCEPT or TRACKING AREA UPDATE ACCEPT message with control plane
data back-off timer.

Upon expiry of T3440,

- in cases a, b, c, f and h, the UE shall locally release the established NAS
signalling connection; or

- in cases d and e, the UE shall locally release the established NAS signalling
connection and the UE shall initiate the attach procedure as described in
subclause 5.5.3.2.5, 5.5.3.3.5 or 5.6.1.5.

In cases b, c and g,

- upon an indication from the lower layers that the user plane radio bearers are
set up, the UE shall stop timer T3440 and may send uplink signalling via the
existing NAS signalling connection or user data via the user plane bearers. If
the uplink signalling is for CS fallback for emergency call, or for establishing
a PDN connection for emergency bearer services, the UE shall send the uplink
signalling via the existing NAS signalling connection; or

- upon receipt of a DETACH REQUEST message, the UE shall stop timer T3440 and
respond to the network initiated detach as specified in subclause 5.5.2.3.

In case b,

- upon receiving a request from upper layers to send NAS signalling not
associated with establishing either a CS emergency call or a PDN connection for
emergency bearer services, the UE shall wait for the the local release of the
established NAS signalling connection upon expiry of timer T3440 or T3440 being
stopped before proceeding;

- upon receiving a request from upper layers to establish either a CS emergency
call or a PDN connection for emergency bearer services, the UE shall stop timer
T3440 and shall locally release the NAS signalling connection, before proceeding
as specified in subclause 5.6.1;

- upon receipt of ESM DATA TRANSPORT message, as an implementation option, the
UE may reset and restart timer T3440;

- upon receipt of a DOWNLINK NAS TRANSPORT or DOWNLINK GENERIC NAS TRANSPORT
message, the UE which is in EMM-REGISTERED without PDN connections shall stop
timer T3440 and may send uplink signalling via the existing NAS signalling
connection; or

- upon receipt of an ACTIVATE DEFAULT EPS BEARER CONTEXT REQUEST, MODIFY EPS
BEARER CONTEXT REQUEST, DEACTIVATE EPS BEARER CONTEXT REQUEST, DOWNLINK NAS
TRANSPORT or DOWNLINK GENERIC NAS TRANSPORT message, if the UE is using control
plane CIoT EPS optimization, the UE shall stop timer T3440 and may send uplink
signalling via the existing NAS signalling connection.

In case c,

- upon receiving a request from upper layers to send NAS signalling not
associated with establishing a PDN connection for emergency bearer services, the
UE shall wait for the the local release of the established NAS signalling
connection upon expiry of timer T3440 or T3440 being stopped before proceeding;
or

- upon receiving a request from upper layers to establish a PDN connection for
emergency bearer services, the UE shall stop timer T3440 and shall locally
release the NAS signalling connection, before proceeding as specified in
subclause 5.6.1.

In cases d and e,

- upon an indication from the lower layers that the RRC connection has been
released, the UE shall stop timer T3440 and perform a new attach procedure as
specified in subclause 5.5.3.2.5, 5.5.3.3.5 or 5.6.1.5; or

- upon receiving a request from upper layers to establish a PDN connection for
emergency bearer services, the UE shall stop timer T3440 and shall locally
release the NAS signalling connection, before proceeding as specified in
subclause 5.5.1.

In cases a and f,

- upon receiving a request from upper layers to establish a PDN connection for
emergency bearer services, the UE shall stop timer T3440 and shall locally
release the NAS signalling connection, before proceeding as specified in
subclause 5.5.1.

In case g,

- upon receiving a request from upper layers to send NAS signalling not
associated with establishing either a CS emergency call or a PDN connection for
emergency bearer services, the UE shall wait for the the local release of the
established NAS signalling connection upon expiry of timer T3440 or T3440 being
stopped before proceeding; or

- upon receiving a request from upper layers to establish either a CS emergency
call or a PDN connection for emergency bearer services, the UE shall stop timer
T3440 and shall locally release the NAS signalling connection, before proceeding
as specified in subclause 5.6.1.

In case h,

- upon an indication from the lower layers that the user plane radio bearers are
set up or upon receiving a request from upper layers to send NAS signalling not
associated with ESM DATA TRANSPORT, the UE shall stop timer T3440; or

- the UE shall not send ESM DATA TRANSPORT message until expiry of timer T3440
or times T3440 being stopped.

In EMM-CONNECTED mode, if the UE moves to EMM-SERVICE-REQUEST-INITIATED state
upon receipt of a CS SERVICE NOTIFICATION message, the UE shall stop timer
T3440.

In S101 mode, when the cdma2000® HRPD radio access connection has been released,
the UE shall enter EMM-IDLE mode and consider the S101 mode NAS signalling
connection released.

5.3.1.2.2 UE is using EPS services with control plane CIoT EPS optimization

Upon receipt of the indication from the ESM layer to release the NAS signalling
connection (see subclause 6.6.4.2), unless the MME has additional downlink user
data or signalling pending, the MME shall initiate release of the NAS signalling
connection.

5.3.1.3 Suspend and resume of the NAS signalling connection

Suspend of the NAS signalling connection can be initiated by the network in
EMM-CONNECTED mode when user plane CIoT EPS optimization is used. Resume of the
suspended NAS signalling connection is initiated by the UE.

In the UE, when user plane CIoT EPS optimization is used:

- Upon indication from the lower layers that the RRC connection has been
suspended, the UE shall enter EMM-IDLE mode with suspend indication, shall not
consider the NAS signalling connection released and shall not consider the
secure exchange of NAS messages terminated (see subclause 4.4.2.3 and 4.4.5).
Based on further indications provided by the lower layers, the UE shall update
the status of the suspend indication for the EMM-IDLE mode;

- Upon trigger of a procedure using an initial NAS message when in EMM-IDLE mode
with suspend indication, the UE shall:

i) if the initial NAS message is a TRACKING AREA UPDATE REQUEST message which
includes a UE radio capability information update needed IE, enter EMM-IDLE mode
without suspend indication and proceed with the tracking area updating
procedure; and

ii) otherwise, request the lower layer to resume the RRC connection. In this
request to the lower layer the NAS shall provide to the lower layer the RRC
establishment cause and the call type according to annex D of this document;

NOTE 1: In NB-S1 mode, in the request to the lower layer the data volume
information of the initial NAS message is provided to the lower layers.
Interactions between the NAS and the lower layers in order to obtain the data
volume information of the initial NAS message (see 3GPP TS 36.321 [49], 3GPP TS
36.331 [22]) is left to implementations.

- Upon indication from the lower layers that the RRC connection has been resumed
when in EMM-IDLE mode with suspend indication, the UE shall enter EMM-CONNECTED
mode. If the pending NAS message is:

i) a SERVICE REQUEST message;

ii) a CONTROL PLANE SERVICE REQUEST message, and the UE did not include any ESM
message container, NAS message container or EPS bearer context status
information elements; or

iii) an EXTENDED SERVICE REQUEST message, and the Service type information
element indicates “packet services via S1” and the UE did not include any EPS
bearer context status information element,

the message shall not be sent. Otherwise the UE shall cipher the message as
specified in subclause 4.4.5 and send the pending initial NAS message upon
entering EMM-CONNECTED mode;

NOTE 2: If a NAS message is discarded and not sent to the network, the uplink
NAS COUNT value corresponding to that message is reused for the next uplink NAS
message to be sent.

- Upon fallback indication from the lower layers at RRC connection resume when
in EMM-IDLE mode with suspend indication, the UE shall enter EMM-IDLE mode
without suspend indication, send any pending initial NAS message and proceed as
if RRC connection establishment had been requested;

- Upon indication from the lower layers that the RRC connection resume has
failed and indication from the lower layers that the RRC connection is
suspended, the UE shall enter EMM-IDLE mode with suspend indication and restart
the ongoing NAS procedure if required; and

- Upon indication from the lower layers that the RRC connection resume has
failed and indication from the lower layers that the RRC connection is not
suspended, the UE shall enter EMM-IDLE mode without suspend indication and
restart the ongoing NAS procedure if required.

In the network, when user plane CIoT EPS optimization is used:

- Upon indication from the lower layers that the RRC connection has been
suspended, the network shall enter EMM-IDLE mode with suspend indication, shall
not consider the NAS signalling connection released and shall not consider the
secure exchange of NAS messages terminated; and

- Upon indication from the lower layers that the RRC connection has been resumed
when in EMM-IDLE mode with suspend indication, the network shall enter
EMM-CONNECTED mode.

For the case that not all suspended bearers are resumed, see subclause 6.4.4.6.

5.3.2 Lists of forbidden tracking areas

The UE shall store a list of “forbidden tracking areas for roaming”, as well as
a list of “forbidden tracking areas for regional provision of service”. These
lists shall be erased when the UE is switched off or when the UICC containing
the USIM is removed, and periodically (with a period in the range 12 to 24
hours). When the lists are erased, the UE performs cell selection according to
3GPP TS 36.304 [21]. One or more tracking areas is removed from the list of
“forbidden tracking areas for roaming” in the UE, as well as the list of
“forbidden tracking areas for regional provision of service” if, after a
subsequent procedure e.g. attach procedure, tracking area updating procedure and
GUTI reallocation procedure, one or more tracking areas in the lists is received
from the network. If the UE has only one PDN connection established which is for
emergency bearer services, the tracking areas shall not be removed from these
lists if one or more tracking areas in the lists are received from the network.

In S1 mode, the UE shall update the suitable list whenever an ATTACH REJECT,
TRACKING AREA UPDATE REJECT, SERVICE REJECT or DETACH REQUEST message is
received with the EMM cause #12 “tracking area not allowed”, #13 “roaming not
allowed in this tracking area”, or #15 “no suitable cells in tracking area”.

Each list shall accommodate 40 or more TAIs. When the list is full and a new
entry has to be inserted, the oldest entry shall be deleted.

5.3.3 List of forbidden PLMNs for attach in S101 mode

A UE supporting S101 mode shall store a list of “forbidden PLMNs for attach in
S101 mode”. The UE shall erase this list when the UE is switched off or when the
USIM is removed.

In S101 mode, the UE shall add to the “forbidden PLMNs for attach in S101 mode”
list the PLMN identity provided with the indication from the lower layers to
prepare for an S101 mode to S1 mode handover whenever an ATTACH REJECT message
is received with the EMM cause #11 “PLMN not allowed”, #12 “tracking area not
allowed”, #13 “roaming not allowed in this tracking area”, #14 “EPS services
not allowed in this PLMN”, #15 “no suitable cells in tracking area”, or #35
“Requested service option not authorized in this PLMN” as specified in subclause
5.5.1.2.5.

The maximum number of possible entries in the “forbidden PLMNs for attach in
S101 mode” list is implementation dependent, but the list shall accommodate at
least one PLMN identity. When the list is full and a new PLMN identity has to be
inserted, the UE shall delete the oldest PLMN identity.

5.3.3a Forbidden PLMNs for EPS services

The forbidden PLMNs for EPS services are contained in the “forbidden PLMNs for
GPRS service” list, as defined in 3GPP TS 24.008 [13]. The UE updates this list
as part of the attach procedure, tracking area updating procedure and network
initiated detach procedure as described respectively in subclauses 5.5.1, 5.5.3
and 5.5.2.3.2.

5.3.4 Equivalent PLMNs list

The UE shall store a list of equivalent PLMNs. These PLMNs shall be regarded by
the UE as equivalent to each other for PLMN selection and cell
selection/re-selection. The same list is used by EMM, GMM and MM.

The UE shall update or delete this list at the end of each attach or combined
attach or tracking area updating or combined tracking area updating procedure.
The stored list consists of a list of equivalent PLMNs as downloaded by the
network plus the PLMN code of the registered PLMN that downloaded the list. When
the UE is switched off, it shall keep the stored list so that it can be used for
PLMN selection after switch on. The UE shall delete the stored list if the USIM
is removed or when the UE attached for emergency bearer services or access to
RLOS enters the state EMM-DEREGISTERED. The maximum number of possible entries
in the stored list is 16.

5.3.5 Handling of the periodic tracking area update timer and mobile reachable timer (S1 mode only)

The periodic tracking area updating procedure is used to periodically notify the
availability of the UE to the network. The procedure is controlled in the UE by
timer T3412. The value of timer T3412 is sent by the network to the UE in the
ATTACH ACCEPT message and can be sent in the TRACKING AREA UPDATE ACCEPT
message. The UE shall apply this value in all tracking areas of the list of
tracking areas assigned to the UE until a new value is received.

If timer T3412 received by the UE in an ATTACH ACCEPT or TRACKING AREA UPDATE
ACCEPT message contains an indication that the timer is deactivated or the timer
value is zero, then timer T3412 is deactivated and the UE shall not perform the
periodic tracking area updating procedure.

Timer T3412 is reset and started with its initial value, when the UE changes
from EMM-CONNECTED to EMM-IDLE mode. Timer T3412 is stopped when the UE enters
EMM-CONNECTED mode or the EMM-DEREGISTERED state.

If the UE is attached for emergency bearer services, and timer T3412 expires,
the UE shall not initiate a periodic tracking area updating procedure, but shall
locally detach from the network. When the UE is camping on a suitable cell, it
may re-attach to regain normal service.

When a UE is not attached for emergency bearer services, and timer T3412
expires, the periodic tracking area updating procedure shall be started and the
timer shall be set to its initial value for the next start.

If the UE is not attached for emergency bearer services, and is in a state other
than EMM-REGISTERED.NORMAL-SERVICE when timer T3412 expires, the periodic
tracking area updating procedure is delayed until the UE returns to
EMM-REGISTERED.NORMAL-SERVICE.

NOTE 1: When the UE returns to EMM-REGISTERED.NORMAL-SERVICE and it needs to
initiate other EMM procedure than the periodic TAU procedure then, based on UE
implementation, the EMM procedure can take precedence.

If ISR is activated, the UE shall keep both timer T3412 and timer T3312. The two
separate timers run in the UE for updating MME and SGSN independently. The UE
shall start timer T3423, if timer T3412 expires, and timer T3346 is running or
the UE is in one of the following states:

- EMM-REGISTERED.NO-CELL-AVAILABLE;

- EMM-REGISTERED.PLMN-SEARCH;

- EMM-REGISTERED.UPDATE-NEEDED; or

- EMM-REGISTERED.LIMITED-SERVICE.

The UE shall initiate the tracking area updating procedure and stop timer T3423
when it enters state EMM-REGISTERED.NORMAL-SERVICE before timer T3423 expires.
After expiry of timer T3423 the UE shall set its TIN to “P-TMSI”.

If timer T3423 expires the UE shall memorize that it has to initiate a tracking
area updating procedure when it returns to state EMM-REGISTERED.NORMAL-SERVICE.

If the UE is attached to both EPS and non-EPS services, and if timer T3412
expires or timer T3423 expires when the UE is in
EMM-REGISTERED.NO-CELL-AVAILABLE state, then the UE shall initiate the combined
tracking area updating procedure indicating “combined TA/LA updating with IMSI
attach” when the UE returns to EMM-REGISTERED.NORMAL-SERVICE state.

When the network includes T3412 extended value IE in the ATTACH ACCEPT message
or TRACKING AREA UPDATE ACCEPT message, the network uses timer T3412 extended
value IE as the value of timer T3412.

The network supervises the periodic tracking area updating procedure of the UE
by means of the mobile reachable timer.

If the UE is not attached for emergency bearer services, the mobile reachable
timer shall be longer than T3412. In this case, by default, the mobile reachable
timer is 4 minutes greater than timer T3412.

If ISR is not activated, the network behaviour upon expiry of the mobile
reachable timer is network dependent, but typically the network stops sending
paging messages to the UE on the first expiry, and may take other appropriate
actions.

If the UE is attached for emergency bearer services, the MME shall set the
mobile reachable timer with a value equal to timer T3412. When the mobile
reachable timer expires, the MME shall locally detach the UE.

The mobile reachable timer shall be reset and started with the value as
indicated above, when the MME releases the NAS signalling connection for the UE.
The mobile reachable timer shall be stopped when a NAS signalling connection is
established for the UE.

Upon expiry of the mobile reachable timer the network shall start the implicit
detach timer. The value of the implicit detach timer is network dependent. If
ISR is activated, the default value of the implicit detach timer is 4 minutes
greater than timer T3423. If the implicit detach timer expires before the UE
contacts the network, the network shall implicitly detach the UE. If the MME
includes timer T3346 in the TRACKING AREA UPDATE REJECT message or the SERVICE
REJECT message and timer T3346 is greater than timer T3412, the MME sets the
mobile reachable timer and the implicit detach timer such that the sum of the
timer values is greater than timer T3346.

If the network includes the T3324 value IE in the ATTACH ACCEPT message or
TRACKING AREA UPDATE ACCEPT message,and if the UE is not attached for emergency
bearer services and has no PDN connection for emergency bearer services the MME
shall set the active timer to a value equal to the value of timer T3324.

NOTE 2: Timer T3324 is specified in 3GPP TS 24.008 [13].

If the UE has established a PDN connection for emergency services after
receiving the timer T3324 value IE in the ATTACH ACCEPT message or the last
TRACKING AREA UPDATE ACCEPT message, the active timer shall not be started.

The active timer shall be reset and started with the value as indicated above,
when the MME releases the NAS signalling connection for the UE. The active timer
shall be stopped when an NAS signalling connection is established for the UE.

The network behaviour upon expiry of the active timer is network dependent, but
typically the network stops sending paging messages to the UE on the first
expiry, and may take other appropriate actions.

NOTE 3: ISR is not activated when the network includes the T3324 value IE in the
ATTACH ACCEPT message or TRACKING AREA UPDATE ACCEPT message.

The implicit detach timer shall be stopped when a NAS signalling connection is
established for the UE.

5.3.6 Handling of timer T3402

The value of timer T3402 can be sent by the network to the UE in the ATTACH
ACCEPT message and TRACKING AREA UPDATE ACCEPT message. If the value is
different from “deactivated”, the UE shall apply this value in all tracking
areas of the list of tracking areas assigned to the UE, until a new value is
received.

The value of timer T3402 can be sent by the network to the UE in the ATTACH
REJECT message. If an ATTACH REJECT message including timer T3402 value
different from “deactivated”, was received integrity protected, the UE shall
apply this value until a new value is received with integrity protection or a
new PLMN is selected. Otherwise, the default value of this timer is used.

The default value of this timer is also used by the UE in the following cases:

- ATTACH ACCEPT message or TRACKING AREA UPDATE ACCEPT message is received
without a value specified;

- the network indicates that the timer is “deactivated”;

- the UE does not have a stored value for this timer;

- a new PLMN which is not in the list of equivalent PLMNs has been entered, the
tracking area updating fails and the tracking area updating attempt counter is
equal to 5; or

- a new PLMN which is not in the list of equivalent PLMNs has been entered, the
attach procedure fails, the attach attempt counter is equal to 5 and no ATTACH
REJECT message was received from the new PLMN.

5.3.7 Handling of the Local Emergency Numbers List and the Extended Local Emergency Numbers List

The Local Emergency Numbers List and the Extended Local Emergency Numbers list
contain additional local emergency numbers used by the serving network. These
lists can be downloaded by the network to the UE at successful registration and
subsequent registration updates. There is only one Local Emergency Numbers List
and only one Extended Local Emergency Numbers list in the UE. The Local
Emergency Numbers List can be updated with EMM procedures if the UE is in S1
mode, with GMM and MM procedures if the UE is in A/Gb or Iu mode, and with 5GMM
procedures, as specified in 3GPP TS 24.501 [54], if UE is in N1 mode. The
Extended Local Emergency Numbers List can be updated with EMM procedures if the
UE is in S1 mode and with 5GMM procedures, as specified in 3GPP TS 24.501 [54],
if UE is in N1 mode.

The UE shall use the stored Local Emergency Numbers List and the stored Extended
Local Emergency Numbers List received from the network in addition to the
emergency numbers stored on the USIM or user equipment to detect that the number
dialled is an emergency number.

If the UE determines that the number dialled is an emergency number, the
procedures specified in 3GPP TS 23.167 [45] and 3GPP TS 24.229 [13D] are
utilised to select a domain for the emergency session attempt.

If the domain selected for the emergency session attempt is the PS domain, then
the UE shall perform the session establishment procedures specified in 3GPP TS
24.229 [13D] to initiate an emergency session.

If the domain selected for the emergency session attempt is the CS domain (e.g.
the UE has selected GERAN or UTRAN radio access technology), then the UE shall
use the stored Local Emergency Numbers List, in addition to the emergency
numbers stored on the USIM and the ME, to determine if:

- the UE is to send an EXTENDED SERVICE REQUEST message:

  1. for CS fallback, indicating “mobile originating CS fallback or 1xCS
    fallback”; or

  2. for CS fallback for emergency call, indicating “mobile originating CS
    fallback emergency call or 1xCS fallback emergency call”; and

- the call control entity of the UE specified in 3GPP TS 24.008 [13] is to send
an EMERGENCY SETUP message or a SETUP message to the network.

NOTE 1: The checking of whether the dialled number is an emergency number and
the determination of whether an emergency call is to be initiated in the CS
domain, can end once a match is found. The Extended Local Emergency Numbers List
does not apply when the CS domain is selected.

NOTE 2: The user equipment can use the emergency numbers in each of the stored
lists to assist the end user in determining whether the dialled number is
intended for an emergency service or for another destination, e.g. a local
directory service. The possible interactions with the end user are
implementation specific.

NOTE 3: A UE that supports procedures specified in 3GPP TS 24.302 [48], can get
additional local emergency numbers through those procedures, which can be used
based on operator policy, see 3GPP TS 24.302 [48].

The network may send a Local Emergency Numbers List or an Extended Local
Emergency Numbers List or both, in the ATTACH ACCEPT or in the TRACKING AREA
UPDATE ACCEPT messages, by including the Emergency number list IE and the
Extended emergency number list IE, respectively. The user equipment shall store
the Local Emergency Numbers List and the Extended Local Emergency Numbers List,
as provided by the network. The Local Emergency Numbers List stored in the user
equipment shall be replaced on each receipt of the Emergency number list IE. The
Extended Local Emergency Numbers List stored in the user equipment shall be
replaced on each receipt of the Extended emergency number list IE. The received
Local Emergency Numbers List or the received Extended Local Emergency Numbers
list or both shall be provided to the upper layers.

The emergency number(s) received in the Emergency number list IE are valid only
in networks in the same country as the PLMN from which this IE is received. If
no Local Emergency Numbers List is contained in the ATTACH ACCEPT or in the
TRACKING AREA UPDATE ACCEPT message, then the stored Local Emergency Numbers
List in the user equipment shall be kept, except if the user equipment has
successfully registered to a PLMN in a country different from that of the PLMN
that sent the list.

The emergency number(s) received in the Extended emergency number list IE are
valid only in:

- networks in the same country as the PLMN from which this IE is received, if
the Extended Emergency Number List Validity (EENLV) field within the Extended
emergency number list IE indicates “Extended Local Emergency Numbers List is
valid in the country of the PLMN from which this IE is received”; and

- the PLMN from which this IE is received, if the EENLV field within the
Extended emergency number list IE indicates “Extended Local Emergency Numbers
List is valid only in the PLMN from which this IE is received”.

If no Extended Local Emergency Numbers List is contained in the ATTACH ACCEPT or
in the TRACKING AREA UPDATE ACCEPT message, and the registered PLMN has not
changed, then the stored Extended Local Emergency Numbers List in the user
equipment shall be kept. If no Extended Local Emergency Numbers List is
contained in the ATTACH ACCEPT or in the TRACKING AREA UPDATE ACCEPT message,
but the registered PLMN has changed, then:

- if the last received indication in the EENLV field within the Extended
emergency number list IE indicates “Extended Local Emergency Numbers List is
valid only in the PLMN from which this IE is received”, the stored Extended
Local Emergency Numbers List in the user equipment shall be deleted; and

- if the last received indication in the EENLV field within the Extended
emergency number list IE indicates “Extended Local Emergency Numbers List is
valid in the country of the PLMN from which this IE is received” the list shall
be kept except if the user equipment has successfully registered to a PLMN in a
country different from that of the PLMN that sent the list.

NOTE: To prevent the misrouting of emergency calls, all operators within a
country need to follow the regulation or agree on the setting of the Extended
emergency number list IE in accordance to national agreement – either to
indicate validity within a country or to indicate validity only within the PLMN.

The Local Emergency Numbers List and the Extended Local Emergency Numbers List
shall be deleted at switch off and removal of the USIM. The user equipment shall
be able to store up to ten entries in the Local Emergency Numbers List and up to
twenty entries in the Extended Local Emergency Numbers List, received from the
network.

5.3.7a Specific requirements for UE configured to use timer T3245

The following requirement applies for an UE that is configured to use timer
T3245 (see 3GPP TS 24.368 [15A] or 3GPP TS 31.102 [17]):

When the UE adds a PLMN identity to the “forbidden PLMN list”, the “forbidden
PLMNs for attach in S101 mode” list, or the “forbidden PLMNs for GPRS service”
list or sets the USIM as invalid for non-EPS services or EPS services or both,
and timer T3245 (see 3GPP TS 24.008 [13]) is not running, the UE shall start
timer T3245 as specified in 3GPP TS 24.008 [13], subclause 4.1.1.6.

Upon expiry of the timer T3245, the UE shall erase the “forbidden PLMN list”,
the “forbidden PLMNs for GPRS service” list, and the “forbidden PLMNs for attach
in S101 mode” list and set the USIM to valid for non-EPS and EPS services. When
the lists are erased, the UE performs cell selection according to 3GPP TS 36.304
[21].

If the UE is switched off when the timer T3245 is running, the UE shall behave
as follows when the UE is switched on and the USIM in the UE remains the same:

- let t1 be the time remaining for T3245 timeout at switch off and let t be the
time elapsed between switch off and switch on. If t1 is greater than t, then the
timer shall be restarted with the value t1 – t. If t1 is equal to or less than
t, then the UE will follow the behaviour as defined in the paragraph above upon
expiry of the timer T3245. If the UE is not capable of determining t, then the
UE shall restart the timer with the value t1.

5.3.7b Specific requirements for UE when receiving non-integrity protected reject messages

This subclause specifies the requirements for a UE that is not configured to use
timer T3245 (see 3GPP TS 24.368 [15A] or 3GPP TS 31.102 [17]) and receives an
ATTACH REJECT, TRACKING AREA UPDATE REJECT or SERVICE REJECT message without
integrity protection with specific EMM causes.

NOTE 1: Additional UE requirements for this case, requirements for other EMM
causes, and requirements for the case when the UE receives an integrity
protected reject message are specified in subclauses 5.5.1, 5.5.3 and 5.6.1.

The UE may maintain a list of PLMN-specific attempt counters and a list of
PLMN-specific PS-attempt counters (see 3GPP TS 24.008 [13]). The maximum number
of possible entries in each list is implementation dependent.

Additionally, the UE may maintain one counter for “SIM/USIM considered invalid
for non-GPRS services” events and one counter for “SIM/USIM considered invalid
for GPRS services” events (see 3GPP TS 24.008 [13]).

If the UE receives an ATTACH REJECT, TRACKING AREA UPDATE REJECT or SERVICE
REJECT message without integrity protection with EMM cause value #3, #6, #7,
#8, #11, #12, #13, #14, #15, #31 or #35 before the network has
established secure exchange of NAS messages for the NAS signalling connection,
the UE shall start timer T3247 (see 3GPP TS 24.008 [13]) with a random value
uniformly drawn from the range between 30 minutes and 60 minutes, if the timer
is not running, and take the following actions:

  1. if the EMM cause value received is #3, #6, #7 or #8, and

a) if the UE maintains a counter for “SIM/USIM considered invalid for GPRS
services” events and the counter has a value less than a UE
implementation-specific maximum value, the UE shall:

i) set the EPS update status to EU3 ROAMING NOT ALLOWED (and shall store it
according to subclause 5.1.3.3) and shall delete any GUTI, last visited
registered TAI, TAI list and eKSI;

- delete the list of equivalent PLMNs;

- increment the counter for “SIM/USIM considered invalid for GPRS services”
events;

- if the EMM cause value received is #3, #6 or #8, and if the UE maintains a
counter for “SIM/USIM considered invalid for non-GPRS services” and the counter
has a value less than a UE implementation-specific maximum value, increment the
counter;

- if an attach or tracking area updating procedure was performed, reset the
attach attempt counter or the tracking area updating attempt counter,
respectively;

- if A/Gb mode or Iu mode is supported by the UE, handle the GMM parameters GPRS
attach attempt counter or routing area updating attempt counter, GMM state, GPRS
update status, P-TMSI, P-TMSI signature, RAI, GPRS ciphering key sequence number
as specified in 3GPP TS 24.008 [13] for the case when the GPRS attach or routing
area updating procedure is rejected with the GMM cause of the same value in a
NAS message without integrity protection;

- If the UE is operating in single-registration mode, the UE shall in addition
handle the 5GMM parameters 5GMM state, 5GS update status, 5G-GUTI, TAI list,
ngKSI as specified in 3GPP TS 24.501 [54] for the case when the registration
request procedure performed over 3GPP access is rejected with the 5GMM cause
with the same value in a NAS message without integrity protection.

- store the current TAI in the list of “forbidden tracking areas for roaming”,
memorize the current TAI was stored in the list of “forbidden tracking areas for
roaming” for non-integrity protected NAS reject message and enter the state
EMM-DEREGISTERED.LIMITED-SERVICE; and

- search for a suitable cell in another tracking area or in another location
area according to 3GPP TS 36.304 [21]; or

ii) proceed as specified in subclauses 5.5.1, 5.5.3 and 5.6.1;

- increment the counter for “SIM/USIM considered invalid for GPRS services”
events; and

- if the EMM cause value received is #3, #6 or #8, and if the UE maintains a
counter for “SIM/USIM considered invalid for non-GPRS services” and the counter
has a value less than a UE implementation specific maximum value, increment the
counter; and

b) else the UE shall proceed as specified in subclauses 5.5.1, 5.5.3 and 5.6.1;

  1. if the EMM cause value received is #12, #13 or #15, the UE shall
    additionally proceed as specified in subclauses 5.5.1, 5.5.3 and 5.6.1;

  2. if the EMM cause value received is #11, #14 or #35 and the UE is in its
    HPLMN or EHPLMN,

- the UE shall set the EPS update status to EU3 ROAMING NOT ALLOWED (and shall
store it according to subclause 5.1.3.3) and shall delete any GUTI, last visited
registered TAI, TAI list and eKSI. The UE shall delete the list of equivalent
PLMNs. Additionally, if an attach or tracking area updating procedure was
performed, the UE shall reset the attach attempt counter or the tracking area
updating attempt counter, respectively.

- if A/Gb mode or Iu mode is supported by the UE, the UE shall in addition
handle the GMM parameters GMM state, GPRS update status, P-TMSI, P-TMSI
signature, RAI, GPRS ciphering key sequence number and GPRS attach attempt
counter or routing area updating attempt counter as specified in 3GPP TS 24.008
[13] for the case when the procedure is rejected with the GMM cause with the
same value in a NAS message without integrity protection;

- If the UE is operating in single-registration mode, the UE shall in addition
handle the 5GMM parameters 5GMM state, 5GS update status, 5G-GUTI, TAI list,
ngKSI as specified in 3GPP TS 24.501 [54] for the case when the registration
request procedure performed over 3GPP access is rejected with the 5GMM cause
with the same value in a NAS message without integrity protection.

- the UE shall store the current TAI in the list of “forbidden tracking areas
for roaming”, memorize the current TAI was stored in the list of “forbidden
tracking areas for roaming” for non-integrity protected NAS reject message and
enter the state EMM-DEREGISTERED.LIMITED-SERVICE; and

- the UE shall search for a suitable cell in another tracking area or in another
location area in the same PLMN according to 3GPP TS 36.304 [21];

  1. if the EMM cause value received is #11 or #35 and the UE is not in its
    HPLMN or EHPLMN, in addition to the UE requirements specified in subclause
    5.5.1, 5.5.3 and 5.6.1,

if the UE maintains a list of PLMN-specific attempt counters and the
PLMN-specific attempt counter for the PLMN sending the reject message has a
value less than a UE implementation-specific maximum value, the UE shall
increment the PLMN-specific attempt counter for the PLMN; and

  1. if the EMM cause value received is #14 and the UE is not roaming in its
    HPLMN or EHPLMN, in addition to the UE requirements specified in subclause5.5.1,
    5.5.3 and 5.6.1,

if the UE maintains a list of PLMN-specific PS-attempt counter and the
PLMN-specific PS-attempt counter of the PLMN sending the reject message has a
value less than a UE implementation-specific maximum value, the UE shall
increment the PS-attempt counter of the PLMN.

  1. if the EMM cause value received is #31 for a UE that has indicated support
    for CIoT optimizations, the UE may discard the message or alternatively the UE
    should:

- set the EPS update status to EU3 ROAMING NOT ALLOWED (and shall store it
according to subclause 5.1.3.3);

- store the current TAI in the list of “forbidden tracking areas for roaming”,
memorize the current TAI was stored in the list of “forbidden tracking areas for
roaming” for non-integrity protected NAS reject message; and

- search for a suitable cell in another tracking area according to 3GPP TS
36.304 [21].

Upon expiry of timer T3247, the UE shall

- remove all tracking areas from the list of “forbidden tracking areas for
regional provision of service” and the list of “forbidden tracking areas for
roaming”, which were stored in these lists for non-integrity protected NAS
reject message;

- set the USIM to valid for EPS services, if

- the UE does not maintain a counter for “SIM/USIM considered invalid for GPRS
services” events; or

- the UE maintains a counter for “SIM/USIM considered invalid for GPRS services”
events and this counter has a value less than a UE implementation-specific
maximum value;

- set the USIM to valid for non-EPS services, if

- the UE does not maintain a counter for “SIM/USIM considered invalid for
non-GPRS services” events; or

- the UE maintains a counter for “SIM/USIM considered invalid for non-GPRS
services” events and this counter has a value less than a UE
implementation-specific maximum value;

- if the UE maintains a list of PLMN-specific attempt counters, for each
PLMN-specific attempt counter that has a value greater than zero and less than a
UE implementation-specific maximum value, remove the respective PLMN from the
forbidden PLMN list;

- if the UE maintains a list of PLMN-specific PS-attempt counters, for each
PLMN-specific PS-attempt counter that has a value greater than zero and less
than a UE implementation-specifc maximum value, remove the respective PLMN from
the “forbidden PLMNs for GPRS service” list. If the resulting “forbidden PLMNs
for GPRS service” list is empty, the UE shall re-enable the E-UTRA capability
(see subclause 4.5);

- if the UE is supporting A/Gb mode or Iu mode, handle the list of “forbidden
location areas for regional provision of service” and the list of “forbidden
location areas for roaming” as specified in 3GPP TS 24.008 [13] for the case
when timer T3247 expires;

- if the UE is supporting A/Gb mode or Iu mode and maintains a list of
“forbidden location areas for non-GPRS services” and a list of “forbidden
location areas for GPRS services”, handle these lists as specified in 3GPP TS
24.008 [13] for the case when timer T3247 expires; and

- initiate an EPS attach procedure or tracking area updating procedure, if still
needed, dependent on EMM state and EPS update status, or perform PLMN selection
according to 3GPP TS 23.122 [6].

If the UE maintains a list of PLMN-specific attempt counters and PLMN-specific
PS-attempt counters, when the UE is switched off, the UE shall, for each
PLMN-specific attempt counter that has a value greater than zero and less than
the UE implementation-specific maximum value, remove the respective PLMN from
the forbidden PLMN list. When the USIM is removed, the UE should perform this
action.

The PLMN-specific attempt counter and the PLMN-specific PS-attempt counter shall
be reset when the UICC containing the USIM is removed or the PLMN is added to a
list of “forbidden PLMNs” in the USIM as specified in 3GPP TS 23.122 [6].

NOTE 2: If the respective PLMN was stored in the extension of the “forbidden
PLMNs” list, then according to 3GPP TS 23.122 [6] the UE will delete the
contents of this extension when the USIM is removed.

5.3.8 Abnormal cases in the UE

The following abnormal case can be identified:

a) EMM uplink message transmission failure indication by lower layers

When it is specified in the relevant procedure that it is up to the UE
implementation to rerun the ongoing procedure that triggered that procedure, the
procedure can typically be re-initiated using a retransmission mechanism of the
uplink message (the one that has previously failed to be transmitted) with new
sequence number and message authentication code information thus avoiding to
restart the whole procedure.

5.3.9 Handling of NAS level mobility management congestion control

The network may detect EMM signalling congestion and perform NAS level mobility
management congestion control. NAS level mobility management congestion control
consists of general NAS level mobility management congestion control and
subscribed APN based congestion control.

Under general overload conditions the network may reject mobility management
signalling requests from UEs as specified in 3GPP TS 23.401 [10]. The network
should not reject the following requests:

- requests for emergency bearer services;

- DETACH REQUEST message;

- service request or tracking area update request triggered by paging ;

- requests from UEs that were received via NAS signalling connections
established with RRC establishment cause “High priority access AC 11 – 15”; and

- requests for CS fallback emergency call or 1xCS fallback emergency call.

When subscribed APN based mobility management congestion control is active for a
particular APN, the network may reject attach requests from UEs with a
subscription to this APN.

In mobility management the network may detect NAS signalling congestion and
start or stop performing the subscribed APN based congestion control based on
mobility management level criteria such as:

- rate of mobility management NAS messages from a group of UEs with a
subscription to a particular APN exceeds or falls below certain thresholds;
and/or

- setting in network management.

When the NAS level mobility management congestion control is active, the network
may include a value for the mobility management back-off timer T3346 in the
reject messages. The UE starts the timer T3346 with the value received in the
mobility management reject messages. To avoid that large numbers of UEs
simultaneously initiate deferred requests, the network should select the value
for the timer T3346 for the rejected UEs so that timeouts are not synchronised.

For subscribed APN based congestion control the value of timer T3346 for a
particular APN may be APN dependent.

If the timer T3346 is running when the UE enters state EMM-DEREGISTERED, the UE
remains switched on, and the USIM in the UE remains the same, then timer T3346
is kept running until it expires or it is stopped.

If the UE is switched off when the timer T3346 is running, the UE shall behave
as follows when the UE is switched on and the USIM in the UE remains the same:

- let t1 be the time remaining for T3346 timeout at switch off and let t be the
time elapsed between switch off and switch on. If t1 is greater than t, then the
timer shall be restarted with the value t1 – t. If t1 is equal to or less than
t, then the timer need not be restarted. If the UE is not capable of determining
t, then the UE shall restart the timer with the value t1; and

- if prior to switch off, timer T3346 was started due to a NAS request message
(ATTACH REQUEST, TRACKING AREA UPDATE REQUEST, CONTROL PLANE SERVICE REQUEST or
EXTENDED SERVICE REQUEST) which contained the low priority indicator set to “MS
is configured for NAS signalling low priority”, then if timer T3346 is restarted
at switch on, the UE configured for dual priority shall handle mobility
management requests as indicated in subclauses 5.5.1.2.6, 5.5.3.2.6 and 5.6.1.6.

If the UE enters a new PLMN while timer T3346 is running, and the new PLMN is
not equivalent to the PLMN where the UE started timer T3346, the UE shall stop
timer T3346 when initiating mobility management procedures in the new PLMN.

After change in TAI which is not part of TAI list, if the timer T3346 is running
and EMM update status is EU1 UPDATED then UE shall set the EMM update status to
EU2 NOT UPDATED and enter state EMM-REGISTERED.ATTEMPTING-TO-UPDATE.

5.3.9A Handling of congestion control for transport of user data via the control plane

The network may activate congestion control for transport of user data via the
control plane, as specified in 3GPP TS 23.401 [10].

If the congestion control for transport of user data via the control plane is
active and if the UE has indicated support for the control plane data back-off
timer, the network shall include a value for the control plane data back-off
timer T3448 in ATTACH ACCEPT, TRACKING AREA UPDATE ACCEPT, SERVICE ACCEPT or
SERVICE REJECT message, and shall store an control plane data back-off time on a
per UE basis. The UE starts the timer T3448 with the value informed in the
message. To avoid that large numbers of UEs simultaneously initiate deferred
requests, the network should select the value for the timer T3448 for the
informed UEs so that timeouts are not synchronised.

The network sends TRACKING AREA UPDATE ACCEPT message or SERVICE ACCEPT message
without T3448 value IE to stop the timer T3448 running in the UE as specified in
subclause 5.5.3.2.4 and subclause 5.6.1.4.2.

Based on the stored control plane data back-off time for the UE, the network may
reject the transfer of user data via the control plane initiated by the UE.

While the timer T3448 is running, the UE in EMM-IDLE mode shall not initiate the
transport of user data via the control plane procedure (see subclause 6.6.4),
except if the UE is allowed to use exception data reporting (see the
ExceptionDataReportingAllowed leaf of the NAS configuration MO in 3GPP TS 24.368
[15A] or the USIM file EFNASCONFIG in 3GPP TS 31.102 [17]) and the user data is
related to an exceptional event.

Upon entering the state EMM-DEREGISTERED or a new PLMN which is not equivalent
to the PLMN where the UE started the timer T3448, or upon being switched off
while the timer T3448 is running, the UE shall stop the timer T3448. For further
criteria to stop of timer T3448, refer to subclause 5.5.3.2.4 and subclause
5.6.1.4.2.

5.3.10 Access class control

The network can restrict the access for certain groups of UEs by means of
barring their access class.

The UE shall evaluate the access control information as specified in 3GPP TS
36.331 [22] for:

- Access Class Barring;

- Access Control for CSFB and Extended Access Barring (EAB);

- Access Control for Application specific Congestion control for Data
Communication (ACDC), if the UE supports ACDC; and

- Access Barring.

5.3.11 Power saving mode

The UE can request the use of power saving mode (PSM) during an attach or
tracking area updating procedure (see 3GPP TS 23.682 [11A] and 3GPP TS 23.401
[10]). The UE shall not request the use of PSM during:

- an attach for emergency bearer services procedure;

- an attach procedure for initiating a PDN connection for emergency bearer
services with attach type not set to “EPS emergency attach”;

- a tracking area updating procedure for initiating a PDN connection for
emergency bearer services;

- a tracking area updating procedure when the UE has a PDN connection
established for emergency bearer services; or

- an attach for access to RLOS.

The network accepts the use of PSM by providing a specific value for timer T3324
when accepting the attach or tracking area updating procedure. The UE may use
PSM only if the network has provided the T3324 value IE during the last attach
or tracking area updating procedure with a value different from “deactivated”.

NOTE: Timer T3324 is specified in 3GPP TS 24.008 [13].

Upon expiry of the timer T3324 or if the T3324 value provided by the network is
zero, the UE may deactivate the AS layer and activate PSM by entering the state
EMM-REGISTERED.NO-CELL-AVAILABLE if:

a) the UE is not attached for emergency bearer services;

b) the UE has no PDN connection for emergency bearer services;

c) the UE is in EMM-IDLE mode;

d) in the EMM-REGISTERED.NORMAL-SERVICE state; and

e) the UE is not attached for access to RLOS.

If conditions a, b, c and e are fulfilled, but the UE is in a state other than
EMM-REGISTERED.NORMAL-SERVICE when timer T3324 expires, the UE may activate PSM
when the MS returns to state EMM-REGISTERED.NORMAL-SERVICE.

A UE that has already been allocated timer T3324 with a value different from
“deactivated” and the timer T3324 has expired, may activate PSM if it receives
an “Extended wait time” from lower layers.

When PSM is activated all NAS timers are stopped and associated procedures
aborted except for T3412, T3346, T3396, T3447, any backoff timers, and the timer
T controlling the periodic search for HPLMN or EHPLMN or higher prioritized
PLMNs (see 3GPP TS 23.122 [6]).

If the UE is attached for emergency bearer services or has a PDN connection for
emergency bearer services, the UE shall not activate PSM.

If the UE is attached for access to RLOS, the UE shall not activate PSM.

The UE may deactivate PSM and activate the AS layer at any time. Upon
deactivating PSM, the UE may initiate EMM procedures (e.g. for the transfer of
mobile originated signalling or user data).

5.3.12 Extended idle-mode DRX cycle

The UE may request the use of extended idle-mode DRX cycle (eDRX) during an
attach or tracking area updating procedure by including the extended DRX
parameters IE (see 3GPP TS 23.682 [11A] and 3GPP TS 23.401 [10]). The UE shall
not request the use of eDRX during:

- an attach for emergency bearer services procedure;

- a tracking area updating procedure for the UE attached for emergency bearer
services; or

- an attach for access to RLOS.

The UE and the network may negotiate eDRX parameters during a tracking area
updating procedure when the UE has a PDN connection for emergency bearer
services.

The network accepts the request to use the eDRX by providing the extended DRX
parameters IE when accepting the attach or the tracking area updating procedure.
The UE shall use eDRX only if it received the extended DRX parameters IE during
the last attach or tracking area updating procedure and the UE does not have a
PDN connection for emergency bearer services.

NOTE: If the UE wants to keep using eDRX, the UE includes the extended DRX
parameters IE in each attach or tracking area updating procedure.

If the UE received the extended DRX parameters IE during the last attach or
tracking area updating procedure, upon successful completion of the PDN
disconnect procedure of the PDN connection for emergency bearer services or EPS
bearer context deactivation procedure of the EPS bearer context for emergency,
the UE shall resume eDRX.

If the network has provided the extended DRX parameters IE during the last
attach or tracking area updating procedure, upon successful completion of the
PDN disconnect procedure of the PDN connection for emergency bearer services or
EPS bearer context deactivation procedure of the EPS bearer context for
emergency, the network shall resume eDRX.

If the UE or the network locally releases the PDN connection for emergency
bearer service, the UE or the network shall not use eDRX until the UE receives
eDRX parameters during a tracking area updating procedure with EPS bearer
context synchronization or upon successful completion of a service request
procedure.

If the UE did not receive the extended eDRX parameters IE, or if the UE has a
PDN connection for emergency bearer services, the UE shall use the stored UE
specific DRX parameter, if available.

If the network did not accept the request to use eDRX, or if the UE has a PDN
connection for emergency bearer services, the network shall use the stored UE
specific DRX parameter, if available.

If the network provided the extended DRX parameters IE which was different from
the one requested by the UE and also assigned a new GUTI for the UE as described
in subclause 5.5.3.2.4 during the last tracking area updating procedure, the
network shall use the stored UE specific DRX parameter, if available, with the
old GUTI and use the eDRX provided by the network with the new GUTI until the
old GUTI can be considered as invalid by the network (see subclause 5.4.1.4).

5.3.13 Interaction between power saving mode and extended idle mode DRX cycle

The UE can request the use of both PSM and eDRX during an attach or tracking
area updating procedure but it is up to the network to decide to enable none,
one of them or both (see 3GPP TS 23.682 [11A] and 3GPP TS 23.401 [10]).

If the network accepts the use of both PSM (see subclause 5.3.11) and eDRX (see
subclause 5.3.12), the extended DRX parameters IE provided to the UE should
allow for multiple paging occasions before the active timer expires.

5.3.14 Dedicated core network

The network may reject mobility management signalling requests from UEs due to
dedicated core network as specified in 3GPP TS 23.401 [10]. When the network
rejects mobility management signalling requests due to dedicated core network,
the mechanism for general NAS level mobility management congestion control as
specified in subclause 5.3.9 shall be followed.

5.3.15 CIoT EPS optimizations

CIoT EPS optimizations provide improved support of small data and SMS transfer.
A UE supporting CIoT EPS optimizations can indicate the CIoT network behaviour
the UE can support and prefers to use during attach or tracking area updating
procedure (see 3GPP TS 23.401 [10]). The UE may indicate the support for control
plane CIoT EPS optimization, user plane CIoT EPS optimization, EMM-REGISTERED
without PDN connection, S1-U data transfer and header compression (see subclause
9.9.3.34). The UE may also request to use SMS transfer without combined attach
procedure during the attach procedure. Furthermore, the UE may, separately from
the indication of support, indicate preference for control plane CIoT EPS
optimization or user plane CIoT EPS optimization (see subclause 9.9.3.0B). The
indication of preference is also considered as the request to use. A UE
supporting CIoT 5GS optimizations can also indicate the 5GS CIoT network
behaviour the UE can support during attach or tracking area updating procedure.
Furthermore, the UE may, separately from the indication of support, indicate
preference for control plane CIoT 5GS optimization or user plane CIoT 5GS
optimization.

NOTE 1: The UE supporting control plane CIoT EPS optimization and S1-U data
transfer but not user plane CIoT EPS optimization does not indicate preference
for user plane CIoT EPS optimization.

The UE can be in NB-S1 mode or WB-S1 mode when requesting the use of CIoT EPS
optimizations during an attach or tracking area updating procedure. A UE in
NB-S1 mode always indicates support for control plane CIoT EPS optimization. A
UE in NB-S1 mode can also request SMS transfer without combined procedure by
using the normal attach or tracking area updating procedure (see subclause 5.5.1
and 5.5.3).

In NB-S1 mode, the UE, when requesting the use of CIoT EPS optimization, does
not:

- request an attach for emergency bearer services procedure;

- request an attach procedure for initiating a PDN connection for emergency
bearer services with attach type not set to “EPS emergency attach”;

- indicate voice domain preference and UE’s usage setting; or

- request an attach for access to RLOS.

The network does not indicate to the UE support of emergency bearer services
when the UE is in NB-S1 mode (see subclause 5.5.1.2.4 and 5.5.3.2.4).

The control plane CIoT EPS optimization enables support of efficient transport
of user data (IP, non-IP, Ethernet) or SMS messages over control plane via the
MME without triggering data radio bearer establishment. The support of control
plane CIoT EPS optimization is mandatory for the network in NB-S1 mode and
optional in WB-S1 mode. Optional header compression of IP data can be applied to
IP PDN type PDN connections that are configured to support header compression.

The user plane CIoT EPS optimization enables support for change from EMM-IDLE
mode to EMM-CONNECTED mode without the need for using the service request
procedure (see subclause 5.3.1.3).

If the UE indicates support of EMM-REGISTERED without PDN connection in the
attach request, the UE may include an ESM DUMMY MESSAGE instead of a PDN
CONNECTIVITY REQUEST message as part of the attach procedure. If the
EMM-REGISTERED without PDN connection is supported by the network, the UE and
the network can at any time release all the PDN connections and the UE still
remains EPS attached.

NOTE 2: For both the UE and the network, the term “EMM-REGISTERED without PDN
connection” is equivalent to the term “EPS attach without PDN connectivity” as
specified in 3GPP TS 23.401 [10].

In NB-S1 mode, if the UE indicates “SMS only” during a normal attach or tracking
area updating procedure, the MME supporting CIoT EPS optimisations provides SMS
so that the UE is not required to perform a combined attach or tracking area
updating procedure.

If the UE supports user plane CIoT EPS optimization, it shall also support S1-U
data transfer.

If the UE indicates support of one or more CIoT EPS optimizations and the
network supports one or more CIoT EPS optimizations and decides to accept the
attach or tracking area update request, the network indicates the supported CIoT
EPS optimizations to the UE per TAI list when accepting the UE request. Network
indication of support is interpreted by the UE as the acceptance to use the
respective feature. After completion of the attach or tracking area updating
procedure, the UE and the network can then use the accepted CIoT EPS
optimizations for the transfer of user data (IP, non-IP, Ethernet and SMS).

The UE supporting control plane CIoT EPS optimization may indicate support for
control plane MT-EDT during the attach or tracking area updating procedure. For
a UE that supports control plane MT-EDT and for which the network has accepted
the use of control plane CIoT EPS optimization, the network may trigger the
delivery of downlink data to the UE, when available, using procedures for
control plane MT-EDT as specified in 3GPP TS 23.401 [10].

The UE supporting user plane CIoT EPS optimization may indicate support for user
plane MT-EDT during the attach or tracking area updating procedure. For a UE
that supports user plane MT-EDT and for which the network has accepted the use
of user plane CIoT EPS optimization, the network may trigger the delivery of
downlink data to the UE, when available, using procedures for user plane MT-EDT
as specified in 3GPP TS 23.401 [10].

If the UE and the network support both the control plane CIoT EPS optimization
and S1-U data transfer, then when receiving the UE’s request for a PDN
connection, the MME decides whether the PDN connection should be SCEF PDN
connection or SGi PDN connection as specified in 3GPP TS 23.401 [10]:

- if SCEF PDN connection is to be established for non-IP data type, the MME
shall include Control plane only indication for the requested PDN connection;

- if SGi PDN connection is to be established and existing SGi PDN connections
for this UE were established with Control plane only indication, the MME shall
include Control plane only indication for the newly requested SGi PDN
connection;

- if SGi PDN connection is to be established and existing SGi PDN connections
for this UE were established without Control plane only indication, the MME
shall not include Control plane only indication for the newly requested SGi PDN
connection; and

- if SGi PDN connection is to be established and no SGi PDN connection for this
UE exists, the MME determine whether to include Control plane only indication
for the requested SGi PDN connection based on local policies, the UE’s preferred
CIoT network behaviour and the supported CIoT network behaviour.

If the network supports user plane CIoT EPS optimization, it shall also support
S1-U data transfer.

Broadcast system information may provide information about support of CIoT EPS
optimizations (see 3GPP TS 36.331 [22]). At reception of new broadcast system
information, the lower layers deliver it to the EMM layer in the UE. The
information provided by lower layers is per PLMN and used by the UE to determine
whether certain CIoT EPS optimizations are supported in the cell.

The UE shall not attempt to use CIoT EPS optimizations which are indicated as
not supported.

In NB-S1 mode, when the UE requests the lower layer to establish a RRC
connection and the UE requests the use of EMM-REGISTERED without PDN connection
or user plane CIoT EPS optimization, the UE shall pass an indication of the
requested CIoT EPS optimizations to the lower layers. If the UE requests the use
of S1-U data transfer without user plane CIoT optimization, then the UE shall
also pass an indication of user plane CIoT EPS optimization to lower layers.

In WB-S1 mode, when the UE requests the lower layer to establish a RRC
connection and the UE requests the use of EMM-REGISTERED without PDN connection,
control plane CIoT EPS optimization or user plane CIoT EPS optimization, the UE
shall pass an indication of the requested CIoT EPS optimizations to the lower
layers.

5.3.16 Restriction on use of enhanced coverage

In order to deal with use of extensive resources from the network, the operator
may prevent specific subscribers from using enhanced coverage (see 3GPP TS
23.401 [10]). When in NB-S1 mode, the UE shall indicate support for restriction
on use of enhanced coverage. When in WB-S1 mode, the UE supporting either CE
mode A or CE mode B shall indicate support for restriction on use of enhanced
coverage. The UE supporting restriction on use of enhanced coverage indicates
its support for restriction on use of enhanced coverage in the ATTACH REQUEST
and TRACKING AREA UPDATE REQUEST message. If the UE supports restriction on use
of enhanced coverage, the MME indicates whether the use of enhanced coverage is
restricted or not in the ATTACH ACCEPT message and TRACKING AREA UPDATE ACCEPT
message (see subclause 5.5.1.2 and subclause 5.5.3.2). If the use of enhanced
coverage is restricted, the UE shall not use enhanced coverage in the registered
PLMN and in any PLMN which is in the list of equivalent PLMNs.

If the UE supports CE mode B and the network determines that

- the use of enhanced coverage is not restricted for the UE; or

- CE mode B is not restricted for the UE;

the applicable NAS timer values shall be calculated by the network as described
in subclause 4.8.

5.3.17 Service Gap Control

The network may control the frequency UEs can transit from EMM-IDLE mode to
EMM-CONNECTED mode via the service gap control (SGC) as specified in 3GPP TS
23.401 [10]. If the network supports service gap control (SGC) feature and the
service gap time value is available in the EMM context of the UE, the MME shall
consider SGC as active for the UE.

The UE and the network negotiate usage of the service gap control (SGC) feature
during the attach and tracking area updating procedures:

- the UE supporting service gap control indicates its support for service gap
control in the ATTACH REQUEST and TRACKING AREA UPDATE REQUEST message. If the
UE supports service gap control and the the SGC is active for the UE, the MME
shall include service gap timer T3447 value in the ATTACH ACCEPT message and
TRACKING AREA UPDATE ACCEPT message (see subclause 5.5.1.2 and subclause
5.5.3.2). The UE shall store the service gap time value; and

- for UEs that do not support the optional SGC feature when the network rejects
mobility management signalling requests due to service gap control is active in
the network, the mechanism for general NAS level mobility management congestion
control as specified in subclause 5.3.9 applies.

The UE shall start the SGC timer T3447 when the NAS signalling connection is
released and if:

- the UE supports SGC feature, and the service gap timer value is available in
the UE and does not indicate zero; and

- the NAS signalling connection released was not established for:

- paging;

- attach requests without PDN connection request; or

- tracking area update requests without “active” or “signalling active” flag
set.

If the SGC is active in the network, after the UE transitions from EMM-CONNECTED
mode to EMM-IDLE mode except when the UE was in EMM-CONNECTED mode due to:

- paging;

- attach requests without PDN connection request; or

- tracking area update requests without “active” or “signalling active” flag
set,

the network shall start the SGC timer T3447:

- with the service gap time value available in the EMM context minus 4 minutes,
if the UE supports SGC feature and the service gap time value has been sent to
the UE with a non-zero value; or

- with the service gap time value available in the EMM context if the UE does
not support SGC feature.

When the SGC timer T3447 is running, the network allows:

- requests for emergency bearer services;

- requests for exception data reporting;- attach requests without PDN connection
request;

- tracking area update requests without “active” or “signalling active” flag
set;

- requests from UEs that were received via NAS signalling connections
established with RRC establishment cause “High priority access AC 11 – 15”; and

- mobile terminated service requests triggered by paging and subsequent MO
signalling or MO data, if any, until the UE enters EMM-IDLE mode.

If the MME determines that the UE operating in single-registration mode has
performed an inter-system change from S1 mode to N1 mode and the timer T3447 is
running in the MME, the MME stops the T3447.

Upon inter-system change from N1 mode to S1 mode, if the UE supports service gap
control, T3447 is running in the UE, and the T3447 value is included in the
ATTACH ACCEPT message or TRACKING AREA UPDATE ACCEPT message received from the
MME (see subclause 5.5.1.2 and subclause 5.5.3.2), the UE shall keep T3447
running. Additionally, the UE shall store and replace the currently stored T3447
value with the received T3447 value. Upon expiry of the running T3447 timer, the
UE shall use the new value when starting T3447 again.

The UE or the network with a running service gap timer shall keep the timer
running when the UE transits from EMM-IDLE mode to EMM-CONNECTED mode.

NOTE: If the UE transitions from EMM-IDLE mode to EMM-CONNECTED mode due to
attach request without PDN connection request or tracking area update request
without “active” or “signalling active” flag set, the UE initiates no further MO
signalling except for tracking area update request without “active” or
“signalling active” flag set until the UE receives network-initiated signalling
(e.g. DOWNLINK NAS TRANSPORT message for MT SMS) or MT data over user plane, or
after the UE has moved to EMM-IDLE state and the service gap timer is not
running.

If the timer T3447 is running when the UE enters state EMM-DEREGISTERED, the UE
remains switched on, and the USIM in the UE remains the same, then timer T3447
is kept running until it expires.

If the UE is switched off when the timer T3447 is running, the UE shall behave
as follows when the UE is switched on and the USIM in the UE remains the same:

- let t1 be the time remaining for T3447 timeout at switch off and let t be the
time elapsed between switch off and switch on. If t1 is greater than t, then the
timer shall be restarted with the value t1 – t. If t1 is equal to or less than
t, then the timer need not be restarted. If the UE is not capable of determining
t, then the UE shall restart the timer with the value t1.

5.3.18 Restricted local operator services

Restricted local operator services (RLOS) is an optional feature that enables
operators to offer access to restricted local operator services to the
unauthenticated UEs in limited service state (see 3GPP TS 23.401 [10]).
Authenticated UEs in limited service state may also be able to access restricted
local operator services. The UE requests access to RLOS during the attach
procedure by setting the attach type to “EPS RLOS attach” in the ATTACH REQUEST
message. Subject to regulation and local operator policy, if the MME is
configured to support access to RLOS, the MME accepts the UE’s attach request
regardless of the authentication result or skips the authentication procedure.

When the UE requests the lower layer to establish an RRC connection for access
to RLOS, the UE indicates in the RRC signalling that the RRC connection is for
access to RLOS to the lower layers.

Broadcast system information may provide information about support of access to
RLOS (see 3GPP TS 36.331 [22]). At reception of new broadcast system
information, the lower layers deliver it to the EMM layer in the UE. The
information provided by lower layers is per PLMN and used by the UE to determine
the PLMN is configured to support access to RLOS. The UE shall not attempt to
request access to RLOS if the serving PLMN does not support access to RLOS. If
the serving PLMN supports access to RLOS and the UE is in limited service state,
the UE shall verify that the MCC of the PLMN ID of the serving PLMN is present
in the list of access to RLOS allowed MCCs configured in the UE before
requesting access to RLOS. If the UE has a valid USIM, the UE shall additionally
verify that the MCC part of the IMSI configured in the USIM is present in the
list of RLOS allowed MCCs before requesting access to RLOS.

NOTE: Only authorized applications on the UE are allowed to trigger the
initiation of RLOS connection (see 3GPP TS 33.401 [19]).

For UE attached for access to RLOS, only UE originated access to RLOS requests
are supported. Mobile terminated access to RLOS request and network triggered
service request are not allowed. The UE is not allowed to initiate UE requested
PDN connectivity for any additional PDN connection. In addition, intersystem
change to other RAT including GERAN and UTRAN and handover between 3GPP and
non-3GPP accesses are not supported.

Access to RLOS is applicable to the UEs in WB-S1 mode only. The UEs in NB-S1
mode shall not request access to RLOS.

Location service does not apply to access to RLOS.

If a UE attached for access to RLOS needs to initiate an emergency call, the UE
shall first perform a local detach prior to initiating an attach procedure for
emergency bearer services.

5.3.19 Core Network selection and redirection for UEs using CIoT optimizations

5.3.19.1 Core network selection

A UE that supports CIoT optimizations performs core network selection as
specified in subclause 4.8.4A.1 of 3GPP TS 24.501 [54].

5.3.19.2 Redirection of the UE by the core network

The network that supports CIoT optimizations can redirect a UE between EPC and
5GCN as specified in subclause 5.31.3 of 3GPP TS 23.501 [58]. The network can
take into account the UE’s N1 mode capability or S1 mode capability, the CIoT
network behaviour supported and preferred by the UE or the CIoT network
behaviour supported by the network to determine the redirection.

NOTE: It is assumed that the network would avoid redirecting the UE back and
forth between EPC and 5GCN.

The network redirects the UE to 5GCN by rejecting the attach request, or
tracking area update request, or service request with the EMM cause #31
“Redirection to 5GCN required” as specified in subclause 5.5.1.2.5, 5.5.1.3.5,
5.5.3.2.5, 5.5.3.3.5 and 5.6.1.5. Upon receipt of reject message, the UE
disables the E-UTRA capability as specified in subclause 4.5 and enables the N1
mode capability if it was disabled in order to move to 5GCN.

The network that supports CIoT optimizations can also redirect a UE from 5GCN to
EPC as specified in subclause 4.8.4A.2 of 3GPP TS 24.501 [54].

5.3.20 UE radio capability signalling optimisation

UE radio capability signalling optimisation (RACS) is a feature that is optional
at both the UE and the network and which aims to optimise the transmission of UE
radio capability over the radio interface (see 3GPP TS 23.401 [10]). RACS works
by assigning an identifier to represent a set of UE radio capabilities. This
identifier is called the UE radio capability ID. A UE radio capability ID can be
either manufacturer-assigned or network-assigned. The UE radio capability ID is
an alternative to the signalling of the radio capabilities container over the
radio interface.

In this release of the specification, RACS is not applicable to NB-S1 mode.

If the UE supports RACS:

- the UE shall indicate support for RACS by setting the RACS bit to “RACS
supported” in the UE network capability IE of the ATTACH REQUEST and TRACKING
AREA UPDATE REQUEST messages;

- if the UE performs an attach procedure and the UE has an applicable UE radio
capability ID for the current UE radio configuration in the selected network,
the UE shall include the UE radio capability ID availability IE in the ATTACH
REQUEST message and set the IE to “UE radio capability ID available”;

- if the UE performs a tracking area updating procedure and the UE has an
applicable UE radio capability ID for the current UE radio configuration in the
selected network, the UE shall include the UE radio capability ID availability
IE in the TRACKING AREA UPDATE REQUEST message and set the IE to “UE radio
capability ID available”;

- If the UE is requested to provide its UE radio capability ID by the network
during a security mode control procedure, the UE shall include its UE radio
capability ID in the UE radio capability ID IE of the SECURITY MODE COMPLETE
message. If both a network-assigned UE radio capability ID and a
manufacturer-assigned UE radio capability ID are applicable, the UE shall
include the network-assigned UE radio capability ID in the SECURITY MODE
COMPLETE message;

- if the radio configuration at the UE changes (for instance because the UE has
disabled a specific radio capability) then:

a) if the UE has an applicable UE radio capability ID for the new UE radio
configuration, the UE shall initiate a tracking area updating procedure, include
a UE radio capability information update needed IE in the TRACKING AREA UPDATE
REQUEST message and include a UE radio capability ID availability IE set to “UE
radio capability ID available” in the TRACKING AREA UPDATE REQUEST message. If
both a network-assigned UE radio capability ID and a manufacturer-assigned UE
Radio Capability ID are applicable, the UE shall include the network-assigned UE
radio capability ID in the TRACKING AREA UPDATE REQUEST message; and

b) if the UE does not have an applicable UE radio capability ID for the new UE
radio configuration, the UE shall initiate a tracking area updating procedure
and shall include a UE radio capability information update needed IE in the
TRACKING AREA UPDATE REQUEST message;

NOTE: Performing the tracking area updating procedure with the UE radio
capability information update needed IE included in the TRACKING AREA UPDATE
REQUEST message and without the UE radio capability ID availability IE set to
“UE radio capability ID available” in the TRACKING AREA UPDATE REQUEST message
as specified in b) above can trigger the network to assign a new UE radio
capability ID to the UE.

- upon receiving a network-assigned UE radio capability ID in the ATTACH ACCEPT
message or the TRACKING AREA UPDATE ACCEPT message, the UE shall store the
network-assigned UE radio capability ID and the PLMN ID of the serving network
along with a mapping to the current UE radio configuration in its non-volatile
memory as specified in annex C. The UE shall be able to store at least the last
16 received network-assigned UE radio capability IDs with the associated PLMN ID
and the mapping to the corresponding UE radio configuration;

- the UE shall not use a network-assigned UE radio capability ID in PLMNs
equivalent to the PLMN which assigned it; and

- upon receiving a UE radio capability ID deletion indication IE set to “delete
network-assigned UE radio capability IDs” in the ATTACH ACCEPT message or the
TRACKING AREA UPDATE ACCEPT message, the UE shall delete all network-assigned UE
radio capability IDs stored at the UE for the serving network and initiate a
tracking area updating procedure. If the UE has an applicable
manufacturer-assigned UE radio capability ID for the current UE radio
configuration in the selected network, the UE shall include a UE radio
capability ID availability IE set to “UE radio capability ID available” in the
TRACKING AREA UPDATE REQUEST message.

If the network supports RACS:

- if the UE has included the UE radio capability ID availability IE in the
ATTACH REQUEST message and set the IE to “UE radio capability ID available”, the
network shall initiate a security mode control procedure to retrieve the UE
radio capability ID from the UE;

- if the UE has included the UE radio capability ID availability IE in the
TRACKING AREA UPDATE REQUEST message and set the IE to “UE radio capability ID
available”, the network may initiate a security mode control procedure to
retrieve the UE radio capability ID from the UE;

- if the UE has included the UE radio capability ID availability IE in the
TRACKING AREA UPDATE REQUEST message, set the URCIDA bit to “UE radio capability
ID available” in the UE radio capability ID availability IE and no UE radio
capability ID is available in the UE context in the MME, the network shall
initiate a security mode control procedure to retrieve the UE radio capability
ID from the UE;

- the network may assign a network-assigned UE radio capability ID to a UE which
supports RACS by including a UE radio capability ID IE in the ATTACH ACCEPT
message, in the TRACKING AREA UPDATE ACCEPT message or in the GUTI REALLOCATION
COMMAND message; and

- the network may trigger the UE to delete all network-assigned UE radio
capability IDs stored at the UE for the serving network by including a UE radio
capability ID deletion indication IE set to “delete network-assigned UE radio
capability IDs” in the ATTACH ACCEPT message, in the TRACKING AREA UPDATE ACCEPT
message or in the GUTI REALLOCATION COMMAND message.

5.3.21 Wake-up signal assistance

A UE supporting wake-up signal (WUS) assistance can indicate its WUS assistance
capability during attach or tracking area updating procedure (see 3GPP TS 23.401
[10]). The UE supporting WUS assistance may include its UE paging probability
information in the Requested WUS assistance information IEduring an attach or
tracking area updating procedure (see 3GPP TS 23.401 [10]). The UE shall not
include its UE paging probability information during:

- an attach for emergency bearer services procedure; or

- a tracking area updating procedure for the UE attached for emergency bearer
services.

The UE is not attached for emergency bearer services and the network may
negotiate the UE paging probability information during an attach or tracking
area updating procedure when the UE is not attached for emergency bearer
services. The UE paging probability information is an assistance information
used to determine the WUS group for paging UE (see 3GPP TS 23.401 [10], 3GPP TS
36.300 [20]).

NOTE: The determination of UE paging probability information is up to UE
implementation.

If the UE is not attached for emergency bearer services and the network accepts
the use of the WUS assistance for the UE, the network determines the negotiated
UE paging probability information for the UE based on the requested UE paging
probability information, if any, local configuration or previous statistical
information for the UE, and then indicates the negotiated UE paging probability
information in the Negotiated WUS assistance information IE to the UE when
accepting the attach or the tracking area updating procedure. The network shall
store the negotiated UE paging probability information in the EMM context of the
UE for paging.

The UE shall use WUS assistance only if it received the Negotiated WUS
assistance information IE during the last attach or tracking area updating
procedure. If the UE did not receive the Negotiated WUS assistance information
IE during the last attach or tracking area updating procedure, the UE shall not
use WUS assistance.

If the network did not accept the request to use WUS assistance, the network
shall delete the stored negotiated UE paging probability information for the UE,
if available.

When a PDN connection for emergency bearer service is successfully established
after the UE received the Negotiated WUS assistance information IE during the
last attach or tracking area updating procedure, the UE and the network shall
not use WUS assistance information until:

- the successful completion of the PDN disconnect procedure of the PDN
connection for emergency bearer services or EPS bearer context deactivation
procedure of the EPS bearer context for emergency, or

- the UE receives WUS assistance information during a tracking area updating
procedure with EPS bearer context synchronization or upon successful completion
of a service request procedure, if the UE or the network locally releases the
PDN connection for emergency bearer service.

5.4 EMM common procedures

5.4.1 GUTI reallocation procedure

5.4.1.1 General

The purpose of the GUTI reallocation procedure is to allocate a GUTI and
optionally to provide one or more of the following to a particular UE:

- a new TAI list;

- a new DCN-ID; and

- in WB-S1 mode, if the UE supports RACS, either a UE radio capability ID
deletion indication or a UE radio capability ID.

The reallocation of a GUTI is performed by the unique procedure defined in this
subclause. This procedure can only be initiated by the MME in state
EMM-REGISTERED.

The GUTI can also be implicitly reallocated at attach or tracking area updating
procedures. The implicit reallocation of a GUTI is described in the subclauses
which specify these procedures (see subclause 5.5.1 and 5.5.3).

The PLMN identity in the GUTI indicates the current registered PLMN.

NOTE 1: The GUTI reallocation procedure is usually performed in ciphered mode.

NOTE 2: Normally, the GUTI reallocation will take place in conjunction with
another mobility management procedure, e.g. as part of tracking area updating.

5.4.1.2 GUTI reallocation initiation by the network

The MME shall initiate the GUTI reallocation procedure by sending a GUTI
REALLOCATION COMMAND message to the UE and starting the timer T3450 (see example
in figure 5.4.1.2.1).

The GUTI REALLOCATION COMMAND message shall include a GUTI and may include one
or more of the following:

- a TAI list;

- a DCN-ID; and

- in WB-S1 mode, if the UE supports RACS, either a UE radio capability ID
deletion indication or a UE radio capability ID.

Figure 5.4.1.2.1: GUTI reallocation procedure

5.4.1.3 GUTI reallocation completion by the UE

Upon receipt of the GUTI REALLOCATION COMMAND message, the UE shall:

- store the GUTI;

- store the TAI list, if provided;

- store the DCN-ID, if provided;

- in WB-S1 mode, if the UE supports RACS and the GUTI REALLOCATION COMMAND
message includes:

a) a UE radio capability ID deletion indication IE set to “Network-assigned UE
radio capability IDs deletion requested”, delete any network-assigned UE radio
capability IDs associated with the registered PLMN stored at the UE, then the UE
shall, after the completion of the ongoing GUTI reallocation procedure, initiate
a tracking area updating procedure as specified in subclause 5.5.3. If the UE
has an applicable manufacturer-assigned UE radio capability ID for the current
UE radio configuration, the UE shall include the UE radio capability ID
availability IE set to “UE radio capability ID available” in the TRACKING AREA
UPDATE REQUEST message; and

b) a UE radio capability ID IE, store the UE radio capability ID as specified in
annex C; and

- send a GUTI REALLOCATION COMPLETE message to the MME.

The UE considers the new GUTI as valid and the old GUTI as invalid. If the UE
receives a new TAI list in the GUTI REALLOCATION COMMAND message, the UE shall
consider the new TAI list as valid and the old TAI list as invalid; otherwise,
the UE shall consider the old TAI list as valid.

If the GUTI REALLOCATION COMMAND message contains the DCN-ID IE, then the UE
shall store the included DCN-ID value together with the PLMN code of the
registered PLMN in a DCN-ID list in a non-volatile memory in the ME as specified
in annex C.

5.4.1.4 GUTI reallocation completion by the network

Upon receipt of the GUTI REALLOCATION COMPLETE message, the MME shall stop the
timer T3450 and consider the new GUTI as valid and the old GUTI as invalid. If a
new TAI list is provided in the GUTI REALLOCATION COMMAND message, the MME shall
consider the new TAI list as valid and the old TAI list as invalid.

5.4.1.5 Abnormal cases in the UE

The following abnormal cases can be identified:

a) Transmission failure of GUTI REALLOCATION COMPLETE message indication with
TAI change from lower layers

If the current TAI is not in the TAI list, the GUTI reallocation procedure shall
be aborted and a tracking area updating procedure shall be initiated.

If the current TAI is still part of the TAI list, it is up to the UE
implementation how to re-run the ongoing procedure that triggered the GUTI
reallocation procedure.

b) Transmission failure of GUTI REALLOCATION COMPLETE message indication without
TAI change from lower layers

It is up to the UE implementation how to re-run the ongoing procedure that
triggered the GUTI reallocation procedure.

5.4.1.6 Abnormal cases on the network side

The following abnormal cases can be identified:

a) Lower layer failure

If a lower layer failure is detected before the GUTI REALLOCATION COMPLETE
message is received, the old and the new GUTI shall be considered as valid until
the old GUTI can be considered as invalid by the network. If a new TAI list was
provided in the GUTI REALLOCATION COMMAND message, the old and new TAI list
shall also be considered as valid until the old TAI list can be considered as
invalid by the network.

During this period the network:

- may first use the old S-TMSI from the old GUTI for paging within the area
defined by the old TAI list for an implementation dependent number of paging
attempts for network originated transactions. If a new TAI list was provided
with old GUTI in the GUTI REALLOCATION COMMAND message, the new TAI list should
also be used for paging. Upon response from the UE, the network may re-initiate
the GUTI reallocation. If the response is received from a tracking area within
the old and new TAI list, the network shall re-initiate the GUTI reallocation.
If no response is received to the paging attempts, the network may use the new
S-TMSI from the new GUTI for paging for an implementation dependent number of
paging attempts. In this case, if a new TAI list was provided with new GUTI in
the GUTI REALLOCAITON COMMAND message, the new TAI list shall be used instead of
the old TAI list. Upon response from the UE the network shall consider the new
GUTI as valid and the old GUTI as invalid. If no response is received to the
paging attempts, the network may use the IMSI for paging for an implementation
dependent number of paging attempts;

NOTE 1: Paging with IMSI causes the UE to re-attach as described in subclause
5.6.2.2.2.

- shall consider the new GUTI as valid if it is used by the UE and,
additionally, the new TAI list as valid if it was provided with this GUTI in the
GUTI REALLOCATION COMMAND message;

- may use the identification procedure followed by a new GUTI reallocation if
the UE uses the old GUTI; and

- if the network accepted to use eDRX for the UE, may determine the next paging
window from both old GUTI and new GUTI, and may first use the S-TMSI from the
GUTI which led the first eDRX for paging. If no response is received to the
paging attempts for the first eDRX, the network may use the other S-TMSI from
the other GUTI which led the second eDRX for paging. For this paging procedure,
the network shall start timer T3415 long enough to care the paging attempts for
both eDRXs.

NOTE 2: If the second eDRX comes during the first eDRX ongoing, the paging
attempts for the second eDRX can be initiated with stopping further paging
attempts for the first eDRX.

b) Expiry of timer T3450

The GUTI reallocation procedure is supervised by the timer T3450. The network
shall, on the first expiry of timer T3450, reset and restart timer T3450 and
shall retransmit the GUTI REALLOCATION COMMAND. This retransmission is repeated
four times, i.e. on the fifth expiry of timer T3450, the network shall abort the
reallocation procedure and shall follow the rules described for case a above.

c) GUTI reallocation and attach procedure collision

If the network receives an ATTACH REQUEST message before the ongoing GUTI
reallocation procedure has been completed the network shall proceed with the
attach procedure after deletion of the EMM context.

d) GUTI reallocation and UE initiated detach procedure collision

If the network receives a DETACH REQUEST message before the ongoing GUTI
reallocation procedure has been completed, the network shall abort the GUTI
reallocation procedure and shall progress the detach procedure.

e) GUTI reallocation and tracking area updating procedure collision

If the network receives a TRACKING AREA UPDATE REQUEST message before the
ongoing GUTI reallocation procedure has been completed, the network shall abort
the GUTI reallocation procedure and shall progress the tracking area updating
procedure. The network may then perform a new GUTI reallocation.

f) GUTI reallocation and service request procedure collision

If the network receives an EXTENDED SERVICE REQUEST message for CS fallback or
1xCS fallback before the ongoing GUTI reallocation procedure has been completed,
the network shall progress both procedures.

g) Lower layer indication of non-delivered NAS PDU due to handover

If the GUTI REALLOCATION COMMAND message could not be delivered due to an intra
MME handover and the target TA is included in the TAI list, then upon successful
completion of the intra MME handover the MME shall retransmit the GUTI
REALLOCATION COMMAND message. If a failure of the handover procedure is reported
by the lower layer and the S1 signalling connection exists, the MME shall
retransmit the GUTI REALLOCATION COMMAND message.

If there is a different new GUTI and optionally a new TAI list included in a
subsequent GUTI REALLOCATION COMMAND message, the UE always regards the newest
GUTI and the newest TAI list as valid for the recovery time.

5.4.2 Authentication procedure

5.4.2.1 General

The purpose of the EPS authentication and key agreement (AKA) procedure is to
provide mutual authentication between the user and the network and to agree on a
key KASME (see 3GPP TS 33.401 [19]). The cases when the EPS AKA procedure should
be used are defined in 3GPP TS 33.401 [19].

The EPS AKA procedure is always initiated and controlled by the network.
However, the UE can reject the EPS authentication challenge sent by the network.

The UE shall proceed with an EPS authentication challenge only if a USIM is
present.

A partial native EPS security context is established in the UE and the network
when an EPS authentication is successfully performed. During a successful EPS
authentication procedure, the CK and IK are computed by the USIM. CK and IK are
then used by the ME as key material to compute a new key, KASME. KASME is stored
in the EPS security contexts (see 3GPP TS 33.401 [19]) of both the network and
in the volatile memory of the ME while attached to the network, and is the root
for the EPS integrity protection and ciphering key hierarchy.

5.4.2.2 Authentication initiation by the network

When a NAS signalling connection exists, the network can initiate an
authentication procedure at any time. For restrictions applicable after handover
or inter-system handover to S1 mode see subclause 5.5.3.2.3.

The network initiates the authentication procedure by sending an AUTHENTICATION
REQUEST message to the UE and starting the timer T3460 (see example in figure
5.4.2.2.1). The AUTHENTICATION REQUEST message contains the parameters necessary
to calculate the authentication response (see 3GPP TS 33.401 [19]).

If an eKSI is contained in an initial NAS message during an EMM procedure, the
network shall include a different eKSI value in the AUTHENTICATION REQUEST
message when it initiates an authentication procedure.

Figure 5.4.2.2.1: Authentication procedure

5.4.2.3 Authentication response by the UE

The UE shall respond to an AUTHENTICATION REQUEST message. With the exception of
the cases described in subclauses 5.4.2.6 and 5.4.2.7 case k, the UE shall
process the authentication challenge data and respond with an AUTHENTICATION
RESPONSE message to the network.

Upon a successful EPS authentication challenge, the UE shall determine the PLMN
identity to be used for the calculation of the new KASME from the authentication
challenge data according to the following rules:

a) When the UE moves from EMM-IDLE mode to EMM-CONNECTED mode, until the first
handover, the UE shall use the PLMN identity of the selected PLMN; and

b) After handover or inter-system handover to S1 mode,

- if the target cell is not a shared network cell, the UE shall use the PLMN
identity received as part of the broadcast system information;

- if the target cell is a shared network cell and the UE has a valid GUTI, the
UE shall use the PLMN identity that is part of the GUTI; and

- if the target cell is a shared network cell, the UE does not have a valid GUTI
and,

- the EPS authentication challenge is performed after inter-system handover from
A/Gb mode to S1 mode or from Iu mode to S1 mode and the UE has a valid P-TMSI
and RAI, the UE shall use the PLMN identity that is part of the RAI; or

- the EPS authentication challenge is performed after inter-system handover from
N1 mode to S1 mode and the UE has a valid 5G-GUTI, the UE shall use the PLMN
identity that is part of the 5G-GUTI.

Upon a successful EPS authentication challenge, the new KASME calculated from
the authentication challenge data shall be stored in a new EPS security context
in the volatile memory of the ME.

The USIM will compute the authentication response (RES) using the authentication
challenge data received from the ME, and pass RES to the ME.

In order to avoid a synchronisation failure, when the UE receives an
AUTHENTICATION REQUEST message, the UE shall store the received RAND together
with the RES returned from the USIM in the volatile memory of the ME. When the
UE receives a subsequent AUTHENTICATION REQUEST message, if the stored RAND
value is equal to the new received value in the AUTHENTICATION REQUEST message,
then the ME shall not pass the RAND to the USIM, but shall send the
AUTHENTICATION RESPONSE message with the stored RES. If there is no valid stored
RAND in the ME or the stored RAND is different from the new received value in
the AUTHENTICATION REQUEST message, the ME shall pass the RAND to the USIM,
shall override any previously stored RAND and RES with the new ones and start,
or reset and restart timer T3416.

The RAND and RES values stored in the ME shall be deleted and timer T3416, if
running, shall be stopped:

- upon receipt of a

- SECURITY MODE COMMAND,

- SERVICE REJECT,

- SERVICE ACCEPT,

- TRACKING AREA UPDATE REJECT,

- TRACKING AREA UPDATE ACCEPT, or

- AUTHENTICATION REJECT message;

- upon expiry of timer T3416;

- if the UE enters the EMM state EMM-DEREGISTERED or EMM-NULL; or

- if the UE enters EMM-IDLE mode.

5.4.2.4 Authentication completion by the network

Upon receipt of an AUTHENTICATION RESPONSE message, the network stops the timer
T3460 and checks the correctness of RES (see 3GPP TS 33.401 [19]).

If the authentication procedure has been completed successfully and the related
eKSI is stored in the EPS security context of the network, the network shall
include a different eKSI value in the AUTHENTICATION REQUEST message when it
initiates a new authentication procedure.

Upon receipt of an AUTHENTICATION FAILURE message, the network stops the timer
T3460. In the case where the EMM cause #21 “synch failure” is received, the
core network may renegotiate with the HSS/AuC and provide the UE with new
authentication parameters.

5.4.2.5 Authentication not accepted by the network

If the authentication response (RES) returned by the UE is not valid, the
network response depends upon the type of identity used by the UE in the initial
NAS message, that is:

- if the GUTI was used; or

- if the IMSI was used.

If the GUTI was used, the network should initiate an identification procedure.
If the IMSI given by the UE during the identification procedure differs from the
IMSI the network had associated with the GUTI, the authentication should be
restarted with the correct parameters. Otherwise, if the IMSI provided by the UE
is the same as the IMSI stored in the network (i.e. authentication has really
failed), the network should send an AUTHENTICATION REJECT message to the UE.

If the IMSI was used for identification in the initial NAS message, or the
network decides not to initiate the identification procedure after an
unsuccessful authentication procedure, the network should send an AUTHENTICATION
REJECT message to the UE.

Upon receipt of an AUTHENTICATION REJECT message,

a) if the message has been successfully integrity checked by the NAS, the UE
shall set the update status to EU3 ROAMING NOT ALLOWED, delete the stored GUTI,
TAI list, last visited registered TAI and KSIASME. The USIM shall be considered
invalid until switching off the UE or the UICC containing the USIM is removed.
If the UE maintains a counter for “SIM/USIM considered invalid for GPRS
services”, then the UE shall set this counter to UE implementation-specific
maximum value. If the UE maintains a counter for “SIM/USIM considered invalid
for non-GPRS services”, then the UE shall set this counter to UE
implementation-specific maximum value.

If A/Gb or Iu mode is supported by the UE, the UE shall in addition handle the
GMM parameters GMM state, GPRS update status, P-TMSI, P-TMSI signature, RAI and
GPRS ciphering key sequence number and the MM parameters update status, TMSI,
LAI and ciphering key sequence number as specified in 3GPP TS 24.008 [13] for
the case when the authentication and ciphering procedure is not accepted by the
network; and

b) if the message is received without integrity protection, the UE shall start
timer T3247 (see 3GPP TS 24.008 [13]) with a random value uniformly drawn from
the range between 30 minutes and 60 minutes, if the timer is not running (see
subclause 5.3.7b). Additionally, the UE shall:

- if the UE maintains a counter for “SIM/USIM considered invalid for GPRS
services” events and the counter has a value less than a UE
implementation-specific maximum value, proceed as specified in subclause 5.3.7b,
list item 1a for the case that the EMM cause value received is #3; and

- otherwise proceed as specified under list item a above for the case that the
message has been successfully integrity checked.

If the AUTHENTICATION REJECT message is received by the UE, the UE shall abort
any EMM signalling procedure, stop any of the retransmission timers that are
running (e.g. T3410, T3416, T3417, T3430, T3421, T3418 or T3420) and enter state
EMM-DEREGISTERED.

Depending on local requirements or operator preference for emergency bearer
services, if the UE has a PDN connection for emergency bearer services
established or is establishing a PDN connection for emergency bearer services,
the MME need not follow the procedures specified for the authentication failure
in the present subclause. The MME may continue a current EMM specific procedure
or PDN connectivity request procedure. Upon completion of the authentication
procedure, if not initiated as part of another procedure, or upon completion of
the EMM procedure or PDN connectivity request procedure, the MME shall
deactivate all non-emergency EPS bearers, if any, by initiating an EPS bearer
context deactivation procedure. The network shall consider the UE to be attached
for emergency bearer services only.

Depending on local regulation and operator policy, if the UE is requesting
attach for access to RLOS, the MME need not follow the procedures specified for
the authentication failure in the present subclause. The MME may continue a
current EMM specific procedure.

5.4.2.6 Authentication not accepted by the UE

In an EPS authentication challenge, the UE shall check the authenticity of the
core network by means of the AUTN parameter received in the AUTHENTICATION
REQUEST message. This enables the UE to detect a false network.

During an EPS authentication procedure, the UE may reject the core network due
to an incorrect AUTN parameter (see 3GPP TS 33.401 [19]). This parameter
contains three possible causes for authentication failure:

a) MAC code failure:

If the UE finds the MAC code (supplied by the core network in the AUTN
parameter) to be invalid, the UE shall send an AUTHENTICATION FAILURE message to
the network, with the EMM cause #20 “MAC failure”. The UE shall then follow the
procedure described in subclause 5.4.2.7, item c.

b) Non-EPS authentication unacceptable:

If the UE finds that the “separation bit” in the AMF field of AUTN supplied by
the core network is 0, the UE shall send an AUTHENTICATION FAILURE message to
the network, with the EMM cause #26 “non-EPS authentication unacceptable” (see
subclause 6.1.1 in 3GPP TS 33.401 [19]). The UE shall then follow the procedure
described in subclause 5.4.2.7, item d.

c) SQN failure:

If the UE finds the SQN (supplied by the core network in the AUTN parameter) to
be out of range, the UE shall send an AUTHENTICATION FAILURE message to the
network, with the EMM cause #21 “synch failure” and a re-synchronization token
AUTS provided by the USIM (see 3GPP TS 33.102 [18]). The UE shall then follow
the procedure described in subclause 5.4.2.7, item e.

If the UE returns an AUTHENTICATION FAILURE message to the network, the UE shall
delete any previously stored RAND and RES and shall stop timer T3416, if
running.

If the UE has a PDN connection for emergency bearer services established or is
establishing such a PDN connection, additional UE requirements are specified in
subclause 5.4.2.7, under “for items c, d, e”.

If the UE is attached for access to RLOS and has a PDN connection for RLOS
established or is establishing such a PDN connection, additional UE requirements
are specified in subclause 5.4.2.7, under “for items c, d, e”.

5.4.2.7 Abnormal cases

a) Lower layer failure:

Upon detection of lower layer failure before the AUTHENTICATION RESPONSE message
is received, the network shall abort the procedure.

b) Expiry of timer T3460:

The network shall, on the first expiry of the timer T3460, retransmit the
AUTHENTICATION REQUEST message and shall reset and start timer T3460. This
retransmission is repeated four times, i.e. on the fifth expiry of timer T3460,
the network shall abort the authentication procedure and any ongoing EMM
specific procedure and release the NAS signalling connection.

c) Authentication failure (EMM cause #20 “MAC failure”):

The UE shall send an AUTHENTICATION FAILURE message, with EMM cause #20 “MAC
failure” according to subclause 5.4.2.6, to the network and start timer T3418
(see example in figure 5.4.2.7.1). Furthermore, the UE shall stop any of the
retransmission timers that are running (e.g. T3410, T3417, T3421 or T3430). Upon
the first receipt of an AUTHENTICATION FAILURE message from the UE with EMM
cause #20 “MAC failure”, the network may initiate the identification procedure
described in subclause 5.4.4. This is to allow the network to obtain the IMSI
from the UE. The network may then check that the GUTI originally used in the
authentication challenge corresponded to the correct IMSI. Upon receipt of the
IDENTITY REQUEST message from the network, the UE shall send the IDENTITY
RESPONSE message.

NOTE 1: Upon receipt of an AUTHENTICATION FAILURE message from the UE with EMM
cause #20 “MAC failure”, the network may also terminate the authentication
procedure (see subclause 5.4.2.5).

If the GUTI/IMSI mapping in the network was incorrect, the network should
respond by sending a new AUTHENTICATION REQUEST message to the UE. Upon
receiving the new AUTHENTICATION REQUEST message from the network, the UE shall
stop the timer T3418, if running, and then process the challenge information as
normal. If the GUTI/IMSI mapping in the network was correct, the network should
terminate the authentication procedure by sending an AUTHENTICATION REJECT
message (see subclause 5.4.2.5).

If the network is validated successfully (an AUTHENTICATION REQUEST message that
contains a valid SQN and MAC is received), the UE shall send the AUTHENTICATION
RESPONSE message to the network and shall start any retransmission timers (e.g.
T3410, T3417, T3421 or T3430) if they were running and stopped when the UE
received the first failed AUTHENTICATION REQUEST message.

If the UE receives the second AUTHENTICATION REQUEST message while T3418 is
running, and the MAC value cannot be resolved, the UE shall follow the procedure
specified in this subclause, item c, starting again from the beginning, or if
the message contains a UMTS authentication challenge, the UE shall follow the
procedure specified in item d. If the SQN is invalid, the UE shall proceed as
specified in item e.

It can be assumed that the source of the authentication challenge is not genuine
(authentication not accepted by the UE) if any of the following occur:

- the timer T3418 expires;

- the UE detects any combination of the authentication failures: EMM causes #20
“MAC failure”, #21 “synch failure” or #26 “non-EPS authentication
unacceptable”, during three consecutive authentication challenges. The
authentication challenges shall be considered as consecutive only, if the
authentication challenges causing the second and third authentication failure
are received by the UE, while the timer T3418 or T3420 started after the
previous authentication failure is running.

The UE shall stop timer T3418, if the timer is running and the UE enters
EMM-IDLE mode, e.g. upon detection of a lower layer failure, release of the NAS
signalling connection, or as the result of an inter-system handover to A/Gb mode
or Iu mode.

When it has been deemed by the UE that the source of the authentication
challenge is not genuine (i.e. authentication not accepted by the UE), the UE
shall proceed as described in item f.

Figure 5.4.2.7.1: Authentication failure procedure (EMM cause #20 “MAC failure”
or
#26 “non-EPS authentication unacceptable”)

d) Authentication failure (EMM cause #26 “non-EPS authentication
unacceptable”):

The UE shall send an AUTHENTICATION FAILURE message, with EMM cause #26
“non-EPS authentication unacceptable”, to the network and start the timer T3418
(see example in figure 5.4.2.7.1). Furthermore, the UE shall stop any of the
retransmission timers that are running (e.g. T3410, T3417, T3421 or T3430). Upon
the first receipt of an AUTHENTICATION FAILURE message from the UE with EMM
cause #26 “non-EPS authentication unacceptable”, the network may initiate the
identification procedure described in subclause 5.4.4. This is to allow the
network to obtain the IMSI from the UE. The network may then check that the GUTI
originally used in the authentication challenge corresponded to the correct
IMSI. Upon receipt of the IDENTITY REQUEST message from the network, the UE
shall send the IDENTITY RESPONSE message.

NOTE 2: Upon receipt of an AUTHENTICATION FAILURE message from the UE with EMM
cause #26 “non-EPS authentication unacceptable”, the network may also terminate
the authentication procedure (see subclause 5.4.2.5).

If the GUTI/IMSI mapping in the network was incorrect, the network should
respond by sending a new AUTHENTICATION REQUEST message to the UE. Upon
receiving the new AUTHENTICATION REQUEST message from the network, the UE shall
stop the timer T3418, if running, and then process the challenge information as
normal. If the GUTI/IMSI mapping in the network was correct, the network should
terminate the authentication procedure by sending an AUTHENTICATION REJECT
message (see subclause 5.4.2.5).

It can be assumed that the source of the authentication challenge is not genuine
(authentication not accepted by the UE) if any of the following occur:

- the timer T3418 expires;

- the UE detects any combination of the authentication failures: EMM causes #20
“MAC failure”, #21 “synch failure” or #26 “non-EPS authentication
unacceptable”, during three consecutive authentication challenges. The
authentication challenges shall be considered as consecutive only, if the
authentication challenges causing the second and third authentication failure
are received by the UE, while the timer T3418 or T3420 started after the
previous authentication failure is running.

The UE shall stop timer T3420, if the timer is running and the UE enters
EMM-IDLE mode, e.g. upon detection of a lower layer failure, release of the NAS
signalling connection, or as the result of an inter-system handover to A/Gb mode
or Iu mode.

When it has been deemed by the UE that the source of the authentication
challenge is not genuine (i.e. authentication not accepted by the UE), the UE
shall proceed as described in item f.

e) Authentication failure (EMM cause #21 “synch failure”):

The UE shall send an AUTHENTICATION FAILURE message, with EMM cause #21 “synch
failure”, to the network and start the timer T3420 (see example in figure
5.4.2.7.2). Furthermore, the UE shall stop any of the retransmission timers that
are running (e.g. T3410, T3417, T3421 or T3430). Upon the first receipt of an
AUTHENTICATION FAILURE message from the UE with the EMM cause #21 “synch
failure”, the network shall use the returned AUTS parameter from the
authentication failure parameter IE in the AUTHENTICATION FAILURE message, to
re-synchronise. The re-synchronisation procedure requires the MME to delete all
unused authentication vectors for that IMSI and obtain new vectors from the HSS.
When re-synchronisation is complete, the network shall initiate the
authentication procedure. Upon receipt of the AUTHENTICATION REQUEST message,
the UE shall stop the timer T3420, if running.

NOTE 3: Upon receipt of two consecutive AUTHENTICATION FAILURE messages from the
UE with EMM cause #21 “synch failure”, the network may terminate the
authentication procedure by sending an AUTHENTICATION REJECT message.

If the network is validated successfully (a new AUTHENTICATION REQUEST message
is received which contains a valid SQN and MAC) while T3420 is running, the UE
shall send the AUTHENTICATION RESPONSE message to the network and shall start
any retransmission timers (e.g. T3410, T3417, T3421 or T3430), if they were
running and stopped when the UE received the first failed AUTHENTICATION REQUEST
message.

If the UE receives the second AUTHENTICATION REQUEST message while T3420 is
running, and the MAC value cannot be resolved, the UE shall follow the procedure
specified in item c or if the message contains a UMTS authentication challenge,
the UE shall proceed as specified in item d; if the SQN is invalid, the UE shall
follow the procedure specified in this subclause, item e, starting again from
the beginning.

The UE shall deem that the network has failed the authentication check and
proceed as described in item f if any of the following occurs:

- the timer T3420 expires;

- the UE detects any combination of the authentication failures: EMM cause #20
“MAC failure”, #21 “synch failure”, or #26 “non-EPS authentication
unacceptable”, during three consecutive authentication challenges. The
authentication challenges shall be considered as consecutive only if the
authentication challenges causing the second and third authentication failure
are received by the UE while the timer T3418 or T3420 started after the previous
authentication failure is running.

When it has been deemed by the UE that the source of the authentication
challenge is not genuine (i.e. authentication not accepted by the UE), the UE
shall proceed as described in item f.

Figure 5.4.2.7.2: Authentication failure procedure (EMM cause #21 “synch
failure”)

Upon receipt of an AUTHENTICATION REJECT message, the UE shall perform the
actions as specified in subclause 5.4.2.5.

f) Network failing the authentication check:

If the UE deems that the network has failed the authentication check, then it
shall request RRC to locally release the RRC connection and treat the active
cell as barred (see 3GPP TS 36.304 [21]). The UE shall start any retransmission
timers (e.g. T3410, T3417, T3421 or T3430), if they were running and stopped
when the UE received the first AUTHENTICATION REQUEST message containing an
incorrect authentication challenge data causing the authentication failure.

g) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION
FAILURE message indication from lower layers (if the authentication procedure is
triggered by a tracking area updating procedure)

The UE shall stop any of the timers T3418 and T3420, if running, and re-initiate
the tracking area updating procedure.

h) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION
FAILURE message indication with TAI change from lower layers (if the
authentication procedure is triggered by a service request procedure)

The UE shall stop any of the timers T3418 and T3420, if running.

If the current TAI is not in the TAI list, the authentication procedure shall be
aborted and a tracking area updating procedure shall be initiated.

If the current TAI is still part of the TAI list, it is up to the UE
implementation how to re-run the ongoing procedure that triggered the
authentication procedure.

i) Transmission failure of AUTHENTICATION RESPONSE message or AUTHENTICATION
FAILURE message indication without TAI change from lower layers (if the
authentication procedure is triggered by a service request procedure)

The UE shall stop any of the timers T3418 and T3420, if running. It is up to the
UE implementation how to re-run the ongoing procedure that triggered the
authentication procedure.

j) Lower layers indication of non-delivered NAS PDU due to handover

If the AUTHENTICATION REQUEST message could not be delivered due to an intra MME
handover and the target TA is included in the TAI list, then upon successful
completion of the intra MME handover the MME shall retransmit the AUTHENTICATION
REQUEST message. If a failure of handover procedure is reported by the lower
layer and the S1 signalling connection exists, the MME shall retransmit the
AUTHENTICATION REQUEST message.

k) Change of cell into a new tracking area

If a cell change into a new tracking area that is not in the TAI list occurs
before the AUTHENTICATION RESPONSE message is sent, the UE may discard sending
the AUTHENTICATION RESPONSE message to the network and continue with the
initiation of tracking area updating procedure as described in subclause 5.5.3.

For items c, d, and e:

  1. Depending on local requirements or operator preference for emergency bearer
    services, if the UE has a PDN connection for emergency bearer services
    established or is establishing a PDN connection for emergency bearer services,
    the MME need not follow the procedures specified for the authentication failure
    specified in the present subclause. The MME may respond to the AUTHENTICATION
    FAILURE message by initiating the security mode control procedure selecting the
    “null integrity protection algorithm” EIA0, “null ciphering algorithm” EEA0 or
    may abort the authentication procedure and continue using the current security
    context, if any. The MME shall deactivate all non-emergency EPS bearer contexts,
    if any, by initiating an EPS bearer context deactivation procedure. If there is
    an ongoing PDN connectivity procedure, the MME shall deactivate all
    non-emergency EPS bearer contexts upon completion of the PDN connectivity
    procedure. The network shall consider the UE to be attached for emergency bearer
    services only.

If a UE has a PDN connection for emergency bearer services established or is
establishing a PDN connection for emergency bearer services and sends an
AUTHENTICATION FAILURE message to the MME with the EMM cause appropriate for
these cases (#20, #21, or #26, respectively) and receives the SECURITY MODE
COMMAND message before the timeout of timer T3418 or T3420, the UE shall deem
that the network has passed the authentication check successfully, stop timer
T3418 or T3420, respectively, and execute the security mode control procedure.

If a UE has a PDN connection for emergency bearer services established or is
establishing a PDN connection for emergency bearer services when timer T3418 or
T3420 expires, the UE shall not deem that the network has failed the
authentication check and not behave as described in item f. Instead the UE shall
continue using the current security context, if any, deactivate all
non-emergency EPS bearer contexts, if any, by initiating UE requested PDN
disconnect procedure. If there is an ongoing PDN connectivity procedure, the UE
shall deactivate all non-emergency EPS bearer contexts upon completion of the
PDN connectivity procedure. The UE shall start any retransmission timers (e.g.
T3410, T3417, T3421 or T3430) if:

- they were running and stopped when the UE received the AUTHENTICATION REQUEST
message and detected an authentication failure;

- the procedures associated with these timers have not yet been completed.

The UE shall consider itself to be attached for emergency bearer services only.

  1. Depending on local regulation and operator policy, if the UE has a PDN
    connection for RLOS established or is establishing a PDN connection for RLOS,
    the MME need not follow the procedures specified for the authentication failure
    specified in the present subclause. The MME may respond to the AUTHENTICATION
    FAILURE message by initiating the security mode control procedure selecting the
    “null integrity protection algorithm” EIA0, “null ciphering algorithm” EEA0 or
    may abort the authentication procedure and continue using the current security
    context, if any. The network shall consider the UE to be attached for access to
    RLOS.

If a UE has a PDN connection for RLOS established or is establishing a PDN
connection for RLOS and sends an AUTHENTICATION FAILURE message to the MME with
the EMM cause appropriate for these cases (#20, #21, or #26, respectively)
and receives the SECURITY MODE COMMAND message before the timeout of timer T3418
or T3420, the UE shall deem that the network has passed the authentication check
successfully, stop timer T3418 or T3420, respectively, and execute the security
mode control procedure.

If a UE has a PDN connection for RLOS established or is establishing a PDN
connection for RLOS when timer T3418 or T3420 expires, the UE shall not deem
that the network has failed the authentication check and not behave as described
in item f. Instead the UE shall continue using the current security context, if
any. The UE shall start any retransmission timers (e.g. T3410, T3417, T3421 or
T3430) if:

- they were running and stopped when the UE received the AUTHENTICATION REQUEST
message and detected an authentication failure;

- the procedures associated with these timers have not yet been completed.

The UE shall consider itself to be attached for access to RLOS.

5.4.3 Security mode control procedure

5.4.3.1 General

The purpose of the NAS security mode control procedure is to take an EPS
security context into use, and initialise and start NAS signalling security
between the UE and the MME with the corresponding EPS NAS keys and EPS security
algorithms.

Furthermore, the network may also initiate the security mode control procedure
in the following cases:

- in order to change the NAS security algorithms for a current EPS security
context already in use;

- in order to change the value of uplink NAS COUNT used in the latest SECURITY
MODE COMPLETE message as described in 3GPP TS 33.401 [19], subclause 7.2.9.2;
and

- in order to request the UE radio capability ID from the UE.

For restrictions concerning the concurrent running of a security mode control
procedure with other security related procedures in the AS or inside the core
network see 3GPP TS 33.401 [19], subclause 7.2.10.

5.4.3.2 NAS security mode control initiation by the network

The MME initiates the NAS security mode control procedure by sending a SECURITY
MODE COMMAND message to the UE and starting timer T3460 (see example in figure
5.4.3.2.1).

The MME shall reset the downlink NAS COUNT counter and use it to integrity
protect the initial SECURITY MODE COMMAND message if the security mode control
procedure is initiated:

- to take into use the EPS security context created after a successful execution
of the EPS authentication procedure;

- upon receipt of TRACKING AREA UPDATE REQUEST message including a GPRS
ciphering key sequence number IE, if the MME wishes to create a mapped EPS
security context (i.e. the type of security context flag is set to “mapped
security context” in the NAS key set identifier IE included in the SECURITY MODE
COMMAND message).

The MME shall send the SECURITY MODE COMMAND message unciphered, but shall
integrity protect the message with the NAS integrity key based on KASME or
mapped K’ASME indicated by the eKSI included in the message. The MME shall set
the security header type of the message to “integrity protected with new EPS
security context”.

The MME shall create a locally generated KASME and send the SECURITY MODE
COMMAND message including a KSI value in the NAS key set identifier IE set to
“000” and EIA0 and EEA0 as the selected NAS security algorithms only when the
security mode control procedure is initiated:

- during an attach procedure for emergency bearer services if no shared EPS
security context is available;

- during an attach procedure for access to RLOS if no valid EPS security context
is available;

- during a tracking area updating procedure for a UE that has a PDN connection
for emergency bearer services if no shared EPS security context is available;

- during a tracking area updating procedure for a UE that has a PDN connection
for access to RLOS if no valid EPS security context is available;

- during a service request procedure for a UE that has a PDN connection for
emergency bearer services if no shared EPS security context is available;

- during a service request procedure for a UE that has a PDN connection for
access to RLOS if no valid EPS security context is available;

- after a failed authentication procedure for a UE that has a PDN connection for
emergency bearer services or that is establishing a PDN connection for emergency
bearer services, if continued usage of a shared security context is not
possible; or

- after a failed authentication procedure for a UE that has a PDN connection for
access to RLOS or that is establishing a PDN connection for access to RLOS, if
continued usage of a valid security context is not possible.

The UE shall process a SECURITY MODE COMMAND message including a KSI value in
the NAS key set identifier IE set to “000” and EIA0 and EEA0 as the selected NAS
security algorithms and, if accepted, create a locally generated KASME when the
security mode control procedure is initiated:

- during an attach procedure for emergency bearer services;

- during an attach procedure for access to RLOS;

- during a tracking area updating procedure when the UE has a PDN connection for
emergency bearer services;

- during a tracking area updating procedure when the UE has a PDN connection for
access to RLOS;

- during a service request procedure when the UE has a PDN connection for
emergency bearer services;

- during a service request procedure when the UE has a PDN connection for access
to RLOS;

- after an authentication procedure when the UE has a PDN connection for
emergency bearer services or is establishing a PDN connection for emergency
bearer services; or

- after an authentication procedure when the UE has a PDN connection for access
to RLOS or is establishing a PDN connection for access to RLOS.

NOTE 1: The process for creation of the locally generated KASME by the MME and
the UE is implementation dependent.

Upon receipt of a TRACKING AREA UPDATE REQUEST message including a GPRS
ciphering key sequence number IE, if the MME does not have the valid current EPS
security context indicated by the UE, the MME shall either:

- indicate the use of the new mapped EPS security context to the UE by setting
the type of security context flag in the NAS key set identifier IE to “mapped
security context” and the KSI value related to the security context of the
source system; or

- set the KSI value “000” in the NAS key set identifier IE if the MME sets EIA0
and EEA0 as the selected NAS security algorithms for a UE that has a PDN
connection for emergency bearer services.

While having a current mapped EPS security context with the UE, if the MME wants
to take the native EPS security context into use, the MME shall include the eKSI
that indicates the native EPS security context in the SECURITY MODE COMMAND
message.

The MME shall include the replayed security capabilities of the UE (including
the security capabilities with regard to NAS, RRC and UP (user plane) ciphering
as well as NAS and RRC integrity, and other possible target network security
capabilities, i.e. UTRAN/GERAN if the UE included them in the message to
network), the replayed nonceUE when creating a mapped EPS security context and
if the UE included it in the message to the network, the selected NAS ciphering
and integrity algorithms and the Key Set Identifier (eKSI). If the MME supports
handling of UE additional security capabilities and the UE included a UE
additional security capability IE in the message to the network, the MME shall
include the replayed additional security capabilities of the UE.

The MME shall include both the nonceMME and the nonceUE when creating a mapped
EPS security context during inter-system change from A/Gb mode to S1 mode or Iu
mode to S1 mode in EMM-IDLE mode.

The MME may initiate a SECURITY MODE COMMAND in order to change the NAS security
algorithms for a current EPS security context already in use. The MME re-derives
the NAS keys from KASME with the new NAS algorithm identities as input and
provides the new NAS algorithm identities within the SECURITY MODE COMMAND
message. The MME shall set the security header type of the message to “integrity
protected with new EPS security context”.

If, during an ongoing attach or tracking area updating procedure, the MME is
initiating a SECURITY MODE COMMAND (i.e. after receiving the ATTACH REQUEST or
TRACKING AREA UPDATE REQUEST message, but before sending a response to that
message) and the ATTACH REQUEST or TRACKING AREA UPDATE REQUEST message is
received without integrity protection or does not successfully pass the
integrity check at the MME, the MME shall calculate the HASHMME of the entire
plain ATTACH REQUEST or TRACKING AREA UPDATE REQUEST message as described in
3GPP TS 33.401 [19] and shall include the HASHMME in the SECURITY MODE COMMAND
message.

Additionally, the MME may request the UE to include its IMEISV in the SECURITY
MODE COMPLETE message.

NOTE 2: The AS and NAS security capabilities will be the same, i.e. if the UE
supports one algorithm for NAS, the same algorithm is also supported for AS.

If:

- the NAS security mode control procedure is initiated during an ongoing attach
procedure in WB-S1 mode;

- the network supports RACS;

- the UE has set the RACS bit to “RACS supported” in the UE network capability
IE of the ATTACH REQUEST message; and

- the UE has set the URCIDA bit to “UE radio capability ID available” in the UE
radio capability ID availability IE of the ATTACH REQUEST message,

then the MME shall request the UE to include its UE radio capability ID in the
SECURITY MODE COMPLETE message.

If:

- the NAS security mode control procedure is initiated during an ongoing
tracking area updating procedure in WB-S1 mode;

- the network supports RACS;

- the UE has set the RACS bit to “RACS supported” in the UE network capability
IE of the TRACKING AREA UDPATE REQUEST message; and

- the UE has set the URCIDA bit to “UE radio capability ID available” in the UE
radio capability ID availability IE of the TRACKING AREA UPDATE REQUEST message,

then the MME may request the UE to include its UE radio capability ID in the
SECURITY MODE COMPLETE message.

If:

- the NAS security mode control procedure is initiated during an ongoing
tracking area updating procedure in WB-S1 mode;

- the network supports RACS;

- the UE has set the RACS bit to “RACS supported” in the UE network capability
IE of the TRACKING AREA UDPATE REQUEST message;

- the UE has set the URCIDA bit to “UE radio capability ID available” in the UE
radio capability ID availability IE of the TRACKING AREA UPDATE REQUEST message;
and

- no UE radio capability ID is available in the UE context in the MME,

then the MME shall request the UE to include its UE radio capability ID in the
SECURITY MODE COMPLETE message.

Figure 5.4.3.2.1: Security mode control procedure

5.4.3.3 NAS security mode command accepted by the UE

Upon receipt of the SECURITY MODE COMMAND message, the UE shall check whether
the security mode command can be accepted or not. This is done by performing the
integrity check of the message and by checking that the received replayed UE
security capabilities, the received replayed UE additional security
capabilities, if included in the SECURITY MODE COMMAND message, and the received
nonceUE have not been altered compared to the latest values that the UE sent to
the network. However, the UE is not required to perform the checking of the
received nonceUE if the UE does not want to re-generate the K’ASME (i.e. the
SECURITY MODE COMMAND message is to derive and take into use a mapped EPS
security context and the eKSI matches the current EPS security context, if it is
a mapped EPS security context). When the UE has a PDN connection for emergency
bearer services established or the UE is establishing a PDN connection for
emergency bearer services or the UE is requesting attach for access to RLOS, the
UE is not required to locally re-generate the KASME (i.e. the SECURITY MODE
COMMAND message is used to derive and take into use a native EPS security
context where the KSI value “000” is included in the NAS key set identifier IE
and the EIA0 and EEA0 are included as the selected NAS security algorithms).

The UE shall accept a SECURITY MODE COMMAND message indicating the “null
integrity protection algorithm” EIA0 as the selected NAS integrity algorithm
only if the message is received for a UE that has a PDN connection for emergency
bearer services established, or a UE that is attached for access to RLOS, or a
UE that is establishing a PDN connection for emergency bearer services or a UE
that is requesting attach for access to RLOS.

If the type of security context flag included in the SECURITY MODE COMMAND
message is set to “native security context” and if the KSI matches a valid
non-current native EPS security context held in the UE while the UE has a mapped
EPS security context as the current EPS security context, the UE shall take the
non-current native EPS security context into use which then becomes the current
native EPS security context and delete the mapped EPS security context.

If the SECURITY MODE COMMAND message can be accepted, the UE shall take the EPS
security context indicated in the message into use. The UE shall in addition
reset the uplink NAS COUNT counter if:

- the SECURITY MODE COMMAND message is received in order to take an EPS security
context into use created after a successful execution of the EPS authentication
procedure;

- the SECURITY MODE COMMAND message received includes the type of security
context flag set to “mapped security context” in the NAS key set identifier IE
the eKSI does not match the current EPS security context, if it is a mapped EPS
security context.

If the SECURITY MODE COMMAND message can be accepted and a new EPS security
context is taken into use and SECURITY MODE COMMAND message does not indicate
the “null integrity protection algorithm” EIA0 as the selected NAS integrity
algorithm, the UE shall:

- if the SECURITY MODE COMMAND message has been successfully integrity checked
using an estimated downlink NAS COUNT equal 0, then the UE shall set the
downlink NAS COUNT of this new EPS security context to 0;

- otherwise the UE shall set the downlink NAS COUNT of this new EPS security
context to the downlink NAS COUNT that has been used for the successful
integrity checking of the SECURITY MODE COMMAND message.

If the SECURITY MODE COMMAND message can be accepted, the UE shall send a
SECURITY MODE COMPLETE message integrity protected with the selected NAS
integrity algorithm and the EPS NAS integrity key based on the KASME or mapped
K’ASME if the type of security context flag is set to “mapped security context”
indicated by the eKSI. When the SECURITY MODE COMMAND message includes the type
of security context flag set to “mapped security context” in the NAS key set
identifier IE, the nonceMME and the nonceUE, then the UE shall either:

- generate K’ASME from both the nonceMME and the nonceUE as indicated in 3GPP TS
33.401 [19];or

- check whether the SECURITY MODE COMMAND message indicates the eKSI of the
current EPS security context, if it is a mapped EPS security context, in order
not to re-generate the K’ASME.

Furthermore, if the SECURITY MODE COMMAND message can be accepted, the UE shall
cipher the SECURITY MODE COMPLETE message with the selected NAS ciphering
algorithm and the EPS NAS ciphering key based on the KASME or mapped K’ASME
indicated by the eKSI. The UE shall set the security header type of the message
to “integrity protected and ciphered with new EPS security context”.

From this time onward the UE shall cipher and integrity protect all NAS
signalling messages with the selected NAS ciphering and NAS integrity
algorithms.

If the MME indicated in the SECURITY MODE COMMAND message that the IMEISV is
requested, the UE shall include its IMEISV in the SECURITY MODE COMPLETE
message.

In WB-S1 mode, if the MME indicated in the SECURITY MODE COMMAND message that
the UE radio capability ID is requested, the UE shall:

- if the UE has an applicable network-assigned UE radio capability ID for the
current UE radio configuration in the selected PLMN, include the applicable
network-assigned UE radio capability ID in the UE radio capability ID IE of the
SECURITY MODE COMPLETE message; and

- if the UE:

a) does not have an applicable network-assigned UE radio capability ID for the
current UE radio configuration in the selected PLMN; and

b) has an applicable manufacturer-assigned UE radio capability ID for the
current UE radio configuration,

include the applicable manufacturer-assigned UE radio capability ID in the UE
radio capability ID IE of the SECURITY MODE COMPLETE message.

If, during an ongoing attach or tracking area updating procedure, the SECURITY
MODE COMMAND message includes a HASHMME, the UE shall compare HASHMME with a
hash value locally calculated as described in 3GPP TS 33.401 [19] from the
entire plain ATTACH REQUEST or TRACKING AREA UPDATE REQUEST message that the UE
had sent to initiate the procedure. If HASHMME and the locally calculated hash
value are different, the UE shall include the complete ATTACH REQUEST or
TRACKING AREA UPDATE REQUEST message which the UE had previously sent in the
Replayed NAS message container IE of the SECURITY MODE COMPLETE message.

5.4.3.4 NAS security mode control completion by the network

The MME shall, upon receipt of the SECURITY MODE COMPLETE message, stop timer
T3460. From this time onward the MME shall integrity protect and encipher all
signalling messages with the selected NAS integrity and ciphering algorithms.

If the SECURITY MODE COMPLETE message contains a Replayed NAS container message
IE with an ATTACH REQUEST or TRACKING AREA UPDATE REQUEST message, the MME shall
complete the ongoing attach or tracking area updating procedure by considering
the ATTACH REQUEST or TRACKING AREA UPDATE REQUEST message contained in the
Replayed NAS message container IE as the message that triggered the procedure.

5.4.3.5 NAS security mode command not accepted by the UE

If the security mode command cannot be accepted, the UE shall send a SECURITY
MODE REJECT message. The SECURITY MODE REJECT message contains an EMM cause that
typically indicates one of the following cause values:

#23: UE security capabilities mismatch;

#24: security mode rejected, unspecified.

Upon receipt of the SECURITY MODE REJECT message, the MME shall stop timer
T3460. The MME shall also abort the ongoing procedure that triggered the
initiation of the NAS security mode control procedure.

Both the UE and the MME shall apply the EPS security context in use before the
initiation of the security mode control procedure, if any, to protect the
SECURITY MODE REJECT message and any other subsequent messages according to the
rules in subclauses 4.4.4 and 4.4.5.

5.4.3.6 Abnormal cases in the UE

The following abnormal cases can be identified:

a) Transmission failure of SECURITY MODE COMPLETE message or SECURITY MODE
REJECT message indication from lower layers (if the security mode control
procedure is triggered by a tracking area updating procedure)

The UE shall abort the security mode control procedure and re-initiate the
tracking area updating procedure.

b) Transmission failure of SECURITY MODE COMPLETE message or SECURITY MODE
REJECT message indication with TAI change from lower layers (if the security
mode control procedure is triggered by a service request procedure)

If the current TAI is not in the TAI list, the security mode control procedure
shall be aborted and a tracking area updating procedure shall be initiated.

If the current TAI is still part of the TAI list, the security mode control
procedure shall be aborted and it is up to the UE implementation how to re-run
the ongoing procedure that triggered the security mode control procedure.

c) Transmission failure of SECURITY MODE COMPLETE message or SECURITY MODE
REJECT message indication without TAI change from lower layers (if the security
mode control procedure is triggered by a service request procedure)

The security mode control procedure shall be aborted and it is up to the UE
implementation how to re-run the ongoing procedure that triggered the security
mode control procedure.

5.4.3.7 Abnormal cases on the network side

The following abnormal cases can be identified:

a) Lower layer failure before the SECURITY MODE COMPLETE or SECURITY MODE REJECT
message is received

The network shall abort the security mode control procedure.

b) Expiry of timer T3460

The network shall, on the first expiry of the timer T3460, retransmit the
SECURITY MODE COMMAND message and shall reset and start timer T3460. This
retransmission is repeated four times, i.e. on the fifth expiry of timer T3460,
the procedure shall be aborted.

NOTE: If the SECURITY MODE COMMAND message was sent to create a mapped EPS
security context during inter-system change from A/Gb mode to S1 mode or Iu mode
to S1 mode, then the network does not generate new values for the nonceMME and
the nonceUE, but includes the same values in the SECURITY MODE COMMAND message
(see the subclause 7.2.4.4 in 3GPP TS 33.401 [19]).

c) Collision between security mode control procedure and attach, service
request, tracking area updating procedure or detach procedure not indicating
switch off

The network shall abort the security mode control procedure and proceed with the
UE initiated procedure.

d) Collision between security mode control procedure and other EMM procedures
than in item c

The network shall progress both procedures.

e) Lower layers indication of non-delivered NAS PDU due to handover

If the SECURITY MODE COMMAND message could not be delivered due to an intra MME
handover and the target TA is included in the TAI list, then upon successful
completion of the intra MME handover the MME shall retransmit the SECURITY MODE
COMMAND message. If a failure of the handover procedure is reported by the lower
layer and the S1 signalling connection exists, the MME shall retransmit the
SECURITY MODE COMMAND message.

5.4.4 Identification procedure

5.4.4.1 General

The identification procedure is used by the network to request a particular UE
to provide specific identification parameters, e.g. the International Mobile
Subscriber Identity (IMSI) or the International Mobile Equipment Identity
(IMEI). IMEI and IMSI definition and structure are specified in 3GPP TS 23.003
[2].

For mobile device supporting both 3GPP access and cdma2000® access a single IMEI
is used to identify the device as specified in 3GPP TS 22.278 [1C].

5.4.4.2 Identification initiation by the network

The network initiates the identification procedure by sending an IDENTITY
REQUEST message to the UE and starting the timer T3470 (see example in figure
5.4.4.2.1). The IDENTITY REQUEST message specifies the requested identification
parameters in the Identity type information element.

Figure 5.4.4.2.1: Identification procedure

5.4.4.3 Identification response by the UE

A UE shall be ready to respond to an IDENTITY REQUEST message at any time whilst
in EMM-CONNECTED mode.

Upon receipt of the IDENTITY REQUEST message the UE shall send an IDENTITY
RESPONSE message to the network. The IDENTITY RESPONSE message shall contain the
identification parameters as requested by the network.

5.4.4.4 Identification completion by the network

Upon receipt of the IDENTITY RESPONSE the network shall stop the timer T3470.

5.4.4.5 Abnormal cases in the UE

The following abnormal cases can be identified:

a) Requested identity is not available

If the UE cannot encode the requested identity in the IDENTITY RESPONSE message,
e.g. because no valid USIM is available, then it shall encode the identity type
as “no identity”.

b) Transmission failure of IDENTITY RESPONSE message indication from lower
layers (if the identification procedure is triggered by a tracking area updating
procedure)

The UE shall abort the identification procedure and re-initiate the tracking
area updating procedure.

c) Transmission failure of IDENTITY RESPONSE message indication with TAI change
from lower layers (if the identification procedure is triggered by a service
request procedure)

If the current TAI is not in the TAI list, the identification procedure shall be
aborted and a tracking area updating procedure shall be initiated.

If the current TAI is still part of the TAI list, the identification procedure
shall be aborted and it is up to the UE implementation how to re-run the ongoing
procedure that triggered the identification procedure.

d) Transmission failure of IDENTITY RESPONSE message indication without TAI
change from lower layers (if the identification procedure is triggered by a
service request procedure)

The identification procedure shall be aborted and it is up to the UE
implementation how to re-run the ongoing procedure that triggered the
identification procedure.

5.4.4.6 Abnormal cases on the network side

The following abnormal cases can be identified:

a) Lower layer failure

Upon detection of a lower layer failure before the IDENTITY RESPONSE is
received, the network shall abort any ongoing EMM procedure.

b) Expiry of timer T3470

The identification procedure is supervised by the network by the timer T3470.
The network shall, on the first expiry of the timer T3470, retransmit the
IDENTITY REQUEST message and reset and restart the timer T3470. This
retransmission is repeated four times, i.e. on the fifth expiry of timer T3470,
the network shall abort the identification procedure and any ongoing EMM
procedure.

c) Collision of an identification procedure with an attach procedure

If the network receives an ATTACH REQUEST message before the ongoing
identification procedure has been completed and no attach procedure is pending
on the network (i.e. no ATTACH ACCEPT/REJECT message has still to be sent as an
answer to an ATTACH REQUEST message), the network shall proceed with the attach
procedure.

d) Collision of an identification procedure with an attach procedure when the
identification procedure has been caused by an attach procedure

If the network receives an ATTACH REQUEST message before the ongoing
identification procedure has been completed and an attach procedure is pending
(i.e. an ATTACH ACCEPT/REJECT message has to be sent as an answer to an earlier
ATTACH REQUEST message), then:

- If one or more of the information elements in the ATTACH REQUEST message
differ from the ones received within the previous ATTACH REQUEST message, the
network shall proceed with the new attach procedure; or

- If the information elements do not differ, then the network shall not treat
any further this new ATTACH REQUEST.

e) Collision of an identification procedure with a UE initiated detach procedure

Detach containing cause “switch off” within the Detach type IE:

If the network receives a DETACH REQUEST message before the ongoing
identification procedure has been completed, the network shall abort the
identification procedure and shall progress the detach procedure.

Detach containing other causes than “switch off” within the Detach type IE:

If the network receives a DETACH REQUEST message before the ongoing
identification procedure has been completed, the network shall complete the
identification procedure and shall respond to the detach procedure as described
in subclause 5.5.2.

f) Collision of an identification procedure with a tracking area updating
procedure

If the network receives a TRACKING AREA UPDATE REQUEST message before the
ongoing identification procedure has been completed, the network shall progress
both procedures.

g) Collision of an identification procedure with a service request procedure

If the network receives an EXTENDED SERVICE REQUEST message for CS fallback or
1xCS fallback before the ongoing identification procedure has been completed,
the network shall progress both procedures.

h) Lower layers indication of non-delivered NAS PDU due to handover

If the IDENTITY REQUEST message could not be delivered due to an intra MME
handover and the target TA is included in the TAI list, then upon successful
completion of the intra MME handover the MME shall retransmit the IDENTITY
REQUEST message. If a failure of the handover procedure is reported by the lower
layer and the S1 signalling connection exists, the MME shall retransmit the
IDENTITY REQUEST message.

5.4.5 EMM information procedure

5.4.5.1 General

The purpose of sending the EMM INFORMATION message is to allow the network to
provide information to the UE. The message implementation is optional in the
network. The UE may use the received information if the UE supports implementing
this message.

The EMM information procedure may be invoked by the network at any time during
an established EMM context.

5.4.5.2 EMM information procedure initiation by the network

The EMM information procedure consists only of the EMM INFORMATION message sent
from the network to the UE (see example in figure 5.4.5.2.1). During an
established EMM context, the network may send none, one, or more EMM INFORMATION
messages to the UE. If more than one EMM INFORMATION message is sent, the
messages need not have the same content.

Figure 5.4.5.2.1: EMM information procedure

5.4.5.3 EMM information procedure in the UE

When the UE (supporting the EMM information message) receives an EMM INFORMATION
message, it shall accept the message and optionally use the contents to update
appropriate information stored within the UE.

If the UE does not support the EMM information message the UE shall ignore the
contents of the message and return an EMM STATUS message with EMM cause #97
“message type non-existent or not implemented”.

5.4.5.4 Abnormal cases on the network side

The following abnormal case can be identified:

a) Lower layers indication of non-delivered NAS PDU due to handover

If the EMM INFORMATION message could not be delivered due to an intra MME
handover and the target TA is included in the TAI list, then upon successful
completion of the intra MME handover the MME shall retransmit the EMM
INFORMATION message. If a failure of the handover procedure is reported by the
lower layer and the S1 signalling connection exists, the MME shall retransmit
the EMM INFORMATION message.

5.5 EMM specific procedures

5.5.1 Attach procedure

5.5.1.1 General

The attach procedure is used to attach to an EPC for packet services in EPS.

The attach procedure is used for the following purposes:

- by a UE in PS mode of operation to attach for EPS services only;

- by a UE in CS/PS mode 1 or CS/PS mode 2 of operation to attach for both EPS
and non-EPS services;

- by a UE supporting NB-S1 mode only in PS mode of operation to attach for EPS
services and “SMS only”;

- to attach for emergency bearer services; or

- an attach for access to RLOS.

The lower layers indicate to NAS that the network does not support emergency
bearer services for the UE in limited service state (3GPP TS 36.331 [22]). This
information is taken into account when deciding whether to initiate attach for
emergency bearer services in WB-S1 mode.

If the MME does not support an attach for emergency bearer services, the MME
shall reject any request to attach with an attach type set to “EPS emergency
attach”.

The lower layers may indicate to NAS whether the network supports access to RLOS
(3GPP TS 36.331 [22]). This information is taken into account when deciding
whether to initiate attach for access to RLOS in WB-S1 mode.

With a successful attach procedure, a context is established for the UE in the
MME. Furthermore, if the UE requested PDN connectivity, a default bearer is
established between the UE and the PDN GW, thus enabling always-on IP
connectivity to the UE. In WB-S1 mode, the network may also initiate the
activation of dedicated bearers as part of the attach procedure. In NB-S1 mode
the network shall not initiate the activation of dedicated bearers.

With a successful attach procedure in NB-S1 mode, a context is established for
the UE in the MME. If the attach request included information to request PDN
connectivity, a default bearer is also established between the UE and the PDN.

If EMM-REGISTERED without PDN connection is supported by the UE and the MME, a
default bearer need not be requested by the UE during the attach procedure. If
EMM-REGISTERED without PDN connection is not supported by the UE or the MME,
then the UE shall request establishment of a default bearer.

During the attach procedure with default bearer establishment, the UE may also
obtain the home agent IPv4 or IPv6 address or both.

In a shared network, the UE shall choose one of the PLMN identities as specified
in 3GPP TS 23.122 [6]. The UE shall construct the TAI of the cell from this
chosen PLMN identity and the TAC received for this PLMN identity as part of the
broadcast system information. The chosen PLMN identity shall be indicated to the
E-UTRAN (see 3GPP TS 36.331 [22]). Whenever an ATTACH REJECT message with the
EMM cause #11 “PLMN not allowed” is received by the UE, the chosen PLMN
identity shall be stored in the “forbidden PLMN list” and if the UE is
configured to use timer T3245 (see 3GPP TS 24.368 [15A] or 3GPP TS 31.102 [17])
then the UE shall start timer T3245 and proceed as described in subclause
5.3.7a. Whenever an ATTACH REJECT message with the EMM cause #14 “EPS services
not allowed in this PLMN” is received by the UE, the chosen PLMN identity shall
be stored in the “forbidden PLMNs for GPRS service” and if the UE is configured
to use timer T3245 (see 3GPP TS 24.368 [15A] or 3GPP TS 31.102 [17]) then the UE
shall start timer T3245 and proceed as described in subclause 5.3.7a. Whenever
an ATTACH REJECT message is received by the UE with the EMM cause #12 “tracking
area not allowed”, #13 “roaming not allowed in this tracking area”, or #15 “no
suitable cells in tracking area”, the constructed TAI shall be stored in the
suitable list.

An attach attempt counter is used to limit the number of subsequently rejected
attach attempts. The attach attempt counter shall be incremented as specified in
subclause 5.5.1.2.6. Depending on the value of the attach attempt counter,
specific actions shall be performed. The attach attempt counter shall be reset
when:

- the UE is powered on;

- a USIM is inserted;

- an attach or combined attach procedure is successfully completed;

NOTE: The attach procedure can be initiated in S1 or S101 mode as described in
subclause 5.5.1.

- a GPRS attach or combined GPRS attach procedure is successfully completed in
A/Gb or Iu mode;

- a registration procedure for initial registration performed over 3GPP access
is successfully completed in N1 mode and the UE is operating in
single-registration mode;

- a combined attach procedure is completed for EPS services only with cause #2,
#16, #17, #18 or #22;

- an attach or combined attach procedure is rejected with cause #11, #12,
#13, #14, #15, #25 or #35:

- a network initiated detach procedure is completed with cause #11, #12, #13,
#14, #15 or #25; or

- a new PLMN is selected.

Additionally the attach attempt counter shall be reset when the UE is in
substate EMM-DEREGISTERED.ATTEMPTING-TO-ATTACH and:

- a new tracking area is entered;

- timer T3402 expires; or

- timer T3346 is started.

5.5.1.2 Attach procedure for EPS services

5.5.1.2.1 General

This procedure can be used by a UE to attach for:

- EPS services only; or

- EPS services and “SMS only” if the UE supports NB-S1 mode only.

When the UE initiates the attach procedure for normal service, the UE shall
indicate “EPS attach” in the EPS attach type IE.

When the UE initiates the attach procedure for emergency bearer services, the UE
shall indicate “EPS emergency attach” in the EPS attach type IE. The attach
procedure for emergency bearer services is not applicable for NB-S1 mode (see
3GPP TS 23.401 [10]).

This procedure can also be used by a UE in limited service state to attach for
access to RLOS.

When the UE initiates the attach procedure for access to RLOS, the UE shall
indicate “EPS RLOS attach” in the EPS attach type IE. The attach procedure for
access to RLOS is not applicable for NB-S1 mode (see 3GPP TS 23.401 [10]).

5.5.1.2.2 Attach procedure initiation

In state EMM-DEREGISTERED, the UE initiates the attach procedure by sending an
ATTACH REQUEST message to the MME, starting timer T3410 and entering state
EMM-REGISTERED-INITIATED (see example in figure 5.5.1.2.2.1). If timer T3402 is
currently running, the UE shall stop timer T3402. If timer T3411 is currently
running, the UE shall stop timer T3411.

The UE shall include the IMSI in the EPS mobile identity IE in the ATTACH
REQUEST message if the selected PLMN is neither the registered PLMN nor in the
list of equivalent PLMNs and:

a) the UE is configured for “AttachWithIMSI” as specified in 3GPP TS 24.368
[15A] or 3GPP TS 31.102 [17]; or

b) the UE is in NB-S1 mode.

For all other cases, the UE shall handle the EPS mobile identity IE in the
ATTACH REQUEST message as follows:

a) if the UE operating in the single-registration mode is performing an
inter-system change from N1 mode to S1 mode or the UE was previously registered
in N1 mode before entering state 5GMM-DEREGISTERED and:

  1. the UE has received the interworking without N26 interface indicator set to
    “interworking without N26 interface supported” from the network and:

i) if the UE holds a valid GUTI, the UE shall include the valid GUTI into the
EPS mobile identity IE, include Old GUTI type IE with GUTI type set to “native
GUTI” and include the UE status IE with a 5GMM registration status set to:

- “UE is in 5GMM-REGISTERED state” if the UE is in 5GMM-REGISTERED state; or

- “UE is in 5GMM-DEREGISTERED state” if the UE is in 5GMM-DEREGISTERED state; or

ii) if the UE does not hold a valid GUTI, the UE shall include the IMSI in the
EPS mobile identity IE; or

  1. the UE has received the interworking without N26 interface indicator set to
    “interworking without N26 interface not supported” from the network and:

i) if the UE holds a valid 5G-GUTI, the UE shall include a GUTI, mapped from
5G-GUTI into the EPS mobile identity IE, include Old GUTI type IE with GUTI type
set to “native GUTI” and include the UE status IE with a 5GMM registration
status set to “UE is in 5GMM-DEREGISTERED state”;

ii) if the UE holds a valid GUTI and does not hold a valid 5G-GUTI, the UE shall
indicate the GUTI in the EPS mobile identity IE and include Old GUTI type IE
with GUTI type set to “native GUTI”; or

iii) if the UE holds neither a valid GUTI nor a vaild 5G-GUTI, the UE shall
include the IMSI in the EPS mobile identity IE; or

NOTE 1: The value of the EMM registration status included by the UE in the UE
status IE is not used by the MME.

b) otherwise:

  1. if the UE supports neither A/Gb mode nor Iu mode, the UE shall include in the
    ATTACH REQUEST message a valid GUTI together with the last visited registered
    TAI, if available. In addition, the UE shall include Old GUTI type IE with GUTI
    type set to “native GUTI”. If there is no valid GUTI available, the UE shall
    include the IMSI in the ATTACH REQUEST message; or

  2. If the UE supports A/Gb mode or Iu mode or both and:

i) if the TIN indicates “P-TMSI” and the UE holds a valid P-TMSI and RAI, the UE
shall map the P-TMSI and RAI into the EPS mobile identity IE, and include Old
GUTI type IE with GUTI type set to “mapped GUTI”. If a P-TMSI signature is
associated with the P-TMSI, the UE shall include it in the Old P-TMSI signature
IE. Additionally, if the UE holds a valid GUTI, the UE shall indicate the GUTI
in the Additional GUTI IE;

NOTE 2: The mapping of the P-TMSI and the RAI to the GUTI is specified in 3GPP
TS 23.003 [2].

ii) if the TIN indicates “GUTI” or “RAT-related TMSI” and the UE holds a valid
GUTI, the UE shall indicate the GUTI in the EPS mobile identity IE, and include
Old GUTI type IE with GUTI type set to “native GUTI”;

iii) if the TIN is deleted and:

- the UE holds a valid GUTI, the UE shall indicate the GUTI in the EPS mobile
identity IE, and include Old GUTI type IE with GUTI type set to “native GUTI”;

- the UE does not hold a valid GUTI but holds a valid P-TMSI and RAI, the UE
shall map the P-TMSI and RAI into the EPS mobile identity IE, and include Old
GUTI type IE with GUTI type set to “mapped GUTI”. If a P-TMSI signature is
associated with the P-TMSI, the UE shall include it in the Old P-TMSI signature
IE; or

- the UE does not hold a valid GUTI, P-TMSI or RAI, the UE shall include the
IMSI in the EPS mobile identity IE; or

iv) otherwise the UE shall include the IMSI in the EPS mobile identity IE.

If the UE is operating in the dual-registration mode and it is in 5GMM state
5GMM-REGISTERED, the UE shall include the UE status IE with the 5GMM
registration status set to “UE is in 5GMM-REGISTERED state”.

NOTE 3: The value of the EMM registration status included by the UE in the UE
status IE is not used by the MME.

If the UE is attaching for emergency bearer services and does not hold a valid
GUTI, P-TMSI or IMSI as described above, the IMEI shall be included in the EPS
mobile identity IE.

If the UE in limited service state is attaching for access to RLOS and does not
hold a valid GUTI, P-TMSI or IMSI as described above, the IMEI shall be included
in the EPS mobile identity IE.

If the UE supports A/Gb mode or Iu mode or if the UE needs to indicate its UE
specific DRX parameter to the network, the UE shall include the UE specific DRX
parameter in the DRX parameter IE in the ATTACH REQUEST message.If the UE in
NB-S1 mode needs to indicate the UE specific DRX parameter in NB-S1 mode to the
network, it shall include the UE specific DRX parameter in NB-S1 mode in the DRX
parameter in NB-S1 mode IE in the ATTACH REQUEST message.

If the UE supports eDRX and requests the use of eDRX, the UE shall include the
extended DRX parameters IE in the ATTACH REQUEST message.

If the UE supports WUS assistance, then the UE shall set the WUSA bit to “WUS
assistance supported” in the UE network capability IE, and if the UE is not
attaching for emergency bearer services, the UE may include its UE paging
probability information in the Requested WUS assistance information IE of the
ATTACH REQUEST message.

If the UE supports SRVCC to GERAN/UTRAN, the UE shall set the SRVCC to
GERAN/UTRAN capability bit to “SRVCC from UTRAN HSPA or E-UTRAN to GERAN/UTRAN
supported”.

If the UE supports vSRVCC from S1 mode to Iu mode, then the UE shall set the
H.245 after handover capability bit to “H.245 after SRVCC handover capability
supported” and additionally set the SRVCC to GERAN/UTRAN capability bit to
“SRVCC from UTRAN HSPA or E-UTRAN to GERAN/UTRAN supported” in the ATTACH
REQUEST message.

If the UE supports PSM and requests the use of PSM, then the UE shall include
the T3324 value IE with a requested timer value in the ATTACH REQUEST message.
When the UE includes the T3324 value IE and the UE indicates support for
extended periodic timer value in the MS network feature support IE, it may also
include the T3412 extended value IE to request a particular T3412 value to be
allocated.

If the UE supports ProSe direct discovery, then the UE shall set the ProSe bit
to “ProSe supported” and set the ProSe direct discovery bit to “ProSe direct
discovery supported” in the UE network capability IE of the ATTACH REQUEST
message.

If the UE supports ProSe direct communication, then the UE shall set the ProSe
bit to “ProSe supported” and set the ProSe direct communication bit to “ProSe
direct communication supported” in the UE network capability IE of the ATTACH
REQUEST message.

If the UE supports acting as a ProSe UE-to-network relay, then the UE shall set
the ProSe bit to “ProSe supported” and set the ProSe UE-to-network relay bit to
“acting as a ProSe UE-to-network relay supported” in the UE network capability
IE of the ATTACH REQUEST message.

If the UE supports NB-S1 mode, Non-IP or Ethernet PDN type, N1 mode, or if the
UE supports DNS over (D)TLS (see 3GPP TS 33.501 [24]), then the UE shall support
the extended protocol configuration options IE.

NOTE 4: Support of DNS over (D)TLS is based on the informative requirements as
specified in 3GPP TS 33.501 [24].

If the UE supports the extended protocol configuration options IE, then the UE
shall set the ePCO bit to “extended protocol configuration options supported” in
the UE network capability IE of the ATTACH REQUEST message.

If the UE supports the restriction on use of enhanced coverage, then the UE
shall set the RestrictEC bit to “Restriction on use of enhanced coverage
supported” in the UE network capability IE of the ATTACH REQUEST message.

If the UE supports the control plane data back-off timer T3448, the UE shall set
the CP backoff bit to “back-off timer for transport of user data via the control
plane supported” in the UE network capability IE of the ATTACH REQUEST message.

If the UE is in NB-S1 mode, then the UE shall set the Control plane CIoT EPS
optimization bit to “Control plane CIoT EPS optimization supported” in the UE
network capability IE of the ATTACH REQUEST message. If the UE is capable of
NB-N1 mode, then the UE shall set the Control plane CIoT 5GS optimization bit to
“Control plane CIoT 5GS optimization supported” in the N1 UE network capability
IE of the ATTACH REQUEST message.

If the UE is in NB-S1 mode, supports NB-S1 mode only, and requests to attach for
EPS services and “SMS only”, the UE shall indicate the SMS only requested bit to
“SMS only” in the additional update type IE and shall set the EPS attach type IE
to “EPS attach” in the ATTACH REQUEST message.

If the UE supports CIoT EPS optimizations, it shall indicate in the UE network
capability IE of the ATTACH REQUEST message whether it supports EMM-REGISTERED
without PDN connection.

If the UE supports S1-U data transfer and multiple user plane radio bearers (see
3GPP TS 36.306 [44], 3GPP TS 36.331 [22]) in NB-S1 mode, then the UE shall set
the Multiple DRB support bit to “Multiple DRB supported” in the UE network
capability IE of the ATTACH REQUEST message.

If the UE supports control plane MT-EDT, then the UE shall set the CP-MT-EDT bit
to “Control plane Mobile Terminated-Early Data Transmission supported” in the UE
network capability IE of the ATTACH REQUEST message.

If the UE supports user plane MT-EDT, then the UE shall set the UP-MT-EDT bit to
“User plane Mobile Terminated-Early Data Transmission supported” in the UE
network capability IE of the ATTACH REQUEST message.

If the UE supports V2X communication over E-UTRA-PC5, then the UE shall set the
V2X PC5 bit to “V2X communication over E-UTRA-PC5 supported” in the UE network
capability IE of the ATTACH REQUEST message.

If the UE supports V2X communication over NR-PC5, then the UE shall set the V2X
NR-PC5 bit to “V2X communication over NR-PC5 supported” in the UE network
capability IE of the ATTACH REQUEST message.

If the UE supports service gap control, then the UE shall set the SGC bit to
“service gap control supported” in the UE network capability IE of the ATTACH
REQUEST message.

If the UE supports dual connectivity with New Radio (NR), then the UE shall set
the DCNR bit to “dual connectivity with NR supported” in the UE network
capability IE of the ATTACH REQUEST message and shall include the UE additional
security capability IE in the ATTACH REQUEST message.

If the UE supports N1 mode, the UE shall set the N1mode bit to “N1 mode
supported” in the UE network capability IE of the ATTACH REQUEST message and
shall include the UE additional security capability IE in the ATTACH REQUEST
message.

If the UE supports signalling for a maximum number of 15 EPS bearer contexts,
then the UE shall set the 15 bearers bit to “Signalling for a maximum number of
15 EPS bearer contexts supported” in the UE network capability IE of the ATTACH
REQUEST message.

If the UE supports ciphered broadcast assistance data and needs to obtain new
ciphering keys, the UE shall include the Additional information requested IE
with the CipherKey bit set to “ciphering keys for ciphered broadcast assistance
data requested” in the ATTACH REQUEST message.

If EMM-REGISTERED without PDN connection is not supported by the UE or the MME,
or if the UE wants to request PDN connection with the attach procedure, the UE
shall send the ATTACH REQUEST message together with a PDN CONNECTIVITY REQUEST
message contained in the ESM message container IE.

If EMM-REGISTERED without PDN connection is supported by the UE and the MME, and
the UE does not want to request PDN connection with the attach procedure, the UE
shall send the ATTACH REQUEST message together with an ESM DUMMY MESSAGE
contained in the ESM message container information element.

In WB-S1 mode, if the UE supports RACS, the UE shall:

a) set the RACS bit to “RACS supported” in the UE network capability IE of the
ATTACH REQUEST message; and

b) if the UE has an applicable UE radio capability ID for the current UE radio
configuration in the selected PLMN, set the URCIDA bit to “UE radio capability
ID available” in the UE radio capability ID availability IE of the ATTACH
REQUEST message.

If the attach procedure is initiated following an inter-system change from N1
mode to S1 mode in EMM-IDLE mode or the UE which was previously registered in N1
mode before entering state 5GMM-DEREGISTERED initiates the attach procedure:

a) if the UE has received an “interworking without N26 interface not supported”
indication from the network and a valid 5G NAS security context exists in the
UE, the UE shall integrity protect the ATTACH REQUEST message combined with the
message included in the ESM message container IE using the 5G NAS security
context;

b) otherwise:

  1. if a valid EPS security context exists, the UE shall integrity protect the
    ATTACH REQUEST message combined with the message included in the ESM message
    container IE using the EPS security context; or

  2. if the UE does not have a valid EPS security context, the ATTACH REQUEST
    message combined with the message included in the ESM message container IE is
    not integrity protected.

Figure 5.5.1.2.2.1: Attach procedure and combined attach procedure

5.5.1.2.3 EMM common procedure initiation

The network may initiate EMM common procedures, e.g. the identification,
authentication and security mode control procedures during the attach procedure,
depending on the information received in the ATTACH REQUEST message (e.g. IMSI,
GUTI and KSI).

If the network receives an ATTACH REQUEST message containing the Old GUTI type
IE and the EPS mobile identity IE with type of identity indicating “GUTI”, and
the network does not follow the use of the most significant bit of the <MME
group id> as specified in 3GPP TS 23.003 [2], subclause 2.8.2.2.2, the network
shall use the Old GUTI type IE to determine whether the mobile identity included
in the EPS mobile identity IE is a native GUTI or a mapped GUTI.

During an attach for emergency bearer services or an attach for access to RLOS,
the MME may choose to skip the authentication procedure even if no EPS security
context is available and proceed directly to the execution of the security mode
control procedure as specified in subclause 5.4.3.

5.5.1.2.4 Attach accepted by the network

During an attach for emergency bearer services, if not restricted by local
regulations, the MME shall not check for mobility and access restrictions,
regional restrictions, subscription restrictions, or perform CSG access control
when processing the ATTACH REQUEST message. The network shall not apply
subscribed APN based congestion control during an attach procedure for emergency
bearer services.

During an attach for access to RLOS, the MME shall not check for access
restrictions, regional restrictions and subscription restrictions when
processing the ATTACH REQUEST message.

If the attach request is accepted by the network, the MME shall send an ATTACH
ACCEPT message to the UE and start timer T3450.

If the attach request included the PDN CONNECTIVITY REQUEST message in the ESM
message container information element to request PDN connectivity, the MME when
accepting the attach request shall:

- send the ATTACH ACCEPT message together with an ESM DUMMY MESSAGE contained in
the ESM message container information element and discard the ESM message
container information element included in the attach request if:

- the UE indicated support of EMM-REGISTERED without PDN connection in the UE
network capability IE of the ATTACH REQUEST message;

- the MME supports EMM-REGISTERED without PDN connection and PDN connection is
restricted according to the user’s subscription data;

- the attach type is not set to “EPS emergency attach” or “EPS RLOS attach”; and

- the request type of the UE requested PDN connection is not set to “emergency”
or “RLOS”;

- otherwise, send the ATTACH ACCEPT message together with an ACTIVATE DEFAULT
EPS BEARER CONTEXT REQUEST message contained in the ESM message container
information element to activate the default bearer (see subclause 6.4.1). In
WB-S1 mode, the network may also initiate the activation of dedicated bearers
towards the UE by invoking the dedicated EPS bearer context activation procedure
(see subclause 6.4.2). In NB-S1 mode the network shall not initiate the
activation of dedicated bearers.

If EMM-REGISTERED without PDN connection is supported by the UE and the MME, and
the UE included an ESM DUMMY MESSAGE in the ESM message container information
element of the ATTACH REQUEST message, the MME shall send the ATTACH ACCEPT
message together with an ESM DUMMY MESSAGE contained in the ESM message
container information element.

If the attach request is accepted by the network, the MME shall delete the
stored UE radio capability information or the UE radio capability ID, if any.

In NB-S1 mode, if the attach request is accepted by the network, the MME shall
set the EMC BS bit to zero in the EPS network feature support IE included in the
ATTACH ACCEPT message to indicate that support of emergency bearer services in
NB-S1 mode is not available.

If the UE has included the UE network capability IE or the MS network capability
IE or both in the ATTACH REQUEST message, the MME shall store all octets
received from the UE, up to the maximum length defined for the respective
information element.

NOTE 1: This information is forwarded to the new MME during inter-MME handover
or to the new SGSN during inter-system handover to A/Gb mode or Iu mode.

NOTE 2: For further details concerning the handling of the MS network capability
and UE network capability in the MME see also 3GPP TS 23.401 [10].

If the UE specific DRX parameter was included in the DRX Parameter IE in the
ATTACH REQUEST message, the MME shall replace any stored UE specific DRX
parameter with the received parameter and use it for the downlink transfer of
signalling and user data in WB-S1 mode.

In NB-S1 mode, if the DRX parameter in NB-S1 mode IE was included in the ATTACH
REQUEST message, the MME shall provide to the UE the Negotiated DRX parameter in
NB-S1 mode IE in the ATTACH ACCEPT message. The MME shall replace any stored UE
specific DRX parameter in NB-S1 mode with the negotiated DRX parameter and use
it for the downlink transfer of signalling and user data in NB-S1 mode.

NOTE 3: In NB-S1 mode, if a DRX parameter was included in the Negotiated DRX
parameter in NB-S1 mode IE in the ATTACH ACCEPT message, then the UE stores and
uses the received DRX parameter in NB-S1 mode (see 3GPP TS 36.304 [21]). If the
UE did not receive a DRX parameter in the Negotiated DRX parameter in NB-S1 mode
IE, or if the Negotiated DRX parameter in NB-S1 mode IE was not included in the
ATTACH ACCEPT message, then the UE uses the cell specific DRX value in NB-S1
mode (see 3GPP TS 36.304 [21]).

In NB-S1 mode, if the UE requested “SMS only” in the Additional update type IE,
supports NB-S1 mode only and the MME decides to accept the attach request for
EPS services and “SMS only”, the MME shall indicate “SMS only” in the Additional
update result IE and shall set the EPS attach result IE to “EPS only” in the
ATTACH ACCEPT message.

The MME shall include the extended DRX parameters IE in the ATTACH ACCEPT
message only if the extended DRX parameters IE was included in the ATTACH
REQUEST message, and the MME supports and accepts the use of eDRX.

If

- the UE supports WUS assistance; and

- the MME supports and accepts the use of WUS assistance,

then the MME shall determine the negotiated UE paging probability information
for the UE, store it in the EMM context of the UE, and if the UE is not
attaching for emergency bearer services, the MME shall include it in the
Negotiated WUS assistance information IE in the ATTACH ACCEPT message. The MME
may take into account the UE paging probability information received in the
Requested WUS assistance information IE when determining the negotiated UE
paging probability information for the UE.

NOTE 4: Besides the UE paging probability information requested by the UE, the
MME can take local configuration or previous statistical information for the UE
into account when determining the negotiated UE paging probability information
for the UE (see 3GPP TS 23.401 [10]).

The MME shall assign and include the TAI list the UE is registered to in the
ATTACH ACCEPT message. The MME shall not assign a TAI list containing both
tracking areas in NB-S1 mode and tracking areas in WB-S1 mode. The UE, upon
receiving an ATTACH ACCEPT message, shall delete its old TAI list and store the
received TAI list.

NOTE 5: When assigning the TAI list, the MME can take into account the eNodeB’s
capability of support of CIoT EPS optimization.

The MME may include T3412 extended value IE in the ATTACH ACCEPT message only if
the UE indicates support of the extended periodic timer T3412 in the MS network
feature support IE in the ATTACH REQUEST message.

The MME shall include the T3324 value IE in the ATTACH ACCEPT message only if
the T3324 value IE was included in the ATTACH REQUEST message, and the MME
supports and accepts the use of PSM.

If the MME supports and accepts the use of PSM, and the UE included the T3412
extended value IE in the ATTACH REQUEST message, then the MME shall take into
account the T3412 value requested when providing the T3412 value IE and the
T3412 extended value IE in the ATTACH ACCEPT message.

NOTE 6: Besides the value requested by the UE, the MME can take local
configuration or subscription data provided by the HSS into account when
selecting a value for T3412 (3GPP TS 23.401 [10] subclause 4.3.17.3).

If the UE indicates support for EMM-REGISTERED without PDN connection in the
ATTACH REQUEST message and the MME supports EMM-REGISTERED without PDN
connection, the MME shall indicate support for EMM-REGISTERED without PDN
connection in the EPS network feature support IE of the ATTACH ACCEPT message.
The UE and the MME shall use the information whether the peer entity supports
EMM-REGISTERED without PDN connection as specified in the present clause 5 and
in clause 6.

If the UE requests “control plane CIoT EPS optimization” in the Additional
update type IE, indicates support of control plane CIoT EPS optimization in the
UE network capability IE and the MME decides to accept the requested CIoT EPS
optimization and the attach request, the MME shall indicate “control plane CIoT
EPS optimization supported” in the EPS network feature support IE.

If the MME supports NB-S1 mode, Non-IP or Ethernet PDN type, inter-system change
with 5GS or the network wants to enforce the use of DNS over (D)TLS (see 3GPP TS
33.501 [24]), then the MME shall support the extended protocol configuration
options IE.

NOTE 7: Support of DNS over (D)TLS is based on the informative requirements as
specified in 3GPP TS 33.401 [19] and it is implemented based on the operator
requirement.

If the MME supports the extended protocol configuration options IE and the UE
indicated support of the extended protocol configuration options IE, then the
MME shall set the ePCO bit to “extended protocol configuration options
supported” in the EPS network feature support IE of the ATTACH ACCEPT message.

If the UE indicates support for restriction on use of enhanced coverage in the
ATTACH REQUEST message, and the network decides to restrict the use of enhanced
coverage for the UE, then the MME shall set the RestrictEC bit to “Use of
enhanced coverage is restricted” in the EPS network feature support IE of the
ATTACH ACCEPT message.

If the UE has indicated support for the control plane data back-off timer, and
the MME decides to activate the congestion control for transport of user data
via the control plane, then the MME shall include the T3448 value IE in the
ATTACH ACCEPT message.

If the UE indicates support for dual connectivity with NR in the ATTACH REQUEST
message, and the MME decides to restrict the use of dual connectivity with NR
for the UE, then the MME shall set the RestrictDCNR bit to “Use of dual
connectivity with NR is restricted” in the EPS network feature support IE of the
ATTACH ACCEPT message.

If the UE indicates support for N1 mode in the ATTACH REQUEST message and the
MME supports inter-system interworking with 5GS, the MME may set the IWK N26 bit
to either:

- “interworking without N26 interface not supported” if the MME supports N26
interface; or

- “interworking without N26 interface supported” if the MME does not support N26
interface

in the EPS network feature support IE in the ATTACH ACCEPT message.

If the UE requests ciphering keys for ciphered broadcast assistance data in the
ATTACH REQUEST message and the MME has valid ciphering key data applicable to
the UE’s subscription, then the MME shall include the ciphering key data in the
Ciphering key data IE of the ATTACH ACCEPT message.

If due to operator policies unsecured redirection to a GERAN cell is not allowed
in the current PLMN, the MME shall set the redir-policy bit to “Unsecured
redirection to GERAN not allowed” in the Network policy IE of the ATTACH ACCEPT
message.

The MME may include the T3447 value IE set to the service gap time value in the
ATTACH ACCEPT message if:

- the UE has indicated support for service gap control; and

- a service gap time value is available in the EMM context.

If the network supports signalling for a maximum number of 15 EPS bearer
contexts and the UE indicated support of signalling for a maximum number of 15
EPS bearer contexts in the ATTACH REQUEST message, then the MME shall set the 15
bearers bit to “Signalling for a maximum number of 15 EPS bearer contexts
supported” in the EPS network feature support IE of the ATTACH ACCEPT message.

Upon receiving the ATTACH ACCEPT message, the UE shall stop timer T3410.

The GUTI reallocation may be part of the attach procedure. When the ATTACH
REQUEST message includes the IMSI or IMEI, or the MME considers the GUTI
provided by the UE is invalid, or the GUTI provided by the UE was assigned by
another MME, the MME shall allocate a new GUTI to the UE. The MME shall include
in the ATTACH ACCEPT message the new assigned GUTI together with the assigned
TAI list. In this case the MME shall enter state EMM-COMMON-PROCEDURE-INITIATED
as described in subclause 5.4.1.

For a shared network, the TAIs included in the TAI list can contain different
PLMN identities. The MME indicates the selected core network operator PLMN
identity to the UE in the GUTI (see 3GPP TS 23.251 [8B]).

If the ATTACH ACCEPT message contains a GUTI, the UE shall use this GUTI as the
new temporary identity. The UE shall delete its old GUTI and store the new
assigned GUTI. If no GUTI has been included by the MME in the ATTACH ACCEPT
message, the old GUTI, if any available, shall be kept.

If A/Gb mode or Iu mode is supported in the UE, the UE shall set its TIN to
“GUTI” when receiving the ATTACH ACCEPT message.

If the ATTACH ACCEPT message contains the T3412 extended value IE, then the UE
shall use the value in T3412 extended value IE as periodic tracking area update
timer (T3412). If the ATTACH ACCEPT message does not contain T3412 extended
value IE, then the UE shall use the value in T3412 value IE as periodic tracking
area update timer (T3412).

If the ATTACH ACCEPT message contains the T3324 value IE, then the UE shall use
the included timer value for T3324 as specified in 3GPP TS 24.008 [13],
subclause 4.7.2.8.

If the ATTACH ACCEPT message contains the DCN-ID IE, then the UE shall store the
included DCN-ID value together with the PLMN code of the registered PLMN in a
DCN-ID list in a non-volatile memory in the ME as specified in annex C.

The MME may also include a list of equivalent PLMNs in the ATTACH ACCEPT
message. Each entry in the list contains a PLMN code (MCC+MNC). The UE shall
store the list as provided by the network, and if the attach procedure is
neither for emergency bearer services nor for access to RLOS, the UE shall
remove from the list any PLMN code that is already in the list of “forbidden
PLMNs” or in the list of “forbidden PLMNs for GPRS service”. In addition, the UE
shall add to the stored list the PLMN code of the registered PLMN that sent the
list. The UE shall replace the stored list on each receipt of the ATTACH ACCEPT
message. If the ATTACH ACCEPT message does not contain a list, then the UE shall
delete the stored list.

If the attach procedure is neither for emergency bearer services nor for access
to RLOS, and if the PLMN identity of the registered PLMN is a member of the list
of “forbidden PLMNs” or the list of “forbidden PLMNs for GPRS service”, any such
PLMN identity shall be deleted from the corresponding list(s).

The network informs the UE about the support of specific features, such as IMS
voice over PS session, location services (EPC-LCS, CS-LCS), emergency bearer
services, or CIoT EPS optimizations, in the EPS network feature support
information element. In a UE with IMS voice over PS capability, the IMS voice
over PS session indicator and the emergency bearer services indicator shall be
provided to the upper layers. The upper layers take the IMS voice over PS
session indicator into account as specified in 3GPP TS 23.221 [8A], subclause
7.2a and subclause 7.2b, when selecting the access domain for voice sessions or
calls. When initiating an emergency call, the upper layers also take both the
IMS voice over PS session indicator and the emergency bearer services indicator
into account for the access domain selection. In a UE with LCS capability,
location services indicators (EPC-LCS, CS-LCS) shall be provided to the upper
layers. When MO-LR procedure is triggered by the UE’s application, those
indicators are taken into account as specified in 3GPP TS 24.171 [13C].

If the RestrictDCNR bit is set to “Use of dual connectivity with NR is
restricted” in the EPS network feature support IE of the ATTACH ACCEPT message,
the UE shall provide the indication that dual connectivity with NR is restricted
to the upper layers.

The UE supporting N1 mode shall operate in the mode for inter-system
interworking with 5GS as follows:

- if the IWK N26 bit in the EPS network feature support IE is set to
“interworking without N26 interface not supported”, the UE shall operate in
single-registration mode;

- if the IWK N26 bit in the EPS network feature support IE is set to
“interworking without N26 interface supported” and the UE supports
dual-registration mode, the UE may operate in dual-registration mode; or

NOTE 8: The registration mode used by the UE is implementation dependent.

- if the IWK N26 bit in the EPS network feature support IE is set to
“interworking without N26 interface supported” and the UE only supports
single-registration mode, the UE shall operate in single-registration mode.

The UE shall treat the interworking without N26 interface indicator as valid in
the entire PLMN and equivalent PLMNs. The interworking procedures required for
coordination between 5GMM and EMM without N26 interface are specified in 3GPP TS
24.501 [54].

If the redir-policy bit is set to “Unsecured redirection to GERAN not allowed”
in the Network policy IE of the ATTACH ACCEPT message, the UE shall set the
network policy on unsecured redirection to GERAN for the current PLMN to
“Unsecured redirection to GERAN not allowed” and indicate to the lower layers
that unsecured redirection to a GERAN cell is not allowed. If the redir-policy
bit is set to “Unsecured redirection to GERAN allowed” or if the Network policy
IE is not included in the ATTACH ACCEPT message, the UE shall set the network
policy for the current PLMN to “Unsecured redirection to GERAN allowed” and
indicate to the lower layers that unsecured redirection to a GERAN cell is
allowed. The UE shall set the network policy on unsecured redirection to GERAN
to “Unsecured redirection to GERAN not allowed” and indicate this to the lower
layers when any of the following events occurs:

- the UE initiates an EPS attach or tracking area updating procedure in a PLMN
different from the PLMN where the UE performed the last successful EPS attach or
tracking area updating procedure;

- the UE is switched on; or

- the UICC containing the USIM is removed.

If the UE has initiated the attach procedure due to manual CSG selection and
receives an ATTACH ACCEPT message; and the UE sent the ATTACH REQUEST message in
a CSG cell, the UE shall check if the CSG ID and associated PLMN identity of the
cell are contained in the Allowed CSG list. If not, the UE shall add that CSG ID
and associated PLMN identity to the Allowed CSG list and the UE may add the HNB
Name (if provided by lower layers) to the Allowed CSG list if the HNB Name is
present in neither the Operator CSG list nor the Allowed CSG list.

When the UE receives the ATTACH ACCEPT message combined with the ACTIVATE
DEFAULT EPS BEARER CONTEXT REQUEST message, and if the UE has requested PDN
connectivity the UE shall forward the ACTIVATE DEFAULT EPS BEARER CONTEXT
REQUEST message to the ESM sublayer. Upon receipt of an indication from the ESM
sublayer that the default EPS bearer context has been activated, the UE shall
send an ATTACH COMPLETE message together with an ACTIVATE DEFAULT EPS BEARER
CONTEXT ACCEPT message contained in the ESM message container information
element to the network.

Additionally, the UE shall reset the attach attempt counter, enter state
EMM-REGISTERED, and set the EPS update status to EU1 UPDATED.

If EMM-REGISTERED without PDN connection is supported by the UE and the MME, and
the UE receives the ATTACH ACCEPT message combined with an ESM DUMMY MESSAGE,
the UE shall send an ATTACH COMPLETE message together with an ESM DUMMY MESSAGE
contained in the ESM message container information element to the network.

If the UE receives the ATTACH ACCEPT message from a PLMN for which a
PLMN-specific attempt counter or PLMN-specific PS-attempt counter is maintained
(see subclause 5.3.7b), then the UE shall reset these counters. If the UE
maintains a counter for “SIM/USIM considered invalid for GPRS services”, then
the UE shall reset this counter.

When the UE receives any ACTIVATE DEDICATED EPS BEARER CONTEXT REQUEST messages
during the attach procedure, and if the UE has requested PDN connectivity the UE
shall forward the ACTIVATE DEDICATED EPS BEARER CONTEXT REQUEST message(s) to
the ESM sublayer. The UE shall send a response to the ACTIVATE DEDICATED EPS
BEARER CONTEXT REQUEST message(s) after successful completion of the attach
procedure.

If the attach procedure was initiated in S101 mode, the lower layers are
informed about the successful completion of the procedure.

Upon receiving an ATTACH COMPLETE message, the MME shall stop timer T3450, enter
state EMM-REGISTERED and consider the GUTI sent in the ATTACH ACCEPT message as
valid.

If the T3448 value IE is present in the received ATTACH ACCEPT message, the UE
shall:

- stop timer T3448 if it is running; and

- start timer T3448 with the value provided in the T3448 value IE.

If the UE is using EPS services with control plane CIoT EPS optimization, the
T3448 value IE is present in the ATTACH ACCEPT message and the value indicates
that this timer is either zero or deactivated, the UE shall consider this case
as an abnormal case and proceed as if the T3448 value IE is not present.

If the UE has indicated “service gap control supported” in the ATTACH REQUEST
message and:

- the ATTACH ACCEPT message contains the T3447 value IE, then the UE shall store
the new T3447 value, erase any previous stored T3447 value if exists and use the
new T3447 value with the T3447 timer next time it is started; or

- the ATTACH ACCEPT message does not contain the T3447 value IE, then the UE
shall erase any previous stored T3447 value if exists and stop the T3447 timer
if running.

In WB-S1 mode, if the UE has set the RACS bit to “RACS supported” in the UE
network capability IE of the ATTACH REQUEST message, the MME may include a UE
radio capability ID IE or a UE radio capability ID deletion indication IE in the
ATTACH ACCEPT message.

In WB-S1 mode, if the UE has set the RACS bit to “RACS supported” in the UE
network capability IE of the ATTACH REQUEST message and the ATTACH ACCCEPT
message includes:

- a UE radio capability ID deletion indication IE set to “Network-assigned UE
radio capability IDs deletion requested”, the UE shall delete any
network-assigned UE radio capability IDs associated with the registered PLMN
stored at the UE, then the UE shall, after the completion of the ongoing attach
procedure, initiate a tracking area updating procedure as specified in subclause
5.5.3 over the existing NAS signalling connection; and

- a UE radio capability ID IE, the UE shall store the UE radio capability ID as
specified in annex C.

5.5.1.2.4A Attach successful for EPS services and not accepted for SMS services

Apart from the actions on the tracking area updating attempt counter, the
description for attach for EPS services as specified in subclause 5.5.1.2.4
shall be followed. In addition, the following description for attach for SMS
services applies.

In NB-S1 mode, if the UE requested “SMS only” in the Additional update type IE
and supports NB-S1 mode only, the MME decides to accept the attach request for
EPS services only and:

- the location update for non-EPS services is not accepted by the VLR as
specified in 3GPP TS 29.118 [16A]; or

- the MME decides to not accept the attach request for “SMS only”,

the MME shall set the EPS attach result IE to “EPS only”, shall not indicate
“SMS only” in the Additional update result IE in the ATTACH ACCEPT message and
shall include an appropriate SMS services status value.

The UE receiving the ATTACH ACCEPT message takes one of the following actions
depending on the value included in the SMS services status IE:

“SMS services not available”

The UE shall stop timer T3410 if still running, shall reset the tracking area
updating attempt counter, shall set the EPS update status to EU1 UPDATED and
shall enter state EMM-REGISTERED.NORMAL-SERVICE. The USIM shall be considered as
invalid for SMS services until switching off or the UICC containing the USIM is
removed or the timer T3245 expires as described in subclause 5.3.7a.

“SMS services not available in this PLMN”

The UE shall stop timer T3410 if still running, shall reset the tracking area
updating attempt counter, shall set the EPS update status to EU1 UPDATED and
shall enter state EMM-REGISTERED.NORMAL-SERVICE.

The UE may provide a notification to the user or the upper layers that the SMS
services are not available.

The UE shall not attempt normal attach or tracking area updating procedures
indicating “SMS only” with current PLMN until switching off the UE or the UICC
containing the USIM is removed. Additionally, the UE may perform a PLMN
selection according to 3GPP TS 23.122 [6].

“Network failure”

The UE shall stop timer T3410 if still running. The tracking area updating
attempt counter shall be incremented, unless it was already set to 5.

If the tracking area updating attempt counter is less than 5:

- the UE shall start timer T3411, shall set the EPS update status to EU1 UPDATED
and shall enter state EMM-REGISTERED.NORMAL-SERVICE. When timer T3411 expires
the normal tracking area updating procedure for EPS services and “SMS only” or
the combined tracking area updating procedure for EPS services and “SMS only” is
triggered.

If the tracking area updating attempt counter is equal to 5:

- the UE shall start timer T3402, shall set the EPS update status to EU1 UPDATED
and shall enter state EMM-REGISTERED.NORMAL-SERVICE. When timer T3402 expires
the normal tracking area updating procedure for EPS services and “SMS only” or
the combined tracking area updating procedure for EPS services and “SMS only” is
triggered.

“Congestion”

The UE shall stop the timer T3410 if still running. The tracking area updating
attempt counter shall be set to 5. The UE shall start the timer T3402, shall set
the EPS update status to EU1 UPDATED, and shall enter state
EMM-REGISTERED.NORMAL-SERVICE. When timer T3402 expires the normal tracking area
updating procedure for EPS services and “SMS only” or the combined tracking area
updating procedure for EPS services and “SMS only” is triggered.

Other values and the case that no SMS services status IE was received are
considered as abnormal cases. The attach procedure shall be considered as failed
for SMS services. The behaviour of the UE in those cases is specified in
subclause 5.5.1.2.6A.

5.5.1.2.5 Attach not accepted by the network

If the attach request cannot be accepted by the network, the MME shall send an
ATTACH REJECT message to the UE including an appropriate EMM cause value.

If EMM-REGISTERED without PDN connection is not supported by the UE or the MME,
the attach request included a PDN CONNECTIVITY REQUEST message, the attach
procedure fails due to:

- a default EPS bearer setup failure;

- an ESM procedure failure; or

- operator determined barring is applied on default EPS bearer context
activation during attach procedure,

the MME shall:

- combine the ATTACH REJECT message with a PDN CONNECTIVITY REJECT message
contained in the ESM message container information element. In this case the EMM
cause value in the ATTACH REJECT message shall be set to #19 “ESM failure”; or

- send the ATTACH REJECT message with the EMM cause set to #15 “No suitable
cells in tracking area”, if the PDN connectivity reject is due to ESM cause #29
subject to operator policies (see 3GPP TS 29.274 [16D] for further details). In
this case, the network may additionally include the Extended EMM cause IE with
value “E-UTRAN not allowed”.

If the attach request is reject

上一篇:Linux学习进程操作相关命令


下一篇:N皇后问题 深搜+剪枝 hdu-2553