There is provided a communication apparatus including: a first communication unit having a first communication range; a second communication unit having a second communication range wider than the first communication range; a control unit which transmits a request signal for starting communication via the second communication unit from the first communication unit to another communication apparatus, and transmits authentication information from the second communication unit to the another communication apparatus in the case where it is determined that communication with the another communication apparatus via the second communication unit is possible based on a response signal after the first communication unit receives the response signal in response to the request signal; and a notification unit which notifies a user after the second communication unit receives a result of authentication based on the authentication information.

A method at a network node of a radio access network (RAN) for managing a context of a user equipment (UE) operating in an inactive mode, the method comprising: receiving, from a second network node, a context retrieval request comprising a UE identifier and a first message, the first message being protected with a first cryptographic key; validating the first message using a stored cryptographic key associated with a UE context indicated by the UE identifier; and sending a context retrieval response message to the second network node containing a relocation indication of whether the UE context is to be relocated to the second network node.

The present disclosure provides a method performed by user equipment, user equipment, and a handover command generation method. The method performed by user equipment includes: receiving a handover command including a handover condition, and storing a handover configuration in the handover command, wherein when the handover condition is met, the user equipment performs the handover configuration corresponding to the handover condition; and if a master cell group (MCG) failure is detected or if it is detected that a security update needs to be performed, performing at least an operation related to the stored handover configuration. Therefore, user equipment can determine the validity of a handover command, thereby avoiding a service interruption caused by a connection failure resulting from a handover performed on the basis of an invalid handover command.

The use of wireless backhaul poses special challenges for in-vehicle base stations. Users that are connected to an in-vehicle base station expect continuous service, even as the in-vehicle base station passes in and out of different wireless backhaul coverage zones, such as when a train passes from a train station with good coverage to a tunnel with poor coverage. The base station thus needs seamless backhaul handover. A system that enables an in-vehicle base station to receive continuous service across different backhaul coverage zones is needed. To solve this problem, a system enabling handover is described. The system involves double-tunneling mobile device data packets in an ESP-UDP IPsec tunnel encapsulated in a GTP-U tunnel. Traffic is transmitted from a mobile device to a specially configured base station that encapsulates mobile device data packets and sends them to the network via wireless backhaul using an LTE UE modem connection.

The present disclosure relates to methods and apparatus for flexible, security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.

Systems, methods, and computer-readable media are provided for an efficient roaming management method using a single association identifier token for associating with different access points. In one aspect of the present disclosure, a network controller includes memory having computer-readable instructions stored therein and one or more processors. The one or more processors are configured to execute the computer-readable instructions to receive a request from an endpoint to connect to a first access point; generate association identification token (e.g., PMK and PMKID) for the endpoint to connect to the first access point; and distribute the association identification token to a second access point prior to the endpoint attempting to connect to the second access point, the association identification token being used by the second access point to validate a subsequent request by the endpoint to connect to the second access point.

Disclosed are a handover method and a terminal device. The method includes that a first access network device triggers at least one of a terminal device or a second access network device to configure a second protocol stack; and before the first access network device triggers the at least one of the terminal device or the second access network device to maintain the sequence of the data packets of the terminal device by use of the second protocol stack, the first access network device sequentially processes data packets to be processed of the terminal device by use of a first protocol stack.

A user equipment (UE), method, and non-transitory computer-readable medium for fast VoWiFi handoff using internet key exchange (IKE) v2 optimization. The UE includes a memory and one or more processors operably connected to the memory, wherein the one or more processors are configured to determine reference signal received power (RSRP) for a long term evolution (LTE) signal and reference signal strength indicator (RSSI) for a WiFi signal, in response to at least the RSSI of the WiFi signal being greater than an RSSI threshold, perform a pre-setup of the IPsec tunnel, determine whether a handoff is to be performed, and in response to a determination that the handoff is to be performed, perform a completion of the IPsec tunnel.

A user equipment (UE) has both cellular and non-cellular links. The network sends it a first indication to maintain using a first set of security keys generated from a parameter specific to a source access node after the UE hands over the cellular link to a target access node without changing a wireless termination (WT) that is connected with the UE via the non-cellular link. The network uses that key to maintain the non-cellular link with the UE after the cellular link handover. From the UE's perspective it uses that key to authenticate its non-cellular link prior to the cellular link handover, but this handover does not change the WT which communicates with the UE via the non-cellular link so the UE can, only in response to receiving a first indication associated with the handover, use that same key to maintain that non-cellular link after the handover.

A user equipment (UE) may be configured to transmit a registration message to a network to establish a secure connection for non-access stratum (NAS) messages between the network and a UE, the secure connection based at least in part on a UE identifier and security capabilities of the UE included in the registration message. The UE may then exchange NAS methods with the network over the secure connection. The UE may also establish, in response to the registration message, an authentication protocol with the network and encrypt subsequent NAS messages based in part on the authentication protocol.