GB2640282A - Security key or data radio bearer ID change for stationary UE - Google Patents
- Publication number
- GB2640282A (application GB2405112.0)
- Authority
- GB (United Kingdom)
- Prior art keywords
- network node
- drb
- pdcp
- message
- ciphering
- Legal status
- Pending
Classifications (CPC)
- H04W76/25—Maintenance of established connections (H04W76/00 Connection management; H04W76/20 Manipulation of established connections)
- H04L63/067—Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys (H04L63/00; H04L63/06)
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys (H04L63/00; H04L63/06)
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/03 Protecting confidentiality, e.g. by encryption)
- H04W12/037—Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic (H04W12/00; H04W12/03)
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA] (H04W12/00)
- H04W12/10—Integrity (H04W12/00)
- H04W12/106—Packet or message integrity (H04W12/00; H04W12/10)
- H04W12/69—Identity-dependent (H04W12/00; H04W12/60 Context-dependent security)
- H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information (H04W36/00 Hand-off or reselection arrangements; H04W36/0005; H04W36/0011; H04W36/0033)
- H04W76/27—Transitions between radio resource control [RRC] states (H04W76/00 Connection management; H04W76/20 Manipulation of established connections)
Abstract
A network node receives an indication that a Packet Data Convergence Protocol (PDCP) COUNT associated with a data radio bearer (DRB) and a security key is about to wrap around. The network node transmits a release message (e.g. RRC Release) to a user equipment (UE). The UE releases the connection to the network node, maintains an information block (a Master Information Block (MIB) or System Information Block 1 (SIB1)) required to stay on the same cell as connected before the connection release, and, without performing a prior cell selection, initiates connection setup (e.g. RRC Setup) to the same cell using the maintained information block. The network node maintains the UE's context while the connection is released and re-initiated by the UE. On connection reestablishment, the UE and the network node use a new security key, resulting from releasing and reestablishing the connection, for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected.
Description
SECURITY KEY OR DATA RADIO BEARER ID CHANGE FOR STATIONARY UE
TECHNICAL FIELD
[0001] Various example embodiments generally relate to a wireless communication technique. More specifically, measures/mechanisms (including methods and apparatuses) are described for ciphering/de-ciphering and integrity protection/verification in communications between networks and user equipment, in particular user equipment and Internet-of-Things devices.
BACKGROUND
[0002] Various example embodiments relate to considerations in a (e.g., mobile/wireless) communication system or network (NW), such as a 5G/NR system and a next-generation system beyond 5G, such as 6G. For example, various example embodiments are applicable in a 3GPP-standardized mobile/wireless communication system or network of Release 18 onwards, or a future and not yet standardized mobile/wireless communication system or network like 6G.
[0003] In telecommunications, not all applications require mobility. Fixed Wireless Access (FWA) has seen significant growth with 5G, providing broadband access where wired backhaul lines are unavailable. Low Power Wide Area (LPWA) networks, such as smart meters, often operate in fixed locations. In the industrial Internet of Things (IoT), e.g., factory robots are controlled via wireless devices within limited areas, not requiring full mobility. With 6G, more fixed or minimally mobile devices are anticipated for applications like XR and digital twinning. Additionally, even mobile devices like smartphones or parked vehicles can be considered stationary for periods of time.
[0004] Nevertheless, security measures for secure communication such as ciphering/deciphering and integrity protection/verification remain necessary regardless of whether the scenario is stationary or not. For example, in a fifth generation (5G) communication system several inputs are defined for ciphering and integrity protection, as shown in Figures 4A and 4B, respectively. One of the inputs is the COUNT value defined by the Packet Data Convergence Protocol (PDCP, see 3GPP technical specification TS 38.323). The PDCP COUNT value is composed of a Hyper Frame Number (HFN) and a PDCP Sequence Number, which is assigned per PDCP Service Data Unit (SDU). The length of COUNT is fixed to 32 bits; the other inputs are the bearer ID, the data transfer direction (downlink (DL) or uplink (UL)), the length of the key stream and the ciphering or integrity protection key (BEARER, DIRECTION, LENGTH and KEY in Figures 4A/4B).
[0005] For each radio bearer (data radio bearer (DRB) or signal radio bearer (SRB)), PDCP maintains individual COUNT values for downlink and uplink. When the fixed-size 32-bit PDCP COUNT reaches its maximum value, it wraps around, since it is incremented for each PDCP data unit. However, 3GPP standards (TS 33.501, 38.331 and 38.323) prohibit reusing the same PDCP COUNT value for a given security key and radio bearer (RB) ID, to prevent eavesdropping and decryption by attackers. The network is responsible for ensuring that PDCP COUNT reuse is prevented. Intra-cell handover (HO), where the user equipment (UE) remains in the same cell, has been proposed as a solution; it supports key changes, facilitated by the "Reconfiguration with sync" procedure.
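To make the COUNT construction and the no-reuse rule of [0004] and [0005] concrete, here is an added Python model written for this page (it is not code from the patent or from any 3GPP implementation). It builds the 32-bit COUNT from HFN and SN, derives a keystream from KEY, COUNT, BEARER and DIRECTION, and implements a transmitting PDCP entity that refuses to cipher past wrap-around until either the key or the bearer ID is changed. The SHA-256 keystream is an assumed stand-in for the NEA algorithms, and every class, function and parameter name is my own.

```python
import hashlib
import struct

COUNT_BITS = 32
COUNT_MAX = (1 << COUNT_BITS) - 1
UPLINK, DOWNLINK = 0, 1


def pdcp_count(hfn: int, sn: int, sn_len: int) -> int:
    """COUNT = HFN || SN: the HFN fills the upper (32 - sn_len) bits, the SN the lower sn_len bits."""
    if not 0 <= sn < (1 << sn_len):
        raise ValueError("SN out of range for the configured SN length")
    if not 0 <= hfn < (1 << (COUNT_BITS - sn_len)):
        raise ValueError("HFN out of range")
    return (hfn << sn_len) | sn


def keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Toy keystream generator (assumption: stands in for NEA1-3). It is a pure function of
    KEY, COUNT, BEARER and DIRECTION, so repeating those inputs repeats the keystream."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">IBBI", count, bearer, direction, block)).digest()
        block += 1
    return out[:length]


def cipher(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """XOR with the keystream; applying the same call again deciphers."""
    ks = keystream(key, count, bearer, direction, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class PdcpTxEntity:
    """Transmitting PDCP entity for one radio bearer and one direction (constructed model)."""

    def __init__(self, key, bearer, direction, sn_len=12, start_count=0, wrap_margin=64):
        self.key, self.bearer, self.direction, self.sn_len = key, bearer, direction, sn_len
        self.hfn, self.sn = divmod(start_count, 1 << sn_len)
        self.wrap_margin = wrap_margin
        self.exhausted = False  # set once COUNT_MAX itself has been consumed

    @property
    def count(self) -> int:
        return pdcp_count(self.hfn, self.sn, self.sn_len)

    def about_to_wrap(self) -> bool:
        """The indication a network node acts on by changing the key or the bearer ID in time."""
        return self.count >= COUNT_MAX - self.wrap_margin

    def protect(self, sdu: bytes):
        """Cipher one SDU under the current COUNT and advance. (KEY, BEARER, COUNT) is never
        reused: at wrap-around the entity refuses to send instead of restarting at 0."""
        if self.exhausted:
            raise RuntimeError("PDCP COUNT wrapped: change key or bearer ID before sending more")
        count = self.count
        pdu = cipher(self.key, count, self.bearer, self.direction, sdu)
        self._advance()
        return count, pdu

    def _advance(self):
        if self.count == COUNT_MAX:
            self.exhausted = True
            return
        self.sn += 1
        if self.sn == (1 << self.sn_len):
            self.sn, self.hfn = 0, self.hfn + 1   # SN wrap increments the HFN

    def rekey(self, new_key: bytes):
        """A new key makes every (KEY, BEARER, COUNT) triple fresh again, so COUNT may restart."""
        self.key, self.hfn, self.sn, self.exhausted = new_key, 0, 0, False

    def change_bearer(self, new_bearer: int):
        """Same effect by changing the bearer ID instead of the key (the first known solution below)."""
        self.bearer, self.hfn, self.sn, self.exhausted = new_bearer, 0, 0, False
```

The `about_to_wrap` check is where a real network node would raise the wrap-around indication that the rest of the document builds on; `wrap_margin` only decides how early that happens.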
[0006] If the UE is considered stationary, regardless of whether this is permanent or temporary, simplifying functionality and processing by omitting mobility features (such as HO support) can save energy for both the UE and the network. While supporting mobility features in stationary scenarios is possible, the simplification for such cases, e.g., by not providing HO support, could be a key value proposition for future wireless communication, e.g., to be added by 6G.
[0007] However, when no HO mechanism is supported, intra-cell HO is no longer possible, and other solutions that do not use any HO mechanism are needed to prevent a UE from using the same PDCP COUNT value more than once for a given security key and a given RB ID.
[0008] According to a first known solution, before PDCP COUNT wrap-around the radio bearer is released and added via a single Radio Resource Control (RRC) Reconfiguration message, whereby the RB ID is changed. Alternatively, the RB ID is changed by a radio bearer modification procedure done via the RRC Reconfiguration message. This solution prevents using the same inputs for ciphering/integrity protection by changing the RB ID. However, a challenge arises because the PDCP receiver cannot determine precisely when the security input changes. Consequently, for each received PDCP PDU, the receiver is uncertain whether the old or the new RB ID was used for encryption/integrity protection. To address this uncertainty, the UE might attempt decryption/verification using both RB IDs, leading to an increased processing burden and degraded throughput performance.
[0009] According to a second known solution, the RRC connection between UE and NW is released and then re-established. This solution resolves the issue by resetting access stratum/non-access stratum (AS/NAS) security entirely. However, it causes a significant interruption in user data delivery. Additionally, after the RRC connection release, the network must either initiate paging for the UE to establish an RRC connection or wait for the UE to initiate it upon UL data arrival.
[0010] Accordingly, there is a demand for an improved solution for modifying the security context between a UE and a network node, and in particular the inputs of the ciphering and integrity protection functions, even in cases where HO support is not provided.
LIST OF ACRONYMS AND ABBREVIATIONS
[0011] The following acronyms and abbreviations are used throughout the subject disclosure:
- 3GPP: 3rd Generation Partnership Program
- AS: Access Stratum
- AM: Acknowledge Mode
- DAPS: Dual Active Protocol Stack
- DRB: Data Radio Bearer
- eMBB: enhanced Mobile Broad Band
- FWA: Fixed Wireless Access
- HFN: Hyper Frame Number
- ID: Identifier
- IoT: Internet of Things
- LCID: Logical Channel ID
- LPWA: Low Power Wide Area
- MIB: Master Information Block
- MM: Mobility Management
- NAS: Non-Access Stratum
- PDCP: Packet Data Convergence Protocol
- PDU: Protocol Data Unit
- QoS: Quality of Service
- RAN: Radio Access Network
- RRC: Radio Resource Control
- SDU: Service Data Unit
- SIB: System Information Block
- SM: Session Management
- SRB: Signal Radio Bearer
- UE: User Equipment
- UPF: User Plane Function
SUMMARY
[0012] It is an object of the subject disclosure to provide improved mechanisms for modifying the inputs of ciphering and integrity protection functions.
[0013] According to some aspects, there is provided the subject matter of the independent claims. Some further aspects are defined in the dependent claims. For reasons of better readability, the term "ciphering and integrity protection, and de-ciphering and integrity verification" is used as a substitute for "ciphering and integrity protection" in the application.
[0014] The application refers to a UE and a network node. Examples of the UE may comprise a terminal, a user device and an Internet-Of-Things (IoT) device. Examples of the network node may comprise a terrestrial or non-terrestrial network node, or a terrestrial or non-terrestrial base station.
[0015] Further, the application refers to data units. For example, the data units may be Service Data Units, SDUs, and/or Protocol Data Units, PDUs.
[0016] According to a first and a second aspect of the invention, methods are provided for ciphering and integrity protecting Packet Data Convergence Protocol, PDCP, data units transmitted via a Data Radio Bearer, DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a security key and a DRB ID identifying the DRB. According to a third and a fourth aspect of the invention, a UE or an apparatus in such a UE, and a network node or an apparatus in such a network node are provided which are configured to execute the methods according to the first and second aspect, respectively.
[0017] According to the first aspect of the invention, there is provided a method performed by the UE in the network. The method comprises, upon receiving a release message from a network node, releasing a connection to the network node, maintaining at least one information block required to stay on a same cell as connected before the release of the connection, and, without performing a prior cell selection, initiating the setup of the connection to the same cell using the maintained at least one information block. The method further comprises upon reestablishment of the connection to the network node, using at least a new security key resulting from releasing and re-establishing the connection for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected. Advantageously, this way the UE does not have to wait for a paging message by the network node, or incoming downlink/uplink data to be able to initiate the setup of the connection.
[0018] In one group of examples of the first aspect, the method further comprises storing the at least one information block even after releasing the connection for maintaining of the at least one information block. Advantageously, this way the data necessary for re-initiating a setup of the connection are available to the UE without any delay, e.g., waiting time.
[0019] In one group of examples of the first aspect that may further be combined with the previous group of examples, the method further comprises acquiring the at least one information block after releasing the connection, for maintaining of the at least one information block in the UE. A mixed approach is possible, e.g., in the case of a plurality of information blocks. For example, as in the previous group of examples, some of the plurality of information blocks may be stored even after releasing the connection, and some, as in this group of examples, may be acquired. Advantageously, this way the data necessary for re-initiating a setup of the connection are available to the UE without any waiting time.
[0020] In one group of examples of the first aspect that may further be combined with the previous groups of examples, the at least one information block includes at least one of a Master Information Block, MIB, or a System Information Block 1, SIB1. Advantageously, these are well-tested information blocks for setting up a connection.
[0021] In one group of examples of the first aspect that may further be combined with the previous groups of examples, the release message is an RRC Release message, the UE enters an RRC IDLE mode after releasing the connection, and the UE initiates the setup of the connection by initiating an RRC Setup procedure. Advantageously, the RRC Reconfiguration message is a well-tested type of a reconfiguration message. Further, using RRC IDLE mode and RRC Setup are well-tested approaches in the field.
[0022] According to the second aspect of the subject disclosure, there is provided a method performed by the network node in the network. The method comprises, upon receiving an indication that a PDCP COUNT value associated with the DRB ID and the security key is about to wrap around, transmitting a release message to the UE indicating to the UE to release a connection to the network node and to subsequently initiate setup of the connection, and maintaining the UE's context while the connection is released and the setup of the connection is re-initiated by the UE.
[0023] The method further comprises, upon reestablishment of the connection to the UE, using a new security key resulting from releasing and reestablishing the connection for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected. In some embodiments the UE's context is further maintained by at least one of a Mobility Management (MM) entity, a Session Management (SM) entity and a User Plane Function (UPF). Advantageously, this way the delay, e.g., due to waiting time(s) between release and re-connection, can be reduced.
[0024] In one group of examples of the second aspect, the release message further indicates to re-initiate the setup of the connection to the network node immediately after releasing the connection. Advantageously, this may further reduce the delay between release and reconnection.
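As an added example (not from the patent), the following Python simulation walks through the first and second aspects in the variant of [0024], where the release message tells the UE to re-initiate setup immediately: the network node keeps the UE context across the release, the UE keeps MIB/SIB1 and re-initiates setup on the same cell without cell selection, and both sides derive the new key used for the PDCP data units that are not yet protected. The message dictionaries, the HMAC-based key derivation and the labelling of each PDU by its (key, DRB ID, COUNT) triple instead of real ciphering are my assumptions; none of the names come from the document.

```python
import hashlib
import hmac
from dataclasses import dataclass

COUNT_MAX = (1 << 32) - 1
RRC_IDLE, RRC_CONNECTED = "RRC_IDLE", "RRC_CONNECTED"


def derive_key(old_key: bytes, setup_counter: int) -> bytes:
    """Toy stand-in for the AS key derivation that a fresh connection setup yields (assumption)."""
    return hmac.new(old_key, b"resetup" + setup_counter.to_bytes(4, "big"), hashlib.sha256).digest()


def label(key: bytes, drb_id: int, count: int):
    """Record the (KEY, BEARER, COUNT) triple a PDU is protected under instead of ciphering it."""
    return (key.hex()[:8], drb_id, count)


@dataclass
class SystemInfo:
    cell_id: int
    mib: bytes
    sib1: bytes


@dataclass
class UeContext:
    key: bytes
    drb_id: int
    setup_counter: int = 0


class NetworkNode:
    def __init__(self, cell_id: int):
        self.cell_id = cell_id
        self.contexts = {}

    def attach(self, ue_id: str, key: bytes, drb_id: int):
        self.contexts[ue_id] = UeContext(key, drb_id)

    def on_wrap_indication(self, ue_id: str) -> dict:
        """COUNT is about to wrap: release the UE but keep its context, and ask it to re-setup at once."""
        assert ue_id in self.contexts
        return {"type": "RRCRelease", "ue_id": ue_id, "resetup_immediately": True}

    def on_setup_request(self, req: dict) -> dict:
        ctx = self.contexts.get(req["ue_id"])
        if ctx is None or req["cell_id"] != self.cell_id:
            return {"type": "RRCReject"}
        ctx.setup_counter += 1
        ctx.key = derive_key(ctx.key, ctx.setup_counter)   # new key from the re-established connection
        return {"type": "RRCSetup", "setup_counter": ctx.setup_counter}


class UE:
    def __init__(self, ue_id, key, drb_id, sysinfo: SystemInfo, start_count: int):
        self.ue_id, self.key, self.drb_id = ue_id, key, drb_id
        self.sysinfo = sysinfo          # MIB/SIB1 of the serving cell, kept across the release
        self.count = start_count
        self.state = RRC_CONNECTED
        self.cell_selections = 0
        self.sent = []

    def protect_and_send(self, sdu: bytes):
        if self.count > COUNT_MAX:
            raise RuntimeError("COUNT exhausted")
        self.sent.append(label(self.key, self.drb_id, self.count))
        self.count += 1

    def on_release(self, msg: dict):
        self.state = RRC_IDLE           # the stored MIB/SIB1 are deliberately not discarded here
        if msg.get("resetup_immediately"):
            return self.initiate_setup()
        return None

    def initiate_setup(self) -> dict:
        """Re-setup on the same cell using the stored MIB/SIB1, skipping cell selection."""
        if self.sysinfo is None:
            self.cell_selections += 1
            raise RuntimeError("no stored MIB/SIB1: cell selection would be required first")
        return {"type": "RRCSetupRequest", "ue_id": self.ue_id, "cell_id": self.sysinfo.cell_id}

    def on_setup(self, resp: dict):
        assert resp["type"] == "RRCSetup"
        self.key = derive_key(self.key, resp["setup_counter"])
        self.count = 0                  # fresh key, so COUNT may restart
        self.state = RRC_CONNECTED


def run_scenario() -> dict:
    """Constructed run: COUNT is two values short of wrapping when the network releases the UE."""
    node = NetworkNode(cell_id=501)
    old_key = b"\x11" * 16
    ue = UE("ue-1", old_key, 1, SystemInfo(501, b"mib", b"sib1"), start_count=COUNT_MAX - 2)
    node.attach("ue-1", old_key, drb_id=1)
    ue.protect_and_send(b"pdu-before-release")   # protected under the old key
    release = node.on_wrap_indication("ue-1")
    setup_req = ue.on_release(release)           # immediate RRC Setup: no paging, no cell selection
    ue.on_setup(node.on_setup_request(setup_req))
    ue.protect_and_send(b"pdu-after-resetup")    # protected under the new key, COUNT restarted
    ue.protect_and_send(b"pdu-after-resetup-2")
    return {
        "ue_state": ue.state,
        "context_kept": "ue-1" in node.contexts,
        "cell_selections": ue.cell_selections,
        "keys_match": ue.key == node.contexts["ue-1"].key,
        "key_changed": ue.key != old_key,
        "labels": ue.sent,
    }
```

The point to check in the returned labels is that no (key, DRB ID, COUNT) triple repeats even though COUNT restarts at 0: the key half of the triple changed with the connection.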
[0025] According to the third aspect of the subject disclosure, the UE or the apparatus in such a UE is provided. The UE comprises a receiver configured to receive a release message from a network node, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the UE at least to perform the steps of the method according to the first aspect.
[0026] According to the fourth aspect of the subject disclosure, the network node or the apparatus in such a network node is provided. The network node comprises a transmitter configured to transmit a release message to the UE, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the network node at least to perform the steps of the method according to the second aspect.
[0027] The following aspects are also part of the invention:
[0028] According to a fifth and a sixth aspect of the invention, methods are provided for ciphering and integrity protecting PDCP data units transmitted via a DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a security key and a first DRB ID identifying a first DRB. According to a seventh and an eighth aspect of the invention, a UE or an apparatus in such a UE, and a network node or an apparatus in such a network node are provided which are configured to execute the methods according to the fifth and sixth aspect, respectively.
[0029] According to the fifth aspect of the invention, there is provided a method performed by the UE in the network. The method comprises, upon receiving a reconfiguration message from a network node indicating an additional DRB configuration for a second DRB with a second DRB ID, applying the reconfiguration by establishing in addition to the first DRB the second DRB with the second DRB ID and mapping it to a Quality of Service (QoS) flow to which the first DRB is mapped. The method further comprises, upon having established the second DRB, using the second DRB ID for ciphering and integrity protecting any PDCP data units that have not yet been ciphered and integrity protected and transmitting such PDCP data units via the second DRB. The method further comprises transmitting all remaining PDCP data units that have already been ciphered and integrity protected using the first DRB ID via the first DRB. Finally, the method further comprises, upon having transmitted all remaining PDCP data units, transmitting an indication to the network node, indicating that all remaining PDCP data units have been transmitted, and, upon receiving a release message from the network node, releasing the first DRB.
[0030] The reconfiguration message may further comprise the first DRB ID to identify the first DRB, or some other indication to identify the QoS flow to which the first DRB is mapped. The PDCP data units that have not yet been ciphered and integrity protected may, e.g., be of a Service Data Adaptation Protocol (SDAP) layer or protocol layer higher than the PDCP layer.
Advantageously, this allows to generate in parallel a second DRB with a second DRB ID different from the first DRB ID, i.e., within the same QoS flow, and to communicate via the indication the moment when the DRB ID is or is to be switched.
[0031] In one group of examples of the fifth aspect, the indication indicating that all remaining PDCP data units have been transmitted is an end-marker packet transmitted via the first DRB, indicating that it is the last packet sent via the first DRB. Advantageously, with an end-marker packet a data packet is used, and no new type of message must be generated.
[0032] In one group of examples of the fifth aspect that may further be combined with the previous group of examples, the reconfiguration message and/or the release message are RRC Reconfiguration messages. Advantageously, RRC Reconfiguration messages are well-tested types of reconfiguration or release messages to indicate amendments to the configuration.
[0033] In one group of examples of the fifth aspect that may further be combined with the previous groups of examples, the reconfiguration message further indicates to derive a new security key for the second DRB and, upon receiving the reconfiguration message, the UE derives the second security key and performs ciphering and integrity protecting of all data units to be transmitted via the second DRB additionally or alternatively using the new security key.
Advantageously, the security key can be changed in addition or alternatively to the DRB ID.
[0034] According to the sixth aspect of the subject disclosure, there is provided a method performed by the network node in the network. The method comprises, upon receiving an indication that a PDCP COUNT value associated with the first DRB ID and the security key is about to wrap around, transmitting a reconfiguration message to a UE indicating a DRB configuration for a second DRB with a second DRB ID. The method further comprises, upon receiving an indication from the UE that the second DRB has been established, using the second DRB ID for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected and transmitting them via the second DRB, and transmitting any PDCP data units that have already been ciphered and integrity protected using the first DRB ID via the first DRB. The method further comprises, upon receiving an indication from the UE indicating that all remaining PDCP data units have been transmitted, transmitting a release message to the UE indicating to release the first DRB. Advantageously, this allows generating a second DRB with a second DRB ID different from the first DRB ID in parallel, i.e., within the same QoS flow.
[0035] In one group of examples of the sixth aspect, the reconfiguration message further indicates to derive a new security key for the second DRB and, upon receiving an indication from the UE indicating that all remaining PDCP data units have been transmitted, the network node performs ciphering and integrity protecting of all data units to be transmitted via the second DRB using, additionally or alternatively, the new security key. Advantageously, the security key can be changed in addition or alternatively to the DRB ID.
[0036] In one group of examples of the sixth aspect that may further be combined with the previous group of examples, the reconfiguration message and the release message are RRC Reconfiguration messages. Advantageously, RRC Reconfiguration messages are well-tested types of reconfiguration or release messages to indicate performing a reconfiguration of a DRB.
[0037] In one group of examples of the sixth aspect that may further be combined with the previous groups of examples, the method further comprises, upon having transmitted the reconfiguration message to the UE, transmitting a PDU Session Resource Modify indication message to an MM indicating the addition of the second DRB to the QoS flow, and, upon having transmitted the release message to the UE, transmitting a PDU Session Resource Modify indication message to the MM indicating the release of the first DRB from the QoS flow.
Advantageously, that way the MM is informed of the modifications of the QoS flow.
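The fifth and sixth aspects ([0029] to [0037]) describe a switch from a first to a second DRB inside one QoS flow, with an end-marker closing the old DRB. The Python simulation below is an added example (mine, not the patent's) of that exchange: already-protected PDUs drain over DRB 1, new SDUs are protected under DRB ID 2 with a restarted COUNT, the end-marker triggers the release, and the network node notifies the MM of the add and the release. It also shows how this avoids the receiver ambiguity of [0008]: the receiving side deciphers with the ID of the DRB the PDU arrived on, so it never has to try both IDs. The message shapes, the `("key id", drb id, count)` labels standing in for real ciphering, and the end-marker byte string are all my assumptions.

```python
from collections import deque

COUNT_MAX = (1 << 32) - 1
END_MARKER = b"\x00END"   # constructed end-marker payload (assumption)


class Drb:
    """One DRB: a PDCP entity with its own COUNT and bearer ID, plus a queue of protected PDUs."""

    def __init__(self, drb_id, key_id, qos_flow, start_count=0):
        self.drb_id, self.key_id, self.qos_flow = drb_id, key_id, qos_flow
        self.count = start_count
        self.tx_queue = deque()   # already ciphered and integrity protected, not yet transmitted

    def protect(self, sdu):
        if self.count > COUNT_MAX:
            raise RuntimeError("COUNT wrapped on DRB %d" % self.drb_id)
        self.tx_queue.append(((self.key_id, self.drb_id, self.count), sdu))
        self.count += 1


class UE:
    def __init__(self, first_drb):
        self.drbs = {first_drb.drb_id: first_drb}
        self.active = first_drb        # the DRB newly arriving SDUs are mapped to
        self.transmitted = []          # (drb_id, label, sdu) in air order

    def on_reconfiguration(self, msg):
        """Add the second DRB, map it to the QoS flow of the first one, and route new SDUs to it."""
        first = self.drbs[msg["first_drb_id"]]
        second = Drb(msg["second_drb_id"], msg.get("new_key_id", first.key_id), first.qos_flow)
        self.drbs[second.drb_id] = second
        self.active = second
        return {"type": "RRCReconfigurationComplete"}

    def submit_sdu(self, sdu):
        self.active.protect(sdu)

    def flush(self, drb_id):
        """Transmit a DRB's protected PDUs; when draining a non-active DRB, follow with the end-marker."""
        drb = self.drbs[drb_id]
        while drb.tx_queue:
            lab, sdu = drb.tx_queue.popleft()
            self.transmitted.append((drb_id, lab, sdu))
        if drb is not self.active:
            self.transmitted.append((drb_id, None, END_MARKER))

    def on_release(self, msg):
        del self.drbs[msg["drb_id"]]
        return {"type": "RRCReconfigurationComplete"}


class NetworkNode:
    def __init__(self):
        self.mm_messages = []   # PDU Session Resource Modify indications sent to the MM
        self.received = []      # (drb_id, label, sdu)

    def on_wrap_indication(self, first_drb_id, second_drb_id, new_key_id=None):
        msg = {"type": "RRCReconfiguration", "first_drb_id": first_drb_id, "second_drb_id": second_drb_id}
        if new_key_id is not None:
            msg["new_key_id"] = new_key_id
        self.mm_messages.append(("PDUSessionResourceModifyIndication", "add", second_drb_id))
        return msg

    def receive(self, frames):
        """Decipher with the ID of the DRB a PDU arrived on; the end-marker triggers the release."""
        release = None
        for drb_id, lab, sdu in frames:
            if sdu == END_MARKER:
                release = {"type": "RRCReconfiguration", "release": True, "drb_id": drb_id}
                self.mm_messages.append(("PDUSessionResourceModifyIndication", "release", drb_id))
                continue
            assert lab[1] == drb_id   # bearer input implied by the DRB: no guessing between old and new ID
            self.received.append((drb_id, lab, sdu))
        return release


def run_scenario():
    """Constructed run: three PDUs are protected under DRB ID 1 just before COUNT would wrap."""
    first = Drb(drb_id=1, key_id="k1", qos_flow=5, start_count=COUNT_MAX - 3)
    ue, node = UE(first), NetworkNode()
    for i in range(3):
        ue.submit_sdu(b"old-%d" % i)      # protected under DRB ID 1, still queued
    ue.on_reconfiguration(node.on_wrap_indication(first_drb_id=1, second_drb_id=2))
    for i in range(2):
        ue.submit_sdu(b"new-%d" % i)      # protected under DRB ID 2, COUNT restarts at 0
    ue.flush(2)                           # the second DRB carries data right away
    ue.flush(1)                           # remaining DRB 1 PDUs, then the end-marker
    ue.on_release(node.receive(ue.transmitted))
    return ue, node
```

Passing `new_key_id` to `on_wrap_indication` models the variant of [0033]/[0035] in which the key changes together with the DRB ID; without it only the bearer input changes, which is already enough to keep the ciphering inputs distinct.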
[0038] According to the seventh aspect of the subject disclosure, the UE or the apparatus in such a UE is provided. The UE comprises a receiver configured to receive a reconfiguration message and a release message from a network node, a transmitter configured to transmit an indication to the network node, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the UE at least to perform the steps of the method according to the fifth aspect.
[0039] According to the eighth aspect of the subject disclosure, the network node or the apparatus in such a network node is provided. The network node comprises a transmitter configured to transmit a reconfiguration and a release message to a UE, a receiver configured to receive an indication from the UE, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the network node at least to perform the steps of the method according to the sixth aspect. For example, the indication may be an end-marker packet, or a completion message, such as a RRC Reconfiguration Complete message.
[0040] In one group of examples of the eighth aspect, the transmitter may further be configured to transmit a PDU Session Resource Modify indication message to the MM, and the instructions, when executed by the at least one processor, further cause the network node to perform the steps of the method according to the sixth aspect insofar as the method refers to the network node transmitting a PDU Session Resource Modify indication message to the MM.
[0041] The following aspects are also part of the invention:
[0042] According to a ninth and a tenth aspect of the invention, methods are provided for ciphering and integrity protecting Packet Data Convergence Protocol, PDCP, data units transmitted via a Data Radio Bearer, DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a first security key and a DRB ID identifying the DRB. According to an eleventh and a twelfth aspect of the invention, a UE or an apparatus in such a UE, and a network node or an apparatus in such a network node are provided which are configured to execute the methods according to the ninth and tenth aspect, respectively.
[0043] According to the ninth aspect of the invention, there is provided a method performed by the UE in the network. The method comprises, upon receiving a reconfiguration message from a network node indicating to reconfigure the DRB identified by the DRB ID using a modified dual active protocol stack (DAPS) setup and a second logical channel identifier (LCID), setting up the DRB using the modified DAPS setup. The modified DAPS setup comprises:
- establishing, in addition to a PDCP layer entity, a first RLC layer entity, a media access control (MAC) layer entity and a physical (PHY) layer entity, a second RLC layer entity with the same configuration as the first RLC layer entity,
- reconfiguring the PDCP layer entity to set up a second ciphering and integrity protection function which uses a second security key in addition to a first ciphering and integrity protection function which uses the first security key, wherein the first ciphering and integrity protection function is assigned to the first RLC layer entity and the second ciphering and integrity protection function is assigned to the second RLC layer entity, and
- establishing a second logical channel with the second LCID having the same configuration as a first logical channel with a first LCID, wherein the MAC layer entity communicates with the first RLC entity using the first logical channel and with the second RLC entity using the second logical channel.
[0044] The method further comprises, upon having reconfigured the DRB, transmitting a first indication to the network node, indicating that the DRB has been successfully reconfigured.
[0045] The method further comprises using the second ciphering and integrity protection function for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected and transmitting these PDCP data units via the second RLC layer entity. The method further comprises transmitting all remaining PDCP data units that have already been ciphered and integrity protected using the first ciphering and integrity protection function via the first RLC entity. For example, for any incoming MAC SDU assigned to the second LCID the second ciphering and integrity protection function may be used for deciphering and integrity verification. Advantageously, this way, a second security key can be established in parallel to the first security key.
[0046] In one group of examples of the ninth aspect, the reconfiguration message is an RRC Reconfiguration message, and the first indication is an RRC Reconfiguration Complete message. Advantageously, RRC Reconfiguration messages are well-tested types of reconfiguration messages to indicate amendments to be applied to the configuration, and RRC Reconfiguration Complete messages are well-tested types of confirmation messages.
[0047] In one group of examples of the ninth aspect that may further be combined with the previous group of examples, the method comprises, upon having transmitted all remaining PDCP data units, transmitting a second indication to the network node, indicating that all remaining PDCP data units have been transmitted. The method of these examples further comprises, upon receiving a release message from the network node, releasing the first RLC entity, the first logical channel, and the first ciphering and integrity protection function and transmitting a third indication to the network node indicating the successful release of the first RLC entity, the first logical channel, and the first ciphering and integrity protection function.
For example, the first ciphering and integrity protection function may be released by reconfiguring the PDCP entity to release the modified DAPS setup and to release the first ciphering and integrity protection function. Advantageously, this way, the additional entities can be released when no longer needed, resulting in a reduced computational load.
[0048] In one group of examples of the ninth aspect that may further be combined with the previous groups of examples, the second indication is an end-marker packet transmitted via the first RLC entity and indicating that it is the last packet sent via the first RLC entity. Advantageously, with an end-marker packet a data packet is used, and no new message must be generated.
[0049] In one group of examples of the ninth aspect that may further be combined with the previous groups of examples, the release message is an RRC Reconfiguration message, and the third indication is an RRC Reconfiguration Complete message. Advantageously, RRC Reconfiguration messages are well-tested types of reconfiguration messages to indicate amendments to be applied to the configuration, and RRC Reconfiguration Complete messages are well-tested types of confirmation messages.
[0050] According to the tenth aspect of the subject disclosure, there is provided a method performed by the network node in the network. The method comprises, upon receiving an indication that a PDCP COUNT value associated with the DRB ID and the security key is about to wrap around, transmitting a reconfiguration message to a UE indicating to reconfigure the DRB identified by the DRB ID using a modified DAPS setup and a second LCID. The modified DAPS setup comprises:
- establishing, in addition to a PDCP layer entity, a first RLC layer entity, a MAC layer entity and a PHY layer entity, a second RLC layer entity with the same configuration as the first RLC layer entity,
- reconfiguring the PDCP layer entity to set up, in addition to a first ciphering and integrity protection function using the first security key, a second ciphering and integrity protection function using a second security key, wherein the first ciphering and integrity protection function is assigned to the first RLC layer entity, and the second ciphering and integrity protection function is assigned to the second RLC layer entity, and
- establishing a second logical channel with the second LCID having the same configuration as a first logical channel with a first LCID, wherein the MAC layer entity communicates with the first RLC entity using the first logical channel and with the second RLC entity using the second logical channel.
[0051] The method further comprises, upon receiving a first indication from the UE indicating that the DRB has been successfully reconfigured, using the second ciphering and integrity protection function for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected and transmitting these PDCP data units via the second RLC layer entity. The method further comprises transmitting all remaining PDCP data units that have already been ciphered and integrity protected using the first ciphering and integrity protection function via the first RLC entity. For example, for any incoming MAC SDU assigned to the second LCID the second ciphering and integrity protection function may be used for deciphering and integrity verification. Advantageously, this way, a second security key can be established in parallel to the first security key.
[0052] In one group of examples of the tenth aspect, the reconfiguration message is an RRC Reconfiguration message, and the first indication is an RRC Reconfiguration Complete message. Advantageously, RRC Reconfiguration messages are well-tested types of reconfiguration messages to indicate amendments to be applied to the configuration, and RRC Reconfiguration Complete messages are well-tested types of confirmation messages.
[0053] In one group of examples of the tenth aspect that may further be combined with the previous groups of examples, the method further comprises, upon receiving a second indication from the UE indicating that all remaining PDCP data units have been transmitted, transmitting a release message to the UE indicating to the UE to release the first RLC entity, the first logical channel, and the first ciphering and integrity protection function. Advantageously, this way, the additional entities can be released when no longer needed, resulting in a reduced computational load.
[0054] In one group of examples of the tenth aspect that may further be combined with the previous groups of examples, the release message is an RRC Reconfiguration message, and the second indication is an RRC Reconfiguration Complete message. Advantageously, RRC Reconfiguration messages are well-tested types of reconfiguration messages, and RRC Reconfiguration Complete messages are well-tested types of confirmation messages.
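The procedure of the ninth and tenth aspects (paragraphs [0044] to [0054]), as an added simulation that is not part of the patent. Ciphering is not performed; each PDU only records the (key, BEARER, DIRECTION, COUNT) tuple that would be fed to the ciphering and integrity algorithms, which is enough to check the property the procedure exists for: no tuple is used twice, even when COUNT wraps. The 3-bit COUNT, the "about to wrap around" threshold, the key names and the choice to restart COUNT at 0 under the new key are assumptions of this example.

```python
"""Modified-DAPS key change: two RLC entities, two LCIDs, two ciphering functions.
Added example, not the patent's code. Protection is modelled as the input tuple only."""
from collections import Counter
from dataclasses import dataclass

COUNT_BITS = 3                  # assumption: tiny COUNT so wrap-around is reached quickly
COUNT_MOD = 1 << COUNT_BITS
WRAP_WARNING = COUNT_MOD - 2    # assumption: threshold for "about to wrap around"
UPLINK = 0


@dataclass(frozen=True)
class Pdu:
    key_id: str          # security key that ciphered / integrity-protected this PDU
    bearer: int          # DRB ID (BEARER input to the algorithm)
    direction: int
    count: int           # PDCP COUNT input
    lcid: int            # logical channel / RLC entity carrying the PDU
    end_marker: bool = False


class PdcpTx:
    """PDCP transmitter with one ciphering function per RLC entity (selected by LCID)."""

    def __init__(self, bearer, key_id, lcid):
        self.bearer = bearer
        self.key_for = {lcid: key_id}        # LCID -> key used on that path
        self.tx_next = {lcid: 0}             # LCID -> next COUNT on that path
        self.rlc_queue = {lcid: []}          # PDUs ciphered but not yet transmitted
        self.active_lcid = lcid

    def _protect(self, lcid, end_marker=False):
        pdu = Pdu(self.key_for[lcid], self.bearer, UPLINK, self.tx_next[lcid], lcid, end_marker)
        self.tx_next[lcid] = (self.tx_next[lcid] + 1) % COUNT_MOD   # the wrap-around point
        self.rlc_queue[lcid].append(pdu)

    def submit_sdus(self, n):
        """New SDUs always go through the currently active function / RLC entity."""
        for _ in range(n):
            self._protect(self.active_lcid)

    def about_to_wrap(self):
        return self.tx_next[self.active_lcid] >= WRAP_WARNING

    def reconfigure_modified_daps(self, second_key_id, second_lcid):
        """Set up the second RLC entity, LCID and ciphering function (RRC Reconfiguration).
        PDUs already ciphered with the first key stay queued on the first RLC entity."""
        self.key_for[second_lcid] = second_key_id
        self.tx_next[second_lcid] = 0        # assumption: COUNT restarts under the fresh key
        self.rlc_queue[second_lcid] = []
        self.active_lcid = second_lcid

    def drain(self, lcid):
        """Transmit everything queued on one RLC entity. A path that is no longer active is
        terminated with an end-marker packet (the 'second indication' of paragraph [0048])."""
        if lcid != self.active_lcid:
            self._protect(lcid, end_marker=True)
        pdus, self.rlc_queue[lcid] = self.rlc_queue[lcid], []
        return pdus

    def release(self, lcid):
        """Release the first RLC entity, logical channel and ciphering function."""
        for table in (self.key_for, self.tx_next, self.rlc_queue):
            del table[lcid]


class PdcpRx:
    """Receiver: the deciphering function is chosen by the LCID the MAC SDU arrived on."""

    def __init__(self, bearer, key_id, lcid):
        self.bearer = bearer
        self.key_for = {lcid: key_id}
        self.inputs_seen = Counter()
        self.delivered = 0

    def add_function(self, key_id, lcid):
        self.key_for[lcid] = key_id

    def receive(self, pdu):
        """Returns True when the PDU was the end-marker on the old path."""
        key = self.key_for[pdu.lcid]
        if key != pdu.key_id:                # integrity verification would fail here
            raise ValueError(f"PDU on LCID {pdu.lcid} not protected with {key}")
        self.inputs_seen[(key, pdu.bearer, pdu.direction, pdu.count)] += 1
        if not pdu.end_marker:
            self.delivered += 1
        return pdu.end_marker

    def reused_inputs(self):
        return [t for t, n in self.inputs_seen.items() if n > 1]


def run(sdus_before=6, sdus_after=5, reconfigure=True):
    """Constructed scenario: 6 SDUs, the wrap warning fires, then 5 more SDUs."""
    tx = PdcpTx(bearer=1, key_id="K1", lcid=1)
    rx = PdcpRx(bearer=1, key_id="K1", lcid=1)
    tx.submit_sdus(sdus_before)                           # ciphered with K1, queued on RLC 1
    if reconfigure and tx.about_to_wrap():
        tx.reconfigure_modified_daps("K2", second_lcid=2) # network -> UE: RRC Reconfiguration
        rx.add_function("K2", lcid=2)                     # UE -> network: RRC Reconfiguration Complete
    tx.submit_sdus(sdus_after)                            # K2 on RLC 2, or K1 past the wrap
    for lcid in sorted(tx.rlc_queue):                     # both paths transmit; order is irrelevant
        for pdu in tx.drain(lcid):
            if rx.receive(pdu):                           # end-marker seen -> release message
                tx.release(lcid)
                rx.key_for.pop(lcid)
    return {"reused": len(rx.reused_inputs()),
            "delivered": rx.delivered,
            "keys_left": sorted(tx.key_for.values())}
```

Running `run(reconfigure=False)` reports three cipher-input tuples used twice (COUNT 0, 1 and 2 under K1 after the wrap), which is the keystream-reuse condition the procedure prevents; `run()` reports none, all eleven SDUs delivered, and only K2 left after the release message.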
[0055] According to the eleventh aspect of the subject disclosure, the UE or the apparatus in such a UE is provided. The UE comprises a receiver configured to receive a reconfiguration message from a network node, a transmitter configured to transmit an indication to the network node, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the UE at least to perform the steps of the method according to the ninth aspect.
[0056] In one group of examples of the eleventh aspect, the receiver is further configured to receive a release message from the network node, and the instructions, when executed by the at least one processor, cause the UE to further perform the steps of the methods according to the ninth aspect insofar as the methods refer to the UE receiving a release message.
[0057] According to the twelfth aspect of the subject disclosure, the network node or the apparatus in such a network node is provided. The network node comprises a transmitter configured to transmit a reconfiguration message to a UE, a receiver configured to receive an indication from the UE, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the network node at least to perform the steps of the method according to the tenth aspect.
[0058] In one group of examples of the twelfth aspect, the transmitter is further configured to transmit a release message to the UE, and the instructions, when executed by the at least one processor, cause the network node to further perform the steps of the methods according to the tenth aspect insofar as the methods refer to the network node transmitting a release message.
[0059] The following aspects are also part of the invention:
[0060] According to a thirteenth and fourteenth aspect of the invention, methods are provided for ciphering and integrity protecting Packet Data Convergence Protocol (PDCP) data units transmitted via a Data Radio Bearer (DRB), wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a security key and a DRB ID identifying the DRB. According to a fifteenth and sixteenth aspect of the invention, a UE or an apparatus in such a UE, and a network node or an apparatus in such a network node are provided which are configured to execute the methods according to the thirteenth and fourteenth aspect, respectively.
[0061] According to the thirteenth aspect of the subject disclosure, there is provided a method performed by the UE in the network. The method comprises, upon receiving a reconfiguration message from a network node indicating to discard all data units to be transmitted via the DRB in at least one protocol layer and to reconfigure the DRB identified by the DRB ID with at least a new DRB ID, discarding all data units to be transmitted via the DRB in at least one protocol layer, and reconfiguring the DRB with at least the new DRB ID. The method further comprises, upon having reconfigured the DRB, using the new DRB ID for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected. Advantageously, discarding all data units to be transmitted via the DRB in at least one protocol layer may clearly define the point in time from which on the new DRB ID is to be used for ciphering and integrity protection.
[0062] In one group of examples of the thirteenth aspect, the reconfiguring of the DRB comprises the steps of releasing and re-adding the DRB, or, alternatively, of modifying the DRB. For example, the reconfiguration message may comprise an indication to either perform a DRB release and re-addition with the new DRB ID, or an indication to perform a DRB modification with a new DRB ID. Advantageously, these are well-tested methods of performing a reconfiguration.
[0063] In one group of examples of the thirteenth aspect that may further be combined with the previous group of examples, the method further comprises performing a random-access procedure after discarding all data units in the at least one protocol layer. Advantageously, during the random-access procedure no other data is transmittable. Thus, the random-access procedure may serve as an indicator for a DRB ID change.
[0064] In one group of examples of the thirteenth aspect that may further be combined with the previous groups of examples, the reconfiguration message is an RRC Reconfiguration message comprising an indication to discard all data units in the at least one protocol layer. Advantageously, the RRC Reconfiguration message is a well-tested way of indicating that a DRB is to be reconfigured.
[0065] In one group of examples of the thirteenth aspect that may further be combined with the previous groups of examples, in the discarding step, the UE discards all data units in the PDCP layer and in all protocol layers below the PDCP layer. Furthermore, the reconfiguration message received from the network node may indicate to the UE to discard all data units in the PDCP layer and in all protocol layers below the PDCP layer. In some of the above examples, data units in protocol layers above the PDCP layer may be discarded as well, and the reconfiguration message may indicate this to the UE. Advantageously, discarding all data units defines the moment from which no more data units ciphered and integrity protected using the old DRB ID are transmitted.
[0066] As an alternative to the previous group of examples, in one group of examples of the thirteenth aspect that may further be combined with the other previous groups of examples, the UE, in the discarding step, discards all data units in all protocol layers below the PDCP layer but not in the PDCP layer itself, and the UE ciphers and integrity protects the non-discarded data units in the PDCP layer using the new DRB ID and transmits them to the network node. For example, discarding all data units in all protocol layers below the PDCP layer may be performed as part of the DRB release and re-addition or of the DRB modification. As a consequence, all data units in the RLC and PHY layers may be discarded while those in the PDCP layer are maintained. Accordingly, the reconfiguration message may comprise a flag indicating to the UE to discard all data units in all protocol layers below the PDCP layer, excluding the PDCP layer, as part of the DRB release and re-addition or as part of the DRB modification. In particular, the UE may retransmit all PDCP PDUs that have already been submitted to an acknowledged mode (AM) RLC entity, and transmit any remaining PDCP SDU in the buffer, using the new security inputs, in particular the new DRB ID. After ciphering and integrity protection the data units may be submitted to a lower protocol layer, e.g., the radio link control (RLC) layer. Advantageously, proceeding in this manner avoids the data loss that discarding data units would otherwise cause, in particular where AM RLC is used. In some of the above examples, data units in protocol layers above the PDCP layer may be discarded as well, and the reconfiguration message may indicate this to the UE.
[0067] In one group of examples of the thirteenth aspect that may further be combined with the previous groups of examples, the method further comprises the step of, upon having applied the second DRB configuration to the DRB, transmitting a completion message to the network node, indicating the successful reconfiguration of the DRB. Advantageously, this enables the network node, e.g., to communicate the DRB ID switch to other entities, e.g., a mobility management (MM).
[0068] In one group of examples of the thirteenth aspect that may further be combined with the previous groups of examples, the completion message is an RRC Reconfiguration Complete message. Advantageously, the RRC Reconfiguration Complete message is a well-tested method for indicating the successful reconfiguration of a DRB.
[0069] According to the fourteenth aspect of the subject disclosure, there is provided a method performed by the network node in the network. The method comprises, upon receiving an indication that a PDCP COUNT value associated with the DRB ID and the security key is about to wrap around, transmitting a reconfiguration message to a UE indicating to discard all data units to be transmitted via the DRB and to reconfigure the DRB identified by the DRB ID with at least a new DRB ID. The method further comprises, upon receiving from the UE a completion message indicating the successful reconfiguration of the DRB, using the new DRB ID for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected. Advantageously, discarding all data units to be transmitted via the DRB in at least one protocol layer helps to clearly define the point in time from which the new DRB ID is to be used for ciphering and integrity protection.
[0070] In one group of examples of the fourteenth aspect, the reconfiguration message indicates to reconfigure the DRB by releasing and re-adding the DRB or, alternatively, by modifying the DRB. Advantageously, carrying such an indication in the reconfiguration message is a well-tested way of transmitting it.
[0071] In one group of examples of the fourteenth aspect that may further be combined with the previous group of examples, the reconfiguration message is an RRC Reconfiguration message comprising one or more indications to discard all data units in at least one protocol layer. Advantageously, the RRC Reconfiguration message is a well-tested type of reconfiguration message which can be extended to carry the indication. For example, the indication may be implemented as a flag.
[0072] In one group of examples of the fourteenth aspect that may further be combined with the previous groups of examples, the reconfiguration message indicates to discard all data units in the PDCP layer and in all protocol layers below the PDCP layer. In some of the above examples, the reconfiguration message may indicate to discard data units in protocol layers above the PDCP layer as well. Advantageously, discarding all data units defines the moment from which no more data units ciphered and integrity protected using the old DRB ID are transmitted.
[0073] As an alternative to the previous group of examples, in one group of examples of the fourteenth aspect that may further be combined with the other previous groups of examples, the reconfiguration message indicates to discard all data units in all protocol layers below the PDCP layer but not in the PDCP layer itself, and to cipher and integrity protect the non-discarded PDCP SDUs and PDCP PDUs using the new DRB ID and to transmit them to the network node. Advantageously, proceeding in this manner avoids the data loss that discarding data units would otherwise cause, in particular where AM RLC is used. In some of the above examples, the reconfiguration message may indicate to discard data units in protocol layers above the PDCP layer as well.
[0074] In one group of examples of the fourteenth aspect that may further be combined with the previous groups of examples, the method further comprises, in response to receiving from the UE a completion message indicating the successful reconfiguration of the DRB, transmitting a PDU Session Resource Modify Indication message to the MM indicating the DRB ID change. For example, the PDU Session Resource Modify Indication message may indicate the DRB ID change as the cause for transmitting this message. The MM may, in response to receiving the PDU Session Resource Modify Indication message, transmit a PDU Session Resource Modify Indication Confirm message to the network node. Advantageously, the MM is informed of the DRB ID change.
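The two discard variants of the thirteenth and fourteenth aspects (paragraphs [0065] and [0066], mirrored in [0072] and [0073]), as an added UE-side simulation that is not part of the patent. As above, no real ciphering takes place; each PDU carries the (key, BEARER, DIRECTION, COUNT) tuple it would be protected with, and the acknowledging network side is a constructed stand-in. The 3-bit COUNT, the payload names and the decision to keep COUNT running across the DRB ID change are assumptions of this example.

```python
"""DRB ID change with discard: everything in PDCP and below, or below PDCP only.
Added example, not the patent's code. Protection is modelled as the input tuple only."""
from collections import Counter
from dataclasses import dataclass

COUNT_BITS = 3                  # assumption: tiny COUNT so wrap-around is reached quickly
COUNT_MOD = 1 << COUNT_BITS
UPLINK = 0


@dataclass(frozen=True)
class Pdu:
    key_id: str
    bearer: int          # DRB ID used as BEARER input
    direction: int
    count: int
    payload: str


class UeDrb:
    """One DRB at the UE: a PDCP SDU buffer above an AM RLC entity."""

    def __init__(self, drb_id, key_id="K1"):
        self.drb_id = drb_id
        self.key_id = key_id
        self.tx_next = 0
        self.sdu_buffer = []        # PDCP SDUs not yet ciphered
        self.rlc_am_unacked = []    # PDCP PDUs handed to AM RLC, not yet acknowledged
        self.delivered = []         # PDUs the (constructed) network side acknowledged

    def queue_sdus(self, payloads):
        self.sdu_buffer.extend(payloads)

    def _protect(self, payload, count=None):
        """Cipher one SDU; a retransmitted PDU keeps its original COUNT."""
        if count is None:
            count = self.tx_next
            self.tx_next = (self.tx_next + 1) % COUNT_MOD     # wrap-around point
        return Pdu(self.key_id, self.drb_id, UPLINK, count, payload)

    def submit(self):
        """Cipher all buffered SDUs with the current DRB ID and hand them to AM RLC."""
        while self.sdu_buffer:
            self.rlc_am_unacked.append(self._protect(self.sdu_buffer.pop(0)))

    def rlc_ack(self, n):
        acked, self.rlc_am_unacked = self.rlc_am_unacked[:n], self.rlc_am_unacked[n:]
        self.delivered.extend(acked)

    def reconfigure_drb_id(self, new_drb_id, keep_pdcp):
        """RRC Reconfiguration carrying the new DRB ID and the discard flag.
        keep_pdcp=False: discard PDCP SDUs, PDCP PDUs and all lower layers ([0065]).
        keep_pdcp=True : discard lower layers only; re-protect the unacknowledged PDUs with
                         the new DRB ID under their original COUNT, then the SDUs ([0066]).
        Returns what was lost."""
        in_flight, self.rlc_am_unacked = self.rlc_am_unacked, []   # RLC/MAC/PHY flushed
        lost = []
        if not keep_pdcp:
            lost = in_flight + self.sdu_buffer
            self.sdu_buffer = []
        self.drb_id = new_drb_id                 # from here on, new BEARER input
        if keep_pdcp:
            for pdu in in_flight:                # retransmission with new security inputs
                self.rlc_am_unacked.append(self._protect(pdu.payload, count=pdu.count))
            self.submit()
        return lost


def run(keep_pdcp, new_drb_id=2):
    """Constructed scenario; new_drb_id=None leaves the DRB untouched for comparison."""
    drb = UeDrb(drb_id=1)
    drb.queue_sdus([f"sdu{i}" for i in range(6)])
    drb.submit()                                # COUNT 0..5 under DRB ID 1
    drb.rlc_ack(4)                              # sdu4 and sdu5 still unacknowledged
    drb.queue_sdus(["sdu6", "sdu7"])            # buffered in PDCP, not yet ciphered
    lost = [] if new_drb_id is None else drb.reconfigure_drb_id(new_drb_id, keep_pdcp)
    drb.queue_sdus([f"sdu{i}" for i in range(8, 12)])
    drb.submit()                                # COUNT wraps from 7 to 0 in here
    drb.rlc_ack(len(drb.rlc_am_unacked))
    inputs = Counter((p.key_id, p.bearer, p.direction, p.count) for p in drb.delivered)
    return {"lost": len(lost),
            "reused": sum(1 for n in inputs.values() if n > 1),
            "delivered": len(drb.delivered)}
```

`run(keep_pdcp=False)` loses the two unacknowledged PDUs and the two buffered SDUs but never reuses an input tuple; `run(keep_pdcp=True)` delivers all twelve SDUs with no reuse, because the retransmitted PDUs keep their COUNT but change BEARER; `run(True, new_drb_id=None)` shows the untreated case, where the wrap reuses four tuples under the same key and DRB ID.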
[0075] According to the fifteenth aspect of the subject disclosure, the UE or the apparatus in such a UE is provided. The UE comprises a receiver configured to receive a reconfiguration message from a network node, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the UE at least to perform the steps of the methods according to the thirteenth aspect.
[0076] In one group of examples of the fifteenth aspect, the UE may further comprise a transmitter configured to transmit a completion message to the network node, indicating the successful reconfiguration of the DRB. Further, in this group of examples, the instructions, when executed by the at least one processor, cause the UE to further perform the steps of the methods according to the thirteenth aspect insofar as they refer to the UE transmitting a completion message.
[0077] According to the sixteenth aspect of the subject disclosure, the network node or the apparatus in such a network node is provided. The network node comprises a transmitter configured to transmit a reconfiguration message to a UE or to an apparatus in such a UE, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the network node at least to perform the steps of the methods according to the fourteenth aspect.
[0078] In one group of examples of the sixteenth aspect, the network node may further comprise a receiver configured to receive from the UE a completion message, and the transmitter may further be configured to transmit a PDU Session Resource Modify Indication message to the MM. Further, the instructions, when executed by the at least one processor, cause the network node to further perform the steps of the method according to the fourteenth aspect insofar as the method refers to the network node receiving the completion message and/or the network node transmitting the PDU Session Resource Modify Indication message to the MM.
[0079] The following aspects are also part of the invention:
[0080] According to a seventeenth and eighteenth aspect of the invention, methods are provided for ciphering and integrity protecting Packet Data Convergence Protocol, PDCP, data units transmitted via a Data Radio Bearer, DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a current security key and a DRB ID identifying the DRB. According to a nineteenth and twentieth aspect of the invention, a UE or an apparatus in such a UE, and a network node or an apparatus in such a network node are provided which are configured to execute the methods according to the seventeenth and eighteenth aspect, respectively.
[0081] According to the seventeenth aspect of the invention, there is provided a method performed by the UE in the network. The method comprises, upon receiving a reconfiguration message from a network node, establishing with the network node an additional inactive non-current security key and, upon receiving an activation message from the network node, activating the non-current security key and transmitting to the network node a first acknowledgement message indicating the successful activation of the non-current security key.
[0082] The method further comprises, upon having activated the non-current security key, using the non-current security key for ciphering and integrity protecting the PDCP data units. Advantageously, this way, a second security key can be established in parallel to the first security key.
[0083] In one group of examples of the seventeenth aspect, the activation message is an RRC Reconfiguration message or a PDCP Control message. Advantageously, RRC Reconfiguration messages and PDCP Control messages are well-tested message types in the field.
[0084] In one group of examples of the seventeenth aspect that may further be combined with the previous group of examples, the method further includes resetting the PDCP COUNT value.
[0085] In one group of examples of the seventeenth aspect that may further be combined with the previous groups of examples, the method further comprises, upon receiving a discard message from the network node, discarding all data units in at least one protocol layer, and, upon having discarded all data units in the at least one protocol layer, transmitting a second acknowledgement message to the network node indicating the successful discarding of data units in the at least one protocol layer. For example, the data units may be discarded in one, some, or all protocol layers. Advantageously, discarding all data units in at least one protocol layer may clearly define the point in time from which the non-current security key is to be used for ciphering and integrity protection.
[0086] As an alternative to the previous group of examples, in one group of examples of the seventeenth aspect that may further be combined with the other previous groups of examples, the activation message comprises an indication to continue transmitting all data units that have been ciphered and integrity protected using the current security key. Before activating the non-current security key, the UE continues transmitting all remaining PDCP data units that have been ciphered and integrity protected using the current security key.
[0087] The method of this group of examples further comprises, upon having transmitted all remaining PDCP data units, transmitting an indication to the network node indicating that all remaining PDCP data units have been transmitted and comprising the first acknowledgement message. Advantageously, proceeding in this manner avoids the data loss that discarding data units would otherwise cause.
[0088] In one group of examples of the seventeenth aspect that may further be combined with the previous group of examples, the indication is an end-marker packet, indicating that it is the last packet ciphered and integrity protected using the current security key. Advantageously, with an end-marker packet no new message must be generated.
[0089] According to the eighteenth aspect of the subject disclosure, there is provided a method performed by the network node in the network. The method comprises, transmitting a reconfiguration message to a UE indicating to establish an additional inactive non-current security key and establishing with the UE an additional non-current inactive security key.
[0090] The method further comprises, upon receiving an indication that the PDCP COUNT value is about to wrap around, transmitting an activation message to the UE indicating to the UE to activate the non-current security key and, upon receiving from the UE a first acknowledgement message indicating the successful activation of the non-current security key, using the non-current security key for ciphering and integrity protecting the PDCP data units. Advantageously, this way, a second security key can be established in parallel to the first security key.
[0091] In one group of examples of the eighteenth aspect that may further be combined with the previous group of examples, the activation message is an RRC Reconfiguration message or a PDCP Control message. Advantageously, RRC Reconfiguration messages and PDCP Control messages are well-tested message types.
[0092] In one group of examples of the eighteenth aspect that may further be combined with the previous groups of examples, the method further comprises, before transmitting the activation message, stopping any further transmission of data units to the UE until receiving the first acknowledgement message from the UE and transmitting a discard message to the UE requesting the UE to discard all data units in at least one protocol layer, wherein the activation message is transmitted by the network node only in response to receiving from the UE a second acknowledgement message indicating the successful discarding of data units in the at least one protocol layer. Advantageously, discarding all data units in at least one protocol layer may clearly define the point in time from which the non-current security key is to be used for ciphering and integrity protection.
[0093] As an alternative to the previous group of examples, in one group of examples of the eighteenth aspect that may further be combined with the other previous groups of examples, the activation message further comprises an indication to the UE to continue transmitting all remaining PDCP data units that have been ciphered and integrity protected using the current security key before activating the non-current security key and, upon transmitting the activation message, the network node continues transmitting all remaining PDCP data units that have been ciphered and integrity protected using the current security key until receiving an indication from the UE indicating that all remaining PDCP data units have been transmitted and comprising the first acknowledgement message. Advantageously, proceeding in this manner avoids the data loss that discarding data units would otherwise cause.
[0094] According to the nineteenth aspect of the subject disclosure, the UE or the apparatus in such a UE is provided. The UE comprises a receiver configured to receive a reconfiguration message and an activation message from a network node, a transmitter configured to transmit an acknowledgement message to the network node, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the UE at least to perform the steps of the method according to the seventeenth aspect.
[0095] In one group of examples of the nineteenth aspect, the receiver is further configured to receive at least a discard message from the network node, the transmitter is further configured to transmit a second acknowledgement message to the network node, and the instructions, when executed by the at least one processor, cause the UE to further perform the steps of the methods according to the seventeenth aspect insofar as the methods refer to the UE receiving a discard message and transmitting a second acknowledgement message.
[0096] In one group of examples of the nineteenth aspect that may further be combined with the previous group of examples, the transmitter is further configured to transmit an indication to the network node, and the instructions, when executed by the at least one processor, cause the UE to further perform the steps of the methods according to the seventeenth aspect insofar as the methods refer to the UE transmitting an indication to the network node.
[0097] According to the twentieth aspect of the subject disclosure, the network node or the apparatus in such a network node is provided. The network node comprises a transmitter configured at least to transmit a reconfiguration message and an activation message to a UE, a receiver configured to receive an acknowledgement message from the UE, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the network node at least to perform the steps of the methods according to the eighteenth aspect.
[0098] In one group of examples of the twentieth aspect, the transmitter is further configured to at least transmit a discard message to the UE, the receiver is further configured to at least receive a second acknowledgement message from the UE, and the instructions, when executed by the at least one processor, cause the network node to further perform the steps of the methods according to the eighteenth aspect insofar as the methods refer to the network node transmitting a discard message and receiving a second acknowledgement message.
[0099] In one group of examples of the twentieth aspect that may further be combined with the previous group of examples, the receiver is further configured to at least receive an indication from the UE, and the instructions, when executed by the at least one processor, cause the network node to further perform the steps of the methods according to the eighteenth aspect insofar as the methods refer to the network node receiving an indication from the UE.
[0100] The following aspects are also part of the invention:
[0101] According to a twenty-first and twenty-second aspect of the invention, methods are provided for ciphering and integrity protecting Packet Data Convergence Protocol, PDCP, data units transmitted via a Data Radio Bearer, DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value of a PDCP COUNT, a security key and a DRB ID identifying the DRB. According to a twenty-third and twenty-fourth aspect of the invention, a UE or an apparatus in such a UE, and a network node or an apparatus in such a network node are provided which are configured to execute the methods according to the twenty-first and twenty-second aspect, respectively.
[0102] According to the twenty-first aspect of the subject disclosure, there is provided a method performed by the UE in the network. The method comprises, upon receiving a command message from a network node indicating at least a non-current PDCP COUNT length being longer than a current PDCP COUNT length, applying the indicated non-current PDCP COUNT length to the PDCP COUNT, such that the current PDCP COUNT length is changed to the non-current PDCP COUNT length. The method further comprises, upon having applied the indicated non-current PDCP COUNT length, using the PDCP COUNT value for ciphering and integrity protecting the PDCP data units. Advantageously, this mitigates the risk of a wrap-around of the PDCP COUNT value.
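Why every aspect in this document is chasing the same condition, and what each option changes, as an added example that is not the patent's code and not a 3GPP implementation. The per-PDU input is laid out as COUNT || BEARER (5 bits) || DIRECTION (1 bit), the inputs the PDCP ciphering and integrity algorithms take, but the keystream generator below is HMAC-SHA256 used as a stand-in PRF for the NEA/EEA algorithms; the keys, plaintexts, and the layout of a COUNT longer than 32 bits (the twenty-first and twenty-second aspects do not define one) are assumptions of this example. Only ciphering is shown; the integrity algorithm takes the same inputs, so a repeated tuple also lets a recorded MAC-I be replayed with a fresh COUNT wrap.

```python
"""PDCP COUNT wrap-around as a two-time pad, and the mitigations in this document.
Added example; the PRF is a stand-in, not NEA2/EEA2."""
import hashlib
import hmac

BEARER_BITS, DIRECTION_BITS = 5, 1


def cipher_input(count, bearer, direction, count_bits=32):
    """COUNT || BEARER || DIRECTION as big-endian bytes, the per-PDU part of the algorithm
    input. COUNT is reduced modulo 2**count_bits: that reduction is the wrap-around."""
    count %= 1 << count_bits
    value = (count << (BEARER_BITS + DIRECTION_BITS)) | (bearer << DIRECTION_BITS) | direction
    nbytes = (count_bits + BEARER_BITS + DIRECTION_BITS + 7) // 8
    return value.to_bytes(nbytes, "big")


def keystream(key, count, bearer, direction, length, count_bits=32):
    """Stand-in keystream: PRF(key, cipher_input || block index), expanded to `length` bytes."""
    label = cipher_input(count, bearer, direction, count_bits)
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(key, count, bearer, direction, plaintext, count_bits=32):
    """Stream-cipher the PDCP SDU: ciphertext = plaintext XOR keystream."""
    ks = keystream(key, count, bearer, direction, len(plaintext), count_bits)
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed demo material (assumptions, not from the document).
KEY1 = hashlib.sha256(b"constructed demo key 1").digest()[:16]
KEY2 = hashlib.sha256(b"constructed demo key 2").digest()[:16]
PT_A = b"meter reading 0042"
PT_B = b"meter reading 0137"


def leaks(ct_a, ct_b):
    """What a passive eavesdropper can compute: ct_a XOR ct_b. When both PDUs were ciphered
    with the same keystream this equals PT_A XOR PT_B, so either plaintext reveals the other."""
    return xor(ct_a, ct_b) == xor(PT_A, PT_B)


def mitigations(count=7, bearer=1, direction=0):
    """Compare the PDU at COUNT=7 with the PDU sent 2**32 PDUs later, under the untreated
    case and under each option of this document. True means the pair leaks."""
    later = count + (1 << 32)                  # COUNT has wrapped back to the same value
    base = protect(KEY1, count, bearer, direction, PT_A)
    return {
        "same_key_same_drb_32bit": leaks(base, protect(KEY1, later, bearer, direction, PT_B)),
        "new_key":    leaks(base, protect(KEY2, later, bearer, direction, PT_B)),       # aspects 9/10, 17/18
        "new_drb_id": leaks(base, protect(KEY1, later, bearer + 1, direction, PT_B)),   # aspects 13/14
        "count_48_bits": leaks(protect(KEY1, count, bearer, direction, PT_A, 48),       # aspects 21/22
                               protect(KEY1, later, bearer, direction, PT_B, 48)),
    }
```

`mitigations()` returns True only for the untreated case: after 2**32 PDUs the 32-bit COUNT repeats, the keystream repeats, and the XOR of the two ciphertexts is exactly the XOR of the two plaintexts. Changing the key, changing the BEARER input via a new DRB ID, or lengthening COUNT so that 2**32 + 7 is no longer reduced to 7 each yields a distinct keystream. Note that the widened COUNT only postpones the wrap; for a stationary high-volume UE it buys time, where the other options actually refresh the inputs.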
[0103] In one group of examples of the twenty-first aspect, the command message is a Security Mode Command message. Advantageously, using the Security Mode Command message is a well-tested approach in the field.
[0104] In one group of examples of the twenty-first aspect that may further be combined with the previous group of examples, the method, further comprises, upon having applied the indicated non-current PDCP COUNT length to the PDCP COUNT, transmitting to the network node a completion message indicating the successful applying of the non-current PDCP COUNT length to the PDCP COUNT. Advantageously, this communicates to the network node the moment when the new PDCP COUNT length has been applied.
[0105] In one group of examples of the twenty-first aspect that may further be combined with the previous groups of examples, the completion message is a Security Mode Complete message. Advantageously, using the Security Mode Complete message is a well-tested approach in the field.
[0106] According to the twenty-second aspect of the subject disclosure, there is provided a method performed by the network node in the network. The method comprises transmitting a command message to a UE indicating at least a non-current PDCP COUNT length being longer than a current PDCP COUNT length. The method further comprises, upon having transmitted the command message to the UE, using the PDCP COUNT value for ciphering and integrity protecting the PDCP data units.
[0107] In one group of examples of the twenty-second aspect, the command message is a Security Mode Command message. Advantageously, using the Security Mode Command message is a well-tested approach in the field.
[0108] In one group of examples of the twenty-second aspect that may further be combined with the previous group of examples, the step of transmitting a command message to the UE is performed according to a service use case and deployment scenario. Advantageously, this increases the flexibility of the network node to react adaptively to different contexts and scenarios of the UE.
[0109] In one group of examples of the twenty-second aspect that may further be combined with the previous groups of examples, the step of transmitting a command message to the UE is performed upon receiving an indication from the UE that the UE is permanently or temporarily stationary. For example, the UE may report its stationary status to the network node, such that the indication is transmitted by the UE to the network node, e.g., as a message. Further, the UE stationary status may be part of the subscription information (e.g., for a smart meter), and thus be obtained from the function where the subscription data is managed, e.g., a Policy Control Function, PCF, or a Unified Data Management, UDM. Advantageously, this increases the flexibility of the network node to react adaptively to different contexts and scenarios of the UE.
[0110] In one group of examples of the twenty-second aspect that may further be combined with the previous groups of examples, the step of using the PDCP COUNT value for ciphering and integrity protecting the PDCP data units is performed upon receiving a completion message from the UE. Advantageously, this may prevent the network node using a PDCP COUNT having the non-current PDCP COUNT length before the non-current PDCP COUNT length has been applied.
[0111] In one group of examples of the twenty-second aspect that may further be combined with the previous group of examples, the completion message is a Security Mode Complete message. Advantageously, using the Security Mode Complete message is a well-tested approach in the field.
[0112] According to the twenty-third aspect of the subject disclosure, the UE or the apparatus in such a UE is provided. The UE comprises a receiver configured to receive a command message from a network node, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the UE at least to perform the steps of the methods according to the twenty-first aspect.
[0113] In one group of examples of the twenty-third aspect, the UE further comprises a transmitter configured to transmit a completion message to the network node, and the instructions, when executed by the at least one processor, cause the UE to further perform the steps of the methods according to the twenty-first aspect insofar as they refer to transmitting a completion message to the network node.
[0114] According to the twenty-fourth aspect of the subject disclosure, the network node or the apparatus in such a network node is provided. The network node comprises a transmitter configured at least to transmit a command message to a UE, at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the network node at least to perform the steps of the methods according to the twenty-second aspect.
[0115] In one group of examples of the twenty-fourth aspect, the network node further comprises a receiver configured to receive a completion message from the UE, and the instructions, when executed by the at least one processor, cause the network node to further perform the steps of the methods according to the twenty-second aspect insofar as they refer to receiving an indication from the UE that the UE is permanently or temporarily stationary.
[0116] In one group of examples of the twenty-fourth aspect that may further be combined with the previous group of examples, the receiver is further configured to at least receive an indication from the UE, and the instructions, when executed by the at least one processor, cause the network node to further perform the steps of the methods according to the twenty-second aspect insofar as they refer to receiving a completion message from the UE.
[0117] In general, in all groups of examples of any of the aspects, the network node may be a 6th Generation (6G) Node B, gNB.
[0118] Further, in general, in all groups of examples of any of the aspects, the MM may be a 6th Generation Mobility Management, 6G-MM.
[0119] Further, in general, in all groups of examples of any of the aspects, a transmitter, be it the UE or the network node, in the PDCP entity can be aware of the wrap-around of the PDCP COUNT value, owing to the fact that the transmitter assigns the PDCP COUNT value for each PDCP data unit, e.g., a PDCP SDU. On the other hand, a receiver, be it the UE or the network node, in the PDCP entity can be aware of the wrap-around of the PDCP COUNT value from the sequence number of the received PDCP data unit, e.g., a PDCP SDU. In practice, it may be the network's responsibility to control and manage the wrap-around issue. Thus, the network, i.e., the network node, will be aware of the PDCP COUNT value status and decide if an action needs to be taken to prevent the PDCP COUNT value wrap-around. Thus, when the network node receives an indication that the PDCP COUNT value is about to wrap around, this indication may come from the network node itself, e.g., be an internal indication, or result from the network node observing the PDCP COUNT and its value and detecting that a wrap-around of the PDCP COUNT value is about to happen.
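The following is an added example, not code from the patent or from any 3GPP protocol stack, that models the mechanics behind paragraphs [0106], [0110] and [0119]: a PDCP COUNT made of HFN and SN with a configurable total length, a transmitter that assigns COUNT to each SDU and therefore knows how close it is to wrapping, a receiver that reconstructs COUNT from the received SN using the RX_DELIV-relative HFN inference of TS 38.323, and a network node that, on an internal "about to wrap" indication, sends a Security Mode Command carrying a longer COUNT length and switches only after the Security Mode Complete. The 4-bit SN, 6-bit COUNT, the wrap margin and the message tuples are assumptions chosen to keep a run short; real NR uses 12- or 18-bit SNs and a 32-bit COUNT. The same run without the extension shows the failure mode the patent targets: COUNT values are reused under the same key.

```python
"""Toy model of PDCP COUNT handling (paragraphs [0106], [0110], [0119]).
Constructed example; not the patent's or any 3GPP stack's code. Bit
widths, margin and message tuples are assumptions to keep the run short."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CountFormat:
    """COUNT = HFN || SN: the low sn_bits travel in the PDCP header, the
    upper count_bits - sn_bits form the HFN both ends keep locally."""
    sn_bits: int
    count_bits: int

    @property
    def sn_mask(self) -> int:
        return (1 << self.sn_bits) - 1

    @property
    def max_count(self) -> int:
        return (1 << self.count_bits) - 1

    @property
    def window(self) -> int:
        # Reordering window for HFN inference, 2^(sn_bits-1) as in TS 38.323
        return 1 << (self.sn_bits - 1)


class Transmitter:
    """Assigns COUNT, so it knows exactly how close the wrap-around is."""

    def __init__(self, fmt: CountFormat):
        self.fmt = fmt
        self.tx_next = 0  # COUNT of the next SDU to send (TX_NEXT)

    def send(self) -> int:
        """Consume one COUNT; only its SN part is placed in the header."""
        count = self.tx_next
        # COUNT feeds ciphering/integrity; a repeated COUNT under the same key
        # repeats the key stream, which is why wrap-around must be prevented.
        self.tx_next = (count + 1) & self.fmt.max_count
        return count & self.fmt.sn_mask

    def about_to_wrap(self, margin: int) -> bool:
        """Internal indication from [0119]: fewer than `margin` COUNTs left."""
        return self.fmt.max_count - self.tx_next < margin


class Receiver:
    """Reconstructs COUNT from the SN relative to RX_DELIV (TS 38.323 5.2.2.1)."""

    def __init__(self, fmt: CountFormat):
        self.fmt = fmt
        self.rx_deliv = 0  # COUNT of the first SDU not yet delivered
        self.wrap_seen = False

    def receive(self, rcvd_sn: int) -> int:
        fmt = self.fmt
        deliv_sn, deliv_hfn = self.rx_deliv & fmt.sn_mask, self.rx_deliv >> fmt.sn_bits
        if rcvd_sn < deliv_sn - fmt.window:
            hfn = deliv_hfn + 1  # SN already wrapped ahead of us
        elif rcvd_sn >= deliv_sn + fmt.window:
            hfn = deliv_hfn - 1  # late SDU from the previous HFN
        else:
            hfn = deliv_hfn
        count = (hfn << fmt.sn_bits) | rcvd_sn
        if count > fmt.max_count:
            self.wrap_seen = True  # peer's COUNT has wrapped to zero
            count &= fmt.max_count
        self.rx_deliv = count + 1  # in-order delivery assumed in this model
        return count


def run(n_sdus: int, fmt: CountFormat, margin: int,
        extended_bits: Optional[int]) -> dict:
    """Drive one DRB direction for n_sdus SDUs. With extended_bits set, the
    network node sends a Security Mode Command with the longer COUNT length
    when the margin is hit and, per [0110], applies it only after the
    Security Mode Complete; the UE applies it when it sends that message."""
    nw, ue = Transmitter(fmt), Receiver(fmt)
    log, seen, command_at, reused, mismatches = [], set(), None, 0, 0
    for _ in range(n_sdus):
        if extended_bits and command_at is None and nw.about_to_wrap(margin):
            command_at = nw.tx_next
            log.append(("SecurityModeCommand", {"pdcpCountLength": extended_bits}))
            ue.fmt = CountFormat(fmt.sn_bits, extended_bits)
            log.append(("SecurityModeComplete", {}))
            nw.fmt = ue.fmt
        expected = nw.tx_next
        reused += expected in seen  # same COUNT used twice under one key
        seen.add(expected)
        mismatches += ue.receive(nw.send()) != expected
    return {"command_at": command_at, "wrapped": ue.wrap_seen, "reused": reused,
            "mismatches": mismatches, "tx_next": nw.tx_next, "log": log}


if __name__ == "__main__":
    F = CountFormat(sn_bits=4, count_bits=6)
    print(run(70, F, margin=8, extended_bits=8))     # extended, no reuse
    print(run(70, F, margin=8, extended_bits=None))  # wraps, 6 COUNTs reused
```

Note that only the HFN width changes: the SN in the header stays the same, so the switch is invisible on the air interface and both ends must apply the new length at the same COUNT, which is why the model ties the switch to the completion message rather than to the command.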
[0120] The above-noted aspects and features may be implemented in systems, apparatuses, methods, articles and/or non-transitory computer-readable media depending on the desired configuration. The subject disclosure may be implemented in and/or used with a number of different types of devices, including but not limited to cellular phones, tablet computers, wearable computing devices, portable media players, and any of various other computing devices.
[0121] This summary is intended to provide a brief overview of some of the aspects and features according to the subject disclosure. Accordingly, it will be appreciated that the above-described features are merely examples and should not be construed to narrow the scope of the subject disclosure in any way. Other features, aspects, and advantages of the subject disclosure will become apparent from the following detailed description, drawings, and claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0122] A better understanding of the subject disclosure can be obtained when the following detailed description of various embodiments is considered in conjunction with the following drawings, in which:
[0123] FIG. 1 shows a schematic diagram of an example (mobile/wireless) communication system or network;
[0124] FIG. 2 shows a schematic diagram of an example UE;
[0125] FIG. 3 shows a schematic diagram of an example network node;
[0126] FIG. 4A shows a schematic diagram illustrating ciphering and de-ciphering using several parameters as input;
[0127] FIG. 4B shows a schematic diagram illustrating integrity protection and integrity verification using several parameters as input;
[0128] FIG. 5A shows a flowchart showing steps of an example method performed by the UE according to the invention, e.g., the thirteenth aspect of the invention;
[0129] FIG. 5B shows a flowchart showing steps of a further example method performed by the UE according to the invention, e.g., the thirteenth aspect of the invention;
[0130] FIG. 5C shows a flowchart showing steps of a further example method performed by the UE according to the invention, e.g., the thirteenth aspect of the invention;
[0131] FIG. 6 shows a flowchart showing steps of a further example method performed by the network node according to the invention, e.g., the fourteenth aspect of the invention;
[0132] FIG. 7 shows a flowchart for a first example of a communication system according to the invention, e.g., the thirteenth to sixteenth aspect, illustrating the steps performed by the user entity, the network node and an MM;
[0133] FIG. 8 shows a flowchart for a second example of a communication system according to the invention, e.g., the thirteenth to sixteenth aspect, illustrating the steps performed by the user entity, the network node and an MM;
[0134] FIG. 9 shows a flowchart showing steps of an example method performed by the UE according to the invention, e.g., the fifth aspect of the invention;
[0135] FIG. 10 shows a flowchart showing steps of an example method performed by the network node according to the invention, e.g., the sixth aspect of the invention;
[0136] FIG. 11 shows a flowchart for an example of a communication system according to the invention, e.g., the fifth to eighth aspect, illustrating the steps performed by the user entity, the network node and an MM;
[0137] FIG. 12 illustrates a flowchart showing steps of an example method performed by the UE according to the invention, e.g., the ninth aspect of the invention;
[0138] FIG. 13 illustrates a flowchart showing steps of example methods performed by the network node according to the invention, e.g., the tenth aspect of the invention;
[0139] FIG. 14 illustrates the structure of the PDCP, RLC, MAC and PHY layer according to a conventional DAPS setup;
[0140] FIG. 15 illustrates the structure of the PDCP, RLC, MAC and PHY layer according to a modified DAPS setup;
[0141] FIG. 16 shows a flowchart for an example of a communication system according to the invention, e.g., the ninth to twelfth aspect, illustrating the steps performed by the user entity, the network node and an MM;
[0142] FIG. 17 illustrates a flowchart showing steps of an example method performed by the UE according to the invention, e.g., the first aspect of the invention;
[0143] FIG. 18 illustrates a flowchart showing steps of an example method performed by the network node according to the invention, e.g., the second aspect of the invention;
[0144] FIG. 19 shows a flowchart for an example of a communication system according to the invention, e.g., the first to fourth aspect, illustrating the steps performed by the user entity, the network node and an MM, a session management and a user plane function;
[0145] FIG. 20 shows a flowchart showing steps of an example method performed by the UE according to the invention, e.g., the seventeenth aspect of the invention;
[0146] FIG. 21 shows a flowchart showing the steps of an example method performed by the network node according to the invention, e.g., the eighteenth aspect of the invention;
[0147] FIG. 22 shows a flowchart for an example of a communication system according to the invention, e.g., the seventeenth to twentieth aspect, illustrating the steps performed by the user entity and the network node;
[0148] FIG. 23 shows a flowchart showing the steps of an example method performed by the UE according to the invention, e.g., the twenty-first aspect of the invention;
[0149] FIG. 24 shows a flowchart showing the steps of an example method performed by the network node according to the invention, e.g., the twenty-second aspect of the invention;
[0150] FIG. 25 illustrates schematically a graphical representation of the PDCP COUNT, and it shows what its length is made up of;
[0151] FIG. 26 shows a flowchart for an example of a communication system according to the invention, e.g., the twenty-first to twenty-fourth aspect, illustrating the steps performed by the user entity and the network node; and
[0152] FIGS. 27A and 27B illustrate schematic block diagrams showing structures of apparatuses according to embodiments of the subject disclosure.
DETAILED DESCRIPTION
[0153] The examples and embodiments set forth below represent information to enable those skilled in the art to practice the subject disclosure. Upon reading the following description in light of the accompanying drawing figures, those skilled in the art will understand the concepts of the description and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the description.
[0154] In the following description, numerous specific details are set forth. However, it is understood that embodiments may be practiced without these specific details. In other instances, well-known circuits, structures, and techniques have not been shown in detail in order not to obscure the understanding of the description. Those of ordinary skill in the art, with the included description, will be able to implement appropriate functionality without undue experimentation.
[0155] References in the specification to "one embodiment," "an embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to implement such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
[0156] It is to be noted that the detailed description, at times, refers to one or more specifications being used as non-limiting and illustrative examples for certain architectures, network configurations and system deployments. More specifically, the detailed description refers to 3GPP standards, being used as non-limiting and illustrative examples. As such, the example embodiments provided herein can specifically employ terminology which is directly related thereto. Such terminology is only used in the context of the non-limiting and illustrative examples and is not intended to limit the example embodiments in any way. Rather, any other system configuration or deployment may be utilized while complying with what is described herein and/or example embodiments are applicable to it.
[0157] For example, various example embodiments are applicable in any (e.g., mobile/wireless) communication system, such as a 5G/NR system and a next-generation system beyond 5G such as 6G. For example, various example embodiments are applicable in a 3GPP-standardized mobile/wireless communication system of Release 18 onwards, or in future 5G standards.
[0158] Hereinafter, various example embodiments are described using several variants and/or alternatives. It is generally to be noted that, according to certain implementations or constraints, all the described variants and/or alternatives may be provided alone or in any conceivable combination (e.g., also including combinations of individual features of these various variants and/or alternatives).
[0159] As used herein, the words "comprising" and "including" should be understood as not limiting the example embodiments to consist of only those features that have been mentioned, and example embodiments may also contain, among other things, e.g., features, structures, units, modules, or the like, that have not been specifically mentioned.
[0160] As used herein, "at least one of the following: <a list of two or more elements>" and "at least one of <a list of two or more elements>" and similar wording, like "one or more of", where the list of two or more elements is joined by "and" or "or", mean at least any one of the elements, or at least any two or more of the elements, or at least all the elements.
[0161] As used herein, according to various example embodiments, any operations of sending or receiving may comprise actual transmission or communication operations, i.e., transmitting or communicating associated messages or signals, but may additionally or alternatively comprise related processing operations, i.e., preparing/generating/issuing associated messages or signals before sending and/or obtaining/handling/processing of associated messages or signals after receiving. For example, sending a message at/by an entity may comprise generating/issuing and/or transmitting/communicating thereof or a corresponding signal in/at/by the entity, and receiving a message at/by an entity may comprise obtaining/handling and/or processing thereof or a corresponding signal in/at/by the entity. As used herein, a message may refer to and/or encompass any kind of corresponding information, signal, or the like. Further, security operations like ciphering and integrity protection may additionally or alternatively comprise related processing operations, i.e., deciphering and integrity verification. For better readability, throughout this application ciphering and integrity protection should be understood to encompass also deciphering and integrity verification, depending on the context of a message, data (units) and other information, i.e., whether it is to be transmitted or is received.
[0162] In the drawings, it is to be noted that lines/arrows interconnecting individual blocks or entities are generally meant to illustrate an operational coupling there-between, which may be a physical and/or logical coupling, which on the one hand is implementation-independent (e.g., wired, or wireless) and on the other hand may also comprise an arbitrary number of intermediary functional blocks or entities not shown. In flowcharts or sequence diagrams, the illustrated order of operations or actions is generally non-limiting and illustrative, and any other order of respective operations or actions is conceivable, if feasible.
[0163] Before explaining example embodiments in detail, certain general principles of a (mobile/wireless) communication system or network are briefly explained with reference to FIGS. 1 to 3 to assist in understanding the technology underlying the described example embodiments.
[0164] FIG. 1 illustrates an example of a (mobile/wireless) communication system or network 100, for example a 6G network, that may be used for wireless communications. Communication system or network 100 includes wireless devices or entities, such as UEs 110 (e.g. UEs 110A-110C), and network nodes or entities 112. An example for such network nodes or entities 112 are radio access nodes 120 (e.g., 120A-120B) (e.g., eNBs, gNBs, etc.), or the one or more network nodes or entities 130. The different network nodes or entities 112 can be connected to each other via an interconnecting network 125. Communication system or network 100 may use any suitable deployment scenarios. UEs 110 within coverage area 115 may each be capable of communicating directly with radio access nodes 120 over a wireless interface.
[0165] As an example, UE 110A may communicate with radio access node 120A over a wireless interface. That is, UE 110A may transmit wireless signals to and/or receive wireless signals from radio access node 120A. The wireless signals may contain voice traffic, data traffic, control signals, and/or any other suitable information.
[0166] As used herein, the term "user equipment" (UE) has the full breadth of its ordinary meaning and may refer to any type of wireless device or entity which can communicate with a network node or entity and/or with another UE in a cellular or mobile or wireless/mobile communication system. Examples of UE are target device, D2D UE, machine type UE or UE capable of machine-to-machine (M2M) communication, personal digital assistant, tablet, mobile terminal, smartphone, laptop embedded equipment (LEE), laptop mounted equipment (LME), USB dongles, ProSe UE, vehicle-to-vehicle (V2V) UE, V2X UE, MTC UE, eMTC UE, FeMTC UE, UE Cat 0, UE Cat M1, IoT device, narrow band IoT (NB-IoT) UE, UE Cat NB1, etc. Example embodiments of a UE are described in more detail below with respect to FIG. 2.
[0167] In some embodiments, an area of wireless signal coverage 115 associated with a radio access node 120 may be referred to as a cell. However, particularly with respect to the 5G New Radio (NR) and potentially also the 6G mobile communication concepts, beams may be used instead of cells and, as such, it is important to note that concepts described herein are equally applicable to both cells and beams.
[0168] With respect to a beam-based mobile communication system, the radio access node 120 (base station) may transmit a beamformed signal to the UE 110 in one or more transmit directions (transmission beam, Tx beam). The UE 110 may receive the beamformed signal from the base station 120 in one or more receive directions (reception beam, Rx beam). The UE 110 may also transmit a beamformed signal to the base station 120 in one or more directions and the base station 120 may receive the beamformed signal from the UE 110 in one or more directions. The base station 120 and the UE 110 may determine the best receive and transmit directions, e.g., best in the sense of these directions leading to the highest link quality or fulfilling other quality conditions in the most suitable manner, for each of the base station/UE pairs.
[0169] The interconnecting network 125 may refer to any interconnecting system capable of transmitting audio, video, signals, data, messages, etc., or any combination of the preceding. The interconnecting network 125 may include all or a portion of a public switched telephone network (PSTN), a public or private data network, a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a local, regional, or global communication or computer network such as the Internet, a wireline or wireless network, an enterprise intranet, or any other suitable communication link, including combinations thereof.
[0170] In some embodiments, the network node 130 may be a core network node, managing the establishment of communication sessions and various other functionalities for UEs 110. Examples of network node 130 may include mobile switching center (MSC), MME, serving gateway (SGW), packet data network gateway (PGW), operation and maintenance (O&M), operations support system (OSS), SON, positioning node (e.g., Enhanced Serving Mobile Location Center, E-SMLC), location server node, MDT node, etc. UEs 110 may exchange certain signals with the network node 130 using the non-access stratum (NAS) layer. In non-access stratum signaling, signals between UEs 110 and the network node 130 may be transparently passed through the radio access network. In some embodiments, radio access nodes 120 may interface with one or more network nodes 130 over an internode interface.
[0171] As used herein, the term "network node or entity" has the full breadth of its ordinary meaning and may correspond to any type of radio access node (or radio network node) or any network node, which can communicate with a UE and/or with another network node in a cellular or mobile or wireless communication system. Examples of network nodes are NodeB, MeNB, SeNB, a network node belonging to MCG or SCG, base station (BS), multi-standard radio (MSR) radio access node such as MSR BS, eNodeB, network controller, radio network controller (RNC), base station controller (BSC), relay, donor node controlling relay, base transceiver station (BTS), access point (AP), transmission point, transmission node, RRU, RRH, node in distributed antenna system (DAS), core network node (e.g., MSC, MME, etc.), O&M, OSS, Self-organizing Network (SON), positioning node (e.g., E-SMLC), MDT, test equipment, etc. Example embodiments of a network node are described in more detail below with respect to FIG. 3.
[0172] In some embodiments, radio access node 120 may be a distributed radio access node. The components of the radio access node 120, and their associated functions, may be separated into two main units (or sub-radio network nodes) which may be referred to as the central unit (CU) and the distributed unit (DU). Different distributed radio network node architectures are possible. For instance, in some architectures, a DU may be connected to a CU via a dedicated wired or wireless link (e.g., an optical fiber cable) while in other architectures, a DU may be connected to a CU via a transport network. Also, how the various functions of the radio access node 120 are separated between the CU(s) and DU(s) may vary depending on the chosen architecture.
[0173] Exemplary wireless communication systems are architectures standardized by the 3rd Generation Partnership Project (3GPP). A latest 3GPP based development is often referred to as the long-term evolution (LTE) of the Universal Mobile Telecommunications System (UMTS) radio-access technology (RAT). The various development stages of the 3GPP specifications are referred to as releases. More recent developments of the LTE are often referred to as LTE Advanced (LTE-A). The LTE (LTE-A) employs a radio mobile architecture known as the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and a core network known as the Evolved Packet Core (EPC). Base stations of such systems are known as evolved or enhanced Node Bs (eNBs) and provide E-UTRAN features such as user plane Packet Data Convergence/Radio Link Control/Medium Access Control/Physical layer protocol (PDCP/RLC/MAC/PHY) and control plane Radio Resource Control (RRC) protocol terminations towards the communication devices. Other RAT examples comprise those provided by base stations of systems that are based on technologies such as WLAN and/or Worldwide Interoperability for Microwave Access (WiMax). A base station can provide coverage for an entire cell or similar radio service area. Core network elements include Mobility Management Entity (MME), Serving Gateway (S-GW) and Packet Gateway (P-GW).
[0174] An example of a suitable communications system is the 5G or NR, or the 6G concept. Network architecture in NR may be similar to that of LTE-A. Base stations of NR systems may be known as next generation or 6G Node Bs (gNBs). Changes to the network architecture may depend on the need to support various radio technologies and finer QoS support, and some on-demand requirements for QoS levels to support Quality of Experience (QoE) from the user's point of view. Also network aware services and applications, and service and application aware networks may bring changes to the architecture. Those are related to Information Centric Network (ICN) and User-Centric Content Delivery Network (UC-CDN) approaches. NR may use multiple input-multiple output (MIMO) antennas, many more base stations or nodes than the LTE (a so-called small cell concept), including macro sites operating in co-operation with smaller stations and perhaps also employing a variety of radio technologies for better coverage and enhanced data rates.
[0175] Future networks, like 6G, may utilize network functions virtualization (NFV) which is a network architecture concept that proposes virtualizing network node functions into "building blocks" or entities that may be operationally connected or linked together to provide services. A virtualized network function (VNF) may comprise one or more virtual machines running instructions using standard or general type servers instead of customized hardware. Cloud computing or data storage may also be utilized. In radio communications this may mean node operations to be carried out, at least partly, in a server, host or node operationally coupled to a remote radio head. It is also possible that node operations will be distributed among a plurality of servers, nodes, or hosts. It should also be understood that the distribution of labor between core network operations and base station operations may differ from that of the LTE or even be non-existent.
[0176] An example 5G core network (CN) comprises functional entities which may also be present in a 6G network. The CN is connected to a UE via the radio access network (RAN). A UPF (User Plane Function) whose role is called PSA (PDU Session Anchor) may be responsible for forwarding frames back and forth between the DN (data network) and the tunnels established over the 5G towards the UEs exchanging traffic with the data network (DN). The UPF is controlled by an SMF (Session Management Function) that receives policies from a PCF (Policy Control Function). The CN may also include an AMF (Access & Mobility Function).
[0177] Generally, all concepts disclosed herein may be applicable to different communication networks, comprising but not limited to LTE, LTE-A, 5G, 5G advanced, 6G, and other future or already implemented networks.
[0178] FIG. 2 is a schematic diagram of an example wireless device, UE 110, according to certain example embodiments. UE 110 may include one or more of at least one transceiver 210, at least one processor 220, at least one memory 230, and at least one network interface 240. In certain example embodiments, the transceiver 210 facilitates transmitting wireless signals to and receiving wireless signals from radio access node 120 (e.g., via transmitter(s) (Tx), receiver(s) (Rx) and antenna(s)). The processor 220 executes instructions to provide some or all of the functionalities described herein as being provided by a wireless device/entity or UE, and the memory 230 stores the instructions executed by the processor 220. In some embodiments, the processor 220 and the memory 230 form processing circuitry.
[0179] The processor 220 may include any suitable combination of hardware to execute instructions and manipulate data to perform some or all the described functions of a wireless device or entity, such as the functions of UE 110 described herein. In some embodiments, the processor 220 may include, for example, one or more computers, one or more central processing units (CPUs), one or more microprocessors, one or more application specific integrated circuits (ASICs), one or more field programmable gate arrays (FPGAs) and/or other logic.
[0180] The memory 230 is generally operable to store instructions, such as a computer program, software, an application including one or more of logic, rules, algorithms, code, tables, etc. and/or other instructions capable of being executed by a processor 220. Examples of memory 230 include computer memory (for example, Random Access Memory (RAM) or Read Only Memory (ROM)), mass storage media (for example, a hard disk), removable storage media (for example, a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or any other volatile or non-volatile, non-transitory computer-readable and/or computer-executable memory devices that store information, data, and/or instructions that may be used by the processor 220 of UE 110. For example, the memory 230 includes instructions causing the processor 220 to perform processing according to any corresponding methods described herein.
[0181] The network interface 240 is communicatively coupled to the processor 220 and may refer to any suitable device operable to receive input for UE 110, send output from UE 110, perform suitable processing of the input or output or both, communicate to other devices, or any combination thereof. The network interface 240 may include appropriate hardware (e.g., port, modem, network interface card, etc.) and software, including protocol conversion and data processing capabilities, to communicate through a network.
[0182] Other embodiments of UE 110 may include additional components beyond those shown in FIG. 2 that may be responsible for providing certain aspects of the wireless device's functionalities, including any of the functionalities described herein and/or any additional functionalities (including any functionality necessary to support the mechanisms according to the subject disclosure). As an example, UE 110 may include input devices and circuits, output devices, and one or more synchronization units or circuits, which may be part of the processor 220. Input devices include mechanisms for entry of data into UE 110. For example, input devices may include input mechanisms, such as a microphone, input elements, a display, etc. Output devices may include mechanisms for outputting data in audio, video and/or hard copy format. For example, output devices may include a speaker, a display, etc.
[0183] In certain example embodiments, the wireless device UE 110 may comprise a series of modules configured to implement the functionalities of the wireless device described herein.
[0184] It will be appreciated that the various modules may be implemented as combination of hardware and software, for instance, the processor, memory, and transceiver(s) of UE 110 shown in FIG. 2. Certain example embodiments may also include additional modules to support additional and/or optional functionalities.
[0185] FIG. 3 is a schematic diagram of an example network node, including radio access node 120 or network node or entity 130, according to certain example embodiments. Radio access node 120 or network node or entity 130 may include one or more of at least one transceiver 310, at least one processor 320, at least one memory 330, and at least one network interface 340. In certain example embodiments, the transceiver 310 facilitates transmitting wireless signals to and receiving wireless signals from wireless devices, such as UE 110 (e.g., via transmitter(s) (Tx), receiver(s) (Rx), and antenna(s)). The processor 320 executes instructions to provide some or all the functionalities described herein as being provided by the radio access node 120 or the network node or entity 130, the memory 330 stores the instructions executed by the processor 320. In some embodiments, the processor 320 and the memory 330 form processing circuitry. The network interface 340 can communicate signals to backend network components, such as a gateway, switch, router, Internet, Public Switched Telephone Network (PSTN), core network nodes or radio network controllers, etc. [0186] The processor 320 can include any suitable combination of hardware to execute instructions and manipulate data to perform some or all the described functions of the radio access node 120 or the network node or entity 130, such as those described herein. In some embodiments, the processor 320 may include, for example, one or more computers, one or more central processing units (CPUs), one or more microprocessors, one or more application specific integrated circuits (ASICs), one or more field programmable gate arrays (FPGAs) and/or other logic.
[0187] The memory 330 is generally operable to store instructions, such as a computer program, software, an application including one or more of logic, rules, algorithms, code, tables, etc. and/or other instructions capable of being executed by a processor 320. Examples of memory 330 include computer memory (for example, Random Access Memory (RAM) or Read Only Memory (ROM)), mass storage media (for example, a hard disk), removable storage media (for example, a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or any other volatile or non-volatile, non-transitory computer-readable and/or computer-executable memory devices that store information. For example, the memory 330 includes instructions causing the processor 320 to perform processing according to any corresponding methods described herein.
[0188] In certain example embodiments, the network interface 340 is communicatively coupled to the processor 320 and may refer to any suitable device operable to receive input for the radio access node 120 or the network node or entity 130, send output from the radio access node 120 or the network node or entity 130, perform suitable processing of the input or output or both, communicate to other devices, or any combination of the preceding. The network interface 340 may include appropriate hardware (e.g., port, modem, network interface card, etc.) and software, including protocol conversion and data processing capabilities, to communicate through a network.
[0189] Other example embodiments of the radio access node 120 or the network node or entity 130 can include additional components beyond those shown in FIG. 3 that may be responsible for providing certain aspects of the node's functionalities, including any of the functionalities described herein and/or any additional functionalities (including any functionality necessary to support the solutions described herein). The various different types of radio access nodes or network nodes may include components having the same physical hardware but configured (e.g., via programming) to support different radio access technologies, or may represent partly or entirely different physical components.
[0190] Processors, interfaces, and memory similar to those described with respect to FIG. 3 may be included in other nodes or entities (such as UE 110, radio access node 120, etc.). Other nodes or entities may optionally include or not include a wireless interface (such as the transceiver described in FIG. 3).
[0191] In certain example embodiments, the radio access node 120 or the network node or entity 130 may comprise a series of modules configured to implement the functionalities of the radio access node 120 or the network node or entity 130 described herein.
[0192] It will be appreciated that the various modules may be implemented as combination of hardware and software, for instance, the processor, memory, and transceiver(s) of the radio access node 120 or the network node or entity 130 shown in FIG. 3. Certain example embodiments may also include additional modules to support additional and/or optional functionalities.
[0193] FIG. 5A-5C illustrate examples of methods according to the invention, e.g., the thirteenth aspect, that may be performed by the UE 110. These methods start with receiving 502 a reconfiguration message from the network node 112. The reconfiguration message may be an RRC Reconfiguration message. In any case, as FIG. 5A shows, the reconfiguration message includes an indication to discard 504, in at least one protocol layer (e.g., PDCP, RLC and/or MAC layer), all data units that are meant to be transmitted via the DRB, e.g., from the UE to the network node or vice versa. This indication may, e.g., be a flag. The data units may be SDUs and/or PDUs. Further, the reconfiguration message includes an indication to reconfigure 506 a first DRB identified by a first DRB ID. The DRB ID may be included in the reconfiguration message. Further, the reconfiguration message may include a new second DRB ID to be used for the reconfiguration. Further, the reconfiguration message may include a new second DRB configuration, the new DRB ID being a part of this second configuration.
[0194] In response to the reconfiguration message the UE 110 discards 504, in the at least one protocol layer, all data units that are meant to be transmitted via the DRB, and reconfigures 506 the DRB using at least the second DRB ID. In any case, as shown in Figs. 5A, 5B and 5C, the UE 110 starts to use 508 the second DRB ID for ciphering and integrity protecting any data units that have not yet been ciphered and integrity protected, and transmits them to the network node 112.
[0195] Further, Figs. 5A, 5B, 5C show that in any case the following optional steps (indicated by dashed lines) may be performed. After the reconfiguration 506, 506a, 506b of the DRB, the UE 110 may transmit 512 a completion message to the network node 112. The completion message indicates the successful reconfiguration of the DRB. The completion message may be an RRC Reconfiguration Complete message. Further, after the discarding 504 of data units, a random-access procedure may be performed 510 by the UE 110. E.g., the random-access procedure may be performed 510 after the discarding step 504 and a re-adding step 506b (see FIG. 5B, discussed below), or after the discarding step 504 and a modification step 506c (see FIG. 5C, discussed below).
[0196] FIG. 5B shows a first possibility in which the reconfiguration step 506 is performed including releasing and then re-adding the DRB. Thus, in this case, in a first sub-step 506a the DRB identified by the first DRB ID is released and in a subsequent, second sub-step 506b the DRB is re-added with the second DRB ID. The reconfiguration message may include a corresponding indication to release 506a and re-add 506b the DRB (e.g. it may be a RRC Reconfiguration message including such indications). In this case, the discarding step 504 may be performed between the releasing step 506a and the re-adding step 506b.
[0197] FIG. 5C shows a second possibility in which the reconfiguration step 506 is performed by modifying the DRB identified by the first DRB ID with the new, second DRB ID. In this case, the discarding step 504 may be performed before the modifying step 506c.
[0198] Further, several options for the discarding step 504 exist. For example, the discarding step 504 may involve discarding all data units in all protocol layers from the PDCP layer downwards (e.g. PDCP, RLC and MAC layer). The reconfiguration message sent by the network node 112 may comprise a corresponding indication to discard all data units in these protocol layers. This way a clear cut is defined after which no further data units are transmitted, in particular no data units ciphered and integrity protected using the first DRB ID. However, this may result in a loss of some of the data units, which may not be optimal for user perceived performance.
[0199] To avoid such data loss, an additional option exists. The discarding step 504 may involve discarding 504 all data units in all protocol layers below the PDCP layer, but not in the PDCP layer itself (e.g. RLC and MAC layer). For example, the reconfiguration message may comprise a corresponding indication, e.g., in addition to the discarding indication described above, an additional flag indicating data recovery. In this case, the UE 110 discards 504 all data units in all protocol layers below the PDCP layer except the PDCP layer. To handle the remaining, i.e. non-discarded, data units the UE 110 ciphers and integrity protects 508a all remaining data units using the new security inputs, in particular the new, second DRB ID. In particular, the UE 110 may perform transmission 508b of remaining PDCP data units, e.g. SDUs, in the buffer using at least the new DRB ID for ciphering and integrity protection. In case of using Acknowledged Mode (AM) RLC, the transmission 508b may in addition involve retransmission of all the PDCP data units, e.g. PDUs, that have already been submitted to the AM RLC entity. The reconfiguration message may comprise one or more corresponding indications to the UE 110. In any case, after the ciphering and integrity protection step 508a, the resulting data units are submitted to the next lower layer, e.g. the RLC layer, to be transmitted to the network node 112.
[0200] The two options described above may be used in combination with any of the examples of the thirteenth aspect and, in particular, with the examples illustrated by Figs. 5A, 5B and 5C.
[0201] FIG. 6 illustrates examples of methods according to the invention, e.g., the fourteenth aspect, that may be performed by the network node 112. Once the network node 112 receives 602 an indication that the PDCP COUNT value is to wrap around, it transmits 604 a reconfiguration message to the UE 110. What has been written about the reconfiguration message in connection with FIG. 5A-5C applies analogously here.
[0202] Upon receiving 606 from the UE 110 a completion message that indicates that the DRB has been reconfigured successfully, the network node 112 starts using 608 the new security parameters, and in particular the new second DRB ID, for ciphering and integrity protecting PDCP data units. The network node 112 thus may mirror the procedure(s) of the UE 110.
[0203] Further, optionally and depending on the option that was used for discarding 504 data units, which may have been indicated in the reconfiguration message, the network node 112 may cipher and integrity protect 608a all remaining data units using the new security inputs, in particular the new, second DRB ID. In particular, the network node 112 may perform transmission of remaining PDCP data units, e.g. SDUs, in the buffer using at least the new DRB ID for ciphering and integrity protection. In case of using Acknowledged Mode (AM) RLC, the network node 112 may in addition perform retransmission of all the PDCP data units, e.g. PDUs, that have already been submitted to the AM RLC entity. In any case, after the ciphering and integrity protection step 608a, the resulting data units are submitted to the next lower layer, e.g. the RLC layer, to be transmitted to the UE 110.
[0204] Further optionally, the network node 112 may transmit 610 a PDU Session Resource Modify Indication message to the MM 140 upon receiving the completion message from the UE 110. The DRB ID change may be provided as a reason for sending the PDU Session Resource Modify Indication message.
[0205] Figs. 7 and 8 illustrate examples of the steps taken by and the communication between the UE 110 and the network node 112. Furthermore, Figs. 7 and 8 show an MM 140 and the communication between the MM 140 and the network node 112.
[0206] As Figs. 7 and 8 show, before receiving an indication that the PDCP COUNT is to wrap-around, security is activated with the first (old) DRB. Thus, a specific security context is used. Further, it is shown that the MM 140 may, in response to receiving the PDU Session Resource Modify indication message, transmit 712 a PDU Session Resource Modify Indication Confirm message to the network node 112. Further, Figs. 7 and 8 show the optional step of ciphering and integrity protecting 508a, 608a the remaining data units and transmitting 508b, 608b them when the step of discarding 504 all data units in all protocol layers below the PDCP layer except the PDCP layer is performed.
[0207] FIG. 7 illustrates examples in which the reconfiguration 506 is performed by releasing 506a and re-adding 506b the DRB.
[0208] FIG. 8 illustrates examples in which reconfiguration 506 is performed by modifying 506c the DRB.
[0209] FIG. 9 shows an example method performed by the UE according to the invention, e.g., the fifth aspect of the invention. At 902 the UE 110 receives a reconfiguration message from a network node 112 which indicates to the UE 110 an additional DRB configuration for a second DRB with a second DRB ID. The reconfiguration message can also indicate to the UE 110 that the second DRB should be added to the same QoS flow 1001 to which an existing first DRB already belongs. The reconfiguration message may, e.g., be an RRC Reconfiguration message.
[0210] In response to receiving 902 the reconfiguration message the UE 110 establishes 904 the second DRB and maps 905 it to the QoS flow 1001 in addition to the first DRB. Thus, two DRBs exist in parallel in the same QoS flow 1001. Once the second DRB has been established 904 and mapped 905 to the QoS flow 1001, the UE 110 starts using 906 the second DRB for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected, e.g. from an SDAP layer or higher protocol layer. For example, the UE stops transmitting (e.g. in the SDAP layer) new data units (e.g. SDAP PDUs) over the first DRB and instead starts transmitting 908 all new data units over the second DRB. The UE 110 then transmits 908 the data units via the second DRB to the network, in particular the network node 112.
[0211] The reconfiguration message may, optionally, indicate to the UE 110 to derive 918 a second security key to be used 916 for ciphering and integrity protecting the data units. If the security key change is indicated by the reconfiguration message, the UE 110 derives 918 a new, second security key. Thus, the second DRB ID and/or the second security key may be used 916 for ciphering and integrity protecting the data units.
[0212] Further, the UE 110 transmits 910 all data units that have already been ciphered and integrity protected using the first DRB ID (remaining data units) via the first DRB. Once all remaining data units have been transmitted via the first DRB, the UE 110 transmits 912 an indication to the network node 112, to indicate that all remaining data units have been successfully transmitted. The indication may be implemented as an end-marker packet sent via the first DRB to the network node 112. Such an end-marker packet indicates that it is the last packet or data unit to be sent via the first DRB. This way, the network node 112 may be informed that all remaining data units have been successfully transmitted, i.e., no more data units are to be expected via the first DRB.
[0213] FIG. 10 shows an example method performed by the network node according to the invention, e.g. the sixth aspect of the invention.
[0214] At 1002, the network node receives an indication that the PDCP COUNT value is about to wrap around. In response to this, the network node 112 transmits 1004 a reconfiguration message to the UE 110. This message may indicate at least a second DRB ID for a second DRB to be additionally mapped to the QoS flow 1001. The message may further indicate a DRB configuration comprising the second DRB ID.
[0215] At 1006, the network node 112 receives an indication from the UE 110 that the second DRB has been established with the second DRB ID. As in the case of the UE 110, the indication may be implemented as an end-marker packet sent via the first DRB to the network node 112. In response to this indication the network node 112 starts using 1008 the second DRB ID for ciphering and integrity protecting any PDCP data units that so far have not yet been ciphered and integrity protected. Once ciphered and integrity protected, these data units are transmitted 1010 via the second DRB. For example, the network node 112 stops transmitting (e.g. in the SDAP layer) new data units (e.g. SDAP PDUs) over the first DRB and instead starts transmitting 1010 all new data units over the second DRB. However, any PDCP data units that have already been ciphered and integrity protected using the first DRB ID (remaining PDCP data units) are transmitted 1012 via the first DRB. Thus, in this regard the network node 112 mirrors the procedure of the UE 110. Finally, upon receiving 1014 an indication from the UE 110 indicating the successful transmission of all remaining PDCP data units, the network node 112 transmits 1016 a release message to the UE 110 indicating to the UE 110 to release the first DRB from the QoS flow 1001.
[0216] Optionally, at 1020, the network node 112 may transmit a PDU Session Resource Modify Indication message to an MM 140 which indicates the addition of the second DRB to the existing QoS flow 1001. This may happen in response to transmitting 1004 the reconfiguration message, or upon receiving 1019 a completion message from the UE 110 indicating the successful addition of the second DRB to the QoS flow 1001. The MM may, in response to receiving the PDU Session Resource Modify Indication message, transmit a PDU Session Resource Modify Indication Confirm message to the network node 112.
[0217] Optionally, at 1022, the network node 112 may transmit a PDU Session Resource Modify Indication message to an MM 140 which indicates the release of the first DRB from the existing QoS flow 1001. This may happen in response to transmitting 1016 the release message to the UE 110, or upon receiving 1021 a further completion message from the UE 110 indicating the successful release of the first DRB from the existing QoS flow 1001. The MM may, in response to receiving the PDU Session Resource Modify Indication message, transmit a PDU Session Resource Modify Indication Confirm message to the network node 112.
[0218] FIG. 11 illustrates an example of the steps taken by and the communication between the UE 110 and the network node 112. Furthermore, FIG. 11 shows an MM 140 and the communication between the MM 140 and the network node 112.
[0219] FIG. 12 illustrates a flowchart showing steps of example methods performed by the UE according to the invention, e.g. the ninth aspect. At 1202 the UE 110 receives a reconfiguration message from the network node 112. This message indicates to the UE 110 to perform a reconfiguration of the DRB identified by the DRB ID. To this end the DRB ID may be included in the reconfiguration message. The reconfiguration message further indicates to perform the reconfiguration using a modified dual active protocol stack, DAPS, setup, and includes a second logical channel identifier, LCID. The reconfiguration message may further comprise an indication to change the current security key (first security key). The reconfiguration message may be an RRC Reconfiguration message. In response to the reconfiguration message, the UE 110 sets up the DRB using the modified DAPS setup.
[0220] The modified DAPS setup differs from the conventional DAPS setup as defined, e.g., in 3GPP TS 38.300. The modified DAPS setup comprises establishing 1206, in addition to an existing, first RLC layer entity, a second RLC layer entity. Thus, the existing PDCP layer entity, first RLC layer entity, MAC layer entity, and PHY layer entity are maintained and only the second RLC layer entity is added. The second RLC layer entity may have the same configuration as the first RLC layer entity.
[0221] The modified DAPS setup further comprises reconfiguring 1208 the PDCP layer entity to set up a second ciphering and integrity protection function in addition to an existing first ciphering and integrity protection function. The first ciphering and integrity protection function uses a first security key and is assigned to the first RLC layer entity. The second ciphering and integrity protection function uses a second security key different from the first security key and is assigned to the second RLC layer entity.
[0222] The modified DAPS setup further comprises establishing 1210, in addition to a first logical channel having a first LCID, a second logical channel having a second LCID. The second logical channel may have the same configuration as the first logical channel. The MAC layer entity uses the first logical channel for communicating with the first RLC layer entity and the second logical channel for communicating with the second RLC layer entity. Thus, any data unit received by the MAC layer entity can be forwarded to the correct RLC layer entity based on the LCID assigned to the received data unit. E.g., if the UE at the MAC layer receives a data unit with the new LCID, the MAC layer delivers the data unit to the second RLC entity, and the data unit is then processed by the second ciphering and integrity protection function (in particular, de-ciphered and integrity verified) with the second security key.
[0223] Once having reconfigured the DRB as described above, the UE 110 transmits 1212 a first indication, which may be a completion message, in particular an RRC Reconfiguration Complete message, to the network node 112. The indication indicates that the DRB has been successfully reconfigured. Further, the UE 110 uses 1214 the second ciphering and integrity protection function for PDCP data units that have not yet been ciphered and integrity protected and transmits them 1216 via the second RLC entity.
[0224] All remaining PDCP data units that have already been ciphered and integrity protected using the first ciphering and integrity protection function are transmitted 1218 via the first RLC entity.
[0225] Optionally, once the UE 110 has transmitted all remaining PDCP data units, it may transmit 1220 a second indication to the network node 112 which indicates that all remaining PDCP data units have been transmitted. The second indication may be an end-marker packet which indicates that it is the last packet to be sent via the first RLC entity. Thus, the network node 112 can infer from such an end-marker packet that no further data units will be transmitted via the first RLC entity.
[0226] Further optionally, at 1222 the UE 110 may receive a release message from the network node 112 which indicates to release the first RLC entity, the first logical channel, and the first ciphering and integrity protection function. The release message may be an RRC Reconfiguration message. In response to receiving the release message the UE 110 may release 1224 the first RLC entity, the first logical channel, and the first ciphering and integrity protection function. Further, the UE 110 may transmit 1226 a third indication to the network node 112 that indicates the successful release of the first RLC entity, the first logical channel, and the first ciphering and integrity protection function. The third indication may be an RRC Reconfiguration Complete message.
[0227] FIG. 13 illustrates a flowchart showing steps of example methods performed by the network node according to the invention, e.g. the tenth aspect. Upon receiving 1302 an indication that the PDCP COUNT value is about to wrap around, the network node 112 transmits 1304 a reconfiguration message to the UE 110 to reconfigure the DRB identified by the first DRB ID using a modified DAPS setup. The reconfiguration message further comprises a second LCID and may, in addition, comprise an indication to change the security key. What has been discussed with respect to the reconfiguration message and the modified DAPS setup in the context of the method performed by the UE 110 applies here analogously. The reconfiguration message may be an RRC Reconfiguration message.
[0228] Once the network node 112 receives 1312 a first indication from the UE 110, which may be a completion message, in particular an RRC Reconfiguration Complete message, that indicates the successful reconfiguration of the DRB, the network node 112 starts using 1314 the second ciphering and integrity protection function established during the modified DAPS setup for all PDCP data units that have not yet been ciphered and integrity protected. The network node 112 then transmits 1316 these data units via the second RLC layer entity established during the modified DAPS setup.
[0229] Finally, the network node 112 transmits 1318 all PDCP data units that have already been ciphered and integrity protected using the first ciphering and integrity protection function (remaining PDCP units) via the first RLC entity.
[0230] Optionally, the network node 112 may receive 1320 a second indication from the UE 110 indicating that all remaining PDCP data units have been transmitted. This indication may be the end-marker packet discussed above in the context of the method performed by the UE 110. The second indication may be a completion message, in particular an RRC Reconfiguration Complete message.
[0231] In response to the second indication, the network node 112 may transmit 1322 a release message to the UE 110 which indicates to release the first RLC entity, the first logical channel, and the first ciphering and integrity protection function. Releasing the first RLC entity, the first logical channel, and the first ciphering and integrity protection function may be summarized as releasing the modified DAPS setup. The release message may be an RRC Reconfiguration message.
[0232] FIG. 14 shows an example of the conventional DAPS setup with one UE being connected in parallel to a source and a target gNB. The conventional DAPS setup is meant for one UE connecting in parallel to two network nodes, e.g. a source gNB and a target gNB. Thus, while source and target gNB each have one entity for each protocol layer (PDCP, RLC, MAC and PHY), the UE using the conventional DAPS setup for the DRB provides in parallel two entities of each of the RLC, MAC and PHY protocol layers.
[0233] In contrast, the modified DAPS setup according to the invention is modified to be applied in a scenario in which there is only one UE and one network node, e.g., a stationary UE that is not changing cells. FIG. 15 illustrates the transmission between a transmitting side and a receiving side with a modified DAPS setup according to the invention. In particular, in FIG. 15 the transmitting side and the receiving side may be the UE 110 and the network node 112. FIG. 15 shows four protocol layers at each side: the PDCP layer, the RLC protocol layer, the MAC protocol layer and the PHY protocol layer. There is a single entity of the MAC and PHY layers at the transmitting and the receiving side. It is only in the RLC layer that two entities are established, RLC entity #1 and #2. Different LCIDs are assigned to RLC entity #1 and RLC entity #2. This ensures that the MAC layer at the receiver can deliver any received MAC data unit (e.g. MAC SDU) to the associated RLC entity based on the LCID. At the PDCP layer of each of the transmitting and the receiving side two security functions are set up, e.g. ciphering and integrity protection functions #1 and #2 assigned to RLC entities #1 and #2, respectively. This enables ciphering and integrity protection at the transmitting side and de-ciphering and integrity verification at the receiving side.
[0234] After the UE as transmitting side completes (re)transmitting all PDCP data units remaining in the buffer, the UE may generate an end-marker packet and transmit it via the RLC entity #1. Upon receiving the end-marker packet via the RLC entity #1 and completing (re)transmitting all PDCP data units remaining in its own buffer, the network node sends an indication to the UE to release the RLC entity #1 and the logical channel with LCID #1 and to reconfigure the PDCP entity to release the ciphering and integrity protection function #1.
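The receiving side of the modified DAPS setup has to route each MAC data unit to the RLC entity, and thus to the security function, that matches its LCID, and to tear down path #1 only once the end-marker has arrived. The following is an added toy model, not code from the patent or from a 3GPP stack: it uses a truncated HMAC as a stand-in for the NIA MAC-I (ciphering is not modelled), constructed keys, and a constructed end-marker payload, and also shows that a PDU protected with key #1 but carried on LCID #2 fails verification, which is the check a receiver needs for the demultiplexing to be safe.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Added toy model (not the patent's or 3GPP's code): one MAC/PHY, two RLC entities
# told apart by LCID, and two integrity functions (#1 / #2) in a single PDCP entity.
END_MARKER = b"\x00END-MARKER"   # constructed marker payload; the page fixes no format
K1 = hashlib.sha256(b"constructed first security key").digest()[:16]    # function #1
K2 = hashlib.sha256(b"constructed second security key").digest()[:16]   # function #2


def mac_i(key: bytes, count: int, lcid: int, payload: bytes) -> bytes:
    """32-bit MAC-I stand-in (HMAC-SHA256 truncated) over COUNT, LCID and payload."""
    msg = count.to_bytes(4, "big") + bytes([lcid]) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class MacPdu:
    lcid: int
    count: int
    payload: bytes
    mac: bytes


@dataclass
class Transmitter:
    keys: dict      # RLC entity number -> key of the integrity function assigned to it
    lcids: dict     # RLC entity number -> LCID of its logical channel
    count: int = 0

    def submit(self, rlc: int, payload: bytes) -> MacPdu:
        """Protect with the function assigned to this RLC entity and tag with its LCID."""
        lcid = self.lcids[rlc]
        pdu = MacPdu(lcid, self.count, payload, mac_i(self.keys[rlc], self.count, lcid, payload))
        self.count += 1
        return pdu


@dataclass
class Receiver:
    keys: dict                                   # RLC entity number -> key
    rlc_of_lcid: dict                            # LCID -> RLC entity number (MAC demux table)
    delivered: list = field(default_factory=list)
    released: list = field(default_factory=list)

    def mac_receive(self, pdu: MacPdu) -> str:
        rlc = self.rlc_of_lcid.get(pdu.lcid)
        if rlc is None:
            return "unknown-lcid"            # channel never configured or already released
        key = self.keys[rlc]                 # integrity function assigned to this RLC entity
        if not hmac.compare_digest(mac_i(key, pdu.count, pdu.lcid, pdu.payload), pdu.mac):
            return "integrity-failure"       # wrong function for this channel: drop the PDU
        if pdu.payload == END_MARKER:
            self.release(rlc, pdu.lcid)      # last PDU on this path: tear it down
            return "released"
        self.delivered.append(pdu.payload)
        return "ok"

    def release(self, rlc: int, lcid: int) -> None:
        """Release the RLC entity, its logical channel and its integrity function."""
        del self.rlc_of_lcid[lcid]
        del self.keys[rlc]
        self.released.append(rlc)


def run_switch():
    """Remaining PDUs on #1, new PDUs on #2, end-marker on #1, then two rejected PDUs."""
    tx = Transmitter(keys={1: K1, 2: K2}, lcids={1: 1, 2: 2})
    rx = Receiver(keys={1: K1, 2: K2}, rlc_of_lcid={1: 1, 2: 2})
    results = []
    for p in (b"old-1", b"old-2"):                         # already protected with function #1
        results.append(rx.mac_receive(tx.submit(1, p)))
    results.append(rx.mac_receive(tx.submit(2, b"new-1")))  # new data via function #2 / RLC #2
    results.append(rx.mac_receive(tx.submit(1, END_MARKER)))  # receiver releases path #1
    stale = MacPdu(1, tx.count, b"late", mac_i(K1, tx.count, 1, b"late"))   # LCID 1 is gone
    results.append(rx.mac_receive(stale))
    bad = MacPdu(2, tx.count, b"x", mac_i(K1, tx.count, 2, b"x"))   # key #1 on LCID 2: mismatch
    results.append(rx.mac_receive(bad))
    return results, rx.delivered, rx.released, dict(rx.rlc_of_lcid)
```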
[0235] FIG. 16 shows a flowchart for an example of a communication system according to the invention, e.g. the ninth to twelfth aspect, illustrating the steps performed by the UE 110 and the network node 112. Before performing the steps of the methods by the UE 110 and the network node 112, security, e.g. access stratum (AS) security, is activated 1602 with the first security key; after performing the steps of the methods, security is activated 1604 with the second security key.
[0236] FIG. 17 shows an example method performed by the UE 110 according to the invention, e.g. the first aspect. At 1702, the UE 110 receives a release message from the network node 112 indicating to release a connection between the UE 110 and the network node 112 and to initiate a setup of the connection subsequently to the release of the connection. In response to the release message, the UE 110 releases 1704 the connection to the network node 112 and maintains 1706 at least one information block that is required to initiate the setup of the connection and to stay on the same cell to which the UE 110 was connected before releasing 1704 the connection. Without performing any prior cell selection procedure (given that the cell is not to be changed), the UE 110 initiates 1708 the setup of the connection to the same cell to which it was connected before releasing 1704 the connection, using the maintained at least one information block. Upon having re-established the connection to the network node 112, the UE 110 starts using 1710 at least a new security key that results from releasing and re-establishing the connection for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected. For example, the UE may start using 1710 a new security context which comprises the new security key and results from releasing and re-establishing the connection.
[0237] The at least one information block to be maintained 1706 may be, for example, a Master Information Block, MIB, or a System Information Block 1, SIB1, or both. For example, if MIB and SIB1 are the minimum information required to initiate the setup of the connection, both are maintained 1706. Any other SIBs that are not necessary need not be maintained. However, optionally, any other SIBs broadcast by the network may be stored by the UE 110 and may continue to be used as long as the SIB information is valid.
[0238] For maintaining 1706 the at least one information block the UE 110 may, for example, store the at least one information block even after releasing 1704 the connection, or, alternatively or additionally, acquire the at least one information block after releasing the connection. It is also possible that the UE 110 stores some of the information blocks and acquires some other information blocks.
[0239] The UE 110 may, after releasing 1704 the connection, enter 1712 an idle mode, e.g., RRC IDLE mode.
[0240] The release message may be an RRC Release message. Further, the UE may initiate 1708 the setup by initiating an RRC Setup.
[0241] FIG. 18 shows an example method performed by the network node 112 according to the invention, e.g. the second aspect. At 1802, the network node 112 receives an indication that the PDCP COUNT value is about to wrap around. In response to that indication, the network node 112 transmits 1804 a release message to the user equipment UE 110 which indicates to release the connection between the UE 110 and the network node 112. Further, the release message may comprise an indication to initiate a setup of the connection after the release of the connection. Further, the network node 112 maintains 1806, e.g. stores, the UE context, i.e., the context specific to the given UE 110. Optionally, the MM 140, a session management, SM, 150 and a user plane function, UPF, 160 also maintain 1914 the UE context. This UE context may include various parameters and attributes related to the UE 110, such as its identity, capabilities, current location, network registration status, ongoing sessions or connections, QoS requirements, security context, and any other relevant information needed for the network to communicate effectively with the UE and provide services to it. The UE context is maintained and managed by the network's core components, allowing for efficient and seamless communication and service delivery to UEs within the network. For example, for maintaining the UE context, in the case of the MM 140, access and mobility related parameters may be maintained for the UE 110, for example the area in which the UE 110 is allowed to access the network in case of mobility. The SM 150 may store information of a PDU session for the UE 110. The UPF 160 may store the U-plane data path information, i.e., the tunnel endpoint ID, for the UE 110.
[0242] Once the connection between the UE 110 and the network node 112 is re-established, the network node 112 starts using 1808 a new security key that has been established due to the re-establishment of the connection for ciphering and integrity protecting any PDCP data units that have not yet been ciphered and integrity protected.
[0243] FIG. 19 illustrates a flowchart for an example of a communication system according to the first to fourth aspect illustrating the steps performed by the UE, the network node, the MM, the SM and the UPF.
[0244] From FIG. 19 it can be taken that before performing the methods of the UE 110 and the network node 112 the security is activated 1902 with a current security key and after performing the method activated 1912 with the new security key. Optionally, MM 140, SM 150 and UPF 160 maintain the UE context during the release 1704 of the connection, in particular, even after the UE 110 releases 1704 the connection and at least until a random-access procedure 1904 is performed. Further, as shown in FIG. 19, an RRC Setup 1906 call, a Security Mode Command, SMC, 1908 and an RRC Reconfiguration may be performed after the RRC Setup is initiated 1708.
[0245] FIG. 20 shows an example method performed by the UE 110 according to the invention, e.g. the seventeenth aspect. The UE 110 receives 2002 a reconfiguration message from the network node 112. In response to receiving this message, the UE 110 establishes 2004 with the network node 112 an additional non-current security key which is kept inactive for the present.
[0246] Upon receiving 2006 an activation message from the network node 112, the UE activates 2008 the non-current security key and acknowledges 2010 to the network node 112 the successful activation of the non-current security key, e.g. by transmitting 2010 an acknowledgement message.
[0247] Once the non-current security key has been activated, the UE 110 starts using 2012 the non-current security key for ciphering and integrity protecting the PDCP data units.
[0248] The activation message may be any kind of suitable indication or message, such as an RRC Reconfiguration message or a PDCP Control message.
[0249] After activating the non-current security key, the method may, for example, reset the PDCP COUNT value.
[0250] Optionally, the UE 110 may receive 2014 a discard message from the network node 112 and, in response to this message, discard 2016 all data units in at least one protocol layer. For example, the UE 110 may flush all PDCP uplink and downlink buffers. Once having discarded 2016 all data units in the at least one protocol layer, the UE 110 indicates to the network node 112 the successful discarding of all data units in the at least one protocol layer. For example, the UE 110 may transmit a second acknowledgement message to the network node 112 indicating the successful discarding of all data units in the at least one protocol layer.
[0251] Further optionally, the activation message may comprise an indication to continue transmitting all data units that have already been ciphered and integrity protected using the current security key. The UE 110 may, in response to this indication, continue to transmit 2020 all remaining PDCP data units that have been ciphered and integrity protected using the current security key before activating 2008 the non-current security key. Upon having transmitted all remaining PDCP data units, the UE 110 may transmit 2022 an indication to the network node 112, wherein the indication indicates that all remaining PDCP data units have been transmitted and may comprise the first acknowledgement message. The indication may be implemented as an end-marker packet which indicates that it is the last packet ciphered and integrity protected using the current security key.
[0252] FIG. 21 shows an example method performed by the network node 112 according to the invention, e.g. the eighteenth aspect. In advance of any wrap-around of the PDCP COUNT value, the network node 112 transmits 2102 a reconfiguration message to the UE 110 which indicates to establish with the network node 112 an additional but inactive non-current security key. The network node 112 then establishes 2104 the additional non-current security key with the UE 110.
[0253] Upon receiving 2106 an indication that the PDCP COUNT value is about to wrap around, the network node 112 transmits 2108 the activation message to the UE 110, comprising an indication to the UE 110 to activate 2008 the non-current security key. Once the network node 112 receives the first acknowledgement message from the UE 110 indicating the successful activation of the non-current security key, it starts using 2112 the non-current security key instead of the current security key for ciphering and integrity protecting the PDCP data units. The activation message may be any kind of suitable indication or message, such as an RRC Reconfiguration message or a PDCP Control message.
[0254] Optionally, before the network node 112 transmits 2108 the activation message it may stop 2114 any further transmission of data units to the UE 110 until it receives the first acknowledgement message from the UE 110. In addition, it may transmit 2116 a discard message to the UE 110 that requests that the UE 110 discards all data units in at least one protocol layer. The discard message may, for example, instruct the UE 110 to flush the PDCP uplink and downlink buffers. Optionally, the network node 112 may transmit 2108 the activation message only after receiving a second acknowledgement message from the UE 110 that indicates the successful discarding of all data units in the at least one protocol layer.
[0255] Further optionally, the activation message may indicate to the UE 110 to continue transmitting all remaining PDCP data units that have been ciphered and integrity protected using the current security key before activating the non-current security key. Further, after having transmitted 2108 such an activation message the network node 112 may continue to transmit 2120 all remaining PDCP data units that have been ciphered and integrity protected using the current security key. It may do so until it receives 2122 an indication from the UE 110 that all remaining PDCP data units have been transmitted 2020, the indication comprising the first acknowledgement message.
[0256] FIG. 22 illustrates a flowchart for an example of a communication system according to the invention, e.g. the seventeenth to twentieth aspect, illustrating the communication between and the steps performed by the UE 110 and the network node 112. Before performing the methods of the UE 110 and the network node 112, security is activated 2302 with the current security key; after that, security is activated 2304 with the non-current security key, which therefore becomes the new current security key.
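The procedure of paragraphs [0245] to [0256] (FIGS. 20 to 22), played out as an added example that is not part of the patent: two PDCP entities hold a current key, establish an additional inactive key, and switch to it when the network side sees COUNT approaching wrap-around, draining the PDUs already protected under the old key first and marking the last of them with an end-marker. Ciphering is represented only by tagging each PDU with the identifier of the key that protected it, so the model shows ordering and COUNT handling, not cryptography. The 4-bit COUNT, the wrap-around margin, the key names K1/K2, the method names and the downlink end-marker (the patent describes the end-marker for the UE direction only) are assumptions of this example.

```python
"""Model of the inactive-key activation procedure of FIGS. 20 to 22.

Added example, not code from the patent. Ciphering is represented by tagging each
PDU with the identifier of the key that protected it. The small COUNT width, the
wrap-around margin and the downlink end-marker are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional

WRAP_MARGIN = 4   # constructed: treat COUNT as "about to wrap" this many values early


@dataclass
class Pdu:
    count: int
    key: str                  # identifier of the key that ciphered and integrity protected this PDU
    payload: str
    end_marker: bool = False  # last PDU protected with the old key


@dataclass
class PdcpEntity:
    name: str
    current_key: str
    count_len: int = 4        # constructed 4-bit COUNT so wrap-around is reached quickly
    noncurrent_key: Optional[str] = None
    tx_count: int = 0
    tx_queue: list = field(default_factory=list)   # already ciphered, not yet transmitted
    rx_key: str = ""
    received: list = field(default_factory=list)   # (count, key) pairs in arrival order
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.rx_key = self.current_key

    @property
    def max_count(self) -> int:
        return (1 << self.count_len) - 1

    def wrap_imminent(self) -> bool:
        """The indication of 2106: fewer than WRAP_MARGIN COUNT values remain."""
        return self.max_count - self.tx_count < WRAP_MARGIN

    def establish_noncurrent(self, key: str) -> None:
        """2004 / 2104: establish an additional key but keep it inactive."""
        self.noncurrent_key = key
        self.events.append(f"established inactive {key}")

    def protect(self, payload: str) -> Pdu:
        """Cipher one SDU under the current key; never reuse a COUNT under that key."""
        if self.tx_count > self.max_count:
            raise RuntimeError(f"{self.name}: COUNT wrap-around under {self.current_key}")
        pdu = Pdu(self.tx_count, self.current_key, payload)
        self.tx_count += 1
        self.tx_queue.append(pdu)
        return pdu

    def discard_all(self) -> int:
        """2016: flush the PDCP buffers; the return value backs the second acknowledgement."""
        n = len(self.tx_queue)
        self.tx_queue.clear()
        return n

    def activate_noncurrent(self, peer: "PdcpEntity") -> None:
        """2020/2120 drain old-key PDUs, 2022 end-marker, 2008/2112 activate, [0249] reset COUNT."""
        while self.tx_queue:
            peer.receive(self.tx_queue.pop(0))
        peer.receive(Pdu(self.tx_count, self.current_key, "", end_marker=True))
        self.events.append(f"activated {self.noncurrent_key}")
        self.current_key, self.noncurrent_key = self.noncurrent_key, None
        self.tx_count = 0

    def receive(self, pdu: Pdu) -> None:
        """Accept a PDU only under the key this side expects; switch keys on the end-marker."""
        if pdu.key != self.rx_key:
            raise RuntimeError(f"{self.name}: PDU {pdu.count} under {pdu.key}, expected {self.rx_key}")
        self.received.append((pdu.count, pdu.key))
        if pdu.end_marker:
            self.rx_key = self.noncurrent_key or self.current_key


def run_key_change(dl_sdus: int = 13, ul_sdus: int = 5) -> dict:
    """Play the FIG. 22 exchange and return what each side received."""
    ue, nw = PdcpEntity("UE", "K1"), PdcpEntity("gNB", "K1")
    for side in (ue, nw):                    # 2102: reconfiguration message
        side.establish_noncurrent("K2")
    for i in range(dl_sdus):
        nw.protect(f"dl{i}")
    for i in range(ul_sdus):
        ue.protect(f"ul{i}")
    if not nw.wrap_imminent():               # 2106: nothing to do yet
        return {"rekeyed": False}
    nw.events.append("2114 stop new data; 2108 activation message (continue indication)")
    ue.activate_noncurrent(nw)               # UE drains, end-marker carries the first ack
    nw.activate_noncurrent(ue)               # 2112: only after the UE's acknowledgement
    nw.protect("dl-new")
    ue.protect("ul-new")
    for side, peer in ((nw, ue), (ue, nw)):  # deliver the first PDUs under K2
        peer.receive(side.tx_queue.pop(0))
    return {"rekeyed": True, "ue_rx": ue.received, "nw_rx": nw.received,
            "ue_key": ue.current_key, "nw_key": nw.current_key}


def wrap_without_rekey(count_len: int = 4) -> bool:
    """Without a key change, the SDU after COUNT max_count would reuse COUNT 0: refused."""
    ent = PdcpEntity("UE", "K1", count_len=count_len)
    try:
        for i in range((1 << count_len) + 1):
            ent.protect(f"p{i}")
    except RuntimeError:
        return True
    return False
```

The point the model makes is that the receive key and the transmit key change at different moments: each side keeps decrypting under the old key until it has seen the peer's end-marker, while it starts ciphering under the new key as soon as it activates. The network side activates only after the UE's acknowledgement, so uplink PDUs already protected under K1 are never interpreted under K2.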
[0257] FIG. 23 shows a flowchart with the steps of a method performed by the UE 110 according to the invention, for example, the twenty-first aspect.
[0258] For example, the length of PDCP COUNT may be fixed to 32 bits and be comprised of the HFN and the PDCP Sequence Number, SN. The length of the HFN may then be derived as the PDCP COUNT length (32 bits) minus the PDCP SN length (12 or 19 bits), as shown in FIG. 25. The length of PDCP COUNT is configurable by the network (see, e.g., FIG. 26 discussed below). The network can select whether the PDCP COUNT length should be increased or not, e.g., according to the service use case and deployment scenario. For example, if the UE 110 is regarded as stationary and expected to be connected to the network for a long time, the network can select a longer PDCP COUNT length to reduce the likelihood of PDCP COUNT wrap-around.
[0259] Back to FIG. 23, at 2302 the UE 110 receives a command message from the network node 112 which indicates at least a non-current PDCP COUNT length, i.e. the length of a PDCP COUNT that differs from the length of the currently used PDCP COUNT. In particular, the non-current PDCP COUNT length is longer than the current PDCP COUNT length. In response to receiving the command message the UE 110 applies the indicated non-current PDCP COUNT length to the PDCP COUNT, thereby increasing the current length to the non-current PDCP COUNT length. Once the non-current PDCP COUNT length has been applied to the PDCP COUNT, the UE 110 starts using 2306 the PDCP COUNT value for ciphering and integrity protecting the PDCP data units.
[0260] FIG. 24 shows a flowchart with the steps of a method performed by the network node 112 according to the invention, for example, the twenty-second aspect.
[0261] At 2402, the network node 112 transmits a command message to the UE 110. The command message indicates at least a non-current PDCP COUNT length which is longer than the length of the PDCP COUNT that is currently used. Once having transmitted the command message, the network node 112 starts to use 2404 the PDCP COUNT value of the PDCP COUNT having the non-current PDCP COUNT length for ciphering and integrity protecting the PDCP data units. The command message may, for example, be a Security Mode Command message.
[0262] The transmission 2402 of the command message may be performed according to a service use case and deployment scenario. In particular, the transmission 2402 of the command message may be performed upon receiving 2406 an indication, e.g. from the UE 110, that the UE 110 is permanently or temporarily stationary.
[0263] The step of using the PDCP COUNT value having the increased non-current PDCP COUNT length may be performed only after receiving 2408 a completion message from the UE 110. The completion message may, for example, be a Security Mode Complete message.
[0264] FIG. 26 shows a flowchart for an example of a communication system according to the invention, e.g. the twenty-first to twenty-fourth aspect, illustrating the communication between and the steps performed by the UE 110 and the network node 112. As can be seen in FIG. 26 the network node 112, e.g. a 6G gNB, decides 2602 to increase the PDCP COUNT length and subsequently transmits 2402 a Security Mode Command message to the UE 110 which applies 2304 the increased non-current PDCP COUNT length to the PDCP COUNT.
Upon having applied the increased non-current PDCP COUNT length, the UE 110 transmits a Security Mode Complete message to the network node 112.
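What paragraph [0258] describes (COUNT = HFN || SN, HFN length derived from the configured COUNT length) and why the wrap-around the procedures of FIGS. 18 to 26 guard against matters, as an added example that is not code from the patent. The keystream generator is a stand-in PRF built from HMAC-SHA256 over (COUNT, BEARER, DIRECTION), not a 3GPP NEA algorithm; the SN sizes used in the test (12 and 18 bits) are the NR pdcp-SN-Size values rather than the "12 or 19" of the text; the wrap-around margin, the 40-bit extended COUNT, the keys and the plaintexts are constructed for illustration. The last function shows the actual failure mode: with the same key, bearer and direction, a COUNT that has wrapped to 0 reproduces the keystream of the first PDU, so the XOR of the two ciphertexts equals the XOR of the plaintexts; after a key change with COUNT reset, as in [0249], it does not.

```python
"""PDCP COUNT as HFN || SN, distance to wrap-around, and why wrap-around must be avoided.

Added example, not code from the patent. The keystream below is a stand-in PRF
(HMAC-SHA256 over COUNT | BEARER | DIRECTION), not a 3GPP NEA algorithm; keys,
plaintexts, the margin and the 40-bit extended COUNT are constructed for illustration.
"""
import hashlib
import hmac


def hfn_len(count_len: int = 32, sn_len: int = 12) -> int:
    """HFN length = COUNT length minus PDCP SN length (FIG. 25)."""
    if not 0 < sn_len < count_len:
        raise ValueError("SN must be shorter than COUNT")
    return count_len - sn_len


def make_count(hfn: int, sn: int, count_len: int = 32, sn_len: int = 12) -> int:
    """Compose COUNT = HFN || SN, rejecting values that overflow their field."""
    if sn < 0 or sn >> sn_len or hfn < 0 or hfn >> hfn_len(count_len, sn_len):
        raise ValueError("HFN or SN out of range")
    return (hfn << sn_len) | sn


def split_count(count: int, sn_len: int = 12) -> tuple:
    """Inverse of make_count: (HFN, SN)."""
    return count >> sn_len, count & ((1 << sn_len) - 1)


def pdus_until_wrap(count: int, count_len: int = 32) -> int:
    """How many more PDUs can be protected before COUNT would return to 0."""
    return (1 << count_len) - 1 - count


def wrap_imminent(count: int, count_len: int = 32, margin: int = 1 << 16) -> bool:
    """The indication of 1802/2106: fewer than `margin` COUNT values left (margin is assumed)."""
    return pdus_until_wrap(count, count_len) < margin


def keystream(key: bytes, count: int, bearer: int, direction: int, n: int, count_len: int = 32) -> bytes:
    """Stand-in keystream: HMAC-SHA256(key, COUNT | BEARER | DIRECTION | block) expanded to n bytes."""
    iv = count.to_bytes((count_len + 7) // 8, "big") + bytes([bearer & 0x1F, direction & 1])
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def cipher(key: bytes, count: int, bearer: int, direction: int, data: bytes, count_len: int = 32) -> bytes:
    """XOR stream cipher; decryption is the same call with the same (key, COUNT, BEARER, DIRECTION)."""
    return xor(data, keystream(key, count, bearer, direction, len(data), count_len))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wraparound_leak(old_key: bytes, new_key: bytes, bearer: int = 1, direction: int = 0) -> dict:
    """Protect a PDU at COUNT 0, let COUNT wrap, protect another at 'COUNT 0' again.

    Without a key change the keystream repeats, so XOR of the ciphertexts equals XOR of the
    plaintexts (a classic two-time-pad leak). After a key change with COUNT reset to 0, as in
    [0249], the keystream differs and nothing is learned from the pair.
    """
    p1 = b"constructed plaintext at COUNT 0"
    p2 = b"second plaintext after the wrap"
    c1 = cipher(old_key, 0, bearer, direction, p1)
    wrapped = ((1 << 32) - 1 + 1) & 0xFFFFFFFF        # 0xFFFFFFFF + 1 wraps to 0
    c2 = cipher(old_key, wrapped, bearer, direction, p2)
    c3 = cipher(new_key, 0, bearer, direction, p2)
    return {
        "keystream_reused": xor(c1, c2) == xor(p1, p2),
        "leak_after_rekey": xor(c1, c3) == xor(p1, p2),
        "roundtrip": cipher(new_key, 0, bearer, direction, c3) == p2,
    }
```

The same functions take a longer `count_len`, which is the alternative of FIGS. 23 to 26: with a 40-bit COUNT the value 0xFFFFFFFF, which is the last usable value of a 32-bit COUNT, still leaves 2^40 minus 2^32 values before wrap-around, so the indication of 1802/2106 is not raised for it. Extending COUNT only postpones wrap-around; it does not remove the need for a key change when the longer COUNT eventually runs out.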
[0265] FIGS. 27A and 27B illustrate schematic block diagrams showing structures of apparatuses according to embodiments of the subject disclosure.
[0266] In FIGS. 27A and 27B, the blocks are basically configured to perform respective methods, procedures and/or functions as described above. It is to be noted that the individual blocks are meant to illustrate respective functional blocks implementing a respective function, process, or procedure, respectively. Such functional blocks are implementation-independent, i.e., may be implemented by means of any kind of hardware or software or combination thereof, respectively.
[0267] An apparatus according to at least one embodiment may represent or realize/embody (e.g., a part of) a UE or IoT device as an example of a wireless device or entity. Such apparatus may be illustrated or realized as is shown in FIG. 2. The apparatus or the at least one processor 220 (e.g., together with instructions stored in the at least one memory 230) may be configured to transmit, to a non-terrestrial node, a registration request to authenticate to the network.
[0268] Further, the apparatus or the at least one processor 220 (e.g., together with instructions stored in the at least one memory 230) may be configured to receive, from the non-terrestrial node, a message comprising binding information associated with the non-terrestrial node to be used by the UE or IoT device, the binding information being assigned to the UE or IoT device.
[0269] Such apparatus may be illustrated or realized as is shown in FIG. 27A as apparatus 2700. The apparatus 2700 may comprise (at least) one or more unit/means/circuitry, denoted by transmitting section 2710, which represent any implementation for (or configured to) transmitting, to a non-terrestrial node, a registration request to authenticate to the network, and (at least) one or more unit/means/circuitry, denoted by receiving section 2720, which represent any implementation for (or configured to) receiving, from the non-terrestrial node, a message comprising binding information associated with the non-terrestrial node to be used by the UE or IoT device, the binding information being assigned to the UE or IoT device.
[0270] As indicated by dashed lines, the apparatus 2700 may comprise (at least) one or more unit/means/circuitry, denoted by processing section 2730, which represent any implementation for (or configured to) performing one or more operations described above.
[0271] Further, an apparatus according to at least one embodiment may represent or realize/embody (e.g., a part of) a non-terrestrial network entity (such as any kind of base station, or the like, incorporated in a satellite) as an example of a non-terrestrial network device or entity.
[0272] Such apparatus may be illustrated or realized as is shown in FIG. 3. The apparatus or the at least one processor 320 (e.g., together with instructions stored in the at least one memory 330) may be configured to receive, from a UE or IoT device, a registration request to authenticate to the network.
[0273] Further, the apparatus or the at least one processor 320 (e.g., together with instructions stored in the at least one memory 330) may be configured to store the registration request and assign binding information associated with the non-terrestrial network entity to the UE or IoT device responsive to a link between the non-terrestrial network entity and a terrestrial network entity (e.g., such as any kind of ground-based base station or the like) of the network to forward the registration request not being available. Also, the apparatus or the at least one processor 320 (e.g., together with instructions stored in the at least one memory 330) may be configured to transmit, to the UE or IoT device, a message comprising the binding information to be used by the UE or IoT device.
[0274] Such apparatus may be illustrated or realized as is shown in FIG. 27B as apparatus 2800. The apparatus 2800 may comprise (at least) one or more unit/means/circuitry, denoted by receiving section 2810, which represent any implementation for (or configured to) receiving, from a UE or IoT device, a registration request to authenticate to the network, (at least) one or more unit/means/circuitry, denoted by storing and assigning (i.e., processing) section 2820, which represent any implementation for (or configured to) storing the registration request and assigning binding information associated with the non-terrestrial network entity to the UE or IoT device responsive to a link between the non-terrestrial network entity and a terrestrial network entity of the network to forward the registration request not being available, and (at least) one or more unit/means/circuitry, denoted by transmitting section 2830, which represent any implementation for (or configured to) transmitting, to the UE or IoT device, a message comprising the binding information to be used by the UE or IoT device.
[0275] The apparatus 2800 may comprise (at least) one or more unit/means/circuitry (not shown in FIG. 27B), which represent any implementation for (or configured to) performing one or more operations described above.
[0276] For further details regarding the operability/functionality of the apparatuses (or units/means thereof) according to some embodiments of the subject disclosure, reference is made to the above description in connection with any one of FIGS. 1 to 10, respectively.
[0277] It should be understood that the apparatuses may comprise or be coupled to other units or modules etc., such as radio parts or radio heads, used in or for transmission and/or reception. Although the apparatuses have been described as one entity, different modules and memory may be implemented in one or more physical or logical entities.
[0278] It is noted that whilst embodiments have been described in relation to LTE and 5G NR, similar principles can be applied in relation to other networks and communication systems where fast connection re-establishment is required. Therefore, although certain embodiments were described above by way of example with reference to certain example architectures for wireless networks, technologies and standards, embodiments may be applied to any other suitable forms of communication systems than those illustrated and described herein.
[0279] It is also noted herein that while the above describes exemplary embodiments, there are several variations and modifications which may be made to the disclosed solution without departing from the scope of the subject disclosure.
[0280] In general, the various exemplary embodiments may be implemented in hardware or special purpose circuits, software, logic, or any combination thereof. Some aspects of the subject disclosure may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor, or other computing device, although the subject disclosure is not limited thereto. While various aspects of the subject disclosure may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques, or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
[0281] Example embodiments of the subject disclosure may be implemented by computer software executable by a data processor of the mobile device, such as in the processor entity, or by hardware, or by a combination of software and hardware. Computer software or program, also called program product, including software routines, applets and/or macros, may be stored in any apparatus-readable data storage medium and they comprise program instructions to perform particular tasks. A computer program product may comprise one or more computer-executable components which, when the program is run, are configured to carry out embodiments. The one or more computer-executable components may be at least one software code or portions of it.
[0282] Further in this regard it should be noted that any blocks of the logic flow as in the figures may represent program steps, or interconnected logic circuits, blocks and functions, or a combination of program steps and logic circuits, blocks, and functions. The software may be stored on such physical media as memory chips, or memory blocks implemented within the processor, magnetic media such as hard disks or floppy disks, and optical media such as, for example, DVD and the data variants thereof, and CD. The physical media is a non-transitory media.
[0283] The memory may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor-based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory, and removable memory. The data processors may be of any type suitable to the local technical environment, and may comprise one or more of general-purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), FPGAs, gate level circuits and processors based on multi-core processor architecture, as non-limiting examples.
[0284] Example embodiments of the subject disclosure may be practiced in various components such as integrated circuit modules. The design of integrated circuits is by and large a highly automated process. Complex and powerful software tools are available for converting a logic level design into a semiconductor circuit design ready to be etched and formed on a semiconductor substrate.
[0285] The foregoing description has provided by way of non-limiting examples a full and informative description of the exemplary embodiment of the subject disclosure. However, various modifications and adaptations may become apparent to those skilled in the relevant arts in view of the foregoing description, when read in conjunction with the accompanying drawings and the appended claims. However, all such and similar modifications of the teachings of this invention will still fall within the scope of the subject disclosure as defined in the appended claims. Indeed, there is a further embodiment comprising a combination of one or more embodiments with any of the other embodiments previously discussed.
Claims (9)
- 1. A method performed by a user equipment, UE, (110) in a network for ciphering and integrity protecting Packet Data Convergence Protocol, PDCP, data units transmitted via a Data Radio Bearer, DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a security key and a DRB ID identifying the DRB, the method comprising: a) upon receiving (1702) a release message from a network node (112), a.1) releasing (1704) a connection to the network node (112), a.2) maintaining (1706) at least one information block required to stay on a same cell as connected before the release of the connection, and a.3) without performing a prior cell selection, initiating (1708) the setup of the connection to the same cell using the maintained at least one information block; b) upon reestablishment of the connection to the network node (112), using (1710) at least a new security key resulting from releasing and re-establishing the connection for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected.
- 2. The method of claim 1, wherein for maintaining (1706) of the at least one information block the UE (110) stores the at least one information block even after releasing the connection.
- 3. The method of claim 1, wherein for maintaining (1706) of the at least one information block the UE (110) acquires the at least one information block after releasing the connection.
- 4. The method of any of the preceding claims, wherein the at least one information block includes at least a Master Information Block, MIB, or a System Information Block 1, SIB1, or both.
- 5. The method of any of the preceding claims, wherein the release message is a Radio Resource Control, RRC, Release message, the UE (110) enters (1712) an RRC IDLE mode after releasing the connection, and the UE (110) initiates (1708) the setup of the connection by initiating an RRC Setup procedure.
- 6. A method performed by a network node (112) in a network for ciphering and integrity protecting Packet Data Convergence Protocol, PDCP, data units transmitted via a Data Radio Bearer, DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a security key and a DRB ID identifying the DRB, the method comprising: a) upon receiving (1802) an indication that a PDCP COUNT value associated with the DRB ID and the security key is about to wrap around, a.1) transmitting (1804) a release message to a user equipment, UE, (110) indicating to the UE (110) to release a connection to the network node (112) and to subsequently initiate setup of the connection, and a.2) maintaining (1806) a context of the UE (110) while the connection is released and the setup of the connection re-initiated by the UE (110); and b) upon reestablishment of the connection to the UE (110), using (1808) a new security key resulting from releasing and reestablishing the connection for ciphering and integrity protecting the PDCP data units that have not yet been ciphered and integrity protected.
- 7. A user equipment, UE, (110) configured to perform ciphering and integrity protecting Packet Data Convergence Protocol, PDCP, data units transmitted via a Data Radio Bearer, DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a security key and a DRB ID identifying the DRB, the UE (110) comprising: a) a receiver configured to receive a release message from a network node (112); b) at least one processor; and c) at least one memory storing instructions that, when executed by the at least one processor, cause the UE (110) at least to perform the steps of the method of any of claims 1 to 5.
- 8. A network node (112) configured to perform ciphering and integrity protecting Packet Data Convergence Protocol, PDCP, data units transmitted via a Data Radio Bearer, DRB, wherein the ciphering and integrity protecting includes using a PDCP COUNT value, a security key and a DRB ID identifying the DRB, the network node (112) comprising: a) a transmitter configured to transmit a release message to the UE (110); and b) at least one processor; and c) at least one memory storing instructions that, when executed by the at least one processor, cause the network node (112) at least to perform the steps of the method of claim 6.
- 9. The network node (112) of claim 8, wherein the network node (112) is a 6th Generation Node B, 6G-gNB.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB2405112.0A GB2640282A (en) | 2024-04-10 | 2024-04-10 | Security key or data radio bearer ID change for stationary UE |
| PCT/IB2025/053712 WO2025215540A1 (en) | 2024-04-10 | 2025-04-08 | Security key or data radio bearer id change for stationary ue |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB2405112.0A GB2640282A (en) | 2024-04-10 | 2024-04-10 | Security key or data radio bearer ID change for stationary UE |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| GB2640282A true GB2640282A (en) | 2025-10-15 |
Family
ID=91335016
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB2405112.0A Pending GB2640282A (en) | 2024-04-10 | 2024-04-10 | Security key or data radio bearer ID change for stationary UE |
Country Status (2)
| Country | Link |
|---|---|
| GB (1) | GB2640282A (en) |
| WO (1) | WO2025215540A1 (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210168600A1 (en) * | 2017-06-23 | 2021-06-03 | Motorola Mobility Llc | Method and Apparatus for Implementing Bearer Specific Changes as Part of a Connection Reconfiguration that Impacts the Security Keys being Used |
| US20220329982A1 (en) * | 2021-03-30 | 2022-10-13 | Samsung Electronics Co., Ltd. | Data processing method and apparatus of packet data convergence protocol (pdcp) layer supporting multicast and broadcast service (mbs) in next-generation mobile communication system |
Events
- 2024-04-10: GB application GB2405112.0A filed; published as GB2640282A, pending
- 2025-04-08: PCT application PCT/IB2025/053712 filed; published as WO2025215540A1, pending
Non-Patent Citations (1)
| Title |
|---|
| 3GPP DRAFT, 2024, "3rd Generation Partnership Project; Technical Specification Group Radio Access Network; Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification (Release 18)" * |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2025215540A1 (en) | 2025-10-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11950314B2 (en) | Configuration method and apparatus, and system | |
| US20200021978A1 (en) | Communication Method and Device | |
| US11974121B2 (en) | Methods and apparatus for supporting integrity protection in handovers | |
| US11895617B2 (en) | Message identification method and apparatus | |
| CN113382404B (en) | Method and equipment for acquiring UE security capability | |
| CN111149419A (en) | Method and apparatus for NR PDCP reservation upon RRC resume/suspend | |
| WO2018137689A1 (en) | Method for secure data transmission, access network, terminal and core network device | |
| EP4104512A1 (en) | Radio network node, user equipment (ue) and methods performed therein | |
| US11399280B2 (en) | Communication of numbered sequence packets using old and new cipher keys | |
| US11218925B2 (en) | Data forwarding for inter-radio access technology wireless networks | |
| US20230254729A1 (en) | Migration method and apparatus for iab-node | |
| WO2021215979A1 (en) | Methods and nodes in integrated access backhaul networks | |
| US12082305B2 (en) | Entity establishment processing method and apparatus | |
| JP7652263B2 (en) | IAB communication method and device | |
| JP2023510974A (en) | Second network device, terminal device and method | |
| GB2640282A (en) | Security key or data radio bearer ID change for stationary UE | |
| WO2025215541A1 (en) | Security key or data radio bearer id change for stationary ue | |
| US12389483B2 (en) | Method and apparatus for relayed connection between nodes | |
| EP4604667A1 (en) | Indicators for the continuity information multicast mbs radio bearer handling | |
| WO2025245811A1 (en) | Communication method and apparatus | |
| WO2021203318A1 (en) | Methods, devices, and computer readable medium for communication | |
| HK40114898A (en) | Method and apparatus for relayed connection between nodes |