Handover and reestablishment in dual access
The dual access wireless communication system with a common core network addresses the challenge of handovers and radio resource control reestablishments between different radio access technologies by maintaining unified contexts, ensuring seamless transitions and reducing service interruptions.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- MEDIATEK INC
- Filing Date
- 2025-11-20
- Publication Date
- 2026-07-09
Smart Images

Figure CN2025136232_09072026_PF_FP_ABST
Abstract
Description
HANDOVER AND REESTABLISHMENT IN DUAL ACCESSCROSS-REFERENCE TO RELATED APPLICATION (S)
[0001] This application claims the benefits of U.S. Provisional Application Serial No. 63 / 739,711, entitled “AS CP ARCH -HANDOVER AND REESTABLISHMENT IN DUAL ACCESS” and filed on December 30, 2024, which is expressly incorporated by reference herein in its entirety.BACKGROUNDField
[0002] The present disclosure relates generally to wireless communications, and more particularly, to techniques of enabling handover and radio resource control connection reestablishment between different radio access technology generations using a common core network in a dual access wireless communication system. Background
[0003] The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
[0004] Wireless communication systems are widely deployed to provide various telecommunication services such as telephony, video, data, messaging, and broadcasts. Typical wireless communication systems may employ multiple-access technologies capable of supporting communication with multiple users by sharing available system resources. Examples of such multiple-access technologies include code division multiple access (CDMA) systems, time division multiple access (TDMA) systems, frequency division multiple access (FDMA) systems, orthogonal frequency division multiple access (OFDMA) systems, single-carrier frequency division multiple access (SC-FDMA) systems, and time division synchronous code division multiple access (TD-SCDMA) systems.
[0005] These multiple access technologies have been adopted in various telecommunication standards to provide a common protocol that enables different wireless devices to communicate on a municipal, national, regional, and even global level. An example telecommunication standard is 5G New Radio (NR) . 5G NR is part of a continuous mobile broadband evolution promulgated by Third Generation Partnership Project (3GPP) to meet new requirements associated with latency, reliability, security, scalability (e.g., with Internet of Things (IoT) ) , and other requirements. Some aspects of 5G NR may be based on the 4G Long Term Evolution (LTE) standard. There exists a need for further improvements in 5G NR technology. These improvements may also be applicable to other multi-access technologies and the telecommunication standards that employ these technologies.SUMMARY
[0006] The following presents a simplified summary of one or more aspects in order to provide a basic understanding of such aspects. This summary is not an extensive overview of all contemplated aspects, and is intended to neither identify key or critical elements of all aspects nor delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more aspects in a simplified form as a prelude to the more detailed description that is presented later.
[0007] In an aspect of the disclosure, a method, a computer-readable medium, and an apparatus are provided. The apparatus may be a UE. The UE experiences a radio link failure with a source cell of a source radio access technology (RAT) . In response to the radio link failure, the UE selects a target cell of a target RAT. The target RAT is different from the source RAT. The UE verifies that the target cell is in a same registration area as the source cell. In response to verifying that the target cell is in the same registration area, the UE generates a security token using a security context of the source cell. The UE transmits, to the target cell, a reestablishment request message. The reestablishment request message comprises one or more of the security token, a physical cell identity (PCI) of the source cell, and a Cell-Radio Network Temporary Identifier (C-RNTI) of the UE in the source cell.
[0008] In another aspect of the disclosure, a method, a computer-readable medium, and a target radio access network (RAN) are provided. The target RAN may include one or more network entities. The one or more network entities receive, from a user equipment (UE) , a reestablishment request message comprising one or more of a security token, a physical cell identity (PCI) of a source cell, and a Cell-Radio Network Temporary Identifier (C-RNTI) of the UE in the source cell. The one or more network entities transmit, to a source RAN identified by the PCI of the source cell over an inter-RAN interface, a context request message comprising the security token and the C-RNTI. The one or more network entities receive, from the source RAN over the inter-RAN interface, a context response message comprising one or more of a UE context, a derived target access stratum key, a nexthopChainingCount (NCC) , and a source cell security algorithm. The one or more network entities transmit, to the UE, a reestablishment message comprising the NCC. The reestablishment message is integrity protected using a security key derived from the target access stratum key and the source cell security algorithm. The one or more network entities receive, from the UE, a reestablishment complete message.
[0009] In yet another aspect of the disclosure, a method, a computer-readable medium, and an apparatus are provided. The apparatus may be a UE. The UE receives an inter-radio access technology (inter-RAT) handover command from a source radio access network (RAN) that operates on a first RAT. The handover command instructs the UE to perform a handover to a target RAN that operates on a second RAT. Both the source RAN and the target RAN connect to a common core network. The handover command comprises one or more of the following: an indication of the second RAT, a target RAT-specific Radio Resource Control (RRC) reconfiguration message, and a key generation parameter. The UE reuses a mobility management (MM) context and a session management (SM) context associated with the common core network. The UE performs this reuse without performing context mapping. The UE generates a security key for communication with the target RAN based on the key generation parameter. The UE transmits an RRC reconfiguration complete message to the target RAN.
[0010] In a further aspect of the disclosure, a method, a computer-readable medium, and a source RAN are provided. The source RAN may include one or more network entities. The one or more network entities coordinate an inter-radio access technology (inter-RAT) handover of a user equipment (UE) to a target RAN. The source RAN operates on a first RAT, and the target RAN operates on a second RAT different from the first RAT. The source RAN and the target RAN are connected to a common core network that maintains a mobility management (MM) context and a session management (SM) context for the UE. The one or more network entities obtain a target RAT-specific Radio Resource Control (RRC) reconfiguration message and a key generation parameter for the UE. The one or more network entities transmit, to the UE, an inter-RAT handover command. The inter-RAT handover command comprises an indication of the second RAT, the target RAT-specific RRC reconfiguration message, and the key generation parameter. The one or more network entities reuse the MM context and the SM context for the UE for the handover without context mapping.
[0011] To the accomplishment of the foregoing and related ends, the one or more aspects comprise the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative features of the one or more aspects. These features are indicative, however, of but a few of the various ways in which the principles of various aspects may be employed, and this description is intended to include all such aspects and their equivalents.BRIEF DESCRIPTION OF THE DRAWINGS
[0012] FIG. 1 is a diagram illustrating an example of a wireless communications system and an access network.
[0013] FIG. 2 is a diagram illustrating a base station in communication with a UE in an access network.
[0014] FIG. 3 illustrates an example logical architecture of a distributed access network.
[0015] FIG. 4 illustrates an example physical architecture of a distributed access network.
[0016] FIG. 5 is a diagram illustrating a dual access wireless communication system architecture that incorporates both fifth generation and sixth generation radio access networks connected to a common evolved fifth generation core network.
[0017] FIG. 6 (A) is a diagram illustrating handover scenarios in a dual access wireless communication system where a user equipment can transition bidirectionally between fifth generation and sixth generation radio access networks while maintaining connectivity through a common evolved core network.
[0018] FIG. 6 (B) is a diagram illustrating radio resource control connection reestablishment scenarios in a dual access wireless communication system where a user equipment attempts to recover from radio link failure by transitioning between different radio access technology generations.
[0019] FIG. 7 (A) is a diagram illustrating a sequence diagram for a handover procedure from a fifth generation radio access network to a sixth generation radio access network using control plane interfaces through the core network.
[0020] FIG. 7 (B) is a diagram illustrating a sequence diagram for a reverse handover procedure from a sixth generation radio access network to a fifth generation radio access network using control plane interfaces through the core network.
[0021] FIG. 8 (A) is a diagram illustrating a sequence diagram for an alternative handover procedure from a fifth generation radio access network to a sixth generation radio access network utilizing a direct inter-radio access network interface for coordination.
[0022] FIG. 8 (B) is a diagram illustrating a sequence diagram for a reverse handover procedure from a sixth generation radio access network to a fifth generation radio access network utilizing a direct inter-radio access network interface for coordination.
[0023] FIG. 9 (A) is a diagram illustrating a sequence diagram for a radio resource control connection reestablishment procedure where a user equipment experiencing radio link failure in a sixth generation cell reestablishes connectivity through a fifth generation cell.
[0024] FIG. 9 (B) is a diagram illustrating a sequence diagram for a reverse radio resource control connection reestablishment procedure where a user equipment experiencing radio link failure in a fifth generation cell reestablishes connectivity through a sixth generation cell.
[0025] FIG. 10 is a flowchart of a procedure for inter-radio access technology handover from a user equipment perspective when transitioning between fifth generation and sixth generation radio access networks.
[0026] FIG. 11 is a flowchart of a procedure for inter-radio access technology radio resource control connection reestablishment from a user equipment perspective when recovering from radio link failure by transitioning between different radio access technology generations.
[0027] FIGs. 12 (A) and 12 (B) are a flow chart illustrating a method for inter-radio access technology radio resource control connection reestablishment performed by a user equipment.
[0028] FIG. 13 is a flow chart illustrating a method for radio resource control connection reestablishment across different radio access technology generations performed by a target radio access network.
[0029] FIG. 14 is a flow chart illustrating a method for inter-radio access technology handover in a dual access wireless communication system performed by a user equipment.
[0030] FIG. 15 is a flow chart illustrating a method for coordinating an inter-radio access technology handover performed by a source radio access network.DETAILED DESCRIPTION
[0031] The detailed description set forth below in connection with the appended drawings is intended as a description of various configurations and is not intended to represent the only configurations in which the concepts described herein may be practiced. The detailed description includes specific details for the purpose of providing a thorough understanding of various concepts. However, it will be apparent to those skilled in the art that these concepts may be practiced without these specific details. In some instances, well known structures and components are shown in block diagram form in order to avoid obscuring such concepts.
[0032] Several aspects of telecommunications systems will now be presented with reference to various apparatus and methods. These apparatus and methods will be described in the following detailed description and illustrated in the accompanying drawings by various blocks, components, circuits, processes, algorithms, etc. (collectively referred to as “elements” ) . These elements may be implemented using electronic hardware, computer software, or any combination thereof. Whether such elements are implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system.
[0033] By way of example, an element, or any portion of an element, or any combination of elements may be implemented as a “processing system” that includes one or more processors. Examples of processors include microprocessors, microcontrollers, graphics processing units (GPUs) , central processing units (CPUs) , application processors, digital signal processors (DSPs) , reduced instruction set computing (RISC) processors, systems on a chip (SoC) , baseband processors, field programmable gate arrays (FPGAs) , programmable logic devices (PLDs) , state machines, gated logic, discrete hardware circuits, and other suitable hardware configured to perform the various functionality described throughout this disclosure. One or more processors in the processing system may execute software. Software shall be construed broadly to mean instructions, instruction sets, code, code segments, program code, programs, subprograms, software components, applications, software applications, software packages, routines, subroutines, objects, executables, threads of execution, procedures, functions, etc., whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise.
[0034] Accordingly, in one or more example aspects, the functions described may be implemented in hardware, software, or any combination thereof. If implemented in software, the functions may be stored on or encoded as one or more instructions or code on a computer-readable medium. Computer-readable media includes computer storage media. Storage media may be any available media that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise a random-access memory (RAM) , a read-only memory (ROM) , an electrically erasable programmable ROM (EEPROM) , optical disk storage, magnetic disk storage, other magnetic storage devices, combinations of the aforementioned types of computer-readable media, or any other medium that can be used to store computer executable code in the form of instructions or data structures that can be accessed by a computer.
[0035] FIG. 1 is a diagram illustrating an example of a wireless communications system and an access network 100. The wireless communications system (also referred to as a wireless wide area network (WWAN) ) includes base stations 102, UEs 104, an Evolved Packet Core (EPC) 160, and another core network 190 (e.g., a 5G Core (5GC) ) . The base stations 102 may include macrocells (high power cellular base station) and / or small cells (low power cellular base station) . The macrocells include base stations. The small cells include femtocells, picocells, and microcells.
[0036] The base stations 102 configured for 4G LTE (collectively referred to as Evolved Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (E-UTRAN) ) may interface with the EPC 160 through backhaul links 132 (e.g., SI interface) . The base stations 102 configured for 5G NR (collectively referred to as Next Generation RAN (NG-RAN) ) may interface with core network 190 through backhaul links 184. In addition to other functions, the base stations 102 may perform one or more of the following functions: transfer of user data, radio channel ciphering and deciphering, integrity protection, header compression, mobility control functions (e.g., handover, dual connectivity) , inter cell interference coordination, connection setup and release, load balancing, distribution for non-access stratum (NAS) messages, NAS node selection, synchronization, radio access network (RAN) sharing, multimedia broadcast multicast service (MBMS) , subscriber and equipment trace, RAN information management (RIM) , paging, positioning, and delivery of warning messages. The base stations 102 may communicate directly or indirectly (e.g., through the EPC 160 or core network 190) with each other over backhaul links 134 (e.g., X2 interface) . The backhaul links 134 may be wired or wireless.
[0037] The base stations 102 may wirelessly communicate with the UEs 104. Each of the base stations 102 may provide communication coverage for a respective geographic coverage area 110. There may be overlapping geographic coverage areas 110. For example, the small cell 102’ may have a coverage area 110’ that overlaps the coverage area 110 of one or more macro base stations 102. A network that includes both small cell and macrocells may be known as a heterogeneous network. A heterogeneous network may also include Home Evolved Node Bs (eNBs) (HeNBs) , which may provide service to a restricted group known as a closed subscriber group (CSG) . The communication links 120 between the base stations 102 and the UEs 104 may include uplink (UL) (also referred to as reverse link) transmissions from a UE 104 to a base station 102 and / or downlink (DL) (also referred to as forward link) transmissions from a base station 102 to a UE 104. The communication links 120 may use multiple-input and multiple-output (MIMO) antenna technology, including spatial multiplexing, beamforming, and / or transmit diversity. The communication links may be through one or more carriers. The base stations 102 / UEs 104 may use spectrum up to 7 MHz (e.g., 5, 10, 15, 20, 100, 400, etc. MHz) bandwidth per carrier allocated in a carrier aggregation of up to a total of Yx MHz (x component carriers) used for transmission in each direction. The carriers may or may not be adjacent to each other. Allocation of carriers may be asymmetric with respect to DL and UL (e.g., more or fewer carriers may be allocated for DL than for UL) . The component carriers may include a primary component carrier and one or more secondary component carriers. A primary component carrier may be referred to as a primary cell (PCell) and a secondary component carrier may be referred to as a secondary cell (SCell) .
[0038] Certain UEs 104 may communicate with each other using device-to-device (D2D) communication link 158. The D2D communication link 158 may use the DL / UL WWAN spectrum. The D2D communication link 158 may use one or more sidelink channels, such as a physical sidelink broadcast channel (PSBCH) , a physical sidelink discovery channel (PSDCH) , a physical sidelink shared channel (PSSCH) , and a physical sidelink control channel (PSCCH) . D2D communication may be through a variety of wireless D2D communications systems, such as for example, FlashLinQ, WiMedia, Bluetooth, ZigBee, Wi-Fi based on the IEEE 802.11 standard, LTE, or NR.
[0039] The wireless communications system may further include a Wi-Fi access point (AP) 150 in communication with Wi-Fi stations (STAs) 152 via communication links 154 in a 5 GHz unlicensed frequency spectrum. When communicating in an unlicensed frequency spectrum, the STAs 152 / AP 150 may perform a clear channel assessment (CCA) prior to communicating in order to determine whether the channel is available.
[0040] The small cell 102’ may operate in a licensed and / or an unlicensed frequency spectrum. When operating in an unlicensed frequency spectrum, the small cell 102’ may employ NR and use the same 5 GHz unlicensed frequency spectrum as used by the Wi-Fi AP 150. The small cell 102’ , employing NR in an unlicensed frequency spectrum, may boost coverage to and / or increase capacity of the access network.
[0041] A base station 102, whether a small cell 102’ or a large cell (e.g., macro base station) , may include an eNB, gNodeB (gNB) , or another type of base station. Some base stations, such as gNB 180 may operate in a traditional sub 6 GHz spectrum, in millimeter wave (mmW) frequencies, and / or near mmW frequencies in communication with the UE 104. When the gNB 180 operates in mmW or near mmW frequencies, the gNB 180 may be referred to as an mmW base station. Extremely high frequency (EHF) is part of the RF in the electromagnetic spectrum. EHF has a range of 30 GHz to 300 GHz and a wavelength between 1 millimeter and 10 millimeters. Radio waves in the band may be referred to as a millimeter wave. Near mmW may extend down to a frequency of 3 GHz with a wavelength of 100 millimeters. The super high frequency (SHF) band extends between 3 GHz and 30 GHz, also referred to as centimeter wave. Communications using the mmW / near mmW radio frequency band (e.g., 3 GHz -300 GHz) has extremely high path loss and a short range. The mmW base station 180 may utilize beamforming 182 with the UE 104 to compensate for the extremely high path loss and short range.
[0042] The base station 180 may transmit a beamformed signal to the UE 104 in one or more transmit directions 108a. The UE 104 may receive the beamformed signal from the base station 180 in one or more receive directions 108b. The UE 104 may also transmit a beamformed signal to the base station 180 in one or more transmit directions. The base station 180 may receive the beamformed signal from the UE 104 in one or more receive directions. The base station 180 / UE 104 may perform beam training to determine the best receive and transmit directions for each of the base station 180 / UE 104. The transmit and receive directions for the base station 180 may or may not be the same. The transmit and receive directions for the UE 104 may or may not be the same.
[0043] The EPC 160 may include a Mobility Management Entity (MME) 162, other MMEs 164, a Serving Gateway 166, a Multimedia Broadcast Multicast Service (MBMS) Gateway 168, a Broadcast Multicast Service Center (BM-SC) 170, and a Packet Data Network (PDN) Gateway 172. The MME 162 may be in communication with a Home Subscriber Server (HSS) 174. The MME 162 is the control node that processes the signaling between the UEs 104 and the EPC 160. Generally, the MME 162 provides bearer and connection management. All user Internet protocol (IP) packets are transferred through the Serving Gateway 166, which itself is connected to the PDN Gateway 172. The PDN Gateway 172 provides UE IP address allocation as well as other functions. The PDN Gateway 172 and the BM-SC 170 are connected to the IP Services 176. The IP Services 176 may include the Internet, an intranet, an IP Multimedia Subsystem (IMS) , a PS Streaming Service, and / or other IP services. The BM-SC 170 may provide functions for MBMS user service provisioning and delivery. The BM-SC 170 may serve as an entry point for content provider MBMS transmission, may be used to authorize and initiate MBMS Bearer Services within a public land mobile network (PLMN) , and may be used to schedule MBMS transmissions. The MBMS Gateway 168 may be used to distribute MBMS traffic to the base stations 102 belonging to a Multicast Broadcast Single Frequency Network (MBSFN) area broadcasting a particular service, and may be responsible for session management (start / stop) and for collecting eMBMS related charging information.
[0044] The core network 190 may include a Access and Mobility Management Function (AMF) 192, other AMFs 193, a location management function (LMF) 198, a Session Management Function (SMF) 194, and a User Plane Function (UPF) 195. The AMF 192 may be in communication with a Unified Data Management (UDM) 196. The AMF 192 is the control node that processes the signaling between the UEs 104 and the core network 190. Generally, the SMF 194 provides QoS flow and session management. All user Internet protocol (IP) packets are transferred through the UPF 195. The UPF 195 provides UE IP address allocation as well as other functions. The UPF 195 is connected to the IP Services 197. The IP Services 197 may include the Internet, an intranet, an IP Multimedia Subsystem (IMS) , a PS Streaming Service, and / or other IP services.
[0045] The base station may also be referred to as a gNB, Node B, evolved Node B (eNB) , an access point, a base transceiver station, a radio base station, a radio transceiver, a transceiver function, a basic service set (BSS) , an extended service set (ESS) , a transmit reception point (TRP) , or some other suitable terminology. The base station 102 provides an access point to the EPC 160 or core network 190 for a UE 104. Examples of UEs 104 include a cellular phone, a smart phone, a session initiation protocol (SIP) phone, a laptop, a personal digital assistant (PDA) , a satellite radio, a global positioning system, a multimedia device, a video device, a digital audio player (e.g., MP3 player) , a camera, a game console, a tablet, a smart device, a wearable device, a vehicle, an electric meter, a gas pump, a large or small kitchen appliance, a healthcare device, an implant, a sensor / actuator, a display, or any other similar functioning device. Some of the UEs 104 may be referred to as IoT devices (e.g., parking meter, gas pump, toaster, vehicles, heart monitor, etc. ) . The UE 104 may also be referred to as a station, a mobile station, a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a mobile device, a wireless device, a wireless communications device, a remote device, a mobile subscriber station, an access terminal, a mobile terminal, a wireless terminal, a remote terminal, a handset, a user agent, a mobile client, a client, or some other suitable terminology.
[0046] Although the present disclosure may reference 5G New Radio (NR) , the present disclosure may be applicable to other similar areas, such as LTE, LTE-Advanced (LTE-A) , Code Division Multiple Access (CDMA) , Global System for Mobile communications (GSM) , or other wireless / radio access technologies.
[0047] FIG. 2 is a block diagram of a base station 210 in communication with a UE 250 in an access network. In the DL, IP packets from the EPC 160 may be provided to a controller / processor 275. The controller / processor 275 implements layer 3 and layer 2 functionality. Layer 3 includes a radio resource control (RRC) layer, and layer 2 includes a packet data convergence protocol (PDCP) layer, a radio link control (RLC) layer, and a medium access control (MAC) layer. The controller / processor 275 provides RRC layer functionality associated with broadcasting of system information (e.g., MIB, SIBs) , RRC connection control (e.g., RRC connection paging, RRC connection establishment, RRC connection modification, and RRC connection release) , inter radio access technology (RAT) mobility, and measurement configuration for UE measurement reporting; PDCP layer functionality associated with header compression / decompression, security (ciphering, deciphering, integrity protection, integrity verification) , and handover support functions; RLC layer functionality associated with the transfer of upper layer packet data units (PDUs) , error correction through ARQ, concatenation, segmentation, and reassembly of RLC service data units (SDUs) , re-segmentation of RLC data PDUs, and reordering of RLC data PDUs; and MAC layer functionality associated with mapping between logical channels and transport channels, multiplexing of MAC SDUs onto transport blocks (TBs) , demultiplexing of MAC SDUs from TBs, scheduling information reporting, error correction through HARQ, priority handling, and logical channel prioritization.
[0048] The transmit (TX) processor 216 and the receive (RX) processor 270 implement layer 1 functionality associated with various signal processing functions. Layer 1, which includes a physical (PHY) layer, may include error detection on the transport channels, forward error correction (FEC) coding / decoding of the transport channels, interleaving, rate matching, mapping onto physical channels, modulation / demodulation of physical channels, and MIMO antenna processing. The TX processor 216 handles mapping to signal constellations based on various modulation schemes (e.g., binary phase-shift keying (BPSK) , quadrature phase-shift keying (QPSK) , M-phase-shift keying (M-PSK) , M-quadrature amplitude modulation (M-QAM) ) . The coded and modulated symbols may then be split into parallel streams. Each stream may then be mapped to an OFDM subcarrier, multiplexed with a reference signal (e.g., pilot) in the time and / or frequency domain, and then combined together using an Inverse Fast Fourier Transform (IFFT) to produce a physical channel carrying a time domain OFDM symbol stream. The OFDM stream is spatially precoded to produce multiple spatial streams. Channel estimates from a channel estimator 274 may be used to determine the coding and modulation scheme, as well as for spatial processing. The channel estimate may be derived from a reference signal and / or channel condition feedback transmitted by the UE 250. Each spatial stream may then be provided to a different antenna 220 via a separate transmitter 218TX. Each transmitter 218TX may modulate an RF carrier with a respective spatial stream for transmission.
[0049] At the UE 250, each receiver 254RX receives a signal through its respective antenna 252. Each receiver 254RX recovers information modulated onto an RF carrier and provides the information to the receive (RX) processor 256. The TX processor 268 and the RX processor 256 implement layer 1 functionality associated with various signal processing functions. The RX processor 256 may perform spatial processing on the information to recover any spatial streams destined for the UE 250. If multiple spatial streams are destined for the UE 250, they may be combined by the RX processor 256 into a single OFDM symbol stream. The RX processor 256 then converts the OFDM symbol stream from the time-domain to the frequency domain using a Fast Fourier Transform (FFT) . The frequency domain signal comprises a separate OFDM symbol stream for each subcarrier of the OFDM signal. The symbols on each subcarrier, and the reference signal, are recovered and demodulated by determining the most likely signal constellation points transmitted by the base station 210. These soft decisions may be based on channel estimates computed by the channel estimator 258. The soft decisions are then decoded and deinterleaved to recover the data and control signals that were originally transmitted by the base station 210 on the physical channel. The data and control signals are then provided to the controller / processor 259, which implements layer 3 and layer 2 functionality.
[0050] The controller / processor 259 can be associated with a memory 260 that stores program codes and data. The memory 260 may be referred to as a computer-readable medium. In the UL, the controller / processor 259 provides demultiplexing between transport and logical channels, packet reassembly, deciphering, header decompression, and control signal processing to recover IP packets from the EPC 160. The controller / processor 259 is also responsible for error detection using an ACK and / or NACK protocol to support HARQ operations.
[0051] Similar to the functionality described in connection with the DL transmission by the base station 210, the controller / processor 259 provides RRC layer functionality associated with system information (e.g., MIB, SIBs) acquisition, RRC connections, and measurement reporting; PDCP layer functionality associated with header compression / decompression, and security (ciphering, deciphering, integrity protection, integrity verification) ; RLC layer functionality associated with the transfer of upper layer PDUs, error correction through ARQ, concatenation, segmentation, and reassembly of RLC SDUs, re-segmentation of RLC data PDUs, and reordering of RLC data PDUs; and MAC layer functionality associated with mapping between logical channels and transport channels, multiplexing of MAC SDUs onto TBs, demultiplexing of MAC SDUs from TBs, scheduling information reporting, error correction through HARQ, priority handling, and logical channel prioritization.
[0052] Channel estimates derived by a channel estimator 258 from a reference signal or feedback transmitted by the base station 210 may be used by the TX processor 268 to select the appropriate coding and modulation schemes, and to facilitate spatial processing. The spatial streams generated by the TX processor 268 may be provided to different antenna 252 via separate transmitters 254TX. Each transmitter 254TX may modulate an RF carrier with a respective spatial stream for transmission. The UL transmission is processed at the base station 210 in a manner similar to that described in connection with the receiver function at the UE 250. Each receiver 218RX receives a signal through its respective antenna 220. Each receiver 218RX recovers information modulated onto an RF carrier and provides the information to a RX processor 270.
[0053] The controller / processor 275 can be associated with a memory 276 that stores program codes and data. The memory 276 may be referred to as a computer-readable medium. In the UL, the controller / processor 275 provides demultiplexing between transport and logical channels, packet reassembly, deciphering, header decompression, control signal processing to recover IP packets from the UE 250. IP packets from the controller / processor 275 may be provided to the EPC 160. The controller / processor 275 is also responsible for error detection using an ACK and / or NACK protocol to support HARQ operations.
[0054] New radio (NR) may refer to radios configured to operate according to a new air interface (e.g., other than Orthogonal Frequency Divisional Multiple Access (OFDMA) -based air interfaces) or fixed transport layer (e.g., other than Internet Protocol (IP) ) . NR may utilize OFDM with a cyclic prefix (CP) on the uplink and downlink and may include support for half-duplex operation using time division duplexing (TDD) . NR may include Enhanced Mobile Broadband (eMBB) service targeting wide bandwidth (e.g. 80 MHz beyond) , millimeter wave (mmW) targeting high carrier frequency (e.g. 60 GHz) , massive MTC (mMTC) targeting non-backward compatible MTC techniques, and / or mission critical targeting ultra-reliable low latency communications (URLLC) service.
[0055] A single component carrier bandwidth of 100 MHz may be supported. In one example, NR resource blocks (RBs) may span 12 sub-carriers with a sub-carrier bandwidth of 60 kHz over a 0.25 ms duration or a bandwidth of 30 kHz over a 0.5 ms duration (similarly, 50MHz BW for 15kHz SCS over a 1 ms duration) . Each radio frame may consist of 10 subframes (10, 20, 40 or 80 NR slots) with a length of 10 ms. Each slot may indicate a link direction (i.e., DL or UL) for data transmission and the link direction for each slot may be dynamically switched. Each slot may include DL / UL data as well as DL / UL control data.
[0056] The NR RAN may include a central unit (CU) and distributed units (DUs) . A NR BS (e.g., gNB, 5G Node B, Node B, transmission reception point (TRP) , access point (AP) ) may correspond to one or multiple BSs. NR cells can be configured as access cells (ACells) or data only cells (DCells) . For example, the RAN (e.g., a central unit or distributed unit) can configure the cells. DCells may be cells used for carrier aggregation or dual connectivity and may not be used for initial access, cell selection / reselection, or handover. In some cases DCells may not transmit synchronization signals (SS) in some cases DCells may transmit SS. NR BSs may transmit downlink signals to UEs indicating the cell type. Based on the cell type indication, the UE may communicate with the NR BS. For example, the UE may determine NR BSs to consider for cell selection, access, handover, and / or measurement based on the indicated cell type.
[0057] FIG. 3 illustrates an example logical architecture of a distributed RAN 300, according to aspects of the present disclosure. A 5G access node 306 may include an access node controller (ANC) 302. The ANC may be a central unit (CU) of the distributed RAN. The backhaul interface to the next generation core network (NG-CN) 304 may terminate at the ANC. The backhaul interface to neighboring next generation access nodes (NG-ANs) 310 may terminate at the ANC. The ANC may include one or more TRPs 308 (which may also be referred to as BSs, NR BSs, Node Bs, 5G NBs, APs, or some other term) . As described above, a TRP may be used interchangeably with “cell. ”
[0058] The TRPs 308 may be a distributed unit (DU) . The TRPs may be connected to one ANC (ANC 302) or more than one ANC (not illustrated) . For example, for RAN sharing, radio as a service (RaaS) , and service specific ANC deployments, the TRP may be connected to more than one ANC. A TRP may include one or more antenna ports. The TRPs may be configured to individually (e.g., dynamic selection) or jointly (e.g., joint transmission) serve traffic to a UE.
[0059] The local architecture of the distributed RAN 300 may be used to illustrate fronthaul definition. The architecture may be defined that support fronthauling solutions across different deployment types. For example, the architecture may be based on transmit network capabilities (e.g., bandwidth, latency, and / or jitter) . The architecture may share features and / or components with LTE. According to aspects, the next generation AN (NG-AN) 310 may support dual connectivity with NR. The NG-AN may share a common fronthaul for LTE and NR.
[0060] The architecture may enable cooperation between and among TRPs 308. For example, cooperation may be preset within a TRP and / or across TRPs via the ANC 302. According to aspects, no inter-TRP interface may be needed / present.
[0061] According to aspects, a dynamic configuration of split logical functions may be present within the architecture of the distributed RAN 300. The PDCP, RLC, MAC protocol may be adaptably placed at the ANC or TRP.
[0062] FIG. 4 illustrates an example physical architecture of a distributed RAN 400, according to aspects of the present disclosure. A centralized core network unit (C-CU) 402 may host core network functions. The C-CU may be centrally deployed. C-CU functionality may be offloaded (e.g., to advanced wireless services (AWS) ) , in an effort to handle peak capacity. A centralized RAN unit (C-RU) 404 may host one or more ANC functions. Optionally, the C-RU may host core network functions locally. The C-RU may have distributed deployment. The C-RU may be closer to the network edge. A distributed unit (DU) 406 may host one or more TRPs. The DU may be located at edges of the network with radio frequency (RF) functionality.
[0063] FIG. 5 is a diagram 500 illustrating an example of a dual access wireless communication system architecture 500. The system 500 represents a sixth generation (6G) system model according to a first scheme that incorporates both fifth generation and sixth generation radio access technologies with a common core network infrastructure. This architecture includes an evolved fifth generation core network (e5GC) 520, a fifth generation radio access network (5G RAN) 512, and a sixth generation radio access network (6G RAN) 514.
[0064] The e5GC 520 represents an upgraded version of the traditional 5G Core network (5GC) , such as the core network 190 described in FIG. 1. The e5GC 520 has been enhanced with capabilities to connect to both the 5G RAN 512 and the 6G RAN 514, serving as a common core network for multiple radio access technologies. The e5GC 520 may include network functions similar to those found in conventional 5G core networks, such as an AMF for mobility management and an SMF for session management. By providing a unified core network infrastructure, the e5GC 520 enables user equipment to access core network services through either the 5G RAN 512 or the 6G RAN 514.
[0065] The 5G RAN 512 comprises one or more base stations configured to operate according to fifth generation wireless standards, including New Radio (NR) specifications. The 5G RAN 512 may include gNodeBs (gNBs) , such as the gNB 180 described in FIG. 1, that provide wireless coverage to user equipment in various frequency bands. These frequency bands may include sub-6 GHz spectrum for wide area coverage and millimeter wave frequencies for high-capacity communications. The 5G RAN 512 connects to the e5GC 520 through standardized interfaces that support control plane signaling and user plane data transmission.
[0066] The 6G RAN 514 represents a next-generation radio access network designed for sixth generation wireless systems. The 6G RAN 514 incorporates advanced wireless technologies beyond those currently specified in 5G NR. The 6G RAN 514 may include base stations 516 that utilize enhanced physical layer techniques, advanced antenna systems, and potentially new frequency bands. Similar to the 5G RAN 512, the 6G RAN 514 connects to the e5GC 520 through appropriate interfaces that enable communication between the radio access network and the core network.
[0067] This system architecture is referred to as dual access because it enables a user equipment 502 to access the common core network through different radio access technologies. In the dual access architecture, the user equipment 502 can establish connections through either the 5G RAN 512 or the 6G RAN 514, while maintaining its relationship with the same e5GC 520. This differs from traditional multi-RAT deployments where different radio access technologies typically connect to separate core network infrastructures or require complex interworking functions between distinct core networks.
[0068] The interface between the 5G RAN 512 and the e5GC 520 may utilize existing protocols defined for 5G systems, such as the N2 interface for control plane communication and the N3 interface for user plane data transmission. The interface between the 6G RAN 514 and the e5GC 520 may employ evolved versions of these interfaces or newly defined interfaces that maintain compatibility with core network protocols while supporting 6G-specific features. Both radio access networks can communicate with the e5GC 520 simultaneously, allowing the system 500 to support user equipment with different capabilities and enabling gradual migration from 5G to 6G technologies.
[0069] The dual access architecture provides a framework for deploying next-generation wireless systems alongside existing infrastructure. By utilizing a common core network, the architecture maintains unified mobility management and session management contexts for user equipment regardless of which radio access technology is being used. This architectural approach allows network operators to introduce 6G radio access capabilities while preserving investments in existing core network infrastructure and maintaining service continuity for user equipment operating in areas with mixed 5G and 6G coverage.
[0070] FIG. 6 (A) is a diagram 600 illustrating handover scenarios in the dual access wireless communication system where a user equipment (UE) 604 can transition between different radio access technologies while maintaining connectivity through the common e5GC 520. In this example, the UE 604 is a wireless device capable of operating with both fifth generation and sixth generation radio access technologies. The UE 604 can establish connections through either the 5G RAN 512 or the 6G RAN 514, while both radio access networks connect to the same e5GC 520. The e5GC 520 provides unified core network functions including mobility management and session management for the UE 604 regardless of which radio access technology serves the device.
[0071] The diagram 600 illustrates two handover scenarios between the radio access networks. The first scenario, labeled as "5to6 HO" , represents a handover procedure where the UE 604 transitions from being served by the 5G RAN 512 to being served by the 6G RAN 514. The second scenario, labeled as "6to5 HO" , represents the reverse handover where the UE 604 transitions from the 6G RAN 514 to the 5G RAN 512. These bidirectional handover capabilities allow the UE 604 to move between coverage areas of different radio access technology generations while maintaining service continuity.
[0072] In the first scheme, handover between different radio access technology generations constitutes an inter-system handover. For instance, when a device transitions from a fifth generation system to a fourth generation system, it moves from a 5G RAN connected to a 5G core network to a 4G RAN connected to an EPC. Because these systems utilize separate core network infrastructures with different architectures and protocols, the handover procedure requires mapping or conversion of the mobility management (MM) context and the session management (SM) context between the source and target core networks.
[0073] The MM context contains information about the UE’s registration state, tracking area information, security parameters, and other mobility-related data maintained by the core network. The SM context contains information about established protocol data unit (PDU) sessions, quality of service (QoS) parameters, traffic routing information, and other session-related parameters. During inter-system handover between different core networks, these contexts must be translated to equivalent representations in the target system, which adds complexity to the handover procedure and may introduce delays or service interruptions.
[0074] The dual access architecture shown in FIG. 6 (A) presents a different scenario. Because both the 5G RAN 512 and the 6G RAN 514 connect to the same e5GC 520, the UE 604 maintains its relationship with the same core network infrastructure throughout the handover process. The MM context and SM context stored in the e5GC 520 remain valid and accessible regardless of whether the UE 604 is served by the 5G RAN 512 or the 6G RAN 514. The AMF within the e5GC 520 continues to manage the same mobility context for the UE 604, and the SMF continues to manage the same session context, eliminating the need for context mapping or translation.
[0075] The technical problem illustrated in FIG. 6 (A) concerns how to simplify the handover procedures between the 5G RAN 512 and the 6G RAN 514 given the presence of the common e5GC 520. In the first scheme, inter-system handover procedures were designed under the assumption that source and target systems operate with separate core network infrastructures, requiring complex context mapping procedures. In the dual access architecture, applying these procedures would introduce unnecessary overhead and complexity since the core network contexts do not require translation. The challenge is to develop optimized handover procedures that take advantage of the common core network to reduce signaling overhead, minimize handover latency, and maintain seamless service continuity when the UE 604 transitions between the 5G RAN 512 and the 6G RAN 514.
[0076] FIG. 6 (B) is a diagram 650 illustrating radio resource control (RRC) connection reestablishment scenarios in the dual access wireless communication system. The diagram 650 shows the e5GC 520 connected to both the 5G RAN 512 and the 6G RAN 514, with the UE 604 capable of communicating with either radio access network. Unlike the planned handover procedures depicted in FIG. 6 (A) , FIG. 6 (B) illustrates recovery scenarios where the UE 604 attempts to reestablish connectivity after experiencing a radio link failure.
[0077] RRC connection reestablishment is a recovery procedure that allows a UE to quickly restore its RRC connection following a radio link failure. A radio link failure occurs when the UE loses connection with its serving base station due to factors such as deteriorating radio conditions, physical obstructions, or mobility beyond coverage boundaries. When detecting such a failure, the UE attempts to restore connectivity by selecting a suitable cell and initiating an RRC reestablishment procedure. This approach aims to restore the connection more rapidly than would be possible through a complete connection establishment process from idle state, thereby minimizing service interruption and preserving ongoing data sessions where possible.
[0078] The diagram 650 illustrates two cross-RAT reestablishment scenarios. The first scenario, labeled as "5to6 Reestablishment" , represents a situation where the UE 604 experiences a radio link failure while connected to the 5G RAN 512 and subsequently attempts to reestablish its RRC connection through the 6G RAN 514. This scenario might occur when the UE 604 moves from an area where 5G coverage deteriorates into an area where 6G coverage is available and suitable for reestablishment. The second scenario, labeled as "6to5 Reestablishment" , represents the reverse situation where the UE 604 experiences a radio link failure while connected to the 6G RAN 514 and attempts to reestablish the connection through the 5G RAN 512.
[0079] In the first scheme, RRC connection reestablishment procedures operate exclusively within a single radio access technology. For instance, a UE experiencing radio link failure in a 5G cell can attempt reestablishment with another 5G cell, but the first scheme does not provide mechanisms for reestablishing the connection with a cell belonging to a different radio access technology generation. When a UE detects a radio link failure in one RAT and the only available cells belong to a different RAT, the UE must abandon the reestablishment attempt, transition to RRC idle state, and initiate a new connection establishment procedure from the beginning in the target RAT.
[0080] This limitation exists because different radio access technology generations typically employ distinct protocol stacks, security architectures, and connection management mechanisms. The RRC reestablishment procedure relies on the target cell being able to retrieve and verify the UE’s context from the source cell, including security parameters, bearer configurations, and connection identifiers. These context elements and their associated signaling protocols are designed to operate within a single RAT, making cross-RAT context retrieval and verification technically incompatible under existing specifications.
[0081] The dual access architecture presents a unique opportunity to reconsider this limitation. Since both the 5G RAN 512 and the 6G RAN 514 connect to the same e5GC 520, the core network maintains consistent mobility management and session management contexts for the UE 604 regardless of which radio access technology serves the device. The AMF within the e5GC 520 retains the UE’s registration state, security associations, and mobility parameters, while the SMF maintains the established PDU sessions and their associated QoS profiles. This architectural arrangement suggests that the fundamental barrier to cross-RAT reestablishment-the lack of a common context repository-may not apply in the dual access system.
[0082] The technical problem illustrated in FIG. 6 (B) concerns the absence of mechanisms to enable RRC connection reestablishment when the UE 604 needs to recover from radio link failure by transitioning between the 5G RAN 512 and the 6G RAN 514. Without such mechanisms, the UE 604 experiencing radio link failure in one RAT would be forced to undergo a complete connection establishment procedure when moving to the other RAT, even though both radio access networks maintain relationships with the same core network. This results in extended service interruptions, potential loss of ongoing data sessions, and increased signaling overhead that could otherwise be avoided if cross-RAT reestablishment were possible within the dual access architecture.
[0083] The challenge extends beyond simply enabling the procedure; it also involves addressing technical questions about how to maintain security continuity across different radio access technologies, how to handle potentially incompatible RRC context formats between 5G and 6G systems, and how to coordinate the retrieval of UE context information when the source and target cells belong to different technology generations. These considerations become particularly relevant in the dual access system where the common e5GC 520 provides a potential foundation for enabling such cross-RAT procedures, but the radio access network interfaces and protocols must still accommodate the differences between the technology generations.
[0084] FIG. 7 (A) is a sequence diagram 700 illustrating a handover procedure from the 5G RAN 512 to the 6G RAN 514 in the dual access wireless communication system according to a second scheme. The procedure demonstrates how the N2 interface, which provides control plane connectivity between radio access networks and the core network, can be reused for inter-generation handover between fifth generation and sixth generation radio access technologies. The UE 604, initially connected to the 5G RAN 512, transitions to the 6G RAN 514 while maintaining its relationship with the common e5GC 520. Both the 5G RAN 512 and the 6G RAN 514 connect to the e5GC 520 through their respective N2 interfaces, enabling control plane signaling to flow through the core network during the handover process.
[0085] The handover procedure begins with handover preparation signaling between the source 5G RAN 512 and the target 6G RAN 514 through the e5GC 520. During this preparation phase, the target 6G RAN 514 allocates radio resources for the incoming UE 604 and prepares the radio configuration parameters necessary for establishing connectivity in the sixth generation system. The AMF within the e5GC 520 coordinates the handover and manages security key derivation for the target radio access network.
[0086] In step 1 of the procedure shown in FIG. 7 (A) , the 5G RAN 512 transmits a MobilityFromNRCommand message to the UE 604. This handover command instructs the UE 604 to transition from the current fifth generation radio access technology to the sixth generation radio access technology. The MobilityFromNRCommand contains several essential components that enable the cross-generation handover. The message includes an explicit indication that the target RAT is 6G, allowing the UE 604 to understand that it will be transitioning to a different technology generation rather than performing an intra-RAT handover to another 5G cell. The message also encapsulates a 6GRRCReconfiguration message, which contains the complete radio resource configuration for the target 6G cell. This embedded 6GRRCReconfiguration message provides all the parameters necessary for the UE 604 to establish physical layer connectivity, configure radio bearers, and apply other radio-specific settings required by the sixth generation system.
[0087] Security key management during the inter-generation handover can be handled through two alternative approaches, both coordinated by the AMF within the e5GC 520. The first approach employs horizontal access stratum key derivation without modifying the non-access stratum security context. In this approach, the AMF increments its locally maintained nexthopChainingCount (NCC) value by one and computes a corresponding fresh next hop (NH) parameter. The NCC serves as a counter that tracks the sequence of key derivations, while the NH represents a key derivation parameter used to generate new access stratum security keys. The AMF sends both the NCC value and the NH parameter to the target 6G RAN 514 through the N2 interface.
[0088] The target 6G RAN 514 incorporates the received NCC value into a masterKeyUpdate information element within the 6GRRCReconfiguration message. The masterKeyUpdate also includes a keySetChangeIndicator parameter set to FALSE, indicating that the NAS-level security context remains unchanged. The target 6G RAN 514 then sends the composed 6GRRCReconfiguration message back through the e5GC 520, which forwards it to the source 5G RAN 512 via the N2 interfaces. The source 5G RAN 512 embeds this 6GRRCReconfiguration message within the MobilityFromNRCommand before transmitting it to the UE 604. When the UE 604 receives the NCC value in the handover command, it can derive the appropriate access stratum security keys for the target 6G cell using its stored security context and the key derivation functions specified for sixth generation systems.
[0089] The second approach for security key management involves deriving a new horizontal key at the NAS level, specifically generating a fresh KAMF key. In this method, the AMF derives the new KAMF using the current downlink NAS COUNT value as input to the key derivation function. The downlink NAS COUNT is a 32-bit counter maintained synchronously by both the AMF and the UE 604 to provide security protection for NAS signaling. To convey the key derivation information to the UE 604, the AMF includes the 16 least significant bits of the 32-bit downlink NAS COUNT in a Sequence Number information element within a NAS TRANSPARENT CONTAINER. This container is then included as the nas-SecurityParamFromNR parameter in the MobilityFromNRCommand message.
[0090] The UE 604 maintains its own copy of the full 32-bit downlink NAS COUNT and can reconstruct the complete counter value by combining the received 16 least significant bits with the most significant bits from its locally stored counter, accounting for potential wraparound conditions. Using this reconstructed counter value, the UE 604 derives the same new KAMF that was computed by the AMF. With the new NAS-level key established, the UE 604 subsequently derives fresh access stratum security keys for use with the target 6G RAN 514. This approach provides enhanced security isolation between the source and target radio access networks by establishing new security associations at both the NAS and AS levels.
[0091] After receiving and processing the MobilityFromNRCommand message, the UE 604 initiates random access procedures with the target 6G cell using the configuration parameters provided in the 6GRRCReconfiguration message. The UE 604 applies the appropriate security keys based on whichever key management approach was employed by the network. Upon successful synchronization with the target 6G cell and completion of the random access procedure, the UE 604 transmits a 6GRRCReconfigurationComplete message to the 6G RAN 514 in step 2. This completion message confirms that the UE 604 has successfully applied the new configuration and established connectivity with the sixth generation radio access network, finalizing the handover procedure.
[0092] Throughout this inter-generation handover procedure, the mobility management context and session management context maintained by the e5GC 520 remain unchanged and valid. The AMF continues to maintain the same registration state, tracking area information, and mobility parameters for the UE 604 regardless of whether it connects through the 5G RAN 512 or the 6G RAN 514. Similarly, the SMF preserves all established PDU sessions with their associated QoS parameters and traffic routing configurations. This context preservation eliminates the need for complex context mapping procedures that would be required in traditional inter-system handovers between different core network architectures. The UE 604 does not need to perform any MM or SM context translation because both the source and target radio access networks share the same core network infrastructure.
[0093] FIG. 7 (B) is a sequence diagram 750 illustrating the reverse handover procedure from the 6G RAN 514 to the 5G RAN 512 in the dual access system according to the second scheme. This procedure demonstrates the symmetric nature of inter-generation handover capabilities, allowing the UE 604 to transition from sixth generation radio access technology back to fifth generation radio access technology while maintaining its connection with the common e5GC 520. The fundamental mechanisms and principles remain consistent with those employed in the 5G to 6G handover, with appropriate adaptations for the reversed direction of technology transition.
[0094] The procedure shown in FIG. 7 (B) follows a similar pattern to that described for FIG. 7 (A) . In step 1, the 6G RAN 514 transmits a MobilityFrom6GCommand message to the UE 604. This handover command instructs the UE 604 to perform a transition from the current 6G cell to a target 5G cell. The MobilityFrom6GCommand includes an indication that the target RAT is 5G and encapsulates an RRCReconfiguration message containing the complete radio resource configuration for the target fifth generation cell. This RRCReconfiguration message provides all necessary parameters for the UE 604 to establish connectivity using fifth generation radio access technology, including physical layer settings, radio bearer configurations, and other 5G-specific parameters.
[0095] Security key handling for the 6G to 5G handover follows the same two alternative approaches available for the forward direction. When using horizontal AS key derivation, the AMF increments the NCC value and computes a fresh NH parameter, which are provided to the target 5G RAN 512 through the N2 interface. The target 5G RAN 512 includes the NCC value in the masterKeyUpdate information element within the RRCReconfiguration message, with the keySetChangeIndicator set to FALSE. The composed RRCReconfiguration message flows back through the e5GC 520 to the source 6G RAN 514, which embeds it in the MobilityFrom6GCommand sent to the UE 604.
[0096] Alternatively, when NAS-level re-keying is employed, the AMF derives a new KAMFfrom the downlink NAS COUNT and includes the 16 least significant bits of this counter in a nas-SecurityParamFrom6G parameter within the MobilityFrom6GCommand. The UE 604 uses this information to derive the corresponding NAS and AS security keys for the target 5G cell. Regardless of the security approach used, the UE 604 performs random access with the target 5G cell and, upon successful connection establishment, transmits an RRCReconfigurationComplete message to the 5G RAN 512 in step 2, confirming completion of the handover procedure.
[0097] The bidirectional handover capabilities illustrated in FIGs. 7 (A) and 7 (B) address the technical challenges of enabling simplified handover procedures between different radio access technology generations when a common core network is available. By reusing the existing N2 interface for inter-generation handovers, the procedures avoid the need for new interface definitions while maintaining compatibility with established control plane protocols. The presence of the common e5GC 520 serving both radio access networks eliminates the complexity of context mapping between different core network architectures, allowing handovers to proceed as transitions between radio access technologies while core network contexts remain stable. This architectural approach enables seamless mobility between fifth and sixth generation systems, supporting gradual technology migration and ensuring service continuity as networks evolve from 5G to 6G deployments.
[0098] FIG. 8 (A) is a sequence diagram 800 illustrating an alternative handover procedure from the 5G RAN 512 to the 6G RAN 514 in the dual access wireless communication system according to a third scheme. This procedure utilizes a direct inter-RAN interface, designated as Xn*802, which enables communication between the fifth generation and sixth generation radio access networks. The Xn*interface 802 represents an interface specifically designed to interconnect radio access networks of different technology generations, analogous to how the Xn interface connects base stations within the same generation. The system architecture includes the UE 604, the 5G RAN 512, the 6G RAN 514, and the common e5GC 520, where both radio access networks maintain their respective N2 interfaces to the e5GC 520 for core network control plane connectivity.
[0099] The presence of the Xn*interface 802 between the 5G RAN 512 and the 6G RAN 514 enables direct coordination of handover procedures without routing all control signaling through the core network. This direct inter-RAN communication path allows the source and target radio access networks to exchange handover-related information, including radio configurations and security parameters, thereby reducing the signaling load on the e5GC 520 and potentially decreasing handover latency. The diagram shows a handshaking phase for handover preparation that occurs directly between the 5G RAN 512 and the 6G RAN 514 over the Xn*interface 802.
[0100] During the handover preparation phase, the source 5G RAN 512 sends a handover request to the target 6G RAN 514 through the Xn*interface 802. This request contains information about the UE 604, including its capabilities, current radio bearer configurations, and quality of service requirements. The target 6G RAN 514 processes this request and performs admission control to determine whether it can accommodate the incoming UE 604. Upon accepting the handover request, the target 6G RAN 514 allocates radio resources and prepares a 6GRRCReconfiguration message containing the complete radio configuration that the UE 604 will need to establish connectivity with the sixth generation system.
[0101] The 6GRRCReconfiguration message prepared by the target 6G RAN 514 includes physical layer parameters specific to the sixth generation radio access technology, radio bearer configurations adapted for the target system, and a masterKeyUpdate information element containing the nexthopChainingCount (NCC) . The NCC value indicates to the UE 604 which position in the key hierarchy should be used as the basis for deriving new access stratum security keys. After preparing this configuration message, the target 6G RAN 514 sends it back to the source 5G RAN 512 through the Xn*interface 802, enabling the source to incorporate it into the handover command.
[0102] An aspect of this handover procedure involves the security key derivation performed by the source 5G RAN 512. Before sending the handover command to the UE 604, the source 5G RAN 512 generates the target base station key that will be used by the target 6G RAN 514. This key derivation follows one of two approaches. In horizontal key derivation, the source 5G RAN 512 derives the target key from its currently active access stratum key using the target cell’s physical cell identity and downlink frequency as additional inputs. In vertical key derivation, the source 5G RAN 512 uses the next hop (NH) parameter, which was previously provided by the AMF, as the basis for generating the target key. The NH parameter provides stronger key separation in the derivation chain and is selected based on the current NCC value maintained for the UE 604.
[0103] After deriving the target access stratum key, the source 5G RAN 512 forwards both the derived key and the corresponding NCC value to the target 6G RAN 514 over the Xn*interface 802. The target 6G RAN 514 stores this key material as the root access stratum key for securing communications with the UE 604 after the handover completes. This direct key provisioning between radio access networks eliminates the need for the target 6G RAN 514 to request fresh keys from the e5GC 520 during the handover execution phase.
[0104] In step 1 of the procedure, the source 5G RAN 512 transmits a MobilityFromNRCommand message to the UE 604. This command explicitly indicates that the target RAT is 6G, informing the UE 604 that an inter-generation handover to sixth generation radio access technology is being commanded. The MobilityFromNRCommand encapsulates the complete 6GRRCReconfiguration message that was previously prepared by the target 6G RAN 514 and received by the source 5G RAN 512 over the Xn*interface 802. The UE 604 thus receives a fifth generation RRC message from its current serving base station, but embedded within that message is a sixth generation RRC message containing the configuration for the target system.
[0105] Upon receiving the MobilityFromNRCommand, the UE 604 recognizes from the target RAT indication that it must transition to the sixth generation radio access technology. The UE 604 extracts the embedded 6GRRCReconfiguration message and processes its contents to obtain the target cell configuration parameters. The UE 604 also retrieves the NCC value from the masterKeyUpdate information element and uses it to determine which key in its stored hierarchy should be used for deriving the new access stratum security keys. The UE 604 performs the same key derivation calculation that was executed by the source 5G RAN 512, using either its current active key or the appropriate NH parameter based on the NCC value, along with the target cell parameters, to generate the access stratum root key for the target cell.
[0106] After deriving the security keys and applying the target configuration, the UE 604 detaches from the source 5G cell and initiates random access procedures with the target 6G cell according to the parameters specified in the 6GRRCReconfiguration message. Upon successful synchronization and random access completion, the UE 604 establishes secure communication with the 6G RAN 514 using the newly derived keys. In step 2, the UE 604 transmits a 6GRRCReconfigurationComplete message to the 6G RAN 514, confirming successful application of the target configuration and completion of the handover procedure. The 6G RAN 514 verifies this message using the security keys that were provided by the source 5G RAN 512, completing the security context establishment in the target cell.
[0107] Throughout this Xn*-based handover procedure, the mobility management and session management contexts maintained by the e5GC 520 remain unchanged. The AMF continues to maintain the same registration state, tracking area information, and mobility parameters for the UE 604, while the SMF preserves all established PDU sessions with their associated QoS profiles. Because both the source 5G RAN 512 and target 6G RAN 514 connect to the same e5GC 520, the UE 604 does not need to perform any mapping or translation of its NAS-level contexts. This context preservation distinguishes the procedure from traditional inter-system handovers where different core network architectures would require complex context conversion, allowing for simplified and accelerated handover execution.
[0108] FIG. 8 (B) is a sequence diagram 850 illustrating the reverse handover procedure from the 6G RAN 514 to the 5G RAN 512 using the Xn*interface 802 for direct inter-RAN coordination. This procedure demonstrates the bidirectional capability of the Xn*-based handover mechanism, enabling transitions from sixth generation radio access technology back to fifth generation radio access technology through direct communication between the radio access networks. In this example, both radio access networks maintain N2 interfaces to the common e5GC 520 while being interconnected through the Xn*interface 802.
[0109] The handover preparation phase begins with the source 6G RAN 514 sending a handover request directly to the target 5G RAN 512 over the Xn*interface 802. This request provides information about the UE 604 and its current service configuration to enable the target 5G RAN 512 to perform admission control and resource allocation. Upon accepting the handover request, the target 5G RAN 512 prepares an RRCReconfiguration message containing the radio configuration parameters specific to fifth generation radio access technology. This RRCReconfiguration message includes physical layer settings, radio bearer configurations, and the NCC value within its masterKeyUpdate information element.
[0110] The target 5G RAN 512 sends the prepared RRCReconfiguration message back to the source 6G RAN 514 through the Xn*interface 802. This message exchange over the direct inter-RAN interface allows the source 6G RAN 514 to obtain the target cell configuration without involving the e5GC 520 in the detailed radio-level handover preparation. The source 6G RAN 514 receives this fifth generation configuration message and prepares to embed it within the handover command that will be sent to the UE 604.
[0111] Security key derivation for the reverse handover follows the same principles as the forward direction. The source 6G RAN 514 generates the target access stratum key that will be used by the target 5G RAN 512. In horizontal key derivation, the source 6G RAN 514 derives this key from its currently active using the target cell’s physical parameters. In vertical key derivation, the source 6G RAN 514 uses the NH parameter from its security context. The source 6G RAN 514 forwards both the derived key and the NCC value to the target 5G RAN 512 over the Xn*interface 802, providing the target with the necessary security material for protecting communications with the UE 604 after handover completion.
[0112] In step 1 of the procedure, the source 6G RAN 514 transmits a MobilityFrom6GCommand message to the UE 604. This command indicates that the target RAT is 5G and encapsulates the complete RRCReconfiguration message that was prepared by the target 5G RAN 512. The UE 604 receives this sixth generation RRC message containing an embedded fifth generation RRC configuration, providing all the parameters needed for transitioning to the fifth generation radio access technology.
[0113] The UE 604 processes the MobilityFrom6GCommand and extracts the embedded RRCReconfiguration message along with the NCC value from its masterKeyUpdate information element. Using this NCC value, the UE 604 performs the appropriate key derivation to generate the access stratum security keys for the target fifth generation cell. The UE 604 derives the same keys that were computed by the source 6G RAN 514, enabling it to establish secure communication with the target 5G RAN 512. After applying the configuration parameters from the RRCReconfiguration message, the UE 604 performs random access with the target 5G cell.
[0114] Upon successful connection establishment with the target 5G cell, the UE 604 transmits an RRCReconfigurationComplete message to the 5G RAN 512 in step 2, confirming completion of the handover procedure. The 5G RAN 512 verifies this message using the security keys received from the source 6G RAN 514 over the Xn*interface 802, establishing the security context for subsequent communications. As with the forward handover, the mobility management and session management contexts in the e5GC 520 remain stable throughout the procedure, eliminating the need for context mapping or translation.
[0115] The bidirectional handover capabilities illustrated in FIGs. 8 (A) and 8 (B) demonstrate how the Xn*interface 802 enables efficient inter-generation mobility in the dual access architecture. By facilitating direct communication between radio access networks of different technology generations, the Xn*interface 802 allows handover signaling and context transfer to occur without routing through the core network, reducing latency and signaling overhead. The source radio access network takes responsibility for key derivation and directly provisions the target with security material, while the target prepares its radio configuration and sends it back to the source for inclusion in the handover command. This approach complements the N2-based handover procedures by providing an alternative mechanism that minimizes core network involvement while preserving the unified mobility and session management contexts that characterize the dual access system.
[0116] FIG. 9 (A) is a sequence diagram 900 illustrating a radio resource control (RRC) connection reestablishment procedure in the dual access wireless communication system according to a fourth scheme. In this procedure, the UE 604 experiences a radio link failure while connected to the 6G RAN 514 and attempts to reestablish its RRC connection through the 5G RAN 512. This cross-generation reestablishment capability addresses scenarios where radio link failures occur in one radio access technology and recovery must occur through a different technology generation, a capability not supported in conventional wireless systems.
[0117] The system architecture for this procedure includes the UE 604, the 5G RAN 512, the 6G RAN 514, and the e5GC 520. Both radio access networks maintain N2 interfaces to the core network and are interconnected through the Xn*interface 802. The Xn*interface 802 provides direct communication between different generation radio access networks, facilitating context transfer during the reestablishment procedure.
[0118] A requirement for cross-generation reestablishment is that the source 6G cell and target 5G cell must belong to the same registration area. A registration area comprises one or more tracking areas managed by a single AMF instance within the e5GC 520. When the UE 604 registers with the network, the AMF provides the UE 604 with a list of tracking area codes that constitute its current registration area. Each cell broadcasts its tracking area code in System Information Block Type 1 (SIB1) , allowing the UE 604 to determine whether a candidate reestablishment cell belongs to the same registration area. If the target cell resides in a different registration area, cross-generation reestablishment cannot proceed, and the UE 604 must either select another cell or transition to RRC idle state and initiate a new connection establishment in this target cell.
[0119] Prior to the radio link failure, the UE 604 maintains an active RRC connection with the 6G RAN 514. The 6G RAN 514 stores comprehensive context for the UE 604, including radio bearer configurations, quality of service parameters, security keys and algorithms, packet data convergence protocol (PDCP) state information, and a cell radio network temporary identifier (C-RNTI) that uniquely identifies the UE 604 within the 6G cell. When radio link failure occurs, the UE 604 loses connection with the 6G RAN 514 and initiates cell selection to identify a suitable cell for reestablishment. In this scenario, the UE 604 determines that no suitable 6G cells are available but identifies a suitable 5G cell served by the 5G RAN 512.
[0120] In step 1 of the procedure, the UE 604 transmits an RRCReestablishmentRequest message to the 5G RAN 512. This message contains three essential parameters: a security token called shortMAC-I, the C-RNTI that identified the UE 604 in the source 6G cell, and the physical cell identity of the source 6G cell (sourcePCI) . The shortMAC-I represents the sixteen least significant bits of a Message Authentication Code for Integrity (MAC-I) computed using the integrity protection algorithm and KRRCint key from the source 6G cell. The MAC-I calculation takes as input the sourcePCI, the target cell identity, and the source C-RNTI, cryptographically binding the reestablishment request to the specific source cell, target cell, and UE identity.
[0121] In step 2, the target 5G RAN 512 uses the received sourcePCI to identify the source 6G RAN 514 through a database mapping physical cell identities to radio access network nodes. The target 5G RAN 512 transmits a UE CONTEXT REQUEST message 904 to the 6G RAN 514 over the Xn*interface 802, forwarding the shortMAC-I and C-RNTI parameters to facilitate context retrieval and verification.
[0122] In step 3, the source 6G RAN 514 retrieves the UE context associated with the received C-RNTI and verifies the shortMAC-I by recomputing the MAC-I using its stored KRRCint key and comparing the result with the received token. Upon successful verification, the source 6G RAN 514 calculates a new access stratum root key for the target 5G cell. This key derivation uses the target cell’s physical cell identity, the target cell’s absolute radio frequency channel number for downlink (ARFCN-DL) , and either the current base station key KNB or the next hop parameter NH from the UE’s 6G AS security context. The choice between horizontal derivation from KNB or vertical derivation from NH depends on the current state of the key hierarchy. The source 6G RAN 514 transmits a UE CONTEXT RESPONSE message to the target 5G RAN 512 containing the complete UE context, including bearer configurations, PDCP state information, the calculated the corresponding nexthopChainingCount (NCC) value, and the security algorithms used in the source cell.
[0123] In step 4, the target 5G RAN 512 stores the received context, allocates resources for the UE 604, and assigns a new C-RNTI for the 5G cell. The target 5G RAN 512 derives RRC security keys KRRCint and KRRCenc from the received using the security algorithms from the source cell. The target 5G RAN 512 transmits an RRCReestablishment message 908 to the UE 604, which includes the new C-RNTI and the NCC value. This message is integrity protected at the PDCP layer using the newly derived KRRCint key.
[0124] Upon receiving the RRCReestablishment message 908, the UE 604 uses the NCC value to determine the appropriate key derivation path and calculates the same that was computed by the source 6G RAN 514. The UE 604 derives the RRC security keys using this and the security algorithms from the source cell, then verifies the integrity protection of the received message. The preservation of security algorithms from the source cell avoids potential vulnerabilities from algorithm changes during reestablishment. This requirement implies that the target 5G system must support the security algorithms employed by the source 6G system.
[0125] In step 5, after successful integrity verification and configuration application, the UE 604 transmits an RRCReestablishmentComplete message 910 to the 5G RAN 512, confirming successful reestablishment. The message is integrity protected using the established security context. The target 5G RAN 512 subsequently performs path switch procedures toward the e5GC 520, updating the serving radio access network while the AMF and SMF maintain unchanged mobility management and session management contexts for the UE 604.
[0126] FIG. 9 (B) is a sequence diagram 950 illustrating the reverse RRC connection reestablishment procedure, where the UE 604 experiences radio link failure while connected to the 5G RAN 512 and reestablishes through the 6G RAN 514. This procedure demonstrates the bidirectional capability of cross-generation reestablishment in the dual access architecture, following the same principles as FIG. 9 (A) but with reversed source and target roles.
[0127] The procedure begins after the UE 604, having an established connection with the 5G RAN 512, experiences radio link failure and selects a suitable 6G cell for reestablishment. The 5G RAN 512 maintains the UE’s context including bearer configurations, security associations, PDCP state, and the C-RNTI assigned within the 5G cell.
[0128] In step 1, the UE 604 transmits a 6GRRCReestablishmentRequest message 952 to the 6G RAN 514. This message, formatted according to sixth generation specifications, contains the shortMAC-I computed using the 5G security context, the C-RNTI from the 5G connection, and the sourcePCI of the 5G cell. The shortMAC-I calculation uses the integrity protection key KRRCint from the source 5G cell applied to the sourcePCI, target cell identity, and source C-RNTI.
[0129] In step 2, the target 6G RAN 514 identifies the source 5G RAN 512 using the sourcePCI and transmits a UE CONTEXT REQUEST message 954 over the Xn*interface 802, including the shortMAC-I and C-RNTI for context retrieval and verification.
[0130] In step 3, the source 5G RAN 512 verifies the shortMAC-I using its stored security context and, upon successful verification, calculates for the target 6G cell using the target cell parameters and the UE’s 5G AS security context. The source 5G RAN 512 transmits a UE CONTEXT RESPONSE message 956 containing the complete UE context, including the calculated NCC value, and security algorithms.
[0131] In step 4, the target 6G RAN 514 derives RRC security keys from the received using the source cell’s security algorithms and transmits a 6GRRCReestablishment message 958 to the UE 604. This message, integrity protected using the newly derived KRRCinT, contains the NCC value for the UE’s key derivation.
[0132] In step 5, the UE 604 derives the corresponding security keys using the NCC value, verifies the message integrity, and transmits a 6GRRCReestablishmentComplete message 960 to confirm successful reestablishment. The target 6G RAN 514 performs path switch procedures toward the e5GC 520, completing the cross-generation reestablishment.
[0133] The bidirectional reestablishment procedures illustrated in FIGs. 9 (A) and 9 (B) provide rapid connection recovery across technology generations in the dual access architecture. These procedures rely on the common e5GC 520 maintaining unified contexts regardless of serving radio access technology, the Xn*interface 802 facilitating direct context transfer between different generation radio access networks, compatible key hierarchy structures across technology generations, and the preservation of security algorithms to maintain cryptographic continuity. The procedures require that source and target cells belong to the same registration area and assume that both technology generations employ analogous base station key hierarchies with compatible key derivation functions.
[0134] FIG. 10 is a flowchart 1000 illustrating a procedure for inter-radio access technology (RAT) handover executed by the UE 604 when transitioning between the 5G RAN 512 and the 6G RAN 514 in the dual access wireless communication system. The flowchart 1000 depicts the operational sequence from the UE’s perspective as it processes a handover command, manages security contexts, and establishes connectivity with the target radio access network. This procedure applies to both handover directions: from fifth generation to sixth generation radio access technology and from sixth generation to fifth generation radio access technology. The operations shown correspond to the handover procedures described in connection with FIGs. 7 (A) , 7 (B) , 8 (A) , and 8 (B) , which may utilize either the N2 interface through the e5GC 520 or the Xn*interface 802 for direct inter-RAN communication.
[0135] In operation 1002, the UE 604 receives an inter-RAT handover command from its serving radio access network. When transitioning from the 5G RAN 512 to the 6G RAN 514, this command takes the form of a MobilityFromNRCommand message. When transitioning from the 6G RAN 514 to the 5G RAN 512, the command takes the form of a MobilityFrom6GCommand message. The handover command contains three essential components. First, it includes an explicit target RAT indication specifying whether the destination is 5G or 6G radio access technology. Second, it contains a complete RRC reconfiguration message formatted for the target RAT: a 6GRRCReconfiguration message when the target is 6G, or an RRCReconfiguration message when the target is 5G. This embedded reconfiguration message provides all radio configuration parameters necessary for establishing connectivity with the target cell, including physical layer settings, radio bearer configurations, random access parameters, and timing advance information.
[0136] The third component of the handover command comprises target cell key generation parameters that enable secure communication with the target radio access network. These parameters can be provided through two alternative approaches. In the first approach, the command includes a nexthopChainingCount (NCC) value within the masterKeyUpdate information element of the embedded reconfiguration message. The NCC serves as an index into the key hierarchy maintained by both the UE 604 and the network, indicating which next hop (NH) parameter should be used for access stratum key derivation. In the second approach, the command includes a NAS container (nas-SecurityParamFromNR when transitioning from 5G, or nas-SecurityParamFrom6G when transitioning from 6G) containing the least significant n bits of the downlink NAS COUNT, where n typically equals 16. This partial counter value enables the UE 604 to derive a new NAS-level key KAMF before generating the access stratum keys.
[0137] In operation 1004, the UE 604 reuses its existing mobility management and session management contexts without modification. Because both the 5G RAN 512 and the 6G RAN 514 connect to the same e5GC 520, the core network maintains unified contexts for the UE 604 regardless of which radio access technology serves the device. The AMF preserves the registration state, tracking area list, and mobility parameters, while the SMF maintains the protocol data unit (PDU) sessions with their quality of service configurations. This context reuse eliminates the complex mapping procedures required in traditional inter-system handovers between different core network architectures, where mobility and session contexts would need translation between incompatible formats.
[0138] In operation 1006, the UE 604 generates the security keys for communication with the target radio access network. When the handover command provided an NCC value, the UE 604 performs access stratum key derivation by first identifying the appropriate key from its security hierarchy based on the NCC. If the NCC corresponds to the currently active key, the UE 604 performs horizontal derivation from the current base station key. If the NCC indicates a next position in the hierarchy, the UE 604 performs vertical derivation using the corresponding NH parameter. The UE 604 computes the target access stratum root key using the selected input key along with the target cell’s physical cell identity and downlink frequency as additional parameters in the key derivation function.
[0139] When the handover command provided a NAS container with partial downlink NAS COUNT, operation 1006 includes an additional step of horizontal AMF key generation. The UE 604 first reconstructs the complete 32-bit downlink NAS COUNT by combining the received least significant bits with the most significant bits from its locally maintained counter. Using this reconstructed counter value, the UE 604 derives a new horizontal KAMF from its current NAS key. From this new KAMF, the UE 604 then derives a new base station key KNB, which subsequently serves as input for generating the target This two-stage key derivation provides enhanced security isolation by refreshing both NAS and AS security contexts during the handover.
[0140] In operation 1008, the UE 604 performs random access procedures at the target cell using the configuration parameters received in the RRC reconfiguration message from operation 1002. The UE 604 tunes to the target cell’s frequency, synchronizes with the downlink signals, and transmits a random access preamble according to the provided RACH configuration. The RACH procedure may be contention-free if the reconfiguration message included a dedicated preamble, or contention-based if the UE 604 must randomly select a preamble from the available set. Upon receiving the random access response from the target cell, the UE 604 applies the timing advance and establishes uplink synchronization. Throughout this procedure, the UE 604 applies the security keys derived in operation 1006 to protect the signaling exchanges with the target radio access network.
[0141] In operation 1010, after successfully completing the random access procedure and establishing secure communication with the target cell, the UE 604 transmits a reconfiguration response to confirm handover completion. When the target is the 6G RAN 514, the UE 604 sends a 6GRRCReconfigurationComplete message. When the target is the 5G RAN 512, the UE 604 sends an RRCReconfigurationComplete message. This response message, protected by the newly established security context, indicates that the UE 604 has successfully applied the target configuration and completed the transition to the new radio access technology. The target radio access network then performs path switch procedures with the e5GC 520 to redirect user plane traffic, while the core network contexts remain unchanged throughout the entire handover procedure.
[0142] FIG. 11 is a flowchart 1100 illustrating a procedure for inter-radio access technology (RAT) RRC connection reestablishment executed by the UE 604 when recovering from a radio link failure by transitioning between the 5G RAN 512 and the 6G RAN 514 in the dual access wireless communication system. The flowchart 1100 depicts the operational sequence from the UE’s perspective as it attempts to recover its connection through a different radio access technology generation after experiencing radio link failure. This procedure applies to both reestablishment directions: from fifth generation to sixth generation radio access technology when radio link failure occurs in a 5G cell, and from sixth generation to fifth generation radio access technology when radio link failure occurs in a 6G cell. The operations shown correspond to the cross-generation reestablishment procedures described in connection with FIGs. 9 (A) and 9 (B) , which utilize the Xn*interface 802 for direct context transfer between different generation radio access networks.
[0143] In operation 1102, the UE 604 selects a suitable cell which belongs to an inter-RAT configuration, meaning the candidate cell operates using a different radio access technology generation than the cell where radio link failure occurred. After detecting radio link failure with its serving cell, the UE 604 initiates cell selection procedures to identify potential cells for reestablishment. The UE 604 performs measurements on neighboring cells, evaluating their signal quality and determining whether they meet the cell selection criteria defined in the system specifications. When the only suitable cells available belong to a different technology generation, the UE 604 identifies a candidate inter-RAT cell for potential reestablishment. For instance, if radio link failure occurred while connected to the 6G RAN 514, the UE 604 may select a cell from the 5G RAN 512 as the reestablishment candidate. Conversely, if the failure occurred in the 5G RAN 512, the UE 604 may select a cell from the 6G RAN 514.
[0144] In operation 1104, the UE 604 determines whether the selected target cell resides in the same registration area as the source cell where the radio link failure occurred. This verification constitutes a fundamental requirement for cross-generation reestablishment because cells in different registration areas may be managed by different AMF instances within the core network infrastructure. The UE 604 performs this determination by acquiring System Information Block Type 1 (SIB1) from the target cell, which broadcasts the cell’s tracking area code. The UE 604 compares this tracking area code against the list of tracking area codes that constitute its current registration area, which was previously provided by the AMF during the most recent registration procedure with the e5GC 520.
[0145] During registration, the AMF transmits a registration accept message containing one or more tracking area codes that together define the registration area managed by that AMF instance. This list may comprise a single tracking area code or multiple tracking area codes depending on the network configuration and deployment. The UE 604 maintains this registration area list in its mobility management context. When the tracking area code broadcast by the target cell matches any of the tracking area codes in the UE’s stored registration area list, the target cell is determined to reside in the same registration area. This matching confirms that both the source cell and target cell connect to the same AMF instance within the e5GC 520, enabling the cross-generation reestablishment procedure to proceed without requiring inter-AMF coordination.
[0146] If operation 1104 determines that the target cell does not reside in the same registration area, the procedure advances to operation 1106. In operation 1106, the UE 604 either selects another cell for potential reestablishment or transitions to RRC idle state. When selecting another cell, the UE 604 returns to operation 1102 and repeats the cell selection process, attempting to identify a different candidate cell that might belong to the same registration area. This iterative approach allows the UE 604 to explore multiple potential reestablishment targets before abandoning the reestablishment attempt. Alternatively, if no suitable cells in the same registration area are available, the UE 604 transitions to RRC idle state, releasing all radio resource control context information associated with the failed connection. Once in idle state, the UE 604 must initiate a new connection establishment procedure from the beginning, which includes performing random access, establishing RRC connection, and potentially performing registration procedures if the new cell belongs to a different registration area.
[0147] If operation 1104 determines that the target cell resides in the same registration area, the procedure advances to operation 1108. In operation 1108, the UE 604 generates a security token using the source RAT specific algorithm. This security token, designated as shortMAC-I, represents the sixteen least significant bits of a Message Authentication Code for Integrity (MAC-I) computed using security parameters from the source cell where radio link failure occurred. The MAC-I calculation employs the RRC integrity protection algorithm and the integrity protection key KRRCintthat were active in the source cell connection prior to the radio link failure. The inputs to the MAC-I computation include the physical cell identity of the source cell (sourcePCI) , the physical cell identity of the target cell, and the Cell Radio Network Temporary Identifier (C-RNTI) that identified the UE 604 in the source cell.
[0148] The use of the source cell’s security algorithm and keys for generating the shortMAC-I serves a critical authentication purpose. Since the target cell will request the UE context from the source cell, the source cell must be able to verify that the reestablishment request originates from the legitimate UE 604 that previously held that context. By computing the shortMAC-I using the source cell’s security context, the UE 604 creates a cryptographic proof that can only be verified by the source cell using its stored security keys for that particular C-RNTI. This approach maintains security continuity and prevents unauthorized devices from attempting to claim another UE’s context during reestablishment.
[0149] In operation 1110, the UE 604 transmits a reestablishment request message to the target cell. When the target cell belongs to the 6G RAN 514, this message takes the form of a 6GRRCReestablishmentRequest formatted according to sixth generation specifications. When the target cell belongs to the 5G RAN 512, the message takes the form of an RRCReestablishmentRequest formatted according to fifth generation specifications. The reestablishment request message includes three essential parameters: the security token (shortMAC-I) generated in operation 1108, the physical cell identity of the source cell (sourcePCI) , and the C-RNTI that identified the UE 604 in the source cell. The sourcePCI enables the target radio access network to identify which base station holds the UE’s context, while the C-RNTI allows that source base station to locate the specific UE context among the multiple UE contexts it maintains.
[0150] Upon receiving this reestablishment request, the target radio access network initiates context retrieval procedures with the source radio access network over the Xn*interface 802. The target cell uses the sourcePCI to identify the source base station through a database that maps physical cell identities to radio access network nodes. The target cell then forwards the shortMAC-I and C-RNTI to the identified source cell through a UE context request message. The source cell retrieves the context associated with the C-RNTI and verifies the shortMAC-I using its stored KRRCint for that UE context. Upon successful verification, the source cell computes a new access stratum key for the target cell and transmits the complete UE context back to the target cell, including the derived key, the nexthopChainingCount (NCC) , and the security algorithms that were used in the source cell.
[0151] In operation 1112, the UE 604 receives a reestablishment message from the target cell. When the target belongs to the 6G RAN 514, this message takes the form of a 6GRRCReestablishment. When the target belongs to the 5G RAN 512, the message takes the form of an RRCReestablishment. This reestablishment message contains the NCC value received by the target cell during the context retrieval phase and is integrity protected at the packet data convergence protocol (PDCP) layer using a newly calculated RRC integrity protection key KRRCint.
[0152] Upon receiving this message, the UE 604 performs key derivation to establish the same security context as the target cell. The UE 604 uses the received NCC value to identify the appropriate position in its key hierarchy for deriving the base station key KNB. Based on the NCC value, the UE 604 either performs horizontal derivation from its currently active key or vertical derivation using the next hop (NH) parameter corresponding to the indicated NCC. Using this KNBand the target cell parameters, the UE 604 derives the same access stratum root key that was computed by the source cell during context transfer. From the derived the UE 604 generates new RRC security keys, specifically the integrity protection key KRRCint and the ciphering key KRRCenc.
[0153] An aspect of this security establishment is that the UE 604 applies the access stratum security algorithms that were used in the source cell, not new algorithms potentially specified for the target cell. This algorithm preservation maintains cryptographic continuity across the technology generation boundary. The target cell, having received these algorithm identifiers from the source cell during context transfer, uses the same algorithms to protect the reestablishment message. This approach prevents potential security vulnerabilities that could arise from algorithm changes during the recovery procedure and simplifies the security state transition. Using the newly derived KRRCintand the source cell’s integrity algorithm, the UE 604 verifies the integrity protection applied to the received reestablishment message.
[0154] In operation 1114, the UE 604 determines whether the integrity check performed in operation 1112 has passed successfully. This determination involves computing the expected MAC-I value for the received reestablishment message using the derived security keys and the source cell’s integrity algorithm, then comparing it with the MAC-I value included in the message by the target cell. If these values match, the integrity check passes, confirming that the message was generated by the legitimate target base station using the correct security context retrieved from the source cell. A successful integrity check provides cryptographic assurance that the reestablishment message has not been tampered with and that the target cell possesses the authentic UE context from the source cell.
[0155] If operation 1114 determines that the integrity check has failed, the procedure advances to operation 1116. In operation 1116, the UE 604 aborts the reestablishment procedure because the integrity verification failure indicates a potential security threat. A failed integrity check could result from various conditions: an attacker attempting to impersonate a legitimate base station, corruption of the context during transfer between source and target cells over the Xn*interface 802, or a mismatch in key derivation calculations between the UE 604 and the network. Rather than proceeding with a potentially compromised connection, the UE 604 abandons the reestablishment attempt with the current target cell. The UE 604 then either selects another cell and returns to operation 1102 to attempt reestablishment through a different target, or transitions to RRC idle state to initiate a complete connection establishment procedure from the beginning.
[0156] If operation 1114 determines that the integrity check has passed successfully, the procedure advances to operation 1118. In operation 1118, the UE 604 transmits a reestablishment complete message to the target cell. When the target belongs to the 6G RAN 514, this message takes the form of a 6GRRCReestablishmentComplete. When the target belongs to the 5G RAN 512, the message takes the form of an RRCReestablishmentComplete. This completion message is integrity protected using the established security context, specifically using the derived KRRCint and the source cell’s integrity algorithm that has been preserved throughout the reestablishment procedure. The reestablishment complete message confirms to the target radio access network that the UE 604 has successfully applied the target configuration, derived the correct security keys matching those at the network side, and established a secure connection with the target cell.
[0157] Upon receiving this completion message, the target radio access network performs path switch procedures with the e5GC 520 to redirect user plane traffic to the new serving cell. During this path switch, the AMF updates the serving radio access network information while maintaining unchanged mobility management context for the UE 604. Similarly, the SMF preserves all established PDU sessions with their associated quality of service profiles, merely updating the user plane path to route through the new serving radio access network. This context preservation at the core network level distinguishes cross-generation reestablishment in the dual access architecture from traditional inter-system procedures, enabling rapid recovery from radio link failures even when transitioning between different technology generations.
[0158] FIGs. 12 (A) and 12 (B) are a flow chart 1200 of a method for inter-radio access technology RRC connection reestablishment. The method may be performed by a UE, such as the UE 604 described in connection with FIGs. 9 (A) and 9 (B) .
[0159] In operation 1202, in response to a radio link failure with a source cell of a source RAT, the UE selects a target cell of a target RAT. The target RAT is different from the source RAT. After detecting radio link failure with its serving cell, the UE initiates cell selection procedures to identify potential cells for reestablishment. When the only suitable cells available belong to a different technology generation, the UE identifies a candidate inter-RAT cell for potential reestablishment.
[0160] In operation 1204, the UE verifies that the target cell is in a same registration area as the source cell. This verification constitutes a requirement for cross-generation reestablishment because cells in different registration areas may be managed by different AMF instances within the core network infrastructure, such as the e5GC 520.
[0161] If operation 1204 determines that the target cell does not reside in the same registration area, the procedure advances to operation 1206. In operation 1206, the UE performs one of: selecting another cell for reestablishment; or entering an RRC idle state. When selecting another cell, the UE returns to operation 1202 and repeats the cell selection process, attempting to identify a different candidate cell that might belong to the same registration area. Alternatively, if no suitable cells in the same registration area are available, the UE transitions to RRC idle state, releasing all radio resource control context information associated with the failed connection.
[0162] If operation 1204 determines that the target cell resides in the same registration area, the procedure advances to operation 1208. In operation 1208, in response to verifying that the target cell is in the same registration area, the UE generates a security token using a security context of the source cell.
[0163] In operation 1210, the UE transmits, to the target cell, a reestablishment request message comprising one or more of the security token, a PCI of the source cell, and a C-RNTI of the UE in the source cell. When the target cell belongs to the 6G RAN 514, this message takes the form of a 6GRRCReestablishmentRequest formatted according to sixth generation specifications. When the target cell belongs to the 5G RAN 512, the message takes the form of an RRCReestablishmentRequest formatted according to fifth generation specifications.
[0164] In operation 1212, the UE receives, from the target cell, a reestablishment message comprising an NCC. When the target belongs to the 6G RAN 514, this message takes the form of a 6GRRCReestablishment. When the target belongs to the 5G RAN 512, the message takes the form of an RRCReestablishment. This reestablishment message contains the NCC value received by the target cell during the context retrieval phase and is integrity protected at the PDCP layer using a newly calculated RRC integrity protection key.
[0165] In operation 1214, the UE verifies an integrity of the reestablishment message by deriving a security key based on the NCC and using a security algorithm associated with the source cell. The UE uses the received NCC value to identify the appropriate position in its key hierarchy for deriving the base station key. Based on the NCC value, the UE either performs horizontal derivation from its currently active key or vertical derivation using the next hop parameter corresponding to the indicated NCC.
[0166] If operation 1214 determines that the integrity check has failed, the procedure advances to operation 1216. In operation 1216, in response to a failed verification of the integrity, the UE aborts the reestablishment procedure. A failed integrity check could result from various conditions: an attacker attempting to impersonate a legitimate base station, corruption of the context during transfer between source and target cells over the Xn*interface 802, or a mismatch in key derivation calculations between the UE and the network. The UE then either selects another cell and returns to operation 1202 to attempt reestablishment through a different target, or transitions to RRC idle state to initiate a complete connection establishment procedure from the beginning.
[0167] If operation 1214 determines that the integrity check has passed successfully, the procedure advances to operation 1218. In operation 1218, in response to a successful verification of the integrity, the UE transmits, to the target cell, a reestablishment complete message. When the target belongs to the 6G RAN 514, this message takes the form of a 6GRRCReestablishmentComplete. When the target belongs to the 5G RAN 512, the message takes the form of an RRCReestablishmentComplete. This completion message is integrity protected using the established security context.
[0168] In certain implementations, to verify the integrity of the reestablishment message, the UE further derives an access stratum root key for the target cell based on the NCC. The UE derives the same access stratum root key that was computed by the source cell during context transfer. The UE further derives an RRC integrity protection key from the access stratum root key using the security algorithm from the source cell. From the derived the UE generates new RRC security keys, specifically the integrity protection key KRRCint and the ciphering key KRRCenc. The UE applies the access stratum security algorithms that were used in the source cell, maintaining cryptographic continuity across the technology generation boundary.
[0169] In certain implementations, to verify that the target cell is in the same registration area, the UE further acquires a tracking area code from system information broadcast by the target cell. The UE performs this verification by acquiring System Information Block Type 1 (SIB1) from the target cell, which broadcasts the cell’s tracking area code. The UE further compares the acquired tracking area code with a list of tracking area codes defining the registration area, the list being previously provided to the UE by a core network, such as the e5GC 520. During registration, the AMF within the e5GC 520 transmits a registration accept message containing one or more tracking area codes that together define the registration area managed by that AMF instance. The UE maintains this registration area list in its mobility management context. When the tracking area code broadcast by the target cell matches any of the tracking area codes in the UE’s stored registration area list, the target cell is determined to reside in the same registration area.
[0170] In certain implementations, the security token comprises a shortMAC-I computed using an RRC integrity protection key from the source cell. The shortMAC-I represents the sixteen least significant bits of a MAC-I computed using the integrity protection algorithm and KRRCint key from the source cell. The MAC-I calculation takes as input the PCI of the source cell, the target cell identity, and the source C-RNTI, cryptographically binding the reestablishment request to the specific source cell, target cell, and UE identity.
[0171] In certain implementations, the source RAT is a 5G RAT and the target RAT is a 6G RAT, or the source RAT is the 6G RAT and the target RAT is the 5G RAT. This bidirectional reestablishment capability addresses scenarios where radio link failures occur in one radio access technology and recovery must occur through a different technology generation, as illustrated in FIGs. 9 (A) and 9 (B) .
[0172] FIG. 13 is a flow chart 1300 of a method for radio resource control (RRC) connection reestablishment across different radio access technology generations. The method may be performed by a target RAN, such as the 5G RAN 512 in FIG. 9 (A) or the 6G RAN 514 in FIG. 9 (B) .
[0173] In operation 1302, the target RAN receives, from a UE, a reestablishment request message comprising one or more of a security token, a PCI of a source cell, and a C-RNTI of the UE in the source cell. For example, the UE 604 may transmit an RRCReestablishmentRequest message when experiencing radio link failure in a 6G cell and attempting to reestablish through a 5G cell, as described in FIG. 9 (A) . Alternatively, the UE 604 may transmit a 6GRRCReestablishmentRequest message when experiencing radio link failure in a 5G cell and attempting to reestablish through a 6G cell, as described in FIG. 9 (B) . The security token comprises a shortMAC-I representing sixteen least significant bits of a MAC-I computed using security parameters from the source cell.
[0174] In operation 1304, the target RAN transmits, to a source RAN identified by the PCI of the source cell over an inter-RAN interface, a context request message comprising the security token and the C-RNTI. For example, as shown in FIG. 9 (A) , the target 5G RAN 512 transmits a UE CONTEXT REQUEST message 904 to the source 6G RAN 514 in step 2. The target RAN uses the received PCI to identify the source RAN through a database that maps physical cell identities to radio access network nodes.
[0175] In operation 1306, the target RAN receives, from the source RAN over the inter-RAN interface, a context response message comprising one or more of a UE context, a derived target access stratum key, an NCC, and a source cell security algorithm. For example, as shown in FIG. 9 (A) , the target 5G RAN 512 receives a UE CONTEXT RESPONSE message from the source 6G RAN 514 in step 3. The UE context includes bearer configurations, PDCP state information, and quality of service parameters. The derived target access stratum key comprises calculated by the source RAN for the target cell.
[0176] In operation 1308, the target RAN transmits, to the UE, a reestablishment message comprising the NCC, wherein the reestablishment message is integrity protected using a security key derived from the target access stratum key and the source cell security algorithm. For example, as shown in FIG. 9 (A) , the target 5G RAN 512 transmits an RRCReestablishment message 908 to the UE 604 in step 4. The target RAN derives RRC security keys, specifically KRRCint and KRRCenc, from the received using the security algorithms from the source cell. The reestablishment message is integrity protected at the PDCP layer using the newly derived KRRCint key.
[0177] In operation 1310, the target RAN receives, from the UE, a reestablishment complete message. For example, as shown in FIG. 9 (A) , the target 5G RAN 512 receives an RRCReestablishmentComplete message 910 from the UE 604 in step 5. The target RAN verifies this message using the security keys that were derived from the context received from the source RAN, completing the security context establishment in the target cell.
[0178] In certain implementations, the inter-RAN interface is an Xn interface configured to interconnect RANs of different generations. For example, the Xn*interface 802 shown in FIGs. 9 (A) and 9 (B) enables direct communication between the 5G RAN 512 and the 6G RAN 514, facilitating context transfer during the reestablishment procedure.
[0179] In certain implementations, before receiving the context response message, the source RAN performs receiving the context request message, verifying the security token using a stored security context for the UE, deriving the target access stratum key for a target cell of the target RAN, and generating the context response message. The source RAN retrieves the UE context associated with the received C-RNTI and verifies the shortMAC-I by recomputing the MAC-I using its stored KRRCint key and comparing the result with the received token. Upon successful verification, the source RAN calculates the new access stratum root key for the target cell using the target cell’s PCI, the target cell’s ARFCN-DL, and either the current KNB or the NH parameter from the UE’s AS security context.
[0180] In certain implementations, the source RAN and the target RAN are connected to a common core network, and an MM context and an SM context for the UE are maintained in the common core network without modification during the reestablishment. For example, both the 5G RAN 512 and the 6G RAN 514 connect to the same e5GC 520 as shown in FIGs. 9 (A) and 9 (B) . The AMF within the e5GC 520 continues to maintain the same mobility context for the UE 604, and the SMF continues to manage the same session context, eliminating the need for context mapping or translation between different core network architectures.
[0181] In certain implementations, the target RAN performs a path switch procedure toward the common core network after receiving the reestablishment complete message. The target RAN updates the serving radio access network information with the e5GC 520 to redirect user plane traffic to the target cell, while the core network contexts remain unchanged throughout the reestablishment procedure.
[0182] FIG. 14 is a flow chart 1400 of a method for inter-radio access technology handover in a dual access wireless communication system. The method may be performed by a UE, such as the UE 604 described in connection with FIGs. 7 (A) , 7 (B) , 8 (A) , and 8 (B) .
[0183] In operation 1402, the UE receives, from a source RAN operating on a first RAT, an inter-RAT handover command for a handover to a target RAN operating on a second RAT. The source RAN and the target RAN are connected to a common core network. For example, the source RAN may be the 5G RAN 512 and the target RAN may be the 6G RAN 514, both connected to the e5GC 520 as shown in FIG. 5. The handover command comprises one or more of an indication of the second RAT, a target RAT-specific RRC reconfiguration message, and a key generation parameter. The target RAT-specific RRC reconfiguration message contains radio configuration parameters necessary for establishing connectivity with the target cell, including physical layer settings, radio bearer configurations, random access parameters, and timing advance information.
[0184] In operation 1404, the UE reuses a MM context and a SM context associated with the common core network without performing context mapping. Because both the source RAN and the target RAN connect to the same core network, the core network maintains unified contexts for the UE regardless of which RAT serves the device. The AMF preserves the registration state, tracking area list, and mobility parameters, while the SMF maintains the PDU sessions with their QoS configurations. This context reuse eliminates the complex mapping procedures required in traditional inter-system handovers between different core network architectures.
[0185] In operation 1406, the UE generates a security key for communication with the target RAN based on the key generation parameter. In certain implementations, the key generation parameter comprises a NCC, and the UE generates the security key based on the NCC without deriving a new NAS key. The UE performs AS key derivation by identifying the appropriate key from its security hierarchy based on the NCC. If the NCC corresponds to the currently active key, the UE performs horizontal derivation from the current base station key. If the NCC indicates a next position in the hierarchy, the UE performs vertical derivation using the corresponding NH parameter. The UE computes the target AS root key using the selected input key along with the target cell’s physical cell identity and downlink frequency as additional parameters in the key derivation function.
[0186] In certain implementations, the key generation parameter comprises a NAS container including a portion of a downlink NAS sequence number. To generate the security key, the UE derives a new NAS-level key based on the downlink NAS sequence number and derives an AS level security key from the new NAS-level key. The UE reconstructs the complete downlink NAS COUNT by combining the received least significant bits with the most significant bits from its locally maintained counter. Using this reconstructed counter value, the UE derives a new horizontal KAMF from its current NAS key. From this new KAMF, the UE then derives a new base station key KNB, which subsequently serves as input for generating the target
[0187] In operation 1408, the UE performs a random access procedure at a target cell of the target RAN based on a configuration in the target RAT-specific RRC reconfiguration message. The UE tunes to the target cell’s frequency, synchronizes with the downlink signals, and transmits a random access preamble according to the provided RACH configuration. Upon receiving the random access response from the target cell, the UE applies the timing advance and establishes uplink synchronization. Throughout this procedure, the UE applies the security keys derived in operation 1406 to protect the signaling exchanges with the target RAN.
[0188] In operation 1410, the UE transmits an RRC reconfiguration complete message to the target RAN. This response message, protected by the newly established security context, indicates that the UE has successfully applied the target configuration and completed the transition to the new RAT. The target RAN then performs path switch procedures with the common core network to redirect user plane traffic, while the core network contexts remain unchanged throughout the entire handover procedure.
[0189] In certain implementations, the first RAT is a 5G RAT and the second RAT is a 6G RAT. For example, the UE may transition from the 5G RAN 512 to the 6G RAN 514 as shown in FIG. 7 (A) or FIG. 8 (A) . In certain implementations, the first RAT is a 6G RAT and the second RAT is a 5G RAT. For example, the UE may transition from the 6G RAN 514 to the 5G RAN 512 as shown in FIG. 7 (B) or FIG. 8 (B) .
[0190] FIG. 15 is a flow chart 1500 of a method for coordinating an inter-radio access technology handover. The method may be performed by a source RAN, such as the 5G RAN 512 when handing over to the 6G RAN 514, or the 6G RAN 514 when handing over to the 5G RAN 512, as illustrated in FIGs. 7 (A) , 7 (B) , 8 (A) , and 8 (B) .
[0191] In operation 1502, the source RAN coordinates an inter-RAT handover of a UE to a target RAN. The source RAN operates on a first RAT, the target RAN operates on a second RAT different from the first RAT, and the source RAN and the target RAN are connected to a common core network that maintains an MM context and an SM context for the UE. For example, when the source RAN is the 5G RAN 512, the first RAT is fifth generation radio access technology, and when the target RAN is the 6G RAN 514, the second RAT is sixth generation radio access technology. The common core network may be the e5GC 520, which maintains the MM context and SM context for the UE 604 regardless of which radio access technology serves the device.
[0192] In certain implementations, to coordinate the inter-RAT handover, the source RAN further exchanges handover signaling with the target RAN through the common core network via an N2 interface. This approach is illustrated in FIGs. 7 (A) and 7 (B) , where the handover preparation signaling flows between the source and target RANs through the e5GC 520.
[0193] In certain implementations, to coordinate the inter-RAT handover, the source RAN further exchanges handover signaling with the target RAN via a direct inter-RAN interface. For example, the source RAN may communicate with the target RAN over the Xn*interface 802, as shown in FIGs. 8 (A) and 8 (B) . The Xn*interface 802 enables direct coordination between radio access networks of different technology generations.
[0194] In operation 1504, the source RAN obtains a target RAT-specific RRC reconfiguration message and a key generation parameter for the UE. The target RAT-specific RRC reconfiguration message contains the complete radio resource configuration for the target cell. When the target RAN operates on sixth generation radio access technology, the RRC reconfiguration message may be a 6GRRCReconfiguration message. When the target RAN operates on fifth generation radio access technology, the RRC reconfiguration message may be an RRCReconfiguration message. The key generation parameter enables the UE to derive security keys for communication with the target RAN.
[0195] In certain implementations, to obtain the key generation parameter, the source RAN further receives an NCC from an AMF in the common core network. The AMF may increment its locally maintained NCC value and compute a corresponding NH parameter, then send the NCC value and NH parameter to the target RAN through the N2 interface, as described in connection with FIGs. 7 (A) and 7 (B) . The target RAN includes the NCC value in the masterKeyUpdate information element within the target RAT-specific RRC reconfiguration message, which is then provided to the source RAN.
[0196] In certain implementations, the source RAN further derives a target access stratum key for the target RAN. The source RAN may generate the target base station key using either horizontal key derivation from the currently active or vertical key derivation from the NH parameter, as described in connection with FIGs. 8 (A) and 8 (B) . In certain implementations, the source RAN further forwards the target access stratum key to the target RAN via the direct inter-RAN interface. The source RAN may send both the derived key and the corresponding NCC value to the target RAN over the Xn*interface 802, as illustrated in the handover procedures of FIGs. 8 (A) and 8(B) .
[0197] In operation 1506, the source RAN transmits, to the UE, an inter-RAT handover command comprising an indication of the second RAT, the target RAT-specific RRC reconfiguration message, and the key generation parameter. When the source RAN operates on fifth generation radio access technology, the handover command may be a MobilityFromNRCommand message, as shown in FIGs. 7 (A) and 8 (A) . When the source RAN operates on sixth generation radio access technology, the handover command may be a MobilityFrom6GCommand message, as shown in FIGs. 7 (B) and 8 (B) . The indication of the second RAT explicitly informs the UE that the handover destination operates on a different radio access technology. The target RAT-specific RRC reconfiguration message is encapsulated within the handover command and provides all parameters necessary for the UE to establish connectivity using the target radio access technology. The MM context and the SM context for the UE are reused for the handover without context mapping because both the source RAN and target RAN connect to the same common core network, which maintains unified contexts for the UE regardless of which radio access technology serves the device.
[0198] The user equipment (UE) 604, which performs the handover and reestablishment procedures, may be implemented with hardware components similar to those of the UE 250 described in FIG. 2. The UE 604 includes a controller / processor 259, a memory 260, and a transceiver comprising one or more antennas 252, receivers 254RX, and transmitters 254TX. The controller / processor 259, which may be a central processing unit (CPU) or a system-on-chip (SoC) , is configured to execute instructions stored in the memory 260 to perform the radio resource control (RRC) layer functions of the disclosed methods. For inter-RAT reestablishment, the controller / processor 259 is configured to select a target cell, verify that the target cell is in the same registration area by comparing a broadcast tracking area code with a list stored in memory 260, generate a security token (shortMAC-I) using the source cell’s security context, and verify the integrity of a received reestablishment message using a nexthopChainingCount (NCC) and the source cell’s security algorithms. For inter-RAT handover, the controller / processor 259 is configured to process a handover command, reuse the mobility management (MM) and session management (SM) contexts, and generate new security keys based on an NCC or a NAS sequence number. The transceiver, controlled by the processor 259, handles the physical transmission and reception of the RRC messages, such as the RRCReestablishmentRequest and MobilityFromNRCommand, over the wireless communication links 120.
[0199] The network entities, including the radio access network (RAN) nodes (e.g., 5G RAN 512, 6G RAN 514) and the core network nodes (e.g., e5GC 520) , comprise hardware components configured to support the disclosed handover and reestablishment procedures. The RAN nodes, which directly communicate with the UE 604, may be implemented with hardware similar to the base station 210, including a controller / processor 275, a memory 276, and a transceiver (e.g., antennas 220, transmitters 218TX, receivers 218RX) . The controller / processor 275 of a target RAN node is configured to receive a reestablishment request from a UE, request the UE context from a source RAN node over an inter-RAN interface (e.g., Xn*802) , and transmit an integrity-protected reestablishment message. The controller / processor 275 of a source RAN node is configured to verify a security token, derive a target access stratum key, and forward the UE context from its memory 276 to the target RAN. For handovers, the RAN processor 275 coordinates with the target RAN either directly or through the core network and sends the inter-RAT handover command to the UE. The core network nodes of the e5GC 520, such as the Access and Mobility Management Function (AMF) 192 and Session Management Function (SMF) 194, are typically implemented on server-grade hardware comprising one or more processors, non-transitory memory, and high-speed network interfaces. These processors execute instructions to maintain the unified MM and SM contexts for the UE in memory, coordinate N2-based handovers by relaying signaling between RANs, provide security parameters like the NCC to the RAN, and process path switch requests to update the UE’s serving RAN.
[0200] It is understood that the specific order or hierarchy of blocks in the processes / flowcharts disclosed is an illustration of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of blocks in the processes / flowcharts may be rearranged. Further, some blocks may be combined or omitted. The accompanying method claims present elements of the various blocks in a sample order, and are not meant to be limited to the specific order or hierarchy presented.
[0201] The previous description is provided to enable any person skilled in the art to practice the various aspects described herein. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects. Thus, the claims are not intended to be limited to the aspects shown herein, but is to be accorded the full scope consistent with the language claims, wherein reference to an element in the singular is not intended to mean “one and only one” unless specifically so stated, but rather “one or more. ” The word “exemplary” is used herein to mean “serving as an example, instance, or illustration. ” Any aspect described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects. Unless specifically stated otherwise, the term “some” refers to one or more. Combinations such as “at least one of A, B, or C, ” “one or more of A, B, or C, ” “at least one of A, B, and C, ” “one or more of A, B, and C, ” and “A, B, C, or any combination thereof” include any combination of A, B, and / or C, and may include multiples of A, multiples of B, or multiples of C. Specifically, combinations such as “at least one of A, B, or C, ” “one or more of A, B, or C, ” “at least one of A, B, and C, ” “one or more of A, B, and C, ” and “A, B, C, or any combination thereof” may be A only, B only, C only, A and B, A and C, B and C, or A and B and C, where any such combinations may contain one or more member or members of A, B, or C. All structural and functional equivalents to the elements of the various aspects described throughout this disclosure that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the claims. Moreover, nothing disclosed herein is intended to be dedicated to the public regardless of whether such disclosure is explicitly recited in the claims. The words “module, ” “mechanism, ” “element, ” “device, ” and the like may not be a substitute for the word “means. ” As such, no claim element is to be construed as a means plus function unless the element is expressly recited using the phrase “means for.”
Claims
A method of wireless communication performed by a user equipment (UE) , the method comprising:in response to a radio link failure with a source cell of a source radio access technology (RAT) , selecting a target cell of a target RAT, wherein the target RAT is different from the source RAT;verifying that the target cell is in a same registration area as the source cell;in response to verifying that the target cell is in the same registration area, generating a security token using a security context of the source cell; andtransmitting, to the target cell, a reestablishment request message comprising one or more of the security token, a physical cell identity (PCI) of the source cell, and a Cell-Radio Network Temporary Identifier (C-RNTI) of the UE in the source cell.The method of claim 1, further comprising:receiving, from the target cell, a reestablishment message comprising a nexthopChainingCount (NCC) ;verifying an integrity of the reestablishment message by deriving a security key based on the NCC and using a security algorithm associated with the source cell; andin response to a successful verification of the integrity, transmitting, to the target cell, a reestablishment complete message.The method of claim 2, wherein verifying the integrity of the reestablishment message comprises:deriving an access stratum root key for the target cell based on the NCC; andderiving an RRC integrity protection key from the access stratum root key using the security algorithm from the source cell.The method of claim 2, further comprising:in response to a failed verification of the integrity, aborting the reestablishment procedure.The method of claim 1, wherein verifying that the target cell is in the same registration area comprises:acquiring a tracking area code from system information broadcast by the target cell; andcomparing the acquired tracking area code with a list of tracking area codes defining the registration area, the list being previously provided to the UE by a core network.The method of claim 1, further comprising:in response to verifying that the target cell is not in the same registration area, performing one of:selecting another cell for reestablishment; orentering a Radio Resource Control (RRC) idle state.The method of claim 1, wherein the security token comprises a short Message Authentication Code for Integrity (shortMAC-I) computed using an RRC integrity protection key from the source cell.The method of claim 1, wherein the source RAT is a fifth-generation (5G) RAT and the target RAT is a sixth-generation (6G) RAT, or wherein the source RAT is the 6G RAT and the target RAT is the 5G RAT.A method of wireless communication performed by a target radio access network (RAN) , the method comprising:receiving, from a user equipment (UE) , a reestablishment request message comprising one or more of a security token, a physical cell identity (PCI) of a source cell, and a Cell-Radio Network Temporary Identifier (C-RNTI) of the UE in the source cell;transmitting, to a source RAN identified by the PCI of the source cell over an inter-RAN interface, a context request message comprising the security token and the C-RNTI;receiving, from the source RAN over the inter-RAN interface, a context response message comprising one or more of a UE context, a derived target access stratum key, a nexthopChainingCount (NCC) , and a source cell security algorithm;transmitting, to the UE, a reestablishment message comprising the NCC, wherein the reestablishment message is integrity protected using a security key derived from the target access stratum key and the source cell security algorithm; andreceiving, from the UE, a reestablishment complete message.The method of claim 9, wherein the inter-RAN interface is an Xn interface configured to interconnect RANs of different generations.The method of claim 9, further comprising, before receiving the context response message, the source RAN performing:receiving the context request message;verifying the security token using a stored security context for the UE;deriving the target access stratum key for a target cell of the target RAN; andgenerating the context response message.The method of claim 9, wherein the source RAN and the target RAN are connected to a common core network, and wherein a mobility management (MM) context and a session management (SM) context for the UE are maintained in the common core network without modification during the reestablishment.The method of claim 12, further comprising:performing a path switch procedure toward the common core network after receiving the reestablishment complete message.A method of wireless communication performed by a user equipment (UE) , the method comprising:receiving, from a source radio access network (RAN) operating on a first RAT, an inter-radio access technology (inter-RAT) handover command for a handover to a target RAN operating on a second RAT, wherein the source RAN and the target RAN are connected to a common core network, and wherein the handover command comprises one or more of:an indication of the second RAT,a target RAT-specific Radio Resource Control (RRC) reconfiguration message, anda key generation parameter;reusing a mobility management (MM) context and a session management (SM) context associated with the common core network without performing context mapping;generating a security key for communication with the target RAN based on the key generation parameter; andtransmitting an RRC reconfiguration complete message to the target RAN.The method of claim 14, further comprising:performing a random access procedure at a target cell of the target RAN based on a configuration in the target RAT-specific RRC reconfiguration message.The method of claim 14, wherein the key generation parameter comprises a nexthopChainingCount (NCC) , and wherein generating the security key is based on the NCC without deriving a new non-access stratum (NAS) key.The method of claim 14, wherein the key generation parameter comprises a Non-Access Stratum (NAS) container including a portion of a downlink NAS sequence number, and wherein generating the security key comprises:deriving a new NAS-level key based on the downlink NAS sequence number; andderiving an Access Stratum (AS) level security key from the new NAS-level key.The method of claim 14, wherein the first RAT is a fifth-generation (5G) RAT and the second RAT is a sixth-generation (6G) RAT, or vice versa.A method of wireless communication performed by a source radio access network (RAN) , the method comprising:coordinating an inter-radio access technology (inter-RAT) handover of a user equipment (UE) to a target RAN, wherein the source RAN operates on a first RAT, the target RAN operates on a second RAT different from the first RAT, and the source RAN and the target RAN are connected to a common core network that maintains a mobility management (MM) context and a session management (SM) context for the UE;obtaining a target RAT-specific Radio Resource Control (RRC) reconfiguration message and a key generation parameter for the UE; andtransmitting, to the UE, an inter-RAT handover command comprising an indication of the second RAT, the target RAT-specific RRC reconfiguration message, and the key generation parameter,wherein the MM context and the SM context for the UE are reused for the handover without context mapping.The method of claim 19, wherein coordinating the inter-RAT handover comprises exchanging handover signaling with the target RAN through the common core network via an N2 interface.The method of claim 20, wherein obtaining the key generation parameter comprises receiving a nexthopChainingCount (NCC) from an Access and Mobility Management Function (AMF) in the common core network.The method of claim 19, wherein coordinating the inter-RAT handover comprises exchanging handover signaling with the target RAN via a direct inter-RAN interface.The method of claim 22, further comprising:deriving a target access stratum key for the target RAN; andforwarding the target access stratum key to the target RAN via the direct inter-RAN interface.