According to the security policy of the PLMN operator, the IMEI verification must be possible during each access attempt, with the exception of IMSI detach, and during an established call at any time when a dedicated radio resource is available. When a UE is IMS registered, it shall also be feasible to execute the IMEI check.

When the network receives any responses from the EIR that are "black-listed" (i.e., on the black list) or "unknown" (i.e., not on the white list), it must end any access attempt or ongoing call. In these situations, the user must be informed that "illegal ME" has occurred. Additionally, since this equates to an authentication failure, the MS is not permitted to make calls, start IMS sessions, or update its location—it is only permitted to make emergency calls. It is also not permitted to respond to paging. Never let the IMEI check process result in terminating an emergency call. [1]

The Identity Check Procedure is typically executed as part of the Attach procedures on 2G&3G&4G Systems, the Combined GPRS / IMSI Attach procedure on 3G&4G systems and the Registration procedure on 5G systems.

• On 5G Systems, the transmission is occured over HTTP 2 links. The main network element is AMF who communicates with the EIR Service.

• On 3G&4G Systems, the transmission is occured over S13/S13" Diameter links. During Attach procedure, the main network element is MME who communicates with the EIR Service and during Combined GPRS / IMSI Attach procedure, the main network element is SGSN.

• On 2G&3G Systems, the transmission is occured over SS7/SIGTRAN MAP links. The main network element is MSC who communicates with the EIR Service.

The architecture of Equipment Identity Check Procedure of EIR on SS7/SIGTRAN MAP, on Diameter interface and on HTTP2 links are shown below.

HTTP 2 Registration Procedure:

During initial registration, a PEI (Permanent Equipment Identifier) ​​is obtained from the UE. AMF operators can use the EIR to validate the PEI. The new Access and Mobility Management Function (AMF) uses the N5g-eir_EquipmentIdentityCheck service to query the EIR to see if the Permanent Equipment Identifier (PEI) is on the banned list or not. AMF forwards the PEI (IMEISV) to UDM, SMF, and PCF, and UDM can save this data to UDR with Nudr_SDM_Update. During the registration procedure, the UE sends an AN message to (R)AN. The N2 message is then forwarded from (R)AN to the new AMF. The new AMF then conditionally sends an Identity Request () to the UE and the UE sends an Identity Response () to the new AMF. AUSF then performs authentication of the UE upon request from AMF. An identity verification procedure will be carried out.

AMF operators use the EIR to validate the PEI. The new Access and Mobility Management Function (AMF) uses the N5g-eir_EquipmentIdentityCheck service to query the EIR to see if the Permanent Equipment Identifier (PEI) is on the banned list or not. AMF forwards the PEI (IMEISV) to UDM, SMF, and PCF. UDM can save this data to UDR with Nudr_SDM_Update. [2,3]

As shown in diagram 2, Defne EIR supports dynamic service detection via central Network Repository Function (NRF), which allows easy management of single services like upgrades and removals.

Diameter Attach Procedure:

If the UE is unknown in both the old MME/SGSN and the new MME/SGSN, the new MME/SGSN sends an Identity Request to the UE to request the IMSI after the UE has made an Attach request to the MME/SGSN. UE responds with Identity Response (IMSI). The setup of NAS security and authentication are therefore optional. Identity Check procedure takes place. The ME-Identity-Check-Request/Answer (ECR/ECA) commands in the Diameter application correspond to the Identity Check procedure. [4,5,6]

SS7/SIGTRAN MAP- Attach Procedure:

The handset tries to register with the MSC or VLR when a subscriber roams to a new MSC or VLR location. This process causes the VLR to transmit a location update message to the HLR in a network lacking the EIR function, informing the HLR of the Mobile Station (MS)/handset's current MSC location. This registration process is stopped to verify the IMEI of the MS/handset attempting when the EIR function is deployed in a network. Following the handset's attempt to register with the MSC or VLR, the identity check process begins. This service is used to request an IMEI check between the VLR and the MSC and between the MSC and the EIR. A MAP CHECK IMEI service indication is transmitted by VLR to the MSC. If the IMEI is not already in the MSC, the MSC will send an IDENTITY REQUEST message to the MS to request it. [7]

• The "Network Element" sends an "Identity Check Request" containing the identity code of the device to the EIR. The message may also include the subscriber's IMSI for the SIM card currently used in the MS/handset.

• During 5G Registration Procedure; Network element is AMF and the 'Check Equipment Identity’ message is transmitted over HTTP2 interface links. Optionally, the SUPI and/or GPSI may also be included in the message.

• During Diameter Attach procedure; Network element is MME and the ‘ECR’ message is transmitted over S13/S13' interface links.

• During Diameter Combined GPRS / IMSI Attach procedure; Network element is SGSN and the ‘Check IMEI’ message is transmitted over S13/S13' interface links.

• During SS7/SIGTRAN MAP Attach Procedure; Network element is MSC and the ‘MAP_CHECK_IMEI service request’ is transmitted over SS7 links.

• Upon receiving the "Check Imei" message, the EIR searches the whitelist, graylist, and blacklist to ensure that the mobile device is recognized.

• During 5G Registration procedure, the equipment identity is checked by checking PEI (Permanent Equipment Identifier) address.

• Within non-3GPP networks (e.g. Wi-Fi based) the PEI could also be a MAC address.

• During MAP and Diameter Attach procedures, the equipment identity is checked by checking IMEI address.

• The EIR returns a response containing a "device status" that indicates whether the requested mobile device is authorized, unauthorized, or not valid.

• During 5G Registration Procedure; EIR returns ME identity check response to the AMF.

• During Diameter Attach procedure; EIR creates an ECA message; and encodes it to send to MME.

• During Diameter Combined GPRS / IMSI Attach procedure; EIR creates an Check IMEI Ack; and encodes it to send to SGSN.

• During SS7/SIGTRAN MAP Attach Procedure; EIR returns MAP_CHECK_IMEI service response to the MSC.

• Upon receiving the Identity Check response from the EIR, the network element examines the device status and determines further action.

• If the mobile equipment is allowed, network element continues the registration procedure.

• If the mobile equipment is disallowed, invalid, or unknown; network element rejects it by sending an Attach Reject.

• Then, typical Attach/Combined GPRS/IMSI Attach procedure continues.

• On MAP Attach Procedure, VLR sends a location update message to the HLR providing the HLR with the current MSC location of the Mobile Station (MS)/handset.

References:

[1 ]https://www.etsi.org/deliver/etsi_ts/122000_122099/122016/10.00.00_60/ts_122016v100000p.pdf

[2] https://www.etsi.org/deliver/etsi_ts/129500_129599/129511/16.02.00_60/ts_129511v160200p.pdf

[3] https://www.etsi.org/deliver/etsi_ts/123500_123599/123502/15.02.00_60/ts_123502v150200p.pdf

[4] https://www.etsi.org/deliver/etsi_ts/123000_123099/123060/10.03.00_60/ts_123060v100300p.pdf

[5] https://www.etsi.org/deliver/etsi_ts/123400_123499/123401/16.08.00_60/ts_123401v160800p.pdf

[6] https://www.etsi.org/deliver/etsi_ts/129200_129299/129272/15.04.00_60/ts_129272v150400p.pdf

[7] https://www.etsi.org/deliver/etsi_ts/129000_129099/129002/15.05.00_60/ts_129002v150500p.pdf