Description in the LTE specification:
If an ATTACH REJECT message including timer T3402 value different from “deactivated”, was received integrity protected, the UE shall apply this value until a new value is received with integrity protection or a new PLMN is selected. Otherwise, the default value of this timer is used.
Input of TPG:
initiate state: UE has established NAS security context / UE has not established NAS security context (added by expert)
condition event: UE receives ATTACH REJECT message including timer T3402 value different from "deactivated", without integrity protection
expected operation: the default value of T3402 is used
(conformance testing)
Reasoned chain and sentences used:
Reason for condition event
>> The condition event is a message transmission to the UE, which the testing system can trigger directly. Its parameters can be derived from the sentence that describes the condition event, which here is the security requirement itself.
condition event: UE receives ATTACH REJECT message including timer T3402 value different from "deactivated", without integrity protection
>> Notably, the default value of timer T3402 is 15 minutes. T3402 can be set to any value other than 15 minutes, so we set it to 2 minutes in our test procedure generation.
Reason for expected operation
EDG: use timer T3402 and start timer T3402 --> the timer T3402 will expire
artificial sentence: If UE uses timer T3402 and starts timer T3402, after the period of time as specified by T3402, the timer T3402 will expire.
>> This means that after triggering the condition event, we can trigger the event *start timer T3402* first, and then check whether the operation *timer T3402 will expire* has been taken.
EDG: attach attempt counter is equal to 5 --> UE shall start timer T3402
sentence:
If the attach attempt counter is equal to 5:
the UE shall delete any GUTI, TAI list, last visited registered TAI, list of equivalent PLMNs and KSI, shall set the update status to EU2 NOT UPDATED, and shall start timer T3402.
>> This means that we can trigger the event *attach attempt counter is equal to 5* to indirectly trigger the event *start timer T3402*.
EDG: receives ATTACH REJECT with EMM cause #95 ... --> UE set the attach attempt counter to 5
sentence:
d) ATTACH REJECT, other EMM cause values than those treated in subclause 5.5.1.2.5, and cases of EMM cause values #22, #25 and #31, if considered as abnormal cases according to subclause 5.5.1.2.5
…
If the attach request is neither for emergency bearer services nor for initiating a PDN connection for emergency bearer services with attach type not set to "EPS emergency attach", upon reception of the EMM causes #95, #96, #97, #99 and #111 the UE should set the attach attempt counter to 5.
EDG: UE set the attach attempt counter to 5 == attach attempt counter is equal to 5
by ML model
>> This means that we can trigger the event *issue ATTACH REJECT message with EMM cause #95, or ...* to indirectly trigger the event *attach attempt counter is equal to 5*. Notably, here, the ATTACH REJECT message transmission can be directly triggered by the testing system. So, we stop backward reasoning.
EDG: expiry of timer T3402 --> UE shall initiate an attach procedure
sentence:
The UE:
- shall initiate an attach or combined attach procedure on the expiry of timers T3411, T3402 or T3346 (see 3GPP TS 24.008 [13]);
>> This means that we can use the observation of the event *UE initiate an attach procedure* to indirectly prove that the event *expiry of timer T3402* has happened.
EDG: UE initiate the attach procedure == send an ATTACH REQUEST message
sentence:
In state EMM-DEREGISTERED, the UE initiates the attach procedure by sending an ATTACH REQUEST message to the MME, starting timer T3410 and entering state EMM-REGISTERED-INITIATED (see example in figure 5.5.1.2.2.1).
>> This means that we can use the observation of the event *ATTACH REQUEST message transmission*, which the testing system can observe directly, to indirectly prove that the event *UE initiates the attach procedure* has happened.
Note: the colored phrases are the messages to transmit and the parameters that need to be set.
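Added example (not code from the original page or from the TPG tool): the backward and forward reasoning over the EDG described above, followed by a verdict on the observed ATTACH REQUEST timing. The event names are shortened forms of the EDG lines, and the function names and the 10-second tolerance are assumptions made for illustration.

```python
# Edges (cause -> effect) shortened from the EDG lines above; "==" links are edges too.
EDG = {
    "receive ATTACH REJECT with EMM cause #95": "UE sets attach attempt counter to 5",
    "UE sets attach attempt counter to 5": "attach attempt counter is equal to 5",
    "attach attempt counter is equal to 5": "start timer T3402",
    "start timer T3402": "expiry of timer T3402",
    "expiry of timer T3402": "UE initiates attach procedure",
    "UE initiates attach procedure": "send ATTACH REQUEST",
}
# Events the testing system can trigger or observe directly, per the ">>" notes.
TRIGGERABLE = {"receive ATTACH REJECT with EMM cause #95"}
OBSERVABLE = {"send ATTACH REQUEST"}

def backward(event):
    """Walk cause edges back from `event` until a directly triggerable event."""
    causes = {effect: cause for cause, effect in EDG.items()}
    chain = [event]
    while chain[0] not in TRIGGERABLE:
        chain.insert(0, causes[chain[0]])  # KeyError: no triggerable cause exists
    return chain

def forward(event):
    """Walk effect edges forward from `event` until a directly observable event."""
    chain = [event]
    while chain[-1] not in OBSERVABLE:
        chain.append(EDG[chain[-1]])  # KeyError: no observable effect exists
    return chain

def verdict(reject_sent_s, request_seen_s, default_s, unprotected_s, tol_s=10):
    """Classify the delay between ATTACH REJECT and the next ATTACH REQUEST."""
    delay = request_seen_s - reject_sent_s
    if abs(delay - default_s) <= tol_s:
        return "pass"  # UE used the default and ignored the unprotected value
    if abs(delay - unprotected_s) <= tol_s:
        return "fail"  # UE applied a value received without integrity protection
    return "inconclusive"

if __name__ == "__main__":
    print(" -> ".join(backward("start timer T3402")))
    print(" -> ".join(forward("expiry of timer T3402")))
    # Constructed timings; 15 and 2 minutes are the values given in the text above.
    print(verdict(0, 15 * 60, default_s=15 * 60, unprotected_s=2 * 60))
```

A delay that matches neither value is reported as inconclusive rather than as a pass, since it says nothing about which T3402 value the UE applied.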