

Title:
APPARATUS AND METHOD FOR CELL IDENTITY MASKING
Document Type and Number:
WIPO Patent Application WO/2024/084474
Kind Code:
A1
Abstract:
Various aspects of the present disclosure relate to: receiving (1002) a radio resource control (RRC) reconfiguration associated with a candidate cell, wherein the RRC reconfiguration comprises a plurality of masks for a cell identity from a source cell of a radio network (RN); performing (1004) measurement of and identification of physical cell identities of cells satisfying a measurement reporting criteria associated with the RRC reconfiguration; receiving (1006) a cell switch command for a target cell in a same radio network as the source cell; determining (1008) whether the cell switch command is genuine; performing (1010) mobility in response to determining that the cell switch command is genuine; and announcing (1012) arrival of a user equipment (UE) at the target cell.

Inventors:
BASU MALLICK PRATEEK (DE)
LÖHR JOACHIM (DE)
KUCHIBHOTLA RAVI (US)
Application Number:
PCT/IB2023/061853
Publication Date:
April 25, 2024
Filing Date:
November 23, 2023
Assignee:
LENOVO SINGAPORE PTE LTD (SG)
International Classes:
H04W12/122; H04W12/106; H04W36/00
Other References:
NTT DOCOMO ET AL: "Discussion on some issues in L1L2 mobility", vol. RAN WG2, no. E-meeting ;20221010 - 20221026, 30 September 2022 (2022-09-30), XP052262919, Retrieved from the Internet [retrieved on 20220930]
MEDIATEK INC: "Target Performance Enhancements for L1/L2-based Inter-cell Mobility", vol. RAN WG2, no. Online; 20221010 - 20221019, 30 September 2022 (2022-09-30), XP052263253, Retrieved from the Internet [retrieved on 20220930]
LENOVO: "Framework fulfilling WID Objectives", vol. RAN WG2, no. Online; 20221001, 30 September 2022 (2022-09-30), XP052263553, Retrieved from the Internet [retrieved on 20220930]
LENOVO: "RRC configuration for lower layer based mobility", vol. RAN WG2, no. electronic; 20221001, 30 September 2022 (2022-09-30), XP052263265, Retrieved from the Internet [retrieved on 20220930]
Claims:
CLAIMS

What is claimed is:

1. A user equipment (UE), comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the UE to: receive a radio resource control (RRC) reconfiguration associated with a candidate cell, wherein the RRC reconfiguration comprises a plurality of masks for a cell identity from a source cell of a radio network (RN); perform measurement of and identification of physical cell identities of cells satisfying a measurement reporting criteria associated with the RRC reconfiguration; receive a cell switch command for a target cell in a same radio network as the source cell; determine whether the cell switch command is genuine; perform mobility in response to determining that the cell switch command is genuine; and announce arrival of the UE at the target cell.

2. The UE of claim 1, wherein a measurement report corresponding to the measurement comprises an unused mask of the candidate cell.

3. The UE of claim 1, wherein the cell switch command is genuine in response to the cell switch command comprising a masked cell identity known to the UE from the RRC reconfiguration associated with the candidate cell.

4. The UE of claim 1, wherein the cell switch command comprises a shared secret.

5. The UE of claim 1, wherein the at least one processor is configured to cause the UE to use an unused SK-counter to protect an arrival announcement on the target cell and to receive secure data and signaling from the target cell.

6. The UE of claim 1, wherein the at least one processor is configured to cause the UE to mark a used mask of the candidate cell, or a shared secret, or both as not being available for subsequent mobility.

7. A processor for wireless communication, comprising: at least one controller coupled with at least one memory and configured to cause the processor to: receive a radio resource control (RRC) reconfiguration associated with a candidate cell, wherein the RRC reconfiguration comprises a plurality of masks for a cell identity from a source cell of a radio network (RN); perform measurement of and identification of physical cell identities of cells satisfying a measurement reporting criteria associated with the RRC reconfiguration; receive a cell switch command for a target cell in a same radio network as the source cell; determine whether the cell switch command is genuine; perform mobility in response to determining that the cell switch command is genuine; and announce arrival of the processor at the target cell.

8. The processor of claim 7, wherein a measurement report corresponding to the measurement comprises an unused mask of the candidate cell.

9. The processor of claim 7, wherein the cell switch command is genuine in response to the cell switch command comprising a masked cell identity known to the processor from the RRC reconfiguration associated with the candidate cell.

10. The processor of claim 7, wherein the cell switch command comprises a shared secret.

11. The processor of claim 7, wherein the at least one controller is configured to cause the processor to use an unused SK-counter to protect an arrival announcement on the target cell and to receive secure data and signaling from the target cell.

12. The processor of claim 7, wherein the at least one controller is configured to cause the processor to mark a used mask of the candidate cell, or a shared secret, or both as not being available for subsequent mobility.

13. A method performed by a user equipment (UE), the method comprising: receiving a radio resource control (RRC) reconfiguration associated with a candidate cell, wherein the RRC reconfiguration comprises a plurality of masks for a cell identity from a source cell of a radio network (RN); performing measurement of and identification of physical cell identities of cells satisfying a measurement reporting criteria associated with the RRC reconfiguration; receiving a cell switch command for a target cell in a same radio network as the source cell; determining whether the cell switch command is genuine; performing mobility in response to determining that the cell switch command is genuine; and announcing arrival of the UE at the target cell.

14. A user equipment (UE), comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the UE to: receive, from a source cell of a network, a radio resource control (RRC) configuration for a set of candidate cells, wherein each candidate cell of the set of cells is associated with a respective physical cell identity, a set of masks for the respective physical cell identity, and a measurement reporting criteria; identify that at least one candidate cell of the set of candidate cells satisfies the measurement reporting criterion based at least partly on a cell measurement, wherein the at least one candidate cell corresponds to a physical cell identity received in the RRC configuration; mask the physical cell identity associated with the at least one candidate cell based at least partly on the identifying; transmit, to the source cell, a report comprising measurement results associated with the cell measurement of the at least one candidate cell and the masked physical cell identity of the at least one candidate cell; receive a cell switch command for a target cell of the radio network from the source cell; and perform mobility to the target cell based at least partly on a validity of the command.

15. The UE of claim 14, wherein the at least one processor is configured to cause the UE to determine the validity of the command based at least partly on whether the command comprises the masked physical cell identity of the at least one candidate cell.

16. The UE of claim 15, wherein the command is valid based at least partly on the command including the masked physical cell identity.

17. The UE of claim 15, wherein the command is invalid based at least partly on an absence of the masked physical cell identity in the command.

18. The UE of claim 14, wherein a measurement report comprises an unused mask of a candidate cell being reported.

19. The UE of claim 14, wherein the at least one processor is configured to cause the UE to mark a used mask of a candidate cell as not being available for a subsequent mobility.

20. The UE of claim 14, wherein the at least one processor is configured to cause the UE to acquire downlink and uplink synchronization in response to not being synchronized and being ready to communicate with the target cell.

Description:
APPARATUS AND METHOD FOR CELL IDENTITY MASKING

TECHNICAL FIELD

[0001] The present disclosure relates to wireless communications, and more specifically to cell identity masking in a wireless network.

BACKGROUND

[0002] A wireless communications system may include one or multiple network communication devices, such as base stations, which may support wireless communications for one or multiple user communication devices, which may be otherwise known as user equipment (UE), or other suitable terminology. The wireless communications system may support wireless communications with one or multiple user communication devices by utilizing resources of the wireless communication system (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers, or the like)). Additionally, the wireless communications system may support wireless communications across various radio access technologies including third generation (3G) radio access technology, fourth generation (4G) radio access technology, fifth generation (5G) radio access technology, among other suitable radio access technologies beyond 5G (e.g., sixth generation (6G)).

SUMMARY

[0003] An article “a” before an element is unrestricted and understood to refer to “at least one” of those elements or “one or more” of those elements. The terms “a,” “at least one,” “one or more,” and “at least one of one or more” may be interchangeable. As used herein, including in the claims, “or” as used in a list of items (e.g., a list of items prefaced by a phrase such as “at least one of” or “one or more of” or “one or both of”) indicates an inclusive list such that, for example, a list of at least one of A, B, or C means A or B or C or AB or AC or BC or ABC (i.e., A and B and C). Also, as used herein, the phrase “based on” shall not be construed as a reference to a closed set of conditions. For example, an example step that is described as “based on condition A” may be based on both a condition A and a condition B without departing from the scope of the present disclosure. In other words, as used herein, the phrase “based on” shall be construed in the same manner as the phrase “based at least in part on.” Further, as used herein, including in the claims, a “set” may include one or more elements.

[0004] Some implementations of the method and apparatuses described herein may further include: receiving a radio resource control (RRC) reconfiguration associated with a candidate cell, wherein the RRC reconfiguration comprises a plurality of masks for a cell identity from a source cell of a radio network (RN); performing measurement of and identification of physical cell identities of cells satisfying a measurement reporting criteria associated with the RRC reconfiguration; receiving a cell switch command for a target cell in a same radio network as the source cell; determining whether the cell switch command is genuine; performing mobility in response to determining that the cell switch command is genuine; and announcing arrival of the UE at the target cell.
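The UE-side check summarized above and detailed in claims 14 to 19, sketched as an added example that is not part of the patent text: the UE reports a candidate under an unused mask, accepts a cell switch command only if it carries that masked identity, and retires the mask afterwards. XOR as the masking operation, the 10-bit mask width, an RSRP threshold as the reporting criterion, and the field names `masked_pci` and `rsrp_dbm` are assumptions; the page defines none of them.

```python
from dataclasses import dataclass, field

PCI_MAX = 1007   # NR physical cell identities are 0..1007
MASK_BITS = 10   # ASSUMPTION: masks have the same width as a PCI


def mask_pci(pci: int, mask: int) -> int:
    """ASSUMPTION: masking is a bitwise XOR; the page does not define it."""
    if not 0 <= pci <= PCI_MAX:
        raise ValueError("PCI out of range")
    if not 0 <= mask < (1 << MASK_BITS):
        raise ValueError("mask out of range")
    return pci ^ mask


@dataclass
class Candidate:
    pci: int
    rsrp_threshold_dbm: float          # stand-in for the reporting criterion
    unused_masks: list = field(default_factory=list)
    used_masks: set = field(default_factory=set)


class UeMobility:
    """Tracks per-candidate masks received in the RRC reconfiguration."""

    def __init__(self, rrc_reconfiguration: list):
        self.candidates = {
            c["pci"]: Candidate(c["pci"], c["rsrp_threshold_dbm"], list(c["masks"]))
            for c in rrc_reconfiguration
        }
        self.pending = {}  # masked PCI -> (pci, mask) from the latest report

    def build_measurement_report(self, measurements: dict) -> list:
        """Report each qualifying candidate under one of its unused masks."""
        self.pending = {}
        report = []
        for pci, rsrp in sorted(measurements.items()):
            cand = self.candidates.get(pci)
            if cand is None or rsrp < cand.rsrp_threshold_dbm:
                continue  # not configured, or criterion not met
            for mask in cand.unused_masks:
                masked = mask_pci(pci, mask)
                if masked not in self.pending:  # skip ambiguous collisions
                    self.pending[masked] = (pci, mask)
                    report.append({"masked_pci": masked, "rsrp_dbm": rsrp})
                    break
        return report

    def handle_cell_switch_command(self, command: dict):
        """Return the target PCI if the command is genuine, else None."""
        masked = command.get("masked_pci")
        entry = self.pending.get(masked) if isinstance(masked, int) else None
        if entry is None:
            return None  # masked identity absent or unknown: do not move
        pci, mask = entry
        cand = self.candidates[pci]
        cand.unused_masks.remove(mask)  # mask is now spent for later mobility
        cand.used_masks.add(mask)
        self.pending = {}               # a replayed command no longer matches
        return pci


# Constructed sample configuration and measurements, not taken from the page.
SAMPLE_CONFIG = [
    {"pci": 101, "rsrp_threshold_dbm": -100.0, "masks": [0x2A5, 0x13C]},
    {"pci": 202, "rsrp_threshold_dbm": -95.0, "masks": [0x0F0]},
]


def demo() -> list:
    ue = UeMobility(SAMPLE_CONFIG)
    report = ue.build_measurement_report({101: -92.0, 202: -99.0, 303: -80.0})
    masked = report[0]["masked_pci"]
    return [
        ue.handle_cell_switch_command({"masked_pci": 101}),     # unmasked PCI
        ue.handle_cell_switch_command({"masked_pci": masked}),  # genuine
        ue.handle_cell_switch_command({"masked_pci": masked}),  # replay
    ]


if __name__ == "__main__":
    print(demo())
```
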

BRIEF DESCRIPTION OF THE DRAWINGS

[0005] Figure 1 illustrates an example of a wireless communications system in accordance with aspects of the present disclosure.

[0006] Figure 2 illustrates an example of a handover procedure in accordance with aspects of the present disclosure.

[0007] Figures 3A and 3B illustrate an example of another handover procedure in accordance with aspects of the present disclosure.

[0008] Figure 4 illustrates an example of UE mobility timing in accordance with aspects of the present disclosure.

[0009] Figure 5 illustrates an example of a mobility procedure in accordance with aspects of the present disclosure.

[0010] Figure 6 illustrates an example of another mobility procedure in accordance with aspects of the present disclosure.

[0011] Figure 7 illustrates an example of a UE in accordance with aspects of the present disclosure.

[0012] Figure 8 illustrates an example of a processor in accordance with aspects of the present disclosure.

[0013] Figure 9 illustrates an example of a network equipment (NE) in accordance with aspects of the present disclosure.

[0014] Figure 10 illustrates a flowchart of a method performed by a UE in accordance with aspects of the present disclosure.

[0015] Figure 11 illustrates a flowchart of another method performed by a UE in accordance with aspects of the present disclosure.

DETAILED DESCRIPTION

[0016] Various aspects of the present disclosure relate to a system that supports masking cell identities in a wireless network. Mobility in the system may be performed based on whether a cell switch command is genuine. As used herein, performing mobility may mean that the UE starts to synchronize to a target cell and sends a handover completion to it. Synchronization (both UL and DL) may be attained at the time of receiving the cell switch command, and either the value of UL synchronization in the form of a timing advance value is received in the command, or the UE may precalculate it. The DL synchronization is attained by the UE before receiving the cell switch command. The UE may, however, need to use this knowledge to DL synchronize to the target side. Once synchronized, the handover completion is sent to the target indicating that the UE has arrived.

[0017] Aspects of the present disclosure are described in the context of a wireless communications system.

[0018] Figure 1 illustrates an example of a wireless communications system 100 in accordance with aspects of the present disclosure. The wireless communications system 100 may include one or more NE 102, one or more UE 104, and a core network (CN) 106. The wireless communications system 100 may support various radio access technologies. In some implementations, the wireless communications system 100 may be a 4G network, such as an LTE network or an LTE-Advanced (LTE-A) network. In some other implementations, the wireless communications system 100 may be a new radio (NR) network, such as a 5G network, a 5G-Advanced (5G-A) network, or a 5G ultrawideband (5G-UWB) network. In other implementations, the wireless communications system 100 may be a combination of a 4G network and a 5G network, or other suitable radio access technology including Institute of Electrical and Electronics Engineers (IEEE) 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20. The wireless communications system 100 may support radio access technologies beyond 5G, for example, 6G. Additionally, the wireless communications system 100 may support technologies, such as time division multiple access (TDMA), frequency division multiple access (FDMA), or code division multiple access (CDMA), etc.

[0019] The one or more NE 102 may be dispersed throughout a geographic region to form the wireless communications system 100. One or more of the NE 102 described herein may be or include or may be referred to as a network node, a base station, a network element, a network function, a network entity, a radio access network (RAN), a NodeB, an eNodeB (eNB), a next-generation NodeB (gNB), or other suitable terminology. An NE 102 and a UE 104 may communicate via a communication link, which may be a wireless or wired connection. For example, an NE 102 and a UE 104 may perform wireless communication (e.g., receive signaling, transmit signaling) over a Uu interface.

[0020] An NE 102 may provide a geographic coverage area for which the NE 102 may support services for one or more UEs 104 within the geographic coverage area. For example, an NE 102 and a UE 104 may support wireless communication of signals related to services (e.g., voice, video, packet data, messaging, broadcast, etc.) according to one or multiple radio access technologies. In some implementations, an NE 102 may be moveable, for example, a satellite associated with a non-terrestrial network (NTN). In some implementations, different geographic coverage areas associated with the same or different radio access technologies may overlap, but the different geographic coverage areas may be associated with different NE 102.

[0021] The one or more UE 104 may be dispersed throughout a geographic region of the wireless communications system 100. A UE 104 may include or may be referred to as a remote unit, a mobile device, a wireless device, a remote device, a subscriber device, a transmitter device, a receiver device, or some other suitable terminology. In some implementations, the UE 104 may be referred to as a unit, a station, a terminal, or a client, among other examples. Additionally, or alternatively, the UE 104 may be referred to as an Internet-of-Things (IoT) device, an Internet-of-Everything (IoE) device, or machine-type communication (MTC) device, among other examples.

[0022] A UE 104 may be able to support wireless communication directly with other UEs 104 over a communication link. For example, a UE 104 may support wireless communication directly with another UE 104 over a device-to-device (D2D) communication link. In some implementations, such as vehicle-to-vehicle (V2V) deployments, vehicle-to-everything (V2X) deployments, or cellular-V2X deployments, the communication link may be referred to as a sidelink. For example, a UE 104 may support wireless communication directly with another UE 104 over a UE-to-UE interface (PC5 interface).

[0023] An NE 102 may support communications with the CN 106, or with another NE 102, or both. For example, an NE 102 may interface with other NE 102 or the CN 106 through one or more backhaul links (e.g., S1, N2, N2, or network interface). In some implementations, the NE 102 may communicate with each other directly. In some other implementations, the NE 102 may communicate with each other indirectly (e.g., via the CN 106). In some implementations, one or more NE 102 may include subcomponents, such as an access network entity, which may be an example of an access node controller (ANC). An ANC may communicate with the one or more UEs 104 through one or more other access network transmission entities, which may be referred to as radio heads, smart radio heads, or transmission-reception points (TRPs).

[0024] The CN 106 may support user authentication, access authorization, tracking, connectivity, and other access, routing, or mobility functions. The CN 106 may be an evolved packet core (EPC), or a 5G core (5GC), which may include a control plane entity that manages access and mobility (e.g., a mobility management entity (MME), an access and mobility management functions (AMF)) and a user plane entity that routes packets or interconnects to external networks (e.g., a serving gateway (S-GW), a Packet Data Network (PDN) gateway (P-GW), or a user plane function (UPF)). In some implementations, the control plane entity may manage non-access stratum (NAS) functions, such as mobility, authentication, and bearer management (e.g., data bearers, signal bearers, etc.) for the one or more UEs 104 served by the one or more NE 102 associated with the CN 106.

[0025] The CN 106 may communicate with a packet data network over one or more backhaul links (e.g., via an S1, N2, N2, or another network interface). The packet data network may include an application server. In some implementations, one or more UEs 104 may communicate with the application server. A UE 104 may establish a session (e.g., a protocol data unit (PDU) session, or the like) with the CN 106 via an NE 102. The CN 106 may route traffic (e.g., control information, data, and the like) between the UE 104 and the application server using the established session (e.g., the established PDU session). The PDU session may be an example of a logical connection between the UE 104 and the CN 106 (e.g., one or more network functions of the CN 106).

[0026] In the wireless communications system 100, the NEs 102 and the UEs 104 may use resources of the wireless communications system 100 (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers)) to perform various operations (e.g., wireless communications). In some implementations, the NEs 102 and the UEs 104 may support different resource structures. For example, the NEs 102 and the UEs 104 may support different frame structures. In some implementations, such as in 4G, the NEs 102 and the UEs 104 may support a single frame structure. In some other implementations, such as in 5G and among other suitable radio access technologies, the NEs 102 and the UEs 104 may support various frame structures (i.e., multiple frame structures). The NEs 102 and the UEs 104 may support various frame structures based on one or more numerologies.

[0027] One or more numerologies may be supported in the wireless communications system 100, and a numerology may include a subcarrier spacing and a cyclic prefix. A first numerology (e.g., μ=0) may be associated with a first subcarrier spacing (e.g., 15 kHz) and a normal cyclic prefix. In some implementations, the first numerology (e.g., μ=0) associated with the first subcarrier spacing (e.g., 15 kHz) may utilize one slot per subframe. A second numerology (e.g., μ=1) may be associated with a second subcarrier spacing (e.g., 30 kHz) and a normal cyclic prefix. A third numerology (e.g., μ=2) may be associated with a third subcarrier spacing (e.g., 60 kHz) and a normal cyclic prefix or an extended cyclic prefix. A fourth numerology (e.g., μ=3) may be associated with a fourth subcarrier spacing (e.g., 120 kHz) and a normal cyclic prefix. A fifth numerology (e.g., μ=4) may be associated with a fifth subcarrier spacing (e.g., 240 kHz) and a normal cyclic prefix.

[0028] A time interval of a resource (e.g., a communication resource) may be organized according to frames (also referred to as radio frames). Each frame may have a duration, for example, a 10 millisecond (ms) duration. In some implementations, each frame may include multiple subframes. For example, each frame may include 10 subframes, and each subframe may have a duration, for example, a 1 ms duration. In some implementations, each frame may have the same duration. In some implementations, each subframe of a frame may have the same duration.

[0029] Additionally or alternatively, a time interval of a resource (e.g., a communication resource) may be organized according to slots. For example, a subframe may include a number (e.g., quantity) of slots. The number of slots in each subframe may also depend on the one or more numerologies supported in the wireless communications system 100. For instance, the first, second, third, fourth, and fifth numerologies (i.e., μ=0, μ=1, μ=2, μ=3, μ=4) associated with respective subcarrier spacings of 15 kHz, 30 kHz, 60 kHz, 120 kHz, and 240 kHz may utilize a single slot per subframe, two slots per subframe, four slots per subframe, eight slots per subframe, and 16 slots per subframe, respectively. Each slot may include a number (e.g., quantity) of symbols (e.g., orthogonal frequency division multiplexing (OFDM) symbols). In some implementations, the number (e.g., quantity) of slots for a subframe may depend on a numerology. For a normal cyclic prefix, a slot may include 14 symbols. For an extended cyclic prefix (e.g., applicable for 60 kHz subcarrier spacing), a slot may include 12 symbols. The relationship between the number of symbols per slot, the number of slots per subframe, and the number of slots per frame for a normal cyclic prefix and an extended cyclic prefix may depend on a numerology. It should be understood that reference to a first numerology (e.g., μ=0) associated with a first subcarrier spacing (e.g., 15 kHz) may be used interchangeably between subframes and slots.

[0030] In the wireless communications system 100, an electromagnetic (EM) spectrum may be split, based on frequency or wavelength, into various classes, frequency bands, frequency channels, etc. By way of example, the wireless communications system 100 may support one or multiple operating frequency bands, such as frequency range designations FR1 (410 MHz - 7.125 GHz), FR2 (24.25 GHz - 52.6 GHz), FR3 (7.125 GHz - 24.25 GHz), FR4 (52.6 GHz - 114.25 GHz), FR4a or FR4-1 (52.6 GHz - 71 GHz), and FR5 (114.25 GHz - 300 GHz). In some implementations, the NEs 102 and the UEs 104 may perform wireless communications over one or more of the operating frequency bands. In some implementations, FR1 may be used by the NEs 102 and the UEs 104, among other equipment or devices for cellular communications traffic (e.g., control information, data). In some implementations, FR2 may be used by the NEs 102 and the UEs 104, among other equipment or devices for short-range, high data rate capabilities.

[0031] FR1 may be associated with one or multiple numerologies (e.g., at least three numerologies). For example, FR1 may be associated with a first numerology (e.g., μ=0), which includes 15 kHz subcarrier spacing; a second numerology (e.g., μ=1), which includes 30 kHz subcarrier spacing; and a third numerology (e.g., μ=2), which includes 60 kHz subcarrier spacing. FR2 may be associated with one or multiple numerologies (e.g., at least 2 numerologies). For example, FR2 may be associated with a third numerology (e.g., μ=2), which includes 60 kHz subcarrier spacing; and a fourth numerology (e.g., μ=3), which includes 120 kHz subcarrier spacing.

[0032] Certain examples found herein may be used when a UE moves from a coverage area of one cell to another cell. At some point a serving cell may need a change to be performed since a current serving cell does not remain a radio viable option. A serving cell change may be triggered by layer 3 (L3) measurements and may be done by an RRC signaling triggered reconfiguration with synchronization for a change of a primary serving cell (PCell) and primary secondary cell group (SCG) cell (PSCell) as well as release for secondary cells (SCells) when applicable. Certain cases may involve complete layer 2 (L2) (and layer 1 (L1)) resets leading to longer latency, larger overhead, and longer interruption time than beam switched mobility. Certain results of L1 and/or L2 mobility enhancements may enable a serving cell change via L1 and/or L2 signaling to reduce latency, overhead, and/or interruption time.

[0033] In some configurations, for conditional PSCell change (CPC) and/or conditional PSCell addition (CPA), a CPC and/or CPA-configured UE may have to release CPC and/or CPA configurations when completing random access towards a target PSCell. Accordingly, the UE doesn’t have a chance to perform subsequent CPC and/or CPA without prior CPC and/or CPA reconfiguration and re-initialization from a network. This may increase a delay for a cell change and increase signaling overhead, especially for frequent SCG changes when operating FR2. Therefore, multi-radio access technology (RAT) (MR)-dual connectivity (DC) with selective activation of cell groups may enable subsequent CPC and/or CPA after a SCG change without reconfiguration and re-initialization on a CPC and/or CPA preparation from the network. This may result in a reduction of signaling overhead and interrupting time for a SCG change.

[0034] In various systems, conditional handover (CHO) and MR-DC cannot be configured simultaneously. This may limit the usefulness of these features when MR-DC is configured. CHO and MR-DC may be configured simultaneously. However, this may not be sufficient to optimize MR-DC mobility, as the radio link quality of the conditionally-configured PSCell may not be good enough or may not be the best candidate PSCell when the UE accesses the target PCell, and this may impact UE throughput. To mitigate this throughput impact, CHO+MRDC may consider CHO including a target main cell group (MCG) and multiple candidate SCGs for CPC and/or CPA.

[0035] RRC connected mobility may be defined in the third generation partnership project (3GPP). In such definition, network controlled mobility may apply to UEs in an RRC_CONNECTED mode and may be categorized into two types of mobility: cell level mobility and beam level mobility. Beam level mobility includes intra-cell beam level mobility and inter-cell beam level mobility. Moreover, cell level mobility may require explicit RRC signaling to be triggered (i.e., handover). For inter-gNB handover, the signaling procedures may be as shown in Figure 2.

[0036] Figure 2 illustrates an example of a handover (e.g., inter-gNB handover) procedure 200 in accordance with aspects of the present disclosure. The handover procedure 200 includes communications between a UE 202, a source gNB 204, and a target gNB 206.

[0037] At 208, the source gNB 204 initiates handover and issues a HANDOVER REQUEST over an Xn interface.

[0038] At 210, the target gNB 210 performs admission control and, at 212, the target gNB 210 provides a new RRC configuration as part of a HANDOVER REQUEST ACKNOWLEDGE.

[0039] At 214, the source gNB 204 provides the RRC configuration to the UE 202 by forwarding the RRCReconfiguration message received in the HANDOVER REQUEST ACKNOWLEDGE. The RRCReconfiguration message includes at least a cell identifier (ID) and all information required to access the target cell so that the UE 202 can access the target cell without reading system information. For some cases, the information required for contention-based and contention-free random access can be included in the RRCReconfiguration message. The access information for the target cell may include beam specific information, if any.

[0040] At 216, the UE 202 moves the RRC connection to the target gNB 210 and, at 218, replies with an RRCReconfigurationComplete. User data can also be sent at 218 if a grant allows.

[0041] For dual active protocol stack (DAPS) handover, the UE 202 continues the downlink user data reception from the source gNB 204 until releasing the source cell and continues the uplink user data transmission to the source gNB 204 until there is a successful random access procedure with the target gNB 206.

[0042] Only a source PCell and a target PCell may be used during DAPS handover. Carrier aggregation (CA), DC, supplementary uplink (SUL), multi-TRP, Ethernet header compression (EHC), CHO, uplink data compression (UDC), new radio (NR) sidelink configurations and vehicle to everything (V2X) sidelink configurations are released by the source gNB 204 before the handover command is sent to the UE 202 and are not configured by the target gNB 206 until the DAPS handover has completed (e.g., at an earliest time in the same message that releases the source PCell).

[0043] The handover mechanism triggered by RRC may require that the UE 202 at least reset a medium access control (MAC) entity and re-establish radio link control (RLC), except for DAPS handover, where upon reception of the handover command, the UE 202: 1) creates a MAC entity for a target; 2) establishes a RLC entity and an associated dedicated traffic channel (DTCH) logical channel for target for each data radio bearer (DRB) configured with DAPS; 3) for each DRB configured with DAPS, reconfigures the packet data convergence protocol (PDCP) entity with separate security and robust header compression (ROHC) functions for source and target and associates them with the RLC entities configured by source and target respectively; and/or 4) retains the rest of the source configurations until the release of the source.

[0044] In some systems, RRC managed handovers with and without PDCP entity re-establishment are both supported. For DRBs using RLC acknowledge mode (AM) mode, PDCP can either be re-established together with a security key change or initiate a data recovery procedure without a key change. For DRBs using RLC unacknowledged mode (UM) mode, PDCP can either be re-established together with a security key change or remain as it is without a key change. For signaling radio bearers (SRBs), PDCP can either remain as it is, discard its stored PDCP protocol data units (PDUs)/ service data units (SDUs) without a key change or be re-established together with a security key change.

[0045] It should be noted that data forwarding, in-sequence delivery, and duplication avoidance at handover can be guaranteed when the target gNB uses the same DRB configuration as the source gNB.

[0046] In one system, a timer-based handover failure procedure is supported in NR. A RRC connection re-establishment procedure is used for recovering from handover failure except in certain CHO or DAPS handover scenarios, such as: 1) when DAPS handover fails, the UE falls back to the source cell configuration, resumes the connection with the source cell, and reports DAPS handover failure via the source without triggering RRC connection re-establishment if the source link has not been released; and/or 2) when initial CHO execution attempt fails or handover (HO) fails, the UE performs cell selection, and if the selected cell is a CHO candidate and if the network is configured, the UE may try a CHO after handover and/or CHO failure, then the UE attempts CHO execution once, otherwise re-establishment is performed. In some systems, DAPS handover for FR2 to FR2 case is not supported.

[0047] The handover of the integrated access and backhaul (IAB)-mobile terminal (MT) in a standalone (SA) mode may follow the same procedure as described for the UE. After a backhaul has been established, the handover of the IAB-MT may be part of an intra-centralized unit (CU) topology adaptation procedure. Modifications to the configuration of a backhaul adaptation protocol (BAP) sublayer and higher protocol layers above the BAP sublayer may be made.

[0048] Beam level mobility may not require explicit RRC signaling to be triggered. Beam level mobility may be within a cell, or between cells; the latter is referred to as inter-cell beam management (ICBM). For ICBM, a UE can receive or transmit UE-dedicated channels and/or signals via a TRP associated with a physical cell identity (PCI) different from the PCI of a serving cell, while non-UE-dedicated channels and/or signals can only be received via a TRP associated with a PCI of the serving cell. The gNB provides, via RRC signaling, the UE with a measurement configuration containing configurations of synchronization signal block (SSB) and/or channel state information (CSI) resources and resource sets and/or reports and trigger states for triggering channel and interference measurements and reports. For ICBM, a measurement configuration includes SSB resources associated with PCIs different from the PCI of a serving cell. Beam level mobility is then dealt with at lower layers by means of physical layer and MAC layer control signaling, and RRC may not be required to know which beam is being used at a given point in time.

[0049] SSB-based beam level mobility may be based on a SSB associated with an initial downlink (DL) bandwidth part (BWP) and can only be configured for initial DL BWPs and for DL BWPs containing the SSB associated to the initial DL BWP. For other DL BWPs, beam level mobility may only be performed based on a CSI reference signal (RS) (CSI-RS).

[0050] The intra-NR RAN handover performs the preparation and execution phase of the handover procedure performed without involvement of the 5GC (e.g., preparation messages are directly exchanged between the gNBs). The release of the resources at the source gNB during the handover completion phase is triggered by the target gNB. Figures 3A through 3B illustrate a basic handover scenario where neither the AMF nor the UPF changes.

[0051] Specifically, Figures 3A and 3B illustrate an example of another handover procedure 300 (e.g., intra-AMF/UPF handover) in accordance with aspects of the present disclosure. The handover procedure 300 includes communications between a UE 302, a source gNB 304, a target gNB 306, an AMF 308, and one or more UPFs 310.

[0052] At 312 and 314, user data is transmitted.

[0053] At 316, the UE context within the source gNB 304 contains information regarding roaming and access restrictions which were provided either at connection establishment or at a last timing advance (TA) update.

[0054] At 318, the source gNB 304 configures UE measurement procedures and the UE 302 reports according to the measurement configuration.

[0055] At 320, the source gNB 304 decides to handover the UE 302 based on a measurement report and radio resource management (RRM) information.

[0056] At 322, the source gNB 304 issues a handover request message to the target gNB passing a transparent RRC container with necessary information to prepare the handover at the target side. The information includes at least the target cell ID, node key (KgNB), the cell (C)-radio network temporary identifier (RNTI) of the UE in the source gNB, RRM-configuration including UE inactive time, basic access stratum (AS)-configuration including antenna info and DL carrier frequency, the current quality of service (QoS) flow to DRB mapping rules applied to the UE, the system information block (SIB) 1 (SIB1) from source gNB, the UE capabilities for different RATs, PDU session related information, and may include the UE reported measurement information including beam-related information if available. The PDU session related information includes the slice information and QoS flow level QoS profile(s). The source gNB may also request a DAPS handover for one or more DRBs. After issuing a handover request, the source gNB may not reconfigure the UE, including performing reflective QoS flow to DRB mapping.

[0057] At 324, admission control may be performed by the target gNB 306. Slice-aware admission control may be performed if the slice information is sent to the target gNB 306. If the PDU sessions are associated with non-supported slices, the target gNB 306 may reject such PDU sessions.

[0058] At 326, the target gNB 306 prepares the handover with L1 and/or L2 and sends the HANDOVER REQUEST ACKNOWLEDGE to the source gNB 304, which includes a transparent container to be sent to the UE 302 as an RRC message to perform the handover. The target gNB 306 also indicates if a DAPS handover is accepted. As soon as the source gNB 306 receives the HANDOVER REQUEST ACKNOWLEDGE, or as soon as the transmission of the handover command is initiated in the downlink, data forwarding may be initiated. For DRBs configured with DAPS, downlink PDCP SDUs are forwarded with SN assigned by the source gNB 304, until SN assignment is handed over to the target gNB 306 in 348, for which the normal data forwarding follows.

[0059] At 328, the source gNB 304 triggers the Uu handover by sending an RRC reconfiguration message to the UE 302, containing the information required to access the target cell: at least the target cell ID, the new C-RNTI, the target gNB 306 security algorithm identifiers for the selected security algorithms. It can also include a set of dedicated random access channel (RACH) resources, the association between RACH resources and SSB(s), the association between RACH resources and UE-specific CSI-RS configuration(s), common RACH resources, and system information of the target cell, and so forth. For DRBs configured with DAPS, the source gNB 304 does not stop transmitting downlink packets until it receives the HANDOVER SUCCESS message from the target gNB 306 in 346. In some situations, CHO cannot be configured simultaneously with DAPS handover.

[0060] At 330, the source gNB 304 may deliver buffered data and new data from the UPF(s) 310. Further, at 332, the UE 302 may detach from an old cell and synchronize to a new cell.

[0061] At 334, for DRBs configured with DAPS, the source gNB 304 sends the EARLY STATUS TRANSFER message. The DL COUNT value conveyed in the EARLY STATUS TRANSFER message indicates PDCP sequence number (SN) and hyper-frame number (HFN) of the first PDCP SDU that the source gNB 304 forwards to the target gNB 306. The source gNB 304 does not stop assigning SNs to downlink PDCP SDUs until it sends the SN STATUS TRANSFER message to the target gNB 306 in 348.

[0062] At 336, for DRBs not configured with DAPS, the source gNB 304 sends the SN STATUS TRANSFER message to the target gNB 306 to convey the uplink PDCP SN receiver status and the downlink PDCP SN transmitter status of DRBs for which PDCP status preservation applies (e.g., for RLC AM). The uplink PDCP SN receiver status includes at least the PDCP SN of the first missing UL PDCP SDU and may include a bit map of the receive status of the out of sequence UL PDCP SDUs that the UE 302 needs to retransmit in the target cell, if any. The downlink PDCP SN transmitter status indicates the next PDCP SN that the target gNB 306 shall assign to new PDCP SDUs, not having a PDCP SN yet.

[0063] In case of DAPS handover, the uplink PDCP SN receiver status and the downlink PDCP SN transmitter status for a DRB with RLC-AM and not configured with DAPS may be transferred by the SN STATUS TRANSFER message in 348 instead of 336. For DRBs configured with DAPS, the source gNB 304 may additionally send the EARLY STATUS TRANSFER message(s) between 336 and 348, to inform discarding of already forwarded PDCP SDUs. The target gNB 306 does not transmit forwarded downlink PDCP SDUs to the UE 302, whose COUNT is less than the conveyed DL COUNT value and discards them if transmission has not been attempted already.

[0064] At 338 and 340 user data may be transmitted, and, at 342, user data from the source gNB 304 may be buffered.

[0065] At 344, the UE 302 synchronizes to the target cell and completes the RRC handover procedure by sending an RRCReconfigurationComplete message to the target gNB 306. In case of DAPS handover, the UE 302 does not detach from the source cell upon receiving the RRCReconfiguration message. The UE 302 releases the source resources and configurations and stops DL and/or uplink (UL) reception and/or transmission with the source upon receiving an explicit release from the target node. From a RAN point of view, the DAPS handover is considered to only be completed after the UE 302 has released the source cell as explicitly requested from the target node. RRC suspend, a subsequent handover or inter-RAT handover cannot be initiated until the source cell has been released.

[0066] At 346 and 348, for DAPS handover, the target gNB 306 sends the HANDOVER SUCCESS message to the source gNB 304 to inform that the UE 302 has successfully accessed the target cell. In return, the source gNB 304 sends the SN STATUS TRANSFER message for DRBs configured with DAPS for which the description in 336 applies, and the normal data forwarding follows.

[0067] The uplink PDCP SN receiver status and the downlink PDCP SN transmitter status are also conveyed for DRBs with RLC-UM in the SN STATUS TRANSFER message in 348, if configured with DAPS. For DRBs configured with DAPS, the source gNB 304 does not stop delivering uplink QoS flows to the UPF until it sends the SN STATUS TRANSFER message in 348. The target gNB 306 does not forward QoS flows of the uplink PDCP SDUs successfully received in-sequence to the UPF until it receives the SN STATUS TRANSFER message, in which UL HFN and the first missing SN in the uplink PDCP SN receiver status indicates the start of uplink PDCP SDUs to be delivered to the UPF. The target gNB 306 does not deliver any uplink PDCP SDUs which has an UL COUNT lower than the provided.

[0068] At 350, 352, 354, and 356, user data is transmitted.

[0069] At 358, the target gNB 306 sends a PATH SWITCH REQUEST message to the AMF 308 to trigger the 5G core (5GC) to switch the DL data path towards the target gNB 306 and to establish a next generation (NG)-control plane (C) interface instance towards the target gNB 306.

[0070] At 360, the 5GC switches the DL data path towards the target gNB 306. The UPF 310 sends one or more "end marker" packets on the old path to the source gNB 304 per PDU session and/or tunnel and then can release any U-plane and/or transport network layer (TNL) resources towards the source gNB 304.

[0071] At 362 and 364 the end marker is transmitted, and, at 366, user data is transmitted.

[0072] At 368, the AMF 308 confirms the PATH SWITCH REQUEST message with the PATH SWITCH REQUEST ACKNOWLEDGE message.

[0073] At 370, upon reception of the PATH SWITCH REQUEST ACKNOWLEDGE message from the AMF 308, the target gNB 306 sends the UE CONTEXT RELEASE to inform the source gNB 304 about the success of the handover. The source gNB 304 can then release radio and C-plane related resources associated to the UE context. Any ongoing data forwarding may continue.

[0074] The RRM configuration can include both beam measurement information (for layer 3 mobility) associated to SSB(s) and CSI-RS(s) for the reported cell(s) if both types of measurements are available. Also, if CA is configured, the RRM configuration can include the list of best cells on each frequency for which measurement information is available. And the RRM measurement information can also include the beam measurement for the listed cells that belong to the target gNB 306.

[0075] The common RACH configuration for beams in the target cell is only associated to the SSB(s). The network can have dedicated RACH configurations associated to the SSB(s) and/or have dedicated RACH configurations associated to CSI-RS(s) within a cell. The target gNB 306 can only include one of the following RACH configurations in the handover command to enable the UE 302 to access the target cell: 1) common RACH configuration; 2) common RACH configuration + dedicated RACH configuration associated with SSB; and/or 3) common RACH configuration + dedicated RACH configuration associated with CSI-RS.

[0076] The dedicated RACH configuration allocates RACH resource(s) together with a quality threshold to use them. When dedicated RACH resources are provided, they are prioritized by the UE 302 and the UE 302 shall not switch to contention-based RACH resources as long as the quality threshold of those dedicated resources is met. The order to access the dedicated RACH resources is up to UE implementation.

[0077] Upon receiving a handover command requesting DAPS handover, the UE 302 suspends source cell SRBs, stops sending and receiving any RRC control plane signaling toward the source cell, and establishes SRBs for the target cell. The UE 302 releases the source cell SRBs configuration upon receiving source cell release indication from the target cell after successful DAPS handover execution. When DAPS handover to the target cell fails and if the source cell link is available, then the UE 302 reverts back to the source cell configuration and resumes source cell SRBs for control plane signaling transmission.

[0078] Certain configurations may be used to specify mechanisms and procedures of L1 and/or L2 based inter-cell mobility for mobility latency reduction such as for: 1) configuration and maintenance for multiple candidate cells to allow fast application of configurations for candidate cells; 2) a dynamic switch mechanism among candidate serving cells (e.g., including SpCell and SCell) for the potential applicable scenarios based on L1 and/or L2 signaling; 3) L1 enhancements for inter-cell beam management, including L1 measurement and reporting, and beam indication; 4) TA management; and/or 5) CU-DU interface signaling to support L1 and/or L2 mobility. FR2 specific enhancements are not precluded, if any. The procedure of L1 and/or L2 based inter-cell mobility are applicable to the following scenarios: 1) standalone, CA, and NR-DC with serving cell change within one configured grant (CG); 2) intra-DU case and intra-CU inter-DU case (e.g., applicable for Standalone and CA: no new RAN interfaces are expected); 3) both intra-frequency and inter-frequency; 4) both FR1 and FR2; and/or 5) source and target cells may be synchronized or non-synchronized.

[0079] Some systems may specify mechanism and procedures of NR-DC with selective activation of the cell groups (e.g., at least for SCG) via L3 enhancements that may be used to allow a subsequent cell group change after changing CG without reconfiguration and re-initiation of CPC and/or CPA. A harmonized RRC modelling approach may be considered to minimize the workload. Certain systems may specify data forwarding optimizations for CHO including a target MCG and a target SCG in NR-DC. Various systems may specify CHO including target MCG and candidate SCGs for CPC and/or CPA in NR-DC. CHO including target MCG and target SCG may be used as a baseline.

[0080] Figure 4 illustrates an example of UE mobility timing 400 showing a data interruption time in accordance with aspects of the present disclosure. Specifically, Figure 4 shows a timeline of an L3 based mobility procedure. As is visible from Figure 4, and can be read in Table 1, a major component of mobility latency comes from a delay in getting UL synchronization. For this purpose, it has been suggested that a UE may obtain UL synchronization even before receiving L1/L2-triggered mobility (LTM) (a signaling instruction or a command from the network to the UE asking it to perform a cell switch). This may reduce the latency by up to 19 ms. The procedural aspects, e.g., interactions of early TA procedure and mobility procedure may be defined in 3GPP, and also the corresponding network behavior.

[0081] Table 1 shows a representative latency of various components of an L3 based mobility procedure.

Table 1: Latency of various components of a L3 based Mobility Procedure

[0082] In one configuration, an enhanced lower layer based mobility procedure may be as illustrated in Figure 5. Specifically, Figure 5 illustrates an example of a mobility procedure 500 (e.g., LTM procedure) in accordance with aspects of the present disclosure. The mobility procedure 500 includes communications between a UE 502 and a gNB 504.

[0083] At 506, the UE 502 is in an RRC CONNECTED state. At 508, a measurement report is transmitted. At 510, LTM candidate preparation is performed.

[0084] At 512, an RRC reconfiguration message is transmitted (e.g., LTM candidate configuration). At 514, an RRC reconfiguration complete message is transmitted.

[0085] At 516, DL synchronization is performed with candidate cells, and, at 518, TA acquisition with candidate cells is performed.

[0086] At 520, an L1 measurement report is transmitted, and, at 522, an LTM decision is made. At 524, a cell switch command (e.g., medium access control (MAC) control element (CE)) is transmitted.

[0087] At 526, the UE 502 detaches from a source and applies a target configuration. At 528, a RACH procedure is performed, and, at 530, LTM completion is performed.

[0088] The signaling in 520 and 524 is accomplished using L1 and L2 (e.g., MAC CE) signaling. Since PDCP is located above MAC (e.g., above RLC) in a 5G protocol stack, security can’t be provided when using L1 and L2 (e.g., MAC CE) signaling, as the ciphering and integrity protection is performed in the PDCP layer only. This allows at least the following threats and/or attacks: 1) exposing the measurement results in 520 may allow an attacker to trace the UE mobility (e.g., by noticing the cell IDs (e.g., physical cell identities or any such identity) and the corresponding measurement values); and/or 2) an unsecured cell change command (also called LTM or cell switch command) enables an attacker to trigger UE mobility to a fake base station or at least cause short term denial of service by triggering UE mobility to another cell not prepared to admit the UE 502.

[0089] In certain configurations, ciphering and integrity protection may be performed in L2. This may secure a cell switch command (e.g., LTM command). Further, the L1 measurement reports may be sent using MAC signaling (e.g., using new MAC control elements).

[0090] Examples found herein may bring or replicate ciphering and integrity protection at a MAC layer, thereby turning around various advantages of performing the same at a PDCP layer (e.g., the CU-DU functionality split may be affected, may affect deployments already in use, and may cause backward compatibility issues).

[0091] One example of a message flow that can overcome deficiencies found herein is described in relation to Figure 6. In Figure 6, an RRC connected UE receives a first measurement configuration from its serving cell (e.g., preliminary measurements) and based on the measurement result from a UE, a serving cell (called “source cell”) sends a “First-RRC-Reconfiguration.” In another example, a first-RRC-Reconfiguration may not wait for any preliminary measurement results from a UE. An L1 and/or L2 inter-cell mobility candidate configuration is received within an RRC message (e.g., in the “first-RRC-Reconfiguration”).

[0092] Specifically, Figure 6 illustrates an example of another mobility procedure 600 (e.g., L1/L2 inter-cell mobility) in accordance with aspects of the present disclosure. The mobility procedure 600 involves communications between a UE 602, a source DU 604, a target DU 606, and a CU 608.

[0093] At 610, an RRC connected state is obtained. At 612, preliminary measurements are made. At 614, a first-RRC-Reconfiguration is sent. Then, at 616, measurements and early TA acquisition are performed.

[0094] At 618, measurement results are transmitted (enhanced (E)-TA if available). At 620 and 622, a mobility confirmation is transmitted. At 624, an acknowledgment is transmitted. Then, the CU 608 may make PUSCH resource available to the UE 602.

[0095] At 626, an acknowledgment may be transmitted. Then, at 628, LTM may be transmitted, and, at 630, a PUSCH transmission may be made.

[0096] In one example, a UE is explicitly transmitted (e.g., signaled) a masked identity (e.g., a random number of length (L)-bits) corresponding to each PCI included and/or configured in the first-RRC-Reconfiguration as shown in Table 2. A masked identity that is an index starting from 1 (or 0) for the first configured PCI and monotonically incremented for the next configured PCIs may be easy for an attacker to exploit: the attacker does not need to understand the corresponding PCI and can just signal a one or two digit integer value in a fake LTM command, and the UE may take it for a genuine LTM command from the serving gNB-DU. A longer masked identity (e.g., like 10 bits or more) may be used to provide better protection, but this may lead to increased signaling overhead (e.g., especially if there are many cells configured in the first-RRC-Reconfiguration).

Table 2: Masked PCI

[0097] In another example, a length (L) is variable and is explicitly signaled by a network to a UE in a corresponding field included in a first-RRC-Reconfiguration message. The length may be common to all PCIs configured in the first-RRC-Reconfiguration or may be signaled on a per PCI (or alternatively on a group of PCIs) basis. Irrespective of the signaled value of the length field, while reporting the measurement the UE may always report a cell identity using a fixed value of M-bits (e.g., as shown as “Reported Masked identity” in Table 3). The ‘M’ value may be configured in first-RRC-Reconfiguration message (per PCI or common value for all or a group of PCIs) or may be specified. This may create an extra hurdle for an attacker in guessing an actual length of the masked identities. The length of M >= N. For the remaining (M - N) bits, the UE may include (e.g., append or prepend) a random number. As an example, if M is 20 bits long and N is 16 bits long, the UE may append or prepend any number between 0 and 15 on the received masked identity of a corresponding PCI to derive and report a 20-bit long cell identity.

Table 3: Reported Masked PCI

[0098] In a further example, for reporting measurement results, a UE may use an index starting from 1 (or 0) for the first configured PCI and monotonically increment a value for the next configured PCIs. This is sensible if the measurement results are reported using a lean signaling where the overhead can’t be too high like in case of L1 signaling using a physical uplink control channel (PUCCH). Since an attacker has no access to the contents of the first-RRC-Reconfiguration message, it can’t directly guess the PCIs being indicated in the measurement results.

[0099] In one example, a cell switch command (e.g., LTM command) uses either the N-bits long masked identity or the M-bits long “Reported Masked identity” described herein such that instead of the UE, the gNB-DU generates an M-bits long “Reported Masked identity”.

[0100] In some examples, to overcome signaling overhead being too large, instead of configuring each PCI with an N-bits mask and signaling these with an M-bits mask (e.g., in measurement results by the UE or in an LTM command by the gNB), a network shares a secret with the UE in the first-RRC-Reconfiguration message. The shared secret may be a bitstring of a certain length (e.g., an S-bit secret). Since the S-bit shared secret is sent to the UE in a protected RRC message (e.g., the first-RRC-Reconfiguration message), an attacker may have no knowledge of the shared secret. The length of the shared secret (S-bits) may be separately notified to the UE in the first-RRC-Reconfiguration message or beforehand in a protected RRC and/or non-access stratum (NAS) signaling. A known and/or specified length of a shared secret may be used. The secret may be replayed in the LTM command, and its reception may assure the UE of the integrity of a sender. If the length of the shared secret (S-bits) is variable, while replaying it may be ensured that the reported bitstring has a fixed known length by using an appropriate append or prepend (e.g., similar to operation of the M-bits mask).

[0101] In various examples, there may be a scenario whereby a UE detects some cell identities during measurements and one or more of these cell identities are not included in first-RRC-Reconfiguration (which can happen if the corresponding measurement object contains only frequency level information). In such examples, instead of performing an L1 and/or L2 based measurement reporting, a protected RRC based measurement reporting is used by the UE. For the actual mobility, the LTM command may be used as described in any examples herein.

[0102] In another example, a UE and a network may make a handshake (e.g., using the first-RRC-Reconfiguration message fixing the position of the real reported PCIs). As an example, it may be agreed that the UE shall always report 10 PCIs’ measurement results and the real results will be present in the index positions 5, 6, and 9 (as shown in Figure 4).

Table 4: Real PCI indices are secret (and known to the UE and network as a result of a prior secure handshake)

[0103] For the “fake” positions of Table 4, the UE may include PCIs that are available in the neighborhood (detected or included in the first-RRC-Reconfiguration) but would otherwise have not been reported since these are of weak radio (and not meeting any measurement reporting trigger). The radio (e.g., reference signal received power (RSRP) and/or reference signal received quality (RSRQ)) quality reported for these are also fake but must correspond to the genuine reporting criteria (e.g., include RSRP/RSRQ values that will trigger a reporting event). This should make it difficult for an attacker to discern the UE mobility direction.

[0104] Certain examples may relate to a “subsequent” nature of mobility. Since the subsequent mobility based on a lower layer procedure may work without requiring another RRC reconfiguration after a successful mobility to a target cell, the first-RRC-Reconfiguration contains more than one mask for each PCI. These masks are unique among PCIs included in first-RRC-Reconfiguration and shared among the DUs controlled by the same CU with respect to a UE context. A UE, upon receiving an LTM command, can trace back a corresponding PCI.

[0105] If a shared secret needs to be used, there may be more than one shared secret included in the first-RRC-Reconfiguration. A subsequent mobility may be accomplished using an unused shared secret. The DUs directly or via CU update the shared secret already used with respect to a UE context.

[0106] In some examples, more than one RNTI is signaled for each of the SpCellConfig included in the first-RRC-Reconfiguration. The UE and the network use the “next” unused RNTI when the UE arrives at a previously visited cell. For this purpose, both the UE and the network need to remember their previous visit to the cell or they can keep deleting the RNTI in use once the UE has moved out of the cell to another cell. A source DU gets informed of the UE’s successful mobility to a target DU (e.g., directly or via CU on an F1 interface).

[0107] In various examples, a security hole is addressed which exists when a UE needs to come back to a previously visited primary cell of a secondary group (PSCell) before the Master Key (KgNB) has been changed since this may lead to the same secondary key (SK)-counter being used again with the same KgNB, which leads to a potential security breach since all other security input parameters (e.g., SN, HFN, direction, etc.) will be reused. To overcome this, each candidate cell that is configured as a primary serving cell of a candidate secondary cell group is configured with a list of SK-counters. After a subsequent mobility (e.g., next mobility after a first mobility procedure is successful) the next unused SK-counter in the SK-counters list may be used by the UE and by the target cell.

[0108] In one example, a MAC-integrity (I) may be calculated over a shared bitstring, or a ShortMAC-I may be included in an L2 measurement report (e.g., in a new MAC CE) by the UE and/or in an LTM command by the gNB DU transmitted to the UE. The shortMAC-I may be calculated as shown in Table 5.

Table 5: shortMAC-I Calculation

[0109] Since the input to calculate the MAC-I (e.g., a known shared bitstring) or the ShortMAC-I is pre-known, the MAC-I or the ShortMAC-I may be calculated in PDCP and/or RRC and shared with a MAC. The MAC may include this only when required (e.g., in an L2 Measurement report (in a new MAC CE) by the UE and/or in an LTM command by the gNB DU transmitted to the UE).

[0110] In some examples, verification may be made after a successful mobility if using LTM command based mobility. It can be based on whether data and/or signaling (e.g., RRC if available or a DL PDCP status report) is received with protection (e.g., ciphering and integrity protection) and, if nothing is received within a time duration after UE’s arrival in the target cell, then the UE moves back to the source cell or performs an RRC connection reestablishment procedure. The RRC connection reestablishment procedure may be performed directly on a source cell (e.g., without a starting timer and without doing a cell selection). In one option, when no DL data or signaling is available at a target cell once the UE arrives there, a PDCP status report may be sent to the UE including a MAC-I calculated over the PDCP control PDU. In some configurations, a PDCP control PDU does not have a MAC-I.

[0111] In any examples described herein, a UE performs mobility only if the cell switch command (LTM) contains at least one of a masked cell identity (e.g., cell B) and a shared secret received in the first RRC reconfiguration. Otherwise, the UE reports the not genuine LTM to a radio network (and may even perform RRC connection reestablishment or move to an RRC idle state) and takes no further action on the received cell switch command.
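The UE-side check described in [0096], [0097], [0104] and [0111] can be illustrated with the following Python sketch, which is an added example and not part of the application. The function and class names, N = 16, M = 20, three masks per PCI, padding by appending, and retiring each mask after one use are assumptions made for illustration.

```python
import secrets

N_BITS = 16  # assumed length N of each configured mask (value from the page's example)
M_BITS = 20  # assumed fixed length M of the identity carried in L1/L2 signaling (M >= N)


def make_candidate_config(pcis, masks_per_pci=3, n_bits=N_BITS):
    """Network side: draw random N-bit masks, unique across all candidate PCIs.

    Stands in for the mask list carried in the protected first-RRC-Reconfiguration.
    """
    if len(pcis) * masks_per_pci > (1 << n_bits):
        raise ValueError("mask space too small for the requested configuration")
    used, config = set(), {}
    for pci in pcis:
        masks = []
        while len(masks) < masks_per_pci:
            mask = secrets.randbits(n_bits)
            if mask not in used:  # masks must be unique among the configured PCIs
                used.add(mask)
                masks.append(mask)
        config[pci] = masks
    return config


def pad_mask(mask, n_bits=N_BITS, m_bits=M_BITS):
    """Append (M - N) random bits so the value on the air always has M bits."""
    pad_bits = m_bits - n_bits
    if pad_bits < 0:
        raise ValueError("M must be at least N")
    if pad_bits == 0:
        return mask
    return (mask << pad_bits) | secrets.randbits(pad_bits)


def blind_guess_probability(config, n_bits=N_BITS):
    """Chance that one uniformly random N-bit value hits a configured mask."""
    valid = sum(len(masks) for masks in config.values())
    return valid / (1 << n_bits)


class UeLtmValidator:
    """UE side: accept a cell switch command only if it carries a known, unused mask."""

    def __init__(self, config, n_bits=N_BITS, m_bits=M_BITS):
        self.n_bits, self.m_bits = n_bits, m_bits
        # Reverse map built from the protected RRC message: mask -> PCI.
        self.unused = {mask: pci for pci, masks in config.items() for mask in masks}
        self.not_genuine_reports = 0

    def handle_cell_switch(self, identity):
        """Return ("switch", pci) or ("report_not_genuine", None)."""
        in_range = isinstance(identity, int) and 0 <= identity < (1 << self.m_bits)
        # Drop the random padding to recover the N-bit mask.
        mask = identity >> (self.m_bits - self.n_bits) if in_range else None
        # Assumption: a mask is retired once used, so a replayed command fails
        # and a later move to the same cell needs another of its masks.
        pci = self.unused.pop(mask, None)
        if pci is None:
            self.not_genuine_reports += 1  # no further action on the command
            return ("report_not_genuine", None)
        return ("switch", pci)


if __name__ == "__main__":
    cfg = make_candidate_config([101, 202, 303])  # constructed PCIs
    ue = UeLtmValidator(cfg)
    command = pad_mask(cfg[202][0])
    print(ue.handle_cell_switch(command))   # genuine command
    print(ue.handle_cell_switch(command))   # same command replayed
    print(blind_guess_probability(cfg))     # random 16-bit masks
    print(blind_guess_probability({1: [0], 2: [1], 3: [2], 4: [3]}, n_bits=2))  # index-style
```

With four index-style identities in a 2-bit space every guessed value is valid, whereas nine random 16-bit masks leave a single guess a 9 in 65536 chance, which is the trade-off against signaling overhead that [0096] describes.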

[0112] In various examples, a quick activation and/or deactivation may be made for LTM or a legacy mobility procedure. The network may choose between an LTM and L3 based mobility procedure and activate the procedure using L1, L2, and/or L3 signaling. When an LTM procedure is activated, the UE sends a measurement report using L1 and/or L2 signaling, and the network performs mobility using an LTM command. When an LTM procedure is deactivated, the UE sends a measurement report using L3 signaling, and the network performs mobility using RRC based reconfigurationWithSync. In one example, activation and/or deactivation applies only to UE reporting.

[0113] Figure 7 illustrates an example of a UE 700 in accordance with aspects of the present disclosure. The UE 700 may include a processor 702, a memory 704, a controller 706, and a transceiver 708. The processor 702, the memory 704, the controller 706, or the transceiver 708, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.

[0114] The processor 702, the memory 704, the controller 706, or the transceiver 708, or various combinations or components thereof may be implemented in hardware (e.g., circuitry). The hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.

[0115] The processor 702 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, an ASIC, a field programmable gate array (FPGA), or any combination thereof). In some implementations, the processor 702 may be configured to operate the memory 704. In some other implementations, the memory 704 may be integrated into the processor 702. The processor 702 may be configured to execute computer-readable instructions stored in the memory 704 to cause the UE 700 to perform various functions of the present disclosure.

[0116] The memory 704 may include volatile or non-volatile memory. The memory 704 may store computer-readable, computer-executable code including instructions that, when executed by the processor 702, cause the UE 700 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such as the memory 704 or another type of memory. Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.

[0117] In some implementations, the processor 702 and the memory 704 coupled with the processor 702 may be configured to cause the UE 700 to perform one or more of the functions described herein (e.g., executing, by the processor 702, instructions stored in the memory 704). For example, the processor 702 may support wireless communication at the UE 700 in accordance with examples as disclosed herein.

[0118] The controller 706 may manage input and output signals for the UE 700. The controller 706 may also manage peripherals not integrated into the UE 700. In some implementations, the controller 706 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems. In some implementations, the controller 706 may be implemented as part of the processor 702.

[0119] In some implementations, the UE 700 may include at least one transceiver 708. In some other implementations, the UE 700 may have more than one transceiver 708. The transceiver 708 may represent a wireless transceiver. The transceiver 708 may include one or more receiver chains 710, one or more transmitter chains 712, or a combination thereof.

[0120] A receiver chain 710 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium. For example, the receiver chain 710 may include one or more antennas for receiving the signal over the air or wireless medium. The receiver chain 710 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal. The receiver chain 710 may include at least one demodulator configured to demodulate the received signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal. The receiver chain 710 may include at least one decoder for decoding and processing the demodulated signal to receive the transmitted data.

[0121] A transmitter chain 712 may be configured to generate and transmit signals (e.g., control information, data, packets). The transmitter chain 712 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium. The at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM). The transmitter chain 712 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium. The transmitter chain 712 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.

[0122] Figure 8 illustrates an example of a processor 800 in accordance with aspects of the present disclosure. The processor 800 may be an example of a processor configured to perform various operations in accordance with examples as described herein. The processor 800 may include a controller 802 configured to perform various operations in accordance with examples as described herein. The processor 800 may optionally include at least one memory 804, which may be, for example, an L1/L2/L3 cache. Additionally, or alternatively, the processor 800 may optionally include one or more arithmetic-logic units (ALUs) 806. One or more of these components may be in electronic communication or otherwise coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces (e.g., buses).

[0123] The processor 800 may be a processor chipset and include a protocol stack (e.g., a software stack) executed by the processor chipset to perform various operations (e.g., receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) in accordance with examples as described herein. The processor chipset may include one or more cores, one or more caches (e.g., memory local to or included in the processor chipset (e.g., the processor 800) or other memory (e.g., random access memory (RAM), read-only memory (ROM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), static RAM (SRAM), ferroelectric RAM (FeRAM), magnetic RAM (MRAM), resistive RAM (RRAM), flash memory, phase change memory (PCM), and others)).

[0124] The controller 802 may be configured to manage and coordinate various operations (e.g., signaling, receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) of the processor 800 to cause the processor 800 to support various operations in accordance with examples as described herein. For example, the controller 802 may operate as a control unit of the processor 800, generating control signals that manage the operation of various components of the processor 800. These control signals include enabling or disabling functional units, selecting data paths, initiating memory access, and coordinating timing of operations.

[0125] The controller 802 may be configured to fetch (e.g., obtain, retrieve, receive) instructions from the memory 804 and determine subsequent instruction(s) to be executed to cause the processor 800 to support various operations in accordance with examples as described herein. The controller 802 may be configured to track memory address of instructions associated with the memory 804. The controller 802 may be configured to decode instructions to determine the operation to be performed and the operands involved. For example, the controller 802 may be configured to interpret the instruction and determine control signals to be output to other components of the processor 800 to cause the processor 800 to support various operations in accordance with examples as described herein. Additionally, or alternatively, the controller 802 may be configured to manage flow of data within the processor 800. The controller 802 may be configured to control transfer of data between registers, arithmetic logic units (ALUs), and other functional units of the processor 800.

[0126] The memory 804 may include one or more caches (e.g., memory local to or included in the processor 800 or other memory, such as RAM, ROM, DRAM, SDRAM, SRAM, MRAM, flash memory, etc.). In some implementations, the memory 804 may reside within or on a processor chipset (e.g., local to the processor 800). In some other implementations, the memory 804 may reside external to the processor chipset (e.g., remote to the processor 800).

[0127] The memory 804 may store computer-readable, computer-executable code including instructions that, when executed by the processor 800, cause the processor 800 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such as system memory or another type of memory. The controller 802 and/or the processor 800 may be configured to execute computer-readable instructions stored in the memory 804 to cause the processor 800 to perform various functions. For example, the processor 800 and/or the controller 802 may be coupled with or to the memory 804, and the processor 800, the controller 802, and the memory 804 may be configured to perform various functions described herein. In some examples, the processor 800 may include multiple processors and the memory 804 may include multiple memories. One or more of the multiple processors may be coupled with one or more of the multiple memories, which may, individually or collectively, be configured to perform various functions herein.

[0128] The one or more ALUs 806 may be configured to support various operations in accordance with examples as described herein. In some implementations, the one or more ALUs 806 may reside within or on a processor chipset (e.g., the processor 800). In some other implementations, the one or more ALUs 806 may reside external to the processor chipset (e.g., the processor 800). One or more ALUs 806 may perform one or more computations such as addition, subtraction, multiplication, and division on data. For example, one or more ALUs 806 may receive input operands and an operation code, which determines an operation to be executed. One or more ALUs 806 may be configured with a variety of logical and arithmetic circuits, including adders, subtractors, shifters, and logic gates, to process and manipulate the data according to the operation. Additionally, or alternatively, the one or more ALUs 806 may support logical operations such as AND, OR, exclusive-OR (XOR), not-OR (NOR), and not-AND (NAND), enabling the one or more ALUs 806 to handle conditional operations, comparisons, and bitwise operations.

[0129] The processor 800 may support wireless communication in accordance with examples as disclosed herein. The processor 800 may be configured to or operable to support a means for: receiving an RRC reconfiguration associated with a candidate cell, wherein the RRC reconfiguration comprises a plurality of masks for a cell identity from a source cell of an RN; performing measurement of and identification of physical cell identities of cells satisfying a measurement reporting criteria associated with the RRC reconfiguration; receiving a cell switch command for a target cell in a same radio network as the source cell; determining whether the cell switch command is genuine; performing mobility in response to determining that the cell switch command is genuine; and announcing arrival of the UE at the target cell.

[0130] Figure 9 illustrates an example of a NE 900 in accordance with aspects of the present disclosure. The NE 900 may include a processor 902, a memory 904, a controller 906, and a transceiver 908. The processor 902, the memory 904, the controller 906, or the transceiver 908, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.

[0131] The processor 902, the memory 904, the controller 906, or the transceiver 908, or various combinations or components thereof may be implemented in hardware (e.g., circuitry). The hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.

[0132] The processor 902 may include an intelligent hardware device (e.g., a general-purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 902 may be configured to operate the memory 904. In some other implementations, the memory 904 may be integrated into the processor 902. The processor 902 may be configured to execute computer-readable instructions stored in the memory 904 to cause the NE 900 to perform various functions of the present disclosure.

[0133] The memory 904 may include volatile or non-volatile memory. The memory 904 may store computer-readable, computer-executable code including instructions that, when executed by the processor 902, cause the NE 900 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such as the memory 904 or another type of memory. Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.

[0134] In some implementations, the processor 902 and the memory 904 coupled with the processor 902 may be configured to cause the NE 900 to perform one or more of the functions described herein (e.g., executing, by the processor 902, instructions stored in the memory 904). For example, the processor 902 may support wireless communication at the NE 900 in accordance with examples as disclosed herein.

[0135] The controller 906 may manage input and output signals for the NE 900. The controller 906 may also manage peripherals not integrated into the NE 900. In some implementations, the controller 906 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems. In some implementations, the controller 906 may be implemented as part of the processor 902.

[0136] In some implementations, the NE 900 may include at least one transceiver 908. In some other implementations, the NE 900 may have more than one transceiver 908. The transceiver 908 may represent a wireless transceiver. The transceiver 908 may include one or more receiver chains 910, one or more transmitter chains 912, or a combination thereof.

[0137] A receiver chain 910 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium. For example, the receiver chain 910 may include one or more antennas for receiving the signal over the air or wireless medium. The receiver chain 910 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal. The receiver chain 910 may include at least one demodulator configured to demodulate the received signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal. The receiver chain 910 may include at least one decoder for decoding and processing the demodulated signal to receive the transmitted data.

[0138] A transmitter chain 912 may be configured to generate and transmit signals (e.g., control information, data, packets). The transmitter chain 912 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium. The at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM). The transmitter chain 912 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium. The transmitter chain 912 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.

[0139] Figure 10 illustrates a flowchart of a method 1000 in accordance with aspects of the present disclosure. The operations of the method 1000 may be implemented by a UE as described herein. In some implementations, a UE 700 may execute a set of instructions to control the function elements of a processor to perform the described functions.

[0140] At 1002, the method may include receiving an RRC reconfiguration associated with a candidate cell, wherein the RRC reconfiguration comprises a plurality of masks for a cell identity from a source cell of an RN. The operations of 1002 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1002 may be performed by a UE as described with reference to Figure 7.

[0141] At 1004, the method may include performing measurement of and identification of physical cell identities of cells satisfying a measurement reporting criteria associated with the RRC reconfiguration. The operations of 1004 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1004 may be performed by a UE as described with reference to Figure 7.

[0142] At 1006, the method may include receiving a cell switch command for a target cell in a same radio network as the source cell. The operations of 1006 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1006 may be performed by a UE as described with reference to Figure 7.

[0143] At 1008, the method may include determining whether the cell switch command is genuine. The operations of 1008 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1008 may be performed by a UE as described with reference to Figure 7.

[0144] At 1010, the method may include performing mobility in response to determining that the cell switch command is genuine. The operations of 1010 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1010 may be performed by a UE as described with reference to Figure 7.

[0145] At 1012, the method may include announcing arrival of the UE at the target cell. The operations of 1012 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1012 may be performed by a UE as described with reference to Figure 7.

[0146] Figure 11 illustrates a flowchart of another method 1100 in accordance with aspects of the present disclosure. The operations of the method 1100 may be implemented by a UE as described herein. In some implementations, a UE 700 may execute a set of instructions to control the function elements of a processor to perform the described functions.

[0147] At 1102, the method may include receiving, from a source cell of a network, an RRC configuration for a set of candidate cells, wherein each candidate cell of the set of cells is associated with a respective physical cell identity, a set of masks for the respective physical cell identity, and a measurement reporting criteria. The operations of 1102 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1102 may be performed by a UE as described with reference to Figure 7.

[0148] At 1104, the method may include identifying that at least one candidate cell of the set of candidate cells satisfies the measurement reporting criterion based at least partly on a cell measurement, wherein the at least one candidate cell corresponds to a physical cell identity received in the RRC configuration. The operations of 1104 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1104 may be performed by a UE as described with reference to Figure 7.

[0149] At 1106, the method may include masking the physical cell identity associated with the at least one candidate cell based at least partly on the identifying. The operations of 1106 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1106 may be performed by a UE as described with reference to Figure 7.

[0150] At 1108, the method may include transmitting, to the source cell, a report comprising measurement results associated with the cell measurement of the at least one candidate cell and the masked physical cell identity of the at least one candidate cell. The operations of 1108 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1108 may be performed by a UE as described with reference to Figure 7.

[0151] At 1110, the method may include receiving a cell switch command for a target cell of the radio network from the source cell. The operations of 1110 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1110 may be performed by a UE as described with reference to Figure 7.

[0152] At 1112, the method may include performing mobility to the target cell based at least partly on a validity of the command. The operations of 1112 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of 1112 may be performed by a UE as described with reference to Figure 7.

[0153] It should be noted that the method described herein describes a possible implementation, and that the operations and the steps may be rearranged or otherwise modified and that other implementations are possible.

[0154] The description herein is provided to enable a person having ordinary skill in the art to make or use the disclosure. Various modifications to the disclosure will be apparent to a person having ordinary skill in the art, and the generic principles defined herein may be applied to other variations without departing from the scope of the disclosure. Thus, the disclosure is not limited to the examples and designs described herein but is to be accorded the broadest scope consistent with the principles and novel features disclosed herein.