Is NAS security particularly deployed with integrity protection, even if ciphering is an option ?

Question

In LTE, if a NAS packet is going to be sent, the encryption is followed by integrity protection in NAS layer, but in RRC/PDCP layer, When RRC messages are being sent, they are integrity protected first and then encrypted before being sent, unlike NAS messages were. Why the integrity and encryption protection order is different in NAS and AS layer?

Answer 1

I think, In deployment every operator would like to provide protection to its subscribers data/signalling.
At least NAS messages should integrity protected , ciphering may be optional for signalling message.
Data packets may be ciphered but integrity is not required.

Answer 2

50 percent Yes.

NAS security mode command is only Integrity Protected where as NAS security mode complete is Integrity Protected and Ciphered, with activated security context.

So after this message Ciphering is applied to all NAS message except EMM attach request, Tracking Area Update request and of-course NAS security mode command message.

UE <-->MME<-->HSS: Authentication takes place:

If UE context does not present in anywhere in the network and Attach Request which is not Integrity protected OR Integrity Check Fails then and then only Integrity Protection and Ciphering are mandatory otherwise it is optional.

As for Emergency call, MME should not do Authentication process, and for that MME is configured to support UN-Authenticated UE's. So when UE send Attach request with attach type as "emergency call" then MME skips authentication and security and continue with attach procedure.

Source: http://www.linkedin.com/groups/What-exactly-does-Integrity-Protection-1180727.S.174817649