5G Relay Key Procedure Call Flow
5G Relay Key Procedure is the specialized relay-aware NAS security branch used when relay-specific trust must be established before the feature can continue.
It sits above ordinary access trust and determines whether a relay-capable participant may continue into relay-specific authentication and feature use.
Introduction
This procedure is not part of mainstream registration or service setup. It belongs to a specialized relay-security branch with its own request, accept or reject, and feature-authentication continuity.
That makes it especially useful when normal 5G service appears healthy but the relay-specific feature still fails.
What Is Relay Key Procedure in Simple Terms?
- What starts the procedure: A relay-aware feature branch needs dedicated relay-specific security handling.
- What the UE and network want to achieve: Approve and validate relay-specific trust before feature continuation.
- What success looks like: Relay Key is accepted and relay authentication can continue.
- What failure means: The relay-specific branch is denied or loses continuity even though ordinary service may still work.
Why this procedure matters
Relay-specific security is one of the clearest examples of a feature branch that can fail independently of ordinary 5G access. This procedure is where that separation becomes visible.
Quick Fact Sheet
| Procedure name | 5G Relay Key Procedure |
|---|---|
| Domain | 5G relay-aware specialized NAS security |
| Main trigger | A relay-aware feature branch needs dedicated key handling before relay authentication can continue |
| Start state | The participant has entered a relay-aware feature path but does not yet have accepted relay-specific security context |
| End state | Relay-specific key handling is accepted and the branch can continue into relay authentication, or the request is rejected |
| Main nodes | Relay-capable UE or participant, network relay-security handling |
| Main protocols | NAS, relay-specific key handling, relay authentication |
| Main success outcome | Relay Key Request is accepted and the branch continues into relay authentication |
| Main failure outcome | Relay Key Reject stops the specialized feature branch before relay authentication can continue |
| Most important messages | Relay Key Request, Relay Key Accept, Relay Key Reject, Relay Authentication Request, Relay Authentication Response |
| Main specs | TS 24.501, TS 23.501, TS 23.502 |
Preconditions
- The participant is entering a relay-aware feature branch.
- Ordinary 5G subscriber access may already be valid but is not sufficient for the specialized feature.
- The network supports relay-specific NAS security messaging.
- Transaction continuity can be maintained through relay-specific request and authentication phases.
Nodes and Interfaces
Nodes involved
| Node | Role in this procedure |
|---|---|
| Relay-capable UE or participant | Starts the relay-specific security branch and later answers the specialized authentication challenge. |
| Network relay-security handling | Validates the relay request and decides whether the specialized branch may continue. |
Interfaces used
| Interface | Path | Role |
|---|---|---|
| NAS specialized relay branch | Participant <-> network | Carries relay-specific key handling and later relay authentication signaling. |
End-to-End Call Flow
Participant Network
|-- Relay Key Request ----->|
|<- Relay Key Accept/Reject-|
|<- Relay Authentication ---|
|-- Relay Authentication -->|
|==== relay feature continues only if specialized trust succeeds ====|Major Phases
| Phase | What happens |
|---|---|
| 1. Relay feature enters specialized security branch | The participant starts the relay-aware feature path and needs dedicated key handling. |
| 2. Relay key request and decision | The network accepts or rejects the relay-specific key request. |
| 3. Relay authentication | If accepted, the branch continues into relay-specific authentication. |
| 4. Feature continuation | The relay feature continues only if the full specialized branch succeeds. |
Step-by-Step Breakdown
Participant requests relay-specific security handling
Sender -> receiver: Participant -> network
Message(s): Relay Key Request
Purpose: Ask the network to create or accept relay-aware security context for the specialized branch.
State or context change: The feature is now at its first dedicated security checkpoint.
Note: This is separate from ordinary registration trust and should be read as feature-specific authorization and context setup.
Network accepts or rejects the relay key branch
Sender -> receiver: Network -> participant
Message(s): Relay Key Accept or Relay Key Reject
Purpose: Decide whether relay-specific security setup can continue.
State or context change: The branch either progresses into authentication or stops immediately.
Note: If the feature dies here while normal service still works, the problem is isolated to the relay-specific branch.
Network challenges the participant for relay-specific trust
Sender -> receiver: Network -> participant
Message(s): Relay Authentication Request
Purpose: Validate that the participant may continue the specialized relay branch safely.
State or context change: The feature moves from key handling into relay-specific proof of legitimacy.
Note: At this stage the transaction identity from the earlier key exchange becomes one of the most important checks.
Participant returns relay authentication response
Sender -> receiver: Participant -> network
Message(s): Relay Authentication Response
Purpose: Complete the specialized relay-security proof needed for feature continuation.
State or context change: The relay feature either becomes trusted enough to continue or stops at the security gate.
Note: If the response never arrives, inspect uplink continuity and feature-specific transaction handling before blaming subscriber credentials.
Important Messages in This Flow
| Message | Protocol | Direction | Purpose in this procedure | What to inspect briefly |
|---|---|---|---|---|
| Relay Key Request | NAS | Participant -> network | Starts relay-aware key handling. | Inspect transaction identity and feature-specific request parameters. |
| Relay Key Accept | NAS | Network -> participant | Allows relay-aware security continuation. | Check whether acceptance logically matches the request context. |
| Relay Key Reject | NAS | Network -> participant | Stops the relay-specific branch before authentication. | Read the rejection context carefully because ordinary access may still be healthy. |
| Relay Authentication Request | NAS | Network -> participant | Starts the relay-specific trust challenge. | Inspect continuity from the earlier key-handling branch. |
| Relay Authentication Response | NAS | Participant -> network | Returns the specialized proof needed for continuation. | Inspect whether the response remains on the same transaction and feature context. |
Important Parameters to Inspect
| Parameter | What it is | Where it appears | Why it matters | Common issues |
|---|---|---|---|---|
| Relay transaction identity | The feature-specific identity tying the specialized exchange together. | All relay-specific NAS messages | Critical for proving continuity across request, accept or reject, and later authentication. | If it drifts, the feature often fails even with good payloads. |
| Relay feature authorization | Whether the participant is allowed to continue the specialized relay branch. | Relay Key decision logic | Separates ordinary subscriber trust from feature-specific permission. | A valid subscriber can still fail here if the feature itself is not authorized. |
| Accept or reject outcome | The network decision on the key branch. | Relay Key Accept or Reject | Defines whether relay authentication should follow. | Skipping this distinction causes wrong troubleshooting on the wrong phase. |
| Relay authentication continuity | Whether the later challenge and response match the same earlier relay branch. | Relay Authentication Request and Response | Lets engineers prove the specialized trust branch stayed coherent. | Mismatched continuity looks like impossible authentication. |
| Ordinary-service comparison | Whether the UE still has healthy general 5G access while relay-specific behavior fails. | Whole trace comparison | Helps isolate the issue to relay security rather than general access failure. | Without this comparison, the root cause is often generalized too much. |
Success Criteria
- The relay-specific request is accepted with coherent transaction continuity.
- Relay authentication begins only after the key branch succeeds.
- The participant returns the expected relay-authentication response.
- The relay feature continues after specialized security success.
Common Failures and Troubleshooting
| Symptom | Likely cause | Where to inspect | Relevant message(s) | Relevant interface(s) | Likely next step |
|---|---|---|---|---|---|
| Relay Key is rejected immediately | The network did not accept the feature-specific request. | Authorization state, request parameters, and transaction identity. | Relay Key Request, Relay Key Reject | NAS specialized branch | This is the earliest and most decisive relay-specific failure branch. |
| Relay Key is accepted but relay authentication later fails | The branch passed setup but failed later specialized trust validation. | Transaction continuity and later challenge-response details. | Relay Authentication Request, Relay Authentication Response | NAS specialized branch | Do not stop analysis at Relay Key Accept. |
| No Relay Authentication Response appears | The participant did not process the challenge or the specialized branch lost uplink continuity. | Uplink delivery and feature-specific transaction tracking. | Relay Authentication Response | NAS specialized branch | This can be a feature-path transport problem as much as a security problem. |
| Normal service works but relay feature stays broken | Only the relay-specific security branch is failing. | Feature authorization and relay-specific message continuity. | Relay Key and Relay Authentication messages | NAS specialized branch | This is the key clue that the failure is isolated to relay security. |
What to Check in Logs and Traces
- Compare ordinary service health with relay feature health first.
- Track the relay transaction identity across all specialized messages.
- Separate key-branch rejection from later relay-authentication failure.
- If the response is missing, inspect feature-specific uplink continuity before assuming a subscriber issue.
Related Pages
Related sub-procedures
Related message reference pages
- Relay Key Request
- Relay Key Accept
- Relay Key Reject
- Relay Authentication Request
- Relay Authentication Response
Related troubleshooting pages
FAQ
What is the 5G Relay Key Procedure?
It is the specialized relay-security branch that handles relay-specific key setup before relay authentication can continue.
Is it part of normal registration?
No. It is a feature-specific branch layered on top of ordinary 5G access and security.
What should I inspect first?
Start with Relay Key Request and whether the network answered with Accept or Reject for the same relay transaction identity.
Why can the relay feature fail when normal service works?
Because the relay branch has its own authorization and transaction-continuity requirements beyond ordinary subscriber access.
What usually follows Relay Key Accept?
The network normally continues into Relay Authentication Request so the specialized feature trust can be completed.