Network node, UE and method for handling handover with parameter for deriving security context

The invention claimed is: 1 . A method performed in a User Equipment, UE, for handling handover from a source access node to a target access node, comprising: receiving a handover command message from the source access node; wherein the handover command message includes parameters required for deriving a security context associated with the target access node; establishing a radio connection with the target access node; when detecting that a security context switching criterion is fulfilled, stopping to use a security context associated with the source access node, wherein detecting that the security context switching criterion is fulfilled comprises detecting that a control plane data packet on a target radio connection is received from the target access node, wherein the security context switching criterion is configurable and comprises a criterion indicating when the UE has sent a message 3, MSG3, to the target access node. 2 . The method according to claim 1 , further comprising: starting to use the security contexts associated with both the target access node and the source access node after establishing the radio connection with the target access node. 3 . The method according to claim 1 , further comprising: starting to use the security context associated with the target access node in response to the security context switching criterion being fulfilled. 4 . The method according to claim 1 , wherein the security context switching criterion further comprises any one of or a combination of: a reception of a user plane data packet from the target access node; a reception of a control plane data packet from the target access node; a reception of an UL grant from the target access node; a reception of a Media Access Control Element, MAC CE, or Packet Data Unit, PDU, from the target access node; a confirmation message transmitted to the target access node to indicate completion of the handover; a reception of a dummy packet from the target access node; when the UE has sent the PDCP Status Report to the target access node or when the UE has received a confirmation that the PDCP Status Report has been received by the target access node; when the UE has received a confirmation that the MSG3 has been received by the target access node; when the UE transmits an assigned Random Access Preamble in case the non-contention based random access procedure is configured. 5 . The method according to claim 1 , wherein the security context switching criterion comprises a first security context switching criterion, the method further comprising: starting to use the security context associated with the target access node for a first bearer in response to the security context switching criterion being fulfilled for the first bearer. 6 . The method according to claim 1 , wherein the security context switching criterion comprises a second security context switching criterion, the method further comprising: starting to use the security context associated with the target access node for a second bearer in response to the second security context switching criterion being fulfilled for the second bearer. 7 . The method according to claim 1 , wherein the security context switching criterion comprises a second security context switching criterion, the method further comprising: starting to use the security context associated with the target access node for all bearers in response to the second security context switching criterion being fulfilled. 8 . The method according to claim 1 , further comprising: receiving from the source access node configuration data for instructing the UE to apply one or subset out of a set of criteria for triggering switch of security context; and switching security context in accordance with the received configuration data upon fulfillment of the configured criteria or criterion. 9 . The method according to claim 1 , wherein the method further comprises detecting if a security context switching criterion is fulfilled by performing for UL and DL independently with different switching criterion, and wherein switching security context is performed separately for the UL and the DL. 10 . A non-transitory computer-readable medium comprising instructions, which when executed by a processor, causes the processor to perform actions according to claim 1 . 11 . A method performed in a network node for assisting a User Equipment, UE, to handover from a source access node to a target access node comprising: sending a message to the UE comprising configuration data for instructing the UE to apply one or subset out of a set of criteria for triggering switch of security context, wherein in response to sending the message, a security context switching criterion is fulfilled, the security context switching criterion comprises a reception of a control plane data packet on a target radio connection by the UE from the target access node, wherein the security context switching criterion is configurable and comprises a criterion indicating when the UE has sent a message 3, MSG3, to the target access node. 12 . The method of claim 11 , wherein the network node is the source access node or the target access node. 13 . A non-transitory computer-readable medium comprising instructions, which when executed by a processor, causes the processor to perform actions according to claim 11 . 14 . A User Equipment, UE, for handling handover from a source access node to a target access node, the UE being configured to: receive a handover command message from the source access node; wherein the handover command message is adapted to include parameters required for deriving a security context associated with the target access node; establish a radio connection with the target access node; when detecting that a security context switching criterion is fulfilled, stop to use a security context associated with the source access node, wherein detecting that the security context switching criterion is fulfilled comprises detecting that a control plane data packet on a target radio connection is received from the target access node, wherein the security context switching criterion is configurable and comprises a criterion indicating when the UE has sent a message 3, MSG3, to the target access node. 15 . The method according to claim 14 , further being configured to: start to use the security contexts associated with both the target access node and the source access node after establishing the radio connection with the target access node. 16 . The UE according to claim 14 , further being configured to: start to use the security context associated with the target access node in response to the security context switching criterion being fulfilled. 17 . The UE according to claim 14 , wherein the security context switching criterion further comprises any one of or a combination of: a reception of a user plane data packet from the target access node; a reception of a control plane data packet from the target access node; a reception of an UL grant from the target access node; a reception of a Media Access Control Element, MAC CE, or Packet Data Unit, PDU, from the target access node; a confirmation message transmitted to the target access node to indicate completion of the handover; a reception of a dummy packet from the target access node; when the UE has sent the PDCP Status Report to the target access node or when the UE has received a confirmation that the PDCP Status Report has been received by the target access node; when the UE has received