Content for  TR 22.858  Word version:  18.2.0

Multicast service access control is performed at 5GC, which is a mechanism to judge whether an UE is allowed to join a multicast group and receive the corresponding multicast service. When a UE requests to obtain multicast services, it sends an IGMP/MLD Join message to 5GC. When receiving the IGMP/MLD Join message, 5GC checks whether the UE is allowed to join the requested multicast group based on multicast service access control information. If the UE is allowed to join the requested multicast group, 5GC will transmit the corresponding multicast service to the UE. Otherwise, the UE is not allowed to receive the requested multicast service. IPTV service, a kind of multicast service, is defined as multimedia services such as television/video/ audio/text/graphics/data delivered over IP-based networks managed to support the required level of QoS/QoE, security, interactivity and reliability. Set Top Box (STB) is a legacy device used to obtain IPTV service via an eRG, which is connected to 5GC as shown in Figure 5.15.1-1. Currently, the IPTV network access control granularity is RG level, which means that all STBs behind a RG will share the same access right. If network can perform a more granular multicast service access control when multiple devices connect to an eRG, users might have a better service experience.

Mary would like to subscribe to IPTV service which is provided by IPTV network operated by IPTV operators. She needs to buy an eRG and a STB that are placed at home. The eRG is used to connect to the 5GC, while the STB is a legacy device used to obtain IPTV service via the eRG. Mary has two children, who are Jack and David. Jack is a 5-year-old boy, while David is a 14-year-old teenager. Both of them have their own bedrooms.

Mary desires to place one STB in each bedroom so that she and her sons can enjoy IPTV services in their own bedrooms simultaneously. Moreover, she hopes that the STB in each bedroom can obtain different IPTV service according to their hobbies. Therefore, she bought another two STBs which are going to be placed in her sons' bedrooms. For the STB placed in Jack's bedroom, Mary prefer to subscribe some cartoon IPTV channels because Jack loves watching cartoon. For the STB placed in David's bedroom, Mary prefer to subscribe some movie IPTV channels because David is a big fan of movie. As for Mary, she prefers to subscribe to news IPTV channels. Additionally, Mary wishes to restrict both Jack and David from watching IPTV channels with violent content. Mary requests the customised IPTV network access control for her user account to IPTV network operator. IPTV network operator updates the IPTV service access control information to 5GC according to the request from Mary so that 5GC can perform different IPTV service access control for each of the STB.

Mary, Jack and David can enjoy their favourite IPTV channels simultaneously. Moreover, Mary does not need to worry that her sons are exposed to violent content.

Clauses 4.9.1 and 7.7.1 of TS 23.316 mention that:

• The support of IPTV services at 5GC: "The SMF controls the support of IPTV by the UPF acting as PSA using PDR, FAR, QER, URR";
• In the case of IPTV network access control based on the DHCP procedure, 5G-RG may be configured to retrieve via DHCP the IP address that it will use to access IPTV services.
• When the SMF receives the Uplink DHCP message, the SMF may be configured to insert the IPTV access control information as received in subscription data from UDM to the uplink DHCP message.

In Release 16 5WWC, the existing feature of multicast service access control is UE/RG level granularity. Therefore, 5GC does not support to perform different multicast service access control for legacy devices behind a RG.

[PR. 5.15.6-001]

This use case intends to make use of the 5G capabilities (e.g., high performance, long-distance access, mobility and security) to build a secure connection between the 5G LAN and the fixed IP VPN. For example, when people are working from home, they probably need to access the enterprise's intranet by using the devices connecting to the home 5G LAN. The connection of 5G LAN with fixed IP VPN aims to enable the devices within the 5G LAN to access the intranet through the fixed IP VPN.

The following pre-conditions and assumptions apply to this use case:

• There are multiple 5G UEs within a 5G LAN-VN at home.
• There is a fixed IP VPN server deployed by the enterprise for intranet connection.

While having the e-meeting with the colleagues using his phone, John can access the up-to-date data using his mobile phone or laptop or any other authorised devices connected to the home 5G LAN. John can also exchange files or data within the home 5G LAN.

The 5G system supports the interconnection of a UE with a fixed IP VPN. 3GPP TS 22.261 Section 6.26.2.2 "5G LAN-virtual network (5G LAN-VN) " There are existing features that support the on-demand establishment of UE to UE, multicast, and broadcast private communication between members UEs of the same 5G LAN-VN. Multiple types of data communication shall be supported, at least IP and Ethernet. A 5G system shall support 5G LAN-VNs with member UEs numbering between a few to tens of thousands.

[PR. 5.16.6-001]

When a UE under a PRAS coverage, whose communication path remains within the home, is either:

• using an application server on e.g. an eRG or a compute and storage resource in the home; or
• communicating with another UE or non-3GPP device within the home, as described in clauses 5.4 and 5.5.

The use case considers what happens if the eRG or PRAS loses its connectivity with the 5GC.

• The user is using a client application on her UE.
• The UE is connected via a PRAS to an application server available on the eRG.

The connectivity between the eRG and the 5GC is lost, which is detected by the eRG.

The user experiences no interruption with her application, as it is using an application server on the eRG. However, she can no longer use her UE for communications via 5GC.

There are existing features and requirements that cover a similar scenario to the case where the connectivity between eRG or PRAS and the 5GC is lost. From a Home (e)Node B perspective, a requirement in clause 5.2 of TS 22.220 states: From an Isolated E-UTRAN operation for public safety (IOPS) perspective, TS 22.346 supports the scenario with no backhaul with a Fully Isolated E-UTRAN operation using local routing of UE-UE data traffic. From clause 5.3.2 of TS 22.346: This feature is intended to be used for public safety purposes with public safety UEs. Rel-16 IAB as defined in TS 38.331 can provide coverage even if connection to parent node is lost, as there are no mechanisms to disable IAB nodes from continuing to transmit if the connection to the parent node is lost. The latest agreement from RAN2#109bis is that IAB-DU behaviour after RLF declaration is left up to implementation. IAB-DU should be able to send RLF notification when RLF recovery fails. For the detection of loss of connection between the CPN and the wider 5G network (core network), it is expected that this is based on the normal operation of the entities in the CPN that rely on co-ordination with the 5G network. Therefore, a new requirement is not needed to cover this case. For the case where eRG is routing local communications within the CPN, if the connection between the CPN and the wider 5G network (core network) is lost, this requirement is covered within BBF specifications.

[PR. 5.17.6-001] [PR. 5.17.6-002] [PR. 5.17.6-003]

• in the default configuration, or under certain conditions configured by the operator, the PRAS radio interface shall be deactivated; and
• under certain other conditions configured by the operator, the CPN shall continue existing intra-CPN communication, as long as no interaction with the 5G network is needed (e.g. refreshing security keys).

The Customer Premises Network (CPN), including the eRG and PRAS, is at least owned, configured and managed by the customer of a public network operator. This implies that the public network operator is at least not fully in control of the configuration and management of the eRG, PRAS and CPN. Some aspects of the eRG and PRAS can be under control of the public network operator. For example if the PRAS uses licensed frequencies the radio configuration will be under control of the PLMN. Another example could be network settings in the eRG for the interface to the 5G core network. Other settings are configured / managed by the 'customer of the public network operator'. It is proposed to specify more clearly how this configuration and management by the 'customer of the public network operator' works. We are proposing to define the role of an Authorized Administrator. The Authorized Administrator may be authorized to configure / manage a specific node (e.g. a specific PRAS, eRG), or may be authorized to configure / manage a specific customer premises network (including one or more eRGs and/or PRASs).

None

Joe is installing a new Customer Premises Network in his home. First thing, Joe installs is the eRG, in this case a wireline eRG. He has obtained the eRG from the operator and now connects it to the fixed access line. The fixed operator has arranged that various setting in the eRG are automatically configured (e.g. using TR-069 management). The eRG also enables Joe to configure a username / password combination that Joe can use for configuration / management of settings that are not under operator control from any device within the CPN. With this username / password, Joe is now Authorized Administrator for the eRG. The public network operator also provides a service where Joe as Authorized Administrator can manage his eRG via a webpage (Ut interface) provided by the operator. Great aspect of this webpage is that the operator provides help with configuration. Joe is not exactly a network expert. Additionally, Joe can also manage his PRAS via a local webpage, on which some default configuration (e.g. password for the visitor accessing network via the PRAS) can be configured. Joe now connects more devices (e.g. media server, home controller, printer, etc) to the eRG. Within the Customer Premises Network, devices can automatically discover what services other devices may provide (e.g. printer) using existing service discovery mechanisms (UPnP, zero config). Joe wants some of these services to be available also to devices that are connected to the PLMN. As Authorized Administrator of his 5GLAN service Joe can add his eRG to his 5GLAN VN group. Joe now configures which of the services from the devices on the CPN should be exposed to UEs on the PLMN. A specific service that Joe configures to be available for UEs on his 5GLAN is the configuration of his eRG. Now Joe connects a PRAS to the eRG. Joe has obtained credentials for the PRAS from the PLMN. During installation the PRAS connects to the PLMN to obtain the settings under control of the operator (e.g. radio settings). Joe can also log on to the PRAS using credentials (e.g. username / password) that were supplied with the PRAS. Using these credentials, Joe can configure settings of the PRAS via devices on the CPN. An example is that Joe can set whether visitor access network via his PRAS is allowed (allowing all or no visitors, or allowing specific visitors only). Joe can also use a webpage provided by his PLMN to configure his PRAS.

Joe is Authorised Administrator of his Customer Premises Network, including PRAS and eRG. Joe can configure and manage the devices and services on his CPN from anywhere in the CPN and also from UEs that are connected to his 5GLAN VN Group.

Configuring nodes such as an eRG or PRAS is widely supported functionality. Service discovery within a Customer Premises Network (e.g. UPnP, zero config, or proprietary protocols) is existing functionality. Management of fixed eRG settings by an operator are specified by BBF in TR-069.

[PR 5.18.6-001] [PR 5.18.6-002] [PR 5.18.6-003]

• radio settings pertaining to licensed spectrum shall be configured by the PLMN that owns the spectrum.
  Specifically the Authorised Administrator shall be able to configure:
• Whether visitor access network via the PRAS is allowed (allowing all or no visitors, or allowing specific visitors only)

This use case is depicted in Figure 5.19.1-1. It shows the scenario where an eRG can support both wireline connection and 5G NR wireless connection simultaneously.

Lily moved into her new home and got IPTV service combined with internet. The IPTV providers offers 2 eRG solutions, just cable or cable with wireless. Cable provides an order magnitude higher speed but Lily has heard sometimes lot of people use the internet in the evenings and it crashes so she chooses for the one with cable access and the additional wireless capability as the wireless service can both compliment the cable and either can act as a backup in case one fails. The IPTV provider also supports the download of a media server onto the eRG to enable localized access to popular contents that Lily and her family watches often but at different times. The contents have an expiration for when it will be removed from the media server, but Lisa has the option to extend the expiration. The media server also supports streaming live high definition pay-per-view events and is able to utilize both wireless and cable accesses to meet the required QoS. Lily also has a home security alarm system. She is able to configure the eRG so the security alarm system can use the cable access as the primary access and the wireless access as the backup access. In addition, she also has IoT devices such as cameras, window and door sensors, humidity and temperature sensors, etc. Some of the IoT devices do not have subscription for cellular access and the wireless operator can configure the eRG to block traffic from those devices from being routed onto the cellular access. Lily's friend Lisa owns a small business and also employs an eRG that supports both cable and wireless access connectivity. The eRG not only provides communication path redundancy for the business but also network management services for the devices behind the eRG. Lisa is able to configure the eRG so that the security system uses the cable access as the primary access and the wireless access as the backup access. In addition, Lisa has requested from the wireless operator a firewall function that runs on the eRG to provide network security for the business. Both Lisa and the wireless operator are able to configure the firewall for different aspects of the firewall operations. Lisa is able to configure firewall rules while the wireless operator is able to configure and manage the orchestration and update of the firewall software in the eRG.

Home eRG:

1. Lily was watching TV at home, wherein the eRG used wireline connection for service.
2. there was an accident in the building, the wireline was destroyed or partially destroyed. There is a lot of commotion outside with people complaining they have no service.
3. eRG detects that the wireline was out of service or the data rate of wireline connection become very low.
4. eRG turns on the wireless work mode and optional may provide an indication on TV screen that now cable works in multiple connection mode.
5. The IPTV provider automatically downloads popular content Lily and her family watches to the media server when new content becomes available.
6. Lily and her family watch the contents at different times without any service interruption.
7. Lilly's husband and son like to watch professional wrestling and enjoy the live stream of pay-per-view events in high definition.

Business eRG:

1. The wireline network experiences a temporary failure where no connectivity is available for the eRG.
2. The security system sends a normal communication to the cloud server to the eRG.
3. The eRG detects the wireline access is not available and forwards the security system communication to the wireless access.
4. The firewall function monitors all traffic entering the eRG through the wireless and wireline accesses.
5. Lisa is unable to perform a download from a certain site that she knows is trustworthy and discovers the firewall function is blocking the download. Lisa configures the firewall to allow the download for this one instance only and the downloads proceeds.
6. Meanwhile, a security patch for the firewall software is available and the wireless operator informs Lisa of its availability.
7. Lisa schedules the update for a time when the business is close to minimize interruptions.

Lily could continue to watch TV while the people in the same building lose IPTV service combined with internet. Lily's husband and son enjoys live stream of professional wrestling without interruption since the media server is able to use both wireless and cable accesses. The eRG is configured to not send unauthorize traffic onto the cellular access. Lisa is able to protect her business network by configuring rules for the firewall while leaving the maintenance of the firewall software to the wireless operator.

Clause 6.3.2.4 of TS 22.261 Fixed broadband access The 5G system shall support use of a relay UE that supports multiple access types (e.g. 5G RAT, WLAN access, fixed broadband access). The 5G system shall support use of a home base station that supports multiple access types (e.g. 5G RAT, WLAN access, fixed broadband access). 3GPP TS 23.316 may include support for the hybrid access by RG.

[PR 5.19.6-001] [PR 5.19.6-002]

Broadcast/Multicast services in 5GC (5MBS) are available, potentially limited by a given service area. A user can receive such a service either outdoor or at home. The MNO wants to keep the benefits of multicast/broadcast distribution for in-home access. When at home, the user device (Smartphone, TV set, STB, PC, tablet…) can receive the service through the eRG. The device may be a 3GPP UE connected via a PRAS or the CPN access (e.g. Wi-Fi), or a non-3GPP device connected via the CPN access.

To enable this use case, following pre-conditions should be met:

1. The eRG is 5G multicast/broadcast capable.
2. The user is at home.
3. The user device is able to connect to the eRG.

1. The device connects to the eRG.
2. The eRG discovers the available 5G multicast/broadcast services (if not yet discovered).
3. The user selects one of the available 5G multicast/broadcast services.
4. The eRG connects to the 5GC to be provisioned with the selected broadcast/multicast service.
5. The eRG serves the received broadcast/multicast content to the device through the Customer Premise Network.

The user is able to consume the selected broadcast/multicast service at home through the connection to the eRG.

Features described in TS 22.146 are all relevant for devices behind the residential gateway. However, this specific configuration is not explicitly considered, with the exception of clause 4.2.1 of TS 22.146:

• 3b) As an alternative, the Home Environment can join the user to the selected multicast group on behalf of the user, that has previously subscribed to this multicast group.

Related aspects for this use case from TS 22.261: Clause 6.3 of TS 22.261 Multiple access technologies:

• For optimization and resource efficiency, the 5G system will select the most appropriate 3GPP or non-3GPP access technology for a service,
• Based on operator policy, the 5G system shall enable the UE to select, manage, and efficiently provision services over the 3GPP or non-3GPP access.
• The 5G system shall be able to efficiently support connectivity using fixed broadband access.
• The 5G system shall support use of a relay UE that supports multiple access types (e.g. 5G RAT, WLAN access, fixed broadband access).
• The 5G system shall support use of a home base station that supports multiple access types (e.g. 5G RAT, WLAN access, fixed broadband access).

Clause 6.9 of TS 22.261 Connectivity models:

• The UE (remote UE) can connect to the network directly (direct network connection), connect using another UE as a relay UE (indirect network connection), or connect using both direct and indirect connections. Relay UEs can be used in many different scenarios and verticals (inHome, SmartFarming, SmartFactories, Public Safety and others). In these cases, the use of relays UEs can be used to improve the energy efficiency and coverage of the system.

Related aspects for this use case from TS 22.246:

• The user should be able to receive MBMS user services via generic IP access systems.

[PR.5.20.6-001] [PR.5.20.6-002] [PR.5.20.6-003]

To ensure providing the secure connectivity for UEs connected to 5G network via Premises Radio Access Stations (PRAS) behind eRG, this use case illustrates the need to have 5G system support for identification, authentication, and authorization of a PRAS which is not provided by the operators and has not previously been provided with credentials. The use case is to ensure that there is 3GPP mechanism to protect the weak-link between these (assuming untrusted) PRAS(es) not provided by the operators and the eRG.

Alicia purchased a promotion deal from her smartphone's operator Wallowa to upgrade her home network with a bundle package including one eRG and one PRAS-A. When receiving both devices, Alicia installed the eRG and PRAS-A in the second floor and connected both via wireline. Alicia powered on both devices. Both devices register to the 5G network and are provisioned with configuration of operation settings and authorizations from the 5G network. Both eRG and the PRAS-A are up and running well to provide 5G coverage in Alicia's home. Later, Alicia found there were still some coverage holes in the corner of the first floor so she decided to purchase one PRAS-B which is not provided by the operator and has not previously provided with credentials which thus considered as untrusted devices for the operator's network. When returning home, Alicia logs on to her account on Operator Wallowa's portal to upgrade the eRG subscription for allowing connecting this PRAS-B and then add this PRAS-B by configuring the device settings manually or via scanning QR code of the PRAS-B and associating it to the trusted 3GPP device, eRG, which it will be connected with tethering connection. Alicia may e.g. use an application on her smartphone to assist in selecting the correct eRG to connect to and/or to set up the initial connection between the PRAS and the eRG, to avoid the PRAS to connect to the neighbor's eRG and to make it easier to perform the initial setup. Alicia installed the PRAS-B in the first floor and connected the PRAS-B to 5G network via operator's eRG.

The 5G network ensures that the E2E connection from the 5G core network to the UE connected to the operator's PRAS-A and the PRAS-B behind eRG are secure because both PRAS(es) connected via operator's eRG are authenticated, authorized, and managed by the operator. Alicia can now connect her UEs to both PRAS(es). She is happy that she can speak to the phone when walking around the house with good 5G service coverage.

The following service requirement in clause 26a of TS 22.101 provide the principle for user centric identifiers and authentication and authorization by the 3GPP system: In clause 26a of TS 22.101 the 5G network operator can act as an identity provider for Users, e.g. an individual human user, using a UE with a certain subscription, or an application running on or connecting to a UE, or a device ("thing") behind a gateway UE. These Users are associated to the 3GPP devices (UE or gateway UE) which are 5G subscribers of the operator's network. The 5G network can identify and authenticate a User Identity based on the authenticated 3GPP device that is associated to the user. In the context of CPN, the 5G network can also enable support for identifying and authenticating an PRAS which is not provided by the operator and does not have 3GPP credentials based on the authenticated 3GPP device (eRG) that provides tethering connection.

[PR 5.21.6-001] [PR 5.21.6-002] [PR 5.21.6-003] [PR 5.21.6-004]

According to clause 26a of TS 22.101, the 3GPP system can support an operator to act as identity provider and enable auto-log-in and single-sign-on to operator and non-operator services. This use case is extended from the use case 5.2, Identity provisioning to external services, in TR 22.904 which considers the applications are hosted in the cloud. In support of external services provided behind an eRG in CPN, this use case describes the enhancement of functionalities and provides the potential service requirements in addition to those described in [11].

Dora is a subscriber of network operator Cannon-Beach where she has a user account and subscriptions for her UE and the eRG in the CPN. Based on the subscriptions for the eRG, operator Cannon-Beach enables a strong user authentication mechanism at the 5G system to ensure that the users accessing to the eRG in the CPN are authenticated and authorized. Dora installs a local cloud with the application platform on a device connected to the eRG in the CPN in her home. The local cloud provides storage services for files, video, and photo album, etc. Dora configures applications/services information and registers to these applications with her user account of the network operator Cannon-Beach for the local cloud storage services hosted on the device behind the eRG in the CPN, by which each application/service is associated to a User Identity and corresponding User Profiles. When enabling these applications/services in her user account, these services/applications can use strong user authentication from the 5G system to the applications running on the device behind the eRG in the CPN. As such, auto-log-in and single-sign-on is enabled for the applications.

Because of operator's supports for non-operator services on the local cloud in the CPN and the support of strong user authentication by the 5G system, Dora is worries free to install more applications hosted by the local cloud on the devices connected to the eRG in the CPN in her home.

The following service requirement in clause 26a of TS 22.101 provide the principle for user centric identifiers and authentication and authorization by the 3GPP system: 26a.2.1 User Identifiers and user authentication 26a.2.5 Privacy requirements The use case considers that the external services are provided as a local cloud application platform behind an eRG in CPN and proposes to enable 5G system support for identity provisioning to external services behind eRG in CPN.

[PR 5.22.6-001] [PR 5.22.6-002]