The 5G core network (5GCN) supports the connectivity of the UE via non-3GPP access networks. These non-3GPP access networks can be trusted non-3GPP access networks, untrusted non-3GPP access networks or wireline access networks. A trusted or untrusted non-3GPP access network can advertise the PLMNs for which it supports trusted connectivity and the type of supported trusted connectivity. Different types of trusted connectivity can be advertised so that the UE can discover the non-3GPP access networks that can provide trusted connectivity to one or more PLMNs:
information about PLMN list with 5G connectivity using trusted non-3GPP access;
information about PLMN list with 5G connectivity without NAS using trusted non-3GPP access;
information about PLMN list with S2a connectivity using trusted non-3GPP access (access via non-3GPP access to EPC); or
information about SNPN list with 5G connectivity using trusted non-3GPP access.
In wireline access, the 5G-RG can provide connectivity for:
a UE behind the 5G-RG to access the 5GCN via untrusted non-3GPP access network or trusted non-3GPP access network;
an AUN3 device behind the 5G-RG to access the 5GCN via wireline access network; and
an NAUN3 device behind the 5G-RG to access the 5GCN via wireline access.
For an untrusted non-3GPP access network, the communication between the UE and the 5GCN is not trusted to be secure.
For an untrusted non-3GPP access network, to secure communication between the UE and the 5GCN, the UE establishes a secure connection to the 5G core network over the untrusted non-3GPP access via the N3IWF. The UE registers with the 5G core network during the IKEv2 SA establishment procedure, as specified in TS 24.501 and RFC 7296. After the registration, the UE exchanges NAS signalling with the 5GCN over the N1 reference point as specified in TS 24.501. The N3IWF interfaces with the 5GCN CP function via the N2 interface to the AMF and with the 5GCN UP functions via the N3 interface to the UPF, as described in TS 23.501.
When the UE accesses the 5GCN over non-3GPP access networks, the same permanent identities for 3GPP access are used to identify the subscriber for non-3GPP access authentication, authorization and accounting services.
The Subscription Permanent Identifier (SUPI) is defined in TS 23.501. The SUPI can contain an IMSI, a network specific identifier, a GCI or a GLI as specified in TS 23.501. A SUPI containing an IMSI is defined in TS 23.003. A SUPI containing a network specific identifier, a GCI or a GLI always takes the form of a NAI as defined in TS 23.003.
The Subscription Concealed Identifier (SUCI) is a privacy preserving identifier containing the concealed SUPI as specified in TS 33.501. SUCI is calculated from SUPI. When the SUPI contains an IMSI, the corresponding SUCI is derived as specified in TS 23.003. When the SUPI contains a network specific identifier, a GCI or a GLI, the corresponding SUCI in NAI format is derived as specified in TS 23.003.
User identification in non-3GPP accesses can require additional identities that are out of the scope of 3GPP.
An N3IWF FQDN is either provisioned by the home operator or constructed by the UE in:
the Operator Identifier FQDN format or the Tracking Area Identity FQDN format; or
the Prefixed Operator Identifier FQDN format or the Prefixed Tracking Area Identity FQDN format if the UE is configured with slice-specific N3IWF prefix configuration,
as specified in clause 6.3.6.2 in TS 23.501.
The N3IWF FQDN for onboarding services in SNPN is pre-configured in the UE to select an N3IWF to register the onboarding SNPN via untrusted non-3GPP access.
The detailed format of the N3IWF FQDN is specified in clause 28.3.2.2 of TS 23.003.
The N3IWF FQDN is used as input to the DNS mechanism for N3IWF selection.
In order to access PLMN services via an SNPN, a UE operating in SNPN access operation mode registered to an SNPN has the following restrictions on N3IWF FQDN:
the UE shall only use TAIs from a PLMN to construct a Tracking Area Identity based N3IWF FQDN; and
the UE shall not use an N3IWF FQDN configured by an SNPN for N3IWF selection.
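The following is an added example, not text or code from TS 24.502 or TS 23.003: it constructs the N3IWF FQDN in the Operator Identifier and Tracking Area Identity formats (with and without a slice-specific prefix) and applies the two SNPN restrictions above before the name is handed to DNS. The label layouts "n3iwf.5gc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org" and "tac-lb<lo>.tac-mb<mid>.tac-hb<hi>.tac.n3iwf.5gc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org" are reproduced from memory of clause 28.3.2.2 of TS 23.003 and should be checked against that clause; that the prefixed formats put the configured prefix in front as the leftmost label, and the simple rule "use the TAI format whenever a PLMN TAI is available" in select_n3iwf_fqdn, are assumptions of this example. All type names and PLMN identities are constructed for illustration.

```python
"""Added example (editor's code, not 3GPP text): N3IWF FQDN construction and
selection. Label layouts and the prefix placement are assumptions; verify them
against TS 23.003 clause 28.3.2.2 before relying on them."""
from dataclasses import dataclass
from typing import Optional

DOMAIN = "pub.3gppnetwork.org"


@dataclass(frozen=True)
class PlmnId:
    mcc: str
    mnc: str

    def __post_init__(self) -> None:
        if not (self.mcc.isdigit() and len(self.mcc) == 3):
            raise ValueError("MCC must be 3 digits")
        if not (self.mnc.isdigit() and len(self.mnc) in (2, 3)):
            raise ValueError("MNC must be 2 or 3 digits")

    @property
    def mnc3(self) -> str:
        return self.mnc.zfill(3)   # a 2-digit MNC gets a leading zero in FQDN labels


@dataclass(frozen=True)
class Tai:
    plmn: PlmnId
    tac: int                   # 24-bit 5G TAC
    nid: Optional[str] = None  # set only when the TAI belongs to an SNPN (PLMN ID + NID)


@dataclass(frozen=True)
class ProvisionedFqdn:
    fqdn: str
    configured_by_snpn: bool   # True when the entry came from SNPN configuration


def operator_id_fqdn(plmn: PlmnId, prefix: Optional[str] = None) -> str:
    """Operator Identifier format; 'prefix' gives the Prefixed variant (assumed layout)."""
    base = f"n3iwf.5gc.mnc{plmn.mnc3}.mcc{plmn.mcc}.{DOMAIN}"
    return f"{prefix}.{base}" if prefix else base


def tai_fqdn(tai: Tai, prefix: Optional[str] = None) -> str:
    """Tracking Area Identity format; refuses SNPN TAIs (only PLMN TAIs may be used)."""
    if tai.nid is not None:
        raise ValueError("TAI belongs to an SNPN; only TAIs from a PLMN may be used")
    if not 0 <= tai.tac <= 0xFFFFFF:
        raise ValueError("5G TAC is a 24-bit value")
    lo, mid, hi = tai.tac & 0xFF, (tai.tac >> 8) & 0xFF, (tai.tac >> 16) & 0xFF
    base = (f"tac-lb{lo:02x}.tac-mb{mid:02x}.tac-hb{hi:02x}.tac."
            f"n3iwf.5gc.mnc{tai.plmn.mnc3}.mcc{tai.plmn.mcc}.{DOMAIN}")
    return f"{prefix}.{base}" if prefix else base


def select_n3iwf_fqdn(plmn: PlmnId, tai: Optional[Tai] = None,
                      provisioned: Optional[ProvisionedFqdn] = None,
                      slice_prefix: Optional[str] = None,
                      snpn_access_mode: bool = False) -> str:
    """FQDN to use as DNS input: home-operator provisioning first, else constructed.
    A UE in SNPN access operation mode ignores an FQDN configured by an SNPN.
    Preferring the TAI format when a PLMN TAI is at hand is a simplification."""
    if provisioned and not (snpn_access_mode and provisioned.configured_by_snpn):
        return provisioned.fqdn
    if tai is not None:
        return tai_fqdn(tai, slice_prefix)
    return operator_id_fqdn(plmn, slice_prefix)
```

The SNPN check lives in tai_fqdn rather than in the caller so that a TAI carrying a NID can never reach the DNS query path, whichever code path constructs the name.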
When the UE accesses the 3GPP 5G System (5GS) via non-3GPP access networks, the same QoS flow based 5G QoS model and principles are followed as described in TS 23.501. For PDU sessions established over non-3GPP access, the QoS flow remains the finest granularity of QoS differentiation in the PDU session.
For untrusted non-3GPP access, the N3IWF is the access network node that provides QoS signalling to support QoS differentiation and mapping of QoS flows to non-3GPP access resources.
For trusted non-3GPP access, the TNGF is the access network node that provides QoS signalling to support QoS differentiation and mapping of QoS flows to non-3GPP access resources.
For wireline access, the W-AGF serving the 5G-RG is the access network node that provides QoS signalling to support QoS differentiation and mapping of QoS flows to non-3GPP access resources. For QoS differentiation in the non-3GPP access network behind the 5G-RG, 5G-RG provides QoS signalling to support QoS differentiation and mapping of QoS flows to non-3GPP access resources behind the 5G-RG.
A QoS flow is controlled by the SMF and can be preconfigured, or established via the UE requested PDU Session establishment via non-3GPP access procedure, the UE or network requested PDU session modification via non-3GPP access procedure (see TS 23.502).
During PDU session establishment, based on local policies, pre-configuration and the QoS profiles received:
the N3IWF or the TNGF (depending on whether the UE is connected to untrusted non-3GPP access or trusted non-3GPP access, respectively):
shall determine the number of IPsec child SAs to establish and the QoS profiles associated with each IPsec child SA; and
shall then initiate IPsec SA creation procedure to establish child SAs associating to the QoS flows of the PDU session; or
the W-AGF serving the 5G-RG:
shall determine the number of W-UP resources to establish and the QoS profiles associated with each W-UP resource; and
shall initiate creation of one or more W-UP resources using means out of scope of the present document. The W-AGF serving the 5G-RG shall associate each W-UP resource with a PDU session, zero or more QFIs, and optionally an indication of whether the W-UP resource is the default W-UP resource. For each W-UP resource, the 5G-RG becomes aware, using means out of scope of the present document, of the association of the W-UP resource with the PDU session, the zero or more QFIs, and optionally the indication of whether the W-UP resource is the default W-UP resource.
During PDU session establishment procedure or PDU session modification procedure as specified in TS 24.501, the 5G-RG may use the Authorized QoS flow descriptions and the N3QAI to reserve the resources in the non-3GPP access network behind the 5G-RG.
In order to support QoS differentiation in the case of access to PLMN services via an SNPN and access to SNPN services via a PLMN, the N3IWF is preconfigured with one or more QoS profiles requiring a dedicated IPsec child SA which can be associated with a DSCP value.
In order to support QoS differentiation in the case of access to PLMN services via 5G ProSe layer-3 UE-to-network relay with N3IWF as specified in clause 5.6.2.2 of TS 23.304, the N3IWF is preconfigured with one or more QoS profiles requiring a dedicated IPsec child SA which can be associated with a DSCP value.
In order to support QoS differentiation in the case of access to PLMN services via a WLAN, the N3IWF and TNGF behaviour is as specified in clause 4.4.2.3, with one or more QoS profiles requiring an IPsec child SA which can be associated with a downlink DSCP value determined by taking into account, according to operator policy, the establishment cause, the 5QI, the Priority Level (if explicitly signalled) and optionally, the ARP priority level.
For uplink of trusted and untrusted non-3GPP accesses, the UE associates an uplink user data packet with a QFI as specified in TS 24.501. In both cases, the UE shall then encapsulate the uplink user data packet in a GRE packet, carrying the associated QFI in the GRE header, and select the IPsec child SA based on the PDU session and the QFI associated with the uplink user data packet as specified in clause 8.3. In case of trusted non-3GPP access, the UE shall reserve non-3GPP access network QoS resources for the IPsec child SA according to the received Additional QoS Information when the selected IPsec child SA is established. In case of untrusted non-3GPP access, the UE may receive Additional QoS Information from the N3IWF during IPsec child SA establishment; if it does, the UE may reserve non-3GPP access network QoS resources for the IPsec child SA according to that information when the selected IPsec child SA is established.
For uplink of wireline access, the 5G-RG associates an uplink user data packet with a QFI as specified in TS 24.501, shall select a W-UP resource based on the PDU session and the QFI associated with the uplink user data as specified in clause 8.3 and shall transport the uplink user data packet via the selected W-UP resource using means out of scope of the present specification.
For downlink of trusted and untrusted non-3GPP accesses, the UPF maps the user data packet to a QoS flow. In case of untrusted non-3GPP access, the N3IWF shall determine the IPsec child SA to use for sending of the downlink user data packet over NWu based on mapping of the QoS flow to the IPsec child SA based on QFI of the QoS flow of the user data packet and the identity of the PDU session of the user data packet. In case of trusted non-3GPP access, the TNGF shall determine the IPsec child SA to use for sending of the downlink user data packet over NWt based on mapping of the QoS flow to the IPsec child SA based on QFI of the QoS flow of the user data packet and the identity of the PDU session of the user data packet. Furthermore, TNGF may reserve non-3GPP access network QoS resources for the IPsec child SA.
For downlink of wireline access, the UPF maps the user data packet to a QoS flow. In case of wireline access, the W-AGF serving the 5G-RG shall select a W-UP resource for a downlink user data packet based on mapping of the QoS flow to the W-UP resources, based on QFI of the QoS flow of the user data packet and the identity of the PDU session of the user data packet, and shall transport the downlink user data packet and the QFI associated with the downlink user data packet via the selected W-UP resource using means out of scope of the present specification.
For QoS differentiation in the non-3GPP access network behind the 5G-RG, if the network during PDU session establishment or PDU session modification procedure provides the QoS rules, the network may additionally provide Non-3GPP QoS Assistance Information (N3QAI) for each QoS flow to aid in reserving resources in the non-3GPP access network behind the 5G-RG. How the 5G-RG uses the Authorized QoS flow descriptions to reserve the resources in the non-3GPP access network behind the 5G-RG, is out of scope of this specification.
Reflective QoS is also supported when the UE accesses the 5GCN via a non-3GPP access network as specified in TS 23.502. If the N3IWF for untrusted non-3GPP access or the TNGF for trusted non-3GPP access receives a downlink user packet associated with a Reflective QoS Indicator (RQI), the N3IWF or the TNGF shall set the RQI in the GRE header when encapsulating the downlink user data packet into a GRE encapsulated user data packet as specified in clause 8.3. If the W-AGF serving the 5G-RG receives a downlink user packet associated with an RQI, the W-AGF shall transport the RQI together with the downlink user data packet and the QFI associated with the downlink user data packet via the selected W-UP resource, as described in clause 4.4.2.3.
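The following is an added example, not text or code from TS 24.502: it shows the GRE user-plane encapsulation that clause 8.3 relies on (user packet as payload, QFI and RQI in the GRE Key field), the per-(PDU session, QFI) IPsec child SA selection with fall-back to the session's default child SA, and the N3IWF/TNGF side decision of how many child SAs to create for a PDU session. Two things are assumptions of this example and not taken from the page: the bit layout of the Key field (QFI in the low six bits of key octet 1, RQI as the most significant bit of key octet 2) must be verified against clause 8.3, and the planning policy "one child SA per distinct QoS profile, the first one doubling as the default SA" is one possible operator policy, not the normative rule. All SPIs, QFIs and packet bytes used are constructed.

```python
"""Added example (editor's code, not 3GPP text): GRE encapsulation with QFI/RQI
in the Key field and (PDU session, QFI) -> IPsec child SA selection. The Key
field bit layout below is an assumption to be checked against TS 24.502 8.3."""
import struct
from typing import Dict, Iterable, List, Tuple

GRE_K_BIT = 0x2000          # RFC 2890 flags: Key Present set; C, S and version are 0
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def gre_key(qfi: int, rqi: bool) -> int:
    """Pack QFI (6 bits) and RQI (1 bit) into the 32-bit Key field (assumed layout)."""
    if not 0 <= qfi <= 63:
        raise ValueError("QFI is a 6-bit value")
    return (qfi << 24) | (int(rqi) << 23)


def gre_encap(user_packet: bytes, qfi: int, rqi: bool = False,
              ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """UE uplink / N3IWF-TNGF downlink: one GRE packet carrying packet, QFI and RQI."""
    return struct.pack("!HHI", GRE_K_BIT, ethertype, gre_key(qfi, rqi)) + user_packet


def gre_decap(gre_packet: bytes) -> Tuple[int, bool, int, bytes]:
    """Reverse of gre_encap; rejects headers that cannot carry a QFI."""
    if len(gre_packet) < 8:
        raise ValueError("truncated GRE header")
    flags, ethertype, key = struct.unpack("!HHI", gre_packet[:8])
    if flags != GRE_K_BIT:
        # No Key field means no QFI; checksum/sequence bits or a non-zero
        # version are not what the NWu/NWt user plane expects.
        raise ValueError(f"unexpected GRE flags 0x{flags:04x}")
    qfi = (key >> 24) & 0x3F
    rqi = bool((key >> 23) & 0x1)
    return qfi, rqi, ethertype, gre_packet[8:]


class ChildSaTable:
    """Per-UE mapping of (PDU session id, QFI) to an IPsec child SA, identified by SPI."""

    def __init__(self) -> None:
        self._by_flow: Dict[Tuple[int, int], int] = {}
        self._default: Dict[int, int] = {}

    def add_child_sa(self, spi: int, psi: int, qfis: Iterable[int],
                     default: bool = False) -> None:
        for qfi in qfis:
            if (psi, qfi) in self._by_flow:
                raise ValueError(f"QFI {qfi} of PDU session {psi} already mapped")
            self._by_flow[(psi, qfi)] = spi
        if default:
            if psi in self._default:
                raise ValueError(f"PDU session {psi} already has a default child SA")
            self._default[psi] = spi

    def select(self, psi: int, qfi: int) -> int:
        """Child SA for a packet; a QFI without a dedicated SA uses the session default."""
        spi = self._by_flow.get((psi, qfi), self._default.get(psi))
        if spi is None:
            raise LookupError(f"no child SA for PDU session {psi}, QFI {qfi}")
        return spi


def uplink_send(table: ChildSaTable, psi: int, qfi: int,
                user_packet: bytes) -> Tuple[int, bytes]:
    """UE uplink path: pick the child SA for (PDU session, QFI), then GRE-encapsulate."""
    return table.select(psi, qfi), gre_encap(user_packet, qfi)


def plan_child_sas(qos_profiles: Dict[int, str]) -> List[Tuple[str, Tuple[int, ...], bool]]:
    """N3IWF/TNGF side: how many child SAs to create for a PDU session and which
    QFIs each carries. Policy (assumption): one SA per distinct QoS profile,
    the first profile's SA is also the default SA of the session."""
    groups: Dict[str, List[int]] = {}
    for qfi, profile in sorted(qos_profiles.items()):
        groups.setdefault(profile, []).append(qfi)
    return [(profile, tuple(qfis), i == 0)
            for i, (profile, qfis) in enumerate(groups.items())]
```

gre_decap refuses any header whose flags differ from "Key Present only": a packet without a Key field has no QFI to map, and silently treating it as the default flow would let a peer bypass the per-flow mapping.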
If the UE is provided with maximum flow bit rate (MFBR) for UL for a QFI as specified in TS 24.501, the UE should send user data packets associated with the QFI with a bitrate lower than or equal to the maximum flow bit rate (MFBR) for UL.
For a trusted non-3GPP access network, the communication between the UE and the 5GCN is trusted to be secure. A trusted non-3GPP access network is connected to the 5GCN via a trusted non-3GPP gateway function (TNGF) as specified in TS 23.501. The TNGF interfaces with the 5GCN CP function via the N2 interface to the AMF and with the 5GCN UP functions via the N3 interface to the UPF, as described in TS 23.501.
For a trusted non-3GPP access network, the UE establishes secure connection to the 5GCN over trusted non-3GPP access to the TNGF. The UE uses 3GPP-based authentication for connecting to a non-3GPP access and establishes an IPsec Security Association (SA) with the TNGF in order to register to the 5GCN by using the registration procedure as specified in TS 24.501. After the registration, the UE supports NAS signalling with the 5GCN using the N1 reference point as specified in TS 24.501.
The list of "forbidden PLMNs for non-3GPP access to 5GCN" contains the VPLMNs whose 5GCN the UE is forbidden to access via non-3GPP access.
The HPLMN (if the equivalent HPLMN list is not present or is empty) or an equivalent HPLMN (if the equivalent HPLMN list is present) shall not be stored on the list of "forbidden PLMNs for non-3GPP access to 5GCN".
3GPP TS 24.501 specifies when a VPLMN is added to the list of "forbidden PLMNs for non-3GPP access to 5GCN".
If the UE is configured to use timer T3245 (see TS 24.368 or TS 31.102) and adds a PLMN identity to the list of "forbidden PLMNs for non-3GPP access to 5GCN" while timer T3245 (see TS 24.008) is not running, the UE shall start timer T3245 as specified in clause 4.1.1.6 of TS 24.008.
If the list of "forbidden PLMNs for non-3GPP access to 5GCN" is stored in a non-volatile memory in the ME together with the SUPI from the USIM, this list can only be used if the SUPI from the USIM matches the SUPI stored in the non-volatile memory; else the UE shall delete this list.
A UE that is:
registering for emergency services; or
registered for emergency services;
may access PLMNs in the list of "forbidden PLMNs for non-3GPP access to 5GCN". The UE shall not remove any entry from the list of "forbidden PLMNs for non-3GPP access to 5GCN" as a result of such accesses.
A VPLMN is removed from the list of "forbidden PLMNs for non-3GPP access to 5GCN" if:
there is a successful registration as specified in TS 24.501 over a non-3GPP access after a manual selection of the VPLMN for non-3GPP access connected to 5GCN;
the UE is not configured to use timer T3245, and the value of the PLMN-specific attempt counter for non-3GPP access for the PLMN has a value greater than zero and less than the UE implementation-specific maximum value as defined in clause 5.3.20 in TS 24.501 and T3247 expires;
upon expiry of the timer T3245 if the UE is configured to use timer T3245; or
the UE is not configured to use timer T3245, and the value of the PLMN-specific attempt counter for non-3GPP access for the PLMN has a value greater than zero and less than the UE implementation-specific maximum value as defined in clause 5.3.20 in TS 24.501 when the MS is switched off or the UICC containing the USIM is removed.
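The following is an added example, not text or code from TS 24.501 or TS 24.502: a UE-side model of the list of "forbidden PLMNs for non-3GPP access to 5GCN" as the clauses above describe it, covering the HPLMN/EHPLMN exclusion, the SUPI binding of a copy stored in non-volatile memory, the T3245 start rule, the emergency exception and the four removal conditions. The timer and counter machinery is reduced to values passed in by the caller; the attempt-counter maximum, the assumption that each addition corresponds to one counted attempt, the class and method names, and the PLMN identities used in the test are all constructed for illustration.

```python
"""Added example (editor's code, not 3GPP text): handling of the list of
"forbidden PLMNs for non-3GPP access to 5GCN" on the UE. Timer/counter
mechanics are simplified; ATTEMPT_COUNTER_MAX and the one-attempt-per-add
rule are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Set

ATTEMPT_COUNTER_MAX = 10   # UE implementation-specific maximum (constructed value)


@dataclass
class ForbiddenPlmnsNon3gpp:
    hplmn: str
    ehplmn_list: Set[str] = field(default_factory=set)
    use_t3245: bool = False                        # configured per TS 24.368 / TS 31.102
    plmns: Set[str] = field(default_factory=set)   # the list itself
    attempt_counter: Dict[str, int] = field(default_factory=dict)  # per-PLMN, non-3GPP

    def _home_plmns(self) -> Set[str]:
        """EHPLMN list takes precedence over the HPLMN when present and non-empty."""
        return set(self.ehplmn_list) if self.ehplmn_list else {self.hplmn}

    def load_from_nvm(self, stored: Set[str], stored_supi: str, usim_supi: str) -> None:
        """A stored copy is usable only if its SUPI matches the SUPI from the USIM."""
        self.plmns = set(stored) if stored_supi == usim_supi else set()

    def add(self, plmn: str, t3245_running: bool) -> bool:
        """Add a VPLMN after a counted attempt; returns True if T3245 must be started."""
        if plmn in self._home_plmns():
            return False            # HPLMN / EHPLMN is never stored on this list
        self.plmns.add(plmn)
        self.attempt_counter[plmn] = self.attempt_counter.get(plmn, 0) + 1
        return self.use_t3245 and not t3245_running

    def may_register(self, plmn: str, emergency: bool = False) -> bool:
        """Emergency registration may use a forbidden PLMN; the entry is kept."""
        return emergency or plmn not in self.plmns

    def on_manual_selection_registered(self, plmn: str) -> None:
        """Successful registration after manual selection of the VPLMN over non-3GPP."""
        self.plmns.discard(plmn)

    def on_t3245_expiry(self) -> None:
        if self.use_t3245:
            self.plmns.clear()

    def on_t3247_expiry(self) -> None:
        self._remove_by_counter()

    def on_switch_off_or_usim_removed(self) -> None:
        self._remove_by_counter()

    def _remove_by_counter(self) -> None:
        """Without T3245: drop PLMNs whose attempt counter is strictly between 0 and max."""
        if self.use_t3245:
            return
        for plmn in list(self.plmns):
            if 0 < self.attempt_counter.get(plmn, 0) < ATTEMPT_COUNTER_MAX:
                self.plmns.discard(plmn)
```

The SUPI check in load_from_nvm is the one a practitioner most often forgets: a list written by one USIM must not constrain another, so a mismatch discards the stored copy rather than merging it.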