Content for TS 24.502 Word version: 19.0.0

1… 4… 5… 5.3B… 6… 7… 7.2.5… 7.3… 7.3A… 7.4… 7.6… 7.9… 7.10… 8… 9… 9.3… 9.3.2… 9.3.2.2.3… 9.3.3…

7.1 General 7.2 N3AN node selection procedure 7.2.1 General 7.2.2 N3AN node configuration information 7.2.3 Determination of the country the UE is located in 7.2.4 N3AN node selection for non-emergency services 7.2.4.1 General 7.2.4.2 Determine if the visited country mandates the selection of N3IWF in this country 7.2.4.3 UE procedure when the UE only supports connectivity with N3IWF 7.2.4.4 UE procedure when the UE supports connectivity with N3IWF and ePDG 7.2.4.4.1 General 7.2.4.4.2 N3AN node selection for IMS service 7.2.4.4.3 N3AN node selection for Non-IMS service
...

7 Security association management procedures p. 33

7.1 General p. 33

The purpose of the security association management procedures is to define the procedures for establishment or disconnection of end-to-end security association between the UE and the N3IWF (for untrusted non-3GPP access) or the UE and the TNGF (for trusted non-3GPP access) via an IKEv2 protocol exchange specified in RFC 7296. The IKE SA and child signalling IPsec SA establishment procedure is always initiated by the UE, whereas the child user plane IPsec SA creation procedures shall be initiated by the N3IWF or the TNGF as specified in TS 23.502.

For untrusted non-3GPP access, the UE selects an N3IWF according to the procedure in clause 7.2. Once the N3IWF has been selected, the security associations are established and managed according to the procedures in clause 7.3 to clause 7.11.

For trusted non-3GPP access, the UE selects a WLAN according to the procedure in clause 5.3. Once the WLAN has been selected, the security associations are established and managed according to the procedures in clause 7.3 to clause 7.11.

If a non-3GPP access network does not support transport of IP fragments, the maximum size of an IKEv2 message including the IP header is equal to the path MTU between the UE and N3IWF or TNGF.

EXAMPLE:

If a non-3GPP access network is an IPv6 only network which does not support transport of IP fragments and the path MTU between the UE and the N3IWF is 1280 octets then the maximum size of an IKEv2 message including IP header is 1280 octets.

7.2 N3AN node selection procedure p. 34

7.2.1 General p. 34

The UE performs N3AN node selection procedure based on:

the N3AN node configuration information provisioned to the UE by the HPLMN, based on the UE's knowledge of the country the UE is located in and the PLMN the UE is registered to via 3GPP access and based on the list of "forbidden PLMNs for non-3GPP access to 5GCN"; or
the N3IWF identifier information provided to the UE in the REGISTRATION REJECT message, if any, when the UE has indicated its support for slice-based N3IWF selection to the AMF as specified in TS 24.501.

Clauses 7.2.1, 7.2.2, 7.2.3, 7.2.4 and 7.2.6 are applicable to a UE selecting an N3AN node in a PLMN. For a UE accessing PLMN services via an SNPN, restrictions on N3IWF FQDN are specified in clause 4.3.2. As part of N3AN node selection, the UE also selects an PLMN for non-3GPP access.

Clause 7.2.5 is applicable to a UE selecting an N3AN node in an SNPN. As part of N3AN node selection, the UE also selects an SNPN for non-3GPP access.

Clause 7.2.7 is applicable to a UE selecting an N3AN node for case b) above.

Clause 7.2.8 is applicable to a UE selecting an N3IWF for onboarding SNPN.

7.2.2 N3AN node configuration information p. 34

The N3AN node configuration information is provisioned to the UE either by the H-PCF, V-PCF or via implementation specific means. The UE shall apply the N3AN node configuration information provisioned via implementation specific means only if the N3AN node configuration information provisioned by the H-PCF is not present in the UE.

The N3AN node configuration information shall consist of the following:

optionally, home N3IWF identifier configuration;
optionally, home ePDG identifier configuration;
optionally, extended home N3IWF identifier configuration; and
optionally, slice-specific N3IWF prefix configuration.

The N3AN node selection information consists of N3AN node selection information entries. Each N3AN node selection information entry contains a PLMN ID and information for the PLMN ID. The N3AN node selection information contains at least an N3AN node selection information entry with information for the HPLMN and an N3AN node selection information entry for "any_PLMN".

The extended home N3IWF identifier configuration contains one or more tuples of a FQDN/IP address of the N3IWF in the HPLMN and S-NSSAIs supported by this N3IWF and subscribed by the UE.

The Slice-specific N3IWF prefix configuration consists of Slice-specific N3IWF prefix entries. Each Slice-specific N3IWF prefix entry contains a slice-specific N3IWF prefix and an S-NSSAI list. Slice-specific N3IWF prefix configuration is valid only in the PLMN that provisioned it.

The N3AN node configuration information provisioned by the H-PCF or the V-PCF is as specified in TS 24.501 Annex D and TS 24.526.

The UE shall support the implementation of standard DNS mechanisms in order to retrieve the IP address(es) of the N3IWF or ePDG. The input to the DNS query is an N3IWF FQDN or ePDG FQDN as specified in TS 23.003.

7.2.3 Determination of the country the UE is located in p. 35

If the UE cannot determine whether it is located in the home country or in a visited country, as required by the N3AN node selection procedure, the UE shall stop the N3AN node selection. Once the UE determines the country the UE is located in, the UE shall proceed with N3AN node selection as specified in clause 7.2.4 for non-emergency services and as specified in clause 7.2.6 for emergency services.

7.2.4 N3AN node selection for non-emergency services p. 35

7.2.4.1 General p. 35

When the UE supports connectivity with N3IWF but does not support connectivity with ePDG, the UE shall perform the procedure in clause 7.2.4.3 for selecting an N3IWF.

When the UE supports connectivity with N3IWF and ePDG, the UE shall perform the procedure in clause 7.2.4.4 for selecting either an N3IWF or an ePDG.

7.2.4.2 Determine if the visited country mandates the selection of N3IWF in this country p. 35

In order to determine if the visited country mandates the selection of N3IWF in this country, the UE shall perform the DNS NAPTR query using Visited Country FQDN as specified in TS 23.003 via the non-3GPP access network.

If the result of this query is:

a set of one or more records containing the service instance names of the form "n3iwf.5gc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org", the UE shall determine that the visited country mandates the selection of the N3IWF in this country; and

NOTE:
The (<MCC>, <MNC>) pair in each record represents PLMN Id (see TS 23.003) in the visited country which can be used for N3IWF selection in clause 7.2.4.3 and clause 7.2.4.4.
no records containing the service instance names of the form "n3iwf.5gc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org", the UE shall determine that the visited country does not mandate the selection of the N3IWF in this country.

7.2.4.3 UE procedure when the UE only supports connectivity with N3IWF p. 36

If the UE only supports connectivity with N3IWF and does not support connectivity with ePDG, the UE shall ignore the following ePDG related configuration parameters if available in the N3AN node configuration information when selecting an N3IWF:

the home ePDG identifier configuration; and
the preference parameter in each N3AN node selection information entry in the N3AN node selection information.

The UE shall proceed as follows:

if the UE is located in its home country:
1. if the N3AN node configuration information is provisioned:
  1. if the extended home N3IWF identifier configuration is provisioned in the N3AN node configuration information, the UE shall use the IP address or the FQDN from the extended home N3IWF identifier entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access;
  2. if the extended home N3IWF identifier configuration is not provisioned in the N3AN node configuration information and the Slice-specific N3IWF prefix configuration is provisioned, the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry for the HPLMN whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information; and
  3. if neither the extended home N3IWF identifier configuration nor the Slice-specific N3IWF prefix configuration is provisioned in the N3AN node configuration information and:
    1. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF. The UE shall consider that the HPLMN is selected;
    2. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as the N3IWF FQDN. The UE shall consider that the HPLMN is selected; and
    3. if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the HPLMN stored on the USIM as specified in TS 23.003. The UE shall consider that the HPLMN is selected; and
2. if the N3AN node configuration information is not provisioned on the UE, the UE shall construct the N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN stored on the USIM. The UE shall consider that the HPLMN is selected;
and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address. If the DNS response contains no records and the UE used an FQDN determined by following step a)-1)-i), the UE shall follow the procedure in bullet a)-1)-ii) assuming that the extended home N3IWF identifier configuration is not provisioned. If the DNS response contains no records and the UE used an FQDN determined by following step a)-1)-ii), the UE shall follow the procedure in bullet a)-1)-iii) assuming that neither the extended home N3IWF identifier configuration nor the Slice-specific N3IWF prefix configuration is provisioned; and
if the UE is not located in its home country:
1. if the Slice-specific N3IWF prefix configuration is provisioned for the VPLMN, the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", and at least one Slice-specific N3IWF prefix entry is available in the Slice-specific N3IWF prefix configuration, the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access in the VPLMN. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information;
2. if the Slice-specific N3IWF prefix configuration is not provisioned for the VPLMN and the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", and an N3AN node selection information entry for the VPLMN is available in the N3AN node selection information of the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the VPLMN as specified in TS 23.003.The UE shall consider that the VPLMN is selected;
  and for the above cases, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
3. if one of the following is true:
  - the UE is not registered to a PLMN via 3GPP access and the UE uses WLAN;
  - neither the N3AN node configuration information nor the Slice-specific N3IWF prefix configuration are provisioned; or
  - the N3AN node configuration information or the Slice-specific N3IWF prefix configuration is provisioned, the UE is registered to a VPLMN via 3GPP access and:
    1. the PLMN ID of VPLMN is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN"; or
    2. the N3AN node selection information entry for the VPLMN is not present in the N3AN node selection information or the Slice-specific N3IWF prefix configuration for the VPLMN is not present;
  the UE shall perform a DNS query (see TS 23.003) as specified in clause 7.2.4.2 to determine if the visited country mandates the selection of N3IWF in this country and:
  1. if selection of N3IWF in visited country is mandatory:
    1. if the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is included in one of the returned DNS records and is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the VPLMN in 3GPP access as described in TS 23.003.The UE shall consider that the VPLMN in 3GPP access is selected; and
    2. if the UE is not registered to a PLMN via 3GPP access or the UE is registered to a VPLMN via 3GPP access and the PLMN ID of VPLMN is not included in any of the returned DNS records or is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN":
      - if the UE has Slice-specific N3IWF prefix configuration for one or more PLMNs included in the DNS response excluding any VPLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the selected VPLMN's N3AN node selection information entry in the N3AN node selection information;
      - if the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned, the UE shall select a PLMN included in the DNS response that has highest PLMN priority (see TS 24.526) in the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in TS 23.003; and
      - if a) neither the Slice-specific N3IWF prefix configuration nor the N3AN node configuration information are provisioned or b) neither the Slice-specific N3IWF prefix configuration nor the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contain any of the PLMNs in the DNS response, then the selection of a PLMN of the visited country is UE implementation specific. If the UE does not select a PLMN, the UE shall terminate the N3AN node selection procedure. If the UE selects a PLMN, the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the selected PLMN as described in TS 23.003;
    and for the above cases, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address;
  2. if the DNS response contains no records and the UE used Prefixed N3IWF FQDN in the DNS query, the UE shall repeat the DNS query using the same FQDN without the prefix label;
  3. if the DNS response contains no records and the UE did not use the Prefixed N3IWF FQDN in the DNS query, the UE shall further determine if the visited country mandates the selection of ePDG in the visited country using the procedure specified in clause 7.2.1.4 of TS 24.302.
    If the UE determines that the visited country mandates the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is mandatory and shall terminate the N3AN node selection procedure.
    If the UE determines that the visited country does not mandate the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is not mandatory, then the UE shall proceed as below:
    1. if the UE has Slice-specific N3IWF prefix configuration the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the selected VPLMN's N3AN node selection information entry in the N3AN node selection information;
    2. if the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information contains one or more PLMNs in the visited country which are not in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall select a PLMN that has highest PLMN priority (see TS 24.526) in the N3AN node selection information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information as specified in TS 23.003 using the PLMN ID of the selected PLMN; and
    3. if a) neither the Slice-specific N3IWF prefix configuration nor the N3AN node configuration information is provisioned or b) the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contains no PLMNs in the visited country:
      - if the extended home N3IWF identifier configuration is provisioned in the N3AN node configuration information, the UE shall use the IP address or the FQDN from the extended home N3IWF identifier entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access; and
      - if the extended home N3IWF identifier configuration is not provisioned in the N3AN node configuration information and:
      - if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF. The UE shall consider that the HPLMN is selected;
      - if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as the N3IWF FQDN. The UE shall consider that the HPLMN is selected; and
      - if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN as described in TS 23.003. The UE shall consider that the HPLMN is selected;
      and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
  4. if no DNS response is received, the UE shall terminate the N3AN node selection procedure.

Following bullet a) and b) above, once the UE selected the IP address of the N3IWF, the UE shall initiate the IKEv2 SA establishment procedure as specified in clause 7.3.

If the IKEv2 SA establishment procedure towards an N3IWF in the HPLMN fails due to no response to an IKE_SA_INIT request message, and the selection of N3IWF in the HPLMN is performed using Extended home N3IWF identifier configuration or Home identifier configuration and there are more pre-configured N3IWFs in the HPLMN, the UE shall repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the N3IWF in the HPLMN.

If the IKEv2 SA establishment procedure towards to any of the received IP addresses of the selected N3IWF fails due to no response to an IKE_SA_INIT request message, then the UE shall repeat the N3IWF selection as described in this clause, excluding the N3IWFs for which the UE did not receive a response to the IKE_SA_INIT request message.

If the UE constructed an N3IWF FQDN based on FQDN format of the VPLMN's N3AN node selection information entry (see item b).1)), and the IKEv2 SA establishment procedure towards to each of the received IP addresses of the selected N3IWF failed due to no response to an IKE_SA_INIT request message, the UE considers Slice-specific N3IWF prefix entry and the N3AN node selection information entry for the VPLMN as not present and the UE shall repeat the N3IWF selection as described in this clause.

7.2.4.4 UE procedure when the UE supports connectivity with N3IWF and ePDG p. 39

7.2.4.4.1 General p. 39

If the UE can support connectivity with N3IWF and with ePDG, the UE shall:

if the N3AN node selection is required for an IMS service, follow steps specified in clause 7.2.4.4.2 for N3AN node selection; and
if the N3AN node selection is required for a non-IMS service, follow steps specified in clause 7.2.4.4.3 for N3AN node selection.

7.2.4.4.2 N3AN node selection for IMS service p. 39

If the N3AN node selection is required for an IMS service, the UE shall use the preference parameter in the N3AN node selection information entries of the N3AN node selection information to determine whether selection of N3IWF or ePDG is preferred in a given PLMN.

The UE shall proceed as follows:

if the UE is located in its home country:
1. if the N3AN node configuration information is provisioned:
  1. if the preference parameter in the HPLMN's N3AN node selection information entry of the N3AN node selection information indicates that N3IWF is preferred:
    1. if the extended home N3IWF identifier configuration is provisioned in the N3AN node configuration information, the UE shall use the IP address or the FQDN from the extended home N3IWF identifier entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access;
    2. if the extended home N3IWF identifier configuration is not provisioned in the N3AN node configuration information and the Slice-specific N3IWF prefix configuration is provisioned, the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry for the HPLMN whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration proceure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information; and
      
      NOTE 1:
      In this sub-clause, the Requested S-NSSAI(s) include the S-NSSAI corresponding to the IMS service.
    3. if neither the extended home N3IWF identifier configuration nor the Slice-specific N3IWF prefix configuration is provisioned in the N3AN node configuration information and:
      1. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF. The UE shall consider that the HPLMN is selected;
      2. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as the N3IWF FQDN. The UE shall consider that the HPLMN is selected; and
      3. if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the HPLMN stored on the USIM as specified in clause 28 of TS 23.003. The UE shall consider that the HPLMN is selected; and
  2. if the preference parameter in the HPLMN's N3AN node selection information entry of the N3AN node selection information indicates that ePDG is preferred:
    1. if the home ePDG identifier configuration is provisioned in the N3AN node configuration information and contains an IP address, the UE shall use the IP address of the home ePDG identifier configuration as the IP address of the ePDG;
    2. if the home ePDG identifier configuration is provisioned in the N3AN node configuration information and does not contains an IP address, the UE shall use the FQDN of the home ePDG identifier configuration as the ePDG FQDN; and
    3. if the home ePDG identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an ePDG FQDN based on the FQDN format of HPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the HPLMN stored on the USIM as specified in clause 19 of TS 23.003; and
2. if the N3AN node configuration information is not provisioned on the UE, the UE shall construct the N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN stored on the USIM. The UE shall consider that the HPLMN is selected;
and for the above cases constructing or using an N3IWF FQDN or ePDG FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN or ePDG FQDN to the IP address(es) of the N3IWF(s) or ePDG(s). The UE shall select as the IP address of the N3IWF or of the ePDG a resolved IP address of an N3IWF or an ePDG with the same IP version as its local IP address. If the DNS response contains no records and the UE used an FQDN determined by following step a)-1)-i)-I), the UE shall follow the procedure in bullet a)-1)-i)-II) assuming that the extended home N3IWF identifier configuration is not provisioned. If the DNS response contains no records and the UE used an FQDN determined by following step a)-1)-i)-II), the UE shall follow the procedure in bullet a)-1)-i)-III) assuming that neither the extended home N3IWF identifier configuration nor the Slice-specific N3IWF prefix configuration is provisioned; and
if the UE is not located in its home country:
1. if the Slice-specific N3IWF prefix configuration is provisioned for the VPLMN, the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", and at least one Slice-specific N3IWF prefix entry is available in the Slice-specific N3IWF prefix configuration, the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration proceure over the untrusted non-3GPP access in the VPLMN. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information;
2. if the Slice-specific N3IWF prefix configuration is not provisioned for the VPLMN and the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access and the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN":
  1. if an N3AN node selection information entry for the VPLMN is available in the N3AN node selection information of the N3AN node configuration information:
    1. if the preference parameter in the VPLMN's N3AN node selection information entry of the N3AN node configuration information indicates that N3IWF is preferred, the UE shall construct an N3IWF FQDN based on the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the VPLMN as specified in clause 28 of TS 23.003. The UE shall consider that the VPLMN is selected; and
    2. if the preference parameter in the VPLMN's N3AN node selection information entry of the N3AN node configuration information indicates that ePDG is preferred, the UE shall construct an ePDG FQDN based on the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the VPLMN as specified in clause 19 of TS 23.003. The UE shall consider that the VPLMN is selected;
      and for above case, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN or ePDG FQDN to the IP address(es) of the N3IWF(s) or ePDG(s). The UE shall select as the IP address of the N3IWF or the ePDG a resolved IP address of an N3IWF or ePDG with the same IP version as its local IP address; and
3. if one of the following is true:
  - the UE is not registered to a PLMN via 3GPP access and the UE uses WLAN;
  - neither the N3AN node configuration information nor the Slice-specific N3IWF prefix configuration is provisioned; or
  - the N3AN node configuration information or the Slice-specific N3IWF prefix configuration is provisioned, the UE is registered to a VPLMN via 3GPP access and:
    1. the PLMN ID of VPLMN is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN"; or
    2. the N3AN node selection information entry for the VPLMN is not present in the N3AN node selection information or the Slice-specific N3IWF prefix configuration for the VPLMN is not present;
  the UE shall perform a DNS query (see TS 23.003) as specified in clause 7.2.4.2 to determine if the visited country mandates the selection of N3IWF in this country and:
  1. if selection of N3IWF in the visited country is mandatory:
    1. if the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is included in one of the returned DNS records and is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the VPLMN as described in clause 28 of TS 23.003.The UE shall consider that the VPLMN is selected; and
    2. if the UE is not registered to a PLMN via 3GPP access, or the UE is registered to a VPLMN via 3GPP access and the PLMN ID of VPLMN is not included in any of the returned DNS records or is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN":
      - if the UE has Slice-specific N3IWF prefix configuration for one or more PLMNs included in the DNS response excluding any VPLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration proceure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the selected VPLMN's N3AN node selection information entry in the N3AN node selection information;
      - if the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned, the UE shall select an a PLMN included in the DNS response that has highest PLMN priority (see TS 24.526) in the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified clause 28 of TS 23.003; and
      - if a) neither the Slice-specific N3IWF prefix configuration nor the N3AN node configuration information is provisioned or b) neither the Slice-specific N3IWF prefix configuration nor the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contains any of the PLMNs in the DNS response, then the selection of the PLMN is UE implementation specific. The UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the selected PLMN as described clause 28 of TS 23.003;
    and for the above cases, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address;
  2. if the DNS response contains no records and the UE used Prefixed N3IWF FQDN in the DNS query, the UE shall repeat the DNS query using the same FQDN without the prefix label;
  3. if the DNS response contains no records and the UE did not use the Prefixed N3IWF FQDN in the DNS query, the UE shall further determine if the visited country mandates the selection of ePDG in the visited country using the procedure specified in clause 7.2.1.4 of TS 24.302.
    If the UE determines that the visited country mandates the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is mandatory and shall continue the ePDG selection procedure in the visited country, specified in clause 7.2.1.3 of TS 24.302.
    If the UE determines that the visited country does not mandate the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is not mandatory and the UE shall proceed as below:
    1. if the UE has Slice-specific N3IWF prefix configuration the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the selected VPLMN's N3AN node selection information entry in the N3AN node selection information;
    2. if the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information contains one or more PLMNs in the visited country which are not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall select a PLMN that has highest PLMN priority (see TS 24.526) in the N3AN node selection information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in clause 28 of TS 23.003; and
    3. if a) neither the Slice-specific N3IWF prefix configuration nor the N3AN node configuration information is provisioned or b) the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contains no PLMN in the visited country:
      - if the extended home N3IWF identifier configuration is provisioned in the N3AN node configuration information, the UE shall use the IP address or the FQDN from the extended home N3IWF identifier entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration proceure over the untrusted non-3GPP access; and
      - if the extended home N3IWF identifier configuration is not provisioned in the N3AN node configuration information and:
        
        if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF. The UE shall consider that the HPLMN is selected;
        
        if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and does not contains an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as N3IWF FQDN.The UE shall consider that the HPLMN is selected; and
        
        if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN as described in clause 28 of TS 23.003. The UE shall consider that the HPLMN is selected;
    and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
  4. if no DNS response is received, the UE shall terminate the N3AN node selection procedure.

Following bullet a) and b) above, once the UE selected the IP address of the N3IWF or the ePDG:

if the IP address of N3IWF is selected, the UE shall:
1. initiate the IKEv2 SA establishment procedure as specified in clause 7.3;
2. if the IKEv2 SA establishment procedure towards an N3IWF in the HPLMN fails due to no response to an IKE_SA_INIT request message or the UE is informed during registration over non-3GPP access that the IMS voice over PS session is not supported over non-3GPP access, and the selection of N3IWF in the HPLMN is performed using Extended home N3IWF identifier configuration or Home identifier configuration and there are more pre-configured N3IWFs in the HPLMN, repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the N3IWF in the HPLMN. The UE shall consider that the HPLMN is selected;
3. if the IKEv2 SA establishment procedure towards any of the received IP addresses of the selected N3IWF fails due to no response to an IKE_SA_INIT request message or the UE is informed during registration over non-3GPP access that the IMS voice over PS session is not supported over non-3GPP access, attempt to select an ePDG in the same PLMN as specified in TS 24.302 instead;
4. if the UE fails to connect to either N3IWF or ePDG in the same PLMN, repeat the N3AN node selection as described in this clause, excluding the N3IWFs for which the UE did not receive a response to the IKE_SA_INIT request message; and
5. if the UE fails to connect to either N3IWF or ePDG in the VPLMN with which it is registered via 3GPP access, the UE considers the Slice-specific N3IWF prefix entry and the N3AN node selection information entry for the VPLMN as not present and the UE shall repeat the N3IWF selection as described in this clause;
NOTE 2:
The time the UE waits before reattempting access to another N3IWF or to an N3IWF that it previously did not receive a response to an IKE_SA_INIT request message, is implementation specific.
if the IP address of ePDG is selected, the UE shall:
1. initiate tunnel establishment as specified in TS 24.302;
2. if tunnel establishment as specified in TS 24.302 towards an ePDG in the HPLMN fails due to no response to an IKE_SA_INIT request message, and the selection of ePDG in the HPLMN is performed using home ePDG identifier configuration and there are more pre-configured ePDG in the HPLMN, repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the ePDG in the HPLMN;
3. if tunnel establishment as specified in TS 24.302 towards any of the received IP addresses of the selected ePDG fails due to no response to an IKE_SA_INIT request message, attempt to select an N3IWF in the same PLMN instead. The UE shall consider the PLMN where N3IWF is, as selected;
4. if the UE fails to connect to either ePDG or N3IWF in the same PLMN, repeat the N3AN node selection as described in this clause, excluding the ePDGs for which the UE did not receive a response to the IKE_SA_INIT request message; and
5. if the UE fails to connect to either ePDG or N3IWF in the VPLMN with which it is registered via 3GPP access, the UE considers the N3AN node selection information entry for the VPLMN as not present in the N3AN node selection information and the UE shall repeat the N3IWF selection as described in this clause.
NOTE 3:
The time the UE waits before reattempting access to another ePDG or to an ePDG that it previously did not receive a response to an IKE_SA_INIT request message, is implementation specific.

7.2.4.4.3 N3AN node selection for Non-IMS service p. 44

If the N3AN node selection is required for a non-IMS service, the UE shall ignore the preference parameter in the N3AN node selection information entries of the N3AN node selection information.

The UE shall proceed as follows:

if the UE is located in its home country:
1. if the N3AN node configuration information is provisioned:
  1. if the extended home N3IWF identifier configuration is provisioned in the N3AN node configuration information, the UE shall use the IP address or the FQDN from the extended home N3IWF identifier entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access;
  2. if the extended home N3IWF identifier configuration is not provisioned in the N3AN node configuration information and the Slice-specific N3IWF prefix configuration is provisioned, the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry for the HPLMN whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information; and
  3. if neither the extended home N3IWF identifier configuration nor the Slice-specific N3IWF prefix configuration is provisioned in the N3AN node configuration information and:
    1. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF. The UE shall consider that the HPLMN is selected;
    2. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as the N3IWF FQDN. The UE shall consider that the HPLMN is selected; and
    3. if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the HPLMN stored on the USIM as specified in clause 28 of TS 23.003. The UE shall consider that the HPLMN is selected; and
2. if the N3AN node configuration information is not provisioned, the UE shall construct the N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN stored on the USIM. The UE shall consider that the HPLMN is selected;
and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s) or ePDG(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address. If the DNS response contains no records and the UE used an FQDN determined by following step a)-1)-i), the UE shall follow the procedure in bullet a)-1)-ii) assuming that the extended home N3IWF identifier configuration is not provisioned. If the DNS response contains no records and the UE used an FQDN determined by following step a)-1)-ii), the UE shall follow the procedure in bullet a)-1)-iii) assuming that neither the extended home N3IWF identifier configuration nor the Slice-specific N3IWF prefix configuration is provisioned; and
if the UE is not located in its home country:
1. if the Slice-specific N3IWF prefix configuration is provisioned for the VPLMN, the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", and at least one Slice-specific N3IWF prefix entry is available in the Slice-specific N3IWF prefix configuration, the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access in the VPLMN. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information;
2. if the Slice-specific N3IWF prefix configuration is not provisioned for the VPLMN and the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", and an N3AN node selection information entry for the VPLMN is available in the N3AN node selection information of the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the VPLMN as specified in clause 28 of TS 23.003. The UE shall consider that the VPLMN is selected;
  and for above case, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
3. if one of the following is true:
  - the UE is not registered to a PLMN via 3GPP access and the UE uses WLAN;
  - neither the N3AN node configuration information nor the Slice-specific N3IWF prefix configuration is provisioned; or
  - the N3AN node configuration information or the Slice-specific N3IWF prefix configuration is provisioned, the UE is registered to a VPLMN via 3GPP access and:
    1. the PLMN ID of VPLMN is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN"; or
    2. the N3AN node selection information entry for the VPLMN is not present in the N3AN node selection information or the Slice-specific N3IWF prefix configuration for the VPLMN is not present;
  the UE shall perform a DNS query (see TS 23.003) as specified in clause 7.2.4.2 to determine if the visited country mandates the selection of N3IWF in this country and:
  1. if selection of N3IWF in the visited country is mandatory:
    1. if the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is included in one of the returned DNS records and is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the VPLMN as described in clause 28 of TS 23.003. The UE shall consider that the VPLMN is selected; and
    2. if the UE is not registered to a PLMN via 3GPP access or the UE is registered to a VPLMN via 3GPP access and the PLMN ID of VPLMN is not included in any of the returned DNS records or is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN":
      - if the UE has Slice-specific N3IWF prefix configuration for one or more PLMNs included in the DNS response excluding any VPLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration proceure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the selected VPLMN's N3AN node selection information entry in the N3AN node selection information;
      - if the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned, the UE shall select an a PLMN included in the DNS response that has highest PLMN priority (see TS 24.526) in the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in clause 28 of TS 23.003; and
      - if a) neither the Slice-specific N3IWF prefix configuration nor the N3AN node configuration information is provisioned or b) neither the Slice-specific N3IWF prefix configuration nor the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contains any of the PLMNs in the DNS response, then the selection of the PLMN is UE implementation specific. The UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the selected PLMN as described in clause 28 of TS 23.003;
    and for the above cases, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address;
  2. if the DNS response contains no records and the UE used Prefixed N3IWF FQDN in the DNS query, the UE shall repeat the DNS query using the same FQDN without the prefix label;
  3. if the DNS response contains no records and the UE did not use the Prefixed N3IWF FQDN in the DNS query, the UE shall further determine if the visited country mandates the selection of ePDG in the visited country using the procedure specified in clause 7.2.1.4 of TS 24.302.
    If the UE determines that the visited country mandates the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is mandatory and shall continue the ePDG selection procedure in the visited country, specified in clause 7.2.1.3 of TS 24.302.
    If the UE determines that the visited country does not mandate the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is not mandatory and the UE shall proceed as follows:
    1. if the UE has Slice-specific N3IWF prefix configuration the UE shall construct a Prefixed N3IWF FQDN (see TS 23.003) using the prefix of the Slice-specific N3IWF prefix entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration procedure over the untrusted non-3GPP access. The FQDN format (operator identifier or tracking area identity based) is determined from the FQDN format of the selected VPLMN's N3AN node selection information entry in the N3AN node selection information;
    2. if the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information contains one or more PLMNs in the visited country which are not in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall select a PLMN that has highest PLMN priority (see TS 24.526) in the N3AN node selection information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in clause 28 of TS 23.003; and
    3. if a) neither the Slice-specific N3IWF prefix configuration nor the N3AN node configuration information is provisioned or b) the Slice-specific N3IWF prefix configuration is not provisioned and the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contains no PLMN in the visited country:
      - if the extended home N3IWF identifier configuration is provisioned in the N3AN node configuration information, the UE shall use the IP address or the FQDN from the extended home N3IWF identifier entry whose S-NSSAI list has the best match with the Requested S-NSSAI(s) that the UE is going to use in the registration proceure over the untrusted non-3GPP access; and
      - if the extended home N3IWF identifier configuration is not provisioned in the N3AN node configuration information and:
        
        if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF.The UE shall consider that the HPLMN is selected;
        
        if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as N3IWF FQDN. The UE shall consider that the HPLMN is selected; and
        
        if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN as described in clause 28 of TS 23.003. The UE shall consider that the HPLMN is selected;
      and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
  4. if no DNS response is received, the UE shall terminate the N3AN node selection procedure.

Following bullet a) and b) above, once the UE selected the IP address of the N3IWF:

if the IP address of N3IWF is selected, the UE shall:
1. initiate the IKEv2 SA establishment procedure as specified in clause 7.3;
2. if the IKEv2 SA establishment procedure towards an N3IWF in the HPLMN fails due to no response to an IKE_SA_INIT request message, and the selection of N3IWF in the HPLMN is performed using Extended home N3IWF identifier configuration or Home identifier configuration and there are more pre-configured N3IWFs in the HPLMN, repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the N3IWF in the HPLMN;
3. if the IKEv2 SA establishment procedure towards any of the IP addresses of the N3IWF of the selected PLMN fails due to no response to an IKE_SA_INIT request message, repeat the N3AN node selection as described in this clause with N3IWF of another PLMN;
4. if the IKEv2 SA establishment procedure towards any of the received IP addresses of the N3IWF of any fails due to no response to an IKE_SA_INIT request message, attempt to select an ePDG as specified in TS 24.302 and use tunnel establishment as specified in TS 24.302; and
5. if the UE fails to connect to either N3IWF or ePDG in the VPLMN with which it is registered via 3GPP access, the UE considers the Slice-specific N3IWF prefix entry and the N3AN node selection information entry for the VPLMN as not present in the N3AN node selection information and the UE shall repeat the N3IWF selection as described in this clause;
NOTE 1:
The time the UE waits before reattempting access to another N3IWF or to an N3IWF that it previously did not receive a response to an IKE_SA_INIT request message, is implementation specific.
if the IP address of ePDG is selected, the UE shall:
1. initiate tunnel establishment as specified in TS 24.302;
2. if tunnel establishment as specified in TS 24.302 towards an ePDG in the HPLMN fails due to no response to an IKE_SA_INIT request message, and the selection of ePDG in the HPLMN is performed using home ePDG identifier configuration and there are more pre-configured ePDG in the HPLMN, repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the ePDG in the HPLMN;
3. if tunnel establishment as specified in TS 24.302 towards any of the received IP addresses of the selected ePDG fails due to no response to an IKE_SA_INIT request message, attempt to select an N3IWF in the same PLMN instead. The UE shall consider the PLMN where N3IWF is, as selected;
4. if the UE fails to connect to either ePDG or N3IWF in the same PLMN, repeat the N3AN node selection as described in this clause, excluding the ePDGs for which the UE did not receive a response to the IKE_SA_INIT request message; and
5. if the UE fails to connect to either ePDG or N3IWF in the VPLMN with which it is registered via 3GPP access, the UE considers the N3AN node selection information entry for the VPLMN as not present in the N3AN node selection information and the UE shall repeat the N3IWF selection as described in this clause.
NOTE 2:
The time the UE waits before reattempting access to another ePDG or to an ePDG that it previously did not receive a response to an IKE_SA_INIT request message, is implementation specific.