Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 23.003  Word version:  18.4.0

Top   Top   Up   Prev   Next
1…   2…   2.8…   3…   4…   5…   6…   7…   8…   9…   10…   11   12…   13…   14…   15…   16…   17…   18…   19…   19.4…   19.5…   20…   21…   22…   23…   24…   25…   26…   27…   28…   28.3.2.2…   28.3.2.2.6…   28.3.2.3…   28.4…   28.7…   28.8…   29…   A…   B…   C…   D   E…

 

19  Numbering, addressing and identification for the Evolved Packet Core (EPC) |R8|p. 74

19.1  Introductionp. 74

This clause describes the format of the parameters needed to access the Enhanced Packet Core (EPC). For further information on the use of the parameters see TS 23.401 and TS 23.402. For more information on the ".3gppnetwork.org" domain name and its applicability, see Annex D of the present document
Up

19.2  Home Network Realm/Domainp. 74

The home Network Realm/Domain shall be in the form of an Internet domain name, e.g. operator.com, as specified in RFC 1035 and RFC 1123. The home Network Realm/Domain consists of one or more labels. Each label shall consist of the alphabetic characters (A-Z and a-z), digits (0-9) and the hyphen (-) in accordance with RFC 1035. Each label shall begin and end with either an alphabetic character or a digit in accordance with RFC 1123. The case of alphabetic characters is not significant.
The Home Network Realm/Domain shall be in the form of "epc.­mnc<MNC>.­mcc<MCC>.­3gppnetwork.org", where "<MNC>" and "<MCC>" fields correspond to the MNC and MCC of the operator's PLMN. Both the "<MNC>" and "<MCC>" fields are 3 digits long. If the MNC of the PLMN is 2 digits, then a zero shall be added at the beginning.
For example, the Home Network Realm/Domain of an IMSI shall be derived as described in the following steps:
  1. take the first 5 or 6 digits, depending on whether a 2 or 3 digit MNC is used (see TS 31.102) and separate them into MCC and MNC; if the MNC is 2 digits then a zero shall be added at the beginning;
  2. use the MCC and MNC derived in step 1 to create the "mnc<MNC>.­mcc<MCC>.­3gppnetwork.­org" domain name;
  3. add the label "epc" to the beginning of the domain name.
An example of a Home Network Realm/Domain is:
  • IMSI in use: 234150999999999;
Where:
  • MCC = 234;
  • MNC = 15;
  • MSIN = 0999999999;
Which gives the Home Network Realm/Domain name: epc.mnc015.mcc234.3gppnetwork.org.
Up

19.3  3GPP access to non-3GPP access interworkingp. 75

19.3.1  Introductionp. 75

This clause describes the format of the UE identification needed to access the 3GPP EPC from both 3GPP and non-3GPP accesses.
The NAI is generated respectively by the S-GW at the S5/S8 reference point and by the UE for the S2a, S2b and S2c reference points.
The NAI shall be generated as follows:
  • based on the IMSI when the UE is performing a non-emergency Attach;
  • based on the IMEI when the UE is performing an emergency attach and IMSI is not available (see clause 19.3.6); or
  • based on the IMSI or the IMEI (depending on the interface and information element) when the UE is performing an emergency attach and IMSI is available in the UE, as follows:
    • a UE that has an IMSI shall construct an Emergency NAI based on IMSI (see clause 4.6.1 of TS 23.402 and clause 19.3.9 of this specification);
    • if the IMSI is not authenticated by the network, the network requests the IMEI from the UE and the network shall then construct a NAI based on the IMEI for identifying the user in the EPC (see TS 29.273).
For further information on the use of the parameters see the clauses below and TS 33.402 and TS 29.273.
Up

19.3.2  Root NAIp. 75

The Root NAI shall take the form of an NAI, and shall have the form username@realm as specified in Section 2.1 of RFC 4282.
When the username part is the IMSI, the realm part of Root NAI shall be built according to the following steps:
  1. Convert the leading digits of the IMSI, i.e. MNC and MCC, into a domain name, as described in clause 19.2.
  2. Prefix domain name with the label of "nai".
The resulting realm part of the Root NAI will be in the form:
  • "@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
When including the IMSI, the Root NAI is prepended with a specific leading digit when used for EAP authentication (see TS 29.273) in order to differentiate between EAP authentication method. The leading digit is:
  • "0" when used in EAP-AKA, as specified in RFC 4187
  • "6" when used in EAP-AKA', as specified in RFC 5448.
The resulting Root NAI will be in the form:
  • "0<IMSI>@nai.­epc.mnc<MNC>.­mcc<MCC>.­3gppnetwork.­org" when used for EAP AKA authentication
  • "6<IMSI>@nai.­epc.mnc<MNC>.­mcc<MCC>.­3gppnetwork.­org" when used for EAP AKA' authentication
For example, if the IMSI is 234150999999999 (MCC = 234, MNC = 15), the Root NAI takes the form 0234150999999999@­nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org for EAP AKA authentication and the Root NAI takes the form 6234150999999999@­nai.­epc.­mnc015.­mcc234.3gppnetwork.org for EAP AKA' authentication.
The NAI sent in the Mobile Node Identifier field in PMIPv6 shall not include the digit prepended in front of the IMSI based username that is described above.
Up

19.3.3  Decorated NAIp. 76

The Decorated NAI shall take the form of a NAI and shall have the form 'homerealm!username@otherrealm' or 'Visitedrealm!homerealm!username@otherrealm' as specified in Section 2.7 of RFC 4282.
The realm part of Decorated NAI consists of 'otherrealm', see the RFC 4282. 'Homerealm' is the realm as specified in clause 19.2, using the HPLMN ID ('homeMCC' + 'homeMNC)'. 'Visitedrealm' is the realm built using the VPLMN ID ('VisitedMCC' + 'VisitedMNC)', 'Otherrealm' is:
  • the realm built using the PLMN ID (visitedMCC + visited MNC) if the service provider selected as a result of the service provider selection (see TS 24.302) has a PLMN ID; or
  • a domain name of a service provider if the selected service provider does not have a PLMN ID (TS 24.302).
When the username part of Decorated NAI includes the IMSI and the service provider has a PLMN ID, the Decorated NAI shall be built following the same steps as specified for Root NAI in clause 19.3.2.
The result will be a decorated NAI of the form:
  • nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org !0<IMSI>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org for EAP AKA authentication.
    or
  • nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org !6<IMSI>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org for EAP AKA' authentication.
For example, if the service provider has a PLMN ID and the IMSI is 234150999999999 (MCC = 234, MNC = 15) and the PLMN ID of the Selected PLMN is MCC = 610, MNC = 71, then the Decorated NAI takes the form either as:
  • nai.epc.mnc015.­mcc234.­3gppnetwork.­org!­0234150999999999@nai.­epc.­mnc071.­mcc610.­3gppnetwork.­org for EAP AKA authentication
  • or
  • nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org!­6234150999999999@­nai.­epc.­mnc071.­mcc610.­3gppnetwork.­org for EAP AKA' authentication.
For example, if the domain name of a service provider is 'realm.org' and IMSI-based permanent username is used, then the Decorated NAI takes the form either as:
  • nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org !0<IMSI>@realm.org for EAP AKA authentication
    or
  • nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org !6<IMSI>@realm.org for EAP AKA' authentication.
If the UE has selected a WLAN that directly interworks with a service provider in the Equivalent Visited Service Providers (EVSP) list provided by the RPLMN, see clause 4.8.2b of TS 23.402, then the decorated NAI is constructed to include the realm of this service provider and the realm of RPLMN. If the domain name of a service provider is 'realm.org' and IMSI-based permanent username is used, then the Decorated NAI with double decoration takes the form either as:
  • nai.epc.mnc<rplmnMNC>.­mcc<rplmnMCC>.­3gppnetwork.­org !nai.­epc.­mnc<homeMNC>.­mcc<homeMCC>.3gppnetwork.org!­0<IMSI>@realm.org for EAP AKA authentication
    or
  • nai.epc.mnc<rplmnMNC>.mcc<rplmnMCC>.­3gppnetwork.­org !nai.­epc.mnc<homeMNC>.­mcc<homeMCC>.­3gppnetwork.org!­6<IMSI>@realm.­org for EAP AKA' authentication.
When the username part of Decorated NAI includes a Fast Re-authentication NAI, the Decorated NAI shall be built following the same steps as specified for the Fast Re-authentication NAI in clause 19.3.4.
When the username part of Decorated NAI includes a Pseudonym, the Decorated NAI shall be built following the same steps as specified for the Pseudonym identity in clause 19.3.5.
Up

19.3.4  Fast Re-authentication NAIp. 77

The Fast Re-authentication NAI shall take the form of a NAI as specified in Section 2.1 of RFC 4282. If the 3GPP AAA server does not return a complete NAI, the Fast Re-authentication NAI shall consist of the username part of the fast re-authentication identity as returned from the 3GPP AAA server and the same realm as used in the permanent user identity. If the 3GPP AAA server returns a complete NAI as the re-authentication identity, then this NAI shall be used. The username part of the fast re-authentication identity shall be decorated as described in clause 19.3.3 if the Selected PLMN is different from the HPLMN.
For EAP-AKA authentication, the username portion of the fast re-authentication identity shall be prepended with the single digit "4" as specified in Section 4.1.1.7 of RFC 4187.
For EAP AKA', see RFC 5448, the Fast Re-authentication NAI shall comply with RFC 4187 except that the username part of the NAI shall be prepended with single digit "8".
EXAMPLE 1:
If the fast re-authentication identity returned by the 3GPP AAA Server is 358405627015, the IMSI is 234150999999999 (MCC = 234, MNC = 15) and EAP-AKA is used, the Fast Re-authentication NAI for the case when NAI decoration is not used takes the form: 4358405627015@­nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org
EXAMPLE 2:
If the fast re-authentication identity returned by the 3GPP AAA Server is "358405627015@­aaa1.­nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org" , the IMSI is 234150999999999 (MCC = 234, MNC = 15) and EAP-AKA' is used, the Fast Re-authentication NAI for the case when NAI decoration is not used takes the form: 8358405627015@­aaa1.­nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org
EXAMPLE 3:
If the fast re-authentication identity returned by the 3GPP AAA Server is 358405627015, the IMSI is 234150999999999 (MCC = 234, MNC = 15), the PLMN ID of the Selected PLMN is MCC = 610, MNC = 71 and EAP-AKA is used, the Fast Re-authentication NAI takes the form: nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org !4358405627015@­nai.­epc.­mnc071.­mcc610.­3gppnetwork.­org.
Up

19.3.5  Pseudonym Identitiesp. 77

The pseudonym shall take the form of an NAI, as specified in Section 2.1 of RFC 4282.
The pseudonym shall be generated as specified in clause 6.4.1 of TS 33.234. This part of the pseudonym shall follow the UTF-8 transformation format specified in RFC 2279 except for the following reserved hexadecimal octet value:
FF
When the pseudonym username is coded with FF, this reserved value is used to indicate the special case when no valid temporary identity exists in the UE (see TS 24.234 for more information). The network shall not allocate a temporary identity with the whole username coded with the reserved hexadecimal value FF.
The username portion of the pseudonym identity shall be prepended with the single digit "2" as specified in Section 4.1.1.7 of RFC 4187 for EAP-AKA. For EAP AKA', see RFC 5448, the pseudonym NAI shall comply with RFC 4187 except that the username part of the NAI shall be prepended with single digit "7".
EXAMPLE 1:
For EAP AKA, if the pseudonym returned by the 3GPP AAA Server is 258405627015 and the IMSI is 234150999999999 (MCC = 234, MNC = 15), the pseudonym NAI for the case when NAI decoration is not used takes the form: 258405627015@­nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org
EXAMPLE 2:
For EAP AKA', if the pseudonym returned by the 3GPP AAA Server is 758405627015 and the IMSI is 234150999999999 (MCC = 234, MNC = 15), the pseudonym NAI for the case when NAI decoration is not used takes the form: 758405627015@­nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org
EXAMPLE 3:
For EAP AKA, if the pseudonym returned by the 3GPP AAA Server is 258405627015 and the IMSI is 234150999999999 (MCC = 234, MNC = 15), and the PLMN ID of the Selected PLMN is MCC = 610, MNC = 71, the pseudonym NAI takes the form: nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org! 258405627015@­nai.­epc.­mnc071.­mcc610.­3gppnetwork.­org
EXAMPLE 4:
For EAP AKA', if the pseudonym returned by the 3GPP AAA Server is 758405627015 and the IMSI is 234150999999999 (MCC = 234, MNC = 15), and the PLMN ID of the Selected PLMN is MCC = 610, MNC = 71, the pseudonym NAI takes the form: nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org! 758405627015@­nai.­epc.­mnc071.­mcc610.­3gppnetwork.­org
Up

19.3.6  Emergency NAI for Limited Service State |R9|p. 78

This clause describes the format of the UE identification needed to access the 3GPP EPC from both 3GPP and non-3GPP accesses, when UE is performing an emergency attach and IMSI is not available or not authenticated (see clause 19.3.1). For more information, see clauses 4.6.1 and 5.2 of TS 23.402.
The Emergency NAI for Limited Service State shall take the form of an NAI, and shall have the form username@realm as specified in Section 2.1 of RFC 4282. The exact format shall be:
imei<IMEI>@sos.invalid
or
mac<MAC>@sos.invalid
For example, if the IMEI is 219551288888888, the Emergency NAI for Limited Service State then takes the form of imei219551288888888@­sos.­invalid.
For example, if the MAC address is 44-45-53-54-00-AB, the Emergency NAI for Limited Service State then takes the form of mac4445535400AB@­sos.­invalid, where the MAC address is represented in hexadecimal format without separators.
Up

19.3.7  Alternative NAI |R12|p. 79

The Alternative NAI shall take the form of a NAI, i.e. 'any_username@REALM' as specified of RFC 4282. The Alternative NAI shall not be routable from any AAA server.
The Alternative NAI shall contain a username part which is not derived from the IMSI. The username part shall not be a null string.
The REALM part of the NAI shall be "unreachable.­3gppnetwork.­org".
The result shall be an NAI in the form of:
"<any_non_null_string>@unreachable.­3gppnetwork.­org".
Up

19.3.8  Keyname NAI |R14|p. 79

The keyname NAI shall take the form of an NAI, and shall have the form username@realm as specified in Section 2.1 of RFC 4282.
The username part is the EMSK name as defined in RFC 6696.
For ERP exchange with an ER server located in the 3GPP AAA Server, the realm part of the keyname NAI shall be the realm part of the Root NAI of the UE as described in clause 19.3.2, i.e. the realm part of the keyName-NAI will be in the form:
"@nai.epc.mnc<MNC>.­mcc<MCC>.­3gppnetwork.­org"
For ERP exchange with an ER server located in the TWAP or in the 3GPP AAA Proxy, the realm part of the keyname NAI shall be the realm discovered by the UE in the non-3GPP access network (received at the lower layer or through an ERP exchange as described in RFC 6696).
Up

19.3.9  IMSI-based Emergency NAI |R14|p. 79

This clause describes the format of the UE identification needed to access the 3GPP EPC from non-3GPP accesses, when UE is performing an emergency attach and IMSI is available. For more information, see clause 4.4.1 of TS 24.302.
The IMSI-based Emergency NAI shall take the form of an NAI and shall be encoded as the Root NAI as specified in clause 19.3.2, but with the realm name prepended by the "sos" label. The resulting realm part of the IMSI-based Emergency NAI will be in the form:
"@sos.nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
The resulting IMSI-based Emergency NAI will be in the form:
"0<IMSI>@sos.nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org" when used for EAP AKA authentication
"6<IMSI>@sos.nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org" when used for EAP AKA' authentication
For example, if the IMSI is 234150999999999 (MCC = 234, MNC = 15), the IMSI-based Emergency NAI takes the form 0234150999999999@­sos.­nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org for EAP AKA authentication and it takes the form 6234150999999999@­sos.­nai.­epc.­mnc015.­mcc234.­3gppnetwork.­org for EAP AKA' authentication.
Up

Up   Top   ToC