Content for  TS 23.003  Word version:  18.0.0

This clause describes the NAI formats used in the 5G System.

The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542. A SUPI containing a network specific identifier shall take the form of a Network Access Identifier (NAI). See clause 5.9.2 of TS 23.501 for the definition and use of the network specific identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see TS 23.501, clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8; for the realm part format see Home Network Domain for an SNPN in clause 28.2). See clauses 28.15.2 and 28.16.2 for the NAI format for a SUPI containing a GCI or a GLI.

When the SUPI is defined as a Network Specific Identifier, the SUCI shall take the form of a Network Access Identifier (NAI). In this case, the NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the Network Specific Identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see TS 23.501, clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8; for the realm part format see Home Network Domain for an SNPN in clause 28.2). When the SUPI is defined as an IMSI, the SUCI in NAI format shall have the form username@realm, where the realm part shall be constructed by converting the leading digits of the IMSI, i.e. MNC and MCC, into a domain name, as described in clause 28.2. In SNPN scenarios, the realm part shall additionally include the NID of the SNPN. The resulting realm part of the NAI shall be in the form: The username part of the NAI shall take one of the following forms:

1. for the null-scheme:
   type<supi type>.rid<routing indicator>.schid<protection scheme id>.userid<MSIN or Network Specific Identifier SUPI username>
2. for the Scheme Output for Elliptic Curve Integrated Encryption Scheme Profile A and Profile B:
   type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.ecckey<ECC ephemeral public key value>.cip<ciphertext value>.mac<MAC tag value>
3. for HPLMN proprietary protection schemes:
   type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>. out<HPLMN defined scheme output>
   See clause 2.2B for the definition and format of the different fields of the SUCI.

EXAMPLES: See clauses 28.15.5 and 28.16.5 for the NAI format for a SUCI containing a GCI or a GLI.

This clause describes the format of the UE identification when UE is performing an emergency registration and IMSI is not available or not authenticated. The Emergency NAI for Limited Service State shall take the form of an NAI, and shall have the form username@realm as specified in Section 2.2 of RFC 7542. The exact format shall be:

• imei<IMEI>@sos.invalid

or if IMEI is not available,

• mac<MAC>@sos.invalid

For example, if the IMEI is 219551288888888, the Emergency NAI for Limited Service State then takes the form of imei219551288888888@sos.invalid. For example, if the MAC address is 44-45-53-54-00-AB, the Emergency NAI for Limited Service State then takes the form of mac4445535400AB@sos.invalid, where the MAC address is represented in hexadecimal format without separators.

The Alternative NAI shall take the form of a NAI, i.e. 'any_username@realm' as specified of RFC 7542. The Alternative NAI shall not be routable from any AAA server. The Alternative NAI shall contain a username part that is not a null string. The realm part of the NAI shall be "unreachable.3gppnetwork.org". The result shall be an NAI in the form of:

While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected PLMN (see clause 4.12a of TS 23.502), the UE shall derive a NAI from the identity of the selected PLMN in the following format: where:

1. the username part <any_non_null_string> is any non null string; and
2. the <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the UE attempts to connect via the trusted non-3GPP access network as described in clause 6.3.12 in TS 23.501.

While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN (see clause 5.30.2.13 of TS 23.501), the UE shall derive a NAI from the identity of the selected SNPN in the following format: where:

1. the username part <any_non_null_string> is any non null string; and
2. the <MNC>, <MCC> and <NID> identify the SNPN to which the UE attempts to connect via the trusted non-3GPP access network.

While performing the EAP authentication procedure when a non 5G capable over WLAN (N5CW) device attempts to register to 5GCN via a trusted non-3GPP access network (see clause 4.12b in TS 23.502), the N5CW device shall use a NAI in the following format:

• "<5G_device_unique_identity>@nai.5gc-nn.mnc<MNC>.mcc<MCC>.3gppnetwork.org"

Where:

1. the username part <5G_device_unique_identity> is to identify the N5CW device and contains either:
   • SUCI as defined as the username part of the NAI format in clause 28.7.3, if the UE is not registered to 5GCN via NG-RAN; or
   • 5G-GUTI as defined as the username part of the NAI format in clause 28.7.8, if the N5CW device is registered to 5GCN via NG-RAN; and
2. the the label '5gc-nn' in the realm part indicates the NAI is used by N5CW devices via trusted non-3GPP access. <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the N5CW device attempts to connect via the trusted non-3GPP access as described in clause 6.3.12 of TS 23.501.

The NAI format of the 5G-GUTI shall have the form username@realm as specified in Section 2.2 of RFC 7542. The username part of the NAI shall take the following form: <5G-TMSI>, <AMF Pointer>, <AMF Set Id> and <AMF Region Id> are the hexadecimal strings of the 5G-TMSI, AMF Pointer, AMF Set ID and AMF Region ID. If there are less than 8 significant digits in <5G-TMSI>, "0" digit(s) shall be inserted at the left side to fill the 8 digits coding. If there are less than 2 significant digits in <AMF Pointer> or <AMF Region Id>, "0" digit(s) shall be inserted at the left side to fill the 2 digits coding of the AMF Pointer or AMF Region Id respectively. If there are less than 3 significant digits in <AMF Set Id>, "0" digit(s) shall be inserted at the left side to fill the 3 digits coding. Example: The NAI for an N5CW device in a PLMN (either HPLMN or VPLMN) with MNC=012 and MCC=345, to which the N5CW device attempts to connect via the trusted non-3GPP access, according to clause 28.7.7 is:

"tmsi06666666.­pt12.­set001.­region48@nai.­5gc-nn.­mnc012.­mcc345.­3gppnetwork.­org"

The Decorated NAI format for SUCI shall take the form of a NAI and shall have the form 'Homerealm!username@otherrealm' as specified in Section 2.7 of RFC 4282. The username part of Decorated NAI shall contain the username of the NAI format for SUCI as specified in clause 28.7.3. 'Homerealm' shall be the realm of the NAI format for SUCI as specified in clause 28.7.3. The realm part of Decorated NAI consists of 'otherrealm', see the IETF RFC 4282. Otherrealm' is the realm built using the PLMN ID (visitedMCC + visited MNC) of the visited PLMN. The result is a decorated NAI of the form: EXAMPLE:

The NAI format for UP-PRUK ID shall have the form username@realm as specified in Section 2.2 of RFC 7542, where:

• the realm part shall be in the form:
  "prose-up.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
• the username part shall be a non-empty string which is unique in the realm, as specified in TS 33.503.

The maximum length of a UP-PRUK ID in NAI format is 254 octets.

The NAI format for CP-PRUK ID shall have the form username@realm as specified in Section 2.2 of RFC 7542. The realm part shall be in the form: The username part of the NAI shall take one of the following forms: "rid<routing indicator>.pid<CP-PRUK ID*>"

• the <routing indicator> part is the "Routing Indicator" as specified in clause 2.2B.
• the <CP-PRUK ID*> part is the hexadecimal representation of the CP-PRUK ID* specified in clause A.2 of TS 33.503.

The maximum length of a CP-PRUK ID in NAI format is 254 octets.

When the UE decides to use 5G NSWO to connect to the WLAN access network using its 5GS credentials but without registration to 5GS, the NAI format for 5G NSWO is used. In the 5G NSWO use case, the UE shall use a NAI in the following format: In the above use cases:

1. the username part is defined in clause 28.7.3; and
2. the label '5gc-nswo' in the realm part indicates the NAI is used for 5G NSWO. <MNC> and <MCC> identify the PLMN to which the UE attempts to connect via the 5G NSWO as described in clause 4.2.15 of TS 23.501.

This clause describes the GCI formats used in the 5G System.

A SUPI containing a GCI shall take the form of a Network Access Identifier (NAI). The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where:

• the username part shall be the GCI, as defined in clause 28.15.4;
• the realm part shall identify the operator owning the subscription; if the operator owns a PLMN ID, the realm part should be in the form:
  "5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"

EXAMPLE 1: EXAMPLE 2:

The User Location information for a 5G-CRG/FN-CRG accessing the 5GC via a Wireline 5G Cable Access network (W-5GCAN) shall take the form of an HFC Node ID. The HFC Node ID consists of a string of up to six characters as specified in CableLabs WR-TR-5WWC-ARCH [134].

The GCI uniquely identifies the line connecting the 5G-CRG or FN-CRG to the 5GS. The GCI is a variable length opaque identifier, encoded as specified in CableLabs WR-TR-5WWC-ARCH [134] and CableLabs DOCSIS MULPI [135]. It shall comply with the syntax specified in Section 2.2 of RFC 7542 for the username part of a NAI. EXAMPLE:

The SUCI containing a GCI shall take the form of a Network Access Identifier (NAI). The NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the SUPI (see clause 28.15.2). The username part of the NAI shall be encoded as specified for the null-scheme in clause 28.7.3, i.e. it shall take the following form: where the username shall be encoded as the username part of the SUPI (see clause 28.15.2). EXAMPLE 1: type3.rid0.schid0.userid00-00-5E-00-53-00@5gc.­mnc012.­mcc345.­3gppnetwork.­org EXAMPLE 2: type3.rid0.schid0.userid00-00-5E-00-53-00@operator.­com

This clause describes the GLI formats used in the 5G System.

A SUPI containing a GLI shall take the form of a Network Access Identifier (NAI). The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where:

• the username part shall be the GLI, as defined in clause 28.16.4;
• the realm part shall identify the operator owning the subscription; if the operator owns a PLMN ID, the realm part should be in the form:
  • "5gc.mnc<MNC>.­mcc<MCC>.­3gppnetwork.­org"

The User Location information for a 5G-BRG/FN-BRG accessing the 5GC via a Wireline BBF Access Network (W-5GBAN) shall take the form of a GLI as defined in clause 28.16.4.

The GLI uniquely identifies the line connecting the 5G-BRG or FN-BRG to the 5GS. The GLI is a variable length opaque identifier, consisting of a string of up to 200 base64-encoded characters, representing the GLI value (up to 150 bytes) encoded as specified in BBF WT-470 [133].

The SUCI containing a GLI shall take the form of a Network Access Identifier (NAI). The NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the SUPI (see clause 28.16.2). The username part of the NAI shall be encoded as specified for the null-scheme in clause 28.7.3, i.e. it shall take the following form: where the username shall be encoded as the username part of the SUPI (see clause 28.16.2).