The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542.
A SUPI containing a network specific identifier shall take the form of a Network Access Identifier (NAI). See clause 5.9.2 of TS 23.501 for the definition and use of the network specific identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see TS 23.501, clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8; for the realm part format see Home Network Domain for an SNPN in clause 28.2).
See clauses 28.15.2 and 28.16.2 for the NAI format for a SUPI containing a GCI or a GLI.
When the SUPI is defined as a Network Specific Identifier, the SUCI shall take the form of a Network Access Identifier (NAI). In this case, the NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the Network Specific Identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see TS 23.501, clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8; for the realm part format see Home Network Domain for an SNPN in clause 28.2).
When the SUPI is defined as an IMSI, the SUCI in NAI format shall have the form username@realm, where the realm part shall be constructed by converting the leading digits of the IMSI, i.e. MNC and MCC, into a domain name, as described in clause 28.2. In SNPN scenarios, the realm part shall additionally include the NID of the SNPN. The resulting realm part of the NAI shall be in the form:
"5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org", or
"5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org" (for SNPN scenarios).
The username part of the NAI shall take one of the following forms:
for the null-scheme:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.userid<MSIN or Network Specific Identifier SUPI username>
for the Scheme Output for Elliptic Curve Integrated Encryption Scheme Profile A and Profile B:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.ecckey<ECC ephemeral public key value>.cip<ciphertext value>.mac<MAC tag value>
for HPLMN proprietary protection schemes:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>. out<HPLMN defined scheme output>
See clause 2.2B for the definition and format of the different fields of the SUCI.
EXAMPLES:
Assuming the IMSI 234150999999999, where MCC=234, MNC=15 and MSISN=0999999999, the Routing Indicator 678, and a Home Network Public Key Identifier of 27, the NAI format for the SUCI takes the form:
for the null-scheme:
type0.rid678.schid0.userid0999999999@5gc.mnc015.mcc234.3gppnetwork.org
for the Profile <A> protection scheme:
type0.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip< encryption of 0999999999>.mac<MAC tag value>@5gc.mnc015.mcc234.3gppnetwork.org
Assuming the Network Specific Identifier user17@example.com, the Routing Indicator 678, and a Home Network Public Key Identifier of 27, the NAI format for the SUCI takes the form:
for the null-scheme:
type1.rid678.schid0.useriduser17@example.com
for an anonymous SUCI:
type1.rid678.schid0.useridanonymous@example.com (with username corresponding to "anonymous"), or
type1.rid678.schid0.userid@example.com (with username corresponding to an empty string)
for the Profile <A> protection scheme:
type1.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip< encryption of user17>.mac<MAC tag value>@example.com
See clauses 28.15.5 and 28.16.5 for the NAI format for a SUCI containing a GCI or a GLI.
This clause describes the format of the UE identification when UE is performing an emergency registration and IMSI is not available or not authenticated.
The Emergency NAI for Limited Service State shall take the form of an NAI, and shall have the form username@realm as specified in Section 2.2 of RFC 7542. The exact format shall be:
imei<IMEI>@sos.invalid
or if IMEI is not available,
mac<MAC>@sos.invalid
For example, if the IMEI is 219551288888888, the Emergency NAI for Limited Service State then takes the form of imei219551288888888@sos.invalid.
For example, if the MAC address is 44-45-53-54-00-AB, the Emergency NAI for Limited Service State then takes the form of mac4445535400AB@sos.invalid, where the MAC address is represented in hexadecimal format without separators.
The Alternative NAI shall take the form of a NAI, i.e. 'any_username@realm' as specified of RFC 7542. The Alternative NAI shall not be routable from any AAA server.
The Alternative NAI shall contain a username part that is not a null string.
The realm part of the NAI shall be "unreachable.3gppnetwork.org".
The result shall be an NAI in the form of:
While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected PLMN (see clause 4.12a of TS 23.502), the UE shall derive a NAI from the identity of the selected PLMN in the following format:
the username part <any_non_null_string> is any non null string; and
the <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the UE attempts to connect via the trusted non-3GPP access network as described in clause 6.3.12 in TS 23.501.
While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN (see clause 5.30.2.13 of TS 23.501), the UE shall derive a NAI from the identity of the selected SNPN in the following format:
While performing the EAP authentication procedure when a non 5G capable over WLAN (N5CW) device attempts to register to 5GCN via a trusted non-3GPP access network (see clause 4.12b in TS 23.502), the N5CW device shall use a NAI in the following format:
the username part <5G_device_unique_identity> is to identify the N5CW device and contains either:
SUCI as defined as the username part of the NAI format in clause 28.7.3, if the UE is not registered to 5GCN via NG-RAN; or
5G-GUTI as defined as the username part of the NAI format in clause 28.7.8, if the N5CW device is registered to 5GCN via NG-RAN; and
the the label '5gc-nn' in the realm part indicates the NAI is used by N5CW devices via trusted non-3GPP access. <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the N5CW device attempts to connect via the trusted non-3GPP access as described in clause 6.3.12 of TS 23.501.
The NAI format of the 5G-GUTI shall have the form username@realm as specified in Section 2.2 of RFC 7542.
The username part of the NAI shall take the following form:
tmsi<5G-TMSI>.pt<AMF Pointer>.set<AMF Set Id>.region<AMF Region Id>
<5G-TMSI>, <AMF Pointer>, <AMF Set Id> and <AMF Region Id> are the hexadecimal strings of the 5G-TMSI, AMF Pointer, AMF Set ID and AMF Region ID. If there are less than 8 significant digits in <5G-TMSI>, "0" digit(s) shall be inserted at the left side to fill the 8 digits coding. If there are less than 2 significant digits in <AMF Pointer> or <AMF Region Id>, "0" digit(s) shall be inserted at the left side to fill the 2 digits coding of the AMF Pointer or AMF Region Id respectively. If there are less than 3 significant digits in <AMF Set Id>, "0" digit(s) shall be inserted at the left side to fill the 3 digits coding.
Example:
Assuming 5G-TMSI = 06666666 (hexadecimal), AMF Pointer=12 (hexadecimal), AMF Set = 001 (hexadecimal), AMF Region = 48 (hexadecimal), the username part of the NAI is encoded as:
"tmsi06666666.pt12.set001.region48"
The NAI for an N5CW device in a PLMN (either HPLMN or VPLMN) with MNC=012 and MCC=345, to which the N5CW device attempts to connect via the trusted non-3GPP access, according to clause 28.7.7 is:
The Decorated NAI format for SUCI shall take the form of a NAI and shall have the form
'Homerealm!username@otherrealm'
as specified in Section 2.7 of RFC 4282.
The username part of Decorated NAI shall contain the username of the NAI format for SUCI as specified in clause 28.7.3.
'Homerealm' shall be the realm of the NAI format for SUCI as specified in clause 28.7.3.
The realm part of Decorated NAI consists of 'otherrealm', see the IETF RFC 4282. Otherrealm' is the realm built using the PLMN ID (visitedMCC + visited MNC) of the visited PLMN.
The result is a decorated NAI of the form:
5gc-nswo.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@5gc-nswo.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
EXAMPLE:
Assuming the IMSI 234150999999999, where MCC=234, MNC=15 and MSISN=0999999999, the Routing Indicator 678, a Home Network Public Key Identifier of 27, the null-scheme, and the service provider has a PLMN ID (MCC = 610, MNC = 71):
the NAI format for the SUCI takes the form:
type0.rid678.schid0.userid0999999999@5gc.mnc015.mcc234.3gppnetwork.org
the Decorated NAI format for the SUCI takes the form:
5gc-nswo.mnc015.mcc234.3gppnetwork.org!type0.rid678.schid0.userid0999999999@5gc-nswo.mnc071.mcc610.3gppnetwork.org
When the UE decides to use 5G NSWO to connect to the WLAN access network using its 5GS credentials but without registration to 5GS, the NAI format for 5G NSWO is used.
In the 5G NSWO use case, the UE shall use a NAI in the following format:
the label '5gc-nswo' in the realm part indicates the NAI is used for 5G NSWO. <MNC> and <MCC> identify the PLMN to which the UE attempts to connect via the 5G NSWO as described in clause 4.2.15 of TS 23.501.
Internal-Group Identifier is a network internal globally unique ID which identifies a set of SUPIs (e.g. MTC devices) from a given network that are grouped together for one specific group related service (see TS 23.501, clause 5.9.7).
An Internal-Group Identifier shall be composed in the same way as IMSI-Group Identifier (see clause 19.9).
If a 5G subscriber's IMSI belongs to an IMSI-Group identified by a given IMSI-Group Identifier X, the IMSI shall also belong to the Internal-Group identified by the Internal-Group Identifier X.
The Presence Reporting Area Identifier (PRA ID) is used to identify a Presence Reporting Area (PRA).
PRAs can be used for reporting changes of UE presence in a PRA, e.g. for policy control or charging decisions. See TS 23.501 and TS 23.503.
A PRA is composed of a short list of TAs and/or NG-RAN nodes and/or cells identifiers in a PLMN.A PRA can be:
either a "UE-dedicated PRA", defined in the subscriber profile;
or a "Core Network predefined PRA", pre-configured in AMF.
PRA IDs used to identify "Core Network predefined PRAs" shall not be used for identifying "UE-dedicated PRAs".
The same PRA ID may be used for different UEs to identify different "UE-dedicated PRAs", i.e. PRA IDs may overlap between different UEs, while identifying different "UE-dedicated PRAs".
The PRA ID shall be formatted as an integer within the following ranges:
0 .. 8 388 607 for UE-dedicated PRA
8 388 608 to 16 777 215 for Core Network predefined PRA.
A Closed Access Group (CAG) within a PLMN is uniquely identified by a CAG-Identifier (see TS 23.501).
The CAG-Identifier shall be a fixed length 32 bit value.
A NF Set Identifier is a globally unique identifier of a set of equivalent and interchangeable CP NFs from a given network that provide distribution, redundancy and scalability (see clause 5.21.3 of TS 23.501).
An NF Set Identifier shall be constructed from the MCC, MNC, NID (for SNPN), NF type and a Set ID.
A NF Set Identifier shall be formatted as the following string:
set<Set ID>.<nftype>set.5gc.mnc<MNC>.mcc<MCC> for a NF Set in a PLMN, or
set<Set ID>.<nftype>set.5gc.nid<NID>.mnc<MNC>.mcc<MCC> for a NF Set in a SNPN.
where:
the <MCC> and <MNC> shall identify the PLMN of the NF Set and shall be encoded as follows:
<MCC> = 3 digits
<MNC> = 3 digits
If there are only 2 significant digits in the MNC, one "0" digit shall be inserted at the left side to fill the 3 digits coding of MNC.
the Network Identifier (NID) shall be encoded as hexadecimal digits as specified in clause 12.7.
the <NFType> shall identify the NF type of the NFs within the NF set and shall be encoded as a value of Table 6.1.6.3.3-1 of TS 29.510 but with lower case characters;
the Set ID shall be a NF type specific Set ID within the PLMN, chosen by the operator, that shall consist of alphabetic characters (A-Z and a-z), digits (0-9) and/or the hyphen (-) and that shall end with either an alphabetic character or a digit;
the case of alphabetic characters is not significant (i.e. two NF Set IDs with the same characters but using different lower and upper cases identify the same NF Set).
For an AMF set, the Set ID shall be set to "<AMF Set ID>.region<AMF Region ID>", with the AMF Region ID and AMF Set ID encoded as defined in TS 29.571.
EXAMPLE 1:
setxyz.smfset.5gc.mnc012.mcc345
EXAMPLE 2:
set12.pcfset.5gc.mnc012.mcc345
EXAMPLE 3:
set0011.region48.amfset.5gc.mnc012.mcc345 (for AMF Region 48 (hexadecimal) and AMF Set 1)
EXAMPLE 4:
setxyz.smfset.5gc.nid000007ed9d5.mnc012.mcc345 for a SNPN with the NID 000007ed9d5 (hexadecimal).
FQDN.
NF Instances of an NF Set are equivalent and share the same MCC, MNC, NID (for SNPN), NF type and NF Set ID.
A NF Service Set Identifier is a globally unique identifier of a set of equivalent and interchangeable CP NF service instances within a NF instance from a given network that provide distribution, redundancy and scalability (see clause 5.21.3 of TS 23.501).
An NF Service Set Identifier shall be constructed from the MCC, MNC, NID (for SNPN), NF instance Identifier, service name and a Set ID.
A NF Service Set Identifier shall be formatted as the following string:
set<Set ID>.sn<Service Name>.nfi<NF Instance ID>.5gc.mnc<MNC>.mcc<MCC> for a NF Service Set in a PLMN, or
set<Set ID>.sn<Service Name>.nfi<NF Instance ID>.5gc.nid<NID>.mnc<MNC>.mcc<MCC> for a NF Service Set in a SNPN.
where:
the <MCC> and <MNC> shall identify the PLMN of the NF Service Set and shall be encoded as follows:
<MCC> = 3 digits
<MNC> = 3 digits
If there are only 2 significant digits in the MNC, one "0" digit shall be inserted at the left side to fill the 3 digits coding of MNC.
the Network Identifier (NID) shall be encoded as hexadecimal digits as specified in clause 12.7.
the NFInstanceID shall identify the NF instance of the NF Service set, as defined by TS 23.501 and TS 29.510;
the ServiceName shall identify the NF service of the NF Service set, as defined by TS 29.510;
the Set ID shall be a service specific Set ID within the NF instance, chosen by the operator that shall consist of alphabetic characters (A-Z and a-z), digits (0-9) and/or the hyphen (-) and that shall end with either an alphabetic character or a digit;
the case of alphabetic characters is not significant (i.e. two NF Service Set IDs with the same characters but using different lower and upper cases identify the same NF Service Set).
setxyz.snnsmf-pdusession.nfi54804518-4191-46b3-955c-ac631f953ed8.5gc.nid000007ed9d5.mnc012.mcc345 for a SNPN with the NID 000007ed9d5 (hexadecimal).
NF service instances from different NF instances are equivalent NF service instances if they share the same MCC, MNC, NID (for SNPN), ServiceName and Set ID.
NF Service Sets belonging to different NF Instances are said to be equivalent, if they share the same MCC, MNC, NID (for SNPN), ServiceName and Set ID.
A Data Network Access Identifier (DNAI) is an operator defined identifier of a user plane access to one or more DN(s) where applications are deployed (see clauses 3.1 and 5.6.7 in TS 23.501). The same DN may also be referred to by multiple DNAIs.
DNAI is represented as an operator specific string (see clause A.2 of TS 29.571. The format of the DNAI is defined by the operator and is not standardized.
A SUPI containing a GCI shall take the form of a Network Access Identifier (NAI).
The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where:
the username part shall be the GCI, as defined in clause 28.15.4;
the realm part shall identify the operator owning the subscription; if the operator owns a PLMN ID, the realm part should be in the form:
The User Location information for a 5G-CRG/FN-CRG accessing the 5GC via a Wireline 5G Cable Access network (W-5GCAN) shall take the form of an HFC Node ID. The HFC Node ID consists of a string of up to six characters as specified in CableLabs WR-TR-5WWC-ARCH [134].
The GCI uniquely identifies the line connecting the 5G-CRG or FN-CRG to the 5GS.
The GCI is a variable length opaque identifier, encoded as specified in CableLabs WR-TR-5WWC-ARCH [134] and CableLabs DOCSIS MULPI [135]. It shall comply with the syntax specified in Section 2.2 of RFC 7542 for the username part of a NAI.
EXAMPLE:
The SUCI containing a GCI shall take the form of a Network Access Identifier (NAI).
The NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the SUPI (see clause 28.15.2).
The username part of the NAI shall be encoded as specified for the null-scheme in clause 28.7.3, i.e. it shall take the following form:
type3.rid0.schid0.userid<username>
where the username shall be encoded as the username part of the SUPI (see clause 28.15.2).
EXAMPLE 1:
type3.rid0.schid0.userid00-00-5E-00-53-00@5gc.mnc012.mcc345.3gppnetwork.org
EXAMPLE 2:
A SUPI containing a GLI shall take the form of a Network Access Identifier (NAI).
The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where:
the username part shall be the GLI, as defined in clause 28.16.4;
the realm part shall identify the operator owning the subscription; if the operator owns a PLMN ID, the realm part should be in the form:
The User Location information for a 5G-BRG/FN-BRG accessing the 5GC via a Wireline BBF Access Network (W-5GBAN) shall take the form of a GLI as defined in clause 28.16.4.
The GLI uniquely identifies the line connecting the 5G-BRG or FN-BRG to the 5GS.
The GLI is a variable length opaque identifier, consisting of a string of up to 200 base64-encoded characters, representing the GLI value (up to 150 bytes) encoded as specified in BBF WT-470 [133].
The SUCI containing a GLI shall take the form of a Network Access Identifier (NAI).
The NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the SUPI (see clause 28.16.2).
The username part of the NAI shall be encoded as specified for the null-scheme in clause 28.7.3, i.e. it shall take the following form:
type2.rid0.schid0.userid<username>
where the username shall be encoded as the username part of the SUPI (see clause 28.16.2).
The 5GC nodes DNS subdomain (DNS zone) shall be derived from the MNC and MCC by adding the label "node" to the beginning of the Home Network Domain for 5GC (see clause 28.2) and shall be constructed as:
node.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
This DNS subdomain is formally placed into the operator's control. 3GPP shall never take this DNS subdomain back or any zone cut/subdomain within it for any purpose. As a result the operator can safely provision any DNS records it chooses under this subdomain without concern about future 3GPP standards encroaching on the DNS names within this zone.