
Content for  TS 23.003  Word version:  18.4.0


28.7  Network Access Identifier (NAI)

28.7.1  Introduction

This clause describes the NAI formats used in the 5G System.

28.7.2  NAI format for SUPI

The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542.
A SUPI containing a network specific identifier shall take the form of a Network Access Identifier (NAI). See clause 5.9.2 of TS 23.501 for the definition and use of the network specific identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8 of TS 23.501; for the realm part format, see Home Network Domain for an SNPN in clause 28.2).
See clauses 28.15.2 and 28.16.2 for the NAI format for a SUPI containing a GCI or a GLI.

28.7.3  NAI format for SUCI

When the SUPI is defined as a Network Specific Identifier, the SUCI shall take the form of a Network Access Identifier (NAI). In this case, the NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the Network Specific Identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8 of TS 23.501; for the realm part format, see Home Network Domain for an SNPN in clause 28.2).
When the SUPI is defined as an IMSI, the SUCI in NAI format shall have the form username@realm, where the realm part shall be constructed by converting the leading digits of the IMSI, i.e. MNC and MCC, into a domain name, as described in clause 28.2. In SNPN scenarios, the realm part shall additionally include the NID of the SNPN, if available. The resulting realm part of the NAI shall be in the form:
"5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org", or
"5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org" (for SNPN scenarios where the NID is available).
The username part of the NAI shall take one of the following forms:
  1. for the null-scheme:
    type<supi type>.rid<routing indicator>.schid<protection scheme id>.userid<MSIN or Network Specific Identifier SUPI username>
  2. for the Scheme Output for Elliptic Curve Integrated Encryption Scheme Profile A and Profile B:
    type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.ecckey<ECC ephemeral public key value>.cip<ciphertext value>.mac<MAC tag value>
  3. for HPLMN proprietary protection schemes:
    type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.out<HPLMN defined scheme output>
See clause 2.2B for the definition and format of the different fields of the SUCI.
EXAMPLES:
Assuming the IMSI 234150999999999, where MCC=234, MNC=15 and MSIN=0999999999, the Routing Indicator 678, and a Home Network Public Key Identifier of 27, the NAI format for the SUCI takes the form:
  • for the null-scheme:
    type0.rid678.schid0.userid0999999999@5gc.mnc015.mcc234.3gppnetwork.org
  • for the Profile <A> protection scheme:
    type0.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip<encryption of 0999999999>.mac<MAC tag value>@5gc.mnc015.mcc234.3gppnetwork.org
Assuming the Network Specific Identifier user17@example.com, the Routing Indicator 678, and a Home Network Public Key Identifier of 27, the NAI format for the SUCI takes the form:
  • for the null-scheme:
    type1.rid678.schid0.useriduser17@example.com
  • for an anonymous SUCI:
    type1.rid678.schid0.useridanonymous@example.com (with username corresponding to "anonymous"), or
    type1.rid678.schid0.userid@example.com (with username corresponding to an empty string)
  • for the Profile <A> protection scheme:
    type1.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip<encryption of user17>.mac<MAC tag value>@example.com
See clauses 28.15.5 and 28.16.5 for the NAI format for a SUCI containing a GCI or a GLI.
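The three username forms and the IMSI-derived realm of clause 28.7.3 can be checked mechanically before a SUCI in NAI format is accepted. The parser below is an added example, not part of TS 23.003; the function name, the 1 to 4 digit routing indicator and the mapping of schid 1 and 2 to ECIES Profile A and B are assumptions taken from clause 2.2B, which is not reproduced on this page.

```python
import re

# Realm of an IMSI-based SUCI, with the optional SNPN NID label (clause 28.7.3).
REALM_RE = re.compile(
    r"^5gc\.(?:nid(?P<nid>[0-9A-Fa-f]+)\.)?mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})"
    r"\.3gppnetwork\.org$")
# Prefix shared by all three username forms.
# Assumption (clause 2.2B, not this page): routing indicator is 1-4 decimal digits.
HEAD_RE = re.compile(
    r"^type(?P<supi_type>\d)\.rid(?P<rid>\d{1,4})\.schid(?P<schid>\d+)\.(?P<rest>.*)$")
# Form 2: ECIES Profile A / Profile B scheme output.
ECIES_RE = re.compile(
    r"^hnkey(?P<hnkey>\d+)\.ecckey(?P<ecckey>[^.]+)\.cip(?P<cip>[^.]+)\.mac(?P<mac>[^.]+)$")
# Form 3: HPLMN proprietary scheme output.
PROP_RE = re.compile(r"^hnkey(?P<hnkey>\d+)\.out(?P<out>.+)$")


def parse_suci_nai(nai):
    """Split a SUCI in NAI format into its fields; raise ValueError if malformed."""
    username, at, realm = nai.rpartition("@")
    if not at or not realm:
        raise ValueError("not of the form username@realm")
    head = HEAD_RE.match(username)
    if head is None:
        raise ValueError("username lacks the type/rid/schid prefix")
    f = {"supi_type": int(head["supi_type"]), "rid": head["rid"],
         "schid": int(head["schid"]), "realm": realm}
    rest = head["rest"]
    if f["schid"] == 0:
        # Null-scheme: the identifier travels unprotected in the userid field.
        if not rest.startswith("userid"):
            raise ValueError("null-scheme username must end in a userid field")
        f["userid"] = rest[len("userid"):]
        f["concealed"] = False
        f["anonymous"] = f["supi_type"] == 1 and f["userid"] in ("", "anonymous")
    else:
        # Assumption (clause 2.2B): schid 1 and 2 are ECIES Profile A and B.
        body = (ECIES_RE if f["schid"] in (1, 2) else PROP_RE).match(rest)
        if body is None:
            raise ValueError("scheme output fields missing or out of order")
        f.update(body.groupdict())
        f["concealed"] = True
    if f["supi_type"] == 0:
        # IMSI-based SUCI: realm must be derived from MCC/MNC (and NID for an SNPN).
        plmn = REALM_RE.match(realm)
        if plmn is None:
            raise ValueError("realm does not match the clause 28.7.3 form")
        f.update(plmn.groupdict())
    return f


# Sample input: the null-scheme example from clause 28.7.3.
if __name__ == "__main__":
    print(parse_suci_nai(
        "type0.rid678.schid0.userid0999999999@5gc.mnc015.mcc234.3gppnetwork.org"))
```

The `concealed` flag makes null-scheme SUCIs, which carry the MSIN or username in the clear, easy to count or alert on in signalling logs.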

28.7.4  Emergency NAI for Limited Service State

This clause describes the format of the UE identification when the UE is performing an emergency registration and the IMSI is not available or not authenticated.
The Emergency NAI for Limited Service State shall take the form of an NAI, and shall have the form username@realm as specified in Section 2.2 of RFC 7542. The exact format shall be:
  • imei<IMEI>@sos.invalid
or if IMEI is not available,
  • mac<MAC>@sos.invalid
For example, if the IMEI is 219551288888888, the Emergency NAI for Limited Service State then takes the form of imei219551288888888@sos.invalid.
For example, if the MAC address is 44-45-53-54-00-AB, the Emergency NAI for Limited Service State then takes the form of mac4445535400AB@sos.invalid, where the MAC address is represented in hexadecimal format without separators.

28.7.5  Alternative NAI

The Alternative NAI shall take the form of a NAI, i.e. 'any_username@realm' as specified in RFC 7542. The Alternative NAI shall not be routable from any AAA server.
The Alternative NAI shall contain a username part that is not a null string.
The realm part of the NAI shall be "unreachable.3gppnetwork.org".
The result shall be an NAI in the form of:
"<any_non_null_string>@unreachable.3gppnetwork.org".

28.7.6  NAI used for 5G registration via trusted non-3GPP access |R16|

While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected PLMN (see clause 4.12a of TS 23.502), the UE shall derive a NAI from the identity of the selected PLMN in the following format:
"<any_non_null_string>@nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
where:
  1. the username part <any_non_null_string> is any non null string; and
  2. the <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the UE attempts to connect via the trusted non-3GPP access network as described in clause 6.3.12 of TS 23.501.
While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN (see clause 5.30.2.13 of TS 23.501), the UE shall derive a NAI from the identity of the selected SNPN in the following format:
"<any_non_null_string>@nai.5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org";
where:
  1. the username part <any_non_null_string> is any non null string; and
  2. the <MNC>, <MCC> and <NID> identify the SNPN to which the UE attempts to connect via the trusted non-3GPP access network.
While performing the EAP authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected TNGF, the UE shall derive a NAI from the identity of the selected TNGF in the following format:
"<any_non_null_string>@tngfid<TNGF ID>.nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org";
where:
  1. The username part <any_non_null_string> is any non null string; and
  2. The <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the UE attempts to connect via the trusted non-3GPP access network; and
  3. <TNGF ID> identifies the TNGF. The TNGF ID value shall comply with the syntax specified in Section 2.2 of RFC 7542 for a label in the realm part of a NAI.
While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN and TNGF, the UE shall derive a NAI from the identity of the selected SNPN and TNGF in the following format:
"<any_non_null_string>@tngfid<TNGF ID>.nai.5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org";
where:
  1. the username part <any_non_null_string> is any non null string; and
  2. the <MNC>, <MCC> and <NID> identify the SNPN to which the UE attempts to connect via the trusted non-3GPP access network; and
  3. <TNGF ID> identifies the TNGF. The TNGF ID value shall comply with the syntax specified in Section 2.2 of RFC 7542 for a label in the realm part of a NAI.

28.7.7  NAI used by N5CW devices via trusted non-3GPP access |R16|

28.7.7.0  General |R18|

While performing the EAP authentication procedure when a non 5G capable over WLAN (N5CW) device attempts to register to 5GCN via a trusted non-3GPP access network in a selected PLMN (see clause 4.12b of TS 23.502), the N5CW device shall derive a NAI from the identity of the selected PLMN in the following format:
  • "<5G_device_unique_identity>@nai.5gc-nn.mnc<MNC>.mcc<MCC>.3gppnetwork.org";
where:
  1. the username part <5G_device_unique_identity> is to identify the N5CW device and contains either:
    • SUCI as defined as the username part of the NAI format in clause 28.7.3, if the UE is not registered to 5GCN via NG-RAN; or
    • 5G-GUTI as defined as the username part of the NAI format in clause 28.7.8, if the N5CW device is registered to 5GCN via NG-RAN; and
  2. the label '5gc-nn' in the realm part indicates the NAI is used by N5CW devices via trusted non-3GPP access. <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the N5CW device attempts to connect via the trusted non-3GPP access network as described in clause 6.3.12 of TS 23.501.
While performing the EAP authentication procedure when a non 5G capable over WLAN (N5CW) device attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN (see clause 5.30.2.13 of TS 23.501), the N5CW device shall derive a NAI from the identity of the selected SNPN in the following format:
  • "<5G_device_unique_identity>@nai.5gc-nn.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org";
where:
  1. the username part <5G_device_unique_identity> is to identify the N5CW device and contains either:
    • SUCI as defined as the username part of the NAI format in clause 28.7.3; or
    • 5G-GUTI as defined as the username part of the NAI format in clause 28.7.8, if the N5CW device is registered to 5GCN via NG-RAN; and
  2. the label '5gc-nn' in the realm part indicates the NAI is used by N5CW devices via trusted non-3GPP access. <MNC>, <MCC> and <NID> identify the SNPN to which the N5CW device attempts to connect via the trusted non-3GPP access network.
In roaming scenarios, the NAI shall use the decorated NAI format as specified in clause 28.7.7.1 or 28.7.7.2.

28.7.7.1  Decorated NAI used for N5CW devices via trusted non-3GPP access

The Decorated NAI used for N5CW devices via trusted non-3GPP access roaming scenarios shall take the form:
"nai.5gc-nn.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<5G_device_unique_identity>@nai.5gc-nn.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org"
where the <5G_device_unique_identity> is to identify the N5CW device as defined in clause 28.7.7.0.

28.7.7.2  Decorated NAI used for N5CW devices via trusted non-3GPP access for SNPN

If the credentials holder is constructed based on SNPN, the Decorated NAI used for N5CW devices via trusted non-3GPP access for SNPN scenarios shall take the form:
"nai.5gc-nn.nid<NID_Home>.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<5G_device_unique_identity>@nai.5gc-nn.nid<NID_visited>.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org"
where the <5G_device_unique_identity> is to identify the N5CW device as defined in clause 28.7.7.0, the <NID_Home> or <NID_visited> shall be encoded as hexadecimal digits as specified in clause 12.7, and the <NID_Home>, <homeMNC>, and <homeMCC> are used to identify the SNPN based credentials holder.
If the credentials holder is constructed based on PLMN, the Decorated NAI used for N5CW devices via trusted non-3GPP access for SNPN shall take the form:
"nai.5gc-nn.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<5G_device_unique_identity>@nai.5gc-nn.nid<NID_visited>.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org"
where the <5G_device_unique_identity> is to identify the N5CW device as defined in clause 28.7.7.0, the <NID_visited> shall be encoded as hexadecimal digits as specified in clause 12.7, and the <homeMNC> and <homeMCC> are used to identify the PLMN based credentials holder.

28.7.8  NAI format for 5G-GUTI |R16|

The NAI format of the 5G-GUTI shall have the form username@realm as specified in Section 2.2 of RFC 7542.
The username part of the NAI shall take the following form:
tmsi<5G-TMSI>.pt<AMF Pointer>.set<AMF Set Id>.region<AMF Region Id>
<5G-TMSI>, <AMF Pointer>, <AMF Set Id> and <AMF Region Id> are the hexadecimal strings of the 5G-TMSI, AMF Pointer, AMF Set ID and AMF Region ID. If there are less than 8 significant digits in <5G-TMSI>, "0" digit(s) shall be inserted at the left side to fill the 8 digits coding. If there are less than 2 significant digits in <AMF Pointer> or <AMF Region Id>, "0" digit(s) shall be inserted at the left side to fill the 2 digits coding of the AMF Pointer or AMF Region Id respectively. If there are less than 3 significant digits in <AMF Set Id>, "0" digit(s) shall be inserted at the left side to fill the 3 digits coding.
Example:
Assuming 5G-TMSI = 06666666 (hexadecimal), AMF Pointer=12 (hexadecimal), AMF Set = 001 (hexadecimal), AMF Region = 48 (hexadecimal), the username part of the NAI is encoded as:
  • "tmsi06666666.pt12.set001.region48"
The NAI for an N5CW device in a PLMN (either HPLMN or VPLMN) with MNC=012 and MCC=345, to which the N5CW device attempts to connect via the trusted non-3GPP access, according to clause 28.7.7 is:
    "tmsi06666666.pt12.set001.region48@nai.5gc-nn.mnc012.mcc345.3gppnetwork.org"
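The fixed-width padding rules above mean a receiver can reject any 5G-GUTI username that is not exactly 8, 2, 3 and 2 hexadecimal digits. The encoder and strict decoder below are an added example, not part of TS 23.003; the function names, the upper-case hex output and the field bit widths (32, 6, 10 and 8 bits, from the 5G-GUTI definition in clause 2.10 of TS 23.003) are assumptions not stated on this page.

```python
import re

# Field label -> (bit width, hex digits in the NAI username).
# Hex digit counts come from clause 28.7.8. Bit widths are an assumption taken
# from the 5G-GUTI definition in clause 2.10 of TS 23.003 (not on this page).
FIELDS = {"tmsi": (32, 8), "pt": (6, 2), "set": (10, 3), "region": (8, 2)}
GUTI_RE = re.compile(
    r"^tmsi([0-9A-Fa-f]{8})\.pt([0-9A-Fa-f]{2})"
    r"\.set([0-9A-Fa-f]{3})\.region([0-9A-Fa-f]{2})$")


def guti_username(tmsi, pointer, set_id, region):
    """Encode integer 5G-GUTI components as the NAI username, left-padded with 0."""
    parts = []
    for (label, (bits, digits)), value in zip(
            FIELDS.items(), (tmsi, pointer, set_id, region)):
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{label} does not fit in {bits} bits")
        # Upper-case hex is an assumption; the page's example uses digits only.
        parts.append(f"{label}{value:0{digits}X}")
    return ".".join(parts)


def parse_guti_username(username):
    """Decode the username; reject missing padding and out-of-range values."""
    m = GUTI_RE.match(username)
    if m is None:
        raise ValueError("fields missing, reordered or not zero-padded")
    result = {}
    for (label, (bits, _)), text in zip(FIELDS.items(), m.groups()):
        value = int(text, 16)
        # Two hex digits can hold 0xFF, but the AMF Pointer is only 6 bits wide;
        # the same applies to the 10-bit AMF Set Id in three hex digits.
        if value >= (1 << bits):
            raise ValueError(f"{label} value {text} exceeds {bits} bits")
        result[label] = value
    return result


# Sample input: the values of the example in clause 28.7.8.
if __name__ == "__main__":
    name = guti_username(0x06666666, 0x12, 0x001, 0x48)
    print(name, parse_guti_username(name))
```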

28.7.9  Decorated NAI format for SUCI |R17|

28.7.9.1  General

The Decorated NAI format for SUCI shall take the form of a NAI and shall have the form
'Homerealm!username@otherrealm'
as specified in Section 2.7 of RFC 4282.
The username part of Decorated NAI shall contain the username of the NAI format for SUCI as specified in clause 28.7.3.
'Homerealm' shall be the realm of the NAI format for SUCI as specified in clause 28.7.3, unless specified otherwise in relevant clauses.
The realm part of the Decorated NAI consists of 'otherrealm' (see RFC 4282). 'Otherrealm' is the realm built using the PLMN ID (visited MCC + visited MNC) of the visited PLMN selected by the UE. In SNPN scenarios, 'otherrealm' is the realm built using the SNPN ID (PLMN ID + NID, where PLMN ID + NID are MCC + MNC + NID of the non-subscribed SNPN).
The 'Homerealm' and the 'otherrealm' may be preceded by one or more labels for specific use cases of the Decorated NAI format for SUCI, e.g. for 5G NSWO (see clause 28.7.9.2).
The resulting decorated NAI should take the form shown below:
<one or more labels>.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@<one or more labels>.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is a subscribed SNPN, the decorated NAI should have the form as mentioned below:
<one or more labels>.nid<subscribedSNPNNID>.mnc<subscribedSNPNMNC>.mcc<subscribedSNPNMCC>.3gppnetwork.org!<username of SUCI in NAI format>@<one or more labels>.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is an HPLMN, the decorated NAI should have the form as mentioned below:
<one or more labels>.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@<one or more labels>.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org

28.7.9.2  Decorated NAI used for 5G NSWO

The result is a decorated NAI of the form:
5gc-nswo.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@5gc-nswo.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is a subscribed SNPN, the decorated NAI should have the form as mentioned below:
5g-nswo.nid<subscribedSNPNNID>.mnc<subscribedSNPNMNC>.mcc<subscribedSNPNMCC>.3gppnetwork.org!<username of SUCI in NAI format>@5g-nswo.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
For the SNPN scenarios where the credential holder is an HPLMN, the decorated NAI should have the form as mentioned below:
5g-nswo.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@5g-nswo.nid<nonsubscribedSNPNNID>.mnc<nonsubscribedSNPNMNC>.mcc<nonsubscribedSNPNMCC>.3gppnetwork.org
EXAMPLE:
Assuming the IMSI 234150999999999, where MCC=234, MNC=15 and MSIN=0999999999, the Routing Indicator 678, a Home Network Public Key Identifier of 27, the null-scheme, and the Visited PLMN ID (MCC = 610, MNC = 71):
  • the NAI format for the SUCI for 5G NSWO takes the form:
    type0.rid678.schid0.userid0999999999@5gc-nswo.mnc015.mcc234.3gppnetwork.org
  • the Decorated NAI format for the SUCI for 5G NSWO roaming takes the form:
    5gc-nswo.mnc015.mcc234.3gppnetwork.org!type0.rid678.schid0.userid0999999999@5gc-nswo.mnc071.mcc610.3gppnetwork.org
For SNPN scenarios, decorated NAI format for SUCI for 5G-NSWO roaming shall take the following form:
Assuming the IMSI 234150999999999, where the subscribed SNPN has MCC 234, MNC 015, and NID 345678ABCD, and the non-subscribed SNPN has MCC = 999, MNC = 012, and NID 45678ABCDE:
5gc-nswo.nid345678ABCD.mnc015.mcc234.3gppnetwork.org!type0.rid678.schid0.userid0999999999@5gc-nswo.nid45678ABCDE.mnc012.mcc999.3gppnetwork.org
Assuming the IMSI 234150999999999, where the HPLMN has MCC 234 and MNC 015, and the non-subscribed SNPN has MCC = 999, MNC = 012, and NID 45678ABCDE:
5gc-nswo.nid345678ABCD.mnc015.mcc234.3gppnetwork.org!type0.rid678.schid0.userid0999999999@5gc-nswo.nid45678ABCDE.mnc012.mcc999.3gppnetwork.org
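A node that receives a decorated NAI as in clauses 28.7.9.1 and 28.7.9.2 has to split it at '!' and '@' and should confirm that both realms have the 3GPP label structure before using either for routing. The helpers below are an added example, not part of TS 23.003; the function names are hypothetical, and only realms ending in mnc<MNC>.mcc<MCC>.3gppnetwork.org, as in the forms above, are handled.

```python
import re


def build_realm(labels, mcc, mnc, nid=None):
    """Build '<labels>.[nid<NID>.]mnc<MNC>.mcc<MCC>.3gppnetwork.org'.

    A 2-digit MNC is left-padded to 3 digits, as in the page's mnc015 / mnc071.
    """
    if not (re.fullmatch(r"\d{3}", mcc) and re.fullmatch(r"\d{2,3}", mnc)):
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    nid_label = f"nid{nid}." if nid else ""
    return f"{labels}.{nid_label}mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def parse_realm(realm):
    """Split a 3GPP realm into use-case labels, NID, MNC and MCC, right to left."""
    parts = realm.split(".")
    if len(parts) < 5 or parts[-2:] != ["3gppnetwork", "org"]:
        raise ValueError(f"not a 3gppnetwork.org realm: {realm!r}")
    if not (re.fullmatch(r"mcc\d{3}", parts[-3])
            and re.fullmatch(r"mnc\d{3}", parts[-4])):
        raise ValueError(f"bad mnc/mcc labels: {realm!r}")
    rest = parts[:-4]
    nid = None
    if rest and re.fullmatch(r"nid[0-9A-Fa-f]+", rest[-1]):
        nid = rest.pop()[3:]
    if not rest or not all(re.fullmatch(r"[A-Za-z0-9-]+", p) for p in rest):
        raise ValueError(f"missing or malformed use-case label: {realm!r}")
    return {"labels": ".".join(rest), "nid": nid,
            "mnc": parts[-4][3:], "mcc": parts[-3][3:]}


def decorate(suci_nai, other_realm):
    """Turn 'username@Homerealm' into 'Homerealm!username@otherrealm'."""
    username, at, home_realm = suci_nai.rpartition("@")
    if not at or not username:
        raise ValueError("not of the form username@realm")
    parse_realm(home_realm)   # both realms must be well formed
    parse_realm(other_realm)
    return f"{home_realm}!{username}@{other_realm}"


def undecorate(decorated):
    """Return (home NAI, parsed Homerealm, parsed otherrealm)."""
    left, at, other_realm = decorated.rpartition("@")
    home_realm, bang, username = left.partition("!")
    if not at or not bang:
        raise ValueError("not of the form Homerealm!username@otherrealm")
    home, other = parse_realm(home_realm), parse_realm(other_realm)
    return f"{username}@{home_realm}", home, other


# Sample input: the 5G NSWO roaming example from clause 28.7.9.2.
if __name__ == "__main__":
    nai = "type0.rid678.schid0.userid0999999999@5gc-nswo.mnc015.mcc234.3gppnetwork.org"
    print(decorate(nai, build_realm("5gc-nswo", "610", "71")))
```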

28.7.10  NAI format for UP-PRUK ID |R17|

The NAI format for UP-PRUK ID shall have the form username@realm as specified in Section 2.2 of RFC 7542, where:
  • the realm part shall be in the form:
    "prose-up.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
  • the username part shall be a non-empty string which is unique in the realm, as specified in TS 33.503.
The maximum length of a UP-PRUK ID in NAI format is 254 octets.

28.7.11  NAI format for CP-PRUK ID |R17|

The NAI format for CP-PRUK ID shall have the form username@realm as specified in Section 2.2 of RFC 7542.
The realm part shall be in the form:
"prose-cp.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
The username part of the NAI shall take one of the following forms:
"rid<routing indicator>.pid<CP-PRUK ID*>"
  • the <routing indicator> part is the "Routing Indicator" as specified in clause 2.2B.
  • the <CP-PRUK ID*> part is the hexadecimal representation of the CP-PRUK ID* specified in clause A.2 of TS 33.503.
The maximum length of a CP-PRUK ID in NAI format is 254 octets.

28.7.12  NAI used for 5G NSWO |R17|

When the UE decides to use 5G NSWO to connect to the WLAN access network using its 5GS credentials but without registration to 5GS, the NAI format for 5G NSWO in non-roaming scenarios is used. See clause 28.7.9.2 for the NAI format for 5G NSWO in roaming scenarios.
In the 5G NSWO use case, the UE shall use a NAI in the following format:
  • For PLMNs:
    "<username>@5gc-nswo.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
  • For SNPNs:
    "<username>@5gc-nswo.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
In the above use cases:
  1. The entire NAI is constructed by the definition of the username part in clause 28.7.3, along with the realm mentioned in this section.
  2. the label '5gc-nswo' in the realm part indicates that the NAI is used for 5G NSWO. For PLMNs, <MNC> and <MCC> identify the PLMN, and for SNPNs, <NID>, <MNC> and <MCC> identify the SNPN, to which the UE attempts to connect via the 5G NSWO as described in clause 4.2.15 of TS 23.501.
For an anonymous SUCI in the 5G NSWO use case, assuming MCC=234, MNC=15 and the Routing Indicator 678, the UE shall use the NAI in the following format:
type1.rid678.schid0.useridanonymous@5gc-nswo.nid<NID>.mnc015.mcc234.3gppnetwork.org (with username corresponding to "anonymous"), or
type1.rid678.schid0.userid@5gc-nswo.nid<NID>.mnc015.mcc234.3gppnetwork.org (with username corresponding to an empty string)