Content for TS 23.003 Word version: 18.3.0

1… 2… 2.8… 3… 4… 5… 6… 7… 8… 9… 10… 11 12… 13… 14… 15… 16… 17… 18… 19… 19.4… 19.5… 20… 21… 22… 23… 24… 25… 26… 27… 28… 28.3.2.2… 28.3.2.2.6… 28.3.2.3… 28.4… 28.7… 28.8… 29… A… B… C… D E…

28.7 Network Access Identifier (NAI) 28.7.1 Introduction 28.7.2 NAI format for SUPI 28.7.3 NAI format for SUCI 28.7.4 Emergency NAI for Limited Service State 28.7.5 Alternative NAI 28.7.6 NAI used for 5G registration via trusted non-3GPP access 28.7.7 NAI used by N5CW devices via trusted non-3GPP access 28.7.7.0 General 28.7.7.1 Decorated NAI used for N5CW devices via trusted non-3GPP access 28.7.7.2 Decorated NAI used for N5CW devices via trusted non-3GPP access for SNPN 28.7.8 NAI format for 5G-GUTI 28.7.9 Decorated NAI format for SUCI 28.7.9.1 General 28.7.9.2 Decorated NAI used for 5G NSWO 28.7.10 NAI format for UP-PRUK ID 28.7.11 NAI format for CP-PRUK ID 28.7.12 NAI used for 5G NSWO
...

28.7 Network Access Identifier (NAI) p. 125

28.7.1 Introduction p. 125

This clause describes the NAI formats used in the 5G System.

28.7.2 NAI format for SUPI p. 125

The NAI for SUPI shall have the form username@realm as specified in Section 2.2 of RFC 7542.

A SUPI containing a network specific identifier shall take the form of a Network Access Identifier (NAI). See clause 5.9.2 of TS 23.501 for the definition and use of the network specific identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8 of TS 23.501 for the realm part format see Home Network Domain for an SNPN in clause 28.2).

See clauses 28.15.2 and 28.16.2 for the NAI format for a SUPI containing a GCI or a GLI.

28.7.3 NAI format for SUCI p. 125

When the SUPI is defined as a Network Specific Identifier, the SUCI shall take the form of a Network Access Identifier (NAI). In this case, the NAI format of the SUCI shall have the form username@realm as specified in Section 2.2 of RFC 7542, where the realm part shall be identical to the realm part of the Network Specific Identifier. In SNPN scenarios, the realm part of the NAI may include MCC, MNC and the NID of the SNPN (see clauses 5.30.2.3, 5.30.2.9, 6.3.4, and 6.3.8 of TS 23.501 for the realm part format see Home Network Domain for an SNPN in clause 28.2).

When the SUPI is defined as an IMSI, the SUCI in NAI format shall have the form username@realm, where the realm part shall be constructed by converting the leading digits of the IMSI, i.e. MNC and MCC, into a domain name, as described in clause 28.2. In SNPN scenarios, the realm part shall additionally include the NID of the SNPN, if available. The resulting realm part of the NAI shall be in the form:

"5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org", or

"5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org" (for SNPN scenarios where the NID is available).

The username part of the NAI shall take one of the following forms:

for the null-scheme:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.userid<MSIN or Network Specific Identifier SUPI username>
for the Scheme Output for Elliptic Curve Integrated Encryption Scheme Profile A and Profile B:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.ecckey<ECC ephemeral public key value>.cip<ciphertext value>.mac<MAC tag value>
for HPLMN proprietary protection schemes:
type<supi type>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>. out<HPLMN defined scheme output>
See clause 2.2B for the definition and format of the different fields of the SUCI.

EXAMPLES:

Assuming the IMSI 234150999999999, where MCC=234, MNC=15 and MSISN=0999999999, the Routing Indicator 678, and a Home Network Public Key Identifier of 27, the NAI format for the SUCI takes the form:

for the null-scheme:

type0.rid678.schid0.userid0999999999@5gc.mnc015.mcc234.3gppnetwork.org
for the Profile <A> protection scheme:
type0.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip< encryption of 0999999999>.mac<MAC tag value>@5gc.mnc015.mcc234.3gppnetwork.org

Assuming the Network Specific Identifier user17@example.com, the Routing Indicator 678, and a Home Network Public Key Identifier of 27, the NAI format for the SUCI takes the form:

for the null-scheme:
type1.rid678.schid0.useriduser17@example.com
for an anonymous SUCI:
type1.rid678.schid0.useridanonymous@example.com (with username corresponding to "anonymous"), or
type1.rid678.schid0.userid@example.com (with username corresponding to an empty string)
for the Profile <A> protection scheme:
type1.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip< encryption of user17>.mac<MAC tag value>@example.com

See clauses 28.15.5 and 28.16.5 for the NAI format for a SUCI containing a GCI or a GLI.

28.7.4 Emergency NAI for Limited Service State p. 126

This clause describes the format of the UE identification when UE is performing an emergency registration and IMSI is not available or not authenticated.

The Emergency NAI for Limited Service State shall take the form of an NAI, and shall have the form username@realm as specified in Section 2.2 of RFC 7542. The exact format shall be:

imei<IMEI>@sos.invalid

or if IMEI is not available,

mac<MAC>@sos.invalid

For example, if the IMEI is 219551288888888, the Emergency NAI for Limited Service State then takes the form of imei219551288888888@sos.invalid.

For example, if the MAC address is 44-45-53-54-00-AB, the Emergency NAI for Limited Service State then takes the form of mac4445535400AB@sos.invalid, where the MAC address is represented in hexadecimal format without separators.

28.7.5 Alternative NAI p. 126

The Alternative NAI shall take the form of a NAI, i.e. 'any_username@realm' as specified of RFC 7542. The Alternative NAI shall not be routable from any AAA server.

The Alternative NAI shall contain a username part that is not a null string.

The realm part of the NAI shall be "unreachable.3gppnetwork.org".

The result shall be an NAI in the form of:

"<any_non_null_string>@unreachable.3gppnetwork.org".

28.7.6 NAI used for 5G registration via trusted non-3GPP access |R16| p. 127

While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected PLMN (see clause 4.12a of TS 23.502), the UE shall derive a NAI from the identity of the selected PLMN in the following format:

"<any_non_null_string>@nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"

where:

the username part <any_non_null_string> is any non null string; and
the <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the UE attempts to connect via the trusted non-3GPP access network as described in clause 6.3.12 of TS 23.501.

While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN (see clause 5.30.2.13 of TS 23.501), the UE shall derive a NAI from the identity of the selected SNPN in the following format:

"<any_non_null_string>@nai.5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org";

where:

the username part <any_non_null_string> is any non null string; and
the <MNC>, <MCC> and <NID> identify the SNPN to which the UE attempts to connect via the trusted non-3GPP access network.

While performing the EAP authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected TNGF, the UE shall derive NAI from the identity of the selected TNGF in the following format:

"<any_non_mull_string>@tngfid<TNGF ID>.nai.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org";

where:

The username part <any_non_mull_string> is any non null string; and
The <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the UE attempts to connect via the trusted non-3GPP access network; and
<TNGF ID> identifies the TNGF.

While performing the EAP-authentication procedure when a UE attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN and TNGF, the UE shall derive a NAI from the identity of the selected SNPN and TNGF in the following format:

"<any_non_null_string>@tngfid<TNGF ID>.nai.5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org";

where:

the username part <any_non_null_string> is any non null string; and
the <MNC>, <MCC> and <NID> identify the SNPN to which the UE attempts to connect via the trusted non-3GPP access network; and
<TNGF ID> identifies the TNGF.

28.7.7 NAI used by N5CW devices via trusted non-3GPP access |R16| p. 128

28.7.7.0 General |R18| p. 128

While performing the EAP authentication procedure when a non 5G capable over WLAN (N5CW) device attempts to register to 5GCN via a trusted non-3GPP access network in a selected PLMN (see clause 4.12b of TS 23.502), the N5CW device shall derive a NAI from the identity of the selected PLMN in the following format:

"<5G_device_unique_identity>@nai.5gc-nn.mnc<MNC>.mcc<MCC>.3gppnetwork.org";

where:

the username part <5G_device_unique_identity> is to identify the N5CW device and contains either:
- SUCI as defined as the username part of the NAI format in clause 28.7.3, if the UE is not registered to 5GCN via NG-RAN; or
- 5G-GUTI as defined as the username part of the NAI format in clause 28.7.8, if the N5CW device is registered to 5GCN via NG-RAN; and
the the label '5gc-nn' in the realm part indicates the NAI is used by N5CW devices via trusted non-3GPP access. <MNC> and <MCC> identify the PLMN (either HPLMN or VPLMN) to which the N5CW device attempts to connect via the trusted non-3GPP access network as described in clause 6.3.12 of TS 23.501.

While performing the EAP authentication procedure when a non 5G capable over WLAN (N5CW) device attempts to register to 5GCN via a trusted non-3GPP access network in a selected SNPN (see clause 5.30.2.13 of TS 23.501), the N5CW device shall derive a NAI from the identity of the selected SNPN in the following format:

"<5G_device_unique_identity>@nai.5gc-nn.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org";

where:

the username part <5G_device_unique_identity> is to identify the N5CW device and contains either:
- SUCI as defined as the username part of the NAI format in clause 28.7.3; or
- 5G-GUTI as defined as the username part of the NAI format in clause 28.7.8, if the N5CW device is registered to 5GCN via NG-RAN; and
the label '5gc-nn' in the realm part indicates the NAI is used by N5CW devices via trusted non-3GPP access. <MNC>, <MCC> and <NID> identify the SNPN to which the N5CW device attempts to connect via the trusted non-3GPP access network.

In roaming scenarios, the NAI shall use the decorated NAI format as specified in clause 28.7.7.1 or 28.7.7.2.

28.7.7.1 Decorated NAI used for N5CW devices via trusted non-3GPP access p. 128

The Decorated NAI used for N5CW devices via trusted non-3GPP access roaming scenarios shall take the form:

"nai.5gc-nn.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<5G_device_unique_identity>@nai.5gc-nn.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org"

where the <5G_device_unique_identity> is to identify the N5CW device as defined in clause 28.7.7.0.

28.7.7.2 Decorated NAI used for N5CW devices via trusted non-3GPP access for SNPN p. 129

The Decorated NAI used for N5CW devices via trusted non-3GPP access for SNPN roaming scenarios shall take the form:

"nai.5gc-nn.nid<NID_Home>.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<5G_device_unique_identity>@nai.5gc-nn.nid<NID_visited>.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org"

where the <5G_device_unique_identity> is to identify the N5CW device as defined in clause 28.7.7.0, and the <NID_Home> or <NID_visited> shall be encoded as hexadecimal digits as specified in clause 12.7.

28.7.8 NAI format for 5G-GUTI |R16| p. 129

The NAI format of the 5G-GUTI shall have the form username@realm as specified in Section 2.2 of RFC 7542.

The username part of the NAI shall take the following form:

tmsi<5G-TMSI>.pt<AMF Pointer>.set<AMF Set Id>.region<AMF Region Id>

<5G-TMSI>, <AMF Pointer>, <AMF Set Id> and <AMF Region Id> are the hexadecimal strings of the 5G-TMSI, AMF Pointer, AMF Set ID and AMF Region ID. If there are less than 8 significant digits in <5G-TMSI>, "0" digit(s) shall be inserted at the left side to fill the 8 digits coding. If there are less than 2 significant digits in <AMF Pointer> or <AMF Region Id>, "0" digit(s) shall be inserted at the left side to fill the 2 digits coding of the AMF Pointer or AMF Region Id respectively. If there are less than 3 significant digits in <AMF Set Id>, "0" digit(s) shall be inserted at the left side to fill the 3 digits coding.

Example:

Assuming 5G-TMSI = 06666666 (hexadecimal), AMF Pointer=12 (hexadecimal), AMF Set = 001 (hexadecimal), AMF Region = 48 (hexadecimal), the username part of the NAI is encoded as:

"tmsi06666666.pt12.set001.region48"

The NAI for an N5CW device in a PLMN (either HPLMN or VPLMN) with MNC=012 and MCC=345, to which the N5CW device attempts to connect via the trusted non-3GPP access, according to clause 28.7.7 is:

"tmsi06666666.pt12.set001.region48@nai.5gc-nn.mnc012.mcc345.3gppnetwork.org"

28.7.9 Decorated NAI format for SUCI |R17| p. 129

28.7.9.1 General p. 129

The Decorated NAI format for SUCI shall take the form of a NAI and shall have the form

'Homerealm!username@otherrealm'

as specified in Section 2.7 of RFC 4282.

The username part of Decorated NAI shall contain the username of the NAI format for SUCI as specified in clause 28.7.3.

'Homerealm' shall be the realm of the NAI format for SUCI as specified in clause 28.7.3, unless specified otherwise in relevant clauses.

The realm part of Decorated NAI consists of 'otherrealm', see the IETF RFC 4282. Otherrealm' is the realm built using the PLMN ID (visitedMCC + visited MNC) of the visited PLMN selected by the UE.

The 'Homerealm' and the 'otherealm' may be preceded by one or more labels for specific use cases of the Decorated NAI format for SUCI, e.g. for 5G NSWO (see clause 28.7.9.2).

The result is a decorated NAI of the form:

<one or more labels>.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@<one or more labels>.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org

28.7.9.2 Decorated NAI used for 5G NSWO p. 130

The Decorated NAI used for 5G NSWO roaming scenarios shall take the form of a NAI as defined in clause 28.7.9.1, where the 'Homerealm' and the 'otherealm' shall be preceded by the label '5gc-nswo'.

The result is a decorated NAI of the form:

5gc-nswo.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<username of SUCI in NAI format>@5gc-nswo.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org

EXAMPLE:

Assuming the IMSI 234150999999999, where MCC=234, MNC=15 and MSISN=0999999999, the Routing Indicator 678, a Home Network Public Key Identifier of 27, the null-scheme, and the Visited PLMN ID (MCC = 610, MNC = 71):

the NAI format for the SUCI for 5G NSWO takes the form:
type0.rid678.schid0.userid0999999999@5gc-nswo.mnc015.mcc234.3gppnetwork.org
the Decorated NAI format for the SUCI for 5G NSWO roaming takes the form:
5gc-nswo.mnc015.mcc234.3gppnetwork.org!type0.rid678.schid0.userid0999999999@5gc-nswo.mnc071.mcc610.3gppnetwork.org

28.7.10 NAI format for UP-PRUK ID |R17| p. 130

The NAI format for UP-PRUK ID shall have the form username@realm as specified in Section 2.2 of RFC 7542, where:

the realm part shall be in the form:

"prose-up.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
the username part shall be a non-empty string which is unique in the realm, as specified in TS 33.503.

The maximum length of a UP-PRUK ID in NAI format is 254 octets.

28.7.11 NAI format for CP-PRUK ID |R17| p. 130

The NAI format for CP-PRUK ID shall have the form username@realm as specified in Section 2.2 of RFC 7542.

The realm part shall be in the form:

"prose-cp.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"

The username part of the NAI shall take one of the following forms:

"rid<routing indicator>.pid<CP-PRUK ID*>"

the <routing indicator> part is the "Routing Indicator" as specified in clause 2.2B.
the <CP-PRUK ID*> part is the hexadecimal representation of the CP-PRUK ID* specified in clause A.2 of TS 33.503.

The maximum length of a CP-PRUK ID in NAI format is 254 octets.

28.7.12 NAI used for 5G NSWO |R17| p. 131

When the UE decides to use 5G NSWO to connect to the WLAN access network using its 5GS credentials but without registration to 5GS, the NAI format for 5G NSWO in non-roaming scenarios is used. See clause 28.7.9.2 for the NAI format for 5G NSWO in roaming scenarios.

In the 5G NSWO use case, the UE shall use a NAI in the following format:

For PLMNs:
"<username>@5gc-nswo.mnc<MNC>.mcc<MCC>.3gppnetwork.org"
For SNPNs:
"<username>@5gc-nswo.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org"

In the above use cases:

the username part is defined in clause 28.7.3; and
the label '5gc-nswo' in the realm part indicates that the NAI is used for 5G NSWO. For PLMNs, <MNC> and <MCC> identify the PLMN, and for SNPNs, <NID>, <MNC> and <MCC> identify the SNPN, to which the UE attempts to connect via the 5G NSWO as described in clause 4.2.15 of TS 23.501.