full Table of Contents for  TS 23.501  Word version:   16.3.0

The security features in the 5G System include:

• Authentication of the UE by the network and vice versa (mutual authentication between UE and network).
• Security context generation and distribution.
• User Plane data confidentiality and integrity protection.
• Control Plane signalling confidentiality and integrity protection.
• User identity confidentiality.
• Support of LI requirements as specified in TS 33.126 subject to regional/national regulatory requirements, including protection of LI data (e.g., target list) that may be stored or transferred by an NF.

Detailed security related network functions for 5G are described in TS 33.501.

Dual Connectivity involves two radio network nodes in providing radio resources to a given UE (with active radio bearers), while a single N2 termination point exists for the UE between an AMF and the RAN. The RAN architecture and related functions to support Dual Connectivity is further described in RAN specifications (e.g. TS 37.340). The RAN node at which the N2 terminates, performs all necessary N2 related functions such as mobility management, relaying of NAS signalling, etc. and manages the handling of user plane connection (e.g. transfer over N3). It is called the Master RAN Node. It may use resources of another RAN node, the Secondary RAN node, to exchange User Plane traffic of an UE. Master RAN node takes into account the RSN to determine if dual connectivity shall be set up and ensure appropriate PDU session handling ensures fully redundant user plane path as described in clause 5.33.2.1.

The 5GC charging supports collection and reporting of charging information for network resource usage, as defined in TS 32.240. The CHF and the interfaces of the CHF are defined in TS 32.240. The SMF supports the interactions towards the charging system, as defined in TS 32.240. The UPF supports functionality to collect and report usage data to SMF. The N4 reference point supports the SMF control of the UPF collection and reporting of usage data. The AMF supports interactions towards the charging system, as defined in TS 32.256.

Network slices may differ for supported features and network functions optimisations, in which case such Network Slices may have e.g. different S-NSSAIs with different Slice/Service Types (see clause 5.15.2.1). The operator can deploy multiple Network Slices delivering exactly the same features but for different groups of UEs, e.g. as they deliver a different committed service and/or because they are dedicated to a customer, in which case such Network Slices may have e.g. different S-NSSAIs with the same Slice/Service Type but different Slice Differentiators (see clause 5.15.2.1). The network may serve a single UE with one or more Network Slice instances simultaneously via a 5G-AN regardless of the access type(s) over which the UE is registered (i.e. 3GPP Access and/or N3GPP Access). The AMF instance serving the UE logically belongs to each of the Network Slice instances serving the UE, i.e. this AMF instance is common to the Network Slice instances serving a UE. NOTE 1: Number of simultaneous connection of Network Slice instances per UE is limited by the number of S-NSSAIs in the Requested/Allowed NSSAI as described in clause 5.15.2.1. NOTE 2: In this Release of the specification it is assumed that in any (home or visited) PLMN it is always possible to select an AMF that can serve any combination of S-NSSAIs that will be provided as an Allowed NSSAI. The selection of the set of Network Slice instances for a UE is triggered by the first contacted AMF in a Registration procedure normally by interacting with the NSSF, and can lead to a change of AMF. This is further described in clause 5.15.5. A PDU Session belongs to one and only one specific Network Slice instance per PLMN. Different Network Slice instances do not share a PDU Session, though different Network Slice instances may have slice-specific PDU Sessions using the same DNN.