
TS 23.501  Word version: 16.3.0


5.30  Support for non-public networks [R16]
5.30.1  General
A Non-Public Network (NPN) is a 5GS deployed for non-public use, see TS 22.261, clause 6.25. An NPN may be deployed as:
  • a Stand-alone Non-Public Network (SNPN), i.e. operated by an NPN operator and not relying on network functions provided by a PLMN, or
  • a Public network integrated NPN, i.e. a non-public network deployed with the support of a PLMN.
SNPN 5GS deployments are based on the architecture depicted in clause 4.2.3, the architecture for 5GC with untrusted non-3GPP access (Figure 4.2.8.2.1-1) for access to SNPN services via a PLMN (and vice versa) and the additional functionality covered in clause 5.30.2.
Interworking with EPS is not supported for SNPN.
Public network integrated NPNs can be enabled using network slicing (see Annex D).
5.30.2  Stand-alone non-public networks
5.30.2.1  Identifiers
The combination of a PLMN ID and Network identifier (NID) identifies an SNPN.
NOTE 1: The PLMN ID used for SNPNs is not required to be unique. PLMN IDs reserved for use by private networks can be used for non-public networks, e.g. based on mobile country code (MCC) 999 as assigned by ITU [78]. Alternatively, a PLMN operator can use its own PLMN IDs for SNPN(s) along with NID(s), but registration in a PLMN and mobility between a PLMN and an SNPN are not supported using an SNPN subscription given that the SNPNs are not relying on network functions provided by the PLMN.
The NID shall support two assignment models:
  • Self-assignment: NIDs are chosen individually by SNPNs at deployment time (and may therefore not be unique) but use a different numbering space than the coordinated assignment NIDs as defined in TS 23.003.
  • Coordinated assignment: NIDs are assigned using one of the following two options:
    1. The NID is assigned such that it is globally unique independent of the PLMN ID used; or
    2. The NID is assigned such that the combination of the NID and the PLMN ID is globally unique.
NOTE 2: Which legal entities manage the number space is beyond the scope of this specification.
An optional human-readable network name helps to identify an SNPN during manual SNPN selection.
5.30.2.2  Broadcast system information
NG-RAN nodes which provide access to SNPNs broadcast the following information:
  • One or multiple PLMN IDs
  • List of NIDs per PLMN ID identifying the non-public networks NG-RAN provides access to
    NOTE 1: It is assumed that an NG-RAN node supports broadcasting a total of twelve NIDs. Further details are defined in TS 38.331.
    NOTE 2: The presence of a list of NIDs for a PLMN ID indicates that the related PLMN ID and NIDs identify SNPNs.
  • Optionally a human-readable network name per NID.
    NOTE 3: The human-readable network name per NID is only used for manual SNPN selection. The mechanism by which the human-readable network name is provided to the UE (i.e. whether it is broadcast or unicast) is specified in TS 38.331.
  • Optionally information, as described in TS 38.300, TS 38.331 and in TS 38.304, to prevent UEs not supporting SNPNs from accessing the cell, e.g. in case the cell only provides access to non-public networks.
5.30.2.3  UE configuration and subscription aspects
An SNPN-enabled UE is configured with subscriber identifier (SUPI) and credentials for each subscribed SNPN identified by the combination of PLMN ID and NID.
A subscriber of an SNPN is either:
  • identified by a SUPI containing a network-specific identifier that takes the form of a Network Access Identifier (NAI) using the NAI RFC 7542 [20] based user identification as defined in TS 23.003, clause 28.7.2. The realm part of the NAI may include the NID of the SNPN; or
  • identified by a SUPI containing an IMSI.
An SNPN-enabled UE supports the SNPN access mode. When the UE is set to operate in SNPN access mode the UE only selects and registers with SNPNs over Uu as described in clause 5.30.2.4. Emergency services are not supported in SNPN access mode.
NOTE 1: Voice support with emergency services in SNPN access mode is not specified in this release.
If a UE is not set to operate in SNPN access mode, even if it is SNPN-enabled, the UE does not select and register with SNPNs. A UE not set to operate in SNPN access mode performs PLMN selection procedures as defined in clause 4.4 of TS 23.122. For a UE capable of simultaneously connecting to an SNPN and a PLMN, the setting for operation in SNPN access mode is applied only to the Uu interface for connection to the SNPN. Annex D.4 provides more details.
NOTE 2: Details of activation and deactivation of SNPN access mode are up to UE implementation.
5.30.2.4  Network selection in SNPN access mode
When a UE is set to operate in SNPN access mode the UE does not perform normal PLMN selection procedures as defined in clause 4.4 of TS 23.122.
UEs operating in SNPN access mode read the available PLMN IDs and list of available NIDs from the broadcast system information and take them into account during network selection.
For automatic network selection, the UE selects and attempts to register with the available SNPN identified by a PLMN ID and NID for which the UE has SUPI and credentials. If multiple SNPNs are available that the UE has respective SUPI and credentials for, then the priority order for selecting and attempting to register with SNPNs is based on UE implementation.
For manual network selection UEs operating in SNPN access mode provide to the user the list of NIDs and related human-readable names (if available) of the available SNPNs the UE has respective SUPI and credentials for.
NOTE: The details of SNPN selection will be defined in TS 23.122.
When a UE performs Initial Registration to an SNPN, the UE shall indicate the selected NID and the corresponding PLMN ID to NG-RAN. NG-RAN shall inform the AMF of the selected PLMN ID and NID.
5.30.2.5  Network access control
If a UE performs the registration or service request procedure in an SNPN identified by a PLMN ID and a self-assigned NID and there is no subscription for the UE, then the AMF shall reject the UE with an appropriate cause code to temporarily prevent the UE from automatically selecting and registering with the same SNPN.
If a UE performs the registration or service request procedure in an SNPN identified by a PLMN ID and a coordinated assigned NID and there is no subscription for the UE, then the AMF shall reject the UE with an appropriate cause code to permanently prevent the UE from automatically selecting and registering with the same SNPN.
NOTE: The details of rejection and cause codes will be defined in TS 24.501.
In order to prevent access to SNPNs for authorized UE(s) in case of network congestion/overload, Unified Access Control information is configured per non-public network (i.e. as part of the subscription information that the UE has for a given non-public network).
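The following Python sketch is an added example, not text or code from TS 23.501. It models automatic SNPN selection (clause 5.30.2.4) together with the AMF rejection rule of this clause; the class names, the `nid_model` field, the cause labels and all PLMN ID, NID and SUPI values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Placeholder labels: the actual cause codes are defined in TS 24.501.
TEMPORARY, PERMANENT = "reject-temporary", "reject-permanent"

@dataclass(frozen=True)
class Snpn:
    plmn_id: str
    nid: str

@dataclass
class Ue:
    # SNPN -> SUPI; dict order stands in for the implementation-specific priority.
    subscriptions: dict
    temp_blocked: set = field(default_factory=set)
    perm_blocked: set = field(default_factory=set)

    def candidates(self, broadcast):
        """Available SNPNs the UE holds SUPI and credentials for."""
        available = {Snpn(p, n) for p, nids in broadcast.items() for n in nids}
        blocked = self.temp_blocked | self.perm_blocked
        return [s for s in self.subscriptions if s in available and s not in blocked]

@dataclass
class Amf:
    nid_model: str      # "self" or "coordinated" (hypothetical field)
    subscribers: set    # SUPIs subscribed in this SNPN

    def register(self, supi):
        if supi in self.subscribers:
            return "accept"
        return TEMPORARY if self.nid_model == "self" else PERMANENT

def auto_select(ue, broadcast, amfs):
    """Try candidates in priority order; return (registered SNPN or None, log)."""
    log = []
    for snpn in ue.candidates(broadcast):
        result = amfs[snpn].register(ue.subscriptions[snpn])
        log.append((snpn.nid, result))
        if result == "accept":
            return snpn, log
        (ue.perm_blocked if result == PERMANENT else ue.temp_blocked).add(snpn)
    return None, log

def demo():
    # Constructed scenario. "nid-self-7" is self-assigned, so an unrelated site
    # can broadcast the same PLMN ID + NID; here the UE meets that other site.
    plant = Snpn("99901", "nid-self-7")
    campus = Snpn("99902", "nid-coord-1")
    ue = Ue({plant: "user1@plant.example", campus: "user1@campus.example"})
    broadcast = {"99901": ["nid-self-7"], "99902": ["nid-coord-1", "nid-coord-2"]}
    amfs = {plant: Amf("self", {"someone-else@other.example"}),
            campus: Amf("coordinated", {"user1@campus.example"})}
    first = auto_select(ue, broadcast, amfs)
    second = ue.candidates(broadcast)     # plant is skipped while blocked
    return first, second, ue
```

The temporary block models the case where a self-assigned NID, which need not be unique, matches a deployment the UE has no subscription with; expiry of the temporary block is not modelled.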
5.30.2.6  Cell (re-)selection in SNPN access mode
UEs operating in SNPN access mode only select cells and networks broadcasting both PLMN ID and NID of the selected SNPN.
NOTE: Further details on the NR idle and inactive mode procedures for SNPN cell selection will be defined in TS 38.331 and in TS 38.304.
5.30.2.7  Access to PLMN services via stand-alone non-public networks
To access PLMN services, a UE in SNPN access mode that has successfully registered with an SNPN may perform another registration via the SNPN User Plane with a PLMN (using the credentials of that PLMN) following the same architectural principles as specified in clause 4.2.8 and the SNPN taking the role of "Untrusted non-3GPP access". Annex D, clause D.3 provides additional details.
NOTE: QoS differentiation in the SNPN can be provided on per-IPsec Child Security Association basis by using the UE or network requested PDU Session Modification procedure described in TS 23.502, clause 4.3.3.2. In the PLMN, N3IWF determines the IPsec child SAs as defined in TS 23.502, clause 4.12. The N3IWF is preconfigured by PLMN to allocate different IPsec child SAs for QoS Flows with different QoS profiles.
To support QoS differentiation in the SNPN with network-initiated QoS, the mapping rules between the SNPN and the PLMN are assumed to be governed by an SLA including: 1) mapping between the DSCP markings for the IPsec child SAs on NWu and the corresponding QoS, which is the QoS requirement of the PLMN and is expected to be provided by the SNPN, and 2) N3IWF IP address(es) in the PLMN. The non-alteration of the DSCP field on NWu is also assumed to be governed by an SLA and by transport-level arrangements that are outside of 3GPP scope. The packet detection filters in the SNPN can be based on the N3IWF IP address and the DSCP markings on NWu.
To support QoS differentiation in the SNPN with UE-requested QoS, the UE can request for an IPsec SA the same 5QI from the SNPN as the 5QI provided by the PLMN. It is assumed that UE-requested QoS is used only when the 5QIs used by the PLMN are from the range of standardized 5QIs. The packet filters in the requested QoS rule can be based on the N3IWF IP address and the SPI associated with the IPsec SA.
5.30.2.8  Access to stand-alone non-public network services via PLMN
To access SNPN services, a UE that has successfully registered with a PLMN may perform another registration via the PLMN User Plane with an SNPN (using the credentials of that SNPN) following the same architectural principles as specified in clause 4.2.8 and the PLMN taking the role of "Untrusted non-3GPP access". Annex D, clause D.3 provides additional details.
NOTE: QoS differentiation in the PLMN can be provided on per-IPsec Child Security Association basis by using the UE or network requested PDU Session Modification procedure described in TS 23.502, clause 4.3.3.2. In the SNPN, N3IWF determines the IPsec child SAs as defined in TS 23.502, clause 4.12. The N3IWF is preconfigured by SNPN to allocate different IPsec child SAs for QoS Flows with different QoS profiles.
To support QoS differentiation in the PLMN with network-initiated QoS, the mapping rules between the PLMN and the SNPN are assumed to be governed by an SLA including: 1) mapping between the DSCP markings for the IPsec child SAs on NWu and the corresponding QoS, which is the QoS requirement of the SNPN and is expected to be provided by the PLMN, and 2) N3IWF IP address(es) in the SNPN. The non-alteration of the DSCP field on NWu is also assumed to be governed by an SLA and by transport-level arrangements that are outside of 3GPP scope. The packet detection filters in the PLMN can be based on the N3IWF IP address and the DSCP markings on NWu.
To support QoS differentiation in the PLMN with UE-requested QoS, the UE can request for an IPsec SA the same 5QI from the PLMN as the 5QI provided by the SNPN. It is assumed that UE-requested QoS is used only when the 5QIs used by the SNPN are from the range of standardized 5QIs. The packet filters in the requested QoS rule can be based on the N3IWF IP address and the SPI associated with the IPsec SA.
5.30.3  Public network integrated NPN
5.30.3.1  General
Public network integrated NPNs are NPNs made available via PLMNs e.g. by means of dedicated DNNs, or by one (or more) Network Slice instances allocated for the NPN. The existing network slicing functionalities apply as described in clause 5.15. When an NPN is made available via a PLMN, then the UE has a subscription for the PLMN.
NOTE 1: Annex D provides additional considerations for supporting a Non-Public Network as a Network Slice of a PLMN.
As network slicing does not enable the possibility to prevent UEs from trying to access the network in areas where the UE is not allowed to use the Network Slice allocated for the NPN, Closed Access Groups may optionally be used to apply access control.
A Closed Access Group identifies a group of subscribers who are permitted to access one or more CAG cells associated to the CAG.
CAG is used for the Public network integrated NPNs to prevent UE(s), which are not allowed to access the NPN via the associated cell(s), from automatically selecting and accessing the associated cell(s).
NOTE 2: CAG is used for authorization at network/cell selection and configured in the subscription as part of the Mobility Restrictions i.e. independent from any S-NSSAI. CAG is not used as input to AMF selection nor Network Slice selection. If NPN isolation is desired, the operator can better support NPN isolation by deploying network slicing for PNI-NPN, configuring dedicated S-NSSAI(s) for the given NPN as specified in Annex D, clause D.2 and restricting NPN's UE subscriptions to these dedicated S-NSSAI(s).
The following clauses describe the functionality needed for supporting CAGs.
5.30.3.2  Identifiers
The following is required for identification:
  • A CAG is identified by a CAG Identifier which is unique within the scope of a PLMN ID;
  • A CAG cell broadcasts one or multiple CAG Identifiers per PLMN;
    NOTE 1: It is assumed that an NG-RAN node supports broadcasting a total of twelve CAG Identifiers. Further details are defined in TS 38.331.
  • A CAG cell may in addition broadcast a human-readable network name per CAG Identifier.
    NOTE 2: The human-readable network name per CAG Identifier is only used for presentation to user when user requests a manual CAG selection.
5.30.3.3  UE configuration, subscription aspects and storage
To support CAG, the UE may be pre-configured or (re)configured with the following CAG information, included in the subscription as part of the Mobility Restrictions:
  • an Allowed CAG list i.e. a list of CAG Identifiers the UE is allowed to access; and
  • optionally, a CAG-only indication whether the UE is only allowed to access 5GS via CAG cells (see TS 38.304 for how the UE identifies whether a cell is a CAG cell).
The HPLMN may configure or re-configure a UE with the above CAG information using the UE Configuration Update procedure for access and mobility management related parameters described in TS 23.502, clause 4.2.4.2.
The above CAG information is provided by the HPLMN on a per PLMN basis. In a PLMN the UE shall only consider the CAG information provided for this PLMN. The UE shall store the latest available CAG information for every PLMN for which it is provided and keep it stored when the UE is de-registered.
NOTE: CAG information has no implication on whether and how the UE accesses 5GS over non-3GPP access.
5.30.3.4  Network and cell (re-)selection, and access control
The following is assumed for network and cell selection, and access control:
  • The CAG cell shall broadcast information such that only UEs supporting CAG are accessing the cell (see TS 38.300, TS 38.304);
    NOTE 1: The above also implies that cells are either CAG cells or normal PLMN cells.
  • In order to prevent access to NPNs for authorized UE(s) in case of network congestion/overload, the following can be used: existing mechanisms defined for Control Plane load control, congestion and overload control in clause 5.19, as well as the access control and barring functionality described in clause 5.2.5, or Unified Access Control using the access categories as defined in TS 24.501.
  • For aspects of automatic and manual network selection in relation to CAG, see TS 23.122;
  • For aspects related to cell (re-)selection, see TS 38.304;
  • The Mobility Restrictions shall be able to restrict the UE's mobility according to the Allowed CAG list (if configured in the subscription) and include an indication whether the UE is only allowed to access CAG cells (if configured in the subscription);
  • During transition from CM-IDLE to CM-CONNECTED, if the UE is accessing the 5GS via a CAG cell, the UE shall provide the selected CAG Identifier to NG-RAN and the NG-RAN shall provide the CAG Identifier to the AMF:
    • The AMF shall verify whether UE access is allowed by Mobility Restrictions:
      • If the CAG Identifier received from the NG-RAN is part of the UE's Allowed CAG list, then the AMF accepts the NAS request;
      • If the CAG Identifier received from the NG-RAN is not part of the UE's Allowed CAG list, then the AMF rejects the NAS request with an appropriate cause code, whereas the UE removes that CAG Identifier, if it exists, from its Allowed CAG list, as defined in TS 24.501. The AMF shall then release the NAS signalling connection for the UE by triggering the AN release procedure; and
      • If the UE is accessing the network via a non-CAG cell and the UE's subscription contains an indication that the UE is only allowed to access CAG cells, then the AMF rejects the NAS request with an appropriate cause code, whereas the UE updates its local configuration, as defined in TS 24.501. The AMF shall then release the NAS signalling connection for the UE by triggering the AN release procedure.
  • During transition from RRC Inactive to RRC Connected state:
    • When the UE initiates the RRC Resume procedure for RRC Inactive to RRC Connected state transition in a CAG cell, NG-RAN shall reject the RRC Resume request from the UE if none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list according to the Mobility Restrictions received from the AMF.
    • When the UE initiates the RRC Resume procedure for RRC Inactive to RRC Connected state transition in a non-CAG cell, NG-RAN shall reject the UE's Resume request if the UE is only allowed to access CAG cells according to the Mobility Restrictions received from the AMF.
  • During connected mode mobility procedures:
    • Based on the Mobility Restrictions received from the AMF:
      • Source NG-RAN shall not handover the UE to a target NG-RAN node if the target is a CAG cell and none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list;
      • Source NG-RAN shall not handover the UE to a non-CAG cell if the UE is only allowed to access CAG cells;
  • Update of Mobility Restrictions:
    • When the AMF receives the Nudm_SDM_Notification from the UDM and the AMF determines that the Allowed CAG list or the indication whether the UE is only allowed to access CAG cells has changed:
      • The AMF shall update the Mobility Restrictions in the UE and NG-RAN accordingly; and
      • If the UE is currently accessing a CAG cell and the CAG Identifier(s) supported by the CAG cell have been removed from the Allowed CAG list or if the UE is currently accessing a non-CAG cell and the indication that the UE is only allowed to access CAG cells has been set in the subscription, then the AMF shall release the NAS signalling connection for the UE by triggering the AN release procedure.
        NOTE 2: When the UE is accessing the network for emergency service the conditions for AMF in clause 5.16.4.3 apply.
    • After UCU, the AMF may release the NAS signalling connection by triggering the AN release procedure to allow the UE to reselect a cell based on the updated Allowed CAG list and CAG-only indication, e.g., if the CAG Identifier of current cell is not part of the updated Allowed CAG list.
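The checks listed in this clause, written out as an added Python example (not text or code from TS 23.501): the AMF decision at CM-IDLE to CM-CONNECTED, the NG-RAN rule for RRC Resume and handover targets, and the release decision after a subscription update. Function names and CAG Identifier values are hypothetical; the emergency-service conditions referenced in NOTE 2 are not modelled.

```python
from dataclasses import dataclass

@dataclass
class MobilityRestrictions:
    allowed_cags: set        # Allowed CAG list for the serving PLMN
    cag_only: bool = False   # UE may access 5GS only via CAG cells

def amf_check(mr, selected_cag):
    """CM-IDLE -> CM-CONNECTED. selected_cag is the CAG Identifier relayed by
    NG-RAN, or None when the UE came in through a non-CAG cell."""
    if selected_cag is not None:
        return "accept" if selected_cag in mr.allowed_cags else "reject"
    return "reject" if mr.cag_only else "accept"

def ran_admits(mr, cell_cags):
    """NG-RAN rule for RRC Resume and for a handover target.
    cell_cags: CAG Identifiers the cell supports; empty set = non-CAG cell."""
    if cell_cags:
        return bool(cell_cags & mr.allowed_cags)
    return not mr.cag_only

def release_after_update(mr_new, serving_cell_cags):
    """After Nudm_SDM_Notification: must the AMF trigger AN release?"""
    return not ran_admits(mr_new, serving_cell_cags)

def ue_handle_reject(ue_allowed, selected_cag):
    """UE side: drop the rejected CAG Identifier from its Allowed CAG list."""
    ue_allowed.discard(selected_cag)
    return ue_allowed

def walkthrough():
    # Constructed CAG Identifiers and cells; not taken from the specification.
    plant, office = {"cag-plant"}, {"cag-office", "cag-guest"}
    public = set()                                   # normal PLMN cell
    network = MobilityRestrictions({"cag-plant"}, cag_only=True)
    ue_allowed = {"cag-plant", "cag-office"}         # stale copy held by the UE
    out = {}
    out["idle_plant"] = amf_check(network, "cag-plant")
    out["idle_office"] = amf_check(network, "cag-office")
    out["ue_list"] = sorted(ue_handle_reject(ue_allowed, "cag-office"))
    out["idle_public"] = amf_check(network, None)
    out["resume_office"] = ran_admits(network, office)
    out["handover"] = [name for name, cags in
                       (("plant", plant), ("office", office), ("public", public))
                       if ran_admits(network, cags)]
    # Subscription update removes cag-plant while the UE is served by the plant cell.
    updated = MobilityRestrictions(set(), cag_only=False)
    out["release"] = release_after_update(updated, plant)
    out["public_after"] = amf_check(updated, None)
    return out
```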
5.30.3.5  Support of emergency services in CAG cells
Emergency Services are supported in CAG cells, for UEs supporting CAG, whether normally registered or emergency registered as described in clause 5.16.4 and TS 23.502, clause 4.13.4.
A UE supporting CAG may camp on an acceptable CAG cell in limited service state as specified in TS 23.122 and TS 38.304.
NOTE: Support for Emergency services requires the cell to only be connected to AMFs that support emergency services.
During handover to a CAG cell, if the UE is not authorized to access the target CAG cell and has emergency services, the target NG-RAN node only accepts the emergency PDU sessions and the target AMF releases the non-emergency PDU connections that were not accepted by the NG-RAN node. Upon completion of handover the UE behaves as emergency registered.
