Tech-invite3GPPspecsSIPRFCs
Overview21222324252627282931323334353637384‑5x

Content for  TS 23.501  Word version:  17.0.0

Top   Top   Up   Prev   Next
1…   3…   4…   4.2.4   4.2.5…   4.2.8…   4.2.8.2.2   4.2.8.2.3…   4.2.8.4…   4.2.9…   4.3…   4.3.3   4.3.4   4.3.5   4.4…   4.4.6…   4.4.8   5…   5.3…   5.3.3…   5.4…   5.5…   5.6…   5.6.7…   5.7…   5.7.2…   5.7.3…   5.7.4   5.7.5…   5.8…   5.8.2.11…   5.9…   5.10…   5.11…   5.15…   5.16…   5.17…   5.18…   5.19…   5.21…   5.22…   5.27…   5.28…   5.29…   5.30…   5.31…   5.32…   5.33…   5.34…   5.35…   6…   6.3…   7…   7.2…   8…   8.2.4   8.2.5…   8.3…   A…   D…   E…   F   G…   G.3   G.4…   J…

 

5.30  Support for non-public networks |R16|Word‑p. 308

5.30.1  General

A Non-Public Network (NPN) is a 5GS deployed for non-public use, see TS 22.261. An NPN is either:
  • a Stand-alone Non-Public Network (SNPN), i.e. operated by an NPN operator and not relying on network functions provided by a PLMN, or
  • a Public Network Integrated NPN (PNI-NPN), i.e. a non-public network deployed with the support of a PLMN.
Stand-alone NPN are described in clause 5.30.2 and Public Network Integrated NPNs are described in clause 5.30.3.
Up

5.30.2  Stand-alone non-public networks

5.30.2.0  General

SNPN 5GS deployments are based on the architecture depicted in clause 4.2.3, the architecture for 5GC with untrusted non-3GPP access (Figure 4.2.8.2.1-1) for access to SNPN services via a PLMN (and vice versa) and the additional functionality covered in clause 5.30.2.
Alternatively, a Credentials Holder (CH) may authenticate and authorize access to an SNPN separate from the Credentials Holder based on the architecture specified in clause 5.30.2.9.
In this Release, direct access to SNPN is specified for 3GPP access only.
Up

5.30.2.1  Identifiers

The combination of a PLMN ID and Network identifier (NID) identifies an SNPN.
The NID shall support two assignment models:
  • Self-assignment: NIDs are chosen individually by SNPNs at deployment time (and may therefore not be unique) but use a different numbering space than the coordinated assignment NIDs as defined in TS 23.003.
  • Coordinated assignment: NIDs are assigned using one of the following two options:
    1. The NID is assigned such that it is globally unique independent of the PLMN ID used; or
    2. The NID is assigned such that the combination of the NID and the PLMN ID is globally unique.
An optional human-readable network name helps to identify an SNPN during manual SNPN selection. The human-readable network name and how it is used for SNPN manual selection is specified in TS 22.261 and TS 23.122.
Up

5.30.2.2  Broadcast system informationWord‑p. 309
NG-RAN nodes which provide access to SNPNs broadcast the following information:
  • One or multiple PLMN IDs
  • List of NIDs per PLMN ID identifying the non-public networks NG-RAN provides access to
  • Optionally:
    • A human-readable network name per SNPN;
    • Information, as described in TS 38.300, TS 38.331 and in TS 38.304, to prevent UEs not supporting SNPNs from accessing the cell, e.g. if the cell only provides access to non-public networks;
    • An indication per SNPN of whether access using credentials from a Credentials Holder is supported;
    • List of supported Group IDs for Network Selection (GINs) per SNPN. GIN reuses the NID encoding in TS 23.003 and can be self-managed or globally unique;
    • An indication per SNPN of whether the SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, i.e. UEs that do not have any PLMN ID and NID nor GIN broadcast by the SNPN in the Credentials Holder controlled prioritized lists of preferred SNPNs/GINs.
Up

5.30.2.3  UE configuration and subscription aspects

An SNPN-enabled UE is configured with the following information for each subscribed SNPN:
  • PLMN ID and NID of the SNPN;
  • Subscriber identifier (SUPI) and credentials;
  • Optionally, an N3IWF FQDN and an identifier of the country where the configured N3IWF is located;
  • Optionally, if the UE supports access to an SNPN using credentials from a Credentials Holder:
    • User controlled prioritized list of preferred SNPNs;
    • Credentials Holder controlled prioritized list of preferred SNPNs;
    • Credentials Holder controlled prioritized list of GINs.
The Credentials Holder controlled prioritized lists of preferred SNPNs and GINs can be updated by the Credentials Holder.
A subscriber of an SNPN is either:
  • identified by a SUPI containing a network-specific identifier that takes the form of a Network Access Identifier (NAI) using the NAI RFC 7542 based user identification as defined in TS 23.003, clause 28.7.2. The realm part of the NAI may include the NID of the SNPN; or
  • identified by a SUPI containing an IMSI.
In the case of access to an SNPN using credentials owned by a Credentials Holder as specified in clause 5.30.2.9.3, the SUPI shall also contain identification for the Credentials Holder (i.e. the realm in the case of Network Specific Identifier based SUPI or the MCC and MNC in the case of an IMSI based SUPI).
An SNPN-enabled UE that supports access to an SNPN using credentials from a Credentials Holder and that is equipped with a PLMN subscription may additionally be configured with the following information for SNPN selection and registration using the PLMN subscription in SNPN access mode:
  • User controlled prioritized list of preferred SNPNs;
  • Credentials Holder controlled prioritized list of preferred SNPNs;
  • Credentials Holder controlled prioritized list of preferred GINs.
The Credentials Holder controlled prioritized lists of preferred SNPNs and GINs can be updated by the Credentials Holder.
Up

5.30.2.4  Network selection in SNPN access modeWord‑p. 310
5.30.2.4.1  General |R17|
An SNPN-enabled UE supports the SNPN access mode. When the UE is set to operate in SNPN access mode the UE only selects and registers with SNPNs over Uu as described in clause 5.30.2.4.
Emergency services are not supported in SNPN access mode.
If a UE is not set to operate in SNPN access mode, even if it is SNPN-enabled, the UE does not select and register with SNPNs. A UE not set to operate in SNPN access mode performs PLMN selection procedures as defined in clause 4.4 of TS 23.122. For a UE capable of simultaneously connecting to an SNPN and a PLMN, the setting for operation in SNPN access mode is applied only to the Uu interface for connection to the SNPN. Clause D.4 provides more details.
An SNPN-enabled UE that supports access to an SNPN using credentials from a Credentials Holder and that is equipped with a PLMN subscription needs to first enter SNPN access mode to be able to select SNPNs. Once the UE has entered SNPN access mode, SNPN selection is performed as described in clause 5.30.2.4. Once an SNPN has been selected the UE attempts registration in the SNPN using the PLMN credentials.
When a UE is set to operate in SNPN access mode the UE does not perform normal PLMN selection procedures as defined in clause 4.4 of TS 23.122.
UEs operating in SNPN access mode read the information described in clause 5.30.2.2 from the broadcast system information and take them into account during network selection.
Up
5.30.2.4.2  Automatic network selection |R17|
For automatic network selection the UE selects and attempts registration on available and allowable SNPNs in the following order:
  • the SNPN the UE was last registered with (if available);
  • the SNPN identified by the PLMN ID and NID for which the UE has SUPI and credentials.;
  • If the UEs supports access to an SNPN using credentials from a Credentials Holder then the UE continues by selecting and attempting registration on available and allowable SNPNs which broadcast the indication that access using credentials from a Credentials Holder is supported in the following order:
    • SNPNs in the user controlled prioritized list of preferred SNPNs (in priority order);
    • SNPNs in the Credentials Holder controlled prioritized list of preferred SNPNs (in priority order);
    • SNPNs, which additionally broadcast a GIN contained in the Credentials Holder controlled prioritized list of preferred GINs (in priority order);
    • SNPNs, which additionally broadcast an indication that the SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, i.e. the broadcasted NID or GIN is not present in the Credentials Holder controlled prioritized lists of preferred SNPNs/GINs in the UE.
When a UE performs Initial Registration to an SNPN, the UE shall indicate the PLMN ID and NID as broadcast by the selected SNPN to NG-RAN. NG-RAN shall inform the AMF of the selected PLMN ID and NID.
Up
5.30.2.4.3  Manual network selection |R17|Word‑p. 311
For manual network selection UEs operating in SNPN access mode provide to the user the list of SNPNs (each is identified by a PLMN ID and NID) and related human-readable names (if available) of the available SNPNs the UE has respective SUPI and credentials for. If the UEs supports access to an SNPN using credentials from a Credentials Holder, the UE also presents available SNPNs which broadcast the "access using credentials from a Credentials Holder is supported" indication.
When a UE performs Initial Registration to an SNPN, the UE shall indicate the selected PLMN ID and NID as broadcast by the selected SNPN to NG-RAN. NG-RAN shall inform the AMF of the selected PLMN ID and NID.
Up

5.30.2.5  Network access control

If a UE performs the registration or service request procedure in an SNPN identified by a PLMN ID and a self-assigned NID and there is no subscription for the UE, then the AMF shall reject the UE with an appropriate cause code to temporarily prevent the UE from automatically selecting and registering with the same SNPN.
If a UE performs the registration or service request procedure in an SNPN identified by a PLMN ID and a coordinated assigned NID and there is no subscription for the UE, then the AMF shall reject the UE with an appropriate cause code to permanently prevent the UE from automatically selecting and registering with the same SNPN.
In order to prevent access to SNPNs for authorized UE(s) in the case of network congestion/overload, Unified Access Control information is configured per SNPN (i.e. as part of the subscription information that the UE has for a given SNPN) and provided to the UE as described in TS 24.501.
Up

5.30.2.6  Cell (re-)selection in SNPN access modeWord‑p. 312
UEs operating in SNPN access mode only select cells and networks broadcasting both PLMN ID and NID of the selected SNPN.

5.30.2.7  Access to PLMN services via stand-alone non-public networks

To access PLMN services, a UE in SNPN access mode that has successfully registered with an SNPN may perform another registration via the SNPN User Plane with a PLMN (using the credentials of that PLMN) following the same architectural principles as specified in clause 4.2.8 (including the optional support for PDU Session continuity between PLMN and SNPN using the Handover of a PDU Session procedures in TS 23.502, clauses 4.9.2.1 and 4.9.2.2) and the SNPN taking the role of "Untrusted non-3GPP access". Annex D, clause D.3 provides additional details.
Up

5.30.2.8  Access to stand-alone non-public network services via PLMN

To access SNPN services, a UE that has successfully registered with a PLMN over 3GPP access may perform another registration via the PLMN User Plane with an SNPN (using the credentials of that SNPN) following the same architectural principles as specified in clause 4.2.8 (including the optional support for PDU Session continuity between PLMN and SNPN using the Handover of a PDU Session procedures in TS 23.502, clauses 4.9.2.1 and 4.9.2.2) and the PLMN taking the role of "Untrusted non-3GPP access" of the SNPN, i.e. using the procedures for Untrusted non-3GPP access in clause 4.12.2 of TS 23.502. Annex D, clause D.3 provides additional details. The case where UE that has successfully registered with a PLMN over non-3GPP access to access SNPN services is not specified in this Release.
When the UE accesses the SNPN over Nwu via a PLMN, the AMF in the serving SNPN shall send an indication toward the UE during the Registration procedure to indicate whether an IMS voice over PS session is supported or not.
Up

5.30.2.9  SNPN connectivity for UEs with credentials owned by Credentials Holder |R17|Word‑p. 313
5.30.2.9.1  General
5.30.2.9.2  Credentials Holder using AAA Server for primary authentication and authorization
The AUSF in SNPN may support primary authentication and authorization of UEs that use credentials from an AAA Server in a Credentials Holder (CH).
  • If the UDM instructs AUSF that primary authentication by a AAA server in a CH is required, the AUSF shall discover and select the AAA server, and then forward EAP messages to the AAA server which is acting as the EAP Server for the purpose of primary authentication.
  • The SUPI is used to identify the UE during primary authentication and authorization towards the AAA sever. SUPI privacy is achieved according to existing methods in Annex I.5 of TS 33.501.
  • After completing the primary authentication with the AAA server successfully, the AMF and SMF shall retrieve the UE subscription data from UDM using SUPI.
Figure 5.30.2.9.2-1 depicts the 5G System architecture for SNPN with Credentials Holder using AAA Server for primary authentication and authorization.
(not reproduced yet)
Figure 5.30.2.9.2-1: 5G System architecture with access to SNPN using credentials from Credentials Holder using AAA Server
Up
5.30.2.9.3  Credentials Holder using AUSF and UDM for primary authentication and authorizationWord‑p. 314
Figure 5.30.2.9.3-1 depicts the 5G System architecture for SNPN with Credentials Holder using AUSF and UDM for primary authentication and authorization.
(not reproduced yet)
Figure 5.30.2.9.3-1: 5G System architecture with access to SNPN using credentials from Credentials Holder using AUSF and UDM
Up

5.30.3  Public Network Integrated NPN

5.30.3.1  General

Public Network Integrated NPNs are NPNs made available via PLMNs e.g. by means of dedicated DNNs, or by one (or more) Network Slice instances allocated for the NPN. The existing network slicing functionalities apply as described in clause 5.15. When a PNI-NPN is made available via a PLMN, then the UE shall have a subscription for the PLMN in order to access PNI-NPN.
As network slicing does not enable the possibility to prevent UEs from trying to access the network in areas where the UE is not allowed to use the Network Slice allocated for the NPN, Closed Access Groups may optionally be used to apply access control.
A Closed Access Group identifies a group of subscribers who are permitted to access one or more CAG cells associated to the CAG.
CAG is used for the PNI-NPNs to prevent UE(s), which are not allowed to access the NPN via the associated cell(s), from automatically selecting and accessing the associated CAG cell(s).
The following clauses describes the functionality needed for supporting CAGs.
Up

5.30.3.2  IdentifiersWord‑p. 315
The following is required for identification:
  • A CAG is identified by a CAG Identifier which is unique within the scope of a PLMN ID;
  • A CAG cell broadcasts one or multiple CAG Identifiers per PLMN;
  • A CAG cell may in addition broadcast a human-readable network name per CAG Identifier:
Up

5.30.3.3  UE configuration, subscription aspects and storage

To use CAG, the UE, that supports CAG as indicated as part of the UE 5GMM Core Network Capability, may be pre-configured or (re)configured with the following CAG information, included in the subscription as part of the Mobility Restrictions:
  • an Allowed CAG list i.e. a list of CAG Identifiers the UE is allowed to access; and
  • optionally, a CAG-only indication whether the UE is only allowed to access 5GS via CAG cells (see TS 38.304 for how the UE identifies whether a cell is a CAG cell);
The HPLMN may configure or re-configure a UE with the above CAG information using the UE Configuration Update procedure for access and mobility management related parameters described in TS 23.502, clause 4.2.4.2.
The above CAG information is provided by the HPLMN on a per PLMN basis. In a PLMN the UE shall only consider the CAG information provided for this PLMN.
When the subscribed CAG information changes, UDM sets a CAG information Subscription Change Indication and sends it to the AMF. The AMF shall provide the UE with the CAG information when the UDM indicates that the CAG information within the Access and Mobility Subscription data has been changed. When AMF receives the indication from the UDM that the CAG information within the Access and Mobility Subscription has changed, the AMF uses the CAG information received from the UDM to update the UE. Once the AMF updates the UE and obtains an acknowledgment from the UE, the AMF informs the UDM that the update was successful and the UDM clears the CAG information Subscription Change Indication flag.
The AMF may update the UE using either the UE Configuration Update procedure after registration procedure is completed, or by including the new CAG information in the Registration Accept or in the Registration Reject or in the Deregistration Request or in the Service Reject.
When the UE is roaming and the Serving PLMN provides CAG information, the UE shall update only the CAG information provided for the Serving PLMN while the stored CAG information for other PLMNs are not updated. When the UE is not roaming and the HPLMN provides CAG information, the UE shall update the CAG information stored in the UE with the received CAG information for all the PLMNs.
The UE shall store the latest available CAG information for every PLMN for which it is provided and keep it stored when the UE is de-registered or switched off, as described in TS 24.501.
The CAG information is only applicable with 5GS.
Up

5.30.3.4  Network and cell (re-)selection, and access control

The following is assumed for network and cell selection, and access control:
  • The CAG cell shall broadcast information such that only UEs supporting CAG are accessing the cell (see TS 38.300, TS 38.304);
  • In order to prevent access to NPNs for authorized UE(s) in the case of network congestion/overload, existing mechanisms defined for Control Plane load control, congestion and overload control in clause 5.19 can be used, as well as the access control and barring functionality described in clause 5.2.5, or Unified Access Control using the access categories as defined in TS 24.501 can be used.
  • For aspects of automatic and manual network selection in relation to CAG, see TS 23.122;
  • For aspects related to cell (re-)selection, see TS 38.304;
  • The Mobility Restrictions shall be able to restrict the UE's mobility according to the Allowed CAG list (if configured in the subscription) and include an indication whether the UE is only allowed to access 5GS via CAG cells (if configured in the subscription) as described in clause 5.30.3.3;
  • During transition from CM-IDLE to CM-CONNECTED, if the UE is accessing the 5GS via a CAG cell:
    • The AMF shall verify whether UE access is allowed by Mobility Restrictions:
      • If at least one of the CAG Identifier(s) received from the NG-RAN is part of the UE's Allowed CAG list, then the AMF accepts the NAS request;
      • If none of the CAG Identifier(s) received from the NG-RAN are part of the UE's Allowed CAG list, then the AMF rejects the NAS request and the AMF should include CAG information in the NAS reject message. The AMF shall then release the NAS signalling connection for the UE by triggering the AN release procedure; and
      • If the UE is accessing the network via a non-CAG cell and the UE's subscription contains an indication that the UE is only allowed to access CAG cells, then the AMF rejects the NAS request and the AMF should include CAG information in the NAS reject message. The AMF shall then release the NAS signalling connection for the UE by triggering the AN release procedure.
  • During transition from RRC Inactive to RRC Connected state:
    • When the UE initiates the RRC Resume procedure for RRC Inactive to RRC Connected state transition in a CAG cell, NG-RAN shall reject the RRC Resume request from the UE if none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list according to the Mobility Restrictions received from the AMF.
    • When the UE initiates the RRC Resume procedure for RRC Inactive to RRC Connected state transition in a non-CAG cell, NG-RAN shall reject the UE's Resume request if the UE is only allowed to access CAG cells according to the Mobility Restrictions received from the AMF.
  • During connected mode mobility procedures:
    • Based on the Mobility Restrictions received from the AMF:
      • Source NG-RAN shall not handover the UE to a target NG-RAN node if the target is a CAG cell and none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list;
      • Source NG-RAN shall not handover the UE to a non-CAG cell if the UE is only allowed to access CAG cells;
      • If the target cell is a CAG cell, target NG-RAN shall reject the N2 based handover procedure if none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list in the Mobility Restriction List;
      • If the target cell is a non-CAG cell, target NG-RAN shall reject the N2 based handover procedure if the UE is only allowed to access CAG cells based on the Mobility Restriction List.
  • Update of Mobility Restrictions:
    • When the AMF receives the Nudm_SDM_Notification from the UDM and the AMF determines that the Allowed CAG list or the indication whether the UE is only allowed to access CAG cells have changed;
      • The AMF shall update the Mobility Restrictions in the UE and NG-RAN accordingly under the conditions as described in TS 23.502, clause 4.2.4.2.
Up

5.30.3.5  Support of emergency services in CAG cellsWord‑p. 317
Emergency Services are supported in CAG cells, for UEs supporting CAG, whether normally registered or emergency registered as described in clause 5.16.4 and TS 23.502, clause 4.13.4.
A UE may camp on an acceptable CAG cell in limited service state as specified in TS 23.122 and TS 38.304, based on operator policy defined in TS 38.300.
The UE shall select a PLMN (of a CAG cell or non-CAG cell), as described in TS 23.122 and TS 23.167, when initiating emergency services from limited service state.
During handover to a CAG cell, if the UE is not authorized to access the target CAG cell and has emergency services, the target NG-RAN node only accepts the emergency PDU sessions and the target AMF releases the non-emergency PDU connections that were not accepted by the NG-RAN node. Upon completion of handover the UE behave as emergency registered.
Up


Up   Top   ToC