Tech-invite3GPPspaceIETF RFCsSIP
Quick21222324252627282931323334353637384‑5x

Content for  TS 23.501  Word version:  17.5.0

Top   Top   Up   Prev   Next
1…   3…   4.2.3   4.2.4   4.2.5…   4.2.8…   4.2.8.2.2   4.2.8.2.3…   4.2.8.4…   4.2.9…   4.3…   4.3.3   4.3.4   4.3.5   4.4…   4.4.6…   4.4.8   5…   5.3…   5.3.3…   5.4…   5.5…   5.6…   5.6.7…   5.7…   5.7.2…   5.7.3…   5.7.4   5.7.5…   5.8…   5.8.2.11…   5.9…   5.10…   5.11…   5.15…   5.16…   5.17…   5.18…   5.19…   5.21…   5.22…   5.27…   5.28…   5.29…   5.30…   5.31…   5.32…   5.33…   5.34…   5.35…   6…   6.3…   7…   7.2…   8…   8.2.4   8.2.5…   8.3…   A…   D…   E…   F   G…   G.3   G.4…   J…

 

5.30  Support for non-public networks |R16|Word‑p. 341

5.30.1  GeneralWord‑p. 341

A Non-Public Network (NPN) is a 5GS deployed for non-public use, see TS 22.261. An NPN is either:
  • a Stand-alone Non-Public Network (SNPN), i.e. operated by an NPN operator and not relying on network functions provided by a PLMN, or
  • a Public Network Integrated NPN (PNI-NPN), i.e. a non-public network deployed with the support of a PLMN.
Stand-alone NPN are described in clause 5.30.2 and Public Network Integrated NPNs are described in clause 5.30.3.
Up

5.30.2  Stand-alone non-public networksWord‑p. 341

5.30.2.0  GeneralWord‑p. 341

SNPN 5GS deployments are based on the architecture depicted in clause 4.2.3, the architecture for 5GC with untrusted non-3GPP access (Figure 4.2.8.2.1-1) for access to SNPN services via a PLMN (and vice versa) and the additional functionality covered in clause 5.30.2.
Alternatively, a Credentials Holder (CH) may authenticate and authorize access to an SNPN separate from the Credentials Holder based on the architecture specified in clause 5.30.2.9. Idle mode mobility is supported as defined in clause 5.30.2.11. In this Release, direct access to SNPN is specified for 3GPP access only.
The following 5GS features and functionalities are not supported for SNPNs:
  • Interworking with EPS.
  • Also, emergency services when the UE accesses the SNPN over NWu via a PLMN.
  • Roaming, e.g. roaming between SNPNs. However, it is possible for a UE to access an SNPN with credentials from a CH as described in clause 5.30.2.9.
  • Handover between SNPNs, between SNPN and PLMN or PNI NPN.
  • CIoT 5GS optimizations.
  • CAG.
  • Proximity based Services (ProSe) as defined in TS 23.304.
  • 5G NSWO.
A UE with two or more network subscriptions, where one or more network subscriptions may be for a subscribed SNPN, can apply procedures specified for Multi-USIM UEs as described in clause 5.38. The UE shall use a separate PEI for each network subscription when it registers to the network.
Up

5.30.2.1  IdentifiersWord‑p. 342

The combination of a PLMN ID and Network identifier (NID) identifies an SNPN.
The NID shall support two assignment models:
  • Self-assignment: NIDs are chosen individually by SNPNs at deployment time (and may therefore not be unique) but use a different numbering space than the coordinated assignment NIDs as defined in TS 23.003.
  • Coordinated assignment: NIDs are assigned using one of the following two options:
    1. The NID is assigned such that it is globally unique independent of the PLMN ID used; or
    2. The NID is assigned such that the combination of the NID and the PLMN ID is globally unique.
The GIN shall support two assignment models:
  • Self-assignment: GINs are chosen individually and may therefore not be unique. It is defined as in TS 23.003
  • Coordinated assignment: GIN uses a combination of PLMN ID and NID and is assigned using one of the following two options as defined in TS 23.003.
    1. The GIN is assigned such that the NID is globally unique (e.g. using IANA Private Enterprise Numbers) independent of the PLMN ID used; or
    2. The GIN is assigned such that the combination of the NID and the PLMN ID is globally unique.
An optional human-readable network name helps to identify an SNPN during manual SNPN selection. The human-readable network name and how it is used for SNPN manual selection is specified in TS 22.261 and TS 23.122.
Up

5.30.2.2  Broadcast system informationWord‑p. 342

NG-RAN nodes which provide access to SNPNs broadcast the following information:
  • One or multiple PLMN IDs
  • List of NIDs per PLMN ID identifying the non-public networks NG-RAN provides access to
  • Optionally:
    • A human-readable network name per SNPN;
    • Information, as described in TS 38.300, TS 38.331 and in TS 38.304, to prevent UEs not supporting SNPNs from accessing the cell, e.g. if the cell only provides access to non-public networks;
    • An indication per SNPN of whether access using credentials from a Credentials Holder is supported;
    • List of supported Group IDs for Network Selection (GINs) per SNPN;
    • An indication per SNPN of whether the SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, i.e. UEs that do not have any PLMN ID and NID nor GIN broadcast by the SNPN in the Credentials Holder controlled prioritized lists of preferred SNPNs/GINs.
Up

5.30.2.3  UE configuration and subscription aspectsWord‑p. 343

An SNPN-enabled UE is configured with the following information for each subscribed SNPN:
  • PLMN ID and NID of the subscribed SNPN;
  • Subscription identifier (SUPI) and credentials for the subscribed SNPN;
  • Optionally, an N3IWF FQDN and an identifier of the country where the configured N3IWF is located;
  • Optionally, if the UE supports access to an SNPN using credentials from a Credentials Holder:
    • User controlled prioritized list of preferred SNPNs;
    • Credentials Holder controlled prioritized list of preferred SNPNs;
    • Credentials Holder controlled prioritized list of GINs.
For an SNPN-enabled UE with SNPN subscription, the Credentials Holder controlled prioritized lists of preferred SNPNs and GINs may be updated by the Credentials Holder using the Steering of Roaming (SoR) procedure as defined in Annex C of TS 23.122. Updating Credentials Holder controlled prioritized lists of preferred SNPNs and GINs via the Steering of Roaming (SoR) procedure is not applicable for Credentials Holder with AAA Server.
A subscription of an SNPN is either:
  • identified by a SUPI containing a network-specific identifier that takes the form of a Network Access Identifier (NAI) using the NAI RFC 7542 based user identification as defined in clause 28.7.2 of TS 23.003. The realm part of the NAI may include the NID of the SNPN; or
  • identified by a SUPI containing an IMSI.
In the case of access to an SNPN using credentials owned by a Credentials Holder as specified in clause 5.30.2.9.2 and clause 5.30.2.9.3, the SUPI shall also contain identification for the Credentials Holder (i.e. the realm in the case of Network Specific Identifier based SUPI or the MCC and MNC in the case of an IMSI based SUPI). In the case of access to an SNPN using credentials owned by a Credentials Holder using AAA-S as specified in clause 5.30.2.9.2, only Network Specific Identifier based SUPI is supported.
An SNPN-enabled UE that supports access to an SNPN using credentials from a Credentials Holder and that is equipped with a PLMN subscription may additionally be configured with the following information for SNPN selection and registration using the PLMN subscription in SNPN access mode:
  • User controlled prioritized list of preferred SNPNs;
  • Credentials Holder controlled prioritized list of preferred SNPNs;
  • Credentials Holder controlled prioritized list of preferred GINs.
For an SNPN-enabled UE with PLMN subscription, the Credentials Holder controlled prioritized lists of preferred SNPNs and GINs may be updated by the Credentials Holder using the Steering of Roaming (SoR) procedure as defined in Annex C of TS 23.122.
When the Credentials Holder updates a UE with the Credentials Holder controlled prioritized lists of preferred SNPNs and GINs the UE may perform SNPN selection again, e.g. to potentially select a higher prioritized SNPN.
Up

5.30.2.4  Network selection in SNPN access modeWord‑p. 344

5.30.2.4.1  General |R17|Word‑p. 344
An SNPN-enabled UE supports the SNPN access mode. When the UE is set to operate in SNPN access mode the UE only selects and registers with SNPNs over Uu as described in clause 5.30.2.4.
Emergency services are supported in SNPN access mode as defined in clause 5.16.4.1.
If a UE is not set to operate in SNPN access mode, even if it is SNPN-enabled, the UE does not select and register with SNPNs. A UE not set to operate in SNPN access mode performs PLMN selection procedures as defined in clause 4.4 of TS 23.122. For a UE capable of simultaneously connecting to an SNPN and a PLMN, the setting for operation in SNPN access mode is applied only to the Uu interface for connection to the SNPN. Clause D.4 provides more details.
An SNPN-enabled UE that supports access to an SNPN using credentials from a Credentials Holder and that is equipped with a PLMN subscription needs to first enter SNPN access mode to be able to select SNPNs. Once the UE has entered SNPN access mode, SNPN selection is performed as described in clause 5.30.2.4. Once an SNPN has been selected the UE attempts registration in the SNPN using the PLMN credentials.
When a UE is set to operate in SNPN access mode the UE does not perform normal PLMN selection procedures as defined in clause 4.4 of TS 23.122.
UEs operating in SNPN access mode read the information described in clause 5.30.2.2 from the broadcast system information and take them into account during network selection.
Up
5.30.2.4.2  Automatic network selection |R17|Word‑p. 345
For automatic network selection the UE selects and attempts registration on available and allowable SNPNs in the following order:
  • the SNPN the UE was last registered with (if available);
  • the subscribed SNPN, which is identified by the PLMN ID and NID for which the UE has SUPI and credentials.;
  • If the UEs supports access to an SNPN using credentials from a Credentials Holder then the UE continues by selecting and attempting registration on available and allowable SNPNs which broadcast the indication that access using credentials from a Credentials Holder is supported in the following order:
    • SNPNs in the user controlled prioritized list of preferred SNPNs (in priority order);
    • SNPNs in the Credentials Holder controlled prioritized list of preferred SNPNs (in priority order);
    • SNPNs, which additionally broadcast a GIN contained in the Credentials Holder controlled prioritized list of preferred GINs (in priority order);
    • SNPNs, which additionally broadcast an indication that the SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, i.e. the broadcasted NID or GIN is not present in the Credentials Holder controlled prioritized lists of preferred SNPNs/GINs in the UE.
When a UE performs Initial Registration to an SNPN, the UE shall indicate the PLMN ID and NID as broadcast by the selected SNPN to NG-RAN. NG-RAN shall inform the AMF of the selected PLMN ID and NID.
Up
5.30.2.4.3  Manual network selection |R17|Word‑p. 345
For manual network selection UEs operating in SNPN access mode provide to the user the list of SNPNs (each is identified by a PLMN ID and NID) and related human-readable names (if available) of the available SNPNs the UE has respective SUPI and credentials for. If the UEs supports access to an SNPN using credentials from a Credentials Holder, the UE also presents available SNPNs which broadcast the "access using credentials from a Credentials Holder is supported" indication and the human-readable names related to the SNPNs (if available).
When a UE performs Initial Registration to an SNPN, the UE shall indicate the selected PLMN ID and NID as broadcast by the selected SNPN to NG-RAN. NG-RAN shall inform the AMF of the selected PLMN ID and NID.
Up

5.30.2.5  Network access controlWord‑p. 345

If a UE performs the registration or service request procedure in an SNPN identified by a PLMN ID and a self-assigned NID and there is no subscription for the UE, then the AMF shall reject the UE with an appropriate cause code to temporarily prevent the UE from automatically selecting and registering with the same SNPN.
If a UE performs the registration or service request procedure in an SNPN identified by a PLMN ID and a coordinated assigned NID and there is no subscription for the UE, then the AMF shall reject the UE with an appropriate cause code to permanently prevent the UE from automatically selecting and registering with the same SNPN.
If a UE performs the registration in an SNPN using credentials from a Credentials Holder and UE is not authorized to access that specific SNPN, then the UDM can reject the UE which results in AMF rejecting the registration request from the UE with an appropriate cause code to prevent the UE from selecting and registering with the same SNPN using credentials from the Credentials Holder as described in TS 24.501.
In order to prevent access to SNPNs for authorized UE(s) in the case of network congestion/overload, Unified Access Control information is configured per SNPN (i.e. as part of the subscription information that the UE has for a given SNPN) and provided to the UE as described in TS 24.501.
Up

5.30.2.6  Cell (re-)selection in SNPN access modeWord‑p. 346

UEs operating in SNPN access mode only select cells and networks broadcasting both PLMN ID and NID of the selected SNPN.

5.30.2.7  Access to PLMN services via stand-alone non-public networksWord‑p. 346

To access PLMN services, a UE in SNPN access mode that has successfully registered with an SNPN may perform another registration via the SNPN User Plane with a PLMN (using the credentials of that PLMN) following the same architectural principles as specified in clause 4.2.8 (including the optional support for PDU Session continuity between PLMN and SNPN using the Handover of a PDU Session procedures in clauses 4.9.2.1 and 4.9.2.2 of TS 23.502) and the SNPN taking the role of "Untrusted non-3GPP access". Annex D, clause D.3 provides additional details.
When the UE accesses the PLMN over NWu via a SNPN, the AMF in the serving PLMN shall send an indication toward the UE during the Registration procedure to indicate whether an IMS voice over PS session is supported or not.
Up

5.30.2.8  Access to stand-alone non-public network services via PLMNWord‑p. 346

To access SNPN services, a UE that has successfully registered with a PLMN over 3GPP access may perform another registration via the PLMN User Plane with an SNPN (using the credentials of that SNPN) following the same architectural principles as specified in clause 4.2.8 (including the optional support for PDU Session continuity between PLMN and SNPN using the Handover of a PDU Session procedures in clauses 4.9.2.1 and 4.9.2.2 of TS 23.502) and the PLMN taking the role of "Untrusted non-3GPP access" of the SNPN, i.e. using the procedures for Untrusted non-3GPP access in clause 4.12.2 of TS 23.502. Annex D, clause D.3 provides additional details. The case where UE that has successfully registered with a PLMN over non-3GPP access to access SNPN services is not specified in this Release.
When the UE accesses the SNPN over NWu via a PLMN, the AMF in the SNPN shall send an indication toward the UE during the Registration procedure to indicate whether an IMS voice over PS session is supported or not.
Up

5.30.2.9  SNPN connectivity for UEs with credentials owned by Credentials Holder |R17|Word‑p. 347

5.30.2.9.1  GeneralWord‑p. 347
SNPNs may support UE access using credentials owned by a Credentials Holder separate from the SNPN. In this case the Session Management procedures (i.e. PDU Sessions) terminate in an SMF in the SNPN.
When an SNPN supports UE access using credentials assigned by a Credentials Holder separate from the SNPN, it is assumed that is supported homogeneously within the whole SNPN.
Credentials Holder using AAA Server for primary authentication and authorization is described in clause 5.30.2.9.2 and Credentials Holder using AUSF and UDM for primary authentication and authorization is described in clause 5.30.2.9.3.
Up
5.30.2.9.2  Credentials Holder using AAA Server for primary authentication and authorizationWord‑p. 347
The AUSF and the UDM in SNPN may support primary authentication and authorization of UEs using credentials from a AAA Server in a Credentials Holder (CH).
  • If the UDM decides that the primary authentication is performed by AAA Server in CH based on the UE's SUPI and subscription data. The Home Network Identifier, is derived by UDM from the SUCI received from AUSF. The UDM then instructs the AUSF that primary authentication by a AAA Server in a CH is required, the AUSF shall discover and select the NSSAAF, and then forward EAP messages to the NSSAAF. The NSSAAF selects AAA Server based on the domain name corresponds to the realm part of the SUPI, relays EAP messages between AUSF and AAA Server (or AAA proxy) and performs related protocol conversion. The AAA Server acts as the EAP Server for the purpose of primary authentication.
  • It is FFS if only SUCI using null scheme with anonymised SUPI should be supported for this use case and will be decided by SA WG3.
  • The SUPI is used to identify the UE during primary authentication and authorization towards the AAA Server. SUPI privacy is achieved according to methods in clause I.5 of TS 33.501.
  • The AMF discovers and selects the AUSF as described in clause 6.3.4 using the Home Network Identifier (realm part) and Routing Indicator present in the SUCI provided by a UE configured as described in clause 5.30.2.3.
  • The AMF and SMF shall retrieve the UE subscription data from UDM using SUPI.
Figure 5.30.2.9.2-1 depicts the 5G System architecture for SNPN with Credentials Holder using AAA Server for primary authentication and authorization.
Reproduction of 3GPP TS 23.501, Fig. 5.30.2.9.2-1: 5G System architecture with access to SNPN using credentials from Credentials Holder using AAA Server
Up
5.30.2.9.3  Credentials Holder using AUSF and UDM for primary authentication and authorizationWord‑p. 348
An SNPN may support primary authentication and authorization of UEs that use credentials from a Credentials Holder using AUSF and UDM. The Credentials Holder may be an SNPN or a PLMN. The Credentials Holder UDM provides to SNPN the subscription data.
Optionally, an SNPN may support network slicing (including Network Slice-Specific Authentication and Authorization, Network Slice Access Control and subscription-based restrictions to simultaneous registration of network slices) for UEs that use credentials from a Credentials Holder using AUSF and UDM. The SNPN retrieves NSSAA and NSSRG information from the UDM of the Credentials Holder.
Figure 5.30.2.9.3-1 depicts the 5G System architecture for SNPN with Credentials Holder using AUSF and UDM for primary authentication and authorization and network slicing.
Reproduction of 3GPP TS 23.501, Fig. 5.30.2.9.3-1: 5G System architecture with access to SNPN using credentials from Credentials Holder using AUSF and UDM
Up

5.30.2.10  Onboarding of UEs for SNPNs |R17|Word‑p. 349

5.30.2.10.1  GeneralWord‑p. 349
Onboarding of UEs for SNPNs allows the UE to access an Onboarding Network (ONN) for the purpose of provisioning the UE with SNPN credentials for primary authentication and other information to enable access to a desired SNPN, i.e. (re-)select and (re-)register with SNPN.
To provision SNPN credentials in a UE that is configured with Default UE credentials (see clause 5.30.2.10.2.4), the UE selects an SNPN as ONN and establishes a secure connection with that SNPN referred to as Onboarding SNPN (ON-SNPN), see more details in clause 5.30.2.10.2.
To provision SNPN credentials in a UE that is equipped with a USIM configured with PLMN credentials, the UE selects a PLMN as ONN and establishes a secure connection with that PLMN, see more details in clause 5.30.2.10.3.
After the secure connection is established, the UE is provisioned with SNPN credentials and possibly other data to enable discovery, (re-)selection and (re-)registration for a desired SNPN, see more details in clause 5.30.2.10.4.
ON-SNPN and SO-SNPN can be roles taken by either an SNPN or different SNPNs. It is possible for the same network to be in both roles with respect to a specific UE.
Up
5.30.2.10.2  Onboarding Network is an SNPNWord‑p. 349
5.30.2.10.2.1  GeneralWord‑p. 349
A UE configured with Default UE credentials may register with an ON-SNPN for the provisioning of SO-SNPN credentials.
5.30.2.10.2.2  ArchitectureWord‑p. 349
Figure 5.30.2.10.2.2-1, Figure 5.30.2.10.2.2-2 and Figure 5.30.2.10.2.2-3 depict the architecture for Onboarding of UEs in an ON-SNPN.
Reproduction of 3GPP TS 23.501, Fig. 5.30.2.10.2.2-1: Architecture for UE Onboarding in ON-SNPN when the DCS includes an AUSF and a UDM
Up
Reproduction of 3GPP TS 23.501, Fig. 5.30.2.10.2.2-2: Architecture for UE Onboarding in ON-SNPN when the DCS includes a AAA Server used for primary authentication
Up
Reproduction of 3GPP TS 23.501, Fig. 5.30.2.10.2.2-3: Architecture for UE Onboarding in ON-SNPN when the DCS is not involved during primary authentication
Up
When the DCS is involved during mutual primary authentication during the Onboarding procedure (as in Figure 5.30.2.10.2.2-1 and Figure 5.30.2.10.2.2-2), the following applies:
  • When the DCS includes an AUSF and a UDM functionality, then the AMF selects AUSF in the DCS domain. The ON-SNPN and DCS domain are connected via N32 and SEPP which are not shown in the Figure 5.30.2.10.2.2-1.
  • When the DCS includes a AAA Server functionality, only NSI based SUPI is supported and the AMF selects AUSF in the ON-SNPN. Based on local configuration (e.g. using the realm part of the Onboarding SUCI), the AUSF skips the UDM selection and directly performs primary authentication towards DCS with AAA Server functionality. The AUSF uses an NSSAAF (and the NSSAAF may use a AAA-P which is not shown in the Figure 5.30.2.10.2.2-2) to relay EAP messages towards the DCS including a AAA Server. The NSSAAF selects AAA Server based on the domain name corresponding to the realm part of the SUPI.
When the DCS is not involved during primary authentication (as in Figure 5.30.2.10.2.2-3), the following applies:
  • The AMF selects a local AUSF as described in clause 5.30.2.10.2.6 and performs primary authentication towards the local AUSF using Default UE credentials as described in TS 33.501.
  • Upon establishment of the PDU Session used for User Plane Remote Provisioning the ON-SNPN may trigger secondary authentication procedure, as described in clause 4.3.2.3 of TS 23.502, with the DCS using Default UE credentials as described in clause 11.1 of TS 33.501. When secondary authentication is used, the SMF identifies the DN-AAA server as defined in clause 4.3.2.3 of TS 23.502.
Up
5.30.2.10.2.3  Broadcast system informationWord‑p. 349
When the SNPN supports Onboarding of UEs for SNPNs (i.e. the SNPN can be used as ON-SNPN), the NG-RAN node additionally broadcasts the following information:
  • An onboarding enabled indication that indicates whether onboarding is currently enabled for the SNPN. The onboarding enabled indication is broadcasted per cell e.g. to allow start of the onboarding procedure only in parts of the SNPN.
Up
5.30.2.10.2.4  UE Configuration AspectsWord‑p. 349
A UE enabled to support UE Onboarding, shall be pre-configured with Default UE credentials, and the UE may be pre-configured with ON-SNPN selection information.
The UE uses the ON-SNPN selection information for selection of ON-SNPN (see clause 5.30.2.10.2.5).
The UE Configuration Data for UP Remote Provisioning is described in the clause 5.30.2.10.4.2.
Up
5.30.2.10.2.5  Network selectionWord‑p. 349
This clause applies only when the UE is in SNPN access mode.
When the UE wants to perform UE onboarding via an SNPN, the UE shall perform ON-SNPN selection as described below. An ON-SNPN is an SNPN providing onboarding access and enabling remote provisioning for a UE registered for onboarding as specified in clause 4.2.2.2.4 of TS 23.502.
For automatic or manual selection, the UE may select and attempt to register to an ON-SNPN which broadcast the Onboarding enabled indication described in clause 5.30.2.10.2.3 and matches the pre-configured ON-SNPN selection information such as SNPN network identifier and/or GIN(s) (if available) described in clause 5.30.2.10.2.4 according to the UE implementation-specific logic. If the registration fails, the UE may select and attempt to register to a different ON-SNPN as defined in clause 4.9.3.1.3 or clause 4.9.3.1.4 of TS 23.122.
Up
5.30.2.10.2.6  Registration for UE onboardingWord‑p. 349
When the user or UE has selected an ON-SNPN according to clause 5.30.2.10.2.5, the UE establishes an RRC connection towards the NG-RAN node of the ON-SNPN. The UE provides an indication in RRC Connection Establishment that the RRC connection is for onboarding as defined in TS 38.331. This indication allows the NG-RAN node to select an appropriate AMF that supports the UE onboarding procedures. The UE indicates the ON-SNPN as the selected network, and the NG-RAN node shall indicate the selected PLMN ID and NID of the ON-SNPN to the AMF.
The UE shall initiate the NAS registration procedure by sending a NAS Registration Request message with the following characteristics:
  • The UE shall set the 5GS Registration Type to the value "SNPN Onboarding" indicating that the registration request is for onboarding.
  • The UE shall provide a SUCI derived from a SUPI as specified in TS 23.003 and TS 33.501. The SUPI shall uniquely identify the UE and shall be derived from the Default UE credentials. The SUPI used for onboarding may contain an IMSI or a network-specific identifier. The ON-SNPN may determine the corresponding DCS identity or address/domain, based on the SUCI (i.e. based on the Home Network Identifier of the SUCI).
The UE does not include a Requested NSSAI in NAS signalling when it registers for UE onboarding purposes to the ON-SNPN.
The AMF supporting UE onboarding is configured with AMF Onboarding Configuration Data that includes e.g.:
  • S-NSSAI and DNN to be used for onboarding or a configured SMF for the S-NSSAI and DNN used for onboarding.
  • Information to use a local AUSF(s) within the ON-SNPN for onboarding of UEs with a SUCI for a DCS with AAA Server or for onboarding of UEs in the case where the DCS is not involved during primary authentication.
When the AMF receives a NAS Registration Request with a 5GS Registration Type set to "SNPN Onboarding", the AMF:
  • starts an authentication procedure towards the AUSF, the authentication procedure is specified in TS 33.501. The AMF may be provided with PVS IP address(es) or PVS FQDN(s) from the DCS during authentication procedure. The AMF selects an appropriate AUSF as described in clause 6.3.4 based on the Home Network Identifier of the SUCI used during onboarding or based on local configuration in the AMF.
  • applies the AMF Onboarding Configuration Data e.g. used to restrict UE network usage to only onboarding for User Plane Remote Provisioning of UE as described in clause 5.30.2.10.4.3.
  • stores in the UE context in AMF an indication that the UE is registered for SNPN onboarding.
Upon successful authentication from AUSF, the AMF informs the UE about the result of the registration. If the UE is not successfully authenticated, the AMF shall reject the registration procedure for onboarding, and the UE may select a different ON-SNPN to attempt to register.
Up
5.30.2.10.2.7  Deregistration from the ON-SNPN for onboarding registered UEWord‑p. 350
Once remote provisioning of SO-SNPN credentials is completed, the UE should initiate deregistration from the ON-SNPN.
Based on ON-SNPN policies, the AMF may start an implementation specific timer once the UE has registered to the ON-SNPN for the purpose of onboarding. Expiry of this timer triggers the AMF to deregister the onboarding registered UE from the ON-SNPN.
The AMF may also deregister the UE when it determines that the PDU Session used for User Plane Remote Provisioning has been released by the SMF.
When AMF re-allocation occurs for a UE registered for SNPN onboarding during mobility registration update procedure as described in TS 23.502, clause 4.2.2.2.4 or during N2 based handover as described in TS 23.502, clause 4.9.1.3, the new AMF supporting SNPN Onboarding should be selected as described in clause 6.3.5. If the new AMF receives in UE context the indication that the UE is registered for SNPN onboarding, the new AMF may start an implementation specific timer for when to deregister the UE when the new AMF completes the Registration procedure (i.e. sends Registration Accept to the UE) or completes the N2 based handover procedure.
Up
5.30.2.10.3  Onboarding Network is a PLMNWord‑p. 354
5.30.2.10.3.1  GeneralWord‑p. 354
A UE configured with PLMN credentials in USIM for primary authentication may register with a PLMN for the provisioning of SO-SNPN credentials.
5.30.2.10.3.2  Network selection and RegistrationWord‑p. 354
This clause applies only when the UE is not in SNPN access mode.
When the UE is using PLMN credentials for accessing a PLMN as the Onboarding Network (ONN), then regular network selection, as per TS 23.122 and regular initial registration procedures apply, as per TS 23.502. After successfully registering to the ON-PLMN, the UE is provisioned with the SO-SNPN credentials via User Plane as in clause 5.30.2.10.4.4.
Up
5.30.2.10.4  Remote Provisioning of UEs in Onboarding NetworkWord‑p. 354
5.30.2.10.4.1  GeneralWord‑p. 354
Remote Provisioning of UEs that registered with an Onboarding Network enables provisioning the UE with SNPN credentials for primary authentication and other information to enable access to the desired SNPN.
Onboarding Services are provided using a PDU Session for DNN and S-NSSAI used for onboarding allowing remote provisioning of UEs via User Plane. The PDU Session may be restricted only to be used for Remote Provisioning of the UE.
5.30.2.10.4.2  Onboarding configuration for the UEWord‑p. 354
In order to enable UP Remote Provisioning of SNPN credentials for a UE, UE Configuration Data for User Plane Remote Provisioning are either pre-configured on the UE or provided by the ONN. UE Configuration Data for User Plane Remote Provisioning provided by the ONN take precedence over corresponding configuration data stored in the UE.
UE Configuration Data for User Plane Remote Provisioning consist of PVS IP address(es) and/or PVS FQDN(s).
If the UE does not have any PVS IP address or PVS FQDN after the establishment of the PDU Session used for User Plane Remote Provisioning, the UE may construct an FQDN for PVS discovery as defined in TS 23.003.
The UE Configuration Data for User Plane Remote Provisioning may be stored in the ME.
The UE Configuration Data for User Plane Remote Provisioning (i.e. PVS IP address(es) or PVS FQDN(s), or both) may be either:
  • locally configured in the SMF of ONN; or
  • provided by the DCS to the AMF of ON-SNPN as part of the authentication procedure as specified in TS 33.501 and sent by the AMF in the Nsmf_PDUSession_CreateSMContext Request message to the SMF
The PVS IP address(es) and/or PVS FQDN(s) provided by the DCS take precedence over the locally configured PVS IP address(es) and/or PVS FQDN(s) in the ON-SNPN.
If the PCF is used for User Plane Remote Provisioning, the SMF provides the UE Configuration Data to the PCF as described in clause 5.30.2.10.4.3.
The UE Configuration Data for User Plane Remote Provisioning may be provided to the UE during the establishment of the PDU Session used for User Plane Remote Provisioning as part of Protocol Configuration Options (PCO) in the PDU Session Establishment Response.
Up
5.30.2.10.4.3  User Plane Remote Provisioning of UEs when Onboarding Network is an ON-SNPNWord‑p. 354
The AMF selects an SMF used for User Plane Remote Provisioning using the SMF discovery and selection functionality as described in clause 6.3.2. The S-NSSAI and DNN of the AMF Onboarding Configuration Data may be used to discover and select an SMF for User Plane Remote Provisioning. Alternatively, for SMF selection, the AMF Onboarding Configuration Data may contain a configured SMF for the S-NSSAI and DNN used for onboarding. The AMF provides Onboarding Indication to SMF via Nsmf_PDUSession_CreateSMContext request message when a PDU Session used for User Plane Remote Provisioning is established. During PDU Session establishment for remote provisioning, the AMF may provide the PVS IP address(es) and/or PVS FQDN(s) to the SMF.
When a UPF is selected for User Plane Remote Provisioning, the UPF selection function described in clause 6.3.3 for normal services is applied considering the S-NSSAI and DNN used for onboarding.
The SMF or the PCF may store S-NSSAI and DNN information used for onboarding. Onboarding Configuration Data available to PCF (for details see TS 23.503) and/or SMF may include PVS FQDN(s) and/or PVS IP address(es). The SMF and the PCF may use Onboarding Indication and DNN and S-NSSAI used for onboarding to access the Onboarding Configuration Data.
When the UE registered for Onboarding (i.e. 5GS Registration Type is set to the value "SNPN Onboarding") successfully completes the User Plane Remote Provisioning of SNPN credentials via the Onboarding Network, then the UE should deregister from the Onboarding Network.
Initial QoS parameters used for User Plane Remote Provisioning are configured in the SMF when dynamic PCC is not used.
Dynamic PCC may be used for a PDU Session used for User Plane Remote Provisioning as described in TS 23.503. If a PCF is used and the AMF provided an Onboarding Indication, the SMF provides Onboarding Indication to the PCF when requesting an SM Policy Association. The SMF may provide the UE Configuration Data (i.e. PVS IP address(es) and/or PVS FQDN(s)) to the PCF when requesting an SM Policy Association.
The QoS Flows of a restricted PDU Session, which is associated with the S-NSSAI/DNN used for Onboarding, shall be dedicated to Onboarding Services. The SMF may configure in the UPF PDR(s) and FAR(s) including PVS and DNS server IP addresses to block any traffic that is not from or to PVS and DNS server addresses.
If the UE is registered for Onboarding (i.e. 5GS Registration Type is set to the value "SNPN Onboarding"), the network should apply S-NSSAI and DNN in the Onboarding Configuration Data for the PDU Session Establishment request from the UE.
Up
5.30.2.10.4.4  User Plane Remote Provisioning of UEs when Onboarding Network is a PLMNWord‑p. 355
Subscription data of such a UE shall contain the DNN and S-NSSAI used for onboarding.
The AMF selects an SMF used for User Plane Remote Provisioning using the SMF discovery and selection functionality as described in clause 6.3.2, considering the DNN and S-NSSAI used for onboarding provided by the UE or the default DNN and S-NSSAI provided by UDM.
The UPF selection function described in clause 6.3.3 is applied, considering the DNN and S-NSSAI used for onboarding.
The SMF may be configured with one or more PVS FQDN(s) and/or PVS IP address(es) per DNN and S-NSSAI used for onboarding. When the UE requests a PDU Session used for User Plane Remote Provisioning by using DNN and S-NSSAI used for onboarding, the SMF sends the PVS FQDN(s) and/or PVS IP address(es) associated to the DNN and S-NSSAI of the PDU Session to the UE as part of Protocol Configuration Options (PCO) in the PDU Session Establishment Response if the following conditions are met:
  • the UE subscription data contains the DNN and S-NSSAI used for onboarding; and
  • the SMF has obtained the PVS FQDN(s) and/or PVS IP address(es) associated to the DNN and S-NSSAI of the PDU Session from local configuration; and
  • the UE has requested PVS information via PCO in PDU Session Establishment Request.
Up

5.30.2.11  UE Mobility support for SNPN |R17|Word‑p. 356

If the UE moves its 3GPP access between SNPN and PLMN, the network selection is performed as specified in TS 23.122 and UE performs initial registration as specified in clause 4.2.2.2.2 of TS 23.502.
If the UE moves its 3GPP access between SNPNs, the network selection is performed as specified in TS 23.122, then the UE performs initial or mobility registration as specified in clause 4.2.2.2.2 of TS 23.502.
Up

5.30.3  Public Network Integrated NPNWord‑p. 357

5.30.3.1  GeneralWord‑p. 357

Public Network Integrated NPNs are NPNs made available via PLMNs e.g. by means of dedicated DNNs, or by one (or more) Network Slice instances allocated for the NPN. The existing network slicing functionalities apply as described in clause 5.15. When a PNI-NPN is made available via a PLMN, then the UE shall have a subscription for the PLMN in order to access PNI-NPN.
As network slicing does not enable the possibility to prevent UEs from trying to access the network in areas where the UE is not allowed to use the Network Slice allocated for the NPN, Closed Access Groups may optionally be used to apply access control.
A Closed Access Group identifies a group of subscribers who are permitted to access one or more CAG cells associated to the CAG.
CAG is used for the PNI-NPNs to prevent UE(s), which are not allowed to access the NPN via the associated cell(s), from automatically selecting and accessing the associated CAG cell(s).
The UE and PNI-NPN may support remote provisioning of credentials for NSSAA or credentials for secondary authentication/authorization to the UE, as specified in clause 5.39.
Support for Proximity based Services (ProSe) as defined in TS 23.304 in conjunction with CAG is not specified in this Release of the specification.
Up

5.30.3.2  IdentifiersWord‑p. 357

The following is required for identification:
  • A CAG is identified by a CAG Identifier which is unique within the scope of a PLMN ID;
  • A CAG cell broadcasts one or multiple CAG Identifiers per PLMN;
  • A CAG cell may in addition broadcast a human-readable network name per CAG Identifier:
Up

5.30.3.3  UE configuration, subscription aspects and storageWord‑p. 358

To use CAG, the UE, that supports CAG as indicated as part of the UE 5GMM Core Network Capability, may be pre-configured or (re)configured with the following CAG information, included in the subscription as part of the Mobility Restrictions:
  • an Allowed CAG list i.e. a list of CAG Identifiers the UE is allowed to access; and
  • optionally, a CAG-only indication whether the UE is only allowed to access 5GS via CAG cells (see TS 38.304 for how the UE identifies whether a cell is a CAG cell);
The HPLMN may configure or re-configure a UE with the above CAG information using the UE Configuration Update procedure for access and mobility management related parameters described in clause 4.2.4.2 of TS 23.502.
The above CAG information is provided by the HPLMN on a per PLMN basis. In a PLMN the UE shall only consider the CAG information provided for this PLMN.
When the subscribed CAG information changes, UDM sets a CAG information Subscription Change Indication and sends it to the AMF. The AMF shall provide the UE with the CAG information when the UDM indicates that the CAG information within the Access and Mobility Subscription data has been changed. When AMF receives the indication from the UDM that the CAG information within the Access and Mobility Subscription has changed, the AMF uses the CAG information received from the UDM to update the UE. Once the AMF updates the UE and obtains an acknowledgment from the UE, the AMF informs the UDM that the update was successful and the UDM clears the CAG information Subscription Change Indication flag.
The AMF may update the UE using either the UE Configuration Update procedure after registration procedure is completed, or by including the new CAG information in the Registration Accept or in the Registration Reject or in the Deregistration Request or in the Service Reject.
When the UE is roaming and the Serving PLMN provides CAG information, the UE shall update only the CAG information provided for the Serving PLMN while the stored CAG information for other PLMNs are not updated. When the UE is not roaming and the HPLMN provides CAG information, the UE shall update the CAG information stored in the UE with the received CAG information for all the PLMNs.
The UE shall store the latest available CAG information for every PLMN for which it is provided and keep it stored when the UE is de-registered or switched off, as described in TS 24.501.
The CAG information is only applicable with 5GS.
Up

5.30.3.4  Network and cell (re-)selection, and access controlWord‑p. 358

The following is assumed for network and cell selection, and access control:
  • The CAG cell shall broadcast information such that only UEs supporting CAG are accessing the cell (see TS 38.300, TS 38.304);
  • In order to prevent access to NPNs for authorized UE(s) in the case of network congestion/overload, existing mechanisms defined for Control Plane load control, congestion and overload control in clause 5.19 can be used, as well as the access control and barring functionality described in clause 5.2.5, or Unified Access Control using the access categories as defined in TS 24.501 can be used.
  • For aspects of automatic and manual network selection in relation to CAG, see TS 23.122;
  • For aspects related to cell (re-)selection, see TS 38.304;
  • The Mobility Restrictions shall be able to restrict the UE's mobility according to the Allowed CAG list (if configured in the subscription) and include an indication whether the UE is only allowed to access 5GS via CAG cells (if configured in the subscription) as described in clause 5.30.3.3;
  • During transition from CM-IDLE to CM-CONNECTED and during Registration after connected mode mobility from E-UTRAN to NG-RAN as described in clause 4.11.1.2.2 of TS 23.502:
    • The AMF shall verify whether UE access is allowed by Mobility Restrictions:
      • If the UE is accessing the 5GS via a CAG cell and if at least one of the CAG Identifier(s) received from the NG-RAN is part of the UE's Allowed CAG list, then the AMF accepts the NAS request;
      • If the UE is accessing the 5GS via a CAG cell and if none of the CAG Identifier(s) received from the NG-RAN are part of the UE's Allowed CAG list, then the AMF rejects the NAS request and the AMF should include CAG information in the NAS reject message. The AMF shall then release the NAS signalling connection for the UE by triggering the AN release procedure; and
      • If the UE is accessing the 5GS via a non-CAG cell and the UE's subscription contains an indication that the UE is only allowed to access CAG cells, then the AMF rejects the NAS request and the AMF should include CAG information in the NAS reject message. The AMF shall then release the NAS signalling connection for the UE by triggering the AN release procedure.
  • During transition from RRC Inactive to RRC Connected state:
    • When the UE initiates the RRC Resume procedure for RRC Inactive to RRC Connected state transition in a CAG cell, NG-RAN shall reject the RRC Resume request from the UE if none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list according to the Mobility Restrictions received from the AMF or if no Allowed CAG list has been received from the AMF.
    • When the UE initiates the RRC Resume procedure for RRC Inactive to RRC Connected state transition in a non-CAG cell, NG-RAN shall reject the UE's Resume request if the UE is only allowed to access CAG cells according to the Mobility Restrictions received from the AMF.
  • During connected mode mobility procedures within NG-RAN, i.e., handover procedures as described in clause 4.9.1 of TS 23.502:
    • Source NG-RAN shall not handover the UE to a target NG-RAN node if the target is a CAG cell and none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list in the Mobility Restriction List or if no Allowed CAG list has been received from the AMF;
    • Source NG-RAN shall not handover the UE to a non-CAG cell if the UE is only allowed to access CAG cells based on the Mobility Restriction List;
    • If the target cell is a CAG cell, target NG-RAN shall reject the N2 based handover procedure if none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list in the Mobility Restriction List or if no Allowed CAG list has been received from the AMF;
    • If the target cell is a non-CAG cell, target NG-RAN shall reject the N2 based handover procedure if the UE is only allowed to access CAG cells based on the Mobility Restriction List.
  • Update of Mobility Restrictions:
    • When the AMF receives the Nudm_SDM_Notification from the UDM and the AMF determines that the Allowed CAG list or the indication whether the UE is only allowed to access CAG cells have changed;
      • The AMF shall update the Mobility Restrictions in the UE and NG-RAN accordingly under the conditions as described in clause 4.2.4.2 of TS 23.502.
Up

5.30.3.5  Support of emergency services in CAG cellsWord‑p. 359

Emergency Services are supported in CAG cells, for UEs supporting CAG, whether normally registered or emergency registered as described in clause 5.16.4 and in clause 4.13.4 of TS 23.502.
A UE may camp on an acceptable CAG cell in limited service state as specified in TS 23.122 and TS 38.304, based on operator policy defined in TS 38.300.
The UE shall select a PLMN (of a CAG cell or non-CAG cell), as described in TS 23.122 and TS 23.167, when initiating emergency services from limited service state.
During handover to a CAG cell, if the UE is not authorized to access the target CAG cell as described in clause 5.30.3.4 and has emergency services, the target NG-RAN node only accepts the emergency PDU Sessions and the target AMF releases the non-emergency PDU Sessions that were not accepted by the NG-RAN node. Upon completion of handover the UE behave as emergency registered.
Up

Up   Top   ToC