Content for TS 23.501 Word version: 18.5.0

1… 3… 4.2.3 4.2.4 4.2.5… 4.2.8… 4.2.8.2.2 4.2.8.2.3… 4.2.8.4… 4.2.9… 4.2.15… 4.3… 4.3.3 4.3.4 4.3.5 4.4… 4.4.6… 4.4.8… 5… 5.3… 5.3.3… 5.4… 5.5… 5.6… 5.6.7… 5.7… 5.7.2… 5.7.3… 5.7.4 5.7.5… 5.8… 5.8.2.11… 5.9… 5.10… 5.11… 5.15… 5.15.11… 5.16… 5.17… 5.18… 5.19… 5.21… 5.22… 5.27… 5.28… 5.29… 5.30… 5.31… 5.32… 5.32.6… 5.33… 5.34… 5.35… 5.38… 5.43… 6… 6.3… 6.3.8… 7… 7.2… 8… 8.2.4 8.2.5… 8.3… A… D… E… F G… G.3 G.4… H… J K… M… N… O… P…

5.30 Support for non-public networks 5.30.1 General 5.30.2 Stand-alone Non-Public Networks 5.30.2.0 General 5.30.2.1 Identifiers 5.30.2.2 Broadcast system information 5.30.2.3 UE configuration and subscription aspects 5.30.2.4 Network selection in SNPN access mode 5.30.2.5 Network access control 5.30.2.6 Cell (re-)selection in SNPN access mode 5.30.2.7 Access to PLMN services via stand-alone non-public networks 5.30.2.8 Access to stand-alone non-public network services via PLMN 5.30.2.9 SNPN connectivity for UEs with credentials owned by Credentials Holder 5.30.2.10 Onboarding of UEs for SNPNs 5.30.2.10.2.1 General 5.30.2.10.2.2 Architecture 5.30.2.10.2.3 Broadcast system information 5.30.2.10.2.4 UE Configuration Aspects 5.30.2.10.2.5 Network selection 5.30.2.10.2.6 Registration for UE onboarding 5.30.2.10.2.7 Deregistration from the ON-SNPN for onboarding registered UE 5.30.2.10.3.1 General 5.30.2.10.3.2 Network selection and Registration 5.30.2.10.4.1 General 5.30.2.10.4.2 Onboarding configuration for the UE 5.30.2.10.4.3 User Plane Remote Provisioning of UEs when Onboarding Network is an ON-SNPN 5.30.2.10.4.4 User Plane Remote Provisioning of UEs when Onboarding Network is a PLMN 5.30.2.11 UE Mobility support for SNPN 5.30.2.12 Access to SNPN services via Untrusted non-3GPP access 5.30.2.13 Access to SNPN services via Trusted non-3GPP access 5.30.2.14 Access to SNPN services via wireline access network 5.30.2.15 Access to SNPN services for N5CW devices 5.30.3 Public Network Integrated NPN
...

5.30 Support for non-public networks |R16| p. 397

5.30.1 General p. 397

A Non-Public Network (NPN) is a 5GS deployed for non-public use, see TS 22.261. An NPN is either:

a Stand-alone Non-Public Network (SNPN), i.e. operated by an NPN operator and not relying on network functions provided by a PLMN, or
a Public Network Integrated NPN (PNI-NPN), i.e. a non-public network deployed with the support of a PLMN.

Stand-alone NPN are described in clause 5.30.2 and Public Network Integrated NPNs are described in clause 5.30.3.

5.30.2 Stand-alone Non-Public Networks p. 398

5.30.2.0 General p. 398

SNPN 5GS deployments are based on:

the architecture depicted in clause 4.2.3;
the architecture for 5GC with Untrusted non-3GPP access (Figure 4.2.8.2.1-1) for either access to SNPN services via a PLMN (and vice versa) or for direct access to SNPN via non-3GPP access;
the architecture for 5GC with Trusted non-3GPP access (Figure 4.2.8.2.1-2); and
the additional functionality covered in clause 5.30.2.

Alternatively, a Credentials Holder (CH) may authenticate and authorize access to an SNPN separate from the Credentials Holder based on the architecture specified in clause 5.30.2.9. Idle and connected mode mobility is supported as defined in clause 5.30.2.11.

Clauses 5.30.2.1 to 5.30.2.11 specify the common SNPN aspects applicable to both 3GPP and non-3GPP access, except where stated differently.

Aspects specific to Untrusted non-3GPP access for SNPN are specified in clause 5.30.2.12.

Aspects specific to Trusted non-3GPP access for SNPN are specified in clause 5.30.2.13.

Aspects specific to N5CW devices accessing SNPN services are specified in clause 5.30.2.15.

The following 5GS features and functionalities are not supported for SNPNs:

Interworking with EPS;
Emergency services when the UE accesses the SNPN over NWu via a PLMN;
Roaming, e.g. roaming between SNPNs. However, it is possible for a UE to access an SNPN with credentials from a CH as described in clause 5.30.2.9 and to move between equivalent SNPNs;
Handover between SNPN and PLMN or PNI-NPN;
CIoT 5GS Optimizations;
CAG; and
Proximity based Services (ProSe) as defined in TS 23.304.

A UE with two or more network subscriptions, where one or more network subscriptions may be for a subscribed SNPN, can apply procedures specified for Multi-USIM UEs as described in clause 5.38. The UE shall use a separate PEI for each network subscription when it registers to the network.

5.30.2.1 Identifiers p. 398

The combination of a PLMN ID and a Network identifier (NID) identifies an SNPN.

The NID shall support two assignment models:

Self-assignment: NIDs are chosen individually by SNPNs at deployment time (and may therefore not be unique) but use a different numbering space than the coordinated assignment NIDs as defined in TS 23.003.
Coordinated assignment: NIDs are assigned using one of the following two options:
1. The NID is assigned such that it is globally unique independent of the PLMN ID used; or
2. The NID is assigned such that the combination of the NID and the PLMN ID is globally unique.

The GIN shall support two assignment models:

Self-assignment: GINs are chosen individually and may therefore not be unique. It is defined as in TS 23.003; or
Coordinated assignment: GIN uses a combination of PLMN ID and NID and is assigned using one of the following two options as defined in TS 23.003:
1. The GIN is assigned such that the NID is globally unique (e.g. using IANA Private Enterprise Numbers) independent of the PLMN ID used; or
2. The GIN is assigned such that the combination of the NID and the PLMN ID is globally unique.

An optional human-readable network name helps to identify an SNPN during manual SNPN selection. The human-readable network name and how it is used for SNPN manual selection is specified in TS 22.261 and TS 23.122.

5.30.2.2 Broadcast system information p. 399

NG-RAN nodes or Trusted non-3GPP access networks which provide access to SNPNs broadcast the following information:

One or multiple PLMN IDs;
List of NIDs per PLMN ID identifying the non-public networks NG-RAN provides access to; and

NOTE 1:
It is assumed that an NG-RAN node supports broadcasting a total of twelve NIDs. Further details are defined in TS 38.331.

NOTE 2:
The presence of a list of NIDs for a PLMN ID indicates that the related PLMN ID and NIDs identify SNPNs.
Optionally:
- A human-readable network name per SNPN;
  
  NOTE 3:
  The human-readable network name per SNPN is only used for manual SNPN selection. If the SNPN supports Localized Service, the human-readable network name of the SNPN can be information related to the Localized Service. The mechanism how human-readable network name is provided (i.e. whether it is broadcasted or unicasted) to the UE is specified in TS 38.331.
- Information, as described in TS 38.300, TS 38.331 and in TS 38.304, to prevent UEs not supporting SNPNs from accessing the cell, e.g. if the cell only provides access to non-public networks;
- An indication per SNPN of whether access using credentials from a Credentials Holder is supported;
- List of supported Group IDs for Network Selection (GINs) per SNPN; and
- An indication per SNPN of whether the SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, i.e. UEs that do not have any PLMN ID and NID nor GIN broadcast by the SNPN in the Credentials Holder controlled prioritized lists of preferred SNPNs/GINs.
  
  NOTE 4:
  Further details (including number of supported GINs per SNPN) are defined in TS 38.331.

5.30.2.3 UE configuration and subscription aspects p. 400

An SNPN-enabled UE is configured with the following information for each subscribed SNPN:

PLMN ID and NID of the subscribed SNPN;
Subscription identifier (SUPI) and credentials for the subscribed SNPN;
Optionally, an N3IWF FQDN and the MCC of the country where the configured N3IWF is located;
Optionally, if the UE supports access to an SNPN using credentials from a Credentials Holder:
- User controlled prioritized list of preferred SNPNs;
- Credentials Holder controlled prioritized list of preferred SNPNs;
- Credentials Holder controlled prioritized list of GINs;
Optionally, if the UE supports access to an SNPN using credentials from a Credentials Holder and access to an SNPN providing access for Localized Services:
- User controlled prioritized list of preferred SNPNs;
- Credentials Holder controlled prioritized list of preferred SNPNs for accessing Localized Services, each entry of the list includes:
  - an SNPN identifier;
  - validity information; and
  - optionally, location assistance information;
- Credentials Holder controlled prioritized list of GINs for accessing Localized Services, each entry of the list includes:
  - a GIN;
  - validity information; and
  - optionally, location assistance information;
Protection scheme for concealing the SUPI as defined in TS 33.501.

Validity information consists of:

Time validity information, i.e. time periods (defined by start and end times) when access to the SNPN for accessing Localized Services is allowed; and
optionally, location validity information containing one or more location information as defined in TS 24.501.

Location assistance information consisting of:

Geolocation information, and/or,
Tracking Area information of serving networks, i.e. lists of TACs per PLMN ID or per PLMN ID and NID.

The UE may use the location assistance information to determine where to search for the SNPNs in the Credentials Holder controlled prioritized list of SNPNs and GINs for accessing Localized Services, i.e. the location assistance information is not used for any area restriction enforcement.

For an SNPN-enabled UE with SNPN subscription, the Credentials Holder controlled prioritized lists of preferred SNPNs and GINs, or Credentials Holder controlled prioritized lists of preferred SNPNs and GINs for accessing Localized Services may be updated by the Credentials Holder using the Steering of Roaming (SoR) procedure as defined in Annex C of TS 23.122. Updating Credentials Holder controlled prioritized lists of preferred SNPNs and GINs, or Credentials Holder controlled prioritized lists of preferred SNPNs and GINs for accessing Localized Services via the Steering of Roaming (SoR) procedure is not applicable for Credentials Holder with AAA Server.

A subscription of an SNPN is either:

identified by a SUPI containing a network-specific identifier that takes the form of a Network Access Identifier (NAI) using the NAI RFC 7542 based user identification as defined in clause 28.7.2 of TS 23.003. The realm part of the NAI may include the NID of the SNPN; or
identified by a SUPI containing an IMSI.

In the case of access to an SNPN using credentials owned by a Credentials Holder as specified in clause 5.30.2.9.2 and clause 5.30.2.9.3, the SUPI shall also contain identification for the Credentials Holder (i.e. the realm in the case of Network Specific Identifier based SUPI or the MCC and MNC in the case of an IMSI based SUPI). In the case of access to an SNPN using credentials owned by a Credentials Holder using AAA-S as specified in clause 5.30.2.9.2, only Network Specific Identifier based SUPI is supported.

An SNPN-enabled UE that supports access to an SNPN using credentials from a Credentials Holder and that is equipped with a PLMN subscription may additionally be configured with the following information for SNPN selection and registration using the PLMN subscription in SNPN access mode:

User controlled prioritized list of preferred SNPNs;
Credentials Holder controlled prioritized list of preferred SNPNs;
Credentials Holder controlled prioritized list of preferred GINs.
Optionally if the UE supports access to an SNPN providing access for Localized Services:
- Credentials Holder controlled prioritized list of preferred SNPNs for accessing Localized Services, each entry of the list includes:
  - an SNPN identifier;
  - validity information; and
  - optionally, location assistance information;
- Credentials Holder controlled prioritized list of preferred GINs for accessing Localized Services, each entry of the list includes:
  - a GIN;
  - validity information; and
  - optionally, location assistance information.

Validity information consists of:

Time validity information, i.e. time periods (defined by start and end times) when access to the SNPN for accessing Localized Services is allowed; and
optionally, location validity information containing one or more location information as defined in TS 24.501.

Location assistance information consisting of:

Geolocation information, and/or,
Tracking Area information of serving networks, i.e. lists of TACs per PLMN ID or per PLMN ID and NID.

For an SNPN-enabled UE with PLMN subscription, the Credentials Holder controlled prioritized lists of preferred SNPNs and GINs, or the Credentials Holder controlled prioritized lists of preferred SNPNs and GINs for accessing Localized Services may be updated by the Credentials Holder using the Steering of Roaming (SoR) procedure as defined in Annex C of TS 23.122.

When the Credentials Holder updates a UE with the Credentials Holder controlled prioritized lists of preferred SNPNs and GINs, and/or the Credentials Holder controlled prioritized lists of preferred SNPNs and GINs for accessing Localized Services, the UE may perform SNPN selection again, e.g. to potentially select a higher prioritized SNPN or to potentially select an SNPN that provides access for Localized Services.

5.30.2.4 Network selection in SNPN access mode p. 402

5.30.2.4.1 General |R17| p. 402

An SNPN-enabled UE supports the SNPN access mode. When the UE is set to operate in SNPN access mode the UE selects and registers with SNPNs over Uu as described in clause 5.30.2.4. Network selection in SNPN access mode for access to SNPN services via Untrusted non-3GPP access, Trusted non-3GPP access and Wireline access is specified in clause 5.30.2.12, clause 5.30.2.13 and clause 5.30.2.14 respectively. Access network selection in SNPN access mode for 5G NSWO is specified in clause 6.3.12b.

Emergency services are supported in SNPN access mode over Uu as defined in clause 5.16.4.1. Support for Emergency in SNPN access mode via Untrusted non-3GPP access is specified in clause 5.30.2.12.

If a UE is not set to operate in SNPN access mode, even if it is SNPN-enabled, the UE does not select and register with SNPNs. A UE not set to operate in SNPN access mode performs PLMN selection procedures as defined in clause 4.4 of TS 23.122. For a UE capable of simultaneously connecting to an SNPN and a PLMN, the setting for operation in SNPN access mode is applied to each of the Uu/Yt/NWu interfaces independently. Clause D.4 provides more details.

An SNPN-enabled UE that supports access to an SNPN using credentials from a Credentials Holder and that is equipped with a PLMN subscription needs to first enter SNPN access mode to be able to select SNPNs. Once the UE has entered SNPN access mode, SNPN selection is performed as described in clause 5.30.2.4. Once an SNPN has been selected the UE attempts registration in the SNPN using the PLMN credentials.

When a UE is set to operate in SNPN access mode the UE does not perform normal PLMN selection procedures as defined in clause 4.4 of TS 23.122.

UEs operating in SNPN access mode read the information described in clause 5.30.2.2 from the broadcast system information and take them into account during network selection. Furthermore, if the UE supports access to an SNPN providing access for Localized Services, and the end user enables to access the Localized Services the UE may select an SNPN providing access for Localized Services.

5.30.2.4.2 Automatic network selection |R17| p. 403

If the UE supports accessing an SNPN providing access for Localized Services and the end user enables to access Localized Services, for automatic network selection, the UE shall select and attempts registration on available SNPN in the following order:

if the UE supports access to an SNPN using Credentials from a Credentials Holder then the UE continues by selecting and attempting registration on available and allowable SNPNs which broadcasts the indication that access using credentials from a Credentials Holder is supported in the following order:
1. the SNPN with the validity information the UE was last registered with (if the validity information is met) or the SNPN's equivalent SNPN(s) (if available and the validity information of the SNPN that the UE was last registered with is met);
  
  NOTE 2:
  The equivalent SNPN(s) are assumed to provide access to the same Localized Services as the SNPN the UE was last registered with.
2. SNPNs in the Credentials Holder controlled prioritized list of preferred SNPNs for accessing Localized Services (in priority order) if the validity information is met;
3. SNPNs, which additionally broadcast a GIN contained in the Credentials Holder controlled prioritized list of preferred GINs for accessing Localized Services (in priority order) if validity information is met;
the SNPN without validity information the UE was last registered with (if available) or the equivalent SNPN (if available);
the subscribed SNPN, which is identified by the PLMN ID and NID for which the UE has SUPI and credentials;
the available and allowable SNPNs which broadcast the indication that access using credentials from a Credentials Holder is supported in the following order:
1. SNPNs in the user controlled prioritized list of preferred SNPNs (in priority order);
2. SNPNs in the Credentials Holder controlled prioritized list of preferred SNPNs (in priority order);
3. SNPNs, which additionally broadcast a GIN contained in the Credentials Holder controlled prioritized list of preferred GINs (in priority order);
4. SNPNs, which additionally broadcast an indication that the SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, i.e. the broadcasted NID or GIN is not present in the Credentials Holder controlled prioritized lists of preferred SNPNs/GINs, nor in the Credentials Holder controlled prioritized lists of preferred SNPNs/GINs for accessing Localized Services in the UE.

If the location validity information is not available and the time validity information is available, the validity conditions are met when the time validity conditions are met. If both the location validity information and the time validity information are available, the validity conditions are met when both the time validity conditions and the location validity conditions are met.

If the UE supports accessing an SNPN providing access for Localized Services and the end user enables to access Localized Services, the UE shall periodically attempt reselection and registration on a higher priority SNPN 1) based on the order of the above sub-bullets (i) to (iii) of bullet (a), bullet (c), sub-bullets (i) to (iii) of bullet (d) if the UE is not registered to the sub-bullet (i) of bullet (a) or 2) based on the order of the above sub-bullets (ii) to (iii) of bullet (a), bullet (c), sub-bullets (i) to (iii) of bullet (d) if the UE is registered to the sub-bullet (i) of bullet (a) if any of the below conditions is met:

if there are one or more SNPNs with validity information which is met, and the UE is not registered to an SNPN which has highest priority among the one or more SNPNs; or
if there is no SNPN with validity information which is met, and there are one or more GINs with the validity information which is met, and the UE is not registered to an SNPN broadcasting a GIN which has highest priority among the one or more GINs; or
if there is no SNPN with validity information which is met and there is no GIN with validity information which is met, and the UE is not registered to the subscribed SNPN

Otherwise, the UE does not trigger periodic reselection and does not attempt registration on a higher priority SNPN.

If the selected SNPN is an SNPN providing access for Localized Services, and the validity condition for the selected SNPN changes from met to not met, the UE may attempt selection and registration on an SNPN based on the above bullets (a) to (d).

If the selected SNPN is not an SNPN providing access for Localized Services and a validity condition for an entry in Credentials Holder controlled prioritized list of preferred SNPNs/GINs for accessing Localized Services changes from not met to met, the UE may attempt selection and registration on an SNPN based on the above bullets (a) to (d).

If the UE does not support to access an SNPN providing access for Localized Services or the end user does not enable to access the Localized Services, for automatic network selection the UE shall select and attempts registration on available and allowable SNPNs in the following order:

the SNPN without validity information the UE was last registered with (if available) or the equivalent SNPN (if available);
the subscribed SNPN, which is identified by the PLMN ID and NID for which the UE has SUPI and credentials;
If the UEs supports access to an SNPN using credentials from a Credentials Holder then the UE continues by selecting and attempting registration on available and allowable SNPNs which broadcast the indication that access using credentials from a Credentials Holder is supported in the following order:
- SNPNs in the user controlled prioritized list of preferred SNPNs (in priority order);
- SNPNs in the Credentials Holder controlled prioritized list of preferred SNPNs (in priority order);
- SNPNs, which additionally broadcast a GIN contained in the Credentials Holder controlled prioritized list of preferred GINs (in priority order);
  
  NOTE 4:
  If multiple SNPNs are available that broadcast the same GIN, the order in which the UE selects and attempts a registration with those SNPNs is implementation specific.
- SNPNs, which additionally broadcast an indication that the SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, i.e. the broadcasted NID or GIN is not present in the Credentials Holder controlled prioritized lists of preferred SNPNs/GINs in the UE.
  
  NOTE 5:
  If multiple SNPNs are available that broadcast the indication that the SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, the order in which the UE selects and attempts a registration with those SNPNs is implementation specific.

When a UE performs Registration or Service Request to an SNPN, the UE shall indicate the PLMN ID and NID as broadcast by the selected SNPN to NG-RAN. NG-RAN shall inform the AMF of the selected PLMN ID and NID.

5.30.2.4.3 Manual network selection |R17| p. 405

For manual network selection UEs operating in SNPN access mode provide to the user the list of SNPNs (each is identified by a PLMN ID and NID) and related human-readable names (if available) of the available SNPNs the UE has respective SUPI and credentials for. If the UEs supports access to an SNPN using credentials from a Credentials Holder, the UE also presents available SNPNs which broadcast the "access using credentials from a Credentials Holder is supported" indication and the human-readable names related to the SNPNs (if available).

When a UE performs Initial Registration to an SNPN, the UE shall indicate the selected PLMN ID and NID as broadcast by the selected SNPN to NG-RAN. NG-RAN shall inform the AMF of the selected PLMN ID and NID.

5.30.2.5 Network access control p. 405

If a UE performs the registration or service request procedure in an SNPN identified by a PLMN ID and a self-assigned NID and there is no subscription for the UE, then the AMF shall reject the UE with an appropriate cause code to temporarily prevent the UE from automatically selecting and registering with the same SNPN.

If a UE performs the registration or service request procedure in an SNPN identified by a PLMN ID and a coordinated assigned NID and there is no subscription for the UE, then the AMF shall reject the UE with an appropriate cause code to permanently prevent the UE from automatically selecting and registering with the same SNPN.

If a UE performs the registration in an SNPN using credentials from a Credentials Holder (i.e. the CH is the PLMN/SNPN that owns the UE subscription and controls the access) and the Credentials Holder does not authorize the UE to access that specific SNPN due to access authorization based on subscription data or invalid time for accessing an SNPN that provides access to Localized Services, then the UDM, in the Credentials Holder, can reject the UE which results in AMF rejecting the registration request from the UE with an appropriate cause code to prevent the UE from automatically selecting and registering with the same SNPN using credentials from the Credentials Holder as described in TS 24.501.

In order to prevent access to SNPNs for authorized UE(s) in the case of network congestion/overload, Unified Access Control information is configured per SNPN (i.e. as part of the subscription information that the UE has for a given SNPN) and provided to the UE as described in TS 24.501.

5.30.2.6 Cell (re-)selection in SNPN access mode p. 405

UEs operating in SNPN access mode only select cells and networks broadcasting both PLMN ID and NID of the selected SNPN or its equivalent SNPN.

5.30.2.7 Access to PLMN services via stand-alone non-public networks p. 405

To access PLMN services, a UE in SNPN access mode that has successfully registered with an SNPN may perform another registration via the SNPN User Plane with a PLMN (using the credentials of that PLMN) following the same architectural principles as specified in clause 4.2.8 (including the optional support for PDU Session continuity between PLMN and SNPN using the Handover of a PDU Session procedures in clauses 4.9.2.1 and 4.9.2.2 of TS 23.502) and the SNPN taking the role of "Untrusted non-3GPP access". Annex D, clause D.3 provides additional details.

NOTE:

QoS differentiation in the SNPN can be provided on per-IPsec Child Security Association basis by using the UE or network requested PDU Session Modification procedure described in clause 4.3.3.2 of TS 23.502. In the PLMN, N3IWF determines the IPsec child SAs as defined in clause 4.12 of TS 23.502. The N3IWF is preconfigured by PLMN to allocate different IPsec child SAs for QoS Flows with different QoS profiles.

To support QoS differentiation in the SNPN with network-initiated QoS, the mapping rules between the SNPN and the PLMN are assumed to be governed by an SLA including: 1) mapping between the DSCP markings for the IPsec child SAs on NWu and the corresponding QoS, which is the QoS requirement of the PLMN and is expected to be provided by the SNPN, and 2) N3IWF IP address(es) in the PLMN. The non-alteration of the DSCP field on NWu is also assumed to be governed by an SLA and by transport-level arrangements that are outside of 3GPP scope. The packet detection filters in the SNPN can be based on the N3IWF IP address and the DSCP markings on NWu.

To support QoS differentiation in the SNPN with UE-requested QoS, the UE can request for an IPsec SA the same 5QI from the SNPN as the 5QI provided by the PLMN. It is assumed that UE-requested QoS is used only when the 5QIs used by the PLMN are from the range of standardized 5QIs. The packet filters in the requested QoS rule can be based on the N3IWF IP address and the SPI associated with the IPsec SA.

Refer to clause D.7 for details on how to support QoS differentiation.

When the UE accesses the PLMN over NWu via a SNPN, the AMF in the serving PLMN shall send an indication toward the UE during the Registration procedure to indicate whether an IMS voice over PS session is supported or not.

5.30.2.8 Access to stand-alone non-public network services via PLMN p. 406

To access SNPN services, a UE that has successfully registered with a PLMN over 3GPP access may perform another registration via the PLMN User Plane with an SNPN (using the credentials of that SNPN) following the same architectural principles as specified in clause 4.2.8 (including the optional support for PDU Session continuity between PLMN and SNPN using the Handover of a PDU Session procedures in clauses 4.9.2.1 and 4.9.2.2 of TS 23.502) and the PLMN taking the role of "Untrusted non-3GPP access" of the SNPN, i.e. using the procedures for Untrusted non-3GPP access in clause 4.12.2 of TS 23.502. Annex D, clause D.3 provides additional details. The case where UE that has successfully registered with a PLMN over non-3GPP access to access SNPN services is not specified in this Release.

NOTE:

QoS differentiation in the PLMN can be provided on per-IPsec Child Security Association basis by using the UE or network requested PDU Session Modification procedure described in clause 4.3.3.2 of TS 23.502. In the SNPN, N3IWF determines the IPsec child SAs as defined in clause 4.12 of TS 23.502. The N3IWF is preconfigured by SNPN to allocate different IPsec child SAs for QoS Flows with different QoS profiles.

To support QoS differentiation in the PLMN with network-initiated QoS, the mapping rules between the PLMN and the SNPN are assumed to be governed by an SLA including: 1) mapping between the DSCP markings for the IPsec child SAs on NWu and the corresponding QoS, which is the QoS requirement of the SNPN and is expected to be provided by the PLMN, and 2) N3IWF IP address(es) in the SNPN. The non-alteration of the DSCP field on NWu is also assumed to be governed by an SLA and by transport-level arrangements that are outside of 3GPP scope. The packet detection filters in the PLMN can be based on the N3IWF IP address and the DSCP markings on NWu.

To support QoS differentiation in the PLMN with UE-requested QoS, the UE can request for an IPsec SA the same 5QI from the PLMN as the 5QI provided by the SNPN. It is assumed that UE-requested QoS is used only when the 5QIs used by the SNPN are from the range of standardized 5QIs. The packet filters in the requested QoS rule can be based on the N3IWF IP address and the SPI associated with the IPsec SA.

Refer to clause D.7 for details on how to support QoS differentiation.

When the UE accesses the SNPN over NWu via a PLMN, the AMF in the SNPN shall send an indication toward the UE during the Registration procedure to indicate whether an IMS voice over PS session is supported or not.

5.30.2.9 SNPN connectivity for UEs with credentials owned by Credentials Holder |R17| p. 406

5.30.2.9.1 General p. 406

SNPNs may support UE access using credentials owned by a Credentials Holder separate from the SNPN. In this case the Session Management procedures (i.e. PDU Sessions) terminate in an SMF in the SNPN.

When an SNPN supports UE access using credentials assigned by a Credentials Holder separate from the SNPN, it is assumed that is supported homogeneously within the whole SNPN.

Credentials Holder using AAA Server for primary authentication and authorization is described in clause 5.30.2.9.2 and Credentials Holder using AUSF and UDM for primary authentication and authorization is described in clause 5.30.2.9.3.

5.30.2.9.2 Credentials Holder using AAA Server for primary authentication and authorization p. 407

The AUSF and the UDM in SNPN may support primary authentication and authorization of UEs using credentials from a AAA Server in a Credentials Holder (CH).

Only NSI based SUPI is supported and the SUPI is used to identify the UE during primary authentication and authorization towards the AAA Server. SUPI privacy is achieved according to methods in clause I.5 of TS 33.501.
The AMF discovers and selects the AUSF as described in clause 6.3.4 using the Home Network Identifier (realm part) and Routing Indicator present in the SUCI provided by a UE configured as described in clause 5.30.2.3.
The AMF selects the UDM in the same SNPN, based on local configuration (e.g. using the realm part of the SUCI), or using the NRF procedure defined in clause 4.17.4a of TS 23.502.
If the UDM decides that the primary authentication is performed by AAA Server in CH based on the UE's SUPI and subscription data. The Home Network Identifier, is derived by UDM from the SUCI received from AUSF. If the SUCI was generated using a privacy protection scheme that requires de-concealment, UDM de-conceal the SUCI as defined in TS 33.501. The UDM then instructs the AUSF that primary authentication by a AAA Server in a CH is required, the AUSF shall discover and select the NSSAAF, and then forward EAP messages to the NSSAAF. The NSSAAF selects AAA Server based on the domain name corresponds to the realm part of the SUPI, relays EAP messages between AUSF and AAA Server (or AAA proxy) and performs related protocol conversion. The AAA Server acts as the EAP Server for the purpose of primary authentication.

NOTE 1:
The UDM in SNPN, based on SLA between Credentials Holder and SNPN, is pre-configured with information indicating whether the UE needs primary authentication from AAA Server.

NOTE 2:
It is assumed that the SNPN is configured on per Home Network Identifier basis to determine whether to perform primary authentication with AUSF/UDM or AAA server.
The AMF and SMF shall retrieve the UE subscription data from UDM using SUPI.

Figure 5.30.2.9.2-1 depicts the 5G System architecture for SNPN with Credentials Holder using AAA Server for primary authentication and authorization.

Reproduction of 3GPP TS 23.501, Fig. 5.30.2.9.2-1: 5G System architecture with access to SNPN using credentials from Credentials Holder using AAA Server

Figure 5.30.2.9.2-1: 5G System architecture with access to SNPN using credentials from Credentials Holder using AAA Server

5.30.2.9.3 Credentials Holder using AUSF and UDM for primary authentication and authorization p. 408

An SNPN may support primary authentication and authorization of UEs that use credentials from a Credentials Holder using AUSF and UDM. The Credentials Holder may be an SNPN or a PLMN. The Credentials Holder UDM provides to SNPN the subscription data.

Optionally, an SNPN may support network slicing (including Network Slice-Specific Authentication and Authorization, Network Slice Access Control and subscription-based restrictions to simultaneous registration of network slices) for UEs that use credentials from a Credentials Holder using AUSF and UDM. The SNPN retrieves NSSAA and NSSRG information from the UDM of the Credentials Holder.

Figure 5.30.2.9.3-1 depicts the 5G System architecture for SNPN with Credentials Holder using AUSF and UDM for primary authentication and authorization and network slicing.

Reproduction of 3GPP TS 23.501, Fig. 5.30.2.9.3-1: 5G System architecture with access to SNPN using credentials from Credentials Holder using AUSF and UDM

Figure 5.30.2.9.3-1: 5G System architecture with access to SNPN using credentials from Credentials Holder using AUSF and UDM

5.30.2.10 Onboarding of UEs for SNPNs |R17| p. 409

5.30.2.10.1 General p. 409

Onboarding of UEs for SNPNs allows the UE to access an Onboarding Network (ONN) for the purpose of provisioning the UE with SNPN credentials for primary authentication and other information to enable access to a desired SNPN, i.e. (re-)select and (re-)register with SNPN.

To provision SNPN credentials in a UE that is configured with Default UE credentials (see clause 5.30.2.10.2.4), the UE selects an SNPN as ONN and establishes a secure connection with that SNPN referred to as Onboarding SNPN (ON-SNPN), see more details in clause 5.30.2.10.2.

To provision SNPN credentials in a UE that is equipped with a USIM configured with PLMN credentials, the UE selects a PLMN as ONN and establishes a secure connection with that PLMN, see more details in clause 5.30.2.10.3.

After the secure connection is established, the UE is provisioned with SNPN credentials and possibly other data to enable discovery, (re-)selection and (re-)registration for a desired SNPN, see more details in clause 5.30.2.10.4.

ON-SNPN and SO-SNPN can be roles taken by either an SNPN or different SNPNs. It is possible for the same network to be in both roles with respect to a specific UE.

5.30.2.10.2 Onboarding Network is an SNPN p. 409

5.30.2.10.2.1 General p. 409

A UE configured with Default UE credentials may register with an ON-SNPN for the provisioning of SO-SNPN credentials.

5.30.2.10.2.2 Architecture p. 409

Figure 5.30.2.10.2.2-1, Figure 5.30.2.10.2.2-2 and Figure 5.30.2.10.2.2-3 depict the architecture for Onboarding of UEs in an ON-SNPN.

Reproduction of 3GPP TS 23.501, Fig. 5.30.2.10.2.2-1: Architecture for UE Onboarding in ON-SNPN when the DCS includes an AUSF and a UDM

Figure 5.30.2.10.2.2-1: Architecture for UE Onboarding in ON-SNPN when the DCS includes an AUSF and a UDM

Reproduction of 3GPP TS 23.501, Fig. 5.30.2.10.2.2-2: Architecture for UE Onboarding in ON-SNPN when the DCS includes a AAA Server used for primary authentication

Figure 5.30.2.10.2.2-2: Architecture for UE Onboarding in ON-SNPN when the DCS includes a AAA Server used for primary authentication

Reproduction of 3GPP TS 23.501, Fig. 5.30.2.10.2.2-3: Architecture for UE Onboarding in ON-SNPN when the DCS is not involved during primary authentication

Figure 5.30.2.10.2.2-3: Architecture for UE Onboarding in ON-SNPN when the DCS is not involved during primary authentication

When the DCS is involved during mutual primary authentication during the Onboarding procedure (as in Figure 5.30.2.10.2.2-1 and Figure 5.30.2.10.2.2-2), the following applies:

When the DCS includes an AUSF and a UDM functionality, then the AMF selects AUSF in the DCS domain. The ON-SNPN and DCS domain are connected via N32 and SEPP which are not shown in the Figure 5.30.2.10.2.2-1.
When the DCS includes a AAA Server functionality, only NSI based SUPI is supported and the AMF selects AUSF in the ON-SNPN. Based on local configuration (e.g. using the realm part of the Onboarding SUCI), the AUSF skips the UDM selection and directly performs primary authentication towards DCS with AAA Server functionality using Default UE credentials for primary authentication. The AUSF uses an NSSAAF (and the NSSAAF may use a AAA-P which is not shown in the Figure 5.30.2.10.2.2-2) to relay EAP messages towards the DCS including a AAA Server. The NSSAAF selects AAA Server based on the domain name corresponding to the realm part of the SUPI.

NOTE 5:
The AMF in ON-SNPN uses the Home Network Identifier of the Onboarding SUCI to select the DCS. It is assumed that the ON-SNPN is configured on per Home Network Identifier basis to determine whether to perform primary authentication with AUSF/UDM or AAA server.
Upon establishment of the PDU Session used for User Plane Remote Provisioning the ON-SNPN may trigger secondary authentication procedure, as described in clause 4.3.2.3 of TS 23.502, with a DN-AAA using Default UE credentials for secondary authentication as described in clause I.9.2.4 of TS 33.501.

When the DCS is not involved during primary authentication (as in Figure 5.30.2.10.2.2-3), the following applies:

The AMF selects a local AUSF as described in clause 5.30.2.10.2.6 and performs primary authentication towards the local AUSF using Default UE credentials for primary authentication as described in TS 33.501.
Upon establishment of the PDU Session used for User Plane Remote Provisioning the ON-SNPN may trigger secondary authentication procedure, as described in clause 4.3.2.3 of TS 23.502, with the DCS or with a DN-AAA server using Default UE credentials for secondary authentication, as described in clause I.9.2.4 of TS 33.501. When secondary authentication is used, the SMF identifies the DCS or the DN-AAA server as defined in clause 4.3.2.3 of TS 23.502.

5.30.2.10.2.3 Broadcast system information p. 409

When the SNPN supports Onboarding of UEs for SNPNs (i.e. the SNPN can be used as ON-SNPN), the NG-RAN node or the Trusted non-3GPP access network providing access to SNPN additionally broadcasts the following information:

An onboarding enabled indication that indicates whether onboarding is currently enabled for the SNPN. For access to SNPN via NG-RAN the onboarding enabled indication is broadcasted per cell e.g. to allow start of the onboarding procedure only in parts of the SNPN.

5.30.2.10.2.4 UE Configuration Aspects p. 409

A UE enabled to support UE Onboarding, shall be pre-configured with Default UE credentials, and the UE may be pre-configured with ON-SNPN selection information. The Default UE credentials consist of credentials for primary authentication and optionally credentials for secondary authentication, as described in clause I.9 of TS 33.501.

The UE uses the ON-SNPN selection information for selection of ON-SNPN (see clause 5.30.2.10.2.5).

The UE Configuration Data for UP Remote Provisioning is described in the clause 5.30.2.10.4.2.

5.30.2.10.2.5 Network selection p. 409

This clause applies only when the UE is in SNPN access mode.

When the UE wants to perform UE onboarding via an SNPN, the UE shall perform ON-SNPN selection as described below. An ON-SNPN is an SNPN providing onboarding access and enabling remote provisioning for a UE registered for onboarding as specified in clause 4.2.2.2.4 of TS 23.502.

For automatic or manual selection, the UE may select and attempt to register to an ON-SNPN which broadcast the Onboarding enabled indication described in clause 5.30.2.10.2.3 and matches the pre-configured ON-SNPN selection information such as SNPN network identifier and/or GIN(s) (if available) described in clause 5.30.2.10.2.4 according to the UE implementation-specific logic. If the registration fails, the UE may select and attempt to register to a different ON-SNPN as defined in clause 4.9.3.1.3 or clause 4.9.3.1.4 of TS 23.122.

5.30.2.10.2.6 Registration for UE onboarding p. 409

When the user or UE has selected an ON-SNPN according to clause 5.30.2.10.2.5, the UE establishes an RRC connection towards the NG-RAN node of the ON-SNPN. The UE provides an indication in RRC Connection Establishment that the RRC connection is for onboarding as defined in TS 38.331. This indication allows the NG-RAN node to select an appropriate AMF that supports the UE onboarding procedures. The UE indicates the ON-SNPN as the selected network, and the NG-RAN node shall indicate the selected PLMN ID and NID of the ON-SNPN to the AMF.

The UE shall initiate the NAS registration procedure by sending a NAS Registration Request message with the following characteristics:

The UE shall set the 5GS Registration Type to the value "SNPN Onboarding" indicating that the registration request is for onboarding.
The UE shall provide a SUCI derived from a SUPI as specified in TS 23.003 and TS 33.501. The SUPI shall uniquely identify the UE and shall be derived from the Default UE credentials for primary authentication. The SUPI used for onboarding may contain an IMSI or a network-specific identifier. The ON-SNPN may determine the corresponding DCS identity or address/domain, based on the SUCI (i.e. based on the Home Network Identifier of the SUCI).

The UE does not include a Requested NSSAI in NAS signalling when it registers for UE onboarding purposes to the ON-SNPN.

The AMF supporting UE onboarding is configured with AMF Onboarding Configuration Data that includes e.g.:

S-NSSAI and DNN to be used for onboarding or a configured SMF for the S-NSSAI and DNN used for onboarding.
Information to use a local AUSF(s) within the ON-SNPN for onboarding of UEs with a SUCI for a DCS with AAA Server or for onboarding of UEs in the case where the DCS is not involved during primary authentication.

When the AMF receives a NAS Registration Request with a 5GS Registration Type set to "SNPN Onboarding", the AMF:

starts an authentication procedure towards the AUSF, the authentication procedure is specified in TS 33.501. The AMF may be provided with PVS IP address(es) or PVS FQDN(s) from the DCS during authentication procedure. The AMF selects an appropriate AUSF as described in clause 6.3.4 based on the Home Network Identifier of the SUCI used during onboarding or based on local configuration in the AMF.
applies the AMF Onboarding Configuration Data e.g. used to restrict UE network usage to only onboarding for User Plane Remote Provisioning of UE as described in clause 5.30.2.10.4.3.
stores in the UE context in AMF an indication that the UE is registered for SNPN onboarding.
shall handle the list of equivalent SNPNs as described in TS 24.501.

Upon successful authentication from AUSF, the AMF informs the UE about the result of the registration. If the UE is not successfully authenticated, the AMF shall reject the registration procedure for onboarding, and the UE may select a different ON-SNPN to attempt to register.

5.30.2.10.2.7 Deregistration from the ON-SNPN for onboarding registered UE p. 410

Once remote provisioning of SO-SNPN credentials is completed, the UE should initiate deregistration from the ON-SNPN.

Based on ON-SNPN policies, the AMF may start an implementation specific timer once the UE has registered to the ON-SNPN for the purpose of onboarding. Expiry of this timer triggers the AMF to deregister the onboarding registered UE from the ON-SNPN.

The AMF may also deregister the UE when it determines that the PDU Session used for User Plane Remote Provisioning has been released by the SMF.

When AMF re-allocation occurs for a UE registered for SNPN onboarding during mobility registration update procedure as described in clause 4.2.2.2.4 of TS 23.502 or during N2 based handover as described in clause 4.9.1.3 of TS 23.502 the new AMF supporting SNPN Onboarding should be selected as described in clause 6.3.5. If the new AMF receives in UE context the indication that the UE is registered for SNPN onboarding, the new AMF may start an implementation specific timer for when to deregister the UE when the new AMF completes the Registration procedure (i.e. sends Registration Accept to the UE) or completes the N2 based handover procedure.

5.30.2.10.3 Onboarding Network is a PLMN p. 414

5.30.2.10.3.1 General p. 414

A UE configured with PLMN credentials in USIM for primary authentication may register with a PLMN for the provisioning of SO-SNPN credentials.

5.30.2.10.3.2 Network selection and Registration p. 414

This clause applies only when the UE is not in SNPN access mode.

When the UE is using PLMN credentials for accessing a PLMN as the Onboarding Network (ONN), then regular network selection, as per TS 23.122 and regular initial registration procedures apply, as per TS 23.502. After successfully registering to the ON-PLMN, the UE is provisioned with the SO-SNPN credentials via User Plane as in clause 5.30.2.10.4.4.

5.30.2.10.4 Remote Provisioning of UEs in Onboarding Network p. 414

5.30.2.10.4.1 General p. 414

Remote Provisioning of UEs that registered with an Onboarding Network enables provisioning the UE with SNPN credentials for primary authentication and other information to enable access to the desired SNPN.

Onboarding Services are provided using a PDU Session for DNN and S-NSSAI used for onboarding allowing remote provisioning of UEs via User Plane. The PDU Session may be restricted only to be used for Remote Provisioning of the UE.

5.30.2.10.4.2 Onboarding configuration for the UE p. 414

In order to enable UP Remote Provisioning of SNPN credentials for a UE, UE Configuration Data for User Plane Remote Provisioning are either pre-configured on the UE or provided by the ONN. UE Configuration Data for User Plane Remote Provisioning provided by the ONN take precedence over corresponding configuration data stored in the UE.

UE Configuration Data for User Plane Remote Provisioning consist of PVS IP address(es) and/or PVS FQDN(s).

If the UE does not have any PVS IP address or PVS FQDN after the establishment of the PDU Session used for User Plane Remote Provisioning, the UE may construct an FQDN for PVS discovery as defined in TS 23.003.

The UE Configuration Data for User Plane Remote Provisioning may be stored in the ME.

The UE Configuration Data for User Plane Remote Provisioning (i.e. PVS IP address(es) or PVS FQDN(s), or both) may be:

locally configured in the SMF of ONN; and/or
provided by the DCS to the AMF of ON-SNPN as part of the authentication procedure as specified in TS 33.501 and sent by the AMF in the Nsmf_PDUSession_CreateSMContext Request message to the SMF

If the SNPN acting as ON-SNPN is not capable to provide access to Localized Services, the PVS IP address(es) and/or PVS FQDN(s) provided by the DCS take precedence over the locally configured PVS IP address(es) and/or PVS FQDN(s) in the ON-SNPN. If the SNPN acting as ON-SNPN is capable to provides access to Localized Services, the SMF should include both DCS provided and the locally configured PVS IP address(es) and/or PVS FQDN(s), in the UE Configuration Data for User Plane Remote Provisioning.

If the PCF is used for User Plane Remote Provisioning, the SMF provides the UE Configuration Data to the PCF as described in clause 5.30.2.10.4.3.

The UE Configuration Data for User Plane Remote Provisioning may be provided to the UE during the establishment of the PDU Session used for User Plane Remote Provisioning as part of Protocol Configuration Options (PCO) in the PDU Session Establishment Response.

5.30.2.10.4.3 User Plane Remote Provisioning of UEs when Onboarding Network is an ON-SNPN p. 414

The AMF selects an SMF used for User Plane Remote Provisioning using the SMF discovery and selection functionality as described in clause 6.3.2. The S-NSSAI and DNN of the AMF Onboarding Configuration Data may be used to discover and select an SMF for User Plane Remote Provisioning. Alternatively, for SMF selection, the AMF Onboarding Configuration Data may contain a configured SMF for the S-NSSAI and DNN used for onboarding. The AMF provides Onboarding Indication to SMF via Nsmf_PDUSession_CreateSMContext request message when a PDU Session used for User Plane Remote Provisioning is established. During PDU Session establishment for remote provisioning, the AMF may provide the PVS IP address(es) and/or PVS FQDN(s) to the SMF.

When a UPF is selected for User Plane Remote Provisioning, the UPF selection function described in clause 6.3.3 for normal services is applied considering the S-NSSAI and DNN used for onboarding.

The SMF or the PCF may store S-NSSAI and DNN information used for onboarding. Onboarding Configuration Data available to PCF (for details see TS 23.503) and/or SMF may include PVS FQDN(s) and/or PVS IP address(es). The SMF and the PCF may use Onboarding Indication and DNN and S-NSSAI used for onboarding to access the Onboarding Configuration Data.

When the UE registered for Onboarding (i.e. 5GS Registration Type is set to the value "SNPN Onboarding") successfully completes the User Plane Remote Provisioning of SNPN credentials via the Onboarding Network, then the UE should deregister from the Onboarding Network.

Initial QoS parameters used for User Plane Remote Provisioning are configured in the SMF when dynamic PCC is not used.

Dynamic PCC may be used for a PDU Session used for User Plane Remote Provisioning as described in TS 23.503. If a PCF is used and the AMF provided an Onboarding Indication, the SMF provides Onboarding Indication to the PCF when requesting an SM Policy Association. The SMF may provide the UE Configuration Data (i.e. PVS IP address(es) and/or PVS FQDN(s)) to the PCF when requesting an SM Policy Association.

The QoS Flows of a restricted PDU Session, which is associated with the S-NSSAI/DNN used for Onboarding, shall be dedicated to Onboarding Services. The SMF may configure in the UPF PDR(s) and FAR(s) including PVS and DNS server IP addresses to block any traffic that is not from or to PVS and DNS server addresses.

If the UE is registered for Onboarding (i.e. 5GS Registration Type is set to the value "SNPN Onboarding"), the network should apply S-NSSAI and DNN in the Onboarding Configuration Data for the PDU Session Establishment request from the UE.

5.30.2.10.4.4 User Plane Remote Provisioning of UEs when Onboarding Network is a PLMN p. 415

Subscription data of such a UE shall contain the DNN and S-NSSAI used for onboarding.

The AMF selects an SMF used for User Plane Remote Provisioning using the SMF discovery and selection functionality as described in clause 6.3.2, considering the DNN and S-NSSAI used for onboarding provided by the UE or the default DNN and S-NSSAI provided by UDM.

The UPF selection function described in clause 6.3.3 is applied, considering the DNN and S-NSSAI used for onboarding.

The SMF may be configured with one or more PVS FQDN(s) and/or PVS IP address(es) per DNN and S-NSSAI used for onboarding. When the UE requests a PDU Session used for User Plane Remote Provisioning by using DNN and S-NSSAI used for onboarding, the SMF sends the PVS FQDN(s) and/or PVS IP address(es) associated to the DNN and S-NSSAI of the PDU Session to the UE as part of Protocol Configuration Options (PCO) in the PDU Session Establishment Response if the following conditions are met:

the UE subscription data contains the DNN and S-NSSAI used for onboarding; and
the SMF has obtained the PVS FQDN(s) and/or PVS IP address(es) associated to the DNN and S-NSSAI of the PDU Session from local configuration; and
the UE has requested PVS information via PCO in PDU Session Establishment Request.

5.30.2.11 UE Mobility support for SNPN |R17| p. 416

If the UE moves its 3GPP access between SNPN and PLMN, the network selection is performed as specified in TS 23.122 and UE performs initial registration as specified in clause 4.2.2.2.2 of TS 23.502.

If the UE moves its 3GPP access between SNPNs, the network selection is performed as specified in TS 23.122, then the UE performs initial or mobility registration as specified in clause 4.2.2.2.2 of TS 23.502.

If the UE and network supports equivalent SNPNs, the AMF may provide list of equivalent SNPNs to the UE and NG-RAN. The UE may move its 3GPP access to the SNPN in the list of equivalent SNPNs without performing network selection. A UE supporting equivalent SNPNs gets a new registered SNPN ID during the Registration procedure if serving SNPN is changed.

5.30.2.12 Access to SNPN services via Untrusted non-3GPP access |R18| p. 417

Access to SNPN services via Untrusted non-3GPP access network follows the specification in the previous 5.30.2 clauses with the differences as specified in this clause.

N3IWF selection is supported as follows:

When UE registers to SNPN with credentials owned by the SNPN, UE uses the same N3IWF selection procedure as specified for access to stand-alone non-public network services via PLMN in clause 6.3.6.2a.

Emergency services are supported as follows:

UE initiates N3IWF selection for emergency services when the UE detects a user request for emergency session and determines that Untrusted non-3GPP access is to be used for the emergency access. The UE in SNPN access mode the following:
- If the UE determines that it is located in the same country as the configured N3IWF of the subscribed SNPN, the UE uses the configured N3IWF FQDN for N3IWF selection.
- Otherwise, the UE performs a DNS query using the Visited Country Emergency SNPN FQDN, as specified in clause 28.3.2.2.6.3 of TS 23.003 to determine which SNPNs in the visited country support emergency services in untrusted non-3GPP access via N3IWF; and:
- If the DNS response contains one or more records, the UE selects an SNPN that supports emergency services in untrusted non-3GPP access via N3IWF based on UE implementation specific methods. Each record in the DNS response shall contain the identity of an SNPN (i.e. SNPN ID) in the visited country supporting emergency services in untrusted non-3GPP access via N3IWF.
  
  NOTE 1:
  Self-assigned NIDs are not supported, since a DNS cannot be properly configured for multiple SNPNs using the same self-assigned NID (i.e. in collision scenarios).
- Once the UE has selected an SNPN, the UE selects an N3IWF for Emergency for the selected SNPN, as specified in TS 23.003.
When an N3IWF has been selected, the UE initiates an Emergency Registration. If the Emergency Registration fails, the UE shall select another SNPN supporting emergency services in untrusted non-3GPP access.
If the DNS response of the Visited Country Emergency SNPN FQDN does not contain any record, or if the DNS response contains one or more records but the UE fails to select an SNPN that supports emergency services in untrusted non-3GPP access, or if the Emergency Registration procedure has failed for all SNPNs supporting emergency services in untrusted non-3GPP access, the UE deactivates the SNPN access mode over NWu and attempts emergency services via PLMN untrusted non-3GPP access, by following the N3IWF selection procedure as defined in clause 6.3.6.4.2.

NOTE 2:
If the UE determines that it is located in a different country as the configured N3IWF of the subscribed SNPN, the UE can deactivate the SNPN access mode over NWu and attempts emergency services via PLMN untrusted non-3GPP access, by following the N3IWF selection procedure defined in clause 6.3.6.4.2, without performing a DNS query using the Visited Country Emergency SNPN FQDN.

UE onboarding is supported as follows:

When UE registers to SNPN over Untrusted non-3GPP access for UE Onboarding, if the UE determines that it is located in the country where the configured N3IWF for onboarding is located, the UE may select the N3IWF in the SNPN which supports UE Onboarding by using the configured N3IWF FQDN used for Onboarding.
If the UE determines that it is located in a country different from the country where the configured N3IWF for onboarding is located (called the visited country), then in order to determine which SNPNs in the visited country support Untrusted non-3GPP access for UE Onboarding via N3IWF performs a DNS query using the Visited Country FQDN for SNPN N3IWF supporting Onboarding, as specified in clause 28.3.2.2.6.2 of TS 23.003; and:
- If no DNS response is received, the UE shall stop the N3IWF selection.
- If the DNS response contains one or more records, the UE selects an SNPN that supports Untrusted non-3GPP access for UE Onboarding via N3IWF. Each record in the DNS response shall contain the identity of an SNPN in the visited country supporting Untrusted non-3GPP access for UE Onboarding via N3IWF. In this case:
  - The UE shall select an SNPN based on its own implementation means.
    If the UE cannot select any N3IWF included in the DNS response, then the UE shall stop the N3IWF selection.
- If the DNS response contains no records, then the UE determines that the visited country does not mandate the selection of an N3IWF that supports Untrusted non-3GPP access for UE Onboarding via N3IWF in this country. In this case the UE uses the configured N3IWF for onboarding.
- If the UE has selected an SNPN for onboarding, the UE constructs the Operator Identifier based Onboarding FQDN for SNPN N3IWF as specified in clause 28.3.2.2.7.2 of TS 23.003, based on the SNPN ID of the selected SNPN and performs a DNS query:
  - The DNS response contains the identifier of the N3IWF supporting the onboarding in the SNPN identified by the SNPN ID.
If the PVS is reachable from the local Untrusted non-3GPP access network (e.g. via the Internet) using the local IP connectivity, UE may connect directly (i.e. without being connected to an N3WIF) with a PVS to obtain the SNPN credentials.
As part of UE registration via Untrusted non-3GPP access, in Figure 4.12.2.2-1, step 5 of TS 23.502, the UE provides an onboarding indication inside the AN-Parameters.

5.30.2.13 Access to SNPN services via Trusted non-3GPP access |R18| p. 418

Access to SNPN services via Trusted non-3GPP access network follows the specification in the previous (sub)clauses of clause 5.30.2 with the differences as specified in this clause.

To access SNPN services via a Trusted non-3GPP access network, the UE follows the procedure for accessing a PLMN via a Trusted non-3GPP access network defined in clause 6.3.12.2 with the following clarifications and additions:

A non-3GPP access network may advertise (e.g. with ANQP), not only the PLMNs with which 5G connectivity is supported (as specified in clause 6.3.12.2), but also the SNPNs with which 5G connectivity is supported and the related parameters and indications defined in clause 5.30.2.2 (i.e. human-readable network name(s), GIN(s), indication whether access using credentials from a Credentials Holder is supported, indication whether SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN, etc.).
The UE initiates the access network selection procedure specified in clause 6.3.12.2 and constructs a list of available SNPNs. This list contains the SNPNs advertised by all discovered non-3GPP access networks.
The UE selects an SNPN that is included in the list of available SNPNs following the procedure in clause 5.30.2.4.
The UE selects a non-3GPP access network that supports 5G connectivity to the selected SNPN and initiates the registration procedure via Trusted non-3GPP access specified in clause 4.12a.2.2 of TS 23.502 in order to register with the selected SNPN via the selected non-3GPP access network. During the EAP authentication procedure the NAI provided by the UE indicates that 5G connectivity to a specific SNPN is required (e.g. NAI = "<username>@nai.5gc.nid<NID>.mnc<MNC>.mcc<MCC>.3gppnetwork.org").

NOTE:
In the case of SNPN ID with self-assigned NID, if the UE, when trying to register with an SNPN ID via TNAN X, is rejected by the AMF with a cause code that temporarily prevents the UE from registering with this SNPN ID, the UE does temporarily not attempt to register with the same SNPN ID, even if the same SNPN ID is advertised via another TNAN.
If there are multiple non-3GPP access networks that support 5G connectivity to the selected SNPN, then the UE places these non-3GPP access networks in a prioritized list and selects the highest priority non-3GPP access network from this list. To determine the priority of a non-3GPP access network, the UE shall apply the WLANSP rules (if provided), and the procedure specified in clause 6.6.1.3 of TS 23.503, "UE procedure for selecting a WLAN access based on WLANSP rules". If the UE is not provided with WLANSP rules, the UE determines the priority of a non-3GPP access network by using implementation means.

UE onboarding via Trusted non-3GPP access is supported as follows:

The non-3GPP access network advertises (e.g. via ANQP) an Onboarding enabled indication, as specified in clause 5.30.2.10.2.3.
The UE selects an SNPN advertising the Onboarding enabled indication following the network selection procedure specified in clause 5.30.2.10.2.5.
As part of UE registration via Trusted non-3GPP access, in Figure 4.12a.2.2-1, step 5 of TS 23.502 the UE provides an onboarding indication inside the AN-Parameters.

5.30.2.14 Access to SNPN services via wireline access network |R18| p. 419

Access to SNPN services via a wireline access network is specified in TS 23.316.

5.30.2.15 Access to SNPN services for N5CW devices |R18| p. 419

Devices that do not support 5GC NAS signalling over WLAN access (referred to as "Non-5G-Capable over WLAN" devices, or N5CW devices for short), may access 5GC in an SNPN via a trusted WLAN access network that supports a TWIF function. To access SNPN services the N5CW device performs the following procedure:

A WLAN access network may advertise (e.g. with ANQP), not only the PLMNs with which "5G connectivity-without-NAS" is supported (as specified in clause 6.3.12a.1), but also the SNPNs with which "5G connectivity-without-NAS" is supported, as well as the related parameters and indications defined in clause 5.30.2.2 (i.e. human-readable network name(s), GIN(s), indication whether access using credentials from a Credentials Holder is supported, indication whether SNPN allows registration attempts from UEs that are not explicitly configured to select the SNPN).
The N5CW device initiates the access network selection procedure by sending an ANQP query to each discovered WLAN access network and constructs a list of available SNPNs with which "5G connectivity-without-NAS" is supported. This list contains the SNPNs with which "5G connectivity-without-NAS" is supported as advertised by all the discovered WLAN access networks.
The N5CW device selects an SNPN that is included in the list of available SNPNs with which "5G connectivity-without-NAS" is supported following the procedure in clause 5.30.2.4.
The N5CW device selects a WLAN access network (e.g. an SSID) that supports "5G connectivity-without-NAS" to the selected SNPN and initiates the "Initial Registration and PDU Session Establishment" procedure specified in clause 4.12b.2 of TS 23.502. If there are multiple WLAN access networks that support "5G connectivity-without-NAS" to the selected SNPN, then the N5CW device selects the highest priority WLAN access network from this list. To determine the priority of a WLAN access network, the N5CW device shall apply the WLANSP rules (if provided), and the procedure specified in clause 6.6.1.3 of TS 23.503, "UE procedure for selecting a WLAN access based on WLANSP rules". If the N5CW device is not provided with WLANSP rules, the N5CW device determines the priority of a WLAN access network by using implementation means.

5.30.3 Public Network Integrated NPN p. 419

5.30.3.1 General p. 419

Public Network Integrated NPNs are NPNs made available via PLMNs e.g. by means of dedicated DNNs, or by one (or more) Network Slice instances allocated for the NPN. The existing network slicing functionalities apply as described in clause 5.15. When a PNI-NPN is made available via a PLMN, then the UE shall have a subscription for the PLMN in order to access PNI-NPN.

As network slicing does not enable the possibility to prevent UEs from trying to access the network in areas where the UE is not allowed to use the Network Slice allocated for the NPN, Closed Access Groups may optionally be used to apply access control.

A Closed Access Group identifies a group of subscribers who are permitted to access one or more CAG cells associated to the CAG.

CAG is used for the PNI-NPNs to prevent UE(s), which are not allowed to access the NPN via the associated cell(s), from automatically selecting and accessing the associated CAG cell(s).

The UE and PNI-NPN may support remote provisioning of credentials for NSSAA or credentials for secondary authentication/authorization to the UE, as specified in clause 5.39.

Support for Proximity based Services (ProSe) as defined in TS 23.304 in conjunction with CAG is not specified in this Release of the specification.

5.30.3.2 Identifiers p. 420

The following is required for identification:

A CAG is identified by a CAG Identifier which is unique within the scope of a PLMN ID;
A CAG cell broadcasts one or multiple CAG Identifiers per PLMN;

NOTE 1:
It is assumed that a cell supports broadcasting a total of twelve CAG Identifiers. Further details are defined in TS 38.331.
A CAG cell may in addition broadcast a human-readable network name per CAG Identifier:

NOTE 2:
The human-readable network name per CAG Identifier is only used for presentation to user when user requests a manual CAG selection.

5.30.3.3 UE configuration, subscription aspects and storage p. 420

To use CAG, the UE, that supports CAG as indicated as part of the UE 5GMM Core Network Capability, may be pre-configured or (re)configured with the following CAG information, included in the subscription as part of the Mobility Restrictions:

an Allowed CAG list i.e. a list of CAG Identifiers the UE is allowed to access; and
each entry of the Allowed CAG list may be associated with time validity information containing one or more time periods; and
optionally, a CAG-only indication whether the UE is only allowed to access 5GS via CAG cells (see TS 38.304 for how the UE identifies whether a cell is a CAG cell);

The HPLMN may configure or re-configure a UE with the above CAG information using the UE Configuration Update procedure for access and mobility management related parameters described in clause 4.2.4.2 of TS 23.502.

The above CAG information is provided by the HPLMN on a per PLMN basis. In a PLMN the UE shall only consider the CAG information provided for this PLMN. The entries of the Allowed CAG list with time validity information are provided to the UE only if the UE indicates support of CAG with validity information.

When the subscribed CAG information changes, UDM sets a CAG information Subscription Change Indication and sends it to the AMF. The AMF shall provide the UE with the CAG information when the UDM indicates that the CAG information within the Access and Mobility Subscription data has been changed. When AMF receives the indication from the UDM that the CAG information within the Access and Mobility Subscription has changed, the AMF uses the CAG information received from the UDM to update the UE. Once the AMF updates the UE and obtains an acknowledgment from the UE, the AMF informs the UDM that the update was successful and the UDM clears the CAG information Subscription Change Indication flag.

The AMF may update the UE using either the UE Configuration Update procedure after registration procedure is completed, or by including the new CAG information in the Registration Accept or in the Registration Reject or in the Deregistration Request or in the Service Reject.

When the UE is roaming and the Serving PLMN provides CAG information, the UE shall update only the CAG information provided for the Serving PLMN while the stored CAG information for other PLMNs are not updated. When the UE is not roaming and the HPLMN provides CAG information, the UE shall update the CAG information stored in the UE with the received CAG information for all the PLMNs.

The UE shall store the latest available CAG information for every PLMN for which it is provided and keep it stored when the UE is de-registered or switched off, as described in TS 24.501.

The CAG information is only applicable with 5GS.

5.30.3.4 Network and cell (re-)selection, and access control p. 421

The following is assumed for network and cell selection, and access control:

The CAG cell shall broadcast information such that only UEs supporting CAG are accessing the cell (see TS 38.300, TS 38.304);

NOTE 1:
The above also implies that cells are either CAG cells or normal PLMN cells. For network sharing scenario between SNPN, PNI-NPN and PLMNs, please see clause 5.18.
In order to prevent access to NPNs for authorized UE(s) in the case of network congestion/overload, existing mechanisms defined for Control Plane load control, congestion and overload control in clause 5.19 can be used, as well as the access control and barring functionality described in clause 5.2.5, or Unified Access Control using the access categories as defined in TS 24.501 can be used.
For aspects of automatic and manual network selection in relation to CAG, see TS 23.122;
For aspects related to cell (re-)selection, see TS 38.304;
If the UE is accessing a CAG cell and the corresponding entry of the Allowed CAG list configured on the UE is associated with time validity information, the UE may trigger cell reselection and/or network selection procedure if the evaluation of the time validity information changes.
The Mobility Restrictions shall be able to restrict the UE's mobility according to the Allowed CAG list (if configured in the subscription) and include an indication whether the UE is only allowed to access 5GS via CAG cells (if configured in the subscription) as described in clause 5.30.3.3;
The AMF shall update the Allowed CAG list in the Mobility Restrictions towards NG-RAN if the evaluation of the time validity information of an entry in the Allowed CAG list changes between true and false, unless the AMF releases the NAS signalling connection to the UE based on operator's policy if the evaluation of the validity condition changes from true to false.
During transition from CM-IDLE to CM-CONNECTED and during Registration after connected mode mobility from E-UTRAN to NG-RAN as described in clause 4.11.1.2.2 of TS 23.502:
- The AMF shall verify whether UE access is allowed by Mobility Restrictions:
  
  NOTE 2:
  It is assumed that the AMF is made aware of the supported CAG Identifier(s) of the CAG cell by the NG-RAN.
  - If the UE is accessing the 5GS via a CAG cell and if at least one of the CAG Identifier(s) received from the NG-RAN is part of the UE's Allowed CAG list (for entries with time validity information if any, the evaluation of the condition is true), then the AMF accepts the NAS request;
  - If the UE is accessing the 5GS via a CAG cell and if none of the CAG Identifier(s) received from the NG-RAN are part of the UE's Allowed CAG list (for entries with time validity information if any, the evaluation of the condition is true), then the AMF rejects the NAS request and the AMF should include CAG information in the NAS reject message. The AMF shall then release the NAS signalling connection for the UE by triggering the AN release procedure; and
  - If the UE is accessing the 5GS via a non-CAG cell and the UE's subscription contains an indication that the UE is only allowed to access CAG cells, then the AMF rejects the NAS request and the AMF should include CAG information in the NAS reject message. The AMF shall then release the NAS signalling connection for the UE by triggering the AN release procedure.
During transition from RRC_INACTIVE to RRC_CONNECTED state:
- When the UE initiates the RRC Resume procedure for RRC_INACTIVE to RRC_CONNECTED state transition in a CAG cell, NG-RAN shall reject the RRC Resume request from the UE if none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list according to the Mobility Restrictions received from the AMF or if no Allowed CAG list has been received from the AMF.
- When the UE initiates the RRC Resume procedure for RRC_INACTIVE to RRC_CONNECTED state transition in a non-CAG cell, NG-RAN shall reject the UE's Resume request if the UE is only allowed to access CAG cells according to the Mobility Restrictions received from the AMF.
During connected mode mobility procedures within NG-RAN, i.e. handover procedures as described in clause 4.9.1 of TS 23.502:
- Source NG-RAN shall not handover the UE to a target NG-RAN node if the target is a CAG cell and none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list in the Mobility Restriction List or if no Allowed CAG list has been received from the AMF;
- Source NG-RAN shall not handover the UE to a non-CAG cell if the UE is only allowed to access CAG cells based on the Mobility Restriction List;
- If the target cell is a CAG cell, target NG-RAN shall reject the N2 based handover procedure if none of the CAG Identifiers supported by the CAG cell are part of the UE's Allowed CAG list in the Mobility Restriction List or if no Allowed CAG list has been received from the AMF;
- If the target cell is a non-CAG cell, target NG-RAN shall reject the N2 based handover procedure if the UE is only allowed to access CAG cells based on the Mobility Restriction List.
Update of Mobility Restrictions:
- When the AMF receives the Nudm_SDM_Notification from the UDM and the AMF determines that the Allowed CAG list or the indication whether the UE is only allowed to access CAG cells have changed;
  - The AMF shall update the Mobility Restrictions in the UE and NG-RAN accordingly under the conditions as described in clause 4.2.4.2 of TS 23.502.
NOTE 3:
When the UE is accessing the network for emergency services the conditions for AMF in clause 5.16.4.3 apply.

5.30.3.5 Support of emergency services in CAG cells p. 423

Emergency Services are supported in CAG cells, for UEs supporting CAG, whether normally registered or emergency registered as described in clause 5.16.4 and in clause 4.13.4 of TS 23.502.

A UE may camp on an acceptable CAG cell in limited service state as specified in TS 23.122 and TS 38.304, based on operator policy defined in TS 38.300.

The UE shall select a PLMN (of a CAG cell or non-CAG cell), as described in TS 23.122 and TS 23.167, when initiating emergency services from limited service state.

During handover to a CAG cell, if the UE is not authorized to access the target CAG cell as described in clause 5.30.3.4 and has emergency services, the target NG-RAN node only accepts the emergency PDU Session and the target AMF releases the non-emergency PDU Sessions that were not accepted by the NG-RAN node. Upon completion of handover the UE behave as emergency registered.