Content for TS 24.502 Word version: 18.0.0

1… 4… 5… 6… 7… 7.3… 7.3A… 7.4… 7.6… 7.9… 7.10… 8… 9…

7.1 General 7.2 N3AN node selection procedure 7.2.1 General 7.2.2 N3AN node configuration information 7.2.3 Determination of the country the UE is located in 7.2.4 N3AN node selection for non-emergency services 7.2.5 Selection of an N3AN node in an SNPN 7.2.6 N3AN node selection for emergency services
...

7 Security association management procedures p. 27

7.1 General p. 27

The purpose of the security association management procedures is to define the procedures for establishment or disconnection of end-to-end security association between the UE and the N3IWF via an IKEv2 protocol exchange specified in RFC 7296. The IKE SA and child signalling IPsec SA establishment procedure is always initiated by the UE, whereas the child user plane IPsec SA creation procedures shall be initiated by the N3IWF as specified in TS 23.502.

The UE selects an N3IWF according to the procedure in clause 7.2. Once the N3IWF has been selected, the security associations are established and managed according to the procedures in clause 7.3 to clause 7.7.

If a non-3GPP access network does not support transport of IP fragments, the maximum size of an IKEv2 message including the IP header is equal to the path MTU between the UE and N3IWF.

EXAMPLE:

If a non-3GPP access network is an IPv6 only network which does not support transport of IP fragments and the path MTU between the UE and the N3IWF is 1280 octets then the maximum size of an IKEv2 message including IP header is 1280 octets.

7.2 N3AN node selection procedure p. 28

7.2.1 General p. 28

The UE performs N3AN node selection procedure based on the N3AN node configuration information provisioned to the UE by the HPLMN, based on the UE's knowledge of the country the UE is located in and the PLMN the UE is registered to via 3GPP access and based on the list of "forbidden PLMNs for non-3GPP access to 5GCN".

Clauses 7.2.1, 7.2.2, 7.2.3, 7.2.4 and 7.2.6 are applicable to a UE selecting an N3AN node in a PLMN. For a UE accessing PLMN services via an SNPN, restrictions on N3IWF FQDN are specified in clause 4.3.2.

Clause 7.2.5 is applicable to a UE selecting an N3AN node in an SNPN.

7.2.2 N3AN node configuration information p. 28

The N3AN node configuration information is provisioned to the UE either by H-PCF or via implementation specific means. The UE shall apply the N3AN node configuration information provisioned via implementation specific means only if the N3AN node configuration information provisioned by the H-PCF is not present in the UE.

The N3AN node configuration information shall consist of the following:

N3AN node selection information;
optionally, home N3IWF identifier configuration; and
optionally, home ePDG identifier configuration.

The N3AN node selection information consists of N3AN node selection information entries. Each N3AN node selection information entry contains a PLMN ID and information for the PLMN ID. The N3AN node selection information contains at least an N3AN node selection information entry with information for the HPLMN and an N3AN node selection information entry for "any_PLMN".

The N3AN node configuration information provisioned by H-PCF is as specified in TS 24.501 Annex D and TS 24.526.

The UE shall support the implementation of standard DNS mechanisms in order to retrieve the IP address(es) of the N3IWF or ePDG. The input to the DNS query is an N3IWF FQDN or ePDG FQDN as specified in TS 23.003.

7.2.3 Determination of the country the UE is located in p. 28

If the UE cannot determine whether it is located in the home country or in a visited country, as required by the N3AN node selection procedure, the UE shall stop the N3AN node selection. Once the UE determines the country the UE is located in, the UE shall proceed with N3AN node selection as specified in clause 7.2.4 for non-emergency services and as specified in clause 7.2.6 for emergency services.

7.2.4 N3AN node selection for non-emergency services p. 28

7.2.4.1 General p. 28

When the UE supports connectivity with N3IWF but does not support connectivity with ePDG, the UE shall perform the procedure in clause 7.2.4.3 for selecting an N3IWF.

When the UE supports connectivity with N3IWF and ePDG, the UE shall perform the procedure in clause 7.2.4.4 for selecting either an N3IWF or an ePDG.

7.2.4.2 Determine if the visited country mandates the selection of N3IWF in this country p. 29

In order to determine if the visited country mandates the selection of N3IWF in this country, the UE shall perform the DNS NAPTR query using Visited Country FQDN as specified in TS 23.003 via the non-3GPP access network.

If the result of this query is:

a set of one or more records containing the service instance names of the form "n3iwf.5gc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org", the UE shall determine that the visited country mandates the selection of the N3IWF in this country; and

NOTE:
The (<MCC>, <MNC>) pair in each record represents PLMN Id (see TS 23.003) in the visited country which can be used for N3IWF selection in clause 7.2.4.3 and clause 7.2.4.4.
no records containing the service instance names of the form "n3iwf.5gc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org", the UE shall determine that the visited country does not mandate the selection of the N3IWF in this country.

7.2.4.3 UE procedure when the UE only supports connectivity with N3IWF p. 29

wIf the UE only supports connectivity with N3IWF and does not support connectivity with ePDG, the UE shall ignore the following ePDG related configuration parameters if available in the N3AN node configuration information when selecting an N3IWF:

the home ePDG identifier configuration; and
the preference parameter in each N3AN node selection information entry in the N3AN node selection information.

The UE shall proceed as follows:

if the UE is located in its home country:
1. if the N3AN node configuration information is provisioned:
  1. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF;
  2. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as the N3IWF FQDN; and
  3. if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the HPLMN stored on the USIM as specified in TS 23.003; and
2. if the N3AN node configuration information is not provisioned on the UE, the UE shall construct the N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN stored on the USIM;
and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
if the UE is not located in its home country:
1. if the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", and an N3AN node selection information entry for the VPLMN is available in the N3AN node selection information of the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the VPLMN as specified in TS 23.003;
  and for the above case, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
2. if one of the following is true:
  - the UE is not registered to a PLMN via 3GPP access and the UE uses WLAN;
  - the N3AN node configuration information is not provisioned; or
  - the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access and:
    1. the PLMN ID of VPLMN is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN"; or
    2. the N3AN node selection information entry for the VPLMN is not present in the N3AN node selection information;
  the UE shall perform a DNS query (see TS 23.003) as specified in clause 7.2.4.2 to determine if the visited country mandates the selection of N3IWF in this country and:
  1. if selection of N3IWF in visited country is mandatory:
    1. if the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is included in one of the returned DNS records and is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the VPLMN in 3GPP access as described in TS 23.003; and
    2. if the UE is not registered to a PLMN via 3GPP access or the UE is registered to a VPLMN via 3GPP access and the PLMN ID of VPLMN is not included in any of the returned DNS records or is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN":
      - if the N3AN node configuration information is provisioned, the UE shall select a PLMN included in the DNS response that has highest PLMN priority (see TS 24.526) in the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in TS 23.003; and
      - if the N3AN node configuration information is not provisioned or the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" does not contain any of the PLMNs in the DNS response, selection of a PLMN of the visited country is UE implementation specific. If the UE does not select a PLMN, the UE shall terminate the N3AN node selection procedure. If the UE selects a PLMN, the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the selected PLMN as described in TS 23.003;
    and for the above cases, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address;
  2. if the DNS response contains no records, the UE shall further determine if the visited country mandates the selection of ePDG in the visited country using the procedure specified in clause 7.2.1.4 of TS 24.302.
    If the UE determines that the visited country mandates the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is mandatory and shall terminate the N3AN node selection procedure.
    If the UE determines that the visited country does not mandate the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is not mandatory, then the UE shall proceed as below:
    1. if the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information contains one or more PLMNs in the visited country which are not in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall select a PLMN that has highest PLMN priority (see TS 24.526) in the N3AN node selection information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information as specified in TS 23.003 using the PLMN ID of the selected PLMN; and
    2. if the N3AN node configuration information is not provisioned or the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contains no PLMNs in the visited country:
      - if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF;
      - if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as the N3IWF FQDN; and
      - if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN as described in TS 23.003;
    and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
  3. if no DNS response is received, the UE shall terminate the N3AN node selection procedure.

Following bullet a) and b) above, once the UE selected the IP address of the N3IWF, the UE shall initiate the IKEv2 SA establishment procedure as specified in clause 7.3.

If the IKEv2 SA establishment procedure towards an N3IWF in the HPLMN fails due to no response to an IKE_SA_INIT request message, and the selection of N3IWF in the HPLMN is performed using home N3IWF identifier configuration and there are more pre-configured N3IWFs in the HPLMN, the UE shall repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the N3IWF in the HPLMN.

If the IKEv2 SA establishment procedure towards to any of the received IP addresses of the selected N3IWF fails due to no response to an IKE_SA_INIT request message, then the UE shall repeat the N3IWF selection as described in this clause, excluding the N3IWFs for which the UE did not receive a response to the IKE_SA_INIT request message.

If the UE constructed an N3IWF FQDN based on FQDN format of the VPLMN's N3AN node selection information entry (see item b).1)), and the IKEv2 SA establishment procedure towards to each of the received IP addresses of the selected N3IWF failed due to no response to an IKE_SA_INIT request message, the UE considers the N3AN node selection information entry for the VPLMN as not present in the N3AN node selection information and the UE shall repeat the N3IWF selection as described in this clause.

7.2.4.4 UE procedure when the UE supports connectivity with N3IWF and ePDG p. 32

7.2.4.4.1 General p. 32

If the UE can support connectivity with N3IWF and with ePDG, the UE shall:

if the N3AN node selection is required for an IMS service, follow steps specified in clause 7.2.4.4.2 for N3AN node selection; and
if the N3AN node selection is required for a non-IMS service, follow steps specified in clause 7.2.4.4.3 for N3AN node selection.

7.2.4.4.2 N3AN node selection for IMS service p. 32

If the N3AN node selection is required for an IMS service, the UE shall use the preference parameter in the N3AN node selection information entries of the N3AN node selection information to determine whether selection of N3IWF or ePDG is preferred in a given PLMN.

The UE shall proceed as follows:

if the UE is located in its home country:
1. if the N3AN node configuration information is provisioned:
  1. if the preference parameter in the HPLMN's N3AN node selection information entry of the N3AN node selection information indicates that N3IWF is preferred:
    1. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF;
    2. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as the N3IWF FQDN; and
    3. if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the HPLMN stored on the USIM as specified in clause 28 of TS 23.003; and
  2. if the preference parameter in the HPLMN's N3AN node selection information entry of the N3AN node selection information indicates that ePDG is preferred:
    1. if the home ePDG identifier configuration is provisioned in the N3AN node configuration information and contains an IP address, the UE shall use the IP address of the home ePDG identifier configuration as the IP address of the ePDG;
    2. if the home ePDG identifier configuration is provisioned in the N3AN node configuration information and does not contains an IP address, the UE shall use the FQDN of the home ePDG identifier configuration as the ePDG FQDN; and
    3. if the home ePDG identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an ePDG FQDN based on the FQDN format of HPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the HPLMN stored on the USIM as specified in clause 19 of TS 23.003; and
2. if the N3AN node configuration information is not provisioned on the UE, the UE shall construct the N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN stored on the USIM;
and for the above cases constructing or using an N3IWF FQDN or ePDG FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN or ePDG FQDN to the IP address(es) of the N3IWF(s) or ePDG(s). The UE shall select as the IP address of the N3IWF or of the ePDG a resolved IP address of an N3IWF or an ePDG with the same IP version as its local IP address; and
if the UE is not located in its home country:
1. if the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access and the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN":
  1. if an N3AN node selection information entry for the VPLMN is available in the N3AN node selection information of the N3AN node configuration information:
    1. if the preference parameter in the VPLMN's N3AN node selection information entry of the N3AN node configuration information indicates that N3IWF is preferred, the UE shall construct an N3IWF FQDN based on the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the VPLMN as specified in clause 28 of TS 23.003; and
    2. if the preference parameter in the VPLMN's N3AN node selection information entry of the N3AN node configuration information indicates that ePDG is preferred, the UE shall construct an ePDG FQDN based on the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the VPLMN as specified in clause 19 of TS 23.003;
  and for above case, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN or ePDG FQDN to the IP address(es) of the N3IWF(s) or ePDG(s). The UE shall select as the IP address of the N3IWF or the ePDG a resolved IP address of an N3IWF or ePDG with the same IP version as its local IP address; and
2. if one of the following is true:
  - the UE is not registered to a PLMN via 3GPP access and the UE uses WLAN;
  - the N3AN node configuration information is not provisioned; or
  - the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access and:
    1. the PLMN ID of VPLMN is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN"; or
    2. the N3AN node selection information entry for the VPLMN is not present in the N3AN node selection information;
  the UE shall perform a DNS query (see TS 23.003) as specified in clause 7.2.4.2 to determine if the visited country mandates the selection of N3IWF in this country and:
  1. if selection of N3IWF in the visited country is mandatory:
    1. if the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is included in one of the returned DNS records and is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the VPLMN as described in clause 28 of TS 23.003; and
    2. if the UE is not registered to a PLMN via 3GPP access, or the UE is registered to a VPLMN via 3GPP access and the PLMN ID of VPLMN is not included in any of the returned DNS records or is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN":
      - if the N3AN node configuration information is provisioned, the UE shall select an a PLMN included in the DNS response that has highest PLMN priority (see TS 24.526) in the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified clause 28 of TS 23.003; and
      - if the N3AN node configuration information is not provisioned or the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" does not contain any of the PLMNs in the DNS response, selection of the PLMN is UE implementation specific. The UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the selected PLMN as described clause 28 of TS 23.003;
    and for the above cases, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address;
  2. if the DNS response contains no records, the UE shall further determine if the visited country mandates the selection of ePDG in the visited country using the procedure specified in clause 7.2.1.4 of TS 24.302.
    If the UE determines that the visited country mandates the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is mandatory and shall continue the ePDG selection procedure in the visited country, specified in clause 7.2.1.3 of TS 24.302.
    If the UE determines that the visited country does not mandate the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is not mandatory and the UE shall proceed as below:
    1. if the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information contains one or more PLMNs in the visited country which are not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall select a PLMN that has highest PLMN priority (see TS 24.526) in the N3AN node selection information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in clause 28 of TS 23.003; and
    2. if the N3AN node configuration information is not provisioned or the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contains no PLMN in the visited country:
      - if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF;
      - if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and does not contains an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as N3IWF FQDN; and
      - if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN as described in clause 28 of TS 23.003;
    and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
  3. if no DNS response is received, the UE shall terminate the N3AN node selection procedure.

Following bullet a) and b) above, once the UE selected the IP address of the N3IWF or the ePDG:

if the IP address of N3IWF is selected, the UE shall:
1. initiate the IKEv2 SA establishment procedure as specified in clause 7.3;
2. if the IKEv2 SA establishment procedure towards an N3IWF in the HPLMN fails due to no response to an IKE_SA_INIT request message or the UE is informed during registration over non-3GPP access that the IMS voice over PS session is not supported over non-3GPP access, and the selection of N3IWF in the HPLMN is performed using home N3IWF identifier configuration and there are more pre-configured N3IWFs in the HPLMN, repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the N3IWF in the HPLMN;
3. if the IKEv2 SA establishment procedure towards any of the received IP addresses of the selected N3IWF fails due to no response to an IKE_SA_INIT request message or the UE is informed during registration over non-3GPP access that the IMS voice over PS session is not supported over non-3GPP access, attempt to select an ePDG in the same PLMN as specified in TS 24.302 instead;
4. if the UE fails to connect to either N3IWF or ePDG in the same PLMN, repeat the N3AN node selection as described in this clause, excluding the N3IWFs for which the UE did not receive a response to the IKE_SA_INIT request message; and
5. if the UE fails to connect to either N3IWF or ePDG in the VPLMN with which it is registered via 3GPP access, the UE considers the N3AN node selection information entry for the VPLMN as not present in the N3AN node selection information and the UE shall repeat the N3IWF selection as described in this clause;
NOTE 1:
The time the UE waits before reattempting access to another N3IWF or to an N3IWF that it previously did not receive a response to an IKE_SA_INIT request message, is implementation specific.
if the IP address of ePDG is selected, the UE shall:
1. initiate tunnel establishment as specified in TS 24.302;
2. if tunnel establishment as specified in TS 24.302 towards an ePDG in the HPLMN fails due to no response to an IKE_SA_INIT request message, and the selection of ePDG in the HPLMN is performed using home ePDG identifier configuration and there are more pre-configured ePDG in the HPLMN, repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the ePDG in the HPLMN;
3. if tunnel establishment as specified in TS 24.302 towards any of the received IP addresses of the selected ePDG fails due to no response to an IKE_SA_INIT request message, attempt to select an N3IWF in the same PLMN instead;
4. if the UE fails to connect to either ePDG or N3IWF in the same PLMN, repeat the N3AN node selection as described in this clause, excluding the ePDGs for which the UE did not receive a response to the IKE_SA_INIT request message; and
5. if the UE fails to connect to either ePDG or N3IWF in the VPLMN with which it is registered via 3GPP access, the UE considers the N3AN node selection information entry for the VPLMN as not present in the N3AN node selection information and the UE shall repeat the N3IWF selection as described in this clause.
NOTE 2:
The time the UE waits before reattempting access to another ePDG or to an ePDG that it previously did not receive a response to an IKE_SA_INIT request message, is implementation specific.

7.2.4.4.3 N3AN node selection for Non-IMS service p. 35

If the N3AN node selection is required for a non-IMS service, the UE shall ignore the preference parameter in the N3AN node selection information entries of the N3AN node selection information.

The UE shall proceed as follows:

if the UE is located in its home country:
1. if the N3AN node configuration information is provisioned:
  1. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF;
  2. if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information and does not contain an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as the N3IWF FQDN; and
  3. if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the FQDN format of the HPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the HPLMN stored on the USIM as specified in clause 28 of TS 23.003; and
2. if the N3AN node configuration information is not provisioned, the UE shall construct the N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN stored on the USIM;
and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s) or ePDG(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
if the UE is not located in its home country:
1. if the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", and an N3AN node selection information entry for the VPLMN is available in the N3AN node selection information of the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the FQDN format of the VPLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the VPLMN as specified in clause 28 of TS 23.003;
  and for above case, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
2. if one of the following is true:
  - the UE is not registered to a PLMN via 3GPP access and the UE uses WLAN;
  - the N3AN node configuration information is not provisioned; or
  - the N3AN node configuration information is provisioned, the UE is registered to a VPLMN via 3GPP access and:
    1. the PLMN ID of VPLMN is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN"; or
    2. the N3AN node selection information entry for the VPLMN is not present in the N3AN node selection information;
  the UE shall perform a DNS query (see TS 23.003) as specified in clause 7.2.4.2 to determine if the visited country mandates the selection of N3IWF in this country and:
  1. if selection of N3IWF in the visited country is mandatory:
    1. if the UE is registered to a VPLMN via 3GPP access, the PLMN ID of VPLMN is included in one of the returned DNS records and is not included in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the VPLMN as described in clause 28 of TS 23.003; and
    2. if the UE is not registered to a PLMN via 3GPP access or the UE is registered to a VPLMN via 3GPP access and the PLMN ID of VPLMN is not included in any of the returned DNS records or is included in the list of "forbidden PLMNs for non-3GPP access to 5GCN":
      - if the N3AN node configuration information is provisioned, the UE shall select an a PLMN included in the DNS response that has highest PLMN priority (see TS 24.526) in the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in clause 28 of TS 23.003; and
      - if the N3AN node configuration information is not provisioned or the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" does not contain any of the PLMNs in the DNS response, selection of the PLMN is UE implementation specific. The UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the selected PLMN as described in clause 28 of TS 23.003;
    and for the above cases, the UE shall use the DNS server function to resolve the constructed N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address;
  2. if the DNS response contains no records, the UE shall further determine if the visited country mandates the selection of ePDG in the visited country using the procedure specified in clause 7.2.1.4 of TS 24.302.
    determines that the visited country mandates the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is mandatory and shall continue the ePDG selection procedure in the visited country, specified in clause 7.2.1.3 of TS 24.302.
    If the UE determines that the visited country does not mandate the selection of ePDG in the visited country, the UE shall assume that the selection of N3IWF in the visited country is not mandatory and the UE shall proceed as follows:
    1. if the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information contains one or more PLMNs in the visited country which are not in the list of "forbidden PLMNs for non-3GPP access to 5GCN", the UE shall select a PLMN that has highest PLMN priority (see TS 24.526) in the N3AN node selection information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" and the UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in clause 28 of TS 23.003; and
    2. if the N3AN node configuration information is not provisioned or the N3AN node configuration information is provisioned and the N3AN node selection information of the N3AN node configuration information excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN" contains no PLMN in the visited country:
      - if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and contains an IP address, the UE shall use the IP address of the home N3IWF identifier configuration as the IP address of the N3IWF;
      - if the home N3IWF identifier configuration is provisioned in the N3AN node configuration information (see TS 24.526) and does not contains an IP address, the UE shall use the FQDN of the home N3IWF identifier configuration as N3IWF FQDN; and
      - if the home N3IWF identifier configuration is not provisioned in the N3AN node configuration information, the UE shall construct an N3IWF FQDN based on the Operator Identifier FQDN format using the PLMN ID of the HPLMN as described in clause 28 of TS 23.003;
      and for the above cases constructing or using an N3IWF FQDN, the UE shall use the DNS server function to resolve the N3IWF FQDN to the IP address(es) of the N3IWF(s). The UE shall select as the IP address of the N3IWF a resolved IP address of an N3IWF with the same IP version as its local IP address; and
if no DNS response is received, the UE shall terminate the N3AN node selection procedure.

Following bullet a) and b) above, once the UE selected the IP address of the N3IWF:

if the IP address of N3IWF is selected, the UE shall:
1. initiate the IKEv2 SA establishment procedure as specified in clause 7.3;
2. if the IKEv2 SA establishment procedure towards an N3IWF in the HPLMN fails due to no response to an IKE_SA_INIT request message, and the selection of N3IWF in the HPLMN is performed using home N3IWF identifier configuration and there are more pre-configured N3IWFs in the HPLMN, repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the N3IWF in the HPLMN;
3. if the IKEv2 SA establishment procedure towards any of the IP addresses of the N3IWF of the selected PLMN fails due to no response to an IKE_SA_INIT request message, repeat the N3AN node selection as described in this clause with N3IWF of another PLMN;
4. if the IKEv2 SA establishment procedure towards any of the received IP addresses of the N3IWF of any fails due to no response to an IKE_SA_INIT request message, attempt to select an ePDG as specified in TS 24.302 and use tunnel establishment as specified in TS 24.302; and
5. if the UE fails to connect to either N3IWF or ePDG in the VPLMN with which it is registered via 3GPP access, the UE considers the N3AN node selection information entry for the VPLMN as not present in the N3AN node selection information and the UE shall repeat the N3IWF selection as described in this clause;
NOTE 1:
The time the UE waits before reattempting access to another N3IWF or to an N3IWF that it previously did not receive a response to an IKE_SA_INIT request message, is implementation specific.
if the IP address of ePDG is selected, the UE shall:
1. initiate tunnel establishment as specified in TS 24.302;
2. if tunnel establishment as specified in TS 24.302 towards an ePDG in the HPLMN fails due to no response to an IKE_SA_INIT request message, and the selection of ePDG in the HPLMN is performed using home ePDG identifier configuration and there are more pre-configured ePDG in the HPLMN, repeat the tunnel establishment attempt using the next FQDN or IP address(es) of the ePDG in the HPLMN;
3. if tunnel establishment as specified in TS 24.302 towards any of the received IP addresses of the selected ePDG fails due to no response to an IKE_SA_INIT request message, attempt to select an N3IWF in the same PLMN instead;
4. if the UE fails to connect to either ePDG or N3IWF in the same PLMN, repeat the N3AN node selection as described in this clause, excluding the ePDGs for which the UE did not receive a response to the IKE_SA_INIT request message; and
5. if the UE fails to connect to either ePDG or N3IWF in the VPLMN with which it is registered via 3GPP access, the UE considers the N3AN node selection information entry for the VPLMN as not present in the N3AN node selection information and the UE shall repeat the N3IWF selection as described in this clause.
NOTE 2:
The time the UE waits before reattempting access to another ePDG or to an ePDG that it previously did not receive a response to an IKE_SA_INIT request message, is implementation specific.

7.2.5 Selection of an N3AN node in an SNPN |R16| p. 38

In order to access SNPN services via a PLMN, an SNPN enabled UE is configured with an N3IWF FQDN for the SNPN and with an MCC of the country where the configured N3IWF is located. To select an N3IWF in an SNPN, the UE shall first determine the country in which the UE is located. If the UE cannot determine the country in which the UE is located, the UE shall stop the SNPN N3IWF selection. If the UE can determine the country in which the UE is located, the UE shall proceed as follows:

if the UE is located in the country where the configured N3IWF is located, the UE shall use the configured N3IWF FQDN for the SNPN N3IWF selection; or
if the UE is located in a country different from the country where the configured N3IWF is located:
1. the UE shall construct a Visited Country FQDN for SNPN N3IWF selection as specified in TS 23.003; and
2. the UE shall perform the DNS NAPTR query using the constructed Visited Country FQDN for SNPN N3IWF selection. If:
  1. the result of this DNS query includes:
    1. a set of one or more records, the UE shall select an N3IWF FQDN included in the DNS response based on UE implementation means and use the selected N3IWF FQDN for the SNPN N3IWF selection; or
      
      NOTE 2:
      If the visited country mandates the selection of the N3IWF in this country and the SNPN does not have the N3IWF in this country, DNS resolution of the selected N3IWF FQDN provides no IP addresses, resulting into stop of the SNPN N3IWF selection.
      
      NOTE 3:
      The identity (i.e. in the corresponding DNS record) of an SNPN's N3IWF in the visited country can be any FQDN and is not required to include the SNPN identity.
    2. no records, the UE shall use the configured N3IWF FQDN for the SNPN N3IWF selection; or
  2. there is no response to the DNS query, the UE shall stop the SNPN N3IWF selection.

7.2.6 N3AN node selection for emergency services |R17| p. 39

7.2.6.1 General p. 39

If the UE is connected to an N3IWF that is in the same country as the country in which the UE is currently in and the AMF has previously indicated support for emergency services over non-3GPP access (see TS 24.501), the UE shall use the existing N3IWF connection for emergency services. Otherwise, the UE shall perform the IKEv2 deletion procedure for the existing N3IWF connection and initiate N3AN node selection procedure for emergency services as described below.

When the UE supports connectivity with N3IWF but does not support connectivity with ePDG, the UE shall perform the procedure in clause 7.2.6.2 for selecting an N3IWF for emergency services.

When the UE supports connectivity with N3IWF and ePDG, the UE shall perform the procedure in clause 7.2.6.3 for selecting either an N3IWF or an ePDG for emergency services.

7.2.6.2 UE procedure when the UE only supports connectivity with N3IWF p. 39

If the UE is in the home country, the UE shall follow the procedure in clause 7.2.4.3 bullet a).

If the UE is in a visited country, the UE shall perform the DNS NAPTR query using Visited Country Emergency N3IWF FQDN as specified in TS 23.003 via the non-3GPP access network to determine PLMNs in the visited country that support emergency services in non-3GPP access via N3IWF. If the DNS response contains one or more records, the UE shall select a PLMN included in the DNS response that has highest PLMN priority (see TS 24.526) in the N3AN node selection information, excluding any PLMN in the list of "forbidden PLMNs for non-3GPP access to 5GCN". The UE shall construct an N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in TS 23.003. If none of the PLMNs included in the DNS response figures in the N3AN node selection information or the N3AN node selection information is not provisioned, the UE shall select any of the PLMNs included in the DNS response and shall construct an N3IWF FQDN based on the Operator Identifier based N3IWF FQDN format.

If the emergency registration procedure has failed for all attempted PLMNs, or the DNS response in the visited country does not contain any record, the UE shall abort the procedure.

NOTE: The UE can notifiy the user that an emergency session cannot be established.

7.2.6.3 UE procedure when the UE supports connectivity with N3IWF and ePDG p. 39

If the UE is in the home country, the UE shall follow the steps in clause 7.2.4.4.2 bullet a), except that:

in bullet a)1)i), if the emergency registration fails, the UE shall attempt to select an ePDG in the home country using the steps under bullet a)1)ii); and
in bullet a)1)ii):
- Emergency ePDG FQDN shall be used instead of home ePDG identifier; and
- If the emergency registration fails, the UE shall attempt to select an N3IWF in the home country using the steps under bullet a)1)i).

If the UE is in a visited country, the UE shall perform the DNS NAPTR query using Visited Country Emergency N3IWF FQDN and Visited Country Emergency FQDN as specified in TS 23.003 via the non-3GPP access network to determine PLMNs in the visited country that support emergency services in non-3GPP access via N3IWF or ePDG. If the DNS response contains one or more records, the UE shall select a PLMN included in the DNS response that has highest PLMN priority (see TS 24.526) in the N3AN node selection information.

If the N3AN node selection information for the PLMN is available the UE selects first an N3IWF or ePDG based on the the preference parameter in the selected PLMN's N3AN node selection information entry of the N3AN node selection information. If N3IWF is preferred, the UE constructs the N3IWF FQDN based on the FQDN format of the selected PLMN's N3AN node selection information entry in the N3AN node selection information using the PLMN ID of the selected PLMN as specified in TS 23.003. If ePDG is preferred, the UE constructs either the Tracking/Location Area Identity based Emergency ePDG FQDN or the Operator Identifier based Emergency ePDG FQDN as indicated by the FQDN format in the N3AN node selection information for the selected PLMN.
If the N3AN node selection information is not available, the UE shall follow the procedure in clause 7.2.6.2, except that, instead of aborting the procedure in case of a failure, the UE shall perform the procedure for ePDG selection for emergency services specified in TS 24.302, by constructing the Operator Identifier based Emergency ePDG FQDN.

If the emergency registration procedure has failed for all attempted PLMNs, the UE shall abort the procedure.