5G Network Identity SUPI/SUCI

Introduction

In 5G, in order to protect the UE's permanent identity (SUPI, Subscription Permanent Identifier), the UE never transmits the SUPI as it is. The UE conceals (encrypts) the SUPI with an encryption scheme to create the SUCI (Subscription Concealed Identifier) before sending it to the core network.

Concealing can be done in the USIM or in the ME (Mobile Equipment), depending on the indication configured in the USIM by the operator. If no indicator is present, the ME does the concealing.
In the core network only the UDM has the authority to de-conceal the SUCI.

Identity flow between UE and Network

Decoding of SUCI

SUPI Type: a value in the range 0 to 7. It identifies the type of the SUPI concealed in the SUCI. The following values are defined:

–  0: IMSI
–  1: Network Specific Identifier
–  2 to 7: spare values for future use.

Home Network Identifier: identifies the home network of the subscriber.

When the SUPI Type is an IMSI, the Home Network Identifier is composed of two parts:
–  Mobile Country Code (MCC), consisting of three decimal digits.
–  Mobile Network Code (MNC), consisting of two or three decimal digits.
When the SUPI Type is a Network Specific Identifier, the Home Network Identifier consists of a string of characters of variable length representing a domain name, e.g. abc@xyz.com

Routing Indicator: consisting of 1 to 4 decimal digits assigned by the home network operator and provisioned in the USIM.

Protection Scheme Identifier: a value in the range 0 to 15, represented in 4 bits:

  • null-scheme         0x0;
  • Profile <A>         0x1;
  • Profile <B>         0x2.

Home Network Public Key Identifier: a value in the range 0 to 255. It identifies the public key, provisioned by the HPLMN, that was used for SUPI protection. When the null-scheme is used, this field shall be set to 0.

Scheme Output: a string of characters of variable length, or hexadecimal digits, depending on the protection scheme used.

  • Null Scheme – No encryption happens; the scheme output field carries the MSIN (the value left after removing MCC and MNC from the IMSI) as it is.
  • Elliptic Curve Integrated Encryption Scheme (ECIES) Profile A – The scheme output is further divided into two parts:
    1. ECC ephemeral public key, 64 bits, freshly generated using the provisioned ECIES input parameters.
    2. Ciphered text, of variable length.
  • Elliptic Curve Integrated Encryption Scheme (ECIES) Profile B – The scheme output is further divided into two parts:
    1. ECC ephemeral public key, 66 bits, freshly generated using the provisioned ECIES input parameters.
    2. Ciphered text, of variable length.

Note: Details of the Elliptic Curve Integrated Encryption Scheme (ECIES) will be discussed in another blog.
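To make the field rules above concrete, here is an added Python example (not part of the original post) that parses an IMSI-based SUCI written in the dash-separated NAI text form of 3GPP TS 23.003 (suci-<type>-<mcc>-<mnc>-<ri>-<scheme>-<keyid>-<output>, which the post itself does not show) and validates every field against the ranges listed; the sample SUCIs in the comments are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Protection scheme identifiers listed on the page (TS 33.501 Annex C).
NULL_SCHEME, PROFILE_A, PROFILE_B = 0x0, 0x1, 0x2
# Octets of ephemeral public key at the start of the scheme output:
# Profile A (Curve25519) 32 octets = 64 hex digits,
# Profile B (secp256r1, compressed point) 33 octets = 66 hex digits.
EPH_KEY_OCTETS = {PROFILE_A: 32, PROFILE_B: 33}


@dataclass
class Suci:
    supi_type: int
    mcc: str
    mnc: str
    routing_indicator: str
    scheme_id: int
    hn_key_id: int
    msin: Optional[str] = None             # null scheme only: MSIN in clear
    ephemeral_key: Optional[bytes] = None  # Profile A/B only
    ciphertext: Optional[bytes] = None     # Profile A/B: ciphered MSIN + MAC tag


def parse_suci(text: str) -> Suci:
    """Parse an IMSI-based SUCI such as the constructed
    'suci-0-234-15-0893-0-0-0123456789' and validate each field."""
    parts = text.split("-")
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("malformed SUCI: expected 8 dash-separated fields")
    supi_type, mcc, mnc, ri, scheme, key_id, output = parts[1:]
    if not re.fullmatch(r"[0-7]", supi_type):
        raise ValueError("SUPI type must be in the range 0 to 7")
    if supi_type != "0":
        raise ValueError("only IMSI-based SUCI (type 0) is handled here")
    if not re.fullmatch(r"\d{3}", mcc) or not re.fullmatch(r"\d{2,3}", mnc):
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    if not re.fullmatch(r"\d{1,4}", ri):
        raise ValueError("routing indicator must be 1 to 4 decimal digits")
    scheme, key_id = int(scheme), int(key_id)
    if not 0 <= scheme <= 15 or not 0 <= key_id <= 255:
        raise ValueError("scheme id must be 0..15 and key id 0..255")
    common = dict(supi_type=0, mcc=mcc, mnc=mnc, routing_indicator=ri,
                  scheme_id=scheme, hn_key_id=key_id)
    if scheme == NULL_SCHEME:
        if key_id != 0:
            raise ValueError("null scheme requires key id 0")
        if not re.fullmatch(r"\d{1,10}", output):  # IMSI is at most 15 digits
            raise ValueError("null scheme output must be the MSIN digits")
        return Suci(**common, msin=output)
    if scheme not in EPH_KEY_OCTETS:
        raise ValueError(f"protection scheme {scheme} is spare/undefined")
    raw = bytes.fromhex(output)  # raises ValueError on non-hex output
    n = EPH_KEY_OCTETS[scheme]
    if len(raw) <= n:
        raise ValueError("scheme output too short to hold the ephemeral key")
    return Suci(**common, ephemeral_key=raw[:n], ciphertext=raw[n:])


def supi_from_null_scheme(suci: Suci) -> str:
    """Rebuild the SUPI (imsi-<MCC><MNC><MSIN>) from a null-scheme SUCI;
    any other scheme needs the home-network private key held by the UDM."""
    if suci.scheme_id != NULL_SCHEME or suci.msin is None:
        raise ValueError("SUPI is only recoverable here for the null scheme")
    return f"imsi-{suci.mcc}{suci.mnc}{suci.msin}"
```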

5G Network Slicing Concepts

Introduction

In 5G the network communication infrastructure is no longer confined to mobile voice/text communication; it is segregated and very diversified to serve different services such as industrial IoT, smart-home domestic IoT, low-latency medical communication, high-bandwidth mobile broadband, etc. Each of these services requires different data behaviour and QoS from the network infrastructure.

In 5G each network node is equipped with special features to serve one or multiple services, and the kind of service supported by a particular node is defined in the NSSF (Network Slice Selection Function). A particular service request from the UE is served by the set of network entities associated with that service, which is called a slice.

NSSAI(Network Slice Selection Assistance Information) Structure and Fundamentals

  • Network slice configuration information can contain multiple NSSAIs.
  • Each PLMN can have at most one configured NSSAI.
  • Each NSSAI has multiple S-NSSAIs (slices).
  • Each S-NSSAI (slice) has multiple DNNs configured.
  • A configured NSSAI can be configured by the serving PLMN, or it is the default NSSAI configured by the HPLMN.
  • If the serving PLMN doesn't have a specific configured NSSAI, the UE uses the default configured NSSAI from the HPLMN.
  • The UE is pre-configured/provisioned by signalling message with the default configured NSSAI by the HPLMN.
  • The UE is only configured with the set of subscribed S-NSSAIs out of the default configured NSSAI, i.e. a subset of the S-NSSAIs in the HPLMN's default configured NSSAI.
  • The allowed S-NSSAIs provided to the UE can have values that are not served by the serving PLMN; in that case the serving PLMN updates the allowed S-NSSAI list with a mapping to the corresponding S-NSSAI of the HPLMN.

S-NSSAI and its Structure

Each slice is identified by an S-NSSAI (Single Network Slice Selection Assistance Information).

  • SST (Slice/Service Type) is a required value, whereas SD (Slice Differentiator) is optional.
  • SST refers to the expected behaviour of the slice.
  • SD is optional and differentiates among multiple slices with the same SST.

  • During Registration and PDU Session Establishment the UE sends the S-NSSAI value and, optionally, the HPLMN NSSAI value if it is in a visited area.
  • The requested NSSAI signalled by the UE allows the network to select the appropriate serving AMF, network slice and network slice instance.
  • Based on the subscription data, one UE can have subscriptions to multiple S-NSSAIs, and one of them can be marked as the default S-NSSAI.
  • The subscription information for each S-NSSAI may have multiple DNNs, one of which is the default DNN.
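As an added example (not from the original post), the following Python encodes and decodes the S-NSSAI as carried in the NAS S-NSSAI information element (3GPP TS 24.501, where SST is one octet and SD three octets, optionally followed by the mapped HPLMN SST/SD discussed above), and checks a requested S-NSSAI against an allowed list, also matching through the HPLMN mapping; the matching policy in select_allowed is an assumption for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Standardised SST values (TS 23.501): 1 eMBB, 2 URLLC, 3 MIoT, 4 V2X.
SST_EMBB, SST_URLLC, SST_MIOT, SST_V2X = 1, 2, 3, 4
# Valid content lengths of the NAS S-NSSAI IE (TS 24.501 9.11.2.8):
# 1 = SST, 2 = SST+mapped SST, 4 = SST+SD, 5 = SST+SD+mapped SST,
# 8 = SST+SD+mapped SST+mapped SD.
VALID_LENGTHS = (1, 2, 4, 5, 8)


@dataclass(frozen=True)
class SNssai:
    sst: int                          # required, 1 octet
    sd: Optional[int] = None          # optional, 3 octets
    mapped_sst: Optional[int] = None  # HPLMN S-NSSAI this serving-PLMN slice maps to
    mapped_sd: Optional[int] = None

    def encode(self) -> bytes:
        """Encode as the S-NSSAI IE value: a length octet followed by the content."""
        if self.mapped_sd is not None and (self.sd is None or self.mapped_sst is None):
            raise ValueError("mapped SD is only valid together with SD and mapped SST")
        body = bytes([self.sst])
        if self.sd is not None:
            body += self.sd.to_bytes(3, "big")
        if self.mapped_sst is not None:
            body += bytes([self.mapped_sst])
            if self.mapped_sd is not None:
                body += self.mapped_sd.to_bytes(3, "big")
        return bytes([len(body)]) + body

    @classmethod
    def decode(cls, data: bytes) -> "SNssai":
        """Decode an S-NSSAI IE value, rejecting lengths the spec does not allow."""
        if not data:
            raise ValueError("empty S-NSSAI IE")
        length, body = data[0], data[1:]
        if length != len(body) or length not in VALID_LENGTHS:
            raise ValueError(f"invalid S-NSSAI content length {length}")
        sd = int.from_bytes(body[1:4], "big") if length >= 4 else None
        idx = 4 if sd is not None else 1
        mapped_sst = body[idx] if length in (2, 5, 8) else None
        mapped_sd = int.from_bytes(body[5:8], "big") if length == 8 else None
        return cls(body[0], sd, mapped_sst, mapped_sd)


def select_allowed(requested: SNssai, allowed: List[SNssai]) -> Optional[SNssai]:
    """Return the allowed S-NSSAI a request resolves to, or None.
    A request without SD matches any allowed slice with the same SST; a request
    carrying HPLMN values matches via the mapped S-NSSAI that the serving PLMN
    recorded in the allowed list (assumed matching policy for this example)."""
    for cand in allowed:
        if cand.sst == requested.sst and requested.sd in (None, cand.sd):
            return cand
        if cand.mapped_sst == requested.sst and requested.sd == cand.mapped_sd:
            return cand
    return None
```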

Services provided by NSSF

Nnssf_NSSelection_Get service operation

  • May be invoked during Registration, for serving-AMF selection and re-allocation.
  • During the PDU session establishment procedure, for SMF selection.
  • During the UE configuration update procedure, to update the allowed S-NSSAIs for UEs in the current serving PLMN.

Nnssf_NSSAIAvailability

  • Nnssf_NSSAIAvailability_Update: In this procedure the AMF updates the NSSF with the S-NSSAIs supported by the AMF per TA and gets back the availability of S-NSSAIs for each TA.
  • Nnssf_NSSAIAvailability_Notify: The AMF notifies the NSSF of restricted S-NSSAIs per TA using this procedure.

AMF Re-allocation Procedure

During the UE registration procedure, if the AMF doesn't support one or more of the requested S-NSSAIs that are allowed by the SPLMN/HPLMN, it requests the NSSF to provide an appropriate AMF to which the UE's registration request is redirected.

5G Way Through Unlicensed Spectrum

Utilizing unlicensed Spectrum

The unlicensed spectrum band is used by low-power devices such as WiFi or Bluetooth devices to communicate wireless signals over short range. For this band there is no regulator issuing licenses; it is a free band as long as the transmission power is low. Some common devices in this category are home security systems, WiFi remote cameras, cordless phones and Bluetooth speakers/headsets.

For unlicensed transmission, in order to avoid larger interference, different devices operate in different frequency ranges; WiFi, for example, is regulated to use the 2.4 GHz or 5 GHz band.

Good examples of unlicensed spectrum utilisation in communication:

  • WiFi offload: offloading cellular traffic over WiFi access points.
  • LTE-U: transmitting the LTE signal over unlicensed spectrum at low power, for home base stations covering small buildings.
  • LAA: License Assisted Access is an LTE aggregation technology (R-13) that aggregates a licensed LTE band (the anchor band) with unlicensed bands.
  • Higher-order MIMO in WiFi: multiple-antenna WiFi technology (802.11ac) gives higher-order MIMO to transmit gigabits/s of traffic over WiFi access points.

5G System Objectives

5G is more than just another version of the mobile network. It has to deal with the most diversified communication infrastructures, whose very diverse aspects are described below.

High speed radio access: 5G will provide download speeds of up to 20 Gbps. Why would anyone ever need that much speed? Because of the evolution of cloud-based technology, online gaming and mobile edge computing, all devices need high-speed, low-latency connectivity to other edge nodes, and these are the main driving forces behind the high data-rate requirement. In future this requirement is only going to go up. It's also important to remember that the bandwidth is shared by all the users on a cell tower.

Ultra-low latency: 5G networks will be used to control autonomous cars, health-care communication like remote operating theatres, and high-precision mission-critical systems. High reliability and availability at all times is a base target for 5G systems.

Massive Connectivity: In this increasingly smart world, 5G has to deal with millions of IoT devices and a higher device density. By 2020 there will be approximately 21 billion connected devices, excluding smartphones. Most IoT devices are remotely located, battery operated and constrained to transmitting small amounts of data, like smart electricity or water meters and parking sensors. So 5G has to deal with device transmission power management and with the sheer scale of the devices.

5G Driving Forces

Speed and scale: Up to 20 Gbps wireless connectivity, with the help of carrier aggregation, massive MIMO and higher-order QAM.

Unlicensed Spectrum: Mobile operators nowadays prefer unlicensed spectrum technologies such as WiFi, LTE-U, LAA or MulteFire to cover coverage holes where the regular radio network can't penetrate, a preference driven by low infrastructure cost and free spectrum availability. The 5G specs deal with interworking of the 5G system with these unlicensed access technologies.

IoT: In cellular technologies IoT is not new; it is already part of LTE/4G through transmission technologies such as NB-IoT (Narrowband IoT) and CAT-M1, and also non-LTE technologies such as LoRa and Sigfox. 5G will also have built-in IoT technologies that support a massive scale of IoT devices.

Virtualization: NFV enables massive scaling of network functions, easy and quick (elastic) deployment and early time to market, and these are integral features of the 5G system. The 5G specs define fully virtualised network functions and service-based interfaces for cloud-based deployment of network elements.

New Radio (NR): 5G NR is the new air interface being developed for 5G, using millimetre-wave frequency bands ranging from 2.5 GHz to 40 GHz. Although 5G NR uses the same OFDM modulation as LTE, it is optimised for better performance.

5G Network Architecture

Network Architecture Diagram

Functional Split of NW entities

The diagram above shows the network functions performed by the different 5G access network entities.

Protocol Stack on different interfaces

Uu User-plane: The radio-interface user plane carries the user application traffic, following the Uu-U protocol stack shown above. User data is transparent to access nodes like the gNB.

Uu Control-plane: In the control plane RRC, PDCP, RLC, MAC and PHY are terminated at the gNB, but the NAS termination point is the AMF, so the gNB transparently passes NAS messages to the AMF.

NG Control-plane (N2): This protocol stack sits between the gNB and the AMF. It provides the UE with access to the core network and transports NAS messages; it also helps establish the user-plane tunnels for the UE.

NG User-plane (N3): This is the protocol stack between the gNB and the UPF. It carries user data over the GTP-U tunnel established, via N2, during session establishment.

Xn user and control plane: The Xn interface is between two gNBs, or between a gNB and an ng-eNB. It carries the signalling and data needed during mobility.

N4 Interface: This interface is between the SMF and the UPF. It is used for UPF selection, for setting up U-plane tunnels, and for enabling PFDs on the user-plane entities.

Service based interfaces: Most core network entities have service-based end points; they host the services they perform and expose them through REST APIs. Details are in the diagram below.

Service Based Architecture

In the Service Based Architecture, a network function (e.g. the AMF) exposes its services through a service-based access point (Namf), and other authorised network functions (service consumers) access those services through these access points. The interfaces are driven by REST APIs (HTTP).

5G PDU Session Establishment

PDU Session Establishment Concepts

  • In 5G, PDU session establishment is the counterpart of the PDN connection procedure in 4G.
  • This procedure can be UE requested or NW initiated (in the case of an emergency call with mobility registration).
  • This procedure is required in case of:
    1. UE requested PDU session establishment.
    2. UE initiated PDU session HO between 3GPP and non-3GPP access.
    3. UE initiated HO from EPS to 5GS.
  • In a roaming scenario the AMF determines whether the PDU session will be established at LBO (Local Breakout) or in a Home PLMN network slice.

PDU Session Management State

5G UE PDU Session Establishment

Steps for PDU Session Establishment

  • The PDU Session Establishment Request is carried over NAS UL Transport. The UE includes the following information when sending it:
    1. Serving NSSAI -> the UE's preferred network slice, or the NSSAI where the UE was registered before.
    2. DNN -> Data Network Name, the same as the APN in EPS. This is the data service the UE wants to access.
    3. PDU Session ID -> a unique identifier generated by the UE. It can't be the same as any existing PDU session.
    4. Request Type -> can be "Initial Request", "Existing Session" or "PDU session Handover".
    5. 5GSM Capability -> the UE's session management capabilities.
    6. PCO -> Protocol Configuration Options, the same as in EPS, used to request various NW parameters.
    7. SM PDU DN Request Container -> includes authorisation information to access the DN.
  • Based on the Request Type the AMF determines whether it is a new PDU session or associated with an existing PDU session.
  • If the NAS message doesn't contain an S-NSSAI, the AMF selects the default NSSAI.
  • If the NAS message contains an S-NSSAI but no DNN, the AMF selects the default DNN for that NSSAI if the UE has a subscription to that DNN; otherwise a local DNN is selected.
  • If the Request Type is Initial Request, or HO from EPS or from non-3GPP access, the AMF stores a mapping of S-NSSAI, DNN, PDU Session ID, SMF ID and Access Type.
  • When the AMF doesn't have an association with an SMF for the PDU Session ID provided by the UE, it sends Nsmf_PDUSession_CreateSMContextRequest; otherwise Nsmf_PDUSession_UpdateSMContextRequest is sent to the SMF.
  • Based on the data provided by the UE, the SMF communicates with the UDM and PCF to get the information relevant for PDU session creation.
  • If the Request Type is Initial Request, the SMF initiates an N4 Session Establishment Request with the selected UPF; otherwise it sends an N4 Session Modification Request.
  • The UPF acknowledges the request with an N4 Session Establishment/Modification Response.
  • Through the N4 session establishment the SMF gets the GTP tunnel info from the UPF.
  • After successful creation of the tunnel end point, the SMF sends Namf_Communication_N1N2MessageTransfer with the tunnel details in the N2 message and the PDU session details in the N1 container.
  • On receiving that message the AMF sends an NGAP PDU Session Setup Request carrying the N2 parameters received from the SMF: PDU Session ID, QFIs, QoS Profile, CN tunnel info, PDU Session Type and Session AMBR.
  • Inside that N2 message the AMF piggybacks the N1 PDU Session Establishment Accept, with a NAS header and session parameters such as QoS rules and the UE IP address.
  • The NG-RAN (gNB) then sets up the GTP tunnel based on the N2 information received from the AMF and establishes the tunnel end point (or bearer).
  • The gNB forwards the N1 message to the UE for setting up the PDU session.
  • After setting up the tunnel, the gNB sends an N2 PDU Session Setup Response back to the AMF.
  • The AMF then informs the SMF of the successful tunnel setup by sending Nsmf_PDUSession_UpdateSMContextRequest and receives the response from the SMF.
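The AMF-side decisions in the steps above (default NSSAI when none is sent, default versus local DNN, the stored S-NSSAI/DNN/PDU Session ID/SMF/Access Type mapping, and Create versus Update SM context) as an added Python example that is not from the original post; select_smf is a hypothetical stand-in for real SMF selection, and the subscription data in the test is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Request types from the PDU Session Establishment Request on the page.
INITIAL_REQUEST = "Initial Request"
EXISTING_SESSION = "Existing Session"
PDU_SESSION_HANDOVER = "PDU session Handover"
CREATE_SM_CONTEXT = "Nsmf_PDUSession_CreateSMContextRequest"
UPDATE_SM_CONTEXT = "Nsmf_PDUSession_UpdateSMContextRequest"


@dataclass
class Subscription:
    """Slice/DNN subscription data the AMF holds for the UE (constructed shape)."""
    default_snssai: str
    subscribed_dnns: Dict[str, Tuple[str, ...]]  # S-NSSAI -> subscribed DNNs
    default_dnn: Dict[str, str]                  # S-NSSAI -> default DNN


@dataclass
class SmAssociation:
    """The mapping the page says the AMF stores per PDU session."""
    snssai: str
    dnn: str
    pdu_session_id: int
    smf_id: str
    access_type: str


def select_smf(snssai: str, dnn: str) -> str:
    """Hypothetical SMF selection; a real AMF queries the NRF/NSSF for this."""
    return f"smf-for-{snssai}-{dnn}"


@dataclass
class Amf:
    local_dnn: str = "local.dnn"  # assumed operator-local fallback DNN
    associations: Dict[int, SmAssociation] = field(default_factory=dict)

    def handle_pdu_session_request(self, sub: Subscription, pdu_session_id: int,
                                   request_type: str, snssai: Optional[str] = None,
                                   dnn: Optional[str] = None,
                                   access_type: str = "3GPP") -> Dict[str, str]:
        # No S-NSSAI in the NAS message: the AMF selects the default NSSAI.
        snssai = snssai or sub.default_snssai
        # S-NSSAI but no DNN: default DNN for that slice if subscribed, else local DNN.
        if dnn is None:
            candidate = sub.default_dnn.get(snssai)
            subscribed = candidate in sub.subscribed_dnns.get(snssai, ())
            dnn = candidate if subscribed else self.local_dnn
        assoc = self.associations.get(pdu_session_id)
        # The PDU Session ID chosen by the UE must not clash with an existing session.
        if request_type == INITIAL_REQUEST and assoc is not None:
            raise ValueError(f"PDU session id {pdu_session_id} already in use")
        if request_type == EXISTING_SESSION and assoc is None:
            raise ValueError(f"no existing PDU session with id {pdu_session_id}")
        if assoc is None:
            # Initial request or handover from EPS / non-3GPP: store the mapping
            # and ask the selected SMF to create a new SM context.
            smf_id = select_smf(snssai, dnn)
            assoc = SmAssociation(snssai, dnn, pdu_session_id, smf_id, access_type)
            self.associations[pdu_session_id] = assoc
            operation = CREATE_SM_CONTEXT
        else:
            operation = UPDATE_SM_CONTEXT
        return {"operation": operation, "snssai": assoc.snssai,
                "dnn": assoc.dnn, "smf_id": assoc.smf_id}
```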

5GC, EPC interworking without N26 Interface

Inter-working Concepts

A UE can support single or dual registration mode to register with the 5GC and the EPC.

Single Registration Mode:
  • In single registration mode there is only one active mobility state at any given time.
  • The UE is either in 5GC NAS mode or in EPC NAS mode.
  • The UE maps the EPC GUTI to the 5G-GUTI during mobility between the EPC and the 5GC.
  • The UE keeps its 5G context for re-use when moving from the 5GC to the EPC.

Dual Registration mode:
  • In dual registration mode the UE keeps independent registrations for the 5GC and the EPC.
  • In this mode the UE maintains the 5G-GUTI and the EPC GUTI independently.
  • The UE can perform 5GC or EPC re-registration/TAU using the corresponding GUTIs.

Inter-working architecture without N26 interface

5G to EPS mobility without N26 interface flow

Message flow steps

  • Initially the UE is registered to the 5GC and has established a PDU session.
  • In order to move to the EPS, the UE triggers an Attach Request (to preserve its IP address) towards the EPC.
  • Alternatively the UE sends a Tracking Area Update, which fails, and then initiates an Attach procedure. In this case there is no IP address preservation.
  • Single-registration-mode UEs provide an EPS GUTI derived from the 5G-GUTI if available; otherwise they use the IMSI.
  • Dual-registration-mode UEs provide the 4G GUTI (if one was allocated earlier) with the Attach Request.
  • In the PDN Connectivity Request the UE sets the Request Type to "Handover" to indicate that it is moving from 5GS to EPS.
  • If the Request Type is Handover and the previous node is a 5G AMF, the MME is configured to send a location update request to the HSS/UDM telling them not to cancel the old AMF registration, as the UE may move back to 5GS again.
  • After successful Attach and PDN connection, the PGW-C/SMF allocates the same IP address as in 5GS.
  • The PGW-C/SMF then initiates UE de-registration and PDU session release from 5GS.

EPS to 5G mobility without N26 interface flow

Message flow steps

  • Initially the UE is attached to the EPC and has established a PDN connection.
  • In order to move to the 5G system, the UE triggers the Registration and PDU session procedures in 5GS.
  • In single registration mode, the UE sets the Registration Type to "mobility registration update" and provides a 5G-GUTI derived from the 4G GUTI.
  • A UE in dual registration mode sets the Registration Type to "initial registration" along with a native 5G-GUTI or SUPI.
  • The UE includes the NSSAI from the current serving PLMN.
  • The AMF supports interworking with the EPC, so it treats this as an initial registration and skips PDU session status synchronisation with the SMF.
  • If the UE is moving as in step 1, the AMF updates the UE location in the HSS/UDM and, by setting the ULR-Flags, tells them not to cancel the MME registration for the UE, if any.
  • During PDU session establishment with 5GS, the UE indicates "Existing PDU session" as the Request Type to preserve the IP address.
  • After successful Registration and PDU session establishment, the PGW-C triggers the PDN connection release and the detach of the UE from EPS.

How 5G Registration works

Background

5G wireless technology is the most recent wireless technology from 3GPP. When a mobile handset tries to connect to a 5G core network, it goes through the registration procedure to gain access to the network. In LTE/4G, registration and the default PDN connection (IP allocation) happen simultaneously when the mobile is switched on, but that was not the case in older wireless technologies like 3G or 2G. The same approach is coming back in 5G, due to the separation of the user plane and the control plane.

When does the UE initiate Registration?
  1. Initial registration when the device is switched on.
  2. When the UE enters a new tracking area outside its current registration area.
  3. When the UE needs to update its capabilities or the protocol parameters negotiated during a previous registration.
  4. Periodic registration update, if configured.
  5. Emergency registration.

What does the UE do during registration?
  • During initial registration the UE updates its location to the 5G core network.
  • During initial registration the UE may use the SUPI or the 5G-GUTI for the registration.
  • The UE may provide its PEI (IMEI + IMEISV) to the AMF on demand.

UE Registration States

Registration Flow

Registration Request Contents (important parameters only)

  1. Registration Type -> Initial reg, Mobility reg, Periodic reg or Emergency reg.
  2. User Identity -> 5G-GUTI, SUPI, PEI, or 5G-GUTI derived from the 4G GUTI for inter-working.
  3. List of Visited TAI -> last visited TAI list.
  4. Security Capability -> integrity and encryption algorithms the UE supports.
  5. Requested NSSAI -> any preferred NSSAI on which the UE wants to camp.
  6. Default NSSAI indication -> whether the AMF may select the default NSSAI if the requested NSSAI is not available.
  7. UE Capabilities -> UE radio capabilities and MM capabilities.
  8. PDU Session Status -> previously connected PDU sessions under the previous PLMN (3GPP or non-3GPP).
  9. List of PDU sessions to be activated -> if there is pending UL traffic for a PDU session, the UE includes that PDU session in this list.

  • The gNB selects an AMF based on the 5G-GUTI (SUCI) or an existing N2 connection for the UE; otherwise it selects the preferred AMF based on the NSSAI, if the SUPI or PEI is included.
  • After AMF selection, the NG-RAN (gNB) forwards the Registration Request to the AMF, piggybacked on the NGAP Initial UE Message.
  • If the SUCI is not provided in the Registration Request and cannot be retrieved from the old AMF, the AMF sends an Identity Request message to get the SUCI from the UE.
  • The AMF then initiates the authentication procedure with the AUSF and UDM.
  • If the PEI check is enforced by the operator, the AMF may send an Identity Request to the UE if the PEI was not obtained from the old AMF.
  • If the AMF has changed since the last registration, or the SUPI is provided as identity, the AMF selects an appropriate UDM and sets up a UDM registration for the UE session.
  • The AMF retrieves Mobility Subscription data, SMF selection data and UE context in SMF data using Nudm_SDM_Get.
  • The AMF selects a PCF and communicates with it to set up a policy association for the UE.
  • In the case of Emergency Registration, and when the registration type is Mobility Registration, the AMF communicates with the SMF to activate or re-activate the PDU sessions requested in the "List of PDU sessions to be activated" IE.
  • Once the AMF finishes the registration, it sends a Registration Accept message back to the UE.
  • In response to the Registration Accept, the UE sends back a Registration Complete message.