Archive 2019

5G Network Identity SUPI/SUCI

Introduction

In 5G, to protect the UE's permanent identity (SUPI, Subscription Permanent Identifier), the UE never transmits the SUPI as it is. The UE conceals (encrypts) the SUPI using an encryption scheme to create the SUCI (Subscription Concealed Identifier) before sending it to the core network.

Concealing can be done in the USIM or in the ME (Mobile Equipment), depending on the indication configured in the USIM by the operator. If no indicator is present, the ME does the concealing.
In the core network, only the UDM has the authority to de-conceal the SUCI.

Identity flow between UE and Network

Decoding of SUCI

SUPI Type: a value in the range 0 to 7. It identifies the type of the SUPI concealed in the SUCI. The following values are defined:

–  0: IMSI
–  1: Network Specific Identifier
–  2 to 7: spare values for future use.

Home Network Identifier: identifying the home network of the subscriber.

When the SUPI Type is an IMSI, the Home Network Identifier is composed of two parts:
–  Mobile Country Code (MCC), consisting of three decimal digits.
–  Mobile Network Code (MNC), consisting of two or three decimal digits.
When the SUPI type is a Network Specific Identifier, the Home Network Identifier consists of a string of characters with a variable length representing a domain name. Ex. abc@xyz.com

Routing Indicator: consisting of 1 to 4 decimal digits assigned by the home network operator and provisioned in the USIM.

Protection Scheme Identifier: a value in the range 0 to 15, represented in 4 bits.

  • null-scheme         0x0;
  • Profile <A>         0x1;
  • Profile <B>         0x2.

Home Network Public Key Identifier: a value in the range 0 to 255. It represents a public key provisioned by the HPLMN and identifies the key used for SUPI protection. When the null-scheme is used, this data field shall be set to the value 0.

Scheme Output: consisting of a string of characters with a variable length or hexadecimal digits, dependent on the used protection scheme.

  • Null Scheme – With the null scheme no encryption happens, and the scheme output field carries the MSIN of the IMSI (the value left after taking the MCC and MNC out of the IMSI) as it is.
  • Elliptic Curve Integrated Encryption Scheme (ECIES) Profile A – In this case the scheme output is further divided into two parts:
    1. ECC ephemeral public key, 64 bits, freshly generated using the provisioned ECIES input parameters.
    2. Ciphered text, of variable length.
  • Elliptic Curve Integrated Encryption Scheme (ECIES) Profile B – In this case the scheme output is further divided into two parts:
    1. ECC ephemeral public key, 66 bits, freshly generated using the provisioned ECIES input parameters.
    2. Ciphered text, of variable length.

Note: The details of the Elliptic Curve Integrated Encryption Scheme (ECIES) will be discussed in another blog.
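
The field list above can be turned into a small validator that also flags identifiers sent with the null scheme, where the MSIN travels in clear. This is an added example, not code from the original post: the dash-separated text layout `suci-<type>-<mcc>-<mnc>-<routing indicator>-<scheme>-<key id>-<scheme output>`, the names `parse_suci` and `exposed_imsi`, and the sample values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Suci:
    supi_type: int
    mcc: str
    mnc: str
    routing_indicator: str
    scheme_id: int
    key_id: int
    scheme_output: str

def _field(pattern: str, value: str, name: str) -> str:
    # Reject any field that does not match the shape given in the field list.
    if not re.fullmatch(pattern, value):
        raise ValueError(f"invalid {name}: {value!r}")
    return value

def parse_suci(text: str) -> Suci:
    # Assumed layout: suci-<type>-<mcc>-<mnc>-<rid>-<scheme>-<key id>-<output>
    parts = text.split("-", 7)
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("not a SUCI string in the assumed layout")
    if parts[1] != "0":
        raise ValueError("this example handles SUPI Type 0 (IMSI) only")
    suci = Suci(
        supi_type=0,
        mcc=_field(r"[0-9]{3}", parts[2], "MCC"),
        mnc=_field(r"[0-9]{2,3}", parts[3], "MNC"),
        routing_indicator=_field(r"[0-9]{1,4}", parts[4], "Routing Indicator"),
        scheme_id=int(_field(r"[0-9a-fA-F]", parts[5], "Protection Scheme Identifier"), 16),
        key_id=int(_field(r"[0-9]{1,3}", parts[6], "Home Network Public Key Identifier")),
        scheme_output=_field(r"[0-9a-fA-F]+", parts[7], "Scheme Output"),
    )
    if suci.key_id > 255:
        raise ValueError("Home Network Public Key Identifier must be 0 to 255")
    if suci.scheme_id == 0 and (suci.key_id != 0 or not suci.scheme_output.isdigit()):
        raise ValueError("null-scheme needs key identifier 0 and a decimal MSIN")
    return suci

def exposed_imsi(suci: Suci) -> Optional[str]:
    # With the null-scheme the Scheme Output is the MSIN in clear, so the
    # full IMSI (MCC + MNC + MSIN) is readable by anyone who sees the SUCI.
    if suci.scheme_id == 0:
        return suci.mcc + suci.mnc + suci.scheme_output
    return None

# Constructed sample values (test PLMN 001/01), not captured traffic.
NULL_SAMPLE = "suci-0-001-01-0000-0-0-0000000001"
PROTECTED_SAMPLE = "suci-0-001-01-0000-1-1-" + "ab" * 40
```

Running `exposed_imsi(parse_suci(...))` over identifiers seen in logs or traces separates the ones that leak the permanent identity from the ones concealed with Profile A or B.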

5G Network Slicing Concepts

Introduction

In 5G, the network communication infrastructure is not confined to mobile voice/text communication; it is now segregated and diversified into different services such as Industrial IoT, smart-home domestic IoT, low-latency medical communication, high-bandwidth mobile broadband, etc. Each of these services requires different data behavior and QoS from the network infrastructure.

In 5G, each network node is equipped with special features to serve the purpose of one or multiple services, and the kind of service supported by a particular node is defined in the NSSF (Network Slice Selection Function). Any particular service request from the UE is served by a set of network entities associated with that service, called a slice.

NSSAI(Network Slice Selection Assistance Information) Structure and Fundamentals

  • Network slice configuration information can have multiple NSSAIs.
  • Each PLMN can have at most one configured NSSAI.
  • Each NSSAI has multiple S-NSSAI slices.
  • Each S-NSSAI slice has multiple DNNs configured.
  • A configured NSSAI can be configured by a serving PLMN, or it can be the default NSSAI configured by the HPLMN.
  • If the Serving PLMN doesn't have a specific configured PLMN, it uses the default configured NSSAI from the HPLMN.
  • The UE is pre-configured/provisioned by a signalling message with the default configured NSSAI by the HPLMN.
  • The UE is only configured with a set of subscribed S-NSSAIs out of the default configured NSSAI, which is a subset of the S-NSSAIs configured inside the default configured NSSAI in the HPLMN.
  • Allowed S-NSSAIs provided to the UE can have values which are not served by the Serving PLMN; in that case the Serving PLMN updates the allowed S-NSSAI list with a mapping to the corresponding S-NSSAI of the HPLMN.

S-NSSAI and its Structure

Each slice is identified by an S-NSSAI (single network slice selection identifier).

  • SST is a required value, whereas SD is optional.
  • SST refers to the expected behaviour of the slice.
  • SD is optional and differentiates among multiple slices with the same SST.

  • UE during Registration and PDU session Establishment sends S-NSSAI value and optionally HPLMN NSSAI value, if in visiting area.
  • The requested NSSAI signalled by UE to network allows the network to select appropriate serving AMF, Network slice and network slice instance.
  • Based on the subscription data, one UE can have subscription to multiple S-NSSAIs and one of them can be marked as default S-NSSAI.
  • Subscription information for each S-NSSAI may have multiple DNN and one of them is default DNN.

Services provided by NSSF

Nnssf_NSSelection_Get service operation

  • May be invoked during Registration, for serving AMF selection and re-allocation.
  • PDU session establishment procedure, for SMF selection.
  • UE configuration update procedure, to update allowed S-NSSAIs to UEs in current serving PLMN.

Nnssf_NSSAIAvailability

  • Nnssf_NSSAIAvailability_Update: In this process, the AMF updates the NSSF with the S-NSSAIs supported by the AMF per TA and gets back the availability of S-NSSAIs for each TA.
  • Nnssf_NSSAIAvailability_Notify: The AMF notifies the NSSF with restricted S-NSSAIs per TA using this procedure.

AMF Re-allocation Procedure

During the UE registration procedure, if the AMF doesn't support one or more requested S-NSSAIs which are allowed by the SPLMN/HPLMN, then it requests the NSSF to provide the appropriate AMF to redirect the registration request from the UE.