8 User identity to HSS resolution
29.2723GPPEvolved Packet System (EPS)Mobility Management Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocolRelease 17TS
The User identity to HSS resolution mechanism enables the MME, SGSN (for non-roaming case) or Diameter Relay/proxy agents in the home network (for roaming case) to find the identity of the HSS that holds the subscriber data for a given user identity when multiple and separately addressable HSSs have been deployed in the home network. The resolution mechanism is not required in networks that utilise a single HSS.
This User identity to HSS resolution mechanism may rely on routing capabilitites provided by Diameter and be implemented in the home operator network within dedicated Diameter Agents (Redirect Agents or Proxy Agents) responsible for determining the HSS identity based on the provided user identity. If this Diameter based implementation is selected by the Home network operator, the principles described below shall apply.
In non-roaming case, in networks where more than one independently addressable HSS are deployed in the home network, each MME and SGSN shall be configured with the address/identity of a Diameter Agent (Redirect Agent or Proxy Agent) implementing this resolution mechanism.
For support of roaming case, Diameter Relay agents and/or Diameter Proxy agents in the home network receiving the Diameter signalling from visited networks shall be configured with the address/identity of a Diameter Agent (Redirect Agent or Proxy Agent) implementing this resolution mechanism.
To get the HSS identity that holds the subscriber data for a given user identity in the home network, the Diameter request normally destined to the HSS shall be sent to a pre-configured address/identity of a Diameter agent supporting the User identity to HSS resolution mechanism.
– If this Diameter request is received by a Diameter Redirect Agent, the Diameter Redirect Agent shall determine the HSS identity based on the provided user identity and shall return a notification of redirection towards the HSS identity, in response to the Diameter request. Multiple HSS identities may be included in the response, as specified in IETF RFC 6733 [61]. In such a case, the requesting Diameter entity shall send the Diameter request to the first HSS identity in the ordered list received in the Diameter response from the Diameter Redirect Agent. If no successful response to the Diameter request is received, the requesting Diameter entity shall send a Diameter request to the next HSS identity in the ordered list. This procedure shall be repeated until a successful response from an HSS is received. After the user identity to HSS resolution, the MME or the SGSN shall store the determined HSS identity/name/Realm and shall use it in further Diameter requests to the same user identity.
– If this Diameter request is received by a Diameter Proxy Agent, the Diameter Proxy Agent shall determine the HSS identity based on the provided user identity and – if the Diameter load control mechanism is supported (see IETF RFC 8583 [60]) – optionally also based on previously received load values from Load AVPs of type HOST. The Diameter Proxy Agent shall then forward the Diameter request directly to the determined HSS. In this case, the user identity to HSS resolution decision is communicated to the MME/SGSN in the Origin-Host/Origin-Realm AVPs of the response. The MME or the SGSN may store the determined HSS identity/name/Realm and may use it in further Diameter requests to the same user identity.
In roaming case, whereas a Diameter Relay Agent is stateless, a stateful Diameter Proxy Agent in the home network may store the determined HSS identity/name/Realm and use it in further Diameter requests associated to the same user identity.
NOTE: Alternatives to the user identity to HSS resolution Diameter based implementation are outside the scope of this specification.
Annex A (normative):
MME mapping table for S6a and NAS Cause Code values
When the UE initiates Attach, Tracking Area Update or Service Request, there may be the need for the MME to communicate with the HSS via S6a to retrieve authentication data and/or subscription data. If this retrieval is rejected by the HSS, the received Diameter-Result-Code values or Experimental-Result values need to be mapped to appropriate cause codes over NAS to the UE.
This mapping shall be as shown in Table A.1.
If the retrieval is successful, not needed (e.g. because data are already available) or not possible (e.g. because HSS is unavailable or overloaded), detected error conditions need to be mapped to appropriate cause codes over NAS to the UE.
This mapping shall be as shown in Table A.2.
Table A.1: Mapping from S6a error code to NAS Cause Code values
|
Reject indication received at MME over S6a |
NAS Cause Code sent to UE |
|
DIAMETER_ERROR_USER_UNKNOWN (5001) |
#8 "EPS services and non-EPS services not allowed" |
|
DIAMETER_ERROR_UNKNOWN_EPS_SUBSCRIPTION (5420) without Error Diagnostic, or with Error Diagnostic of GPRS_DATA_SUBSCRIBED |
#15 "No suitable cells in tracking area" |
|
DIAMETER_ERROR_UNKNOWN_EPS_SUBSCRIPTION (5420) with Error Diagnostic of NO_GPRS_DATA_SUBSCRIBED |
#7 "EPS services not allowed" |
|
DIAMETER_ERROR_RAT_NOT_ALLOWED (5421) |
#15 "No suitable cells in tracking area", or #13 "Roaming not allowed in this tracking area", or #12 "Tracking area not allowed" (NOTE 1) |
|
DIAMETER_ERROR_ROAMING_NOT_ALLOWED (5004) , without Error Diagnostic |
#11 "PLMN not allowed" |
|
DIAMETER_ERROR_ROAMING_NOT_ALLOWED (5004), with Error Diagnostic of ODB_HPLMN_APN or ODB_VPLMN_APN |
#14 "EPS services not allowed in this PLMN" |
|
DIAMETER_ERROR_ROAMING_NOT_ALLOWED (5004), with Error Diagnostic of ODB_ALL_APN |
#15 "No suitable cells in tracking area" |
|
DIAMETER_AUTHORIZATION_REJECTED (5003) DIAMETER_UNABLE_TO_DELIVER (3002) DIAMETER_REALM_NOT_SERVED (3003) |
#15 "No suitable cells in tracking area", or #17 "Network failure", or #42 "Severe network failure" (NOTE 1) |
|
DIAMETER_UNABLE_TO_COMPLY (5012), DIAMETER_INVALID_AVP_VALUE (5004) DIAMETER_AVP_UNSUPPORTED (5001) DIAMETER_MISSING_AVP (5005) DIAMETER_RESOURCES_EXCEEDED (5006) DIAMETER_AVP_OCCURS_TOO_MANY_TIMES (5009) DIAMETER_AUTHENTICATION_DATA_UNAVAILABLE (4181) (NOTE 2) |
#17 "Network failure" or #42 "Severe network failure" (NOTE 1) |
|
NOTE 1: Any of those NAS Cause Code values may be sent to the UE, depending on operator’s choice. NOTE 2: Any other permanent errors from the Diameter base protocol as defined in IETF RFC 6733 [61], not listed here, should be mapped to NAS Cause Code #17 "Network failure". |
|
Table A.2: Mapping from detected error condition to NAS Cause Code values
|
Condition |
NAS cause code sent to UE |
|
The MME receives a SGsAP-LOCATION-UPDATE-REJECT message from the VLR indicating in the reject cause "IMSI unknown in HLR" or if the UE has packet only subscription. Only used in the Combined Tracking and Location Area Update procedure. |
#2 "IMSI Unknown in HSS" |
|
The MME receives in Update-Location-Answer message an indication of Roaming restricted in MME due to unsupported feature |
#14 "EPS services not allowed in this PLMN" |
|
The MME cannot service an UE generated request because CS domain is not available and SMS in MME is not supported. |
#18 "CS domain not available" |
|
The value OPERATOR_DETERMINED_BARRING is received in the Subscriber-Status AVP |
#15 "No suitable cells in tracking area" |
|
The HSS indicates that due to subscription to a "regionally restricted service" the UE is not allowed to operate in the tracking area. |
#12 "Tracking area not allowed" |
|
The CSG ID of the cell from where the UE has sent the TRACKING AREA UPDATE REQUEST message is not contained in the Allowed CSG list. |
#25 "Not authorized for this CSG" |
|
The MME detects that it cannot communicate with the HSS in the HPLMN of the subscriber. How the MME detect this is implementation specific. |
#15 "No suitable cells in tracking area" #14 "EPS services not allowed in this PLMN" #111 "Protocol error, unspecified" NOTE: Any of those NAS Cause Code values may be sent to the UE, depending on operator’s choice / configuration, e.g. NAS Cause Code #14 is to be sent to the UE if the network is an LTE only network. |
|
The MME detects by internal configuration that roaming is not allowed. |
#11 "PLMN not allowed" |
|
The MME detects that it cannot send a request to the HSS due to HSS overload (see Annex C). |
#22 "Congestion" #42 "Severe network failure" NOTE 1: Cause #22 should be used. In addition, the MME may ask the UE not to retry before a backoff timer expires, based on an operator policy. The eventual timer value may take into account the value received in the corresponding active overload report and operator policy. NOTE 2: Cause #42 may be used, for attach requests, in case of severe overload, according to operator policy. |
Annex B(normative):
SGSN mapping table for S6d and NAS Cause Code values
When the UE initiates Attach, Routing Area Update or Service Request, there may be the need for the SGSN to communicate with the HSS via S6d to retrieve authentication data and/or subscription data. If this retrieval is rejected by the HSS, the received Diameter-Result-Code values or Experimental-Result valuesneed to be mapped to appropriate cause codes over NAS to the UE.
NOTE: Mapping from MAP Gr error codes to NAS Cause Code values is described in the 3GPP TS 29.010 [45].
This mapping shall be as shown in Table B.1.
If the retrieval is successful, not needed (e.g. because data are already available) or not possible (e.g. because HSS is unavailable or overloaded), detected error conditions need to be mapped to appropriate cause codes over NAS to the UE.
This mapping shall be as shown in Table and B.2.
Table B.1: Mapping from S6d error code to NAS Cause Code values
|
Reject indication received at SGSN over S6d |
NAS Cause Code sent to UE |
|
DIAMETER_ERROR_USER_UNKNOWN (5001) |
#8 "GPRS services and non-GPRS services not allowed" |
|
DIAMETER_ERROR_UNKNOWN_EPS_SUBSCRIPTION (5420) |
#7 "GPRS services not allowed" |
|
DIAMETER_ERROR_RAT_NOT_ALLOWED (5421) |
#15 "No suitable cells in location area", or #13 "Roaming not allowed in this location area", or #12 "Location area not allowed" (NOTE 1) |
|
DIAMETER_ERROR_ROAMING_NOT_ALLOWED (5004) , without Error Diagnostic |
#11 "PLMN not allowed" |
|
DIAMETER_ERROR_ROAMING_NOT_ALLOWED (5004), with Error Diagnostic of ODB_HPLMN_APN or ODB_VPLMN_APN |
#14 "GPRS services not allowed in this PLMN" |
|
DIAMETER_ERROR_ROAMING_NOT_ALLOWED (5004), with Error Diagnostic of ODB_ALL_APN |
#15 "No suitable cells in location area" |
|
DIAMETER_AUTHORIZATION_REJECTED (5003) DIAMETER_UNABLE_TO_DELIVER (3002) |
#15 "No suitable cells in location area" |
|
DIAMETER_UNABLE_TO_COMPLY (5012), DIAMETER_INVALID_AVP_VALUE (5004) DIAMETER_AUTHENTICATION_DATA_UNAVAILABLE (4181) and no retry takes place (NOTE 2) |
#17 "Network failure" |
|
NOTE 1: Any of those NAS Cause Code values may be sent to the UE, depending on operator’s choice. NOTE 2: Any other permanent errors from the Diameter base protocol as defined in IETF RFC 6733 [61], not listed here, should be also mapped to NAS Cause Code #17 "Network failure". |
|
Table B.2: Mapping from detected error condition to NAS Cause Code values
|
Condition |
NAS cause code to UE |
|
The SGSN receives a BSSAP+-LOCATION-UPDATE-REJECT message from the VLR indicating in the reject cause "IMSI unknown in HLR" or if the UE has packet only subscription. Only used in the Combined Routing and Location Area Update procedure. |
#2 "IMSI Unknown in HLR" |
|
The SGSN receives in Update-Location-Answer message an indication of Roaming restricted in SGSN due to unsupported feature |
#14 "GPRS services not allowed in this PLMN" |
|
The value OPERATOR_DETERMINED_BARRING is received in the Subscriber-Status AVP |
#15 "No suitable cells in routing area" |
|
The HLR indicates that due to subscription to a "regionally restricted service" the MS is not allowed to operate in the location area. |
#12 "Location area not allowed" |
|
The CSG ID of the cell from where the UE has sent the ROUTING AREA UPDATE REQUEST message is not contained in the Allowed CSG list. |
#25 "Not authorized for this CSG" |
|
The SGSN indicates that the MS has requested "SMS-only services" and the SMS services are provided by the SGSN in the PS domain. |
#28 "SMS provided via GPRS in this routing area" |
|
The SGSN detects that it cannot communicate with the HLR in the HPLMN of the subscriber. How the SGSN detect this is implementation specific. |
#15 "No suitable cells in routing area" #14 "GPRS services not allowed in this PLMN" NOTE: Any of those NAS Cause Code values may be sent to the UE, depending on operator’s choice / configuration, e.g. NAS Cause Code #14 is to be sent to the UE if the network is an LTE only network. |
|
The SGSN detects by internal configuration that roaming is not allowed. |
#11 "PLMN not allowed" |
|
The SGSN detects that it cannot send a request to the HSS due to HSS overload (see Annex C). |
#22 "Congestion". In addition, the MME may ask the UE not to retry before a backoff timer expires, based on an operator policy. The eventual timer value may take into account the value received in the corresponding active overload report and operator policy. |
Annex C (normative):
Diameter overload control mechanism