5 Services offered by the NSSAAF
3GPP TS 29.526: 5G System; Network Slice-Specific and SNPN Authentication and Authorization services; Stage 3 (Release 17)
5.1 Introduction
The NSSAAF offers the following services via the Nnssaaf interface:
– Nnssaaf_NSSAA Service
– Nnssaaf_AIW Service
Table 5.1-1 summarizes the corresponding APIs defined for this specification.
Table 5.1-1: API Descriptions
Service Name | Clause | Description | OpenAPI Specification File | apiName | Annex
Nnssaaf_NSSAA | 5.2 | Slice-specific authentication and authorization service | TS29526_Nnssaaf_NSSAA.yaml | nnssaaf-nssaa | A.2
Nnssaaf_AIW | 5.x | AAA Interworking service | TS29526_Nnssaaf_AIW.yaml | nnssaaf-aiw | A.3
5.2 Nnssaaf_NSSAA Service
5.2.1 Service Description
The Nnssaaf_NSSAA service provides slice-specific authentication and authorization for a given UE. The NSSAAF is acting as NF Service Producer, while the AMF is the NF Service Consumer.
The following functionalities are provided by the Nnssaaf_NSSAA service:
– Perform slice-specific authentication and authorization for a given UE;
– Trigger slice-specific re-authentication to a given UE;
– Revoke the slice-specific authentication and authorization for a given UE.
The Nnssaaf_NSSAA service supports the following service operations.
Table 5.2.1-1: Service operations supported by the Nnssaaf_NSSAA service
Service Operations | Description | Operation Semantics | Example Consumer(s)
Authenticate | Perform slice-specific authentication and authorization for a given UE. | Request/Response | AMF
Re-Authentication Notification | Request slice-specific re-authentication and re-authorization for a given UE. | Callback | AMF
Revocation Notification | Request revocation of slice-specific authentication and authorization result for a given UE. | Callback | AMF
5.2.2 Service Operations
5.2.2.1 Introduction
See Table 5.2.1-1 for an overview of the service operations supported by the Nnssaaf_NSSAA service.
5.2.2.2 Authenticate
5.2.2.2.1 General
The Authenticate service operation permits the NF Service Consumer (i.e. the AMF) to initiate slice-specific authentication and authorization, e.g. during a UE Registration procedure or upon reception of a re-authentication notification from the NSSAAF (see clause 5.2.2.3). The NSSAAF may relay the EAP message to an AAA-S and collect the result of slice-specific authentication and authorization from the AAA-S, as specified in clause 4.2.9.2 of 3GPP TS 23.502 [3], and clause 16.3 of 3GPP TS 33.501 [8].
The NF Service Consumer (i.e. the AMF) shall send a POST request to the resource representing slice authentication collection (i.e. …/v1/slice-authentications) to request the NSSAAF to create the corresponding resource context and perform slice-specific authentication and authorization.
Figure 5.2.2.2.1-1: Slice-Specific Authentication and Authorization
1. The NF Service Consumer (AMF) shall send a POST request to the NSSAAF, targeting the resource of slice authentication collection (i.e. …/v1/slice-authentications), to perform slice-specific authentication and authorization.
The payload of the body shall contain the slice authentication information, which includes:
– UE ID (i.e. GPSI); if multiple GPSIs are received from the UDM, the NF Service Consumer shall include any one of them;
– S-NSSAI;
– EAP ID Response message (if it is received from the UE), or the EAP ID Response message with the stored EAP ID, or the EAP ID Response message with Null value (if the EAP ID is not requested or received);
– optionally, the callback URI of the AMF to receive re-authentication notification from the NSSAAF;
– optionally, the callback URI of the AMF to receive revocation notification from the NSSAAF.
Based on local policy, the AMF may determine to provide callback URI(s) for receiving re-authentication notification or revocation notification. For example, the callback URIs may be provided for a UE identified as having low mobility characteristics.
If Slice-Specific Authentication and Authorization is triggered by the AMF during a Registration procedure as described in clause 4.2.9.2 of 3GPP TS 23.502 [3], the AMF shall set "status" attribute for the given slice listed in "nssaaStatusList" attribute to "PENDING" (See 3GPP TS 29.518 [16]).
2. The NSSAAF creates a slice authentication context for the UE and starts the slice-specific authentication and authorization procedure. If the AAA-S is involved in the slice-specific authentication and authorization procedure, the NSSAAF shall forward the EAP ID Response message to the AAA-S if the EAP ID Response message does not contain the Null value. Depending on the result, either step 3a or step 3b is performed. The NSSAAF obtains the AAA-S address from local configuration, based on the S-NSSAI.
3a. On success, "201 Created" shall be returned. The "Location" header shall contain the URI of the created resource (e.g. …/v1/slice-authentications/{authCtxId}). The payload body shall contain the slice authentication context, which includes the EAP message generated by the NSSAAF or from the AAA-S. The NF Service Consumer (i.e. the AMF) shall forward the received EAP message to the UE in NAS message, as specified in clause 4.2.9.2 of 3GPP TS 23.502 [3].
3b. On failure, one of the HTTP status codes listed in Table 6.1.7.3-1 shall be returned. For a 4xx/5xx response, the message body shall contain a ProblemDetails structure with the "cause" attribute set to one of the application errors listed in Table 6.1.7.3-1. If the slice is not authorized, the NSSAAF shall use the "SLICE_AUTH_REJECTED" application error code.
3c. On redirection, the appropriate HTTP status code (e.g. "307 Temporary Redirect") shall be returned. A RedirectResponse IE may be included in the payload body of POST response, as specified in table 6.1.3.2.3.1-3.
4. Upon receiving an EAP message from the UE, the NF Service Consumer (i.e. the AMF) shall send a PUT request to the NSSAAF, targeting the resource of the slice authentication context (i.e. …/v1/slice-authentications/{authCtxId}).
The payload body shall carry the slice authentication confirmation data which includes:
– UE ID (i.e. GPSI)
– S-NSSAI
– AAA-S address
– EAP Message (which is received from the UE)
5. The NSSAAF checks and confirms the slice-specific authentication and authorization. If the AAA-S is involved, the NSSAAF shall forward the EAP Message to the AAA-S to confirm the slice-specific authentication and authorization. Depending on the result, either step 6a or step 6b is performed.
6a. On success, "200 OK" shall be returned. The payload body shall contain the slice authentication confirmation response, which includes the EAP message (e.g. EAP success/failure message) generated by the NSSAAF or from the AAA-S. The NF Service Consumer (i.e. the AMF) shall forward the EAP message to the UE in NAS message.
If the UE is authenticated, the NSSAAF shall set the "authResult" attribute to "EAP_SUCCESS". If authentication of the UE fails, the "authResult" attribute shall be set to "EAP_FAILURE".
If a subsequent EAP message exchange is needed between the UE and the NSSAAF (AAA-S), the NSSAAF shall not include SliceAuthResult in the response message.
6b. On failure, one of the HTTP status codes listed in Table 6.1.7.3-1 shall be returned. For a 4xx/5xx response, the message body shall contain a ProblemDetails structure with the "cause" attribute set to one of the application errors listed in Table 6.1.7.3-1.
6c. On redirection, the appropriate HTTP status code (e.g. "307 Temporary Redirect") shall be returned. A RedirectResponse IE may be included in the payload body of POST response, as specified in table 6.1.3.3.3.1-3.
7-9. If a subsequent EAP message exchange is needed between the UE and the NSSAAF to finish the EAP-based authentication, steps 7-9 are performed. On failure, one of the HTTP status codes listed in Table 6.1.7.3-1 shall be returned. For a 4xx/5xx response, the message body shall contain a ProblemDetails structure with the "cause" attribute set to one of the application errors listed in Table 6.1.7.3-1. On redirection, the appropriate HTTP status code (e.g. "307 Temporary Redirect") shall be returned, and a RedirectResponse IE may be included in the message body, as specified in table 6.1.3.3.3.1-3.
In the above steps, if the AAA-S is involved in the slice-specific authentication and authorization procedure and no response is received from the AAA-S before the timeout expires, the NSSAAF shall return HTTP status code "504 Gateway Timeout", with the message body containing a ProblemDetails structure with the "cause" attribute set to "TIMED_OUT_REQUEST".
After completion of the slice-specific authentication and authorization procedure, it is up to implementation whether the NSSAAF stores the slice authentication context and related resources for a configured period or deletes the context and resources immediately, e.g. depending on the potential need for AAA-S initiated slice-specific re-authentication/revocation notifications.
If the slice-specific authentication and authorization was successful (i.e. "authResult" attribute received from NSSAAF in step 6a is set to "EAP_SUCCESS"), the AMF shall set "status" attribute for the given slice listed in "nssaaStatusList" attribute to "EAP_SUCCESS" (see 3GPP TS 29.518 [16]).
If the slice-specific authentication and authorization finally fails (i.e. "authResult" attribute received from NSSAAF in step 6a is set to "EAP_FAILURE"), the AMF shall set "status" attribute for the given slice listed in "nssaaStatusList" attribute to "EAP_FAILURE" (see 3GPP TS 29.518 [16]). In this case, if there are PDU sessions previously established corresponding to the S-NSSAIs required to be authenticated, the AMF should additionally trigger the release of those PDU sessions.
If the slice-specific authentication and authorization cannot be completed, then:
– If it is due to receiving a response with HTTP status code "504 Gateway Timeout" or due to lack of response from the NSSAAF during an NSSAA procedure, the AMF may later re-initiate slice-specific authentication and authorization procedure based on its policy. The AMF should wait for a configured period before re-initiating slice-specific authentication and authorization procedure. If the retry attempts are exhausted, the AMF stops the slice-specific authentication and authorization procedure.
NOTE 1: It is recommended to limit the number of retry attempts as described in 3GPP TS 29.500 [4].
– If it is due to the UE becoming unreachable during an NSSAA procedure, the AMF stops the slice-specific authentication and authorization procedure.
– If the AMF stops the slice-specific authentication and authorization procedure (i.e. after exhausting the retry attempts or when the UE becomes unreachable), the AMF shall keep the "status" attribute set to "PENDING", for the given slice(s) listed in "nssaaStatusList" attribute (see 3GPP TS 29.518 [16]).
NOTE 2: The AMF initiates the slice-specific authentication and authorization for S-NSSAIs in "PENDING" status at next UE uplink activity.
If an S-NSSAI subject to the NSSAA is rejected due to Network Slice Admission Control because the total number of UEs exceeds the maximum number of UEs allowed to be registered to this slice (as specified in clause 5.2.2.2.2 of 3GPP TS 29.536 [17]), the AMF shall keep the "status" attribute stored as not impacted (see clause 4.2.9.1 of 3GPP TS 23.502 [3] and 3GPP TS 29.518 [16]).
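The consumer-side handling of the Authenticate responses above (steps 3a/3b, 6a/6b, the 504 retry rule and the PENDING bookkeeping), as an added example that is not code from TS 29.526 or any NSSAAF/AMF implementation. The attribute names "authResult", "nssaaStatusList", "status" and "cause" and the cause values "SLICE_AUTH_REJECTED" and "TIMED_OUT_REQUEST" are those the clause names; the UeContext layout, the action strings and the retry limit MAX_RETRIES are constructed for this example.

```python
# Added example: AMF-side application of Nnssaaf_NSSAA Authenticate responses.
# UeContext, action strings and MAX_RETRIES are constructed for illustration.
from dataclasses import dataclass, field

MAX_RETRIES = 3  # assumed local AMF policy; TS 29.500 recommends bounding retries


@dataclass
class UeContext:
    gpsi: str
    # S-NSSAI -> status, mirroring the "status" entries of "nssaaStatusList"
    nssaa_status: dict = field(default_factory=dict)
    auth_ctx: dict = field(default_factory=dict)       # S-NSSAI -> authCtxId
    retries: dict = field(default_factory=dict)        # S-NSSAI -> attempts so far
    pdu_sessions: dict = field(default_factory=dict)   # S-NSSAI -> [PDU session ids]
    released_pdu_sessions: list = field(default_factory=list)


def start_nssaa(ue: UeContext, snssai: str) -> None:
    """Step 1: the slice is marked PENDING before the POST is sent."""
    ue.nssaa_status[snssai] = "PENDING"


def handle_nssaaf_response(ue, snssai, status_code, headers, body):
    """Apply one NSSAAF response (or a missing one, status_code=None) to the UE
    context and return the action the AMF takes next."""
    if status_code == 201:                       # step 3a: context created
        ue.auth_ctx[snssai] = headers["Location"].rsplit("/", 1)[-1]
        ue.retries.pop(snssai, None)
        return "forward_eap_to_ue"               # EAP message relayed in NAS
    if status_code == 200:                       # step 6a
        result = body.get("authResult")
        if result is None:                       # more EAP round trips (steps 7-9)
            return "forward_eap_to_ue"
        if result == "EAP_SUCCESS":
            ue.nssaa_status[snssai] = "EAP_SUCCESS"
            return "forward_eap_to_ue"
        if result == "EAP_FAILURE":
            ue.nssaa_status[snssai] = "EAP_FAILURE"
            # release PDU sessions previously established on this slice
            ue.released_pdu_sessions += ue.pdu_sessions.pop(snssai, [])
            return "forward_eap_to_ue"
        raise ValueError(f"unknown authResult {result!r}")
    cause = (body or {}).get("cause")
    if status_code is None or (status_code == 504 and cause == "TIMED_OUT_REQUEST"):
        # no answer / AAA-S timeout: stay PENDING, re-initiate later, bounded attempts
        attempts = ue.retries.get(snssai, 0) + 1
        ue.retries[snssai] = attempts
        ue.nssaa_status[snssai] = "PENDING"
        return "retry_after_backoff" if attempts < MAX_RETRIES else "stop_pending"
    if cause == "SLICE_AUTH_REJECTED":           # step 3b: slice not authorized
        return "slice_rejected"                  # status handling left to caller
    return f"error:{status_code}:{cause}"
```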
5.2.2.3 Re-Authentication Notification
5.2.2.3.1 General
The Re-Authentication Notification service operation shall be used by the NSSAAF to notify the AMF to re-initiate slice-specific authentication and authorization for a given UE, as specified in clause 4.2.9.3 of 3GPP TS 23.502 [3], and clause 16.4 of 3GPP TS 33.501 [8].
If there are two different AMFs serving the UE (e.g. the NSSAAF retrieves two different AMFs from the UDM), the NSSAAF may determine to send the re-authentication notification to both AMFs. Alternatively, the NSSAAF may first send the re-authentication notification to one of the AMFs, and then send a revocation notification to the other AMF if EAP authentication fails in the first AMF. If EAP authentication succeeds in the first AMF, the NSSAAF does not notify the other AMF.
Upon receiving a Network Slice-Specific Re-authentication and Re-authorization request from an AAA-S, the NSSAAF shall verify whether the AAA-S is authorized to request the procedure, by checking its local configuration. If the AAA-S is authorized to request the re-authentication, the NSSAAF shall notify the NF Service Consumer (i.e. the AMF) by using the HTTP POST method as shown in Figure 5.2.2.3.1-1.
Figure 5.2.2.3.1-1: Re-authentication Notification
1. The NSSAAF shall send a POST request to the callback URI used for receiving re-authentication notifications, which is either provided by the NF Service Consumer (i.e. the AMF), or retrieved from the AMF profile stored in the NRF.
The HTTP payload body of the POST request shall contain the SliceAuthReauthNotification data structure, within which:
– the notificationType set to the SliceAuthNotificationType of "SLICE_RE_AUTH";
– the gpsi set to the GPSI of the given UE required to be re-authenticated;
– the snssai set to the S-NSSAI required to be re-authenticated;
– the supi set to the SUPI of the given UE required to be re-authenticated.
NOTE: The NSSAAF can obtain the SUPI of the UE in the response of a previous Nudm_UECM_Get used by the NSSAAF to retrieve the AMF ID.
2a. On success, "204 No Content" shall be returned and the payload body of the POST response shall be empty.
After responding to the request, the NF Service Consumer (i.e. the AMF) shall send a NAS message to the UE to trigger re-authentication and re-authorization for the given slice.
The AMF then decides to execute the Slice-Specific Authentication and Authorization if needed as described in clause 5.2.2.2.1.
If the S-NSSAI is not in the Mapping Of Allowed NSSAI, the AMF removes any status of the corresponding S-NSSAI subject to Slice-Specific Authentication and Authorization in the UE context it may have kept, so that a Slice-Specific Authentication and Authorization procedure is executed the next time the UE requests to register with the S-NSSAI.
2b. On failure, one of the HTTP status codes (e.g. "404 Not Found") listed in Table 6.1.7.3-1 shall be returned.
For a 4xx/5xx response, the message body shall contain a ProblemDetails structure with the "cause" attribute set to one of the application errors listed in Table 6.1.7.3-1.
2c. On redirection, the appropriate HTTP status code (e.g. "307 Temporary Redirect") shall be returned. A RedirectResponse IE may be included in the payload body of POST response, as specified in table 6.1.5.2.3.1-2.
If the NF Service Consumer (i.e. the AMF) is not able to handle the request, but knows that another NF Service Consumer (i.e. the AMF) is able to handle it, it shall reply with an HTTP 3xx redirect response pointing to the URI of the new NF Service Consumer (i.e. the AMF).
5.2.2.4 Revocation Notification
5.2.2.4.1 General
The Revocation Notification service operation shall be used by the NSSAAF to notify the AMF to revoke slice-specific authentication and authorization result, as specified in clause 4.2.9.4 of 3GPP TS 23.502 [3], and clause 16.5 of 3GPP TS 33.501 [8], and may trigger the AMF to release the corresponding PDU sessions associated to the indicated slice.
If there are two different AMFs serving the UE (e.g. the NSSAAF retrieves two different AMFs from the UDM), the NSSAAF may determine to send revocation notification to both AMFs.
Upon receiving a Network Slice-Specific Authorization Revocation request from an AAA-S, the NSSAAF shall verify whether the AAA-S is authorized to request the procedure, by checking its local configuration. If the AAA-S is authorized to request the revocation, the NSSAAF shall notify the NF Service Consumer (i.e. the AMF) by using the HTTP POST method as shown in Figure 5.2.2.4.1-1.
Figure 5.2.2.4.1-1: Revocation Notification
1. The NSSAAF shall send a POST request to the revocation notification callback URI, which is either provided by the NF Service Consumer (i.e. the AMF), or retrieved from the AMF profile stored in the NRF.
The HTTP payload body of the POST request shall contain the SliceAuthRevocNotification data structure, within which:
– the notificationType set to the SliceAuthNotificationType of "SLICE_REVOCATION";
– the gpsi set to the GPSI of the given UE for whom the slice-specific authorization revocation is required;
– the snssai set to the S-NSSAI for which the slice-specific authorization revocation is required;
– the supi set to the SUPI of the given UE for whom the slice-specific authorization revocation is required.
NOTE: The NSSAAF can obtain the SUPI of the UE in the response of a previous Nudm_UECM_Get used by the NSSAAF to retrieve the AMF ID.
2a. On success, "204 No Content" shall be returned and the payload body of the POST response shall be empty.
On receiving the request, the NF Service Consumer (i.e. the AMF) shall revoke the slice-specific authentication and authorization result for the given UE. If there is a PDU session associated with the given slice, the AMF shall trigger the PDU session release towards the SMF, with an appropriate cause value.
The AMF shall remove the "status" for the given slice in the "nssaaStatusList" attribute (see 3GPP TS 29.518 [16]).
2b. On failure, one of the HTTP status codes (e.g. "404 Not Found") listed in Table 6.1.7.3-1 shall be returned.
For a 4xx/5xx response, the message body shall contain a ProblemDetails structure with the "cause" attribute set to one of the application errors listed in Table 6.1.7.3-1.
2c. On redirection, the appropriate HTTP status code (e.g. "307 Temporary Redirect") shall be returned. A RedirectResponse IE may be included in the payload body of POST response, as specified in table 6.1.5.3.3.1-2.
If the NF Service Consumer (i.e. the AMF) is not able to handle the request, but knows that another NF Service Consumer (i.e. the AMF) is able to handle it, it shall reply with an HTTP 3xx redirect response pointing to the URI of the new NF Service Consumer (i.e. the AMF).
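An AMF-side receiver for the two callbacks of clauses 5.2.2.3 and 5.2.2.4 (payload validation, the 204/3xx/404 outcomes, status removal and PDU session release), as an added example that is not code from TS 29.526 or any AMF implementation. The attributes notificationType, gpsi, snssai and supi and the values "SLICE_RE_AUTH" / "SLICE_REVOCATION" are from the clause; the UE registry layout, the redirect table and the cause strings used for 400/404 are assumptions, since Table 6.1.7.3-1 is not reproduced here.

```python
# Added example: AMF callback handling for SliceAuthReauthNotification and
# SliceAuthRevocNotification. Registry layout and 400/404 causes are assumed.
REQUIRED = ("notificationType", "gpsi", "snssai", "supi")


class AmfCallbackHandler:
    """Receives the NSSAAF's POST callbacks and returns (http_status, payload)."""

    def __init__(self, ues, other_amf_by_gpsi=None):
        # gpsi -> {"allowed": {S-NSSAI...}, "nssaaStatusList": {snssai: status},
        #          "pduSessions": {snssai: [session ids]}}   (constructed layout)
        self.ues = ues
        self.other_amf = other_amf_by_gpsi or {}  # gpsi -> URI of another AMF serving the UE
        self.reauth_requests = []                 # (gpsi, snssai) to re-authenticate over NAS
        self.released_sessions = []               # PDU session ids released towards the SMF

    def _check(self, body, expected_type):
        """Validate the notification; None means the UE is served here and the body is usable."""
        missing = [k for k in REQUIRED if k not in body]
        if missing:  # cause values below are assumed, not taken from this clause
            return 400, {"cause": "MANDATORY_IE_MISSING", "detail": ",".join(missing)}
        if body["notificationType"] != expected_type:
            return 400, {"cause": "MANDATORY_IE_INCORRECT", "detail": "notificationType"}
        gpsi = body["gpsi"]
        if gpsi in self.ues:
            return None
        if gpsi in self.other_amf:  # another AMF can handle it: 3xx redirect to its URI
            return 307, {"Location": self.other_amf[gpsi]}
        return 404, {"cause": "CONTEXT_NOT_FOUND"}

    def reauth_notification(self, body):
        """Clause 5.2.2.3: re-authentication callback."""
        err = self._check(body, "SLICE_RE_AUTH")
        if err:
            return err
        ue, snssai = self.ues[body["gpsi"]], body["snssai"]
        if snssai in ue["allowed"]:
            self.reauth_requests.append((body["gpsi"], snssai))  # trigger NAS re-auth
        else:
            # S-NSSAI not in the Mapping Of Allowed NSSAI: drop any kept status so a
            # fresh NSSAA runs the next time the UE requests this S-NSSAI
            ue["nssaaStatusList"].pop(snssai, None)
        return 204, None

    def revocation_notification(self, body):
        """Clause 5.2.2.4: revocation callback."""
        err = self._check(body, "SLICE_REVOCATION")
        if err:
            return err
        ue, snssai = self.ues[body["gpsi"]], body["snssai"]
        ue["nssaaStatusList"].pop(snssai, None)  # remove the stored result
        # release PDU sessions on the revoked slice via the SMF
        self.released_sessions += ue["pduSessions"].pop(snssai, [])
        return 204, None
```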
5.3 Nnssaaf_AIW Service
5.3.1 Service Description
The Nnssaaf_AIW service provides primary Authentication and Authorization service to the consumer NF (AUSF) by relaying EAP or EAP-TTLS inner method messages towards an AAA Server and performing related protocol conversion as needed. The NSSAAF is acting as NF Service Producer, while the AUSF is the NF Service Consumer.
The following functionalities are provided by the Nnssaaf_AIW service:
– Perform primary authentication and authorization for a given UE towards an AAA Server.
The Nnssaaf_AIW service supports the following service operations.
Table 5.3.1-1: Service operations supported by the Nnssaaf_AIW service
Service Operations | Description | Operation Semantics | Example Consumer(s)
Authenticate | Perform primary authentication and authorization for a given UE towards an AAA Server. | Request/Response | AUSF
5.3.2 Service Operations
5.3.2.1 Introduction
See Table 5.3.1-1 for an overview of the service operations supported by the Nnssaaf_AIW service.
5.3.2.2 Authenticate
5.3.2.2.1 General
The Authenticate service operation permits the NF Service Consumer (i.e., the AUSF) to perform authentication and authorization for a given UE towards an AAA Server.
The NF Service Consumer (i.e., the AUSF) shall send a POST request to the resource representing authentication collection (i.e., …/v1/authentications) to request the NSSAAF to create the corresponding resource context and perform primary authentication and authorization.
Figure 5.3.2.2.1-1: AAA Interworking Authentication and Authorization
1. The NF Service Consumer (AUSF) shall send a POST request (AuthInfo) to the NSSAAF, targeting the resource of authentication collection (i.e., …/v1/authentications), to perform authentication and authorization.
The payload of the body shall contain the authentication information, which may include:
– UE ID (i.e. SUPI)
– EAP-ID Response message
– EAP-TTLS Inner Method Container
2. The NSSAAF creates an authentication context for the UE and starts the authentication and authorization procedure. The NSSAAF shall send an authentication request message to the AAA-S. Depending on the result, either step 3a or step 3b is performed. The NSSAAF obtains the AAA-S address from local configuration.
3a. On success, "201 Created" shall be returned (AuthContext). The "Location" header shall contain the URI of the created resource (e.g., …/v1/authentications/{authCtxId}). The payload body shall contain the authentication context, which includes the EAP message generated by the AAA-S.
3b. On failure, one of the HTTP status codes listed in Table 6.2.7.3-1 shall be returned with the message body containing a ProblemDetails structure with the "cause" attribute set to one of the application errors listed in Table 6.2.7.3-1.
4. Upon receiving an EAP message from the UE, the NF Service Consumer (i.e., the AUSF) shall send a PUT request (AuthConfirmationData) to the NSSAAF, targeting the resource of the authentication context (i.e., …/v1/authentications/{authCtxId}).
The payload body shall carry the authentication confirmation data which includes:
– UE ID (i.e., SUPI)
– EAP Message (which is received from the UE)
5. The NSSAAF shall forward the EAP Message to the AAA-S to confirm the authentication and authorization. Depending on the result, either step 6a or step 6b is performed.
6a. On success, "200 OK" shall be returned (AuthConfirmationResponse). The payload body shall contain the authentication confirmation response, which includes the EAP message (e.g., EAP success/failure message) generated by the AAA-S.
If the UE is authenticated, the NSSAAF shall set the "authResult" attribute to "EAP_SUCCESS"; the response message shall contain the MSK received from the AAA-S and may contain the address of the SNPN UE onboarding Provisioning Servers (PVS).
If authentication of the UE fails, the "authResult" attribute shall be set to "EAP_FAILURE".
If a subsequent EAP message exchange is needed between the UE and the NSSAAF (AAA-S), the NSSAAF shall not include AuthResult in the response message.
6b. On failure or redirection, one of the HTTP status codes listed in Table 6.2.7.3-1 shall be returned with the message body containing a ProblemDetails structure with the "cause" attribute set to one of the application errors listed in Table 6.2.7.3-1.
7-9. If a subsequent EAP message exchange is needed between the UE and the NSSAAF to finish the EAP-based authentication, steps 7-9 are performed. On failure or redirection, one of the HTTP status codes listed in Table 6.2.7.3-1 shall be returned with the message body containing a ProblemDetails structure with the "cause" attribute set to one of the application errors listed in Table 6.2.7.3-1.
In the above steps, if no response is received from the AAA-S before the timeout expires, the NSSAAF shall return HTTP status code "504 Gateway Timeout", with the message body containing a ProblemDetails structure with the "cause" attribute set to "TIMED_OUT_REQUEST".
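The producer side of the Nnssaaf_AIW Authenticate operation (steps 3a, 6a, 7-9 and the timeout rule), as an added example that is not code from TS 29.526 or any NSSAAF implementation: the NSSAAF inspects the EAP packet the AAA-S returns and decides whether to include "authResult", the MSK and the PVS address, or to answer 504 with "TIMED_OUT_REQUEST". The 4-octet EAP header (Code, Identifier, Length) follows RFC 3748; the aaa_reply structure and the JSON attribute names eapPayload, msk and pvsAddr are assumptions for this example.

```python
# Added example: NSSAAF (Nnssaaf_AIW producer) mapping an AAA-S reply to the
# Authenticate response. aaa_reply layout and eapPayload/msk/pvsAddr are assumed.
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


def parse_eap_header(msg: bytes):
    """Return (code, identifier, length) of an RFC 3748 EAP packet, checking
    that the Length field matches the octets actually received."""
    if len(msg) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError(f"EAP Length {length} != {len(msg)} octets received")
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    return code, ident, length


def build_aiw_response(aaa_reply, initial=False):
    """aaa_reply is None when the AAA-S did not answer before the timer expired,
    otherwise a dict with "eap" (bytes) and optionally "msk" (bytes) and "pvs".
    initial=True marks the reply to the creating POST (step 3a) rather than a PUT.
    Returns (http_status, body) as sent to the AUSF."""
    if aaa_reply is None:
        return 504, {"cause": "TIMED_OUT_REQUEST"}
    eap = aaa_reply["eap"]
    code, _, _ = parse_eap_header(eap)
    body = {"eapPayload": eap.hex()}             # attribute name assumed
    if code == EAP_REQUEST:                      # further round trips: no AuthResult
        return (201 if initial else 200), body
    if code == EAP_SUCCESS:
        if "msk" not in aaa_reply:
            # the success response shall carry the MSK from the AAA-S; without it
            # primary authentication cannot complete (handling here is an assumption)
            raise ValueError("AAA-S reported EAP-Success without an MSK")
        body["authResult"] = "EAP_SUCCESS"
        body["msk"] = aaa_reply["msk"].hex()
        if "pvs" in aaa_reply:                   # optional onboarding PVS address
            body["pvsAddr"] = aaa_reply["pvs"]
        return 200, body
    if code == EAP_FAILURE:
        body["authResult"] = "EAP_FAILURE"
        return 200, body
    raise ValueError("AAA-S must not send an EAP Response towards the UE")
```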