8 Interworking with DN (IP)

3GPP TS 29.561: 5G System; Interworking between 5G Network and external Data Networks; Stage 3 (Release 17)

8.1 General

5GS shall support interworking with DNs based on the Internet Protocol (IP). These interworked networks may be either intranets or the Internet.

8.2 DN Interworking Model

8.2.1 General

When interworking with the IP networks, the 5GS can operate IPv4 and/or IPv6. The interworking point is shown in clause 6.

The UPF for interworking with the IP network is the 5GS access point (see figure 8.2.1-1).

Figure 8.2.1-1: The protocol stacks of UPF for the IP network interworking

Typically, in the IP networks, the interworking with subnetworks is done via IP routers. The N6 reference point is between the UPF and the external IP network. From the external IP network’s point of view, the UPF is seen as a normal IP router. The L2 and L1 layers are operator specific.

It is out of the scope of the present document to standardise the router functions and the used protocols in the N6 reference point.

Interworking with user defined ISPs and private/public IP networks is subject to interconnect agreements between the network operators.

8.2.2 Access to DN through 5G Network

8.2.2.1 Transparent access to DN

Figure 8.2.2.1-1: Example of the DN Interworking Model, transparent case

In figure 8.2.2.1-1, an example DN interworking model for transparent access to the Internet is provided for a UPF in the 5GS and its N6 reference point.

In transparent access to the Internet case:

– the UE is given an IPv4 address and/or an IPv6 prefix belonging to the operator addressing space. The IPv4 address and/or IPv6 prefix is assigned either at subscription, in which case it is a static address, or at PDU session establishment, in which case it is a dynamic address. This IPv4 address and/or IPv6 prefix, if applicable, is used for packet forwarding between the Internet and the UPF and within the 5GS. With IPv6, Stateless Address Autoconfiguration shall be used to assign an IPv6 address to the UE. These procedures are as described in the IPv6 non-transparent access case, except that the addresses belong to the operator addressing space.

– the UE need not send any authentication request at PDU session establishment procedure and the SMF/UPF need not take any part in the user authentication/authorization process.

The transparent case provides at least a basic ISP service. It may therefore also provide a QoS flow service for a tunnel to a private Intranet. The user level configuration may be carried out between the UE and the Intranet; the 5GS is transparent to this procedure. The protocol stack used is depicted in figure 8.2.2.1-2.

Figure 8.2.2.1-2: Transparent access to an Intranet

The communication between the PLMN and the Intranet may be performed over any network, even an insecure network, e.g. the Internet. There is no specific security protocol between the UPF and the Intranet, because security is ensured on an end-to-end basis between the UE and the Intranet by the "Intranet Protocol".

User authentication and encryption of user data are done within the "Intranet Protocol" if either of them is needed. This "Intranet Protocol" may also carry private (IP) addresses belonging to the address space of the Intranet.

An example of an "Intranet Protocol" is IPsec (see IETF RFC 1825 [29]). If IPsec is used for this purpose, the IPsec Authentication Header (see IETF RFC 1826 [30]) or the Encapsulating Security Payload (see IETF RFC 1827 [31]) may be used for user (data) authentication and for the confidentiality of user data. In this case private IP tunnelling within public IP takes place.

8.2.2.2 IPv4 Non-transparent access to DN

In this case:

– a static or a dynamic IPv4 address belonging to the Intranet/ISP addressing space is allocated to a UE at PDU session establishment. The methods of allocating an IP address to the UE are specified in 3GPP TS 23.501 [2]. The allocated IPv4 address is used for packet forwarding within the UPF and for packet forwarding on the Intranet/ISP;

– as a part of the PDU session establishment, the SMF may request user authentication from an external DN-AAA server (i.e. RADIUS, Diameter) belonging to the Intranet/ISP;

– the IPv4 address allocation to the UE may be performed based on the subscription or a local address pool, which belongs to the Intranet/ISP addressing space, provisioned in the SMF; or via the address allocation servers (i.e. DHCPv4, RADIUS DN-AAA, Diameter DN-AAA) belonging to the Intranet/ISP;

– if requested by the UE at PDU session establishment, the SMF may retrieve the Protocol Configuration Options or IPv4 configuration parameters from a locally provisioned database in SMF and/or from some external server (i.e. DHCPv4, RADIUS DN-AAA, Diameter DN-AAA) belonging to the Intranet/ISP;

– the communication between the 5GS and the Intranet/ISP may be performed over any network, even an insecure network, e.g. the Internet. In case of an insecure connection between the UPF and the Intranet/ISP, there may be a specific security protocol in between. This security protocol is defined by mutual agreement between PLMN operator and Intranet/ISP administrator.

Table 8.2.2.2-1 summarizes the IPv4 address allocation and parameter configuration use cases between the UE and the SMF that may lead the SMF to interwork with the external DHCPv4, DN-AAA servers. For detailed description of the signalling flows between the UE and the SMF, see the references in the table.

Table 8.2.2.2-1: IPv4 address allocation and parameter configuration use cases

Signalling use cases between SMF and external servers (columns):

  (A) Authentication via RADIUS or Diameter DN-AAA server (clauses 11 or 12) (NOTE 1, NOTE 2 and NOTE 4)

  (B) IPv4 address allocation via DHCPv4 or RADIUS or Diameter DN-AAA server (clauses 10, 11 or 12) (NOTE 1 and NOTE 2)

  (C) IPv4 parameter configuration via DHCPv4 or RADIUS or Diameter DN-AAA server (clauses 10, 11 or 12) (NOTE 1 and NOTE 2)

Signalling use cases between UE and SMF (rows):

| Signalling use case between UE and SMF                                                                              | (A) | (B) | (C) |
| (1) IPv4 address allocation and parameter configuration via activation of the QoS flow associated with the default QoS rule |     |     |     |
| (2) IPv4 address allocation and parameter configuration via DHCPv4 signalling from the UE towards the SMF (NOTE 3)  |  X  |  X  |  X  |
| (3) IPv4 address allocation and parameter configuration in untrusted non-3GPP IP access                             |  X  |  X  |  X  |

NOTE 1: When the SMF interworks with AAA servers, the DNN may be configured to interwork with either Diameter DN-AAA or RADIUS DN-AAA server.

NOTE 2: If RADIUS DN-AAA or Diameter DN-AAA server is used, the authentication, IPv4 address allocation and parameter configuration signalling may be combined. Similarly, if DHCPv4 server is used for IPv4 address allocation and parameter configuration, the signalling towards the DHCPv4 server may be combined.

NOTE 3: If the authentication and authorization procedure towards RADIUS DN-AAA or Diameter DN-AAA is required, it is performed by the SMF before the DHCPv4 signalling when it receives the initial access request (i.e. Nsmf_PDUSession_CreateSMContext).

NOTE 4: The UEs may provide PAP/CHAP user credentials in the ePCO IE when accessing the 5GS, or the 5GS interworking with EPS, on 3GPP and non-3GPP IP accesses. If such information is provided to the SMF or SMF+PGW-C, the SMF or SMF+PGW-C may perform user authentication with the DN-AAA server based on these credentials.

NOTE: External network operators intending to use PAP/CHAP without proper underlying protection for authentication are warned about the respective vulnerabilities of the PAP and CHAP protocols from a security point of view. It is up to the external network operator to perform the risk assessment if PAP/CHAP is used for authentication.
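The following Python model is an added illustration of the SMF decision described in clause 8.2.2.2 and the notes of Table 8.2.2.2-1; it is not 3GPP code and not part of any SMF implementation. It assumes a per-DNN profile that names the allocation source (SMF-internal pool, DN-AAA or DHCPv4) and at most one DN-AAA flavour per DNN (NOTE 1), performs DN-AAA authentication before any DHCPv4 exchange (NOTE 3), uses PAP/CHAP credentials only when the UE supplied them in the ePCO IE (NOTE 4), and combines authentication with address allocation when the DN-AAA server returns a framed address (NOTE 2). The DN-AAA and DHCPv4 servers are stand-ins with constructed users and addresses; profile names, users and passwords are constructed as well.

```python
"""SMF decision logic for IPv4 non-transparent access (clause 8.2.2.2).

Added example, not 3GPP code: it models the per-DNN choice between a local
address pool, a RADIUS/Diameter DN-AAA server and a DHCPv4 server, and the
ordering rule of NOTE 3 (DN-AAA authentication before DHCPv4 signalling).
All profile names, users, passwords and addresses below are constructed.
"""
import ipaddress

# Constructed per-DNN configuration held in the SMF. Per NOTE 1 a DNN
# interworks with at most one DN-AAA flavour ("radius" or "diameter").
DNN_PROFILES = {
    "intranet.example": {"aaa": "radius",   "alloc": "aaa"},     # auth + allocation combined (NOTE 2)
    "isp.example":      {"aaa": None,       "alloc": "pool", "pool": "198.51.100.0/29"},
    "dhcp.example":     {"aaa": "diameter", "alloc": "dhcpv4"},  # auth first, then DHCPv4 (NOTE 3)
}


class FakeDnAaa:
    """Stand-in DN-AAA server with a constructed user table.

    An entry maps user name -> (PAP password, address returned on accept).
    """
    USERS = {"alice": ("pw-alice", "203.0.113.10")}

    def access_request(self, user, password):
        entry = self.USERS.get(user)
        if entry is None or entry[0] != password:
            return {"result": "Access-Reject"}
        return {"result": "Access-Accept", "framed_ip": entry[1]}


class FakeDhcpv4:
    """Stand-in DHCPv4 server: hands out successive addresses from a constructed range."""
    def __init__(self, start="192.0.2.50"):
        self._next = ipaddress.IPv4Address(start)

    def lease(self):
        addr, self._next = self._next, self._next + 1
        return str(addr)


class LocalPool:
    """SMF-internal pool belonging to the Intranet/ISP address space."""
    def __init__(self, cidr):
        self._free = list(ipaddress.ip_network(cidr).hosts())

    def allocate(self):
        if not self._free:
            raise RuntimeError("pool exhausted")
        return str(self._free.pop(0))


# One shared instance of each external server, and one pool per pool-backed DNN.
_AAA = FakeDnAaa()
_DHCP = FakeDhcpv4()
_POOLS = {dnn: LocalPool(p["pool"]) for dnn, p in DNN_PROFILES.items() if "pool" in p}


def create_sm_context(dnn, credentials=None):
    """Handle Nsmf_PDUSession_CreateSMContext for an IPv4 DNN.

    credentials: (user, password) taken from the ePCO IE, or None when the UE
    sent none (NOTE 4). Returns (outcome, ipv4_address_or_reason, steps), where
    steps records the order in which external servers were contacted.
    """
    profile = DNN_PROFILES[dnn]
    steps = []
    framed_ip = None

    # Step 1: authentication, which NOTE 3 places before any DHCPv4 exchange.
    if profile["aaa"] is not None:
        if credentials is None:
            # Design choice of this example: an AAA-protected DNN with no
            # credentials from the UE is rejected rather than guessed.
            return "rejected", "no credentials in ePCO", steps
        steps.append("aaa:" + profile["aaa"])
        reply = _AAA.access_request(*credentials)
        if reply["result"] != "Access-Accept":
            return "rejected", "Access-Reject from DN-AAA", steps
        framed_ip = reply.get("framed_ip")

    # Step 2: address allocation from the source configured for the DNN.
    if profile["alloc"] == "aaa":
        ip = framed_ip                      # combined auth + allocation (NOTE 2)
    elif profile["alloc"] == "pool":
        steps.append("pool")
        ip = _POOLS[dnn].allocate()
    elif profile["alloc"] == "dhcpv4":
        steps.append("dhcpv4")
        ip = _DHCP.lease()
    else:
        raise ValueError("unknown allocation source " + repr(profile["alloc"]))
    return "accepted", ip, steps
```

The value of tracing `steps` is that it makes the NOTE 3 ordering visible: for the DHCPv4-backed DNN the DN-AAA exchange always appears before the DHCPv4 lease, and an Access-Reject ends the procedure before any address is requested.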

8.2.2.3 IPv6 Non-transparent access to DN

When using IPv6 Address Autoconfiguration, the process of setting up the access to an Intranet or ISP involves two signalling phases. The first signalling phase is done in the control plane and consists of the PDU session establishment over 3GPP or non-3GPP access to the 5GS; it is followed by a second signalling phase done in the user plane.

The user plane signalling phase shall be stateless. The stateless procedure, which involves only the UE and the SMF, is described in clause 10.2.3.

For DNNs that are configured for IPv6 address allocation, the SMF shall only use the Prefix part of the IPv6 address for forwarding of mobile terminated IP packets. The size of the prefix shall be according to the maximum prefix length for a global IPv6 address as specified in the IPv6 Addressing Architecture, see IETF RFC 4291 [32].

The SMF indicates to the UE that Stateless Autoconfiguration shall be performed by sending Router Advertisements as described in clause 10.2.3 and according to the principles defined in IETF RFC 4861 [33] and IETF RFC 4862 [34].

For UEs supporting IPv6, IPv6 Stateless Address Autoconfiguration is mandatory.

In this case, the SMF provides the UE with an IPv6 Prefix belonging to the Intranet/ISP addressing space. A dynamic IPv6 address is given using stateless address autoconfiguration. This IPv6 address is used for packet forwarding within the UPF and for packet forwarding on the Intranet/ISP.

When an SMF receives an initial access request (i.e. Nsmf_PDUSession_CreateSMContext) message, the SMF deduces from local configuration data associated with the DNN:

– The source of IPv6 Prefixes (SMF internal prefix pool, or external address allocation server);

– Any server(s) to be used for address allocation, authentication and/or protocol configuration options retrieval (e.g. IMS related configuration, see 3GPP TS 24.229 [13]);

– The protocol, i.e. RADIUS, Diameter or DHCPv6, to be used with the server(s);

– The communication and security features needed to communicate with the server(s).

As an example, the SMF may use one of the following options:

– SMF internal Prefix pool for IPv6 prefix allocation and no authentication;

– SMF internal Prefix pool for IPv6 prefix allocation and RADIUS for authentication. The RADIUS DN-AAA server responds with either an Access-Accept or an Access-Reject to the RADIUS client in the SMF;

– RADIUS for authentication and IPv6 prefix allocation. The RADIUS DN-AAA server responds with either an Access-Accept or an Access-Reject to the RADIUS client in the SMF.

The SMF includes the IPv6 address composed of a Prefix and an Interface-Identifier in the initial access response (Namf_Communication_N1N2MessageTransfer). The Interface-Identifier may have any value and it does not need to be unique within or across DNNs. It shall however not conflict with the Interface-Identifier that the SMF has selected for its own side of the UE-SMF link. The Prefix assigned by the SMF or the external DN-AAA server shall be globally or site-local unique (see the Note in clause 11.3 of this document regarding the usage of site-local addresses).
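The Python below is an added example, not 3GPP code, that applies three rules stated in this clause to constructed values: the prefix length follows the IPv6 Addressing Architecture (this example reads IETF RFC 4291 [32] as a 64-bit prefix with a 64-bit Interface-Identifier for global unicast addresses, hence /64), the Interface-Identifier handed to the UE may be any value except the one the SMF uses on its own side of the UE-SMF link, and mobile-terminated forwarding matches on the prefix only, so an address the UE later autoconfigures with a different identifier still reaches its PDU session. The prefix, identifiers, PDU session id and packet addresses are constructed; the class and function names are this example's own.

```python
"""IPv6 prefix and Interface-Identifier handling at the SMF (clause 8.2.2.3).

Added example, not 3GPP code. Prefix, identifiers and addresses are constructed.
"""
import ipaddress

# This example's reading of RFC 4291: a global unicast address is a 64-bit
# prefix followed by a 64-bit Interface-Identifier, so the SMF works with /64.
PREFIX_LEN = 64


def validate_prefix(prefix_str):
    """Return the allocated prefix as an IPv6Network, rejecting lengths other than /64."""
    net = ipaddress.IPv6Network(prefix_str, strict=True)
    if net.prefixlen != PREFIX_LEN:
        raise ValueError("prefix %s is /%d; SMF expects /%d" % (net, net.prefixlen, PREFIX_LEN))
    return net


def compose_address(prefix, iid, smf_link_iid):
    """Form Prefix + Interface-Identifier for the initial access response.

    iid and smf_link_iid are 64-bit integers. The IID need not be unique within
    or across DNNs, but must differ from the SMF's own IID on the UE-SMF link.
    """
    if not 0 <= iid < 2 ** 64 or not 0 <= smf_link_iid < 2 ** 64:
        raise ValueError("interface identifiers are 64-bit values")
    if iid == smf_link_iid:
        raise ValueError("IID collides with the SMF's own link-side identifier")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


class DownlinkTable:
    """Mobile-terminated forwarding keyed by the /64 prefix, never by the full address."""

    def __init__(self):
        self._by_prefix = {}

    def bind(self, prefix, pdu_session_id):
        self._by_prefix[prefix] = pdu_session_id

    def lookup(self, dst):
        """Return the PDU session for a destination address, or None if no prefix matches."""
        dst = ipaddress.IPv6Address(dst)
        net = ipaddress.IPv6Network((dst, PREFIX_LEN), strict=False)
        return self._by_prefix.get(net)


def demo():
    """Walk through one allocation; values are constructed for the example."""
    prefix = validate_prefix("2001:db8:abcd:12::/64")
    smf_iid = 0x0000000000000001                 # SMF's identifier on the UE-SMF link
    ue_addr = compose_address(prefix, 0x02005efffe005301, smf_iid)
    table = DownlinkTable()
    table.bind(prefix, pdu_session_id=7)
    # The UE later autoconfigures its own IID by SLAAC; forwarding still
    # works because only the prefix is consulted.
    slaac_addr = "2001:db8:abcd:12:dead:beef:cafe:1"
    return str(ue_addr), table.lookup(slaac_addr), table.lookup("2001:db8:ffff::1")


if __name__ == "__main__":
    print(demo())
```

The point of keying the table by prefix rather than by the full address is exactly the one the clause makes: the Interface-Identifier the SMF picks is only a starting value, and the UE's actual addresses are a product of autoconfiguration.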

Table 8.2.2.3-1 summarizes the IPv6 prefix allocation and parameter configuration use cases between the UE and the SMF that may lead the SMF to interwork with the external RADIUS DN-AAA, Diameter DN-AAA and DHCPv6 servers. For detailed description of the signalling flows between the UE and the SMF, see the references in the table.

Table 8.2.2.3-1: IPv6 prefix allocation and parameter configuration use cases

Signalling use cases between SMF and external servers (columns):

  (A) Authentication via RADIUS or Diameter DN-AAA server (clauses 11 or 12) (NOTE 1, NOTE 2 and NOTE 3)

  (B) IPv6 prefix allocation via DHCPv6 or RADIUS or Diameter DN-AAA server (clauses 10, 11 or 12) (NOTE 1 and NOTE 2)

  (C) IPv6 parameter configuration via DHCPv6 or RADIUS or Diameter DN-AAA server (clauses 10, 11 or 12) (NOTE 1 and NOTE 2)

Signalling use cases between UE and SMF (rows):

| Signalling use case between UE and SMF                                                  | (A) | (B) | (C) |
| (1) IPv6 address allocation and parameter configuration                                 |     |     |     |
| (2) IPv6 parameter configuration via stateless DHCPv6                                   |  X  |  X  |  X  |
| (3) IPv6 address allocation and parameter configuration in untrusted non-3GPP IP access |  X  |  X  |  X  |

NOTE 1: When the SMF interworks with DN-AAA servers, the DNN may be configured to interwork with either Diameter DN-AAA or RADIUS DN-AAA server.

NOTE 2: If RADIUS DN-AAA or Diameter DN-AAA server is used, the authentication, IPv6 prefix allocation and parameter configuration signalling may be combined. Similarly, if DHCPv6 server is used for IPv6 prefix allocation and parameter configuration, the signalling towards the DHCPv6 server may be combined.

NOTE 3: The UEs may provide PAP/CHAP user credentials in the ePCO IE when accessing the 5GS, or the 5GS interworking with EPS, on 3GPP and non-3GPP IP accesses. If such information is provided to the SMF or SMF+PGW-C, the SMF or SMF+PGW-C may perform user authentication with the DN-AAA server based on these credentials.

NOTE: External network operators intending to use PAP/CHAP without proper underlying protection for authentication are warned about the respective vulnerabilities of the PAP and CHAP protocols from a security point of view. It is up to the external network operator to perform the risk assessment if PAP/CHAP is used for authentication.

For IPv6, the PDU session establishment phase is followed by an address autoconfiguration phase. The IPv6 prefix is delivered to the UE in a Router Advertisement message from the SMF, which acts as an access router, in the process of IPv6 Stateless Address Autoconfiguration as described in clause 10.2.2. Besides the DHCPv6 protocol, the SMF may also use the RADIUS or Diameter protocol for the retrieval of an IPv6 prefix from the external DN.