C.2.1 When http URI scheme is used

3GPP TS 29.573: 5G System; Public Land Mobile Network (PLMN) Interconnection; Stage 3 (Release 18)

C.2.1.1 General

The following figure shows the end to end call flow between an NF service consumer and an NF service producer in different PLMNs when:

– the SEPP in each PLMN acts as a security proxy;

– the negotiated security policy between the SEPPs is TLS;

– "http" scheme URI is used between the NF service consumer and NF service producer; and

– "http" scheme URI is used for accessing NRF’s NF discovery service.

NOTE: There may be one or more IPX(s), offering only IP routing service without content modification or observation of the information, in between the SEPPs.

C.2.1.2 Without TLS protection between NF and SEPP and with TLS security without the 3gpp-Sbi-Target-apiRoot header used over N32f

Figure C.2.1.2-1: End to end call flow when http scheme URI is used and TLS security without the 3gpp-Sbi-Target-apiRoot header is used between SEPPs

1. The SEPP on the NF service consumer side (c-SEPP) and the SEPP on the NF service producer side (p-SEPP) negotiate the security capabilities using the procedure specified in clause 5.2.2. The SEPPs mutually negotiate to use TLS as the security policy.

2. A TLS connection is set up between the c-SEPP and the p-SEPP for N32-f forwarding.

3. Before the NF service consumer starts using the API of the NF service producer it needs to discover the NF service profile of the producer by querying the NRF. The NF service consumer uses "http" scheme URI to access the Nnrf_NFDiscovery service.

4. The NRF on the NF service consumer side (c-NRF) needs to further initiate a discovery request to the NRF on the NF service producer side (p-NRF). The c-NRF is configured to route all HTTP messages with inter PLMN FQDN as the "authority" part of the URI via the c-SEPP. The c-SEPP acts as a HTTP proxy.

5. The c-SEPP forwards the NF discovery request within the N32-f TLS tunnel established in step 2.

6. The p-SEPP forwards the NF discovery request to the p-NRF.

7. The p-NRF sends the NF discovery response. The NF service profile contains service URI with "http" scheme. The FQDN of the NF service is an inter PLMN FQDN.

8. The p-SEPP forwards the NF discovery response within TLS tunnel to the c-SEPP.

9. The c-SEPP forwards the NF discovery response to c-NRF.

10. The c-NRF sends the NF discovery response to NF service consumer.

11. The NF service profile received at the NF service consumer contains service URI with "http" scheme. The NF service consumer initiates a HTTP message (as supported by the NF service producer API) using "http" scheme URI. The NF service consumer is configured to route all HTTP messages with inter PLMN FQDN as the "authority" part of the URI via the c-SEPP. The c-SEPP acts as a HTTP proxy.

12. The c-SEPP forwards the HTTP service request within the N32-f TLS tunnel established in step 2.

13. The p-SEPP forwards the HTTP service request to the NF service producer.

14. The NF service producer sends the HTTP service response.

15. The p-SEPP forwards the HTTP service response within TLS tunnel to the c-SEPP.

16. The c-SEPP forwards the HTTP service response to the NF service consumer.

C.2.1.3 Without TLS protection between NF and SEPP and with TLS security with the 3gpp-Sbi-Target-apiRoot header used over N32f

Figure C.2.1.3-1: End to end call flow when http scheme URI is used and TLS security with the 3gpp-Sbi-Target-apiRoot header is used between SEPPs

1. Same as step 1 of Figure C.2.1.2-1.

2. Same as step 3 of Figure C.2.1.2-1.

3. Same as step 4 of Figure C.2.1.2-1.

4. The c-SEPP sets up a TLS connection with the authoritative server for the p-SEPP FQDN (in the apiRoot of the Request URI) and verifies that the certificate presented by the endpoint of the TLS connection belongs to the authoritative server of the p-SEPP. The c-SEPP is configured with the p-SEPP FQDN.

5. The c-SEPP sets the apiRoot in the request URI with the apiRoot of the p-SEPP, inserts the 3gpp-Sbi-Target-apiRoot header set to the apiRoot of the p-NRF, and sends the request towards p-SEPP.

6. The p-SEPP extracts the HTTP message received on the TLS connection, replaces the apiRoot of the p-SEPP FQDN in the request URI with the apiRoot of the p-NRF received in the 3gpp-Sbi-Target-apiRoot header, and then seeing that the URI scheme of the NF discovery service of the p-NRF is "http", the p-SEPP forwards the NF discovery request to the p-NRF.

7 to 11. Same as steps 7 to 11 of Figure C.2.1.2-1.

12. The c-SEPP sets the apiRoot of the p-SEPP FQDN in the request URI, inserts the 3gpp-Sbi-Target-apiRoot header set to the apiRoot of the p-NF, and sends the request towards p-SEPP.

13. The p-SEPP extracts the HTTP message received on the TLS connection, replaces the apiRoot of the p-SEPP FQDN in the request URI with the apiRoot of the p-NF received in the 3gpp-Sbi-Target-apiRoot header and then seeing that the URI scheme of the NF service producer is "http", the p-SEPP forwards the request to the p-NF.

13 to 16. Same as steps 13 to 16 of Figure C.2.1.2-1.
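
The apiRoot handling in steps 5, 6, 12 and 13 of Figure C.2.1.3-1 can be followed in the sketch below, which is an added example and not text or code from the specification. It assumes an apiRoot is just scheme://authority with no deployment-specific prefix, uses constructed FQDNs, and the function names and the own-PLMN suffix check at the p-SEPP are assumptions of this sketch rather than steps of the call flow.

```python
from urllib.parse import urlsplit, urlunsplit

TARGET_HEADER = "3gpp-Sbi-Target-apiRoot"
# Constructed sample values (assumptions, not taken from the specification).
P_SEPP_API_ROOT = "https://sepp.5gc.mnc002.mcc262.3gppnetwork.org"
P_PLMN_SUFFIX = ".5gc.mnc002.mcc262.3gppnetwork.org"


def split_api_root(uri):
    """Split a URI into (apiRoot, rest); assumes apiRoot is scheme://authority, no prefix."""
    p = urlsplit(uri)
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError(f"not an absolute http(s) URI: {uri!r}")
    return f"{p.scheme}://{p.netloc}", urlunsplit(("", "", p.path, p.query, ""))


def c_sepp_rewrite(request_uri, headers):
    """Steps 5 and 12: address the p-SEPP and carry the real target in the header."""
    target_root, rest = split_api_root(request_uri)
    out = dict(headers)
    out[TARGET_HEADER] = target_root
    return P_SEPP_API_ROOT + rest, out


def p_sepp_restore(request_uri, headers):
    """Steps 6 and 13: put the target apiRoot back and choose the onward transport."""
    own_root, rest = split_api_root(request_uri)
    if own_root != P_SEPP_API_ROOT:
        raise ValueError("request URI is not addressed to this SEPP")
    values = [v for k, v in headers.items() if k.lower() == TARGET_HEADER.lower()]
    if len(values) != 1:
        raise ValueError("expected exactly one 3gpp-Sbi-Target-apiRoot header")
    target_root, extra = split_api_root(values[0])
    t = urlsplit(values[0])
    if extra or t.username is not None:
        raise ValueError("header must carry a bare apiRoot")
    # Added safeguard (assumption of this sketch): only forward into the own PLMN.
    if not (t.hostname or "").endswith(P_PLMN_SUFFIX):
        raise ValueError("target apiRoot is outside this PLMN")
    transport = "cleartext" if t.scheme == "http" else "tls"
    return target_root + rest, transport
```

The returned transport reflects the last clause of steps 6 and 13: because the restored apiRoot has the "http" scheme, the hop from the p-SEPP to the p-NRF or p-NF is not TLS protected, so that segment relies on the protection of the producer PLMN's internal network.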