# [Intern] 22/09/2022 Roaming architecture in the 5G.
###### tags: `BMW-Lab`, `Intern`

:::success
**Goal:**
To understand a roaming architecture in the 5G
:::

:::success
**References**
{%youtube rHylPiSGBbg %}
- [5G Roaming architecture](https://ieeexplore.ieee.org/document/9609936)
:::

## Background of a roaming architecture

The 5G roaming architecture enables operators to expand their existing roaming agreements and networks to incorporate 5GS. However, there are both similarities to and differences between EPS roaming and 5GS roaming that operators need to understand. For example, Service-Based Architecture (SBA) and security functionality to protect the network edge are new in the 5GS, supported by a new network function (NF) called the Security Edge Protection Proxy (SEPP).

![](https://imgur.com/a7eMvmG.png)

The figure above shows a simplified roaming architecture that includes interworking with the EPS. I have excluded additional NFs such as those for SMS, location handling and so on. While this architecture supports roaming using only the 5GS in the VPLMN and the Home Public Land Mobile Network (HPLMN), it is based on the assumption that interworking with the EPS will be required in the initial phases of roaming.

The architecture shown in the figure above requires a UE capable of using both the EPS and 5GS to be able to roam between the two. The same architecture in the HPLMN can also be used for 4G/NSA UEs and for UEs that are not allowed to use 5GS when roaming, but in those cases only the EPS will be used in the VPLMN.

When the UE connects to the VPLMN, it will register with the Access and Mobility Management Function (AMF). The AMF will query the Network Repository Function (NRF), which in this case serves as a visited-NRF (V-NRF), and the V-NRF will query the home-NRF (H-NRF) to find the Authentication Server Function (AUSF) and the Unified Data Management (UDM) in the HPLMN.
Both the traffic between the V-NRF and the H-NRF, as well as all other control plane traffic between the VPLMN and HPLMN, will pass through the SEPPs.

The UE usually sets up one or more protocol data unit (PDU) sessions, which is similar to the non-roaming call flows except that both the V-NRF and H-NRF, as well as the SEPPs, are involved. The usage of a visited Session Management Function (V-SMF) and the relocation of the V-SMF at mobility are specific to roaming – that is, the V-SMF is only used when the UE is in the VPLMN and the PDU session is anchored in the home-SMF (H-SMF) in the HPLMN. In EPS roaming, the EPC nodes serving gateway (SGW) and packet data network gateway (PDN-GW) are used in a PDN connection, regardless of whether the UE is in the VPLMN or the HPLMN.

## Roaming-specific functionality:

## Home control of authentication

In previous generations, the UE authentication is executed at the serving nodes: the Mobility Management Entity (MME) in the EPC and the mobile switching center/serving GPRS support node in 2G/3G. In the case of roaming, this implies that the execution of UE authentication is delegated to the VPLMN. The delegation of authentication to the MME in a VPLMN is also applicable when a 5G user connects to the EPC while roaming.

The 5GC increases the control of the execution of the UE authentication procedure in the HPLMN, as the UE authentication is always executed and controlled in the AUSF at the HPLMN. Additionally, the AUSF informs the UDM about the result of each UE authentication procedure, so that the UDM can link the result of the authentication with subsequent procedures. This is useful to prevent certain types of fraud, such as fraudulent requests for registering a serving AMF in UDM for subscribers that are not actually present (that is, not authenticated) in the VPLMN.
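
The linkage described above, modelled in Python as an added example (not part of the original note, and not a 3GPP-defined API): the UDM keeps the last AUSF-reported result per subscriber and refuses a serving-AMF registration that is not backed by a fresh, successful authentication for the same serving PLMN. The class and method names, the 300-second freshness window and all PLMN, AMF and subscriber identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

AUTH_FRESHNESS_SECONDS = 300  # assumption: operator policy, not a 3GPP value

@dataclass
class AuthResult:
    serving_plmn: str   # PLMN the UE was authenticated in
    success: bool
    timestamp: float

@dataclass
class HomeUdm:
    """Hypothetical UDM model: latest AUSF-reported result per subscriber."""
    auth_results: dict = field(default_factory=dict)
    serving_amf: dict = field(default_factory=dict)

    def record_auth_result(self, supi, serving_plmn, success, timestamp):
        # The home AUSF reports the outcome of every authentication run.
        self.auth_results[supi] = AuthResult(serving_plmn, success, timestamp)

    def register_amf(self, supi, serving_plmn, amf_id, now):
        """Accept a serving-AMF registration only when a fresh, successful
        authentication for the same serving PLMN is on record."""
        result = self.auth_results.get(supi)
        if result is None:
            return (False, "no authentication on record")
        if not result.success:
            return (False, "last authentication failed")
        if result.serving_plmn != serving_plmn:
            return (False, "authenticated in a different PLMN")
        if now - result.timestamp > AUTH_FRESHNESS_SECONDS:
            return (False, "authentication result too old")
        self.serving_amf[supi] = (serving_plmn, amf_id)
        return (True, "registered")

def demo():
    """Constructed scenario; all identifiers are made-up test values."""
    udm, supi = HomeUdm(), "imsi-001010000000001"
    out = [udm.register_amf(supi, "99901", "amf-1", now=1000.0)]      # never authenticated
    udm.record_auth_result(supi, "99901", True, timestamp=1000.0)
    out.append(udm.register_amf(supi, "99901", "amf-1", now=1010.0))  # backed by auth
    out.append(udm.register_amf(supi, "99902", "amf-9", now=1020.0))  # other PLMN
    out.append(udm.register_amf(supi, "99901", "amf-1", now=2000.0))  # stale result
    udm.record_auth_result(supi, "99901", False, timestamp=2100.0)
    out.append(udm.register_amf(supi, "99901", "amf-1", now=2101.0))  # failed auth
    return out
```
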
## Roaming restrictions

When a 5GS-capable UE tries to connect over NR to a 5GC when roaming, the VPLMN requests the HPLMN to authorize the inbound roaming UE to connect from that VPLMN before the VPLMN allows the UE to connect to its 5GC. This is referred to as roaming restriction control at the HPLMN, as in the EPC. The UDM within the 5GC at the HPLMN determines if the UE is allowed to roam in the VPLMN 5GC.

Even if the UE is allowed to roam in the VPLMN 5GC, UE-level roaming restrictions may indicate which HPLMN services can be used while roaming (for example, data services but not voice services). If this is used to restrict the IP Multimedia Subsystem (IMS) voice service when roaming, a voice-centric UE will not connect to the 5GC and will instead look for another radio access in the VPLMN that provides voice service.

## Policy control

The home-routed roaming architecture anchors PDU sessions at the H-SMF. As a result, all interactions with the Policy Control Function (PCF) for session management policies take place within the HPLMN domain. At least during an initial phase of 5GC roaming, the VPLMN could apply both UE and access and mobility policies for inbound roaming users based on local configuration at the VPLMN without the burden of establishing and maintaining additional roaming reference points for this purpose.

## Charging

Both the V-SMF and H-SMF need to support charging. In the VPLMN, the V-SMF interacts with the visited Charging Function (V-CHF), and in the HPLMN the H-SMF interacts with the home-CHF (H-CHF). The visited User-Plane Function (V-UPF) and the home-UPF (H-UPF) need to support the reporting of charging-related session data to the SMF, but the main charging logic resides in the SMFs. The V-CHF generates call detail records (CDRs) for the inbound roamer traffic, and correspondingly the H-CHF generates CDRs for the outbound roamer traffic.
As a result, the VPLMN has full control over the data volumes that inbound roamers consume in the VPLMN RAN. The VPLMN can also create the necessary data for wholesale (inter-operator) settlement using the same principles as in EPS roaming. The details of the wholesale settlement procedures are described by the GSMA.

## QoS control in the visited Session Management Function

In roaming scenarios, any QoS settings requested by the HPLMN should be in accordance with the roaming agreement. However, to protect its network against unwanted resource usage, the VPLMN must have control over the requested QoS and, if necessary, downgrade it. While this is performed by the MME in the EPS, the fact that the 5GS introduces a clear split between mobility management handling (by the AMF) and session management (by the SMF) requires the V-SMF to handle QoS control.

## Network slicing when roaming

Network slicing is an inherent part of the 5GS that is not available in the EPS. When registering in the AMF, the UE determines the network slices it wants to use, expressed as a list of Single Network Slice Selection Assistance Information (S-NSSAI). This list may be empty. The AMF receives the list of subscribed S-NSSAI from the UDM in the HPLMN, and the AMF (possibly assisted by the Network Slice Selection Function (NSSF)) determines which S-NSSAI the UE is allowed to use. The UE uses the allowed NSSAI to determine which S-NSSAI to use when establishing a PDU session.

In the simplest case, there is only one S-NSSAI in the allowed NSSAI. If so, the UE can include this S-NSSAI when establishing a PDU session, and the AMF uses this S-NSSAI to select the V-SMF and the H-SMF. If the UE does not include an S-NSSAI, the AMF determines the S-NSSAI for this PDU session. This principle is likely sufficient for initial roaming deployments.

If there is more than one S-NSSAI in the allowed NSSAI, the UE needs additional information about which S-NSSAI to use when establishing a PDU session.
This additional information can be preconfigured on the UE or can be provided by the HPLMN. For the latter, UE Route Selection Policy has been specified, which can be provided by the H-PCF (through the V-PCF and the AMF) to the UE if needed.

## Steering of Roaming

This aspect of 5GS roaming is related to the PLMN selection at the UE while roaming. Steering of Roaming (SoR) in a 5GS is a control-plane solution that allows the HPLMN to update the UE with the list of preferred PLMN/access-technology combinations. The UE performs PLMN selection based on the received list of preferred PLMN/access-technology combinations.

In previous generations, the list of preferred PLMN/access-technology combinations was provided to the UE through Over-the-Air (OTA) mechanisms that were prone to be intercepted and blocked by malicious VPLMNs without the knowledge of the HPLMN. However, not all operators are using SoR today or plan to use SoR in 5GS.

## Security in 5GS roaming

5GS includes two proxy types: the Security Edge Protection Proxy (SEPP) for roaming security in SBA and the Service Communication Proxy (SCP) for indirect communication.

![](https://imgur.com/wbuVVGm.png)

## Security Edge Protection Proxy

For roaming in SBA, the SEPP secures signaling across PLMN borders by proxying requests and responses for the PLMN, providing topology hiding, signaling firewall, message filtering and additional policy enforcement capabilities. Every control plane message in inter-PLMN signaling passes both the home and the visited PLMN SEPPs. In this way, the SEPP can ensure the protection of messages before sending them to an external network as well as verifying messages received from outside their own network before forwarding them to the appropriate NFs or next-hop SCP.

The figure above shows two IPXs (Internet Protocol Exchanges) between the VPLMN and HPLMN, but it is also possible to have just one or even no IPX (in the case of national roaming, for example).
SEPPs authenticate using Transport Layer Security (TLS) over the N32 control plane interface (N32-c), as well as using TLS to protect messages over the N32 forwarding interface (N32-f). Each SEPP must have the credentials of the roaming partner’s SEPP.

To provide so-called roaming value-added services, the 3GPP has also standardized PRINS (Protocol for N32 Interconnect Security) over N32-f to allow the IPX to add modifications of certain message elements while keeping the original elements. Even if only one side requires its functionality, PRINS requires the support of both the VPLMN and the HPLMN, which means they both have to accept the complexity that PRINS introduces for contracts, operation and security.

While the SEPP provides security for the control plane messages, protection of the user plane messages in inter-PLMN communication is provided by the Inter-PLMN User Plane Security (IPUPS) functionality in the existing UPFs, which are controlled by the V-SMF and H-SMF, as shown in the figure above. IPUPS protects the GTP-U (GPRS Tunneling Protocol-User) traffic by forwarding only valid traffic through the N9 inter-PLMN reference point and discarding the remaining, invalid traffic.

## Service Communication Proxy

The SCP was introduced in the 5GS for indirect communication between NFs. SCPs provide centralized monitoring, overload protection and load-balancing functionality. In addition, they provide unified routing and selection logic in determining the destination NF or the next-hop SCP. Routing through the SCP requires the support of the 3gpp-Sbi-Target-apiRoot header to indicate the target NF destination.

The receiving SEPP may forward a message directly to the destination NF, or through a next-hop SCP, as shown in the figure above. Likewise, when indirect communication is used, the SCP can support inter-PLMN routing by providing the logic required to route relevant messages to the SEPP centrally.
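
The routing decision described in this section, as an added Python example (not code from the original note or from any SCP product): it reads the `3gpp-Sbi-Target-apiRoot` header, derives the target PLMN from the NF's FQDN and picks the next hop, rejecting targets it cannot attribute to its own PLMN or a roaming partner. The PLMN values, the partner list, the hop labels and the assumption that NFs are named under the `5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org` convention are illustrative.

```python
import re
from urllib.parse import urlsplit

# Constructed values, in the 3-digit form used inside FQDNs: (MCC, MNC).
OWN_PLMN = ("001", "001")
ROAMING_PARTNERS = {("999", "070")}

# Assumption: NFs are named <labels>.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
_NF_FQDN = re.compile(
    r"(?:[a-z0-9-]+\.)+5gc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org")

def next_hop(headers):
    """Return (hop, detail): 'nf' = deliver inside the own PLMN,
    'sepp' = hand to the local SEPP, 'reject' = do not forward."""
    # HTTP header names are case-insensitive.
    target = next((v for k, v in headers.items()
                   if k.lower() == "3gpp-sbi-target-apiroot"), None)
    if target is None:
        return ("reject", "missing 3gpp-Sbi-Target-apiRoot")
    try:
        url = urlsplit(target.strip())
        host = (url.hostname or "").lower()
    except ValueError:
        return ("reject", "malformed apiRoot")
    # An apiRoot is scheme + authority (+ optional prefix): userinfo,
    # query and fragment do not belong in it.
    if url.scheme not in ("http", "https") or url.username or url.password \
            or url.query or url.fragment:
        return ("reject", "malformed apiRoot")
    match = _NF_FQDN.fullmatch(host)   # fullmatch: a trailing suffix fails
    if match is None:
        return ("reject", "target is not a 5GC NF name")
    plmn = (match.group(2), match.group(1))      # (MCC, MNC)
    if plmn == OWN_PLMN:
        return ("nf", host)
    if plmn in ROAMING_PARTNERS:
        return ("sepp", "mcc%s-mnc%s" % plmn)
    return ("reject", "no roaming agreement with mcc%s-mnc%s" % plmn)
```
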
Each operator can decide to deploy SCPs or not, independent of the decision to support roaming.

## Voice and other services when roaming

Due to the use of the S8 reference point for routing user traffic and related signaling between the VPLMN and HPLMN, the EPS roaming solution for IMS voice is also known as S8 home routing (S8HR). 5GS roaming for voice follows the same HR principles as for S8HR roaming. 5GS roaming for voice is referred to as N9 home routing (N9HR) and is needed for smartphones.

Both EPS fallback and VoNR are possible options as voice solutions. The IMS PDU session is always anchored in H-SMF/UPF and IMS network elements are in the home network (see figure above). Interworking with 4G will be enabled for EPS fallback and for intersystem handover between VoNR and VoLTE. It is recommended to use VoNR when roaming because the additional call setup delay in EPS fallback will be even greater in roaming cases compared with non-roaming ones. Supporting both EPS fallback and VoNR in the HPLMN maximizes the opportunities for compatible network capabilities with roaming partners.

SMS solutions for 5GS roaming are either SMS over IP or SMS over 5G non-access stratum (NAS), and both rely on support for SMS in the HPLMN. SMS over IP has no additional impacts on the VPLMN and is based on the established IMS PDU session to the HPLMN. SMS over 5G NAS depends on the SMSF (the SMS function in 5GC) being present in the VPLMN.

![](https://imgur.com/tqoPCCe.png)

Emergency calls for a roaming subscriber are provided by the VPLMN subject to regulatory requirements. This is applicable to 5GS roaming as well as to S8HR roaming. Emergency service in the 5GS is either provided natively over the 5GS or by emergency service fallback to the EPS. The AMF provides the UE with an indication of which of these two solutions is valid during the 5GC registration procedure.
The figure above illustrates the difference between architecture for voice in 5GS roaming (top half) and emergency service in 5GS roaming (bottom half).

For emergency calls on the 5GS, the UE will establish an emergency PDU session. After resolution by the SMF/UPF in the VPLMN, the emergency call will be connected through the VPLMN IMS to the emergency center. In the case of emergency service fallback, mobility from 5GS to the EPS will take place, and then the emergency call will be set up on the EPS using an emergency PDN, with the VPLMN IMS.

As in the EPS, since there is typically no IMS network-to-network interface (NNI) between the VPLMN and the HPLMN, the VPLMN IMS cannot fetch UE/subscriber identifiers from the HPLMN IMS. Instead, it must fetch these identifiers from the VPLMN 5GC before emergency call setup. Any emergency callback from the emergency center to the user will be through the HPLMN IMS just as any other incoming call.

For MBB and data access, the PDU session to the internet (which uses the data network name) is also anchored in HPLMN SMF and UPF. The HPLMN UPF and N6 reference points are used to provide subscribers with internet access to the data network.

## Conclusion

The majority of mobile network operators will create combined Evolved Packet System (EPS) and 5G System (5GS) networks supporting seamless voice and data services in the years ahead. They will continue to expect roaming to work regardless of whether their partners have both the EPS and the 5GS, or only the EPS. While 5GS roaming has many similarities to previous generations of roaming, it also introduces several new concepts that lead to some important differences that all operators need to understand.

One of the main benefits of the 5GS roaming architecture is the possibility to expand an existing EPS roaming solution by using 5GS in the VPLMN and mobility between the 5GS and the EPS when roaming.
User equipment that is capable of using both the EPS and the 5GS will also be able to use both EPS and 5GS roaming. The introduction of 5GS roaming is going to demand attention across all domains. There are roaming aspects to consider in the core network, in user data and policies, in services and in backend systems. At the same time, security for roaming partners must also be ensured.