# Non-3GPP Interworking Function (N3IWF)
- [Need for N3IWF](#Why-we-need-N3IWF)
- [N3IWF and other 5G Core NF](#How-N3IWF-Interacts-with-other-5G-NF-and-RAN?)
- [N3IWF Protocol Stack](#Protocol-Stack-for-Each-Case)
- [N3IWF Call Flow](#N3IWF-Operation)
## Why we need N3IWF
The N3IWF mainly serves as a common gateway for untrusted traffic (traffic that isn't controlled by the mobile network operator), such as traffic from public hotspots, home or corporate WiFi, etc. A common gateway for untrusted traffic has advantages such as:
- Avoiding data congestion and reducing backhaul cost
- Providing better coverage in high-density traffic areas such as business districts or the countryside
- Reducing operational cost with increased capacity and unified management
## How N3IWF Interacts with other 5G NF and RAN?

As shown in the picture, the N3IWF encrypts outgoing traffic to the UE and decrypts incoming traffic from the UE that is bound for the 5G Core Network.
The picture also implies that untrusted Control-Plane traffic and User-Plane traffic will always be forwarded to the N3IWF.
Given the above, the N3IWF provides two sets of functionality: Control-Plane and User-Plane. The details of each are as follows:
Control-Plane Functionalities:
- Support IPSec tunnel establishment with UE using IKEv2/IPSec protocols
- Secure traffic between the UE and the AMF during NAS signaling and PDU session management
- Encapsulate decrypted messages with the NGAP and SCTP protocols before the data is forwarded to the AMF
User-Plane Functionalities:
- Termination of N3 Interface using GTPU protocol
- Relay uplink and downlink user data between the UE and the UPF
- Encapsulate and decapsulate data traffic using IPSec (for traffic that goes to and from the UE) and GTPU (for traffic that goes to and from the UPFs)
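
The GTPU half of the user-plane relay described above, as an added example (not code from the original page or from any N3IWF implementation): it builds a G-PDU header and strictly validates one before decapsulation, including extension headers such as the PDU Session Container. The function names, the TEID allow-list and the sample bytes are assumptions constructed for illustration, and one GTP-U message per UDP datagram is assumed.

```python
import struct

GTPU_G_PDU = 0xFF  # GTP-U message type for a tunnelled user packet

class GtpuError(ValueError):
    """Raised when a datagram is not an acceptable G-PDU."""

def gtpu_encap(teid: int, inner: bytes) -> bytes:
    """Wrap a user packet in the 8-byte mandatory GTP-U header."""
    # 0x30 = version 1, protocol type GTP, E/S/PN flags clear
    return struct.pack("!BBHI", 0x30, GTPU_G_PDU, len(inner), teid) + inner

def gtpu_decap(frame: bytes, known_teids: set) -> tuple:
    """Validate a G-PDU and return (teid, inner packet); raise GtpuError otherwise."""
    if len(frame) < 8:
        raise GtpuError("shorter than mandatory header")
    flags, mtype, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise GtpuError("not GTP version 1 / protocol type GTP")
    if mtype != GTPU_G_PDU:
        raise GtpuError("not a G-PDU")
    if length != len(frame) - 8:  # length counts everything after the first 8 octets
        raise GtpuError("length field disagrees with datagram size")
    if teid not in known_teids:  # hypothetical allow-list of tunnels this node set up
        raise GtpuError("TEID not bound to a PDU session")
    off = 8
    if flags & 0x07:  # any of E, S, PN set: 4 optional octets follow the TEID
        if len(frame) < 12:
            raise GtpuError("truncated optional fields")
        next_ext = frame[11] if flags & 0x04 else 0  # only meaningful when E is set
        off = 12
        while next_ext:  # extension header: length in 4-octet units, ..., next type
            if off >= len(frame) or frame[off] == 0:
                raise GtpuError("bad extension header length")
            end = off + 4 * frame[off]
            if end > len(frame):
                raise GtpuError("extension header overruns datagram")
            next_ext, off = frame[end - 1], end
    return teid, frame[off:]

# Constructed sample: downlink G-PDU with a PDU Session Container (type 0x85, QFI 9)
SAMPLE_TEID = 0x1A2B3C4D
SAMPLE_INNER = bytes.fromhex("4500001c") + b"constructed-inner-ip-packet"
SAMPLE_DL = (struct.pack("!BBHI", 0x34, GTPU_G_PDU, 8 + len(SAMPLE_INNER), SAMPLE_TEID)
             + b"\x00\x00\x00\x85" + b"\x01\x00\x09\x00" + SAMPLE_INNER)

if __name__ == "__main__":
    print(gtpu_decap(SAMPLE_DL, {SAMPLE_TEID}))
```

Rejecting a datagram whose length field, TEID or extension-header chain is inconsistent keeps malformed N3 traffic from being relayed into the IPSec tunnel towards the UE.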
## Protocol Stack for Each Case

### Initial Registration and Authentication

As shown in the figure, to register to the 5G Core Network, the UE needs to connect to a WLAN access point. After the UE is configured with a local IP address, it needs to select the N3IWF and initiate the IKEv2 establishment procedure. After IKEv2 establishment, the N3IWF starts the EAP-5G procedures to initiate UE registration and authentication using the NAS protocol with the AMF. The NAS messages are transported using EAP-5G/IKEv2 between the N3IWF and the UE.
### NAS Mobility and Session Management

After successful registration, a signalling IPSec SA is established between the UE and the N3IWF, and the UE establishes a TCP connection with the N3IWF for transporting NAS mobility and session management messages over the inner IP layer.
### User Plane Establishment

During session establishment, the N3IWF initiates the establishment of IPSec child SAs with the UE using the IKEv2 protocol for tunneling UP traffic.
### User Plane Data Transfer

As shown in the figure, the IPSec tunnel carries the original IP user data packet in encrypted form, to prevent the information security violations that are possible due to WLAN security issues.
## N3IWF Operation
#### Registration, Authentication, and Authorization

As shown in the picture, before a UE sending untrusted traffic can be registered by the AMF, the UE initiates and establishes IKE with the N3IWF. After IKE has been successfully established, the UE performs the registration process with steps similar to those for trusted traffic.
#### PDU Session Establishment

The PDU session establishment process for untrusted traffic is not very different from the one for trusted traffic. The only difference is the IKE child SA establishment that follows once the PDU session has been generated by the SMF, which secures the transmission of the PDU session parameters.
## Reference
- https://www.wipro.com/network-edge-providers/untrusted-non-3gpp-access-network-interworking-with-5g-core/