Network Slicing
Release 16 Network Slicing addresses two major limitations of Release 15 in 5GC:
(1) Enhancement of interworking between EPC and 5GC: when the UE moves from EPC to 5GC, the target serving AMF may not be able to serve all the PDU sessions that the UE intends to move to the 5GC. More specifically, the following aspects need to be addressed:
- Selecting an AMF based on the slices associated to the active PDU connections that serve the UE in the EPC in Connected mode and during the Idle mode mobility
- Selecting an appropriate serving V-SMF based on the slices associated to the active PDN connections that serve the UE in the EPC in Connected Mode
(2) Support for Network Slice Specific Authentication and Authorization (NSSAA)
- Enable the support for separate authentication and authorization per Network Slice. The trigger of NSSAA in the 5GC is based on UE subscription information from UDM and also operator’s policy. However, the UE shall indicate its support for NSSAA to its serving 5GC.
- The AMF performs the role of the EAP Authenticator and communicates with the AAA-S via the AUSF. The AUSF undertakes any AAA protocol interworking with the AAA protocol supported by the AAA-S.
Enhancement of Interworking Between EPC and 5GC
During the mobility from EPS to 5GS, in case of CM-IDLE state, the PGW-C+SMF sends PDU Session IDs and related S-NSSAIs to the AMF in the Registration procedure. The AMF derives S-NSSAI values for the Serving PLMN and determines whether the current AMF is appropriate to serve the UE. If not, the AMF reallocation may need to be triggered. For each PDU Session, the AMF determines whether the V-SMF needs to be reselected based on the associated S-NSSAI value for the Serving PLMN. If the V-SMF needs to be reallocated, the AMF triggers the V-SMF reallocation.
In case of CM-CONNECTED state, during the handover preparation phase the PGW-C+SMF sends PDU Session IDs and related S-NSSAIs to the AMF. Based on the received S-NSSAI values, the target AMF derives the S-NSSAI values for the Serving PLMN, reselects a final target AMF if necessary, and forwards the handover request to the final target AMF. When the Handover procedure completes successfully, the UE proceeds with the Registration procedure. For each PDU Session, based on the associated derived S-NSSAI values, if the V-SMF needs to be reallocated, the final target AMF triggers the V-SMF reallocation. The final target AMF sends the S-NSSAI value for the Serving PLMN to the V-SMF to update the SM context. The V-SMF updates the NG RAN with the S-NSSAI value for the Serving PLMN via an N2 SM message.
Network Slice-Specific Authentication and Authorization (NSSAA)
In Release-16, based on UE’s 5GMM Core Network Capability and subscription information, the serving AMF will trigger Network Slice-Specific Authentication and Authorization for the S-NSSAIs of the HPLMN. If a UE does not support this feature but requests these S-NSSAIs that are subject to Network Slice-Specific Authentication and Authorization, these S-NSSAIs will be rejected by the PLMN.
If a UE supports this feature and requests these S-NSSAIs, which are subject to Network Slice-Specific Authentication and Authorization, the UE shall leverage the corresponding credentials for these S-NSSAIs for the Network Slice-Specific Authentication and Authorization. As for how to these credentials in the UE are not specified.
To perform the Network Slice-Specific Authentication and Authorization for an S-NSSAI, the AMF invokes an EAP-based Network Slice-Specific authorization procedure for the S-NSSAI.
This procedure can be invoked for a supporting UE by an AMF at any time, e.g. when:
a. The UE registers with the AMF and one of the S-NSSAIs of the HPLMN which maps to an S-NSSAI in the Requested NSSAI requires Network Slice-Specific Authentication and Authorization; or
b. The Network Slice-Specific AAA Server triggers a UE re-authentication and re-authorization for an S-NSSAI; or
c. The AMF, based on operator policy or a subscription change, decides to initiate the Network Slice-Specific Authentication and Authorization procedure for a certain S-NSSAI which was previously authorized.
Based on the outcome of the Network Slice-Specific Authentication and Authorization, the Allowed NSSAI for each Access Type will be updated accordingly. Network policy decides which Access Type is used if both Access Types are subject to the Network Slice-Specific Authentication and Authorization. However, if the Network Slice-Specific Authentication and Authorization fails for all S-NSSAIs in the Allowed NSSAI, the AMF shall execute the Network-initiated Deregistration procedure with the appropriate rejection cause value for each Rejected S-NSSAI.
After a successful or unsuccessful UE Network Slice-Specific Authentication and Authorization, the UE context in the AMF shall retain the authentication and authorization status for the UE for the related specific S-NSSAI of the HPLMN while the UE remains RM-REGISTERED in the PLMN, so that the AMF is not required to execute a Network Slice-Specific Authentication and Authorization for a UE at every Periodic Registration Update or Mobility Registration procedure with the PLMN.
A Network Slice-Specific AAA server may revoke the authorization or challenge the authentication and authorization of a UE at any time. When authorization is revoked for an S-NSSAI that is in the current Allowed NSSAI for an Access Type, the AMF shall provide a new Allowed NSSAI to the UE and trigger the release of all PDU sessions associated with the S-NSSAI, for this Access Type.
The AMF provides the GPSI of the UE related to the S-NSSAI to the AAA Server to allow the AAA server to initiate the Network Slice-Specific Authentication and Authorization, or the Authorization revocation procedure, where the UE's current AMF needs to be identified by the system, so that the UE authorization status can be challenged or revoked.
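The NSSAA rules described in this section, modelled as AMF-side bookkeeping for one Access Type. This is an added example, not part of the original text and not taken from any 3GPP specification or AMF implementation. The slice labels, the UeContext fields and the run_eap callback (standing in for the EAP exchange via the AUSF to the AAA-S) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class UeContext:                       # hypothetical AMF-side UE context
    supports_nssaa: bool               # from the UE's 5GMM Core Network Capability
    subject_to_nssaa: set              # S-NSSAIs marked in the subscription (UDM)
    status: dict = field(default_factory=dict)        # S-NSSAI -> last NSSAA result
    allowed: set = field(default_factory=set)         # Allowed NSSAI, one Access Type
    pdu_sessions: dict = field(default_factory=dict)  # PDU Session ID -> S-NSSAI
    registered: bool = True            # RM-REGISTERED

def register(ctx, requested, run_eap):
    """Handle one registration; return (allowed, rejected, eap_runs).

    run_eap(s_nssai) -> bool is an assumed stand-in for the EAP-based
    procedure in which the AMF acts as EAP Authenticator."""
    allowed, rejected, eap_runs = set(), set(), []
    for s in requested:
        if s not in ctx.subject_to_nssaa:
            allowed.add(s)             # slice needs no NSSAA
        elif not ctx.supports_nssaa:
            rejected.add(s)            # UE lacks the feature: S-NSSAI rejected
        else:
            if s not in ctx.status:    # status is retained, so no EAP run on
                ctx.status[s] = run_eap(s)   # every registration update
                eap_runs.append(s)
            (allowed if ctx.status[s] else rejected).add(s)
    ctx.allowed = allowed
    failed = [s for s in requested if ctx.status.get(s) is False]
    if failed and not allowed:         # NSSAA failed and nothing is left:
        ctx.registered = False         # network-initiated deregistration
    return allowed, rejected, eap_runs

def revoke(ctx, s_nssai):
    """AAA-S revokes authorization; return (new Allowed NSSAI, released session IDs)."""
    ctx.status[s_nssai] = False
    ctx.allowed = ctx.allowed - {s_nssai}
    released = sorted(p for p, s in ctx.pdu_sessions.items() if s == s_nssai)
    for p in released:                 # release all PDU sessions on that slice
        del ctx.pdu_sessions[p]
    return ctx.allowed, released

if __name__ == "__main__":
    aaa = {"slice-b": True, "slice-c": False}          # constructed AAA-S outcomes
    ue = UeContext(True, {"slice-b", "slice-c"}, pdu_sessions={1: "slice-a", 2: "slice-b"})
    print(register(ue, ["slice-a", "slice-b", "slice-c"], aaa.get))
    print(register(ue, ["slice-a", "slice-b", "slice-c"], aaa.get))  # no new EAP runs
    print(revoke(ue, "slice-b"))
```

Treating "no allowed S-NSSAI remains after a failed NSSAA" as the deregistration trigger is a simplification of the rule stated above.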