Discussion - mariotlemes/non3GPP-WiFi GitHub Wiki
At this point, we have created two wireless network interfaces with mac80211_hwsim. The wlan0 interface was placed in the namespace "APns" and wlan1 in the namespace "UEns". Dnsmasq provides IP addressing to hosts that connect to "my5gcore", the access network emulated by the wlan0 interface with the hostapd tool.
In order to register to the 5G Core Network (5GCN) via untrusted non-3GPP IP access, the UE first needs to be configured with a local IP address. With the wpa_supplicant tool, we connected the wlan1 interface to the IEEE 802.11 network (WiFi).
After instantiating the customized scenario (IP addressing for each Network Function (NF), registering the UE in the core, and setting up the namespaces, virtual interfaces and routes), we started all 5G core NFs and the UE. Finally, we started the initial registration process, so that the UE proceeds with the registration, authentication and authorization procedures required to access the 5GCN.
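The namespace and hwsim setup described above, as an added example (not the project's own scripts): it builds the ordered list of commands for two hwsim radios, one per namespace, with hostapd and dnsmasq on wlan0 in APns and wpa_supplicant plus a DHCP client on wlan1 in UEns. The SSID "my5gcore", the addressing, the passphrase and the phy0/wlan0, phy1/wlan1 pairing are assumptions, since the page gives none of them; with the default `dry_run=True` nothing is executed, so the plan can be inspected before running it as root.

```python
import subprocess
from typing import List

Cmd = List[str]

# Assumed values: the wiki calls the emulated network "my5gcore" but gives no SSID,
# addressing or passphrase, so these are constructed placeholders.
SSID = "my5gcore"
PSK = "replace-with-a-real-passphrase"      # WPA2-PSK needs 8..63 characters
AP_NS, UE_NS = "APns", "UEns"
AP_IF, UE_IF = "wlan0", "wlan1"
AP_ADDR = "192.168.127.1/24"
DHCP_RANGE = "192.168.127.10,192.168.127.50,12h"


def hostapd_conf(ssid: str = SSID, psk: str = PSK) -> str:
    """Minimal WPA2-PSK/CCMP hostapd configuration for the AP-side hwsim radio."""
    lines = [
        f"interface={AP_IF}", "driver=nl80211", f"ssid={ssid}",
        "hw_mode=g", "channel=6",
        "wpa=2", "wpa_key_mgmt=WPA-PSK", "rsn_pairwise=CCMP",
        f"wpa_passphrase={psk}",
    ]
    return "\n".join(lines) + "\n"


def wpa_supplicant_conf(ssid: str = SSID, psk: str = PSK) -> str:
    """wpa_supplicant network block that joins the emulated access network."""
    return "\n".join(["network={", f'    ssid="{ssid}"', f'    psk="{psk}"', "}"]) + "\n"


def lab_plan(ap_conf: str = "/tmp/hostapd.conf", ue_conf: str = "/tmp/wpa.conf") -> List[Cmd]:
    """Ordered commands for the scenario: two hwsim radios, one per namespace,
    hostapd + dnsmasq on wlan0 in APns, wpa_supplicant + DHCP client on wlan1 in UEns.
    Assumes hwsim exposes phy0/wlan0 and phy1/wlan1 (udev renaming would change this)."""
    in_ap = ["ip", "netns", "exec", AP_NS]
    in_ue = ["ip", "netns", "exec", UE_NS]
    return [
        ["modprobe", "mac80211_hwsim", "radios=2"],
        ["ip", "netns", "add", AP_NS],
        ["ip", "netns", "add", UE_NS],
        # A wireless interface moves with its phy, so the phy is what goes into the namespace.
        ["iw", "phy", "phy0", "set", "netns", "name", AP_NS],
        ["iw", "phy", "phy1", "set", "netns", "name", UE_NS],
        in_ap + ["ip", "addr", "add", AP_ADDR, "dev", AP_IF],
        in_ap + ["ip", "link", "set", AP_IF, "up"],
        in_ap + ["hostapd", "-B", ap_conf],
        in_ap + ["dnsmasq", f"--interface={AP_IF}", "--bind-interfaces",
                 f"--dhcp-range={DHCP_RANGE}"],
        in_ue + ["ip", "link", "set", UE_IF, "up"],
        in_ue + ["wpa_supplicant", "-B", "-i", UE_IF, "-c", ue_conf],
        in_ue + ["dhclient", UE_IF],
    ]


def apply_plan(plan: List[Cmd], dry_run: bool = True) -> List[Cmd]:
    """Execute the plan in order (root required); with dry_run=True nothing is executed
    and the plan is returned so it can be inspected or tested."""
    if not dry_run:
        for cmd in plan:
            subprocess.run(cmd, check=True)
    return plan


if __name__ == "__main__":
    with open("/tmp/hostapd.conf", "w") as f:
        f.write(hostapd_conf())
    with open("/tmp/wpa.conf", "w") as f:
        f.write(wpa_supplicant_conf())
    for cmd in apply_plan(lab_plan(), dry_run=True):
        print(" ".join(cmd))
```

Keeping the plan as data makes the order explicit: the AP side (address, hostapd, dnsmasq) is fully up before the UE side starts wpa_supplicant and asks for a lease, which is the order the text describes.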
A UE accessing the 5GCN through an untrusted IEEE 802.11 network (my5gcore) shall support NAS signalling and shall initially register and authenticate with the 5GCN using the N3IWF and the N1 interface. The AMF (Access and Mobility Management Function) registers the UE and the AUSF (Authentication Server Function) authenticates it. The UE shall establish PDU sessions using the IPsec signalling SA and NAS (Non-Access Stratum) session management messages exchanged with the SMF (Session Management Function) via the AMF. Data packets between the UE and the Data Network (DN) travel over the IPsec tunnel between the UE and the N3IWF and the GTP-U tunnel between the N3IWF and the UPF (User Plane Function).
## Registration, authentication and authorization

The registration, authentication and authorization procedures are shown in the figure below:
1) UE initiates the IKEv2/ISAKMP initial exchange with the N3IWF for the establishment of an IKE SA.
2) UE sends to N3IWF the IKE_AUTH Request without the AUTH payload indicating use of EAP-5G.
3) N3IWF responds with an IKE_AUTH Response, including EAP-Request/5G-Start packet informing UE to start sending NAS messages.
4) UE sends the IKE_AUTH Request including EAP-Response/5G-NAS with the NAS Registration Request and AN (Access Network) parameters. The AN parameters may include: GUAMI (Globally Unique AMF ID), PLMN ID (Public Land Mobile Network Identifier), Requested NSSAI (Network Slice Selection Assistance Information) and the Establishment Cause.
5) N3IWF selects an AMF based on the received AN parameters and local policy and forwards the registration request received from the UE to the selected AMF within an Initial UE message.
6) When AMF receives the Registration Request, it sends an Authentication Request to N3IWF.
7) N3IWF forwards the Authentication Request to UE.
8) AMF may request the SUCI from the UE with a NAS Identity Request; the UE answers with a NAS Identity Response, carried in the Authentication Response message sent to the N3IWF.
9) N3IWF forwards this NAS Authentication Response from UE to AMF.
10) AMF selects an AUSF to authenticate the UE based on the SUCI (Subscription Concealed Identifier) or SUPI (Subscription Permanent Identifier). The AUSF in turn selects a UDM (Unified Data Management) to obtain authentication data and executes the EAP-AKA'/5G-AKA authentication with the UE. After successful authentication, the AUSF sends the EAP-Success and the SEAF key (security anchor key) to the AMF, which derives two further keys: the NAS security keys and the N3IWF security key. AMF encapsulates the EAP-Success received from the AUSF within the NAS Security Mode Command message and sends it to the UE to activate NAS security.
11) N3IWF forwards this Security Mode Command message to UE.
12) UE also derives the SEAF key, NAS security keys and N3IWF key and sends a NAS Security Mode Complete message to the AMF.
13) N3IWF forwards this NAS Security Mode Complete message to AMF.
14) AMF further sends an Initial Context Setup Request message including the N3IWF key to the N3IWF which triggers the N3IWF to send an EAP-Success to UE, which completes the EAP-5G session.
15) N3IWF sends an IKE_AUTH Response to UE which contains an EAP-Success message.
16) UE sends an IKE_AUTH Request to establish the IPsec tunnel using the common N3IWF key.
17) IPsec SA is established between the UE and N3IWF. All subsequent NAS messages between UE and N3IWF are encapsulated within the established Signalling IPsec SA.
18) N3IWF notifies the AMF that the UE context is created by sending an NGAP Initial Context Setup Response.
19) AMF sends the NAS Registration Accept message including the allowed NSSAI for the access type for the UE to the N3IWF.
20) N3IWF forwards NAS Registration Accept message to the UE through the signalling IPsec SA.
After registration procedures, the UE shall support NAS signalling with 5GCN for mobility and session management functions using the N1 reference point. All communication entities, protocols and messages and their contents are summarized in the table below.
ID | Src | Dst | Protocol | Message {payload/intention} |
---|---|---|---|---|
1 | UE | N3IWF | IKEv2/ISAKMP | IKE_SA_INIT Request {IKE_SA Init} |
2 | UE | N3IWF | IKEv2/ISAKMP | IKE_AUTH Request (1) {no AUTH payload} |
3 | N3IWF | UE | IKEv2/ISAKMP | IKE_AUTH Response (1) {EAP-Request/5G-Start} |
4 | UE | N3IWF | IKEv2/ISAKMP | IKE_AUTH Request (2) {EAP-Response/5G-NAS/NAS Registration Request} |
5 | N3IWF | AMF | NGAP/NAS-5GS | InitialUEMessage Registration Request {EAP-Response/5G-NAS/NAS Registration Request} |
6 | AMF | N3IWF | NGAP/NAS-5GS | DownlinkNASTransport/Authentication Request {NAS Identity Request} |
7 | N3IWF | UE | ISAKMP | IKE_AUTH Response (2) {Authentication Request/NAS Identity Request} |
8 | UE | N3IWF | ISAKMP | IKE_AUTH Request (3) {Authentication Request/NAS Identity Response} |
9 | N3IWF | AMF | NGAP/NAS-5GS | UplinkNASTransport/Authentication Response {NAS Identity Response} |
10 | AMF | N3IWF | NGAP/NAS-5GS | DownlinkNASTransport/Security mode command {Authentication Response/EAP-success} |
11 | N3IWF | UE | ISAKMP | IKE_AUTH Response (3) {Security mode command/EAP-success} |
12 | UE | N3IWF | ISAKMP | IKE_AUTH Request (4) {Security mode complete} |
13 | N3IWF | AMF | NGAP/NAS-5GS | UplinkNASTransport/Authentication Request {Security mode complete} |
14 | AMF | N3IWF | NGAP | InitialContextSetupRequest {N3IWF key} |
15 | N3IWF | UE | ISAKMP | IKE_AUTH Response (4) {EAP-Success} |
16 | UE | N3IWF | ISAKMP | IKE_AUTH Request (5) {IPsec SA setup with the common N3IWF key} |
17 | N3IWF | UE | ISAKMP | IKE_AUTH Response (5) {IPsec SA complete} |
18 | N3IWF | AMF | NGAP | InitialContextSetupResponse {UE context is created} |
19 | AMF | N3IWF | NGAP/NAS-5GS | DownlinkNASTransport {NAS Registration Accept} |
20 | N3IWF | UE | ESP | NAS Registration Accept {NAS Registration Accept} |
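A way to turn the table above into a check, as an added example that is not part of the project: the twenty steps are transcribed as the expected message sequence, and `check_registration` compares a decoded trace against it, reporting skipped steps, a trace that stops early, or a Registration Accept that arrives outside the signalling IPsec SA. The `observed` traces are constructed in the test rather than decoded from the project's pcapng, and the phase boundaries (NAS security in use from step 12, IPsec SA from step 17) are read off the text above.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Msg:
    src: str
    dst: str
    proto: str
    name: str


def m(src: str, dst: str, proto: str, name: str) -> Msg:
    return Msg(src, dst, proto, name)


# Steps 1-20 of the registration/authentication/authorization flow, transcribed
# from the wiki table (message names shortened to the payload that matters).
EXPECTED_REGISTRATION: List[Msg] = [
    m("UE", "N3IWF", "IKEv2", "IKE_SA_INIT Request"),
    m("UE", "N3IWF", "IKEv2", "IKE_AUTH Request (1) no AUTH payload"),
    m("N3IWF", "UE", "IKEv2", "IKE_AUTH Response (1) EAP-Request/5G-Start"),
    m("UE", "N3IWF", "IKEv2", "IKE_AUTH Request (2) EAP-Response/5G-NAS Registration Request"),
    m("N3IWF", "AMF", "NGAP", "InitialUEMessage Registration Request"),
    m("AMF", "N3IWF", "NGAP", "DownlinkNASTransport Authentication Request"),
    m("N3IWF", "UE", "IKEv2", "IKE_AUTH Response (2) Authentication Request"),
    m("UE", "N3IWF", "IKEv2", "IKE_AUTH Request (3) Authentication Response"),
    m("N3IWF", "AMF", "NGAP", "UplinkNASTransport Authentication Response"),
    m("AMF", "N3IWF", "NGAP", "DownlinkNASTransport Security Mode Command"),
    m("N3IWF", "UE", "IKEv2", "IKE_AUTH Response (3) Security Mode Command"),
    m("UE", "N3IWF", "IKEv2", "IKE_AUTH Request (4) Security Mode Complete"),
    m("N3IWF", "AMF", "NGAP", "UplinkNASTransport Security Mode Complete"),
    m("AMF", "N3IWF", "NGAP", "InitialContextSetupRequest N3IWF key"),
    m("N3IWF", "UE", "IKEv2", "IKE_AUTH Response (4) EAP-Success"),
    m("UE", "N3IWF", "IKEv2", "IKE_AUTH Request (5) AUTH with N3IWF key"),
    m("N3IWF", "UE", "IKEv2", "IKE_AUTH Response (5) IPsec SA complete"),
    m("N3IWF", "AMF", "NGAP", "InitialContextSetupResponse"),
    m("AMF", "N3IWF", "NGAP", "DownlinkNASTransport Registration Accept"),
    m("N3IWF", "UE", "ESP", "NAS Registration Accept"),
]

# Protection milestones taken from the description above: the UE's NAS security
# context is in use from its Security Mode Complete (step 12), and the signalling
# IPsec SA carries everything from step 17 on.
NAS_SECURED_FROM = 12
IPSEC_SA_FROM = 17


def phase(step: int) -> str:
    """Which protection applies to the NAS payload of a given step of the flow."""
    if step >= IPSEC_SA_FROM:
        return "ipsec-sa"
    if step >= NAS_SECURED_FROM:
        return "nas-secured"
    return "unprotected-nas"


def check_registration(observed: List[Msg]) -> List[str]:
    """Compare an observed trace with the expected flow; an empty list means it matches."""
    findings: List[str] = []
    expected = EXPECTED_REGISTRATION
    j = 0  # index of the next expected step
    for seen in observed:
        if j < len(expected) and seen == expected[j]:
            j += 1
            continue
        # The same message as a later step means the steps in between were skipped.
        later = [k for k in range(j, len(expected)) if expected[k] == seen]
        if later:
            for k in range(j, later[0]):
                findings.append(f"step {k + 1} missing: {expected[k].name}")
            j = later[0] + 1
        elif seen.name == expected[-1].name and seen.proto != "ESP":
            findings.append(f"step 20 carried over {seen.proto} instead of the signalling IPsec SA (ESP)")
            j = len(expected)
        else:
            findings.append(f"unexpected message after step {j}: {seen.name}")
    for k in range(j, len(expected)):
        findings.append(f"trace ends before step {k + 1}: {expected[k].name}")
    return findings


if __name__ == "__main__":
    for step, msg in enumerate(EXPECTED_REGISTRATION, start=1):
        print(f"{step:2d} {msg.src:>5} -> {msg.dst:<5} {msg.proto:<5} {phase(step):<15} {msg.name}")
    print("findings:", check_registration(EXPECTED_REGISTRATION))
```

The phase column is the part worth keeping an eye on when reading the capture: everything up to step 11 is NAS carried inside IKE_AUTH before the UE has activated its NAS security context, so a trace in which the Registration Accept, or any later NAS message, shows up outside the ESP-protected signalling SA is a misconfiguration to chase rather than a cosmetic difference.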
## PDU session establishment
The PDU session establishment procedure involves the following steps:
1) UE sends a PDU Session Establishment Request to the N3IWF.
2) N3IWF transparently forwards PDU Session Establishment Request to the AMF.
3) SMF sends a PFCP Session Establishment Request message to the UPF in order to create the PDR (Packet Detection Rule) and FAR (Forwarding Action Rule).
4) UPF sends the message PFCP Session Establishment Response indicating that the PDR and FAR rules have been created.
5) AMF sends a PDU Session Resource Setup Request message to N3IWF to establish the resources for this PDU session.
6) N3IWF sends a path management message called Echo Request to the UPF via N3 interface.
7) UPF sends an Echo Response message to N3IWF indicating that it is active.
8) N3IWF determines the number of IPsec Child SAs to establish and the QoS profiles associated with each IPsec Child SA based on its own policies, configuration and the QoS profiles received. N3IWF then sends an IKE Create Child SA Request to establish the first IPsec Child SA for the PDU session.
9) UE sends an IKE Create Child SA Response to N3IWF.
10) N3IWF establishes additional IPsec Child SAs and forwards the PDU Session Establishment Accept message to the UE via the signalling IPsec SA. The N3IWF also sends a PDU Session Resource Setup Response to AMF including GTP-U Tunnel.
The table below shows the messages exchanged between the UE and the 5G core for PDU session establishment.
ID | Src | Dst | Protocol | Message {payload/intention} |
---|---|---|---|---|
1 | UE | N3IWF | ESP | PDU Session Establishment Request {PDU session} |
2 | N3IWF | AMF | NGAP/NAS-5G/ PDU Session | UplinkNASTransport/Establishment Request {PDU session} |
3 | SMF | UPF | PFCP | PFCP Session Establishment Request {PDR/FAR} |
4 | UPF | SMF | PFCP | PFCP Session Establishment Response {Request accepted (success)} |
5 | AMF | N3IWF | NGAP/NAS-5G | PDUSessionResourceSetupRequest {PDU session request} |
6 | N3IWF | UPF | GTP | Echo Request {Is it still alive?} |
7 | UPF | N3IWF | GTP | Echo Response {Activity confirmation} |
8 | N3IWF | UE | IKEv2/ISAKMP | Create Child SA Request {Child SA request} |
9 | UE | N3IWF | IKEv2/ISAKMP | Create Child SA Response {Child SA response} |
10 | N3IWF | AMF | NGAP | PDU Session Resource Setup Response {PDU session response/GTP-U tunnel} |
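Steps 3 and 4 above say that the SMF creates a PDR and a FAR on the UPF without showing what those rules do to traffic. The following added example (not project code) models that in a reduced form: one session with an uplink PDR matched on the UE address and N3 TEID, a downlink PDR matched on the destination address, and the FARs that forward toward the DN or re-encapsulate in GTP-U toward the N3IWF. The UE address, TEIDs and N3IWF address are constructed placeholders, and real PFCP rules carry many more information elements than this.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    teid: Optional[int] = None   # set when the packet arrived GTP-U encapsulated on N3
    src_iface: str = "access"    # "access" = from the N3IWF over N3, "core" = from the DN over N6


@dataclass(frozen=True)
class FAR:
    """Forwarding Action Rule: what to do with a packet once a PDR has detected it."""
    far_id: int
    action: str                      # "FORW" or "DROP"
    dst_iface: Optional[str] = None  # "core" -> N6, "access" -> N3
    outer_teid: Optional[int] = None # GTP-U TEID to put on downlink packets
    outer_dst: Optional[str] = None  # GTP-U peer (the N3IWF's N3 address) for downlink


@dataclass(frozen=True)
class PDR:
    """Packet Detection Rule: match criteria plus the FAR to apply on a match."""
    pdr_id: int
    precedence: int                  # lower value wins when several PDRs match
    src_iface: str
    far_id: int
    ue_addr: Optional[str] = None    # UE IP (source on uplink, destination on downlink)
    teid: Optional[int] = None       # local F-TEID to match on uplink

    def matches(self, pkt: Packet) -> bool:
        if pkt.src_iface != self.src_iface:
            return False
        if self.teid is not None and pkt.teid != self.teid:
            return False
        if self.ue_addr is not None:
            ue_field = pkt.src if self.src_iface == "access" else pkt.dst
            if ue_field != self.ue_addr:
                return False
        return True


@dataclass
class Session:
    seid: int
    pdrs: List[PDR]
    fars: Dict[int, FAR]


def establish_session(seid: int, ue_addr: str, ul_teid: int,
                      n3iwf_addr: str, dl_teid: int) -> Session:
    """The UPF-side state a PFCP Session Establishment Request creates (reduced shape):
    an uplink PDR/FAR pair toward the DN and a downlink pair back into the GTP-U tunnel."""
    fars = {
        1: FAR(1, "FORW", dst_iface="core"),
        2: FAR(2, "FORW", dst_iface="access", outer_teid=dl_teid, outer_dst=n3iwf_addr),
    }
    pdrs = [
        PDR(1, 10, "access", far_id=1, ue_addr=ue_addr, teid=ul_teid),
        PDR(2, 10, "core", far_id=2, ue_addr=ue_addr),
    ]
    return Session(seid, pdrs, fars)


def classify(session: Session, pkt: Packet) -> str:
    """Detect (PDR) then act (FAR). A packet matching no PDR is dropped: the UPF has no
    rule for it, which is what happens to traffic of a session that was never set up."""
    hits = sorted((p for p in session.pdrs if p.matches(pkt)), key=lambda p: p.precedence)
    if not hits:
        return "DROP (no matching PDR)"
    far = session.fars[hits[0].far_id]
    if far.action != "FORW":
        return "DROP"
    if far.outer_teid is not None:
        return f"FORW N3: GTP-U encapsulate TEID=0x{far.outer_teid:x} to {far.outer_dst}"
    return "FORW N6: decapsulated, toward the DN"


if __name__ == "__main__":
    # Constructed addresses and TEIDs; none of these values come from the project.
    s = establish_session(seid=1, ue_addr="10.60.0.1", ul_teid=0x1,
                          n3iwf_addr="192.168.127.3", dl_teid=0x2)
    print(classify(s, Packet("10.60.0.1", "198.51.100.7", teid=0x1, src_iface="access")))
    print(classify(s, Packet("198.51.100.7", "10.60.0.1", src_iface="core")))
    print(classify(s, Packet("10.60.0.1", "198.51.100.7", teid=0x99, src_iface="access")))
```

Matching the uplink PDR on both the UE address and the tunnel TEID, rather than the address alone, is the detail that keeps a packet injected with the right source address but the wrong tunnel from being forwarded as the UE's traffic.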
Note: Alternatively, you can download the pcapng file and identify the registration, authentication and authorization procedures and the PDU session establishment in the capture.