16.1 Enhancement of Network Slicing

3GPP TS 21.916, Release 16, Release description

Work item 830103 | Enhancement of Network Slicing | eNS | SP-181232 | ZTE, Tricci So

Summary based on the input provided by ZTE Wistron Telecom AB in SP-200125.

The objective of this work item is to address the following aspects:

– Enhance the network slicing interworking support from EPC to 5GC, when the UE moves from EPC to 5GC, by selecting the proper target serving AMF as well as V-SMF. Note that the 5GC may not be able to serve all the PDU sessions that the UE intends to move from EPC.

– Provide the network slice based authentication and authorization that uses User Identities and Credentials different from the 3GPP SUPI and that takes place after the primary authentication.

Release 16 Network Slicing addresses two major limitations of Release 15 in 5GC:

(1) Enhancement of interworking between EPC and 5GC: when the UE moves from EPC to 5GC, the target serving AMF may not be able to serve all the PDU sessions that the UE intends to move to the 5GC. More specifically, the following aspects need to be addressed:

– Selecting an AMF based on the slices associated to the active PDU connections that serve the UE in the EPC in Connected mode and during the Idle mode mobility

– Selecting an appropriate serving V-SMF based on the slices associated to the active PDN connections that serve the UE in the EPC in Connected Mode

(2) Support for Network Slice Specific Authentication and Authorization (NSSAA)

– Enable the support for separate authentication and authorization per Network Slice. The trigger of NSSAA in the 5GC is based on UE subscription information from UDM and also operator’s policy. However, the UE shall indicate its support for NSSAA to its serving 5GC.

– The AMF performs the role of the EAP Authenticator and communicates with the AAA-S via the AUSF. The AUSF undertakes any AAA protocol interworking with the AAA protocol supported by the AAA-S.

Enhancement of Interworking Between EPC and 5GC

During mobility from EPS to 5GS in CM-IDLE state, the PGW-C+SMF sends the PDU Session IDs and related S-NSSAIs to the AMF in the Registration procedure. The AMF derives the S-NSSAI values for the Serving PLMN and determines whether the current AMF is appropriate to serve the UE. If not, AMF reallocation may need to be triggered. For each PDU Session, the AMF determines whether the V-SMF needs to be reselected based on the associated S-NSSAI value for the Serving PLMN. If the V-SMF needs to be reallocated, the AMF triggers the V-SMF reallocation.

In CM-CONNECTED state, the PGW-C+SMF sends the PDU Session IDs and related S-NSSAIs to the AMF during the handover preparation phase. Based on the received S-NSSAI values, the target AMF derives the S-NSSAI values for the Serving PLMN, reselects a final target AMF if necessary, and forwards the handover request to the final target AMF. When the Handover procedure completes successfully, the UE proceeds with the Registration procedure. For each PDU Session, based on the associated derived S-NSSAI values, if the V-SMF needs to be reallocated, the final target AMF triggers the V-SMF reallocation. The final target AMF sends the S-NSSAI value for the Serving PLMN to the V-SMF to update the SM context. The V-SMF updates the NG-RAN with the S-NSSAI value for the Serving PLMN via an N2 SM message.
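
The decisions described above can be sketched as follows. This is an added example, not text or code from the 3GPP specifications. The mapping table, the "supported slices" sets, the function name and the S-NSSAI labels are assumptions made for illustration, and "appropriate AMF" is modelled simply as "supports every derived S-NSSAI".

```python
from dataclasses import dataclass

@dataclass
class PduSession:
    session_id: int
    hplmn_snssai: str   # S-NSSAI received from the PGW-C+SMF
    v_smf: str          # V-SMF currently assigned to the session

def plan_mobility(sessions, hplmn_to_serving, amf_slices, smf_slices):
    """Return (amf_reallocation_needed, {session_id: (action, serving_snssai)}).

    hplmn_to_serving: table used to derive the S-NSSAI for the Serving PLMN
    amf_slices:       Serving-PLMN S-NSSAIs the current AMF can serve
    smf_slices:       {v_smf: set of Serving-PLMN S-NSSAIs it supports}
    """
    decisions, derived = {}, set()
    for s in sessions:
        serving = hplmn_to_serving.get(s.hplmn_snssai)
        if serving is None:
            # The 5GC may not be able to serve every session moved from EPC.
            decisions[s.session_id] = ("not-served", None)
            continue
        derived.add(serving)
        if serving in smf_slices.get(s.v_smf, set()):
            decisions[s.session_id] = ("keep-v-smf", serving)
        else:
            decisions[s.session_id] = ("reallocate-v-smf", serving)
    # Assumption: the AMF is appropriate only if it supports all derived slices.
    amf_reallocation = not derived <= set(amf_slices)
    return amf_reallocation, decisions

# Constructed sample input (labels are placeholders, not real S-NSSAI values).
SAMPLE_SESSIONS = [
    PduSession(5, "h-embb", "vsmf-1"),
    PduSession(6, "h-iot", "vsmf-1"),
    PduSession(7, "h-v2x", "vsmf-1"),
]
SAMPLE_MAPPING = {"h-embb": "s-embb", "h-iot": "s-iot"}
```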

Network Slice-Specific Authentication and Authorization (NSSAA)

In Release-16, based on UE’s 5GMM Core Network Capability and subscription information, the serving AMF will trigger Network Slice-Specific Authentication and Authorization for the S-NSSAIs of the HPLMN. If a UE does not support this feature but requests these S-NSSAIs that are subject to Network Slice-Specific Authentication and Authorization, these S-NSSAIs will be rejected by the PLMN.

If a UE supports this feature and requests these S-NSSAIs, which are subject to Network Slice-Specific Authentication and Authorization, the UE shall leverage the corresponding credentials for these S-NSSAIs for the Network Slice-Specific Authentication and Authorization. As for how to these credentials in the UE are not specified.

To perform the Network Slice-Specific Authentication and Authorization for an S-NSSAI, the AMF invokes an EAP-based Network Slice-Specific authorization procedure for the S-NSSAI.

This procedure can be invoked for a supporting UE by an AMF at any time, e.g. when:

a. The UE registers with the AMF and one of the S-NSSAIs of the HPLMN which maps to an S-NSSAI in the Requested NSSAI requires Network Slice-Specific Authentication and Authorization; or

b. The Network Slice-Specific AAA Server triggers a UE re-authentication and re-authorization for an S-NSSAI; or

c. The AMF, based on operator policy or a subscription change, decides to initiate the Network Slice-Specific Authentication and Authorization procedure for a certain S-NSSAI which was previously authorized.

Based on the outcome of the Network Slice-Specific Authentication and Authorization, the Allowed NSSAI for each Access Type will be updated accordingly. If both Access Types are subject to the Network Slice-Specific Authentication and Authorization, network policy decides which Access Type is used. However, if the Network Slice-Specific Authentication and Authorization fails for all S-NSSAIs in the Allowed NSSAI, the AMF shall execute the Network-initiated Deregistration procedure with the appropriate rejection cause value for each Rejected S-NSSAI.

After a successful or unsuccessful UE Network Slice-Specific Authentication and Authorization, the UE context in the AMF shall retain the authentication and authorization status for the UE for the related specific S-NSSAI of the HPLMN while the UE remains RM-REGISTERED in the PLMN, so that the AMF is not required to execute a Network Slice-Specific Authentication and Authorization for a UE at every Periodic Registration Update or Mobility Registration procedure with the PLMN.

A Network Slice-Specific AAA server may revoke the authorization or challenge the authentication and authorization of a UE at any time. When authorization is revoked for an S-NSSAI that is in the current Allowed NSSAI for an Access Type, the AMF shall provide a new Allowed NSSAI to the UE and trigger the release of all PDU sessions associated with the S-NSSAI, for this Access Type.

The AMF provides the GPSI of the UE related to the S-NSSAI to the AAA Server so that the AAA Server can initiate the Network Slice-Specific Authentication and Authorization procedure or the Authorization revocation procedure. In both cases the UE's current AMF needs to be identified by the system, so that the UE's authorization status can be challenged or revoked.

The Network Slice-Specific Authentication and Authorization requires that the UE Primary Authentication and Authorization of the SUPI has successfully completed. If the SUPI authorization is revoked, then also the Network Slice-Specific authorization is revoked.
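
The AMF-side bookkeeping described in this section can be modelled as below. This is an added example, not code from the 3GPP specifications or from any AMF implementation. The class and method names, the `run_eap` callback (a stand-in for the EAP exchange with the AAA-S) and the slice labels used with it are assumptions.

```python
from enum import Enum

class Status(Enum):
    SUCCESS = "success"
    FAILED = "failed"

class UeSliceContext:
    """Simplified AMF-side state for one UE on one Access Type (hypothetical names)."""

    def __init__(self, supports_nssaa, subject_to_nssaa):
        self.supports_nssaa = supports_nssaa   # UE's 5GMM Core Network Capability
        self.subject = set(subject_to_nssaa)   # per subscription data and policy
        self.status = {}                       # retained while RM-REGISTERED
        self.allowed, self.rejected = set(), set()
        self.pdu_sessions = {}                 # PDU Session ID -> S-NSSAI
        self.registered = False

    def register(self, requested, run_eap):
        """run_eap(s_nssai) -> bool stands in for the EAP exchange with the AAA-S."""
        self.registered = True
        self.allowed, self.rejected = set(), set()
        for s in requested:
            if s not in self.subject:
                self.allowed.add(s)            # no slice-specific step needed
            elif not self.supports_nssaa:
                self.rejected.add(s)           # non-supporting UE: slice rejected
            else:
                if s not in self.status:       # reuse the retained outcome
                    self.status[s] = Status.SUCCESS if run_eap(s) else Status.FAILED
                ok = self.status[s] is Status.SUCCESS
                (self.allowed if ok else self.rejected).add(s)
        failed = [s for s in requested if self.status.get(s) is Status.FAILED]
        if failed and not self.allowed:        # NSSAA failed, nothing left allowed
            self.registered = False            # network-initiated deregistration
            self.status.clear()                # status is kept only while registered
        return self.allowed

    def revoke(self, s_nssai):
        """AAA-S revocation: update Allowed NSSAI, release sessions on that slice."""
        self.status[s_nssai] = Status.FAILED
        self.allowed.discard(s_nssai)
        self.rejected.add(s_nssai)
        released = sorted(i for i, s in self.pdu_sessions.items() if s == s_nssai)
        for i in released:
            del self.pdu_sessions[i]
        return released
```

Calling `register` a second time with the same Requested NSSAI does not invoke `run_eap` again, which mirrors the retained status across Periodic or Mobility Registration updates.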

References

List of related CRs: select "TSG Status = Approved" in:
https://portal.3gpp.org/ChangeRequests.aspx?q=1&workitem=830103

[1] TS 23.501: "System Architecture for the 5G System; Stage 2".

[2] TS 23.502: "Procedures for the 5G System; Stage 2".