ENSI

External Network Slice Information

Network Slicing →
Introduced in Rel-16

ENSI is a parameter that identifies a specific network slice instance for a UE when roaming, enabling the home network to provide slice selection information to the visited network.

Category
Network Slicing
Introduced
Rel-16
Where
Security
Specifications
1 specs
ENSI Description Purpose Detected Changes Specifications

Description

External Network Slice Information (ENSI) is a critical component of 3GPP's network slicing framework, particularly for roaming scenarios. It is defined as a string that uniquely identifies a network slice instance. When a User Equipment (UE) roams into a visited Public Land Mobile Network (VPLMN), the home network (HPLMN) can include the ENSI within the subscription data or during the registration procedure to indicate which specific slice instance the UE is authorized to use. The VPLMN uses this information, along with other parameters like the Subscribed Network Slice Selection Assistance Information (S-NSSAI), to map the request to a locally available and equivalent Network Slice Instance (NSI). The ENSI is carried within Non-Access Stratum (NAS) signaling messages, such as the Registration Request, and is processed by the Access and Mobility Management Function (AMF) in both the home and visited networks.

Architecturally, ENSI operates within the Network Slice Selection Function (NSSF) and the AMF. The HPLMN's Unified Data Management (UDM) stores the ENSI as part of the user's subscription context. During initial registration or service request procedures, if the UE is roaming, the HPLMN's AMF or NSSF may determine the appropriate ENSI and include it in the response to the VPLMN. The VPLMN's AMF, upon receiving the ENSI, interacts with its local NSSF. The NSSF performs the mapping from the received S-NSSAI and ENSI pair to a VPLMN-specific NSI. This mapping is crucial because the slice identifiers (S-NSSAIs) are only unique within a single PLMN; the ENSI provides the additional granularity needed for the VPLMN to select the exact slice instance intended by the home operator.

The role of ENSI is to bridge the semantic gap between network slice identifiers in different administrative domains. Without ENSI, a VPLMN might only receive an S-NSSAI, which describes a slice type (e.g., enhanced Mobile Broadband, Massive IoT), but not the specific instance. Multiple instances of the same slice type (e.g., different eMBB slices for different enterprise customers) could exist in the HPLMN. ENSI allows the HPLMN to pinpoint the exact instance, enabling the VPLMN to provide a service experience that aligns with the home network's slice policies, including specific Quality of Service (QoS) characteristics, security policies, and network function configurations. It is a key enabler for advanced roaming agreements involving network slicing, ensuring end-to-end slice consistency and fulfilling Service Level Agreements (SLAs) across operator boundaries.

Purpose & Motivation

ENSI was introduced to solve the problem of network slice selection and identification in inter-PLMN (roaming) scenarios. As 5G networks deployed network slicing to offer tailored logical networks for different services, a mechanism was needed to extend these capabilities to users outside their home network. Prior to ENSI, slice selection was primarily based on the S-NSSAI, which is only unique within a single operator's network. During roaming, a visited network receiving only an S-NSSAI would not know which specific instance of that slice type to assign, potentially leading to incorrect service mapping or the inability to honor detailed slice-specific SLAs.

The creation of ENSI was motivated by the commercial need for global service continuity for enterprise and vertical industry applications using network slices. For example, a multinational corporation using a dedicated URLLC slice for factory automation would require that slice's characteristics to be maintained when an employee's device roams onto a partner network. ENSI provides the technical parameter that allows the home network to express, "Use *this specific* URLLC slice instance," enabling the visited network to fulfill that request if a compatible slice is available under the roaming agreement. It addresses the limitation of previous approaches where slice awareness was confined to a single network, thereby unlocking the full economic and technical potential of 5G network slicing in a global ecosystem.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (20 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 3 changes

In Release 15, the ENSI function was introduced to support the external exposure of network slice information via the NEF, including for token-based authorization. This involved defining security requirements for slice management and enabling the NEF to securely provide internal 5G Core information such as S-NSSAI to external Application Functions. The introduction also included support for mutual authentication between the NEF and the Application Function.

  • CAPIF support for NEF external exposure interface TS 33.501CR0215
  • CR-slice-management-security TS 33.501CR0290
  • Slice information for token-based authorization TS 33.501CR0575
Rel-16 3 changes

In Release 16, the ENSI-related enhancements introduced new procedures for Network Slice-Specific Authentication and Authorization (NSSAA), including a new AAA-Server triggered Slice-Specific Authorization Revocation procedure. The NSSAAF function was specified to handle these requests and support AAA-S triggered re-authentication and authorization revocation. Furthermore, corrections were made to the initial EAP authentication procedure when interacting with an external AAA server.

  • Network slice specific authentication and authorization clauses TS 33.501CR0853
  • Modification on AAA Server triggered Slice-Specific Authorization Revocation procedure TS 33.501CR0909
  • Correction to initial EAP Authentication with an external AAA server TS 33.501CR0830
Rel-17 6 changes

In Release 17, the ENSI function was enhanced with new capabilities for network slice re-authentication and revocation initiated by the AAA-S, requiring the NSSAAF to support these AAA-S triggered procedures. It also introduced specific slice privacy protections within NSSAA-related procedures. Furthermore, the release added authorization for an Application Function to access network slice quota-usage information.

  • AF Authorization for accessing network slice quota-usage information TS 33.501CR1269
  • Protect additional SoR information (CPSOR-CMCI) (future proof alternative) TS 33.501CR1345
  • Change the procedure of network slice re-authentication and revocation by AAA-S TS 33.501CR1091
  • clarification on the internal authentication and an external authentication TS 33.501CR1469
  • Slice privacy protection in NSSAA related procedures (Rel-17) TS 33.501CR1142
  • Editorial changes for ENSI TS 33.501CR1412
Rel-18 5 changes

In Release 18, enhancements to the ENSI function introduced new validation mechanisms for network slice selection, specifically to prevent slice-based attacks and ensure authorization integrity. This included the validation of allowed slices within access token requests at the NRF and the validation of requested slices at the NF service producer. Furthermore, the release defined procedures for the retrieval of EASDF security information to support these security validations.

  • Verification of NSSAIs for preventing slice attack TS 33.501CR1525
  • Retrieval of the EASDF security information from EASDF TS 33.501CR1989
  • Validation of the allowed slices in the access token request at NRF TS 33.501CR2039
  • Validation of the requested slices at NF service producer TS 33.501CR2040
  • Resolution of EN concerning indication from UDM to AUSF to select authentication with external credential holder TS 33.501CR1942
Rel-19 3 changes

In Release 19, the ENSI function was updated with requirements for the secure retrieval of 5G system UE identifiers and privacy-related information. Furthermore, enhancements were made to protect XRM Media-related information in connect-UDP, which included the removal of the EN (Encryption Null) method for protecting this information within the UDP Option.

  • Requirements for secure retrieval of 5G system UE Ids and privacy related information TS 33.501CR2093
  • Protecting XRM Media related information in connect-UDP TS 33.501CR2107
  • Removal of EN for protecting XRM Media related information in UDP Option TS 33.501CR2129

Explore further

Broader topics and technologies where ENSI plays a role.

Topics
OAM (Operations & Maintenance)Authentication (5G-AKA, EAP)NAS (Non-Access Stratum)Roaming & InterconnectMEC (Edge Computing)Lawful Intercept
Technologies
5G

Defining Specifications

3GPP specifications that define or reference ENSI, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

SpecificationTitleRelease
TS 33.501 vk00 5G Security Architecture and Procedures Rel-20