ICF

Initial Connectivity Function

Security →
Introduced in Rel-9

ICF is a security function for MTC and IoT devices that acts as a trusted intermediary during initial network attachment to facilitate secure bootstrap and credential provisioning.

Category
Security
Introduced
Rel-9
Where
Core Network › 5G Core
Specifications
3 specs
ICF Description Purpose Related Classification Detected Changes Specifications

Description

The Initial Connectivity Function (ICF) is a network-based security entity specified within 3GPP for securing the initial network entry and bootstrap procedure of constrained devices, particularly in the context of Machine-Type Communication (MTC) and Internet of Things (IoT). Its primary role is to act as a trusted third party or a bootstrap server that assists a device, which may have only minimal pre-configured credentials (like a factory-installed Pre-Shared Key (PSK) or a certificate), in establishing a secure connection with its intended service provider or application server. The ICF is part of the broader 3GPP security architecture for MTC, often interacting with the Home Subscriber Server (HSS) and the MTC Interworking Function (MTC-IWF).

Architecturally, the ICF can be located in the home network of the device or in a dedicated service network. How it works begins when an IoT device powers on for the first time and attempts to attach to the network. The device authenticates itself to the network using its initial, limited credentials (e.g., a PSK shared with the ICF). Following successful authentication, the ICF intervenes in the process. It securely communicates with the device, often using a TLS or DTLS tunnel established with the initial credentials. Through this secure channel, the ICF provisions the device with the necessary long-term or service-specific credentials required for subsequent regular network access and communication with its final Application Server (AS). This could involve provisioning a new SIM credential (for eSIM scenarios), an application-specific key, or certificates.

The ICF's key components include secure storage for bootstrap keys, protocols for secure credential delivery (aligned with standards like the IETF's Bootstrapping Remote Secure Key Infrastructures (BRSKI) or Lightweight M2M (LwM2M) bootstrap), and interfaces to credential issuers (like a Certificate Authority) or the HSS. Its role is critical for lifecycle management of IoT devices, enabling 'zero-touch' provisioning at scale. It decouples the manufacturing and shipping process (where a generic bootstrap credential is installed) from the deployment process (where device-specific operational credentials are assigned), enhancing security and operational flexibility. Specifications such as TS 33.127 and TS 33.128 detail the security procedures and architecture involving the ICF.

Purpose & Motivation

The ICF was created to address the significant security and operational challenges associated with deploying massive numbers of IoT devices. Traditional mobile device provisioning, centered around the Universal Integrated Circuit Card (UICC), assumes a manageable lifecycle. For IoT, devices may be deployed in inaccessible locations, have extremely long lifetimes, or be manufactured by one entity and operated by another. Pre-provisioning each device with its final operational credentials at the factory is inflexible and risky. The ICF solves this by enabling a secure, remote bootstrap process.

The historical context stems from 3GPP's work on MTC security starting in Release 9 and evolving through later releases. Early MTC studies identified the need for enhanced security measures for devices that might not have a UICC or might use lightweight authentication methods. The limitation of previous approaches was the lack of a standardized, network-assisted mechanism to transition a device from a simple, factory-default credential to a robust, service-specific credential set in a fully automated and secure manner. The ICF provides this mechanism.

Its creation was motivated by the need for scalable and secure onboarding. It allows device manufacturers to install a single type of bootstrap credential (e.g., a PSK) on all devices, simplifying the supply chain. Network operators or service providers can then later, and remotely, provision the unique credentials required for their specific service through the trusted ICF. This solves problems of credential management, reduces the risk of credential compromise at the factory, and supports business models like device re-sale or service transfer. It is a foundational element for secure massive IoT deployments as envisioned in releases focusing on CIoT and LTE-M/NB-IoT.

Classification

Part ofMTC
Related approachesMTC-IWF

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (5 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-9, normative work from Rel-16.

Rel-16 1 change

In Release 16, the Initial Connectivity Function (ICF) was introduced as a dedicated Identifier Caching Function responsible for caching temporary and permanent identifier associations received from IEFs over the LI_XER interface. It is managed by the LICF, which ensures its activation state and provides its information to the IQF for handling LEA queries over the LI_XQR interface. The ICF supports query types including single queries and triggered real-time reporting of subsequent identifier changes.

  • Enhanced AMF Location Update Reporting with Dual Connectivity TS 33.128CR0083
Rel-17 1 change

In Release 17, the standardization clarified the terminology and roles of the Identifier Caching Function (ICF) by resolving inconsistent use of terms like IEF, ICF, and IQF. The release specified the LICF's responsibility for managing and auditing IEFs and the ICF, including procedures for activating and deactivating their reporting capabilities and ensuring the ICF is activated before IEFs to prevent data loss.

  • Inconsistent use of IEF, ICF and IQF terminology TS 33.127CR0165
Rel-18 1 change

In Release 18, the specification introduced a formal name change for a key management interface, renaming LI_XEM1 to LI_XER in the context of transmissions to the ICF. This interface is used by the LICF, proxied by the LIPF, to manage and control the activation state of the IEF(s) and the ICF. The update provides clearer terminology for the procedure where the LICF activates or deactivates identifier association reporting capabilities on a per-IEF basis.

  • LI_XEM1 should be LI_XER in 6.2.2A.2.3 Transmission to the ICF TS 33.128CR0625
Rel-19 2 changes

In Release 19, the ICF (Identifier Caching Function) was enhanced to support an ICF Record Update Without 5G-GUTI Association Change, allowing updates to cached identifier associations independently of a change to the 5G-GUTI. Furthermore, support was introduced for mobile IAB nodes, involving the transport of a Mobile IAB Authorized Indicator and UE differentiation information within the Initial Context Setup Request and NAS transport procedures.

  • Mobile IAB Authorized Indicator and UE differentiation information in Initial Context Setup Request, NAS transport initial Information with mobile IAB TS 33.128CR0678
  • ICF Record Update Without 5G-GUTI Association Change TS 33.128CR0694

Explore further

Broader topics and technologies where ICF plays a role.

Topics
Authentication (5G-AKA, EAP)MEC (Edge Computing)LTE / LTE-AdvancedLawful InterceptIoT & MTCManagement & Operations
Technologies
LTE

Defining Specifications

3GPP specifications that define or reference ICF, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

SpecificationTitleRelease
TS 33.127 vj50 Lawful Interception Architecture and Functions Rel-19
TS 33.128 vj50 3GPP TS 33.128: Lawful Interception Protocols Rel-19
TS 33.812 v920 M2M Remote Subscription Management Security Rel-9