N3IWF (Non-3GPP access InterWorking Function) — 3GPP Glossary

The N3IWF is a core network function that enables secure, seamless integration of non-3GPP access networks (like Wi-Fi) into the 5G Core. It acts as a trusted gateway, terminating IPsec tunnels from untrusted non-3GPP access points and relaying traffic to the 5G Core over the N2 and N3 interfaces. This is crucial for providing unified 5G services across heterogeneous access technologies.

Description

The Non-3GPP InterWorking Function (N3IWF) is a critical network function within the 5G Core (5GC) architecture, specifically defined to integrate untrusted non-3GPP access networks. Untrusted non-3GPP access refers primarily to access technologies not specified by 3GPP, such as Wi-Fi, which are considered untrusted from a 5G Core security perspective. The N3IWF serves as the secure point of entry for User Equipment (UE) connecting via such access, establishing itself as a termination point within the operator's trusted domain.

Architecturally, the N3IWF interfaces with the UE over the NWu reference point, which utilizes IKEv2 and IPsec protocols to establish secure tunnels. This ensures confidentiality and integrity for user plane traffic and signaling between the UE and the 5GC. On the network side, the N3IWF connects to other 5GC Network Functions via standard interfaces: it connects to the Access and Mobility Management Function (AMF) over the N2 interface for control plane signaling (e.g., registration, authentication) and to the User Plane Function (UPF) over the N3 interface for user data transfer. This allows the UE to be treated as if it were connected via 3GPP radio access, enabling consistent service continuity and policy enforcement.

The N3IWF's operation involves several key procedures. During initial attachment, the UE discovers an N3IWF and performs IKEv2 authentication and IPsec Security Association (SA) establishment, often leveraging 5G authentication credentials (e.g., from a USIM). The N3IWF then relays the UE's NAS messages (encapsulated within the IPsec tunnel) to the AMF over N2. For user plane, the N3IWF decapsulates incoming IPsec packets from the UE and forwards the inner IP packets to the UPF over a GTP-U tunnel on N3, and vice versa. It also plays a role in supporting mobility events, such as handovers between 3GPP and non-3GPP access.

Key components within the N3IWF's logical design include the termination points for IKEv2 and IPsec, the relay function for N1/N2 NAS signaling, and the GTP-U endpoint for the N3 interface. Its role is fundamental in realizing the 5G vision of access-agnostic service delivery, allowing operators to leverage existing Wi-Fi infrastructure to offload traffic, enhance coverage, and provide a seamless user experience without compromising 5G security and service standards.

Purpose & Motivation

The N3IWF was introduced in 3GPP Release 15 as part of the new 5G System (5GS) architecture to solve the critical problem of integrating non-3GPP access networks into the 5G core in a secure and standardized manner. Prior to 5G, integration of Wi-Fi with cellular networks was handled through separate, often proprietary gateways (like ePDG in EPS for untrusted Wi-Fi) that were not fully aligned with the cloud-native, service-based principles of 5GC. The motivation was to create a unified core that could deliver consistent services, security, and policies regardless of the underlying access technology (3GPP or non-3GPP).

Historically, non-3GPP access (especially untrusted Wi-Fi) presented security risks and management complexities. The N3IWF addresses these by providing a standardized, secure interworking function that applies the same robust 5G authentication and security mechanisms (like 5G-AKA or EAP-AKA') to non-3GPP connections. It solves the problem of access fragmentation, enabling seamless session continuity and service-based architecture exposure for devices connecting via Wi-Fi. This was driven by the industry need to leverage dense Wi-Fi deployments for capacity augmentation, indoor coverage, and fixed wireless access scenarios within the 5G service framework.

Furthermore, the creation of the N3IWF was motivated by the limitation of previous interworking solutions which were often bolt-ons to the core network. In 5G, the N3IWF is a first-class citizen within the SBA, interacting with the AMF and UPF via service-based interfaces. This allows for more flexible deployment, better scalability, and integrated policy control, fulfilling the 5G requirement for convergence of fixed and mobile networks.

Key Features

Terminates IKEv2 and IPsec tunnels from UEs over the NWu interface for secure untrusted non-3GPP access
Relays N1 (UE-AMF) and N2 (AMF-UE) NAS signaling messages between the UE and the AMF
Provides user plane relay function, forwarding data between UE IPsec tunnels and N3 GTP-U tunnels to/from the UPF
Supports 5G authentication procedures (e.g., 5G-AKA, EAP-AKA') for non-3GPP attached UEs
Enables mobility and session continuity policies between 3GPP and non-3GPP access types
Interacts with other 5GC Network Functions (AMF, UPF) via service-based interfaces (N2, N3)

Evolution Across Releases

Rel-15 Initial

Introduced as a new Network Function in the 5G Core for untrusted non-3GPP access interworking. Defined the basic architecture with NWu (IKEv2/IPsec), N2, and N3 interfaces, supporting initial registration, authentication, and PDU session establishment over Wi-Fi.

TS 23.501 TS 24.501 TS 24.502 TS 24.526 TS 24.890 TS 28.828 TS 29.214 TS 29.413 TS 29.518 TS 29.525 TS 29.561 TS 32.255 TS 32.256 TS 33.127 TS 33.501 TS 38.413

Rel-16

Enhanced support for Access Traffic Steering, Switching and Splitting (ATSSS) to allow simultaneous use of 3GPP and non-3GPP accesses. Introduced enhancements for improved handover procedures and support for location services for non-3GPP connected UEs.

TS 23.501 TS 24.501 TS 24.502 TS 24.526 TS 24.890 TS 28.828 TS 29.214 TS 29.413 TS 29.518 TS 29.525 TS 29.561 TS 32.255 TS 32.256 TS 33.127 TS 33.501 TS 38.413

Rel-17

Further refined ATSSS capabilities and support for enhanced non-3GPP access discovery and selection. Introduced optimizations for power saving and support for network slicing over non-3GPP access via the N3IWF.

TS 23.501 TS 24.501 TS 24.502 TS 24.526 TS 24.890 TS 28.828 TS 29.214 TS 29.413 TS 29.518 TS 29.525 TS 29.561 TS 32.255 TS 32.256 TS 33.127 TS 33.501 TS 38.413

Rel-18

Extended support for integration with 5G-Advanced features, including enhanced network slicing and service continuity for new service types. Work on aligning non-3GPP access with evolving 5G-Advanced architecture principles.

TS 23.501 TS 24.501 TS 24.502 TS 24.526 TS 24.890 TS 28.828 TS 29.214 TS 29.413 TS 29.518 TS 29.525 TS 29.561 TS 32.255 TS 32.256 TS 33.127 TS 33.501 TS 38.413

Rel-19

Continued evolution within the 5G-Advanced framework, focusing on integration with AI/ML-based network optimization, enhanced security protocols, and support for more diverse non-3GPP access technologies.

TS 23.501 TS 24.501 TS 24.502 TS 24.526 TS 24.890 TS 28.828 TS 29.214 TS 29.413 TS 29.518 TS 29.525 TS 29.561 TS 32.255 TS 32.256 TS 33.127 TS 33.501 TS 38.413

Rel-20

Further enhancements under development as part of 5G-Advanced and early 6G exploration, expected to include tighter integration with next-generation core network architectures and support for extreme performance scenarios over converged access.

TS 23.501 TS 24.501 TS 24.502 TS 24.526 TS 24.890 TS 28.828 TS 29.214 TS 29.413 TS 29.518 TS 29.525 TS 29.561 TS 32.255 TS 32.256 TS 33.127 TS 33.501 TS 38.413

Defining Specifications

Specification	Title
TS 23.501	3GPP TS 23.501
TS 24.501	3GPP TS 24.501
TS 24.502	3GPP TS 24.502
TS 24.526	3GPP TS 24.526
TS 24.890	3GPP TS 24.890
TS 28.828	3GPP TS 28.828
TS 29.214	3GPP TS 29.214
TS 29.413	3GPP TS 29.413
TS 29.518	3GPP TS 29.518
TS 29.525	3GPP TS 29.525
TS 29.561	3GPP TS 29.561
TS 32.255	3GPP TR 32.255
TS 32.256	3GPP TR 32.256
TS 33.127	3GPP TR 33.127
TS 33.501	3GPP TR 33.501
TS 38.413	3GPP TR 38.413