N3IWF

Non-3GPP access InterWorking Function

Core Network →
Introduced in Rel-15

N3IWF is a core network function that enables secure integration of non-3GPP access networks into the 5G Core by acting as a gateway that terminates IPsec tunnels and relays traffic.

Category
Core Network
Introduced
Rel-15
Where
Core Network › 5G Core
Specifications
16 specs
N3IWF Description Purpose Related Classification Detected Changes Specifications

Description

The Non-3GPP InterWorking Function (N3IWF) is a critical network function within the 5G Core (5GC) architecture, specifically defined to integrate untrusted non-3GPP access networks. Untrusted non-3GPP access refers primarily to access technologies not specified by 3GPP, such as Wi-Fi, which are considered untrusted from a 5G Core security perspective. The N3IWF serves as the secure point of entry for User Equipment (UE) connecting via such access, establishing itself as a termination point within the operator's trusted domain.

Architecturally, the N3IWF interfaces with the UE over the NWu reference point, which utilizes IKEv2 and IPsec protocols to establish secure tunnels. This ensures confidentiality and integrity for user plane traffic and signaling between the UE and the 5GC. On the network side, the N3IWF connects to other 5GC Network Functions via standard interfaces: it connects to the Access and Mobility Management Function (AMF) over the N2 interface for control plane signaling (e.g., registration, authentication) and to the User Plane Function (UPF) over the N3 interface for user data transfer. This allows the UE to be treated as if it were connected via 3GPP radio access, enabling consistent service continuity and policy enforcement.

The N3IWF's operation involves several key procedures. During initial attachment, the UE discovers an N3IWF and performs IKEv2 authentication and IPsec Security Association (SA) establishment, often leveraging 5G authentication credentials (e.g., from a USIM). The N3IWF then relays the UE's NAS messages (encapsulated within the IPsec tunnel) to the AMF over N2. For user plane, the N3IWF decapsulates incoming IPsec packets from the UE and forwards the inner IP packets to the UPF over a GTP-U tunnel on N3, and vice versa. It also plays a role in supporting mobility events, such as handovers between 3GPP and non-3GPP access.

Key components within the N3IWF's logical design include the termination points for IKEv2 and IPsec, the relay function for N1/N2 NAS signaling, and the GTP-U endpoint for the N3 interface. Its role is fundamental in realizing the 5G vision of access-agnostic service delivery, allowing operators to leverage existing Wi-Fi infrastructure to offload traffic, enhance coverage, and provide a seamless user experience without compromising 5G security and service standards.

Purpose & Motivation

The N3IWF was introduced in 3GPP Release 15 as part of the new 5G System (5GS) architecture to solve the critical problem of integrating non-3GPP access networks into the 5G core in a secure and standardized manner. Prior to 5G, integration of Wi-Fi with cellular networks was handled through separate, often proprietary gateways (like ePDG in EPS for untrusted Wi-Fi) that were not fully aligned with the cloud-native, service-based principles of 5GC. The motivation was to create a unified core that could deliver consistent services, security, and policies regardless of the underlying access technology (3GPP or non-3GPP).

Historically, non-3GPP access (especially untrusted Wi-Fi) presented security risks and management complexities. The N3IWF addresses these by providing a standardized, secure interworking function that applies the same robust 5G authentication and security mechanisms (like 5G-AKA or EAP-AKA') to non-3GPP connections. It solves the problem of access fragmentation, enabling seamless session continuity and service-based architecture exposure for devices connecting via Wi-Fi. This was driven by the industry need to leverage dense Wi-Fi deployments for capacity augmentation, indoor coverage, and fixed wireless access scenarios within the 5G service framework.

Furthermore, the creation of the N3IWF was motivated by the limitation of previous interworking solutions which were often bolt-ons to the core network. In 5G, the N3IWF is a first-class citizen within the SBA, interacting with the AMF and UPF via service-based interfaces. This allows for more flexible deployment, better scalability, and integrated policy control, fulfilling the 5G requirement for convergence of fixed and mobile networks.

Classification

Part ofAMF
Specific typesAUN3N3ANN3GNAUN3TNGFTWIF
Related approachesUPFATSSSIPSec

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (279 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 61 changes

In Release 15, the N3IWF was introduced as a new network function to interconnect untrusted non-3GPP access networks (like WLAN) to the 5G Core Network via the N2 and N3 interfaces. It establishes IPsec tunnels with the UE over the NWu reference point to securely transport both control-plane and user-plane traffic. Furthermore, Release 15 specified its role in interworking scenarios with EPS, including procedures for traffic steering and support for single-registration mode both with and without the N26 interface.

  • Interworking between ePDG/EPC and NG-RAN/5GCN TS 24.501CR0174
  • Interworking between E-UTRAN/EPC and N3IWF/5GCN TS 24.501CR0176
  • User plane IPsec SA establishment not accepted TS 24.502CR0023
  • Clean up on the interworking without 26 indication TS 23.501CR0023
  • Corrections to Combined N3IWF/ePDG Selection TS 23.501CR0057
  • Interworking without N26 corrections TS 23.501CR0071

+ 55 more changes

Rel-16 96 changes

In Release 16, the N3IWF's capabilities were expanded to support Access Traffic Steering, Switching and Splitting (ATSSS) for Multi-Access PDU Sessions, enabling traffic steering across 3GPP and non-3GPP access. It also gained enhanced interworking functions for scenarios like Ethernet PDU sessions and Multi-Access sessions during EPS fallback, including specific support for 5G-RG. Furthermore, new configuration aspects were introduced, such as using an FQDN for N3IWF selection in standalone non-public networks and for accessing services across PLMN and SNPN boundaries.

  • Introduction of ATSSS Support TS 23.501CR0735
  • Support of Steering Functions for ATSSS TS 23.501CR0740
  • ATSSS-SMF and UPF selection TS 23.501CR0761
  • Updating 5.8.2.11 for N4 Rules to support ATSSS TS 23.501CR0785
  • FQDN format of N3IWF in a standalone non-public network TS 23.501CR0841
  • Enhancement on slice interworking--501 TS 23.501CR0850

+ 90 more changes

Rel-17 45 changes

In Release 17, enhancements for the N3IWF included updates to its selection process for emergency services and for network slices (N3SLICE), and introduced derived QoS handling for UDP-encapsulated IPsec packets to improve user plane differentiation. The release also expanded interworking support with EPS, particularly for EAP-based secondary authentication and charging enhancements for CIoT. Furthermore, it provided clarifications and guidelines for session continuity between SNPN and PLMN access and for applying ATSSS steering mode thresholds.

  • Informative guideline on supporting session/service continuity between SNPN and PLMN when using N3IWF TS 23.501CR2563
  • Applying thresholds to Load-Balancing steering mode in ATSSS TS 23.501CR2590
  • Update to N3IWF selection for N3SLICE TS 23.501CR2662
  • Partial ATSSS rule update by using ATSSS rule ID TS 23.501CR2886
  • Resolve ENs in NSAC support for EPC interworking TS 23.501CR3126
  • Derived QoS for UDP encapsulated IPsec packets TS 24.501CR3795

+ 39 more changes

Rel-18 64 changes

In Release 18, key enhancements for the N3IWF focused on enabling slice-aware selection and registration procedures. Specifically, the release introduced mechanisms for a UE to indicate its support for slice-based N3IWF selection and for the network to reject a registration if the selected N3IWF is not compatible with the UE's allowed or required network slices (S-NSSAI). Additionally, it defined extended configuration methods, such as slice-specific N3IWF prefix configuration, to support this refined selection process.

  • N3IWF selection enhancement for support of S-NSSAI needed by UE TS 23.501CR3707
  • RFSP index during interworking TS 23.501CR3713
  • Interworking with TSN network deployed in the transport network TS 23.501CR3811
  • Determining the ATSSS capabilities of a MA PDU Session when the UE supports MPQUIC TS 23.501CR4457
  • N3IWF with slice capability TS 24.501CR4877
  • UE to indicate its support for Slice-based N3IWF selection to the network TS 24.501CR4961

+ 58 more changes

Rel-19 11 changes

In Release 19, key enhancements for the N3IWF included improved handling of Access Traffic Steering, Switching and Splitting (ATSSS) capabilities and status in session management messages, alongside clarifications for UPF selection when the ATSSS feature is used. The release also introduced specific procedures for handling unprotected REGISTRATION REJECT messages with certain cause codes related to NSSAI compatibility and provided corrections and alignments for N3IWF selection logic. Furthermore, security aspects were updated with details on reauthentication for IPSec in non-3GPP access.

  • Inclusion of ATSSS status in related session management messages TS 24.501CR6880
  • Updates to the ATSSS capability handling TS 23.501CR5906
  • Clarification on UPF Selection for ATSSS feature TS 23.501CR5992
  • Handling of unprotected REGISTRATION REJECT message with causes #81 and #82 (Selected N3IWF/TNGF is not compatible with the allowed NSSAI) TS 24.501CR6795
  • Terminology alignment for ATSSS-LL steering functionality TS 24.501CR7001
  • Rel-19 CR 32.255 Correction of category for interworking attributes TS 32.255CR0603

+ 5 more changes

Rel-20 2 changes

In Release 20, the N3IWF's selection procedure was enhanced to consider energy-related information, potentially from the new Energy Information Function (EIF), to support more efficient network operation. Additionally, corrections were made to improve the handling of PDU Session IDs during charging procedures in EPS-5GS interworking scenarios involving a Visiting SMF.

  • N3IWF/TNGF reselection considering energy related information. TS 23.501CR6493
  • Rel-20 CR 32.255 Correction on PDU Session ID Handling for V-SMF Charging in EPS–5GS Interworking TS 32.255CR0622

Explore further

Broader topics and technologies where N3IWF plays a role.

Topics
Authentication (5G-AKA, EAP)Service Based ArchitectureNAS (Non-Access Stratum)MEC (Edge Computing)Lawful InterceptGTP & User Plane
Technologies
5G

Defining Specifications

3GPP specifications that define or reference N3IWF, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

SpecificationTitleRelease
TS 23.501 vk00 5G System Architecture Stage 2 Rel-20
TS 24.501 vj50 5G NAS Protocols Specification Rel-19
TS 24.502 vj20 5G Core Access via Non-3GPP Networks; Stage 3 Rel-19
TS 24.526 vj30 UE Policies for 5GS; Stage 3 Rel-19
TS 24.890 vg00 5G NAS Protocol for 5GS Stage 3 Rel-16
TR 28.828 vi00 Charging Aspects for Non-Public Networks Rel-18
TS 29.214 vj20 Policy and Charging Control over Rx Rel-19
TS 29.413 vj00 NGAP for Non-3GPP Access Rel-19
TS 29.518 vj50 AMF Service Based Interface Protocol Rel-19
TS 29.525 vj40 5G UE Policy Control Service Stage 3 Rel-19
TS 29.561 vj30 5G Interworking with External Data Networks Rel-19
TS 32.255 vk10 Telecom Management; Charging for 5G Data Connectivity Rel-20
TS 32.256 vj40 5G Connection & Mobility Charging Spec Rel-19
TS 33.127 vj50 Lawful Interception Architecture and Functions Rel-19
TS 33.501 vk00 5G Security Architecture and Procedures Rel-20
TS 38.413 vj10 NG Application Protocol (NGAP) Rel-19