Description
NAUN3 is a concept defined in 3GPP Release 18 within the context of 5G system access security. It classifies a Non-3GPP access network (N3AN) based on its capability to support authentication procedures with the 5G Core Network. Specifically, a NAUN3 is an N3AN that does not have the functionality to execute the primary authentication and key agreement procedure (5G-AKA or EAP-AKA') between the User Equipment (UE) and the 5G core's Authentication Server Function (AUSF). When a UE connects via a NAUN3, the access network itself is treated as an untrusted conduit. Therefore, the establishment of a secure connection to the 5G core must be achieved through an IPsec tunnel or other secure tunneling mechanism terminated at a Non-3GPP InterWorking Function (N3IWF) in the core network.

The N3IWF acts as a security gateway. The UE first establishes a connection to the NAUN3 (e.g., associates with a Wi-Fi AP) and obtains a local IP address. It then initiates an IKEv2/IPsec tunnel establishment procedure with the N3IWF. Within this IKEv2 exchange, the EAP-AKA' authentication method is run, allowing the UE and the AUSF to authenticate each other through the N3IWF. Successful authentication results in the derivation of security keys used to secure the IPsec tunnel. All subsequent user plane and control plane traffic between the UE and the 5G core is carried within this encrypted tunnel, ensuring confidentiality and integrity despite the untrusted and non-authenticable nature of the underlying access network.
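The key-derivation step mentioned above can be made concrete with the K_N3IWF derivation from K_AMF, which the UE and the network compute independently before the IKEv2 authentication completes. This is an added example, not taken from the specifications listed on this page: it follows the KDF input layout of TS 33.501 Annex A.9 and TS 33.220 Annex B, the function names are hypothetical, and the K_AMF value is a constructed sample.

```python
import hashlib
import hmac

FC_AN_KEY = 0x6E         # FC for K_gNB / K_N3IWF derivation (TS 33.501 Annex A.9)
ACCESS_3GPP = 0x01       # access type distinguisher values from the same annex
ACCESS_NON_3GPP = 0x02


def build_s(uplink_nas_count: int, access_type: int) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 (KDF input layout of TS 33.220 Annex B)."""
    if not 0 <= uplink_nas_count < 2**32:
        raise ValueError("uplink NAS COUNT must fit in 32 bits")
    if access_type not in (ACCESS_3GPP, ACCESS_NON_3GPP):
        raise ValueError("unknown access type distinguisher")
    p0 = uplink_nas_count.to_bytes(4, "big")
    p1 = bytes([access_type])
    return (bytes([FC_AN_KEY]) + p0 + len(p0).to_bytes(2, "big")
            + p1 + len(p1).to_bytes(2, "big"))


def derive_k_n3iwf(k_amf: bytes, uplink_nas_count: int) -> bytes:
    """K_N3IWF = HMAC-SHA-256(K_AMF, S) with the non-3GPP distinguisher."""
    if len(k_amf) != 32:
        raise ValueError("K_AMF must be 256 bits")
    s = build_s(uplink_nas_count, ACCESS_NON_3GPP)
    return hmac.new(k_amf, s, hashlib.sha256).digest()


def keys_agree(k_amf: bytes, ue_count: int, amf_count: int) -> bool:
    """True when UE and network derive the same K_N3IWF."""
    ue_key = derive_k_n3iwf(k_amf, ue_count)
    net_key = derive_k_n3iwf(k_amf, amf_count)
    return hmac.compare_digest(ue_key, net_key)


if __name__ == "__main__":
    k_amf = bytes(range(32))  # constructed sample key, not a real K_AMF
    print("S          :", build_s(0, ACCESS_NON_3GPP).hex())
    print("K_N3IWF    :", derive_k_n3iwf(k_amf, 0).hex())
    print("in sync    :", keys_agree(k_amf, 0, 0))
    print("count drift:", keys_agree(k_amf, 1, 0))
```

A disagreement on the uplink NAS COUNT or the access type distinguisher yields unrelated keys on the two sides, so the IKEv2 authentication that depends on K_N3IWF fails rather than producing a tunnel keyed differently at each end.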
Purpose & Motivation
The NAUN3 concept was introduced to formally recognize and define the security treatment of a broad class of existing and future Non-3GPP access networks that lack integrated 3GPP authentication capabilities. This includes most public, private, and home Wi-Fi networks, which are ubiquitous but were not designed with 3GPP security protocols in mind. Prior to this formal categorization, the 5G system treated all Non-3GPP access as either 'trusted' or 'untrusted,' with untrusted access requiring tunneling via an N3IWF. NAUN3 refines the 'untrusted' category by explicitly calling out the inability to perform authentication as a key characteristic. This formalization ensures clear and consistent security procedures in the standards. It addresses the practical problem of securely integrating billions of devices using Wi-Fi and other non-cellular technologies into the 5G service fabric, without requiring upgrades to the access networks themselves. It enables operators to extend 5G services over any IP-based access while maintaining the high security standards of the 3GPP system.
Key Features
- Classification of Non-3GPP access networks that lack 3GPP authentication capability
- Mandates use of N3IWF as a security gateway for connection to the 5G core
- Requires establishment of an IPsec tunnel (using IKEv2 with EAP-AKA') between UE and N3IWF
- Ensures end-to-end security between UE and core network over an untrusted access link
- Enables 5G service continuity over widely available access like standard Wi-Fi
- Defined within the 5G security architecture for consistent policy application
Evolution Across Releases
Release 18 introduced the NAUN3 (Non-Authenticable Non-3GPP) concept as a formal classification within the 5G system architecture. It is defined in core specification TS 24.501, and the specific registration and session management procedures for UEs accessing via a NAUN3 are detailed in TS 24.502 and TS 24.526, clarifying the security and connectivity requirements for this access type.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.501 | 3GPP TS 24.501 |
| TS 24.502 | 3GPP TS 24.502 |
| TS 24.526 | 3GPP TS 24.526 |