Description
NAUN3 is a concept defined in 3GPP Release 18 within the context of 5G system access security. It classifies a Non-3GPP access network (N3AN) based on its capability to support authentication procedures with the 5G Core Network. Specifically, a NAUN3 is an N3AN that does not have the functionality to execute the primary authentication and key agreement procedure (5G-AKA or EAP-AKA') between the User Equipment (UE) and the 5G core's Authentication Server Function (AUSF). When a UE connects via a NAUN3, the access network itself is treated as an untrusted conduit. Therefore, the establishment of a secure connection to the 5G core must be achieved through an IPsec tunnel or other secure tunneling mechanism terminated at a Non-3GPP InterWorking Function (N3IWF) in the core network.

The N3IWF acts as a security gateway. The UE first establishes a connection to the NAUN3 (e.g., associates with a Wi-Fi AP) and obtains a local IP address. It then initiates an IKEv2/IPsec tunnel establishment procedure with the N3IWF. Within this IKEv2 exchange, the EAP-AKA' authentication method is run, allowing the UE and the AUSF to authenticate each other through the N3IWF. Successful authentication results in the derivation of security keys used to secure the IPsec tunnel. All subsequent user plane and control plane traffic between the UE and the 5G core is carried within this encrypted tunnel, ensuring confidentiality and integrity despite the untrusted and non-authenticable nature of the underlying access network.
Purpose & Motivation
The NAUN3 concept was introduced to formally recognize and define the security treatment of a broad class of existing and future Non-3GPP access networks that lack integrated 3GPP authentication capabilities. This includes most public, private, and home Wi-Fi networks, which are ubiquitous but were not designed with 3GPP security protocols in mind. Prior to this formal categorization, the 5G system treated all Non-3GPP access as either 'trusted' or 'untrusted,' with untrusted access requiring tunneling via an N3IWF. NAUN3 refines the 'untrusted' category by explicitly calling out the inability to perform authentication as a key characteristic. This formalization ensures clear and consistent security procedures in the standards. It addresses the practical problem of securely integrating billions of devices using Wi-Fi and other non-cellular technologies into the 5G service fabric, without requiring upgrades to the access networks themselves. It enables operators to extend 5G services over any IP-based access while maintaining the high security standards of the 3GPP system.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (52 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the Non-Authenticable Non-3GPP (NAUN3) function was introduced, enabling a 5G-RG to act on behalf of a connectivity group of one or more NAUN3 devices. This allows the entire group to share a single PDU session for access to the 5G Core Network via an N3IWF or TNGF. Furthermore, Non-3GPP QoS Assistance Information (N3QAI) was defined to allow the 5G-RG to perform QoS differentiation for traffic from these NAUN3 devices.
In Release 16, enhancements for the NAUN3 function included enabling a 5G-RG to request a single PDU Session on behalf of a connectivity group of NAUN3 devices, with all devices sharing that session. Furthermore, the Non-3GPP QoS Assistance Information (N3QAI) was introduced to allow the 5G-RG to perform QoS differentiation for traffic from these NAUN3 devices. The release also specified that a UE could construct packet filters based on the N3IWF destination IP address and Security Parameter Index (SPI) to support QoS differentiation when accessing PLMN services via an SNPN.
- Packet filters based on N3IWF IP address and SPI for IPsec SA (TS 24.501 CR1231)
- N3IWF FQDN configured in a UE to support access to PLMN/SNPN services via SNPN/PLMN (TS 24.502 CR0079)
- Update of requirements on UE to construct packet filters based on the N3IWF destination IP address and the SPI for the IPsec SA (TS 24.501 CR1364)
- FQDN for N3IWF selection to access PLMN services via an SNPN (TS 24.502 CR0102)
- Extending congestion notification to capture N3IWF or TNGF overload (TS 24.502 CR0130)
- Enable N3IWF to initiate TCP connection establishment upon failure (TS 24.502 CR0131)
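Because the inner traffic is encrypted, the N3IWF destination IP address and the SPI of the IPsec SA are the only fields such a packet filter can match on. The Python below is an added example (not taken from the 3GPP specifications or from this page): it extracts that pair from IPv4 ESP packets, including UDP-encapsulated ESP on port 4500 (RFC 3948), and maps it to a QoS label. The addresses, SPIs, labels and function names are constructed for illustration.

```python
import ipaddress
import struct

ESP, UDP, NATT_PORT = 50, 17, 4500  # IP protocol numbers; RFC 3948 UDP port

def esp_key(pkt: bytes):
    """Return (dst_ip, spi) for an uplink IPv4 ESP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None  # non-first fragment: no ESP header to read
    dst, body = ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:]
    if pkt[9] == UDP:  # UDP-encapsulated ESP (NAT between UE and N3IWF)
        if len(body) < 8 or struct.unpack("!H", body[2:4])[0] != NATT_PORT:
            return None
        body = body[8:]
    elif pkt[9] != ESP:
        return None
    if len(body) < 8:  # need SPI + sequence number; drops 1-byte keepalives
        return None
    spi = struct.unpack("!I", body[:4])[0]
    return (dst, spi) if spi != 0 else None  # SPI 0 = non-ESP marker (IKE)

def classify(pkt: bytes, filters: dict, default: str = "default") -> str:
    """Map a packet to a QoS label via exact (N3IWF IP, SPI) match."""
    return filters.get(esp_key(pkt), default)

def ipv4(proto: int, dst: str, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0, not verified)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample data: documentation addresses, made-up SPIs and labels.
N3IWF = ipaddress.IPv4Address("203.0.113.5")
FILTERS = {(N3IWF, 0xC0FFEE01): "signalling", (N3IWF, 0xC0FFEE02): "voice"}
def esp(spi: int) -> bytes:
    return struct.pack("!II", spi, 1) + b"\x00" * 16
def udp(data: bytes) -> bytes:
    return struct.pack("!HHHH", 4500, 4500, 8 + len(data), 0) + data

if __name__ == "__main__":
    print(classify(ipv4(ESP, "203.0.113.5", esp(0xC0FFEE01)), FILTERS))
    print(classify(ipv4(UDP, "203.0.113.5", udp(esp(0xC0FFEE02))), FILTERS))
    print(classify(ipv4(UDP, "203.0.113.5", udp(b"\0" * 4 + b"\x11" * 28)), FILTERS))
```

IKE messages sharing port 4500 start with four zero bytes, so they fall through to the default label instead of being mistaken for an SA with SPI 0.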
In Release 17, enhancements for the NAUN3 function included enabling a 5G-RG to request a single PDU Session on behalf of a connectivity group of NAUN3 devices, which all share that session. Furthermore, the introduction of Non-3GPP QoS Assistance Information (N3QAI) allowed the 5G-RG to perform QoS differentiation for traffic from these NAUN3 devices. The release also specified procedures for N3IWF selection for emergency services and for access to SNPN services via a PLMN.
In Release 18, the NAUN3 (Non-Authenticable Non-3GPP) function was formally introduced, enabling a 5G-RG to act on behalf of a connectivity group of such devices and establish a shared PDU session for them. The release also enhanced slice-based N3IWF selection, allowing the UE to indicate its support for this capability and defining procedures where the network can reject a registration if the selected N3IWF is incompatible with the allowed network slices. Furthermore, mechanisms were specified for the network to provide an N3IWF identifier in a REGISTRATION REJECT message to guide the UE's subsequent selection attempt.
- N3IWF with slice capability (TS 24.501 CR4877)
- UE to indicate its support for Slice-based N3IWF selection to the network (TS 24.501 CR4961)
- Rejecting the UE Registration due to the selected N3IWF by the UE is not compatible with the used slices (TS 24.501 CR4963)
- Aborting registration procedure when the selected N3IWF is not compatible with the allowed NSSAI (TS 24.501 CR5119)
- Support of AUN3/NAUN3 device behind 5G-RG (TS 24.501 CR5421)
- Protecting the N3IWF/TNGF identifier information in the REGISTRATION REJECT message (TS 24.501 CR5932)
In Release 19, the NAUN3 function was enhanced to handle specific unprotected REGISTRATION REJECT messages from the network. This includes defining UE behavior upon receiving cause #81, "Selected N3IWF is not compatible with the allowed NSSAI," particularly when the UE supports slice-based N3IWF selection. The specification now allows the UE to use a provided N3IWF identifier from the reject message to select a compatible N3IWF for a subsequent registration attempt.
- Handling of unprotected REGISTRATION REJECT message with causes #81 and #82 (Selected N3IWF/TNGF is not compatible with the allowed NSSAI) (TS 24.501 CR6795)
Defining Specifications
3GPP specifications that define or reference NAUN3, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 24.502 vj20 | 5G Core Access via Non-3GPP Networks; Stage 3 | Rel-19 |
| TS 24.526 vj30 | UE Policies for 5GS; Stage 3 | Rel-19 |