Description
The Onboarding Network (ONN) is a fundamental component within the 3GPP onboarding framework, specifically for mechanisms like ON-SNPN. Conceptually, it is a network that a device can initially attach to when it lacks valid credentials for its intended final destination network, which is often a Standalone Non-Public Network (SNPN). The ONN's primary role is to provide a controlled, authenticated, and secure environment where the device can establish IP connectivity and communicate with a remote onboarding server or credential issuer. This server is typically associated with the target SNPN or a trusted third-party service provider.
Architecturally, an ONN can be implemented as a dedicated slice of a Public Land Mobile Network (PLMN), a separate SNPN configured for onboarding purposes, or even a neutral-host network. It includes standard 5G core network functions like the AMF, SMF, and UPF to provide basic data connectivity. Crucially, it also interfaces with an Onboarding Server Function (OSF) or a similar entity responsible for authenticating the device and issuing credentials. The ONN operates with a specific set of network identifiers (a PLMN ID or SNPN ID) that devices are pre-configured to recognize or discover as a trusted entry point for onboarding.
The operational flow involves a UE attempting to register with a network for onboarding. If the UE's target SNPN is not available or the UE lacks credentials, it may search for and select a pre-configured ONN. Upon successful but limited authentication with the ONN (potentially using generic or device-specific initial credentials), the UE is granted restricted data connectivity. Over this secured channel, the UE establishes an HTTPS or similar secure session with the onboarding server. The server authenticates the device's immutable identity, validates its right to join the target SNPN, and then provisions it with the necessary subscription credentials (SUPI, authentication keys). After successful provisioning, the UE disconnects from the ONN and uses the new credentials to perform a standard registration procedure with its target SNPN. The ONN thus acts as a secure intermediary, isolating the potentially vulnerable provisioning process from the operational networks.
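The provisioning step described above, as an added example that is not part of the original page or of any 3GPP specification: a Python model of the onboarding server's checks (identity proof, entitlement to the target SNPN, single issuance) together with the ONN's restricted egress rule. The HMAC challenge-response, device IDs, keys, server address and SNPN names are assumptions constructed for illustration; the page does not specify the authentication method.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; every name and value below is hypothetical.
ONBOARDING_SERVER = ("198.51.100.10", 443)        # only egress allowed from the ONN
DEVICE_KEYS = {"dev-0001": b"factory-key-0001"}   # per-device initial credential
ENTITLEMENTS = {"dev-0001": "snpn-factory-a"}     # device -> target SNPN it may join


def onn_egress_allowed(dst_ip, dst_port):
    """Restricted connectivity: the onboarding session reaches the server only."""
    return (dst_ip, dst_port) == ONBOARDING_SERVER


def device_proof(key, nonce, target_snpn):
    """Device side: prove possession of the initial key, bound to nonce and target."""
    return hmac.new(key, nonce + target_snpn.encode(), hashlib.sha256).digest()


class OnboardingServer:
    def __init__(self):
        self.pending = {}    # device_id -> outstanding challenge nonce
        self.issued = set()  # devices that already received credentials

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def provision(self, device_id, target_snpn, proof):
        """Return (status, credentials); credentials is None unless status is 'ok'."""
        nonce = self.pending.pop(device_id, None)  # single use: a replay finds no nonce
        key = DEVICE_KEYS.get(device_id)
        if nonce is None or key is None:
            return "unknown-device-or-no-challenge", None
        if not hmac.compare_digest(proof, device_proof(key, nonce, target_snpn)):
            return "identity-check-failed", None
        if ENTITLEMENTS.get(device_id) != target_snpn:
            return "not-entitled", None
        if device_id in self.issued:
            return "already-provisioned", None
        self.issued.add(device_id)
        creds = {"supi": f"placeholder-supi-{device_id}", "snpn": target_snpn,
                 "auth_key": secrets.token_hex(16)}
        return "ok", creds
```

The checks run in order from cheapest rejection to issuance, so a device that fails the identity proof never learns whether it is entitled to the SNPN it asked for.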
Purpose & Motivation
The ONN was conceived to address a critical bootstrap problem in large-scale IoT and private network deployments: how does a device with no prior relationship to a network securely obtain the credentials needed to access that network? Without an ONN, the options are limited to impractical or insecure methods like manual configuration, physical interfaces, or pre-provisioning all devices at the factory for a specific customer, which hinders scalability and supply chain efficiency.
The creation of the ONN concept in 3GPP Release 17 was motivated by the need for a standardized, carrier-grade, and secure bootstrap mechanism. It provides a trusted 'landing zone' that is separate from the production SNPN, enhancing security by containing any potential attacks during the provisioning phase to the onboarding environment. This separation of concerns allows SNPN operators to focus on their core operational security without exposing their authentication infrastructure to unauthenticated devices. The ONN enables zero-touch provisioning models, which are essential for cost-effective deployment of thousands of sensors and actuators in industrial settings. It also offers flexibility, as a single ONN (e.g., operated by a device manufacturer or a mobile operator) can serve as the onboarding platform for devices destined for multiple different SNPNs owned by different enterprises.
Key Features
- Provides initial, restricted IP connectivity to devices lacking final network credentials
- Can be implemented as a PLMN, an SNPN, or a network slice dedicated to onboarding
- Interfaces with a trusted Onboarding Server Function for credential issuance
- Uses specific network identifiers (PLMN ID/SNPN ID) discoverable by onboarding-capable UEs
- Supports secure protocols (e.g., TLS) for communication between the device and the onboarding server
- Isolates the credential provisioning process from operational networks for enhanced security
Evolution Across Releases
Introduced the Onboarding Network (ONN) as a core architectural component supporting the ON-SNPN procedure. Defined its role in providing initial access, its possible instantiations (e.g., as a PLMN), and its functional requirements for interfacing with onboarding servers and devices.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.501 | 3GPP TS 23.501 |
| TS 29.512 | 3GPP TS 29.512 |