Description
The Registration Operator (RO) is a functional role defined within the 5G System (5GS) architecture, specified in contexts like secondary authentication/authorization and network slice-specific authentication and authorization (NSSAA). Conceptually, the RO is a network operator—distinct from, but possibly the same as, the primary Serving PLMN (Public Land Mobile Network)—that holds the subscription and service profile for a user regarding a particular service or network slice instance. When a UE requests access to a service that requires separate credentials (e.g., an enterprise service, a third-party application service, or a specific network slice), the primary network (the Visited PLMN or Home PLMN) may interact with the RO to authenticate the user specifically for that service context.
Architecturally, the RO interacts with the 5G core network functions, primarily the Authentication Server Function (AUSF) and the Network Slice-Specific Authentication and Authorization Function (NSSAAF). In a secondary authentication flow, the UE establishes a primary connection with its home PLMN (HPLMN). Upon attempting to access a service requiring secondary authentication, the Session Management Function (SMF) may trigger an EAP-based authentication dialogue. The AUSF in the HPLMN then acts as an EAP authenticator, proxying the authentication messages to the RO's authentication server, which holds the user's credentials for that service. The RO validates the credentials and authorizes access to the requested service or slice.
In the NSSAA procedure for network slicing, when a UE requests a slice that requires separate authentication (S-NSSAI with Authentication/Authorization required), the AMF invokes the NSSAAF. The NSSAAF communicates with the RO associated with that specific S-NSSAI. The RO performs the slice-specific authentication and authorization, returning a result to the NSSAAF and AMF, which then allows or denies the UE's registration for that slice. The RO's role is thus to decentralize authentication authority, enabling multi-operator service delivery, enterprise network integration, and flexible business models where the service provider (the RO) is separate from the connectivity provider (the PLMN).
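The NSSAA decision path described above, as an added example that is not taken from the 3GPP specifications: a simplified Python model in which the AMF hands each slice that requires slice-specific authentication to the NSSAAF, which routes it to the RO mapped to that S-NSSAI. All class, function and slice names and all credentials are constructed, a shared secret stands in for the EAP exchange, and rejecting a slice when its RO is missing or unreachable is an assumption of this sketch.

```python
import hmac
from dataclasses import dataclass
# Simplified model; class and function names and all sample values are constructed.
@dataclass
class RegistrationOperator:
    name: str
    credentials: dict          # user id -> secret; stands in for the EAP exchange
    available: bool = True

    def authenticate(self, user_id, secret):
        if not self.available:
            raise ConnectionError(f"RO {self.name} unreachable")
        stored = self.credentials.get(user_id)
        return stored is not None and hmac.compare_digest(stored, secret)

@dataclass
class Nssaaf:
    ro_by_snssai: dict         # S-NSSAI -> the RO responsible for that slice

    def authorize(self, snssai, user_id, secret):
        ro = self.ro_by_snssai.get(snssai)
        if ro is None:
            return "REJECTED_NO_RO"              # assumption: fail closed
        try:
            ok = ro.authenticate(user_id, secret)
        except ConnectionError:
            return "REJECTED_RO_UNAVAILABLE"     # assumption: fail closed
        return "ALLOWED" if ok else "REJECTED_AUTH_FAILED"

def amf_register(requested, nssaa_required, nssaaf, slice_creds):
    """Per-slice outcome for a UE whose primary authentication already succeeded."""
    outcome = {}
    for snssai in requested:
        if snssai not in nssaa_required:
            outcome[snssai] = "ALLOWED"          # no slice-specific step needed
        elif snssai not in slice_creds:
            outcome[snssai] = "REJECTED_AUTH_FAILED"
        else:
            outcome[snssai] = nssaaf.authorize(snssai, *slice_creds[snssai])
    return outcome

def demo():
    factory = RegistrationOperator("factory-ro", {"badge-117": "s3cret"})
    media = RegistrationOperator("media-ro", {"alice": "pw"}, available=False)
    nssaaf = Nssaaf({"slice-factory": factory, "slice-media": media})
    required = ["slice-factory", "slice-media", "slice-orphan"]
    creds = {s: ("alice", "pw") for s in required}
    creds["slice-factory"] = ("badge-117", "s3cret")
    return amf_register(["slice-embb"] + required, required, nssaaf, creds)
```

Each slice is decided independently, so an unreachable or unmapped RO rejects only its own slice while the slice that needs no slice-specific step and the slice with a healthy RO are still allowed.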
Purpose & Motivation
The Registration Operator concept was introduced to address the evolving business and technical landscape of 5G, particularly network slicing and service-based architecture. Previous generations (4G and earlier) primarily relied on a single, monolithic authentication via the home PLMN using the (U)SIM credentials. This model was insufficient for 5G's vision of supporting diverse vertical industries (e.g., automotive, healthcare, manufacturing) where a third-party service provider (like an enterprise or a cloud provider) needs to control access to its specific network slice or service independently of the mobile network operator providing the radio connectivity.
Its creation solves the problem of delegated authentication and authorization. Without the RO model, the HPLMN would need to manage all credentials for all possible third-party services, creating scalability, security, and business relationship complexities. The RO allows the service provider to retain ownership of the user's service-level identity and policy. This enables new business models, such as a factory owner (the RO) contracting with a mobile operator for a private 5G slice and directly managing which employees or devices can access that slice.
Furthermore, the RO facilitates regulatory and operational separation. In scenarios like neutral host networks or multi-operator core networks (MOCN), different operators might act as the RO for their respective subscribers sharing the same radio infrastructure. It also enhances security by compartmentalizing authentication domains; a breach in a third-party RO's credentials does not compromise the user's primary mobile network subscription. The motivation stems from 3GPP's work on secondary authentication (from EPC) and its formalization in 5G for slice-specific access control, providing the architectural hooks needed for a truly multi-tenant, service-oriented 5G ecosystem.
Key Features
- Functional role for managing service or slice-specific subscriptions
- Performs secondary authentication/authorization separate from primary 3GPP authentication
- Interacts with 5GC NFs like AUSF and NSSAAF via standard interfaces
- Enables multi-operator and third-party service delivery models
- Central to Network Slice-Specific Authentication and Authorization (NSSAA)
- Allows service providers to retain control over user access policies
Evolution Across Releases
The concept of a secondary authentication authority, precursor to the RO, was introduced in EPS for non-3GPP access and PDN Gateway (PGW) initiated dedicated bearer establishment. It allowed an external Packet Data Network (PDN) operator to authenticate a UE using EAP, separate from the 3GPP AAA authentication.
Formalized as the Registration Operator within the 5G System architecture, particularly in the context of Network Slice-Specific Authentication and Authorization (NSSAA). Defined its role and interactions with the NSSAAF and AUSF to support authentication for individual network slices, enabling flexible service provisioning.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.222 | 3GPP TS 23.222 |
| TS 23.700 | 3GPP TS 23.700 |
| TS 28.628 | 3GPP TS 28.628 |
| TS 32.522 | 3GPP TR 32.522 |
| TS 33.812 | 3GPP TR 33.812 |
| TS 38.864 | 3GPP TR 38.864 |