Description
The Trusted Non-3GPP Gateway Function (TNGF) is a critical component within the 5G Core Network (5GC) architecture, specifically defined for the Non-3GPP InterWorking Function (N3IWF) in the context of trusted non-3GPP access. Its primary role is to facilitate secure and controlled connectivity for UEs that utilize non-3GPP radio access technologies, most notably trusted Wi-Fi networks. Architecturally, the TNGF resides in the user plane and control plane, interfacing with other core network functions. On the N1 reference point towards the UE, it terminates the N1 interface over the non-3GPP access, managing the signaling connection. It establishes IPsec Security Associations (SAs) with the UE to create secure tunnels for both control plane (N1) and user plane (N3) traffic. The TNGF connects to the Access and Mobility Management Function (AMF) via the N2 interface for control plane procedures and to the User Plane Function (UPF) via the N3 interface for data forwarding.
Operationally, when a UE initiates access via a trusted non-3GPP network, it discovers and selects a TNGF. The UE and TNGF perform mutual authentication and establish IPsec tunnels. The TNGF then acts as a proxy, relaying the UE's registration and session management signaling to the 5G Core via the AMF. It is responsible for encapsulating and decapsulating user plane packets between the IPsec tunnel and the N3 GTP-U tunnel towards the UPF. The TNGF also interacts with the Authentication Server Function (AUSF) and Unified Data Management (UDM) for credential-based authentication (e.g., using 5G-AKA or EAP-AKA').
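The user plane relay step described above, sketched as an added example (not taken from any 3GPP specification or gateway implementation): each UE IPsec SA is bound to one N3 GTP-U tunnel, and downlink G-PDUs are validated before their payload is handed to an SA. Assumptions: the `UserPlaneRelay` class, its method names and all SPI/TEID values are hypothetical, ESP processing happens elsewhere so packets arrive already decrypted, and the uplink path emits a bare G-PDU without extension headers.

```python
import struct

GTPU_FLAGS = 0x30   # version 1, protocol type GTP, no optional fields
GTPU_GPDU = 0xFF    # message type G-PDU: the payload is a user packet

class UserPlaneRelay:
    """Binds each UE IPsec child SA (by SPI) to the N3 GTP-U tunnel of its PDU session."""

    def __init__(self):
        self.ul_teid_by_spi = {}   # inbound SPI from UE -> uplink TEID at the UPF
        self.spi_by_dl_teid = {}   # downlink TEID at this gateway -> outbound SPI to UE

    def add_session(self, spi_in, spi_out, teid_ul, teid_dl):
        self.ul_teid_by_spi[spi_in] = teid_ul
        self.spi_by_dl_teid[teid_dl] = spi_out

    def uplink(self, spi_in, inner):
        """Inner packet already decrypted from the IPsec SA -> GTP-U G-PDU for the UPF."""
        if spi_in not in self.ul_teid_by_spi:
            raise ValueError("no PDU session bound to this IPsec SA")
        teid = self.ul_teid_by_spi[spi_in]
        return struct.pack("!BBHI", GTPU_FLAGS, GTPU_GPDU, len(inner), teid) + inner

    def downlink(self, gtpu):
        """GTP-U G-PDU from the UPF -> (outbound SPI, inner packet) to encrypt for the UE."""
        if len(gtpu) < 8:
            raise ValueError("truncated GTP-U header")
        flags, mtype, length, teid = struct.unpack("!BBHI", gtpu[:8])
        if flags >> 5 != 1 or not flags & 0x10 or mtype != GTPU_GPDU:
            raise ValueError("not a GTPv1-U G-PDU")
        if teid not in self.spi_by_dl_teid:
            raise ValueError("unknown TEID")    # never forward into an arbitrary SA
        body = gtpu[8:]
        if len(body) != length:
            raise ValueError("length field does not match datagram")
        if flags & 0x07:                        # optional sequence/N-PDU/extension fields
            if len(body) < 4:
                raise ValueError("truncated optional fields")
            next_ext, body = (body[3] if flags & 0x04 else 0), body[4:]
            while next_ext:                     # walk the extension header chain
                size = body[0] * 4 if body else 0
                if size == 0 or size > len(body):
                    raise ValueError("malformed extension header")
                next_ext, body = body[size - 1], body[size:]
        return self.spi_by_dl_teid[teid], body
```

Rejecting unknown TEIDs and inconsistent length fields keeps a malformed or misdirected N3 datagram from being forwarded into a UE's tunnel.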
A key aspect of the TNGF is its 'trusted' designation, which implies that the 5G Core network operator has a trust relationship with the non-3GPP access network provider. This trust can be based on a roaming agreement or direct ownership, allowing the core network to rely on the access network's security to a certain degree, though the TNGF still enforces its own security at the IPsec layer. The TNGF supports mobility and session continuity procedures, enabling handovers between 3GPP (e.g., NG-RAN) and trusted non-3GPP access without dropping the PDU Session. It is a fundamental enabler for the 5G convergence goal, providing a unified core network experience regardless of the underlying access technology.
Purpose & Motivation
The TNGF was introduced in 3GPP Release 16 to formally define and standardize the gateway function for trusted non-3GPP access within the 5G System (5GS). Prior to 5G, non-3GPP interworking (e.g., via ePDG in EPS) was often treated as an untrusted access, requiring heavy security termination at the gateway. The creation of the TNGF addresses the growing importance of high-quality, carrier-grade Wi-Fi and other fixed wireless accesses as integral parts of the mobile operator's service offering. It solves the problem of providing seamless, secure, and policy-coherent access to 5G core services over these alternative networks.
The motivation stems from the need for true access-agnostic service delivery. Operators sought to leverage their Wi-Fi deployments, or partnerships with Wi-Fi providers, as a trusted extension of their 5G radio coverage, especially for indoor environments and fixed wireless access scenarios. The TNGF provides a standardized architecture that ensures security (through mandatory IPsec), supports 5G-specific features like network slicing and QoS over the non-3GPP link, and enables smooth mobility. It addresses limitations of previous non-3GPP interworking solutions by being natively integrated into the 5G Service-Based Architecture (SBA), using the same authentication frameworks and policy control (via the PCF) as 3GPP access, thereby eliminating functional silos.
Key Features
- Terminates N1 (control plane) and N3 (user plane) interfaces over trusted non-3GPP access
- Establishes and maintains IPsec Security Associations with the UE for confidentiality and integrity
- Acts as a signaling relay between the UE and the 5G Core AMF
- Encapsulates/decapsulates user data between UE IPsec tunnels and N3 GTP-U tunnels towards the UPF
- Supports 5G authentication procedures (5G-AKA, EAP-AKA') via interaction with AUSF/UDM
- Enables mobility and session continuity between 3GPP and trusted non-3GPP access
Evolution Across Releases
Initial introduction of the TNGF as part of the architecture for trusted non-3GPP access to the 5G Core. It defined the functional behavior, reference points (N2, N3, N1 over non-3GPP), and detailed procedures for registration, authentication, PDU session establishment, and handover. Security specifications for IPsec and TNGF-level security were established.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.501 | 3GPP TS 23.501 |
| TS 24.501 | 3GPP TS 24.501 |
| TS 24.502 | 3GPP TS 24.502 |
| TS 24.526 | 3GPP TS 24.526 |
| TS 29.214 | 3GPP TS 29.214 |
| TS 29.413 | 3GPP TS 29.413 |
| TS 29.502 | 3GPP TS 29.502 |
| TS 29.510 | 3GPP TS 29.510 |
| TS 29.525 | 3GPP TS 29.525 |
| TS 33.127 | 3GPP TS 33.127 |
| TS 33.128 | 3GPP TS 33.128 |
| TS 33.501 | 3GPP TS 33.501 |
| TR 33.807 | 3GPP TR 33.807 |
| TS 38.413 | 3GPP TS 38.413 |