Following on from our previous article about the complementarity between Wifi and 5G, we now touch on a topic that pops up in this context.

First, it is important to distinguish between trusted and untrusted Wifi networks from the point of view of the Mobile Network Operator (MNO).

A trusted Wifi network is managed by the MNO itself: the MNO operates the Wifi network and controls access to it, so it is sure that the traffic over the air is properly secured.
Untrusted Wifi networks are not under the control of the MNO, so the MNO requires that any traffic reaching the 5GC be properly secured.

In the case of untrusted Wifi networks, only the case is considered where the end user device is 3GPP capable. In technical terms this means that it supports NAS communication with the 5GC AMF over the N1 interface. It basically means that the device contains a 5G capable (e)SIM. This SIM will be used for authentication for both the Wifi and the 5G network.
The secure connection between the device SIM and the AMF is established over an IPSEC concentrator function called the Non-3GPP InterWorking Function (N3IWF).
The UE establishes the N1 connection with the AMF across the IPSEC tunnel to the N3IWF. The N3IWF further provides the N2 interface to the AMF to make the device connection seem as if it is established over a 5G RAN network. From there on the standard authentication takes place, with the AMF contacting the AUSF and secure connectivity being established to complete the UE registration.

In the case of trusted Wifi networks, two different cases are distinguished.
The first case is where the device is 3GPP enabled, i.e. supports NAS communication over the N1 interface to the AMF.
In the second case the device is not 3GPP enabled and an intermediate network function is needed to present the N1 interface to the 5GC on behalf of the UE.
Since the communication over the air interface is considered to be secure, there is no need for IPSEC encryption towards the 5GC.
To allow for consistent programming interfaces between the trusted and untrusted cases, IPSEC encapsulation is also used in the trusted case, albeit without encryption (NULL).

In the case of the NAS capable UE, the gNB N2 interface is emulated by the Trusted Network Gateway Function (TNGF).
In the case of the non-NAS capable UE, both the gNB N2 and the UE N1 interface need to be emulated by the Trusted Network Interworking Function (TWIF).
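
The difference in IPSEC treatment described above (encryption required on untrusted access, NULL encryption acceptable only on trusted access) can be checked on the gateway side. The following is an added example, not code from this article or from any 5G product: it parses an IKEv2 ESP Proposal substructure (RFC 7296 layout) and flags NULL encryption offered on untrusted access. The function names and the two sample proposals are constructed for illustration.

```python
import struct

ESP, ENCR, ENCR_NULL = 3, 1, 11  # RFC 7296 protocol ID, transform type, IANA transform ID

# Constructed sample proposals (hex), not captured traffic.
# AES_GCM: ESP, SPI 11223344, ENCR_AES_GCM_16 (id 20, 256-bit key) + ESN.
AES_GCM = bytes.fromhex("00000020 01030402 11223344 0300000c 01000014 800e0100"
                        " 00000008 05000000")
# NULL_ENC: ESP, SPI aabbccdd, ENCR_NULL (id 11) + HMAC-SHA2-256-128 + ESN.
NULL_ENC = bytes.fromhex("00000024 01030403 aabbccdd 03000008 0100000b"
                         " 03000008 0300000c 00000008 05000000")


def esp_encr_ids(proposal: bytes) -> list[int]:
    """Return the encryption transform IDs offered in one ESP proposal."""
    if len(proposal) < 8:
        raise ValueError("truncated proposal header")
    _last, _rsv, length, _num, proto, spi_size, n_transforms = struct.unpack_from(
        "!BBHBBBB", proposal)
    if proto != ESP or length != len(proposal):
        raise ValueError("not a well-formed ESP proposal")
    off, ids = 8 + spi_size, []
    for _ in range(n_transforms):
        if off + 8 > len(proposal):
            raise ValueError("truncated transform")
        _more, _r1, t_len, t_type, _r2, t_id = struct.unpack_from(
            "!BBHBBH", proposal, off)
        if t_len < 8 or off + t_len > len(proposal):
            raise ValueError("bad transform length")
        if t_type == ENCR:
            ids.append(t_id)
        off += t_len  # skips any attributes, e.g. key length
    return ids


def null_encryption_on_untrusted(access: str, proposal: bytes) -> bool:
    """True when an untrusted-access proposal offers no encryption or NULL.

    `access` is "untrusted" (N3IWF path) or "trusted" (TNGF/TWIF path);
    that label is an assumption about how the gateway tags the session.
    """
    ids = esp_encr_ids(proposal)
    return access == "untrusted" and (not ids or ENCR_NULL in ids)


if __name__ == "__main__":
    for name, prop in (("AES_GCM", AES_GCM), ("NULL_ENC", NULL_ENC)):
        for access in ("untrusted", "trusted"):
            print(name, access, null_encryption_on_untrusted(access, prop))
```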