Nokia N3IWF: Seamless 5G integration

Introduction
In the dynamic world of telecommunications, Communications Service Providers (CSPs) face the critical challenge of integrating non-3GPP networks with 5G infrastructure. Nokia's N3IWF (Non-3GPP Interworking Function) is a groundbreaking solution that bridges this gap, enabling secure and seamless connectivity between untrusted non-3GPP access and 5G core networks, while maintaining compatibility with 4G radio access for UE mobility. This native 3GPP solution ensures CSPs can deliver consistent service quality across all network types while maintaining robust security standards.
The N3IWF, a core component of 5G networks, upholds two fundamental principles: separation of network responsibilities and access-independent architecture. These key features of 5G (and future 6G) networks ensure smooth service delivery and a consistent user experience, regardless of how users connect to the network. From an architectural standpoint, the N3IWF works as a security gateway at the demarcation point between the network and the internet, analogous to the security role performed by the gNodeB (gNB) at the radio access interface. These network elements serve as critical security components, establishing protective boundaries for the core network infrastructure. In the event of a security compromise of either component, their architectural positioning ensures they continue to function as containment points, preventing unauthorized access to core network resources. This security-by-design approach implements the principle of defense-in-depth, where these components constitute the primary security perimeter of the network infrastructure.
Core features and architecture
The N3IWF operates through three essential interfaces, each serving a distinct purpose in enabling seamless connectivity:
- NWu Interface: This interface acts as a secure bridge between user equipment (UE) and the 5G core network. Utilizing advanced IKEv2/ESP protocols, it establishes encrypted tunnels that protect both user data and control signals, ensuring integrity and security over untrusted networks. For user plane traffic, the Protocol Data Units (PDUs) are carried over GRE (Generic Routing Encapsulation) over IPsec.
- N2 Interface: Serving as the primary communication channel between the Access and Mobility Management Function (AMF) and N3IWF, the N2 interface manages critical network functions such as session control and mobility management. It uses the NGAP protocol, which is similar for both 3GPP and non-3GPP access, ensuring smooth data flow.
- N3 Interface: Responsible for user data transmission within the core network, the N3 interface uses the GTPv1 protocol to maintain precise mapping between secure tunnels and data sessions. This ensures efficient and secure data delivery to its destination.
Key advantages of N3IWF
- Enhanced security architecture
  - N3IWF is directly integrated with the AMF, which is responsible for authentication procedures towards the AUSF and UDM systems. This integration enhances security by providing a unified authentication and encryption framework for both 5G/6G 3GPP and non-3GPP access networks, ensuring consistent protection of user data across all access technologies.
  - The N3IWF operates solely with temporary identifiers, as it never has direct access to permanent subscriber identities (IMSI/SUPI/SUCI) of the User Equipment. These sensitive identifiers are transmitted exclusively within the NAS layer, which maintains end-to-end encryption between the UE and AMF. This encrypted NAS communication is further secured within the IKEv2 Security Association.
  - Since the N3IWF only processes temporary session identifiers and never stores permanent subscriber data, it enhances network security through compartmentalization. This design principle ensures that even if an N3IWF instance is compromised, no sensitive customer information can be exposed, thereby minimizing potential security risks to the network.
  - UE authentication to AUSF/UDM is based on EAP-AKA' (prime), ensuring robust security measures.
- Superior service delivery
  - N3IWF allows end users to experience the same end-to-end services regardless of whether the UE is connected to 3GPP or non-3GPP access. This includes NAS-based signaling for services like SMS, URSP, ATSSS, XRM, and any 5G or 6G NAS-based service.
  - N3IWF offers the same Quality of Service (QoS) design as in 3GPP 5G access. PDU Sessions over the UPF and N3 interface are based on QFIs (QoS Flow Identifiers), mapped to one or more Child SA tunnels to the UE. This architecture gives operators full control of the delivered QoS at its finest level of detail.
  - N3IWF can offer Network Exposure Functionality capabilities, exactly as in 5G 3GPP access, and allow the operator to offer a unique, differentiated end-user experience based on factors like Network slicing, QoS control, Policy Enforcement, Data Analytics and Monetization. This native NEF support can leverage highly popular commercial services like Low Latency Gaming, VR/AR Streaming, Immersive Gaming Experience and more.
- Signaling optimization
  - No need to re-authenticate during mobility between 3GPP and non-3GPP access, as security material can be derived from the previous authentication. This saves signaling, energy, and time during mobility, which is especially useful for UEs that frequently toggle between accesses, such as those in public areas and on transport like buses and metros.
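The N3 description above (GTPv1 mapping between tunnels and data sessions) and the QoS item (QFIs mapped to Child SA tunnels) can be illustrated with a small downlink lookup. This is an added example, not Nokia's code: the mapping table, TEIDs, SPIs and function names are constructed for illustration, and the header layout assumed is the GTP-U G-PDU with a PDU Session Container extension header (3GPP TS 29.281 / TS 38.415).

```python
import struct

GTPU_G_PDU = 0xFF            # message type for encapsulated user data
EXT_PDU_SESSION = 0x85       # PDU Session Container extension header type

# Constructed table: (N3 TEID, QFI) -> Child SA SPI on NWu. All values are made up.
CHILD_SA_BY_FLOW = {
    (0x00001A2B, 1): 0xC0000001,
    (0x00001A2B, 5): 0xC0000002,
}

def parse_gtpu(pkt: bytes):
    """Return (teid, qfi, inner_payload); qfi is None without a PDU Session Container."""
    if len(pkt) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1 (version 1, PT=1)")
    if msg_type != GTPU_G_PDU:
        raise ValueError("not a G-PDU")
    if length != len(pkt) - 8:
        raise ValueError("length field does not match packet size")
    off, qfi = 8, None
    if flags & 0x07:                       # E, S or PN set: 4 optional octets follow
        if len(pkt) < 12:
            raise ValueError("truncated optional fields")
        next_ext = pkt[11] if flags & 0x04 else 0
        off = 12
        while next_ext:
            if off >= len(pkt):
                raise ValueError("truncated extension header")
            ext_len = pkt[off] * 4         # length is counted in 4-octet units
            if ext_len == 0 or off + ext_len > len(pkt):
                raise ValueError("bad extension header length")
            if next_ext == EXT_PDU_SESSION:
                qfi = pkt[off + 2] & 0x3F  # QFI: low 6 bits of the 2nd content octet
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    return teid, qfi, pkt[off:]

def select_child_sa(pkt: bytes):
    """Return the Child SA SPI for a downlink packet, or None to drop it."""
    try:
        teid, qfi, _ = parse_gtpu(pkt)
    except ValueError:
        return None                        # malformed packets never reach a tunnel
    return CHILD_SA_BY_FLOW.get((teid, qfi))

def build_sample(teid: int, qfi: int, payload: bytes) -> bytes:
    """Constructed downlink G-PDU with one PDU Session Container (PDU type 0)."""
    body = bytes([0, 0, 0, EXT_PDU_SESSION, 1, 0x00, qfi & 0x3F, 0]) + payload
    return struct.pack("!BBHI", 0x34, GTPU_G_PDU, len(body), teid) + body
```

Packets with an unknown TEID, an unmapped QFI, or an inconsistent length field return `None`, so nothing is forwarded into an IPsec tunnel unless it matches an established session.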
What progress have we achieved
Nokia, a pioneer in telecom networks and a true believer in the advantages of 5G/6G architecture and the benefits it offers in the area of non-3GPP access, created the N3IWF gateway as part of its CMG family of gateway products, offering it in a Cloud-Native Function (CNF) environment. As a key differentiator, Nokia’s N3IWF is available as a standalone product or as a combined N3IWF+ePDG solution, in addition to being a cloud-native, scalable and robust solution. This combined solution allows pod deployment to serve both ePDG and N3IWF capable UEs simultaneously, offering the best available solution for operators during the migration period towards a fully standalone 5GS solution. Another advantage of the combined N3IWF+ePDG is that the common MG-pod uses shared resources for both ePDG and N3IWF call flow processing, ensuring optimal resource utilization.
Nokia partnership with MediaTek
As one of the largest fabless semiconductor companies, MediaTek Inc. specializes in designing cutting-edge systems-on-chip (SoC) solutions. Their innovative technology drives mobile devices, smart home systems, connectivity solutions, and IoT products. The company's reach is remarkable, with their chips powering approximately 2 billion devices annually, including nearly one-third of all mobile phones globally and supporting technology in 20 percent of households worldwide. Lab tests conducted in partnership with MediaTek successfully enabled support for N3IWF call flows in their SoCs, in the form of IoDT, to ensure the solution complies with 3GPP standards.
The MediaTek and Nokia solution achieved full support of all 3GPP-defined call flows for UE registration/de-registration and authentication, UE context and PDU session setup, modification and termination, and all types of UE handovers (WiFi<>4G, WiFi<>5G), bringing the solution a step closer to carrier-grade live deployment.
Conclusion
Today, Nokia N3IWF supports all call flows defined by 3GPP standards for UE authentication/authorization/registration and context/PDU session setup/modification/termination. Nokia is working closely with major UE and chipset vendors, along with tier-1 carriers, to test the N3IWF end-to-end functionality and accelerate the readiness of the UE ecosystem.