Roaming in the 5G System: the 5GS roaming architecture

Ericsson CTO Erik Ekudden’s view on roaming in the 5G System

The deployment of the 5G System (5GS) presents both opportunities and challenges with respect to roaming. Regardless of whether their partners have the Evolved Packet System (EPS), 5GS or both, all communication service providers (CSPs) will reasonably expect roaming services to continue to function without disruption. While 5GS roaming has many similarities to previous generations, there are also some important differences that CSPs need to be aware of to ensure a smooth transition.

This Ericsson Technology Review article provides an overview of the 5GS roaming architecture in 3GPP Release 16, highlighting the similarities and differences to previous generations of roaming. In particular, it explains the various roaming aspects that need to be addressed in the core network, in the area of user data and policies, in services and in backend systems.

Many mobile network operators that are deploying the 5G System (5GS) plan to introduce 5GS roaming as a complement to Evolved Packet System (EPS) roaming. Regardless of where they or their roaming partners are on their 5G journeys, every operator will expect roaming to continue to work as well or better than before. Smooth interworking between EPS roaming and 5GS roaming will therefore be essential.

Roaming extends the coverage of a home operator’s services, allowing its mobile users to use those services within another operator’s network, which may be in another country (international roaming) or in the same country (national roaming).

Voice roaming first emerged in the early days of GSM and was followed by the introduction of data roaming as part of the General Packet Radio System (GPRS). More sophisticated data roaming became available with the Evolved Packet System (EPS), which went on to support voice services as well. All roaming is built on roaming agreements that define where the service is offered, as well as specifying both the technical and commercial components required to enable the service.

While the 5G System (5GS) also supports other use cases such as the Cellular Internet of Things, the industrial Internet of Things and vehicle use cases, we expect mobile broadband (MBB) to be the first 5GS roaming use case. Today, the EPS supports a variety of MBB use cases such as internet access and operator-provided services like voice and messaging. In some cases, EPS deployments have already been upgraded for early support of 5G by non-standalone (NSA) New Radio (NR) in the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and also support NSA NR when roaming. The 5GS introduces support for NR standalone in next-generation RAN (NG-RAN) and new 5G Core (5GC) [1, 2].

During the migration to 5G when NR coverage is being built out, services requiring wide-area coverage are best supported through interworking between the 5GC and the existing Evolved Packet Core (EPC) [3]. In light of this, consideration of the interworking between the 5GC and EPC when roaming is of critical importance.

The GSMA has provided guidelines for both EPS roaming and 5GS roaming [4, 5]. Work on wholesale agreements and solutions related to 5GS roaming is ongoing. The GSMA has also provided guidelines for the user to network interface of Voice over NR (VoNR) [6] and VoLTE [7], including roaming-related functionality.

Home routing (HR) – the main roaming solution for voice and data today – will also be used for 5GS roaming. The 3GPP has also specified a local breakout (LBO) architecture for roaming, but LBO is not used for voice. LBO for data services is rarely used in EPS roaming today and not expected in early 5GS roaming. It should be noted that roaming also requires the user equipment (UE) to support some, if not all, of the frequency bands used by the Visited Public Land Mobile Network (VPLMN) – not only for NR connected to the 5GC but also for LTE connected to the EPC.

Roaming architecture including interworking with the Evolved Packet System

The 5GS roaming architecture enables operators to expand their existing roaming agreements and networks to incorporate 5GS. However, there are both similarities to and differences between EPS roaming and 5GS roaming that operators need to understand. For example, Service-Based Architecture (SBA) and security functionality to protect the network edge are new in the 5GS, supported by a new network function (NF) called the Security Edge Protection Proxy (SEPP).

Figure 1 shows a simplified roaming architecture that includes interworking with the EPS. For the sake of clarity, we have excluded additional NFs such as those for SMS, location handing and so on. While this architecture supports roaming using only the 5GS in the VPLMN and the Home Public Land Mobile Network (HPLMN), it is based on the assumption that interworking with the EPS will be required in the initial phases of roaming.

The architecture shown in Figure 1 requires UE capable of using both the EPS and 5GS to be able to roam between the two. The same architecture in the HPLMN can also be used for 4G/NSA UEs and for UEs that are not allowed to use 5GS when roaming, but in those cases only the EPS will be used in the VPLMN.

When the UE connects to the VPLMN, it will register with the Access and Mobility Management Function (AMF). The AMF will query the Network Repository Function (NRF), which in this case serves as a visited-NRF (V-NRF), and the V-NRF will query the home-NRF (H-NRF) to find the Authentication Server Function (AUSF) and the Unified Data Management (UDM) in the HPLMN. Both the traffic between the V-NRF and the H-NRF, as well as all other control plane traffic between the VPLMN and HPLMN, will pass through the SEPPs.

The UE usually sets up one or more protocol data unit (PDU) sessions, which is similar to the non-roaming call flows except that both the V-NRF and H-NRF, as well as the SEPPs, are involved. The usage of a visited Session Management Function (V-SMF) and the relocation of the V-SMF at mobility are specific to roaming – that is, the V-SMF is only used when the UE is in the VPLMN and the PDU session is anchored in the home-SMF (H-SMF) in the HPLMN. In EPS roaming, the EPC nodes serving gateway (SGW) and packet data network gateway (PDN-GW) are used in a PDN connection, regardless of whether the UE is in the VPLMN or the HPLMN.

Roaming-specific functionality

While the 3GPP first specified 5GS roaming in Release 15, the roaming-related features that it added and/or revised in Release 16 [8] have made Release 16 the baseline for roaming. The most notable roaming-specific functionality in the 5GS falls into six key areas: home control of authentication, roaming restrictions, policy control, charging, QoS control in the V-SMF, and network slicing when roaming.

Home control of authentication

In previous generations, the UE authentication is executed at the serving nodes: the Mobility Management Entity (MME) in the EPC and the mobile switching center/serving GPRS support node in 2G/3G. In the case of roaming, this implies that the execution of UE authentication is delegated to the VPLMN. The delegation of authentication to the MME in a VPLMN is also applicable when a 5G user connects to the EPC while roaming.

The 5GC increases the control of the execution of the UE authentication procedure in the HPLMN, as the UE authentication is always executed and controlled in the AUSF at the HPLMN. Additionally, the AUSF informs the UDM about the result of each UE authentication procedure, so that the UDM can link the result of the authentication with subsequent procedures. This is useful to prevent certain types of fraud, such as fraudulent requests for registering a serving AMF in UDM for subscribers that are not actually present (that is, not authenticated) in the VPLMN.

Roaming restrictions

When a 5GS-capable UE tries to connect over NR to a 5GC when roaming, the VPLMN requests the HPLMN to authorize the inbound roaming UE to connect from that VPLMN before the VPLMN allows the UE to connect to its 5GC. This is referred to as roaming restriction control at the HPLMN as in EPC.

The UDM within the 5GC at the HPLMN determines if the UE is allowed to roam in the VPLMN 5GC. Even if the UE is allowed to roam in the VPLMN 5GC, UE-level roaming restrictions may indicate which HPLMN services can be used while roaming (for example, data services but not voice services). If this is used to restrict the IP Multimedia Subsystem (IMS) voice service when roaming, a voice-centric UE will not connect to the 5GC and will instead look for another radio access in the VPLMN that provides voice service.

Policy control

The home-routed roaming architecture anchors PDU sessions at the H-SMF. As a result, all interactions with the Policy Control Function (PCF) for session management policies take place within the HPLMN domain.

The 3GPP defines the roles of a visited PCF (V-PCF) and a home-PCF (H-PCF) that interact over the N24 reference point for the exchange of UE policies, and of access and mobility policies for roaming UEs.

At least during an initial phase of 5GC roaming, the VPLMN could apply both UE and access and mobility policies for inbound roaming users based on local configuration at the VPLMN without the burden of establishing and maintaining additional roaming reference points for this purpose. This is why the N24 reference point does not appear in Figure 1.

Charging

Both the V-SMF and H-SMF need to support charging. In the VPLMN, the V-SMF interacts with the visited Charging Function (V-CHF), and in the HPLMN the H-SMF interacts with the home-CHF (H-CHF). The visited User-Plane Function (V-UPF) and the home-UPF (H-UPF) need to support the reporting of charging-related session data to the SMF, but the main charging logic resides in the SMFs.

The V-CHF generates CDRs for the inbound roamer traffic, and correspondingly the H-CHF generates call detail records (CDRs) for the outbound roamer traffic.

As a result, the VPLMN has full control over the data volumes that inbound roamers consume in the VPLMN RAN. The VPLMN can also create the necessary data for wholesale (inter-operator) settlement using the same principles as in EPS roaming. The details of the wholesale settlement procedures are described in the GSMA.

QoS control in the visited Session Management Function

In roaming scenarios, any QoS settings requested by the HPLMN should be in accordance with the roaming agreement. However, to protect its network against unwanted resource usage, the VPLMN must have control over and, if necessary, downgrade, the requested QoS [5]. While this is performed by the MME in the EPS, the fact that the 5GS introduces a clear split between mobility management handling (by the AMF) and session management (by the SMF) requires the V-SMF to handle QoS control.

Network slicing when roaming

Network slicing is an inherent part of the 5GS that is not available in the EPS. When registering in the AMF, the UE determines the network slices it wants to use, expressed as a list of Single Network Slice Selection Assistance Information (S-NSSAI). This list may be empty. The AMF receives the list of subscribed S-NSSAI from the UDM in the HPLMN, and the AMF (possibly assisted by the Network Slice Selection Function (NSSF)) determines which S-NSSAI the UE is allowed to use.

When roaming, it is up to the VPLMN to decide whether inbound roaming UEs use the S-NSSAI provided by the HPLMN or an S-NSSAI provided by the VPLMN. In the latter case, the VPLMN’s S-NSSAI is mapped to the one provided by the HPLMN. Both the NSSF and the AMF can determine this mapping. The AMF provides mapping information to the UE during the registration procedure. This is one of the mechanisms that can be used to have a dedicated network slice for inbound roaming UEs from different HPLMNs or to map inbound roaming UEs to a network slice supported by the VPLMN, while fulfilling the service requirements. The mapping can only be performed meaningfully if the VPLMN knows that the service requirements can be fulfilled by the network slice in question.

The UE uses the allowed NSSAI to determine which S-NSSAI to use when establishing a PDU session. In the simplest case, there is only one S-NSSAI in the allowed NSSAI. If so, the UE can include this S-NSSAI when establishing a PDU session, and the AMF uses this S-NSSAI to select the V-SMF and the H-SMF. If the UE does not include an S-NSSAI, the AMF determines the S-NSSAI for this PDU session. This principle is likely enough in initial roaming deployment. If there are more than one S-NSSAI in the allowed NSSAI, the UE needs additional information about which S-NSSAI to use when establishing a PDU session. This additional information can be preconfigured on the UE or can be provided by the HPLMN. For the latter, UE Route Selection Policy has been specified, which can be provided by the H-PCF (through the V-PCF and the AMF) to the UE if needed. In this case, the N24 reference point is required.

In Release 16, the 3GPP has also defined a mechanism for Network Slice-Specific Authentication and Authorization (NSSAA), where connectivity to certain S-NSSAIs is required to be authenticated and authorized by an external authentication, authorization and accounting (AAA) server. If used in roaming, the AMF in the VPLMN triggers NSSAA requests to the external AAA server through an NSSAA Function in the HPLMN.

Steering of Roaming

One of the new features specified for 5GS roaming scenarios is related to the PLMN selection at the UE while roaming. Steering of Roaming (SoR) in a 5GS is a control-plane solution that allows the HPLMN to update the UE with the list of preferred PLMN/access-technology combinations. The UE performs PLMN selection based on the received list of preferred PLMN/access-technology combinations. In previous generations, the list of preferred PLMN/access-technology combinations was provided to the UE through Over-the-Air (OTA) mechanisms that were prone to be intercepted and blocked by malicious VPLMNs without the knowledge of the HPLMN. However, not all operators are using SoR today or plan to use SoR in 5GS.

Security in 5GS roaming

5GS includes two proxy types: the Security Edge Protection Proxy (SEPP) for roaming security in SBA and the Service Communication Proxy (SCP) for indirect communication.

Security Edge Protection Proxy

For roaming in SBA, the SEPP secures signaling across PLMN borders by proxying requests and responses for the PLMN, providing topology hiding, signaling firewall, message filtering and additional policy enforcement capabilities. Every control plane message in inter-PLMN signaling passes both the home and the visited PLMN SEPPs. In this way, the SEPP can ensure the protection of messages before sending them to an external network as well as verifying messages received from outside their own network before forwarding them to the appropriate NFs or next-hop SCP. Figure 2 shows two IPXs (Internet Protocol Exchanges) between the VPLMN and HPLMN, but it is also possible to have just one or even no IPX (in the case of national roaming, for example).

SEPPs authenticate using Transport Layer Security (TLS) over the N32 control plane interface (N32-c), as well as using TLS to protect messages over the N32 forwarding interface (N32-f). Each SEPP must have the credentials of the roaming partner’s SEPP. To provide so-called roaming value-added services, the 3GPP has also standardized PRINS (Protocol for N32 Interconnect Security) over N32-f to allow the IPX to add modifications of certain message elements while keeping the original elements. Even if only one side requires its functionality, PRINS requires the support of both the VPLMN and the HPLMN, which means they both have to accept the complexity that PRINS introduces for contracts, operation and security.

While the SEPP provides security for the control plane messages, protection of the user plane messages in inter-PLMN communication is provided by the Inter-PLMN User Plane Security (IPUPS) functionality in the existing UPFs, which are controlled by the V-SMF and H-SMF, as shown in Figure 2. IPUPS protects the GTP-U (GPRS Tunneling Protocol-User) traffic by forwarding only valid traffic through the N9 inter-PLMN reference point and discarding the remaining, invalid traffic.

Service Communication Proxy

The SCP was introduced in the 5GS for indirect communication between NFs. SCPs provide centralized monitoring, overload protection and load-balancing functionality. In addition, they provide unified routing and selection logic in determining the destination NF or the next-hop SCP. Routing through the SCP requires support of the 3gpp-Sbi-Target-apiRoot header to indicate the target NF destination. The receiving SEPP may forward a message directly to the destination NF, or through a next-hop SCP, as shown in Figure 2. Likewise, when indirect communication is used, the SCP can support inter-PLMN routing by providing the logic required to route relevant messages to the SEPP centrally. Each operator can decide to deploy SCPs or not, independent of the decision to support roaming.

Voice and other services when roaming

Due to the use of the S8 reference point for routing user traffic and related signaling between the VPLMN and HPLMN, the EPS roaming solution for IMS voice is also known as S8 home routing (S8HR). 5GS roaming for voice follows the same HR principles as for S8HR roaming. 5GS roaming for voice is referred to as N9 home routing (N9HR) and is needed for smartphones. Both EPS fallback and VoNR are possible options as voice solutions.

The IMS PDU session is always anchored in H-SMF/UPF and IMS network elements are in the home network (see Figure 2). Interworking with 4G will be enabled for EPS fallback and for intersystem handover between VoNR and VoLTE. It is recommended to use VoNR when roaming because the additional call setup delay in EPS fallback will be even greater in roaming cases compared with non-roaming ones. Supporting both EPS fallback and VoNR in the HPLMN maximizes the opportunities for compatible network capabilities with roaming partners.

SMS solutions for 5GS roaming are either SMS over IP or SMS over 5G non-access stratum (NAS), and both rely on support for SMS in the HPLMN. SMS over IP has no additional impacts on the VPLMN and is based on the established IMS PDU session to the HPLMN. SMS over 5G NAS depends on the SMSF (the SMS function in 5GC) being present in the VPLMN.

Emergency calls for a roaming subscriber are provided by the VPLMN subject to regulatory requirements. This is applicable to 5GS roaming as well as to S8HR roaming. Emergency service in the 5GS is either provided natively over the 5GS or by emergency service fallback to the EPS. The AMF provides the UE with an indication about which of these two solutions is valid during the 5GC registration procedure. Figure 3 illustrates the difference between architecture for voice in 5GS roaming (top half) and emergency service in 5GS roaming (bottom half).

For emergency calls on the 5GS, the UE will establish an emergency PDU session. After resolution by the SMF/UPF in the VPLMN, the emergency call will be connected through the VPLMN IMS to the emergency center. In the case of emergency service fallback, mobility from 5GS to the EPS will take place, and then the emergency call will be set up on the EPS using an emergency PDN, with the VPLMN IMS. As in the EPS, since there is typically no IMS network-to-network interface (NNI) between the VPLMN and the HPLMN, the VPLMN IMS cannot fetch UE/subscriber identifiers from the HPLMN IMS. Instead, it must fetch these identifiers from the VPLMN 5GC before emergency call setup. Any emergency callback from the emergency center to the user will be through the HPLMN IMS just as any other incoming call.

For MBB and data access, the PDU session to the internet (which uses the data network name) is also anchored in HPLMN SMF and UPF. The HPLMN UPF and N6 reference point are used to provide subscribers with internet access (the data network), as shown in Figure 1.

Conclusion

The majority of mobile network operators will create combined Evolved Packet System (EPS) and 5G System (5GS) networks supporting seamless voice and data services in the years ahead. They will continue to expect roaming to work regardless of whether their partners have both the EPS and the 5GS, or only the EPS. While 5GS roaming has many similarities to previous generations of roaming, it also introduces several new concepts that lead to some important differences that all operators need to understand.

One of the main benefits of the 5GS roaming architecture is the possibility to expand an existing EPS roaming solution by using 5GS in the VPLMN and mobility between the 5GS and the EPS when roaming. User equipment that is capable of using both the EPS and the 5GS will also be able to use both EPS and 5GS roaming.

The introduction of 5GS roaming is going to demand attention across all domains. There are roaming aspects to consider in the core network, in user data and policies, in services and in backend systems. At the same time, security for roaming partners must also be ensured. Fortunately, all of these aspects are addressed in the 3GPP Release 16, the new baseline for roaming.

References

1. Ericsson Technology Review, 5G New Radio RAN and transport choices that minimize TCO, November 7, 2019, Eriksson, A.C; Forsman, M; Ronkainen, H; Willars, P; Östberg, C.
2. 3GPP TS 23.501, System Architecture for the 5G System (5GS)
3. Ericsson Technology Review, 5G migration strategy from EPS to 5G system, February 24, 2020, Keller, R; Cagenius, T; Ryde, A; Castellanos D.
4. GSMA IR.88, LTE and EPC Roaming Guidelines v.22.0, June 8, 2020
5. GSMA NG.113, 5GS Roaming Guidelines v.3.0, December 16, 2019
6. GSMA NG.114, IMS Profile for Voice, Video and Messaging over 5GS V 1.0
7. GSMA, IR.92, IMS Profile for Voice and SMS, January 20, 2020
8. Ericsson Technology Review, 5G evolution: 3GPP releases 16 & 17 overview, March 9, 2020, Peisa, J; Persson, P; Parkvall, S; Dahlman, E; Grøvlen, A; Hoymann, C; Gerstenberger D.