Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) - NGN Functional Architecture - Network Attachment SubSystem (NASS)

The present document describes the architecture of the Network Attachment SubSystem (NASS) and its role in the TISPAN NGN architecture as defined in ES 282 001 [2].

Zlite telekomunikacijske in internetne storitve ter protokoli za napredno omreženje (TISPAN) - Funkcijska arhitektura omrežja NGN - Podsistem omrežne priključitve (NASS)

General Information

Status
Published
Publication Date
05-Feb-2009
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
12-Jan-2009
Due Date
19-Mar-2009
Completion Date
06-Feb-2009

Buy Standard

Standard
ETSI ES 282 004 V1.3.0 (2008-06) - Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment SubSystem (NASS)
English language
34 pages
sale 15% off
Preview
sale 15% off
Preview
Standard
ETSI ES 282 004 V1.3.0 (2008-03) - Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment SubSystem (NASS)
English language
34 pages
sale 15% off
Preview
sale 15% off
Preview
Standardization document
ES 282 004 V1.3.0:2009
English language
34 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

ETSI ES 282 004 V1.3.0 (2008-06)
ETSI Standard


Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
NGN Functional Architecture;
Network Attachment SubSystem (NASS)

---------------------- Page: 1 ----------------------
2 ETSI ES 282 004 V1.3.0 (2008-06)



Reference
RES/TISPAN-02050-NGN-R1
Keywords
access, system
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2008.
All rights reserved.

TM TM TM TM
DECT , PLUGTESTS , UMTS , TIPHON , the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI ES 282 004 V1.3.0 (2008-06)
Contents
Intellectual Property Rights.5
Foreword.5
1 Scope.6
2 References.6
2.1 Normative references.6
2.2 Informative references.7
3 Definitions and abbreviations.7
3.1 Definitions.7
3.2 Abbreviations.7
4 General Description of NASS .8
4.1 High level functional overview .8
4.2 High level concepts of NASS.9
4.3 Mobility, Nomadism.9
4.4 Access network level registration.9
4.4.1 Implicit authentication .10
4.4.1.1 Line authentication.10
4.4.2 Explicit authentication .10
4.4.3 CNG remote network configuration .10
4.4.4 TISPAN NGN Service/Applications Subsystems discovery .10
5 Functional Architecture.11
5.1 Overview.11
5.2 Functional Entities.12
5.2.1 Network Access Configuration Function (NACF) .12
5.2.2 Access Management Function (AMF).12
5.2.3 Connectivity session Location and repository Function (CLF) .12
5.2.3.1 Information Model.13
5.2.4 User Access Authorization Function (UAAF).14
5.2.5 Profile DataBase Function (PDBF) .14
5.2.6 CNG Configuration Function (CNGCF).14
5.2.7 Access Relay Function (ARF) .14
5.3 Internal Reference points.14
5.3.1 Reference Point AMF - NACF (a1).14
5.3.2 Reference Point NACF - CLF (a2) .15
5.3.2.1 Bind Indication.15
5.3.2.2 Bind Acknowledgement.15
5.3.2.3 Unbind indication.16
5.3.3 Reference Point AMF - UAAF (a3).16
5.3.4 Reference Point UAAF - CLF (a4).16
5.3.4.1 Access Profile Push.16
5.3.4.2 Access Profile Pull .17
5.3.4.3 Remove Access Profile.18
5.3.5 Reference Point NACF - UAAF .18
5.3.6 Reference Point UAAF - UAAF (e ) .18
5
5.3.6.1 Information exchanged on e .19
5
5.4 Interface with the Resource and Admission Control Subsystem (RACS).19
5.4.1 Interface between CLF and RACF (e ).19
4
5.4.1.1 Access Profile Push.20
5.4.1.2 Access Profile Pull .21
5.4.1.3 IP Connectivity Release Indication.21
5.5 Interfaces between NASS and the application plane and service control subsystems.21
5.5.1 Interface between CLF and service control subsystems (e ).21
2
5.5.1.1 Location Information Query.21
5.5.1.2 Location Information Response.22
ETSI

---------------------- Page: 3 ----------------------
4 ETSI ES 282 004 V1.3.0 (2008-06)
5.6 Reference points between NASS and User Equipment.22
5.6.1 Interface for authentication and IP address allocation (e ).22
1
5.6.2 Interface between CNGCF and CNG (e ).22
3
6 Mapping onto network roles.23
7 Information flows.25
7.1 High level information flows.25
7.2 PPP based authentication.26
7.3 DHCP mode.27
Annex A (informative): Physical Configurations .28
A.1 PPP case.28
A.2 PPP with DHCP configuration.29
A.3 DHCP (option 1) .30
A.4 DHCP (option 2) .31
A.5 PANA-based configuration.31
Annex B (informative): Bibliography.33
History .34

ETSI

---------------------- Page: 4 ----------------------
5 ETSI ES 282 004 V1.3.0 (2008-06)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This ETSI Standard (ES) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
The present document describes the architecture of the Network Attachment SubSystem (NASS) identified in the
overall TISPAN NGN architecture.
ETSI

---------------------- Page: 5 ----------------------
6 ETSI ES 282 004 V1.3.0 (2008-06)
1 Scope
The present document describes the architecture of the Network Attachment SubSystem (NASS) and its role in the
TISPAN NGN architecture as defined in ES 282 001 [2].
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• Non-specific reference may be made only to a complete document or a part thereof and only in the following
cases:
- if it is accepted that it will be possible to use all future changes of the referenced document for the
purposes of the referring document;
- for informative references.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
For online referenced documents, information sufficient to identify and locate the source shall be provided. Preferably,
the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the
reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the
method of access to the referenced document and the full network address, with the same punctuation and use of upper
case and lower case letters.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are indispensable for the application of the present document. For dated
references, only the edition cited applies. For non-specific references, the latest edition of the referenced document
(including any amendments) applies.
[1] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Access security for IP-based services (3GPP
TS 33.203)".
[2] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture Release 1".
[3] Void.
[4] ISO/IEC 7498-2: "Information Processing Systems - Open Systems Interconnection - Basic
Reference Model - Part 2: Security Architecture".
[5] IEEE 802.1X: "IEEE Standard for Local and metropolitan area networks - Port Based Network
Access Control".
ETSI

---------------------- Page: 6 ----------------------
7 ETSI ES 282 004 V1.3.0 (2008-06)
2.2 Informative references
The following referenced documents are not essential to the use of the present document but they assist the user with
regard to a particular subject area. For non-specific references, the latest version of the referenced document (including
any amendments) applies.
[6] ETSI TR 121 905: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Vocabulary for 3GPP Specifications (3GPP TR 21.905
Release 7)".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
authentication: property by which the correct identity of an entity or party is established with a required assurance
NOTE: The party being authenticated could be a user, subscriber, home environment or serving network
TR 121 905 [6].
authorization: granting of permission based on authenticated identification. ISO/IEC 7498-2 [4]
NOTE: In some contexts, authorization may be granted without requiring authentication or identification e.g.
emergency call services.
Customer Network Gateway (CNG): gateway between the Customer Premises Network (CPN) and the Access
Network (AN)
NOTE: A Customer Network Gateway may be in its simplest form a bridged or routed modem, and in a more
advanced form be an IAD.
explicit authentication: authentication that requires that the party to be authenticated performs an authentication
procedure (to verify the claimed identity of the party)
NOTE: For example, in IMS security (TS 133 203 [1]), explicit authentication is provided with full AKA directed
towards the IMS client entity (represented by IMPI/IMPU and USIM/ISIM) and also implicit
authentication is provided by means of the IPsec security associations.
implicit authentication: authentication based on a trusted relationship already established between two parties, or based
on one or more outputs of an authentication procedure already established between two parties
Line identification: process that establishes the identity of the line based on the trusted configuration
User Equipment (UE): one or more devices allowing a user to access services delivered by TISPAN NGN networks
NOTE: This includes devices under user control commonly referred to as CPE, IAD, ATA, RGW, TE, etc. but
not network controlled entities such as access gateways.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AAA Authentication Authorization and Accounting
AF Application Function
AKA Authentication and Key Agreement
AMF Access Management Function
AN Access Network
API Application Programming Interface
A-RACF Access Resource Admission Control Function
ETSI

---------------------- Page: 7 ----------------------
8 ETSI ES 282 004 V1.3.0 (2008-06)
ARF Access Relay Function
ATA Analogue Terminal Adapter
ATM Asynchronous Transfer Mode
BGF Basic Global Function
CLF Connectivity session Location and repository Function
CNG Customer Network Gateway
CNGCF CNG Configuration Function
CPE Customer Premises Equipment
CPN Customer Premises Network
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
EAP Extensible Authentication Protocol
EP Enforcement Point
FQDN Fully Qualified Domain Name
IAD Integrated Access Device
IMPU IP Multimedia PUblic identity
IMS IP Multimedia System
IP Internet Protocol
IPMI IP Multimedia Private Identity
ISIM IM Services Identity Module
LIF Location Information Forum
NACF Network Access Configuration Function
NASS Network Attachment SubSystem
PAA PANA Authentication Agent
PaC PANA Client
PANA Protocol for carrying Authentication for Network Access
P-CSCF Proxy-Call Session Control Function
PDBF Profile Data Base Function
PPP Point-to-Point Protocol
RACS Resource Admission Control Subsystem
RCEF Resource Control Emulation Function
RGW Residential Gateway
TE Terminal Equipment
UAAF User Access Authorization Function
UE User Equipment
UPSF User Profile Server Function
USIM Universal Subscriber Identity Module
VC Virtual Circuit
VP Virtual Path
4 General Description of NASS
4.1 High level functional overview
The Network Attachment SubSystem provides the following functionalities:
• Dynamic provision of IP address and other user equipment configuration parameters (e.g. using DHCP).
• User authentication, prior or during the IP address allocation procedure.
• Authorization of network access, based on user profile.
• Access network configuration, based on user profile.
• Location management.
The location of this subsystem in the overall TISPAN architecture can be found in ES 282 001 [2] and is placed here for
information in figure 4.1.
ETSI

---------------------- Page: 8 ----------------------
Other networks
User Equipment
 9 ETSI ES 282 004 V1.3.0 (2008-06)
Applications
Other
User
subsyst ems
Service Layer
profiles
Core IMS
PSTN/ISDN
Em ulat ion
subsystem
Network
Attachment
Subsystem
Resource and
Admission Control
Subsyst em
Transport Layer
Transfer Functions

Figure 4.1: TISPAN NGN Architecture R1 overview
4.2 High level concepts of NASS
The Network Attachment SubSystem (NASS) provides registration at access level and initialization of User Equipment
(UE) for accessing to the TISPAN NGN services. The NASS provides network level identification and authentication,
manages the IP address space of the Access Network and authenticates access sessions. The NASS also announces the
contact point of the TISPAN NGN Service/Applications Subsystems to the UE.
Network attachment through NASS is based on implicit or explicit user identity and authentication credentials stored in
the NASS.
4.3 Mobility, Nomadism
Mobility management functions provided by the NASS in the TISPAN NGN Release 1 are limited to the ability of a
terminal to be moved to different access points and access networks (which may be owned by a different access
network provider) and a user to utilize different terminal, access points and access networks to retrieve their TISPAN
NGN services (even from another network operator). The TISPAN NGN Release 1 does not require the support of
handover and session continuity between access networks without excluding autonomous mobility capabilities provided
within the access networks.
The impact of these nomadism requirements are defined in clause 6.
4.4 Access network level registration
NASS registration involves the identification, authentication, and authorization procedures between the UE and the
NASS to control the access to the NASS. Two authentication types are defined for NASS: implicit authentication, for
example based on line identification, and explicit authentication, for example based on EAP. The relationship between
the identity and the credentials used for authentication must be known to the NASS for any authentication solution to be
possible.
Explicit authentication is required between the UE and the NASS. It requires a signalling procedure to be performed
between the UE and the NASS. Implicit authentication may be performed by the NASS based on the line identification
of the connection to the UE. It is a matter of operator policy which form of authentication is applied. Both implicit
authentication and explicit authentication may be used independently as NASS authentication mechanisms.
ETSI

---------------------- Page: 9 ----------------------
10 ETSI ES 282 004 V1.3.0 (2008-06)
4.4.1 Implicit authentication
Depending on the access network configuration, especially for wired broadband access networks, the implicit access
authentication may rely only on an implicit authentication through physical or logic identity on the layer 2 (L2)
transport layer. A UE can directly access to access network without an explicit authentication procedure.
A CNG shall be able to directly access an access network without an explicit authentication procedure.
Which implicit authentication method applies depends on the operator policies.
4.4.1.1 Line authentication
Line authentication is a form of implicit authentication. Line authentication ensures that an access line is authenticated
and can be accessed from the CNG. Line authentication shall be based on the activation of the L2 connection between
the CNG and the access network.
Line authentication ensures that an access line is authenticated and can be accessed from the CNG. The line ID shall be
used for line authentication. The operator's policy shall decide whether line authentication applies.
4.4.2 Explicit authentication
In case the CNG is a routing modem and the Customer Premises Network (CPN) is a private IP realm, authentication
shall be initiated from the CNG. In case the CNG is a bridge, each UE shall authenticate with the NASS as the IP realm
in the CPN is known to the Access Network (AN).
The relationship between the identity and the credentials used for authentication must be known to the NASS for any
explicit authentication solution to be possible. The identity used for explicit authentication may depend on the
authentication mechanism applied and on the access network which the UE is connected to. Two examples of these
identities are:
• User identity and credentials.
• UE identity.
The type of explicit authentication mechanisms used shall depend on the access network configuration and on the
operator policy.
4.4.3 CNG remote network configuration
This procedure is needed for the initialization of the CNGs accessing to the TISPAN NGN service subsystems.
4.4.4 TISPAN NGN Service/Applications Subsystems discovery
As part of the network registration process, the NASS shall have the possibility to announce the contact information of
the TISPAN NGN Service/Applications Subsystems to the UE. In case the TISPAN NGN Subsystem is the IMS, the
contact information provided by the NASS shall identify the P-CSCF.
The contact information provided by the NASS should either by in the form of the IP address of the contact point or in
the form of the FQDN of the contact point (in which case the NASS provides the IP address of the DNS server that is
able to resolve this FQDN into the IP address of the contact point).
Alternatively, the contact point to the TISPAN NGN Service/Applications Subsystems may be statically configured in
the UE e.g. using fully qualified domain names (FQDN) and DNS resolution to retrieve the contact points IP addresses.
This option applies in the non-roaming case.
ETSI

---------------------- Page: 10 ----------------------
11 ETSI ES 282 004 V1.3.0 (2008-06)
5 Functional Architecture
5.1 Overview
The Network Attachment SubSystem (NASS) comprises the following functional entities:
• Network Access Configuration Function (NACF).
• Access Management Function (AMF).
• Connectivity session Location and repository Function (CLF).
• User Access Authorization Function (UAAF).
• Profile Data Base Function (PDBF).
• CNG Configuration Function (CNGCF).
The NASS has interaction with the following TISPAN NGN functional entities:
• TISPAN Service control subsystems and applications.
• Resource Admission Control Subsystem (RACS).
• Access Relay Function (ARF).
• Customer Premises Equipment (CPE).
One or more functional entities may be mapped onto a single physical entity. If one functional entity is implemented by
two physical entities, the interface between these physical entities is outside the scope of standardization.
Functional entities in the Network Attachment SubSystem (NASS) may be distributed over two administrative domains.
See clause 6 for the impact of roaming on the distribution of NASS.
Figure 5.1 provides an overview of the relationships between these functional entities and other subsystems of the
NGN architecture. Interfaces to charging systems are not represented. Annex A provides informative, potential physical
configurations in which the functional NASS architecture can be applied.
Service control
subsystems and
applications
Resource
e2
e2
e4 and
Admission
CLF
Control
e5
Subsystem
a2
a4
CNGCF UAAF
CPECF NACF PDBF
e3
a3
a1
e1 e1
ARF AMF
TE CNG
UE

Figure 5.1: Network Attachment SubSystem architecture
ETSI

---------------------- Page: 11 ----------------------
12 ETSI ES 282 004 V1.3.0 (2008-06)
5.2 Functional Entities
5.2.1 Network Access Configuration Function (NACF)
The Network Access Configuration Function (NACF) is responsible for the IP address allocation to the UE. It may also
distribute other network configuration parameters such as address of DNS server(s), address of signalling proxies for
specific protocols (e.g. address of the P-CSCF when accessing to the IMS).
The NACF should be able to provide to the UE an access network identifier. This information uniquely identifies the
access network to which the UE is attached. With this information applications should be able to locate the CLF.
NOTE 1: The transport of the access identifier depends on extension in existing protocols (e.g. new DHCP option
or usage of DHCP option 120). If NASS does not have the means to convey this parameter to the UE, this
function will not be supported in this TISPAN Release.
NOTE 2: DHCP servers or
...

Final draft ETSI ES 282 004 V1.3.0 (2008-03)
ETSI Standard


Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
NGN Functional Architecture;
Network Attachment SubSystem (NASS)

---------------------- Page: 1 ----------------------
2 Final draft ETSI ES 282 004 V1.3.0 (2008-03)



Reference
RES/TISPAN-02050-NGN-R1
Keywords
access, system
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2008.
All rights reserved.

TM TM TM TM
DECT , PLUGTESTS , UMTS , TIPHON , the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
ETSI

---------------------- Page: 2 ----------------------
3 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
Contents
Intellectual Property Rights.5
Foreword.5
1 Scope.6
2 References.6
2.1 Normative references.6
2.2 Informative references.6
3 Definitions and abbreviations.7
3.1 Definitions.7
3.2 Abbreviations.7
4 General Description of NASS .8
4.1 High level functional overview .8
4.2 High level concepts of NASS.9
4.3 Mobility, Nomadism.9
4.4 Access network level registration.9
4.4.1 Implicit authentication .10
4.4.1.1 Line authentication.10
4.4.2 Explicit authentication .10
4.4.3 CNG remote network configuration .10
4.4.4 TISPAN NGN Service/Applications Subsystems discovery .10
5 Functional Architecture.11
5.1 Overview.11
5.2 Functional Entities.12
5.2.1 Network Access Configuration Function (NACF) .12
5.2.2 Access Management Function (AMF).12
5.2.3 Connectivity Session Location and Repository Function (CLF) .12
5.2.3.1 Information Model.13
5.2.4 User Access Authorization Function (UAAF).14
5.2.5 Profile Database Function (PDBF) .14
5.2.6 CNG Configuration Function (CNGCF).14
5.2.7 Access Relay Function (ARF) .14
5.3 Internal Reference points.14
5.3.1 Reference Point AMF - NACF (a1).14
5.3.2 Reference Point NACF - CLF (a2) .15
5.3.2.1 Bind Indication.15
5.3.2.2 Bind Acknowledgement.15
5.3.2.3 Unbind indication.16
5.3.3 Reference Point AMF - UAAF (a3).16
5.3.4 Reference Point UAAF - CLF (a4).16
5.3.4.1 Access Profile Push.16
5.3.4.2 Access Profile Pull .17
5.3.4.3 Remove Access Profile.18
5.3.5 Reference Point NACF - UAAF .18
5.3.6 Reference Point UAAF - UAAF (e ) .18
5
5.3.6.1 Information exchanged on e .19
5
5.4 Interface with the Resource and Admission Control Subsystem (RACS).19
5.4.1 Interface between CLF and RACF (e ).19
4
5.4.1.1 Access Profile Push.20
5.4.1.2 Access Profile Pull .21
5.4.1.3 IP Connectivity Release Indication.21
5.5 Interfaces between NASS and the application plane and service control subsystems.21
5.5.1 Interface between CLF and service control subsystems (e ).21
2
5.5.1.1 Location Information Query.21
5.5.1.2 Location Information Response.22
ETSI

---------------------- Page: 3 ----------------------
4 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
5.6 Reference points between NASS and User Equipment.22
5.6.1 Interface for authentication and IP address allocation (e ).22
1
5.6.2 Interface between CNGCF and CNG (e ).22
3
6 Mapping onto network roles.23
7 Information flows.25
7.1 High level information flows.25
7.2 PPP based authentication.26
7.3 DHCP mode.27
Annex A (informative): Physical Configurations .28
A.1 PPP case.28
A.2 PPP with DHCP configuration.29
A.3 DHCP (option 1) .30
A.4 DHCP (option 2) .31
A.5 PANA-based configuration.31
Annex B (informative): Bibliography.33
History .34

ETSI

---------------------- Page: 4 ----------------------
5 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This ETSI Standard (ES) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN), and is now submitted for the ETSI standards
Membership Approval Procedure.
The present document describes the architecture of the Network Attachment SubSystem (NASS) identified in the
overall TISPAN NGN architecture.
ETSI

---------------------- Page: 5 ----------------------
6 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
1 Scope
The present document describes the architecture of the Network Attachment SubSystem (NASS) and its role in the
TISPAN NGN architecture as defined in ES 282 001 [2].
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• Non-specific reference may be made only to a complete document or a part thereof and only in the following
cases:
- if it is accepted that it will be possible to use all future changes of the referenced document for the
purposes of the referring document;
- for informative references.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
For online referenced documents, information sufficient to identify and locate the source shall be provided. Preferably,
the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the
reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the
method of access to the referenced document and the full network address, with the same punctuation and use of upper
case and lower case letters.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are indispensable for the application of the present document. For dated
references, only the edition cited applies. For non-specific references, the latest edition of the referenced document
(including any amendments) applies.
[1] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Access security for IP-based services (3GPP
TS 33.203)".
[2] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture Release 1".
[3] Void.
[4] ISO/IEC 7498-2: "Information Processing Systems - Open Systems Interconnection- Basic
Reference Model - Part 2: Security Architecture".
[5] IEEE 802.1X: "IEEE Standard for Local and metropolitan area networks - Port Based Network
Access Control".
2.2 Informative references
[6] ETSI TR 121 905: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Vocabulary for 3GPP Specifications (Release 7)
(3GPP TR 21.905)".
ETSI

---------------------- Page: 6 ----------------------
7 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
authentication: property by which the correct identity of an entity or party is established with a required assurance
NOTE: The party being authenticated could be a user, subscriber, home environment or serving network
TR 121 905 [6].
authorization: granting of permission based on authenticated identification. ISO/IEC 7498-2 [4]
NOTE: In some contexts, authorization may be granted without requiring authentication or identification e.g.
emergency call services.
Customer Network Gateway (CNG): gateway between the Customer Premises Network (CPN) and the Access
Network (AN)
NOTE: A Customer Network Gateway may be in its simplest form a bridged or routed modem, and in a more
advanced form be an IAD.
explicit authentication: authentication that requires that the party to be authenticated performs an authentication
procedure (to verify the claimed identity of the party)
NOTE: For example, in IMS security (TS 133 203 [1]), explicit authentication is provided with full AKA directed
towards the IMS client entity (represented by IMPI/IMPU and USIM/ISIM) and also implicit
authentication is provided by means of the IPsec security associations.
implicit authentication: authentication based on a trusted relationship already established between two parties, or based
on one or more outputs of an authentication procedure already established between two parties
Line identification: process that establishes the identity of the line based on the trusted configuration
User Equipment (UE): one or more devices allowing a user to access services delivered by TISPAN NGN networks
NOTE: This includes devices under user control commonly referred to as CPE, IAD, ATA, RGW, TE, etc. but
not network controlled entities such as access gateways.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AAA Authentication Authorization and Accounting
AF Application Function
AKA Authentication and Key Agreement
AMF Access Management Function
AN Access Network
API Application Programming Interface
A-RACF Access Resource Admission Control Function
ARF Access Relay Function
ATA Analogue Terminal Adapter
ATM Asynchronous Transfer Mode
BGF Basic Global Function
CLF Connectivity session Location and repository Function
CNG Customer Network Gateway
CNGCF CNG Configuration Function
CPE Customer Premises Equipment
CPN Customer Premises Network
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
ETSI

---------------------- Page: 7 ----------------------
8 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
EAP Extensible Authentication Protocol
EP Enforcement Point
FQDN Fully Qualified Domain Name
IAD Integrated Access Device
IMPU IP Multimedia PUblic identity
IMS IP Multimedia System
IP Internet Protocol
IPMI IP Multimedia Private Identity
ISIM IM Services Identity Module
LIF Location Information Forum
NACF Network Access Configuration Function
NASS Network Attachment SubSystem
PAA PANA Authentication Agent
PaC PANA Client
PANA Protocol for carrying Authentication for Network Access
P-CSCF Proxy-Call Session Control Function
PDBF Profile Data Base Function
PPP Point-to-Point Protocol
RACS Resource Admission Control Subsystem
RCEF Resource Control Emulation Function
RGW Residential Gateway
TE Terminal Equipment
UAAF User Access Authorization Function
UE User Equipment
UPSF User Profile Server Function
USIM Universal Subscriber Identity Module
VC Virtual Circuit
VP Virtual Path
4 General Description of NASS
4.1 High level functional overview
The Network Attachment SubSystem provides the following functionalities:
• Dynamic provision of IP address and other user equipment configuration parameters (e.g. using DHCP).
• User authentication, prior or during the IP address allocation procedure.
• Authorization of network access, based on user profile.
• Access network configuration, based on user profile.
• Location management.
The location of this subsystem in the overall TISPAN architecture can be found in ES 282 001 [2] and is placed here for
information in figure 4.1.
ETSI

---------------------- Page: 8 ----------------------
Other networks
User Equipment
 9 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
Applications
Other
User
subsyst ems
Service Layer
profiles
Core IMS
PSTN/ISDN
Em ulat ion
subsystem
Network
Attachment
Subsystem
Resource and
Admission Control
Subsyst em
Transport Layer
Transfer Functions

Figure 4.1: TISPAN NGN Architecture R1 overview
4.2 High level concepts of NASS
The Network Attachment SubSystem (NASS) provides registration at access level and initialization of User Equipment
(UE) for accessing to the TISPAN NGN services . The NASS provides network level identification and authentication,
manages the IP address space of the Access Network and authenticates access sessions. The NASS also announces the
contact point of the TISPAN NGN Service/Applications Subsystems to the UE.
Network attachment through NASS is based on implicit or explicit user identity and authentication credentials stored in
the NASS.
4.3 Mobility, Nomadism
Mobility management functions provided by the NASS in the TISPAN NGN Release 1 are limited to the ability of a
terminal to be moved to different access points and access networks (which may be owned by a different access
network provider) and a user to utilize different terminal, access points and access networks to retrieve their TISPAN
NGN services (even from another network operator). The TISPAN NGN Release 1 does not require the support of
handover and session continuity between access networks without excluding autonomous mobility capabilities provided
within the access networks.
The impact of these nomadism requirements are defined in clause 6.
4.4 Access network level registration
NASS registration involves the identification, authentication, and authorization procedures between the UE and the
NASS to control the access to the NASS. Two authentication types are defined for NASS: implicit authentication, for
example based on line identification, and explicit authentication, for example based on EAP. The relationship between
the identity and the credentials used for authentication must be known to the NASS for any authentication solution to be
possible.
Explicit authentication is required between the UE and the NASS. It requires a signalling procedure to be performed
between the UE and the NASS. Implicit authentication may be performed by the NASS based on the line identification
of the connection to the UE. It is a matter of operator policy which form of authentication is applied. Both implicit
authentication and explicit authentication may be used independently as NASS authentication mechanisms.
ETSI

---------------------- Page: 9 ----------------------
10 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
4.4.1 Implicit authentication
Depending on the access network configuration, especially for wired broadband access networks, the implicit access
authentication may rely only on an implicit authentication through physical or logic identity on the layer 2 (L2)
transport layer. A UE can directly access to access network without an explicit authentication procedure.
A CNG shall be able to directly access an access network without an explicit authentication procedure.
Which implicit authentication method applies depends on the operator policies.
4.4.1.1 Line authentication
Line authentication is a form of implicit authentication. Line authentication ensures that an access line is authenticated
and can be accessed from the CNG. Line authentication shall be based on the activation of the L2 connection between
the CNG and the access network.
Line authentication ensures that an access line is authenticated and can be accessed from the CNG. The line ID shall be
used for line authentication. The operator's policy shall decide whether line authentication applies.
4.4.2 Explicit authentication
In case the CNG is a routing modem and the Customer Premises Network (CPN) is a private IP realm, authentication
shall be initiated from the CNG. In case the CNG is a bridge, each UE shall authenticate with the NASS as the IP realm
in the CPN is known to the Access Network (AN).
The relationship between the identity and the credentials used for authentication must be known to the NASS for any
explicit authentication solution to be possible. The identity used for explicit authentication may depend on the
authentication mechanism applied and on the access network which the UE is connected to. Two examples of these
identities are:
• User identity and credentials.
• UE identity.
The type of explicit authentication mechanisms used shall depend on the access network configuration and on the
operator policy.
4.4.3 CNG remote network configuration
This procedure is needed for the initialization of the CNGs accessing to the TISPAN NGN service subsystems.
4.4.4 TISPAN NGN Service/Applications Subsystems discovery
As part of the network registration process, the NASS shall have the possibility to announce the contact information of
the TISPAN NGN Service/Applications Subsystems to the UE. In case the TISPAN NGN Subsystem is the IMS, the
contact information provided by the NASS shall identify the P-CSCF.
The contact information provided by the NASS should either by in the form of the IP address of the contact point or in
the form of the FQDN of the contact point (in which case the NASS provides the IP address of the DNS server that is
able to resolve this FQDN into the IP address of the contact point).
Alternatively, the contact point to the TISPAN NGN Service/Applications Subsystems may be statically configured in
the UE e.g. using fully qualified domain names (FQDN) and DNS resolution to retrieve the contact points IP addresses.
This option applies in the non-roaming case.
ETSI

---------------------- Page: 10 ----------------------
11 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
5 Functional Architecture
5.1 Overview
The Network Attachment SubSystem (NASS) comprises the following functional entities:
• Network Access Configuration Function (NACF).
• Access Management Function (AMF).
• Connectivity session Location and repository Function (CLF).
• User Access Authorization Function (UAAF).
• Profile Data Base Function (PDBF).
• CNG Configuration Function (CNGCF).
The NASS has interaction with the following TISPAN NGN functional entities:
• TISPAN Service control subsystems and applications.
• Resource Admission Control Subsystem (RACS).
• Access Relay Function (ARF).
• Customer Premises Equipment (CPE).
One or more functional entities may be mapped onto a single physical entity. If one functional entity is implemented by
two physical entities, the interface between these physical entities is outside the scope of standardization.
Functional entities in the Network Attachment SubSystem (NASS) may be distributed over two administrative domains.
See clause 6 for the impact of roaming on the distribution of NASS.
Figure 5.1 provides an overview of the relationships between these functional entities and other subsystems of the
NGN architecture. Interfaces to charging systems are not represented. Annex A provides informative, potential physical
configurations in which the functional NASS architecture can be applied.
Service control
subsystems and
applications
Resource
e2
e2
e4 and
Admission
CLF
Control
e5
Subsystem
a2
a4
CNGCF UAAF
CPECF NACF PDBF
e3
a3
a1
e1 e1
ARF AMF
TE CNG
UE

Figure 5.1: Network Attachment SubSystem architecture
ETSI

---------------------- Page: 11 ----------------------
12 Final draft ETSI ES 282 004 V1.3.0 (2008-03)
5.2 Functional Entities
5.2.1 Network Access Configuration Function (NACF)
The Network Access Configuration Function (NACF) is responsible for the IP address allocation to the UE. It may also
distribute other network configuration parameters such as address of DNS server(s), address of signalling proxies for
specific protocols (e.g. address of the P-CSCF when accessing to the IMS).
The NACF should be able to provide to the UE a access network identifier. This information uniquely identifies the
access network to which the UE is attached. With this information applications should be able to locate the CLF.
NOTE 1: The transport of the access identifier depends on extension in existing protocols (e.g. new DHCP option
or usage of DHCP option 120). If NASS does not have the means to convey this parameter to the UE, this
function will not be supported in this TISPAN Release.
NOTE 2: DHCP servers or RADIUS servers are typical implementations
...

SLOVENSKI STANDARD
SIST ES 282 004 V1.3.0:2009
01-marec-2009
=OLWHWHOHNRPXQLNDFLMVNHLQLQWHUQHWQHVWRULWYHWHUSURWRNROL]DQDSUHGQRRPUHåHQMH
7,63$1 )XQNFLMVNDDUKLWHNWXUDRPUHåMD1*13RGVLVWHPRPUHåQHSULNOMXþLWYH
1$66
Telecommunications and Internet converged Services and Protocols for Advanced
Networking (TISPAN) - NGN Functional Architecture - Network Attachment SubSystem
(NASS)
Ta slovenski standard je istoveten z: ES 282 004 Version 1.3.0
ICS:
33.040.01 Telekomunikacijski sistemi Telecommunication systems
na splošno in general
33.080 Digitalno omrežje z Integrated Services Digital
integriranimi storitvami Network (ISDN)
(ISDN)
SIST ES 282 004 V1.3.0:2009 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ES 282 004 V1.3.0:2009

---------------------- Page: 2 ----------------------

SIST ES 282 004 V1.3.0:2009

ETSI ES 282 004 V1.3.0 (2008-06)
ETSI Standard


Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
NGN Functional Architecture;
Network Attachment SubSystem (NASS)

---------------------- Page: 3 ----------------------

SIST ES 282 004 V1.3.0:2009
 2 ETSI ES 282 004 V1.3.0 (2008-06)



Reference
RES/TISPAN-02050-NGN-R1
Keywords
access, system
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2008.
All rights reserved.

TM TM TM TM
DECT , PLUGTESTS , UMTS , TIPHON , the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
ETSI

---------------------- Page: 4 ----------------------

SIST ES 282 004 V1.3.0:2009
 3 ETSI ES 282 004 V1.3.0 (2008-06)
Contents
Intellectual Property Rights.5
Foreword.5
1 Scope.6
2 References.6
2.1 Normative references.6
2.2 Informative references.7
3 Definitions and abbreviations.7
3.1 Definitions.7
3.2 Abbreviations.7
4 General Description of NASS .8
4.1 High level functional overview .8
4.2 High level concepts of NASS.9
4.3 Mobility, Nomadism.9
4.4 Access network level registration.9
4.4.1 Implicit authentication .10
4.4.1.1 Line authentication.10
4.4.2 Explicit authentication .10
4.4.3 CNG remote network configuration .10
4.4.4 TISPAN NGN Service/Applications Subsystems discovery .10
5 Functional Architecture.11
5.1 Overview.11
5.2 Functional Entities.12
5.2.1 Network Access Configuration Function (NACF) .12
5.2.2 Access Management Function (AMF).12
5.2.3 Connectivity session Location and repository Function (CLF) .12
5.2.3.1 Information Model.13
5.2.4 User Access Authorization Function (UAAF).14
5.2.5 Profile DataBase Function (PDBF) .14
5.2.6 CNG Configuration Function (CNGCF).14
5.2.7 Access Relay Function (ARF) .14
5.3 Internal Reference points.14
5.3.1 Reference Point AMF - NACF (a1).14
5.3.2 Reference Point NACF - CLF (a2) .15
5.3.2.1 Bind Indication.15
5.3.2.2 Bind Acknowledgement.15
5.3.2.3 Unbind indication.16
5.3.3 Reference Point AMF - UAAF (a3).16
5.3.4 Reference Point UAAF - CLF (a4).16
5.3.4.1 Access Profile Push.16
5.3.4.2 Access Profile Pull .17
5.3.4.3 Remove Access Profile.18
5.3.5 Reference Point NACF - UAAF .18
5.3.6 Reference Point UAAF - UAAF (e ) .18
5
5.3.6.1 Information exchanged on e .19
5
5.4 Interface with the Resource and Admission Control Subsystem (RACS).19
5.4.1 Interface between CLF and RACF (e ).19
4
5.4.1.1 Access Profile Push.20
5.4.1.2 Access Profile Pull .21
5.4.1.3 IP Connectivity Release Indication.21
5.5 Interfaces between NASS and the application plane and service control subsystems.21
5.5.1 Interface between CLF and service control subsystems (e ).21
2
5.5.1.1 Location Information Query.21
5.5.1.2 Location Information Response.22
ETSI

---------------------- Page: 5 ----------------------

SIST ES 282 004 V1.3.0:2009
 4 ETSI ES 282 004 V1.3.0 (2008-06)
5.6 Reference points between NASS and User Equipment.22
5.6.1 Interface for authentication and IP address allocation (e ).22
1
5.6.2 Interface between CNGCF and CNG (e ).22
3
6 Mapping onto network roles.23
7 Information flows.25
7.1 High level information flows.25
7.2 PPP based authentication.26
7.3 DHCP mode.27
Annex A (informative): Physical Configurations .28
A.1 PPP case.28
A.2 PPP with DHCP configuration.29
A.3 DHCP (option 1) .30
A.4 DHCP (option 2) .31
A.5 PANA-based configuration.31
Annex B (informative): Bibliography.33
History .34

ETSI

---------------------- Page: 6 ----------------------

SIST ES 282 004 V1.3.0:2009
 5 ETSI ES 282 004 V1.3.0 (2008-06)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This ETSI Standard (ES) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
The present document describes the architecture of the Network Attachment SubSystem (NASS) identified in the
overall TISPAN NGN architecture.
ETSI

---------------------- Page: 7 ----------------------

SIST ES 282 004 V1.3.0:2009
 6 ETSI ES 282 004 V1.3.0 (2008-06)
1 Scope
The present document describes the architecture of the Network Attachment SubSystem (NASS) and its role in the
TISPAN NGN architecture as defined in ES 282 001 [2].
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• Non-specific reference may be made only to a complete document or a part thereof and only in the following
cases:
- if it is accepted that it will be possible to use all future changes of the referenced document for the
purposes of the referring document;
- for informative references.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
For online referenced documents, information sufficient to identify and locate the source shall be provided. Preferably,
the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the
reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the
method of access to the referenced document and the full network address, with the same punctuation and use of upper
case and lower case letters.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are indispensable for the application of the present document. For dated
references, only the edition cited applies. For non-specific references, the latest edition of the referenced document
(including any amendments) applies.
[1] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Access security for IP-based services (3GPP
TS 33.203)".
[2] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture Release 1".
[3] Void.
[4] ISO/IEC 7498-2: "Information Processing Systems - Open Systems Interconnection - Basic
Reference Model - Part 2: Security Architecture".
[5] IEEE 802.1X: "IEEE Standard for Local and metropolitan area networks - Port Based Network
Access Control".
ETSI

---------------------- Page: 8 ----------------------

SIST ES 282 004 V1.3.0:2009
 7 ETSI ES 282 004 V1.3.0 (2008-06)
2.2 Informative references
The following referenced documents are not essential to the use of the present document but they assist the user with
regard to a particular subject area. For non-specific references, the latest version of the referenced document (including
any amendments) applies.
[6] ETSI TR 121 905: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Vocabulary for 3GPP Specifications (3GPP TR 21.905
Release 7)".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
authentication: property by which the correct identity of an entity or party is established with a required assurance
NOTE: The party being authenticated could be a user, subscriber, home environment or serving network
TR 121 905 [6].
authorization: granting of permission based on authenticated identification. ISO/IEC 7498-2 [4]
NOTE: In some contexts, authorization may be granted without requiring authentication or identification e.g.
emergency call services.
Customer Network Gateway (CNG): gateway between the Customer Premises Network (CPN) and the Access
Network (AN)
NOTE: A Customer Network Gateway may be in its simplest form a bridged or routed modem, and in a more
advanced form be an IAD.
explicit authentication: authentication that requires that the party to be authenticated performs an authentication
procedure (to verify the claimed identity of the party)
NOTE: For example, in IMS security (TS 133 203 [1]), explicit authentication is provided with full AKA directed
towards the IMS client entity (represented by IMPI/IMPU and USIM/ISIM) and also implicit
authentication is provided by means of the IPsec security associations.
implicit authentication: authentication based on a trusted relationship already established between two parties, or based
on one or more outputs of an authentication procedure already established between two parties
Line identification: process that establishes the identity of the line based on the trusted configuration
User Equipment (UE): one or more devices allowing a user to access services delivered by TISPAN NGN networks
NOTE: This includes devices under user control commonly referred to as CPE, IAD, ATA, RGW, TE, etc. but
not network controlled entities such as access gateways.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AAA Authentication Authorization and Accounting
AF Application Function
AKA Authentication and Key Agreement
AMF Access Management Function
AN Access Network
API Application Programming Interface
A-RACF Access Resource Admission Control Function
ETSI

---------------------- Page: 9 ----------------------

SIST ES 282 004 V1.3.0:2009
 8 ETSI ES 282 004 V1.3.0 (2008-06)
ARF Access Relay Function
ATA Analogue Terminal Adapter
ATM Asynchronous Transfer Mode
BGF Basic Global Function
CLF Connectivity session Location and repository Function
CNG Customer Network Gateway
CNGCF CNG Configuration Function
CPE Customer Premises Equipment
CPN Customer Premises Network
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
EAP Extensible Authentication Protocol
EP Enforcement Point
FQDN Fully Qualified Domain Name
IAD Integrated Access Device
IMPU IP Multimedia PUblic identity
IMS IP Multimedia System
IP Internet Protocol
IPMI IP Multimedia Private Identity
ISIM IM Services Identity Module
LIF Location Information Forum
NACF Network Access Configuration Function
NASS Network Attachment SubSystem
PAA PANA Authentication Agent
PaC PANA Client
PANA Protocol for carrying Authentication for Network Access
P-CSCF Proxy-Call Session Control Function
PDBF Profile Data Base Function
PPP Point-to-Point Protocol
RACS Resource Admission Control Subsystem
RCEF Resource Control Emulation Function
RGW Residential Gateway
TE Terminal Equipment
UAAF User Access Authorization Function
UE User Equipment
UPSF User Profile Server Function
USIM Universal Subscriber Identity Module
VC Virtual Circuit
VP Virtual Path
4 General Description of NASS
4.1 High level functional overview
The Network Attachment SubSystem provides the following functionalities:
• Dynamic provision of IP address and other user equipment configuration parameters (e.g. using DHCP).
• User authentication, prior or during the IP address allocation procedure.
• Authorization of network access, based on user profile.
• Access network configuration, based on user profile.
• Location management.
The location of this subsystem in the overall TISPAN architecture can be found in ES 282 001 [2] and is placed here for
information in figure 4.1.
ETSI

---------------------- Page: 10 ----------------------

Other networks
User Equipment
SIST ES 282 004 V1.3.0:2009
 9 ETSI ES 282 004 V1.3.0 (2008-06)
Applications
Other
User
subsyst ems
Service Layer
profiles
Core IMS
PSTN/ISDN
Em ulat ion
subsystem
Network
Attachment
Subsystem
Resource and
Admission Control
Subsyst em
Transport Layer
Transfer Functions

Figure 4.1: TISPAN NGN Architecture R1 overview
4.2 High level concepts of NASS
The Network Attachment SubSystem (NASS) provides registration at access level and initialization of User Equipment
(UE) for accessing to the TISPAN NGN services. The NASS provides network level identification and authentication,
manages the IP address space of the Access Network and authenticates access sessions. The NASS also announces the
contact point of the TISPAN NGN Service/Applications Subsystems to the UE.
Network attachment through NASS is based on implicit or explicit user identity and authentication credentials stored in
the NASS.
4.3 Mobility, Nomadism
Mobility management functions provided by the NASS in the TISPAN NGN Release 1 are limited to the ability of a
terminal to be moved to different access points and access networks (which may be owned by a different access
network provider) and a user to utilize different terminal, access points and access networks to retrieve their TISPAN
NGN services (even from another network operator). The TISPAN NGN Release 1 does not require the support of
handover and session continuity between access networks without excluding autonomous mobility capabilities provided
within the access networks.
The impact of these nomadism requirements are defined in clause 6.
4.4 Access network level registration
NASS registration involves the identification, authentication, and authorization procedures between the UE and the
NASS to control the access to the NASS. Two authentication types are defined for NASS: implicit authentication, for
example based on line identification, and explicit authentication, for example based on EAP. The relationship between
the identity and the credentials used for authentication must be known to the NASS for any authentication solution to be
possible.
Explicit authentication is required between the UE and the NASS. It requires a signalling procedure to be performed
between the UE and the NASS. Implicit authentication may be performed by the NASS based on the line identification
of the connection to the UE. It is a matter of operator policy which form of authentication is applied. Both implicit
authentication and explicit authentication may be used independently as NASS authentication mechanisms.
ETSI

---------------------- Page: 11 ----------------------

SIST ES 282 004 V1.3.0:2009
 10 ETSI ES 282 004 V1.3.0 (2008-06)
4.4.1 Implicit authentication
Depending on the access network configuration, especially for wired broadband access networks, the implicit access
authentication may rely only on an implicit authentication through physical or logic identity on the layer 2 (L2)
transport layer. A UE can directly access to access network without an explicit authentication procedure.
A CNG shall be able to directly access an access network without an explicit authentication procedure.
Which implicit authentication method applies depends on the operator policies.
4.4.1.1 Line authentication
Line authentication is a form of implicit authentication. Line authentication ensures that an access line is authenticated
and can be accessed from the CNG. Line authentication shall be based on the activation of the L2 connection between
the CNG and the access network.
Line authentication ensures that an access line is authenticated and can be accessed from the CNG. The line ID shall be
used for line authentication. The operator's policy shall decide whether line authentication applies.
4.4.2 Explicit authentication
In case the CNG is a routing modem and the Customer Premises Network (CPN) is a private IP realm, authentication
shall be initiated from the CNG. In case the CNG is a bridge, each UE shall authenticate with the NASS as the IP realm
in the CPN is known to the Access Network (AN).
The relationship between the identity and the credentials used for authentication must be known to the NASS for any
explicit authentication solution to be possible. The identity used for explicit authentication may depend on the
authentication mechanism applied and on the access network which the UE is connected to. Two examples of these
identities are:
• User identity and credentials.
• UE identity.
The type of explicit authentication mechanisms used shall depend on the access network configuration and on the
operator policy.
4.4.3 CNG remote network configuration
This procedure is needed for the initialization of the CNGs accessing to the TISPAN NGN service subsystems.
4.4.4 TISPAN NGN Service/Applications Subsystems discovery
As part of the network registration process, the NASS shall have the possibility to announce the contact information of
the TISPAN NGN Service/Applications Subsystems to the UE. In case the TISPAN NGN Subsystem is the IMS, the
contact information provided by the NASS shall identify the P-CSCF.
The contact information provided by the NASS should either by in the form of the IP address of the contact point or in
the form of the FQDN of the contact point (in which case the NASS provides the IP address of the DNS server that is
able to resolve this FQDN into the IP address of the contact point).
Alternatively, the contact point to the TISPAN NGN Service/Applications Subsystems may be statically configured in
the UE e.g. using fully qualified domain names (FQDN) and DNS resolution to retrieve the contact points IP addresses.
This option applies in the non-roaming case.
ETSI

---------------------- Page: 12 ----------------------

SIST ES 282 004 V1.3.0:2009
 11 ETSI ES 282 004 V1.3.0 (2008-06)
5 Functional Architecture
5.1 Overview
The Network Attachment SubSystem (NASS) comprises the following functional entities:
• Network Access Configuration Function (NACF).
• Access Management Function (AMF).
• Connectivity session Location and repository Function (CLF).
• User Access Authorization Function (UAAF).
• Profile Data Base Function (PDBF).
• CNG Configuration Function (CNGCF).
The NASS has interaction with the following TISPAN NGN functional entities:
• TISPAN Service control subsystems and applications.
• Resource Admission Control Subsystem (RACS).
• Access Relay Function (ARF).
• Customer Premises Equipment (CPE).
One or more functional entities may be mapped onto a single physical entity. If one functional entity is implemented by
two physical entities, the interface between these physical entities is outside the scope of standardization.
Functional entities in the Network Attachment SubSystem (NASS) may be distributed over two administrative domains.
See clause 6 for the impact of roaming on the distribution of NASS.
Figure 5.1 provides an overview of the relationships between these functional entities and other subsystems of the
NGN architecture. Interfaces to charging systems are not represented. Annex A provides informative, potential physical
configurations in which the functional NASS ar
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.