Wi-Fi Offloading, How? – Chapter 4.2
3GPP Wi-Fi Access
The 3GPP specifications define two types of non-3GPP access: trusted and untrusted. Non-3GPP access includes technologies such as Wi-Fi, WiMAX, fixed-line, and CDMA networks.
In the next three posts, we will explore the differences between trusted and untrusted 3GPP Wi-Fi Access and the various 3GPP standard methods for integrating these access types with cellular networks across different cellular generations (3G/4G/5G). We will focus only on 4G and 5G, as the methods for 3G are essentially the same as for 4G, differing only in the names of the 3GPP nodes.
White Paper: Wi-Fi Offloading, How?
This is an excerpt from our white paper, Wi-Fi Offloading, How?, a technical deep dive into deploying Wi-Fi offloading solutions. If you like what you read, download the full white paper. As a bonus, you’ll also gain access to Wi-Fi Offloading, Why?, outlining the business benefits for mobile operators.
The numerous acronyms introduced with each new 3GPP release can be overwhelming and confusing. We’ve provided a ‘translation table’ to assist those of you already familiar with the terminology for 3G, 4G, or 5G.
Please note that these are simply ‘functions’ that may be delivered as a combined solution with one or more nodes, deployed as containerized functions, or integrated into the same virtual or physical gateway node.
Trusted 3GPP Wi-Fi Access
Trusted non-3GPP (Wi-Fi) access was first introduced with the LTE standard in 3GPP Release 8 (2008). Trusted access typically refers to operator-managed Wi-Fi networks that use encryption (enabled by 802.1x) within the Wi-Fi radio access network (RAN) and secure authentication methods like EAP.
In the case of trusted access, the user device (UE) connects through a Wireless Access Gateway (WAG/TWAG/TNGF/TWIF) in the Wi-Fi core. The gateway, in turn, establishes a secure tunnel directly with the Packet Gateway (GGSN/P-GW/UPF), which is also used for cellular traffic in the Mobile Core. For 5G standalone (5G SA) architectures, a null-encrypted tunnel is used between the device and the TNGF/TWIF; more details on this can be found in the Wi-Fi and 5G convergence section.
SIM authentication (EAP-SIM/AKA/AKA′ or 5G-AKA), performed by a 3GPP AAA server, is crucial for trusted non-3GPP access. Beyond authenticating the device for access to the Wi-Fi network, it also generates the cryptographic keys used for the Wi-Fi encryption (WPA2/WPA3).
Untrusted 3GPP Wi-Fi Access
Untrusted non-3GPP (Wi-Fi) access was first introduced in the Wi-Fi specification of 3GPP Release 6 (2005). At that time, Wi-Fi access points with advanced security features were uncommon, so Wi-Fi was generally considered open and unsecured by default.
Untrusted access refers to any Wi-Fi network over which the operator has no control, including public hotspots, subscribers’ home Wi-Fi, and corporate Wi-Fi networks. This also encompasses Wi-Fi networks that lack adequate security mechanisms, such as EAP authentication and radio link encryption (802.1x enabling WPA2/WPA3-Enterprise encryption). Note that even a Wi-Fi network that does use EAP and 802.1x but lies outside the operator’s control, for instance an enterprise Wi-Fi network, is still considered untrusted.
The flexibility of untrusted non-3GPP access, which works over any Wi-Fi network, makes it the preferred method for services like Wi-Fi Calling (aka Voice over Wi-Fi).
The untrusted model requires no modifications to the Wi-Fi network itself but does impact the device side, as an IPsec client must be deployed natively on the device. The device connects through a secure IPsec tunnel directly to an IPsec Termination Gateway (TTG/ePDG/N3IWF) in the Mobile Core, and that gateway is in turn linked through an encrypted tunnel to the Packet Gateway (GGSN/P-GW/UPF), which handles both cellular and Wi-Fi traffic. This integration means that the device must interact with mobile core network components like the HLR/HSS/AUSF-UDM for SIM-based EAP authentication (EAP-SIM/AKA/AKA′ or 5G-AKA) in order to establish the IPsec tunnel, but not in order to be granted Wi-Fi access. This ensures the same level of authentication security as in the cellular network.
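The two access models above consume the same SIM authentication in different places: in the trusted model the keys derived by EAP-AKA become the WPA2/WPA3 pairwise master key on the Wi-Fi radio link, while in the untrusted model the same EAP run happens inside IKEv2 and its keys authenticate the IPsec tunnel to the ePDG/N3IWF, with the Wi-Fi network uninvolved. The following Python model is an added illustration of that key flow, not code from the white paper or from any 3GPP implementation. It is a constructed simplification: HMAC-SHA256 stands in for the Milenage functions, the EAP and IKEv2 messages are reduced to the fields that matter for the keys, and the IMSI, key K and nonces are made-up sample values. It also shows the check a practitioner cares about: a network that does not hold the subscriber's K fails the AUTN check on the USIM before any response is revealed.

```python
"""Toy model of one EAP-AKA-style SIM authentication serving both 3GPP
non-3GPP access models: trusted (MSK -> WPA PMK) and untrusted (MSK -> IKEv2
AUTH payload). Constructed example: HMAC-SHA256 replaces Milenage and the
message formats are simplified. Not 3GPP-conformant; illustration only."""
import hashlib
import hmac
import os


def kdf(key, label, *parts):
    """Stand-in for the 3GPP key functions: HMAC over a label and inputs."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


class SubscriberDatabase:
    """HLR/HSS/UDM role: holds the long-term key K per IMSI and issues
    authentication vectors. K itself never leaves this function."""

    def __init__(self):
        self.keys, self.sqn = {}, {}

    def provision(self, imsi, k):
        self.keys[imsi], self.sqn[imsi] = k, 0

    def auth_vector(self, imsi):
        k = self.keys[imsi]
        self.sqn[imsi] += 1
        sqn = self.sqn[imsi].to_bytes(6, "big")
        rand = os.urandom(16)
        mac = kdf(k, b"f1-mac", sqn, rand)[:8]   # lets the UE authenticate the network
        xres = kdf(k, b"f2-res", rand)[:8]       # expected UE response
        ck_ik = kdf(k, b"f3f4-ckik", rand)       # session key material
        return rand, sqn + mac, xres, ck_ik      # (RAND, AUTN, XRES, CK|IK)


class Sim:
    """USIM role on the UE: shares K with the home network and checks AUTN
    (network authenticity and freshness) before answering the challenge."""

    def __init__(self, imsi, k):
        self.imsi, self.k, self.last_sqn = imsi, k, 0

    def respond(self, rand, autn):
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, kdf(self.k, b"f1-mac", sqn, rand)[:8]):
            raise ValueError("AUTN MAC check failed: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            raise ValueError("AUTN sequence not fresh: replayed challenge")
        self.last_sqn = int.from_bytes(sqn, "big")
        return kdf(self.k, b"f2-res", rand)[:8], kdf(self.k, b"f3f4-ckik", rand)


class AaaServer:
    """3GPP AAA role: relays the AKA challenge, compares RES with XRES and on
    success hands the MSK to whichever gateway acted as authenticator."""

    def __init__(self, hss):
        self.hss, self.pending = hss, {}

    def challenge(self, imsi):
        rand, autn, xres, ck_ik = self.hss.auth_vector(imsi)
        self.pending[imsi] = (xres, ck_ik)
        return rand, autn                        # EAP-Request/AKA-Challenge

    def verify(self, imsi, res):
        xres, ck_ik = self.pending.pop(imsi)
        if not hmac.compare_digest(res, xres):
            return None                          # EAP-Failure
        return kdf(ck_ik, b"MSK")                # EAP-Success; MSK to authenticator


def run_eap_aka(sim, aaa):
    """One EAP-AKA run; returns (UE-side MSK, network-side MSK) or None."""
    rand, autn = aaa.challenge(sim.imsi)
    res, ck_ik = sim.respond(rand, autn)
    msk_net = aaa.verify(sim.imsi, res)
    return None if msk_net is None else (kdf(ck_ik, b"MSK"), msk_net)


def trusted_access(sim, aaa):
    """Trusted model: the Wi-Fi gateway (TWAG/TNGF) is the 802.1X authenticator;
    the MSK becomes the WPA2/WPA3 PMK protecting the radio link. Returns the PMK."""
    keys = run_eap_aka(sim, aaa)
    if keys is None or not hmac.compare_digest(keys[0][:32], keys[1][:32]):
        return None
    return keys[0][:32]


def untrusted_access(sim, aaa, ni, nr):
    """Untrusted model: EAP runs inside IKE_AUTH, the Wi-Fi network is not
    involved, and the MSK keys the AUTH payloads that complete the IKEv2
    exchange with the ePDG/N3IWF. Returns True when both AUTH values match."""
    keys = run_eap_aka(sim, aaa)
    if keys is None:
        return False
    return hmac.compare_digest(kdf(keys[0], b"IKE_AUTH", ni, nr),
                               kdf(keys[1], b"IKE_AUTH", ni, nr))


def ue_rejects_network(sim, aaa):
    """True when the UE aborts because AUTN did not verify, e.g. against a
    network that does not hold the subscriber's K."""
    try:
        run_eap_aka(sim, aaa)
    except ValueError:
        return True
    return False
```

Both `trusted_access` and `untrusted_access` call the same `run_eap_aka`, which is the point: the HSS/UDM and AAA do identical work, and only the consumer of the resulting MSK differs (the 802.1X authenticator in the Wi-Fi gateway versus the IKEv2 responder in the ePDG/N3IWF). The `ue_rejects_network` check shows why the untrusted model is safe over any hotspot: a gateway that cannot produce a valid AUTN never receives RES or key material from the USIM.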