The interest in 5G and mIoT is exploding. It’s exciting to see so many IT and cybersecurity professionals in my network trying to learn more about 5G and related technologies.
In addition to my usual articles about the societal impacts of these innovations, I'll start a series of articles introducing key 5G and mIoT technology concepts before we move on to the technical aspects of 5G security.
Let’s get started with reviewing the 5G core service-based architecture and learning the first few dozen acronyms, out of approximately a gazillion. The cellular industry loves acronyms. Even more than the cybersecurity industry.
The 5G architecture is an evolution of the 4G architecture, but it is built on a Service-Based Architecture (SBA). 3GPP defines the SBA for the 5G core as a set of interconnected Network Functions (NFs), each authorized to access the services the others offer.
Some of the key differences and focus areas:
- In contrast to the fixed-function, hard-wired, appliance-based architecture of the 4G LTE core (the Evolved Packet Core, EPC), realizing the full potential of 5G means moving to software-based, cloud-based open platforms.
- EPC (4G core) elements were architected for physical nodes and virtualized later; they were not designed to be virtualized from the outset.
- Network elements in the 5G core are cloud native and are referred to as "functions" rather than "nodes."
- Automation and programmability are an important part of the target 5G architecture.
- With this flexibility, virtualization and programmability, the new architecture better supports diverging architectures for new services.
In summary, the 5G core is designed around three enhancements:
- Control and User Plane Split, with the 4G core elements mapped onto the 5G core's Access and Mobility Management Function (AMF), Session Management Function (SMF) and User Plane Function (UPF).
- Native support for Network Slicing for the 5G use cases: enhanced Mobile Broadband (eMBB), massive Machine Type Communications (mMTC) and critical MTC, and Ultra-Reliable and Low Latency Communications (URLLC).
- Service-Based Architecture, which delivers services as a set of Network Functions.
4G Control and User Plane Separation (CUPS) EPC
The separation of the control and user planes in the 4G architecture was introduced with 3GPP Release 14. It split the packet gateways into control-plane and user-plane parts, allowing more flexible deployment and independent scaling, with benefits in both CapEx and OpEx.
The next step in the evolution to 5G was to rename the core network entities and either split or merge them, depending on whether their functions fall in the user plane or the control plane of the 5G architecture. For those with a 4G background, some 4G CUPS core elements map easily onto the renamed 5G core elements. Here are a few key ones:
Next generation NB (gNB)
The new radio access technology is called New Radio (NR) and replaces LTE. The new base station is the next generation NodeB (gNB, or gNodeB). It replaces the eNB (eNodeB, Evolved Node B) of 4G LTE and the NodeB of 3G UMTS.
The gNB handles radio communications with 5G-capable User Equipment (UE) over the 5G NR air interface, although some types of gNB connect to the 4G EPC instead of the 5G core (the non-standalone deployment option).
The Control Plane – AMF and SMF
The Mobility Management Entity (MME) in LTE is the signaling node for UE access and mobility; it establishes the bearer path for UEs and handles mobility between LTE and 2G/3G access networks. In the 5G core the MME is replaced with:
- Access and Mobility Management Function (AMF), which oversees authentication, connection and mobility management between the network and the device. It receives connection- and session-related information from the UE.
- Session Management Function (SMF), which handles session management, IP address allocation and control of policy enforcement.
The Data Plane – User Plane Function (UPF)
CUPS decouples the Packet Gateway (PGW) control and user plane functions. This lets the data-forwarding component (PGW-U) be decentralized, and it is this component that maps to the UPF in the 5G core.
- The user plane consists of a single entity, the User Plane Function (UPF).
- It combines the user-plane functionality of the EPC Serving Gateway (S-GW) and PDN Gateway (P-GW).
- The UPF is responsible for packet routing and forwarding and for Quality of Service (QoS) enforcement.
Network Slicing in 5G
A 5G network is geared towards supporting multiple use cases and applications. Examples of these use cases include:
- enhanced Mobile Broadband (eMBB), which requires user throughput in the Gbps range
- Industrial Internet of Things, which requires Ultra-Reliable and Low Latency Communications (URLLC) capabilities (latency of around 1 ms)
- massive Machine Type Communications (mMTC): a network that can support millions of IoT devices
5G supports this multitude of services by using the SBA to run multiple virtual networks on the same physical hardware. The slices that share a physical network are logically isolated, so that traffic, faults and security breaches in one slice are not meant to affect another. In practice the strength of that isolation depends on how the shared NFs, the transport network and the virtualization layer are configured, which is why slice isolation deserves its own place in a 5G security review.
I wrote more about network slicing in 5G Network Slicing Technology: A Primer.
In short, a Network Slice is a logical network that includes both the Radio Access Network and the Core Network.
- It provides services and network capabilities, which may or may not vary from slice to slice.
- It lets service providers partition their networks into discrete horizontal slices for specific use cases, services, individual customers or even vertical segments, such as energy, healthcare and manufacturing.
- A dedicated set of physical and virtualized network resources is allocated, from the end devices, over the radio access, transport and packet core, to the application, content delivery and edge cloud domains.
In summary, a network slice is a logical network that provides specific network capabilities and characteristics. A key component of a Network Slice is the Network Slice Instance (NSI): a set of Network Function instances and the required resources (compute, storage and networking) that together form a deployed Network Slice.
In 5G, a Network Slice includes the Core Network control plane and user plane Network Functions as well as the 5G Access Network (AN). The 5G Access Network may be:
- A Next Generation Radio Access Network (NG-RAN), i.e. gNBs.
- A non-3GPP Access Network, where the terminal may use any non-3GPP access to reach the 5G core through an IPsec tunnel, set up with IKEv2 and terminated on a Non-3GPP Interworking Function (N3IWF).
5G Core Service-Based Architecture (SBA)
The Service-Based Architecture for the 5G core is defined in 3GPP Technical Specification (TS) 23.501, "System Architecture for the 5G System". It uses service-based interfaces between control-plane functions, while user-plane functions connect over point-to-point reference points.
A good introduction to the SBA is the “Service-Based Architecture in 5G” paper by NGMN Alliance.
For readers from an IT and cloud background, the 5G SBA can be thought of as a hybrid of Service-Oriented Architecture (SOA) and microservices.
In short, it is an architectural approach that makes 5G network functionality more granular and decoupled. Individual services can be updated independently with minimal impact on other services and deployed on demand. This allows vendor independence, automation and agile operational processes, shorter delivery and deployment times, and better operational efficiency.
Basic principles are:
- A Control Plane Network Function can provide one or more NF Services.
- An NF Service consists of operations based on either a request-response or a subscribe-notify model.
- A common control protocol, an HTTP-based API (HTTP/2 carrying JSON payloads), replaces protocols such as Diameter.
Figure: Service-based interface (request-reply and subscribe-notify). Credit: ITU.
The major building blocks of the 5G Core Service-Based Architecture, simplified, are the following ten:
- Network and Resource Management
- Signaling
- Subscriber Data
- Application Function and Network Exposure Function
- Policy
- Subscriber Management
- Location Services
- Control Plane
- Access Network
- User Plane
IMS core functionality is the same as in 4G.
Network and Resource Management
Network and Resource Management consists of three parts:
Network Repository Function (NRF)
- Allows every network function to discover the services offered by other network functions.
- Serves as the repository of NF profiles and the services they offer;
- supports the discovery mechanism by which 5G elements find each other; and
- receives status updates (registration, heartbeat, update, deregistration) from the 5G elements and can notify subscribed consumers about them.
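The registration, discovery, subscribe-notify and authorization points described above can be made concrete with a small model. The following is an added example written for this page, not 3GPP code or an implementation of any real NRF: the NF profile fields, the NF names, the callback shape and the demo data are all constructed, and the access token (which TS 33.501 specifies as an OAuth 2.0 token issued by the NRF) is simplified here to a shared-key HMAC over a JSON body rather than a signed JWT. It shows what a practitioner should expect an NRF to enforce: discovery returns only producers that admit the requesting NF type, a token is refused for a consumer no producer admits, and a producer rejects a token whose audience, scope or signature is wrong.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field


@dataclass
class NFProfile:
    """Subset of the profile an NF registers with the NRF (constructed fields)."""
    nf_instance_id: str
    nf_type: str                      # e.g. "AMF", "SMF", "UDM"
    services: list                    # e.g. ["nudm-sdm"]
    allowed_nf_types: list = field(default_factory=list)  # consumer types the producer accepts; empty = any
    status: str = "REGISTERED"


class NRF:
    """Toy NRF: NF management, NF discovery, status subscriptions and access tokens."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key           # assumed shared with producers (a real NRF signs JWTs)
        self._profiles = {}               # nf_instance_id -> NFProfile
        self._subscriptions = {}          # nf_type -> [callback(event, profile)]

    # Nnrf_NFManagement: producers register and deregister themselves
    def register(self, profile):
        self._profiles[profile.nf_instance_id] = profile
        self._notify(profile.nf_type, "NF_REGISTERED", profile)

    def deregister(self, nf_instance_id):
        profile = self._profiles.pop(nf_instance_id)
        profile.status = "DEREGISTERED"
        self._notify(profile.nf_type, "NF_DEREGISTERED", profile)

    # subscribe-notify: a consumer asks to be told when NFs of a given type change status
    def subscribe(self, nf_type, callback):
        self._subscriptions.setdefault(nf_type, []).append(callback)

    def _notify(self, nf_type, event, profile):
        for callback in self._subscriptions.get(nf_type, []):
            callback(event, profile)

    # Nnrf_NFDiscovery: return only registered producers that admit this consumer type
    def discover(self, target_nf_type, requester_nf_type):
        return [p for p in self._profiles.values()
                if p.nf_type == target_nf_type
                and p.status == "REGISTERED"
                and (not p.allowed_nf_types or requester_nf_type in p.allowed_nf_types)]

    # Nnrf_AccessToken: a token bound to consumer type, producer type and scope.
    # Refused when no registered producer of that type admits the consumer.
    def issue_token(self, requester_nf_type, target_nf_type, scope, ttl=600):
        if not self.discover(target_nf_type, requester_nf_type):
            return None
        claims = {"iss": "nrf", "sub": requester_nf_type, "aud": target_nf_type,
                  "scope": scope, "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True)
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


def verify_token(key, token, my_nf_type, required_scope, now=None):
    """Producer-side check run before a service request is served."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                      # forged or tampered token
    claims = json.loads(body)
    now = time.time() if now is None else now
    return (claims["aud"] == my_nf_type                        # meant for this producer type
            and required_scope in claims["scope"].split()      # covers the requested service
            and claims["exp"] > now)                           # not expired


def demo():
    """Constructed walk-through: one UDM, one SMF, an AMF consumer and a NEF that is not admitted."""
    key = b"constructed-shared-secret"
    nrf = NRF(key)
    events = []
    nrf.subscribe("UDM", lambda ev, p: events.append((ev, p.nf_instance_id)))
    nrf.register(NFProfile("udm-1", "UDM", ["nudm-sdm"], allowed_nf_types=["AMF", "SMF", "AUSF"]))
    nrf.register(NFProfile("smf-1", "SMF", ["nsmf-pdusession"]))
    token = nrf.issue_token("AMF", "UDM", "nudm-sdm")
    result = {
        "amf_sees": [p.nf_instance_id for p in nrf.discover("UDM", "AMF")],
        "nef_sees": [p.nf_instance_id for p in nrf.discover("UDM", "NEF")],
        "token_ok": verify_token(key, token, "UDM", "nudm-sdm"),
        "wrong_audience": verify_token(key, token, "SMF", "nudm-sdm"),
        "tampered": verify_token(key, token.replace('"AMF"', '"NEF"'), "UDM", "nudm-sdm"),
        "nef_token": nrf.issue_token("NEF", "UDM", "nudm-sdm"),
    }
    nrf.deregister("udm-1")
    result["events"] = events
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to take away is that the NRF is a policy enforcement point, not just a phone book: the `allowed_nf_types` filter and the token audience and scope checks are what turn "NFs are authorized to access each other's services" from a statement into a mechanism. In a real deployment the same checks are backed by mutual TLS between NFs and by JWT signatures, and an SCP may sit in the path, but the decisions being made are the ones shown here.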
Network Slice Selection Function (NSSF)
- Selects the Network Slice Instance (NSI) based on the information the UE provides during registration (the Requested NSSAI) and the UE's subscription data.
- Determines the Allowed NSSAI, i.e. the slices the UE may actually use, and thereby directs the UE's traffic to the right slice.
- Determines the set of AMFs (the AMF Set) that can serve the UE, based on which slices the UE has access to.
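The slice selection step is where the "a UE cannot interfere with a slice it is not entitled to" property of network slicing begins, so it is worth seeing the decision in code. The following is an added example for this page, not 3GPP or operator code: the S-NSSAI layout (8-bit Slice/Service Type plus optional 24-bit Slice Differentiator) and the standardized SST values 1 = eMBB, 2 = URLLC and 3 = MIoT follow TS 23.501, while the slice table, the AMF set names, the NSI identifiers and the subscription records are constructed. The function applies the rule an NSSF applies: a requested S-NSSAI is allowed only if it is both subscribed and deployed, and the candidate AMF set follows from the allowed slices.

```python
from dataclasses import dataclass
from typing import Optional

# Standardized Slice/Service Types from TS 23.501; everything else below is constructed.
STANDARD_SST = {1: "eMBB", 2: "URLLC", 3: "MIoT"}


@dataclass(frozen=True)
class SNSSAI:
    """Single Network Slice Selection Assistance Information: 8-bit SST, optional 24-bit SD."""
    sst: int
    sd: Optional[int] = None

    @classmethod
    def parse(cls, text):
        """Accepts '1' or '2-000001' (SD given as six hex digits)."""
        sst_text, _, sd_text = text.partition("-")
        sst = int(sst_text)
        if not 0 <= sst <= 0xFF:
            raise ValueError("SST must fit in 8 bits")
        sd = int(sd_text, 16) if sd_text else None
        if sd is not None and not 0 <= sd <= 0xFFFFFF:
            raise ValueError("SD must fit in 24 bits")
        return cls(sst, sd)

    def service_type(self):
        return STANDARD_SST.get(self.sst, "operator-specific")

    def __str__(self):
        return str(self.sst) if self.sd is None else f"{self.sst}-{self.sd:06x}"


# Constructed operator configuration: deployed slices -> (NSI id, AMF set that serves it)
SLICE_TABLE = {
    SNSSAI.parse("1"): ("nsi-embb-default", "amf-set-1"),
    SNSSAI.parse("2-000001"): ("nsi-urllc-factory", "amf-set-2"),
    SNSSAI.parse("3"): ("nsi-miot", "amf-set-1"),
}

# Constructed subscription data (what the UDM/UDR would hold), keyed by SUPI
SUBSCRIBED_NSSAI = {
    "imsi-001010000000001": {SNSSAI.parse("1"), SNSSAI.parse("3")},
    "imsi-001010000000002": {SNSSAI.parse("1"), SNSSAI.parse("2-000001")},
}


def select_slices(supi, requested_nssai):
    """NSSF-style decision for one registration.

    Returns (allowed NSSAI, rejected S-NSSAIs, candidate AMF sets, NSI ids).
    An S-NSSAI is allowed only if the UE is subscribed to it AND the slice is deployed;
    merely requesting a slice never places the UE in it.
    """
    subscribed = SUBSCRIBED_NSSAI.get(supi, set())
    allowed, rejected = [], []
    for text in requested_nssai:
        s = SNSSAI.parse(text)
        if s in subscribed and s in SLICE_TABLE:
            allowed.append(s)
        else:
            rejected.append(s)
    if not allowed:
        # Nothing usable was requested: fall back to the subscribed, deployed slices.
        allowed = sorted(subscribed & set(SLICE_TABLE), key=lambda x: (x.sst, x.sd or 0))
    nsis = [SLICE_TABLE[s][0] for s in allowed]
    amf_sets = sorted({SLICE_TABLE[s][1] for s in allowed})
    return [str(s) for s in allowed], [str(s) for s in rejected], amf_sets, nsis


if __name__ == "__main__":
    # A consumer-broadband subscriber asking for the factory URLLC slice is refused it.
    print(select_slices("imsi-001010000000001", ["1", "2-000001"]))
    # The factory subscriber gets both slices and therefore two candidate AMF sets.
    print(select_slices("imsi-001010000000002", ["2-000001", "1"]))
    # An unknown subscriber gets nothing.
    print(select_slices("imsi-001010000000003", ["1"]))
```

Two things carry over to real deployments. The subscription lookup is the authoritative input, so the UDM/UDR data and the path the NSSF uses to read it are part of the slice's security boundary. And the rejected list is worth logging: a UE repeatedly requesting slices it is not subscribed to is a signal a security operations team can act on.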
Network Data Analytics Function (NWDAF)
- Responsible for providing network analytics information on request from other network functions.
Signaling
Security Edge Protection Proxy (SEPP)
- Sits at the border of the operator's network and protects the control plane traffic exchanged with other 5G operator networks (roaming signaling over the N32 interface).
Service Communication Proxy (SCP)
- The SCP is deployed alongside the 5G Network Functions, either as a distributed proxy or as a centralized one, to provide routing control, resiliency and observability for core network signaling.
- In security terms it is a natural point for enforcing which NFs may talk to which, and for logging signaling between them.
Binding Support Function (BSF)
- Used to bind an Application Function request to the specific Policy Control Function (PCF) instance that handles the relevant session.
- It is comparable to the PCRF binding function provided by a 4G Diameter Routing Agent (DRA) for VoLTE and VoWiFi.
Subscriber Data
Subscriber Data consists of the UDR and the UDSF:
Unified Data Repository (UDR)
- A converged repository of subscriber information that serves a number of network functions.
- Stores structured data (subscription data, policy data, application data and data for exposure) that can be exposed to an NF.
Unstructured Data Storage Function (UDSF)
- A repository in which Network Functions store and retrieve unstructured data, for example their own session context or state.
Application Function and Network Exposure Function
Application Function (AF)
- Supports application influence on traffic routing, accesses the NEF, and interacts with the policy framework for policy control.
Network Exposure Function (NEF)
- Provides a means to securely expose the services and capabilities of 3GPP network functions to parties outside the core.
- It exposes APIs to and from external systems and translates between external and internal (3GPP) information, so that internal identifiers and topology are not exposed directly.
Policy
Policy Control Function (PCF)
- Governs network behavior by supporting a unified policy framework.
- Accesses subscription information in the UDR to make its policy decisions.
- Supports the new 5G QoS policy and charging control functions.
Charging Function (CHF)
- Provides charging services (converged online and offline charging) to authorized network functions.
Subscriber Management
Authentication Server Function (AUSF)
- Resides in the home network and performs authentication of the UE.
- Relies on the UDM (and its ARPF) for authentication vectors and keying material; the supported methods are 5G-AKA and EAP-AKA'.
- Takes over the authentication role of the 4G Home Subscriber Server (HSS), the database that holds user-related and subscriber-related information.
Unified Data Management (UDM)
- Is the converged front end for subscriber information, used to service a number of network functions.
- The UDM can use the UDR to store and retrieve subscription data.
Equipment Identity Register (5G-EIR)
- Checks a device's Permanent Equipment Identifier (PEI, e.g. the IMEI) against a block list.
- Protects networks and revenues against the use of stolen and unauthorized devices.
Home Subscriber Server (HSS)
- Is the 4G network element that fills a role similar to the 5G UDM.
- It stores customer profile data and authentication information along with the subscriber keys.
5G Location Services
Location Management Function (LMF)
Supports the following functionality:
- Location determination for a UE.
- Obtain downlink location measurements or a location estimate from the UE.
- Obtain uplink location measurements from the 5G RAN.
- Obtain non-UE associated assistance data from the 5G RAN.
Gateway Mobile Location Center (GMLC)
Supports the functionality to determine the location of a target device:
- The GMLC sends a location service request to the AMF for a target UE, or the AMF decides to initiate location itself (e.g. for an emergency call);
- the AMF then sends a location services request to an LMF;
- the LMF processes the location services request (e.g. transferring assistance data to the target device);
- the LMF then returns the result of the location service to the AMF (e.g., a position estimate);
- the AMF returns the location service result to the GMLC.
Control Plane
Access and Mobility Management Function (AMF)
- Oversees authentication, connection, mobility management between network and device.
- It receives connection and session related information from the UE.
Session Management Function (SMF)
- Handles session management, IP address allocation, and control of policy enforcement.
Short Message Service Function (SMSF)
- Supports the transfer of SMS over NAS.
UE radio Capability Management Function (UCMF)
- Used for storage of dictionary entries corresponding to either PLMN-assigned or manufacturer-assigned UE Radio Capability IDs.
Access Network
User Equipment (UE)
- Any device used directly by an end user to communicate (a handset, a laptop, etc.).
4G/5G Radio Access Network (RAN)
- The radio technology that provides access to the core network.
Non-3GPP Interworking Function (N3IWF)
- Responsible for interworking between untrusted non-3GPP networks and the 5G core; the UE reaches it over an IPsec tunnel.
Trusted Non-3GPP Gateway Function (TNGF)
- Enables the UE to connect to the 5G core over trusted non-3GPP (e.g. WiFi) access.
Wireline Access Gateway Function (W-AGF)
- Enables wireline access to the 5G core.
Trusted WLAN Interworking Function (TWIF)
- Enables WiFi and 5G interworking for WiFi-only devices over trusted WiFi access.
WiFi-only devices that do not support NAS signalling over WLAN can still access 5G services over trusted WiFi access. In this scenario a Trusted WLAN Interworking Function (TWIF), collocated with the TNGF, terminates the N1 signaling on behalf of the device.
User Plane Function
The major benefit of the Service-Based Architecture is that the 5G core components are defined as Network Functions (NFs), each with an API through which its services are invoked. In addition, the 5G core decouples the user plane (data plane) from the control plane (CUPS).
A key benefit of this capability is that the control plane can be centralized while the User Plane Function (UPF) can be distributed to various parts of the network to achieve low latency or to offload traffic closer to the actual users.
A key application of the CUPS capability is to allow mobile IP traffic to be broken out at different parts of the network enabling distribution of content delivery depending on the use case.
- Ultra-Reliable Low Latency Communication (URLLC) traffic is terminated within the aggregation network, resulting in lower end-to-end latency.
- eMBB traffic is terminated on eMBB caches at the network edge, so that this traffic does not need to be carried further into the core.
- Non-critical IoT traffic is terminated at a central core location.
The 5G core builds on the Control and User Plane Separation introduced in 3GPP Release 14. The 5G network architecture is based on the Service-Based Architecture. It specifies Network Functions that support a multitude of applications, knit together as Network Slices. The ten building blocks of the 5G core presented above are: Network and Resource Management, Signaling, Subscriber Data, Application Function and Network Exposure Function, Policy, Subscriber Management, Location Services, Control Plane, Access Network and User Plane.
Due to the number and types of use cases supported by 5G, traffic patterns in a 5G network will be a lot more dynamic. The underlying transport network will need to allow programmatic control to allow it to react in near-real-time to the changing traffic demands of the mobile network.
Appendix: 4G Core Revisited
A comparison of the 5G and 4G architectures is shown in the following figure. The main components of the 4G architecture are:
- the eNodeB (E-UTRAN), connected
- via S1-U (U = user plane) to the Serving Gateway, and
- via S1-MME (the control-plane S1 interface, also written S1-C) to the MME;
- the Serving Gateway, which connects to the PDN Gateway via S5;
- the Serving Gateway, which connects to the MME via S11;
- the PDN Gateway (Packet Gateway), which connects to the internet via SGi;
- the MME, the mobility management entity (described below);
- the HSS, a database that holds user-related and subscriber-related information;
- it provides support functions in mobility management;
- and in call and session setup, user authentication and access authorization.
The Serving GW is part of the user plane (together with the PDN GW). It
- transports IP data traffic between the User Equipment (UE) and the external networks;
- is the point of interconnect between the radio side and the EPC;
- serves the UE by routing the incoming and outgoing IP packets;
- is the anchor point for intra-LTE mobility, i.e. handover between eNodeBs;
- is also the anchor point for mobility between LTE and other 3GPP accesses;
- is logically connected to the other gateway, the PDN GW.
The PDN GW connects to external IP networks (Packet Data Networks, PDNs). It
- is the point of interconnect between the EPC and the external IP networks;
- routes packets to and from the PDNs;
- performs functions such as IP address / IP prefix allocation and policy control and charging.
As per 3GPP, the PDN GW and the Serving GW
- are assigned independently but may be combined in a single "box".
The MME (Mobility Management Entity)
- deals with the control plane;
- handles the signaling related to mobility;
- handles security for E-UTRAN access;
- is responsible for the tracking and paging of UEs in idle mode;
- is the termination point of the Non-Access Stratum (NAS).
For over 30 years, Marin Ivezic has been protecting people, critical infrastructure, enterprises, and the environment against cyber-caused physical damage. He brings together cybersecurity, cyber-physical systems security, operational resilience, and safety approaches to comprehensively address such cyber-kinetic risk.
Marin leads Industrial and IoT Security and 5G Security at PwC. Previously he held multiple interim CISO and technology leadership roles in Global 2000 companies. He advised over a dozen countries on national-level cybersecurity strategies.