Core Engineering

This course covers the fundamental principles and technologies of core network engineering, focusing on 4G and 5G networks. Participants will learn about network architecture, components, protocols, and security mechanisms essential for efficient data transmission. The course includes a detailed schedule of topics, including Service-Based Architecture and the evolution of core networks.

Uploaded by

fahmeed.akram

Fundamentals of Core Network Engineering
About the course
This comprehensive course provides a deep dive into the fundamental principles and technologies that underpin modern core networks. Participants will gain a strong understanding of network architecture, protocols, and technologies used to interconnect various network elements, ensuring efficient and reliable data transmission across large-scale networks.
Course Objective
The objective of this course is to:
• Understand the core network structure in 4G and 5G networks.
• Familiarize with core network components and their roles.
• Explore how user sessions, data routing, and mobility management are handled in core networks.
• Understand the key protocols used in core networks.
• Explore the security and QoS mechanisms in core networks.
Course Schedule

Day 1
• Overview of core network architecture in 4G LTE
• Introduction to 5G core network structure
• Differences between 4G and 5G core networks
• Concept of Service-Based Architecture (SBA) in 5G

Day 2
• Introduction to core network elements in 4G: MME, SGW, PGW, and HSS
• Function and purpose of each network element
• Transition from 4G elements to 5G components
• Introduction to 5G’s SBA elements such as AMF, SMF, UPF, and NRF

Day 3
• Introduction of IP Protocol with OSI/TCP Reference Model
• Overview of SIP (Session Initiation Protocol) and its role in VoLTE
• Introduction to the Diameter protocol for authentication and authorization
• GTP (GPRS Tunneling Protocol) for data tunneling

Day 4
• Overview of Information Security
• Introduction of Security Mechanism for 4G and 5G Mobile Core
• Authentication and encryption techniques in 4G and 5G

Day 5
• Overview of QoS along with Model
• Introduction to Network Slicing and its impact on QoS in 5G
Day 1 – Agenda
• Overview of core network architecture in 4G LTE
• Introduction to 5G core network structure
• Differences between 4G and 5G core networks
• Concept of Service-Based Architecture (SBA) in 5G

LTE Architecture Philosophy
• Single node e-UTRAN
• Packet based while supporting real time conversational traffic
• Minimize number of interfaces
• Minimizes single points of failure
• Supports end-to-end QoS
• Supports QoS differentiation between control, user and O&M traffic
• Flat architecture
• Supports interworking with a variety of wireless networks
[Figure: eUTRAN, EPC and IP Cloud.]
LTE Network
[Figure: E-UTRAN (eNodeBs connected to the UE over Uu and to each other over X2) attached to the EPC over S1-MME and S1-U; EPC reference points S3, S4, S6a, S11, Gx and S5/S8 (SGW and PGW combined into an SAE-GW), with SGi towards the external PDN and interfaces to the 3GPP core network.]
LTE Core Network (EPC and IMS)
PDN Connectivity Services
E-UTRAN
EPC
Additional Network Elements
PS Interworking
CS Interworking
Non 3GPP Access Interworking
LTE User Services
Transport Network Hierarchy
• AG3: a pair of AG3 routers per site.
• AG2: up to 16 pairs of AG2 routers, dual-homed with AG3 routers.
• AG1: up to 10 AG1 rings, up to 4 AG1 routers in a ring, each ring dual-homed with AG2 routers.
• CSR: up to 4 CSR rings, up to 5 (fiber) or 4 (MW or fiber + MW) eNBs per ring; CSRs and eNBs are dual-homed with AG1 routers.
Introduction to Router
• Router: a network-layer device that forwards data packets on the Internet. Based on the destination address in a received packet, a router selects a path to send the packet to the next router or destination. The last router on the path is responsible for sending the packet to the destination host.
• Implementing communication between networks of the same type or different types
• Isolating broadcast domains
• Maintaining the routing table and running routing protocols
• Selecting routes and forwarding IP packets
• Implementing WAN access and network address translation
• Connecting Layer 2 networks established through switches
5G Advanced Communication
4G and 5G Core
3GPP 5GC (the only specification for a 5G mobile packet core)
3GPP’s 5G System architecture is defined to support data connectivity and services, enabling deployments to use techniques such as Network Function Virtualization and Software Defined Networking. The 5G System architecture shall leverage service-based interactions between Control Plane (CP) Network Functions where identified. Some key principles and concepts are to:
• Separate the User Plane (UP) functions from the Control Plane (CP) functions, allowing independent scalability, evolution and flexible deployments, e.g. centralized location or distributed (remote) location.
• Modularize the function design, e.g. to enable flexible and efficient network slicing.
• Wherever applicable, define procedures (i.e. the set of interactions between network functions) as services, so that their re-use is possible.
• Enable each Network Function and its Network Function Services to interact with other NFs and their Network Function Services directly or indirectly via a Service Communication Proxy if required. The architecture does not preclude the use of another intermediate function to help route Control Plane messages (e.g. a DRA).
• Minimize dependencies between the Access Network (AN) and the Core Network (CN). The architecture is defined with a converged core network with a common AN – CN interface which integrates different Access Types, e.g. 3GPP access and non-3GPP access.
• Support a unified authentication framework.
• Support “stateless” NFs, where the “compute” resource is decoupled from the “storage” resource.
• Support capability exposure.
• Support concurrent access to local and centralized services. To support low latency services and access to local data networks, UP functions can be deployed close to the Access Network.
• Support roaming with both Home routed traffic as well as Local breakout traffic in the visited PLMN.
The 5G architecture is defined as service-based and the interaction between network functions is represented in the following two ways:
• A service-based representation (SBA), where network functions (e.g. AMF) within the Control Plane enable other authorized network functions to access their services. This representation also includes point-to-point reference points where necessary.
• A reference point representation, which shows the interactions that exist between the NF services in the network functions, described by a point-to-point reference point (e.g. N11) between any two network functions (e.g. AMF and SMF).
3GPP 5G Core Network Standard
Feature (Category): Detailed Function

Network Architecture (Architectural enablers for virtualized deployment):
■ Service based architecture with service-based interfaces
■ Data Storage architecture enabling Compute and Storage separation
■ Support for AMF resiliency (e.g., AMF change with no service disruption)

New Enhancement (Enablers for new business opportunity):
■ E2E Network Slicing
■ Support for edge computing and URLLC services
■ Local Area Data Network for specialized service

Multi-RAT Support (Synergy with pre-installed LTE/Wi-Fi):
■ Interworking with LTE/EPC
■ Common interface for 3GPP and non-3GPP access

QoS Control (Dynamic and finer control of QoS):
■ Flow-based QoS framework
■ Reflective QoS

Mobility Management (Differentiated mobility control for variety of devices):
■ Mobility restriction per UE
■ Support for RRC inactive and MICO* mode

Session Management (Flexible and optimized network utilization):
■ Session model supporting ‘Session and Service Continuity’ modes
■ Concurrent (e.g. local and central) access to a data network
■ Application influence on traffic routing
5G Core Implementation
Unlike previous cellular generations, 5G implementation is based on:
• Cloud-native applications.
• REST services-based integration.
• Virtualized Network Functions.
• Softwarization of Network & IT.
• Support for Stateless Network functions by decoupling Compute and Storage.
• Microservices based design patterns.
• DevOps, CI/CD methodologies for faster time-to-market offerings.
• Network slice-based approach of utilizing the physical network resources.
• Mobile access edge computing for delivering & processing low latency contents & data.
• Providing cellular connections to things & devices and supporting very high density.
• Handling advanced analytics.
• Separation of Control & User planes.
• Network capability exposure via APIs and Service Bus.
• Support for Centralized and Distributed processing.
• etc.
5G Core Evolution
[Figure: 5G Core Evolution. Items shown: Service Based (SBA/SBI/NAPS), Virtualization & Slicing, Softwarization/Cloudification, Exposure to 3rd Parties, Harmonized protocols (HTTP …), Backward & Forward Compatibility, contrasted with Functional entities, Single Core, Application Programming, Dedicated protocols and Interfaces.]
Deployment Scenario in South Korea
Operators (KT and SK)
The 5G NSA core network can be 2 or 3 in the figure below. In the case of KT, it corresponds to 3. SK Telecom and LG U+ correspond to 2.
Functional blocks within 5G Core Network Architecture
AUSF = Authentication Server Function
UDM = Unified Data Management
NSSF = Network Slice Selection Function
NEF = Network Exposure Function
NRF = Network Repository Function
AMF = Core Access and Mobility Management Function
SMF = Session Management Function
PCF = Policy Control Function
AF = Application Function
UE = User Equipment
RAN = Radio Access Network
CU = Centralised Unit
DU = Distributed Unit
UPF = User Plane Function
DN = Data Network, e.g. operator services, Internet or 3rd party services
NR Reference Point System Architecture
AMF: Core Access and Mobility Management Function
UPF: User Plane Function
SMF: Session Management Control Function
DN: Data Network (DN)
NSSF: Network Slice Selection Function
AUSF: Authentication Server Function
UDM: Unified Data Management
PCF: Policy Control Function
AF: Application Function
(The figure groups these into Control Plane Entities and User Plane Entities.)
• The Reference Point Architecture is based upon a set of Network Elements.
• Reference Point Architecture uses point-to-point interfaces to interconnect those Network Elements.
• Signaling Procedures are specified between each point-to-point interface.
• LTE NW Architecture is an example of Reference Point Architecture.
• Network Function Split for Flexible Network
■ Flexibility: AMF-SMF Split, CP-UP Separation
■ New I/Fs: AMF/SMF - Policy Function, AMF/SMF - Subscription DB
■ New NFs: NSSF for Slice Selection, AUSF for EAP framework
5G interfaces (reference points)
NG1: Reference point between the UE and the Access and Mobility Management function
NG2: Reference point between the gNB and the Access and Mobility Management function
NG3: Reference point between the gNB and the User plane function (UPF)
NG4: Reference point between the Session Management function (SMF) and the User plane function (UPF)
NG5: Reference point between the Policy Function (PCF) and an Application Function (AF)
NG6: Reference point between the User Plane function (UPF) and a Data Network (DN)
NG7: Reference point between the Session Management function (SMF) and the Policy Control function (PCF)
NG8: Reference point between Unified Data Management and AMF
NG9: Reference point between two Core User plane functions (UPFs)
NG10: Reference point between UDM and SMF
NG11: Reference point between Access and Mobility Management function (AMF) and Session Management function (SMF)
NG12: Reference point between Access and Mobility Management function (AMF) and Authentication Server function (AUSF)
NG13: Reference point between UDM and Authentication Server function (AUSF)
NG14: Reference point between 2 Access and Mobility Management functions (AMF)
NG15: Reference point between the PCF and the AMF in case of non-roaming scenario, V-PCF and AMF in case of roaming scenario
Service Based Architecture (SBA) Network
The most outstanding change in the 5G Core Control plane is the introduction of the Service Based Interface (SBI), or Service Based Architecture (SBA), in place of the traditional Point-to-Point network architecture. With this change, except for a few interfaces such as N2 and N4, almost every interface is now defined to use a unified interface based on the HTTP/2 protocol.
• Service based architecture is based on a set of Network Functions (NFs)
• NFs provide services to other NFs over the Service Based Interface (SBI)
• The Reference Point interface is replaced by a common bus to connect all NFs
Service Based Architecture is applicable to the control plane only. The user plane still remains Point to Point only.
All the functions connect to the bus; there is no point-to-point interface defined now. There is a common bus and through this bus all the Network Functions connect.
The registry for all the functions is the Network Function Repository Function (NRF). All the functions register with the NRF, saying: I am function A and I provide this service. If any function needs a service it asks the NRF who provides it, so the NRF contains details of all Network Functions and the services they provide.
Most likely all the Operators will go for Service Based Architecture and not for Reference Point Architecture.
In Service Based Architecture we have a common bus. The nodes are called Network Functions.
In SBA, Network Function (NF) capabilities are exposed via REST APIs based on the HTTP/2 protocol.
Interconnection between NFs can be based on the Request/Response model or the Subscribe/Notify model for availing the different 5G Services.
Service Based Architecture Network
Network Functions within the 5GC Control Plane (CP) use Service-Based Interfaces (SBI) for their interactions. A CP NF can provide one or more NF Services.
Network Functions (NFs):
■ AF: Application Function
■ AMF: Access and Mobility Management Function
■ AUSF: Authentication Server Function
■ NEF: Network Exposure Function
■ NRF: Network Repository Function
■ PCF: Policy Control Function
■ SMF: Session Management Function
■ UDM: Unified Data Management
■ UPF: User Plane Function
[Figure: Control Plane NFs NRF, UDM, PCF, NEF, AF, AUSF, AMF and SMF attached to the SBI bus via Nnrf, Nudm, Npcf, Nnef, Naf, Nausf, Namf and Nsmf. User Plane: UE – N1 – AMF, RAN – N2 – AMF, SMF – N4 – UPF, RAN – N3 – UPF, UPF – N6 – Data Network (e.g. operator or Internet).]
All interactions are abstracted as: Request-Response, Subscription-Notify.
System procedures are described as a sequence of NF service invocations.
Mapping NG Core and EPC
[Figure: Mapping the EPC functions to new 5G CN functions. EPC before CUPS: MME (S1-MME, S11, S6a to HSS), HSS/AAA, PCRF (Gx), SGW (S1-U) and PGW (S5, SGi). EPC after CUPS: MME, SGW CP, PGW CP, SGW UP and PGW UP. 5G CN: HSS/AAA maps to the Authentication Server Function (AUSF) and Unified Data Management (UDM) (N12, N13, N8, N10); PCRF maps to the Policy Control Function (PCF) (N7, N15); MME maps to the Access & Mobility Management Function (AMF) (N11); MME/SGW CP/PGW CP map to the Session Management Function (SMF) (N4); SGW UP/PGW UP map to the User Plane Function (UPF) (N3, N6).]
5GC Network Entities Functions
AMF Function: The AMF performs most of the functions that the MME performs in a 4G network.
■ Termination point for RAN CP interfaces (N2)
■ UE Authentication & Access Security
■ Mobility Management (Reachability, Idle/Active Mode mobility state handling)
■ Registration Area management
■ Access Authorization including check of roaming rights
■ Session Management Function (SMF) selection
■ NAS signaling including NAS Ciphering and Integrity protection, termination of MM NAS and forwarding of SM NAS (N1)
■ AMF obtains information related to MM from UDM
■ May include the Network Slice Selection Function (NSSF)
■ Attach procedure without session management, adopted in CIoT and implemented in EPC, is also defined in 5GCN (registration management procedure)
■ User Plane (UP) selection and termination of N4 interface (AMF has part of the MME and PGW functionality from EPC)
5GC Network Entities Functions
SMF Function: The SMF performs the session management functions that are handled by the 4G MME, SGW-C, and PGW-C.
■ Allocates IP addresses to UEs
■ NAS signaling for session management (SM)
■ Sends QoS and policy information to RAN via the AMF
■ Downlink data notification
■ Selects and controls the UPF for traffic routing. The UPF selection function enables Mobile Edge Computing (MEC) by selecting a UPF close to the edge of the network.
■ Acts as the interface for all communication related to offered user plane services. SMF determines how the policy and charging for these services is applied.
■ Lawful intercept – control plane
PCF Function: The 5G PCF performs the same function as the PCRF in 4G networks.
■ Provides policy rules for control plane functions. This includes network slicing, roaming and mobility management.
■ Accesses subscription information for policy decisions taken by the UDR. Supports the new 5G QoS policy and charging control functions.
AUSF Function: The AUSF performs the authentication function of the 4G HSS.
■ Implements the EAP authentication server
■ Stores keys
5GC Network Entities Functions
UPF Function: The UPF is essentially a fusion of the data plane parts of the SGW and PGW. In the context of the CUPS architecture: EPC SGW-U + EPC PGW-U → 5G UPF.
The UPF performs the following functions:
■ Packet routing and forwarding
■ Packet inspection and QoS handling. The UPF may optionally integrate a Deep Packet Inspection (DPI) function for packet inspection and classification.
■ Connecting to the Internet POP (Point of Presence). The UPF may optionally integrate the Firewall and Network Address Translation (NAT) functions.
■ Mobility anchor for Intra-RAT and Inter-RAT handovers
■ Lawful intercept
■ Maintains and reports traffic statistics
UDM Function: The UDM performs parts of the 4G HSS function.
■ Generation of Authentication and Key Agreement (AKA) credentials
■ User identification
■ Access authorization
■ Subscription management
5GC CUPS Architecture
5G with CUPS
• Reconfiguring LTE network functions. Support for native CUPS.
• Virtualized NFs on commodity hardware based architecture.
• Distributed UPFs to edge to reduce latency and backhaul traffic.
• Enabling standard-based MEC by supporting routing to local UPFs located at edge sites.
• CUPS extended to RAN.
• Enabling E2E network slicing by supporting independent parts for each service.
[Figure: 5GC with CUPS. MME maps to the AMF and MME + GW-C to the SMF (N11 between them); NR UE – NR Uu – gNB (split into RU, DU and CU) – N3 – UPF (GW-U) – N6 – Data Network (e.g. operator or Internet); SMF – N4 – UPF.]
5G Functions Synthesis
5GC (5G Core)
Functions: Authentication, Security, Session management and aggregation of traffic from end devices. Uses NFV as an integral design concept with virtualized software functions in the network.
The 5G core network architecture is specified in 3GPP Technical Specification 23.501.
5GC Network Functions
Authentication Server Function (AUSF):
EAP authentication server functionality; acts as storage for keys and provides keying material to the requester NF.
Access and Mobility Management Function (AMF):
Responsible for termination of NAS signaling, NAS ciphering & integrity protection, registration management, connection management, mobility management, access authentication and authorization, security context management.
AMF also includes the Network Slice Selection Function (NSSF) and acts as the termination point for RAN CP interfaces (N2).
Session Management Function (SMF):
It carries out session management (session establishment, modification and release), UE IP address allocation & management, DHCP functions, termination of NAS signalling related to session management, DL data notification and traffic steering configuration for UPF for proper traffic routing.
5GC Network Functions
User Plane Function (UPF):
Carries out packet routing & forwarding, packet inspection, QoS handling, acts as external PDU session point of interconnect to Data Network (DN), and is an anchor point for intra- & inter-RAT mobility.
Network Exposure Function (NEF):
Supports exposure of capabilities and events, secure provision of information from external applications to the 3GPP network and translation of internal/external information. It acts as an API gateway that allows external users, such as enterprises or partner operators, to monitor, provision and enforce application policy for users inside the operator network. Thus, it
a) Provides security when services or Application Functions (AF) access 5G Core nodes.
b) Acts as a proxy, or API aggregation point, or translator into the Core Network.
5GC Network Functions
NF Repository Function (NRF):
Discovers network function instances. When it receives an NF discovery request from an NF instance, it provides the discovered NF instances.
Maintains/supports:
a) Profiles of Network Function (NF) instances and their supported services within the network (Function ID, function type, network slice identifiers, capacity information, supported services, and endpoint information such as IP addresses).
b) Service-Based Interfaces, Management & Maintenance.
Control-plane functions communicate with one another, via the NRF, over service-based interfaces. These are self-contained software modules that are reusable independently of each other and can be thought of as microservices. The network function is either a producer or consumer of services.
Network Functions
Policy Control Function (PCF):
Carries out a unified policy framework, providing policy rules to CP functions and accessing subscription information for policy decisions in the UDR. This provides a policy framework incorporating network slicing, roaming and mobility management.
Unified Data Management (UDM):
Stores subscriber data and profiles and carries out generation of Authentication and Key Agreement (AKA) credentials, user identification handling, access authorization and subscription management.
Application Functions (AF):
Resembles an application server that can interact with the other control-plane NFs. AFs can exist for different application services, and can be owned by the network operator or by trusted third parties.
Service Based Architecture
5G Core Architecture: SA vs NSA Architecture
The 5G Core Network has been designed around services that are invoked using a standard API.
• Evolution from 4G EPC
The 5G core has evolved from the 4G EPC in three steps:
• Control and User Plane Separation (CUPS) of the 4G EPC
• Reorganizing the 4G EPC CUPS functions into services
• New Control Plane Network functions to enable Network Slicing and SBA
• CUPS (control and user plane separation)
The introduction of control and user plane separation in the 4G EPC is the first step towards the 5G architecture. The SGW and PGW functions were split into a control and data plane component.
• SGW → SGW-C and SGW-U
• PGW → PGW-C and PGW-U
5G Core Architecture: Service Based Architecture (SBA)
• Service based principles apply between the control plane network functions of the Core Network. It is delivered by a set of interconnected Network Functions (NFs), each with authorization to access each other’s services. Interfaces toward the Radio Access Network (RAN), user equipment or user plane (UP) functions (N1, N2, N3, N4, N6 and N9) are excluded.
• Each Network Function service exposes its functionality through a Service Based Interface (SBI).
• SBA communication protocol is based on HTTP/2 with JSON objects, using a RESTful API (no more Diameter).
• To mitigate issues around TCP head-of-line (HOL) blocking, the Quick UDP Internet Connections (QUIC) protocol may be used in the future.
• A centralized discovery framework: the NF Repository Function (NRF) maintains a record of available NF instances and their supported services.
[Figure: NFs connected over the service based interface (SBI).]
Service-based interfaces in the control plane
A Network Function service is a capability exposed by a NF (NF Service Producer) to other NFs (NF Service Consumer) through a service-based interface. Network Functions may expose one or more NF services.
Mechanisms:
Request-Response -> In this, communication is one-to-one between two NFs (consumer and producer) with a one-time response within a certain timeframe.
Subscribe-Notify -> The subscription request from the consumer may include notification requests for periodic updates or notifications triggered through certain events.
5G Core Network
5GC Architecture: Service-based Representation
[Figure: Network Slice Selection Function (NSSF) – N22 – AMF; Authentication Server Function (AUSF) – N12 – AMF; AUSF – N13 – UDM; Unified Data Management (UDM) – N8 – AMF and – N10 – SMF; UDR behind the UDM; Access and Mobility Management Function (AMF) – N11 – Session Management Function (SMF) – N7 – Policy Control Function (PCF) – N5 – Application Function (AF); AMF – N14 – AMF; AMF – N15 – PCF; UE – N1 – AMF; (R)AN – N2 – AMF (NG-C); SMF – N4 – UPF; (R)AN – N3 – UPF (NG-U); UPF – N9 – UPF; User Plane Function (UPF) – N6 – DN (Data Network: operator services, Internet access); UE – Uu – gNB.]
Day 2 – Agenda
• Introduction to core network elements in 4G: MME, SGW, PGW, and HSS
• Function and purpose of each network element
• Transition from 4G elements to 5G components
• Introduction to 5G’s SBA elements such as AMF, SMF, UPF, and NRF
EPC Network Functions
MME
SGW
PGW
PCRF
HSS
Combined Functionality
Tracking Area
Tracking Area Management
Resilience through pooling
Network Sharing
EPS Area Identities
Node Identifiers
NAS Identifiers
EPC Interfaces
S1 Application Protocol (S1-AP)
GTPv1-U Traffic Interfaces
GTP v2 – C Plane Interfaces
Diameter Based Interfaces
EPS Resilience
Interface to CS Networks
Non 3GPP Access Networks
Day 3 – Agenda
• Fundamentals of session management
• Introduction to data routing and mobility management processes
• 4G’s session and mobility management through MME and SGW
• How 5G’s AMF and SMF manage sessions and mobility
PDN Connectivity Services
EPS Bearers and UE Connectivity
Default and Dedicated EPS bearers
EPS Bearer termination
Default APN Characteristics
EPS Bearers and underlying bearers
Connection Hierarchies
Transport Identities
IP Addressing
PDN IP Address Allocation
PCS Hierarchy
SDF
SDF Tuple
Traffic Flow Templates
Session and Mobility Management in 5G
Access and Mobility Management Function (AMF)
The AMF hosts the following main functions:
• NAS signaling termination
• NAS signaling security
• Registration Area management
• Idle mode UE Reachability (including control and execution of paging retransmission);
• Mobility management control (subscription and policies), intra-system and inter-system mobility;
• AS Security control, Access Authentication including check of roaming rights;
• Access Authorization; Support of Network Slicing;
• SMF selection.
[Figure: AMF – UDM; AMF – PCF (Registration request). The PCF creates an AM (Access & Mobility) Policy Association and provides the corresponding policies to the AMF.]
AMF structure
• AMF: a single (virtualized) AMF that can scale in/scale out without signaling towards RAN/UE.
• AMF Set: consists of some AMFs that serve a given area and Network Slice. All AMFs in a Set have access to the same context in the UDSF. Load balancing by the 5G-AN node is only performed between AMFs of the same AMF Set.
• AMF Region: comprises multiple AMF Sets.
Globally Unique AMF ID (GUAMI) identifies one or more AMF(s): MCC | MNC | AMF Region ID | AMF Set ID | AMF Pointer
[Figure: an AMF Region containing AMF Set-1 and AMF Set-2, each holding AMFs Ptr-1, Ptr-2 and Ptr-3; the RAN and UE attach to the Set, the AMFs share Data Storage (UDSF), and other CP NFs interface the AMF.]
Subscriber Identifiers
• SUPI: Each subscriber in the 5G System shall be allocated one 5G Subscription Permanent Identifier (SUPI) for use within the 3GPP system.
• SUCI: The Subscription Concealed Identifier (SUCI) is a privacy preserving identifier containing the concealed SUPI.
For interworking with the EPC, the SUPI allocated to the 3GPP UE shall always be based on an IMSI to enable the UE to present an IMSI to the EPC.
Subscription Permanent Identifier (SUPI) Example: SUPI: 42004123456789 (MCC | MNC | MSIN)
MCC 420 Saudi Arabia
MNC 04 Zain
MSIN 123456789
Subscriber Identifiers
The subscription identifier SUPI contains sensitive subscriber as well as subscription information, thus it should not be transferred in clear text. The SUbscription Concealed Identifier, called SUCI, is a privacy preserving identifier containing the concealed SUPI.
SUPI concealment at the UE: Subscription Permanent Identifier (SUPI) [MCC | MNC | MSIN] → Subscription Concealed Identifier (SUCI) [MCC | MNC | Encrypted MSIN]
SUPI de-concealment at the ARPF/UDM: Subscription Concealed Identifier (SUCI) [MCC | MNC | Encrypted MSIN] → Subscription Permanent Identifier (SUPI) [MCC | MNC | Decrypted MSIN]
Subscriber Identifiers
• 5G-GUTI: temporary identifier allocated by the AMF; common to both 3GPP and non-3GPP access.
5G Globally Unique Temporary Identifier (5G-GUTI) = GUAMI | 5G-TMSI
Globally Unique AMF ID (GUAMI) identifies one or more AMF(s): MCC | MNC | AMF Region ID | AMF Set ID | AMF Pointer
The 5G-TMSI is generated by the AMF during the generation of the subscriber’s 5G-GUTI. The 5G-TMSI uniquely identifies the UE within the AMF, across all allocated 5G-GUTIs.
The 5G-S-TMSI is the shortened form of the GUTI: AMF Set ID | AMF Pointer | 5G-TMSI
• 5G-S-TMSI: the shortened form of the GUTI to enable more efficient radio signaling procedures (e.g. during Paging and Service Request).
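The identifier handling described on the last three slides (SUPI split into MCC/MNC/MSIN, SUCI concealing only the MSIN, and 5G-GUTI / 5G-S-TMSI built from the GUAMI), as an added example that is not part of the course material. The GUAMI field widths (AMF Region ID 8 bits, AMF Set ID 10 bits, AMF Pointer 6 bits) and the 32-bit 5G-TMSI follow 3GPP TS 23.003; the MSIN cipher is a stand-in built from HMAC-SHA256 under a shared key so the script runs on the standard library alone, not the ECIES profile a real UE and UDM/SIDF use, and the key value is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for the home network key pair of the 3GPP ECIES profiles: here the UE
# and the UDM/SIDF share one symmetric key. Constructed example value, not real.
HOME_NETWORK_KEY = b"example-home-network-key-not-real"


@dataclass(frozen=True)
class Supi:
    mcc: str   # 3 digits, e.g. 420
    mnc: str   # 2 or 3 digits, e.g. 04
    msin: str  # remaining digits, the part that identifies the subscriber


def parse_supi(imsi: str, mnc_len: int = 2) -> Supi:
    """Split an IMSI-based SUPI such as 42004123456789 into MCC / MNC / MSIN."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_len not in (2, 3):
        raise ValueError("SUPI must be 6-15 digits with a 2- or 3-digit MNC")
    return Supi(imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:])


def _keystream(nonce: bytes, length: int) -> bytes:
    return hmac.new(HOME_NETWORK_KEY, nonce, hashlib.sha256).digest()[:length]


def conceal(supi: Supi) -> dict:
    """UE side: build a SUCI. MCC and MNC stay in clear so the serving network
    can route to the home network; only the MSIN is concealed, under a fresh
    nonce so two registrations never send the same SUCI over the air."""
    nonce = secrets.token_bytes(16)
    msin = supi.msin.encode()
    ct = bytes(a ^ b for a, b in zip(msin, _keystream(nonce, len(msin))))
    tag = hmac.new(HOME_NETWORK_KEY, nonce + ct, hashlib.sha256).digest()[:8]
    return {"mcc": supi.mcc, "mnc": supi.mnc,
            "nonce": nonce.hex(), "msin_ct": ct.hex(), "tag": tag.hex()}


def deconceal(suci: dict) -> Supi:
    """UDM/SIDF side: check the tag before decrypting, then recover the SUPI."""
    nonce, ct = bytes.fromhex(suci["nonce"]), bytes.fromhex(suci["msin_ct"])
    expect = hmac.new(HOME_NETWORK_KEY, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expect, bytes.fromhex(suci["tag"])):
        raise ValueError("SUCI integrity check failed")
    msin = bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))
    return Supi(suci["mcc"], suci["mnc"], msin.decode())


@dataclass(frozen=True)
class Guami:
    """Globally Unique AMF ID: MCC | MNC | AMF Region ID | AMF Set ID | AMF Pointer."""
    mcc: str
    mnc: str
    region_id: int  # 8 bits
    set_id: int     # 10 bits
    pointer: int    # 6 bits

    def __post_init__(self):
        if not (0 <= self.region_id < 256 and 0 <= self.set_id < 1024
                and 0 <= self.pointer < 64):
            raise ValueError("AMF identifier field out of range")


@dataclass(frozen=True)
class Guti5G:
    """5G-GUTI = GUAMI | 5G-TMSI (32 bits), allocated by the AMF."""
    guami: Guami
    tmsi: int

    def s_tmsi(self) -> int:
        """5G-S-TMSI = AMF Set ID (10) | AMF Pointer (6) | 5G-TMSI (32), the 48-bit
        short form used in Paging and Service Request. MCC, MNC and Region ID are
        dropped because the RAN already knows them for the AMFs it serves."""
        return ((self.guami.set_id << 38) | (self.guami.pointer << 32)
                | (self.tmsi & 0xFFFFFFFF))


def allocate_guti(guami: Guami) -> Guti5G:
    """AMF allocates a random 5G-TMSI, unique within that AMF."""
    return Guti5G(guami, secrets.randbits(32))


def demo():
    supi = parse_supi("42004123456789")            # MCC 420, MNC 04, MSIN 123456789
    suci1, suci2 = conceal(supi), conceal(supi)   # same SUPI, two different SUCIs
    recovered = deconceal(suci1)
    guti = Guti5G(Guami("420", "04", 1, 5, 2), 0x12345678)
    return supi, suci1, suci2, recovered, guti.s_tmsi()
```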
Session and Mobility Management in 5G
Session Management Function (SMF) -> Substitute of SGW-C & PGW-C
The SMF performs the session management functions that are handled by the 4G MME, SGW-C, and PGW-C.
The Session Management Function (SMF) hosts the following main functions:
• Session Management;
• UE IP address allocation and management;
• Selection and control of UP function;
• Configures traffic steering at UPF to route traffic to the proper destination;
• Control part of policy enforcement and QoS;
• Downlink Data Notification.
[Figure: PDU Session Establishment Request.]
Npcf_SMPolicyControl: managing the Policy and Charging Control (PCC) rules that govern service data flows in the user plane and the session rules that govern individual PDU sessions. PCC rules control data flow detection, gating, QoS, traffic steering, flow-based charging and usage reporting. Session rules, however, control AMBR, default QoS, and usage and condition data.
Session and Mobility Management in 5G
User plane function (UPF) -> Substitute of SGW-U & PGW-U
The UPF is essentially a fusion of the data plane parts of the SGW and PGW. In the context of the CUPS architecture:
• EPC SGW-U + EPC PGW-U → 5G UPF
The UPF hosts the following main functions:
• Anchor point for Intra-/Inter-RAT mobility (when applicable);
• External PDU session point of interconnect to Data Network;
• Packet routing & forwarding;
• Packet inspection and User plane part of Policy rule enforcement;
• Traffic usage reporting;
• Uplink classifier to support routing traffic flows to a data network;
• Branching point to support multi-homed PDU session;
• QoS handling for user plane, e.g. packet filtering, gating, UL/DL rate enforcement;
• Uplink Traffic verification (SDF to QoS flow mapping);
• Downlink packet buffering and downlink data notification triggering.
The SMF selects a new UPF and using N4 configures the UPF as a new PDU Session Anchor of the multi-homed PDU Session. In the process, a new IPv6 prefix (IP@2) is allocated for the PDU Session.
In the Downlink, the UPF uses policy from the PCF and the SMF to identify flows and adds a QFI tag to downlink packets. Then, the RAN uses the QFI tag and policy to map flows to Data Radio Bearers (DRBs).
A PDU (packet data unit) Session may be associated with multiple IPv6 prefixes.
Session and Mobility Management in 5G
Policy Control Function (PCF)

The 5G PCF performs the same function as the PCRF in 4G networks.

A policy decision in PCF is a grouping of cohesive information elements (IEs) describing a specific type of decision, such as:
• QoS data: 5QI, ARP, MBR UL/DL, GBR UL/DL etc.
• Charging data: Rating Group, Charging Method etc.
• Usage Monitoring data: Volume Threshold, Time Threshold etc.
• Traffic control data: Flow Status, Redirect Info etc.

The PCF accesses subscription information in the UDR for its policy decisions.
Besides QoS and charging, it supports network slicing, roaming and mobility policies.
Session and Mobility Management in 5G
Network Repository Function (NRF)
The NRF supports the following functionality:
• NF registration in the NRF
• NF availability and load monitoring based on NF heartbeats
• Registration data updates from NFs
• NF profile maintenance of available NF instances and their supported services
• NF and service discovery
• NF status change notifications
• Locality-based NF selection
• TAI-based NF selection
• SUPI-based NF selection
• NRF registration in another NRF
• NF discovery and NF status subscription forwarding between NRFs

To support these functions, the NRF provides the following services:
• NF management service – Nnrf_NFManagement
• NF discovery service – Nnrf_NFDiscovery
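The following in-memory model is an added example (not code from the course or from any vendor's NRF) of the functions listed above: registration, heartbeat-based availability, registration data updates and status events stand in for Nnrf_NFManagement, and discover() with its locality and TAI filters stands in for Nnrf_NFDiscovery. All NF instance ids, TAIs, localities and the heartbeat timeout are constructed values.

```python
"""Added example: a toy NRF modelling registration, heartbeat-based availability,
profile updates, status events and filtered discovery.  Not a real NRF implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class NfProfile:
    instance_id: str
    nf_type: str                   # "SMF", "UPF", "AMF", ...
    services: Set[str]             # service names the NF offers, e.g. {"nsmf-pdusession"}
    locality: str                  # deployment site label (constructed)
    tai_list: Set[str] = field(default_factory=set)   # Tracking Areas served (constructed)
    load: int = 0                  # reported load in percent
    last_heartbeat: float = 0.0    # time of the last heartbeat, seconds


class ToyNrf:
    HEARTBEAT_TIMEOUT = 20.0       # seconds; constructed value, real NRFs configure this

    def __init__(self) -> None:
        self._profiles: Dict[str, NfProfile] = {}
        self.events: List[Tuple[str, str]] = []   # (event, instance_id) status notifications

    # --- Nnrf_NFManagement-like operations -----------------------------------
    def register(self, profile: NfProfile, now: float) -> None:
        profile.last_heartbeat = now
        self._profiles[profile.instance_id] = profile
        self.events.append(("REGISTERED", profile.instance_id))

    def heartbeat(self, instance_id: str, now: float, load: Optional[int] = None) -> None:
        """An NF that stops sending heartbeats drops out of discovery results."""
        profile = self._profiles[instance_id]
        profile.last_heartbeat = now
        if load is not None:
            profile.load = load

    def update(self, instance_id: str, **changes) -> None:
        """Registration data update: patch selected attributes of a stored profile."""
        profile = self._profiles[instance_id]
        for key, value in changes.items():
            if not hasattr(profile, key):
                raise KeyError(key)
            setattr(profile, key, value)
        self.events.append(("UPDATED", instance_id))

    def deregister(self, instance_id: str) -> None:
        del self._profiles[instance_id]
        self.events.append(("DEREGISTERED", instance_id))

    def is_available(self, profile: NfProfile, now: float) -> bool:
        return now - profile.last_heartbeat <= self.HEARTBEAT_TIMEOUT

    # --- Nnrf_NFDiscovery-like operation ------------------------------------
    def discover(self, nf_type: str, now: float, service: Optional[str] = None,
                 locality: Optional[str] = None, tai: Optional[str] = None) -> List[str]:
        """Instance ids of available NFs of the given type, optionally restricted to a
        service and a served TAI; instances in the preferred locality come first, then
        the least loaded."""
        hits = [p for p in self._profiles.values()
                if p.nf_type == nf_type
                and self.is_available(p, now)
                and (service is None or service in p.services)
                and (tai is None or tai in p.tai_list)]
        hits.sort(key=lambda p: (locality is not None and p.locality != locality, p.load))
        return [p.instance_id for p in hits]


def build_sample_nrf() -> ToyNrf:
    """Constructed sample: two SMFs at different sites plus one UPF, all registered at t=0."""
    nrf = ToyNrf()
    nrf.register(NfProfile("smf-east-1", "SMF", {"nsmf-pdusession"}, "east",
                           {"001-01-0001"}, load=40), now=0.0)
    nrf.register(NfProfile("smf-west-1", "SMF", {"nsmf-pdusession"}, "west",
                           {"001-01-0002"}, load=5), now=0.0)
    nrf.register(NfProfile("upf-east-1", "UPF", set(), "east", set(), load=10), now=0.0)
    return nrf


if __name__ == "__main__":
    nrf = build_sample_nrf()
    print("SMFs near east:", nrf.discover("SMF", now=5.0, locality="east"))
    nrf.heartbeat("smf-west-1", now=25.0)
    print("SMFs still alive at t=30:", nrf.discover("SMF", now=30.0))
```

Two points a practitioner should take from the model: discovery is only as trustworthy as registration, so in a real SBA the NRF authenticates the registering NF (the 5G core uses OAuth 2.0 access tokens issued by the NRF for service access), and a silent NF is treated as gone after the heartbeat timeout, which is why a consumer must re-discover rather than cache an NF address forever.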
Session and Mobility Management in 5G
Unified Data Management (UDM)

UDM main functions:
• Generation of 3GPP AKA Authentication key shared by UE & Home network
• User Identification Handling
• Registration/Mobility management
• Access Authorization
• Subscription management
• SMS management
• UDM uses subscription data and authentication data that may be stored in UDR

.. Continued
Unified Data Repository (UDR)

• It is similar to 4G's home subscriber service (HSS), but is cloud-native and designed for 5G. Unified data management (UDM) is a centralized way to control network user data.
• A stateful form stores data locally to where the UDM is running. A stateless form stores data in a unified data repository (UDR).
• The manager controls data for access authorization, user registration, and data network profiles.
Session and Mobility Management in 5G
Network Exposure Function (NEF)
NEF main functions:
• NEF allows the operator to expose 5G Core Network functionalities available to 3rd parties such as service providers and vertical industries outside the operator's domain
• Uses the UDR as its data source
• Handles masking of sensitive network information to external parties
• Receives service requests from applications, including operator's applications and 3rd party applications
• Authenticates, authorizes and throttles the Application Functions. It translates information
• Interacts with the corresponding Network Functions (NFs) to provide the requested services
• Performs charging and load control on exposed network services

Figure: SBA Bus connecting UDSF, UDR, AUSF, SMSF, UDM, PCF, NEF, AMF, SMF, NRF, NSSF and AF, with 3rd Party Apps attached through the NEF.
Session and Mobility Management in 5G
Other Network functions

Authentication Server Function (AUSF):
Facilitates a common authentication framework for all access types: 3GPP access and untrusted non-3GPP access.

SMS Function (SMSF):
It's used for SMS over NAS support. It performs SMS management subscription data checking and conducts SMS delivery accordingly.

Network Slice Selection Function (NSSF):
• It determines the allowed slices a UE can use
• It determines the AMF to be used to serve the UE, or, based on configuration, a list of candidate AMF(s), possibly by querying the NRF.
• And it selects the set of network slice instances serving the UE

Figure: SBA Bus connecting UDSF, UDR, AUSF, SMSF, UDM, PCF, NEF, AMF, SMF, NRF, NSSF and AF.
Abbreviations: AMF: Access & Mobility Mgmt. Function; SMF: Session Management Function; NRF: NF Repository Function; NSSF: Network Slice Selection Function; AF: Application Function; AUSF: Authentication Server Function; UDM: Unified Data Management; SMSF: SMS Function; PCF: Policy Control Function; NEF: Network Exposure Function; UDR: Unified Data Repository; UDSF: Unstructured Data Storage Function.
OSI Reference Model
TCP/IP Model
 The OSI protocol stack is complex, and the TCP and IP protocols are widely used in the industry. Therefore, the TCP/IP reference model becomes the mainstream reference model of the Internet.

Standard TCP/IP model    OSI model            Equivalent TCP/IP model
Application Layer        Application Layer    Application Layer
                         Presentation Layer
                         Session Layer
Host-to-Host Layer       Transport Layer      Transport Layer
Internet Layer           Network Layer        Network Layer
Network Access Layer     Data Link Layer      Data Link Layer
                         Physical Layer       Physical Layer

Common TCP/IP Protocols
 The TCP/IP protocol stack defines a series of standard protocols.

Application Layer   Telnet, FTP, TFTP, SNMP, HTTP, SMTP, DNS, DHCP
Transport Layer     TCP, UDP
Network Layer       IP, ICMP, IGMP
Data Link Layer     Ethernet, PPP, PPPoE
Physical Layer      ...
Data Encapsulation on the Sender

Application Layer : DATA                               -> Data
Transport Layer   : TCP Header | DATA                  -> Segment
Network Layer     : IP Header | Payload                -> Packet
Data Link Layer   : Eth Header | Payload | FCS         -> Frame
Physical Layer    : ... 0 1 1 0 0 1 0 1 0 1 ...        -> Bits, onto the transmission media

Data Decapsulation on the Receiver (e.g. a web server)

Physical Layer    : ... 0 1 1 0 0 1 0 1 0 1 ... from the transmission media  -> Bits
Data Link Layer   : Frame, Payload extracted
Network Layer     : Packet, Payload extracted
Transport Layer   : Segment, DATA extracted
Application Layer : DATA                               -> Data
Internet Protocol
 IP is short for the Internet Protocol. IP is the name of a protocol specification with small content. It defines and describes the format of IP packets.
 The frequently mentioned IP refers to any content related directly or indirectly to the Internet Protocol, instead of the Internet Protocol itself.

Function:
• Provides logical addresses for devices at the network layer.
• Is responsible for addressing and forwarding data packets.

Version:
• IP Version 4 (IPv4)
• IP Version 6 (IPv6)
IPv4 Packet Format
Frame layout: Ethernet header | IP header | TCP header | User data | Ethernet tail

IPv4 header:
Fixed size, 20 bytes:
  Version | Header Length | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  TTL | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
Optional size, 0–40 bytes:
  Options | Padding
What Is an IP Address?
 An IP address identifies a node (or an interface on a network device) on a network.
 IP addresses are used to forward IP packets on the network.

Figure: nodes IP 1 to IP 5 on a network, with data forwarded between them. An IP address identifies a node on a network and is used to find the destination for data.
IP address Notation
 An IPv4 address is 32 bits long.
 It is in dotted decimal notation.

Dotted decimal notation:
  Decimal  192.       168.       10.        1           (4 bytes)
  Binary   11000000   10101000   00001010   00000001    (32 bits)

Conversion between decimal and binary systems:
  Power  2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
         128   64    32    16    8     4     2     1
  Bit    1     1     0     0     0     0     0     0
         = 128 + 64 = 192
 IPv4 address range is 0.0.0.0–255.255.255.255.
IP Addressing
 Network part (network ID): identifies a network.
 Host part: identifies a host and is used to differentiate hosts on a network.

Analogy: in the postal address "Community A, No. X, Street Y, John", "Community A" corresponds to the network part (network bits) and "No. X, Street Y, John" to the host part (host bits).

Layer 2 network addressing vs. Layer 3 network addressing: two Layer 2 networks, 10.0.1.0/24 and 10.0.2.0/24, are joined by a gateway (10.0.1.1/24 on one side, 10.0.2.1/24 on the other) into one Layer 3 network.
IP Address Classification (Classful Addressing)
 To facilitate IP address management and networking, IP addresses are classified into the following classes:

Class A  0NNNNNNN NNNNNNNN NNNNNNNN NNNNNNNN  0.0.0.0–127.255.255.255      Assigned to hosts
Class B  10NNNNNN NNNNNNNN NNNNNNNN NNNNNNNN  128.0.0.0–191.255.255.255    Assigned to hosts
Class C  110NNNNN NNNNNNNN NNNNNNNN NNNNNNNN  192.0.0.0–223.255.255.255    Assigned to hosts
Class D  1110NNNN NNNNNNNN NNNNNNNN NNNNNNNN  224.0.0.0–239.255.255.255    Used for multicast
Class E  1111NNNN NNNNNNNN NNNNNNNN NNNNNNNN  240.0.0.0–255.255.255.255    Used for research

• Default subnet masks of classes A, B, and C (network part / host part):
▫ Class A: 8 bits, 0.0.0.0–127.255.255.255/8
▫ Class B: 16 bits, 128.0.0.0–191.255.255.255/16
▫ Class C: 24 bits, 192.0.0.0–223.255.255.255/24
Private IP Addresses
 Public IP address: An IP address is assigned by the Internet Assigned Numbers Authority (IANA), and this address allocation mode ensures that each IP address is unique on the Internet. Such an IP address is a public IP address.
 Private IP address: In practice, some networks do not need to connect to the Internet. For example, on a network of a lab in a college, IP addresses of devices need to avoid conflicting with each other only within the same network. In the IP address space, some IP addresses of class A, B, and C addresses are reserved for the preceding situations. These IP addresses are called private IP addresses.
 Class A: 10.0.0.0–10.255.255.255
 Class B: 172.16.0.0–172.31.255.255
 Class C: 192.168.0.0–192.168.255.255

Connecting a private network to the Internet: the private networks in the figure (10.0.0.0/8 and 192.168.1.0/24 at each site) reach the Internet through network address translation (NAT).
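The address arithmetic of the last four slides (dotted decimal to binary, class and default mask, network/host split, private ranges) done by hand, as an added example that is not from the course. The private ranges are the three listed above written as prefixes (10/8, 172.16/12, 192.168/16, which cover exactly the stated ranges); the standard-library ipaddress module is used only to cross-check the result.

```python
"""Added example: IPv4 address notation, classful addressing and private-range checks."""
import ipaddress
from typing import Tuple

# The three private ranges from the slide, written as network/prefix
PRIVATE_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}   # default masks of the host classes


def dotted_to_int(addr: str) -> int:
    """'192.168.10.1' -> 0xC0A80A01, rejecting anything that is not four octets 0..255."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 address needs four octets: %r" % addr)
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError("bad octet %r in %r" % (part, addr))
        value = (value << 8) | int(part)
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """The 'Binary' row of the notation slide: four 8-bit groups."""
    value = dotted_to_int(addr)
    return " ".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """Classful class from the leading bits of the first octet (0, 10, 110, 1110, 1111)."""
    first = dotted_to_int(addr) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def prefix_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def split_network_host(addr: str, prefix: int) -> Tuple[str, int]:
    """(network part as dotted address, host part as integer)."""
    value, mask = dotted_to_int(addr), prefix_mask(prefix)
    return int_to_dotted(value & mask), value & ~mask & 0xFFFFFFFF


def same_network(a: str, b: str, prefix: int) -> bool:
    return split_network_host(a, prefix)[0] == split_network_host(b, prefix)[0]


def is_private(addr: str) -> bool:
    """True when the address falls in one of the three reserved private ranges."""
    value = dotted_to_int(addr)
    return any((value & prefix_mask(p)) == (dotted_to_int(net) & prefix_mask(p))
               for net, p in PRIVATE_RANGES)


if __name__ == "__main__":
    for a in ("192.168.10.1", "10.0.1.1", "172.31.255.255", "172.32.0.0", "224.0.0.1"):
        print(a, to_binary(a), "class", address_class(a), "private" if is_private(a) else "public",
              "(cross-check:", ipaddress.ip_address(a).is_private, ")")
```

Private source addresses arriving on an Internet-facing interface are a useful filter signal: because the three ranges are never routed on the public Internet, a packet claiming one of them as its source at the egress firewall is either misconfiguration or spoofing, and is_private() is exactly the check an ingress filter applies.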


IPv4 vs. IPv6
 IPv4 addresses managed by the IANA were exhausted in 2011. As the last public IPv4 address was allocated and more and more users and devices access the public network, IPv4 addresses were exhausted. This is the biggest driving force for IPv6 to replace IPv4.

IPv4
• Address length: 32 bits
• Address types: unicast address, broadcast address, and multicast address
• Characteristics:
▫ IPv4 address depletion
▫ Inappropriate packet header design
▫ ARP dependency-induced flooding
▫ ...

IPv6
• Address length: 128 bits
• Address types: unicast address, multicast address, and anycast address
• Characteristics:
▫ Unlimited number of addresses
▫ Simplified packet header
▫ Automatic IPv6 address allocation
▫ ...
Day 4 – Agenda
• Overview of SIP (Session Initiation Protocol) and its role in VoLTE
• Introduction to the Diameter protocol for authentication and authorization
• GTP (GPRS Tunneling Protocol) for data tunneling
• Comparison of protocol use in 4G and 5G

LTE Voice Options
LTE Voice CS Fallback
LTE Voice - VoLTE
SRVCC
Role of IMS
Accessing the IM CN Subsytem
Introduction to the IMS Architecture
Overview of VoLTE

 Voice over LTE (VoLTE) is expected to become the mainstream solution for providing voice services in commercial LTE networks in the upcoming years. It integrates voice over IP (VoIP), the LTE radio network (i.e., E-UTRAN), the LTE core network (i.e., EPC), and the IMS (IP Multimedia Subsystem) to support voice services.

 The SIP (Session Initiation Protocol) plays an essential role in VoLTE calls. It is used to create, update and terminate a VoLTE call. During a VoLTE call, there are SIP messages resembling those in a 2G/3G voice call, such as CALL SETUP, SETUP, ALERTING, CONNECT etc.

 SIP messages are transmitted in QCI5, which is a default EPS bearer from the UE towards the IMS APN, so the SIP signaling is actually not in the conventional CS (Circuit Switched) domain, but in the PS (Packet Switched) domain.
Call Session Control Functions
PCSCF
ICSCF
SCSCF
IM CN Subsystem Entities
IM CN Subsystems Entities Cont..
SIP Signaling and user data flow paths
Internet Multimedia Protocol Stack
IMS NEs
 Voice over LTE (VoLTE) service depends on the deployment of IMS, which is a complex subsystem and consists of many new NEs. Some of the typical NEs are listed in the table below.
Bearers for VoLTE
 QCI1/QCI2/QCI5 are set up in order to support voice & video calls over LTE networks as recommended by 3GPP. Each QCI's parameters are standardized for different purposes such as priority/PLR etc.

The table below lists the relevant QCIs' attributes defined by 3GPP:
QCI  Resource Type  Priority  Packet Delay Budget  Packet Error Loss Rate  QCI purpose
1    GBR            2         100 ms               10^-2                   Conversational Voice
2    GBR            4         150 ms               10^-3                   Conversational Video (Live Streaming)
5    Non-GBR        1         100 ms               10^-6                   IMS Signalling

 The radio network may set up QCI5, QCI1 and QCI2 bearers for VoLTE services. These QCIs have higher scheduling priority, lower PLR, lower latency, and so on.
The table below shows the combination of bearers in different scenarios:

Scenario                                 Bearers
Non-VoLTE UE                             QCI9
VoLTE UE, idle                           QCI5 + QCI9
VoLTE UE, voice call over LTE            QCI1 + QCI5 + QCI9
VoLTE UE, voice & video call over LTE    QCI1 + QCI2 + QCI5 + QCI9

VoLTE Procedures
 The figure below indicates the standard procedures when a VoLTE UE powers on, including registration, calling, and termination.
Session Initiation Protocol
Architecture of SIP stack
 The Session Initiation Protocol (SIP) is an application-layer control protocol (defined in RFC3261) stipulated by IETF for creating, modifying, and terminating sessions with one or more participants.

 SIP runs on top of IP. The network-layer protocol is IP and the transport-layer protocol is TCP or UDP (recommended). The figure below shows the SIP protocol stack.
SIP Messages
 SIP messages are either requests or responses.

 A SIP request is named by a word (its method), to indicate a special purpose.

SIP Messages
 A SIP response carries a Status-Code, a 3-digit integer that indicates the outcome of an attempt to understand and satisfy a request;
 The first digit of the Status-Code defines the class of response.
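As an added example (not code from the course), the parser below applies the two rules just stated: a request is recognised by its method word, a response by its Status-Code, and the response class is taken from the first digit as RFC 3261 defines it (1xx Provisional, 2xx Successful, 3xx Redirection, 4xx Request Failure, 5xx Server Failure, 6xx Global Failure). The method list is the RFC 3261 core set plus MESSAGE (RFC 3428), which the IP short message flow later in this course relies on; the SIP messages embedded below are constructed samples.

```python
"""Added example: a strict parser for SIP start lines and headers (RFC 3261 grammar)."""
import re
from typing import Dict, List

KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",  # RFC 3261
                 "MESSAGE"}                                                # RFC 3428
RESPONSE_CLASSES = {1: "Provisional", 2: "Successful", 3: "Redirection",
                    4: "Request Failure", 5: "Server Failure", 6: "Global Failure"}
# Headers every SIP request and response must carry (RFC 3261 sections 8.1.1 / 8.2.6)
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq")

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
_STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


def response_class(status_code: int) -> str:
    """Class of a response from the first digit of its Status-Code."""
    if not 100 <= status_code <= 699:
        raise ValueError("SIP Status-Code must be 100..699, got %d" % status_code)
    return RESPONSE_CLASSES[status_code // 100]


def parse_sip(raw: str) -> Dict[str, object]:
    """Parse one SIP message; raise ValueError on anything malformed rather than guess."""
    head, separator, body = raw.partition("\r\n\r\n")
    if not separator:
        raise ValueError("missing empty line after the headers")
    lines = head.split("\r\n")
    msg: Dict[str, object] = {"body": body}
    match = _STATUS_LINE.match(lines[0])
    if match:
        code = int(match.group(1))
        msg.update(kind="response", status_code=code, reason=match.group(2),
                   response_class=response_class(code))
    else:
        match = _REQUEST_LINE.match(lines[0])
        if not match:
            raise ValueError("malformed start line: %r" % lines[0])
        msg.update(kind="request", method=match.group(1), request_uri=match.group(2),
                   known_method=match.group(1) in KNOWN_METHODS)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())   # Via may repeat
    for required in MANDATORY_HEADERS:
        if required not in headers:
            raise ValueError("missing mandatory header %s" % required)
    if "content-length" in headers and int(headers["content-length"][0]) != len(body.encode()):
        raise ValueError("Content-Length does not match the body")
    msg["headers"] = headers
    return msg


# Constructed sample messages (documentation-style domain, arbitrary tags and ids)
_COMMON = ("Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
           "From: <sip:alice@ims.example.com>;tag=1928301774\r\n"
           "To: <sip:bob@ims.example.com>\r\n"
           "Call-ID: a84b4c76e66710@alice-ue\r\n")
SAMPLE_INVITE = ("INVITE sip:bob@ims.example.com SIP/2.0\r\n" + _COMMON +
                 "CSeq: 314159 INVITE\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n")
SAMPLE_RINGING = ("SIP/2.0 180 Ringing\r\n" + _COMMON +
                  "CSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
SAMPLE_ACCEPTED = ("SIP/2.0 202 Accepted\r\n" + _COMMON +     # the 202 of the SMS-over-IP flow
                   "CSeq: 1 MESSAGE\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_INVITE, SAMPLE_RINGING, SAMPLE_ACCEPTED):
        parsed = parse_sip(sample)
        print(parsed["kind"], parsed.get("method") or parsed.get("status_code"),
              parsed.get("response_class", ""))
```

Rejecting a message that lacks the mandatory headers or whose Content-Length disagrees with the body is what a P-CSCF must do at the edge of the IMS, since everything after the start line is attacker-controlled input arriving over the QCI5 bearer.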
SIP Operation
RTP
RTCP
RTP Sessions
User Identities. USIM, UICC and ISIM
SIP Registration and IMS Authentication
IMS Mobile originated to IMS mobile
Terminated Session
SRVCC – Architecture and Principle
 VoLTE provides excellent voice quality and experience to users in the LTE hotspot area. However, when the UE moves to a weak coverage area of the LTE network, the call may drop and lead to a complaint. SRVCC is an expected mechanism that can guarantee voice service continuity.

 When the UE moves to a weak coverage area of the LTE network, an SRVCC handover should be triggered, and the voice call should be handed over to the CS domain of 2G/3G.

 In order to support the SRVCC handover function, the 2G/3G CN needs to be upgraded to provide the Sv interface.

Interface  Description  Protocol
Sv  Sv interface between the Mobility Management Entity (MME) or Serving GPRS Support Node (SGSN) and the 3GPP MSC server enhanced for SRVCC. The Sv interface is used to support Inter-RAT handover from VoIP/IMS over EPS to the CS domain over 3GPP UTRAN/GERAN access or from UTRAN (HSPA) to 3GPP UTRAN/GERAN access. It's based on the GTPv2 protocol.  3GPP TS29.280
SRVCC – Media flow
 When a Voice over LTE service accompanied by a data service needs an SRVCC handover, the MME will hand over the voice service to the legacy CS domain with the cooperation of the eMSC, and the data service to the legacy PS domain.

 When an SRVCC handover occurs, the service interruption duration is about 0.5 s ~ 1 s, so eSRVCC is introduced to minimize the service interruption duration.

 ATCF and ATGW are deployed in IMS as the media anchor to reduce the service interruption duration to 300 ms.
IP Short Message flow
 The SIP messages transported over the Uu interface consist of 4 steps:
1. The UE sends a MESSAGE request to the P-CSCF (proxy-call session control function). The P-CSCF forwards the MESSAGE request to the serving-call session control function (S-CSCF).
2. The IP-SM-GW sends a 202 response to the UE, indicating that the IP-SM-GW has received the short message.
3. The IP-SM-GW sends a MESSAGE request to the UE after the short message has been delivered.
4. The UE returns a 200 response to the IP-SM-GW.
SRVCC Session transfer
IMS Deregistration
3GPP Specific Protocols
Diameter Protocol
Diameter Applications
Diameter Operation
GTP Overview
GPRS Tunneling Protocol is:

• The protocol between GPRS Support Nodes
• Includes both the GTP signaling (GTP-C) & data transfer (GTP-U) procedures
• Is defined for the Gn interface, i.e. the interface between GSNs within a PLMN
• For the Gp interface between GSNs in different PLMNs
• Allows multi-protocol packets to be tunneled through the UMTS/GPRS backbone
Access Point Name

An APN identifies a PDN that is configured on and accessible from a GGSN. An APN has two parts:
• APN Network Identifier
• APN Operator Identifier

 The APN network identifier must correspond to a fully qualified name in DNS, e.g. starentnetworks.com
 The access points that are supported by the GGSN are preconfigured on the GGSN.
 The APN is sent in the Create PDP Context Request message to the GGSN.
 An APN has several attributes associated with its configuration which specify how the user can access the network at the entry point.
APN Attributes
• Some of the attributes are
• APN Network Identifier
• Access Mode – Transparent (no authentication) / Non-transparent
• IP address pool
• Primary DHCP server
• Secondary DHCP server
• DHCP gateway address
• RADIUS server
• Backup RADIUS server
• IP address of the next hop for the Gi interface
• Attributes to get logs
• Current allocated IP address count
• Current PDP context count
Legacy GTP
GTP in EPS
GTP V2-C Packet Header
GTP V2-C Message Types
GTP V1-U Packet header
GTP V1-U Message Types
Day 5 – Agenda

• Overview of security challenges in core networks
• Authentication and encryption techniques in 4G and 5G
• QoS mechanisms for reliable data transmission
• Introduction to Network Slicing and its impact on QoS in 5G.
EPC Security Functions
AKA (Authentication and Key Agreement)
User Confidentiality
Ciphering and integrity Protection
Ciphering and integrity protection (Cont..)
Information Security Objective: Protecting Enterprise Information Assets
 For enterprises, information assets are necessary for maintaining continuous enterprise operation and management. For example, market reports, research data, plans & solutions, and competition information may affect enterprise operations from various aspects.

Figure: Enterprise, Competition, Information, Science.
Providing CIA Protection for Information Assets

Confidentiality (C): Private data should not be disclosed to unauthorized individuals.
Integrity (I): Information and procedures must not be subjected to intentional or unintentional unauthorized manipulation.
Availability (A): Systems should provide services in time and should not deny authorized users.
Confidentiality and Leakage Model

Leakage model: Sender → Recipient, with an Eavesdropper on the path.
Ensure that information can only be received by authorized visitors.
Integrity and Tampering Model

Tampering model: Sender → Recipient, with an Interpolator (tamperer) on the path.
 Prevent data from accidental modification, destruction, or loss by unauthorized users.
Availability and Anti-sabotage Model

Anti-sabotage model: Sender → Recipient, with an Attacker on the path.
 Ensure effectiveness, that information and information systems provide services for authorized users anytime.
What Threatens Information Security?
Risk Confidentiality Integrity Availability
Natural disaster ● ●
Hardware fault ● ● ●
Software defect ● ● ●
Unauthorized access ● ●
DoS ●
Data leakage ● ●
Forging and spoofing ● ●
Wiretapping ●
Computer virus ● ●
Trojan horse ● ●
Backdoor and trap ● ● ●
Electromagnetic radiation ●
Theft ● ● ●
Is Technology Assurance Alone Enough

 Technical measures need to cooperate with correct use methods for better performance.
Ensuring Information Security Through Information Security Management

Figure: Management factors, Technical factors and Human factors.

 To resolve information security issues, we must consider many factors, including personnel and management, technology and products, work flows and systems.
TCP/IP Protocol Stack - IPv4 Security Risks
TCP/IP (IPv4) lacks:
• a confidentiality guarantee mechanism
• an integrity verification mechanism
• a data source verification mechanism
Common Security Risks of TCP/IP Protocol Stack

Application layer: vulnerabilities and attacks related to buffer overflow, WEB application attacks, viruses and Trojan horses…
Transport layer: TCP spoofing, TCP DoS, UDP DoS, port scanning…
Network layer: IP spoofing, Smurf attack, ICMP attack, address scanning…
Data link layer: MAC spoofing, MAC flood, ARP spoofing…
Physical layer: device damage, interception
OSI Security System Structure
Layer mapping (OSI → TCP/IP): Application layer, Representation layer, Session layer → Application layer; Transport layer → Transport layer; Network layer → Internet layer; Data link layer, Physical layer → Network interface layer.

The OSI security system structure relates three dimensions: the protocol layer (function), the security service, and the security mechanism that provides it.

Security services:
• Authentication service
• Access control
• Data integrity
• Data confidentiality
• Non-repudiation

Security mechanisms:
• Encryption mechanism
• Digital signature mechanism
• Access control mechanism
• Data integrity mechanism
• Authentication switching mechanism
• Service flow filling mechanism
• Routing control mechanism
• Notarization mechanism
• Compatibility mechanism
Information Security Technology - Network Security
Network security covers:
• Network protocol security
• Network security devices: Firewall, IDS, IPS, SOC, UTM, NAC and other network security devices
• Network architecture security: security of switching devices, security of route interconnection, network egress security system, open system access control, VLAN design, network IP address and redundancy configuration, network security zone architecture, network security policy

 Network security management is an important part of the information security management system.
Why Do We Need Firewalls?

 A firewall is mainly used to protect one network area against network attacks and intrusions from another network area.
Comparing Firewalls with Switches and Routers

Firewall: controlling packet forwarding; defending against attacks, viruses, and Trojans (Block).
Router: addressing and forwarding; ensuring network interconnection.
Switch: aggregation for a LAN; Layer-2/3 fast packet forwarding.

 The essence of routers and switches is forwarding, while the essence of firewalls is control.
Firewall Development History

1989: Packet filtering – access control
1994: Application proxy – proxy technology
1995: Stateful inspection – session mechanism
2004: Dedicated device
2005: UTM – multi-function
2009: NGFW – DPI technology; control based on users, applications, and contents
Why Do We Need Security Zones?

Figure: a firewall separating the Trust zone (Manager; Marketing department, R&D department and Production department, i.e. Marketing, Research and Manufacture), the DMZ (server area) and the Untrust zone.

 How does a firewall distinguish networks?

Default Security Zones

Figure: Trust, DMZ and Untrust zones around the firewall, with the question: how to indicate the firewall itself?

 Firewalls have three default security zones: Trust, DMZ, and Untrust.
Attack Defense Application Scenarios

Figure: the firewall sits between the outside (common user, attacker) and the enterprise intranet (PC, mail server, web server). Normal traffic is permitted; attack traffic is blocked:
• DDoS attack
• Scanning and sniffing attacks
• Malformed-packet attack
• Special-packet attack

 Firewalls can defend against various common DDoS attacks and conventional single-packet attacks.
DDoS Attack

Figure: the attacker sends control traffic through a jump-off point to a botnet of zombie hosts, which send attack traffic to the attack target.
 DDoS attackers control zombie hosts to send a large number of attack packets to targets.

 According to attack modes, DDoS attacks can be classified into traffic attacks (SYN Flood and UDP Flood) and application-layer attacks (HTTP Flood, HTTPS Flood, and DNS Flood).

 NGFWs can defend against common DDoS attacks, such as SYN Flood and UDP Flood.
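The detection side of the two attack types named on these slides (a SYN Flood as a traffic attack, and port scanning from the transport-layer risk list), as an added example that is not code from the course or from any firewall product. It runs over a constructed list of flow records; the thresholds and window sizes are constructed values, and the addresses come from the documentation ranges.

```python
"""Added example: SYN-flood and port-scan detection over constructed flow records.

A flow record is (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags) with flags
'S' for a bare SYN and 'A' for a later packet carrying ACK from the same source."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int, str]


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: one normal client, one port scanner, one spoofed SYN flood."""
    flows: List[Flow] = []
    # a legitimate client: SYN, then ACK completes the handshake
    flows.append((0.0, "203.0.113.5", "198.51.100.10", 443, "S"))
    flows.append((0.1, "203.0.113.5", "198.51.100.10", 443, "A"))
    # a scanner: one source probing 25 consecutive ports within a quarter second
    for i, port in enumerate(range(20, 45)):
        flows.append((1.0 + i * 0.01, "203.0.113.77", "198.51.100.10", port, "S"))
    # a SYN flood: 500 SYNs to one service from rotating (spoofed) sources, never acknowledged
    for i in range(500):
        flows.append((2.0 + i * 0.001, "192.0.2.%d" % (i % 250 + 1), "198.51.100.10", 80, "S"))
    return flows


def half_open_syns(flows: List[Flow]) -> List[Tuple[float, str, str, int]]:
    """SYNs never followed by an ACK from the same (src, dst, port): the half-open attempts
    that exhaust a server's connection table in a SYN flood."""
    completed = {(s, d, p) for (_, s, d, p, f) in flows if "A" in f}
    return [(t, s, d, p) for (t, s, d, p, f) in flows
            if f == "S" and (s, d, p) not in completed]


def detect_syn_flood(flows: List[Flow], window: float = 1.0,
                     threshold: int = 100) -> Dict[Tuple[str, int], int]:
    """Targets (dst_ip, dst_port) that receive more than `threshold` half-open SYNs
    within any `window` seconds; value is the peak count.  Keyed by target, not source,
    because flood sources are typically spoofed."""
    by_target: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for t, _, d, p in half_open_syns(flows):
        by_target[(d, p)].append(t)
    alerts: Dict[Tuple[str, int], int] = {}
    for target, times in by_target.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):           # sliding window over sorted times
            while t - times[left] > window:
                left += 1
            count = right - left + 1
            if count > threshold:
                alerts[target] = max(alerts.get(target, 0), count)
    return alerts


def detect_port_scan(flows: List[Flow], window: float = 5.0,
                     threshold: int = 10) -> Dict[str, int]:
    """Sources that send SYNs to more than `threshold` distinct (dst, port) pairs within
    any `window` seconds; value is the peak number of distinct targets."""
    by_src: Dict[str, List[Tuple[float, Tuple[str, int]]]] = defaultdict(list)
    for t, s, d, p, f in flows:
        if "S" in f:
            by_src[s].append((t, (d, p)))
    alerts: Dict[str, int] = {}
    for src, items in by_src.items():
        items.sort()
        in_window: Counter = Counter()
        left = 0
        for right, (t, target) in enumerate(items):
            in_window[target] += 1
            while t - items[left][0] > window:      # expire targets that left the window
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    print("SYN flood targets:", detect_syn_flood(sample))
    print("port scanners   :", detect_port_scan(sample))
```

The two detectors key on different things for a reason: a scan is attributable to its source, so blocking the source is a valid response, whereas the flood here comes from 250 spoofed addresses and must be mitigated per target (SYN cookies or per-service rate limiting on the firewall), exactly the defence an NGFW applies.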
PCC
Information Storage
LTE & 5G Bearer architecture
LTE Bearer Service Architecture:
UE <-Uu-> eNB <-S1-> S-GW <-S5/S8-> P-GW <-Gi-> Peer Entity
• E2E Service (UE to Peer Entity)
• EPS Bearer with QCI (UE to P-GW) + External Bearer (P-GW to Peer Entity)
• E-RAB (UE to S-GW) = SRB/DRB over Uu + S1 Bearer; S5/S8 Bearer (S-GW to P-GW)

5G Bearer Service Architecture:
UE <-Uu-> gNB <-N3-> UPF <-N6-> DN
• E2E Service (UE to DN)
• PDU Session with QoS Flow (UE to UPF) + External Bearer (UPF to DN)
• SRB/DRB over Uu; N3 between gNB and UPF
LTE Bearers
• EPS Bearer
  • Logical pipe between UE and P-GW
  • Associated with a set of QoS parameters
• PDN Connection
  • IP session between UE and the PDN
  • EPS bearers in a PDN connection have the same IP

Figure: UE <- EPS Bearer -> EPC <-> PDN; the IP / PDN Connection spans from the UE to the PDN.
Types of EPS Bearers

Default bearer:
• Established along with a new PDN connection and active for the lifetime of the PDN connection
• Always a non-GBR bearer

Dedicated bearer:
• Additional EPS bearer that may be activated based on demand
• Can be GBR or non-GBR

Figure: UE <- Default Bearer / Dedicated Bearer -> EPC.
Service Data Flow (SDF)

• A set of IP flows corresponding to a service
• Identified using packet IP headers
• An SDF corresponds to a QoS / policy treatment by the policy function
• An EPS Bearer can carry only one SDF Aggregate

Figure: IP Flow 1, IP Flow 2 and IP Flow 3 from the PDN are filtered into SDF1 and SDF2 towards the EPC.
QoS Levels
Service Level:
• Service Data Flows (SDFs) defined
• QoS and policy applied based on the SDF

Session Level:
• Access Point Name (APN) based QoS
• Limit AMBR of all non-GBR bearers per APN

Bearer Level:
• Default (Non-GBR) and Dedicated (GBR or Non-GBR) bearers defined
• Policy binds Dedicated Bearer to a QCI

UE Level:
• Limits to per-UE AMBR
• Enforced by eNodeB
Quality Class Indicator (QCI) Table
QCI  Resource Type  Priority  PDB     PELR   Example Services
1    GBR            2         100 ms  10^-2  Conversational Voice
2    GBR            4         150 ms  10^-3  Conversational Video (Live Streaming)
3    GBR            3         50 ms   10^-3  Real Time Gaming
4    GBR            5         300 ms  10^-6  Non-Conversational Video (Buffered Streaming)
5    Non-GBR        1         100 ms  10^-6  IMS Signalling
6    Non-GBR        6         300 ms  10^-6  Video (Buffered Streaming), TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
7    Non-GBR        7         100 ms  10^-3  Voice, Video (Live Streaming), Interactive Gaming
8    Non-GBR        8         300 ms  10^-6  Video (Buffered Streaming), TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
9    Non-GBR        9         300 ms  10^-6  Video (Buffered Streaming), TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
…    …              …         …       …      Operator-specified class
Example of LTE QoS Differentiation
Figure: UE <-> eNodeB, with QCI & ARP per bearer.
• Default Bearer (non-GBR): applications are limited by APN-AMBR (UL) on the UE side, UE-AMBR (UL / DL) at the eNodeB, and APN-AMBR (UL / DL) on the network side.
• Dedicated Bearer (non-GBR): subject to the same AMBR limits as the default bearer.
• Dedicated Bearer (GBR): MBR (UL) on the UE side; GBR (UL / DL) and MBR (UL) at the eNodeB; GBR (UL / DL) and MBR (DL) on the network side.
Summary
• LTE QoS operates at service, session and bearer levels as well as on a per UE
basis

• A Service Data Flow is defined to determine the policy & QoS treatment to be
applied to a service

• A Quality Class Indicator is used to define different QoS types and priorities

• A UE has Default and Dedicated bearers – logical connections – to the EPC

• QoS uses notions of GBR and AMBR to differentiate between services


5G System QoS model

EPC QoS Model (UE <-> LTE RAN <-> EPC):
• All 3 services are carried in EPS Bearer #1 and receive the same QoS treatment since they are mapped to a common QCI bearer.
• QoS differentiation requires separate bearers (EPS Bearer #1, #2, #3) to be established with different QCIs – this brings signaling overhead.

5GS QoS Model (5G UE <-> NG-RAN <-> 5GC):
• QoS Flows QFI-A and QFI-B are carried in DRB#1 and QFI-C in DRB#2, all over a single N3 Tunnel.
• 5G has no concept of bearers but instead introduces QoS Flows. All traffic in the same QoS Flow receives the same QoS treatment.
• QoS Flows are created dynamically without the need for e2e signaling.
• Short lived flows can receive differentiated QoS treatment without the overhead of establishing EPS bearers.
• The 5G QoS architecture must detect and differentiate short-lived sub service flows.
QoS Flow ID
A QoS Flow ID (QFI) is used to identify a QoS Flow in the 5G System.

Downlink:
• UPF uses policy from PCF and SMF to identify flows and adds QFI tag to downlink packets
• RAN uses QFI tag and policy to map flows to Data Radio Bearers (DRBs)

Uplink:
• UE uses either configured policy or "reflective" learning approach to learn policies QFI usage to map to DRBs
• RAN and UPF police DRB mapping/QFI usage

Figure: 5G UE (Application, Operating system, NAS, RRC, SDAP, PDCP) <-> NG-RAN (RRC, SDAP, PDCP) <-> UPF, with AF, PCF, SMF, AMF and the DN in the 5GC. The Non Access Stratum runs between UE and AMF/SMF, the Access Stratum between UE and NG-RAN. A single GTP-U tunnel per PDU Session carries the flows, marked with QFI tags in the header; QoS Flows are marked by SDAP and carried over Data Radio Bearers.
5GS QoS Parameters and Characteristics
QoS Rules (delivered to the UE over N1):
 Rule ID
 QFI
 Packet Filter Set
 Precedence Value
The Default Rule may not contain Packet Filters.

QoS Profile (delivered to the (R)AN over N2):
 5QI
 ARP
 RQA (Reflective QoS, Non-GBR)
 MFBR/GFBR (UL/DL)
 Notification Control (GBR)
 Packet Loss rate

SDF Templates (delivered to the UPF over N4):
 QFI
 Packet Filter Set
 Precedence Value
 DSCP (for DL)
 RQI

QoS parameters and QoS Characteristics are determined in the 5G Core from PCF policy; the SMF distributes them via the AMF to the UE (N1, QoS Rules) and to the (R)AN (N2, QoS Profile), and directly to the UPF (N4, SDF Templates).
User traffic (IP packets) is classified into SDFs at the UPF and carried as QoS Flows (QFI#A, QFI#B, QFI#C) in the N3 tunnel of the PDU Session; the (R)AN maps QFI to DRB on the AN resources (Data Radio Bearers).
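The following is an added example (not code from the course) of the classification described here and in the UPF section earlier: SDF templates made of packet filters with a precedence value assign a QFI to each packet, the RAN side maps QFI to DRB, and uplink verification checks that a UE-marked QFI agrees with the SDF the packet really belongs to. Filters, QFI values, DRB ids and the IMS subnet are constructed.

```python
"""Added example: SDF-template classification to QFI, QFI -> DRB mapping and uplink
QFI verification, with constructed filters and addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Packet = Dict[str, object]   # keys: direction, remote_ip, protocol, remote_port


@dataclass(frozen=True)
class PacketFilter:
    """One entry of a Packet Filter Set; a None component matches anything."""
    direction: str                                  # "UL" or "DL"
    remote_net: Optional[str] = None                # CIDR of the data-network side
    protocol: Optional[int] = None                  # IP protocol number
    remote_port: Optional[Tuple[int, int]] = None   # inclusive port range, DN side

    def matches(self, pkt: Packet) -> bool:
        if pkt["direction"] != self.direction:
            return False
        if self.remote_net is not None and \
                ipaddress.ip_address(pkt["remote_ip"]) not in ipaddress.ip_network(self.remote_net):
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.remote_port is not None and \
                not self.remote_port[0] <= pkt["remote_port"] <= self.remote_port[1]:
            return False
        return True


@dataclass(frozen=True)
class SdfTemplate:
    qfi: int
    precedence: int                          # lower value is evaluated first
    filters: Tuple[PacketFilter, ...]
    dscp: Optional[int] = None               # optional DL marking, as on the slide


def classify(pkt: Packet, templates: Tuple[SdfTemplate, ...], default_qfi: int) -> int:
    """QFI of the first template (in precedence order) with a matching filter; packets
    matching no template fall into the default QoS flow, i.e. the rule without filters."""
    for template in sorted(templates, key=lambda t: t.precedence):
        if any(f.matches(pkt) for f in template.filters):
            return template.qfi
    return default_qfi


def map_to_drb(qfi: int, qfi_to_drb: Dict[int, str]) -> str:
    """RAN step: the QFI tag selects the Data Radio Bearer."""
    return qfi_to_drb[qfi]


def verify_uplink(pkt: Packet, marked_qfi: int, templates: Tuple[SdfTemplate, ...],
                  default_qfi: int) -> bool:
    """UPF 'uplink traffic verification': a UE cannot lift its traffic into a better QoS
    flow by mis-marking the QFI; the packet must classify to the QFI it claims."""
    return classify(pkt, templates, default_qfi) == marked_qfi


# Constructed sample: IMS signalling and voice media get dedicated flows; the rest is default.
IMS_NET = "10.200.0.0/16"
TEMPLATES = (
    SdfTemplate(qfi=5, precedence=10, filters=(
        PacketFilter("DL", IMS_NET, 17, (5060, 5061)),
        PacketFilter("UL", IMS_NET, 17, (5060, 5061)))),
    SdfTemplate(qfi=1, precedence=20, filters=(
        PacketFilter("DL", IMS_NET, 17, (10000, 20000)),
        PacketFilter("UL", IMS_NET, 17, (10000, 20000)))),
)
DEFAULT_QFI = 9
QFI_TO_DRB = {5: "DRB1", 9: "DRB1", 1: "DRB2"}   # two QFIs share DRB1, as in the model slide

if __name__ == "__main__":
    sip = {"direction": "DL", "remote_ip": "10.200.1.5", "protocol": 17, "remote_port": 5060}
    web = {"direction": "DL", "remote_ip": "203.0.113.10", "protocol": 6, "remote_port": 443}
    for name, pkt in (("sip", sip), ("web", web)):
        qfi = classify(pkt, TEMPLATES, DEFAULT_QFI)
        print(name, "-> QFI", qfi, "->", map_to_drb(qfi, QFI_TO_DRB))
```

The verify_uplink() step is the reason "RAN and UPF police DRB mapping/QFI usage" appears on the QFI slide: the UE marks its own uplink packets, so without the UPF re-classifying against the SDF templates, any application could claim the voice flow's guaranteed bit rate.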
5GS QoS
SDAP responsible for QoS Flow Handling
Figure: UE and gNB protocol stacks, SDAP / PDCP / RLC / MAC / PHY on both sides.

• The 5G QoS architecture applies only to the SA networking scenario
• The QoS object of 5G is PDU Session/QoS Flow, and that of 4G is E-RAB
5G Network architecture for Network Slicing
Network slicing is able to create a number of logically isolated networks, or "slices", out of the same physical infrastructure shared by multiple tenants (5G operators), and thus can reduce the CAPEX significantly for these operators. Operators can allocate an appropriate amount of resources per network slice.

NSSF supports the following functionalities:
• Selecting the set of network slice instances serving the user equipment.
• Determining the Allowed NSSAI and its mapping to the Subscribed S-NSSAIs.
• Determining the AMF set to be used to serve the UE or, based on configuration, a list of AMFs.

• RAN may dedicate resources per slice, depending on RAN implementation
• RAN should have per-slice configurations

Figure: UE <-> NG-RAN <-N2-> AMF. Slice common network functions (NEF, NRF, UDM, NSSF, AUSF, PCF, and AF over N5) are shared resources; slice specific network functions (SMF reached over N11/N10/N7, UPF over N4, connected to NG-RAN over N3 and to the DN over N6) are dedicated resources.
Identification and selection of a Network Slice
NSSAI:
• Network Slice Selection Assistance Information
• The NSSAI is a collection of up to 8 S-NSSAIs

S-NSSAI:
• S-NSSAI: Single Network Slice Selection Assistance Information
• It identifies a Network Slice.

S-NSSAI is comprised of:
• A Slice/Service type (SST), which refers to the expected Network Slice behavior in terms of features and services
• A Slice Differentiator (SD), which is optional information that complements the Slice/Service type(s) to allow further differentiation for selecting a Network Slice from the potentially multiple Network Slices that all comply with the indicated Slice/Service type

S-NSSAI = Slice/Service type (SST) + Slice Differentiator (SD)

Standardised SST values:
SST    value  Characteristics
eMBB   1      Slice suitable for the handling of 5G enhanced Mobile Broadband.
URLLC  2      Slice suitable for the handling of ultra-reliable low latency communications.
MIoT   3      Slice suitable for the handling of massive IoT.

Figure: an NSSAI holding S-NSSAI #1 (SST#1, SD#A), S-NSSAI #2 (SST#2, SD#B), S-NSSAI #3 (SST#2, SD#C) … S-NSSAI #n. Say SD = 1 => eMBB generic, SD = 2 => eMBB gaming. Network Slice Provider A offers an MBB Slice; Network Slice Providers B and C each offer a URLLC Slice.
Slice examples in 5G Core and 5G RAN
SST#1: eMBB Service Slice; SST#2: eMTC Service Slice; SD#A: Enterprise A; SD#B: Enterprise B.

UE 1: NSSAI = { S-NSSAI#1: SST#1, SD#A }. It signals RRC (SST#1, SD#A) towards the 5G (R)AN and N1 (SST#1, SD#A) towards the core.
UE 2: NSSAI = { S-NSSAI#1: SST#1, SD#B; S-NSSAI#2: SST#2, SD#B }. It signals RRC (SST#1, SD#B; SST#2, SD#B) and N1 (SST#1, SD#B; SST#2, SD#B).

RAN side: RRC, PDCP and RLC are instantiated per UE and per slice (UE 2 has a PDCP/RLC pair for each of its two S-NSSAIs), while MAC and PHY are SHARED.

Core side, reached over N2 (control plane) and N3 (user plane):
• SLICE #1: Enterprise A, eMBB, DNN#A, with its own SMF and UPF
• SLICE #2: Enterprise B, eMBB, DNN#B, with its own SMF and UPF
• SLICE #3: Enterprise B, eMTC, DNN#C, with its own SMF and UPF
The figure labels the 5G (R)AN as SHARED and the AMF and per-slice SMF/UPF as DEDICATED, and distinguishes the CONTROL PLANE (AMF, SMF) from the USER PLANE (UPF).
UE assisted Network Slice selection

• The UDM holds the Subscribed NSSAI (max 8 S-NSSAIs per UE).
• The UE holds the Configured NSSAI.
• The UE sends the Requested NSSAI to the network (during registration, in RRC and NAS) and gets the Allowed NSSAI in response.
• AMF selection function, based on Temp ID or NSSAI. Optionally the AMF queries the NSSF for the S-NSSAI to NSI-ID mapping (Allowed S-NSSAI) and AMF (Set) selection.
• The NRF retrieves the NFs from the NSI-ID; the AMF queries the NRF for function selection (like AMF).
• A Network Slice instance is an active Slice which is selected during registration by the first AMF; the UE learns about the Allowed S-NSSAIs. This could result in a change of AMF if needed.
• S-NSSAI = Slice/Service type (SST) + Slice Differentiator (SD); each S-NSSAI #1 ... #n carried in RRC and NAS consists of SST and SD.

[Figure: UE, RAN, AMF, NSSF, NRF and UDM, with the slice specific network functions SMF#1/UPF#1 ... SMF#n/UPF#n selected through the NRF.]
UE assisted Network Slice selection

Configured NSSAI
• The Configured NSSAI is an NSSAI configured by default in a UE to be used in a PLMN before any interaction with the PLMN ever took place.
• If the UE did not receive any Allowed NSSAI for the ID of the PLMN that the UE accesses, the UE provides the Configured NSSAI in RRC and NAS, if the UE has been provided with a Configured NSSAI for that PLMN.

Allowed NSSAI
• Allowed NSSAI may include one or more S-NSSAIs. These S-NSSAIs are valid for the current Registration Area provided by the serving AMF the UE has registered with and can be used simultaneously by the UE.
• The UE receives the Allowed NSSAI as part of the Initial Access procedure.
• For each PLMN, the UE shall store the Configured NSSAI and, if any, the Allowed NSSAI. When the UE receives an Allowed NSSAI for a PLMN, it shall store it and override any previously stored Allowed NSSAI for this PLMN.

Requested NSSAI
• Can be either the Configured NSSAI (or a subset of it), the Allowed NSSAI (or a subset of it) or a combination of those (or a subset of the combination).

Default S-NSSAI
• If an S-NSSAI is marked as default, then the network is expected to serve the UE with the related Network Slice even when the UE does not send any S-NSSAI to the network in a Registration request.
• At most 8 S-NSSAIs can be marked as Default S-NSSAI.
• A single UE may be served by at most 8 Network Slices at a time.
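The S-NSSAI layout and the NSSAI rules above, as an added Python example (not part of the course material): it encodes and decodes an S-NSSAI (one SST octet plus an optional 24-bit SD, the layout of 3GPP TS 23.003, with 0xFFFFFF meaning no SD), checks that a Requested NSSAI only draws from the Configured and Allowed NSSAIs, and derives the Allowed NSSAI on the network side. The `SNSSAI`, `check_requested` and `derive_allowed` names are this example's own, and the rule that the Allowed NSSAI keeps only subscribed S-NSSAIs (with the Default S-NSSAIs themselves being subscribed) is an assumption taken from 3GPP rather than from the slides.

```python
from dataclasses import dataclass
from typing import Optional, Set

MAX_NSSAI = 8                 # an NSSAI carries at most 8 S-NSSAIs
NO_SD = 0xFFFFFF              # SD value meaning "no SD associated with the SST"
STANDARD_SST = {1: "eMBB", 2: "URLLC", 3: "MIoT"}

@dataclass(frozen=True)
class SNSSAI:
    sst: int
    sd: Optional[int] = None  # the Slice Differentiator is optional

    def __post_init__(self):
        if not 0 <= self.sst <= 255:
            raise ValueError("SST is one octet (0..255)")
        if self.sd is not None and not 0 <= self.sd <= 0xFFFFFE:
            raise ValueError("SD is 24 bits; 0xFFFFFF is reserved for 'no SD'")

    def kind(self) -> str:
        """Standardized SST values are 0..127, operator-specific ones 128..255."""
        if self.sst >= 128:
            return "operator-specific"
        return STANDARD_SST.get(self.sst, "standardized-unassigned")

    def encode(self) -> bytes:
        """SST octet followed by the 3-octet SD, big endian."""
        sd = NO_SD if self.sd is None else self.sd
        return bytes([self.sst]) + sd.to_bytes(3, "big")

    @classmethod
    def decode(cls, raw: bytes) -> "SNSSAI":
        if len(raw) not in (1, 4):
            raise ValueError("S-NSSAI is 1 octet (SST) or 4 octets (SST + SD)")
        sd = None if len(raw) == 1 else int.from_bytes(raw[1:], "big")
        return cls(raw[0], None if sd == NO_SD else sd)

def check_requested(requested: Set[SNSSAI], configured: Set[SNSSAI],
                    allowed: Set[SNSSAI]) -> bool:
    """A Requested NSSAI may only carry S-NSSAIs taken from the Configured
    NSSAI, the Allowed NSSAI or a combination of both, and at most 8 of them."""
    return len(requested) <= MAX_NSSAI and requested <= (configured | allowed)

def derive_allowed(requested: Set[SNSSAI], subscribed: Set[SNSSAI],
                   defaults: Set[SNSSAI]) -> Set[SNSSAI]:
    """Network side: keep only S-NSSAIs the UE is subscribed to (assumed
    3GPP behaviour); with an empty request serve the Default S-NSSAIs."""
    if len(requested) > MAX_NSSAI or len(defaults) > MAX_NSSAI:
        raise ValueError("Requested NSSAI and Default S-NSSAIs are capped at 8")
    return (requested & subscribed) if requested else defaults
```

The network-side filter is the step that matters for access control: a UE can place any S-NSSAI in its request, so slice membership is decided against the Subscribed NSSAI in the UDM, never from the request alone.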
Slice configuration: Slice activation in gNB

• Network slicing in the Nokia gNB is activated by the activation flag NRBTS.actNetworkSlicing parameter*.
• Possible NRBTS.actNetworkSlicing settings:
  • value 0 (false) means the slicing in the network is not active.
  • value 1 (true) enables the slices to be created for different purposes.
• This parameter is not relevant in Non-Standalone Architecture and before release 5G19A it is not used. Therefore, if available, it is set to the 'false' value.
• Note: If NRBTS.actNetworkSlicing = 1 (TRUE)* and NRBTS.gNbCuType = 1* (value corresponds to Stand Alone mode) then at least one S-NSSAI instance must be configured.

* The NRBTS.actNetworkSlicing parameter is removed in 5G20A; therefore, activation of the feature will be based on NRBTS.gNbCuType (NRBTS.gNbCuType = 1 (SA) or NRBTS.gNbCuType = 2 (both SA and NSA)).
Slice configuration: Slice definition in gNB

A slice in the gNB can be defined on the gNB level by setting up the NSSAI parameter set. One set of MRBTS/NRBTS/SNSSAI parameters defines one slice (example on next slides).

• snssaiID = [1..20]
  This parameter uniquely identifies the Network Slicing (SNSSAI) instance within the same containing MRBTS/NRBTS instance. This gives up to 20 slices to be set up per gNB (NRBTS).
• sst = [1, 128..255]
  This parameter indicates the slice service type which identifies the slice type: the 3GPP defined eMBB value (1) and operator specific values (128..255). According to 3GPP the SST field may have standardized values (from 0 to 127) and non-standardized values (128 to 255). There are 3 standardized SST values defined: eMBB (1), URLLC (2) and MIoT (3).
• sd = [0..16777214]
  This parameter indicates the slice differentiator. It may differentiate slices of the same type. It is an optional parameter.
• operationalState = [0 - disabled, 1 - enabled]
  This parameter defines the operational state of the Network Slice instance. It shows if the resource is physically installed and working. The operational state is the system set up value which is set to disabled once created and is changed to enabled when Ng is set up correctly.
• administrativeState = [0 - disabled, 1 - enabled]
  This parameter defines the administrative state of Network Slicing. It sets permission to use or prohibition against using the resource.
• userLabel = (user friendly name)
  This parameter denotes a label that can be used for a user-friendly name of the slice instance.
Slice configuration: Slice in Tracking Area setup

• Each slice is connected to the TA (Tracking Area).
• A single NRCELL can use only one TAC.
• All cells in a given TA must use the same slice set assigned to this Tracking Area.
• Example:

TA is assigned to NRBTS:
MRBTS/NRBTS/NRCELL/
    trackingAreaDN

MRBTS/NRBTS/TRACKINGAREA/
    snssaiDNList
    trackingAreaId
    fiveGsTac

S-NSSAI is assigned to TA (one TA can have more than one slice, up to 20, the limitation on NRBTS):
MRBTS/NRBTS/SNSSAI/
    snssaiID = 1
    sst = 1 (eMBB)
    sd = 1
    operationalState = 1 (enabled)
    administrativeState = 1 (enabled)
    userLabel = "factoryA eMBB slice"

MRBTS/NRBTS/SNSSAI/
    snssaiID = 2
    sst = 128
    sd = (not defined)
    operationalState = 1 (enabled)
    administrativeState = 1 (enabled)
    userLabel = "remote surgery"

Notes:
• On the NRBTS level it is possible to create support of up to 20 slices identified by S-NSSAI.
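A consistency check for the gNB slice setup just described, added here as a Python example (not Nokia's own tooling): it applies the parameter ranges from the previous slides, the SA rule (gNbCuType 1 or 2 requires at least one SNSSAI, the post-5G20A form of the activation note), the 20-slice limit per NRBTS, and the NRCELL to TRACKINGAREA to SNSSAI references. The dict layout, the "NRBTS-1/SNSSAI-1" style DN strings and the sample configuration are constructed for this example.

```python
from typing import Dict, List

MAX_SLICES_PER_NRBTS = 20
SA_CU_TYPES = {1, 2}    # NRBTS.gNbCuType: 1 = SA, 2 = both SA and NSA

def check_snssai(dn: str, p: dict, errors: List[str]) -> None:
    # Range checks for one MRBTS/NRBTS/SNSSAI object, ranges as on the slides
    if not 1 <= p.get("snssaiID", 0) <= 20:
        errors.append(f"{dn}: snssaiID must be in [1..20]")
    sst = p.get("sst")
    if sst != 1 and not (isinstance(sst, int) and 128 <= sst <= 255):
        errors.append(f"{dn}: sst must be 1 (eMBB) or operator specific 128..255")
    sd = p.get("sd")
    if sd is not None and not 0 <= sd <= 16777214:
        errors.append(f"{dn}: sd must be in [0..16777214] or left undefined")
    for state in ("operationalState", "administrativeState"):
        if p.get(state) not in (0, 1):
            errors.append(f"{dn}: {state} must be 0 (disabled) or 1 (enabled)")

def validate_nrbts(cfg: dict) -> List[str]:
    # Returns the list of problems; an empty list means the setup is consistent
    errors: List[str] = []
    slices: Dict[str, dict] = cfg.get("SNSSAI", {})
    if len(slices) > MAX_SLICES_PER_NRBTS:
        errors.append(f"NRBTS supports at most {MAX_SLICES_PER_NRBTS} slices")
    if cfg.get("gNbCuType") in SA_CU_TYPES and not slices:
        errors.append("SA mode requires at least one SNSSAI instance")
    ids = [p.get("snssaiID") for p in slices.values()]
    if len(ids) != len(set(ids)):
        errors.append("snssaiID must be unique within the NRBTS")
    for dn, p in slices.items():
        check_snssai(dn, p, errors)
    tas: Dict[str, dict] = cfg.get("TRACKINGAREA", {})
    for dn, ta in tas.items():
        for ref in ta.get("snssaiDNList", []):
            if ref not in slices:
                errors.append(f"{dn}: snssaiDNList refers to unknown slice {ref}")
    for dn, cell in cfg.get("NRCELL", {}).items():
        # one NRCELL uses one TAC, so it must point at exactly one TRACKINGAREA
        if cell.get("trackingAreaDN") not in tas:
            errors.append(f"{dn}: trackingAreaDN does not point to a TRACKINGAREA")
    return errors

# Constructed sample mirroring the two slices on the slide (not a real site)
SAMPLE = {"gNbCuType": 1,
          "NRCELL": {"NRBTS-1/NRCELL-1": {"trackingAreaDN": "NRBTS-1/TRACKINGAREA-1"}},
          "TRACKINGAREA": {"NRBTS-1/TRACKINGAREA-1": {"fiveGsTac": 100, "snssaiDNList": ["NRBTS-1/SNSSAI-1", "NRBTS-1/SNSSAI-2"]}},
          "SNSSAI": {"NRBTS-1/SNSSAI-1": {"snssaiID": 1, "sst": 1, "sd": 1, "operationalState": 1, "administrativeState": 1},
                     "NRBTS-1/SNSSAI-2": {"snssaiID": 2, "sst": 128, "sd": None, "operationalState": 1, "administrativeState": 1}}}
```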
Delivering QoS Using RAN Slicing: Service Differentiation

[Figure: DRB profile selection in the gNB. UE1 and UE2 are served by PLMN1, UE3 by PLMN2. Within PLMN1 the same service type, eMBB (SST#1), is hosted on different slices, i.e. Slice 1 (eMBB - generic) vs Slice 2 (eMBB - Cloud gaming), using the SD; PLMN1 also hosts Slice 3 (URLLC - Robot factory). PLMN2 hosts Slice 1 (eMBB - generic) and Slice 2 (eMBB - Streaming). The DRBs shown (5QI9, 5QI6, 5QI8 and 5QI84) receive different scheduling weights (1, 5, 10, 20 and 40) depending on the PLMN and slice they are mapped to.]

• For SA capable UEs, service differentiation per Slice per PLMN can be achieved: multiple services associated with the same 5QI can be mapped to different Slices (and/or different PLMN), allowing each service to have a different scheduling weight.
• Each non-GBR DRB profile (based on PLMN ID, Slice ID (S-NSSAI) and 5QI) contains operator configurable settings like scheduling weight (used by the scheduler), RLC profile, PDCP profile, DSCP setting and logical channel priority.
Thank You