Part 1: 4G / LTE Fundamentals
Learning Objective: Understand the 4G LTE Evolved Packet Core (EPC) architecture, network functions, interfaces, and subscriber procedures.
Table of Contents
- What is LTE / EPC?
- 4G EPC Architecture
- Control Plane vs User Plane Separation (CUPS)
- Core Network Functions
- Key Interfaces
- Subscriber Lifecycle
- Authentication and Security
What is LTE / EPC?
LTE (Long-Term Evolution) is the 4G radio access technology that replaced 3G UMTS/HSPA. The EPC (Evolved Packet Core) is the all-IP core network that supports LTE.
Key Characteristics
- All-IP architecture (no circuit-switched voice like 2G/3G)
- Flat architecture (fewer network hops than 3G)
- Separation of control and user planes (CUPS)
- Supports VoLTE (Voice over LTE via IMS)
4G EPC Architecture
The EPC consists of control plane functions (for signaling) and user plane functions (for data traffic).
Reading the diagram below: "Core Network Signaling" contains functions that are inherently signaling-only — they were never split because they have no user plane component (there is no "MME-U" or "HSS-U"). "CUPS Gateways" contain functions that CUPS split apart from originally monolithic gateways (SGW, PGW) into control and user halves, reconnected via PFCP (Sxa/Sxb). Thick green lines show the UE's user data path; thin lines are signaling/control interfaces.
```mermaid
graph TB
    subgraph "Radio Access Network"
        UE[📱 UE<br/>User Equipment]
        eNB[📡 eNodeB<br/>Base Station]
    end
    subgraph "Core Network Signaling"
        MME[🎛️ MME<br/>Mobility Management]
        HSS[(🔐 HSS<br/>Subscriber DB)]
        PCRF[📋 PCRF<br/>Policy & Charging]
    end
    subgraph "CUPS Gateways - Control"
        SGWC[⚙️ SGW-C<br/>Serving GW Control]
        PGWC[⚙️ PGW-C/SMF<br/>PDN GW Control]
    end
    subgraph "CUPS Gateways - User"
        SGWU[📦 SGW-U<br/>Serving GW User]
        PGWU[📦 PGW-U/UPF<br/>PDN GW User]
    end
    subgraph "IMS - VoLTE"
        AF[📞 AF / P-CSCF<br/>Application Function]
    end
    Internet[🌐 Internet]
    UE <-->|Uu<br/>Air Interface| eNB
    eNB <-->|S1-MME<br/>S1AP/SCTP| MME
    eNB <-->|S1-U<br/>GTP-U| SGWU
    MME <-->|S6a<br/>Diameter| HSS
    MME <-->|S11<br/>GTP-C| SGWC
    HSS <-->|Cx<br/>Diameter| AF
    SGWC <-->|Sxa<br/>PFCP| SGWU
    SGWC <-->|S5-C<br/>GTP-C| PGWC
    SGWU <-->|S5-U<br/>GTP-U| PGWU
    PGWC <-->|Gx<br/>Diameter| PCRF
    PGWC <-->|Sxb<br/>PFCP| PGWU
    PCRF <-->|Rx<br/>Diameter| AF
    PGWU <-->|SGi| Internet
    PGWU <-->|SGi<br/>SIP/RTP| AF
    style UE fill:#e1f5ff
    style eNB fill:#fff4e1
    style MME fill:#ffe1e1
    style HSS fill:#f0e1ff
    style PCRF fill:#e1ffe1
    style SGWC fill:#ffe1f0
    style SGWU fill:#ffe1f0
    style PGWC fill:#fff0e1
    style PGWU fill:#fff0e1
    style AF fill:#fff8e1
    linkStyle 0 stroke:#2ecc71,stroke-width:3px
    linkStyle 2 stroke:#2ecc71,stroke-width:3px
    linkStyle 8 stroke:#2ecc71,stroke-width:3px
    linkStyle 12 stroke:#2ecc71,stroke-width:3px
    linkStyle 13 stroke:#2ecc71,stroke-width:3px
```
Control Plane vs User Plane Separation (CUPS)
CUPS was introduced in Release 14 by the 3GPP (the 3rd Generation Partnership Project, the global body responsible for defining cellular standards). It physically separates control and user plane functions for better scalability and independent resource management.
Why CUPS?
In traditional LTE architectures, control and user plane functions were often bundled within the same physical node (e.g., the SGW was one box handling both signaling and forwarding). CUPS explicitly separates these gateway functions:
- Gateway Control Plane (e.g., SGW-C, PGW-C): Handles session signaling, bearer management, and tunnel setup. It acts as the "brain," deciding how traffic should be routed and managed.
- Gateway User Plane (e.g., SGW-U, PGW-U): Responsible for the actual transport and forwarding of user data (IP packets) between the UE and external networks (Internet). It acts as the "brawn," executing the rules defined by the control plane.
CUPS only applies to gateway functions (SGW, PGW, TDF). Core signaling functions like MME, HSS, and PCRF were always signaling-only and are not affected by CUPS.
| Benefit | Description |
|---|---|
| Scalability | Scale control and user planes independently |
| MEC Support | Deploy user plane close to edge (low latency) |
| Cost Efficiency | Use cheaper hardware for user plane forwarding |
| Flexibility | Centralize control, distribute user plane |
CUPS Interfaces
| Interface | Protocol | Description |
|---|---|---|
| Sxa | PFCP | SGW-C ↔ SGW-U: Enables the Control Plane to manage session contexts, usage reporting, and data path selection on the Serving Gateway (SGW) User Plane. |
| Sxb | PFCP | PGW-C ↔ PGW-U: Used by the PDN Gateway (PGW) Control Plane to install Packet Detection Rules (PDRs), Forwarding Action Rules (FARs), and QoS enforcement on the User Plane. |
| Sxc | PFCP | TDF-C ↔ TDF-U: Facilitates communication between the Traffic Detection Function (TDF) Control and User planes for application-specific traffic steering and policy enforcement. |
PFCP (Packet Forwarding Control Protocol) is the signaling protocol (3GPP TS 29.244) that allows the gateway control plane to program its user plane's forwarding behavior without being involved in the data path itself.
Why these three interfaces? Sxa, Sxb, and Sxc are the only interfaces that exist purely because of CUPS. Other EPC interfaces (S1, S6a, S11, Gx, S5, SGi, etc.) predate CUPS and existed in the original monolithic architecture. Without CUPS, the SGW, PGW, and TDF are each a single box with no internal C↔U communication needed — the Sx family was created specifically to reconnect the split halves via PFCP. Sxc (TDF) is included here for completeness per the 3GPP spec, even though Open5GS does not implement a TDF; it is relevant for threat modeling carriers that deploy TDF for DPI or application-aware policy enforcement.
Open5GS implements CUPS by default. In configs, you'll see separate daemons for sgwc/sgwu and smf/upf.
Core Network Functions
MME (Mobility Management Entity)
Role: Main control plane hub for LTE
Responsibilities:
- UE attach/detach: Manages network entry and resource cleanup, ensuring only active devices consume network resources.
- Tracking Area Update (TAU): Maintains UE location awareness for efficient paging without requiring constant active signaling.
- Bearer management: Establishes the end-to-end data paths and enforces Quality of Service (QoS) for user traffic.
- Authentication and security: Validates subscriber identity and protects control-plane signaling from interception or spoofing.
- Paging: Allows the network to reach devices in power-saving (idle) modes when incoming data arrives.
- Handover signaling: Coordinates the seamless transition of a UE between cells to prevent dropped calls or data sessions.
Interfaces:
- S1-MME (to eNB): S1AP (S1 Application Protocol) over SCTP (Stream Control Transmission Protocol) – Transports NAS (Non-Access Stratum) signaling and manages the control link between the radio access and core networks.
- S6a (to HSS): Diameter – Used for mutual authentication, downloading subscriber profiles, and updating the UE's location in the database.
- S11 (to SGW-C): GTPv2-C (GPRS Tunnelling Protocol version 2 - Control Plane) – Communicates bearer management instructions to the Serving Gateway to establish the user-plane data path.
HSS (Home Subscriber Server)
Role: Subscriber database (like a SIM card registry)
Stores:
- IMSI (International Mobile Subscriber Identity): A unique 15-digit number that globally identifies a cellular subscriber.
- K (Subscriber Secret Key): A 128-bit root key shared only between the USIM and the HSS, used to derive all session-specific encryption and integrity keys.
- OPc (Operator Variant Key): A 128-bit value derived from the Operator Key (OP) and the subscriber's secret key (K), used to protect against unauthorized SIM cloning and to authenticate the network to the UE.
- Subscriber Profile: Defines the user's entitlements, including subscribed APNs (Access Point Names), QoS (Quality of Service) class identifiers, and roaming restrictions.
Interfaces:
- S6a (to MME) - Diameter
- Cx (to IMS for VoLTE) - Diameter
PCRF (Policy and Charging Rules Function)
Role: Policy enforcement and charging control
Responsibilities:
- QoS policy (bandwidth limits, priority)
- Charging rules (prepaid/postpaid)
- Application detection (DPI integration)
Interfaces:
- Gx (to PGW-C/SMF) - Diameter (session-level QoS/charging rules)
- Rx (to AF/IMS) - Diameter (application-layer QoS requests, e.g., VoLTE voice bearer)
The Rx interface connects PCRF to an Application Function (AF), such as an IMS P-CSCF for VoLTE. It is not PCRF↔HSS.
AF / P-CSCF (Application Function)
Role: Bridge between application-layer services (e.g., VoLTE) and the EPC policy framework
The Application Function (AF) is a 3GPP-defined logical role for any service that needs to request specific network resources (bandwidth, QoS, priority) from the core network. In practice, the most common AF in LTE deployments is the P-CSCF (Proxy-Call Session Control Function), the entry point into the IMS (IP Multimedia Subsystem) used for VoLTE (Voice over LTE).
The P-CSCF is a server in the carrier's network, not the user's phone. The UE has a built-in SIP client (VoLTE dialer) that connects to the P-CSCF over the LTE data bearer.
What is IMS?
- The IMS (IP Multimedia Subsystem) is the framework that enables voice, video, and messaging over LTE's all-IP network (replacing legacy circuit-switched voice).
- Without IMS, LTE has no native voice capability — calls would fall back to 2G/3G via CSFB (Circuit-Switched Fallback).
- VoLTE = Voice over LTE = SIP (Session Initiation Protocol)-based voice calls routed through IMS.
What does the P-CSCF do?
- Acts as the first contact point for the UE's SIP (Session Initiation Protocol) signaling when making a VoLTE call.
- Requests a dedicated GBR (Guaranteed Bit Rate) bearer (high-priority, low-latency) from the PCRF via the Rx interface so voice packets get guaranteed QoS.
- Authenticates the subscriber for IMS services via the HSS over the Cx interface.
How does UE data reach the P-CSCF?
The P-CSCF sits on the SGi side — the same network side as the Internet. The UE's SIP signaling travels the same GTP tunnel path as regular internet traffic:
📱 UE (SIP client sends SIP REGISTER/INVITE)
↓ [Uu: radio]
📡 eNodeB
↓ [S1-U: GTP-U]
📦 SGW-U
↓ [S5-U: GTP-U]
📦 PGW-U/UPF
↓ [SGi: regular IP]
📞 P-CSCF ← just another IP destination, like the Internet
There is no special "IMS tunnel." The UE sends SIP packets (typically UDP/TCP port 5060 or TLS port 5061) over its existing default bearer. What makes VoLTE different from browsing the web is what happens after the P-CSCF receives the SIP signaling:
- UE sends SIP REGISTER → normal data path → P-CSCF
- P-CSCF asks HSS (via Cx): "Is this subscriber authorized for IMS?"
- UE sends SIP INVITE (initiate a call) → normal data path → P-CSCF
- P-CSCF asks PCRF (via Rx): "Allocate a dedicated GBR bearer for this voice session"
- PCRF tells PGW-C (via Gx): "Create a high-priority bearer"
- PGW-C programs PGW-U (via Sxb): "Install QoS forwarding rules for voice"
- Voice RTP (Real-time Transport Protocol) packets now flow on a separate, prioritized bearer — not competing with web traffic
Interfaces:
- Rx (to PCRF) - Diameter: Requests QoS resources for media sessions (e.g., "allocate a GBR (Guaranteed Bit Rate) bearer at 40 kbps for this VoLTE call")
- Cx (to HSS) - Diameter: Retrieves IMS subscriber profiles and authentication vectors for SIP registration
Open5GS does not include a built-in IMS/P-CSCF. For VoLTE testing in labs, external IMS implementations like Kamailio or sipp are used alongside Open5GS.
SGW-C (Serving Gateway - Control Plane)
Role: Anchor point for inter-eNB handovers
Responsibilities:
- Mobility anchor when UE moves between eNBs
- Buffering downlink data for idle UEs
- Lawful intercept
Interfaces:
- S11 (to MME) - GTP-C
- Sxa (to SGW-U) - PFCP
- S5-C (to PGW-C) - GTP-C
SGW-U (Serving Gateway - User Plane)
Role: User data forwarding
Responsibilities:
- Packet routing between eNB and PGW-U
- QoS enforcement (per-bearer)
- Packet marking (DSCP)
Interfaces:
- S1-U (to eNB) - GTP-U
- Sxa (to SGW-C) - PFCP
- S5-U (to PGW-U) - GTP-U
PGW-C / SMF (PDN Gateway - Control Plane / Session Management Function)
Role: PDN session management and IP address allocation
Responsibilities:
- Assign UE IP address
- Create GTP tunnels
- Policy enforcement (via PCRF)
- Charging triggers
Interfaces:
- S5-C (to SGW-C) - GTP-C
- Gx (to PCRF) - Diameter
- Sxb (to PGW-U) - PFCP
In Open5GS, SMF is the 5G name for PGW-C. It handles both 4G and 5G sessions.
PGW-U / UPF (PDN Gateway - User Plane / User Plane Function)
Role: Gateway to external networks (Internet)
Responsibilities:
- NAT (if using private UE IPs)
- Packet filtering
- Traffic shaping
- Lawful intercept
Interfaces:
- S5-U (to SGW-U) - GTP-U
- Sxb (to PGW-C) - PFCP
- SGi (to Internet) - IP
In Open5GS, UPF is the 5G name for PGW-U. It handles both 4G and 5G user plane traffic.
Key Interfaces
Uu (UE ↔ eNB)
- Protocol: LTE-Uu (air interface)
- Purpose: Radio link between UE and base station (RRC signaling + user data)
- Port: N/A (radio interface)
S1-MME (eNB ↔ MME)
- Protocol: S1AP over SCTP
- Purpose: NAS signaling (attach, TAU, service request)
- Port: 36412
S1-U (eNB ↔ SGW-U)
- Protocol: GTP-U over UDP
- Purpose: User data tunneling
- Port: 2152
S6a (MME ↔ HSS)
- Protocol: Diameter
- Purpose: Authentication vectors, subscriber profile
- Port: 3868
S11 (MME ↔ SGW-C)
- Protocol: GTP-C over UDP
- Purpose: Bearer management signaling
- Port: 2123
S5-C (SGW-C ↔ PGW-C)
- Protocol: GTP-C over UDP
- Purpose: Control plane signaling for session creation between serving and PDN gateways
- Port: 2123
S5-U (SGW-U ↔ PGW-U)
- Protocol: GTP-U over UDP
- Purpose: User plane data tunneling between serving and PDN gateways
- Port: 2152
Gx (PGW-C ↔ PCRF)
- Protocol: Diameter
- Purpose: Policy and charging rules
- Port: 3868
Cx (HSS ↔ IMS / P-CSCF)
- Protocol: Diameter
- Purpose: IMS subscriber authentication and profile retrieval for VoLTE registration
- Port: 3868
Rx (PCRF ↔ AF / P-CSCF)
- Protocol: Diameter
- Purpose: Application-layer QoS requests (e.g., dedicated bearer for VoLTE voice/video)
- Port: 3868
Sxa / Sxb (Control ↔ User Plane)
- Protocol: PFCP (Packet Forwarding Control Protocol) over UDP
- Purpose: Install/modify/delete packet forwarding rules
- Port: 8805
SGi (PGW-U ↔ Internet)
- Protocol: IP
- Purpose: User data to external networks
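S6a, Gx, Cx and Rx all run Diameter on port 3868, so it is the Application-Id in the fixed 20-byte Diameter header, not the port, that tells them apart. The following is an added example (not part of the original material or of Open5GS) that parses that header and flags messages whose application does not belong on a given peer link. The Gx, Rx and Cx Application-Ids and the command codes are the registered values rather than values from this page, the helper names are hypothetical, and the sample messages are constructed.

```python
import struct

# S6a's Application-Id is given on this page; Gx, Rx and Cx are the registered
# 3GPP values (assumption: not stated on the page). 0 = Diameter base protocol.
APP_IDS = {0: "base", 16777216: "Cx", 16777236: "Rx",
           16777238: "Gx", 16777251: "S6a"}
COMMANDS = {257: "Capabilities-Exchange", 280: "Device-Watchdog", 265: "AA",
            272: "Credit-Control", 316: "Update-Location",
            318: "Authentication-Information"}

def parse_header(buf: bytes) -> dict:
    """Decode the fixed 20-byte Diameter header (RFC 6733)."""
    if len(buf) < 20:
        raise ValueError("truncated Diameter header")
    ver_len, flags_cmd, app_id, hop_by_hop, _end_to_end = struct.unpack(
        "!5I", buf[:20])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_cmd >> 24, flags_cmd & 0xFFFFFF
    if version != 1 or length < 20 or length % 4:
        raise ValueError("not a valid Diameter message")
    return {"interface": APP_IDS.get(app_id, f"unknown({app_id})"),
            "command": COMMANDS.get(code, f"code {code}"),
            "request": bool(flags & 0x80),   # R bit
            "length": length,
            "hop_by_hop": hop_by_hop}

def unexpected_on_link(messages, allowed=("S6a", "base")):
    """Return parsed headers whose application does not belong on this link."""
    flagged = []
    for raw in messages:
        hdr = parse_header(raw)
        if hdr["interface"] not in allowed:
            flagged.append(hdr)
    return flagged

def build_header(code, app_id, request=True, hbh=1, e2e=1) -> bytes:
    """Constructed sample input: a header-only message (no AVPs)."""
    flags = 0x80 if request else 0x00
    return struct.pack("!5I", (1 << 24) | 20, (flags << 24) | code,
                       app_id, hbh, e2e)

# Constructed traffic for an MME <-> HSS peer link
SAMPLE_LINK = [
    build_header(257, 0),                        # capabilities exchange
    build_header(318, 16777251),                 # S6a AIR (attach, step 1)
    build_header(316, 16777251, request=False),  # S6a ULA
    build_header(272, 16777238),                 # Gx CCR: wrong link
]

if __name__ == "__main__":
    for hdr in unexpected_on_link(SAMPLE_LINK):
        print("unexpected application on S6a link:", hdr)
```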
Subscriber Lifecycle
1. UE Attach Procedure
```mermaid
sequenceDiagram
    participant UE as 📱 UE
    participant eNB as 📡 eNodeB
    participant MME as 🎛️ MME
    participant HSS as 🔐 HSS
    participant SGWC as ⚙️ SGW-C
    participant SGWU as 📦 SGW-U
    participant PGWC as ⚙️ PGW-C/SMF
    participant PGWU as 📦 PGW-U/UPF
    UE->>eNB: RRC Connection Request
    eNB->>UE: RRC Connection Setup
    UE->>eNB: RRC Connection Setup Complete<br/>(NAS: Attach Request)
    eNB->>MME: S1AP: Initial UE Message<br/>(IMSI, Attach Request)
    MME->>HSS: S6a: Authentication Info Request<br/>(IMSI)
    HSS->>MME: S6a: Authentication Info Answer<br/>(RAND, AUTN, XRES, KASME)
    MME->>UE: NAS: Authentication Request<br/>(RAND, AUTN)
    UE->>MME: NAS: Authentication Response<br/>(RES)
    Note over MME: Verify RES == XRES
    MME->>UE: NAS: Security Mode Command
    UE->>MME: NAS: Security Mode Complete
    MME->>HSS: S6a: Update Location Request
    HSS->>MME: S6a: Update Location Answer<br/>(Subscriber Profile)
    MME->>SGWC: S11: Create Session Request<br/>(IMSI, APN, QoS)
    SGWC->>PGWC: S5-C: Create Session Request
    PGWC->>PGWU: Sxb: PFCP Session Establishment<br/>(Install forwarding rules)
    PGWU->>PGWC: Sxb: PFCP Session Establishment Response<br/>(UE IP: 10.45.0.2)
    PGWC->>SGWC: S5-C: Create Session Response<br/>(UE IP, PGW-U GTP TEID)
    SGWC->>SGWU: Sxa: PFCP Session Establishment
    SGWU->>SGWC: Sxa: PFCP Session Establishment Response
    SGWC->>MME: S11: Create Session Response<br/>(UE IP, SGW-U GTP TEID)
    MME->>eNB: S1AP: Initial Context Setup Request<br/>(UE IP, SGW-U TEID, Security Keys)
    eNB->>UE: RRC: Connection Reconfiguration<br/>(Radio bearers)
    UE->>eNB: RRC: Connection Reconfiguration Complete
    eNB->>MME: S1AP: Initial Context Setup Response
    MME->>UE: NAS: Attach Accept<br/>(UE IP: 10.45.0.2)
    UE->>MME: NAS: Attach Complete
    Note over UE,PGWU: GTP-U tunnel established:<br/>UE ↔ eNB ↔ SGW-U ↔ PGW-U ↔ Internet
```
2. PDN Session Establishment
After attach, the UE has:
- IP address (e.g., 10.45.0.2 from Open5GS default pool)
- Default bearer (always-on, for control plane)
- GTP tunnel (eNB ↔ SGW-U ↔ PGW-U)
3. User Data Flow
📱 UE (10.45.0.2)
↓ [S1-U: GTP-U tunnel TEID=0x12345678]
📡 eNodeB
↓ [S1-U: GTP-U]
📦 SGW-U
↓ [S5-U: GTP-U]
📦 PGW-U/UPF
↓ [SGi: NAT to public IP]
🌐 Internet (e.g., 8.8.8.8)
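What one hop of that tunnel looks like on the wire, as an added example that is not part of the original material or of Open5GS: a GTPv1-U G-PDU is an 8-byte header carrying the TEID, followed by the subscriber's IP packet unchanged. The function names are hypothetical, the ping packet is constructed, and the parser goes slightly beyond the diagram by also handling the optional sequence-number and extension-header fields.

```python
import ipaddress
import struct

GTPU_PORT = 2152   # UDP port for S1-U and S5-U (from the interface list)
G_PDU = 0xFF       # GTP-U message type that carries a user packet

def gtpu_encap(teid: int, inner: bytes) -> bytes:
    """Prepend a minimal 8-byte GTPv1-U header (E, S and PN flags clear)."""
    return struct.pack("!BBHI", 0x30, G_PDU, len(inner), teid) + inner

def gtpu_decap(datagram: bytes):
    """Return (teid, inner_packet) for a G-PDU; ValueError if malformed."""
    if len(datagram) < 8:
        raise ValueError("shorter than the mandatory GTP-U header")
    flags, mtype, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTP version 1")
    if mtype != G_PDU:
        raise ValueError("not a G-PDU")
    if length != len(datagram) - 8:
        raise ValueError("length field disagrees with datagram size")
    off = 8
    if flags & 0x07:                 # E, S or PN set: 4 optional bytes follow
        if len(datagram) < 12:
            raise ValueError("truncated optional fields")
        next_ext = datagram[11] if flags & 0x04 else 0
        off = 12
        while next_ext:              # each extension: length in 4-byte units
            if off >= len(datagram):
                raise ValueError("truncated extension header")
            ext_len = datagram[off] * 4
            if ext_len == 0 or off + ext_len > len(datagram):
                raise ValueError("bad extension header length")
            next_ext = datagram[off + ext_len - 1]
            off += ext_len
    return teid, datagram[off:]

def ipv4_endpoints(packet: bytes):
    """Source and destination address of the tunnelled IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))

def sample_ping() -> bytes:
    """Constructed ICMP echo 10.45.0.2 -> 8.8.8.8 (IP checksum left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address("10.45.0.2").packed,
                     ipaddress.IPv4Address("8.8.8.8").packed)
    return ip + bytes([8, 0, 0xF7, 0xFF, 0, 0, 0, 0])

if __name__ == "__main__":
    teid, inner = gtpu_decap(gtpu_encap(0x12345678, sample_ping()))
    print(hex(teid), ipv4_endpoints(inner))
```

The inner addresses are readable straight from the datagram because GTP-U adds no confidentiality or integrity protection of its own.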
4. Tracking Area Update (TAU)
When UE moves to a new Tracking Area:
- UE sends TAU Request to new eNB
- New eNB forwards to MME
- MME updates location in HSS
- If SGW changes, MME triggers path switch
Authentication and Security
AKA (Authentication and Key Agreement)
```mermaid
graph LR
    subgraph "SIM Card"
        IMSI[IMSI<br/>001010123456789]
        K[K<br/>Secret Key<br/>128-bit]
    end
    subgraph "HSS"
        K2[K<br/>Same Secret Key]
        OPc[OPc<br/>Operator Key]
    end
    subgraph "Authentication Vectors"
        RAND[RAND<br/>Random Challenge]
        AUTN[AUTN<br/>Auth Token]
        XRES[XRES<br/>Expected Response]
        KASME[KASME<br/>Base Key]
    end
    K --> RAND
    K2 --> RAND
    OPc --> RAND
    RAND --> AUTN
    RAND --> XRES
    RAND --> KASME
    style K fill:#ff9999
    style K2 fill:#ff9999
    style KASME fill:#99ff99
```
Key Hierarchy
KASME (256-bit base key from AKA)
├─ KeNB (key for eNB, used for AS security)
│ ├─ KRRCenc (RRC encryption)
│ ├─ KRRCint (RRC integrity)
│ ├─ KUPenc (user plane encryption)
│ └─ ... (other AS keys)
└─ NAS keys
├─ KNASenc (NAS encryption)
└─ KNASint (NAS integrity)
Security Algorithms
| Layer | Algorithm | Purpose |
|---|---|---|
| NAS | EEA0/EEA1/EEA2 | Encryption (EEA0 = null) |
| NAS | EIA0/EIA1/EIA2 | Integrity (EIA0 = null) |
| AS (RRC) | EEA0/EEA1/EEA2 | Encryption |
| AS (RRC) | EIA0/EIA1/EIA2 | Integrity |
Security Gap: S1-U (user plane between eNB and SGW-U) is NOT encrypted by default. This is a known vulnerability exploited by IMSI catchers and rogue eNBs.
🔬 Exercises
- Diagram Exercise: Draw the data path for a UE pinging 8.8.8.8. Label every GTP tunnel (TEID) and interface.
- Security Exercise: Which interfaces in the EPC are encrypted by default? Which are not? (Hint: check the Security Warning box above)
- Config Exercise: In the Open5GS mme.yaml, what happens if you change mcc/mnc to 999/99? What error would the UE see?
- Wireshark Exercise: What Diameter Application-Id would you see on the S6a interface? (Answer: 16777251 for S6a)
Real-World Context
| Operator Example | Detail |
|---|---|
| T-Mobile US | Deployed CUPS in 2019 to prepare for 5G SA migration |
| Vodafone | Uses Diameter Edge Agent (DEA) to secure S6a |
| Open5GS | Implements dual-stack (4G+5G) — SMF handles both PGW-C and 5G session management |
In Open5GS, the same open5gs-smfd binary handles both 4G PGW-C (via GTP-C/Diameter) and 5G SMF (via SBI/HTTP2). This is why the Docker labs use Open5GS in combined mode.
Summary
You now understand:
- ✅ 4G EPC architecture (core signaling + CUPS gateways)
- ✅ CUPS separation (SGW-C/U, PGW-C/U) and why it only applies to gateways
- ✅ All core network functions (MME, HSS, PCRF, SGW, PGW, AF/P-CSCF)
- ✅ IMS and VoLTE fundamentals (P-CSCF, SIP, dedicated bearers)
- ✅ Key interfaces (Uu, S1, S5, S6a, S11, Gx, Cx, Rx, Sxa/Sxb, SGi)
- ✅ UE attach procedure and GTP tunneling
- ✅ AKA authentication and key hierarchy
- ✅ Why Open5GS uses combined 4G/5G mode