Part 1: 4G / LTE Fundamentals

Learning Objective: Understand the 4G LTE Evolved Packet Core (EPC) architecture, network functions, interfaces, and subscriber procedures.

Table of Contents

• What is LTE / EPC?
• 4G EPC Architecture
• Control Plane vs User Plane Separation (CUPS)
• Core Network Functions
• Key Interfaces
• Subscriber Lifecycle
• Authentication and Security

What is LTE / EPC?

LTE (Long-Term Evolution) is the 4G radio access technology that replaced 3G UMTS/HSPA. The EPC (Evolved Packet Core) is the all-IP core network that supports LTE.

Key Characteristics

• All-IP architecture (no circuit-switched voice like 2G/3G)
• Flat architecture (fewer network hops than 3G)
• Separation of control and user planes (CUPS)
• Supports VoLTE (Voice over LTE via IMS)

4G EPC Architecture

The EPC consists of control plane functions (for signaling) and user plane functions (for data traffic).

graph TB
    subgraph "Radio Access Network"
        UE[📱 UE
User Equipment]
        eNB[📡 eNodeB
Base Station]
    end
    
    subgraph "Control Plane"
        MME[🎛️ MME
Mobility Management]
        HSS[(🔐 HSS
Subscriber DB)]
        PCRF[📋 PCRF
Policy & Charging]
    end
    
    subgraph "User Plane - CUPS"
        SGWC[⚙️ SGW-C
Serving GW Control]
        SGWU[📦 SGW-U
Serving GW User]
        PGWC[⚙️ PGW-C/SMF
PDN GW Control]
        PGWU[📦 PGW-U/UPF
PDN GW User]
    end
    
    Internet[🌐 Internet]
    
    UE <-->|Uu
Air Interface| eNB
    eNB <-->|S1-MME
S1AP/SCTP| MME
    eNB <-->|S1-U
GTP-U| SGWU
    
    MME <-->|S6a
Diameter| HSS
    MME <-->|S11
GTP-C| SGWC
    
    SGWC <-->|Sxa
PFCP| SGWU
    SGWC <-->|S5-C
GTP-C| PGWC
    SGWU <-->|S5-U
GTP-U| PGWU
    
    PGWC <-->|Gx
Diameter| PCRF
    PGWC <-->|Sxb
PFCP| PGWU
    
    PGWU <-->|SGi| Internet
    
    style UE fill:#e1f5ff
    style eNB fill:#fff4e1
    style MME fill:#ffe1e1
    style HSS fill:#f0e1ff
    style PCRF fill:#e1ffe1
    style SGWC fill:#ffe1f0
    style SGWU fill:#ffe1f0
    style PGWC fill:#fff0e1
    style PGWU fill:#fff0e1

Control Plane vs User Plane Separation (CUPS)

CUPS (3GPP Release 14) physically separates control and user plane functions for better scalability.

Why CUPS?

CUPS Interfaces

Core Network Functions

MME (Mobility Management Entity)

Role: Main control plane hub for LTE

Responsibilities:

• UE attach/detach procedures
• Tracking Area Update (TAU)
• Bearer management (create/modify/delete)
• Authentication and security (NAS encryption/integrity)
• Paging for idle-mode UEs
• Handover signaling

Interfaces:

• S1-MME (to eNB) - SCTP
• S6a (to HSS) - Diameter
• S11 (to SGW-C) - GTP-C

HSS (Home Subscriber Server)

Role: Subscriber database (like a SIM card registry)

Stores:

• IMSI (International Mobile Subscriber Identity)
• K (subscriber secret key)
• OPc (operator variant key)
• Subscriber profile (QoS, APN, roaming permissions)

Interfaces:

• S6a (to MME) - Diameter
• Cx (to IMS for VoLTE) - Diameter

PCRF (Policy and Charging Rules Function)

Role: Policy enforcement and charging control

Responsibilities:

• QoS policy (bandwidth limits, priority)
• Charging rules (prepaid/postpaid)
• Application detection (DPI integration)

Interfaces:

• Gx (to PGW-C/SMF) - Diameter (session-level QoS/charging rules)
• Rx (to AF/IMS) - Diameter (application-layer QoS requests, e.g., VoLTE voice bearer)

SGW-C (Serving Gateway - Control Plane)

Role: Anchor point for inter-eNB handovers

Responsibilities:

• Mobility anchor when UE moves between eNBs
• Buffering downlink data for idle UEs
• Lawful intercept

Interfaces:

• S11 (to MME) - GTP-C
• Sxa (to SGW-U) - PFCP
• S5-C (to PGW-C) - GTP-C

SGW-U (Serving Gateway - User Plane)

Role: User data forwarding

Responsibilities:

• Packet routing between eNB and PGW-U
• QoS enforcement (per-bearer)
• Packet marking (DSCP)

Interfaces:

• S1-U (to eNB) - GTP-U
• Sxa (to SGW-C) - PFCP
• S5-U (to PGW-U) - GTP-U

PGW-C / SMF (PDN Gateway - Control Plane / Session Management Function)

Role: PDN session management and IP address allocation

Responsibilities:

• Assign UE IP address
• Create GTP tunnels
• Policy enforcement (via PCRF)
• Charging triggers

Interfaces:

• S5-C (to SGW-C) - GTP-C
• Gx (to PCRF) - Diameter
• Sxb (to PGW-U) - PFCP

PGW-U / UPF (PDN Gateway - User Plane / User Plane Function)

Role: Gateway to external networks (Internet)

Responsibilities:

• NAT (if using private UE IPs)
• Packet filtering
• Traffic shaping
• Lawful intercept

Interfaces:

• S5-U (to SGW-U) - GTP-U
• Sxb (to PGW-C) - PFCP
• SGi (to Internet) - IP

Key Interfaces

S1-MME (eNB ↔ MME)

• Protocol: S1AP over SCTP
• Purpose: NAS signaling (attach, TAU, service request)
• Port: 36412

S1-U (eNB ↔ SGW-U)

• Protocol: GTP-U over UDP
• Purpose: User data tunneling
• Port: 2152

S6a (MME ↔ HSS)

• Protocol: Diameter
• Purpose: Authentication vectors, subscriber profile
• Port: 3868

S11 (MME ↔ SGW-C)

• Protocol: GTP-C over UDP
• Purpose: Bearer management signaling
• Port: 2123

Gx (PGW-C ↔ PCRF)

• Protocol: Diameter
• Purpose: Policy and charging rules
• Port: 3868

Sxa / Sxb (Control ↔ User Plane)

• Protocol: PFCP (Packet Forwarding Control Protocol) over UDP
• Purpose: Install/modify/delete packet forwarding rules
• Port: 8805

SGi (PGW-U ↔ Internet)

• Protocol: IP
• Purpose: User data to external networks

Subscriber Lifecycle

1. UE Attach Procedure

sequenceDiagram
    participant UE as 📱 UE
    participant eNB as 📡 eNodeB
    participant MME as 🎛️ MME
    participant HSS as 🔐 HSS
    participant SGWC as ⚙️ SGW-C
    participant SGWU as 📦 SGW-U
    participant PGWC as ⚙️ PGW-C/SMF
    participant PGWU as 📦 PGW-U/UPF
    
    UE->>eNB: RRC Connection Request
    eNB->>UE: RRC Connection Setup
    UE->>eNB: RRC Connection Setup Complete
(NAS: Attach Request)
    eNB->>MME: S1AP: Initial UE Message
(IMSI, Attach Request)
    
    MME->>HSS: S6a: Authentication Info Request
(IMSI)
    HSS->>MME: S6a: Authentication Info Answer
(RAND, AUTN, XRES, KASME)
    
    MME->>UE: NAS: Authentication Request
(RAND, AUTN)
    UE->>MME: NAS: Authentication Response
(RES)
    
    Note over MME: Verify RES == XRES
    
    MME->>UE: NAS: Security Mode Command
    UE->>MME: NAS: Security Mode Complete
    
    MME->>HSS: S6a: Update Location Request
    HSS->>MME: S6a: Update Location Answer
(Subscriber Profile)
    
    MME->>SGWC: S11: Create Session Request
(IMSI, APN, QoS)
    SGWC->>PGWC: S5-C: Create Session Request
    PGWC->>PGWU: Sxb: PFCP Session Establishment
(Install forwarding rules)
    PGWU->>PGWC: Sxb: PFCP Session Establishment Response
(UE IP: 10.45.0.2)
    PGWC->>SGWC: S5-C: Create Session Response
(UE IP, PGW-U GTP TEID)
    SGWC->>SGWU: Sxa: PFCP Session Establishment
    SGWU->>SGWC: Sxa: PFCP Session Establishment Response
    SGWC->>MME: S11: Create Session Response
(UE IP, SGW-U GTP TEID)
    
    MME->>eNB: S1AP: Initial Context Setup Request
(UE IP, SGW-U TEID, Security Keys)
    eNB->>UE: RRC: Connection Reconfiguration
(Radio bearers)
    UE->>eNB: RRC: Connection Reconfiguration Complete
    eNB->>MME: S1AP: Initial Context Setup Response
    
    MME->>UE: NAS: Attach Accept
(UE IP: 10.45.0.2)
    UE->>MME: NAS: Attach Complete
    
    Note over UE,PGWU: GTP-U tunnel established:
UE ↔ eNB ↔ SGW-U ↔ PGW-U ↔ Internet

2. PDN Session Establishment

After attach, the UE has:

• IP address (e.g., 10.45.0.2 from Open5GS default pool)
• Default bearer (always-on, for control plane)
• GTP tunnel (eNB ↔ SGW-U ↔ PGW-U)

3. User Data Flow

📱 UE (10.45.0.2)
  ↓ [S1-U: GTP-U tunnel TEID=0x12345678]
📡 eNodeB
  ↓ [S1-U: GTP-U]
📦 SGW-U
  ↓ [S5-U: GTP-U]
📦 PGW-U/UPF
  ↓ [SGi: NAT to public IP]
🌐 Internet (e.g., 8.8.8.8)

4. Tracking Area Update (TAU)

When UE moves to a new Tracking Area:

1. UE sends TAU Request to new eNB
2. New eNB forwards to MME
3. MME updates location in HSS
4. If SGW changes, MME triggers path switch

Authentication and Security

AKA (Authentication and Key Agreement)

graph LR
    subgraph "SIM Card"
        IMSI[IMSI
001010123456789]
        K[K
Secret Key
128-bit]
    end
    
    subgraph "HSS"
        K2[K
Same Secret Key]
        OPc[OPc
Operator Key]
    end
    
    subgraph "Authentication Vectors"
        RAND[RAND
Random Challenge]
        AUTN[AUTN
Auth Token]
        XRES[XRES
Expected Response]
        KASME[KASME
Base Key]
    end
    
    K --> RAND
    K2 --> RAND
    OPc --> RAND
    RAND --> AUTN
    RAND --> XRES
    RAND --> KASME
    
    style K fill:#ff9999
    style K2 fill:#ff9999
    style KASME fill:#99ff99

Key Hierarchy

KASME (256-bit base key from AKA)
  ├─ KeNB (key for eNB, used for AS security)
  │   ├─ KRRCenc (RRC encryption)
  │   ├─ KRRCint (RRC integrity)
  │   ├─ KUPenc (user plane encryption)
  │   └─ ... (other AS keys)
  └─ NAS keys
      ├─ KNASenc (NAS encryption)
      └─ KNASint (NAS integrity)

Security Algorithms

🔬 Exercises

1. Diagram Exercise: Draw the data path for a UE pinging 8.8.8.8. Label every GTP tunnel (TEID) and interface.
2. Security Exercise: Which interfaces in the EPC are encrypted by default? Which are not? (Hint: check the Security Warning box above)
3. Config Exercise: In the Open5GS mme.yaml, what happens if you change mcc/mnc to 999/99? What error would the UE see?
4. Wireshark Exercise: What Diameter Application-Id would you see on the S6a interface? (Answer: 16777251 for S6a)

Real-World Context

Summary

You now understand:

• ✅ 4G EPC architecture (control plane + user plane)
• ✅ CUPS separation (SGW-C/U, PGW-C/U)
• ✅ All core network functions (MME, HSS, PCRF, SGW, PGW)
• ✅ Key interfaces (S1, S6a, S11, Gx, Rx, Sxa/Sxb, SGi)
• ✅ UE attach procedure and GTP tunneling
• ✅ AKA authentication and key hierarchy
• ✅ Why Open5GS uses combined 4G/5G mode

Next: Part 2: 5G NSA Architecture →