Part 3: 5G SA (Standalone) Architecture
Learning Objective: Understand the 5G Standalone core with Service Based Architecture, all network functions, N-series interfaces, and network slicing.
Table of Contents
- What is 5G SA?
- Service Based Architecture (SBA)
- 5G Core Network Functions
- N-Series Reference Points
- 5G Registration Procedure
- Network Slicing
- SUPI/SUCI Privacy
- 5G-AKA Authentication
What is 5G SA?
5G SA (Standalone) is a complete 5G system with:
- 5G Core (5GC) - All-new cloud-native core network
- 5G NR (New Radio) - 5G radio access
- Service Based Architecture - HTTP/2 APIs between network functions
SA vs NSA
| Feature | NSA | SA |
|---|---|---|
| Core | 4G EPC | 5G Core |
| Control Plane | MME | AMF |
| Session Mgmt | MME/SGW/PGW | SMF |
| User Plane | PGW-U | UPF |
| Architecture | Point-to-point | Service-based (HTTP/2) |
| Network Slicing | ❌ No | ✅ Yes |
| Latency | ~20-30ms | ~10ms (URLLC: ~1ms) |
| Edge Computing | Limited | Full MEC support |
Service Based Architecture (SBA)
Unlike 4G's point-to-point interfaces, 5G uses SBA where network functions expose services via HTTP/2 APIs.
```mermaid
graph TB
    subgraph "Service Based Interface (SBI) - HTTP/2"
        NRF[🗂️ NRF<br/>Service Registry]
        SCP[🔀 SCP<br/>Service Proxy]
        AMF[📱 AMF<br/>Access & Mobility]
        SMF[🔧 SMF<br/>Session Mgmt]
        AUSF[🔐 AUSF<br/>Authentication]
        UDM[👤 UDM<br/>User Data Mgmt]
        UDR[(💾 UDR<br/>Data Repository)]
        PCF[📋 PCF<br/>Policy Control]
        NSSF[🍕 NSSF<br/>Slice Selection]
        BSF[🔗 BSF<br/>Binding Support]
    end
    subgraph "User Plane"
        UPF[📦 UPF<br/>User Plane Function]
    end
    subgraph "Radio Access"
        gNB[📡 gNB<br/>5G Base Station]
        UE[📱 UE]
    end
    Internet[🌐 Internet]
    %% Service registrations
    AMF -.->|Register| NRF
    SMF -.->|Register| NRF
    AUSF -.->|Register| NRF
    UDM -.->|Register| NRF
    PCF -.->|Register| NRF
    %% Service discovery
    AMF -.->|Discover| NRF
    SMF -.->|Discover| NRF
    %% SBI communications (via SCP)
    AMF <-->|Namf| SCP
    SMF <-->|Nsmf| SCP
    AUSF <-->|Nausf| SCP
    UDM <-->|Nudm| SCP
    UDR <-->|Nudr| SCP
    PCF <-->|Npcf| SCP
    NSSF <-->|Nnssf| SCP
    BSF <-->|Nbsf| SCP
    %% N-series interfaces
    UE <-->|N1<br/>NAS| AMF
    gNB <-->|N2<br/>NGAP| AMF
    gNB <-->|N3<br/>GTP-U| UPF
    SMF <-->|N4<br/>PFCP| UPF
    UPF <-->|N6| Internet
    style NRF fill:#ff9999
    style SCP fill:#99ccff
    style AMF fill:#ffcc99
    style SMF fill:#99ff99
    style UPF fill:#cc99ff
    style gNB fill:#ffff99
```
SBA Key Concepts
| Concept | Description |
|---|---|
| Service Producer | NF that exposes services (e.g., AMF exposes Namf_Communication) |
| Service Consumer | NF that consumes services (e.g., SMF calls Namf_Communication) |
| NRF | Service registry (like DNS for services) |
| SCP | Optional proxy for indirect communication |
| SBI | HTTP/2 RESTful APIs (JSON payloads) |
5G Core Network Functions
NRF (NF Repository Function)
Role: Service discovery and registration
Responsibilities:
- NFs register their services (name, version, IP, capacity)
- NFs query NRF to discover other NFs
- Maintains NF profiles and status
Services Exposed:
- Nnrf_NFManagement - NF registration
- Nnrf_NFDiscovery - Service discovery
NRF is the heart of SBA. If NRF fails, NFs cannot discover each other.
SCP (Service Communication Proxy)
Role: Indirect communication between NFs
Benefits:
- Load balancing across NF instances
- Service routing (e.g., route to specific SMF based on DNN)
- Centralized security (mTLS termination)
Communication Models:
- Direct: NF-A → NF-B (no SCP)
- Indirect (Delegated): NF-A → SCP → NF-B (SCP selects target)
- Indirect (Non-Delegated): NF-A tells SCP which NF-B instance to use
AMF (Access and Mobility Management Function)
Role: Replaces 4G MME for access and mobility
Responsibilities:
- UE registration (attach)
- Mobility management (handover, TAU)
- NAS signaling encryption/integrity
- Authentication coordination (via AUSF)
- Slice selection (via NSSF)
Interfaces:
- N1 (to UE) - NAS over RRC
- N2 (to gNB) - NGAP over SCTP
- N8 (to UDM) - Get subscriber data
- N11 (to SMF) - PDU session management
- N12 (to AUSF) - Authentication
- N14 (to other AMF) - Inter-AMF handover
Services Exposed:
- Namf_Communication - N11 to SMF
- Namf_EventExposure - Event subscriptions
SMF (Session Management Function)
Role: Replaces 4G PGW-C for session management
Responsibilities:
- PDU session establishment/modification/release
- UE IP address allocation
- UPF selection and control (via N4/PFCP)
- QoS enforcement
- Charging triggers
Interfaces:
- N4 (to UPF) - PFCP for packet forwarding rules
- N7 (to PCF) - Policy control
- N10 (to UDM) - Subscription data
- N11 (to AMF) - Session management
Services Exposed:
- Nsmf_PDUSession - PDU session management
- Nsmf_EventExposure - Session events
UPF (User Plane Function)
Role: Replaces 4G PGW-U for user data forwarding
Responsibilities:
- Packet routing and forwarding
- QoS enforcement (per-flow)
- Traffic detection and reporting
- Lawful intercept
Interfaces:
- N3 (to gNB) - GTP-U tunnel
- N4 (to SMF) - PFCP control
- N6 (to Data Network) - IP to Internet
- N9 (to other UPF) - UPF-to-UPF forwarding
UPF is the only user plane function in 5G SA (simpler than 4G's SGW-U + PGW-U).
AUSF (Authentication Server Function)
Role: Replaces 4G HSS for authentication
Responsibilities:
- 5G-AKA authentication
- EAP-AKA' for non-3GPP access (WiFi)
- Generate KAUSF key
Interfaces:
- N12 (to AMF) - Authentication requests
- N13 (to UDM) - Get authentication vectors
Services Exposed:
- Nausf_UEAuthentication - Authenticate UE
UDM (Unified Data Management)
Role: Subscriber data management (part of 4G HSS)
Responsibilities:
- Generate authentication vectors (RAND, AUTN, XRES)
- Manage subscriber credentials (K, OPc)
- Access authorization
- UE context management
Interfaces:
- N8 (to AMF) - Registration data
- N10 (to SMF) - Session data
- N13 (to AUSF) - Authentication data
Services Exposed:
- Nudm_UECM - UE Context Management
- Nudm_SDM - Subscriber Data Management
- Nudm_UEAuthentication - Auth vector generation
UDR (Unified Data Repository)
Role: Database for subscriber and policy data
Stores:
- Subscriber profiles (SUPI, K, OPc, DNN, S-NSSAI)
- Policy data
- Application data
Interfaces:
- Nudr (to UDM, PCF, NEF) - Data access
In Open5GS, UDR uses MongoDB as the backend database.
PCF (Policy Control Function)
Role: Replaces 4G PCRF for policy control
Responsibilities:
- QoS policies (bandwidth, priority)
- Charging rules
- Application-based policies (e.g., video streaming QoS)
Interfaces:
- N7 (to SMF) - Session policies
- N5 (to AF) - Application policies
- N15 (to AMF) - Access policies
Services Exposed:
- Npcf_SMPolicyControl - Session policies
- Npcf_AMPolicyControl - Access policies
NSSF (Network Slice Selection Function)
Role: Select network slice for UE
Responsibilities:
- Determine S-NSSAI (Slice/Service Type + Slice Differentiator)
- Select AMF instance for slice
- Slice availability management
Interfaces:
- N22 (to AMF) - Slice selection
Services Exposed:
- Nnssf_NSSelection - Slice selection
BSF (Binding Support Function)
Role: Maintain PCF bindings for UE sessions
Responsibilities:
- Store UE ↔ PCF mappings
- Enable PCF discovery for roaming scenarios
Services Exposed:
- Nbsf_Management - Binding management
SEPP (Security Edge Protection Proxy)
Role: Secure inter-PLMN communication (roaming)
Responsibilities:
- N32 interface security (mTLS)
- Message filtering between home and visited networks
- Topology hiding
Interfaces:
- N32 (to remote SEPP) - Inter-PLMN security
N-Series Reference Points
| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| N1 | UE ↔ AMF | NAS | Registration, session management |
| N2 | gNB ↔ AMF | NGAP/SCTP | Control plane signaling |
| N3 | gNB ↔ UPF | GTP-U/UDP | User plane data |
| N4 | SMF ↔ UPF | PFCP/UDP | Packet forwarding control |
| N5 | PCF ↔ AF | HTTP/2 | Application policies |
| N6 | UPF ↔ DN | IP | Data network (Internet) |
| N7 | SMF ↔ PCF | HTTP/2 | Session policies |
| N8 | AMF ↔ UDM | HTTP/2 | Subscription data |
| N9 | UPF ↔ UPF | GTP-U/UDP | UPF-to-UPF forwarding |
| N10 | SMF ↔ UDM | HTTP/2 | Session subscription data |
| N11 | AMF ↔ SMF | HTTP/2 | PDU session management |
| N12 | AMF ↔ AUSF | HTTP/2 | Authentication |
| N13 | UDM ↔ AUSF | HTTP/2 | Authentication vectors |
| N14 | AMF ↔ AMF | HTTP/2 | Inter-AMF handover |
| N15 | AMF ↔ PCF | HTTP/2 | Access policies |
| N22 | AMF ↔ NSSF | HTTP/2 | Slice selection |
| N32 | SEPP ↔ SEPP | HTTP/2 | Inter-PLMN security |
5G Registration Procedure
```mermaid
sequenceDiagram
    participant UE as 📱 UE
    participant gNB as 📡 gNB
    participant AMF as AMF
    participant AUSF as AUSF
    participant UDM as UDM
    participant SMF as SMF
    participant UPF as UPF
    participant NRF as NRF
    UE->>gNB: RRC Setup Request
    gNB->>UE: RRC Setup
    UE->>gNB: RRC Setup Complete<br/>(NAS: Registration Request)
    gNB->>AMF: N2: Initial UE Message<br/>(SUCI, Registration Request)
    AMF->>NRF: Nnrf_NFDiscovery<br/>(Find AUSF)
    NRF->>AMF: AUSF address
    AMF->>AUSF: Nausf_UEAuthentication<br/>(SUCI)
    AUSF->>UDM: Nudm_UEAuthentication<br/>(SUPI)
    UDM->>AUSF: Authentication Vectors<br/>(RAND, AUTN, XRES*, KAUSF)
    AUSF->>AMF: RAND, AUTN, XRES*
    AMF->>UE: NAS: Authentication Request<br/>(RAND, AUTN)
    UE->>AMF: NAS: Authentication Response<br/>(RES*)
    Note over AMF: Verify RES* == XRES*
    AMF->>UE: NAS: Security Mode Command
    UE->>AMF: NAS: Security Mode Complete
    AMF->>UDM: Nudm_UECM_Registration<br/>(Register UE context)
    UDM->>AMF: Registration complete
    AMF->>UDM: Nudm_SDM_Get<br/>(Get subscriber data)
    UDM->>AMF: Subscriber profile<br/>(DNN, S-NSSAI, QoS)
    AMF->>UE: NAS: Registration Accept<br/>(5G-GUTI, TAI list)
    UE->>AMF: NAS: Registration Complete
    Note over UE,AMF: UE is now registered (RM-REGISTERED)
    UE->>AMF: NAS: PDU Session Establishment Request<br/>(DNN, S-NSSAI)
    AMF->>NRF: Nnrf_NFDiscovery<br/>(Find SMF for DNN)
    NRF->>AMF: SMF address
    AMF->>SMF: Nsmf_PDUSession_CreateSMContext<br/>(SUPI, DNN, S-NSSAI)
    SMF->>UDM: Nudm_SDM_Get<br/>(Session subscription data)
    UDM->>SMF: Session data
    SMF->>UPF: N4: PFCP Session Establishment<br/>(Install forwarding rules)
    UPF->>SMF: N4: PFCP Session Establishment Response<br/>(UE IP: 10.45.0.2)
    SMF->>AMF: Nsmf_PDUSession_CreateSMContext Response<br/>(UE IP, QoS, N3 tunnel info)
    AMF->>gNB: N2: PDU Session Resource Setup Request<br/>(QoS, UPF N3 TEID)
    gNB->>UE: RRC: Reconfiguration<br/>(Radio bearers)
    UE->>gNB: RRC: Reconfiguration Complete
    gNB->>AMF: N2: PDU Session Resource Setup Response
    AMF->>SMF: Nsmf_PDUSession_UpdateSMContext<br/>(gNB N3 TEID)
    SMF->>UPF: N4: PFCP Session Modification<br/>(Update gNB TEID)
    UPF->>SMF: N4: PFCP Session Modification Response
    AMF->>UE: NAS: PDU Session Establishment Accept<br/>(UE IP: 10.45.0.2)
    Note over UE,UPF: N3 GTP-U tunnel established:<br/>UE ↔ gNB ↔ UPF ↔ Internet
```
Network Slicing
Network slicing allows a single physical network to support multiple logical networks (slices) with different characteristics.
S-NSSAI (Single Network Slice Selection Assistance Information)
S-NSSAI = SST + SD
| Field | Description | Example |
|---|---|---|
| SST | Slice/Service Type (8-bit) | 1 = eMBB, 2 = URLLC, 3 = MIoT |
| SD | Slice Differentiator (24-bit, optional) | 0x000001 (custom slice ID) |
Slice Types (SST)
| SST | Type | Use Case | Latency | Bandwidth |
|---|---|---|---|---|
| 1 | eMBB | Enhanced Mobile Broadband | ~20ms | High |
| 2 | URLLC | Ultra-Reliable Low Latency | ~1ms | Medium |
| 3 | MIoT | Massive IoT | ~100ms | Low |
| 4 | V2X | Vehicle-to-Everything | ~10ms | Medium |
Slicing Architecture
```mermaid
graph TB
    UE1[📱 UE 1<br/>eMBB User]
    UE2[🚗 UE 2<br/>V2X Vehicle]
    UE3[📡 UE 3<br/>IoT Sensor]
    gNB[📡 gNB<br/>Shared Radio]
    subgraph "Slice 1: eMBB (SST=1)"
        AMF1[AMF]
        SMF1[SMF]
        UPF1[UPF]
    end
    subgraph "Slice 2: URLLC (SST=2)"
        AMF2[AMF]
        SMF2[SMF]
        UPF2[UPF<br/>Edge MEC]
    end
    subgraph "Slice 3: MIoT (SST=3)"
        AMF3[AMF]
        SMF3[SMF]
        UPF3[UPF]
    end
    NSSF[🍕 NSSF<br/>Slice Selector]
    UE1 --> gNB
    UE2 --> gNB
    UE3 --> gNB
    gNB --> NSSF
    NSSF --> AMF1
    NSSF --> AMF2
    NSSF --> AMF3
    AMF1 --> SMF1 --> UPF1
    AMF2 --> SMF2 --> UPF2
    AMF3 --> SMF3 --> UPF3
    style AMF1 fill:#99ccff
    style AMF2 fill:#ff9999
    style AMF3 fill:#99ff99
```
Slice Selection Process
- UE sends Registration Request with requested S-NSSAI
- AMF queries NSSF for slice selection
- NSSF returns allowed S-NSSAI and target AMF (if different)
- AMF assigns UE to slice
- SMF/UPF instances dedicated to that slice handle sessions
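An added example (not code from the original page) of the selection steps above: it packs an S-NSSAI as SST plus SD and grants only the requested slices that the subscription contains, falling back to the subscribed default. The names `SNssai`, `unpack` and `select_slices` are hypothetical, and the 32-bit packing is an illustration that uses the 3GPP reserved SD value 0xFFFFFF for "no SD".

```python
from typing import NamedTuple, Optional

SD_NONE = 0xFFFFFF  # reserved SD value meaning "no SD associated with the SST"


class SNssai(NamedTuple):
    sst: int                   # Slice/Service Type, 8 bits
    sd: Optional[int] = None   # Slice Differentiator, 24 bits, optional

    def pack(self) -> int:
        """SST in the top 8 bits, SD (or SD_NONE) in the low 24 bits."""
        if not 0 <= self.sst <= 0xFF:
            raise ValueError(f"SST out of range: {self.sst}")
        sd = SD_NONE if self.sd is None else self.sd
        if not 0 <= sd <= 0xFFFFFF:
            raise ValueError(f"SD out of range: {sd:#x}")
        return (self.sst << 24) | sd


def unpack(value: int) -> SNssai:
    """Inverse of pack(); rejects values that do not fit in 32 bits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("S-NSSAI must fit in 32 bits")
    sd = value & 0xFFFFFF
    return SNssai(value >> 24, None if sd == SD_NONE else sd)


def select_slices(requested, subscribed, default):
    """Simplified model of the NSSF answer: (allowed, rejected).

    A requested slice is allowed only if the subscription contains it.
    If nothing requested is allowed, the subscribed default slice is used.
    Malformed S-NSSAI values raise ValueError instead of being granted.
    """
    sub = {s.pack() for s in subscribed}
    if default.pack() not in sub:
        raise ValueError("default slice must be part of the subscription")
    allowed, rejected = [], []
    for s in requested:
        (allowed if s.pack() in sub else rejected).append(s)
    return (allowed or [default]), rejected
```
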
SUPI/SUCI Privacy
Problem: In 4G, IMSI is sent in cleartext → IMSI catchers can track users.
Solution: 5G uses SUCI (encrypted SUPI) for initial registration.
Terminology
| Term | Description | Example |
|---|---|---|
| SUPI | Subscription Permanent Identifier (like IMSI) | imsi-001010123456789 |
| SUCI | Subscription Concealed Identifier (encrypted SUPI) | suci-0-001-01-0-0-abcd1234... |
| 5G-GUTI | 5G Globally Unique Temporary Identifier | Assigned after registration |
SUCI Encryption
```mermaid
graph LR
    subgraph "UE"
        SUPI[SUPI<br/>imsi-001010123456789]
        HomeKey[Home Network<br/>Public Key]
    end
    subgraph "Encryption"
        ECIES[ECIES Encryption<br/>Elliptic Curve]
    end
    subgraph "Network"
        SUCI[SUCI<br/>suci-0-001-01-...]
        UDM[UDM<br/>Decrypts with<br/>Private Key]
    end
    SUPI --> ECIES
    HomeKey --> ECIES
    ECIES --> SUCI
    SUCI --> UDM
    UDM --> SUPI
    style SUPI fill:#ff9999
    style SUCI fill:#99ff99
```
Benefits:
- ✅ IMSI catchers cannot read SUPI
- ✅ User privacy protected
- ✅ Only home network (UDM) can decrypt
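An added example (not part of the original page): a parser for the textual SUCI form that flags registrations sent under the null protection scheme, where the scheme output is the MSIN in clear and the benefits above do not apply. It assumes the full field layout from 3GPP TS 23.003 (type, MCC, MNC, routing indicator, protection scheme, home network key id, scheme output), which is longer than the abbreviated example in the terminology table; the function names, log line format and sample values are constructed.

```python
import re

SCHEMES = {0: "null-scheme", 1: "ECIES Profile A", 2: "ECIES Profile B"}
# Bytes an ECIES scheme output carries besides the ciphertext: ephemeral
# public key (32 for Profile A, 33 compressed for Profile B) + 8-byte MAC tag.
OVERHEAD = {1: 32 + 8, 2: 33 + 8}
SUCI_RE = re.compile(r"suci-[0-9A-Fa-f-]+")


def parse_suci(suci: str) -> dict:
    """Split suci-<type>-<mcc>-<mnc>-<routing>-<scheme>-<key id>-<output>."""
    parts = suci.split("-", 7)
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError(f"not a SUCI: {suci!r}")
    _, supi_type, mcc, mnc, routing, scheme, key_id, output = parts
    if supi_type != "0":
        raise ValueError("only IMSI-based SUCI (type 0) is handled here")
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("bad MCC/MNC")
    scheme_id = int(scheme)
    if scheme_id in OVERHEAD:
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", output):
            raise ValueError("scheme output is not hex")
        if len(output) // 2 <= OVERHEAD[scheme_id]:
            raise ValueError("scheme output too short for key + ciphertext + MAC")
    return {
        "mcc": mcc, "mnc": mnc, "routing_indicator": routing,
        "scheme": SCHEMES.get(scheme_id, "reserved or operator-specific"),
        "hn_key_id": int(key_id),
        # Null scheme: the "output" is the MSIN itself, so the SUPI is readable.
        "exposed_supi": f"imsi-{mcc}{mnc}{output}" if scheme_id == 0 else None,
    }


def unconcealed_supis(log_lines):
    """Return every SUPI that was sent under the null scheme."""
    found = []
    for line in log_lines:
        for token in SUCI_RE.findall(line):
            try:
                supi = parse_suci(token)["exposed_supi"]
            except ValueError:
                continue  # malformed token, not a usable SUCI
            if supi:
                found.append(supi)
    return found


# Constructed log lines; the Profile A output is filler hex, not real ciphertext.
SAMPLE_LOG = [
    "amf: registration request suci-0-001-01-0000-0-0-0123456789",
    "amf: registration request suci-0-001-01-0000-1-1-" + "ab" * 45,
]
```
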
5G-AKA Authentication
Similar to 4G AKA, but with enhanced privacy:
Key Differences from 4G
| Aspect | 4G | 5G |
|---|---|---|
| Identifier | IMSI (cleartext) | SUCI (encrypted) |
| Base Key | KASME | KAUSF |
| Auth Server | HSS | AUSF + UDM |
| Anchor Key | KASME | KSEAF (at SEAF in AMF) |
5G Key Hierarchy
```
KAUSF (at AUSF, derived from CK/IK)
  └─ KSEAF (at AMF)
      └─ KAMF (at AMF)
          ├─ KgNB (at gNB, for AS security)
          │   ├─ KRRCenc
          │   ├─ KRRCint
          │   └─ KUPenc
          └─ NAS keys
              ├─ KNASenc
              └─ KNASint
```
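An added example, not code from the original page: the key tree above derived with the generic 3GPP KDF (HMAC-SHA-256) and the FC values from TS 33.501 Annex A, plus the RES*/XRES* comparison from the registration diagram. CK and IK would come from the subscriber's authentication functions and are taken as inputs here; the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def alg_key(parent: bytes, type_distinguisher: int, alg_id: int) -> bytes:
    """NAS/AS algorithm key: low 128 bits of KDF(parent, 0x69, type, alg id)."""
    return kdf(parent, 0x69, bytes([type_distinguisher]), bytes([alg_id]))[16:]


def derive_hierarchy(ck, ik, sqn_xor_ak, snn, imsi_digits,
                     abba=b"\x00\x00", ul_nas_count=0, enc_alg=2, int_alg=2):
    """Walk the tree from CK/IK down to the NAS and AS keys."""
    sn = snn.encode()
    k_ausf = kdf(ck + ik, 0x6A, sn, sqn_xor_ak)            # bound to serving network
    k_seaf = kdf(k_ausf, 0x6C, sn)                          # anchor key
    k_amf = kdf(k_seaf, 0x6D, imsi_digits.encode(), abba)   # bound to the SUPI
    k_gnb = kdf(k_amf, 0x6E, ul_nas_count.to_bytes(4, "big"), b"\x01")  # 3GPP access
    return {
        "KAUSF": k_ausf, "KSEAF": k_seaf, "KAMF": k_amf, "KgNB": k_gnb,
        "KNASenc": alg_key(k_amf, 0x01, enc_alg),
        "KNASint": alg_key(k_amf, 0x02, int_alg),
        "KRRCenc": alg_key(k_gnb, 0x03, enc_alg),
        "KRRCint": alg_key(k_gnb, 0x04, int_alg),
        "KUPenc": alg_key(k_gnb, 0x05, enc_alg),
    }


def res_star(ck, ik, snn, rand, res):
    """RES*/XRES*: low 128 bits of KDF(CK || IK, 0x6B, SNN, RAND, RES)."""
    return kdf(ck + ik, 0x6B, snn.encode(), rand, res)[16:]


def res_matches(res_star_from_ue: bytes, xres_star: bytes) -> bool:
    return hmac.compare_digest(res_star_from_ue, xres_star)  # constant-time compare


# Constructed sample inputs (not from any real subscriber or trace).
CK, IK = bytes(range(16)), bytes(range(16, 32))
RAND, RES, SQN_XOR_AK = bytes([0xAA]) * 16, bytes([0xBB]) * 8, bytes(6)
SNN = "5G:mnc001.mcc001.3gppnetwork.org"

if __name__ == "__main__":
    for name, key in derive_hierarchy(CK, IK, SQN_XOR_AK, SNN, "001010123456789").items():
        print(f"{name:8s} {key.hex()}")
```

Because the serving network name is an input to KAUSF, KSEAF and RES*, a response computed for one serving network does not verify for another.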
Summary
You now understand:
- ✅ 5G SA uses Service Based Architecture (HTTP/2 APIs)
- ✅ All 5G NFs: NRF, SCP, AMF, SMF, UPF, AUSF, UDM, UDR, PCF, NSSF, BSF, SEPP
- ✅ N-series interfaces (N1-N15, N22, N32)
- ✅ 5G registration procedure with NRF service discovery
- ✅ Network slicing (S-NSSAI: SST + SD)
- ✅ SUPI/SUCI privacy (encrypted identifier)
- ✅ 5G-AKA authentication and key hierarchy