Part 6: Docker Lab - 5G SA Deep Dive

Learning Objective: Explore advanced 5G SA features — SBI traffic analysis, NF service discovery, and multi-slice configuration.

Note

This part builds on the working lab from Part 4. If you haven't completed Part 4, start there first. The same docker-compose.yml and configs are used.


Overview

Part 4 got the core running. This part goes deeper:

  1. Observe SBA in action — watch NFs register and discover each other via NRF
  2. Analyze SBI traffic — capture HTTP/2 API calls between NFs
  3. Add network slicing — configure a second slice (SST=2 URLLC)
  4. Multi-DNN — add a second DNN (data network name)
  5. Understand NF lifecycle — what happens when you kill an NF?

Exercise 1: SBA Service Discovery

Watch NRF Registrations

# See all NF registrations in real-time
docker compose logs -f nrf 2>&1 | grep -i "register\|profile\|discover"

Query NRF via API

The NRF exposes a REST API. From any container on the SBI network:

# List all registered NFs
docker exec -it open5gs_amf curl -s http://172.22.0.10:7777/nnrf-nfm/v1/nf-instances | python3 -m json.tool

# Discover SMF instances
docker exec -it open5gs_amf curl -s \
  "http://172.22.0.10:7777/nnrf-disc/v1/nf-instances?target-nf-type=SMF" | python3 -m json.tool

What You'll See

{
  "nfInstances": [
    {
      "nfInstanceId": "e8c835a4-...",
      "nfType": "SMF",
      "nfStatus": "REGISTERED",
      "ipv4Addresses": ["172.22.0.21"],
      "sNssais": [{"sst": 1}],
      "nfServices": [
        {
          "serviceName": "nsmf-pdusession",
          "versions": [{"apiVersionInUri": "v1"}],
          "scheme": "http"
        }
      ]
    }
  ]
}

Tip

This is exactly how AMF discovers SMF during PDU session setup — it queries NRF's Nnrf_NFDiscovery API. In the Part 9 threat model, we discussed how an attacker could poison NRF by registering a rogue NF.
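The Tip names rogue NF registration as a threat. The following added example (not part of the original lab or of Open5GS) audits a discovery response against an inventory of expected NF addresses and slices. The inventory, the function name audit_discovery and both sample profiles are assumptions made for illustration.

```python
import json

# Lab inventory: NF type -> addresses allowed to serve it. The SMF address is
# the one in the sample response above; fill in the rest from your compose file.
EXPECTED = {"SMF": {"172.22.0.21"}}
ALLOWED_SST = {1, 2}  # slices used in this lab: eMBB and URLLC

def audit_discovery(body, expected=EXPECTED, allowed_sst=ALLOWED_SST,
                    require_tls=False):
    """Return (nfInstanceId, finding) pairs for one Nnrf_NFDiscovery response."""
    findings = []
    for nf in json.loads(body).get("nfInstances", []):
        nf_id = nf.get("nfInstanceId", "<no id>")
        nf_type = nf.get("nfType")
        if nf_type not in expected:
            findings.append((nf_id, f"unexpected NF type {nf_type}"))
            continue
        addrs = set(nf.get("ipv4Addresses", []))
        if not addrs:
            findings.append((nf_id, "no ipv4Addresses in profile"))
        for addr in sorted(addrs - expected[nf_type]):
            findings.append((nf_id, f"{nf_type} at unlisted address {addr}"))
        for snssai in nf.get("sNssais", []):
            if snssai.get("sst") not in allowed_sst:
                findings.append((nf_id, f"unknown slice sst={snssai.get('sst')}"))
        if require_tls:
            for svc in nf.get("nfServices", []):
                if svc.get("scheme") != "https":
                    findings.append(
                        (nf_id, f"{svc.get('serviceName')} not served over https"))
    return findings

# Constructed sample: the first profile mirrors the response shown above, the
# second is a made-up profile that the inventory does not know about.
SAMPLE = json.dumps({"nfInstances": [
    {"nfInstanceId": "sample-smf-1", "nfType": "SMF", "nfStatus": "REGISTERED",
     "ipv4Addresses": ["172.22.0.21"], "sNssais": [{"sst": 1}],
     "nfServices": [{"serviceName": "nsmf-pdusession", "scheme": "http"}]},
    {"nfInstanceId": "sample-smf-2", "nfType": "SMF", "nfStatus": "REGISTERED",
     "ipv4Addresses": ["172.22.0.99"], "sNssais": [{"sst": 7}],
     "nfServices": [{"serviceName": "nsmf-pdusession", "scheme": "http"}]},
]})

if __name__ == "__main__":
    for nf_id, finding in audit_discovery(SAMPLE):
        print(nf_id, "-", finding)
```

To run it against the lab, pass the output of the discovery curl command above as body. With require_tls=True every profile in this lab is reported, because the NFs advertise scheme http.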


Exercise 2: SBI Traffic Analysis

Capture SBI between AMF and SMF

# Capture HTTP/2 traffic on the SBI network
docker exec -it open5gs_amf tcpdump -i any -w /tmp/sbi_amf.pcap tcp port 7777

# In another terminal, trigger a new PDU session by restarting UE
docker compose restart ueransim_ue

# Wait 10 seconds, then Ctrl+C the tcpdump
# Copy the capture out
docker cp open5gs_amf:/tmp/sbi_amf.pcap .

Wireshark Analysis

Open the pcap in Wireshark and look for:

Filter                                     What You'll See
http2                                      SBI API calls between NFs
http2 && http2.header.name == ":path"      API endpoints called
json                                       Request/response payloads

Key SBI Calls to Find

POST /nsmf-pdusession/v1/sm-contexts         ← AMF asks SMF to create session
POST /nudm-sdm/v1/{supi}/sm-data             ← SMF asks UDM for subscription data
POST /npcf-smpolicycontrol/v1/sm-policies    ← SMF asks PCF for QoS policy
POST /nausf-auth/v1/ue-authentications        ← AMF asks AUSF to authenticate UE
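To compare a capture against the list of key calls, the following added example (not part of the original lab) collapses per-subscriber paths into templates and reports which key calls are absent and which other SBI services appear. The input is a list of :path values copied out of the capture. The sample paths are constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# The four key calls listed above, written as path templates.
KEY_CALLS = [
    "/nsmf-pdusession/v1/sm-contexts",
    "/nudm-sdm/v1/{supi}/sm-data",
    "/npcf-smpolicycontrol/v1/sm-policies",
    "/nausf-auth/v1/ue-authentications",
]
# SUPIs in this lab are IMSI-based (imsi-<digits>).
SUPI = re.compile(r"imsi-\d{5,15}")

def template(path):
    """Drop the query string and replace any SUPI so per-UE paths collapse."""
    return SUPI.sub("{supi}", path.split("?", 1)[0])

def review_paths(paths, key_calls=KEY_CALLS):
    """Return (count per template, key calls not seen, services not in the list)."""
    counts = Counter(template(p) for p in paths)
    missing = [c for c in key_calls if c not in counts]
    listed = {c.split("/")[1] for c in key_calls}
    seen = {t.split("/")[1] for t in counts if t.startswith("/")}
    return counts, missing, sorted(seen - listed)

# Constructed :path values, as they would be copied out of the capture.
SAMPLE_PATHS = [
    "/nnrf-disc/v1/nf-instances?target-nf-type=SMF",
    "/nausf-auth/v1/ue-authentications",
    "/nudm-sdm/v1/imsi-001010000000001/sm-data?dnn=internet",
    "/nudm-sdm/v1/imsi-001010000000002/sm-data",
    "/nsmf-pdusession/v1/sm-contexts",
]

if __name__ == "__main__":
    counts, missing, other = review_paths(SAMPLE_PATHS)
    for path, n in counts.most_common():
        print(f"{n:3d}  {path}")
    print("key calls not seen:", missing)
    print("other services seen:", other)
```

If each NF runs in its own container network namespace, as with Docker bridge networks, a capture taken inside the AMF container holds only the AMF's own connections, so calls that the SMF originates are reported as missing until you also capture in the SMF container.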

Exercise 3: Network Slicing — Add URLLC Slice

Step 1: Update AMF Config

Add SST=2 to the plmn_support in config/amf.yaml:

  plmn_support:
    - plmn_id:
        mcc: 001
        mnc: 01
      s_nssai:
        - sst: 1       # eMBB (existing)
        - sst: 2       # URLLC (new)

Step 2: Update SMF Config

Add a second subnet for the URLLC slice in config/smf.yaml:

  subnet:
    - addr: 10.45.0.1/16
      dnn: internet
      s_nssai:
        sst: 1
    - addr: 10.46.0.1/16
      dnn: iot
      s_nssai:
        sst: 2

Step 3: Update UPF Config

Add the second subnet in config/upf.yaml:

  subnet:
    - addr: 10.45.0.1/16
      dnn: internet
    - addr: 10.46.0.1/16
      dnn: iot

Step 4: Add Second UE for URLLC

Create ueransim/ue_urllc.yaml:

supi: 'imsi-001010000000002'
mcc: '001'
mnc: '01'
routingIndicator: '0000'
protectionScheme: 0
homeNetworkPublicKey: ''
homeNetworkPublicKeyId: 1

key: '465B5CE8B199B49FAA5F0A2EE238A6BC'
op: 'E8ED289DEBA952E4283B54E88E6183CA'
opType: 'OPC'

gnbSearchList:
  - 172.23.0.2

sessions:
  - type: 'IPv4'
    apn: 'iot'
    slice:
      sst: 2       # URLLC slice

integrity:
  IA1: true
  IA2: true
  IA3: true

ciphering:
  EA1: true
  EA2: true
  EA3: true

Step 5: Register URLLC Subscriber

In WebUI (http://localhost:9999):

Step 6: Verify Slice Assignment

docker compose logs ueransim_ue_urllc | grep -i "slice\|sst\|pdu"

Expected: UE gets IP from 10.46.0.0/16 range (URLLC slice), not 10.45.0.0/16 (eMBB slice).
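The check in Step 6 can be automated. The following added example (not part of the original lab) derives the slice pools from the SMF subnet entries, confirms that no two pools overlap, and checks the tunnel address in the UE log against the pool of the expected slice. The log line format is an assumption about UERANSIM's output, the log samples are constructed, and the function names are illustrative.

```python
import ipaddress
import re

# Pools from the SMF config above: (dnn, sst) -> gateway address/prefix.
POOLS = {("internet", 1): "10.45.0.1/16", ("iot", 2): "10.46.0.1/16"}
NETS = {k: ipaddress.ip_interface(v).network for k, v in POOLS.items()}

# Assumed log shape: the UE reports its tunnel as "TUN interface[name, ip]".
TUN = re.compile(r"TUN interface\[(\w+), (\d+\.\d+\.\d+\.\d+)\]")

def overlapping(nets=NETS):
    """Pairs of slice pools that share addresses (defeats per-slice filtering)."""
    keys = sorted(nets)
    return [(a, b) for i, a in enumerate(keys) for b in keys[i + 1:]
            if nets[a].overlaps(nets[b])]

def check_ue(log_text, dnn, sst, nets=NETS):
    """Return one finding per tunnel address that is not in the expected pool."""
    want = nets.get((dnn, sst))
    if want is None:
        return [f"no pool configured for dnn={dnn} sst={sst}"]
    findings = []
    for ifname, addr in TUN.findall(log_text):
        ip = ipaddress.ip_address(addr)
        if ip in want:
            continue
        owner = next((k for k, n in nets.items() if ip in n), None)
        where = (f"pool of dnn={owner[0]} sst={owner[1]}" if owner
                 else "no configured pool")
        findings.append(f"{ifname} {addr}: expected {want}, found in {where}")
    return findings

# Constructed log lines in the assumed format.
GOOD_LOG = ("[nas] [info] PDU Session establishment is successful PSI[1]\n"
            "[app] [info] Connection setup for PDU session[1] is successful, "
            "TUN interface[uesimtun0, 10.46.0.2] is up.")
BAD_LOG = ("[app] [info] Connection setup for PDU session[1] is successful, "
           "TUN interface[uesimtun0, 10.45.0.7] is up.")

if __name__ == "__main__":
    print("overlapping pools:", overlapping())
    print("URLLC UE:", check_ue(GOOD_LOG, "iot", 2) or "ok")
    print("misassigned UE:", check_ue(BAD_LOG, "iot", 2))
```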


Exercise 4: NF Resilience Testing

Kill a Critical NF

# Kill the SMF
docker compose stop smf

# Try to start a new PDU session (restart UE)
docker compose restart ueransim_ue

# Check UE logs — PDU session should fail
docker compose logs ueransim_ue | tail -10

# Restart SMF
docker compose start smf

# UE should recover on retry
docker compose restart ueransim_ue

Kill the NRF

# Kill NRF — what happens to existing sessions?
docker compose stop nrf

# Answer: Existing sessions continue (NFs already have each other's addresses)
# But NEW sessions fail (NFs can't discover each other)

# Verify: existing UE still pings fine
docker exec -it ueransim_ue ping -I uesimtun0 -c 2 8.8.8.8

# Restart NRF
docker compose start nrf

Important

This demonstrates why NRF is the heart of SBA. Losing NRF doesn't kill existing sessions (NFs cache discovery results), but prevents new sessions from being established. In production, NRF must be highly available.


Exercise 5: Metrics and Monitoring

Check Open5GS Metrics

If your NF configs include a metrics section:

  metrics:
    server:
      - address: 172.22.0.20
        port: 9090

You can scrape Prometheus metrics:

docker exec -it open5gs_amf curl -s http://172.22.0.20:9090/metrics | head -30

Look for:


Summary

Next: Part 7: Kubernetes Deployment