NG-RAN and 5G-NR. Frédéric Launay
rel="nofollow" href="#fb3_img_img_3af3c7e7-f775-56a9-a749-8a8f34c6144c.jpg" alt="Schematic illustration of QFI management in the user’s plane."/>
Figure 1.10. QFI management in the user’s plane
1.5. Security architecture
The security architecture implemented on the 5G mobile is based on:
1 – mutual authentication between the 5GC core network and mobile (UICC);
2 – ciphering and integrity of NAS signaling messages exchanged between the mobile and the AMF;
3 – AS security through the 5G-NR radio interface between the mobile and the NG-RAN node. Security concerns the integrity control and encryption of RRC messages and IP packets. Integrity on IP packets is optional.
Data integrity:
1 – ensures that the data have not been altered by a third party between transmission and reception;
2 – verifies the transmitting source;
3 – ensures that a message already received is not reused.
Encryption ensures the confidentiality of data exchanged between two entities.
The security of the NAS and AS messages consists of deriving different keys at the level of the mobile and at the level of the following entities (Figure 1.11):
1 – The AMF:
2 – KAMF key;
3 – KNASint key from the KAMF key for the integrity check of the NAS signaling;
4 – KNASenc key from the KAMF key for the encryption of the NAS signaling.
5 – The radio node:
6 – KgNB key from the KAMF key;
7 – KRRCenc key derived from the KgNB key for the encryption of RRC signaling on the 5G-NR interface;
8 – KRRCint key derived from the KgNB key for the integrity check of RRC signaling on the 5G-NR interface;
9 – KUPenc key derived from the KgNB key for encrypting IP traffic on the 5G-NR interface;
10 – optionally, a KUPint key derived from the KgNB key for the integrity check of IP traffic on the 5G-NR interface.
Figure 1.11. Security architecture
The mobile must support the NAS security based on information transmitted by the 5G core network and AS security, according to the indications sent by the NG-RAN access node.
5G security is based on the use of:
1 – NEA encryption algorithms (Encryption Algorithm for 5G);
2 – NIA (Integrity Algorithm for 5G) integrity control algorithms;
3 – the KUPenc, KRRCenc, KNASenc encryption keys consist of 128 bits.
The encryption and integrity control algorithms are similar to those used on the LTE interface:
1 – NEA0/NIA0: no ciphering;
2 – 128-NEA1/128-NIA1: algorithm SNOW 3G (flow ciphering);
3 – 128-NEA2/128-NIA2: algorithm AES (bloc ciphering);
4 – 128-NEA3/128-NIA3: algorithm ZUC (flow ciphering).
Encryption and integrity are based on the following parameters:
1 – a 32-bit counter;
2 – the identity of the 5-bit bearer;
3 – the direction of the connection on one bit;
4 – the length of the message.
Figure 1.12. Ciphering and integrity
1.6. Network slicing
Network slicing is the embodiment of the concept of running multiple logical networks as virtually independent business operations on a common physical infrastructure in an efficient and economical way.
Virtualization is a hardware abstraction to partition network resources into distinct logical segments.
Network partitioning makes it possible to allocate a part of server hardware resources (NFVI: Network Function Virtualization Infrastructure) to network functions (VNF: Virtualized Network Functions).
Hardware capabilities are dynamically managed based on the number of users, on the one hand, and the profile of each user, on the other hand. By default, the 3GPP standard has defined four types of services:
1 – eMBB: evolved Mobile BroadBand to manage smartphone services such as high speeds, several session establishments, handover management, low latency;
2 – mMTC: massive Machine Type Communication to manage the sessions of IoT terminals (low speed, little transmission and mainly in the upstream direction, long delay);
3 – URLLC: Ultra-Reliable Low-Latency communication for critical communications requiring very low latency (less than 1 ms for the user plane) and efficient management of the handover;
4 – V2X: Vehicle to Everything for autonomous vehicles (between vehicles, with radio infrastructure, etc.).
Network slicing provides all the functionality of the 5G network, including optimization of the radio access network and core network entities to meet the service level agreement (SLA) requirements requested by the user.
Virtualization allows us:
1 – to allocate a set of material resources (storage capacity, network performance, computing capacity in terms of the number of CPUs);
2 – to deploy optimized software instances on the hardware resources. The instances correspond to the NFV network functions to be deployed:- in the radio access network by dividing the radio functions into two entities gNB-CU and gNB-DU,- in the 5G core network (AMF, SMF, PCF, etc.),- to deploy optimized network functions (content cache, video optimizer, malware detection, etc.).
The set of hardware and software resources form a Network Slice Instance (NSI). The network instance is split into an RAN Slice Instance (RSI) and a Core Network instance.
From a user point of view, the mobile requests registration on a network instance from the 5GS network. The mobile profile allows the network to define the optimized network instances through the S-NSSAI (Single Network Slice Selection Assistance Information) identifier.
The S-NSSAI indicator is composed of two fields:
1 – SST: Slice Service Type defined user profile (1: eMBB, 2: URLLC, 3: mMTC, 4: V2X);
2 – SD: Slice Differentiator to differentiate specific services within an SST service type.
The S-NSSAI indicator is stored at the UDM database for each user profile and stored in the mobile. Each mobile can subscribe to up to eight S-NSSAI. S-NSSAI indicators are integrated into the NSSAI indicator.
When requesting registration, the mobile sends the desired NSSAI flag in the RRC request. The gNB-CU entity selects the AMF entity from the NSSAI