Emergency Services(E911) FallBack procedures in 5G

1.1     Emergency Services FallBack ES-FB

1.1.1     Introduction

Service Request for emergency: This solution is new in 5GS, i.e., there is no equivalent in 4G. The UE uses service-request for emergency towards AMF if support for this feature has been indicated by the AMF. If receiving the service request for emergency, the AMF interacts with gNB to perform EPS Fallback. In this solution, there is no need for NR and 5GC to support emergency features other than needed for service-request for emergency handling. However, voice over NR (possibly including EPS Fallback) has to be supported on NR and 5GC (otherwise the UE would not even camp on NR).

If the 5GC has indicated Emergency Services Fallback support for the TA and RAT where the UE is currently camping, and if the UE supports emergency services fallback, the UE shall initiate the Emergency Services Fallback procedure described below in section

1.1.2     Registration Procedure (Message / IEs related with Emergency Support)

1.1.3     Emergency Service FallBack     23.502 Call Flow for Emergency Service FallBack (ES-FB)     General Call Flow for Emergency Service FallBack (ES-FB) . Redirection Case

  1. UE camps on E-UTRA or NR cell in the 5GS (in either CM_IDLE or CM_CONNECTED state).
  2. In SIB1 (optional) , NW indicate support for Emergency.
  3. Registration Request from UE set required parameters like “Voice Centric” and “S1 Mode “Flag.
  4. In Registration Accept message, NW indicates  VoPS flag as TRUE and EMF flag as Non Zero (01 – 11) and EMC Flag as 00.
  5. UE sends a Service Request message as requesttype as emergency services fallback. The UE is not required to include the PDU Sessions that are not relevant for the emergency service in the List Of PDU Sessions to be Activated in the Service Request for the emergency service.
  6. For Redirection case, NW trigger Intersystem Redirection by sending RRCRelease message with RedirectInfo as E-ARFCN and VoiceFallBackIndication as TRUE.
  7. RRCConnectionRequest on LTE with establishmentcause as “Emergency” triggered.
  8. TAU procedure triggered with active flag to indicate that the UE has “user data pending”.
  9. After redirection to the target cell the UE establishes a PDN connection for IMS emergency services and performs the IMS procedures for establishment of an IMS emergency session.     Emergency Service FallBack (ES-FB) during QoS Flow Establishment

  1. If Emergency Services Fallback occurs during QoS Flow establishment than this is the same procedure as defined during EPS Fallback ( check older post for EPS – FallBack call flow). Only additional/different procedures for Emergency Services FallBack are mentioned below:
  2. In Registration Accept message, NW indicates that EMF as 01 and EMC as 00 .
  3. INTERNET and IMS PDU Session established.
  4. SoS / Emergency PDU session established and P-CSCF  and IP assigned to the UE.
  5. During E911 call initiation, Call FallBack to EPS due to lack of QoS Flow establishment for Emergency call on 5GS.
  6. Redirection procedure triggered with RRCRelease with E-UTRA ARFCN info and voicefallbackindication flag as TRUE.
  7. As N26 interface supported, UE trigger TAU Request with three (Emergency, Internet, IMS PDN) as Active. RRCCoonectionRequest with establishmentcause as “Emergency” used on EUTRA / EPS.
  8. Once All three PDN become active, Emergency call established on LTE.

1.2     References

  • 24.229
  • 23.502
  • 24.501
  • 24.301
  • 23.501
  • GSMA NG.114
  • 38.331
  • 38.413

EPS Fallback Voice in 5G

1.1     Introduction

Voice over NR with EPS Fallback includes an additional mobility trigger by which the UE falls back from NG-RAN to LTE during call establishment. This may be needed, e.g., in case not all feature for voice over NR are implemented in the UE or in case of temporary lack of radio resources in NR.

EPS fallback is an additional mobility trigger for improving voice KPIs. EPS Fallback enables phones to use the 5GC with NR, but RAN may trigger moving the phone LTE connected to EPC during call establishment. The reason for moving the UE to LTE can be :

  • temporary lack of radio resources in NR for voice
  • the UE is in area where NR in 5GS is not dimensioned and tuned for voice
  • Prior to all needed voice features are in place in the phone.

A smartphone (UE), connected to NR that tries to establish a voice connection, may perform an EPS fallback at call setup, triggered by the attempt to establish the Quality-of-Service (QoS) flow for voice media in NR.

At the attempt to establish the QoS flow for the voice media over NR during call set-up, the NG-RAN rejects the QoS flow setup towards the SMF with an indication that mobility is in progress. The NG-RAN initiates transfer of all PDU sessions from 5GS to EPS, using one of the two standardized procedures:

  • Release with redirect
  • Inter-system handover

1.2     Technical Aspect

When a UE moves from EPC to 5GC, the UE always performs Registration procedure.

When a UE moves from 5GC to EPC, the UE performs either Tracking Area Update or Initial Attach.

The UE performs Tracking Area Update procedure if :

–    Both the UE and the EPC support “attach without PDN connectivity”, or

–    The UE has at least one PDU Session for which Session Continuity is supported during interworking, i.e. the UE has EPS Bearer ID and mapped EPS QoS parameters received as described in clause of 23.502.

The UE performs an initial attach procedure if :

–    The UE is registered without PDU Session in 5GC or the UE is registered only with PDU Session for which Session Continuity is not supported during interworking to EPC, and

     –         Either the UE or the EPC does not support attach without PDN connectivity

1.3     3GPP CallFlow from 3GPP 23.502

Please refer Section of 3GPP 23.502

1.4     General CallFlow in Details

1.4.1     End to End Call Flow (Redirection and N26 Supported)

End to End EPS Fallback with N26 and Redirection Supported
  1. During “Registration Request” from UE, it will indicate UE Usage Settings as “Voice Centric” and “S1 Mode “ is TRUE.
  2. AMF request NGRAN to enquire about IMS Voice Support on NR from UE. NGRAN send UE Capability Enquiry –NR to UE.
  3. UE send UECapabiltyInformtion-NR Capability with VoiceOverNR flag set as FALSE. That means , UE does not support Voice over NR and eventually Fallback Voice call session on EPS.NGRAN inform AMF about IMSVoiceSupportIndicator to FALSE in UERadioCapabiltyCheckResponse message.
  4. AMF inform NGRAN that RedirectionEPSFallbackIndicator as TRUE in IntialContextSetupReq message.
  5. In RegistrationAccept message from NW, IWKN26 bit is set to FALSE (we are assuming that UE support N26 Interface and support Single Registration Mode) and IMS VoPs 3gpp Flag set as TRUE in 5GS Network Feature Support IE.
  6. PDU Session for INTERNET DNN is established.
  7. PDU Session for IMS DNN is established (Please check other post for IMS PDU Session Establishment).
  8. IMS Registration Completed with P-CSCF and UE IP assigned in IMS PDU Session. In REGISTER , SUBSCRIBE message P-Access-Network-Info should be use wit value of NR cell like “3GPP-NR-FDD” and MCC+MNC+TAC+NCI like  :
P-ANI Header (Reference 24.229)
  • For MO Voice call, UE initiate INVITE with P-ANI as “3GPP-NR-FDD” and SDP content with EVS audio Codec. NW sends 183SessionInProgress message and FallBack Procedure triggered during reservation of dedicated resources for Voice Session.
  • During Dedicated QoS Flow Establishment, NGRAN and 5GC take decision to FallBack Voice Call on EPS as Voice over NR cannot be established due to VoiceOverNR Flag is FALSE.
  • NGRAN initiate RRCRelease or HandoverRequest  with ReDirectionInfo with EUTRAN Cell info to Fallback on LTE / EPS.
  • As NW indicate N26 interface supported than UE will send TAU Request message with ”request type “ as “handover” with  IMS PDN and Internet PDN as Active in EBI information. NW mapped these PDN information with INTERNET / IMS PDU session (MME communicate with AMF over N26 interface to fetch UE Context information). Please check next section for other important IEs of TAU.
  • UE will send IMS Re-Register with PANI as “3GPP-EUTRA-FDD” for RAT change.
  • Other SIP messages transferred between UE and IMS Server and Dedicated Bearer for Voice with QCI =1 established on LTE.

1.4.2     Layer 3 Call Flow ( NR – LTE) for EPSFallBack (N26 Supported)

LAyer 3 and TAU procedure details
  • Please refer previous section Except TAU procedure.
  • After receiving RRCRelease (Redirection Case RRC_IDLE) UE will camp on LTE Cell as per ARFCN provided.
  • In TAU Request message (5G Integrity Protected):
    • UE will provide Request Type as “Handover”, UE Status as “5GMM REGISTERED”, Old GUTI (mapped with 5G-GUTI), EPS Bearer status set for INTERNET and IMS PDN as “Active”, PCO – 0001AH as PDU Session ID (mapped for IMS and INTERNET PDN)
  • For TAU Accept, MME interact with AMF on N26 interface and fetch UE context and mapped PDU session (IMS and INTERNET) and assign Bearer ID for IMS and INTERENT PDN. Same UE IP and P-CSCF is used as assigned by 5GC.
  • Once both Default PDN established, Dedicated bearer request procedure for Voice Call QCI = 1 started and Voice call established.

1.5     References

  • 24.229
  • 23.502
  • 24.501
  • 24.301
  • 23.501
  • GSMA NG.114
  • 38.331
  • 38.413

5G Security (5G AKA Authentication)

5G Security Procedure between UE and Network

Security Types in 5G Network

  1. Security required for UE to access network services comes under Network access security. This security mainly cover Authentication, Integrity and ciphering of Signalling and data.
  2. Domain Security mainly covers secure communication between different Network nodes.
  3. Application domain security covers security mechanism between peer applications.
  4. There are two different kind of authentication

Different Authentication, Ciphering and Integrity Algorithms

  • In most cases for Authentication Key Agreement(AKA), operators use Milenage/TUAK algorithm. But some cases proprietary algorithm.
  • For Cyphering and Integrity Protection following Algorithms are used. 

Ciphering Algorithms

Integrity Algorithms

Key Distribution

5G AKA Authentication Procedure

Authentication Flow Steps

  1. After receiving Registration Request, AMF  initiates authentication procedure with UE, if UE security context is not existing with AMF.
  2. AMF sends Nausf_UEAuthentications Request with SUCI or SUPI and Serving network name.
  3. AUSF based on the Serving Network name, determine if AMF is authorised to send this message.
  4. Then AUSF, sends Nudm_UEAuthentication_Get Request with SUPI/SUCI to UDM.
  5. UDM Calculates the 5G HE AV as below. UDM Uses Milenage functions to derive MAC, XRES, CK, IK and AK.
  • UDM derives Kausf is as follows using HMAC-SHA-256(K, S) KDF(Key Derivation Function) function as below.
  • UDM derives XRES* as follows using HMAC-SHA-256(K, S) KDF function.
  • UDM derives 5G HE AV from above derived keys as below and send it to AUSF with message “Nudm_Authentication get Response” 5G HE AV = RAND ‖ XRES* ‖ Kausf ‖ AUTN
  1. Derivation of 5G SE AV at AUSF
  • HXRES* Calculation at AUSF: HXRES* is 128 bit MSB of the output of SHA-256 hash, calculated by passing RAND || XRES* as input to SHA-256 algorithm.
  • AUSF derives Kseaf from Kausf by passing K= Kausf  and S = 0x6C || Serving Network Name || Lenth of Serving Network Name to KDF function.
  • AUSF calculates 5G AV and 5G SE AV as below and send 5G SE AV to AMF. 5G AV = RAND ‖ HXRES* ‖ Kseaf ‖ AUTN 5G SE AV = RAND ‖ HXRES* ‖ AUTN
  1. AMF Sends NAS Authentication Request to UE with RAND and AUTN from 5G SE AV.
  1. UE Uses Milenage functions to derive XMAC, RES, CK, IK as below.
  1. UE Verify the MAC received in AUTN with XMAC calculated above to authenticate the network and check the freshness of AUTN. Here if the comparison fails then it will send authentication failure with AUTS.
  1. UE derives RES* as follows using HMAC-SHA-256(K, S) KDF function. using keys calculated above, and then sends RES* to AMF.
  1. AMF Calculates HRES* from RES* : HRES* is 128 bit MSB of the output of SHA-256 hash, calculated by passing RAND || RES* as input to SHA-256 algorithm.
  1. AMF compares HRES*(Calculated above) with HXRES* received from AUSF to check for successful authentication.
  1. AMF sends RES* received from UE to AUSF with “Authenticate Request” message.
  1. AUSF compares RES* with the XRES*(part of 5G HE AV) received from UDM in step 5.
  1. If Comparison is successful, AUSF sends Authentication Event notification to UDM with “Success”.

5G Quality Of Services (QoS)

The concept of QoS in 5G is flow based. Packets are classified and marked using QFI (QoS Flow Identifier). The 5G QoS flows are mapped in the AN (Access Network) to DRBs (Data Radio Bearers) unlike 4G LTE where mapping is one to one between EPC and radio bearers. It supports following QoS flow types. 

  • GBR QoS flow, requires guaranteed flow bit rate.
  • Non-GBR QoS flow, does not require guaranteed flow bit rate.
  • Delay Critical  QoS flow, For Mission Critical  guaranteed flow bit rate.

The 5G QoS flows are mapped in the AN (Access Network) to DRBs (Data Radio Bearers) unlike 4G LTE where mapping is one to one between EPC and radio bearers.

5G NR QoS Architecture

New Quality Of Experience (QoE) in 5G

How 5G QoS is differ from 4G


The concept of QoS in 4G LTE is based on Bearers. The Concept of QoS in 5G is based on Flow Based.

In 4G, EPS Bearer ID (EBI) is used to distinguish between different Quality Of Services (QoS).

5G uses QoS Flows, each identified by a QoS Flow ID (QFI). As with 4G LTE both non-GBR flows and GBR flows are supported in 5G, along with a new delay-critical GBR. 5G also introduces a new concept – Reflective QoS.

The 5G QoS flows are mapped in the AN (Access Network) to DRBs (Data Radio Bearers) unlike 4G LTE where mapping is one to one between EPC and radio bearers.

4G vs 5G QoS flow parameters

5G – 5GC QoS Packet Filtering

In 5G, QoS Flow mapping happen two times. In the 5GC, there is only a single user plane network function – the UPF – for transport of data between the gNB and the core. In 5G, there is a one-to-many relationship between the GTP-U tunnel on N3 and the DRBs on the air interface. Each QoS flow on N3 is mapped to a single GTP-U tunnel. The gNB may map individual QoS flows to one more DRBs. Therefore, a PDU session may contain multiple QoS flows and several DRBs but only a single N3 GTP-U tunnel. A DRB may transport one or more QoS flows.

5G QoS Parameters / Attributes

QoS flow is identified by QFI within PDU session. This QFI is carried in an encapsulation header over NG-U. 
• For each UE, 5GC establishes one or more PDU sessions and NG-RAN establishes at least one DRB together with PDU session. Additional DRBs are configured for QoS flows of that PDU session consecutively. 
• NG-RAN maps packets which belong to the different PDU sessions to different DRBs.

NAS level packet filters in UE and in 5GC associate UL/DL packets with QoS flows. At NAS level, QoS flow is characterised by QoS profile provided by 5GC to NG-RAN and QoS rules provided by 5GC to UE. 

AS-level mapping rules in UE and in NG-RAN associate UL/DL QoS flows with DRBs. At AS (Access Stratum) level, DRB defines packet treatment on radio interface (Uu). 

5G QoS Flow Descriptions

The network can also provide the UE with one or more QoS flow descriptions associated with a PDU session at the PDU session establishment or at the PDU session modification.

Each QoS flow description contains:

a)  a QoS flow identifier (QFI);

b)  if the flow is a GBR QoS flow:

1)  Guaranteed flow bit rate (GFBR) for UL;

2)  Guaranteed flow bit rate (GFBR) for DL;

3)  Maximum flow bit rate (MFBR) for UL;

4)  Maximum flow bit rate (MFBR) for DL; and

5)  optionally averaging window, applicable for both UL and DL;


If the flow is aNon-GBR QoS flow:

  1. Reflective QoS Attribute (RQA) in DL
  2. Additional QoS Flow Information

c)  5QI, if the QFI is not the same as the 5QI of the QoS flow identified by the QFI; and

d) ARP

e)  optionally, an EPS bearer identity (EBI) if the QoS flow can be mapped to an EPS bearer .

5G QoS Rules

5G Signaled QoS Rule

The NAS protocol enables the network to provide the UE with signalled QoS rules associated with a PDU session.The network can provide the UE with one or more signalled QoS rules associated with a PDU session at the PDU session establishment or at the PDU session modification.

Each signalled QoS rule contains:

a )        an indication of whether the QoS rule is the default QoS rule;

b)         a QoS rule identifier (QRI);

c)         a QoS flow identifier (QFI);

d)         optionally, a set of packet filters; and

e)         a precedence value.

5G Derived  QoS Rule

The reflective QoS in the UE creates derived QoS rules associated with a PDU session based on DL user data packets received via the PDU session.

Each derived QoS rule contains:

a)  a QoS flow identifier (QFI);

b)  a packet filter for UL direction; and

     c)  a precedence value of 80 (decimal)

5G QoS Flow Characteristics

  • Resource Type (GBR, Delay critical GBR or Non-GBR);
  • Priority Level;
  • Packet Delay Budget (including Core Network Packet Delay Budget);
  • Packet Error Rate;
  • Averaging window (for GBR and Delay-critical GBR resource type only);
  • Maximum Data Burst Volume (for Delay-critical GBR resource type only).

5G QoS Flow Table

5G Network Identity SUPI/SUCI


In 5G in order to protect UE permanent Identity (SUPI- Subscription Permanent Identifier )  UE never transmit SUPI as it is. UE conceal(encrypt) SUPI using encryption scheme to create SUCI(Subscription Concealed Identifier), before sending it to core network.

Concealing can be done in USIM or ME(Mobile Equipment) depending on the indication configured in USIM by operator. If no indicator present, ME does the concealing.
In core network only UDM has authority to de-conceal the SUCI. 

Identity flow between UE and Network

Decoding of SUCI

SUPI Type: consisting in a value in the range 0 to 7. It identifies the type of the SUPI concealed in the SUCI. The following values are defined

–  0: IMSI
–  1: Network Specific Identifier
–  2 to 7: spare values for future use.

Home Network Identifier: identifying the home network of the subscriber.

When the SUPI Type is an IMSI, the Home Network Identifier is composed of two parts:
–  Mobile Country Code (MCC), consisting of three decimal digits.
–  Mobile Network Code (MNC), consisting of two or three decimal digits.
When the SUPI type is a Network Specific Identifier, the Home Network Identifier consists of a string of characters with a variable length representing a domain name. Ex. abc@xyz.com

Routing Indicator: consisting of 1 to 4 decimal digits assigned by the home network operator and provisioned in the USIM.

Routing Indicator: consisting of 1 to 4 decimal digits assigned by the home network operator and provisioned in the USIM.

Protection Scheme Identifier: consisting in a value in the range of 0 to 15 and represented in 4 bits.

  • null-scheme         0x0;
  • Profile <A>         0x1;
  • Profile <B>         0x2.

Home Network Public Key Identifier: consisting in a value in the range 0 to 255. It represents a public key provisioned by the HPLMN and it is used to identify the key used for SUPI protection. In case of null-scheme being used, this data field shall be set to the value 0;

Scheme Output: consisting of a string of characters with a variable length or hexadecimal digits, dependent on the used protection scheme.

  • Null Scheme – For null scheme no encryption happens and scheme output field is replaced by MSIN(value after taking out MCC and MNC from IMSI) value of IMSI as it is.
  • Elliptic Curve Integrated Encryption Scheme(ECIES) Profile A – In this case scheme out put is further divided in two  parts:
    1. ECC ephemeral public key 64 bits, freshly generated using the provisioned ECIES input parameters.
    2. Ciphered Text, is of variable length 
  • Elliptic Curve Integrated Encryption Scheme(ECIES) Profile B – In this case scheme out put is further divided in two  parts
    1. ECC ephemeral public key 66 bits, freshly generated using the provisioned ECIES input parameters.
    2. Ciphered Text, is of variable length

Note: Detailed into Elliptic Curve Integrated Encryption Scheme(ECIES) will be discussed in another Blog.

5G Network Slicing Concepts


In 5G network communication infrastructure is not just confined to mobile voice/text communication, it is now segregated and very diversified to different services like Industrial IoT, Smart home domestic IoT, Low latency Medical communication, high bandwidth mobile broadband etc. And each of these services require different data behavior and QoS from network infrastructure.

In 5G each network node is equipped with special features to serve the purpose of one or multiple services and the kind of service supported by a particular node is defined in NSSF(Network Slice Selection Function). For any particular service request from UE, is served by a set of network entities associated with that Service and called a slice.

NSSAI(Network Slice Selection Assistance Information) Structure and Fundamentals

  • Network Slice configuration Information can have multiple NSSAI
  • Each PLMN can have at most one configured NSSAI
  • Each NSSAI has multiple S-NSSAI slices.
  • Each S-NSSAI slice has multiple DNNs configured.
  • A configured NSSAI can be configured by a serving PLMN or default NSSAI configured by HPLMN.
  • If Serving PLMN doesn’t have specific configured PLMN then it uses default configured NSSAI from HPLMN.
  • UE is pre-configured/provisioned by signalling message with default configured NSSAI by HPLMN.
  • UE is only configured with a set of subscribed S-NSSAIs out of the default configured NSSAI, which is a subset of the S-NSSAIs configured inside default configured NSSAI in HPLMN.
  • Allowed S-NSSAIs provided to the UE can have values, which are not served by Serving PLMN, in that case Serving PLMN updates the allowed S-NSSAI list with mapping to corresponding S-NSSAI of the HPLMN.

S-NSSAI and it’s Structure

Each Slice is identified by S-NSSAI (single network slice selection identifier)

  • SST is required value where was SD is optional
  • SST refer to expected behaviour of the slice.
  • SD is optional and differentiates among multiple slices with same SST.

  • UE during Registration and PDU session Establishment sends S-NSSAI value and optionally HPLMN NSSAI value, if in visiting area.
  • The requested NSSAI signalled by UE to network allows the network to select appropriate serving AMF, Network slice and network slice instance.
  • Based on the subscription data, one UE can have subscription to multiple S-NSSAIs and one of them can be marked as default S-NSSAI.
  • Subscription information for each S-NSSAI may have multiple DNN and one of them is default DNN.

Services provided by NSSF

Nnssf_NSSelection_Get service operation

  • May be invoked during Registration, for serving AMF selection and re-allocation.
  • PDU session establishment procedure, for SMF selection.
  • UE configuration update procedure, to update allowed S-NNAIs to UEs in current serving PLMN.


  • Nnssf_NSSAIAvailability_Update : In this process, AMF updates NSSF with S-NSSAIs supported by AMF per TA and   gets back availability of S-NSSAIs for each TA.
  • Nnssf_NSSAIAvailability_Notify  : AMF notify NSSF with restricted S-NSSAIs per TA using this procedure.

AMF Re-allocation Procedure

During UE registration procedure, if AMF doesn’t support one or more requested S-NSSAIs which is allowed by SPLMN/HPLMN then it request NSSF to provide the appropriate AMF to redirect the registration request from UE.

5G Way Through Unlicensed Spectrum

Utilizing unlicensed Spectrum

Unlicensed spectrum band is used by low-power devices such as WiFi or Bluetooth devices to communicate wireless signals over short range. For this spectrum band, there is no regulatory to provide license or it is free band as far as the transmission power is low. Some common devices in this category are home security system, WiFi remote camera, cordless phones and Bluetooth speakers/headsets.

For unlicensed transmission, in order to avoid larger interference, different devices operate in different frequency range like WiFi is regulated to use 2.4 GHz or 5 GHz band.

Good examples of Unlicensed spectrum utilization in communication.

  • WiFi offload: Offloading cellular traffic over WiFi Access points.
  • LTE-U : Transmitting LTE signal over unlicensed spectrum with low power for Home base station to cover small buildings.
  • LAA : License Assisted Access is a LTE aggregation technology(R-13) to aggregate Licensed LTE band(Anchor Band) with unlicensed bands.
  • Higher order MIMO in WiFi: This is multiple antenna WiFi technology(802.11ac) gives higher order MIMO to transmit Gigabits/s of traffic over WiFi access points.

5G System Objectives

5G is more than just another version of mobile network. It has to deal with most diversified communication infrastructures which has very diversified aspects described as below.

High speed radio access: 5G will provide download speeds of up to 20 Gbps. Why would anyone ever need that much speed?, Because of the evaluation of cloud based technology, online gaming and mobile edge computing, all the devices need a high speed and low latency connectivity to other edge nodes. And these are main driving force behind high data rate requirement. And in future this requirement is going to go up. It’s also important to remember that bandwidth is shared by all the users on a cell tower.

Ultra-low latency: 5G networks will be used to control autonomous cars, Health care communication like remote operation theatre and high precision mission-critical system. High reliability and availability at all times is base target for 5G systems.

Massive Connectivity: In this increasing smart world, 5G has to deal with millions of IoT devices and higher order density. By 2020 there will be approximately 21 billions of connected devices, excluding smartphones. Most of the IoT devices are remotely located and operated by batteries and constrained to transmit small amount of data like Smart electricity or water meters and parking sensors.  And 5G has to deal with device transmission power management and scale of the devices.

5G Driving Forces

Speed and scale: Up to 20Gbps wireless connectivity, with help of Carrier aggregation, Massive MIMO, higher order QAM

Unlicensed Spectrum: Mobile Operators, now a days prefer to unlicensed spectrum technologies such as WiFi, LTE-U, LAA or Multifire to cover coverage holes where regular radio network can’t penetrate. And this is one of the preference due to low infrastructure cost, free spectrum availability. 5G defined specs deals with inter working of 5G system with these unlicensed access technologies.

IoT : In cellular technologies, IoT is not new, as it is part of LTE/4G in different transmission technologies such as NB-IoT(Narrow band IoT), CAT-M1. and also non-LTE technologies such as LoRA and Sigfox. 5G is also going to have inbuilt IoT technologies which is going to support massive scale of IoT devices.

Virtualization: NFV enables massive scaling of network functions, easy and quick deployment(elastic network) and early to market are integral feature of 5G system.  5G specs have defined fully virtualised network functions and service based interfaces for cloud based deployment of network elements.

New Radio (NR): 5G NR is a new air interface being developed for 5G which uses millimetre wave ranging frequency band from 2.5 Ghz to 40 GHz. Although 5G NR uses same OFDM modulation as LTE, it is optimised to have better performance.

5G Network Architecture

Network Architecture Diagram

Functional Split of NW entities


Above Network functions performed by different 5G Access Network entities

Protocol Stack on different interfaces



UU User-plane : Radio interface user-plane carries, user Application traffic, which follows UU-U (Above)protocol stack.  User-data is transparent to access nodes like gNB.

UU Control-plane : in control plane RRC, PDCP, RLC, MAC, PHY get terminated at gNB, but NAS termination point is AMF, so gNB transparently passes the NAS messages to AMF.

NG Control-plane(N2): this protocol stack is between gNB and AMF. This stack helps providing access to UE to core network and transports NAS messages. Also helps establishment of  user-plane tunnels for UE.

NG User-plane(N3) : This is the protocol stack between gNB and UPF. This stack carries user data over GTP-U tunnel established during session establishment over N2.

Xn user and control plane : Xn interface is between 2 gNBs or gNB-Ng-eNB. This does necessary signalling and data during mobility.

N4 Interface: This interface is between SMF and UPF, Used for UPF selection and setup of U-plane tunnels and enables PFDs on user plane entities.

Service based interfaces: Most of the core Network entities with Service based end points and they host services performed by them and exposed these services by REST APIs. Details are in below diagram.

Service Based Architecture

In Service based Architecture, Network functions(Ex AMF) opens up services using service based access point(Namf) and other authorized network functions(Service Consumers) access this service through service these service access points. These interfaces are driven by REST APIs(HTTP)

5G PDU Session Establishment

PDU Session Establishment Concepts
  • In 5G, PDU session Establishment is parallel procedure of PDN connection procedure in 4G.
  • This Procedure can be UE requested or NW initiated(In case of emergency call with mobility registration).
  • This procedure is required in case of
    1. UE requested PDU session establishment.
    2. UE initiated PDU session HO between 3GPP and Non-3Gpp.
    3. UE initiated HO from EPS to 5GS.
  • In roaming scenario AMF determines, if the PDU session will be established at LBO(Local Breakout) or Home PLMN network slice.
PDU Session Management State

5G UE PDU Session Establishment

Steps for PDU Session Establishment
  • UE includes following information while sending PDU session establishment.
  • PDU Session Establishment Request is carried over NAS UL Transport
    1. Serving NSSAI-> This is UE preferred network slice or NSSAI where UE was registered before.
    2. DNN -> Data Network Name is same as APN in EPS. This is the data service name UE want to access.
    3. PDU Session ID : This is an unique identifier generated by UE. Can’t be same as any existing PDU session.
    4. Request Type-> This can be “Initial Request”, “Existing Session” or “PDU session Handover”
    5. 5GSM Capability-> This is UE’s session management capabilitys.
    6. PCO-> Protocol Configuration Option, same as EPS, and used to request various NW parameter.
    7. SM PDU DN Request Container -> This include Authorization information to access DN.
  • Based on request Type AMF Determines if it is a new PDU session or associated to any existing PDU session.
  • If NAS message doesn’t contain S-NSSAI. Then AMF selects default NSSAI.
  • If NAS message contains S-NSSAI, but doesn’t contain DNN then AMF selects default DNN for that NSSAI, if UE has subscription to that DNN else a local DNN is selected.
  • If Request type is Initial Request, or HO from EPS or non-3GPP then AMF stores a mapping of S-NSSAI, DNN, PDU-Session ID, SMF-ID, Access Type.
  • When AMF doesn’t have an association with SMF for the PDU session ID provided by UE, AMF sends Nsmf_PDUSession_CreateSMContextRequest. Else Nsmf_PDUSession_UpdateSMContextRequest is sent to SMF.
  • Based on the data provided by UE SMF communicates with UDM and PCF to get relevant information for PDU session creation.
  • If request type is initial request, SMF initiates a N4 Session Establishment Request with selected UPF, Else it sends a N4 Session Modification Request.
  • UPF Acknowledge the request N4 Session Establishment/Modification Response.
  • Using N4 session establishment SMF gets the GTP tunnel info from UPF.
  • After Successful creation of Tunnel end point, SMF sends Namf_Communication_N1N2MessageTransfer with Tunnel Details for N2 message and PDU session details in N1 Container.
  • Upon Reception of above message AMF Sends a NGAP PDU session Setup Request along with N2 parameter from SMF in above message with parameters, PDU Session ID, QFIs, QoS Profile, CN tunnel Info, PDU Session type, Session AMBR.
  • Inside N2 message above, AMF piggyback N1 PDU Session Establishment Accept with NAS Header with session parameters like QoS Rules, UE IP address.
  • Then NG RAN(gNB) Setups the GTP Tunnel based on the N2 information received from AMF and setup the Tunnel End point (or Bearer).
  • And gNB forwarded N1 message to UE for setting of PDU session.
  • gNB after setting up the tunnel, it sends back N2 PDU session setup response to AMF.
  • Then AMF Updates SMF about successful tunnel setup by sending Nsmf_PDUSession_UpdateSMContext_Request and receives response from SMF.

5GC, EPC interworking without N26 Interface

Inter-working Concepts

There can be single or dual registration mode UE supports to register with 5GC and EPC

Single Registration Mode:
  • In single registration mode there is only one active mobility state at any given time.
  • UE can be either in 5GC NAS mode or EPC NAS mode.
  • UE maps EPC-GUTI to 5G-GUTI during mobility between EPC and 5GC.
  • UE keeps 5G context for re-use when moving from 5GC to EPC
Dual Registration mode:
  • In Dual registration mode UE keeps independent registration for 5GC and EPC.
  • In this mode UE maintains 5G-GUTI and EPC-GUTI independently.
  • UE can perform 5GC or EPC re-registration/TAU using corresponding GUTIs.
Inter-working architecture without N26 interface

5G to EPS mobility without N26 interface flow

Message flow steps
  • Initially UE is registered to 5GC and establishes the PDU session.
  • In order to move to EPS system, UE triggers Attach request(to preserver IP address) to EPC.
  • Alternatively UE sends a Tracking area Update which fails and then UE initiates an Attach procedure. In this case there is no IP address preservation.
  • Single Registered mode UEs provide a EPS-GUTI derived from 5GC-GUTI if available else uses IMSI.
  • Dual Registered mode UEs provide 4G GUTI(if allocated earlier) with attach request.
  • In PDN connectivity request, UE sends Request type as “Handover” to indicate that it is moving from 5GS to EPS.
  • If Request Type is Handover and previous node is 5G AMF then MME is configured to send a location update request to HSS/UDM to tell them not to cancel Old AMF registration, as UE may move back to 5GS again.
  • After successful Attach and PDN connection PGW-C/SMF allocates same IP address as the 5GS.
  • And PGW-C/SMF initiates UE De-Registration and PDU Session release from 5GS.
EPS to 5G mobility without N26 interface flow

Message flow Steps
  • Initially UE is Attached to EPC and establishes the PDN Connection.
  • In order to move to 5G system, UE triggers Registration and PDU session procedure in 5GS.
  • In single registration mode, UE provides Registration Type as “mobility Registration update” and provides 5G-GUTI derived from 4G-GUTI.
  • UE in Dual Registration mode Provides Registration type as “initial registration” along with a native 5G-GUTI or SUPI.
  • UE will include, NSSAI from current serving PLMN.
  • AMF supports interworking with EPC, so it treats this as initial registration and skips PDU session status synchronization with SMF.
  • If UE is moving in step 1, then AMF updates UE location in HSS/UDM and tells them not to cancel the MME registration for the UE if any by setting ULR-Flags.
  • During PDU session establishment with 5GS, UE indicates “Existing PDU session” as Request Type to preserve the IP address.
  • After Successful Registration and PDU session establishment, PGW-C triggers the PDN connection release and detach of the UE from EPS.