1

Tutorial on communication between access

networks and the 5G core
Lucas Baleeiro Dominato⇤ , Henrique Carvalho de Resende‡ ,
Cristiano B. Both† , Johann M. Marquez-Barja‡ , Bruno O. Silvestre⇤ , Kleber V. Cardoso⇤
⇤ Universidade Federal de Goiás, Goiânia, GO, Brazil

{lucas.baleeiro, brunoos, kleber}@ufg.br

‡ IDLab—Department of Applied Engineering, University of Antwerp—IMEC, Antwerp, Belgium

{henrique.carvalhoderesende, johann.marquez-barja}@uantwerpen.be
† Applied Computing Graduate Program, University of Vale do Rio dos Sinos, Porto Alegre, RS, Brazil

{cbboth}@unisinos.br

Abstract—Fifth-generation (5G) networks enable a variety

of use cases, e.g., Ultra-Reliable and Low-Latency Commu-
nications, enhanced Mobile Broadband, and massive Machine
Type Communication. To explore the full potential of these
use cases, it is mandatory to understand the communication
between User Equipment (UE), Radio Access Network (RAN),
and 5G Core (5GC), which support new network concepts and
paradigms. For example, network slicing plays a crucial role in
the communication system to address the challenges expected
by the 5G networks. 3rd Generation Partnership Project has
recently published Release 16, including the protocols used to
communicate between RANs and 5GC, i.e., Non-Access Stratum
(NAS) and NG Application Protocol (NGAP). The main goal of
this article is to present a comprehensive tutorial about NAS and
NGAP specifications using a didactic and practical approach.
The tutorial describes the protocol stacks and aspects of the
functionality of these protocols in 5G networks, such as authen-
tication and identification procedures, data session establishment,
and allocation of resources. Moreover, we review message flows
related to these protocols in UE and Next Generation Node B
(gNodeB) registration. To illustrate the concepts presented in the
tutorial, we introduce a 5GC tester that implements NAS and Figure 1. Overview of NAS and NGAP protocols in the 5G system.
NGAP for availing of three open-source 5GC projects on a black-
box testing methodology.
Index Terms—NG-RAN, 5G Core, NGAP, NAS, 3GPP stan- NAS and NGAP are essential protocols for communication
dards, black-box testing. between 5GC, 5G RAN and UE, as shown in Figure 1. These
protocols are used for several network procedures such as
I. I NTRODUCTION registration to the network, handover, and the User Plane
(UP) configuration [3]. Once NAS and NGAP enable the
The evolution of networks towards automation comes as a communication of UE to the network, these protocols are
natural step for optimizing the usage of services and provid- directly related to the Quality of Service (QoS) and dynamicity
ing the assessing the new application requirements such as of the network, managing the creation of UP links and the
Ultra-Reliable and Low-Latency Communications (URLLC), mobility of UEs. NAS and NGAP protocols were specified
enhanced Mobile Broadband (eMBB), and massive Machine by a standardization organization called the 3rd Generation
Type Communication (mMTC) [1]. 5G networks fundamen- Partnership Project (3GPP)1 . The first NAS specification dates
tally changes the network deployment and configuration from back to 2008 [4], while NGAP is an upgraded version of a
a static to a complete dynamic perspective. However, de- protocol named S1 Application Protocol (S1AP) that dates
veloping the foundation for such dynamic networks requires back to 2007 [5]. Given the context in which they were
aligning with state-of-the-art beyond 5G networks concepts designed, these protocols needed to be adapted to fit the
by preparing standards and technologies for future use cases new application requirements and the changes in the mobile
and applications. Therefore, a careful study at the present network core. For instance, 5G networks are being built up
standards and specifications related to protocols such as NAS around a concept called Network Slicing (NS), aiming to
and NGAP, as well as their evaluation with envisioned future dynamically set virtual network layers over a shared infras-
deployments, is essential for the evolution to the next gener-
ation, i.e., 6G networks [2]. 1 3GPP-A Global Initiative: https://www.3gpp.org/
 2

tructure to provide customized network services for different Theoretical approach: In the gNodeB (i), we consider a
application requirements. The evolution of NAS and NGAP brand new gNodeB macrocell installed in a Network Service
considered and implemented changes to empower the new Provider (NSP) infrastructure. The 5G NG Radio Access
dynamic aspects of 5G networks and beyond. However, with Network (NG-RAN) infrastructure starts after setting up the
the constant evolution of research and the emergence of new network communication between the new macrocell and the
application requirements [6], it is fundamental to understand datacenter, where 5GC is deployed. In a high-level abstraction,
these protocols specifications and regularly validate their align- gNodeB will create two main links with 5GC, one for CP and
ment with what is being envisioned in the state-of-the-art. another for UP. After connecting to 5GC functions, gNodeB
registers to the network and enables the connection of new
A. Motivation and Contribution UE using the wireless link. At this point, NAS and NGAP
The validation of the protocols requires constant study spec- protocols cooperate with each other. UE (ii) connects using
ifications and implementation of these protocols. However, the wireless link to gNodeB and sends the first registration
protocols specifications are complex because, by definition, message to 5GC. All the control messages of UE with gNodeB
they need to deal with several details, e.g., define every are intermediated by gNodeB. When creating the UP commu-
message to be exchanged by the system entities given a nication from UE, 5GC communicates to gNodeB to create
particular scenario and state. Therefore, a tutorial explaining a communication channel for this UE UP. Having UP set up,
the protocols considering 5GC could complement the 3GPP UE can exchange data with Data Network (DN) and de-register
specifications by adding a didactic and practical approach from the network, followed by the de-registration of gNodeB
to the academia, supporting 5G and beyond enthusiasts to and the de-activation of the equipment.
validate their ideas in these protocols. Practical approach: The study on hands-on experiments on
This article provides a tutorial about NAS and NGAP proto- 5GC became closer to reality with the introduction of the open-
cols specifications with the main focus on offering additional source 5GC solutions [8], [9], [10]. Nonetheless, the study on
study material using a didactic and a practical approach. The 5GC is only possible if there is an integration of the core
didactic approach would demonstrate simplified call flows on network with real or simulated NG-RAN components. There-
the protocols, highlighting 5G features enablers. Furthermore, fore, the study on the behavior of NAS and NGAP protocols is
the experimental process is done by implementing NAS and essential to enhance the experimentation with 5GC solutions
NGAP protocols and using them as black-box testers [7] to became very important for low-cost research prototypes by
provide a guidance tool for mastering NAS and NGAP, as creating simulated UE and gNodeB behaviors. As a practical
illustrated in Figure 1. Our main contributions are: approach for this tutorial, we will utilize the theoretical use
1) To provide a comprehensive tutorial on the functioning cases as a base for implementing a POC 5GC black-box tester.
of NAS and NGAP protocols, focusing on UE and For that, we provide a guide over the technology, architecture,
gNodeB. and main components of the tester, explaining how it relates
2) To detail the usage of the knowledge on the protocol to NAS and NGAP protocols. We argue that the practical
mechanics to test the expected uses cases for the 5GC. approach is of fundamental importance for a better learning
3) To present and provide a Proof of Concept (POC) outcome. Moreover, the tester can validate the alignment of
5GC tester as a learning tool to reinforce the tutorial 5GC with NAS and NGAP protocols specifications supporting
information about NAS and NGAP availing from 5GC the extension of the protocols for state-of-the-art 5G and
black-box testing. beyond research.
The sections of this article are organized as follows. The
B. Methodology 5GC main components and the RAN are explained in Section
This section describes the didactic approach of this tutorial, II. The protocols NAS and NGAP are detailed in Section III
which uses simplification as a learning methodology. We un- and Section IV, respectively. In Section V, we provide a POC
derstand that for complex subjects of study, the methodology to deepen the NAS and NGAP protocol studies, analyzing
becomes essential to absorb the necessary information. There- three 5GCs open-source projects concerning conformance and
fore, we provide a strong base of knowledge to understand the robustness tests. In Section VI, we discuss open issues and
protocols’ specifications. challenges for 5G and beyond directly related to NAS and
In 5G networks, NAS and NGAP protocols are of fun- NGAP protocols. Finally, we present the concluding remarks
damental importance for registering and connecting UE and and future work for this tutorial in Section VII.
gNodeB to 5GC. Therefore, aiming at simplification, we
divided this work into two parts: the theoretical approach and
II. 5G SYSTEM COMPONENTS AND INTERFACES
the practical approach. In the theoretical part, we focus on
(i) the register of a new gNodeB in the infrastructure and The 5G System (5GS) has as its main objective to provide
management of NAS messages using NGAP, and (ii) a new connectivity for UEs. For this, 5GS enables the registration of
UE registering for the first time to the network and sending UEs in the network via CP procedures and sets up the UP paths
Control Plane (CP) network traffic using NAS. In the practical to DNs. These CP procedures require the communication of
part, we use the information introduced in the theoretical part multiple components from the edge of the network to the core.
to develop a POC, demonstrating how this tutorial can be 3GPP [11] designed a reference architecture to organize the
applied to a practical use case. communication among the 5GS components through reference
 3

5G Core

NSSF NEF NRF PCF UDM AF

Nnssf Nnef Nnrf Npcf Nudm Nnaf

Namf Nsmf Nausf

AMF N11
SMF AUSF

N2 N4
Uu NG Interface
UPF N6
Data Network
N3
UE gNodeB N9

PDU Flow NAS NGAP NAS/NGAP Direct relation NAS/NGAP Indirect relation

Figure 2. 5G Core (5GC) Service-based Architecture (SBA).

points. In this context, we designed a 5GS architecture inspired a GPRS Tunnelling Protocol (GTP)-U, i.e., a GTP tunnel for
by 3GPP’s reference architecture to describe the functioning the UP traffic. This function receives connection requests from
of NAS and NGAP protocols, as shown in Figure 2. The 5GS NG-RAN and creates a GTP tunnel for each UE. After that,
architecture includes two major components: NG-RAN and UPF receives the user data traffic related to UEs and processes
5GC. UE communicates with NG-RAN over a radio interface it by shaping the network traffic and collecting measurements.
named Uu, and NG-RAN communicates with 5GC over the Considering the reference points, 3GPP defines the com-
NG interface. Therefore, all the communication of UE to 5GC munication interfaces with 5GC. In this context, NAS and
is carried over NG interface. A brief overview of the 5GC NGAP protocols work over N1 and N2 reference points to
architecture, presented in following, is necessary to understand the CP communication. For example, the N1 reference point
the overall functions and the NAS and NGAP procedures. is used between UE and AMF through the NAS protocol. The
N2 reference point is the essential interface between NG-RAN
and AMF. Moreover, we have the N11 reference point between
A. 5G Core (5GC)
AMF and SMF. In this case, AMF transfers the NAS messages
5GC was initially specified in Release 15 and it introduced related to a certain SMF instance over the N11 reference point.
the novelty SBA model in this release [12]. This architecture In the following, we describe an overview of NG-RAN related
model promotes the high-decoupling of the code by diving to NAS and NGAP protocols to have a better understanding
it into microservices, a technology commonly employed in of the main components and their interfaces.
cloud environments. 5GC is mainly composed of ten Network
Functions (NFs): (i) Access and Mobility Function (AMF), (ii)
Session Management Function (SMF), (iii) User Plane Func- B. New Generation Radio Access Network (NG-RAN)
tion (UPF), (iv) Network Slice Selection Function (NSSF), NGAP is the protocol for CP communication between a
(v) Network Exposure Function (NEF), (vi) NF Repository NG-RAN node, i.e., a gNodeB and the 5GC over the New
Function (NRF), (vii) Policy Control Function (PCF), (viii) Generation (NG) logical interface. The NG interface considers
Unified Data Management (UDM), (ix) Application Function an infrastructure agnostic, i.e., it works over heterogeneous
(AF), (x) Authentication Server Function (AUSF). However, hardware between NG-RAN node and 5GC. Moreover, this
only AMF, SMF, and UPF are the NFs directly related to interface supports the separation of CP and UP. In this case,
NAS and NGAP protocols. Therefore, we focus mainly on CP over the NG interface is called NG Control-plane Interface
these three 5GC NFs in this tutorial. More information about (NG-C), and UP is called NG User-plane Interface (NG-U).
the 5GC functions can be found in Cardoso et al. [13]. As illustrated in Figure 3, these two interfaces are divided
AMF is responsible for managing all the signaling that is into two groups: Transport Network Layer (TNL) and Radio
not specific to user data, such as mobility or security [12], Network Layer (RNL).
and AMF is one of the end-points for the CP communication. TNL is responsible for transmitting the network packets
SMF handles the control signaling related to user data traffic, between the NG-RAN node and 5GC. RNL regards the control
such as session establishment [12]. These requests related to access to the mobile network. The NG-C TNL stack is
user data traffic coming from AMF over NAS from UE and implemented over Internet Protocol (IP), using Stream Control
NGAP from NG-RAN. SMF itself does not directly connect Transmission Protocol (SCTP) as the transport layer. In this
to the RAN, but, to apply the user data traffic procedures, case, SCTP provides a reliable channel between the NG-RAN
this NF is connected to UPF over Packet Forwarding Control node and AMF for signaling messages. The NG-U stack
Protocol (PFCP), which is the protocol communication to is implemented over User Datagram Protocol (UDP) using
send control messages to UPF. Moreover, UPF represents the a GTP-U tunnel that provides non-guaranteed Packet Data
handling of user data [5], connecting directly to NG-RAN over Unit (PDU) delivery for the UP traffic flowing between the
 4

NG-RAN node and UPF. After this brief description of 5GS A. Procedures
components and interfaces, we present in more detail NAS The 5GMM messages support six main procedures, detailed
and NGAP in the following two sections. in the following:
1) Registration: is responsible for informing AMF that UE
Radio Network wants to perform a specific type of registration, supports
Layer (RNL)
NGAP PDU Sessions the registration state, and carries information relevant
User plane PDUs
between UE and 5GC.
Transport Network 2) Primary authentication and key agreement: supports
Layer (TNL)
GTP-U authentication between UE and 5GC and provides the
necessary keys to security contexts and subsequent val-
SCTP UDP idations. There are two methods of primary authentica-
tion: one based on Extensible Authentication Protocol
IP IP
(EAP) and other based on 5G Authentication and Key
Data link layer Data link layer Agreement (AKA).
3) Identification: is responsible for supporting specific UE
Physical layer Physical layer identification in the 5GC. In general, 5GC may re-
quest UE to provide a specific identification such as
Transport Layers
(a) NG-C Protocol (b) NG-U Protocol Subscription Concealed Identifier (SUCI), International
Network, Link, Stack Stack
and Physical layers Mobile Equipment Identifier (IMEI), International Mo-
bile station Equipment Identity and Software Version
Figure 3. NG-C and NG-U protocol stack. Number (IMEISV), Extended Unique Identifier (EUI)-
64, or the MAC address. The latest two are examples of
Permanent Equipment Identifiers (PEI).
4) Transport: is responsible for carrying payloads between
III. N ON -ACCESS S TRATUM (NAS) AMF and UE. The payload can be other NAS messages,
information related with UE policy containers, location
NAS is used for transmitting signaling between UE and
services messages, SMS, etc.
AMF over the N1 reference point. The communication be-
5) Security mode: is responsible for establishing the NAS
tween AMF and SMF over the N11 reference point also uses
security context between UE and AMF using the key de-
NAS, encapsulated over HTTP protocol. The access can be
rived from the primary authentication and key agreement
3GPP networks over gNodeB or non-3GPP networks over
and supported by algorithms of ciphering and integrity.
technologies such as WiFi or DOCSIS. In these networks,
6) Generic UE configuration update: is responsible for
3GPP [14] highlights the following functions of the protocols
updating the UE configuration concerning access and
that work under NAS: (i) support for UE mobility, includ-
mobility.
ing standard procedures such as authentication, identification,
generic UE configuration update, and security control mode The 5GSM messages support only one procedure:
procedures; (ii) support for session management procedures 1) Session management: is responsible for authentication,
to establish and maintain data connectivity between UE and authorization, establishment, modification, and release
data network DN; and (iii) provisioning of transport for Short of the PDU session. Moreover, this procedure involves
Message Service (SMS), LTE Positioning Protocol (LPP), managing resources as networking slices, QoS, and DNs.
Location Services (LCS), UE policy container, Steering of
Roaming (SOR) transparent container, and UE parameters B. Message flows
update information payload. To comprehensively analyze the NAS protocol, we describe
Two fundamental groups of messages support these three the flows of NAS messages for a UE registration, as illustrated
NAS functions: 5GS Mobility Management (5GMM) and 5GS in Figure 4. The messages from (1) to (8) are associated
Session Management (5GSM). 5GMM works between UE and with the functions of 5GMM. The first message represents the
AMF, dealing with register, mobility, security, and transport Registration Request from UE to 5GC. This message carries
of the 5GSM protocol [15]. 5GSM is employed during the different types of information, e.g., initial registration, mobil-
interaction between UE and SMF through AMF, offering sup- ity registration updating, periodic registration updating, and
port for connectivity management between UE and a specific emergency registration. In this tutorial, we consider the case
DN. This connectivity management named PDU session is of the initial registration. Therefore, UE does not have a valid
part of the overlay network, deployed above resources such context in 5GC and needs to provide a 5GS mobile identity
as the radio network between UE and NG-RAN, and GTP- for identification such as SUCI, or temporary identifiers, e.g.,
U tunnel between NG-RAN and UPF. Currently, different 5G Globally Unique Temporary Identifier (GUTI). Important
types of PDU session are supported, e.g., IPv4, IPv6, IPv4v6, information carried in the initial registration is the request
Ethernet, and unstructured. Considering the relevance of these of Local Area Data Network (LADN) and Network Slices in
5GMM and 5GSM message groups for NAS, we describe their the form of Network Slice Selection Assistance Information
main procedures and message flows. (NSSAI), with two values named Slice/Service Type (SST)
 5

2a. Registration Labels

Reject 10a. DL NAS Transport
UE AMF SMF Failure +
PDU Session
1. Registration 3a. Identity
2b. Identity 9. UL NAS Transport Establishment Accept
Request Response
Request +
5a. Security Mode 6. Registration 7. Registration PDU Session
Complete Accept Complete Establishment Request
3b. Authentication 4a. Security Mode
Response Command

5b. Security Mode

Reject
2c. Authentication 3c. Authentication 4b. Authentication
Request Failure Reject 8. Configuration Update 10b. DL NAS Transport
Command +
PDU Session
Establishment Reject

5GMM 5GSM

Figure 4. Non-Access Stratum (NAS) message flows.

and an optional Slice Differentiator (SD). However, this infor- responses with the Security Mode Complete (5a) message. UE
mation cannot be sent without protection, i.e., as clear-text. sends the Security Mode Reject (5b) message if it does not
AMF processes the Registration Request based on three support the security level, as illustrated in Figure 4. After AMF
possible messages: Registration Reject (2a), Identity Request receives Security Mode Complete, UE has an active 5G NAS
(2b), or Authentication Request (2c), as shown in Figure 4. security context. Therefore, it supports protected information,
Registration Reject advises UE about problems in processing such as non-clear text similar to 5GMM capability, LADN,
the Registration Requested, e.g., protocol errors or invalid and NSSAI requested to 5GC. It is essential to highlight
values. Identity Request treats a request when UE sends an that retransmission of NAS messages can be necessary, what
unknown identification in Registration Request, e.g., a 5G- happens before establishment of NAS security context, such
GUTI unknown to AMF. In this case, 5GC triggers the as Registration Request with confidential information. These
Identity Request to ask for a specific identification to UE, messages are encapsulated in Security Mode Complete for
including in Identity Response (3a) message. Authentication forwarding to AMF. All NAS signaling must have the integrity
Request initiates the primary authentication and key agreement protected and must be ciphered using the new NAS security
indicating that UE completed the identification. In this case, context. The Registration Accept (6) message is sent to UE
Authentication Response (3b) sends the answer to the authen- informing that 5GC accepts initial registration after establish-
tication challenge to 5GC, which checks the value, and if the ing the security NAS context and authentication. This message
key is the same, 5GC terminates the primary authentication. has information such as (i) the registration area of UE, i.e.,
Finally, UE and 5GC can create new keys for requirements Tracking Area List (TAL), (ii) the LADN information, (iii) the
such as protection of (i) NAS signaling, (ii) Radio Resource list of equivalent Public Land Mobile Network (PLMN), (iv)
Control (RRC) signaling, (iii) user plane traffic between UE service area restrictions, (v) allowed networking slices, (vi)
and gNodeB for 3GPP access, and (iv) Internet Key Exchange timers to control periodic update registration, and (vii) the
(IKE) version 2 signaling and user plane traffic between temporary identifier provided by AMF named 5G-GUTI. Fi-
UE and Non-3GPP Interworking Function (N3WIF) for non- nally, the Registration Complete (7) message notifies AMF of
3GPP access. In cases of an authentication fault, UE sends an the receipt of the 5G-GUTI by UE. In this stage, UE is known
Authentication Failure (3c) message allowing synchronization by 5GC regarding location, NAS connection, and security.
of Sequence Number (SQN) and a new challenge to UE. In Thus, AMF can update the UE context with the Configuration
this flow, 5GC sends Authentication Reject (4b) message to Update Command (8) message carrying information such as
finish the primary authentication. The most common failures a new 5G-GUTI, TAL, service area list, LADN information,
in primary authentication are related to different keys that gen- allowed or reject NSSAI, Mobile Initiated Connection Only
erate problems in the verification of Message Authentication (MICO) indication, network name, time zone, etc.
Code (MAC) and the SQN received out of range. The registration messages (Request (1), Reject (2a), Accept
After exchanging messages for identification, primary au- (6), and Complete (7)) are also essential to update the 5GMM
thentication, and key agreement, UE and AMF establish a se- state machine inside UE and AMF. To clarify the change of
curity context in NAS messages. The Security Mode Command states associated with the NAS message flows, we present the
(4a) message transports the label of selected NAS security NAS 5GMM state machine in Figure 5. This figure shows the
algorithms for ciphering and integrity check performed by changes from the Deregistered state to the Registered Initiated
AMF. When UE supports the selected NAS algorithm, it state (a) after sending the Registration Request message into
 6

UE and when receiving the Registration Request message in

AMF. Moreover, the 5GMM state machine presents the change
PDU SESSION
from Registered Initiated to Registered (b) after receiving PDU SESSION
INACTIVE ACTIVE
the Registration Accept message in UE and the Registration (a) (b)
Complete message in AMF. It is worth to highlight that UE
(c)
can request an establishment of one or more PDU sessions to PDU SESSION
ACTIVE
5GC in Registered state. Additionally, the change of states can PENDING
happen from the Registered Initiated state to the Deregistered
state (c) after receiving the Registration Reject message in UE
and sending the Registration Reject message in AMF. Figure 6. NAS 5GSM state machine.

IV. NG A PPLICATION P ROTOCOL (NGAP)

NGAP is the standard protocol for CP communication, e.g.,
DEREGISTERED REGISTERED
RAN and 5GC exchange NGAP messages using the NG-C
(a) (b)
and N2 reference points. NGAP protocol works in the 3GPP
(c) access over gNodeB, Next Generation eNodeB (ng-eNodeB),
REGISTERED
INITIATED and non-3GPP access over a N3WIF, or a Trusted Non-3GPP
Gateway Function (TNGF), or a Trusted WLAN Interworking
Function (TWIF), or a Wireline Access Gateway Function
Figure 5. NAS 5GMM state machine. (W-AGF). NGAP supports the main functions of the mobile
networks such as Paging, UE Context Management, Mobility
The 5GSM functions are represented by messages from Management, PDU Session Management, NAS Transport,
(9) to (10b), which focus on establishing PDU sessions, as Warning Message Transmission, AMF Management, AMF
shown in Figure 4. The UL NAS Transport with PDU sessions Load Balancing, Multiple TNL Associations, Location Report-
Establishment Request (9) message is sent from UE to AMF ing, and UE Radio Capability Management [16]. Considering
with PDU session identification, requested Single-Network the relevance of the NGAP protocol to 5G networks, in this
Slice Selection Assistance Information (S-NSSAI), requested tutorial, we focused in the 3GPP access, describing the main
Data Network Name (DNN), PDU session type, among other procedures and message flows that support these functions.
information fields. These fields inform to 5GC requirements
for the PDU session and which UPF and SMF will be selected A. Procedures
for the PDU session. If 5GC provides the PDU session, the The NGAP messages support four main procedures, listed
selected SMF sends the PDU Session Establishment Accept in the following:
(10a) message to AMF, that encapsulates in DL NAS transport 1) Interface management: is responsible for maintaining
before sending to UE. The PDU Session Establishment Accept the establishment of and managing the NG-C interface,
includes PDU address, QoS rules, Session Aggregate Maxi- where the NGAP and NAS signaling are transported.
mum Bit Rate (AMBR), among other pieces of information. This procedure includes selecting resources as network-
However, when SMF does not support this PDU session, it ing slices based on PLMN in AMF, managing resources
sends the DL NAS Transport and PDU sessions Establishment as TNL connection part of the NGAP stack, and identi-
Reject (10b) message to UE, notifying the cause of rejection. fying between AMF and NG-RAN.
The messages that establish PDU sessions are used to update 2) Transport of NAS messages: is responsible for carry-
the 5GSM state machine in SMF and UE. Therefore, we show ing NAS messages between NG-RAN and AMF. NAS
these states in Figure 6 to complete the analysis associated messages are encapsulated in the NGAP protocol before
with the NAS message flows. The change from the PDU forwarding to the NG-C interface.
Session Inactive state to the PDU Session Active Pending 3) UE context management: provides UE-based informa-
state (a) occurs after sending the PDU Session Establishment tion to NG-RAN, such as security information, PDU
Request message in UE and receiving the PDU Session session context, mobility restriction list, allowed net-
Establishment Request message in SMF. The change from working slices, AMF connected information, UE Radio
the PDU Session Active Pending state to the PDU Session Capability, UE security capabilities, etc.
Active state (b) happens after receiving the PDU Session 4) PDU session management: is responsible for managing
Establishment Accept message in UE and sending the PDU resources necessary for determined PDU sessions. These
Session Establishment Accept message in SMF. Receiving resources are associated with NG-RAN and 5GC, estab-
the PDU Session Establishment Reject message instead of lishing the Radio Interface (Uu) and NG-U interfaces for
the PDU Session Establishment Accept message changes the the data plane.
PDU Session Active Pending state to the PDU Session Inactive
state (c) in UE. Finally, in the PDU Session Active state, UE B. Message flows
actives resources to communicates with a DN using the PDU We describe the flows of NGAP messages for a gNodeB
session(s) requested through 5GSM messages. registration (1, 2a, 2b) in infrastructure and subsequently the
 7

8a. Initial Context

4. Downlink 5. Uplink
Setup Response
2a. NG Setup 3. Initial UE NAS NAS 6a. Initial Context
Response Message Transport Transport Setup Request
1. NG Setup
8b. Initial Context
Request
Setup Failure
2b. NG Setup
Failure 6b. PDU Session 7. PDU Session
Resource Setup Resource Setup
Labels Request Response

gNodeB AMF Failure

Figure 7. NG Application Protocol (NGAP) message flows.

UE registration (3, 4, 5, 6a, 6b, 7, 8a, 8b) to comprehensively

analyze the NGAP protocol in Figure 7. The first NGAP mes-
NG-C NG-C
sage sent by gNodeB represents the NG Setup Request and is Inactive Active
associated with the interface management procedure. NG Setup (a) (b)
Request carries information about gNodeB, e.g., Tracking
(c)
Area (TA), PLMN, RAN node, RAN Node Name, Global NG-C
Pending
Node Identifier, and NSSAI supported list. These information
types allow 5GC to identify the gNodeB connected to the 5G
core, for example, in the Paging function, where TA selects
gNodeBs for broadcast. The answer from AMF to gNodeB is Figure 8. NGAP NG-C state machine.
NG Setup Response (2a) message, including information types
as AMF name, AMF region ID, list of supported slices for
PLMN, and relative AMF capacity. These information types In Figure 7, the Initial UE message (3) is the first NGAP
can be used jointly by gNodeB. For example, based on the message to transport the UE NAS signaling to AMF. In this
information of the AMF capacity and the slices for PLMN first case, the Initial UE message always carries initial NAS
in the selection of AMF for each UE, gNodeB can balance signaling messages, i.e, Registration Request. The Downlink
control load among the set of AMFs. If the NG Setup Request NAS Transport (4) message also carries NAS messages in
information is considered incompatible by AMF, the answer NG-C from AMF to NG-RAN with information about Identity
is the NG Setup Failure (2b) message, notifying the cause Request, Authentication Request, Security Mode Command,
of failure and temporarily ending the control flow in NG-C Registration Accept, and Configuration Update Command.
until AMF and gNodeB interoperate correctly. Examples of Similarly, the Uplink NAS Transport message (5) subsequently
incompatibility are invalid Tracking Area Code (TAC), not- carries NAS messages from NG-RAN to AMF with infor-
identified PLMN, and non-supported slice. mation about Identity Response, Authentication Response,
Security Mode Complete, Registration Complete, and PDU
Between NG-RAN and AMF there is a state machine that Session Establishment Request. Finally, in the NG-C context,
we named NG-C state machine, which is updated by NGAP it is necessary to highlight that the Initial UE Message,
messages. We show the states of this machine in Figure 8 for Downlink NAS Transport, and Uplink NAS Transport also
a better analysis of the NGAP message flows. The change (a) support identifying specific UE NGAP traffic using identifiers
from the NG-C Inactive state to the NG-C Pending state occurs provided by NG-RAN and AMF.
after sending the NG Setup Request message in NG-RAN AMF sends the Initial Context Setup Request (6a) message
and receiving the NG Setup Request in AMF. The change to NG-RAN with several data: identification of the UE NGAP
(b) from the NG-C Pending state to the NG-C Active state connection, information about AMF connected by UE, net-
happens after receiving the NG Setup Response message in work slices allowed to UE, mobility restrictions applied to
NG-RAN and sending the NG Setup Response message in UE in cases of roaming and access, security key activated in
AMF. Additionally, the change (c) can occur from the NG-C communication for UE in RRC signaling and UP signaling,
Pending state to the NG-C Inactive state after receiving the optionally information to establish one or more PDU sessions,
NG Setup Failure message in NG-RAN and sending the NG etc. NG-RAN processes the Initial Context Setup Request by
Setup Failure message in AMF. Finally, in the NG-C active returning two possible messages, i.e., Initial Context Setup
state, NG-RAN and AMF have a new context about each other Response (8a) and Initial Context Setup Failure (8b), as shown
and can manage the control flow based on their priorities. in Figure 7. The Initial Context Setup Response notifies AMF
Following the establishment of NG-C, gNodeB can use to establish the UE context. The Initial Context Setup Failure
the NGAP protocol to transport NAS signaling to AMF. notifies 5GC that NG-RAN cannot establish the UE context
 8

received in the Initial Context Setup Request. This failure by the practical part introduced in the next section.
occurs when NG-RAN does not support the established PDU
session requested. These message flows finish with NG-RAN
sends the Initial Context Setup Response message (8a), in case PDU Session PDU Session
of success, or the Initial Context Setup Failure (8b) message Resource Resource
Inactive Active
notifying the cause of rejection to 5GC, otherwise. (a) (b)
In addition to the transport of NAS messages, the NGAP
(c) PDU Session
protocol provides for NG-RAN relevant information after the Resource
UE registration is completed in the 5GC. In order to establish Pending
the PDU session, the following messages are used: PDU
Session Resource Setup Request (6b), PDU Session Resource
Setup Response (7), Initial Context Setup Request (6a) and Figure 9. NGAP PDU session resource state machine.
Initial Context Setup Response (8a). 5GC sends the PDU
Session Resource Setup Request message (6b) or Initial Con-
text Setup Request (6a) to NG-RAN after receiving the NAS V. P ROOF OF C ONCEPT 5GC TESTER
message PDU Establishment Request. This message transports This section shows a POC with a 5G tester called my5G-
the necessary information to the allocation of resources in RAN to deepen the NAS and NGAP protocols studies. my5G-
NG-RAN for one or more PDU sessions, namely: UPF Tunnel RAN is a tool for testing and monitoring NAS and NGAP
Endpoint Identifier (GTP-TEID) for creation of NG-U inter- procedures in any 5G core. Therefore, initially, we present the
face between UPF and NG-RAN, QoS information to enforce POC architecture details per module and explain the concepts
traffic of determined PDU session tied with Data Radio Bearer behind the development of the POC for a better understanding
(DRB) part of the Uu interface, PDU session type, S-NSSAI of its usage. Next, we describe the experimental environment,
of the PDU session, PDU session identification, the 5GSM including my5G-RAN tester and the evaluated 5GC open-
NAS PDU Session Establishment Accept message, etc. Next, source projects, and present all experiments and related results.
NG-RAN sends the PDU Session Resource Setup Response
message (7) or Initial Context Setup Response (8a) message A. POC architecture
to AMF with the NG-RAN GTP-TEID to create the NG-U
The POC architecture is composed of four major modules,
interface in 5GC side and information about successfully
as illustrated in Figure 10. From bottom to top, the initial
established PDU sessions. After completing this exchange of
three modules correspond to the my5G-RAN tester2 , i.e., (i)
NGAP messages, the data plane path is ready, and UE can
User Interface , (ii) Controller, and (iii) Simulation. The top
send traffic to DN using the PDU session established.
module corresponds to a 5G core under testing as a black
Finally, we present the PDU session resource state machine
box. The main goal of my5G-RAN tester is to support a list
in Figure 9 to clarify the changes of states associated with
of characteristics that simulate the behavior of gNodeB and
the NGAP message flows. This state machine represents the
UE with 5G core via NAS and NGAP protocols to study
changes from PDU Session Resource Inactive state to PDU
the communication between the access network and the 5G
Session Resource Pending state (a) after sending the PDU
core. We designed these modules to have specific levels for
Session Resource Setup Request message or Initial Context
interaction with the user, the generation of tests, and the
Setup Request message from AMF and receiving PDU Session
interaction among the simulated UE, the simulated gNodeB,
Resource Setup Request or Initial Context Setup Request
and 5GC via reference points. Moreover, the my5G-RAN
in NG-RAN. NGAP messages that establish PDU session
tester collects the data provided by this interaction for further
resources per UE in NG-RAN and 5GC control the states in
analysis.
AMF and NG-RAN. The change from PDU Session Resource
We designed the User Interface module with two options.
Pending state to PDU Session Resource Active (b) state occurs
One option is based on Command Line Interface (CLI) and
after receiving the session management context included in
enables the experimenter to develop a script to execute a spe-
PDU Session Resource Setup Response or Initial Context Setup
cific test with parameters and save or gather output information
Response message in SMF and the sending of PDU Session
related to the test. Moreover, CLI allows the experimenter to
Resource Setup Response or Initial Context Setup Response
follow the execution of the selected test in real-time. The other
message in NG-RAN. Additionally, the change of states can
option uses a virtual network interface, where the experimenter
happen from the PDU Session Resource Pending state to
can also integrate third-party software to provided workload
PDU Session Resource Inactive (c) state after receiving the
for testing scenarios.
information about failure to setup determined PDU session.
The Controller module is the central entity of the POC.
This information comes in the PDU Session Resource Setup
This module is responsible for tasks as (i) monitoring and
Response message or in the Initial Context Setup Failure that
analyzing the information provided by the simulation layer
reports the PDU session in the AMF. In this context, when
and also save this information; (ii) providing the logs about the
the process is successful, the resources of the determined PDU
working system; (iii) translating and processing the command
session are allocated, moreover, NG-RAN and 5GC manage
or the workload received from the user interface in a test
the UE traffic based on QoS rules considering the PDU session
type. That is the end of the theoretical part that is improved 2 https://github.com/my5G/my5G-RANTester
 9

or model that can be executed in simulation layer. Theses 16GB RAM, and running Ubuntu 20.04 64 bit, kernel 5.4.90-
tasks are executed by compiler, templates, workload model, 050490-generic. Table I summarizes information about the
and external workload entities. experimental scenarios used in POC. Concerning OpenAirIn-
terface (OAI) software, only the 5GC module was enabled.

Open-source projects Version

5G Core

AMF Other 5G Core UPF free5GC v3.0.5

Functions
Open5GS v2.2.9
N1/N2 interface N3 interface OAI v2021.w28
my5G-RAN tester v1.0.0
Simulation

Control Stack Engine Data Stack Engine Infrastructure Configuration

NAS NGAP IP GTP-U RAM Memory 16GB
Processor Intel Core i7
OS Ubuntu 20.04
Compiler Monitoring
Kernel 5.4.90-050490-generic

Storage
Controller

Logging
Table I. Experimental scenarios.
External Templates Workload Analytics
Workload Model

TUN Interface CLI interface

C. Experimental tests
Interface

The POC is based in two groups of tests for each 5GC

User

Workload Tests Data

Generator Running Monitor Exportation under evaluation. The first refers to conformance tests to verify
the complete range of software testing and quality assurance
Legend requirements defined by 3GPP [18] [3]. The second group
Internal communication Control Plane Data Plane Monitoring considers robustness tests using several inputs for exploring
and Logging the system’s behavior, e.g., error and stability of the system.

Figure 10. POC architecture. Conformance tests

These tests are based on sending only correct messages for
The Simulation module provides the simulation of UE the NAS procedures discussed in Section III.A and NGAP pro-
and the implementation of NAS stack to establish the N1 cedures presented in Section IV.A according to the 3GPP R-16
interface and the simulation of the NG-RAN node with the standard [18] [3]. Table II shows the eleven test procedures
implementation of NGAP and GTP stacks, to establish the and set of exchanged messages for the three 5GC projects.
N2 and N3 interfaces. It is worth to highlight that the radio For each procedure presented in Table II, we verified the reply
interface is not implemented between UE and NG-RAN be- from each 5GC according to following the rules: (i) the state
cause the main focus of my5G-RAN tester is on control and of my5G-RAN tester is compatible with the received message,
data communication between the access network and 5GC. (ii) the message received contains all mandatory fields, (iii) the
Therefore, the radio access network and Access Stratum (AS) information in the message can be understood based on its
functionality are simulated to availing the NAS and NGAP procedure, (iv) the information in the message is valid based
protocols considering the 5GC black box testing. on its procedure. We implement the machines states and flows
Finally, the latest module in the top is a 5G core under described in Section III.B and Section IV.B inside my5G-
testing. In this context, POC enables the work with a 5G core RAN tester to achieve these conformance tests. Moreover,
as a black box. Therefore, my5G-RAN tester was designed we analyze the Primary authentication and key agreement
considering the core’s input under testing and analyzing the procedure based on the 5G-AKA method and the UE con-
expected output [7]. For that reason, the test cases are based text management procedure with and without information for
on the 3GPP specifications which describe in detail the inputs establishing the PDU session. All procedures tested in the
that are supported and how they must be replied [17]. three 5GC projects had the expected behavior according to the
3GPP standard, except by Generic UE configuration update.
B. Experimental scenarios In this case, only the Open5GS project behaves as expected
by sending the Configuration Update Command message to
We designed the experiments using three open-source 5GC my5G-RAN tester in the UE registration flow.
projects to analyze POC, i.e., free5GC [8], Open5GS [9], and
OpenAirInterface [10]. Presently, these are the only functional
5GC projects publicly available. Furthermore, these 5G cores Robustness tests
are analyzed using the my5G-RAN tester on version v1.0.0, We also analyze robustness tests since they are also relevant
sending uplink and downlink messages between the access to assess the quality of the 5GC projects and and their level of
network and 5GC using the NAS and NGAP protocols. The adherence to the 3GPP standard [18] [3]. Therefore, in a not
experiments were run in computer with Intel Core [email protected], exhaustive approach, we defined six main robustness tests for
 10

Procedures on testing Protocols Messages free5GC Open5GS OAI

Registration NAS Registration Request, Registration Accept, and Registra- X X X
tion Complete
Primary authentication and key agreement NAS Authentication Request and Authentication Response X X X
Identification NAS Identity Request and Identity Response X X X
Transport NAS UL NAS transport and DL NAS transport X X X
Security mode NAS Security Mode Command and Security Mode Complete X X X
Generic UE configuration update NAS Configuration Update Command 7 X 7
Session management NAS PDU Establishment Request and PDU Establishment X X X
Accept
Interface management NGAP NG Setup Request and NG Setup Response X X X
Transport NAS messages NGAP Downlink NAS Transport and Uplink NAS Transport X X X
UE context management NGAP Initial Context Setup Request and Initial Context Setup X X X
Response
PDU session management NGAP PDU Session Resource Setup Request and PDU Session X X X
Resource Setup Response

Table II. Conformance tests.

NAS procedures discussed in Section III.A and one robustness Identity Request, but without the NAS security established
test for NGAP procedure discussed in Section IV.A. Table III before. In the second configuration, my5G-RAN tester receives
shows the tests and their results in the three evaluated 5GC the Security Mode Command from AMF and answers with the
projects. Additional details are presented in the following. Security Mode Complete message without the requested re-
In the Registration testing, we evalute two cases in the transmission of the Registration Request information. In this
Registration Request message from the Registration procedure: case, AMF must interrupt the registration process using the
(i) send the request without mobile identity (mandatory field), Registration Reject message. OAI and free5GC ignored the
and (ii) send the request with non-clear text information, such message without re-transmitting the Registration Request, and
as 5GMM capability information. In both cases, my5G-RAN Open5GS sent the reject message to abort the registration.
tester expects AMF to return a Registration Reject message to In the SMF Selection testing, we defined a change in the
interrupt registration flow. Only, Open5GS answered according UL NAS Transport message from the Transport procedure.
to the expected in the two changes. The free5GC and the OAI In this robustness test, my5G-RAN tester sends the UL
did not send the Registration Reject message in the case (i), but NAS Transport message encapsulating PDU Establishment
interrupted the registration flow. In the case (ii), the free5GC Request to 5GC, demanding a PDU session with invalid DNN
and the OAI accepted the Registration Request with non-clear and S-NSSAI information. This wrong information does not
text information and persisted in the UE registration without permit the selection of an available SMF by AMF for the
any warning. requested PDU session. Thus, AMF should reply to my5G-
In the Authentication testing, we defined two operations to RAN tester with the DL NAS Transport message with PDU
analyze the Primary authentication and key agreement proce- Establishment Request, informing that AMF did not forward
dure. First, we used invalid information in the Authentication the request to SMF (with the 5GSM message). We observed
Response message on the 5G-AKA method. We expected that free5GC sent the messages according to the expected.
AMF to abort the Primary authentication and key agreement However, Open5GS and OAI did not attend SMF selection
procedure, sending an Authentication Reject message in this considering invalid DNN and S-NSSAI, and the test was
operation. Second, we forced the situation of synchronization simply interrupted (without further information).
failure by sending of the Authentication Failure message. In In UPF selection testing, we changed the UL NAS Transport
this case, we expected 5GC initiates SQN re-synchronization message from the Transport procedure. Our change makes
to continue the Primary authentication and the key agreement my5G-RAN tester to send the UL NAS Transport message
by sending a new Authentication Request. All three 5GC carrying the PDU Establishment Request to 5GC, asking for
projects replied to the two operations according to the expected a PDU session with wrong information: DNN and S-NSSAI
by the 3GPP standard [18]. invalids. This incorrect information does not permit the se-
For the Security testing, we designed two incorrect configu- lection of an available UPF by SMF for the requested PDU
rations in the Security Mode Complete message from the Se- session. In this case, 5GC must respond with the DL NAS
curity mode procedure. In the first configuration, my5G-RAN Transport message encapsulating the PDU Establishment Re-
tester receives the Security Mode Command message from ject to inform the unsuccessful operation. In this robustness
AMF and replies with Security Mode Complete without the test, the three 5GC projects sent the message according to the
requested IMEISV information. Based on this response, it is 3GPP standard [18].
expected from AMF a notification to my5G-RAN tester using In our last test with the NAS protocol, named NAS flow
the Registration Reject message to stop the registration process validate, we defined a change in the flow of NAS. In this
or an Identity Request asking for the IMEI information. For case, my5G-RAN tester sends the UL NAS Transport message
this robustness test, Open5GS and OAI ignored the message carrying the PDU Establishment Request in an incorrect order,
without IMEISV information. The free5GC project sent the i.e., before receiving the Registration Accept message and
 11

Name Protocols Procedures involved Messages free5GC Open5GS OAI

Registration NAS Registration Registration Request and Registration Reject 7 X 7
Authentication NAS Primary authentication Authentication Request, Authentication Re- X X X
and key agreement sponse, Authentication Failure and Authentica-
tion Reject
Security NAS Security mode, Regis- Security Mode Command, Security Mode Com- 7 7 7
tration and Identifica- plete, Registration Reject, Identity Request and
tion Identity Response
SMF selection NAS Transport UL NAS Transport and DL NAS Transport X 7 7
UPF selection NAS Transport, Session UL NAS Transport, DL NAS Transport, PDU X X X
management Establishment Request and PDU Establishment
Reject
NAS flow validate NAS Security mode, Trans- Security Mode Command, UL NAS Transport, X X 7
port, Session manage- PDU Session Establishment Request, Security
ment and Registration Mode Complete and Registration Accept
Interface management NGAP Interface Management NG Setup Request and NG Setup Failure X X 7

Table III. Robustness tests.

after receiving the Security Command Mode message. In End-to-End (E2E) slicing on 5G considering RAN, transport,
this situation, AMF should ignore the message and re-send and core networks is in its infancy and it still under investiga-
the Security Mode Command message after the expiry of tion in the academy. Moreover, some topics are only basically
the timer of six seconds and wait for the Security Mode addressed in 3GPP Releases 16, 17, and 18. For example,
Complete message instead of the UL NAS Transport message. the Self-Organizing Networks (SON) usage can make the 5G
Based on the 3GPP standard [18], this behavior must be tried networks more adaptive and efficient with the broad adoption
four additional times, considering the expiry of the timer of Machine Learning and Artificial Intelligence, but depends
of six seconds on the every time. In case of failure, the of significant volume of the information. In the following, we
registration process must be aborted, sending a Registration briefly discuss challenges for 5G and beyond directly related
Reject message. In this robustness test, free5GC and Open5GS to NAS and NGAP protocols.
answer according to the expected by the 3GPP standard [18].
However, OAI accepted the UL NAS Transport message,
A. Network slicing
including PDU Establishment Request, and replied with the
DL NAS Transport message carrying PDU Establishment Several contributions are being defined in 3GPP Releases
Accept before the Registration Accept message. 16 and 17, considering the slicing concept in the mobile
Finally, we use the NGAP protocol in the Interface man- network. Moreover, academia introduces new solutions and
agement testing to complete our robustness tests. In this offers opportunities for network slicing research, e.g., authen-
last test, my5G-RAN tester changes the NG Setup Request tication and authorization at different network slice levels
from the Interface Management procedure, sending invalid [19], dynamic allocation of slices considering elasticity of
information for PLMN, TAC, or S-NSSAI that AMF does not computational resources [20], [21]. Through our tutorial on
support. In this context, my5G-RAN tester expects that AMF the functioning of NAS and NGAP protocols, we can obtain
replies with the NG Setup Failure message. In this robustness information about slice selection by UE. These protocols are
testing, only OAI did not reply as expected considering the responsible for authentication between UE and 5GC. Thus, it is
3GPP standard [3]. OAI AMF ignores the NG Setup Request critical to consider the NAS and NGAP protocols in addressing
message with invalid information associated with PLMN, e.g., the challenges and solutions related to slicing in 5GC.
sending S-NSSAI with TAC not supported by AMF, and OAI
AMF does not return any error message. B. Data-driven network
This section sheds some light on the development level
of the open-source 5GC projects. In summary, all of them Network Data Analytics Function (NWDAF) was presented
exhibit satisfactory adherence to the standards considering a in Release 15 and improved in Releases 16 and 17, focused on
normal operation. However, even basic errors may imply an collecting and analyzing data about the functionality of NFs
unexpected behavior in the evaluated 5GCs, especially the OAI in 5GC. The masterminds of NWDAF [22] argue that several
software, which seems a less mature implementation. In the behaviors related to UE’s mobility and load, global network
next section, we present additional insights we collected during performance, network slice performance, data network con-
our study in the form of a discussion about open issues. gestion, among others, can be observed and predicted with the
information stored in NWDAF. Based on the knowledge about
NAS and NGAP protocols that provided of in the previous sec-
VI. O PEN ISSUES tions, we expected that a significant volume of the information
Several countries around the world has started a fast deploy- present in NWDAF is related to NAS and NGAP protocols,
ment of 5G networks in the last years. Naturally, there is still a directly or indirectly. As some examples of these increases
lot of uncertainty, and several forecasts cannot be consolidated in the data volume we can list: information about mobility,
in the first years of using this mobile generation. For example, the signaling of the slicing network, activity/inactivity of
 12

UEs, activity/inactivity of NG-RAN, DNN congestion, load- As future work, we plan to evolve my5G-RAN tester and
balancing among NF, etc. In this context, we highlight that other open-source related tools in several directions, such as:
finding, collecting, and treating these information types carried (i) to enhance the NAS and NGAP protocols considering
by NAS and NGAP protocols are open issues that should be handover and paging procedures; (ii) to design and implement
investigated in the following years. load tests using the NAS and NGAP protocols to emulate
multiple UEs and NG-RANs connected to 5GC; (iii) to add
C. Security new test cases, such as load tests with network slicing and
fuzzy tests; (iv) to improve validations in conformance tests
Several studies [23], [24], [25] show vulnerabilities of NAS based on 3GPP Releases 16, 17, and beyond; (v) to improve
and NGAP protocols for the 5GC system, e.g., the lacking of system monitoring through integration with analytics and data
confidentiality. Moreover, the integrity and replay protection visualization tools, e.g., Grafana and Prometheus.
of the NAS messages can be exposed to Man-in-the-Middle
(MiTM) and Denial-of-Service (DoS) attacks. The sending of ACKNOWLEDGMENT
malformed packets also can trigger crashes in 5G cores related
to restrictions such as buffer overflow and race conditions. This work is supported by the Brazilian National Council
These cases illustrate the challenges to maintaining the stabil- for Research and Development (CNPq) in cooperation with
ity of the 5GC system. Therefore, testing for the 5GC system is the my5G initiative and HAI-SCS project.
gaining relevance with designing and implementation of tools
to simulate NAS and NGAP in industry [26], [27], [28] and R EFERENCES
academia [29], [30], [31]. [1] S. D. A. Shah, M. A. Gregory, and S. Li, “Cloud-Native Network
Slicing Using Software Defined Networking Based Multi-Access Edge
Computing: A Survey,” IEEE Access, vol. 9, pp. 10 903–10 924, 2021.
D. Open RAN [2] N.-N. Dao et al., “Survey on Aerial Radio Access Networks: Toward
a Comprehensive 6G Access Infrastructure,” IEEE Communications
Several studies [32], [33], [34] show the benefits of Open Surveys Tutorials, vol. 23, no. 2, 2021.
RAN environments, such as migrating some RAN functions [3] 3GPP TS 38.413 version 16.4.0 Release 16, 5G; NG-RAN; NG
Application Protocol (NGAP), Jan 2021. [Online]. Available: http:
to a cloud-native ecosystem, bringing more flexibility, interop- //www.etsi.org
erability, efficiency, and customization. In this context, more [4] 3GPP, “Non-Access-Stratum (NAS) protocol for Evolved Packet System
control and management of the RAN functions are expected (EPS),” 3rd Generation Partnership Project-3GPP, Tech. Rep. 3GPP
TS 24.301 V0.1.0, 02 2008, https://www.3gpp.org/ftp/Specs/archive/24
to achieve these objectives. The information carried in the series/24.301/.
NAS and NGAP protocols is essential to help cooperation [5] ——, “S1 Application Protocol (S1AP),” 3rd Generation Partnership
between 5GC and RAN to address the customers’ demands. Project-3GPP, Tech. Rep. 3GPP TS 36.413 v0.0.0, 01 2008, https://www.
3gpp.org/ftp/Specs/archive/36 series/36.413/.
For example, we can highlight the allocation of radio resources [6] S. Chen et al., “Vision, Requirements, and Technology Trend of 6G:
based on requirements of the PDU session established by How to Tackle the Challenges of System Coverage, Capacity, User Data-
UE, de-allocation of radio resources based on UE’s behavior, Rate and Movement Speed,” IEEE Wireless Communications, vol. 27,
no. 2, Apr. 2020.
load-balancing across multiples NG-RAN, on-demand han- [7] G. J. Myers, C. Sandler, and T. Badgett, The Art of Software Testing,
dover management, among others. All these information types 3rd ed. Wiley Publishing, 2011.
should be processed and carried through the open interfaces [8] (2021, september) FREE5GC. https://www.free5gc.org/. National Chiao
Tung University (NCTU). [Online]. Available: https://github.com/
defined by Open RAN initiatives, guaranteeing interoperability free5gc/free5gc
among the devices and networks. [9] (2021, september) OPEN5GS. https://open5gs.org/. OPEN5GS.
[Online]. Available: https://github.com/open5gs/open5gs
[10] (2021, september) OPEN-AIR-INTERFACE.
VII. C ONCLUDING R EMARKS AND F UTURE W ORK https://openairinterface.org/. openairinterface. [Online]. Available:
https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-fed
This article presented a comprehensive tutorial on 5GC [11] 3GPP TS 23.501 version 16.6.0 Release 16, 5G; System architecture for
access focusing on 3GPP access, NAS and NGAP protocols. the 5G System (5GS), Oct 2020. [Online]. Available: http://www.etsi.org
Initially, we introduced the 5G system and its main interfaces. [12] J. Meredith and M. Pope, “3rd Generation Partnership Project Tech-
nical Specification Group Services and Systems Aspects Release 15
After, we described NAS and NGAP protocols showing their Description,” 3rd Generation Partnership Project-3GPP, Sophia Antipo-
roles in 5G networks, e.g., NFs selection, slice networking lis CEDEX, France, Tech. Rep. 3GPP TR21.915 V15.9.0, 12 2018,
selection, authentication, identification, establishing security https://www.3gpp.org/ftp/Specs/archive/21 series/21.915/.
[13] K. V. Cardoso et al., “A softwarized perspective of the 5G networks,”
communication, and allocation of resources. We also discussed CoRR, 2020, https://arxiv.org/abs/2006.10409.
NAS and NGAP messages related to 5G components, states [14] 3GPP, “Non-Access-Stratum (NAS) protocol for 5G System (5GS),”
machine, and call flows. Moreover, we also presented a 3rd Generation Partnership Project-3GPP, Tech. Rep. 3GPP TS 24.501
V16.5.1, 07 2020, https://www.3gpp.org/ftp/Specs/archive/24 series/24.
POC with our my5G-RAN tester to illustrate the background 501/.
provided by this tutorial, emulating the behavior of NAS [15] P. Hedman et al., 5G Core Networks: Powering Digitization, 1st ed.
and NGAP protocols with different implementations of 5G United Kingdom: Elsevier Science & Technology, 2019, vol. 1.
[16] 3GPP, “NG Application Protocol (NGAP),” 3rd Generation Partnership
cores. We evaluate three open-source 5GC projects in terms Project-3GPP, Sophia Antipolis CEDEX, France, Tech. Rep. 3GPP TS
of conformance and robustness, taking the 3GPP standard 38.413 V16.2.0, 08 2020, https://www.3gpp.org/ftp/Specs/archive/38
as reference. We argue that the information present in this series/38.413/.
[17] M. Khan, “Different Approaches To Black box Testing Technique
tutorial helps the understating of 5G networks and contributes For Finding Errors,” International Journal of Software Engineering &
to advance scenarios related to beyond-5G and 6G. Applications, vol. 2, 10 2011.
 13

[18] 3GPP TS 24.501 version 16.8.0 Release 16, 5G; Non-Access-Stratum

(NAS) protocol for 5G System (5GS), Jan 2021. [Online]. Available:
http://www.etsi.org
[19] C.-I. Fan et al., “Cross-Network-Slice Authentication Scheme for the
5th Generation Mobile Communication System,” IEEE Transactions on
Network and Service Management, vol. 18, no. 1, pp. 701–712, 2021.
[20] A. Thantharate, R. Paropkari, V. Walunj, and C. Beard, “Deepslice: A
deep learning approach towards an efficient and reliable network slicing
in 5g networks,” in 2019 IEEE 10th Annual Ubiquitous Computing,
Electronics Mobile Communication Conference (UEMCON), 2019, pp.
0762–0767.
[21] P.-H. Lee and F. Lin, “Tackling iot scalability with 5g nfv-enabled
network slicing,” Advances in Internet of Things, vol. 11, pp. 123–139,
01 2021.
[22] S. Sevgican et al., “Intelligent network data analytics function in 5G
cellular networks using machine learning,” Journal of Communications
and Networks, vol. 22, no. 3, pp. 269–280, 2020.
[23] Y. Hu et al., “Fuzzing Method Based on Selection Mutation of Partition
Weight Table for 5G Core Network NGAP Protocol,” in Innovative
Mobile and Internet Services in Ubiquitous Computing. Cham: Springer
International Publishing, 2022, pp. 144–155.
[24] Z. Salazar et al., “5Greplay: A 5G Network Traffic Fuzzer -
Application to Attack Injection,” ser. ARES 2021. New York, NY,
USA: Association for Computing Machinery, 2021. [Online]. Available:
https://doi.org/10.1145/3465481.3470079
[25] S. Potnuru and P. K. Nakarmi, “Berserker: ASN.1-based Fuzzing
of Radio Resource Control Protocol for 4G and 5G,” CoRR, vol.
abs/2107.01912, 2021. [Online]. Available: https://arxiv.org/abs/2107.
01912
[26] (2021, March) 5G Core Testing. web site. Keysight
Technologies. [Online]. Available: https://www.keysight.com/be/en/
products/network-test/protocol-load-test/5g-core-testing.html
[27] (2021, March) MAPS™ 5GC Network emulator. web site.
GL Communications. [Online]. Available: https://www.gl.com/
5G-NR-Core-network-test-measurement-solution.html
[28] (2021, March) TeraVM. web site. Viavi Solutions. [Online]. Available:
https://www.viavisolutions.com/en-us/products/teravm-5g-core-test
[29] (2021, March) UERANSIM. web site. aligungr. [Online]. Available:
https://github.com/aligungr/UERANSIM
[30] J. B. N. Koonampilli et al., “Demonstration of 5G Core Software System
in India’s Indigenous 5G Test Bed,” in 2021 International Conference on
COMmunication Systems NETworkS (COMSNETS), 2021, pp. 101–103.
[31] J. Larrea, M. K. Marina, and J. Van der Merwe, “Nervion: A cloud
native ran emulator for scalable and flexible mobile core evaluation,”
in Proceedings of the 27th Annual International Conference on Mobile
Computing and Networking, ser. MobiCom ’21. New York, NY, USA:
Association for Computing Machinery, 2021, p. 736–748. [Online].
Available: https://doi.org/10.1145/3447993.3483248
[32] E. Coronado, S. N. Khan, and R. Riggio, “5G-EmPOWER: A Software-
Defined Networking Platform for 5G Radio Access Networks,” IEEE
Transactions on Network and Service Management, vol. 16, no. 2, pp.
715–728, 2019.
[33] M. Khaturia, P. Jha, and A. Karandikar, “5G-Flow: Flexible and Efficient
5G RAN Architecture Using OpenFlow,” CoRR, 2020.
[34] P. Kiri Taksande et al., “Open5G: A Software-Defined Networking
Protocol for 5G Multi-RAT Wireless Networks,” in 2020 IEEE Wireless
Communications and Networking Conference Workshops (WCNCW),
2020, pp. 1–6.