← Book home
Part 4 · RAN, Mobility, and Roaming Security
15

NG-RAN Security

Securing the most exposed equipment in the network

“The core lives in a guarded data center. The gNB lives on a rooftop, a lamppost, or inside a customer’s factory — holding live subscriber keys.” — THE RAN SECURITY PROBLEM

The gNB is where cryptography meets the physical world — and where the network’s keys sit in the most exposed location it operates. Modern 5G RAN is also disaggregated into CU, DU, and RU units connected by new interfaces, each a link to protect. This chapter covers the gNB as a security endpoint, the CU/DU split, the F1/E1/Xn/NG interfaces, physical site security, and secure boot.

🎯 Learning objectives
📘 Standards reference box — Chapter 15
SpecificationTitleRelease / version verified
TS 33.5015G security — RAN security, gNB requirementsRel-18, v18.11.0 (2026-04)
TS 33.511SCAS — gNB security assuranceRel-18 edition
TS 38.401 / 38.470+NG-RAN architecture / F1 interfaceRel-18/19 edition

Checked June 2026 — verify against the latest 3GPP version.

15.1 The gNB as a Security Endpoint

FIGURE 15.1NG-RAN Architecture and the gNB's Trust Role
gNB holds K_gNB + AS keys AMF (N2) UPF (N3) neighbor gNB N2 (NGAP) N3 (GTP-U) Xn (gNB↔gNB) the gNB is the only key-holding NF deployed in physically uncontrolled locations — that combination defines RAN security
Purpose: the RAN's unique risk profile. The gNB does real cryptography (AS security, Chapter 9) and holds live keys, yet sits where an attacker can physically reach it.

15.2 The CU/DU Split — Where Security Terminates

FIGURE 15.2CU/DU/RU Split — Where the Keys Live
RUradio (PHY-low) DUMAC/RLC/PHY-high CU — security terminates HERE CU-CPRRC + PDCP (control)K_gNB, RRC keys🔒 the crypto brain CU-UPPDCP (user)UP keys🔒 data crypto fronthaul F1 E1 (CP↔UP) PDCP (ciphering + integrity) lives in the CU → the CU is the key-bearing element; the DU/RU handle no AS keys
Purpose: disaggregation changes where keys live. Because PDCP runs in the CU, the CU is the crypto-critical unit — and it can be centralized in a more protected location than the cell-site DU/RU.
FIGURE 15.3Key Placement in Split RAN
RU + DU (cell site) physically exposed ∅ no AS keys → less to steal at the tower CU (can be centralized) in a controlled facility 🔑 K_gNB + AS keys here → protect like a small core site security upside centralizing keys in the CU shrinks the exposed key footprint
Purpose: a security benefit of disaggregation. Keeping keys in a centralized CU means the thousands of exposed cell sites (DU/RU) hold nothing worth stealing.

15.3 Protecting the RAN Interfaces

FIGURE 15.4F1 Interface Protection (DU ↔ CU)
DUcell site CUkey-bearing F1-C (SCTP/NGAP-like) → IPsec / DTLS F1-U (GTP-U) → IPsec F1 is the midhaul: it carries RRC and user data between an exposed DU and the CU — unprotected, it exposes exactly what AS security protects on the air
Purpose: the new link disaggregation creates. F1 carries the same traffic that AS security protects over the air — so it needs IPsec/DTLS, or the radio crypto is undone one hop inland.
FIGURE 15.5E1 and Xn Interfaces
E1 (CU-CP ↔ CU-UP) CU-CP CU-UP carries bearer context + security info protect (often within CU platform) Xn (gNB ↔ gNB) handover signaling + key transfer IPsec — carries NH/NCC (Chapter 16)
Purpose: two more links to protect. E1 carries security context inside the CU; Xn carries handover key material between gNBs — both need protection, Xn especially (Chapter 16).
FIGURE 15.6E1 Security Considerations
E1 carries security-sensitive content between CU-CP and CU-UP bearer contexts, security activation, UP security policy enforcement parameters if CU-CP and CU-UP are on different hosts/sites → protect E1 with IPsec like any inter-node link don't assume "inside the CU" means "on the same trusted machine" in cloud-RAN
Purpose: a subtle cloud-RAN gap. "Within the CU" can mean across hosts or even sites when CU-CP and CU-UP are separately virtualized — making E1 a real link to protect.
FIGURE 15.7Xn Interface Security in Detail
gNB-A gNB-B Xn — IPsec requiredcarries handover signaling + key material (K_gNB*, NCC) an unprotected Xn lets an attacker observe/modify handover keys → compromise mobility security (Chapter 16)
Purpose: why Xn protection is non-optional. Handover key material crosses Xn; expose it and you expose the forward-security machinery of Chapter 16.
FIGURE 15.8NG (N2/N3) — the Backhaul to the Core
gNB 5G CoreAMF · UPF N2 (NGAP) → IPsec N3 (GTP-U) → IPsec this is the backhaul of Chapter 14 — IPsec across untrusted transport
Purpose: closing the interface tour. NG is the gNB-to-core backhaul protected by NDS/IP (Chapter 14) — the link most likely to traverse transport you don't own.

15.4 Physical Security and Secure Boot

FIGURE 15.9Cell-Site Physical Threat Model
exposed site physical access → port / console fiber tap on fronthaul/backhaul equipment theft / key extraction countermeasures tamper detection + alarms secure key storage (no extract) disable/lock physical ports centralize keys in CU (15.3)
Purpose: RAN threats that have nothing to do with radio. An attacker at the site can probe ports, tap fiber, or steal equipment — countered by tamper response, secure key storage, and (best) keeping keys in the centralized CU.
FIGURE 15.10gNB Secure Boot and Software Signing Chain
root of trustimmutable, in HW bootloadersignature verified OS / firmwaresignature verified gNB applicationsignature verified verifies → any unsigned or modified stage HALTS the boot → an attacker with physical access can't load malicious gNB software
Purpose: the defense against tampered RAN software. Each stage verifies the next; modified firmware simply won't boot — essential when the hardware is physically reachable.
FIGURE 15.11IAB and Open Fronthaul Security Notes
IAB (wireless backhaul) a gNB relays another gNB's traffic over the air to extend coverage → the backhaul is now a radio link must be secured like any backhaul open fronthaul (O-RAN) multi-vendor RU/DU interfaces open fronthaul carries IQ + control → protect (MACsec/IPsec) + secure timing O-RAN security is its own discipline
Purpose: two modern RAN variants with extra surface. IAB turns backhaul into a radio link; open fronthaul adds multi-vendor interfaces — both expand what must be secured beyond classic gNB-to-core.
FIGURE 15.12RAN Hardening Checklist
NG-RAN HARDENING — THE ESSENTIALS ☑ secure boot + signed software chain ☑ secure key storage in the CU (no extraction) ☑ centralize keys in CU; DU/RU hold none ☑ IPsec/DTLS on F1, IPsec on Xn / N2 / N3 ☑ physical tamper detection + alarms ☑ disable/lock unused physical ports & consoles ☑ protect E1 if CU-CP/CU-UP are split ☑ SCAS 33.511 (gNB) compliance evidence ☑ open fronthaul / IAB: protect the extra links + timing
Purpose: the RAN security job on one card. Combine air-interface crypto (Chapter 9), interface protection (Chapter 14), and physical/platform hardening — none alone is sufficient.

15.5 The Practical Operator View

Common misconfiguration risks

15.6 Threats and Mitigations

ThreatVectorDefense
Key extractionphysical access to gNBsecure storage, keys in CU, tamper response
Malicious RAN softwaretampered firmwaresecure boot + signed software chain
F1/Xn interception/injectiontap on midhaul/XnIPsec/DTLS, IPsec on Xn
Handover key compromiseunprotected XnIPsec on Xn (Chapter 16)
Fronthaul tap (O-RAN)open fronthaul exposureMACsec/IPsec + timing security
Port/console abusephysical site accessport lockdown, access control

15.7 Terminology, Example, Checklist

TermMeaning
CU / DU / RUCentral Unit / Distributed Unit / Radio Unit — the disaggregated gNB
CU-CP / CU-UPCU control plane (RRC, control PDCP) / user plane (user PDCP)
F1 / E1 / XnDU↔CU / CU-CP↔CU-UP / gNB↔gNB interfaces
secure bootVerified boot chain rejecting unsigned/modified software
IABIntegrated Access and Backhaul — wireless gNB backhaul

Real network example. An operator deploying cloud-RAN virtualized the CU-CP and CU-UP as separate workloads — sometimes on different hosts in the edge data center. The team had protected F1 and N2/N3 but treated E1 as "internal to the CU" and left it unprotected, assuming the two halves shared a trusted machine. In reality, E1 traffic — carrying bearer security context — crossed the data-center fabric between hosts, observable to anything on that network segment. Fix: IPsec on E1 between CU-CP and CU-UP, and a policy that any inter-host RAN interface is treated as an untrusted link regardless of logical grouping. In cloud-RAN, "inside the CU" is a logical statement, not a physical guarantee.

Chapter Summary

? Review Questions

  1. Why is the gNB's security profile unique among NFs?
  2. In the CU/DU split, where does PDCP run, and what security advantage does that enable?
  3. Why must F1 be protected, and what is exposed if it isn't?
  4. Why is Xn protection critical for mobility security?
  5. Explain the secure-boot chain and what it prevents.
  6. When is E1 a real link to protect, and why is "inside the CU" not a guarantee?
  7. What extra security surface do O-RAN open fronthaul and IAB introduce?
  8. How does centralizing keys in the CU improve site security?
🧪 Mini lab — map your RAN attack surface

Draw a disaggregated gNB: RU, DU, CU-CP, CU-UP, and the core. Label every link (fronthaul, F1, E1, Xn, N2, N3) and for each: (1) what traffic it carries, (2) where it physically runs, (3) its protection mechanism. Then mark where AS keys live and where they don't. Finally, walk a physical attacker from the cell site inward — at each link, what can they observe or inject if it's unprotected, and which control stops them? This map is exactly what a RAN security audit (Chapter 28) produces — build it once and reuse it.

← Chapter 14 Chapter 15 Chapter 16 →