01 — Foundation

What is 5G Core?

The 5G Core Network (5GC) is the brain of every 5G network. Defined in 3GPP TS 23.501 (Release 15, 2018), it replaced the 4G Evolved Packet Core (EPC) with a radically new architecture called Service-Based Architecture (SBA). Instead of fixed point-to-point connections between network elements, 5GC uses cloud-native microservices that communicate via HTTP/2 REST APIs.

Network Functions: 15+
Interfaces: 30+
Architecture: SBA
First Release: Rel-15
Protocol: HTTP/2
Think of it like this

The 4G core (EPC) is a factory with fixed conveyor belts bolted to the floor. Moving one machine means ripping up the belt and rebuilding it. The 5G Core is a modern warehouse with autonomous robots (NFs) that communicate wirelessly (APIs), register themselves in a directory (NRF), and self-organize. Add a new robot? It just announces itself and starts working.

· · ·
02 — Architecture

SBA: The Revolution That Changed Everything

Service-Based Architecture is the single most important innovation in 5G Core. Here’s what makes it revolutionary compared to 4G’s approach:

4G EPC (Legacy)

Fixed interfaces: S1-MME, S11, S5/S8, Gx. Each is a dedicated protocol (GTP-C, Diameter) between specific pairs. Adding a new function means defining new interfaces, new protocols, new testing. Slow, rigid, expensive.

5G Core (SBA)

Every NF exposes services via HTTP/2 + JSON APIs on a common bus. Any NF can discover any other via NRF and consume its services. Want to add a new NF? Register it in NRF. Done. It can immediately interact with every existing NF. Cloud-native, containerized (Kubernetes), CI/CD ready.

The 4 Pillars of SBA

| Pillar | What It Means | 4G Equivalent |
|---|---|---|
| Service Registration | Every NF registers its profile (capabilities, endpoints, capacity) in the NRF | None — hardcoded config |
| Service Discovery | NFs query NRF to find other NFs. “I need an SMF that supports slice SST=1 in region Tokyo” | None — static DNS/config |
| Service Communication | HTTP/2 request/response + subscribe/notify. JSON payloads. OAuth2 authorization. | GTP-C (binary), Diameter (AVPs) |
| CUPS | Control plane (AMF, SMF) fully separated from User plane (UPF). Scale independently. | Partial (S-GW had both) |

Key insight: SBA doesn’t just change how NFs communicate. It changes how the network is deployed (containers on Kubernetes), scaled (horizontal auto-scaling), updated (rolling updates, blue-green deploys), and managed (declarative, API-driven). It’s a paradigm shift, not just a protocol change.
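The registration, discovery and OAuth2-authorized communication pillars above, sketched as an added example (not code from this page or from any 5GC product). `ToyNrf`, `producer_accepts` and the sample profiles are hypothetical; the attribute and claim names (`nfType`, `sNssais`, `aud`, `scope`, `exp`) are modeled on the NRF's JSON data types, and token signing and signature verification are assumed to happen outside this sketch.

```python
import time

# Constructed sample profiles; attribute names follow the NFProfile JSON style.
SMF_TOKYO = {"nfInstanceId": "smf-0001", "nfType": "SMF", "nfStatus": "REGISTERED",
             "sNssais": [{"sst": 1, "sd": "000001"}], "locality": "Tokyo"}
AMF_TOKYO = {"nfInstanceId": "amf-0001", "nfType": "AMF", "nfStatus": "REGISTERED",
             "sNssais": [{"sst": 1, "sd": "000001"}], "locality": "Tokyo"}


class ToyNrf:
    """In-memory stand-in for an NRF (hypothetical class, no HTTP, no signing)."""

    def __init__(self):
        self.profiles = {}

    def register(self, profile):
        self.profiles[profile["nfInstanceId"]] = profile

    def discover(self, nf_type, sst, locality=None):
        """Registered NFs of nf_type serving slice type sst, optionally by locality."""
        return [p for p in self.profiles.values()
                if p["nfType"] == nf_type and p["nfStatus"] == "REGISTERED"
                and any(s["sst"] == sst for s in p["sNssais"])
                and (locality is None or p.get("locality") == locality)]

    def issue_claims(self, consumer_id, target_nf_type, scope, now, ttl=300):
        """Claims of an access token; only registered NFs may obtain one."""
        if consumer_id not in self.profiles:
            raise PermissionError("consumer NF is not registered")
        return {"iss": "toy-nrf", "sub": consumer_id, "aud": target_nf_type,
                "scope": scope, "exp": int(now) + ttl}


def producer_accepts(claims, own_profile, service_name, now=None):
    """Producer-side check: audience, scope and expiry must all match."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = aud == own_profile["nfType"] or (
        isinstance(aud, list) and own_profile["nfInstanceId"] in aud)
    scope_ok = service_name in str(claims.get("scope", "")).split()
    return bool(aud_ok and scope_ok and claims.get("exp", 0) > now)
```

The producer rejects a token whose scope names a different service or whose audience is another NF type, so discovery alone does not grant access to every service on the bus.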

· · ·
03 — Network Functions

The 15+ Network Functions of 5G Core

This is the heart of 5GC. Every NF is a microservice with specific responsibilities. Here is the complete 5G Core reference architecture — the most important diagram in telecom:

FIGURE 1 — 5G CORE REFERENCE ARCHITECTURE (3GPP TS 23.501) — ALL NFs, INTERFACES & PLANES
5G CORE SBA MESH — Live NF interactions via HTTP/2 APIs (animated)

Control Plane NFs

🛡️
AMF
Access & Mobility Management
NAS termination, registration, mobility, authentication relay, N2 to gNB. Stateless — state in UDM/UDR.
N1 N2 N8 N11 N12 N14 N15 N22
📋
SMF
Session Management Function
PDU session lifecycle, UPF selection, IP allocation, QoS enforcement via PFCP to UPF.
N4 N7 N10 N11 N16
🔍
NRF
NF Repository Function
Service registry. NF profiles, discovery, subscription, heart-beating. The SBA directory.
Nnrf (all NFs)
🔒
AUSF
Authentication Server Function
Executes 5G-AKA / EAP-AKA’. Stores K_AUSF. SUCI de-concealment via UDM.
N12 N13
💾
UDM / UDR
Unified Data Management
Subscription data, auth vectors, registration management. UDR is the storage backend.
N8 N10 N13 N35 Nudr
⚖️
PCF
Policy Control Function
SM policy, AM policy, UE policy. PCC rules. Replaces PCRF. Uses SBA APIs, not Diameter.
N5 N7 N15 N36
📦
NSSF
Slice Selection Function
Selects allowed NSSAI, determines serving AMF set. Maps S-NSSAI to slice instance.
N22 Nnssf
🔗
NEF
Network Exposure Function
API gateway for external AFs. Exposes network capabilities, translates identifiers.
N33 Nnef
📊
NWDAF
Network Data Analytics
Collects data, provides analytics (load, QoS, abnormality). ML model training (MTLF) and inference (AnLF).
Nnwdaf (all NFs)
📨
SCP
Service Communication Proxy
Message routing, load balancing between NFs. Indirect communication model. Rel-16+.
Between all NFs

User Plane & Security NFs

🚀
UPF
User Plane Function
Packet routing/forwarding, QoS, DPI, usage reporting. N3 (gNB), N6 (DN), N9 (inter-UPF). Can be at edge for MEC.
N3 N4 N6 N9
🛡️
SEPP
Security Edge Protection Proxy
Inter-PLMN security for roaming. N32 interface. Topology hiding, message filtering.
N32-c N32-f
💰
CHF
Charging Function
Converged online/offline charging. Spending limit control. Nchf services.
Nchf
🌐
AF
Application Function
External apps (e.g., IMS P-CSCF). Influences traffic routing and policy via NEF/PCF.
N5 N33
⏱️
TSCTSF
Time Sync & TSN Function
TSN bridge configuration, time synchronization for industrial IoT. Rel-16+.
Ntsctsf
· · ·
04 — Data Flow

PDU Sessions: How Your Data Flows

In 5G, data flows through PDU Sessions (replacing 4G’s EPS Bearers). A PDU session is a logical connection between the UE and a Data Network, established via the SMF and carried by the UPF.

PDU SESSION DATA FLOW — UE → gNB (N3) → UPF (N6) → Internet (animated packets)

PDU Session Types

| Type | Description | Use Case |
|---|---|---|
| IPv4 | Traditional IPv4 connectivity. UPF assigns IP address. | Standard internet, legacy apps |
| IPv6 | IPv6 connectivity. Mandatory for 5G compliance. | IoT, future-proof apps |
| IPv4v6 | Dual-stack. Both IPv4 and IPv6. | Most common deployment |
| Ethernet | Raw Ethernet frames. No IP layer from network. | Industrial IoT, TSN |
| Unstructured | Raw user plane data. No IP/Ethernet from core. | Custom protocols, tunneling |

Session Continuity Modes

| Mode (SSC) | Behavior | When to Use |
|---|---|---|
| SSC Mode 1 | IP address preserved during mobility. UPF anchor stays same. | VoNR, persistent connections |
| SSC Mode 2 | Session released & re-established with new UPF. IP changes. | Web browsing, non-persistent |
| SSC Mode 3 | New session established before old one released. Make-before-break. | Edge computing, MEC migration |
· · ·
05 — Slicing

Network Slicing: Multiple Networks in One

Network slicing is 5G’s killer feature for vertical industries. Each slice is an isolated, end-to-end virtual network on shared physical infrastructure, identified by S-NSSAI (Single Network Slice Selection Assistance Information) = SST (Slice/Service Type) + optional SD (Slice Differentiator).

NETWORK SLICING — Three isolated virtual networks on shared infrastructure (animated)

Standard Slice Types

| SST | Slice Type | Optimized For | Example |
|---|---|---|---|
| 1 | eMBB | High bandwidth, moderate latency | Video streaming, AR/VR |
| 2 | URLLC | Ultra-reliable, ultra-low latency | Remote surgery, autonomous driving |
| 3 | MIoT | Massive connections, low power | Smart city sensors, meters |
| 4 | V2X | Vehicle communication | Vehicle-to-everything |
| 5-127 | Operator-defined | Custom per operator | Enterprise, gaming, etc. |
· · ·
06 — Quality of Service

QoS Framework: 5QI and QoS Flows

5G replaced 4G’s bearer-based QoS with flow-based QoS. Instead of per-bearer QoS, each PDU session contains multiple QoS Flows, each identified by a QFI (QoS Flow Identifier) and mapped to a 5QI (5G QoS Identifier).

QoS Architecture

App packets → classified by SDF filters → mapped to QoS Flows (QFI) → each flow gets 5QI parameters (priority, delay budget, error rate) → UPF enforces GBR/MBR/AMBR → gNB maps flows to DRBs on air interface.

Key 5QI Values

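| 5QI | Type | Priority | Delay Budget | Error Rate | Use Case |
|---|---|---|---|---|---|
| 1 | GBR | 20 | 100 ms | 10^-2 | Conversational voice |
| 2 | GBR | 40 | 150 ms | 10^-3 | Conversational video |
| 5 | Non-GBR | 10 | 100 ms | 10^-6 | IMS signalling |
| 9 | Non-GBR | 90 | 300 ms | 10^-6 | Video streaming, web |
| 82 | DC-GBR | 19 | 10 ms | 10^-4 | Discrete automation |
| 85 | DC-GBR | 21 | 5 ms | 10^-5 | Remote surgery (URLLC) |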
· · ·
07 — Security

Security: SUCI, 5G-AKA & Zero-Trust

5G security (TS 33.501) fixed the biggest flaw in 4G: IMSI exposure. In 4G, your permanent identity (IMSI) was sent in clear text over the air, enabling IMSI catchers. In 5G, it’s encrypted.

SUPI → SUCI: Identity Protection

How SUCI Works

Your permanent ID (SUPI = IMSI equivalent) is never sent over the air. Instead, the UE encrypts it using the home network’s public key (ECIES encryption) to create SUCI (Subscription Concealed Identifier). Only the home UDM can decrypt SUCI back to SUPI. IMSI catchers are dead.

5G-AKA Authentication Flow

1. UE sends SUCI to AMF
   Registration Request with concealed identity (encrypted IMSI).
2. AMF forwards to AUSF
   Nausf_UEAuthentication_Authenticate request.
3. AUSF queries UDM
   UDM de-conceals SUCI → SUPI. Generates auth vector (RAND, AUTN, XRES*, K_AUSF).
4. Challenge sent to UE
   AMF sends Auth-Request (RAND, AUTN) to UE. UE verifies AUTN (mutual auth).
5. UE responds with RES*
   UE calculates RES* from RAND + K. Sends Auth-Response back to AMF.
6. AUSF verifies RES*
   Compares RES* with XRES*. If match: authenticated. Derives K_SEAF → K_AMF → K_NAS, K_gNB.
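The RES*/XRES* comparison and the first links of the key chain from the flow above, as an added example (not code from this page or from any operator stack). It assumes the FC codes 0x6A to 0x6D of TS 33.501 Annex A and the generic HMAC-SHA-256 KDF of TS 33.220; CK, IK and RES are constructed stand-ins for the USIM/UDM authentication algorithm outputs, and all identifiers use the 001/01 test PLMN.

```python
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_ausf(ck, ik, snn, sqn_xor_ak):
    return kdf(ck + ik, 0x6A, snn, sqn_xor_ak)


def derive_res_star(ck, ik, snn, rand, res):
    # RES* / XRES* is the 128 least significant bits of the KDF output.
    return kdf(ck + ik, 0x6B, snn, rand, res)[16:]


def derive_k_seaf(k_ausf, snn):
    return kdf(k_ausf, 0x6C, snn)


def derive_k_amf(k_seaf, supi, abba=b"\x00\x00"):
    return kdf(k_seaf, 0x6D, supi, abba)


def ausf_verify(res_star, xres_star):
    """Constant-time comparison of the UE's RES* with the expected XRES*."""
    return hmac.compare_digest(res_star, xres_star)


# Constructed test values (not from any real SIM or network).
SNN = b"5G:mnc001.mcc001.3gppnetwork.org"   # serving network name
CK, IK = bytes(range(16)), bytes(range(16, 32))
RAND, RES = bytes([0xAA]) * 16, bytes([0x55]) * 8
SQN_XOR_AK = bytes(6)
SUPI = b"001010000000001"


def demo():
    xres_star = derive_res_star(CK, IK, SNN, RAND, RES)   # home network side
    res_star = derive_res_star(CK, IK, SNN, RAND, RES)    # UE side
    k_ausf = derive_k_ausf(CK, IK, SNN, SQN_XOR_AK)
    k_amf = derive_k_amf(derive_k_seaf(k_ausf, SNN), SUPI)
    return ausf_verify(res_star, xres_star), k_amf
```

Because the serving network name is an input to RES*, K_AUSF and K_SEAF, a response computed for one serving network does not verify against a vector issued for another.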

Key Security Specs: TS 33.501 (5G security architecture), TS 33.535 (AKMA), TS 33.220 (GBA). Algorithms: SNOW, AES-128, ZUC for NAS/AS encryption. 256-bit key support.

· · ·
08 — Procedures

Registration & Key Procedures (TS 23.502)

UE Registration Flow

1. RRC Connection Setup
   UE ↔ gNB establish RRC connection. UE moves to RRC_CONNECTED.
2. Registration Request (N1)
   UE sends NAS Registration Request with SUCI/5G-GUTI, requested NSSAI, UE capabilities.
3. AMF Selection
   gNB selects AMF based on NSSAI, GUAMI. May query NSSF for slice-specific AMF set.
4. Authentication
   AMF → AUSF → UDM: 5G-AKA or EAP-AKA’. Key derivation (K_AMF, K_NAS).
5. NAS Security Mode
   AMF activates NAS encryption & integrity protection. UE confirms.
6. UDM Registration
   AMF registers in UDM (Nudm_UECM_Registration). Gets subscription data.
7. PCF Policy
   AMF retrieves AM policy from PCF (access, mobility, service area restrictions).
8. Registration Accept
   AMF sends Registration Accept with 5G-GUTI, allowed NSSAI, registration area, LADN info.
· · ·
09 — Interfaces

All 30+ Interfaces Mapped

| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| N1 | UE ↔ AMF | NAS | Registration, authentication, mobility |
| N2 | gNB ↔ AMF | NGAP/SCTP | Control plane (RAN-Core) |
| N3 | gNB ↔ UPF | GTP-U | User plane (RAN-Core) |
| N4 | SMF ↔ UPF | PFCP | Session rules, QoS, forwarding |
| N5 | PCF ↔ AF | HTTP/2 | Application policy influence |
| N6 | UPF ↔ DN | IP | Internet / data network access |
| N7 | SMF ↔ PCF | HTTP/2 | SM policy, PCC rules |
| N8 | AMF ↔ UDM | HTTP/2 | Subscription, registration |
| N9 | UPF ↔ UPF | GTP-U | Inter-UPF tunneling |
| N10 | SMF ↔ UDM | HTTP/2 | Session subscription data |
| N11 | AMF ↔ SMF | HTTP/2 | PDU session management |
| N12 | AMF ↔ AUSF | HTTP/2 | Authentication |
| N13 | AUSF ↔ UDM | HTTP/2 | Auth vectors, SUCI decode |
| N14 | AMF ↔ AMF | HTTP/2 | Mobility between AMFs |
| N15 | AMF ↔ PCF | HTTP/2 | AM policy |
| N22 | AMF ↔ NSSF | HTTP/2 | Slice selection |
| N27 | NRF ↔ NRF | HTTP/2 | Inter-PLMN NF discovery |
| N32 | SEPP ↔ SEPP | TLS/JWE | Inter-PLMN roaming security |
| N33 | NEF ↔ AF | HTTP/2 | Network exposure API |
| Xn | gNB ↔ gNB | XnAP/GTP-U | Inter-gNB handover |
· · ·
10 — Roaming

Roaming Architecture

5G supports two roaming models, protected by SEPP (Security Edge Protection Proxy) at each PLMN boundary:

| Model | Where UPF Sits | Data Path | Use Case |
|---|---|---|---|
| Home-Routed (HR) | Home PLMN | UE → V-gNB → V-UPF → H-UPF → DN | Strict data sovereignty, enterprise |
| Local Breakout (LBO) | Visited PLMN | UE → V-gNB → V-UPF → DN (local) | Low latency, local content |
· · ·
11 — AI / ML

NWDAF: AI/ML in 5G Core

The Network Data Analytics Function is 3GPP’s first AI/ML network function (Rel-16). It collects data from all NFs, runs analytics, and provides insights. In Rel-17, it was split into two logical functions:

| Component | Role | Outputs |
|---|---|---|
| AnLF (Analytics Logical Function) | Runs inference on trained models | Load analytics, QoS sustainability, abnormal behavior, UE mobility prediction |
| MTLF (Model Training Logical Function) | Trains ML models on collected data | Trained ML models deployed to AnLF or other NFs |

NWDAF Analytics IDs (Rel-17): NF load, service experience, QoS sustainability, abnormal behavior, UE mobility, UE communication, expected UE behavioral parameters, network performance, redundant transmission experience, WLAN performance, DN performance.

“NWDAF was designed as an observer — it watches and reports. In 6G (TR 23.801, KI#18), AI agents will become controllers — they act, decide, and optimize autonomously.”

— The bridge from 5G analytics to 6G AI-native
