TelcomIQ


4G EPC

The Evolved Packet Core: the all-IP mobile core defined in 3GPP Release 8

Type: generation
Generations: 4G
Threat level: high

Overview

The Evolved Packet Core (EPC) is the all-IP mobile core network defined in 3GPP Release 8, frozen in December 2008 and commercially deployed from 2009 with the first LTE network launches. It represents the most significant architectural break in mobile core history: the EPC has no circuit-switched domain at all, so every service, voice included, is carried as packets (voice as VoLTE over the IMS, or by falling back to the legacy circuit-switched core where VoLTE is not available).

Two decisions defined the EPC's character. First, the separation of control and user planes: the Mobility Management Entity (MME) handles all signalling and control, while the Serving Gateway (S-GW) and PDN Gateway (P-GW) carry user traffic, a clean split that allows each element to scale and be secured independently. Second, the replacement of SS7 and MAP with Diameter as the control plane signalling protocol towards the subscriber database and policy functions, bringing the mobile core onto an IP-native protocol stack for the first time.

The access network architecture is equally flat. eNodeBs connect directly to the core via the S1 interface, eliminating the BSC and RNC aggregation layers that existed in 2G and 3G. eNodeBs communicate with each other via X2, enabling direct inter-cell handover coordination without traversing the core.

Authentication in the EPC builds on 3G UMTS AKA, which already provided mutual authentication, and tightens it. The EPS Authentication and Key Agreement (EPS-AKA) procedure lets the UE cryptographically verify the network it is attaching to (via AUTN) before it accepts the attach, binds the resulting root key KASME to the identity of the serving network, so that an authentication vector issued for one PLMN cannot be used to impersonate another, and hangs a full key hierarchy off that root. Network authentication closes the gap that made attach-and-intercept false base stations trivially effective against 2G devices, which never authenticated the network at all. It does not stop a false base station from eliciting the IMSI before authentication runs; that exposure is covered under Attack surface.

The EPC remains operationally significant today. Every 5G Non-Standalone (NSA) deployment, the dominant 5G deployment model through the mid-2020s, uses the EPC as its core network, with 5G NR radio added as a secondary cell group under an LTE anchor. Hundreds of millions of 5G NSA connections worldwide terminate in EPC infrastructure.


How it works

Control and user plane separation

The EPC rigidly separates two functions that were intermingled in older architectures. The control plane handles all signalling: authentication, session establishment, mobility management, and paging. The user plane carries subscriber IP traffic. These functions run on distinct nodes connected by distinct interfaces, allowing operators to scale user plane capacity independently of control plane capacity and to apply different security treatment at each boundary.

The MME is the control plane hub. It terminates NAS signalling from the UE, interfaces with the HSS for authentication and subscriber profile retrieval, and orchestrates bearer setup across the S-GW and P-GW via GTP-C. The S-GW and P-GW together form the user plane path, with GTP-U tunnels carrying encapsulated subscriber IP packets end-to-end.

Attach procedure

The initial attach procedure illustrates how the planes interact:

  1. The UE sends an Attach Request (carrying a PDN Connectivity Request) to its serving eNodeB, which selects an MME and forwards it over S1AP. The UE identifies itself by GUTI if it holds a valid one, otherwise by IMSI.
  2. The MME requests authentication material by sending a Diameter Authentication-Information-Request (AIR) to the HSS over S6a, naming the serving network's PLMN identity.
  3. The HSS derives one or more EPS Authentication Vectors (AVs) from the subscriber's long-term key K, which is shared only between the HSS/AuC and the USIM. Each AV comprises RAND, AUTN, XRES and KASME; KASME is bound to the serving network identity supplied in the AIR.
  4. The MME sends a NAS Authentication Request to the UE carrying RAND and AUTN.
  5. The USIM verifies AUTN: it recovers the sequence number SQN, checks the MAC (computed with K) and checks that SQN is fresh. This is the step at which the UE authenticates the network. If the check fails the UE answers with Authentication Failure and the attach does not proceed, which is what defeats a false base station that does not hold K. Having verified the network, the USIM computes RES, CK and IK, and the UE returns RES to the MME.
  6. The MME compares RES against XRES. On match, authentication succeeds and KASME becomes the root key for all subsequent key derivation.
  7. The NAS Security Mode Command activates NAS integrity protection and ciphering, selecting the algorithms and deriving KNASint and KNASenc from KASME.
  8. After updating the subscriber's location with the HSS (Update-Location-Request over S6a), the MME selects an S-GW and sends a Create Session Request over S11 (GTP-C). The S-GW in turn sends a Create Session Request to the P-GW over S5 (S8 when roaming).
  9. The P-GW allocates the UE's IP address, obtains policy from the PCRF over Gx and returns a Create Session Response. The S-GW relays a Create Session Response to the MME carrying its own S1-U F-TEID (address and TEID) for the user plane.
  10. The MME sends an Initial Context Setup Request to the eNodeB over S1AP, carrying the Attach Accept NAS message, the access stratum security context (KeNB) and the S-GW S1-U F-TEID. The eNodeB establishes the radio bearer and returns Initial Context Setup Response with its own S1-U F-TEID; the UE answers Attach Complete.
  11. The MME passes the eNodeB's S1-U F-TEID to the S-GW in a Modify Bearer Request, completing the downlink path. Until this step the S-GW can only buffer downlink packets.
  12. The UE is now attached. IP traffic flows UE → eNodeB → S-GW → P-GW → SGi → internet, encapsulated in GTP-U tunnels on the S1-U and S5/S8 segments.
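The HSS, USIM and MME sides of steps 3 to 6, as an added example (not code from the page, TelcomIQ or 3GPP). The KASME derivation is the real TS 33.401 Annex A.2 KDF over CK||IK, the serving network identity and SQN xor AK; the Milenage functions f1 to f5 are replaced by HMAC-SHA-256 stand-ins, which is an assumption of the example (real USIMs run the AES-based Milenage or TUAK). K, RAND, the sequence numbers and the PLMN identities are constructed test values. The demo runs the genuine exchange and then the three failure modes the procedure is built to catch: an AUTN forged by a false base station that does not hold K, a replayed vector, and a vector issued for the home PLMN but presented by a different serving network.

```python
"""EPS-AKA as exchanged in attach steps 3-6 (TS 33.401 clause 6.1).

Added example. KASME derivation follows TS 33.401 Annex A.2; f1..f5 are
HMAC-SHA-256 stand-ins for Milenage (assumption). All key material, RAND,
SQN values and PLMN identities are constructed test values.
"""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC||P0||L0||P1||L1...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def plmn_id(mcc: str, mnc: str) -> bytes:
    """Serving network identity: MCC/MNC as 3 BCD octets (TS 24.301 PLMN encoding)."""
    d = [int(c) for c in mcc + mnc]
    mnc3 = 0xF if len(mnc) == 2 else d[5]
    return bytes([(d[1] << 4) | d[0], (mnc3 << 4) | d[2], (d[4] << 4) | d[3]])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-ins for Milenage f1..f5 (assumption: HMAC-SHA-256 keyed with K, not AES Milenage).
def _f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf):
    return _f(k, b"f1", rand, sqn, amf)[:8]   # MAC-A, 64 bits


def f2(k, rand):
    return _f(k, b"f2", rand)[:8]             # RES / XRES


def f3(k, rand):
    return _f(k, b"f3", rand)[:16]            # CK


def f4(k, rand):
    return _f(k, b"f4", rand)[:16]            # IK


def f5(k, rand):
    return _f(k, b"f5", rand)[:6]             # AK, 48 bits


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """TS 33.401 A.2: KASME = KDF(CK||IK, FC=0x10, SN id, SQN xor AK), 256 bits."""
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def hss_generate_av(k, sqn, sn_id, rand, amf=b"\x80\x00"):
    """HSS side (step 3). AMF separation bit (bit 0) set marks an EPS vector."""
    ak = f5(k, rand)
    autn = xor(sqn, ak) + amf + f1(k, rand, sqn, amf)
    kasme = derive_kasme(f3(k, rand), f4(k, rand), sn_id, xor(sqn, ak))
    return {"RAND": rand, "AUTN": autn, "XRES": f2(k, rand), "KASME": kasme}


class AuthFailure(Exception):
    """Raised where a real UE would send NAS Authentication Failure."""


def usim_authenticate(k, sqn_ue, rand, autn, sn_id):
    """USIM/UE side (step 5): verify AUTN, then produce RES and KASME for this SN."""
    sqn_xor_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:16]
    sqn = xor(sqn_xor_ak, f5(k, rand))
    if not hmac.compare_digest(f1(k, rand, sqn, amf), mac_a):
        raise AuthFailure("MAC failure: sender does not hold K")
    if not amf[0] & 0x80:
        raise AuthFailure("non-EPS vector: AMF separation bit clear")
    if int.from_bytes(sqn, "big") <= int.from_bytes(sqn_ue, "big"):
        raise AuthFailure("synch failure: SQN not fresh (replayed vector)")
    kasme = derive_kasme(f3(k, rand), f4(k, rand), sn_id, sqn_xor_ak)
    return f2(k, rand), kasme, sqn


def mme_check(res: bytes, xres: bytes) -> bool:
    """MME side (step 6)."""
    return hmac.compare_digest(res, xres)


K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed test K
RAND = bytes(range(16))                                # constructed; real RAND is random
HOME = plmn_id("001", "01")


def demo() -> dict:
    sqn_hss, sqn_ue = (0x21).to_bytes(6, "big"), (0x20).to_bytes(6, "big")
    av = hss_generate_av(K, sqn_hss, HOME, RAND)
    out = {}
    # 1. genuine network: USIM accepts, RES matches XRES, both sides share KASME
    res, kasme_ue, sqn_ue = usim_authenticate(K, sqn_ue, av["RAND"], av["AUTN"], HOME)
    out["genuine"] = mme_check(res, av["XRES"]) and kasme_ue == av["KASME"]
    # 2. false base station without K forges AUTN: rejected at the MAC check
    try:
        usim_authenticate(K, sqn_ue, RAND, bytes(16), HOME)
        out["forged"] = "accepted"
    except AuthFailure as e:
        out["forged"] = str(e)
    # 3. the captured vector replayed after the USIM advanced its SQN
    try:
        usim_authenticate(K, sqn_ue, av["RAND"], av["AUTN"], HOME)
        out["replayed"] = "accepted"
    except AuthFailure as e:
        out["replayed"] = str(e)
    # 4. vector issued for the home PLMN, presented by another serving network:
    #    the MAC verifies, but the UE derives a different KASME
    _, kasme_rogue, _ = usim_authenticate(K, (0x20).to_bytes(6, "big"), av["RAND"], av["AUTN"], plmn_id("999", "99"))
    out["sn_binding_holds"] = kasme_rogue != av["KASME"]
    return out


if __name__ == "__main__":
    print(demo())
```

The fourth case is what separates EPS-AKA from 3G AKA: the MAC still verifies, but the UE derives KASME with the PLMN it actually sees, so the NAS Security Mode Command from the rogue network fails its integrity check and the attach collapses there.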

Bearer architecture

The EPC uses an Evolved Packet System (EPS) bearer as its fundamental quality-of-service construct. A bearer is a logical pipe with defined QoS characteristics (QCI class, ARP, GBR/MBR parameters) that runs from the UE to the P-GW. Bearers are implemented as matched GTP-U tunnels: one tunnel between eNodeB and S-GW (on S1-U), and one between S-GW and P-GW (on S5/S8).

Every attached UE has at least one default bearer, established at attach time and maintained as long as the UE is registered. The default bearer uses a non-GBR QCI (typically QCI 9) and carries all traffic not matched by a more specific bearer. Dedicated bearers are established on demand, either network-initiated (the PCRF installs a rule over Gx and the P-GW issues a Create Bearer Request) or UE-requested through a Bearer Resource Allocation or Modification request, to carry traffic requiring specific QoS, such as VoLTE media streams (QCI 1).

The MME controls bearer lifecycle via GTP-C over S11 and coordinates with the eNodeB over S1AP for the radio access bearer (E-RAB) that maps to each EPS bearer.

Roaming

When a subscriber roams to a visited PLMN, the architecture bifurcates at the S-GW/P-GW split. The visited PLMN provides the MME and S-GW. The home PLMN provides the P-GW and HSS. The S8 interface, functionally equivalent to S5 but traversing the inter-operator boundary, carries GTP-C and GTP-U between the visited S-GW and the home P-GW. This home-routed model keeps the subscriber's IP address and policy enforcement anchored in the home network, preserving continuity across roaming sessions.


Architecture role

The EPC sits at the centre of the 4G network. The E-UTRAN, composed of eNodeBs, connects to it via the S1 interface, which is split: S1-MME for control plane signalling (S1AP) and S1-U for user plane traffic (GTP-U). The division is deliberate; MME and S-GW can be separately dimensioned and deployed.

The MME is the control plane anchor for all UEs in the tracking areas it serves. It handles attach, detach, tracking area updates, paging, handover coordination, and bearer management. It is stateful per UE: it maintains the UE context, including security parameters, bearer configuration, and mobility state. Multiple MMEs can form a pool (MME pool), with eNodeBs distributing UEs across the pool via S1-flex.

The S-GW is the mobility anchor for intra-LTE handovers. When a UE moves between eNodeBs served by the same S-GW, the data path is re-established by updating the S1-U binding at the S-GW; no P-GW involvement is required. This local anchoring limits handover latency and keeps the P-GW decoupled from radio-layer mobility events.

The P-GW is the IP address anchor and the subscriber's connection to external packet data networks. It allocates and maintains the UE's IP address for the lifetime of the PDN connection, enforces policy from the PCRF, applies deep packet inspection and charging, and connects to the internet or operator services via the SGi interface.

The PCRF (Policy and Charging Rules Function) provides real-time policy decisions to the P-GW via the Gx Diameter interface. It translates subscriber entitlements, service policies, and network conditions into bearer-level QoS rules and charging instructions. The P-GW enforces these rules on the data path.

The HSS (Home Subscriber Server) is the subscriber database. It stores the long-term key K, the subscriber profile (allowed APNs, QoS limits, roaming permissions), and provides authentication vectors to the MME via the S6a Diameter interface. The HSS is the EPC's equivalent of the 3G HLR.

In 5G NSA (Option 3x), the EPC remains the core. The LTE eNodeB (master node) and the 5G NR gNB (secondary node) both connect to the EPC. The eNodeB retains S1-MME and S1-U connectivity; the gNB connects to the S-GW directly for user plane traffic via the S1-U interface, with the eNodeB acting as the control plane anchor. All authentication, session management, and mobility procedures remain EPC functions.

In 5G SA, the EPC is replaced by the 5G Core (5GC). The MME's functions are assumed by the AMF (Access and Mobility Management Function). The S-GW and P-GW are split along the control/user plane line: their session control goes to the SMF (Session Management Function) and their packet forwarding to the UPF (User Plane Function). The HSS evolves into the UDM. The Diameter interfaces are replaced by HTTP/2-based SBI (Service Based Interface) procedures.


Key interfaces

Interface   Between                        Protocol      Purpose
S1-MME      eNodeB ↔ MME                   S1AP          NAS signalling, UE context management
S1-U        eNodeB ↔ S-GW                  GTP-U         User plane bearer transport
S11         MME ↔ S-GW                     GTP-C         Session and bearer management
S6a         MME ↔ HSS                      Diameter      Authentication vectors, subscriber profile
S5          S-GW ↔ P-GW (same PLMN)        GTP-C/GTP-U   PDN connection, non-roaming
S8          visited S-GW ↔ home P-GW       GTP-C/GTP-U   PDN connection, home-routed roaming
Gx          P-GW ↔ PCRF                    Diameter      Policy and charging rules
SGi         P-GW ↔ external PDN            IP            Connectivity to the internet or operator services

Security posture

The EPC delivered material security improvements over its 3G predecessor. Mutual authentication itself is not new: 3G UMTS AKA already let the USIM verify the network, and EPS-AKA keeps that mechanism. The AUTN parameter in the MME's Authentication Request carries a sequence number and a MAC computed with the shared key K; a USIM that cannot verify the MAC, or that sees a stale sequence number, rejects the attach. What EPS-AKA adds is the binding of the root key KASME to the serving network identity, so authentication vectors obtained for one PLMN cannot be reused by another, and a proper key hierarchy beneath that root. Together these close the vulnerability that active false base stations exploited against 2G devices, where the network was never authenticated; they do not stop a false eNodeB from eliciting an IMSI before authentication runs (see Attack surface).

Key derivation in the EPC is hierarchical and provides domain separation. KASME is the root session key, derived from CK and IK (the AKA outputs), the serving network identity and the sequence number. From KASME the network and UE derive KNASenc and KNASint for NAS-layer ciphering and integrity protection, and KeNB for the access stratum security context at the eNodeB. KeNB is in turn the parent of the RRC ciphering and integrity keys and the user plane ciphering key, and is refreshed at every handover through the KeNB* and NH derivations. Each step is a one-way KDF, so a key recovered at one layer yields the keys beneath it but not its parent: an eNodeB compromise exposes KeNB and the AS keys, not KASME or the NAS keys.
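The derivations described above, as an added example that is not from the page or from 3GPP: the FC values, algorithm type distinguishers and algorithm identities are those defined in TS 33.401 Annex A, while the KASME, NAS COUNT, PCI and EARFCN values are constructed.

```python
"""EPS key hierarchy below KASME (TS 33.401 clause 6.2; KDF and FC values from Annex A).

Added example. The KASME, NAS COUNT, PCI and EARFCN below are constructed test
values; FC values, type distinguishers and algorithm identities are the spec's.
"""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC||P0||L0||P1||L1...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Annex A.7 algorithm type distinguishers
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC, UP_INT = 1, 2, 3, 4, 5, 6
# Algorithm identities: 0 = null (EEA0/EIA0), 1 = SNOW 3G, 2 = AES, 3 = ZUC
EEA2 = EIA2 = 2


def alg_key(parent: bytes, distinguisher: int, alg_id: int) -> bytes:
    """A.7: 128-bit algorithm key = the 128 least significant bits of KDF(parent, 0x15, type, id)."""
    return kdf(parent, 0x15, bytes([distinguisher]), bytes([alg_id]))[16:]


def k_enb(kasme: bytes, ul_nas_count: int) -> bytes:
    """A.3: KeNB = KDF(KASME, 0x11, uplink NAS COUNT of the activating NAS message)."""
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))


def next_hop(kasme: bytes, sync_input: bytes) -> bytes:
    """A.4: NH = KDF(KASME, 0x12, SYNC-input); SYNC-input is KeNB for the first NH, then the previous NH."""
    return kdf(kasme, 0x12, sync_input)


def k_enb_star(key: bytes, pci: int, earfcn_dl: int) -> bytes:
    """A.5: KeNB* for a handover target cell; key is KeNB (horizontal) or NH (vertical).
    EARFCN-DL is encoded in 2 octets here; extended EARFCNs above 65535 use 3 octets."""
    return kdf(key, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def derive_all(kasme: bytes, ul_nas_count: int, enc_alg: int = EEA2, int_alg: int = EIA2) -> dict:
    """The hierarchy activated by the NAS and AS Security Mode Commands."""
    kenb = k_enb(kasme, ul_nas_count)
    return {
        "KNASenc": alg_key(kasme, NAS_ENC, enc_alg),
        "KNASint": alg_key(kasme, NAS_INT, int_alg),
        "KeNB": kenb,
        "KRRCenc": alg_key(kenb, RRC_ENC, enc_alg),
        "KRRCint": alg_key(kenb, RRC_INT, int_alg),
        "KUPenc": alg_key(kenb, UP_ENC, enc_alg),
    }


KASME = hashlib.sha256(b"constructed KASME for the example").digest()   # constructed 256-bit root


def demo() -> dict:
    a = derive_all(KASME, ul_nas_count=0)
    b = derive_all(KASME, ul_nas_count=7)            # same KASME, later AS activation
    c = derive_all(KASME, 0, enc_alg=1, int_alg=1)   # SNOW 3G instead of AES
    # X2 handover: source eNodeB derives the target cell key (PCI 17, EARFCN-DL 1850)
    target = k_enb_star(a["KeNB"], 17, 1850)
    # S1 handover with a fresh NH from the MME (vertical derivation)
    nh1 = next_hop(KASME, a["KeNB"])
    target_vertical = k_enb_star(nh1, 17, 1850)
    return {
        "lengths_ok": len(a["KNASenc"]) == 16 and len(a["KeNB"]) == 32,
        # NAS keys depend only on KASME and the algorithm; AS keys change with every KeNB
        "nas_stable_across_kenb": a["KNASint"] == b["KNASint"] and a["KeNB"] != b["KeNB"],
        "alg_separation": a["KNASenc"] != c["KNASenc"],
        "enc_int_separation": a["KRRCenc"] != a["KRRCint"],
        "target_cell_key_differs": target != a["KeNB"],
        "vertical_differs_from_horizontal": target_vertical != target,
    }


if __name__ == "__main__":
    print(demo())
```

The flags in demo() are the domain separation claims made concrete: changing the NAS COUNT or the target cell rotates the AS keys while leaving the NAS keys untouched, and every key is a one-way function of its parent, so a KeNB lifted from an eNodeB gives nothing above it.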

NAS signalling integrity protection is mandatory once the security context is activated (the null integrity algorithm EIA0 is permitted only for unauthenticated emergency attach). Every NAS message exchanged after the Security Mode Command carries a message authentication code computed over the message and its NAS COUNT, which prevents injection, modification and replay of NAS messages in transit, a meaningful constraint compared to SS7, where MAP messages carry no integrity protection.

Where the EPC falls short is at the inter-operator boundary. The Diameter protocol that replaced SS7/MAP brings an IP-native stack but inherits a similar trust model: any node that can establish a Diameter connection to a realm can send commands, and the receiving node has no cryptographic means to verify the sender's authority. In practice, Diameter connections between operators traverse the IPX/GRX interconnect, often without TLS in legacy deployments, leaving inter-PLMN Diameter traffic exposed to manipulation within the transit network.

GTP, both GTP-C for control and GTP-U for user plane, carries no message-level authentication. GTP-C messages on the S8 interface between a visited S-GW and a home P-GW are trusted solely on the basis of their source IP address and, for an existing session, knowledge of its TEID; in practice that trust is often enforced only loosely at roaming boundaries.


Attack surface

Diameter location tracking via S6a

The S6a interface between MME and HSS uses Diameter, and in the inter-PLMN context, Diameter traffic flows through the IPX interconnect between operators. An attacker with access to the Diameter interconnect, obtainable via a rogue or compromised operator node, can send unsolicited Diameter commands to a target MME or HSS.

The Insert-Subscriber-Data-Request (IDR) command is sent by the HSS to the MME to update a subscriber's profile; when its IDR-Flags ask for EPS location information, the MME's answer includes the E-UTRAN Cell Global Identity (ECGI) and Tracking Area Identity of the serving cell, which is cell-level location. An entity on the interconnect that claims to be the subscriber's HSS can therefore send an unsolicited IDR to the serving MME and receive that location. (Provide-Subscriber-Info is the SS7/MAP operation with the same effect; it has no Diameter equivalent on S6a.) Unlike SS7's SRI attack, which targets the HLR, the Diameter equivalent targets the MME directly, and can be harder to detect because the MME is designed to accept commands from the HSS realm of any subscriber it is serving.

Impact: Cell-level real-time subscriber location exposed without subscriber knowledge or involvement.
Difficulty: Requires access to the Diameter interconnect, achievable via a rogue operator node on the IPX network or a compromised interconnect node.

GTP-C injection at the S8 roaming interface

The S8 interface carries GTP-C control messages and GTP-U data between a visited PLMN's S-GW and the subscriber's home PLMN P-GW. GTP-C messages are trusted on the basis of source IP address, with no cryptographic authentication. An attacker positioned on the GTP path, within the IPX network or via a rogue IPX participant, can inject forged GTP-C messages.

A Create Session Request from an unexpected source can establish a rogue PDN context for an existing subscriber, causing the P-GW to allocate a new IP address and route traffic through attacker-controlled infrastructure. A Modify Bearer Request can redirect the subscriber's existing user plane traffic by substituting the attacker's IP address and TEID as the new S-GW user plane endpoint. The P-GW will update its forwarding state and begin sending subscriber traffic to the specified address.

Impact: User plane traffic interception or diversion; fraudulent data usage billed to the subscriber's account; denial of service by tearing down valid sessions.
Difficulty: Medium. Requires access to the IPX GTP path, which is available to IPX operators and potentially to parties who have compromised an IPX node.

IMSI harvesting during initial attach

Before the EPC completes authentication and assigns a Globally Unique Temporary Identifier (GUTI), a UE that has no valid GUTI for the network, or whose GUTI the MME cannot resolve, must transmit its IMSI in plaintext, either in the initial Attach Request or in a NAS Identity Response. This happens over the radio interface before any security context exists, so the identity is neither ciphered nor integrity protected.

An attacker operating a false eNodeB with a minimal MME function behind it (an LTE IMSI catcher) can position it to receive attach requests from target devices. The false network does not need to relay the attach to a real core; it only needs the Attach Request or an Identity Response to harvest the IMSI. A UE with a stored GUTI identifies itself by GUTI first, but the false network simply answers with a NAS Identity Request for the IMSI, which the UE must answer in the clear because no security context has been established yet.

Impact: Permanent subscriber identifier (IMSI) exposed. The IMSI is the key for the Diameter and GTP attacks described here and for SS7 attacks after fallback, so it enables targeted location tracking and interception without any further interaction with the device.
Difficulty: Medium. Requires LTE-capable radio hardware and sufficient signal strength to capture attach requests. Commercial IMSI catcher platforms are available.

2G/3G fallback downgrade

The majority of LTE subscribers in deployed networks retain capability to fall back to 3G or 2G. Network operators maintain multi-generation coverage for geographic completeness, and UEs are configured to fall back automatically when LTE coverage is unavailable. An attacker who can degrade LTE signal quality in a target area, through jamming, signal blocking, or exploiting radio layer conditions, can force attached UEs to fall back to 2G or 3G.

On 2G the UE attaches to an SGSN or MSC in the legacy core, where SS7 and MAP are the signalling protocols, and the full SS7 attack surface applies: location tracking via ATI or PSI, IMSI disclosure via SRI-for-SM, SMS interception, and Cancel Location denial of service. The 4G EPS-AKA security improvements are negated: on 2G the network is not authenticated at all and GSM ciphering provides no integrity protection, and on 3G, where AKA survives, the subscriber is nonetheless reachable through the SS7 core.

Impact: Full SS7 attack surface re-exposed against a subscriber who was connected via LTE. Particularly effective for targeted surveillance or for intercepting SMS 2FA codes from users assumed to be on a secured LTE network.
Difficulty: Medium. LTE jamming equipment is available; forcing fallback through interference is operationally straightforward. Detection by the operator requires monitoring for anomalous handover patterns or elevated 2G/3G attach rates in localised areas.


Mitigations

Diameter Edge Agent (DEA) with FS.19 filtering. All Diameter traffic crossing the inter-PLMN boundary, including S6a proxied via DEAs in the IPX, should be mediated by a Diameter Edge Agent implementing GSMA FS.19 category controls. The DEA validates that an incoming Diameter command originates from the realm that is authoritative for the subscriber (for HSS-originated commands such as IDR and CLR, the home realm derived from the IMSI), that the command is permitted for the sending node type and direction, and that the combination of command and subscriber context is consistent with expected roaming behaviour (an IDR for an IMSI that never registered in this network is not). Unsolicited Insert-Subscriber-Data requests from non-authoritative realms should be dropped and alerted on, and location-requesting IDRs from authoritative realms logged for review.
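A Diameter Edge Agent applying these checks to an inbound S6a request, as an added example (not TelcomIQ's or any vendor's code). It builds and parses RFC 6733 Diameter messages, derives the authoritative home realm from the IMSI per TS 23.003, and screens Insert-Subscriber-Data-Request and Cancel-Location-Request. OUR_REALM, the partner realms, the IMSIs and the inbound-roamer table are constructed; the IDR-Flags AVP code (1490, vendor 10415) and its location-request bits are quoted from TS 29.272 and should be checked against the release in use.

```python
"""Diameter Edge Agent checks on inbound S6a requests (GSMA FS.19-style filtering).

Added example, not operator or vendor code. Realm names, IMSIs and the inbound
roamer table are constructed. Command and base AVP codes are from RFC 6733 and
TS 29.272; the IDR-Flags code/bits are quoted from TS 29.272 (verify per release).
"""
import struct

APP_S6A = 16777251
CMD_ULR, CMD_CLR, CMD_IDR = 316, 317, 319
AVP_USER_NAME, AVP_DEST_REALM, AVP_ORIGIN_REALM = 1, 283, 296
VENDOR_3GPP, AVP_IDR_FLAGS = 10415, 1490
IDR_EPS_LOCATION, IDR_CURRENT_LOCATION = 1 << 3, 1 << 4   # IDR-Flags bits 3 and 4

OUR_REALM = b"epc.mnc099.mcc999.3gppnetwork.org"   # constructed visited-network realm
INBOUND_ROAMERS = {"001010000000001"}              # IMSIs we sent a ULR for (constructed)


def avp(code: int, data: bytes, vendor: int = 0) -> bytes:
    """Encode one AVP (M bit set; V bit and Vendor-Id when vendor != 0), padded to 4 octets."""
    hdr_len = 12 if vendor else 8
    out = struct.pack("!IB", code, 0x40 | (0x80 if vendor else 0)) + (hdr_len + len(data)).to_bytes(3, "big")
    if vendor:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-len(data) % 4)


def message(cmd: int, avps: list, app: int = APP_S6A, request: bool = True) -> bytes:
    """20-octet Diameter header (version 1, length, flags, code, app id, hop-by-hop, end-to-end)."""
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([0x80 if request else 0])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app, 0x1234, 0x5678) + body)


def parse(msg: bytes):
    """Return (command code, application id, is_request, {(vendor, code): data})."""
    if msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("bad Diameter header")
    cmd, app = int.from_bytes(msg[5:8], "big"), struct.unpack("!I", msg[8:12])[0]
    avps, i = {}, 20
    while i < len(msg):
        code, flags = struct.unpack("!IB", msg[i:i + 5])
        length = int.from_bytes(msg[i + 5:i + 8], "big")
        vendor = struct.unpack("!I", msg[i + 8:i + 12])[0] if flags & 0x80 else 0
        start = i + (12 if flags & 0x80 else 8)
        avps[(vendor, code)] = msg[start:i + length]
        i += length + (-length % 4)
    return cmd, app, bool(msg[4] & 0x80), avps


def home_realm(imsi: str, mnc_len: int = 2) -> bytes:
    """Home S6a realm from the IMSI (TS 23.003): epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org."""
    return f"epc.mnc{imsi[3:3 + mnc_len].zfill(3)}.mcc{imsi[:3]}.3gppnetwork.org".encode()


def dea_inspect(msg: bytes) -> str:
    cmd, app, is_request, avps = parse(msg)
    if app != APP_S6A or not is_request:
        return "pass"                                   # only S6a requests are screened here
    if avps.get((0, AVP_DEST_REALM)) != OUR_REALM:
        return "drop: Destination-Realm is not our realm"
    imsi = avps.get((0, AVP_USER_NAME), b"").decode()
    origin = avps.get((0, AVP_ORIGIN_REALM), b"").decode()
    if cmd in (CMD_IDR, CMD_CLR):
        # HSS-originated commands: only the realm that owns the IMSI may send them ...
        if not imsi or origin.encode() != home_realm(imsi):
            return f"drop: command {cmd} from {origin or '?'} not authoritative for IMSI {imsi or '?'}"
        # ... and only for subscribers we actually registered with that HSS
        if imsi not in INBOUND_ROAMERS:
            return f"drop: command {cmd} for {imsi} with no inbound roaming context"
        flags = int.from_bytes(avps.get((VENDOR_3GPP, AVP_IDR_FLAGS), b"\x00" * 4), "big")
        if cmd == CMD_IDR and flags & (IDR_EPS_LOCATION | IDR_CURRENT_LOCATION):
            return "pass: location request from authoritative HSS, logged for review"
    return "pass"


def demo() -> dict:
    imsi = "001010000000001"

    def idr(origin: bytes, target: str, flags: int = IDR_EPS_LOCATION) -> bytes:
        return message(CMD_IDR, [avp(AVP_ORIGIN_REALM, origin), avp(AVP_DEST_REALM, OUR_REALM),
                                 avp(AVP_USER_NAME, target.encode()),
                                 avp(AVP_IDR_FLAGS, struct.pack("!I", flags), VENDOR_3GPP)])

    wrong_dest = message(CMD_IDR, [avp(AVP_ORIGIN_REALM, home_realm(imsi)),
                                   avp(AVP_DEST_REALM, b"epc.mnc002.mcc002.3gppnetwork.org"),
                                   avp(AVP_USER_NAME, imsi.encode())])
    return {
        "genuine_hss": dea_inspect(idr(home_realm(imsi), imsi)),
        "rogue_realm": dea_inspect(idr(b"epc.mnc777.mcc777.3gppnetwork.org", imsi)),
        "no_context": dea_inspect(idr(home_realm("001010000000009"), "001010000000009")),
        "wrong_destination": dea_inspect(wrong_dest),
    }


if __name__ == "__main__":
    print(demo())
```

The realm check is the one that matters against the attack above: a rogue IPX participant can pick any Origin-Realm, but the realm that is entitled to send an IDR for a given IMSI is fixed by the IMSI itself, so the DEA needs no trust in the sender's claims to decide.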

IPsec on S8 GTP interfaces. The S8 interface should be protected with IPsec ESP at the boundary between the visited and home networks, as the NDS/IP model (TS 33.210) prescribes for inter-domain traffic. IPsec authenticates the GTP-C and GTP-U endpoints cryptographically, so spoofing a source IP no longer suffices to inject forged GTP messages. Operators should additionally deploy GTP-C firewalls at the S8 boundary to validate that Create Session Requests arrive from addresses listed in the partner's IR.21 data, reference IMSIs in the home operator's own ranges, concern subscribers the HSS currently places in that partner's network, and carry TEIDs that match existing sessions.

GUTI handling at the MME. The MME cannot stop a false eNodeB from asking a UE for its IMSI, because that request is made before any security context exists and the UE must comply. What the MME controls is how often legitimate procedures expose the IMSI over the air: it should reallocate GUTIs regularly so that stored identifiers remain resolvable, resolve an unknown GUTI through the MME pool and inter-MME context transfer before resorting to an Identity Request for the IMSI, and request the IMSI only when that resolution has unambiguously failed. This shrinks the fraction of attach events that carry an IMSI in the clear and makes a burst of IMSI-bearing attaches in one area an anomaly worth alerting on; removing the exposure entirely requires the concealed identifier (SUCI) that arrives with 5G SA.

2G/3G fallback controls. On networks where spectrum permits, operators should evaluate disabling 2G and 3G fallback entirely for LTE subscribers, eliminating the downgrade path. Where fallback must be retained for coverage reasons, monitoring for anomalous concentrations of 2G/3G attach events in localised areas, inconsistent with normal traffic patterns, provides detection capability for targeted jamming campaigns. Operators should also enforce minimum security algorithms (A5/3 or A5/4 for 2G; UEA2/UIA2 for 3G) to limit the damage when fallback occurs.

GTP-C firewall at roaming boundaries. Beyond IPsec, a dedicated GTP-C firewall should inspect session management messages at the S8 boundary. Validation should include: source IP against the IR.21 address list for the roaming partner; IMSI against the home operator's ranges and against the serving PLMN recorded by the HSS, so that a partner can only open sessions for subscribers actually roaming in its network; TEID continuity for existing sessions (Modify Bearer Requests that reference unknown TEIDs, or that point the user plane at an address outside the partner's GTP-U ranges, should be rejected); and rate limiting per partner to detect bulk session injection attempts.
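The S8 checks listed here and under the IPsec mitigation, as an added example (not TelcomIQ's or any vendor's firewall). It encodes and parses GTPv2-C headers and IEs per TS 29.274, then screens Create Session Requests and Modify Bearer Requests arriving at a home P-GW, including the Modify Bearer redirect from the Attack surface section. The partner address ranges stand in for IR.21 data, ROAMING_STATE for the serving PLMN the HSS learned from Update-Location and SESSIONS for the P-GW's session table; all addresses, TEIDs, IMSIs and the rate threshold are constructed.

```python
"""GTPv2-C screening at the S8 boundary, home P-GW side (message layout per TS 29.274).

Added example, not vendor firewall code. PARTNERS stands in for IR.21 address
data, ROAMING_STATE for the HSS's view of the serving PLMN, SESSIONS for the
P-GW session table. Addresses, TEIDs, IMSIs and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict, deque

CREATE_SESSION_REQ, MODIFY_BEARER_REQ = 32, 34
IE_IMSI, IE_EBI, IE_FTEID, IE_BEARER_CTX = 1, 73, 87, 93
IF_S5S8_SGW_U, IF_S5S8_SGW_C = 4, 6          # F-TEID interface type values

PARTNERS = {"26201": {"c": ipaddress.ip_network("10.20.0.0/24"),     # constructed IR.21 stand-in
                      "u": ip_network if False else ipaddress.ip_network("10.21.0.0/24")}}
HOME_PLMNS = {"00101"}
ROAMING_STATE = {"001010000000001": "26201"}                          # IMSI -> serving PLMN (HSS)
SESSIONS = {0x1111: {"imsi": "001010000000001", "partner": "26201"}}  # P-GW S8 C-TEID -> session
CSR_WINDOW = defaultdict(deque)
CSR_LIMIT, CSR_PERIOD = 5, 1.0                                        # constructed threshold


def tbcd(digits: str) -> bytes:
    """IMSI digits to TBCD: low nibble first, 0xF pad for odd length."""
    digits += "F" * (len(digits) % 2)
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def untbcd(b: bytes) -> str:
    return "".join(f"{x & 0xF:x}{x >> 4:x}" for x in b).rstrip("f")


def ie(t: int, value: bytes, instance: int = 0) -> bytes:
    """IE: type, 2-octet length, spare/instance, value."""
    return bytes([t]) + len(value).to_bytes(2, "big") + bytes([instance]) + value


def fteid(iface: int, teid: int, ip: str, instance: int = 0) -> bytes:
    """F-TEID IE: V4 flag | interface type, TEID, IPv4 address."""
    return ie(IE_FTEID, bytes([0x80 | iface]) + teid.to_bytes(4, "big") + ipaddress.IPv4Address(ip).packed, instance)


def gtpv2(msg_type: int, teid: int, seq: int, body: bytes) -> bytes:
    """GTPv2-C header with T flag (0x48): length counts everything after the first 4 octets."""
    return bytes([0x48, msg_type]) + (8 + len(body)).to_bytes(2, "big") + teid.to_bytes(4, "big") + seq.to_bytes(3, "big") + b"\x00" + body


def parse_ies(buf: bytes) -> list:
    out = []
    while buf:
        t, ln, inst = buf[0], int.from_bytes(buf[1:3], "big"), buf[3] & 0x0F
        val = buf[4:4 + ln]
        out.append((t, inst, parse_ies(val) if t == IE_BEARER_CTX else val))   # grouped IE
        buf = buf[4 + ln:]
    return out


def parse(pkt: bytes) -> dict:
    if pkt[0] >> 5 != 2 or not pkt[0] & 0x08:
        raise ValueError("not a GTPv2-C message carrying a TEID")
    return {"type": pkt[1], "teid": int.from_bytes(pkt[4:8], "big"), "ies": parse_ies(pkt[12:])}


def find(ies: list, t: int):
    return next((v for tt, _, v in ies if tt == t), None)


def partner_for(src_ip: str):
    ip = ipaddress.ip_address(src_ip)
    return next((p for p, r in PARTNERS.items() if ip in r["c"]), None)


def inspect(src_ip: str, pkt: bytes, now: float) -> str:
    m, partner = parse(pkt), partner_for(src_ip)
    if partner is None:
        return "drop: source address not in any partner's IR.21 GTP-C range"
    if m["type"] == CREATE_SESSION_REQ:
        win = CSR_WINDOW[partner]
        while win and now - win[0] >= CSR_PERIOD:
            win.popleft()
        win.append(now)
        if len(win) > CSR_LIMIT:
            return f"drop: Create Session Request rate limit exceeded for {partner}"
        imsi = untbcd(find(m["ies"], IE_IMSI) or b"")
        if imsi[:5] not in HOME_PLMNS:               # 2-digit MNC assumed for the constructed PLMNs
            return f"drop: IMSI {imsi or '?'} is not a home subscriber"
        if ROAMING_STATE.get(imsi) != partner:
            return f"drop: HSS does not place {imsi} in PLMN {partner}"
        return "accept"
    if m["type"] == MODIFY_BEARER_REQ:
        sess = SESSIONS.get(m["teid"])
        if sess is None or sess["partner"] != partner:
            return "drop: TEID unknown or not owned by this partner"
        bearer = find(m["ies"], IE_BEARER_CTX) or []
        new = next((v for t, _, v in bearer if t == IE_FTEID and v[0] & 0x3F == IF_S5S8_SGW_U), None)
        if new is None:
            return "drop: Modify Bearer Request without S5/S8-U S-GW F-TEID"
        new_ip = ipaddress.IPv4Address(new[5:9])
        if new_ip not in PARTNERS[partner]["u"]:
            return f"drop: user plane would be redirected to {new_ip}, outside {partner}'s GTP-U range"
        return "accept"
    return "accept"    # other message types are out of scope for this example


def demo() -> dict:
    t = 100.0
    ctl = fteid(IF_S5S8_SGW_C, 0xA001, "10.20.0.5")
    csr = gtpv2(CREATE_SESSION_REQ, 0, 1, ie(IE_IMSI, tbcd("001010000000001")) + ctl)
    csr_other = gtpv2(CREATE_SESSION_REQ, 0, 2, ie(IE_IMSI, tbcd("001010000000002")) + ctl)

    def mbr(teid: int, ip: str) -> bytes:   # instance 1 for the bearer F-TEID, as constructed here
        return gtpv2(MODIFY_BEARER_REQ, teid, 3, ie(IE_BEARER_CTX, ie(IE_EBI, b"\x05") + fteid(IF_S5S8_SGW_U, 0xB002, ip, 1)))

    return {
        "legit_csr": inspect("10.20.0.5", csr, t),
        "unknown_source": inspect("203.0.113.9", csr, t),
        "not_roaming_there": inspect("10.20.0.5", csr_other, t),
        "legit_mbr": inspect("10.20.0.5", mbr(0x1111, "10.21.0.9"), t),
        "redirect_mbr": inspect("10.20.0.5", mbr(0x1111, "198.51.100.7"), t),
        "unknown_teid": inspect("10.20.0.5", mbr(0x9999, "10.21.0.9"), t),
        "flood": [inspect("10.20.0.5", csr, t + 0.1 * i) for i in range(6)][-1],
    }


if __name__ == "__main__":
    print(demo())
```

The redirect case shows why TEID continuity alone is not enough: the attacker's Modify Bearer Request can carry a perfectly valid TEID if it was sniffed on the IPX, so the firewall also has to confine the new user plane endpoint to the partner's published GTP-U ranges.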


Spec references

  • 3GPP TS 23.401: The primary architecture specification for the EPC. Clause 4 defines the overall architecture, node functions, and reference points. Clause 5 defines the procedures: attach, detach, tracking area update, handover, and bearer management. This is the normative reference for understanding EPC structure and how its components interact.

  • 3GPP TS 33.401: The EPC security architecture specification. Clause 5 lists the security features, clause 6 specifies EPS-AKA, the key hierarchy and the handling of security contexts, clause 7 covers the access stratum security procedures, and later clauses cover network domain protection of the control plane and backhaul user plane links between nodes. Annex A gives the key derivation functions (KASME, KeNB, NAS and AS algorithm keys). This is the normative reference for EPS-AKA and the key derivation hierarchy.

  • 3GPP TS 29.272: The normative specification for the S6a Diameter interface between the MME and HSS, and the S13 interface between MME and EIR. Defines the Diameter application, command codes, and AVPs used for authentication information retrieval, subscriber data management (including Insert-Subscriber-Data and its IDR-Flags), and location cancellation. Essential reference for understanding the Diameter attack surface on the S6a interface.


The EPC is the control and data plane for 4G. Its constituent nodes, MME, HSS, S-GW, P-GW, and PCRF, are covered as separate topics with per-node interface and security detail.

The two protocols that carry EPC control signalling are Diameter, which handles subscriber management and policy, and GTP-C, which manages session and bearer state between core nodes. GTP-U carries subscriber IP traffic on the user plane between eNodeB, S-GW, and P-GW.

For the roaming dimension, see Roaming architecture for the full inter-PLMN connectivity model, and S8 Home Routing for the specific architecture of the visited S-GW to home P-GW path.

The EPC's successor architectures are 5G NSA, which extends the EPC with 5G NR radio while retaining the EPC core, and 5G SA, where the EPC is fully replaced by the 5G Core.

For the security dimension, see Diameter attacks for the attack taxonomy applicable to S6a and Gx, and SS7 attacks for the legacy attack surface that remains accessible via the 2G/3G fallback path.