Overview
5G Non-Standalone (NSA) is the deployment architecture defined in 3GPP Release 15 that brought 5G New Radio to commercial networks without requiring a new core. Specified under Option 3 (and its variants Option 3a and Option 3x), NSA couples a 5G NR secondary radio layer to an existing 4G LTE control plane and Evolved Packet Core, allowing operators to offer NR throughput to subscribers while the MME, S-GW, P-GW, HSS, and PCRF continue to handle every aspect of session management, authentication, and policy exactly as they did before 5G existed.
The architectural choice was pragmatic and nearly universal. Most major operators launched commercial 5G using NSA because the economics were compelling: existing EPC infrastructure required no modification, existing SIM cards continued to work, and the NR radio layer could be deployed on new spectrum independently of any core upgrade programme. The LTE eNodeB serves as the Master Node, maintaining the S1-MME control plane connection to the EPC. The 5G en-gNB acts as a Secondary Node, added dynamically via the X2 interface and providing additional radio capacity for data. The UE maintains simultaneous connections to both radio nodes, a configuration known as EN-DC, E-UTRA NR Dual Connectivity.
The security consequence of this architecture is direct and unavoidable. NSA is 4G EPC with a faster radio. Every protocol-level vulnerability in the 4G Diameter interfaces, every GTP exposure at the roaming boundary, every IMSI leak inherent to the 4G NAS stack: all of it carries forward unchanged into an NSA network. The 5G NR radio interface offers marginally stronger cipher suite support, but that is the extent of any security improvement. The control plane, the identity management, the roaming architecture, and the interconnect exposure are identical to a pure LTE deployment. Understanding NSA security is therefore largely an exercise in understanding 4G EPC security, applied to a network that operators and regulators may incorrectly assume has been upgraded.
How it works
The NSA architecture is anchored by the Option 3 family of configurations, each differing in how user plane traffic is routed between the radio nodes and the core.
Option 3, 3a, and 3x:
In the baseline Option 3, the LTE eNB terminates the S1-U GTP-U tunnel from the S-GW and forwards NR-destined traffic to the en-gNB over the X2 interface. The en-gNB has no direct interface to the core. In Option 3a, both the eNB and en-gNB hold direct S1-U GTP-U tunnels to the S-GW: the core delivers split bearers directly to each node. Option 3x, the most widely deployed variant, places the PDCP-layer bearer split at the en-gNB: the en-gNB holds the S1-U tunnel and distributes traffic between its own NR cells and the LTE path via X2. This provides the most efficient NR throughput path and is what most operators mean when they refer to NSA 5G in their commercial networks.
Authentication and registration:
A UE attaching to an NSA network follows the standard 4G EPS-AKA attach procedure. The attach request travels from the eNB to the MME over S1-MME. The MME queries the HSS via the Diameter S6a interface to retrieve authentication vectors. The HSS runs MILENAGE and returns AV tuples. The MME challenges the UE with RAND and AUTN. There is no 5G NAS, no AUSF, no UDM, and no 5G-AKA. The HSS handles all authentication and the MME handles all NAS session management. The resulting EPS security context (KeNB and its derivatives) is used for both the LTE and NR radio interfaces.
Secondary cell addition:
Once the UE has attached and the LTE bearer is established, the network can add the 5G NR secondary cell. The MME sends a UE Context Modification message to the serving eNB, indicating that NR capability is authorised. The eNB sends an SgNB Addition Request to the en-gNB over X2-AP, including the UE's radio capabilities and the requested bearer configuration. The en-gNB responds with its GTP-U TEID for the new S-GW bearer (in Option 3x) or for the X2-forwarded path (in Option 3). The eNB then sends a UE Context Modification to the UE via RRC, instructing it to configure the NR secondary cell. The UE performs NR cell synchronisation and the dual-connectivity configuration becomes active. From this point the radio scheduler decides which bearers are delivered over LTE and which over NR based on load and radio conditions.
NR radio security:
The NR PDCP and RRC layers use security keys derived from the existing KeNB via the 4G key hierarchy. The eNB generates S-KeNB and delivers it to the en-gNB over X2 at the time of secondary node addition. RRC integrity and encryption are applied on the NR path using 128-bit or 256-bit algorithms. The NR radio security is therefore sound at the air interface level, but it rests on a key hierarchy rooted in a 4G EPS security context, with no contribution from the 5G security architecture.
Architecture role
NSA occupies the boundary between two architectural eras. It is, precisely, 4G EPC with a 5G radio overlay: the core is unmodified LTE, the RAN is dual-generation, and the UE must support both LTE and NR simultaneously. The MME remains the NAS anchor. The S-GW remains the user plane gateway. The HSS remains the subscriber database. None of these nodes are aware that the UE is using 5G radio; from the EPC's perspective, it is a standard LTE subscriber.
The en-gNB has no direct signalling relationship with any EPC node. All coordination between the NR radio layer and the core flows through the LTE eNB master node. This means that the 5G radio network cannot independently trigger core procedures, cannot perform 5G-specific authentication, and cannot implement any 5G core security feature. The X2 interface, designed originally for LTE inter-eNB handover coordination, has been extended by the EN-DC specifications to carry the SgNB addition, modification, and release procedures that manage the NR secondary node lifecycle.
NSA deployment enabled operators to activate 5G NR spectrum (both sub-6GHz bands and mmWave) without waiting for 5G Core readiness. In practice, this meant that the first two to three years of commercial 5G, from 2019 onward, delivered NR throughput improvements to subscribers who remained attached to an entirely unmodified 4G EPC. The migration path from NSA to SA requires deploying a full 5G Core (AMF, SMF, UPF, AUSF, UDM) and migrating subscriber profiles from HSS to UDR. During the transition, Option 4 and Option 7 configurations allow the 5G Core to coexist with LTE radio, providing an incremental path that does not require a hard cutover.
Key interfaces
| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| X2 | eNB ↔ en-gNB | X2AP | Dual connectivity setup and coordination |
| S1-MME | eNB ↔ MME | S1AP | Control plane (LTE anchor to EPC) |
| S1-U | eNB ↔ S-GW | GTP-U | LTE user plane bearer |
| S1-U | en-gNB ↔ S-GW | GTP-U | NR user plane bearer via S-GW |
| Xn | eNB ↔ en-gNB | XnAP | Next-generation X2 (later NSA variants) |
Security posture
NSA provides no meaningful security improvements over 4G EPC from a core network perspective. The security architecture is identical to LTE: the same trust model, the same protocol stack, the same interfaces, and the same vulnerabilities. A security engineer assessing an NSA network must apply the full 4G EPC threat model without discount; the 5G NR radio layer does not change the core exposure.
The most significant missing capability relative to 5G SA is SUCI, the Subscription Concealed Identifier. In 5G SA, the UE encrypts its permanent identifier (SUPI, the 5G successor to IMSI) using the home network's public key before transmitting it over the air. NSA has no such mechanism. The UE uses the IMSI directly in the 4G NAS attach procedure, and an IMSI catcher capable of impersonating an LTE base station can capture the IMSI exactly as it could against a pure 4G network.
At the roaming boundary, NSA operators expose the same S8/GTP and Diameter interconnect as 4G. There is no SEPP, the Security Edge Protection Proxy introduced in 5G SA to mediate inter-PLMN HTTP/2 signalling. Roaming traffic transits the IPX interconnect using the same GTP-C and Diameter paths, with the same exposure to manipulation by parties with IPX access.
The X2 and Xn interfaces between eNB and en-gNB represent a new interface in the RAN that requires appropriate integrity protection. Misconfiguration of secondary node addition procedures or unauthenticated X2 peering creates a surface for unauthorised manipulation of dual-connectivity configurations, potentially forcing UEs onto degraded single-radio paths.
Attack surface
Diameter S6a attacks via inherited 4G EPC core
The MME connects to the HSS over the Diameter S6a interface identically to a pure LTE deployment. The complete taxonomy of 4G Diameter attacks (subscriber location disclosure via Cancel Location and Insert Subscriber Data, policy bypass via Gx manipulation, forced deregistration) applies without modification. NSA introduces no Diameter filtering, no additional authentication of Diameter peers, and no restriction on the operations that can be requested. Every operator running NSA is exposed to the Diameter attack surface in full.
Impact: Subscriber location tracking, forced deregistration, policy and charging bypass.
Difficulty: Same as 4G EPC; requires Diameter interconnect access or a compromised roaming partner.
GTP tunnel manipulation at the S8 roaming interface
NSA operators with international roaming agreements expose the S8 interface between the visited P-GW and the home P-GW using GTP-U and GTP-C, identical to 4G. The absence of SEPP means there is no TLS-based mediation of inter-PLMN signalling at the roaming boundary. An attacker with access to the IPX interconnect can attempt GTP-C injection to manipulate session parameters, craft GTP-U traffic to inject into established tunnels, or perform tunnel hijacking by replaying or forging Modify Bearer Requests.
Impact: User plane traffic manipulation, session hijacking, potential data exfiltration for targeted subscribers.
Difficulty: Requires IPX network access; tooling for GTP manipulation is publicly documented.
IMSI exposure: no SUCI in the NSA NAS stack
Because NSA uses the 4G EPS-AKA authentication procedure and the 4G NAS stack, there is no mechanism to conceal the subscriber's permanent identifier before transmission. When a UE cannot present a valid GUTI (on first attach, after a GUTI invalidation, or after a network reset), the MME requests the IMSI in plaintext over the air. A device impersonating an LTE eNodeB (an IMSI catcher) can trigger this condition and capture the IMSI. Commercial hardware capable of performing this attack is available. The 5G NR radio provides no protection against this attack because NAS-layer identity management occurs at the LTE anchor.
Impact: Permanent subscriber identifier (IMSI) disclosed; enables targeted tracking and further attacks.
Difficulty: Medium; commercial IMSI catcher hardware is available and well-documented.
LTE anchor downgrade to full legacy attack surface
NSA dual-connectivity depends entirely on the LTE anchor eNB remaining operational. An attacker who can force the LTE anchor to drop the UE (through a radio-layer denial of service, a spoofed RRC Release, or an SS7-triggered core deregistration) removes the 5G NR connection simultaneously, since the en-gNB has no independent path to the core. The UE then falls back to LTE-only. If the LTE layer is also disrupted or jammed, the UE falls to 3G or 2G where available, re-exposing it to the full SS7 and UMTS attack surface. NSA provides no mechanism to prevent or detect this cascade.
Impact: Full re-exposure to LTE and legacy attack surfaces; effective 5G downgrade without subscriber awareness.
Difficulty: Radio-layer disruption is medium difficulty; core-triggered deregistration via SS7 is low to medium.
Mitigations
The foundational principle governing NSA security is that no mitigation specific to the 5G NR radio layer substitutes for the full set of 4G EPC defences. Every control that applies to a pure LTE network applies identically to an NSA deployment, without exception.
At the Diameter layer, operators must deploy a Diameter Edge Agent on the S6a interface with filtering rules aligned to GSMA FS.19 categories. The NSA core is EPC-identical, so the FS.19 control framework applies directly: block unsolicited Insert-Subscriber-Data and Cancel-Location from roaming partners, validate Origin-Host and Origin-Realm against IR.21 data, and alert on anomalous query volumes from specific interconnect peers. A Diameter firewall sized and configured for a 4G network provides exactly the correct level of protection for an NSA network.
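The three edge-agent controls named above, as an added sketch (not code from any Diameter product or from GSMA FS.19). The IR.21 table, peer names, rate budget and sample requests are constructed, and "unsolicited" is assumed here to mean an Insert-Subscriber-Data or Cancel-Location for an IMSI that does not belong to the sending partner.

```python
from collections import Counter

# Constructed IR.21-style table: interconnect peer -> registered realm and IMSI prefixes.
A = "epc.mnc001.mcc001.3gppnetwork.org"
B = "epc.mnc002.mcc001.3gppnetwork.org"
IR21 = {
    "peer-a": {"realm": A, "imsi_prefixes": ("00101",)},
    "peer-b": {"realm": B, "imsi_prefixes": ("00102",)},
}
CLR, ISD = 317, 319  # S6a command codes: Cancel-Location, Insert-Subscriber-Data
NAMES = {CLR: "Cancel-Location", ISD: "Insert-Subscriber-Data"}
RATE_LIMIT = 2  # hypothetical per-peer request budget per window


def check(msg):
    """Return (verdict, reason) for one inbound S6a request at the edge agent."""
    entry = IR21.get(msg["peer"])
    if entry is None:
        return "drop", "unknown interconnect peer"
    if msg["origin_realm"] != entry["realm"]:
        return "drop", "Origin-Realm not registered for this peer"
    if not msg["origin_host"].endswith("." + entry["realm"]):
        return "drop", "Origin-Host outside Origin-Realm"
    # ISD/CLR are only expected from the HSS that owns the subscriber.
    if msg["code"] in NAMES and not msg["imsi"].startswith(entry["imsi_prefixes"]):
        return "drop", "unsolicited " + NAMES[msg["code"]]
    return "forward", "ok"


def evaluate(window):
    """Filter one window of requests and list peers over the volume budget."""
    verdicts = [check(m) for m in window]
    volume = Counter(m["peer"] for m in window)
    return verdicts, sorted(p for p, n in volume.items() if n > RATE_LIMIT)


def _m(peer, host, realm, code, imsi):
    return dict(peer=peer, origin_host=host, origin_realm=realm, code=code, imsi=imsi)


SAMPLE = [  # constructed requests
    _m("peer-a", "hss1." + A, A, ISD, "001010000000001"),  # partner's own subscriber
    _m("peer-a", "hss1." + A, A, CLR, "001020000000007"),  # IMSI of another PLMN
    _m("peer-a", "hss1." + B, A, ISD, "001010000000001"),  # host outside claimed realm
    _m("peer-b", "hss9." + A, A, ISD, "001010000000001"),  # realm not peer-b's
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```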
For roaming exposure, operators should apply GTP-C filtering at the S8 boundary, restricting Create Session Request and Modify Bearer Request messages to expected roaming partner address ranges, and validating TEID values against established session state. This is unchanged from 4G GTP hardening practice.
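A stateful version of that S8 check, as an added sketch rather than a GTP firewall's actual logic. The partner ranges are constructed documentation prefixes, and binding each TEID to the single peer address that created the session is a simplifying assumption.

```python
import ipaddress

CREATE_SESSION_REQ, MODIFY_BEARER_REQ = 32, 34  # GTPv2-C message types
# Constructed partner ranges (documentation prefixes), standing in for IR.21 data.
PARTNER_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]


class S8Filter:
    """Stateful check applied before GTP-C reaches the home P-GW (sketch)."""

    def __init__(self):
        self.sessions = {}      # local TEID -> peer address that created the session
        self._next_teid = 0x1000

    def _from_partner(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in PARTNER_RANGES)

    def handle(self, src, msg_type, teid=0):
        """Return (verdict, teid); teid is the local TEID bound to the session."""
        if msg_type not in (CREATE_SESSION_REQ, MODIFY_BEARER_REQ):
            return "not-inspected", teid
        if not self._from_partner(src):
            return "drop: source outside partner ranges", teid
        if msg_type == CREATE_SESSION_REQ:
            teid, self._next_teid = self._next_teid, self._next_teid + 1
            self.sessions[teid] = src
            return "forward", teid
        owner = self.sessions.get(teid)
        if owner is None:
            return "drop: TEID has no established session", teid
        if owner != src:
            return "drop: TEID belongs to a different peer", teid
        return "forward", teid


def demo():
    """Run constructed requests through the filter and return the verdicts."""
    f = S8Filter()
    _, teid = f.handle("192.0.2.10", CREATE_SESSION_REQ)
    return [
        f.handle("192.0.2.10", MODIFY_BEARER_REQ, teid)[0],     # same peer, live TEID
        f.handle("198.51.100.9", MODIFY_BEARER_REQ, teid)[0],   # other partner, same TEID
        f.handle("192.0.2.10", MODIFY_BEARER_REQ, 0xDEAD)[0],   # unknown TEID
        f.handle("203.0.113.5", CREATE_SESSION_REQ)[0],         # not a partner address
        f.handle("198.51.100.200", CREATE_SESSION_REQ)[0],      # outside the /25
    ]
```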
NAS security configuration should enforce a minimum of 4G EPS integrity and encryption in the NAS Security Mode Command. Where coverage permits, disabling 2G and 3G fallback eliminates the most severe legacy downgrade paths. This must be balanced against coverage obligations but should be treated as the default where rural fallback is not required.
The X2 and Xn interfaces between eNB and en-gNB should be monitored for anomalous secondary node addition and release patterns. Unusual volumes of SgNB Addition Request failures, rapid secondary node cycling, or addition requests targeting UEs that are not in dual-connectivity capable states are indicators of configuration manipulation or reconnaissance activity.
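The three indicators listed above, checked over an X2AP event log, as an added example that is not from any vendor tool. The log line format, the EN-DC capability set and all thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed X2AP event log: "<seconds> <eNB> <UE> <event> <result>" (assumed format).
LOG = """\
100 enb1 ue7 SgNBAdditionRequest ack
105 enb1 ue7 SgNBRelease ok
110 enb1 ue7 SgNBAdditionRequest ack
114 enb1 ue7 SgNBRelease ok
118 enb1 ue7 SgNBAdditionRequest ack
200 enb2 ue3 SgNBAdditionRequest reject
201 enb2 ue4 SgNBAdditionRequest reject
203 enb2 ue5 SgNBAdditionRequest reject
300 enb1 ue9 SgNBAdditionRequest ack
"""
ENDC_CAPABLE = {"ue3", "ue4", "ue5", "ue7"}  # constructed capability state
CYCLE_WINDOW, CYCLE_MAX = 60, 2              # hypothetical: >2 additions in 60 s
FAIL_MAX = 2                                 # hypothetical: >2 rejects per eNB


def analyse(log, capable=ENDC_CAPABLE):
    """Return sorted (indicator, subject) findings for one log extract."""
    adds = defaultdict(list)   # UE -> timestamps of recent addition requests
    fails = defaultdict(int)   # eNB -> count of rejected additions
    findings = set()
    for line in log.splitlines():
        ts, enb, ue, event, result = line.split()
        if event != "SgNBAdditionRequest":
            continue
        ts = int(ts)
        if ue not in capable:
            findings.add(("not-endc-capable", ue))
        if result == "reject":
            fails[enb] += 1
        # Keep only additions inside the sliding window, then add this one.
        adds[ue] = [t for t in adds[ue] if ts - t <= CYCLE_WINDOW] + [ts]
        if len(adds[ue]) > CYCLE_MAX:
            findings.add(("rapid-cycling", ue))
    findings.update(("addition-failures", e) for e, n in fails.items() if n > FAIL_MAX)
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyse(LOG):
        print(finding)
```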
The correct long-term mitigation for the structural security limitations of NSA (the absence of SUCI, the absence of SEPP, the full inheritance of the 4G Diameter and GTP attack surface) is migration to 5G SA. 5G Standalone introduces SUCI-based identity concealment at the NAS layer, SEPP-mediated inter-PLMN signalling that replaces the exposed Diameter and GTP roaming path, and a 5G-AKA authentication procedure that provides superior key separation and home network confirmation. NSA should be treated as a transitional architecture with a defined end state, not a permanent deployment model.
Spec references
- TS 37.340: The normative specification for EN-DC dual connectivity. Section 4 defines the architecture options (Option 3, 3a, and 3x) and the roles of Master Node and Secondary Node. Section 10 covers bearer management, including the split bearer configurations that distinguish Option 3x from its variants. This is the primary reference for understanding how NR is added as a secondary cell.
- TS 33.401: The operative security specification for NSA, because the core is EPC-based. TS 33.401 defines the EPS security architecture: EPS-AKA, the KeNB derivation hierarchy, NAS security mode procedures, and AS security. Since NSA does not use any 5G SA security features, TS 33.501 is supplementary at best; TS 33.401 is the document that governs NSA security in full.
- TS 36.300: The overall E-UTRA and E-UTRAN description. Relevant to NSA for its specification of the X2 interface framework, the LTE RRC procedures that are extended for dual connectivity, and the S1 interface architecture that remains unchanged in NSA deployments.
Related topics
NSA sits directly between 4G EPC and 5G SA in the evolutionary sequence. Its security posture is governed entirely by the 4G EPC architecture: the MME and S-GW remain the operative core nodes, and the Diameter and GTP interfaces they expose are unchanged.
For the Diameter attack surface that NSA fully inherits, see Diameter and the Diameter attacks topic. For the GTP-U exposure at the roaming and user plane boundaries, see GTP-U. For the security improvements that NSA deliberately forgoes (SUCI, SEPP, 5G-AKA), see 5G security and 5G SA.
Specifications
- TS 37.340: Evolved Universal Terrestrial Radio Access (E-UTRA) and NR; Multi-connectivity (3GPP)
- TS 33.401: 3GPP System Architecture Evolution (SAE): Security architecture (3GPP)
- TS 36.300: Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description (3GPP)