Overview
The PGW (PDN Gateway) is the terminal point of the 4G user plane and the anchor of the subscriber's IP session. It is where the mobile core meets the internet: subscriber traffic arrives from the SGW on S5/S8 inside GTP-U tunnels, the PGW terminates those tunnels, allocates and routes the subscriber's IP address, enforces policy, and forwards plain IP packets to and from the PDN on the SGi interface. Every byte of a subscriber's data session exits and enters the core through the PGW.
The PGW carries the Policy and Charging Enforcement Function (PCEF). This means it is responsible for applying the QoS and charging rules that the PCRF determines on the Gx interface. When a UE establishes a PDN connection, the PGW immediately opens a Gx session with the PCRF (a Diameter CCR-Initial), receives PCC rules in the CCA response, and applies those rules to the bearer: rate limiting, DSCP marking, traffic detection for charging, and flow gating. During the session, the PCRF can push updated rules to the PGW at any time via a Re-Authorization Request (RAR), and the PGW applies them without any signalling back to the UE or MME.
The PGW also handles charging. For prepaid subscribers, it communicates with the Online Charging System (OCS) via Gy, a Diameter Credit-Control interface. The PGW requests charging units for a subscriber's traffic; the OCS grants a quota; the PGW counts usage and requests additional units before the quota expires. If the OCS denies a quota request (subscriber out of balance), the PGW gates the bearer closed. For postpaid subscribers, the PGW generates Charging Data Records (CDRs) offline and delivers them to the Offline Charging System (OFCS) via the Gz interface.
The PGW superseded the GGSN from 3G GPRS. Where the GGSN used GTP version 1 and connected directly to the SGSN, the PGW uses GTPv2-C with the SGW as an intermediary. The SGi interface (PGW to PDN) replaced the Gi interface (GGSN to internet) in name only; both are plain IP routing interfaces.
How it works
PDN session establishment and Gx session creation
The PGW is the final destination of the Create Session Request chain that originates at the MME.
- The MME sends Create Session Request to the SGW on S11 (GTPv2-C).
- The SGW forwards a Create Session Request to the PGW on S5 (or S8 in roaming). The message contains the IMSI, APN, Bearer QoS, SGW's S5 TEID, and the subscriber's MSISDN.
- The PGW opens a Gx session with the PCRF by sending a Diameter CCR-Initial. The CCR carries subscriber identity (IMSI, MSISDN), the APN, the requested QoS, and the access type (LTE).
- The PCRF evaluates applicable PCC rules from the subscriber's profile and any pre-provisioned rules for the APN. It returns a Diameter CCA with the PCC rule set: default bearer QoS (QCI and ARP), any dedicated bearer triggers, charging rules (rating group, reporting level), and any traffic steering rules.
- If online charging is required, the PGW opens a Gy session with the OCS (CCR-Initial). The OCS returns an initial quota grant.
- The PGW allocates a UE IP address from its local pool (or via external DHCP for enterprise APNs) and creates its internal bearer context.
- The PGW returns a Create Session Response to the SGW with the allocated UE IP, the PGW's S5 TEID, and the default bearer QoS. The chain propagates back to the MME and ultimately to the UE.
Dedicated bearer creation
Default bearers carry all traffic for an APN with a single QoS class. Dedicated bearers carry specific traffic flows (VoLTE media, for example) with guaranteed bitrate QoS separate from the best-effort default.
- The PCRF sends a Diameter RAR to the PGW on Gx, requesting a new dedicated bearer (via Charging-Rule-Install or QoS-Rule-Install AVPs carrying GBR QoS and a traffic flow template).
- The PGW initiates a Create Bearer Request toward the SGW on S5/S8, carrying the new bearer's QoS parameters and the traffic flow template (TFT), the 5-tuple filter that classifies traffic into this bearer.
- The SGW forwards the Create Bearer Request to the MME. The MME activates the dedicated radio bearer with the eNB via S1AP.
- On success, the PGW installs the TFT and GBR QoS in its bearer enforcement engine. Traffic matching the TFT is treated with the dedicated bearer's QoS.
Online charging via Gy (DCCA)
For prepaid subscribers, the PGW's PCEF performs Diameter Credit Control via Gy.
- On session start, the PGW sends a CCR-Initial to the OCS, requesting units for the initial quota period.
- The OCS consults the subscriber's balance and returns a CCA-Initial with a granted units quota (time or volume).
- The PGW counts usage against the quota. When approaching the threshold, it sends CCR-Update requesting the next quota. The OCS grants or denies.
- If denied (subscriber balance exhausted), the PGW closes the bearer: either the full PDN connection or only the affected charging key, depending on policy.
- On session end, the PGW sends CCR-Terminate with final usage counts.
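To make the quota loop above concrete, here is an added Python model of the PGW side of the Gy exchange (constructed for this page, not vendor or 3GPP code): the OCS stub, the balance figures and the 80% re-request threshold are assumptions, and the session is gated closed both when the OCS denies a grant and, going one step beyond the list above, when the OCS cannot be reached and the PGW is configured fail-closed.

```python
from dataclasses import dataclass
# Constructed model of the PGW's Gy credit-control loop for one rating group (not
# vendor code). CC-Request-Type uses the Diameter values 1/2/3; units are bytes.
INITIAL, UPDATE, TERMINATE = 1, 2, 3

class OcsStub:
    """Constructed OCS stand-in: a prepaid balance handed out in fixed quotas."""
    def __init__(self, balance, quota=1_000_000, reachable=True):
        self.balance, self.quota, self.reachable = balance, quota, reachable

    def credit_control(self, request_type, used):
        if not self.reachable:
            raise TimeoutError("Gy request timed out")
        self.balance -= used                 # settle the reported Used-Service-Unit
        if request_type == TERMINATE or self.balance <= 0:
            return 0                         # no Granted-Service-Unit
        return min(self.quota, self.balance)

@dataclass
class GySession:
    ocs: OcsStub
    fail_open: bool = False    # vendor-default style: grant credit while the OCS is down
    threshold: float = 0.8     # send CCR-Update once this fraction of the grant is used
    granted: int = 0
    used: int = 0
    gated: bool = False

    def _request(self, request_type):
        try:
            grant = self.ocs.credit_control(request_type, self.used)
        except TimeoutError:
            grant = self.ocs.quota if self.fail_open else 0   # fail-closed gates the bearer
        self.used, self.granted, self.gated = 0, grant, grant == 0
        return grant

    def start(self):           # CCR-Initial at PDN connection setup
        return self._request(INITIAL) > 0

    def account(self, nbytes):
        """Count user-plane bytes; returns False once the bearer is gated closed."""
        if self.gated:
            return False
        self.used += nbytes
        if self.used >= self.threshold * self.granted:
            self._request(UPDATE)            # CCR-Update before the quota runs out
        return not self.gated

    def stop(self):            # CCR-Terminate reports final usage; session is over
        self._request(TERMINATE)
        self.gated = True
```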
Architecture role
The PGW is the PDN anchor: the IP address allocated here follows the UE through all intra-LTE mobility. As the UE moves between eNBs and the SGW path is updated, the PGW does not move. This makes it the natural enforcement point: it sees all traffic regardless of which eNB or SGW is currently serving the UE.
In 4G EPC: The PGW is the termination point of the GTP-U tunnel chain eNB → SGW → PGW. It connects to the PDN (internet or enterprise) on SGi. It enforces PCRF policy on Gx and handles charging.
Compared to GGSN: The GGSN performed the same role in 3G GPRS: PDN anchor, IP allocation, Gi interface to internet. The PGW replaces the Gn/Gp GTPv1-C interface with the S5/S8 GTPv2-C interface and adds the Gx Diameter interface to the PCRF for dynamic PCC.
In 5G SA: The PGW's control plane functions (IP allocation, policy via Gx, charging via Gy) were absorbed by the SMF. The PGW's user plane functions (GTP-U termination, IP routing, traffic enforcement) were absorbed by the UPF.
The PGW-U/PGW-C CUPS split (Release 14) was the immediate precursor to the 5G SMF/UPF architecture; the same PFCP protocol on the Sxb interface between PGW-C and PGW-U became the N4 interface between SMF and UPF.
Key interfaces
| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| S5 | PGW ↔ SGW | GTPv2-C + GTP-U | Same-operator PDN connection control and data |
| S8 | PGW ↔ SGW | GTPv2-C + GTP-U | Roaming PDN connection (home PGW to visited SGW) |
| SGi | PGW ↔ PDN | IP | PDN connectivity: internet or enterprise DN |
| Gx | PGW ↔ PCRF | Diameter | PCC rule delivery: QoS, charging, traffic steering |
| Gy | PGW ↔ OCS | Diameter (DCCA) | Online charging: credit control for prepaid |
| Gz | PGW ↔ OFCS | Diameter | Offline charging: CDR generation for postpaid |
| S2a | PGW ↔ TWAN | GTPv2-C + GTP-U | Trusted WLAN access (Wi-Fi offload) |
| S2b | PGW ↔ ePDG | GTPv2-C + GTP-U | Untrusted WLAN access via Evolved Packet Data Gateway |
Security posture
The PGW carries all subscriber internet traffic and is directly connected to the public internet via SGi. This makes it the most externally exposed node in the 4G EPC: not from the signalling side (its GTPv2-C interfaces face internal or IPX networks), but from the data side. The SGi interface connects to the PDN, which for internet APNs is the public internet. Traffic arriving on SGi from the internet and addressed to a UE's allocated IP passes through the PGW's routing engine before being forwarded, so the PGW is the last line of network-level defence for inbound traffic to subscribers.
The Gx interface is the policy control channel. The PGW trusts PCRF-issued PCC rules completely: a PCRF that returns "MBR unlimited" for all bearers, or "suppress charging for this rating group," will see those rules applied immediately. Gx manipulation is the most direct path to charging bypass or QoS degradation in a 4G network.
Attack surface
SGi traffic interception
The SGi interface carries subscriber IP traffic to and from the internet. Traffic between the PGW and the first IP hop toward the CDN or internet peering point is unencrypted at the network layer (application-level TLS is independent). An attacker positioned between the PGW's SGi interface and the internet peering point can passively observe all unencrypted application traffic from all subscribers, without accessing any core signalling whatsoever.
Impact: Passive interception of all unencrypted application traffic for the operator's entire subscriber base.
Difficulty: Variable. Physical access to the SGi segment is required for on-path interception; BGP route hijacking of the operator's IP prefix achieves a similar effect without physical access.
Gx policy manipulation
The PGW trusts PCC rule responses from the PCRF on Gx unconditionally. If an attacker can impersonate the PCRF (by compromising the Gx Diameter peer connection or registering a rogue Diameter peer with the PGW), they can return PCC rules that grant unlimited MBR, suppress charging triggers, or install traffic steering rules redirecting subscriber sessions to attacker-controlled endpoints.
Impact: Charging bypass for targeted subscribers; QoS manipulation; potential traffic redirection for all sessions the PGW serves.
Difficulty: High. Requires either direct compromise of the PCRF or network access to the Gx Diameter segment with a valid Diameter peer connection.
GTPv2-C S5/S8 bearer manipulation
The S5 and S8 interfaces use GTPv2-C without native authentication. An attacker on the S5 network segment who knows an active bearer's TEID can send crafted Modify Bearer Requests (changing the SGW's S5 GTP-U TEID to redirect downlink traffic) or Delete Session Requests to terminate active PDN connections.
Impact: Session termination (targeted DoS) or user plane redirection (traffic interception) for affected subscribers.
Difficulty: High. Requires access to the S5 network segment between SGW and PGW, and knowledge of valid session TEIDs.
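A defender-side check for the exposure described above, added here as an illustration and not taken from any vendor product: a minimal filter that parses the GTPv2-C header defined in TS 29.274 and accepts an S5 control message only from a registered SGW, and only for a TEID that belongs to a session that SGW established. The SGW addresses, TEIDs and header-only sample messages are constructed test inputs.

```python
import struct

# Constructed GTPv2-C message filter for the S5 boundary of a PGW (not vendor
# code). Header layout per TS 29.274: flags | msg type | length | TEID (if T=1)
# | 3-byte sequence number | spare. Only the fields the filter needs are parsed.
CREATE_SESSION_REQ, MODIFY_BEARER_REQ, DELETE_SESSION_REQ = 32, 34, 36

def parse_gtpv2c_header(pkt):
    """Return (version, msg_type, teid, seq); teid is None when the T flag is clear."""
    flags, msg_type, length = struct.unpack_from("!BBH", pkt, 0)
    version, has_teid = flags >> 5, (flags >> 3) & 1
    if has_teid:
        teid, seq_hi, seq_lo = struct.unpack_from("!IHB", pkt, 4)
    else:
        teid, (seq_hi, seq_lo) = None, struct.unpack_from("!HB", pkt, 4)
    return version, msg_type, teid, (seq_hi << 8) | seq_lo

def filter_s5_message(src_ip, pkt, trusted_sgws, sessions):
    """Decide whether the PGW should process a control message from src_ip.

    sessions maps the PGW's own control TEID -> IP of the SGW that owns the
    session; trusted_sgws is the registered S5 peer allowlist (constructed)."""
    if src_ip not in trusted_sgws:
        return "drop", "source is not a registered SGW"
    version, msg_type, teid, _ = parse_gtpv2c_header(pkt)
    if version != 2 or teid is None:
        return "drop", "not a GTPv2-C message carrying a TEID"
    if msg_type == CREATE_SESSION_REQ:
        # A new session has no PGW TEID yet, so the header TEID must be zero.
        return ("accept", "new session") if teid == 0 else ("drop", "non-zero TEID on create")
    owner = sessions.get(teid)
    if owner is None:
        return "drop", "TEID does not belong to an established session"
    if owner != src_ip:
        return "drop", "TEID belongs to a session owned by a different SGW"
    return "accept", "known session from its owning SGW"

def sample_msg(msg_type, teid, seq):
    """Build a constructed header-only GTPv2-C message (version 2, T=1, no body)."""
    body = struct.pack("!IHBB", teid, seq >> 8, seq & 0xFF, 0)   # TEID, seq, spare
    return struct.pack("!BBH", (2 << 5) | (1 << 3), msg_type, len(body)) + body
```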
IP address pool exhaustion
An attacker who can trigger PDN connection establishment at scale (via compromised UEs, a rogue eNB sending Create Session Requests, or manipulated GTPv2-C from the SGW side) can exhaust the PGW's IP address pool for a given APN, preventing legitimate subscribers from obtaining IP addresses for that APN.
Impact: Denial of service for all subscribers attempting to access the affected APN.
Difficulty: Medium if the attacker controls devices or a rogue base station.
Mitigations
- SGi stateful firewall: Deploy a stateful firewall between the PGW SGi interface and the internet peering point. Apply BCP38 ingress filtering (drop packets with source IPs not in the operator's subscriber address pool). Apply egress filtering to prevent subscriber IP spoofing toward the internet.
- Gx Diameter TLS and peer validation: Require TLS on the Gx interface. Maintain an explicit allowlist of PCRF Origin-Host FQDNs and validate against it for every Gx session. Monitor Gx PCC rule content: alert on MBR values exceeding the subscriber's subscription, absent charging rules for billable APNs, or traffic steering to IP addresses outside the operator's routing policy.
- S5/S8 network isolation: Restrict GTPv2-C access on S5 to registered SGW IP addresses. For S8 (roaming), apply a GTP firewall at the IPX boundary that validates GTPv2-C procedure sequences and drops messages referencing TEIDs not associated with sessions established through the local operator's SGW.
- Online charging failure handling: Configure the PGW to fail-closed on Gy timeout when online charging is required: if the OCS is unreachable, deny bearer establishment for prepaid subscribers rather than granting unlimited credit. The fail-open behaviour (grant credit if the OCS is unreachable) is common in vendor defaults but enables charging bypass during OCS outages.
- IP pool monitoring: Monitor IP address pool utilisation per APN. Alert when a pool approaches exhaustion; distinguish between legitimate growth and an address exhaustion attack by correlating with session creation rates.
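An added illustration of the Gx rule monitoring item above (constructed for this page, not vendor code): the checks run over a decoded CCA or RAR modelled as Python dicts keyed by the TS 29.212 AVP names, and flag an MBR above the subscription, a billable APN with no Rating-Group, and a redirect target outside the operator's prefixes. The operator prefixes, subscription MBR and sample rules are assumptions.

```python
import ipaddress

# Constructed PCC-rule checker for the Gx monitoring mitigation above (not vendor
# code). Input is a decoded CCA or RAR: Charging-Rule-Install groups holding
# Charging-Rule-Definition AVPs, modelled as dicts keyed by TS 29.212 AVP names.
OPERATOR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]

def check_pcc_rules(msg, apn, subscribed_mbr_bps, billable_apns, prefixes=OPERATOR_PREFIXES):
    """Return alert strings for rules the PGW should not apply silently.

    subscribed_mbr_bps is the APN-AMBR from the subscriber profile (assumed input)."""
    rules = [d for inst in msg.get("Charging-Rule-Install", [])
             for d in inst.get("Charging-Rule-Definition", [])]
    alerts = []
    if apn in billable_apns and not any("Rating-Group" in r for r in rules):
        alerts.append(f"{apn}: no rule carries a Rating-Group on a billable APN")
    for r in rules:
        name = r.get("Charging-Rule-Name", "<unnamed>")
        qos = r.get("QoS-Information", {})
        for key in ("Max-Requested-Bandwidth-UL", "Max-Requested-Bandwidth-DL"):
            mbr = qos.get(key)
            if mbr is not None and mbr > subscribed_mbr_bps:
                alerts.append(f"{name}: {key}={mbr} exceeds subscription {subscribed_mbr_bps}")
        addr = r.get("Redirect-Information", {}).get("Redirect-Server-Address")
        if addr is None:
            continue
        try:
            target = ipaddress.ip_address(addr)
        except ValueError:          # a URL or FQDN target: cannot be prefix-checked here
            alerts.append(f"{name}: non-IP redirect target {addr!r} needs review")
            continue
        if not any(target in p for p in prefixes):
            alerts.append(f"{name}: redirect target {addr} is outside operator prefixes")
    return alerts

# Constructed sample CCA: a sane rule, an effectively unlimited MBR, an off-net redirect.
SAMPLE_CCA = {"Charging-Rule-Install": [{"Charging-Rule-Definition": [
    {"Charging-Rule-Name": "internet-default", "Rating-Group": 10,
     "QoS-Information": {"Max-Requested-Bandwidth-UL": 50_000_000,
                         "Max-Requested-Bandwidth-DL": 100_000_000}},
    {"Charging-Rule-Name": "promo-unlimited",
     "QoS-Information": {"Max-Requested-Bandwidth-DL": 0xFFFFFFFF}},
    {"Charging-Rule-Name": "captive-redirect", "Rating-Group": 11,
     "Redirect-Information": {"Redirect-Server-Address": "198.51.100.7"}},
]}]}
```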
Spec references
- 3GPP TS 23.401: EPC architecture. Section 4.1.4 defines the PGW's functional role; Section 5.3 defines bearer establishment procedures including the PGW's role in Create Session and Create Bearer.
- 3GPP TS 29.212: Gx reference point specification. Defines the Diameter CCR/CCA/RAR/RAA commands and all AVPs used between PGW (PCEF) and PCRF for PCC rule delivery.
- 3GPP TS 29.274: GTPv2-C specification for EPS. Defines all messages used on S5/S8 including Create Session, Modify Bearer, Delete Session, and Create Bearer procedures.
- 3GPP TS 32.299: Diameter Charging Applications. Covers the Gy (online) and Gz (offline) charging interfaces, including Credit-Control command codes and charging-specific AVPs.
Related topics
The PGW and SGW together form the 4G packet core data path: the SGW provides local user plane mobility; the PGW provides the PDN anchor and policy enforcement. Both were superseded in 5G SA: the SMF absorbed their control plane functions; the UPF absorbed their user plane functions.
The PCRF is the PGW's policy authority on Gx. Every active PDN session has a corresponding Gx session between PGW and PCRF. The PCC rules delivered on Gx directly determine what QoS the subscriber receives and what gets charged.
The PGW superseded the GGSN from 3G GPRS. The GGSN served the same PDN anchor role but with GTPv1-C toward the SGSN and the Gi interface to the internet. The SGi and Gi interfaces are functionally equivalent; both are plain IP routing toward the PDN.
Diameter underpins three of the PGW's key interfaces: Gx (PCRF), Gy (OCS), and Gz (OFCS). Understanding Diameter base protocol semantics (CCR/CCA, application IDs, session binding) is prerequisite for PGW-PCRF integration work.
For the full 4G architecture, see 4G EPC.