TelcomIQ

PCF

Policy Control Function — unified policy engine for 5G SA networks

Type: node
Generations: 5G
Threat level: medium

Overview

The PCF — Policy Control Function — is the 5G SA equivalent of the PCRF in 4G EPC. It is the function that decides the rules governing how subscriber traffic is treated: which QoS profile a PDU session receives, what bitrate limits apply, how traffic is charged, whether certain flows are gated or steered to a specific path, and what route selection policy is pushed to the UE device itself. These decisions are communicated to the SMF (for session-level policy) and to the AMF (for UE-level access and mobility policy).

The PCF operates on two levels simultaneously. At the session level, it provides PCC (Policy and Charging Control) rules to the SMF on the N7 interface — rules that the SMF translates directly into PFCP forwarding and enforcement instructions on the UPF. At the UE level, it provides access and mobility policy to the AMF on the N15 interface — including RFSP (RAT/Frequency Selection Priority) index, service area restrictions, and the URSP (UE Route Selection Policy) rules that guide the UE's own decision about which PDU session to use for a given application.

The PCF consolidates what were, in 4G EPC, two separate policy functions: the PCRF (which handled session-level PCC rules via Gx/Rx Diameter) and the SPR (Subscription Profile Repository, which stored subscriber policy data). In 5G, subscriber policy data is stored in the UDR, accessed by the PCF on N36. The PCF is the policy engine; the UDR is its data store.

The PCF can also be influenced by external Application Functions (AFs) via the N5 interface. An AF — such as a video streaming platform, a video conferencing service, or an enterprise application — can request dynamic policy changes for a specific UE session: requesting higher QoS, triggering usage monitoring, or requesting traffic steering. This dynamic policy injection is a powerful capability but also the most externally exposed surface of the PCF.


How it works

Session management policy (N7)

When the SMF establishes a new PDU session, it requests policy from the PCF immediately after retrieving subscriber data from the UDM.

  1. The SMF sends Npcf_SMPolicyControl_Create Request to the PCF on N7, providing the SUPI, DNN, S-NSSAI, UE IP address, and access type.
  2. The PCF queries the UDR on N36 for the subscriber's policy profile — subscribed MBR/GBR values, default QoS class, roaming restrictions, and any pre-provisioned PCC rules for the DNN.
  3. The PCF evaluates applicable policy rules against the subscriber profile and session attributes, then computes the PCC decision: QoS rules (with 5QI, MBR, GBR, ARP), charging rules (online or offline, rating group, reporting level), and any traffic steering rules.
  4. The PCF returns Npcf_SMPolicyControl_Create Response containing the PCC rules. The SMF translates these directly into PFCP QERs, URRs, and FARs installed on the UPF.
  5. If policy changes during the session — triggered by a timer, a subscriber state change in UDR, or an AF request via N5 — the PCF sends Npcf_SMPolicyControl_UpdateNotify to the SMF, which applies the update via PFCP Session Modification on the UPF.

Access and mobility policy (N15)

During UE registration, the AMF requests access and mobility policy from the PCF.

  1. The AMF sends Npcf_AMPolicyControl_Create Request to the PCF on N15, providing the SUPI, access type, and serving PLMN.
  2. The PCF retrieves the subscriber's UE policy from the UDR and evaluates applicable access restrictions and priority parameters.
  3. The PCF returns the AM policy decision: RFSP index (used by the RAN to select frequency bands and handover thresholds), service area restrictions (cells or TAs where the UE is permitted), and the URSP rules.
  4. URSP rules instruct the UE which PDU session (which DNN and S-NSSAI) to use for applications matching a given Traffic Descriptor — for example, directing a corporate VPN application to a specific enterprise slice rather than the default internet DNN.

Dynamic AF policy via N5

An external Application Function can dynamically influence session policy during an active session — the primary use case for video, IMS, and enterprise applications.

  1. The AF sends Npcf_PolicyAuthorization_Create Request to the PCF on N5, providing the UE IP, media component descriptions (SDP-style codec and bitrate parameters), and the desired QoS.
  2. The PCF validates the AF's identity and authority, translates the media component parameters into PCC rules (deriving the 5QI from the media type, e.g., 5QI 1 for conversational voice), and triggers an N7 policy update to the SMF.
  3. The SMF applies the updated QoS on the UPF via PFCP modification.
  4. When the application session ends, the AF sends Npcf_PolicyAuthorization_Delete, the PCF withdraws the dynamic PCC rules, and the SMF reverts the session to default QoS.

Architecture role

The PCF sits at the intersection of subscriber policy, application requirements, and user plane enforcement. It has no direct user plane involvement — like the SMF, its output is rules, not packets. But unlike the SMF (which enforces rules in the data path), the PCF computes the rules from subscriber subscription data, operator configuration, and real-time application input.

In 5G SA: The PCF provides session policy to the SMF on N7, UE-level policy to the AMF on N15, and accepts dynamic application requests from AFs on N5. It retrieves subscriber policy data from the UDR (via N36) and charging information from UDM.

Compared to 4G PCRF: The 4G PCRF used Diameter Gx toward the PCEF (co-located with PGW), Rx toward the P-CSCF for IMS policy, and Sp toward the SPR for subscriber data. The 5G PCF replaces all of these with HTTP/2 SBI interfaces — N7 (SMF), N5 (AF), and N36 (UDR) — using the same SBA framework as every other 5G NF.

The PCF is operationally stateful: it maintains an SM policy association per active PDU session and an AM policy association per registered UE. In a scaled deployment, PCF instances must be consistent in their view of active policy associations, which typically requires a shared external database for policy session state — similar to the SMF's session state requirements.


Key interfaces

| Interface | Between | Direction | Purpose |
|-----------|---------|-----------|---------|
| N5 | PCF ↔ AF | Bidirectional | Dynamic policy requests from Application Functions |
| N7 | PCF ↔ SMF | Bidirectional | Session-level PCC rules — QoS, charging, traffic steering |
| N15 | PCF ↔ AMF | Bidirectional | Access and mobility policy — RFSP, restrictions, URSP |
| N28 | PCF ↔ CHF | Request/response | Spending limit checks for online charging control |
| N36 | PCF ↔ UDR | Request/response | Subscriber policy profile retrieval from Unified Data Repository |

Security posture

The PCF's threat model centres on two attack surfaces: the externally-influenced N5 interface where Application Functions request dynamic policy, and the N7 interface where the SMF trusts PCF output completely. Policy manipulation — whether through a rogue AF on N5 or a man-in-the-middle on N7 — can grant subscribers unlimited QoS, suppress charging records, or redirect UE traffic to attacker-controlled endpoints via traffic steering rules.

The PCF's N5 interface is the most exposed because it is designed to accept policy input from external entities — IMS P-CSCFs, enterprise AF controllers, partner application platforms. These are not fully trusted internal NFs; they are external systems with operator agreements. A malicious or compromised AF on N5 can request QoS upgrades, usage monitoring, or traffic steering for any UE IP address the AF is aware of — not just the UE using its own application.

The URSP mechanism on N15 is a particularly interesting vector: URSP rules are pushed to the UE device and instruct it where to route application traffic. A PCF that delivers tampered URSP rules — routing a UE's corporate VPN traffic to a default internet DNN rather than the enterprise slice — can silently bypass enterprise security policy without the UE user noticing.


Attack surface

N5 AF impersonation for policy injection

The N5 interface is designed to accept dynamic policy from authorised AFs. If an attacker can present themselves as an authorised AF — by compromising an AF server, stealing its credentials, or registering a rogue AF with the PCF — they can request QoS policy changes for arbitrary UE IP addresses. This could grant a target subscriber unlimited bandwidth (resource exhaustion for the network), suppress charging triggers (charging bypass), or inject traffic steering rules redirecting the subscriber's sessions.

Impact: Charging bypass, QoS manipulation, or traffic redirection for targeted subscribers.
Difficulty: Medium. Requires access to the N5 interface and a credential accepted by the PCF. N5 may be more accessible than internal SBI interfaces if it is used to connect third-party AF systems.
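
A defensive check that narrows this surface, written as an added example (not code from the page or from any PCF product): it combines the AF allowlisting and subscriber scope enforcement listed under Mitigations. The AF identities, address ranges, `AfEntry`, `authorize_n5` and the `active_bindings` set are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AfEntry:
    cert_identity: str    # identity from the verified mTLS client certificate
    source_nets: tuple    # networks this AF may connect from
    ue_nets: tuple        # UE IP ranges this AF may influence
    dnns: frozenset       # DNNs this AF may influence

def _nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)

# Constructed allowlist: every identity and range here is illustrative.
ALLOWLIST = {e.cert_identity: e for e in (
    AfEntry("pcscf1.ims.operator.example", _nets("10.50.0.0/28"),
            _nets("10.200.0.0/16"), frozenset({"ims"})),
    AfEntry("af.partner-video.example", _nets("192.0.2.16/29"),
            _nets("10.100.0.0/16"), frozenset({"internet"})),
)}

def authorize_n5(cert_identity, source_ip, ue_ip, dnn, active_bindings):
    """Return (allowed, reason) for one N5 request.

    active_bindings is a set of (cert_identity, ue_ip) pairs for UEs that
    currently have an application session through that AF.
    """
    entry = ALLOWLIST.get(cert_identity)
    if entry is None:
        return False, "af_not_allowlisted"
    try:
        src, ue = ipaddress.ip_address(source_ip), ipaddress.ip_address(ue_ip)
    except ValueError:
        return False, "malformed_address"
    if not any(src in net for net in entry.source_nets):
        return False, "source_ip_not_allowed"
    if dnn not in entry.dnns:
        return False, "dnn_out_of_scope"
    if not any(ue in net for net in entry.ue_nets):
        return False, "ue_ip_out_of_scope"
    # Scope enforcement: being inside the range is not enough; the UE must
    # have an active session via this specific AF.
    if (cert_identity, str(ue)) not in active_bindings:
        return False, "no_active_session_via_af"
    return True, "ok"
```

Returning a reason code with every denial gives the audit log something to alert on, for example a valid AF certificate presented from an unexpected source address.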

N7 policy response spoofing

The SMF trusts N7 PCC rule responses from the PCF unconditionally, translating them directly into PFCP instructions on the UPF. If an attacker can intercept or spoof N7 responses — by impersonating the PCF in the NRF or intercepting an unencrypted N7 connection — they can deliver PCC rules that grant unlimited MBR, disable charging URRs, or add traffic steering FARs redirecting sessions.

Impact: The SMF installs the malicious rules into the UPF. All subscriber sessions governed by those rules are affected — unlimited bandwidth grants, suppressed charging, or intercepted traffic.
Difficulty: High. Requires either PCF impersonation via NRF or network interception of the N7 segment. Both require high-privilege access.

URSP manipulation

URSP rules delivered to the UE on N15 govern which PDU session the device uses for specific application traffic. A PCF delivering incorrect URSP rules — whether through misconfiguration, a compromised UDR, or a rogue PCF — can route enterprise or sensitive application traffic to an unintended DNN. For example, routing traffic that should go through an enterprise private DNN to the public internet DNN, bypassing enterprise firewall and security controls.

Impact: Enterprise security policy bypass at the UE level. Sensitive application traffic routed to less-secure or monitored paths.
Difficulty: Medium. Requires the ability to modify the PCF's policy data store (UDR) or deliver manipulated N15 responses.
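
The URSP audit that the Mitigations section calls for can be a diff of delivered rules against the provisioned baseline. This is an added example, not the page's or any vendor's code; the rule layout (traffic descriptor mapped to DNN and S-NSSAI), the DNN names and the `approved_changes` set are simplified assumptions.

```python
ENTERPRISE_DNNS = {"corp.enterprise"}   # constructed DNN names
INTERNET_DNNS = {"internet"}

def audit_ursp(delivered, provisioned, approved_changes=frozenset()):
    """Compare URSP rules delivered to one UE with the provisioned baseline.

    Both dicts map a traffic descriptor (here an app id string) to
    {"dnn": ..., "snssai": ...}. approved_changes holds the traffic
    descriptors covered by an operator provisioning change.
    Returns a sorted list of (traffic_descriptor, finding).
    """
    findings = []
    for td in sorted(set(delivered) | set(provisioned)):
        base, got = provisioned.get(td), delivered.get(td)
        if base == got:
            continue
        # Enterprise traffic sent to an internet DNN is always reported,
        # even when a provisioning change claims to cover it.
        if base and got and base["dnn"] in ENTERPRISE_DNNS and got["dnn"] in INTERNET_DNNS:
            findings.append((td, "enterprise_to_internet"))
        elif td in approved_changes:
            continue
        elif got is None:
            findings.append((td, "rule_missing"))
        elif base is None:
            findings.append((td, "unprovisioned_rule"))
        else:
            findings.append((td, "route_changed"))
    return findings

# Constructed sample: baseline from provisioning, rules observed on N15.
PROVISIONED = {
    "com.example.vpn": {"dnn": "corp.enterprise", "snssai": "1-0000A1"},
    "com.example.browser": {"dnn": "internet", "snssai": "1-000001"},
}
DELIVERED = {
    "com.example.vpn": {"dnn": "internet", "snssai": "1-000001"},
    "com.example.browser": {"dnn": "internet", "snssai": "1-000001"},
    "com.example.mail": {"dnn": "internet", "snssai": "1-000001"},
}

if __name__ == "__main__":
    print(audit_ursp(DELIVERED, PROVISIONED))
```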


Mitigations

  • N5 AF allowlisting: The PCF must validate that N5 requests arrive from explicitly provisioned AF instances. Maintain an allowlist of authorised AF IP addresses, certificate identities, and the UE IP ranges or DNNs each AF is permitted to influence. Reject N5 requests from any AF not on the allowlist.

  • N5 subscriber scope enforcement: Validate that an AF requesting policy for a given UE IP is authorised to make policy decisions for that UE. An IMS P-CSCF should only request QoS for UEs with active IMS sessions via that P-CSCF — not for arbitrary subscriber IP addresses.

  • N7 mTLS and OAuth2: Enforce mutual TLS and NRF-issued token validation on all N7 connections. The SMF must verify the PCF's certificate and token before trusting any PCC rule response. The PCF must verify the SMF's token before serving any policy request.

  • Anomaly alerting on QoS grants: Monitor N7 PCC rule content. Alert when any session receives an MBR above a configured threshold (e.g., 10x the subscriber's subscribed maximum), when charging rules are absent for a DNN that should always generate CDRs, or when traffic steering FARs specify destinations outside the operator's IP space.

  • URSP audit logging: Log all URSP policy decisions delivered to UEs via N15. Alert on URSP rules that redirect enterprise-DNN-bound traffic to internet DNNs or that change UE traffic routing without a corresponding operator provisioning change.

  • N5 interface network segregation: Place the N5 interface (external AF access) on a separate network segment from the internal SBI mesh. Apply a dedicated firewall policy between the N5 segment and the PCF's SBI interface — AF systems should not have direct routing to the NRF or other internal NFs.
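
The three alert conditions in the QoS-grant anomaly bullet, written as detection logic over observed PCC decisions. This is an added example, not code from the page or a product; the decision fields are a simplified constructed layout rather than the TS 29.512 schema, and the operator address space, always-charged DNNs and subscribed MBR values are assumptions.

```python
import ipaddress

# Constructed monitoring configuration; all values are illustrative.
OPERATOR_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALWAYS_CHARGED_DNNS = {"internet", "ims"}
MBR_FACTOR = 10   # alert above 10x the subscribed maximum

def check_pcc_decision(decision, subscribed_mbr_kbps):
    """Return a list of (alert_code, detail) for one PCC decision seen on N7."""
    alerts = []
    limit = MBR_FACTOR * subscribed_mbr_kbps
    for rule in decision.get("qos_rules", []):
        for key in ("mbr_ul_kbps", "mbr_dl_kbps"):
            if rule.get(key, 0) > limit:
                alerts.append(("mbr_exceeds_threshold", f"{key}={rule[key]} limit={limit}"))
    if decision["dnn"] in ALWAYS_CHARGED_DNNS and not decision.get("charging_rules"):
        alerts.append(("charging_rules_absent", decision["dnn"]))
    for rule in decision.get("steering_rules", []):
        try:
            dest = ipaddress.ip_address(rule["destination"])
        except ValueError:
            alerts.append(("steering_destination_unparseable", rule["destination"]))
            continue
        if not any(dest in net for net in OPERATOR_NETS):
            alerts.append(("steering_outside_operator_space", str(dest)))
    return alerts

# Constructed sample decisions: s1 is normal, s2 trips all three checks.
SUBSCRIBED_MBR_KBPS = {"imsi-001010000000001": 100_000, "imsi-001010000000002": 100_000}
SAMPLE_DECISIONS = [
    {"session_id": "s1", "supi": "imsi-001010000000001", "dnn": "internet",
     "qos_rules": [{"mbr_ul_kbps": 50_000, "mbr_dl_kbps": 100_000}],
     "charging_rules": [{"rating_group": 10, "mode": "offline"}],
     "steering_rules": []},
    {"session_id": "s2", "supi": "imsi-001010000000002", "dnn": "internet",
     "qos_rules": [{"mbr_ul_kbps": 50_000, "mbr_dl_kbps": 5_000_000}],
     "charging_rules": [],
     "steering_rules": [{"destination": "203.0.113.7"}]},
]

def scan(decisions, subscribed):
    """Map session_id -> alert codes for every decision that raised an alert."""
    out = {}
    for d in decisions:
        codes = [code for code, _ in check_pcc_decision(d, subscribed[d["supi"]])]
        if codes:
            out[d["session_id"]] = codes
    return out
```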


Spec references

  • 3GPP TS 23.503 — The normative PCC framework for 5G. Defines the full policy architecture, PCC rule structure, charging rule structure, and the interaction model between PCF, SMF, AMF, and external AFs. Essential for understanding PCF policy semantics before reading the API specs.

  • 3GPP TS 29.512 — Session Management Policy Control Service (N7). Defines the Npcf_SMPolicyControl API: create, update, delete, and notify operations for session PCC rules.

  • 3GPP TS 29.507 — Access and Mobility Policy Control Service (N15). Defines the Npcf_AMPolicyControl API including URSP rule delivery and service area restriction management.

  • 3GPP TS 29.514 — Policy Authorization Service (N5). Defines the Npcf_PolicyAuthorization API for AF-initiated dynamic policy requests, including media component descriptions and QoS negotiation.


The PCF is the direct successor to the PCRF in 4G, replacing the Diameter Gx and Rx interfaces with HTTP/2 SBI equivalents (N7 and N5). The policy logic — PCC rules, QoS class assignment, charging rule activation — is largely the same; the transport and discovery mechanism changed.

The SMF is the PCF's primary consumer on N7. Every PDU session managed by the SMF has a corresponding SM policy association with a PCF instance. The SMF translates PCC rules directly into PFCP rules on the UPF — the PCF determines what QoS a session gets; the UPF enforces it.

The AMF consumes the PCF's access and mobility policy on N15. The URSP rules and service area restrictions the PCF provides determine how each UE's device routes application traffic and where in the network it is permitted to register.

The NEF is an alternative N5 entry point for external AFs — instead of connecting directly to the PCF, third-party applications can go through the NEF, which provides an additional authentication and authorisation layer before forwarding policy requests to the PCF.

For the full context, see 5G SA.