TelcomIQ

Navigate

BrowseSecurityCoverageQuizContact

Graph

Full GraphBuilder

PCRF

Policy and Charging Rules Function β€” the 4G EPC policy engine

Type

node

Generations

4G

Threat level

medium
🧩

Quiz coming soon for this topic.

Questions & comments

Join the discussion

Overview

The PCRF β€” Policy and Charging Rules Function β€” is the brain of the 4G EPC policy architecture. It determines, on a per-subscriber per-session basis, what quality of service a data bearer receives, what traffic flows are permitted or gated, and how usage is accounted for in the charging system. These decisions are communicated to the PGW's enforcement function (PCEF) via the Gx Diameter interface in the form of PCC (Policy and Charging Control) rules.

The PCRF is also the coordination point for application-driven QoS. When a UE initiates a VoLTE call, the IMS P-CSCF β€” which knows the codec, bitrate, and SDP parameters of the media session β€” sends an Rx request to the PCRF. The PCRF translates the media session description into a dedicated EPS bearer with GBR (Guaranteed Bit Rate) QoS, installs this as a PCC rule on the PGW, and the PGW triggers dedicated bearer creation. The UE's VoLTE audio stream then runs on a separate, higher-priority bearer than its background data traffic, with the bitrate guaranteed by the radio scheduler. This dynamic QoS coordination between IMS and the packet core is the Rx interface's primary purpose.

The PCRF also holds or accesses subscriber policy profiles via the SPR (Subscription Profile Repository) β€” an internal or external database that stores each subscriber's subscribed QoS entitlements, APN-specific policies, and roaming restrictions. When a Gx session starts, the PCRF queries the SPR for the relevant subscriber, then applies any provisioned rules alongside dynamic Rx input and real-time conditions.

For operators running roaming, the S9 interface connects the visited network's PCRF (V-PCRF) to the home network's PCRF (H-PCRF). In home-routed roaming, the PGW is in the home network and the H-PCRF provides policy directly. In local breakout, the PGW is in the visited network and the V-PCRF must coordinate with the H-PCRF via S9 to enforce home operator policy on the roaming subscriber.

How it works

Gx session establishment (IP-CAN session setup)

The Gx session between PCRF and PGW begins when a subscriber's PDN connection is created.

  1. The PGW receives a Create Session Request from the SGW and opens a Gx Diameter session with the PCRF using a CCR-Initial (Credit-Control Request, type Initial).
  2. The CCR-Initial carries: Subscription-Id (IMSI and MSISDN), Called-Station-Id (APN), IP-CAN-Type (LTE), Bearer-Identifier (the default bearer EBI), and the QoS-Information AVP containing the requested QoS.
  3. The PCRF queries the SPR for the subscriber's policy profile. It evaluates:
    • Subscriber's subscribed maximum QoS for the APN
    • Pre-provisioned PCC rules (e.g., "all subscribers on this APN get QCI 9")
    • Any active Rx session for this subscriber (e.g., an IMS registration)
  4. The PCRF returns a CCA-Initial (Credit-Control Answer, type Initial) with the computed PCC rule set:
    • Charging-Rule-Install AVPs (one per PCC rule): rule name, QoS class (QCI), ARP, MBR/GBR values, charging key (rating group), reporting level
    • Default-EPS-Bearer-QoS AVP: the QoS parameters for the default bearer
  5. The PGW applies the rules: installs TFTs for traffic detection, programs its policy enforcement engine with MBR/GBR limits and DSCP marking, activates charging triggers.

Rx-triggered dedicated bearer (VoLTE QoS)

This is the most common Rx use case in deployed networks β€” IMS requesting QoS for a VoLTE media session.

  1. The UE initiates an IMS call. The P-CSCF processes the SDP offer and sends an Rx AAR (AA-Request) to the PCRF, carrying: the media component descriptions (codec, IP 5-tuples, max bitrate), the UE's IP address, and the IMS application service identifier.
  2. The PCRF associates the Rx session with the existing Gx session for the same UE IP address.
  3. The PCRF derives PCC rules from the media parameters: for voice, QCI 1 (conversational voice), GBR = codec bitrate (e.g., 12.2 kbps for AMR-NB), MBR = max codec bitrate. For video, QCI 2 (conversational video).
  4. The PCRF sends a Gx RAR (Re-Authorization Request) to the PGW with Charging-Rule-Install AVPs for the new dedicated bearer.
  5. The PGW initiates Create Bearer Request toward the SGW/MME/eNB. The dedicated GBR bearer is established.
  6. The P-CSCF receives the Rx AAA (AA-Answer) confirming QoS installation. The SIP 183 Session Progress is returned to the UE. Media begins flowing on the guaranteed-bitrate bearer.

Network-initiated session termination

The PCRF can terminate a session or remove a bearer at any time β€” for example, when a subscriber's data allowance is exhausted or when an operator applies a policy change.

  1. The PCRF sends a Gx RAR to the PGW with a Charging-Rule-Remove AVP (to remove a specific rule) or a Session-Release-Cause AVP (to terminate the entire PDN session).
  2. For bearer removal, the PGW sends Delete Bearer Request toward the SGW/MME.
  3. For session termination, the PGW initiates a Delete Session Request, tearing down the subscriber's PDN connection.

Architecture role

The PCRF has no user plane role and no radio access interface. It is a pure policy brain, sitting behind the PGW and IMS and determining how both treat subscriber traffic. In a well-deployed EPC, every PDN session has a corresponding Gx session in the PCRF, and every VoLTE call has a corresponding Rx session.

In 4G EPC: The PCRF sits between the PGW (Gx) and the IMS core P-CSCF (Rx). It receives policy requests from both sides and delivers unified PCC rules to the PGW's enforcement engine.

Superseded by PCF in 5G SA: The PCF replaces the PCRF in 5G SA. The Gx Diameter interface becomes the N7 HTTP/2 SBI interface; the Rx interface becomes the N5 SBI interface. The policy semantics (QCI→5QI, PCC rules) are broadly preserved — the transport and discovery mechanism changed.

The PCRF is typically deployed in pairs for redundancy β€” an active PCRF and a standby, with session state synchronisation between them. In roaming, each PLMN runs its own PCRF, with the S9 interface connecting home and visited PCRFs for local breakout scenarios.

Key interfaces

InterfaceBetweenProtocolPurpose
GxPCRF ↔ PCEF (PGW)DiameterPCC rule delivery and update β€” the core policy path
RxPCRF ↔ AF/P-CSCFDiameterApplication-layer QoS requests (VoLTE, enterprise)
SpPCRF ↔ SPRInternalSubscriber policy profile retrieval
GxxPCRF ↔ BBERF (SGW)DiameterQoS rule delivery to SGW's BBERF in specific topologies
S9PCRF ↔ PCRFDiameterHome-visited PCRF coordination for roaming LBO

Security posture

The PCRF's threat model centres on the integrity of its two Diameter interfaces. If an attacker can impersonate the PCEF (PGW) on Gx, they can report false usage data, triggering incorrect charging decisions. If they can impersonate an AF on Rx, they can inject QoS requests for any IP flow β€” requesting unlimited GBR bandwidth for a non-existent media session, which the PCRF would then install on the PGW as a real bearer.

The SPR is also a high-value target. If a subscriber's policy profile in the SPR can be modified β€” granting a prepaid subscriber postpaid QoS, or raising a subscriber's MBR from a throttled to a premium tier β€” the PCRF will faithfully enforce those fraudulent parameters.

In practice, the Gx interface faces an internal network segment (the packet core), while the Rx interface may face the IMS core or a third-party AF β€” a slightly larger exposure. For roaming, the S9 interface traverses the IPX.

Attack surface

Rx impersonation β€” rogue AF requesting QoS

The Rx interface accepts QoS requests from trusted Application Functions, primarily the IMS P-CSCF. If an attacker can establish a Diameter connection to the PCRF and present as an AF β€” by compromising an AF system or exploiting a loose Origin-Host matching rule β€” they can send Rx AAR messages requesting GBR QoS for arbitrary UE IP addresses and arbitrary traffic flows. The PCRF would install these as dedicated bearers on the PGW, consuming guaranteed radio resources for attacker-specified IP flows.

Impact: Guaranteed radio resource exhaustion; priority queue manipulation for targeted subscribers; potential for directing high-QoS bearers toward attacker-controlled endpoints.
Difficulty: Medium. Requires a valid Diameter peer connection to the PCRF and knowledge of the Rx AAR command structure.

SPR subscriber profile tampering

The SPR stores each subscriber's policy entitlements. Access to the SPR via its management interface β€” or via the Sp interface if exposed β€” allows an attacker to upgrade a subscriber's allowed MBR, remove a throttling policy, or grant a prepaid subscriber postpaid bearer access. These changes are transparent to the network β€” the PCRF applies them faithfully without any validation against billing systems.

Impact: Charging fraud β€” subscriber receives premium QoS without paying. Resource exhaustion if applied at scale.
Difficulty: Medium. Requires access to the SPR management interface, which may be less secured than Diameter-facing interfaces.

Gx session replay or orphaning

If a PGW crashes and a new Gx session is established for the same subscriber without properly terminating the old session, the PCRF may have two active Gx sessions for the same subscriber β€” resulting in double-counted usage or inconsistent PCC rule application. An attacker who can trigger PGW failures can exploit orphaned Gx sessions to create policy inconsistencies.

Impact: Billing discrepancies; inconsistent policy enforcement for affected subscribers.
Difficulty: Low for an attacker who can induce PGW failures. Session orphaning is also a common operational failure mode in production networks.

Mitigations

  • Strict Origin-Host validation on Gx and Rx: Maintain explicit allowlists of PGW and P-CSCF/AF Origin-Host FQDNs. Reject Diameter connections from any Origin-Host not in the provisioned list. Do not use wildcard matching.

  • Diameter TLS on Gx, Rx, and S9: Require TLS on all PCRF Diameter interfaces. For S9 roaming via IPX, apply GSMA FS.19-equivalent filtering at the DEA/DRA before messages reach the PCRF.

  • PCC rule content monitoring: Deploy monitoring that inspects outgoing Gx CCA and RAR messages. Alert on: MBR values exceeding the operator's maximum subscribed tier, absent charging rules for APNs that should always generate CDRs, QCI 1 or 2 (GBR) bearers installed without a corresponding Rx session.

  • SPR change auditing: All modifications to subscriber policy records in the SPR must be logged with operator identity, timestamp, and the changed field values. Alert on bulk changes (affecting more than N subscribers in a time window) or changes made via API rather than the provisioning portal.

  • Gx session cleanup: Implement Gx session reconciliation: periodically compare active Gx sessions in the PCRF with active PDN sessions in the PGW. Terminate orphaned Gx sessions (sessions in the PCRF with no corresponding PGW session) via CCR-Terminate.

Spec references

  • 3GPP TS 23.203 β€” Policy and Charging Control Architecture. Defines the full PCC framework β€” PCRF role, PCC rules structure, Rx/Gx interaction model, and roaming architecture with S9. Essential before reading the interface specs.

  • 3GPP TS 29.212 β€” Gx reference point specification. Defines all Diameter commands (CCR/CCA/RAR/RAA), AVPs, and procedures between PCRF and PGW (PCEF).

  • 3GPP TS 29.214 β€” Rx reference point specification. Defines AAR/AAA/RAR/RAA/STR/STA commands and AVPs for AF-to-PCRF QoS requests. Section 4 covers the VoLTE media component description procedure in detail.

  • 3GPP TS 29.215 β€” S9 reference point specification. Defines home-visited PCRF interaction for roaming local breakout scenarios.

Related topics

The PCRF is succeeded by the PCF in 5G SA. The core function β€” policy engine for session QoS and charging β€” is preserved; the transport changed from Diameter (Gx/Rx) to HTTP/2 SBI (N7/N5). For anyone who understands PCRF Gx/Rx, the PCF's N7/N5 model is immediately recognisable.

The PGW is the PCRF's primary consumer on Gx. Every active PDN session is associated with a Gx session in the PCRF. The PCRF determines the policy; the PGW's PCEF enforces it in the user plane.

Diameter is the transport for Gx, Rx, Sp, and S9. The PCRF is one of the most Diameter-heavy nodes in the EPC. Understanding Diameter session semantics β€” CCR/CCA, session ID binding, RAR/RAA re-authorisation β€” is prerequisite for PCRF integration and troubleshooting work.

The IMS core connects to the PCRF via Rx through the P-CSCF. This is the path by which VoLTE calls get guaranteed QoS. Without the Rx interface, VoLTE traffic competes with best-effort data on the default bearer.

For the full 4G architecture context, see 4G EPC.

Relationships