Overview
The SGW — Serving Gateway — is the user plane anchor in a 4G EPC deployment. It sits between the radio access network (eNB on S1-U) and the PDN Gateway (PGW on S5/S8), relaying subscriber data packets while maintaining the bearer tunnel state that allows seamless handover between eNBs. When a UE moves from one eNB to another within the same tracking area, the SGW remains fixed and only the S1-U tunnel endpoint changes — the UE's IP address and its PDN connection stay stable.
The SGW performs no intelligent packet processing. It does not allocate IP addresses, enforce policy, or do charging. Its function is bearer relay: it receives GTP-U encapsulated packets from the eNB on S1-U, strips the S1-U GTP-U header, re-encapsulates with the S5/S8 GTP-U TEID toward the PGW, and forwards. Downlink traffic follows the reverse path. The SGW holds the TEID mappings that make this relay possible — one TEID pair per bearer per session.
When a UE enters idle mode (RRC_IDLE), the radio connection drops but the SGW retains the bearer context and the UE's IP address. When downlink traffic arrives for the idle UE, the SGW buffers the packet and notifies the MME via a Downlink Data Notification on S11 (GTPv2-C). The MME pages the UE. When the UE re-establishes the radio connection, the SGW resumes forwarding without any IP address change — the session appears uninterrupted from the application's perspective.
The SGW's user plane function (SGW-U) and control plane function (SGW-C) were separated in 3GPP Release 14 under the CUPS (Control and User Plane Separation) architecture — the direct predecessor to the 5G SMF/UPF split. In CUPS, the SGW-C handles GTPv2-C signalling from the MME on S11 and instructs the SGW-U via PFCP on Sxa. In pre-CUPS deployments, these are unified in a single node.
How it works
Bearer establishment
Bearer creation is initiated by the MME during UE attach or dedicated bearer setup, via GTPv2-C on S11.
- The MME sends a Create Session Request to the SGW on S11, containing the IMSI, APN, EPS bearer ID, and the requested QoS (QCI, ARP, GBR, MBR). The MME includes its own S11 TEID for the SGW to respond to.
- The SGW allocates a local S11 TEID (for the MME to reach it on), an S1-U TEID (for the eNB to use for uplink), and an S5/S8 TEID pair (for the PGW).
- The SGW forwards a Create Session Request to the PGW on S5 (same operator) or S8 (roaming), passing through the APN and QoS parameters and providing its own S5/S8 TEIDs.
- The PGW allocates an IP address, applies Gx policy from the PCRF, and returns a Create Session Response with its S5 TEID and the UE's IP address.
- The SGW returns a Create Session Response to the MME with all allocated TEIDs and the UE IP. The MME delivers the S1-U TEID to the eNB via S1AP Initial Context Setup, enabling the radio bearer.
Handover bearer path switch
During an X2 handover (direct eNB-to-eNB), the data path must be updated at the SGW once the UE has successfully attached to the target eNB.
- The target eNB sends Path Switch Request to the MME via S1AP.
- The MME sends a Modify Bearer Request to the SGW on S11, carrying the target eNB's new S1-U IP address and TEID.
- The SGW updates its TEID mapping: the S1-U downlink tunnel now points to the target eNB. Buffered downlink packets are immediately forwarded to the new eNB.
- The SGW sends an End Marker packet on the old S1-U tunnel to signal the source eNB to stop forwarding, and returns Modify Bearer Response to the MME.
Idle mode and Downlink Data Notification
- When no radio bearer is active, the SGW retains the S5/S8 bearer to the PGW but does not hold an active S1-U tunnel.
- A downlink packet arrives from the PGW on S5/S8. No S1-U tunnel exists.
- The SGW buffers the packet and sends a Downlink Data Notification (DDN) to the MME on S11.
- The MME sends Paging via S1AP to the eNBs in the UE's registered tracking area.
- The UE responds by initiating a Service Request; the MME re-activates the S1-U bearer via Modify Bearer Request; the SGW resumes forwarding.
Architecture role
The SGW is the local user plane anchor for LTE. As a UE moves between eNBs, the SGW provides continuity — the PGW does not need to change, and the UE's IP address remains stable. The SGW absorbs the frequent, small-radius handovers that occur as a mobile subscriber walks or drives through an operator's network.
In 4G EPC: The SGW sits between the eNB (S1-U) and the PGW (S5/S8). It is controlled by the MME via GTPv2-C on S11. All bearer state — TEID mappings, bearer QoS parameters, UE state — is maintained here.
In 5G SA: The SGW's functions were split between the SMF (control plane — GTPv2-C equivalent became PFCP) and the UPF (user plane — GTP-U relay became N3 termination). The SGW-C/SGW-U CUPS split was the direct design input for the SMF/UPF architecture.
The SGW also serves 3G mobility: when a subscriber hands over from LTE to 3G, the SGSN interacts with the SGW via S4 (GTPv2-C) instead of S3 (to the MME), allowing the user plane path to be preserved through the SGW and PGW rather than switching to the GGSN/SGSN-based 3G path.
Key interfaces
| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| S1-U | SGW ↔ eNB | GTP-U | Uplink and downlink user plane bearer traffic |
| S11 | SGW ↔ MME | GTPv2-C | Bearer create/modify/delete, Downlink Data Notification |
| S5 | SGW ↔ PGW | GTPv2-C + GTP-U | Same-operator PDN connection control and user plane |
| S8 | SGW ↔ PGW | GTPv2-C + GTP-U | Roaming PDN connection (visited SGW to home PGW) |
| S4 | SGW ↔ SGSN | GTPv2-C | 3G mobility — direct tunnel between SGSN and SGW/PGW |
| S12 | SGW ↔ RNC (UTRAN) | GTP-U | Direct user plane tunnel to UTRAN (where supported) |
Security posture
The SGW's threat model is dominated by the absence of authentication in the GTP-U protocol. GTP-U is a bare UDP protocol with no source authentication: any node that can send a UDP packet to the SGW's S1-U port with a valid TEID can inject data into any active bearer. The TEID is a 32-bit identifier that is allocated per bearer — it is not secret, and in unencrypted transport environments (most S1-U deployments), it is observable by anyone on the S1 network segment.
The GTPv2-C control plane on S11 and S5 is equally unauthenticated at the protocol level. GTPv2-C relies on network isolation and the TEID matching mechanism for integrity — there is no cryptographic binding between a GTPv2-C message and the MME that sent it. An attacker on the S11 segment can send a Modify Bearer Request or Delete Session Request for any TEID they know, silently disrupting the corresponding UE's session.
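What network isolation plus TEID matching amounts to at the receiver, as an added example that is not part of the original page or of any SGW product: a pre-filter that accepts S11 traffic only from registered MME prefixes and rejects Modify Bearer or Delete Session requests for TEIDs with no live session. The class name, verdict strings, addresses and TEIDs are assumptions constructed for illustration; the header layout and message type values follow 3GPP TS 29.274.

```python
import struct
from ipaddress import ip_address, ip_network

# GTPv2-C message type values (3GPP TS 29.274)
MODIFY_BEARER_REQ, DELETE_SESSION_REQ = 34, 36


class S11Guard:
    """Hypothetical pre-filter for an SGW's S11 listener; names are illustrative."""

    def __init__(self, mme_prefixes):
        self.mme_nets = [ip_network(p) for p in mme_prefixes]
        self.local_teids = set()  # S11 TEIDs this SGW allocated to live sessions

    def check(self, src_ip, datagram):
        """Return (verdict, reason) for one GTPv2-C datagram."""
        if not any(ip_address(src_ip) in net for net in self.mme_nets):
            return "drop", "peer-not-registered"
        if len(datagram) < 12:
            return "drop", "short-header"
        flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
        if flags >> 5 != 2 or not flags & 0x08:  # version 2 with TEID present
            return "drop", "bad-flags"
        if length != len(datagram) - 4:  # length excludes the first 4 octets
            return "drop", "length-mismatch"
        if msg_type in (MODIFY_BEARER_REQ, DELETE_SESSION_REQ):
            if teid not in self.local_teids:
                return "drop", "unknown-teid"
        return "accept", "ok"


def gtpv2c(msg_type, teid, seq, ies=b""):
    """Build a constructed GTPv2-C message (T=1) for the demo below."""
    body = struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00" + ies
    return struct.pack("!BBH", 0x48, msg_type, len(body)) + body


def demo():
    guard = S11Guard(["192.0.2.0/28"])  # constructed MME address range
    guard.local_teids.add(0x00005A01)   # constructed live session
    truncated = gtpv2c(DELETE_SESSION_REQ, 0x00005A01, 4, b"\x00\x00")[:-2]
    return [
        guard.check("192.0.2.5", gtpv2c(MODIFY_BEARER_REQ, 0x00005A01, 1)),
        guard.check("192.0.2.5", gtpv2c(DELETE_SESSION_REQ, 0x0000BEEF, 2)),
        guard.check("198.51.100.7", gtpv2c(DELETE_SESSION_REQ, 0x00005A01, 3)),
        guard.check("192.0.2.5", truncated),
    ]
```

A registered MME that has itself been compromised still passes this filter; it only removes senders outside the allow-list and requests for sessions that do not exist.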
Attack surface
GTP-U TEID injection on S1-U
GTP-U carries no source authentication. Any node on the eNB-facing S1 network segment that knows an active bearer's TEID can inject encapsulated IP packets into that bearer β routing arbitrary traffic through the SGW as if it originated from the legitimate UE. In the downlink direction, an attacker who knows the eNB's S1-U TEID can inject packets that are forwarded by the SGW to the eNB and ultimately to the UE.
Impact: Arbitrary packet injection into active user plane bearers; potential for TCP session hijacking or protocol-level exploitation of unsuspecting UEs.
Difficulty: Medium. Requires network access to the S1 segment and knowledge of an active TEID. TEIDs are observable in plaintext on unencrypted S1 links.
GTPv2-C S11 bearer manipulation
The S11 interface between MME and SGW uses GTPv2-C without cryptographic authentication. If an attacker can reach the SGW's S11 IP — for example, from a compromised MME or from any device on the S11 VLAN — they can send crafted GTPv2-C messages: Create Session Request (creating ghost bearers), Modify Bearer Request (redirecting a bearer's S1-U tunnel), or Delete Session Request (tearing down live sessions).
Impact: Ghost bearer resource exhaustion; user plane redirection; targeted session termination.
Difficulty: Medium. Requires network access to the S11 interface and knowledge of in-use TEIDs (for modify/delete) or the ability to create new sessions with valid IMSI/APN combinations.
S8 roaming interface abuse
The S8 interface connects the visited SGW to the home PGW across the IPX network. GTPv2-C messages on S8 traverse commercial IPX infrastructure. An attacker positioned at the IPX layer can observe GTPv2-C TEID values in Create Session responses, then use those TEIDs to send Modify Bearer or Delete Session requests that disrupt roaming subscribers' sessions.
Impact: Roaming session disruption; potential user plane redirection for roaming subscribers if S8 GTP-U is also observable.
Difficulty: Medium for session disruption (requires IPX access and GTPv2-C knowledge); High for user plane interception (requires both GTPv2-C and GTP-U visibility).
Mitigations
- TEID validation on GTP-U ingress: The SGW must maintain a table of active bearer TEIDs and the expected source IP for each. Drop any GTP-U packet whose source IP does not match the registered eNB for the receiving TEID. This prevents TEID injection from off-path attackers.
- IPsec on S1-U where eNB supports it: IPsec on the S1-U interface provides cryptographic protection against both TEID injection and traffic interception. 3GPP TS 33.401 makes this mandatory for the S1 interface. Enforce it in SGW configuration and monitor for S1-U connections without IPsec.
- S11/S5 network isolation: Restrict GTPv2-C access on S11 to registered MME IP addresses via firewall ACL. Restrict S5 to registered PGW IPs. These interfaces should not be reachable from the RAN or from any internet-routable address.
- GTP firewall on S8: Apply a GTP-aware firewall on the S8 roaming interface at the IPX boundary. Filter GTPv2-C to allow only valid procedure messages from known roaming partner PGW address ranges. Block Delete Session and Modify Bearer messages that reference TEIDs not associated with a session the local SGW created.
- Downlink Data Notification rate limiting: Limit DDN messages per MME connection per time period. A DDN flood — sending DDN for thousands of idle UEs simultaneously — can trigger a paging storm that overloads MME and RAN paging capacity.
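The first mitigation, TEID validation on GTP-U ingress, as an added example (not code from the original page or from any SGW implementation): each local S1-U TEID is bound to its registered eNB address, and the binding is rewritten on path switch so the source eNB stops being accepted. `BearerTable`, the verdict strings, addresses and TEIDs are constructed for illustration.

```python
import struct
from ipaddress import ip_address

GTPU_GPDU = 0xFF  # GTP-U message type for an encapsulated user packet


class BearerTable:
    """Hypothetical SGW table: local S1-U TEID -> registered eNB address."""

    def __init__(self):
        self._enb_for_teid = {}

    def register(self, teid, enb_ip):
        # Called at bearer setup and again when a path switch moves the bearer.
        self._enb_for_teid[teid] = ip_address(enb_ip)

    def check_uplink(self, src_ip, datagram):
        """Return (verdict, reason) for one UDP payload received on S1-U."""
        if len(datagram) < 8:
            return "drop", "short-header"
        flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
        if flags >> 5 != 1 or not flags & 0x10:  # GTP version 1, protocol type GTP
            return "drop", "not-gtpv1"
        if length != len(datagram) - 8:  # length counts bytes after the 8-byte header
            return "drop", "length-mismatch"
        if msg_type != GTPU_GPDU:
            return "pass", "not-gpdu"  # echo, end marker etc. are not bearer data
        expected = self._enb_for_teid.get(teid)
        if expected is None:
            return "drop", "unknown-teid"
        if ip_address(src_ip) != expected:
            return "drop", "source-mismatch"
        return "forward", "ok"


def gpdu(teid, inner):
    """Build a constructed G-PDU with no optional header fields."""
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, len(inner), teid) + inner


def demo():
    table = BearerTable()
    table.register(0x1A2B3C4D, "10.10.1.11")  # constructed TEID and source eNB
    pkt = gpdu(0x1A2B3C4D, b"\x45" + bytes(19))  # placeholder inner IPv4 header
    before = [table.check_uplink(ip, pkt) for ip in ("10.10.1.11", "10.10.9.99")]
    stray = table.check_uplink("10.10.1.11", gpdu(0x0BADF00D, b"\x45" + bytes(19)))
    table.register(0x1A2B3C4D, "10.10.1.12")  # path switch to the target eNB
    after = [table.check_uplink(ip, pkt) for ip in ("10.10.1.11", "10.10.1.12")]
    return before, stray, after
```

UDP source addresses can be forged by a host on the same segment, so this check complements IPsec on S1-U rather than replacing it.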
Spec references
- 3GPP TS 23.401 — EPC architecture and procedures. Section 4.1.3 defines the SGW's functional description; Section 5.3 defines bearer establishment, handover path switch, and idle mode procedures involving the SGW.
- 3GPP TS 29.274 — GTPv2-C (Evolved GPRS Tunnelling Protocol for Control Plane). Defines all GTPv2-C messages and IEs used on the S11, S5, S8, and S4 interfaces.
- 3GPP TS 33.401 — SAE security architecture. Section 9 covers S1 interface security (IPsec requirements between eNB and SGW) and the overall user plane security model.
Related topics
The SGW is half of the 4G user plane — it holds bearer state for intra-LTE mobility; the PGW is the PDN anchor and policy enforcement point. Together they carry the role that the single UPF performs in 5G SA.
The SGW was split into SGW-C (control) and SGW-U (user plane) under the 4G CUPS architecture in Release 14. The 5G SMF absorbed the SGW-C functions (GTPv2-C toward the MME equivalent, PFCP toward the UPF-C). The UPF absorbed the SGW-U functions (GTP-U relay).
The underlying tunnel protocols are GTP-U (user plane) and GTP-C (control plane via GTPv2-C). The S1-U GTP-U header format in 4G EPC is essentially identical to the N3 GTP-U header in 5G, making the UPF a recognisable evolution of the SGW-U for anyone familiar with 4G bearer mechanics.
For the full EPC architecture, see 4G EPC.