TelcomIQ

SGSN

Serving GPRS Support Node: 2G/3G packet data mobility manager

Type: node

Generations: 2G, 3G

Threat level: high

Overview

The SGSN (Serving GPRS Support Node) is the packet-domain mobility anchor in 2G GPRS and 3G UMTS networks. Where the MSC manages circuit-switched voice, the SGSN manages packet data: it handles subscriber authentication for data services, tracks which subscribers are currently attached, maintains the state of active data sessions (PDP contexts), and tunnels user-plane traffic to the GGSN.

The SGSN plays the same general role in the 2G/3G packet core as the MME plays in 4G: it is the control-plane node for packet data mobility. Unlike the MME, however, the SGSN also handles the GTP-U user-plane path to the GGSN, making it a combined control-plane and user-plane node. In 4G this function was split: the MME handles the control plane, and the Serving Gateway (SGW) handles the user plane.

Every GPRS attach, PDP context activation, routing area update, and inter-SGSN handoff passes through the SGSN. It queries the HLR via MAP over SS7 to authenticate subscribers and download their GPRS subscription profile. It signals to the GGSN via GTP-C to establish and modify data tunnels. It also terminates the radio-access-side interface: the Frame Relay-based Gb interface in 2G, or the Iu-PS interface to the 3G RNC.

From a security perspective, the SGSN sits at the intersection of two attack surfaces: the SS7/MAP interface (Gr) that faces the core signalling network, and the GTP interface (Gn/Gp) that faces peer packet nodes and, in roaming scenarios, the open IPX/GRX network.


How it works

The SGSN operates through four primary procedures that govern the lifecycle of a subscriber's packet data session.

GPRS attach

When a subscriber powers on or moves into packet coverage, the handset initiates a GPRS Attach. The attach request, carrying the subscriber's IMSI or P-TMSI, arrives at the SGSN from the BSC/PCU via the Gb interface (2G) or from the RNC via Iu-PS (3G). The SGSN retrieves the subscriber's IMSI and sends a Send Authentication Info (SAI) MAP request to the HLR to obtain authentication vectors. It challenges the subscriber, then sends an Update GPRS Location MAP message to the HLR to register itself as the serving SGSN. The HLR responds by inserting the subscriber's GPRS subscription data and cancelling the previous serving SGSN if one existed.

PDP context activation

To send or receive data, the subscriber initiates a PDP context, the packet data equivalent of a call setup. The handset sends an Activate PDP Context Request to the SGSN, specifying the requested Access Point Name (APN). The SGSN validates the subscription, selects the appropriate GGSN for that APN, and sends a Create PDP Context Request via GTP-C over the Gn interface. The GGSN allocates an IP address, establishes the GTP-U tunnel, and responds with the tunnel endpoint ID. The SGSN then activates the bearer on the radio interface, and the subscriber's data session is live.

Routing area update

As a subscriber moves between the coverage areas of different SGSNs, the handset detects a change in the broadcast Routing Area Identifier and initiates a Routing Area Update (RAU). If the RAU is inter-SGSN, the new SGSN contacts the old SGSN to retrieve the subscriber's context, then updates the HLR with the new serving address and transfers any active PDP contexts to new GTP tunnels.

Inter-SGSN handover

In 3G, the SGSN also manages handovers triggered by the RNC. When a subscriber moves to a cell served by a different SGSN, the source SGSN forwards the subscriber's context and buffered data to the target SGSN over a direct GTP-C tunnel between them, minimising packet loss during the transition.


Architecture role

In a 2G/3G network, the SGSN pool covers the operator's geographic footprint. Each SGSN connects to a subset of the BSC/PCU pool (2G) or RNC pool (3G), grouping them into routing areas. The SGSN connects to the SS7 network via the STP infrastructure to reach the HLR on the Gr interface, and to the packet core via GTP to reach the GGSN pool.

In 2G GPRS: The Gb interface between the SGSN and BSC/PCU uses Frame Relay or IP over the national backhaul. The SGSN handles both the signalling (LLC, SNDCP, BSSGP) and the user-plane tunnelling to the GGSN.

In 3G UMTS: The Iu-PS interface uses RANAP over SCTP. The signalling path is clean; the user plane tunnels directly from the RNC to the SGSN and onward to the GGSN. 3G also supports Direct Tunnel mode, where GTP-U goes directly from the RNC to the GGSN, bypassing the SGSN for user-plane traffic.

In 4G LTE: The SGSN is not a native 4G node. However, many networks deploy an S4-SGSN, an SGSN that has been extended to support the S4 Diameter interface toward the SGW in addition to its traditional GTP-Gn interface. This allows dual-stack subscribers moving between 3G and 4G coverage to maintain their data session via SGW/PGW rather than needing a full session re-establishment.

Roaming: The Gp interface is the inter-PLMN equivalent of Gn. When a subscriber roams to a foreign network, the visited SGSN establishes GTP-C tunnels over Gp to the home GGSN. The Gp interface traverses the IPX/GRX network and is a key roaming attack surface.


Key interfaces

Interface  Between                    Protocol                  Purpose
Gb         SGSN ↔ BSC/PCU             BSSGP/Frame Relay or IP   2G radio access; user data and signalling
Iu-PS      SGSN ↔ RNC                 RANAP/SCTP                3G radio access control and session management
Gn         SGSN ↔ GGSN                GTP-C/U                   Intra-PLMN tunnel establishment and user-plane forwarding
Gp         SGSN ↔ GGSN                GTP-C/U                   Inter-PLMN (roaming) GTP tunnelling via IPX/GRX
Gr         SGSN ↔ HLR                 MAP/SS7                   Authentication, GPRS location update, subscription download
Gs         SGSN ↔ MSC/VLR             MAP/SS7                   Combined location update for CS+PS combined attach
Ga         SGSN ↔ Charging Gateway    GTP'                      Charging data record generation

Security posture

The SGSN faces threats on two distinct interfaces that require different mitigation strategies. On the SS7/MAP side (Gr interface), the threats are identical to those facing any other MAP-speaking node: lack of authentication means any SS7-connected entity can send MAP queries or spoofed Update GPRS Location messages. On the GTP side (Gn/Gp), the threats stem from GTP's own absent authentication model: GTP-C messages carry no cryptographic proof of origin.

The Gp interface is the most exposed attack surface. It connects the SGSN to the open GRX/IPX network used for roaming, and the GTP protocol version 1 (GTPv1) used in this generation has no mechanism to authenticate a peer SGSN or GGSN. A GTP-C message arriving from any IP address claiming a valid IMSI and TEID can potentially create, modify, or delete PDP contexts.

This attack surface motivated the development of GTP firewalls: devices deployed at the Gp interface boundary that validate GTP message types, peer addresses, and protocol state against a known-legitimate baseline.


Attack surface

GTP-C session hijacking

A Create PDP Context Request sent to the GGSN on behalf of a subscriber can be spoofed by any host that can reach the GGSN's GTP port. In roaming scenarios, the Gp interface traverses the IPX network, which is accessible to multiple operator interconnect partners. An attacker can attempt to create a PDP context for a known IMSI, redirecting the subscriber's data session.

Impact: Data session hijacking; subscriber traffic routed through attacker-controlled GGSN. Difficulty: Medium. Requires network access to the Gp interface and knowledge of target IMSI.

Unauthorized inter-SGSN routing area update

An attacker who can send MAP messages can send a spoofed Update GPRS Location to the HLR, claiming to be a new serving SGSN for the subscriber. The HLR cancels the subscriber at the legitimate SGSN, denying them data service until they reattach.

Impact: Targeted denial of data service. Difficulty: Low. One MAP message is sufficient.

SS7 MAP harvesting via Gr interface

The Gr interface is a full MAP connection to the HLR. The SGSN can query the HLR for subscriber authentication data and subscription profiles. An attacker impersonating a legitimate SGSN via SS7 can abuse this interface to harvest subscriber data, as documented in the broader SS7 attack taxonomy.

Impact: Subscriber identity and authentication data disclosure. Difficulty: Low to medium depending on signalling firewall deployment.


Mitigations

  • GTP firewall on Gp: Deploy a dedicated GTP firewall at the Gp interface boundary, validating source IP addresses against the GSMA IR.21 GTP endpoint database for the claimed roaming partner network. Block GTP-C message types not appropriate in a roaming context (e.g., Create PDP Context from an unexpected peer).

  • GTP peer IP whitelisting: Maintain a list of known-legitimate GGSN and SGSN IP addresses for each roaming partner. Block GTP-C from unlisted source IPs before it reaches the SGSN.

  • MAP Gr interface filtering: Apply the same GSMA FS.11 signalling firewall controls to the Gr interface that apply to any MAP-speaking node. The SGSN's MAP interface should only accept traffic from known SS7 peer addresses.

  • Rate limiting on inter-SGSN RAU: Monitor and alert on inter-SGSN Routing Area Update volumes from unknown source SGSNs or source point codes outside the expected partner network range.
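As an added illustration of the first two mitigations (this is example code written for this page, not TelcomIQ's or any vendor's firewall), a minimal model of a Gp-boundary GTP-C filter: it decodes the GTPv1 header, maps the source address to a roaming partner through a constructed per-partner endpoint allowlist standing in for IR.21 data, and rejects message types the policy does not permit inbound. The partner names, address prefixes and allowed-type set are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass

# GTPv1-C message types from 3GPP TS 29.060 (subset used here).
ECHO_REQ, ECHO_RSP, CREATE_PDP_REQ = 1, 2, 16
UPDATE_PDP_REQ, UPDATE_PDP_RSP, DELETE_PDP_REQ, DELETE_PDP_RSP = 18, 19, 20, 21

# Constructed stand-in for IR.21 endpoint data: one GTP prefix per partner.
PARTNER_ENDPOINTS = {
    "partner-A": ipaddress.ip_network("192.0.2.0/24"),
    "partner-B": ipaddress.ip_network("198.51.100.0/24"),
}
# Message types a home GGSN expects from a visited SGSN over Gp
# (constructed policy; in practice tuned per partner and direction).
GP_INBOUND_ALLOWED = {ECHO_REQ, ECHO_RSP, CREATE_PDP_REQ, UPDATE_PDP_REQ,
                      UPDATE_PDP_RSP, DELETE_PDP_REQ, DELETE_PDP_RSP}

@dataclass
class GtpHeader:
    version: int        # bits 7-5 of octet 1; 1 for GTPv1
    protocol_type: int  # bit 4: 1 = GTP, 0 = GTP' (charging)
    msg_type: int
    length: int         # payload octets after the 8 mandatory header octets
    teid: int

def parse_gtpv1_header(pkt: bytes) -> GtpHeader:
    """Decode the 8 mandatory octets of a GTPv1 header (TS 29.060)."""
    if len(pkt) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if len(pkt) - 8 < length:
        raise ValueError("length field exceeds datagram")
    return GtpHeader(flags >> 5, (flags >> 4) & 1, msg_type, length, teid)

def gp_policy(src_ip: str, pkt: bytes) -> tuple[str, str]:
    """Allow/drop verdict for one GTP-C datagram arriving on the Gp boundary."""
    try:
        hdr = parse_gtpv1_header(pkt)
    except ValueError as err:
        return "DROP", str(err)
    if hdr.version != 1 or hdr.protocol_type != 1:
        return "DROP", f"not GTPv1 (version={hdr.version}, PT={hdr.protocol_type})"
    addr = ipaddress.ip_address(src_ip)
    partner = next((n for n, net in PARTNER_ENDPOINTS.items() if addr in net), None)
    if partner is None:
        return "DROP", f"{src_ip} is not a listed roaming-partner GTP endpoint"
    if hdr.msg_type not in GP_INBOUND_ALLOWED:
        return "DROP", f"message type {hdr.msg_type} not permitted inbound from {partner}"
    return "ALLOW", f"type {hdr.msg_type} from {partner}, TEID 0x{hdr.teid:08x}"
```

A real GTP firewall additionally tracks PDP context state (a Delete or Update for a TEID it never saw created is itself a finding); the header and allowlist checks above are the stateless first layer.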


Spec references

  • 3GPP TS 23.060: GPRS service description. The normative architecture and procedure reference for the SGSN. Sections 6 and 7 define the functional model; Section 9 defines mobility management and session management procedures.

  • 3GPP TS 29.060: GTP across Gn and Gp interfaces. Defines the GTP-C message set used by the SGSN to communicate with the GGSN, including Create PDP Context, Update PDP Context, and Delete PDP Context.

  • GSMA IR.88: LTE and EPC Roaming Guidelines. Contains GTP security requirements for the Gp interface, including IP address whitelisting and GTP message filtering.


The SGSN queries the HLR via MAP over SS7 for authentication and location management. It connects to the GGSN via GTP-C and GTP-U on the Gn/Gp interfaces. The STP routes the SS7 signalling between the SGSN and the HLR.

The SGSN is superseded by the MME (control plane) and Serving Gateway (user plane) in 4G EPC. In the context of roaming security, the Gp interface is the primary attack surface.