Addressing Security for 5G Cloud Radio Access Networks

Small cells have been around for a little more than a decade and they will become ever more important in 5G era. Per the Small Cell Forum’s definition, a small cell is a radio access point with low radio frequency (RF) power output, footprint and range. It is operator controlled and can be deployed indoors or outdoors, and in licensed, shared or unlicensed spectrum.

In addition to small cells, centralized radio access network (CRAN) is evolving, and over time both of these technologies have crossed over - CRAN is one of the preferred modes of small cell deployment. In case of CRAN, the remote radio head (RRH) is physically separated from the baseband unit (BBU) with multiple distributed RRHs connected to a central BBU. A very common use case for such deployment is a multi-tenant dwelling, such as high-rise apartments, where each unit may have an RRH connected over Ethernet to a centralized BBU, potentially somewhere in the basement of multi-tenant dwelling. The BBU, in turn, is connected to a central office over high-capacity fiber.

In case of 5G, CRAN and small cells gain special prominence because 5G will use >6GHz spectrum (in addition to sub-6GHz spectrum), limiting the cell size due to propagation issues at such high frequency. Distribution of RRH and BBU have mostly been left to proprietary implementations with some choosing to keep only the radio physical (PHY) at the RRH, while others have chosen to keep medium access control (MAC) and radio link control (RLC) in RRH. With 5G, 3GPP is working towards standardizing this distribution to drive interoperability.

The figure below shows the 5G service-based architecture (SBA) and end-to-end control plane protocol stack.


5G service-based architecture (SBA), end-to-end control plane protocol stack


With 5G centralized RAN, gNB (5G NR NodeB) gets divided into a gNB distributed unit (gNB-DU), a gNB central-unit control plane (gNB-CU-CP) and a gNB central-unit data plane (gNB-CU-DP). As a result, 3GPP is defining control- and user-plane separation (CUPS) in gNB-CU, as well. Essentially, gNB-DUs are the remote radio head and get distributed, while gNB-CU-CP and gNB-CU-CP form a centralized base band unit. Both gNB-CU-CP and gNB-CU-DP can be virtual network functions running in the cloud, and thus, giving us a 5G cloud RAN. Multiple instances of gNB-CU-DP are controlled by one instance of gNB-CU-CP following the usual CUPS concept for on-demand scale-out. 3GPP has introduced two new protocols, F1 application protocol (F1AP) and E1 application protocol (E1AP). F1AP is used to relay packet data convergence protocol (PDCP) control-plane messages and radio resource control (RRC) messages between the gNB-DU and gNB-CU-CP. This, in turn, uses E1AP to program GTP-U tunnels for the data path in gNB-CU-DP.

An end-to-end data plane 5G protocol stack of cloud RAN is shown in the figure below.


End-to-end data plane 5G protocol stack of cloud RAN


As you can see from the control-plane and data-plane 5G protocol stack figures, interaction among all the distributed gNB components is now on IP infrastructure. gNB-DUs are potentially low-cost units self-deployed and/or self-managed by consumers, similar to WiFi access points today. This introduces points of security vulnerability into the 5G RAN infrastructure requiring protection against traditional threats such as DDoS attacks. Fortunately, traditional security tools such as IPS/IDS and firewalls will help protect 5G cloud RANs against these new threat entry points.

To summarize, while cloud RAN opens up 5G networks to new security vulnerabilities that have been prevalent in WiFi access points and IoT devices, we can leverage current security tools such as firewalls, DDoS protection tools, etc., to address these new security vulnerabilities in 5G networks.

Related links:
5G Security
DDoS protection
Service Provider Solutions