
RF-301 Weeks 6-7 — Cellular Protocols: LTE + 5G NR via OpenAirInterface


"The 5G New Radio (NR) design was a clean-sheet departure from LTE. Where LTE defined one OFDM numerology (15 kHz subcarrier spacing), 5G NR defines five numerologies, scaling from 15 kHz to 240 kHz, to serve a range of use cases from massive IoT to mmWave high-throughput." — Kurose-Ross, Computer Networking, 9th ed., §7.3.3


Lecture (90 min × 2)

5.1 LTE Architecture: The Evolved Packet System

Long-Term Evolution (LTE) is the 4G cellular standard. Its architecture (the Evolved Packet System, EPS) decomposes into two domains:

Evolved Radio Access Network (E-UTRA or E-UTRAN):

  • The eNB (evolved Node B) is the base station. It handles radio scheduling, HARQ (hybrid ARQ retransmission), beamforming, and handover.
  • eNBs connect to each other via the X2 interface (direct eNB-to-eNB for handover coordination)
  • eNBs connect to the core network (EPC) via the S1 interface

Evolved Packet Core (EPC):

  • MME (Mobility Management Entity): Control plane. Manages UE authentication, tracking area updates, paging, handover signaling
  • S-GW (Serving Gateway): User-plane anchor during intra-LTE handover; routes user data
  • P-GW (PDN Gateway): Connects the LTE network to external IP networks; assigns UE IP addresses; enforces QoS

LTE physical layer:

LTE downlink uses OFDMA (Orthogonal Frequency Division Multiple Access): the available bandwidth is divided into subcarriers (15 kHz spacing) organized into Resource Blocks (RBs). Each RB is 12 subcarriers × 1 slot (0.5 ms) = 12 × 7 OFDM symbols = 84 resource elements.

LTE uplink uses SC-FDMA (Single-Carrier FDMA): similar to OFDMA, but with DFT precoding (DFT spreading) of the data symbols to reduce the peak-to-average power ratio (PAPR) -- critical for battery-powered UEs, where power-amplifier efficiency matters.

Random Access Channel (RACH) procedure:

The RACH is how a UE establishes initial contact with the eNB. The 4-step procedure:

  1. Msg1 (Random Access Preamble): UE selects one of 64 preamble sequences (Zadoff-Chu sequences, which have ideal cyclic autocorrelation) and transmits on PRACH
  2. Msg2 (Random Access Response): eNB responds with timing advance, a temporary C-RNTI, and an uplink grant for Msg3
  3. Msg3 (RRC Connection Request): UE sends its UE identity and connection reason
  4. Msg4 (Contention Resolution): eNB resolves collisions (multiple UEs selecting the same preamble)

The Zadoff-Chu preamble is the RF-level signature of an LTE RACH event. It is visible in a spectrum capture as a short burst at the PRACH frequency resource.


5.2 OpenAirInterface: Running LTE in Software

OpenAirInterface (OAI) is an open-source implementation of the LTE and 5G NR protocol stacks. It runs on standard Linux servers connected to USRP, bladeRF, or other RF hardware through the UHD or SoapySDR driver interface.

OAI components:

  • oai-enb: LTE eNB (base station); runs all E-UTRAN layers (PHY/MAC/RLC/PDCP/RRC)
  • oai-mme: LTE MME (mobility management entity)
  • oai-spgwu: Combined S-GW + P-GW
  • oai-nr-ue: 5G NR UE; supports NSA (non-standalone) and SA (standalone) modes
  • oai-gnb: 5G NR gNB (next-generation base station)

Lab 5 environment (Docker-based):

# Bring up the OAI LTE stack
cd openairinterface5g/docker-compose/

# Use the provided docker-compose.yml for LTE (enb + mme + spgwu)
docker-compose -f docker-compose-enb.yml up -d

# Check logs
docker-compose logs -f oai-enb | grep -E "STATE|ATTACH|RACH"

OAI log anatomy: The OAI eNB log streams PHY layer events. Key events to identify:

[PHY]   PRACH_RX subframe 5: preamble_index 37, TA 10, RSSI -82 dBm
[MAC]   RA-Msg2: UE RNTI 0x1234 TA=10 ul_grant=...
[RRC]   RRC Connection Setup UE RNTI 0x1234
[NAS]   ATTACH REQUEST from IMSI 208930000000001

Each line corresponds to one step of the attach procedure at a different protocol layer.
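An added example (not OAI code) of reading that log anatomy programmatically: a small Python parser that groups the per-layer lines into one record per random-access attempt and flags attempts that never reach the NAS ATTACH REQUEST. The sample lines are constructed to match the excerpt above; real OAI output varies by release, so the regexes are an assumption to adjust for your build.

```python
import re
# Constructed sample in the shape of the OAI eNB log excerpt above.  The
# regexes assume that shape; real OAI releases differ, so adjust them.
SAMPLE_LOG = """\
[PHY]   PRACH_RX subframe 5: preamble_index 37, TA 10, RSSI -82 dBm
[MAC]   RA-Msg2: UE RNTI 0x1234 TA=10 ul_grant=12
[RRC]   RRC Connection Setup UE RNTI 0x1234
[NAS]   ATTACH REQUEST from IMSI 208930000000001
[PHY]   PRACH_RX subframe 7: preamble_index 12, TA 3, RSSI -90 dBm
[MAC]   RA-Msg2: UE RNTI 0x1235 TA=3 ul_grant=12
"""

PRACH = re.compile(r"\[PHY\]\s+PRACH_RX subframe (\d+): preamble_index (\d+), "
                   r"TA (\d+), RSSI (-?\d+) dBm")
MSG2 = re.compile(r"\[MAC\]\s+RA-Msg2: UE RNTI (0x[0-9a-fA-F]+) TA=(\d+)")
RRC = re.compile(r"\[RRC\]\s+RRC Connection Setup UE RNTI (0x[0-9a-fA-F]+)")
NAS = re.compile(r"\[NAS\]\s+ATTACH REQUEST from IMSI (\d+)")

def parse_attach_timeline(log_text):
    """Group per-layer log lines into one record per random-access attempt.
    PRACH_RX opens an attempt; Msg2 is matched to it by timing advance, RRC
    by RNTI; the NAS line has no RNTI, so it is credited to the attempt that
    most recently reached RRC (fine for a single-UE lab capture)."""
    attempts, by_rnti, last_rrc = [], {}, None
    for line in log_text.splitlines():
        if m := PRACH.search(line):
            attempts.append({"subframe": int(m[1]), "preamble": int(m[2]),
                             "ta": int(m[3]), "rssi_dbm": int(m[4]),
                             "steps": ["Msg1"]})
        elif m := MSG2.search(line):
            for a in reversed(attempts):  # newest Msg1 with the same TA
                if "rnti" not in a and a["ta"] == int(m[2]):
                    a["rnti"] = m[1].lower()
                    a["steps"].append("Msg2")
                    by_rnti[a["rnti"]] = a
                    break
        elif m := RRC.search(line):
            if a := by_rnti.get(m[1].lower()):
                a["steps"].append("RRC")
                last_rrc = a
        elif m := NAS.search(line):
            if last_rrc is not None:
                last_rrc["imsi"] = m[1]
                last_rrc["steps"].append("NAS")
    return attempts

def stalled_attempts(attempts):
    """Attempts with no ATTACH REQUEST: a lost contention (Msg4) or Msg3 miss."""
    return [a for a in attempts if a["steps"][-1] != "NAS"]
```

Feed it `docker-compose logs oai-enb` output instead of SAMPLE_LOG to get one record per RACH burst, which is what Lab 5 Part A asks you to annotate.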


5.3 5G NR: New Radio Architecture

5G New Radio (NR) is the 5G radio standard. It differs from LTE in three key dimensions:

Flexible numerology (μ parameter): LTE has one subcarrier spacing (15 kHz). 5G NR defines five numerologies:

μ   Subcarrier spacing   Symbol duration   Use case
0   15 kHz               66.7 μs           Similar to LTE; sub-6 GHz eMBB
1   30 kHz               33.3 μs           Sub-6 GHz eMBB; preferred for 5G
2   60 kHz               16.7 μs           Unlicensed; sub-6 GHz high BW
3   120 kHz              8.33 μs           mmWave; high bandwidth
4   240 kHz              4.17 μs           mmWave reference signal

A larger subcarrier spacing gives shorter OFDM symbols, which reduces sensitivity to phase noise at mmWave carriers and suits the multipath conditions encountered at high carrier frequencies.

Massive MIMO + beamforming: 5G NR gNBs use antenna arrays with 32-256 elements. Beamforming focuses the transmitted energy toward individual UEs, increasing link SNR and enabling spatial multiplexing of multiple UEs on the same time-frequency resource. The beamforming weights are updated per slot (every 0.5 ms or faster); from the UE's perspective, the beam sweep is visible as Reference Signal Received Power (RSRP) variations during cell search.

mmWave bands (FR2): 5G NR operates in two frequency ranges:

  • FR1: 410 MHz - 7125 MHz (sub-6 GHz; extends LTE coverage)
  • FR2: 24250 MHz - 52600 MHz (mmWave; new spectrum for 5G)

mmWave provides enormous bandwidth (hundreds of MHz per carrier) but limited range and severe blockage by buildings, trees, and even rain. The propagation model for mmWave is fundamentally different from sub-6 GHz.


5.4 The 5G Core: Service-Based Architecture

The 5G Core (5GC) replaces the LTE EPC with a service-based architecture (SBA). Each network function (NF) exposes an HTTP/2 + JSON northbound API. NFs communicate via the Service-Based Interface (SBI), which can be thought of as a microservices bus.

5G Core Network Functions:

NF                                      Role                                       Equivalent LTE element
AMF (Access and Mobility Management)    UE registration, mobility, paging          MME
SMF (Session Management)                PDU session establishment, IP assignment   MME + PGW (control)
UPF (User Plane Function)               User data routing and forwarding           S-GW + P-GW (data)
UDM (Unified Data Management)           Subscriber database                        HSS
AUSF (Authentication Server Function)   Authentication and 5G-AKA                  HSS
PCF (Policy Control Function)           QoS policies                               PCRF
NRF (NF Repository Function)            Service discovery (like DNS for NFs)       --

The control-plane / user-plane separation (CUPS) is explicit in 5G: SMF controls the UPF via the N4 interface (PFCP protocol), but user data never flows through SMF. This enables the UPF to be deployed at the edge (close to the UE) while the SMF remains centralized.

Cross-reference: handouts/cross-chapter-control-plane-architectures.md compares the 5G Core service-based architecture against SDN and Mobile-IP along three axes (control-plane decomposition, routing model, state-management strategy). Read the handout before the Week 7 lab session.


5.5 5G-AKA: Authentication and SUCI/SUPI

The 5G-AKA (Authentication and Key Agreement) protocol is the Belt-5 anchor. The full progression from 802.11i to WPA3 to 5G-AKA is in handouts/cross-chapter-wireless-aka-progression.md -- do not duplicate the handout in this lecture; build on it.

The SUCI mechanism (the central RF-track insight):

In 4G LTE (and 2G/3G), the UE transmits its IMSI in cleartext during initial attach. An IMSI catcher (rogue base station) that impersonates a legitimate base station -- possibly with a stronger signal -- can receive the UE's IMSI. The IMSI is a permanent identifier: knowing it identifies the subscriber.

In 5G, the UE does not transmit the SUPI (Subscription Permanent Identifier, formerly IMSI) in cleartext. Instead, the UE generates a SUCI (Subscription Concealed Identifier) by encrypting the SUPI using the home network's ECIES (Elliptic Curve Integrated Encryption Scheme) public key, which is provisioned in the USIM. Only the home network's AUSF has the corresponding private key. A rogue gNB -- even one that successfully performs the 5G-AKA challenge-response -- cannot decrypt the SUCI because it lacks the home network private key.

5G-AKA sequence (abbreviated):

UE                            gNB/AMF                           AUSF/UDM
|-- Registration Request ---->|                                 |
|   (contains SUCI)           |-- Nausf_UEAuthentication ------>|
|                             |                                 |-- compute AV (RAND, AUTN, HXRES*, KAUSF)
|                             |<-- AUTN, HXRES*, KAUSF ---------|
|<-- Authentication Request --|                                 |
|   (RAND, AUTN)              |                                 |
|-- compute RES*, check AUTN  |                                 |
|-- Authentication Response ->|                                 |
|   (RES*)                    |-- Nausf_UEAuthentication ------>|
|                             |   (RES*)                        |-- compare HRES* with HXRES*
|                             |<-- 5G-AKA success --------------|
|<-- Security Mode Command ---|                                 |
|-- Security Mode Complete -->|                                 |

The AUSF computes HXRES* = SHA-256(XRES* || RAND) -- a hash of the expected response. The gNB/AMF only knows HXRES*, not XRES*. This prevents a compromise of the AMF from yielding the authentication vector directly.
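An added example (not part of the lecture or of any OAI code) of the HXRES* check from the sequence above: the AUSF derives HXRES* from RAND and XRES*, hands only that hash to the serving network, and the AMF verifies the UE's RES* without ever holding XRES*. The concatenation order RAND || XRES* and the truncation to the 128 least significant bits follow TS 33.501 Annex A.5; RAND and XRES* are constructed values.

```python
import hashlib
import hmac

# Constructed values, not real subscriber data: the 128-bit RAND placed in the
# authentication vector and the XRES* that the AUSF keeps to itself.
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
XRES_STAR = bytes.fromhex("ffeeddccbbaa99887766554433221100")

def hxres_star(rand, xres_star):
    """HXRES* per TS 33.501 Annex A.5: the 128 least significant bits of
    SHA-256(RAND || XRES*).  Only this hash, never XRES*, goes to the AMF."""
    return hashlib.sha256(rand + xres_star).digest()[-16:]

def amf_check_response(hxres, rand, res_star):
    """Serving-network side: hash the UE's RES* with the RAND that was sent and
    compare to HXRES* from the AUSF.  Constant-time compare, so the check
    itself leaks nothing about HXRES*."""
    hres = hashlib.sha256(rand + res_star).digest()[-16:]
    return hmac.compare_digest(hres, hxres)

def ausf_check_response(xres_star, res_star):
    """Home-network side: the AUSF still compares RES* with the full XRES*, so a
    serving network cannot vouch for a UE it never actually authenticated."""
    return hmac.compare_digest(xres_star, res_star)

def run_exchange(res_star_from_ue):
    """Replay the RES*/HXRES* steps of the sequence diagram for one UE answer;
    returns (amf_accepts, ausf_accepts)."""
    hxres = hxres_star(RAND, XRES_STAR)            # AUSF -> AMF: RAND, AUTN, HXRES*
    amf_ok = amf_check_response(hxres, RAND, res_star_from_ue)
    # The AMF forwards RES* to the AUSF only if its local HRES* check passed.
    ausf_ok = amf_ok and ausf_check_response(XRES_STAR, res_star_from_ue)
    return amf_ok, ausf_ok

if __name__ == "__main__":
    print(run_exchange(XRES_STAR))        # genuine UE: (True, True)
    print(run_exchange(bytes(16)))        # wrong RES*: (False, False)
```

Note that nothing in the AMF's inputs (RAND, AUTN, HXRES*) lets it produce a valid RES* itself; it can only recognise one.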

From the RF-track perspective: The 5G-AKA exchange produces keying material that protects not just the NAS signaling but also the AS (Access Stratum -- the radio layer). The PDCP layer (the top of the radio stack) is protected by keys derived from the 5G-AKA exchange. A passive receiver cannot decrypt the PDCP payload without the session keys.


5.6 DOCSIS Cross-Reference: Wired RF as Cellular's Cousin

The DOCSIS handout (handouts/cross-chapter-docsis-quad-cross-cut.md) reads the DOCSIS cable-modem PHY/MAC as a structural cousin to the cellular RACH + uplink-grant + symbol-decode pipeline. The comparison:

  • DOCSIS upstream TDMA/SC-FDMA vs. LTE uplink SC-FDMA: both use single-carrier transmission from multiple endpoints sharing a medium; both use a ranging/timing-advance procedure (DOCSIS's Initial Ranging; LTE's RACH timing advance) to align upstream transmissions
  • DOCSIS burst-mode receiver vs. LTE PUSCH decoder: both must recover timing and phase from per-burst preambles because the upstream burst may have arbitrary timing relative to the receiver
  • DOCSIS SB6141 lab target (RE-201's SB6141 hardware): the PHY/MAC analysis in the DOCSIS handout applies directly to the SB6141's DOCSIS 3.0 implementation -- students who complete Lab 10 (cellular RE cross-cut) are positioned to read the SB6141 PHY at the same depth

5.7 Anchor Weave: Kurose-Ross 9e §7.3.3, §7.4, §7.5.3, §8.8.2

The four Kurose-Ross 9e sections are the primary anchors for the cellular week. Read them as one coupled block:

  • §7.3.3 (5G New Radio): flexible numerology, massive-MIMO beamforming, mmWave propagation -- the radio side
  • §7.4 (5G Core): AMF/SMF/UPF/UDM/AUSF/PCF/NRF, service-based interface, CUPS -- the core network side
  • §7.5.3 (5G Mobility): intra-gNB handover, inter-gNB handover, inter-AMF mobility -- the mobility side
  • §8.8.2 (5G-AKA): SUCI/SUPI/ECIES, AUSF/UDM, HXRES*, key hierarchy -- the authentication side

The reading commitment: §7.3.3 + §7.4 before the Week 6 lecture; §7.5.3 + §8.8.2 before the Week 7 lecture.

Cross-reference to anchor reading guide: The handouts/cross-chapter-rf-301-anchor-reading-guide.md (already landed) §3-§4 provides the detailed per-section reading walk for these Kurose-Ross anchors. The reading guide is the assignment; this lecture section contextualizes it.


Lab Introduction

Lab 5 (25 pts): OpenAirInterface LTE attach procedure; SNR budget instrumentation across the receiver chain. Part A (LTE): bring up OAI eNB in Docker; connect an authorised UE or srsUE software UE; capture and annotate the RACH + attach procedure. Part B (5G NR): bring up OAI gNB in NSA mode; observe the 5G-AKA exchange in the AMF logs; instrument the SNR across the PUSCH receive chain. See labs/lab-5.md.

Independent Practice

  1. Kurose-Ross §7.4: draw the 5G Core NF roster on paper with the reference points (N1, N2, N3, N4, N6, N11, N12, etc.). Label which NFs are control-plane-only vs. user-plane-capable
  2. Read the OAI online documentation for the eNB configuration file (enb.conf). Identify the parameters for: carrier frequency, system bandwidth (number of RBs), PLMN ID, tracking area code
  3. The handouts/cross-chapter-wireless-aka-progression.md handout is the pre-reading for the 5G-AKA section. After reading it, write a 150-word explanation of why SUCI prevents the classical IMSI catcher from functioning -- at the RF layer (what does the rogue gNB receive? what can it not compute?)