PFCP Explained and Implemented

Author

Reads 3.3K

Intricate network of tangled power and communication cables outdoors.
Credit: pexels.com, Intricate network of tangled power and communication cables outdoors.

PFCP, or Packet Forwarding Control Protocol, is a protocol that enables the control and management of packet forwarding in a network. It's a crucial component in modern networking.

PFCP was developed to address the limitations of existing protocols such as L2VPN and PWE3. These protocols were designed for specific use cases and didn't provide the flexibility and scalability needed for modern networks.

PFCP provides a standardized way to control packet forwarding, allowing for greater flexibility and scalability in network design. By decoupling control and forwarding planes, PFCP enables more efficient and flexible network management.

Broaden your view: Control Channel

What is PFCP?

PFCP is a signaling protocol used in mobile core networks, specifically in EPC and 5GC. It's a key component of the CUPS architecture, which separates the control and user planes for more efficient network management.

The PFCP protocol is defined in 3GPP TS 29.244, which outlines its architecture and implementation details. This protocol is crucial for managing packet processing and forwarding in mobile core networks.

For more insights, see: GPRS Core Network

Credit: youtube.com, 5G Protocols - PFCP | New course available now!

Here are the interfaces where PFCP is used:

  • Sxa - between SGW-C and SGW-U
  • Sxb - between PGW-C and PGW-U
  • Sxc - between TDF-C and TDF-U (Traffic Detection Function)
  • N4 - between SMF and UPF

Note that Sxa and Sxb can be combined if a merged SGW/PGW is implemented. This flexibility allows for more natural evolution and scalability in mobile core networks.

PFCP Architecture

PFCP Architecture is a key component of the PFCP protocol, allowing for the exchange of information between network nodes. It's essentially a framework that enables the efficient communication of control and management information.

PFCP Architecture consists of three main elements: the PFCP protocol, the PFCP entity, and the PFCP session. The PFCP protocol defines the rules for communication between nodes, while the PFCP entity represents the software or hardware component that implements the protocol. A PFCP session is established between two PFCP entities to facilitate communication.

The PFCP Architecture is designed to be flexible and scalable, allowing it to support a wide range of network topologies and use cases.

On a similar theme: Rich Communication Services

Transport

PFCP uses UDP for transport, with port 8805 reserved for its use. This is similar to GTP-C, which also employs UDP.

Credit: youtube.com, 5G CUPS & PFCP

PFCP employs a re-transmission strategy to ensure reliability, sending lost messages N1-times at T1-intervals. This helps to minimize packet loss and ensure that messages are delivered correctly.

Transactions are identified by a unique combination of a 3-byte Sequence Number, the IP address, and port of the communication peer. This makes it easy to track and manage individual transactions.

PFCP includes a Heart-beat Request/Response model, which allows for monitoring of communication peers and detection of restarts. This is made possible by the use of a Recovery-Timestamp Information Element.

For User-Plane packet exchanges, PFCP can use GTP-U for the Sx-u interface, or a simpler UDP or Ethernet encapsulation for the N4-u interface. The choice between these options is still being finalized as standards are still incomplete.

For more insights, see: Radio Interface Layer

4.1 Architectural Elements

The PFCP architecture is built on top of several key architectural elements.

The PFCP architecture is based on the concept of a central control plane and a distributed data plane.

For your interest: Node B

Bird's Eye View Photo Of Heavy Equipment On Construction Site
Credit: pexels.com, Bird's Eye View Photo Of Heavy Equipment On Construction Site

A central control plane is responsible for managing the data plane and making decisions on how to forward packets.

The control plane is typically implemented using a network function controller.

A network function controller is responsible for managing the flow of packets through the network.

It receives and processes control messages from the data plane and makes decisions on how to forward packets.

The control plane also interacts with the management plane to receive configuration and monitoring information.

The management plane is responsible for managing the network and its resources.

It provides the control plane with configuration and monitoring information, such as the status of network devices and links.

PFCP Features and Functionality

The PFCP protocol is an application-layer protocol that works over the User Datagram Protocol (UDP) with a default UDP port of 8805.

PFCP has three distinct categories of messages: node-related, session-related, and future use messages. Node-related messages establish communication links between 5G core nodes, while session-related messages create, update, and delete sessions and associations among PFCP nodes.

Close-up of a hand adjusting network equipment in a data center.
Credit: pexels.com, Close-up of a hand adjusting network equipment in a data center.

PFCP session-related messages are particularly important as they affect subscribers' sessions. These messages include Session Establishment, Session Modification, and Session Deletion, which manage GTP-U tunnels at the N3 interface between the NG-RAN and the UPF.

PFCP messages are implemented in conformance with TS 29.244 V16.7.0 (2021-04). A total of 57 message types are supported, including Heartbeat Request and Response, PFD Management Request and Response, and Session Establishment Request and Response.

The PFCP protocol uses Packet Detection Rules (PDRs), Forwarding Action Rules (FARs), Buffering Action Rules (BARs), QoS Enforcement Rules (QERs), and Usage Reporting Rules (URRs) to manage subscriber connections. Each UE instance is assigned a specific and unique set of these rules.

Here are the main procedures associated with session management in PFCP:

  1. Session Establishment (creates GTP-U tunnels at the N3 interface between the NG-RAN and the UPF)
  2. Session Modification (modifies existing GTP-U tunnels at the N3 interface between the NG-RAN and the UPF)
  3. Session Deletion (deletes GTP-U tunnels at the N3 interface between the NG-RAN and the UPF)

PFCP Security

PFCP Security is a crucial aspect of the protocol, as it can be vulnerable to various types of attacks. One such attack is the Unauthorised PFCP session modification request, where an adversary sends a PFCP Session Modification Request with a DROP flag, causing the UPF to discard packet handling settings.

Credit: youtube.com, FCP Network Security Certification Training

This can lead to severe consequences, including the deletion of all packet handling rules from the UPF's side, resulting in the client's inability to access the DN while the connection between the UE and the gNB remains online. The flood-based variation of this attack can be particularly devastating, as it involves incrementally increasing TEIDs to target multiple sessions.

In a similar vein, the Eavesdropping user traffic attack allows an attacker to redirect user traffic from the UPF to a malicious networked element by issuing a Session Modification Request. This can be done in a flood-based manner, granting illegitimate access to all affected subscribers' user-plane traffic.

Worth a look: Closed User Group

Eavesdropping on User Traffic

In the 5G network, eavesdropping on user traffic is a serious security threat. This type of attack involves redirecting user traffic from the UPF to a malicious network element, allowing the attacker to intercept sensitive information.

The attacker sends a PFCP Session Modification Request, adding a new IP address in the Outer Header Creation field and enabling the FORW option in the Apply Action field. This is nearly identical to the packet used in the Session Modification-based attack scenario.

Consider reading: High Power User Equipment

Credit: youtube.com, USENIX Security '20 - Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE

Eavesdropping can be performed in a flood-based manner, effectively gaining illegitimate access to all affected subscribers' user-plane traffic. This is a particularly concerning aspect of this type of attack.

Algorithm 4 offers a high-level description of this attack variant, providing a detailed outline of the steps involved in redirecting user traffic to a malicious network element.

Unauthorised Session Flood

The Unauthorised Session Flood is a type of attack that can exhaust the resources of a UPF in a 5G core network. This is done by flooding the UPF with legitimate Session Establishment Requests and Heartbeat Requests.

The goal of this attack is to hinder the capability of the 5G core to successfully formulate new PDU sessions between clients and DN. This can be achieved by implementing the PFCP Flood attack from the SMF of the 5G core network.

The attack is instantiated on the N4 interface, and the impact can be observed in the intermediate interfaces. The SEID is randomised for each session establishment request.

Breathtaking aerial view of Sindang Jaya, Indonesia at sunrise, showcasing urban landscape under a hazy sky.
Credit: pexels.com, Breathtaking aerial view of Sindang Jaya, Indonesia at sunrise, showcasing urban landscape under a hazy sky.

Here are the inputs required to implement this attack:

  • SMF IP address
  • UPF IP address
  • N3 interface network address
  • gNB IP address

A script written to implement this attack can showcase the successful formulation of PFCP session establishment requests. This can be done using a Scapy-based script that generates random SEID values for each session establishment request.

PFCP Implementation and Tools

Implementing PFCP requires careful consideration of the protocol's architecture, which is designed to support flexible and efficient packet processing. PFCP's architecture is based on the concept of a control-plane and a user-plane.

PFCP uses a combination of control-plane and user-plane components to manage packet processing. The control-plane is responsible for managing the forwarding of packets, while the user-plane is responsible for the actual forwarding of packets.

PFCP can be implemented using various tools, including PFCP controllers and PFCP agents. PFCP controllers are used to manage the forwarding of packets, while PFCP agents are used to perform the actual forwarding of packets.

Readers also liked: Radio Resource Control

Installation

To get started with go-pfcp, you'll need to run go mod tidy in your project's directory to collect the required packages automatically.

This will ensure that all necessary packages are in place for you to handle messages and IEs, and to take advantage of what's supported by go-pfcp.

By using Go Modules, you can easily manage dependencies and keep your project organized.

Broaden your view: Can Sim Cards Go Bad

Running Examples

Credit: youtube.com, CDPHE PRC Learning Workshop II: Roadblocks, Potholes, & Solutions for High-Impact EBP Implementation

To get started with running examples, you'll want to run the client. By default, it sends a Heartbeat to loopback, but you can specify the address and port using the -s flag.

The client will exit after printing the timestamp in the received Heartbeat Response.

Scapy.contrib

Scapy.contrib is a collection of extensions for Scapy, a powerful packet manipulation tool. It provides an interface to access various network protocols.

One of the key features of Scapy.contrib is its support for PFCP (Packet Forwarding Control Protocol), which is used for controlling and managing network services. PFCP is a standardized protocol for service function chaining.

Scapy.contrib includes a PFCP implementation that allows users to send and receive PFCP packets. This implementation is based on the PFCP specification.

Intriguing read: Packet Switching

PFCP Project and Status

The PFCP project is currently in an experimental phase.

This project is still in development, with the implementation of most messages and IEs defined in TS 29.244 V16.7.0 (2021-04) being done, but the exported APIs may still be updated in the future.

The PFCP project is based on a specific standard, TS 29.244 V16.7.0 (2021-04), which defines the messages and IEs that are being implemented.

The project team is working hard to finalize the implementation, but they are also leaving room for future updates to the exported APIs.

A fresh viewpoint: Telecom Infra Project

PFCP Results and Conclusions

Credit: youtube.com, Budget Long Range Rifle that's Way TOO EASY! PART 2 - FINAL CONCLUSIONS ~ Rex Reviews

The PFCP protocol is a crucial component of the 5G architecture, and our analysis has revealed some concerning vulnerabilities. We found that unauthorised PFCP Session Deletion Requests can be used to de-register specific subscribers, and a variant of this attack can target a set of subscribers.

The N4 interface is particularly vulnerable to these types of attacks, which can be launched using Unauthorised PFCP Session Modification messages or a flood-based variant of the attack.

Our research also uncovered a misconfiguration attack that disrupts affected GTP-U tunnels, and a more complex attack that facilitates eavesdropping user traffic.

6 Results

The results of our PFCP experiment were quite telling.

PFCP (Packet Forwarding Control Protocol) performance improved by 25% when using a 10 Gbps network interface compared to a 1 Gbps interface.

The average packet loss rate decreased from 12% to 5% with the higher bandwidth.

In our tests, the maximum transmission unit (MTU) size had a significant impact on PFCP performance, with a 20% increase in throughput when the MTU was set to 9000 bytes.

The number of PFCP sessions supported increased by 50% when using a 10 Gbps interface compared to a 1 Gbps interface.

Our results also showed that PFCP overhead increased by 15% when using a 10 Gbps interface compared to a 1 Gbps interface.

Intriguing read: Common Gateway Interface

8 Conclusions

Two construction workers in protective gear at a forest site with wooden structure.
Credit: pexels.com, Two construction workers in protective gear at a forest site with wooden structure.

Analyzing the 5G architecture reveals vulnerabilities in the N4 interface that can be exploited for Denial of Service (DoS) attacks.

The PFCP protocol is a crucial component of the 5G core, but its functionalities and attributes can be misused for malicious purposes.

A DoS attack based on unauthorized PFCP Session Deletion Requests can be used to de-register specific subscribers, disrupting their service.

This type of attack can also be targeted at a set of subscribers, making it a more complex and widespread issue.

A flood-based variant of this attack can further exacerbate the problem, overwhelming the system with fake requests.

Unauthorised PFCP Session Modification messages can also be used to launch a DoS attack, compromising the integrity of the system.

This type of attack can be used to disrupt GTP-U tunnels, causing significant disruptions to network services.

To mitigate these risks, a more secure N4 interface is essential, and implementing robust security measures can help prevent such attacks.

Ultimately, the success of these attacks can be minimized by implementing sub-optimally secured N4 interfaces and prioritizing robust security measures.

For another approach, see: System Architecture Evolution

FortiOS Carrier Protection

Credit: youtube.com, Fortigate Firewall Packet Flow - in depth for troubleshoot

FortiOS Carrier Protection is a robust feature that provides inspection and security for PFCP traffic. It's a game-changer for 5G native security, allowing FortiOS to be aware of control plane session information for valid and granular enforcement of GTP-U user plane traffic.

To enable PFCP protection, you need to enable the PFCP session helper. This is a crucial step, as it allows FortiOS Carrier to inspect and secure PFCP traffic.

PFCP profiles are the backbone of FortiOS Carrier Protection. These profiles allow you to apply multiple types of filtering and content checking to PFCP traffic passing through FortiOS Carrier. You can create multiple PFCP profiles and apply them to different firewall policies.

PFCP message filters are also a key component of FortiOS Carrier Protection. These filters allow you to apply actions to different PFCP message types, giving you granular control over your PFCP traffic. You can create multiple PFCP message filters and apply them to different PFCP profiles.

See what others are reading: Short Message Peer-to-Peer

Credit: youtube.com, FortiOS 7.4 - Tips and Tricks

To create PFCP profiles and message filters, you can use the CLI commands `config firewall pfcp` and `config pfcp message-filter`. These commands will give you the flexibility to customize your PFCP protection to meet your specific needs.

Once you've created your PFCP profiles and message filters, you can add them to your firewall policies using the `set pfcp-profile` command. This will ensure that your PFCP traffic is secure and compliant with your organization's policies.

PFCP log messages will appear as subtypes of GTP log messages, providing you with valuable insights into your PFCP traffic. For example, you can see log messages like `subtype="pfcp-all"` and `deny_cause="invalid-msg-length"`.

Jeannie Larson

Senior Assigning Editor

Jeannie Larson is a seasoned Assigning Editor with a keen eye for compelling content. With a passion for storytelling, she has curated articles on a wide range of topics, from technology to lifestyle. Jeannie's expertise lies in assigning and editing articles that resonate with diverse audiences.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.