5G/NR - Initial Attach

 

 

 

SA Initial Attach Sequence in a Nutshell

 

  • Initial Attach is the process that happens when you power on your phone. The following procedures happen at this stage.
  • Cell Search and Synchronization: The UE (User Equipment) searches for nearby cells and acquires the synchronization signals (PSS and SSS) to synchronize with the gNB (gNodeB) timing.
  • RRC Connection Establishment: The process of establishing radio resources.
  • Network Registration: The UE sends a Registration Request to the AMF to register with the 5G network.
  • Authentication: Authentication between the UE and the network. The network authenticates the UE and the UE authenticates the network.
  • Security Setup: The UE and network establish security keys for secure communication. This happens in two phases: NAS security and RRC security.
  • Network Acceptance: The AMF sends a Registration Accept message to the UE, confirming successful registration and providing configuration information such as the UE's 5G-GUTI (Globally Unique Temporary Identifier).
  • RRC Reconfiguration: The network reconfigures RRC for the registered UE based on the UE's capabilities.
  • PDU Session Establishment: The process of establishing the data pipe. The UE initiates the process, and the network responds to the request and sets up the data pipe.

SA Initial Attach Sequence In Detail

The following is a high-level sequence of call processing for the SA (Stand Alone) initial attach process. For simplicity, I have listed only the sequence that is exchanged between the UE and the NW (Network) over the air (OTA). In reality, a lot of other signaling happens in the core network during the attach process.

SA Initial Attach - Overall Signaling Flow

A simplified call processing flow (signaling flow) of the SA Initial Attach process, with focus on OTA (Over The Air) messages, is illustrated below. If you want a more detailed flow that also includes the core network side signaling, refer to ref [2] from EventHelix, which is a very nicely written sequence diagram. In the diagram below, I packed multiple steps (multiple signaling messages) into one process for simplicity. We will go through each detailed step in the next section.

 

Downlink / Uplink Synchronization:

    The first step in 5G Standalone (SA) call processing is to synchronize the UE (User Equipment) with the gNB (gNodeB). We can split this into two parts: downlink synchronization and uplink synchronization. Downlink sync comes first, and then uplink sync happens.

    Downlink Synchronization: The UE performs cell search and acquires the synchronization signals, Primary Synchronization Signal (PSS) and Secondary Synchronization Signal (SSS), which help the UE to identify the cell and synchronize with its timing.

    Uplink Synchronization : This is achieved by RACH Process. The Random Access Channel (RACH) is used by the UE for initial uplink synchronization with the gNB. It involves transmitting a randomly chosen preamble from the UE, which the gNB detects and responds with a timing adjustment. This process enables the UE to align its transmission timing with the gNB, allowing for efficient communication.

RRC Establishment:

    After synchronization, the UE initiates the Radio Resource Control (RRC) connection establishment procedure by sending an RRCSetupRequest message to the gNB. The gNB responds with an RRCSetup message, which includes essential configuration information for the UE to access network resources.

Registration Request:

    Once the RRC connection is established, the UE sends a Registration Request message to the network (Core Network, specifically the Access and Mobility Management Function, AMF) to register with the 5G network. This message includes important information such as the UE's security credentials and UE's network capability.

Authentication Process:

    To ensure secure communication, the network initiates an authentication process. The AMF generates an authentication challenge for the UE, which includes a random number and an expected authentication response. The UE computes the authentication response based on the challenge and its security credentials, and sends it back to the AMF. If the response matches the expected value, the authentication is successful.

Security Process:

    After successful authentication, the UE and network establish security keys for secure communication. The AMF sends a Security Mode Command to the UE, specifying the security algorithms to be used for ciphering and integrity protection. The UE acknowledges the command with a Security Mode Complete message.

Registration Accept:

    Once the security process is complete, the AMF sends a Registration Accept message to the UE, which includes the UE's 5G-GUTI (Globally Unique Temporary Identifier) and other relevant configuration information. The UE is now successfully registered with the 5G network.

RrcReconfiguration:

    After successful registration, the gNB sends an RRCReconfiguration message to the UE, which includes the configuration information necessary for data transmission, such as the Radio Bearer and Physical Layer configurations.

PDU Session Establishment Request:

    To establish a data session, the UE sends a PDU (Protocol Data Unit) Session Establishment Request message to the network (specifically, the Session Management Function, SMF). This message includes the UE's data session requirements, SSC Mode, PCO, DNN etc.

PDU Session Establishment Accept:

    The SMF processes the PDU Session Establishment Request and allocates the necessary resources for the data session. The SMF sends a PDU Session Establishment Accept message to the UE, which contains the PDU session configuration information, such as the allocated QoS and the IP address. The UE is now ready for data transmission over the established PDU session.

SA Initial Attach - Sequence in Detail

The detailed mechanism of each of these steps is a very complicated process that cannot be described in a single page. Follow the hyperlink at each step if you want further details. Notice that there are multiple links even at a single step. I am only trying to provide a high-level skeleton in this page.

 

| Step | Direction | Message | Comment |
|---|---|---|---|
| 1 | UE <- NW | SSB (PSS,SSS,MIB) | |
| 2 | UE <- NW | PDCCH / CORESET 0 / DCI 1_0 | |
| 3 | UE <- NW | SIB1 | |
| 4 | UE <- NW | PDCCH / DCI 1_0 | |
| 5 | UE <- NW | Other SIBs | |
| 6 | UE -> NW | Msg1 (PRACH/Preamble) | |
| 7 | UE <- NW | (PDCCH / DCI 1_0, RA_RNTI) | |
| 8 | UE <- NW | Msg2 (PDSCH / Random Access Response) | |
| 9 | UE -> NW | Msg3 (RRC Setup Request) | |
| 10 | UE <- NW | (PDCCH / DCI 1_0, T_C_RNTI) | |
| 11 | UE <- NW | Msg4 (PDSCH / CR+RRC Setup) | |
| 12 | UE <- NW | (PDCCH / DCI 0_0 or 0_1, C_RNTI) | |
| 13 | UE -> NW | PUCCH or PUSCH / UCI (HARQ ACK/NACK) | |
| 14 | UE -> NW | (PUSCH) RRCSetupComplete+NAS:RegistrationRequest | |
| 15 | UE <- NW | (PDCCH/ DCI 1_0 or 1_1, C_RNTI) | |
| 16 | UE <- NW | (PDSCH) NAS:IdentityRequest | |
| 17 | UE -> NW | PUCCH or PUSCH / UCI (HARQ ACK/NACK) | |
| 18 | UE <- NW | (PDCCH/ DCI 0_0 or 0_1, C_RNTI) | |
| 19 | UE -> NW | (PUSCH) NAS:IdentityResponse | |
| 20 | UE <- NW | (PDCCH/ DCI 1_0 or 1_1, C_RNTI) | |
| 21 | UE <- NW | (PDSCH) NAS:AuthenticationRequest | |
| 22 | UE -> NW | PUCCH or PUSCH / UCI (HARQ ACK/NACK) | |
| 23 | UE <- NW | (PDCCH/ DCI 0_0 or 0_1, C_RNTI) | |
| 24 | UE -> NW | (PUSCH) NAS:AuthenticationResponse | |
| 25 | UE <- NW | (PDCCH/ DCI 1_0 or 1_1, C_RNTI) | |
| 26 | UE <- NW | (PDSCH) NAS:SecurityModeCommand | |
| 27 | UE -> NW | PUCCH or PUSCH / UCI (HARQ ACK/NACK) | |
| 28 | UE <- NW | (PDCCH/ DCI 0_0 or 0_1, C_RNTI) | |
| 29 | UE -> NW | (PUSCH) NAS:SecurityModeCommandComplete | |
| 30 | UE <- NW | (PDCCH/ DCI 1_0 or 1_1, C_RNTI) | |
| 31 | UE <- NW | (PDSCH) RRC:SecurityModeCommand | |
| 32 | UE -> NW | PUCCH or PUSCH / UCI (HARQ ACK/NACK) | |
| 33 | UE <- NW | (PDCCH/ DCI 0_0 or 0_1, C_RNTI) | |
| 34 | UE -> NW | (PUSCH) RRC:SecurityModeCommandComplete | |
| 35 | UE <- NW | (PDCCH/ DCI 1_0 or 1_1, C_RNTI) | |
| 36 | UE <- NW | (PDSCH) RRCReconfiguration + NAS : Registration Accept | |
| 37 | UE -> NW | PUCCH or PUSCH / UCI (HARQ ACK/NACK) | |
| 38 | UE <- NW | (PDCCH/ DCI 0_0 or 0_1, C_RNTI) | |
| 39 | UE -> NW | (PUSCH) RRCReconfigurationComplete + NAS : Registration Complete | |
| 40 | UE <- NW | (PDCCH/ DCI 0_0 or 0_1, C_RNTI) | |
| 41 | UE -> NW | (PUSCH) ULInformationTransfer + UL NAS Transport + PDU Session Establishment Request | |
| 42 | UE <- NW | (PDCCH/ DCI 0_0 or 0_1, C_RNTI) | |
| 43 | UE <- NW | (PDSCH) DLInformationTransfer + DL NAS Transport + PDU Session Establishment Accept | |
| 44 | UE -> NW | PUCCH or PUSCH / UCI (HARQ ACK/NACK) | |
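
The ordering in the table matters when reviewing a capture: every message through step 24 is exchanged before the first Security Mode Command, and the two Security Mode procedures (steps 26 to 34) precede Registration Accept. The following Python code is an added example, not part of the original page or of Amarisoft's tooling; it checks a trace of layer-3 messages against that ordering and records which Security Mode procedures had completed when each message was sent. The message labels are normalized forms of the table entries, the sample traces are constructed, and treating the Identity exchange as optional is an assumption of this example.

```python
from typing import NamedTuple


class Step(NamedTuple):
    direction: str          # "UL" = UE -> NW, "DL" = UE <- NW
    name: str               # normalized label for a table entry
    optional: bool = False


# Layer-3 messages in table order (PDCCH/DCI and HARQ ACK/NACK rows omitted).
# Assumption of this example: the Identity exchange may be absent from a trace.
EXPECTED = [
    Step("UL", "RRCSetupRequest"),
    Step("DL", "RRCSetup"),
    Step("UL", "RRCSetupComplete+NAS:RegistrationRequest"),
    Step("DL", "NAS:IdentityRequest", optional=True),
    Step("UL", "NAS:IdentityResponse", optional=True),
    Step("DL", "NAS:AuthenticationRequest"),
    Step("UL", "NAS:AuthenticationResponse"),
    Step("DL", "NAS:SecurityModeCommand"),
    Step("UL", "NAS:SecurityModeCommandComplete"),
    Step("DL", "RRC:SecurityModeCommand"),
    Step("UL", "RRC:SecurityModeCommandComplete"),
    Step("DL", "RRCReconfiguration+NAS:RegistrationAccept"),
    Step("UL", "RRCReconfigurationComplete+NAS:RegistrationComplete"),
    Step("UL", "NAS:PDUSessionEstablishmentRequest"),
    Step("DL", "NAS:PDUSessionEstablishmentAccept"),
]
INDEX = {step.name: i for i, step in enumerate(EXPECTED)}


def security_state(seen):
    """Which Security Mode procedures had completed before the current message."""
    if "RRC:SecurityModeCommandComplete" in seen:
        return "NAS+AS security mode completed"
    if "NAS:SecurityModeCommandComplete" in seen:
        return "NAS security mode completed"
    return "no security mode completed"


def check_trace(trace):
    """trace: list of (direction, message). Returns (annotated, findings)."""
    annotated, findings = [], []
    seen = set()
    pos = 0                                   # index of the next expected step
    for n, (direction, name) in enumerate(trace, 1):
        annotated.append((name, security_state(seen)))
        if name not in INDEX:
            findings.append(f"#{n} {name}: not part of the attach sequence")
            continue
        i = INDEX[name]
        if direction != EXPECTED[i].direction:
            findings.append(f"#{n} {name}: unexpected direction {direction}")
        if i < pos:
            findings.append(f"#{n} {name}: repeated or out of order")
            continue
        skipped = [s.name for s in EXPECTED[pos:i] if not s.optional]
        if skipped:
            findings.append(f"#{n} {name}: seen before {', '.join(skipped)}")
        seen.add(name)
        pos = i + 1
    return annotated, findings


# Constructed traces: the full table order, and one where Registration Accept
# follows authentication directly, with both Security Mode procedures missing.
GOOD_TRACE = [(s.direction, s.name) for s in EXPECTED]
BAD_TRACE = GOOD_TRACE[:3] + GOOD_TRACE[5:7] + [GOOD_TRACE[11]]

if __name__ == "__main__":
    for label, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        annotated, findings = check_trace(trace)
        print(f"--- {label} trace ---")
        for name, state in annotated:
            print(f"{name:55s} {state}")
        for finding in findings:
            print("FINDING:", finding)
```
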

 

 

Example 01 > NR SA Initial Registration Sequence - Amarisoft

The following is a sample protocol sequence for NR SA Registration, kindly provided by Amarisoft in its web-based log viewer.

For examples of the contents of these messages, click on the message links shown in the above table.

 

NOTE : If you want to see the contents of full log with Amarisoft Log viewer, go to LogAnalysis section and click on 'Sample Log' in this tutorial of Amarisoft TechAcademy.

 

 

The following are the contents of the signaling messages for the SA initial sequence. Some of the messages are not listed here because they would not be considered mandatory.

 

 

[RRC Setup Request]

 

This is the first RRC message from the UE, requesting RrcSetup. It includes a unique binary identifier for the user equipment (UE) under ue-Identity and specifies mobile-originated signaling as the establishment cause under establishmentCause.

 

{

  message c1: rrcSetupRequest: {

    rrcSetupRequest {

      ue-Identity randomValue: '110110011101110100011000000110100000011'B,

      establishmentCause mo-Signalling,

      spare '0'B

    }

  }

}

 

 

[RRC Setup]

 

This is the RRC Setup message sent in response to the RRC Setup Request. This setup message is structured to provide detailed configurations necessary for the communication between the User Equipment (UE) and the network, covering various aspects like radio bearer setup, cell group configurations, and special cell configurations for both uplink and downlink communication channels.

 

Overall structure / contents in this example can be summarized as below : (I think it would be a good practice to convert the RRC message into this kind of summary format for you to get familiar with the meaning and structure of this super complicated message)

  • Radio Bearer Configuration:
    • Setup of Signalling Radio Bearer (SRB) with identity 1.
  • Master Cell Group Configuration:
    • Cell Group ID is set to 0 with various configurations for RLC (Radio Link Control), MAC (Medium Access Control), and Physical Cell group.
    • Uplink and Downlink configurations for Acknowledgement/Retransmission, Resource allocation, and scheduling requests.
  • Special Cell Configuration (spCellConfig):
    • Dedicated configurations for initial Downlink and Uplink Bandwidth Part (BWP) which include:
    • Control Resource Set and Search Space configurations for downlink. // Check out this note for the details of CORESET
      • One control resource set defined with ID 2
      • Frequency domain resources set to the 48RBs from RB0
      • Duration of 1 slot
      • Non-interleaved CCE-to-REG mapping
      • Precoder granularity same as REG bundle
      • One UE specific search space defined with ID 2
      • Monitoring periodicity is one slot
      • Monitoring symbols in slot set to first 6 symbols
      • Number of PDCCH candidates defined per aggregation level
      • Search space monitors DCI formats 0-1 and 1-1
    • PUCCH configurations for uplink control signal resource setup // Check out this note for the details of PUCCH Configuration
      • Two PUCCH resource sets defined - set 0 with resources 0-7, set 1 with resources 8-11
      • 12 PUCCH format 1 resources defined with different starting PRBs, cyclic shifts and OCCs
      • 4 PUCCH format 2 resources defined with different starting symbols
      • Format 1 setup has no additional parameters
      • Format 2 setup specifies max code rate of 0.25
      • One scheduling request resource defined with ID 1, periodicity/offset of sl40:8, using resource 12
      • dl-DataToUL-ACK maps DL slots 8,7,6,5,4,12,11 to UL ACK slots
    • PUSCH configurations for uplink data channel, specifying resource sets and modulation schemes. // Check out this note for the details of PUSCH Configuration
      • Transmission mode is codebook based.
      • DMRS mapping type A, with additional DMRS position at pos1.
      • No transform precoding.
      • Power control settings
        • msg3 alpha of alpha1.
        • Nominal PUSCH power of -84 dBm without grant.
        • One PUSCH alpha set defined with ID 0.
        • Pathloss reference RS is SSB index 0.
        • One PUSCH power control ID 0 defined mapped to pathloss RS 0 and alpha set 0.
      • Resource allocation is type 1 (dynamic).
      • Non-coherent codebook subset.
      • Max rank is 1.
      • UCI on PUSCH uses beta offsets of 9 for ACK, 7 for CSI part 1 and 2.
      • UCI scaling is set to f1.
    • SRS Configuration
      • One SRS resource set defined with ID 0 containing SRS resource 0.
      • Resource type is aperiodic with trigger value 1 and slot offset 7.
      • Usage is codebook based.
      • Reference power is -84 dBm with pathloss reference as SSB 0.
      • One SRS resource defined with ID 0.
      • Port configuration is 1 antenna port.
      • Comb pattern is n2 with comb offset 0 and cyclic shift 0.
      • Mapping uses start position 0, n1 symbols, repetition factor 1.
      • Frequency position is 0 and shift is 5.
      • Frequency hopping enabled using c-SRS 11 and b-SRS 3, no b-hop.
      • Neither group nor sequence hopping.
      • Resource type aperiodic.
      • Sequence ID 500.
    • CSI (Channel State Information) Measurement configurations specifying resources and reporting configurations. // Check out this note for the details of CSI framework
      • 5 NZP CSI-RS resources defined with different ports, CDM types, densities and periodicities. One of them is for CSI report and the other four are for TRS.
      • 2 NZP CSI-RS sets - set 0 contains resource 0 (for CSI report), set 1 contains resources 1-4 and enables TRS (for TRS)
      • 1 CSI-IM resource defined with pattern 1 and periodicity
      • 1 CSI-IM set containing CSI-IM resource 0
      • 3 CSI resource configs defined - one using NZP set 0, one using CSI-IM set 0, one using NZP set 1
      • 1 CSI report config:
        • Uses resource 0 for channel and resource 1 for interference
        • Periodic reporting on PUCCH every 80 slots
        • Reports CRI, RI, PMI, CQI
        • Wideband CQI and PMI
        • Codebook type 1 single panel with 2 ports
        • CQI table 2, subband size 1 RBG
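
The practice suggested above, converting the raw RRC message into a summary, can be scripted. The following Python code is an added example, not part of the original page or of Amarisoft's tools: it parses the log viewer's value notation and summarizes the pdcch-Config part of this rrcSetup message. The embedded excerpt is copied from the dump on this page with whitespace condensed and one outer pair of braces added; the function names and output keys are this example's own.

```python
import re

# pdcch-Config from the rrcSetup dump on this page (whitespace condensed,
# one outer pair of braces added so the excerpt parses as a single value).
EXCERPT = """
{ pdcch-Config setup: {
    controlResourceSetToAddModList {
      { controlResourceSetId 2,
        frequencyDomainResources '111111110000000000000000000000000000000000000'B,
        duration 1,
        cce-REG-MappingType nonInterleaved: NULL,
        precoderGranularity sameAsREG-bundle }
    },
    searchSpacesToAddModList {
      { searchSpaceId 2,
        controlResourceSetId 2,
        monitoringSlotPeriodicityAndOffset sl1: NULL,
        monitoringSymbolsWithinSlot '10000000000000'B,
        nrofCandidates {
          aggregationLevel1 n0, aggregationLevel2 n2, aggregationLevel4 n1,
          aggregationLevel8 n0, aggregationLevel16 n0 },
        searchSpaceType ue-Specific: { dci-Formats formats0-1-And-1-1 } }
    }
} }
"""

TOKEN = re.compile(r"[{},]|[^\s{},]+")


def parse(text):
    """Parse the value notation into nested dicts (SEQUENCE), lists and strings."""
    toks = TOKEN.findall(text)
    try:
        value, pos = _value(toks, 0)
    except IndexError:
        raise ValueError("unbalanced braces or truncated input") from None
    if pos != len(toks):
        raise ValueError(f"unexpected token {toks[pos]!r} after the value")
    return value


def _value(toks, i):
    tok = toks[i]
    if tok.endswith(":"):                     # CHOICE: "alternative: value"
        inner, i = _value(toks, i + 1)
        return {tok[:-1]: inner}, i
    if tok != "{":                            # number, enum, NULL or bit string
        return tok, i + 1
    i += 1
    fields, items = {}, []
    while toks[i] != "}":
        tok = toks[i]
        if tok != "{" and not tok.endswith(":") and toks[i + 1] not in (",", "}"):
            fields[tok], i = _value(toks, i + 1)      # "name value"
        else:
            item, i = _value(toks, i)                 # unnamed list element
            items.append(item)
        if toks[i] == ",":
            i += 1
    return (items if items else fields), i + 1


def set_positions(tok):
    """Indexes of the 1 bits in a 'xxxx'B or 'xx'H token, leftmost bit = 0."""
    body, kind = tok[1:-2], tok[-1]
    bits = body if kind == "B" else "".join(f"{int(c, 16):04b}" for c in body)
    return [i for i, b in enumerate(bits) if b == "1"]


def summarize_pdcch(tree):
    cfg = tree["pdcch-Config"]["setup"]
    out = {"coresets": [], "search_spaces": []}
    for cs in cfg["controlResourceSetToAddModList"]:
        groups = set_positions(cs["frequencyDomainResources"])  # 1 bit = 6 RBs
        out["coresets"].append({
            "id": int(cs["controlResourceSetId"]),
            "rbs": [rb for g in groups for rb in range(6 * g, 6 * g + 6)],
            "duration": int(cs["duration"]),
            "interleaved": "interleaved" in cs["cce-REG-MappingType"],
        })
    for ss in cfg["searchSpacesToAddModList"]:
        (period, offset), = ss["monitoringSlotPeriodicityAndOffset"].items()
        (ss_type, body), = ss["searchSpaceType"].items()
        out["search_spaces"].append({
            "id": int(ss["searchSpaceId"]),
            "coreset": int(ss["controlResourceSetId"]),
            "period_slots": int(period[2:]),
            "offset_slots": 0 if offset == "NULL" else int(offset),
            # each set bit is the first symbol of a monitoring occasion
            "start_symbols": set_positions(ss["monitoringSymbolsWithinSlot"]),
            "candidates": {int(k[len("aggregationLevel"):]): int(v[1:])
                           for k, v in ss["nrofCandidates"].items() if v != "n0"},
            "type": ss_type,
            "dci_formats": body.get("dci-Formats"),
        })
    return out


if __name__ == "__main__":
    print(summarize_pdcch(parse(EXCERPT)))
```
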

 

The following are the entire contents of the message.

 

{

  message c1: rrcSetup: {

    rrc-TransactionIdentifier 0,

    criticalExtensions rrcSetup: {

      radioBearerConfig {

        srb-ToAddModList {

          {

            srb-Identity 1

          }

        }

      },

      masterCellGroup {

        cellGroupId 0,

        rlc-BearerToAddModList {

          {

            logicalChannelIdentity 1,

            servedRadioBearer srb-Identity: 1,

            rlc-Config am: {

              ul-AM-RLC {

                sn-FieldLength size12,

                t-PollRetransmit ms45,

                pollPDU infinity,

                pollByte infinity,

                maxRetxThreshold t8

              },

              dl-AM-RLC {

                sn-FieldLength size12,

                t-Reassembly ms35,

                t-StatusProhibit ms0

              }

            },

            mac-LogicalChannelConfig {

              ul-SpecificParameters {

                priority 1,

                prioritisedBitRate infinity,

                bucketSizeDuration ms5,

                logicalChannelGroup 0,

                schedulingRequestID 0,

                logicalChannelSR-Mask FALSE,

                logicalChannelSR-DelayTimerApplied FALSE

              }

            }

          }

        },

        mac-CellGroupConfig {

          schedulingRequestConfig {

            schedulingRequestToAddModList {

              {

                schedulingRequestId 0,

                sr-TransMax n64

              }

            }

          },

          bsr-Config {

            periodicBSR-Timer sf20,

            retxBSR-Timer sf320

          },

          tag-Config {

            tag-ToAddModList {

              {

                tag-Id 0,

                timeAlignmentTimer infinity

              }

            }

          },

          phr-Config setup: {

            phr-PeriodicTimer sf500,

            phr-ProhibitTimer sf200,

            phr-Tx-PowerFactorChange dB3,

            multiplePHR FALSE,

            dummy FALSE,

            phr-Type2OtherCell FALSE,

            phr-ModeOtherCG real

          },

          skipUplinkTxDynamic FALSE

        },

        physicalCellGroupConfig {

          pdsch-HARQ-ACK-Codebook dynamic

        },

        spCellConfig {

          spCellConfigDedicated {

            initialDownlinkBWP {

              pdcch-Config setup: {

                controlResourceSetToAddModList {

                  {

                    controlResourceSetId 2,

                    frequencyDomainResources '111111110000000000000000000000000000000000000'B,

                    duration 1,

                    cce-REG-MappingType nonInterleaved: NULL,

                    precoderGranularity sameAsREG-bundle

                  }

                },

                searchSpacesToAddModList {

                  {

                    searchSpaceId 2,

                    controlResourceSetId 2,

                    monitoringSlotPeriodicityAndOffset sl1: NULL,

                    monitoringSymbolsWithinSlot '10000000000000'B,

                    nrofCandidates {

                      aggregationLevel1 n0,

                      aggregationLevel2 n2,

                      aggregationLevel4 n1,

                      aggregationLevel8 n0,

                      aggregationLevel16 n0

                    },

                    searchSpaceType ue-Specific: {

                      dci-Formats formats0-1-And-1-1

                    }

                  }

                }

              },

              pdsch-Config setup: {

                dmrs-DownlinkForPDSCH-MappingTypeA setup: {

                  dmrs-AdditionalPosition pos1

                },

                tci-StatesToAddModList {

                  {

                    tci-StateId 0,

                    qcl-Type1 {

                      referenceSignal ssb: 0,

                      qcl-Type typeD

                    }

                  }

                },

                resourceAllocation resourceAllocationType1,

                rbg-Size config1,

                prb-BundlingType staticBundling: {

                  bundleSize wideband

                },

                zp-CSI-RS-ResourceToAddModList {

                  {

                    zp-CSI-RS-ResourceId 0,

                    resourceMapping {

                      frequencyDomainAllocation row4: '100'B,

                      nrofPorts p4,

                      firstOFDMSymbolInTimeDomain 8,

                      cdm-Type fd-CDM2,

                      density one: NULL,

                      freqBand {

                        startingRB 0,

                        nrofRBs 52

                      }

                    },

                    periodicityAndOffset slots80: 1

                  }

                },

                p-ZP-CSI-RS-ResourceSet setup: {

                  zp-CSI-RS-ResourceSetId 0,

                  zp-CSI-RS-ResourceIdList {

                    0

                  }

                }

              }

            },

            firstActiveDownlinkBWP-Id 0,

            uplinkConfig {

              initialUplinkBWP {

                pucch-Config setup: {

                  resourceSetToAddModList {

                    {

                      pucch-ResourceSetId 0,

                      resourceList {

                        0,

                        1,

                        2,

                        3,

                        4,

                        5,

                        6,

                        7

                      }

                    },

                    {

                      pucch-ResourceSetId 1,

                      resourceList {

                        8,

                        9,

                        10,

                        11

                      }

                    }

                  },

                  resourceToAddModList {

                    {

                      pucch-ResourceId 0,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 0,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 0

                      }

                    },

                    {

                      pucch-ResourceId 1,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 4,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 0

                      }

                    },

                    {

                      pucch-ResourceId 2,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 8,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 0

                      }

                    },

                    {

                      pucch-ResourceId 3,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 0,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 1

                      }

                    },

                    {

                      pucch-ResourceId 4,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 4,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 1

                      }

                    },

                    {

                      pucch-ResourceId 5,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 8,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 1

                      }

                    },

                    {

                      pucch-ResourceId 6,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 0,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 2

                      }

                    },

                    {

                      pucch-ResourceId 7,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 4,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 2

                      }

                    },

                    {

                      pucch-ResourceId 8,

                      startingPRB 1,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 49,

                      format format2: {

                        nrofPRBs 1,

                        nrofSymbols 2,

                        startingSymbolIndex 0

                      }

                    },

                    {

                      pucch-ResourceId 9,

                      startingPRB 1,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 49,

                      format format2: {

                        nrofPRBs 1,

                        nrofSymbols 2,

                        startingSymbolIndex 2

                      }

                    },

                    {

                      pucch-ResourceId 10,

                      startingPRB 1,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 49,

                      format format2: {

                        nrofPRBs 1,

                        nrofSymbols 2,

                        startingSymbolIndex 4

                      }

                    },

                    {

                      pucch-ResourceId 11,

                      startingPRB 1,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 49,

                      format format2: {

                        nrofPRBs 1,

                        nrofSymbols 2,

                        startingSymbolIndex 6

                      }

                    },

                    {

                      pucch-ResourceId 12,

                      startingPRB 50,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 0,

                      format format1: {

                        initialCyclicShift 8,

                        nrofSymbols 14,

                        startingSymbolIndex 0,

                        timeDomainOCC 2

                      }

                    },

                    {

                      pucch-ResourceId 13,

                      startingPRB 1,

                      intraSlotFrequencyHopping enabled,

                      secondHopPRB 49,

                      format format2: {

                        nrofPRBs 1,

                        nrofSymbols 2,

                        startingSymbolIndex 8

                      }

                    }

                  },

                  format1 setup: {

                  },

                  format2 setup: {

                    maxCodeRate zeroDot25

                  },

                  schedulingRequestResourceToAddModList {

                    {

                      schedulingRequestResourceId 1,

                      schedulingRequestID 0,

                      periodicityAndOffset sl40: 8,

                      resource 12

                    }

                  },

                  dl-DataToUL-ACK {

                    8,

                    7,

                    6,

                    5,

                    4,

                    12,

                    11

                  }

                },

                pusch-Config setup: {

                  txConfig codebook,

                  dmrs-UplinkForPUSCH-MappingTypeA setup: {

                    dmrs-AdditionalPosition pos1,

                    transformPrecodingDisabled {

                    }

                  },

                  pusch-PowerControl {

                    msg3-Alpha alpha1,

                    p0-NominalWithoutGrant -84,

                    p0-AlphaSets {

                      {

                        p0-PUSCH-AlphaSetId 0,

                        p0 0,

                        alpha alpha1

                      }

                    },

                    pathlossReferenceRSToAddModList {

                      {

                        pusch-PathlossReferenceRS-Id 0,

                        referenceSignal ssb-Index: 0

                      }

                    },

                    sri-PUSCH-MappingToAddModList {

                      {

                        sri-PUSCH-PowerControlId 0,

                        sri-PUSCH-PathlossReferenceRS-Id 0,

                        sri-P0-PUSCH-AlphaSetId 0,

                        sri-PUSCH-ClosedLoopIndex i0

                      }

                    }

                  },

                  resourceAllocation resourceAllocationType1,

                  codebookSubset nonCoherent,

                  maxRank 1,

                  uci-OnPUSCH setup: {

                    betaOffsets semiStatic: {

                      betaOffsetACK-Index1 9,

                      betaOffsetACK-Index2 9,

                      betaOffsetACK-Index3 9,

                      betaOffsetCSI-Part1-Index1 7,

                      betaOffsetCSI-Part1-Index2 7,

                      betaOffsetCSI-Part2-Index1 7,

                      betaOffsetCSI-Part2-Index2 7

                    },

                    scaling f1

                  }

                },

                srs-Config setup: {

                  srs-ResourceSetToAddModList {

                    {

                      srs-ResourceSetId 0,

                      srs-ResourceIdList {

                        0

                      },

                      resourceType aperiodic: {

                        aperiodicSRS-ResourceTrigger 1,

                        slotOffset 7

                      },

                      usage codebook,

                      p0 -84,

                      pathlossReferenceRS ssb-Index: 0

                    }

                  },

                  srs-ResourceToAddModList {

                    {

                      srs-ResourceId 0,

                      nrofSRS-Ports port1,

                      transmissionComb n2: {

                        combOffset-n2 0,

                        cyclicShift-n2 0

                      },

                      resourceMapping {

                        startPosition 0,

                        nrofSymbols n1,

                        repetitionFactor n1

                      },

                      freqDomainPosition 0,

                      freqDomainShift 5,

                      freqHopping {

                        c-SRS 11,

                        b-SRS 3,

                        b-hop 0

                      },

                      groupOrSequenceHopping neither,

                      resourceType aperiodic: {

                      },

                      sequenceId 500

                    }

                  }

                }

              },

              firstActiveUplinkBWP-Id 0,

              pusch-ServingCellConfig setup: {

              }

            },

            pdcch-ServingCellConfig setup: {

            },

            pdsch-ServingCellConfig setup: {

              nrofHARQ-ProcessesForPDSCH n16

            },

            csi-MeasConfig setup: {

              nzp-CSI-RS-ResourceToAddModList {

                {

                  nzp-CSI-RS-ResourceId 0,

                  resourceMapping {

                    frequencyDomainAllocation other: '100000'B,

                    nrofPorts p2,

                    firstOFDMSymbolInTimeDomain 4,

                    cdm-Type fd-CDM2,

                    density one: NULL,

                    freqBand {

                      startingRB 0,

                      nrofRBs 52

                    }

                  },

                  powerControlOffset 0,

                  powerControlOffsetSS db0,

                  scramblingID 500,

                  periodicityAndOffset slots80: 1,

                  qcl-InfoPeriodicCSI-RS 0

                },

                {

                  nzp-CSI-RS-ResourceId 1,

                  resourceMapping {

                    frequencyDomainAllocation row1: '1'H,

                    nrofPorts p1,

                    firstOFDMSymbolInTimeDomain 4,

                    cdm-Type noCDM,

                    density three: NULL,

                    freqBand {

                      startingRB 0,

                      nrofRBs 52

                    }

                  },

                  powerControlOffset 0,

                  powerControlOffsetSS db0,

                  scramblingID 500,

                  periodicityAndOffset slots40: 11,

                  qcl-InfoPeriodicCSI-RS 0

                },

                {

                  nzp-CSI-RS-ResourceId 2,

                  resourceMapping {

                    frequencyDomainAllocation row1: '1'H,

                    nrofPorts p1,

                    firstOFDMSymbolInTimeDomain 8,

                    cdm-Type noCDM,

                    density three: NULL,

                    freqBand {

                      startingRB 0,

                      nrofRBs 52

                    }

                  },

                  powerControlOffset 0,

                  powerControlOffsetSS db0,

                  scramblingID 500,

                  periodicityAndOffset slots40: 11,

                  qcl-InfoPeriodicCSI-RS 0

                },

                {

                  nzp-CSI-RS-ResourceId 3,

                  resourceMapping {

                    frequencyDomainAllocation row1: '1'H,

                    nrofPorts p1,

                    firstOFDMSymbolInTimeDomain 4,

                    cdm-Type noCDM,

                    density three: NULL,

                    freqBand {

                      startingRB 0,

                      nrofRBs 52

                    }

                  },

                  powerControlOffset 0,

                  powerControlOffsetSS db0,

                  scramblingID 500,

                  periodicityAndOffset slots40: 12,

                  qcl-InfoPeriodicCSI-RS 0

                },

                {

                  nzp-CSI-RS-ResourceId 4,

                  resourceMapping {

                    frequencyDomainAllocation row1: '1'H,

                    nrofPorts p1,

                    firstOFDMSymbolInTimeDomain 8,

                    cdm-Type noCDM,

                    density three: NULL,

                    freqBand {

                      startingRB 0,

                      nrofRBs 52

                    }

                  },

                  powerControlOffset 0,

                  powerControlOffsetSS db0,

                  scramblingID 500,

                  periodicityAndOffset slots40: 12,

                  qcl-InfoPeriodicCSI-RS 0

                }

              },

              nzp-CSI-RS-ResourceSetToAddModList {

                {

                  nzp-CSI-ResourceSetId 0,

                  nzp-CSI-RS-Resources {

                    0

                  }

                },

                {

                  nzp-CSI-ResourceSetId 1,

                  nzp-CSI-RS-Resources {

                    1,

                    2,

                    3,

                    4

                  },

                  trs-Info true

                }

              },

              csi-IM-ResourceToAddModList {

                {

                  csi-IM-ResourceId 0,

                  csi-IM-ResourceElementPattern pattern1: {

                    subcarrierLocation-p1 s8,

                    symbolLocation-p1 8

                  },

                  freqBand {

                    startingRB 0,

                    nrofRBs 52

                  },

                  periodicityAndOffset slots80: 1

                }

              },

              csi-IM-ResourceSetToAddModList {

                {

                  csi-IM-ResourceSetId 0,

                  csi-IM-Resources {

                    0

                  }

                }

              },

              csi-ResourceConfigToAddModList {

                {

                  csi-ResourceConfigId 0,

                  csi-RS-ResourceSetList nzp-CSI-RS-SSB: {

                    nzp-CSI-RS-ResourceSetList {

                      0

                    }

                  },

                  bwp-Id 0,

                  resourceType periodic

                },

                {

                  csi-ResourceConfigId 1,

                  csi-RS-ResourceSetList csi-IM-ResourceSetList: {

                    0

                  },

                  bwp-Id 0,

                  resourceType periodic

                },

                {

                  csi-ResourceConfigId 2,

                  csi-RS-ResourceSetList nzp-CSI-RS-SSB: {

                    nzp-CSI-RS-ResourceSetList {

                      1

                    }

                  },

                  bwp-Id 0,

                  resourceType periodic

                }

              },

              csi-ReportConfigToAddModList {

                {

                  reportConfigId 0,

                  resourcesForChannelMeasurement 0,

                  csi-IM-ResourcesForInterference 1,

                  reportConfigType periodic: {

                    reportSlotConfig slots80: 9,

                    pucch-CSI-ResourceList {

                      {

                        uplinkBandwidthPartId 0,

                        pucch-Resource 13

                      }

                    }

                  },

                  reportQuantity cri-RI-PMI-CQI: NULL,

                  reportFreqConfiguration {

                    cqi-FormatIndicator widebandCQI,

                    pmi-FormatIndicator widebandPMI

                  },

                  timeRestrictionForChannelMeasurements notConfigured,

                  timeRestrictionForInterferenceMeasurements notConfigured,

                  codebookConfig {

                    codebookType type1: {

                      subType typeI-SinglePanel: {

                        nrOfAntennaPorts two: {

                          twoTX-CodebookSubsetRestriction '111111'B

                        },

                        typeI-SinglePanel-ri-Restriction '03'H

                      },

                      codebookMode 1

                    }

                  },

                  groupBasedBeamReporting disabled: {

                  },

                  cqi-Table table2,

                  subbandSize value1

                }

              }

            },

            tag-Id 0

          }

        }

      }

    }

  }

}

 

 

[Registration Request]

 

The Registration Request message initiates the registration process of the User Equipment (UE) within a 5G network, providing essential UE and network capabilities. It encapsulates identifiers, security credentials, and supported features, ensuring the network and UE have synchronized information. This message is crucial for establishing a secure and functional communication channel between the UE and the network, paving the way for subsequent interactions.

Highlights of the contents of this message are:

  • UE Identification:
    • 5G-GUTI (Globally Unique Temporary Identity) includes Mobile Country Code (MCC), Mobile Network Code (MNC), AMF (Access Management Function) Region ID, Set ID, Pointer, and 5G-TMSI (Temporary Mobile Subscriber Identity).
    • Last visited registered Tracking Area Identity (TAI) with MCC, MNC, and TAC (Tracking Area Code).
  • Security Credentials:
    • Auth code, Security headers, and Sequence number are provided for integrity protection.
    • UE security capability indicating encryption and integrity algorithms supported for both 5G and E-UTRA (Evolved Universal Terrestrial Radio Access).
  • UE Capabilities:
    • 5GMM (5G Mobility Management) capability indicating support for various features like handover attachment, S1 mode, etc.
    • S1 UE network capability revealing support for encryption algorithms, integrity algorithms, and other UE capabilities.
  • Network Service Access:
    • Requested NSSAI (Non-Public Subnet Slice Access Information) indicating the desired network slice for the UE.
    • Network slicing indication for Data Centric Network Indication (DCNI) and NSSAI Configuration Indication (NSSCI).
  • Registration Type:
    • Indicates that it is an initial registration with a follow-on request bit.
  • 5GS Update Type:
    • Indicates no additional information for EPS-PNB-CIoT and 5GS-PNB-CIoT, NG-RAN-RCU as 0, and SMS requested as 1.
  • Other Information:
    • UE's usage setting as Data centric, LADN (Local Area Data Network) indication, and NAS (Non-Access Stratum) message container with repeated registration request information.

 

The contents of the entire message in this example are as follows:

 

16:36:33.677 [NAS] UL 0064 5GMM: Registration request

        Protocol discriminator = 0x7e (5GS Mobility Management)

        Security header = 0x1 (Integrity protected)

        Auth code = 0xc2653407

        Sequence number = 0x09

        Protocol discriminator = 0x7e (5GS Mobility Management)

        Security header = 0x0 (Plain 5GS NAS message, not security protected)

        Message type = 0x41 (Registration request)

        5GS registration type:

          Follow-on request bit = 1

          Value = 1 (initial registration)

        ngKSI:

          TSC = 0

          NAS key set identifier = 2

        5GS mobile identity:

          5G-GUTI

            MCC = 001

            MNC = 01

            AMF Region ID = 128

            AMF Set ID = 4

            AMF Pointer = 1

            5G-TMSI = 0x2fedc8c7

        UE security capability:

          0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)

          0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

          0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

          0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

        NAS message container:

          Protocol discriminator = 0x7e (5GS Mobility Management)

          Security header = 0x0 (Plain 5GS NAS message, not security protected)

          Message type = 0x41 (Registration request)

          5GS registration type:

            Follow-on request bit = 1

            Value = 1 (initial registration)

          ngKSI:

            TSC = 0

            NAS key set identifier = 2

          5GS mobile identity:

            5G-GUTI

              MCC = 001

              MNC = 01

              AMF Region ID = 128

              AMF Set ID = 4

              AMF Pointer = 1

              5G-TMSI = 0x2fedc8c7

          5GMM capability:

            0x03 (SGC=0, 5G-IPHC-CP CIoT=0, N3 data=0, 5G-CP CIoT=0, RestrictEC=0, LPP=0, HO attach=1, S1 mode=1)

          UE security capability:

            0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)

            0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

            0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

            0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

          Requested NSSAI:

            S-NSSAI

              Length of S-NSSAI contents = 1 (SST)

              SST = 0x01

          Last visited registered TAI:

            MCC = 001

            MNC = 01

            TAC = 0x000064

          S1 UE network capability:

            0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

            0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

            0xc0 (UEA0=1, UEA1=1, UEA2=0, UEA3=0, UEA4=0, UEA5=0, UEA6=0, UEA7=0)

            0x40 (UCS2=0, UIA1=1, UIA2=0, UIA3=0, UIA4=0, UIA5=0, UIA6=0, UIA7=0)

            0x19 (ProSe-dd=0, ProSe=0, H.245-ASH=0, ACC-CSFB=1, LPP=1, LCS=0, 1xSRVCC=0, NF=1)

            0x80 (ePCO=1, HC-CP CIoT=0, ERw/oPDN=0, S1-U data=0, UP CIoT=0, CP CIoT=0, ProSe-relay=0, ProSe-dc=0)

            0xb0 (15 bearers=1, SGC=0, N1mode=1, DCNR=1, CP backoff=0, RestrictEC=0, V2X PC5=0, multipleDRB=0)

          UE's usage setting = 0x01 (Data centric)

          LADN indication:

            Length = 0

            Data =

          Network slicing indication = 0x00 (DCNI=0, NSSCI=0)

          5GS update type = 0x01 (EPS-PNB-CIoT=no additional information, 5GS-PNB-CIoT=no additional information,

                                            NG-RAN-RCU=0, SMS requested=1)

 

 

[Authentication Request]

 

This is the Authentication Request under 5GS Mobility Management, not security protected, aiming to initiate the authentication process. It includes a NAS key set identifier and parameters like ABBA, RAND, and AUTN, essential for authentication, and is part of the process to ensure the integrity and identity of the user equipment in the 5G network.

 

NOTE: For the details of the authentication process, refer to this note.

 

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x56 (Authentication request)

ngKSI:

  TSC = 0

  NAS key set identifier = 3

ABBA:

  Length = 2

  Data = 00 00

Authentication parameter RAND:

  Data = 5c b5 64 3e 28 dd 81 86 5f aa 80 52 f0 57 67 0e

Authentication parameter AUTN:

  Length = 16

  Data = 0d 6c 88 e7 f1 f6 90 01 5c a4 46 0d 6c a9 77 f0

 

 

[Authentication Response]

 

This is an Authentication Response under 5GS Mobility Management, with the outer header integrity protected. It carries an authentication code, a sequence number, and a response parameter, which are crucial for validating the user equipment's identity in the 5G network. The response parameter, of length 16, contains a specific data string which is likely used to verify the authenticity of the response and proceed with the communication between the user equipment and the network.

 

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x1 (Integrity protected)

Auth code = 0x315d8f85

Sequence number = 0x0b

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x57 (Authentication response)

Authentication response parameter:

  Length = 16

  Data = 20 be d8 65 0b 86 58 49 77 5c 59 4e 91 b0 a2 28

 

 

[Security Mode Command - NAS]

 

This is the Security Mode Command in the 5G Mobility Management protocol, integrity protected with a new 5G NAS security context. It carries an authentication code, a sequence number, and details on the selected NAS security algorithms. The message also contains a NAS key set identifier and the replayed UE security capabilities for the different encryption and integrity algorithms. Additionally, there is a request for the International Mobile Equipment Identity Software Version (IMEISV), and some additional 5G security information is provided with specific flags set for RINMR and HDP.

 

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x3 (Integrity protected with new 5G NAS security context)

Auth code = 0xf3c97ad9

Sequence number = 0x00

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x5d (Security mode command)

Selected NAS security algorithms = 0x02 (5G-EA0, 5G-IA2)

ngKSI:

  TSC = 0

  NAS key set identifier = 3

Replayed UE security capabilities:

  0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)

  0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

  0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

  0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

IMEISV request = 1

Additional 5G security information = 0x02 (RINMR=1, HDP=0)

 

 

[Security Mode Command Complete - NAS]

 

This is a Security Mode Complete under the 5G Mobility Management protocol, sent integrity protected and ciphered with the new security context. It carries an authentication code and a sequence number. The inner plain 5GS NAS message uses its NAS message container to convey a Registration Request.

 

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x4 (Integrity protected and ciphered with new 5G NAS security context)

Auth code = 0x6483a25f

Sequence number = 0x00

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x5e (Security mode complete)

IMEISV:

  IMEISV = 8690570563562913

NAS message container:

  Protocol discriminator = 0x7e (5GS Mobility Management)

  Security header = 0x0 (Plain 5GS NAS message, not security protected)

  Message type = 0x41 (Registration request)

  5GS registration type:

    Follow-on request bit = 1

    Value = 1 (initial registration)

  ngKSI:

    TSC = 0

    NAS key set identifier = 2

  5GS mobile identity:

    5G-GUTI

      MCC = 001

      MNC = 01

      AMF Region ID = 128

      AMF Set ID = 4

      AMF Pointer = 1

      5G-TMSI = 0x2fedc8c7

  5GMM capability:

    0x03 (SGC=0, 5G-IPHC-CP CIoT=0, N3 data=0, 5G-CP CIoT=0, RestrictEC=0, LPP=0, HO attach=1, S1 mode=1)

  UE security capability:

    0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)

    0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

    0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

    0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

  Requested NSSAI:

    S-NSSAI

      Length of S-NSSAI contents = 1 (SST)

      SST = 0x01

  Last visited registered TAI:

    MCC = 001

    MNC = 01

    TAC = 0x000064

  S1 UE network capability:

    0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

    0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

    0xc0 (UEA0=1, UEA1=1, UEA2=0, UEA3=0, UEA4=0, UEA5=0, UEA6=0, UEA7=0)

    0x40 (UCS2=0, UIA1=1, UIA2=0, UIA3=0, UIA4=0, UIA5=0, UIA6=0, UIA7=0)

    0x19 (ProSe-dd=0, ProSe=0, H.245-ASH=0, ACC-CSFB=1, LPP=1, LCS=0, 1xSRVCC=0, NF=1)

    0x80 (ePCO=1, HC-CP CIoT=0, ERw/oPDN=0, S1-U data=0, UP CIoT=0, CP CIoT=0, ProSe-relay=0, ProSe-dc=0)

    0xb0 (15 bearers=1, SGC=0, N1mode=1, DCNR=1, CP backoff=0, RestrictEC=0, V2X PC5=0, multipleDRB=0)

  UE's usage setting = 0x01 (Data centric)

  LADN indication:

    Length = 0

    Data =

  Network slicing indication = 0x00 (DCNI=0, NSSCI=0)

  5GS update type = 0x01 (EPS-PNB-CIoT=no additional information, 5GS-PNB-CIoT=no additional information,

                                    NG-RAN-RCU=0, SMS requested=1)

 

 

[Security Mode Command - RRC]

 

This message initiates the RRC security setup, specifying the ciphering algorithm and the integrity protection algorithm.

 

{

  message c1: securityModeCommand: {

    rrc-TransactionIdentifier 0,

    criticalExtensions securityModeCommand: {

      securityConfigSMC {

        securityAlgorithmConfig {

          cipheringAlgorithm nea0,

          integrityProtAlgorithm nia2

        }

      }

    }

  }

}
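The UE-side checks that the NAS and RRC Security Mode Command messages above call for, as an added Python example (not code from the original page or from any UE stack). It confirms that the replayed UE security capabilities match what the UE sent in the Registration Request, that the selected algorithms are ones the UE advertised, and it flags the null ciphering (5G-EA0 / nea0) chosen in this trace. The octet values come from the logs above; the function names and the reject/warn policy are assumptions of this example.

```python
"""UE-side checks on the NAS and RRC Security Mode Command values in this trace."""

# Octets copied from the logs on this page.
SENT_UE_SEC_CAP = bytes([0xF0, 0x70, 0xF0, 0x70])      # UE security capability (Registration Request)
REPLAYED_UE_SEC_CAP = bytes([0xF0, 0x70, 0xF0, 0x70])  # Replayed UE security capabilities (NAS SMC)
SELECTED_NAS_ALGS = 0x02                               # Selected NAS security algorithms
RRC_SELECTED = ("nea0", "nia2")                        # RRC securityAlgorithmConfig


def supported(octet):
    """Algorithm indices set in one capability octet (bit 8, the MSB, is algorithm 0)."""
    return {i for i in range(8) if octet & (0x80 >> i)}


def split_selected(octet):
    """High nibble = ciphering algorithm, low nibble = integrity algorithm."""
    return octet >> 4, octet & 0x0F


def rrc_algs(names):
    """Map the ASN.1 names ('nea0', 'nia2') to the indices (0, 2)."""
    cipher, integ = names
    if not (cipher.startswith("nea") and integ.startswith("nia")):
        raise ValueError(f"unexpected algorithm names: {names}")
    return int(cipher[3:]), int(integ[3:])


def check_negotiation(layer, sent_cap, cipher, integ, replayed_cap=None, emergency=False):
    """Return a list of (severity, message); 'reject' means the UE should refuse the command."""
    ea, ia = supported(sent_cap[0]), supported(sent_cap[1])
    findings = []
    # Bidding-down check: the network echoes the capabilities it received, so a
    # mismatch means they were altered between the UE and the network.
    if replayed_cap is not None and bytes(replayed_cap) != bytes(sent_cap):
        findings.append(("reject", f"{layer}: replayed capabilities differ from those sent"))
    if cipher not in ea:
        findings.append(("reject", f"{layer}: ciphering algorithm {cipher} was not advertised"))
    if integ not in ia:
        findings.append(("reject", f"{layer}: integrity algorithm {integ} was not advertised"))
    # Policy assumed here: null integrity is only acceptable for unauthenticated
    # emergency sessions.
    if integ == 0 and not emergency:
        findings.append(("reject", f"{layer}: null integrity outside an emergency session"))
    # Null ciphering is allowed, but signalling is then readable on the air interface.
    if cipher == 0:
        findings.append(("warn", f"{layer}: null ciphering selected, payload is sent in clear"))
    return findings


if __name__ == "__main__":
    nas_cipher, nas_integ = split_selected(SELECTED_NAS_ALGS)
    results = check_negotiation("NAS", SENT_UE_SEC_CAP, nas_cipher, nas_integ, REPLAYED_UE_SEC_CAP)
    results += check_negotiation("RRC", SENT_UE_SEC_CAP, *rrc_algs(RRC_SELECTED))
    for severity, message in results:
        print(severity, message)
```
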

 

 

[Security Mode Complete - RRC]

 

{

  message c1: securityModeComplete: {

    rrc-TransactionIdentifier 0,

    criticalExtensions securityModeComplete: {

    }

  }

}

 

 

[Registration Accept]

 

This is the 5G Mobility Management (5GMM) message for Registration Accept, used in 5G networks to confirm the registration of a mobile device. The outer header marks the message as integrity protected and ciphered; the part that follows is decoded as a plain 5GS NAS message without security protection.

 

Highlights of the configuration in this specific example are:

  • A 5G-GUTI identifier is allocated to the mobile device, detailing the mobile country code (MCC), mobile network code (MNC), and other AMF parameters.
  • The 5GS registration result indicates that SMS is allowed with 3GPP access, but emergency registration and NSSAA are not performed.
  • The message includes a TAI list, providing essential network information.
  • An Allowed NSSAI is specified with a single S-NSSAI to indicate the services the device can access.
  • The 5GS network feature support field denotes support for certain 5G features like IMS-VoPS-N3GPP and IMS-VoPS-3GPP.
  • A T3512 value of 30 with a unit of 1 minute is included; T3512 is the periodic registration update timer.
  • An emergency number list is also provided in the message, giving essential information for emergency services access.

 

The contents of the entire message are as follows:

 

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x2 (Integrity protected and ciphered)

Auth code = 0x59b0464b

Sequence number = 0x02

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x42 (Registration accept)

5GS registration result = 0x09 (Emergency registered=0, NSSAA to be performed=0, SMS allowed=1, 3GPP access)

5G-GUTI:

  5G-GUTI

    MCC = 001

    MNC = 01

    AMF Region ID = 128

    AMF Set ID = 4

    AMF Pointer = 1

    5G-TMSI = 0x4b63aa9a

TAI list:

  Length = 7

  Data = 00 00 f1 10 00 00 64

Allowed NSSAI:

  S-NSSAI

    Length of S-NSSAI contents = 1 (SST)

    SST = 0x01

5GS network feature support:

  0x03 (MPSI=0, IWK N26=0, EMF=not supported, EMC=not supported, IMS-VoPS-N3GPP=1, IMS-VoPS-3GPP=1)

  0x00 (5G-UP CIoT=0, 5G-IPHC-CP CIoT=0, N3 data=0, 5G-CP CIoT=0,

          RestrictEC=both CE mode A and CE mode B are not restricted, MCSI=0, EMCN3=0)

T3512 value:

  Value = 30

  Unit = 5 (1 minute)

Emergency number list:

  Length = 8

  Data = 03 1f 19 f1 03 1f 11 f2
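The log above leaves the TAI list and the emergency number list as raw octets. The following added Python example (not part of the original page) decodes both and converts the T3512 unit/value pair into seconds. The hex strings and the T3512 fields are copied from the log; the function names are assumptions of this example, and the TAI decoder also covers the two list types this trace does not use.

```python
"""Decode the raw Registration Accept fields from this trace (values copied from the log)."""

TAI_LIST = bytes.fromhex("00 00 f1 10 00 00 64")
EMERGENCY_NUMBER_LIST = bytes.fromhex("03 1f 19 f1 03 1f 11 f2")

# Service category bits 1..5 of an emergency number entry.
CATEGORY_BITS = ["police", "ambulance", "fire brigade", "marine guard", "mountain rescue"]

# GPRS timer 3 unit field -> seconds per step (unit 7 means the timer is deactivated).
GPRS_TIMER3_UNIT_SECONDS = {0: 600, 1: 3600, 2: 36000, 3: 2, 4: 30, 5: 60, 6: 320 * 3600}


def decode_plmn(b):
    """3 BCD octets -> (MCC, MNC); an MNC digit 3 of 0xF marks a two-digit MNC."""
    if len(b) != 3:
        raise ValueError("PLMN identity must be 3 octets")
    mcc = f"{b[0] & 0xF:X}{b[0] >> 4:X}{b[1] & 0xF:X}"
    mnc = f"{b[2] & 0xF:X}{b[2] >> 4:X}"
    if b[1] >> 4 != 0xF:
        mnc += f"{b[1] >> 4:X}"
    return mcc, mnc


def decode_tai_list(data):
    """Return [(mcc, mnc, tac), ...] from the value part of a 5GS TAI list."""
    tais, pos = [], 0
    while pos < len(data):
        list_type, count = (data[pos] >> 5) & 0x3, (data[pos] & 0x1F) + 1
        pos += 1
        # Type 0: one PLMN + explicit TACs; 1: one PLMN + first of consecutive TACs;
        # 2: every element carries its own PLMN.
        size = {0: 3 + 3 * count, 1: 6, 2: 6 * count}.get(list_type)
        if size is None or pos + size > len(data):
            raise ValueError("unknown list type or truncated TAI list")
        chunk, pos = data[pos:pos + size], pos + size
        if list_type == 0:
            plmn = decode_plmn(chunk[:3])
            for i in range(count):
                tais.append((*plmn, int.from_bytes(chunk[3 + 3 * i:6 + 3 * i], "big")))
        elif list_type == 1:
            plmn, first = decode_plmn(chunk[:3]), int.from_bytes(chunk[3:6], "big")
            tais += [(*plmn, first + i) for i in range(count)]
        else:
            for i in range(count):
                elem = chunk[6 * i:6 * i + 6]
                tais.append((*decode_plmn(elem[:3]), int.from_bytes(elem[3:], "big")))
    return tais


def decode_bcd_digits(octets):
    """Low nibble first; 0xF is the filler that ends an odd-length number."""
    digits = ""
    for octet in octets:
        for nibble in (octet & 0xF, octet >> 4):
            if nibble == 0xF:
                return digits
            if nibble > 9:
                raise ValueError(f"unexpected BCD nibble 0x{nibble:x}")
            digits += str(nibble)
    return digits


def decode_emergency_numbers(data):
    """Return [(number, [service categories]), ...]."""
    numbers, pos = [], 0
    while pos < len(data):
        length = data[pos]
        entry = data[pos + 1:pos + 1 + length]
        if length < 2 or len(entry) != length:
            raise ValueError("truncated emergency number entry")
        categories = [name for bit, name in enumerate(CATEGORY_BITS) if entry[0] & (1 << bit)]
        numbers.append((decode_bcd_digits(entry[1:]), categories))
        pos += 1 + length
    return numbers


def gprs_timer3_seconds(unit, value):
    """Timer duration in seconds, or None when the timer is deactivated (unit 7)."""
    if unit == 7:
        return None
    return GPRS_TIMER3_UNIT_SECONDS[unit] * value


if __name__ == "__main__":
    print(decode_tai_list(TAI_LIST))
    print(decode_emergency_numbers(EMERGENCY_NUMBER_LIST))
    print(gprs_timer3_seconds(unit=5, value=30), "seconds")
```

The decoded TAI matches the "Last visited registered TAI" in the Registration Request (MCC 001, MNC 01, TAC 0x000064).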

 

 

[Registration Complete]

 

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x2 (Integrity protected and ciphered)

Auth code = 0xeed69df4

Sequence number = 0x02

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x43 (Registration complete)

 

 

[RrcReconfiguration]

 

This is an RRC Reconfiguration, initiated with a transaction identifier of 0. It looks much simpler than you might expect of an RRC configuration. That is because most of the basic configuration is already done by RRCSetup, and only the new configuration is applied at this step.

 

It configures a non-critical extension concerning a master cell group configuration. The dedicated configuration for the spCell configures downlink and uplink configurations. In the downlink, it mentions the setup for PDSCH with resource allocation type 1, RBG size config1, and 256-QAM modulation scheme. It also mentions static bundling with a wideband bundle size for resource block groups. Additionally, it specifies radio link monitoring configurations for failure detection, using a single radio link monitoring resource with an identifier of 0, aimed at radio link failure (RLF) detection with SSB index 0. For the uplink, it configures the setup for PUSCH with a codebook-based transmission configuration, resource allocation type 1, and 256-QAM modulation scheme with non-coherent codebook subset and a maximum rank of 1. There is also a dedicated NAS message list embedded within the RRC reconfiguration message.

 

{

  message c1: rrcReconfiguration: {

    rrc-TransactionIdentifier 0,

    criticalExtensions rrcReconfiguration: {

      nonCriticalExtension {

        masterCellGroup {

          cellGroupId 0,

          spCellConfig {

            spCellConfigDedicated {

              initialDownlinkBWP {

                pdsch-Config setup: {

                  resourceAllocation resourceAllocationType1,

                  rbg-Size config1,

                  mcs-Table qam256,

                  prb-BundlingType staticBundling: {

                    bundleSize wideband

                  }

                },

                radioLinkMonitoringConfig setup: {

                  failureDetectionResourcesToAddModList {

                    {

                      radioLinkMonitoringRS-Id 0,

                      purpose rlf,

                      detectionResource ssb-Index: 0

                    }

                  }

                }

              },

              uplinkConfig {

                initialUplinkBWP {

                  pusch-Config setup: {

                    txConfig codebook,

                    resourceAllocation resourceAllocationType1,

                    mcs-Table qam256,

                    mcs-TableTransformPrecoder qam256,

                    codebookSubset nonCoherent,

                    maxRank 1

                  }

                }

              },

              tag-Id 0

            }

          }

        },

        dedicatedNAS-MessageList {

          '7E0259B0464B027E004201097....'H

        }

      }

    }

  }

}
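The visible prefix of the dedicatedNAS-MessageList above can be parsed as a security-protected 5GS NAS message, which shows that it is the Registration Accept from the previous section and why its inner header is readable even though the outer header says "ciphered". This is an added Python example, not code from the original page; only the octets visible before the elision are used, and the `nas_cipher_alg` parameter (0 for the 5G-EA0 selected in the NAS Security Mode Command) is an assumption of this example.

```python
"""Parse the 5GS NAS security header from the visible prefix of dedicatedNAS-MessageList."""

EPD_5GMM = 0x7E
SECURITY_HEADER_TYPES = {
    0: "Plain 5GS NAS message, not security protected",
    1: "Integrity protected",
    2: "Integrity protected and ciphered",
    3: "Integrity protected with new 5G NAS security context",
    4: "Integrity protected and ciphered with new 5G NAS security context",
}
CIPHERED_TYPES = {2, 4}
# Message types that appear in the logs on this page.
MESSAGE_TYPES = {
    0x41: "Registration request", 0x42: "Registration accept",
    0x43: "Registration complete", 0x56: "Authentication request",
    0x57: "Authentication response", 0x5D: "Security mode command",
    0x5E: "Security mode complete",
}

# Only the octets visible on the page; the remainder of the string is elided there.
VISIBLE_PREFIX = bytes.fromhex("7E0259B0464B027E00420109")


def message_name(octet):
    return MESSAGE_TYPES.get(octet, f"0x{octet:02x}")


def parse_nas(data, nas_cipher_alg):
    """Return the outer security header fields and, when readable, the inner message type."""
    if len(data) < 3 or data[0] != EPD_5GMM:
        raise ValueError("not a 5GS Mobility Management message")
    header_type = data[1] & 0x0F
    if header_type not in SECURITY_HEADER_TYPES:
        raise ValueError(f"unknown security header type {header_type}")
    result = {"security_header": SECURITY_HEADER_TYPES[header_type],
              "mac": None, "sequence_number": None, "inner": None}
    if header_type == 0:
        result["inner"] = message_name(data[2])
        return result
    if len(data) < 7:
        raise ValueError("truncated security header")
    result["mac"] = data[2:6].hex()          # shown as "Auth code" in the logs
    result["sequence_number"] = data[6]
    payload = data[7:]
    # Header types 2 and 4 mean the payload went through the NAS cipher. Only the
    # null cipher (algorithm 0, 5G-EA0) leaves it readable without the key.
    if header_type in CIPHERED_TYPES and nas_cipher_alg != 0:
        return result
    if len(payload) >= 3 and payload[0] == EPD_5GMM and payload[1] & 0x0F == 0:
        result["inner"] = message_name(payload[2])
    return result


if __name__ == "__main__":
    print(parse_nas(VISIBLE_PREFIX, nas_cipher_alg=0))
```

The MAC and sequence number it returns are the "Auth code = 0x59b0464b" and "Sequence number = 0x02" of the Registration Accept log.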

 

 

[RrcReconfigurationComplete]

 

{

  message c1: rrcReconfigurationComplete: {

    rrc-TransactionIdentifier 0,

    criticalExtensions rrcReconfigurationComplete: {

    }

  }

}

 

 

[PDU Session Establishment Request]

 

This is the PDU Session Establishment Request that initiates the data pipe setup. The configuration shown here is a fairly standard PDU session establishment request to get an IPv4v6 PDU session with integrity protection and common protocol configuration options enabled. No special 5GSM capabilities or custom options are indicated.

 

NOTE: For the details of PDU Session Setup in terms of NAS signaling, check out this note; for the details of data path setup in terms of the core network, check out this note.

 

Some highlights are:

  • It is establishing PDU session 1 for IPv4v6 dual stack connectivity.
  • Integrity protection for user plane data is requested with 64kbps maximum rates for uplink and downlink.
  • 5GSM capabilities indicate no special features like TPMIC, ATSSS, EPT, MH6-PDU, etc.
  • Extended protocol configuration options provide:
    • CHAP parameters for authentication
    • IPCP parameter indicating IPv4 address request
    • DNS IPv4/IPv6 address requests
    • Request for NAS signaling-based IP address allocation
    • Indicators to support various optional capabilities like bearer control, local address in TFT, short QoS rules, etc.

 

The entire contents of the message in this example are:

 

Protocol discriminator = 0x2e (5GS Session Management)

PDU session identity = 1

Procedure transaction identity = 5

Message type = 0xc1 (PDU session establishment request)

Integrity protection maximum data data:

  Maximum data rate per UE for user-plane integrity protection for uplink = 0x00 (64 kbps)

  Maximum data rate per UE for user-plane integrity protection for downlink = 0x00 (64 kbps)

PDU session type = 0x3 (IPv4v6)

5GSM capability:

  0x00 (TPMIC=0, ATSSS-ST=0, EPT-S1=0, MH6-PDU=0, RqoS=0)

Extended protocol configuration options:

  Ext = 1

  Configuration protocol = 0

  Protocol ID = 0xc223 (CHAP)

  Data = 01 00 00 16 10 11 f7 7e 7e 11 f7 7e 7e 11 f7 7e 7e 11 f7 7e 7e 2a

  Protocol ID = 0xc223 (CHAP)

  Data = 02 00 00 16 10 9a 62 f4 9f cd d9 60 54 7a a9 37 58 60 99 f0 77 2a

  Protocol ID = 0x8021 (IPCP)

  Data = 01 00 00 10 81 06 00 00 00 00 83 06 00 00 00 00

  Protocol ID = 0x000d (DNS Server IPv4 Address Request)

  Data =

  Protocol ID = 0x0003 (DNS Server IPv6 Address Request)

  Data =

  Protocol ID = 0x000a (IP address allocation via NAS signalling)

  Data =

  Protocol ID = 0x0005 (MS Support of Network Requested Bearer Control indicator)

  Data =

  Protocol ID = 0x0010 (IPv4 Link MTU Request)

  Data =

  Protocol ID = 0x0011 (MS support of Local address in TFT indicator)

  Data =

  Protocol ID = 0x0023 (QoS rules with the length of two octets support indicator)

  Data =

  Protocol ID = 0x0024 (QoS flow descriptions with the length of two octets support indicator)

  Data =

 

 

[PDU Session Establishment Accept]

 

This is the PDU Session Establishment Accept message sent by the network in response to the PDU Session Establishment Request from the UE.

 

NOTE: For the details of PDU Session Setup in terms of NAS signaling, check out this note; for the details of data path setup in terms of the core network, check out this note.

 

Some highlights are:

  • Accepts a PDU session of type IPv4 only, not IPv4v6 as requested.
  • Default QoS rule created with bidirectional, match-all packet filters, QFI=1.
  • Session AMBR of 5 Mbps downlink, 2 Mbps uplink.
  • 5GSM cause code indicates IPv4 only PDU session allowed.
  • PDU IP address allocated to the UE is 192.168.3.2.
  • S-NSSAI indicates SST=1.
  • Maps to EPS bearer context #5 with QCI 9.
  • Authorized QoS flow description #1 mapped to QFI 1 and EPS bearer 5.
  • Extended PCO provides an IPCP IPv4 parameter and the DNS server 8.8.8.8.
  • DNN provided as "internet.mnc001.mcc001.gprs".

 

The entire contents of the message are:

 

Protocol discriminator = 0x2e (5GS Session Management)

PDU session identity = 1

Procedure transaction identity = 5

Message type = 0xc2 (PDU session establishment accept)

Selected PDU session type = 0x1 (IPv4)

Selected SSC mode = 0x1 (1)

Authorized QoS rules:

  QoS rule 1:

    QoS rule identifier = 1

    Rule operation code = 1 (create new QoS rule)

    DQR = 1 (the QoS rule is the default QoS rule)

    Number of packet filters = 1

    Packet filter identifier = 15

      Packet filter direction = 3 (bidirectional)

      Match-all

    QoS rule precedence = 255

    QFI = 1

Session AMBR:

  Session-AMBR for downlink = 5000 Mbps

  Session-AMBR for uplink = 2000000 kbps

5GSM cause = 0x32 (PDU session type IPv4 only allowed)

PDU address:

  SI6LLA = 0

  PDU session type = 1 (IPv4)

  IPv4 = 192.168.3.2

S-NSSAI:

  Length of S-NSSAI contents = 1 (SST)

  SST = 0x01

Mapped EPS bearer contexts:

  Mapped EPS bearer context 1:

    EPS bearer identity = 5

    Operation code = 1 (create new EPS bearer)

    E = 1 (parameters list is included)

    Number of EPS parameters = 2

    Mapped EPS QoS parameters:

      QCI = 9

    APN-AMBR:

      APN-AMBR for downlink = 4864000000 bits

      APN-AMBR for uplink = 1792000000 bits

Authorized QoS flow descriptions:

  QoS flow description 1:

    QFI = 1

    Operation code = 1 (create new QoS flow description)

    E = 1 (parameters list is included)

    Number of parameters = 2

    5QI = 9

    EPS bearer identity = 5

Extended protocol configuration options:

  Ext = 1

  Configuration protocol = 0

  Protocol ID = 0x8021 (IPCP)

  Data = 03 00 00 0a 81 06 08 08 08 08

  Protocol ID = 0x000d (DNS Server IPv4 Address)

  Data = 8.8.8.8

DNN = "internet.mnc001.mcc001.gprs"
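The CHAP and IPCP containers in the extended protocol configuration options of the request and the accept are PPP packets, shown in the logs only as hex. The following added Python example (not part of the original page) decodes them with length validation and reports the repetition period of each CHAP value, which makes the patterned challenge in this trace visible. The hex strings are copied from the logs; the function names are assumptions of this example.

```python
"""Decode the PPP packets (CHAP, IPCP) carried in the ePCO containers of this trace."""

# Container contents copied from the two PDU session logs on this page.
CHAP_CHALLENGE = "01 00 00 16 10 11 f7 7e 7e 11 f7 7e 7e 11 f7 7e 7e 11 f7 7e 7e 2a"
CHAP_RESPONSE = "02 00 00 16 10 9a 62 f4 9f cd d9 60 54 7a a9 37 58 60 99 f0 77 2a"
IPCP_REQUEST = "01 00 00 10 81 06 00 00 00 00 83 06 00 00 00 00"
IPCP_ACCEPT = "03 00 00 0a 81 06 08 08 08 08"

CHAP_CODES = {1: "Challenge", 2: "Response"}
IPCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject"}
IPCP_OPTIONS = {0x03: "IP-Address", 0x81: "Primary-DNS", 0x83: "Secondary-DNS"}


def ppp_header(data):
    """Split code, identifier and body; the 2-octet length covers the whole packet."""
    if len(data) < 4:
        raise ValueError("PPP packet shorter than its 4-octet header")
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"declared length {length} but container holds {len(data)} octets")
    return data[0], data[1], data[4:]


def parse_chap(hex_string):
    """Challenge and Response share one layout: value size, value, name."""
    code, ident, body = ppp_header(bytes.fromhex(hex_string))
    if code not in CHAP_CODES:
        raise ValueError(f"CHAP code {code} carries no value/name pair")
    if not body or 1 + body[0] > len(body):
        raise ValueError("CHAP value size exceeds the packet")
    value, name = body[1:1 + body[0]], body[1 + body[0]:]
    return {"code": CHAP_CODES[code], "id": ident, "value": value,
            "name": name.decode("ascii", "replace")}


def parse_ipcp(hex_string):
    code, ident, body = ppp_header(bytes.fromhex(hex_string))
    options, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated IPCP option header")
        opt_type, opt_len = body[pos], body[pos + 1]   # opt_len includes these 2 octets
        if opt_len < 2 or pos + opt_len > len(body):
            raise ValueError("IPCP option length runs past the packet")
        value = body[pos + 2:pos + opt_len]
        text = ".".join(str(b) for b in value) if len(value) == 4 else value.hex()
        options.append((IPCP_OPTIONS.get(opt_type, f"option-0x{opt_type:02x}"), text))
        pos += opt_len
    return {"code": IPCP_CODES.get(code, f"code-{code}"), "id": ident, "options": options}


def smallest_period(value):
    """Length of the shortest block whose repetition reproduces value.

    A period shorter than the value itself means the bytes are a repeated pattern.
    """
    for period in range(1, len(value) + 1):
        if len(value) % period == 0 and value == value[:period] * (len(value) // period):
            return period
    return 0  # only reached for an empty value


if __name__ == "__main__":
    for packet in (CHAP_CHALLENGE, CHAP_RESPONSE):
        chap = parse_chap(packet)
        print(chap["code"], chap["value"].hex(), "name:", chap["name"],
              "period:", smallest_period(chap["value"]))
    print(parse_ipcp(IPCP_REQUEST))
    print(parse_ipcp(IPCP_ACCEPT))
```

In this trace the IPCP packets carry DNS server options: the request asks with 0.0.0.0 placeholders and the network answers with a Configure-Nak that supplies 8.8.8.8.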

Reference

 

[1] 5G Standalone Access Registration Signaling Messages

[2] 5G Standalone Access: Registration Procedure