Architectural issue in 5G-NSA Option 3X implementation
Most of operators are launching 5G-NSA with eMBB slice and showing remarkable throughput testing with commercial type handsets. We managed to achieve 1.26 Gbps throughput as well. I will clarify the Architectural issue in 5G-NSA Option 3X implementation with IPsec Transport security in this article.
During the initial architecture design phase of NSA option 3X mode, we found a scenario where UL traffic has to travel unnecessary hops due to IPsec tunnel (for transport security). Most of Operators are using Option 3X for NSA deployment and awareness of this issue is very less and User experience may impact severely due to high latency in back-hauling path for Uplink traffic. The issue is related with introduction of IPsec tunnel for 5G traffic as most of existing LTE deployments are using IPsec tunnel in transport network. So by default most operators also put 5G traffic in IPsec tunnel similar to LTE.
Option 3X is the most feasible and cost effective way of deploying 5G-NSA due to many reasons and I’m not going to discuss such details as the article objective is to highlight the architectural issue. Just to ramp up about Options 3X, PDCP control point of the UL/DL data transmission is in gNodeB and X2 interface is playing a critical role in this mode. In another words, eNodeB communicating to MME for CP and gNodeB is communicating to SGW for UP towards EPC direction and vise versa. X2 Interface is communicating to eNodeB for signalling via SCTP/IP protocols and user plan via GTPU protocol. I think, signalling communication between eNodeB & gNideB using X2 interface is fully understandable. But why there is a user plan communication between eNodeB and gNodeB via X2 interface in Option 3X? below will explain the reason.
Here is typical scenario of coverage unbalance in NR UL & DL. Due to limited power in UE, UL coverage in C-Band is very limited. In DL , Massive MIMO is improving DL coverage using beam-forming. So the gap between UL & DL coverage is large. So if you don't have UL/DL decoupling implemented , UE in blue area will use UL of LTE as UE is already dual connected in NSA. So the UL stream from UE will use eUtran air interface and process the stream till RLC layer in eNodeB and then transfer the UL stream to gNodeB PDCP layer to process. So the user plane stream will transfer from eNodeB to gNodeB via X2 interface. Then gNodeB will send the UL stream to SGW.
Issue:
Now here is where the problem of architectural issue exists with IPsec implementation in transport network. X2 Interface between eNodeB and gNodeB is not directly connected locally. (It is possible to connect eNodeB and gNodeB directly locally if they are co-site nodes) . The connectivity is through IPsec Tunnels of eNodeB and gNodeB.
Mostly IPsec Firewalls are not distributed in Access transport network due to high CAPEX in most operators. So the Firewall will be in Aggregation layer of transport network to serve multiple Access network segments according to geography. Above picture is an example. You can see X2 traffic line has to come all the way to aggregation layer and go back to access layer again and connect eNodeB and gNodeB together.
Finally the UL flow is as below:
UE to eNodeB through Uu interface, then eNodeB to firewall via X2 interface , next is firewall to gNodeB via X2 interface, then gNodeB to SGW via S1-U interface. So traffic is in zigzag path where transport layer latency will increase by two times.
Solution :
Two solutions for this issue , you can move your IPsec Functionality to Access layer other than Aggregation layer. But this approach need lots of CAPEX and lot of changes in existing LTE network as well.
Best Solution is to have direct IPsec tunnel between eNodeB and gNodeB without a firewall to form tunnel with them. Most of products in the market can do that. For example Huawei has a feature called "Direct IPsec Tunnel" to do so and Nokia has a feature called "X2 Mesh". So the X2 interface will not enter to aggregation layer. But little work is required in Access layer routing and eNodeB/gNodeB IPsec configurations. steps are as below:
- Remove X2 traffic from existing IPsec Tunnel formed between IPSec Firewall and eNodeB/gNodeB.
- Import routing in Access layer VRF for X2 interface IPs.
- New Feature activation in eNodeB/gNodeB to form direct IPsec tunnel.
Thanks,
Hassan QADI
Director of Technical Services at DRIVE-THRU Consulting Co., Ltd
20+ years in Wireless & Telecom Business Solutions GSM UMTS LTE 5G IoT Small Cell WiFi Rural (Huawei Nokia Siemens Product Sales Bidding) for Carriers & Enterprise Customers. Available for Mexico ???? #OpentoWork
4 年Mr. Hassan. I have read there are other Options (besides Option 3, 7, and 4).... do you have a summary of them that you could share? Why do the operators choose only these option3, 7 and 4?.
20+ years in Wireless & Telecom Business Solutions GSM UMTS LTE 5G IoT Small Cell WiFi Rural (Huawei Nokia Siemens Product Sales Bidding) for Carriers & Enterprise Customers. Available for Mexico ???? #OpentoWork
4 年Greate explanation, thanks.
Let's make things simple !
4 年Informative..thanks for sharing ??