SBI & N4 Interface Reference

A lookup reference for the two control protocols an integrator works with most in the 5GC: the Service-Based Interface (SBI) between control-plane NFs, and PFCP over N4 between the SMF and the UPF. For the architectural context, see Service-Based Architecture & Reference Points.

Governing specifications

Spec	Body	Scope
TS 23.501	3GPP	System architecture - SBA, NFs, and reference points.
TS 23.502	3GPP	Procedures and call flows (the order of service invocations).
TS 29.500	3GPP	SBI technical realization - HTTP/2, error model, versioning.
TS 29.501	3GPP	SBI design principles and OpenAPI conventions.
TS 29.510	3GPP	NRF services (Nnrf_NFManagement, Nnrf_NFDiscovery).
TS 29.502 / 29.518 / …	3GPP	Per-NF service APIs (SMF PDU session, AMF communication, etc.).
TS 29.244	3GPP	PFCP - the N4 protocol between control plane (SMF) and user plane (UPF).

3GPP publishes machine-readable OpenAPI 3 definitions for each SBI service, which is what TOSSI uses to drive contract testing and mock NFs.

---

Part 1 - The Service-Based Interface (SBI)

Transport and encoding

Property	Value
Application protocol	HTTP/2 (RFC 7540), per TS 29.500
Security	TLS 1.2/1.3 for SBI; mutual TLS and OAuth2 access tokens for NF authorization
Serialization	JSON (and multipart for binary, e.g. NAS/N2 payloads)
API description	OpenAPI 3.0 YAML, published per service by 3GPP
Style	RESTful resources + custom operations

URI structure

SBI resources follow a consistent pattern:

{apiRoot}/{apiName}/{apiVersion}/{apiSpecificResourceUriPart}

example:
https://nrf.5gc.local/nnrf-nfm/v1/nf-instances/{nfInstanceId}

• apiName is the service name, conventionally n{nf}-{service} (e.g. nnrf-nfm, nsmf-pdusession, namf-comm).
• apiVersion (v1, v2, …) lets producers and consumers negotiate compatibility.

Service operation styles

TS 29.501 defines three interaction styles:

• Request–response - a consumer calls a producer and gets a synchronous reply (e.g. NF discovery).
• Subscribe–notify - a consumer subscribes to a resource; the producer POSTs notifications to a callback URI (e.g. NF status change).
• Resource CRUD - standard create/read/update/delete on a resource.

NRF - the discovery backbone

The NRF (TS 29.510) is the service most worth knowing by heart, because every interop test starts here.

Register an NF

An NF registers (or updates) its profile by PUT-ing to the NF management service:

PUT /nnrf-nfm/v1/nf-instances/{nfInstanceId} HTTP/2
Content-Type: application/json

{
  "nfInstanceId": "f1c2...",
  "nfType": "SMF",
  "nfStatus": "REGISTERED",
  "fqdn": "smf.5gc.local",
  "sNssais": [{ "sst": 1, "sd": "010203" }],
  "nfServices": [
    { "serviceInstanceId": "smf-pdusession-1",
      "serviceName": "nsmf-pdusession",
      "versions": [{ "apiVersionInUri": "v1" }],
      "scheme": "https" }
  ]
}

Discover an NF

A consumer (e.g. AMF) discovers a producer (e.g. SMF) by querying the discovery service:

GET /nnrf-nfdisc/v1/nf-instances?target-nf-type=SMF&requester-nf-type=AMF&snssais=[{"sst":1,"sd":"010203"}] HTTP/2
Accept: application/json

The NRF returns matching nfInstances with their service endpoints and supported slices.

Authorize (OAuth2)

For SBI authorization the consumer obtains an access token from the NRF’s token endpoint and presents it as a bearer token on subsequent service calls:

POST /oauth2/token HTTP/2
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&nfInstanceId=...&scope=nsmf-pdusession

Commonly referenced SBI services

Service name	Producer	Used for
nnrf-nfm	NRF	NF registration, heartbeat, status subscribe/notify.
nnrf-nfdisc	NRF	NF discovery (find a producer by type + slice).
namf-comm	AMF	N1/N2 message transfer, UE context management.
nsmf-pdusession	SMF	Create/update/release PDU session SM contexts.
nausf-auth	AUSF	UE authentication (5G-AKA / EAP-AKA’).
nudm-sdm / nudm-ueau	UDM	Subscriber data management; auth vector generation.
nudr-dr	UDR	Structured data repository access.
npcf-smpolicycontrol	PCF	Session-management policy for the SMF.

Integrator workflow

TOSSI uses the published OpenAPI documents to (1) contract-test each NF against the spec, (2) stand up mock producers so a single NF can be tested in isolation, and (3) build the NRF interop matrix - cross-checking that consumers from one implementation discover and call producers from another. A green NRF discovery is necessary but not sufficient: the producer must also honour the OpenAPI contract on the actual service call.

Security and PQC

SBI security is the largest classical-crypto surface in the core:

• In place: TLS for confidentiality/integrity, mutual TLS for NF identity, OAuth2 for service authorization.
• Migration target: SBI TLS key exchange moves to hybrid / post-quantum (ML-KEM) and certificate signatures to ML-DSA. NFs adopt PQC either through a post-quantum cryptography library linked into the NF runtime, or via a PQC-enabled TLS provider for OpenSSL-based NFs. See the Post-Quantum Security pillar for the sequencing and the GSMA PQ.05 alignment.

---

Part 2 - N4 and PFCP (SMF ↔ UPF)

N4 is the Control/User Plane Separation (CUPS) interface: the SMF programs forwarding, QoS, and usage rules into the UPF. Unlike the SBI, N4 does not use HTTP - it uses PFCP, a purpose-built binary protocol (TS 29.244).

Transport

Property	Value
Protocol	PFCP (Packet Forwarding Control Protocol), TS 29.244
Transport	UDP, port 8805
Encoding	Binary TLV (type-length-value) Information Elements
Security	IPsec/IKEv2 recommended for N4 transport protection

Core message types

Message	Direction	Purpose
PFCP Association Setup	SMF ↔ UPF	Establish the SMF–UPF association before any session work.
PFCP Session Establishment	SMF → UPF	Create a session and install its forwarding/QoS rules.
PFCP Session Modification	SMF → UPF	Update rules (e.g. on handover, QoS change).
PFCP Session Deletion	SMF → UPF	Tear down the session.
PFCP Session Report	UPF → SMF	Report usage, events, or buffered-packet notifications.
PFCP Heartbeat	SMF ↔ UPF	Liveness and restart detection.

The rule model

A PFCP session is a set of rules the SMF installs into the UPF. These are the IEs an integrator must reason about when matching an SMF to a UPF:

Rule	Name	Role
PDR	Packet Detection Rule	Matches packets (by interface, TEID, IP filters) and points to the other rules.
FAR	Forwarding Action Rule	What to do with matched packets: forward, drop, buffer, duplicate; sets outer header (GTP-U).
QER	QoS Enforcement Rule	Rate limiting and QoS marking (per QFI / flow).
URR	Usage Reporting Rule	Volume/time thresholds that trigger Session Reports (charging, quota).
BAR	Buffering Action Rule	Controls buffering of downlink packets while the UE is idle.

   SMF ──PFCP/N4 (UDP 8805)──► UPF
        Session Establishment
        ├─ PDR  (match: N3 TEID / N6 IP)
        ├─ FAR  (action: forward, GTP-U encap)
        ├─ QER  (QoS: rate, QFI marking)
        └─ URR  (report: volume threshold)

N4 feature negotiation is where UPFs break

PFCP capabilities are negotiated in the Association Setup (the UP Function Features IE). When TOSSI pairs a third-party or eBPF-based UPF (from the eBPF & Dataplane pillar) with a given SMF, the integration check is: does the UPF advertise the PFCP features the SMF expects (e.g. buffering, usage reporting, header enrichment)? A feature mismatch yields sessions that “establish” but silently drop or mis-forward traffic.

N4 and the user-plane reference points

N4 is control only. The packets it governs flow on:

• N3 - GTP-U (TS 29.281) over UDP, gNB ↔ UPF. The FAR’s outer-header-creation IE builds these GTP-U headers.
• N6 - plain IP, UPF ↔ data network.

Both are forwarding paths the eBPF & Dataplane pillar can accelerate with XDP, expressing PDR/FAR logic as eBPF maps for a programmable user plane.

N4 security and PQC

N4 protection uses IPsec/IKEv2. The PQC migration target is hybrid/post-quantum key exchange in IKEv2 (via a PQC-enabled IPsec/IKEv2 daemon, RFC 9370 multiple key exchanges) so the N4 association survives “harvest-now-decrypt-later” - see the Post-Quantum Security pillar.

---

Quick reference card

You need to…	Use	Where
Find which NF provides a service	nnrf-nfdisc (GET nf-instances)	NRF, TS 29.510
Register an NF	nnrf-nfm (PUT nf-instances)	NRF, TS 29.510
Create a PDU session context	nsmf-pdusession	SMF, TS 29.502
Program the UPF	PFCP Session Establishment	N4, TS 29.244
Carry user packets from RAN	GTP-U on N3	TS 29.281
Secure SBI	TLS + OAuth2 (→ PQC)	TS 29.500, PQC
Secure N4/N3	IPsec/IKEv2 (→ PQC)	PQC

Architecture & reference points The NFs and N1–N6 these protocols connect.

Deploy a core in 15 minutes See NRF discovery and an N4-driven PDU session in practice.

Roadmap

Planned reference assets: a downloadable curl collection for the NRF discovery + PDU-session flow, and a PFCP feature-compatibility table auto-generated from each supported UPF’s advertised UP Function Features. Not yet published.