Evaluation of Security-Induced Latency on 5G RAN Interfaces and User Plane Communication

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

5G promises enhanced performance, not only in bandwidth and capacity, but also latency and security. Its ultra-reliable low-latency configuration targets round-trip times below 1 ms, while optional security controls extend protection across all interfaces, making 5G attractive for mission-critical applications. A key enabler of low latency is the disaggregation of network components, including the RAN, allowing user-plane functions to be deployed nearer to end users. However, this split introduces additional interfaces, whose protection increases latency overhead. In this paper, guided by discussions with a network operator and a 5G manufacturer, we evaluate the latency overhead of enabling optional 5G security controls across internal RAN interfaces and the 5G user plane. To this end, we deploy the first testbed implementing a disaggregated RAN with standardized optional security mechanisms. Our results show that disaggregated RAN deployments retain a latency advantage over monolithic designs, even with security enabled. However, achieving sub-1 ms round-trip times remains challenging, as cryptographic overhead alone can already exceed this target.


💡 Research Summary

The paper presents a comprehensive experimental evaluation of the latency impact caused by optional security mechanisms when applied to internal 5G Radio Access Network (RAN) interfaces and the user‑plane (UP) in a disaggregated architecture. The authors begin by outlining the 5G architectural shift from monolithic, hardware‑centric deployments to cloud‑native, modular designs that separate the Control Plane (CP) and User Plane (UP) functions. This disaggregation enables latency‑critical components such as the Distributed Unit (DU) and User‑Plane Function (UPF) to be placed at the edge, which is essential for achieving the ultra‑low‑latency target of sub‑1 ms round‑trip time (RTT). However, the proliferation of internal interfaces (F1‑C, F1‑U, E1, N2, etc.) in a split RAN expands the attack surface, making optional security controls—IPsec, DTLS, TLS, and the 3GPP‑defined integrity (NIA) and encryption (NEA) algorithms—necessary for protecting data in environments where physical security cannot be guaranteed.

To ground the study in real‑world practice, the authors consulted a major European mobile network operator (MNO) and a leading 5G equipment vendor. These interviews revealed that while traditional monolithic RANs often forego optional security due to bandwidth and performance concerns, disaggregated deployments almost always enable these mechanisms because the functional blocks are distributed across cloud infrastructure. The vendor also highlighted a growing market trend toward virtualized, disaggregated RANs, projected to reach 20 % of deployments by 2028.

The experimental platform builds on the authors’ previous open‑source testbed (Open5GS + UERANSIM) but replaces UERANSIM with OpenAirInterface (OAI) to support a fully disaggregated RAN. Each network function—5GC, CU‑CP, CU‑UP, DU, UPF, and the UE—is containerized and connected via dedicated Docker bridges that emulate the 3GPP interfaces. The testbed implements all optional security controls identified in the 3GPP specifications: six IPsec ESP configurations (varying cipher and authentication algorithms) and a single DTLS configuration (AES‑GCM 128‑bit with three different key‑exchange/authentication methods). Security associations are established once during the discovery phase, mirroring operational networks where re‑handshakes are rare; therefore, measurements focus solely on the per‑packet encryption and integrity‑protection overhead.
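The measurement approach described above, establishing the security association once and timing only the per-packet protection work, can be sketched as follows. This is an added example, not code from the paper or its testbed; it assumes an integrity-only, ESP-like framing (SPI, sequence number, payload, HMAC-SHA-256 truncated to 128 bits), and the class, function names and SPI value are hypothetical.

```python
import hashlib
import hmac
import os
import statistics
import struct
import time

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits (assumed algorithm)


class SecurityAssociation:
    """Set up once (handshake cost excluded); reused for every packet."""

    def __init__(self, spi, key):
        self.spi, self.key, self.tx_seq, self.rx_seq = spi, key, 0, 0


def protect(sa, payload):
    """Per-packet send path: ESP-like header + payload + truncated ICV."""
    sa.tx_seq += 1
    body = struct.pack("!II", sa.spi, sa.tx_seq) + payload
    return body + hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]


def verify(sa, packet):
    """Per-packet receive path: check the ICV, then reject replays."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or seq <= sa.rx_seq:  # strict ordering, no replay window
        return None
    sa.rx_seq = seq
    return body[8:]


def per_packet_overhead_us(payload_len=1400, packets=2000):
    """Median protect+verify time per packet, in microseconds."""
    key = os.urandom(32)               # SA setup stays outside the timed region
    tx, rx = SecurityAssociation(0x1001, key), SecurityAssociation(0x1001, key)
    payload = os.urandom(payload_len)  # constructed sample payload
    samples = []
    for _ in range(packets):
        start = time.perf_counter_ns()
        ok = verify(rx, protect(tx, payload))
        samples.append((time.perf_counter_ns() - start) / 1000)
        assert ok == payload
    return statistics.median(samples)


if __name__ == "__main__":
    print(f"median per-packet overhead: {per_packet_overhead_us():.1f} us")
```

The absolute figure reflects interpreter and CPU cost on the machine running it and is not comparable to the paper's kernel-level IPsec measurements; the point is the separation of one-time setup from steady-state per-packet cost.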

Latency measurements across individual interfaces show that IPsec adds only 10–60 µs of extra delay, regardless of the chosen cipher suite, while DTLS incurs slightly higher overhead (≈70–90 µs). Notably, the F1‑U interface—responsible for both user data and control traffic between CU‑UP and DU—exhibits minimal latency increase when secured, contradicting earlier assumptions that user‑plane security would be a bottleneck. The authors also confirm that the N3 interface (CU‑UP ↔ UPF) behaves similarly.

When aggregating the overhead across the full end‑to‑end user‑plane path (UE → CU‑UP → DU → UPF), the cumulative security‑induced latency pushes the RTT beyond the 1 ms target, even though each individual hop remains within the sub‑100 µs range. In a monolithic RAN the baseline RTT is roughly 0.9 ms; disaggregation without security reduces it to about 0.6 ms due to edge placement, but enabling security raises the RTT to 1.2–1.4 ms. This demonstrates that cryptographic processing alone can dominate the latency budget in ultra‑low‑latency scenarios.

The paper’s contributions are fourfold: (1) practical insights from industry partners on security‑performance trade‑offs in disaggregated RANs; (2) the first open‑source testbed that supports all optional internal RAN security controls; (3) a detailed per‑interface latency analysis identifying IPsec as the most latency‑efficient option; and (4) an end‑to‑end user‑plane latency evaluation showing that achieving sub‑1 ms RTT while maintaining strong security remains challenging.

The authors acknowledge limitations: the experiments are conducted in a controlled lab environment with a single UE and limited traffic patterns, and they do not explore hardware acceleration, multi‑user scheduling effects, or large‑scale carrier deployments. Future work is suggested to investigate lightweight cryptographic algorithms, hardware‑based offloading, and adaptive security policies that can dynamically balance latency and protection based on service requirements.

In conclusion, the study provides quantitative evidence that optional security mechanisms, particularly IPsec, can be deployed on disaggregated 5G RAN interfaces with modest per‑hop latency penalties, but the aggregate effect still threatens the ambitious sub‑1 ms RTT goal. Network designers must therefore consider security overhead in their latency budgets and explore optimization techniques—such as cryptographic acceleration or selective security—to reconcile the dual objectives of ultra‑low latency and robust protection in next‑generation mobile networks.

