What NAS is and what it does
The radio protocol stack (PHY/MAC/RLC/PDCP/RRC) handles the air interface between UE and gNB. NAS sits one layer above RRC and communicates end-to-end between the UE and the AMF in the 5G Core. The gNB is transparent to NAS — it simply forwards NAS PDUs between UE and AMF.
NAS is split into two sublayers:
5GMM (5G Mobility Management) — handles UE registration, authentication, security, paging, tracking area updates, and emergency services.
5GSM (5G Session Management) — handles PDU session establishment, modification, and release. A PDU session is the connection between the UE and a data network (internet, corporate intranet, IMS).
NAS states
The UE has independent NAS states for mobility management and session management:
| 5GMM State | Meaning | RRC State |
|---|---|---|
| 5GMM-DEREGISTERED | UE not registered. No 5G-GUTI. Cannot receive services. | RRC_IDLE |
| 5GMM-REGISTERED | UE registered. Has 5G-GUTI. Can receive and initiate services. | Any RRC state |
| 5GMM-REGISTERED.NORMAL-SERVICE | Sub-state — full service available | RRC_IDLE/INACTIVE/CONNECTED |
| 5GMM-REGISTERED.LIMITED-SERVICE | Emergency calls only — PLMN not fully accepted | RRC_IDLE |
NAS message structure
Every NAS message has a common header followed by message-specific information elements. The header identifies the protocol discriminator (5GMM or 5GSM), security header type, and message type.
// 5GMM Message Types (Protocol Discriminator = 0x7E): 0x41 Registration Request ← UE → AMF, initiates connection 0x42 Registration Accept ← AMF → UE, assigns 5G-GUTI 0x43 Registration Complete ← UE → AMF, acknowledges 0x44 Registration Reject ← AMF → UE, with cause value 0x45 Deregistration Request ← UE → AMF (UE-initiated power off) 0x54 Authentication Request ← AMF → UE, sends RAND/AUTN 0x55 Authentication Response ← UE → AMF, sends RES* 0x58 Security Mode Command ← AMF → UE, activate ciphering 0x59 Security Mode Complete ← UE → AMF, first NAS-ciphered msg 0x68 DL NAS Transport ← AMF → UE, carries 5GSM PDUs 0x67 UL NAS Transport ← UE → AMF, carries 5GSM PDUs // 5GSM Message Types (carried inside NAS Transport): 0xC1 PDU Session Establishment Request 0xC2 PDU Session Establishment Accept 0xCB PDU Session Modification Request
NAS security
NAS messages are protected by two mechanisms:
Integrity protection — a 32-bit NAS-MAC (Message Authentication Code) appended to each NAS PDU, computed using the NAS integrity algorithm (NIA0/NIA1/NIA2) keyed with K_NASint derived during authentication.
Ciphering — the NAS payload is encrypted using the NAS ciphering algorithm (NEA0/NEA1/NEA2) keyed with K_NASenc. Note: the NAS header (discriminator, security header type, message type) is never ciphered — only the content.
NAS security is activated by the Security Mode Command procedure. From that point, all NAS messages are integrity-protected, and most are also ciphered. The Registration Request (first message) is sent without protection because keys do not exist yet.
NAS transport over RRC
NAS PDUs are carried over SRB1 inside dedicatedNAS-Message or nas-PDU fields within RRC messages. The gNB extracts them and forwards via NGAP to the AMF. The gNB never deciphers NAS content — it has no NAS keys.