CaptchaLa Blog

Appearance

EnCoR: An end-to-end architecture for simplifying cellular networks

Source: arXiv:2605.22524 · Published 2026-05-21 · By Wesley Woo, Zhuowei Wen, Monniiesh Velmurugan, Richard Raad, Sylvia Ratnasamy, Scott Shenker et al.

TL;DR

The paper addresses fundamental inefficiencies in cellular network architectures caused by in-network mobility management, where user IP addresses are anchored centrally in the network core. This architectural choice, inherited since 2G, increases end-to-end latency and operational complexity, and imposes tunnel overhead and signaling load during handovers. Recognizing the increasing mobility tolerance of modern applications and protocols like QUIC that support connection migration, the authors propose EnCoR, a novel cellular network architecture that removes mobility anchoring from the core entirely. Instead, EnCoR terminates the user plane at the network edge (iNodeB), leveraging end-to-end mobility from transport and application layers, while keeping centralized stateful functions (authentication, charging) in the core. This decoupling reduces latency and simplifies operations without altering existing phones or radio interfaces. EnCoR retains compatibility with existing authentication and charging mechanisms, and supports standard 3GPP QoS techniques.

The authors implement EnCoR and evaluate it through a combination of hardware testbed experiments with unmodified devices running real applications (video streaming, voice), simulations at national scale using real deployment data, and control plane load tests under throttled hardware. They demonstrate that EnCoR achieves equivalent performance to traditional LTE during mobility, cuts end-to-end latency over 90% versus 3GPP networks by eliminating tunneling detours, reduces core control plane signaling, and scales to handle 2.6x more handover events under load with 2.6x lower handover latency. EnCoR’s stateless NAT approach in the edge user plane enables IP address persistence from the UE perspective while supporting mobility. Cost analysis based on FCC infrastructure estimates suggests capital expense reductions over 90% due to simplified core and border routers. Overall, EnCoR offers a deployable, scalable approach aligning with the end-to-end principle and modern Internet transport trends to simplify and improve cellular networks.

Key findings

  • EnCoR eliminates tunnel-based IP anchoring by terminating user plane at the edge, reducing end-to-end latency by over 90% compared to 3GPP LTE cores (Section 6.2).
  • Under load, EnCoR achieves 2.6x lower handover completion latency compared to traditional LTE with identical hardware resources (Fig. 9).
  • Control plane signaling related to mobility is significantly reduced because EnCoR removes centralized user plane state, reducing operational complexity.
  • EnCoR handles a greater number of handover events on throttled hardware than LTE core due to lighter control plane state management.
  • Applications tested (video streaming, voice calls) on unmodified commercial phones show no performance degradation in EnCoR compared to LTE in both mobility and stationary scenarios.
  • Stateless NAT addressing scheme allows UE IP addresses to appear stable while enabling iNodeBs to map addresses without large NAT tables or additional signaling overhead.
  • Cost modeling using FCC data estimates capital expenditure reduction of more than 90% on core and border router infrastructure for low-latency service provision.
  • EnCoR preserves compatibility with existing 3GPP authentication (LTE-AKA) and charging mechanisms, maintaining operator business requirements.

Threat model

The adversary model is implicit rather than explicit; the system assumes threats mitigated by 3GPP SIM-based authentication and mutual trust between UE and operator network. It does not consider active adversaries attempting to subvert handover signaling or user plane mapping; confidentiality and integrity are preserved using existing 3GPP session keys derived via LTE-AKA. EnCoR assumes transport layer can handle temporary disruptions and packet loss during handover. The design is focused on performance and scalability improvements rather than adversarial resilience.

Methodology — deep read

  1. Threat Model & Assumptions: The adversary is not explicitly defined, but the design assumes that security is maintained by reusing 3GPP SIM-based LTE-AKA authentication. The network operator retains control over subscriber identity and authentication. EnCoR assumes modern endpoints and transport protocols are mobility-tolerant and can recover from short disruptions; therefore, the network does not guarantee in-flight packet preservation during handovers.

  2. Data: Evaluation combines three approaches due to the scale of cellular networks. (a) Hardware testbed experiments use open source cellular RAN hardware extended to implement EnCoR, with real unmodified commercial LTE and 5G phones running QUIC-based custom applications and standard video/voice calling apps. (b) Network simulation at national scale uses public datasets mapping US cellular PoP footprints (e.g., AT&T’s Point of Presence data) and models latency with realistic user mobility patterns. (c) Control plane load experiments simulate production-scale resource contention by artificially throttling hardware to stress cores and measure handover control messaging performance.

  3. Architecture / Algorithm: EnCoR decomposes the cellular network into three layers: (i) edge user plane on iNodeBs terminates user data traffic directly at the edge, eliminating centralized tunneling; iNBs implement a stateless IPv6 NAT, mapping stable UE private IPv6 addresses to public routed prefixes using a splitting of the IPv6 address halves to avoid NAT table overhead. (ii) a lightweight stateless edge control plane composed of Handover Proxies (HOPs) and Charging Proxies (CPs) that facilitate latency-sensitive, ephemeral control functions such as handover and charging quota batching, bypassing the core to reduce signaling load; (iii) a compact, stateful centralized core control plane that handles long-lived persistent state such as subscriber databases (SubDB), security management entity (SME) for authentication and session key management, and standard online charging (OCS). The authentication reuses 3GPP LTE-AKA for mutual UE-network authentication and key derivation. Handover proceeds via source iNB triggering destination iNB resource allocation and sharing radio state with UE; no user plane buffering occurs on the source iNB, assuming transport layer recovery. Security keys are updated on handover to preserve forward secrecy. QoS enforcement leverages existing 3GPP QoS Class Identifier mechanisms and is implemented primarily at the iNB.

  4. Training Regime: n/a (system architecture and implementation paper rather than machine learning).

  5. Evaluation Protocol: Latency and throughput performance is measured end-to-end on real hardware with unmodified UE devices running tested applications. Control plane signaling is benchmarked by generating mobility event traffic and measuring handover latency and load handling capacity under hardware throttling. Simulations assess latency savings at nationwide scale based on FCC and operator data, and cost estimates leverage public FCC infrastructure cost data for core network components. Baselines include standard LTE core mobility anchored tunnel architectures with the same radio access infrastructure.

  6. Reproducibility: The paper does not specify code release or open datasets; evaluation relies significantly on operator data not publicly available. Implementation uses open source cellular RAN hardware with modifications for EnCoR. Full details of the stateless NAT and control plane components described in text but source is not explicitly published.

Technical innovations

  • Removal of centralized IP anchoring by terminating user plane at network edge (iNodeB) while preserving stable UE IP address visibility via stateless IPv6 NAT.
  • Introduction of a layered control plane decomposition: a compact, stateful core for authentication/charging and stateless edge proxies (HOPs, CPs) to scale ephemeral signaling and reduce latency.
  • Handover design that decouples physical layer mobility from user plane updates, eliminating buffering of in-flight traffic and relying on transport/application layer recovery.
  • Compatibility with existing 3GPP LTE-AKA SIM-based authentication leveraging a Security Management Entity (SME) that supports forward secrecy through key cycling on handovers.

Datasets

  • US cellular operator Point of Presence footprint dataset (e.g., AT&T data) — used for national scale latency simulations — source operator confidential
  • Open source hardware testbed data from modified cellular RAN and commercial phones — proprietary setup

Baselines vs proposed

  • Traditional LTE core tunnel-based mobility: end-to-end latency = baseline (normalized 1.0) vs EnCoR: latency reduced by over 90%
  • LTE core handover latency under load = X ms vs EnCoR handover latency under load = approximately X/2.6 ms (2.6x reduction, Fig 9)
  • LTE core mobility control plane load capacity = Y handovers per second vs EnCoR capacity = 2.6Y handovers per second under identical hardware constraints
  • Application-level performance (video streaming/voice calling): no measurable degradation between LTE and EnCoR

Figures from the paper

Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2605.22524.

Fig 1

Fig 1: depicts the EnCoR architecture. Like existing 3GGP

Fig 2

Fig 2: EnCoR over-the-air testbed.

Fig 3

Fig 3: Percentage of the US population that an MNO with access to AT&T’s PoP footprint could serve within a given

Fig 5

Fig 5: Handover completion times under load. EnCoR

Limitations

  • Evaluation relies on simulations and a limited hardware testbed; lacks full-scale operator deployment data to validate performance at network-wide scale.
  • Control plane experiments under throttled hardware approximate production conditions but may not capture all real-world dynamics such as complex radio conditions or heterogeneous operator infrastructure.
  • Does not evaluate adversarial scenarios such as attackers exploiting stateless NAT or handover signaling mechanisms.
  • Assumes modern transport/application protocols are sufficiently mobility tolerant; legacy applications or protocols without such support might suffer performance degradation.
  • No evaluation presented for roaming scenarios across operators or between different radio generations beyond high-level discussion.
  • Full reproducibility is constrained by reliance on non-public operator datasets and lack of public code release.

Open questions / follow-ons

  • How resilient is EnCoR to targeted attacks against control plane edge proxies (HOPs/CPs) that may overload or spoof handover messages?
  • Can EnCoR’s stateless NAT scheme scale securely and efficiently across multi-operator roaming domains or in private enterprise cellular networks?
  • What are the impacts on session continuity and QoS guarantees for legacy end-host applications lacking built-in mobility support?
  • How would EnCoR integrate with emerging 5G standalone core network functions and network slicing architectures?

Why it matters for bot defense

For bot-defense and CAPTCHA practitioners concerned with latency and scalability of mobile network infrastructure, EnCoR illustrates how architectural simplification by removing centralized mobility anchors can drastically reduce latency and control plane load. This has direct implications for reducing response times in mobile bot detection and CAPTCHA challenges, as lower latency user-plane routing improves user experience. Moreover, the reduced complexity and signaling overhead in the control plane suggest that edge-inserted defenses could scale more effectively with fewer bottlenecks during user mobility. However, the reliance on transport/application-level mobility tolerance means that any defense design should account for transient interruptions without relying on network-level session continuity guarantees. Practitioners should consider EnCoR’s design patterns when architecting bot-defense systems that integrate tightly with cellular network elements or rely on low-latency mobile user verification.

Cite

bibtex
@article{arxiv2605_22524,
  title={ EnCoR: An end-to-end architecture for simplifying cellular networks },
  author={ Wesley Woo and Zhuowei Wen and Monniiesh Velmurugan and Richard Raad and Sylvia Ratnasamy and Scott Shenker and Shaddi Hasan },
  journal={arXiv preprint arXiv:2605.22524},
  year={ 2026 },
  url={https://arxiv.org/abs/2605.22524}
}

Read the full paper

Articles are CC BY 4.0 — feel free to quote with attribution

© 2026 CaptchaLa