Understanding O-RAN: Architecture, Interfaces, Algorithms, Security, and Research Challenges

The Open Radio Access Network (RAN) and its embodiment through the O-RAN Alliance specifications are poised to revolutionize the telecom ecosystem. O-RAN promotes virtualized RANs where disaggregated components are connected via open interfaces and optimized by intelligent controllers. The result is a new paradigm for the RAN design, deployment, and operations: O-RAN networks can be built with multi-vendor, interoperable components, and can be programmatically optimized through a centralized abstraction layer and data-driven closed-loop control. Therefore, understanding O-RAN, its architecture, its interfaces, and workflows is key for researchers and practitioners in the wireless community. In this article, we present the first detailed tutorial on O-RAN. We also discuss the main research challenges and review early research results. We provide a deep dive of the O-RAN specifications, describing its architecture, design principles, and the O-RAN interfaces. We then describe how the O-RAN RAN Intelligent Controllers (RICs) can be used to effectively control and manage 3GPP-defined RANs. Based on this, we discuss innovations and challenges of O-RAN networks, including the Artificial Intelligence (AI) and Machine Learning (ML) workflows that the architecture and interfaces enable, security, and standardization issues. Finally, we review experimental research platforms that can be used to design and test O-RAN networks, along with recent research results, and we outline future directions for O-RAN development.

however, are far from open.Today, RAN components are monolithic units, all-in-one solutions that implement each and every layer of the cellular protocol stack.They are provided by a limited number of vendors and seen by the operators as black-boxes.Reliance on black-box solutions has resulted in: (i) limited reconfigurability of the RAN, with equipment whose operations cannot be fine-tuned to support diverse deployments and different traffic profiles; (ii) limited coordination among network nodes, preventing joint optimization and control of RAN components; and (iii) vendor lock-in, with limited options for operators to deploy and interface RAN equipment from multiple vendors.Under these circumstances, optimized radio resource management and efficient spectrum utilization through real-time adaptation become extremely challenging [19].
To overcome these limitations, in the last decade several research and standardization efforts have promoted the Open RAN as the new paradigm for the RAN of the future.Open RAN deployments are based on disaggregated, virtualized and software-based components, connected through open and standardized interfaces, and interoperable across different vendors [20].Disaggregation and virtualization enable flexible deployments, based on cloud-native principles.This increases the resiliency and reconfigurability of the RAN.Open and standardized interfaces also allow operators to onboard different equipment vendors, which opens the RAN ecosystem to smaller players.Finally, open interfaces and software-defined protocol stacks enable the integration of intelligent, data-driven closed-loop control for the RAN [21].
The O-RAN specifications implement these principles on top of 3GPP LTE and NR RANs [1,22].Specifically, O-RAN embraces and extends the 3GPP NR 7.2 split for base stations [23].The latter disaggregates base station functionalities into a Central Unit (CU), a Distributed Unit (DU), and a Radio Unit (RU).Moreover, it connects them to intelligent controllers through open interfaces that can stream telemetry from the RAN and deploy control actions and policies to it.The O-RAN architecture includes indeed two RAN Intelligent Controllers (RICs) that perform management and control of the network at near-real-time (10 ms to 1 s) and non-realtime (more than 1 s) time scales [24,25].Finally, the O-RAN Alliance is standardizing a virtualization platform for the RAN, and extending the definition of 3GPP and eCPRI interfaces to connect RAN nodes [20].
Contributions.The Open RAN paradigm and, specifically, O-RAN networks will drastically change the design, deployment, and operations of the next generations of cellular networks.They will enable, among other things, transforma-tive applications of ML for optimization and control of the RAN [19].In this paper, we provide a detailed overview of how O-RAN will revolutionize future cellular networks.We do so through a comprehensive analysis of the O-RAN technical specifications, architectural components, of the interfaces connecting them, and of the ML and closed-loop control workflows that O-RAN enables and is standardizing.We also discuss the new security challenges and opportunities introduced by O-RAN, as well as the main publicly available experimental platforms that enable research and development of O-RAN components.Finally, we survey recent results on design and optimization of O-RAN, and discuss the issues that need to be addressed to fully realize the O-RAN vision.The goal is to offer the interested reader a clear picture of the state of the art in O-RAN, and a deep understanding of the opportunities that the Open RAN introduces in the cellular ecosystem.
Other papers [8,19,[26][27][28][29][30] introduce the O-RAN building blocks and architecture, with use cases mostly related to the application of machine learning to the RAN.The literature on Open RAN also includes several high-level white papers that summarize different elements of the O-RAN architecture [15,[31][32][33][34][35][36][37][38][39][40][41][42].Differently from these, we introduce here a multi-faceted perspective on O-RAN, which starts from the foundational principles, covers in details the architectural components and the interfaces, and then connects these elements to highlight AI/ML use cases, security issues, deployment options, testbeds, and future research.Notably, this is the first paper that describes in detail the full set of O-RAN specifications for the RICs and interfaces, including how O-RAN effectively enables control of 3GPP-defined network elements through custom logic running on the intelligent controllers.
Paper structure.The rest of this paper is organized as shown in Figure 1.Sections II to V introduce specific components of O-RAN networks; Sections VI to XI discuss topics that are relevant to the overall O-RAN vision and architecture; Section XII concludes this work.In particular, Section II describes the key principles of the O-RAN architecture, and introduces its components and the control loops that O-RAN enables.The near-real-time RIC and RAN control are dis-RAN (C-RAN) architecture (promoted, among others, by the operator-led C-RAN Alliance [44]) has emerged as a solution to centralize most of the baseband processing for the RAN in virtualized cloud data centers [45,46], connected to remote radio units through high speed fronthaul interfaces.C-RAN enabled more refined signal processing and load balancing techniques by leveraging centralized data and control paths, while reducing costs by multiplexing computational resources.In 2018, these two initiatives joined forces to launch the O-RAN Alliance with the overall goal of standardizing an architecture and a set of interfaces to realize an Open RAN [44].In just four years, the O-RAN Alliance has scaled up to more than 300 members and contributors.Its specifications are expected to drive 50% of RAN-based revenues by 2028 [15].
Overall, it is possible to identify four foundational principles for the Open RAN in the literature and in the O-RAN specifications, as discussed next.These include disaggregation; intelligent, data-driven control with the RICs; virtualization; and open interfaces [20].

A. Disaggregation
As shown in Figure 2, RAN disaggregation splits base stations into different functional units, thus effectively embracing and extending the functional disaggregation paradigm proposed by 3GPP for the NR Next Generation Node Bases (gNBs) [47].The gNB is split into a Central Unit (CU), a Distributed Unit (DU), and a Radio Unit (RU) (called O-CU, O-DU, and O-RU in O-RAN specifications).The CU is further split into two logical components, one for the Control Plane (CP), and one for the User Plane (UP).This logical split allows different functionalities to be deployed at different locations of the network, as well as on different hardware platforms.For example, CUs and DUs can be virtualized on white box servers at the edge (with hardware acceleration for some of the physical layer functionalities) [8,48], while the RUs are generally implemented on Field Programmable Gate Arrays (FPGAs) and Application-specific Integrated Circuits (ASICs) boards and deployed close to RF antennas.
The O-RAN Alliance has evaluated the different RU/DU split options proposed by the 3GPP, with specific interest in alternatives for physical layer split across the RU and the DU [23].The selected 7.2x split strikes a balance between simplicity of the RU and the data rates and latency required on the interface between the RU and DU.In split 7.2x, the RU only performs FFT and cyclic prefix addition/removal operations, which makes the RU inexpensive and easy to deploy.The DU then takes care of the remaining functionalities of the physical layer, and of the Medium Access Control (MAC) and Radio Link Control (RLC) layers [49][50][51].The operations of these three layers are generally tightly synchronized, as the MAC layer generates Transport Blocks (TBs) for the physical layer using data buffered at the RLC layer.Finally, the CU units (CP and UP) implement the higher layers of the 3GPP stack, i.e., the Radio Resource Control (RRC) layer, which manages the life cycle of the connection [52]; the Service Data Adaptation Protocol (SDAP) layer, which manages the Quality of Service (QoS) of the traffic flows (also known as bearers) [53]; and the Packet Data Convergence Protocol (PDCP) layer, which takes care of reordering, packet duplication, and encryption for the air interface, among others [54].

B. RAN Intelligent Controllers and Closed-Loop Control
The second innovation is represented by the RICs, which introduce programmable components that can run optimization routines with closed-loop control and orchestrate the RAN.Specifically, the O-RAN vision includes two logical controllers that have an abstract and centralized point of view on the network, thanks to data pipelines that stream and aggregate hundreds of Key Performance Measurements (KPMs) on the status of the network infrastructure (e.g., number of users, load, throughput, resource utilization), as well as additional context information from sources outside of the RAN.The two RICs process this data and leverage AI and ML algorithms to determine and apply control policies and actions on the RAN.Effectively, this introduces data-driven, closed-loop control that can automatically optimize, for example, network and RAN slicing, load balancing, handovers, scheduling policies, among others [19].The O-RAN Alliance has drafted specifications for a non-real-time RIC, which integrates with the network orchestrator and operates on a time scale longer than 1 s, and a near-real-time RIC, which drives control loops with RAN nodes with a time scale between 10 ms and 1 s.provides an overview of the closed-loop control that the RICs enable throughout the disaggregated O-RAN infrastructure, together with real-time extensions that are considered for future work.In the next paragraphs, we will discuss the role of each RIC and related control loops.
Non-real-time RIC and Control Loop.The non-real-time (or non-RT) RIC is a component of the Service Management and Orchestration (SMO) framework, as illustrated in Figure 4, and complements the near-RT RIC for intelligent RAN operation and optimization on a time scale larger than 1 second [24,55,56].Using the non-real-time control loop, the non-RT RIC provides guidance, enrichment information, and management of ML models for the near-RT RIC [21].Additionally, the non-RT RIC can influence SMO operations, which gives the non-RT RIC the ability to indirectly govern all the components of the O-RAN architecture connected to the SMO, thus making decisions and applying policies that influence thousands of devices.This presents scalability challenges, as shown in Figure 3, which need to be addressed through efficient process and software design.Further details on the non-RT RIC and SMO will be given in Section IV.
Near-real-time RIC and Control Loop.The near-real-time (or near-RT) RIC is deployed at the edge of the network and operates control loops with a periodicity between 10 ms and 1 s [25].As shown in Figure 3 and Figure 4, the near-RT RIC interacts with DUs and CUs in the RAN, as well as with legacy O-RAN-compliant LTE evolved Node Bases (eNBs).The near-RT RIC is usually associated to multiple RAN nodes, thus the near-RT closed-loop control can affect the QoS of hundreds or thousands of User Equipments (UEs).
The near-RT RIC consists of multiple applications supporting custom logic, called xApps, and of the services that are required to support the execution of the xApps.An xApp is a microservice that can be used to perform radio resource management through standardized interfaces and service models.It receives data from the RAN (e.g., user, cell, or slice KPMs, as shown in Figure 3) and (if necessary) computes and sends back control actions.To support xApps, the near-RT RIC includes (i) a database containing information on the RAN (e.g., list of connected RAN nodes, users, etc.) and serving as a shared data layer among xApps; (ii) messaging infrastructure across the different components of the platform, also supporting the subscription of RAN elements to xApps; (iii) terminations for open interfaces and Application Programming Interfaces (APIs), and (iv) conflict resolution mechanisms to orchestrate control of the same RAN function by multiple xApps.We will further discuss characteristics and functionalities of the xApps in Section III.
Future Extensions to Real-Time Control Loops. Figure 3 also includes loops that operate in the real-time domain, i.e., below 10 ms, for radio resource management at the RAN node level, or even below 1 ms, for device management and optimization.Typical examples of real-time control include scheduling, beam management, and feedback-less detection of physical layer parameters (e.g., modulation and coding scheme, interference recognition) [14].These loops, which have a limited scale in terms of devices being optimized, are not part of the current O-RAN architecture, but are mentioned in some specifications [21] as for further study.

C. Virtualization
The third principle of the O-RAN architecture is the introduction of additional components for the management and optimization of the network infrastructure and operations, spanning from edge systems to virtualization platforms.According to [20], all the components of the O-RAN architecture shown in Figure 4 can be deployed on a hybrid cloud computing platform called O-Cloud.Specifically, the O-Cloud is a set of computing resources and virtualization infrastructure that are pooled together in one or multiple physical datacenters.This platform combines physical nodes, software components (e.g., the operating system, virtual machine hypervisors, etc.), and management and orchestration functionalities [57], and specializes the virtualization paradigm for O-RAN [58].It enables (i) decoupling between hardware and software components; (ii) standardization of the hardware capabilities for the O-RAN infrastructure; (iii) sharing of the hardware among different tenants, and (iv) automated deployment and instantiation of RAN functionalities.
The O-RAN Alliance Working Group (WG) 6 is also developing standardized hardware acceleration abstractions (called Acceleration Abstraction Layers (AALs)) that define common APIs between dedicated hardware-based logical processors and the O-RAN softwarized infrastructure, e.g., for channel coding/decoding and Forward Error Correction (FEC) [59,60].These efforts also reflect into commercial hardware-accelerated, virtualized RAN implementations that can support the requirements of 3GPP NR use cases (e.g., Ultra Reliable and Low Latency Communications (URLLC) flows [61]) also on commercial hardware (e.g., the NVIDIA Aerial platform [62], NEC Nuberu [63], and [64] from Intel).The authors of [65] discuss FPGA-based acceleration of the physical layer decoding with a prototype based on OpenAir-Interface.
In parallel, WG 7 is defining the characteristics that white box hardware needs to satisfy to implement an O-RANcompliant piece of equipment, e.g., indoor picocells, outdoor microcells and macrocells (all at sub-6 GHz and mmWaves), integrated access and backhaul nodes, and fronthaul gateways.These cover different architectural elements from Figure 2, including the RAN nodes (CU, DU, RU) and enablers of the fronthaul interface.The specifications clarify the functional parameters corresponding to the scenarios of interest (e.g., frequency bands, bandwidth, inter-site distance, MIMO configurations), and the hardware characteristics (e.g., accelerators, compute, connectivity) of the nodes.
The virtualization for the RAN components and of the O-RAN compute elements is expected to introduce savings and optimization of the power consumption related to the RAN [66].Virtualization makes it possible to easily and dynamically scale up or scale down the compute resources required to support user requirements, thus limiting the power consumption to the actual network functions that are needed [63,67].In this sense, the closed-loop control capabilities described above, together with the virtualization in the RAN, also enable more refined and dynamic sleep cycles for the base stations and the RF components [68,69], which generally are the cause of most of the power consumption in cellular networks [70].

D. Open Interfaces
Finally, the O-RAN Alliance has introduced technical specifications that describe open interfaces connecting a number of different components of the O-RAN architecture.Figure 4 reports the new, open interfaces defined by O-RAN, as well as the intra-RAN interfaces from the 3GPP specifications.The latter is a partial enabler of the gNB disaggregated architecture, which, however, is complemented by the O-RAN Open Fronthaul between the DU and the RU.The O-RAN interfaces, instead, help overcoming the traditional RAN black box approach, as they expose data analytics and telemetry to the RICs, and enable different kinds of control and automation actions, from RAN control to virtualization and deployment optimization.
Without O-RAN, radio resource management and virtual/physical network functions optimization would be closed and inflexible, i.e., the operators would not have the same level of access to the equipment in their RAN, or it would be performed through a custom, piecemeal approach.Standardization of these interfaces is thus a key step toward breaking the vendor lock-in in the RAN, e.g., allowing a near-RT RIC of one vendor to interact with the base stations of another vendor, or again enabling the interoperability of CUs, DUs and RUs from different manufacturers.This also fosters market competitiveness, innovation, faster update/upgrade cycles, and eases the design and introduction of new softwarized components in the RAN ecosystem [19].
Among the O-RAN-specific interfaces, the E2 interface connects the near-RT RIC to the RAN nodes.E2 enables the near-real-time loops shown in Figure 3 through the streaming of telemetry from the RAN and the feedback with control from the near-RT RIC.The near-RT RIC is connected to the non-RT RIC through the A1 interface, which enables a nonreal-time control loop and the deployment of policy, guidance, and intelligent models in the near-RT RIC.The non-RT RIC also terminates the O1 interface, which connects to every other RAN component for management and orchestration of network functionalities.Finally, the non-RT RIC and the SMO also connect to the O-RAN O-Cloud through the O2 interface, and the O-RAN Fronthaul interface connects DUs and RUs.The O-RAN Alliance has also defined a set of standardized tests to promote interoperability across different interface implementations, with an initial focus on the fronthaul interface and E2.We will provide details on each interface in Section V.
Thanks to the open interfaces, the O-RAN architecture described in Figure 4 can be deployed by selecting different network locations (cloud, edge, cell sites) for different pieces of equipment, with multiple configurations described in [8].An example of deployment (i.e., Scenario B [8]) is shown in Figure 2, with the RICs deployed in the cloud, the CUs and DUs at the edge, and the RU cell sites.Other deployment strategies, with the RICs and the RAN nodes co-located are also possible, for example to support local and private 5G networks.

III. NEAR-RT RIC, XAPPS, AND CONTROL OF THE RAN
The near-RT RIC is the core of the control and optimization of the RAN, thanks to the capabilities offered by the E2 interface.In this section, we will discuss the functionalities of the near-RT RIC and the near-RT RIC implementations available in the open source domain.
As discussed in Sections II, the near-RT RIC platform hosts the terminations of three interfaces (O1, A1, and E2), the xApps, and the components required to execute and manage the xApps.The O-RAN specifications describe the requirements and functionalities of the different components of the RIC, so that different standard-compliant implementations can be expected to provide the same set of services, but they do not introduce implementation requirements [25].However, the O-RAN Alliance, through the O-RAN Software Community (OSC), also provides a reference implementation of a functional near-RT RIC that follows the specifications in [25] and can be used to prototype O-RAN solutions.The OSC near-RT RIC is based on multiple components running as microservices on a Kubernetes cluster [71].

A. Near-RT RIC Internal Components
Figure 5 provides an overview of the architecture of a typical near-RT RIC.The main platform components include: • Internal messaging infrastructure.The internal messaging infrastructure connects xApps, platform services, and interface terminations to each other.The specifications do not mandate any specific technology (the OSC uses a custom library called RIC Message Router (RMR) [72]), but they list the requirements and functionalities this sub-system needs to provide.

B. Near-RT RIC xApps
The main components of the near-RT RIC are the xApps.As previously discussed, an xApp is a plug-and-play component that implements custom logic, for example for RAN data analysis and RAN control.xApps can receive data and telemetry from the RAN and send back control using the E2 interface, as we described in Section V-A.
According to the O-RAN specifications [25], an xApp is defined by a descriptor and by the xApp software image (i.e., the set of files needed to deploy the fully-functional xApp).The xApp descriptor (e.g., a YAML or JSON file) includes information on parameters needed to manage the xApp, such as, for example, autoscaling policies, deployment, deletion, and upgrade information.Additionally, it can describe the data types consumed by the xApp as well as its control capabilities.Specifically, in the OSC RIC, the xApp is defined by a Docker image that can be deployed on a Kubernetes infrastructure by applying the descriptor schema, which is a file that specifies the attributes of the container.
At the time of this writing, the O-RAN specifications only mandate a limited set of APIs that the near-RT RIC platform needs to provide to xApps (including the SDL APIs and the registration/discovery/subscription APIs).The definition of a broader set of APIs into a software development kit, however, would foster the development of xApps that can be seamlessly ported across different near-RT RIC implementations.Efforts in this direction have been promoted by the Telecom Infra Project (TIP) RAN Intelligence and Automation (RIA) subgroup [41,42].

C. Open Source Near-RT RIC Implementations
Besides the one provided by the OSC, the open source community includes third-party RIC implementations that enrich the Open RAN ecosystem.An example is ColO-RAN, which is an implementation focused on O-RAN experimentation based on the OSC near-RT RIC [74], described in Section X.The SD-RAN project by the Open Networking Foundation (ONF) is developing an open source and cloudnative implementation of O-RAN near-RT RIC, together with xApps to control the RAN, and an Software Development Kit (SDK) to facilitate the design of new xApps [75,76].These xApps leverage both standard-compliant E2 Service Models (E2SMs), and custom service models developed by the SD-RAN community.The microservices of this RIC, which is based on the Open Networking Operating System (ONOS) controller, include xApp subscription services, network-and user-based information services, distributed data store services for high availability and operator services.FlexRIC, instead, provides a monolithic near-RT RIC and a RAN agent to interface the OpenAirInterface radio stack with the RIC [77].It includes Service Models (SMs) for monitoring and slicing programmability use cases, and an SDK to build specialized service-oriented controllers.Finally, 5G-EmPOWER is a near-RT RIC for heterogeneous RANs [78].It includes nonstandard-compliant functionalities like mobility management for Wi-Fi and cellular networks, multi-tenant support, and deployment of custom resource allocation schema within network slices.

IV. NON-RT RIC AND ORCHESTRATION FRAMEWORK
The second key element of the O-RAN architecture is the SMO framework.This component is in charge of handling all orchestration, management and automation procedures to monitor and control RAN components. 1 Primarily, the SMO hosts the non-RT RIC and provides a set of interfaces (described in detail in Section V) that support the interaction between the different network components as well as data collection capabilities to facilitate network monitoring and control via AI/ML [21,24].
The high-level architecture of the SMO is illustrated in Figure 6.Its building blocks their main functionalities will be detailed in the remainder of this section.It is worth mentioning that at the time of writing, the O-RAN specifications do not provide strict guidelines regarding the split between SMO and non-RT RIC functionalities.However, the specifications group 1 It is worth mentioning that although SMO functionalities are usually referred to as network-wide orchestration and management procedures (e.g., spanning both core and RAN portions of the network), the O-RAN specifications describe SMO operations and functionalities pertaining to RAN components only.such functionalities into three distinct sets [24].The first set (orange-shaded blocks in Figure 6) identifies those functionalities and interfaces that are anchored to the non-RT RIC.

Service Management and Orchestration (SMO) Framework
A second set (green-shaded blocks) identifies functionalities anchored outside the non-RT RIC, while the functionalities from the remaining set (yellow-shaded blocks) are either not yet anchored to any specific SMO component or they span multiple components.Similarly to Figure 5, the non-RT RIC architecture embeds implementation-specific interfaces that interconnect and regulate the interactions between functionalities and components within the non-RT RIC and the SMO domains.This infrastructure is depicted as the internal messaging infrastructure in Figure 6.
The goal of the next sections is to describe these functionalities and interfaces, as well as to highlight their relevance to O-RAN systems and operations.

A. Non-real-time RIC
The non-RT RIC is one of the core components of the O-RAN architecture.Similarly to the near-RT RIC, it enables closed-loop control of the RAN with timescales larger than 1 s.Moreover, it also supports the execution of third-party applications, i.e., the rApps, which are used to provide valueadded services to support and facilitate RAN optimization and operations, including policy guidance, enrichment information, configuration management and data analytics.
As shown in Figure 6, the non-RT RIC hosts the R1 termination, which allows rApps to interface with the non-RT RIC.This allows them to obtain access to data management and exposure services, AI/ML functionalities, as well as A1, O1 and O2 interfaces through the internal messaging infrastructure.It is worth mentioning that although rApps can support the same control functionalities provided by xApps (e.g., traffic steering, scheduling control, handover management) at larges timescales, they have been standardized to derive control policies that operate at a higher level and affect a larger number of users and network nodes.Relevant examples of rApps for non-RT RAN control applications include frequency and interference management, RAN sharing, performance diagnostics, end-to-end Service Level Agreement (SLA) assurance and network slicing [56].
To provide a flexible architecture in which the behavior of each and every network component and functionality can be adjusted in real time to meet the intents and goals of the operators, the non-RT RIC offers the following two high-level management and orchestration services [55]: (i) intent-based network management, and (ii) intelligent orchestration.
Intent-based Network Management.This functionality allows operators to specify their intent via a high-level language through a human-machine interface (it is expected that intents will follow practices used in currently available SMOs, and formalized as YAML or XML configuration files).Intents are then automatically parsed by the non-RT RIC, which determines the policies and the set of rApps and xApps that need to be deployed and executed to satisfy them.
In this context, the efforts of the OSC, which is working toward a non-RT RIC implementation that hosts a humanmachine interface (i.e., the Intent Interface [79]), are worth mentioning.
Intelligence Orchestration.Indeed, the O-RAN architecture enables and facilitates the development, deployment, execution and maintenance of network intelligence.However, this inevitably makes network control more complex due to the increasing number of xApps and rApps that execute at different RICs and locations of the network.This calls for solutions that are capable of coordinating and orchestrating these applications.Specifically, the non-RT RIC is in charge of orchestrating network intelligence [21] to make sure that selected xApps and rApps are: (i) well-suited to satisfy operator intents and meet their requirements; (ii) instantiated at the appropriate RIC location to ensure control over the specific RAN elements specified in the intent; (iii) fed with relevant data; and (iv) robust enough not to generate conflicts due to multiple applications controlling the same functionalities and/or parameters simultaneously.For example, if the operator has instantiated multiple network slices and wants to control and optimize scheduling policies for each slice in near real time for a selected set of base stations close to a landmark of interest, the non-RT RIC must be able to determine automatically that only xApps executing at a specific near-RT RIC can satisfy the timing requirement.Moreover, the non-RT RIC must select only those xApps that are able to control scheduling decisions, and eventually dispatch them to the near-RT RICs that control the base stations deployed in the area of interest, and are thus capable of generating data to be fed to the xApps.

B. Other SMO/Non-RT RIC functionalities
In this section, we describe the functionalities and architectural components that can reside both at the SMO and at the non-RT RIC [24,55].
The internal messaging infrastructure is a composite of several SMO functions that allow all components within the SMO (even those included in the non-RT RIC) to access and utilize interfaces, data and functionalities offered by both the SMO and the non-RT RIC.For example, all interface terminations are tied to interface-specific functions included in the internal messaging infrastructure that are designed to facilitate the exchange of messages between terminations.In this way, policies computed by rApps can reach the non-RT RIC through the R1 termination, and eventually reach the near-RT RIC through the A1 interface.
Data Management and Exposure Services.The O-RAN specifications also include data management and exposure services pertaining to the SMO/non-RT RIC framework.To this purpose, O-RAN follows a consumer/producer protocol in which data producers in the SMO/non-RT RIC can advertise and publish data (e.g., performance reports or AI-based prediction of KPMs and network load).On the other hand, data consumers (e.g., rApps that determine high-level control policies) can discover, subscribe, receive and consume relevant data types from a selected number of nodes in the SMO/non-RT RIC domain.In order to fully support AI/ML solutions, the SMO/non-RT RIC can also perform collection of all data being produced, as well as relevant AI/ML pre-processing operations involving data analytics (e.g., correlation analysis), labeling, and normalization.
AI/ML Workflow.Another important capability offered by the non-RT RIC is the possibility to oversee the entire AI life cycle, and cover all aspects of AI/ML development, including data collection, training, validation, deployment and execution.This AI/ML workflow, which will be detailed in Section VI, is illustrated in Figure 13.

C. SMO Framework and Open Source SMO Implementations
Besides hosting the non-RT RIC, the SMO also offers additional functionalities and interfaces, summarized in Figure 6.These include management and interactions with the O-Cloud via the O2 interface (see Section V-E) as well as other O-RAN components via the O1 interface.The SMO takes care of FCAPS management procedures as well as service and resource inventory, topology and network configuration, as well as policy management for network orchestration services.
Although several members of the O-RAN Alliance have announced the development and availability of proprietary SMOs compliant with the latest O-RAN releases, these SMOs are closed solutions not open to the general public and whose implementation details and offered functionalities are not generally available.For this reason, we focus on two open-source solutions-with publicly-available code and functionalitiesthat are currently being integrated with the O-RAN architecture [8]: Open Network Automation Platform (ONAP) [80,81] and Open Source Management and Orchestration (OSM) [82].
Both ONAP and OSM are comprehensive platforms that enable automation and orchestration in virtualized and softwarized networks.ONAP is one of the main projects being developed and maintained by the Linux Foundation, while OSM is hosted by European Telecommunications Standards Institute (ETSI) and follows ETSI Virtual Network Function (VNF) standard specifications [82].Being maintained by the Linux Foundation, ONAP provides native integration with other major projects such as Kubernetes, Akraino, Acumos and OpenDaylight [83].This makes ONAP quite a complex environment compared to OSM which, instead, offers similar services in a more lightweight framework.Although the development of SMO functionalities and the integration of O-RAN components with the SMO is still at its early stages, ONAP is already being used by the OSC (which is a joint effort between the Linux Foundation and the O-RAN Alliance) as the preferred SMO platform for open-source O-RAN code releases [79].It is also worth mentioning that in May 2021 ETSI signed a cooperation agreement with the O-RAN Alliance [84].Because of this, the integration efforts between OSM and the O-RAN architecture are still at an early stage [85].

V. THE O-RAN OPEN INTERFACES
As discussed in Section II, the control loops supported by near-RT and non-RT RICs are enabled by a set of standardized interfaces.Each interface enables services (e.g., reporting of telemetry from the RAN) through the combination of welldefined procedures (e.g., the subscription and indication procedures for E2).Procedures involve the exchange of messages between the endpoints of an interface (e.g., the indication message for E2).This section reviews the logical abstractions and procedures that define such interfaces, providing insights on their role in the Open RAN ecosystem.Specifically, the E2 interface is described in Section V-A, the O1 interface in Section V-B, the A1 interface in Section V-C, and the fronthaul interface in Section V-D.Finally, Section V-E reviews the remaining O-RAN and 3GPP interfaces.

A. E2 Interface
The E2 interface is an open interface between two endpoints, i.e., the near-RT RIC and the so-called E2 nodes, i.e., DUs, CUs, and O-RAN-compliant LTE eNBs [86].The E2 allows the RIC to control radio resource management and other functionalities of the E2 nodes.Moreover, this interface also enables the collection of metrics from the RAN to the near-RT RIC, either periodically or after pre-defined trigger events.Both control and data collection procedures can pertain to one or more cells, slices, QoS classes, or specific UEs.
To support the above operations, the O-RAN Alliance uses a variety of unique identifiers.Specifically, O-RAN uses identifiers based on 3GPP specifications for the gNB, slice, and QoS class [87].Regarding specific UEs, the O-RAN Alliance has instead introduced a common user identifier (i.e., the UE-ID) across its specifications.This provides a consistent and uniform user identity across the system without exposing sensitive information related to the user.The E2 interface has been logically organized in two protocols: E2 Application Protocol (AP) and E2 SM.The E2 AP [88] is a basic procedural protocol that coordinates how the near-RT RIC and the E2 nodes communicate with each other, and provides a basic set of services, as shown in Figure 7. E2AP messages can embed different E2 SMs [89], which implement specific functionalities (i.e., the reporting of RAN metrics or the control of RAN parameters).The E2 interface runs on top of the SCTP protocol [90].

E2 Interface
Each E2 node exposes a number of RAN functions, i.e., the services and capabilities it supports.For example, DUs from different vendors may expose different control knobs depending on which parameters and functionalities can be tuned, as well as their capability in collecting and reporting different performance metrics.By using publish-subscribe mechanics, E2 nodes can publish their data and the xApps on the near-RT RIC can subscribe to one or more of these RAN functions through the E2 interface.This makes it possible to clearly separate the capabilities of each node and to define how the xApps interact with the RAN.
At the lowest level, the E2AP handles interface management (setup, reset, reporting of errors for the E2 interface itself) and near-RT RIC service updates (i.e., the exchange of the list of the RAN functions supported by the E2 node).As an example, the E2 setup procedure is shown in Figure 8a.At first, the SCTP connection is established between the near-RT RIC and the E2 node (which is aware of the IP address and port of the E2 termination of the near-RT RIC).Then, the E2 node transmits an E2 setup request, in which it lists the RAN functions and configuration it supports, together with the identifiers for the node.The near-RT RIC processes this information and replies with an E2 setup response.
After the connection is established, the E2AP provides four services which can be combined in different ways to implement an E2SM [89].These services, also shown in Figure 7, are [88]:   this periodicity, a timer is set in the E2 node and a report is sent whenever the timer expires.The RIC Indication message is of type report.• E2 Insert.Similarly, the insert service involves messages sent from an E2 node to an xApp in the near-RT RIC to notify the xApp about a specific event in the E2 node (e.g., a UE signaling the possibility to perform a handover).It is activated upon subscription from an xApp and involves a RIC Indication message (of type insert).In this case, the trigger is associated to a RAN radio resource management procedure which is suspended when the insert message is sent.A wait timer is also started, and, if the RIC does not reply before the timer expires, the procedure in the E2 node can be resumed or definitely halted.• E2 Control.The control service can be autonomously initiated by the RIC, or it can be the consequence of the reception of an insert message at the near-RT RIC.This service is based on a procedure with two messages, a RIC Control Request from the RIC to the E2 node, and a RIC Control Acknowledge in the opposite direction.The control services can influence parameters exposed by the RAN functions of the E2 node.• E2 Policy.This service involves a subscription procedure that specifies (i) an event trigger, and (ii) a policy that the E2 node should autonomously follow to perform radio resource management.
These services are then combined to create a service model.The service model message is inserted as payload in one of the E2AP messages, as shown in Figure 7.The actual content is encoded using ASN.1 notation, i.e., through well-defined types for numbers and key-value pairs [91].We provide examples of an E2 Subscription Request message and of an E2 Indication message (of type report) in Appendices A and B, respectively.
The E2SM KPM [92] reports performance metrics from the RAN, using the E2 report service.The procedures associated to the KPM service model are shown in Figure 8b.During the E2 setup procedures, the E2 node advertises the metrics it can expose.An xApp in the near-RT RIC can then send a subscription message specifying which KPMs are of interest, and whether the reporting is periodic or trigger-based.Finally, the E2 node uses E2 Indication messages of type report to stream the selected KPMs.Different KPM messages are generated from different E2 nodes, i.e., the specifications defines performance metrics containers with different fields to be populated for DU, CU-UP, and CU-CP.Additionally, the recent Version 2 of the KPM specifications [92] has introduced cell-specific and user-specific performance containers, which are based on the metrics defined in 3GPP technical specifications for LTE and NR [95,96].
The E2SM NI [93] is used to take the messages received by the E2 node on specific network interfaces and forward them to the near-RT RIC domain via E2 report messages over the E2 interface.The E2 node advertises which interfaces it supports during the subscription procedure, and they include X2 (which connects LTE eNBs), Xn (which connects different NR gNBs), and F1, which connects DUs and CUs).
Closed-loop control with E2SM RAN Control (RC).One of the goals of the xApps is to optimize the radio resource management in the E2 nodes.The E2SM RC, introduced in July 2021, implements control functionalities through E2 control services.The first release of the specifications for E2SM includes a broad set of control domains: • radio bearer control, to modify parameters for the bearers of an E2 node or of a specific • idle mobility control, to modify functions for mobility procedures of UEs in a RRC idle state, including cell re-selection priorities and idle timers.E2SM RC also provides capabilities for UE identification and UE information reporting.The control actions and policies that E2SM specifies relate to specific parameters standardized by the 3GPP, i.e., the control action will usually carry the value for a 3GPP Information Element (IE) defined in the E2SM specifications [94].For example, the handover control IE includes (among other things) a target cell ID for the handover encoded as a 3GPP Target Cell Global ID IE in [97, Section 9.2.3.25].
To effectively implement control actions and/or enforce policies, the E2SM leverages a combination of the E2 services described in Section V-A. Figure 9 shows an example of the E2 messages that an E2 node and an xApp in the near-RT RIC can exchange during a typical control procedure.First, the xApp subscribes to the E2 node, which needs to expose a specific RAN function called RAN control.During the subscription phase, the xApp can specify a triggering event or a timer.Then, if the timer expires or the condition defined in the trigger is verified, the E2 node sends an E2 Insert message to the RIC.For example, this may happen when a metric that the gNB monitors exceeds a certain threshold, e.g., when the Reference Signal Received Power (RSRP) for a neighboring cell (or target cell) becomes better than that of the current cell plus an offset (also called A3 event in the 3GPP specifications [52]).In this case, the E2 node sends a handover control request insert  message (in which it can also specify the target cell defined by the E2 node itself), suspends the radio resource management procedure, and starts a timer.Three different outcomes can follow this event.The near-RT RIC can reply with an E2 control message that either denies the control request, or accepts it and replies with a control action (for example, a target cell ID selected by the xApp).Alternatively, if the E2 node timer expires before the reception of a message from the RIC, the procedure may continue autonomously, or it may be halted, according to the specific procedure and configuration of the E2 node.
The control action sent by the xApp can also be asynchronous, i.e., it does not depend on the reception of an insert message from the E2 node.Additionally, the E2SM can also be used to specify policies, i.e., to alter pre-defined behaviors in the E2 nodes.Policies can be of two different types: (i) control policies that allow the E2 node to perform radio resource management actions without the interaction with the RIC, when certain conditions are satisfied, and (ii) offset policies, which change 3GPP-or vendor-defined thresholds by adding or removing offsets and thus modifying how the E2 node performs specific functions.

B. O1 Interface
Besides E2, the other interface that connects O-RAN specific components with RAN nodes is the O1 interface [98].In general, O-RAN-managed elements (including the near-RT RIC, RAN nodes) are connected via O1 to the SMO and the non-RT RIC.The O1, thus, is an open interface which adopts and extends standardized practices for operations and maintenance.

O1 Interface
The O1 interface supports Management Services (MnS), which include the management of the life-cycle of O-RAN components (from startup and configuration to fault tolerance and heartbeat services [99]), performance assurance and trace collection through Key Performance Indicators (KPIs) reports, and software and file management (see Figure 10).The O1 interface generally connects one MnS provider (i.e., generally the node managed by the SMO) to one MnS consumer (i.e., the SMO).
The Provisioning Management Services allow the SMO to push configurations to the managed nodes, and the reporting of external configuration updates from managed nodes to the SMO.For this, O1 uses a combination of REST/HTTPS APIs and NETCONF [100], which is a protocol standardized by the Internet Engineering Task Force (IETF) for the lifecycle management of networked functions.The supported provisioning services include those defined in 3GPP technical specifications [101,102].An additional Fault Supervision MnS is used to report errors and events to the SMO.It is also based on 3GPP-defined fault events [99,[102][103][104], and can be used by the RAN nodes to report errors (through standardized JSON payloads) using REST APIs.For each node, the SMO can also query a list of alarms (i.e., probes that monitor the status of specific elements and components in the node), and, in case, acknowledge or clear them.Finally, the SMO can provision heartbeats on the devices it manages, through the Heartbeat MnS, and manage not only virtual but also Physical Network Functions (PNFs).Heartbeat messages are used to monitor the status and availability of services and nodes.
The Performance Assurance MnS can be used to stream (in real time) or report in bulk (through file transfer) performance data to the SMO, to enable, for example, data analytics and data collection for AI/ML.The SMO can select the KPIs (also referred to as counters) to be reported and the frequency of reporting.It relies on use cases and formats for KPI reporting defined by the 3GPP [99,102,104,105] or by the VNF Event Stream (VES) project.The performance metrics are also either based on 3GPP documents [95], vendor specific, or standardized by the different WGs of the O-RAN Alliance.For bulk transfer, a file-ready notification is first sent from the MnS provider (e.g., the specific node of the RAN) to the SMO through HTTP APIs.Then, a file transfer through SFTP is performed.The SMO can also download files for which the file-ready notification was received in previous instants.A WebSocket is instead used for real-time streaming, following a handshake.The SMO can also monitor trace-based events through the Trace MnS, e.g., to profile calls, RRC connection establishment or radio link failures.The O1 interface can also be used to push and/or download files on the nodes managed by the SMO.This enables, for example, software updates, new beamforming configuration files for the RUs, and deployment of ML models and security certificates.

C. A1 Interface
The A1 interface connects two O-RAN-specific components, i.e., the non-RT RIC (or SMO) and the near-RT RIC, as shown in Figure 4 [106].It allows the non-RT RIC to deploy policy-based guidance for the near-RT RIC (e.g., to set high-level optimization goals), to manage ML models used, for example, in xApps, and to negotiate and orchestrate the transfer of enrichment information for the near-RT RIC.This is done through standard-defined mechanisms that are based on a specific syntax (based on JSON schema) which can express policies and high-level intent.The policies, ML models, and enrichment information can refer to a group of UEs, or even to a specific UE.Notice that, at the time of writing, the A1based ML model management is still considered for further study [21,106].
The A1 interface, illustrated in Figure 11, relies on the A1AP application protocol, whose functionalities are then further specified for each service it supports [107].The A1AP is based on a 3GPP framework for policy deployment for network functions [87], which combines REST APIs over HTTP for the transfer of JSON objects.For each service, both the non-RT and the near-RT RICs feature a pair of HTTP clients and servers, which are used alternatively for service management and for the actual data transfer and/or notifications.
The A1 Policy management is used by the non-RT RIC to drive the functionalities of the near-RT RIC to achieve highlevel intent for the RAN, as we will discuss in Section IV.This intent is generally defined through QoS or KPI goals for all users or subsets of users (e.g., a slice) and monitored using the reporting functionalities of the O1 interface and feedback over A1. 3 The policies are defined by the non-RT RIC and then deployed over A1.The non-RT RIC is also tasked with monitoring and managing the life cycle of the policies, thanks to APIs for deleting, updating, and querying policies in the near-RT RIC.
Each policy is based on specific JSON schema which are grouped according to different policy types [108].All JSON schema have in common a policy identifier, which is unique for the non-RT RIC, a scope identifier, and one or more policy statements.The scope can be a single UE, a group of UEs, slices, cells, bearers, and application classes.The policy itself is then expressed through a sequence of policy statements, which can cover policy resources (i.e., the conditions for resource usage for a policy) and policy objectives (i.e., the goal of the policy in terms of QoS or KPI targets).The O-RAN technical specification [108] lists several standardized types for policy statements, which depend on specific use cases (e.g., throughput maximization, traffic steering preferences, QoS targets, among others).
Finally, the A1 Enrichment Information (EI) service aims at improving RAN performance by providing information that is generally not available to the RAN itself (e.g., capacity forecasts, information elements from sources outside the RAN, aggregate analytics).The non-RT RIC and the SMO have indeed a global perspective on the network and access to external sources of information, and can relay it to the xApps in the near-RT RIC using A1 EI.The flow of information can also bypass the non-RT RIC, which can instruct the near-RT RIC (over A1) to connect directly to sources of EI.

D. O-RAN Fronthaul
The O-RAN Fronthaul (FH) interface connects a DU to one or multiple RUs inside the same gNB [109,110].The O-RAN FH interface makes it possible to distribute the physical layer functionalities between the RU and the DU, and to control RU operations from the DU.As discussed in Section II, the O-RAN Alliance has selected a specific configuration (split 7.2x) for the splitting of the physical layer among those proposed by the 3GPP [23].As shown in Figure 12, the lower part of the physical layer (low PHY) resides in the RU and performs Orthogonal Frequency Division Multiplexing (OFDM) phase compensation [111], the inverse FFT and CP insertion for frequency-to-time conversion in downlink, and FFT and CP removal in uplink.More capable RUs (i.e., category B RUs) can also perform precoding.This functionality is implemented at the DU for less capable RUs (i.e., category A).To complement the DU capabilities, category A RUs need to support low PHY processing for at least 8 data streams.The physical layer in the DU (high PHY) performs scrambling, modulation, layer mapping, and resource element mapping.
According to O-RAN specifications [109], the 7.2x split strikes a balanced trade-off among the simplicity of the interface and of the RU design, the potential for interoperability (fewer parameters to configure than higher layer splits), and the data rate required for fronthaul transport (lower with respect to configurations that split the physical layer even further).The latter can be based on Ethernet or UPD/IP encapsulation, carrying either an eCPRI [112]   1914.3 [113] payload.Note that one DU can support more than one RU, e.g., to serve carriers of the same cells from different RUs, or to process multiple cells with one DU and multiple RUs.To do this, the O-RAN FH specifications foresee an additional component which multiplexes a fronthaul stream to multiple RUs, or the daisy-chaining of RUs.In addition, the O-RAN FH interface has been designed to support reliable, low-latency communications between DUs and RUs with timing that matches the requirements of URLLC flows.For example, the fronthaul interface includes different modulation compression techniques, to reduce the load on the fronthaul network [114], and fronthaul networks can be designed to support URLLC flows with minimal jitter [115].
The O-RAN FH protocol includes four different functionalities (or planes).Besides the user (U-) and control (C-) planes (for transport of data and PHY-layer control commands) [109], the O-RAN FH also features a synchronization plane (Splane), for timing management among DUs and RUs [109], and a management plane (M-plane), for the configuration of the RU functionalities from the DU itself [110,116].In the following, we describe the functionalities of the different FH planes.
C-plane.The C-plane takes care of transferring commands from the high-PHY in the DU to the low-PHY of the RU, including scheduling and beamforming configurations, management of different NR numerologies in different subframes, downlink precoding configuration, and spectrum sharing control.For the latter, the specifications include Licensed-Assisted Access (LAA) procedures, such as the possibility to perform listen-before-talk in the RU and DU pair, and dynamic spectrum sharing operations, with the possibility to specify which PRBs are dedicated to spectrum sharing between LTE and NR.
The C-plane messages are encapsulated in eCPRI or IEEE 1914.3 headers and payloads, with specific fields and commands for the different control procedures.The O-RAN FH specifications also provide details on how specific C-plane directives (e.g., related to the usage of a specific beamforming vector) can be coupled with specific U-plane packets (and thus symbols to be transmitted).
The combination of C-plane and M-plane can be used to configure and manage beamforming capabilities of the RU, a key feature in 5G networks, especially at FR2 [117].In particular, each RU can support multiple antenna panels, each with multiple Transmitter (TX) or Receiver (RX) arrays [110].Each array can be mapped to one or more data flows.The fronthaul interface allows the control of amplitude and phase of the radiating elements in the phased arrays of the RU (for beamforming in the time domain), or the selection of digital precoding weights (for beamforming in the frequency domain), with four different beamforming options.With predefinedbeam beamforming, the DU dynamically selects (through the C-plane) time and/or frequency beamforming vectors 4 that the RU advertises as available at startup (through the M-plane).Alternatively, with attributed-based beamforming, the DU can select beams based on specific attributes, e.g., azimuth and elevation angles.With weight-based beamforming, the DU also specifies the weights for generic time and/or frequency domain beamforming vectors.The last option is channel-informationbased beamforming, in which the DU provides the RU with Channel State Information (CSI) for a specific user and the RU computes the beamforming weights.The O-RAN FH supports a well-defined model for the RU antennas, so that the DU can unambiguously identify antenna elements, their polarization, position, and orientation of the panel.
U-plane.The main functionality of the U-plane is transferring I/Q samples in the frequency domain between the RU and the DU.Typically, a C-plane message specifies scheduling and beamforming configuration, and is followed by one or more U-plane messages with the I/Q samples to be transmitted in the corresponding transmission opportunities.The U-plane also takes care of timing the transmission of its messages so that they are received at the RU with enough time for processing before transmission.Additionally, the U-plane specifies the digital gain of the I/Q samples, and can compress them for more efficient data transfer.
S-plane.The S-plane takes care of time, frequency, and phase synchronization between the clocks of the DUs and of the RUs.This is key to a correct functioning of a timeand frequency-slotted system distributed across multiple units.Thanks to the shared clock reference, the DU and RU can properly align time and frequency resources for the transmission and reception of the different LTE and NR data and control channels.
The O-RAN FH S-plane can be deployed with different topologies, specified in [109], which differ according to whether a direct DU-RU link exists, or if the two elements are connected through a fabric of Ethernet switches.Additionally, the FH specifications include different synchronization profiles, based on different protocols, such as Physical Layer Frequency Signals (PLFS) or Precision Time Protocol (PTP), which can achieve sub-microsecond time accuracy [119].
M-plane.The O-RAN FH M-plane is a protocol that runs in parallel to the C-, U-, and S-planes, with dedicated endpoints in the DU and RU that establish an IPv4 or IPv6 tunnel [110].It enables the initialization and the management of the connection between the DU and the RU, and the configuration of the RU.In this context, the specifications foresee two architectural options, i.e., hierarchical, in which the SMO manages the DU and the DU manages the RU, and hybrid, in which the SMO can also interact directly with the RU.The M-plane of the O-RAN FH can thus function as the O1 interface of the RU.As for O1, the management directives are based on NETCONF.Finally, contrary to the C-, U-, and S-planes, the M-plane is end-to-end encrypted through SSH and/or TLS.
The M-plane takes care of several operations related to the life cycle of the RU.First, it manages the start-up, during which the RU establishes the management with the DU and/or the SMO thanks to pre-defined IP addresses or DHCP configurations.Then, it enables software updates, configuration management, performance and fault monitoring, and file management for bulk transfer of data.Among others, the M-plane manages the registration of the RU as PNF, the parameters of the RU-to-DU link (including timing), and the update of beamforming vectors (from the deployment of new codebooks, to the tilting of existing ones, and calibration of the antennas).
Besides standardizing the FH interface, the O-RAN Alliance is also developing a set of specifications to characterize the transport and synchronization capabilities of an open fronthaul or crosshaul network that supports the connectivity between DUs and RUs.For example, [120] reviews network-enabled synchronization, by discussing PTP profiles, support required by the Ethernet substrate, points of failures, among others.Other areas of interest are related to the management of the open fronthaul network, wave-division-multiplexing-based networks, and packet-switched architectures with modern features such as, for example, slicing.

E. Other Interfaces
The O2 interface connects the SMO to the O-RAN O-Cloud, enabling the management and provisioning of network functions in a programmatic manner [121].It allows the definition of an inventory of the facilities controlled by the O-Cloud, monitoring, provisioning, fault tolerance and updates.For this interface, the O-RAN Alliance WG6 is considering the adoption of well-known standards and open-source solutions, e.g., relevant ETSI Network Function Virtualization (NFV) standards, 3GPP service-based interfaces, and the Kubernets, Open Stack, and ONAP/OSM projects.
Finally, as shown in Figure 4, the O-RAN disaggregated architecture also leverages additional interfaces defined by the 3GPP.Notably, the E1 interface connects the CU control and user functions [122].The F1 interface connects the CU to the DU, with dedicated sub-interfaces for user and control planes [123].The Xn (X2) interface connects different gNBs (eNBs), for example to perform handovers and to enable dual connectivity [97,124].The Uu interface exists between an UE and the gNB [47], and the NG interface connects the gNB to the 5G core, i.e., to the User Plane Function (UPF) for the user plane and the Access and Mobility Management Function (AMF) for the control plane [47].

VI. AI/ML WORKFLOWS
The goal of this section is to provide a detailed overview of the procedures and operational steps that regulate the AI/ML workflow in the O-RAN architecture.In the following, we provide a step-by-step guide on the life cycle of this workflow-from data collection to the actual deployment and execution of network intelligence in real time-that relies on the architectural components described in Sections II, III, and IV, and on the interfaces discussed in Section V.
The AI/ML workflow is being standardized by O-RAN WG2, with its specifications described in [21].However, not all the procedures, features and functionalities have been finalized yet, with some of them left for further studies.This workflow is composed of six main steps, which we will describe next: (i) data collection and processing, (ii) training; (iii) validation and publishing; (iv) deployment; (v) AI/ML execution and inference, and (vi) continuous operations.
For the sake of illustration and clarity, in the following we will describe the procedures involved in the AI/ML lifecycle within O-RAN systems.We take as an example the case where an operator aims at developing, training and deploying an xApp that controls RAN slicing policies by adapting them in near real time according to current network load and traffic demand via AI-based algorithms.In this example, each base station hosts three slices, namely a URLLC slice for ultralow latency services, an Enhanced Mobile Broadband (eMBB) slice for high-throughput traffic (e.g., video streaming and file transfer), and a Massive Machine-Type Communications (mMTC) slice to handle traffic generated, for example, by small sensors and Internet of Things (IoT) devices.The goal of the xApp is to control RAN slicing policies by assigning the available PRBs to each slice so that the diverse performance requirements of each slice are satisfied.
Data Collection and Processing.First, data is collected over the O1, A1 and E2 interfaces and stored in large datasets (e.g., data lake centralized repositories [125]) where it can be extracted upon request.Since different AI/ML solutions might use different KPM types collected over different time periods and with different granularity (e.g., throughput, latency, Modulation and Coding Scheme (MCS), Channel Quality Information (CQI), data demand, jitter, to name a few), the O-RAN specifications consider a preliminary data pre-processing (or preparation) step.In this step, data for both training and online inference is shaped and formatted according to the input size of the specific AI/ML model being considered [126].Example: with respect to the xApp controlling RAN slicing policies, this step involves collecting data and performance metrics over the O1 interface to generate a training dataset to be used in the next step (i.e., training phase).For example, since the xApp must be able to adapt RAN slicing policies for the different slices according to current data demand and required minimum performance levels, the collected data must include how many PRBs are necessary to transmit the data requested by each user of the three slices, as well as throughput (eMBB), number of transmitted packets (mMTC) and latency (URLLC) measurements.In this, data processing might include the use of autoencoders for dimensionality reduction [19,127], as well as well-established AI data processing procedures such as normalization, scaling and reshaping.
Training.The O-RAN specifications do not allow the deployment of any untrained data-driven solution [21].All the AI/ML models are required to go through an offline training phase to ensure the reliability of the intelligence and avoid inaccurate predictions, classifications and/or actions that might result in outages or inefficiencies in the network [128][129][130].However, this does not preclude online training, which is still supported by O-RAN provided that it is only used to finetune and update a model previously trained offline [21,131].Example: In our example, the operator can train a variety of AI algorithms all controlling the number of PRBs allocated to each slice but differing one from another with respect to their implementation details.For example, the operator can train a set of Deep Reinforcement Learning (DRL) agents and decision trees and explore different combination and input formats (e.g., the specific subset of KPMs and their amount), different architectures (e.g., depth and width of a DRL agent, number of neurons, among others).The goal of this procedure is to train a large number of AI algorithms and identify which ones are the most suitable to accomplish a specific task.
Validation and Publishing.Once models are trained, they go through a validation phase to make sure they are reliable, robust and effective in performing classification, prediction or control tasks.If the validation is successful-and the models are deemed ready for deployment-they are published and stored in an AI/ML catalog on the SMO/non-RT RIC.Otherwise, they are required to go through additional re-design and re-training phases until the validation tests are successful [132].Example: Once training has been completed, the different AI algorithms are compared one another and against diverse validation datasets including previously unseen data to identify which models are the most effective in controlling RAN slicing policies.For example, a typical validation test includes evaluating how well diverse AI solutions perform under diverse traffic patterns and demand, number and distribution of users, available bandwidth and operational frequencies.This procedure can either point out AI solutions that are not performing well and need to be retrained, as well as determine the subset of AI algorithms that can be published to the AI/ML catalog as well as provide side information on the ideal network conditions (e.g., network load, mobility pattern, size of deployment) under which the specific AI solution delivers the best performance so that the operator can deploy the AI solution that is best suited to a specific deployment.
Deployment.Models stored in the AI/ML catalog can be downloaded, deployed and executed following two different options, namely image-based and file-based deployments.In both cases, the deployment of the model is performed by using the O1 interface, and the node where the model executes is  referred to as inference host.
In the image-based deployment, the AI/ML model executes as a containerized image in the form of an O-RAN application (e.g., xApps and rApps) deployed at the O-RAN nodes, where it is executed to perform online inference.At the time of this writing, these nodes are limited to the RICs and the execution of AI at the CUs/DUs is left for further studies.The file-based deployment, instead, considers the case where the AI/ML model is downloaded as a standalone file that executes within an inference environment-outside the O-RAN application domain-that forwards the inference output of the model to one or more O-RAN applications.Example: In our case, the operator will select the pre-trained AI-based RAN slicing models from the AI/ML catalog and deploy them as xApps that will be executed in the near-RT RIC.
AI/ML Execution and Inference.Once models are deployed on the inference host, they are fed with data to perform diverse online inference tasks.These include classification and prediction tasks, deriving policies at both RICs (transmitted over the A1 and E2 interfaces), and taking management and control actions (over the O1 and E2 interfaces, respectively).Example: Once the xApp has been deployed on the near-RT RIC, RAN slicing control is performed by executing the operations described in Fig. 9 where the xApp (i) is fed with KPMs (e.g., requested PRBs, latency and throughput measurements) collected over the E2 interface; and (ii) computes control actions that are used to pilot the DU and assign the available PRBs to the different slices in near-RT.
Continuous Operations.An important aspect of the AI/ML workflow is the ability to monitor and analyze the intelligence deployed throughout the network to verify that the inference outputs of AI/ML models are effective, accurate and do not negatively affect the performance of the network.Continuous operations ensure that models that perform poorly online can be refined and re-trained to improve their functionalities [133][134][135].Example: In our case, the operator can monitor constantly the performance of the RAN slicing xApp and, if any anomalies or inefficiencies are detected, it can decide to retrain the AI/ML model embedded in the xApp over new data collected through the O1 and E2 interfaces.

A. AI/ML deployment scenarios
One of the main features of 5G networks is the ability to support a large variety of use-cases and applications.Given the diversity of the 5G ecosystem, it is clear that a one-size-fitsall solution in deploying and controlling network intelligence is unlikely to exist.For this reason, the O-RAN Alliance has specified five different deployment scenarios that define the location where the different components of the AI/ML workflow of Figure 13 are instantiated and executed [21].Although these deployment scenarios, which are shown in Figure 14, cover a large set of real-world use cases, practical deployments might deviate from them to accommodate operator-and applicationspecific requirements.As mentioned before, O-RAN specifications are specifically designed for the RAN portion of the network and its functionalities.However, it is worth mentioning that O-RAN and its RICs can influence decisions regarding the core network and the Multi-access Edge Computing (MEC) infrastructure.Indeed, the SMO can act as a gateway between the RAN and other network components, as it has the capability of orchestrating functionalities across the whole network.In this way, xApps and rApps executing within the O-RAN environment can be leverage to gather information on the RAN (e.g., traffic load forecast, mobility prediction, network state dynamics) that can be used by the SMO (e.g., ONAP or OSM) to take informed decisions about MEC service instantiation and delivery as well as network slicing policies in the core network [11].

B. Gathering inputs for online inference
Data for online inference can be collected from multiple data producers over the O1, A1 and E2 interfaces, which are designed to support O-RAN control loops operating at different time scales.The O1 interface allows components in the SMO/non-RT RIC domain to gather data from any O-RAN management component and perform non-real-time optimization.The A1 interface can be used by the non-RT RIC to send enrichment information from the SMO/non-RT RIC domain to the near-RT RIC and its applications.For example, an rApp in the non-RT RIC can send enrichment information to the near-RT RIC on the predicted KPI evolution over the next few seconds.Finally, the E2 interface allows the near-RT RIC and its xApps to collect data from E2 nodes (e.g., KPMs) for near-RT control of the RAN.It is worth mentioning that the O-RAN specifications consider the case where input data might be generated within the same inference host by different data producers [21].This is the case of chained AI/ML models, where one control task consists of the execution of several subtasks, each involving a different AI/ML model and requiring diverse input data and types.
To regulate data production and consumption between applications hosted in the same node (e.g., the near-RT RIC), the O-RAN specifications lay the basis for a data access platform that regulates data production, sharing and access.This platform acts as a middleware between the applications and a common data repository where data is stored and shared.To provide a high-level example of this, in Figure 15 we show how data produced by different sources can be consumed by O-RAN applications performing heterogeneous tasks.We consider the case of an rApp X forecasting traffic load (data type A).Two xApps (xApp Y and xApp Z) leverage AI to control network slicing and scheduling strategies, respectively.xApp Y consumes data type A received from the data access platform and produces a slicing profile (data type C), while xApp Z consumes data types A, B and C coming from the data access platform (with type B consisting of KPMs sent from a DU over the E2 interface) and selects a scheduling profile D to be used by the controlled DU.

VII. OPEN RAN USE CASES AND RESEARCH
The capabilities introduced by the RICs, the open interfaces, and the AI/ML workflow described in Sections III-VI make it possible to support advanced use cases and scenarios for the RAN control and deployment self-optimization.
Recent years have seen an increase of O-RAN-driven research on applications and use cases, e.g., on the design of xApps and rApps or on the optimal configuration of O-RAN networks.This section describes the areas where the application of the Open RAN paradigm is the most promising, and recent research results that show how O-RAN-based solutions can be used to optimize the RAN.
The O-RAN Alliance has collected an extensive list of 19 exemplary use cases for Open RAN deployments in [136,137], and the literature further discusses at a high level some of these in [15,[26][27][28][29][31][32][33][34][35][36][37][38][39][40][41][42].At a high level, the scenarios and use cases can be classified in different ways, e.g., by considering the control knob or inference target, or the domain that is being controlled or optimized (e.g., a UE, a slice, a RAN node, or the whole network).In terms of control knobs, we discussed E2specific targets in Section V-A.More generally, it is possible to identify several areas of interest, as follows.
Mobility.Open RAN networks can influence the mobility management or the performance of mobile users by tuning handover, load balancing, multi-connectivity, access barring, and beamforming parameters in the RAN.Differently than in traditional 3GPP networks, this can be done in a closedloop fashion by exploiting knowledge on the state of multiple base stations, and predictions on the user mobility based on information from the RAN or external enrichment information.For example, [18] presents an Open-RAN-based mechanism for the prediction of the load of multiple base stations in a cellular network, with application to the dynamic routing of autonomous vehicles to avoid introducing congestion.The O-RAN documents [136,137] also include context-based handover for vehicular scenarios, in which xApps exploiting enrichment information from the non-RT RIC and inference on AI/ML RAN data to manage handovers, and applications related to Unmanned Aerial Vehicles (UAVs), with configuration of RAN parameters based on the expected trajectory of the UAV.
Resource allocation.Control in this area spans network slicing, scheduling, and provisioning of services and network functions.As for mobility control, the advantages of Open RAN compared to traditional cellular networks lie in the possibility of adapting to dynamic, evolving contexts, to new user requirements (e.g., for different slices), and to external events that alter the state and configurations of the RAN.
In this sense, the research on intelligent O-RAN control has adopted network slicing as one of the most interesting and promising areas for ML-based optimization.Bonati et al. analyze data-driven approaches in O-RAN, and provide the first demonstration of closed-loop control of a softwarized cellular network instantiated on a large-scale experimental platform [19].The performance of the RAN-implemented on the Colosseum testbed (see Section X)-is optimized through xApps that control the scheduling policies of various network slices on the base stations.The slices have different optimization targets, e.g., for the URLLC slice the reward minimizes the buffer occupancy as a proxy for the end-to-end latency.Polese [138,139].Sarikaya and Onur consider the placement of RAN slices in a multi-tier 5G Open RAN and formulate it mathematically, showing the benefits of flexible functional splits compared to fixed split options [140].Niknam et al. analyze the principles and requirements of the O-RAN specifications, and propose an intelligent scheme for the management of radio resources and traffic congestion.The effectiveness of this solution has been proved on realworld operator data [141].Similarly, Mungari assesses the performance of ML-driven radio resource management in O-RAN-managed networks through an xApp deployed on the near-RT RIC, and evaluates it in a small laboratory setup [142].The authors of [143] focus on the cell selection process, showing how O-RAN can help improve the allocation of users to specific cells based on forecasted throughput metrics rather than simply signal level metrics.
Lien et al. [144] and Filali et al. [145] explicitly consider xApp-based optimization of radio resources for URLLC users.In particular, the first paper shows how a reinforcement learning agent running in the near-RT RIC can effectively control the instantiation of new URLLC guaranteed bitrate sessions and configure the session-level parameters to increase the probability of successfully onboarding new URLLC users [144].The paper by Filali et al., instead, studies an O-RAN-based slicing mechanism that controls the resource allocation for URLLC users and manages to achieve quality of service targets [145].
Additional examples can be found in [136,137], e.g., resource allocation for mobile users (including UAVs) with anticipatory mobility prediction, and QoS-based resource allocation.The latter aims at dynamically provisioning the set of resources that selected users require to satisfy their QoS, for example through ad hoc slicing and subsequent allocation of PRBs to the QoS-driven slices.Finally, the O-RAN infrastructure can also be used to predict the emergence of congestion and apply appropriate remediations by adding more resources (e.g., carriers, MIMO layers, cells).
QoE/QoS-based control.The optimization of RAN resources to meet specific QoS and Quality of Experience (QoE) requirements also extends beyond resource allocation.For example, Bertizzolo et al. consider drone-enabled video streaming applications and propose a control system for the Open RAN for the joint optimization of transmission directionality and the location of the drone [146].This solution is evaluated both experimentally, in a multi-cell outdoor RAN testbed, and through numerical simulations.
The O-RAN Alliance use cases also include a QoE optimization scenario, where inputs from external systems, monitoring of application performance, and multi-dimensional data are combined to identify the best RAN configuration for the optimization of the QoE on a user basis [136].Here, O-RAN interfaces play a unique role, as they make it possible to combine and fuse data input from different, heterogeneous sources (RAN, external) in a way that is not usually possible in closed, traditional RAN deployments.
RAN sharing.This use case covers different scenarios, from spectrum sharing to infrastructure sharing on a neutral host architecture, which are expected to increase the spectral and energy efficiencies, and to reduce operational and capital expenditures.This scenario combines the flexibility of O-RAN softwarization and virtualization with the dynamicity and reconfigurability of closed-loop control (including with external information).The O-RAN specifications include multiple mechanisms for spectrum sharing, including slicing and control of dynamic spectrum access at the DU/RU.
In this regard, [147] studies a sharing scenario between a 5G RAN and a low-Earth orbit satellite constellation (in particular, the uplink between a ground station and a satellite), managed by a RIC.The study includes input from a RAN-independent spectrum-sensing framework and a sharing mechanism applied on a UE-basis by the RIC.Paper [148] also proposes an intertechnology spectrum sharing solution enabled by O-RAN, but, in this case, the sensing is performed inside the DU and RU themselves, with I/Q-based deep learning analysis of the received signals.The proposed sharing scheme detects Wi-Fi users (or unknown users occupying the spectrum of interest) and adapts the configuration of the RAN to avoid interference.[149] proposes a framework based on the aggregation of contextual information from multiple sources to create spectrum maps that are then used by xApps for dynamic spectrum access control.An outlook to spectrum sharing enabled by O-RAN controllers in future 6G applications is provided in [150], where a backhaul link carrier frequency is changed by a centralized controller based on external information on incumbents that may suffer from interference from the communication links.
Blockchain-based approaches are also considered in [151,152].Notably, [151] embeds a blockchain framework on top of the O-RAN infrastructure to enable secure and trusted exchange of RAN resources (as for example DUs, RUs, etc.) among multiple operators.[152] combines Open-RANenabled neutral infrastructure and dynamic allocation based on blockchain as a practical way to bridge the digital divide gap.Finally, [153] explores the usage of smart contracts to activate and deactivate carrier aggregation across different operators on a shared O-RAN infrastructure.
Massive MIMO.This technology represents a key enabler of 5G networks.Through an Open RAN architecture, it is possible to embed dynamic control and adaptability to the configuration of the MIMO codebook (or group of beams 6 ) or of the beam selection process, and to make mobile experience more reliable and robust.
From the signal processing point of view, there is an extensive body on research that benefits from C-RAN and virtualized, centralized CUs and DUs [46,154].Paper [155] studies how channel state information available at the RU or DU may need to be shared across the two nodes.The authors consider specifically the capabilities provided by the O-RAN FH.In this context, [114,156] discuss different compressions schemes for the O-RAN FH interface, also considering multi-stream capabilities typical of MIMO setups.Finally, the authors of [157] analyze different beamforming options based on the O-RAN 7.2x split of the physical layer.
When it comes to the RICs introduced by O-RAN, the control and optimization is generally related to beam parameters and to the codebook or group of beams in the DU and RU.For example, the O-RAN technical document on use cases investigates two different data-driven solutions [136].The first adapts the group of beams based on telemetry collected at the non-RT RIC, e.g., user activity and reports, measurement reports, GPS coordinates, and reconfiguration through the O1 and O-RAN FH interfaces.The second is an optimization on the near-RT RIC of the mobility configuration, e.g., the beam-specific offsets that will determine whether a user should change beam or not.Another scenario of interest is the grouping of the users into multi-and single-user MIMO groups, which would then benefit from capacity enhancement or diversity.This can be done through policy guidance and enrichment information from the non-RT RIC, and with the actual control being performed by the near-RT RIC.The dynamic, data-driven reconfiguration of beamforming with the RICs is relatively unexplored in the Open RAN literature.
Security.We will discuss security in details in Section VIII.New applications.The next generations of wireless cellular networks also embed and expand to other use cases.An example is the support for UAVs and vehicular communications, which we discussed as part of the mobility and resource allocation use cases.
Another example is represented by industrial IoT scenarios, which require high reliability and precise timing and synchronization achieved with data duplication, multi-connectivity, dedicated QoS and packet compression techniques [158].
Considering the number of parameters that can be tuned in this context, the closed-loop control enabled by the O-RAN RICs can provide elastic configurations that adapt to the evolving conditions on the factory floor.
Moving away from communication scenarios, 5G networks from Release 16 also support positioning through dedicated signals on the air interfaces (both LTE and NR) and a location management function in the core network [159].Location services will be used, for example, in indoor scenarios (e.g., factories, malls), to provide value-added services, or to implement location-based safety information broadcasting.However, relaying the location information to the core for analysis and processing may be affected by delays or jitter, making precise and timely estimation more difficult.In this case, the O-RAN specifications [136] see the near-RT RIC with a dedicated positioning xApp as an alternative to the 5G core location management function, leveraging the deployment of the near-RT RIC at the edge of the network.
O-RAN deployments optimization.Besides optimization of the RAN through O-RAN, several papers also study how to optimize the deployment of the Open RAN components themselves (e.g., RICs, xApps and rApps, RAN nodes).This leverages the management functionalities of the SMO, as well as its centralized point of view and the telemetry and statics from the RAN.D'Oro et al. design a zero-touch orchestration framework that optimizes network intelligent placement in O-RANmanaged networks, and prototype it at scale on Colosseum using open source RIC and RAN components [160].In this context, the paper [135] introduces the concept of RLOps, or reinforcement learning operations, i.e., a framework to manage the life-cycle of intelligence (specifically, reinforcement learning) for Open RAN.RLOps cover the whole end-to-end workflow of AI/ML for the RAN (Section IV), from the design and development to the operations (i.e., deployment, updates), and the management of safety and security during the overall intelligence life-cycle.Huff et al., instead, develop a library, namely RFT, to make xApps fault-tolerant while preserving high scalability [161].This is achieved through techniques such as state partitioning, partial replication and fast re-route with role awareness.
Other papers focus on the virtualized components and of the disaggregated base stations.Tamim et al. maximize the network availability by proposing deployment strategies for the virtualized O-RAN units in the O-Cloud [162].Pamuklu et al. propose a function split technique for green Open RANs [68].The proposed solution, which is based on DRL, is evaluated on a real-world dataset.The authors of [163] develop a matching scheme between DUs and RUs with a 2D bin packing problem.Finally, the O-RAN specifications consider a similar use case, with data-driven pooling of the CUs and DUs on shared, virtualized resources [136], orchestrated through the non-RT RIC.
O-RAN white papers and surveys.Finally, overviews of O-RAN and of its components are given by Lee et al. in [26], which implements AI/ML workflows through opensource software frameworks; by Abdalla et al. in [27], which reviews O-RAN capabilities and shortcomings; by Garcia-Saavedra and Costa-Perez in [28], which gives a succinct overview of O-RAN building blocks, interfaces and services; and by Brik et al. in [29] and Arnaz et al. in [30], which discuss deep learning and artificial intelligence applications for the Open RAN.[8] discusses open source software that can be used to deploy 5G and Open RAN networks.Several white papers [15,[31][32][33][34][35][36][37][38][39][40][41][42] provide high-level overviews of the Open RAN vision and of the O-RAN architecture.Differently from the above works, in this paper, we present a comprehensive overview of the O-RAN specifications, deep-diving into the standardized interfaces, protocols and services, and discussing in detail use cases, AI/ML workflows, deployment scenarios, and open platforms for O-RAN-enabled experimental research.

VIII. SECURITY IN THE OPEN RAN
It is undeniable that the introduction of new architectural components, open interfaces, disaggregation, and the integration of custom and possibly data-driven control logic will make next-generation cellular networks more efficient and flexible.On the other hand, however, this revolution comes with unprecedented security challenges that primarily stem from the fact that the distributed and disaggregated nature of the O-RAN infrastructure effectively extends the attack surface for malicious users, thus posing severe threats to the network and its users [38].At the same time, the unparalleled monitoring capabilities, the intelligence and the cloud-native deployment that characterize O-RAN architectures truly add insights on the state of the network and provide the necessary tools to implement advanced solutions to monitor, detect, prevent and counteract threats [37].In this regard, the O-RAN Alliance has created a dedicated working group for the analysis and definition of threat models for O-RAN networks, as well as for the definition of security measures and policies for the components of the O-RAN architecture toward a zerotrust model [164][165][166].

A. Security Stakeholders
The O-RAN Security Focus Group (SFG) (recently promoted to a full WG, i.e., WG11) has defined a list of stakeholders that need to proactively secure the RAN.This extends the interested parties beyond those considered in traditional 4G and 5G networks, e.g., vendors, operators, and system integrators.As also discussed in [37], operators will assume a more predominant role in securing the infrastructure, as the openness of the platform and the usage of multivendor components allows them to customize the build (and thus the security) of the infrastructure.This also means that operators can assess and vet the security standard of the open components introduced in the network, which is often not possible in close architectures that are fully vendor-driven.[37] also identifies network functions and virtualization platform vendors as new stakeholders (e.g., third-party xApp and rApps developers, O-Cloud providers), along with administrator profiles that manage virtualized and disaggregated components.In addition, the orchestrator (e.g., the entity that manages the SMO) also has a role in securing the operations of the network.

B. Extended Threat Surface
According to the threat analysis in [164], the O-RAN Alliance plans to complement the 3GPP security requirements and specifications [167][168][169][170][171] to address security issues specific to the O-RAN architecture.SFG has identified seven threat categories: • Threats against the O-RAN system.The Open RAN architecture introduces new architectural elements and interfaces (from the fronthaul to control and management interfaces), which become part of an extended threat surface.These components can be subject to different attacks, which may compromise (i) the availability of the infrastructure (e.g., unauthorized access to disaggregated RAN components aiming at deteriorating the performance of the network, or the malicious deployment of xApps that intentionally introduce conflicts with other xApps); (ii) data and infrastructure integrity (e.g., compromised software trust chains or the misconfiguration of interfaces), and (iii) data confidentiality (e.g., through attacks that disable over-the-air encryption, or facilitate unregulated access of user data from xApps and rApps).Data-related threats encompass (i) information transported over O-RAN interfaces for control, management, and configuration of the RAN; (ii) data used for training and testing of the ML models; (iii) sensitive data on the users, e.g., their identities; and (iv) the cryptographic keys deployed on the elements of the network.The threat surface also expands to the new logical components of the architecture, i.e., the RICs, the SMO, and the software frameworks (e.g., xApps, rApps) that execute on the RICs.Finally, attacks on the Open Fronthaul 7.2x split interface are also often mentioned as a potential vulnerability [38].As of today, the 7.2x interface is not encrypted on the control plane, because of the challenging timing requirements that encryption would introduce.This introduces man-in-the-middle attacks, in which the attacker impersonates the DU (or RU), and compromises user data or configurations in either of the two endpoints.Another attack can be carried out against the S-Plane, with a malicious actor compromising the synchronization infrastructure and thus causing performance degradation.• Threats against the AI/ML components.Finally, the O-RAN specification [164] and the literature [37,38] also describe a new class of threats, i.e., attacks against AI/ML models used for inference and control in xApps and rApps.A practical instances of such an attack is that of poisoning attacks, in which an attacker exploits unregulated access to the data stored in the SMO/non-RT RIC to inject altered and misleading data into the datasets used for offline training of AI/ML algorithms.Another example is that of an adversary gaining unrestricted control over one or more O-RAN nodes to produce synthetic data fed in real time to AI/ML solutions being finetuned online, or being used to perform online inference.These attacks are extremely relevant as they might result in AI/ML solutions that output wrong predictions, or make wrong control decisions that result in performance degradation or-even worse-outages.Similar attacks can also target the ML model directly (e.g., by modifying the weights or configurations of the model) [172].Based on this security analysis, the O-RAN SFG has identified 30 O-RAN-specific critical assets related to interfaces and data, and 12 related to logical components, also partially discussed in [37,38,173].

C. O-RAN Security Principles and Opportunities
While the new architecture and its interfaces introduce new threats and opportunities for attackers, they also come with the opportunity to re-think the security principles and best practices for designing, deploying and operating cellular networks and align them to the best practices of cloud-native deployments [37].In general, openness is associated with increased visibility into the processes and operations of the RAN, which puts operators in control of their network.The O-Cloud and the virtualized nature of the O-RAN platforms enable quick deployment of security patches and updates, automated testing and deployment, with full control over the entire end-to-end process including information on vendors and software components being used at any moment.The   [165,166].
Finally, the availability of data and the insights on the RAN that the different interfaces (E2, O1) provide can also be leveraged to increase the security of the RAN itself.This is due to the intelligent, data-driven self-monitoring of the RAN performance, which can automatically trigger warnings and alarms in case unintended behaviors are detected [174,175].

IX. O-RAN STANDARDIZATION
The O-RAN Alliance is a consortium of operators, vendors, research institutions, and industry partners that focuses on reshaping the RAN ecosystem toward an intelligent, open, virtualized and interoperable architecture.To this aim, the efforts of the Alliance cover three macro-areas [176]

X. EXPERIMENTAL WIRELESS PLATFORMS FOR O-RAN
The recent adoption of the softwarization paradigm in next generation cellular networking, and the emergence of open frameworks and interfaces for the Open RAN, such as the ones described in this work, bring unprecedented opportunities to the field of experimental research on cellular networks.In this regard, experimental research will be fundamental in developing and validating the use cases described in Section VII.Once hard to experiment upon-due to the complex, hardware-based and closed implementations of RAN nodes, e.g., the base stations-in recent years, the cellular networking ecosystem has seen this task facilitated by open and opensource protocol stacks (e.g., srsRAN [180] and OpenAirInterface [181]).These software-based implementations enable the instantiation of 3GPP-compliant network elements on generalpurpose, off-the-shelf devices, allowing virtually anyone to instantiate a complete and operational cellular network with

5G outdoors
Framework O-RAN-compatible Deployment OpenRAN Gym [177] yes end-to-end pipeline for AI/ML O-RAN research Open AI Cellular [187,188] yes AI-enabled framework multiple nodes, and to experimentally validate solutions for cellular applications.
Thanks to the open protocol stacks mentioned above, in the last few years, the wireless community has seen the creation and broader adoption of publicly-available platforms and frameworks open and available to the research community.The prominent ones are summarized in Table III.These platforms play a vital role as they provide the means-and scale-to virtualize cellular stacks and controllers on their publiclyavailable infrastructure, and to design and prototype solutions in deployments as close as possible to those of commercial networks.Moreover, when it comes to AI/ML solutionswhich require large amounts of data for the training and testing processes-they operate as wireless data factories, providing users with the tools to perform data collection at scale in controlled-yet realistic-wireless environments.
Open RAN experimentation relies on a combination of (i) compute resources, to run the virtualized O-RAN components (e.g., the RICs); and (ii) radio resources, to host the overthe-air component of the RAN.For example, the base stations can be implemented through open and softwarized protocol stacks, such as srsRAN [180] and OpenAirInterface [181].These stacks leverage Software-defined Radios (SDRs) (e.g., NI USRPs) as radio front-ends, and serve users implemented through analogous protocol stacks, or via commercial smartphones.The O-RAN software can be either developed ad hoc, e.g., as FlexRIC [77], or be based on the OSC, ONF, Linux foundation, or ETSI open source frameworks, as discussed in Sections III and IV.For example, when focusing on RAN control, the research pipeline generally involves a near-RT RIC, the RAN, the E2 interface, and custom xApps implementing the desired control on the RIC.
All the platforms in Table III provide these two ingredients, at different extents, and are thus fit for Open RAN research.Some of them, as discussed next, are already equipped with software and pipelines for this, while others can be used in combination with other frameworks.

A. Experimental Open RAN research with OpenRAN Gym
The Open RAN experimental workflow is enabled, for example, by OpenRAN Gym [177].OpenRAN Gym combines software-defined cellular stacks with a lightweight RIC, which can be deployed on multiple experimental platforms from Table III, E2 termination, and an end-to-end AI/ML pipeline for O-RAN.
OpenRAN Gym offers a ready-to-use Linux Container (LXC)-based implementation with the main components of the OSC near-RT RIC, as shown in Figure 16  Through the E2 termination, the near-RT RIC can connect to the E2 nodes (e.g., CUs/DUs) to implement softwarized control of the RAN (see Figure 16, left).In OpenRAN Gym, the latter can be implemented through the SCOPE framework that extends srsRAN [180] with additional slicing, MAC-and PHY-layer functionalities, control APIs, and data collection capabilities [189].This can be paired with the OSC RAN-side E2 termination to interface with the E2 termination on the near-RT RIC.

B. Colosseum and Arena
Two of the prominent platforms that allow users to instantiate an O-RAN-compliant network (e.g., with OpenRAN Gym) and components on a white-box infrastructure are Colosseum and Arena [178,182].Colosseum is the world's largest wireless network emulator with hardware-in-the-loop. Through a first-of-its-kind FPGA fabric, Colosseum empowers researchers with the tools to capture and reproduce different conditions of the wireless channel, and to experiment at scale through 256 USRP X310 SDRs [178].Colosseum provides researchers with access to 128 Standard Radio Nodes (SRNs), i.e., a combination of a server and of an USRP X310 SDR acting as a RF front-end.SRNs can be used to instantiate the RICs (without considering the radio component) or softwarized base stations and users.Colosseum also provides data storage and NVIDIA Graphics Processing Units (GPUs) for the training of ML models (see Figure 16, right).These resources can be used, for example, as a component of the SMO/non-RT RIC.
Finally, the SDRs are connected through coaxial RF cables to Colosseum Massive Channel Emulator-which takes care of emulating in FPGA different conditions of the wireless environment (Figure 16, left)-and through the traffic network to Colosseum Traffic Generator-which leverages Multi-Generator [190] to generate and stream IP traffic flows to the SRNs.
After prototyping O-RAN-powered solutions on Colosseum with the setup of Figure 16, users can port them to other experimental testbeds, such as Arena and the platforms of the U.S. PAWR program [182,191].Arena is an indoor testbed with 24 SDRs (16 USRPs N210 and 8 USRPs X310) connected to a ceiling grid with 64 antennas and controlled by a set of 12 high-performance servers.The combination of servers, SDRs, and antenna layout offer the ideal setup for testing of MEC capabilities [11] and private indoor cellular deployments [13,192].An example of O-RAN-related research that combines Colosseum and Arena is described in [74].

C. Other Experimental Research Platforms
Other publicly-available testbeds include the city-scale platforms of the U.S. National Science Foundation PAWR program [191].These consist of POWDER [185], focused on sub-6 GHz cellular deployments, COSMOS [193], on mmWave communications, and AERPAW [183], on aerial cellular deployments. 7Namely, all of these platforms are compatible with the O-RAN paradigm, as they allow users to instantiate whitebox base stations managed by the O-RAN RICs.However, at the time of this writing, the only testbed that offers a readyto-use O-RAN implementation (in the form of a pre-compiled container image) is POWDER [138,195].OpenRAN Gym has been tested on POWDER and COSMOS.
In Europe, the 5GENESIS consortium is working toward the implementation of various 5G components, and the validation of different use cases across its several testbeds [186].These include edge-computing NFV-enabled heterogeneous radio infrastructure, orchestration and management frameworks, terrestrial and satellite communications, and ultra-dense network deployments.Upon completion, these testbeds will be compatible with the O-RAN ecosystem.
Among the notable open-source initiatives, Open AI Cellular (OAIC) proposes a framework that is integrated with the O-RAN ecosystem.This framework allows users to manage cellular networks through AI-enabled controllers, and to interact with systems that locate implementation, system-level, and security flaws in the network itself [188,196].

XI. FUTURE RESEARCH AND DEVELOPMENT DIRECTIONS
While the foundational principles and the main specifications for O-RAN have been drafted, partially enabling the use cases described in Section VII, there are still several open issues for both standardization, development, and research.We identified some of them as follows:  [197].These elements can work together with xApps to leverage data that cannot be transferred for analysis from the RAN to the RIC (e.g., I/Q samples, or fine-grained channel estimation information).• Multi-time-scale control.When considering the full O-RAN architecture (and possible extensions as discussed above), different control loops will operate and have visibility on the system at different time scales.This opens challenges in terms of multi-scale control.Further research is required on the design of the multi-scale algorithms, on the identification of instability in the system as well as conflicts across the different control loops, and on the automated selection of the optimal control loops that can be used to reach specific high-level intents [160].

XII. CONCLUSIONS
This paper presented a comprehensive overview of the O-RAN specifications, architectures and operations.We first introduced the main architectural building blocks and the principles behind the design of O-RAN networks.Then, we described the components of the near-RT and non-RT RICs and of the SMO, and discussed the O-RAN interfaces, including E2, O1, A1, the fronthaul interface, and O2.The second part of this paper focused on topics spanning multiple components and interfaces in the O-RAN architecture.We provided details on the AI and ML workflow that O-RAN enables, on O-RAN use cases and research, and on the O-RAN security challenges and potential.Finally, we reviewed the structure and standardization efforts of the O-RAN Alliance, and discussed research platforms, and future research directions.
We believe that these insights, together with the deep dive on the O-RAN specifications, architecture, and interfaces, will foster and promote further efforts toward more open, programmable, virtualized, and efficient wireless networks.Listing 1: Example of E2 Subscription Request message, compliant with E2AP V2.0 [88].Generated using the E2 simulator library from [198].

APPENDIX
In the following appendices, we provide examples for messages exchanged over the E2 interface (the subscription message, in Appendix A, and the Indication message of type report, in Appendix B), and a list of acronyms used throughout this work (Appendix C).

A. Example of E2 Subscription Request Message
Listing 1 shows an example of the fields of an E2AP message for a subscription request, which is generated in the near-RT RIC and sent to the E2 termination of an E2 node.The XML format is used to describe the set of fields and their entries (i.e., the IEs), then the actual message is encoded in ASN.1 format (i.e., a sequence of bytes) before being encapsulated and transmitted on the SCTP socket.The first field is the message type, which contains a procedure code (8 for the subscription) and the actual type of message (an initiating message, as it begins a procedure on E2).Then, the message contains two IDs, one that uniquely identifies the RIC request, and the other the RAN function to which the RIC wants to subscribe.The core of the message is the set of IEs with details on the subscription request.In particular, the message defines a list of actions (with only one entry in this example).Each action has a type (in this case, report), a definition (which is optional, and depends on what the specific RAN function supports), and, possibly, a subsequent action to perform once the first is completed (in this case, continue, after waiting for a timer of 10 ms to expire).

B. Example of E2 Indication (Report) Message.
Listing 2 features the XML for an E2AP Indication message, which is generated by the E2 node and sent to the near-RT RIC upon triggering of an event defined through the related subscription procedure.As for the E2 Subscription Request message, also this message is encoded using ASN.1, and Listing 2: Example of E2 Indication message of type report, compliant with E2AP V2.0 [88].Generated using the E2 simulator library from [198].
features the message type and procedure code at the beginning of the message.Then, it lists IEs related to the RIC request, the function identifier, the corresponding action identifier (which is a unique value for each RIC request), a sequence number (which is optional), and the type of indication, which in this case is report (the possible values are insert or report).The last three fields (indication header, indication message, and call process identifier) are encoded by the E2AP message but their semantics are defined by the specific E2SM used to populate the message (e.g., E2SM KPM).

Figure 3 ControlFig. 3 :
Fig. 3: Closed-loop control enabled by the O-RAN architecture, and possible extensions, adapted from [19].The control loops are represented by the dashed arrows over the architectural diagram.

Fig. 4 :
Fig. 4: O-RAN architecture, with components and interfaces from O-RAN and 3GPP.O-RAN interfaces are drawn as solid lines, 3GPP ones as dashed lines.

Fig. 7 :
Fig. 7: Representation of an O-RAN E2AP packet (bottom left), which includes an E2SM payload (top left).The E2 payload is then encapsulated in SCTP and IP headers (right).The top part of the figure also summarizes the services provided by the E2 interface.

•
(a) Procedure for the setup of an E2 session between the near-RT RIC and an E2 node.The procedure is initiated by the E2 node which interacts with the near-RT RIC.Packet delay/loss rate/drop rate • Radio resource utilization • UE throughput • CQI-related measurements • QoS flow monitoring • Handover-related measurements RIC indication (report: KPM) xApp starts a new subscription xApp receives KPMs xApp receives KPMs (b) Procedures related to the streaming of KPMs from the E2 node to the near-RT RIC.The subscription procedure is started by an xApp on the near-RT RIC, which then receives the reports.

Fig. 8 :
Fig. 8: Procedures for E2 setup and E2SM KPM.The vertical lines represent the temporal evolution of the process, while horizontal lines are the messages exchanged by the near-RT RIC and the E2 node.

Fig. 9 :
Fig.9: E2 insert service with subsequent E2 control service response.The vertical lines represent the temporal evolution of the process, while horizontal lines are the messages exchanged by the near-RT RIC and the E2 node.
Fig. 10: O-RAN O1 interface and Management Services payload (left), which is encapsulated in HTTPS/TCP/IP packets (right).

Fig. 11 :
Fig. 11: O-RAN A1 JSON payload (left), which is encapsulated in HTTP-S/TCP/IP packets (right).The figure also summarizes the services that can be provided over A1.

Fig. 12 :
Fig.12: O-RAN fronthaul interface and fronthaul planes.This interface enables the 7.2x split of the physical layer functionalities across DU and RU, with data and control between the PHY-high and PHY-low transported over the Control and User-(CU-) planes.The S-plane provides synchronization, and the M-plane management and orchestration functionalities.

Fig. 13 :
Fig.13: AI/ML workflow in the O-RAN architecture.The RAN infrastructure provides data through O-RAN interfaces to the data collection and preparation logical blocks.The AI/ML models are then trained, validated, and deployed, and execute on O-RAN nodes (e.g., the RICs).Models can be further refined through monitoring and continuous optimization based on performance feedback from the RAN.

Fig. 14 :
Fig.14:O-RAN AI/ML deployment scenarios, adapted from[21].Different scenarios embed different components of the O-RAN AI/ML workflows in different components of the RAN, from the SMO/non-RT RIC to the near-RT RIC or the RAN nodes.

Fig. 15 :
Fig. 15: An example of chained AI/ML models with diverse input types and data producers.Letter A indicates the traffic forecast generated by rApp X. Letter B represents the KPMs from the RAN.xApp Y uses data A to generate control action C (i.e., a slicing profile).xApp Z, instead, using data A, B and control C as input to generated a new control action D (i.e., a scheduling profile).
et al. propose ColO-RAN, a pipeline for the design, training, testing and experimental evaluation of DRLbased control loops in O-RAN [74].The capabilities of ColO-RAN-prototyped on the Colosseum and Arena testbeds-are showcased through xApps to control the RAN slicing allocation and scheduling policies, and for the online training of ML models.Johnson et al. propose NexRAN, an xApp to perform the closed-loop control of the slicing resources of softwarized base stations, and demonstrate it on the POWDER platform of the U.S. PAWR program [74].This can be instantiated on top of any bare metal compute and includes RIC services implemented as Docker containers.They include the O-RAN E2 termination, manager and message routing containers, which are used to communicate with the E2 nodes, and Redis database container, used to keep a record of the E2 nodes associated with the near-RT RIC.Additionally, external xApps can be instantiated in what is shown in the figure as xApp space.As part of OpenRAN Gym, we provide a sample xApp that manages the connectivity to and from the RIC platform.

PHYFig. 16 :
Fig.16: OpenRAN Gym components[177] deployed on the Colosseum experimental testbed[178], adapted from[74].The non-RT RIC, near-RT RIC, and RAN nodes (either base stations or users) are deployed as containers on different Colosseum Standard Radio Nodes (SRNs).Different Colosseum networks can be used to provide application traffic and support for the O-RAN interfaces, while the wireless communications among RAN components is emulated by the Massive Channel Emulator (MCHEM).
environments.Possible attacks include (i) compromising virtual network functions, either being executed or their snapshots or images (e.g., to leak embedded cryptographic secrets); (ii) exploitation of the O2 interface between the O-Cloud and the SMO to gain access and escape isolation; (iii) misuse of containers or virtual machines for network functions to attack other entities in the network; and (iv) spoofing or compromising the underlying networking or auxiliary services.•

TABLE I :
O-RAN working groups.

TABLE II :
O-RAN focus groups.

Table I :
: (i) specification, aimed at extending RAN standards to include openness and intelligence; (ii) software development, focused on developing and contributing open source software for the RAN components of the O-RAN architecture, and (iii) testing and integration, in which it provides guidance to members of the Alliance willing to perform testing and integration of the O-RAN-compliant solutions they develop.The specification tasks of the O-RAN Alliance are divided among 10 WGs, each responsible for specific parts of the O-RAN architecture.The main focus of each of these WGs is summarized in • WG1: Use Cases and Overall Architecture.This WG identifies key O-RAN use cases, deployment scenarios and development tasks of the overall O-RAN architecture.WG11: Security Work Group (SWG).This WG focuseson the security aspects of the O-RAN ecosystem, as discussed in Section VIII.Besides WGs, O-RAN also includes groups that focus on topics that are relevant to the whole Alliance.These are named Focus Groups (FGs) and they are summarized in TableII: •

TABLE III :
Experimental wireless platforms and frameworks for O-RAN.

•
Identification of key O-RAN use cases.While O-RAN provides the infrastructure to implement RAN closedloop control, the identification of a key set use cases that leverage these extended capabilities is still ongoing.to be O-RAN compliant.Indeed, the near-RT RIC effectiveness for RAN analysis and control ultimately depends on the E2 service models implemented in the RAN.• Interoperability and testing.O-RAN has made significant steps toward enabling interoperability among vendors and networking components, thanks to the definition of open interfaces.This key principle needs to be realized in practice, with vendors that fully commit to implementing standard-compliant interfaces.In addition, a truly interoperable ecosystem will foster the development of xApps and rApps that can be ported across multiple near-RT and non-RT RICs.In this sense, the standardization of APIs or of a SDK for the RICs is a key interoperability enabler.Finally, the fronthaul interface and the deployment of efficient, scalable fronthaul networks is one of the key challenges in the design and scaling of Open RAN deployments.• O-RAN Architecture and its evolution.The foundational elements of the O-RAN architecture include the disaggregated RAN nodes (CUs, DUs, RUs) and the near-RT and non-RT RICs hosting xApps and rApps, respectively.There are several open questions as of how this architecture can be effectively deployed, e.g., in terms of distribution of networking elements across the edge and cloud network, or ratio among RAN nodes and RIC elements.In addition, further research can help designing further extensions of the O-RAN architecture, which, for example, enable real-time control in the RAN nodes through what we define as dApps in • Service models development and implementation.As discussed in Section V, the E2 service models play a key role in the definition of what O-RAN and, specifically, the near-RT RIC can control in a 3GPP-defined RAN.As new use cases for O-RAN and xApp-driven control are identified, it is important to design service models that are comprehensive, and to identify profiles and basic set of functionalities that RAN equipment vendors need to implement Spectrum sharing solutions enabled by Open RAN.Network controllers and programmable RAN nodes open new opportunities for the development of spectrum sharing systems [148].The O-RAN specifications already include capabilities for LTE/NR dynamic spectrum sharing, but the design of algorithms to enable this is still an open issue.Future research can investigate how to practically enable O-RAN-based sensing, reactive and proactive spectrum adaptation solutions, considering 3GPP and non-3GPP systems, as well as sharing-related extensions of the O-RAN architecture.• Security in O-RAN.As discussed in Section VIII, the openness of the RAN increases the threat surface but also enables new approaches to network security.For example, the improved visibility into the RAN performance and telemetry and the possibility of deploying plug-in xApps and rApps for security analysis and threat identification make it possible to explore novel approaches for securing wireless networks and make them more robust and resilient.The research and development of security approaches that leverage O-RAN capabilities and improve the integrity, resiliency, and availability of its deployments is a key step toward making Open RAN approaches a viable and future-proof alternative to traditional RAN deployments.• Energy efficiency with Open RAN.As discussed in Section II, virtualization and closed-loop control provide useful primitives for the dynamic network function allocation and thus for the energy efficiency maximization.Further research is required to develop orchestration routines at the non-RT RIC/SMO that embed energy efficiency in the optimization goal, as well as xApps and rApps that adopt control actions or policies that include energy efficiency targets.
[74] training and testing datasets that are heterogeneous and representative of large-scale deployments; (ii) test and/or refine data-driven solutions through online training without compromising the production RAN performance, and (iii) design AI/ML algorithms that work with real, unreliable input, and can easily generalize to different deployment conditions[74].• 3GPP 3rd Generation Partnership Project AAL Acceleration Abstraction Layer AI Artificial Intelligence AMF Access and Mobility Management Function AP Application Protocol API Application Programming Interface AR Augmented Reality ASIC Application-specific Integrated Circuit C-RAN Cloud RAN CA Carrier Aggregation CP Control Plane CP Cyclic Prefix CQI Channel Quality Information CSI Channel State Information CU Central Unit DC Dual Connectivity DRL Deep Reinforcement Learning DU Distributed Unit E2SM E2 Service Model EI Enrichment Information eMBB Enhanced Mobile Broadband eNB evolved Node Base ETSI European Telecommunications Standards Institute FCAPS Fault, Configuration, Accounting, Performance, Security FEC Forward Error Correction FFT Fast Fourier Transform FG Focus Group FH Fronthaul FPGA Field Programmable Gate Array gNB Next Generation Node Base GPU Graphics Processing Unit IE Information Element IETF Internet Engineering Task Force IoT Internet of Things KPI Key Performance Indicator KPM Key Performance Measurement LAA Licensed-Assisted Access LTE Long Term Evolution LXC Linux Container MAC Medium Access Control MCHEM Massive Channel Emulator MCS Modulation and Coding Scheme MEC Multi-access Edge Computing MGEN Multi-Generator MIMO Multiple Input, Multiple Output ML Machine Learning mMTC Massive Machine-Type Communications MnS Management Services NFV Network Function Virtualization NI Network Interfaces NIB Network Information Base OAM Operations, Administration and Maintenance OFDM Orthogonal Frequency Division Multiplexing ONAP Open Network Automation Platform ONF Open Networking Foundation ONOS Open Networking Operating System OSC O-RAN Software Community OSFG Open Source Focus Group OSM Open Source Management and Orchestration PAWR Platforms for Advanced Wireless Research PDCP Packet Data Convergence Protocol PLFS Physical Layer Frequency Signals PNF Physical Network Function PRB Physical Resource Block PTP Precision Time Protocol QoE Quality of Experience QoS Quality of Service R-NIB RAN NIB RAN Radio Access Network RC RAN Control RF Radio Frequency RIC RAN Intelligent Controller RLC Radio Link Control RMR RIC Message Router RRC Radio Resource Control RSRP Reference Signal Received Power RU Radio Unit RX Receiver SCTP Stream Control Transmission Protocol SDAP Service Data Adaptation Protocol SDFG Standard Development Focus Group SDK Software Development Kit SDL Shared Data Layer SDN Software-defined Networking SDR Software-defined Radio SFG Security Focus Group SLA Service Level Agreement SM Service Model SMO Service Management and Orchestration SRN Standard Radio Node SWG Security Work Group TB Transport Block TGEN Traffic Generator TIFG Test & Integration Focus Group TSC Technical Steering Committee TX Transmitter UAV Unmanned Aerial Vehicle UE User Equipment UP User Plane UPF User Plane Function URLLC Ultra Reliable and Low Latency Communications USRP Universal Software Radio Peripheral VES VNF Event Stream VNF Virtual Network Function VR Virtual Reality WG Working Group