New networks and new usage habits require new security tools and techniques. As operators deploy 5G standalone (SA) networks, they must overhaul old security techniques to manage end-users wanting to access 5G while roaming. Security edge protection proxy (SEPP) can solve this issue, but which architecture is the right approach?
5G SA deployments are accelerating. According to research by the GSA, 116 operators in 53 countries and regions worldwide have invested in 5G SA networks, with 35 operators in 24 countries having launched public 5G SA networks. Furthermore, 24 operators are conducting 5G SA public network deployment or trials, and 31 operators are planning to deploy the 5G technology. 5G SA is definitely taking off.
As 5G SA increases in use around the world, it brings with it a shift from a purely telecom world to an IT-oriented communications world. In addition to devices and equipment communicating with each other, virtualized functions will be called upon according to the service they provide. This new network architecture will require new, increased levels of security. This is where security edge protection proxy (SEPP) comes in.
Roaming in 5G is largely similar to previous technologies but introduces new elements that mobile operators need to manage. 5G SA is described as “secure by design”: in 5G roaming, TLS (transport layer security) protects the signaling exchanged between the home and visited networks, encrypting it at the transport layer and authenticating both ends with certificates. Those certificates are not exchanged between the user and the network; they are exchanged between the SEPP of the home network and the SEPP of the visited network, which means each pair of roaming partners has to provision, trust and renew each other’s certificates.
The SEPP is the function that terminates communication with external networks in the context of roaming. SEPP equipment provides end-to-end encryption, based on HTTPS, of 5G signaling between two roaming partners. It works much like a firewall for the signaling in the network, operating on the transport, IP and application layers: it carries control-plane signaling to and from the SEPPs of other operators, filters that traffic on its way into and out of the core network, and terminates the N32 interface toward the peer SEPP (N32-c for the handshake in which the two SEPPs authenticate each other and agree on a protection mechanism, N32-f for the forwarded signaling). For N32-f, 3GPP defines TLS between the two SEPPs and, as an alternative, PRINS, an application-layer protection that lets an IPX provider read or modify designated parts of a message; which one is used is exactly what distinguishes the deployment models discussed below.
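To make the N32-c handshake concrete, here is an added example (not code from the article, from Orange or from any SEPP vendor) that models in Python how two SEPPs authenticate each other and agree on the mechanism that will protect N32-f. The message field names are modelled on the exchange-capability request and response of 3GPP TS 29.573 as assumed here; the FQDNs, partner lists and in-memory “transport” are constructed for illustration, and the mutual TLS setup on N32-c is taken as already completed.

```python
"""N32-c security capability negotiation between two SEPPs (added example).

Not code from the original article or from any operator's or vendor's SEPP.
Message field names (sender, supportedSecCapabilityList, selectedSecCapability)
are modelled on 3GPP TS 29.573's exchange-capability request and response as
assumed here; the FQDNs, trust lists and in-memory "transport" are constructed
for illustration, with mutual TLS on N32-c taken as already completed.
"""
from dataclasses import dataclass, field

# Security mechanisms N32-c can select for the N32-f forwarding interface:
# TLS protects the whole hop between the two SEPPs; PRINS protects at the
# application layer so an IPX provider can read or modify designated parts.
KNOWN_CAPABILITIES = ("TLS", "PRINS")


class N32Error(Exception):
    """Raised when a SEPP must refuse the handshake."""


@dataclass
class Sepp:
    fqdn: str                 # this SEPP's identity, as carried in its certificate
    capabilities: list        # supported mechanisms, most preferred first
    trusted_peers: set = field(default_factory=set)  # partner FQDNs whose certs we accept
    sessions: dict = field(default_factory=dict)     # peer FQDN -> selected mechanism

    def build_request(self) -> dict:
        """Exchange-capability request sent by the initiating SEPP."""
        return {"sender": self.fqdn,
                "supportedSecCapabilityList": list(self.capabilities)}

    def _check_peer(self, peer_cert_fqdn: str, claimed_sender: str) -> None:
        # The TLS layer has verified the chain; the SEPP still has to check that
        # the certificate identity is a configured roaming partner and that the
        # sender claimed inside the message is that same partner.
        if peer_cert_fqdn not in self.trusted_peers:
            raise N32Error(f"{self.fqdn}: {peer_cert_fqdn} is not a configured roaming partner")
        if claimed_sender != peer_cert_fqdn:
            raise N32Error(f"{self.fqdn}: sender {claimed_sender!r} does not match certificate")

    def handle_request(self, peer_cert_fqdn: str, req: dict) -> dict:
        """Responding SEPP: authenticate the peer, then select a common mechanism
        according to its own preference order (the responder selects, as in TS 33.501)."""
        self._check_peer(peer_cert_fqdn, req.get("sender"))
        offered = [c for c in req.get("supportedSecCapabilityList", []) if c in KNOWN_CAPABILITIES]
        for cap in self.capabilities:
            if cap in offered:
                self.sessions[peer_cert_fqdn] = cap
                return {"sender": self.fqdn, "selectedSecCapability": cap}
        raise N32Error(f"{self.fqdn}: no common security capability with {peer_cert_fqdn}")

    def handle_response(self, peer_cert_fqdn: str, rsp: dict) -> str:
        """Initiating SEPP: accept the selection only if it is one we offered."""
        self._check_peer(peer_cert_fqdn, rsp.get("sender"))
        cap = rsp.get("selectedSecCapability")
        if cap not in self.capabilities:
            raise N32Error(f"{self.fqdn}: peer selected {cap!r}, which we did not offer")
        self.sessions[peer_cert_fqdn] = cap
        return cap


def n32c_handshake(initiator: Sepp, responder: Sepp) -> str:
    """Run the exchange in memory. Each side is handed the FQDN it would have
    read from the peer's certificate during the mutual TLS setup."""
    rsp = responder.handle_request(initiator.fqdn, initiator.build_request())
    return initiator.handle_response(responder.fqdn, rsp)


if __name__ == "__main__":
    # Constructed sample partners: the visited SEPP responds and prefers PRINS.
    home = Sepp("sepp.home.example", ["TLS", "PRINS"], {"sepp.visited.example"})
    visited = Sepp("sepp.visited.example", ["PRINS", "TLS"], {"sepp.home.example"})
    print(n32c_handshake(home, visited))
    rogue = Sepp("sepp.rogue.example", ["TLS"], {"sepp.visited.example"})
    try:
        n32c_handshake(rogue, visited)
    except N32Error as err:
        print(err)  # refused: rogue is not in the visited SEPP's partner list
```

The `trusted_peers` set is the part that grows with the deployment model: in a bilateral design every SEPP carries one trusted certificate identity per roaming partner, whereas in the models where the IPX carrier operates or hosts the SEPP the operator’s own list collapses to the carrier’s SEPP and the carrier holds the partner list instead.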
SEPP has been developed and introduced to reinforce the security and integrity of traffic flow in 5G SA networks. It contributes to making 5G SA “secure by design”. However, the best way to deploy a SEPP in 5G SA networks is not yet entirely established.
There are three ways that SEPP can be implemented and deployed, and each comes with benefits and potential challenges.
In the bilateral approach, each operator has its own SEPP, and the IPX carrier transports messages between them with no visibility into their content. So far, the bilateral design is the only approach approved by the GSMA. It is also the most secure of the three, since nothing between the two SEPPs can read or alter the signaling.
There are challenges, however, starting with the number of connections between SEPPs that each operator offering 5G SA roaming must manage: every operator needs its own SEPP connected to every one of its roaming partners, which in practice means a large operator must maintain N32 connections to potentially hundreds of MNOs.
Interconnecting SEPPs at that scale also means a lot of certificate exchange and renewal work for operators, again across potentially hundreds of partners. Further, because the signaling is encrypted end to end between the two SEPPs, the IPX carrier cannot offer value-added services that depend on reading it, such as “Welcome to” SMS messages on arrival in a roaming country.
With the second method, the IPX carrier implements and operates one SEPP in its own network per operator, and the IPX carrier takes on the technical complexity. Because the carrier’s SEPP terminates the protected connection, the IPX carrier can see message content and can therefore offer value-added services, but it must not interfere with the messages.
The benefits for the operator include being able to delegate technical complexity to the IPX carrier. The operator can also expect cost reductions: the IPX carrier provides the service to multiple operators and buys equipment in higher volumes, so it should pass on economies of scale. There is also the potential benefit of the IPX carrier being able to offer value-added services. On the downside for operators, however, they potentially lose control of critical equipment. To mitigate this risk, the IPX carrier must offer SLAs that guarantee the same levels of security, reliability and performance as the operator would achieve if it kept the SEPP equipment in house.
In the hosted SEPP model, each operator keeps its own SEPP and connects it to a hosted SEPP on the IPX carrier’s premises. The IPX carrier’s hosted SEPP runs one software instance per operator, so the operator manages a single N32 connection to its own instance, while the IPX carrier manages the N32 connections from that instance to each of the operator’s roaming partners.
Benefits of the hosted SEPP model include that the operator has only one connection to manage, to its instance on the IPX carrier’s SEPP, which makes it a much simpler exercise. In addition, keeping a SEPP locally helps comply with regulatory requirements that require a SEPP to be located in a specific geographic location.
On the downside, every additional hosted instance multiplies the number of N32 connections that the IPX carrier has to manage.
SEPP promises to deliver the increased security needed by roaming in 5G SA, though some questions remain to be answered.
According to Aymeric Castelain, Head of Mobile Services Products & Offers Marketing at Orange Wholesale International, “SEPP operates on the transport, IP and application layers, and has been adopted by GSMA and 3GPP for 5G roaming. It is part of the ‘secure by design’ architecture of 5G SA defined by the 3GPP and adopted by GSMA. But the best SEPP deployment architectures for MNOs and carriers remain under discussion. Each design has pros and cons regarding security, ease of operations, and ability to provide roaming VAS. As an IPX carrier, we believe architecture choices should remain open to adapt to the different needs, skills, and resources that telecom operators may have.”