5G Security When Roaming

By Paul Tommassen, iBASIS 5G Principal Architect

5G is coming. In fact, it is already here! As Mobile Network Operators (MNOs) prepare their networks for 5G, they often start by upgrading their Radio Access with 5G NR (New Radio), while maintaining their existing 4G Evolved Packet Core (EPC). This combination of 5G NR with a 4G EPC is referred to as NSA mode (Non-Standalone Access). 5G NR with a 5G core, SA mode (Standalone Access), is also already deployed by some MNOs next to their 2G/3G and/or 4G core networks, as well as by some new entrants to the market that don’t have a legacy network.

This article illuminates the fundamental architecture changes of 5G and latest discussions within standards organizations, in particular GSMA, to design a secure signaling and roaming environment to meet the growing requirements from MNOs, IoT service providers, private network initiatives and even enterprises.


There are fundamental differences between 4G and 5G core networks. Where the 4G core is an appliance-based architecture, the 5G architecture is a Service Based Architecture (SBA). SBAs have been in use in the software industry, especially for internet, to improve the modularity of products. It is a framework that covers control plane functionalities and data repositories.

The 5G’s core network is delivered by a set of interconnected network functions (NFs) with authorization to access each other’s services. There is also a difference in the protocol that is used between the Network Elements (NEs) in 4G, which is Diameter, or the NFs in 5G, which is HTTP/2.
Of course, there are also analogous functions between what the NEs (or a combination of them) in 4G and NFs in 5G do. Some of these are listed in the table below.

While the 4G network core architecture was designed to consist of NEs all carrying out a specific task, the 5G SBA is designed as a set of NFs, making it more scalable, flexible, modular and easily programmable for whatever functions you need to create an architecture for a new service. 


Just like with 4G, with 5G, MNOs want to offer their customers the same services whether in the home network (HPLMN) or in a visited network (VPLMN), and here the SEPP plays an important role.

The SEPP is defined in 3GPP specification TS 29.573 and is used as sole ingress and egress point for signaling messages to and from a 5G core. It serves to negotiate the security policy between the SEPPs in the HPLMN and VPLMN (the interface is named N32) and can be used for message filtering, topology hiding, policing, etc.

In the case of roaming, unless an MNO maintains direct relations with all other MNOs, IPX providers come into play. MNOs are normally connected to one or a few IPX providers. IPX providers maintain interconnections (peerings) between each other and so, solve the 1-to-N problem for MNOs.

In 4G, IPX providers might also perform message mediation or provide other Value Added Services (VAS) to MNOs. Especially in the international roaming scenarios, SS7 and Diameter have turned out to be rather sensitive for fraud.

In 5G roaming, the goal is to build an ‘end-to-end security by design’. Several Working Groups in GSMA are investigating the best approach and multiple scenarios to provide VAS and maintain security on the connection between VPLMN and HPLMN in the case of 5G roaming. In 3GPP it is specified that Transport Layer Security (TLS) shall be used between SEPPs if no IPX providers are in the path and PRINS (Protocol for N32 Interconnect Security) if IPX providers are in the path.


The PRINS is rather difficult to implement and maintain. In summary, the MNO agrees with its IPX providers and every roaming partner which Information Elements can be changed by the IPX provider. When the IPX Provider makes a change, it signs off that change with a certificate, and the receiving MNO can verify who made the change and whether it was allowed.


Because of the complexity of the PRINS model, MNOs might want to apply VAS in their own domain with the help of a VAS provider, traditionally an IPX provider. ‘Hairpin’ refers to the message flow from MNO to VAS provider and back to the MNO. After the hairpin, a direct SEPP-to-SEPP connection with TLS is used between the VPLMN and the HPLMN.


In the case of the ‘Direct TLS’ model, the 1-to-N problem appears again. A solution for an MNO could be to outsource the SEPP function to its IPX providers. This concept is also known in 4G as ‘hosted DEA’. When the IPX provider hosts the SEPP function, it can apply the necessary VAS and apply TLS to the SEPP of the other MNO (or the IPX provider of the other MNO).


A hybrid model combining the ‘Direct TLS’ model and the ‘hosted SEPP’ variant is also possible. The MNO uses its own SEPP for its most important roaming relationships, applying VAS in its own domain if required, but uses its IPX provider, who also applies VAS for the ‘long tail’, for all other roaming relations.


iBASIS, as IPX and VAS provider, is ready to provide a seamless 5G roaming test experience via its 5G test environment (sandbox), providing various architectural options and different use cases.

We will continue to work with the industry and roaming community to further explore each model and work with our customers and partners to bring the best solution in terms of efficiency, reliability and security. We will obviously continue the discussion, so feel free to reach out here or contact@iBASIS.net to find out more.

Recommended Posts