5G Security Edge Protection Proxy (SEPP)
Securing the Future of 5G Roaming: Understanding SEPP
5G networks are rapidly changing how we communicate, and with these changes come new challenges in keeping our data safe and ensuring different networks can work together seamlessly. This is where the Security Edge Protection Proxy (SEPP) comes in. SEPP is a crucial part of 5G networks that's changing the game for mobile operators, especially when it comes to roaming. In simpler terms, SEPP is like a security guard and translator rolled into one, helping to keep our mobile communications safe and smooth as we move between different networks. Let's explore what SEPP is all about and why it's so important for the future of how we use our mobile devices.
What is SEPP?
SEPP, or Security Edge Protection Proxy, serves as a gateway between different operators' networks for roaming purposes in 5G core networks. It's designed to provide a secure, interoperable, and scalable pathway for HTTP/2 signaling within a negotiated security context.
Key Features of Titan.ium SEPP
Titan.ium SEPP is a leading implementation of the SEPP concept, offering a range of features that make it stand out:
- Standards-Based 5G Core Interconnectivity: Fully compliant with 3GPP and GSMA specifications, ensuring interoperability with other vendors' 5G core Network Functions (NFs), Service Communication Proxies (SCPs), and SEPPs.
- N32 Control Interface: Used for security handshake negotiation between 5G core signaling networks, as specified by 3GPP TS 29.573.
- N32 Forwarding: Ensures messages are only forwarded to the connected 5G core or remote PLMN SEPP for established security contexts.
- Flexible Message Routing: Implements highly flexible routing based on customizable rules, allowing any HTTP/2 information element to be used in routing decisions.
- Message Screening: Operators can establish Black- or Whitelists using any information element in incoming requests for screening purposes.
- TDR Generation: Supports configurable generation of Transaction Detail Records (TDRs) for inbound and/or outbound messages.
Benefits of Titan.ium SEPP
- Secure Interconnection: Provides standards-compliant secure interconnection between home and visited 5G PLMNs, supporting both direct MNO-MNO interconnections and hosted SEPP scenarios.
- Configuration Flexibility: Powered by Titan.ium's dissector-based rules engine, allowing for project-specific rules for message transformation, re-routing, or filtering.
- Cloud-Native Architecture: Delivered on the high-performance cloud-native Titan.ium platform, offering automated scaling, efficient resource use, and strong security.
- Multi-Tenancy Support: Can be deployed on behalf of a group of operators, as foreseen by GSMA 5GMRR for hosted and outsourced SEPP deployment models.
Why SEPP Matters for 5G Roaming
As 5G networks continue to expand globally, the need for secure and efficient roaming solutions becomes increasingly critical. SEPP addresses this need by:
- Ensuring secure communication between different operators' networks
- Validating and screening messages before forwarding them to the 5G core
- Providing mutual TLS security and context validation
- Supporting flexible deployment options to meet various operator needs
By providing a secure, flexible, and standards-compliant solution, SEPP is enabling mobile operators to offer seamless and safe roaming experiences to their customers in the 5G era.
Security Edge Protection Proxy Overview
Mobile interconnect fraud is an expensive problem in the 2G/3G/4G world. In developing standards for 5G, 3GPP called for secure communications between home and visited 5G networks. The task of implementing that security was mandated to a new network element, the Security Edge Protection Proxy (SEPP).
The SEPP performs many critical functions to fulfill this mandate. Key among them are:
- Act as a secure signaling relay between PLMNs
- Provide a mutually authenticated secure communication path between networks
- Act as a reverse proxy, providing a single point of access to all network functions
- Provide inter-PLMN topology hiding
- Provide traffic filtering, policing and overload protection

5G SEPP Business Benefits
- Provides standards-compliant secure interworking between home and visited 5G PLMNs, virtually eliminating mobile interconnect fraud for 5G roamers.
- Implements a key element of the 5G Core “security by design” architecture.
- Incorporates a powerful Rules Engine enabling highly flexible message filtering and routing as well as customer provisioned rules entry.
- Delivered on Titan.ium’s InterGENerational™ cloud native framework.
- Provides “capacity on demand” via cloud native fully containerized implementation.
- Extremely flexible deployment models: on premises or in the cloud, via Containers.
The Titan.ium 5G SEPP Solution
PLMN SEPP type
Forwards requests between PLMN core (SBI) and external networks (N32).
- Local SEPP – SEPP inside a PLMN.
- Outsourced SEPP – SEPP in an IPX serving a customer MNO with no local SEPP.

IPX SEPP type
Forwards requests between external networks. Has no core network (SBI) attached.
- Hosted SEPP – SEPP in an IPX serving a customer MNO that has a local/outsourced SEPP.
- Multi-tenant Hosted SEPP – SEPP in an IPX serving multiple customer MNOs having local/outsourced SEPP, with dedicated FQDN for each customer MNO in the public interface towards 3rd party operators.
- Service-HUB SEPP – SEPP in an IPX/RHUB serving multiple customer MNOs with local/outsourced SEPP, with a single FQDN belonging to the IPX/RHUB in the public interface towards 3rd party operators.

5G SEPP Key Capabilities
Secure Inter-PLMN Communications
SEPP provides secure end-to-end inter-PLMN communications: security negotiation runs over the N32-c link and inter-PLMN NF messages are forwarded over the N32-f link, protected by the agreed mutually authenticated TLS, with Server Name Indication (SNI) support and TLSv1.2/TLSv1.3.
5G Standards Compliant
SEPP supports 3GPP TS 23.501, TS 23.502, TS 29.573, and TS 33.501 standards, along with GSMA FS.36.
High Performance HTTP/2 Stack
SEPP relies on a high-performance HTTP/2 stack with rich configuration options, including connections, buffers, traffic classes, and TLS.
Anti-Spoofing Protection
SEPP verifies that the sending SEPP is authorized to use the PLMN ID it is asserting and performs full cross-layer validation of FQDN/PLMN IDs. Spoofed messages can be dropped, rejected, etc.
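One way to express the cross-layer check described above, added here as an illustration and not Titan.ium's code. The field names (`tls_peer_fqdn`, `asserted_plmn`, `origin_nf_fqdn`), the context table and the sample PLMN IDs are constructed assumptions; only the `mnc<MNC>.mcc<MCC>.3gppnetwork.org` FQDN form is the standard 3GPP convention.

```python
import re

# 3GPP operator domains end in mnc<MNC>.mcc<MCC>.3gppnetwork.org (MNC zero-padded to 3 digits).
_PLMN_FQDN = re.compile(r"(?:^|\.)mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org\.?$", re.I)

# Constructed N32 context table (assumption): peer SEPP identity taken from its TLS
# certificate -> PLMN IDs that peer was authorised for when the context was set up.
N32_CONTEXTS = {
    "sepp.5gc.mnc001.mcc999.3gppnetwork.org": {("999", "001")},
    "sepp.ipx.example": {("999", "002"), ("999", "003")},  # hosted SEPP, two MNOs
}

def plmn_from_fqdn(fqdn):
    """Return the (mcc, mnc) encoded in a 3GPP-style FQDN, or None if there is none."""
    m = _PLMN_FQDN.search(fqdn.strip())
    return (m.group(2), m.group(1)) if m else None

def norm_plmn(mcc, mnc):
    """Validate a PLMN ID and pad the MNC as FQDNs do, so '01' compares equal to '001'."""
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("malformed PLMN ID")
    return (mcc, mnc.zfill(3))

def validate(msg):
    """Return (verdict, reason) for one inbound N32-f request (hypothetical field names)."""
    allowed = N32_CONTEXTS.get(msg["tls_peer_fqdn"].lower().rstrip("."))
    if allowed is None:
        return ("reject", "no N32 context for TLS peer")
    try:
        asserted = norm_plmn(*msg["asserted_plmn"])
    except (KeyError, TypeError, ValueError, AttributeError):
        return ("reject", "malformed asserted PLMN ID")
    if asserted not in allowed:
        return ("reject", "peer not authorised for asserted PLMN ID")
    # Cross-layer check: an originating NF FQDN in the 3GPP domain must carry
    # the same PLMN ID as the one asserted in the message.
    origin = plmn_from_fqdn(msg.get("origin_nf_fqdn", ""))
    if origin is not None and origin != asserted:
        return ("reject", "NF FQDN and asserted PLMN ID disagree")
    return ("forward", "ok")

# Constructed sample requests.
SAMPLES = [
    {"tls_peer_fqdn": "sepp.5gc.mnc001.mcc999.3gppnetwork.org", "asserted_plmn": ("999", "01"),
     "origin_nf_fqdn": "amf1.5gc.mnc001.mcc999.3gppnetwork.org"},
    {"tls_peer_fqdn": "sepp.5gc.mnc001.mcc999.3gppnetwork.org", "asserted_plmn": ("999", "002")},
    {"tls_peer_fqdn": "sepp.ipx.example", "asserted_plmn": ("999", "002"),
     "origin_nf_fqdn": "amf1.5gc.mnc003.mcc999.3gppnetwork.org"},
]
```

The third sample is the case a per-peer allow-list alone misses: the hosted SEPP is authorised for the asserted PLMN ID, but the originating NF FQDN belongs to a different PLMN.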
Message Filtering, Rate Limiting, Overload Protection
SEPP provides message filtering (e.g., blocking of messages that should not target home subscribers), full stack parameter checking, malformed message protection and rate limiting/overload protection.
PLMN Topology Hiding, Telescopic FQDNs
Titan.ium’s SEPP provides full support for Topology Hiding, masking internal network element details from external PLMNs. This is accomplished by obscuring internal network node information via full telescopic FQDNs generated using TLS wildcard certificates.
Dissectors
SEPP’s Dissector facility includes predefined and user-defined HTTP/2 dissectors allowing retrieval of any information element contained in an HTTP/2 message, which can then be used for filtering and routing.
Dissector-based Rules Engine
Filtering and routing processing is supported by SEPP’s powerful Rules Engine allowing provisionable logical expressions (And/Or/Not) on one or more HTTP/2 information elements as needed. Also provided are pre-defined functions that can be applied to optimize user provisionable rule entry.
Flexible Message Routing
Titan.ium’s SEPP implements highly flexible routing of messages between home and visited PLMNs based on rules for matching criteria. This allows any HTTP/2 information element to be used in any routing decision.
Secure Local Key Management
SEPP provides a secure local capability for N32 key management, storage and recall.
Statistics and Key Performance Indicators (KPI)
SEPP generates statistics and KPIs that can be retrieved by external servers and used for health and performance tracking purposes. It also uses these statistics for congestion control and for routing decisions based on load/latency of route entries.
Highly Flexible Deployment Models
SEPP supports a wide range of on-premises and cloud-based deployment models, easing network integration. It can be delivered on existing customer-provided CNF infrastructure or on existing customer-provided VNF infrastructure.
5G SEPP Optional Features
The following features may optionally be added to the SEPP deployment as needed.
HTTP/2 Message Transformation
This feature enables the operator to invoke configurable message Dissectors and Rules-based Actions to transform message content as needed, for example to aid in 5G to 3G/4G interworking.
HTTP/2 Traffic Mirroring
This feature provides a traffic mirroring interface towards external probing, monitoring and analytics systems via the gRPC protocol. It provides observability over alarms, events and statistics.
Message Screening
This feature enables the operator to invoke rule instances, built with the Rules Engine, functions and dissectors, to identify messages to be blocked.
Additional Related Products
Titan.ium also offers an Element Management System (EMS) which may be used for centralized configuration, performance and fault management of distributed SEPPs as needed.
5G Container-Native Architecture

The SEPP is implemented as a set of containerized micro-services, decomposed into the following: a Service-Router function, SEPP compute front-end functions, and a back-end Data Store micro-service for persistent storage. All component micro-services may be replicated within a Kubernetes (K8S) Cluster for both resiliency and scalability. In addition, two or more K8S Clusters may comprise a single Titan.ium system deployment to achieve multi-site system geo-redundancy, with cross-site Datastore replication to assure a common view of SEPP persistent data.
The Service-Router provides HTTP1/2 routing services and securely exposes SBI interfaces to external IP networks. All Titan.ium 5G NFs share a common “Network Function Control Agent” (NFCA) microservice responsible for common NF management, e.g., to handle registration of NF-Profiles to their assigned NRF(s) and keep these NF-Profile registrations up to date via heartbeats.