5G Security Edge Protection Proxy (SEPP)
Security Edge Protection Proxy Overview
Mobile interconnect fraud is an expensive problem in the 2G/3G/4G world. In developing standards for 5G, 3GPP called for secure communications between home and visited 5G networks. The task of implementing that security was mandated to a new network element, the Security Edge Protection Proxy (SEPP).
The SEPP performs many critical functions to fulfill this mandate. Key among them are:
- Act as a secure signaling relay between PLMNs
- Provide a mutually authenticated secure communication path between networks
- Act as a reverse proxy, providing a single point of access to all network functions
- Provide inter-PLMN topology hiding
- Provide traffic filtering, policing and overload protection
5G SEPP Business Benefits
Provides standards-compliant secure interworking between home and visited 5G PLMNs, virtually eliminating mobile interconnect fraud for 5G roamers.
- Implements a key element of the 5G Core “security by design” architecture.
- Incorporates a powerful Rules Engine enabling highly flexible message filtering and routing as well as customer provisioned rules entry.
- Delivered on Titan.ium’s InterGENerationalTM cloud native framework.
- Provides “capacity on demand” via cloud native fully containerized implementation.
- Extremely flexible deployment models: on premises or in the cloud, via Containers.
The Titan.ium 5G SEPP Solution
PLMN SEPP type
Forwards requests between PLMN core (SBI) and external networks(N32).
- Local SEPP – SEPP inside a PLMN.
- Outsourced SEPP – SEPP in an IPX serving a customer MNO with no local SEPP.
IPX SEPP type
Forwards requests between external networks. Has no core network (SBI) attached.
- Hosted SEPP – SEPP in an IPX serving a customer MNO that has a local/outsourced SEPP.
- Multi-tenant Hosted SEPP: SEPP in an IPX serving multiple customer MNOs having local/outsourced SEPP, with dedicated FQDN for each customer MNO in the public interface towards 3rd party operators.
- Service-HUB SEPP – SEPP in an IPX/RHUB serving multiple customer MNOs with local/outsourced SEPP, with a single FQDN belonging to the IPX/RHUB in the public interface towards 3rd party operators.
5G SEPP Key Capabilities
Secure Inter-PLMN Communications
SEPP provides secure end-to-end inter-PLMN communications using security negotiation over the N32-c link and inter-PLMN NF message forwarding over the N32-f link, protected by the agreed TLS mutual authentication, Server Name Indication (SNI) support and TLSv1.2/TLSv1.3.
5G Standards Compliant
SEPP supports 3GPP TS 23.501, TS 23.502, TS 29.573, and TS 33.501 standards, along with GSMA FS.36.
High Performance HTTP/2 Stack
SEPP relies on a high-performance HTTP/2 stack with rich configuration options, including connections, buffers, traffic classes, and TLS.
Anti-Spoofing Protection
SEPP verifies that the sending SEPP is authorized to use the PLMN ID they are asserting and performs full cross layer validation of FQDN/PLMN IDs. Spoofed messages can be dropped, rejected, etc.
Message Filtering, Rate Limiting, Overload Protection
SEPP provides message filtering (e.g.: blocking of messages that should not target home subscribers), full stack parameter checking, malformed message protection and rate limiting/overload protection.
PLMN Topology Hiding, Telescopic FQDNs
Titan.ium’s SEPP provides full support for Topology Hiding, masking internal network element details from external PLMNs. This is accomplished by obscuring internal network node information via full telescopic FQDNs generated using TLS wildcard certificates.
Dissectors
SEPP’s Dissector facility includes predefined and user-defined HTTP/2 dissectors allowing retrieval of any information element contained in an HTTP/2 message, which can then be used for filtering and routing.
Dissector-based Rules Engine
Filtering and routing processing is supported by SEPP’s powerful Rules Engine allowing provisionable logical expressions (And/Or/Not) on one or more HTTP/2 information elements as needed. Also provided are pre-defined functions that can be applied to optimize user provisionable rule entry.
Flexible Message Routing
Titan.ium’s SEPP implements highly flexible routing of messages between home and visited PLMNs based on rules for matching criteria. This allows any HTTP/2 information element to be used in any routing decision.
Secure Local Key Management
SEPP provides a secure local capability for N32 key management, storage and recall.
Statistics and Key Performance Indicators (KPI)
SEPP generates statistics and KPIs that can be retrieved by external servers and used for health and performance tracking purposes. It also uses these statistics for congestion control and for routing decisions based on load/latency of route entries.
Highly Flexible Deployment Models
SEPP supports a wide range of on-premise and cloud-based deployment models, easing network integration. It can be delivered on existing customer-provided CNF infrastructure or on existing
customer-provided VNF infrastructure.
5G SEPP Optional Features
The following features may optionally be added to the SEPP deployment as needed.
HTTP2 Message Transformation
This feature enables the operator to invoke configurable message Dissectors and Rules-based Actions to transform message content as needed, for example to aid in 5G to 3G/4G interworking.
HTTP2 Traffic Mirroring
Traffic mirroring interface towards external Probing/Monitoring/Analytics system via gRPC protocol. It provides observability over alarms, events and statistics.
Message Screening
This feature enables the operator to invoke rule-instances using rule-engine, functions and dissectors to identify messages to be blocked.
Additional Related Products
Titan.ium also offers an Element Management System (EMS) system which may be used forcentralized configuration, performance and fault management of distributed SEPPs as needed.
5G Container-Native Architecture
The SEPP is implemented as a set of containerized micro-services, decomposed into the following; Service-Router function; SEPP compute front-end functions; and back-end Data Store micro-service for persistent storage. All component micro-services may be replicated within a Kubernetes (K8S) Cluster both for resiliency & scalability purposes. In addition, two or more K8S Clusters may comprise a single Titan.ium system deployment to achieve multi-site system geo-redundancy, with cross-site Datastore replication to assure a common view of SEPP persistent data.
The Service-Router provides HTTP1/2 routing services & securely exposes SBI interfaces to external IP networks. All Titan.ium 5G NF’s share a common “Network Function Control Agent” (NFCA) microservice responsible for common NF management, e.g., to handle Registration of NF-Profiles to their assigned NRF(s) and keep these NF-Profile registrations up to date via heart-beats.