Chapter 1

Securing the 5G SA roaming frontier

TLS hop-by-hop vs PRINS

Setting the scene

An overview of 5G SA roaming security

From interoperability challenges to adapting to new standards, the road to seamless and secure 5G Standalone (SA) roaming is far from smooth for mobile operators. This whitepaper provides an in-depth comparative analysis between Transport Layer Security (TLS) hop-by-hop and Protocol for Reliable Inter-Networking of Security gateways (PRINS) methods for managing 5G SA roaming services.

While PRINS has often been praised as the cutting-edge solution, this whitepaper sheds light on its scalability issues and security vulnerabilities. The TLS hop-by-hop approach as detailed in NG.140 is presented as a strong alternative due to its simplicity, established trust hierarchy, and versatility in integrating value-added services, all while aligning with industry needs and compliance standards.  

The goal of this comparative analysis is to provide mobile operators, service providers, and other stakeholders within the 5G SA roaming landscape with the knowledge to make informed choices about the security and operational efficiency of their roaming services. 

Trust models of the current roaming ecosystem

Navigating the landscape of roaming relations in the era of 5G requires a nuanced understanding of trust dynamics among the various entities involved. In a simplified world of direct roaming relations, only mobile operators are trusted endpoints for any communication related to roaming. This established trust is the cornerstone upon which the integrity of roaming exchanges is built. 
 
However, the operational reality extends beyond this direct exchange, with intermediary entities that carry significant implications for security discussions. Paradoxically, these intermediaries, such as IPX carriers, are often seen as more trustworthy than the actual roaming partners, as they provide a wide range of value-added services to assist mobile operators in simplifying the complexities of roaming business operations. These services operate with strict confidentiality and are meticulously managed via dedicated IPX access lines, which remain completely isolated from external access.  
 
In 5G, TLS connections provide additional security by encrypting control plane traffic, safeguarding against potential breaches of points-of-interconnect or brute-force access to physical data links.

Consider this: The TLS protocol, in existence since 1999, has played a pivotal role in ensuring secure communication.

It’s the very technology that secures HTTPS connections, making our web browsing experience safe. Therefore, it stands as a well-known, well-established protocol.  

The TLS hop-by-hop philosophy acknowledges this reality and introduces trusted parties on the route from the visited mobile network to the home mobile network and vice versa. These trusted parties act as credential holders, serving as valid endpoints of the control plane connection. This role is indicated by the N32 interface reference point defined by the GSMA’s 3GPP standards.

This enables a straightforward 5G SA roaming setup, similar to what we’ve seen in previous mobile generations. However, it doesn’t prevent mobile network operators from directly connecting using N32 connections if they choose to do so.

TLS hop-by-hop doesn’t undermine the fundamental trust model between the User Equipment (UE) and the operator. Instead, it establishes a built-in hierarchy of trust on the control plane. In this hierarchy, the next hop is considered more trustworthy than any other party in the communication chain.

Meanwhile, PRINS introduces an Application Layer Security (ALS) layer on top of the existing TLS protocol, which is negotiated end-to-end between mobile operators using the N32c protocol.

This layer allows for the establishment of security policies that are tailored for each roaming connection, addressing specific requirements of the communicating networks.

PRINS gives more granular control over the data shared during roaming by employing security patches that are agreed upon between operators. These patches can alter or obscure certain information elements based on predefined policies, adding an extra level of security to the roaming traffic. This is particularly important in scenarios where sensitive information needs to be shielded from intermediate entities like IPX carriers, even if they are considered trustworthy.
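As an added illustration (not code from this whitepaper, nor a 3GPP or vendor implementation), the following simplified Python model shows the receiving side of a PRINS-style exchange enforcing an agreed modification policy over patches applied by an intermediary: only information elements the two operators listed as modifiable may be changed, and any patch touching another element is rejected before it is applied. The information element names, message layout and policy shape are constructed placeholders, not the exact N32-f encoding.

```python
from copy import deepcopy

# Constructed sample control-plane message. The IE names are illustrative
# placeholders, not the exact JSON layout 3GPP defines for N32-f.
SAMPLE_MESSAGE = {
    "supi": "imsi-001010123456789",   # subscriber identity: must never change in transit
    "serving_plmn": "00101",
    "ue_ipv4": "10.0.0.7",
    "route": "/nudm-uecm/v1/placeholder",
}

# Constructed modification policy agreed between the two operators: only these
# IEs may be rewritten by the IPX on this roaming relation.
SAMPLE_POLICY = {"modifiable": {"ue_ipv4", "route"}}


def apply_patch(message, patch_ops):
    """Apply a minimal subset of JSON Patch (add/replace/remove on top-level IEs)."""
    msg = deepcopy(message)
    for op in patch_ops:
        key = op["path"].lstrip("/")
        if op["op"] in ("add", "replace"):
            msg[key] = op["value"]
        elif op["op"] == "remove":
            msg.pop(key, None)
        else:
            raise ValueError(f"unsupported op: {op['op']}")
    return msg


def verify_modifications(patch_ops, policy):
    """Receiving-side policy check: return (accepted, violating_paths).

    Every path the intermediary touched must be in the agreed modifiable set;
    anything else is a policy violation and the whole patch set is refused."""
    violations = [op["path"] for op in patch_ops
                  if op["path"].lstrip("/") not in policy["modifiable"]]
    return (not violations, violations)


def receive(message, patch_ops, policy):
    """Apply only policy-conformant patches; otherwise drop the message.

    Returns (patched_message_or_None, violations) so the caller can log rejects."""
    accepted, violations = verify_modifications(patch_ops, policy)
    if not accepted:
        return None, violations
    return apply_patch(message, patch_ops), []
```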

The potential of PRINS lies in its capability to provide a customizable and secure environment that caters to the unique needs of each roaming partnership. However, it is crucial to weigh these benefits against the added complexity and the potential scalability issues that PRINS introduces, ensuring that the solution aligns with the operational efficiency and security objectives of the involved parties.
