Chapter 3

PRINS

Uncovering the limitations

TLS and ALS

PRINS is essentially a hop-by-hop TLS method with an additional Application Layer Security (ALS) layer, negotiated end-to-end between mobile operators over N32-c. Compared with a plain TLS-only connection, this introduces unnecessary overhead and even scalability problems. 

While the handling of TLS certificates could be simplified (the same as for hop-by-hop TLS without ALS), there is the added complexity of agreeing on a suitable security policy for each of the 5000+ information elements with each roaming partner: which IEs are ciphered, and which IEs an intermediary may modify. And this may depend on whatever service the roaming partner has outsourced to its international IPX carrier. 

Furthermore, the mobile operator must exchange cryptographic material with its international IPX provider out-of-band and distribute the IPX provider's public keys to each roaming partner, since the partner's SEPP needs them to verify the signature on every patch the IPX provider applies. 

A simpler approach would be to avoid patching altogether. Doing so, however, removes the one feature that distinguishes PRINS from hop-by-hop TLS, which restricts the economic viability of the method even further.  
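To make the negotiation and patch-verification burden described above concrete, here is an added, simplified model of the N32-f patch path; it is example code written for this page, not code from the page's author, from 3GPP or from any SEPP product. The sending SEPP reformats a message according to a per-IE protection policy, an IPX provider appends a signed patch, and the receiving SEPP verifies the patch with the key it obtained out-of-band and checks every operation against the negotiated modification policy. Assumptions: the IE paths, policy tables, keys and message are constructed; an HMAC over a canonical JSON payload stands in for the JWS signature real PRINS uses; the "msgHash" binding of a patch to its message is this example's own device, not the 3GPP format.

```python
"""Toy model of PRINS patch negotiation and verification (added example).

Simplifications (assumptions): HMAC with a pre-shared key replaces the JWS
signature over asymmetric IPX keys; IE paths, policies, keys and the sample
message are constructed for illustration only.
"""
import copy
import hashlib
import hmac
import json

# Per-IE policies agreed on N32-c for ONE roaming relationship (constructed;
# a real policy covers thousands of IEs and differs per partner).
PROTECTION_POLICY = {"/supi": "cipher", "/authVectors": "cipher"}
MODIFICATION_POLICY = {"/servingPlmnId": "modifiable", "/ueLocation": "modifiable"}

# Verification keys each IPX provider distributed out-of-band (constructed).
IPX_KEYS = {"ipx-home": b"home-ipx-secret", "ipx-visited": b"visited-ipx-secret"}

# Constructed N32-f message, flattened to IE path -> value.
SAMPLE_MSG = {"/supi": "imsi-001010123456789", "/authVectors": "av-placeholder",
              "/servingPlmnId": "00101", "/ueLocation": "tac-0001", "/pduSessionId": 5}


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def cipher(value):
    """Placeholder for the JWE protection of a ciphered IE (opaque to the IPX)."""
    return "ENC:" + hashlib.sha256(canonical(value)).hexdigest()[:16]


def reformat(msg, protection_policy):
    """Sending SEPP: split the message into cleartext and ciphered IE sets."""
    clear = {p: v for p, v in msg.items() if protection_policy.get(p) != "cipher"}
    ciphered = {p: cipher(v) for p, v in msg.items() if protection_policy.get(p) == "cipher"}
    return {"dataToIntegrityProtect": clear, "dataToIntegrityProtectAndCipher": ciphered}


def sign_patch(ipx_id, key, ops, reformatted):
    """IPX provider: sign a JSON Patch (RFC 6902 ops) bound to the message it modifies."""
    payload = {"ipx": ipx_id, "ops": ops,
               "msgHash": hashlib.sha256(canonical(reformatted)).hexdigest()}
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def apply_op(doc, op):
    """Minimal RFC 6902 add/replace/remove on the flat IE map."""
    if op["op"] in ("add", "replace"):
        doc[op["path"]] = op["value"]
    elif op["op"] == "remove":
        doc.pop(op["path"], None)
    else:
        raise ValueError(f"unsupported op {op['op']}")


def verify_and_apply(reformatted, patches, modification_policy, ipx_keys):
    """Receiving SEPP: verify each patch, enforce the modification policy,
    apply what survives and return the cleartext IEs plus an audit trail."""
    clear = copy.deepcopy(reformatted["dataToIntegrityProtect"])
    ciphered = reformatted["dataToIntegrityProtectAndCipher"]
    expected_hash = hashlib.sha256(canonical(reformatted)).hexdigest()
    audit = []
    for patch in patches:
        payload = patch["payload"]
        ipx = payload["ipx"]
        key = ipx_keys.get(ipx)
        if key is None:  # no out-of-band key for this IPX: nothing can be verified
            raise ValueError(f"no verification key for {ipx}")
        good = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, patch["sig"]):
            raise ValueError(f"signature check failed for patch from {ipx}")
        if payload["msgHash"] != expected_hash:
            raise ValueError(f"patch from {ipx} is bound to a different message")
        for op in payload["ops"]:
            path = op["path"]
            if path in ciphered:  # the IPX never saw this IE; it cannot patch it
                raise ValueError(f"{ipx} attempted to modify ciphered IE {path}")
            if modification_policy.get(path) != "modifiable":
                raise ValueError(f"{ipx} attempted to modify {path}, not in modification policy")
            apply_op(clear, op)
            audit.append((ipx, op["op"], path))  # the receiving SEPP sees every change
    return clear, audit


def attempt(ops, ipx_id="ipx-visited", signing_key=None):
    """Run one patch through the path; None if accepted, else the rejection reason."""
    reformatted = reformat(SAMPLE_MSG, PROTECTION_POLICY)
    key = signing_key if signing_key is not None else IPX_KEYS[ipx_id]
    patch = sign_patch(ipx_id, key, ops, reformatted)
    try:
        verify_and_apply(reformatted, [patch], MODIFICATION_POLICY, IPX_KEYS)
        return None
    except ValueError as exc:
        return str(exc)


def demo():
    reformatted = reformat(SAMPLE_MSG, PROTECTION_POLICY)
    ops = [{"op": "replace", "path": "/ueLocation", "value": "tac-0042"}]
    patch = sign_patch("ipx-visited", IPX_KEYS["ipx-visited"], ops, reformatted)
    return verify_and_apply(reformatted, [patch], MODIFICATION_POLICY, IPX_KEYS)


if __name__ == "__main__":
    print(demo())
    print(attempt([{"op": "replace", "path": "/supi", "value": "x"}]))
```

Two things stand out from running it. Every decision the receiving SEPP makes hinges on tables it had to negotiate with this particular partner (PROTECTION_POLICY, MODIFICATION_POLICY) and on a key it had to obtain from the partner's IPX provider out-of-band; none of that exists in a TLS-only setup. And the audit list returned by verify_and_apply is visible to the receiving operator in cleartext, which is exactly how patching discloses which services an operator has outsourced.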

Roaming routes and filtering complexity

Structuring roaming routes with PRINS presents significant challenges. When PRINS nodes are addressed by FQDN, a mobile network operator's SEPP sees them as statically configured HTTP proxies; dynamic SEPP discovery does not apply to PRINS nodes.

N32-f filtering is restricted to what the IPX carrier can actually see, which is determined by the security policy the two mobile operators negotiated. Because these policies vary from one roaming relationship to another, filtering becomes less effective. PRINS nodes are also bound to run into scalability problems and difficulties managing the N32-c contexts.

Value-added services

PRINS is designed to allow real-time adaptation of control plane traffic by adjusting information elements (IEs) within the bounds of the agreed security policy. Yet this approach faces several constraints: 

  • Value-added services are rarely a straightforward change of one IE value into another; more often they require contextual awareness, which makes services based on network functions (NFs) more suitable.

  • The patching method inherent to PRINS may inadvertently reveal the services an operator offers to all its roaming partners, contradicting the business imperative of keeping such services confidential.

  • Service level assurance (SLA) becomes more complex, as the execution of value-added services depends on external entities correctly applying patches.

  • Security policies depend on which service is outsourced, effectively making in- or outsourcing decisions contingent on the cooperation of roaming partners.

Ongoing refinements aim to address these limitations, such as patching a complete message to simulate message injection, but these solutions are not anticipated before Release 18 and may not fully resolve the current concerns.

Security and liability trade-offs

While PRINS arguably prevents intermediaries from making changes unnoticed, and can conceal sensitive information from them, the question remains whether this aligns with the industry's needs, or whether it generates too much overhead for too little gain.

The reality is that PRINS is less secure than TLS-only: any modification policy that lets an intermediary alter IEs punches a hole in what would otherwise be a strictly closed end-to-end pipe.

The originating operator cannot directly inspect the patches applied by IPX carriers on the path, which makes it dependent on audit trails for troubleshooting and dispute management. Some may then question the actual operational gains of this model.

Demands on performance

Moving from Diameter to HTTP/2 over TLS will already demand significantly more processing capacity from control plane nodes in the transition from 4G to 5G SA roaming. ALS, and especially patching, will further increase the control plane resources required. 

Product availability

Furthermore, as of now, the marketplace lacks products that implement the cIPX and pIPX roles (the IPX nodes on the consumer and producer side) that PRINS introduces, underscoring the need for further development and innovation in this space. 
