Chapter 2

TLS hop-by-hop

Practical benefits

TLS certificates

In a strict world of direct roaming relations, the mobile network must manage trust anchors and TLS certificates for every single roaming partner.  

This process relies on mutual trust and involves the exchange of root certificates with each and every roaming partner (other mobile network). Often, the management of these root certificates is manual or semi-automated, and failure in proper management can disrupt roaming services for end customers. 

For efficient 5G SA roaming scalability, TLS certificate management needs optimization. The TLS hop-by-hop approach allows mobile operators to streamline this management by relying on a single or very limited number of trusted service providers. 

Roaming routes and filtering

Instead of establishing direct TLS connections with each roaming partner, the TLS hop-by-hop method enables the aggregation of traffic to multiple roaming destinations through TLS connections to a few (or single) trusted service provider(s), without the additional PRINS overhead. Service providers can actively manage roaming routes and filter traffic at the N32f level based on mandatory headers. 

Dynamic SEPP discovery, currently reliant on well-known Fully Qualified Domain Names (FQDN), can easily be expanded to include well-known service provider FQDNs or any other FQDNs agreed upon by the connected parties.  
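As an added illustration of the route-and-filter step described above (the hub aggregating N32-f traffic, filtering on mandatory headers, and deriving the destination from well-known SEPP FQDNs), here is a small forwarding-decision function. It is example code, not BICS or 3GPP code; the required header names, the route table and the trust-anchor labels are assumptions made for the example, while the SEPP FQDN shape follows the 3GPP well-known form.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the hub requires these two SBI headers on every N32-f request.
REQUIRED_HEADERS = ("3gpp-sbi-target-apiroot", "3gpp-sbi-originating-network-id")

# 3GPP well-known SEPP FQDN: sepp.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
SEPP_FQDN = re.compile(r"^sepp\.5gc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


@dataclass
class Route:
    next_hop: str      # TLS peer the hub opens a connection to for this PLMN
    trust_anchor: str  # label of the CA the hub trusts for that peer (constructed)


# Constructed route table: two partners reached directly, one via a second hub.
# Only the hub has to manage these anchors; the operator trusts just the hub's.
ROUTES = {
    "mcc262mnc001": Route("sepp.5gc.mnc001.mcc262.3gppnetwork.org", "ca-partner-a"),
    "mcc208mnc010": Route("sepp.5gc.mnc010.mcc208.3gppnetwork.org", "ca-partner-b"),
    "mcc310mnc260": Route("hub2.example.net", "ca-hub2"),
}


def plmn_from_apiroot(api_root: str) -> Optional[str]:
    """Extract the host from a target apiRoot and map it to a PLMN key."""
    host = api_root.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    m = SEPP_FQDN.match(host.lower())
    return f"mcc{m.group(2)}mnc{m.group(1)}" if m else None


def hub_decision(headers: dict) -> tuple:
    """Return ('forward', next_hop) or ('reject', reason) for one N32-f request."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in REQUIRED_HEADERS if name not in h]
    if missing:
        return ("reject", "missing mandatory header(s): " + ", ".join(missing))
    plmn = plmn_from_apiroot(h["3gpp-sbi-target-apiroot"])
    if plmn is None:
        return ("reject", "target apiRoot is not a well-known SEPP FQDN")
    route = ROUTES.get(plmn)
    if route is None:
        return ("reject", f"no roaming route for {plmn}")
    return ("forward", route.next_hop)
```

Requests whose destination is not a known roaming route are rejected at the hub, which is where the filtering described above takes place.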

Value-added services

There are no restrictions on how value-added services are designed or integrated between service provider and mobile operators. With TLS hop-by-hop, services can seamlessly integrate using the standard N32 interface, without depending on the availability of NEF APIs, Service Based Integration (SBI), or other proprietary methods. As a result, this model is versatile and can accommodate all types of mobile operators, including those who rely on their IPX carrier for delivery of value-added-services like steering-of-roaming, troubleshooting tools, fraud detection and prevention, analytics tools, and more.

Security and liability

The end-to-end security paradigm aims to defend against man-in-the-middle attacks and uphold the confidentiality and integrity of data exchanged between trusted partners, specifically at the TLS connection endpoints within 5G SA roaming.

Criticism often surrounds TLS hop-by-hop due to its simplified trust model between mobile operators. In this model, the intermediate entities have access to all information in the control plane and can make changes without being detected. A primary concern arises from the lack of traceability in case of a security breach, potentially leading to sensitive data leakage to unauthorized parties.  

In practice, intermediates like international IPX carriers are quicker at addressing issues than remote roaming partners.

While maintaining an audit trail doesn’t always lead to faster resolution, withdrawing TLS certificates is not recommended as a solution. 

When considering data sensitivity, one can argue that service providers do not necessarily require access to all information available in the control plane. However, practical implementation becomes complex due to the sheer number of information elements (over 5,000) that would need universally applicable policies. Common sense and adherence to GDPR rules dictate that such information should be obscured to prevent misuse.

Interestingly, security breaches more often result from unauthorized database access rather than intercepting east-west interfaces between mobile operators and international carriers.   

Discover BICS 5G Roaming Service Hub