Roaming is an essential part of the mobile service that allows subscribers to connect to mobile networks in foreign countries when travelling. Its operation is taken for granted by its users but roaming involves a very complex infrastructure between around 800 mobile networks worldwide. The GSMA facilitates the exchange of the business and technical aspects of the roaming contracts between the mobile operators.
This global roaming infrastructure was established as part of the earlier 2G/3G systems. In the early days it was a rather simple environment between nationwide mobile operators with only TDM connections, based on direct trust between the roaming partners and via physically separated transmission paths. The growth of this global roaming infrastructure to its current size and variety happened in the early years of this millennium given the fast market penetration of the mobile services, liberalization of the telecom markets, and it was technically simplified with the transition from TDM to IP interconnection.
This worldwide roaming infrastructure for 2G/3G (including the CDMA variant in the USA) was based on the SS7 signaling system for the exchange of location updates and other control messages for subscribers roaming in foreign networks. The SS7 signaling system itself, was developed without inbuilt security measures (given its original trusted environment and status of technology). So, no surprise that over the years more and more security flaws were revealed through publications and striking documentaries, enabling abuse by intruders for banking fraud, location tracking and other irregularities. Consequently, mobile operators were forced (and pushed by regulatory actions) to secure their SS7 networks with stricter roaming practices and the implementation of SS7 firewalls.
With 4G/LTE the security situation became worse when the Diameter protocol started to be used as a direct replacement of the SS7 roaming associations – given the more error prone hop-by-hop routing, which is very sensitive to spoofing practices where the sender of signaling messages becomes hidden to the receiver. This is one of the reasons for the relative slow uptake and still limited use of Diameter in roaming and the ongoing popularity of SS7 for roaming support. Only if operators mutually agree to add the GSMA defined Diameter End-to-end Signaling Security (DESS) procedure as part of their roaming arrangements, does Diameter becomes a more secure replacement for SS7.
Given this background, the mobile industry generally agreed that security in the 5G era should no longer be treated as an afterthought with only firewalls and stricter roaming practices but should adopt the “security by design” principle. The solution for 5G is fundamentally different to support confidentiality, authentication and integrity protection by design. This implies the following basic elements and leads to:
- Use of Mutual Authentication: Confirming sender and receiver have an established trust and that the end-to-end relationship is secured.
- A presumed “open” network: Removing any assumption of safety from overlaid product(s) or process(es).
- An acknowledgment that all links could be tapped: Mandating encryption of inter/intra-network traffic, ensuring the encrypted information is worthless when intercepted
This implies a paradigm shift to existing Telco practices as this “security by design” principle requires the mandatory encryption of inter/intra-network and privacy sensitive information under all circumstances.
Note that even with having mutual authentication and encryption measures at hand, signaling firewalls will still continue to play a major role in securing 5G roaming interconnects for two main reasons:
- 5G SA end-to-end roaming scenarios: In the native 5G Stand Alone (SA) scenarios with HTTP/2 signaling between 5G Core networks at both ends, it is still of utmost importance for security and fraud prevention to judge if the HTTP/2 signaling messages are received in the right context.
- 5G NSA end-to-end roaming scenarios: In all other 5G Non-Stand Alone (NSA) scenarios SS7 and Diameter firewalls will still be needed to secure 5G users. So, in all other roaming cases, the end-to-end roaming connection will fall back to SS7 or Diameter signaling. This will be the default situation for a long time as most of the mobile networks in the world will not be 5G for many years to come, nor will they be upgraded to 5G SA.
The present 3GPP standards for 5G (Release 15 and Release 16) describe two technical solutions for 5G roaming. These solutions were partly included as a last-minute effort in the standards, based on the IPX practices for 2G/3G/LTE roaming without an in-depth involvement of the broader IPX community.
Around spring 2020 several IPX carriers started to realize that the 5G roaming solutions were far more complex to operate than what they are used to for 2G/3G/LTE roaming. Subsequent discussions across different GSMA groups found other limitations and issues, that would not fully resolve the existing vulnerabilities with 2G/3G/LTE roaming.
The existing 5G roaming solutions in the 3GPP standards allow for 2 different deployment options and is Security Edge Protection Proxy (SEPP) centric (no use of SCP):
- TLS (Transport Layer Security) – The most secure variant with all signaling encrypted end-to-end in TLS tunnels between mobile roaming partners. However, this solution is complex to operate with n*n roaming connections which more principally, completely excludes the role of roaming VAS operators, roaming HUBs and degrades the role of IPX carriers to an IP routing service. So, this option only works for the top roaming relations but not for all roaming relations in the global eco-system of around 800 mobile network operators.
- PRINS (PRotocol for N32 INterconnect Security) – This is an application layer security solution whereby part of the signaling information is sent in the clear, to enable roaming VAS operators, roaming HUBs and for IPX carriers to inspect and/or modify signaling traffic in transit. This is technically rather complex and comes with operational hassle as the terminating mobile operators need to verify the modifications from the intermediate carriers. More problematic is that the sending operator is not in control of what is modified and by whom, so again an open door to fraud/abuse and not resolving all the present vulnerabilities with 2G/3G/LTE roaming.
- SEPP (Security Edge Protection Proxy) – The existing 3GPP standards mandates operators to deploy this 5G NF as the network border element for their inter-operator HTPP/2 signaling on the N32 interface for 5G Roaming. The standards define the SCP (Service Communication Proxy) only for intra-operator usage. However, this SEPP centric definition restricts the options for roaming VAS operators and IPX carriers.
As a result, the GSMA established the 5G Mobile Roaming Revisited (5GMRR) Task Force with the mission to define a scalable, usable and secure solution for 5G mobile roaming. 5GMRR brings together experts from the Networks Group (NG), the Wholesale Agreements and Solutions Group (WAS) and the Fraud and Security Group (FASG) to ensure the technical, business and security requirements are identified and that these are reflected in the solutions that are ultimately defined.
The foreseen perspective of the solution that will be defined by the GSMA 5GMRR task force is as follows:
- Guidance was received via a survey among mobile operators, roaming VAS operators and IPX carriers. There is a strong wish to have only a single solution that is simpler to operate and overcomes the issues with TLS and PRINS and removes the dependencies between MNOs.
- Most likely the GSMA will recommend a single solution around TLS as multiple solutions increase the complexity and introduce dependencies, and noting that PRINS and TLS are not mutually compatible. This is similar to what happened recently for LTE roaming where the GSMA decided for S8HR (S8 Home Routing) only and removed LBO (Local Break Out) from the GSMA guidelines for LTE roaming.
- In support of roaming VAS operators and IPX carriers, the so-called hairpin model is a serious candidate whereby locally mobile operators have the ability to involve such services before the signaling information is sent, with TLS end-to-end sessions between SEPPs. In such a scenario, the roaming VAS services of an operator occur independent of the peer roaming operator. It removes operator dependencies while it continues to rely on secure TLS connections between operator SEPPs.
- The present discussions in the GSMA point to solutions whereby the SCP may be given a more prominent role and could be used for inter-operator purposes e.g., for the local connections between mobile operators and their adjacent roaming VAS operators and IPX carriers.
- Around end 2020 / begin 2021 the aim is that the task force has concluded on the high-level principles of the solution. The solution is likely to be reflected in change requests to existing GSMA documents (typical candidates are NG.113, FS.21 and FS.36). Whether there is a need for new features in 3GPP standards is to be seen, but it is possible the impact can be limited to a documentation and clarification exercise.
5G Security is the priority theme for FASG this year (2020) and the work this Task Force will undertake not only maps to that theme but is, perhaps, one of the most important activities to be undertaken by GSMA Working Groups for quite some time. Clearly, agreeing the enablers for 5G roaming is essential and selecting options that meet the future needs of our industry is a critically important task.
NetNumber Senior Manager of Product Development Pieter Veenstra is honoured to be appointed as chair of the 5GMRR task force as it underlines the commitment of the company to all the work being done in the GSMA, with the aim to provide simple operational security solutions to the mobile industry, and to maintain trust in mobile services for all subscribers worldwide considering the growing importance and dependency of these services in our daily lives and for business processes.
Contact email@example.com for further details.