EPS-UPIP

EPS User-Plane Integrity Protection

Category: Security
Introduced: Rel-17

EPS-UPIP is a 5G-era EPS security feature that provides integrity protection for user-plane data over the radio interface to safeguard against tampering and injection attacks.

Where: Core Network › 5G Core
Specifications: 2 specs

Description

EPS User-Plane Integrity Protection (EPS-UPIP) is a security enhancement defined in 3GPP specifications TS 24.301 (NAS) and TS 24.501, introduced to provide integrity protection for user-plane (UP) data packets in EPS networks. Prior to its introduction, EPS primarily relied on encryption (ciphering) for UP confidentiality, but integrity protection was typically only applied to control-plane signaling (NAS and RRC). EPS-UPIP extends integrity safeguards to the actual user data traversing the radio access between the UE and the eNodeB, ensuring data has not been altered, replayed, or injected by an attacker.

The feature operates by having the UE and the network apply an integrity algorithm to user-plane data packets, generating an integrity tag (a message authentication code, MAC) that is appended to or associated with the data. This processing takes place at the Packet Data Convergence Protocol (PDCP) layer of the radio interface. The integrity key is taken from the existing EPS security key hierarchy: specifically, the UP integrity key is derived from K_eNB, which is itself derived from K_ASME. Activation of UP integrity protection is negotiated during the security mode command procedure between the UE and the network, based on network policy and the UE's security capabilities.

Architecturally, EPS-UPIP involves the UE, the eNodeB, and the MME. The MME determines whether to activate the feature based on subscription data, local policy, and the UE's security capabilities indicated during attachment. The actual integrity protection and verification are performed by the PDCP entities in the UE and the eNodeB. The introduction of this feature required updates to the PDCP protocol and the security mode control procedures to support the negotiation and activation of integrity algorithms for the user plane. It represents a significant shift towards aligning EPS security with the more comprehensive 'always-on' integrity protection model pioneered in 5G (NR) systems.
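The two paragraphs above describe the mechanism in the abstract: a capability-based choice of integrity algorithm, a UP integrity key derived from K_eNB, and a per-packet tag computed at PDCP that binds the data to its COUNT, bearer and direction so that modified, injected or replayed packets are discarded. The following Python example is added here to make that concrete; it is not code from the page, from 3GPP or from any implementation. It models a simplified PDCP sender and receiver and shows which manipulations are caught. Everything in it is an assumption for illustration: the K_eNB value is constructed, the KDF distinguisher bytes are placeholders, and HMAC-SHA-256 truncated to 32 bits stands in for the real 128-EIA1/2/3 algorithms (which use the same COUNT/BEARER/DIRECTION inputs but SNOW 3G, AES-CMAC and ZUC respectively). The receiver's replay check is a strict "COUNT must advance" rule rather than PDCP's reordering window.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed 256-bit K_eNB for this example only (not a real key).
K_ENB = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAC_LEN = 4  # the 128-EIA family emits a 32-bit MAC-I


def select_up_int_alg(ue_supported: set, network_priority: list) -> Optional[int]:
    """Security-mode-style negotiation: first algorithm in the network's
    priority list that the UE advertised; None = UP integrity not activated."""
    for alg in network_priority:
        if alg in ue_supported:
            return alg
    return None


def derive_up_int_key(k_enb: bytes, alg_id: int) -> bytes:
    """Derive a 128-bit UP integrity key from K_eNB.

    Shape follows the HMAC-SHA-256 KDF of the EPS key hierarchy
    (S = FC || P0 || L0 || P1 || L1, keep the 128 LSBs). The FC byte and
    the type distinguisher used here are illustrative, not spec constants.
    """
    s = b"\x15" + b"\x06" + b"\x00\x01" + bytes([alg_id]) + b"\x00\x01"
    return hmac.new(k_enb, s, hashlib.sha256).digest()[16:]


def mac_i(k_int: bytes, count: int, bearer: int, direction: int, msg: bytes) -> bytes:
    """32-bit integrity tag bound to COUNT, BEARER and DIRECTION.

    Stand-in for 128-EIA1/2/3: same inputs, but HMAC-SHA-256 truncated
    to 32 bits instead of the SNOW 3G / AES-CMAC / ZUC constructions.
    """
    ctx = struct.pack(">IBB", count & 0xFFFFFFFF, bearer & 0x1F, direction & 1)
    return hmac.new(k_int, ctx + msg, hashlib.sha256).digest()[:MAC_LEN]


class PdcpTx:
    """Sending PDCP entity: tags each SDU with the current COUNT."""

    def __init__(self, k_int: bytes, bearer: int, direction: int):
        self.k_int, self.bearer, self.direction = k_int, bearer, direction
        self.count = 0

    def protect(self, sdu: bytes) -> bytes:
        # Simplified PDU layout: 32-bit COUNT in clear, SDU, MAC-I.
        # Real PDCP carries only the SN and keeps the HFN as local state.
        tag = mac_i(self.k_int, self.count, self.bearer, self.direction, sdu)
        pdu = struct.pack(">I", self.count) + sdu + tag
        self.count += 1
        return pdu


class PdcpRx:
    """Receiving PDCP entity: verifies MAC-I and rejects stale COUNTs."""

    def __init__(self, k_int: bytes, bearer: int, direction: int):
        self.k_int, self.bearer, self.direction = k_int, bearer, direction
        self.highest_delivered = -1

    def verify(self, pdu: bytes) -> Optional[bytes]:
        """Return the SDU if the PDU is authentic and fresh, else None."""
        if len(pdu) < 4 + MAC_LEN:
            return None
        count = struct.unpack(">I", pdu[:4])[0]
        sdu, tag = pdu[4:-MAC_LEN], pdu[-MAC_LEN:]
        if count <= self.highest_delivered:
            return None  # replayed / stale COUNT (simplified window rule)
        expected = mac_i(self.k_int, count, self.bearer, self.direction, sdu)
        if not hmac.compare_digest(expected, tag):
            return None  # modified bytes, wrong key, bearer or direction
        self.highest_delivered = count
        return sdu


def demo() -> dict:
    """Activation, protection, and what the receiver does with bad PDUs."""
    alg = select_up_int_alg(ue_supported={1, 2}, network_priority=[3, 2, 1])
    k_int = derive_up_int_key(K_ENB, alg)
    # DRB identity 5, uplink (direction 0): UE protects, eNB verifies.
    ue = PdcpTx(k_int, bearer=5, direction=0)
    enb = PdcpRx(k_int, bearer=5, direction=0)
    other_drb = PdcpRx(k_int, bearer=6, direction=0)

    pdu1 = ue.protect(b"GET /meter?id=17")
    pdu2 = ue.protect(b"value=42")
    tampered = pdu2[:4] + b"value=99" + pdu2[-MAC_LEN:]  # payload swapped in transit

    return {
        "alg": alg,
        "good": enb.verify(pdu1),                 # accepted
        "tampered": enb.verify(tampered),         # MAC-I mismatch -> discarded
        "good2": enb.verify(pdu2),                # accepted
        "replay": enb.verify(pdu1),               # COUNT already used -> discarded
        "cross_bearer": other_drb.verify(pdu2),   # BEARER is in the MAC -> discarded
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result!r}")
```

The point a practitioner should take from `demo()` is that the tag alone is not what stops replay: the receiver's COUNT state does, which is why PDCP integrity and the HFN/SN bookkeeping are inseparable. Binding BEARER and DIRECTION into the tag is what prevents a valid uplink PDU from one radio bearer being accepted on another.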

Purpose & Motivation

EPS-UPIP was introduced in 3GPP Release 17 to address the growing security threats to user data in mobile networks, particularly the risk of active attacks on the radio interface. Prior to Release 17, EPS user-plane security focused almost exclusively on encryption (confidentiality), leaving data vulnerable to malicious tampering, injection, or replay attacks that could corrupt data streams or inject malicious content without detection. The motivation came from the increased sensitivity of services (e.g., industrial IoT, financial transactions, remote operations) and the desire to elevate 4G security to be more consistent with 5G principles.

Its creation was driven by lessons from 5G design, where user-plane integrity protection is a default and fundamental part of the security architecture. EPS-UPIP allows operators to enhance the security posture of their existing EPS deployments, especially for critical IoT and enterprise services, without requiring a full migration to 5G. It solves the problem of data authenticity and integrity for the vast installed base of LTE devices and networks, closing a known security gap. The feature is part of the broader 'EPS security enhancements' work item aimed at backward-porting key 5G security features to the EPS architecture.

Classification

Part of: PDCP

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (129 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 (18 changes)

In Release 15, EPS-UPIP (EPS User-Plane Integrity Protection) was introduced, with specific corrections made to define the maximum data rate per UE for integrity protection for DRBs (Data Radio Bearers). The release also included corrections for the establishment of user-plane resources and addressed integrity protection for PDU sessions transferable between non-3GPP and 3GPP access. Furthermore, it defined mechanisms for the lower layer indication on the establishment and release of these user-plane resources.

  • SUCI encoding format and protection scheme (TS 24.501 CR0254)
  • Protection of initial NAS messages – overall description (TS 24.501 CR0424)
  • Support for protection of initial NAS messages (TS 24.501 CR0425)
  • Protection of EPS attach for 5GC interworking (TS 24.301 CR3132)
  • Cases where 5G NAS security context is used to integrity protect an ATTACH REQUEST message (TS 24.301 CR3169)
  • Correction for establishment of user-plane resources (TS 24.501 CR0013)

(12 further changes not listed here)

Rel-16 (55 changes)

In Release 16, enhancements for EPS User-Plane Integrity Protection (EPS-UPIP) were introduced alongside clarifications for handling non-integrity protected NAS messages, particularly focusing on reject messages and service reject procedures within EPS. The release specified UE behaviors for maintaining security, such as actions upon receiving non-integrity protected NAS reject messages with specific 5GMM cause values, and reinforced the requirement for integrity protection in NAS signalling after successful security mode control. These updates aimed to strengthen security robustness, especially in scenarios involving CIoT EPS optimizations and the handling of abnormal network-side cases.

  • RLOS integrity and authentication handling (TS 24.301 CR3266)
  • PDU session ID usage when the UE is a 5G-RG and requests establishment of a PDN connection as a user-plane resource of a MA PDU session (TS 24.301 CR3326)
  • UE behaviour upon receiving non-integrity protected NAS reject messages in 5GS (TS 24.501 CR0998)
  • User plane CIoT 5GS optimization (TS 24.501 CR1130)
  • Idle mode optimizations for 5G Control plane CIoT small data transfer (TS 24.501 CR1311)
  • Header compression for control plane user data (TS 24.501 CR1318)

(49 further changes not listed here)

Rel-17 (29 changes)

In Release 17, the new EPS-UPIP (EPS User-Plane Integrity Protection) function introduced a specific support indication for this capability within the system. The release also defined new procedures, such as an EMM Service Request procedure, to handle scenarios where the network sends a reject message that lacks integrity protection. Furthermore, it specified the storage of counters related to such non-integrity protected reject messages to enhance security management.

  • Using Service Request procedure for removing paging restrictions in EPS for MUSIM UE that uses the control plane CIoT EPS optimization (TS 24.301 CR3564)
  • Introduction of user-plane integrity protection in EPS support indication (TS 24.301 CR3619)
  • Using Service Request procedure for removing paging restrictions in 5GS for MUSIM UE that uses the control plane CIoT 5GS optimization (TS 24.501 CR3439)
  • Introduction of EPS-UPIP support indication in 5GC (TS 24.501 CR3701)
  • Handling of cause #8, #14, #35 for non-integrity protected reject messages (TS 24.301 CR3487)
  • Add 5GMM SR procedure for non-integrity protected reject message (TS 24.301 CR3524)

(23 further changes not listed here)

Rel-18 (15 changes)

In Release 18, a key enhancement for EPS-UPIP was the correction of a missing bit for EPS-UPIP support in the S1 UE network capability Information Element within mobility and periodic REGISTRATION REQUEST messages. This ensures the UE can accurately signal its capability for user plane integrity protection to the network. Additionally, the release clarified procedures for handling reject messages, specifically those containing EMM cause value #78, when such messages are received without integrity protection.

  • User plane positioning capability indication (TS 24.501 CR5015)
  • User plane positioning capability (TS 24.501 CR5285)
  • UL/DL NAS transport updates for user plane positioning (TS 24.501 CR5215)
  • Control plane user data associated with S-NSSAI not allowed in current TA (TS 24.501 CR5612)
  • Support indications for user plane positioning (TS 24.501 CR5501)
  • Handling of a reject message including EMM cause value #78 without integrity protection (TS 24.301 CR3945)

(9 further changes not listed here)

Rel-19 (12 changes)

In Release 19, the EPS-UPIP function was enhanced with specific corrections and clarifications for handling non-integrity protected messages and timer interactions, particularly for devices using control plane CIoT EPS optimizations. The updates included corrections to the handling of the S&F wait timer and reject messages when integrity protection is not applied, as well as refined procedures for the T3440 and T3540 timers in conjunction with the control plane data back-off timer T3448. These changes ensure more robust security context management and service continuity for UEs utilizing EPS services with control plane CIoT EPS optimization and its overhead reduction variant.

  • Handling of non-integrity protected S&F reject (TS 24.301 CR4580)
  • Correction to T3440 timer handling with control plane data back-off timer T3448 (TS 24.301 CR4424)
  • Correction of UE initiated transport of user data via the control plane with overhead reduction (TS 24.301 CR4533)
  • Correction of S&F wait time duration in control plane CIoT EPS optimization with overhead reduction (TS 24.301 CR4538)
  • Correction of network procedures for negotiation of control plane CIoT EPS optimization with overhead reduction (TS 24.301 CR4623)
  • Corrections to S&F wait timer in case of non-integrity protected reject messages (TS 24.301 CR4640)

(6 further changes not listed here)


Defining Specifications

3GPP specifications that define or reference EPS-UPIP, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 24.301 vj60 | NAS protocol for Evolved Packet System | Rel-19
TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19