IPSec

Internet Protocol Security

Security
Introduced in Rel-10
Internet Protocol Security (IPSec) is a suite of protocols for securing IP communications by authenticating and encrypting each IP packet in a data stream. In 3GPP, it is used to protect control plane signaling and user plane data between network functions, especially over untrusted transport networks. It provides confidentiality, integrity, and authentication for network layer traffic.

Description

Internet Protocol Security (IPSec) is a framework of open standards, defined by the IETF and adopted by 3GPP, that provides security services at the IP layer. It operates by adding security headers (Authentication Header - AH and Encapsulating Security Payload - ESP) to IP packets, which can provide data origin authentication, integrity, confidentiality (encryption), and anti-replay protection. In 3GPP architectures, IPSec is implemented in two main modes: Transport Mode, which secures the payload of the IP packet, and Tunnel Mode, which encapsulates and secures the entire original IP packet within a new IP packet, creating a secure tunnel.
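The two modes differ only in what goes inside the ESP payload and which IP header an observer on the transport network can see. The following added example (written for this page, not code from 3GPP or any vendor stack) builds both framings for a constructed GTP-U datagram. It uses NULL encryption (RFC 2410) so the ESP layout stays inspectable and HMAC-SHA-256-128 for the ICV; addresses, SPIs and the key are made up, and the IPv4 checksum is left at zero.

```python
"""Added example: ESP transport vs tunnel mode framing (RFC 4303); not 3GPP or vendor code.
NULL encryption (RFC 2410) keeps the framing readable; the ICV is HMAC-SHA-256-128 (RFC 4868)."""
import hashlib
import hmac
import struct

ESP_PROTO = 50          # IP protocol number for ESP
IP_PROTO_UDP = 17
IP_PROTO_IPIP = 4       # ESP next-header value meaning "payload is a complete IPv4 packet"
ICV_LEN = 16            # HMAC-SHA-256-128 truncates the tag to 128 bits


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero (a real stack recomputes it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, integ_key: bytes) -> bytes:
    """RFC 4303 layout: SPI | Seq | payload | padding | pad_len | next_header | ICV."""
    pad_len = (-(len(payload) + 2)) % 4              # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))            # default monotonic pad bytes (RFC 4303 2.4)
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(integ_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_verify(esp: bytes, integ_key: bytes):
    """Check the ICV, then strip header and trailer. Returns (spi, seq, payload, next_header)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(integ_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet modified in transit or wrong SA key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, body[8:len(body) - 2 - pad_len], next_header


def transport_mode(ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: the original IP header stays; only its payload goes inside ESP."""
    ihl = (ip_packet[0] & 0x0F) * 4
    header, payload = bytearray(ip_packet[:ihl]), ip_packet[ihl:]
    esp = esp_encapsulate(spi, seq, payload, header[9], key)   # next_header = original protocol
    header[9] = ESP_PROTO                                      # outer protocol now says ESP
    struct.pack_into("!H", header, 2, ihl + len(esp))          # fix total length
    return bytes(header) + esp


def tunnel_mode(ip_packet: bytes, spi: int, seq: int, key: bytes, outer_src: bytes, outer_dst: bytes) -> bytes:
    """Tunnel mode: the whole original packet is the ESP payload and a new outer header is
    prepended, so only the gateway addresses are visible on the transport network."""
    esp = esp_encapsulate(spi, seq, ip_packet, IP_PROTO_IPIP, key)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def visible_addresses(packet: bytes):
    """What an observer on the transport network sees: outer src, outer dst, protocol byte."""
    return packet[12:16], packet[16:20], packet[9]


# Constructed sample: a GTP-U (UDP/2152) datagram from a gNB to a UPF; addresses and key are made up.
INNER_SRC, INNER_DST = bytes([10, 0, 0, 10]), bytes([10, 1, 0, 20])
OUTER_SRC, OUTER_DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])   # security gateways
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SAMPLE_UDP = struct.pack("!HHHH", 2152, 2152, 12, 0) + b"GTPU"
SAMPLE_PACKET = ipv4_header(INNER_SRC, INNER_DST, IP_PROTO_UDP, len(SAMPLE_UDP)) + SAMPLE_UDP

if __name__ == "__main__":
    t = transport_mode(SAMPLE_PACKET, 0x1000, 1, KEY)
    u = tunnel_mode(SAMPLE_PACKET, 0x2000, 1, KEY, OUTER_SRC, OUTER_DST)
    print("transport:", visible_addresses(t), len(t), "bytes")   # inner gNB/UPF addresses exposed
    print("tunnel:   ", visible_addresses(u), len(u), "bytes")   # only gateway addresses exposed
```

Running it shows why tunnel mode is the usual choice between a gNB site and a security gateway: the transport-mode packet still reveals the gNB and UPF addresses in its outer header, while the tunnel-mode packet reveals only the two gateways. Any flipped byte inside the protected region makes esp_verify raise, which is the integrity guarantee the text refers to.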

Within a 3GPP network, IPSec works by establishing a Security Association (SA) between two endpoints, such as between a gNB and the 5G Core's User Plane Function (UPF), or between network functions within the Service-Based Architecture (SBA). The SA defines the cryptographic algorithms (e.g., AES for encryption, SHA-256 for integrity), keys, and other parameters for the secure channel. The Internet Key Exchange (IKEv2) protocol is typically used for the automated negotiation and management of these SAs. Key components include the IPSec-enabled network functions, the IKEv2 daemon for key management, and the security policies that dictate which traffic must be protected.
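To make the SA, policy and anti-replay concepts concrete, here is an added example (not 3GPP or vendor code) modelling a small Security Policy Database and Security Association Database for one 5G site, with the RFC 4303 section 3.4.3 sliding-window replay check applied to inbound ESP headers. The addresses, SPIs and algorithm names are constructed; the port numbers are the IANA assignments for NGAP over SCTP (38412), PFCP (8805) and GTP-U (2152). In a real stack the window is only committed after the ICV verifies; this toy commits it immediately for brevity.

```python
"""Added example: toy SPD/SAD with RFC 4303 anti-replay window; not 3GPP or vendor code."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SecurityAssociation:
    """One inbound ESP SA: keyed by SPI, carries negotiated algorithms and replay state."""
    spi: int
    peer: str                 # remote endpoint the SA was negotiated with (via IKEv2 in practice)
    enc_alg: str              # e.g. "AES-GCM-256"
    integ_alg: str            # e.g. "HMAC-SHA-256-128"; "NONE" when an AEAD cipher covers integrity
    window_size: int = 64     # RFC 4303 requires at least 32; 64 is a common default
    highest_seq: int = 0
    window: int = 0           # bitmap: bit i set means (highest_seq - i) was already received

    def check_replay(self, seq: int) -> bool:
        """Sliding window from RFC 4303 3.4.3. True = fresh (and now recorded), False = drop."""
        if seq == 0:
            return False                       # sequence number 0 is never transmitted on an SA
        if seq > self.highest_seq:             # advances the window to the right
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return False                       # fell off the left edge: too old
        if self.window & (1 << diff):
            return False                       # already seen: replay
        self.window |= 1 << diff
        return True


@dataclass
class PolicyEntry:
    """Selector-based SPD entry (RFC 4301): which traffic is protected, bypassed or discarded."""
    src: str
    dst: str
    proto: Optional[int]
    dport: Optional[int]
    action: str               # "PROTECT", "BYPASS" or "DISCARD"
    spi: Optional[int] = None

    def matches(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        return (ip_address(src) in ip_network(self.src) and ip_address(dst) in ip_network(self.dst)
                and self.proto in (None, proto) and self.dport in (None, dport))


def lookup_policy(spd, src: str, dst: str, proto: int, dport: Optional[int]) -> PolicyEntry:
    """First matching ordered entry wins; RFC 4301 default when nothing matches is DISCARD."""
    for entry in spd:
        if entry.matches(src, dst, proto, dport):
            return entry
    return PolicyEntry("0.0.0.0/0", "0.0.0.0/0", None, None, "DISCARD")


def process_inbound(sad, esp_packet: bytes):
    """Parse the ESP header, find the SA by SPI, run the anti-replay check."""
    if len(esp_packet) < 8:
        return "DROP", "truncated ESP header"
    spi, seq = struct.unpack("!II", esp_packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return "DROP", f"no SA for SPI {spi:#x}"          # worth logging: unknown SPI
    if not sa.check_replay(seq):
        return "DROP", f"replayed or stale seq {seq} on SPI {spi:#x}"
    # ICV verification and decryption with sa.integ_alg / sa.enc_alg would follow here.
    return "ACCEPT", f"SPI {spi:#x} seq {seq} via {sa.enc_alg}"


def replay_demo(seqs, window_size: int = 64):
    """Feed a sequence-number pattern through a fresh SA and return the accept/drop decisions."""
    sa = SecurityAssociation(0x1001, "10.0.0.10", "AES-GCM-256", "NONE", window_size=window_size)
    return [sa.check_replay(s) for s in seqs]


# Constructed site: gNB 10.0.0.10, AMF 10.1.0.1, SMF 10.1.0.2, UPF 10.1.0.20.
SPD = [
    PolicyEntry("10.0.0.0/24", "10.1.0.1/32", 132, 38412, "PROTECT", spi=0x1001),  # N2: NGAP over SCTP
    PolicyEntry("10.1.0.2/32", "10.1.0.20/32", 17, 8805, "PROTECT", spi=0x1002),   # N4: PFCP over UDP
    PolicyEntry("10.0.0.0/24", "10.1.0.20/32", 17, 2152, "PROTECT", spi=0x1003),   # N3: GTP-U over UDP
    PolicyEntry("10.0.0.0/24", "10.1.0.0/24", 1, None, "BYPASS"),                  # ICMP for link monitoring
]
SAD = {
    0x1001: SecurityAssociation(0x1001, "10.0.0.10", "AES-GCM-256", "NONE"),
    0x1002: SecurityAssociation(0x1002, "10.1.0.2", "AES-CBC-256", "HMAC-SHA-256-128"),
    0x1003: SecurityAssociation(0x1003, "10.0.0.10", "AES-GCM-256", "NONE"),
}

if __name__ == "__main__":
    print(lookup_policy(SPD, "10.0.0.10", "10.1.0.1", 132, 38412).action)   # PROTECT (N2)
    print(lookup_policy(SPD, "10.0.0.10", "10.1.0.1", 6, 22).action)        # DISCARD (no policy)
    print(replay_demo([1, 2, 3, 2, 5, 4, 100, 50, 36, 37]))
```

The replay demo shows the three outcomes the window produces: in-order and slightly reordered packets are accepted, a duplicate of an already-seen number is dropped, and after a jump to 100 a packet numbered 36 is dropped as too old while 37 (exactly at the window edge) is still accepted.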

Its role is critical for network slicing, CUPS (Control and User Plane Separation), and interconnection between network operators or between RAN and core network over non-trusted IP networks (e.g., public internet for fronthaul/backhaul). It ensures that sensitive control plane signaling (e.g., N2, N4 interfaces) and user data cannot be intercepted, modified, or spoofed. In 5G, with its cloud-native and service-based core, IPSec is a fundamental tool for implementing the 'zero-trust' security principle, ensuring secure communication between distributed, potentially cloud-hosted, network functions.

Purpose & Motivation

IPSec was integrated into 3GPP standards to address the growing need for robust, standardized security for IP-based traffic as mobile networks evolved. Early mobile networks relied on security primarily at the radio interface (e.g., A5 encryption in GSM) and within closed, trusted operator domains. The shift to all-IP networks, the use of untrusted transport (like public internet for backhaul), and the separation of control and user planes created new threat vectors where data could be vulnerable on the wire between network nodes.

The creation and adoption of IPSec were motivated by the necessity to protect network infrastructure itself. It solves the problem of securing peer-to-peer communication between network elements over potentially insecure IP networks, which was not adequately addressed by link-layer security or physical security of cables. This became especially critical with LTE and 5G, where network functions can be geographically dispersed and hosted in data centers. IPSec provides a layer-3 solution that is independent of the underlying transport technology, offering a flexible and powerful way to authenticate network elements and ensure the privacy and integrity of all inter-node communication, which is essential for lawful interception, billing integrity, and protection against denial-of-service and man-in-the-middle attacks.

Key Features

  • Provides data confidentiality through encryption (ESP)
  • Ensures data integrity and origin authentication (AH/ESP)
  • Supports anti-replay protection to detect and discard replayed (duplicated) packets
  • Operates in both Transport and Tunnel modes for flexibility
  • Uses IKEv2 for automated Security Association and key management
  • Integrates with 3GPP network architecture for N2, N3, N4, N6 interface protection

Evolution Across Releases

Rel-10 Initial

Introduced IPSec as a mandated security mechanism for protecting the S1-MME control plane interface in LTE. Defined the initial framework for using IPSec with IKEv2 to secure communications between the eNodeB and the MME, establishing the baseline for securing inter-node signaling over IP transport networks.

Defining Specifications

Specification   Title
TS 22.980       3GPP TS 22.980
TS 34.229       3GPP TR 34.229