IPUPS

Inter-PLMN User Plane Security

Security
Introduced in Rel-16
IPUPS is a security framework that provides confidentiality and integrity protection for user plane data traversing the N9 interface between two separate Public Land Mobile Networks (PLMNs). It secures inter-operator traffic in scenarios like roaming and interconnection, preventing eavesdropping and tampering.

Description

Inter-PLMN User Plane Security (IPUPS) is a 3GPP security mechanism that protects user plane data as it travels between two different Public Land Mobile Networks (PLMNs). Its primary focus is the N9 interface, the reference point between the User Plane Functions (UPFs) of two separate networks. That interface carries traffic in roaming scenarios, in particular when a user's data session is anchored in the home network while the user is connected through a visited network. IPUPS provides both confidentiality (preventing eavesdropping) and integrity (preventing tampering) for the user's IP packets.

In the IPUPS architecture, security gateways (SEGs) or the UPFs themselves act as the security endpoints. These endpoints establish a secure tunnel, typically IPsec, between the two PLMNs, following the 3GPP Network Domain Security (NDS/IP) profile, which specifies how IPsec is applied to 3GPP network interfaces. Key management uses the Internet Key Exchange protocol version 2 (IKEv2), usually with certificate-based authentication, to establish a trust relationship between the operators' networks. Policies defining which traffic requires protection (e.g., all roaming traffic, or traffic for certain APNs) are configured in the network functions.

Operationally, when user plane data needs to be sent from the Visited PLMN (VPLMN) to the Home PLMN (HPLMN), the source UPF or SEG encapsulates the original GTP-U and user IP packets within an IPsec Encapsulating Security Payload (ESP) tunnel. The tunnel terminates at the peer entity in the other network, which verifies the packet's integrity check value, decrypts it, and forwards it to the target UPF. This process is transparent to the end-user device. IPUPS is a critical component of the 5G security architecture, extending the 'security-by-design' principle to inter-operator links, which are potential points of vulnerability in a globally interconnected mobile ecosystem.
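The encapsulation and verification steps described above can be illustrated with a small model of one ESP tunnel-mode security association between a VPLMN endpoint and an HPLMN endpoint. This is an added example, not code from the page, from 3GPP, or from any UPF or SEG product. It assumes a simplified ESP layout (RFC 4106 AES-GCM framing without the ESP trailer), a strictly increasing sequence-number check in place of the real sliding anti-replay window, and constructed values for the SPI, key, salt, TEID and subscriber payload (in a real deployment the key and salt are derived by IKEv2). The scenario shows what the receiving endpoint does with a genuine packet, a packet modified in transit, and a replayed packet, and that the subscriber payload is not visible on the N9 wire.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// espTunnel models one direction of an ESP tunnel-mode SA between two PLMN
// security endpoints (SEG or UPF); key and salt would come from IKEv2.
type espTunnel struct {
	spi   uint32
	aead  cipher.AEAD
	salt  [4]byte
	txSeq uint32 // last sequence number sent
	rxSeq uint32 // highest sequence number accepted (simplified anti-replay)
}

func newESPTunnel(spi uint32, key []byte, salt [4]byte) *espTunnel {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a bad key length
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES: 12-byte nonce, 16-byte ICV
	return &espTunnel{spi: spi, aead: aead, salt: salt}
}

// gtpuPacket builds a minimal GTP-U G-PDU (the N9 payload) with a constructed TEID.
func gtpuPacket(teid uint32, payload []byte) []byte {
	hdr := []byte{0x30, 0xff, 0, 0, 0, 0, 0, 0} // v1, PT=GTP, type 255 = G-PDU
	binary.BigEndian.PutUint16(hdr[2:], uint16(len(payload)))
	binary.BigEndian.PutUint32(hdr[4:], teid)
	return append(hdr, payload...)
}

// encapsulate emits SPI | SeqNo | IV(8) | ciphertext || ICV, the RFC 4106 AES-GCM
// layout (ESP trailer omitted). SPI and SeqNo are authenticated as additional data.
func (t *espTunnel) encapsulate(plain []byte) []byte {
	t.txSeq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], t.spi)
	binary.BigEndian.PutUint32(hdr[4:], t.txSeq)
	iv := make([]byte, 8)
	binary.BigEndian.PutUint64(iv, uint64(t.txSeq)) // IV must be unique per key; a counter suffices
	nonce := append(t.salt[:], iv...)                // salt(4) || IV(8) = 12-byte GCM nonce
	ct := t.aead.Seal(nil, nonce, plain, hdr)
	return append(append(hdr, iv...), ct...)
}

// decapsulate is the peer endpoint: check the SPI, reject replays (strictly increasing
// here; real ESP uses a sliding window), verify the ICV while decrypting, then advance.
func (t *espTunnel) decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 16+t.aead.Overhead() {
		return nil, errors.New("esp: packet too short")
	}
	hdr, iv, ct := pkt[:8], pkt[8:16], pkt[16:]
	if binary.BigEndian.Uint32(hdr[0:]) != t.spi {
		return nil, errors.New("esp: unknown SPI")
	}
	seq := binary.BigEndian.Uint32(hdr[4:])
	if seq <= t.rxSeq {
		return nil, errors.New("esp: replayed sequence number")
	}
	plain, err := t.aead.Open(nil, append(t.salt[:], iv...), ct, hdr)
	if err != nil {
		return nil, errors.New("esp: integrity check failed")
	}
	t.rxSeq = seq // only advance after a successful ICV check
	return plain, nil
}

// scenario plays one VPLMN-to-HPLMN exchange: is the payload hidden on the wire,
// are a tampered copy and a replay rejected, and does the genuine packet arrive intact?
func scenario() (confidential, tamperRejected, replayRejected, delivered bool) {
	key := bytes.Repeat([]byte{0x5a}, 16) // constructed 128-bit key (IKEv2-derived in practice)
	salt := [4]byte{1, 2, 3, 4}           // constructed salt
	vplmn := newESPTunnel(0x1000abcd, key, salt)
	hplmn := newESPTunnel(0x1000abcd, key, salt) // same SA parameters at the peer
	inner := gtpuPacket(0x00c0ffee, []byte("constructed subscriber IP payload"))
	esp := vplmn.encapsulate(inner)
	confidential = !bytes.Contains(esp, []byte("subscriber"))
	tampered := append([]byte(nil), esp...)
	tampered[20] ^= 0x01 // flip one bit inside the encrypted GTP-U header
	_, terr := hplmn.decapsulate(tampered)
	tamperRejected = terr != nil
	got, err := hplmn.decapsulate(esp)
	delivered = err == nil && bytes.Equal(got, inner)
	_, rerr := hplmn.decapsulate(esp) // same sequence number presented again
	replayRejected = rerr != nil
	return
}

func main() {
	c, t, r, d := scenario()
	fmt.Println("confidential:", c, "tamper rejected:", t, "replay rejected:", r, "delivered:", d)
}
```

The order of checks in decapsulate is the point worth noting for operators: the sequence-number window is consulted before the expensive AEAD operation, but it is only advanced after the integrity check succeeds, so a forged packet cannot move the window and cause genuine traffic to be dropped as a replay.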

Purpose & Motivation

IPUPS was created to address a significant security gap in inter-operator connectivity. Historically, user plane traffic between different operators' networks (e.g., for roaming users) often traversed the public internet or private interconnects without mandatory encryption, relying on the security of the underlying transport network. This made the data vulnerable to interception, manipulation, or analysis by intermediaries. The increasing sensitivity of user data and the rise of regulatory requirements for data protection (like GDPR) necessitated a standardized, robust security solution.

The motivation for IPUPS stemmed from the 5G design principle of providing end-to-end security, which includes the 'network-to-network' segment. It solves the problem of securing user data once it leaves the relatively controlled environment of a single operator's network. By mandating or strongly recommending IPsec on the N9 interface, 3GPP ensures that user privacy is maintained even during roaming, and it protects against threats like man-in-the-middle attacks on inter-PLMN links. Its introduction in Release 16 aligns with the enhanced security requirements of 5G, supporting new use cases that demand higher trust, such as network slicing for enterprises and critical IoT communications.

Key Features

  • Confidentiality and integrity protection for inter-PLMN user plane (N9 interface)
  • Based on standardized 3GPP NDS/IP and IPsec framework
  • Utilizes IKEv2 with certificate-based authentication for key management
  • Protects GTP-U tunnels and encapsulated user IP packets
  • Can be implemented by UPFs or dedicated Security Gateways (SEGs)
  • Can be applied as mandatory or optional protection according to operator policy

Evolution Across Releases

Rel-16 Initial

Initial introduction of IPUPS in the 5G system. Defined the security requirements and architecture for protecting the user plane on the inter-PLMN N9 interface. Specified the use of NDS/IP and IPsec, integrating it into the 5G core network architecture and roaming scenarios.

Enhanced the IPUPS framework with clarifications and implementation guidance. Potential optimizations for key management procedures and alignment with other 5G security enhancements, such as improved support for secondary authentication.

Further refinements and maintenance of IPUPS specifications. Focus on interoperability testing aspects and potential extensions to cover additional inter-operator interfaces or scenarios in 5G-Advanced networks.

Continued evolution within the 5G-Advanced phase, ensuring IPUPS remains robust against emerging threats and is optimized for new network topologies involving edge computing and more complex roaming agreements.

Ongoing development as part of future 3GPP releases, potentially introducing enhancements for automation, integration with zero-trust architectures, or support for novel service-based interface exposures.

Defining Specifications

Specification   Title
TS 23.501       3GPP TS 23.501
TS 29.244       3GPP TS 29.244
TS 29.510       3GPP TS 29.510
TS 33.501       3GPP TS 33.501