IPUPS

Inter-PLMN User Plane Security

Introduced in Rel-16

IPUPS is a security framework that provides confidentiality and integrity protection for user plane data traversing the N9 interface between two separate Public Land Mobile Networks (PLMNs).

Category: Security
Introduced: Rel-16
Where: Core Network › 5G Core
Specifications: 4 specs

Description

Inter-PLMN User Plane Security (IPUPS) is a 3GPP security mechanism designed to protect user plane data as it travels between two different Public Land Mobile Networks (PLMNs). Its primary focus is securing the N9 interface, which is the reference point between the User Plane Functions (UPFs) of two separate networks, a common scenario in roaming or when a user's data session is anchored in a home network while connected via a visited network. IPUPS ensures both confidentiality (preventing eavesdropping) and integrity (preventing tampering) of the user's IP packets.

The architecture of IPUPS involves security gateways (SEGs) or the UPFs themselves acting as security endpoints. These endpoints establish a secure tunnel, typically using IPsec, between the two PLMNs. The system utilizes the 3GPP-defined security protocol suite, Network Domain Security (NDS/IP), which specifies how to implement IPsec for 3GPP network interfaces. Key management is handled through the use of Internet Key Exchange protocol version 2 (IKEv2), often with certificate-based authentication to establish a trusted relationship between the operators' networks. The policies for which traffic requires protection (e.g., all roaming traffic, traffic for certain APNs) are configured within the network functions.

Operationally, when user plane data needs to be sent from the Visited PLMN (VPLMN) to the Home PLMN (HPLMN), the source UPF or SEG encapsulates the original GTP-U and user IP packets within an IPsec Encapsulating Security Payload (ESP) tunnel. The tunnel terminates at the peer entity in the other network, which decrypts and verifies the packet before forwarding it to the target UPF. This process is transparent to the end-user device. IPUPS is a critical component in the 5G security architecture, extending the 'security-by-design' principle to inter-operator links, which are potential points of vulnerability in a globally interconnected mobile ecosystem.
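
The encapsulation described above implies a passive check on the inter-PLMN link: protected traffic appears as ESP, while a visible GTP-U header means a flow bypassed the tunnel. The following is an added example, not taken from the 3GPP specifications or from this page's source; the function names and sample packets are constructed for illustration, and it assumes outer IPv4, ESP as IP protocol 50 or inside UDP 4500 (NAT traversal), and GTP-U on UDP 2152.

```python
import struct
from collections import Counter

GTPU_PORT, IKE_PORT, NATT_PORT = 2152, 500, 4500   # well-known UDP ports
PROTO_UDP, PROTO_ESP = 17, 50                      # IP protocol numbers

def classify_n9_packet(pkt: bytes) -> str:
    """Classify the outer IPv4 packet observed on an inter-PLMN link."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "unparsed"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "unparsed"
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_ESP:
        return "esp" if len(payload) >= 8 else "unparsed"   # SPI + sequence number
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return "fragment"            # non-first fragment: no L4 header to inspect
    if proto != PROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if NATT_PORT in (sport, dport) and len(data) >= 4:
        # Four zero bytes are the non-ESP marker (IKE); anything else is an ESP SPI.
        return "ike" if data[:4] == b"\x00" * 4 else "esp-natt"
    if IKE_PORT in (sport, dport):
        return "ike"
    if GTPU_PORT in (sport, dport) and data and data[0] >> 5 == 1:
        return "cleartext-gtpu"      # GTPv1-U header visible: tunnel not applied
    return "other"

def audit(packets):
    """Return (per-class counts, indexes of packets that bypass the ESP tunnel)."""
    classes = [classify_n9_packet(p) for p in packets]
    return Counter(classes), [i for i, c in enumerate(classes) if c == "cleartext-gtpu"]

# --- constructed sample packets (documentation addresses, zero checksums) ---
def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLES = [
    _ipv4(PROTO_ESP, struct.pack("!II", 0x1000, 1) + bytes(32)),
    _ipv4(PROTO_UDP, _udp(GTPU_PORT, GTPU_PORT, bytes([0x30, 0xFF, 0, 4]) + struct.pack("!I", 0x1234) + b"abcd")),
    _ipv4(PROTO_UDP, _udp(NATT_PORT, NATT_PORT, struct.pack("!II", 0x2000, 1) + bytes(16))),
    _ipv4(PROTO_UDP, _udp(NATT_PORT, NATT_PORT, bytes(4) + b"\x11" * 28)),
]
```

Running `audit(SAMPLES)` flags only the second packet, the one whose GTP-U header is readable on the wire.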

Purpose & Motivation

IPUPS was created to address a significant security gap in inter-operator connectivity. Historically, user plane traffic between different operators' networks (e.g., for roaming users) often traversed the public internet or private interconnects without mandatory encryption, relying on the security of the underlying transport network. This made the data vulnerable to interception, manipulation, or analysis by intermediaries. The increasing sensitivity of user data and the rise of regulatory requirements for data protection (like GDPR) necessitated a standardized, robust security solution.

The motivation for IPUPS stemmed from the 5G design principle of providing end-to-end security, which includes the 'network-to-network' segment. It solves the problem of securing user data once it leaves the relatively controlled environment of a single operator's network. By mandating or strongly recommending IPsec on the N9 interface, 3GPP ensures that user privacy is maintained even during roaming, and it protects against threats like man-in-the-middle attacks on inter-PLMN links. Its introduction in Release 16 aligns with the enhanced security requirements of 5G, supporting new use cases that demand higher trust, such as network slicing for enterprises and critical IoT communications.

Classification

Part of: NDS/IP
Related approaches: UPF, PLMN

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (488 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 (150 changes)

In Release 15, the Inter-PLMN User Plane Security (IPUPS) function was newly introduced as part of the architectural solution for User Plane (UP) Security policy and User Plane Integrity Protection. This provided a standardized mechanism to secure user plane data traversing between different Public Land Mobile Networks (PLMNs). The introduction addressed security requirements for roaming scenarios, ensuring data confidentiality and integrity across operator boundaries.

  • Clarifications to security requirements and features (clause 5) (TS 33.501, CR0161)
  • Security Negotiation for RRC INACTIVE (TS 33.501, CR0183)
  • Protection of internal gNB interfaces (TS 33.501, CR0209)
  • Introduction of DTLS for protection of Xn-C and N2 interfaces (TS 33.501, CR0210)
  • Security Mechanism for Steering of Roaming (TS 33.501, CR0214)
  • CAPIF support for NEF external exposure interface (TS 33.501, CR0215)

144 more changes are not listed here.

Rel-16 (131 changes)

In Release 16, the new Inter-PLMN User Plane Security (IPUPS) functionality was introduced to enhance security for user data in roaming scenarios. This function specifically provides security protection for the N9 interface between UPFs located in different PLMNs. The feature builds upon the existing 5G security architecture to ensure confidentiality and integrity of the user plane across operator network boundaries.

  • Introduction of data transfer in Control Plane CIoT 5GS Optimisation (TS 23.501, CR0889)
  • Introduction of Inter-RAT mobility support to and from NB-IoT (TS 23.501, CR0895)
  • General description of solution 1 in 23.725 for user plane redundancy (TS 23.501, CR0753)
  • Enhancement on slice interworking--501 (TS 23.501, CR0850)
  • UPF Selection influenced by the indication of the identity/identities of 5G AN N3 User Plane capability (TS 23.501, CR0862)
  • Use of analytics for user plane function selection (TS 23.501, CR0899)

125 more changes are not listed here.

Rel-17 (77 changes)

In Release 17, the IPUPS (Inter-PLMN User Plane Security) function introduced User Plane Integrity Protection Policy Handling specifically for inter-system handover from EPS to 5GS. This enhancement ensures security policy continuity when a user's session moves from the 4G network to the 5G System. The update provides a defined mechanism to manage integrity protection during this critical mobility scenario.

  • Informative guideline on supporting session/service continuity between SNPN and PLMN when using N3IWF (TS 23.501, CR2563)
  • Service Assistance Information for 3GPP Advanced Interactive Service (TS 23.501, CR2653)
  • New 5QI values to support Advance Interactive Services (AIS) in 5G (TS 23.501, CR2701)
  • Enabling restricted PDU Session for remote provisioning of UE via User Plane (TS 23.501, CR2709)
  • New standardized 5QI values for Advanced Interactive Services (TS 23.501, CR2740)
  • User Plane Remote Provisioning of UEs if PLMN as ON (TS 23.501, CR2802)

71 more changes are not listed here.

Rel-18 (78 changes)

In Release 18, the new Inter-PLMN User Plane Security (IPUPS) function introduced specific security handling for network sharing scenarios. This included defining security aspects for enhanced support of Non-Public Networks in their second phase. Furthermore, the release added security provisions for the user plane positioning capability of the Location Management Function (LMF).

  • RFSP index during interworking (TS 23.501, CR3713)
  • Interworking with TSN network deployed in the transport network (TS 23.501, CR3811)
  • Edge Relocation within the same hosting PLMN's EHEs (TS 23.501, CR3820)
  • KI#4: Support for Centralized NSACF in a PLMN with multi-service areas (TS 23.501, CR3822)
  • Support of high data rate low latency services, XR and interactive media services (TS 29.244, CR0696)
  • User plane inactivity detection update (TS 29.244, CR0731)

72 more changes are not listed here.

Rel-19 (49 changes)

In Release 19, the new IPUPS (Inter-PLMN User Plane Security) function introduced specific security procedures for inter-CU LTM and defined security aspects for the MSGin5G service. It also added security for the N6 delay measurements and established security for a PLMN hosting an NPN. These enhancements expanded the security framework for user plane traffic across different network domains.

  • NF discovery and selection by target PLMN (TS 23.501, CR5399)
  • Exposure enhancements for static UE IP address assignment and 5G VN group's User Plane Security Policy (TS 23.501, CR5492)
  • Control Plane and User Plane Protocol stacks involving the MWAB node (TS 23.501, CR5561)
  • Support of handling of headers in N4 interface (TS 29.244, CR0882)
  • Security related protocol-specific configuration parameters for N6 delay measurement (TS 29.244, CR0975)
  • Provision of I-UPF ID over N4 Interface (TS 29.244, CR0985)

43 more changes are not listed here.

Rel-20 (3 changes)

In Release 20, the new Inter-PLMN User Plane Security (IPUPS) function introduced the capability for mitigation actions based on new analytics for abnormal user plane traffic. It also defined a procedure to make certain security parameters visible to RIs (Roaming Interconnects). Furthermore, the release corrected a specification misalignment by replacing appended PLMN ID access token claims with PLMN ID specific claims for roaming scenarios.

  • Mitigation actions based on New Abnormal user plane traffic Analytics (TS 23.501, CR6507)
  • Procedure to making some security parameters visible to RIs (TS 33.501, CR2191)
  • Correction of misalignment with TS 29.510: Replace appended PLMN ID access token claims with PLMN ID specific claims in roaming (TS 33.501, CR2214)

Defining Specifications

3GPP specifications that define or reference IPUPS, with the latest known release. Sourced from the 3GPP document catalog.

Specification     Title                                                   Release
TS 23.501 vk00    5G System Architecture Stage 2                          Rel-20
TS 29.244 vj40    PFCP Specification for Control/User Plane Separation    Rel-19
TS 29.510 vj50    NRF Service Based Interface Protocol                    Rel-19
TS 33.501 vk00    5G Security Architecture and Procedures                 Rel-20