NDS

Network Domain Security

Security
Introduced in Rel-8
A comprehensive 3GPP security framework for protecting signaling and user data exchanges within and between network domains. It establishes security associations, encryption, and integrity protection for network interfaces (e.g., N2, N3, N4, N6). This is fundamental for securing core network communications.

Description

Network Domain Security (NDS) is a cornerstone 3GPP security architecture that provides confidentiality, integrity, and replay protection for control plane (signaling) and user plane data traversing network domains. A 'network domain' is defined as a portion of the network managed by a single administrative authority, such as an operator's core network or a partner's network. NDS ensures that communications between Network Functions (NFs) or between network elements across different domains are secure, preventing eavesdropping, tampering, and spoofing. It operates primarily at the IP layer, securing IP-based protocols used within the 3GPP architecture.

The architecture of NDS is built around the concept of Security Gateways (SEGs) and the application of Internet Protocol Security (IPsec). In its classic form, used for inter-operator interfaces like Za (between SEPPs), traffic between security domains passes through SEGs at each domain's border. These SEGs establish IPsec Encapsulating Security Payload (ESP) tunnels in tunnel mode, providing end-to-end security between the gateways. Within a single, trusted operator domain, NDS/IP (a profile of NDS) can be applied, often using IPsec in transport mode directly between network functions, or increasingly relying on Transport Layer Security (TLS) as specified in modern architectures. NDS defines security policies, key management procedures (using the Internet Key Exchange protocol, IKEv1 or IKEv2), and the cryptographic algorithms to be used.

Its role is pervasive and critical. NDS secures vital interfaces such as the N2 (between the (R)AN and the AMF), N3 (between the (R)AN and the UPF), N4 (between the SMF and UPF), and N6 (between the UPF and the Data Network). In the 5G Service-Based Architecture (SBA), NDS principles are extended through the use of TLS for HTTP/2-based service-based interfaces (e.g., N8, N10, N12) between producer and consumer NFs. The framework ensures that even if the underlying transport network is untrusted, the payload remains protected. It is a mandatory layer of defense that isolates the trusted 3GPP core from external IP networks and secures internal communications against insider threats.
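The two mechanisms described above, the placement decision (SEG-hairpinned ESP tunnel across a domain border, transport-mode ESP or TLS inside a domain) and the replay protection that ESP gives NDS, can be modelled in a few dozen lines. The following is an added example written for this page; it is not 3GPP text or any vendor's implementation. The interface labels (Za, N2, N4, N8, N10, N12) come from the text above; the domain names, SPIs and packet sequence are constructed sample values, and the anti-replay window follows the sliding-window scheme of RFC 4303, Appendix A.

```python
"""Added example (not from 3GPP or the page's author): a toy model of the
NDS decisions described above. It picks a protection mechanism for a flow
based on whether it crosses a security-domain border and which interface it
uses, and it implements the ESP-style sliding anti-replay window that gives
NDS its replay protection. Domain names, SPIs and flows are constructed
sample values; the interface labels come from the text above."""
from dataclasses import dataclass

# Interfaces the text names as HTTP/2 service-based interfaces protected by TLS.
SBA_INTERFACES = frozenset({"N8", "N10", "N12"})


@dataclass(frozen=True)
class Flow:
    src_domain: str   # administrative domain of the sender, e.g. "operatorA"
    dst_domain: str   # administrative domain of the receiver
    interface: str    # 3GPP reference point, e.g. "N2", "N4", "N8"


def select_protection(flow: Flow) -> str:
    """Return how NDS protects the flow (simplified rules from the text).

    Cross-domain traffic is hair-pinned through the SEG at each border and
    carried in ESP tunnel mode; inside one domain, SBA interfaces use TLS and
    other IP interfaces use ESP in transport mode between the network functions.
    """
    if flow.src_domain != flow.dst_domain:
        return "ESP tunnel mode via SEG"
    if flow.interface in SBA_INTERFACES:
        return "TLS"
    return "ESP transport mode"


class AntiReplayWindow:
    """Sliding-window replay check as used for ESP (RFC 4303, Appendix A).

    Bit 0 of `bitmap` stands for the highest sequence number accepted so far;
    bit i stands for sequence number `highest - i`. Sequence numbers start at 1.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq <= 0:
            return False                       # 0 is never a valid ESP sequence number
        if seq > self.highest:                 # advances the window to the right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False                       # already seen: replay
        self.bitmap |= 1 << offset
        return True


class SecurityAssociation:
    """One inbound ESP SA: an SPI plus its own anti-replay state."""

    def __init__(self, spi: int, window_size: int = 64) -> None:
        self.spi = spi
        self.window = AntiReplayWindow(window_size)
        self.dropped = 0

    def receive(self, spi: int, seq: int) -> bool:
        """Accept a packet only if it matches this SA and is not a replay."""
        if spi != self.spi or not self.window.accept(seq):
            self.dropped += 1
            return False
        return True


def replay_demo() -> dict:
    """Feed a constructed packet sequence, with a replayed packet, to one SA."""
    sa = SecurityAssociation(spi=0x1001)
    # (spi, seq) pairs: in-order, one reordered, one replayed, one stale
    packets = [(0x1001, 1), (0x1001, 2), (0x1001, 4), (0x1001, 3),
               (0x1001, 2), (0x1001, 200), (0x1001, 100), (0x1001, 199)]
    accepted = [seq for spi, seq in packets if sa.receive(spi, seq)]
    return {"accepted": accepted, "dropped": sa.dropped}


if __name__ == "__main__":
    print(select_protection(Flow("operatorA", "operatorB", "Za")))
    print(select_protection(Flow("operatorA", "operatorA", "N8")))
    print(replay_demo())
```

The reordered packet (sequence 3 arriving after 4) is accepted because it is still inside the window, the repeated sequence 2 is rejected as a replay, and sequence 100 is rejected as stale once the window has advanced to 200. A real SEG keeps one such window per inbound SA, which is why the SPI check sits in front of the replay check.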

Purpose & Motivation

NDS was created to address the fundamental shift of telecom networks from closed, circuit-switched systems using SS7 signaling to open, IP-based packet-switched architectures. Legacy SS7 networks had inherent physical security but were vulnerable to logical attacks. The migration to IP from 3GPP Release 4 onwards exposed signaling and user data to all the threats prevalent on the public internet, such as interception, manipulation, and denial-of-service attacks. A standardized, robust security framework for the network layer was urgently needed.

Before NDS, security was often implemented in an ad hoc manner or was limited to the radio access link (e.g., using algorithms like A5 in GSM). There was no unified standard for securing the core network backhaul and inter-operator connections. NDS solved this by adopting and profiling well-established IETF protocols like IPsec and IKE, tailoring them for the specific reliability, scalability, and interoperability needs of carrier-grade networks. It provided a clear model for securing domain boundaries, enabling secure interconnection between different operators' networks (a key requirement for roaming) and creating a 'walled garden' of trust for the operator's own infrastructure. This became increasingly critical with the move towards all-IP networks in 4G and 5G.

Key Features

  • End-to-end security for signaling and user data across network domains
  • Based on IPsec (ESP) and IKE for key management and tunnel establishment
  • Defines Security Gateway (SEG) architecture for inter-domain security
  • Specifies cryptographic algorithm suites and security policies
  • Extended to support TLS for 5G Service-Based Interfaces (SBIs)
  • Provides mandatory confidentiality and integrity protection for specified interfaces

Evolution Across Releases

Rel-8 Initial

Introduced the foundational NDS framework for securing IP-based network domains, primarily focusing on inter-operator interfaces. It specified the Security Gateway (SEG) architecture using IPsec ESP in tunnel mode and IKEv1/IKEv2 for key management, establishing the baseline for LTE/EPC security.

Defining Specifications

Specification   Title
TS 29.229       3GPP TS 29.229
TS 29.329       3GPP TS 29.329
TS 29.335       3GPP TS 29.335
TS 29.549       3GPP TS 29.549
TS 32.372       3GPP TR 32.372
TS 32.843       3GPP TR 32.843
TS 33.203       3GPP TR 33.203
TS 33.204       3GPP TR 33.204
TS 33.210       3GPP TR 33.210
TS 33.310       3GPP TR 33.310
TS 33.402       3GPP TR 33.402
TS 33.501       3GPP TR 33.501
TS 33.841       3GPP TR 33.841
TS 33.938       3GPP TR 33.938
TS 33.969       3GPP TR 33.969
TS 36.401       3GPP TR 36.401
TS 38.401       3GPP TR 38.401