Description
Network Domain Security for IP based Protocols (NDS/IP) is a specialized implementation profile of the broader Network Domain Security (NDS) framework. While NDS broadly covers inter-domain security (e.g., between operators), NDS/IP focuses on providing security *within* a single administrative IP network domain that is considered to have a certain level of inherent trust, but where additional layer 3/4 security is still required. Its primary goal is to protect IP-based protocol exchanges between network elements, such as between a Mobility Management Entity (MME) and a Home Subscriber Server (HSS) in 4G, or between various Network Functions (NFs) in 5G, against threats originating from within the IP transport network.
NDS/IP operates by applying security directly between communicating peers, without the mandatory intermediary Security Gateways (SEGs) used in the inter-domain NDS model. The most common mechanism specified is the use of IPsec, particularly the Encapsulating Security Payload (ESP) protocol, configured in transport mode. In transport mode, IPsec headers are inserted between the original IP header and the payload, protecting the higher-layer protocols (like SCTP carrying Diameter, or GTP-U) while leaving the original IP addresses visible for routing. This is more efficient than tunnel mode for direct communications. Key management is achieved using the Internet Key Exchange (IKE) protocol. In modern 5G deployments, NDS/IP's principles are also realized using Transport Layer Security (TLS) for the HTTP/2-based Service-Based Interfaces (SBIs), as mandated by 3GPP for intra-domain communication between NFs.
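To make the transport-mode layout concrete, here is an added example (not code from 3GPP or from this page) that builds and verifies an ESP transport-mode packet with NULL encryption and HMAC-SHA-256-128 integrity, so the original IP addresses stay visible while the SCTP/Diameter payload is integrity-protected and replay-checked. The addresses, SPI, key and payload are constructed sample values, NULL encryption is used only so the example runs on the standard library alone, and the anti-replay check is a simplified single-counter version of the sliding window a real implementation keeps.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50          # IP protocol number carried in the outer IP header for ESP
ICV_LEN = 16            # HMAC-SHA-256-128: 128-bit truncated Integrity Check Value
KEY = bytes(range(32))  # constructed 256-bit integrity key (sample value only)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options, checksum left zero) for illustration only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def esp_transport_encapsulate(src, dst, next_proto, payload, spi, seq):
    """Transport mode: original IP header, ESP header (SPI, seq), payload,
    ESP trailer (padding, pad length, next header) and ICV. Addresses stay clear."""
    pad_len = (-(len(payload) + 2)) % 4           # RFC 4303: align to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_proto])
    esp = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(KEY, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(src, dst, ESP_PROTO, len(esp) + ICV_LEN) + esp + icv

def esp_transport_decapsulate(packet, expected_spi, highest_seq_seen):
    """Verify ICV, SPI and sequence number; return (src, dst, next_proto, payload)
    or None when the packet must be dropped (tampered, wrong SA, or replayed)."""
    if packet[9] != ESP_PROTO:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))   # readable in the clear
    dst = str(ipaddress.IPv4Address(packet[16:20]))   # readable in the clear
    esp, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(KEY, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                                   # integrity failure: drop
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != expected_spi or seq <= highest_seq_seen:
        return None                                   # wrong SA or replay: drop
    pad_len, next_proto = esp[-2], esp[-1]
    payload = esp[8:len(esp) - 2 - pad_len]
    return src, dst, next_proto, payload
```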
The role of NDS/IP is to create a secure overlay on the operator's internal IP backbone. It mitigates risks such as insider attacks, misconfigured network equipment, or compromised hosts within the domain that could eavesdrop on or manipulate sensitive signaling traffic (e.g., Diameter, GTP-C) and user plane data. By enforcing peer authentication, data origin authentication, integrity, and confidentiality, it ensures that critical communications are protected according to the principles of least privilege and defense in depth rather than relying on the assumed trust of the domain. It is a key enabler for network virtualization (NFV), where functions may run on shared commercial off-the-shelf hardware, making logical isolation via NDS/IP crucial.
Purpose & Motivation
NDS/IP was developed to address the security requirements of an operator's internal network domain as it transitioned to an all-IP architecture. While the inter-domain NDS framework with SEGs was essential for borders, operators needed a standardized, efficient method to secure the vast amount of traffic flowing *inside* their own networks. Relying solely on physical security of the backbone was insufficient, especially with the rise of distributed architectures and the potential for lateral movement by attackers who breached the perimeter.
Prior to NDS/IP, intra-domain security was often neglected or implemented using non-standard, vendor-specific methods, leading to potential gaps and interoperability issues. The creation of NDS/IP provided a 3GPP-standardized profile that defined how to correctly and consistently apply IPsec (and later TLS) for intra-domain protection. It solved the problem of how to efficiently secure peer-to-peer links without the overhead of full tunnel-mode gateways, while still providing robust cryptographic protection. This was particularly important for signaling protocols like Diameter, which carry sensitive subscriber authentication and policy data, ensuring that this information remained protected across the entire path from its source to its destination within the operator's cloud.
Key Features
- Profile of NDS for intra-domain (within one operator) security
- Primarily uses IPsec ESP in transport mode for direct peer security
- Utilizes IKE for automated key management and peer authentication
- Protects IP-based control plane (e.g., Diameter, GTP-C) and user plane protocols
- Evolution to include mandatory TLS for 5G Service-Based Interfaces
- Enables defense-in-depth within a trusted administrative domain
Evolution Across Releases
Introduced NDS/IP as the intra-domain security profile within the initial NDS framework. It specified the use of IPsec (ESP in transport mode) and IKE to secure communications between network elements like MME, SGW, PGW, and HSS within a single operator's LTE/EPC network domain.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.722 | 3GPP TS 23.722 |
| TS 29.549 | 3GPP TS 29.549 |
| TS 33.141 | 3GPP TS 33.141 |
| TS 33.210 | 3GPP TS 33.210 |
| TS 33.402 | 3GPP TS 33.402 |