NDS/IP

Network Domain Security for IP based Protocols

Introduced in Rel-8. Also in: Security.

NDS/IP is a specific profile of the Network Domain Security framework for securing communications within a single, trusted IP-based network domain, typically using IPsec or TLS.

Category: Security
Introduced: Rel-8
Where: Services
Also touches: 1 segment
Specifications: 5 specs

Description

Network Domain Security for IP-based Protocols (NDS/IP) is a specialized implementation profile of the broader Network Domain Security (NDS) framework. While NDS broadly covers inter-domain security (e.g., between operators), NDS/IP focuses on providing security *within* a single administrative IP network domain that is considered to have a certain level of inherent trust, but where additional layer 3/4 security is still required. Its primary goal is to protect IP-based protocol exchanges between network elements, such as between a Mobility Management Entity (MME) and a Home Subscriber Server (HSS) in 4G, or between various Network Functions (NFs) in 5G, against threats originating from within the IP transport network.

NDS/IP operates by applying security directly between communicating peers, without the mandatory intermediary Security Gateways (SEGs) used in the inter-domain NDS model. The most common mechanism specified is the use of IPsec, particularly the Encapsulating Security Payload (ESP) protocol, configured in transport mode. In transport mode, IPsec headers are inserted between the original IP header and the payload, protecting the higher-layer protocols (like SCTP carrying Diameter, or GTP-U) while leaving the original IP addresses visible for routing. This is more efficient than tunnel mode for direct communications. Key management is achieved using the Internet Key Exchange (IKE) protocol. In modern 5G deployments, NDS/IP's principles are also realized using Transport Layer Security (TLS) for the HTTP/2-based Service-Based Interfaces (SBIs), as mandated by 3GPP for intra-domain communication between NFs.
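As an added illustration of the transport-mode layout described above (this is not code from TS 33.210 or from any 3GPP implementation), the following Python models one ESP security association with NULL encryption and HMAC-SHA-256-128 integrity between an MME and an HSS: the SPI, key, addresses and Diameter payload bytes are constructed, and the IPv4 header checksum is left unset.

```python
# Added example, not TS 33.210 code: ESP transport mode with integrity-only
# protection (ENCR_NULL + HMAC-SHA-256-128) per the RFC 4303 layout.
import hashlib, hmac, socket, struct

ESP_PROTO = 50      # IP protocol number for ESP
SCTP_PROTO = 132    # next-header value carried in the ESP trailer
ICV_LEN = 16        # HMAC-SHA-256-128 truncates the tag to 128 bits

def esp_encapsulate(spi, seq, payload, next_hdr, key):
    """ESP header + payload + trailer + ICV. With NULL encryption the trailer
    (padding, pad length, next header) is readable but still ICV-protected."""
    hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4            # align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = hdr + payload + trailer                 # everything the ICV covers
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def ipv4_transport(src, dst, esp):
    """Transport mode keeps the original IP header (addresses stay routable);
    only the protocol field becomes ESP. Header checksum left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64,
                       ESP_PROTO, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + esp

class EspInbound:
    """Receiver side of one SA: verify the ICV, then enforce anti-replay."""
    def __init__(self, key, window=64):
        self.key, self.window, self.highest, self.seen = key, window, 0, set()

    def decapsulate(self, esp):
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: modified in transit or wrong SA")
        spi, seq = struct.unpack("!II", body[:8])
        if seq in self.seen or seq + self.window <= self.highest:
            raise ValueError(f"replayed or stale sequence number {seq}")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        pad_len, next_hdr = body[-2], body[-1]
        return spi, next_hdr, body[8:len(body) - 2 - pad_len]

def mme_hss_demo():
    """One Diameter-over-SCTP packet MME -> HSS on a transport-mode SA. On the
    wire only the peers and protocol 50 show; SCTP is named in the trailer."""
    key, sctp = b"constructed-32-byte-key-for-demo", b"Diameter AIR (constructed)"
    esp = esp_encapsulate(0x1234, 1, sctp, SCTP_PROTO, key)
    pkt = ipv4_transport("10.0.1.10", "10.0.2.20", esp)
    spi, next_hdr, payload = EspInbound(key).decapsulate(pkt[20:])
    return pkt[9] == ESP_PROTO and next_hdr == SCTP_PROTO and payload == sctp
```

A real SA would use an AEAD such as AES-GCM so the SCTP payload is also confidential; the header placement and the replay check are the same.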

The role of NDS/IP is to create a secure overlay on the operator's internal IP backbone. It mitigates risks such as insider attacks, misconfigured network equipment, or compromised hosts within the domain that could eavesdrop on or manipulate sensitive signaling traffic (e.g., Diameter, GTP-C) and user plane data. By enforcing peer authentication, data origin authentication, integrity, and confidentiality, it ensures that even within the 'trusted' domain, critical communications adhere to the principle of least privilege and defense in depth. It is a key enabler for network virtualization (NFV), where functions may run on shared commercial off-the-shelf hardware, making logical isolation via NDS/IP crucial.

Purpose & Motivation

NDS/IP was developed to address the security requirements of an operator's internal network domain as it transitioned to an all-IP architecture. While the inter-domain NDS framework with SEGs was essential for borders, operators needed a standardized, efficient method to secure the vast amount of traffic flowing *inside* their own networks. Relying solely on physical security of the backbone was insufficient, especially with the rise of distributed architectures and the potential for lateral movement by attackers who breached the perimeter.

Prior to NDS/IP, intra-domain security was often neglected or implemented using non-standard, vendor-specific methods, leading to potential gaps and interoperability issues. The creation of NDS/IP provided a 3GPP-standardized profile that defined how to correctly and consistently apply IPsec (and later TLS) for intra-domain protection. It solved the problem of how to efficiently secure peer-to-peer links without the overhead of full tunnel-mode gateways, while still providing robust cryptographic protection. This was particularly important for signaling protocols like Diameter, which carry sensitive subscriber authentication and policy data, ensuring that this information remained protected across the entire path from its source to its destination within the operator's cloud.

Classification

Part of: IPSec
Specific types: IPUPSSEASEKSIK

Detected Changes Across Releases

From 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (14 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-8, normative work from Rel-15.

Rel-15 (1 change)

In Release 15, the NDS/IP function was updated to include application layer crypto profiles within its scope. This enhancement specifically addresses the security protocol requirements for the Common API Framework (CAPIF), ensuring a common security model for API implementations to provide confidentiality and integrity protection. The update supports the secure exposure of service APIs to invokers both inside and outside the PLMN trust domain.

  • Update NDS/IP scope with application layer crypto profiles (TS 33.210, CR0050)

Rel-16 (2 changes)

In Release 16, the NDS/IP function was updated to include application layer cryptographic profiles within its scope, thereby expanding its security specifications. This release also incorporated editorial corrections to the existing NDS/IP documentation to improve clarity and accuracy.

  • Update NDS/IP scope with application layer crypto profiles (TS 33.210, CR0056)
  • Editorial corrections to NDS/IP (TS 33.210, CR0068)

Rel-17 (6 changes)

In Release 17, the NDS/IP updates focused on modernizing security protocols and references. This included updating IPsec references from obsolete RFCs to current standards like RFC 8247 and RFC 8221, as well as implementing specific security updates for cryptographic algorithms and the SEAL-S protocol. These changes ensured the continued robustness and relevance of the security mechanisms for IP-based network interfaces.

  • Clarification on location based group for SS_GroupManagement API (TS 29.549, CR0068)
  • Security updates for algorithms and protocols for 33.210 (TS 33.210, CR0072)
  • SEAL-S security update for Release-17 (TS 29.549, CR0080)
  • Update IPSec references to rfc8221 (TS 33.210, CR0073)
  • Update IPSec reference from obsolete RFC 7296 to RFC 8247 (TS 33.210, CR0074)
  • SEAL-S security update (TS 29.549, CR0087)

Rel-18 (2 changes)

In Release 18, the NDS/IP function introduced new security considerations for API invokers accessing service APIs from outside the PLMN trust domain, specifically requiring mechanisms to hide the service topology from those external invokers. This was aligned with the ongoing work on a common security protocol model for all API implementations within the CAPIF framework. Furthermore, the release addressed the need for a minimum common protocol stack model to ensure consistency across different API implementations.

  • VAL Service area – Location based group (TS 29.549, CR0140)
  • Aligning DNS and ICMP security for non-3GPP access with 3GPP access (TS 33.402, CR0148)

Rel-19 (3 changes)

In Release 19, the NDS/IP function was updated with specific corrections and enhancements to the security clause for the Common API Framework (CAPIF). These updates included further study on mechanisms for topology hiding when API invokers access services from outside a trust domain and on defining a common security protocol model for all API implementations to ensure confidentiality and integrity.

  • Support of Short-Range based positioning information procedure (TS 29.549, CR0385)
  • Updates and corrections to the CAPIF related Security clause (TS 29.549, CR0460)
  • Resolve the ENs of short range based positioning management (TS 29.549, CR0438)

Defining Specifications

3GPP specifications that define or reference NDS/IP, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 23.722 vf10 | Common API Framework (CAPIF) for 3GPP Northbound APIs | Rel-15
TS 29.549 vj40 | SEAL API Specification for Vertical Applications | Rel-19
TS 33.141 vj00 | Security for Presence Service (Ut reference point) | Rel-19
TS 33.210 vj20 | UMTS Security for IP Networks | Rel-19
TS 33.402 vj00 | Security for non-3GPP access to EPS | Rel-19