NDS

Network Domain Security

Introduced in Rel-8. Also in: Core Network, Services, Radio Access Network.

NDS is the 3GPP security framework for protecting signaling and user data exchanged within and between network domains. It does so at the IP layer with IPsec security associations that provide confidentiality, integrity and anti-replay protection, complemented in newer architectures by TLS.

Category: Security | Introduced: Rel-8 | Also touches: 3 segments | Specifications: 17 specs

Description

Network Domain Security (NDS) is a cornerstone 3GPP security architecture that provides confidentiality, integrity, and replay protection for control plane (signaling) and user plane traffic within and between network domains. A 'network domain' (security domain) is a network managed by a single administrative authority, such as an operator's core network or a roaming partner's network. NDS ensures that communications between Network Functions (NFs) or network elements, inside a domain or across domain borders, are protected against eavesdropping, tampering, and spoofing. It operates primarily at the IP layer, securing the IP-based protocols used within the 3GPP architecture independently of the application protocol carried.

The architecture of NDS is built around Security Gateways (SEGs) and the application of Internet Protocol Security (IPsec). In its classic form, traffic between two security domains, for example between two operators' networks, passes through a SEG at each domain's border. The interface between SEGs of different domains is called Za; Zb denotes the interface between a network element and its SEG, or between two network elements, inside one domain. The SEGs establish IPsec Encapsulating Security Payload (ESP) security associations in tunnel mode, so protection is gateway-to-gateway rather than end-to-end between the communicating network elements, and traffic inside each domain is protected according to that operator's own policy. NDS/IP, specified in TS 33.210, is the IP-layer part of NDS: within a single trusted operator domain it can be applied on Zb using IPsec ESP (tunnel mode is mandatory to support, transport mode optional), while modern 3GPP architectures increasingly rely on Transport Layer Security (TLS) for service-based interfaces. NDS defines the security policies, the key management procedures (IKEv2; IKEv1 only in early releases), and the cryptographic algorithm profiles to be used. Certificate-based authentication of SEGs and network elements is covered by the NDS Authentication Framework (NDS/AF) in TS 33.310.
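The following strongSwan swanctl.conf fragment is an added illustration of the Za arrangement described above; it is not configuration from the 3GPP specifications or from any operator. It assumes two hypothetical SEGs (seg-a.example at 192.0.2.1 protecting 10.0.0.0/16, seg-b.partner.example at 198.51.100.1 protecting 10.1.0.0/16) authenticated with certificates under a shared interconnection CA as NDS/AF provides for. The algorithm proposals are one reasonable set consistent with current IETF IKEv2/ESP guidance (RFC 8247 / RFC 8221), not a quotation of the TS 33.210 profile; check the profile in the release you deploy.

```conf
# /etc/swanctl/swanctl.conf  -- one Za tunnel between two SEGs (added example)
connections {
    za-partner-seg {
        version = 2                      # IKEv2 only; IKEv1 is not acceptable on Za
        local_addrs  = 192.0.2.1         # this SEG's outer address (assumed)
        remote_addrs = 198.51.100.1      # peer SEG's outer address (assumed)

        # Mutual certificate authentication (NDS/AF style). The peer certificate
        # must chain to a CA placed in /etc/swanctl/x509ca/; no PSK fallback.
        local {
            auth  = pubkey
            certs = seg-a.example.pem
            id    = "CN=seg-a.example, O=Operator A"
        }
        remote {
            auth = pubkey
            id   = "CN=seg-b.partner.example, O=Operator B"
        }

        # IKE SA: AEAD or AES-CBC+HMAC-SHA-256 with a 2048-bit MODP or P-256 group.
        # Weak example to avoid: proposals = 3des-sha1-modp1024
        proposals  = aes128gcm16-prfsha256-ecp256, aes128-sha256-modp2048
        rekey_time = 4h
        dpd_delay  = 30s                 # dead peer detection keeps the SA honest

        children {
            za-tunnel {
                mode      = tunnel       # NDS/IP: ESP in tunnel mode between SEGs
                local_ts  = 10.0.0.0/16  # traffic selectors = the protected domains
                remote_ts = 10.1.0.0/16
                # ESP with confidentiality + integrity; PFS group on child rekey.
                esp_proposals = aes128gcm16-ecp256, aes128-sha256-modp2048
                # Anti-replay is required by NDS; never set replay_window = 0,
                # which disables it in strongSwan.
                replay_window = 32
                rekey_time    = 1h
                start_action  = start    # bring the tunnel up at load, not on demand
                dpd_action    = restart
            }
        }
    }
}
```

Load with `swanctl --load-all` and confirm with `swanctl --list-sas` that the child SA shows `TUNNEL` mode and the negotiated AEAD or cipher/integrity pair; a SEG that negotiates down to an unexpected proposal, or that shows ESP without integrity, is misconfigured regardless of whether the tunnel is up.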

Its role is pervasive. In the 5G core, NDS/IP as profiled in TS 33.210 is the protection mechanism for the non-service-based reference points, such as N2 (between the (R)AN and the AMF), N3 (between the (R)AN and the UPF), N4 (between the SMF and UPF), N9 (between UPFs) and Xn (between gNBs). In the 5G Service-Based Architecture (SBA), the same goals are met with TLS for the HTTP/2-based service-based interfaces (e.g., N8, N10, N12) between NF consumers and producers, and inter-PLMN signaling between SEPPs over N32 is protected by TLS or by PRINS with application-layer crypto profiles rather than by SEG tunnels. The framework ensures that even if the underlying transport network is untrusted, the payload remains protected, isolating the 3GPP core from external IP networks and protecting internal communications against an attacker with access to the transport. One caveat matters in practice: support for NDS/IP is mandatory, but 3GPP leaves it to operator policy whether to switch on cryptographic protection on interfaces it considers trusted (e.g., physically protected links), so an audit should verify that protection is actually enabled, not merely supported.

Purpose & Motivation

NDS was created to address the fundamental shift of telecom networks from closed, circuit-switched systems using SS7 signaling to open, IP-based packet-switched architectures. Legacy SS7 networks relied on the closed, trusted nature of the operator interconnect rather than on cryptographic protection, which left them vulnerable to anyone who gained logical access. The migration to IP from 3GPP Release 4 onwards exposed signaling and user data to the threats prevalent on the public internet, such as interception, manipulation, and denial of service. A standardized, robust security framework for the network layer was urgently needed.

Before NDS, security was often implemented in an ad-hoc manner or was limited to the radio access link (e.g., the A5 algorithms in GSM). There was no unified standard for securing the core network backhaul and inter-operator connections. NDS solved this by adopting and profiling well-established IETF protocols, IPsec and IKE, tailoring them to the reliability, scalability, and interoperability needs of carrier-grade networks. It provided a clear model for securing domain boundaries, enabling secure interconnection between different operators' networks (a key requirement for roaming) and creating a 'walled garden' of trust for the operator's own infrastructure, which became increasingly critical with the move towards all-IP networks in 4G and 5G.

Classification

Part of: IPsec

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (158 CRs across 6 releases). This complements the general overview above with the evidence-based evolution of this function.

Studied in Rel-8, normative work from Rel-15.

Rel-15: 60 changes

In Release 15, key NDS changes included extending the NDS/IP scope to application layer crypto profiles used on the N32 interface and specifying security mechanisms for the non-service-based interfaces within the 5G Core. The release also provided extensive clarifications to foundational NDS/IP requirements, such as IPsec implementation, security domains, and security handling during mobility and state transitions. Furthermore, it introduced new security mechanisms for specific functions such as Steering of Roaming and the UE Parameters Update via UDM control plane procedure.

  • Update NDS/IP scope with application layer crypto profiles (TS 33.210 CR0050)
  • Clarifications to security requirements and features (clause 5) (TS 33.501 CR0161)
  • Security Negotiation for RRC INACTIVE (TS 33.501 CR0183)
  • Security Mechanism for Steering of Roaming (TS 33.501 CR0214)
  • CR-slice-management-security (TS 33.501 CR0290)
  • Security mechanisms for non-SBA interfaces in 5GC (TS 33.501 CR0374)

+ 54 more changes

Rel-16: 26 changes

In Release 16, the NDS/IP scope was again updated for application layer crypto profiles, and new security requirements were introduced for 5GLAN services, SeCoP (the Service Communication Proxy), and the Inter-PLMN User Plane Security (IPUPS) function. The release also added security provisions for non-public networks, SRVCC from 5G to UTRAN CS, and roaming interfaces in indirect communication. Furthermore, it incorporated security aspects for DNS and ICMP, TSC services (including access and user plane security), 5G URLLC, 5WWC (wireless and wireline convergence), and the F1 interface security set-up procedure.

  • Update NDS/IP scope with application layer crypto profiles (TS 33.210 CR0056)
  • Security for non-public networks (TS 33.501 CR0641)
  • Security for SRVCC for 5G to UTRAN CS (TS 33.501 CR0660)
  • Security for roaming interfaces in indirect communication (TS 33.501 CR0675)
  • Security requirements for SeCoP (TS 33.501 CR0692)
  • Security for 5GLAN services (TS 33.501 CR0704)

+ 20 more changes

Rel-17: 32 changes

In Release 17, the NDS function was updated with new security algorithms and protocols across its core specifications, including TS 33.203, 33.210, and 33.310. The release also introduced specific security annexes and aspects for new features such as edge computing, 5MBS, and eNPN. Furthermore, it updated IETF references, for example adopting RFC 8247 for IKEv2 algorithm implementation requirements (RFC 8247 obsoletes RFC 4307; RFC 7296, the IKEv2 protocol specification itself, remains current and is not replaced by it).

  • Security updates for algorithms and protocols in 33.203 (TS 33.203 CR0262)
  • Security updates for algorithms and protocols for 33.210 (TS 33.210 CR0072)
  • Security updates for algorithms and protocols in 33.310 (TS 33.310 CR0120)
  • Security updates for algorithms and protocols for 33.310 (TS 33.310 CR0124)
  • New Annex for Edge computing security (TS 33.501 CR1222)
  • Security aspects of eNPN (TS 33.501 CR1252)

+ 26 more changes

Rel-18: 22 changes

In Release 18, the NDS function was expanded with new security specifications for emerging services and architectures, including enhanced security for MSGin5G, Non-Public Networks phase 2, and AI/ML model storage and sharing. It introduced specific security procedures for EAS discovery in both roaming and non-roaming scenarios and for user plane positioning in 5G location services. The release also provided clarifications and fixes for existing mechanisms, such as updates to transport security between MSGin5G servers and alignment of the security profiles for PRINS and for SEPP certificates.

  • Security aspects of MSGin5G Service in rel-18 (TS 33.501 CR1565)
  • Security aspects of enhanced support of Non-Public Networks phase 2 (TS 33.501 CR1671)
  • Security of EAS discovery procedure via V-EASDF in roaming Scenario (TS 33.501 CR1741)
  • Security handling in network sharing scenario (TS 33.501 CR1744)
  • Security in 5G system location services to support user plane positioning (TS 33.501 CR1765)
  • Security aspects of enablers for Network Automation for 5G (TS 33.501 CR1786)

+ 16 more changes

Rel-19: 17 changes

In Release 19, the NDS function was expanded with new security specifications for several emerging services and network functions. Key additions include security for the MSGin5G service (phase 3), N6 delay measurements, and Core Network Enhanced Support for AI/ML, alongside new procedures for inter-CU LTM security and 5GC signalling traffic monitoring. The release also provided updates and corrections to existing security frameworks, such as the CAPIF security clause, IPsec re-authentication for non-3GPP access, and security handling in Control Plane CIoT 5GS Optimization.

  • Updates and corrections to the CAPIF related Security clause (TS 29.549 CR0460)
  • Adding security aspects of MSGin5G service Ph3 (TS 33.501 CR2047)
  • Security of Signalling Traffic Monitoring (TS 33.501 CR2089)
  • Security of N6 delay measurements (TS 33.501 CR2092)
  • Security for PLMN hosting a NPN (TS 33.501 CR2137)
  • Security procedure for inter-CU LTM (TS 33.501 CR2153)

+ 11 more changes

Rel-20: 1 change

In Release 20, the single detected NDS change introduces a procedure to make specific security parameters visible to RIs (Roaming Intermediaries, i.e. the IPX or roaming hub providers sitting on the inter-PLMN path). The extracted summary additionally describes Diameter routing detail: the FQDN is taken from the DiameterURI AVP and used for the Destination-Host and Destination-Realm AVPs in accounting requests, the parent domain is derived from that FQDN, and the number of labels retained for the Destination-Realm is a pre-provisioned configuration option rather than something inferred at run time.

  • Procedure to making some security parameters visible to RIs (TS 33.501 CR2191)
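The realm-derivation step described above is easy to get wrong at the edges (a URI that is not a DiameterURI, an IP literal where an FQDN is expected, a label count that would make the realm equal to the host). The Python below is an added example written for this page, not code from any 3GPP specification or Diameter stack. The URI grammar follows RFC 6733 (`aaa://FQDN[:port][;transport=...][;protocol=...]`); the function names, the sample URI and the label count of 5 (the TS 23.003 IMS home network domain layout) are assumptions chosen for illustration.

```python
"""Derive Destination-Host / Destination-Realm from a DiameterURI AVP (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# RFC 6733 DiameterURI: scheme aaa or aaas, an FQDN, optional :port, optional ;params.
_DIAMETER_URI = re.compile(
    r"^aaas?://(?P<fqdn>[^:;/\s]+)(?::(?P<port>\d{1,5}))?(?:;(?P<params>[^\s]*))?$"
)
# RFC 1123 host label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass(frozen=True)
class Destination:
    """Values to place in the Destination-Host and Destination-Realm AVPs."""
    host: str
    realm: str


def fqdn_from_diameter_uri(uri: str) -> str:
    """Extract and normalise the FQDN part of a DiameterURI.

    Rejects non-Diameter schemes, IP literals (not FQDNs) and malformed labels,
    so a bad AVP fails closed instead of being routed somewhere unintended.
    """
    m = _DIAMETER_URI.match(uri.strip())
    if m is None:
        raise ValueError(f"not a DiameterURI: {uri!r}")
    fqdn = m.group("fqdn").rstrip(".").lower()  # drop trailing root dot, case-fold
    labels = fqdn.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid FQDN in DiameterURI: {fqdn!r}")
    if all(label.isdigit() for label in labels):
        raise ValueError(f"IPv4 literal is not an FQDN: {fqdn!r}")
    return fqdn


def parent_domain(fqdn: str, labels: int) -> str:
    """Return the last `labels` labels of `fqdn` as the realm (its parent domain).

    `labels` models the pre-provisioned configuration option. The realm must be
    a proper parent of the host, so a count >= the host's label count is an error
    (assumption of this example, chosen so the realm can never equal the host).
    """
    parts = fqdn.split(".")
    if labels < 1:
        raise ValueError("realm label count must be >= 1")
    if labels >= len(parts):
        raise ValueError(f"cannot derive a {labels}-label parent domain from {fqdn!r}")
    return ".".join(parts[-labels:])


def destination_avps(diameter_uri: str, realm_labels: int) -> Destination:
    """Build Destination-Host / Destination-Realm values for an accounting request."""
    host = fqdn_from_diameter_uri(diameter_uri)
    return Destination(host=host, realm=parent_domain(host, realm_labels))


if __name__ == "__main__":
    # Constructed sample: an HSS inside an IMS home network domain, with the realm
    # provisioned as the 5-label IMS domain (ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org).
    sample_uri = "aaa://HSS1.ims.mnc001.mcc262.3gppnetwork.org:3868;transport=tcp"
    dest = destination_avps(sample_uri, realm_labels=5)
    print("Destination-Host :", dest.host)
    print("Destination-Realm:", dest.realm)
```

The label count is deliberately a parameter and not derived from the FQDN: a peer that could influence how many labels become the realm could steer accounting requests to a realm it controls, which is exactly why the text records it as pre-provisioned.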


Defining Specifications

3GPP specifications that define or reference NDS, with the latest known release. Sourced from the 3GPP document catalog. Version codes use the 3GPP letter scheme (vj = Rel-19, vk = Rel-20).

Specification   Version   Title                                                  Release
TS 29.229       vj10      Diameter Protocol for Cx/Dx Interfaces                 Rel-19
TS 29.329       vj10      Diameter Protocol for Sh Interface                     Rel-19
TS 29.335       vj00      Ud Interface Protocol for UDC (Stage 3)                Rel-19
TS 29.549       vj40      SEAL API Specification for Vertical Applications       Rel-19
TS 32.372       vj00      Security Service for IRP Information Service           Rel-19
TS 32.843       vd00      PS Domain Online Charging in Roaming                   Rel-13
TS 33.203       vj10      IMS Security Specification                             Rel-19
TS 33.204       vj00      TCAP Security (TCAPsec) Stage 2 Specification          Rel-19
TS 33.210       vj20      UMTS Security for IP Networks (NDS/IP)                 Rel-19
TS 33.310       vj50      3GPP Authentication Framework for Network Nodes (NDS/AF) Rel-19
TS 33.402       vj00      Security for non-3GPP access to EPS                    Rel-19
TS 33.501       vk00      5G Security Architecture and Procedures                Rel-20
TR 33.841       vg10      Security aspects; Study on 256-bit algorithms for 5G   Rel-16
TR 33.938       vj10      3GPP Cryptographic Inventory for 5G                    Rel-19
TR 33.969       vj00      Security for Public Warning System (PWS)               Rel-19
TS 36.401       vj00      E-UTRAN Overall Architecture Description               Rel-19
TS 38.401       vj10      NG-RAN Architecture Specification                      Rel-19