Description
The Security Gateway (SEGW) is a functional entity defined in the 3GPP architecture to secure connectivity between a 3GPP core network (the GSM/UMTS core, the Evolved Packet Core or the 5G Core) and an external IP network that the operator does not control. It is the operator-side termination point for IPsec (Internet Protocol Security) tunnels established either by the User Equipment (UE) itself or by an external network node. The SEGW authenticates the remote endpoint, negotiates the IKE and IPsec security associations with IKEv2 (Internet Key Exchange version 2), and enforces the operator's security policy on the traffic that enters and leaves the tunnel.
Architecturally, the SEGW sits at the edge of the operator's trusted domain. For untrusted non-3GPP access (for example a public Wi-Fi hotspot), the UE establishes an IPsec tunnel directly with the gateway; for trusted non-3GPP access the access network itself is relied upon and no UE-to-gateway tunnel is required. The tunnel encapsulates all traffic destined for the 3GPP core and protects it as it traverses the untrusted network. The gateway then decrypts the traffic and forwards it into the core: in EPC the ePDG hands it to the Packet Data Network Gateway (PGW) over S2b, and in 5GC the equivalent function, the N3IWF, hands user-plane traffic to the User Plane Function (UPF). It acts as a security anchor, hides the core network's internal topology and provides a first line of defense.
The SEGW's operation involves several components and procedures. It keeps a Security Policy Database (SPD) that defines which traffic selectors may be negotiated and which cryptographic algorithms are acceptable, and a Security Association Database (SAD) that holds the state of each established SA. During tunnel establishment it performs mutual authentication inside IKEv2: the gateway proves its identity with a certificate, and the UE is authenticated with EAP-AKA (or EAP-SIM in GAN), which binds the tunnel to the subscriber's (U)SIM credentials rather than to a secret held only on the device. Once the IPsec Security Association (SA) is established, the SEGW encrypts and decrypts packets, checks ESP sequence numbers against its anti-replay window, and, when IKEv2 NAT detection shows a NAT on the path, switches to UDP-encapsulated ESP on port 4500. Its role is distinct from, but can be co-located with, other gateway functions such as the ePDG (evolved Packet Data Gateway), which is the specific SEGW instance defined for untrusted non-3GPP access to the EPC.
In the broader network ecosystem, the SEGW is essential for secure enterprise access, IoT deployments and seamless mobility between 3GPP and non-3GPP radio technologies. It ensures that confidentiality, integrity and data-origin authentication are maintained for traffic entering the operator's domain from external networks, and normally anti-replay protection as well: RFC 4303 allows a receiver to disable the replay window, but a gateway facing an untrusted access network should keep it enabled. This makes the SEGW a foundational element of the 3GPP security architecture for heterogeneous access.
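Two of the checks described above, the anti-replay window on inbound ESP and the traffic-selector policy applied to the decrypted inner packet, are small enough to model end to end. The following Python is an added example written for this page, not code from any 3GPP specification or gateway product; the SPI, the UE's inner address, the core address range and the packet list are constructed for illustration, and the model assumes the caller has already verified the ESP integrity check value before consulting the replay window.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TrafficSelector:
    """One IKEv2 traffic selector (RFC 7296, section 3.13), simplified to an IP
    protocol number (0 = any), one CIDR block and an inclusive port range."""
    proto: int
    network: str
    port_lo: int = 0
    port_hi: int = 65535

    def matches(self, proto: int, ip: str, port: int) -> bool:
        return (self.proto in (0, proto)
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.network)
                and self.port_lo <= port <= self.port_hi)


class InboundChildSA:
    """Per-SA state the gateway keeps for one inbound ESP Child SA: the selectors
    agreed in IKEv2 plus the RFC 4303 (section 3.4.3) anti-replay sliding window."""

    def __init__(self, spi: int, ts_ue: TrafficSelector, ts_core: TrafficSelector,
                 window_size: int = 64):
        self.spi = spi
        self.ts_ue = ts_ue            # TSi: inner address(es) assigned to the UE
        self.ts_core = ts_core        # TSr: core destinations the UE may reach
        self.window_size = window_size
        self.highest_seq = 0          # right edge of the window
        self.window_bits = 0          # bit k set => highest_seq - k already received

    def check_replay(self, seq: int) -> bool:
        """Accept seq if it is new and not too old, and record it. A real ESP
        receiver updates the window only after the ICV has verified; this model
        assumes the caller has done that first."""
        if seq == 0:                                  # ESP sequence numbers start at 1
            return False
        if seq > self.highest_seq:                    # right of the window: slide it
            shift = seq - self.highest_seq
            if shift >= self.window_size:
                self.window_bits = 1                  # everything older falls out
            else:
                mask = (1 << self.window_size) - 1
                self.window_bits = ((self.window_bits << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:                # left of the window: stale
            return False
        if self.window_bits & (1 << offset):          # inside the window, seen before
            return False
        self.window_bits |= 1 << offset               # inside the window, new
        return True

    def admit(self, seq: int, proto: int, src: str, sport: int,
              dst: str, dport: int) -> str:
        """Decide the fate of one packet that arrived on this SA and decrypted
        correctly. Returns "forward" or the reason for dropping it."""
        if not self.check_replay(seq):
            return "drop: replayed or stale sequence number"
        if not self.ts_ue.matches(proto, src, sport):
            # A UE must not inject packets with an inner source it was not assigned.
            return "drop: inner source outside the UE's selector"
        if not self.ts_core.matches(proto, dst, dport):
            return "drop: destination not permitted by policy"
        return "forward"


def gateway_decisions() -> list:
    """Constructed scenario: the UE was assigned 10.99.7.21 from the gateway's pool
    and may reach the core service range 10.10.0.0/16 on any protocol and port."""
    sa = InboundChildSA(
        spi=0xC0FFEE01,
        ts_ue=TrafficSelector(0, "10.99.7.21/32"),
        ts_core=TrafficSelector(0, "10.10.0.0/16"),
    )
    packets = [
        # (ESP seq, IP proto, inner src, sport, inner dst, dport)
        (1, 6, "10.99.7.21", 40000, "10.10.1.5", 443),   # normal
        (2, 6, "10.99.7.21", 40001, "10.10.1.5", 443),   # normal
        (2, 6, "10.99.7.21", 40001, "10.10.1.5", 443),   # replay of seq 2
        (4, 6, "10.5.0.9", 40002, "10.10.1.5", 443),     # spoofed inner source
        (3, 17, "10.99.7.21", 5060, "10.10.2.2", 5060),  # reordered, still in window
        (5, 6, "10.99.7.21", 40003, "172.16.0.1", 22),   # outside the core range
    ]
    return [sa.admit(*p) for p in packets]


if __name__ == "__main__":
    for line in gateway_decisions():
        print(line)
```

The order of the checks mirrors a real receiver: the sequence number is judged on the outer ESP header before decryption, and the selector policy only on the inner packet afterwards. Note that the fourth packet advances the window even though policy drops it, which is also what a compliant receiver does.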
Purpose & Motivation
The SEGW was introduced to address the growing need for secure interconnection between 3GPP mobile networks and external IP-based networks, particularly as operators began to integrate non-3GPP access technologies like Wi-Fi. Prior to its standardization, securing such interconnections was often handled through proprietary solutions or generic firewalls, lacking a unified, interoperable method for establishing trusted, encrypted tunnels with mobile devices. The SEGW provides a standardized mechanism to extend the security perimeter of the mobile core network.
The primary problem it solves is the protection of control and user plane traffic as it traverses potentially untrusted networks. For example, when a user connects via a public Wi-Fi hotspot, the traffic between their device and the mobile core is exposed to eavesdropping and manipulation. The SEGW, in conjunction with the UE, creates an IPsec tunnel that effectively turns the untrusted access link into a virtual wire into the operator's trusted domain. This tunnel model was first standardized for GAN (Generic Access Network) and later reused for untrusted non-3GPP access into the EPC and 5GC.
Historically, its development was motivated by 3GPP's work on system architecture evolution and fixed-mobile convergence. TS 43.318 (GAN) and later TS 23.402 (architecture enhancements for non-3GPP accesses) formalized its role. The SEGW allows operators to offer secure services regardless of the underlying access technology, which is a cornerstone of consistent quality of experience and security in multi-access networks.
Key Features
- Termination point for IPsec tunnels (IKEv2/IPsec)
- Mutual authentication of tunnel endpoints (certificate for the gateway, EAP-SIM/EAP-AKA for the UE)
- Enforcement of security policies for encrypted traffic
- Support for NAT traversal (IKEv2 NAT detection and UDP encapsulation of ESP)
- Serves as the security anchor for untrusted non-3GPP access
- Interworks with core network functions (PGW in EPC, UPF in 5GC) for user plane forwarding
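The NAT traversal support listed above begins with IKEv2 NAT detection (RFC 7296, section 2.23): each peer hashes the addresses it believes it is using, and the other side recomputes the hashes over what it actually sees on the wire. The example below is added here and is not part of the original page or of any 3GPP specification; it computes the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payload data the way both peers do and shows the gateway concluding that the UE sits behind a NAT. The SPIs, addresses and ports are constructed values, and the single-address handling is a simplification of what RFC 7296 allows.

```python
import hashlib
import ipaddress
import struct


def nat_detection_data(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Payload data of a NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP
    notify (RFC 7296, section 2.23): SHA-1 over SPIi || SPIr || IP address || port,
    SPIs in IKE-header order, port as a 16-bit big-endian integer."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def responder_nat_check(spi_i: bytes, spi_r: bytes, notify_src: bytes,
                        notify_dst: bytes, observed_src: tuple, local: tuple) -> tuple:
    """The SEGW's side of NAT detection on a received IKE_SA_INIT request.
    observed_src is the (ip, port) the datagram actually came from, local is the
    (ip, port) it arrived on. Returns (nat_in_front_of_ue, nat_in_front_of_gateway).
    An initiator with several addresses may send several SOURCE_IP notifies; this
    model handles the single-address case only (a simplification, not the RFC)."""
    expected_src = nat_detection_data(spi_i, spi_r, *observed_src)
    expected_dst = nat_detection_data(spi_i, spi_r, *local)
    return notify_src != expected_src, notify_dst != expected_dst


def ike_sa_init_demo() -> tuple:
    """Constructed scenario: a UE on home Wi-Fi behind a NAT router sends its
    IKE_SA_INIT request. In the request the responder SPI is still zero."""
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r = bytes(8)
    ue_private = ("192.168.1.5", 500)       # what the UE believes its address is
    segw = ("203.0.113.10", 500)            # public address of the gateway
    # The UE fills the two notifies from the addresses it knows about.
    n_src = nat_detection_data(spi_i, spi_r, *ue_private)
    n_dst = nat_detection_data(spi_i, spi_r, *segw)
    # The home router rewrites the source to its public address and a new port.
    seen_by_segw = ("198.51.100.7", 38221)
    nat_ue, nat_gw = responder_nat_check(spi_i, spi_r, n_src, n_dst, seen_by_segw, segw)
    # With a NAT on the path both peers move to UDP/4500 and ESP is UDP-encapsulated
    # (RFC 3948); otherwise plain ESP, IP protocol 50, is used.
    transport = "udp/4500 (ESP in UDP)" if (nat_ue or nat_gw) else "esp (IP proto 50)"
    return nat_ue, nat_gw, transport


if __name__ == "__main__":
    print(ike_sa_init_demo())
```

Because the hash covers the SPIs as well as the address and port, a notify captured from one IKE exchange cannot be replayed into another to make a gateway misjudge the NAT situation; the gateway's own DESTINATION_IP check is what tells it whether it is itself behind a NAT, which matters for deployments where the SEGW's public address is translated.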
Evolution Across Releases
Introduced with the Generic Access Network (GAN), where the GANC-SEGW terminates the IPsec tunnel from the mobile station arriving over a generic IP access network, and carried forward in System Architecture Evolution, where the same model reappears as the ePDG for untrusted non-3GPP access to the EPC. In both cases the gateway establishes IPsec tunnels with UEs over untrusted IP access networks and thereby enables secure access to 3GPP core network services.
Defining Specifications
| Specification | Title |
|---|---|
| TS 43.318 | Generic Access Network (GAN); Stage 2 |
| TR 43.902 | Enhanced Generic Access Networks (EGAN) study |
| TS 44.318 | Generic Access Network (GAN); Mobile GAN interface layer 3 specification; Stage 3 |
| TS 23.402 | Architecture enhancements for non-3GPP accesses |