SEPP

Security Edge Protection Proxy


SEPP is a security proxy deployed at the network edge to protect the Service-Based Interface within and between 5G Core networks by authenticating, authorizing, and securing all inter-PLMN signaling messages.

Category: Security
Introduced: Rel-15
Where: Core Network › 5G Core
Also touches: 1 segment
Specifications: 10 specs

Description

The Security Edge Protection Proxy (SEPP) is a fundamental security node introduced in the 5G Core (5GC) architecture. It operates as a non-transparent proxy for all HTTP/2-based Service-Based Interface (SBI) messages that traverse network boundaries, primarily between different Public Land Mobile Networks (PLMNs) in roaming scenarios. The SEPP's primary function is to protect the N32 interface, which is the reference point for interconnectivity between SEPPs of different operators. It sits at the perimeter of a network, inspecting all inbound and outbound SBI traffic to and from Network Functions (NFs) like the AMF, SMF, and NRF.

Architecturally, the SEPP is a dedicated Network Function that implements application-layer security. It works in conjunction with the Network Repository Function (NRF) for service discovery and policy control. For outbound messages destined for another PLMN, the home SEPP receives the SBI request from a producer NF, applies security processing (including potential encryption and integrity protection), and forwards it to the visited PLMN's SEPP. The visited SEPP then validates the message, removes the security encapsulation, and routes it to the appropriate consumer NF within its network. This hop-by-hop security model ensures that the internal network topology and NF identities are hidden from external entities.

The SEPP employs two main security mechanisms for the N32 interface: N32-c and N32-f. N32-c is a control plane interface used for security context establishment and parameter negotiation between two SEPPs before data exchange. N32-f is the forwarding interface that carries the actual protected SBI messages. Protection can be applied using JSON Web Encryption (JWE) for confidentiality and JSON Web Signature (JWS) for integrity and authentication of the HTTP messages. The SEPP also performs message filtering and topology hiding, stripping or modifying sensitive routing information in headers to prevent external networks from mapping the internal NF deployment. Its role is critical for enabling secure roaming, network slicing across operators, and the exposure of network capabilities to third-party application providers via the Network Exposure Function (NEF).
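As an added, deliberately simplified illustration (not code from 3GPP or from any SEPP implementation) of the hop-by-hop model and the JWS protection described in the two paragraphs above: the sending SEPP first hides internal topology (replaces the internal NF authority and drops a routing header), then integrity-protects the reformatted message with a compact JWS; the receiving SEPP verifies it and rejects a tampered copy. The HS256 shared key stands in for the security context that would be negotiated over N32-c, and the FQDNs, header list and message content are constructed; the real TS 29.573 encoding, which also places sensitive IEs under JWE, is not reproduced.

```python
import base64
import copy
import hashlib
import hmac
import json

# Constructed sample SBI request (hypothetical FQDNs and identifiers).
SBI_REQUEST = {
    "method": "POST",
    "authority": "nrf-1.internal.operator-a.example",  # internal NF name to be hidden
    "path": "/nnrf-disc/v1/nf-instances",
    "headers": {"3gpp-Sbi-Target-apiRoot": "https://amf-3.core.operator-a.example",
                "content-type": "application/json"},
    "body": {"target-nf-type": "AMF", "requester-nf-type": "SMF",
             "supi": "imsi-001010000000001"},
}
SEPP_FQDN = "sepp.5gc.mnc001.mcc001.3gppnetwork.org"  # assumed outward-facing identity
HIDE_HEADERS = ("3gpp-Sbi-Target-apiRoot",)           # assumed topology-revealing headers

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hide_topology(msg: dict) -> dict:
    """Outbound SEPP step: replace internal routing information with the SEPP's own identity."""
    out = copy.deepcopy(msg)
    out["authority"] = SEPP_FQDN
    for name in HIDE_HEADERS:
        out["headers"].pop(name, None)
    return out

def protect(msg: dict, key: bytes) -> str:
    """Sending SEPP: hide topology, then sign the reformatted message as a compact JWS (HS256)."""
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    payload = b64url(json.dumps(hide_topology(msg), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(jws: str, key: bytes):
    """Receiving SEPP: check the JWS and return the SBI message, or None if integrity fails."""
    header, payload, sig = jws.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # tampered or signed under a different security context
    return json.loads(b64url_decode(payload))

if __name__ == "__main__":
    token = protect(SBI_REQUEST, b"constructed-n32c-shared-key")
    print(json.dumps(verify(token, b"constructed-n32c-shared-key"), indent=2))
```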

Purpose & Motivation

The SEPP was created to address the significant security challenges introduced by the 5G Core's Service-Based Architecture (SBA) and its reliance on HTTP/2 APIs (the SBI). In previous generations (4G EPC), inter-operator signaling used Diameter-based protocols like S6a and S8, which had their own security mechanisms (e.g., IPsec, Diameter security). The shift to RESTful APIs and the need for more flexible network exposure created a new attack surface. Without a dedicated edge proxy, HTTP/2 messages between operators would be vulnerable to eavesdropping, tampering, and spoofing, and would expose internal network structures.

The primary problems the SEPP solves are securing the inter-PLMN communication for roaming and enabling safe third-party access. Roaming in 5G requires numerous SBI messages to flow between the home and visited network for authentication, session management, and policy control. The SEPP ensures these messages are authenticated, authorized, and protected end-to-end between the network perimeters. Furthermore, it facilitates topology hiding, which is a regulatory and security requirement for operators to conceal their internal network configuration from partners and potential attackers.

Its creation was motivated by the 3GPP's push for a cloud-native, web-friendly core network. The SBA allows for agile service deployment but inherits web security concerns. The SEPP is the standardized answer to applying robust, application-layer security tailored for telecom needs, replacing ad-hoc security gateways and ensuring a consistent, interoperable security baseline for global 5G deployment, especially for network slicing across administrative domains.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (217 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15: 87 changes

In Release 15, the SEPP (Security Edge Protection Proxy) was introduced as a new network entity to secure the interconnection between PLMNs in roaming scenarios, specifically protecting the N32 interface. It acts as a proxy to hide network topology and provides application layer security for inter-PLMN control plane messages. The architecture also allows for the SEPP to be deployed in a fully redundant configuration alongside the next-hop IPX proxy.

  • Clarifications to: Protection at the network or transport layer, Authorization and authentication between network functions and the NRF (TS 33.501 CR0147)
  • Clarifications to security requirements and features (clause 5) (TS 33.501 CR0161)
  • Security Negotiation for RRC INACTIVE (TS 33.501 CR0183)
  • Protection of internal gNB interfaces (TS 33.501 CR0209)
  • Introduction of DTLS for protection of Xn-C and N2 interfaces (TS 33.501 CR0210)
  • Security Mechanism for Steering of Roaming (TS 33.501 CR0214)


Rel-16: 43 changes

In Release 16, the SEPP's role was expanded to secure new roaming interfaces and services, specifically for indirect communication scenarios and to protect the N9 interface in home-routed roaming via the new Inter-PLMN User Plane Security (IPUPS) function. Furthermore, the SEPP's security mechanisms were enhanced to support TLS between Network Functions and the SEPP based on custom HTTP headers. These updates strengthened the SEPP's function as the security proxy for inter-PLMN control plane and, newly, user plane traffic.

  • Exchange IPX security information lists (TS 29.573 CR0020)
  • Clarification to Initial NAS message protection (TS 33.501 CR0636)
  • Security for non-public networks (TS 33.501 CR0641)
  • Security for SRVCC for 5G to UTRAN CS (TS 33.501 CR0660)
  • Security for roaming interfaces in indirect communication (TS 33.501 CR0675)
  • Security requirements for SeCoP (TS 33.501 CR0692)


Rel-17: 36 changes

In Release 17, key enhancements for the SEPP included the introduction of SEPP capability negotiation and a mechanism to discover the SEPP via the NRF, which are new functionalities compared to the previous release. Additionally, the release provided clarifications on the SEPP's role and its reference architecture within the security framework for inter-PLMN interfaces like N32.

  • EPS User Plane Integrity Protection using SMF+PGW-C (TS 23.501 CR3009)
  • SEPP capability negotiation (TS 29.573 CR0079)
  • New Annex for Edge computing security (TS 33.501 CR1222)
  • Security aspects of eNPN (TS 33.501 CR1252)
  • User Plane Integrity Protection Policy Handling in IW handover from EPS to 5GS (TS 33.501 CR1253)
  • Security aspects of 5MBS (TS 33.501 CR1255)


Rel-18: 30 changes

In Release 18, key enhancements for the SEPP included strengthening the robustness of the interfaces and protocols defined for the SEPP and introducing the ability to negotiate security profiles. Furthermore, specific procedures were defined for the N32-f interface with TLS security and for the protection of sensitive information in the request line, refining the security mechanisms for inter-PLMN communication.

  • Support the negotiation of security profiles (TS 29.573 CR0174)
  • Security aspects of MSGin5G Service in Rel-18 (TS 33.501 CR1565)
  • Security aspects of enhanced support of Non-Public Networks phase 2 (TS 33.501 CR1671)
  • Security of EAS discovery procedure via V-EASDF in roaming scenario (TS 33.501 CR1741)
  • Security handling in network sharing scenario (TS 33.501 CR1744)
  • Security in 5G system location services to support user plane positioning (TS 33.501 CR1765)


Rel-19: 20 changes

In Release 19, the SEPP function was enhanced to support new security procedures for inter-PLMN User Plane security (IPUPS) on the N9 interface and for proxying IP and Ethernet traffic via HTTP/MPQUIC. The release also introduced specific security requirements for 5GC Signaling Traffic Monitoring and for handling N6 delay measurements. Furthermore, corrections and updates were made to the SEPP service description, N32 security capabilities, and the security handling for UPU headers.

  • Exposure enhancements for static UE IP address assignment and 5G VN group's User Plane Security Policy (TS 23.501 CR5492)
  • Support QoS of proxying IP and Ethernet in HTTP over MPQUIC (TS 23.501 CR5527)
  • Adding security aspects of MSGin5G service Ph3 (TS 33.501 CR2047)
  • Security of Signalling Traffic Monitoring (TS 33.501 CR2089)
  • Security of N6 delay measurements (TS 33.501 CR2092)
  • Security for PLMN hosting a NPN (TS 33.501 CR2137)


Rel-20: 1 change

In Release 20, the SEPP function was enhanced with a new procedure to make certain security parameters visible to RIs (Roaming Intermediaries). This update builds upon the SEPP's established role in securing the N32 inter-PLMN interface and protecting network topology.

  • Procedure for making some security parameters visible to RIs (TS 33.501 CR2191)

Defining Specifications

3GPP specifications that define or reference SEPP, with the latest known release. Sourced from the 3GPP document catalog.

Specification   Version   Title                                                        Release
TS 23.501       vk00      5G System Architecture Stage 2                               Rel-20
TR 26.930       vj00      WebRTC Enhancements for Immersive RTC over 5G                Rel-19
TS 29.500       vj50      5GC Service Based Architecture Specification                 Rel-19
TS 29.513       vj40      5G PCC Signalling Flows & QoS Mapping                        Rel-19
TS 29.573       vj50      PLMN/SNPN Interconnection Interface Stage 3                  Rel-19
TS 33.117       vk00      Catalogue of General Security Assurance Requirements         Rel-20
TS 33.501       vk00      5G Security Architecture and Procedures                      Rel-20
TS 33.517       vk00      5G Security Assurance Specification (SCAS)                   Rel-20
TS 33.776       vj00      Study of ACME for 5G SBA                                     Rel-19
TR 33.841       vg10      Security aspects; Study on 256-bit algorithms for 5G         Rel-16