UP

IP User Plane Integrity Protection

Security
Introduced in R99
UP is a security mechanism that ensures the integrity of user plane data packets in 3GPP networks. It protects against unauthorized modification, insertion, or deletion of data during transmission between the UE and the network. This is crucial for maintaining data trustworthiness and service reliability, especially for sensitive applications.

Description

IP User Plane Integrity Protection (UP) is a cryptographic security feature designed to guarantee the integrity of user data traffic. It operates by generating and verifying integrity checksums, known as Message Authentication Codes (MACs), for IP packets traversing the user plane. The process involves a security algorithm and a secret integrity key shared between the User Equipment (UE) and the network node terminating the protection, typically the gNB in 5G or the eNB in 4G. For each outgoing packet, the sender computes a MAC over the packet payload and certain header fields, appending this MAC to the packet. The receiver independently computes the expected MAC using the same algorithm and key; if the computed MAC matches the received one, the packet's integrity is verified. If not, the packet is discarded, preventing corrupted or tampered data from being processed.

The architecture for UP is integrated within the Packet Data Convergence Protocol (PDCP) layer in both LTE and NR radio access networks. The PDCP entity is responsible for applying ciphering and, when configured, integrity protection for the user plane. The decision to activate UP is controlled by the network via Radio Resource Control (RRC) signaling, based on policy, subscriber profile, and the sensitivity of the data service. The integrity key used is derived as part of the 3GPP Authentication and Key Agreement (AKA) procedure, ensuring it is unique to the session and securely established.

UP's role is to provide integrity protection across the radio link between the UE and the radio access network, safeguarding against over-the-air attacks such as packet injection, replay, or manipulation by a malicious actor. It does not, by itself, protect the entire end-to-end path to the application server; that remains the responsibility of higher-layer protocols such as TLS or IPsec. Within the 3GPP trust boundary, however, UP is a fundamental layer of defense, strengthening the security posture of services like financial transactions, industrial control, and critical communications where data authenticity is paramount.
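The protect/verify flow and the key derivation described in the three paragraphs above, as an added Python model that is not code from this page or from 3GPP. It assumes HMAC-SHA-256 truncated to 32 bits as a stand-in for 128-NIA2 (AES-CMAC, which the standard library lacks); the KDF constants (FC 0x69, type distinguisher 0x06, NIA2 identity 0x02) are my reading of the TS 33.501 Annex A construction and are assumptions to check against the spec; the 4-byte COUNT header is a constructed simplification of the PDCP SN/HFN split. The receiver verifies the MAC-I before the replay check, so a forged COUNT can never poison the replay window, and the walk-through shows a modified payload, a replayed PDU and a wrong key all being discarded.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # PDCP MAC-I is 32 bits
HDR_LEN = 4  # constructed header carrying the full COUNT (real PDCP carries only the SN)

# Key derivation in the shape of TS 33.501 Annex A: KDF(K, S) = HMAC-SHA-256(K, S),
# S = FC || P0 || L0 || P1 || L1, with the low 128 bits of the output used as the key.
# The three constants below are assumed values for this illustration.
FC_ALG_KEY = 0x69          # FC for algorithm key derivation (assumed)
ALG_TYPE_N_UP_INT = 0x06   # algorithm type distinguisher for UP integrity (assumed)
NIA2 = 0x02                # algorithm identity of 128-NIA2 (assumed)


def derive_k_up_int(k_gnb: bytes, alg_id: int = NIA2) -> bytes:
    """Derive a 128-bit user plane integrity key from K_gNB."""
    s = (bytes([FC_ALG_KEY])
         + bytes([ALG_TYPE_N_UP_INT]) + struct.pack(">H", 1)
         + bytes([alg_id]) + struct.pack(">H", 1))
    return hmac.new(k_gnb, s, hashlib.sha256).digest()[-16:]


def mac_i(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """32-bit MAC-I over COUNT || BEARER || DIRECTION || padding || MESSAGE.

    The prefix layout mirrors the 128-NIA2 input; HMAC-SHA-256 truncated to
    32 bits stands in for AES-CMAC, which the standard library lacks."""
    prefix = (struct.pack(">I", count)
              + bytes([((bearer & 0x1F) << 3) | ((direction & 1) << 2)])
              + b"\x00\x00\x00")
    return hmac.new(key, prefix + message, hashlib.sha256).digest()[:MAC_LEN]


class PdcpTx:
    """Sender side: append MAC-I, then advance COUNT so no value is reused."""

    def __init__(self, key: bytes, bearer: int, direction: int):
        self.key, self.bearer, self.direction, self.count = key, bearer, direction, 0

    def protect(self, sdu: bytes) -> bytes:
        hdr = struct.pack(">I", self.count)
        tag = mac_i(self.key, self.count, self.bearer, self.direction, hdr + sdu)
        self.count += 1
        return hdr + sdu + tag


class PdcpRx:
    """Receiver side: verify MAC-I first, then reject replayed COUNT values."""

    def __init__(self, key: bytes, bearer: int, direction: int, window: int = 512):
        self.key, self.bearer, self.direction, self.window = key, bearer, direction, window
        self.highest = -1
        self.seen = set()
        self.stats = {"accepted": 0, "integrity_failures": 0, "replays": 0}

    def receive(self, pdu: bytes):
        if len(pdu) < HDR_LEN + MAC_LEN:
            self.stats["integrity_failures"] += 1
            return None
        hdr, body, tag = pdu[:HDR_LEN], pdu[HDR_LEN:-MAC_LEN], pdu[-MAC_LEN:]
        count = struct.unpack(">I", hdr)[0]
        expected = mac_i(self.key, count, self.bearer, self.direction, hdr + body)
        # Constant-time compare; a mismatch means modification, wrong key or corruption.
        if not hmac.compare_digest(tag, expected):
            self.stats["integrity_failures"] += 1
            return None
        # Replay check only on authentic PDUs: a forged COUNT cannot poison the window.
        if count in self.seen or count <= self.highest - self.window:
            self.stats["replays"] += 1
            return None
        self.seen.add(count)
        self.highest = max(self.highest, count)
        self.seen = {c for c in self.seen if c > self.highest - self.window}
        self.stats["accepted"] += 1
        return body


def demo() -> dict:
    """Walk one bearer through a normal PDU, a modified copy, a replay and a wrong key."""
    k_gnb = hashlib.sha256(b"constructed K_gNB for illustration only").digest()  # constructed
    key = derive_k_up_int(k_gnb)
    tx, rx = PdcpTx(key, bearer=5, direction=0), PdcpRx(key, bearer=5, direction=0)
    delivered = []

    good = tx.protect(b"amount=10.00;to=acct-42")        # constructed sample payload
    delivered.append(rx.receive(good))                     # accepted

    tampered = bytearray(good)                             # "10.00" -> "90.00" in flight
    tampered[HDR_LEN + 7] ^= ord("1") ^ ord("9")
    delivered.append(rx.receive(bytes(tampered)))          # MAC-I mismatch -> dropped

    delivered.append(rx.receive(good))                     # same COUNT again -> replay

    delivered.append(rx.receive(tx.protect(b"amount=5.00;to=acct-42")))  # accepted

    other = PdcpRx(derive_k_up_int(b"\x00" * 32), bearer=5, direction=0)
    other.receive(good)                                    # different key -> mismatch

    return {"stats": rx.stats, "delivered": [d for d in delivered if d is not None],
            "other_failures": other.stats["integrity_failures"]}


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: in a real PDCP entity the COUNT is reconstructed from the SN and HFN before verification, but the MAC-I must still be checked before any receive-window state is updated, otherwise an unauthenticated PDU could advance the window and cause genuine traffic to be dropped as replay.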

Purpose & Motivation

UP was introduced to address the growing need for robust security in mobile data services beyond traditional confidentiality protection. Early 3GPP standards primarily focused on ciphering user data to ensure privacy but did not mandate integrity protection for the user plane, leaving it vulnerable to data manipulation attacks. As mobile networks evolved to carry sensitive traffic like mobile banking, corporate VPN access, and IoT command-and-control, the risk of undetected data tampering became a significant concern. Integrity protection ensures that data received is exactly the data sent, which is a critical requirement for trust in digital services.

The motivation for UP's specification stemmed from threat analyses identifying that an attacker with radio access could alter user data packets without detection, potentially leading to fraud, service disruption, or safety issues. For instance, in an unsecured scenario, an attacker could modify transaction amounts in financial data or send false commands to an IoT device. UP solves this by providing a mechanism to detect any modification, ensuring data authenticity and non-repudiation within the radio access segment. Its creation was part of a broader 3GPP effort to strengthen security architecture across releases, aligning with regulatory and industry demands for more secure telecommunications infrastructure.

UP was initially optional, but its adoption and importance have grown with each generation, particularly in 5G, where it is a key feature for enhanced Mobile Broadband (eMBB), Ultra-Reliable Low-Latency Communications (URLLC), and massive IoT services. It addresses the limitations of earlier approaches that relied solely on application-layer security or network perimeter defenses, neither of which protects the vulnerable radio link itself. By integrating integrity at the PDCP layer, UP provides a standardized, efficient security baseline that the network can mandate and enforce for all user plane traffic.

Key Features

  • Integrity protection for user plane IP packets at the PDCP layer
  • Utilizes Message Authentication Codes (MACs) for tamper detection
  • Key derivation based on 3GPP AKA for secure session keys
  • Network-controlled activation via RRC signaling based on policy
  • Protection against packet injection, replay, and modification attacks
  • Standardized security algorithms (e.g., 128-bit SNOW 3G, AES, ZUC)

Evolution Across Releases

R99 Initial

Introduced the initial concept of user plane integrity protection within the 3GPP security architecture framework. Defined the foundational requirements and threat model, identifying the need for data origin authentication and integrity for IP-based user data. Initial specifications laid the groundwork for algorithm development and integration into the protocol stack.

Defining Specifications

Specification    Title
TS 21.905        3GPP TS 21.905
TS 23.153        3GPP TS 23.153
TS 23.714        3GPP TS 23.714
TS 23.730        3GPP TS 23.730
TS 23.799        3GPP TS 23.799
TS 23.868        3GPP TS 23.868
TS 23.910        3GPP TS 23.910
TS 23.977        3GPP TS 23.977
TS 24.502        3GPP TS 24.502
TS 25.305        3GPP TS 25.305
TS 25.331        3GPP TS 25.331
TS 25.410        3GPP TS 25.410
TS 25.415        3GPP TS 25.415
TS 26.919        3GPP TS 26.919
TS 28.531        3GPP TS 28.531
TS 29.244        3GPP TS 29.244
TS 29.412        3GPP TS 29.412
TS 29.414        3GPP TS 29.414
TS 29.522        3GPP TS 29.522
TS 29.820        3GPP TS 29.820
TS 29.844        3GPP TS 29.844
TS 29.892        3GPP TS 29.892
TS 32.251        3GPP TR 32.251
TS 32.972        3GPP TR 32.972
TS 33.401        3GPP TR 33.401
TS 33.501        3GPP TR 33.501
TS 33.503        3GPP TR 33.503
TS 33.740        3GPP TR 33.740
TS 33.820        3GPP TR 33.820
TS 33.825        3GPP TR 33.825
TS 33.851        3GPP TR 33.851
TS 33.853        3GPP TR 33.853
TS 33.859        3GPP TR 33.859
TS 33.863        3GPP TR 33.863
TS 36.331        3GPP TR 36.331
TS 36.425        3GPP TR 36.425
TS 36.938        3GPP TR 36.938
TS 38.331        3GPP TR 38.331
TS 38.410        3GPP TR 38.410
TS 38.413        3GPP TR 38.413
TS 38.415        3GPP TR 38.415
TS 48.103        3GPP TR 48.103