Description
IP User Plane Integrity Protection (UP) is a cryptographic security feature designed to guarantee the integrity of user data traffic. It operates by generating and verifying integrity checksums, known as Message Authentication Codes (MACs), for IP packets traversing the user plane. The process involves a security algorithm and a secret integrity key shared between the User Equipment (UE) and the network node terminating the protection, typically the gNB in 5G or the eNB in 4G. For each outgoing packet, the sender computes a MAC over the packet payload and certain header fields, appending this MAC to the packet. The receiver independently computes the expected MAC using the same algorithm and key; if the computed MAC matches the received one, the packet's integrity is verified. If not, the packet is discarded, preventing corrupted or tampered data from being processed.
The architecture for UP is integrated within the Packet Data Convergence Protocol (PDCP) layer in both LTE and NR radio access networks. The PDCP entity is responsible for applying ciphering and, when configured, integrity protection for the user plane. The decision to activate UP is controlled by the network via Radio Resource Control (RRC) signaling, based on policy, subscriber profile, and the sensitivity of the data service. The integrity key used is derived as part of the 3GPP Authentication and Key Agreement (AKA) procedure, ensuring it is unique to the session and securely established.
UP's role is to provide integrity protection for the radio link between the UE and the radio access network, safeguarding against over-the-air attacks such as packet injection, replay, or manipulation by a malicious actor. It does not typically protect the entire end-to-end path to the application server; that is the responsibility of higher-layer protocols like TLS or IPsec. Within the 3GPP trust boundary, however, UP is a fundamental layer of defense, enhancing the overall security posture for services like financial transactions, industrial control, and critical communications where data authenticity is paramount.
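The sender/receiver flow described above, as an added illustration that is not part of this page or of any 3GPP specification: a PDCP-style integrity check in which the MAC is bound to COUNT, BEARER and DIRECTION as well as the header and payload, the receiver discards packets whose MAC does not verify, and a re-used COUNT is rejected as a replay. HMAC-SHA256 truncated to 32 bits stands in for the 3GPP algorithms (NIA1/NIA2/NIA3), the two-byte header and COUNT = SN (HFN assumed 0) are simplifications, and the key and packet contents are constructed test values.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4   # PDCP MAC-I is 32 bits
HDR_LEN = 2   # simplified header: a 16-bit sequence number (SN)

def mac_i(key: bytes, count: int, bearer: int, direction: int, pdu: bytes) -> bytes:
    """MAC over header + payload, bound to COUNT, BEARER and DIRECTION as the 3GPP
    algorithms are. HMAC-SHA256 truncated to 32 bits stands in for NIA1/NIA2/NIA3."""
    assoc = struct.pack(">IBB", count, bearer & 0x1F, direction & 0x01)
    return hmac.new(key, assoc + pdu, hashlib.sha256).digest()[:MAC_LEN]

def protect(key: bytes, bearer: int, direction: int, sn: int, sdu: bytes) -> bytes:
    """Sender side: build header + payload, compute the MAC over both and append it."""
    pdu = struct.pack(">H", sn) + sdu
    return pdu + mac_i(key, sn, bearer, direction, pdu)   # COUNT = SN (HFN assumed 0)

class Receiver:
    """Receiver side: recompute the MAC, discard on mismatch, reject re-used COUNTs."""
    def __init__(self, key: bytes, bearer: int, direction: int):
        self.key, self.bearer, self.direction = key, bearer, direction
        self.seen_counts = set()   # real PDCP keeps a receive window; a set suffices here

    def verify(self, packet: bytes):
        """Return the SDU if the packet is genuine and fresh, else None (discarded)."""
        if len(packet) < HDR_LEN + MAC_LEN:
            return None
        pdu, received = packet[:-MAC_LEN], packet[-MAC_LEN:]
        count = struct.unpack(">H", pdu[:HDR_LEN])[0]   # COUNT = SN, HFN assumed 0
        expected = mac_i(self.key, count, self.bearer, self.direction, pdu)
        if not hmac.compare_digest(expected, received):
            return None            # integrity failure: tampered or forged packet
        if count in self.seen_counts:
            return None            # replay: this COUNT was already consumed
        self.seen_counts.add(count)
        return pdu[HDR_LEN:]

def demo():
    """Genuine packet accepted; a bit-flipped copy and a replayed copy are discarded."""
    key = b"\x11" * 32             # constructed test key, not a derived KUPint
    bearer, direction = 3, 0       # constructed: DRB id 3, uplink
    packet = protect(key, bearer, direction, sn=7, sdu=b"GET /balance")
    rx = Receiver(key, bearer, direction)
    accepted = rx.verify(packet)
    tampered = bytearray(packet)
    tampered[5] ^= 0x01            # one payload bit altered in transit
    return accepted, rx.verify(bytes(tampered)), rx.verify(packet)  # (b'GET /balance', None, None)
```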
Purpose & Motivation
UP was introduced to address the growing need for robust security in mobile data services beyond traditional confidentiality protection. Early 3GPP standards primarily focused on ciphering user data to ensure privacy but did not mandate integrity protection for the user plane, leaving it vulnerable to data manipulation attacks. As mobile networks evolved to carry sensitive traffic like mobile banking, corporate VPN access, and IoT command-and-control, the risk of undetected data tampering became a significant concern. Integrity protection ensures that data received is exactly the data sent, which is a critical requirement for trust in digital services.
The motivation for UP's specification stemmed from threat analyses identifying that an attacker with radio access could alter user data packets without detection, potentially leading to fraud, service disruption, or safety issues. For instance, in an unsecured scenario, an attacker could modify transaction amounts in financial data or send false commands to an IoT device. UP solves this by providing a mechanism to detect any modification, ensuring data authenticity and non-repudiation within the radio access segment. Its creation was part of a broader 3GPP effort to strengthen security architecture across releases, aligning with regulatory and industry demands for more secure telecommunications infrastructure.
Initially optional, UP has grown in adoption and importance with each generation, particularly in 5G, where it is a key feature for enabling enhanced Mobile Broadband (eMBB), Ultra-Reliable Low-Latency Communications (URLLC), and massive IoT services. It addresses the limitations of previous approaches that relied solely on application-layer security or network perimeter defenses, which might not protect the vulnerable radio link. By integrating integrity at the PDCP layer, UP provides a standardized and efficient security baseline that the network can enforce as mandatory for all user plane traffic.
Detected Changes Across Releases from 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (177 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the UP (User Plane) Integrity Protection function saw specific enhancements and clarifications, including its activation mechanism and its application for Early Data Transmission (EDT). The release also introduced corrections and clarifications to the overall UP security policy confirmation and the related security mechanisms. Furthermore, integrity protection was extended to cover the scenario of User Plane over Control Plane utilizing NAS-level security.
- User plane IPsec SA establishment not accepted (TS 24.502 CR0023)
- Clarifications to: Protection at the network or transport layer, Authorization and authentication between network functions and the NRF (TS 33.501 CR0147)
- Protection of internal gNB interfaces (TS 33.501 CR0209)
- Introduction of DTLS for protection of Xn-C and N2 interfaces (TS 33.501 CR0210)
- Security mechanism for UE Parameters Update via UDM Control Plane Procedure (TS 33.501 CR0484)
- Control Plane latency reduction (TS 36.331 CR3453)
+ 68 more changes
In Release 16, the User Plane Integrity Protection (UP IP) function was updated with new capabilities and clarifications. These included the introduction of security for the N9 interface and the definition of security requirements for the Inter-PLMN User Plane Security (IPUPS) function. The release also provided corrections and clean-up for procedures like PDCP duplication and handling of the N9 roaming user plane.
- Clarification to Initial NAS message protection (TS 33.501 CR0636)
- UP security in TSC (TS 33.501 CR0707)
- Protection of N9 interface (TS 33.501 CR0689)
- Security requirements for Inter-PLMN User Plane Security (IPUPS) Function (TS 33.501 CR0754)
- F1 interface security set-up procedure (TS 33.501 CR0844)
- Common CP/UP aspects of CIoT UEs when connected to 5GC (TS 38.413 CR0153)
+ 32 more changes
In Release 17, the key new development for User Plane Integrity Protection (UP IP) was the introduction of its support for EPC-connected architectures that utilize NR PDCP. This release also specified the handling of UP Integrity Protection Policy during interworking handovers from EPS to 5GS and defined the mapping of EPS integrity algorithms to their NR counterparts. However, support for UP IP in LTE-LTE Dual Connectivity was explicitly not included in this release.
- Per Slice UP Resource Allocation and Usage Report (TS 29.244 CR0582)
- User Plane (In)Activity Detection and Reporting over N4mb (TS 29.244 CR0608)
- User Plane Integrity Protection Policy Handling in IW handover from EPS to 5GS (TS 33.501 CR1253)
- Introducing support of UP IP for EPC connected architectures using NR PDCP (TS 36.331 CR4763)
- Introducing support of UP IP for EPC connected architectures using NR PDCP (TS 38.331 CR2904)
- 5GS User Plane Node (TS 29.244 CR0558)
+ 28 more changes
In Release 18, the enhancements to the User Plane (UP) Integrity Protection function included a clarification on the activation of UP IP in Dual Connectivity (DC) scenarios. Additionally, corrections were made to the security protection procedures when a User Equipment (UE) accesses the network through a trusted non-3GPP access. These updates provided more precise technical guidance for ensuring integrity, defined as the avoidance of unauthorized modification of information, within the user plane.
- UP Function Features for Time Sensitive Communication, Time Synchronization, Time Sensitive Networking and Deterministic Networking (TS 29.244 CR0701)
- User plane inactivity detection update (TS 29.244 CR0731)
- Security in 5G system location services to support user plane positioning (TS 33.501 CR1765)
- Protection of the direct discovery set - clarification (TS 33.503 CR0157)
- Protection against improper reselection to GERAN/UTRAN [RESELECTION_TO GSM_AND_UTRAN] (TS 36.331 CR4971)
- Support for XR UP design using new container (TS 38.410 CR0048)
+ 18 more changes
In Release 19, the updates for the User Plane (UP) function primarily involved clarifications and corrections to existing procedures rather than introducing new integrity protection features. Specifically, this included a clarification on the User Plane Inactivity Timer and a correction on the interaction with other procedures related to User Plane Failure. Additionally, an editorial change was made regarding security handling in Control Plane CIoT 5GS Optimization.
- Add charging trigger for store and forward satellite operation with UP CIoT (TS 32.251 CR0522)
- Add charging information for store and forward satellite operation with UP CIoT (TS 32.251 CR0523)
- Introduction of low-power wake-up signal and receiver for NR (TS 38.413 CR1261)
- User Plane Inactivity Timer clarification (TS 29.244 CR0971)
- Editorial change on Security handling in Control Plane CIoT 5GS Optimization (TS 33.501 CR2096)
- Correction of the interaction with other procedures related to the User Plane Failure (TS 38.413 CR1270)
+ 1 more change
Defining Specifications
3GPP specifications that define or reference UP, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19 |
| TS 23.153 vj00 | Out-of-Band Transcoder Control Stage 2 | Rel-19 |
| TS 23.714 ve00 | Study on CP-UP separation in EPC | Rel-14 |
| TR 23.730 ve00 | Study on extended CIoT architecture | Rel-14 |
| TR 23.799 ve00 | Study on Next Generation System Architecture | Rel-14 |
| TS 23.868 v900 | Study on IMS Emergency Calls | Rel-9 |
| TR 23.910 v1400 | UMTS Circuit Switched Bearer Services Overview | Rel-5 |
| TR 23.977 vj00 | Bandwidth/Resource Savings & Speech Quality Requirements | Rel-19 |
| TS 24.502 vj20 | 5G Core Access via Non-3GPP Networks; Stage 3 | Rel-19 |
| TS 25.305 vj00 | UTRAN UE Positioning Stage 2 | Rel-19 |
| TS 25.331 vj00 | UTRAN RRC Protocol Specification | Rel-19 |
| TS 25.410 vj00 | Iu Interface Introduction for UTRAN | Rel-19 |
| TS 25.415 vj00 | Iu Interface User Plane Protocol | Rel-19 |
| TR 26.919 vj00 | Study on 5G Conversational Media Handling | Rel-19 |
| TS 28.531 vk00 | Management and Orchestration | Rel-20 |
| TS 29.244 vj40 | PFCP Specification for Control/User Plane Separation | Rel-19 |
| TS 29.412 v1810 | Trunking Gateway Control Procedures | Rel-8 |
| TS 29.414 vj00 | Nb Interface Bearer Transport & Control Protocols | Rel-19 |
| TS 29.522 vj40 | 5G NEF Northbound APIs Stage 3 | Rel-19 |
| TR 29.820 vh00 | Study on PFCP Best Practice | Rel-17 |
| TS 29.844 ve00 | Control and User Plane Separation for EPC Nodes | Rel-14 |
| TS 29.892 vg00 | Study on User Plane Protocol in 5GC | Rel-16 |
| TS 32.251 vj00 | PS Domain Charging Management | Rel-19 |
| TR 32.972 vj00 | Energy Efficiency Study for 5G Networks | Rel-19 |
| TS 33.401 vj10 | EPS Security Architecture | Rel-19 |
| TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20 |
| TS 33.503 vj20 | Security for Proximity Services (ProSe) in 5G | Rel-19 |
| TR 33.740 vi10 | Security and Privacy Aspects of Proximity Based Services in 5G System Phase 2 | Rel-18 |
| TS 33.820 v1830 | Home NodeB/eNodeB Security Architecture | Rel-8 |
| TS 33.825 vg01 | Security for 5G URLLC Services | Rel-16 |
| TR 33.851 vh10 | Security for Industrial IoT in 5G | Rel-17 |
| TR 33.853 vh00 | Study on User Plane Integrity Protection | Rel-17 |
| TS 33.859 vb10 | UTRAN Key Hierarchy Enhancement Study | Rel-11 |
| TS 33.863 ve20 | Security for Battery-Efficient IoT Device to Enterprise | Rel-14 |
| TS 36.331 vj00 | LTE RRC Protocol Specification | Rel-19 |
| TS 36.425 vj00 | X2 User Plane Protocol for Dual Connectivity | Rel-19 |
| TS 36.938 v900 | E-UTRAN to 3GPP2/Mobile WiMAX Mobility | Rel-9 |
| TS 38.331 vj00 | NR Radio Resource Control (RRC) Protocol Specification | Rel-19 |
| TS 38.410 vj10 | NG Interface Introduction for NG-RAN to 5GC | Rel-19 |
| TS 38.413 vj10 | NG Application Protocol (NGAP) | Rel-19 |
| TS 38.415 vj10 | PDU Session User Plane Protocol | Rel-19 |
| TS 48.103 vj00 | A Interface User Plane Transport Protocols | Rel-19 |