VPN

Virtual Private Network

Services
Introduced in Rel-4
A Virtual Private Network (VPN) in 3GPP provides secure, private network services over public mobile infrastructure. It enables enterprises to extend their private networks to mobile users and IoT devices, ensuring secure connectivity, access control, and traffic isolation.

Description

Within the 3GPP architecture, a Virtual Private Network (VPN) refers to a service capability that allows the creation of logically isolated network segments over a shared public mobile network infrastructure. It is not a single protocol but a framework of features and architectures defined across multiple specifications (e.g., TS 22.153, TS 23.501) that enable enterprise and vertical-specific communications. A 3GPP VPN provides connectivity between a group of subscribers (e.g., enterprise employees, IoT sensors) and potentially their corporate network, with policies enforcing that communication remains within the VPN group and is protected from the general public internet traffic.

The architecture for 3GPP VPNs has evolved significantly. In earlier releases, VPN services were typically realized through dedicated APNs (Access Point Names) and IPsec tunnels from the device to a corporate gateway. In the 5G System, VPN support is deeply integrated and more flexible. Key architectural components include the User Plane Function (UPF), which can be deployed as a dedicated UPF for the VPN to anchor user plane traffic, and the Session Management Function (SMF), which enforces VPN-specific session policies. The Network Exposure Function (NEF) may expose VPN capabilities to enterprise applications. Traffic for a VPN is isolated using mechanisms such as VLANs, VXLANs, or MPLS labels in the transport network, and specific QoS flows within the PDU session.

How a VPN works in a 5G context begins with subscription. A UE's subscription profile in the Unified Data Management (UDM) contains information about the VPN groups it belongs to. When the UE establishes a PDU Session, it may request connectivity to a specific Data Network Name (DNN) associated with a VPN. The network selects an SMF and a UPF capable of supporting that VPN. The UPF may implement traffic steering, applying uplink classifiers to direct traffic destined for the corporate network to a specific N6 interface (towards the enterprise's on-premises network), while other traffic goes to the public internet. Security is paramount: authentication is strengthened, and data confidentiality and integrity can be provided end-to-end between the UE and the corporate network using IPsec or TLS, often facilitated by the mobile network's security functions. The 3GPP VPN framework thus provides a comprehensive, carrier-managed solution for secure mobile workforce and IoT connectivity.
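The flow just described (UDM subscription lookup, DNN-based VPN selection, SMF/UPF selection, and uplink classifier steering towards an enterprise N6 or the internet N6) can be modelled as a small control-plane and user-plane simulation. The following is an added illustration written for this page, not 3GPP-specified behaviour or any vendor's core implementation: every identifier, subscription record, DNN, S-NSSAI value, IP prefix and function name is constructed for the example. It also covers the group-based access control described under Purpose & Motivation and the UL CL steering listed in the Rel-15 evolution paragraph, and adds the check a defender cares about most: a session for one VPN is rejected for a non-member and cannot reach another VPN's corporate prefixes.

```python
"""Toy model of 3GPP VPN session handling in a 5G core (constructed example).

Nothing here is taken from a 3GPP specification or a real core network; the
data structures, names and addresses are invented to illustrate the flow:
UDM subscription lookup -> DNN/VPN group authorization -> UPF selection
-> UL CL steering to an enterprise N6 or the internet N6, with isolation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VpnGroup:
    name: str
    dnn: str                  # Data Network Name the UE requests for this VPN
    snssai: str               # slice the VPN is mapped to (constructed value)
    corporate_prefixes: tuple  # destinations steered to the enterprise N6


# Constructed VPN definitions (RFC 1918 ranges used as corporate address space).
VPN_GROUPS = {
    "acme-corp": VpnGroup("acme-corp", "acme.vpn", "sst=1;sd=000001",
                          (ip_network("10.10.0.0/16"),)),
    "beta-iot": VpnGroup("beta-iot", "beta.iot", "sst=3;sd=000002",
                         (ip_network("172.16.0.0/12"),)),
}

# Constructed UDM subscription data: SUPI -> VPN groups the UE belongs to.
UDM_SUBSCRIPTIONS = {
    "imsi-001010000000001": {"acme-corp"},
    "imsi-001010000000002": {"beta-iot"},
    "imsi-001010000000003": set(),  # consumer subscriber, no VPN membership
}

# Constructed UPF inventory: (DNN, S-NSSAI) pairs each UPF can anchor.
UPF_INVENTORY = {
    "upf-enterprise-1": {("acme.vpn", "sst=1;sd=000001")},
    "upf-iot-1": {("beta.iot", "sst=3;sd=000002")},
    "upf-internet-1": {("internet", "sst=1;sd=000000")},
}


class PduSessionRejected(Exception):
    """Raised when the SMF refuses the PDU Session Establishment request."""


def authorize_dnn(supi, dnn):
    """SMF-side check: the requested DNN must belong to a VPN group in the UE's
    UDM subscription. Membership, not the DNN string alone, grants access."""
    groups = UDM_SUBSCRIPTIONS.get(supi)
    if groups is None:
        raise PduSessionRejected("unknown SUPI")
    for name in groups:
        group = VPN_GROUPS[name]
        if group.dnn == dnn:
            return group
    raise PduSessionRejected(f"{supi} is not subscribed to DNN {dnn}")


def select_upf(group):
    """Pick a UPF that can anchor the VPN's DNN on the VPN's slice."""
    for upf, capabilities in UPF_INVENTORY.items():
        if (group.dnn, group.snssai) in capabilities:
            return upf
    raise PduSessionRejected(f"no UPF supports {group.dnn} on {group.snssai}")


def establish_pdu_session(supi, dnn):
    """Control-plane flow: authorize the DNN, then bind the session to a UPF."""
    group = authorize_dnn(supi, dnn)
    return {"supi": supi, "dnn": dnn, "snssai": group.snssai,
            "vpn": group.name, "upf": select_upf(group)}


def session_allowed(supi, dnn):
    """Boolean wrapper used for quick policy checks and tests."""
    try:
        establish_pdu_session(supi, dnn)
        return True
    except PduSessionRejected:
        return False


def classify_uplink(session, dst_ip):
    """UL CL rule applied at the UPF: the session's own corporate prefixes go to
    the enterprise N6, other VPNs' prefixes are dropped (isolation), and
    everything else goes to the internet N6."""
    dst = ip_address(dst_ip)
    group = VPN_GROUPS[session["vpn"]]
    if any(dst in prefix for prefix in group.corporate_prefixes):
        return "n6-enterprise"
    for other in VPN_GROUPS.values():
        if other.name != group.name and any(dst in p for p in other.corporate_prefixes):
            return "drop"
    return "n6-internet"


if __name__ == "__main__":
    session = establish_pdu_session("imsi-001010000000001", "acme.vpn")
    print("session:", session)
    for dst in ("10.10.5.7", "172.16.1.1", "203.0.113.5"):
        print(dst, "->", classify_uplink(session, dst))
    print("consumer UE on acme.vpn allowed:",
          session_allowed("imsi-001010000000003", "acme.vpn"))
```

The two properties worth verifying in any real deployment are visible in the model: DNN authorization is driven by subscription data rather than by whatever DNN the UE names, and the uplink classifier treats another VPN's address space as an explicit drop rather than falling through to the default internet route.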

Purpose & Motivation

The standardization of VPN capabilities in 3GPP was motivated by the growing demand from enterprises for secure, reliable, and manageable mobile connectivity for their employees and machines. Prior to integrated 3GPP VPN features, enterprises often relied on overlay solutions like client-based IPsec VPNs, which could be complex to manage at scale, offered inconsistent performance, and lacked integration with mobile network features like QoS and seamless mobility.

3GPP VPNs solve these problems by providing network-native VPN services. They address the need for traffic isolation, ensuring sensitive corporate data does not traverse the public internet unprotected. They solve the problem of scalable access control, allowing enterprises to define policies based on user groups and device types directly within the mobile network operator's systems. Furthermore, they enable advanced features like network slicing, where a VPN can be mapped to a specific network slice to guarantee performance parameters (latency, bandwidth) tailored to enterprise applications.

Historically, work on VPNs in 3GPP gained significant momentum with the focus on vertical industries and Mission Critical Services in Releases 13/14, and became a cornerstone of 5G's enterprise offerings from Release 15 onwards. The evolution addresses the limitations of bolt-on solutions by deeply integrating VPN support into the 5G core architecture. This allows operators to offer VPN as a managed service with guaranteed Service Level Agreements (SLAs), seamless handover between radio access types, and inherent support for a massive number of IoT devices, which is critical for Industry 4.0 and other digital transformation initiatives.

Key Features

  • Logical isolation of user traffic from public internet and other VPNs
  • Integration with 5G Network Slicing to provide guaranteed performance SLAs
  • Support for both Layer 3 (IP) and Layer 2 (Ethernet) VPN service types
  • Centralized policy control for access, QoS, and routing within the VPN
  • Seamless mobility and session continuity for VPN users across the network
  • Exposure of VPN capabilities to enterprises via APIs (e.g., via NEF) for self-management

Evolution Across Releases

Rel-4 Initial

Initial work on VPN concepts appeared in the context of mobile network enhancements, primarily focusing on secure access to corporate intranets using mechanisms like mobile IP and dedicated APNs. Specifications began to reference VPNs as a target service scenario for evolving packet-switched capabilities.

Major integration with the 5G System architecture. VPN support became a foundational service capability, defined in detail in TS 23.501. Features included DNN-based VPN selection, support for UL CL (Uplink Classifier) and BP (Branching Point) UPFs for local breakouts, and the framework for integrating with network slicing.

Enhanced VPN features for verticals, including enhanced support for LAN-type services (5G LAN), time-sensitive communication, and integration with non-public networks (NPNs). Specifications like TS 23.501 were updated to clarify VPN operation with network slicing and edge computing.

Further enhancements for enterprise and IoT VPNs, including improved support for massive IoT deployments within VPNs, enhanced exposure capabilities for enterprise management, and refinements to the interaction between VPN, network slicing, and quality of service.

Continued evolution towards more autonomous and application-aware VPNs, exploring AI/ML for VPN management, enhanced security posture for VPNs (e.g., zero-trust concepts), and deeper integration with edge application architectures.

Defining Specifications

Specification   Title
TS 21.905       3GPP TS 21.905
TS 22.153       3GPP TS 22.153
TS 22.854       3GPP TS 22.854
TS 22.953       3GPP TS 22.953
TS 32.808       3GPP TR 32.808
TS 33.108       3GPP TR 33.108
TS 33.310       3GPP TR 33.310