The LTE network architecture project began with 3GPP in 2004 to enhance the UMTS architecture and optimize the radio air interface and access architecture. What is commonly referred to as “LTE” today is actually standardized as the Evolved Packet System (EPS), consisting of two distinct architectures – the Evolved UMTS Terrestrial Radio Access Network (E-UTRAN) addressing the radio aspects, and the Evolved Packet Core (EPC) addressing the non-radio aspects. Together, the E-UTRAN and EPC provide the network system that enables mobile devices, or User Equipment (UE), to access various network operator and non-operator services, including voice, video, and general Internet services.
Included in the 3GPP standards is a clearly defined security architecture. This is documented in the 3GPP Technical Specification 33.102. This includes IP network security and network element security. Embedding security into the overall mobile network architecture is critically important as this network is based on IP technologies for both the network control plane and user data plane traffic. In contrast, the previous 2G systems did not have IP-based security mechanisms embedded into the core of the network as the 2G system was not based on IP standards. The 3G/4G adoption of packet switching and IP technologies requires that the open and accessible protocols associated with IP be specifically addressed in the security architecture. The security specifications create a defense-in-depth strategy, as security is enforced at multiple points and layers in the overall 3GPP architecture. It is well understood that security cannot be a bolt-on afterthought; it must be embedded into the system from inception. Security services that are required include authentication, confidentiality, and integrity.
The 3GPP 33.102 security specification defines five functional areas for securing the mobile network: Network Access, Network Domain, User Domain, Application Domain, and also includes the visibility and configuration of security. This blog series will focus on Network Domain Security (NDS), specified in 3GPP 33.210, which defines the features needed for securing the communications between EPC nodes, including the backhaul links. The NDS is clearly focusing on the security aspects of the IP network layer.
The NDS specification introduces “security domains” to the 3GPP EPS. While a single mobile provider manages its own domain from an administrative perspective, the mobile provider often divides its network into multiple security domains. These security domains typically align to the operational domains that mobile providers use; with specific security for devices, backhaul networks, EPC, services and applications, and OSS/BSS. In this way, security and defense-in-depth can be provided within each security domain which allows greater control and easier manageability. The question then becomes: How does the provider secure the communications between the security domains? The NDS specifically requires a Security Gateway (SEG) node on each side of the security domain to concentrate and protect all traffic entering or leaving each security domain.
That is a somewhat simple use case for security services. A more interesting use case involves LTE subscriber roaming and true inter-domain communications between mobile providers.
As depicted in the above home routed roaming architecture diagram, the roaming subscriber is attached to a visited Public Land Mobile Network (PLMN) but requires authentication, policy, and PDN/IP services from its home PLMN. The inter-domain connectivity between the Serving Gateway (SGW) and the Packet Data Network Gateway (PGW) becomes a critical interface for encryption services. This S8 interface provides the inter-PLMN reference point for the user data plane traffic. The traffic on this connection should be encrypted since the S8 is an external interface and this encryption capability must perform at a high level of performance, so as not to negatively impact real-time applications and the associated user experience. There are additional challenges in terms of scale and ease of deployment for providing this aggregated data plane encryption; including the additional cost for providing this type of inter-domain security.
This inter-domain use case for encryption services in the mobile EPC is very similar to the enterprise and service provider use case for encryption services on Inter-DC connections. Most of these Inter-DC connections are now being encrypted due to the high degree of sensitivity of the traffic that is transported between data-centers. This Inter-DC traffic is typically a mixture of customer user data traffic and internal enterprise application traffic. Both of these traffic types benefit from encryption services if they can be provided at the required scale and performance levels, while meeting an acceptable price point.
As part of the New IP paradigm, it is clear that network architecture decisions have a direct impact to the success of your business. When mobile network providers include encryption services from inception, this creates a solid and stable network foundation for providing high value services.
This post was co-written with my colleague Ed O’ Connell.