Have you read part one of our blog? Check it out here.
International Wholesale Roaming ecosystem
As we have learnt in part one of this blog, mobile networks use signalling between internal network nodes/functions to provide services to users.
However, mobile networks don’t just communicate internally. They also interconnect with other networks, both domestically for national roaming and across borders for international roaming. In 5G this means that all external roaming Signalling traffic also needs to be encrypted end-to-end. In line with the security-by-design mantra for 5G, the 3GPP has baked end-to-end encryption of signalling into the standards and specifications for 5GS (5G System) Roaming.
Anyone who knows anything about the Wholesale Roaming business will know how complex it is. There are around 950 Mobile Operators worldwide, and most of them interact with each other for each of the multiple services that we all consume (Voice, SMS and Data/Internet) as well as across different areas and departments (at network level, and in the invoicing and settlement departments). Typically, one Mobile Operator will have somewhere between 250 and 550 roaming partners worldwide. Managing all of this is a lot of work.
Intermediary Roaming Service Providers
That is why the International Wholesale Roaming ecosystem includes numerous different so-called roaming intermediaries, which are companies offering the necessary network-related and commercial-related services. Mobile Operators rely on these intermediaries to reduce the complexity and operational overhead of managing all their roaming partners. Roaming intermediaries are typically IPX Service Providers, Roaming Hub Service Providers and Roaming Value-Added-Service Providers.
End-to-end TLS encryption on signalling means no intermediaries are allowed
As we have discovered, the 3GPP has mandated that between Mobile Operators the end-to-end TLS encryption method must be deployed, meaning that no intermediaries are allowed by default. If a Mobile Operator wants to use an intermediary, the 3GPP has mandated an additional application layer security (ALS) protocol called PRINS (PRotocol for N32 INterconnect Security), which gives the Mobile Operator control over which intermediary can access and modify the Signalling messages, and how. The choice was made very clear: either end-to-end TLS without intermediaries, or PRINS with intermediaries.
3GPP specifications and GSMA standards
The GSMA (GSM Association) is the industry organisation that represents the interests of mobile network operators worldwide.
The 3GPP focuses on the technical aspects of mobile communication systems and defines specifications, which the GSMA uses as a basis to define standards within a broader operational and business framework. The cooperation between these two organisations is intended to ensure that the mobile telecommunications ecosystem is technically sound, operationally efficient and commercially viable.
5GS standardisation
The GSMA originally gave the 3GPP strict security requirements to be included in the standards for 5G, and the 3GPP delivered its specifications in line with those requirements. But when the wider community of Mobile Operators and intermediaries (especially IPX Providers) received the 3GPP specifications, there was much opposition.
The reason for the opposition was that both options (end-to-end TLS and PRINS) would mean a large increase in operational management and complexity for Mobile Operators and IPX Providers alike. It would simply not be sustainable for the roaming ecosystem to roll out 5G SA Roaming on that basis.
Interconnect security and wholesale roaming
To summarise, the 3GPP standards are viewed by many as not operationally viable and as not allowing the needed flexibility. A large Mobile Operator will not establish and manage 500 separate network connections with its roaming partners to achieve this goal. Even if technically possible, this endeavour would severely constrain business growth and lead to very slow 5G SA Roaming adoption.
The shift to the ‘security by design’ approach in 5GS presents numerous dilemmas and controversies, making it challenging to develop a scalable, practical, and secure 5G SA roaming solution that aligns with industry needs while preserving the existing 2G, 3G, and 4G roaming ecosystem.
This is why the GSMA has been working closely with the 3GPP during the past few years to adapt the original 3GPP 5GS Roaming specifications so that they address the complexity of roaming business operations.
Roaming & security – oxymoron or not?
The fact is, though, that as soon as you start trying to address the roaming business requirements, you realise that they are in direct contradiction with the strict security requirements. Therein lies the challenge of the hour. If we try to carry the current roaming business operations over to 5G SA Roaming, we immediately reduce the level of security, which the 3GPP does not accept.
To be or not to be… compliant
A Mobile Operator who wants or needs to adopt the end-to-end encrypted Signalling method with no intermediary hops will be 3GPP compliant and will be able to enforce stricter security rules. However, it will also have a large additional operational overhead to manage: one TLS connection, with its own certificates and keys, for each roaming partner. This would require more internal resources, either from existing engineers or from new hires, which may not be operationally or commercially viable for Mobile Operators.
Does operational and business viability need to equal less security?
Mobile Operators who do not want or need to adopt this fully end-to-end secure model will continue to work with intermediaries such as IPX Service Providers, Roaming Hub Providers and Roaming VAS Providers when they roll out 5G SA Roaming, just as they do for 2G, 3G and 4G/LTE roaming. They will be GSMA compliant but not 3GPP compliant. They will, however, have less operational overhead to manage, because they have outsourced the work to their IPX, Roaming Hub and/or Roaming VAS Providers.
Hybrid deployment model – directs, in-directs and hops
Some Network Operators that are more concerned with a high level of security will want (or need) to implement the 3GPP model with some of their roaming partners, perhaps only their top ten, for instance. For the rest they will choose to work with IPX Service Providers and Roaming Hub Providers, and these MNOs will push their service providers to have direct 5G Signalling links with as many of their roaming partners as possible. A Roaming Intermediary with direct signalling links to other Mobile Operators means that the security-minded Mobile Operator only needs to trust one intermediary (referred to as a “hop”): the one with which it has a services contract.
One intermediary IPX hop using a Hosted SEPP or an Outsourced SEPP
According to the GSMA PRD NG.113 – 5GS Roaming Guidelines, the two specified deployment models, Hosted SEPP and Outsourced SEPP, support Mobile Operators by reducing the operational complexity of managing all the individual roaming connections and the cryptographic key management overhead. These models are intended to apply to roaming relations with partners that are also directly connected to the same IPX Service Provider. So, one hop only. But while this model is considered GSMA compliant, it will not be considered 3GPP compliant.
IPX 5G signalling peering means 2 hops
But what if the IPX Service Provider does not have direct 5G Signalling links to every roaming partner of the security conscious Mobile Operator? This, by the way, is the case for every IPX Service Provider because none of them have full global direct MNO coverage.
Either the Mobile Operator works with several other IPX Service Providers to obtain coverage of all its roaming partners, or it accepts that its IPX Service Provider relies on peering arrangements with other IPX Service Providers to reach the rest of them. Most likely it will be both, just as in the 2G, 3G and LTE roaming ecosystem. This equates to relying on two intermediary hops when signalling messages are routed between the originating Mobile Operator and the destination Mobile Operator in international roaming scenarios.
In this scenario, two different intermediaries will be handling the Mobile Operator’s Signalling Traffic: one with which the Mobile Operator has a contract, and one with which it has no direct relationship or contract.
Trusting a service provider that you have a contract with (typically including SLAs and security guarantees) is one thing, and according to the 3GPP not even that is acceptable. But allowing a third-party provider with which you have no contract to be in the loop, with access to the content of the signalling messages, will be considered by some to be simply “insecure by design”!
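To make the hybrid model concrete, here is an added example (not code from the original post, from Comfone, or from any 3GPP or GSMA specification) of how a Mobile Operator might encode the policy described above: direct-only partners must be reached with end-to-end TLS, other partners may be reached with PRINS through exactly one contracted hop, and a path that traverses an uncontracted second hop is rejected. It also models the PRINS idea that the operator decides which message elements a given intermediary may modify. The PLMN and IPX names, the `routing-header` and `subscriber-identity` element names and the `RoamingPolicy` class are all hypothetical; the path list is a simplified stand-in for the chain of SEPP-operating entities between the home PLMN and the partner PLMN.

```python
"""Hypothetical roaming signalling path policy (illustrative model, not a 3GPP/GSMA procedure).

A path is the ordered list of entities a signalling message traverses:
[home PLMN, intermediary, ..., partner PLMN]. Zero intermediaries means a direct
SEPP-to-SEPP TLS link; each intermediary is one "hop".
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    TLS_E2E = "tls-e2e"   # direct TLS between the two operators, no intermediaries (3GPP model)
    PRINS = "prins"       # application-layer security via contracted intermediaries
    REJECT = "reject"     # path violates the operator's policy


@dataclass(frozen=True)
class Decision:
    mode: Mode
    hops: int
    reason: str


@dataclass
class RoamingPolicy:
    home_plmn: str
    # Partners the operator insists on reaching with TLS end-to-end (e.g. its top ten).
    direct_only_partners: frozenset[str]
    # Intermediaries covered by a services contract / SLA: the hops the operator is willing to trust.
    contracted_hops: frozenset[str]
    # Per intermediary, the message elements it may modify under PRINS (hypothetical element names).
    allowed_modifications: dict[str, frozenset[str]] = field(default_factory=dict)
    max_hops: int = 1

    def evaluate_path(self, path: list[str]) -> Decision:
        """Decide how (or whether) signalling may flow along the given path."""
        if len(path) < 2 or path[0] != self.home_plmn:
            return Decision(Mode.REJECT, 0, "path must start at the home PLMN and end at a partner PLMN")
        partner, intermediaries = path[-1], path[1:-1]
        hops = len(intermediaries)
        if hops == 0:
            # A direct link is the 3GPP-compliant case for any partner.
            return Decision(Mode.TLS_E2E, 0, f"direct TLS link to {partner}")
        if partner in self.direct_only_partners:
            return Decision(Mode.REJECT, hops, f"{partner} is a direct-only partner; no intermediaries allowed")
        if hops > self.max_hops:
            # The two-hop IPX peering case: the second hop has no contract with us.
            return Decision(Mode.REJECT, hops, f"{hops} hops exceeds the policy maximum of {self.max_hops}")
        uncontracted = [hop for hop in intermediaries if hop not in self.contracted_hops]
        if uncontracted:
            return Decision(Mode.REJECT, hops, f"uncontracted intermediary in path: {', '.join(uncontracted)}")
        return Decision(Mode.PRINS, hops, f"PRINS via contracted hop(s): {', '.join(intermediaries)}")

    def modification_allowed(self, intermediary: str, element: str) -> bool:
        """Under PRINS the operator, not the intermediary, decides what may be changed in transit."""
        return element in self.allowed_modifications.get(intermediary, frozenset())


# Constructed sample data: none of these are real operators or providers.
POLICY = RoamingPolicy(
    home_plmn="HPLMN-A",
    direct_only_partners=frozenset({"PLMN-B"}),
    contracted_hops=frozenset({"IPX-1"}),
    allowed_modifications={"IPX-1": frozenset({"routing-header"})},
)

SAMPLE_PATHS = [
    ["HPLMN-A", "PLMN-B"],                   # direct link to a top partner
    ["HPLMN-A", "IPX-1", "PLMN-B"],          # top partner via a hop: not allowed
    ["HPLMN-A", "IPX-1", "PLMN-C"],          # one contracted hop (hosted/outsourced SEPP model)
    ["HPLMN-A", "IPX-1", "IPX-2", "PLMN-D"], # IPX peering: two hops
    ["HPLMN-A", "IPX-2", "PLMN-C"],          # single hop, but no contract with IPX-2
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        decision = POLICY.evaluate_path(path)
        print(f"{' -> '.join(path):40s} {decision.mode.value:8s} ({decision.hops} hop(s)) {decision.reason}")
    for element in ("routing-header", "subscriber-identity"):
        print(f"IPX-1 may modify {element}: {POLICY.modification_allowed('IPX-1', element)}")
```

The ordering of the checks matters: the hop-count limit is evaluated before the contract check, so a two-hop path is rejected even when the first hop is a contracted provider, which is exactly the IPX peering case discussed above. Raising `max_hops` to 2 and adding the peer to `contracted_hops` is the knob an operator would turn if it decided, contractually, to extend trust to the cascaded chain.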
IPX and Roaming Hub service providers have security measures
But why do IPX and Roaming Hub Service Providers get such a bad rap when it comes to security? They need to lock down and secure their networks just as Mobile Operators do. If they don’t, their networks will be compromised and they will be out of business. They have customers and reputations to uphold and cannot afford to be lax with their security measures.
Additionally, the intermediary IPX Service Providers have peering agreements with each other, so a cascaded trust chain exists in the ecosystem.
The new trust model is zero-trust
The principle behind zero-trust is that no access is granted implicitly or by default: every access is explicitly authenticated, authorised and monitored, whoever requests it. If the IPX Service Providers are held to these rules, and verified against them, they could and should be deemed trustworthy.
Perhaps more contractual obligations around security can be added to the SLAs, which are signed between the Mobile Operators and their IPX Service Providers, to increase accountability.
The same could apply to the peering arrangements between the IPX Service Providers and Roaming Hub providers.
The important role and responsibilities of the Roaming Services Providers
This is where trusted IPX, Roaming Hub and VAS providers will step up and support the Mobile Operators. These companies provide indispensable value for Mobile Operators and are crucial to the successful implementation of 5G SA Roaming.
But just as Mobile Operators need to address security concerns when deploying 5G technologies, so do the Roaming Service Providers.
Security must also be at the forefront of 5G SA Roaming solution deployments by IPX, Roaming Hub and VAS providers, with measures such as end-to-end TLS on all connections backed by reliable cryptographic key management, the use of PRINS where necessary, secure SEPP deployments, Signalling Firewall solutions across 2G, 3G and 4G, a fully secured IPX backbone and IPX access methods and, finally but no less importantly, roaming relation policing and screening at Signalling level.
The distinctive features of 5G SA unlock unparalleled opportunities while also presenting intricate security challenges. Tackling these issues requires a comprehensive, multi-layered strategy that integrates advanced technologies, industry best practices, and robust regulatory adherence. As operators and vendors work to build secure 5G networks, emphasizing cybersecurity will be essential to harnessing 5G’s full potential while safeguarding user trust and data integrity.
When deciding which 5G SA Roaming deployment model and security architecture to choose, Mobile Operators will need to strike a balance between security needs, operational complexity and business goals, working with Roaming Intermediary Service Providers that provide the necessary services and measures.
Feel free to reach out to the team at Comfone to discuss 5G SA Roaming and Cybersecurity.