Roaming with SEPP in 5G: Architecture, Security, and Deployment


As mobile networks shift from LTE to 5G service-based architecture (SBA), roaming has become a bit trickier. In traditional LTE, operators communicated directly using Diameter signaling, but 5G brings in HTTP/2-based service communication, which ramps up the need for better security. This is where Security Edge Protection Proxy (SEPP) comes into play.

The accompanying diagram, titled "Roaming with SEPP", shows how the visited PLMN (V-PLMN) and home PLMN (H-PLMN) use SEPP to keep their communication secure.

In this blog, we’ll discuss:

What SEPP is and its importance in 5G roaming.

The detailed architecture of roaming using SEPP.

Key network functions at play.

The benefits of SEPP for both operators and users.

Challenges in deployment and what the future might hold.

What is SEPP in 5G?

SEPP (Security Edge Protection Proxy) is a required network function in the 5G roaming architecture. It acts as a security gateway sitting at the boundary between two operators' networks (V-PLMN and H-PLMN).

Its main jobs include:

Safeguarding inter-PLMN signaling traffic.

Providing authentication, integrity protection, and encryption.

Supporting topology hiding, so sensitive network details stay under wraps.

In short, SEPP secures the service-based interfaces (SBI) that rely on HTTP/2 for signaling across different network domains.

Why SEPP is Necessary in 5G

Unlike LTE, which depended on Diameter-based interfaces for roaming, 5G leans heavily on HTTP/2 APIs for communication between network functions. While HTTP/2 offers flexibility, it does come with vulnerabilities if not properly protected.

Here are some of the challenges SEPP tackles:

Wider attack surface: More APIs are open to external networks.

Data integrity issues: There's a risk of messages being tampered with during transit.

Topology exposure: Sensitive information like IP addresses or internal node names might get exposed.

Trust concerns: Operators need to ensure that signaling messages are both authentic and secure.

That’s why SEPP is essential for all 5G roaming scenarios, securing the connections between operators.

Architecture of Roaming with SEPP

The diagram shows how SEPP fits into the 5G roaming setup:

  1. V-PLMN (Visited Public Land Mobile Network)

This is the network where the roaming subscriber is currently located. It consists of:

UE (User Equipment): The subscriber’s device.

gNB (5G base station): Provides radio access.

UPF (User Plane Function): Manages user data forwarding.

AMF (Access and Mobility Management Function): Takes care of mobility and access signaling.

SMF (Session Management Function): Handles session setup and policy enforcement.

PCF (Policy Control Function): Sets policy rules for sessions.

NEF (Network Exposure Function): Facilitates exposing capabilities to third-party apps.

i-NEF: Interworking NEF for roaming situations.

NSSF (Network Slice Selection Function): Assigns slices based on service needs.

NRF (Network Repository Function): Aids in discovering available network functions.

The V-PLMN connects with H-PLMN through SEPP, ensuring secure signaling exchange.

  2. H-PLMN (Home Public Land Mobile Network)

This is the network of the subscriber’s home operator, responsible for authentication and subscriber data. It includes:

UDM (Unified Data Management): Stores subscriber profiles.

AUSF (Authentication Server Function): Manages authentication requests.

PCF: Provides home policy control.

NEF: Oversees exposure of home operator services.

NRF: Ensures discovery of network functions in H-PLMN.

hSEPP: The SEPP node on the home side.

The hSEPP receives messages from the V-PLMN’s SEPP, validates and decrypts them, and forwards the info to the right network functions.

  3. SEPP's Role in Communication

The V-PLMN SEPP encrypts and secures HTTP/2 signaling before sending it to the H-PLMN SEPP.

The H-PLMN SEPP decrypts the messages and checks their integrity before passing them to internal network functions (like UDM, AUSF).

Both SEPPs perform topology hiding, ensuring that operators don't see each other’s internal network details.
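The flow in this section, sketched as an added example that is not part of the original article and not code from any SEPP product: the sending SEPP replaces internal host names with pseudonyms and tags the message, and the receiving SEPP verifies the tag before forwarding. It assumes HMAC-SHA256 with a pre-shared key as a stand-in for the integrity protection and leaves encryption out; the keys, the vplmn.example domain, the host names and the message fields are all constructed for illustration.

```python
import hashlib
import hmac
import json
import re

# Constructed values: keys, domain and host names are illustrative only.
SHARED_KEY = b"demo-key-agreed-by-both-sepps"      # integrity key of the SEPP pair
LOCAL_SECRET = b"demo-secret-known-only-to-vsepp"  # derives stable pseudonyms
INTERNAL_FQDN = re.compile(r"[a-z0-9-]+\.core\.vplmn\.example")
ALIAS_TO_HOST = {}  # kept by the sending SEPP so replies can be routed back


def _alias(match):
    """Swap an internal host name for an opaque, repeatable pseudonym."""
    host = match.group(0)
    digest = hmac.new(LOCAL_SECRET, host.encode(), hashlib.sha256).hexdigest()[:12]
    alias = f"nf-{digest}.sepp.vplmn.example"
    ALIAS_TO_HOST[alias] = host
    return alias


def protect(message):
    """Sending SEPP: hide topology first, then tag exactly what leaves the network."""
    hidden = INTERNAL_FQDN.sub(_alias, json.dumps(message, sort_keys=True))
    tag = hmac.new(SHARED_KEY, hidden.encode(), hashlib.sha256).hexdigest()
    return {"body": hidden, "tag": tag}


def receive(envelope):
    """Receiving SEPP: verify the tag before anything reaches UDM or AUSF."""
    expected = hmac.new(SHARED_KEY, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("integrity check failed: message dropped at the SEPP")
    return json.loads(envelope["body"])


def demo():
    request = {  # constructed sample of a request leaving the V-PLMN
        "service": "nausf-auth",
        "callback": "https://amf01.core.vplmn.example/callbacks/auth",
    }
    envelope = protect(request)
    delivered = receive(envelope)
    tampered = dict(envelope, body=envelope["body"].replace("nausf-auth", "nudm-sdm"))
    try:
        receive(tampered)
    except ValueError:
        return delivered, True
    return delivered, False
```

The tag is computed over the already-hidden body, so the receiving SEPP can verify it without ever learning the internal name, and the pseudonym is derived with a secret the partner operator does not hold.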

Key Interfaces in Roaming with SEPP

Based on the diagram, the following interfaces are crucial:

N1/N2/N3/N4/N6/N9: Standard interfaces connecting UE, gNB, UPF, AMF, and SMF.

Nnef, Npcf, Nnssf, Naf, Namf, Nsmf: Service-based interfaces used within the V-PLMN.

Nudm, Nausf, Nnef, Npcf: Service-based interfaces in the H-PLMN.

SEPP ↔ SEPP: Secure interconnect for all inter-PLMN signaling.

Benefits of SEPP in 5G Roaming

Implementing SEPP brings several key advantages:

End-to-End Security: Guarantees the integrity, confidentiality, and authentication of signaling.

Topology Hiding: Shields internal network structure from being exposed to other operators.

Fraud Prevention: Minimizes the risks of signaling fraud and attacks.

Regulatory Compliance: Aligns with 3GPP security standards for roaming.

Interoperability: Offers a standardized security framework for multi-operator roaming.

Subscriber Trust: Ensures users enjoy secure roaming without experiencing service degradation.

Comparison: LTE Roaming vs 5G Roaming with SEPP

| Feature | LTE (Diameter) | 5G (HTTP/2 with SEPP) |
|---|---|---|
| Signaling Protocol | Diameter | HTTP/2-based SBI |
| Security Gateway | Optional | Mandatory (SEPP) |
| Topology Hiding | Limited | Strong topology hiding |
| Encryption | Basic TLS | Enhanced with SEPP |
| Roaming Trust Model | Diameter peer trust | SEPP-secured interconnect |

Challenges in Deploying SEPP

While SEPP boosts roaming security, it does come with its share of deployment hurdles:

Complex Implementation: Needs integration with various network functions.

Vendor Interoperability: Different SEPP providers must work together smoothly.

Performance Overhead: Encryption and decryption could introduce some latency.

Policy Alignment: Coordination between home and visited networks is essential.

Operators need to invest in testing, automation, and interconnect agreements to maximize the benefits of SEPP.

Future Outlook

As 5G roaming spreads out globally, SEPP is set to evolve further:

AI-driven SEPP: Future versions may use AI for spotting anomalies and predictive security.

Inter-operator Blockchain: Blockchain tech might work alongside SEPP for secure interconnections.

5G-Advanced Roaming: Enhanced SEPP capabilities will be necessary to support network slicing and readiness for 6G.

SEPP will remain a key element of secure roaming for the foreseeable future.

Conclusion

The Roaming with SEPP architecture marks a significant advancement in securing 5G roaming. By introducing mandatory encryption, integrity protection, and topology hiding, SEPP ensures trust and security between V-PLMN and H-PLMN operators.

For telecom professionals, grasping SEPP is vital for designing and managing secure, scalable, and interoperable 5G roaming frameworks.

With 5G adoption speeding up, SEPP isn't just an option—it’s becoming a must-have for operators looking to provide secure global roaming experiences.