7.0.0

Introduction

The SecGW (security gateway) is a security component in a 3GPP wireless network, such as 4G LTE or 5G: fundamentally, it provides a security layer between access (Radio Access Network or RAN) and core.

The role of SecGW was first introduced in 2008 in Release 8 by 3GPP, as the evolution from 3G to 4G LTE was defined and ratified. The adoption from Release 8 was in part driven by the evolution to all-IP networks known as SAE.

This all-IP approach utilizes IP-based protocols for communication across the network and logical functions. SecGW focuses on the RAN and its communication with core elements. This communication consists of a distinct, logical reference interface named S1. This S1 reference interface provides two subset logical interfaces:

  • S1-MME to carry control plane communications between the eNB and the MME (using S1-AP protocol messages)

  • S1-U to carry user plane communications between the eNB and the SGW (using GTP-U)

These logical reference interfaces utilize a common set of protocols for transporting the control and user plane communications:

  • SCTP is used for transporting the S1-AP control plane communications.

  • UDP is used for transporting GTP-U.

As the SAE has evolved with 5G, some of these interfaces have changed slightly. Logically two distinct reference interfaces are still used: N2 and N3. The N2 interface carries the control plane communications from the gNB to the AMF (using NG-AP protocol messages), and the N3 interface carries the user plane communications from the gNB to the UPF (using GTP-U).

An important factor is that neither SCTP nor the S1-AP/NG-AP messages it carries have any inherent security functions or controls. The same is true for UDP and the GTP-U messages it carries. As a result, the messages and data are carried in the clear, without any form of confidentiality, integrity protection, or authorization. This presents a security risk for a variety of reasons not covered in this document. However, additional technology can mitigate this risk and ensure a level of security for these critical communications.

Because of the need to support a standards-based approach, IKEv2 with IPsec was chosen as the most appropriate solution to achieve a number of key requirements:

  • Protect the core network from RAN security threats.

  • Authenticate RAN network elements, specifically radio base stations, such as eNBs and gNBs, to ensure only authenticated and authorized network elements can connect to the core domain.

  • Provide integrity, confidentiality, and replay protection to both user and control planes.
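The following is an added example and not part of the Fortinet document: a small audit that applies the points above to flow records exported from a backhaul monitoring point. It uses the IANA-registered transport ports for S1-AP (SCTP 36412), NG-AP (SCTP 38412) and GTP-U (UDP 2152) and the IP protocol numbers for SCTP, UDP and ESP, and it flags any control- or user-plane flow crossing the RAN/core boundary that is not encapsulated in ESP, that is, traffic that bypassed the SecGW. The address ranges, the `Flow` record layout and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IP protocol numbers and IANA-registered ports of the interfaces described above.
PROTO_UDP, PROTO_ESP, PROTO_SCTP = 17, 50, 132
S1AP_SCTP_PORT = 36412   # S1-MME: eNB <-> MME
NGAP_SCTP_PORT = 38412   # N2:     gNB <-> AMF
GTPU_UDP_PORT = 2152     # S1-U / N3: eNB/gNB <-> SGW/UPF

# Constructed address plan of a hypothetical operator (assumption, not from the document).
RAN_NETS = [ip_network("10.10.0.0/16")]
CORE_NETS = [ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int  # 0 when the protocol carries no port (ESP)


def in_nets(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def classify(flow):
    """Map a flow to the 3GPP reference interface it belongs to, or None."""
    if flow.proto == PROTO_SCTP and flow.dport == S1AP_SCTP_PORT:
        return "S1-MME (S1-AP)"
    if flow.proto == PROTO_SCTP and flow.dport == NGAP_SCTP_PORT:
        return "N2 (NG-AP)"
    if flow.proto == PROTO_UDP and flow.dport == GTPU_UDP_PORT:
        return "S1-U/N3 (GTP-U)"
    return None


def audit(flows):
    """Return (flow, interface, peer_in_known_ran) for every control- or
    user-plane flow that crosses the RAN/core boundary outside IPsec ESP."""
    findings = []
    for f in flows:
        if f.proto == PROTO_ESP:
            continue  # tunnelled by the SecGW: confidentiality/integrity/replay protection apply
        iface = classify(f)
        if iface is None:
            continue  # not S1/N2/N3 traffic
        src_core, dst_core = in_nets(f.src, CORE_NETS), in_nets(f.dst, CORE_NETS)
        if src_core == dst_core:
            continue  # core-internal, or entirely outside the boundary
        peer = f.dst if src_core else f.src
        # A clear-text peer that is not even a known RAN address is the more serious case:
        # it reached a core element without the authentication the SecGW would have enforced.
        findings.append((f, iface, in_nets(peer, RAN_NETS)))
    return findings


def summarize(findings):
    """Count findings per interface, for a quick dashboard line."""
    counts = {}
    for _, iface, _ in findings:
        counts[iface] = counts.get(iface, 0) + 1
    return counts


# Constructed sample flow records (not captured data).
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.10", PROTO_SCTP, S1AP_SCTP_PORT),  # clear-text S1-AP from an eNB
    Flow("10.10.1.5", "10.20.0.20", PROTO_UDP, GTPU_UDP_PORT),    # clear-text GTP-U from the same eNB
    Flow("10.10.1.6", "10.20.0.1", PROTO_ESP, 0),                 # properly tunnelled eNB
    Flow("10.10.1.7", "10.20.0.30", PROTO_SCTP, NGAP_SCTP_PORT),  # clear-text NG-AP from a gNB
    Flow("10.20.0.20", "10.20.0.40", PROTO_UDP, GTPU_UDP_PORT),   # GTP-U inside the core: out of scope
    Flow("192.168.1.1", "10.20.0.10", PROTO_SCTP, S1AP_SCTP_PORT),  # unknown peer reaching the MME
]

if __name__ == "__main__":
    for flow, iface, known in audit(SAMPLE_FLOWS):
        origin = "known RAN address" if known else "UNKNOWN peer"
        print(f"clear-text {iface}: {flow.src} -> {flow.dst} ({origin})")
    print(summarize(audit(SAMPLE_FLOWS)))
```

On the sample data the audit reports four clear-text flows (two S1-AP, one NG-AP, one GTP-U), one of them from an address outside the RAN plan. The core-internal GTP-U flow is deliberately ignored, since the SecGW sits on the RAN/core boundary and the document makes no claim about traffic between core elements; the ESP flow is the only one that satisfies the requirements listed above.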
