
Industry perspectives: The adoption of SEPP for 5G roaming – why it matters and what’s next

The role of SEPP in 5G Standalone (SA) core network deployment

The telecom industry is gearing up to deploy 5G Standalone (SA) Core and unlock its potential to open new revenue streams. Supporting this transformation is the Security Edge Protection Proxy (SEPP), a key technology for enabling secure and seamless 5G roaming.

As operators around the globe adopt SEPP, it’s important to understand why it matters, how it’s evolving, and why independent vendors like BroadForward are leading the way.

The need for SEPP in 5G roaming

5G Standalone (SA) networks are designed to support secure signaling for roaming. This marks a significant shift from earlier generations like 4G and 2G/3G, which relied on intermediary systems (such as a Gateway STP and DEA) to handle roaming traffic without end-to-end integrity protection or encryption. The SEPP closes this gap by securing the communication between roaming partners and protecting signaling traffic.
Analysts at Kaleido Intelligence predict that 5G roaming traffic will grow rapidly in the coming years. By 2028, 5G is expected to account for 78% of global roaming traffic. To achieve this, the SEPP is required as a mandatory security element for roaming. This is especially important as 5G introduces advanced services like ultra-low latency and massive IoT, which require robust security frameworks as they become more widely adopted and integral to society. A case in point is UK telecommunications specialists Beamer, which reported that in 2024 hackers attacked remotely controlled IoT devices most frequently.

Changes in SEPP standardization

Despite a growing number of service providers adopting SEPP, its standardization is still evolving. A key topic of debate is the security model, particularly whether to use PRINS (Protocol for N32 Interconnect Security) alongside Hop-by-Hop TLS for IPX providers. PRINS enables end-to-end integrity/encryption by negotiating security levels between operators, offering stronger security but also adding complexity. Until now the 3GPP specifications prescribed the application of PRINS for IPX connections. Recently the GSMA qualified the 3GPP specification (TS 29.573) by stating that hop-by-hop TLS is also an accepted option alongside PRINS for IPX connections. The GSMA Permanent Reference Document NG.113 describes these options in table 4 (Model and security mechanisms) as shown below:

Model | Security mechanism
Model 1 – Direct Bilateral | TLS
Model 2.1 – Outsourced SEPP | TLS
Model 2.2 – Hosted SEPP | TLS
Model 2.3 – Operator Group | TLS
Model 3 – Service Hub architecture | Hop-by-Hop TLS or PRINS
Model 4 – Roaming Hub architecture | Hop-by-Hop TLS or PRINS

End-to-End vs. Hop-by-Hop encryption

The choice between end-to-end (PRINS) and hop-by-hop security (TLS) highlights the challenges of security in 5G roaming. End-to-end integrity/encryption keeps data protected throughout its journey across multiple intermediate routing hops, which offers higher security. But it requires operators to coordinate encryption keys carefully so that the intermediate routing hops can still perform their IPX services.
Hop-by-hop encryption is simpler, as it encrypts data between two individual SEPP nodes representing one hop, but it introduces vulnerabilities where data is decrypted and re-encrypted on each hop. IPX providers need to find the right balance based on industry security needs, technical capabilities, and, most importantly, the services to be applied on the traversing messages.
Encryption and authentication keys, often exchanged using Public Key Infrastructure (PKI), are essential for secure communication. These mechanisms also affect the role of IPX providers, who have traditionally acted as intermediaries in roaming scenarios, adding value to the communication with bespoke services. With PRINS security, this becomes significantly more challenging. End-to-end encryption requires every intermediate (IPX) partner to be included in the PKI exchange between networks. This is needed for the IPX providers to decrypt and validate the messages, apply their bespoke services, and secure the message again for the next leg towards its destination. Details are described in FS.34 – GSMA Key Management.
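
The trade-off described above, as an added example (not from the original article or from BroadForward): a constructed signaling message crosses two intermediate hops, first with per-link protection that each hop removes and re-applies, then with a single tag set by the sending SEPP. HMAC-SHA256 with pre-shared keys stands in for TLS and PRINS; the keys, field names and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def tag(key, body):
    # HMAC-SHA256 is a stand-in for the real protection (TLS record / PRINS object).
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def rewrite(body):
    # An intermediate hop altering one field of the message in transit.
    msg = json.loads(body)
    msg["plmn"] = "99999"
    return json.dumps(msg, sort_keys=True).encode()

def hop_by_hop(body, link_keys, rewrite_at=None):
    """Per-link protection: every intermediate verifies, sees the clear
    message, then re-protects it for the next link.
    Returns (delivered body, result of the receiver's integrity check)."""
    mac = tag(link_keys[0], body)
    for hop, (k_in, k_out) in enumerate(zip(link_keys, link_keys[1:])):
        if not hmac.compare_digest(tag(k_in, body), mac):
            return body, False
        if hop == rewrite_at:
            body = rewrite(body)
        mac = tag(k_out, body)  # fresh, valid tag over whatever the body is now
    return body, hmac.compare_digest(tag(link_keys[-1], body), mac)

def end_to_end(body, e2e_key, hops, rewrite_at=None):
    """One tag set by the sending SEPP and checked only by the receiving SEPP.
    Intermediates do not hold e2e_key, so they cannot re-tag a changed body."""
    mac = tag(e2e_key, body)
    for hop in range(hops):
        if hop == rewrite_at:
            body = rewrite(body)
    return body, hmac.compare_digest(tag(e2e_key, body), mac)

# Constructed sample data: test PLMN 001/01 and made-up keys.
MSG = json.dumps({"plmn": "00101", "supi": "imsi-001010000000001"}, sort_keys=True).encode()
LINK_KEYS = [b"sepp-a/ipx-1", b"ipx-1/ipx-2", b"ipx-2/sepp-b"]
E2E_KEY = b"sepp-a/sepp-b"

if __name__ == "__main__":
    for name, result in [
        ("hop-by-hop, untouched", hop_by_hop(MSG, LINK_KEYS)),
        ("hop-by-hop, altered at hop 0", hop_by_hop(MSG, LINK_KEYS, rewrite_at=0)),
        ("end-to-end, untouched", end_to_end(MSG, E2E_KEY, hops=2)),
        ("end-to-end, altered at hop 0", end_to_end(MSG, E2E_KEY, hops=2, rewrite_at=0)),
    ]:
        print(f"{name}: receiver check passed = {result[1]}")
```

In the second case the receiver's check passes on an altered message, which is the hop-by-hop weakness named above. The fourth case shows why an IPX provider that has to change messages under end-to-end protection must take part in the key exchange.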

Hosted vs. Outsourced SEPP solutions

While traditional roaming hubs and value-added services may face challenges in deploying 5G security, IPX providers have the opportunity to expand their offerings by providing hosted or outsourced SEPP solutions. The key distinction between these models lies in where the SEPP is deployed and who manages it within the 5G interconnect security architecture.
In the Hosted SEPP model 2.2, the Mobile Network Operator (MNO) hosts and operates its own SEPP within its domain. This Public Mobile Network SEPP (PMN SEPP* in the image below) resides within the operator’s network, ensuring direct control over security, integrity/encryption, and interconnect signaling traffic towards the Service Provider SEPP (SP SEPP) via the N32s interface. To facilitate secure interconnection with external networks, the MNO relies on a Service Provider SEPP (SP SEPP) provided by an IPX partner or hosting provider. This setup allows the MNO to maintain independent security policies while leveraging external infrastructure for roaming services and interconnectivity. The IPX-hosted SEPP (HS SEPP) acts as a secure intermediary for signaling traffic between multiple operators, handling encryption, integrity protection, and interconnect security functions.

source: GSMA PRD NG.113

In the Outsourced SEPP model 2.1 (as shown in the image below), the MNO relies on an IPX provider to host and manage the SEPP on its behalf, rather than deploying its own SEPP infrastructure. The outsourced SEPP also means less control over security policies and key management, as these are handled by the IPX provider rather than the MNO itself. Model 2.1 allows operators to adopt secure 5G roaming more quickly without investing in their own SEPP infrastructure. A drawback of model 2.1 is that operators have to expose their SBI interfaces outside of their own network. These SBI interfaces must be secured by TLS or a VPN connection between the PLMN and the Outsourced SEPP. The model is particularly beneficial for smaller MNOs, as it provides a cost-effective, scalable alternative that helps them compete with larger players, despite the disadvantages.

source: GSMA PRD NG.113

Future of SEPP and 5G roaming

As the GSMA and the 5GMRR group continue to refine SEPP standards such as the 5G Roaming Guidelines (NG.113), service providers are moving ahead with deployments. Independent vendors like BroadForward have already been deploying SEPP, and have been bridging gaps where standardization lags.
IPX providers play a key role in the momentum of 5G penetration, offering hosted SEPP solutions that make secure 5G roaming accessible to more operators. As 5G roaming expands, the combined efforts of operators, vendors, and IPX providers are building a more secure and interoperable future.

BroadForward’s leadership in SEPP technology

BroadForward is a leader in SEPP technology, offering flexible, feature-rich, and cost-efficient solutions that have accelerated global 5G adoption. The BroadForward SEPP powered the first international 5G SA roaming connection. BroadForward’s technology is highly attractive due to its seamless integration with multiple generations of network functionality across different vendors. This interoperability eliminates vendor lock-in, while giving operators the flexibility to adapt as network technologies evolve.