Security Edge Protection Proxy (SEPP)

The BroadForward Security Edge Protection Proxy (BroadForward SEPP) enables secure interconnect between 5G networks. The SEPP ensures end-to-end confidentiality and/or integrity between source and destination network for all 5G interconnect roaming messages.

5G interconnect: achieving end-to-end confidentiality and integrity
The BroadForward SEPP enables operators to achieve end-to-end confidentiality and integrity between source and destination network for designated message elements. Unlike its 4G predecessor (DEA), the SEPP is defined as a mandatory function for MNO interconnect for roaming between standalone 5G cores which can be found in the 5G standards (e.g. 3GPP TS 23.501 and TS 23.502).

Realization of the use for a SEPP in a 5G Service Based Architecture (SBA) core is defined in TS 29.500. Additional technical specifications such as for 5G security and SEPP in particular are defined in TS 33.501 and TS 29.573.  The SEPP provides 5G core signaling functionality:

• A separate security negotiation interface (N32-c) and an end-to-end encrypted application interface (N32-f)
• TLS security as a minimum between two SEPPs for N32c and N32f interfaces
• Optional encapsulation of HTTP/2 core signaling messages using JOSE protection for N32-f transmission (PRINS)
• Trusted intermediary IPX nodes to read and possibly modify specific IEs in the HTTP message, while completely protecting sensitive information end-to-end when PRINS is applied.

For 5G networks interconnect links between two network domains must be secured by at least a TLS connection. Unlike the currently used unsecured TCP and SCTP Diameter connections in 4G with the Diameter Edge Agent (DEA). This greatly improves security in interconnect scenarios between (5G) networks and makes it more difficult for fraudsters to read, alter or manipulate message content. When PRINS is applied, operators (MNOs) control what JSON information elements are readable or non-readable (encrypted) and which elements can be manipulated in the intermediate IPX crossings making end-to-end encryption possible by applying encryption on the application layer (layer 7) preventing intermediate hops access to the message content without prior consent. This control is provided using JSON Web Encryption (JWE), JSON Web Security (JWS) and the ability to specify which information elements can be modified by the IPX.
IPX providers need a public key provided by the MNO’s to access message content to perform mediation for the agreed elements.

BroadForward SEPP
The BroadForward SEPP runs on BFX, a single engine product design enabling operators to achieve consolidation of network functions, operations, management and licenses. The BroadForward SEPP offers a turn-key unique flexible solution through an extensive, integrated set of routing and service creation capabilities. It supports the SEPP specific standards defined in TS 29.573 and the 5G security standard defined in TS 33.501 as well as the general 5G Service Based Architecture definition defined in TS 29.501. In addition the HTTP/2 interface developed by BroadForward is based on open standards (RFC 9113) and supports all signaling scenarios for both direct NF connectivity as well as via a Service Communication Proxy (SCP). The BroadForward SEPP automatically registers itself in any available NRF function for easy integration with other 5G Network Functions in the hPLMN. Optionally the BroadForward SEPP can support Dynamic (SEPP) peer discovery using available DNS systems to establish connections to remote SEPPs anywhere in the world without prior peer configuration. The use of its List Profile function allows operators to create interconnect path preferences. This allows operators to specify a preferred connection path for a specific destination. For an IPX provider the same List Profile function can be used to create interconnect roaming policies.

 The BroadForward SEPP is a 100% software solution by design including support for:

• NRF registration for SEPP
• N32c interface support with TLS
• N32f interface support with TLS
• Dynamic peer discovery via DNS for remote SEPP service
• NRF service discovery, subscription and notification
• OAuth2 support for peer authentication
• Certificate management (creation, upload/download, validity checking)
• Flexible routing on any parameter (non-encrypted for IPX SEPP)
• Powerful (any-to-any) interworking across all supported protocols (including SS7, Diameter, RADIUS, HTTP, LDAP, ENUM, etc.)
• Single view, reporting, GUI based management, provisioning
• License mix across all supported protocols, not just HTTP/2
• Single IT integration (List provisioning, lookups, reporting, etc.)
• Support for the N32-f and the N32-c interfaces
• Support for PRINS (PRotocol for N32 INterconnect Security, JWE/JWS) – Final scope is pending ongoing discussions and decision-making in the industry specification bodies regarding 5G roaming (roadmap)
• Support for transport layer security (TLS) up to version 1.3
• Support security key management with time-overlap support (roadmap)
• Supports message modification instruction inclusion via JSON PATCH method (roadmap)
• Support for remote SEPP authorization/authentication including OAuth2
• Support for malformed N32 messages detection
• Support for 5G firewalling according FS.36 (roadmap)
• Support for load balancing
• Support for Egress/Ingress limitation
• Supporting high available and geo-redundant deployment models
• Full GUI based signaling orchestration and system management, configurable service logic, no need for scripting or development
• Optional (on-board) support for:
  • BroadForward Diameter Edge Agent (DEA)
  • BroadForward 5G Service Communication Proxy (SCP)
  • BroadForward 5G Steering of Roaming (5GSoR TS 29.550)
  • BroadForward Signaling Transfer Point (STP)

Combining network functions
The BroadForward SEPP runs on a unique single engine software design, allowing operators to combine multiple functions on the same platform. This provides many benefits, such as:

• Reduction of integration points, and on-board capability for interworking and interoperability
• Centralized and uniform IT integration, signaling management, configuration, provisioning, route management, reporting and control
• Centralized and uniform use of common network applications (e.g. Firewall, Number Portability, Steering of Roaming)
• Strong capability to interwork between different technologies (e.g. HTTP/2 & Diameter)
• Easy to operate, uniform operations across domains
• Single capacity license with free traffic mix across supported protocols

Hardware-agnostic solution, supporting Kubernetes, NFV
The BroadForward SEPP runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software-based solution, hardware-agnostic and support virtualization and cloud deployment as well as containerized application deployment. The BroadForward SEPP does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward SEPP on a common (shared) platform supports operators and vendors in migrating away from proprietary based appliance systems to a standards based, hardware agnostic, software only, infrastructure.