GTP and The Evolution of Roaming
Mobile traffic using GPRS Tunneling Protocol (GTP) has exploded over the last couple years, largely due to elimination of international roaming price barriers that previously discouraged subscribers from using the service. Global international roaming traffic – voice and data – is expected to grow 32X by 2022 and to reach over 1.5 Mb per subscriber annually.
How will GTP and roaming change with 5G and what will operators need to do to secure that traffic and their network? This blog post describes roaming and its use of GTP and discusses the evolution of GTP and roaming in 5G, rise of new threats and the GTP firewall solution offered by A10 Networks.
How will Roaming Evolve with 5G?
The 5G evolution will impact all aspects of “mobile roaming,” including the network requirements, the subscriber usage, and business models.
Roaming Network Requirements
The roaming network specifications were created to enable subscribers to move seamlessly between networks and to provide operators a mechanism to recoup costs from traffic generated by non-subscribers. In 4G networks, roaming partners are connected through the S8 interface using GTP.
According to 3GPP (release 15), in roaming architectures for 5G standalone networks, the GTP user plane is separated from the control plane. The user plane will still use GTP, but for the control plane, the home roaming partners are connected through a new function, the Security Protection Proxy (SEPP), using http/2 protocol. The embedded application layer encryption at the SEPP will provide additional protection against the known inter-exchange/roaming vulnerabilities that exist in SS7 and DIAMETER protocols, but an Layer 7 firewall will still be required to protect the SEPP control plane. 5G will also add native support for a secure steering of roaming (SoR).
The 5G SoR solution enables the home network operator to steer its customers while roaming to its preferred visited partner networks to enhance roaming customers’ experience, reduce roaming charges and preventing roaming fraud.
Figure 1. Firewalls needed in 5G Security Edge Protection Proxy
Subscriber Traffic and Usage
Over the next five years, mobile subscriptions will increase a modest 2 percent annually to 8.9 billion, according to Ericsson, but cellular IoT connections will quadruple to over 4 billion. Data traffic per smartphone will increase six-fold to 21 GB/month (Ericsson Mobility Report, November 2018). This includes all types of cellular devices – smartphones, IoT wearables, tablets and others – which will all roam with the subscriber.
5G is needed to carry the volume and diversity of this traffic, with seamless interconnection everywhere a vital part of every MNO value proposition.
The 2017 EU Roam Like at Home legislation now prohibits excessive roaming fees, and many other non-EU countries are following suit. With worldwide international tourist arrivals (overnight visitors) reaching a 1.4 billion in 2018, mobile operators have realized that their subscribers expect a seamless (and reasonably priced) experience – wherever they travel and whatever devices they use.
“European subscribers have enjoyed being able to ‘Roam Like at Home’ and now seek high quality, affordable roaming services, wherever they travel. This is forcing operators in other regions outside of the EU to match the European offering by coming together to offer more cost-effective packages to subscribers, while optimising traffic flow at the back-end.”
Roaming Business Model
Besides the technical interconnection requirements, roaming includes a contractual arrangement between operators who agree to carry traffic for each other’s subscribers through bi-lateral peering agreements or through agreements with GRX/IPX providers.
In roaming scenarios, generally, the subscriber is billed by his home network operator for roaming use and the visited network bills the home network operator for carrying the traffic – per the roaming agreement. If a GRX is used, then there is a settlements process. This type of interconnection model and the mobile charging models (originator or calling party pays) is very different than that adopted by the internet ecosystem. This model is based on bandwidth consumption and uses peering agreements where both origination and termination parties are charged.
There is debate in the mobile industry about the inefficiencies and complexity of the roaming model. Concerns with this model include the high cost of international calls where a home network effectively pays for termination into its own market and the administrative costs for volume forecasts and commitments, base rates, incremental rates and manual accounting that often lead to settlement disagreements. As mobile networks move closer to the all-IP internet model and operators compete with OTT and other service providers for subscribers and traffic, the roaming interconnection model as is can put mobile operators at a competitive disadvantage.
According to the GMSA (“Next-generation Interconnection and Roaming Analysis for Mobile Services”, July 2016),
There could be an opportunity to shape a next-generation interconnection model in a less complex way and therefore reduce costs for implementation of charging. The next generation interconnection model could be made to be closer to the existing internet interconnection regimes (IP peering and transit), at least for any service beyond voice
Roaming was originally designed based on a trust model. That is, it assumes that the operator has at least a moderate trust relationship with any roaming partner. Otherwise, why would they allow that operator’s subscribers to use the network? It was a reasonable assumption since originally, roaming traffic was not that high; the number of potential roaming partners was relatively small and they were limited to like-minded mobile network operators. Although GTP used in roaming has known vulnerabilities, the authentication mechanisms of each roaming partner plus the roaming agreement were considered adequate by many operators to prevent unintentional or malicious peer activity. As such, many did not deploy a GTP firewall in their 4G implementations.
However, the mobile roaming ecosystem, traffic dynamics and threat landscape have dramatically changed over the last few years and will continue to change as 5G progresses. For 5G, as described earlier, the roaming interconnection model defined by 3GPP includes additional security measures, but GTP will continue to be used.
What is GTP?
GPRS Tunneling Protocol (GTP) is an IP-based communications protocol, including control and data plane components, that is used to carry general packet radio service (GPRS) within GSM, UMTS (3G) and LTE (4G) networks as specified by 3GPP in various interface points. In LTE networks, these interfaces include roaming (S8), RAN-SGW (S1-U), and between core network elements SGW-PGW (S5), and MME-SGW (S11). GTP includes a user plane component (GTP-U) and a signaling or control plane component (GTP-C). GTP is used to establish a GTP tunnel, or channel between user equipment and mobile network nodes (serving gateways and packet gateways) in order to exchange user and control data.
Figure 2. GTP and Firewalls used in 4G and 5G NSA Networks
Risks and Vulnerabilities of GTP
GTP is extremely useful in facilitating the transmission of mobile data traffic within and between mobile networks and it has been used in 2.5G, 3G and 4G networks. However, it was designed when mobile networks were considered unbreachable, and so it has no inherent security. GTP depends instead upon security provided through the authentication or authorization of the UE and subscriber from the home network operator. As a result, GTP has a number of security vulnerabilities that can be exploited by malicious actors or careless roaming partners.
GTP was never designed with security in mind, and therefore, it has no inherent security mechanisms such as validating message integrity or sender authenticity. The GTP protocol security vulnerabilities and attack vectors have been well known by the industry and are documented in GSMA FS.20 – GPRS Tunneling Protocol Security and IR.88, LTE and EPC Roaming Guidelines, and others. Three categories of common attacks are identified in FS.20 – information gathering, subscriber denial of service and fraud, in addition to more advanced attacks from malicious peers or faulty peer behavior. There are a number of counter measures available, including the deployment of a GTP firewall between the EPC and IPX roaming network.
Most operators have experienced the common GTP attacks. Attackers try to exploit vulnerabilities by abusing GTP interfaces exposed to the network. These attackers can include cybercriminals or malicious peers that have been able to control the GRX/IPX roaming links. These attacks target both mobile subscribers and mobile network infrastructure. Common GTP security issues include confidential data disclosures, denial of service, network overloads, and a range of fraud activities. And as traffic volume and usage has grown in 4G and soon in 5G, so do the risks.
In 5G, additional security measures have been added, but GTP will continue to play an important role, especially in roaming.
As operators move towards 5G, with likely a 4G common core for many years, the risks inherent in GTP continue to grow against a much larger volume of traffic and applications. Roaming traffic, with its high complexity and large number of interconnect partners and hubs, can be an especially vulnerable and attractive target for malicious actors.
A10 Networks’ GTP firewall protects networks and subscribers against the GTP vulnerabilities identified by the GSMA. The highly scalable 5G solution is available in physical, virtual, and container forms and so assures operators that they can protect their networks and subscribers, and maintain the high performance demanded by subscribers throughout the entire 4G to 5G journey.
For more information, please download the GTP Firewall solution brief