Introduction
The SecGW (security gateway) is a security component in a 3GPP wireless network, such as 4G LTE or 5G: fundamentally, it provides a security layer between access (Radio Access Network or RAN) and core.
The role of SecGW was first introduced in 2008 in Release 8 by 3GPP, as the evolution from 3G to 4G LTE was defined and ratified. Its adoption from Release 8 was in part driven by the evolution to all-IP networks known as SAE (System Architecture Evolution).
This all-IP approach utilizes IP-based protocols for communication across the network and its logical functions. SecGW focuses on the RAN and its communication with core elements. This communication runs over a distinct, logical reference interface named S1, which is split into two logical sub-interfaces:
- S1-MME to carry control plane communications between the eNB and the MME (using S1-AP protocol messages)
- S1-U to carry user plane communications between the eNB and the SGW (using GTP-U)
These logical reference interfaces utilize a common set of protocols for transporting the control and user plane communications:
- SCTP is used for transporting the S1-AP control plane communications.
- UDP is used for transporting GTP-U.
As the SAE has evolved with 5G, some of these interfaces have changed slightly. Logically, two distinct reference interfaces are still used: N2 and N3. The N2 interface carries the control plane communications from the gNB to the AMF (using NG-AP protocol messages), and the N3 interface carries the user plane communications from the gNB to the UPF (using GTP-U).
An important factor is that neither SCTP nor the S1-AP/NG-AP messages it carries have any inherent security functions or controls. The same is true for UDP and the GTP-U messages it carries. As a result, the messages and data are carried in the clear, without any form of confidentiality, integrity protection, or authorization. This presents a security risk for a variety of reasons not covered in this document. However, additional technology can mitigate this risk and ensure a level of security for these critical communications.
Because of the need to support a standards-based approach, IKEv2 with IPsec was chosen as the most appropriate solution to achieve a number of key requirements:
- Protect the core network from RAN security threats.
- Authenticate RAN network elements, specifically radio base stations, such as eNBs and gNBs, to ensure only authenticated and authorized network elements can connect to the core domain.
- Provide integrity, confidentiality, and replay protection to both user and control planes.
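To make the gap described above concrete, here is an added example (not code from the original document or from any SecGW product) that audits flow records from the RAN-to-core transport and reports S1-MME, N2 and S1-U/N3 traffic that is not carried inside an IPsec ESP tunnel. It assumes the IANA-registered transport ports for S1-AP (SCTP 36412), NG-AP (SCTP 38412) and GTP-U (UDP 2152), which the text itself does not quote, and uses constructed sample flows.

```python
from dataclasses import dataclass
from typing import List, Optional

# Transport ports of the interfaces the text describes. These are the
# IANA-registered values (assumed here; the page itself quotes no ports).
S1AP_SCTP_PORT = 36412   # S1-MME: S1-AP over SCTP (eNB <-> MME)
NGAP_SCTP_PORT = 38412   # N2:     NG-AP over SCTP (gNB <-> AMF)
GTPU_UDP_PORT = 2152     # S1-U / N3: GTP-U over UDP (eNB/gNB <-> SGW/UPF)
IP_PROTO_SCTP, IP_PROTO_UDP, IP_PROTO_ESP = 132, 17, 50

@dataclass
class Flow:
    """One observed flow summary, e.g. from NetFlow or a packet capture."""
    src: str
    dst: str
    ip_proto: int
    dport: Optional[int] = None

def classify(flow: Flow) -> str:
    """Map a flow onto the logical reference interface it carries."""
    if flow.ip_proto == IP_PROTO_ESP:
        return "ipsec"                      # wrapped by the SecGW tunnel
    if flow.ip_proto == IP_PROTO_SCTP and flow.dport == S1AP_SCTP_PORT:
        return "S1-MME"
    if flow.ip_proto == IP_PROTO_SCTP and flow.dport == NGAP_SCTP_PORT:
        return "N2"
    if flow.ip_proto == IP_PROTO_UDP and flow.dport == GTPU_UDP_PORT:
        return "S1-U/N3"
    return "other"

def find_unprotected(flows: List[Flow]) -> List[str]:
    """Report control/user-plane flows seen in the clear on the transport.
    Any S1/N2/N3 flow outside ESP has no confidentiality, integrity or
    replay protection, which is exactly the gap the SecGW is meant to close."""
    findings = []
    for f in flows:
        iface = classify(f)
        if iface in ("S1-MME", "N2", "S1-U/N3"):
            findings.append(f"{iface} in clear: {f.src} -> {f.dst}:{f.dport}")
    return findings

# Constructed sample flows (addresses are illustrative, not from the page).
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.1", IP_PROTO_ESP),           # eNB -> SecGW: fine
    Flow("10.10.1.6", "10.30.0.10", IP_PROTO_SCTP, 36412),  # eNB -> MME, S1-AP in clear
    Flow("10.10.1.6", "10.30.0.20", IP_PROTO_UDP, 2152),    # eNB -> SGW, GTP-U in clear
    Flow("10.10.2.7", "10.30.0.30", IP_PROTO_SCTP, 38412),  # gNB -> AMF, NG-AP in clear
    Flow("10.10.1.6", "10.30.0.40", 6, 443),                # unrelated HTTPS: ignored
]

if __name__ == "__main__":
    for line in find_unprotected(SAMPLE_FLOWS):
        print(line)
```

Run against real flow exports from the transport between the base stations and the core, an empty result is the expected state once every eNB/gNB has been brought behind the SecGW.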