Mobile traffic using GPRS Tunnelling Protocol (GTP) has exploded over the last couple of years. This is largely due to the elimination of international roaming price barriers that previously discouraged subscribers from using the service. Global international roaming traffic – voice and data – is expected to grow 32X by 2022 and to reach over 1.5 Mb per subscriber annually.
How will GTP and roaming change with 5G? What will operators need to do to secure that traffic and their network? This article describes roaming and its use of GTP. It also discusses the evolution of GTP and roaming in 5G, the rise of new threats, and the use of a GTP firewall solution.
How will Roaming Evolve with 5G?
The 5G evolution will impact all aspects of “mobile roaming,” including the network requirements, the subscriber usage, and business models.
Roaming Network Requirements
The roaming network specifications were created to enable subscribers to move seamlessly between networks. They also provide operators a mechanism to recoup costs from traffic generated by non-subscribers. In 4G networks, roaming partners are connected through the S8 interface using GTP.
According to 3GPP, a global initiative that unites telecommunications standards development organisations, the roaming architecture for 5G standalone networks separates the GTP user plane from the control plane. The user plane will still use GTP. For the control plane, however, the home roaming partners are connected through a new function, the Security Edge Protection Proxy (SEPP), using the HTTP/2 protocol.
The embedded application layer encryption at the SEPP will provide additional protection against the known inter-exchange/roaming vulnerabilities that exist in the SS7 and DIAMETER protocols. However, an L7 firewall will still be required to protect the SEPP control plane. 5G will also add native support for secure steering of roaming (SoR). The 5G SoR solution enables the home network operator to steer its customers, while roaming, to its preferred visited partner networks. This allows the operator to enhance roaming customers’ experience, reduce roaming charges and prevent roaming fraud.
Subscriber Traffic and Usage
Over the next five years, Ericsson claims mobile subscriptions will increase a modest 2 percent annually to 8.9 billion. By comparison, cellular IoT connections will quadruple to over 4 billion. Data traffic per smartphone will increase six-fold to 21 GB/month (Ericsson Mobility Report, November 2018). This includes all types of cellular devices – smartphones, IoT wearables, tablets and others – which will all roam with the subscriber.
5G is needed to carry the volume and diversity of this traffic, with seamless interconnection everywhere a vital part of every MNO value proposition.
The 2017 EU Roam Like at Home legislation now prohibits excessive roaming fees, and many other non-EU countries are following suit. Worldwide international tourist arrivals (overnight visitors) reached 1.4 billion in 2018. Mobile operators know that their subscribers expect a seamless (and reasonably priced) experience – wherever they travel and whatever devices they use.
Roaming Business Model
Besides the technical interconnection requirements, roaming includes a contractual arrangement between operators. The agreement is that they carry traffic for each other’s subscribers through bi-lateral peering agreements or through agreements with GRX/IPX providers.
In roaming scenarios, generally, the subscriber is billed by his home network operator for roaming use. The visited network bills the home network operator for carrying the traffic, per the roaming agreement. If a GRX is used, then there is a settlements process. This type of interconnection model, together with the mobile charging models (originator or calling party pays), is very different from that adopted by the internet ecosystem. The internet model is based on bandwidth consumption and uses peering agreements where both origination and termination parties are charged.
There is debate in the mobile industry about the inefficiencies and complexity of the roaming model. Concerns with this model include:
- The high cost of international calls, where a home network effectively pays for termination into its own market.
- The administrative costs for volume forecasts and commitments.
- Base rates.
- Incremental rates.
- Manual accounting that often leads to settlement disagreements.
Mobile networks are moving closer to the all-IP internet model. Operators are competing with OTT and other service providers for subscribers and traffic. The result is that the roaming interconnection model, as is, can put mobile operators at a competitive disadvantage.
According to the GSMA (“Next-generation Interconnection and Roaming Analysis for Mobile Services”, July 2016), “There could be an opportunity to shape a next-generation interconnection model in a less complex way and therefore reduce costs for implementation of charging. The next generation interconnection model could be made to be closer to the existing internet interconnection regimes (IP peering and transit), at least for any service beyond voice.”
Roaming was originally designed based on a trust model. That is, it assumes that the operator has at least a moderate trust relationship with any roaming partner. Otherwise, why would they allow that operator’s subscribers to use the network? It was a reasonable assumption since originally:
- Roaming traffic was not that high.
- The number of potential roaming partners was relatively small.
- They were limited to like-minded mobile network operators.
Although GTP used in roaming has known vulnerabilities, the authentication mechanisms of each roaming partner plus the roaming agreement were considered adequate by many operators to prevent unintentional or malicious peer activity. As such, many did not deploy a GTP firewall in their 4G implementations.
However, the mobile roaming ecosystem, traffic dynamics and threat landscape have dramatically changed over the last few years. They will continue to change as 5G progresses. For 5G, as described earlier, the roaming interconnection model defined by 3GPP includes additional security measures, but GTP will continue to be used.
What is GTP?
GPRS Tunnelling Protocol (GTP) is an IP-based communications protocol, including control and data plane components. It is used to carry general packet radio service (GPRS) within GSM, UMTS (3G) and LTE (4G) networks as specified by 3GPP in various interface points. In LTE networks, these interfaces include roaming (S8), RAN-SGW (S1-U), and between core network elements SGW-PGW (S5), and MME-SGW (S11).
GTP includes a user plane component (GTP-U) and a signalling or control plane component (GTP-C). GTP is used to establish a GTP tunnel, or channel between user equipment and mobile network nodes (serving gateways and packet gateways) in order to exchange user and control data.
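To make the GTP-U / GTP-C split concrete, the following added example (not part of the original article or any vendor product) parses the fixed GTP header and flags header-level anomalies, the kind of basic sanity check a GTP-aware filter applies before deeper inspection. Header layouts follow 3GPP TS 29.060, TS 29.274 and TS 29.281; the function name and the sample datagrams are hypothetical and constructed for illustration.

```python
import struct

# Registered UDP ports for the two GTP planes.
PLANE_BY_PORT = {2123: "GTP-C", 2152: "GTP-U"}

def inspect_gtp(dst_port: int, payload: bytes) -> dict:
    """Parse the fixed GTP header and report header-level anomalies."""
    out = {"plane": PLANE_BY_PORT.get(dst_port), "version": None,
           "msg_type": None, "teid": None, "anomalies": []}
    if out["plane"] is None:
        out["anomalies"].append("not a GTP port")
        return out
    if len(payload) < 8:
        out["anomalies"].append("truncated header")
        return out
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    version = flags >> 5                      # top three bits of octet 1
    out.update(version=version, msg_type=msg_type)
    if version == 1:
        # GTPv1 (GTP-U, older GTP-C): TEID always present; the length
        # field counts everything after the 8 mandatory octets.
        out["teid"] = struct.unpack("!I", payload[4:8])[0]
        declared = 8 + length
    elif version == 2 and out["plane"] == "GTP-C":
        # GTPv2-C: TEID only present when the T flag (0x08) is set; the
        # length field counts everything after the first 4 octets.
        if flags & 0x08:
            out["teid"] = struct.unpack("!I", payload[4:8])[0]
        declared = 4 + length
    else:
        out["anomalies"].append("unexpected version for this plane")
        return out
    if declared != len(payload):
        out["anomalies"].append("length field does not match datagram size")
    return out

# Constructed sample datagrams (not captured traffic).
# GTPv2-C Echo Request: no TEID, sequence 1, one Recovery IE.
ECHO_REQ = bytes([0x40, 0x01]) + struct.pack("!H", 9) \
    + bytes([0, 0, 1, 0]) + bytes([0x03, 0x00, 0x01, 0x00, 0x05])
# GTPv1-U G-PDU (type 0xFF) carrying 20 octets for tunnel 0x1A2B3C4D.
G_PDU = struct.pack("!BBHI", 0x30, 0xFF, 20, 0x1A2B3C4D) + bytes(20)
# Same G-PDU with a length field claiming more data than was sent.
BAD_LEN = struct.pack("!BBHI", 0x30, 0xFF, 400, 0x1A2B3C4D) + bytes(20)

if __name__ == "__main__":
    for name, port, pkt in [("echo", 2123, ECHO_REQ), ("g-pdu", 2152, G_PDU),
                            ("bad-len", 2152, BAD_LEN)]:
        print(name, inspect_gtp(port, pkt))
```

The check covers only the fixed header; it does not validate information elements, tunnel state, or whether the sending peer is an authorised roaming partner.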
Risks and Vulnerabilities of GTP
GTP is extremely useful in facilitating the transmission of mobile data traffic within and between mobile networks. It has been used in 2.5G, 3G and 4G networks. However, designed when mobile networks were considered unbreachable, it has no inherent security. GTP depends instead upon security provided through the authentication or authorization of the UE and subscriber from the home network operator. As a result, GTP has several security vulnerabilities that can be exploited by malicious actors or careless roaming partners.
Most operators have experienced the common GTP attacks. Attackers try to exploit vulnerabilities by abusing GTP interfaces exposed to the network. These attackers include cybercriminals or malicious peers that have been able to control the GRX/IPX roaming links. Attacks target both mobile subscribers and mobile network infrastructure. Common GTP security issues include confidential data disclosures, denial of service, network overloads, and a range of fraud activities. As traffic volume and usage have grown in 4G, and will soon grow in 5G, so have the risks.
Additional security measures have been added in 5G. However, GTP will continue to play an important role, especially in roaming.
Operators moving towards 5G will use a 4G common core for many years. This means the risks inherent in GTP will continue to grow against a much larger volume of traffic and applications. Roaming traffic, with its high complexity and large number of interconnect partners and hubs, can be an especially vulnerable and attractive target for malicious actors.
A GTP firewall protects networks and subscribers against the GTP vulnerabilities identified by the GSMA. A highly scalable 5G solution is available in physical, virtual, and container forms. It assures operators that they can protect their networks and subscribers, and maintain the high performance demanded by subscribers throughout the entire 4G to 5G journey.
A10 Networks (NYSE: ATEN) provides Reliable Security Always™, with a range of high-performance application networking solutions that help organisations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.