Oracle® Communications Security Edge Protection Proxy (SEPP) Cloud Native User's Guide
Release 1.0
F16984-01

Introduction

This section describes the role of the Security Edge Protection Proxy (SEPP) in the 5G Service Based Architecture. Although the SEPP is not a Network Function instance, it can also be deployed as a fully distributed, fully redundant, stateless, and fully scalable component.

The Security Edge Protection Proxy (SEPP) is a non-transparent proxy that sits at the perimeter of the PLMN network and enables secured communication for inter-PLMN network messages. The SEPP supports the following functions:
  • Provides authentication, confidentiality protection, and integrity protection for inter-PLMN SBI signaling traffic between 5GC NFs.
  • Implements the N32 interface towards the interconnect between vSEPP network elements:
    • N32-C: Used for context management, that is, security capability negotiation and parameter exchange, which includes cipher suite negotiation and protection policies. Protection policies allow intermediate IPX providers to modify messages.
    • N32-F: Used for forwarding inter-NF signaling across PLMNs.
  • Provides topology hiding functionality by hiding the internal topology information of a PLMN from external parties.
  • The flexible routing control and resiliency features of SEPP allow routing of inter-PLMN ingress messages to core network NFs and routing of inter-PLMN egress messages to the interconnect. SEPP also supports alternate routing in the case of an error message from the vSEPP, or retries the request with the same provider in the case of a timeout.
  • Supports configuration of roaming partner profiles and IPX provider profiles, which are used for inter-PLMN routing of messages.
To protect messages that are sent over the N32 interface, SEPP:
  • receives all service layer messages from the Network Function (NF) and protects them before sending them out of the network on the N32 interface and
  • receives all messages on the N32 interface and forwards them to the appropriate Network Function after verifying security, where present.

The SEPP implements transport layer security (TLS) for all the service layer information exchanged between two NFs across two different PLMNs.