1

When using 4g or other cellular networks, while roaming, mobile carriers transfer data between each other, something I've seen refered to as "ITS: Internation Transit Service" how does that work and how is it secured?

Does anyone have some insight into what sort of security measures are taken between mobile carriers when roaming, is there a standard, or how do they even integrate?

Jim Wolff
  • 131
  • 4

1 Answers1

1

TL;DR: Thanks to IPX interconnections and thus thanks to IPSec most of the time.

A good reference about this would be the official IR.88 LTE and EPC Roaming Guidelines by the GSM Association. Otherwise a good read, although not specifically about roaming would the the Wikipedia IMS Security page.

The communication between NGN networks is typically secured using IPSec ESP tunnels with IKE between their SEGs (security gateways) (or SEPP for 5G (Security Edge Protection Proxy)). These SEG comes from 3GPP 33.310 specification (and also the older 33.210) along with its cross-certification and Bridge CA guidelines that enables mutual trust between the operators. This spec also mentions the IPSec ESP tunnels and the way IKE is used to establish a connection. SEGs are meant to provide access control through authentication, and traffic confidentiality and integrity through encryption.

Now, about the specifics for roaming, in order to enable 4G roaming, you need links between the mobile networks LTE/ePC (when roaming LTE), which means:

  • Signalling links SCTP/IP for the DIAMETER traffic between the guest network and the home network. This links are required to exchange the signalling between the MME/S4-SGSN of the guest network and the HSS of the host network. This typically uses IPSec EPS tunnels.
  • Interconnection links for transporting the IP packets from the guest to the home network, this is also known as IPX (IP Exchange) network.
    Notice that the IPX network is not addressable from the Internet, which is supposed to make attacks more difficult, but is akin to security by obscurity... But individual operator traffic is segregated, which effectively makes any security breach a "local concern" rather than a global one. Overall the IPX network is considered "trusted", but again IPSec EPS is the usual security protocol for these channels.

Now things can be a bit different for roaming CSFB or for roaming VoLTE, but the IPX and IPSec are still there.

Also, sometimes IPX is replaced by GRX and its GPT tunnels instead, but GPT tunnels are typically protected using... you've guessed: IPSec!

Notice that when communicating with traditional VoIP networks, this changes a bit and the security is usually relying on TLS connection to the P-CSCF, and you'll have the S-CSCF (Serving Call Session Control Function) server that handle access control.

Now, you might ask "Why is IPSec everywhere here?", well, this is simply because IPSec is a good way to secure things at the "network layer" (layer 3 as per OSI model), which is "deep down", compared to TLS that is operating (as it names implies) at the transport layer or above (it is often considered layer 6 or 7). This means that IPSec is ideal to wrap these "higher" protocols such as SCTP that is operating at the transport level, layer 4, or DIAMETER that is operating at the application layer, layer 7.

Lery
  • 138
  • 5