5G NR International Roaming SEPP


Article by Abhijeet Kumar

1. What is SEPP?

SEPP is a logical network function in the 5G Core, designed to secure inter-PLMN communication when a subscriber is roaming.

  • It sits at the edge of the operator’s network, acting as a gateway for signaling traffic between networks.
  • It works on the N32 interface, which is dedicated to communication between different PLMNs.

👉 Without SEPP, HTTP/2 signaling messages between operators would be exposed to threats.




2. Why SEPP is Needed in 5G

In legacy networks:

  • 2G/3G used SS7 signaling (insecure, easily hackable).
  • 4G used Diameter (better but still exposed to attacks).
  • 5G uses HTTP/2-based Service-Based Architecture (SBA), which brings flexibility but also new risks.

Threats in 5G roaming:

  • Eavesdropping: Sensitive subscriber info (IMSI, keys) could be leaked.
  • Topology exposure: Reveals IPs and NF (Network Function) names of the operator.
  • Tampering: Attackers could modify signaling messages in transit.
  • Spoofing & Replay attacks: Fake or reused messages could disrupt service.

👉 SEPP was introduced to encrypt, validate, and hide critical roaming signaling.




3. Key Functions of SEPP

🔐 (a) Security

  • Confidentiality: Uses JWE (JSON Web Encryption) to protect sensitive information inside signaling messages.
  • Integrity: Uses JWS (JSON Web Signature) to ensure the message has not been altered.
  • Authentication: Certificates ensure only trusted SEPPs can talk.

📍 Example: Subscriber’s SUPI (IMSI) or authentication vectors are encrypted before leaving one PLMN.


🧭 (b) Topology Hiding

  • SEPP removes or masks sensitive details about the internal network:

👉 This prevents one operator from learning how another’s network is built, protecting confidential business information.
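A sketch of the masking step, added here as an illustration and not taken from the article or from any SEPP product: internal NF host names and private IPv4 addresses in an outbound message body are replaced with keyed pseudonyms under the SEPP's public domain, and a reverse table kept inside the SEPP maps them back. The domains, key, field names and the private-address rule are assumptions.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed values (assumptions): internal domain, public SEPP domain, hiding key.
INTERNAL = ".5gc.mnc001.mcc001.3gppnetwork.org"
PUBLIC = ".sepp.mnc001.mcc001.3gppnetwork.org"
KEY = b"constructed-demo-key"
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*" + re.escape(INTERNAL))
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Constructed outbound message body, already decoded from JSON.
SAMPLE = {
    "amfUri": "https://amf01.cluster2.5gc.mnc001.mcc001.3gppnetwork.org:8443/namf-comm/v1",
    "callback": "http://10.20.30.40:8080/notify",
    "plmnId": {"mcc": "001", "mnc": "001"},
}


class TopologyHider:
    """Swap internal host names and private IPv4 addresses for stable pseudonyms."""
    def __init__(self):
        self.reverse = {}  # pseudonym -> real target; never leaves the SEPP

    def _alias(self, real):
        tag = hmac.new(KEY, real.lower().encode(), hashlib.sha256).hexdigest()[:12]
        alias = "nf-" + tag + PUBLIC
        self.reverse[alias] = real
        return alias

    def _mask_ip(self, match):
        try:
            private = ipaddress.ip_address(match.group(0)).is_private
        except ValueError:  # e.g. "999.1.1.1" is not an address, leave it alone
            return match.group(0)
        return self._alias(match.group(0)) if private else match.group(0)

    def hide(self, value):
        if isinstance(value, dict):
            return {k: self.hide(v) for k, v in value.items()}
        if isinstance(value, list):
            return [self.hide(v) for v in value]
        if isinstance(value, str):
            value = HOST_RE.sub(lambda m: self._alias(m.group(0)), value)
            return IPV4_RE.sub(self._mask_ip, value)
        return value

    def reveal(self, alias):  # used on inbound traffic addressed to a pseudonym
        return self.reverse.get(alias)
```

Because the pseudonym is an HMAC of the real name, the same NF always maps to the same alias, so the peer network can keep addressing it without learning the name behind it.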


🔄 (c) Message Filtering & Validation

  • Every signaling message passing through SEPP is checked and validated.
  • If a message is malformed, unauthorized, or malicious → blocked.
  • This prevents:

📍 Example: A message claiming to be from AMF is verified against allowed certificates.
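The checks above as a small inbound filter, added here as an illustration and not taken from the article or from a 3GPP specification. Assumptions: the field names and peer table are constructed, the peer name stands for the identity taken from the certificate the SEPP already validated, and an HMAC-SHA256 tag stands in for the JWS signature so the code runs on the standard library alone.

```python
import hashlib
import hmac
import json
import time

# Constructed peer table (assumption): authenticated peer SEPP -> PLMN it may speak for.
PEERS = {
    "sepp.mnc002.mcc002.3gppnetwork.org": {"plmn": "00202", "key": b"constructed-key"},
}
MAX_SKEW = 30  # seconds a message timestamp may differ from local time
REQUIRED = {"sender_plmn": str, "msg_id": str, "ts": int, "payload": dict}


def sign(body, key):
    """Integrity tag over the canonical JSON body (HMAC stand-in for a JWS)."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class InboundFilter:
    def __init__(self):
        self.seen = set()  # (peer, msg_id) pairs already accepted

    def check(self, peer, body, tag, now=None):
        """Return 'accept' or the reason the message is blocked."""
        now = time.time() if now is None else now
        info = PEERS.get(peer)
        if info is None:
            return "block: unknown peer"
        if not isinstance(tag, str) or not isinstance(body, dict) or any(
                not isinstance(body.get(f), t) for f, t in REQUIRED.items()):
            return "block: malformed"
        if not hmac.compare_digest(sign(body, info["key"]).encode(), tag.encode()):
            return "block: integrity check failed"
        if body["sender_plmn"] != info["plmn"]:
            return "block: sender does not match authenticated peer"
        if abs(now - body["ts"]) > MAX_SKEW or (peer, body["msg_id"]) in self.seen:
            return "block: stale or replayed"
        self.seen.add((peer, body["msg_id"]))
        return "accept"
```

The order matters: the message ID is recorded only after every other check passes, so rejected traffic cannot fill the replay cache or burn IDs that a legitimate message will use later.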


🤝 (d) Inter-PLMN Trust Establishment

  • SEPPs use PKI (Public Key Infrastructure) for authentication.
  • Each SEPP has a digital certificate signed by a trusted Root CA.
  • The N32-f interface is encrypted and authenticated using these certificates.

👉 This ensures only genuine operators can exchange roaming data.


📡 (e) Routing

  • SEPP forwards HTTP/2 signaling messages between operators securely.
  • It hides internal addressing schemes while still ensuring delivery.
  • Works similarly to a Diameter Routing Agent (DRA) in LTE, but for 5G HTTP/2.



4. Architecture Position of SEPP

SEPP is always deployed at the PLMN boundary.

  • In the Visited PLMN (VPLMN): UE → gNodeB → AMF → VPLMN SEPP → HPLMN SEPP
  • In the Home PLMN (HPLMN): HPLMN SEPP → UDM/AUSF/SMF → provides authentication, subscription data, and policies.

👉 All roaming traffic must pass through SEPPs → no direct NF-to-NF connections between operators.



WHY LBO

1. What is LBO Roaming?

In roaming, there are two main models defined by 3GPP:

  • Home Routed (HR) Roaming → All user traffic goes back to the Home PLMN (as in the default LTE model).
  • Local BreakOut (LBO) Roaming → User traffic breaks out locally in the Visited PLMN, without routing it back to Home.

👉 In LBO, the user’s control plane (signaling) still interacts with the Home PLMN, but the user plane (actual data traffic) is served directly in the Visited PLMN.

2. Why LBO in 5G?

LBO was introduced because:

  • In 4G, all traffic routed back to Home PLMN caused latency issues (especially for video, gaming, voice).
  • For local services (like streaming, banking, calling within the visited country), sending traffic back to Home is inefficient.
  • 5G services (URLLC, VoNR, edge computing) require low latency → so breaking out locally is preferred.

👉 LBO makes roaming faster and cheaper by keeping traffic in the visited country.


1. What is HR Roaming?

  • In Home Routed (HR), the control plane (signaling) and the user plane (data traffic) are both anchored in the Home PLMN (HPLMN).
  • The Visited PLMN (VPLMN) only provides radio access (RAN and AMF).
  • All UE traffic → goes back to Home UPF before reaching the Internet or service.

👉 This is the default roaming model (also in 4G/LTE).


2. Why HR Roaming?

  • Home operator retains control of charging, billing, and policy.
  • Easier for lawful interception (since all traffic goes home).
  • Simpler for security (HPLMN keeps subscriber’s data traffic under its UPF).

⚠️ Downside → High latency because data must travel back to the home country, even for local apps.



5. Standards & References

  • 3GPP TS 23.501 → Defines 5G architecture and SEPP’s place.
  • 3GPP TS 29.573 → Defines the N32 interface (protocols, message structure).
  • 3GPP TS 33.501 → Defines security requirements (encryption, signatures, certificates).
