Tactical Mapping: 3GPP Release 16 (SA/UP Security)
This document provides the Tactical Realization of ITU Recommendations for 3GPP Rel-16 networks, the release that closed the single largest security gap left open in Rel-15: User-Plane Integrity Protection (UPIP).
Architecture & Core Security Enhancements
- ITU Rec: Y.3101 (Requirements for IMT-2020 networks) + X.805 (Integrity security dimension)
- 3GPP Implementation: TS 33.501 Amendment 1 and TS 38.300 Rel-16.
- Key Tactical Features:
  - User-Plane Integrity Protection (NR-UP-IP): Rel-15 left UP integrity as optional and disabled by default. Rel-16 mandates UP integrity negotiation between gNB and UPF (realizing X.805 Integrity for the data plane).
  - Home-Routed SUCI: Rel-16 enforces that the SUPI concealment (SUCI) is always decrypted only at the home network AUSF, preventing visited networks from learning the permanent identity.
  - IMS Emergency Security: Secure emergency call procedures for unauthenticated subscribers (realizing ITU-T H.248 emergency handling with privacy).
Security Dimensions (X.805): Rel-16 Delta
| Dimension | Rel-15 State | Rel-16 Enhancement | 3GPP Spec |
|---|---|---|---|
| Integrity (UP) | Optional / disabled by default | Mandatory negotiation - NIA2 (AES-128-EIA2) for NR-UP | TS 33.501 §9.3.3 |
| Privacy (SUCI) | Home-routed optional | Home-routed mandated for SUPI concealment | TS 33.501 §6.12 |
| Confidentiality | AES/SNOW/ZUC on NAS/RRC | Extended to NR User-Plane via PDCP sublayer | TS 38.323 |
| Availability | AMF load control | Network slice-aware congestion control (NSAC) | TS 23.501 §5.15 |
| Non-repudiation | NFV-level logging | Enhanced NF instance logging with unique NF-ID | TS 29.510 |
Radio Access Network (NR): Rel-16
- ITU Rec: M.2150 (IMT-2020 security requirements for Radio interface)
- 3GPP Implementation: TS 38.300 Rel-16, TS 38.323 (PDCP sublayer).
- Tactical Focus: UP integrity enforcement at PDCP layer; DRB (Data Radio Bearer) encryption negotiation must not fall back to NIA0 (null integrity) for non-emergency bearers.
New Interfaces in Rel-16
| Interface | Purpose | Security Requirement |
|---|---|---|
| N9 (UPF ↔ UPF) | Uplink Classifier for roaming user-plane | mTLS + TEID validation at inter-PLMN UPF boundary |
| N14 (AMF ↔ AMF) | AMF handover coordination | OAuth2 token required for NF-to-NF communication |
| PC5 (V2X Sidelink) | Vehicle-to-everything direct comms | Certificate-based entity auth (ECDSA P-256) |
Tip (Audit Hint, UP Integrity): When auditing a Rel-16 deployment, verify that the UPIntegrityProtectionIndication IE in the PDU Session Establishment Request (TS 24.501) is not set to NOT_NEEDED. Any network accepting NOT_NEEDED without a valid policy reason is violating the Rel-16 baseline and creating an active data manipulation vulnerability.
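The audit hint above, combined with the no-NIA0-fallback rule from the NR section, can be run as a check over exported session records. This is an added example, not part of the original page or of any 3GPP tooling. Assumptions: a JSON-lines export with hypothetical field names, the indication values REQUIRED and PREFERRED alongside the page's NOT_NEEDED, and an emergency bearer or a recorded exception counting as the "valid policy reason".

```python
import json

# Constructed sample export, one JSON object per PDU session. Field names are
# hypothetical; map them to whatever your SMF/gNB trace export provides.
SAMPLE = """\
{"id": "s1", "emergency": false, "up_integrity": "REQUIRED", "drb_alg": "NIA2", "exception": null}
{"id": "s2", "emergency": false, "up_integrity": "NOT_NEEDED", "drb_alg": "NIA0", "exception": null}
{"id": "s3", "emergency": false, "up_integrity": "NOT_NEEDED", "drb_alg": "NIA0", "exception": "EXC-0001"}
{"id": "s4", "emergency": true, "up_integrity": "NOT_NEEDED", "drb_alg": "NIA0", "exception": null}
{"id": "s5", "emergency": false, "up_integrity": "PREFERRED", "drb_alg": "NIA0", "exception": null}
{"id": "s6", "emergency": false, "drb_alg": "NIA2", "exception": null}
"""
KNOWN_INDICATIONS = {"REQUIRED", "PREFERRED", "NOT_NEEDED"}


def audit_session(rec):
    """Return the list of finding codes for one session record."""
    findings = []
    # Assumption: an emergency bearer or a recorded exception counts as the
    # "valid policy reason" the audit hint allows for.
    justified = bool(rec.get("emergency")) or bool(rec.get("exception"))
    indication = rec.get("up_integrity")
    if indication not in KNOWN_INDICATIONS:  # missing or unrecognised value
        findings.append("UP_INTEGRITY_INDICATION_MISSING")
    elif indication == "NOT_NEEDED" and not justified:
        findings.append("UP_INTEGRITY_NOT_NEEDED_UNJUSTIFIED")
    # Null integrity on a DRB is only tolerated with a justification.
    if rec.get("drb_alg") == "NIA0" and not justified:
        findings.append("NIA0_ON_NON_EMERGENCY_DRB")
    return findings


def audit_export(text):
    """Audit a JSON-lines export; returns {session id: [finding codes]}."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            report[f"line {lineno}"] = ["UNPARSEABLE_RECORD"]
            continue
        findings = audit_session(rec)
        if findings:
            report[rec.get("id", f"line {lineno}")] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(audit_export(SAMPLE), indent=2))
```

Sessions s3 and s4 pass only because of the justification assumption; tightening that rule (for example, requiring an exception even for emergency bearers) is a one-line change in `audit_session`.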