
ITU-T Series-Q: Switching and Signalling

The foundational signaling protocols of telecommunications, from legacy SS7 to modern Diameter and IMS SIP. Q-series vulnerabilities enable subscriber location tracking, call interception, and denial of service without any radio access.

Official Scope

Study Group: SG11 (Signalling Requirements, Protocols and Test Specifications)
Active Status: Ongoing

Defines technical specifications for switching and signalling across all network generations: SS7/MAP (Q.700 series), ISDN Q.931, Diameter protocols, IMS SIP-based signaling, and IMT-2020 security signaling. Includes requirements for signaling authentication, attack mitigation, and signaling firewall standards.

Tactical Security Significance

  • Relevance: 🟢 High (SS7/Diameter Security, Anti-Spoofing, Signaling Firewalls, CLI Authentication)
  • Key Security Concepts: SS7 MAP Vulnerability Class (location tracking, call interception), Diameter Security (Q.3062), Signaling Attack Mitigation (Q.3066), IMT-2020 Signaling Security (Q.3057)
  • Attack Surface: SS7 SCCP/MAP interfaces at interconnect borders, Diameter DEA/DRA without category filtering, SIP registrar without authentication, Q.931 PRI without CLI validation

Key Recommendations

| ITU Rec | Title | Security Domain | Cross-Reference |
|---|---|---|---|
| Q.700 | Introduction to CCITT Signalling System No. 7 (SS7) | SS7 Architecture Baseline | GSMA FS.11 |
| Q.767 | Application of ISUP in international ISDN | ISUP/SS7 Trunk Security | GSMA IR.88 |
| Q.1331 | Supplementary services identification for IMT-2020 | CLI Verification in 5G | 3GPP TS 24.300 |
| Q.3057 | Security requirements for signalling in IMT-2020 systems | 5G Signaling Security Requirements | 3GPP TS 33.501 §13 |
| Q.3062 | Authentication framework for signalling network entities | Signaling Node Authentication (mTLS) | SEPP / DRA |
| Q.3066 | Security requirements and framework for signalling layer | Signaling Attack Mitigation / Signaling Firewalls | GSMA FS.11 / FS.19 |

Security Mapping

SS7 MAP Vulnerability Class: Location Tracking and Interception

The SS7 protocol stack (Q.700 series) was designed in the 1980s with no authentication: every network element inherently trusts messages from interconnected peers. This trust model enables a rogue or compromised operator to query location, intercept calls/SMS, and redirect traffic for any subscriber worldwide.

Critical SS7 attack types and their Q-series context:

| Attack | SS7 Message | Target | Impact |
|---|---|---|---|
| Location tracking | MAP SRI-SM / ATI | HLR/HSS | Real-time geolocation of subscriber |
| Call interception | MAP RegisterSS | VLR | Re-route calls through attacker node |
| SMS interception | MAP SRI-SM + USSD hijack | SMSC | Forward SMS OTPs to attacker |
| Subscriber DoS | MAP CancelLocation | VLR | De-register subscriber from network |

  • Mitigation: Deploy Q.3066-compliant Signaling Firewalls (SS7 FW) at all SS7 interconnect points; implement GSMA FS.11 category filtering (Category 1/2/3 blocking); monitor for SS7 reconnaissance patterns (high-volume SRI-SM from a single interconnect peer)
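
The monitoring step in the mitigation above, sketched as an added example that is not part of the original page or of any firewall product: it drops an operation the operator never accepts at the interconnect and flags peers whose SRI-SM requests fan out over many subscribers in a short window. The record layout, the global titles, the thresholds and the blocked-operation set are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample records: (epoch_seconds, calling_gt, map_operation, target_msisdn).
# Global titles and MSISDNs are made-up placeholder values.
SAMPLE_EVENTS = (
    [(1000 + i, "GT-PEER-A", "sendRoutingInfoForSM", f"msisdn-{i:03d}") for i in range(40)]
    + [(1005, "GT-PEER-B", "sendRoutingInfoForSM", "msisdn-777"),
       (1010, "GT-PEER-B", "anyTimeInterrogation", "msisdn-777"),
       (1020, "GT-PEER-C", "updateLocation", "msisdn-500")]
)

# Assumption: operations this operator never accepts from an interconnect peer
# (intra-network only, the "Category 1" idea). The real list is operator policy.
BLOCK_AT_INTERCONNECT = {"anyTimeInterrogation"}

def filter_and_detect(events, window=60, max_targets=25):
    """Return (blocked, recon_peers).

    blocked: events dropped by the category rule.
    recon_peers: peers whose SRI-SM requests hit more than max_targets
    distinct subscribers inside any sliding window of `window` seconds.
    """
    blocked, recon_peers = [], set()
    sri_sm = defaultdict(list)  # peer -> [(ts, msisdn)] in arrival order
    for ts, peer, op, msisdn in sorted(events):
        if op in BLOCK_AT_INTERCONNECT:
            blocked.append((ts, peer, op, msisdn))
            continue
        if op != "sendRoutingInfoForSM":
            continue
        seen = sri_sm[peer]
        seen.append((ts, msisdn))
        # Drop entries that fell out of the sliding window.
        while seen and seen[0][0] <= ts - window:
            seen.pop(0)
        if len({m for _, m in seen}) > max_targets:
            recon_peers.add(peer)
    return blocked, sorted(recon_peers)

if __name__ == "__main__":
    blocked, recon = filter_and_detect(SAMPLE_EVENTS)
    print("blocked:", blocked)
    print("recon peers:", recon)
```

Counting distinct targets rather than raw message volume keeps a busy but legitimate SMS hub, which retries towards the same subscribers, from tripping the alert.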

Diameter Security: Q.3062 / Q.3066

The Diameter protocol (IETF RFC 6733) replaced SS7 MAP for LTE but inherits the same trust model problem. Q.3062 defines authentication requirements for Diameter nodes; Q.3066 defines signaling attack mitigation categories for Diameter.

  • Threat: A compromised Diameter peer (e.g., rogue roaming partner) sends unauthorized S6a-ULR messages to the HSS → extracts subscriber authentication vectors that can be used for 4G MITM attacks
  • Mitigation: Deploy Q.3066 Diameter Edge Agents (DEA) with category filtering; require Q.3062 mutual TLS authentication for all Diameter peers; block Diameter messages from unauthorized origin hosts
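
The origin-host check from the mitigation above, as an added example that is not code from the page or from any DEA product: it parses the RFC 6733 header and top-level AVPs of a Diameter request and forwards it only when Origin-Host and Origin-Realm agree with the peer authenticated by mutual TLS and the command is on that peer's allowlist. The peer name, realm, policy table and the `avp`/`message` helpers that build constructed test messages are assumptions.

```python
import struct
ORIGIN_HOST, ORIGIN_REALM = 264, 296         # AVP codes (RFC 6733)
S6A_APP_ID, ULR, AIR = 16777251, 316, 318    # 3GPP S6a application id and command codes
# Assumption: policy keyed by the mTLS-proven peer identity; all values are hypothetical.
PEER_POLICY = {"dea.partner.example": {
    "realm": "epc.partner.example", "allowed": {(S6A_APP_ID, ULR), (S6A_APP_ID, AIR)}}}

def avp(code, value):
    """Encode a non-vendor AVP (M flag set), padded to a 4-byte boundary."""
    length = 8 + len(value)
    return struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big") + value + b"\x00" * (-length % 4)

def message(app_id, cmd, avps):
    """Build a constructed Diameter request (R flag set) for the demonstration."""
    head = b"\x80" + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1)
    return b"\x01" + (20 + sum(map(len, avps))).to_bytes(3, "big") + head + b"".join(avps)

def parse(msg):
    """Return (app_id, command_code, {avp_code: text}) for the top-level AVPs."""
    end = int.from_bytes(msg[1:4], "big")
    if len(msg) < 20 or end != len(msg):
        raise ValueError("bad Diameter message length")
    cmd, app_id = int.from_bytes(msg[5:8], "big"), int.from_bytes(msg[8:12], "big")
    avps, pos = {}, 20
    while pos + 8 <= end:
        code, flags = struct.unpack("!IB", msg[pos:pos + 5])
        length = int.from_bytes(msg[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > end:
            raise ValueError("malformed AVP length")
        start = pos + (12 if flags & 0x80 else 8)  # V flag adds a 4-byte Vendor-Id
        avps[code] = msg[start:pos + length].decode("utf-8", "replace")
        pos += length + (-length % 4)
    return app_id, cmd, avps

def dea_verdict(tls_peer, msg):
    """Forward only if origin AVPs match the TLS peer and the command is allowed."""
    policy = PEER_POLICY.get(tls_peer)
    if policy is None:
        return "drop: unknown peer"
    try:
        app_id, cmd, avps = parse(msg)
    except ValueError:
        return "drop: malformed message"
    host, realm = avps.get(ORIGIN_HOST, ""), avps.get(ORIGIN_REALM, "")
    if realm != policy["realm"] or not host.endswith("." + realm):
        return "drop: origin does not match authenticated peer"
    if (app_id, cmd) not in policy["allowed"]:
        return "drop: command not allowed for peer"
    return "forward"
```

Binding the origin AVPs to the TLS identity matters because the AVPs are sender-supplied: a peer that passes mTLS can still claim another operator's realm inside the message.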

Q.3057: IMT-2020 Signaling Security for 5G

Q.3057 defines the security requirements for signaling in 5G systems, bridging the ITU security requirement domain with 3GPP's implementation. Key 5G signaling security controls that Q.3057 mandates:

  1. SEPP (Security Edge Protection Proxy): Mutual TLS (N32 interface) for all inter-PLMN signaling
  2. NF OAuth2 authorization: Every SBA API call requires a valid OAuth2 access token from NRF
  3. Signaling integrity: N2 (AMF-gNB) and N11 (AMF-SMF) must use TLS 1.2+ with valid certificates
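
The NF OAuth2 authorization control in the list above, seen from the producer side, as an added example that is not part of the original page or of any 5G core implementation: a network function verifies the token's signature, expiry, audience and scope before serving an SBA request. HS256 with a shared key is used so the example needs only the standard library; `issue_token` is a stand-in for the NRF, and the NF identifiers and key are constructed values.

```python
import base64
import hashlib
import hmac
import json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def unb64url(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def issue_token(key, claims):
    """Stand-in for the NRF: sign the claims as a compact JWS with HS256."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + b"." + b64url(json.dumps(claims).encode())
    return signing_input + b"." + b64url(hmac.new(key, signing_input, hashlib.sha256).digest())

def authorize(token, key, my_nf_id, my_nf_type, service, now):
    """Producer NF check before serving an SBA request. Returns (ok, reason)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(b".")
        header, claims = json.loads(unb64url(head_b64)), json.loads(unb64url(body_b64))
        sig = unb64url(sig_b64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm; the token must not choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, head_b64 + b"." + body_b64, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")  # NF type string, or a list of NF instance ids
    if aud != my_nf_type and my_nf_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if service not in str(claims.get("scope", "")).split():
        return False, "scope does not cover service"
    return True, "ok"
```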

```mermaid
sequenceDiagram
    participant Peer as Interconnect Peer (Foreign PLMN)
    participant SigFW as Signaling Firewall (Q.3066)
    participant DEA as Diameter Edge Agent (Q.3062)
    participant HSS as HSS / UDM

    Peer->>SigFW: SS7 MAP SRI-SM / Diameter ULR
    SigFW->>SigFW: Category filter (GSMA FS.11 / Q.3066)
    alt Unauthorized message type
        SigFW-->>Peer: Discard / REJECT
    else Authorized message from verified peer
        SigFW->>DEA: Forward for mTLS verification (Q.3062)
        DEA->>HSS: Authenticated Diameter request
        HSS-->>DEA: Response
        DEA-->>SigFW: Authenticated response
        SigFW-->>Peer: Forwarded response
    end
```

TELCOSEC INITIATIVE, EST. 2026 // GLOBAL STANDARDS RESEARCH

Independent, non-affiliated security research project dedicated to hardening global telecommunications infrastructure through data-driven auditing.