B.2 Policy discrimination of GTP-C and GTP-U
3GPP TS 33.210 Release 17: Network Domain Security (NDS); IP network layer security
It shall be possible to discriminate between GTP-C messages, which shall receive protection, and other messages, including GTP-U, that shall not be protected. Since GTP-C is assigned a unique UDP port number (TS 29.060 [6]), IPsec can easily distinguish GTP-C datagrams from other datagrams that may not need IPsec protection.
Security policies shall be checked for all traffic (both incoming and outgoing) so datagrams can be processed in the following ways:
– discard the datagram;
– bypass the datagram (do not apply IPsec);
– apply IPsec.
Under this regime GTP-U will simply bypass IPsec while GTP-C will be further processed by IPsec in order to provide the required level of protection. The SPD has a pointer to an entry in the Security Association Database (SAD) which details the actual protection to be applied to the datagram.
NOTE 1: Selective protection of GTP-C relies on the ability to uniquely distinguish GTP-C datagrams from GTP-U datagrams. For R99 and onwards this is achieved by having unique port number assignments to GTP-C and GTP-U. For previous versions of GTP this is not the case, and provision of selective protection for the control plane parts of pre-R99 versions of GTP is not possible. Although NDS/IP was not designed for protection of pre-R99 versions of GTP, it is recognized that NDS/IP may also be used for protection of GTP pre-R99. It should be noted that NDS/IP support for pre-R99 versions of GTP is not mandatory.
NOTE 2: NDS/IP has been designed to protect control plane protocols. However, it is recognized that NDS/IP may also be used to protect GTP-U. It should be noted that NDS/IP support for GTP-U is outside the scope of this specification.
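As an added illustration (not text from the specification), the following Python models the SPD lookup described above: each datagram is matched on its selectors and mapped to discard, bypass or protect, with a protect entry carrying a pointer into the SAD. The UDP ports 2123 (GTP-C) and 2152 (GTP-U) are the assignments from TS 29.060; the pre-R99 port 3386, the SAD entry name and the addresses are assumed sample values, and a single SPD stands in for the separate inbound and outbound checks.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

UDP = 17            # IP protocol number for UDP
GTP_C_PORT = 2123   # GTP-C (TS 29.060)
GTP_U_PORT = 2152   # GTP-U (TS 29.060)
GTPV0_PORT = 3386   # assumed: pre-R99 GTPv0 carried both planes on one port


class Action(Enum):
    DISCARD = "discard"   # drop the datagram
    BYPASS = "bypass"     # forward without IPsec
    PROTECT = "protect"   # apply the SA referenced by sad_ref


@dataclass(frozen=True)
class SpdEntry:
    proto: Optional[int]       # None matches any protocol
    dst_port: Optional[int]    # None matches any port
    action: Action
    sad_ref: Optional[str] = None   # pointer to the SAD entry, PROTECT only


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: int
    dst_port: int


# Ordered SPD: first match wins; the final entry is a default deny.
SPD: List[SpdEntry] = [
    SpdEntry(UDP, GTP_C_PORT, Action.PROTECT, sad_ref="sa-esp-gtpc-sgsn-ggsn"),
    SpdEntry(UDP, GTP_U_PORT, Action.BYPASS),
    SpdEntry(None, None, Action.DISCARD),
]


def lookup(spd: List[SpdEntry], d: Datagram) -> Tuple[Action, Optional[str]]:
    """Return the SPD decision and, for PROTECT, the SAD pointer."""
    for e in spd:
        if (e.proto is None or e.proto == d.proto) and \
           (e.dst_port is None or e.dst_port == d.dst_port):
            return e.action, e.sad_ref
    return Action.DISCARD, None   # unreachable with a default-deny entry


def selective_protection_possible(spd, control_port: int, user_port: int) -> bool:
    """True only if the SPD can treat the two planes differently (NOTE 1)."""
    c = lookup(spd, Datagram("10.0.0.1", "10.0.0.2", UDP, control_port))[0]
    u = lookup(spd, Datagram("10.0.0.1", "10.0.0.2", UDP, user_port))[0]
    return c == Action.PROTECT and u != Action.PROTECT
```

With pre-R99 GTP both planes share one port, so `selective_protection_possible(SPD, GTPV0_PORT, GTPV0_PORT)` is false whatever entry is added for that port.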