charto

Q: What is the security mechanism of Sx/N4 interface?

A: In a sense, there is none. Of course, a PFCF node may implement an allowed list or disallowed list that screens the peer it would like to talk with. However, this approach does not guarantee the integrity and the confidentiality. So it is not an ideal approach.

In fact, a UPF, such as an edge UPF, may not be deployed in a trusted environment, or say, in the same security domain of SMF. The security concern is true.

Subclause 9.9 in 3GPP TS 33.501 specifies that “NDS/IP shall be used as specified in 3GPP TS 33.210, unless security is provided by other means, e.g. physical security. A SEG may be used to terminate the NDS/IP IPsec tunnels.” Consequently, a PFCF node may choose to implement such functionality. Alternatively, a security gateway can be deployed at the edge of a security domain.