5G-ENSURE Architecture

5G is a platform that goes beyond current IT approaches and will be far more decoupled from specific hardware and physical control of the network. 5G is a key economic driver for the EU especially when it comes to the new business it will enable. However, for this to happen it is necessary for the 5G architecture to be secured from the start, and also for 5G secure systems to be enabled.

The needs of 5G are mainly characterised in terms of manageability, usability, trust and privacy. Identity management and privacy-preserving mechanisms are treated as key enablers and anchored against a common security architecture to increase assurance and confidence in 5G networks. Trust will therefore influence development, adoption and business potential.

5G-ENSURE defines and delivers a 5G reference security architecture, shared and agreed with various 5G stakeholders supporting its use through useful and useable security enablers addressing core concerns.

The focus of the 5G-ENSURE Security Architecture lies on a logical and functional architecture and omits (most) aspects related to physical/deployment architecture. This focus is motivated by general trends such as network deperimeterisation as well as 5G systems strong dependency on software defined networking and virtualization in general. The security architecture builds on and extends the current 3GPP security architecture.


5G-ENSURE Security Architecture

The core of the 5G-ENSURE architecture for 5G networks extends and revises the 3GPP security architecture from TS 33.401 to integrate key features and the domain concept from 3GPP TS 23.101 to support trust models for a 5G vision beyond “telecom” and “mobile broadband”.

  • Infrastructure domains and tenant domains to capture the physical and logical aspects.
  • Management domains to capture orchestration and security management.
  • Identity Management (IM) domains to re-use existing industrial AAA for device authentication.
  • Internet Protocol (IP) domains to model external IP networks.
  • Slice domains to capture network slicing, application domains transversal to others.

The logical "dimension" of the 5G-ENSURE architecture captures first of all security aspects associated with the various domains that are involved in delivering services over 5G networks. This part is therefore also strongly associated with the project's trust model. Additionally, the logical part captures security aspects associated with network layers and/or special types of network traffic.

The architecture comprises a set of security capabilities required to protect and uphold the security of the various domains and strata. A stratum is a grouping of protocols, data, and functions related to one aspect of the services provided by one or several domains. The figure on the right illustrates the following strata:

  • The Application Stratum represents the application process itself, provided to the end-user.  
  • The Home Stratum contains the protocols and functions related to the handling and storage of subscription data and home network specific services.
  • The Serving Stratum is a sub-stratum of the home stratum and consists of protocols and functions to route and forward data/information, user or network generated, from source to destination.  
  • The Transport Stratum supports the transport of user data and network control signalling from other strata through the network.
  • The Access Stratum is a sub-stratum of the transport stratum.  
  • The Management Stratum comprises aspects related to conventional network management (configuration, software upgrades, user account management, log collection/analysis) and, in particular, security management aspects (security monitoring audit, key and certificate management, etc.). Aspects related to management of virtualization and service creation/composition (orchestration, network slice management, isolation and VM management, etc.) belong to this stratum.

For more information, see D2.7 5G-ENSURE Security Architecture (Final)