Part 3 · Core Network and SBA Security
Chapter 14 · Network Domain Security

Protecting the wires between the boxes — the layer everyone forgets

“Perfect air-interface crypto means nothing if the backhaul carrying it runs in clear over a leased line. Subscriber security and infrastructure security are different jobs.” — THE NDS/IP REMINDER

NAS and AS security protect subscriber traffic. But the links between network nodes — gNB to core, NF to NF, SMF to UPF — carry signaling and user packets that need their own protection. That is Network Domain Security for IP (NDS/IP, TS 33.210): IPsec and TLS securing the infrastructure itself. This chapter covers the NDS/IP model, IPsec/IKEv2, security gateways, backhaul protection, and certificate enrollment.

🎯 Learning objectives
📘 Standards reference box — Chapter 14
| Specification | Title | Release / version verified |
|---|---|---|
| TS 33.210 | Network Domain Security — IP layer (NDS/IP) | Rel-18 edition |
| TS 33.310 | NDS — authentication framework / PKI (CMPv2) | Rel-18 edition |
| TS 33.501 | 5G security — transport protection of interfaces | Rel-18, v18.11.0 (2026-04) |

Checked June 2026 — verify against the latest 3GPP version.

14.1 The NDS/IP Model

NDS/IP organizes the network into security domains (typically per operator or per administrative region). Traffic within a domain may be trusted; traffic between domains — or across any untrusted transport — must be protected, classically by IPsec between security gateways (SEGs) at each domain’s edge.

FIGURE 14.1: NDS/IP Model — Domains and Security Gateways
[Figure: Security Domain A (NFs behind SEG-A at the domain edge) and Security Domain B (NFs behind SEG-B), joined across untrusted transport. Za: IPsec, mandatory inter-domain. Zb: intra-domain, optional.]
Purpose: the classic NDS/IP picture. SEGs sit at domain boundaries; inter-domain traffic (Za) gets mandatory IPsec, intra-domain (Zb) is protected as policy requires.
FIGURE 14.2: Za and Zb Reference Points
[Figure: Za, inter-domain (SEG ↔ SEG) across untrusted transport or between operators, protection MANDATORY (IPsec). Zb, intra-domain (NF ↔ SEG) inside one trusted domain, protection an OPERATOR OPTION (risk-based).]
Purpose: the two NDS reference points. Za is non-negotiable; Zb is a risk decision — and in cloud/shared environments, “intra-domain is trusted” is an assumption worth re-examining (Chapter 29).

14.2 IPsec ESP and IKEv2

FIGURE 14.3: IPsec ESP Tunnel Mode — Packet Anatomy
[Figure: new IP header | ESP header | ENCRYPTED: original IP header + payload | ESP trailer | ESP auth (ICV). Encryption provides confidentiality; the ICV over the packet provides integrity. Tunnel mode wraps the WHOLE original packet; used for SEG-to-SEG and gNB-to-core protection.]
Purpose: what IPsec actually does to a packet. ESP in tunnel mode encrypts and authenticates the entire original packet, hiding even the internal addressing from the transport.
FIGURE 14.4: IKEv2 — Establishing the Secure Tunnel
[Figure: gNB / SEG-A ↔ core SEG-B. ① IKE_SA_INIT: negotiate crypto, DH key exchange. ② IKE_SA_INIT response. ③ IKE_AUTH: authenticate by CERTIFICATE, set up the IPsec SA. ④ Tunnel up; ESP-protected traffic flows.]
Purpose: how the tunnel is born. IKEv2 negotiates keys and — crucially — authenticates the peers by certificate, so only legitimate gNBs/SEGs can establish protected links to the core.
FIGURE 14.5: Security Gateway Deployment Patterns
[Figure: three patterns. Integrated: IPsec terminates in the gNB and the core NF directly; simple, fewer hops. Dedicated SEG: a security-gateway appliance at each domain edge; clear trust boundary. Centralized SEG farm: many gNBs → a SEG cluster in front of the core; scales for a large RAN.]
Purpose: the deployment choices for backhaul protection. Large operators typically front the core with SEG farms terminating thousands of gNB tunnels; small ones integrate IPsec directly.

14.3 Protecting the RAN Transport

FIGURE 14.6: Backhaul Protection — gNB ↔ Core
[Figure: gNB → untrusted transport (leased line · microwave · internet) → core SEG → 5GC (AMF on N2, UPF on N3). An IPsec ESP tunnel protects N2 (NGAP) + N3 (GTP-U). Without IPsec, NGAP signaling and GTP-U user packets ride in CLEAR and can be captured, injected, or modified anywhere on the path.]
Purpose: the most common NDS gap. A gNB on a rooftop reaches the core over transport you may not own — IPsec is what stops that path from being a tap into your signaling and user traffic.
FIGURE 14.7: TLS vs IPsec for Intra-Domain Links
[Figure: IPsec (network layer): protects ALL IP traffic on a link; good for N2/N3/N4 and mixed protocols; transparent to applications; choose for transport links. TLS (transport/application layer): native to SBI (HTTP/2); pairs with OAuth per call (Ch 10); per-connection identity (mTLS); choose for SBI between NFs.]
Purpose: both protect, at different layers. SBI uses TLS (Chapter 10); IP transport links (N2/N3/N4 over untrusted networks) typically use IPsec — and many deployments use both in depth.
FIGURE 14.8: Certificate Enrollment with CMPv2 (TS 33.310)
[Figure: new gNB / NF ↔ operator CA / RA. ① CMPv2 request (vendor cert / initial secret). ② Operator certificate issued. ③ gNB now has the cert for IKEv2 / TLS. Zero-touch: a gNB shipped from the factory enrolls itself and becomes trusted, with no manual key handling at thousands of sites.]
Purpose: how trust scales to a national RAN. CMPv2 lets each gNB obtain its operator certificate automatically — the only practical way to manage IPsec/TLS identity across tens of thousands of sites.
FIGURE 14.9: Fronthaul / Midhaul / Backhaul Protection Map
[Figure: RU → DU → CU → 5G Core. Fronthaul (O-RAN): IEEE 1588 + (MACsec/IPsec). Midhaul (F1): IPsec / DTLS. Backhaul (N2/N3): IPsec. CU/DU/RU disaggregation (Chapter 15) multiplies the links that need protecting; fronthaul especially is often overlooked.]
Purpose: disaggregated RAN means more wires to protect. Each split (RU–DU fronthaul, DU–CU midhaul, CU–core backhaul) is a transport link with its own protection requirement — Chapter 15 goes deeper.
FIGURE 14.10: Transport Attacks on Unprotected Links
[Figure: attack on an unprotected transport link → defense.
| Attack | Defense |
|---|---|
| Passive tap: read NGAP signaling + GTP-U user packets | IPsec ESP encryption |
| Active injection: forge handover/session commands | IPsec integrity (ICV) |
| Rogue node impersonates a gNB or NF | IKEv2/TLS certificate authentication |
| Replay captured packets | IPsec anti-replay window |
These are the infrastructure-layer twins of the subscriber-layer attacks: different layer, same need for confidentiality, integrity, and authentication.]
Purpose: why NDS/IP exists. The transport between nodes faces the same triad of threats as the air interface — and needs the same triad of protections, one layer down.

14.4 The Practical Operator View

Common misconfiguration risks

14.5 Threats and Mitigations

| Threat | Vector | Defense |
|---|---|---|
| Signaling/user interception | passive tap on transport | IPsec ESP encryption |
| Signaling forgery | packet injection | IPsec integrity (ICV) |
| Node impersonation | rogue gNB/NF | IKEv2/TLS certificate auth |
| Replay | captured packets resent | IPsec anti-replay window |
| Cert outage/breach | manual cert mgmt at scale | CMPv2 automation, rotation, revocation |
| Fronthaul exposure | unprotected O-RAN fronthaul | MACsec/IPsec + timing security |

14.6 Terminology, Example, Checklist

| Term | Meaning |
|---|---|
| NDS/IP | Network Domain Security for IP — inter-node protection (TS 33.210) |
| SEG | Security Gateway — IPsec terminator at a domain edge |
| Za / Zb | Inter-domain (mandatory) / intra-domain (optional) reference points |
| ESP / IKEv2 | IPsec encapsulation / key-exchange & authentication protocol |
| CMPv2 | Certificate Management Protocol for automated enrollment (TS 33.310) |

Real network example. A regional operator leased backhaul from a third-party transport provider to reach rural gNBs. A security audit discovered the N2/N3 traffic on those links ran without IPsec — the rollout team had assumed the leased line was “private.” In practice, the transport provider (and anyone with access to its equipment) could observe NGAP signaling and GTP-U user packets, and potentially inject forged handover commands. Fix: deploy a SEG farm in front of the core, enable IPsec ESP tunnels from every affected gNB, and auto-enroll gNB certificates via CMPv2 so the rollout could scale. “Leased” is not “secure” — anyone on the path is on the path.

Chapter Summary

Review Questions

  1. Distinguish NDS/IP from NAS/AS security: what does each protect, and why are both needed?
  2. What protection is mandatory on Za and optional on Zb, and why might the Zb assumption be risky in the cloud?
  3. Describe what IPsec ESP tunnel mode does to a packet and which security properties it provides.
  4. What does IKEv2 authenticate, and why does that stop rogue-node attacks?
  5. Why is gNB backhaul over a leased line not automatically secure?
  6. When would you use IPsec vs TLS for a given core link?
  7. Why is CMPv2 essential for a large RAN, and what does it automate?
  8. Name the three RAN transport segments in a disaggregated deployment and a protection option for each.
🧪 Mini lab — protect a backhaul link

In a lab (or on paper with a real IPsec stack like strongSwan): (1) Establish an IKEv2/IPsec ESP tunnel between two endpoints standing in for gNB and core SEG, authenticated by certificates. (2) Capture traffic before and after — confirm that without the tunnel the inner packets are readable, and with it only ESP is visible. (3) Verify anti-replay by attempting to replay a captured ESP packet. (4) Reflect on scale: with 20,000 gNBs, how would CMPv2 auto-enrollment replace manual certificate installation, and what breaks if a SEG's certificate expires un-rotated? You've now built the infrastructure-layer twin of the air-interface protection from Chapter 9.
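The anti-replay window named in Figure 14.10, the threat table, and step (3) of the mini lab, as an added example that is not from the book or from any real IPsec stack: a Python model of the ESP receiver's sliding window in the style of RFC 4303 Appendix A, run over a constructed capture whose SPI, sequence numbers and payload bytes are assumed values.

```python
import struct

ESP_HEADER = struct.Struct("!II")  # RFC 4303 ESP header: 32-bit SPI, 32-bit sequence number

def parse_esp_header(packet: bytes) -> tuple[int, int]:
    """Return (spi, seq) from the 8-byte ESP header in front of the encrypted payload."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet shorter than an ESP header")
    return ESP_HEADER.unpack_from(packet)

class AntiReplayWindow:
    """Receiver-side sliding window in the style of RFC 4303 Appendix A.

    `top` is the highest sequence number accepted so far; bit i of `bitmap` marks whether
    seq = top - i has been seen. Below the window: too old. Already seen: replay.
    The window only moves after the ICV verifies, which the caller reports via icv_ok.
    """

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int, icv_ok: bool = True) -> bool:
        if seq == 0 or not icv_ok:  # seq 0 is never valid; a failed ICV must not move the window
            return False
        if seq > self.top:  # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):  # too old, or already seen (replay)
            return False
        self.bitmap |= 1 << diff  # late but legitimate: reordered in transport
        return True

def replay_verdicts(packets: list[bytes], spi: int) -> list[tuple[int, bool]]:
    """Run packets through one inbound SA's window; returns (seq, accepted) per packet."""
    window = AntiReplayWindow()
    verdicts = []
    for pkt in packets:
        pkt_spi, seq = parse_esp_header(pkt)
        verdicts.append((seq, pkt_spi == spi and window.check_and_update(seq)))  # wrong SPI: no SA
    return verdicts

SPI = 0x0A0B0C0D  # constructed SPI for the gNB -> SEG inbound SA; payload bytes stand in for ciphertext
# Constructed capture: in order, a reordered pair (5, 4), a replay of 3, a jump to 70 (6 is now
# too old, 7 still inside the 64-wide window), a jump to 200, then 150 twice (second is a replay).
CAPTURED = [ESP_HEADER.pack(SPI, s) + b"\x00" * 16 for s in (1, 2, 3, 5, 4, 3, 70, 6, 7, 200, 150, 150)]
```

Calling `replay_verdicts(CAPTURED, SPI)` shows the two replays (the second 3 and the second 150) and the too-old 6 dropped, while the reordered 4 and the late 7 are still accepted, which is what a tcpdump of the mini-lab replay should reflect.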