Mobile roaming enables users to seamlessly access internet and communication services across the globe. These services are facilitated by Mobile Network Operators (MNOs) through extensive roaming agreements with numerous international counterparts. As a result, roaming interfaces have evolved into highly complex interconnection points, supporting a wide array of protocols and multiple generations of mobile network technologies. Large-scale MNOs, serving millions of inbound and outbound roaming users, must efficiently manage high volumes of network traffic — often processing thousands of packets per second. Even when focusing solely on control plane messages, this traffic generates substantial data, all of which passes through firewalls and contributes to extensive logging activity. Beyond firewall logs, several other data sources — such as diameter routing agents, DNS servers, and passive monitoring systems — offer valuable insights and can be integrated into a comprehensive analysis.

The aim of this research internship is to explore selected data sources within a controlled environment to identify correlations, uncover trends, and propose innovative approaches for leveraging this data in operational network management. The investigation will focus on a 4G roaming scenario, analyzing and comparing two distinct one-hour timeframes: A high-traffic hour during an international event, characterized by elevated roaming activity, and a regular hour on a typical day with no special events. Through this comparative analysis, the student will gain hands-on experience in data interpretation, network behavior analysis, and the development of actionable insights for real-world mobile network operations.

Objectives

1. Work into different data sources.
a) Firewall logs.
b) Diameter Routing Agent logs.
c) DNS server logs.
d) Logs from passive monitoring.
2. Investigate trends and correlations between the data sources.
3. Investigate the possible detection special events.
4. Investigate differences between the two distinct data sets.
5. Evaluate results and draw conclusions on the applicability of the collected information.
6. What can be done in future work?

Prerequisites

Mobile networks have evolved significantly over the years—from older generations like 2G, 3G, and 4G to the latest 5G technology. Each generation brings new features and changes in how data is handled and secured.

In older networks (2.5G to 4G), a special type of firewall called a GTP-Firewall was used to protect both the control signals (which manage the connection) and the actual user data (like videos or messages). These firewalls could see and filter all the traffic because it was sent in a readable format. 

With 5G, things are changing. The control signals now use a different protocol (HTTP/2), and the user data might be encrypted using IPSec. This makes it harder for traditional firewalls to inspect and secure the traffic in the same way.

To address this, a new function called IPUPS was introduced in the 5G standard. It helps secure user data but works differently—it doesnot allow the same kind of visibility as the old firewalls. This is fine in a pure 5G network, but it becomes tricky when 4G and 5G are combined in one system, especially when users move between the two (a process called handover). 

This research internship will explore how to combine the old and new approaches to security in a way that works smoothly in a mixed 4G/5G network. The goal is to understand the challenges and propose solutions that ensure both security and performance.

Objectives

1. Analyze the architectural and security differences between legacy GTP-Firewalls and the 5G IPUPS function.

2. Investigate the implications of HTTP/2-based CP and IPSec-protected UP on traffic inspection and security enforcement.

3. Design a hybrid model that enables secure and efficient CP and UP handling in a 4G/5G Combo Core.

4. Evaluate the model in terms of:
• Handover performance (4G <-> 5G)
• Security (visibility, integrity, confidentiality)
• Operability and maintainability

5. Compare the hybrid modes with standalone 5G and legacy 4G implementations.

Prerequisites

The 5G Service-Based Architecture (SBA) introduces new challenges and opportunities in the design of roaming interfaces between mobile network operators. Central to secure inter-operator communication are the Security Edge Protection Proxy (SEPP) and IP eXchange (IPX) network provider entities, which facilitate secure signaling across trust boundaries.

An existing Python-based simulation framework models a fixed 5G roaming topology with four entities: vSEPP, vIPX, hIPX, and hSEPP. While this setup is suitable for basic testing, it lacks scalability and flexibility for simulating realistic, multi-operator roaming scenarios.

This thesis aims to refactor and extend the SEPP and IPX implementations to support scalable, multi-connection environments, enabling dynamic routing and connection management across a larger simulated network. The SEPP must unify the roles of vSEPP and hSEPP, while the IPX must support parallel connections and enforce routing rules based on operator policies and network topology. To achieve realistic routing behavior, the thesis will incorporate the FRRouting (FRR) suite, an open-source routing stack supporting protocols such as BGP, OSPF, and IS-IS. FRR will be used to simulate routing decisions and path selection within the IPX network, enabling policy-based and topology-aware message forwarding.

Objectives

1. Unified SEPP Design: Develop a single SEPP module that combines both vSEPP and hSEPP functionalities, capable of handling multiple concurrent connections and maintaining session state.
2. Enhanced IPX Module: Extend the IPX implementation to support: Multiple parallel connections. Routing logic based on operator identifiers, trust relationships, and message types. Integrate with the FRRouting suite to simulate realistic routing behavior.
3. Scalability Framework: Design a flexible configuration system to instantiate multiple SEPP and IPX entities dynamically, simulating a larger roaming network.
4. Testing & Validation: Create test scenarios to validate connection handling, routing correctness, and protocol compliance.
5. Documentation & Thesis Writing: Produce comprehensive documentation and a formal thesis de-

tailing design decisions, implementation, and evaluation results.

Prerequisites

The fifth generation of mobile networks (5G) is revolutionizing connectivity with its promise of ultra-low latency, high throughput, and massive device support. As users increasingly roam across national and international networks, ensuring secure and seamless roaming becomes a critical challenge.

While the control plane, responsible for signaling and session management, has been studied and fortified to an extend, the user plane, which carries actual user data (e.g., voice, video, internet traffic), remains a critical area for security enhancement. In roaming scenarios, user data traverses multiple operator networks, making it vulnerable to interception, manipulation, and privacy breaches.

This data is typically transported using the GPRS Tunneling Protocol for User Plane (GTP-U), a protocol originally designed for earlier generations of mobile networks. While GTP-U enables efficient tunneling of user data between network entities, it lacks built-in security features, making it susceptible to threats such as spoofing, tampering, and data leakage.

This internship aims to implement, and evaluate security mechanisms for the 5G roaming user plane, focusing on GTP-U, encryption, integrity protection, and secure tunneling. The implementation will be done in Python, and integrated into a Dockerized testbed that includes a roaming control plane module, enabling end-to-end simulation and analysis.

Objectives

• Literature Review: Study 3GPP specifications and academic research on 5G roaming, the GPT-U protocol, and user plane security.
• Implementation: Develop Python modules to simulate user plane trafficd encapsulated by GTP-U and apply security mechanisms, e.g. IPSec.
• Integration: Dockerize the user plane module and integrate it with an existing roaming control plane setup.
• Evaluation: Simulate roaming scenarios and assess performance, scalability, and security.
• Documentation: Prepare technical documentation and a final report.

Prerequisites

With the rise of Industry 4.0, industrial networks require not only low-latency and deterministic communication but also robust and integrated security solutions. Time-Sensitive Networking (TSN) provides a suite of standards that enable precise timing and predictable communication over Ethernet, which is critical for real-time industrial protocols like PROFINET and OPC UA Pub/Sub. However, integrating advanced security features into these protocols while maintaining real-time performance presents a significant challenge.

This thesis aims to investigate and optimize secure communication for these industrial protocols over TSN-enabled Linux systems. The evaluation will be conducted using the open-source Real-Time Communication (RTC) testbench, allowing reproducible measurements of key performance metrics under different system and hardware configurations.

Objectives:

• Implement secure communication features (e.g., encryption and authentication) for PROFINET and OPC UA Pub/Sub protocols with TSN support on a Linux platform.
• Evaluate the performance metrics such as jitter, cycle times, throughput, and latency, alongside security measures, using an RTC testbench.
• Test and optimize these metrics across different hardware configurations, including NICs and CPUs.
• Identify best practices and configurations for achieving optimal network performance and security. 

Testing and Evaluation:

• Utilize the RTC testbench to simulate network conditions and measure performance metrics, including security overhead.
• Conduct experiments with and without encryption to assess the impact on jitter, latency, cycle times, and throughput.
• Perform tests across different hardware setups, varying NICs, TPM and CPUs to evaluate their impact on network performance and security.
• Analyze data collected from the RTC testbench to validate the effectiveness of the implemented solutions.

5G is the latest generation of mobile networks, offering high data rates, ultra-low latency, and support for a wide range of applications. A key component of the 5G Core is the Security Edge Protection Proxy (SEPP), which ensures secure communication between Public Land Mobile Networks (PLMNs) in roaming scenarios.

To secure the control plane traffic between SEPPs, 3GPP defines the N32 interface, which is split into two parts: N32-c (for capability negotiation) and N32-f (for control message forwarding). While N32-c is secured using end-to-end Transport Layer Security (TLS), N32-f can either use TLS or a new protocol called PRotocol for N32 INterconnect Security (PRINS).

PRINS is designed to provide application-layer security using the Javascript Object Signing and Encryption (JOSE) framework, while still allowing intermediate IP Exchange Network (IPX) providers to route messages. This hybrid approach introduces new security challenges, especially in the presence of potentially untrusted intermediaries.

This thesis aims to conduct a formal security analysis of the PRINS protocol using the Tamarin Prover, a state-of-the-art tool for symbolic protocol verification. The goal is to model PRINS, define its security goals (e.g., confidentiality, integrity, authentication), and verify whether these goals are met under realistic threat models.

Objectives:

1. Study the PRINS protocol as defined in 3GPP specifications (e.g.,TS 29.573 and TS 33.501).
2. Model the protocol in Tamarin, including key exchange, message protection, and verification steps.
3. Define formal security properties, such as secrecy, authentication, and replay protection.
4. Analyze the protocol under different attacker models (e.g., compromised IPX, key leakage).
5. Compare PRINS with TLS-based N32-f in terms of formal guarantees.
6. Optionally, extend the model to include protocol variants or optimizations.

Prerequisites

The deployment of User Plane Function (UPF) at the network edge—commonly referred to as Edge-UPF—is gaining attention in the context of 5G networks, particularly for its potential to reduce latency and improve data handling efficiency. This thesis focuses on evaluating the performance and security aspects of Edge-UPF solutions, specifically within a roaming use case where user traffic traverses between different network operators.

A key aspect of the investigation is the trade-off between user plane latency, which affects data throughput and responsiveness, and control plane latency, which influences session setup and mobility management. Understanding this balance is especially relevant in roaming scenarios, where control signaling may remain centralized while user data is offloaded closer to the edge.

The practical part of the thesis is based on a testbed setup using Open5GS as the core network implementation and UERANSIM as the simulated radio access network. These tools enable controlled experiments to measure performance metrics such as latency, throughput, and resource usage under different deployment configurations. Basic security considerations related to edge deployment are also discussed.

The goal of this work is to provide a clear and structured evaluation of Edge-UPF behavior in a roaming context, contributing to a better understanding of its practical implications and limitations.

5G is the newest generation of mobile networks allowing for higher data-rates, lower latency and many new features like network slicing. Its central element is the 5G Core, which is a network of specialised Network Functions (NFs). Roaming allows subscribers to connect to the internet via other network operator’s networks if they have a roaming agreement. We are looking for a student to help implement and maintain a 5G Roaming testbed. At first, that is planned as an open source testbed leveraging Open5GS. Later, the plan is to connect this open source testbed to the LKN campus network.

This working student position may run parallel to Master Theses with more focused implementation and evaluation works. The working student is welcome to follow up on this work with his/ her own research internship or Master’s thesis.

Objectives

The primary objective of this work is to help implement and maintain a 5G Roaming testbed. This testbed shall then be used for investigation of security mechansims and performance measurements. Those are not the main job of the student, but the student is supposed to help.

1. Work into 5G Roaming

2. Implement missing Roaming functionalities into Open5GS

3. Maintain Roaming Testbed

4. Connect open source 5G Roaming testbed with Campus Network (once possible)

5. Aid in security investigations

6. Aid in performance measurements

7. Potentially add other NFs later

Prerequisites