The fifth generation of mobile networks (5G) is revolutionizing connectivity with its promise of ultra-low latency, high throughput, and massive device support. As users increasingly roam across national and international networks, ensuring secure and seamless roaming becomes a critical challenge.

While the control plane, responsible for signaling and session management, has been studied and fortified to an extend, the user plane, which carries actual user data (e.g., voice, video, internet traffic), remains a critical area for security enhancement. In roaming scenarios, user data traverses multiple operator networks, making it vulnerable to interception, manipulation, and privacy breaches.

This data is typically transported using the GPRS Tunneling Protocol for User Plane (GTP-U), a protocol originally designed for earlier generations of mobile networks. While GTP-U enables efficient tunneling of user data between network entities, it lacks built-in security features, making it susceptible to threats such as spoofing, tampering, and data leakage.

This master's thesis aims to implement, and evaluate security mechanisms for the 5G roaming user plane, focusing on GTP-U, encryption, integrity protection, and secure tunneling. The implementation will be done within Open5GS, and integrated into an existing dockerized roaming testbed.

Objectives

• StrongSwan Integration: Integrate and configure the StrongSwan IPsec application within the Open5GS UPF containers for the Home Routed (HR) roaming scenario.
• IKEv2 Configuration Evaluation: Implement and evaluate the impact of different Internet Key Exchange (IKEv2) settings (e.g., algorithms, key lifetimes) on the secure tunnel between the UPFs.
• Includes an investigation into using post-quantum key exchange certificates (PQKE) for IKEv2.
• IPsec Configuration Evaluation: Analyze the performance and security trade-offs of various IPsec settings, including different CIPHER suites (e.g., AES-GCM, ChaCha20-Poly1305) for integrity protection and encryption.
• Security Assessment: Man-in-the-Middle (MITM): Design and execute simulations of a Man-in-the-Middle (MITM) attack between the serving and home UPFs to assess the robustness of the implemented IPsec security measures.

Voraussetzungen

Background and Motivation

The 5G Core Network utilizes Service-Based Interfaces (SBI), which rely on RESTful APIs for communication between network functions. This design enables direct service-to-service interaction but introduces limitations such as:

• High latency due to HTTP session setup.

• Tight coupling and dependency on complete routing knowledge within services or the Service Communication Proxy (SCP).

To address these challenges, Release 16 introduced the SCP for indirect communication, and Release 18 added Service Sets for service grouping. However, both approaches still depend on centralized routing logic and synchronous communication models.

Problem Statement

The current REST-based communication paradigm in 5G Core Networks may not scale efficiently for Beyond 5G (B5G) systems, which demand ultra-low latency, high throughput, and dynamic service orchestration. There is a need to explore alternative communication models that support asynchronous, decoupled, and scalable messaging.

Proposed Solution

This thesis proposes the integration of Publish-Subscribe (Pub-Sub) messaging mechanisms—commonly used in distributed event streaming platforms such as Apache Kafka, Redis Streams, Google Pub/Sub, and Data Distribution Service (DDS) into the 5G Core Network architecture.

These platforms are capable of handling gigabit-scale data rates and millions of messages per second, making them suitable candidates for intra-core communication in future mobile networks.

Objectives

• Evaluate the feasibility of Pub-Sub messaging for 5G and 6G core network communication.

• Compare performance metrics (latency, throughput, scalability) between REST-based and Pub-Sub-based communication.

• Analyze architectural implications and integration strategies for Pub-Sub in service-based mobile core networks.

The 5G Service-Based Architecture (SBA) introduces new challenges and opportunities in the design of roaming interfaces between mobile network operators. Central to secure inter-operator communication are the Security Edge Protection Proxy (SEPP) and IP eXchange (IPX) network provider entities, which facilitate secure signaling across trust boundaries.

An existing Python-based simulation framework models a fixed 5G roaming topology with four entities: vSEPP, vIPX, hIPX, and hSEPP. While this setup is suitable for basic testing, it lacks scalability and flexibility for simulating realistic, multi-operator roaming scenarios.

This thesis aims to refactor and extend the SEPP and IPX implementations to support scalable, multi-connection environments, enabling dynamic routing and connection management across a larger simulated network. The SEPP must unify the roles of vSEPP and hSEPP, while the IPX must support parallel connections and enforce routing rules based on operator policies and network topology. To achieve realistic routing behavior, the thesis will incorporate the FRRouting (FRR) suite, an open-source routing stack supporting protocols such as BGP, OSPF, and IS-IS. FRR will be used to simulate routing decisions and path selection within the IPX network, enabling policy-based and topology-aware message forwarding.

Objectives

1. Unified SEPP Design: Develop a single SEPP module that combines both vSEPP and hSEPP functionalities, capable of handling multiple concurrent connections and maintaining session state.
2. Enhanced IPX Module: Extend the IPX implementation to support: Multiple parallel connections. Routing logic based on operator identifiers, trust relationships, and message types. Integrate with the FRRouting suite to simulate realistic routing behavior.
3. Scalability Framework: Design a flexible configuration system to instantiate multiple SEPP and IPX entities dynamically, simulating a larger roaming network.
4. Testing & Validation: Create test scenarios to validate connection handling, routing correctness, and protocol compliance.
5. Documentation & Thesis Writing: Produce comprehensive documentation and a formal thesis de-

tailing design decisions, implementation, and evaluation results.

Voraussetzungen

Mobile roaming enables users to seamlessly access internet and communication services across the globe. These services are facilitated by Mobile Network Operators (MNOs) through extensive roaming agreements with numerous international counterparts. As a result, roaming interfaces have evolved into highly complex interconnection points, supporting a wide array of protocols and multiple generations of mobile network technologies. Large-scale MNOs, serving millions of inbound and outbound roaming users, must efficiently manage high volumes of network traffic — often processing thousands of packets per second. Even when focusing solely on control plane messages, this traffic generates substantial data, all of which passes through firewalls and contributes to extensive logging activity. Beyond firewall logs, several other data sources — such as diameter routing agents, DNS servers, and passive monitoring systems — offer valuable insights and can be integrated into a comprehensive analysis.

The aim of this research internship is to explore selected data sources within a controlled environment to identify correlations, uncover trends, and propose innovative approaches for leveraging this data in operational network management. The investigation will focus on a 4G roaming scenario, analyzing and comparing two distinct one-hour timeframes: A high-traffic hour during an international event, characterized by elevated roaming activity, and a regular hour on a typical day with no special events. Through this comparative analysis, the student will gain hands-on experience in data interpretation, network behavior analysis, and the development of actionable insights for real-world mobile network operations.

Objectives

1. Work into different data sources.
a) Firewall logs.
b) Diameter Routing Agent logs.
c) DNS server logs.
d) Logs from passive monitoring.
2. Investigate trends and correlations between the data sources.
3. Investigate the possible detection special events.
4. Investigate differences between the two distinct data sets.
5. Evaluate results and draw conclusions on the applicability of the collected information.
6. What can be done in future work?

Voraussetzungen

Mobile networks have evolved significantly over the years—from older generations like 2G, 3G, and 4G to the latest 5G technology. Each generation brings new features and changes in how data is handled and secured.

In older networks (2.5G to 4G), a special type of firewall called a GTP-Firewall was used to protect both the control signals (which manage the connection) and the actual user data (like videos or messages). These firewalls could see and filter all the traffic because it was sent in a readable format. 

With 5G, things are changing. The control signals now use a different protocol (HTTP/2), and the user data might be encrypted using IPSec. This makes it harder for traditional firewalls to inspect and secure the traffic in the same way.

To address this, a new function called IPUPS was introduced in the 5G standard. It helps secure user data but works differently—it doesnot allow the same kind of visibility as the old firewalls. This is fine in a pure 5G network, but it becomes tricky when 4G and 5G are combined in one system, especially when users move between the two (a process called handover). 

This research internship will explore how to combine the old and new approaches to security in a way that works smoothly in a mixed 4G/5G network. The goal is to understand the challenges and propose solutions that ensure both security and performance.

Objectives

1. Analyze the architectural and security differences between legacy GTP-Firewalls and the 5G IPUPS function.

2. Investigate the implications of HTTP/2-based CP and IPSec-protected UP on traffic inspection and security enforcement.

3. Design a hybrid model that enables secure and efficient CP and UP handling in a 4G/5G Combo Core.

4. Evaluate the model in terms of:
• Handover performance (4G <-> 5G)
• Security (visibility, integrity, confidentiality)
• Operability and maintainability

5. Compare the hybrid modes with standalone 5G and legacy 4G implementations.

Voraussetzungen

5G is the latest generation of mobile networks, offering high data rates, ultra-low latency, and support for a wide range of applications. A key component of the 5G Core is the Security Edge Protection Proxy (SEPP), which ensures secure communication between Public Land Mobile Networks (PLMNs) in roaming scenarios.

To secure the control plane traffic between SEPPs, 3GPP defines the N32 interface, which is split into two parts: N32-c (for capability negotiation) and N32-f (for control message forwarding). While N32-c is secured using end-to-end Transport Layer Security (TLS), N32-f can either use TLS or a new protocol called PRotocol for N32 INterconnect Security (PRINS).

PRINS is designed to provide application-layer security using the Javascript Object Signing and Encryption (JOSE) framework, while still allowing intermediate IP Exchange Network (IPX) providers to route messages. This hybrid approach introduces new security challenges, especially in the presence of potentially untrusted intermediaries.

This thesis aims to conduct a formal security analysis of the PRINS protocol using the Tamarin Prover, a state-of-the-art tool for symbolic protocol verification. The goal is to model PRINS, define its security goals (e.g., confidentiality, integrity, authentication), and verify whether these goals are met under realistic threat models.

Objectives:

1. Study the PRINS protocol as defined in 3GPP specifications (e.g.,TS 29.573 and TS 33.501).
2. Model the protocol in Tamarin, including key exchange, message protection, and verification steps.
3. Define formal security properties, such as secrecy, authentication, and replay protection.
4. Analyze the protocol under different attacker models (e.g., compromised IPX, key leakage).
5. Compare PRINS with TLS-based N32-f in terms of formal guarantees.
6. Optionally, extend the model to include protocol variants or optimizations.

Voraussetzungen

5G is the newest generation of mobile networks allowing for higher data-rates, lower latency and many new features like network slicing. Its central element is the 5G Core, which is a network of specialised Network Functions (NFs). Roaming allows subscribers to connect to the internet via other network operator’s networks if they have a roaming agreement. We are looking for a student to help implement and maintain a 5G Roaming testbed. At first, that is planned as an open source testbed leveraging Open5GS. Later, the plan is to connect this open source testbed to the LKN campus network.

This working student position may run parallel to Master Theses with more focused implementation and evaluation works. The working student is welcome to follow up on this work with his/ her own research internship or Master’s thesis.

Objectives

The primary objective of this work is to help implement and maintain a 5G Roaming testbed. This testbed shall then be used for investigation of security mechansims and performance measurements. Those are not the main job of the student, but the student is supposed to help.

1. Work into 5G Roaming

2. Implement missing Roaming functionalities into Open5GS

3. Maintain Roaming Testbed

4. Connect open source 5G Roaming testbed with Campus Network (once possible)

5. Aid in security investigations

6. Aid in performance measurements

7. Potentially add other NFs later

Voraussetzungen