26 Jun 2020 - David Rupprecht
The plenary meeting of the 3GPP Security Group is held from 30. June to 3. July 2020. In preparation for the meeting, the Deutsche Telekom AG released a discussion paper with the title “Way forward on User Plane Integrity Protection.” [1] In this document, they identified seven observations regarding mandatory full-rate integrity protection, which I will partly comment on in the following. Based on this document, 3GPP will decide on the security of future 5G networks.
First of all, this document is backed by the support of many powerful providers, e.g., AT&T, Telefonica, and Vodafone, but also by import equipment manufacturers, e.g., Broadcom, Huawei, and HiSilicon. The providers’ support shows that they have understood the need for mandatory full-rate integrity protection for 5G. Further, the backing of some network equipment vendors let me hope that full-rate protection is technically feasible.
The document demands mandatory full-rate integrity protection of user plane traffic to the 5G specification (release 16). As observation #1 states: “requirement for a mandatory and full-rate user plane integrity protection Researchers [2] and GSMA [1] documented the need for changes in the 5G specifications to mandate full rate user plane integrity protection to address the known and prevent from potential future attacks and secure 5GS.”
Observation #2 and #3 demand to support of full-rate protection of the network side and the UE. Stated as follows: “Supporting User Plane Integrity Protection is mandatory for the network. Full rate is implicit because there is no speed limit defined. If vendors declared ‘full compliance’ with 3GPP TS 33.501, it shall be supported.” Interestingly, the observation #2 explicitly mention the network side, until I have assumed that the UE side in the main problem of implementing full-rate protection. However, it is equally essential that the network side supports full-rate protection. Observation #3, which demands the UE side to support full-rate protection, reads as follows: “UEs are already now able to use full rate UPIP up to the maximum speed. The requirement for mandating full rate UPIP is technically correct and only needs to be implemented.”
Together with other 3GPP members, the Deutsche Telekom AG has already tried to specify mandatory integrity protection. However, the attempts got reject (3GPP term “noted”) with the argument of performance impairments. Observation #4 comments on this issue “Statements were received that mandating full rate UPIP will consume significant processing power and will therefore deteriorate the potential throughput of the UE. Currently although requested several times, no figure has been provided by vendors on the calculated impact.” I agree with this observation and demand the vendors to discuss the performance impairments openly. Only if we know the issues can we solve the problems and implement full-rate algorithm, e.g., with a more performant algorithm design. Further, the support of other vendors (Broadcom, Huawei, and HiSilicon) shows that it is only a question of implementation and not infeasible. This puts blocking 3GPP vendors in the position of providing figures regarding their performance impairments.
Further interesting is observation #7. To circumvent a discussion of full-rate integrity protection, Qualcomm and Samsung focused on adding security measures for ICMP and DNS to the specification at a meeting in April 2020. Observation #7 comments on this attempt as follows: “However, changes have been agreed on proposals for Security Aspects of DNS and ICMP [8]. These are captured in an informative Annex. It is common understanding that such informative Annexes will hardly lead to implementation and are not relevant for standards compliance.” This demonstrates that those suggestions not lead to any implementation and, therefore, render an ineffective mitigation. Further, the attack remains feasible even if those suggestions are in place, which I will outline in a future blog post.
Again: Adding mandatory full-rate integrity protection is the essential security measure for our future 5G networks! Not specifying it in the next release (16) make our upcoming 5G networks vulnerable to substantial attacks. The members standing behind this document have understood the need, but blocking vendors prevent secure 5G networks. The next SA plenary meeting aims to decide on this issue, and I hope that we can trust our future 5G networks.