By: Peter Nas & Ronen Shpirer
FortiOS v7.0.1 introduced support for the Packet Forwarding Control Protocol or PFCP. This is an essential enhancement to an already rich set of features and capabilities that FortiOS and the FortiGate provide to 4G and 5G mobile operators worldwide. To understand why this is a valuable enhancement, you need to know what PFCP is, why it’s important, and what security use cases are made possible with FortiGate’s support for PFCP.
PFCP was first made available with 3GPP Release 14’s introduction of Control and User Plane Separation, or CUPS. CUPS enabled a new network architecture that allows Service Providers to independently scale and evolve their network for Control Plane resources without modifying their User Plane resources. PFCP is used between the control plane and the user plane function in 4G CUPS-based EPC.
While CUPS and PFCP are not mandatory in 4G, they are required in 5G Stand Alone (SA) networks, where the Session Management Function (SMF) in the SBA control plane communicates with the User Plane Function (UPF) in the user plane and the Inter-PLMN User Plane Security Function (IPUPS).
In 4G, user plane data is transported by GTP-U and managed by GTP-C. In 5G, user plane data is transported by the GTP-U protocol and the PFCP protocol. This is very similar to how GTP-C is used to allow the control plane to manage the user plane data flow.
In that respect, support for PFCP is crucial as it provides essential session information required by the GTP-U firewall—the FortiGate—to identify the Terminal Endpoint Identifier (TEID) for a GTP-U user plane session. This provides pin-holing and protection from GTP-based threats that might originate from non-trusted networks, such as IPX/roaming partners, MVNOs, etc.
FortiGate’s PFCP support lends itself to several security use cases in CUPS-based 4G and 5G, briefly described below.
Use Case #1: GTP Firewall in a CUPS-based 4G and 5G Networks
GTP firewalls need to be deployed to protect the network from GTP-based threats to the 4G PGW-U and the UPF in the case of 5G. Implementing a CUPS-based (virtual) EPC (Evolved packet Core) enables a Service Provider to take full advantage of independent scaling of the Control Plane versus the User Plane.
To enable the GTP firewall to decide if the TEID (Terminal Endpoint IDentifier) from the GTP-U traffic should be allowed to pass or be blocked, it needs to learn the TEIDs for the negotiated GTP-U tunnels from control plane to user plane communication.
In CUPS-based 4G and in 5G, the ability to read the TEID (as signaled with PFCP via the Sxb interface between PGW-C and PGW-U and the N4 interface between SMF and UPF) is only possible with the support of PFCP.
Use Case #2: PFCP Firewall for Non-Public Mobile Networks (NPMN)
Numerous options exist for a Service Provider that wants to offer a Non-Public Mobile Network (NPMN) or private mobile network solution. These range from a fully private network dedicated to the enterprise to a slice on a public network. In a fully private network, all components are isolated from the public 5G networks and only serve the enterprise.
In more flexible and less expensive NPMN offerings, some network components, such as the core, are provided via the public network. Imagine a private network architecture where the RAN and MEC are private to the enterprise and completely isolated from the public network, but the control plane, or core of the network, is the one used in the public 4G or 5G network.
In this scenario, the MEC includes the UPF, and both are isolated from the public mobile network. This is only possible in CUPS-based 4G and in 5G as it allows the decentralization of the control plane, which remains in the operator’s DC, and the user plane, which is at the private MEC of their customer. This keeps the private network’s data local in enterprise UPF and from there to the applications in the MEC or a local data network (such as an enterprise IT network or the Internet). But it is only enabled via the utilization of PFCP between the public 4G or 5G core and the private user plane components.
FortiGate’s support for PFCP-enabled user plane security in the MEC protects the public core from malformed or malicious PFCP packets and performs additional relevant checks on source and content.
Use Case #3: User Plane Data Protection in 5G Roaming
When roaming between two 5G Stand Alone networks, user data is sent encapsulated in GTP-U tunnels between the home network’s UPF and the visited network’s UPF on the N9 interface. 3GPP and GSMA recommend using an Inter-PLMN User Plane Security (IPUPS) function to secure this communication.
The basic functionality of an IPUPS is to create pinholes for the authorized session on the N9 interface. This is done by obtaining the roaming user data of the F-TEID (Fully qualified Terminal Endpoint IDentifier, which is like the TEID used in 4G) that has been signaled between the roaming partners. If the F-TEID is not known to the IPUPS, it should block the User Data. Home and the Visited Network’s SMFs communicate this information to the IPUPS function via the PFCP protocol on the N4 interface.
The FortiGate now provides IPUPS capability, pin holing, and GTP-U firewalling for the 5G roaming user plane data. It can further offload the UPF by providing IPsec between a home UPF and a visited UPF, as mandated by 3GPP and GSMA.
The use cases outlined above are based on real customer projects and demonstrate Fortinet’s commitment to continuous security innovation in 4G and 5G mobile networks. But they are only a sample. Many more use cases are possible.
