Securing the Onion: 5G Cloud Native Infrastructure
©2023 F5
Agenda
• Architecture Transformation to 5G Service Based Architecture (5G SBA)
• 3GPP Releases Update
• Important components in securing 5G SBA
  • Service Proxy for Kubernetes (SPK)
  • Secure Communication Proxy (SCP)

Service Proxy for Kubernetes (SPK): 3GPP REL 14 TO REL 15 JOURNEY
• Ingress and Egress Requirement to Secure Cloud Native Infrastructure (Kubernetes)
• Kubernetes Networking Weaknesses in Addressing Carrier Grade needs
• Handling Ingress traffic with SPK Ingress
• Handling Egress traffic with SPK Service Mesh

Secure Communication Proxy (SCP): 3GPP REL 15 TO REL 16 JOURNEY
• Intelligently and Securely Simplify 5G Core Operation
• Bridging 4G/5G in Multiple Domains
• 5G SBA Secure Signaling Flow
• Securing Distributed 5G Network Deployment
• 5G Core Security in Onion Model with SCP and SPK
5G: Functional and Architectural Transformation
5G Service-Based Architecture (SBA)

Figure: 4G Core (Telco Architecture) with MME, SGSN, PCRF, HSS, SGW and PGW connected over point-to-point interfaces S1-MME, S1-U (GTP), S3 (GTP), S4 (GTP), S5/S8, S6a (Diameter) and Gx (Diameter) towards 2G/3G, 4G and the data network; beside it the 5G Core (IT Architecture) with NSSF, NEF, NRF, PCF, UDM, AF, AUSF, AMF and SMF exposing HTTP/2 JSON APIs for control and signaling, the UPF as user data and packet gateway (CUPS) placed at edge, regional or central sites, and 5G-AN / Non-3GPP access (N3IWF) attached over N1, N2, N3, N4 and N6.

5G SBA Technology Principles (derived from IT industry): HTTP/2 web protocol, microservices, API-centric design, telco cloud, CUPS.
3GPP Releases Updates

Figure: evolution of the control plane across releases. Release 14: Control User Plane Separation, control plane deployed as VNF 1..n on virtual machines over a virtualization layer (compute, network, storage). Release 15: Service Based Architecture, control plane deployed as CNF 1..n in containers. Release 16: Enhanced Service Based Architecture, containers. Release 17: Enabling Edge Application, containers.
Security Threat within 5G Service Based Architecture
... and some additional security points to pay attention to

Figure: 5G SBA with UE, (R)AN access and interworking networks on N1/N2/N3, the UPF data plane on N9/N6 towards DN networks, and the control-plane NFs with their service interfaces: AMF (mobility, Namf), AUSF (authentication, Nausf), SMF (sessions, Nsmf), CHF (charging, Nchf), NEF (exposure, Nnef), AF (application, Naf), UDM (subscriber repository, Nudm), PCF (policy, Npcf), NRF (repository, Nnrf), NSSF (slicing, Nnssf). Legacy equivalents are marked as "HSS", "PCRF", "OCS", "MME", "PGW-C" and "PGW-U". External touch points highlighted as threat surfaces: IPX partners, billing environment, networks, apps and APIs.
Security Threat within 5G Service Based Architecture
... and some additional security points to pay attention to

Figure: the same SBA diagram as the previous slide, with SCP + (BSF) + SPK inserted between the NFs and the external touch points (IPX partners, billing environment, networks, apps and APIs).
Security Threat within 5G Service Based Architecture
... and some additional security points to pay attention to

Figure: the same SBA diagram with SCP + (BSF) + SPK in place, annotated with the capabilities they add:
• Enhanced ingress security with per-service secure proxy
• CNF scalability
• Dynamic network elasticity
• Multi-protocol support
• SBA Security, mTLS
• Routing, LB, Message Prioritisation, Persistence, Session Binding, etc.
• HTTP/2 Protocol Validation
Securing Cloud Native Infrastructure (K8s) with Service Proxy Kubernetes (SPK)

Figure: section divider showing the Release 14 (Control User Plane Separation) to Release 15 (Service Based Architecture) control plane journey.
Securing Cloud Native (Kubernetes) Telco Cloud
Requirement for Telco Cloud Infrastructure

North/South Traffic (Service Proxy):
• Ingress for 5G SBA HTTP/2 traffic
• Automation through Kubernetes control plane
• Support for non-HTTP traffic*
  • SCTP, GTP/PFCP for 5G*
  • Diameter, GTP, SIP for hybrid 4G/5G deployment*
• Full proxy (ingress + egress) for network-centric deployment*
• Support for multi-vendor environment*

East/West Traffic (Service Mesh):
• Proxying HTTP/2 traffic
• Policy driven through Kubernetes control plane
• Mutual TLS encryption
• Packet capture and legal intercept*
• Analytics and visibility*
• Certificate management*
• Support for multi-vendor environment*

* Additional functions not supported natively in Kubernetes
Kubernetes Networking Weaknesses Addressed
Additional abilities applied to Kubernetes ingress/egress are powerful for telco deployment

Kubernetes provides flexibility, scalability, and efficiency that will be key for service providers:
• 5G packet cores
• Edge computing / Edge sites
• Digital transformation

But it is not designed for service providers. Traditionally developed for web and enterprise use, it shows:
• Difficulty with telco protocols
  • NGAP/SCTP, 5G HTTP/2, Diameter, GTP, SIP, lawful intercept, others
• Limited egress capabilities
• Lack of routing integration with service provider networks
• Lack of security controls
• Lack of visibility and revenue controls
• Difficulty with public cloud providers
F5 Service Proxy for Kubernetes (SPK) for 5G Core
Kubernetes ingress and egress services for telco protocols

Figure: Telco Cloud deployment across typical telco locations (Far Edge (MEC), Near Edge (MEC), Regional PoP, Central PoP), each running a Kubernetes platform over a virtualisation / containerisation layer. SPK fronts the 4G/5G core functions (cscf, pcrf, upf, ocs, scp and others) towards users, the Internet and other DNs, providing multiprotocol ingress (HTTP/2, Diameter, SIP), security, visibility and L7 routing. Note on the protocol list: like GTP, but also considering adding PFCP.
F5 SPK is the Modern Telco grade Ingress Proxy
Ingress Proxy & Egress GW

Signaling control
• Routing
• Load balancing
• Rate limiting

Traffic Management
• Load Balance
• Persistence
• Service continuity

Egress GW
• Routing
• Traffic control policy
• Topology (IP) hiding

Protocols: Diameter, SIP, HTTP/2, NGAP, TCP, SCTP, UDP
E.g. Egress Security Control Use Case

No control on container egress: without a firewall function to regulate it, the risk of data leak/loss is real.
Figure: Central DC and Edge sites whose CNFs talk to each other and to the outside with no egress control.

SPK secures Telco everywhere: it enables the Telco cloud to control network flow and hide the Core CNF topology.
Figure: the same Central DC and Edge sites with an SPK in front of every CNF, so all CNF traffic crosses an SPK.

#1 NSM for Telco in a controlled ACL and topology hiding for workloads to interact with NFs from another network or another PLMN.
#2 Virtual Stop Gap deployed as policy for public cloud or untrusted environments to restrict traffic leaving the CNF and Telco application container.
Simplify, Scale and Secure NF communication with Service Communication Proxy (SCP)

Figure: section divider showing the Release 15 (Service Based Architecture) to Release 16 (Enhanced Service Based Architecture) control plane journey.
What’s New in 3GPP Release 16
5G SA Core Control Plane Communications Model Options

3GPP Release 15: with or without NRF interaction
• Model A, Direct Communication WITHOUT NRF: NF consumers are configured with the producers and perform selection of the producer themselves.
• Model B, Direct Communication WITH NRF: every NF consumer interacts with the NRF for service discovery and has to support discovery result caching and selection.

3GPP Release 16: SCP for routing, selection and load balancing
• Model C, SCP WITHOUT delegated discovery: the SCP aggregates Hypertext Transfer Protocol (HTTP) links and provides centralized signaling monitoring.
• Model D, SCP WITH delegated discovery: in addition to the characteristics of Model C, the SCP takes over service discovery and selection for NF consumers. Hence, NF consumers need not perform discovery and selection of the producer.
Service Communication Proxy (SCP)
Helps to build a reliable, robust and secure 5G Standalone Core

Figure: a full mesh of 5G NFs on the left, replaced on the right by the same NFs all connected through a central SERVICE COMMUNICATION PROXY (SCP).

SIMPLIFY
• Move away from a full mesh between all Network Functions (NFs) by acting as a hub/proxy for all NF traffic.

SCALE
• Real-time traffic management and network scalability
• Interworking functions to simplify inter-vendor deployments.

SECURE
• Secure communications with mTLS protection and OAuth 2.0 authentication between NFs.
• Restrict unknown connections or abnormal traffic flows
SCP+ Intelligently and Securely Simplify 5G Core Operation
Leading the movement toward using AI/ML mechanisms, F5 SCP+ increases network resiliency

Figure: 5G NFs connected through SCP+, with a data collection feed and the four capabilities below marked 1 to 4.
1. Intelligent Load Balancing maximizes 5G service availability and minimizes 5G service disruption
2. Advanced Overload Protection to improve network resiliency
3. 5G-aware DDoS Protection with deep insights
4. 5G-aware metrics provide deep insight to address transient events and feed SBI encrypted traffic visibility
SCP+ Bridging 4G/5G in Multiple Domains
Supports 4G/5G telco protocols to reduce the complexity of integrating with 4G/5G services

Figure: 5G NFs send Nxxx request messages (HTTP/2) to SCP+, which forwards them as Diameter request messages to 4G nodes; Diameter messages from 4G nodes are returned to the 5G NFs as Nxxx messages (HTTP/2).
5G SBA Secure Signaling Flow
Mitigate spoofed messages from unknown or abnormal traffic flows

Figure: NF Consumer set, NRF and NF Producer set with the SCP in the middle. The NF Consumer requests a token from the NRF (Auth), then sends its HTTP request over mTLS to the SCP with the OAuth 2.0 token attached; the SCP validates the token (verifying the “Subject” in the token) and forwards the request over mTLS to NF Producer 1. An HTTP request from an Unknown Consumer is rejected at the SCP. SIMPLIFY, SCALE, SECURE.

SCP behaviour:
• TLS connections terminate in the SCP
• Decrypts traffic from the NF Consumer and encrypts traffic to NF Producers
• Identifies unknown or abnormal traffic flows
• Restricts connections from any unknown peer and drops the message

Signaling flow:
• The Consumer interacts with the NRF first for Discovery and then for Auth before sending a service request message, with the authorization token embedded, to an SCP.
• The SCP verifies the “Subject” in the token against the information present in the Consumer’s TLS certificate* and presents to the producer a valid access token that was issued to the NF service consumer.
• The SCP supports TLS 1.2/1.3 to securely transport the tokens in 5G signaling, which makes it easier to terminate security directly in the network function.
• The NF Producer then verifies the integrity of the access token before granting the NF service consumer access to its services.
• The Service Request is passed on to the NF Producer after successful verification.
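The two verification points above, the SCP binding the token subject to the mTLS peer identity and the producer re-checking integrity, audience and scope, as an added worked example; this is not F5 code or the slide's own material. It assumes an HS256-signed JWT with a key shared by the NRF (real NRFs sign with their own key pair), claim names as in the AccessTokenClaims of 3GPP TS 29.510, and that the TLS layer hands over the NF instance ID from the consumer's client certificate; all sample identifiers are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key: the NRF's token-signing key, known to the verifier.
# Assumption: HS256 (shared secret) keeps the example stdlib-only; a deployment
# would instead verify the NRF's signature with the NRF's public key.
NRF_KEY = b"constructed-nrf-signing-key"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def nrf_issue_token(consumer_id, producer_type, scope, now, ttl=300):
    """NRF side: mint a JWT access token (claim names follow TS 29.510 AccessTokenClaims)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": "nrf-01", "sub": consumer_id, "aud": producer_type,
                                 "scope": scope, "exp": now + ttl}).encode())
    sig = hmac.new(NRF_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_token(token, now):
    """Integrity and freshness check shared by SCP and producer. Returns (claims, reason)."""
    try:
        header, claims, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = hmac.new(NRF_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None, "bad-signature"
    body = json.loads(_b64url_decode(claims))
    if body.get("exp", 0) <= now:
        return None, "expired"
    return body, "ok"

def scp_admit(token, peer_cert_subject, now):
    """SCP step from the slide: the mTLS peer identity must match the token's 'sub'.
    peer_cert_subject is the NF instance ID from the consumer's client certificate
    (assumption: extracted from the certificate subject/SAN by the TLS layer)."""
    if peer_cert_subject is None:
        return False, "unknown-peer"          # no client certificate: drop, never forward
    claims, reason = verify_token(token, now)
    if claims is None:
        return False, reason
    if claims["sub"] != peer_cert_subject:
        return False, "subject-mismatch"       # token was issued to a different consumer
    return True, "forward"

def producer_authorize(token, my_nf_type, required_scope, now):
    """Producer step: re-verify integrity, then check audience and scope before serving."""
    claims, reason = verify_token(token, now)
    if claims is None:
        return False, reason
    if claims.get("aud") != my_nf_type:
        return False, "wrong-audience"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing-scope"
    return True, "serve"

if __name__ == "__main__":
    now = int(time.time())
    tok = nrf_issue_token("amf-7f1c", "SMF", "nsmf-pdusession", now)
    print(scp_admit(tok, "amf-7f1c", now), scp_admit(tok, "rogue-nf", now))
    print(producer_authorize(tok, "SMF", "nsmf-pdusession", now))
```

The SCP check is what turns a stolen-but-valid token into a dropped message: the subject must match the certificate the peer actually presented, not just pass signature and expiry checks.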
Securing Distributed 5G Network Deployment
e.g. handling interaction between different network locations or domains

Figure: 5G Edge and 5G Core sites interconnected, annotated SIMPLIFY, SCALE, SECURE.
5G Core Security with Onion Model with SCP and SPK
Telco Cloud
• All CNF traffic via ingress/egress proxy
• Proxy deployed as separate pod(s) within CNF namespace
• Proxy deployment model same for external, inter-cluster, and intra-cluster

Figure: the core is split into three Kubernetes clusters, each with its own control plane, and every NF runs in its own namespace with an SPK pod in front of it. Non-Exposed Services Cluster: NSSF, NRF, PCF, CHF, with SBI over mTLS. Secure Services Cluster: UDM, AUSF, with SBI over mTLS. Exposed Services Cluster: AMF, NEF, SEPP, SMF, UPF, IPUPS, with SBI over mTLS. SCP+ sits between the clusters and towards the access network (N2 via an SCTP proxy, TCP proxy), with intercluster security provided by intercluster firewalls. External interfaces and their firewalls: N2 (SCTP-FW), N6 (N6-FW), N9, N32 (SECGW, SEPP), N33 (API-FW, NEF), Diameter (SIG-FW), plus API/Management firewalling for the management and ingress/egress paths. CHF information reaches the OCS via the NEF or via a direct CAPIF link; the RAN is potentially shared.