LBO vs HR roaming, SEPP N32 PRINS, NRF federation, IPX interconnect, visitor UE registration, roaming fraud, Oman/GCC roaming specifics
1. What Is 5G Roaming — The Simple Version
Roaming is when a subscriber from one operator (the Home PLMN, HPLMN) uses another operator’s network (the Visited PLMN, VPLMN) for connectivity. In 4G, roaming via Diameter and GTP-C was well understood but also well-exploited — SS7 and Diameter attacks against roaming infrastructure were widespread. In 5G, roaming uses the SBA on both HPLMN and VPLMN sides, with SEPP (Security Edge Protection Proxy) providing message-level security on the N32 inter-PLMN interface.
For GCC operators, roaming agreements are commercially critical — inbound tourists, business travellers, and high-value government subscribers all roam. Getting 5G roaming right from launch means subscribers experience seamless 5G on arrival, not a downgrade to 4G at the border.
| 3GPP Reference |
| 3GPP TS 23.501 Section 5.17 — Roaming Architecture |
| 3GPP TS 29.573 — Public Land Mobile Network Interconnection; 5G interconnect security |
| 3GPP TS 33.501 Section 13.3 — SEPP and N32 security |
| GSMA IR.88 — LTE and EPC Roaming Guidelines (being extended for 5G SA) |
2. Architecture — Two Roaming Models
| Dimension | Local Breakout (LBO) | Home Routed (HR) |
| Data path | VPLMN UPF → internet directly | VPLMN UPF (I-UPF) → N9 → HPLMN UPF (H-UPF) → internet |
| Latency for data | Low — internet breakout is local | Higher — all data traverses IPX back to home country |
| Charging | VPLMN charges home operator per agreed wholesale rate | Home operator charges subscriber; VPLMN earns transit |
| Policy (PCF) | VPLMN PCF applies policy (V-PCF) for basic rules; H-PCF optional for advanced | H-PCF (home) controls all policy — full control retained |
| Data sovereignty | Data exits VPLMN network — may violate home country data rules | Data returns to HPLMN — home country regulations apply |
| Use case | Consumer roaming — simplest for tourist/business | Enterprise, regulated data, premium services where HPLMN retains full control |
| SMF | V-SMF in VPLMN | V-SMF in VPLMN + I-SMF optionally; H-SMF in HPLMN coordinating |
Table 1 — LBO vs Home Routed roaming. LBO is simpler and lower latency. HR gives HPLMN full control. Most consumer roaming today uses LBO.
3. Step-by-Step — Visitor UE Registering in 5G Visited Network
Here is what happens when an Oman subscriber (HPLMN = Ooredoo Oman, MCC 422, MNC 02) travels to UAE and connects to e& 5G SA (VPLMN = Etisalat, MCC 424, MNC 02):
Step 1 — UE powers on. Selects VPLMN (e&) based on PLMN list. Sends NAS Registration Request with SUCI (the IMSI encrypted with the home operator's public key). gNB sends NGAP Initial UE Message to V-AMF.
Step 2 — V-AMF receives SUCI. Extracts home PLMN MCC+MNC (422-02 = Ooredoo Oman). V-AMF must authenticate via the home network. V-AMF contacts V-SEPP.
Step 3 — V-SEPP sends N32 message to H-SEPP (Ooredoo Oman). N32 is HTTP/2 over TLS + PRINS body signing via IPX (e.g. BICS or Syniverse as IPX provider). H-SEPP receives and validates, forwards to H-AUSF.
Step 4 — H-AUSF → H-UDM: get authentication vectors for this SUPI (after SIDF decrypts SUCI to SUPI). 5G-AKA challenge returned through H-SEPP → V-SEPP → V-AMF → UE. UE authenticates. KAMF established.
Step 5 — V-AMF fetches roaming restrictions from H-UDM via N8 (through SEPP). H-UDM returns: allowed VPLMN list, subscribed S-NSSAIs, roaming restrictions (barred DNNs, maximum UE-AMBR for roaming).
Step 6 — V-NSSF maps HPLMN S-NSSAIs to VPLMN S-NSSAIs. The subscriber’s home S-NSSAI (SST=1) is mapped to VPLMN equivalent (also SST=1 if standard eMBB). If home S-NSSAI is operator-specific (custom SD), V-NSSF must have an explicit mapping table for this roaming partner.
Step 7 — Registration Accept sent to UE with Allowed NSSAI (mapped VPLMN S-NSSAIs). V-AMF assigns 5G-GUTI in VPLMN format. UE now registered and can establish PDU sessions via V-SMF.
4. SEPP N32 — The Security Perimeter
The SEPP sits at the PLMN boundary. Every inter-PLMN SBI message passes through SEPP. The N32 interface between H-SEPP and V-SEPP has two security layers working together:
Layer 1 — TLS transport: the N32 HTTP/2 connection is TLS-encrypted end-to-end between H-SEPP and V-SEPP. IPX provider sees the routing headers but cannot read the payload.
Layer 2 — PRINS (Protection of Interconnect): individual JSON field values in the HTTP/2 message body are signed using JWS (JSON Web Signature) by the originating SEPP. The receiving SEPP verifies each field signature. If an IPX intermediary modifies a PRINS-protected field, signature verification at the receiving SEPP fails and the message is rejected. This addresses the Diameter attack surface where IPX providers could modify roaming messages.
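The tamper check described for Layer 2, as an added example (not code from this post or from any SEPP product). It follows the page's description of per-field JWS signing and assumes an HS256 key agreed over N32-c and a flat JSON body; the field names, key and values are constructed, and this is not the TS 33.501 wire format.

```python
import base64
import hashlib
import hmac
import json

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_field(path: str, value, key: bytes) -> str:
    """Compact JWS (HS256) binding one JSON field value to its field name."""
    header = _b64u(b'{"alg":"HS256"}')
    payload = _b64u(json.dumps({"path": path, "value": value}, sort_keys=True).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(mac)}"

def verify_field(path: str, value, token: str, key: bytes) -> bool:
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64u_dec(header)).get("alg") != "HS256":
            return False  # never accept "none" or an algorithm that was not agreed
        mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return (hmac.compare_digest(mac, _b64u_dec(sig))
                and json.loads(_b64u_dec(payload)) == {"path": path, "value": value})
    except (ValueError, AttributeError):
        return False  # a malformed token counts as a failed signature

def protect(body: dict, profile: list, key: bytes) -> dict:
    """Originating SEPP: sign each field named in the protection profile."""
    return {"body": dict(body), "sigs": {f: sign_field(f, body[f], key) for f in profile}}

def failed_fields(msg: dict, profile: list, key: bytes) -> list:
    """Receiving SEPP: profile fields that are missing or fail verification."""
    return [f for f in profile
            if f not in msg["body"] or f not in msg["sigs"]
            or not verify_field(f, msg["body"][f], msg["sigs"][f], key)]

# Constructed sample values, not taken from a real network.
KEY = b"constructed-demo-key"
PROFILE = ["supiOrSuci", "servingNetworkName"]
BODY = {"supiOrSuci": "imsi-422020000000001",
        "servingNetworkName": "5G:mnc002.mcc424.3gppnetwork.org"}

def demo_tamper() -> list:
    msg = protect(BODY, PROFILE, KEY)
    msg["body"]["supiOrSuci"] = "imsi-422020000000999"  # modified in transit
    return failed_fields(msg, PROFILE, KEY)
```

Because each signature covers the field name as well as the value, moving a valid signature from one field to another also fails verification.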
| N32 Configuration Item | What to Configure | Why |
| SEPP TLS certificate | Operator-issued certificate for N32 TLS. Must include PLMN ID in Subject Alternative Name. | Partner SEPP validates PLMN identity from TLS cert. Expired cert = N32 down = roaming down. |
| Partner SEPP FQDN/IP | Destination SEPP endpoint for each roaming partner, provided by partner via GSMA document. | Roaming partners exchange SEPP endpoints via GSMA IR.88 / roaming agreement process. |
| PRINS protection profiles | Which SBI message fields are PRINS-signed. Configure per-service, per-roaming partner. | At minimum: subscriber identity fields (SUPI), authentication data, policy data. Agree with partner. |
| IPX SLA | Bandwidth, latency, and reliability SLA with IPX provider for N32 traffic. | N32 RTT directly adds to roaming registration latency. Target < 100ms across IPX for nearby GCC partners. |
| NRF federation | VPLMN NRF and HPLMN NRF must exchange NF profile information for roaming NF discovery. | Without NRF federation: V-AMF cannot discover H-AUSF or H-UDM. Registration fails. |
Table 2 — N32 SEPP configuration checklist. SEPP certificate exchange and NRF federation must be completed with each roaming partner before enabling roaming traffic.
5. Key Parameters and Technical Terms
| Term | Definition | Operational Significance |
| HPLMN | Home PLMN — where the subscriber has their subscription. | Provides: authentication, subscriber profile, policy control, charging. Retains full subscriber control. |
| VPLMN | Visited PLMN — the network the subscriber is physically using. | Provides: radio access, user plane (LBO), or transit (HR). Earns wholesale roaming revenue. |
| V-AMF | Visited AMF. Handles UE registration in the VPLMN. | All NAS terminates at V-AMF. It contacts HPLMN via SEPP for auth and subscription data. |
| SEPP | Security Edge Protection Proxy. Every inter-PLMN message goes through SEPP. | SEPP failure = all roaming down. Deploy 2 SEPPs (active-standby). Monitor N32 TLS health. |
| PRINS | Protection of Interconnect Routing and Signalling. JWS signing of individual message fields. | Prevents IPX manipulation of roaming signalling. Required for 5G SA roaming. |
| NRF Federation | HPLMN and VPLMN NRFs exchange NF profile information for roaming NF discovery. | Without federation: V-AMF cannot discover H-AUSF/UDM endpoints. Auth fails. |
| N32-c | N32 control plane — TLS-protected connection for PRINS key exchange and security parameter negotiation. | Established before any subscriber traffic. If N32-c setup fails: N32-f cannot be used. |
| N32-f | N32 forwarding plane — carries actual inter-PLMN SBI messages with PRINS protection. | All auth, subscription, and roaming policy messages flow on N32-f. |
| S8HR | S8 Home Routed — legacy interface name for GTP-based home routing. In 5G replaced by N9 home routing. | Some operators transitioning from 4G HR to 5G SA HR. 4G used S8 GTP-C/U. 5G uses N9 GTP-U + H-SMF. |
| IMT-2020 Roaming | ITU designation for 5G international roaming. Requires SA-to-SA roaming capability. | Not all operators have SA-to-SA roaming enabled yet. Some use 4G fallback for international roamers. |
Table 3 — Roaming key parameters. SEPP, NRF federation, and PRINS are the three items that must be completed before any 5G SA roaming traffic can flow.
6. Common Issues in the Field
| Field Note: S-NSSAI Mapping Gap — Visitor Gets 4G Instead of 5G |
| Ooredoo Oman subscriber travelling to Saudi Arabia. STC SA deployed. |
| Subscriber had custom S-NSSAI (SST=1, SD=0xOOR001) for premium eMBB service. |
| V-NSSF at STC had no mapping for SD=0xOOR001. Fell back to standard eMBB (SST=1, no SD). |
| Subscriber registered on 5G but on standard eMBB slice — not the premium slice. |
| Appeared as degraded QoS to subscriber. Diagnosed only when subscriber filed complaint. |
| Fix: operator must pre-agree S-NSSAI mapping table for all custom SD values with each roaming partner. |
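Steps 2 and 6 of the registration walk-through and the fix in this field note, as an added example (not the author's or any vendor's code). It reads the home PLMN from an IMSI-based SUCI string and applies a per-partner mapping table, reporting unmapped custom SDs instead of falling back silently; the table layout, SD values and SUCI are constructed assumptions.

```python
import re

# IMSI-based SUCI string: suci-0-<MCC>-<MNC>-<routing>-<scheme>-<key id>-<output>
SUCI_RE = re.compile(r"^suci-0-(\d{3})-(\d{2,3})-\d{1,4}-[0-9a-fA-F]-\d{1,3}-.+$")

def home_plmn(suci: str) -> tuple:
    """Step 2: read the cleartext home MCC/MNC from the SUCI."""
    m = SUCI_RE.match(suci)
    if m is None:
        raise ValueError("not an IMSI-based SUCI")
    return m.group(1), m.group(2)

def map_nssai(suci: str, subscribed: list, table: dict) -> dict:
    """Step 6: map home S-NSSAIs (sst, sd) to VPLMN S-NSSAIs for this partner."""
    plmn = home_plmn(suci)
    if plmn not in table:
        raise LookupError(f"no S-NSSAI mapping agreed with PLMN {plmn}")
    partner, allowed, gaps = table[plmn], [], []
    for sst, sd in subscribed:
        if (sst, sd) in partner:
            allowed.append({"home": (sst, sd), "visited": partner[(sst, sd)],
                            "degraded": False})
            continue
        gaps.append((sst, sd))  # surface the gap so it can be alerted on
        if (sst, None) in partner:  # standard-slice fallback, explicitly flagged
            allowed.append({"home": (sst, sd), "visited": partner[(sst, None)],
                            "degraded": True})
    return {"plmn": plmn, "allowed": allowed, "gaps": gaps}

# Constructed mapping table and subscriber data (SD values are made up).
MAPPING = {("422", "02"): {(1, None): (1, None), (1, "00A001"): (1, "0000F1")}}
SUCI = "suci-0-422-02-0-1-1-0a1b2c3d4e5f"
SUBSCRIBED = [(1, None), (1, "00A001"), (1, "00B002")]

def demo_mapping() -> dict:
    return map_nssai(SUCI, SUBSCRIBED, MAPPING)
```

A non-empty `gaps` list at registration time is the signal that was missing in the incident above: it can be logged or counted per partner rather than discovered through a subscriber complaint.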
| Field Note: SEPP Certificate Expiry — All Roaming Down for 4 Hours |
| SEPP TLS certificate expired at 00:00. No monitoring alert configured for N32 certificate expiry. |
| All N32 connections to roaming partners dropped simultaneously. Every inbound roamer: auth failure. |
| Outbound roamers: same. Revenue loss from wholesale roaming: significant. |
| NOC discovered at 04:00 when roaming complaint volume triggered manual investigation. |
| Fix: emergency certificate renewal + N32 restart. Monitor SEPP certificate expiry with 30-day advance alert. |
| Automate N32 certificate renewal via cert-manager integration with SEPP. |
7. Troubleshooting
| Symptom | Root Cause | Check | Fix |
| Inbound roamer cannot register | N32 SEPP failure or NRF federation missing H-AUSF/UDM endpoints | V-AMF logs: N32 error on auth request; H-SEPP reachability; NRF federation status | Verify N32 TLS; check NRF federation with home operator; validate SEPP certificate |
| Roaming registration works but PDU fails | S-NSSAI mapping missing in V-NSSF for home S-NSSAI | V-NSSF: roaming S-NSSAI mapping table; V-SMF: DNN authorisation for roamer | Add home S-NSSAI → VPLMN S-NSSAI mapping to V-NSSF; check DNN authorisation for roaming SUPI |
| All roaming down after midnight | SEPP TLS certificate expired | openssl s_client to SEPP N32 endpoint: check certificate validity dates | Renew certificate; restart SEPP N32 connections. Prevention: cert expiry monitoring. |
| Roaming latency very high (> 3s registration) | N32 IPX path latency; home network slow to respond via SEPP | traceroute to partner SEPP via IPX; measure H-UDM response time on N13 | Optimise IPX routing (direct peering if available); escalate to partner for UDM latency |
| PRINS signature verification failing | Partner SEPP PRINS key mismatch after certificate rotation | V-SEPP/H-SEPP logs: JWS verification failure; check partner PRINS public key | Re-exchange PRINS keys with partner; coordinate certificate rotation procedure |
Table 4 — Roaming troubleshooting. SEPP certificate and NRF federation are the two most common roaming failures in SA deployments.
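The 30-day expiry alert from the certificate field note and the validity-date check in the troubleshooting table, as an added example (not code from this post). It evaluates certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns and assumes the PLMN ID appears in the SAN as a `mnc<MNC>.mcc<MCC>.3gppnetwork.org` DNS suffix; hostnames, dates and the inventory are constructed.

```python
import ssl
from datetime import datetime, timezone

def plmn_suffix(mcc: str, mnc: str) -> str:
    # 3GPP home network domains pad the MNC to three digits (02 -> mnc002).
    return f".mnc{int(mnc):03d}.mcc{mcc}.3gppnetwork.org"

def check_sepp_cert(cert: dict, mcc: str, mnc: str, now: datetime,
                    warn_days: int = 30) -> dict:
    """Evaluate one certificate (getpeercert()-style dict) for expiry and PLMN SAN."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    days_left = (expires - now).days  # negative once notAfter has passed
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if days_left < 0:
        status = "EXPIRED"
    elif days_left < warn_days:
        status = "RENEW"
    else:
        status = "OK"
    return {"status": status, "days_left": days_left,
            "plmn_in_san": any(s.endswith(plmn_suffix(mcc, mnc)) for s in sans)}

def sweep(inventory: dict, now: datetime) -> list:
    """(label, finding) for every certificate needing attention, most urgent first."""
    findings = [(label, check_sepp_cert(cert, mcc, mnc, now))
                for label, (mcc, mnc, cert) in inventory.items()]
    bad = [f for f in findings if f[1]["status"] != "OK" or not f[1]["plmn_in_san"]]
    return sorted(bad, key=lambda f: f[1]["days_left"])

# Constructed inventory: label -> (MCC, MNC, certificate fields).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
INVENTORY = {
    "own-sepp": ("422", "02", {
        "notAfter": "Jan 20 00:00:00 2025 GMT",
        "subjectAltName": (("DNS", "sepp.5gc.mnc002.mcc422.3gppnetwork.org"),)}),
    "partner-a": ("424", "02", {
        "notAfter": "Jun  1 00:00:00 2025 GMT",
        "subjectAltName": (("DNS", "sepp.5gc.mnc002.mcc424.3gppnetwork.org"),)}),
    "partner-b": ("420", "01", {
        "notAfter": "Dec 31 23:59:59 2024 GMT",
        "subjectAltName": (("DNS", "sepp.example.net"),)}),
}
```

Running `sweep(INVENTORY, NOW)` on a schedule covers both your own SEPP certificate and each partner's, so an approaching expiry on either side of N32 raises an alert before connections drop.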
8. Summary — Key Takeaways
| Topic | Key Takeaway |
| LBO vs HR | LBO: local data breakout, lower latency, simpler. HR: all data via HPLMN, HPLMN retains full control. Consumer default = LBO. |
| SEPP mandatory | Deploy SEPP before enabling roaming. N32 without SEPP = subscriber data unprotected across IPX. 2 SEPPs for HA. |
| PRINS | JWS field-level signing on N32-f. Prevents IPX manipulation. Configure protection profile with each roaming partner. |
| NRF federation | V-AMF must discover H-AUSF/UDM via SEPP. Configure NRF federation per roaming partner. Without it: auth fails. |
| S-NSSAI mapping | For any custom SD values: pre-agree mapping table with every roaming partner. Gap = visitor gets wrong slice silently. |
| Certificate monitoring | Monitor SEPP N32 certificate expiry with 30-day advance alert. SEPP cert expiry = all roaming down simultaneously. |
| GCC context | Most GCC operator 5G roaming is currently NSA-to-NSA or mixed (SA home, NSA visited). SA-to-SA with SEPP/PRINS is the target. Exchange SEPP endpoints early — IPX provisioning takes weeks. |
Table 5 — Post 16 summary. 5G SA roaming requires SEPP, PRINS, and NRF federation to be configured and tested before go-live.
