SEPP
Security Edge Protection Proxy: a 5GC entity at the PLMN border that protects signaling messages exchanged between different operator networks via the N32 interface.
The SEPP is the bouncer at the edge of an operator's 5G core. All service-based (SBI) signalling that leaves the network for another operator — roaming traffic, mostly — goes through it, and all inbound signalling arrives through the far operator's SEPP. The two SEPPs talk over the N32 interface and together protect what is otherwise plain HTTP/2 between network functions: they handle authentication of the peer network, integrity and confidentiality, and topology hiding so you don't expose your internal NF addressing to a roaming partner.
This is genuinely new in 5G. In the Diameter world, inter-operator security leaned heavily on the trust of the IPX/signalling network and was a known soft spot. The SEPP makes that boundary an explicit, enforced control point. One subtlety it has to handle: roaming hubs in the middle sometimes need to read or rewrite certain header fields, so N32 supports an application-layer security mode (PRINS) that protects message contents while still allowing authorised intermediaries to modify specific, agreed parts.
Related terms
Related comparisons
Want to truly understand SEPP? Learn it in context — free for 7 days.
SEPP is taught inside our 5G Security course with diagrams, labs and a TelcoMentor AI coach. Start a free 7-day Pro trial — no credit card.
- No credit card
- Full Pro access
- 21 verifiable certs
- TELCOMA since 2009
Get weekly 5G/LTE engineering deep-dives
One technical breakdown every Tuesday — plus first access to new tools and lessons. No spam, no marketing, just engineering. Unsubscribe in one click.