Assessing the Latency of Network Layer Security in 5G Networks
Sotiris Michaelides, Jonathan Mucke, Martin Henze
TL;DR
This study addresses the latency impact of network-layer security in 5G, particularly IPsec over the N3 interface for user data and over SBI for control data, and compares WireGuard as an alternative. It deploys an open, containerized testbed (Open5GS, UERANSIM, strongSwan, WireGuard) to measure latency across 12 IPsec configurations, TLS variants, and a WireGuard baseline, evaluating both UP and CP paths, as well as warm and cold conditions. The results show that properly configured IPsec, especially in start mode, incurs sub-millisecond overhead for latency-critical paths, with WireGuard offering lower resource usage but slightly higher latency in most cases; TLS performs competitively in some CP scenarios. These findings guide operators in selecting security configurations that balance robust protection with ultra-low latency requirements, and point to future work on optimization and post-quantum considerations for evolving 5G/6G architectures.
Abstract
In contrast to its predecessors, 5G supports a wide range of commercial, industrial, and critical infrastructure scenarios. One key feature of 5G, ultra-reliable low latency communication, is particularly appealing to such scenarios for its real-time capabilities. However, 5G's enhanced security, mostly realized through optional security controls, imposes additional overhead on the network performance, potentially hindering its real-time capabilities. To better assess this impact and guide operators in choosing between different options, we measure the latency overhead of IPsec when applied over the N3 and the service-based interfaces to protect user and control plane data, respectively. Furthermore, we evaluate whether WireGuard constitutes an alternative to reduce this overhead. Our findings show that IPsec, if configured correctly, has minimal latency impact and thus is a prime candidate to secure real-time critical scenarios.
