Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x
Top   in Index   Prev   Next

TR 33.739
Study on Security enhancement of support for
Edge Computing
Phase 2

3GPP‑Page  
V18.1.0 (Wzip)  2023/12  … p.
Rapporteur:
Dr. Zhang, Bo
HUAWEI TECHNOLOGIES Co. Ltd.

full Table of Contents for  TR 33.739  Word version:  18.0.0

Here   Top
1 Scope2 References3 Definitions of terms, symbols and abbreviations4 Overview of Edge Computing - Phase 25 Key issues6 Proposed solutions7 Conclusions$ Change history

 

1  Scopep. 9

The present document studies the security aspects related to the new features and procedures resulting from the continuation of the work on Edge Computing support in 5G Systems, i.e. 5G System Enhancements for Edge Computing in TR 23.700-48, and enhanced architecture for enabling Edge Applications in TR 23.700-98. The study bases on the work done in the TS 33.558 and TR 33.839.
Up

2  Referencesp. 9

3  Definitions of terms, symbols and abbreviationsp. 10

3.1  Termsp. 10

3.2  Symbolsp. 10

3.3  Abbreviationsp. 10

4  Overview of Edge Computing - Phase 2p. 10

5  Key issuesp. 10

5.1  Generalp. 10

5.2  Key issues related with 5G System Enhancements for Edge Computingp. 10

5.2.1  Key issue #1.1: How to authorize PDU session to support local traffic routing to access an EHE in the VPLMNp. 10

5.2.1.1  Key issue detailsp. 10

5.2.1.2  Threatsp. 11

5.2.1.3  Potential security requirementsp. 11

5.2.2  Key issue #1.2: Security of EAS discovery procedure via V-EASDF in VPLMNp. 11

5.2.2.1  Key issue detailsp. 11

5.2.2.2  Threatsp. 11

5.2.2.3  Potential security requirementsp. 11

5.3  Key issues related with enhanced architecture for enabling Edge Applicationsp. 11

5.3.1  Key Issue #2.1: Authentication and authorization of the EEC/UE by the ECS/EESp. 11

5.3.1.1  Key issue detailsp. 11

5.3.1.2  Security threatsp. 12

5.3.1.3  Potential security requirementsp. 12

5.3.2  Key issue #2.2: Authentication mechanism selection between EEC and ECS/EESp. 12

5.3.2.1  Key issue detailsp. 12

5.3.2.2  Security threatsp. 12

5.3.2.3  Potential security requirementp. 12

5.3.3  Key issue #2.3: Authentication and Authorization between V-ECS and H-ECSp. 13

5.3.3.1  Key issue detailsp. 13

5.3.3.2  Threatsp. 13

5.3.3.3  Potential security requirementsp. 13

5.3.4  Key issue #2.4: Transport security for the EDGE10 interfacep. 13

5.3.4.1  Key issue detailsp. 13

5.3.4.2  Threatsp. 13

5.3.4.3  Potential security requirementsp. 13

5.3.5  Key issue #2.5: Authentication and Authorization between AC and EECp. 13

5.3.5.1  Key issue detailsp. 13

5.3.5.2  Threatsp. 14

5.3.5.3  Potential security requirementsp. 14

5.3.6  Key issue #2.6: New KI on authorization between EESesp. 14

5.3.6.1  Key issue detailsp. 14

5.3.6.2  Threatsp. 14

5.3.6.3  Potential security requirementsp. 14

5.3.7  Key issue #2.7: EEC provided information verificationp. 15

5.3.7.1  Key issue detailsp. 15

5.3.7.2  Threatsp. 15

5.3.7.3  Potential security requirementsp. 15

6  Proposed solutionsp. 15

6.0  Mapping of Solutions to Key Issuesp. 15

6.1  Solution #1: Authentication and authorization between EEC hosted in the roaming UE and ECSp. 17

6.1.1  Solution overviewp. 17

6.1.2  Solution detailsp. 17

6.1.3  Solution evaluationp. 18

6.2  Solution #2: Authentication and authorization between EEC hosted in the roaming UE and EESp. 18

6.2.1  Solution overviewp. 18

6.2.2  Solution detailsp. 19

6.2.3  Solution evaluationp. 20

6.3  Solution #3: Authentication mechanism selection between EEC and ECSp. 21

6.3.1  Solution overviewp. 21

6.3.2  Solution detailsp. 21

6.3.2.1  ECS configurationp. 21

6.3.3  Solution evaluationp. 22

6.4  Solution #4: Authentication mechanism selection between EEC and EESp. 22

6.4.1  Solution overviewp. 22

6.4.2  Solution detailsp. 22

6.4.2.1  EES profilep. 23

6.4.3  Solution evaluationp. 23

6.5  Solution #5: 5GC-based authentication mechanism selection between EEC and ECS/EESp. 23

6.5.1  Solution overviewp. 23

6.5.2  Solution detailsp. 24

6.5.3  Solution evaluationp. 25

6.6  Solution #6: ECS/EES authentication method information provisioningp. 25

6.6.1  Solution overviewp. 25

6.6.2  Solution detailsp. 25

6.6.3  Solution evaluationp. 25

6.7  Solution #7: Negotiation procedure for the Authentication and Authorizationp. 26

6.7.1  Solution overviewp. 26

6.7.2  Solution detailsp. 26

6.7.3  Solution evaluationp. 27

6.8  Solution #8: Authentication mechanisms selected by ECS/EESp. 27

6.8.1  Solution overviewp. 27

6.8.2  Solution detailsp. 27

6.8.2.1  Authentication between EEC and ECSp. 27

6.8.2.2  Authentication between EEC and EESp. 27

6.8.3  Solution evaluationp. 27

6.9  Solution #9: Authentication mechanism selection procedure between EEC and ECSp. 27

6.9.1  Solution overviewp. 27

6.9.2  Solution detailsp. 28

6.9.3  Solution evaluationp. 28

6.10  Solution #10: Authentication mechanism selection procedure between EEC and EESp. 28

6.10.1  Solution overviewp. 28

6.10.2  Solution detailsp. 28

6.10.3  Solution evaluationp. 29

6.11  Solution #11: Authentication mechanism selection procedure among EEC, ECS, and EESp. 29

6.11.1  Solution overviewp. 29

6.11.2  Solution detailsp. 29

6.11.3  Solution evaluationp. 30

6.12  Solution #12: Authorization for PDU session supporting local traffic routing to access an EHE in the VPLMNp. 31

6.12.1  Introductionp. 31

6.12.2  Solution detailsp. 31

6.12.3  Solution evaluationp. 31

6.13  Solution #13: A solution for authentication of EEC/UE and GPSI verification by EES/ECSp. 31

6.13.1  Solution overviewp. 31

6.13.2  Solution detailsp. 31

6.13.3  Solution evaluationp. 33

6.14  Solution #14: A solution for authentication of UE and GPSI verification by EES/ECSp. 33

6.14.1  Solution overviewp. 33

6.14.2  Solution detailsp. 33

6.14.3  Solution evaluationp. 34

6.15  Solution #15: Authentication algorithm selection procedure between EEC and ECSp. 34

6.15.1  Solution overviewp. 34

6.15.2  Solution detailsp. 34

6.15.3  Solution evaluationp. 36

6.16  Solution #16: Authentication algorithm selection procedure between EEC and EESp. 36

6.16.1  Solution overviewp. 36

6.16.2  Solution detailsp. 36

6.16.3  Solution evaluationp. 37

6.17  Solution #17: Using existing AKMA/GBA negotiation mechanismp. 38

6.17.1  Solution overviewp. 38

6.17.2  Solution detailsp. 38

6.17.2.1  Shared key based EEC/UE authentication and certificate based ECS/EES authenticationp. 38

6.17.2.2  Shared key based mutual authenticationp. 38

6.17.2.2.1  Shared key based mutual authentication in TLS 1.2p. 38
6.17.2.2.2  Shared key based mutual authentication in TLS 1.3p. 39

6.17.2.3  Handling EEC authentication negotiation failurep. 39

6.17.2.4  GPSI verificationp. 39

6.17.3  Solution evaluationp. 39

6.18  Solution #18: Authentication and Authorization between V-ECS and H-ECSp. 40

6.18.1  Solution overviewp. 40

6.18.2  Solution detailsp. 40

6.19  Solution #19: Authorization of V-ECS in roaming scenariop. 40

6.19.1  Solution overviewp. 40

6.19.2  Solution detailsp. 40

6.19.3  Solution evaluationp. 41

6.20  Solution #20: Transport security for the EDGE10 interfacep. 41

6.20.1  Solution overviewp. 41

6.20.2  Solution detailsp. 41

6.20.3  Solution evaluationp. 42

6.21  Solution #21: Using local policy on authorization between EESesp. 42

6.21.1  Solution overviewp. 42

6.21.2  Solution detailsp. 42

6.21.3  Solution evaluationp. 42

6.23  Solution #23: EAS discovery procedure protectionp. 43

6.23.1  Solution overviewp. 43

6.23.2  Solution detailsp. 43

6.23.3  Solution evaluationp. 43

6.24  Solution #24: Public key signature based ECS/EES authenticationp. 44

6.24.1  Solution overviewp. 44

6.24.2  Solution detailsp. 44

6.24.3  Solution evaluationp. 44

6.25  Solution #25: Utilizing Token-Based Solutions for EEC authenticationp. 44

6.25.1  Solution overviewp. 44

6.25.2  Solution detailsp. 45

6.25.3  Solution evaluationp. 45

6.26  Solution #26: Using authorization token on authorization between EESesp. 45

6.26.1  Solution overviewp. 45

6.26.2  Solution details - Target EES Decided ACRp. 45

6.26.3  Solution details: Source EAS decided ACRp. 47

6.26.4  Solution details: S-EES executed ACRp. 48

6.26.5  Solution evaluationp. 50

6.27  Solution #27: Token-based solution for authorization between EESesp. 50

6.27.1  Solution overviewp. 50

6.27.2  Solution detailsp. 50

6.27.3  Solution evaluationp. 51

6.28  Solution #28: Usage of randomly generated ticket to verify EEC provided IP addressp. 51

6.28.1  Solution overviewp. 51

6.28.2  Solution detailsp. 51

6.28.3  Solution evaluationp. 52

6.29  Solution #29: Authorizing the Service Consumer when Resolving an IP Address to a UE IDp. 53

6.29.1  Solution overviewp. 53

6.29.2  Solution detailsp. 53

6.29.3  Solution evaluationp. 53

6.30  Solution #30: Usage of existing public IP address to verify EEC provided IP addressp. 56

6.30.1  Solution overviewp. 56

6.30.2  Solution detailsp. 56

6.30.3  Solution evaluationp. 57

6.31  Solution #31: AKMA/GBA based verification of EEC provided IP addressp. 58

6.31.1  Solution overviewp. 58

6.31.2  Solution detailsp. 58

6.31.3  Solution evaluationp. 59

6.32  Solution #32: KDF based verification of EEC provided IP addressp. 59

6.32.1  Solution overviewp. 59

6.32.2  Solution detailsp. 59

6.32.3  Solution evaluationp. 59

6.33  Solution #33: Verification of EEC provided IP addressp. 60

6.33.1  Solution overviewp. 60

6.33.2  Solution detailsp. 60

6.33.3  Solution evaluationp. 60

6.34  Solution #34: Verification of EEC provided IP address using access tokenp. 61

6.34.1  Solution overviewp. 61

6.34.2  Solution detailsp. 61

6.34.3  Solution evaluationp. 61

7  Conclusionsp. 62

7.1  Conclusions for Key Issue #2.4p. 62

7.2  Conclusions for Key Issue #2.3p. 62

7.3  Conclusions for Key Issue #2.5p. 62

7.4  Conclusions for Key Issue #1.1p. 62

7.5  Conclusions for Key Issue #2.1p. 62

7.6  Conclusions for Key Issue#2.2p. 62

7.7  Conclusions for Key Issue #2.6p. 63

7.8  Conclusions for Key Issue #1.2p. 63

7.9  Conclusions for Key Issue #2.7p. 63

$  Change historyp. 64

Up   Top