Content for TR 33.926 Word version: 17.6.0

1… 4… 5… 6… A… B… C… D… E… F… G… H… I… J… K… L… M… O… P…

B.1 Network product class description for the PGW B.2 Assets and threats specific to the PGW B.2.1 Critical assets B.2.2 Threats related to IP Address Allocation B.2.3 Packet Forwarding B.2.4 Emergency PDN Connection B.2.5 Threats related to charging relevant data
...

B Aspects specific to the network product class PGW |R15| p. 34

B.1 Network product class description for the PGW p. 34

B.1.1 Introduction p. 34

The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class.

B.1.2 Minimum set of functions defining the PGW network product class p. 34

As part of the PGW network product, it is expected that the PGW to contain PGW application, a set of running processes (typically more than one) executing the software package for the PGW functions and OAM functions that are specific to the PGW network product model. Functionalities specific to the PGW network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.250.

B.2 Assets and threats specific to the PGW p. 34

B.2.1 Critical assets p. 34

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the eNB to be protected are:

PGW Application;
Session related data: UE network usage and charging data e.g. subscriber's identities (e.g. IMSI), TEID, Charging ID, packet count, etc.
User plane data;
The interfaces of PGW to be protected and which are within SCAS scope: for example
- SGi interface
- S5/S8 interfaces
- Console interface, for local access: local interface on PGW
- OAM interface, for remote access: interface between PGW and OAM system
NOTE 1:
The detailed interfaces of the PGW class are described in clause 4, Network Product Class Description of the present document.
PGW Software: binary code or executable code

NOTE 2:
PGW files may be any file owned by a user (root user as well as non root users), including User account data and credentials, Log data, configuration data, OS files, PGW application, or PGW Software.

B.2.2 Threats related to IP Address Allocation p. 35

B.2.2.1 IP Address Reallocation Continuously p. 35

Threat name: IP Address Reallocation Continuously
Threat Category: Tampering
Threat Description: If an IP address is reallocated to a UE immediately after released from another UE, then the network side might be mistaken that the same UE keeps using the IP address continuously. Consequently, some network functions (e.g. PCRF) will execute policies on the wrong target UE. And some mis-operations (e.g. mischarging) will be executed on UEs.
Threatened Asset: Session related data

B.2.3 Packet Forwarding p. 35

B.2.3.1 Sending unauthorized packets to other UEs p. 35

Threat name: Sending unauthorized packets to other UEs
Threat Category: Tampering, DoS
Threat Description: If the destination address of uplink packets sent by a UE is another UE in the same PGW, the packets will not pass through the PGW and will be forwarded directly to the target UE. In this case, mutual access between two UEs within the same PGW might be requested. If such access is enabled, an attacker can gain control of a UE to send malicious packets (e.g. fraudulent information, malicious trojans, virus packs, etc.) directly to other UEs without security measures (e.g. firewall) at network side.
Threatened Asset: User plane data

B.2.4 Emergency PDN Connection p. 35

B.2.4.1 Inactive Emergency PDN Connection Release p. 35

Threat Name: Prolonged inactive emergency PDN connections
Threat Category: Denial of Service
Threat Description: The PGW is expected to release all bearers corresponding to emergency inactive PDN connections after the configured timeout. If emergency bearers of inactive PDN connections are not released, it may lead to system resource exhaustion.
Threatened Asset: Sufficient Processing Capacity

B.2.5 Threats related to charging relevant data |R16| p. 36

B.2.5.1 Failure to assign unique TEID or Charging ID for a session p. 36

Threat name: Failure to assign unique TEID or Charging ID for a session
Threat Category: Spoofing Identity, Tampering
Threat Description: Both Charging ID and TEID are the identities used for linking the network usage data per UE. If the Charging ID is not unique per IP-CAN session, or the TEID is not unique per GTP tunnel, the charging information for a PDU session would be wrongly correlated, creating charging errors.
Threatened Asset: Session related data