
full Contents for  TS 23.501  Word version:   16.4.0

5.10  Security aspects
5.10.1  General
The security features in the 5G System include:
  • Authentication of the UE by the network and vice versa (mutual authentication between UE and network).
  • Security context generation and distribution.
  • User Plane data confidentiality and integrity protection.
  • Control Plane signalling confidentiality and integrity protection.
  • User identity confidentiality.
  • Support of LI requirements as specified in TS 33.126 subject to regional/national regulatory requirements, including protection of LI data (e.g., target list) that may be stored or transferred by an NF.
Detailed security related network functions for 5G are described in TS 33.501.
5.10.2  Security Model for non-3GPP access
5.10.2.1  Signalling Security
When a UE is connected via NG-RAN and via a standalone non-3GPP access at the same time, the multiple N1 instances are secured using independent NAS security contexts, each created from the security context in the corresponding SEAF (e.g. in the common AMF when the UE is served by the same AMF) derived from the UE authentication.
5.10.3  PDU Session User Plane Security
The User Plane Security Enforcement information provides the NG-RAN with User Plane security policies for a PDU session. It indicates:
  • whether UP integrity protection is:
    • Required: for all the traffic on the PDU Session UP integrity protection shall apply.
    • Preferred: for all the traffic on the PDU Session UP integrity protection should apply.
    • Not Needed: UP integrity protection shall not apply on the PDU Session.
  • whether UP confidentiality protection is:
    • Required: for all the traffic on the PDU Session UP confidentiality protection shall apply.
    • Preferred: for all the traffic on the PDU Session UP confidentiality protection should apply.
    • Not Needed: UP confidentiality shall not apply on the PDU Session.
User Plane Security Enforcement information applies only over 3GPP access. Once determined at the establishment of the PDU Session the User Plane Security Enforcement information applies for the life time of the PDU Session.
The SMF determines, at PDU Session Establishment, the User Plane Security Enforcement information for the user plane of a PDU session based on:
  • the subscribed User Plane Security Policy, which is part of the SM subscription information received from UDM;
  • the User Plane Security Policy locally configured per (DNN, S-NSSAI) in the SMF, which is used when the UDM does not provide User Plane Security Policy information; and
  • the maximum supported data rate per UE for integrity protection for the DRBs, provided by the UE in the Integrity protection maximum data rate IE during PDU Session Establishment.
The SMF may, based on local configuration, reject the PDU Session Establishment request depending on the value of the maximum supported data rate per UE for integrity protection.
NOTE 1:
Reasons to reject a PDU Session Establishment request can e.g. be that the UP Integrity Protection is determined to be "Required" while the maximum supported data rate per UE for integrity protection is less than the expected required data rate for the DN.
NOTE 2:
The operator can take care to reduce the risk of such rejections when configuring the subscribed User Plane Security Policy for a DNN. For example, the operator may apply integrity protection "Required" only in scenarios where it can be assumed that the UE maximum supported data rate per UE for integrity protection is likely to be adequate for the DN.
The User Plane Security Policy provides the same level of information as the User Plane Security Enforcement information.
User Plane Security Policy from UDM takes precedence over locally configured User Plane Security Policy.
The User Plane Security Enforcement information, including the maximum supported data rate for integrity protection provided by the UE, is communicated from the SMF to the NG-RAN for enforcement as part of the PDU session related information. If the UP Integrity Protection is determined to be "Required" or "Preferred", the SMF also provides the maximum supported data rate per UE for integrity protection as received in the Integrity protection maximum data rate IE. This takes place at establishment of a PDU Session or at activation of the user plane of a PDU Session. The NG-RAN rejects the establishment of UP resources for the PDU Session when it cannot fulfil User Plane Security Enforcement information with a value of Required. The NG-RAN may also take the maximum supported data rate per UE for integrity protection into account in its decision on whether to accept or reject the establishment of UP resources. When the NG-RAN rejects the establishment of UP resources, the SMF releases the PDU Session. The NG-RAN notifies the SMF when it cannot fulfil User Plane Security Enforcement information with a value of Preferred.
NOTE 3:
For example, the NG-RAN cannot fulfill requirements in User Plane Security Enforcement information with UP integrity protection set to "Required" when it cannot negotiate UP integrity protection with the UE.
It is the responsibility of the NG-RAN to enforce that the UP integrity protection data rate delivered to the UE in downlink does not exceed the maximum supported data rate for integrity protection.
It is expected that generally the UP integrity protection data rate applied by the UE in uplink will not exceed the indicated maximum supported data rate, but the UE is not required to perform strict rate enforcement.
User Plane Security Enforcement information and the maximum supported data rate per UE for integrity protection is communicated from source to target NG-RAN node at handover. If the target RAN node cannot support requirements in User Plane Security Enforcement information, the target RAN node rejects the request to setup resources for the PDU Session. In this case the PDU Session is not handed over to the target RAN node and the PDU Session is released.
PDU Sessions with UP integrity protection of the User Plane Security Enforcement information set to Required are not handed over to EPS:
  • In the case of mobility without N26, the PGW-C+SMF shall reject a PDN connectivity request in EPS with handover indication if the UP integrity protection of the User Plane Security Enforcement is set to Required.
NOTE 4:
As described in clause 5.17.2.3.3, the UE does not know, before trying to move a given PDU Session to EPC, whether that PDU session can be transferred to EPC.
  • In the case of mobility with N26 to EPS, the source NG-RAN ensures that a PDU Session with UP integrity protection of the User Plane Security Enforcement information set to Required is not handed over to EPS.
PDU Sessions with UP confidentiality protection of the User Plane Security Enforcement information set to Required and UP integrity protection of the User Plane Security Enforcement information not set to Required, are allowed to be handed over to EPS regardless of how UP confidentiality protection applies in EPS.
In the case of dual connectivity, when the Integrity Protection is set to "Preferred", the Master NG-RAN node may notify the SMF when it cannot fulfil User Plane Security Enforcement information with a value of Preferred. The SMF handling of the PDU session with respect to the Integrity Protection status is up to SMF implementation decision.
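The decision logic of clause 5.10.3 (SMF policy selection and rejection, NG-RAN enforcement of Required/Preferred/Not Needed, and EPS handover eligibility) as a runnable model. This is an added illustration written for this page, not 3GPP or any vendor's code. The plain bit/s representation of the Integrity protection maximum data rate IE, the (DNN, S-NSSAI) keys, the "expected DN rate" and the rule the SMF applies when deciding to reject (NOTE 1 only gives this as an example of a locally configured reason) are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Policy(Enum):
    REQUIRED = "Required"      # shall apply; NG-RAN rejects UP resources if it cannot
    PREFERRED = "Preferred"    # should apply; NG-RAN notifies SMF if it cannot
    NOT_NEEDED = "Not Needed"  # shall not apply


@dataclass(frozen=True)
class UPSecurityPolicy:
    """User Plane Security Policy as held by UDM (subscription) or the SMF (local)."""
    integrity: Policy
    confidentiality: Policy


@dataclass(frozen=True)
class UPSecurityEnforcement:
    """User Plane Security Enforcement information sent from SMF to NG-RAN."""
    integrity: Policy
    confidentiality: Policy
    # Maximum supported data rate per UE for integrity protection. The SMF only
    # includes it when integrity is Required or Preferred. Plain bit/s here is an
    # assumption; the real IE carries coded values.
    max_integrity_rate_bps: Optional[int]


class PduSessionRejected(Exception):
    """SMF rejected the PDU Session Establishment request."""


def smf_determine_enforcement(
    udm_policy: Optional[UPSecurityPolicy],
    local_policies: Dict[Tuple[str, str], UPSecurityPolicy],
    dnn: str,
    snssai: str,
    ue_max_integrity_rate_bps: int,
    expected_dn_rate_bps: int,
) -> UPSecurityEnforcement:
    """SMF step at PDU Session Establishment.

    The UDM-provided policy takes precedence; the locally configured policy per
    (DNN, S-NSSAI) is used only when UDM provides none. The rejection rule is an
    assumed local configuration: reject when integrity is Required but the UE's
    maximum integrity rate is below the rate expected for the DN (cf. NOTE 1).
    """
    policy = udm_policy if udm_policy is not None else local_policies[(dnn, snssai)]
    if policy.integrity is Policy.REQUIRED and ue_max_integrity_rate_bps < expected_dn_rate_bps:
        raise PduSessionRejected(
            f"UP integrity Required for DNN {dnn} but UE supports only "
            f"{ue_max_integrity_rate_bps} bit/s of {expected_dn_rate_bps} bit/s expected"
        )
    rate = ue_max_integrity_rate_bps if policy.integrity in (Policy.REQUIRED, Policy.PREFERRED) else None
    return UPSecurityEnforcement(policy.integrity, policy.confidentiality, rate)


@dataclass(frozen=True)
class RanDecision:
    accepted: bool                # False: UP resources rejected, SMF releases the PDU Session
    integrity_applied: bool
    confidentiality_applied: bool
    notify_smf: Tuple[str, ...]   # "Preferred" protections the NG-RAN could not fulfil


def ngran_setup_up_resources(
    enforcement: UPSecurityEnforcement, can_integrity: bool, can_confidentiality: bool
) -> RanDecision:
    """NG-RAN decision when asked to set up UP resources (initial setup, UP
    activation, or as target node at handover). `can_*` stands for whether the
    node is able to negotiate that protection with the UE (cf. NOTE 3)."""
    applied: Dict[str, bool] = {}
    notify: List[str] = []
    for name, policy, capable in (
        ("integrity", enforcement.integrity, can_integrity),
        ("confidentiality", enforcement.confidentiality, can_confidentiality),
    ):
        if policy is Policy.REQUIRED:
            if not capable:
                return RanDecision(False, False, False, ())
            applied[name] = True
        elif policy is Policy.PREFERRED:
            applied[name] = capable
            if not capable:
                notify.append(name)
        else:
            applied[name] = False  # Not Needed: shall not apply
    return RanDecision(True, applied["integrity"], applied["confidentiality"], tuple(notify))


def eps_handover_allowed(enforcement: UPSecurityEnforcement) -> bool:
    """A PDU Session with UP integrity Required is never moved to EPS; any other
    combination may be, regardless of how UP confidentiality applies in EPS."""
    return enforcement.integrity is not Policy.REQUIRED


if __name__ == "__main__":
    # Constructed inputs: a subscribed policy from UDM and a local fallback.
    local = {("internet", "sst1"): UPSecurityPolicy(Policy.PREFERRED, Policy.REQUIRED)}
    udm = UPSecurityPolicy(Policy.REQUIRED, Policy.NOT_NEEDED)
    enf = smf_determine_enforcement(udm, local, "internet", "sst1", 64_000, 64_000)
    print(enf, ngran_setup_up_resources(enf, True, True), eps_handover_allowed(enf))
```

The same `ngran_setup_up_resources` call models the target NG-RAN at handover: a rejected result there corresponds to the PDU Session not being handed over and being released.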