TS 33.518
5G Security Assurance Specification (SCAS) –
NF Repository Function (NRF)

3GPP‑Page ETSI‑search CONTENT_↓

V18.0.0 (Wzip) 2023/06 … p.

V17.0.0 (PDF) 2022/03 13 p.

V16.2.0 2020/06 13 p.

Rapporteur:: Mr. Orkopoulos, Stawros
Nokia Germany

Content for TS 33.518 Word version: 17.0.0

4.1 Introduction 4.2 NRF-specific adaptations of security functional requirements and related test cases 4.3 NRF-specific adaptations of hardening requirements and related test cases 4.4 NRF-specific adaptations of basic vulnerability testing requirements and related test cases

1 Scope p. 6

The present document contains objectives, requirements and test cases that are specific to the NRF network product class. It refers to the Catalogue of General Security Assurance Requirements and formulates specific adaptions of the requirements and test cases given there, as well as specifying requirements and test cases unique to the NRF network product class.

2 References p. 6

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.

[1]

TR 21.905: "Vocabulary for 3GPP Specifications".

[2]

TS 33.117: "Catalogue of general security assurance requirements".

[3]

TS 33.501: v15 "Security architecture and procedures for 5G system".

[4]

TS 23.502: "Procedures for the 5G System".

[5]

TS 29.510: "5G System; Network function repository services; Stage 3".

[6]

TR 33.926: "Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes".

3 Definitions of terms, symbols and abbreviations p. 6

3.1 Terms p. 6

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.

3.2 Symbols p. 6

Void.

3.3 Abbreviations p. 6

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.

Network Function

NRF

Network Repository Function

4 NRF-specific security requirements and related test cases p. 7

4.1 Introduction p. 7

NRF specific security requirements include both requirements derived from NRF-specific security functional requirements in relevant specifications as well as the security requirements introduced in the present document derived from the threats specific to NRF as described in TR 33.926.

4.2 NRF-specific adaptations of security functional requirements and related test cases p. 7

4.2.1 Introduction p. 7

The present clause describes the security functional requirements and the corresponding test cases for NRF network product class. The proposed security requirements are classified in two groups:

Security functional requirements derived from TS 33.501 and detailed in clause 4.2.2.
General security functional requirements which include requirements not already addressed in TS 33.501 but whose support is also important to ensure that NRF conforms to a common security baseline detailed in clause 4.2.3.

4.2.2 Security functional requirements on the NRF deriving from 3GPP specifications and related test cases p. 7

4.2.2.1 Security functional requirements on the NRF deriving from 3GPP specifications - general approach p. 7

In addition to the requirements and test cases in clause 4.2.2 of TS 33.117, a NRF shall satisfy the following:

It is assumed for the purpose of the present SCAS that a NRF conforms to all mandatory security-related provisions pertaining to a NRF in:

3GPP TS 33.501: "Security architecture procedures for 5G system";
other 3GPP specifications that make reference to TS 33.501 or are referred to from TS 33.501.

Security procedures pertaining to a NRF are typically embedded in NF discovery/registration/access token request procedures and are hence assumed to be tested together with them.

4.2.2.2 NF discovery procedure p. 7

4.2.2.2.1 NF discovery authorization for specific slice p. 7

Requirement Name:

NF discovery authorization for specific slice

Requirement Reference:

Clause 5.9.2.1 of TS 33.501, clause 4.17.4 of TS 23.502, and clause 6.2.3.2.3.1 of TS 29.510.

Requirement Description:

"NRF shall be able to ensure that NF Discovery and registration requests are authorized" as specified in clause 5.9.2.1 of TS 33.501.

"The NRF authorizes the Nnrf_NFDiscovery_Request. Based on the profile of the expected NF/NF service and the type of the NF service consumer, the NRF determines whether the NF service consumer is allowed to discover the expected NF instance(s). If the expected NF instance(s) or NF service instance(s) are deployed in a certain network slice, NRF authorizes the discovery request according to the discovery configuration of the Network Slice, e.g. the expected NF instance(s) are only discoverable by the NF in the same network slice".

as specified in clause 4.17.4 of TS 23.502.

"If included, the requester-snssais IE shall contain the list of S-NSSAI of the requester NF. The NRF shall use this to return only those NF profiles of NF Instances allowing to be discovered from the slice(s) identified by this IE, according to the "allowedNssais" list in the NF Profile and NF Service" as specified in TS 29.510, clause 6.2.3.2.3.1.

Threat References:

Clause H.2.2.1 of TR 33.926, No slice specific authorization for NF discovery

Test Case:

Test Name:

TC_DISC_AUTHORIZATION_SLICE_NRF

Purpose:

Verify that the NRF under test does not authorize slice specific discovery request for the NF instance which is not part of the requested slice, according to the slice specific discovery configuration of the requested NF instance.

Procedure and execution steps:

Pre-Conditions:

Test environment with the NF1 and NF2, which may be simulated.
The NF2 is configured with a list of S-NSSAI, which contains slice A but not slice B.
The NF1 is configured as a NF instance belonging to slice B and is connected in emulated/real network environment.
The NF1 and NF2 is successfully authenticated with the NRF under test.

Execution Steps

The NF2 registers at the NRF under test with a list of S-NSSAI.
The NF1 sends an Nnrf_NFDiscovery_Request to the NRF under test with the expected service name of NF2, NF type of the expected NF2.
The NRF under test determines that NF2 instance only allows discovery from NFs belonging to slice A, according to the "allowedNssais" list stored in NF2 Profile.

Expected Results:

The NRF under test returns a response with "403 Forbidden" status code, as specified in clause 5.3.2.2.2 of TS 29.510.

Expected format of evidence:

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

4.2.3 Technical Baseline p. 8

4.2.3.1 Introduction p. 8

The present clause provides baseline technical requirements.

4.2.3.2 Protecting data and information p. 8

4.2.3.2.1 Protecting data and information - general p. 8

There are no NRF-specific additions to clause 4.2.3.2.1 of TS 33.117.

4.2.3.2.2 Protecting data and information - unauthorized viewing p. 8

There are no NRF-specific additions to clause 4.2.3.2.2 of TS 33.117.

4.2.3.2.3 Protecting data and information in storage p. 9

There are no NRF-specific additions to clause 4.2.3.2.3 of TS 33.117.

4.2.3.2.4 Protecting data and information in transfer p. 9

There are no NRF-specific additions to clause 4.2.3.2.4 of TS 33.117.

4.2.3.2.5 Logging access to personal data p. 9

There are no NRF-specific additions to clause 4.2.3.2.5 of TS 33.117.

4.2.3.3 Protecting availability and integrity p. 9

There are no NRF-specific additions to clause 4.2.3.3 of TS 33.117.

4.2.3.4 Authentication and authorization p. 9

There are no NRF-specific additions to clause 4.2.3.4 of TS 33.117.

4.2.3.5 Protecting sessions p. 9

There are no NRF-specific additions to clause 4.2.3.5 of TS 33.117.

4.2.3.6 Logging p. 9

There are no NRF-specific additions to clause 4.2.3.6 of TS 33.117.

4.2.4 Operating Systems p. 9

There are no NRF-specific additions to clause 4.2.4 of TS 33.117.

4.2.5 Web Servers p. 9

There are no NRF-specific additions to clause 4.2.5 of TS 33.117.

4.2.6 Network Devices p. 9

There are no NRF-specific additions to clause 4.2.6 of TS 33.117.

4.3 NRF-specific adaptations of hardening requirements and related test cases p. 9

4.3.1 Introduction p. 9

The requirements proposed hereafter (with the relative test cases) aim to securing NRF by reducing its surface of vulnerability. In particular, the identified requirements aim to ensure that all the default configurations of NRF (including operating system software, firmware and applications) are appropriately set.

4.3.2 Technical baseline p. 9

All text from clause 4.3.2 of TS 33.117 also applies to NRFs. There are no NRF-specific adaptations or additions to clause 4.3.2 of TS 33.117.

4.3.3 Operating systems p. 10

There are no NRF-specific additions to clause 4.3.3 of TS 33.117.

4.3.4 Web servers p. 10

There are no NRF-specific additions to clause 4.3.4 of TS 33.117.

4.3.5 Network devices p. 10

There are no NRF-specific additions to clause 4.3.5 of TS 33.117.

4.3.6 Network functions in service-based architecture p. 10

There are no NRF-specific additions to clause 4.3.6 in TS 33.117.

4.4 NRF-specific adaptations of basic vulnerability testing requirements and related test cases p. 10

All text from clause 4.4 of TS 33.117 also applies to NRFs. There are no NRF-specific adaptations or additions to clause 4.4 of TS 33.117.