
TS 33.522
5G Security Assurance Specification (SCAS) –
Service Communication Proxy (SCP)

V17.1.0 (PDF)  2022/03  12 p.
Rapporteur:
Miss Jerichow, Anja
Nokia Germany

Content for  TS 33.522  Word version:  17.1.0

1  Scope

The present document contains objectives, requirements and test cases that are specific to the SCP network product class. It refers to the Catalogue of General Security Assurance Requirements and formulates specific adaptions of the requirements and test cases given there, as well as specifying requirements and test cases unique to the SCP network product class.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TR 21.905: "Vocabulary for 3GPP Specifications".
[2] TS 33.117: "Catalogue of general security assurance requirements".
[3] TS 33.501: "Security architecture and procedures for 5G system" (Release 16).
[4] TR 23.501: "System architecture for the 5G System (5GS); Stage 2" (Release 16).
[5] TS 33.926: "Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes".
[6] TS 23.502: "Procedures for the 5G System (5GS)" (Release 16).
[7] TS 29.500: "5G System; Technical Realization of Service Based Architecture; Stage 3" (Release 16).

3  Definitions, symbols and abbreviations

3.1  Definitions

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.

3.2  Symbols

Void.

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.

4  SCP-specific security requirements and related test cases

4.1  Introduction

The structure of the present document is aligned with TS 33.117 such that the SCP-specific adaptation of a generic requirement in clause 4 of TS 33.117 can always be found in clause 4 of the present document. The text on pre-requisites for testing in clause 4.1.1 of TS 33.117 also applies to the present document.
SCP-specific security requirements include both requirements derived from SCP-specific security functional requirements in relevant specifications and security requirements introduced in the present document that are derived from the threats specific to the SCP as described in TR 33.926.

4.2  SCP-specific adaptations of security functional requirements and related test cases

4.2.1  Introduction

The present clause describes the security functional requirements and the corresponding test cases for the SCP network product class. The proposed security requirements are classified in two groups:
  • Security functional requirements derived from TS 33.501 and detailed in clause 4.2.2.
  • General security functional requirements, which include requirements not already addressed in TS 33.501 but whose support is also important to ensure that the SCP conforms to a common security baseline, detailed in clause 4.2.3.

4.2.2  Security functional requirements on the SCP derived from 3GPP specifications and related test cases

4.2.2.1  Security functional requirements on the SCP derived from 3GPP specifications - general approach

In addition to the requirements and test cases in TS 33.117, clause 4.2.2, an SCP shall satisfy the following:
It is assumed for the purpose of the present SCAS that an SCP conforms to all mandatory security-related provisions pertaining to an SCP in:
Security procedures pertaining to an SCP are typically embedded in NF/NF indirect communication, delegated discovery, message forwarding and routing, and are hence assumed to be tested together with them in interoperability testing at PLMN level, shared-slice level and slice-specific level.

4.2.2.2  Security functional requirements of SBI aspects

4.2.2.2.1  Introduction
According to TS 23.501, although the SCP is not a Network Function instance and does not expose services itself, it still needs to support service-based interfaces. Therefore, the general baseline requirements supported by all Network Functions (NF) utilizing Service-Based Interfaces (SBI), as defined in TS 33.117, clause 4.2.2.2, shall also be applicable to the SCP network product class. This clause contains SCP-specific adaptations to the general SBI requirements and related test cases.
4.2.2.2.2  Protection at the transport layer
There are no SCP-specific additions to clause 4.2.2.2.2 of TS 33.117.
4.2.2.2.3  Authorization of NF service access
The SCP is not a network function instance and does not provide any services to any consumer NF. It supports OAuth 2.0 based service access authorization for NF service access, but it does not verify access tokens as NF producers do. Therefore, the requirements and test cases in clause 4.2.2.2.3 of TS 33.117 are not applicable to the SCP network product class.

4.2.3  Technical Baseline

4.2.3.1  Introduction

The present clause provides baseline technical requirements.

4.2.3.2  Protecting data and information

4.2.3.2.1  Protecting data and information - general
There are no SCP-specific additions to clause 4.2.3.2.1 of TS 33.117.
4.2.3.2.2  Protecting data and information - unauthorized viewing
There are no SCP-specific additions to clause 4.2.3.2.2 of TS 33.117.
4.2.3.2.3  Protecting data and information in storage
There are no SEPP-specific additions to clause 4.2.3.2.3 of TS 33.117.
4.2.3.2.4  Protecting data and information in transfer
There are no SCP-specific additions to clause 4.2.3.2.4 of TS 33.117.
4.2.3.2.5  Logging access to personal data
There are no SCP-specific additions to clause 4.2.3.2.5 of TS 33.117.

4.2.3.3  Protecting availability and integrity

There are no SCP-specific additions to clause 4.2.3.3 of TS 33.117.

4.2.3.4  Authentication and authorization

There are no SCP-specific additions to clause 4.2.3.4 of TS 33.117.

4.2.3.5  Protecting sessions

There are no SCP-specific additions to clause 4.2.3.5 of TS 33.117.

4.2.3.6  Logging

There are no SCP-specific additions to clause 4.2.3.6 of TS 33.117.

4.2.4  Operating Systems

There are no SCP-specific additions to clause 4.2.4 of TS 33.117.

4.2.5  Web Servers

There are no SCP-specific additions to clause 4.2.5 of TS 33.117.

4.2.6  Network Devices

There are no SCP-specific additions to clause 4.2.6 of TS 33.117.

4.3  SCP-specific adaptations of hardening requirements and related test cases

4.3.1  Introduction

The requirements proposed hereafter (with the related test cases) aim at securing the SCP by reducing its surface of vulnerability. In particular, the identified requirements aim to ensure that all the default configurations of the SCP (including operating system software, firmware and applications) are appropriately set.

4.3.2  Technical Baseline

There are no SCP-specific additions to clause 4.3.2 in TS 33.117.

4.3.3  Operating Systems

There are no SCP-specific additions to clause 4.3.3 in TS 33.117.

4.3.4  Web Servers

There are no SCP-specific additions to clause 4.3.4 in TS 33.117.

4.3.5  Network Devices

There are no SCP-specific additions to clause 4.3.5 in TS 33.117.

4.3.6  Network Functions in service-based architecture

There are no SCP-specific additions to clause 4.3.6 in TS 33.117.

4.4  SCP-specific adaptations of basic vulnerability testing requirements and related test cases

There are no SCP-specific additions to clause 4.4 of TS 33.117.

Change history