
TR 33.739
Study on Security enhancement of support for Edge Computing Phase 2

V18.1.0  2023/12  66 p.
Rapporteur: Dr. Zhang, Bo (HUAWEI TECHNOLOGIES Co. Ltd.)

Full Table of Contents for TR 33.739, Word version 18.1.0

1 Scope  p. 9
2 References  p. 9
3 Definitions of terms, symbols and abbreviations  p. 10
3.1 Terms  p. 10
3.2 Symbols  p. 10
3.3 Abbreviations  p. 10
4 Overview of Edge Computing - Phase 2  p. 11
5 Key issues  p. 12
5.1 General  p. 12
5.2 Key issues related with 5G System Enhancements for Edge Computing  p. 12
5.2.1 Key issue #1.1: How to authorize PDU session to support local traffic routing to access an EHE in the VPLMN  p. 12
5.2.1.1 Key issue details  p. 12
5.2.1.2 Threats  p. 12
5.2.1.3 Potential security requirements  p. 12
5.2.2 Key issue #1.2: Security of EAS discovery procedure via V-EASDF in VPLMN  p. 12
5.2.2.1 Key issue details  p. 12
5.2.2.2 Threats  p. 12
5.2.2.3 Potential security requirements  p. 13
5.3 Key issues related with enhanced architecture for enabling Edge Applications  p. 13
5.3.1 Key Issue #2.1: Authentication and authorization of the EEC/UE by the ECS/EES  p. 13
5.3.1.1 Key issue details  p. 13
5.3.1.2 Security threats  p. 13
5.3.1.3 Potential security requirements  p. 13
5.3.2 Key issue #2.2: Authentication mechanism selection between EEC and ECS/EES  p. 14
5.3.2.1 Key issue details  p. 14
5.3.2.2 Security threats  p. 14
5.3.2.3 Potential security requirement  p. 14
5.3.3 Key issue #2.3: Authentication and Authorization between V-ECS and H-ECS  p. 14
5.3.3.1 Key issue details  p. 14
5.3.3.2 Threats  p. 14
5.3.3.3 Potential security requirements  p. 14
5.3.4 Key issue #2.4: Transport security for the EDGE10 interface  p. 15
5.3.4.1 Key issue details  p. 15
5.3.4.2 Threats  p. 15
5.3.4.3 Potential security requirements  p. 15
5.3.5 Key issue #2.5: Authentication and Authorization between AC and EEC  p. 15
5.3.5.1 Key issue details  p. 15
5.3.5.2 Threats  p. 15
5.3.5.3 Potential security requirements  p. 15
5.3.6 Key issue #2.6: New KI on authorization between EESes  p. 15
5.3.6.1 Key issue details  p. 15
5.3.6.2 Threats  p. 16
5.3.6.3 Potential security requirements  p. 16
5.3.7 Key issue #2.7: EEC provided information verification  p. 16
5.3.7.1 Key issue details  p. 16
5.3.7.2 Threats  p. 16
5.3.7.3 Potential security requirements  p. 17
6 Proposed solutions  p. 17
6.0 Mapping of Solutions to Key Issues  p. 17
6.1 Solution #1: Authentication and authorization between EEC hosted in the roaming UE and ECS  p. 18
6.1.1 Solution overview  p. 18
6.1.2 Solution details  p. 19
6.1.3 Solution evaluation  p. 20
6.2 Solution #2: Authentication and authorization between EEC hosted in the roaming UE and EES  p. 20
6.2.1 Solution overview  p. 20
6.2.2 Solution details  p. 21
6.2.3 Solution evaluation  p. 22
6.3 Solution #3: Authentication mechanism selection between EEC and ECS  p. 22
6.3.1 Solution overview  p. 22
6.3.2 Solution details  p. 23
6.3.2.1 ECS configuration  p. 23
6.3.3 Solution evaluation  p. 24
6.4 Solution #4: Authentication mechanism selection between EEC and EES  p. 24
6.4.1 Solution overview  p. 24
6.4.2 Solution details  p. 24
6.4.2.1 EES profile  p. 25
6.4.3 Solution evaluation  p. 25
6.5 Solution #5: 5GC-based authentication mechanism selection between EEC and ECS/EES  p. 25
6.5.1 Solution overview  p. 25
6.5.2 Solution details  p. 26
6.5.3 Solution evaluation  p. 27
6.6 Solution #6: ECS/EES authentication method information provisioning  p. 27
6.6.1 Solution overview  p. 27
6.6.2 Solution details  p. 27
6.6.3 Solution evaluation  p. 27
6.7 Solution #7: Negotiation procedure for the Authentication and Authorization  p. 28
6.7.1 Solution overview  p. 28
6.7.2 Solution details  p. 28
6.7.3 Solution evaluation  p. 29
6.8 Solution #8: Authentication mechanisms selected by ECS/EES  p. 29
6.8.1 Solution overview  p. 29
6.8.2 Solution details  p. 29
6.8.2.1 Authentication between EEC and ECS  p. 29
6.8.2.2 Authentication between EEC and EES  p. 29
6.8.3 Solution evaluation  p. 29
6.9 Solution #9: Authentication mechanism selection procedure between EEC and ECS  p. 29
6.9.1 Solution overview  p. 29
6.9.2 Solution details  p. 30
6.9.3 Solution evaluation  p. 30
6.10 Solution #10: Authentication mechanism selection procedure between EEC and EES  p. 30
6.10.1 Solution overview  p. 30
6.10.2 Solution details  p. 30
6.10.3 Solution evaluation  p. 31
6.11 Solution #11: Authentication mechanism selection procedure among EEC, ECS, and EES  p. 31
6.11.1 Solution overview  p. 31
6.11.2 Solution details  p. 31
6.11.3 Solution evaluation  p. 32
6.12 Solution #12: Authorization for PDU session supporting local traffic routing to access an EHE in the VPLMN  p. 33
6.12.1 Introduction  p. 33
6.12.2 Solution details  p. 33
6.12.3 Solution evaluation  p. 33
6.13 Solution #13: A solution for authentication of EEC/UE and GPSI verification by EES/ECS  p. 33
6.13.1 Solution overview  p. 33
6.13.2 Solution details  p. 33
6.13.3 Solution evaluation  p. 35
6.14 Solution #14: A solution for authentication of UE and GPSI verification by EES/ECS  p. 35
6.14.1 Solution overview  p. 35
6.14.2 Solution details  p. 35
6.14.3 Solution evaluation  p. 36
6.15 Solution #15: Authentication algorithm selection procedure between EEC and ECS  p. 36
6.15.1 Solution overview  p. 36
6.15.2 Solution details  p. 36
6.15.3 Solution evaluation  p. 38
6.16 Solution #16: Authentication algorithm selection procedure between EEC and EES  p. 38
6.16.1 Solution overview  p. 38
6.16.2 Solution details  p. 38
6.16.3 Solution evaluation  p. 39
6.17 Solution #17: Using existing AKMA/GBA negotiation mechanism  p. 40
6.17.1 Solution overview  p. 40
6.17.2 Solution details  p. 40
6.17.2.1 Shared key based EEC/UE authentication and certificate based ECS/EES authentication  p. 40
6.17.2.2 Shared key based mutual authentication  p. 40
6.17.2.2.1 Shared key based mutual authentication in TLS 1.2  p. 40
6.17.2.2.2 Shared key based mutual authentication in TLS 1.3  p. 41
6.17.2.3 Handling EEC authentication negotiation failure  p. 41
6.17.2.4 GPSI verification  p. 41
6.17.3 Solution evaluation  p. 41
6.18 Solution #18: Authentication and Authorization between V-ECS and H-ECS  p. 42
6.18.1 Solution overview  p. 42
6.18.2 Solution details  p. 42
6.19 Solution #19: Authorization of V-ECS in roaming scenario  p. 42
6.19.1 Solution overview  p. 42
6.19.2 Solution details  p. 42
6.19.3 Solution evaluation  p. 43
6.20 Solution #20: Transport security for the EDGE10 interface  p. 43
6.20.1 Solution overview  p. 43
6.20.2 Solution details  p. 43
6.20.3 Solution evaluation  p. 44
6.21 Solution #21: Using local policy on authorization between EESes  p. 44
6.21.1 Solution overview  p. 44
6.21.2 Solution details  p. 44
6.21.3 Solution evaluation  p. 44
6.23 Solution #23: EAS discovery procedure protection  p. 45
6.23.1 Solution overview  p. 45
6.23.2 Solution details  p. 45
6.23.3 Solution evaluation  p. 45
6.24 Solution #24: Public key signature based ECS/EES authentication  p. 46
6.24.1 Solution overview  p. 46
6.24.2 Solution details  p. 46
6.24.3 Solution evaluation  p. 46
6.25 Solution #25: Utilizing Token-Based Solutions for EEC authentication  p. 46
6.25.1 Solution overview  p. 46
6.25.2 Solution details  p. 47
6.25.3 Solution evaluation  p. 47
6.26 Solution #26: Using authorization token on authorization between EESes  p. 47
6.26.1 Solution overview  p. 47
6.26.2 Solution details: Target EES decided ACR  p. 47
6.26.3 Solution details: Source EAS decided ACR  p. 49
6.26.4 Solution details: S-EES executed ACR  p. 50
6.26.5 Solution evaluation  p. 52
6.27 Solution #27: Token-based solution for authorization between EESes  p. 52
6.27.1 Solution overview  p. 52
6.27.2 Solution details  p. 52
6.27.3 Solution evaluation  p. 53
6.28 Solution #28: Usage of randomly generated ticket to verify EEC provided IP address  p. 53
6.28.1 Solution overview  p. 53
6.28.2 Solution details  p. 53
6.28.3 Solution evaluation  p. 54
6.29 Solution #29: Authorizing the Service Consumer when Resolving an IP Address to a UE ID  p. 55
6.29.1 Solution overview  p. 55
6.29.2 Solution details  p. 55
6.29.3 Solution evaluation  p. 55
6.30 Solution #30: Usage of existing public IP address to verify EEC provided IP address  p. 58
6.30.1 Solution overview  p. 58
6.30.2 Solution details  p. 58
6.30.3 Solution evaluation  p. 59
6.31 Solution #31: AKMA/GBA based verification of EEC provided IP address  p. 60
6.31.1 Solution overview  p. 60
6.31.2 Solution details  p. 60
6.31.3 Solution evaluation  p. 61
6.32 Solution #32: KDF based verification of EEC provided IP address  p. 61
6.32.1 Solution overview  p. 61
6.32.2 Solution details  p. 61
6.32.3 Solution evaluation  p. 61
6.33 Solution #33: Verification of EEC provided IP address  p. 62
6.33.1 Solution overview  p. 62
6.33.2 Solution details  p. 62
6.33.3 Solution evaluation  p. 62
6.34 Solution #34: Verification of EEC provided IP address using access token  p. 63
6.34.1 Solution overview  p. 63
6.34.2 Solution details  p. 63
6.34.3 Solution evaluation  p. 63
7 Conclusions  p. 64
7.1 Conclusions for Key Issue #2.4  p. 64
7.2 Conclusions for Key Issue #2.3  p. 64
7.3 Conclusions for Key Issue #2.5  p. 64
7.4 Conclusions for Key Issue #1.1  p. 64
7.5 Conclusions for Key Issue #2.1  p. 64
7.6 Conclusions for Key Issue #2.2  p. 64
7.7 Conclusions for Key Issue #2.6  p. 65
7.8 Conclusions for Key Issue #1.2  p. 65
7.9 Conclusions for Key Issue #2.7  p. 65
Change history  p. 66
