
TR 33.757
Study on Security for a PLMN hosting a Non-Public Network (NPN)

V19.0.0 (Wzip)  2025/03  68 p.
Rapporteur:
Ms. Shen, Jun
China Telecommunications

Full Table of Contents for TR 33.757, Word version: 19.0.0

1 Scope  p. 8
2 References  p. 8
3 Definitions of terms, symbols and abbreviations  p. 8
3.1 Terms  p. 8
3.2 Symbols  p. 9
3.3 Abbreviations  p. 9
4 Overview  p. 9
5 Security assumptions  p. 11
6 Key issues  p. 11
6.1 Key Issue #1: Security for dedicated UPF interacting with PLMN through N4 interface  p. 11
6.1.1 Key issue details  p. 11
6.1.2 Security threats  p. 11
6.1.3 Potential security requirements  p. 11
6.2 Key Issue #2: Dedicated NFs interacting with PLMN through SBA interface  p. 12
6.2.1 Key issue details  p. 12
6.2.2 Security threats  p. 12
6.2.3 Potential security requirements  p. 12
6.3 Key issue #3: SUPI privacy issue in PLMN hosting NPN scenario  p. 13
6.3.1 Key issue details  p. 13
6.3.2 Security Threats  p. 13
6.3.3 Potential security requirements  p. 14
7 Solutions  p. 14
7.0 Mapping solutions to key issues  p. 14
7.1 Solution #1: Secure N4 interface with Security Gateway  p. 14
7.1.1 Introduction  p. 14
7.1.2 Solution details  p. 15
7.1.2.0 System architecture  p. 15
7.1.2.1 Topology information hiding  p. 15
7.1.2.2 Signalling inspection and message filtration  p. 15
7.1.2.3 Security between the dedicated UPF and the Security Gateway  p. 16
7.1.2.3.0 General  p. 16
7.1.2.3.1 Authentication  p. 16
7.1.2.3.2 Transport protection between the dedicated UPF and the Security Gateway  p. 16
7.1.2.4 Access control  p. 16
7.1.3 Evaluation  p. 17
7.2 Solution #2: CIWF for N4 interface  p. 17
7.2.1 Introduction  p. 17
7.2.2 Solution details  p. 17
7.2.2.1 General  p. 17
7.2.2.2 Procedure for CIWF deployed only in the PLMN operational domain  p. 18
7.2.2.3 Procedure for CIWF deployed in the PLMN and PNI-NPN operational domain  p. 19
7.2.2.4 Procedure for CIWF deployed only in the PNI-NPN operational domain  p. 20
7.2.3 Evaluation  p. 21
7.3 Solution #3: A perimeter security gateway for N4 and SBI interface.  p. 21
7.3.1 Introduction  p. 21
7.3.2 Solution details  p. 22
7.3.2.0 General  p. 22
7.3.2.1 Authentication and Authorization between HNSPP and NFs  p. 23
7.3.2.2 Authentication and Authorization between HNSPPs  p. 23
7.3.2.3 Authentication between NFs and Authorization of NF service access  p. 23
7.3.3 Evaluation  p. 23
7.4 Solution #4: Security protection to avoid UE information disclosure  p. 24
7.4.1 Introduction  p. 24
7.4.2 Solution details  p. 24
7.4.3 Evaluation  p. 25
7.5 Solution #5: Secure SBA interface with Security Gateway  p. 25
7.5.1 Introduction  p. 25
7.5.2 Solution details  p. 26
7.5.2.0 General  p. 26
7.5.2.1 Topology information hiding  p. 26
7.5.2.2 Signalling inspection and message filtration  p. 27
7.5.2.3 Security between the NF in customer premise and the Security Gateway  p. 27
7.5.2.3.0 General  p. 27
7.5.2.3.1 Authentication  p. 27
7.5.2.3.2 Authorization  p. 28
7.5.2.3.3 Transport protection between the Security Gateway and the NF in PLMN  p. 28
7.5.2.4 Security between the Security Gateway and the NF in PLMN  p. 28
7.5.2.5 Access control  p. 28
7.5.3 Evaluation  p. 28
7.6 Solution #6: CIWF as a gateway for SBA interface  p. 28
7.6.1 Introduction  p. 28
7.6.2 Solution details  p. 29
7.6.2.1 General  p. 29
7.6.2.2 Procedure for CIWF deployed only in the PLMN operational domain  p. 30
7.6.2.3 Procedure for CIWF deployed in the PLMN and PNI-NPN operational domain  p. 32
7.6.2.4 Procedure for CIWF deployed only in the PNI-NPN operational domain  p. 34
7.6.3 Evaluation  p. 36
7.7 Solution #7: CIWF as a delegate for SBA interface  p. 36
7.7.1 Introduction  p. 36
7.7.2 Solution details  p. 36
7.7.2.1 General  p. 36
7.7.2.2 Procedure for CIWF deployed only in the PLMN operational domain  p. 38
7.7.2.3 Procedure for CIWF deployed in the PLMN and PNI-NPN operational domain  p. 39
7.7.2.4 Procedure for CIWF deployed only in the PNI-NPN operational domain  p. 41
7.7.3 Evaluation  p. 42
7.8 Solution #8: NRF based service and information exchange restriction  p. 43
7.8.1 Introduction  p. 43
7.8.2 Solution details  p. 43
7.8.2.1 NF Service Producer registration with NRF  p. 43
7.8.2.2 NF Service Consumer obtaining access token  p. 43
7.8.2.3 NF Service Consumer requesting service access with an access token  p. 44
7.8.3 Evaluation  p. 45
7.9 Solution #9: DNS Security in PLMN hosting NPN scenario  p. 46
7.9.1 Introduction  p. 46
7.9.2 Solution details  p. 46
7.9.3 Evaluation  p. 46
7.10 Solution #10: SCP based topology hiding and message handling  p. 47
7.10.1 Introduction  p. 47
7.10.2 Solution details  p. 47
7.10.3 Evaluation  p. 49
7.11 Solution #11: SUPI privacy protection in hosted NPN  p. 49
7.11.1 Introduction  p. 49
7.11.2 Solution details  p. 49
7.11.3 Evaluation  p. 51
7.12 Solution #12: Secure sensitive data with secure environment  p. 51
7.12.1 Introduction  p. 51
7.12.2 Solution details  p. 51
7.12.3 Evaluation  p. 52
7.13 Solution #13: Extended SEG to support topology hiding and message inspection  p. 52
7.13.1 Introduction  p. 52
7.13.2 Solution details  p. 52
7.13.3 Evaluation  p. 53
7.14 Solution #14: Extended SCP  p. 53
7.14.1 Introduction  p. 53
7.14.2 Solution details  p. 53
7.14.3 Evaluation  p. 57
7.15 Solution #15: SUPI privacy protection based on AMF register with UDM  p. 57
7.15.1 Introduction  p. 57
7.15.2 Solution details  p. 57
7.15.3 Evaluation  p. 58
7.16 Solution #16: Use a new PLMNNPN UE ID to resolve the SUPI privacy issue  p. 58
7.16.1 Introduction  p. 58
7.16.2 Solution details  p. 58
7.16.3 Evaluation  p. 59
7.17 Solution #17: SUPI privacy protection  p. 60
7.17.1 Introduction  p. 60
7.17.2 Solution details  p. 60
7.17.3 Evaluation  p. 61
7.18 Solution #18: Enforcing policy checks for NF Consumer in PNI-NPN  p. 62
7.18.1 Introduction  p. 62
7.18.2 Solution details  p. 62
7.18.2.1 Determining the domain of the NF Consumer  p. 62
7.18.2.2 Enforcing security checks  p. 62
7.18.2.3 Policy checks to be enforced  p. 64
7.18.3 Evaluation  p. 64
7.19 Solution #19: Re-use of existing SMF/UPF/SEG functionality  p. 64
7.19.1 Introduction  p. 64
7.19.2 Solution details  p. 65
7.19.3 Evaluation  p. 65
7.20 Solution #20: SEAF in PLMN operational domain for SUPI privacy protection  p. 65
7.20.1 Introduction  p. 65
7.20.2 Solution details  p. 65
7.20.3 Evaluation  p. 65
8 Conclusions  p. 66
8.1 Conclusion for KI#1: Security for dedicated UPF interacting with PLMN through N4 interface  p. 66
8.2 Conclusion for KI#2: Dedicated NFs interacting with PLMN through SBA interface  p. 66
8.3 Conclusion for KI#3: SUPI privacy issue in PLMN hosting NPN scenario  p. 67
Change history  p. 68
