
TR 33.855 (SA3) (Rel-16 draft)
Study on Security aspects of the 5G Service Based Architecture (SBA)

V1.5.0 (2019/05), 66 pages. The Table of Contents (ToC) is reproduced below.

Rapporteur:  Dr. Jost, Christine

TS 23.501 defines 5G services with a new service based architecture (SBA) approach. The present document reviews the interactions in this new architecture, determines key issues relating to the security of SBA elements and interfaces, details potential solutions and recommends normative work for releases 15 and 16.

full Table of Contents for  TR 33.855  Word version:   1.5.0

1  Scope
2  References
3  Definitions, symbols and abbreviations
4  Key Issues
4.1  General SBA Key Issues
4.1.1  Key Issue #1: Confidentiality protection of signalling messages
4.1.2  Key Issue #2: Integrity protection of signalling messages while allowing for modifications
4.1.3  Key Issue #3: Replay protection of signalling messages
4.1.4  Key Issue #4: NF-NF Authentication
4.1.5  Key Issue #5: NF-NF Authorization
4.1.6  Key Issue #6: NF-NRF Authentication
4.1.7  Key Issue #7: NF-NRF Authorization
4.1.8  Key Issue #8: NRF-NRF Authentication
4.1.9  Key Issue #9: NRF-NRF Authorization
4.1.10  Key Issue #20: Protection of SeCoP interfaces
4.1.11  Key Issue #21: Secure message transport via the SeCoP
4.1.12  Key Issue #22: Authorization of NF service access in Indirect Communication
4.1.13  Key Issue #23: NF to NF authentication and authorization in Indirect communication
4.1.14  Key Issue #24: Service access authorization within a NF Set or a NF Service Set
4.1.15  Key Issue #25: Indirect communication in roaming scenarios
4.1.16  Key Issue #26: Protection of N9 interface
4.1.17  Key Issue #27: Support of a UP gateway function on the N9 interface
4.1.18  Key Issue #28: Service access authorization in the delegated "Subscribe-Notify" scenarios
4.2  SEPP-/N32-specific Key Issues
4.2.1  Key Issue #10: Termination points of N32 security
4.2.2  Key Issue #11: Local provisioning of SEPP protection policies
4.2.3  Key Issue #12: Provisioning of SEPP protection policies over N32
4.2.4  Key Issue #13: SEPP session setup
4.2.5  Key Issue #14: Application of ciphering and integrity protection to JSON object using JOSE
4.2.6  Key Issue #15: Malicious messages received on the N32 interface
4.2.7  Key Issue #16: N32 error signalling
4.2.8  Key Issue #17: Modifications by authorized intermediaries on N32
4.2.9  Key Issue #18: Inter-PLMN routing and TLS
4.2.10  Key Issue #19: Configurational error handling by the SEPP
5  General Requirements
6  Solutions
6.1  Solution #1: Authorization of NF service access
6.2  Solution #2: Application layer protection based on JSON Object Signing and Encryption (JOSE)
6.3  Solution #3: NF service registration process
6.4  Solution #4: Authorization of NF service access
6.5  Solution #5: Using mediation services with end-to-end encryption
6.6  Solution #6: Policies for protection on the N32 interface
6.7  Solution #7: Signaling based provisioning of message protection policy in partner SEPPs
6.8  Solution #8: Inter PLMN routing and TLS: Solution Options
6.9  Solution #9: N32 message anti-spoofing within the SEPP
6.10  Solution #10: Mitigation against fraudulent registration attack between SEPPs
6.11  Solution #11: Security policy provisioning for SEPP
6.12  Solution #12: End-to-end data protection in hop-by-hop network communication links
6.13  Solution #13: Content and structure of protection policies
6.14  Solution #14: Provisioning and negotiation of protection policies
6.15  Solution #15: Service access authorization in the delegated "Subscribe-Notify" interaction scenarios
6.16  Solution #16: OAuth 2.0 based authorization for Indirect communication without Delegated Discovery (Model C)
6.17  Solution #17: Protection of SeCoP interfaces
6.18  Solution #18: Support NDS/IP on the inter-PLMN N9 interface
6.19  Solution #19: Service access authorization within a NF Set
6.20  Solution #20: UP Gateway function on the inter-PLMN N9 interface
6.21  Solution #21: OAuth 2.0 based authorization for Indirect communication with Delegated Discovery (Model D)
6.22  Solution #22: Authentication and authorization between Network Functions for Indirect Communication models
7  Conclusions
8  Recommendations
A  Working Agreements
B  Options for integrity protection on the N32 interface
X  Change history
