| 6.0 | Mapping of solutions to key issues
| 6.1 | Solution #1: Verification of the entity sending the service response in indirect communication without delegated discovery
| 6.2 | Solution #2: Authorization between NFs and SCP
| 6.3 | Solution #3: Using existing procedures for authorization of SCP to act on behalf of an NF Service Consumer
| 6.3.1 | Introduction
| 6.3.2 | Solution details
| 6.3.2.1 | Request of access token on behalf of the consumer
| 6.3.2.2 | Service request on behalf of the consumer
| 6.3.2.4 | Protection of the NF Service Consumer's CCA
| 6.3.3 | Evaluation
| 6.4 | Solution #4: Service request authenticity verification in indirect communication
| 6.5 | Solution #5: End-to-end integrity protection of HTTP body and method
| 6.6 | Solution #6: Verification of Service Response from a NF Service Producer at the expected NF Set
| 6.6.1 | Introduction
| 6.6.2 | Solution details
| 6.6.2.1 | For indirect communication without delegated discovery procedure
| 6.6.2.2 | For indirect communication with delegated discovery
| 6.6.2.3 | Client credentials assertion of NF Service Producer
| 6.6.3 | Evaluation
| 6.7 | Solution #7: Access token request for NF Set
| 6.8 | Solution #8: Integrity protection of HTTP message in consideration of update by SCP
| 6.9 | Solution #9: Authorization mechanism negotiation
| 6.10 | Solution #10: NRF deployment clarifications
| 6.11 | Solution #11: Registered NF Profile changes for Inter-Slice Access
| 6.12 | Solution #12: Authorization of notification endpoint in "Subscribe-Notify" scenarios
| 6.13 | Solution #13: Authentication of NF Service Producer in Indirect Communication
| 6.14 | Solution #14: SCP trust domain or technical domain grouping
| 6.15 | Solution #15: Authorization mechanism for the involved NFs in the delegated "Subscribe-Notify" scenario.
| 6.16 | Solution #16: Selective End of End Protection of HTTP Request and Response in Indirect Communication
| 6.17 | Solution #17: Authorization mechanism negotiation using existing methods
| 6.18 | Solution #18: Avoiding slice isolation violation
| 6.19 | Solution #19: Hosted SEPP requirements
| 6.20 | Solution #20: PRINS for Roaming Hubs
| 6.20.1 | Introduction
| 6.20.2 | Solution details
| 6.20.3 | RH Proxy Resolves pSEPP Well-Known FQDN
| 6.20.4 | Evaluation
| 6.21 | Solution #21: Certificate solution for NRF validation of NFc for access token requests
| 6.21.1 | Introduction
| 6.21.2 | Solution details
| 6.21.2.1 | NF Service Consumer information to validate at Service Request Authorization
| 6.21.2.2 | Certificates
| 6.21.2.3 | NRF validation solution
| 6.21.3 | Evaluation
| 6.22 | Solution #22: Combined certificate and profile solution for NRF validation of NFc for access token requests
| 6.22.1 | Introduction
| 6.22.2 | Solution details
| 6.22.2.1 | NF Service Consumer information to validate at Service Request Authorization
| 6.22.2.2 | O&M Provisioning solution
| 6.22.2.3 | Certificates
| 6.22.2.4 | NRF validation solution
| 6.22.3 | Evaluation
| 6.23 | Solution #23: SCP authorization check by NRF
| 6.23.1 | Introduction
| 6.23.2 | Solution details
| 6.23.2.1 | Enabling NRF to check on SCP information
| 6.23.2.2 | Including service request information into the CCA
| 6.23.3 | Evaluation
| 6.24 | Solution #24: Authorization negotiation with bootstrapping mechanism
| 6.25 | Solution #25: Solution on N32 security profiles
| 6.26 | Solution #26: Authorization of NF Service Consumer accessing Nnrf_AccessToken service