
Content for  TS 33.501  Word version:  18.4.0


15  Management security for network slices

15.1  General

The creation, modification, and termination of a Network Slice Instance (NSI) is part of the Management Services provided by the 5G management systems. A management service is accessed by management service consumers via standardized service interfaces given in TS 28.533. The typical service consumers for the above NSI provisioning and NSI provisioning exposure are operators and vertical industry respectively, as described in TS 28.531. These management services are protected through mutual authentication and authorization, as specified below.

15.2  Mutual authentication

If a management service consumer resides outside the 3GPP operator's trust domain, mutual authentication shall be performed between the management service consumer and the management service producer using TLS. TLS shall follow the profile given in clause 6.2 of TS 33.210 and either 1) the client and server certificates with the profiles given in clause 6.1.3a of TS 33.310 or 2) pre-shared keys following RFC 5489 for TLS 1.2 and RFC 8446 for TLS 1.3. The structure of the PKI used for the certificates is out of scope of the present document. The identities in the end entity certificates shall be used for authentication and policy checks. The key distribution of pre-shared keys for TLS is up to the operator's security policy and out of scope of the present document.

15.3  Protection of management interactions between the management service consumer and the management service producer

TLS shall be used to provide mutual authentication, integrity protection, replay protection and confidentiality protection for the interface between the management service producer and the management service consumer residing outside the 3GPP operator's trust domain. Security profiles for TLS implementation and usage shall follow the TLS profile given in clause 6.2 of TS 33.210 and the certificate profile given in clause 6.1.3a of TS 33.310. The identities in the end entity certificates shall be used for authentication and policy checks.

15.4  Authorization of management service consumer's request

After the mutual authentication, the management service producer determines whether the management service consumer is authorized to send requests to the management service producer. The management service producer shall authorize the requests from the management service consumer using one of the following two options: 1) OAuth-based authorization mechanism following RFC 6749; 2) based on the local policy of the management service producer.
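
The following is an added illustration, not text or code from TS 33.501: a producer-side sketch of clauses 15.2 and 15.4 option 2, where the consumer must present a client certificate and the identity in that certificate is checked against a default-deny local policy. The hostnames, operation names and policy table are hypothetical, the TLS 1.2 floor is an assumption, and the actual TLS and certificate profiles of TS 33.210 and TS 33.310 are not reproduced here.

```python
import ssl

# Constructed local policy (hypothetical names): certificate identity -> allowed NSI operations.
LOCAL_POLICY = {
    "DNS:oss.operator.example": {"createNSI", "modifyNSI", "terminateNSI"},
    "DNS:mgmt.vertical.example": {"createNSI", "modifyNSI"},
}

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "mgmt.vertical.example"),),),
    "subjectAltName": (("DNS", "mgmt.vertical.example"),),
}


def producer_tls_context(certfile=None, keyfile=None, client_ca=None):
    """Server-side context that rejects consumers lacking a valid client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption; real floor is set by the TLS profile
    ctx.verify_mode = ssl.CERT_REQUIRED           # mutual authentication: client cert is mandatory
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)    # producer's own end entity certificate
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # trust anchor for consumer certificates
    return ctx


def consumer_identities(peer_cert):
    """Return the subjectAltName identities of an already-verified peer certificate."""
    if not peer_cert:  # None or {}: no certificate, or one that was not validated
        return []
    return [f"{kind}:{value}" for kind, value in peer_cert.get("subjectAltName", ())]


def authorize(peer_cert, operation, policy=LOCAL_POLICY):
    """Default deny: permit only if an authenticated identity is granted the operation."""
    return any(operation in policy.get(ident, ()) for ident in consumer_identities(peer_cert))
```

In a running producer, `peer_cert` would be the result of `getpeercert()` on the accepted TLS socket, so the policy check only ever sees identities that the handshake has already verified.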