
Content for TS 33.501, Word version: 18.0.0



P  Security Aspects of DNS and ICMP |R16|

P.1  General

This Annex specifies security measures to protect DNS and ICMP messages. These security measures are intended for cases where integrity protection over the user plane cannot be used.

P.2  Security aspects of DNS

It is recommended that the UE and DNS server(s) support DNS over (D)TLS as specified in RFC 7858 and RFC 8310. The DNS server(s) that are deployed within the 3GPP network can enforce the use of DNS over (D)TLS. The UE can be pre-configured with the DNS server security information (out-of-band configurations specified in the IETF RFCs, such as credentials to authenticate the DNS server, supported security mechanisms, port number, etc.), or the core network can configure the DNS server security information to the UE.
When DNS over (D)TLS is used, a TLS cipher suite that supports integrity protection needs to be negotiated.

P.3  Security aspects of ICMP

ICMP (Internet Control Message Protocol) is part of the internet protocol (IP) suite. The lack of security in ICMP may be exploited to launch further attacks on the 3GPP system. To mitigate such attacks, it is recommended that the use of ICMP is restricted in the UE and the UPF (e.g., by default, use of ICMP is not allowed). In scenarios where the use of ICMP is required, it is recommended that one or more of the following mitigations be enforced:
  • Disable the UE from responding to ICMP requests received over 3GPP network interface(s).
  • Install IP filter(s) at the UPF in order to block ICMP messages. This filter can be activated either on a per N4 Session basis or on a UPF basis. For ICMPv6, the recommendations in RFC 4890 can be used for filtering ICMPv6 messages.
  • Limit the maximum size of ICMP messages (e.g., to 64 bytes). Any ICMP message larger than this limit needs to be dropped by the UE as well as by the UPF.
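
The filtering mitigations above can be sketched as a packet classifier; this is an added example, not part of TS 33.501, and the function names (`icmp_view`, `decide`, `ipv4`, `ipv6`) and sample packets are constructed for illustration. It assumes the 64-byte limit applies to the ICMP header plus data, and for ICMPv6 it forwards only the types RFC 4890 section 4.3.1 lists as transit traffic that must not be dropped.

```python
import struct

MAX_ICMP_LEN = 64  # the text's example limit; applied to ICMP header + data (assumption)
# RFC 4890 section 4.3.1, transit ICMPv6 that must not be dropped (None = every code)
RFC4890_MUST_PASS = {1: None, 2: None, 3: {0}, 4: {1, 2}, 128: None, 129: None}

def icmp_view(packet: bytes):
    """Return (ip_version, icmp_message) if the packet carries ICMP/ICMPv6, else None."""
    version = packet[0] >> 4 if packet else 0
    if version == 4 and len(packet) >= 20:
        ihl = (packet[0] & 0x0F) * 4
        total = struct.unpack("!H", packet[2:4])[0]
        if packet[9] == 1 and ihl >= 20:         # IPv4 protocol 1 = ICMP
            return 4, packet[ihl:total]
    elif version == 6 and len(packet) >= 40:
        nxt, off = packet[6], 40
        end = 40 + struct.unpack("!H", packet[4:6])[0]
        # Skip hop-by-hop, routing and destination-options headers (fragments not handled)
        while nxt in (0, 43, 60) and off + 2 <= len(packet):
            nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
        if nxt == 58:                            # next header 58 = ICMPv6
            return 6, packet[off:end]
    return None

def decide(packet: bytes, icmp_allowed: bool = False) -> str:
    """Return 'drop' or 'forward'; icmp_allowed=False is the default-deny case."""
    view = icmp_view(packet)
    if view is None:
        return "forward"                         # not ICMP, left to other filters
    version, msg = view
    if not icmp_allowed or len(msg) < 4 or len(msg) > MAX_ICMP_LEN:
        return "drop"                            # disabled, truncated or oversized
    if version == 6:
        codes = RFC4890_MUST_PASS.get(msg[0], set())
        return "forward" if codes is None or msg[1] in codes else "drop"
    return "forward"

def ipv4(icmp: bytes) -> bytes:                  # constructed sample packet builders
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + icmp

def ipv6(icmp: bytes, ext: bytes = b"", first: int = 58) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(ext) + len(icmp), first, 64) + bytes(32) + ext + icmp

if __name__ == "__main__":
    print(decide(ipv4(bytes([8, 0, 0, 0]) + bytes(60)), icmp_allowed=True))   # 64-byte echo
    print(decide(ipv4(bytes([8, 0, 0, 0]) + bytes(61)), icmp_allowed=True))   # 65 bytes
```

Because the size check runs before the type check, ICMPv6 error messages such as Packet Too Big, which quote the invoking packet up to the 1280-byte minimum MTU, typically exceed a 64-byte limit and are dropped.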

Q  Security and privacy in 5G system location services |R16|

Q.1  General

For security and privacy in 5GS LCS (5G System Location Services), the mechanisms defined in TS 23.273 and TS 38.305 apply.

R  Authorization aspects in communication models for NF/NF services interaction |R16|

TS 23.501, Annex E, summarizes the different communication models that NF and NF services can use to interact with each other.
Figure R-1 and Figure R-2 provide an overview of the authorization aspects in the different models, as described in detail in clause 13.
Reproduction of 3GPP TS 33.501, Fig. R-1: Illustration of authorization aspects in direct deployment models
Reproduction of 3GPP TS 33.501, Fig. R-2: Illustration of authorization aspects in indirect deployment models
