Tech-invite3GPPspaceIETF RFCsSIP
index21222324252627282931323334353637384‑5x

Content for  TS 33.501  Word version:  18.0.0

Top   Top   Up   Prev   Next
1…   4…   5…   6…   6.1.3…   6.1.4   6.2…   6.2.2…   6.3…   6.5…   6.7…   6.8…   6.9…   6.10…   6.12…   6.14   6.15   6.16   7…   7A…   7A.2.3…   7B…   8…   9…   10…   11…   13…   13.2.2…   13.2.4   13.3…   13.4…   14…   15…   A…   B…   C…   D…   G…   I…   J…   K…   O…   P…   S…   U…   X…   Y…
X Security aspects of enablers for Network Automation (eNA) for the 5G system (5GS) Phase 2X.1 GeneralX.2 Authorization of NF Service Consumers for data access via DCCFX.3 Authorization of NF Service Consumers for data access via DCCF when notification sent via MFAFX.4 Security protection of data via Messaging FrameworkX.5 Protection of data transferred between AF and NWDAFX.6 Protection of UE data in transit between NFsX.7 User consent requirements

 

X (Normative)  Security aspects of enablers for Network Automation (eNA) for the 5G system (5GS) Phase 2 |R17|p. 275

X.1  Generalp. 275

This Annex provides security requirements and procedures for the Network Automation features.
The feature for enablers for Network Automation by 5GS is described in 3GPP TS23.501[2] and 3GPP TS23.288 [105].

X.2  Authorization of NF Service Consumers for data access via DCCFp. 275

The detailed procedure for NF Service Consumer to receive data from Service Producers via DCCF is depicted in Figure X.2-1:
Reproduction of 3GPP TS 33.501, Fig. X.2-1: NF Service Consumer Authorization to receive data from NF Service Producers via DCCF
Figure X.2-1: NF Service Consumer Authorization to receive data from NF Service Producers via DCCF
Up
Step 1-3.
NF Service Consumer shall send a request to the NRF to receive an access token to request services of DCCF, to be used for data collection request. NRF after verifying shall generate access token and sends it to the NF Service Consumer.
Step 4.
The NF Service Consumer initiates a NF service request to the DCCF which includes the access_token_nwdaf. The NF Service Consumer shall also generate a Client Credentials Assertion (CCA) token (CCA_NWDAF) as described in the clause 13.3.8 and include it in the request message in order to authenticate itself towards the NF Service Producers.
Step 5.
The DCCF shall verify if the access_token_nwdaf is valid and executes the service.
Step 6.
The DCCF determines the NF Service Producer(s) from where the data is to be collected (as specified in clause 6.2.6.3.2 in TS 23.288).
Step 7.
The DCCF sends a Nnrf_AccessToken_Get request to NRF including the information to identify the target NF (NF Service Producer), the source NF (NF Service Consumer e.g. NWDAF), the NF Instance ID of DCCF and the CCA_NWDAF provided by the NF Service Consumer.
Step 8.
The NRF shall check whether the DCCF and the NF Service Consumer (e.g. NWDAF) are allowed to access the service provided by the identified NF Service Producers , and the DCCF as the proxy is allowed to request the service from the identified NF Service Producers on behalf the NF Service Consumer. NRF authenticates both DCCF and NWDAF based on one of the SBA methods described in clause 13.3.1.2. DCCF may include an additional CCA for authentication.
Step 9.
The NRF after successful verification then generates and provides an access token to the DCCF as described in the clause 13.4.1.1.2, with NF Service Consumer Instance (subject), and an additional access token claim containing the identity of DCCF, in order to authorize both NF Service Consumer (e.g. NWDAF) and DCCF to consume the services of NF Service Producer.
Step 10.
The DCCF requests service from the NF Service Producer. The request also consists of CCA_NWDAF, so that the NF Service Producer(s) authenticates the NF Service Consumer (e.g. NWDAF).
Step 11.
The NF Service Producer(s) authenticate the NF Service Consumer and verify the access token as specified in the Clause 13.4.1.1.2 and ensures that the DCCF identity is included as an access token additional claim. If the DCCF identity is not included in the access token additional claims, e.g., NRF is Release 16 or prior, the NF Service Producer shall authorize the DCCF locally. After authentication and authorization is successful, the NF Service Producer(s) assure that the DCCF as the proxy is allowed to receive the response message on behalf the NF Service Consumer, and execute the service after successful verification. DCCF may include an additional CCA for authentication.
12. The NF Service Producer(s) shall provide requested data to the DCCF.
13. The DCCF forwards the received data to the NF Service Consumer(s).
Up

X.3  Authorization of NF Service Consumers for data access via DCCF when notification sent via MFAFp. 279

The detailed procedure for NF Service Consumer to receive data from Service Producers via DCCF when notification is sent via MFAF is depicted in Figure X.3-1:
Reproduction of 3GPP TS 33.501, Fig. X.3-1: Service Consumer Authorization to receive data from Service Producers via MFAF
Figure X.3-1: Service Consumer Authorization to receive data from Service Producers via MFAF
Up
Steps 1-9 are same as Steps 1 - 9 of Annex X.2
Step 10-11.
The DCCF sends an access token request to the NRF to request service from MFAF. NRF after verifying sends access_token_dccf to DCCF to consume the services of MFAF.
Step 12.
DCCF shall then send the Nmfaf_3daDataManagement_Configure request to MFAF (as specified in the Clause 6.2.6.3.2 in TS 23.288) along with the access_token_dccf.
Steps 13 - 14 are same as Steps 10 - 11 of Annex X.2
Step 15.
The NF Service Producer(s) shall provide requested data to the MFAF.
Step 16.
The MFAF forwards the received data to the data consumer(s).
Up

X.4  Security protection of data via Messaging Frameworkp. 280

The transfer of the data between the data source and data consumer via the messaging framework shall be confidentiality, integrity, and replay protected.
Confidentiality protection, integrity protection, and replay-protection shall be supported on the new interfaces between 3GPP entities and MFAF by reusing the existing security mechanism defined for SBA in Clause 13.

X.5  Protection of data transferred between AF and NWDAFp. 280

As specified in TS 23.288, the NWDAF may interact with an AF to collect data from UE Application(s) as an input for analytics generation. The AF can be in the MNO domain or an AF external to MNO domain. To enhance the 5GS to support collection and utilisation of UE related data for providing the inputs to generate analytics information (to be consumed by other NFs), the communication between AF and NWDAF needs to be secured.
The NWDAF interacts with the 5GC NFs and the AF using Service-based Interfaces. The existing 5G security mechanism can be reused for the transfer of UE data over the SBA interface between AF and NWDAF. When the AF is located in the operator's network, the NWDAF uses Service-Based Interface as depicted in clause 13 to communicate with the AF directly. When the AF is located outside the operator's network, the NEF is used to exchange the messages between the AF and the NWDAF. The security aspects of NEF is specified in clause 12.
Up

X.6  Protection of UE data in transit between NFsp. 280

According to clause 13.1.0, all network functions shall support mutually authenticated TLS and HTTPS. TLS shall be used for transport protection within a PLMN unless network security is provided by other means. Thus, communication between NFs is integrity, confidentiality and replay protected.
NFs shall obtain an access token from NRF for requesting analytics from an analytics function or providing analytics data to the analytics function.
Up

X.7  User consent requirementsp. 280

The user consent requirements for enablers of network automation shall comply with Annex V of the present document and TS 23.288.

Up   Top   ToC