
Content for  TS 33.501  Word version:  18.2.0



X (Normative)  Security aspects of enablers for Network Automation (eNA) for the 5G system (5GS) Phase 2 |R17|

X.1  General

This Annex provides security requirements and procedures for the Network Automation features.
The enablers for Network Automation by 5GS are described in 3GPP TS 23.501 [2] and 3GPP TS 23.288 [105].

X.2  Authorization of NF Service Consumers for data access via DCCF

The detailed procedure for NF Service Consumer to receive data from Service Producers via DCCF is depicted in Figure X.2-1:
Reproduction of 3GPP TS 33.501, Fig. X.2-1: NF Service Consumer Authorization to receive data from NF Service Producers via DCCF
Step 1-3.
The NF Service Consumer shall send a request to the NRF to receive an access token for requesting services of the DCCF, to be used in the data collection request. After verifying the request, the NRF shall generate the access token and send it to the NF Service Consumer.
Step 4.
The NF Service Consumer initiates an NF service request to the DCCF which includes the access_token_nwdaf. The NF Service Consumer shall also generate a Client Credentials Assertion (CCA) token (CCA_NWDAF) as described in clause 13.3.8 and include it in the request message in order to authenticate itself towards the NF Service Producers.
Step 5.
The DCCF shall verify that the access_token_nwdaf is valid and execute the service. If the NRF does not support authorization of the source NF (e.g. NWDAF) for data access via the DCCF (e.g. if the NRF is Rel-16), the DCCF authorizes the data access of the NF Service Consumer.
Step 6.
The DCCF determines the NF Service Producer(s) from where the data is to be collected (as specified in clause in TS 23.288).
Step 7.
The DCCF sends a Nnrf_AccessToken_Get request to NRF including the information to identify the target NF (NF Service Producer), the source NF (NF Service Consumer e.g. NWDAF), the NF Instance ID of DCCF and the CCA_NWDAF provided by the NF Service Consumer. The nfInstanceId IE attribute in the access token request (Nnrf_AccessToken_Get) indicates the NF instance ID of the DCCF as intermediate NF Service Consumer, whereas the sourceNfInstanceId IE attribute indicates the source NF instance ID (NF Service Consumer e.g., NWDAF).
Step 8.
The NRF shall check whether the DCCF and the NF Service Consumer (e.g. NWDAF) are allowed to access the service provided by the identified NF Service Producers, and whether the DCCF as the proxy is allowed to request the service from the identified NF Service Producers on behalf of the NF Service Consumer. The NRF authenticates both the DCCF and the NWDAF based on one of the SBA methods described in clause
Step 9.
After successful verification, the NRF generates and provides an access token to the DCCF as described in the clause, with the NF Instance ID of the DCCF as the subject, and an additional access token claim containing the identity of the source NF Service Consumer, in order to authorize both the DCCF and the NF Service Consumer (e.g. NWDAF) to consume the services of the NF Service Producer.
Step 10.
In the case the NRF is from Rel-16 or earlier, the NRF generates an OAuth2.0 access token with "subject" claim mapped to the intermediate NF Service Consumer, i.e., in this case DCCF, and no additional claim for the source NF Service Consumer (e.g., NWDAF) identity is added.
Step 11.
The NF Service Producer(s) authenticates the NF Service Consumer and ensures that the source NF Service Consumer identity is included as an access token additional claim. The NF Service Producer authenticates and authorizes the DCCF following clauses 13.3.2 and 13.4.1. After authentication and authorization is successful, the NF Service Producer(s) executes the service.
Step 12.
The NF Service Producer(s) shall provide requested data to the DCCF.
Step 13.
The DCCF forwards the received data to the NF Service Consumer(s).
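The token-issuing and token-checking logic of steps 7 to 11 above (and the identical steps 1 to 9 and 13 to 14 of Annex X.3) can be made concrete with a small model, added here as an illustration and not taken from the specification or from any 3GPP implementation. The NRF (`nrf_issue_token`) receives the DCCF's request with `nfInstanceId` set to the DCCF and `sourceNfInstanceId` set to the NWDAF, checks a constructed proxy-authorization policy (step 8), and issues a JWS-signed token whose `sub` is the DCCF and which carries the source NF identity as an additional claim (step 9); with `nrf_rel17=False` it behaves like a Rel-16 NRF and omits that claim (step 10). The NF Service Producer (`producer_verify`) checks signature, issuer, audience and expiry and refuses tokens that lack the source NF claim (step 11). Assumptions: HMAC-SHA256 JWS with a key shared between NRF and producers (TS 33.501 clause 13.4.1 permits MAC-based JWS; a real deployment would normally use asymmetric signatures), the claim name `sourceNfInstanceId` taken from the request attribute named on this page, and all instance identifiers, scopes and the policy table, which are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed identifiers and key for this example (not from TS 33.501 / TS 29.510).
NRF_ID = "nrf.example.5gc"
DCCF_INSTANCE_ID = "dccf-0001"
NWDAF_INSTANCE_ID = "nwdaf-0001"
NRF_SIGNING_KEY = b"constructed-shared-secret-for-demo-only"
# Constructed NRF policy (step 8): which source NFs a given proxy (DCCF) may
# request services for, per target NF Service Producer type.
PROXY_POLICY = {(DCCF_INSTANCE_ID, "AMF"): {NWDAF_INSTANCE_ID}}
# Claim carrying the source NF Service Consumer identity (assumed name).
SOURCE_NF_CLAIM = "sourceNfInstanceId"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _jws_sign(claims: dict) -> str:
    """Compact JWS serialisation, HS256, over the given claim set."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(NRF_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def nrf_issue_token(request: dict, nrf_rel17: bool = True, now: Optional[int] = None) -> Optional[str]:
    """Model of the NRF handling Nnrf_AccessToken_Get from the DCCF (steps 7-10).

    Returns the signed token, or None when step 8 authorization fails.
    """
    now = int(time.time()) if now is None else now
    proxy = request["nfInstanceId"]              # the DCCF, intermediate consumer
    source = request.get("sourceNfInstanceId")   # the NWDAF, source consumer
    target_type = request["targetNfType"]
    # Step 8: both the DCCF and the source NF must be allowed for this producer type.
    if source not in PROXY_POLICY.get((proxy, target_type), set()):
        return None
    claims = {
        "iss": NRF_ID,
        "sub": proxy,            # subject is the DCCF in both Rel-16 and Rel-17 cases
        "aud": target_type,
        "scope": request["scope"],
        "iat": now,
        "exp": now + 3600,
    }
    if nrf_rel17:
        claims[SOURCE_NF_CLAIM] = source   # step 9: additional claim for the source NF
    # A Rel-16 NRF (step 10) issues the token without the source NF claim.
    return _jws_sign(claims)


def producer_verify(token: str, my_nf_type: str, now: Optional[int] = None) -> dict:
    """Model of the NF Service Producer's token check (step 11)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except Exception:
        return {"ok": False, "reason": "malformed token"}
    if header.get("alg") != "HS256":     # refuse algorithm substitution
        return {"ok": False, "reason": "unsupported alg"}
    expected = hmac.new(NRF_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != NRF_ID:
        return {"ok": False, "reason": "unknown issuer"}
    if claims.get("aud") != my_nf_type:
        return {"ok": False, "reason": "audience mismatch"}
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired"}
    source = claims.get(SOURCE_NF_CLAIM)
    if not source:   # step 11: the source NF identity must be present as a claim
        return {"ok": False, "reason": "missing source NF claim"}
    return {"ok": True, "proxy": claims["sub"], "source": source, "scope": claims["scope"]}


if __name__ == "__main__":
    req = {"nfInstanceId": DCCF_INSTANCE_ID, "sourceNfInstanceId": NWDAF_INSTANCE_ID,
           "targetNfType": "AMF", "scope": "namf-evts"}
    print(producer_verify(nrf_issue_token(req), "AMF"))
    print(producer_verify(nrf_issue_token(req, nrf_rel17=False), "AMF"))
```

The Rel-16 branch shows why step 5 matters: a producer that insists on the source NF claim will reject a Rel-16 token outright, so when the NRF cannot vouch for the NWDAF the DCCF itself has to carry the authorization decision for the source consumer.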

X.3  Authorization of NF Service Consumers for data access via DCCF when notification sent via MFAF

The detailed procedure for NF Service Consumer to receive data from Service Producers via DCCF when notification is sent via MFAF is depicted in Figure X.3-1:
Reproduction of 3GPP TS 33.501, Fig. X.3-1: Service Consumer Authorization to receive data from Service Producers via MFAF
Steps 1-9 are the same as Steps 1-9 of Annex X.2.
Step 10-11.
The DCCF sends an access token request to the NRF to request service from the MFAF. After verifying the request, the NRF sends access_token_dccf to the DCCF for consuming the services of the MFAF.
Step 12.
The DCCF shall then send the Nmfaf_3daDataManagement_Configure request to the MFAF (as specified in the Clause in TS 23.288) along with the access_token_dccf.
Steps 13-14 are the same as Steps 10-11 of Annex X.2.
Step 15.
The NF Service Producer(s) shall provide requested data to the MFAF.
Step 16.
The MFAF forwards the received data to the data consumer(s).

X.4  Security protection of data via Messaging Framework

The transfer of the data between the data source and data consumer via the messaging framework shall be confidentiality, integrity, and replay protected.
Confidentiality protection, integrity protection, and replay-protection shall be supported on the new interfaces between 3GPP entities and MFAF by reusing the existing security mechanism defined for SBA in Clause 13.

X.5  Protection of data transferred between AF and NWDAF

As specified in TS 23.288, the NWDAF may interact with an AF to collect data from UE Application(s) as an input for analytics generation. The AF can be in the MNO domain or an AF external to MNO domain. To enhance the 5GS to support collection and utilisation of UE related data for providing the inputs to generate analytics information (to be consumed by other NFs), the communication between AF and NWDAF needs to be secured.
The NWDAF interacts with the 5GC NFs and the AF using Service-based Interfaces. The existing 5G security mechanisms can be reused for the transfer of UE data over the SBA interface between AF and NWDAF. When the AF is located in the operator's network, the NWDAF uses the Service-Based Interface as described in clause 13 to communicate with the AF directly. When the AF is located outside the operator's network, the NEF is used to exchange the messages between the AF and the NWDAF. The security aspects of the NEF are specified in clause 12.

X.6  Protection of UE data in transit between NFs

According to clause 13.1.0, all network functions shall support mutually authenticated TLS and HTTPS. TLS shall be used for transport protection within a PLMN unless network security is provided by other means. Thus, communication between NFs is integrity, confidentiality and replay protected.
NFs shall obtain an access token from NRF for requesting analytics from an analytics function or providing analytics data to the analytics function.

X.7  User consent requirements

The user consent requirements for enablers of network automation shall comply with Annex V of the present document and TS 23.288.
For scenarios where local regulations permit, for example vPLMN and hPLMN subject to the same regulatory requirements, the NWDAF shall be deemed to be the enforcement point and shall be subject to the requirement specified in Annex V.
