Contents of TR 33.855 (Word version: 16.1.0)
6  Solutions  p. 32
  6.1  Solution #1: Authorization of NF service access  p. 32
    6.1.1  Introduction  p. 32
    6.1.2  Solution details  p. 33
      6.1.2.1  Service authorization procedure for non-roaming scenarios  p. 33
      6.1.2.2  Authorization of NF service access for roaming scenario  p. 34
    6.1.3  Evaluation  p. 34
  6.2  Solution #2: Application layer protection based on JSON Object Signing and Encryption (JOSE)  p. 34
    6.2.1  General  p. 34
    6.2.2  Application layer protection based on JOSE  p. 35
      6.2.2.1  JSON based IEs that require protection (WHAT)  p. 35
      6.2.2.2  Integrity and Confidentiality protection schemes (HOW)  p. 35
        6.2.2.2.1  Integrity protection based on JSON patch  p. 35
        6.2.2.2.2  Authorization of modifications based on JSON patch  p. 38
        6.2.2.2.3  Authentication of intermediaries  p. 39
        6.2.2.2.4  Rewriting of HTTP message into JSON-object  p. 39
      6.2.2.3  Void
    6.2.3  Evaluation  p. 39
  6.3  Solution #3: NF service registration process  p. 40
    6.3.1  Void
    6.3.2  Solution Details  p. 40
    6.3.3  Evaluation  p. 40
  6.4  Solution #4: Authorization of NF service access  p. 40
    6.4.1  Introduction  p. 40
    6.4.2  Solution details  p. 41
      6.4.2.1  Authorization of NF service access in the same PLMN  p. 41
      6.4.2.2  Authorization of NF service access in different PLMNs  p. 43
    6.4.3  Evaluation  p. 44
  6.5  Solution #5: Using mediation services with end-to-end encryption  p. 44
    6.5.1  Generic  p. 44
    6.5.2  End-to-end encryption using HTTPS or TLS  p. 44
    6.5.3  End-to-end security using JOSE  p. 45
    6.5.4  Migration paths after accepting this solution  p. 47
    6.5.5  Possible deployments  p. 47
    6.5.6  Evaluation  p. 47
  6.6  Solution #6: Policies for protection on the N32 interface  p. 48
    6.6.1  Void
    6.6.2  Solution details  p. 48
    6.6.3  Evaluation  p. 48
  6.7  Solution #7: Signaling based provisioning of message protection policy in partner SEPPs  p. 49
    6.7.1  Void
    6.7.2  Solution details  p. 49
    6.7.3  Evaluation  p. 49
  6.8  Solution #8: Inter PLMN routing and TLS: Solution Options  p. 50
    6.8.1  Introduction  p. 50
    6.8.3  TLS tunnel or VPN from NF to SEPP  p. 50
    6.8.4  Using local SEPP FQDN in request URI  p. 50
    6.8.5  Mapped FQDN in request URI  p. 51
    6.8.6  Evaluation  p. 52
  6.9  Solution #9: N32 message anti-spoofing within the SEPP  p. 52
    6.9.1  Void
    6.9.2  Solution Details  p. 52
    6.9.3  Evaluation  p. 52
  6.10  Solution #10: Mitigation against fraudulent registration attack between SEPPs  p. 52
    6.10.1  Introduction  p. 52
    6.10.2  Solution Details  p. 52
    6.10.3  Evaluation  p. 52
  6.11  Solution #11: Security policy provisioning for SEPP  p. 53
    6.11.1  Void
    6.11.2  Solution Details  p. 53
    6.11.3  Evaluation  p. 53
  6.12  Solution #12: End-to-end data protection in hop-by-hop network communication links  p. 53
    6.12.1  Introduction  p. 53
    6.12.2  Integrity protection with non-repudiation and traceability of changes  p. 54
    6.12.3  Integrity protection with non-repudiation, traceability of changes, and authorization  p. 54
    6.12.4  Confidentiality protection with authorization  p. 55
  6.13  Solution #13: Content and structure of protection policies  p. 55
    6.13.1  Introduction  p. 55
    6.13.2  Data-type encryption policy  p. 56
    6.13.3  NF API data-type placement mapping  p. 56
    6.13.4  Modification policy  p. 56
    6.13.5  Evaluation  p. 57
  6.14  Solution #14: Provisioning and negotiation of protection policies  p. 57
    6.14.1  Introduction  p. 57
    6.14.2  Provisioning of the policies in the SEPP  p. 57
    6.14.3  Negotiation of protection policies  p. 57
    6.14.4  Evaluation  p. 57
  6.15  Solution #15: Service access authorization in the delegated "Subscribe-Notify" interaction scenarios  p. 58
    6.15.1  Introduction  p. 58
    6.15.2  Solution details  p. 58
    6.15.3  Evaluation  p. 60
  6.16  Solution #16: OAuth 2.0 based authorization for Indirect communication without Delegated Discovery (Model C)  p. 61
    6.16.1  Introduction  p. 61
    6.16.2  Solution details  p. 61
    6.16.3  Evaluation  p. 61
  6.17  Solution #17: Protection of SeCoP interfaces  p. 61
    6.17.1  Introduction  p. 61
    6.17.2  Solution details  p. 62
    6.17.3  Evaluation  p. 62
  6.18  Solution #18: Support NDS/IP on the inter-PLMN N9 interface  p. 62
    6.18.1  Introduction  p. 62
    6.18.2  Solution details  p. 62
    6.18.3  Evaluation  p. 63
  6.19  Solution #19: Service access authorization based on NF Set in non-roaming scenario  p. 63
    6.19.1  Introduction  p. 63
    6.19.2  Solution details  p. 63
      6.19.2.0  General  p. 63
      6.19.2.1  Service access authorization for NF producers within a NF set (Model B)  p. 63
      6.19.2.2  Service access authorization based on NF Set by verifying the token on the service producer (Model C)  p. 65
    6.19.3  Evaluation  p. 65
  6.20  Solution #20: UP Gateway function on the inter-PLMN N9 interface  p. 66
    6.20.1  Introduction  p. 66
    6.20.2  Solution details  p. 66
      6.20.2.1  Interface between SEPP-U and Core Network control plane entity  p. 66
      6.20.2.2  Interface between UPFs and SEPP-U  p. 67
    6.20.3  Evaluation  p. 67
  6.21  Solution #21: OAuth 2.0 based authorization for Indirect communication with Delegated Discovery (Model D)  p. 68
    6.21.1  Introduction  p. 68
    6.21.2  Solution details  p. 69
      6.21.2.1  SeCoP obtaining access token on behalf of the NF consumer  p. 69
      6.21.2.2  SeCoP authorizing NF consumer based on token verification  p. 70
      6.21.2.4  SeCoP includes access token in the Service Response message  p. 70
    6.21.3  Evaluation  p. 70
  6.22  Solution #22: Authentication and authorization between Network Functions for Indirect Communication models  p. 71
    6.22.1  Introduction  p. 71
    6.22.2  Solution details  p. 71
    6.22.3  Evaluation  p. 71
  6.23  Solution #23: Token-based authorization for Scenario D using stateless SeCoP  p. 71
    6.23.1  Introduction  p. 71
    6.23.2  Solution Description  p. 72
      6.23.2.1  General  p. 72
      6.23.2.2  Assumptions on authentication and interface protection  p. 72
      6.23.2.3  Authorization and service invocation procedure  p. 72
      6.23.2.4  Trust model  p. 73
    6.23.3  Solution Evaluation  p. 73
  6.24  Solution #24: Token-based authorization for Scenario C using stateless SeCoP  p. 73
    6.24.1  Introduction  p. 73
    6.24.2  Solution Description  p. 74
      6.24.2.1  General  p. 74
      6.24.2.2  Assumptions on authentication and interface protection  p. 74
      6.24.2.3  Authorization and service invocation procedure  p. 74
      6.24.2.4  Trust model  p. 75
    6.24.3  Solution Evaluation  p. 75
  6.25  Solution #25: NF service consumer verification during service access authorization in the direct communication scenario  p. 75
    6.25.1  Introduction  p. 75
    6.25.2  Solution details for the non-roaming scenario  p. 75
      6.25.2.0  General  p. 75
      6.25.2.1  Access token generation with the certificate of the NF service consumer  p. 76
      6.25.2.2  NF service Producer authenticates NF consumer  p. 77
    6.25.3  Solution details for the roaming scenario  p. 77
    6.25.4  Evaluation  p. 78
  6.26  Solution #26: OAuth 2.0 based resource level authorization of NF service consumers  p. 79
    6.26.1  Introduction  p. 79
    6.26.2  Solution Description  p. 79
    6.26.3  Solution Evaluation  p. 80
  6.27  Solution #27: Policy based authorization for Indirect communication between Network functions  p. 80
    6.27.1  Introduction  p. 80
    6.27.2  Solution Description  p. 81
      6.27.2.1  Policy files  p. 81
      6.27.2.2  Procedure  p. 81
    6.27.3  Solution Evaluation  p. 82
  6.28  Solution #28: Authorization between Network Functions in Scenario D  p. 82
    6.28.1  Introduction  p. 82
    6.28.2  Solution details  p. 82
    6.28.3  Evaluation  p. 82
  6.29  Solution #29: Telescopic FQDN for the SeCoP  p. 82
    6.29.1  Introduction  p. 82
    6.29.2  Solution Description  p. 82
    6.29.3  Solution Evaluation  p. 82
  6.30  Solution #30: Token-based authorization for NF Sets / NF Service Sets by existing methods  p. 83
    6.30.1  Introduction  p. 83
    6.30.2  Solution Description  p. 83
    6.30.3  Solution Evaluation  p. 83
  6.31  Solution #31: Service access authorization based on of a NF Set in roaming scenario  p. 83
    6.31.1  Introduction  p. 83
    6.31.2  Solution details  p. 83
      6.31.2.0  General  p. 83
      6.31.2.1  Service access authorization for NF producers within a NF set (Model C)  p. 84
    6.31.3  Solution Evaluation  p. 84
  6.32  Solution #32: OAuth 2.0 based resource level authorization of NF service consumers  p. 85
    6.32.1  Introduction  p. 85
    6.32.2  Solution Description  p. 85
      6.32.2.0  General  p. 85
      6.32.2.1  NF OAuth 2.0 client (NF service consumer) registration with the OAuth 2.0 authorization server (NRF)  p. 85
      6.32.2.2  NF OAuth 2.0 resource server (NF service producer) registration with the OAuth 2.0 authorization server (NRF)  p. 86
      6.32.2.3  NF Access token request before service access  p. 86
      6.32.2.4  NF Service access request based on token verification  p. 88
    6.32.3  Solution Evaluation  p. 89
  6.33  Solution #33: NF service consumer verification during service access authorization in indirect communication scenario  p. 89
    6.33.1  Introduction  p. 89
    6.33.2  Solution Description  p. 89
      6.33.2.1  General  p. 89
      6.33.2.2  Solution details for the scenario C  p. 89
        6.33.2.2.0  General  p. 89
        6.33.2.2.1  Access token generation with the certificate of the NF service consumer  p. 90
        6.33.2.2.2  SeCoP authenticates NF consumer  p. 91
      6.33.2.3  Solution details for the scenario D  p. 91
        6.33.2.3.0  General  p. 91
        6.33.2.3.1  Access token generation with the certificate of the NF service consumer  p. 92
        6.33.2.3.2  SeCoP authenticates NF consumer  p. 93
      6.33.2.4  Solution details for the roaming scenario  p. 93
    6.33.3  Evaluation  p. 94
  6.34  Solution #34: Security of indirect communication in roaming scenarios  p. 94
    6.34.1  Introduction  p. 94
    6.34.2  Solution Description  p. 94
    6.34.3  Solution Evaluation  p. 95
  6.35  Solution #35: Service access authorization in the non-delegated "Subscribe-Notify" interaction scenarios  p. 95
    6.35.1  Introduction  p. 95
    6.35.2  Solution details  p. 95
    6.35.3  Evaluation  p. 97
7  Conclusions  p. 97
  7.1  Conclusion on KI #20  p. 97
  7.2  Conclusions on Key Issue #21: Secure message transport via the SeCoP  p. 97
  7.3  Conclusions on Key issue #22: Authorization of NF service access in indirect communication  p. 97
  7.4  Conclusion on KI #23  p. 97
  7.5  Conclusion on KI #24  p. 98
  7.6  Conclusions on Key issue #25: Indirect communication in roaming scenarios  p. 98
  7.7  Conclusion on KI #26  p. 98
  7.8  Conclusion on KI #27  p. 98
  7.9  Conclusion on KI #29  p. 98
A  Void
B  Options for integrity protection on the N32 interface  p. 100
C  Deployment options for the UP gateway  p. 101
  C.1  Deployment option 1: UP Gateway per slice  p. 101
  C.2  Deployment option 2: UP Gateway as shared appliance  p. 101
Change history  p. 103