Tech-invite3GPPspaceIETF RFCsSIP
Quick21222324252627282931323334353637384‑5x

Content for  TR 33.855  Word version:  16.1.0

Top   Top   Up   Prev   None
1…   4…   6…
6 Solutions7 ConclusionsB Options for integrity protection on the N32 interfaceC Deployment options for the UP gateway$ Change history

 

6  SolutionsWord‑p. 32

6.1  Solution #1: Authorization of NF service accessWord‑p. 32

6.1.1  IntroductionWord‑p. 32

6.1.2  Solution detailsWord‑p. 33

6.1.2.1  Service authorization procedure for non-roaming scenariosWord‑p. 33

6.1.2.2  Authorization of NF service access for roaming scenarioWord‑p. 34

6.1.3  EvaluationWord‑p. 34

6.2  Solution #2: Application layer protection based on JSON Object Signing and Encryption (JOSE)Word‑p. 34

6.2.1  GeneralWord‑p. 34

6.2.2  Application layer protection based on JOSEWord‑p. 35

6.2.2.1  JSON based IEs that require protection (WHAT)Word‑p. 35

6.2.2.2  Integrity and Confidentiality protection schemes (HOW)Word‑p. 35

6.2.2.2.1  Integrity protection based on JSON patchWord‑p. 35
6.2.2.2.2  Authorization of modifications based on JSON patchWord‑p. 38
6.2.2.2.3  Authentication of intermediariesWord‑p. 39
6.2.2.2.4  Rewriting of HTTP message into JSON-objectWord‑p. 39

6.2.2.3Void

6.2.3  EvaluationWord‑p. 39

6.3  Solution #3: NF service registration processWord‑p. 40

6.3.1Void

6.3.2  Solution DetailsWord‑p. 40

6.3.3  EvaluationWord‑p. 40

6.4  Solution #4: Authorization of NF service accessWord‑p. 40

6.4.1  IntroductionWord‑p. 40

6.4.2  Solution detailsWord‑p. 41

6.4.2.1  Authorization of NF service access in the same PLMNWord‑p. 41

6.4.2.2  Authorization of NF service access in different PLMNsWord‑p. 43

6.4.3  EvaluationWord‑p. 44

6.5  Solution #5: Using mediation services with end-to-end encryptionWord‑p. 44

6.5.1  GenericWord‑p. 44

6.5.2  End-to-end encryption using HTTPS or TLSWord‑p. 44

6.5.3  End-to-end security using JOSEWord‑p. 45

6.5.4  Migration paths after accepting this solutionWord‑p. 47

6.5.5  Possible deploymentsWord‑p. 47

6.5.6  EvaluationWord‑p. 47

6.6  Solution #6: Policies for protection on the N32 interfaceWord‑p. 48

6.6.1Void

6.6.2  Solution detailsWord‑p. 48

6.6.3  EvaluationWord‑p. 48

6.7  Solution #7: Signaling based provisioning of message protection policy in partner SEPPsWord‑p. 49

6.7.1Void

6.7.2  Solution detailsWord‑p. 49

6.7.3  EvaluationWord‑p. 49

6.8  Solution #8: Inter PLMN routing and TLS: Solution OptionsWord‑p. 50

6.8.1  IntroductionWord‑p. 50

6.8.3  TLS tunnel or VPN from NF to SEPPWord‑p. 50

6.8.4  Using local SEPP FQDN in request URIWord‑p. 50

6.8.5  Mapped FQDN in request URIWord‑p. 51

6.8.6  EvaluationWord‑p. 52

6.9  Solution #9: N32 message anti-spoofing within the SEPPWord‑p. 52

6.9.1Void

6.9.2  Solution DetailsWord‑p. 52

6.9.3  EvaluationWord‑p. 52

6.10  Solution #10: Mitigation against fraudulent registration attack between SEPPsWord‑p. 52

6.10.1  IntroductionWord‑p. 52

6.10.2  Solution DetailsWord‑p. 52

6.10.3  EvaluationWord‑p. 52

6.11  Solution #11: Security policy provisioning for SEPPWord‑p. 53

6.11.1Void

6.11.2  Solution DetailsWord‑p. 53

6.11.3  EvaluationWord‑p. 53

6.12  Solution #12: End-to-end data protection in hop-by-hop network communication linksWord‑p. 53

6.12.1  IntroductionWord‑p. 53

6.12.2  Integrity protection with non-repudiation and traceability of changesWord‑p. 54

6.12.3  Integrity protection with non-repudiation, traceability of changes, and authorizationWord‑p. 54

6.12.4  Confidentiality protection with authorizationWord‑p. 55

6.13  Solution #13: Content and structure of protection policiesWord‑p. 55

6.13.1  IntroductionWord‑p. 55

6.13.2  Data-type encryption policyWord‑p. 56

6.13.3  NF API data-type placement mappingWord‑p. 56

6.13.4  Modification policyWord‑p. 56

6.13.5  EvaluationWord‑p. 57

6.14  Solution #14: Provisioning and negotiation of protection policiesWord‑p. 57

6.14.1  IntroductionWord‑p. 57

6.14.2  Provisioning of the policies in the SEPPWord‑p. 57

6.14.3  Negotiation of protection policiesWord‑p. 57

6.14.4  EvaluationWord‑p. 57

6.15  Solution #15: Service access authorization in the delegated "Subscribe-Notify" interaction scenariosWord‑p. 58

6.15.1  IntroductionWord‑p. 58

6.15.2  Solution detailsWord‑p. 58

6.15.3  EvaluationWord‑p. 60

6.16  Solution #16: OAuth 2.0 based authorization for Indirect communication without Delegated Discovery (Model C)Word‑p. 61

6.16.1  IntroductionWord‑p. 61

6.16.2  Solution detailsWord‑p. 61

6.16.3  EvaluationWord‑p. 61

6.17  Solution #17: Protection of SeCoP interfacesWord‑p. 61

6.17.1  IntroductionWord‑p. 61

6.17.2  Solution detailsWord‑p. 62

6.17.3  EvaluationWord‑p. 62

6.18  Solution #18: Support NDS/IP on the inter-PLMN N9 interfaceWord‑p. 62

6.18.1  IntroductionWord‑p. 62

6.18.2  Solution detailsWord‑p. 62

6.18.3  EvaluationWord‑p. 63

6.19  Solution #19: Service access authorization based on NF Set in non-roaming scenarioWord‑p. 63

6.19.1  IntroductionWord‑p. 63

6.19.2  Solution detailsWord‑p. 63

6.19.2.0  GeneralWord‑p. 63

6.19.2.1  Service access authorization for NF producers within a NF set (Model B)Word‑p. 63

6.19.2.2  Service access authorization based on NF Set by verifying the token on the service producer (Model C)Word‑p. 65

6.19.3  EvaluationWord‑p. 65

6.20  Solution #20: UP Gateway function on the inter-PLMN N9 interfaceWord‑p. 66

6.20.1  IntroductionWord‑p. 66

6.20.2  Solution detailsWord‑p. 66

6.20.2.1  Interface between SEPP-U and Core Network control plane entityWord‑p. 66

6.20.2.2  Interface between UPFs and SEPP-UWord‑p. 67

6.20.3  EvaluationWord‑p. 67

6.21  Solution #21: OAuth 2.0 based authorization for Indirect communication with Delegated Discovery (Model D)Word‑p. 68

6.21.1  IntroductionWord‑p. 68

6.21.2  Solution detailsWord‑p. 69

6.21.2.1  SeCoP obtaining access token on behalf of the NF consumerWord‑p. 69

6.21.2.2  SeCoP authorizing NF consumer based on token verificationWord‑p. 70

6.21.2.4  SeCoP includes access token in the Service Response messageWord‑p. 70

6.21.3  EvaluationWord‑p. 70

6.22  Solution #22: Authentication and authorization between Network Functions for Indirect Communication modelsWord‑p. 71

6.22.1  IntroductionWord‑p. 71

6.22.2  Solution detailsWord‑p. 71

6.22.3  EvaluationWord‑p. 71

6.23  Solution #23: Token-based authorization for Scenario D using stateless SeCoPWord‑p. 71

6.23.1  IntroductionWord‑p. 71

6.23.2  Solution DescriptionWord‑p. 72

6.23.2.1  GeneralWord‑p. 72

6.23.2.2  Assumptions on authentication and interface protectionWord‑p. 72

6.23.2.3  Authorization and service invocation procedureWord‑p. 72

6.23.2.4  Trust modelWord‑p. 73

6.23.3  Solution EvaluationWord‑p. 73

6.24  Solution #24: Token-based authorization for Scenario C using stateless SeCoPWord‑p. 73

6.24.1  IntroductionWord‑p. 73

6.24.2  Solution DescriptionWord‑p. 74

6.24.2.1  GeneralWord‑p. 74

6.24.2.2  Assumptions on authentication and interface protectionWord‑p. 74

6.24.2.3  Authorization and service invocation procedureWord‑p. 74

6.24.2.4  Trust modelWord‑p. 75

6.24.3  Solution EvaluationWord‑p. 75

6.25  Solution #25: NF service consumer verification during service access authorization in the direct communication scenarioWord‑p. 75

6.25.1  IntroductionWord‑p. 75

6.25.2  Solution details for the non-roaming scenarioWord‑p. 75

6.25.2.0  GeneralWord‑p. 75

6.25.2.1  Access token generation with the certificate of the NF service consumerWord‑p. 76

6.25.2.2  NF service Producer authenticates NF consumerWord‑p. 77

6.25.3  Solution details for the roaming scenarioWord‑p. 77

6.25.4  EvaluationWord‑p. 78

6.26  Solution #26: OAuth 2.0 based resource level authorization of NF service consumersWord‑p. 79

6.26.1  IntroductionWord‑p. 79

6.26.2  Solution DescriptionWord‑p. 79

6.26.3  Solution EvaluationWord‑p. 80

6.27  Solution #27: Policy based authorization for Indirect communication between Network functionsWord‑p. 80

6.27.1  IntroductionWord‑p. 80

6.27.2  Solution DescriptionWord‑p. 81

6.27.2.1  Policy filesWord‑p. 81

6.27.2.2  ProcedureWord‑p. 81

6.27.3  Solution EvaluationWord‑p. 82

6.28  Solution #28: Authorization between Network Functions in Scenario DWord‑p. 82

6.28.1  IntroductionWord‑p. 82

6.28.2  Solution detailsWord‑p. 82

6.28.3  EvaluationWord‑p. 82

6.29  Solution #29: Telescopic FQDN for the SeCoPWord‑p. 82

6.29.1  IntroductionWord‑p. 82

6.29.2  Solution DescriptionWord‑p. 82

6.29.3  Solution EvaluationWord‑p. 82

6.30  Solution #30: Token-based authorization for NF Sets / NF Service Sets by existing methodsWord‑p. 83

6.30.1  IntroductionWord‑p. 83

6.30.2  Solution DescriptionWord‑p. 83

6.30.3  Solution EvaluationWord‑p. 83

6.31  Solution #31: Service access authorization based on of a NF Set in roaming scenarioWord‑p. 83

6.31.1  IntroductionWord‑p. 83

6.31.2  Solution detailsWord‑p. 83

6.31.2.0  GeneralWord‑p. 83

6.31.2.1  Service access authorization for NF producers within a NF set (Model C)Word‑p. 84

6.31.3  Solution EvaluationWord‑p. 84

6.32  Solution #32: OAuth 2.0 based resource level authorization of NF service consumersWord‑p. 85

6.32.1  IntroductionWord‑p. 85

6.32.2  Solution DescriptionWord‑p. 85

6.32.2.0  GeneralWord‑p. 85

6.32.2.1  NF OAuth 2.0 client (NF service consumer) registration with the OAuth 2.0 authorization server (NRF)Word‑p. 85

6.32.2.2  NF OAuth 2.0 resource server (NF service producer) registration with the OAuth 2.0 authorization server (NRF)Word‑p. 86

6.32.2.3  NF Access token request before service accessWord‑p. 86

6.32.2.4  NF Service access request based on token verificationWord‑p. 88

6.32.3  Solution EvaluationWord‑p. 89

6.33  Solution #33: NF service consumer verification during service access authorization in indirect communication scenarioWord‑p. 89

6.33.1  IntroductionWord‑p. 89

6.33.2  Solution DescriptionWord‑p. 89

6.33.2.1  GeneralWord‑p. 89

6.33.2.2  Solution details for the scenario CWord‑p. 89

6.33.2.2.0  GeneralWord‑p. 89
6.33.2.2.1  Access token generation with the certificate of the NF service consumerWord‑p. 90
6.33.2.2.2  SeCoP authenticates NF consumerWord‑p. 91

6.33.2.3  Solution details for the scenario DWord‑p. 91

6.33.2.3.0  GeneralWord‑p. 91
6.33.2.3.1  Access token generation with the certificate of the NF service consumerWord‑p. 92
6.33.2.3.2  SeCoP authenticates NF consumerWord‑p. 93

6.33.2.4  Solution details for the roaming scenarioWord‑p. 93

6.33.3  EvaluationWord‑p. 94

6.34  Solution #34: Security of indirect communication in roaming scenariosWord‑p. 94

6.34.1  IntroductionWord‑p. 94

6.34.2  Solution DescriptionWord‑p. 94

6.34.3  Solution EvaluationWord‑p. 95

6.35  Solution #35: Service access authorization in the non-delegated "Subscribe-Notify" interaction scenariosWord‑p. 95

6.35.1  IntroductionWord‑p. 95

6.35.2  Solution detailsWord‑p. 95

6.35.3  EvaluationWord‑p. 97

7  ConclusionsWord‑p. 97

7.1  Conclusion on KI #20Word‑p. 97

7.2  Conclusions on Key Issue #21: Secure message transport via the SeCoPWord‑p. 97

7.3  Conclusions on Key issue #22: Authorization of NF service access in indirect communicationWord‑p. 97

7.4  Conclusion on KI #23Word‑p. 97

7.5  Conclusion on KI #24Word‑p. 98

7.6  Conclusions on Key issue #25: Indirect communication in roaming scenariosWord‑p. 98

7.7  Conclusion on KI #26Word‑p. 98

7.8  Conclusion on KI #27Word‑p. 98

7.9  Conclusion on KI #29Word‑p. 98

AVoid

B  Options for integrity protection on the N32 interfaceWord‑p. 100

C  Deployment options for the UP gatewayWord‑p. 101

C.1  Deployment option 1: UP Gateway per sliceWord‑p. 101

C.2  Deployment option 2: UP Gateway as shared applianceWord‑p. 101

$  Change historyWord‑p. 103

Up   Top