The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class.
As part of the PGW network product, it is expected that the PGW to contain PGW application, a set of running processes (typically more than one) executing the software package for the PGW functions and OAM functions that are specific to the PGW network product model. Functionalities specific to the PGW network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.250.
Threat Description: If an IP address is reallocated to a UE immediately after released from another UE, then the network side might be mistaken that the same UE keeps using the IP address continuously. Consequently, some network functions (e.g. PCRF) will execute policies on the wrong target UE. And some mis-operations (e.g. mischarging) will be executed on UEs.
Threat name: Sending unauthorized packets to other UEs
Threat Category: Tampering, DoS
Threat Description: If the destination address of uplink packets sent by a UE is another UE in the same PGW, the packets will not pass through the PGW and will be forwarded directly to the target UE. In this case, mutual access between two UEs within the same PGW might be requested. If such access is enabled, an attacker can gain control of a UE to send malicious packets (e.g. fraudulent information, malicious trojans, virus packs, etc.) directly to other UEs without security measures (e.g. firewall) at network side.
Threat Description: The PGW is expected to release all bearers corresponding to emergency inactive PDN connections after the configured timeout. If emergency bearers of inactive PDN connections are not released, it may lead to system resource exhaustion.
Threat name: Failure to assign unique TEID or Charging ID for a session
Threat Category: Spoofing Identity, Tampering
Threat Description: Both Charging ID and TEID are the identities used for linking the network usage data per UE. If the Charging ID is not unique per IP-CAN session, or the TEID is not unique per GTP tunnel, the charging information for a PDU session would be wrongly correlated, creating charging errors.