Content for TR 33.926 Word version: 17.6.0

1… 4… 5… 6… A… B… C… D… E… F… G… H… I… J… K… L… M… O… P…

H.1 Network product class description for the NRF H.2 Assets and threats specific to the NRF H.2.1 Critical assets H.2.2 Threats related to NRF authorization
...

H Aspects specific to the network product class NRF |R16| p. 52

H.1 Network product class description for the NRF p. 52

H.1.1 Introduction p. 52

The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while this clause covers the aspects specific to the NRF network product class.

H.1.2 Minimum set of functions defining the NRF network product class p. 52

According to TR 33.916, a network product class is a class of products that all implement a common set of 3GPP-defined functionalities. Therefore, in order to define the NRF network product class, it is necessary to define the common set of 3GPP-defined functionalities that is constitutive for a NRF. As part of the NRF network product, it is expected that the NRF contains NRF application, a set of running processes (typically more than one) executing the software package for the NRF functions and OAM functions that are specific to the NRF network product model. Functionalities specific to the NRF network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.518.

H.2 Assets and threats specific to the NRF p. 52

H.2.1 Critical assets p. 52

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the NRF to be protected are:

NRF Application;
NF profile of available NF instances: e.g. NF instance ID, NF type, PLMN ID, network slice related identifiers, FQND or IP address of NF, NF capacity information, NF priority information, Names of supported services, NF Specific Service authorization information, Location information for the NF instance, etc., as described in clause 6.2.6 of TS 23.501.
OAuth 2.0 Access Tokens for NF-NF authorization;
The interfaces of NRF to be protected and which are within SECAM scope:
- Service Based Interfaces to other NFs.
- N27.
- Console interface, for local access: local interface on NRF.
- OAM interface, for remote access: interface between NRF and OAM system.
NOTE 1:
The detailed interfaces of the NRF network product class are described in clause 4.3.6 of the present document.
NRF Software: binary code or executable code

NOTE 2:
NRF files could be any file owned by a user (root user as well as non root users), including user account data and credentials, log data, configuration data, OS files, NRF application, NF profile of available NF instances, OAuth 2.0 Access Tokens, or NRF Software.

H.2.2 Threats related to NRF authorization p. 53

H.2.2.1 No slice specific authorization for NF discovery p. 53

Threat name: No slice specific authorization for NF discovery.
Threat Category: Information Disclosure, Elevation of privilege.
Threat Description: If NF discovery authorization for specific slice is not supported by the NRF, the NF instance in one slice can discover NF instances belonging to other slices. This can result in reduced assurance level of slice data isolation, making the system easily attacked as well as wasting resource.
Threatened asset: NF profile of available NF instances.