
Content for TR 33.926, Word version: 19.1.0


H  Aspects specific to the network product class NRF |R16|

H.1  Network product class description for the NRF

H.1.1  Introduction

The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while this clause covers the aspects specific to the NRF network product class.

H.1.2  Minimum set of functions defining the NRF network product class

According to TR 33.916, a network product class is a class of products that all implement a common set of 3GPP-defined functionalities. Therefore, in order to define the NRF network product class, it is necessary to define the common set of 3GPP-defined functionalities that is constitutive for an NRF. As part of the NRF network product, it is expected that the NRF contains an NRF application, a set of running processes (typically more than one) executing the software package for the NRF functions and OAM functions that are specific to the NRF network product model. Functionalities specific to the NRF network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.518.

H.2  Assets and threats specific to the NRF

H.2.1  Critical assets

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the NRF to be protected are:
  • NRF Application;
  • NF profile of available NF instances: e.g. NF instance ID, NF type, PLMN ID, network slice related identifiers, FQDN or IP address of NF, NF capacity information, NF priority information, Names of supported services, NF Specific Service authorization information, Location information for the NF instance, etc., as described in clause 6.2.6 of TS 23.501.
  • OAuth 2.0 Access Tokens for NF-NF authorization;
  • The interfaces of NRF to be protected and which are within SECAM scope:
    • Service Based Interfaces to other NFs.
    • N27.
    • Console interface, for local access: local interface on NRF.
    • OAM interface, for remote access: interface between NRF and OAM system.
  • NRF Software: binary code or executable code.

H.2.2  Threats related to NRF authorization

H.2.2.1  No Authorization of NF discovery based on Authorization Parameters

  • Threat name: No profile-based authorization for NF discovery.
  • Threat Category: Information Disclosure, Elevation of privilege.
  • Threat Description: If the NRF does not verify the authorization parameters of an NF instance against the parameters provided in the discovery request, an unauthorized NF instance can discover other NF instances that it is not permitted to access. Depending on the parameters, this can result in risks of different severity. For instance, not verifying the NSSAIs can allow the discovery of NF instances belonging to other slices. Overall, this misbehavior can break the authorization mechanism and therefore lower the assurance level of network isolation, making the system more susceptible to attacks and wasting resources.
  • Threatened asset: NF profile of available NF instances.
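
The check whose absence constitutes this threat can be sketched as follows. This is an added example, not text from TR 33.926 or code from any NRF product: the classes are a simplified model, the field names are modelled on the allowedNfTypes and allowedNssais attributes of the NF profile in TS 29.510, and the registry contents are constructed. It assumes the requester parameters in the discovery request have already been bound to the authenticated requester.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Snssai:                      # slice identifier: SST plus optional SD
    sst: int
    sd: str = ""

@dataclass
class NFProfile:                   # simplified model of a registered NF profile
    nf_instance_id: str
    nf_type: str
    allowed_nf_types: list = field(default_factory=list)  # empty = unrestricted
    allowed_nssais: list = field(default_factory=list)    # empty = unrestricted

@dataclass
class DiscoveryRequest:            # simplified model of the discovery query
    requester_nf_type: str
    target_nf_type: str
    requester_snssais: list = field(default_factory=list)

def is_authorized(req, profile):
    """True only if the requester satisfies every restriction in the profile."""
    if profile.allowed_nf_types and req.requester_nf_type not in profile.allowed_nf_types:
        return False
    # Fail closed: a slice-restricted profile needs an overlapping requester slice.
    if profile.allowed_nssais and not set(req.requester_snssais) & set(profile.allowed_nssais):
        return False
    return True

def discover(req, registry, enforce=True):
    """Instance IDs of matching NFs; enforce=False models the missing check."""
    return [p.nf_instance_id for p in registry
            if p.nf_type == req.target_nf_type
            and (not enforce or is_authorized(req, p))]

# Constructed sample data: two slice-restricted SMFs and one unrestricted SMF.
EMBB, IOT = Snssai(1, "000001"), Snssai(3, "0000A1")
REGISTRY = [
    NFProfile("smf-embb", "SMF", ["AMF"], [EMBB]),
    NFProfile("smf-iot", "SMF", ["AMF"], [IOT]),
    NFProfile("smf-open", "SMF"),
]
AMF_EMBB = DiscoveryRequest("AMF", "SMF", [EMBB])

if __name__ == "__main__":
    print("enforced:  ", discover(AMF_EMBB, REGISTRY))
    print("unenforced:", discover(AMF_EMBB, REGISTRY, enforce=False))
```

With enforcement off, the eMBB-slice AMF also receives the IoT-slice SMF profile, which is the cross-slice disclosure the threat description names.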