Tech-invite3GPPspaceIETF RFCsSIP

Content for  TR 33.926  Word version:  17.5.0

Top   Top   Up   Prev   Next
1…   4…   5…   6…   A…   B…   C…   D…   E…   F…   G…   H…   I…   J…   K…   L…   M…   O…   P…


H  Aspects specific to the network product class NRF |R16|p. 52

H.1  Network product class description for the NRFp. 52

H.1.1  Introductionp. 52

The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while this clause covers the aspects specific to the NRF network product class.

H.1.2  Minimum set of functions defining the NRF network product classp. 52

According to TR 33.916, a network product class is a class of products that all implement a common set of 3GPP-defined functionalities. Therefore, in order to define the NRF network product class, it is necessary to define the common set of 3GPP-defined functionalities that is constitutive for a NRF. As part of the NRF network product, it is expected that the NRF contains NRF application, a set of running processes (typically more than one) executing the software package for the NRF functions and OAM functions that are specific to the NRF network product model. Functionalities specific to the NRF network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.518.

H.2  Assets and threats specific to the NRFp. 52

H.2.1  Critical assetsp. 52

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the NRF to be protected are:
  • NRF Application;
  • NF profile of available NF instances: e.g. NF instance ID, NF type, PLMN ID, network slice related identifiers, FQND or IP address of NF, NF capacity information, NF priority information, Names of supported services, NF Specific Service authorization information, Location information for the NF instance, etc., as described in clause 6.2.6 of TS 23.501.
  • OAuth 2.0 Access Tokens for NF-NF authorization;
  • The interfaces of NRF to be protected and which are within SECAM scope:
    • Service Based Interfaces to other NFs.
    • N27.
    • Console interface, for local access: local interface on NRF.
    • OAM interface, for remote access: interface between NRF and OAM system.
  • NRF Software: binary code or executable code

H.2.2  Threats related to NRF authorizationp. 53

H.2.2.1  No slice specific authorization for NF discoveryp. 53

  • Threat name: No slice specific authorization for NF discovery.
  • Threat Category: Information Disclosure, Elevation of privilege.
  • Threat Description: If NF discovery authorization for specific slice is not supported by the NRF, the NF instance in one slice can discover NF instances belonging to other slices. This can result in reduced assurance level of slice data isolation, making the system easily attacked as well as wasting resource.
  • Threatened asset: NF profile of available NF instances.

Up   Top   ToC