Tech-invite3GPPspaceIETF RFCsSIP
Quick21222324252627282931323334353637384‑5x

Content for  TR 33.926  Word version:  17.5.0

Top   Top   Up   Prev   Next
1…   4…   5…   6…   A…   B…   C…   D…   E…   F…   G…   H…   I…   J…   K…   L…   M…   O…   P…

 

I  Aspects specific to the network product class NEF |R16|p. 54

I.1  Network product class description for the NEFp. 54

I.1.1  Introductionp. 54

This annex captures the aspects specific to network product class NEF.

I.1.2  Minimum set of functions defining the NEF network product classp. 54

As part of the NEF network product, it is expected that the NEF to contain NEF application, a set of running processes (typically more than one) executing the software package for the NEF functions and OAM functions that are specific to the NEF network product model. Functionalities specific to the NEF network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.519.
Up

I.2  Assets and threats specific to the NEFp. 54

I.2.1  Critical assetsp. 54

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the NEF to be protected are:
  • NEF Application;
  • NF and User Data: e.g. NF capabilities and events, network and user sensitive information (e.g. DNN, S-NSSAI, etc.), structured data retrieved from UDR, 5G LAN group information, NWDAF analytics, etc.
  • The interfaces of NEF to be protected and which are within SECAM scope:
    • Service based interface, Nnef, for providing services to SMF, and AF
    • Service based interface for consuming services from AMF, UDM, PCF, SMF, UDR, Binding Support Function, NRF
    • Console interface, for local access: local interface on NEF
    • OAM interface, for remote access: interface between NEF and OAM system
  • NEF Software: binary code or executable code
Up

I.2.2  Threats related to NEF assetsp. 55

I.2.2.1  No authentication on application functionp. 55

  • Threat name: No Authentication on application function
  • Threat Category: Information Disclosure, tampering
  • Threat Description: If the authentication of the Application Function is not supported, the application function without a legal certificates, or pre-shared key could be able to establish a TLS connection with the NEF. The data stored in the NEF may be exposed to an attacker.
  • Threatened Asset: NF and User Data
Up

I.2.2.2  No authorization on northbound APIsp. 55

  • Threat name: No Authorization on northbound APIs
  • Threat Category: Elevation of Privilege, Information Disclosure
  • Threat Description: A malicious AF without OAuth-based authorization or with an incorrect access token may invoke the NEF services arbitrarily. For example, an attacker may invoke the Nnef_EventExposure_Subscribe service provide by the NEF without authorization. The Event data related with this subscribe will be leaked to the attacker.
  • Threatened Asset: Sufficient Processing Capacity, NF and User Data
Up

Up   Top   ToC