This Annex covers the aspects specific to the UPF network product class.

As part of the UPF network product, it is expected that the UPF contains UPF application, a set of running processes (typically more than one) executing the software package for the UPF functions and OAM functions that are specific to the UPF network product model. Functionalities specific to the UPF network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.513.

In addition to the critical assets of a GNP has been described in clause 5.2 of the present document, the critical assets specific to the UPF to be protected are:

• UPF Application;
• User plane data;
• Session related data, e.g. CN Tunnel information, packet detection rules, network usage, traffic detection information, and etc.;
• Security data, i.e. cryptographic materials for N3, N4 and N9 interfaces
• The interfaces of the UPF to be protected and which are within SECAM scope:
  • N3 interface between the UPF and the gNB/ng-eNB
  • N4 interface between the UPF and the SMF
  • N6 interface between the UPF and the DN
  • N9 interface between two UPFs
  • Console interface, for local access: local interface on the UPF
  • OAM interface, for remote access: interface between the UPF and the OAM system
• UPF Software: binary code or executable code

• Threat name: No protection or weak protection for user plane data.
• Threat Category: Tampering, Information Disclosure.
• Threat Description: User traffic is transported between the gNB/ng-eNB and the UPF via N3 interface, or between two UPFs within a PLMN via N9 interface. If the user traffic transported over the interfaces is not confidentiality protected, it can be subject to eavesdropping. Information is leaked to unauthorized parties. If the user traffic is not integrity protected, attackers can tamper with user traffic at will. The receiver of the user traffic obtain false user traffic. If the user traffic is not replay protected, attackers can insert historical legitimate user traffic. This can lead to false network usage reported by the UPF, and consequently resulting in billing fraudulence. If the protection implemented for the user plane data transported over the N3 interface and the N9 interface within a PLMN uses the wrong security profile, which may contain weak security algorithms or protocol versions known to be vulnerable, the level of the security of the user plane data may be degraded and fail to fulfil the required security.
• Threatened Asset: User plane data.

• Threat name: No protection or weak protection for signalling data over N4 interface
• Threat Category: Denial of service, tampering.
• Threat Description: SMF controls the user plane path of PDU sessions through N4 interfaces. If the signalling data over N4 interface is not protected e.g. against tampering, the user traffic may be wrongly routed and fail to arrive at the intended recipient. This can create Denial of Service. To support billing, UPF reports network usage to SMF over N4 interface. Unprotected network usage report can lead to billing fraud.
  If the protection implemented for the signalling data over the N4 interface uses the wrong security profile, which may contain weak security algorithms or protocol versions known to be vulnerable, the security level of the signalling data transported over N4 interface may be degraded and fail to fulfil the required security.
• Threatened Asset: session related data.

• Threat name: Failure to assign unique TEID for a session.
• Threat Category: Tampering.
• Threat Description: TEID, as part of the CN Tunnel information, is used by the UPF and gNB/ng-eNB for user plane routing. The failure to guarantee the uniqueness of the TEID for a PDU session interrupts the routing of user traffic. It also interrupts charging. If multiple PDU sessions were to share the same TEID at the same time, the counts for the network usage of a single PDU session will be in fact the counts for the network usage of multiple sessions, creating charging errors.
• Threatened Asset: session related data.

• Threat name: invalid user plane data forwarding.
• Threat Category: Tampering, Information Disclosure, Denial of Service.
• Threat Description: User plane traffic is transported between UPFs over the N9 interface. If the UPF with IPUPS functionality fails to discard GTP-U packets that do not belong to any active PDU sessions, routing of user plane traffic could be interrupted or Denial of Service attacks to the network could be possible.This threat only applies if the UPF implements the IPUPS functionality.
• Threatened Asset: User plane data.

• Threat name: Threats of malformed GTP-U messages.
• Threat Category: Denial of service.
• Threat Description: Malicious sender may send malformed GTP-U messages to a victim UPF with IPUPS functionality. If the malformed GTP-U messages are not filtered, they may consume the processing resource of the victim UPF with IPUPS functionality, and even cause the victim UPF functionality to crash, causing denial of service attack.
• Threatened Asset: Sufficient Processing Capacity.