
TR 28.817, Word version 17.0.0


1  Scope

The present document studies access control for management services produced by the 3GPP management system.
The document investigates use cases related to access control, proposes requirements on the 3GPP management system, and examines possible solutions to support access control.
The document also provides recommendations for the normative specification work.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TR 21.905: "Vocabulary for 3GPP Specifications".
[2] TS 28.541: "5G Network Resource Model (NRM); Stage 2 and stage 3".
[3] TS 28.533: "Management and orchestration; Architecture framework".
[4] TS 28.622: "Telecommunication management; Generic Network Resource Model (NRM) Integration Reference Point (IRP); Information Service (IS)".
[5] TS 28.623: "Telecommunication management; Generic Network Resource Model (NRM) Integration Reference Point (IRP); Solution Set (SS) definitions".
[6] TS 28.532: "Management and orchestration; Generic management services".
[7] NIST Special Publication 800-39 (2011): "Managing Information Security Risk".
[8] ETSI GS NFV-SEC 003: "Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance".

3  Definitions

3.1  Terms

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Internal MnS consumer: a digital tool owned by the operator that provides the 3GPP management system and network.
External MnS consumer: a digital tool owned by the vertical customer and deployed outside the operator's data centre.
Digital tool: a machine that accesses an MnS (which always exposes a machine-facing interface); it can be, e.g., a digital portal, a digital frontend, another management tool, a management function, a network function, an application, a client, etc.
Internal user of 3GPP management system: a human working for the operator, e.g. an administrator of the operator, who operates on the 3GPP management system through a portal for provisioning and monitoring the 3GPP network.
External user of 3GPP management system: a human working for a customer of the operator, e.g. an administrator of that customer, who operates on the 3GPP management system through a portal/store front for monitoring and optionally provisioning the part of the 3GPP network allocated to the customer.

3.2  Symbols

Void.

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
ANS  Authentication Service
ARS  Authorization Service
ANS  Audit Service

4  Concepts and overview

4.1  Overview

The service-based architecture of the 3GPP management system enables a management service (MnS) consumer to access and utilize the capabilities of an MnS producer to provision or monitor the logical networks, services or resources allocated to the consumer. The 3GPP management system is built on multiple management domains (see [3]). Interactions take place between external entities and the 3GPP management system, between Management Functions (MnFs) of different management domains, and between MnFs in the same management domain.
Without access control for management services/interfaces, an attacker may gain access to capabilities of the 3GPP management system, exhaust the network resources and potentially bring down the networks and services. Attackers may also modify the configuration of other customers' networks and resources so that their SLAs are violated. In addition, attackers could intercept management data of other customers, infer a competitor's business secrets and damage the reputation of the management service provider. Therefore, access control for protecting the MnSs provided by the 3GPP management system is essential for service and network management and orchestration, especially in a commercial environment where network resources and management capabilities are shared by multiple consumers/tenants.
The present document investigates use cases related to access control for the 3GPP management system, raises potential capability requirements for the 3GPP management system and proposes solutions to the identified issues. Access from external machine entities, between machine entities of the same or different management domains, as well as from machine entities acting on behalf of human users is considered in the present document.

4.2  Concept

4.2.1  Access control

Access control in the 3GPP management system represents the set of features and procedures that control how a management service consumer and a management service producer communicate and interact with each other, and hence protect the 3GPP management system, the managed services and the managed resources from unauthorized access.
Access control component(s) can determine the level of authorization of a consumer after an authentication procedure has completed successfully. In addition, access control component(s) can track the access activities of a consumer to enforce accountability for the consumer's actions.

4.2.2  Authentication

Authentication in the 3GPP management system represents the set of security features and procedures that allow proving that a management service consumer or producer is what it claims to be, based on its identity and one or more of the three factors: something the consumer/producer knows (e.g. a password), something the consumer/producer has (e.g. an ID badge, a cryptographic key/token), and something the consumer/producer is (e.g. a fingerprint or other biometric data).

4.2.3  Authorization

Authorization in the 3GPP management system represents the set of features and procedures that ensure an authenticated management service consumer has the corresponding access rights to services/resources, taking into account location, time and the reason for access.
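As an added illustration (not part of TR 28.817 or any 3GPP implementation), the three concepts from clauses 4.2.1 to 4.2.3 combined into a single gate in front of an MnS request: an authentication check, an authorization decision that confines an external MnS consumer to the resources allocated to its own tenant (the multi-tenant risk described in clause 4.1), and an audit record for accountability. The consumer identifiers, shared secrets, resource identifiers and the HMAC-based token scheme are constructed assumptions for the example only.

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Consumer:
    consumer_id: str
    kind: str      # "internal" (operator-owned tool) or "external" (vertical customer's tool)
    tenant: str    # customer the consumer acts for; "operator" for internal tools

# Constructed sample data: registered MnS consumers with their shared secrets (used by the
# authentication service) and the network resources allocated to each tenant (used by the
# authorization service).
CONSUMERS = {
    "ops-portal": Consumer("ops-portal", "internal", "operator"),
    "vertical-app": Consumer("vertical-app", "external", "tenant-A"),
}
SECRETS = {"ops-portal": b"secret-ops", "vertical-app": b"secret-vertical"}
ALLOCATIONS = {"tenant-A": {"nssi-1"}, "tenant-B": {"nssi-2"}}

def make_token(consumer_id: str, nonce: str) -> str:
    """'Something the consumer has': an HMAC over a nonce using the consumer's shared key."""
    return hmac.new(SECRETS[consumer_id], nonce.encode(), hashlib.sha256).hexdigest()

def authenticate(consumer_id: str, nonce: str, token: str):
    """Authentication step: return the Consumer only if the token proves possession of the key."""
    if consumer_id not in SECRETS:
        return None
    expected = make_token(consumer_id, nonce)
    return CONSUMERS[consumer_id] if hmac.compare_digest(expected, token) else None

def authorize(consumer: Consumer, operation: str, resource: str) -> bool:
    """Authorization step: internal tools may manage everything; external tools may only read
    or modify resources allocated to their own tenant, and may never delete them."""
    if consumer.kind == "internal":
        return True
    if resource not in ALLOCATIONS.get(consumer.tenant, set()):
        return False
    return operation in {"read", "modify"}

def handle_request(consumer_id, nonce, token, operation, resource, audit: list) -> str:
    """Gate one MnS request: authenticate, authorize, then record the outcome for accountability."""
    consumer = authenticate(consumer_id, nonce, token)
    if consumer is None:
        audit.append((consumer_id, operation, resource, "authn_failed"))
        return "authn_failed"
    decision = "allowed" if authorize(consumer, operation, resource) else "denied"
    audit.append((consumer_id, operation, resource, decision))
    return decision
```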
