Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x
Top   in Index   Prev   Next

TR 33.858
Study on Security aspects of enhanced support of Non-Public Networks (NPN)
Phase 2

3GPP‑Page  
V18.1.0 (Wzip)  2023/09  35 p.
Rapporteur:
Dr. Jost, Christine
Ericsson LM

full Table of Contents for  TR 33.858  Word version:  18.1.0

Here   Top
1 Scope2 References3 Definitions of terms, symbols and abbreviations4 Assumptions5 Key issues6 Proposed solutions7 Conclusions$ Change history

 

1  Scopep. 8

The aim of the present document is to study the security aspects for any potential enhancements to be developed based on the outcome of the study in TR 23.700-08. For each of the objectives in the scope of the study in TR 23.700-08, potential security aspects that are to be covered in this study are as follows:
  • Support for enhanced mobility by enabling support for idle and connected mode mobility between SNPNs without new network selection.
    • Study if existing security mechanisms for mobility between PLMNs can be reused for SNPNs or if new security mechanisms are needed.
  • Support for non-3GPP access for SNPN
    • Study if existing security mechanisms for enabling non-3GPP access in a PLMN can be reused for enabling non-3GPP access in an SNPN or if new security mechanisms are needed.
  • Address new requirements (e.g., TS 22.261 requirements for Providing Access to Local Services) related to NPN
    • Study the trust model for the resulting architecture for enabling Localized Services via a local hosting NPN.
    • Study if existing mechanisms for a UE to access an NPN can be reused for enabling a UE to authenticate with and access the local hosting NPN and the localized services via the hosting NPN with proper authorization, or if new security mechanisms are needed.
Up

2  Referencesp. 8

3  Definitions of terms, symbols and abbreviationsp. 9

3.1  Termsp. 9

3.2  Symbolsp. 9

3.3  Abbreviationsp. 9

4  Assumptionsp. 9

5  Key issuesp. 9

5.1  Key issue #1: Security of non-3GPP access for SNPNp. 9

5.1.1  Key issue detailsp. 9

5.1.2  Threatsp. 9

5.1.3  Potential security requirementsp. 10

5.2  Key issue #2: Authentication for UE access to hosting networkp. 10

5.2.1  Key issue detailsp. 10

5.2.2  Threatsp. 10

5.2.3  Potential security requirementsp. 10

6  Proposed solutionsp. 11

6.0  Mapping of solutions to key issuesp. 11

6.1  Solution #1: Authentication mechanism for untrusted non-3GPP Access in SNPN scenariosp. 11

6.1.1  Introductionp. 11

6.1.2  Solution detailsp. 12

6.1.3  System impactp. 12

6.1.4  Evaluationp. 12

6.2  Solution #2: Authentication mechanism for trusted non-3GPP Access in SNPN scenariosp. 12

6.2.1  Introductionp. 12

6.2.2  Solution detailsp. 13

6.2.3  System impactp. 13

6.2.4  Evaluationp. 13

6.3  Solution #3: Use of anonymous SUCI in trusted non-3GPP access for SNPNp. 13

6.3.1  Introductionp. 13

6.3.2  Solution detailsp. 14

6.3.3  System impactp. 14

6.3.4  Evaluationp. 14

6.4  Solution #4: Authentication for devices that do not support 5GC NAS over WLAN access in SNPN scenariosp. 14

6.4.1  Introductionp. 14

6.4.2  Solution detailsp. 14

6.4.3  System impactp. 15

6.4.4  Evaluationp. 15

6.5  Solution #5: Anonymous authentication during connection establishment in trusted non-3GPP network access.p. 15

6.5.1  Introductionp. 15

6.5.2  Solution detailsp. 15

6.5.3  System impactp. 16

6.5.4  Evaluationp. 16

6.6  Solution #6: Trusted non-3GPP Access for SNPNp. 16

6.6.1  Introductionp. 16

6.6.2  Solution detailsp. 16

6.6.3  System impactp. 16

6.6.4  Evaluationp. 16

6.7  Solution #7: Untrusted non-3GPP Access for SNPNp. 16

6.7.1  Introductionp. 16

6.7.2  Solution detailsp. 17

6.7.3  System impactp. 17

6.7.4  Evaluationp. 17

6.8  Solution #8: Reusing Existing N3GPP Security for SNPNp. 17

6.8.1  Introductionp. 17

6.8.2  Solution detailsp. 17

6.8.3  Evaluationp. 17

6.9  Solution #9: NSWO support in SNPN using any key-generating EAP-methodp. 18

6.9.1  Introductionp. 18

6.9.2  Solution detailsp. 18

6.9.3  System impactp. 19

6.9.4  Evaluationp. 19

6.10  Solution #10: Access to localized services using existing mechanismsp. 19

6.10.1  Introductionp. 19

6.10.2  Solution detailsp. 19

6.10.2.1  Solution for access to localized services based on Home Network Credentialsp. 19

6.10.2.2  Solution for access to localized services based on Onboarding Mechanismp. 19

6.10.3  System Impactp. 22

6.10.4  Evaluationp. 22

6.11  Solution #11: High-level solution on authentication for UE access to hosting networkp. 22

6.11.1  Introductionp. 22

6.11.2  Solution detailsp. 22

6.11.3  System impactp. 23

6.11.4  Evaluationp. 23

6.12  Solution #12: Localised service authentication through onboarding procedure and registration afterwards.p. 23

6.12.1  Introductionp. 23

6.12.2  Solution detailsp. 24

6.12.3  System impactp. 24

6.12.4  Evaluationp. 24

6.13  Solution #13: Home network primary authentication - secondary authentication towards localised servicep. 25

6.13.1  Introductionp. 25

6.13.2  Solution detailsp. 25

6.13.3  System impactp. 25

6.13.4  Evaluationp. 26

6.14  Solution #14: NSWO support in SNPN using any key-generating EAP-method for SNPN using CH AUSF/UDMp. 26

6.14.1  Introductionp. 26

6.14.2  Solution detailsp. 26

6.14.3  System impactp. 26

6.14.4  Evaluationp. 27

6.15  Solution #15: NSWO using SNPN credentials from CH AAAp. 27

6.15.1  Introductionp. 27

6.15.2  Solution detailsp. 27

6.15.3  System impactp. 27

6.15.4  Evaluationp. 27

6.16  Solution #16: Localized Service related authentication and network accessp. 27

6.16.1  Introductionp. 27

6.16.2  Solution detailsp. 28

6.16.3  System impactp. 29

6.16.4  Evaluationp. 29

6.17  Solution #17: Authentication for UE to access hosting network and receive localized services using existing mechanisms.p. 29

6.17.1  Introductionp. 29

6.17.2  Solution detailsp. 29

6.17.3  System impactp. 30

6.17.4  Evaluationp. 30

6.18  Solution #18: UE creates the identifier in trusted non-3GPP accessp. 30

6.18.1  Introductionp. 30

6.18.2  Solution detailsp. 30

6.18.3  System impactp. 31

6.18.4  Evaluationp. 31

6.19  Solution #19: Supporting CH using AAA for N3GPP Security in SNPNp. 31

6.19.1  Introductionp. 31

6.19.2  Solution detailsp. 31

6.19.3  Evaluationp. 31

6.20  Solution #20: NSWO using SNPN credentials from CH AAA via 5GCp. 31

6.20.1  Introductionp. 31

6.20.2  Solution detailsp. 32

6.20.3  System impactp. 32

6.20.4  Evaluationp. 32

7  Conclusionsp. 32

7.1  Conclusions for KI#1 Security of non-3GPP access for SNPNp. 32

7.1.1  Scopep. 32

7.1.2  Conclusion for Untrusted N3GPP access to SNPNp. 33

7.1.3  Conclusion for Trusted N3GPP access to SNPNp. 33

7.1.4  Conclusion for N5CW device access to SNPNp. 33

7.1.5  Conclusion for NSWO support in SNPNp. 34

7.2  Conclusions for KI#2 Authentication for UE access to hosting networkp. 34

7.3  Other conclusionsp. 34

$  Change historyp. 35

Up   Top