Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 33.320  Word version:  18.0.0

Top   Top   Up   Prev   None
1…   4…
4 Overview of Security Architecture and Requirements5 Security Features6 Security Procedures in H(e)NB7 Security Procedures between H(e)NB and SeGW8 Security Aspects of H(e)NB Management9 Security Aspects of Emergency Call Handling10 Security Aspects for Mobility11 Security Procedures for Direct Interfaces between Base StationsA Authentication Call-flowsB Location Verification Examples$ Change History

 

4  Overview of Security Architecture and Requirementsp. 8

4.1  System architecture of H(e)NBp. 8

4.2  Network Elementsp. 9

4.2.1  H(e)NBp. 9

4.2.2  Security Gateway (SeGW)p. 9

4.2.3  H(e)NB Management System (H(e)MS)p. 10

4.2.4  UEp. 10

4.2.5  H(e)NB Gateway (H(e)NB-GW) and MMEp. 10

4.2.6  AAA Server and HSSp. 10

4.2.7Void

4.2.8  Local Gateway (L-GW) |R10|p. 10

4.3  Interfaces (Reference Points)p. 10

4.3.1  Backhaul Linkp. 10

4.3.2  H(e)MS Interfacep. 10

4.3.3  Interface between SeGW and AAA Server, AAA Server and HSSp. 10

4.3.4  Interface between H(e)NBs |R11|p. 11

4.4  Security Requirements and Principlesp. 11

4.4.1  Operationp. 11

4.4.2  Requirements on H(e)NBp. 11

4.4.3  Requirements on SeGWp. 12

4.4.4  Requirements on H(e)MSp. 12

4.4.5  Requirements on Backhaul Linkp. 13

4.4.6  Requirements on H(e)MS Linkp. 13

4.4.7  Requirements on Local Gateway (L-GW) |R10|p. 13

4.4.8  Requirements on the Direct Link between H(e)NBs |R11|p. 14

4.4.9  Requirements on Verification of H(e)NB Identity and Operating Access Mode |R11|p. 14

5  Security Featuresp. 15

5.1  Secure Storage and Executionp. 15

5.1.1  Hosting Party Modulep. 15

5.1.2  Trusted Environment (TrE)p. 15

5.1.2.1  Generalp. 15

5.2  Device Mutual Authenticationp. 15

5.3  Hosting Party Mutual Authenticationp. 16

5.4  Other security featuresp. 16

6  Security Procedures in H(e)NBp. 18

6.1  Device Integrity Checkp. 18

6.1.1  Device Integrity Check Procedurep. 18

6.1.2  Protection of Trusted Reference Value(s)p. 18

6.2Void

6.3  Measures for Clock Protectionp. 18

6.3.1  Clock Synchronization Security Mechanisms for H(e)NBp. 18

7  Security Procedures between H(e)NB and SeGWp. 19

7.1  Device Validationp. 19

7.2  Device Authenticationp. 19

7.2.1  Generalp. 19

7.2.2  SeGW and Device Mutual Authentication Procedurep. 20

7.2.3  H(e)NB/IKEv2 Processing Requirements for SeGW Certificatesp. 21

7.2.4  SeGW/IKEv2 Processing Requirements for H(e)NB Certificatesp. 21

7.2.5  Security Profilesp. 22

7.2.5.1  Profile for IKEv2p. 22

7.2.5.2  IKEv2 Certificate Profilep. 22

7.2.5.2.1  IKEv2 Entity Certificatesp. 22
7.2.5.2.2  IKEv2 CA Certificatesp. 22

7.3  Hosting Party Authenticationp. 23

7.4  IPsec Tunnel Establishmentp. 23

7.5  Device Authorizationp. 23

8  Security Aspects of H(e)NB Managementp. 25

8.1  Location Verificationp. 25

8.1.1  Generalp. 25

8.1.2  IP Address provided by H(e)NBp. 25

8.1.3  IP Address and/or access line location identifier provided by broadband access providerp. 25

8.1.4  Surrounding macro-cell information provided by H(e)NBp. 25

8.1.5  GNSS information provided by H(e)NBp. 25

8.1.6  Requirementsp. 26

8.2  Access Control Mechanisms for H(e)NBp. 26

8.2.1  Non-CSG Methodp. 26

8.2.2  CSG Methodp. 26

8.3  Protection of H(e)MS traffic between H(e)MS and H(e)NBp. 26

8.3.1  Connection to H(e)MS accessible on MNO Intranetp. 26

8.3.2  Connection to H(e)MS accessible on public Internetp. 27

8.3.2.1  Generalp. 27

8.3.2.2  Device Validationp. 28

8.3.3  TLS certificate profilep. 28

8.3.3.1  TLS entity certificatesp. 28

8.3.3.2  TLS CA certificatesp. 29

8.3.4  TR-069 protocol profilep. 29

8.4  Protection of SW Downloadp. 29

8.5  Enrolment of H(e)NB to an Operator PKI |R11|p. 30

8.5.1  Generalp. 30

8.5.2  Enrolment Procedurep. 30

8.5.3  Certificate Validationp. 30

9  Security Aspects of Emergency Call Handlingp. 31

10  Security Aspects for Mobilityp. 32

10.1  Inbound mobilityp. 32

10.2  Outbound mobilityp. 32

11  Security Procedures for Direct Interfaces between Base Stations |R11|p. 33

11.1  Generalp. 33

11.2  Direct Link between two H(e)NBsp. 33

A  Authentication Call-flowsp. 34

A.1  Device Authentication Call-flow Examplep. 34

A.2  Combined Device and HP Authentication Call-flow Examplep. 35

B  Location Verification Examplesp. 38

B.1  Example of Location verification based on IP address and line identifier in NASSp. 38

B.2  Example process of location verification when the verifying node receive different types of location informationp. 38

$  Change Historyp. 40

Up   Top