This Annex specifies security measures to protect DNS and ICMP messages. These security measures are intended for use when integrity protection over the user plane cannot be used.
It is recommended that the UE and DNS server(s) support DNS over (D)TLS as specified in RFC 7858 and RFC 8310. The DNS server(s) deployed within the 3GPP network can enforce the use of DNS over (D)TLS. The UE can be pre-configured with the DNS server security information (out-of-band configuration as specified in the IETF RFCs, e.g. credentials to authenticate the DNS server, supported security mechanisms, port number, etc.), or the core network can provide the DNS server security information to the UE.
When DNS over (D)TLS is used, a TLS cipher suite that supports integrity protection needs to be negotiated.
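The following is an added example, not part of this Annex or of any 3GPP implementation, showing what the UE side of the recommendation above amounts to in code: a DNS over TLS client (RFC 7858) that authenticates the server against a pre-configured trust anchor and server name, offers only TLS 1.2 and later with AEAD cipher suites (so integrity protection is always negotiated), and speaks the RFC 1035 wire format behind the 2-byte length prefix that DoT uses. The server address, server name and CA file are hypothetical inputs supplied by the caller; the response bytes used for the offline check are constructed, not captured.

```python
# Added example (not part of the Annex): minimal DNS-over-TLS client side.
import socket
import ssl
import struct

DOT_PORT = 853            # port registered for DNS over TLS in RFC 7858
QTYPE_A, QCLASS_IN = 1, 1


def make_dot_context(ca_file=None):
    """TLS context for the UE: the server certificate must chain to the
    configured trust anchor (ca_file, an out-of-band credential), the presented
    name must match the configured server name, and only TLS 1.2+ with
    AEAD suites is offered, so the negotiated suite always carries integrity."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def context_is_hardened(ctx):
    """True if a context still carries the three settings above."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def encode_name(name):
    """RFC 1035 label encoding: length-prefixed labels, terminated by 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dot_query(name, txid=0x1234, qtype=QTYPE_A):
    """One A query (RD=1) with the 2-byte length prefix required by RFC 7858."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                      # guard against pointer loops
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name compression loop")
    return ".".join(labels), (offset if end is None else end)


def parse_dot_response(data, expected_txid):
    """Strip the length prefix, check the transaction id, return (rcode, [(name, ip, ttl)])."""
    if len(data) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return flags & 0xF, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed mid-message")
        buf += chunk
    return buf


def resolve_over_tls(name, server_ip, server_name, ca_file=None, txid=0x1234):
    """Send one A query to a DoT server (hypothetical pre-configured values)."""
    ctx = make_dot_context(ca_file)
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(build_dot_query(name, txid))
            prefix = _recv_exact(tls, 2)
            body = _recv_exact(tls, struct.unpack("!H", prefix)[0])
    return parse_dot_response(prefix + body, txid)


def constructed_response(txid=0x1234):
    """Constructed (not captured) response: NOERROR, example.com A 192.0.2.1, TTL 300."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xc0\x0c"                     # pointer to the question name at offset 12
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
              + bytes([192, 0, 2, 1]))        # TEST-NET-1 documentation address
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg
```

The transaction id check and the strict length handling matter more over TLS than they first appear: the TLS session authenticates the server, but a stream-oriented transport still needs the length prefix to delimit messages, and a server that pipelines replies can return them out of order, so responses are matched on the id rather than on arrival order.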
ICMP (Internet Control Message Protocol) is part of the Internet Protocol (IP) suite. The lack of security in ICMP may be exploited to launch further attacks on the 3GPP system. To mitigate such attacks, it is recommended that the use of ICMP be restricted in the UE and the UPF (e.g., by default, use of ICMP is not allowed). In scenarios where the use of ICMP is required, it is recommended that one or more of the following mitigations be enforced:
- Disable the UE from responding to ICMP requests received over 3GPP network interface(s).
- Install IP filter(s) at the UPF in order to block ICMP messages. This filter can be activated either on a per N4 Session basis or on a UPF basis. For ICMPv6, the recommendations in RFC 4890 can be used for filtering ICMPv6 messages.
- Limit the maximum size of ICMP messages (e.g., to 64 bytes). Any ICMP message that is greater than this limit needs to be dropped by the UE as well as by the UPF.
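The following is an added example, not part of this Annex or of any UE or UPF implementation, that models the three mitigations above as a policy evaluated over constructed ICMP packet descriptors (no sockets, so it runs offline). The UE side drops oversized messages and refuses echo requests arriving on a 3GPP interface; the UPF side drops oversized messages and applies an IP filter that can be switched on UPF-wide or per N4 session, letting through only the ICMPv6 error messages that RFC 4890 section 4.3.1 says a firewall must not drop. Interface names ("3gpp", "wlan", "n3", "n6"), session identifiers and the choice to exempt the RFC 4890 messages from the per-session filter are assumptions of this example.

```python
# Added example (not part of the Annex): UE and UPF ICMP mitigation policy.
from dataclasses import dataclass, field

MAX_ICMP_LEN = 64                 # the Annex's example size limit, in bytes

ICMPV4_ECHO_REQUEST = 8
ICMPV6_ECHO_REQUEST = 128
ECHO_REQUEST = {4: ICMPV4_ECHO_REQUEST, 6: ICMPV6_ECHO_REQUEST}

# RFC 4890 section 4.3.1: ICMPv6 error messages that must not be dropped,
# as (type, code); a code of None matches any code.
RFC4890_MUST_NOT_DROP = {
    (1, None),    # Destination Unreachable
    (2, None),    # Packet Too Big (needed for path MTU discovery)
    (3, 0),       # Time Exceeded, hop limit exceeded in transit
    (4, 1),       # Parameter Problem, unrecognised Next Header
    (4, 2),       # Parameter Problem, unrecognised IPv6 option
}


@dataclass(frozen=True)
class IcmpPacket:
    """Constructed packet descriptor; interface names are hypothetical."""
    ingress: str           # UE: "3gpp" or "wlan"; UPF: "n3" (from UE) or "n6" (from DN)
    ip_version: int        # 4 or 6
    icmp_type: int
    icmp_code: int
    length: int            # size of the ICMP message in bytes
    session_id: str = ""   # N4 session the packet belongs to (UPF side)


def rfc4890_essential(pkt):
    """True for ICMPv6 messages in the RFC 4890 'must not drop' set."""
    return pkt.ip_version == 6 and (
        (pkt.icmp_type, None) in RFC4890_MUST_NOT_DROP
        or (pkt.icmp_type, pkt.icmp_code) in RFC4890_MUST_NOT_DROP)


def ue_verdict(pkt):
    """UE policy: size limit first, then no echo replies on 3GPP interfaces.
    Returns (verdict, reason) so the reason can be logged for detection."""
    if pkt.length > MAX_ICMP_LEN:
        return ("drop", "ICMP message exceeds %d bytes" % MAX_ICMP_LEN)
    if pkt.ingress == "3gpp" and pkt.icmp_type == ECHO_REQUEST.get(pkt.ip_version):
        return ("drop", "echo request received over 3GPP interface")
    return ("accept", "")


@dataclass
class UpfIcmpPolicy:
    block_all: bool = True                                # UPF-wide filter (Annex default: deny)
    blocked_sessions: set = field(default_factory=set)    # per-N4-session filter

    def filter_active(self, pkt):
        return self.block_all or pkt.session_id in self.blocked_sessions


def upf_verdict(pkt, policy):
    """UPF policy: size limit first, then the IP filter. When the filter hits an
    ICMPv6 packet, RFC 4890 essential error messages are still accepted
    (assumed design choice, so IPv6 path MTU discovery keeps working)."""
    if pkt.length > MAX_ICMP_LEN:
        return ("drop", "ICMP message exceeds %d bytes" % MAX_ICMP_LEN)
    if policy.filter_active(pkt):
        if rfc4890_essential(pkt):
            return ("accept", "RFC 4890 essential ICMPv6 error message")
        return ("drop", "ICMP blocked by UPF filter")
    return ("accept", "")


def count_verdicts(packets, policy):
    """Batch evaluation at the UPF; the drop count is a simple monitoring metric."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[upf_verdict(pkt, policy)[0]] += 1
    return counts


if __name__ == "__main__":
    policy = UpfIcmpPolicy(block_all=False, blocked_sessions={"sess-1"})
    sample = [                                            # constructed packets
        IcmpPacket("n3", 4, ICMPV4_ECHO_REQUEST, 0, 56, "sess-1"),
        IcmpPacket("n6", 6, 2, 0, 56, "sess-1"),          # Packet Too Big, short
        IcmpPacket("n6", 6, 2, 0, 1280, "sess-2"),        # Packet Too Big, full size
    ]
    for p in sample:
        print(p.session_id, p.ip_version, p.icmp_type, upf_verdict(p, policy))
    print(count_verdicts(sample, policy))
```

One caveat the model makes visible: the size limit is applied before every other rule, and ICMPv6 error messages such as Packet Too Big normally carry as much of the invoking packet as fits, so they are routinely larger than 64 bytes. An operator who enables the size limit together with the RFC 4890 exemption should therefore choose the limit with that in mind, or the exemption has no effect.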
The UE establishes a user plane connection to the LMF or AF as specified in TS 23.273.
For the protection of this interface, a TLS based mechanism shall be supported.