Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 33.739  Word version:  18.1.0

Top   Top   Up   Prev   None
1…   5…
5 Key issues6 Proposed solutions7 Conclusions$ Change history

 

5  Key issuesp. 12

5.1  Generalp. 12

5.2  Key issues related with 5G System Enhancements for Edge Computingp. 12

5.2.1  Key issue #1.1: How to authorize PDU session to support local traffic routing to access an EHE in the VPLMNp. 12

5.2.1.1  Key issue detailsp. 12

5.2.1.2  Threatsp. 12

5.2.1.3  Potential security requirementsp. 12

5.2.2  Key issue #1.2: Security of EAS discovery procedure via V-EASDF in VPLMNp. 12

5.2.2.1  Key issue detailsp. 12

5.2.2.2  Threatsp. 12

5.2.2.3  Potential security requirementsp. 13

5.3  Key issues related with enhanced architecture for enabling Edge Applicationsp. 13

5.3.1  Key Issue #2.1: Authentication and authorization of the EEC/UE by the ECS/EESp. 13

5.3.1.1  Key issue detailsp. 13

5.3.1.2  Security threatsp. 13

5.3.1.3  Potential security requirementsp. 13

5.3.2  Key issue #2.2: Authentication mechanism selection between EEC and ECS/EESp. 14

5.3.2.1  Key issue detailsp. 14

5.3.2.2  Security threatsp. 14

5.3.2.3  Potential security requirementp. 14

5.3.3  Key issue #2.3: Authentication and Authorization between V-ECS and H-ECSp. 14

5.3.3.1  Key issue detailsp. 14

5.3.3.2  Threatsp. 14

5.3.3.3  Potential security requirementsp. 14

5.3.4  Key issue #2.4: Transport security for the EDGE10 interfacep. 15

5.3.4.1  Key issue detailsp. 15

5.3.4.2  Threatsp. 15

5.3.4.3  Potential security requirementsp. 15

5.3.5  Key issue #2.5: Authentication and Authorization between AC and EECp. 15

5.3.5.1  Key issue detailsp. 15

5.3.5.2  Threatsp. 15

5.3.5.3  Potential security requirementsp. 15

5.3.6  Key issue #2.6: New KI on authorization between EESesp. 15

5.3.6.1  Key issue detailsp. 15

5.3.6.2  Threatsp. 16

5.3.6.3  Potential security requirementsp. 16

5.3.7  Key issue #2.7: EEC provided information verificationp. 16

5.3.7.1  Key issue detailsp. 16

5.3.7.2  Threatsp. 16

5.3.7.3  Potential security requirementsp. 17

6  Proposed solutionsp. 17

6.0  Mapping of Solutions to Key Issuesp. 17

6.1  Solution #1: Authentication and authorization between EEC hosted in the roaming UE and ECSp. 18

6.1.1  Solution overviewp. 18

6.1.2  Solution detailsp. 19

6.1.3  Solution evaluationp. 20

6.2  Solution #2: Authentication and authorization between EEC hosted in the roaming UE and EESp. 20

6.2.1  Solution overviewp. 20

6.2.2  Solution detailsp. 21

6.2.3  Solution evaluationp. 22

6.3  Solution #3: Authentication mechanism selection between EEC and ECSp. 22

6.3.1  Solution overviewp. 22

6.3.2  Solution detailsp. 23

6.3.2.1  ECS configurationp. 23

6.3.3  Solution evaluationp. 24

6.4  Solution #4: Authentication mechanism selection between EEC and EESp. 24

6.4.1  Solution overviewp. 24

6.4.2  Solution detailsp. 24

6.4.2.1  EES profilep. 25

6.4.3  Solution evaluationp. 25

6.5  Solution #5: 5GC-based authentication mechanism selection between EEC and ECS/EESp. 25

6.5.1  Solution overviewp. 25

6.5.2  Solution detailsp. 26

6.5.3  Solution evaluationp. 27

6.6  Solution #6: ECS/EES authentication method information provisioningp. 27

6.6.1  Solution overviewp. 27

6.6.2  Solution detailsp. 27

6.6.3  Solution evaluationp. 27

6.7  Solution #7: Negotiation procedure for the Authentication and Authorizationp. 28

6.7.1  Solution overviewp. 28

6.7.2  Solution detailsp. 28

6.7.3  Solution evaluationp. 29

6.8  Solution #8: Authentication mechanisms selected by ECS/EESp. 29

6.8.1  Solution overviewp. 29

6.8.2  Solution detailsp. 29

6.8.2.1  Authentication between EEC and ECSp. 29

6.8.2.2  Authentication between EEC and EESp. 29

6.8.3  Solution evaluationp. 29

6.9  Solution #9: Authentication mechanism selection procedure between EEC and ECSp. 29

6.9.1  Solution overviewp. 29

6.9.2  Solution detailsp. 30

6.9.3  Solution evaluationp. 30

6.10  Solution #10: Authentication mechanism selection procedure between EEC and EESp. 30

6.10.1  Solution overviewp. 30

6.10.2  Solution detailsp. 30

6.10.3  Solution evaluationp. 31

6.11  Solution #11: Authentication mechanism selection procedure among EEC, ECS, and EESp. 31

6.11.1  Solution overviewp. 31

6.11.2  Solution detailsp. 31

6.11.3  Solution evaluationp. 32

6.12  Solution #12: Authorization for PDU session supporting local traffic routing to access an EHE in the VPLMNp. 33

6.12.1  Introductionp. 33

6.12.2  Solution detailsp. 33

6.12.3  Solution evaluationp. 33

6.13  Solution #13: A solution for authentication of EEC/UE and GPSI verification by EES/ECSp. 33

6.13.1  Solution overviewp. 33

6.13.2  Solution detailsp. 33

6.13.3  Solution evaluationp. 35

6.14  Solution #14: A solution for authentication of UE and GPSI verification by EES/ECSp. 35

6.14.1  Solution overviewp. 35

6.14.2  Solution detailsp. 35

6.14.3  Solution evaluationp. 36

6.15  Solution #15: Authentication algorithm selection procedure between EEC and ECSp. 36

6.15.1  Solution overviewp. 36

6.15.2  Solution detailsp. 36

6.15.3  Solution evaluationp. 38

6.16  Solution #16: Authentication algorithm selection procedure between EEC and EESp. 38

6.16.1  Solution overviewp. 38

6.16.2  Solution detailsp. 38

6.16.3  Solution evaluationp. 39

6.17  Solution #17: Using existing AKMA/GBA negotiation mechanismp. 40

6.17.1  Solution overviewp. 40

6.17.2  Solution detailsp. 40

6.17.2.1  Shared key based EEC/UE authentication and certificate based ECS/EES authenticationp. 40

6.17.2.2  Shared key based mutual authenticationp. 40

6.17.2.2.1  Shared key based mutual authentication in TLS 1.2p. 40
6.17.2.2.2  Shared key based mutual authentication in TLS 1.3p. 41

6.17.2.3  Handling EEC authentication negotiation failurep. 41

6.17.2.4  GPSI verificationp. 41

6.17.3  Solution evaluationp. 41

6.18  Solution #18: Authentication and Authorization between V-ECS and H-ECSp. 42

6.18.1  Solution overviewp. 42

6.18.2  Solution detailsp. 42

6.19  Solution #19: Authorization of V-ECS in roaming scenariop. 42

6.19.1  Solution overviewp. 42

6.19.2  Solution detailsp. 42

6.19.3  Solution evaluationp. 43

6.20  Solution #20: Transport security for the EDGE10 interfacep. 43

6.20.1  Solution overviewp. 43

6.20.2  Solution detailsp. 43

6.20.3  Solution evaluationp. 44

6.21  Solution #21: Using local policy on authorization between EESesp. 44

6.21.1  Solution overviewp. 44

6.21.2  Solution detailsp. 44

6.21.3  Solution evaluationp. 44

6.23  Solution #23: EAS discovery procedure protectionp. 45

6.23.1  Solution overviewp. 45

6.23.2  Solution detailsp. 45

6.23.3  Solution evaluationp. 45

6.24  Solution #24: Public key signature based ECS/EES authenticationp. 46

6.24.1  Solution overviewp. 46

6.24.2  Solution detailsp. 46

6.24.3  Solution evaluationp. 46

6.25  Solution #25: Utilizing Token-Based Solutions for EEC authenticationp. 46

6.25.1  Solution overviewp. 46

6.25.2  Solution detailsp. 47

6.25.3  Solution evaluationp. 47

6.26  Solution #26: Using authorization token on authorization between EESesp. 47

6.26.1  Solution overviewp. 47

6.26.2  Solution details - Target EES Decided ACRp. 47

6.26.3  Solution details: Source EAS decided ACRp. 49

6.26.4  Solution details: S-EES executed ACRp. 50

6.26.5  Solution evaluationp. 52

6.27  Solution #27: Token-based solution for authorization between EESesp. 52

6.27.1  Solution overviewp. 52

6.27.2  Solution detailsp. 52

6.27.3  Solution evaluationp. 53

6.28  Solution #28: Usage of randomly generated ticket to verify EEC provided IP addressp. 53

6.28.1  Solution overviewp. 53

6.28.2  Solution detailsp. 53

6.28.3  Solution evaluationp. 54

6.29  Solution #29: Authorizing the Service Consumer when Resolving an IP Address to a UE IDp. 55

6.29.1  Solution overviewp. 55

6.29.2  Solution detailsp. 55

6.29.3  Solution evaluationp. 55

6.30  Solution #30: Usage of existing public IP address to verify EEC provided IP addressp. 58

6.30.1  Solution overviewp. 58

6.30.2  Solution detailsp. 58

6.30.3  Solution evaluationp. 59

6.31  Solution #31: AKMA/GBA based verification of EEC provided IP addressp. 60

6.31.1  Solution overviewp. 60

6.31.2  Solution detailsp. 60

6.31.3  Solution evaluationp. 61

6.32  Solution #32: KDF based verification of EEC provided IP addressp. 61

6.32.1  Solution overviewp. 61

6.32.2  Solution detailsp. 61

6.32.3  Solution evaluationp. 61

6.33  Solution #33: Verification of EEC provided IP addressp. 62

6.33.1  Solution overviewp. 62

6.33.2  Solution detailsp. 62

6.33.3  Solution evaluationp. 62

6.34  Solution #34: Verification of EEC provided IP address using access tokenp. 63

6.34.1  Solution overviewp. 63

6.34.2  Solution detailsp. 63

6.34.3  Solution evaluationp. 63

7  Conclusionsp. 64

7.1  Conclusions for Key Issue #2.4p. 64

7.2  Conclusions for Key Issue #2.3p. 64

7.3  Conclusions for Key Issue #2.5p. 64

7.4  Conclusions for Key Issue #1.1p. 64

7.5  Conclusions for Key Issue #2.1p. 64

7.6  Conclusions for Key Issue#2.2p. 64

7.7  Conclusions for Key Issue #2.6p. 65

7.8  Conclusions for Key Issue #1.2p. 65

7.9  Conclusions for Key Issue #2.7p. 65

$  Change historyp. 66

Up   Top