Content for TR 33.926 Word version: 19.1.0

1… 4… 5… 6… A… B… C… D… E… F… G… H… I… J… K… L… M… N… O… P… Q… R… S… T… U… V… W… X… Y…

M.2 Network product class description for the N3IWF M.3 Assets and threats specific to the N3IWF
...

M Aspects specific to the network product class N3IWF |R18| p. 70

M.2 Network product class description for the N3IWF p. 70

M.2.1 Introduction p. 70

This Annex covers the aspects specific to the N3WF network product class.

M.2.2 Minimum set of functions defining the N3IWF network product class p. 70

As part of the N3IWF network product, it is expected that the N3IWF to contain N3IWF application, a set of running processes (typically more than one) executing the software package for the N3IWF functions and OAM functions that is specific to the N3IWF network product model. Functionalities specific to the N3IWF network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.520.

M.3 Assets and threats specific to the N3IWF p. 70

M.3.1 Critical assets p. 70

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the N3IWF to be protected are:

N3IWF Application;
Mobility and Session Management data: e.g. subscriber's identities (e.g. SUCI), subscriber keys (I.e. KN3IWF), APN name, data related to mobility management like UE status, UE's IP address, etc., session management like PDN type, QoS and so on, etc.
The interfaces of N3IWF to be protected and which are within SECAM scope:
- Reference point interfaces:
  - N2.
  - N3.
  - Y2.
- Console interface, for local access: local interface on N3IWF
- OAM interface, for remote access and data collection: interface between N3IWF and OAM system
NOTE 1:
The detailed interfaces of the N3IWF class are described in clause 4, Network Product Class Description of the present document.
N3IWF Software: binary code or executable code

NOTE 2:
N3IWF files may be any file owned by a user (root user as well as non-root uses), including User account data and credentials, Log data, configuration data, OS files, cryptographic material, N3IWF application, or N3IWF Software.

M.3.2 Threats related to EAP procedure p. 71

Threat name: N3IWF sends EAP-Identity Request
Threat Category: Denial of service.
Threat Description: EAP-5G is used between UE and N3IWF. As specified in TS 33.501, the N3IWF shall refrain from sending an EAP-Identity request. The UE may ignore an EAP Identity request or respond with the SUCI it sent in the Registration Request. This means if the N3IWF happens to send an EAP-Identity Request to the UE, the N3IWF shall not look forward an EAP-Identity Reply. This is different from normal EAP framework. If the N3IWF behaves the same as normal EAP framework, the N3IWF will wait for a reply till time expires. This may cause that the UE cannot access to the network via an N3IWF.
Threatened Asset: GNP services.