Security Capability Negotiation

/exchange-capability

POST

This is the N32 capability exchange API used to negotiate the security capabilities between SEPPs or tear down the N32-f TLS connection.

Parameter Exchange

/exchange-params

POST

This is the N32 parameter exchange API used to exchange the cipher suites and protection policies.

N32-f Context Terminate

/n32f-terminate

POST

This is the N32-f context termination procedure API.

N32-f Error Reporting

/n32f-error

POST

This is the N32-f error reporting procedure API.

apiRoot

string

See clause 6.1.1.

SecNegotiateReqData

M

1

The IE shall contain the security capabilities of the initiating SEPP.

SecNegotiateRspData

M

1

200 OK

This represents the successful processing of the requested security capabilities. The responding SEPP shall provide the security capabilities that it has selected, in the response.

ProblemDetails

O

0..1

403 Forbidden

The "cause" attribute may be used to indicate one of the following application errors:

– REQUESTED_PURPOSE_NOT_ALLOWED

When the receiving SEPP fails to negotiate the security capability, the "cause" attribute shall be set to "NEGOTIATION_NOT_ALLOWED".

NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4]).

apiRoot

string

See clause 6.1.1.

SecParamExchReqData

M

1

The IE shall contain the parameters requested by the requesting SEPP.

SecParamExchRspData

M

1

200 OK

This represents the successful processing of the requested parameters. The SEPP shall provide the selected parameters (i.e selected cipher suite and/or selected data type encryption policy) depending on what was requested by the requesting SEPP and what is supported by the responding SEPP, or the SEPP shall provide the modification policy and/or security information lists of the connected IPXs.

ProblemDetails

O

0..1

409 Conflict

The "cause" attribute may be used to indicate one of the following application errors:

– REQUESTED_PARAM_MISMATCH

NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4]).

apiRoot

string

See clause 6.1.1.

N32fContextInfo

M

1

The IE shall contain the information about the N32-f context requested to be terminated by the requesting SEPP.

N32fContextInfo

M

1

200 OK

This represents the successful deletion of the request N32-f context. The responding SEPP shall return the "n32fContextId" it had towards the initiating SEPP, in this IE.

NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4]).

apiRoot

string

See clause 6.1.1.

N32fErrorInfo

M

1

The IE shall contain the information about the N32-f message that failed to process at the SEPP initiating the N32-f error reporting procedure, together with information related to the nature of the error.

204 No Content

This represents the successful processing of the N32-f error report at the receiving SEPP.

NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4]).

SecNegotiateReqData

6.1.5.2.2

Defines the security capabilities of a SEPP sent to a receiving SEPP.

SecNegotiateRspData

6.1.5.2.3

Defines the selected security capabilities by a SEPP.

SecurityCapability

6.1.5.3.3

Enumeration of security capabilities.

SecParamExchReqData

6.1.5.2.4

Request data structure for parameter exchange

SecParamExchRspData

6.1.5.2.5

Response data structure for parameter exchange

ProtectionPolicy

6.1.5.2.6

The protection policy to be negotiated between the SEPPs.

ApiIeMapping

6.1.5.2.7

API URI to IE mapping on which the protection policy needs to be applied.

IeInfo

6.1.5.2.8

Protection and modification policy for the IE

ApiSignature

6.1.5.2.9

API URI of the service operation

N32fContextInfo

6.1.5.2.10

N32-f context information

N32fErrorInfo

6.1.5.2.11

N32-f error information.

FailedModificationInfo

6.1.5.2.12

Information on N32-f modifications block that failed to process.

N32fErrorDetail

6.1.5.2.13

Details about the N32f error.

CallbackName

6.1.5.2.14

Callback Name.

IpxProviderSecInfo

6.1.5.2.15

Defines the security information list of an IPX.

IntendedN32Purpose

6.1.5.2.16

Defines the intended N32 establishment purpose.

HttpMethod

6.1.5.3.4

Enumeration of HTTP methods.

IeType

6.1.5.3.5

Enumeration of types of IEs (i.e kind of IE) to specify the protection policy.

IeLocation

6.1.5.3.6

Location of the IE in a HTTP message.

N32fErrorType

6.1.5.3.7

Type of error while processing N32-f message.

FailureReason

6.1.5.3.8

Reason for failure to reconstruct a HTTP/2 message from N32-f message.

Fqdn

3GPP TS 29.571 [12]

SupportedFeatures

3GPP TS 29.571 [12]

Used to negotiate the applicability of the optional features defined in table 6.1.7-1.

sender

Fqdn

M

1

This IE shall uniquely identify the SEPP that is sending the request. This IE is used to identify and store the negotiated security capability against the right SEPP.

supportedSecCapabilityList

array(SecurityCapability)

M

1..N

This IE shall contain the list of security capabilities that the requesting SEPP supports.

To tear down the N32-f TLS connection, this IE shall set SecurityCapability as "NONE".

3GppSbiTargetApiRootSupported

boolean

C

0..1

This IE should be present and indicate that the 3gpp-Sbi-Target-apiRoot HTTP header is supported, if TLS security is supported for N32f message forwarding.

When present, it shall indicate if TLS security using the 3gpp-Sbi-Target-apiRoot HTTP header is supported:

– true: supported

– false (default): not supported

(NOTE 1)

plmnIdList

array(PlmnId)

O

1..N

A list of PLMN IDs associated with the SEPP, which is sending the request. The list to be stored by the receiving SEPP in a N32-f Context (see clause 5.9.3 in 3GPP TS 33.501 [6])

snpnIdList

array(PlmnIdNid)

O

1..N

A list of SNPN IDs associated with the SEPP, which is sending the request. The list to be stored by the receiving SEPP in a N32-f Context (see clause 5.9.3 in 3GPP TS 33.501 [6])

targetPlmnId

PlmnId

O

1

When present, this IE shall contain a PLMN ID of the target SEPP.

See clause 5.2.2 step 1.

targetSnpnId

PlmnIdNid

O

0..1

When present, this IE shall contain a SNPN ID of the target SEPP. See clause 5.2.2 step 1.

intendedUsagePurpose

array(IntendedN32Purpose)

O

1..N

This attribute notifies the list of requested usage purpose the N32 is established for.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.7 is supported

senderN32fFqdn

Fqdn

O

0..1

This IE may be present if TLS is present in the supportedSecCapabilityList IE, and the sending SEPP wishes the receiving SEPP to establish the N32-f connection towards a specific FQDN, if TLS is selected as the security option for N32-f.

(NOTE 2)

senderN32fPort

Uinteger

O

0..1

This IE may be present if TLS is present in the supportedSecCapabilityList IE, and the sending SEPP wishes the receiving SEPP to establish the N32-f connection using a specific port number, if TLS is selected as the security option for N32-f.

(NOTE 3)

NOTE 1: The attribute name does not follow the naming conventions specified in 3GPP TS 29.501 [5]. The attribute name is kept though as defined in the current specification for backward compatibility reason.

NOTE 2: If the senderN32fFqdn IE is absent, the receiving SEPP establishes the N32-f connection towards the sending SEPP using the N32-c FQDN and/or local configuration. SEPP implementations complying with earlier releases of the specification may not support this IE.

NOTE 3: If the senderN32fPort IE is absent, the receiving SEPP shall use a locally configured port if any, otherwise the default HTTPs port number, i.e., TCP port 443 for "https" URIs as specified in IETF RFC 7540 [7]. SEPP implementations complying with earlier releases of the specification may not support this IE.

sender

Fqdn

M

1

This IE shall uniquely identify the SEPP that is sending the response. This IE is used to identify and store the negotiated security capability against the right SEPP.

selectedSecCapability

SecurityCapability

M

1

This IE shall contain the security capability selected by the responding SEPP.

When the request is for tearing down the N32-f TLS connection, the responding SEPP shall add SecurityCapability as "NONE".

3GppSbiTargetApiRootSupported

boolean

C

0..1

This IE should be present and indicate that the 3gpp-Sbi-Target-apiRoot HTTP header is supported, if TLS security is negotiated for N32f message forwarding and the initiating SEPP indicated support of this header.

When present, it shall indicate if TLS security using the 3gpp-Sbi-Target-apiRoot HTTP header is supported:

– true: supported

– false (default): not supported

(NOTE 1)

plmnIdList

array(PlmnId)

O

1..N

A list of PLMN IDs of a single PLMN associated with the SEPP, which is sending the response. The list to be stored by the receiving SEPP in a N32-f Context (see clause 5.9.3 in 3GPP TS 33.501 [6]).

If different PLMNs are represented by different PLMN IDs supported by a SEPP, then the SEPP shall select the PLMN as specified in clause 5.2.2 step 2a.

snpnIdList

array(PlmnIdNid)

O

1..N

A list of SNPN IDs of a single SNPN associated with the SEPP, which is sending the response. The list to be stored by the receiving SEPP in a N32-f Context (see clause 5.9.3 in 3GPP TS 33.501 [6]).

If different SNPNs are represented by different SNPN IDs supported by a SEPP, then the SEPP shall select the SNPN as specified in clause 5.2.2 step 2a.

allowedUsagePurpose

array(IntendedN32Purpose)

O

1..N

This attribute notifies the list of allowed usage purpose the N32 is established for.

IntendedN32Purpose shall not include attribute "cause".

rejectedUsagePurpose

array(IntendedN32Purpose)

O

1..N

This attribute notifies the list of rejected usage purpose the N32 is established for.

Shall only be present if any of the requested usage purpose is rejected.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.7 is supported

senderN32fFqdn

Fqdn

O

0..1

This IE may be present if TLS is present in the selectedSecCapability IE, and the sending SEPP wishes the receiving SEPP to establish the N32-f connection towards a specific FQDN.

(NOTE 2)

senderN32fPort

Uinteger

O

0..1

This IE may be present if TLS is present in the supportedSecCapabilityList IE, and the sending SEPP wishes the receiving SEPP to establish the N32-f connection using a specific port number.

(NOTE 3)

NOTE 1: The attribute name does not follow the naming conventions specified in 3GPP TS 29.501 [5]. The attribute name is kept though as defined in the current specification for backward compatibility reason.

NOTE 2: If the senderN32fFqdn IE is absent, the receiving SEPP establishes the N32-f connection towards the sending SEPP using the N32-c FQDN and/or local configuration. SEPP implementations complying with earlier releases of the specification may not support this IE.

NOTE 3: If the senderN32fPort number is absent, the receiving SEPP shall use a locally configured port, if any, otherwise the default HTTPs port number, i.e., TCP port 443 for "https" URIs as specified in IETF RFC 7540 [7]. SEPP implementations complying with earlier releases of the specification may not support this IE.

n32fContextId

string

M

1

This IE shall contain the context identifier to be used by the responding SEPP for subsequent JOSE protected message forwarding procedure over N32-f towards the initiating SEPP. The initiating SEPP shall use this context identifier to locate the cipher suite and protection policy exchanged and agreed to be used with the responding SEPP, for the message forwarding procedure over N32-f.

The n32fContextId shall encode a 64-bit integer in hexadecimal representation. Each character in the string shall take a value of "0" to "9" or "A" to "F" and shall represent 4 bits. The most significant character representing the 4 most significant bits of the N32-f context Id shall appear first in the string, and the character representing the 4 least significant bit of the N32-f context Id shall appear last in the string.

Pattern: ‘^[A-Fa-f0-9]{16}$’

Example: "0600AD1855BD6007".

jweCipherSuiteList

array(string)

C

1..N

This IE shall be present during the parameter exchange procedure for cipher suite negotiation (see clause 5.2.3.2). When present, this IE shall contain the ordered list of JWE cipher suites supported by the requesting SEPP. Valid values for the string are as specified in clause 5.1 of IETF RFC 7518 [13].

jwsCipherSuiteList

array(string)

C

1..N

This IE shall be present during the parameter exchange procedure for cipher suite negotiation (see clause 5.2.3.2). When present, this IE shall contain the ordered list of JWS cipher suites supported by the requesting SEPP. Valid values for the string are as specified in clause 3.1 of IETF RFC 7518 [13].

protectionPolicyInfo

ProtectionPolicy

C

0..1

This IE shall be present during the parameter exchange procedure for protection policy exchange (see clause 5.2.3.3). When present, this IE shall contain the data type encryption policy requested by the requesting SEPP and/or the modification policy supported by the IPX(s) on the side of the requesting SEPP.

ipxProviderSecInfoList

array(IpxProviderSecInfo)

C

1..N

This IE includes the list of IPX security information.

sender

Fqdn

C

0..1

This IE shall be present if the Parameter Exchange request is sent on a different N32-c HTTP connection than the one used to perform the Security Capability Negotiation procedure. It may be present otherwise.

When present, it shall uniquely identify the SEPP that is sending the request. This IE is used to store the exchanged parameters against the right SEPP.

n32fContextId

string

M

1

This IE shall contain the context identifier to be used by the initiating SEPP for subsequent JOSE protected message forwarding procedure over N32-f towards the responding SEPP. The responding SEPP shall use this context identifier to locate the cipher suite and protection policy exchanged and agreed to be used with the initiating SEPP, for the message forwarding procedure over N32-f.

The n32fContextId shall encode a 64-bit integer in hexadecimal representation. Each character in the string shall take a value of "0" to "9" or "A" to "F" and shall represent 4 bits. The most significant character representing the 4 most significant bits of the N32-f context Id shall appear first in the string, and the character representing the 4 least significant bit of the N32-f context Id shall appear last in the string.

Pattern: ‘^[A-Fa-f0-9]{16}$’

Example: "0600AD1855BD6007".

selectedJweCipherSuite

string

C

1

This IE shall be present during the parameter exchange procedure for cipher suite negotiation (see clause 5.2.3.2). When present, this IE shall contain the JWE cipher suite selected by the responding SEPP.

selectedJwsCipherSuite

string

C

1

This IE shall be present during the parameter exchange procedure for cipher suite negotiation (see clause 5.2.3.2). When present, this IE shall contain the JWS cipher suite selected by the responding SEPP.

selProtectionPolicyInfo

ProtectionPolicy

C

0..1

This IE shall be present during the parameter exchange procedure for protection policy exchange (see clause 5.2.3.3). When present, this IE shall contain the data type encryption policy selected by the responding SEPP and/or the modification policy supported by the IPX(s) on the side of the responding SEPP.

ipxProviderSecInfoList

array(IpxProviderSecInfo)

C

1..N

This IE includes the list of IPX security information.

sender

Fqdn

C

0..1

This IE shall be present if the Parameter Exchange response is sent on a different N32-c HTTP connection than the one used to perform the Security Capability Negotiation procedure. It may be present otherwise.

When present, it shall uniquely identify the SEPP that is sending the response. This IE is used to store the exchanged parameters against the right SEPP.

apiIeMappingList

array(ApiIeMapping)

M

1..N

Contains an array of API URI to IE type – IE name mapping. The mapping includes an indication against each IE if that IE is allowed to be modified by the IPX on the side of the SEPP or not.

dataTypeEncPolicy

array(IeType)

C

1..N

This IE shall be present when the SEPPs need to exchange the IE protection policies. When present, this IE shall contain the list of IE types that the SEPP intends to protect by ciphering.

apiSignature

ApiSignature

M

1

This IE shall contain:

– The API URI of the NF service operations following request/response semantic; or

– The API URI of the subscribe / unsubscribe service operation

apiMethod

HttpMethod

M

1

This IE shall contain the HTTP method used by the API.

IeList

array(IeInfo)

M

1..N

This IE shall contain the array of Ies in the API.

(NOTE)

NOTE: The attribute name does not follow the naming conventions specified in 3GPP TS 29.501 [5]. The attribute name is kept though as defined in the current specification for backward compatibility reason.

ieLoc

IeLocation

M

1

This IE shall contain the location of the IE mentioned in "reqBodyIePath" or "rspBodyIePath" (i.e URI parameter or JSON body or multipart message)

ieType

IeType

M

1

This IE shall contain the type of the IE, representing the nature of the information the IE is carrying.

reqIe

string

C

0..1

This IE shall be included when the Ies in HTTP/2 request messages of an API need to be protected when forwarded over N32-f. When present, this IE shall contain:

– The JSON pointer representation of the IE to be protected, if the "ieLoc" indicates "BODY". Only the JSON pointer of the leaf IEs are included;

– The name of the URI query attribute to be protected, if the "ieLoc" indicates "URI_PARAM";

– The name of the HTTP header, if the "ieLoc" indicates "HEADER";

– The JSON pointer representation of the attribute defined with the RefToBinaryData type if the "ieLoc" indicates "MULTIPART_BINARY". It shall be encoded as: <JSON Pointer of the attribute defined with the RefToBinaryData type>/data.

rspIe

string

C

0..1

This IE shall be included when the IEs in HTTP/2 response messages of an API need to be protected when forwarded over N32-f. When present, this IE shall contain:

– The JSON pointer representation of the IE to be protected, if the "ieLoc" indicates "BODY". Only the JSON pointer of the leaf IEs are included;

– The name of the URI query attribute to be protected, if the "ieLoc" indicates "URI_PARAM";

– The name of the HTTP header, if the "ieLoc" indicates "HEADER";

– The JSON pointer representation of the attribute defined with the RefToBinaryData type if the "ieLoc" indicates "MULTIPART_BINARY". It shall be encoded as: <JSON Pointer of the attribute defined with the RefToBinaryData type>/data.

isModifiable

boolean

C

0..1

This IE shall be included if the IE is allowed to be modified by all IPX(s) on the side of the SEPP sending the API IE mapping. When present,

– true, indicates that the IE is allowed to be modified by all IPX(s) on the side of the SEPP;

– false, indicates that the IE is not allowed to be modified by any IPX on the side of the SEPP;

– default is false.

When the IE is not included, the default value shall be applied.

(NOTE)

isModifiableByIpx

map(boolean)

C

0..1

This IE shall be included if the IE is allowed to be modified by some of (but not all) the IPX(s) on the side of the SEPP sending the API IE mapping. The key of the map is the ipxProviderId for which the boolean applies.

When present, each element carries the isModifiable indication for the IPX indicated by the key.

(NOTE)

NOTE: Either isModifiable or isModifiableByIpx may be present, but not both.

Uri

1

API URI of a request/response or subscribe/unsubscribe NF service operation as specified in the respective API specification with the variable parts other than {apiVersion} unresolved.

Examples:

"{apiRoot}/nsmf-pdusession/v1/sm-contexts", for the SMF PDUSession Create SM Context service operation.

"{apiRoot}/nsmf-pdusession/v1/sm-contexts/{smContextRef}/modify", for the SMF PDUSession Update SM Context service operation.

.

CallbackName

1

A value identifying the type of callback.

n32fContextId

string

M

1

This IE shall contain the N32-f context identifier of the receiving SEPP.

The n32fContextId shall encode a 64-bit integer in hexadecimal representation. Each character in the string shall take a value of "0" to "9" or "A" to "F" and shall represent 4 bits. The most significant character representing the 4 most significant bits of the N32-f context Id shall appear first in the string, and the character representing the 4 least significant bit of the N32-f context Id shall appear last in the string.

Pattern: ‘^[A-Fa-f0-9]{16}$’

Example: "0600AD1855BD6007".

n32fMessageId

string

M

1

This IE shall contain the N32-f message identifier received over N32-f (see clause 6.2.5.2.9).

n32fErrorType

N32fErrorType

M

1

This IE shall contain the type of processing error encountered by the SEPP initiating the N32-f error reporting procedure.

n32fContextId

string

C

0..1

This IE shall be present if available.

When present, this IE shall contain the n32fContextId of the SEPP receiving N32-f error reporting message, which is exchanged between the SEPPs during the parameter exchange procedure (see clause 5.2.3).

The n32fContextId shall encode a 64-bit integer in hexadecimal representation. Each character in the string shall take a value of "0" to "9" or "A" to "F" and shall represent 4 bits. The most significant character representing the 4 most significant bits of the N32-f context Id shall appear first in the string, and the character representing the 4 least significant bit of the N32-f context Id shall appear last in the string.

Pattern: ‘^[A-Fa-f0-9]{16}$’

Example: "0600AD1855BD6007".

failedModificationList

array(FailedModificationInfo)

C

1..N

This IE shall be present if the n32ErrorType is "INTEGRITY_CHECK_ON_MODIFICATIONS_FAILED" or "MODIFICATIONS_INSTRUCTIONS_FAILED". When present this IE shall contain a list of FQDNs of the IPX-es whose inserted modifications failed to process at the SEPP initiating the N32-f error reporting procedure, together with the reason for the failure to process.

errorDetailsList

array(N32fErrorDetail)

O

1..N

This IE may be included when the n32ErrorType IE indicates "MESSAGE_RECONSTRUCTION_FAILED ". When present, this IE shall contain a list of JSON pointers to the IEs that failed to process together with the reason for the failure to process that IE.

ipxId

Fqdn

M

1

This IE shall identify the IPX.

n32fErrorType

N32fErrorType

M

1

This IE shall contain the type of processing error on the modifications block, encountered by the SEPP initiating the N32-f error reporting procedure. The value shall be one of the following:

INTEGRITY_CHECK_ON_MODIFICATIONS_FAILED;

MODIFICATIONS_INSTRUCTIONS_FAILED

attribute

string

M

1

Contains either a HTTP header name or the JSON pointer of an attribute within the N32-f message that failed to reconstruct. The value shall be one of the values of the iePath attribtue (see clause 6.2.5.2.8) in the received N32-f message.

msgReconstructFailReason

FailureReason

M

1

Indicates the reason for the failure to reconstruct the attribute.

callbackType

string

M

1

This IE shall contain a string identifying the type of callback. The value shall be one of the values specified in 3GPP 29.500 [4], Annex B.

ipxProviderId

Fqdn

M

1

This IE shall uniquely identify the IPX.

rawPublicKeyList

array(string)

C

1..N

This IE includes the list of raw public keys for the IPX.

When present, each array item shall contain a raw public key for the IPX, with textual encoding as specified in clause 13 of IETF RFC 7468 [21].

certificateList

array(string)

C

1..N

This IE includes the list of certificates for the IPX.

When present, each array item shall contain a certificate for the IPX, with textual encoding as specified in IETF RFC 7468 [21].

NOTE: Either the rawPublicKeyList attribute, or the certificateList attribute, shall be present.

usagePurpose

N32Purpose

M

1

This attribute provides the one purpose of the intended N32 establishment.

additionalInfo

String

O

0..1

This attribute provides any additional information necessary to characterize the intention for N32 establishment.

cause

String

O

0..1

This attribute, if present, provided the reason for the reject for the purpose described in other attributes are rejected (e.g. "NO_CONTRACT").

This attribute shall be absent if the intended purpose is allowed.

"TLS"

TLS security.

"PRINS"

PRotocol for N32 INterconnect Security.

"NONE"

N32-f TLS connection termination

NFTLST

"GET"

HTTP GET Method.

"PUT"

HTTP PUT Method.

"POST"

HTTP POST Method.

"DELETE"

HTTP DELETE Method.

"PATCH"

HTTP PATCH Method.

"HEAD"

HTTP HEAD Method.

"OPTIONS"

HTTP OPTIONS Method.

"CONNECT"

HTTP CONNECT Method.

"TRACE"

HTTP TRACE Method.

"UEID"

These are IEs which carry the UE identity (i.e. SUPI and GPSI). This also includes the long-lasting identity Charging ID.

An example of a UEID IE is gpsi IE defined in 3GPP TS 29.518 [25].

"LOCATION"

These are IEs which carry location information (i.e. cell-id and TAI).

An example of a LOCATION IE is ncgi IE defined in 3GPP TS 29.571 [12].

"KEY_MATERIAL"

These are IEs which carry keying material as KSEAF and UPU related information.

An example of a KEY_MATERIAL IE is upuInfo IE defined in 3GPP TS 29.503 [26].

"AUTHENTICATION_MATERIAL"

These are IEs which carry authentication material like authentication vectors and EAP payload.

An example of an AUTHENTICATION_MATERIAL IE is authenticationVector IE defined in 3GPP TS 29.503 [26].

"AUTHORIZATION_TOKEN"

These are IEs which carry authorization Token. The oauth2 access_token would be of this type.

An example of an AUTHORIZATION_TOKEN IE is access_token IE defined in 3GPP TS 29.510 [18].

"OTHER"

These are IEs which do not fall into one of the above types, but they would be considered sensitive, and which protection policies may wish to apply confidentiality protection.

"NONSENSITIVE"

These are IEs which carry information that are not sensitive. A protection policy would not normally encrypt (confidentiality protect) these.

"URI_PARAM"

IE is located in the URI parameters.

"HEADER"

IE is located in the HTTP header.

"BODY"

IE is located in the body.

"MULTIPART_BINARY"

IE is located in the message body but encoded as a multipart message information in binary format.

"INTEGRITY_CHECK_FAILED"

The integrity check verification on the received N32-f message failed.

"INTEGRITY_CHECK_ON_MODIFICATIONS_FAILED"

The integrity check verification on the modifications block of the received N32-f message failed.

"MODIFICATIONS_INSTRUCTIONS_FAILED"

Failed to apply the JSON patch instructions in the modifications block of the received N32-f message, e.g. the references to encBlockIndex is inserted or relocated by IPX (see clause 5.9.3.2 of 3GPP TS 33.501 [6]).

"DECIPHERING_FAILED"

The deciphering of the encrypted block of the received N32-f message failed.

"MESSAGE_RECONSTRUCTION_FAILED"

The reconstruction of the original HTTP/2 message from the received N32-f message failed.

"CONTEXT_NOT_FOUND"

The n32fContextId is unknown in the receiving SEPP. (NOTE)

"INTEGRITY_KEY_EXPIRED"

The integrity keys in the receiving SEPP have expired.

"ENCRYPTION_KEY_EXPIRED"

The encryption keys in the receiving SEPP have expired.

"POLICY_MISMATCH"

The encryption policy verification on the received N32-f message has failed, e.g. protected IEs are not ciphered, or unprotected IEs are ciphered.

NOTE: This enumeration value is deprecated and shall not be used by N32-f error reporting procedure over the N32-c interface.

"INVALID_JSON_POINTER"

The JSON pointer value in iePath attribute (see clause 6.2.5.2.8) is invalid.

"INVALID_INDEX_TO_ENCRYPTED_BLOCK"

The value part of the HttpPayload attribute (see clause 6.2.5.2.8) or HttpHeader attribute (see clause 6.2.5.2.7) is pointing to an invalid index to the encrypted block.

"INVALID_HTTP_HEADER"

The name of the header in the received HttpHeader attribute is invalid.

"ROAMING"

Usage dedicated to roaming

"INTER_PLMN_MOBILITY"

Usage corresponding to any inter-mobility transactions

"SMS_INTERCONNECT"

Usage dedicated to SMS interconnect, e.g. SMS sent between subscribers of two different networks

"ROAMING_TEST"

Usage dedicated to roaming, and allowed only for tests, e.g. to allow traffic for test subscribers/SUPI or sessions

"INTER_PLMN_MOBILITY_TEST"

Usage corresponding to any inter-mobility transactions and allowed only for tests, e.g. to allow traffic for test subscribers/SUPI or sessions

"SMS_INTERCONNECT_TEST"

Usage dedicated to SMS interconnect, e.g. SMS sent between subscribers of two different networks, and allowed only for tests, e.g. to allow traffic for test subscribers/SUPI or sessions

"SNPN_INTERCONNECT"

Usage dedicated to an interconnection with an SNPN

"SNPN_INTERCONNECT_TEST"

Usage corresponding to any interconnection with an SNPN and allowed only for tests, e.g. to allow traffic for test subscribers/SUPI or sessions

"DISASTER_ROAMING"

Usage dedicated to Disaster Roaming (see clause 5.40 of 3GPP TS 23.501 [2]).

"DISASTER_ROAMING_TEST"

Usage dedicated to Disaster Roaming (see clause 5.40 of 3GPP TS 23.501 [2]) and allowed only for tests, e.g. to allow traffic for test subscribers/SUPI or sessions.

REQUESTED_PARAM_MISMATCH

409 Conflict

This represents a parameter mismatch has been detected by the receiving SEPP, i.e. received data-type encryption or modification policy conflict with the one manually configured for the specific roaming partner, interconnect partner and IPX provider

REQUESTED_PURPOSE_NOT_ALLOWED

403 Forbidden

This represents that all the requested purposes included in the request was rejected by the receiving SEPP.

NEGOTIATION_NOT_ALLOWED

403 Forbidden

This represents a security capability negotiation failure at the receiving SEPP, i.e., the received security capability from the peer SEPP is not configured to be supported at the receiving SEPP.

1

NFTLST

O

N32-f TLS Connection Termination Support

A SEPP that supports this feature shall support handling of Security Capability Negotiation procedure to tear down the N32-f TLS connection as specified in clause 5.2.2).

Feature number: The order number of the feature within the supportedFeatures attribute (starting with 1).

Feature: A short name that can be used to refer to the bit and to the feature.

M/O: Defines if the implementation of the feature is mandatory ("M") or optional ("O").

Description: A clear textual description of the feature.

JOSE Protected Forwarding

/n32f-process

POST

This is the N32f forwarding API used to forward a reformatted and JOSE protected message to a receiving SEPP.

JOSE Protected Forwarding Options

/n32f-process

OPTIONS

Discover the communication options supported by the next hop (IPX or SEPP) for N32-f message processing.

apiRoot

string

See clause 6.1.1.

N32fReformattedReqMsg

M

1

This IE shall contain the reformatted HTTP/2 message comprising the plain text part, encrypted information, meta data and modification chain information. See clause 6.2.5.2.2.

N32fReformattedRspMsg

M

1

200 OK

This represents the successful processing of the reformatted JOSE protected message at the responding SEPP. The responding SEPP shall provide the reformatted and JOSE protected content of the corresponding HTTP/2 response message received from the NF service producer, or the HTTP/2 notification response message received from the NF service consumer.

ProblemDetails

O

0..1

403 Forbidden

When the receiving SEPP fails to process the reconstructed message due to PLMN ID verification failure, the "cause" attribute shall be set to "PLMNID_MISMATCH".

When the receiving SEPP receives HTTP requests over N32-f with purpose, marked using 3gpp-Sbi-Interplmn-Purpose header as specified in 3GPP TS 29.500 [4], that does not match with any of the purposes exchanged via the Security Capability Negotiation procedure, then the "cause" attribute shall be set to "REQUESTED_PURPOSE_NOT_ALLOWED".

When the receiving SEPP fails to process the reconstructed message due to the n32fContextId is unknown, the "cause" attribute shall be set to "CONTEXT_NOT_FOUND".

When the receiving SEPP fails to process the reconstructed message, and the error is reported by N32f error reporting procedure as specified in clause 5.2.5, the "cause" attribute shall be set to "UNSPECIFIED".

NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4]).

3gpp-Sbi-Message-Priority

string

O

0..1

3gpp-Sbi-Message-Priority header, defined in 3GPP TS 29.500 [4].

3gpp-Sbi-Message-Priority

string

O

0..1

3gpp-Sbi-Message-Priority header, defined in 3GPP TS 29.500 [4].

apiRoot

string

See clause 6.1.1.

n/a

n/a

n/a

204 No Content

ProblemDetails

O

0..1

405 Method Not Allowed

ProblemDetails

O

0..1

501 Not Implemented

NOTE: The mandatory HTTP error status codes for the OPTIONS method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4]).

Accept-Encoding

string

O

0..1

Accept-Encoding, described in IETF RFC 7694 [24]

N32fReformattedReqMsg

6.2.5.2.2

Contains the reformatted HTTP/2 request message

N32fReformattedRspMsg

6.2.5.2.3

Contains the reformatted HTTP/2 response message

DataToIntegrityProtectAndCipherBlock

6.2.5.2.4

HTTP header to be encrypted or the value of a JSON attribute to be encrypted

DataToIntegrityProtectBlock

6.2.5.2.5

Data to be integrity protected

RequestLine

6.2.5.2.6

Contains the request line of the HTTP API request being reformatted and forwarded over N32-f

HttpHeader

6.2.5.2.7

Contains the encoding of HTTP headers in the API request / response

HttpPayload

6.2.5.2.8

Contains the encoding of JSON payload in the API request / response

MetaData

6.2.5.2.9

Contains the meta data information needed for replay protection

Modifications

6.2.5.2.10

Information on inserting of the modifications entry

FlatJweJson

6.2.5.2.11

Contains the integrity protected reformatted block

FlatJwsJson

6.2.5.2.12

Contains the modification from IPXes on path

IndexToEncryptedValue

6.2.5.2.13

Index to the encrypted value

EncodedHttpHeaderValue

6.2.5.2.14

HTTP header value or index to the HTTP header value

HttpMethod

6.1.5.3.5

IeLocation

6.1.5.3.6

PatchItem

3GPP TS 29.571 [12]

UriScheme

3GPP TS 29.571 [12]

Fqdn

3GPP TS 29.571 [12]

reformattedData

FlatJweJson

M

1

This IE shall contain the integrity protected reformatted block as well as the ciphered part of the reformatted block of the HTTP/2 request message sent between NF service producer and consumer.

The SEPP shall reformat the HTTP/2 request message as:

– The part of original HTTP/2 request message headers and the payload that needs to be only integrity protected is first reformatted into "DataToIntegrityProtectBlock" and then fed as input for the "aad" parameter of the FlatJweJson after subjecting to BASE64URL encoding.

The part of the original HTTP/2 request message headers and payload that require integrity protection and ciphering is first reformatted into "DataToIntegrityProtectAndCipherBlock" and then fed as input for JWE ciphering and the JWE ciphered block is then BASE64URL encoded and set into the "ciphertext" parameter of the FlatJweJson.

modificationsBlock

array(FlatJwsJson)

C

1..N

This IE shall be included if the IPXes on path are allowed to apply modification policies and if they have any specific modification to be applied on the message contained in the DataToIntegrityProtectBlock.

reformattedData

FlatJweJson

M

1

This IE shall contain the integrity protected reformatted block as well as the ciphered part of the reformatted block of the HTTP/2 response message sent between NF service producer and consumer.

The SEPP shall reformat the HTTP/2 response message as:

– The part of original HTTP/2 response message headers and the payload that needs to be only integrity protected is first reformatted into "DataToIntegrityProtectBlock" and then fed as input for the "aad" parameter of the FlatJweJson after subjecting to BASE64URL encoding.

– The part of the original HTTP/2 response message headers and payload that require integrity protection and ciphering is first reformatted into "DataToIntegrityProtectAndCipherBlock" and then fed as input for JWE ciphering and the JWE ciphered block is then BASE64URL encoded and set into the "ciphertext" parameter of the FlatJweJson.

modificationsBlock

array(FlatJwsJson)

C

1..N

This IE shall be included if the IPXes on path are allowed to apply modification policies and if they have any specific modification to be applied on the message contained in the DataToIntegrityProtectBlock.

dataToEncrypt

array(Any Type)

M

1..N

This IE shall contain the input for ciphering as a JSON object block containing an array of values with arbitrary types. Each entry of the array shall contain the value of a HTTP header to be encrypted or the value of a JSON attribute to be encrypted.

metaData

MetaData

C

0..1

This IE shall be included if the SEPP encodes additional information for replay protection. When present this IE shall contain the meta data information needed for replay protection.

requestLine

RequestLine

C

1

This IE shall be included when a JOSE protected API "request" is forwarded over N32-f. When present, this IE shall contain the request line of the HTTP API request being reformatted and forwarded over N32-f.

statusLine

string

C

0..1

This IE shall be included when a JOSE protected API "response" is forwarded over N32-f. When present, this IE shall contain the status line of the HTTP API response being reformatted and forwarded over N32-f.

headers

array(HttpHeader)

C

1..N

This IE shall be included when a JOSE protected API request / response contains HTTP headers. When present this IE shall contain the encoding of HTTP headers in the API request / response.

payload

array(HttpPayload)

C

1..N

This IE shall be included when a JOSE protected API request / response contains JSON payload that needs to be sent in clear text. When present this IE shall contain the encoding of JSON payload in the API request / response.

method

HttpMethod

M

1

This IE shall contain the HTTP method of the API invoked by the NF service consumer / producer behind the SEPP towards its peer NF service in the other PLMN.

scheme

UriScheme

M

1

This IE shall contain the HTTP scheme of the API.

authority

string

M

1

This IE shall contain the authority part of the URI of the API being invoked.

path

string

M

1

This IE shall contain the path part of the URI of the API being invoked.

protocolVersion

string

M

1

This IE shall contain the HTTP protocol version. The version shall be 2 in this release of this specification.

queryFragment

string

C

0..1

This IE shall contain the query fragment part of the API, if available.

header

string

M

1

This IE shall contain the name of the HTTP header to encoded.

value

EncodedHttpHeaderValue

M

1

This IE shall contain the value of the HTTP header. The value of the HTTP header shall be encoded as:

– value field of the EncodedHttpHeaderValue structure specified in clause 6.2.5.2.14 if the HTTP header is not to be encrypted.

– IndexToEncryptedValue structure specified in clause 6.2.5.2.13 if the value of the HTTP header is to be encrypted.

iePath

string

M

1

This IE identifies the JSON pointer representation (see IETF RFC 6901 [17]) of full JSON path of the IE to be encoded. IEs that are of type object shall be flattened into each individual attribute’s full JSON path and the HttpPayload IE shall only contain the final leaf attribute IE path and its corresponding value.

ieValueLocation

IeLocation

M

1

This IE shall identify where the IE value is located – i,e in the JSON body or in the multipart message part.

value

object

M

1

This IE shall contain the value of the IE corresponding to "iePath", encoded as a free form object.

If the value of this IE is encrypted, then the value part shall be encoded as

{

"encBlockIndex": <array index in DataToIntegrityProtectAndCipherBlock>

}

(see clause 6.2.5.2.4).

If the value of this IE is a RefToBinary data type (see 3GPP TS 29.571 [12], then value shall contain the value of the Content-ID header field of the referenced binary body part.

The referenced binary body part of the multipart/related message shall be either encrypted or not encrypted depending on the protection policy exchanged between the SEPPs.

If the referenced binary body part is required to be encrypted, then the binary part is first base64 encoded into a byte array and then inserted into the "DataToIntegrityProtectAndCipherBlock". Then two HttpPayload instances with the following values shall be added immediately after this HttpPayload instance in the "DataToIntegrityProtectBlock"

{

"iePath": <JSON Pointer of the attribute defined with theRefToBinaryData type >/contenttype

"ieValueLocation": "MULTIPART_BINARY"

"value": <value of the content type of multipart binary>

},

{

"iePath": <JSON Pointer of the attribute defined with the RefToBinaryData type>/data,

"ieValueLocation": "MULTIPART_BINARY"

"value": {"encBlockIndex": <array index in DataToIntegrityProtectAndCipherBlock that contains the byte array>}

}

If the referenced binary body part is not required to be encrypted, then the binary part is first base64 encoded into a byte array and then inserted as new instance of HttpPayload IE in " DataToIntegrityProtectBlock" as

{

"iePath": <JSON Pointer of the attribute defined with the RefToBinaryData type>/contenttype

"ieValueLocation": "MULTIPART_BINARY"

"value": <value of the content type of multipart binary>

},

{

"iePath": <JSON path of the attribute defined with the RefToBinaryData type>/data,

"ieValueLocation": "MULTIPART_BINARY"

"value": <base64 encoded byte array>

}

See NOTE 1.

NOTE 1: In this release of this specification only N16 interface has binary content and there is no sensitive information carried over N16 interface. Consequently ciphering of binary part is not required in this release of this specification. The encoding specified here is to provide a N32-f framework in a future proof manner so that if a binary part need to be encrypted in future this structure can be used.

n32fContextId

string

M

1

This IE shall contain the n32fContextId of the SEPP receiving the message, which is exchanged between the SEPPs during the parameter exchange procedure (see clause 5.2.3).

The n32fContextId shall encode a 64-bit integer in hexadecimal representation. Each character in the string shall take a value of "0" to "9" or "A" to "F" and shall represent 4 bits. The most significant character representing the 4 most significant bits of the N32-f context Id shall appear first in the string, and the character representing the 4 least significant bit of the N32-f context Id shall appear last in the string.

Pattern: ‘^[A-Fa-f0-9]{16}$’

Example: "0600AD1855BD6007".

messageId

string

M

1

This IE identifies a particular request that is transformed by the SEPP. The value of this IE shall be encoded in hexadecimal representation of a 64 bit integer. This identifier is used in the N32-f error reporting procedure as specified in clause 6.1.4.5.

Pattern: ^[a-fA-F0-9]{1, 16}$

authorizedIpxId

string

M

1

This IE identifies the first hop IPX that is authorized to insert modifications block. The identifier of the IPX shall be an FQDN. When there is no IPX that’s authorized to update, the value of this IE is set to the string "NULL".

operations

array(PatchItem)

C

1..N

This IE shall be included if an intermediary IPX inserts modification instructions on the JSON data carried in the "DataToIntegrityProtectBlock" part of the N32-f forwarded message. For the first modifications entry, this IE shall not be included, since the first entry is inserted by the SEPP.

identity

Fqdn

M

1

This IE shall contain the identity of the entity inserting the modifications entry. The identity shall be encoded in the form of an URI.

tag

string

C

0..1

This IE shall be present when the JWE Authentication Tag value is non-empty as specified in IETF RFC 7515 [16]. When present, this IE shall contain the BASE64URL(JWE Authentication Tag).

protected

string

C

0..1

This IE shall be present if there is a JWE Protected Header part of the JOSE header to encode as specified in IETF RFC 7516 [14]. When present, this IE shall contain the BASE64URL(UTF8(JWE Protected Header)) encoding of the JWE protected header.

unprotected

object

C

0..1

This IE shall be present if there is a JWE unprotected header part of the JOSE header that is shared across recipients, to encode as specified in IETF RFC 7515 [16]. This value is represented as

an unencoded free form JSON object, rather than as a string. These Header Parameter values are not integrity protected.

header

object

C

0..1

This IE shall be present if there is a JWE unprotected header part of the JOSE header that is specific for the recipient, to encode as specified in IETF RFC 7515 [16]. This value is represented as

an unencoded free form JSON object, rather than as a string. These Header Parameter values are not integrity protected.

encrypted_key

string

C

0..1

This IE shall be present when the JWE Encrypted Key for the recipient is non empty. When present this IE shall contain BASE64URL(JWE Encrypted Key).

(NOTE)

aad

string

C

0..1

This IE shall be present when the JWE AAD value is non-empty as specified in IETF RFC 7515 [16]. When present, this IE shall contain BASE64URL encoding of the DataToIntegrityProtectBlock JSON object (see clause 6.2.5.2.5).

iv

string

C

0..1

This IE shall be present when the JWE Initialization Vector is non-empty as specified in IETF RFC 7515 [16]. When present, this IE shall contain the BASE64URL(JWE Initialization Vector).

ciphertext

string

M

1

This IE shall contain BASE64URL(JWE Ciphertext). The input for JWE ciphering is the DataToIntegrityProtecAndCiphertBlock (see clause 6.2.5.2.5).

tag

string

C

0..1

This IE shall be present when the JWE Authentication Tag value is non-empty as specified in IETF RFC 7515 [16]. When present, this IE shall contain the BASE64URL(JWE Authentication Tag).

NOTE: The attribute name does not follow the naming conventions specified in 3GPP TS 29.501 [5]. The attribute name is kept though as defined in the current specification for backward compatibility reason.

payload

string

M

1

This IE shall contain the BASE64URL encoding of the Modifications JSON object (see clause 6.2.5.2.10).

protected

string

C

0..1

This IE shall be present if there is a JWS Protected Header part of the JOSE header to encode as specified in IETF RFC 7515 [16]. When present, this IE shall contain the BASE64URL(UTF8(JWS Protected Header)) encoding of the JWS protected header.

header

object

C

0..1

This IE shall be present if there is a JWS unprotected header part of the JOSE header to encode as specified in IETF RFC 7515 [16]. This value is represented as

an unencoded free form JSON object, rather than as a string. These Header Parameter values are not integrity protected.

signature

string

M

1

This IE shall contain the BASE64URL encoded value of the calculated JWS signature.

encBlockIndex

Uinteger

M

1

Index to the value in DataToIntegrityProtectAndCipherBlock

string

1

HTTP header value.

IndexToEncryptedValue

1

Index to encrypted HTTP header in the DataToIntegrityProtectAndCipherBlock

PLMNID_MISMATCH

403 Forbidden

The PLMN ID in the Bearer token carried in the "Authorization" header of the reconstructed message does not match the PLMN ID of the N32-f context.

REQUESTED_PURPOSE_NOT_ALLOWED

403 Forbidden

The purpose indicated in 3gpp-Sbi-Interplmn-Purpose header as specified in 3GPP TS 29.500 [4] of the reconstructed message does not match with any of the purposes exchanged via the Security Capability Negotiation procedure.

CONTEXT_NOT_FOUND

403 Forbidden

The n32fContextId is unknown in the receiving SEPP.

UNSPECIFIED

403 Forbidden

The receiving SEPP fails to process the reconstructed message, and the error is reported by N32f error reporting procedure as specified in clause 5.2.5.

Mapping

/mapping

GET

Retrieve the mapping between the FQDN in a foreign PLMN and a telescopic FQDN, or viceversa.

apiRoot

string

See clause 6.3.1

foreign-fqdn

Fqdn

O

0..1

This parameter shall contain the FQDN of the NF in the foreign network, that needs to be flattened to a telescopic FQDN in the local network (i.e. an FQDN that points to the local SEPP).

telescopic-label

string

O

0..1

This parameter shall contain the first label used in a telescopic FQDN (i.e. an FQDN that points to the local SEPP) that needs to be mapped to an NF in the foreign network.

NOTE: The parameters "foreign-fqdn" and "telescopic-label" shall not be present simultaneously.

n/a

TelescopicMapping

M

1

200 OK

Upon success, a response body containing a TelescopicMapping object shall be returned

ProblemDetails

O

0..1

404 Not Found

The mapping between a foreign FQDN and a telescopic FQDN could not be found.

TelescopicMapping

6.3.4.2.2

Contains the Telescopic mapping data

Fqdn

3GPP TS 29.571 [12]

ProblemDetails

3GPP TS 29.571 [12]

Common data type for error responses

telescopicLabel

string

C

0..1

This parameter shall contain the first label to be used in a telescopic FQDN (i.e. an FQDN that points to the local SEPP) that corresponds to a given NF in the foreign network.

In a successful response, this parameter shall be included when the query parameter "foreign-fqdn" is present in the request.

seppDomain

Fqdn

C

0..1

This parameter shall contain the FQDN of the domain of the local SEPP that needs to be appended after the "telescopicLabel" to compose the complete flattened telescopic FQDN.

In a successful response, this parameter shall be included when the query parameter "foreign-fqdn" is present in the request.

foreignFqdn

Fqdn

C

0..1

This parameter shall contain the FQDN of the NF in the foreign network.

In a successful response, this parameter shall be included when the query parameter "telescopic-label" is present in the request.