6 gNB-CU-UP-specific security requirements and related test cases
3GPP TS 33.742, 5G Security Assurance Specification (SCAS), Split gNB product classes, Release 18
6.1 Introduction
gNB-CU-UP-specific security requirements include both requirements derived from gNB-CU-UP-specific security functional requirements and security requirements derived from threats specific to the gNB-CU-UP as described in TR 33.926 [4]. Generic security requirements and test cases common to other network product classes have been captured in TS 33.117 [2] and are not repeated in the present document.
6.2 Security functional adaptations of requirements and related test cases
6.2.1 Introduction
The present clause contains gNB-CU-UP-specific security functional adaptations of requirements and related test cases. Many of the security functional requirements are directly inherited from the gNB product class.
6.2.2 Requirements and test cases deriving from 3GPP specifications
6.2.2.1 Security functional requirements on the gNB-CU-UP deriving from 3GPP specifications – TS 33.501 [3]
6.2.2.1.1 Security functional requirements inherited from gNB
The following security functional requirements from clause 4.2.2.1 of TS 33.511 [6] apply to the gNB-CU-UP, with the gNB replaced by the gNB-CU-UP as the entity under test in the test cases and with the following changes to the threat references:
4.2.2.1.5 UP integrity check failure
Threat References: TR 33.926 [4], clause Y.2.2.4 – User plane data integrity protection.
4.2.2.1.8 Replay protection of user data between the UE and the gNB
Threat References: TR 33.926 [4], clause Y.2.2.4 – User plane data integrity protection.
6.2.2.1.2 Control plane data confidentiality protection over E1 interface
NOTE 1: This is based on the security functional requirement on the gNB given in 4.2.2.1.16 of TS 33.511 [6] but modified as the gNB-CU-UP only supports the E1 interface.
Requirement Name: Control plane data confidentiality protection over E1 interface
Requirement Reference: TS 33.501 [3], clause 5.3.10.
Requirement Description: "The E1 interface between CU-CP and CU-UP shall be confidentiality, integrity and replay protected." as specified in TS 33.501 [3], clause 5.3.10.
Threat References: TR 33.926 [4], clause Y.2.2.1 – Control plane data confidentiality protection.
Test Case: the test case in subclause 4.2.3.2.4 of TS 33.117 [2].
6.2.2.1.3 Control plane data integrity protection over E1 interface
NOTE 1: This is based on the security functional requirement on the gNB given in 4.2.2.1.17 of TS 33.511 [6] but modified as the gNB-CU-UP only supports the E1 interface.
Requirement Name: Control plane data integrity protection over E1 interface
Requirement Reference: TS 33.501 [3], clause 5.3.10.
Requirement Description: "The E1 interface between CU-CP and CU-UP shall be confidentiality, integrity and replay protected." as specified in TS 33.501 [3], clause 5.3.10.
Threat References: TR 33.926 [4], clause Y.2.2.2 – Control plane data integrity protection.
Test Case: the test case in subclause 4.2.3.2.4 of TS 33.117 [2].
Editor’s note: The user plane over network interface cases need to be added.
6.2.3 Technical Baseline
6.2.4 Operating systems
6.2.5 Web servers
6.2.6 Network devices
6.3 Adaptations of hardening requirements and related test cases
6.3.1 Introduction
6.3.2 Technical Baseline
6.3.3 Operating Systems
6.3.4 Web Servers
6.3.5 Network Devices
6.3.6 Network Functions in service-based architecture
The requirements and test cases in clause 4.3.6 of TS 33.117 [2] are not applicable to the gNB-CU-UP network products.