7 gNB-DU-specific security requirements and related test cases
3GPP TS 33.742, Release 18: 5G Security Assurance Specification (SCAS); Split gNB product classes
7.1 Introduction
gNB-DU-specific security requirements include both requirements derived from gNB-DU-specific security functional requirements and security requirements derived from threats specific to the gNB-DU, as described in TR 33.926 [4]. Generic security requirements and test cases common to other network product classes have been captured in TS 33.117 [2] and are not repeated in the present document.
7.2 Security functional adaptations of requirements and related test cases
7.2.1 Introduction
The present clause contains gNB-DU-specific security functional adaptations of requirements and related test cases.
7.2.2 Requirements and test cases deriving from 3GPP specifications
7.2.2.1 Security functional requirements on the gNB-DU deriving from 3GPP specifications – TS 33.501 [3]
7.2.2.1.1 Control plane data confidentiality protection over F1 interface
NOTE 1: This is based on the security functional requirement on the gNB given in 4.2.2.1.16 of TS 33.511 [6] but modified as the gNB-DU only supports the F1 interface.
Requirement Name: Control plane data confidentiality protection over F1 interface
Requirement Reference: TS 33.501 [3], clause 5.3.9.
Requirement Description: "F1-C interface shall support confidentiality, integrity and replay protection." as specified in TS 33.501 [3], clause 5.3.9.
Threat References: TR 33.926 [4], clause Z.2.2.1 – Control plane data confidentiality protection.
Test Case: the test case in subclause 4.2.3.2.4 of TS 33.117 [2].
7.2.2.1.2 Control plane data integrity protection over F1 interface
NOTE 1: This is based on the security functional requirement on the gNB given in 4.2.2.1.17 of TS 33.511 [6] but modified as the gNB-DU only supports the F1 interface.
Requirement Name: Control plane data integrity protection over F1 interface
Requirement Reference: TS 33.501 [3], clause 5.3.9.
Requirement Description: "F1-C interface shall support confidentiality, integrity and replay protection." as specified in TS 33.501 [3], clause 5.3.9.
Threat References: TR 33.926 [4], clause Z.2.2.2 – Control plane data integrity protection.
Test Case: the test case in subclause 4.2.3.2.4 of TS 33.117 [2].
7.2.2.1.3 User plane data confidentiality protection over F1 interface
NOTE 1: This is based on the security functional requirement on the gNB given in 4.2.2.1.R of TS 33.511 [6] but modified as the gNB-DU only supports the F1 interface.
Requirement Name: User plane data confidentiality protection over F1 interface.
Requirement Reference: TS 33.501 [3], clause 5.3.9.
Requirement Description: "The gNB shall support confidentiality, integrity and replay protection on the gNB DU-CU F1-U interface [33] for user plane" as specified in TS 33.501 [3], clause 5.3.9.
Threat References: TR 33.926 [4], clause Z.2.2.3 – User plane data confidentiality protection at gNB.
Test Case: the test case in subclause 4.2.3.2.4 of TS 33.117 [2].
7.2.2.1.4 User plane data integrity protection over F1 interface
NOTE 1: This is based on the security functional requirement on the gNB given in 4.2.2.1.S of TS 33.511 [6] but modified as the gNB-DU only supports the F1 interface.
Requirement Name: User plane data integrity protection over F1 interface.
Requirement Reference: TS 33.501 [3], clause 5.3.9.
Requirement Description: "The gNB shall support confidentiality, integrity and replay protection on the gNB DU-CU F1-U interface [33] for user plane" as specified in TS 33.501 [3], clause 5.3.9.
Threat References: TR 33.926 [4], clause Z.2.2.4 – User plane data integrity protection.
Test Case: the test case in subclause 4.2.3.2.4 of TS 33.117 [2].
7.2.3 Technical Baseline
7.2.4 Operating systems
7.2.5 Web servers
7.2.6 Network devices
7.3 Adaptations of hardening requirements and related test cases
7.3.1 Introduction
7.3.2 Technical Baseline
7.3.3 Operating Systems
7.3.4 Web Servers
7.3.5 Network Devices
7.3.6 Network Functions in service-based architecture
The requirements and test cases in clause 4.3.6 of TS 33.117 [2] are not applicable to the gNB-DU network products.
7.4 Adaptations of basic vulnerability testing requirements and related test cases