3GPP TSG SA WG5 MEETING 136E S5212243 ELECTRONIC MEETING


3GPP Contribution

3GPP TSG SA WG5 Meeting 136-e S5-212243

electronic meeting, online, 1st - 10th March 2021 revision for S5-21xxxx

Source: Nokia, Nokia Shanghai Bell

Title: use case – trust relationship between MnS producer and consumer

Document for: Approval

Agenda Item:

1 Decision/action requested

The group is asked to discuss and approve the proposal.

2 References

[1] 3GPP TR 28.817: "Management and orchestration; Study on access control for management service"

[2] 3GPP TS 28.533: "Management and orchestration; Architecture framework"

[3] ETSI GS NFV-SEC 003: "NFV Security; Security and Trust Guidance"

[4] NIST Special Publication 800-39: "Managing Information Security Risk"



3 Rationale

In its LS reply on study items for security on management aspects (S3-202688), SA3 suggested documenting the underlying assumptions (i.e. the trust model), especially for aspects that involve multiple stakeholders. The suggestion is quite valid, as the 3GPP management system covers multiple domains owned/operated by different stakeholders. The security controls should adapt to various, even dynamically changing, trust relationships between MnS producers and consumers from different stakeholders.

This pCR studies the trust relationship between MnS producer and consumer, and the potential capabilities of the system to apply corresponding access controls based on that trust relationship.

4 Detailed proposal



Start of 1st Change



5.x use case – trust relationship between MnS producer and consumer

5.x.1 Description

Mutual trust should be established between MnS consumer and producer, inside a management domain or across different management domains, before they interact with each other, to ensure confidentiality, integrity, availability and regulatory compliance of the management systems.

Traditionally, several trust models have been defined to establish trust relationships between different entities (e.g. MnS consumer and producer) and to allow one entity to obtain the level of trust needed to form partnerships, collaborate with other organizations, share information, or receive information/services. The typical trust models defined in NIST SP 800-39 [4] include validated trust, direct historical trust, mediated trust, mandated trust, and hybrid trust. Similarly, ETSI NFV introduced several trust models, e.g. direct trust, transitive trust and delegating trust (see ETSI GS NFV-SEC 003 [3]).

As shown in the diagram below, extracted from TS 28.533 [2] (see Figure 5.3-1: An example of Management Service deployment framework), an MnS consumer and an MnS producer could be in the same management domain, in different domains of the same operation, or in management domains of different stakeholders, e.g. the MnS consumer is in a vertical OT system and the MnS producer is in an operator's management system.



[Figure: TS 28.533, Figure 5.3-1: An example of Management Service deployment framework]

The trust relationship between MnS consumer and producer differs across the scenarios mentioned above. The trust model for each scenario could therefore be different, and the corresponding access control between MnS consumer and producer would be different as well. E.g. the validated trust model could be applied to MnFs (as MnS producer and consumer) in the same 3GPP management domain; single-factor authentication and predefined authorization policies could then be used for access control between the two MnFs. A mediated, mandated, or hybrid trust model could be more suitable for an MnF (as MnS producer) in the 3GPP management system and an MnS consumer in a vertical OT system; accordingly, multi-factor authentication and SLA-based authorization policies could be used for access control between the producer and consumer.

In addition, the trust relationship between the same MnS consumer and producer could change dynamically as the security context of either the MnS consumer or the producer changes, e.g. a change of operational status, a package upgrade to support new features, scaling to another region, a security compromise, etc. Therefore, the trust model and related access control need to be updated accordingly to adapt to the dynamically changing situation.
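As an added example (not part of this contribution or of any 3GPP specification), the following policy decision function derives access control from the trust relationship and re-derives it when the security context changes. The relationship labels, event names, operation names and the suspend/step-up reactions are assumptions; the time-window and region checks stand in for SLA terms.

```python
from dataclasses import dataclass, field, replace
from datetime import time

@dataclass(frozen=True)
class Profile:
    trust_model: str
    min_factors: int   # 1 = single-factor, 2 = multi-factor authentication
    authz: str         # "predefined" or "sla"

# The two examples from the text; the dictionary keys are hypothetical labels.
PROFILES = {
    "same_domain": Profile("validated", 1, "predefined"),
    "external_vertical": Profile("mediated", 2, "sla"),
}

@dataclass
class Consumer:
    relationship: str
    allowed_ops: set                            # predefined policy or SLA scope
    window: tuple = (time.min, time.max)        # SLA: permitted time of day
    regions: set = field(default_factory=set)   # SLA: empty means any region
    events: list = field(default_factory=list)  # unreviewed context changes

def effective_profile(c):
    """Re-derive the profile from the consumer's current security context."""
    base = PROFILES[c.relationship]
    if "security_compromise" in c.events:
        return None                             # assumption: suspend trust
    if c.events:                                # e.g. package_upgrade
        return replace(base, trust_model="hybrid", min_factors=2)  # assumption
    return base

def decide(c, op, factors, at, region):
    p = effective_profile(c)
    if p is None:
        return "deny: trust suspended"
    if factors < p.min_factors:
        return "deny: multi-factor authentication required"
    if op not in c.allowed_ops:
        return "deny: operation not authorized"
    if p.authz == "sla":
        if not c.window[0] <= at <= c.window[1]:
            return "deny: outside SLA time window"
        if c.regions and region not in c.regions:
            return "deny: region not covered by SLA"
    return "permit"

if __name__ == "__main__":
    # Constructed sample: an OT-system consumer with a business-hours SLA.
    ot = Consumer("external_vertical", {"read"}, (time(8), time(18)), {"eu"})
    print(decide(ot, "read", 1, time(9), "eu"))   # single factor only
    print(decide(ot, "read", 2, time(9), "eu"))
```
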

Note: The zero-trust model is the most stringent trust model but also implies high cost. How to pragmatically apply the zero-trust model to the 3GPP management system is FFS.

5.x.2 Issue and gaps

The trust relationship and trust model for the 3GPP management system have not been specified or studied in 3GPP or other SDOs. Applying the same trust model and security control to different trust relationships could incur either undue control (e.g. applying strict access control everywhere, causing complexity and high cost) or a lack of protection on some susceptible interfaces (e.g. underestimating the threats and risks on external interfaces, resulting in a successful attack).

Therefore, building a correct and adaptive trust model for the MnS producer and consumer of the 3GPP management system, and applying appropriate access control according to that trust model, need to be studied and supported by the 3GPP management system.

End of Change



Start of 2nd Change



6 Potential requirements for access control for MnS



Note: e.g. access control policies could be multi-factor authentication, access allowed in specific time or for specific duration, access allowed in specific region, etc.



End of Change



