By Mirko Cano Soveri, MCC (ETSI), Zander Lei, 3GPP SA3 Rapporteur on Network Slicing Security

Network Slicing is one of the key features introduced in 5G systems since Release 15. It allows operators to provide customized networks flexibly with different functionalities for diverse services or to serve groups of users with specific service requirements. However, network slicing also poses new challenges when it comes to security design. On the one hand, the fact that common infrastructure and resources are shared amongst network slices needs to be taken into consideration for 5G systems pursuing the security-by-design principle. On the other hand, new security requirements, e.g. user privacy requirements and high security control demand from verticals need to be met.

3GPP SA3 working group takes a balanced approach and introduces new security measures for network slicing in phases. Specifically, the following new security features for network slicing have been specified from Release 15 to Release 17 and a new study is ongoing intending to address potential security issues in Release 18.

• Release 15: Management security for network slices, UE authorization to access network slices, confidentiality and Integrity protection of network slice identifiers), network slice specific Network Function (NF) authorization
• Release 16: Network Slice Specific Authentication and Authorization (NSSAA)
• Release 17: Application Function (AF) authorization with confidentiality protection of network slice identifiers 

Management security for network slices

The first and uppermost task to secure network slices is to make sure network slices are created, updated, and deleted securely. Thus, the first set of security measures are introduced to secure the standardized service interfaces for management functions and protect creation, modification, and termination of a Network Slice Instance (NSI).  These secure measures specified are

• Mutual authentication between the management service consumer and the management service producer using transport layer security (TLS). This is to prevent unauthorized access to the management exposure interfaces and also support service-based architecture being adopted for management functions.
• Protection of management interactions between the management service consumer and the management service producer based on TLS. This is to support integrity protection, replay protection and confidentiality protection for the interface in additional to the mutual authentication.
• Authorization of management service consumer by the management service producer based on the OAuth-based authorization mechanism and operators’ local policy to ensure only the authorized services are provided to the management service consumer.

UE Authorization to access network slices

This security measure is to make sure only an authorized user equipment (UE) is allowed to access resources of network slices. In Release 15, this task is centralized and performed in the operators’ network. Specifically, a UE is authorized to access a network slice if

• the UE is a legitimate subscriber of the operator’s network and is able to successfully authenticated by the network through the Primary Authentication, and
• the UE has a valid subscription stored in the Unified Data Management (UDM) of the operator’s core network

Once the UE is authorized, the authorization information, e.g. the Single-Network Slice Selection Assistance Information (S-NSSAI) of an authorized network slice is included in the “Allowed NSSAI” list stored at the core network, e.g. Access and Mobility Management Function (AMF) and the UE.

Confidentiality and Integrity protection of network slice identifiers

The S-NSSAI can be considered as the identifier of a network slice. There are potential security risks to transmit the identifier over the air if unprotected. Sensitive information, e.g. the topology of the network or specific user group information may be deduced from the S-NSSAI by an eavesdropper. In order to mitigate these risks, two security measures have been introduced since Release 15:

• Non-Access-Stratum (NAS) Signaling: S-NSSAI can be included in NAS signaling to improve system performance through prevention of potential AMF relocation. In order not to leak potential sensitive information due to S-NSSAI, it is specified that S-NSSAI is only transmitted in NAS signaling after the NAS security is established. S-NSSAI will be transmitted with activated confidentiality protection and integrity protection.
• Access-Stratum (AS) Signaling: S-NSSAI can be included in AS signaling to allow base stations to select a proper AMF and again to prevent potential AMF relocation. In order to allow S-NSSAI to be transmitted even before AS security is established at the same time mitigating the risk of leaking sensitive information, a two-stage approach is adopted. At the first stage or when a UE registers to a network at the very first time, no S-NSSAI is transmitted in AS signaling by default. After this first registration, the network can configure the UE with two set of S-NSSAIs, one deemed no sensitive information can be deduced from and the other may contain sensitive information. For the former, UE can send in plain text in AS signaling while the later is not allowed to be included in AS signaling.

Network slice specific authorization for Network Functions (NFs)

Service based architecture is instituted in 5G core network where NFs communicate with each other over a service-based interface (SBI) after NFs are authenticated and authorized. This has also implications to network slicing security. If NFs are authorized in a traditional way based on entity, e.g. NF, an authorized NF to handle one network slice will be able to have processing rights to all other network slices. This scenario is undesired and against the security design principle, e.g. Principle of Least Privilege. Therefore, the network slice specific authorization mechanism is enabled in the SBI security, where an NF can be authorized to handle specific network slices. All other slices not authorized will not be accessible to the NF.

Network Slice Specific Authentication and Authorization (NSSAA)

5G Release 16 starts to focus more on enhancements to meet demand from verticals. In terms of network slicing security, the Network Slice Specific Authentication and Authorization (NSSAA) is brought about to allow verticals have more controls over their devices or subscriptions. Specifically, NSSAA allows verticals to provision their devices with their own credentials, based on which a totally different authentication method can be employed at the discretion of verticals. 

NSSAA is performed between a UE and an Authentication Authorization and Accounting (AAA) Server (may be owned by verticals) with respect to a particular network slice identified by an S-NSSAI, after the UE has successfully completed primary authentication. NSSAA uses a User ID and credentials determined by verticals and are different from the subscription credentials used for the primary authentication.

The EAP framework specified in IETF RFC 3748 is used to support multiple EAP methods at choice of verticals. The AMF takes the role of the EAP Authenticator and a dedicated network function (NSSAA function or NSSAAF) is defined and undertakes any AAA protocol interworking with the AAA Server. Both re-authentication and revocation procedures initiated by verticals are also supported.

Application Function (AF) authorization with confidentiality protection of network slice identifiers

The 3GPP 5G Release 17 brings in a new feature, i.e. Network Slice Admission Control (NSAC) to better manage and operate network slices. An NSAC Function (NSACF) can monitor and control the number of registered UEs and established Protocol Data Unit (PDU) sessions per network slice and feed the information to an Application Function (AF) for analysis and further processing. Since the AF could be deployed outside the operator domain, additional security measures are put in place in order to mitigate potential security risks.

On top of securing the application-layer interface between the AF and the 3GPP network, the identifier of the network slice is masked to prevent leakage of the sensitive information. In addition, the AF is authorized to access only specific network slices in order to prevent the AF from accessing information for other network slices unauthorized.

Moving forward in future Releases

The network slicing security is expected to continue its evolution incorporating new security features, in tandem with continuous enhancements to network slices in future releases.  For example, the 3GPP SA3 working group has already initiated a Release-18 Study Item to investigate the security procedures to support the Home Network providing the Visiting Network slice-specific network priority information to its roaming UEs, enhanced authorization procedures for a UE to access network slices supporting new services, optimizing NSAC security procedures etc. The investigation will be documented in TR 33.886 and Release 18 specifications may be updated if required.

List of Work Items and Study items: