Defining the Roads to 5G System Security Architecture
March 07, 2018 | By Saad Sheikh @ Saudi Telecom Company (snasrullah.c@stc.com.sa)

We are pleased to share with you all an interesting article contributed by Saad Sheikh, who is the Chief Architect Consultant at Saudi Telecom Company, primarily responsible for network deployment and planning for CSP digital transformation involving the domains of NFV, SDN, Telco Cloud and 5G. Always interested in the disruptive technologies driving industry transformation, the author hails from a Telco CSP background and has been working in the Telco Cloud domain since 2013, including Amazon, Huawei, Mirantis, VMware, RedHat, etc.

 
 

Saad Sheikh

Chief Architect – Consultant NFV, SDN, Telco Cloud, 5G

at Saudi Telecom Company (STC)

 

System plethora is not like network, from incarnation to practice
 
So the frenzy around 5G networks, and how they will bridge the gaps between different industries and societies, finally seems to be materializing. While most Tier 1 operators are working to build the use cases that will support an early launch and act as a market-capture catalyst for early movers, the area of 5G security still looks gloomy: ETSI and other SDOs have so far produced far less detailed standards for it than for 5G technology itself.
 
There are many questions in the air that need to be addressed, both from an architecture point of view and from an end-to-end working solution perspective. For example:
  1. Is 5G security the same as, or in conflict with, NFV/SDN security?
  2. How will operators develop a unified solution that can meet the requirements of all industries?
  3. If a standard solution exists, will it scale? Or, 2-3 years down the road, will we have to live with a lot of customized solutions that are difficult to assure?
  4. What about solution relevance in open source networks with many players around?
  5. How do we imbue cyber security dilemmas in 5G Telco networks?
  6. Will end-user privacy be a killer decision in 5G?
 
I think this list gives enough of the challenges faced by 5G and its verticals; in this paper I shall try to build a high-level model to address them in a unified UML model.
 
In a world where computing is ubiquitous,
where a mist of data and devices diffuses into our lives,
where that mist becomes inseparable- indistinguishable-from reality, trustworthy
computing is but axiomatic. (David James Marcos /NSA)
 
1. Decentralized Architecture: The biggest problem that lies ahead is that Telco networks are programmed to work, not the other way around. That is, they do not predict, and they do not interpolate to the scale of issues 5G is going to face. This is an architecture issue: in 3G/4G the source of security sits in the Core Network, and in NFV/SDN it is imbued in the platform, but for 5G, planning a single control unit to handle and process all data seems impossible. But if we decentralize, how do we control it? We cannot decentralize without control, and how do we control a device we do not trust? I think 5G must model a concept like blockchain in the banking sector, sharing security in a trusted manner and with no point of failure due to a compromise in one unit or layer.
 
Understanding the 5G System architecture, how it will influence the migration of present Telco services, and how it can create a thriving ecosystem is a key area of interest for the architect. There are different dimensions. First, we need to understand that 5G is based on an SBA architecture, which requires the whole network to be separated from the infrastructure, and that makes NFV/SDN an almost inevitable enabler for it. It will allow the deployment of a network slice to support each use case separately. How to model one solution, and whether it can be customized for each offering, is currently a key area of discussion in ETSI.
 
 
2. Resource demarcation: This is a scary topic, because IMT2000 already divided the network into three domains according to the latency requirement of each use case. The dilemma is that different RF resources need to map to different NFV/SDN DC resources in the cloud, so in a broad sense multi-RAT for each slice may not be the right approach.
 
3. 5G Network Threat Model extension: Hosting VNFs that are the source or sink of user workload, like DNS, AAA and IPAM, is the easy use case. Introducing middle-box VNFs like AS, control plane and media boxes means we need to introduce Telco concepts like multihoming, A/S architectures and CSLB, on top of a complex dependence on IT network redundancy such as bonds and bridges, and this makes security a big concern. Obviously, introducing a disparate solution means the security threat boundary will extend beyond where it was originally supposed to be.
 
 
4. 5G Security Framework for 5G SA System: I will not go into the details here, because an expert buddy has just done it perfectly; see the Hitchhiker's Guide here: https://www.linkedin.com/pulse/hitchhikers-guide-5g-security-special-edition-junny-song/
 
However, I do want to summarize a bit. The 5G Rel15 specifications consider EN-DC (E-UTRAN New Radio Dual Connectivity) the de facto standard for 5G security, at least in 2018 or, let's say, until H1 2019. The reason is obvious: the final Standalone security specification, TS33.501, will be frozen in Dec, 2018 (http://www.tech-invite.com/3m33/tinv-3gpp-33-501.html#toc). EN-DC security is important but at the same time not very difficult to embrace, because it is based on the existing LTE security specification, TS 33.401, with EN-DC enhancements as shown below.
 
 
The good news about EN-DC is that it works almost the same way as LTE-DC: the concepts of key generation, key management, ciphering and integrity protection are re-used from the LTE-DC concept (TS23.501), while the DRB (Data Radio Bearer Security) context is added with regard to the 5G Core Network. For EN-DC security, two new X2 Information Elements, "SgNB security Key" and "UE Security Capabilities", are defined.
 
Shown here are the EN-DC bearers and PDCP termination points from the network side. MN is the master eNB and SN is the secondary gNB. If the PDCP/NR-PDCP is terminated in the MN, LTE security applies; if the NR-PDCP is terminated in the SgNB, NR security applies. EEA is redefined as NEA, and EIA is now called NIA. As you can guess, NEA and NIA stand for NR Encryption Algorithm and NR Integrity Algorithm.
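The rule above can be made concrete with a short sketch. This is an added example, not code from the article or from 3GPP: it derives the SgNB key with the KDF of TS 33.401 Annex A.15 (HMAC-SHA-256 over FC || SCG Counter || length) and picks the security regime by PDCP termination point; the function names, sample key and priority lists are constructed assumptions.

```python
import hashlib
import hmac

FC_S_KGNB = 0x1C  # FC for S-KeNB / S-KgNB derivation, TS 33.401 Annex A.15

def derive_s_kgnb(k_enb: bytes, scg_counter: int) -> bytes:
    """S-KgNB = HMAC-SHA-256(KeNB, FC || P0 || L0), with P0 = SCG Counter."""
    if len(k_enb) != 32:
        raise ValueError("KeNB must be 256 bits")
    if not 0 <= scg_counter <= 0xFFFF:
        raise ValueError("SCG Counter is a 16-bit value")
    p0 = scg_counter.to_bytes(2, "big")
    s = bytes([FC_S_KGNB]) + p0 + len(p0).to_bytes(2, "big")
    return hmac.new(k_enb, s, hashlib.sha256).digest()

def select_algorithm(sn_priority, ue_nr_capabilities):
    """Return the first entry of the SN's priority list that the UE supports."""
    for alg in sn_priority:
        if alg in ue_nr_capabilities:
            return alg
    raise LookupError("UE and SN share no NR algorithm")

def bearer_security(pdcp_termination, k_enb, scg_counter, ue_nr_caps,
                    sn_enc_priority, sn_int_priority):
    """Security regime for one EN-DC bearer, keyed on where PDCP terminates."""
    if pdcp_termination == "MN":
        # Terminated in the master eNB: LTE security, keys rooted in KeNB.
        return {"regime": "LTE", "root_key": k_enb, "families": ("EEA", "EIA")}
    if pdcp_termination == "SN":
        # Terminated in the SgNB: NR security, keys rooted in S-KgNB, which
        # the MN sends over X2 together with the UE's NR security capabilities.
        return {
            "regime": "NR",
            "root_key": derive_s_kgnb(k_enb, scg_counter),
            "families": ("NEA", "NIA"),
            "ciphering": select_algorithm(sn_enc_priority, ue_nr_caps),
            "integrity": select_algorithm(sn_int_priority, ue_nr_caps),
        }
    raise ValueError("pdcp_termination must be 'MN' or 'SN'")

# Constructed sample values, not taken from any real network.
K_ENB = bytes(range(32))
UE_NR_CAPS = {"NEA0", "NEA1", "NEA2", "NIA1", "NIA2"}
SN_ENC_PRIORITY = ["NEA3", "NEA2", "NEA1"]
SN_INT_PRIORITY = ["NIA2", "NIA1"]

if __name__ == "__main__":
    for where in ("MN", "SN"):
        ctx = bearer_security(where, K_ENB, 1, UE_NR_CAPS,
                              SN_ENC_PRIORITY, SN_INT_PRIORITY)
        print(where, ctx["regime"], ctx["root_key"].hex()[:16], ctx.get("ciphering"))
```

Because the SCG Counter is an input to the derivation, each new value yields a fresh S-KgNB from the same KeNB.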
 
A good analysis of the 5G security protocol can be seen below.
 
 
  • In 2018, implement the EN-DC architecture, almost the same as LTE DC
  • Use the existing USIM, but programming the USIM/UICC needs USIM vendor support
  • 5G success depends on e-SIM trials, especially for IoT
 
5. Assuring NFV/SDN security for 5G: A 5G network is not about a network but about a system. It involves a plethora of NFV, SDN and network automation as enablers for 5G to support the future SBA-based architecture. These days the biggest question we have been discussing in the ETSI ISG Security group and in TM Forum is whether network automation is a bliss or a curse for security assurance.
 
6. Scalable Security solution: Historically, the Telco companies and 3GPP must be credited with building a robust security architecture; this is reflected in 2G/3G/4G, and the same is expected in 5G. The only problem is that the scale of 5G devices is billions, not millions, and a solution that only expands the Core network and the related authentication servers is not enough. It requires the inclusion of distributed security architectures and, above all, IAM solutions that make the best use of network API exposure to guarantee security. This means that in future Security as a Service can be possible, and an operator can open the network to guarantee whole-system security using the best offering from a third party. In any case, it will not change the 5G Security Framework for 5G SA System as I explained in Point5 of this paper.
 
A scalable solution also means that security can be provisioned for each use case in an orchestrated manner, very similar to VNF OLM management, where the security policy and test criteria can all be customized according to the required use case and SLA.
 
7. Security assessment and Verification: The 5G system is complex and includes a plethora of technologies. The security contexts of IT, cyber and information security are all added alongside Telco security, but until now even ETSI SA3 has not finalized the detailed scenario.
 

The 5G System is big and complex, and 3GPP SA3 is doing remarkable work to get the standard and prototype ready before the Rel-16 Stage-3 specs are output in June this year. The main SA3 key targets this year are: 1. Key hierarchy 2. Key derivation 3. Mobility 4. Access Stratum security 5. Non-Access Stratum security 6. Security context 7. Visibility and Configuration 8. Primary authentication 9. Secondary authentication 10. Interworking 11. Non-3GPP access 12. Network Domain Security 13. Service based architecture 14. Privacy. I hope to refresh the material for the whole of 5G security once I have more visibility based on SA3 work and more input from vendors on exactly how they will approach this critical but important point in 5G.

 

References

  • National Security Agency review of Emerging Technologies
  • 3GPP TR.501
  • 3GPP TS28.891
  • 3GPP TS 23.799
  • 3GPP TS28.531
  • 3GPP TS38.300
  • NFV EVE 011
  • NFV SOL03, 04
     
Chung-A Song @ Brightstar via LinkedIn 2018-03-13 15:21:26

Thank you for sharing informative article with 5G Security framework.
