TR 33.926 [7], Clause L.2.2, "No protection or weak protection for user plane data ".

Confidentiality protection of user data transported over N3 interface.

TS 33.501 [2], Clause 9.3

"The transported user data between gNB and UPF shall be confidentiality protected." As specified in TS 33.501 [2], clause 9.3.

Verify that the transported user data between gNB and UPF are confidentiality protected over N3 interface.

• UPF network product is connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the ESP packets.

• Tester shall have access to the N3 interface between gNB and UPF.

• Tester shall have knowledge of the confidentiality algorithm and confidentiality protection keys used for encrypting the encapsulated payload.

The requirement mentioned in this clause is tested in accordance with the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The user data transported between gNB and UPF is confidentiality protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.2, "No protection or weak protection for user plane data ".

Confidentiality protection of user data transported over N3 interface.

TS 33.501 [2], Clause 9.3

Verify that the transported user data between gNB and UPF are confidentiality protected over N3 interface.

• UPF network product is connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the ESP packets.

• Tester shall have access to the N3 interface between gNB and UPF.

• Tester shall have knowledge of the confidentiality algorithm and confidentiality protection keys used for encrypting the encapsulated payload.

The requirement mentioned in this clause is tested in accordance with the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The user data transported between gNB and UPF is confidentiality protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.2, "No protection or weak protection for user plane data"

Integrity protection of user data transported over N3 interface.

TS 33.501 [2], Clause 9.3

"The transported user data between gNB and UPF shall be integrity protected" as specified in TS 33.501 [2], clause 9.3.

Verify that the transported user data between gNB and UPF are integrity protected over N3 interface.

• UPF network product is connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the Encapsulated Security Payload (ESP) packets.

• Tester shall have knowledge of the authentication algorithm (Hash Message Authentication Code) and the protection keys.

The requirement mentioned in this clause is tested in accordance to the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The user data transported between gNB and UPF is integrity protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.2, "No protection or weak protection for user plane data"

Integrity protection of user data transported over N3 interface.

TS 33.501 [2], Clause 9.3

Verify that the transported user data between gNB and UPF are integrity protected over N3 interface.

• UPF network product is connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the Encapsulated Security Payload (ESP) packets.

• Tester shall have knowledge of the authentication algorithm (Hash Message Authentication Code) and the protection keys.

The requirement mentioned in this clause is tested in accordance to the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The user data transported between gNB and UPF is integrity protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.2, "No protection or weak protection for user plane data"

Replay protection of user data transported over N3 interface

TS 33.501 [2], Clause 9.3

"The transported user data between gNB and UPF shall be replay protected." As specified in TS 33.501, clause 9.3.

Verify that the transported user data between gNB and UPF are replay protected.

The following procedure is executed if UPF supports IPsec.

• UPF network product is connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the ESP packets.

• Tester shall have access to the original user data transported via N3 reference point between gNB and UPF.

The requirement mentioned in this clause is tested in accordance with the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The user data transported between UE and UPF is replay protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.2, "No protection or weak protection for user plane data"

Replay protection of user data transported over N3 interface

TS 33.501 [2], Clause 9.3

Verify that the transported user data between gNB and UPF are replay protected.

The following procedure is executed if UPF supports IPsec.

• UPF network product is connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the ESP packets.

• Tester shall have access to the original user data transported via N3 reference point between gNB and UPF.

The requirement mentioned in this clause is tested in accordance with the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The user data transported between UE and UPF is replay protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.2, "No protection or weak protection for user plane data "

Protection of user data transported over N9 within a PLMN.

TS 33.501 [2], Clause 9.9

As specified in clause 9.9 in TS 33.501 [2], "Interfaces internal to the 5G Core can be used to transport signalling data as well as privacy sensitive material, such as user and subscription data, or other parameters, such as security keys. Therefore, confidentiality and integrity protection is required.

For the protection of the non-SBA internal interfaces, such as N4 and N9, NDS/IP shall be used as specified in [3]."

Verify that the protection mechanism implemented for user data transport over N9 interface in a PLMN conforms to the selected security profile.

• UPF network products are connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the ESP packets.

• Tester shall have access to the N9 interface between two UPFs within a PLMN.

• Tester shall have knowledge of the confidentiality algorithm and confidentiality protection keys used for encrypting the encapsulated payload.

The requirement mentioned in this clause is tested in accordance with the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The user data transported on N9 within a PLMN is protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.2, "No protection or weak protection for user plane data "

Protection of user data transported over N9 within a PLMN.

TS 33.501 [2], Clause 9.9

Verify that the protection mechanism implemented for user data transport over N9 interface in a PLMN conforms to the selected security profile.

• UPF network products are connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the ESP packets.

• Tester shall have access to the N9 interface between two UPFs within a PLMN.

• Tester shall have knowledge of the confidentiality algorithm and confidentiality protection keys used for encrypting the encapsulated payload.

The requirement mentioned in this clause is tested in accordance with the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The user data transported on N9 within a PLMN is protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.3, "No protection or weak protection for signalling data over N4 interface"

Protection of signalling data transported over N4 interface.

TS 33.501 [2], Clause 9.9

As specified in clause 9.9 in TS 33.501 [2], "Interfaces internal to the 5G Core can be used to transport signalling data as well as privacy sensitive material, such as user and subscription data, or other parameters, such as security keys. Therefore, confidentiality and integrity protection is required.

For the protection of the non-SBA internal interfaces, such as N4 and N9, NDS/IP shall be used as specified in [3]."

Verify that the protection mechanism implemented for signalling data transmitted over N4 conforms to selected security profile.

• UPF and SMF network products are connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the ESP packets.

• Tester shall have access to the N4 interface between SMF and UPF.

• Tester shall have knowledge of the confidentiality algorithm and confidentiality protection keys used for encrypting the encapsulated payload.

The requirement mentioned in this clause is tested in accordance with the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The signalling data transported over N4 interface is protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.3, "No protection or weak protection for signalling data over N4 interface"

Protection of signalling data transported over N4 interface.

TS 33.501 [2], Clause 9.9

Verify that the protection mechanism implemented for signalling data transmitted over N4 conforms to selected security profile.

• UPF and SMF network products are connected in simulated/real network environment.

• The tunnel mode IPsec ESP and IKE certificate authentication is implemented.

• Tester shall have knowledge of the security parameters of tunnel for decrypting the ESP packets.

• Tester shall have access to the N4 interface between SMF and UPF.

• Tester shall have knowledge of the confidentiality algorithm and confidentiality protection keys used for encrypting the encapsulated payload.

The requirement mentioned in this clause is tested in accordance with the procedure mentioned in clause 4.2.3.2.4 of TS 33.117 [3].

The signalling data transported over N4 interface is protected.

Evidence suitable for the interface, e.g., evidence can be presented in the form of screenshot/screen-capture.

TR 33.926 [7], Clause L.2.4, "Failure to assign unique TEID for a session"

TEID uniqueness.

"Allocation and release of CN Tunnel Info is performed when a new PDU Session is established or released. This functionality is supported either by SMF or UPF, based on operator's configuration on the SMF" as specified in TS 23.501[4], clause 5.8.2.3.1.

"Tunnel Endpoint Identifier (TEID): This field unambiguously identifies a tunnel endpoint in the receiving GTP U protocol entity. The receiving end side of a GTP tunnel locally assigns the TEID value the transmitting side has to use" as specified in TS 29.281[5], clause 5.1.

"The TEID is a unique identifier within one IP address of a logical node." As specified in TS 23.060 [6], clause 14.6.

Verify that the TEID generated by UPF under test for each new GTP tunnel is unique.

Test environment is set up with SMF, which may be real or simulated, and UPF under test. The tester is able to trace traffic between the UPF under test and the SMF (real or simulated). SMF configures UPF under test to generate the TEIDs.

1. The tester intercepts the traffic between the UPF under test and the SMF.

2. The tester triggers the maximum number of concurrent N4 session establishment requests.

3. The tester captures the N4 session establishment responses sent from UPF to SMF and verifies that the F-TEID created for each generated response is unique.

The F-TEID set in each different N4 session establishment response is unique.

Files containing the triggered GTP messages (e.g. pcap trace).

TR 33.926 [7], Clause L.2.4, "Failure to assign unique TEID for a session"

TEID uniqueness.

Verify that the TEID generated by UPF under test for each new GTP tunnel is unique.

Test environment is set up with SMF, which may be real or simulated, and UPF under test. The tester is able to trace traffic between the UPF under test and the SMF (real or simulated). SMF configures UPF under test to generate the TEIDs.

1. The tester intercepts the traffic between the UPF under test and the SMF.

2. The tester triggers the maximum number of concurrent N4 session establishment requests.

3. The tester captures the N4 session establishment responses sent from UPF to SMF and verifies that the F-TEID created for each generated response is unique.

The F-TEID set in each different N4 session establishment response is unique.

TR 33.926 [7], Clause L.2.5, "invalid user plane data forwarding"

NOTE 1: This test case is only applicable to UPF supporting IPUPS.

IPUPS packeting handling

TS 33.501[8], clause 5.9.3.4

"The IPUPS shall only forward GTP-U packets that contain an F-TEID that belongs to an active PDU session and discard all others." as specified in TS 33.501[5], clause 5.9.3.4.

Verify that the packets not belonging to an active PDU session is discarded.

Test environment is set up with a V-SMF, an H-SMF, an H-UPF and a gNB which may be simulated.

1. The V-SMF requests the UPF with IPUPS functionality under test to establish an N4 session for a PDU session in home-routing roaming. The UPF with IPUPS functionality under test responds to the SMF with the F-TEID for the N9 tunnel towards the H-UPF, and the F-TEID for the N3 tunnel towards the gNB.

2. The V-SMF requests the H-SMF to establish a PDU session providing the received F-TEID for the N9 tunnel.

3. The H-SMF requests the H-UPF to establish an N4 session providing the received F-TEID for the N9 tunnel. H-UPF in the response provides its F-TEID for the N9 tunnel. The H-SMF provides the received F-TEID from the H-UPF to the V-SMF.

4. The V-SMF requests the gNB to allocate resource for the PDU session providing the F-TEID for the N3 tunnel received at step 1. The gNB replies with its F-TEID for the N3 tunnel to the V-SMF.

5. The V-SMF provides the UPF with IPUPS functionality under test with the received F-TEID assigned by the gNB for the N3 tunnel and the received F-TEID assigned by the H-UPF for the N9 tunnel.

6. The H-UPF is triggered to send GTP-U packets using the F-TEID assigned by the V-UPF for the N9 tunnel.

7. The H-UPF is triggered to send GTP-U packets using an F-TEID different than the one assigned by V-UPF for N9 tunnel.

When the H-UPF is triggered to send GTP-U packets using the F-TEID assigned by the V-UPF for the N9 tunnel (step 6 in the execution steps), GTP-U packets are witnessed over the N3 tunnel.

When the H-UPF is triggered to send GTP-U packets using an F-TEID different than the one assigned by the V-UPF (step 7 in the execution steps), no GTP-U packets are witnessed over the N3 tunnel.

Files recording the GTP packets captured (e.g. pcap trace).

TR 33.926 [7], Clause L.2.5, "invalid user plane data forwarding"

NOTE 1: This test case is only applicable to UPF supporting IPUPS.

IPUPS packeting handling

Verify that the packets not belonging to an active PDU session is discarded.

Test environment is set up with a V-SMF, an H-SMF, an H-UPF and a gNB which may be simulated.

1. The V-SMF requests the UPF with IPUPS functionality under test to establish an N4 session for a PDU session in home-routing roaming. The UPF with IPUPS functionality under test responds to the SMF with the F-TEID for the N9 tunnel towards the H-UPF, and the F-TEID for the N3 tunnel towards the gNB.

2. The V-SMF requests the H-SMF to establish a PDU session providing the received F-TEID for the N9 tunnel.

3. The H-SMF requests the H-UPF to establish an N4 session providing the received F-TEID for the N9 tunnel. H-UPF in the response provides its F-TEID for the N9 tunnel. The H-SMF provides the received F-TEID from the H-UPF to the V-SMF.

4. The V-SMF requests the gNB to allocate resource for the PDU session providing the F-TEID for the N3 tunnel received at step 1. The gNB replies with its F-TEID for the N3 tunnel to the V-SMF.

5. The V-SMF provides the UPF with IPUPS functionality under test with the received F-TEID assigned by the gNB for the N3 tunnel and the received F-TEID assigned by the H-UPF for the N9 tunnel.

6. The H-UPF is triggered to send GTP-U packets using the F-TEID assigned by the V-UPF for the N9 tunnel.

7. The H-UPF is triggered to send GTP-U packets using an F-TEID different than the one assigned by V-UPF for N9 tunnel.

When the H-UPF is triggered to send GTP-U packets using the F-TEID assigned by the V-UPF for the N9 tunnel (step 6 in the execution steps), GTP-U packets are witnessed over the N3 tunnel.

When the H-UPF is triggered to send GTP-U packets using an F-TEID different than the one assigned by the V-UPF (step 7 in the execution steps), no GTP-U packets are witnessed over the N3 tunnel.

Files recording the GTP packets captured (e.g. pcap trace).

TR 33.926 [7], Clause L.2.6, "Threats of malformed GTP-U messages"

NOTE 1: This test case is only applicable to UPF supporting IPUPS.

Protection against malformed GTP-U messages

TS 33.501[8], clause 5.9.3.4

"The IPUPS shall discard malformed GTP-U messages." as specified in TS 33.501[8], clause 5.9.3.4.

Verify that malformed messages are discarded by UPF.

The pre-conditions in clause 4.4.4 of TS 33.117 [3] apply, except that fuzzing tools supporting GTP-U protocol is available.

The execution steps follow those in clause 4.4.4 of TS 33.117 [3], except that the protocol the fuzzing tool is executed against is GTP-U and the interface is N9.

The expected results in clause 4.4.4 of TS 33.117 [3] apply except that the protocol and the interface contained in the testing documentation are GTP-U and N9 respectively.

The expected format of evidence in clause 4.4.4 of TS 33.117 [3] apply.

TR 33.926 [7], Clause L.2.6, "Threats of malformed GTP-U messages"

NOTE 1: This test case is only applicable to UPF supporting IPUPS.

Protection against malformed GTP-U messages

Verify that malformed messages are discarded by UPF.

The pre-conditions in clause 4.4.4 of TS 33.117 [3] apply, except that fuzzing tools supporting GTP-U protocol is available.

The execution steps follow those in clause 4.4.4 of TS 33.117 [3], except that the protocol the fuzzing tool is executed against is GTP-U and the interface is N9.

The expected results in clause 4.4.4 of TS 33.117 [3] apply except that the protocol and the interface contained in the testing documentation are GTP-U and N9 respectively.

The expected format of evidence in clause 4.4.4 of TS 33.117 [3] apply.