| rfc9310.original | rfc9310.txt | |||
|---|---|---|---|---|
| Network Working Group R. Housley | Internet Engineering Task Force (IETF) R. Housley | |||
| Internet-Draft Vigil Security | Request for Comments: 9310 Vigil Security | |||
| Intended status: Standards Track S. Turner | Category: Standards Track S. Turner | |||
| Expires: 2 June 2023 sn3rd | ISSN: 2070-1721 sn3rd | |||
| J. P. Mattsson | J. Preuß Mattsson | |||
| D. Migault | D. Migault | |||
| Ericsson | Ericsson | |||
| 29 November 2022 | December 2022 | |||
| X.509 Certificate Extension for 5G Network Function Types | X.509 Certificate Extension for 5G Network Function Types | |||
| draft-ietf-lamps-5g-nftypes-08 | ||||
| Abstract | Abstract | |||
| This document specifies the certificate extension for including | This document specifies the certificate extension for including | |||
| Network Function Types (NFTypes) for the 5G System in X.509v3 public | Network Function Types (NFTypes) for the 5G System in X.509 v3 public | |||
| key certificates as profiled in RFC 5280. | key certificates as profiled in RFC 5280. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 2 June 2023. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9310. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology | |||
| 3. Network Functions Certificate Extension . . . . . . . . . . . 3 | 3. Network Function Types Certificate Extension | |||
| 4. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . 4 | 4. ASN.1 Module | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 5. Security Considerations | |||
| 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 5 | 6. Privacy Considerations | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 7. IANA Considerations | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | 8. References | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 8.2. Informative References | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 6 | Appendix A. NFType Strings | |||
| Appendix A. NFType Strings . . . . . . . . . . . . . . . . . . . 7 | Appendix B. Example Certificate Containing a NFTypes Extension | |||
| Appendix B. Example Certificate Containing a NFTypes | Acknowledgements | |||
| Extension . . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | ||||
| 1. Introduction | 1. Introduction | |||
| The 3rd Generation Partnership Project (3GPP) has specified several | The 3rd Generation Partnership Project (3GPP) has specified several | |||
| Network Functions (NFs) as part of the service-based architecture | Network Functions (NFs) as part of the service-based architecture | |||
| within the 5G System. There are 49 NF Types defined for 3GPP Release | within the 5G System. There are 56 NF Types defined for 3GPP Release | |||
| 17; they are listed in Table 6.1.6.3.3-1 of [TS29.510], and each NF | 17; they are listed in Table 6.1.6.3.3-1 of [TS29.510], and each NF | |||
| type is identified by a short ASCII string. | type is identified by a short ASCII string. | |||
| Operators of 5G systems make use of an internal PKI to identify | Operators of 5G Systems make use of an internal PKI to identify | |||
| interface instances in the NFs in a 5G system. X.509v3 public key | interface instances in the NFs in a 5G System. X.509 v3 public key | |||
| certificates [RFC5280] are used, and the primary function of a | certificates [RFC5280] are used, and the primary function of a | |||
| certificate is to bind a public key to the identity of an entity that | certificate is to bind a public key to the identity of an entity that | |||
| holds the corresponding private key, known as the certificate | holds the corresponding private key, known as the certificate | |||
| subject. The certificate subject and the subjectAltName certificate | subject. The certificate subject and the SubjectAltName certificate | |||
| extension can be used to support identity-based access control | extension can be used to support identity-based access control | |||
| decisions. | decisions. | |||
| This document specifies the NFTypes certificate extension to support | This document specifies the NFTypes certificate extension to support | |||
| role-based access control decisions by providing a list of NF Types | role-based access control decisions by providing a list of NF Types | |||
| associated with the certificate subject. The NFTypes certificate | associated with the certificate subject. The NFTypes certificate | |||
| extension can be used by operators of 5G systems or later. | extension can be used by operators of 5G Systems or later. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. Network Functions Certificate Extension | 3. Network Function Types Certificate Extension | |||
| This section specifies the NFTypes certificate extension, which | This section specifies the NFTypes certificate extension, which | |||
| provides a list of NF Types associated with the certificate subject. | provides a list of NF Types associated with the certificate subject. | |||
| The NFTypes certificate extension MAY be included in public key | The NFTypes certificate extension MAY be included in public key | |||
| certificates [RFC5280]. The NFTypes certificate extension MUST be | certificates [RFC5280]. The NFTypes certificate extension MUST be | |||
| identified by the following object identifier: | identified by the following object identifier: | |||
| id-pe-nftypes OBJECT IDENTIFIER ::= | id-pe-nftype OBJECT IDENTIFIER ::= | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-pe(1) 34 } | security(5) mechanisms(5) pkix(7) id-pe(1) 34 } | |||
| This extension MUST NOT be marked critical. | This extension MUST NOT be marked critical. | |||
| The NFTypes extension MUST have the following syntax: | The NFTypes extension MUST have the following syntax: | |||
| NFTypes ::= SEQUENCE SIZE (1..MAX) OF NFType | NFTypes ::= SEQUENCE SIZE (1..MAX) OF NFType | |||
| NFType ::= IA5String (SIZE (1..32)) | NFType ::= IA5String (SIZE (1..32)) | |||
| skipping to change at page 3, line 46 ¶ | skipping to change at line 128 ¶ | |||
| Each NFType MUST contain only an ASCII string; however, the string | Each NFType MUST contain only an ASCII string; however, the string | |||
| MUST NOT include control characters (values 0 through 31), the space | MUST NOT include control characters (values 0 through 31), the space | |||
| character (value 32), or the delete character (value 127). | character (value 32), or the delete character (value 127). | |||
| Each NFType MUST contain at least one ASCII character and MUST NOT | Each NFType MUST contain at least one ASCII character and MUST NOT | |||
| contain more than 32 ASCII characters. | contain more than 32 ASCII characters. | |||
| The NFTypes MUST NOT contain the same NFType more than once. | The NFTypes MUST NOT contain the same NFType more than once. | |||
| If the NFTypes contain more than one NFType, the NFTypes MUST appear | If the NFTypes contain more than one NFType, the NFTypes MUST appear | |||
| in ascending sort order. | in ascending lexicographic order using the ASCII values. | |||
| The NFType uses the IA5String type to permit inclusion of the | The NFType uses the IA5String type to permit inclusion of the | |||
| underscore character ('_'), which is not part of the PrintableString | underscore character ('_'), which is not part of the PrintableString | |||
| character set. | character set. | |||
| 4. ASN.1 Module | 4. ASN.1 Module | |||
| This section provides an ASN.1 module [X.680] for the NFTypes | This section provides an ASN.1 Module [X.680] for the NFTypes | |||
| certificate extension, and it follows the conventions established in | certificate extension, and it follows the conventions established in | |||
| [RFC5912] and [RFC6268]. | [RFC5912] and [RFC6268]. | |||
| <CODE BEGINS> | <CODE BEGINS> | |||
| NFTypeCertExtn | NFTypeCertExtn | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-nftype(106) } | id-mod-nftype(106) } | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
| skipping to change at page 4, line 35 ¶ | skipping to change at line 164 ¶ | |||
| id-mod-pkixCommon-02(57) } ; | id-mod-pkixCommon-02(57) } ; | |||
| -- NFTypes Certificate Extension | -- NFTypes Certificate Extension | |||
| ext-NFType EXTENSION ::= { | ext-NFType EXTENSION ::= { | |||
| SYNTAX NFTypes | SYNTAX NFTypes | |||
| IDENTIFIED BY id-pe-nftype } | IDENTIFIED BY id-pe-nftype } | |||
| -- NFTypes Certificate Extension OID | -- NFTypes Certificate Extension OID | |||
| id-pe-nftype OBJECT IDENTIFIER ::= | id-pe-nftype OBJECT IDENTIFIER ::= | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-pe(1) 34 } | security(5) mechanisms(5) pkix(7) id-pe(1) 34 } | |||
| -- NFTypes Certificate Extension Syntax | -- NFTypes Certificate Extension Syntax | |||
| NFTypes ::= SEQUENCE SIZE (1..MAX) OF NFType | NFTypes ::= SEQUENCE SIZE (1..MAX) OF NFType | |||
| NFType ::= IA5String (SIZE (1..32)) | NFType ::= IA5String (SIZE (1..32)) | |||
| END | END | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 5. Security Considerations | 5. Security Considerations | |||
| The Security Considerations of [RFC5280] are applicable to this | The security considerations of [RFC5280] are applicable to this | |||
| document. | document. | |||
| Some of the ASCII strings that specify the NF Types are standard. | Some of the ASCII strings that specify the NF Types are standard. | |||
| See Appendix A for values defined in 3GPP. Additionally, an operator | See Appendix A for values defined in 3GPP Release 17. Additionally, | |||
| MAY assign its own NF Types for use in their own network. Since the | an operator MAY assign its own NF Types for use in their own network. | |||
| NF Type is used for role-based access control decisions, an operator- | Since the NF Type is used for role-based access control decisions, an | |||
| assigned NF Type MUST NOT overlap with a value already defined in the | operator-assigned NF Type MUST NOT overlap with a value already | |||
| commonly defined set. Use of the same ASCII string by two different | defined in the commonly defined set. Use of the same ASCII string by | |||
| operators for different roles could lead to confusion or incorrect | two different operators for different roles could lead to confusion | |||
| access control decisions. The mechanism for an operator to determine | or incorrect access control decisions. The mechanism for an operator | |||
| whether an ASCII string associated with a NF Type is unique across | to determine whether an ASCII string associated with a NF Type is | |||
| operators is outside the scope of this document. | unique across operators is outside the scope of this document. | |||
| The certificate extension supports many different forms of role-based | The certificate extension supports many different forms of role-based | |||
| access control to support the diversity of activities that NFs are | access control to support the diversity of activities that NFs are | |||
| trusted to perform in the overall system. Different levels of | trusted to perform in the overall system. Different levels of | |||
| confidence that the NFTypes were properly assigned might be needed to | confidence that the NFTypes were properly assigned might be needed to | |||
| contribute to the overall security of the 5G system. For example, | contribute to the overall security of the 5G System. For example, | |||
| more confidence might be needed to make access control decisions | more confidence might be needed to make access control decisions | |||
| related to a scarce resource than implementation of filtering | related to a scarce resource than implementation of filtering | |||
| policies. As a result, different operators might have different | policies. As a result, different operators might have different | |||
| trust models for NFTypes certificate extension. | trust models for the NFTypes certificate extension. | |||
| 6. Privacy Considerations | 6. Privacy Considerations | |||
| In some security protocols, such as TLS 1.2 [RFC5246], certificates | In some security protocols, such as TLS 1.2 [RFC5246], certificates | |||
| are exchanged in the clear. In other security protocols, such as TLS | are exchanged in the clear. In other security protocols, such as TLS | |||
| 1.3 [RFC8446], the certificates are encrypted. The inclusion of | 1.3 [RFC8446], the certificates are encrypted. The inclusion of the | |||
| NFType certificate extension can help an observer determine which | NFTypes certificate extension can help an observer determine which | |||
| systems are of most interest based on the plaintext certificate | systems are of most interest based on the plaintext certificate | |||
| transmission. | transmission. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| For the NFType certificate extension in Section 3, IANA is requested | For the NFTypes certificate extension defined in Section 3, IANA has | |||
| to assign an object identifier (OID) for the certificate extension. | assigned an object identifier (OID) for the certificate extension. | |||
| The OID for the certificate extension should be allocated in the "SMI | The OID for the certificate extension has been allocated in the "SMI | |||
| Security for PKIX Certificate Extension" registry (1.3.6.1.5.5.7.1). | Security for PKIX Certificate Extension" registry (1.3.6.1.5.5.7.1). | |||
| For the ASN.1 Module in Section 4, IANA is requested to assign an | For the ASN.1 Module defined in Section 4, IANA has assigned an OID | |||
| object identifier (OID) for the module identifier. The OID for the | for the module identifier. The OID for the module has been allocated | |||
| module should be allocated in the "SMI Security for PKIX Module | in the "SMI Security for PKIX Module Identifier" registry | |||
| Identifier" registry (1.3.6.1.5.5.7.0). | (1.3.6.1.5.5.7.0). | |||
| 8. Acknowledgements | ||||
| Many thanks to Ben Smeets, Michael Li, Tim Hollebeek, Roman Danyliw, | ||||
| Bernie Volz, and Eric Vyncke for their review, comments, and | ||||
| assistance. | ||||
| 9. References | 8. References | |||
| 9.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [TS23.003] 3rd Generation Partnership Project, "Technical | [TS29.510] 3rd Generation Partnership Project, "Technical | |||
| Specification Group Core Network and Terminals; Numbering, | Specification Group Core Network and Terminals; 5G System; | |||
| addressing and identification (Release 17)", 3GPP | Network Function Repository Services; Stage 3 (Release | |||
| TS:23.003 V17.5.0 , March 2022, | 17)", 3GPP TS:29.510 V17.8.0, December 2022, | |||
| <https://www.3gpp.org/ftp/Specs/ | ||||
| archive/23_series/23.003/23003-h50.zip>. | ||||
| [TS29.510] 3rd Generation Partnership Project, "5G System; Network | ||||
| Function Repository Services; Stage 3 (Release 17)", 3GPP | ||||
| TS:29.510 V17.5.0 , March 2022, | ||||
| <https://www.3gpp.org/ftp/Specs/ | <https://www.3gpp.org/ftp/Specs/ | |||
| archive/29_series/29.510/29510-h50.zip>. | archive/29_series/29.510/29510-h80.zip>. | |||
| [TS33.310] 3rd Generation Partnership Project, "Network Domain | [TS33.310] 3rd Generation Partnership Project, "Technical | |||
| Security (NDS); Authentication Framework (AF) (Release | Specification Group Services and System Aspects; Network | |||
| 17)", 3GPP TS:33.310 V17.2.0 , March 2022, | Domain Security (NDS); Authentication Framework (AF) | |||
| (Release 17)", 3GPP TS:33.310 V17.4.0, September 2022, | ||||
| <https://www.3gpp.org/ftp/Specs/ | <https://www.3gpp.org/ftp/Specs/ | |||
| archive/33_series/33.310/33310-h20.zip>. | archive/33_series/33.310/33310-h40.zip>. | |||
| [X.680] ITU-T, "Information technology -- Abstract Syntax Notation | [X.680] ITU-T, "Information technology -- Abstract Syntax Notation | |||
| One (ASN.1): Specification of basic notation", ITU-T | One (ASN.1): Specification of basic notation", ITU-T | |||
| Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | |||
| <https://www.itu.int/rec/T-REC-X.680>. | <https://www.itu.int/rec/T-REC-X.680>. | |||
| 9.2. Informative References | 8.2. Informative References | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, | |||
| DOI 10.17487/RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, | |||
| <https://www.rfc-editor.org/info/rfc5246>. | <https://www.rfc-editor.org/info/rfc5246>. | |||
| [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | |||
| Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | |||
| DOI 10.17487/RFC5912, June 2010, | DOI 10.17487/RFC5912, June 2010, | |||
| <https://www.rfc-editor.org/info/rfc5912>. | <https://www.rfc-editor.org/info/rfc5912>. | |||
| skipping to change at page 7, line 25 ¶ | skipping to change at line 284 ¶ | |||
| [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules | [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules | |||
| for the Cryptographic Message Syntax (CMS) and the Public | for the Cryptographic Message Syntax (CMS) and the Public | |||
| Key Infrastructure Using X.509 (PKIX)", RFC 6268, | Key Infrastructure Using X.509 (PKIX)", RFC 6268, | |||
| DOI 10.17487/RFC6268, July 2011, | DOI 10.17487/RFC6268, July 2011, | |||
| <https://www.rfc-editor.org/info/rfc6268>. | <https://www.rfc-editor.org/info/rfc6268>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [TS29.571] 3rd Generation Partnership Project, "5G System; Common | [TS29.571] 3rd Generation Partnership Project, "Technical | |||
| Data Types for Service Based Interfaces; Stage 3 (Release | Specification Group Core Network and Terminals; 5G System; | |||
| 17)", 3GPP TS:29.571 V17.5.0 , March 2022, | Common Data Types for Service Based Interfaces; Stage 3 | |||
| (Release 17)", 3GPP TS:29.571 V17.8.0, December 2022, | ||||
| <https://www.3gpp.org/ftp/Specs/ | <https://www.3gpp.org/ftp/Specs/ | |||
| archive/29_series/29.571/29571-h50.zip>. | archive/29_series/29.571/29571-h80.zip>. | |||
| Appendix A. NFType Strings | Appendix A. NFType Strings | |||
| Table 6.1.6.3.3-1 of [TS29.510] defines the ASCII strings for the NF | Table 6.1.6.3.3-1 of [TS29.510] defines the ASCII strings for the NF | |||
| Types specified in 3GPP documents, which are listed below in | Types specified in 3GPP documents; these enumeration values in 3GPP | |||
| alphabetical order. This list is not exhaustive. | Release 17 are listed below in ascending lexicographic order. This | |||
| list is not exhaustive. | ||||
| "5G_DDNMF" "ICSCF" "SCEF" | "5G_DDNMF" "LMF" "PKMF" | |||
| "5G_EIR" "IMS_AS" "SCP" | "5G_EIR" "MBSF" "SCEF" | |||
| "AANF" "LMF" "SCSAS" | "AANF" "MBSTF" "SCP" | |||
| "ADRF" "MB-SMF" "SCSCF" | "ADRF" "MB_SMF" "SCSAS" | |||
| "AF" "MB-UPF" "SEPP" | "AF" "MB_UPF" "SCSCF" | |||
| "AMF" "MFAF" "SMF" | "AMF" "MFAF" "SEPP" | |||
| "AUSF" "MME" "SMSF" | "AUSF" "MME" "SMF" | |||
| "BSF" "N3IWF" "SOR_AF" | "BSF" "MNPF" "SMSF" | |||
| "CBCF" "NEF" "SPAF" | "CBCF" "N3IWF" "SMS_GMSC" | |||
| "CEF" "NRF" "TSCTSF" | "CEF" "NEF" "SMS_IWMSC" | |||
| "CHF" "NSACF" "UCMF" | "CHF" "NRF" "SOR_AF" | |||
| "DCCF" "NSSAAF" "UDM" | "DCCF" "NSACF" "SPAF" | |||
| "DRA" "NSSF" "UDR" | "DRA" "NSSAAF" "TSCTSF" | |||
| "EASDF" "NSWOF" "UDSF" | "EASDF" "NSSF" "UCMF" | |||
| "GBA_BSF" "NWDAF" "UPF" | "GBA_BSF" "NSWOF" "UDM" | |||
| "GMLC" "PCF" | "GMLC" "NWDAF" "UDR" | |||
| "HSS" "PCSCF" | "HSS" "PANF" "UDSF" | |||
| "ICSCF" "PCF" "UPF" | ||||
| "IMS_AS" "PCSCF" | ||||
| Appendix B. Example Certificate Containing a NFTypes Extension | Appendix B. Example Certificate Containing a NFTypes Extension | |||
| The example certificate conformes to certificate profile in | The example certificate conforms to the certificate profile in | |||
| Table 6.1.3c.3-1 of [TS33.310]. In addition, the NFTypes certificate | Table 6.1.3c.3-1 of [TS33.310]. In addition, the NFTypes certificate | |||
| is included with only one NFType, and it is "AMF". The | is included with only one NFType, and it is "AMF". The | |||
| SubjectAltName certificate extension contains a fully qualified | SubjectAltName certificate extension contains a fully qualified | |||
| domain names (FQDN) and a uniformResourceIdentifier, which carries | domain name (FQDN) and a uniformResourceIdentifier, which carries the | |||
| the NF Instance ID as specified in Clause 5.3.2 of [TS29.571]. | NF Instance ID as specified in Clause 5.3.2 of [TS29.571]. | |||
| -----BEGIN CERTIFICATE----- | -----BEGIN CERTIFICATE----- | |||
| MIIC0DCCAlagAwIBAgIUDD5o44zEdfSghT2hMK+P/EjGHlowCgYIKoZIzj0EAwMw | MIIC0DCCAlagAwIBAgIUDD5o44zEdfSghT2hMK+P/EjGHlowCgYIKoZIzj0EAwMw | |||
| FTETMBEGA1UECgwKRXhhbXBsZSBDQTAeFw0yMjExMjkxODE0NThaFw0yMzExMjkx | FTETMBEGA1UECgwKRXhhbXBsZSBDQTAeFw0yMjExMjkxODE0NThaFw0yMzExMjkx | |||
| ODE0NThaMDkxCzAJBgNVBAYTAlVTMSowKAYDVQQKEyE1Z2MubW5jNDAwLm1jYzMx | ODE0NThaMDkxCzAJBgNVBAYTAlVTMSowKAYDVQQKEyE1Z2MubW5jNDAwLm1jYzMx | |||
| MS4zZ3BwbmV0d29yay5vcmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATJ6IFHI683 | MS4zZ3BwbmV0d29yay5vcmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATJ6IFHI683 | |||
| q/JJjsJUfEiRFqGQ6uKDGJ0oqDP6wEhRAuvyEyz5pgRmz/7Mze1+s1qcnPU9mo1v | q/JJjsJUfEiRFqGQ6uKDGJ0oqDP6wEhRAuvyEyz5pgRmz/7Mze1+s1qcnPU9mo1v | |||
| rIW9rjKhb/Hm8H9TPvnMQwCRCtKvCD90MkWvc/G8qyCBpCms3zNOJOijggFBMIIB | rIW9rjKhb/Hm8H9TPvnMQwCRCtKvCD90MkWvc/G8qyCBpCms3zNOJOijggFBMIIB | |||
| PTATBggrBgEFBQcBIgQHMAUWA0FNRjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMDAw | PTATBggrBgEFBQcBIgQHMAUWA0FNRjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMDAw | |||
| DgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBRM | DgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBRM | |||
| skipping to change at page 12, line 4 ¶ | skipping to change at line 493 ¶ | |||
| : } | : } | |||
| 30 10: SEQUENCE { | 30 10: SEQUENCE { | |||
| 06 8: OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3) | 06 8: OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3) | |||
| : } | : } | |||
| 03 104: BIT STRING, encapsulates { | 03 104: BIT STRING, encapsulates { | |||
| 30 101: SEQUENCE { | 30 101: SEQUENCE { | |||
| 02 48: INTEGER | 02 48: INTEGER | |||
| : 4B 50 12 EB 7D 91 E9 64 88 C2 0C 47 E4 33 91 23 | : 4B 50 12 EB 7D 91 E9 64 88 C2 0C 47 E4 33 91 23 | |||
| : 46 22 E4 77 D0 BA F6 DD FB 5A AC B8 BD C0 CA 77 | : 46 22 E4 77 D0 BA F6 DD FB 5A AC B8 BD C0 CA 77 | |||
| : 65 12 09 61 08 1A 01 67 3A 82 67 F7 31 50 29 ED | : 65 12 09 61 08 1A 01 67 3A 82 67 F7 31 50 29 ED | |||
| 02 49: INTEGER | 02 49: INTEGER | |||
| : 00 A3 28 60 0B 70 E6 CA E4 36 31 3E 66 0E 82 A8 | : 00 A3 28 60 0B 70 E6 CA E4 36 31 3E 66 0E 82 A8 | |||
| : 49 1F F5 FD 9B 6A 71 65 B5 1B 8F 6D 3A 78 07 45 | : 49 1F F5 FD 9B 6A 71 65 B5 1B 8F 6D 3A 78 07 45 | |||
| : EB 6B 3E 73 FE 39 F7 34 33 CC F5 AB 5A 48 75 31 | : EB 6B 3E 73 FE 39 F7 34 33 CC F5 AB 5A 48 75 31 | |||
| : 39 | : 39 | |||
| : } | : } | |||
| : } | : } | |||
| : } | : } | |||
| Acknowledgements | ||||
| Many thanks to Ben Smeets, Michael Li, Tim Hollebeek, Roman Danyliw, | ||||
| Bernie Volz, and Éric Vyncke for their review, comments, and | ||||
| assistance. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Russ Housley | Russ Housley | |||
| Vigil Security, LLC | Vigil Security, LLC | |||
| Herndon, VA, | Herndon, VA | |||
| United States of America | United States of America | |||
| Email: housley@vigilsec.com | Email: housley@vigilsec.com | |||
| Sean Turner | Sean Turner | |||
| sn3rd | sn3rd | |||
| Washington, DC, | Washington, DC | |||
| United States of America | United States of America | |||
| Email: sean@sn3rd.com | Email: sean@sn3rd.com | |||
| John Preuß Mattsson | John Preuß Mattsson | |||
| Ericsson | Ericsson | |||
| Kista | Kista | |||
| Sweden | Sweden | |||
| Email: john.mattsson@ericsson.com | Email: john.mattsson@ericsson.com | |||
| Daniel Migault | Daniel Migault | |||
| End of changes. 42 change blocks. | ||||
| 126 lines changed or deleted | 120 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||
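Added worked example (my own code, not part of RFC 9310, the draft, or the rfcdiff output above): a stdlib-only Python module that DER-encodes, decodes and validates the NFTypes extension exactly as Section 3 constrains it (one or more IA5Strings of 1..32 characters, no control characters, space or DEL, no duplicates, ascending ASCII order, extension not critical), checks an operator-assigned name against the 3GPP Release 17 set from Appendix A as Section 5 requires, and parses the actual NFTypes Extension TLV carried by the Appendix B certificate (the 21 bytes `30 13 06 08 2b 06 01 05 05 07 01 22 04 07 30 05 16 03 41 4d 46`, which I decoded from the certificate's base64). Function names, error texts and the sample operator name `OPERATOR_PROBE_AF` are my assumptions; the OID, the 56 strings and the extension bytes are the RFC's.

```python
# Added example, not code from RFC 9310, the IETF LAMPS WG or 3GPP: DER-encode, decode and
# validate the NFTypes extension of Section 3 with the standard library only. The OID, the
# Release 17 strings and the Appendix B extension bytes come from the RFC; the rest is mine.
from typing import List, Optional, Tuple

ID_PE_NFTYPE = bytes.fromhex("2b06010505070122")  # 1.3.6.1.5.5.7.1.34 as OID content octets
TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_IA5STRING, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x16, 0x30

# 3GPP Release 17 NF Type strings (Appendix A), already in ascending ASCII order
RELEASE17_NFTYPES = (
    "5G_DDNMF", "5G_EIR", "AANF", "ADRF", "AF", "AMF", "AUSF", "BSF", "CBCF", "CEF",
    "CHF", "DCCF", "DRA", "EASDF", "GBA_BSF", "GMLC", "HSS", "ICSCF", "IMS_AS", "LMF",
    "MBSF", "MBSTF", "MB_SMF", "MB_UPF", "MFAF", "MME", "MNPF", "N3IWF", "NEF", "NRF",
    "NSACF", "NSSAAF", "NSSF", "NSWOF", "NWDAF", "PANF", "PCF", "PCSCF", "PKMF", "SCEF",
    "SCP", "SCSAS", "SCSCF", "SEPP", "SMF", "SMSF", "SMS_GMSC", "SMS_IWMSC", "SOR_AF",
    "SPAF", "TSCTSF", "UCMF", "UDM", "UDR", "UDSF", "UPF",
)
# NFTypes Extension of the Appendix B certificate (decoded from its base64): OID, OCTET STRING
APPENDIX_B_EXTENSION = bytes.fromhex("3013" "06082b06010505070122" "0407" "30051603414d46")

def nftypes_error(nftypes: List[str]) -> Optional[str]:
    """Return the Section 3 rule that the list violates, or None if it is valid."""
    if not nftypes:
        return "NFTypes must contain at least one NFType"
    for s in nftypes:
        if not 1 <= len(s) <= 32 or any(not 0x21 <= ord(c) <= 0x7E for c in s):
            return f"NFType {s!r} must be 1..32 ASCII characters with no controls, space or DEL"
    if len(set(nftypes)) != len(nftypes):
        return "NFTypes must not contain the same NFType more than once"
    if list(nftypes) != sorted(nftypes):  # Python str order is code point order == ASCII order
        return "NFTypes must be in ascending ASCII order"
    return None

def _tlv(tag: int, content: bytes) -> bytes:
    """DER TLV with a minimal definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_nftypes(nftypes: List[str]) -> bytes:
    """DER-encode NFTypes ::= SEQUENCE SIZE (1..MAX) OF IA5String (SIZE (1..32))."""
    if (err := nftypes_error(nftypes)) is not None:
        raise ValueError(err)
    return _tlv(TAG_SEQUENCE, b"".join(_tlv(TAG_IA5STRING, s.encode("ascii")) for s in nftypes))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos and return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal (non-DER) length encoding")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_nftypes(der: bytes) -> List[str]:
    """Decode an NFTypes value and enforce every Section 3 rule; ValueError on failure."""
    tag, content, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("NFTypes must be a single SEQUENCE")
    nftypes, pos = [], 0
    while pos < len(content):
        tag, item, pos = _read_tlv(content, pos)
        if tag != TAG_IA5STRING:
            raise ValueError("each NFType must be an IA5String")
        nftypes.append(item.decode("ascii"))  # non-ASCII bytes raise a ValueError subclass
    if (err := nftypes_error(nftypes)) is not None:
        raise ValueError(err)
    return nftypes

def parse_nftypes_extension(ext_der: bytes) -> List[str]:
    """Parse an RFC 5280 Extension TLV carrying id-pe-nftype and return its NFTypes."""
    tag, body, end = _read_tlv(ext_der, 0)
    if tag != TAG_SEQUENCE or end != len(ext_der):
        raise ValueError("Extension must be a single SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != TAG_OID or oid != ID_PE_NFTYPE:
        raise ValueError("not the id-pe-nftype extension")
    tag, value, pos = _read_tlv(body, pos)
    if tag == TAG_BOOLEAN:  # MUST NOT be critical; DER omits DEFAULT FALSE, so any BOOLEAN fails
        raise ValueError("NFTypes extension must not be marked critical")
    if tag != TAG_OCTET_STRING or pos != len(body):
        raise ValueError("malformed Extension")
    return decode_nftypes(value)

def operator_nftype_conflicts(candidates: List[str]) -> List[str]:
    """Operator-assigned NF Types that collide with the 3GPP-defined set (Section 5)."""
    return [c for c in candidates if c in RELEASE17_NFTYPES]
```

`parse_nftypes_extension(APPENDIX_B_EXTENSION)` returns `['AMF']`, `encode_nftypes(["AMF", "SMF"])` yields `300a1603414d461603534d46`, and `nftypes_error(["SMF", "AMF"])` reports the ordering violation rather than silently sorting, because a relying party that reorders or de-duplicates on its own accepts a non-conforming certificate and then makes a role-based decision on data the CA never vouched for in that form. To feed a full certificate into this, the extension value bytes (the OCTET STRING contents) can be pulled out with a generic X.509 library; with the `cryptography` package, for instance, `cert.extensions.get_extension_for_oid(x509.ObjectIdentifier("1.3.6.1.5.5.7.1.34")).value.value` returns them for an extension the library does not itself recognise, and `decode_nftypes()` takes it from there.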