5G-WAVE: A Core Network Framework with Decentralized Authorization for Network Slices

Pragya Sharma, Tolga Atalay, Hans-Andrew Gibbs, Dragoslav Stojadinovic, Angelos Stavrou, Haining Wang

TL;DR

The paper addresses the security and performance vulnerabilities of centralized, OAuth-based inter-VNF authorization, in which the NRF acts as the authorization server, in 5G cores. It introduces 5G-WAVE, a decentralized authorization framework that uses WAVE attestations and Side-Car Proxies (wSCP/rSCP) within a Kubernetes-based 5G core, implemented atop the OpenAirInterface platform. Experimental results show an authorization overhead of approximately 155 ms per HTTP transaction and scalable behavior with network growth (1.4x latency increase for a 10x larger network). A security analysis highlights mitigation of OAuth-related vulnerabilities and alignment with several 3GPP security issues. The work demonstrates that decentralized inter-VNF authorization can reduce attack surfaces and improve resilience in multi-slice 5G deployments, with practical implications for operator security postures and future multi-operator networks.

Abstract

5G mobile networks leverage Network Function Virtualization (NFV) to offer services in the form of network slices. Each network slice is a logically isolated fragment constructed by service chaining a set of Virtual Network Functions (VNFs). The Network Repository Function (NRF) acts as a central OpenAuthorization (OAuth) 2.0 server to secure inter-VNF communications, resulting in a single point of failure. Thus, we propose 5G-WAVE, a decentralized authorization framework for the 5G core by leveraging the WAVE framework and integrating it into the OpenAirInterface (OAI) 5G core. Our design relies on Side-Car Proxies (SCPs) deployed alongside individual VNFs, allowing point-to-point authorization. Each SCP acts as a WAVE engine to create entities and attestations and verify incoming service requests. We measure the authorization latency overhead for VNF registration, 5G Authentication and Key Agreement (AKA), and data session setup, and observe that WAVE verification introduces 155 ms overhead to HTTP transactions for decentralizing authorization. Additionally, we evaluate the scalability of 5G-WAVE by instantiating more network slices and observe a 1.4x increase in latency with 10x growth in network size. We also discuss how 5G-WAVE can significantly reduce the 5G attack surface without using OAuth 2.0 while addressing several key issues of 5G standardization.

Paper Structure (21 sections, 11 figures, 5 tables)

This paper contains 21 sections, 11 figures, 5 tables.

Figures (11)

  • Figure 1: 5G core service-based architecture
  • Figure 2: NRF as OAuth2.0 server for inter-VNF authorization
  • Figure 3: Side-car proxy overview in Kubernetes environment
  • Figure 4: Overview of the 5G-WAVE integrated platform to achieve decentralized inter-VNF authorization in the 5G core
  • Figure 5: Overview of intra/inter network slice interactions for the integrated 5G-WAVE platform
  • ...and 6 more figures