[{"name":"S2-1906849","title":"LS from TSG SA: Reply LS on Nudr Sensitive Data Protection","source":"TSG SA","contact":"Krister S\u00e4llberg","contact-id":11978,"tdoctype":"LS in","for":"Action","abstract":"TSG SA thanks SA WG2 for the LS on Nudr Sensitive Data Protection. SA has discussed the proposal by SA WG3 to disallow the storage of the authentication data in the UDR in Release 15 and concluded that it is not agreeable. This is because Release 15 is frozen and storing authentication data in the UDR is in-line with the current functional requirement specified in TS 23.501 and how it was done in previous generations following SA WG3 guidance and recommendation during the earlier work on User Data Convergence (UDC). SA would like to ask SA WG3 to take into account the deployment option where the authentication data is stored encrypted in the UDR and adequately document the security requirements to enable 1) the storage of sensitive data such as authentication credentials in the UDR and 2) the transfer of such data over the Nudr interface and 3) a stateless UDM as per SA WG2 requirements. Storage of the authentication credentials in the ARPF and the interface between the ARPF and the UDM\/HSS should be considered and specified in Rel-16, as per normal working procedures. Action: TSG SA kindly asks SA WG2 and CT WG4 to take the above into account.","secretary_remarks":"Noted in parallel session","agenda_item_sort_order":21,"ainumber":"6.5.4","ainame":"Security related functions and flows","tdoc_agenda_sort_order":11970,"status":"noted","reservation_date":"2019-06-10 18:36:16","uploaded":"2019-06-12 11:37:53","revisionof":"","revisedto":"","release":"","crspec":"","crspecversion":"","workitem":"","crnumber":"","crrevision":"","crcategory":"","tsg_crp":"","lsreplyto":"","lsto":"SA WG2, SA WG3, CT WG4","Cc":"TSG CT","lsoriginalls":"SP-190581","lsreply":"","link":"http:\/\/www.3gpp.org\/ftp\/tsg_sa\/WG2_Arch\/TSGS2_134_Sapporo\/Docs\/S2-1906849.zip","group":"S2","meeting":"S2-134","year":2019,"uicc_affected":null,"me_affected":null,"ran_affected":null,"cn_affected":null,"clauses_affected":null,"crsinpack":null,"crsinpacknumber":0},
{"name":"S2-1907072","title":"Discrepancy with TS 33.501 with respect to Secondary Authentication","source":"Intel","contact":"Saso Stojanovski","contact-id":24932,"tdoctype":"CR","for":"Approval","abstract":"Summary of change: Clause 2: Added a reference to TS 29.561. Clause 4.3.2.3: - Clarified that the UE can provide the DN-specific identity inside the 'SM PDU DN Request' container in the PDU Session Establishment Request or inside the EAP message in the PDU Session Authentication Complete message. - Clarified that the authentication procedure with the DN-AAA server authenticates the DN-specific identity provided by the UE (it does not forward the 'SM PDU DN Request Container' as stated in the current text). - Fixed the NOTE stating where 'SM PDU DN Request container' is defined and moved it upwards.","secretary_remarks":"Agreed in parallel session. This was Block approved","agenda_item_sort_order":21,"ainumber":"6.5.4","ainame":"Security related functions and flows","tdoc_agenda_sort_order":12070,"status":"agreed","reservation_date":"2019-06-14 15:27:26","uploaded":"2019-06-17 14:47:55","revisionof":"","revisedto":"","release":"Rel-15","crspec":23.502,"crspecversion":"15.6.0","workitem":[{"winame":"5GS_Ph1"}],"crnumber":1497.0,"crrevision":"","crcategory":"F","tsg_crp":"SP-190601","lsreplyto":"","lsto":"","Cc":"","lsoriginalls":"","lsreply":"","link":"http:\/\/www.3gpp.org\/ftp\/tsg_sa\/WG2_Arch\/TSGS2_134_Sapporo\/Docs\/S2-1907072.zip","group":"S2","meeting":"S2-134","year":2019,"uicc_affected":null,"me_affected":null,"ran_affected":null,"cn_affected":null,"clauses_affected":null,"crsinpack":null,"crsinpacknumber":0},
{"name":"S2-1907074","title":"Discrepancy with TS 33.501 with respect to Secondary Authentication","source":"Intel","contact":"Saso Stojanovski","contact-id":24932,"tdoctype":"CR","for":"Approval","abstract":"Rel-16 mirror CR: Summary of change: Clause 2: Added a reference to TS 29.561. Clause 4.3.2.3: - Clarified that the UE can provide the DN-specific identity inside the 'SM PDU DN Request' container in the PDU Session Establishment Request or inside the EAP message in the PDU Session Authentication Complete message. - Clarified that the authentication procedure with the DN-AAA server authenticates the DN-specific identity provided by the UE (it does not forward the 'SM PDU DN Request Container' as stated in the current text). - Fixed the NOTE stating where 'SM PDU DN Request container' is defined and moved it upwards.","secretary_remarks":"Agreed in parallel session. This was Block approved","agenda_item_sort_order":21,"ainumber":"6.5.4","ainame":"Security related functions and flows","tdoc_agenda_sort_order":12080,"status":"agreed","reservation_date":"2019-06-14 15:32:29","uploaded":"2019-06-17 14:47:55","revisionof":"","revisedto":"","release":"Rel-16","crspec":23.502,"crspecversion":"16.1.1","workitem":[{"winame":"5GS_Ph1"}],"crnumber":1498.0,"crrevision":"","crcategory":"A","tsg_crp":"SP-190601","lsreplyto":"","lsto":"","Cc":"","lsoriginalls":"","lsreply":"","link":"http:\/\/www.3gpp.org\/ftp\/tsg_sa\/WG2_Arch\/TSGS2_134_Sapporo\/Docs\/S2-1907074.zip","group":"S2","meeting":"S2-134","year":2019,"uicc_affected":null,"me_affected":null,"ran_affected":null,"cn_affected":null,"clauses_affected":null,"crsinpack":null,"crsinpacknumber":0},
{"name":"S2-1907084","title":"Discrepancy with TS 33.501 with respect to Secondary Authentication","source":"Intel","contact":"Saso Stojanovski","contact-id":24932,"tdoctype":"CR","for":"Approval","abstract":"Summary of change: Clause 5.6.6: clarified that if the UE has not provided a DN-specific identity as part of the PDU Session Establishment Request, the SMF uses EAP procedures to request the UE to indicate a DN-specific identity.","secretary_remarks":"Agreed in parallel session. This was Block approved","agenda_item_sort_order":21,"ainumber":"6.5.4","ainame":"Security related functions and flows","tdoc_agenda_sort_order":12090,"status":"agreed","reservation_date":"2019-06-14 15:57:46","uploaded":"2019-06-17 14:47:55","revisionof":"","revisedto":"","release":"Rel-15","crspec":23.501,"crspecversion":"15.6.0","workitem":[{"winame":"5GS_Ph1"}],"crnumber":1493.0,"crrevision":"","crcategory":"F","tsg_crp":"SP-190601","lsreplyto":"","lsto":"","Cc":"","lsoriginalls":"","lsreply":"","link":"http:\/\/www.3gpp.org\/ftp\/tsg_sa\/WG2_Arch\/TSGS2_134_Sapporo\/Docs\/S2-1907084.zip","group":"S2","meeting":"S2-134","year":2019,"uicc_affected":null,"me_affected":null,"ran_affected":null,"cn_affected":null,"clauses_affected":null,"crsinpack":null,"crsinpacknumber":0},
{"name":"S2-1907086","title":"Discrepancy with TS 33.501 with respect to Secondary Authentication","source":"Intel","contact":"Saso Stojanovski","contact-id":24932,"tdoctype":"CR","for":"Approval","abstract":"Rel-16 mirror CR: Summary of change: Clause 5.6.6: clarified that if the UE has not provided a DN-specific identity as part of the PDU Session Establishment Request, the SMF uses EAP procedures to request the UE to indicate a DN-specific identity.","secretary_remarks":"Revised in parallel session to S2-1907835.","agenda_item_sort_order":21,"ainumber":"6.5.4","ainame":"Security related functions and flows","tdoc_agenda_sort_order":12010,"status":"revised","reservation_date":"2019-06-14 16:02:35","uploaded":"2019-06-17 14:47:55","revisionof":"","revisedto":"S2-1907835","release":"Rel-16","crspec":23.501,"crspecversion":"16.1.0","workitem":[{"winame":"5GS_Ph1"}],"crnumber":1494.0,"crrevision":"","crcategory":"A","tsg_crp":"","lsreplyto":"","lsto":"","Cc":"","lsoriginalls":"","lsreply":"","link":"http:\/\/www.3gpp.org\/ftp\/tsg_sa\/WG2_Arch\/TSGS2_134_Sapporo\/Docs\/S2-1907086.zip","group":"S2","meeting":"S2-134","year":2019,"uicc_affected":null,"me_affected":null,"ran_affected":null,"cn_affected":null,"clauses_affected":null,"crsinpack":null,"crsinpacknumber":0},
{"name":"S2-1907835","title":"Discrepancy with TS 33.501 with respect to Secondary Authentication","source":"Intel","contact":"Saso Stojanovski","contact-id":24932,"tdoctype":"CR","for":"Approval","abstract":"Rel-16 mirror CR: Summary of change: Clause 5.6.6: clarified that if the UE has not provided a DN-specific identity as part of the PDU Session Establishment Request, the SMF uses EAP procedures to request the UE to indicate a DN-specific identity.","secretary_remarks":"Revision of S2-1907086. Agreed in parallel session. This was Block approved","agenda_item_sort_order":21,"ainumber":"6.5.4","ainame":"Security related functions and flows","tdoc_agenda_sort_order":12110,"status":"agreed","reservation_date":"2019-07-04 09:08:20","uploaded":"2019-07-04 09:17:56","revisionof":"S2-1907086","revisedto":"","release":"Rel-16","crspec":23.501,"crspecversion":"16.1.0","workitem":[{"winame":"5GS_Ph1"}],"crnumber":1494.0,"crrevision":1.0,"crcategory":"A","tsg_crp":"SP-190601","lsreplyto":"","lsto":"","Cc":"","lsoriginalls":"","lsreply":"","link":"http:\/\/www.3gpp.org\/ftp\/tsg_sa\/WG2_Arch\/TSGS2_134_Sapporo\/Docs\/S2-1907835.zip","group":"S2","meeting":"S2-134","year":2019,"uicc_affected":null,"me_affected":null,"ran_affected":null,"cn_affected":null,"clauses_affected":null,"crsinpack":null,"crsinpacknumber":0}]