by Barry Manz, Editor, Microwave Product Digest
In the evolving telecommunications and information technology landscape, one term that has been gaining prominence in recent years is “network slicing” because it can potentially revolutionize network management, creating a fundamental shift in how communications networks are designed, deployed, and operated.
Network slicing allows network operators to partition a single physical network into multiple virtual networks tailored to specific user needs (Figure 1). This flexibility empowers providers to offer diverse services and applications, from ultra-reliable low-latency communication for vehicles to massive IoT deployments, all on the same infrastructure. With network slicing, bandwidth, processing power, and storage resources can be dynamically allocated to meet varying demands. This ensures optimal utilization of network assets, reducing wastage and enhancing the overall network efficiency.
There are three basic alternatives to network slicing. First, custom 4G technology, a 4G access point name (APN), or a 5G data network name (DNN) can logically separate some network traffic, but only part of the functionality of an end-to-end network slice is retained. Second, a Mobile Virtual Network Operator (MVNO) model can be used, but it requires a significant investment of cost and time. Third, a private 5G non-standalone network, a private 5G standalone network, or a combination of the two can implement 5G network slices.
In summary, network slicing is a superior solution due to its unmatched customization, efficiency, security, revenue potential, and adaptability to emerging technologies. As connectivity demands continue to evolve, network slicing in 5G represents a forward-looking approach that offers benefits compared to traditional network management alternatives.
Figure 2 illustrates a sample composition of network slices. Each network slice is a logical resource provisioned to deliver a level of service. The level of service delivered by a composition of network slices typically differs from the level of service delivered by each component network slice. That level can be higher, lower, or the same as the service levels of each component network slice.
How it Works
Network slicing allows a network “slice” to act as an isolated end-to-end network tailored to fulfill the diverse requirements of a particular application request. In the context of mobile networks, network slicing evolved from the RAN-sharing concept introduced in LTE; examples include multi-operator radio access networks (MORAN) and multi-operator core networks (MOCN), which allow network operators to share common resources within the same radio access network (RAN) (Figure 3).
An operator can use network slicing to logically allocate physical resources across one or more slices, where each slice may have a different Quality of Service (QoS) and other performance characteristics, as well as configurations and policies to meet a variety of use cases and possible Service Level Agreements (SLAs). For example, a slice supporting mobile broadband users requires high data rates and traffic volumes, a slice supporting Internet of Things devices may optimize high-density devices and power consumption, and a slice supporting vehicle safety systems may provide high reliability and low latency communications.
A 5G standalone network enables multiplexing independent logical networks that can share the same physical resources, such as computers, networking, network resources, management, and administrators, enabling more efficient resource utilization and cost savings. A network slice provides a virtual network service that connects an application running on the user equipment, such as a smartphone or IoT sensor, with applications running on other user equipment or servers connected to a data network.
With network slicing, the needs of each organization can be fulfilled with multiple logical networks created on top of shared physical infrastructure: the Radio Access Network (RAN), Core Network, Transport Network (TN), and a service orchestrator. Traffic is carried across the network with logical isolation in both the control and user planes. Logically isolating network functions and other compute workloads, as well as the storage of subscriber profiles and other data, can help protect the information in one slice if another slice is compromised.
Many threat vectors affect a 5G network slice (Figure 4). Denial of Service (DoS) attacks on the signaling plane, misconfiguration attacks, and Man-in-the-Middle (MITM) attacks pose significant risks to network slicing. Relative to the commonly known confidentiality, integrity, and availability triad, DoS directly attacks the availability of the system and its functionality, including loss of access to the 5G infrastructure, access to remote data, or compromised communication services.
With network slicing, authentication, authorization, and specialized policies and configurations can be applied on a per-slice basis. Security elements, monitoring, and analytics can also be customized per slice. Many of these concepts help apply a Zero Trust Architecture (ZTA) paradigm to the network slice itself; however, the capabilities and options for a network slice vary by operator and do not address zero trust beyond the slice, in the operator’s wider network, external data networks, or the application itself.
The logical isolation of network slicing means tasks are separated in virtual machines or containers, and those workloads may or may not be run on the same physical machine or interconnected set of physical machines. In the case of the same physical machine, the workloads can share the same hypervisor and container execution engine. In the case of separate physical machines but interconnected groups of machines, the systems share network connectivity, and the workloads may share the same orchestration system.
Taking logical isolation further, a specific network slice can be configured to execute its network functions and related workloads only on a dedicated set of physical machines that host no other computing tasks. However, the isolated physical machines can share network connectivity, orchestration systems, and human administrators with other slices.
From a security perspective, network slicing is a logical part of a more extensive system, where security is inherently intertwined, and it provides benefits and trade-offs from functional and security perspectives. The life cycle management of a slice includes slice design, the virtualized network function (VNF) on-boarding, network preparation to support the slice, slice creation and instantiation, operationalizing, and day-to-day management of the slices, including scaling in/out based on service assurance. Service assurance is provided by constant supervision/monitoring, reporting, and modifying the network in an automated manner. Modifications may involve configuration changes, instantiation of networks and network function resources.
ZTA can help harden a 5G deployment and can be accomplished using authorization and audit techniques. Proper implementation of authentication and authorization also helps prevent threats from misconfiguration attacks.
Both misconfiguration attacks and MITM attacks can have a broad range of adverse effects on confidentiality, integrity, and availability. Misconfiguration attacks refer to adversaries taking advantage of misconfigured system controls. It might include security features inadvertently turned off or system monitoring services being disabled.
MITM attacks imply that the adversary secretly relays and possibly alters the communications between two endpoints. Attacks like these could be devastating, as misinformation and disinformation could result. Applying ZTA principles could effectively mitigate these MITM attacks on 5G.
Cyber hygiene must be followed to minimize cyber impacts due to inherent system vulnerabilities and misconfigurations. ZTA requires authentication, authorization, and accounting (AAA) techniques to be employed within and between all 5G components and the connected supporting infrastructure. Cyber risk assessment must be performed periodically, as new and emerging threats continue to be introduced to the operating environment.
The core network consists of several well-defined network functions (NFs). A network function can be an abstract service definition or an instance of that service. Multiple network slices (NSs) may share an instance of a network function, or an instance may be allocated exclusively to one slice. The data network (DN) is a non-5G transport network that connects elements in the core network to applications or services outside of the 5G network. Service orchestration frameworks (Management and Network Orchestration (MANO), the Open Network Automation Platform (ONAP), etc.) are popular means to manage the life cycle of a network slice and its services.
A network slice may use entirely physical resources or a mix of physical and virtual resources. In 5G, network slicing allows operators to create logical data pipelines and control/management functions for each type of service, thereby assuring the requirements of each one. In addition to authentication and authorization measures, confidentiality requires data protection within a network slice while that data is in transit or at rest (i.e., stored in transient or persistent storage). Transmission methods include shared memory, data buses or networks within a computing platform, and networks between computer platforms.
Storage includes any persistent or transient storage device. Two methods used to protect against data leakage are isolation (physical or virtual) and encryption. Physical isolation requires dedicated physical resources; virtual isolation may be accomplished using virtual resources such as sessions or virtual storage with restricted access. The level of isolation and encryption is governed by the service level requirements (SLRs) specified for a network slice. The implementation of the network slice must ensure that all functional components sufficiently support the confidentiality, integrity, and availability requirements.
Network Slice Selection Assistance Information (NSSAI) is used to identify a network slice uniquely within the network operator (NOP) domain. The user equipment (UE) subscription information can contain at least one default NSSAI to be used when the UE performs initial registration. The Access and Mobility Management Function (AMF) or the Network Slice Selection Function (NSSF) of the serving Public Land Mobile Network (PLMN) maps the subscribed NSSAI values from the home PLMN to the respective NSSAI values used in the serving PLMN. This mapping is based on PLMN policy or agreements between the visited and home PLMNs.
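The following is an added illustration, not code from the article or from any 3GPP specification: it encodes single NSSAI values (S-NSSAI, an 8-bit Slice/Service Type plus an optional 24-bit Slice Differentiator) and models the serving-PLMN step described above as a simple admission check. A requested value is granted only if it appears in the UE's subscription, and only then is the home-PLMN value mapped to the serving-PLMN value; the subscription and mapping table are constructed sample data, and the requested values are assumed to be expressed in home-PLMN terms.

```python
from dataclasses import dataclass

# Standardized Slice/Service Type values (subset) from 3GPP TS 23.501.
SST_NAMES = {1: "eMBB", 2: "URLLC", 3: "MIoT"}
NO_SD = 0xFFFFFF  # 3GPP convention: Slice Differentiator not present


@dataclass(frozen=True)
class SNssai:
    sst: int          # Slice/Service Type, 8 bits
    sd: int = NO_SD   # Slice Differentiator, 24 bits

    def __post_init__(self):
        if not 0 <= self.sst <= 0xFF or not 0 <= self.sd <= 0xFFFFFF:
            raise ValueError("S-NSSAI field out of range")

    @classmethod
    def parse(cls, text):
        """Parse 'sst' or 'sst-sd' with sd as six hex digits, e.g. '1-00ABCD'."""
        sst, _, sd = text.partition("-")
        return cls(int(sst), int(sd, 16) if sd else NO_SD)

    def __str__(self):
        return f"{self.sst}" if self.sd == NO_SD else f"{self.sst}-{self.sd:06X}"


def admit_requested_nssai(requested, subscribed, hplmn_to_vplmn):
    """Simplified model of the AMF/NSSF step: a requested S-NSSAI is allowed only if
    it is subscribed; allowed values are then mapped to the serving PLMN's values.
    Unsubscribed values are rejected before any mapping. Returns (allowed, rejected)."""
    allowed, rejected = [], []
    for s in requested:
        if s not in subscribed:
            rejected.append(s)
            continue
        allowed.append(hplmn_to_vplmn.get(s, s))  # unmapped values pass through unchanged
    return allowed, rejected


# Constructed sample data (hypothetical subscription and roaming agreement).
SUBSCRIBED = {SNssai.parse("1"), SNssai.parse("2-000001")}       # default eMBB + one URLLC slice
MAPPING = {SNssai.parse("2-000001"): SNssai.parse("2-00A001")}   # home SD -> visited SD

if __name__ == "__main__":
    req = [SNssai.parse(x) for x in ("1", "2-000001", "3-0000FF")]
    ok, bad = admit_requested_nssai(req, SUBSCRIBED, MAPPING)
    print("allowed:", [str(s) for s in ok], "rejected:", [str(s) for s in bad])
```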
Network Slice Service Level Characteristics
Organizations like the 3GPP, GSMA, IETF, and MEF have specified service level characteristics (SLCs) that describe aspects of a provided network slice. From their documents, a working group of government and industry experts led by ESF identified over 90 independent SLCs. Service level characteristics can be used to specify service level requirements (SLRs), including security and others, on a network slice. When applicable, additional SLCs, such as described in the GSMA Generic Network Slice Template (NEST) document, can be used. SLCs related to QoS are defined in the 3GPP TS 23.501 document.
Each network slice can provide the agreed service level for specific functionality requested by different service providers or tenants; the network slice customer (NSC) specifies its requirements on the network slice. A meaningful implementation of a network slice must be able to determine when a customer’s requirements are not met. Each network slice SLC is intended to specify a measurable metric within a network slice implementation.
Each SLR specifies a value for an SLC. That value is then used to determine whether the implementation meets the SLR. Multiple values may be specified for an SLC that is an array.
Example: An SLR on the latency between a UE and the User Plane Function (UPF) can be specified as a requirement that the packet delay budget is 300 ms.
Two strategies are used to simplify the specification of SLRs. First, there is no need to specify an SLC when any of its possible values is sufficient to meet the customer’s requirements; no implementation assumptions are to be made for service level characteristics that an SLR does not reference. Second, the remaining SLCs can be bundled into standard or industry-defined subsets called network slice profiles (e.g., the 3GPP 5G QoS Identifier (5QI)). When applicable, the standardized 5QI values defined in 3GPP TS 23.501 can be used.
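As an added worked example (not from the article), the following evaluates measured slice metrics against an SLR in the way the preceding paragraphs describe: only SLCs the SLR references are checked, a 5QI profile expands into several SLCs that explicit SLRs can override, and the article's 300 ms UE-to-UPF packet delay budget is expressed through 5QI 9. The SLC names and the probe measurements are constructed; the two 5QI rows are a subset of the 3GPP TS 23.501 QoS table.

```python
# Standardized 5QI profiles bundle several QoS SLCs under one identifier
# (two rows of 3GPP TS 23.501 Table 5.7.4-1; PDB in ms, PER as a fraction).
FIVE_QI_PROFILES = {
    1: {"packet_delay_budget_ms": 100, "packet_error_rate": 1e-2},  # conversational voice
    9: {"packet_delay_budget_ms": 300, "packet_error_rate": 1e-6},  # default non-GBR traffic
}

# Hypothetical SLC names for this example. An UPPER_BOUND SLC is met when the
# measurement is <= the required value, a LOWER_BOUND SLC when it is >= it.
UPPER_BOUND = {"packet_delay_budget_ms", "packet_error_rate", "jitter_ms"}
LOWER_BOUND = {"downlink_throughput_mbps", "availability_pct"}


def expand_slr(explicit, five_qi=None):
    """Merge a 5QI profile (if given) with explicitly stated SLRs; explicit values win."""
    merged = dict(FIVE_QI_PROFILES[five_qi]) if five_qi is not None else {}
    merged.update(explicit)
    return merged


def evaluate(slr, measured):
    """Return {slc: met?} for every SLC the SLR references. Unreferenced SLCs are
    ignored, so nothing is assumed about them. A referenced SLC with no measurement
    counts as unmet, because compliance cannot be demonstrated for it."""
    result = {}
    for slc, required in slr.items():
        value = measured.get(slc)
        if value is None:
            result[slc] = False
        elif slc in UPPER_BOUND:
            result[slc] = value <= required
        elif slc in LOWER_BOUND:
            result[slc] = value >= required
        else:
            result[slc] = value == required  # array/enumeration SLC: exact match
    return result


def compliant(slr, measured):
    """True only when every referenced SLC is met."""
    return all(evaluate(slr, measured).values())


# Constructed sample: the text's 300 ms UE-to-UPF packet delay budget via 5QI 9,
# plus an explicit throughput floor, checked against constructed probe readings.
SAMPLE_SLR = expand_slr({"downlink_throughput_mbps": 50}, five_qi=9)
SAMPLE_MEASURED = {"packet_delay_budget_ms": 180, "packet_error_rate": 2e-7,
                   "downlink_throughput_mbps": 42, "jitter_ms": 5}

if __name__ == "__main__":
    print(evaluate(SAMPLE_SLR, SAMPLE_MEASURED), compliant(SAMPLE_SLR, SAMPLE_MEASURED))
```

Here the delay budget and error rate are met but the throughput floor is not, so the slice is reported as non-compliant; the measured jitter is ignored because the SLR never referenced it.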
Any Open RAN implementation must meet the following security objectives to ensure:
- The confidentiality, integrity, and availability triad of the network slice user data in transit within the Open RAN
- Integrity of the physical and logical path of the network slice user data within the Open RAN
- Confidentiality of the identity of the owner of the network slice user data within the Open RAN
- Confidentiality of the geographic location of the network slice user data within the Open RAN
Although there are many methods to compromise a network slice, the design of an Open RAN implementation should specifically mitigate unauthorized access and misconfiguration compromises.
Unauthorized access to a network slice within an O-RAN system requires access to the 5G user plane and control plane. The 5G system provides for optional Packet Data Convergence Protocol (PDCP) confidentiality and data integrity mechanisms to prevent unauthorized access to the user plane and control plane within the O-RAN system. If an operator does not implement these mechanisms, an attacker could access the user and control planes within the entire O-RAN system.
O-RAN supports optional 3GPP confidentiality and data integrity mechanisms for the backhaul interfaces between the 5G RAN and the 5G core. If an operator does not implement these optional mechanisms, a threat actor could access the system user plane and control plane between the O-RAN system and the 5G core.
Like any component of a 5G RAN, the control unit requires security controls to prevent unauthorized access to the user plane and control plane. A virtualized centralized unit requires similar security controls. Misconfiguration exploits target the availability and integrity of a network slice. An O-RAN system misconfiguration attack on the availability of a network slice could deny service with precision ranging from targeting an operator RAN down to a specific network slice. An O-RAN system misconfiguration attack on the integrity of a network slice could modify the physical and/or logical path of the network slice user data in transit from the radio unit to the control unit.
The high-level potential threats identified concerning the core network include attacks that may originate from UEs, unauthorized humans, and unauthorized machines towards the core NFs. The attacks may include spoofing of customer-specific NSSAI by UEs and other identity theft. Other attacks of this class include unauthorized access to a customer’s NFs by NFs from another slice using the control plane; for example, a Unified Data Management (UDM) function in one slice might request subscription information about members of another slice from a Unified Data Repository (UDR) in that other slice. Misconfiguration and tampering attacks can lead to denial of service (DoS) for legitimate slice users.
Passive or active eavesdropping could lead to leakage of highly sensitive information about customer slices, such as NSSAI sent over the air, subscriber information, UE location information, subscription information, and knowledge of who is using which slice; such information may also leak between slices. Slice-specific network information (e.g., routing information from the Network Repository Function (NRF)) and sensitive slice information could also leak to external networks (e.g., an application function).
Note: A more detailed description of threats to network slicing and of the technology in general can be found in the document “5G Network Slicing: Security Considerations for Design, Deployment, and Maintenance,” published by the National Security Agency and the Cybersecurity and Infrastructure Security Agency, at https://media.defense.gov/2023/Jul/17/2003260829/-1/-1/0/ESF 5G NETWORK SLICING-SECURITY CONSIDERATIONS FOR DESIGN, DEPLOYMENT, AND MAINTENANCE_FINAL.PDF