Commit 24c830d

add NAS encryption config
1 parent fca8696 commit 24c830d

3 files changed

+19
-5
lines changed

articles/private-5g-core/modify-packet-core.md

Lines changed: 3 additions & 1 deletion
@@ -40,7 +40,8 @@ The following changes will trigger components of the packet core software to res
4040
- Static UE IP pool prefixes
4141
- Network address and port translation parameters
4242
- DNS addresses
43-
- Changing the UE Maximum Transmission Unit (MTU) signaled by the packet core.
43+
- Changing the UE maximum transmission unit (MTU) signaled by the packet core.
44+
- Changing the non-access stratum (NAS) encryption type.
4445

4546
The following changes will trigger the packet core to reinstall, during which your service will be unavailable for up to two hours:
4647
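Review bot: the added bullet at new line 44 calls the setting the NAS "encryption type", but the step added later in this file describes an ordered list of up to three preferences, so it is unclear whether reordering the preferences alone also triggers the restart. Suggest "Changing the NAS encryption preferences" or similar, matching the wording of the configuration step. The MTU capitalization fix on line 43 is unrelated to the commit subject and would sit better in its own commit. The two "Changing ..." bullets also end in a period while the noun-phrase bullets above them do not.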

@@ -101,6 +102,7 @@ To modify the packet core and/or access network configuration:
101102
- Use the information you collected in [Collect packet core configuration values](collect-required-information-for-a-site.md#collect-packet-core-configuration-values) for the top-level configuration values.
102103
- Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) for the configuration values under **Access network**.
103104
- If you want to enable UE usage monitoring, use the information collected in [Collect UE usage tracking values](collect-required-information-for-a-site.md#collect-ue-usage-tracking-values) to fill out the **Azure Event Hub Namespace**, **Event Hub name** and **User Assigned Managed Identity** values.
105+
- If you want to change the non-access stratum (NAS) encryption type, use the **Advanced configuration** tab. You can set up to three levels of preference. For example, you could set the first preference to `NEA2/EEA2`, the second preference to `NEA1/EEA1` and the third preference to `none` to ensure that one of the two encryption algorithms is used and NEA0/EEA0 (null encryption) is not permitted.
104106
1. Choose the next step:
105107
- If you've finished modifying the packet core instance, go to [Submit and verify changes](#submit-and-verify-changes).
106108
- If you want to configure a new or existing data network and attach it to the packet core instance, go to [Attach a data network](#attach-a-data-network).
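Review bot: in the added bullet at new line 105, the third preference value `none` is easy to misread as null encryption, which is the opposite of what the example intends. Suggest stating that `none` means no further algorithm is offered, and putting NEA0/EEA0 in code formatting like the other two values. This bullet is also the first place the EEA names appear, so a short note that they are the 4G counterparts of the NEA algorithms would help. It is also worth stating what happens to a UE that supports neither permitted algorithm once null encryption is excluded, since an operator following this example needs to know that before submitting the change.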

articles/private-5g-core/private-5g-core-overview.md

Lines changed: 4 additions & 4 deletions
@@ -125,13 +125,13 @@ Azure Private 5G Core supports the following authentication methods:
125125
- 5G Authentication and Key Agreement (5G-AKA) for mutual authentication between 5G UEs and the network.
126126
- Evolved Packet System based Authentication and Key Agreement (EPS-AKA) for mutual authentication between 4G UEs and the network.
127127

128-
The packet core instance performs ciphering and integrity protection of 5G non-access stratum (NAS). During UE registration, the UE includes its security capabilities for 5G NAS with 128-bit keys.
128+
The packet core performs ciphering and integrity protection of 5G non-access stratum (NAS). During UE registration, the UE includes its security capabilities for 5G NAS with 128-bit keys.
129129

130130
Azure Private 5G Core supports the following algorithms for ciphering and integrity protection:
131131

132-
- 5GS null encryption algorithm
133-
- 128-bit Snow3G
134-
- 128-bit Advanced Encryption System (AES) encryption
132+
- NEA2: 128-bit Advanced Encryption System (AES) encryption
133+
- NEA1: 128-bit Snow3G
134+
- NEA0: 5GS null encryption algorithm
135135

136136
### UE-to-UE traffic
137137
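Review bot: the relabelled list at new lines 132-134 uses NEA identifiers, which name ciphering algorithms only, while the unchanged lead-in on line 130 still says "for ciphering and integrity protection". Either narrow that sentence to ciphering or list the integrity algorithms separately. "Advanced Encryption System" on line 132 should read "Advanced Encryption Standard". The list order was reversed without saying that it is now an order of preference, as security.md does. This section also covers 4G UEs (EPS-AKA) but gives only the NEA names, whereas modify-packet-core.md uses the NEA/EEA pairs.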

articles/private-5g-core/security.md

Lines changed: 12 additions & 0 deletions
@@ -50,6 +50,18 @@ Azure Private 5G Core provides write-only access to SIM credentials. SIM credent
5050

5151
As these credentials are highly sensitive, Azure Private 5G Core won't allow users of the service read access to the credentials, except as required by law. Sufficiently privileged users may overwrite the credentials, or revoke them.
5252

53+
## NAS encryption
54+
55+
Non-access stratum (NAS) signaling runs between the UE and the AMF (5G) or MME (4G). It carries the information to allow mobility and session management operations that enable data plane connectivity between the UE and network.
56+
57+
The packet core performs ciphering and integrity protection of NAS. During UE registration, the UE includes its security capabilities for NAS with 128-bit keys. By default, Azure Private 5G Core supports the following algorithms in order of preference:
58+
59+
- NEA2: 128-bit Advanced Encryption System (AES) encryption
60+
- NEA1: 128-bit Snow3G
61+
- NEA0: 5GS null encryption algorithm
62+
63+
This enables the highest level of encryption that the UE supports while still allowing UEs that do not support encryption. To make encryption mandatory, you can disallow NEA0. You can change these preferences after deployment by [modifying the packet core configuration](modify-packet-core.md).
64+
5365
## Access to local monitoring tools
5466

5567
### Secure connectivity using TLS/SSL certificates
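Review bot: the closing paragraph at new line 63 says NEA0 can be disallowed but not what then happens to a UE that supports neither NEA1 nor NEA2. The same paragraph says the default exists to admit UEs without encryption support, so the consequence of removing NEA0 should be stated on this page. The link targets modify-packet-core.md as a whole; naming the **Advanced configuration** tab or linking to the relevant step would save the reader a search. Line 55 mentions the MME (4G), but the list at lines 59-61 gives only NEA names, so add the EEA equivalents as modify-packet-core.md does. "Advanced Encryption System" on line 59 should read "Advanced Encryption Standard".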
