<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="info" docName="draft-si-ztcpp-5g-securityframework-00"
     ipr="trust200902">
  <front>
    <title>Security Capability Coordination Execution Framework for 5G Core
    Networks</title>

    <author fullname="Xuan" surname="Si">
      <organization>China Telecom</organization>

      <address>
        <postal>
          <street>Kangqiao Town, Pudong New District</street>

          <city>Shanghai</city>

          <region/>

          <code>201315</code>

          <country>China</country>
        </postal>

        <email>six1@chinatelecom.cn</email>
      </address>
    </author>

    <date day="5" month="July" year="2026"/>

    <abstract>
      <t>This document defines a security capability coordination execution
      framework for 5G core networks. The framework employs a set of Security
      Coordination Components (SCC) that work collaboratively with core
      network functions to achieve continuous trust verification and
      least-privilege access control. It specifies the division of
      responsibilities between the Network Function Security Agent and the
      Management Security Controller. This document aims to provide a 
      standardized architecture reference for the ZTCPP working group.</t>
    </abstract>

    <note title="Requirements Language">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
      document are to be interpreted as described in <xref target="RFC2119"/>
      <xref target="RFC8174"/> when, and only when, they appear in all
      capitals, as shown here.</t>
    </note>
  </front>

  <middle>
    <section anchor="intro" title="Introduction">
      <section anchor="background" title="Background and Motivation">
        <t>The evolution of 5G networks has led to a significant expansion of
        the attack surface, a surge in east-west traffic, and dynamic scaling
        of network functions, resulting in blurred trust boundaries.
        Traditional perimeter-based security models cannot perceive threat
        behaviors inside network functions and struggle to adapt to rapid
        changes in virtualized environments.</t>

        <t>To address these issues, we propose a security capability
        coordination approach: deploy lightweight security agents near 5G core
        network functions, achieving zero-trust control and policy enforcement
        through local monitoring and execution without invading the core
        network functions themselves. This mode preserves the independence of
        the core network while providing fine-grained security
        enhancement.</t>

        <t>This document defines a zero-trust security enforcement framework
        for 5G core networks, consisting of two types of attached security
        coordination components:</t>


        <t><list style="symbols">
          <t>Network Function Security Agent (NF-SA): deployed alongside each 
	  5G network function instance, responsible for local monitoring, 
	  micro-segmentation enforcement, and asset data collection.</t>
          <t>Management Security Controller (MSC): deployed centrally, 
	  responsible for policy decision, event correlation, asset management, 
	  and component orchestration.</t>
          </list></t>

        <t/>
      </section>

      <section anchor="scope" title="Scope">
        <t>The security capability coordination execution framework defined in 
        this document applies to 5G core network environments. The framework 
        focuses on the coordination between security components and core 
        network functions and does not involve modifications to the core network 
        functions themselves.</t>

      </section>
    </section>

    <section anchor="terminology" title="Terminology and Definitions">
      <t>The following terms are used in this document:</t>

      <t><list style="hanging">
          <t hangText="Security Coordination Component (SCC):">A set of
          software modules deployed independently from 5G core network
          functions but closely collaborating with them to provide security
          capabilities. Includes NF-SA and MSC.</t>

          <t hangText="Network Function Security Agent (NF-SA):">An
          independent process running in the same virtual machine or container
          as a 5G network function (e.g., AMF, SMF, UPF), performing
          monitoring and enforcement through local operating system
          interfaces.</t>

          <t hangText="Management Security Controller (MSC):">Can be deployed
          independently or co-located with the local management system,
          aggregating data from multiple NF-SAs for global policy decision and
          event analysis.</t>

          <t hangText="Micro-Segmentation:">Fine-grained access control
          between network functions, VMs, Pods, and management systems based
          on identity labels rather than IP addresses alone.</t>

          <t hangText="Trust Score:">A numerical value dynamically computed
          based on observed security events, reflecting the trustworthiness of
          a network function or workload, and serving as input to policy
          decisions.</t>

        </list></t>
    </section>

    <section anchor="problem" title="Problem Statement">
      <t>Current security deployments in 5G core networks face the following
      challenges:</t>

      <t><list style="symbols">
          <t>Trust Drift: Static security policies quickly become outdated
          when VNFs are instantiated, migrated, or scaled, creating blind
          spots.</t>

          <t>Lateral Movement: Once an attacker compromises one network
          function, they can exploit internal implicit trust relationships to
          spread laterally across the network.</t>

          <t>Insufficient Granularity: IP-based policies cannot distinguish
          different services within the same Pod, leading to overly permissive
          rules.</t>

          <t>Disjointed Orchestration: The security policy lifecycle is
          decoupled from the network service lifecycle managed by NFVO/VNFM,
          making coordination difficult.</t>
        </list></t>

      <t>Security Coordination Components, deployed close to network
      functions, can sense the state of network functions in real time and
      adjust policies dynamically, effectively mitigating the above problems.
      This framework provides a standardized architecture for this
      solution.</t>
    </section>

    <section anchor="arch" title="Architecture Overview">
      <section anchor="components" title="Logical Components">
        <t>Figure 1 shows the high-level architecture.</t>

        <figure anchor="fig-arch">
          <artwork>
+---------------------+
|  Upper Security     |
|  Platform (SOC/SIEM)|
+----------+----------+
           |
   Northbound Interface
           |
+----------+----------+
|  MSC (PDP)          |
|  - Policy Decision  |
|  - Event Correlator |
|  - Asset Manager    |
+----------+----------+
           |
   Southbound Interface
           |
+----------+----------+
|  NF-SA (PEP/Sensor) |
|  - Micro-seg. Engine|
|  - Intrusion Det.   |
|  - Asset Collector  |
+----------+----------+
           |
+----------+----------+
|  5G NF Instance     |
|  (AMF/SMF/UPF etc.) |
+---------------------+
          </artwork>
        </figure>

        <t>The NF-SA coexists as a sidecar with the network function instance
        in the same virtual machine or container. It obtains the runtime
        status of the network function through operating system interfaces
        (e.g., eBPF, netlink) and enforces access control policies. There is
        no direct business coupling between the NF-SA and the network
        function; they exchange necessary information only through local
        IPC.</t>

        <t>The MSC centrally manages all NF-SAs, maintains a network-wide
        asset view and event correlation, and generates new policy
        instructions based on preconfigured policies or dynamic trust scores,
        delivering them via the southbound interface.</t>
      </section>
    </section>

    <section title="Key Technical Elements" anchor="tech">
      <section title="Identity-Based Micro-Segmentation" anchor="microseg">
        <t>Traditional micro-segmentation relies on IP five-tuples, which are 
        costly to maintain in dynamic environments. This framework uses identity 
        labels instead of static addresses. Labels include:</t>
        <t><list style="symbols">
          <t>VNF name</t>
          <t>NF type</t>
          <t>Service name</t>
          <t>Deployment region</t>
          <t>Trust level</t>
        </list></t>
        <t>Policy rules are based on label matching. The NF-SA translates 
        abstract rules into underlying enforcement rules based on the current 
        mapping between IP addresses and labels.</t>
        <t>The framework supports automatic learning of baseline connectivity 
        patterns: during a learning period, the NF-SA records all normal 
        connections, and the MSC generates whitelist policies accordingly. When 
        business flows and ports change, the MSC synchronously updates 
        security policies and delivers them to the relevant NF-SAs.</t>
      </section>

      <section title="Local Intrusion Detection and Trust Scoring" anchor="ids">
        <t>The NF-SA incorporates a lightweight intrusion detection engine 
        that can monitor the following types of events:</t>
        <t><list style="symbols">
          <t>Malware: Rootkit, Webshell, Reverse Shell</t>
          <t>Intrusion Attempt: Brute force (including seven subtypes: 
          single-target fast, single-target slow, multi-target fast, multi-target 
          slow, password spraying, distributed brute force, slow login attempt), 
          password guessing</t>
          <t>Account Anomaly: Unauthorized account creation, unauthorized 
          password change, user privilege escalation, file privilege escalation, 
          process privilege escalation</t>
          <t>File Integrity: Shell file tampering, critical file tampering, illegal file 
          download</t>
          <t>Kernel Anomaly: Hidden processes/ports, VM escape attempt</t>
        </list></t>
        <t>Each event carries a severity level (info, low, medium, high, critical) 
        and a unique event class identifier. After collecting events, the MSC 
        computes a trust score for each network function using a configurable 
        algorithm. For example, deduct points when a critical event occurs, and 
        slowly recover during event-free periods.</t>
        <t>The trust score can directly influence policies: when a network 
        function's trust score falls below a threshold, the MSC automatically 
        issues an isolation policy, allowing only management-plane 
        communication.</t>
      </section>

      <section title="Policy Information Model Overview" anchor="model">
        <t>To enable vendor-neutral policy representation, this framework 
        defines a policy information model containing the following core 
        elements:</t>
        <t><list style="symbols">
          <t>Policy Identifier: Uniquely identifies a policy.</t>
          <t>Subject: The asset object to which the policy applies, specified 
          by asset type or label.</t>
          <t>Condition: Conditions under which the policy takes effect, including 
          time range, trust score range, triggering event class, etc.</t>
          <t>Action: The action type to be enforced, including allow, deny, alert, 
          isolate, etc.</t>
          <t>Target: The target asset on which the action operates, similarly 
          specified by asset type or label.</t>
          <t>Priority: The basis for resolving conflicts among multiple policies.</t>
          <t>Status: Whether the policy is active or inactive.</t>
        </list></t>
        <t>The detailed data model definition will be provided in a future version 
        of this draft.</t>
      </section>
    </section>

    <section title="Interfaces and Protocols" anchor="interfaces">
      <section title="Southbound Interface (Policy Provisioning)" anchor="south">
        <t>The southbound interface connects the MSC (PDP) to the NF-SA (PEP) 
        for policy configuration, updates, and health checks. The transport layer 
        MUST be secured with TLS or SSH for mutual authentication and encryption.</t>
        <t>Request data fields include: security event ID, source asset ID, 
        destination asset ID, source address, destination address, source port, 
        destination port, communication protocol (UDP/TCP), service name, 
        policy type (add to whitelist/blacklist). Response data fields include 
        error code and failure detail message.</t>
      </section>

      <section title="Northbound Interface (Event Reporting)" anchor="north">
        <t>The northbound interface exports security events and asset 
        information to an upper security platform. The event format contains 
        fields such as priority, version, timestamp, hostname, app-name, 
        procid, msgid, and message content. The message content contains 
        specific security event fields: event ID, affected asset ID/name/type/IP, 
        affected business asset information, event type, event name, event class, 
        event level, evidence, attack status, occurrence time, first/last 
        occurrence time, source IP/port, attacker IP, destination IP/port, 
        victim IP, username, user group, source asset ID, service name, etc.</t>
      </section>

      <section title="Asset Data Interface" anchor="asset">
        <t>The asset data interface is used for asset inventory synchronization 
        between the NF-SA and the MSC. Asset data fields include: region ID, 
        network function ID, network function name, manufacturer ID, VM list 
        (including VM ID, attributes, hostname, network interface information, 
        IP address, broadcast address, description, destination address, MAC 
        address, name, netmask, NIC type, NAT address list, etc.), operating 
        system attributes (distribution version, name, patch level, kernel version), 
        database/middleware/web application attribute list (installation path, 
        component name, component open port, component version, project 
        list, plugin list, etc.).</t>
      </section>
    </section>

    <section title="Security Considerations" anchor="security">
      <t>The Security Coordination Components themselves need to be protected:</t>
      <t><list style="symbols">

        <t>Sensitive data MUST be encrypted at rest and in transit.</t>
        <t>NF-SA and MSC should implement integrity verification and 
        anti-tampering mechanisms.</t>
        <t>Resource consumption of NF-SA must be limited to avoid impacting 
        network function performance.</t>
        <t>Policy conflicts must be resolved deterministically, with logging.</t>
      </list></t>
    </section>

    <section anchor="IANA" title="IANA Considerations">
      <t>None</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <reference anchor="RFC2119"
                 target="https://www.rfc-editor.org/info/rfc2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement
          Levels</title>

          <author fullname="Scott Bradner" initials="S." surname="Bradner"/>

          <date month="March" year="1997"/>
        </front>
      </reference>

      <reference anchor="RFC8174"
                 target="https://www.rfc-editor.org/info/rfc8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>

          <author fullname="Barry Leiba" initials="B." surname="Leiba"/>

          <date month="May" year="2017"/>
        </front>
      </reference>
    </references>

  </back>
</rfc>