5G mobile networks leverage Network Function Virtualization (NFV) to offer services in the form of network slices. Each network slice is a logically isolated fragment constructed by service-chaining a set of Virtual Network Functions (VNFs). The Network Repository Function (NRF) acts as a central Open Authorization (OAuth) 2.0 server that secures inter-VNF communication, which makes it a single point of failure. We therefore propose 5G-WAVE, a decentralized authorization framework for the 5G core that leverages the WAVE framework and integrates it into the OpenAirInterface (OAI) 5G core. Our design relies on Side-Car Proxies (SCPs, not to be confused with the 3GPP Service Communication Proxy, which shares the acronym) deployed alongside individual VNFs, allowing point-to-point authorization. Each SCP acts as a WAVE engine that creates entities and attestations and verifies incoming service requests. We measure the authorization latency overhead for VNF registration, 5G Authentication and Key Agreement (AKA), and data session setup, and observe that WAVE verification adds 155 ms of overhead per HTTP transaction as the price of decentralizing authorization. Additionally, we evaluate the scalability of 5G-WAVE by instantiating more network slices and observe a 1.4x increase in latency for a 10x growth in network size. We also discuss how 5G-WAVE can significantly reduce the 5G attack surface without using OAuth 2.0 while addressing several key issues of 5G standardization.
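The point-to-point check an SCP performs can be sketched in code. The following is an added example, not code from the 5G-WAVE paper or from the WAVE project: a simplified model in Go in which a slice authority issues signed attestations, a calling VNF presents the attestation chain with each request, and the callee's sidecar verifies the chain against a locally configured trust root, with no NRF or OAuth server in the loop. The entity roles, the `nsmf-pdusession:create` permission string, the serialization format, the single-root trust model and the exact checks are assumptions for illustration; real WAVE uses its own encodings, permission-set semantics and revocation, none of which are reproduced here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Entity is a principal (a VNF or the slice authority): an Ed25519 keypair whose public key is its identity.
type Entity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewEntity() Entity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	return Entity{Pub: pub, priv: priv}
}

// Attestation: Issuer grants Subject the permissions Perms until Expiry (Unix seconds), signed by Issuer.
type Attestation struct {
	Issuer, Subject ed25519.PublicKey
	Perms           []string
	Expiry          int64
	Sig             []byte
}
func attestationBody(a Attestation) []byte {
	return []byte(fmt.Sprintf("%x|%x|%q|%d", a.Issuer, a.Subject, a.Perms, a.Expiry)) // assumed format
}
func (e Entity) Attest(subject ed25519.PublicKey, perms []string, expiry int64) Attestation {
	a := Attestation{Issuer: e.Pub, Subject: subject, Perms: perms, Expiry: expiry}
	a.Sig = ed25519.Sign(e.priv, attestationBody(a))
	return a
}

// Request rides along with one HTTP transaction: the needed permission, the proving chain, and a caller signature.
type Request struct {
	Caller ed25519.PublicKey
	Perm   string
	Chain  []Attestation
	Sig    []byte
}
func requestBody(r Request) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "%x|%s", r.Caller, r.Perm)
	for _, a := range r.Chain {
		b.Write(a.Sig) // a captured request signature cannot be reused with a different chain
	}
	return b.Bytes()
}
func (e Entity) Sign(perm string, chain []Attestation) Request {
	r := Request{Caller: e.Pub, Perm: perm, Chain: chain}
	r.Sig = ed25519.Sign(e.priv, requestBody(r))
	return r
}

// Sidecar fronts one VNF. Its only configuration is a trust root (assumed: the slice authority); no server is contacted.
type Sidecar struct{ Root ed25519.PublicKey }
func NewSidecar(root ed25519.PublicKey) Sidecar { return Sidecar{Root: root} }

// subset reports whether every permission in sub also appears in super.
func subset(sub, super []string) bool {
	seen := map[string]bool{}
	for _, p := range super {
		seen[p] = true
	}
	for _, p := range sub {
		if !seen[p] {
			return false
		}
	}
	return true
}

// Verify accepts r only if an unbroken, unexpired chain from the root to the caller grants r.Perm without widening.
func (s Sidecar) Verify(r Request, now int64) error {
	if len(r.Chain) == 0 || !ed25519.Verify(r.Caller, requestBody(r), r.Sig) {
		return fmt.Errorf("missing chain or bad request signature")
	}
	if !bytes.Equal(s.Root, r.Chain[0].Issuer) {
		return fmt.Errorf("chain does not start at the trust root")
	}
	prev, allowed := r.Chain[0].Issuer, []string(nil)
	for i, a := range r.Chain {
		switch {
		case !bytes.Equal(a.Issuer, prev) || !ed25519.Verify(a.Issuer, attestationBody(a), a.Sig):
			return fmt.Errorf("hop %d: broken link or bad signature", i)
		case a.Expiry <= now || !subset([]string{r.Perm}, a.Perms):
			return fmt.Errorf("hop %d: expired or does not grant %q", i, r.Perm)
		case i > 0 && !subset(a.Perms, allowed):
			return fmt.Errorf("hop %d: delegation widens permissions", i)
		}
		prev, allowed = a.Subject, a.Perms
	}
	if !bytes.Equal(prev, r.Caller) {
		return fmt.Errorf("chain does not end at the caller")
	}
	return nil
}
```

The properties worth noticing are the ones a central OAuth server normally enforces on the sidecar's behalf: the chain must begin at a key the sidecar already trusts, every hop must be signed by the previous hop's subject, a delegating hop may narrow but never widen what it received, and the request signature covers the presented chain so a stolen attestation cannot be paired with someone else's request. The model omits a nonce or timestamp in the signed request body, so whole-request replay within an attestation's lifetime is not prevented here.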