NF Screening

NF Screening supports the functionality to screen the service requests received from 5G Network Functions (NFs) before allowing access to OCNRF services.

In this feature, OCNRF screens the incoming service operations from NFs on the basis of some attributes against set of rules configured at OCNRF. Once screening is passed successfully, OCNRF allows the Network Functions to perform the service operations.

This feature will provide extra security by restricting the NF that can use the service of OCNRF. Operator can decide which NF with required attributes can access the services provided by OCNRF. To implement this, operator can configure various screening lists in which attributes can be configured to tell which attribute is allowed or not.

Note:

By default, NF Screening feature is globally disabled. This feature can be enabled by setting the nfScreeningRulesListStatus attribute as "ENABLED" using REST based Interface.

For Configuring NF Screening feature, see Configuring NF Screening

Screening Lists

The screening can be in the form of Whitelists or Blacklists.

When a screening list is configured to operate as a whitelist, the request is allowed to access the service only if the corresponding attribute value is present in the whitelist.
When a screening list is configured to operate as a blacklist, the request is allowed to access the service only if the corresponding attribute value is not present in the blacklist.

Screening Lists can have rules for global and for each NF type.

The global level screening lists allows operators to configure screening that is common to all NFs .
Each NF Type level rules provides additional flexibility/granularity for screening that can be controlled on a per NF type basis.

It should be noted that an operator can configure rules at both Global level and Per NF Type level and requests are processed through both lists if configured. The only list that is available only at the global level and not at the per NF type is the "NF type list allowed to Register".

NF Screening feature supports following screening lists:

Management Service Screening Lists: The screening lists identified in the Table 4-1 apply exclusively to NRF management service request.

Table 4-1 Management Service Screening Lists

S.No.	Screening List	Supported Screening Type	Screening Scope	Attribute in Request	Comment
1	NF FQDN list	Whitelist, Blacklist	Global, Per NF Type	fqdn in NFProfile fqdn in NFService	NRF screens the FQDN present in the request before allowing access to management service.
2	NF IP endpoint list	Whitelist, Blacklist	Global, Per NF Type	ipv4Addresses, ipv6Addresses in NFProfile ipEndPoints in NFService	NRF screens the IP endpoint/s present in the request before allowing access to management service.
3	Callback URI FQDN and IP list	Whitelist, Blacklist	Global, Per NF Type	defaultNotificationSubscriptions in NFProfile and NFService (Implicit subscription) nfStatusNotificationUri in SubscriptionData (explicit subscription)	NRF screens the callback URI present in the request before allowing access to management service. Host present in callback URI (FQDN+port or IP+port) should be used for screening. Check the callback URI format in section 4.4.3 (Callback URI structure) in TS 29.501-f20.
4	PLMN id list	Whitelist, Blacklist	Global, Per NF Type	plmnList in NFProfile	NRF screens the PLMN ID present in the request before allowing access to management service.
5	NF types allowed to Register	Whitelist	Global	nfType in NFProfile	NRF screens the NF type present in the request before allowing registration to 5G NFs.