Description
The Generic Network Product Class (GNP) is a framework defined within 3GPP security specifications, particularly in TS 33.926, to categorize network products based on their implemented 3GPP functionalities for the purpose of security evaluation and assurance. A GNP represents a class of network products—such as specific types of Mobility Management Entities (MMEs), Serving Gateways (S-GWs), or Access and Mobility Management Functions (AMFs)—that all provide the same standardized set of capabilities as defined by 3GPP. The core idea is that security requirements, test cases, and evaluation methodologies can be defined at the class level, rather than for each individual product, streamlining the certification process and ensuring a consistent security baseline across the industry.
Architecturally, the GNP concept is part of the 3GPP Security Assurance Specification (SCAS) methodology. It works by first defining the generic network product class based on the 3GPP technical specifications for a given network function. For each GNP, a detailed set of security requirements is derived from the 3GPP security specifications (TS 33. series) and broader security best practices. These requirements cover areas such as authentication, data confidentiality, integrity, availability, and secure logging. Vendors developing a product that falls under a specific GNP must design and implement their product to satisfy these class-level requirements. The product then undergoes evaluation against a standardized Security Assurance Specification (SCAS) for that GNP.
The process involves several key components: the GNP definition itself, the associated SCAS document detailing security requirements and test cases, and the evaluation methodology performed by accredited laboratories. For example, the GNP for a 5G Core Access and Mobility Management Function (AMF) would list all mandatory and optional 3GPP features an AMF must support. The corresponding SCAS would specify how to test the AMF's implementation of security protocols like NAS security, its resilience to denial-of-service attacks, and its secure management interfaces. This structured approach ensures that regardless of the vendor, any AMF certified under that GNP meets the same rigorous security standards.
The role of GNP in the network is foundational to building trust in multi-vendor, interoperable 3GPP systems. By providing a clear, standardized target for security evaluation, it reduces ambiguity for vendors, operators, and regulators. Network operators procuring equipment can reference the GNP certification as evidence of security compliance, simplifying their own risk assessments. Furthermore, it facilitates global market acceptance by aligning security evaluations across different national certification schemes (like those based on Common Criteria). The GNP framework, evolving since Rel-13, is a critical enabler for securing complex 5G networks, particularly in areas like network slicing and edge computing, where security boundaries and responsibilities must be clearly defined and assured.
Purpose & Motivation
The Generic Network Product Class (GNP) framework was created to address the critical challenge of ensuring consistent and verifiable security across multi-vendor 3GPP network deployments. Prior to its introduction, security evaluations of network products were often ad-hoc, vendor-specific, or based on generic IT security standards that did not fully capture the unique threats and requirements of telecommunications networks. This resulted in potential security gaps, increased costs for operators conducting individual assessments, and barriers to market entry for vendors facing disparate national certification demands.
The motivation for GNP arose with the increasing complexity and software-defined nature of network functions, especially as networks evolved towards 5G and cloud-native architectures. The traditional approach of testing physical "black boxes" was insufficient for virtualized network functions (VNFs) and cloud-native network functions (CNFs). 3GPP, in collaboration with standards bodies like GSMA and regulatory groups, developed the Security Assurance Specification (SCAS) work item, with GNP as its cornerstone. It solves the problem by defining security at the level of a product's *functionality* (as per 3GPP specs) rather than its *implementation*, allowing for a standardized yet flexible assurance process.
Furthermore, GNP addresses the need for scalable security in an ecosystem with numerous vendors and rapid innovation cycles. By establishing common security requirements for a class of products (e.g., all 5G User Plane Functions), it ensures a baseline level of protection is built into the network fabric. This is particularly vital for network slicing, where a slice instance may rely on products from different vendors; GNP certification provides confidence in the security of each component. In essence, the GNP framework transforms network security from an opaque, post-deployment concern into a transparent, design-phase requirement that fosters trust, interoperability, and faster, more secure innovation in the 3GPP ecosystem.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (16 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-13, normative work from Rel-15.
In Release 15, the GNP (Generic Network Product Class) function was newly introduced to provide a foundational security assurance framework applicable to a broad range of 3GPP network products. This introduction established a minimum set of common 3GPP-defined functionalities to define the class membership and created a corresponding GNP Security Assurance Specification (SCAS) containing security requirements and test cases. Additionally, Release 15 added a specific security consideration for the GNP class by introducing a generic threat on "User Session Tampering."
- Adding a generic threat on “User Session Tampering” TS 33.926 CR0002
In Release 16, the work on the Generic Network Product (GNP) class included clarifications specific to the network product classes for the Unified Data Management (UDM) and the Access and Mobility Management Function (AMF). This provided more precise guidance for applying the GNP security assurance methodology to these core 5G network functions. The updates helped delineate the specific threats and critical assets for these product classes within the overarching GNP framework.
- Clarification on aspects specific to the network product class UDM and AMF TS 33.926 CR0030
In Release 17, the GNP (Generic Network Product Class) function was updated to include new Security Assurance Specification (SCAS) annexes and threat assessments for specific network functions. This included adding assets, descriptions, and threats for the NWDAF (Network Data Analytics Function) and the SCP (Service Communication Proxy), as detailed in new annexes to TR 33.926. Furthermore, corrections and threat additions related to Release 16 features for network products, such as the gNB, were incorporated into the specification.
- Adding asset, description and threats to TR 33.926 for NWDAF SCAS TS 33.926 CR0041
- IMS SCAS: living doc for the threats TS 33.926 CR0044
- CR to add threat related to R-16 features of network products to 33.926 TS 33.926 CR0045
- New Annex with Assets and Threats specific to SCAS SCP TS 33.926 CR0049
- Proposed correction to Annex D on gNB network product class TS 33.926 CR0061
In Release 18, the GNP function was updated by adding new, product-class-specific annexes detailing critical assets and threats. Specifically, these additions covered the MnF (Management Function), PCF (Policy Control Function), and NSSAAF (Network Slice-Specific Authentication and Authorization Function) network product classes. The release also included general updates for Release 17 features and reference corrections within the SCAS framework.
- Addition of critical assets and threats specific to MnF network product class TS 33.926 CR0070
- SCAS updates to threats and assets for Release 17 features TS 33.926 CR0074
- Annex regarding assets and threats specific to the PCF network product class TS 33.926 CR0086
- SCAS release reference corrections TS 33.926 CR0071
- Addition of critical assets and threats specific to NSSAAF network product class TS 33.926 CR0079
In Release 19, the Generic Network Product (GNP) function was updated to include a dedicated Security Assurance Specification (SCAS) for the Session Management Function (SMF), adding specific threats and critical assets for this network product class. Additionally, corrections and additions were made to the SCAS for the Non-3GPP InterWorking Function (N3IWF) network product class. These changes expand the security assurance framework to cover new, specific network functions within the generic product class model.
- Add annexure to Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes specific to SMSF TS 33.926 CR0085
- Security Assurance Specification (SCAS) threats specific to SMSF TS 33.926 CR0099
- Add a new clause in annexure to Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes specific to SMSF TS 33.926 CR0105
- Corrections and additions for the N3IWF network product class TS 33.926 CR0096
Defining Specifications
3GPP specifications that define or reference GNP, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TR 33.926 vk00 | Security Assurance Specification (SCAS) | Rel-20 |