ETSI TS 103 931 V1.1.1 (2024-01)

TECHNICAL SPECIFICATION
Cyber Security (CYBER);
Network Router Security Requirements

2 ETSI TS 103 931 V1.1.1 (2024-01)

Reference
DTS/CYBER-0081
Keywords
cybersecurity, router
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from:
https://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure Program:
https://www.etsi.org/standards/coordinated-vulnerability-disclosure
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2024.
All rights reserved.
ETSI
3 ETSI TS 103 931 V1.1.1 (2024-01)
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 5
3 Definition of terms, symbols and abbreviations . 6
3.1 Terms . 6
3.2 Symbols . 6
3.3 Abbreviations . 6
4 Network router introduction . 7
5 Security objectives for threat mitigation . 8
6 Network router security requirements . 9
6.1 Objectives . 9
6.2 Prerequisites . 9
6.3 Access control . 10
6.4 Authenticity . 11
6.5 Data confidentiality . 11
6.6 Communication security . 11
6.7 Data integrity . 12
6.8 Availability/Resilience . 13
6.9 Privacy . 14
6.10 Non-repudiation . 14
7 Rationales . 14
History . 17

ETSI
4 ETSI TS 103 931 V1.1.1 (2024-01)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its

Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP
Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of the ®
oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

ETSI
5 ETSI TS 103 931 V1.1.1 (2024-01)
1 Scope
The present document defines security requirements for the network routers to mitigate the threats analysed in ETSI
TR 103 869 [i.1].
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
Not applicable.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 103 869: "Cybersecurity; Network Router Security Threat Analysis".
[i.2] IETF RFC 4272: "BGP Security Vulnerabilities Analysis".
[i.3] IETF RFC 6518: "Keying and Authentication for Routing Protocols Design Guidelines".
[i.4] IETF RFC 8210: "The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1".
[i.5] IETF RFC 8572: "Secure Zero Touch Provisioning (SZTP)".
[i.6] ISO/IEC 9899: "Information technology - Programming languages - C".
[i.7] ETSI TS 103 848 (V1.1.1): "Cyber Security for Home Gateways; Security Requirements as
vertical from Consumer Internet of Things".
[i.8] ETSI EN 303 645: "CYBER; Cyber Security for Consumer Internet of Things: Baseline
Requirements".
[i.9] ETSI TS 101 331: "Lawful Interception (LI); Requirements of Law Enforcement Agencies".
[i.10] IEEE 802.1AE™: "Media Access Control (MAC) Security".
ETSI
6 ETSI TS 103 931 V1.1.1 (2024-01)
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the following terms apply:
administrator: entity with the valid identity for operation and maintenance of the network router through the login to
the device
lawful interception: action (based on the law), performed by a communications service provider, of making available
certain information and providing that information to a law enforcement monitoring facility
NOTE: This term is referenced from ETSI TS 101 331 [i.9].
least privilege: granting an authenticated administrator the minimum set of execution and access rights to the network
router resources to perform the essential operation the administrator is authorized for
user: entity external to the network which utilizes connections through the network for communication, e.g. the
customer of the IP network operator
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AAA Authentication, Authorization, and Accounting
ACL Access Control List
ARP Address Resolution Protocol
ASLR Address Space Layout Randomization
BGP Border Gateway Protocol
BNG Broadband Network Gateway
CAR Committed Access Rate
CFI Control Flow Integrity
CPU Central Processing Unit
DDoS Distributed Denial of Service
DTLS Datagram Transport Layer Security
HG Home Gateway
ICMP Internet Control Message Protocol
ID IDentifier
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IP Internet Protocol
IPsec Internet Protocol security
ISO International Organization for Standardization
ISP Internet Service Provider
L3VPN Layer 3 Virtual Private Network
MAC Media Access Control
MACsec Media Access Control security
ND Neighbour Discovery
NMS Network Management System
NX No eXecute
OS Operating System
PE Provider Edge router
PIE Position Independent Executables
QoS Quality of Service
ETSI
7 ETSI TS 103 931 V1.1.1 (2024-01)
RADIUS Remote Authentication Dial-In User Service
RFC Request for Comments
SSH Secure SHell
SZTP Secure Zero Touch Provisioning
TLS Transport Layer Security
UPE User-end Provider Edge router
VLAN Virtual Local Area Network
VPN Virtual Private Network
4 Network router introduction
In the Internet model, constituent networks are connected by IP datagram forwarders which are called routers or
IP routers.
There are many types of routers. The home and small office routers, which simply forward IP packets between the
home computers and the Internet, are out of the scope of the present document. The present document only discusses
the network routers that are enterprise routers or ISP routers. The following two examples briefly show how network
routers are used, and clause 4 of ETSI TR 103 869 [i.1] provides more detailed introductions about the network router.
In the IP Backbone network scenario as shown in Figure 1, the network routers are the Provider Router and Provider
Edge Router.
P P
PE PE
P P
P: Provider Router
PE: Provider Edge Router
Figure 1: Topology of IP Backbone Network
In the IP Metro network scenario as shown in Figure 2, the network routers are the User-end Provider Edge Router and
Broadband Network Gateway.
IP Backbone
HG
UPE BNG
Layer 2 network
HG: Home Gateway
UPE: User-end Provider Edge Router
BNG: Broadband Network Gateway

Figure 2: Topology of IP Metro Network
The logical architecture of a network router consists of three planes: data plane, control plane, and management plane,
as shown in Figure 3.
ETSI
8 ETSI TS 103 931 V1.1.1 (2024-01)
Data Plane Control Plane Mgmt. Plane
Routing Control Operation Mgmt.
Data Forwarding
Maintenance Mgmt.
Access Control
User Mgmt.
Traffic Control
Links Control
Security Mgmt.
VPN Service Control Device Mgmt.
Operating System
Hardware
Figure 3: Logical architecture of a network router
5 Security objectives for threat mitigation
As described in clause 5.1 of ETSI TR 103 869 [i.1], the security objectives for threat mitigation include eight
dimensions: Access control, Authenticity, Non-repudiation, Data confidentiality, Communication security, Data
integrity, Availability/Resilience, and Privacy. The mitigations should include mechanisms of different security
objectives to counter different threats, which are described below.
To counter the threats of unauthorized interception, it is necessary to prevent the attackers from accessing data and
obtaining original information:
• To prevent the attackers from accessing data, the mitigations should include Access control and Authenticity
mechanisms.
• To prevent the attackers from obtaining original information, the mitigations should include Data
confidentiality, Communication security, and Privacy mechanisms.
• To ensure the correct security configuration of the system, the mitigations should include
Availability/Resilience mechanisms.
To counter the threats of unauthorized access, it is necessary to protect system permissions and prevent tampering with
critical data:
• To protect system permissions, the mitigations should include Access control and Authenticity mechanisms.
• To prevent the tampering of critical data, the mitigations should include Data confidentiality,
Communication security, and Data integrity mechanisms.
• To provide isolation mechanisms to prevent the spread of intrusion attacks, the mitigations should include
Availability/Resilience mechanisms.
To counter the threats of masquerade, it is necessary to protect system permissions and communication data:
• To protect system permissions, the mitigations should include Access control and Authenticity mechanisms.
• To protect communication data, the mitigations should include Data confidentiality and Communication
security mechanisms.
To counter the threats of forgery, it is necessary to prevent the attackers from accessing communication data and
enhance communication data security mechanisms:
• To prevent the attackers from accessing communication data, the mitigations should include Access control
mechanisms.
• To enhance communication data security, the mitigations should include Communication security and Data
integrity mechanisms.
ETSI
9 ETSI TS 103 931 V1.1.1 (2024-01)
• To provide system security detection and recovery mechanisms to cut down the impact of attacks, the
mitigations should include Availability/Resilience mechanisms.
To counter the threats of loss or corruption of information, it is necessary to protect the network router system
account and enhance the data security mechanisms:
• To protect the network router system account, the mitigations should include Authenticity mechanisms.
• To enhance the data security, the mitigations should include Data confidentiality, Communication security
and Privacy mechanisms.
• To provide system security detection mechanisms to cut down the impact of attacks, the mitigations should
include Availability/Resilience mechanisms.
To counter the threats of repudiation, it is necessary to protect the network router system account and record security-
related activities. The mitigations should include Authenticity and Non-repudiation mechanisms.
To counter the threats of denial of service, it is necessary to provide system security policy and limit DDoS attack
traffic.
• To provide system security policy, the mitigations should include Access control and Authenticity
mechanisms.
• To limit DDoS attack traffic, the mitigations should include Availability/Resilience mechanisms.
6 Network router security requirements
6.1 Objectives
The objectives of this clause are to identify a possible common set of measures which are able to mitigate the threats
faced by the network router, which have been identified in clause 5 of ETSI TR 103 869 [i.1], and to provide guidance
for designing a robust security framework of products.
6.2 Prerequisites
The mitigation measures defined in the present document adhere to the following prerequisites:
• The mitigation measures defined in the present document are security requirements for the network router
itself and are based on the network router architecture introduced in clause 4.2 of ETSI TR 103 869 [i.1]. The
present document does not provide security requirements for other entities, such as network operators. For
example, to mitigate physical attacks that cause damage to the device hardware, such as tearing network wires
off or smashing it with a hammer, the network operator should provide physical protection mechanisms such
as enclosed equipment rooms and professional security teams, and the network router should provide the
necessary functions such as logging and alarming to meet the record and audit requirements. The mitigation
measures defined in the present document cover only the latter type.
• The measures to mitigate the impacts to the network caused by the device failure of the network router are out
of the scope of the present document. These impacts can be mitigated by network resilience design including
commensurate redundancies.
• The network operator designs patching programs to ensure that became known vulnerabilities of network
routers are fixed on short term. Since a vulnerability mitigation might require development time, the network
operator should immediately take protective measures to repel the exploitation of the known vulnerability.
ETSI
10 ETSI TS 103 931 V1.1.1 (2024-01)
6.3 Access control
Requirement.AC.001: The network router shall control the access to the OS by following the pr
...