ETSI TS 187 003 V1.7.1 (2008-02)
Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture
RTS/TISPAN-07024-NGN-R1
Technical Specification
2 ETSI TS 187 003 V1.7.1 (2008-02)
Reference
RTS/TISPAN-07024-NGN-R1
Keywords
architecture, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2008.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
Contents
Intellectual Property Rights ..... 5
Foreword ..... 5
1 Scope ..... 6
2 References ..... 6
2.1 Normative references ..... 6
2.2 Informative references ..... 9
3 Definitions and abbreviations ..... 9
3.1 Definitions ..... 9
3.2 Abbreviations ..... 10
4 NGN Security ..... 11
4.1 NGN security architecture ..... 12
4.2 Security domains ..... 14
4.3 NASS and RACS security architecture ..... 15
4.3.1 NASS-IMS Bundled security ..... 17
4.4 IMS security architecture ..... 18
4.4.1 NASS-IMS Bundled security ..... 20
4.5 PES Security architecture ..... 21
4.5.1 Security for H.248 within PES ..... 21
4.5.2 IMS-based PES security ..... 22
4.6 Application security architecture ..... 22
5 Mapping of security requirements to security services and NGN FEs ..... 23
5.1 Security services in NGN R1 security architecture ..... 23
5.2 Security Services in NGN FEs ..... 24
5.3 Security Services on NGN Interfaces ..... 28
5.4 Mapping of 3GPP security FEs to NGN FEs ..... 30
6 NGN IMS Residential Gateway ..... 32
Annex A (informative): NGN-relevant security interfaces ..... 34
A.1 Network attachment security interfaces ..... 34
A.1.1 Reference point e1 (CNG - AMF) ..... 35
A.1.2 Reference point e2 (CLF - AF) ..... 35
A.1.3 Reference point a3 (AMF - UAAF) ..... 35
A.1.4 Reference point e5 (UAAF - UAAF) ..... 35
A.2 Service layer security interfaces ..... 36
A.2.1 NGN IP Multimedia Subsystem (IMS) ..... 36
A.2.1.1 Reference point Gm (UE/IMS Residential Gateway - P-CSCF) ..... 36
A.2.1.2 Reference point Cx (CSCF - UPSF) ..... 37
A.2.1.3 Reference point Gq' (P-CSCF - RACS) ..... 37
A.2.1.4 Reference point Iw (IWF - non-compatible SIP) ..... 37
A.2.1.5 Reference point Ic (IBCF - IMS) ..... 37
A.2.1.6 Void ..... 37
A.2.1.7 Reference point Ut (UE - AS) ..... 37
A.3 Interconnection security interfaces ..... 38
A.3.1 Interconnecting security at the transport layer ..... 39
A.3.2 Interconnecting security at the service layer ..... 39
Annex B (informative): Mapping of NGN R1 Security Requirements to Security Services ..... 40
Annex C (informative): Implementation notes on the IMS Residential Gateway ..... 48
C.1 B2BUA registration ..... 48
C.2 B2BUA originating session establishment ..... 51
C.3 B2BUA terminating session establishment ..... 52
Annex D (informative): Supplementary information on NASS-IMS bundled authentication ..... 54
D.1 Flow diagram for NASS bundled authentication ..... 54
Annex E (informative): Open issues in NGN security ..... 56
Annex F (informative): Bibliography ..... 57
History ..... 58
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
1 Scope
The present document defines the security architecture of NGN Release 1. The definition complies with the
requirements of ITU-T Recommendation I.130 [32] at stage 2.
The present document addresses the security architecture required to fulfil the NGN R1 security requirements defined in
TS 187 001 [1] and includes the definition of security architectures to provide protection for each of the NGN
functional architecture (ES 282 001 [3]) and its subsystems (ES 282 004 [6], ES 282 002 [4], ES 282 007 [27],
ES 283 003 [26] and ES 282 003 [5]). Where appropriate the present document endorses security mechanisms defined
in other specifications.
The present document addresses the security issues of the NGN core network and the NGN access network(s) up to and
including the NGN Network Termination (NGN NT) in the residential customer domain. The NGN NT denotes a
logical demarcation point between the residential customer domain and the NGN core and access networks and covers
the corresponding interfaces.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• Non-specific reference may be made only to a complete document or a part thereof and only in the following
cases:
- if it is accepted that it will be possible to use all future changes of the referenced document for the
purposes of the referring document;
- for informative references.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
For online referenced documents, information sufficient to identify and locate the source shall be provided. Preferably,
the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the
reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the
method of access to the referenced document and the full network address, with the same punctuation and use of upper
case and lower case letters.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are indispensable for the application of the present document. For dated
references, only the edition cited applies. For non-specific references, the latest edition of the referenced document
(including any amendments) applies.
[1] ETSI TS 187 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[2] Void.
[3] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture Release 1".
[4] ETSI ES 282 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Sub-system (PES); Functional
architecture".
[5] ETSI ES 282 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control Sub-system (RACS);
Functional Architecture".
[6] ETSI ES 282 004: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment
Sub-System (NASS)".
[7] ETSI TS 183 033: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia; Diameter based protocol for the interfaces
between the Call Session Control Function and the User Profile Server Function/Subscription
Locator Function; Signalling flows and protocol details [3GPP TS 29.228 V6.8.0 and
3GPP TS 29.229 V6.6.0, modified]".
[8] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Access security for IP-based services
(3GPP TS 33.203)".
[9] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Network Domain Security (NDS); IP network
layer security (3GPP TS 33.210)".
[10] ETSI TS 133 310: "Universal Mobile Telecommunications System (UMTS); Network domain
security; Authentication framework (NDS/AF) (3GPP TS 33.310)".
[11] ETSI TS 133 141: "Universal Mobile Telecommunications System (UMTS); Presence service;
Security (3GPP TS 33.141)".
[12] ETSI TS 133 222: "Universal Mobile Telecommunications System (UMTS); Generic
Authentication Architecture (GAA); Access to network application functions using Hypertext
Transfer Protocol over Transport Layer Security (HTTPS) (3GPP TS 33.222)".
[13] ETSI TS 133 220: "Universal Mobile Telecommunications System (UMTS); Generic
Authentication Architecture (GAA); Generic bootstrapping architecture (3GPP TS 33.220)".
[14] ETSI TS 122 048: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Security Mechanisms for the (U)SIM application toolkit;
Stage 1 (3GPP TS 22.048)".
[15] ETSI TS 123 048: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Security mechanisms for the (U)SIM application toolkit;
Stage 2 (3GPP TS 23.048)".
[16] ETSI TS 131 101: "Universal Mobile Telecommunications System (UMTS); UICC-terminal
interface; Physical and logical characteristics (3GPP TS 31.101)".
[17] ETSI TS 131 102: "Universal Mobile Telecommunications System (UMTS); Characteristics of the
Universal Subscriber Identity Module (USIM) application (3GPP TS 31.102)".
[18] ETSI TS 131 103: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Characteristics of the IP Multimedia Services Identity
Module (ISIM) application (3GPP TS 31.103)".
[19] ETSI TS 129 329: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Sh interface based on the Diameter protocol; Protocol
details (3GPP TS 29.329)".
[20] ETSI ES 283 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Subsystem (PES); NGN Release 1
H.248 Profile for controlling Access and Residential Gateways".
[21] ETSI ES 283 018: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: H.248 Profile for controlling
Border Gateway Functions (BGF) in the Resource and Admission Control Subsystem (RACS);
Protocol specification".
[22] ETSI TS 183 019: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment; Network Access xDSL and WLAN
Access Networks; Interface Protocol Definitions".
[23] ETSI ES 283 035: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networks (TISPAN); Network Attachment Sub-System (NASS); e2 interface based on
the DIAMETER protocol".
[24] ETSI ES 283 034: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment Sub-System (NASS); e4 interface based
on the DIAMETER protocol".
[25] ETSI ETR 232: "Security Techniques Advisory Group (STAG); Glossary of security
terminology".
[26] ETSI ES 283 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Endorsement of "IP Multimedia Call Control Protocol based on
Session Initiation Protocol (SIP) and Session Description Protocol (SDP) Stage 3 (Release 6)" for
NGN Release 1".
[27] ETSI ES 282 007: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Functional architecture".
[28] ETSI TS 182 006: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Stage 2 description
(3GPP TS 23.228 V7.2.0, modified)".
[29] IETF RFC 3261: "SIP: Session Initiation Protocol".
[30] ISO/IEC 10181-1: 1996: "Information technology - Open Systems Interconnection - Security
frameworks for open systems: Overview".
[31] ISO/IEC 11770-1: 1996: "Information technology - Security techniques - Key management -
Part 1: Framework".
[32] ITU-T Recommendation I.130: "Method for the characterization of telecommunication services
supported by an ISDN and network capabilities of an ISDN".
[33] ITU-T Recommendation X.810 (1995): "Information technology - Open Systems Interconnection -
Security frameworks for open systems: Overview".
[34] ITU-T Recommendation X.811: "Information Technology - Open Systems Interconnection -
Security Frameworks for Open Systems: Authentication Framework".
[35] ITU-T Recommendation X.812: "Information Technology - Open Systems Interconnection -
Security Frameworks for Open Systems: Access Control Framework".
[36] ITU-T Recommendation X.814: "Information Technology - Open Systems Interconnection -
Security Frameworks for Open Systems: Confidentiality Framework".
[37] ITU-T Recommendation X.815: "Information Technology - Open Systems Interconnection -
Security Frameworks for Open Systems: Integrity Frameworks".
[38] ETSI TS 183 017: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: DIAMETER protocol for
session based policy set-up information exchange between the Application Function (AF) and the
Service Policy Decision Function (SPDF); Protocol specification".
[39] IETF RFC 2617: "HTTP Authentication: Basic and Digest Access Authentication".
[40] ETSI TS 183 043: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation; IMS-based PSTN/ISDN Emulation
Call Control Protocol based on Session Initiation Protocol (SIP) and Session Description Protocol
(SDP); Protocol specification".
[41] ETSI TS 182 012: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IMS-based PSTN/ISDN Emulation Subsystem; Functional
architecture".
[42] ETSI TS 133 102: "Universal Mobile Telecommunications System (UMTS); 3G security; Security
architecture (3GPP TS 33.102)".
[43] ETSI ES 283 026: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control; Protocol for QoS reservation
information exchange between the Service Policy Decision Function (SPDF) and the
Access-Resource and Admission Control Function (A-RACF) in the Resource and Protocol
specification".
[44] ETSI EG 202 238: "Telecommunications and Internet Protocol Harmonization Over Networks
(TIPHON); Evaluation criteria for cryptographic algorithms".
[45] IEEE 802.1x: "IEEE Standard for Local and Metropolitan Area Networks Port-Based Network
Access Control".
[46] ETSI TS 123 002: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Network architecture (3GPP TS 23.002)".
[47] ETSI TS 133 234: "Universal Mobile Telecommunications System (UMTS); 3G security;
Wireless Local Area Network (WLAN) interworking security (3GPP TS 33.234)".
2.2 Informative references
[48] ETSI TR 182 005: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Organization of user data".
[49] ETSI TR 187 002 (Release 2): "Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN); TISPAN NGN Security (NGN-SEC); Threat,
Vulnerability and Risk Analysis".
[50] ETSI TR 183 032: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Feasibility study into mechanisms for the support of
encapsulated ISUP information in IMS".
[51] ETSI TR 183 014: "Telecommunications and Internet converged Services and Protocols for
Advanced Networks (TISPAN); Development and Verification of PSTN/ISDN emulation".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
Authentication Service (AUTH): See ITU-T Recommendation X.811 [34].
Authorization Service (AUTHOR): See ITU-T Recommendation X.812 [35].
Confidentiality Service (CONF): See ITU-T Recommendation X.814 [36].
data: any information conveyed in communication packets as well as any other information such as topology
information
Integrity Service (INT): See ITU-T Recommendation X.815 [37].
Key Management Service (KM): See ISO/IEC 11770-1 [31].
NGN Network Termination (NGN NT): reference point which denotes a logical demarcation point between the
residential customer domain and the NGN core via access networks. It covers the corresponding interfaces.
Policy Enforcement Function (PEF): security function that enforces policy rules
NOTE: The PEF encompasses functions for filtering and topology hiding such as typically found in firewalls
and/or session border controllers.
security domain: set of elements made of security policy, security authority and set of security relevant activities in
which the set of elements are subject to the security policy for the specified activities, and the security policy is
administered by the security authority for the security domain
NOTE: The activities of a security domain involve one or more elements from that security domain and, possibly,
elements of other security domains.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
3G 3rd Generation
3GPP 3rd Generation Partnership Project
AAA Authentication, Authorization, Accounting
AF Application Functions
AGCF Access Gateway Control Function
AGW Access GateWay
AKA Authentication and Key Agreement
AMF Access Management Function
AN Access Network
AN Access Node
AP Access Point
AP Authentication Proxy
A-RACF Access-Resource Admission Control Function
AS Application Server
ASP Application Service Provider
AuC Authentication Center
AUTH AUTHentication Service
AUTHOR AUTHORization Service
BGCF Breakout Gateway Control Function
BSF Bootstrapping Server Functionality
CLF Connectivity session and repository Location Function
CONF CONFidentiality service
CPE Customer Premises Equipment
CSCF Call Session Control Function
DoS Denial-of-Service
ESP Encapsulating Security Protocol
FE Functional Entity
GAA Generic Authentication Architecture
GBA Generic Bootstrapping Architecture
GE Generic Entities
GRE Generic Routing Encapsulation
HLR Home Location Register
HSS Home Subscriber Server
HTTP HyperText Transport Protocol
IBCF Interconnection Border Control Function
I-BGF Interconnection-Border Gateway Function
I-CSCF Interrogating-Call Session Control Function
ID IDentity
IETF Internet Engineering Task Force
IF InterFace
IKE Internet Key Exchange
IMPI IMS Private User ID
IMPU IMS Public User ID
IMS IP Multimedia Subsystem
INT INTegrity service
IP Internet Protocol
IPsec Internet Protocol security
IRG IMS Residential Gateway
ISIM IMS Subscriber Identity Module
IUA ISDN Q.921-User Adaptation
KM Key Management service
MGC Media Gateway Controller
MGCF Media Gateway Control Function
n.a. not applicable
NAF Network Application Function
NASS Network Access SubSystem
NAT Network Address Translation
NDS Network Domain Security
NGN NT NGN Network Termination
NGN Next Generation Network
P-CSCF Proxy-Call Session Control Function
PDBF Profile DataBase Function
PEF Policy Enforcement Function
PS Packet Switched
R1 NGN Release 1
RACS Resource Admission Control Subsystem
RAND RANDom
RGW Residential GateWay
SA Security Association
SCS OSA Service Capability Server
S-CSCF Serving-Call Session Control Function
SEGF SEcurity Gateway Function
SIP Session Initiation Protocol
SLF Subscription Locator Function
SPD Security Policy Database
SPDF Service Policy Decision Function
THF Topology Hiding Function
THIG Topology Hiding Interconnection Gateway
TISPAN Telecommunication and Internet converged Services and Protocols for Advanced Networking
TLS Transport Layer Security
TS Technical Specification
UA User Agent
UAAF User Access Authorization Function
UE User Equipment
UICC Universal Integrated Circuit Card
UMTS Universal Mobile Telecommunication System
UPSF User Profile Server Function
USIM UMTS Subscriber Identity Module
VGW Voice over IP GateWay
WLAN Wireless Local Area Network
XCAP XML Configuration Access Protocol
XML eXtensible Markup Language
4 NGN Security
This clause provides an overview of the NGN security document. The entire document can be seen as a documented
output of a security process that loops through several stages; see figure 1, where arrows indicate logical steps and
dependencies.
The present document assumes existence of a well-defined NGN architecture (ES 282 001 [3]) that includes the IMS
architecture (TS 123 002 [46]), the network attachment subsystem (NASS) architecture (ES 282 004 [6]), the resource
admission subsystem (RACS) architecture (ES 282 003 [5]), and the PSTN/ISDN emulation (PES) architecture
(ES 282 002 [4]). Likewise, the present document assumes the corresponding IMS security architecture
(TS 133 102 [42]). IMS architecture and IMS security architecture are shown as dashed boxes; those prerequisites are
not specified further in the present document.
The description of the NGN release 1 security architecture has been divided into a number of smaller blocks describing
the security interfaces, the security functions and security protocols, security building blocks and security components.
(Figure 1 diagram; labels only: NGN architecture (NASS, RACS, PES, IMS); IMS Security Architecture; NGN Release 1
Security Requirements (TS 187 001); NGN Release 1 Threat & Risk Analysis (TR 187 002); NGN Release 1 Security
Architecture with security interfaces for NASS, RACS, PES, IMS (TS 187 003): Security Domains, Security Services,
Security Functions, Countermeasures, Security Building Blocks, Security Components/Security Building Blocks; NGN
Release 2 Security Architecture with security interfaces (ffs).)
Figure 1: Overview of NGN security documents
Security architecture(s) for further and future NGN releases beyond NGN Release 1 will be specified by separate
documents.
4.1 NGN security architecture
The NGN R1 security architecture basically consists of the following major parts:
• NGN security domains (see clause 4.3).
• Security services (see clause 5):
- authentication;
- authorization;
- policy enforcement;
- key management;
- confidentiality; and
- integrity.
• Security protocols including those contained in:
- IMS Access Security (TS 133 203 [8]);
- SIP HTTP-digest (RFC 3261 [29]) (for NGN legacy UE);
- XCAP (TS 183 033 [7]), presence security (TS 133 141 [11]).
• Application specific key management.
• SEGFs to secure signalling and control communication among network entities/FEs. Security gateways
(SEGs) for IMS network domain security - as defined by TS 133 210 [9] - are considered primarily functional
components. The present document endorses SEGs and calls them Security Gateway Function (SEGF).
• IMS Residential Gateway to secure access of legacy UEs (see clause 6).
• NGN-specific security mechanisms at various protocols/logical layers such as:
- NASS authentication based on explicit line authentication;
- NASS authentication based on implicit physical line authentication; and
- NASS-IMS bundled authentication.
• NGN subsystem specific security measures (e.g. for PES).
Figure 2 provides a high level overview of the security FEs within the NGN security architecture. Three logical security
planes with respective FEs are distinguished:
• NASS security plane;
• IMS security plane;
• GAA/GBA key management plane.
(Figure 2 diagram; labels only: GAA/GBA key management plane: ISIM (GBA-U mode), DIAMETER, BSF, NAF/AS,
Ut (secure session), GBA bootstrapping (optional). IMS security plane: ISIM (AKA mode), IMS AKA security association
setup, P-CSCF, S-CSCF, UPSF. NASS security plane: NASS credentials, NASS authentication (e.g. IEEE 802.1x/PANA),
AMF, V-UAAF, H-UAAF, PDBF.)
Figure 2: Usage of security FEs in the NGN security architecture
The NASS security plane encompasses the security operations during network attachment for gaining access to the
NGN access network. The visited UAAF (V-UAAF) in a visited access network relays authentication message to/from
the home NGN network; the V-UAAF (if present) may be a proxy while the home UAAF (H-UAAF) shall process the
authentication message and decide authorization. The H-UAAF takes into account user profile information that is stored
in the PDBF. The PDBF shall hold the profiles of the NASS user. In NGN, an IMS subscriber may register over an IP
access session established by a NASS subscriber, which may not be the same as the IMS subscriber. Hence, in such
cases, there is no relation at all between the profile/credentials used at the NASS level and at the IMS level. However,
the PDBF may be co-located with the UPSF.
NOTE: The dashed lines between H-UAAF and PDBF and between the NAF/AS and the UPSF indicate
interfaces which are not defined and standardized in the present document. Specification of such
interfaces is left for further study. Nevertheless, such a UAAF-PDBF interface is generally required for
carrying out authentication at NASS level.
The IMS security plane encompasses the P-CSCF, S-CSCF, I-CSCF (not shown in figure 2) and the UPSF. P-CSCF,
S-CSCF and I-CSCF shall be involved in the IMS security procedures for authenticating UE and core network, deciding
authorization, as well as for supplying fresh key material as specified in TS 133 203 [8]. The UPSF shall hold the user
profiles used at the IMS level.
The GBA/GAA security plane (optional) encompasses the NAF and BSF FEs for application layer security.
This clause describes the NGN security architecture for Release 1.
4.2 Security domains
A security domain (see ISO/IEC 10181-1 [30] and ITU-T Recommendation X.810 [33]) is a set of elements under a
given security policy administered by a single security authority for some specific security relevant activities. The
activities of a security domain involve one or more elements from that domain; however, at least one of the elements
must be in that domain.
In general, a security domain is required to:
• protect the integrity, and optionally the confidentiality, of its functional elements and activities;
• ensure the availability of, and account for the use of, the elements and activities under its protection.
The following principal security domains are identified in the general case where the visited network provider hosts
some IMS services and the core IMS provider in the home network domain further provides IMS services:
• Customer's domain that includes UE (owned by customer or by operator).
• Access network security domain with FEs hosted by the access network provider.
• Visited NGN network security domain with FEs hosted by a visited network provider where the visited
network may provide access to some application services (AF). The visited network provider may host some
applications and may own its own database of subscribers. Alternatively, or additionally, the visited network
provider may outsource some application services to the home network provider or even to a 3rd party application
provider.
• Home NGN network security domain with FEs hosted by the home network provider where the home network
may provide some application services (AF). The home network provider hosts some applications and owns a
database of subscribers.
• 3rd party application network security domain with FEs hosted by the ASP where the ASP provides some
application services (AF). The ASP may be a separate service provider different from the visited or the home
network provider. The ASP may need to deploy authorization information offered by the visited or home
network provider.
Figure 3 shows the partitioning of the NGN network into security domains.
NOTE: The box labelled "APPL" denotes hosted applications; applications are optional.
(Figure 3 diagram; labels only: UE; Access Network Security Domain; Visited NGN Network Security Domain; Home
NGN Network Security Domain; two 3rd party ASP Network Security Domains, each hosting APPL.)
Figure 3: NGN security domains
4.3 NASS and RACS security architecture
Figure 4 shows a high-level view of the NASS and RACS subsystems as mapped to the five NGN security domains.
(Figure 4 diagram; labels only: UE; Access Network Security Domain (NASS, RACS); Visited NGN Network Security
Domain (NASS, RACS); Home NGN Network Security Domain (NASS, RACS); two 3rd party ASP Network Security
Domains, each hosting APPL.)
Figure 4: NASS and RACS NGN architecture with security domains
SEGFs shall protect the interdomain interfaces between the NGN network security domains.
Figure 4 shows the most general case. NASS and RACS functional entities are mapped to the networking domains such
as access transport network, visited NGN network and home NGN network. Those networking domains equally
represent security domains in the sense of TS 133 210 [9] assuming that each networking domain is being operated by a
distinct operator. SEcurity Gateway Functions (SEGFs) within each security domain shall protect the exposed interfaces
in-between security domains and ensure that a minimal security policy among security domains is enforced.
SEGFs may also optionally protect the (less exposed, internal) interfaces within a security domain; this is left to the
discretion of the network operator. The general security architecture case for NASS and RACS subsystems can be
collapsed iteratively into fewer (security) domains (not shown): e.g. home network and visited network within one
security domain, or access, visited, home network and ASP network all in one security domain. If the 3rd party ASP
network security domain and home network security domain coincide, then the home network actually hosts the
application. The same holds true for the visited network security domain and the 3rd party ASP network security domain.
It is noted that not all interfaces occur in every NASS scenario:
• In NASS scenario 1, the e2 branches V-CLF-to-H-CLF and V-CLF-to-AF do not occur, and there is no V-PDBF.
• In NASS scenario 2, the e2 branch V-CLF-to-AF does not occur, and there is no V-PDBF.
• In NASS scenario 3, the e5 branch V-UAAF-to-H-UAAF and the e2 branch V-CLF-to-H-CLF do not occur.
• In NASS scenario 4, the e5 branch V-UAAF-to-H-UAAF and the e2 branch V-CLF-to-AF do not occur.
It is further noted that several SEGFs shown as separate functional entities may be co-located, for example the
SEGFs around the Rq and Di interfaces.
It is noted that there might be further application-specific security protocols (not shown) on top of the Za interfaces.
Such security protocols (if any) remain for further study.
NOTE: The SEG CAs in the ASP domains are not peering CAs in the way the CAs of the home, visited and access
providers are. It remains for further study how such SEG CAs could be deployed in the context of NGN.
Legend for figures 6 and following:
• FE1 -- SEGF -- If -- SEGF -- FE2 (security domain 1 / security domain 2): FE1 and FE2 are located in two distinct
security domains. All signalling traffic across interface If exchanged between FE1 and FE2 shall be routed through
security gateway functions (SEGF). The Za interface (IKE+ESP tunnel) between the SEGFs is mandatory to
implement; the Zb interface (IKE+ESP tunnel) between an FE and its own SEGF is optional to implement; see
TS 133 210 [10] clause 5.6.2.
• FE1 -- FE2 (dashed line): proprietary, non-standard local interface (in NGN R1).
• FE: NASS functional entity.
• FE: RACS functional entity.
• AF: Application functional entity.
• V-FE / H-FE: functional entity in the visited (home) NGN network.
• FE1 FE2 (grouped): (potentially) co-located functional entities.
• SEG CA: SEG Certification Authority.
• Interconnection CA: Interconnection Certification Authority.
Figure 5: Legend
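The domain-collapse rule and the per-scenario absence of e2/e5 branches in clause 4.3, together with the Za (mandatory) versus Zb (optional) distinction in the legend, can be turned into a check that an operator can run against its own FE placement. The following Python model is an added example and is not part of TS 187 003: the placement of each functional entity in a domain and the endpoints of each reference point are assumptions made for the general case of figure 6 (the UE-facing interfaces e1 and e3 are left out, since Za/Zb apply between network security domains), and the function and variable names are the example's own.

```python
"""Which NASS/RACS reference points must traverse SEGFs (Za) in a given deployment?

Illustrative model of clause 4.3 of ETSI TS 187 003; the FE placement and
reference-point endpoints below are assumptions for the general five-domain
case, not the normative mapping.
"""

ACCESS, VISITED, HOME, ASP = "access", "visited", "home", "asp"

# Assumed placement of functional entities (general case of figure 6).
DOMAIN_OF = {
    "RCEF": ACCESS,
    "CNGCF": VISITED, "NACF": VISITED, "AMF": VISITED, "ARF": VISITED,
    "V-CLF": VISITED, "V-UAAF": VISITED, "V-PDBF": VISITED,
    "A-RACF": VISITED, "SPDF": VISITED, "V-BGF": VISITED,
    "H-CLF": HOME, "H-UAAF": HOME, "H-PDBF": HOME, "H-BGF": HOME,
    "AF": ASP,
}

# Reference points as (name, endpoint, endpoint); endpoints are assumptions.
# e2 and e5 have several branches, so the same name appears more than once.
REFERENCE_POINTS = [
    ("a1", "NACF", "V-CLF"), ("a3", "AMF", "V-UAAF"), ("a4", "V-CLF", "V-UAAF"),
    ("e5", "V-UAAF", "H-UAAF"),
    ("e2", "V-CLF", "H-CLF"), ("e2", "V-CLF", "AF"),
    ("e4", "V-CLF", "A-RACF"),
    ("Gq'", "AF", "SPDF"), ("Rq", "SPDF", "A-RACF"), ("Re", "A-RACF", "RCEF"),
    ("Ia", "SPDF", "V-BGF"), ("Di", "V-BGF", "H-BGF"),
]

# Branches and entities that do not occur per NASS scenario (clause 4.3 list).
ABSENT_BRANCHES = {
    1: {("e2", "V-CLF", "H-CLF"), ("e2", "V-CLF", "AF")},
    2: {("e2", "V-CLF", "AF")},
    3: {("e5", "V-UAAF", "H-UAAF"), ("e2", "V-CLF", "H-CLF")},
    4: {("e5", "V-UAAF", "H-UAAF"), ("e2", "V-CLF", "AF")},
}
ABSENT_FES = {1: {"V-PDBF"}, 2: {"V-PDBF"}, 3: set(), 4: set()}


def effective_domain(domain, collapse):
    """Follow a collapse mapping such as {"home": "visited"} to its fixed point.

    Collapsing is iterative (clause 4.3): {"asp": "home", "home": "visited"}
    puts the ASP, home and visited networks into one security domain.
    """
    seen = set()
    while domain in collapse and domain not in seen:
        seen.add(domain)
        domain = collapse[domain]
    return domain


def classify(ref_points=REFERENCE_POINTS, domain_of=DOMAIN_OF, collapse=None, scenario=None):
    """Map each occurring reference point to ("Za", "mandatory", (dom_a, dom_b))
    when it crosses a security-domain boundary and must be routed through SEGFs,
    or to ("Zb", "optional", (dom, dom)) when it stays inside one domain."""
    collapse = collapse or {}
    absent = ABSENT_BRANCHES.get(scenario, set())
    absent_fes = ABSENT_FES.get(scenario, set())
    result = {}
    for name, a, b in ref_points:
        if (name, a, b) in absent or a in absent_fes or b in absent_fes:
            continue  # branch does not occur in this NASS scenario
        da = effective_domain(domain_of[a], collapse)
        db = effective_domain(domain_of[b], collapse)
        if da != db:
            result[(name, a, b)] = ("Za", "mandatory", (da, db))
        else:
            result[(name, a, b)] = ("Zb", "optional", (da, db))
    return result


def segf_pairs(classification):
    """Distinct domain pairs that need a SEGF on each side with a Za IKE+ESP tunnel."""
    return {frozenset(v[2]) for v in classification.values() if v[0] == "Za"}


if __name__ == "__main__":
    for label, collapse in [("general case", {}), ("home = visited", {"home": "visited"})]:
        print(f"== {label}")
        for (name, a, b), (iface, req, doms) in classify(collapse=collapse).items():
            print(f"{name:4} {a:7} - {b:7} {iface} ({req}) {'/'.join(sorted(set(doms)))}")
        print("SEGF pairs:", [tuple(sorted(p)) for p in segf_pairs(classify(collapse=collapse))])
```

Running the model with the home and visited domains collapsed turns e5, the e2 V-CLF-to-H-CLF branch and Di into intra-domain (Zb, optional) interfaces, while Re towards the access transport network and the e2/Gq' interfaces towards the ASP still require SEGFs; collapsing every domain into one leaves no Za interface at all, which is the single-operator case the clause describes.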
[Figure 6 not reproduced. It shows the NASS functional entities (CNGCF, NACF, AMF, ARF, V-UAAF/H-UAAF, V-PDBF/H-PDBF, V-CLF/H-CLF), the RACS functional entities (A-RACF, SPDF, RCEF, V-BGF/H-BGF) and the AF, with the UE, Access Node, IP Edge, L2TP node and Core Border Nodes, placed in the Access Transport Network, the Visited NGN Network, the Home NGN Network and the 3rd party ASP Networks. The reference points e1 to e5, a1 to a4, Gq', Ra, Rq, Re, Ia, Ds and Di are drawn, and each domain carries SEGFs with its SEG CA and Interconnection CA around the inter-domain interfaces.]
Figure 6: NGN NASS and RACS security architecture with FEs and security gateway functional
components around inter-domain interfaces in access, visited, home and other operator's networks
4.3.1 NASS-IMS Bundled security
Please refer to clause 4.4.1.
4.4 IMS security architecture
The IMS security architecture for both 3G environments and for NGN environments is defined in TS 133 203 [8].
[Figure 7 not reproduced. It shows the NGN-UE (with ISIM, possibly a soft ISIM, and UA), the P-CSCF in the Visited NGN, the I-CSCF, S-CSCF and UPSF in the Home NGN, the Generic IP Transport with Generic Entities (GE) underneath, and the security associations 1, 3, 4/5 and 5 between them, with the multimedia IP networks attached.]
Figure 7: IMS Security architecture in an NGN environment (TS 133 203 [8])
Figure 7 depicts the IMS security architecture in an NGN environment as defined in TS 133 203 [8], where the 3GPP
specific transport domain is replaced by the Generic IP transport domain. The following observations support figure 7.
• The IMS is independent of the transport network.
• Generic Entities (GE) equivalent to the 3GPP transport entities will be present in the Generic IP transport
domain.
• In NGN the AuC functionality is performed by UPSF.
• The Security Associations (SA) (referring to the corresponding arrows in figure 7) are retained.
- SA-1, SA-3, SA-4 and SA-5 are endorsed as described in TS 133 203 [8].
- SA-2 is endorsed with the extension to ensure transport across NAT/Firewall boundaries.
There exist other interfaces and reference points in IMS which have not been addressed above. Those interfaces and
reference points reside within the IMS, either within the same security domain or between different security domains
(see figure 8). All such interfaces and reference points (which may include subsystems like NASS/RACS), apart from
the Gm reference point, are protected as specified in TS 133 210 [9].
The present document endorses the interfaces (1) to (5) of TS 133 203 [8].
Figure 8 details figure 7 by showing the IMS functional entities in the NGN that runs over a generic IP transport.
[Figure 8 not reproduced. It shows the NGN-UEs, the Visited Network (P-CSCF, I-CSCF, UPE) and the Home Network (I-CSCF, S-CSCF, UPSF/HSS), connected by Zb interfaces over the Generic IP transport.]
Figure 8: Generic IP Transport underneath IMS ( [8])
In the following, the IMS components are segregated into the different security domains. Figure 9 shows the IMS
components in five different domains. The interconnection between the different IMS components is not shown in the
figure; it shall be in accordance with ES 282 007 [27]. The segregation is explained below.
1) Customer's domain includes UE and optionally some Residential Gateways (which may be owned by the
user/operator). The Residential Gateway shall have ISIM, which has the credentials for IMS authentication.
2) Access network domain is hosted by the access network provider. The access network provider may or may
not be the same as the NGN provider.
3) Visited network domain is hosted by a visited network provider. The visited network provider may offer
multimedia services and may have its own subscribers. Alternatively, the visited network provider may have an
agreement with some 3rd party Application Service Provider (ASP) to offer services. The visited network
domain
...