ETSI TR 187 002 V2.1.1 (2008-12)

ETSI TR 187 002 V2.1.1 (2008-12)
Technical Report


Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
TISPAN NGN Security (NGN_SEC);
Threat, Vulnerability and Risk Analysis

---------------------- Page: 1 ----------------------
2 ETSI TR 187 002 V2.1.1 (2008-12)



Reference
RTR/TISPAN-07030-NGN-R2
Keywords
analysis, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2008.
All rights reserved.

TM TM TM TM
DECT , PLUGTESTS , UMTS , TIPHON , the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TR 187 002 V2.1.1 (2008-12)
Contents
Intellectual Property Rights . 7
Foreword . 7
1 Scope . 8
2 References . 8
2.1 Normative references . 8
2.2 Informative references . 9
3 Definitions and abbreviations . 11
3.1 Definitions . 11
3.2 Abbreviations . 12
4 NGN-relevant Security Interfaces and Scenarios . 13
4.1 Security-relevant NGN Scenarios . 13
4.1.1 Basic NGN scenario (ECN&S model) . 14
4.1.2 IMS scenarios . 14
4.1.2.1 3GPP IMS . 14
4.1.2.2 Generic or NGN IMS . 15
4.1.3 Nomadic user security scenario . 17
5 Threat and risk analysis . 17
5.1 PES Analysis . 17
5.1.1 PES objectives and security objectives . 17
5.1.2 Stage 2 model of PES (UML) . 18
5.1.2.1 Identification of assets . 19
5.1.2.2 Missing considerations in PES . 19
5.1.2.2.1 ECN technology . 19
5.1.2.2.2 Protocol stack . 20
5.1.2.2.3 Cardinality of relationships . 20
5.1.2.2.4 Deployment . 20
5.1.3 Points of attack in PES. 20
5.1.3.1 Interfaces . 20
5.1.3.2 Implicit relationships . 20
5.1.4 Risk analysis . 21
5.1.4.1 Overview . 21
5.1.4.2 Interception . 21
5.1.4.2.1 Interception at the customer to MGW interface . 21
5.1.4.2.2 Interception within the fixed network . 21
5.1.4.3 Manipulation . 21
5.1.4.3.1 Manipulation at the customer interface . 22
5.1.4.3.2 Manipulation in the fixed parts of the network . 22
5.1.4.3.3 Manipulation in links between networks . 23
5.1.4.4 Denial-of-Service . 23
5.1.5 PES unwanted incidents . 24
5.1.6 Existing PES security provisions . 24
5.1.7 Security capabilities in PES . 24
5.1.7.1 H.248 ETSI_ARGW . 24
5.1.7.1.1 Authentication . 24
5.1.7.1.2 Confidentiality of signalling . 24
5.1.7.1.3 Confidentiality of traffic . 24
5.1.7.1.4 Integrity of signalling . 25
5.1.7.1.5 Integrity of traffic . 25
5.1.8 Role of NGN subsystems in PES . 25
5.1.8.1 Transport plane . 25
5.1.8.1.1 NASS . 25
5.1.8.1.2 RACS . 25
5.1.8.1.3 Transport elements . 25
ETSI

---------------------- Page: 3 ----------------------
4 ETSI TR 187 002 V2.1.1 (2008-12)
5.1.8.2 Service plane . 25
5.1.8.2.1 IMS . 25
5.1.8.2.2 PSS . 25
5.1.8.3 Recommendations . 25
5.2 Analysis of NASS . 26
5.2.1 NASS-IMS bundled authentication analysis . 26
5.2.1.1 NASS-IMS bundled Authentication objectives and security objectives . 26
5.2.1.2 Stage 2 model of NASS-IMS bundled authentication . 26
5.2.1.2.1 Identification of assets . 27
5.2.1.2.2 Missing considerations in NASS . 28
5.2.1.3 Points of attack on the NASS-IMS bundled authentication . 29
5.2.1.3.1 Interfaces . 29
5.2.1.4 Risk analysis . 29
5.2.1.4.1 Overview . 29
5.2.1.4.2 Interception . 29
5.2.1.4.3 Manipulation . 30
5.2.1.4.4 IP Address and Identity spoofing . 32
5.2.1.4.5 Invalidation of IP address not signalled . 33
5.2.1.4.6 Denial-of-Service . 33
5.2.1.4.7 "line-id poisoning" attack with malicious P-Access-Network-Info . 34
5.2.1.5 NASS-IMS bundled authentication related unwanted incidents . 35
5.3 Analysis of RACS . 35
5.4 Analysis of NGN-IMS . 35
5.5 Analysis of DNS and ENUM in NGN. 35
5.6 Analysis of SIP in NGN . 35
6 Conclusions for NGN-R1 . . 36
Annex A: TVRA of RACS in NGN-R2 . 39
A.1 Scope of the TVRA . 39
A.2 Identification of the ToE . 39
A.2.1 Overview . 39
A.2.2 Scenarios for analysis and derivation of ToE . 41
A.2.2.1 Summary . 41
A.2.2.2 Single trust domain deployment scenario . 41
A.2.2.3 Two separate trust domains deployment scenario . 42
A.2.2.4 Two collaborating trust domains deployment scenario. 43
A.2.2.5 Multi trust domain deployment scenarios . 44
A.3 Analysis of ToE elements. 45
A.3.1 Transport processing functions . 45
A.3.2 SPDF . 46
A.3.3 46
A.3.4 Reference points . 46
A.3.5 Information flow analysis . 47
A.4 Security objectives . 51
A.5 Threats to RACS and threat agents to enable them . 52
A.6 Countermeasures for risk mitigation in RACS . 53
A.6.1 Functional requirements . 53
A.6.2 Detail requirements . 54
Annex B: TVRA of Media transport NGN-R2 . 55
B.1 Description of ToE . 55
B.2 Identification of objectives . 57
B.3 Step 2: Identification of requirements . 57
Annex C: Example TVRA for use of ENUM in NGN . 60
ETSI

---------------------- Page: 4 ----------------------
5 ETSI TR 187 002 V2.1.1 (2008-12)
C.1 Overview and introduction . 60
C.1.1 Security critical ENUM operations . 62
C.1.1.1 Registration of an E.164 number in the ENUM database . 62
C.1.1.2 Processes for creation, modification and deletion of NAPTR Records in the Tier 2 database . 63
C.1.1.3 Processes for removal of E.164 numbers from ENUM databases . 64
C.1.1.4 Processes for changing Registrars . 65
C.1.2 ENUM assets . 66
C.1.2.1 NAPTR records . 66
C.1.2.2 ENUM query . 66
C.2 DNSSEC. 66
C.3 Unwanted incidents in use of ENUM in NGN (eTVRA Step 1) . 67
C.4 Security requirements for ENUM in the NGN (eTVRA Step 2) . 67
C.5 ENUM assets (eTVRA Step 3) . 69
C.5.1 NNA provisioning scenario . 69
C.5.2 Signalling scenario . 70
C.5.3 Identification of assets . 71
C.5.4 Logical Assets . 72
C.5.5 Physical Assets . 72
C.5.6 Summary of assets . 73
C.5.7 Relationships between assets . 74
C.6 Vulnerabilities in ENUM (eTVRA Step 4) . 75
C.6.1 Weakness in ENUM (eTVRA Step 4a) . 75
C.6.2 Threat agents in ENUM (eTVRA Step 4b) . 76
C.6.3 Identification of vulnerabilities in ENUM (eTVRA Step 4.1) . 77
C.7 Risk assessment for ENUM (eTVRA Step 5) . 78
C.8 ENUM risk classification (eTVRA Step 6) . 79
C.9 ENUM countermeasure framework (eTVRA Step 7) . 81
C.10 Completed eTVRA proforma for ENUM. 83
Annex D: TVRA of IPTV in NGN-R2 . 86
D.1 Step 0: Description of ToE (IPTV) . 86
D.1.1 IPTV stakeholders . 86
D.2 Step 1: Identification of objectives . 88
D.2.2 (System) Security Objectives . 88
D.2.2.1 Security objective category authentication . 88
D.2.2.2 Security objective category accountability . 89
D.2.2.3 Security objective category confidentiality . 89
D.2.2.4 Security objective category integrity . 89
D.2.2.5 Security objective category availability . 89
D.3 Step 2: Identification of requirements . 89
D.3.1 Security requirements category authentication . 89
D.3.2 Security requirement category accountability . 90
D.3.3 Security requirement category confidentiality. 91
D.3.4 Security requirement category integrity . 92
D.3.5 Security requirement category availability: . 92
D.4 Step 3: Inventory of the assets . 93
Annex E: TVRA of NAT and NAT-T in NGN-R2 . 94
E.1 Step 0: Description of NAT and NAT-T in NGN-R2 . 94
E.2 Step 1: Identification of objectives . 96
E.2.1 (System) Security Objectives . 96
E.3 Step 2: Identification of requirements . 97
ETSI

---------------------- Page: 5 ----------------------
6 ETSI TR 187 002 V2.1.1 (2008-12)
E.4 Step 3: Inventory of the assets . 100
E.5 Vulnerabilities in R2 NAT traversal (eTVRA Step 4) . 101
E.5.1 Weakness in R2 NAT traversal (eTVRA Step 4a) . 101
E.5.2 Threat agents in R2 NAT traversal (eTVRA Step 4b). 101
E.6 Threats to NAT-T and threat agents to enable them (TVRA steps 4 and 5) . 102
E.6.1 Identification of threats and threat agents in STUN . 102
E.6.1.1 Manipulation threats and threat agents . 102
E.6.1.1.1 Attacker in NAT-T path . 102
E.6.1.1.1.1 Interception of STUN messages. . 102
E.6.1.1.1.2 Manipulation of STUN messages. . 102
E.6.1.1.1.3 Construction of integrity check value . 103
E.6.1.1.1.4 Manipulation of STUN protocol . 103
E.6.1.1.2 Attacker in NAT-T endpoint . 104
E.6.1.2 STUN usage attacks . 104
E.6.1.2.1 DDoS Against a Target . 104
E.6.1.2.2 Silencing a Client . 104
E.6.1.2.3 Masquerade as a known Client . 104
E.6.1.2.4 Eavesdropping . 104
E.6.1.2.5 Risk analysis for use of ICE . 105
E.6.1.2.6 Risk analysis for use of Outbound . 105
E.6.2 Risk analysis for use of IMS-ALG . 105
Annex F: TVRA of UC in NGN-R2 . . 106
Annex G: Change history . 107
History . 108

ETSI

---------------------- Page: 6 ----------------------
7 ETSI TR 187 002 V2.1.1 (2008-12)
Intellectual Property Right
...