ETSI TS 187 003 V2.1.1 (2009-02)

ETSI TS 187 003 V2.1.1 (2009-02)
Technical Specification


Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
NGN Security;
Security Architecture

---------------------- Page: 1 ----------------------
2 ETSI TS 187 003 V2.1.1 (2009-02)



Reference
RTS/TISPAN-07029-NGN-R2
Keywords
architecture, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2009.
All rights reserved.

TM TM TM TM
DECT , PLUGTESTS , UMTS , TIPHON , the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TS 187 003 V2.1.1 (2009-02)
Contents
Intellectual Property Rights.5
Foreword.5
1 Scope.6
2 References.6
2.1 Normative references.6
2.2 Informative references.9
3 Definitions and abbreviations.9
3.1 Definitions.9
3.2 Abbreviations.10
4 NGN Security.12
4.1 NGN security architecture.13
4.2 Security domains.15
4.3 NASS and RACS security architecture .16
4.3.1 NASS-IMS Bundled Security.18
4.4 IMS security architecture .19
4.4.1 NASS-IMS Bundled Security.21
4.5 PES Security Architecture.22
4.5.1 Security for H.248 within PES.22
4.5.2 IMS-based PES Security.23
4.6 Application security architecture.23
4.6.1 Generic Authentication Architecture (GAA).23
4.6.1.1 Generic Bootstrapping Architecture (GBA).24
4.6.1.2 Support for Subscriber Certificates (SSC) .24
4.6.1.3 Access to NAF using HTTPS.24
5 Mapping of Security Requirements to Security Services and NGN FEs .24
5.1 Security services in NGN security architecture.24
5.2 Security Services in NGN FEs .26
5.3 Security Services on NGN Interfaces.30
5.4 Mapping of 3GPP security FEs to NGN FEs .32
6 NGN IMS Residential Gateway.34
7 Security for H248.35
7.1 R-MGF Context.35
7.2 A-MGF Context.35
8 Security Architectures for Media Security.35
9 Security Architectures for IPTV.35
10 Security Architecture for Customer Premises Networking .35
11 Security Architecture for Fixed Mobile Convergence .35
12 Interfaces out of scope.35
12.1 Interconnect Iz interface I BGF.35
12.2 RI' and Gq'.35
13 Security Architecture for Corporate Networks.36
13.1 Subscription Based Business Trunking .36
13.2 Peering Based Business Trunking .36
14 Security Architecture for Host Enterprise .36
Annex A (informative): NGN-relevant security interfaces .37
A.1 Network attachment security interfaces .37
ETSI

---------------------- Page: 3 ----------------------
4 ETSI TS 187 003 V2.1.1 (2009-02)
A.1.1 Reference Point e1 (CNG - AMF).38
A.1.2 Reference Point e2 (CLF - AF) .38
A.1.3 Reference Point a3 (AMF - UAAF) .38
A.1.4 Reference Point e5 (UAAF - UAAF).38
A.2 Service layer security interfaces.39
A.2.1 NGN IP Multimedia Subsystem (IMS) .39
A.2.1.1 Reference Point Gm (UE/IMS Residential Gateway - P-CSCF) .39
A.2.1.2 Reference Point Cx (CSCF - UPSF).40
A.2.1.3 Reference Point Gq' (P-CSCF - RACS).40
A.2.1.4 Reference Point Iw (IWF - non-compatible SIP).40
A.2.1.5 Reference Point Ic (IBCF - IMS).40
A.2.1.6 Void.40
A.2.1.7 Reference Point Ut (UE - AS) .40
A.3 Interconnection security interfaces.41
A.3.1 Interconnecting security at the transport layer.42
A.3.2 Interconnecting security at the service layer .42
Annex B (informative): Mapping of NGN Security Requirements to Security Services .43
Annex C (informative): Implementation notes on the IMS Residential Gateway.50
C.1 B2BUA registration.50
C.2 B2BUA originating session establishment.53
C.3 B2BUA terminating session establishment.54
Annex D (informative): Supplementary Information on NASS-IMS Bundled Authentication .56
D.1 Flow Diagram for NASS Bundled Authentication.56
Annex E (informative): Open Issues in NGN Security .58
Annex F (informative): IPTV content security elements and their interactions .59
F.1 IPTV-Unicast authorized Content Delivery Option A .60
F.2 IPTV-Unicast authorized Content Delivery Option B .60
F.3 IPTV-Multicast Content Delivery.61
F.4 Mapping Content Security to IPTV architecture.62
F.5 Text contributed during release 2.63
Annex G (informative): Bibliography.66
History .67

ETSI

---------------------- Page: 4 ----------------------
5 ETSI TS 187 003 V2.1.1 (2009-02)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
ETSI

---------------------- Page: 5 ----------------------
6 ETSI TS 187 003 V2.1.1 (2009-02)
1 Scope
The present document defines the security architecture of NGN. The definition complies with the requirements of
ITU-T Recommendation I.130 [29] at stage 2.
The present document addresses the security architecture required to fulfil the NGN security requirements defined in
TS 187 001 [1] and includes the definition of security architectures to provide protection for each of the NGN
functional architecture (ES 282 001 [2]) and its subsystems (ES 282 004 [5], ES 282 001 [3], ES 282 007 [24],
ES 283 003 [23] and ES 282 003 [4]). Where appropriate the present document endorses security mechanisms defined
in other specifications.
The present document addresses the security issues of the NGN core network and the NGN access network(s) up to and
including the NGN Network Termination (NGN NT) in the residential customer domain. The NGN NT denotes a
logical demarcation point between the residential customer domain and the NGN core and access networks and covers
the corresponding interfaces.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• Non-specific reference may be made only to a complete document or a part thereof and only in the following
cases:
- if it is accepted that it will be possible to use all future changes of the referenced document for the
purposes of the referring document;
- for informative references.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are indispensable for the application of the present document. For dated
references, only the edition cited applies. For non-specific references, the latest edition of the referenced document
(including any amendments) applies.
[1] ETSI TS 187 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[2] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture".
[3] ETSI ES 282 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Sub-system (PES); Functional
architecture".
[4] ETSI ES 282 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control Sub-system (RACS);
Functional Architecture".
[5] ETSI ES 282 004: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment
Sub-System (NASS)".
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TS 187 003 V2.1.1 (2009-02)
[6] ETSI TS 183 033: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia; Diameter based protocol for the interfaces
between the Call Session Control Function and the User Profile Server Function/Subscription
Locator Function; Signalling flows and protocol details [3GPP TS 29.228 V6.8.0 and 3GPP
TS 29.229 V6.6.0, modified]".
[7] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Access security for IP-based services (3GPP
TS 33.203)".
[8] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Network Domain Security (NDS); IP network
layer security (3GPP TS 33.210)".
[9] ETSI TS 133 141: "Universal Mobile Telecommunications System (UMTS); Presence service;
Security (3GPP TS 33.141)".
[10] ETSI TS 133 222: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Generic Authentication Architecture (GAA); Access to
network application functions using Hypertext Transfer Protocol over Transport Layer Security
(HTTPS) (3GPP TS 33.222)".
[11] ETSI TS 133 220: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Generic Authentication Architecture (GAA); Generic
bootstrapping architecture (3GPP TS 33.220)".
[12] ETSI TS 122 048: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Security Mechanisms for the (U)SIM application toolkit;
Stage 1 (3GPP TS 22.048)".
[13] ETSI TS 123 048: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Security mechanisms for the (U)SIM application toolkit;
Stage 2 (3GPP TS 23.048)".
[14] ETSI TS 131 101: "Universal Mobile Telecommunications System (UMTS); UICC-terminal
interface; Physical and logical characteristics (3GPP TS 31.101)".
[15] ETSI TS 131 102: "Universal Mobile Telecommunications System (UMTS); Characteristics of the
Universal Subscriber Identity Module (USIM) application (3GPP TS 31.102)".
[16] ETSI TS 131 103: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Characteristics of the IP Multimedia Services Identity
Module (ISIM) application (3GPP TS 31.103)".
[17] ETSI TS 129 329: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Sh interface based on the Diameter protocol; Protocol
details (3GPP TS 29.329)".
[18] ETSI ES 283 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Subsystem (PES); NGN Release 1
H.248 Profile for controlling Access and Residential Gateways".
[19] ETSI ES 283 018: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: H.248 Profile for controlling
Border Gateway Functions (BGF) in the Resource and Admission Control Subsystem (RACS);
Protocol specification".
[20] ETSI TS 183 019: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment; Network Access xDSL and WLAN
Access Networks; Interface Protocol Definitions".
[21] ETSI ES 283 035: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment Sub-System (NASS); e2 interface based
on the DIAMETER protocol".
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TS 187 003 V2.1.1 (2009-02)
[22] ETSI ES 283 034: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment Sub-System (NASS); e4 interface based
on the DIAMETER protocol".
[23] ETSI ES 283 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Call Control Protocol based on Session Initiation
Protocol (SIP) and Session Description Protocol (SDP) Stage 3".
[24] ETSI ES 282 007: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Functional architecture".
[25] ETSI TS 182 006: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Stage 2 description (3GPP
TS 23.228 v7.2.0, modified)".
[26] IETF RFC 3261: "SIP: Session Initiation Protocol".
[27] ISO/IEC 10181-1 (1996): "Information technology - Open Systems Interconnection - Security
frameworks for open systems: Overview".
[28] ISO/IEC 11770-1 (1996): "Information technology - Security techniques - Key
management - Part 1: Framework".
[29] ITU-T Recommendation I.130: "Method for the characterization of telecommunication services
supported by an ISDN and network capabilities of an ISDN".
[30] ITU-T Recommendation X.810 (1995): "Information technology - Open Systems
Interconnection - Security frameworks for open systems: Overview".
[31] ITU-T Recommendation X.811: "Information Technology - Open Systems
Interconnection - Security Frameworks for Open Systems: Authentication framework".
[32] ITU-T Recommendation X.812: "Information Technology - Open Systems
Interconnection - Security Frameworks for Open Systems: Access control framework".
[33] ITU-T Recommendation X.814: "Information Technology - Open Systems
Interconnection - Security Frameworks for Open Systems: Confidentiality framework".
[34] ITU-T Recommendation X.815: "Information Technology - Open Systems
Interconnection - Security Frameworks for Open Systems: Integrity framework".
[35] ETSI TS 183 017: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: DIAMETER protocol for
session based policy set-up information exchange between the Application Function (AF) and the
Service Policy Decision Function (SPDF); Protocol specification".
[36] IETF RFC 2617: "HTTP Authentication: Basic and Digest Access Authentication".
[37] ETSI TS 183 043: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IMS-based PSTN/ISDN Emulation; Stage 3 specification".
[38] ETSI TS 182 012: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IMS-based PSTN/ISDN Emulation Sub-system (PES);
Functional architecture".
[39] ETSI TS 133 102: "Universal Mobile Telecommunications System (UMTS); 3G security; Security
architecture (3GPP TS 33.102)".
[40] ETSI ES 283 026: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control; Protocol for QoS reservation
information exchange between the Service Policy Decision Function (SPDF) and the Access-
Resource and Admission Control Function (A-RACF) in the Resource and Protocol specification".
[41] ETSI ES 202 238: "Telecommunications and Internet Protocol Harmonization Over Networks
(TIPHON); Evaluation criteria for cryptographic algorithms".
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TS 187 003 V2.1.1 (2009-02)
[42] IEEE 802.1x: "Standard for Local and Metropolitan Area Networks - Port-Based Network Access
Control".
[43] ETSI TS 181 005: "Telecommunications and Internet converged Services and Protocols for
Advanced Networks (TISPAN); Service and Capability Requirements".
[44] ETSI TS 124 229: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Internet Protocol (IP) multimedia call control protocol
based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3".
[45] ETSI TS 123 002: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Network architecture".
[46] ETSI TS 133 234: "Universal Mobile Telecommunications System (UMTS); 3G security;
Wireless Local Area Network (WLAN) interworking security".
2.2 Informative references
The following referenced documents are not essential to the use of the present document but they assist the user with
regard to a particular subject area. For non-specific references, the latest version of the referenced document (including
any amendments) applies.
[i.1] ETSI TR 133 919: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G Security; Generic Authentication Architecture (GAA);
System description (3GPP TR 33.919)".
[i.2] ETSI TR 133 221: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Generic Authentication Architecture (GAA); Support for
subscriber certificates (3GPP TS 33.221)".
[i.3] ETSI TS 182 027: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IPTV Architecture; IPTV functions supported by the IMS
subsystem".
[i.4] ETSI TR 183 032: "Telecommunications and Internet converged Services and Protocols for
Advanced Networks (TISPAN); Feasibility study into mechanisms for the support of encapsulated
ISUP information in IMS".
[i.5] ETSI TR 182 005: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Organization of user data".
[i.6] ETSI TR 183 014: "Telecommunications and Internet converged Services and Protocols for
Advanced Networks (TISPAN); Development and Verification of PSTN/ISDN Emulation".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
AUTHentication service (AUTH): See ITU-T Recommendation X.811 [31].
AUTHORization service (AUTHOR): See ITU-T Recommendation X.812 [32].
CONFidentiality service (CONF): See ITU-T Recommendation X.814 [33].
content protection: protection of content (files or streams) post-delivery
NOTE: It ensures that a user can only use the content in accordance with the license that they have been granted,
e.g. play/view/hear multiple times or hours, etc.
ETSI

---------------------- Page: 9 ----------------------
10 ETSI TS 187 003 V2.1.1 (2009-02)
data: any information conveyed in communication packets as well as any other information such as topology
information
INTegrity service (INT): See ITU-T Recommendation X.815 [34].
Key Management service (KM): See ISO/IEC 11770-1 [28].
license: data package which represents the granted Rights to a specific user and the key related to the protected content
NGN Network Termination (NGN NT): reference point which denotes a logical demarcation point between the
residential customer domain and the NGN core via access networks
NOTE: It covers the corresponding interfaces.
Policy Enforcement Function (PEF): security function that enforces policy rules
NOTE: The PEF encompasses functions for filtering and topology hiding such as typically found in firewalls
and/or session border controllers.
rights: pre-defined set of usage entitlement to the content
NOTE: The entitlement may include the permissions (e.g. to view/hear, copy, modify, record, distribute, etc.),
constraints (e.g. play/view/hear multiple times or hours), etc.
security domain: set of elements made of security policy, security authority and set of security relevant activities in
which the
...