ETSI TS 187 003 V1.7.1 (2008-02)
Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture
RTS/TISPAN-07024-NGN-R1
Technical Specification
Reference
RTS/TISPAN-07024-NGN-R1
Keywords
architecture, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2008.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
Contents
Intellectual Property Rights
Foreword
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 NGN Security
4.1 NGN security architecture
4.2 Security domains
4.3 NASS and RACS security architecture
4.3.1 NASS-IMS Bundled security
4.4 IMS security architecture
4.4.1 NASS-IMS Bundled security
4.5 PES Security architecture
4.5.1 Security for H.248 within PES
4.5.2 IMS-based PES security
4.6 Application security architecture
5 Mapping of security requirements to security services and NGN FEs
5.1 Security services in NGN R1 security architecture
5.2 Security Services in NGN FEs
5.3 Security Services on NGN Interfaces
5.4 Mapping of 3GPP security FEs to NGN FEs
6 NGN IMS Residential Gateway
Annex A (informative): NGN-relevant security interfaces
A.1 Network attachment security interfaces
A.1.1 Reference point e1 (CNG - AMF)
A.1.2 Reference point e2 (CLF - AF)
A.1.3 Reference point a3 (AMF - UAAF)
A.1.4 Reference point e5 (UAAF - UAAF)
A.2 Service layer security interfaces
A.2.1 NGN IP Multimedia Subsystem (IMS)
A.2.1.1 Reference point Gm (UE/IMS Residential Gateway - P-CSCF)
A.2.1.2 Reference point Cx (CSCF - UPSF)
A.2.1.3 Reference point Gq' (P-CSCF - RACS)
A.2.1.4 Reference point Iw (IWF - non-compatible SIP)
A.2.1.5 Reference point Ic (IBCF - IMS)
A.2.1.6 Void
A.2.1.7 Reference point Ut (UE - AS)
A.3 Interconnection security interfaces
A.3.1 Interconnecting security at the transport layer
A.3.2 Interconnecting security at the service layer
Annex B (informative): Mapping of NGN R1 Security Requirements to Security Services
Annex C (informative): Implementation notes on the IMS Residential Gateway
C.1 B2BUA registration
C.2 B2BUA originating session establishment
C.3 B2BUA terminating session establishment
Annex D (informative): Supplementary information on NASS-IMS bundled authentication
D.1 Flow diagram for NASS bundled authentication
Annex E (informative): Open issues in NGN security
Annex F (informative): Bibliography
History
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
1 Scope
The present document defines the security architecture of NGN Release 1. The definition complies with the
requirements of ITU-T Recommendation I.130 [32] at stage 2.
The present document addresses the security architecture required to fulfil the NGN R1 security requirements defined in
TS 187 001 [1] and includes the definition of security architectures to provide protection for each of the NGN
functional architecture (ES 282 001 [3]) and its subsystems (ES 282 004 [6], ES 282 002 [4], ES 282 007 [27],
ES 283 003 [26] and ES 282 003 [5]). Where appropriate the present document endorses security mechanisms defined
in other specifications.
The present document addresses the security issues of the NGN core network and the NGN access network(s) up to and
including the NGN Network Termination (NGN NT) in the residential customer domain. The NGN NT denotes a
logical demarcation point between the residential customer domain and the NGN core and access networks and covers
the corresponding interfaces.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• Non-specific reference may be made only to a complete document or a part thereof and only in the following
cases:
- if it is accepted that it will be possible to use all future changes of the referenced document for the
purposes of the referring document;
- for informative references.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
For online referenced documents, information sufficient to identify and locate the source shall be provided. Preferably,
the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the
reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the
method of access to the referenced document and the full network address, with the same punctuation and use of upper
case and lower case letters.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are indispensable for the application of the present document. For dated
references, only the edition cited applies. For non-specific references, the latest edition of the referenced document
(including any amendments) applies.
[1] ETSI TS 187 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[2] Void.
[3] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture Release 1".
[4] ETSI ES 282 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Sub-system (PES); Functional
architecture".
[5] ETSI ES 282 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control Sub-system (RACS);
Functional Architecture".
[6] ETSI ES 282 004: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment
Sub-System (NASS)".
[7] ETSI TS 183 033: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia; Diameter based protocol for the interfaces
between the Call Session Control Function and the User Profile Server Function/Subscription
Locator Function; Signalling flows and protocol details [3GPP TS 29.228 V6.8.0 and
3GPP TS 29.229 V6.6.0, modified]".
[8] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Access security for IP-based services
(3GPP TS 33.203)".
[9] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Network Domain Security (NDS); IP network
layer security (3GPP TS 33.210)".
[10] ETSI TS 133 310: "Universal Mobile Telecommunications System (UMTS); Network domain
security; Authentication framework (NDS/AF) (3GPP TS 33.310)".
[11] ETSI TS 133 141: "Universal Mobile Telecommunications System (UMTS); Presence service;
Security (3GPP TS 33.141)".
[12] ETSI TS 133 222: "Universal Mobile Telecommunications System (UMTS); Generic
Authentication Architecture (GAA); Access to network application functions using Hypertext
Transfer Protocol over Transport Layer Security (HTTPS) (3GPP TS 33.222)".
[13] ETSI TS 133 220: "Universal Mobile Telecommunications System (UMTS); Generic
Authentication Architecture (GAA); Generic bootstrapping architecture (3GPP TS 33.220)".
[14] ETSI TS 122 048: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Security Mechanisms for the (U)SIM application toolkit;
Stage 1 (3GPP TS 22.048)".
[15] ETSI TS 123 048: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Security mechanisms for the (U)SIM application toolkit;
Stage 2 (3GPP TS 23.048)".
[16] ETSI TS 131 101: "Universal Mobile Telecommunications System (UMTS); UICC-terminal
interface; Physical and logical characteristics (3GPP TS 31.101)".
[17] ETSI TS 131 102: "Universal Mobile Telecommunications System (UMTS); Characteristics of the
Universal Subscriber Identity Module (USIM) application (3GPP TS 31.102)".
[18] ETSI TS 131 103: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Characteristics of the IP Multimedia Services Identity
Module (ISIM) application (3GPP TS 31.103)".
[19] ETSI TS 129 329: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Sh interface based on the Diameter protocol; Protocol
details (3GPP TS 29.329)".
[20] ETSI ES 283 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Subsystem (PES); NGN Release 1
H.248 Profile for controlling Access and Residential Gateways".
[21] ETSI ES 283 018: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: H.248 Profile for controlling
Border Gateway Functions (BGF) in the Resource and Admission Control Subsystem (RACS);
Protocol specification".
[22] ETSI TS 183 019: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment; Network Access xDSL and WLAN
Access Networks; Interface Protocol Definitions".
[23] ETSI ES 283 035: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networks (TISPAN); Network Attachment Sub-System (NASS); e2 interface based on
the DIAMETER protocol".
[24] ETSI ES 283 034: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment Sub-System (NASS); e4 interface based
on the DIAMETER protocol".
[25] ETSI ETR 232: "Security Techniques Advisory Group (STAG); Glossary of security
terminology".
[26] ETSI ES 283 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Endorsement of "IP Multimedia Call Control Protocol based on
Session Initiation Protocol (SIP) and Session Description Protocol (SDP) Stage 3 (Release 6)" for
NGN Release 1".
[27] ETSI ES 282 007: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Functional architecture".
[28] ETSI TS 182 006: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Stage 2 description
(3GPP TS 23.228 V7.2.0, modified)".
[29] IETF RFC 3261: "SIP: Session Initiation Protocol".
[30] ISO/IEC 10181-1: 1996: "Information technology - Open Systems Interconnection - Security
frameworks for open systems: Overview".
[31] ISO/IEC 11770-1: 1996: "Information technology - Security techniques - Key management -
Part 1: Framework".
[32] ITU-T Recommendation I.130: "Method for the characterization of telecommunication services
supported by an ISDN and network capabilities of an ISDN".
[33] ITU-T Recommendation X.810 (1995): "Information technology - Open Systems Interconnection -
Security frameworks for open systems: Overview".
[34] ITU-T Recommendation X.811: "Information Technology - Open Systems Interconnection -
Security Frameworks for Open Systems: Authentication Framework".
[35] ITU-T Recommendation X.812: "Information Technology - Open Systems Interconnection -
Security Frameworks for Open Systems: Access Control Framework".
[36] ITU-T Recommendation X.814: "Information Technology - Open Systems Interconnection -
Security Frameworks for Open Systems: Confidentiality Framework".
[37] ITU-T Recommendation X.815: "Information Technology - Open Systems Interconnection -
Security Frameworks for Open Systems: Integrity Frameworks".
[38] ETSI TS 183 017: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: DIAMETER protocol for
session based policy set-up information exchange between the Application Function (AF) and the
Service Policy Decision Function (SPDF); Protocol specification".
[39] IETF RFC 2617: "HTTP Authentication: Basic and Digest Access Authentication".
[40] ETSI TS 183 043: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation; IMS-based PSTN/ISDN Emulation
Call Control Protocol based on Session Initiation Protocol (SIP) and Session Description Protocol
(SDP); Protocol specification".
[41] ETSI TS 182 012: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IMS-based PSTN/ISDN Emulation Subsystem; Functional
architecture".
[42] ETSI TS 133 102: "Universal Mobile Telecommunications System (UMTS); 3G security; Security
architecture (3GPP TS 33.102)".
[43] ETSI ES 283 026: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control; Protocol for QoS reservation
information exchange between the Service Policy Decision Function (SPDF) and the
Access-Resource and Admission Control Function (A-RACF) in the Resource and Protocol
specification".
[44] ETSI EG 202 238: "Telecommunications and Internet Protocol Harmonization Over Networks
(TIPHON); Evaluation criteria for cryptographic algorithms".
[45] IEEE 802.1x: "IEEE Standard for Local and Metropolitan Area Networks Port-Based Network
Access Control".
[46] ETSI TS 123 002: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Network architecture (3GPP TS 23.002)".
[47] ETSI TS 133 234: "Universal Mobile Telecommunications System (UMTS); 3G security;
Wireless Local Area Network (WLAN) interworking security (3GPP TS 33.234)".
2.2 Informative references
[48] ETSI TR 182 005: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Organization of user data".
[49] ETSI TR 187 002 (Release 2): "Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN); TISPAN NGN Security (NGN-SEC); Threat,
Vulnerability and Risk Analysis".
[50] ETSI TR 183 032: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Feasibility study into mechanisms for the support of
encapsulated ISUP information in IMS".
[51] ETSI TR 183 014: "Telecommunications and Internet converged Services and Protocols for
Advanced Networks (TISPAN); Development and Verification of PSTN/ISDN emulation".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
Authentication Service (AUTH): See ITU-T Recommendation X.811 [34].
Authorization Service (AUTHOR): See ITU-T Recommendation X.812 [35].
Confidentiality Service (CONF): See ITU-T Recommendation X.814 [36].
data: any information conveyed in communication packets as well as any other information such as topology
information
Integrity Service (INT): See ITU-T Recommendation X.815 [37].
Key Management Service (KM): See ISO/IEC 11770-1 [31].
NGN Network Termination (NGN NT): reference point which denotes a logical demarcation point between the
residential customer domain and the NGN core via access networks. It covers the corresponding interfaces.
Policy Enforcement Function (PEF): security function that enforces policy rules
NOTE: The PEF encompasses functions for filtering and topology hiding such as typically found in firewalls
and/or session border controllers.
security domain: set of elements made of security policy, security authority and set of security relevant activities in
which the set of elements are subject to the security policy for the specified activities, and the security policy is
administered by the security authority for the security domain
NOTE: The activities of a security domain involve one or more elements from that security domain and, possibly,
elements of other security domains.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
3G 3rd Generation
3GPP 3rd Generation Partnership Project
AAA Authentication, Authorization, Accounting
AF Application Functions
AGCF Access Gateway Control Function
AGW Access GateWay
AKA Authentication and Key Agreement
AMF Access Management Function
AN Access Network
AN Access Node
AP Access Point
AP Authentication Proxy
A-RACF Access-Resource and Admission Control Function
AS Application Server
ASP Application Service Provider
AuC Authentication Center
AUTH AUTHentication Service
AUTHOR AUTHORization Service
BGCF Breakout Gateway Control Function
BSF Bootstrapping Server Functionality
CLF Connectivity session and repository Location Function
CONF CONFidentiality service
CPE Customer Premises Equipment
CSCF Call Session Control Function
DoS Denial-of-Service
ESP Encapsulating Security Payload
FE Functional Entity
GAA Generic Authentication Architecture
GBA Generic Bootstrapping Architecture
GE Generic Entities
GRE Generic Routing Encapsulation
HLR Home Location Register
HSS Home Subscriber Server
HTTP HyperText Transfer Protocol
IBCF Interconnection Border Control Function
I-BGF Interconnection-Border Gateway Function
I-CSCF Interrogating-Call Session Control Function
ID IDentity
IETF Internet Engineering Task Force
IF InterFace
IKE Internet Key Exchange
IMPI IMS Private User ID
IMPU IMS Public User ID
IMS IP Multimedia Subsystem
INT INTegrity service
IP Internet Protocol
IPsec Internet Protocol security
IRG IMS Residential Gateway
ISIM IP Multimedia Services Identity Module
IUA ISDN Q.921-User Adaptation
KM Key Management service
MGC Media Gateway Controller
MGCF Media Gateway Control Function
n.a. not applicable
NAF Network Application Function
NASS Network Attachment SubSystem
NAT Network Address Translation
NDS Network Domain Security
NGN NT NGN Network Termination
NGN Next Generation Network
P-CSCF Proxy-Call Session Control Function
PDBF Profile DataBase Function
PEF Policy Enforcement Function
PS Packet Switched
R1 NGN Release 1
RACS Resource and Admission Control Subsystem
RAND RANDom
RGW Residential GateWay
SA Security Association
SCS OSA Service Capability Server
S-CSCF Serving-Call Session Control Function
SEGF SEcurity Gateway Function
SIP Session Initiation Protocol
SLF Subscription Locator Function
SPD Security Policy Database
SPDF Service Policy Decision Function
THF Topology Hiding Function
THIG Topology Hiding Interconnection Gateway
TISPAN Telecommunication and Internet converged Services and Protocols for Advanced Networking
TLS Transport Layer Security
TS Technical Specification
UA User Agent
UAAF User Access Authorization Function
UE User Equipment
UICC Universal Integrated Circuit Card
UMTS Universal Mobile Telecommunications System
UPSF User Profile Server Function
USIM UMTS Subscriber Identity Module
VGW Voice over IP GateWay
WLAN Wireless Local Area Network
XCAP XML Configuration Access Protocol
XML eXtensible Markup Language
4 NGN Security
This clause provides an overview of the NGN security document. The entire document can be seen as a documented
output of a security process that loops through several stages; see figure 1, where arrows indicate logical steps and
dependencies.
The present document assumes existence of a well-defined NGN architecture (ES 282 001 [3]) that includes the IMS
architecture (TS 123 002 [46]), the network attachment subsystem (NASS) architecture (ES 282 004 [6]), the resource
admission subsystem (RACS) architecture (ES 282 003 [5]), and the PSTN/ISDN emulation (PES) architecture
(ES 282 002 [4]). Likewise, the present document assumes the corresponding IMS security architecture
(TS 133 102 [42]). IMS architecture and IMS security architecture are shown as dashed boxes; those prerequisites are
not specified further in the present document.
The description of the NGN release 1 security architecture has been divided into a number of smaller blocks de
...