Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture

RTS/TISPAN-07038-NGN-R3

General Information

Status
Published
Publication Date
30-Mar-2011
Technical Committee
Current Stage
12 - Completion
Due Date
30-Mar-2011
Completion Date
31-Mar-2011
Ref Project
Standard
ts_187003v030401p - Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture
English language
53 pages

Standards Content (Sample)


Technical Specification
Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
NGN Security;
Security Architecture
2 ETSI TS 187 003 V3.4.1 (2011-03)

Reference
RTS/TISPAN-07038-NGN-R3
Keywords
architecture, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) No. 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 5
Foreword . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 8
3 Definitions and abbreviations . 9
3.1 Definitions . 9
3.2 Abbreviations . 9
4 NGN Security . 12
4.0 Overview . 12
4.0a Security services identified in TS 187 001 and TR 187 002 . 12
4.1 NGN security architecture . 13
4.2 Security domains . 17
4.3 Void . 18
4.4 Void . 18
4.5 PES Security Architecture . 18
4.5.1 Security for H.248 within PES. 18
4.6 Application security architecture . 19
4.6.1 Generic Authentication Architecture (GAA) . 19
4.6.1.1 Generic Bootstrapping Architecture (GBA) . 20
4.6.1.2 Support for Subscriber Certificates (SSC) . 20
4.6.1.3 Access to NAF using HTTPS. 20
4.6.2 HTTP Digest authentication for UICC-less CNDs . 20
5 Void . 22
6 Void . 22
7 Void . 22
7.1 Void . 22
7.2 Void . 22
8 Void . 22
9 Security Architectures for IPTV . 22
9.1 Content Protection . 22
9.1.2 Reference Points . 23
9.1.2.1 LIF – UE (s-cp-1) . 23
9.1.2.2 KMF – LIF (s-cp-2) . 23
9.1.2.3 KMF – CEF (s-cp-3) . 23
9.1.2.4 CEF – MDF (s-cp-4) . 24
9.2 Service Protection. 24
9.3 Optional solutions. 24
9.3.1 Any Content Protection . 24
9.3.1.1 Reference Points . 25
9.3.1.2 Procedures . 25
9.3.1.2.1 Content Preparation . 25
9.3.1.2.2 Content Delivery . 25
9.3.1.2.3 Right and Key Delivery . 25
9.3.2 OMA BCAST . 25
9.3.2.1 OMA BCAST Functional Architecture . 26
9.3.2.2 Mapping between TISPAN IPTV Architecture and OMA BCAST Service Protection Functional Architecture . 27
9.3.2.3 Mapping between TISPAN IPTV Service Protection based on 4-layer Key Hierarchy and OMA BCAST Service Protection Functional Architecture . 29
9.3.2.4 OMA BCAST Smart Card Profile adaptation to MPEG-2 TS . 30
9.3.2.4.1 STKM Transport in MPEG-2 TS . 30
9.3.2.4.2 STKM and MPEG-2 TS encryption . 32
10 Void . 33
11 Void . 33
12 Void . 33
12.1 Void . 33
12.2 Void . 33
13 Security Architecture for Corporate Networks . 33
13.1 Subscription Based Business Trunking . 33
13.2 Peering Based Business Trunking . 33
14 Security Architecture for Host Enterprise . 33
Annex A (informative): NGN-relevant security interfaces . 34
A.1 Network attachment security interfaces . 34
A.1.1 Reference Point e1 (CNG - AMF) . 35
A.1.2 Reference Point e2 (CLF - AF) . 35
A.1.3 Reference Point a3 (AMF - UAAF) . 35
A.1.4 Reference Point e5 (UAAF - UAAF) . 35
A.2 Service layer security interfaces . 36
A.2.1 NGN IP Multimedia Subsystem (IMS) . 36
A.2.1.1 Reference Point Gm (UE - P-CSCF) . 36
A.2.1.2 Reference Point Cx (CSCF - UPSF) . 37
A.2.1.3 Reference Point Gq' (P-CSCF - RACS) . 37
A.2.1.4 Reference Point Iw (IWF - non-compatible SIP) . 37
A.2.1.5 Reference Point Ic (IBCF - IMS) . 37
A.2.1.6 Void . 37
A.2.1.7 Reference Point Ut (UE - AS) . 37
A.3 Interconnection security interfaces . 38
A.3.1 Interconnecting security at the transport layer . 39
A.3.2 Interconnecting security at the service layer . 39
Annex B (informative): Mapping of NGN Security Requirements to Security Services . 40
Annex C: Void . 46
Annex D: Void . 47
Annex E (informative): Open Issues in NGN Security . 48
Annex F: Void . 49
Annex G (informative): Bibliography . 50
Annex H (informative): Change history . 52
History . 53

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
1 Scope
The present document defines the security architecture of NGN.
The present document addresses the security architecture required to fulfil the NGN security requirements defined in
TS 187 001 [1] and includes the definition of security architectures to provide protection for each of the NGN
functional architecture (ES 282 001 [2]) and its subsystems (NASS ES 282 004 [5], PES ES 282 002 [3],
ES 282 007 [15], SIP and SDP call control ES 283 003 [14] and RACS ES 282 003 [4]). Where appropriate the present
document endorses security mechanisms defined in other specifications.
The present document addresses the security issues of the NGN core network and the NGN access network(s) and the
Customer Premises network (CPN).
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] ETSI TS 187 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[2] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture".
[3] ETSI ES 282 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Sub-system (PES); Functional
architecture".
[4] ETSI ES 282 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control Sub-System (RACS):
Functional Architecture".
[5] ETSI ES 282 004: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment
Sub-System (NASS)".
[6] ETSI TS 183 033: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia; Diameter based protocol for the interfaces
between the Call Session Control Function and the User Profile Server Function/Subscription
Locator Function; Signalling flows and protocol details [3GPP TS 29.228 V6.8.0 and 3GPP
TS 29.229 V6.6.0, modified]".
[7] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G security; Access security for IP-based services
(3GPP TS 33.203)".
[8] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G security; Network Domain Security (NDS); IP
network layer security (3GPP TS 33.210)".
[9] ETSI TS 133 222: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Access
to network application functions using Hypertext Transfer Protocol over Transport Layer Security
(HTTPS) (3GPP TS 33.222)".
[10] ETSI TS 133 220: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Generic
Bootstrapping Architecture (GBA) (3GPP TS 33.220)".
[11] ETSI ES 283 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Subsystem (PES); NGN Release 1
H.248 Profile for controlling Access and Residential Gateways".
[12] ETSI TS 183 019: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment; User-Network Interface Protocol
Definitions".
[13] ETSI ES 283 035: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment Sub-System (NASS); e2 interface based
on the DIAMETER protocol".
[14] ETSI ES 283 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Call Control Protocol based on Session Initiation
Protocol (SIP) and Session Description Protocol (SDP) Stage 3".
[15] ETSI ES 282 007: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Functional architecture".
[16] ETSI TS 182 006: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Stage 2 description
(3GPP TS 23.228 v7.2.0, modified)".
[17] ISO/IEC 11770-1 (2010): "Information technology - Security techniques - Key management -
Part 1: Framework".
[18] ITU-T Recommendation X.811: "Information Technology - Open Systems Interconnection -
Security frameworks for open systems: Authentication framework".
[19] ITU-T Recommendation X.812: "Information Technology - Open Systems Interconnection -
Security frameworks for open systems: Access control framework".
[20] ITU-T Recommendation X.814: "Information Technology - Open Systems Interconnection -
Security frameworks for open systems: Confidentiality framework".
[21] ITU-T Recommendation X.815: "Information Technology - Open Systems Interconnection -
Security frameworks for open systems: Integrity framework".
[22] ETSI TS 183 017: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: DIAMETER protocol for
session based policy set-up information exchange between the Application Function (AF) and the
Service Policy Decision Function (SPDF); Protocol specification".
[23] IETF RFC 2617: "HTTP Authentication: Basic and Digest Access Authentication".
[24] IEEE 802.1x: "Standard for Local and Metropolitan Area Networks - Port-Based Network Access
Control".
[25] ETSI TS 181 005: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Service and Capability Requirements".
[26] ETSI TS 187 003 Release 1: "Telecommunications and Internet converged Services and Protocols
for Advanced Networking (TISPAN); NGN Security; Security Architecture".
[27] ETSI TS 185 003: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Customer Network Gateway (CNG) Architecture and
Reference Points".
[28] ISO/IEC 13818-1 (2007): "Information technology -- Generic coding of moving pictures and
associated audio information: Systems".
[29] Open Mobile Alliance OMA-AD-BCAST-v1-0: "Mobile Broadcast Services Architecture".
[30] Open Mobile Alliance OMA-TS-BCAST-SvcCntProtection-v1-0: "Service and Content Protection
for Mobile Broadcast Services".
[31] ETSI TS 182 027: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IPTV Architecture; IPTV functions supported by the IMS
subsystem".
[32] ETSI TS 102 165-2: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Methods and protocols; Part 2: Protocol Framework Definition;
Security Counter Measures".
[33] OMA DRM v2.0: "OMA Digital Rights Management V2.0".
NOTE: Available at: http://www.openmobilealliance.org/Technical/release_program/drm_v2_0.aspx.
[34] DVB: "DVB-SI | CA-System-ID".
NOTE: Available at: http://www.dvbservices.com/identifiers/ca_system_id.
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 133 919: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G Security; Generic Authentication Architecture
(GAA); System description (3GPP TR 33.919)".
[i.2] ETSI TS 133 221: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Support
for subscriber certificates (3GPP TS 33.221)".
[i.3] ETSI TS 102 165-1: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for
Threat, Risk, Vulnerability Analysis".
[i.4] ETSI TS 103 197: "Digital Video Broadcasting (DVB); Head-end implementation of DVB
SimulCrypt".
[i.5] ETSI TS 182 028: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN integrated IPTV subsystem Architecture".
[i.6] ETSI TS 183 063: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IMS-based IPTV stage 3 specification".
[i.7] ETSI TS 183 064: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN integrated IPTV subsystem stage 3 specification".
[i.8] DVB bluebook A125: "Digital Video Broadcasting (DVB); Support for use of DVB Scrambling
Algorithm version 3 within digital broadcast systems, DVB Document A125", July 2008.
[i.9] ETSI EG 202 238: "Telecommunications and Internet Protocol Harmonization Over Networks
(TIPHON); Evaluation criteria for cryptographic algorithms".
[i.10] ETSI TR 187 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); TISPAN NGN Security (NGN-SEC); Threat, Vulnerability and
Risk Analysis".
[i.11] ETSI ETR 289: "Digital Video Broadcasting (DVB); Support for use of scrambling and
Conditional Access (CA) within digital broadcasting systems"; October 1996.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document the terms and definitions in ITU-T Recommendations X.811 [18], X.812 [19],
X.814 [20], X.815 [21], ISO/IEC 11770-1 [17] and the following apply:
content protection: protection of content or content assets during its entire lifetime
NOTE: It ensures that a user can only use the content in accordance with the license that they have been granted,
e.g. play/view/hear multiple times or hours, etc.
data: any information conveyed in communication packets as well as any other information such as topology
information
license: data package which represents the granted Rights to a specific user and the key related to the protected content
NGN Network Termination (NGN NT): reference point which denotes a logical demarcation point between the
residential customer domain and the NGN core via access networks
NOTE: It covers the corresponding interfaces.
Policy Enforcement Function (PEF): security function that enforces policy rules
NOTE: The PEF encompasses functions for filtering and topology hiding such as typically found in firewalls
and/or session border controllers.
rights: pre-defined set of usage entitlement to the content
NOTE: The entitlement may include the permissions (e.g. to view/hear, copy, modify, record, distribute, etc.),
constraints (e.g. play/view/hear multiple times or hours), etc.
security domain: set of elements made of security policy, security authority and set of security relevant activities in
which the set of elements are subject to the security policy for the specified activities, and the security policy is
administered by the security authority for the security domain
NOTE: The activities of a security domain involve one or more elements from that security domain and, possibly,
elements of other security domains
service protection: protection of content (data or media stream) during the delivery time or the time of transmission
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
3G 3rd Generation
3GPP 3rd Generation Partnership Project
AAA Authentication, Authorization, Accounting
ACK ACKnowledge
ACR Anonymous Communications Rejection
AF Application Functions
AGCF Access Gateway Control Function
AGW Access GateWay
AKA Authentication and Key Agreement
AMF Access Management Function
AN Access Network
AP Access Point
AP Authentication Proxy
A-RACF Access-Resource Admission Control Function
ARF Access Relay Function
AS Application Server
ASP Application Service Provider
AUTH AUTHentication service
AUTHOR AUTHORization service
AUTN AUthentication TokeN
BDS Broadcast Distribution Service
BGCF Breakout Gateway Control Function
BSD/A BCAST Service Distribution/Application
BSF Bootstrapping Server Functionality
BSM BCAST Subscription Management
CA Certification Authority
CA-PID Conditional Access-Packet Identifier
CAS Conditional Access System
C-BGF Core Border Gateway Function
CEF Content Encryption Function
CLF Connectivity session and repository Location Function
CND Customer Network Device
CNG Customer Network Gateway
CONF CONFidentiality service
CPE Customer Premises Equipment
CPN Customer Premises Network
CSCF Call Session Control Function
DoS Denial-of-Service
DRM Digital Rights Management
ECM Entitlement Control Message
EMM Entitle Management Message
FA File Application Component
FD File Delivery Component
FE Functional Entity
FFS For Further Study
GAA Generic Authentication Architecture
GBA Generic Bootstrapping Architecture
GRE Generic Routing Encapsulation
HLR Home Location Register
HSS Home Subscriber Server
HTTP HyperText Transport Protocol
IBCF Interconnection Border Control Function
I-BGF Interconnection Border Gateway Function
I-CSCF Interrogating Call Session Control Function
ID IDentity
IETF Internet Engineering Task Force
IF InterFace
IKE Internet Key Exchange
IMPI IMS Private User ID
IMPU IMS Public User ID
IMS IP Multimedia Subsystem
INT INTegrity service
INTF INTegrity Function
IP Internet Protocol
IPsec Internet Protocol security
IPTV Internet Protocol TeleVision
IRG IMS Residential Gateway
ISIM IMS Subscriber Identity Module
ISUP ISDN User Part
IUA ISDN Q.921-User Adaptation
KM Key Management service
KMF Key Management Function
LIF Licensing Issuing Function
LTKM Long Term Key Message
MBMS Multimedia Broadcast Multicast Service
MDF Media Delivery Function
ME Mobile Equipment
MGC Media Gateway Controller
MGCF Media Gateway Control Function
MRFC Multimedia Resource Function Controller
MRFP Multimedia Resource Function Processor
NACF Network Access Configuration Function
NAF Network Application Function
NASS Network Access SubSystem
NAT Network Address Translation
NDS Network Domain Security
NGCN Next Generation Corporate Network
NGN NT NGN Network Termination
NGN Next Generation Network
OIR Originating Identity Presentation
P-CSCF Proxy Call Session Control Function
PDBF Profile DataBase Function
PEF Policy Enforcement Function
PEK Programme Encryption Key
PES PSTN/ISDN Emulation
PID Packet Identifier
PMT Programme Map table
RACS Resource Admission Control Subsystem
RGW Residential GateWay
SAA Service Access Authentication
SCF Service Control Function
SCP SmartCard Profile
S-CSCF Serving Call Session Control Function
SDP Session Description Protocol
SEG Security Gateway
SEGF SEcurity Gateway Function
SEK Service Encryption Key
SG Service Guide
SGF Signalling Gateway Function
SIP Session Initiation Protocol
SKMF Service Key Management function
SLF Subscription Locator Function
SMF Service Membership Function
SP Service Protection
SPDF Service Policy Decision Function
SP-E Service Protection Encryption Component
SPF Service Protection function
SP-KD Service Protection Key Distribution Component
SP-M Service Protection Management Component
SSC Support for Subscriber Certificates
SSF Service Selection Function
STKM Short Term Key Message
TE Terminal Equipment
THIG Topology Hiding Interconnection Gateway
TISPAN Telecommunication and Internet converged Services and Protocols for Advanced Networking
TLS Transport Layer Security
TS Technical Specification
UA User Agent
UAAF User Access Authorization Function
UE User Equipment
UICC Universal Integrated Circuit Card
UMTS Universal Mobile Telecommunication System
UPSF User Profile Server Function
USIM UMTS Subscriber Identity Module
WLAN Wireless Local Area Network
XCAP XML Configuration Access Protocol
XML eXtensible Markup Language
4 NGN Security
4.0 Overview
This clause provides an overview of the NGN security document.
The NGN security architecture is designed to support the requirements for NGN Security defined in TS 187 001 [1] that
have been derived from the results of application of the ETSI Threat, Vulnerability and Risk Analysis (TVRA) method
defined in TS 102 165-1 [i.3] and captured in TR 187 002 [i.10].

Figure 1: The main documents of the TISPAN Security suite
4.0a Security services identified in TS 187 001 and TR 187 002
TR 187 002 [i.10] has identified those threats and threat agents that when enacted against the NGN lead to a level of
risk that has to be mitigated. TR 187 002 [i.10] identifies the security services required to provide mitigation that are
then documented as requirements to be met by the NGN in TS 187 001 [1]. Table 1 summarises the services identified
in each of TR 187 002 [i.10] and TS 187 001 [1]. The services are implemented using the framework defined in
TS 102 165-2 [32].
Table 1: Summary of security services identified in TR 187 002 [i.10] and TS 187 001 [1]
Threat Identifier | Security Threat (Subsystem/Feature: short description) | Primary NGN Security Requirement [1] | Security service identified
T-8 | PES: Attack potential for denial-of-service on publicly addressable interfaces | R-AD-1, R-AD-3 | Availability
T-16 | NASS-IMS bundled: IP Spoofing | R-AA-24, R-AA-13, R-NF-2 | Authentication
T-11 | NASS-IMS bundled: Interception at the customer interface, air interface present | R-CD-18 | Confidentiality
T-14 | NASS-IMS bundled: Attack potential for manipulation at the customer interface, air interface present | R-CD-13 | Integrity
T-18 | NASS-IMS bundled: Attack potential for manipulation at the customer interface (denial-of-service) | R-AD-1 | Availability
T-19 | NASS-IMS bundled: "line-id poisoning" attack | R-AA-24, R-AA-13, R-NF-2 | Authentication
T-5 | PES: Attack potential for manipulation between networks (without SEG) | R-CD-2 | Integrity
T-1 | PES: Attack potential for interception at the customer interface | R-CD-15, R-CD-16 | Confidentiality
T-3 | PES: Attack potential for manipulation at the customer interface | R-CD-13 | Integrity
T-10 | NASS-IMS bundled: Attack potential for interception at the customer interface, no air interface | R-CD-20 | Confidentiality
T-13 | NASS-IMS bundled: Attack potential for manipulation at the customer interface, no air interface present | R-CD-15 | Integrity
T-9 | PES: Attack potential for denial-of-service on non-publicly addressable interfaces | R-AD-3 | Availability
T-4 | PES: Attack potential for manipulation in the fixed network | R-CD-16 | Integrity
T-7 | PES: Attack potential for manipulation between networks (with SEG) | R-CD-16 | Integrity
T-12 | NASS-IMS bundled: Attack potential for interception at the customer interface (e1 IF) | R-CD-8 | Confidentiality
T-2 | PES: Attack potential for interception at the customer interface | R-CD-19 | Confidentiality
T-15 | NASS-IMS bundled: Attack potential for manipulation at the customer interface (e1 IF) | R-CD-15 | Integrity
T-17 | NASS-IMS bundled: Invalidation of IP address not signalled | R-CD-13, R-CD-8 | Authentication
The NGN shall support security associations for each of Authentication, Authorisation (in support of availability),
Integrity and Confidentiality.
4.1 NGN security architecture
The NGN security architecture extends the abstract security architecture defined in clause 4 of TS 102 165-2 [32] (see
Figure 2) and provides the mappings shown in Table 2. In addition the security architecture overlays the core NGN
architecture defined in ES 282 001 [2].
(Figure: User Equipment and network sides, each with Application, Service and Transport layers; reference points ApoA, A2ApoA, A2SpoA, S2SpoA, SpoA, S2TpoA, TpoA and T2TpoA between them)
NOTE: - For NGN an example of the service is Voice over IMS;
- For NGN the transport layer is represented by NASS; and
- For NGN an example of the application layer is IPTV.

Figure 2: Abstract architecture for security countermeasure application
(Figure: UE reference points Ut towards the Service Layer, e3 and e1 towards NASS in the Transport Layer, Dj towards Transport Processing, and A-MGF with Analog/ISDN access; subsystem-specific reference points)
NOTE 1: As considered in TR 187 002 [i.10] the e1 reference point does not terminate in NASS.
NOTE 2: As considered in TR 187 002 [i.10] the e3 reference point is a management reference point only and only
exists when the UE is a CNG, and has no bearing on the communications architecture.
NOTE 3: As considered in TR 187 002 [i.10] Ut is an application layer reference point.
NOTE 4: The Gm reference point between the UE and the IMS service platform is not shown.
NOTE 5: The Dj reference point is a media point and is used to carry RTP and RTCP data only.

Figure 3: UE reference points from ES 282 001 [2]
Table 2: Mapping from TS 102 165-2 [32] abstract reference points to NGN architecture
Abstract reference point (from TS 102 165-2 [32]) | NGN reference point | Security service building block defined | Authentication principal | Location of security association definition | SEGF applies at Za (TS 133 210 [8]) (see note 3)
TpoA | e1 | Authentication, Confidentiality, Integrity, Key management | Network Access Identifier (NAI) | IEEE 802.1x [24] as defined in TS 183 019 [12] (note 1) | No
 | Dj | n/a | | |
 | Z | n/a | | |
 | ST | n/a | | |
SpoA | Gm | Authentication, Confidentiality, Integrity, Key management | IMSI, IMPU | TS 133 203 [7] (note 2) | No
ApoA | Ut | | | | No
T2TpoA | e5 | Authentication, Confidentiality, Integrity, Key management | | | Yes
 | Iz | n/a | | |
S2SpoA | | | | | Yes
A2ASpoA | | | | | Yes
A2SpoA | | | | | Yes
S2TpoA | e2 | Authentication, Confidentiality, Integrity, Key management | | ES 283 035 [13] | Yes
 | Gq' | Authentication, Confidentiality, Integrity, Key management | | TS 183 017 [22] | Yes
NOTE 1: IEEE 802.1x [24] is defined for use to secure Ethernet access and makes the assumption that the NASS
architecture (see ES 282 004 [5]) is modified to combine the ARF/AMF to the authenticator function and the
UAAF/SPDF acting as the authentication server.
NOTE 2: TS 133 203 [7] provides support for a number of authentication schemes including SIP/HTTP-digest and the
NASS bundled options (i.e. authentication at NASS is accepted by IMS without invoking any IMS specific
authentication functions).
NOTE 3: A SEGF is used where the domains are discrete and is mandatory for all exposed inter-domain interfaces
providing integrity and confidentiality of signalling content with source address authentication. Connections
between the different NGN components within the same NGN network are the "Zb" interfaces. These
interfaces are mandatory for implementation and optional for use, depending on operator risk assessment.

The following reference points are wholly within the transport domain and are not exposed:
• a1, a2, a3, a4 and thus are assumed to be in the security domain of the transport domain
The following reference points are wholly within the service domain and are not exposed:
The NGN architecture is described by the following elements:
• NGN security domains
• NGN Security services (see the mappings given in Table 1 and Table 2)
• NGN Security protocols supporting the security services
In addition the security architecture endorses Security Gateways (SEGs) defined by TS 133 210 [8] and renames them
for the NGN application as Security Gateway Function (SEGF) to secure signalling and control communication among
network entities/FEs.
In addition to security domains the NGN security architecture also defines logical security planes across multiple
domains supporting the abstract model of Figure 2 mapped to specific NGN functionality:
• Transport instantiated in the NASS security plane.
• Service instantiated in the IMS security plane.
• Application instantiated in the GAA/GBA key management plane.

NOTE 1: The terminology of V-UAAF and H-UAAF is not consistent with that used in the NASS stage 2 document
ES 282 004 [5] where the terms UAAF Proxy and UAAF Server are used.
NOTE 2: The interface Zh between BSF and UPSF is defined in 3GPP but not endorsed in TISPAN NGN.
NOTE 3: No functional decomposition of UPSF, PDPF and HSS has been carried out therefore any sharing of
functionality between these elements is not considered in the present document.
NOTE 4: In the IMS the HSS and UPSF functions overlap.

Figure 4: Usage of security FEs in the NGN security architecture
For NASS an authentication security association shall be established between the UE and the PDPF/H-UAAF. The
NASS principal shall be the NAI with the role of authenticator being taken by the PDPF/H-UAAF.
NOTE 1: It is assumed that the PDPF holds the credentials for authentication of the NASS with the H-UAAF
carrying out the authentication process.
The NASS security plane encompasses the security operations during network attachment for gaining access to the
NGN access network. The visited UAAF (V-UAAF) in a visited access network relays authentication messages to/from
the home NGN network (equivalent in operation to the VSS or VLR in PLMN); the V-UAAF (if present) may be a
proxy, while the home UAAF (H-UAAF) shall process the authentication messages and decide authorization (equivalent
in operation to the HSS or HLR in PLMN). The H-UAAF takes into account user profile information that is stored in
the PDBF (equivalent to the Authentication Centre in PLMN). The PDBF shall hold the profiles of the NASS user.
NOTE 2: In the NGN, an IMS subscriber may register over an IP access session established by a NASS subscriber,
which may not be the same as the IMS subscriber. In such cases there is no relation between the
pro
...
