ETSI TS 187 021 V3.2.1 (2014-04)
Security services and mechanisms for customer premises networks connected to NGN
Security services and mechanisms for customer premises networks connected to NGN
RTS/NTECH-00009-SEC-CPN
General Information
Standards Content (Sample)
ETSI TS 187 021 V3.2.1 (2014-04)
Technical Specification
Security services and mechanisms for customer premises
networks connected to NGN
---------------------- Page: 1 ----------------------
2 ETSI TS 187 021 V3.2.1 (2014-04)
Reference
RTS/NTECH-00009-SEC-CPN
Keywords
gateway, IP, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2014.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
---------------------- Page: 2 ----------------------
3 ETSI TS 187 021 V3.2.1 (2014-04)
Contents
Intellectual Property Rights . 5
Foreword . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definitions and abbreviations . 7
3.1 Definitions . 7
3.2 Abbreviations . 7
4 General overview . 8
5 Firewalling . 9
5.1 Firewalling: basic description. 9
5.2 Firewalling: arc hitecture . 9
5.3 Firewalling: implementation details . 10
5.3.1 Stateful inspection . 10
5.3.2 Communication technologies. 10
5.3.3 Security policy . 11
5.3.4 ALG for standard protocols support . 11
5.3.5 Firewall management . 11
5.3.6 Logging . 12
6 SP and/or CP secure upgrade . 12
6.1 SP and/or CP secure upgrade: introduction and scope . 12
6.1.1 Introduction. 12
6.1.2 Scope . 13
6.2 SP and/or CP secure upgrade: architecture . 13
6.2.1 SP and/or CP upgrade stakeholders . 13
6.2.1a CND secure upgrade trust hierarchy . 15
6.2.1a.1 IPTV trust authority . 15
6.2.1a.2 Registration operator trust authority . 16
6.2.1a.3 ISP trust authority . 16
6.2.1a.4 IPTV service provider trust authority . 16
6.2.1a.5 SP/CP trust authority . 16
6.2.1a.6 CND trust authority . 16
6.2.1a.7 Chip manufacturer trust authority . 16
6.2.1a.8 IPTV service provider specific trusted platform software and applications . 17
6.2.1a.9 IPTV service provider common applications . 17
6.2.2 SP and/or CP upgrade architecture . 17
6.2.2.1 Overview . 17
6.2.2.2 Functional entities . 17
6.2.2.3 Affected interfaces and reference points . 18
6.2.3 SP and/or CP upgrade use cases . 19
6.2.3.1 General . 19
6.2.3.2 User changes service provider. 19
6.2.3.3 A stakeholder X requests to be firmware owner . 20
6.2.3.4 Firmware owner requests upgrade of firmware. 21
6.2.3.5 A stakeholder Y requests to be SP owner . 21
6.2.3.6 SP owner requests upgrade of SP software module . 22
6.2.3.7 A stakeholder Y requests to be CP owner . 22
6.2.3.8 CP owner requests upgrade of CP software module . 23
6.2.4 SP and/or CP upgrade security architecture . 23
6.2.4.1 Trusted environment architecture for SP/CP . 23
6.2.4.1.1 Hardware supported trusted environment preventing Hi-Jacking . 23
6.2.4.1.2 Hardware supported trusted environment, protecting the key flow . 27
ETSI
---------------------- Page: 3 ----------------------
4 ETSI TS 187 021 V3.2.1 (2014-04)
6.3 SPCP secure upgrade: implementation details . 27
6.3.1 Aspects of end to end security . 27
6.3.2 Secure upgrade using TR-069 CWMP. 28
6.3.2.1 A stakeholder Y requests to be SP owner . 28
6.3.2.1.1 ACS initiates a remote management connection with the IPTV CND . 28
6.3.2.1.2 perform mutual authentication between ACS and the IPTV CND . 28
6.3.2.1.3 Instruct IPTV CND to download the SP loader package . 28
6.3.2.1.4 Instruct IPTV CND to download the SP Software Module . 29
6.3.2.1.5 Install EU where EE is secure execution environment for SPCP . 29
7 Network Access Control (NAC) . 29
7.1 NAC: basic description . 29
8 Hosted-NAT solution for RTSP based services . 32
8.1 Hosted-NAT for RTSP: basic description . 32
8.2 Hosted-NAT for RTSP: architecture . 33
Annex A (informative): Example of a secure boot protocol . 35
A.1 Type 1 STB architecture. 35
A.1.1 Primary boot loader . 35
A.1.2 Secondary boot loader . 36
A.1.3 Secure boot process flow . 37
A.1.4 Error handing and recovery procedures . 37
A.1.4.1 General . 37
A.1.4.2 Recovery sources . 37
A.1.4.3 Recovery success verification & re-try . 38
A.1.4.4 Recovery firmware . 38
A.1.4.5 Automated re-imaging of 'recovery partition' . 38
A.1.4.6 Recovery user interface . 39
A.1.4.7 Recovery functionality . 39
A.1.4.8 UI recovery screen . 39
A.1.4.9 Start-up animation sequence . 39
A.1.4.10 Start-up scripts & driver initialization . 39
Annex B (informative): Examples of a secure run time protocols . 40
B.1 Type 1 STB architecture. 40
B.1.1 Secure CND run time protocol . 40
TM
B.1.2 Kernel signing patch . 40
Annex C (informative): Example of a secure package download protocol . 42
C.1 Type 1 STB architecture. 42
C.1.1 Secure package download overview. 42
C.1.2 Secure package download protocol . 43
Annex D (informative): Bibliography . 47
History . 48
ETSI
---------------------- Page: 4 ----------------------
5 ETSI TS 187 021 V3.2.1 (2014-04)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Network Technologies (NTECH).
ETSI
---------------------- Page: 5 ----------------------
6 ETSI TS 187 021 V3.2.1 (2014-04)
1 Scope
The present document specifies the functional models and information flows (stage 2) and protocols (stage 3) which
implement the security services and mechanisms required to provide security in a Customer Premises Network (CPN)
to support the overall security architecture for NGN release 3. CPN security services and mechanisms are used either
singly or in combination to realize the CPN security requirements specified in TS 187 001 [1] (NGN Security
requirements). Reference will be made to TR 185 012 [i.1] for security mechanisms that have been shown to be
appropriate for CPN environment.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] ETSI TS 187 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[2] ETSI TS 185 006: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Customer Devices architecture and Reference Points".
[3] ETSI TS 185 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Customer Network Gateway (CNG) Architecture and
Reference Points".
[4] ETSI TS 187 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Security; Security Architecture".
[5] Broadband Forum TR-069 Amendment 3: "CPE WAN Management Protocol", November 2010.
[6] Broadband Forum TR-157 Amendment 3: "Component Objects for CWMP", November 2010.
[7] IETF RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2".
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 185 012: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN) Feasibility study of security mechanisms for customer premises
networks connected to TISPAN NGN".
[i.2] IETF RFC 5209 (June 2008): "Network Endpoint Assessment (NEA): Overview and
Requirements".
[i.3] ETSI ES 282 003: "Telecommunications and Internet converged Services and Protocols for
advanced Networking (TISPAN); Resource and Admission Control Sub-System (RACS):
Functional Architecture".
ETSI
---------------------- Page: 6 ----------------------
7 ETSI TS 187 021 V3.2.1 (2014-04)
[i.4] ETSI TS 102 825 (all parts): "Digital Video Broadcasting (DVB); Content Protection and Copy
Management (DVB-CPCM)".
[i.5] ETSI TS 183 065: "Telecommunications and Internet converged Services and Protocols for
Advanced Networks(TISPAN); Customer Network Gateway Configuration Function; e3 Interface
based upon CWMP".
[i.6] Broadband Forum TR-069: "CPE WAN Management Protocol".
[i.7] IEEE 802.16: "IEEE Standard for Local and metropolitan area networks Part 16: Air Interface for
Broadband Wireless Access Systems".
[i.8] IEEE 802.1b: "IEEE Standard for Local and Metropolitan Area Networks - Local and
Metropolitan Area Network: LAN/MAN Management".
[i.9] Home Gateway Initiative: "Home Gateway Technical Requirements V.1.0".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in TS 187 003 [4] and Broadband Forum
TR-157 [6] apply.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ACS Auto-Configuration Server
AKA Authentication and Key Agreement
ALG Application Level Gateway
API Application programming Interface
B2BUA Back to back User Agent
BGF Border Gateway Function
BL1 Boot Loader image
CA Conditional Access
C-BGF Core- Border Gateway Function
CND Customer Network Device
CND-CMF CND-Configuration and Management Function
CND-CPF CND-Content Protection Function
CND-CSMF CND-Communication Service Media Function
CND-SPF CND-Service protection Function
CNG Customer Network Gateway
CP Content Protection
CPE Consumer Premise Equipment
CPN Customer Premises Network
CW Control Words
DLNA Digital Living Network Alliance
DMZ DeMilitarized Zone
DOS Denial Of Service
DRM Digital Right Management
DSL Digital Subscriber Line
DVB Digital Video Broadcasting
DVB-CPCM DVB Content Protection & Copy Management
FW FirmWare
HGI Home Gateway Initiative
HTTP Hyper Text Transfer Protocol
ICMP Internet Control Message Protocol
IMS IP Multimedia Subsystem
ETSI
---------------------- Page: 7 ----------------------
8 ETSI TS 187 021 V3.2.1 (2014-04)
IPSEC Internet Protocol SECurity
IPTV SP IPTV Service Provider
IPTV Internet Protocol TeleVision
IPv6 Internet Protocol version 6
ISP Internet Service Provider
MCF Media Control Function
MDF Media Delivery Function
MF Media Function
MFC Media Control Function
NAC Network Access Control
NAT Network Address Translation
NEA Network Endpoint Assessment
OMA Open Mobile Alliance
PAT Port Address Translation
PC Protection Client
PCL Protection Client Loader
PCO Protection Client Owner
P-CSCF Proxy-Call Session Control Function
PDA Personal digital assistant
PPP Point to Point Protocol
QoS Quality of Service
ROM Read Only Memory
RTP Real-time Transport Protocol
RTSP Real Time Streaming Protocol
SMS Short Message Service
SOC Security-on-Chip
SP Service Protection
SP/CP Service Protection and/or Content Protection
SSL Secure Socket Layer
STB Set Top Box
TCP Transmission Control Protocol
TLS Transport Layer Security
UC Unsolicited Communication
UDP Datagram Protocol
UE User Equipment
UICC Universal Integrated Circuit Card
UPnP Universal Plug and Play
URI Uniform Resource Identifier
URL Uniform Resource Locator
UTM Unified Threat Management
VOD Video On Demand
VPN Virtual Private Network
WFA Wi-Fi Alliance
Wi-Fi Wireless Fidelity
WPA2 Wi-Fi Protected Access 2
4 General overview
This clause introduces the subset of security mechanisms to be evaluated and specified in details within the present
document. The security mechanisms has been selected mainly (but not only) from the contents of the TR 185 012 [i.1].
ETSI
---------------------- Page: 8 ----------------------
9 ETSI TS 187 021 V3.2.1 (2014-04)
5 Firewalling
The main mechanism to perform Network Access Control is a firewall, i.e. a system designed to permit, deny or proxy
data traffic to or from the customer's network. A firewall is positioned to control all incoming and outgoing traffic;
hence the CNG is the perfect candidate to perform the firewall functions.
5.1 Firewalling: basic description
There are several approaches to implements firewall functionalities, such as:
• Packet Filtering: the simplest one inspects each incoming or outgoing IP packet permitting, dropping or
rejecting it on the basis of simple policies (usually defined as access control list) such as the IP address and the
protocol type.
• Stateful Firewall: in addition to a Packet Filter, keeps track on IP packets belonging to the same connection
thereby detecting whether a packet is part of an existing connection or a start of a new connection.
• Application Level Gateway: In addition to a stateful firewall can understand the behaviour of some
applications and can detect e.g. if an illegal protocol is used for a given application or dynamically open ports
for additional sessions belonging to a flow.
Firewalls can divide the network into subnets each one with a different level of security and different security policy as
for example a demilitarized zone.
The firewall could have several configuration alternatives:
• A basic/minimum configuration to ensure a minimum level of security.
• One or several default configurations provided and managed by the operator/service provider through a remote
management system.
• Additional alternative configurations that can depend on the user (e.g. there can be different configurations for
parents and children). These user specific configurations could be managed by the same entity managing the
user identity (e.g. the UICC).
5.2 Firewalling: architecture
In the CPN context, the CNG sits between the NGN and the internal network and this aspect makes the CNG as the
perfect candidate to host the firewall functions. Figure 1 shows a typical scenario where the CNG and the Firewall are
co-located on the same device. The external interface is the one that is connected to the NGN via e.g. xDSL,
IEEE 802.16 [i.7] wireless modem, FTTx, etc., and is often referred to as the unsecure (red) interface. The secure
(black) internal interfaces are connected to the CNDs and can be based on ethernet, IEEE 802.1b [i.8] and other wired
or wireless communication technologies. The firewall may also implement a DMZ.
ETSI
---------------------- Page: 9 ----------------------
10 ETSI TS 187 021 V3.2.1 (2014-04)
CPN
CND
CNG
Firewall
CND NGN
Internal External
(secure) (unsecure)
interfaces interface
CND
Outbound traffic Inbound traffic
Figure 1: Firewall in the CPN
The advantages of using a Firewall as shown in the picture (i.e. co-located on the CNG) is that the CNG appears to the
external network (i.e. NGN) as the only point of contact for the CPN, simplifying the protection of the CNDs against
threats that originate on the NGN.
5.3 Firewalling: implementation details
For the protection of the CPN, a firewall should support some basic features, such as security policy definition and
enforcing, firewall management, logging functions and so on. The following clause describes in details such features.
5.3.1 Stateful inspection
The stateful firewall function is mandatory for the protection of the CPN, such a firewall function may be implemented
in the CNG. While a packet filter decides whether or not to drop a packet based on few information contained in the
packet headers (e.g. addressing information), a stateful packet filter takes its decisions also on the state information that
the firewall keeps in memory about all active connections travelling across it.
For connection-oriented protocols, such as TCP, the state of the connection is equivalent to the protocols definition of a
connection (i.e. three-way handshake), whereas for a connection-less protocol, such as UDP, the state of the connection
is the set of packets that are sent between common endpoints (i.e. source IP address/port and destination IP
address/port) without interruption, i.e. the lack of any packets matching that flow for a given period of time. For the
CPN context such a period of time shall be one minute.
The stateful firewall shall also perform additional structural checks on network packets. These checks include
e.g. quickly dropping of malformed packet and enforcing the TCP three-way handshake to establish and teardown
network connections.
5.3.2 Communication technologies
The Firewall shall be enabled on the local CPN network including all kind of wired and wireless connectivity used on
the CPN, as well as remote access connections such as PPP over Ethernet and Virtual Private Network on the WAN
side of the CNG. Note however that the firewall cannot be enabled when the CNG acts as a network bridge.
IPv6 firewalling shall be implemented in case the CNG supports IPv6 traffic.
ETSI
---------------------- Page: 10 ----------------------
11 ETSI TS 187 021 V3.2.1 (2014-04)
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.