Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture

RTS/TISPAN-07041-NGN-R2

General Information

Status
Published
Publication Date
30-Mar-2011
Technical Committee
Current Stage
12 - Completion
Due Date
30-Mar-2011
Completion Date
31-Mar-2011
Ref Project
Standard
ts_187003v020302p - Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture
English language
60 pages

Standards Content (Sample)


Technical Specification
Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
NGN Security;
Security Architecture
2 ETSI TS 187 003 V2.3.2 (2011-03)

Reference
RTS/TISPAN-07041-NGN-R2
Keywords
architecture, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 5
Foreword . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 9
3 Definitions and abbreviations . 9
3.1 Definitions . 9
3.2 Abbreviations . 10
4 NGN Security . 12
4.1 NGN security architecture . 13
4.2 Security domains . 15
4.3 NASS and RACS security architecture . 16
4.3.1 NASS-IMS Bundled Security . 17
4.4 IMS security architecture . 17
4.4.1 NASS-IMS Bundled Security . 20
4.5 PES Security Architecture . 21
4.5.1 Security for H.248 within PES. 21
4.5.2 IMS-based PES Security . 22
4.6 Application security architecture . 22
4.6.1 Generic Authentication Architecture (GAA) . 22
4.6.1.1 Generic Bootstrapping Architecture (GBA) . 22
4.6.1.2 Support for Subscriber Certificates (SSC) . 23
4.6.1.3 Access to NAF using HTTPS. 23
5 Mapping of Security Requirements to Security Services and NGN FEs . 23
5.1 Security services in NGN security architecture . 23
5.2 Security Services in NGN FEs . 24
5.3 Security Services on NGN Interfaces . 28
5.4 Mapping of 3GPP security FEs to NGN FEs . 31
6 NGN IMS Residential Gateway . 32
7 Security for H248 . 33
7.1 R-MGF Context . 33
7.2 A-MGF Context . 33
8 Security Architectures for Media Security . 33
9 Security Architectures for IPTV . 33
10 Security Architecture for Customer Premises Networking . 33
11 Security Architecture for Fixed Mobile Convergence . 33
12 Interfaces out of scope . 33
12.1 Interconnect Iz interface (I-BGF) . 33
12.2 RI' and Gq' . 33
13 Security Architecture for Corporate Networks . 33
13.1 Subscription Based Business Trunking . 33
13.2 Peering Based Business Trunking . 34
14 Security Architecture for Host Enterprise . 34
Annex A (informative): NGN-relevant security interfaces . 35
A.1 Network attachment security interfaces . 35
A.1.1 Reference Point e1 (CNG - AMF) . 36
A.1.2 Reference Point e2 (CLF - AF) . 36
A.1.3 Reference Point a3 (AMF - UAAF) . 36
A.1.4 Reference Point e5 (UAAF - UAAF) . 36
A.2 Service layer security interfaces . 37
A.2.1 NGN IP Multimedia Subsystem (IMS) . 37
A.2.1.1 Reference Point Gm (UE - P-CSCF) . 37
A.2.1.2 Reference Point Cx (CSCF - UPSF) . 38
A.2.1.3 Reference Point Gq' (P-CSCF - RACS) . 38
A.2.1.4 Reference Point Iw (IWF - non-compatible SIP) . 38
A.2.1.5 Reference Point Ic (IBCF - IMS) . 38
A.2.1.6 Void . 38
A.2.1.7 Reference Point Ut (UE - AS) . 38
A.3 Interconnection security interfaces . 39
A.3.1 Interconnecting security at the transport layer . 40
A.3.2 Interconnecting security at the service layer . 40
Annex B (informative): Mapping of NGN Security Requirements to Security Services . 41
Annex C (informative): Implementation notes on the IMS Residential Gateway . 47
Annex D (informative): Supplementary Information on NASS-IMS Bundled Authentication . 48
D.1 Flow Diagram for NASS Bundled Authentication . 48
Annex E (informative): Open Issues in NGN Security . 50
Annex F (informative): IPTV content security elements and their interactions . 51
F.1 IPTV-Unicast authorized Content Delivery Option A . 52
F.2 IPTV-Unicast authorized Content Delivery Option B . 52
F.3 IPTV-Multicast Content Delivery . 53
F.4 Mapping Content Security to IPTV architecture . 54
F.5 Text contributed during release 2 . 55
Annex G (informative): Bibliography . 58
Annex H (informative): Change history . 59
History . 60

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
1 Scope
The present document defines the security architecture of NGN. The definition complies with the requirements of
ITU-T Recommendation I.130 [29] at stage 2.
The present document addresses the security architecture required to fulfil the NGN security requirements defined in
TS 187 001 [1] and includes the definition of security architectures to provide protection for each of the NGN
functional architecture (ES 282 001 [2]) and its subsystems (ES 282 004 [5], ES 282 001 [2], ES 282 007 [24],
ES 283 003 [23] and ES 282 003 [4]). Where appropriate the present document endorses security mechanisms defined
in other specifications.
The present document addresses the security issues of the NGN core network and the NGN access network(s) up to and
including the NGN Network Termination (NGN NT) in the residential customer domain. The NGN NT denotes a
logical demarcation point between the residential customer domain and the NGN core and access networks and covers
the corresponding interfaces.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] ETSI TS 187 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[2] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture".
[3] ETSI ES 282 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Sub-system (PES); Functional
architecture".
[4] ETSI ES 282 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control Sub-System (RACS):
Functional Architecture".
[5] ETSI ES 282 004: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment
Sub-System (NASS)".
[6] ETSI TS 183 033: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia; Diameter based protocol for the interfaces
between the Call Session Control Function and the User Profile Server Function/Subscription
Locator Function; Signalling flows and protocol details [3GPP TS 29.228 V6.8.0 and
3GPP TS 29.229 V6.6.0, modified]".
[7] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G security; Access security for IP-based services
(3GPP TS 33.203)".
[8] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G security; Network Domain Security (NDS); IP
network layer security (3GPP TS 33.210)".
[9] ETSI TS 133 141: "Universal Mobile Telecommunications System (UMTS); LTE; Presence
service; Security (3GPP TS 33.141)".
[10] ETSI TS 133 222: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Access
to network application functions using Hypertext Transfer Protocol over Transport Layer Security
(HTTPS) (3GPP TS 33.222)".
[11] ETSI TS 133 220: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Generic
Bootstrapping Architecture (GBA) (3GPP TS 33.220)".
[12] Void.
[13] Void.
[14] Void.
[15] Void.
[16] Void.
[17] ETSI TS 129 329: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Sh interface based on the Diameter protocol; Protocol
details (3GPP TS 29.329)".
[18] ETSI ES 283 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Release 1 H.248 Profile for controlling Access and
Residential Gateways".
[19] ETSI ES 283 018: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: H.248 Profile for controlling
Border Gateway Functions (BGF) in the Resource and Admission Control Subsystem (RACS);
Protocol specification".
[20] ETSI TS 183 019: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment; User-Network Interface Protocol
Definitions".
[21] ETSI ES 283 035: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment Sub-System (NASS); e2 interface based
on the DIAMETER protocol".
[22] ETSI ES 283 034: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Network Attachment Sub-System (NASS); e4 interface based
on the DIAMETER protocol".
[23] ETSI ES 283 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Call Control Protocol based on Session Initiation
Protocol (SIP) and Session Description Protocol (SDP) Stage 3".
[24] ETSI ES 282 007: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Functional architecture".
[25] ETSI TS 182 006: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Stage 2 description
(3GPP TS 23.228 v7.2.0, modified)".
[26] IETF RFC 3261: "SIP: Session Initiation Protocol".
[27] ISO/IEC 10181-1 (1996): "Information technology - Open Systems Interconnection - Security
frameworks for open systems: Overview".
[28] ISO/IEC 11770-1 (2010): "Information technology - Security techniques - Key management -
Part 1: Framework".
[29] ITU-T Recommendation I.130: "Method for the characterization of telecommunication services
supported by an ISDN and network capabilities of an ISDN".
[30] ITU-T Recommendation X.810 (1995): "Information technology - Open Systems Interconnection -
Security frameworks for open systems: Overview".
[31] ITU-T Recommendation X.811: "Information Technology - Open Systems Interconnection -
Security frameworks for open systems: Authentication framework".
[32] ITU-T Recommendation X.812: "Information Technology - Open Systems Interconnection -
Security frameworks for open systems: Access control framework".
[33] ITU-T Recommendation X.814: "Information Technology - Open Systems Interconnection -
Security frameworks for open systems: Confidentiality framework".
[34] ITU-T Recommendation X.815: "Information Technology - Open Systems Interconnection -
Security frameworks for open systems: Integrity framework".
[35] ETSI TS 183 017: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control: DIAMETER protocol for
session based policy set-up information exchange between the Application Function (AF) and the
Service Policy Decision Function (SPDF); Protocol specification".
[36] IETF RFC 2617: "HTTP Authentication: Basic and Digest Access Authentication".
[37] ETSI TS 183 043: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IMS-based PSTN/ISDN Emulation; Stage 3 specification".
[38] ETSI TS 182 012: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IMS-based PSTN/ISDN Emulation Sub-system (PES);
Functional architecture".
[39] ETSI TS 133 102: "Universal Mobile Telecommunications System (UMTS); LTE; 3G security;
Security architecture (3GPP TS 33.102)".
[40] ETSI ES 283 026: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control; Protocol for QoS reservation
information exchange between the Service Policy Decision Function (SPDF) and the Access-
Resource and Admission Control Function (A-RACF) in the Resource and Protocol specification".
[41] ETSI EG 202 238: "Telecommunications and Internet Protocol Harmonization Over Networks
(TIPHON); Evaluation criteria for cryptographic algorithms".
[42] IEEE 802.1x: "Standard for Local and Metropolitan Area Networks - Port-Based Network Access
Control".
[43] ETSI TS 181 005: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Service and Capability Requirements".
[44] ETSI TS 124 229: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; IP multimedia call control protocol based on Session
Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3".
[45] ETSI TS 123 002: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Network architecture".
[46] ETSI TS 133 234: "Universal Mobile Telecommunications System (UMTS); LTE; 3G security;
Wireless Local Area Network (WLAN) interworking security".
[47] ETSI TS 187 003 Release 1: "Telecommunications and Internet converged Services and Protocols
for Advanced Networking (TISPAN); NGN Security; Security Architecture NGN R1".
[48] ETSI TS 185 003: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); Customer Network Gateway (CNG) Architecture and
Reference Points".
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 133 919: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G Security; Generic Authentication Architecture
(GAA); System description (3GPP TR 33.919)".
[i.2] ETSI TS 133 221: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Generic Authentication Architecture (GAA); Support
for subscriber certificates (3GPP TS 33.221)".
[i.3] ETSI TS 182 027: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IPTV Architecture; IPTV functions supported by the IMS
subsystem".
[i.4] ETSI TR 183 032: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Feasibility study into mechanisms for the support of
encapsulated ISUP information in IMS".
[i.5] ETSI TR 182 005: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Organization of user data".
[i.6] ETSI TR 183 014: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation; Development and Verification of
PSTN/ISDN Emulation".
[i.7] ETSI TS 102 165-1: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for
Threat, Risk, Vulnerability Analysis".
[i.8] ETSI TR 180 000: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Terminology".
[i.9] ETSI TS 182 028: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN integrated IPTV subsystem Architecture".
[i.10] ETSI TR 187 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); TISPAN NGN Security (NGN-SEC); Threat, Vulnerability and
Risk Analysis".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
AUTHentication service (AUTH): See ITU-T Recommendation X.811 [31].
AUTHORization service (AUTHOR): See ITU-T Recommendation X.812 [32].
CONFidentiality service (CONF): See ITU-T Recommendation X.814 [33].
content protection: protection of content (files or streams) post-delivery
NOTE: It ensures that a user can only use the content in accordance with the license that they have been granted,
e.g. play/view/hear multiple times or hours, etc.
data: any information conveyed in communication packets as well as any other information such as topology
information
INTegrity service (INT): See ITU-T Recommendation X.815 [34].
Key Management service (KM): See ISO/IEC 11770-1 [28].
license: data package which represents the granted Rights to a specific user and the key related to the protected content
NGN Network Termination (NGN NT): reference point which denotes a logical demarcation point between the
residential customer domain and the NGN core via access networks
NOTE: It covers the corresponding interfaces.
Policy Enforcement Function (PEF): security function that enforces policy rules
NOTE: The PEF encompasses functions for filtering and topology hiding such as typically found in firewalls
and/or session border controllers.
rights: pre-defined set of usage entitlement to the content
NOTE: The entitlement may include the permissions (e.g. to view/hear, copy, modify, record, distribute, etc.),
constraints (e.g. play/view/hear multiple times or hours), etc.
security domain: set of elements made of security policy, security authority and set of security relevant activities in
which the set of elements are subject to the security policy for the specified activities, and the security policy is
administered by the security authority for the security domain
NOTE: The activities of a security domain involve one or more elements from that security domain and, possibly,
elements of other security domains.
service protection: protection of content (data or media stream) during the delivery time or the time of transmission
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
3G 3rd Generation
3GPP 3rd Generation Partnership Project
AAA Authentication, Authorization, Accounting
ACK ACKnowledge
ACR Anonymous Communications Rejection
AF Application Functions
AGCF Access Gateway Control Function
AGW Access GateWay
AKA Authentication and Key Agreement
AMF Access Management Function
AN Access Network
AP Access Point
AP Authentication Proxy
A-RACF Access-Resource Admission Control Function
ARF Access Relay Function
AS Application Server
ASP Application Service Provider
AuC Authentication Centre
AUTH AUTHentication service
AUTHOR AUTHORization service
BGCF Breakout Gateway Control Function
BSF Bootstrapping Server Functionality
CA Certification Authority
C-BGF Core Border Gateway Function
CEF Content Encryption Function
CLF Connectivity session and repository Location Function
CND Customer Network Device
CNG Customer Network Gateway
CoD Content on Demand
CONF CONFidentiality service
CPE Customer Premises Equipment
CPN Customer Premises Network
CSCF Call Session Control Function
DoS Denial-of-Service
DRM Digital Rights Management
ESP Encapsulating Security Payload
FE Functional Entity
FFS For Further Study
GAA Generic Authentication Architecture
GBA Generic Bootstrapping Architecture
GE Generic Entities
GRE Generic Routing Encapsulation
HLR Home Location Register
HSS Home Subscriber Server
HTTP HyperText Transfer Protocol
IBCF Interconnection Border Control Function
I-BGF Interconnection Border Gateway Function
I-CSCF Interrogating Call Session Control Function
ID IDentity
IETF Internet Engineering Task Force
IF InterFace
IKE Internet Key Exchange
IMPI IMS Private User ID
IMPU IMS Public User ID
IMS IP Multimedia Subsystem
INT INTegrity service
INTF INTegrity Function
IP Internet Protocol
IPsec Internet Protocol security
IPTV Internet Protocol TeleVision
IRG IMS Residential Gateway
ISIM IMS Subscriber Identity Module
ISUP ISDN User Part
IUA ISDN Q.921-User Adaptation
IWF InterWorking Function
KM Key Management service
KMF Key Management Function
LIF Licensing Issuing Function
MAA Multimedia Auth Answer
MDF Media Delivery Function
ME Mobile Equipment
MGC Media Gateway Controller
MGCF Media Gateway Control Function
MRFC Multimedia Resource Function Controller
MRFP Multimedia Resource Function Processor
n.a. not applicable
NACF Network Access Configuration Function
NAF Network Application Function
NASS Network Attachment Sub-System
NAT Network Address Translation
NBA NASS Bundled Authentication
NDS Network Domain Security
NE Network Element
NGN NT NGN Network Termination
NGN Next Generation Network
OIR Originating Identification Restriction
P-CSCF Proxy Call Session Control Function
PDBF Profile DataBase Function
PEF Policy Enforcement Function
PES PSTN/ISDN Emulation
PS Packet Switched
RACS Resource and Admission Control Sub-System
RGW Residential GateWay
SA Security Association
SCF Service Control Function
SCS OSA Service Capability Server
S-CSCF Serving Call Session Control Function
SDP Session Description Protocol
SEG Security Gateway
SEGF SEcurity Gateway Function
SGF Signalling Gateway Function
SIP Session Initiation Protocol
SLF Subscription Locator Function
SPD Security Policy Database
SPDF Service Policy Decision Function
SSC Support for Subscriber Certificates
SSF Service Selection Function
TE Terminal Equipment
THF Topology Hiding Function
THIG Topology Hiding Interconnection Gateway
TISPAN Telecommunication and Internet converged Services and Protocols for Advanced Networking
TLS Transport Layer Security
T-MGF Trunking Media Gateway Function
TS Technical Specification
UA User Agent
UAAF User Access Authorization Function
UE User Equipment
UICC Universal Integrated Circuit Card
UMTS Universal Mobile Telecommunication System
UPSF User Profile Server Function
USIM UMTS Subscriber Identity Module
VGW Voice over IP GateWay
WLAN Wireless Local Area Network
XCAP XML Configuration Access Protocol
XML eXtensible Markup Language
4 NGN Security
This clause provides an overview of the NGN security document. The entire document can be seen as a documented
output of a security process that loops through several stages; see figure 1, where arrows indicate logical steps and
dependencies.
The present document assumes the existence of a well-defined NGN architecture (see ES 282 001 [2]) that includes the
IMS architecture (TS 123 002 [45]), the Network Attachment Subsystem (NASS) architecture (see ES 282 004 [5]), the
Resource and Admission Control Subsystem (RACS) architecture (see ES 282 003 [4]), and the PSTN/ISDN Emulation (PES)
architecture (see ES 282 002 [3]). Likewise, the present document assumes the corresponding IMS security architecture
(see TS 133 102 [39]). In figure 1 the IMS architecture and the IMS security architecture are shown as dashed boxes; those
prerequisites are not specified further in the present document.
The description of the NGN security architecture, derived using the ETSI Threat, Vulnerability and Risk Analysis method
(see TS 102 165-1 [i.7] and TR 187 002 [i.10]), has been divided into a number of smaller blocks describing the security
interfaces, the security functions and security protocols, the security building blocks and the security components.

[Figure 1 is not reproduced here; its boxes, from the inputs at the top to the output at the bottom, read:]
NGN architecture (NASS, RACS, PES, IMS); IMS Security Architecture (dashed)
NGN Release 1 Security Requirements (TS 187 001); NGN Release 1 Threat & Risk Analysis (TR 187 002)
NGN Release 1 Security Architecture with security interfaces for NASS, RACS, PES, IMS (TS 187 003)
Security Domains; Security Services; Security Functions; Countermeasures
Security Building Blocks; Security Components / Security Building Blocks
NGN Release 2 Security Architecture with security interfaces (ffs)
Figure 1: Overview of NGN security documents
4.1 NGN security architecture
The NGN security architecture basically consists of the following major parts:
• NGN security domains (see clause 4.2).
• Security services (see clause 5):
- authentication;
- authorization;
- policy enforcement;
- key management;
- confidentiality; and
- integrity.
• Security protocols including those contained in:
- IMS Access Security (see TS 133 203 [7]);
- SIP HTTP Digest authentication (see RFC 3261 [26] and RFC 2617 [36]) (for NGN legacy UE);
- XCAP (see TS 183 033 [6]), presence security (see TS 133 141 [9]).
• Application specific key management.
• SEGFs to secure signalling and control communication among network entities/FEs. Security Gateways
(SEGs) for IMS network domain security - as defined by TS 133 210 [8] - are considered primarily functional
components. The present document endorses SEGs and calls them Security Gateway Function (SEGF).
• CNG to secure access of UEs.
• NGN-specific security mechanisms at various protocols/logical layers such as:
- NASS authentication based on explicit line authentication;
- NASS authentication based on implicit physical line authentication; and
- NASS-IMS bundled authentication.
• NGN subsystem specific security measures (e.g. for PES).
Figure 2 provides a high level overview of the security FEs within the NGN security architecture. Three logical security
planes with respective FEs are distinguished:
• NASS security plane;
• IMS security plane;
• GAA/GBA key management plane.
[Figure 2 is not reproduced here; the elements shown in it, grouped by plane, are:]
GAA/GBA key management plane (optional): ISIM in GBA-U mode; GBA bootstrapping; BSF (Diameter); NAF/AS; secure session over Ut
IMS security plane: ISIM in AKA mode; IMS AKA security association setup; P-CSCF; S-CSCF; UPSF
NASS security plane: NASS credentials; NASS authentication (e.g. IEEE 802.1x/PANA); AMF; V-UAAF; H-UAAF; PDBF
Figure 2: Usage of security FEs in the NGN security architecture
The NASS security plane encompasses the security operations during network attachment for gaining access to the
NGN access network. The visited UAAF (V-UAAF) in a visited access network relays authentication messages to/from
the home NGN network; the V-UAAF (if present) may act as a proxy, while the home UAAF (H-UAAF) shall process the
authentication messages and decide authorization. The H-UAAF takes into account user profile information that is stored
in the PDBF. The PDBF shall hold the profiles of the NASS users. In NGN, an IMS subscriber may register over an IP
access session established by a NASS subscriber, which need not be the same as the IMS subscriber. Hence, in such
cases, there is no relation at all between the profile/credentials used at the NASS level and at the IMS level. The PDBF
may nevertheless be co-located with the UPSF.
NOTE: The dashed lines between H-UAAF and PDBF and between the NAF/AS and the UPSF indicate
interfaces which are not defined and standardized in the present document. Specification of such
interfaces is left for further study. Nevertheless, such a UAAF-PDBF interface is generally required for
carrying out authentication at NASS level.
The IMS security plane encompasses the P-CSCF, S-CSCF, I-CSCF (not shown in figure 2) and the UPSF. P-CSCF,
S-CSCF and I-CSCF shall be involved in the IMS security procedures for authenticating UE and core network, deciding
authorization, as well as for supplying fresh key material as specified in TS 133 203 [7]. The UPSF shall hold the user
profiles used at the IMS level.
The GBA/GAA security plane (optional) encompasses the NAF and BSF FEs for application layer security.
This clause describes the NGN security architecture.
4.2 Security domains
A security domain (see ISO/IEC 10181-1 [27] and ITU-T Recommendation X.810 [30]) is a set of elements under a
given security policy administered by a single security authority for some specific security relevant activities. The
activities of a security domain involve one or more elements from that domain and possibly elements of other
domains; at least one of the elements involved must belong to that domain.
In general, a security domain is required to:
• protect the integrity, and optionally the confidentiality, of its functional elements and activities;
• ensure the availability of, and account for the use of, the elements and activities under its protection.
The following principal security domains are identified in the general case where the visited network provider hosts
some IMS services and the core IMS provider in the home network domain further provides IMS services:
• Customer's domain that includes UE (owned by customer or by operator).
• Access network security domain with FEs hosted by the access network provider.
• Visited NGN security domain with FEs hosted by a visited network provider where the visited network may
provide access to some application services (AF). The visited network provider may host some applications
and may own its own database of subscribers. Alternatively, or additionally, the visited network provider may
outsource some application services to the home network provider or even to a 3rd party application provider.
• Home NGN security domain with FEs hosted by the home network provider where the home network may
provide some application services (AF). The home network provider hosts some applications and owns a
database of subscribers.
• 3rd party application network security domain with FEs hosted by the ASP where the ASP provides some
application services (AF). The ASP may be a separate service provider different from the visited or the home
network provider. The ASP may need to deploy authorization information offered by the visited or home
network provider.
Figure 3 shows the partitioning of the NGN network into security domains.

Figure 3: NGN security domains
NOTE: Although Figure 3 shows the Next Generation Access and the Visited NGN as separate entities, they may,
in practice, be co-located.
4.3 NASS and RACS security architecture
Figure 4 shows a high-level view of the NASS and RACS subsystems as mapped to the five NGN security domains.

Figure 4: NASS and RACS NGN architecture with security domains
SEGFs security shall protect the interdomain interfaces between the NGN security domains.
Figure 4 shows the most general case. NASS and RACS functional entities are mapped to the networking domains such
as access transport network, visited NGN and home NGN. Those networking domains equally represent security
domains in the sense of TS 133 210 [8] assuming that each networking domain is being operated by a distinct operator.
SEcurity Gateway Functions (SEGFs) within each security domain shall protect the exposed interfaces in-between
security domains and ensure that a minimal security policy among security domains is enforced.
SEGFs may also optionally protect the (less exposed, internal) interfaces within a security domain; this is left to the
discretion of the network operator. The general security architecture case for NASS and RACS subsystems can be
collapsed iteratively into fewer (security) domains (not shown): e.g. home network and visited network within one
security domain, or access, visited, home network and ASP network all in one security domain. If the 3rd party ASP
network security domain and the home network security domain coincide, then the home network actually hosts the
application. The same holds true for the visited network security domain and the 3rd party ASP network security domain.
It is noted that not all interfaces might occur:
• In NASS scenario 1 (described in ES 282 004 [5], clause 6), the interface e2 with the branches
V-CLF-to-H-CLF, V does not occur.
• In NASS scenario 2 (described in ES 282 004 [5], clause 6), the interface e2 with the branch V-CLF-to-AF
does not occur.
• In NASS scenario 3 (described in ES 282 004 [5], clause 6), the interfaces e5 and e2 with the branches
V-UAAF-to-H-UAAF and V-CLF-to-H-CLF do not occur.
• In NASS scenario 4 (described in ES 282 004 [5], clause 6), the interfaces e5 and e2 with the branches
V-UAAF-to-H-UAAF and V-CLF-to-AF do not occur.
It is further noted that several SEGFs shown as separate functional entities may be co-located, such as, for example, the
SEGFs around the Ri' and Di interfaces.
It is noted that there might be further application-specific security protocols (not shown) on top of the Za interfaces.
Such security protocols (if any) remain for further study.
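The rules above (a security domain is the set of elements under one security authority, networking domains run by the same operator collapse into one security domain, exposed inter-domain interfaces must be protected by SEGFs while intra-domain interfaces may be, and some e2/e5 branches are absent in a given NASS scenario) can be checked mechanically for a planned deployment. The following is an added illustration written for this page, not ETSI code: the FE-to-networking-domain placement (V-CLF and V-UAAF in the visited NGN, H-CLF and H-UAAF in the home NGN, the AF with the ASP) is an assumed sample, and the branch list is limited to the e2 and e5 branches the clause names.

```python
"""Added example: decide which NASS reference-point branches cross a security
domain boundary and therefore require SEGF (Za) protection.  Constructed model
illustrating the clause text; not ETSI code."""

from typing import Dict, List, Set, Tuple

# Reference-point branches named in the clause: (interface, branch, FE A, FE B).
BRANCHES: List[Tuple[str, str, str, str]] = [
    ("e2", "V-CLF-to-H-CLF", "V-CLF", "H-CLF"),
    ("e2", "V-CLF-to-AF", "V-CLF", "AF"),
    ("e5", "V-UAAF-to-H-UAAF", "V-UAAF", "H-UAAF"),
]

# Branches the clause says do not occur in each NASS scenario (ES 282 004, clause 6).
ABSENT_IN_SCENARIO: Dict[int, Set[str]] = {
    1: {"V-CLF-to-H-CLF"},
    2: {"V-CLF-to-AF"},
    3: {"V-UAAF-to-H-UAAF", "V-CLF-to-H-CLF"},
    4: {"V-UAAF-to-H-UAAF", "V-CLF-to-AF"},
}

# Assumed placement of FEs in networking domains (constructed sample; the
# figures in the standard are authoritative).
FE_NETWORK_DOMAIN: Dict[str, str] = {
    "V-CLF": "visited",
    "V-UAAF": "visited",
    "H-CLF": "home",
    "H-UAAF": "home",
    "AF": "asp",
}


def security_domain(fe: str, operator_of: Dict[str, str]) -> str:
    """Security domain of an FE = the security authority (operator) of the
    networking domain hosting it.  Networking domains run by the same
    operator therefore collapse into one security domain."""
    return operator_of[FE_NETWORK_DOMAIN[fe]]


def classify(scenario: int, operator_of: Dict[str, str]) -> Dict[str, str]:
    """Label each branch 'absent' (not present in this NASS scenario),
    'segf-mandatory' (crosses security domains, Za protection required) or
    'segf-optional' (internal to one security domain, operator's choice)."""
    result: Dict[str, str] = {}
    absent = ABSENT_IN_SCENARIO[scenario]
    for interface, branch, fe_a, fe_b in BRANCHES:
        key = f"{interface}/{branch}"
        if branch in absent:
            result[key] = "absent"
        elif security_domain(fe_a, operator_of) != security_domain(fe_b, operator_of):
            result[key] = "segf-mandatory"
        else:
            result[key] = "segf-optional"
    return result


def segf_pairs(scenario: int, operator_of: Dict[str, str]) -> Set[frozenset]:
    """Pairs of security domains joined by at least one present inter-domain
    branch; each domain in a pair must deploy a SEGF facing the other."""
    pairs: Set[frozenset] = set()
    for interface, branch, fe_a, fe_b in BRANCHES:
        if branch in ABSENT_IN_SCENARIO[scenario]:
            continue
        dom_a = security_domain(fe_a, operator_of)
        dom_b = security_domain(fe_b, operator_of)
        if dom_a != dom_b:
            pairs.add(frozenset((dom_a, dom_b)))
    return pairs


if __name__ == "__main__":
    # General case: every networking domain run by a distinct operator.
    general = {"visited": "OpV", "home": "OpH", "asp": "OpA"}
    # Collapsed case from the clause: ASP domain coincides with the home domain.
    asp_is_home = {"visited": "OpV", "home": "OpH", "asp": "OpH"}
    for name, ops in (("general", general), ("asp-is-home", asp_is_home)):
        for scenario in ABSENT_IN_SCENARIO:
            print(name, "scenario", scenario, classify(scenario, ops),
                  "SEGF pairs:", [set(p) for p in segf_pairs(scenario, ops)])
```

Running the demo shows the collapse effect described in the clause: when the ASP domain and home domain coincide, the e2 V-CLF-to-AF branch is still inter-domain (visited to home) but no separate SEGF pair toward an ASP operator is needed, and when all networking domains fall under one operator every present branch becomes SEGF-optional.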
Figure 5: void

Figure 6: NGN security architecture with FEs
and security gateway
...
