Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); TISPAN NGN Security (NGN_SEC); Threat, Vulnerability and Risk Analysis

RTR/TISPAN-07023-NGN-R1

General Information

Status
Published
Publication Date
06-Mar-2008
Technical Committee
Current Stage
12 - Completion
Due Date
07-Feb-2008
Completion Date
07-Mar-2008
Ref Project
Standard
ETSI TR 187 002 V1.2.2 (2008-03) - Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); TISPAN NGN Security (NGN_SEC); Threat, Vulnerability and Risk Analysis
English language
35 pages

Standards Content (Sample)


Technical Report
Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
TISPAN NGN Security (NGN_SEC);
Threat, Vulnerability and Risk Analysis

2 ETSI TR 187 002 V1.2.2 (2008-03)

Reference
RTR/TISPAN-07023-NGN-R1
Keywords
analysis, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2008.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
Contents
Intellectual Property Rights ..... 5
Foreword ..... 5
1 Scope ..... 6
2 References ..... 6
2.1 Normative references ..... 6
2.2 Informative references ..... 7
3 Definitions and abbreviations ..... 8
3.1 Definitions ..... 8
3.2 Abbreviations ..... 9
4 NGN-relevant Security Interfaces and Scenarios ..... 10
4.1 Security-relevant NGN Scenarios ..... 10
4.1.1 Basic NGN scenario (ECN&S model) ..... 10
4.1.2 IMS scenarios ..... 11
4.1.2.1 3GPP IMS ..... 11
4.1.2.2 Generic or NGN IMS ..... 12
4.1.3 Nomadic user security scenario ..... 13
5 Threat and risk analysis ..... 14
5.1 PES Analysis ..... 14
5.1.1 PES objectives and security objectives ..... 14
5.1.2 Stage 2 model of PES (UML) ..... 15
5.1.2.1 Identification of assets ..... 16
5.1.2.2 Missing considerations in PES ..... 16
5.1.2.2.1 ECN technology ..... 16
5.1.2.2.2 Protocol stack ..... 16
5.1.2.2.3 Cardinality of relationships ..... 17
5.1.2.2.4 Deployment ..... 17
5.1.3 Points of attack in PES ..... 17
5.1.3.1 Interfaces ..... 17
5.1.3.2 Implicit relationships ..... 17
5.1.4 Risk analysis ..... 18
5.1.4.1 Overview ..... 18
5.1.4.2 Interception ..... 18
5.1.4.2.1 Interception at the customer to MGW interface ..... 18
5.1.4.2.2 Interception within the fixed network ..... 18
5.1.4.3 Manipulation ..... 18
5.1.4.3.1 Manipulation at the customer interface ..... 19
5.1.4.3.2 Manipulation in the fixed parts of the network ..... 19
5.1.4.3.3 Manipulation in links between networks ..... 20
5.1.4.4 Denial-of-Service ..... 20
5.1.5 PES unwanted incidents ..... 21
5.1.6 Existing PES security provisions ..... 21
5.1.7 Security capabilities in PES ..... 21
5.1.7.1 H.248 ETSI_ARGW ..... 21
5.1.7.1.1 Authentication ..... 21
5.1.7.1.2 Confidentiality of signalling ..... 21
5.1.7.1.3 Confidentiality of traffic ..... 21
5.1.7.1.4 Integrity of signalling ..... 22
5.1.7.1.5 Integrity of traffic ..... 22
5.1.8 Role of NGN subsystems in PES ..... 22
5.1.8.1 Transport plane ..... 22
5.1.8.1.1 NASS ..... 22
5.1.8.1.2 RACS ..... 22
5.1.8.1.3 Transport elements ..... 22
5.1.8.2 Service plane ..... 22
5.1.8.2.1 IMS ..... 22
5.1.8.2.2 PSS ..... 22
5.1.8.3 Recommendations ..... 22
5.2 Analysis of NASS ..... 22
5.2.1 NASS-IMS bundled authentication analysis ..... 23
5.2.1.1 NASS-IMS bundled Authentication objectives and security objectives ..... 23
5.2.1.2 Stage 2 model of NASS-IMS bundled authentication ..... 23
5.2.1.2.1 Identification of assets ..... 24
5.2.1.2.2 Missing considerations in NASS ..... 25
5.2.1.3 Points of attack on the NASS-IMS bundled authentication ..... 26
5.2.1.3.1 Interfaces ..... 26
5.2.1.4 Risk analysis ..... 26
5.2.1.4.1 Overview ..... 26
5.2.1.4.2 Interception ..... 26
5.2.1.4.3 Manipulation ..... 27
5.2.1.4.4 IP Address and Identity spoofing ..... 29
5.2.1.4.5 Invalidation of IP address not signalled ..... 30
5.2.1.4.6 Denial-of-Service ..... 30
5.2.1.4.7 "line-id poisoning" attack with malicious P-Access-Network-Info ..... 31
5.2.1.5 NASS-IMS bundled authentication related unwanted incidents ..... 32
5.3 Analysis of RACS ..... 32
5.4 Analysis of NGN-IMS ..... 32
5.5 Analysis of DNS and ENUM in NGN ..... 32
5.6 Analysis of SIP in NGN ..... 32
6 Conclusions ..... 33
History ..... 35

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
1 Scope
The present document presents the results of the Threat Vulnerability Risk Analysis (TVRA) for two scenarios of
release 1 of the NGN. Those two analysed scenarios are PSTN/ISDN Emulation and NASS-IMS bundled
authentication.
The present document follows the method and proforma for carrying out a TVRA [5] and incorporates material of the
NGN threat and risk analysis herein.
The present document identifies security-relevant interfaces in the NGN, identifies security-relevant scenarios for use in
the NGN, analyses NGN in terms of security threats and risks by performing a security threat and risk analysis, and
classifies the identified vulnerabilities and the associated risk presented to the NGN.
This threat and risk analysis makes a number of assumptions that are believed to hold for typical deployment scenarios
of NGN R1. Note however, that depending on actual instantiation of NGN, some of the made assumptions may not
fully hold; this may potentially impact the associated risks.
NOTE: Security threats and risks for issues in NGN release 2 or later may also be captured in the present document.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• Non-specific reference may be made only to a complete document or a part thereof and only in the following
cases:
- if it is accepted that it will be possible to use all future changes of the referenced document for the
purposes of the referring document;
- for informative references.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
For online referenced documents, information sufficient to identify and locate the source shall be provided. Preferably,
the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the
reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the
method of access to the referenced document and the full network address, with the same punctuation and use of upper
case and lower case letters.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are indispensable for the application of the present document. For dated
references, only the edition cited applies. For non-specific references, the latest edition of the referenced document
(including any amendments) applies.
Not applicable.
2.2 Informative references
[1] ETSI EG 202 387: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Security Design Guide; Method for application of Common
Criteria to ETSI deliverables".
[2] ETSI TS 181 005: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Service and Capability Requirements".
[3] IEEE 802.11i: "IEEE Standard for information technology-Telecommunications and information
exchange between systems-Local and metropolitan area networks- Specific requirements-Part 11:
Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications:
Amendment 6: Medium Access Control (MAC) Security Enhancements".
[4] ISO/IEC 13335: "Information technology - Guidelines for the management of IT security".
[5] ETSI TS 102 165: "Telecommunications and Internet Protocol Harmonization Over Networks
(TIPHON) Release 4; Protocol Framework Definition; Methods and Protocols for Security".
[6] ETSI ES 282 004: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture; Network Attachment Sub-
System (NASS)".
[7] ETSI TS 187 001: "Telecommunications and Internet Converged Services and Protocols for
Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[8] ETSI TS 187 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Security; Security Architecture".
[9] ETSI TR 180 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Release 1; Release definition".
[10] ETSI ES 282 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Sub-system (PES); Functional
architecture".
[11] ETSI ES 282 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Resource and Admission Control Sub-system (RACS);
Functional Architecture".
[12] ETSI ES 283 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); PSTN/ISDN Emulation Subsystem (PES); NGN Release 1
H.248 Profile for controlling Access and Residential Gateways".
[13] ETSI EN 383 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Interworking between Session Initiation Protocol (SIP) and
Bearer Independent Call Control (BICC) Protocol or ISDN User Part (ISUP) [ITU-T
Recommendation Q.1912.5, modified]".
[14] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Network Domain Security (NDS); IP network
layer security (3GPP TS 33.210 Release 7)".
[15] ETSI TS 133 102: "Universal Mobile Telecommunications System (UMTS); 3G security; Security
architecture (3GPP TS 33.102 Release 7)".
[16] AS/NZS 4360: "Risk Management".
[17] Directive 2002/21/EC of the European Parliament and of the council of 7 March 2002 on a
common regulatory framework for electronic communications networks and services (Framework
Directive).
[18] Directive 2002/22/EC of the European Parliament and of the council of 7 March 2002 on universal
service and users' rights relating to electronic communications networks and services (Universal
Service Directive).
[19] Directive 2002/58/EC of the European Parliament and of the council of 12 July 2002 concerning
the processing of personal data and the protection of privacy in the electronic communications
sector (Directive on privacy and electronic communications).
[20] IETF RFC 3550: "RTP: A Transport Protocol for Real-Time Applications".
[21] IETF RFC 2326: "Real Time Streaming Protocol (RTSP)".
[22] IETF RFC 2327: "SDP: Session Description Protocol".
[23] IETF RFC 3015: "Megaco Protocol Version 1.0".
[24] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Functional Architecture Release 1".
[25] IETF RFC 3261: "SIP: Session Initiation Protocol".
[26] ETSI ES 283 003: " Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); IP Multimedia Call Control Protocol based on Session Initiation
Protocol (SIP) and Session Description Protocol (SDP) Stage 3 [3GPP TS 24.229 (Release 7),
modified]".
[27] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Access security for IP-based services (3GPP
TS 33.203 Release 7)".
[28] ETSI TS 133 234: "Universal Mobile Telecommunications System (UMTS); 3G security;
Wireless Local Area Network (WLAN) interworking security (3GPP TS 33.234 Release 6)".
[29] ITU-T Recommendation H.248: "Gateway control protocol".
[30] 3GPP TR 33.803: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; Coexistence between TISPAN and 3GPP authentication schemes
(Release 7)".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in EG 202 387 [1] and the following apply:
attack: attempt to bypass security controls on a computer
T-nnn: numeric identifier for a threat
threat: potential cause of an unwanted incident which may result in harm to a system or organization
NOTE: See ISO/IEC 13335 [4].
unwanted incident: incident such as loss of confidentiality, integrity and/or availability
NOTE: See AS/NZS 4360 [16].
vulnerability: flaw or weakness in system security procedures, system design, implementation, internal controls, etc.,
that could be exploited to violate system security policy
NOTE: Vulnerability is often used synonymously with weakness.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
3G 3rd Generation
3GPP 3rd Generation Partnership Project
AGCF Access Gateway Control Function
AGW Access GateWay
A-MGF Access Media Gateway Function
ARGW Access Residential media GateWay
AS Application Server
CC Call Control
CD Compact Disc
CHAP Challenge Handshake Authentication Protocol
CLF Connectivity session and repository Location Function
CPE Customer Premises Equipment
CSCF Call Session Control Function
DNS Domain Name System
DoS Denial-of-Service
DTMF Dual Tone Multi Frequency
EAP Extensible Authentication Protocol
ECN Electronic Communication Network
ECN&S Electronic Communications Networks and Services
ECS Electronic Communication Service
ESP Encapsulating Security Payload
FFS For Further Study
GPRS GSM Packet Radio System
I-CSCF Interrogating Call Session Control Function
IETF Internet Engineering Task Force
IMS IP Multimedia Subsystem
IP Internet Protocol
IPsec Internet Protocol security
ISDN Integrated Services Digital Network
ISIM IMS subscriber Identity Module
ISO International Standards Organization
ISUP ISDN User Part
MGC Media Gateway Controller
MGW Media GateWay
MRFP Media Resource Function Processor
NASS Network Access SubSystem
NGN Next Generation Network
NT Network Termination
OSI Open Systems Interconnection
P-CSCF Proxy Call Session Control Function
PDBF Profile Data Base Function
PES PSTN/ISDN Emulation Subsystem
PS Packet-Switched
PSTN Public Switched Telephone Network
RACS Resource Admission Control Subsystem
RCEF Resource Control Enforcement Function
RGW Residential GateWay
R-MGF Residential Media Gateway Function
ROM Read-Only Memory
RTP Realtime Transport Protocol
RTSP Real-Time Streaming Protocol
S-CSCF Serving Call Session Control Function
SDP Session Description Protocol
SEG SEcurity Gateway
SGW Signalling GateWay
SIP Session Initiation Protocol
SpoA Service point of Attachment
TDM Time Division Multiplex
TISPAN Telecommunication and Internet converged Services and Protocols for Advanced Networking
TOE Target Of Evaluation
TpoA Transport point of Attachment
TVRA Threat Vulnerability Risk Assessment
UAAF User Access Authorization Function
UE User Equipment
UICC Universal Integrated Circuit Card
UML Unified Modelling Language
UPSF User Profile Server Function
VLAN Virtual Local Area Network
WiFi Wireless Fidelity
WLAN Wireless Local Area Network
4 NGN-relevant Security Interfaces and Scenarios
This clause identifies the NGN use cases and therefore the NGN security environment that the TVRA has been applied
to.
4.1 Security-relevant NGN Scenarios
Scenarios are presented following a complexity ordering, from a simple generic model to rather more complex
scenarios.
4.1.1 Basic NGN scenario (ECN&S model)
The Electronic Communication Network (ECN) and Electronic Communication Service (ECS) model as shown in
figure 1 is the model used in the Framework Directive [17] and simplifies the network into a set of provision types. An
ECN is a communication network and roughly speaking addresses the lowest 3 layers of the ISO/OSI protocol stack. An
ECS is a communication service and roughly speaking addresses the highest layers of the ISO/OSI stack. To communicate,
a user connects to both an ECS and an ECN.
The basic model shows that the CPE may consist of more than one equipment type and that the NT has two connection
points, one for services (SpoA) and one for Transport (or network) (TpoA).

Figure 1: Basic ECN&S model for the NGN
4.1.2 IMS scenarios
4.1.2.1 3GPP IMS
The 3GPP IMS model does not in general distinguish ECS and ECN but there is a broad assumption that IMS lies on
top of the PS subsystem which is an implementation of ECN using 3GPP specific access technology. The trusted
domain therefore encompasses each of the NT, ECN (the GPRS network) and ECS (the IMS network), see figure 2 for
a simplified IMS scenario.
Figure 2: Simplified view of 3GPP IMS domains mapped to ECNS
The authentication mechanism does not provide separate authentication of each service on the broad assumption that all
services are offered to the same identity and therefore there is no need to give authorization and authentication on a
per-service basis.
4.1.2.2 Generic or NGN IMS
Figure 3: view of IMS where IMS is trusted
In figure 4 the model is extended to show which domains shown in figure 3 contain different element types.

Figure 4: Open interfaces in the IMS model for NGN
Figure 5 further extends the model to show a roaming scenario.

Figure 5: Roaming scenario
4.1.3 Nomadic user security scenario
The actors in this scenario (see figure 9) are named Bob and Alice.
Alice has a multi-service terminal she usually uses at home. She normally uses a set of services offered by two service
providers (ECS1 and ECS3 in figure 9). She has taken her terminal to a friend's house (Bob) and expects to use her
services there as well. Alice connects her terminal to the network at Bob's house via some form of fixed or wireless
access (WiFi) and is using services from her own service provider. Bob has a different transport network provider from
Alice.

Figure 6: Nomadic user security scenario
Bob wants to be assured that allowing Alice to use his home network does not generate costs for him (Alice has to pay
the charges for her service use). Furthermore Bob requires some assurance that Alice, and the actions of Alice's service
provider, do not alter the risk of attack to the other terminals at Bob's home. Bob also requires some assurance that
Alice and Alice's service provider do not block the other terminals in Bob's home from using their services. Alice
requires some assurance that her communication is not impeded by Bob's terminals. Bob's terminals should not
be able to masquerade as Alice either during the time she is in Bob's home or afterwards. Alice may use her terminal to
call the local emergency service, be connected to an appropriate emergency centre and provide the appropriate location
information.
5 Threat and risk analysis
This clause analyses NGN in terms of threats and carries out an analysis of risks according to the methodology defined
in TS 102 165 [5].
5.1 PES Analysis
5.1.1 PES objectives and security objectives
The current draft of ES 282 002 [10] identifies some of the objectives for PES and these are restated here with respect
to the actor making the statement.
Table 1: PES objectives
Actor (note 1) | Objective
Existing PSTN/ISDN service provider (note 2) | Seamless provision of service to customer base in presence of change of technology in the core network
Packet transport technology provider (note 3) | To offer an alternative to circuit switched transports for point-to-point time critical services
Aspirant NGN service provider | To adopt NGN ECN technology (packet based) whilst allowing slow changeover to NGN ECS technology
NOTE 1: The end customer is not considered as an actor in PES although he may be considered a stakeholder.
NOTE 2: This is a special case of an ECS.
NOTE 3: This is a special case of an ECN.

The security objectives for PES are bound by the conditions of the Framework Directive [17] and the Privacy
Directive [19].
5.1.2 Stage 2 model of PES (UML)
The UML class diagram representing PES is given in figure 7.
[Figure 7 residue, class diagram "cd PES-analysis-structure": assets MGW, MGC, SGW, RGW, AGW, PES_CC, Outbound_CC, Inbound_CC; protocols GW_Control (~ AuthenticationCapability, ~ ConfidentialityCapability, ~ IntegrityCapability: boolean), AnalogueSignalProvision, DigitalSignalProvision, ISUP, InterNW_CC; MGW (0..*) "Is controlled by" / MGC (1) "Controls"; RGW deployed in customer premises, AGW deployed in ECN.]
Figure 7: UML class diagram for PES
The UML model in figure 7 identifies the assets and the relationship between them for PES. The model of figure 7 is
generic and does not imply a specific implementation. Figure 11 illustrates the specific application of the 2 generic
protocols (H.248 as specified in ES 283 002 [12] for the Gateway control protocol and for the means of providing
signalling from the analogue user line to the PES-CC, and SIP-I [13] for the Inter-network call control transfer protocol)
in the available PES stage 3 definitions.
[Figure 8 residue, class diagram "cd PES-R1": protocols AnalogueSignalProvision, GW_Control (~ AuthenticationCapability, ~ ConfidentialityCapability, ~ IntegrityCapability: boolean), InterNW_CC; instances («instantiate») H248_NOTIFY : AnalogueSignalProvision, H248_ETSI_ARGW : GW_Control (inheriting the three capability attributes from ::GW_Control), MTP : InterNW_CC, SIP-I : InterNW_CC.]

Figure 8: Instances of the PES protocols
5.1.2.1 Identification of assets
The assets in PES (for stage 2 analysis) are:
• Media Gateway Function (MGW):
- Residential MGW (RGW) in customer premises.
- Access MGW (AGW) in network operator premises.
• Media Gateway Control Function (MGC).
• Call controller (CC):
- Outbound call controller.
- Inbound call controller.
• Protocols:
- Between MGC and MGW.
- Between MGC and CC.
- Between inbound and outbound CC.
- Between UE and MGW.
5.1.2.2 Missing considerations in PES
5.1.2.2.1 ECN technology
The technology of the ECN is not fully described in the PES. However the NGN as a whole uses IPv4 and/or IPv6 as
the core technology in the ECN.
Attacks on IP of any type will affect PES and so are not addressed specifically in the present document.
5.1.2.2.2 Protocol stack
The overall transmission chain and the invocation of protocols at points in the deployment chain is not fully described
in PES.
5.1.2.2.3 Cardinality of relationships
The cardinality of relationships between objects in PES is not clear. The UML model in figure 7 addresses these where
possible but these should be verified.
5.1.2.2.4 Deployment
There are a number of ways to deploy PES and a number of protocol choices that may be made. For example the MGC
and PES_CC entities may be co-located and there will be no visible interface between MGC and PES_CC.
5.1.3 Points of attack in PES
5.1.3.1 Interfaces
The primary points of attack in PES are the open interfaces (considered here as communications paths) where data is
transmitted.
NOTE: The secondary point of attack is the application itself which may be corrupt, or malicious. It is assumed
for the first pass that the application software functions correctly and that attacks will be on data external
to the application (e.g. configuration data) and on the interfaces to the application.
Table 2: Interfaces and their characteristics
Communication paths | Characteristics | Attributes transferred
Customer to MGW | Closed circuit | DTMF tones for called party identity; Call continuation tones; Call content
MGW to MGC | IP transfer | Responses to control messages
MGW to SGW | | Interpreted DTMF tones (H.248 [29] package)
SGW to MGW | | Instructions for sending call signalling tones
MGC to MGW | | Gateway control messages
SGW to CC | | ISUP message
Outbound CC to Inbound CC | | ISUP message

5.1.3.2 Implicit relationships
There are a number of implicit relationships in PES which may be open to attack. These are explored further here.
[Figure 9 residue, class diagram "cd Attribute relationships": asset Customer "Is represented by" / "Represents" MGW, cardinality 1 to 1; MGW attributes - LineIdentity: int, + E164number: int.]
Figure 9: UML representation of customer to MGW relationship
The MGW acts on behalf of the customer and the customer requires that the MGW does not misrepresent the customer
by modifying data belonging to (or leased to) the customer. For PES the primary customer identity is his E.164 number.
For analysis it is assumed that there is a one-to-one relationship of MGW and customer.
5.1.4 Risk analysis
5.1.4.1 Overview
This analysis works from the perspective of trying to identify which threats may be possible on the open interfaces. The
weighting of risk is defined in the TVRA guidance but for this analysis it is sufficient to identify and quantify the
potential of any threat being successful.
5.1.4.2 Interception
This threat means that an unauthorized party may learn information transferred or stored in PES. According to the
penetration points the following threats can be distinguished.
5.1.4.2.1 Interception at the customer to MGW interface
There are essentially two scenarios to consider:
• MGW in customer premises.
• MGW in operator's premises.
In both scenarios it is assumed that the MGC is in the operator's premises (i.e. an MGC in the customer premises is not
a valid scenario for PES).
For the purpose of attack it is assumed that the user signalling/traffic is sent over non-radiating wires that are routed in
difficult to access areas (or where access is physically obvious).
Table 3: T-1: Attack potential for interception at the customer interface
Factor | Assigned weighting | Value
Elapsed time (1 point per week) | ≤ 1 week | 1
Expertise | Proficient | 2
Knowledge of TOE | Public | 0
Access to mount attack | Moderate | 4
Equipment | Standard | 0
Total | Moderate - possible | 7
5.1.4.2.2 Interception within the fixed network
For the purposes of attack it is assumed that the fixed network is physically difficult to penetrate and will be managed to
identify break-ins. It is assumed that the protocols and signalling are defined with respect to publicly available
specifications.
Table 4: T-2: Attack potential for interception at the customer interface
Factor | Assigned weighting | Value
Elapsed time (1 point per week) | ≤ 1 month | 4
Expertise | Proficient | 2
Knowledge of TOE | Public | 0
Access to mount attack | Difficult | 12
Equipment | Standard | 0
Total | High - unlikely | 18
5.1.4.3 Manipulation
NOTE: Extend manipulation for targeted and non-targeted attacks. Review the weightings.
5.1.4.3.1 Manipulation at the customer interface
There are essentially two scenarios to consider:
• MGW in customer premises.
• MGW in operator's premises.
In both scenarios it is assumed that the MGC is in the operator's premises (i.e. an MGC in the customer premises is not
a valid scenario for PES).
For the purpose of attack it is assumed that the user signalling/traffic is sent over non-radiating wires that are routed in
difficult to access areas (or where access is physically obvious).
Table 5: T-3: Attack potential for manipulation at the customer interface
Factor | Assigned weighting | Value
Elapsed time (1 point per week) | ≤ 1 week | 1
Expertise | Proficient | 2
Knowledge of TOE | Public | 0
Access to mount attack | Moderate | 4
Equipment | Standard | 0
Total | Moderate - possible | 7
5.1.4.3.2 Manipulation in the fixed parts of the network
In contrast to the customer interface, in the fixed parts of the network all kinds of manipulation are possible:
• deletion;
• reordering; and
• insertion of data, without restriction.
The underlying attacks can in principle be at least the same as for manipulation at the radio interface, with the following
attacks added.
• Manipulations can be done in the following ways:
- an attacker can use some equipment infiltrated into any interface of the system to manipulate the data and
voice signals being transferred there;
- deletion can be carried out, e.g. by physical action like wire-cutting, but also by rerouting of the data
(e.g. by manipulation of the data header);
- an attacker, who has access to an entity in the system, e.g. the MGC/SGW, can manipulate the data or
voice signals being processed or stored.
Table 6: T-4: Attack potential for manipulation in the fixed network
Factor | Assigned weighting | Value
Elapsed time (1 point per week) | ≤ 1 month | 4
Expertise | Proficient | 2
Knowledge of TOE | Public | 0
Access to mount attack | Moderate | 4
Equipment | Specialized | 3
Total | Moderate - possible | 13
5.1.4.3.3 Manipulation in links between networks
In addition to those manipulations considered in the fixed parts of the network there is further scope for attack between
networks (although still "fixed"). These manipulations have different attack potential depending on the implementation
of the interface.
Table 7: T-5: Attack potential for manipulation between networks (without SEG)
Factor | Assigned weighting | Value
Elapsed time (1 point per week) | ≤ 1 week | 0
Expertise | Proficient | 2
Knowledge of TOE | Public | 0
Access to mount attack | Moderate | 4
Equipment | Standard | 0
Total | Basic - likely | 6
Table 8: T-7: Attack potential for manipulation between networks (with SEG)
Factor | Assigned weighting | Value
Elapsed time (1 point per week) | ≤ 1 week | 0
Expertise | Proficient | 2
Knowledge of TOE | Public | 0
Access to mount attack | Moderate | 12
Equipment | Standard | 0
Total | Moderate - possible | 14
5.1.4.4 Denial-of-Service
This threat means that an unauthorized party may deny system availability to authorized parties.
There are essentially two scenarios to consider:
• Attack of public interfaces.
• Attack of private interfaces.
Table 9: T-8: Attack potential for denial-of-service on publicly addressable interfaces
Factor | Assigned weighting | Value
Elapsed time (1 point per week) | ≤ 1 week | 0
Expertise | Layman | 0
Knowledge of TOE | Public | 0
Access to mount attack | Easy | 1
Equipment | Standard | 0
Total | No rating - Likely | 1
Table 10: T-9: Attack potential for denial-of-service on non-publicly addressable interfaces
Factor | Assigned weighting | Value
Elapsed time (1 point per week) | ≤ 1 week | 0
Expertise | Layman | 0
Knowledge of TOE | Public | 0
Access to mount attack | Difficult | 12
Equipment | Standard | 0
Total | Moderate - Possible | 12
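Tables 3 to 10 all follow the same procedure: each of five factors (elapsed time, expertise, knowledge of the TOE, access to mount the attack, equipment) is given a weighting value, the values are summed, and the total is mapped to a rating and a likelihood of success. The following Python is an added worked example, not code from ETSI TR 187 002 or from the TVRA method in TS 102 165 [5]. It encodes the factor values printed in those tables, recomputes every Total row, and compares tables 7 and 8 to show how the presence of a SEG changes the access factor and the resulting rating. The rating bands in RATING_BANDS are an assumption fitted to the totals that appear on this page (only 1, 6, 7, 12, 13, 14 and 18 occur, so the lower bounds of the Basic and High bands are placeholders); the Threat class and the functions rate, score_all and countermeasure_effect are names chosen for this example.

```python
"""Attack-potential scoring as used in the TVRA tables above (tables 3 to 10).

Added worked example, not code from ETSI TR 187 002 or TS 102 165.
Factor names and per-threat values are copied from the tables on this
page; the rating bands are an ASSUMPTION chosen only to reproduce the
"Total" rows of those tables.
"""
from dataclasses import dataclass

# The five factors that make up an attack-potential score, in table order.
FACTORS = ("elapsed_time", "expertise", "knowledge_of_toe", "access", "equipment")

# ASSUMED bands: (lowest total in band, rating, likelihood of success).
# The page fixes only 1 -> "No rating", 6 -> Basic, 7..14 -> Moderate and
# 18 -> High, so the Basic (3) and High (15) lower bounds are placeholders,
# not the normative thresholds of TS 102 165 [5].
RATING_BANDS = (
    (0, "No rating", "Likely"),
    (3, "Basic", "Likely"),
    (7, "Moderate", "Possible"),
    (15, "High", "Unlikely"),
)


@dataclass(frozen=True)
class Threat:
    """The factor values of one attack-potential table, e.g. table 3 (T-1)."""
    ident: str
    description: str
    elapsed_time: int
    expertise: int
    knowledge_of_toe: int
    access: int
    equipment: int

    def total(self) -> int:
        # Attack potential is the plain sum of the five factor values.
        return sum(getattr(self, f) for f in FACTORS)


def rate(total: int) -> tuple[str, str]:
    """Map an attack-potential total to (rating, likelihood of success)."""
    if total < 0:
        raise ValueError("attack potential cannot be negative")
    rating, likelihood = RATING_BANDS[0][1:]
    for lower, band_rating, band_likelihood in RATING_BANDS:
        if total >= lower:  # bands are ascending, so the last match wins
            rating, likelihood = band_rating, band_likelihood
    return rating, likelihood


# Factor values exactly as printed in tables 3 to 10 (the page has no T-6).
PES_THREATS = (
    Threat("T-1", "interception at the customer interface", 1, 2, 0, 4, 0),
    Threat("T-2", "interception within the fixed network", 4, 2, 0, 12, 0),
    Threat("T-3", "manipulation at the customer interface", 1, 2, 0, 4, 0),
    Threat("T-4", "manipulation in the fixed network", 4, 2, 0, 4, 3),
    Threat("T-5", "manipulation between networks (without SEG)", 0, 2, 0, 4, 0),
    Threat("T-7", "manipulation between networks (with SEG)", 0, 2, 0, 12, 0),
    Threat("T-8", "denial-of-service on publicly addressable interfaces", 0, 0, 0, 1, 0),
    Threat("T-9", "denial-of-service on non-publicly addressable interfaces", 0, 0, 0, 12, 0),
)


def score_all(threats=PES_THREATS) -> dict[str, tuple[int, str, str]]:
    """Return {threat id: (total, rating, likelihood)} for every threat."""
    return {t.ident: (t.total(), *rate(t.total())) for t in threats}


def countermeasure_effect(before: Threat, after: Threat) -> dict[str, tuple]:
    """Factor-by-factor difference between two variants of one threat,
    e.g. T-5 (no SEG) versus T-7 (SEG in place) from tables 7 and 8.
    Only the factors that changed are listed, plus total and rating."""
    effect = {f: (getattr(before, f), getattr(after, f))
              for f in FACTORS if getattr(before, f) != getattr(after, f)}
    effect["total"] = (before.total(), after.total())
    effect["rating"] = (rate(before.total())[0], rate(after.total())[0])
    return effect


if __name__ == "__main__":
    for ident, (total, rating, likelihood) in score_all().items():
        print(f"{ident:<4} {total:>3}  {rating} - {likelihood}")
    # Effect of adding a SEG on the inter-network interface (T-5 -> T-7).
    print(countermeasure_effect(PES_THREATS[4], PES_THREATS[5]))
```

One caveat a reviewer of these tables should keep in mind: the page scores "≤ 1 week" as 1 in tables 3 and 5 but as 0 in tables 7 to 10, so the example keeps each value as printed rather than deriving it from a rule; that is why the recomputed totals agree with the document even though the weighting is not uniform.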
5.1.5 PES unwanted incidents
The unwanted incidents such as loss of availability, loss of integrity, loss of confidentiality as a result of the PES trust
assumptions as given in clause 5.1.4.2.1 are considered to be unlikely.
5.1.6 Existing PES security provisions
The existing PES security model is shown in figure 1 of [24] and the security provisions for use of H.248 [29] for that
model are also described in ES 283 002 [12].

Figure 10: H.248 deployment model as specified in ES 282 002 [10]
As shown in figure 13, the trust domain is assumed to include the AGCF as well as the A-MGF and R-MGF in the
operator's domain.
5.1.7 Security capabilities in PES
5.1.7.1 H.248 ETSI_ARGW
5.1.7.1.1 Authentication
Not provided.
The rationale for no explicit authentication function/capability in H.248 [29] ETSI_ARGW is that the Access Gateway
is under the control of the ECN&S providing service. The provisioning mechanism for the telephone line/service
establishes the identity of the customer. The means to establish identity vary between providers but may include checks
for documentary proof of identity and address. Post provisioning there are no further authentication checks made. The
fixed net
...
