
ETSI TISPAN NGN Security
Presentation for the Osservatorio Sicurezza Anfov
Author: Paolo DE LUTIIS, Telecom Italia Security Innovation
ANFOV - Milano, 14 November 2007


Presentation Transcript


  1. ETSI TISPAN NGN Security
     Presentation for the Osservatorio Sicurezza Anfov
     Author: Paolo DE LUTIIS, Telecom Italia Security Innovation
     ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS

  2. Table of Contents
     • ETSI TISPAN: WG7 activities
     • TISPAN NGN overview
     • TISPAN NGN security:
       • Security areas
       • Network Domain Security
       • TISPAN IMS Security
         • IMS-AKA
         • NASS bundled
         • HTTP DIGEST
       • Application security
     • TISPAN NGN Security Standards
       • Main technical documents
     • Conclusion

  3. ETSI TISPAN: WG7 activities

  4. WG7 - security
     • TISPAN Working Group (WG) 7 is responsible for the management and co-ordination of the development of security specifications for TC TISPAN.
     • For TISPAN NGN, TISPAN WG7 is responsible for:
       • defining the security requirements;
       • defining the security architecture for NGN;
       • conducting threat and risk analyses for specific NGN use cases;
       • proposing security countermeasures.
     • The WG7 security standardization process is risk-based. The Threats, Vulnerability and Risk Analysis (TVRA) methodology has been defined specifically to address the needs of NGN security. The TVRA is based on ISO 15408 (Common Criteria).

  5. WG7 security – Current focus (NGN rel. 2):
     • Fixed-mobile convergence (authentication schema coexistence)
     • Media security
     • Network Address Translation
     • IPTV security
     • Impact of unsolicited communication in the NGN environment
     • Identity Management
     • Customer Premises Network Security

  6. TISPAN NGN overview

  7. TISPAN NGN outline [diagram: a Service layer (Applications, User Profile, IMS, PES (PSTN/ISDN emulation), other networks) over an IP Transport layer (RACS, NASS); access types shown: Broadcast, UMTS, PSTN/ISDN, FTTx, xDSL, WiFi/WiMax]

  8. TISPAN NGN security

  9. Security areas [diagram: Access Security, Intra-Operator Security and Interconnection Security, mapped onto the NGN subsystems]

  10. Security Domains
     • A security domain (TS 187 003) consists of the functional entities administered by a single authority (e.g. the same operator's network). A security domain is required to:
       • protect the integrity and the confidentiality of its functional elements;
       • ensure the availability of the elements and activities under its protection.
     • Interdomain interfaces are protected by security gateway functions (SEGF).
     • SEGFs connect domains using IPsec in ESP tunnel mode with Internet Key Exchange (IKE).
     • The actual inter-security-domain policy is not standardized and is left to the discretion of the roaming agreements of the operators.

  11. Security Gateway Function (SEGF) [diagram: TISPAN NGN security domains (Access Network, Visited Network, Home Network and two 3rd-party ASP security domains), each bordered by SEGFs and interconnected through IPsec tunnels]

  12. Access Security
     • Access domain registration involves access-level authentication and authorization procedures between the UE and the Access Network.
     • Fixed broadband access (and non-3GPP WLAN access) may employ different access domain registration methods based on the access network configuration and operator policy.
     • These solutions usually do not rely on any kind of security token. An AAA infrastructure is used for bearer-level registration.
     • The TISPAN requirements (TS 187 001) state that the NGN shall support the use of explicit (e.g. PPP or IEEE 802.1x) and/or implicit line authentication (e.g. MAC address authentication or line authentication) of the users/subscribers at the NASS layer.

  13. IMS Security
     • The IMS is independent of the transport network.
     • The identity of the accessing UE is checked at the edge of the IMS. The nodes in the IMS domain will trust SIP messages with asserted identity headers.
     • At the border of the IMS the P-CSCF is in charge of authenticating the UE and inserting within each SIP request an asserted identity (token). This identity is passed between nodes in the IMS domain, with no need for further authentication.
     • IMS Authentication options (TS 187 001):
       • Full IMS security: Authentication and Key Agreement (AKA) as defined by 3GPP (plus NAT traversal)
       • Early deployment scenarios:
         • NASS bundled authentication
         • HTTP DIGEST
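The edge check described on this slide, as an added example that is not part of the presentation: a P-CSCF must replace whatever identity headers the UE sent with the identity bound to the UE at registration, and core nodes may rely on that header only when it comes from inside the trusted domain. The SIP message, addresses and registered identities are constructed; the header handling follows the P-Asserted-Identity / P-Preferred-Identity model of RFC 3325.

```python
# Constructed INVITE as it might arrive on the UE side of the P-CSCF.  The UE
# has written its own P-Asserted-Identity; the edge must not forward it.
UE_INVITE = (
    "INVITE sip:bob@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "From: <sip:alice@ims.example.net>;tag=7a1\r\n"
    "To: <sip:bob@ims.example.net>\r\n"
    "P-Asserted-Identity: <sip:ceo@ims.example.net>\r\n"
    "Call-ID: c1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
IDENTITY_HEADERS = ("p-asserted-identity", "p-preferred-identity")

def parse_sip(msg):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    return start, [tuple(s.strip() for s in l.split(":", 1)) for l in lines], body

def serialize_sip(start, headers, body):
    return start + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n" + body

def pcscf_assert_identity(msg, registered):
    """P-CSCF ingress: strip every identity header the UE supplied, honour a
    P-Preferred-Identity only if it is one of the identities bound to this UE
    at authenticated registration, and assert the chosen identity."""
    start, headers, body = parse_sip(msg)
    preferred = next((v.strip("<>") for k, v in headers
                      if k.lower() == "p-preferred-identity"), None)
    chosen = preferred if preferred in registered else registered[0]
    kept = [(k, v) for k, v in headers if k.lower() not in IDENTITY_HEADERS]
    kept.append(("P-Asserted-Identity", f"<{chosen}>"))
    return serialize_sip(start, kept, body)

def core_asserted_identity(msg, from_trusted_node):
    """S-CSCF / AS view: the asserted identity counts only when the message
    came from a node inside the security domain (or via the SEGF from a
    trusted peer domain); from anywhere else it is unauthenticated."""
    if not from_trusted_node:
        return None
    _, headers, _ = parse_sip(msg)
    return next((v.strip("<>") for k, v in headers
                 if k.lower() == "p-asserted-identity"), None)
```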

  14. IMS and call control [diagram: a call crossing the Visited, Home and Called networks between two Access networks; each network shows its P-CSCF, I-CSCF and S-CSCF, with DNS and the UPSF in the Home network]

  15. Full IMS Security (IMS-AKA) [diagram: IMS UE with UICC, P-CSCF, I/S-CSCF, UPSF and NASS; NASS authentication first, then SIP]
     • User credentials and secret key on the UICC; user profile, credentials and keys in the UPSF
     • NGN and UE are mutually authenticated (AKA)
     • IPsec protects signalling confidentiality and integrity

  16. NASS Bundled Authentication (NBA) [diagram: IMS UE, P-CSCF, I/S-CSCF, UPSF and NASS with CLF; NASS authentication first, then SIP]
     • NO UICC and NO IMS credential required; user profile in the UPSF, no credential required
     • NO IPsec: the signalling is transmitted in the clear
     • The authentication is one-way: only the NGN authenticates the UE

  17. HTTP Digest (HD) [diagram: IMS UE, P-CSCF, I/S-CSCF, UPSF and NASS; NASS authentication first, then SIP]
     • Explicit authentication
     • NO UICC required (user credentials and keys in the UE memory); user profile, credentials and keys in the UPSF
     • NO IPsec: the signalling is transmitted in the clear
     • NGN and UE are mutually authenticated
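The HD exchange of this slide worked through, as an added example that is not part of the presentation: one SIP REGISTER challenged with HTTP Digest (RFC 2617, MD5, qop=auth), where the S-CSCF verifies the UE's response and the UE verifies the network's rspauth, which is what gives the mutual authentication claimed above. The user, realm and URI are constructed, and the model assumes the S-CSCF obtains the user's H(A1) from the UPSF.

```python
import hashlib
import hmac
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) of RFC 2617: what the network side needs to verify the UE.
    In this model it is what the UPSF stores and hands to the S-CSCF."""
    return _md5(f"{username}:{realm}:{password}")

def digest_response(h_a1, method, uri, nonce, nc, cnonce, qop="auth"):
    """UE proof: H(H(A1):nonce:nc:cnonce:qop:H(A2)) with A2 = method:uri."""
    h_a2 = _md5(f"{method}:{uri}")
    return _md5(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")

def digest_rspauth(h_a1, uri, nonce, nc, cnonce, qop="auth"):
    """Network proof (rspauth in Authentication-Info): same formula, but the
    method is left out of A2 (A2 = ':' uri), so it differs from the UE proof."""
    h_a2 = _md5(f":{uri}")
    return _md5(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")

def register_exchange(ue_password: str, upsf_h_a1: str):
    """One REGISTER transaction with Digest in both directions.
    Returns (network_authenticated_ue, ue_authenticated_network)."""
    user, realm = "alice@ims.example.net", "ims.example.net"  # constructed
    method, uri = "REGISTER", "sip:ims.example.net"
    # UE -> P-CSCF -> S-CSCF: REGISTER; the S-CSCF answers 401 with a nonce.
    # Without IPsec (this slide) every value below crosses the access network
    # in the clear, so the only secret is the password behind H(A1).
    nonce = secrets.token_hex(16)
    # UE side: credentials live in UE memory, no UICC involved.
    ue_h_a1 = ha1(user, realm, ue_password)
    nc, cnonce = "00000001", secrets.token_hex(8)
    response = digest_response(ue_h_a1, method, uri, nonce, nc, cnonce)
    # S-CSCF side: recompute with the H(A1) obtained from the UPSF.
    expected = digest_response(upsf_h_a1, method, uri, nonce, nc, cnonce)
    if not hmac.compare_digest(response, expected):
        return (False, False)  # UE not authenticated, no 200 OK is sent
    # 200 OK carries rspauth; the UE recomputes it to authenticate the network.
    rspauth = digest_rspauth(upsf_h_a1, uri, nonce, nc, cnonce)
    ue_check = digest_rspauth(ue_h_a1, uri, nonce, nc, cnonce)
    return (True, hmac.compare_digest(rspauth, ue_check))
```

Digest proves possession of the password in both directions but, as the slide says, leaves the signalling itself unprotected; only IMS-AKA with IPsec covers that.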

  18. Application Security (optional) [diagram: UE with UICC in GBA-u mode, BSF, UPSF and AS; HTTP Digest over TLS between UE and AS]

  19. ETSI TISPAN NGN Security Standards

  20. ETSI TISPAN security specifications
     • Main Technical Specifications
       • NGN Security requirements (TS 187 001)
       • NGN Security architecture (TS 187 003)
       • NGN Lawful Interception functional entities, information flow and reference points (TS 187 005)
     • Main Technical Reports (feasibility studies)
       • NGN Threats, Vulnerability and Risk Analysis (TVRA) (TR 187 002)
       • NAT traversal (TR 187 008)
       • Media security (TR 187 007)
       • Impact of unsolicited communication in the NGN (WI 07 025)
       • Identity Management (WI 07 027)
       • Data Retention (WI 07 032)
     All TISPAN activities related to the core IMS have been delegated to 3GPP.

  21. Conclusions

  22. Conclusions
     • The NGN is divided into security domains. Domains are considered to be trusted environments.
     • Core or intra-domain security is mainly the responsibility of the operator.
     • Inter-domain security is provided by the SEGF.
     • Access authentication is performed at both the service layer (e.g. IMS) and network attachment (NASS).
     • IMS-AKA (as defined by 3GPP, plus NAT support) is the preferred solution for IMS authentication:
       • identity and keys stored on a smart card (UICC);
       • mutual authentication between network and UE (AKA);
       • IPsec for the protection of the signalling only.
     • Other authentication mechanisms (NBA, HD) have been defined for early deployment scenarios (short-term solutions).
