ETSI TISPAN NGN security standardization
Paolo De Lutiis, ETSI TISPAN WG7 Chairman, Telecom Italia SpA, Security Innovation
6th ETSI Security Workshop, 19-20 Jan. 2011. © ETSI 2010. All rights reserved.

Posted Mar 02, 2021

Transcript
Page 1: Title slide (title, speaker and workshop as given in the heading above)

Page 2: Outline

• ETSI TISPAN NGN and its security: background
• Main NGN release 3 security topics
• Main NGN security deliverables
• Possible hot topics for future work
• Summary

Page 3: ETSI TISPAN NGN: the architecture

(Figure: layered NGN architecture with an Application layer, a Service layer and an IP Transport layer, with External Networks attached.)

Page 4: ETSI TISPAN NGN: the security areas

(Figure: the three NGN security areas: Access Security, Intra-Operator Security and Interconnection Security.)

Page 5: ETSI TISPAN NGN: WG7 and the security standardization

• TISPAN WG7 is responsible for the management and co-ordination of the development of security specifications for the ETSI TISPAN NGN:
  • defines the security requirements,
  • defines the security architecture.
• The TISPAN WG7 activities are risk based. WG7 conducts threat and risk analyses for specific NGN use cases (e.g. NASS, IPTV, CPN) and uses the results of such analyses to define requirements and security mechanisms.
• The Threat, Vulnerability and Risk Analysis (TVRA) method has been defined to assess the security of the NGN. It allows a systematic identification of assets, threats and weaknesses, and computes a weighted risk level for each threat.
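To make the "weighted risk level" concrete, here is a worked TVRA-style calculation for one NNI threat, before and after a countermeasure. This is an example added by the editor, not ETSI tooling or text from the slides. The factor weights and class boundaries are the editor's reading of the TVRA method in ETSI TS 102 165-1 and are assumptions to be checked against the current edition; the threat, asset and ratings are constructed.

```python
"""TVRA-style worked risk calculation.

Added example by the editor, not ETSI's own tooling.  The factor weights and
class boundaries below are the editor's reading of the ETSI TVRA method
(TS 102 165-1) and are assumptions: check them against the current edition.
"""
from dataclasses import dataclass, replace

# Attack-potential factors (assumed weights, see module docstring).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4,
                "<=3 months": 13, "<=6 months": 19, ">6 months": 26}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11}
OPPORTUNITY = {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def likelihood(attack_potential: int) -> int:
    """Map summed attack potential to a likelihood value (3 likely .. 1 unlikely)."""
    if attack_potential < 10:      # "basic" attack potential
        return 3
    if attack_potential < 20:      # "enhanced-basic" / "moderate"
        return 2
    return 1                       # "high" / "beyond high"


def risk_class(risk: int) -> str:
    """Weighted risk = likelihood x impact, bucketed into the three TVRA classes."""
    if risk <= 2:
        return "minor"
    if risk <= 4:
        return "major"
    return "critical"


@dataclass(frozen=True)
class Threat:
    asset: str
    threat: str
    impact: str
    elapsed_time: str
    expertise: str
    knowledge: str
    opportunity: str
    equipment: str

    def attack_potential(self) -> int:
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + OPPORTUNITY[self.opportunity]
                + EQUIPMENT[self.equipment])

    def assess(self) -> dict:
        potential = self.attack_potential()
        lk = likelihood(potential)
        risk = lk * IMPACT[self.impact]
        return {"asset": self.asset, "threat": self.threat,
                "attack_potential": potential, "likelihood": lk,
                "risk": risk, "class": risk_class(risk)}


# Constructed sample: one NNI threat rated before and after a countermeasure.
NNI_EAVESDROP = Threat(
    asset="SIP signalling on the NNI",
    threat="interception of signalling in transit",
    impact="high",
    elapsed_time="<=1 day", expertise="proficient", knowledge="public",
    opportunity="moderate", equipment="standard",
)

# Countermeasure: IPsec on the NNI signalling path.  The attacker now needs
# key material or a cryptographic break, which raises several factors.
NNI_EAVESDROP_WITH_IPSEC = replace(
    NNI_EAVESDROP, elapsed_time="<=3 months", expertise="expert",
    knowledge="sensitive", equipment="bespoke",
)


def countermeasure_effect(before: Threat, after: Threat) -> tuple:
    """Return (risk class before, risk class after) for a countermeasure."""
    return before.assess()["class"], after.assess()["class"]


if __name__ == "__main__":
    for t in (NNI_EAVESDROP, NNI_EAVESDROP_WITH_IPSEC):
        print(t.assess())
```

The point of the exercise is the last function: a countermeasure is justified in TVRA by showing that it moves the threat's attack potential into a higher band and so lowers the weighted risk, which is how WG7 gets from an analysis to a mechanism that becomes mandatory in the architecture.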

Page 6: Main NGN release 3 security topics

During the standardization of NGN release 3, the main topics addressed by WG7 were:

• IPTV security
• Service Protection & Content Protection (SP & CP)
• CPN security
• NNI interconnection security
• Prevention of Unsolicited Communications (PUC)
• Application layer security

Page 7: Main NGN release 3 security topics: IPTV

IPTV security, two mechanisms:

• OMA BCAST
  • Service protection and content protection are kept as separate issues
  • Two profiles: Smart Card and DRM (UICC-less)
• User Authentication and Service Authorization, with any Content Protection
  • "Early deployment scenario", without a clear distinction between service and content protection
  • Based on the authentication and authorization mechanisms defined by TISPAN (e.g. Digest authentication), used in conjunction with the content protection mechanism chosen by the provider (e.g. conditional access)

Page 8: Main NGN release 3 security topics: SP & CP

• Service Protection / Content Protection interoperability of the CPE with IPTV service providers' offerings means that an end user can switch to another service provider (using a different SP/CP system) and obtain service from it while retaining his CPE equipment.
• A mechanism is introduced for a "secure" update of the SP and CP engines implemented within the CPE.

(Figure: a customer premises network with a Legacy TV behind an IPTV STB, an IPTV-enabled TV and DLNA devices, all behind a WAN Gateway; the Access Provider connects the home to IPTV Provider 1 and IPTV Provider 2, illustrating a change of IPTV provider.)

Page 9: Main NGN release 3 security topics: CPN 1/2

Firewalling

• TISPAN "endorsed" the HGI specification by defining:
  • Stateful inspection
  • Two default profiles: High, Low
  • Remote management (TR-069)
  • NAT-T
  • IPv6
  • SIP B2BUA (for IMS support)

Page 10: Main NGN release 3 security topics: CPN 2/2

Network Access Control

• NAC gathers together all the methods linked to access to the network
• RFC 5209 Network Endpoint Assessment (NEA)
• Posture assessment of the client devices:
  • Patches
  • Anti-virus
  • Firewall and software configuration
• Centralized security policy compliance

Page 11: Main NGN release 3 security topics: NNI interconnection

Security Gateway Function (SEGF)

• Firewall + IPsec gateway
• Strong emphasis on the protection of the signalling (e.g. the IPsec tunnels are mandatory only for the signalling)
• Commercially available as a "Session Border Controller" for the interworking of session-based services (e.g. voice)
• The main security mechanisms are:
  • THIG (topology hiding)
  • NAT-T
  • Firewall (and related pinholing)
  • Lawful Interception
  • VPN (IPsec and TLS)
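Because IPsec is mandatory only for the signalling, the media plane at the NNI (and, in the CPN slide above, behind the home gateway's stateful firewall) is protected by the firewall and its signalling-driven pinholes. The following toy SEGF shows what "firewall and related pinholing" means in practice: SIP is accepted only from the peer operator, an accepted INVITE opens RTP/RTCP pinholes taken from its SDP but only towards the peer's own address range, and BYE closes them. This is an example written by the editor, not ETSI text or any Session Border Controller's code; the peer prefix, addresses and SIP messages are constructed.

```python
"""Signalling-driven pinholing at an NNI security gateway.

Added example by the editor, not ETSI's text or any SBC vendor's code.  A toy
SEGF that (1) accepts SIP only from the configured peer operator, (2) opens
RTP/RTCP pinholes from the SDP of an accepted INVITE, restricted to the peer's
address range, and (3) closes them on BYE.  Addresses and messages are
constructed sample data.
"""
import ipaddress
import re

PEER_PREFIX = ipaddress.ip_network("198.51.100.0/24")   # assumed peer operator range

# Constructed SIP messages (not a real capture).
INVITE = (
    "INVITE sip:bob@operatorb.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@operatora.example>;tag=1928\r\n"
    "To: <sip:bob@operatorb.example>\r\n"
    "Call-ID: abc123@198.51.100.7\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 198.51.100.7\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.7\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
BYE = "BYE sip:bob@operatorb.example SIP/2.0\r\nCall-ID: abc123@198.51.100.7\r\n\r\n"
# Same call, but the SDP points media at an address outside the peer's range.
SPOOFED_INVITE = INVITE.replace("c=IN IP4 198.51.100.7", "c=IN IP4 192.0.2.5")


class Segf:
    def __init__(self):
        self.pinholes = {}    # call_id -> {(remote_ip, remote_port), ...}
        self.log = []

    def accept_signalling(self, src_ip: str) -> bool:
        """SIP is accepted only from the peer prefix; everything else is dropped."""
        ok = ipaddress.ip_address(src_ip) in PEER_PREFIX
        if not ok:
            self.log.append(f"drop signalling from {src_ip}")
        return ok

    @staticmethod
    def header(msg: str, name: str) -> str:
        m = re.search(rf"^{name}:\s*(.+?)\r\n", msg, re.M | re.I)
        return m.group(1) if m else ""

    @staticmethod
    def sdp_endpoints(msg: str):
        """Yield (ip, port) from the c=/m= lines of the SDP body."""
        body = msg.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in msg else ""
        conn = None
        for line in body.split("\r\n"):
            if line.startswith("c=IN IP4 "):
                conn = line.split()[2]
            elif line.startswith("m=") and conn:
                yield conn, int(line.split()[1])

    def handle_sip(self, src_ip: str, msg: str) -> bool:
        """Signalling plane: returns True if the message was accepted."""
        if not self.accept_signalling(src_ip):
            return False
        method = msg.split(" ", 1)[0]
        call_id = self.header(msg, "Call-ID")
        if method == "INVITE":
            holes = set()
            for ip, port in self.sdp_endpoints(msg):
                # Never open a pinhole towards a third party on the peer's say-so.
                if ipaddress.ip_address(ip) not in PEER_PREFIX:
                    self.log.append(f"reject SDP address {ip} outside peer range")
                    return False
                holes.update({(ip, port), (ip, port + 1)})   # RTP and RTCP
            self.pinholes[call_id] = holes
        elif method == "BYE":
            self.pinholes.pop(call_id, None)
        return True

    def allow_media(self, src_ip: str, src_port: int) -> bool:
        """Media plane: packets pass only through a pinhole opened by signalling."""
        return any((src_ip, src_port) in holes for holes in self.pinholes.values())


def demo() -> dict:
    gw = Segf()
    r = {}
    r["rtp_before_invite"] = gw.allow_media("198.51.100.7", 49170)
    r["invite_from_stranger"] = gw.handle_sip("192.0.2.99", INVITE)
    r["invite_with_spoofed_sdp"] = gw.handle_sip("198.51.100.7", SPOOFED_INVITE)
    r["invite_from_peer"] = gw.handle_sip("198.51.100.7", INVITE)
    r["rtp_after_invite"] = gw.allow_media("198.51.100.7", 49170)
    r["rtcp_after_invite"] = gw.allow_media("198.51.100.7", 49171)
    r["rtp_unrelated_port"] = gw.allow_media("198.51.100.7", 5004)
    gw.handle_sip("198.51.100.7", BYE)
    r["rtp_after_bye"] = gw.allow_media("198.51.100.7", 49170)
    return r
```

The check on the SDP address is the one practitioners most often forget: without it, a peer can make the gateway open holes towards arbitrary addresses, which turns the SEGF into a reflector. A production SEGF also keys each pinhole on its own allocated media address and on timers, so that a call whose BYE is lost does not leave the hole open indefinitely.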

Page 12: Main NGN release 3 security topics: PUC

• The NGN should manage Unsolicited Communication (UC)
• TISPAN defines a network architecture: Identification, Marking, Handling
• The customer is directly involved in UC management (e.g. a "SPIT button")
• SIP header extension to carry SPIT information directly in band (draft-wing-sipping-spam-score-02), with the following fields:
  • PUC identifier: indicates the PUC element making the claim (mandatory)
  • PIF identifier: the name of the agreed PIF (mandatory)
  • Strength: an integer indicating the confidence of the score (optional)
  • Info: a text field containing any arbitrary information (optional)
  • Param[1..3]: three general-purpose parameters for future proofing (optional)
  • IsSpam: a boolean, for convenience purposes alone (mandatory)
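The Identification, Marking and Handling steps above can be traced with a small piece of code: the identifying element marks the INVITE with the fields listed, and the handling element parses the mark, validates the mandatory fields and applies the callee's policy. This is an example added by the editor, not ETSI or IETF text. The header name X-PUC-Score and its parameter syntax are hypothetical stand-ins for the draft's encoding; only the field set comes from the slide, and the element names, threshold and sample values are constructed.

```python
"""In-band PUC marking: build, parse and act on a SPIT score header.

Added example by the editor.  The header name X-PUC-Score and the
parameter syntax are hypothetical stand-ins for the draft-wing-sipping-
spam-score encoding the slide refers to; only the field set (PUC identifier,
PIF identifier, Strength, Info, Param[1..3], IsSpam) is taken from the slide.
All sample values are constructed.
"""
import re

HEADER = "X-PUC-Score"            # assumed header name
MANDATORY = ("puc", "pif", "isspam")
PARAM_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^;]*)')


def mark(puc: str, pif: str, isspam: bool, strength=None, info=None, params=()) -> str:
    """Marking step: the identifying element writes its claim into the header."""
    parts = [f"puc={puc}", f"pif={pif}", f"isspam={'true' if isspam else 'false'}"]
    if strength is not None:
        parts.append(f"strength={int(strength)}")
    if info is not None:
        parts.append('info="' + info.replace('"', '\\"') + '"')
    for i, p in enumerate(params[:3], 1):
        parts.append(f"param{i}={p}")
    return f"{HEADER}: " + ";".join(parts)


def parse(header_line: str) -> dict:
    """Parse the header; raises ValueError if a mandatory field is missing."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != HEADER.lower():
        raise ValueError("not a PUC marking header")
    fields = {}
    for key, raw in PARAM_RE.findall(value):
        key = key.lower()
        raw = raw.strip()
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    missing = [k for k in MANDATORY if k not in fields]
    if missing:
        raise ValueError(f"missing mandatory field(s): {missing}")
    fields["isspam"] = fields["isspam"].lower() == "true"
    if "strength" in fields:
        fields["strength"] = int(fields["strength"])
    return fields


def handle(fields: dict, trusted_pucs: set, user_threshold: int = 70) -> str:
    """Handling step: apply the callee's policy; claims from unknown elements are ignored."""
    if fields["puc"] not in trusted_pucs:
        return "accept"           # a claim from an element we do not trust carries no weight
    if not fields["isspam"]:
        return "accept"
    if fields.get("strength", 100) >= user_threshold:   # no strength = full confidence
        return "reject"
    return "voicemail"


def demo() -> dict:
    trusted = {"sbc-nni-1"}
    h = mark("sbc-nni-1", "greylist", True, strength=80,
             info='new caller, "40" calls/min')
    f = parse(h)
    results = {"roundtrip_info": f["info"], "strength": f["strength"],
               "action": handle(f, trusted)}
    weak = parse(mark("sbc-nni-1", "greylist", True, strength=30))
    results["weak_claim"] = handle(weak, trusted)
    forged = parse(mark("attacker-ua", "greylist", True, strength=100))
    results["untrusted_claim"] = handle(forged, trusted)
    try:
        parse(f"{HEADER}: pif=greylist;strength=80")
        results["missing_mandatory"] = False
    except ValueError:
        results["missing_mandatory"] = True
    return results
```

Two design points follow from the slide's table. The PUC identifier is mandatory because the handling element must know who made the claim; an in-band mark that any UA can insert must be stripped or ignored at the trust boundary (here, the trusted set), otherwise a caller could mark a rival's calls as spam. And because IsSpam is "for convenience alone", the policy should key on Strength and the user's own threshold rather than on the boolean by itself.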

Page 13: Main NGN release 3 security topics: application layer security

• The main user authentication mechanisms assume the UICC is available on the device. Unfortunately, the fixed-line devices available on the market have no smart card reader.
• SIP Digest and NBA (NASS-bundled authentication) have been defined for IMS authentication only.
• A new functional element has been introduced to enable HTTP Digest authentication, re-using the SIP Digest credentials stored in the UPSF:
  • Support for legacy devices
  • Simplified provisioning
  • Enables SSO
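Why the SIP Digest credentials in the UPSF can serve HTTP as well is a property of the Digest scheme itself: both RFC 3261 (SIP) and RFC 2617 (HTTP) derive the response from HA1 = MD5(username:realm:password), so a store that holds HA1 can verify either protocol as long as both challenge with the same realm. The example below, written by the editor and not taken from ETSI or any IMS product, models that: one store, a SIP REGISTER and an HTTP GET verified against the same entry, a replayed Authorization header refused through the nonce count, and a wrong password rejected. The realm, user name and password are constructed.

```python
"""HTTP Digest verification against SIP Digest credentials.

Added example by the editor, not ETSI's text.  One credential store (the UPSF
role) holds HA1 = MD5(username:realm:password) and verifies both a SIP
REGISTER and an HTTP request.  Realm, user name and password are constructed.
"""
import hashlib
import hmac
import secrets

REALM = "ims.example.net"          # assumed realm shared by the SIP and HTTP services


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# UPSF-like store: keeps only HA1, never the clear password.  Because HA1 is
# bound to username:realm:password, the same entry serves both protocols.
UPSF = {"alice": md5hex(f"alice:{REALM}:correct-horse")}


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 / RFC 3261 response computation with qop=auth."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Challenge/verify logic shared by the SIP registrar and the HTTP front end."""

    def __init__(self, store: dict):
        self.store = store
        self.issued = {}          # nonce -> highest nonce-count accepted (replay check)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        ha1 = self.store.get(username)
        if ha1 is None or nonce not in self.issued:
            return False
        if int(nc, 16) <= self.issued[nonce]:   # nonce-count not increasing = replay
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.issued[nonce] = int(nc, 16)
        return True


def client_response(username, password, method, uri, nonce, nc, cnonce) -> str:
    """What the UE or browser computes: it knows the password, the server does not."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def demo() -> dict:
    server = DigestServer(UPSF)
    results = {}

    # 1. SIP REGISTER: 401 challenge, then an authenticated REGISTER.
    nonce = server.challenge()
    resp = client_response("alice", "correct-horse", "REGISTER",
                           "sip:ims.example.net", nonce, "00000001", "c0ffee")
    results["sip_register"] = server.verify("alice", "REGISTER", "sip:ims.example.net",
                                            nonce, "00000001", "c0ffee", resp)

    # 2. HTTP GET to an application-layer service, checked against the same HA1.
    nonce = server.challenge()
    resp = client_response("alice", "correct-horse", "GET", "/portal/",
                           nonce, "00000001", "d00d")
    results["http_get"] = server.verify("alice", "GET", "/portal/",
                                        nonce, "00000001", "d00d", resp)

    # 3. Replaying the captured Authorization header is refused (nc not increased).
    results["http_replay"] = server.verify("alice", "GET", "/portal/",
                                           nonce, "00000001", "d00d", resp)

    # 4. Wrong password: the response does not match the stored HA1.
    nonce = server.challenge()
    resp = client_response("alice", "wrong", "GET", "/portal/",
                           nonce, "00000001", "d00d")
    results["bad_password"] = server.verify("alice", "GET", "/portal/",
                                            nonce, "00000001", "d00d", resp)
    return results
```

Two caveats a practitioner would want alongside the slide's bullets. The re-use only works if the HTTP service challenges with the IMS realm and the user presents the same identity as in SIP (the IMPI); a different realm yields a different HA1. And Digest over plain HTTP still exposes each response to offline dictionary attack, so the legacy-device convenience should be paired with TLS on the HTTP side.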

Page 14: Main NGN release 3 security deliverables

(Figure: deliverables grouped in two columns.)

Main Reports:
• TR 187 002 (TVRA)
• TR 187 013 (IPTV)
• TR 187 019 (NNI)
• TS 187 021 (CPN), downgrade to TR pending

Main Specifications:
• TS 187 001 (Requirements)
• TS 187 003 (Architecture)
• TS 187 015 (PUC)
• TS 187 005 (LI)
• TS 187 017 (DR)

Page 15: Main NGN release 3 security deliverables

• TS 187 003 v3 Security Architecture
• TS 187 001 v3 Security Requirements
• TR 187 013 Feasibility study on IPTV security architecture
• TS 187 015 Prevention of Unsolicited Communication in the NGN
• TR 187 002 v3 Threat, Vulnerability and Risk Analysis
• TR 187 019 Interconnection security
• TS 187 005 v3 Lawful Interception; Stage 1 and Stage 2 definition
• TS 187 017 v3 Data Retention in the NGN
• TR 187 021 Security services and mechanisms for customer premises networks connected to TISPAN NGN

Page 16: Possible hot topics for NGN security beyond release 3

TISPAN WG7 identified the following topics (under discussion):

• Full IPTV stage 3 definition (OMA BCAST)
• Content protection for IPTV services
• NGA security
• IdM and SSO to enable a "full" FMC
• Smart Metering security
• Enhanced mechanisms for NNI security
• Enhanced RACS security
• Enhanced NASS security
• DIAMETER profile for TISPAN NGN