Presentation for the Anfov Security Observatory


ETSI TISPAN NGN Security

Presentation for the Anfov Security Observatory

Author: Paolo DE LUTIIS

Telecom Italia

Security Innovation

ANFOV - Milano, 14 November 2007

ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS

Table of Contents
  • ETSI TISPAN: WG7 activities
  • TISPAN NGN overview
  • TISPAN NGN security:
    • Security areas
    • Network Domain Security
    • TISPAN IMS Security
      • IMS-AKA
      • NASS bundled
      • HTTP DIGEST
    • Application security
  • TISPAN NGN Security Standards
    • Main technical documents
  • Conclusion



ETSI TISPAN: WG7 activities


WG7 - security
  • TISPAN Working Group (WG) 7 is responsible for the management and co-ordination of the development of security specifications for TC TISPAN.
  • For TISPAN NGN, TISPAN WG7 is responsible for:
    • Defining the security requirements;
    • Defining the security architecture for NGN;
    • Conducting threat and risk analyses for specific NGN use cases;
    • Proposing security countermeasures;
  • The WG7 security standardization process is risk-based. The Threats, Vulnerability and Risk Analysis (TVRA) methodology has been defined specifically to address the needs of NGN security. The TVRA is based on ISO 15408 (Common Criteria).


WG7 security – Current focus (NGN rel. 2):
  • Fixed-mobile convergence (authentication schema coexistence)
  • Media security
  • Network Address Translation
  • IPTV security
  • Impact of unsolicited communication in the NGN environment
  • Identity Management
  • Customer Premises Network Security



TISPAN NGN overview


TISPAN NGN outline

[Diagram: TISPAN NGN architecture. Service layer: Applications, IMS, PSTN/ISDN Emulation Subsystem (PES), User Profile, Other subsystems. IP Transport layer: NASS, RACS. Access networks: xDSL, FTTx, WiFi/WiMax, UMTS, PSTN/ISDN, Broadcast. Interconnection to other networks.]



TISPAN NGN security


Security areas

[Diagram: the three security areas around the NGN subsystems: Access Security, Interconnection Security and Intra-Operator Security.]


Security Domains
  • A security domain (TS 187 003) consists of the functional entities administered by a single authority (e.g. the same operator's network). A security domain is required to:
    • protect the integrity and the confidentiality of its functional elements,
    • ensure the availability of the elements and activities under its protection.
  • Interdomain interfaces are protected by security gateway functions (SEGF)
  • SEGFs connect domains using IPsec in ESP tunnel mode with Internet Key Exchange (IKE)
    • The actual inter-security domain policy is not standardized and is left to the discretion of the roaming agreements of the operators


TISPAN NGN Security Domains

[Diagram: Access Network, Visited Network, Home Network and two 3rd-party ASP security domains, each with a Security Gateway Function (SEGF) at its border; the SEGFs are linked to each other by IPsec tunnels.]


Access Security
  • Access domain registration involves access-level authentication and authorization procedures between the UE and the Access Network.
  • Fixed broadband access (and non-3GPP WLAN access) may employ different access domain registration methods based on the access network configuration and operator policy.
  • These solutions usually do not rely on any kind of security token. An AAA infrastructure is used for bearer-level registration.
  • The TISPAN requirements (TS 187 001) state that the NGN shall support explicit (e.g. PPP or IEEE 802.1x) and/or implicit line authentication (e.g. MAC address authentication or line authentication) of users/subscribers at the NASS layer.


IMS Security
  • The IMS is independent of the transport network.
  • The identity of the accessing UE is checked at the edge of the IMS. The nodes in the IMS domain trust SIP messages that carry asserted identity headers.
  • At the border of the IMS, the P-CSCF is in charge of authenticating the UE and inserting an asserted identity (token) in each SIP request. This identity is passed between nodes in the IMS domain with no need for further authentication.
  • IMS Authentication options (TS 187 001):
    • Full IMS security: Authentication and Key Agreement (AKA) as defined by 3GPP (plus NAT traversal)
    • Early deployment scenarios:
      • NASS bundled authentication
      • HTTP DIGEST
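To make the edge rule concrete, here is an added example (written for this edit, not code from the presentation or from ETSI/3GPP) that models in Python what the P-CSCF must do for the intra-domain trust to be safe: authenticate the UE, discard any identity assertion the UE supplied itself, and insert the asserted identity that downstream nodes then act on without re-authenticating. It assumes the RFC 3325 P-Asserted-Identity header as the asserted-identity token (which is what 3GPP IMS uses); the SIP messages, source addresses and user table are constructed sample data.

```python
# Added example, not from the presentation: a minimal model of the IMS edge
# rule. The P-CSCF authenticates the UE, strips any identity assertion the UE
# supplied itself, and inserts the asserted identity that nodes inside the IMS
# domain then trust without re-authenticating.
# Header name from RFC 3325; messages, addresses and user table are constructed.

from typing import Dict, List, Tuple

ASSERTED_HEADER = "P-Asserted-Identity"

# Constructed: identities the P-CSCF has already authenticated (e.g. via
# IMS-AKA), keyed by the source address the request arrives from.
AUTHENTICATED_UES: Dict[str, str] = {
    "10.0.0.7": "sip:alice@example.net",
}


def parse_sip(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a SIP request into (request line, header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        # Split on the first colon only: header values such as sip: URIs contain colons.
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(request_line: str, headers: List[Tuple[str, str]], body: str) -> str:
    head = "\r\n".join(f"{n}: {v}" for n, v in headers)
    return request_line + "\r\n" + head + "\r\n\r\n" + body


def pcscf_edge(raw: str, source_addr: str) -> str:
    """Edge processing: drop UE-supplied assertions, insert the authenticated one.

    Raises PermissionError for a source the P-CSCF never authenticated."""
    identity = AUTHENTICATED_UES.get(source_addr)
    if identity is None:
        raise PermissionError(f"unauthenticated source {source_addr}")
    request_line, headers, body = parse_sip(raw)
    # Anything the UE itself claimed must not survive past the edge, otherwise
    # the trust the inner nodes place in the header would be misplaced.
    headers = [(n, v) for n, v in headers if n.lower() != ASSERTED_HEADER.lower()]
    headers.append((ASSERTED_HEADER, f"<{identity}>"))
    return serialize_sip(request_line, headers, body)


def trusted_identity(raw: str) -> str:
    """What an S-CSCF inside the domain acts on: the asserted header, no re-check."""
    _, headers, _ = parse_sip(raw)
    for n, v in headers:
        if n.lower() == ASSERTED_HEADER.lower():
            return v.strip("<>")
    raise ValueError("no asserted identity: request did not pass the edge")


# Constructed sample: a UE that tries to assert an identity other than its own.
SPOOFED_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "From: <sip:alice@example.net>;tag=1\r\n"
    "To: <sip:bob@example.net>\r\n"
    "P-Asserted-Identity: <sip:ceo@example.net>\r\n"
    "Call-ID: c1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    forwarded = pcscf_edge(SPOOFED_INVITE, "10.0.0.7")
    print("identity the S-CSCF acts on:", trusted_identity(forwarded))
```

The point of the model is the single line that filters the header list: the trust relationship on the slide only holds if the edge is the only place the header can originate, so the P-CSCF has to remove what arrives from the untrusted side before adding its own assertion.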


IMS and call control

[Diagram: call path through the IMS. Calling UE in its access network → P-CSCF (visited network) → I-CSCF → S-CSCF (home network, consulting the UPSF and DNS) → I-CSCF, S-CSCF and P-CSCF on the called side → called UE in its access network.]


Full IMS Security (IMS-AKA)

[Diagram: UE with UICC (user credential and secret key) → NASS authentication → SIP signalling to the P-CSCF and I/S-CSCF → UPSF (user profile, credential and keys). IPsec protects signalling confidentiality and integrity. NGN and UE are mutually authenticated (AKA).]
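The mutual authentication in the diagram, as an added example that is not taken from the presentation: a Python model of the AKA exchange (the structure defined in 3GPP TS 33.102) between the UPSF, which issues the authentication vector, and the UICC, which first verifies the network's MAC and sequence number and only then returns RES and derives CK/IK. The Milenage functions f1..f5 are replaced by labelled HMAC-SHA256 stand-ins so the block runs stand-alone; the subscriber key, identities and sequence numbers are constructed.

```python
# Added example, not from the presentation: the structure of the 3GPP AKA
# exchange behind "Full IMS security", with both the network side (UPSF
# generating the vector, S-CSCF comparing RES with XRES) and the UE/UICC side.
# f1..f5 are defined by 3GPP (Milenage); here they are HMAC-SHA256 stand-ins.
# All keys, identities and sequence numbers are constructed sample values.

import hashlib
import hmac
import os


def _f(tag: bytes, k: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for the Milenage functions: HMAC-SHA256 keyed with K, domain-separated by tag."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf): return _f(b"f1", k, sqn + rand + amf, 8)  # MAC-A
def f2(k, rand): return _f(b"f2", k, rand, 8)                        # RES / XRES
def f3(k, rand): return _f(b"f3", k, rand, 16)                       # CK (cipher key)
def f4(k, rand): return _f(b"f4", k, rand, 16)                       # IK (integrity key)
def f5(k, rand): return _f(b"f5", k, rand, 6)                        # AK (anonymity key)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


AMF = b"\x80\x00"  # authentication management field (constructed value)


class UPSF:
    """Home network side: holds K per private identity and issues authentication vectors."""

    def __init__(self, subscribers):
        self.subscribers = subscribers  # impi -> {"k": bytes, "sqn": int}

    def auth_vector(self, impi, rand=None):
        sub = self.subscribers[impi]
        sub["sqn"] += 1
        sqn = sub["sqn"].to_bytes(6, "big")
        rand = rand or os.urandom(16)
        k = sub["k"]
        mac = f1(k, sqn, rand, AMF)
        # AUTN = (SQN xor AK) || AMF || MAC: SQN is concealed, MAC proves knowledge of K
        autn = xor(sqn, f5(k, rand)) + AMF + mac
        return {"rand": rand, "autn": autn, "xres": f2(k, rand),
                "ck": f3(k, rand), "ik": f4(k, rand)}


class UICC:
    """Smart card in the UE: holds K and the highest sequence number accepted so far."""

    def __init__(self, k: bytes, sqn_highest: int = 0):
        self.k = k
        self.sqn_highest = sqn_highest

    def respond(self, rand: bytes, autn: bytes):
        """Authenticate the network first; only then compute RES and the session keys."""
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, sqn, rand, amf)):
            raise ValueError("MAC failure: network not authenticated")
        # Simplified freshness rule: a real UICC keeps a window and can resynchronise.
        if int.from_bytes(sqn, "big") <= self.sqn_highest:
            raise ValueError("synchronisation failure: SQN not fresh (replayed challenge)")
        self.sqn_highest = int.from_bytes(sqn, "big")
        return {"res": f2(self.k, rand), "ck": f3(self.k, rand), "ik": f4(self.k, rand)}


def run_aka(upsf: UPSF, impi: str, uicc: UICC, rand=None):
    """One registration: returns (ue_authenticated, both_sides_share_same_ck_ik)."""
    av = upsf.auth_vector(impi, rand)          # S-CSCF fetches the AV; challenge travels in the 401
    answer = uicc.respond(av["rand"], av["autn"])
    if not hmac.compare_digest(answer["res"], av["xres"]):
        return False, False
    # CK/IK derived on both sides are what the UE<->P-CSCF IPsec SAs are keyed from.
    return True, (av["ck"] == answer["ck"] and av["ik"] == answer["ik"])


if __name__ == "__main__":
    K = bytes(range(16))  # constructed subscriber key
    print(run_aka(UPSF({"alice@example.net": {"k": K, "sqn": 0}}), "alice@example.net", UICC(K)))
```

The ordering inside `UICC.respond` is the substance of "mutual": the card checks the network's MAC and the freshness of SQN before it releases RES, so a party that does not hold K, or that replays an old challenge, gets no response and no keys. The SQN handling is deliberately simplified; the specification keeps an acceptance window and triggers a resynchronisation procedure rather than rejecting outright.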


NASS Bundled Authentication (NBA)

[Diagram: UE (no UICC and no IMS credential required) → NASS authentication (CLF) → SIP signalling in the clear (no IPsec) to the P-CSCF and I/S-CSCF → UPSF (user profile, no credential required). The authentication is one-way: only the NGN authenticates the UE.]


HTTP Digest (HD)

[Diagram: UE (no UICC required; user credential and keys in UE memory) → NASS authentication → SIP signalling in the clear (no IPsec) to the P-CSCF and I/S-CSCF → UPSF (user profile, credential and keys). Explicit authentication; NGN and UE are mutually authenticated.]
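The exchange behind this option, as an added example that is not part of the presentation: a Python model of HTTP Digest (RFC 2617) applied to SIP registration, with both sides shown. The network issues the 401 challenge, the UE answers from the password held in its memory (no UICC), the network verifies the response and rejects nonce-count reuse, and the Authentication-Info `rspauth` gives the UE a proof that the network also knew the shared secret, which is the mutual authentication the slide refers to. Realm, user names, password and the message field layout are constructed sample values.

```python
# Added example, not from the presentation: HTTP Digest (RFC 2617) as used for
# SIP REGISTER. Network side: challenge, verification with nonce-count replay
# check, Authentication-Info rspauth. UE side: response from a stored password,
# check of rspauth. Realm, users, password and nonces are constructed.

import hashlib
import hmac
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    # qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri))
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rspauth(h1, uri, nonce, nc, cnonce, qop="auth"):
    # Server proof carried in Authentication-Info: same formula with an empty method.
    ha2 = md5hex(f":{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Network:
    """S-CSCF side. The UPSF stores HA1 per private identity (never the plain password)."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users   # username -> HA1
        self.nonces = {}     # nonce -> highest nonce-count accepted (replay protection)

    def challenge(self):
        """401 Unauthorized with WWW-Authenticate."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, auth):
        """Return the rspauth for Authentication-Info on success, None on failure."""
        h1 = self.users.get(auth["username"])
        nonce = auth["nonce"]
        if h1 is None or nonce not in self.nonces or auth.get("realm") != self.realm:
            return None
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[nonce]:
            return None  # nonce-count reuse: a replayed Authorization header
        expected = digest_response(h1, method, auth["uri"], nonce, auth["nc"], auth["cnonce"], auth["qop"])
        if not hmac.compare_digest(expected, auth["response"]):
            return None
        self.nonces[nonce] = nc
        return rspauth(h1, auth["uri"], nonce, auth["nc"], auth["cnonce"], auth["qop"])


class UE:
    """Terminal side: credential kept in UE memory, as the slide notes."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.nc = 0

    def answer(self, method, uri, chal):
        """REGISTER with an Authorization header built from the challenge."""
        self.nc += 1
        cnonce = secrets.token_hex(8)
        h1 = ha1(self.username, chal["realm"], self.password)
        nc = f"{self.nc:08x}"
        return {"username": self.username, "realm": chal["realm"], "nonce": chal["nonce"],
                "uri": uri, "qop": chal["qop"], "nc": nc, "cnonce": cnonce,
                "response": digest_response(h1, method, uri, chal["nonce"], nc, cnonce, chal["qop"])}

    def check_network(self, uri, chal, auth, info):
        """Verify Authentication-Info: True only if the network proved it knows HA1."""
        if info is None:
            return False
        h1 = ha1(self.username, chal["realm"], self.password)
        return hmac.compare_digest(info, rspauth(h1, uri, chal["nonce"], auth["nc"], auth["cnonce"], auth["qop"]))


def register(network, ue, uri="sip:example.net"):
    """Full REGISTER round trip; returns (ue_authenticated, network_authenticated)."""
    chal = network.challenge()               # 401 Unauthorized, WWW-Authenticate
    auth = ue.answer("REGISTER", uri, chal)  # REGISTER with Authorization
    info = network.verify("REGISTER", auth)  # 200 OK with Authentication-Info, or 403
    return info is not None, ue.check_network(uri, chal, auth, info)


if __name__ == "__main__":
    net = Network("example.net", {"alice": ha1("alice", "example.net", "correct horse")})
    print(register(net, UE("alice", "correct horse")))
```

Note what the exchange does and does not protect. The response binds the method and Request-URI to the shared secret, and the nonce-count check refuses a replayed Authorization header, but the rest of the SIP signalling still travels in the clear and the exchange itself is observable, so the secret must be strong enough to withstand offline guessing against a captured response. That is also why the application security slide runs HTTP Digest over TLS.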


Application Security (optional)

[Diagram: UE with UICC, BSF and UPSF (GBA-U mode); the Application Server (AS) is reached with HTTP Digest over TLS.]



ETSI TISPAN NGN Security Standards


Security ETSI TISPAN specifications
  • Main Technical Specifications:
    • NGN Security requirements (TS 187 001)
    • NGN Security architecture (TS 187 003)
    • NGN Lawful Interception functional entities, information flow and reference points (TS 187 005)
  • Main Technical Reports (feasibility studies):
    • NGN Threats, Vulnerability and Risk Analysis (TVRA) (TR 187 002)
    • NAT traversal (TR 187 008)
    • Media security (TR 187 007)
    • Impact of unsolicited communication in the NGN (WI 07 025)
    • Identity Management (WI 07 027)
    • Data Retention (WI 07 032)

All TISPAN activities related to the core IMS have been delegated to 3GPP.



Conclusions


Conclusions
  • The NGN is divided into security domains. Domains are considered to be trusted environments.
  • Core or intra-domain security is mainly under the responsibility of the Operator
  • Inter-domain security is provided by SEGF
  • Access authentication is performed at both the service layer (e.g. IMS) and network attachment (NASS).
  • IMS-AKA (as defined by 3GPP plus NAT support) is the preferred solution for IMS authentication:
    • Identity and keys stored on smart card (UICC)
    • Mutual authentication between Network and UE (AKA)
    • IPSEC for the protection of the signalling only
  • Other authentication mechanisms (NBA, HD) have been defined for early deployment scenarios (short term solutions).
