ImageVerifierCode 换一换
格式:PDF , 页数:22 ,大小:200.31KB ,
资源ID:541437      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-541437.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ATIS 1000025-2013 User to Network Interface (UNI) Standard for Signaling and Control Security Requirements for Evolving VoP Multimedia Networks.pdf)为本站会员(刘芸)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ATIS 1000025-2013 User to Network Interface (UNI) Standard for Signaling and Control Security Requirements for Evolving VoP Multimedia Networks.pdf

1、 AMERICAN NATIONAL STANDARD FOR TELECOMMUNICATIONS ATIS-1000025.2013 USER TO NETWORK INTERFACE (UNI) STANDARD FOR SIGNALING AND CONTROL SECURITY REQUIREMENTS FOR EVOLVING VOP/MULTIMEDIA NETWORKS As a leading technology and solutions development organization, ATIS brings together the top global ICT c

2、ompanies to advance the industrys most-pressing business priorities. Through ATIS committees and forums, nearly 200 companies address cloud services, device solutions, emergency services, M2M communications, cyber security, ehealth, network evolution, quality of service, billing support, operations,

3、 and more. These priorities follow a fast-track development lifecycle from design and innovation through solutions that include standards, specifications, requirements, business use cases, software toolkits, and interoperability testing. ATIS is accredited by the American National Standards Institut

4、e (ANSI). ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a founding Partner of oneM2M, a member and major U.S. contributor to the International Telecommunication Union (ITU) Radio and Telecommunications sectors, and a member of the Inter-American

5、 Telecommunication Commission (CITEL). For more information, visit . AMERICAN NATIONAL STANDARD Approval of an American National Standard requires review by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is e

6、stablished when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections

7、be considered, and that a concerted effort be made towards their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using prod

8、ucts, processes, or procedures not conforming to the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation

9、 of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdraw

10、n at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American National Standards may receive current information on all standards by calling or writing the American National

11、Standards Institute. Notice of Disclaimer however, new security challenges are introduced. Threats in the end-user plane now become threats to the signaling and control plane since the signaling and control plane becomes more accessible to the multitude of end-users and can be affected by user plane

12、 traffic. This standard specifies Voice over Packet and Multimedia signaling and control plane security requirements for evolving networks. This standard is part of a suite of signaling and control security standards as shown in Figure 1. This standard provides security requirements for VoP and Mult

13、imedia signaling and control services that cross the User to Network Interfaces (UNI). This standard is in alignment with ITU-T Recommendation X.805. ITU X.805. ATIS-1000025.2013 2 Figure 1: Signaling and Control Plane Security Standards 2 Scope, Purpose, however, when using DHCP to obtain IP addres

14、ses, ACLs should not be used due to changing IP addresses. Means to detect and log unauthorized access attempts to the network at the UNI shall be supported. NOTE: A system configurable threshold may be set for the number of unauthorized access attempts beyond which a system alarm will be generated,

15、 logged, and reported to a management system. 7.1.3 Authentication Security Dimension The terminal equipment shall be authenticated by the network across the UNI before call connection messages are exchanged. NOTE: If IPsec or TLS protocols are used, authentication mechanisms within these protocols

16、may be used to provide authentication of the terminal equipment. NOTE: Authentication of the network by the terminal equipment is not currently a requirement. Authentication mechanisms across the UNI shall make use of at least one of the following: 1. Non-clear-text passwords. ATIS-1000025.2013 9 2.

17、 Digital authenticators. 3. Digital signatures. Signaling traffic from the terminal shall include an element in the signaling data or message that enables the receiving network to verify the authenticity of the message. NOTE: If IPsec or TLS protocols are used, authentication mechanisms within these

18、 protocols may be used to provide data or message authenticity across the UNI. Each SIP User Agent (for example, those found in access Endpoints such as terminals, Gateways, IP Phones, or Soft Clients) shall register with the Network Provider VoP registration functional entity, as per RFC3261. SIP r

19、egistration is required for service to be authorized. Each SIP Endpoint shall register with the Network Provider VoP registration functional entity, as per RFC 3261. NOTE: Access will be denied to non-registered end points. Each called and calling User Agent Endpoint shall be identified by a unique

20、URI. 7.1.4 Non-Repudiation Security Dimension The capability for authorized access attempts at the UNI to be logged and reported to a management system shall be provided. The capability for unauthorized access attempts at the UNI to be logged and reported to a management system shall be provided. NO

21、TE: Access attempts which fail authentication are defined as unauthorized access attempts. NOTE: A system configurable threshold may be set for the number of unauthorized access attempts beyond which a system alarm will be generated, logged, and reported to a management system. The capability to ide

22、ntify unauthorized SIP signaling packets at the UNI and to log and report these to a management system shall be provided ATIS-1000025.2013 10 NOTE: A system configurable threshold may be set for the number of unauthorized SIP signaling packets beyond which a system alarm will be generated, logged, a

23、nd reported to a management system. 7.1.5 Data Confidentiality Security Dimension Confidentiality functions within the security mechanism (see requirement CR-SEC-UNI-00300) across the UNI may be supported to provide confidentiality of signaling data (e.g., phone numbers, network addresses, and call

24、accounting information) to protect the signaling data from unauthorized access or observation. 7.1.6 Communication Security Dimension No additional requirements to address the Communication Security dimension have been identified beyond those specified in the Authentication Security (section 7.1.3)

25、and Data Integrity (section 7.1.7) dimensions in this standard. 7.1.7 Data Integrity Security Dimension Data integrity functions within the security mechanism (see requirement CR-SEC-UNI-00200) across the UNI may be supported to provide data integrity of signaling data (e.g., phone numbers, network

26、addresses, and call accounting information) to protect the signaling data from unauthorized modification. 7.1.8 Availability Security Dimension As a best practice, network entities communicating across the UNI should implement mechanisms to detect and mitigate IP DoS attacks. Both application layer

27、flooding attacks, network layer flooding attacks, and malformed packet attacks should be mitigated by the DoS protection mechanisms. Attacks directly against SIP are not necessarily required to break or disable the service entirely. Where SIP relies upon ancillary services (such as DNS, RSVP, SNMP,

28、and others), attacks against these underlying infrastructure services should also be mitigated by security and DoS protection mechanisms. 7.1.9 Privacy Security Dimension User Agents and Proxy network elements shall be able to support processing and delivery of signaling packets over the UNI which h

29、ave the following data obscured, as per RFC3323: Identity of the communication party. Exact location of the communication party. NOTE: Endpoints and communication parties can obscure some personal data in signaling packets or use network service, as described in RFC3323. NOTE: REQ-SEC-UNI-01800 is i

30、n addition to other security requirements specified in this standard (e.g., encryption), because some signaling links may be outside a service providers span of control. NOTE: Compliance with this requirement should not prevent a Proxy network element from applying a local policy that would prevent

31、Endpoints from being anonymous. ATIS-1000025.2013 11 NOTE: Calling party presentation restriction (privacy) needs to be honored by the network and not relayed to the Endpoint over the UNI. Access to information such as alias translation database information, phone numbers, network addresses, and cal

32、l accounting information shall be restricted by an access control mechanism. 7.2 H.323 H.323 (Packet-based multimedia communications systems) is the ITU Recommendation for the setup and control of packet telephony and multimedia. ITU-T H.323 The following requirements address the UNI security for ge

33、neral areas of H.323 Voice over IP applications including: Connection Establishment (Registration, Admission, Status). Signaling/Call Control. Within H.323, other signaling and control standards are referenced: ITU-T Recommendation H.225, Call Signalling Protocols and Media Stream Packetization for

34、Packet Based Multimedia Communications Systems. o H.225 includes the Registration, Admission, Status (RAS) channel for communications between Endpoints and the Gatekeeper. ITU-T Recommendation H.245, Control Protocol for Multimedia Communication. H.323 network architectural models used in this docum

35、ent are shown in Figure 3 and Figure 4, with the network side of the UNI on the left of each figure. Figure 3 shows a solution where the Gatekeeper is within the Carrier Network. Figure 4 shows a solution where a Gatekeeper is provided on the user side of the UNI. See ITU-T H.323 for more informatio

36、n on the H.323 architecture, including H.323 definitions. See also ITU-T Recommendation H.235, H.323 security - Framework for security in H-series (H.323 and other H.245-based) multimedia systems ITU-T H.235. Figure 3: H.323 Architectural Model #1 NOTE: Solid Line Indicates Signaling Relationship. G

37、atekeeperEndpointGatewayUNIATIS-1000025.2013 12 Figure 4: H.323 Architectural Model #2 NOTE: Solid Line Indicates Signaling Relationship. NOTE: There may be a Session Border Controller at the UNI. 7.2.1 General Requirements Mechanisms for authentication shall be provided for all Connection Establish

38、ment and Signaling/Call Control exchanges between Endpoints and Gatekeepers, Endpoints and Gateways, and Gateways and Gatekeepers. If data integrity is provided across the UNI, then the mechanism shall be based on IPsec or TLS. The mechanism shall be provided for all Connection Establishment and Sig

39、naling/Call Control exchanges between Endpoints and Gatekeepers, Gateways and other H.323 Network Elements across the UNI. If data confidentiality is provided across the UNI, then the mechanism shall be based on IPsec or TLS. The mechanism shall be provided for all Connection Establishment and Signa

40、ling/Call Control exchanges between Endpoints and Gatekeepers, Endpoints and Gateways, and Gateways and Gatekeepers. If NAT functionality is implemented across the UNI and IPsec is used, then IPsec mechanisms shall work in the presence of this NAT functionality. NOTE: Refer to ATIS-1000007.2006 (R20

41、11) for IPsec and TLS Protocol Requirements Generic. GatekeeperEndpointGatewayUNIATIS-1000025.2013 13 7.2.2 Access Control Security Dimension Some means shall be used to restrict/grant access to specific Endpoints, on the customer side of the UNI, across the UNI interface. NOTE: Access Control Lists

42、 (ACLs) may be used to provide H.323 Authorization/Access Control; however, when using DHCP to obtain IP addresses, ACLs should not be used due to changing IP addresses. Means to detect and log unauthorized access attempts to the network at the UNI shall be supported. NOTE: A system configurable thr

43、eshold may be set for the number of unauthorized access attempts beyond which a system alarm will be generated, logged, and reported to a management system. 7.2.3 Authentication Endpoints shall be authenticated by the network across the UNI before call connection messages are exchanged. NOTE: If IPs

44、ec or TLS protocols are used, authentication mechanisms within these protocols may be used to provide authentication of the Endpoints. Authentication mechanisms across the UNI shall make use of at least one of the following: 1. Non-clear-text passwords. 2. Digital authenticators. 3. Digital signatur

45、es. Signaling traffic from the Endpoints and Gatekeeper (if on the user side of the UNI) shall include an element in the signaling data or message that enables the receiving network to verify the authenticity of the message. NOTE: If IPsec or TLS protocols are used, authentication mechanisms within

46、these protocols may be used to provide data or message authenticity across the UNI. Each Endpoint e.g., terminal, IP Phone, or Soft Client shall register with the H.323 Gatekeeper functional entity. ATIS-1000025.2013 14 Each Gatekeeper on the user side of the UNI shall register with the Network Prov

47、ider. Each Endpoint registered with the appropriate Gatekeeper shall have a unique H.323 alias. Each Endpoint registered with the appropriate Gatekeeper shall have a unique Call Reference Value (CRV). The CRV and the H.323 alias shall be associated to identify each Endpoint. 7.2.4 Non-repudiation Se

48、curity Dimension The capability for authorized access attempts at the UNI to be logged and reported to a management system shall be provided. The capability for unauthorized access attempts at the UNI to be logged and reported to a management system shall be provided. NOTE: Access attempts which fai

49、l authentication are defined as unauthorized access attempts. NOTE: A system configurable threshold may be set for the number of unauthorized access attempts beyond which a system alarm will be generated, logged, and reported to a management system. The capability to identify unauthorized H.323 signaling packets at the UNI and to log and report these to a management system shall be provided NOTE: A system configurable threshold may be set for the number of unauthorized H.323 signaling packets beyond which a system alarm will be generated, logge

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1