ETSI TS 133 210 V5.4.0 (2003-06)

Technical Specification

Digital cellular telecommunications system (Phase 2+);
Universal Mobile Telecommunications System (UMTS);
3G security;
Network Domain Security (NDS);
IP network layer security
(3GPP TS 33.210 version 5.4.0 Release 5)

GLOBAL SYSTEM FOR MOBILE COMMUNICATIONS

ETSI TS 133 210 V5.4.0 (2003-06) - 3GPP TS 33.210 version 5.4.0 Release 5

Reference: RTS/TSGS-0333210v540
Keywords: GSM, UMTS

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be
aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, send your comment to: editor@etsi.org

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2003. All rights reserved.

DECT(TM), PLUGTESTS(TM) and UMTS(TM) are Trade Marks of ETSI registered for the benefit of its Members.
TIPHON(TM) and the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members.
3GPP(TM) is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR
000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP).
The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables.
The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http://webapp.etsi.org/key/queryform.asp

Contents

Intellectual Property Rights
Foreword
Foreword
Introduction
1 Scope
2 References
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 Overview over UMTS network domain security for IP based protocols
4.1 Introduction
4.2 Protection at the network layer
4.3 Security for native IP based protocols
4.4 Security domains
4.4.1 Security domains and interfaces
4.5 Security Gateways (SEGs)
5 Key management and distribution architecture for NDS/IP
5.1 Security services afforded to the protocols
5.2 Security Associations (SAs)
5.2.1 Security Policy Database (SPD)
5.2.2 Security Association Database (SAD)
5.3 Profiling of IPsec
5.3.1 Support of ESP
5.3.2 Support of tunnel mode
5.3.3 Support of ESP encryption transforms
5.3.4 Support of ESP authentication transforms
5.3.5 Requirements on the construction of the IV
5.4 Profiling of IKE
5.5 Security policy granularity
5.6 UMTS key management and distribution architecture for native IP based protocols
5.6.1 Network domain security architecture outline
5.6.2 Interface description
Annex A (informative): Other issues
A.1 Network Address Translators (NATs) and Transition Gateways (TrGWs)
A.2 Filtering routers and firewalls
A.3 The relationship between BGs and SEGs
Annex B (normative): Security protection for GTP
B.1 The need for security protection
B.2 Policy discrimination of GTP-C and GTP-U
Annex C (normative): Security protection of IMS protocols
C.1 The need for security protection
C.2 Protection of IMS protocols and interfaces
Annex D (informative): Change history
History

Foreword

This Technical Specification has been produced by the 3rd Generation Partnership Project (3GPP).
The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows:

Version x.y.z

where:
x the first digit:
  1 presented to TSG for information;
  2 presented to TSG for approval;
  3 or greater indicates TSG approved document under change control.
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the document.

Introduction

An identified security weakness in 2G systems is the absence of security in the core network. This was formerly perceived not to be a problem, since the 2G networks previously were the provinces of a small number of large institutions. This is no longer the case, and so there is now a need for security precautions.
Another significant development has been the introduction of IP as the network layer in the GPRS backbone network and then later in the UMTS network domain.
Furthermore, IP is not only used for signalling traffic, but also for user traffic. The introduction of IP therefore signifies not only a shift towards packet switching, which is a major change in its own right, but also a shift towards completely open and easily accessible protocols. The implication is that from a security point of view, a whole new set of threats and risks must be faced.
For 3G systems it is a clear goal to be able to protect the core network signalling protocols, and by implication this means that security solutions must be found for both SS7 and IP based protocols.
This technical specification is the stage-2 specification for IP related security in the UMTS core network. The security services that have been identified as being needed are confidentiality, integrity, authentication and anti-replay protection. These will be ensured by standard procedures, based on cryptographic techniques.

1 Scope

The present document defines the security architecture for the UMTS network domain IP based control plane. The scope of the UMTS network domain control plane security is to cover the control signalling on selected interfaces between UMTS network elements.

2 References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version
number, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.

[1] 3GPP TS 21.133: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Threats and Requirements".
[2] 3GPP TR 21.905: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Vocabulary for 3GPP Specifications".
[3] 3GPP TS 23.002: "3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects; Network architecture".
[4] 3GPP TS 23.060: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS); Service description; Stage 2".
[5] 3GPP TS 23.228: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; IP Multimedia Subsystem (IMS); Stage 2".
[6] 3GPP TS 29.060: "3rd Generation Partnership Project; Technical Specification Group Core Network; General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp Interface".
[7] 3GPP TS 33.102: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Architecture".
[8] 3GPP TS 33.103: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G security; Integration guidelines".
[9] 3GPP TS 33.120: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Principles and Objectives".
[10] 3GPP TS 33.203: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Access security for IP-based services".
[11] RFC-2393: "IP Payload Compression Protocol (IPComp)".
[12] RFC-2401: "Security Architecture for the Internet Protocol".
[13] RFC-2402: "IP Authentication Header".
[14] RFC-2403: "The Use of HMAC-MD5-96 within ESP and AH".
[15] RFC-2404: "The Use of HMAC-SHA-1-96 within ESP and AH".
[16] RFC-2405: "The ESP DES-CBC Cipher Algorithm With Explicit IV".
[17] RFC-2406: "IP Encapsulating Security Payload".
[18] RFC-2407: "The Internet IP Security Domain of Interpretation for ISAKMP".
[19] RFC-2408: "Internet Security Association and Key Management Protocol (ISAKMP)".
[20] RFC-2409: "The Internet Key Exchange (IKE)".
[21] RFC-2410: "The NULL Encryption Algorithm and Its Use With IPsec".
[22] RFC-2411: "IP Security Document Roadmap".
[23] RFC-2412: "The OAKLEY Key Determination Protocol".
[24] RFC-2451: "The ESP CBC-Mode Cipher Algorithms".
[25] RFC-2521: "ICMP Security Failures Messages".
[26] Internet Draft: "On the Use of SCTP with IPsec", available as "draft-ietf-ipsec-sctp-03.txt".
[27] RFC-1750: "Randomness Recommendations for Security".

3 Definitions, symbols and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply.

Anti-replay protection: Anti-replay protection is a special case of integrity protection. Its main service is to protect against replay of self-contained packets that already have a cryptographic integrity mechanism in place.
Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities or processes.
Data integrity: The property that data has not been altered in an unauthorised manner.
Data origin authentication: The corroboration that the source of data received is as claimed.
Entity authentication: The provision of assurance of the claimed identity of an entity.
Key freshness: A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions of either an adversary or authorised party.
NDS/IP Traffic: Traffic that requires protection according to the mechanisms defined in this specification.
ISAKMP Security Association: A bi-directional logical connection created for security purposes. All traffic traversing a SA is provided the same security protection. The SA itself is a set of parameters to define security protection between two entities.
IPsec Security Association: A unidirectional logical connection created for security purposes. All traffic traversing a SA is provided the same security protection. The SA itself is a set of parameters to define security protection between two entities. An IPsec Security Association includes the cryptographic algorithms, the keys, the duration of the keys, and other parameters.
Security Domain: Networks that are managed by a single administrative authority. Within a security domain the same level of security and usage of security services will be typical.
Transport mode: Mode of operation that primarily protects the payload of the IP packet, in effect giving protection to higher level layers.
Tunnel mode: Mode of operation that protects the whole IP packet by tunnelling it so that the whole packet is protected.

3.2 Symbols

For the purposes of the present document, the following symbols apply:

Gi Reference point between GPRS and an external packet data network
Gn Interface between two GSNs within the same PLMN
Gp Interface between two GSNs in different PLMNs. The Gp interface allows support of GPRS network services across areas served by the co-operating GPRS PLMNs
Mm Interface between a CSCF and an IP multimedia network
Mw Interface between a CSCF and another CSCF
Za Interface between SEGs belonging to different networks/security domains
Zb Interface between SEGs and NEs and interface between NEs within the same network/security domain

3.3 Abbreviations

For the purposes of the present document, the following abbreviations apply:

AAA Authentication Authorization Accounting
AES Advanced Encryption Standard
AH Authentication Header
BG Border Gateway
CS Circuit Switched
CSCF Call State Control Function
DES Data Encryption Standard
DoI Domain of Interpretation
ESP Encapsulating Security Payload
GTP GPRS Tunnelling Protocols
IESG Internet Engineering Steering Group
IETF Internet Engineering Task Force
IKE Internet Key Exchange
IP Internet Protocol
IPsec IP security - a collection of protocols and algorithms for IP security incl. key mngt.
ISAKMP Internet Security Association Key Management Protocol
IV Initialisation Vector
MAC Message Authentication Code
NAT Network Address Translator
NDS Network Domain Security
NDS/IP NDS for IP based protocols
NE Network Entity
PS Packet Switched
SA Security Association
SAD Security Association Database (sometimes
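The definitions of IPsec Security Association, anti-replay protection and tunnel mode in clause 3.1 describe what one NDS/IP SA has to provide. The following is an added example and is not code from TS 33.210 or from any 3GPP implementation: it models one unidirectional ESP SA in tunnel mode with HMAC-SHA-1-96 integrity as in RFC 2404 [15] and the sequence-number sliding window from RFC 2401 [12] Appendix C. Encryption is left as NULL (RFC 2410 [21]) so the ESP framing stays visible. The SPI, key, window size, packet contents and all names (IpsecSa, esp_tunnel_encapsulate, esp_tunnel_decapsulate, replay_check, replay_update, run_scenario) are assumptions of the example.

```python
# Added example (not from TS 33.210): one unidirectional ESP SA in tunnel mode
# with HMAC-SHA-1-96 integrity and an RFC 2401 Appendix C anti-replay window.
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 12           # HMAC-SHA-1-96: 20-byte SHA-1 tag truncated to 96 bits
NEXT_HEADER_IPIP = 4   # tunnel mode: the ESP payload is a complete IP packet


class IntegrityError(Exception): pass
class ReplayError(Exception): pass


@dataclass
class IpsecSa:
    """One IPsec SA (clause 3.1). Unidirectional: the sender uses only
    seq_out, the receiver only highest_seq and the window bitmap."""
    spi: int
    auth_key: bytes        # constructed key; a real SA gets it from IKE
    window_size: int = 64
    seq_out: int = 0       # last sequence number sent
    highest_seq: int = 0   # right edge of the receiver window
    window: int = 0        # bit i set == packet (highest_seq - i) was received


def mac96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_tunnel_encapsulate(sa: IpsecSa, inner_ip_packet: bytes) -> bytes:
    """Tunnel mode: the whole inner IP packet is the ESP payload. Layout:
    SPI | seq | payload | pad | pad len | next hdr | ICV (outer IP header
    is added by the caller)."""
    if sa.seq_out >= 0xFFFFFFFF:
        # anti-replay needs a strictly increasing counter: re-key, never wrap
        raise RuntimeError("sequence number exhausted: re-key the SA")
    sa.seq_out += 1
    pad_len = (-(len(inner_ip_packet) + 2)) % 4          # 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPIP])
    body = struct.pack("!II", sa.spi, sa.seq_out) + inner_ip_packet + trailer
    return body + mac96(sa.auth_key, body)


def replay_check(sa: IpsecSa, seq: int) -> None:
    """Pre-check before the MAC, so obvious replays cost no HMAC."""
    if seq == 0:
        raise ReplayError("sequence number 0 is never valid")
    if seq > sa.highest_seq:
        return                               # new, right of the window
    offset = sa.highest_seq - seq
    if offset >= sa.window_size:
        raise ReplayError(f"seq {seq} is older than the window")
    if sa.window & (1 << offset):
        raise ReplayError(f"seq {seq} already received")


def replay_update(sa: IpsecSa, seq: int) -> None:
    """Called only after the ICV verified, so forged packets cannot move the
    window: that is why anti-replay is a special case of integrity."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window = 1 if shift >= sa.window_size else (sa.window << shift) | 1
        sa.window &= (1 << sa.window_size) - 1
        sa.highest_seq = seq
    else:
        sa.window |= 1 << (sa.highest_seq - seq)


def esp_tunnel_decapsulate(sa: IpsecSa, esp_packet: bytes) -> bytes:
    """Receiver: SPI, replay pre-check, ICV, window update, then unframe."""
    if len(esp_packet) < 8 + 2 + ICV_LEN:
        raise IntegrityError("too short for ESP framing")
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise IntegrityError("SPI does not select this SA")
    replay_check(sa, seq)
    if not hmac.compare_digest(mac96(sa.auth_key, body), icv):
        raise IntegrityError("ICV mismatch")
    replay_update(sa, seq)
    pad_len = body[-2]
    return body[8:len(body) - 2 - pad_len]


def run_scenario() -> list:
    """Four packets over one SA: in order, reordered inside the window,
    replayed, forged (one bit flipped), then the genuine packet it copied."""
    key = b"\x0b" * 20                      # constructed test key
    sender = IpsecSa(spi=0x1000, auth_key=key)
    receiver = IpsecSa(spi=0x1000, auth_key=key)
    # constructed inner packet: minimal IPv4 header (checksum left 0) + payload
    inner = bytes.fromhex("4500002400010000401100000a0000010a000002") + b"GTP-C signalling"
    p1, p2, p3, p4 = (esp_tunnel_encapsulate(sender, inner) for _ in range(4))

    def attempt(pkt: bytes) -> str:
        try:
            esp_tunnel_decapsulate(receiver, pkt)
            return "accepted"
        except ReplayError:
            return "replay"
        except IntegrityError:
            return "integrity"

    forged = bytearray(p4)
    forged[20] ^= 0x01                      # flip a bit of the inner source address
    return [attempt(p1), attempt(p3), attempt(p2), attempt(p2),
            attempt(bytes(forged)), attempt(p4)]
```

run_scenario() returns ["accepted", "accepted", "accepted", "replay", "integrity", "accepted"]: packet 2 arriving after packet 3 is still inside the window and is accepted, its second copy is rejected as a replay, and the forged packet 4 fails the ICV without advancing the window, so the genuine packet 4 is still accepted afterwards. The order in the receiver (replay pre-check, then ICV, then window update) is what makes the anti-replay service depend on the integrity service rather than on the unauthenticated sequence number alone.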