ETSI TS 133 210-2017 Digital cellular telecommunications system (Phase 2+) (GSM) Universal Mobile Telecommunications System (UMTS) LTE 3G security Network Domain Security (NDS) IP .pdf

1、 ETSI TS 133 210 V14.0.0 (2017-05) Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Network Domain Security (NDS); IP network layer security (3GPP TS 33.210 version 14.0.0 Release 14) TECHNICAL SPECIFICATION ETSI ETSI T

2、S 133 210 V14.0.0 (2017-05)13GPP TS 33.210 version 14.0.0 Release 14Reference RTS/TSGS-0333210ve00 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but n

3、on lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions o

4、f the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific

5、network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find e

6、rrors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm e

7、xcept as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All rights reserve

8、d. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members GSM and

9、 the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 133 210 V14.0.0 (2017-05)23GPP TS 33.210 version 14.0.0 Release 14Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information perta

10、ining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secreta

11、riat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on

12、the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identiti

13、es, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “

14、shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when u

15、sed in direct citation. ETSI ETSI TS 133 210 V14.0.0 (2017-05)33GPP TS 33.210 version 14.0.0 Release 14Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 5g3Introduction 5g31 Scope 6g32 References 6g33 Definitions, symbols and abbreviations . 7g33.1 Definiti

16、ons 7g33.2 Symbols 8g33.3 Abbreviations . 8g34 Overview over network domain security for IP based protocols . 9g34.1 Introduction 9g34.2 Protection at the network layer . 9g34.3 Security for native IP based protocols 9g34.4 Security domains 9g34.4.1 Security domains and interfaces . 9g34.5 Security

17、Gateways (SEGs) . 9g35 Key management and distribution architecture for NDS/IP . 10g35.1 Security services afforded to the protocols . 10g35.2 Security Associations (SAs) . 10g35.2.0 General 10g35.2.1 Security Policy Database (SPD) . 11g35.2.2 Security Association Database (SAD) 11g35.3 Profiling of

18、 IPsec 11g35.3.0 General 11g35.3.1 Support of ESP . 11g35.3.2 Support of tunnel mode . 11g35.3.3 Support of ESP encryption transforms . 12g35.3.4 Support of ESP authentication transforms 12g35.3.5 Requirements on the construction of the IV . 12g35.4 Profiling of IKEv2 12g35.4.0 General 12g35.4.1 Voi

19、d 12g35.4.2 Profiling of IKEv2 12g35.4.3 Void 14g35.5 Security policy granularity . 14g35.6 Network domain security key management and distribution architecture for native IP based protocols . 14g35.6.1 Network domain security architecture outline 14g35.6.2 Interface description . 15g3Annex A (infor

20、mative): Other issues 17g3A.1 Network Address Translators (NATs) and Transition Gateways (TrGWs) . 17g3A.2 Filtering routers and firewalls 17g3A.3 The relationship between BGs and SEGs . 17g3Annex B (normative): Security protection for GTP . 18g3B.0 General . 18g3B.1 The need for security protection

21、 . 18g3ETSI ETSI TS 133 210 V14.0.0 (2017-05)43GPP TS 33.210 version 14.0.0 Release 14B.2 Policy discrimination of GTP-C and GTP-U . 18g3B.3 Protection of GTP-C transport protocols and interfaces 19g3Annex C (normative): Security protection of IMS protocols . 20g3C.0 General . 20g3C.1 The need for s

22、ecurity protection . 20g3C.2 Protection of IMS protocols and interfaces 20g3Annex D (normative): Security protection of UTRAN/GERAN IP transport protocols . 21g3D.0 General . 21g3D.1 The need for security protection . 21g3D.2 Protection of UTRAN/GERAN IP transport protocols and interfaces . 21g3Anne

23、x E (informative): RFC-4303 compared with RFC-2406 . 22g3Annex F (informative): Change history . 23g3History 25g3ETSI ETSI TS 133 210 V14.0.0 (2017-05)53GPP TS 33.210 version 14.0.0 Release 14Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). The

24、 contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as

25、follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates,

26、etc. z the third digit is incremented when editorial only changes have been incorporated in the document. Introduction An identified security weakness in 2G systems is the absence of security in the core network. This was formerly perceived not to be a problem, since the 2G networks previously were

27、the provinces of a small number of large institutions. This is no longer the case, and so there is now a need for security precautions. Another significant development has been the introduction of IP as the network layer in the GPRS backbone network and then later in the UMTS network domain. Further

28、more, IP is not only used for signalling traffic, but also for user traffic. The introduction of IP therefore signifies not only a shift towards packet switching, which is a major change by its own accounts, but also a shift towards completely open and easily accessible protocols. The implication is

29、 that from a security point of view, a whole new set of threats and risks must be faced. For 3G and fixed broadband systems it is a clear goal to be able to protect the core network signalling protocols, and by implication this means that security solutions must be found for both SS7 and IP based pr

30、otocols. This technical specification is the stage-2 specification for IP related security in the 3GPP and fixed broadband core networks. The security services that have been identified as being needed are confidentiality, integrity, authentication and anti-replay protection. These will be ensured b

31、y standard procedures, based on cryptographic techniques. ETSI ETSI TS 133 210 V14.0.0 (2017-05)63GPP TS 33.210 version 14.0.0 Release 141 Scope The present document defines the security architecture for network domain IP based control planes, which shall be applied to NDS/IP-networks (i.e. 3GPP and

32、 fixed broadband networks). The scope of network domain control plane security is to cover the control signalling on selected interfaces between network elements of NDS/IP networks. 2 References The following documents contain provisions which, through reference in this text, constitute provisions o

33、f the present document. - References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a specific reference, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to

34、 a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 21.133: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; S

35、ecurity Threats and Requirements“. 2 3GPP TR 21.905: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Vocabulary for 3GPP Specifications“. 3 3GPP TS 23.002: “3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects;

36、 Network architecture“. 4 3GPP TS 23.060: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS); Service description; Stage 2“. 5 3GPP TS 23.228: “3rd Generation Partnership Project; Technical Specification Group Services

37、and System Aspects; IP Multimedia Subsystem (IMS); Stage 2“. 6 3GPP TS 29.060: “3rd Generation Partnership Project; Technical Specification Group Core Network; General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp Interface“. 7 3GPP TS 33.102: “3rd Generation Partn

38、ership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Architecture“. 8 3GPP TS 33.103: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G security; Integration guidelines“. 9 3GPP TS 33.120: “3rd Generation Pa

39、rtnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Principles and Objectives“. 10 3GPP TS 33.203: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Access security for IP-based services“. 11 -25 Void. 26 R

40、FC-3554: “On the Use of Stream Control Transmission Protocol (SCTP) with IPsec“. 27 RFC-1750: “Randomness Recommendations for Security“. 28 3GPP TS 25.412: “3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iu interface signalling transport“. 29 Void. ETSI

41、 ETSI TS 133 210 V14.0.0 (2017-05)73GPP TS 33.210 version 14.0.0 Release 1430 3GPP TS 33.310: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Network domain security; Authentication Framework“. 31 RFC-4303: “IP Encapsulating Security Paylo

42、ad (ESP)“ 32 Void. 33 Void 34 Void. 35 RFC-4301: “Security Architecture for the Internet Protocol“. 36 Void. 37 Void. 38 3GPP TS 25.422: “3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iur interface signalling transport“. 39 3GPP TS 25.467: “3rd Generat

43、ion Partnership Project; Technical Specification Group Radio Access Network; UTRAN architecture for 3G Home Node B (HNB); Stage 2“. 40 3GPP TS 25.468: “3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iuh Interface RANAP User Adaption (RUA) signalling“. 4

44、1 3GPP TS 25.471: “3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iurh Interface RNSAP User Adaption (RNA) signalling“. 42 RFC-6311: “Protocol Support for High Availability of IKEv2/IPsec“. 43 RFC-7296: “Internet Key Exchange Protocol Version 2 (IKEv2)“

45、. 44 IANA: “Internet Key Exchange Version 2 (IKEv2) Parameters“. 45 RFC-7321: “Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)“. 3 Definitions, symbols and abbreviations 3.1 Definitions For the purposes of

46、 the present document, the following terms and definitions apply. Anti-replay protection: Anti-replay protection is a special case of integrity protection. Its main service is to protect against replay of self-contained packets that already have a cryptographical integrity mechanism in place. Confid

47、entiality: The property that information is not made available or disclosed to unauthorised individuals, entities or processes. Data integrity: The property that data has not been altered in an unauthorised manner. Data origin authentication: The corroboration that the source of data received is as

48、claimed. Entity authentication: The provision of assurance of the claimed identity of an entity. Key freshness: A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions of either an adversary or authorised party. NDS/IP Traffic: Traffic that requires pr

49、otection according to the mechanisms defined in this specification. NDS/IP-networks: 3GPP and fixed broadband networks. ETSI ETSI TS 133 210 V14.0.0 (2017-05)83GPP TS 33.210 version 14.0.0 Release 14IPsec Security Association: A unidirectional logical connection created for security purposes. All traffic traversing a SA is provided the same security protection. The SA itself is a set of parameters to define security protection between two entities. A IPsec Security Association includes the cryptographic algorithm