ITU-T Q 3201-2007 EAP-based security signalling protocol architecture for network attachment (Study Group 11)《记发器信令的信号编码》.pdf

1、 International Telecommunication Union ITU-T Q.3201TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2007) SERIES Q: SWITCHING AND SIGNALLING Signalling requirements and protocols for the NGN Signalling and control requirements and protocols to support attachment in NGN environments EAP-based secu

2、rity signalling protocol architecture for network attachment ITU-T Recommendation Q.3201 ITU-T Q-SERIES RECOMMENDATIONS SWITCHING AND SIGNALLING SIGNALLING IN THE INTERNATIONAL MANUAL SERVICE Q.1Q.3 INTERNATIONAL AUTOMATIC AND SEMI-AUTOMATIC WORKING Q.4Q.59 FUNCTIONS AND INFORMATION FLOWS FOR SERVIC

3、ES IN THE ISDN Q.60Q.99 CLAUSES APPLICABLE TO ITU-T STANDARD SYSTEMS Q.100Q.119 SPECIFICATIONS OF SIGNALLING SYSTEMS No. 4, 5, 6, R1 AND R2 Q.120Q.499 DIGITAL EXCHANGES Q.500Q.599 INTERWORKING OF SIGNALLING SYSTEMS Q.600Q.699 SPECIFICATIONS OF SIGNALLING SYSTEM No. 7 Q.700Q.799 Q3 INTERFACE Q.800Q.8

4、49 DIGITAL SUBSCRIBER SIGNALLING SYSTEM No. 1 Q.850Q.999 PUBLIC LAND MOBILE NETWORK Q.1000Q.1099 INTERWORKING WITH SATELLITE MOBILE SYSTEMS Q.1100Q.1199 INTELLIGENT NETWORK Q.1200Q.1699 SIGNALLING REQUIREMENTS AND PROTOCOLS FOR IMT-2000 Q.1700Q.1799 SPECIFICATIONS OF SIGNALLING RELATED TO BEARER IND

5、EPENDENT CALL CONTROL (BICC) Q.1900Q.1999 BROADBAND ISDN Q.2000Q.2999 SIGNALLING REQUIREMENTS AND PROTOCOLS FOR THE NGN Q.3000Q.3999 General Q.3000Q.3029 Network signalling and control functional architecture Q.3030Q.3099 Network data organization within the NGN Q.3100Q.3129 Bearer control signallin

6、g Q.3130Q.3179 Signalling and control requirements and protocols to support attachment in NGN environments Q.3200Q.3249 Resource control protocols Q.3300Q.3369 Service and session control protocols Q.3400Q.3499 Service and session control protocols supplementary services Q.3600Q.3649 NGN application

7、s Q.3700Q.3849 Testing for NGN networks Q.3900Q.3999 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. Q.3201 (10/2007) i ITU-T Recommendation Q.3201 EAP-based security signalling protocol architecture for network attachment Summary ITU-T Recommendation Q.3201 descri

8、bes the security signalling requirements and protocol architecture for supporting access security aspects of network attachment procedure in a next generation network (NGN). Basic threats and security requirements for the attachment of NGN access networks are analysed, and a model of an extensible a

9、uthentication protocol (EAP)-based security signalling protocol architecture accommodating heterogeneous multi-links in the next generation network access environment is presented. Based on it, three feasible scenarios for authentication signalling in NGN network attachment control functions are dev

10、eloped. Source ITU-T Recommendation Q.3201 was approved on 29 October 2007 by ITU-T Study Group 11 (2005-2008) under the ITU-T Recommendation A.8 procedure. ii ITU-T Rec. Q.3201 (10/2007) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field o

11、f telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing

12、telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by

13、the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate bot

14、h a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when al

15、l of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RI

16、GHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by I

17、TU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this

18、 may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2008 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. ITU-T Rec.

19、 Q.3201 (10/2007) iii CONTENTS Page 1 Scope 1 1.1 Relationship 1 2 References. 1 3 Abbreviations 2 4 Threats on access networks 3 5 Conventions 4 6 Security requirements for access networks. 4 7 Signalling protocol architecture for authentication 5 7.1 Basic authentication model. 7 7.2 EAP-based aut

20、hentication architecture in access networks 8 7.3 EAP authentication model 9 7.4 Integrated authentication model in NGN . 9 7.5 Authentication scenarios based on network architecture . 10 Bibliography. 14 ITU-T Rec. Q.3201 (10/2007) 1 ITU-T Recommendation Q.3201 EAP-based security signalling protoco

21、l architecture for network attachment 1 Scope This Recommendation provides the basic security framework protocol architecture to support network attachment in NGN environments. This Recommendation also provides some threats and security requirements related to the signalling and control for network

22、attachment. The goal of this Recommendation is to identify security requirements for access networks and to define an EAP-based security protocol architecture for network access attachment. The main focus of this Recommendation is on an EAP-based security signalling protocol architecture for authent

23、ication and authorization in the network attachment system of NGN. This Recommendation incorporates the overall context of related standards, on the issue of network security protocol, from IETF, IEEE and ITU-T. 1.1 Relationship Work for this Recommendation is based upon the context of ITU-T Y.2701

24、and ITU-T Y.2012; this Recommendation complies with the security requirements and guidelines specified in ITU-T Y.2701, and considers the compatibility with the functional architecture in ITU-T Y.2012. 2 References The following ITU-T Recommendations and other references contain provisions which, th

25、rough reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applyin

26、g the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T Y.

27、2012 ITU-T Recommendation Y.2012 (2006), Functional requirements and architecture of the NGN release 1. ITU-T Y.2701 ITU-T Recommendation Y.2701 (2007), Security requirements for NGN release 1. IETF RFC 2865 IETF RFC 2865 (2000), Remote Authentication Dial In User Service (RADIUS). IETF RFC 2989 IET

28、F RFC 2989 (2000), Criteria for Evaluating AAA Protocols for Network Access. IETF RFC 3127 IETF RFC 3127 (2001), Authentication, Authorization, and Accounting: Protocol Evaluation. IETF RFC 3588 IETF RFC 3588 (2003), Diameter Base Protocol. 2 ITU-T Rec. Q.3201 (10/2007) IETF RFC 4016 IETF RFC 4016 (

29、2005), Protocol for Carrying Authentication and Network Access (PANA) Threat Analysis and Security Requirements. IETF RFC 4058 IETF RFC 4058 (2005), Protocol for Carrying Authentication for Network Access (PANA) Requirements. IETF RFC 4186 IETF RFC 4186 (2006), Extensible Authentication Protocol Met

30、hod for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM). IETF RFC 4187 IETF RFC 4187 (2006), Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA). 3GPP TS 33.102 3GPP TS 33.102 (2006), Security Architecture (Relea

31、se 7). IEEE 802.11i IEEE 802.11i (2004), IEEE Standard for information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment

32、 6: Medium Access Control (MAC) Security Enhancements. 3 Abbreviations This Recommendation uses the following abbreviations: AAA Authentication, Authorization and Accounting AKA Authentication and Key Agreement ANI Access Network Interface AP Access Point AR-FE Acces Relay Functional Entity AS Authe

33、ntication Server BB Broadband DoS Denial of Service EAP Extensible Authentication Protocol EAPoL Extensible Authentication Protocol over Local Area Network EP Enforcement Point FE Functional Entity GW Gateway HSS Home Subscriber Server ID Identity IMS Internet Protocol Multimedia Subsystem ITU-T Rec

34、. Q.3201 (10/2007) 3 IP Internet Protocol IP-CAN Internet Protocol Connectivity Access Network ISDN Integrated Services Digital Network MAC Medium Access Control MITM Man-In-The-Middle NACF Network Access Control Function NGN Next Generation Network NMF Network Management Function NNI Network Networ

35、k Interface NW Network PAA Protocol for carrying authentication for network access Authentication Agent PaC Protocol for carrying authentication for network access Client PANA Protocol for carrying Authentication for Network Access PMK Pair-wise Master Key PPP Point-to-Point Protocol PSTN Public Swi

36、tched Telephone Network RACS Resource and Admission Control Subsystem RADIUS Remote Authentication Dial In User Service SSID Service Set Identifier TAAF Transport Authentication and Authorization Function TAPF Transport network Access Process Function TE Terminal Equipment TLS Transport Layer Securi

37、ty UE User Equipment UNI User Network Interface 4 Threats on access networks This clause discusses some possible threats on the authentication, defined in IETF RFC 4016, of the access network. Success or failure indications When a client accesses the network, an attacker can fool the client to fail

38、to be authenticated using a false authentication failure message. The attacker may launch a denial of service (DoS) attack and break the authentication signalling by sending a number of false failure messages. If the communication channel between the customer device and the authenticator is not prot

39、ected by a security association, the attacker can easily make false failure messages. The customer device and the authenticator can prevent this attack by using the authentication keys established in the mutual authentication procedure. Success or failure indication messages shall be encrypted or de

40、crypted using the authentication keys. 4 ITU-T Rec. Q.3201 (10/2007) Man-in-the-middle attack (MITM) An attacker can claim to be the customer device or the authenticator between the real customer device and the real authenticator. Using the man-in-the-middle (MITM) attack, the attacker can steal the

41、 security association between the real customer device and the real authenticator. If the attacker is successful in the man-in-the-middle (MITM) attack, the attacker can sniff all the messages and insert a spoof message channel between the real customer device and the real authenticator. The attacke

42、r, therefore, gains a capability to execute all different kinds of attacks later. Replay attack An attacker can replay the valid authentication messages to cause false failures or success. The customer device and the authenticator can be protected from this attack by encrypting the message with a se

43、quence number or time stamp. Device identifier attack The authenticator identifies the customer device using a device identifier. In case of successful authentication, the client can send the packet with the device identifier because the authenticator controls the authenticated traffic using the dev

44、ice identifier. However, the attacker can also send the packet using the device identifier without the authentication procedure. This attack can be prevented by using the security association between the customer device and the authenticator. Client leaving the network When the client is about to le

45、ave the access network, it should inform the authenticator of the service termination before it leaves, returning the allowed resources to the authentication client. If the customer device leaves the network without a notification, the attacker may pretend to be the client and use the network or tra

46、nsmit a disconnect message. Service theft An attacker can steal the network access service by pretending to be the authenticated client. After the client is successfully authenticated, the enforcement point will control traffic to prevent unauthorized traffic into the network. The filtering will be

47、based on the IP and MAC addresses. Any attacker who can spoof the IP and MAC addresses in the packets can launch a service-theft attack easily. This attack can be prevented using per-packet protection with the security association between the customer device and the authenticator. Denial of service

48、(DoS) attack Since the access network is vulnerable to many kinds of DoS attacks targeting the authentication agent or authenticator, the protocol should be designed to prevent DoS attacks. An attacker can perform a focused attack on the victim authenticator using a bunch of authentication requests.

49、 Since the authenticator may allocate resources to maintain the state information of the authentication client during the authentication process, the attacker can deplete the resources of the authenticator or authentication server. 5 Conventions None. 6 Security requirements for access networks This clause discusses the security requirements for the access network defined in IETF RFC 4058. ITU-T Rec. Q.3201 (10/2007) 5 Multi-access The authentication procedure should support authentication clients with multiple in