ITU-T Y 2704-2010 Security mechanisms and procedures for NGN (Study Group 13)《下一代网络(NGN)的安全机制和程序 13号研究组》.pdf

1、 International Telecommunication Union ITU-T Y.2704TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2010) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security Security mechanisms and procedures for NGN Recommendation

2、 ITU-T Y.2704 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399 Interfaces and protocols Y.400Y.499

3、Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabilities and resource management Y.1200

4、Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS Frameworks and functional architect

5、ure models Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.2300Y.2399 Network management Y.2400Y.

6、2499 Network control architectures and protocols Y.2500Y.2599 Future networks Y.2600Y.2699 Security Y.2700Y.2799Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T Y.2704 (01/2010) i Recommen

7、dation ITU-T Y.2704 Security mechanisms and procedures for NGN Summary Recommendation ITU-T Y.2701, Security requirements for NGN release 1, provides security requirements for next generation networks (NGNs) and its interfaces (e.g., UNIs, NNIs and ANIs). Recommendation ITU-T Y.2704 describes some s

8、ecurity mechanisms that can be used to fulfil the requirements described in Recommendation ITU-T Y.2701 and specifies the suite of options for each selected mechanism. Specifically, this Recommendation describes identification, authentication and authorization mechanisms; then it discusses transport

9、 security for signalling and OAMP, and media security. It then describes audit-trail-related mechanisms and finally describes the provisioning. The security mechanisms described in this Recommendation are based on use of the trust model defined in Recommendation ITU-T Y.2701. The list of security me

10、chanisms described in this Recommendation is not exhaustive. NGN providers are encouraged to support additional security tools, capabilities and operational measures as needed beyond the mechanisms specified in this Recommendation for NGN security protection. History Edition Recommendation Approval

11、Study Group 1.0 ITU-T Y.2704 2010-01-29 13 ii Rec. ITU-T Y.2704 (01/2010) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization

12、 Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets

13、every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts pur

14、view, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is vol

15、untary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and t

16、he negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involv

17、e the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recomm

18、endation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at

19、http:/www.itu.int/ITU-T/ipr/. ITU 2010 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T Y.2704 (01/2010) iii CONTENTS Page 1 Scope 1 1.1 Assumptions . 1 1.2 Overview 1 2 References. 2 3 Definitions 3

20、3.1 Terms defined elsewhere 3 3.2 Terms defined in this Recommendation . 4 4 Abbreviations and acronyms 4 5 Conventions 7 6 Security risks and threats 7 7 Security trust model 7 7.1 Single network trust model . 7 7.2 Peering network trust model . 9 8 Identification, authentication and authorization

21、. 10 8.1 Subscribers . 10 8.2 Network element 10 8.3 Credential usage in the NGN security 10 8.4 Identification and authentication of subscribers . 14 8.5 Identification and authentication of end-users . 18 8.6 Identification and authentication by TE-BE . 20 8.7 Authenticator-SAA/TAA-FEs interface .

22、 20 8.8 Identification and authentication of bearer traffic 21 9 Transport security for signalling and OAMP . 23 9.1 TLS . 23 9.2 IPsec in trusted and trusted-but-vulnerable zones 27 9.3 Key agreement protocol between untrusted and trusted-but-vulnerable zone . 31 9.4 IPsec between untrusted and tru

23、sted-but-vulnerable zone . 31 10 Media security 31 10.1 SRTP . 33 11 OAMP . 34 11.1 Network element interface to logging systems 35 11.2 Network element use of SNMP 35 11.3 Security patch management 35 11.4 Version management 35 11.5 Audit trail, trapping, and logging at TE-BE . 36 12 Provisioning o

24、f equipment in untrusted zone . 36 iv Rec. ITU-T Y.2704 (01/2010) Page Appendix I Examples of source-address assurance and its application to the mechanism of subscriber identification and authentication . 37 I.1 Subscriber identification and authentication linked to access-line authentication . 37

25、I.2 Subscriber identification and authentication linked to explicit access authentication at IP connectivity establishment . 39 Appendix II Emergency telecommunications service (ETS) interconnection security 42 II.1 Background . 42 II.2 Scope/purpose . 42 II.3 Security objectives and guidelines for

26、interconnection of ETS . 42 II.4 Authentication and authorization . 42 II.5 Transport security for signalling and OAMP . 43 II.6 Media traffic . 43 II.7 Support of calling number ID and calling name ID restriction features 43 II.8 Non-traceability 43 II.9 End-to-end peer-to-peer encryption . 43 Appe

27、ndix III Security best practices . 44 III.1 Introduction 44 III.2 Firewalls . 44 III.3 Operating system hardening . 45 III.4 Vulnerability assessment 45 III.5 Intrusion detection systems 46 Bibliography. 47 Rec. ITU-T Y.2704 (01/2010) 1 Recommendation ITU-T Y.2704 Security mechanisms and procedures

28、for NGN 1 Scope ITU-T Y.2701, Security requirements for NGN release 1, provides security requirements for next generation networks (NGNs) and its interfaces (e.g., UNIs, NNIs and ANIs), including a trust model. The security mechanisms selected to implement these requirements will contain options, an

29、d mismatched options are undesirable because they tend to introduce security vulnerabilities and make it more difficult to achieve interoperability. This Recommendation therefore highlights some important security mechanisms that can be used to realize the requirements in ITU-T Y.2701 and specifies

30、the suite of options to be used for each selected mechanism to reduce interoperability and mismatch problems. The list of mechanisms described in this Recommendation is not exhaustive. NGN providers are encouraged to support additional security tools, capabilities and operational measures as needed

31、beyond the mechanisms specified in this Recommendation for NGN security protection. This Recommendation is intended to be used with ITU-T Y.2701 to provide a base for NGN security. It should be used with other security-related Recommendations and other specifications as appropriate for specific secu

32、rity areas. NOTE The mechanisms described in this Recommendation for identification and authentication are part of the broader topic generally known as IdM (“identity management“). 1.1 Assumptions This Recommendation is based on the following assumptions: 1) The bundling of functional entities, as d

33、efined in ITU-T Y.2012, to a given network element will vary, depending on the vendor. 2) Each NGN provider has specific responsibilities within its domain for security. For example, implementing applicable security services and practices a) to protect itself, b) to assure end-to-end security is not

34、 compromised within its network, and c) to assure high availability and integrity of NGN communications. 3) Each network domain will establish and enforce policies for service level agreements (SLAs) to assure the security of its domain and the security of the network interconnections. It is assumed

35、 that the SLAs would specify security services, mechanisms and practices to be implemented to protect the interconnected networks and the communications (signalling/control traffic, bearer traffic and management traffic) across UNIs, ANIs and NNIs. 4) This Recommendation addresses network-based secu

36、rity, which is a layered architecture, consisting of perimeter security to trusted domains, physical security of provider equipment, and potentially the use of encryption. 1.2 Overview This Recommendation is organized as follows: Clause 2 (References) This clause provides normative references. Claus

37、e 3 (Definitions) This clause provides definitions used in this Recommendation. Clause 4 (Abbreviations and acronyms) This clause provides the list of abbreviations and acronyms used in this Recommendation. Clause 5 (Conventions) This clause is intentionally left blank. 2 Rec. ITU-T Y.2704 (01/2010)

38、 Clause 6 (Security risks and threats) This clause provides reference to security risks and threats applicable to NGN. Clause 7 (Security trust model) This clause provides a summary of the trust model defined in ITU-T Y.2701. Clause 8 (Identification, authentication and authorization) This clause pr

39、ovides mechanisms and security measures for identification, authentication and authorization. Clause 9 (Transport security for signalling and OAMP) This clause provides mechanisms for signalling and OAMP encryption and integrity protection. Clause 10 (Media security) This clause provides mechanisms

40、for media (i.e., bearer traffic) protection. Clause 11 (OAMP) This clauses provides information and references for audit trail, trapping and logging of security events. Clause 12 (Provisioning of equipment in untrusted zone) This clause provides information regarding provisioning of subscriber equip

41、ment in the untrusted zone. Appendix I Examples of source-address assurance and its application to the mechanism of subscriber identification and authentication Appendix II Emergency telecommunications service (ETS) interconnection security Appendix III Security best practices Bibliography 2 Referen

42、ces The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users

43、of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendat

44、ion does not give it, as a stand-alone document, the status of a Recommendation. ITU-T Y.2012 Recommendation ITU-T Y.2012 (2006), Functional requirements and architecture of the NGN release 1. ITU-T Y.2701 Recommendation ITU-T Y.2701 (2007), Security requirements for NGN release 1. ITU-T Y.2702 Reco

45、mmendation ITU-T Y.2702 (2008), Authentication and authorization requirements for NGN release 1. ITU-T Y.2703 Recommendation ITU-T Y.2703 (2009), The application of AAA service in NGN. ITU-T Y.2720 Recommendation ITU-T Y.2720 (2009), NGN identity management framework. ITU-T X.509 Recommendation ITU-

46、T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology Open systems interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T X.660 Recommendation ITU-T X.660 (2008) | ISO/IEC 9834-1:2008, Information technology Open Systems Interconnection Procedures for the operat

47、ion of OSI Registration Authorities: General procedures and top arcs of the International Object Identifier tree. Rec. ITU-T Y.2704 (01/2010) 3 ITU-T X.1035 Recommendation ITU-T X.1035 (2007), Password-authenticated key exchange (PAK) protocol. IETF RFC 4302 IETF RFC 4302 (2005), IP Authentication H

48、eader. IETF RFC 4303 IETF RFC 4303 (2005), IP Encapsulating Security Payload (ESP). IETF RFC 5246 IETF RFC 5246 (2008), The Transport Layer Security (TLS) Protocol Version 1.2. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 asset ITU-T

49、 Y.2701: Anything that has value to the organization, its business, its operations and its continuity. 3.1.2 border element ITU-T Y.2701: Network element providing functions connecting different security and administrative domains. 3.1.3 corporate network ITU-T Y.2701: A private network that supports multiple users and may be in multiple locations (e.g., an enterprise, a campus). 3.1.4 domain border element ITU-T Y.2701: Bor