AMERICAN NATIONAL STANDARD FOR TELECOMMUNICATIONS
ATIS-1000019.2007(R2012)
Network to Network Interface (NNI) Standard for Signaling and Control Security for Evolving VoP Multimedia Networks

ATIS is the leading technical planning and standards development organization committed to the rapid development of global, market-driven standards for the information, entertainment and communications industry. More than 200 companies actively formulate standards in ATIS Committees and Forums, covering issues including: IPTV, Cloud Services, Energy Efficiency, IP-Based and Wireless Technologies, Quality of Service, Billing and Operational Support, Emergency Services, Architectural Platforms and Emerging Networks. In addition, numerous Incubators, Focus and Exploratory Groups address evolving industry priorities including Smart Grid, Machine-to-Machine, Connected Vehicle, IP Downloadable Security, Policy Management and Network Optimization. ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a member and major U.S. contributor to the International Telecommunication Union (ITU) Radio and Telecommunications Sectors, and a member of the Inter-American Telecommunication Commission (CITEL). ATIS is accredited by the American National Standards Institute (ANSI). For more information, please visit .

AMERICAN NATIONAL STANDARD

Approval of an American National Standard requires review by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made towards their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard.
Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American National Standards may receive current information on all standards by calling or writing the American National Standards Institute.

Notice of Disclaimer

however, new security challenges are introduced. Threats in the end-user plane now become threats to the signaling and control plane, since the signaling and control plane becomes more accessible to the multitude of end-users.

Connections between carrier VoIP networks have been made via TDM or analogue mechanisms. Using TDM or analogue techniques isolates VoIP networks from each other and circumvents many interoperability issues, but it also adds unnecessary service limitations, cost, and complexity. It also degrades VoIP quality, as multiple TDM to IP transcoding hops increase latency and can add distortion. These undesirable effects undermine service quality and the potential to deliver voice, video, and other real-time communication services over a cost-effective converged infrastructure. To realize the full benefits of VoIP, networks must be able to be connected directly at the IP level without converting to TDM.

To enable direct IP connection between carrier networks, stringent security mechanisms must be in place at the network to network interface to ensure the networks are not vulnerable to attack. These security mechanisms allow desired IP telephony traffic to enter the network while blocking intruders and attacks in a controlled manner to protect internal network resources.

To ensure a secure network to network interface, a useful concept is that of a Border Security Function (BSF). The BSF is a set of security functions that enables secure communication to occur across the network to network interface. The security functions included in the BSF may be distributed among various network elements such as Call Servers or Soft Switches, or they may be included in stand-alone network elements such as a Session Border Controller (SBC). Implementation topology recommendations for the BSF are beyond the scope of this document. Other non-security related functions may also be included at the NNI, such as signaling translation and QoS policy enforcement; however, such non-security related functions are beyond the scope of this document.

A diagram of two interconnected networks is given below in Figure 2. The BSF security functions may include, but are not limited to:

- Access control mechanisms to allow only desired peer networks to access a network across the NNI.
- Authentication mechanisms to ensure the identity of signaling plane peer entities communicating across the NNI, and data origin authentication of signaling messages being sent across the NNI.
- Non-repudiation services for signaling messages being sent across the NNI.
- Data confidentiality services for signaling plane information being sent across the NNI to ensure it cannot be viewed by unauthorized parties.
- Security of communication across the NNI interface.
- Data integrity services for signaling plane information being sent across the NNI to ensure that it cannot be modified by unauthorized parties.
- Security services to enhance availability; for example, to protect networks from denial of service attacks at the NNI.
- Security services to ensure privacy of sensitive data and internal network topologies.

In Figure 2, an IP Transport Network is shown for completeness between different VoIP/Multimedia Networks. IP Transport Networks may or may not implement their own Border Security Function depending on the particular IP Transport Network security policy. For simplicity, subsequent diagrams in this document do not show the IP transport network.

Figure 2 - Architectural Diagram of Interconnected VoIP/Multimedia Networks

2 SCOPE, PURPOSE,

2. Security Layers (Applications Security, Network Services Security and Infrastructure Security); and
3. Security Dimensions (Access Control, Authentication, Non-repudiation/Audit Logging, Data Confidentiality and Privacy, Data Integrity, Availability).

This standard is related to the ITU-T Recommendation X.805 model in the following manner:

1. Security Planes Addressed: Signaling and Control Plane Only.
2. Security Layers Addressed: Applications Security only (H.323 and SIP).
3. Security Dimensions Addressed: All.

6 H.323 SECURITY

H.323 is the ITU Recommendation for the setup and control of packet telephony and multimedia. The following requirements address the NNI security for general areas of H.323 Voice over IP applications including:

- Connection Establishment (Registration, Admission, Status)
- Signaling/Call Control

Within H.323, other signaling and control standards are referenced:

- ITU-T Recommendation H.225, Call Signalling Protocols and Media Stream Packetization for Packet Based Multimedia Communications Systems.
  o H.225 includes the Registration, Admission, Status (RAS) channel for communications between endpoints and the gatekeeper.
- ITU-T Recommendation H.245, Control Protocol for Multimedia Communication.

The H.323 network architectural model is shown in Figure 4. See Reference H.323 for more information on the H.323 architecture, including H.323 definitions. Figure 5 illustrates the H.323 network to H.323 network interface. Figure 6 illustrates the SIP network to H.323 network interface.

Figure 4 - H.323 Architectural Model
NOTE - Solid Line Indicates Signaling Relationship.

Figure 5 - H.323 Network to H.323 Network Interface
NOTE 1 - Solid Line Indicates Signaling Relationship.
NOTE 2 - The Border Security Function is not an H.323 defined entity.

Figure 6 - SIP Network to H.323 Network Interface
NOTE 1 - Solid Line Indicates Signaling Relationship.
NOTE 2 - The Border Security Function is not an H.323 or SIP defined entity.

6.1 General Requirements

REQ-SEC-NNI-00100 Mechanisms for authentication and confidentiality based on IPsec and/or TLS shall be provided at a minimum for all Connection Establishment and Signaling/Call Control exchanges between network peer entities across the NNI. If NAT is implemented across the NNI and IPsec is used, said IPsec mechanisms must work in the presence of NAT.
NOTE - See H.235 for information on H.323 IPsec and TLS security profiles. Reference ITU-T H.235. Refer to Generic for IPsec and TLS Protocol Requirements.

6.2 Access Control Security Dimension

REQ-SEC-NNI-00200 Some means shall be used to restrict/grant access to specific network entities across the NNI interface.
NOTE - Access Control Lists (ACLs) may be used to provide access control.

REQ-SEC-NNI-00300 Some means shall be used to allow or reject specific types of information entering a network across the NNI.
NOTE - Firewall mechanisms may be used to allow or reject specific information entering a network across the NNI. For example, firewall mechanisms may be used to reject all but SIP and/or H.323 signaling and media plane and other desired information from entering a network across the NNI.

REQ-SEC-NNI-00400 Means to detect and log unauthorized access attempts to the network at the NNI shall be supported and used.
NOTE - A system configurable threshold may be set for the number of unauthorized access attempts beyond which a system alarm will be generated, logged, and reported to a management system.

6.3 Authentication Security Dimension

REQ-SEC-NNI-00500 There shall be a secure (mutually authenticated) mode of communication established between network entities implementing the border security function (BSF) across the NNI before
they exchange call connection messages, with either: TLS; or IPsec.

REQ-SEC-NNI-00600 Mutual authentication mechanisms across the NNI shall include at least one of the following:
1. Non-clear-text passwords.
2. Digital authenticators.
3. Digital signatures.

REQ-SEC-NNI-00700 Signaling traffic must include an element in the signaling data or message that enables the receiving network to verify the authenticity of the message. For example, authentication mechanisms within the IPsec and/or TLS protocols may be used for data or message authentication across the NNI.

REQ-SEC-NNI-00800 It shall be possible to independently assign an authentication mechanism or algorithm (as specified in the H.245 OpenLogicalChannel message) to each independent media channel.

6.4 Non-Repudiation Security Dimension

REQ-SEC-NNI-00900 The capability for unauthorized access attempts at the NNI to be logged and reported to a management system shall be provided.
NOTE - A system configurable threshold may be set for the number of unauthorized access attempts beyond which a system alarm will be generated, logged, and reported to a management system.

REQ-SEC-NNI-01000 The capability to identify unauthorized H.323 signaling packets at the NNI and to log and report these to a management system shall be provided.
NOTE - A system configurable threshold may be set for the number of unauthorized H.323 signaling packets beyond which a system alarm will be generated, logged, and reported to a management system.

6.5 Data Confidentiality Security Dimension

REQ-SEC-NNI-01100 The negotiated security mechanism (see requirement REQ-SEC-NNI-00100) across the NNI shall be supported to provide confidentiality of signaling data (e.g., H.323 aliases, phone numbers, network addresses, and call accounting information) to protect the signaling data from unauthorized access or observation.

6.6 Communication Security Dimension

No additional requirements to address the Communication Security dimension have been identified beyond those specified in the Authentication Security (see 6.3) and Data Integrity (see 6.7) dimensions.

6.7 Data Integrity Security Dimension

REQ-SEC-NNI-01200 The negotiated security mechanism (see requirement REQ-SEC-NNI-00100) across the NNI shall be used to provide signaling data integrity.

6.8 Availability Security Dimension

As a best practice guideline, interconnected networks should implement mechanisms to detect and mitigate H.323 DoS attacks directed both from the host to the foreign networks and in the opposite direction (i.e., attacks across the NNI). For example, network entities implementing the BSF should support capabilities to detect and prevent DoS attacks. Mechanisms may differ depending on the attack direction. Both application layer flooding attacks and malformed packet attacks should be mitigated by the DoS protection mechanisms.

6.9 Privacy Security Dimension

It is necessary to be able to hide internal network addresses and topology from viewing and discovery from the NNI in order to enhance security. For example, attackers accessing a network from the NNI should not be able to see internal IP addresses of call servers and other VoIP/Multimedia network elements.

REQ-SEC-NNI-01300 Network edge entities shall be capable of supporting network address translation (NAT) functions in order to hide internal network topology, if internal network resources use private IP addressing schemes.

7 SIP SECURITY

Session Initiation Protocol (SIP) is a control protocol for multimedia over packet networks including telephony, conferencing, and instant messaging. The SIP protocol initiates call/session setup, authentication and other call features within an IP domain. The SIP protocol is specified in IETF RFC 3261. The following requirements address the security for the following two general areas of SIP Voice over IP applications across the NNI interface:

- Session Establishment; and
- Signaling/Call Control.

Figure 7 shows the SIP network to SIP network interface. More information on SIP network architecture, including SIP definitions, can be found in RFC 3261. ATIS-1000009.2006 specifies the IP Network-to-Network Interface (NNI) for VoIP between carriers using SIP.

Figure 7 - SIP Network to SIP Network Interface
NOTE - Solid Line Indicates Signaling Relationship

7.1 General Requirements

REQ-SEC-NNI-01400 Mechan
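The access-control and unauthorized-attempt logging requirements of sections 6.2 and 6.4 above (REQ-SEC-NNI-00200, -00300, -00400, -00900 and -01000), illustrated by an added Python example that is not part of the standard: it checks each inbound signaling packet against an assumed peer ACL and a table of permitted signaling types, logs every rejection, and emits one alarm record for the management system when a source reaches a configurable threshold. The peer prefixes, the threshold value, the alarm record layout and the sample traffic are constructed assumptions; the port numbers are the registered ones for H.225 RAS, H.225 call signalling and SIP.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed NNI policy (constructed, not from the standard): only these peer
# networks may send signaling into the network (REQ-SEC-NNI-00200) and only
# these signaling types are admitted (REQ-SEC-NNI-00300). Ports are the
# registered ones for H.225 RAS, H.225 call signalling and SIP.
PEER_ACL = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
ALLOWED_SIGNALING = {
    ("udp", 1719): "H.225 RAS", ("tcp", 1720): "H.225 call signalling",
    ("udp", 5060): "SIP", ("tcp", 5060): "SIP", ("tcp", 5061): "SIP over TLS",
}
ALARM_THRESHOLD = 3  # system-configurable value (NOTE to REQ-SEC-NNI-00400)

def classify(src_ip, proto, dport):
    """Return (decision, reason) for one inbound signaling packet at the NNI."""
    if not any(ip_address(src_ip) in net for net in PEER_ACL):
        return "reject", "source not in peer ACL"
    if (proto, dport) not in ALLOWED_SIGNALING:
        return "reject", "not a permitted signaling type"
    return "accept", ALLOWED_SIGNALING[(proto, dport)]

def process(packets, threshold=ALARM_THRESHOLD):
    """Classify packets, log every unauthorized attempt per source, and emit one
    alarm record for the management system when a source reaches the threshold."""
    log, alarms, rejects = [], [], defaultdict(int)
    for src, proto, dport in packets:
        decision, reason = classify(src, proto, dport)
        if decision == "accept":
            log.append(f"ACCEPT src={src} {proto}/{dport} {reason}")
            continue
        rejects[src] += 1
        log.append(f"UNAUTHORIZED src={src} {proto}/{dport} reason={reason}")
        if rejects[src] == threshold:  # fire once, on crossing the threshold
            alarms.append({"src": src, "count": rejects[src], "event": "NNI_ACCESS_THRESHOLD"})
    return log, alarms

# Constructed sample traffic: a legitimate peer, a peer probing a non-signaling
# port, and a non-peer address repeatedly attempting H.225 call signalling.
SAMPLE = [
    ("192.0.2.10", "tcp", 1720), ("192.0.2.10", "udp", 1719),
    ("198.51.100.5", "tcp", 22),
    ("203.0.113.7", "tcp", 1720), ("203.0.113.7", "tcp", 1720),
    ("203.0.113.7", "tcp", 1720), ("203.0.113.7", "tcp", 5060),
]

if __name__ == "__main__":
    entries, raised = process(SAMPLE)
    print("\n".join(entries), raised, sep="\n")
```

In a deployment the alarm record would be forwarded to the management system and the log entries retained for the non-repudiation purposes of section 6.4.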