Reference number ECMA TR/12:2009
Ecma International 2009

ECMA TR/100
1st Edition / December 2009

Next Generation Corporate Networks (NGCN) - Security of Session-based Communications

COPYRIGHT PROTECTED DOCUMENT
Ecma International 2009

Contents

1 Scope ..... 1
2 References ..... 1
3 Terms and definitions ..... 3
3.1 External definitions ..... 3
3.2 Other definitions ..... 4
4 Abbreviations ..... 4
5 Background ..... 5
6 General principles ..... 5
6.1 Threats and counter-measures ..... 5
6.2 Threats to session level security ..... 6
6.3 Authorisation ..... 7
6.4 Security and mobile users ..... 8
6.5 Security and NGN ..... 8
6.6 Security and software status ..... 8
6.7 Call recording and audit ..... 8
7 Signalling security ..... 9
7.1 Security of access to session level services ..... 9
7.2 Securing a SIP signalling hop ..... 10
7.2.1 TLS for securing SIP signalling ..... 10
7.2.2 IPsec for securing SIP signalling ..... 10
7.2.3 The role of SIP digest authentication ..... 11
7.3 Ensuring that all SIP signalling hops are secured ..... 11
7.4 End-to-end signalling security ..... 12
7.4.1 End-to-end security using S/MIME ..... 12
7.4.2 Near end-to-end security using SIP Identity ..... 13
7.5 Authenticated identity delivery ..... 14
7.5.1 P-Asserted-Identity (PAI) ..... 14
7.5.2 Authenticated Identity Body (AIB) ..... 14
7.5.3 SIP Identity ..... 15
7.5.4 Authenticated response identity ..... 16
7.6 NGN considerations ..... 16
7.7 Public Switched Telephony Network (PSTN) interworking ..... 18
8 Media security ..... 18
8.1 SRTP ..... 18
8.2 Key management for SRTP ..... 19
8.2.1 Key management on the signalling path ..... 19
8.2.2 Key management on the media path ..... 20
8.3 Authentication ..... 21
8.3.1 Authentication with key management on the signalling path ..... 22
8.3.2 Authentication with DTLS-SRTP ..... 22
8.3.3 Authentication with ZRTP ..... 23
8.4 Media recording ..... 23
8.5 NGN considerations ..... 24
9 Use of certificates ..... 24
10 User interface considerations ..... 25
11 Summary of requirements, recommendations and standardisation gaps ..... 25
11.1 Requirements on NGNs ..... 25
11.2 Recommendations on enterprise networks ..... 26
11.3 Standardisation gaps ..... 26

Introduction

This Ecma Technical Report is one of a series of Ecma publications that explore IP-based enterprise communication involving Corporate telecommunication Networks (CNs) (also known as enterprise networks) and in particular Next Generation Corporate Networks (NGCN). The series particularly focuses on inter-domain communication, including communication between parts of the same enterprise, between enterprises and between enterprises and carriers.

This particular Ecma Technical Report discusses issues related to the security of session-based communications and builds upon concepts introduced in ECMA TR/95.

This Technical Report is based upon the practical experience of Ecma member companies and the results of their active and continuous participation in the work of ISO/IEC JTC1, ITU-T, ETSI, IETF and other international and national standardization bodies. It represents a pragmatic and widely based consensus. In particular, Ecma acknowledges valuable input from experts in ETSI TISPAN.

This Ecma Technical Report has been adopted by the General Assembly of December 2009.

DISCLAIMER

This document and possible translations of it may be copied and furnished to others, and derivative works that comment on
or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to Ecma International, except as needed for the purpose of developing any document or deliverable produced by Ecma International (in which case the rules applied to copyrights must be followed) or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by Ecma International or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and ECMA INTERNATIONAL DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Next Generation Corporate Networks (NGCN) - Security of Session-based Communications

1 Scope

This Ecma Technical Report is one of a series of publications that provides an overview of IP-based enterprise communication involving Corporate telecommunication Networks (CNs) (also known as enterprise networks) and in particular Next Generation Corporate Networks (NGCN). The series particularly focuses on session level communication based on the Session Initiation Protocol (SIP) [4], with an emphasis on inter-domain communication. This includes communication between parts of the same enterprise (on dedicated infrastructures and/or hosted), between enterprises and between enterprises and public networks. Particular consideration is given to Next Generation Networks (NGN) as public networks and as providers of hosted enterprise capabilities. Key technical issues are investigated, current standardisation work and gaps in this area are identified, and a number of requirements and recommendations are stated. Among other uses, this series of publications can act as a reference for other standardisation bodies working in this field, including ETSI TISPAN, 3GPP, IETF and ITU-T.

This particular Technical Report discusses security of session-based communications. It uses terminology and concepts developed in ECMA TR/95 [1]. It identifies a number of requirements impacting NGN standardisation and makes a number of recommendations concerning deployment of enterprise networks. Also a number of standardisation gaps are identified. Both signalling security and media security are considered.

The scope of this Technical Report is limited to communications with a real-time element, including but not limited to voice, video, real-time text, instant messaging and combinations of these (multi-media). The non-real-time streaming of media is not considered. For media, only security of transport (e.g., securing the Real-time Transport Protocol, RTP [6]) is considered, and higher level security measures (e.g., digital rights management) are not considered. Peer-to-peer signalling between SIP user agents (without involving SIP intermediaries) is not considered. Detailed considerations for lawful interception are outside the scope of this Technical Report, although general considerations for call recording and audit are discussed.

2 References

For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

[1] ECMA TR/95, Next Generation Corporate Networks (NGCN) - General
[2] ECMA TR/96, Next Generation Corporate Networks (NGCN) - Identification and Routing
[3] ECMA TR/101, Next Generation Corporate Networks (NGCN) - Emergency Calls
[4] IETF RFC 3261, SIP: Session Initiation Protocol
[5] IETF RFC 3325, Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks
[6] IETF RFC 3550, RTP: A Transport Protocol for Real-Time Applications
[7] IETF RFC 3711, The Secure Real-time Transport Protocol (SRTP)
[8] IETF RFC 3830, MIKEY: Multimedia Internet KEYing
[9] IETF RFC 3893, The Session Initiation Protocol (SIP) Authenticated Identity Body (AIB) Format
[10] IETF RFC 4119, A Presence-based GEOPRIV Location Object Format
[11] IETF RFC 4301, Security Architecture for the Internet Protocol
[12] IETF RFC 4346, The Transport Layer Security (TLS) Protocol Version 1.1
[13] IETF RFC 4347, Datagram Transport Layer Security
[14] IETF RFC 4474, Enhancements for Identity Management in the Session Initiation Protocol (SIP)
[15] IETF RFC 4567, Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)
[16] IETF RFC 4568, Session Description Protocol (SDP) Security Descriptions for Media Streams
[17] IETF RFC 4650, HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY)
[18] IETF RFC 4738, MIKEY-RSA-R: An Additional Mode of Key Distribution in Multimedia Internet KEYing (MIKEY)
[19] IETF RFC 4916, Connected Identity in the Session Initiation Protocol (SIP)
[20] IETF RFC 4961, Symmetric RTP / RTP Control Protocol (RTCP)
[21] IETF draft-ietf-avt-dtls-srtp-07, Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP)
NOTE At the time of publication of this Technical Report, the IETF had approved this draft as a standards track RFC but had not published the RFC and had not allocated an RFC number. If the draft is no longer available, readers should look for the RFC with the same title.
[22] IETF draft-ietf-avt-rtp-and-rtcp-mux-07, Multiplexing RTP Data and Control Packets on a Single Port
NOTE At the time of publication of this Technical Report, the IETF had approved this draft as a standards track RFC but had not published the RFC and had not allocated an RFC number. If the draft is no longer available, readers should look for the RFC with the same title.
[23] IETF draft-ietf-sip-connect-reuse-14, Connection Reuse in the Session Initiation Protocol (SIP)
NOTE At the time of publication of this Technical Report, the IETF had approved this draft as a standards track RFC but had not published the RFC and had not allocated an RFC number. If the draft is no longer available, readers should look for the RFC with the same title.
[24] IETF draft-ietf-sip-dtls-srtp-framework-07, Framework for Establishing an SRTP Security Context using DTLS
NOTE At the time of publication of this Technical Report, the IETF had approved this draft as a standards track RFC but had not published the RFC and had not allocated an RFC number. If the draft is no longer available, readers should look for the RFC with the same title.
[25] IETF RFC 5626, Managing Client Initiated Connections in the Session Initiation Protocol (SIP)
[26] IETF RFC 5630, The use of the SIPS URI Scheme in the Session Initiation Protocol (SIP)
[27] IETF draft-ietf-sipcore-location-conveyance-01, Location Conveyance for the Session Initiation Protocol
NOTE At the time of publication of this Technical Report, the IETF had not completed the approval process for this draft and had not allocated an RFC number. If the draft (or a later version) is no longer available, readers should look for the RFC with the same title.
[28] IETF draft-zimmermann-avt-zrtp-16, ZRTP: Media Path Key Agreement for
Secure RTP
NOTE At the time of publication of this Technical Report, the IETF had not published this as an informational RFC. If the draft (or a later version) is no longer available, readers should look for the RFC with the same title.
[29] ITU-T Recommendation E.164, The international public telecommunication numbering plan
[30] ITU-T Recommendation X.509, Information Technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks
[31] 3GPP TS 33.203, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G security; Access security for IP-based services (Release 8)
[32] 3GPP TS 33.210, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G security; Network domain security; IP network layer security (Release 8)
[33] 3GPP TS 33.310, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Network domain security; Authentication Framework (AF) (Release 8)
[34] ETSI TS 187 003, Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture
[35] IEEE 802.1X, IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control (2004)
[36] IEEE 802.11, IEEE Standard for Information Technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications (2007)
[37] OASIS, Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 (March 2005)
[38] ISO 27001, Information technology - Security techniques - Information security management systems - Requirements

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 External definitions

This Technical Report uses the following terms defined in ECMA TR/95 [1]:

Domain
Enterprise network
Next Generation Corporate Network (NGCN)
Next Generation Network (NGN)
Private network traffic
Public network traffic
Session Service Provider (SSP)
SIP intermediary

3.2 Other definitions

None.

4 Abbreviations

AIB Authenticated Identity Body
AKA Authentication and Key Agreement
CA Certification Authority
B2BUA Back-to-Back UA
DECT Digital Enhanced Cordless Telecommunications
DoS Denial of Service
DTLS Datagram Transport Layer Security
DNS Domain Name System
GAN Generic Access Network
IMS IP Multimedia Subsystem
IP Internet Protocol
IPsec Internet Protocol Security
LAN Local Area Network
MIKEY Multimedia Internet KEYing
NAT Network Address Translation
NGCN Next Generation Corporate Network
NGN Next Generation Network
PAI P-Asserted-Identity
PIN Personal Identification Number
PKI Public Key Infrastructure
PLMN Public Land Mobile Network
PSTN Public Switched Telephone Network
RTCP Real-time Transport Control Protocol
RTP Real-time Transport Protocol
S/MIME Secure/Multipurpose Internet Mail Extensions
SBC Session Border Controller
SDP Session Description Protocol
SIP Session Initiation Protocol
SRTCP Secure Real-time Transport Control Protocol
SRTP Secure RTP
SSP Session Service Provider
TCP Transmission Control Protocol
TLS Transport Layer Security
UA User Agent
UAC User Agent Client
UAS User Agent Server
UDP User Datagram Protocol
URI Uniform Resource Identifier
VPN Virtual Private Network
WLAN Wireless LAN

5 Background

General concepts of NGCNs are discussed in ECMA TR/95 [1]. In particular, that document describes use of the Session Initiation Protocol (SIP) [4] for session level communications within enterprise networks and with other domains. It focuses on enterprise networks based on enterprise infrastructure (NGCN), but also covers hosting on other networks, in particular NGNs, using the same infrastructure that supports public networks. ECMA TR/95 describes the basic communications architecture of an NGCN as comprising three levels (transport, session and application)