1、 ETSI TS 102 466 V1.1.1 (2007-01)Technical Specification Satellite Earth Stations and Systems (SES);Broadband Satellite Multimedia (BSM);Multicast Security ArchitectureETSI ETSI TS 102 466 V1.1.1 (2007-01) 2 Reference DTS/SES-00106 Keywords broadband, interworking, IP, satellite, security, ETSI 650
2、Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloa
3、ded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference s
4、hall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is ava
5、ilable at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The
6、 copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2007. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks curre
7、ntly being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 102 466 V1.1.1 (2007-01) 3 Contents Intellectual Property Rights5 Foreword.5 Introduction 5 1 Scope 6 2 Referen
8、ces 6 3 Definitions and abbreviations.7 3.1 Definitions7 3.2 Abbreviations .7 4 BSM Secure Multicast Service Requirements .8 4.1 Multicast threat analysis.8 4.2 Multicast service scenarios.9 4.2.1 Scenario 1: End-to-end secure multicast - External multicast source to BSM9 4.2.2 Scenario 2: Multicast
9、 group with static membership10 4.2.3 Scenario 3: Multicast group with dynamic membership.10 4.2.4 Scenario 4: Multiple senders.11 4.2.5 Scenario 5: Composite group key management between BSM and non-BSM domains 11 4.3 Summary of multicast security service requirements.12 5 BSM Multicast Security Fu
10、nctional Architecture Requirements.12 5.1 Multicast security reference framework.13 5.1.1 Multicast data handling (privacy and integrity)14 5.1.2 Group Security Association (GSA).14 5.1.2.1 Registration Security Association .15 5.1.2.2 Rekey Security Association 15 5.1.2.3 Data Security Association
11、.16 5.1.3 Key management 16 5.1.3.1 Registration Protocol.16 5.1.3.2 Rekey Protocol17 5.1.3.3 Data Security Protocol 17 5.1.4 Security policy establishment and enforcement18 5.1.5 Example multicast key management systems.19 5.2 Generic BSM multicast architecture 19 5.3 Interactions between security
12、and other non BSM entities.20 5.3.1 Interactions with AAA20 5.3.2 Interactions with COPS 20 5.3.3 Interactions between BSM security and Network Address Translation (NAT)20 5.3.4 Interactions with IPv6 related entities.21 5.4 Summary of multicast key management requirements.21 6 BSM Multicast Securit
13、y Functional Architecture Definition.22 6.1 Detailed BSM security functional architecture.22 6.1.1 Case 1: Secure multicast in the Satellite Dependent (SD) layer (below SI-SAP).23 6.1.2 Case 2: Secure multicast with network layer security (above SI-SAP) 24 6.1.3 Case 3: Mixed secure multicast (secur
14、ity manager above SI-SAP and security engine below SI-SAP) 25 6.1.4 Case 4: End-to-end secure multicast.26 6.1.5 Case 5: Secure multicast in composite groups (BSM and non-BSM membership)27 6.2 Interactions between multicast security and QoS BSM entities .27 6.2.1 QoS provisioning for key management
15、messages 27 6.2.2 Securing RSVP and Diffserv message exchanges 28 6.3 Interactions between multicast security and multicast source management entities 30 Annex A (informative): The current DVB-RCS security system .31 A.1 DVB-RCS Authentication31 ETSI ETSI TS 102 466 V1.1.1 (2007-01) 4 A.2 Transport
16、of security messages 32 A.3 DVB-RCS multicast extensions .33 Annex B (informative): IPSec extensions for multicast 35 B.1 Security Association Modes.35 B.1.1 Tunnel Mode with Address Preservation .35 B.2 Modifications to IPsec Databases.36 B.3 Data Origin Authentication 36 B.4 Interworking between u
17、nicast and multicast Key Management.37 B.5 IPv4 NAT issues.37 B.6 Avoidance of NAT Using an IPv6 Over IPv4 Network.38 Annex D (informative): Bibliography.39 History 40 ETSI ETSI TS 102 466 V1.1.1 (2007-01) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document
18、 may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETS
19、I standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence
20、 of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Satellite Earth Stations and Systems (SES). Introd
21、uction The aim here is to build an open specification for secure IP multicast service delivery via satellites. The present document are be based on current ETSI BSM architecture documents. Also it is aligned with the relevant IETF standards such as IPsec, MSEC and IP-over-DVB recommendations (RFCs).
22、 ETSI ETSI TS 102 466 V1.1.1 (2007-01) 6 1 Scope The present document provides a multicast security architecture for secure multicast services over BSM networks, maintaining interworking with the Internet architecture. It specifies the multicast security reference framework and the security services
23、 that can be part of a secure multicast solution. Its focus is on functional areas such as multicast group key management and data handling. The following topics are out of scope for the present document: Detailed definition, construction and modification of multicast security policies. Securing mul
24、ticast management and control messages for On Board Processing (OBP) satellites. Security for reliable multicast (such as Internet RMT work) is out of scope as well. This work builds on the earlier work in the general security architecture TS 102 465 1 and the Security Aspects report (BSM TR 102 287
25、 (see bibliography). 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specifi
26、c reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/ NOTE: While any hyperlinks included in this clause were valid
27、at the time of publication ETSI cannot guarantee their long term validity. 1 ETSI TS 102 465: “Satellite Earth Stations and Systems (SES); Broadband Satellite Multimedia (BSM); General Security Architecture“. 2 ETSI TS 102 292: “Satellite Earth Stations and Systems (SES); Broadband Satellite Multime
28、dia (BSM) services and architectures; Functional architecture for IP interworking with BSM networks“. 3 ETSI TS 102 463: “Satellite Earth Stations and Systems (SES); Broadband Satellite Multimedia (BSM); Interworking with IntServ QoS“. 4 ETSI TS 102 294: “Satellite Earth Stations and Systems (SES);
29、Broadband Satellite Multimedia (BSM) services and architectures; IP interworking via satellite; Multicast functional architecture“. 5 ETSI TS 102 464: “Satellite Earth Stations and Systems (SES); Broadband Satellite Multimedia (BSM); Interworking with DiffServ Qos“. 6 ETSI TS 102 461: “Satellite Ear
30、th Stations and Systems (SES); Broadband Satellite Multimedia (BSM); Multicast Source Management“. 7 ETSI TS 102 462: “Satellite Earth Stations and Systems (SES); Broadband Satellite Multimedia (BSM); QoS Functional Architecture“. ETSI ETSI TS 102 466 V1.1.1 (2007-01) 7 3 Definitions and abbreviatio
31、ns 3.1 Definitions For the purposes of the present document, the terms and definitions given in TS 102 465 1 apply. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AH Authentication Header ATM Asynchronous Transfer Mode CGD Composite Group Distributor C
32、OPS Common Open Policy Service DCKS Domain Controller and Key Server DES Data Encryption Standard DoS Denial of Service DVB Digital Video Broadcast DVB-RCS DVB-Return Channel Satellites DVB-S Digital Video Broadcast by Satellite EKE Explicit Key Exchange ESP Encapsulated Security Payload ETSI Europe
33、an Telecommunications Standards Institute FEC Forward Error Correction GC Group Controller GCKS Group Controller Key Server GKMP Group Key Management Protocol GS Guaranteed Service GSA Group Security Association GSPD Group Security Policy Database HMAC Hash based Message Authentication Code IP Inter
34、net Protocol IPsec Internet Protocol Security ISP Internet Service Provider ITU International Telecommunication Union LKH Logical Key Hierarchy MAC Message Authentication Code MKE Main Key Exchange MPE Multi Protocol Encapsulation MPEG Moving Picture Experts Group MPEG-TS MPEG Transport Stream MSEC
35、Multicast SECurity group in the IETF NAT Network Address Translation NCC Network Control Centre OBP On Board Processing PEP Performance Enhancing Proxy PID Packet IDentifier PKI Public Key Infrastructure PDP Policy Decision Point PEP Policy Enforcement Point QKE Quick Key Exchange QoS Quality of Ser
36、vice RCST Return Channel Satellite Terminal RMTP Reliable Multicast Transport Protocol RSA Rivest, Shamir and Adleman RTCP Real time Transport Control Protocol RTP Real time Transport Protocol SA Security Association SDAF Satellite Dependent Adaptation Function ETSI ETSI TS 102 466 V1.1.1 (2007-01)
37、8 SIAF Satellite Independent Adaptation Function SID Security association IDentity SIP Session Initiation Protocol SI-SAP Satellite Independent Service Access Point SPI Security Parameter Index SSM Source-Specific Multicast ST Satellite Terminal TEK Traffic Encryption Key ULE Unidirectional Lightwei
38、ght Encapsulation VPN Virtual Private Network 4 BSM Secure Multicast Service Requirements 4.1 Multicast threat analysis Application Type Trust Model Group Dynamics Figure 1: Factors affecting secure multicast system design There are several interrelated factors or aspects of IP Multicast that influe
39、nce the approaches and mechanisms used to secure it (details are presented in TR 102 287 (see bibliography) and shown in Figure 1. The most relevant factors include: Multicast application type. Group dynamics and Scalability issues. Underlying trust model. The secure BSM multicast groups can be larg
40、e and dynamic. Therefore multicast key management is considered the most complex issue that need to be addressed in details. The general security architecture TS 102 465 1and the security aspect report TR 102 287 (see bibliography) documents have analysed the security threats to BSM networks and ser
41、vices. They also provides the counter measures needed against such threats. The same threat analysis and counter measures are applicable to the present document. For example, threats and potential attacks on the BSM entities are categorized into 4 types: Network, software, hardware and human threats
42、. The network threats are the major focus of the present document. In addition, there is further analysis of threats to IP transmission over DVB networks in draft-cruickshank-ipdvb-sec-req-04.txt (see bibliography). For the purpose of the present document, three threat examples have been identified:
43、 EXAMPLE 1: Monitoring: The intruder monitors (passively) the satellite broadcasts in order to gain information about data and/or tracking the communicating parties. ETSI ETSI TS 102 466 V1.1.1 (2007-01) 9 EXAMPLE 2: Local high jacking of the satellite transmission: Here it is assumed that the intru
44、der is sophisticated and able to block the original transmission from the satellite system and deliver a modified version of the MPEG-TS transmission to a single satellite Receiver or a small group of Receivers (e.g. in a single company site). The global satellite system might not be aware of such a
45、ttacks. EXAMPLE 3: Global high jacking of the satellite transmission: Again it is assumed that the intruder is very sophisticated and able to high jack the whole satellite transmission to all Receivers. The above analysis shows the need for BSM security services such as data confidentiality, integri
46、ty, sender authentication/authorization and efficient key management system. These security services are defined in TS 102 465 1, clause 4.2. 4.2 Multicast service scenarios This clause presents some high level scenarios that highlight key management issue for secure multicast services in BSM networ
47、ks. Each scenario should counter all of the threats identified above. Security policies play an important role in defining the rules that govern a secure multicast session and the privileges of each ingress ST/Gateway (multicast sender) and egress STs (multicast receiver). All BSM security entities
48、will enforce the rules of these policies. 4.2.1 Scenario 1: End-to-end secure multicast - External multicast source to BSM This scenario is transparent to BSM. The BSM network plays no part in the secure multicast service setup or management. The multicast source (IP host/server), receivers (IP host
49、) and key management are outside the BSM security administrative domain. Figure 2 shows this scenario, where the access to BSM network is controlled and managed by the BSM multicast source management functions (described in TS 102 461 6). Secure multicast source (Host/server) Secure multicast receivers (hosts) IPsec/application multicast security BSM network (ACCESS CONTROL ONLY) Non BSM network Non BSM network Figure 2: Scenario 1: End-to-end multicast group - BSM transparent ETSI ETSI TS 102 466 V1.1.1 (2007-01) 104.2.2 Scenario 2:
