1、 ETSI TS 133 210 V15.0.0 (2018-07) Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Network Domain Security (NDS); IP network layer security (3GPP TS 33.210 version 15.0.0 Release 15) TECHNICAL SPECIFICATION ETSI ETSI T
2、S 133 210 V15.0.0 (2018-07)13GPP TS 33.210 version 15.0.0 Release 15Reference RTS/TSGS-0333210vf00 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but n
3、on lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions o
4、f the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific
5、network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find e
6、rrors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm e
7、xcept as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI
8、logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSMand the GSM logo are trademarks registered and
9、owned by the GSM Association. ETSI ETSI TS 133 210 V15.0.0 (2018-07)23GPP TS 33.210 version 15.0.0 Release 15Intellectual Property Rights Essential patents IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information pertaining to these essential
10、IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are
11、available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) whic
12、h are, or may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and c
13、onveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Technical Specification (TS) has been produced by
14、ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GS
15、M, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of th
16、e ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 133 210 V15.0.0 (2018-07)33GPP TS 33.210 version 15.0.0 Release 15Contents Intellectual Property Rights 2g3Foreword . 2g
17、3Modal verbs terminology 2g3Foreword . 5g3Introduction 5g31 Scope 6g32 References 6g33 Definitions, symbols and abbreviations . 7g33.1 Definitions 7g33.2 Symbols 8g33.3 Abbreviations . 8g34 Overview over network domain security for IP based protocols . 9g34.1 Introduction 9g34.2 Protection at the ne
18、twork layer . 9g34.3 Security for native IP based protocols 9g34.4 Security domains 9g34.4.1 Security domains and interfaces . 9g34.5 Security Gateways (SEGs) . 9g35 Key management and distribution architecture for NDS/IP . 10g35.1 Security services afforded to the protocols . 10g35.2 Security Assoc
19、iations (SAs) . 10g35.2.0 General 10g35.2.1 Security Policy Database (SPD) . 11g35.2.2 Security Association Database (SAD) 11g35.3 Profiling of IPsec 11g35.3.0 General 11g35.3.1 Support of ESP . 11g35.3.2 Support of tunnel mode . 11g35.3.3 Support of ESP encryption transforms . 11g35.3.4 Support of
20、ESP authentication transforms 12g35.3.5 Requirements on the construction of the IV . 12g35.4 Profiling of IKEv2 12g35.4.0 General 12g35.4.1 Void 12g35.4.2 Profiling of IKEv2 12g35.4.3 Void 13g35.5 Security policy granularity . 13g35.6 Network domain security key management and distribution architect
21、ure for native IP based protocols . 14g35.6.1 Network domain security architecture outline 14g35.6.2 Interface description . 15g3Annex A (informative): Other issues 16g3A.1 Network Address Translators (NATs) and Transition Gateways (TrGWs) . 16g3A.2 Filtering routers and firewalls 16g3A.3 The relati
22、onship between BGs and SEGs . 16g3Annex B (normative): Security protection for GTP . 17g3B.0 General . 17g3B.1 The need for security protection . 17g3ETSI ETSI TS 133 210 V15.0.0 (2018-07)43GPP TS 33.210 version 15.0.0 Release 15B.2 Policy discrimination of GTP-C and GTP-U . 17g3B.3 Protection of GT
23、P-C transport protocols and interfaces 18g3Annex C (normative): Security protection of IMS protocols . 19g3C.0 General . 19g3C.1 The need for security protection . 19g3C.2 Protection of IMS protocols and interfaces 19g3Annex D (normative): Security protection of UTRAN/GERAN IP transport protocols .
24、20g3D.0 General . 20g3D.1 The need for security protection . 20g3D.2 Protection of UTRAN/GERAN IP transport protocols and interfaces . 20g3Annex E (informative): RFC-4303 compared with RFC-2406 . 21g3Annex F (informative): Change history . 22g3History 24g3ETSI ETSI TS 133 210 V15.0.0 (2018-07)53GPP
25、TS 33.210 version 15.0.0 Release 15Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the conte
26、nts of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved doc
27、ument under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. Introduction An identified security weakness in 2G
28、systems is the absence of security in the core network. This was formerly perceived not to be a problem, since the 2G networks previously were the provinces of a small number of large institutions. This is no longer the case, and so there is now a need for security precautions. Another significant d
29、evelopment has been the introduction of IP as the network layer in the GPRS backbone network and then later in the UMTS network domain. Furthermore, IP is not only used for signalling traffic, but also for user traffic. The introduction of IP therefore signifies not only a shift towards packet switc
30、hing, which is a major change by its own accounts, but also a shift towards completely open and easily accessible protocols. The implication is that from a security point of view, a whole new set of threats and risks must be faced. For 3G and fixed broadband systems it is a clear goal to be able to
31、protect the core network signalling protocols, and by implication this means that security solutions must be found for both SS7 and IP based protocols. This technical specification is the stage-2 specification for IP related security in the 3GPP and fixed broadband core networks. The security servic
32、es that have been identified as being needed are confidentiality, integrity, authentication and anti-replay protection. These will be ensured by standard procedures, based on cryptographic techniques. ETSI ETSI TS 133 210 V15.0.0 (2018-07)63GPP TS 33.210 version 15.0.0 Release 151 Scope The present
33、document defines the security architecture for network domain IP based control planes, which shall be applied to NDS/IP-networks (i.e. 3GPP and fixed broadband networks). The scope of network domain control plane security is to cover the control signalling on selected interfaces between network elem
34、ents of NDS/IP networks. 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. - References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a s
35、pecific reference, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the pre
36、sent document. 1 3GPP TS 21.133: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Threats and Requirements“. 2 3GPP TR 21.905: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Vocabula
37、ry for 3GPP Specifications“. 3 3GPP TS 23.002: “3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects; Network architecture“. 4 3GPP TS 23.060: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; General Packet Radi
38、o Service (GPRS); Service description; Stage 2“. 5 3GPP TS 23.228: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; IP Multimedia Subsystem (IMS); Stage 2“. 6 3GPP TS 29.060: “3rd Generation Partnership Project; Technical Specification Group Core Networ
39、k; General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp Interface“. 7 3GPP TS 33.102: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Architecture“. 8 3GPP TS 33.103: “3rd Generation Partnership
40、 Project; Technical Specification Group Services and System Aspects; 3G security; Integration guidelines“. 9 3GPP TS 33.120: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Principles and Objectives“. 10 3GPP TS 33.203: “3rd Gener
41、ation Partnership Project; Technical Specification Group Services and System Aspects; Access security for IP-based services“. 11 -25 Void. 26 RFC-3554: “On the Use of Stream Control Transmission Protocol (SCTP) with IPsec“. 27 RFC-1750: “Randomness Recommendations for Security“. 28 3GPP TS 25.412: “
42、3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iu interface signalling transport“. 29 Void. 30 3GPP TS 33.310: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Network domain security; Authenti
43、cation Framework“. ETSI ETSI TS 133 210 V15.0.0 (2018-07)73GPP TS 33.210 version 15.0.0 Release 1531 RFC-4303: “IP Encapsulating Security Payload (ESP)“ 32 Void. 33 Void 34 Void. 35 RFC-4301: “Security Architecture for the Internet Protocol“. 36 Void. 37 Void. 38 3GPP TS 25.422: “3rd Generation Part
44、nership Project; Technical Specification Group Radio Access Network; UTRAN Iur interface signalling transport“. 39 3GPP TS 25.467: “3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN architecture for 3G Home Node B (HNB); Stage 2“. 40 3GPP TS 25.468: “3rd G
45、eneration Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iuh Interface RANAP User Adaption (RUA) signalling“. 41 3GPP TS 25.471: “3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iurh Interface RNSAP User Adaption (RNA) sig
46、nalling“. 42 RFC-6311: “Protocol Support for High Availability of IKEv2/IPsec“. 43 RFC-7296: “Internet Key Exchange Protocol Version 2 (IKEv2)“. 44 IANA: “Internet Key Exchange Version 2 (IKEv2) Parameters“. 45 RFC-7321: “Cryptographic Algorithm Implementation Requirements and Usage Guidance for Enc
47、apsulating Security Payload (ESP) and Authentication Header (AH)“. 3 Definitions, symbols and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply. Anti-replay protection: Anti-replay protection is a special case of integrity protection. I
48、ts main service is to protect against replay of self-contained packets that already have a cryptographical integrity mechanism in place. Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities or processes. Data integrity: The property
49、that data has not been altered in an unauthorised manner. Data origin authentication: The corroboration that the source of data received is as claimed. Entity authentication: The provision of assurance of the claimed identity of an entity. Key freshness: A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions of either an adversary or authorised party. NDS/IP Traffic: Traffic that requires protection according to the mechanisms defined in this specification. NDS/IP-n