1、 ETSI TS 187 021 V3.2.1 (2014-04) Security services and mechanisms for customer premises networks connected to NGN Technical Specification ETSI ETSI TS 187 021 V3.2.1 (2014-04)2Reference RTS/NTECH-00009-SEC-CPN Keywords gateway, IP, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex
2、 - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org The present document may be made availabl
3、e in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only pre
4、vailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ET
5、SI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced or utilized in any form or b
6、y any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all me
7、dia. European Telecommunications Standards Institute 2014. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizati
8、onal Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 187 021 V3.2.1 (2014-04)3Contents Intellectual Property Rights 5g3Foreword . 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbre
9、viations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 General overview . 8g35 Firewalling . 9g35.1 Firewalling: basic description. 9g35.2 Firewalling: architecture . 9g35.3 Firewalling: implementation details . 10g35.3.1 Stateful inspection 10g35.3.2 Communication technologies 10g35.3.3 Security
10、 policy 11g35.3.4 ALG for standard protocols support . 11g35.3.5 Firewall management 11g35.3.6 Logging . 12g36 SP and/or CP secure upgrade . 12g36.1 SP and/or CP secure upgrade: introduction and scope . 12g36.1.1 Introduction. 12g36.1.2 Scope 13g36.2 SP and/or CP secure upgrade: architecture . 13g36
11、.2.1 SP and/or CP upgrade stakeholders 13g36.2.1a CND secure upgrade trust hierarchy . 15g36.2.1a.1 IPTV trust authority 15g36.2.1a.2 Registration operator trust authority . 16g36.2.1a.3 ISP trust authority . 16g36.2.1a.4 IPTV service provider trust authority 16g36.2.1a.5 SP/CP trust authority . 16g
12、36.2.1a.6 CND trust authority . 16g36.2.1a.7 Chip manufacturer trust authority . 16g36.2.1a.8 IPTV service provider specific trusted platform software and applications 17g36.2.1a.9 IPTV service provider common applications 17g36.2.2 SP and/or CP upgrade architecture . 17g36.2.2.1 Overview . 17g36.2.
13、2.2 Functional entities . 17g36.2.2.3 Affected interfaces and reference points . 18g36.2.3 SP and/or CP upgrade use cases . 19g36.2.3.1 General 19g36.2.3.2 User changes service provider. 19g36.2.3.3 A stakeholder X requests to be firmware owner . 20g36.2.3.4 Firmware owner requests upgrade of firmwa
14、re. 21g36.2.3.5 A stakeholder Y requests to be SP owner . 21g36.2.3.6 SP owner requests upgrade of SP software module 22g36.2.3.7 A stakeholder Y requests to be CP owner . 22g36.2.3.8 CP owner requests upgrade of CP software module . 23g36.2.4 SP and/or CP upgrade security architecture 23g36.2.4.1 T
15、rusted environment architecture for SP/CP . 23g36.2.4.1.1 Hardware supported trusted environment preventing Hi-Jacking . 23g36.2.4.1.2 Hardware supported trusted environment, protecting the key flow . 27g3ETSI ETSI TS 187 021 V3.2.1 (2014-04)46.3 SPCP secure upgrade: implementation details . 27g36.3
16、.1 Aspects of end to end security 27g36.3.2 Secure upgrade using TR-069 CWMP 28g36.3.2.1 A stakeholder Y requests to be SP owner . 28g36.3.2.1.1 ACS initiates a remote management connection with the IPTV CND 28g36.3.2.1.2 perform mutual authentication between ACS and the IPTV CND 28g36.3.2.1.3 Instr
17、uct IPTV CND to download the SP loader package . 28g36.3.2.1.4 Instruct IPTV CND to download the SP Software Module . 29g36.3.2.1.5 Install EU where EE is secure execution environment for SPCP 29g37 Network Access Control (NAC) 29g37.1 NAC: basic description 29g38 Hosted-NAT solution for RTSP based
18、services . 32g38.1 Hosted-NAT for RTSP: basic description 32g38.2 Hosted-NAT for RTSP: architecture 33g3Annex A (informative): Example of a secure boot protocol . 35g3A.1 Type 1 STB architecture. 35g3A.1.1 Primary boot loader 35g3A.1.2 Secondary boot loader 36g3A.1.3 Secure boot process flow 37g3A.1
19、.4 Error handing and recovery procedures 37g3A.1.4.1 General 37g3A.1.4.2 Recovery sources 37g3A.1.4.3 Recovery success verification Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on
20、the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may b
21、e, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Network Technologies (NTECH). ETSI ETSI TS 187 021 V3.2.1 (2014-04)61 Scope The present document specifies the functional models and information flows (stage
22、2) and protocols (stage 3) which implement the security services and mechanisms required to provide security in a Customer Premises Network (CPN) to support the overall security architecture for NGN release 3. CPN security services and mechanisms are used either singly or in combination to realize t
23、he CPN security requirements specified in TS 187 001 1 (NGN Security requirements). Reference will be made to TR 185 012 i.1 for security mechanisms that have been shown to be appropriate for CPN environment. 2 References References are either specific (identified by date of publication and/or editi
24、on number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected locat
25、ion might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the presen
26、t document. 1 ETSI TS 187 001: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements“. 2 ETSI TS 185 006: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Customer Device
27、s architecture and Reference Points“. 3 ETSI TS 185 003: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Customer Network Gateway (CNG) Architecture and Reference Points“. 4 ETSI TS 187 003: “Telecommunications and Internet converged Services and P
28、rotocols for Advanced Networking (TISPAN); NGN Security; Security Architecture“. 5 Broadband Forum TR-069 Amendment 3: “CPE WAN Management Protocol“, November 2010. 6 Broadband Forum TR-157 Amendment 3: “Component Objects for CWMP“, November 2010. 7 IETF RFC 5246: “The Transport Layer Security (TLS)
29、 Protocol Version 1.2“. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI TR 185 012: “Telecommunications and Internet converged Services and Protocol
30、s for Advanced Networking (TISPAN) Feasibility study of security mechanisms for customer premises networks connected to TISPAN NGN“. i.2 IETF RFC 5209 (June 2008): “Network Endpoint Assessment (NEA): Overview and Requirements“. i.3 ETSI ES 282 003: “Telecommunications and Internet converged Services
31、 and Protocols for advanced Networking (TISPAN); Resource and Admission Control Sub-System (RACS): Functional Architecture“. ETSI ETSI TS 187 021 V3.2.1 (2014-04)7i.4 ETSI TS 102 825 (all parts): “Digital Video Broadcasting (DVB); Content Protection and Copy Management (DVB-CPCM)“. i.5 ETSI TS 183 0
32、65: “Telecommunications and Internet converged Services and Protocols for Advanced Networks(TISPAN); Customer Network Gateway Configuration Function; e3 Interface based upon CWMP“. i.6 Broadband Forum TR-069: “CPE WAN Management Protocol“. i.7 IEEE 802.16: “IEEE Standard for Local and metropolitan a
33、rea networks Part 16: Air Interface for Broadband Wireless Access Systems“. i.8 IEEE 802.1b: “IEEE Standard for Local and Metropolitan Area Networks - Local and Metropolitan Area Network: LAN/MAN Management“. i.9 Home Gateway Initiative: “Home Gateway Technical Requirements V.1.0“. 3 Definitions and
34、 abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in TS 187 003 4 and Broadband Forum TR-157 6 apply. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: ACS Auto-Configuration Server AKA Authentication
35、 and Key Agreement ALG Application Level GatewayAPI Application programming Interface B2BUA Back to back User Agent BGF Border Gateway FunctionBL1 Boot Loader image CA Conditional AccessC-BGF Core- Border Gateway Function CND Customer Network Device CND-CMF CND-Configuration and Management Function
36、CND-CPF CND-Content Protection Function CND-CSMF CND-Communication Service Media Function CND-SPF CND-Service protection Function CNG Customer Network Gateway CP Content Protection CPE Consumer Premise Equipment CPN Customer Premises Network CW Control Words DLNA Digital Living Network Alliance DMZ
37、DeMilitarized Zone DOS Denial Of Service DRM Digital Right Management DSL Digital Subscriber LineDVB Digital Video Broadcasting DVB-CPCM DVB Content Protection hence the CNG is the perfect candidate to perform the firewall functions. 5.1 Firewalling: basic description There are several approaches to
38、 implements firewall functionalities, such as: Packet Filtering: the simplest one inspects each incoming or outgoing IP packet permitting, dropping or rejecting it on the basis of simple policies (usually defined as access control list) such as the IP address and the protocol type. Stateful Firewall
39、: in addition to a Packet Filter, keeps track on IP packets belonging to the same connection thereby detecting whether a packet is part of an existing connection or a start of a new connection. Application Level Gateway: In addition to a stateful firewall can understand the behaviour of some applica
40、tions and can detect e.g. if an illegal protocol is used for a given application or dynamically open ports for additional sessions belonging to a flow. Firewalls can divide the network into subnets each one with a different level of security and different security policy as for example a demilitariz
41、ed zone. The firewall could have several configuration alternatives: A basic/minimum configuration to ensure a minimum level of security. One or several default configurations provided and managed by the operator/service provider through a remote management system. Additional alternative configurati
42、ons that can depend on the user (e.g. there can be different configurations for parents and children). These user specific configurations could be managed by the same entity managing the user identity (e.g. the UICC). 5.2 Firewalling: architecture In the CPN context, the CNG sits between the NGN and
43、 the internal network and this aspect makes the CNG as the perfect candidate to host the firewall functions. Figure 1 shows a typical scenario where the CNG and the Firewall are co-located on the same device. The external interface is the one that is connected to the NGN via e.g. xDSL, IEEE 802.16 i
44、.7 wireless modem, FTTx, etc., and is often referred to as the unsecure (red) interface. The secure (black) internal interfaces are connected to the CNDs and can be based on ethernet, IEEE 802.1b i.8 and other wired or wireless communication technologies. The firewall may also implement a DMZ. ETSI
45、ETSI TS 187 021 V3.2.1 (2014-04)10CNDCPNCNGFirewallInternal(secure)interfacesOutbound trafficNGNCNDCNDInbound trafficExternal (unsecure)interfaceFigure 1: Firewall in the CPN The advantages of using a Firewall as shown in the picture (i.e. co-located on the CNG) is that the CNG appears to the extern
46、al network (i.e. NGN) as the only point of contact for the CPN, simplifying the protection of the CNDs against threats that originate on the NGN. 5.3 Firewalling: implementation details For the protection of the CPN, a firewall should support some basic features, such as security policy definition a
47、nd enforcing, firewall management, logging functions and so on. The following clause describes in details such features. 5.3.1 Stateful inspection The stateful firewall function is mandatory for the protection of the CPN, such a firewall function may be implemented in the CNG. While a packet filter
48、decides whether or not to drop a packet based on few information contained in the packet headers (e.g. addressing information), a stateful packet filter takes its decisions also on the state information that the firewall keeps in memory about all active connections travelling across it. For connecti
49、on-oriented protocols, such as TCP, the state of the connection is equivalent to the protocols definition of a connection (i.e. three-way handshake), whereas for a connection-less protocol, such as UDP, the state of the connection is the set of packets that are sent between common endpoints (i.e. source IP address/port and destination IP address/port) without interruption, i.e. the lack of any packets matching that flow for a given period of time. For the CPN context such a period of time shall be one minute. The stateful
