1、 International Telecommunication Union ITU-T X.1101TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2010) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Multicast security Security requirements and framework for multicast communication Recommenda
2、tion ITU-T X.1101 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM AS
3、PECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE A
4、PPLICATIONS AND SERVICES Multicast security X.1100X.1109Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cyber
5、security X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Vulnerability/state exchange X.1520X.1539 Event/incident/heuri
6、stics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1101 (05/2010) i Recommendation I
7、TU-T X.1101 Security requirements and framework for multicast communication Summary Recommendation ITU-T X.1101 defines the network and service models used for multicast communication. It addresses potential security threats and the required countermeasures. Potential threats are defined from the ge
8、neral, mobility-oriented and multicast specific perspectives, and multicast-specific threats are analysed in particular detail. As such, the security requirements, framework and functions are defined and explained as the main focus of the Recommendation. History Edition Recommendation Approval Study
9、 Group 1.0 ITU-T X.1101 2010-05-29 17 ii Rec. ITU-T X.1101 (05/2010) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sect
10、or (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every
11、 four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview,
12、 the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntar
13、y. However, the Recommendation may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the ne
14、gative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the
15、 use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendat
16、ion, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:
17、/www.itu.int/ITU-T/ipr/. ITU 2010 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1101 (05/2010) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Terms and definitions . 1 3.1 Terms defined elsewhere
18、1 3.2 Terms defined in this Recommendation . 3 4 Abbreviations and acronyms 3 5 Conventions 4 6 Overview of multicast communication . 4 6.1 Network and service models on multicast communication 5 6.2 Characteristics of multicast communications . 10 7 Security threats to multicast communication 11 7.
19、1 General multicast security threats in wired networks . 12 7.2 Mobile multicast security threats in a wireless network 14 8 Security requirements for multicast communication 15 8.1 Security requirements . 15 8.2 Relationship between security threats and requirements in multicast communications 17 9
20、 Security framework for multicast communication . 17 9.1 Multicast security architecture . 18 9.2 Multicast security functions satisfying the security requirements . 20 Appendix I Use cases for wired mobile multicast communication standards 24 I.1 Multicast in a wired environment . 24 I.2 Multicast
21、in wireless networks . 27 Appendix II Security technologies for multicast communication 31 Bibliography. 32 Rec. ITU-T X.1101 (05/2010) 1 Recommendation ITU-T X.1101 Security requirements and framework for multicast communication 1 Scope The purpose of this Recommendation is to analyse the potential
22、 security threats and vulnerabilities that can arise during multicast communication at the application and IP layers, which provides efficient multiparty group communication, as well as to define the basic security requirements, and provide the security objects and functionalities, the security stru
23、cture and multicast security technology for the efficient implementation of security to support such communication. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the tim
24、e of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A
25、list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.603 Recommendation ITU-T X.603 (2004) | ISO/IEC 16512-1:2005, Information technology R
26、elayed multicast protocol: Framework. ITU-T X.603.1 Recommendation ITU-T X.603.1 (2007) | ISO/IEC 16512-2:2008, Information technology Relayed multicast protocol: Specification for simplex group applications. ITU-T X.604 Recommendation ITU-T X.604 (2010) | ISO/IEC 24793-1:2010, Information technolog
27、y Mobile multicast communications: Framework. ITU-T X.604.1 Recommendation ITU-T X.604.1 (2010) | ISO/IEC 24793-2:2010, Information technology Mobile multicast communications: Protocol over native IP multicast networks. 3 Terms and definitions 3.1 Terms defined elsewhere This Recommendation uses the
28、 following terms defined elsewhere: 3.1.1 access control b-ITU-T X.800: The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. 3.1.2 anonymity b-ITU-T X.1252: A situation where an entity cannot be identified within a set of entities
29、. NOTE Anonymity prevents the tracing of entities or their behaviour such as user location, frequency of a service usage, and so on. 3.1.3 application service provider (ASP) b-ITU-T X.1121: An entity (person or group) which provides application service(s) to mobile users through an application serve
30、r. 3.1.4 authentication b-ITU-T X.800: See data origin authentication and peer-entity authentication. 2 Rec. ITU-T X.1101 (05/2010) 3.1.5 authorization b-ITU-T X.800: The granting of rights, which includes the granting of access based on access rights. 3.1.6 confidentiality b-ITU-T X.800: The proper
31、ty that information is not made available or disclosed to unauthorized individuals, entities, or processes. 3.1.7 content protection b-ITU-T X.1191: Ensuring that an end user can only use the content that he/she already acquired in accordance with the rights granted to him/her by the rights holder;
32、content Protection involves protecting contents from illegal copying and distribution, interception, tampering, unauthorized use, etc. 3.1.8 data integrity b-ITU-T X.800: The property that data has not been altered or destroyed in an unauthorized manner. 3.1.9 data origin authentication b-ITU-T X.80
33、0: The corroboration that the source of data received is as claimed. 3.1.10 integrity b-ITU-T X.800: The property that data has not been altered or destroyed in an unauthorized manner 3.1.11 IP multicast ITU-T X.603: Realizes a multicast scheme in the IP network with the help of multiple multicast-e
34、nabled IP routers. 3.1.12 key b-ITU-T X.800: A sequence of symbols that controls the operations of encipherment and decipherment. 3.1.13 key management b-ITU-T X.800: The generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy. 3.1.14 masqu
35、erade b-ITU-T X.800: The pretence by an entity to be a different entity. 3.1.15 mobile network b-ITU-T X.1121: A network that provides wireless network access points to mobile terminals. 3.1.16 mobile terminal b-ITU-T X.1121: An entity that has wireless network access function and connects a mobile
36、network for data communication with application servers or other mobile terminals. 3.1.17 mobile user b-ITU-T X.1121: An entity (person) that uses and operates the mobile terminal for receiving various services from application service providers. 3.1.18 multicast ITU-T X.603: A data delivery scheme
37、where the same data unit is transmitted from a single source to multiple destinations in a single invocation of service. 3.1.19 peer-entity authentication b-ITU-T X.800: The corroboration that a peer entity in an association is the one claimed. 3.1.20 personally identifiable information (PII) b-ITU-
38、T X.1252: Any information a) that identifies or can be used to identify, contact, or locate the person to whom such information pertains; b) from which identification or contact information of an individual person can be derived; or c) that is or can be linked to a natural person directly or indirec
39、tly. 3.1.21 security policy b-ITU-T X.800: The set of criteria for the provision of security services (see also identity-based and rule-based security policy). 3.1.22 shoulder surfing b-ITU-T X.1121: A security threat which collects information in busy places by watching keystroke, reading mobile te
40、rminals screen, or listening to sound from a mobile terminal. 3.1.23 threat b-ITU-T X.800: A potential violation of security. Rec. ITU-T X.1101 (05/2010) 3 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 backward access control: Feature by which joinin
41、g members are not allowed to decrypt past data. NOTE This definition is consistent with b-IETF RFC 4046. 3.2.2 forward access control: Feature by which joining members are not allowed to access to future group data. NOTE This definition is consistent with b-IETF RFC 4046. 3.2.3 group and membership
42、control (GMC) agent: An agent that is in charge of user and membership authentication, authorization for accessing a group, group management, etc. 3.2.4 group identifier: An identifier used to represent a specific group. 3.2.5 group key management: The secure distribution and refreshment of keying m
43、aterial. 3.2.5 group key management (GKM) agent: An agent which has a responsibility for the creation, distribution, renewal and maintenance of group keys. 3.2.6 individual key: A key shared between a user and a session manager through group and membership control (GMC), after a successful user auth
44、entication. 3.2.7 membership authentication: Mechanism that identifies whether a node is a genuine member of a multicast session group. 3.2.8 multicast communication: A communication using multicasting technologies, i.e., IP multicast or overlay multicast. 3.2.9 overlay multicast network: An overlay
45、 multicast network pertains to a network wherein legacy IP multicasting schemes are not fully supported, where multicast application data are delivered using unicast transport such as TCP, UDP, or IP-in-IP tunnelling schemes. 3.2.10 receiver security agent (ReSA): An agent assuming responsibility fo
46、r the corresponding security functions of the sender security agent (SSA), the group and membership control (GMC) agent and the group key management (GKM) agent such as a membership authentication and group key update. 3.2.11 sender security agent (SSA): An agent which is to perform contents protect
47、ion and the corresponding security functions of the receiver security agent (ReSA), the group and membership control (GMC) agent and the group key management (GKM) agent. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: ACK ACKnowledgement CP Contents P
48、rovider DoS Denial of Service DMA Dedicated Multicast Agent DVMPR Distance Vector Multicast Routing Protocol FA Foreign Agent FEC Forward Error Correction GKM Group Key Management GM multicast Group Member 4 Rec. ITU-T X.1101 (05/2010) GMC Group and Membership Control HA Home Agent IGMP Internet Gro
49、up Management Protocol IP Internet Protocol ISP Internet Service Provider LMC Local Mobility Controller MA Multicast Agent (including HA and FA) MAID Multicast Agent IDentifier MCS Multicast Contents Server MLD Multicast Listener and Discovery MMA Mobile Multicast Agent MMC Mobile Multicast Communications MN Mobile Node MOSPF Multicast Open shortest Path First MR Multicast-enabled Router NAK Negative AcKnowledgement PIM Protocol Independent Multicast ReSA Receiver Secu
