Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 33.210  Word version:  18.1.0

Top   Top   None   None   Next
0…   4…   5…   6…   A…

 

0  Introductionp. 5

An identified security weakness in GPRS systems is the absence of security in the core network. This was formerly perceived not to be a problem, since the GPRS networks previously were the provinces of a small number of large institutions. This is no longer the case, and so there is now a need for security precautions. Another significant development has been the introduction of IP as the network layer in the GPRS backbone network and then later in the UMTS network domain. Furthermore, IP is not only used for signalling traffic, but also for user traffic. The introduction of IP therefore signifies not only a shift towards packet switching, which is a major change by its own accounts, but also a shift towards completely open and easily accessible protocols. The implication is that from a security point of view, a whole new set of threats and risks must be faced.
For UMTS and fixed broadband systems it is a clear goal to be able to protect the core network signalling protocols, and by implication this means that security solutions must be found for both SS7 and IP based protocols.
Starting with LTE, but especially with 5G, security of signalling protocols moves onto the application layer. The current document is the central repository of the protection mechanisms and profiles for these protocols.
Starting with LTE, but especially with 5G, security of signalling protocols moves onto the application layer. The current document is the central repository of the protection mechanisms and profiles for these protocols.
This document is the stage-2 specification for IP related security in the 3GPP and fixed broadband core networks.
The security services that have been identified as being needed are confidentiality, integrity, authentication and anti-replay protection. These will be ensured by standard procedures, based on cryptographic techniques.
Up

1  Scopep. 6

The present document defines the security architecture for network domain IP based control planes, which shall be applied to NDS/IP-networks (i.e. 3GPP and fixed broadband networks). The scope of network domain control plane security is to cover the control signalling on selected interfaces between network elements of NDS/IP networks. The present document furthermore serves as a central repository for cryptographic profiles for security above IP layer.

2  Referencesp. 6

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]  Void
[2]
TR 21.905: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Vocabulary for 3GPP Specifications".
[3]
TS 23.002: "3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects; Network architecture".
[4]  Void
[5]  Void
[6]
TS 29.060: "3rd Generation Partnership Project; Technical Specification Group Core Network; General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp Interface".
[7]  Void
[8]  Void
[9]  Void
[10]
TS 33.203: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Access security for IP-based services".
[11] - [25]  Void.
[26]
RFC 3554:  "On the Use of Stream Control Transmission Protocol (SCTP) with IPsec".
[27]  Void.
[28]
TS 25.412: "3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iu interface signalling transport".
[29]  Void
[30]
TS 33.310: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Network domain security; Authentication Framework".
[31]
RFC 4303:  "IP Encapsulating Security Payload (ESP)"
[32]  Void
[33]  Void
[34]  Void
[35]
RFC 4301:  "Security Architecture for the Internet Protocol".
[36]  Void
[37]  Void
[38]
TS 25.422: "3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iur interface signalling transport".
[39]
TS 25.467: "3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN architecture for 3G Home Node B (HNB); Stage 2".
[40]
TS 25.468: "3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iuh Interface RANAP User Adaption (RUA) signalling".
[41]
TS 25.471: "3rd Generation Partnership Project; Technical Specification Group Radio Access Network; UTRAN Iurh Interface RNSAP User Adaption (RNA) signalling".
[42]
RFC 6311:  "Protocol Support for High Availability of IKEv2/IPsec".
[43]
RFC 7296:  "Internet Key Exchange Protocol Version 2 (IKEv2)".
[44]
IANA: "Internet Key Exchange Version 2 (IKEv2) Parameters".
[45]  Void
[46]
RFC 7515:  "JSON Web Signature (JWS)".
[47]
RFC 7516:  "JSON Web Encryption (JWE)".
[48]
RFC 7518:  "JSON Web Algorithms (JWA)".
[49]
RFC 6347:  "Datagram Transport Layer Security Version 1.2".
[50]
RFC 5246:  "The Transport Layer Security (TLS) Protocol Version 1.2".
[51]
RFC 8442:  "ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS 1.2 and DTLS 1.2".
[52]  Void
[53]
RFC 2817:  "Upgrading to TLS Within HTTP/1.1".
[54]
RFC 5288:  "AES Galois Counter Mode (GCM) Cipher Suites for TLS".
[55]
RFC 5289:  "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)".
[56]  Void
[57]
RFC 6066:  "Transport Layer Security (TLS) Extensions: Extension Definitions".
[58]  Void.
[59]
RFC 5077:  "Transport Layer Security (TLS) Session Resumption without Server-Side State".
[60]
RFC 5746:  "Transport Layer Security (TLS) Renegotiation Indication Extension".
[61]
RFC 7627:  "Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension".
[62]
RFC 7919:  "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)".
[63]  Void
[64]
RFC 5489:  "ECDHE_PSK Cipher Suites for Transport Layer Security (TLS)".
[65]
RFC 5487:  "Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode".
[66]
RFC 8446:  "The Transport Layer Security (TLS) Protocol Version 1.3".
[67]  Void
[68]  Void
[69]
RFC 4086:  "Randomness Recommendations for Security".
[70]
RFC 8221:  "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)".
[71]
RFC 8422:  "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)".
[72]
RFC 8937:  " Randomness Improvements for Security Protocols".
[73]
RFC 8247:  "Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)".
[74]
RFC 9110:  "HTTP Semantics".
Up

3  Definitions, symbols and abbreviationsp. 8

3.1  Definitionsp. 8

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Anti-replay protection:
Anti-replay protection is a special case of integrity protection. Its main service is to protect against replay of self-contained packets that already have a cryptographical integrity mechanism in place.
Confidentiality:
The property that information is not made available or disclosed to unauthorised individuals, entities or processes.
Data integrity:
The property that data has not been altered in an unauthorised manner.
Data origin authentication:
The corroboration that the source of data received is as claimed.
Entity authentication:
The provision of assurance of the claimed identity of an entity.
Key freshness:
A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions of either an adversary or authorised party.
NDS/IP Traffic:
Traffic that requires protection according to the mechanisms defined in this specification.
NDS/IP-networks:
3GPP and fixed broadband networks.
IPsec Security Association:
A unidirectional logical connection created for security purposes. All traffic traversing a SA is provided the same security protection. The SA itself is a set of parameters to define security protection between two entities. A IPsec Security Association includes the cryptographic algorithms, the keys, the duration of the keys, and other parameters.
Security Domain:
Networks that are managed by a single administrative authority. Within a security domain the same level of security and usage of security services will be typical.
Transit Security Domain:
A security domain, which is transmitting NDS/IP traffic between other security domains.
Transport mode:
Mode of operation that primarily protects the payload of the IP packet, in effect giving protection to higher level layers.
Tunnel mode:
Mode of operation that protects the whole IP packet by tunnelling it so that the whole packet is protected.
Up

3.2  Symbolsp. 9

For the purposes of the present document, the following symbols apply:
Gi
Reference point between GPRS and an external packet data network
Gn
Interface between two GSNs within the same PLMN
Gp
Interface between two GSNs in different PLMNs. The Gp interface allows support of GPRS network services across areas served by the co-operating GPRS PLMNs
Mm
Interface between a CSCF and an IP multimedia network
Mw
Interface between a CSCF and another CSCF
Za
Interface between SEGs belonging to different networks/security domains
Zb
Interface between SEGs and NEs and interface between NEs within the same network/security domain
Up

3.3  Abbreviationsp. 9

For the purposes of the present document, the following abbreviations apply:
AAA
Authentication Authorization Accounting
AES
Advanced Encryption Standard
AH
Authentication Header
BG
Border Gateway
CS
Circuit Switched
CSCF
Call Session Control Function
DES
Data Encryption Standard
DoI
Domain of Interpretation
ESP
Encapsulating Security Payload
GTP
GPRS Tunnelling Protocols
IESG
Internet Engineering Steering Group
IETF
Internet Engineering Task Force
IKE
Internet Key Exchange
IKEv2
Internet Key Exchange version 2
IP
Internet Protocol
IPsec
IP security - a collection of protocols and algorithms for IP security incl. key mngt.
ISAKMP
Internet Security Association Key Management Protocol
IV
Initialisation Vector
MAC
Message Authentication Code
NAT
Network Address Translator
NDS
Network Domain Security
NDS/IP
NDS for IP based protocols
NE
Network Entity
PS
Packet Switched
SA
Security Association
SAD
Security Association Database (sometimes also referred to as SADB)
SEG
Security Gateway
SIP
Session Initiation Protocol
SPD
Security Policy Database (sometimes also referred to as SPDB)
SPI
Security Parameters Index
TISPAN
Telecoms & Internet converged Services & Protocols for Advanced Networks
TrGW
Transition Gateway
Up

Up   Top   ToC