report - Light Reading

More documents

Recommendations

Info

SECURITY FROM 3GPP IMS TO TISPAN NGN the required user configuration data in a multiple UPSF configuration. For interoperation with other IP networks, the Core IMS of 3GPP is supplemented with the IBCF (Interconnection Border Control Function) and the IWF (Inter-working Function). Figure 4 provides an overview of the TISPAN NGN architecture [4]. By means of the UAAF (User Access Authorization Function) and its associated data repository PDBF (Profile DataBase Function) the NASS (see[5]) registers, authenticates and authorizes access of Customer Premises Equipment (CPE) to the fixed network. The NACF (Network Access Configuration Function) allocates IP addresses to CPE, and also provides it with contact addresses of services, e.g. the IP address of the P-CSCF (Proxy Call Session Control Function) for the IMS service. The CLF (Connectivity Session Location and Repository Function) binds all the NACF and UAAF information with the location information for support of RACS, Service Control Subsystems and Application Servers operations. The reference points indicated with “e x” in Figure 5 may be external and require special attention from a security point of view. The e2 and e5 Figure 6 : Simplified RACS diagram NASS (CLF) reference points indicate the support of a proxy function in a visited network for CLF and UAAF respectively. QoS (Quality of Service) control is provided with the RACS (Resource Admission Control Subsystem) (see [6]) that provides a mechanism to reserve, allocate and release network resources. The RACS is session-aware but service-agnostic. RACS also performs service-based local policy control plus near-end and far-end NAT (Network Address Translation) traversal. The SPDF (Service Policy Decision Function) hosts the policy rules and communicates with different RACFs (see Figure 6). A mandatory requirement for the TISPAN NGN architecture is that its functions may be distributed over different administrative domains that belong to several service and application providers. This is especially valid for NASS and RACS functions. Nomadicity further induces the need for concepts like visited and home networks. Wholesale business relationships between providers are supported, in addition to the retail relationship with subscribers. TISPAN NGN Quick Threat Analysis The main intention is to keep TISPAN security as aligned as possible with 3GPP, extrapolating TISPAN security from 3GPP’s approach where differences between the fixed and mobile architectures are identified: • while mobile technology allowed both the network infrastructure and mobile handsets to evolve in parallel, the fixed networks have a large installed base that is unlikely to be able to support complex security solutions without drastic e4 Access CPE IP edge Node NASS: Network Access Subsystem SPDF: Service Policy Decision Function Rq Service Control Subsystems and Applications SPDF Gq' A-RACF C-RACF Re la Core Border Node RACS Border Gateway RACF: Resource and Admission Control Function RACS: Resource Admission Control Subsystem changes (disruptive upgrades and/or hardware extensions or replacement). Taking into account the installed base justifies the need for more security solution options to support these additional scenarios; • pure wireline solutions in the fixed networks do not have the same vulnerability as the air interface. This allows the introduction of simplified security scenarios for secured IMS access (access-bundled authentication) as is explained later; • fixed networks have to support inter-working with many sets of more or less secure protocol stacks, and with a wide variety of access technologies; • the user equipment (UE) vulnerability has an unpredictable security dimension in the fixed networks, because users can modify their UE without prior notice to the IMS provider, such as adding air interfaces (e.g., WiFi); • TISPAN supports several business roles that extend from the access and regional network providers to services/applications providers. Consequently, many reference points become interoperator interfaces. This strengthens the importance of network domain security in TISPAN. Concerning risks and vulnerabilities, operators are most worried about theft of service by identity theft, and Denial of Service (DoS) attacks. The former threatens their revenues, while the latter endangers service delivery and consequently their reputation and, again, revenues. Identity theft stresses the importance of authentication for access to the network and services. Because user identification does not prevent DoS attacks, specific DoS countermeasures need to be deployed in the network infrastructure such as described in [a], first page of this article. 306 - Alcatel Telecommunications Review - 4 th Quarter 2005 www.alcatel.com/atr
SECURITY FROM 3GPP IMS TO TISPAN NGN TISPAN NGN Security The overall NGN security architecture [7] is derived from the TISPAN functional architecture by splitting it into three views (see Figure 7): • access view (“first hop” or “first mile”) security; • NGN Core view (intra-operator domain) security; • interconnecting view ( inter-operator domain) security. Figure 7: TISPAN NGN Security Architecture Access View Security The access view is a difficult part of CPE the NGN architecture to secure because of the different access technologies it interconnects. It consists of the network attachment part and the service layer part. Network attachment includes network authentication between the user equipment and the NASS. Network authentication is access technology-dependent, and typical examples in the case of DSL (Digital Subscriber Line) are implicit authentication with the line identity, or explicit with, e.g., IEEE 802.1x (port-based network access control). For IMS access security, the main objective is to align with the 3GPP solution. This is straightforward when there is no NAT in the CPE: TISPAN has adopted the 3GPP solution, i.e., IPsec transport mode and SIP Digest AKA. This solution assumes the use of an ISIM application on UICC in the terminal, in the residential gateway, or in a split terminal (a secondary terminal such as a UMTS mobile connected to the first via, e.g., an air interface, and which performs the actual authentication). In cases where there is a NAT in the CPE, two solutions are being discussed by TISPAN with 3GPP SA3, one being IPsec-based, Figure 8: Simplified example of inter-operator security CPE e1 Visited NGN Access Network A-RACF SEG SEG Za-type interfaces Home NGN Network SEG SEG Home Access Network "Zb" e2 "Zb" CLF SEG SEG CLF "Zb" "Zb" a2 a4 a4 "Zb" "Zb" e5 "Zb" NACF UAAF SEG SEG UAAF (PDBF) "Zb" a1 a3 "Zb" AMF Zb-type interface "Zb" Rq e4 Zb-type interface "Zb" NASS UPSF Applications Transfer Functions NGN Core View Security IMS RACS Other Networks and the other TLS-based. The decision is pending, but it should be noted that, since 3GPP may be confronted with the NAT issue in the future, the solution selected for TISPAN might end up being used in 3GPP for achieving convergence. Because of the existing installed base, and in order to facilitate IMS rollout in the fixed networks, TISPAN is also specifying an IMS access mechanism bundled with the network attachment authentication. This solution requires a trust relationship between the access and IMS providers. It bundles IMS access with implicit or explicit network access authentication. The intra-domain security is the sole responsibility of the operator but is not obvious. Protection at the borders of the domain is not sufficient, as experience has shown that Home Core Network Service Control Subsystems and Applications Gq' SPDF PES Interconnecting View Security many attacks are launched from inside the network. The separation principle, whereby information flow types (signaling, management and media) and node types are isolated and individually protected, will significantly decrease the extent of an attack. Databases need to be concentrated in zones that are highly protected with firewalls. Administrative rules will further control potential sources of internal attack. When needed, the operator can choose intra-domain security based on IPsec ESP tunnel mode with IKE for control and management layers. An important distinction between the 3GPP and TISPAN architectures is that the latter supports more business roles. These roles extend from the access and regional network providers to service providers. As a consequence, many reference points www.alcatel.com/atr 4 th Quarter 2005 - Alcatel Telecommunications Review - 307
Page 1 and 2: 4 PICK AND MIX TO DEVELOP YOUR SERV
Page 3 and 4: Using Fixed/Mobile Convergence to C
Page 5 and 6: A SERVICE DELIVERY TRANSFORMATION P
Page 7 and 8: TRANSFORMING SERVICE DELIVERY ARCHI
Page 9 and 10: ALCATEL'S ADVANCED RATING ENGINE: A
Page 11 and 12: ALCATEL'S ADVANCED RATING ENGINE: A
Page 13 and 14: ENABLING MVNOs AT BELL MOBILITY WIT
Page 15 and 16: ENABLING MVNOs AT BELL MOBILITY WIT
Page 17 and 18: SERVICE-ORIENTED ARCHITECTURES: ORC
Page 19 and 20: SERVICE-ORIENTED ARCHITECTURES: ORC
Page 21 and 22: OPERATIONAL SUPPORT EVOLUTION WITH
Page 27 and 28: TECHNOLOGY WHITE PAPER D. Hills, N.
Page 29 and 30: USING FIXED MOBILE CONVERGENCE TO C
Page 31 and 32: USING FIXED MOBILE CONVERGENCE TO C
Page 33 and 34: BT COMMUNICATOR: THE WORLD’S BIGG
Page 35 and 36: BT COMMUNICATOR: THE WORLD’S BIGG
Page 37 and 38: STRATEGY WHITE PAPER J. de Vriendt,
Page 39 and 40: NETWORK MIGRATION STRATEGIES TOWARD
Page 41 and 42: NETWORK MIGRATION STRATEGIES TOWARD
Page 43 and 44: TECHNOLOGY WHITE PAPER S. Grégoir,
Page 45 and 46: ALCATEL’S USER-CENTRIC DATA REPOS
Page 47 and 48: ALCATEL’S USER-CENTRIC DATA REPOS
Page 49 and 50: STRATEGY WHITE PAPER A. Bultinck, D
Page 51: SECURITY FROM 3GPP IMS TO TISPAN NG
Page 55 and 56: TECHNICAL PAPER F. Bataille, C. Baz
Page 57 and 58: REACHABILITY AND CONTEXT ENABLERS F
Page 59 and 60: PRESENCEN AND LOCALIZATION DATA ENA
Page 65 and 66: TECHNOLOGY WHITE PAPER A. Lemke, G.
Page 67 and 68: TRIPLE PLAY: DON’T PLAY! MAKE IT
Page 69 and 70: TRIPLE PLAY: DON’T PLAY! MAKE IT
Page 71 and 72: INGREDIENTS, UTENSILS AND RECIPES F
Page 77 and 78: ORANGE VIDEO PROJECT WITH ALCATEL t
Page 79 and 80: ORANGE VIDEO PROJECT WITH ALCATEL A
Page 81 and 82: RICH MEDIA SERVICE DELIVERY From th
Page 83 and 84: EDITORIAL OFFICES ENGLISH EDITION C

report - Light Reading

Create successful ePaper yourself

Delete template?

Save as template?