International Telecommunication Union

Next Generation Network Security (Direction and Status of FG NGN Work)
Jiashun Tu, ZTE
ITU-T/IETF Workshop on NGN, 1-2 May 2005, Geneva

Outline
o Security in the context of the overall goals of the ITU-T Focus Group on Next Generation Networks (FGNGN)
o Relation to work of other SDOs
o Key Tasks
o Goals

ITU-T NGN Focus Group
o ITU-T created the NGN Focus Group in May 2004 to address the telecommunication industry's urgent need for NGN specifications. First results of the NGN FG (NGN Release 1) are expected in May 2005.
o "Through this initiative ITU-T is bringing all players together in an environment where they can create truly global specifications for the service-aware network of the future, to deliver dynamic, customized services on a massive scale." Herb Bertine, ITU-T SG 17 Chairman
o Security is among the most essential NGN enablers and differentiators

NGN Subsystem Architecture Overview
[Diagram: Applications on top; below them the service-layer subsystems: Other Multimedia Subsystems (e.g. RTSP-based streaming services), IP Multimedia Subsystem (Core IMS, SIP-based, based on 3GPP IMS R6), PSTN/ISDN Emulation Subsystem (SIP-I based), Network Attachment Subsystem, and Resource and Admission Control Subsystem; underneath, the IP Connectivity Access Network and related subsystems, the Access Transport Network and the IP Core Transport Network, with gateways (GW) toward the PSTN.]

Highlights of the working document "Guidelines for NGN security"
o Overview of relevant global security standards
o Security in NGN
  • NGN threat model (based on ITU-T X.800 and X.805 Recommendations)
  • Security risks in NGN
  • Selection of OSI layers for security provisions
  • Granularity of protection
o Security Dimensions and Mechanisms (based on ITU-T X.805)
  • Access control
  • Authentication
  • Non-repudiation
  • Data confidentiality
  • Communication security
  • Data integrity
  • Availability
  • Privacy
o Elements of security framework for NGN
  • Access security: Authentication, Authorization, and Accounting framework for NGN
  • Security framework for Mobility in NGN
  • Link-layer security for NGN

Highlights of the working document "Guidelines for NGN security" (cont.)
  • Security framework for home networks
  • Security framework for end-to-end data communication
  • Security framework for intrusion-tolerant NGN
  • Reference Security Model for NGN
o Components of the NGN security
  • IP-CAN security
  • Network domain security
  • IMS access security
  • Application security
  • Security of Open Service/application Framework in NGN
o IMS security mechanisms based on the use of the Universal Integrated Circuit Card (UICC)

Highlights of the working document "NGN security requirements for Release 1"
o Security requirements (general considerations based on the concepts of X.805)
o Security requirements for Transport Stratum
  • Home Network domain
  • Home Network to IP-CAN domain interface
  • The IP-CAN
  • IP-CAN to Core Network interface
  • Core Network
o Security requirements for Service Stratum
  • IMS domain
  • Transport stratum to IMS domain
  • IMS to Application domain security
  • Application domain security
  • Home Network to Application domain security
  • Home Network-to-IMS domain security
  • Open service platform to value-added service provider security

ITU-T Recommendation X.805 Security Architecture: the foundation of NGN Security studies
[Diagram (X.805 Figure 3): three security layers (Applications security, Services security, Infrastructure security) crossed with three security planes (End-user plane, Control plane, Management plane); the 8 security dimensions (Access control, Authentication, Non-repudiation, Data confidentiality, Communication security, Data integrity, Availability, Privacy) apply to every layer/plane cell and counter the THREATS (Destruction, Corruption, Removal, Disclosure, Interruption) that exploit VULNERABILITIES through ATTACKS.]

Key Tasks
Key Work Items:
  • Resolve how IMS is to handle 3GPP vs. 3GPP2 differences
  • Key distribution (for end-users and network elements)
  • AAA for DSL access and QoS authorization
  • Hop-by-hop SIP security vs. end-to-end
  • VoIP NAT/Firewall traversal
  • Identity management
  • SPAM control (voice messaging)
  • Convergence with IT security

Relation to work of other SDOs
[Diagram: ITU-T FGNGN shown in relation to ITU-T SG 13, ITU-T SG 17, ISO/JTC SC 27, IETF, ETSI TISPAN and ATIS.]