The present document is part of a TS-family covering the 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Telecommunication management; as identified below:
- TS 32.371: "Security Management concept and requirements".
- TS 32.372: "Security services for Integration Reference Points (IRP); Information Service (IS)".
- TS 32.376: "Security services for Integration Reference Point (IRP); Solution Set (SS) definitions".
In the 3GPP SA5 context, IRPs are introduced to address process interfaces at the Itf-N interface. The Itf-N interface is built up from a number of Integration Reference Points (IRPs) and a related Name Convention, which realize the functional capabilities over this interface. The basic structure of the IRPs is defined in TS 32.101 and TS 32.102. An IRP consists of an IRPManager and an IRPAgent. Usually there are three types of transaction between IRPManager and IRPAgent: operation invocation, notification, and file transfer.
However, there are different types of intentional threats against the transaction between IRPManagers and IRPAgents. All the threats are potential risks of damage or degradation of telecommunication services, which operators should take measures to reduce or eliminate to secure the telecommunication service, network, and data.
By introducing Security Management, the present document describes security requirements to relieve the threats between IRPManagers and IRPAgents.
As described in TS 32.101, the architecture of Security Management is divided into two layers:
- Layer A - Application Layer
- Layer B - OAM&P transport network
The threats and Security Management requirements differ between the layers and should be considered separately for each layer.
3GPP defines three types of IRP specifications (see TS 32.102). One type relates to the definitions of the interface deployed across the Itf-N. These definitions need to be agreed between the IRPManagers and IRPAgents so that meaningful communication can occur between them. An example of this type is the Alarm IRP.
The other two types (NRM IRP and Data Definition IRP) relate to the network resource model (schema) of the managed network. This network schema needs to be agreed between the IRPManagers and IRPAgents so that network management services can be provided to the IRPManager(s) by the IRPAgent(s). An example of this type is the UTRAN NRM IRP.
This Requirement specification is applicable to the Interface IRP specifications. That is to say, it is concerned only with the security aspects of operations/notifications/file deployed across the Itf-N.
The present document defines, in addition to the requirements defined in TS 32.101 and TS 32.102, the requirements for Security Management IRP.
The purpose of the present document is to specify the necessary security features, services and functions to protect the network management data, including Requests, Responses, Notifications and Files, exchanged across the Itf-N.
Telecommunication network security can be breached by weaknesses in operational procedures, physical installations, communication links, computational processes and data storage. Of concern in the present document are the security problems resulting from the weaknesses inherent in the communication technologies (i.e., the 3GPP defined Interface IRPs and their supporting protocol stacks) deployed across the Itf-N.
An appropriate level of security for a telecommunication network is essential. Secured access to the network management applications, and network management data, is essential. The 3GPP-defined Interface IRPs (and their supporting protocol stacks), deployed across the Itf-N, are used for such access, and therefore, their security is considered essential.
Many network management security standards exist. However, there is no recommendation on how to apply them in the Itf-N context. Their deployment across the Itf-N is left to operators. The present document and the corresponding solutions identify and recommend security standards in the Itf-N context.
The business case for secured Itf-N is complex as it does not relate to the functions of the Interface IRPs (the functions are constant) but rather, it relates to variants such as the cost of recovering from security breaks, the probability of security incidents and the cost of implementing Security Management, all of which differ depending on specific deployment scenarios.
The present document describes the security functions for a 3G network in terms of Security Domains (subclause 4.1).
Clause 5 defines the Itf-N Security Management scope in terms of its context (subclause 5.1) and the possible threats that can occur there are defined in clause 6.
Clause 7 specifies the Itf-N security requirements.