EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D

TMN Workshop, Antwerp, 27 May 1998


Page 1

EURESCOM Project P710 “Security for the TMN X-interface”

by Pål Kristiansen, Telenor R&D

Presentation Contents

The need for TMN security & the P710 effort

Description of the P710 Security Solution

Possible future security capabilities (STASE-ROSE)

Summary and Conclusions

Page 2

Why is security important?

TMN X-interfaces may be carried over networks operated by different providers, thereby offering potential intruders a broad selection of points of attack.

TMN interfaces are based on publicly known and available standards. The information carried by CMIP can easily be interpreted and thereby also easily manipulated and misused by an intruder.

Protocol analysers and protocol stacks are commercially available to any intruder who wants to make use of them.

The power of CMIP allows a single message to affect a very large number of entities. Therefore, the potential consequences of an attack could be considerable.

Conclusion: Open interfaces are by nature vulnerable to various threats of attack. Security measures are therefore an absolute requirement for any operator that wants to protect its business interests related to the use and provision of management services.

The availability of an appropriate set of inter-domain security services is a prerequisite for the provision of automated X-interfaces in Europe.

Page 3

P710 Rationale

Commercial automated X-interfaces in Europe may become a reality in the very near future. A commercial driver for P710 is the planned ATM MoU.

Today there exists no commonly accepted (i.e. standardised) off-the-shelf security solution for the protection of CMIP communications.

Any proposed security solution should be validated through practical implementation and experimentation before it is accepted and applied in a real environment. Theoretical studies are not sufficient.

EURESCOM is currently in a good position to provide important practical results in the area of X-interface security.

Page 4

Some Important Considerations

P710 needed to select a solution that can operate in a multi-operator and multi-vendor environment.

P710 wanted to select a security solution that conforms to existing security standards to ensure a certain level of market acceptance.

The main security problem for CMIP environments is the lack of support for integrating security services within the OSI-stack.

P710 wanted to design a security solution that is flexible enough to be able to utilise existing management platform security capabilities as much as possible.

P710 has to select commercial products for the purpose of implementation and validation but has no intention to mandate one particular product for an operational phase.

Page 5

Overall P710 Security Solution

[Figure: two management applications, each on top of a closed stack (CMISE, ACSE, ROSE), connected across the International DCN. Labels: Peer-to-peer Authentication and Access Control; Integrity / Confidentiality.]

Page 6

Secure VPN based on IPsec

[Figure: network diagram of Lab A, Lab B, Lab C and Lab D. Labels: TCP/IP over X.25; TMN platform; Gateway; IPSec Tunnel mode; TMN platform, IPSec transport and tunnel mode; X.25 card; Ethernet - TCP/IP.]

IPSec AH/ESP
- ISAKMP/Oakley with pre-shared secret auth
- Manual Key management

Page 7

Application Level Security Architecture

[Figure: architecture diagram. Labels: Management Application; Protocol Stack; Stack - API; Security Handler; Management MIB; Security Control Component (SCC); Security Audit Log Component; Security Audit Log Function; Association Access Control Component; ADF; GSS Component; GSS-API; SMIB; Log; Credentials; Application Entity.]

Page 8

The use of STASE-ROSE (Q.813) with GSS-API

[Figure: layer diagram. Labels: Management Application; Application Level; SCC; GSS-API interface; GSS Component; Application Layer (CMISE, STASE-ROSE, ROSE, ACSE); Presentation Layer.]

Page 9

Considerations regarding STASE-ROSE

STASE-ROSE, if implemented, would become an option to the P710 IPsec solution.

In addition to integrity/confidentiality protection, STASE-ROSE will be able to provide a basis for non-repudiation.

STASE-ROSE with GSS-API support could be an add-on capability to the P710 application level architecture. In this case the same cryptographic module (GSS-API module) could be used to provide the entire range of cryptographic services.

The possibility of a commercial implementation may seem promising, but is as yet very unclear (if, who and when?).

X-interface solutions may require multi-vendor support for STASE-ROSE.

Since P710 needs to implement and validate solutions that are available today, STASE-ROSE is not an option.

Page 10

Summary and Conclusions (1)

Today there is no complete standardised off-the-shelf security solution available for CMIP.

Existing management platforms have either very little or no support at all for security. It is a goal for P710 to enable the use of platform supported capabilities (particularly access control) whenever available.

It should be possible to provide a secure CMIP solution today (apart from maybe non-repudiation) using existing “standard” security technology. A division of security functionality between application level and network level is, however, recommended to provide all the main security services.

The use of GSS-API provides an easy and standard way to integrate (and easily replace) cryptographic services at application level.

Page 11

Summary and Conclusions (2)

IP security (IPsec) should provide an investment guaranteed solution for creating a secure VPN (requires the use of CMIP over IP).

Host-integration of IPsec may be considered as a future option.

STASE-ROSE, if implemented with GSS-API support, would become an add-on capability to the P710 solution. It may, however, take a while before this solution is applicable for multi-vendor environments.

An “easy to use” manual public key management solution, appropriate for smaller user-groups, should be sufficient in a first phase. Full PKI functionality may be considered as a future option.

The P710 security solution is designed to be flexible and is not tailored to one specific X-interface environment.

Page 12

Questions?

e-mail: [email protected]