ETSI TS 133 210 V15.1.0 (2018-10)

Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Network Domain Security (NDS); IP network layer security (3GPP TS 33.210 version 15.1.0 Release 15)

ETSI TS 133 210 V15.1.0 (2018-10)

Name:ETSI TS 133 210 V15.1.0 (2018-10)   Standard name:Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Network Domain Security (NDS); IP network layer security (3GPP TS 33.210 version 15.1.0 Release 15)
Standard number:ETSI TS 133 210 V15.1.0 (2018-10)   language:English language
Release Date:10-Oct-2018   technical committee:3GPP SA 3 - Security
Drafting committee:   ICS number:
ETSI TS 133 210 V15.1.0 (2018-10)






TECHNICAL SPECIFICATION
Digital cellular telecommunications system (Phase 2+) (GSM);
Universal Mobile Telecommunications System (UMTS);
LTE;
3G security;
Network Domain Security (NDS);
IP network layer security
(3GPP TS 33.210 version 15.1.0 Release 15)

---------------------- Page: 1 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 1 ETSI TS 133 210 V15.1.0 (2018-10)



Reference
RTS/TSGS-0333210vf10
Keywords
GSM,LTE,SECURITY,UMTS
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at

If you find errors in the present document, please send your comment to one of the following services:

Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2018.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.

GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 2 ETSI TS 133 210 V15.1.0 (2018-10)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP).
The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or
GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables.
The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under
.
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI

---------------------- Page: 3 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 3 ETSI TS 133 210 V15.1.0 (2018-10)
Contents
Intellectual Property Rights . 2
Foreword . 2
Modal verbs terminology . 2
Foreword . 5
Introduction . 5
1 Scope . 6
2 References . 6
3 Definitions, symbols and abbreviations . 7
3.1 Definitions . 7
3.2 Symbols . 8
3.3 Abbreviations . 8
4 Overview over network domain security for IP based protocols . 9
4.1 Introduction . 9
4.2 Protection at the network layer . 9
4.3 Security for native IP based protocols . 9
4.4 Security domains . 9
4.4.1 Security domains and interfaces . 9
4.5 Security Gateways (SEGs) . 9
5 Key management and distribution architecture for NDS/IP . 10
5.1 Security services afforded to the protocols . 10
5.2 Security Associations (SAs) . 10
5.2.0 General . 10
5.2.1 Security Policy Database (SPD) . 11
5.2.2 Security Association Database (SAD) . 11
5.3 Profiling of IPsec . 11
5.3.0 General . 11
5.3.1 Support of ESP . 11
5.3.2 Support of tunnel mode . 11
5.3.3 Support of ESP encryption transforms . 11
5.3.4 Support of ESP authentication transforms . 12
5.3.5 Requirements on the construction of the IV . 12
5.4 Profiling of IKEv2 . 12
5.4.0 General . 12
5.4.1 Void . 12
5.4.2 Profiling of IKEv2 . 12
5.4.3 Void . 13
5.5 Security policy granularity . 13
5.6 Network domain security key management and distribution architecture for native IP based protocols . 14
5.6.1 Network domain security architecture outline . 14
5.6.2 Interface description . 15
6 Other 3GPP profiles . 16
6.1 General . 16
6.2 TLS protocol profiles . 16
6.2.1 General . 16
6.2.2 Profiling for TLS 1.3 . 16
6.2.3 Profiling for TLS 1.2 and earlier . 16
6.3 JWE and JWS profiles . 18
6.3.1 General . 18
6.3.2 JWE profile . 18
6.3.3 JWS profile . 18
Annex A (informative): Other issues . 19
ETSI

---------------------- Page: 4 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 4 ETSI TS 133 210 V15.1.0 (2018-10)
A.1 Network Address Translators (NATs) and Transition Gateways (TrGWs) . 19
A.2 Filtering routers and firewalls . 19
A.3 The relationship between BGs and SEGs . 19
Annex B (normative): Security protection for GTP . 20
B.0 General . 20
B.1 The need for security protection . 20
B.2 Policy discrimination of GTP-C and GTP-U . 20
B.3 Protection of GTP-C transport protocols and interfaces . 21
Annex C (normative): Security protection of IMS protocols . 22
C.0 General . 22
C.1 The need for security protection . 22
C.2 Protection of IMS protocols and interfaces . 22
Annex D (normative): Security protection of UTRAN/GERAN IP transport protocols . 23
D.0 General . 23
D.1 The need for security protection . 23
D.2 Protection of UTRAN/GERAN IP transport protocols and interfaces . 23
Annex E (informative): RFC-4303 compared with RFC-2406 . 24
Annex F (informative): Change history . 25
History . 27

ETSI

---------------------- Page: 5 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 5 ETSI TS 133 210 V15.1.0 (2018-10)
Foreword
rd
This Technical Specification has been produced by the 3 Generation Partnership Project (3GPP).
The contents of the present document are subject to continuing work within the TSG and may change following formal
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an
identifying change of release date and an increase in version number as follows:
Version x.y.z
where:
x the first digit:
1 presented to TSG for information;
2 presented to TSG for approval;
3 or greater indicates TSG approved document under change control.
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections,
updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the document.
Introduction
An identified security weakness in GPRS systems is the absence of security in the core network. This was formerly
perceived not to be a problem, since the GPRS networks previously were the provinces of a small number of large
institutions. This is no longer the case, and so there is now a need for security precautions. Another significant
development has been the introduction of IP as the network layer in the GPRS backbone network and then later in the
UMTS network domain. Furthermore, IP is not only used for signalling traffic, but also for user traffic. The introduction
of IP therefore signifies not only a shift towards packet switching, which is a major change by its own accounts, but also
a shift towards completely open and easily accessible protocols. The implication is that from a security point of view, a
whole new set of threats and risks must be faced.
For UMTS and fixed broadband systems it is a clear goal to be able to protect the core network signalling protocols, and
by implication this means that security solutions must be found for both SS7 and IP based protocols.
Starting with LTE, but especially with 5G, security of signalling protocols moves onto the application layer. The current
document is the central repository of the protection mechanisms and profiles for these protocols.
This document is the stage-2 specification for IP related security in the 3GPP and fixed broadband core networks.
The security services that have been identified as being needed are confidentiality, integrity, authentication and anti-
replay protection. These will be ensured by standard procedures, based on cryptographic techniques.
ETSI

---------------------- Page: 6 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 6 ETSI TS 133 210 V15.1.0 (2018-10)
1 Scope
The present document defines the security architecture for network domain IP based control planes, which shall be
applied to NDS/IP-networks (i.e. 3GPP and fixed broadband networks). The scope of network domain control plane
security is to cover the control signalling on selected interfaces between network elements of NDS/IP networks. . The
present document furthermore serves as a central repository for cryptographic profiles for security above IP layer.
2 References
The following documents contain provisions which, through reference in this text, constitute provisions of the present
document.
- References are either specific (identified by date of publication, edition number, version number, etc.) or
non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same
Release as the present document.
[1] 3GPP TS 21.133: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Security Threats and Requirements".
[2] 3GPP TR 21.905: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; Vocabulary for 3GPP Specifications".
[3] 3GPP TS 23.002: "3rd Generation Partnership Project; Technical Specification Group Services
and Systems Aspects; Network architecture".
[4] 3GPP TS 23.060: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; General Packet Radio Service (GPRS); Service description; Stage 2".
[5] 3GPP TS 23.228: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; IP Multimedia Subsystem (IMS); Stage 2".
[6] 3GPP TS 29.060: "3rd Generation Partnership Project; Technical Specification Group Core
Network; General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn
and Gp Interface".
[7] 3GPP TS 33.102: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Security Architecture".
[8] 3GPP TS 33.103: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G security; Integration guidelines".
[9] 3GPP TS 33.120: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Security Principles and Objectives".
[10] 3GPP TS 33.203: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; Access security for IP-based services".
[11] -[25] Void.
[26] RFC-3554: "On the Use of Stream Control Transmission Protocol (SCTP) with IPsec".
[27] RFC-1750: "Randomness Recommendations for Security".
[28] 3GPP TS 25.412: "3rd Generation Partnership Project; Technical Specification Group Radio
Access Network; UTRAN Iu interface signalling transport".
[29] Void.
ETSI

---------------------- Page: 7 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 7 ETSI TS 133 210 V15.1.0 (2018-10)
[30] 3GPP TS 33.310: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Network domain security; Authentication Framework".
[31] RFC-4303: "IP Encapsulating Security Payload (ESP)"
[32] Void.
[33] Void
[34] Void.
[35] RFC-4301: "Security Architecture for the Internet Protocol".
[36] Void.
[37] Void.
[38] 3GPP TS 25.422: "3rd Generation Partnership Project; Technical Specification Group Radio
Access Network; UTRAN Iur interface signalling transport".
[39] 3GPP TS 25.467: "3rd Generation Partnership Project; Technical Specification Group Radio
Access Network; UTRAN architecture for 3G Home Node B (HNB); Stage 2".
[40] 3GPP TS 25.468: "3rd Generation Partnership Project; Technical Specification Group Radio
Access Network; UTRAN Iuh Interface RANAP User Adaption (RUA) signalling".
[41] 3GPP TS 25.471: "3rd Generation Partnership Project; Technical Specification Group Radio
Access Network; UTRAN Iurh Interface RNSAP User Adaption (RNA) signalling".
[42] RFC-6311: "Protocol Support for High Availability of IKEv2/IPsec".
[43] RFC-7296: "Internet Key Exchange Protocol Version 2 (IKEv2)".
[44] IANA: "Internet Key Exchange Version 2 (IKEv2) Parameters".
[45] RFC-7321: "Cryptographic Algorithm Implementation Requirements and Usage Guidance for
Encapsulating Security Payload (ESP) and Authentication Header (AH)".
[46] IETF RFC 7515: "JSON Web Signature (JWS)".
[47] IETF RFC 7516: "JSON Web Encryption (JWE)".
[48] IETF RFC 7518: "JSON Web Algorithms (JWA)".

3 Definitions, symbols and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply.
Anti-replay protection: Anti-replay protection is a special case of integrity protection. Its main service is to protect
against replay of self-contained packets that already have a cryptographical integrity mechanism in place.
Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities
or processes.
Data integrity: The property that data has not been altered in an unauthorised manner.
Data origin authentication: The corroboration that the source of data received is as claimed.
Entity authentication: The provision of assurance of the claimed identity of an entity.
Key freshness: A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions
of either an adversary or authorised party.
ETSI

---------------------- Page: 8 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 8 ETSI TS 133 210 V15.1.0 (2018-10)
NDS/IP Traffic: Traffic that requires protection according to the mechanisms defined in this specification.
NDS/IP-networks: 3GPP and fixed broadband networks.
IPsec Security Association: A unidirectional logical connection created for security purposes. All traffic traversing a
SA is provided the same security protection. The SA itself is a set of parameters to define security protection between
two entities. A IPsec Security Association includes the cryptographic algorithms, the keys, the duration of the keys, and
other parameters.
Security Domain: Networks that are managed by a single administrative authority. Within a security domain the same
level of security and usage of security services will be typical.
Transit Security Domain: A security domain, which is transmitting NDS/IP traffic between other security domains.
Transport mode: Mode of operation that primarily protects the payload of the IP packet, in effect giving protection to
higher level layers.
Tunnel mode: Mode of operation that protects the whole IP packet by tunnelling it so that the whole packet is
protected.
3.2 Symbols
For the purposes of the present document, the following symbols apply:
Gi Reference point between GPRS and an external packet data network
Gn Interface between two GSNs within the same PLMN
Gp Interface between two GSNs in different PLMNs. The Gp interface allows support of GPRS
network services across areas served by the co-operating GPRS PLMNs
Mm Interface between a CSCF and an IP multimedia network
Mw Interface between a CSCF and another CSCF
Za Interface between SEGs belonging to different networks/security domains
Zb Interface between SEGs and NEs and interface between NEs within the same network/security
domain

3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AAA Authentication Authorization Accounting
AES Advanced Encryption Standard
AH Authentication Header
BG Border Gateway
CS Circuit Switched
CSCF Call Session Control Function
DES Data Encryption Standard
DoI Domain of Interpretation
ESP Encapsulating Security Payload
GTP GPRS Tunnelling Protocols
IESG Internet Engineering Steering Group
IETF Internet Engineering Task Force
IKE Internet Key Exchange
IKEv2 Internet Key Exchange version 2
IP Internet Protocol
IPsec IP security - a collection of protocols and algorithms for IP security incl. key mngt.
ISAKMP Internet Security Association Key Management Protocol
IV Initialisation Vector
MAC Message Authentication Code
NAT Network Address Translator
NDS Network Domain Security
NDS/IP NDS for IP based protocols
NE Network Entity
PS Packet Switched
ETSI

---------------------- Page: 9 ----------------------
3GPP TS 33.210 version 15.1.0 Release 15 9 ETSI TS 133 210 V15.1.0 (2018-10)
SA Security Association
SAD Security Association Database (sometimes also referred to as SADB)
SEG Security Gateway
SIP Session Initiation Protocol
SPD Security Policy Database (sometimes also referred to as SPDB)
SPI Security Parameters Index
TISPAN Telecoms & Internet converged Services & Protocols for Advanced Networks
TrGW Transition Gateway

4 Overview over network domain security for IP based
protocols
4.1 Introduction
The scope of this section is to outline the basic principles for the network domain security architecture. A central
concept introduced in this specification is the notion of a security domain. The security domains are networks that are
managed by a single administrative authority. Within a security domain the same level of security and usage of security
services will be typical. Typically, a network operated by a single network operator or a single transit operator will
constitute one security domain although an operator may at will subsection its network into separate sub-networks.
4.2 Protection at the network layer
For native IP-based protocols, security shall be provided at the network layer. The security protocols to be used at the
network layer are the IETF defined IPsec security protocols as specified in RFC-4301 [35] and in RFC-2401 [12].
4.3 Security for native IP based protocols
The network domain control plane of an NDS/IP-network is sectioned into security domains and typically these
coincide with operator borders. The border between the security domains is protected by Security Gateways (SEGs).
The SEGs are responsible for enforcing the security policy of a security domain towards other SEGs in the destination
security domain. The network operator may have more than one SEG in its network in order to avoid a single point of
failure or for performance reasons. A SEG may be defined for interaction towards all reachable security domain
destinations or it may be defined for only a subset of the reachable destinations.
The network domain security of an NDS/IP-network does not extend to the user plane and consequently the security
domains and the associated security gateways towards other domains do not encompass the user plane Gi-interface
towards other, possibly external, IP networks.
A chained-tunnel/hub-and-spoke approach is used which facilitates hop-by-hop based security protection between
security domains.
Within a se
...

  • Relates Information
  • ISO 8130-9:1992

    ISO 8130-9:1992 - Coating powders
    09-28
  • EN 352-2:2020/FprA1

    EN 352-2:2021/oprA1:2023
    09-28
  • IEC TS 61158-4:1999

    IEC TS 61158-4:1999 - Digital data communications for measurement and control - Fieldbus for use in industrial control systems - Part 4: Data Link protocol specification Released:3/24/1999 Isbn:2831847656
    09-28
  • HD 566 S1:1990

    HD 566 S1:1998
    09-28
  • ISO 5131:1982/Amd 1:1992

    ISO 5131:1982/Amd 1:1992
    09-28
  • EN 60598-2-22:1990

    EN 60598-2-22:1996
    09-27
  • ISO 8504-2:1992

    ISO 8504-2:1992 - Preparation of steel substrates before application of paints and related products -- Surface preparation methods
    09-27
  • EN 12165:2024

    prEN 12165:2022
    09-27
  • IEC TS 61158-6:1999

    IEC TS 61158-6:1999 - Digital data communications for measurement and control - Fieldbus for use in industrial control systems - Part 6: Application Layer protocol specification Released:3/24/1999 Isbn:2831847613
    09-27
  • ISO 4252:1992

    ISO 4252:1992 - Agricultural tractors -- Operator's workplace, access and exit -- Dimensions
    09-27