L.5 Interworking using a MC Security Gateway
3GPP TS 33.180, Release 17: Security of the Mission Critical (MC) service
L.5.1 General
Interworking with Land Mobile Radio Systems is defined in TS 23.283 [48]. An interworking function (IWF) is required to allow the MC System to interwork with Land Mobile Radio Systems.
L.5.2 MC Security Gateway and the IWF
The functional model for the SeGy as used within the IWF is shown in Figure L.5.2-1. Where the IWF terminates the security of the 3GPP MC Domain, the IWF performs the functions of a SeGy for that purpose.
For interworking communications sent towards the non-3GPP system, an MC gateway with an IS Proxy and the HTTP proxy are used to provide topology hiding and terminate external routing as defined in clause 11.1.3, and the IWF processes the signalling and media for use in the Land Mobile Radio System after terminating the 3GPP MC system security. Where the media and signalling between an MC Domain and IWF are not encrypted using 3GPP MC security mechanisms, the SeGy functionality is not applied by the IWF, allowing the media and signalling to pass directly through for processing by the IWF.
For interworking communications sent from a Land Mobile Radio system towards the 3GPP system, the IWF processes the signalling and media from the Land Mobile Radio system prior to applying 3GPP security and sending it into the 3GPP system. Where the media and signalling between an MC Domain and IWF are not encrypted using 3GPP MC security mechanisms, the SeGy functionality is not applied by the IWF, allowing the processed media and signalling to pass directly from the IWF into the 3GPP system.
Figure L.5.2-1: Functional model for MC Security Gateway use during interworking
The IWF-1 reference point is defined in TS 23.283 [48] and provides for the transfer of MCPTT media and signalling between a 3GPP MC domain MCPTT server and the IWF. Authentication and security of this interface shall be as described in clause 6.
The IWF-2 reference point is defined in TS 23.283 [48] and provides for the transfer of MCData media and signalling between a 3GPP MC domain MCData server and the IWF. Authentication and security of this interface shall be as described in clause 6.
The IWF-3 reference point is defined in TS 23.283 [48] and provides for the transfer of group management information between a 3GPP MC domain GMS and the IWF. Authentication and security of this interface shall be as described in clause 6.
Any security applied by the non-3GPP system to MCPTT or MCData media and signalling, or any interfaces within the non-3GPP system, is defined by the non-3GPP system and is out of scope for this document.
Annex M (informative):
Change history
| Date | Meeting | TDoc | CR | Rev | Cat | Subject/Comment | New version |
|---|---|---|---|---|---|---|---|
| 2017-06 | SA#76 | | | | | Upgrade to change control version | 14.0.0 |
| 2017-09 | SA#77 | SP-170639 | 0001 | – | F | Ambient Listening and ambient viewing | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0002 | 1 | F | Group communications and emergencies | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0005 | – | F | Fix IdM token response message | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0006 | – | F | Token revocation | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0008 | – | F | Video push and video pull | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0009 | – | F | Clarifications of key period calculation | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0010 | – | F | Clarifications of security domain parameters and UK-ID | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0011 | – | F | Clarifications and editorial corrections related to SRTCP protection | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0012 | 1 | F | Correction of parameters for use of MIKEY-SAKKE | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0014 | 1 | F | Corrections to MCData security procedures | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0015 | 1 | F | General Corrections to TS 33.180 | 14.1.0 |
| 2017-09 | SA#77 | SP-170639 | 0016 | – | F | MCData payload authentication correction | 14.1.0 |
| 2018-01 | SA#78 | SP-170874 | 0017 | – | F | Corrections to MCData security procedures | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0019 | – | F | Add transmission control for MCVideo | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0020 | – | F | MCPTT to MCX fixes | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0021 | – | F | SIP MESSAGE clarification for MCData | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0030 | 1 | F | A Clarification on SSRC use in group communications | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0032 | 1 | F | Fix inter-domain IdM token exchange procedure | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0035 | – | F | Fix reference to 33.179 | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0036 | – | F | Fix media security for private call | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0037 | 1 | F | Fix client check during GMK provisioning | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0038 | 1 | F | Alignment with MuSiK Stage 3 in CT1 specs 24.379 and 24.481 | 14.2.0 |
| 2018-01 | SA#78 | SP-170874 | 0039 | 1 | F | Key parameters payload correction | 14.2.0 |
| 2018-01 | SA#78 | SP-170877 | 0026 | 1 | B | Adding KMS Redirect Responses | 15.0.0 |
| 2018-01 | SA#78 | SP-170877 | 0027 | 1 | B | KMS enhancement, including Migration KMS | 15.0.0 |
| 2018-01 | SA#78 | SP-170877 | 0028 | 1 | B | Addition of Clause on Logging, Audit and Discreet Monitoring | 15.0.0 |
| 2018-01 | SA#78 | SP-170877 | 0029 | 1 | B | Addition of Signalling Proxies | 15.0.0 |
| 2018-01 | SA#78 | SP-170877 | 0040 | 1 | B | Addition of Element for Authenticating Requests (EAR) | 15.0.0 |
| 2018-01 | SA#78 | SP-170877 | 0041 | – | B | Addition of KMS Requests to support KMS Discovery | 15.0.0 |
| 2018-01 | SA#78 | SP-170877 | 0043 | 1 | B | Addition of Security Gateway | 15.0.0 |
| 2018-03 | SA#79 | SP-180043 | 0045 | 3 | B | Interconnection, Interworking media and signaling | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0046 | 1 | F | Interworking key management (InterSD) | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0048 | 1 | B | Interworking SeGy clarification | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0049 | – | B | [eMCSEC] Addition of indicators on the use of Security Gateways | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0051 | – | B | Adding Integrity Key for KMS communications | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0054 | 2 | A | GMK management clarification | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0055 | 2 | A | MC key storage and persistence | 15.1.0 |
| 2018-03 | SA#79 | SP-180051 | 0056 | 2 | B | Security of functional alias(es) | 15.1.0 |
| 2018-03 | SA#79 | SP-180051 | 0057 | 1 | B | Security of Multi-talker | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0059 | – | B | Providing details of EARs into Annex J | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0060 | 1 | F | Clarification of purpose of Inter-domain user service authorisation | 15.1.0 |
| 2018-03 | SA#79 | SP-180043 | 0061 | – | F | [eMCSEC] Correction of reference to SA1 specification | 15.1.0 |
| 2018-06 | SA#80 | SP-180447 | 0064 | – | F | Interconnection references clarification | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0065 | – | F | Mixing of encrypted media | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0066 | – | B | Migration user authentication and authorisation | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0067 | – | F | Various technical clarifications | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0068 | 1 | F | Removal of Editor’s note in Clause I.3.4 | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0069 | 1 | C | Resolution of editor’s notes within Clause 10 on logging, audit and discreet monitoring. | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0071 | – | A | Addition of test vector for MIKEY-SAKKE UID | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0073 | – | A | Removal of Editor’s note in Clause 5.1.3.1. | 15.2.0 |
| 2018-06 | SA#80 | SP-180446 | 0075 | 1 | A | [eMCSec] 33180 R15 technical clarification for a proxy usage | 15.2.0 |
| 2018-06 | SA#80 | SP-180446 | 0076 | 1 | F | [eMCSec] 33180 R15 Migration KMS clarification | 15.2.0 |
| 2018-06 | SA#80 | SP-180445 | 0078 | – | A | Definition of KMS XML namespace | 15.2.0 |
| 2018-06 | SA#80 | SP-180446 | 0080 | 1 | A | Addition of note to say that temporary group regroup mechanism is not secured. | 15.2.0 |
| 2018-06 | SA#80 | SP-180446 | 0082 | – | A | Inclusion of MCData message types as defined by CT1 | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0083 | – | F | Making Annex J normative | 15.2.0 |
| 2018-06 | SA#80 | SP-180447 | 0084 | – | B | Definition of KMS Redirect Request message format | 15.2.0 |
| 2018-09 | SA#81 | SP-180702 | 0086 | 1 | A | [MCSec] 33180 R15. Examples of MC service ID shall be URI | 15.3.0 |
| 2018-09 | SA#81 | SP-180702 | 0088 | 1 | A | [MCSec] 33180 R15. Clarification for MIKEY-SAKKE values | 15.3.0 |
| 2018-09 | SA#81 | SP-180702 | 0091 | – | A | [MCSec] 33180 R15 Fix XML schema (mirror) | 15.3.0 |
| 2018-09 | SA#81 | SP-180702 | 0093 | – | A | [MCSec] 33180 R15 FC values for MCData (mirror) | 15.3.0 |
| 2018-09 | SA#81 | SP-180703 | 0094 | – | F | [MCSec] 33180 R15 registered media type | 15.3.0 |
| 2019-03 | SA#83 | SP-190101 | 0097 | 1 | A | Annex D.3.5.2 XSD correction (mirror) | 15.4.0 |
| 2019-03 | SA#83 | SP-190101 | 0099 | 1 | A | [33.180] R15 IdMS interface security (mirror) | 15.4.0 |
| 2019-03 | SA#83 | SP-190101 | 0103 | 1 | A | [33.180] R15 InK clarifications (mirror) | 15.4.0 |
| 2019-03 | SA#83 | SP-190101 | 0105 | 1 | A | [33.180] R15 MCX identity clarification (mirror) | 15.4.0 |
| 2019-06 | SA#84 | SP-190356 | 0107 | 1 | A | [MCSec] 33180 R15. Clarification of the references to RFC 3711 | 15.5.0 |
| 2019-06 | SA#84 | SP-190356 | 0109 | – | A | [33.180] R15 XSD Corrections (mirror) | 15.5.0 |
| 2019-06 | SA#84 | SP-190356 | 0111 | 1 | A | [33.180] R15 Remove IANA editor’s notes (mirror) | 15.5.0 |
| 2019-06 | SA#84 | SP-190357 | 0112 | 1 | B | [33.180] R16 Establishment of PCK for MCData | 16.0.0 |
| 2019-09 | SA#85 | SP-190680 | 0114 | – | A | [33.180] R16 – Fix hash result (mirror) | 16.1.0 |
| 2019-12 | SA#86 | SP-191209 | 0117 | – | A | [MCXSec] 33180 R16 Missing Abbreviations (Mirror) | 16.2.0 |
| 2019-12 | SA#86 | SP-191209 | 0118 | – | A | [MCXSec] 33180 R16 Reference Addition (Mirror) | 16.2.0 |
| 2019-12 | SA#86 | SP-191209 | 0119 | – | A | [MCXSec] 33180 R16 Correction concerning IdM client (Mirror) | 16.2.0 |
| 2019-12 | SA#86 | SP-191209 | 0128 | – | A | [33.180] R16 Fix bad reference | 16.2.0 |
| 2019-12 | SA#86 | SP-191136 | 0129 | 1 | F | [33.180] R16 Consistent use of off-network | 16.2.0 |
| 2019-12 | SA#86 | SP-191136 | 0130 | – | F | [33.180] R16 KM client to KMS security | 16.2.0 |
| 2019-12 | SA#86 | SP-191136 | 0131 | 1 | F | [33.180] R16 TrK-ID and InK-ID | 16.2.0 |
| 2019-12 | SA#86 | SP-191136 | 0132 | – | C | [33.180] R16 InterSD KM record | 16.2.0 |
| 2019-12 | SA#86 | SP-191136 | 0133 | – | F | [33.180] R16 ETSI Plugtest clarifications | 16.2.0 |
| 2019-12 | SA#86 | SP-191136 | 0134 | 1 | B | Algorithm selection for MCData signalling protection | 16.2.0 |
| 2020-03 | SA#87E | SP-200135 | 0135 | – | D | [33.180] Formatting corrections | 16.3.0 |
| 2020-03 | SA87E | SP-200135 | 00136 | 1 | B | [33.180] R16 Gateway security | 16.3.0 |
| 2020-03 | SA87E | SP-200135 | 0137 | – | B | [33.180] R16 – MC location authorization | 16.3.0 |
| 2020-03 | SA87E | SP-200135 | 0138 | 1 | F | [33.180] R16 SeGy IWF corrections | 16.3.0 |
| 2020-03 | SA87E | SP-200135 | 0139 | – | F | Correction to definition about temporary group call related procedures | 16.3.0 |
| 2020-07 | SA88E | SP-200362 | 0146 | – | F | [33.180] R16 Fix IdM client terminology | 16.4.0 |
| 2020-07 | SA88E | SP-200362 | 0147 | – | D | [33.180] R16 Fix XML references | 16.4.0 |
| 2020-07 | SA88E | SP-200362 | 0148 | – | F | [33.180] R16 TrK-ID and InK-ID indication | 16.4.0 |
| 2020-09 | SA#89e | SP-200772 | 0150 | 1 | B | MCData message store security | 17.0.0 |
| 2020-12 | SA#90e | SP-201005 | 0152 | 1 | A | [33.180] R17 Fix terminology | 17.1.0 |
| 2021-03 | SA#91e | SP-210108 | 0158 | – | A | RFC3830 reference correction (mirror) | 17.2.0 |
| 2021-03 | SA#91e | SP-210108 | 0162 | – | A | [33.180] R17 XML encryption correction (mirror) | 17.2.0 |
| 2021-06 | SA#92e | SP-210443 | 0166 | – | A | [33.180] R17 UID encoding (mirror) | 17.3.0 |
| 2021-06 | SA#92e | SP-210444 | 0172 | – | F | CR on Signalling Algorithm Selection | 17.3.0 |
| 2021-09 | SA#93e | SP-210845 | 0173 | 1 | F | Group subscription | 17.4.0 |
| 2021-12 | SA#94e | SP-211375 | 0177 | – | B | [33.180] R17 Preconfigured group clarification | 17.5.0 |
| 2021-12 | SA#94e | SP-211376 | 0180 | – | A | [33.180] R17 KMS message signature clarification (mirror) | 17.5.0 |
| 2021-12 | SA#94e | SP-211376 | 0183 | – | A | [33.180] R17 MIKEY signature clarification (mirror) | 17.5.0 |
| 2021-12 | SA#94e | SP-211375 | 0184 | – | B | [33.180] MCXSec over 5GS | 17.5.0 |
| 2022-03 | SA#95e | SP-220220 | 0187 | – | A | R17 Clarification requested by ETSI Plugtest (mirror) | 17.6.0 |
| 2022-03 | SA#95e | SP-220221 | 0189 | 1 | B | Authorization between MCData message store and MCData Server | 17.6.0 |
| 2022-09 | SA#97e | SP-220885 | 0193 | 1 | A | [33.180] R17 Incorrect reference (mirror) | 17.7.0 |
| 2022-12 | SA#98e | SP-221151 | 0199 | – | A | [MCSec] Incorrect example (Mirror) | 17.8.0 |
| 2022-12 | SA#98e | SP-221151 | 0202 | – | A | [MCXSec] Incorrect reference (Mirror) | 17.8.0 |