D.2 Protection of UTRAN/GERAN IP transport protocols and interfaces
3GPP TS 33.210, Release 17: Network Domain Security (NDS); IP network layer security
IPsec ESP shall be used with both encryption and integrity protection for all RANAP and RNSAP messages traversing inter-security domain boundaries.
Iu/Iuh and Iur/Iurh control plane traffic shall be routed via a SEG when it takes place between different security domains (in particular over those interfaces that may exist between different operator domains). In order to do so, operators shall operate NDS/IP Za-interface between SEGs. If a UTRAN node has implemented SEG functionality within the same physical entity, transport mode IPsec is optional for implementation and use on the Iur/Iurh interface.
It will be for the operator to decide whether and where to deploy Zb-interfaces in order to protect the RANAP and RNSAP messages over the Iu/Iuh and Iur/Iurh interfaces within the same security domain.
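
The requirements of D.2, expressed as an audit over a transport inventory. This is an added example, not part of TS 33.210: the Flow record, the sample flows and the operator names are constructed, and the transform names are an illustrative subset of the IANA IKEv2 registry rather than the profile this specification mandates. It does not model the embedded-SEG provision for Iur/Iurh.

```python
from dataclasses import dataclass

D2_INTERFACES = {"Iu", "Iuh", "Iur", "Iurh"}           # interfaces named in D.2
# IANA IKEv2 transform names, illustrative subset (not the TS 33.210 profile).
NO_CONFIDENTIALITY = {"", "ENCR_NULL", "ENCR_NULL_AUTH_AES_GMAC"}
AEAD = {"ENCR_AES_GCM_16", "ENCR_NULL_AUTH_AES_GMAC"}  # integrity built in

@dataclass(frozen=True)
class Flow:
    """One control-plane flow from a hypothetical transport inventory."""
    name: str
    interface: str
    src_domain: str
    dst_domain: str
    via_seg: bool      # path crosses a SEG (Za-interface)
    esp_encr: str      # ESP encryption transform, "" if there is no ESP SA
    esp_integ: str     # ESP integrity transform, "NONE" or "" if absent

def audit_flow(f: Flow) -> list[str]:
    """Return the D.2 findings for one flow; an empty list means no finding."""
    if f.interface not in D2_INTERFACES or f.src_domain == f.dst_domain:
        # Out of D.2 scope, or intra-domain (Zb use is the operator's choice).
        return []
    findings = []
    if not f.via_seg:
        findings.append("inter-domain traffic not routed via a SEG")
    if f.esp_encr in NO_CONFIDENTIALITY:
        findings.append("no ESP encryption")
    if f.esp_encr not in AEAD and f.esp_integ in ("", "NONE"):
        findings.append("no ESP integrity protection")
    return findings

def audit(flows):
    """Map flow name -> findings, only for flows with at least one finding."""
    return {f.name: r for f in flows if (r := audit_flow(f))}

# Constructed sample inventory (operator names and flows are made up).
SAMPLE = [
    Flow("rnc1-msc", "Iu", "opA", "opA", False, "", ""),
    Flow("rnc1-rnc9", "Iur", "opA", "opB", True, "ENCR_AES_GCM_16", "NONE"),
    Flow("rnc2-rnc9", "Iur", "opA", "opB", True, "ENCR_NULL", "AUTH_HMAC_SHA2_256_128"),
    Flow("hnb-gw", "Iuh", "opA", "opB", False, "ENCR_AES_CBC", "NONE"),
    Flow("rnc3-rnc9", "Iur", "opA", "opB", True, "ENCR_NULL_AUTH_AES_GMAC", "NONE"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```

The two integrity-only cases (ENCR_NULL with an HMAC, and AES-GMAC) are reported because D.2 requires both encryption and integrity protection across domain boundaries; the intra-domain Iu flow is not reported because Zb protection is left to the operator.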
Annex E (informative):
Void
Annex F (informative):
Change history

| Date | TSG # | TSG Doc. | CR | Rev | Subject/Comment | Old | New | WI |
|---|---|---|---|---|---|---|---|---|
| 03-2002 | SA_15 | SP-020117 | – | – | Approved at TSG SA#15 and placed under change control | 2.0.0 | 5.0.0 | |
| 06-2002 | SA_16 | SP-020355 | 0001 | | NDS/IP Confidentiality protection for IMS session keys | 5.0.0 | 5.1.0 | |
| 06-2002 | SA_16 | SP-020356 | 0002 | | Strengthening the requirements on IV construction to prevent attacks based on predictable IV | 5.0.0 | 5.1.0 | |
| 12-2002 | SA_18 | SP-020719 | 0003 | | Adding requirement to provide mandatory support for 3DES encryption in NDS/IP. Remove AES references and dependencies | 5.1.0 | 5.2.0 | |
| 12-2002 | SA_18 | SP-020720 | 0004 | | Securing UTRAN/GERAN IP Transport interfaces and specifically the Iu interface with NDS/IP mechanisms (Implemented after Rel-5 CR 003 included) | 5.1.0 | 6.0.0 | SECNDSIP |
| 03-2003 | SA_19 | SP-030104 | 0006 | | Za-interface and roaming agreements | 6.0.0 | 6.1.0 | SECNDSIP |
| 03-2003 | SA_19 | SP-030105 | 0008 | | Clarification to the re-keying aspects of network domain security | 6.0.0 | 6.1.0 | SECNDSIP |
| 06-2003 | SA_20 | SP-030225 | 0010 | | Use of IPsec ESP with encryption on the Za-interface | 6.1.0 | 6.2.0 | SECNDSIP |
| 09-2003 | SA_21 | SP-030488 | 0012 | | Change of IKE profiling | 6.2.0 | 6.3.0 | SECNDSIP |
| 09-2003 | SA_21 | SP-030489 | 0014 | | Update draft-ietf-ipsec-sctp-04.txt reference to new standard RFC: RFC 3554 | 6.2.0 | 6.3.0 | SECNDSIP |
| 03-2004 | SA_23 | SP-040153 | 0015 | – | Addition of AES transform | 6.3.0 | 6.4.0 | SECNDSIP |
| 06-2004 | SA_24 | SP-040374 | 0016 | – | Diffie-Hellman groups in NDS/IP | 6.4.0 | 6.5.0 | SEC-NDS-IP |
| 2005-12 | SP-30 | SP-050841 | 0017 | 2 | Extension of scope to encompass TISPAN NGN | 6.5.0 | 7.0.0 | FBI |
| 2006-09 | SP-33 | SP-060492 | 0019 | – | Clarifying the use of RFC3554 | 7.0.0 | 7.1.0 | SEC1-NDS |
| 2006-12 | SP-34 | SP-060808 | 0020 | 1 | Clarifying the use of transit security domains | 7.1.0 | 7.2.0 | SEC7-NDS |
| 2006-12 | SP-34 | SP-060808 | 0021 | 1 | Addition of reference to NDS/AF specification | 7.1.0 | 7.2.0 | SEC7-NDS |
| 2007-09 | SP-37 | SP-070590 | 0022 | 1 | Clarification on the use of the IPsec mode for the Zb-reference point | 7.2.0 | 7.3.0 | SEC1-NDS |
| 2008-03 | SP-39 | SP-080142 | 0024 | – | Introducing the support of IKEv2 for EPS | 7.3.0 | 8.0.0 | SAES |
| 2008-03 | SP-39 | SP-080142 | 0025 | 1 | Introducing the support of RFC-4303 for EPS | 7.3.0 | 8.0.0 | SAES |
| 2008-09 | SP-41 | SP-080544 | 0023 | 3 | Introduction of Network Domain Security support for 3GPP2 IMS | 8.0.0 | 8.1.0 | IMS-Sec |
| 2008-12 | SP-42 | SP-080747 | 0026 | – | Update of IKEv2 SA profile | 8.1.0 | 8.2.0 | TEI8 |
| 2009-06 | SP-44 | SP-090273 | 0027 | – | Clarification about the encryption on Za reference point | 8.2.0 | 8.3.0 | TEI8 |
| 2009-12 | – | – | – | – | Update to Rel-9 version (MCC) | 8.3.0 | 9.0.0 | – |
| 2010-06 | SP-48 | SP-100251 | 0028 | – | Correction of explanations of abbreviations CSCF and IKEvx | 9.0.0 | 9.1.0 | TEI9 |
| 2010-10 | SP-49 | SP-100474 | 0029 | 2 | IPsec Alignment | 9.1.0 | 10.0.0 | TEI10 |
| 2010-10 | SP-49 | SP-100482 | 0031 | – | Clarification on usage of ESP authentication and encryption transforms | 9.1.0 | 10.0.0 | TEI10 |
| 2010-12 | SP-50 | SP-100731 | 0033 | – | NDS corrections | 10.0.0 | 10.1.0 | TEI10 |
| 2010-12 | SP-50 | SP-100833 | 0034 | 2 | Correction of IKEv2 references and IKE usage | 10.1.0 | 11.0.0 | TEI11 |
| 2011-03 | SP-51 | SP-110019 | 0036 | 1 | Correction of Iur security | 11.0.0 | 11.1.0 | TEI10 |
| 2011-03 | SP-51 | SP-110020 | 0038 | 1 | IKEv1 usage | 11.0.0 | 11.1.0 | TEI11 |
| 2011-06 | SP-52 | SP-110269 | 0039 | – | Clarification of algorithm names and DH group usage in IKEv2 | 11.1.0 | 11.2.0 | TEI10 |
| 2011-06 | SP-52 | SP-110264 | 0041 | – | Correction of Iuh/Iurh security | 11.1.0 | 11.2.0 | TEI11 |
| 2011-12 | SP-54 | SP-110848 | 0032 | – | Introduction of reference to RFC 4301 in overview clause | 11.2.0 | 11.3.0 | Sec11 |
| 2012-06 | SP-56 | SP-120338 | 0042 | 1 | Implementation requirements for IPsec authentication transforms | 11.3.0 | 12.0.0 | SEC12 |
| 2012-09 | SP-57 | SP-120605 | 0044 | – | Clarification of integrity and confidentiality requirements for GTP-C [Rel-12] | 12.0.0 | 12.1.0 | SEC11 |
| 2012-12 | SP-58 | SP-120856 | 0045 | 1 | Specification of missing IKEv2 reauthentication | 12.1.0 | 12.2.0 | SEC12 |
| 2015-12 | SP-70 | SP-150731 | 0046 | 1 | Updating IKEv2 profiles in TS 33.210 | 12.2.0 | 13.0.0 | SEC13 |
| | | | 0047 | 1 | Updating ESP profiles in TS 33.210 | | | |
| | | | 0048 | – | Removing IKEv1 from TS 33.210 | | | |

Change history

| Date | Meeting | TDoc | CR | Rev | Cat | Subject/Comment | New version |
|---|---|---|---|---|---|---|---|
| 2016-12 | SA#74 | SP-160788 | 0049 | 1 | F | 3GPP security profile update – IPsec | 14.0.0 |
| 2018-06 | – | – | – | – | – | Update to Rel-15 version (MCC) | 15.0.0 |
| 2018-09 | SA#81 | SP-180706 | 0050 | 1 | B | Update NDS/IP scope with application layer crypto profiles | 15.1.0 |
| 2018-12 | SA#82 | SP-181022 | 0055 | – | F | Adding references for the TLS Protocol Profiles clause | 15.2.0 |
| 2018-12 | SA#82 | SP-181030 | 0056 | – | B | Update NDS/IP scope with application layer crypto profiles | 16.0.0 |
| 2019-03 | SA#83 | SP-190104 | 0057 | – | F | Correcting TLS crypto profiles | 16.1.0 |
| 2019-06 | SA#84 | SP-190354 | 0058 | 1 | F | Deprecation of TLS 1.1 | 16.2.0 |
| 2019-06 | SA#84 | SP-190354 | 0059 | – | F | References to several obsoleted RFCs | 16.2.0 |
| 2020-03 | SA#87E | SP-200143 | 0064 | 1 | B | ESP profile update | 16.3.0 |
| 2020-03 | SA#87E | SP-200143 | 0065 | – | B | TLS Recommended Cipher Suites | 16.3.0 |
| 2020-03 | SA#87E | SP-200143 | 0066 | 1 | B | Required TLS extensions and algorithms | 16.3.0 |
| 2020-03 | SA#87E | SP-200143 | 0067 | – | B | IKEv2 profile update 33.210 | 16.3.0 |
| 2020-07 | SA#88E | SP-200356 | 0068 | 2 | F | Editorial corrections to NDS/IP | 16.4.0 |
| 2020-07 | SA#88E | SP-200363 | 0069 | 1 | F | Elliptic Curve Group Size | 16.4.0 |
| 2020-07 | SA#88E | SP-200363 | 0070 | 1 | F | TLS 1.3 cipher suites | 16.4.0 |
| 2021-12 | SA#94e | SP-211379 | 0072 | – | B | Security updates for algorithms and protocols for 33.210 | 17.0.0 |
| 2022-09 | SA#97e | SP-220888 | 0073 | 1 | F | Update IPSec references to rfc8221 | 17.1.0 |
| 2022-09 | SA#97e | SP-220888 | 0074 | 1 | F | Update IPSec reference from obsolete RFC 7296 to RFC 8247 | 17.1.0 |