Motivation

While the public switched telephone networks (PSTNs) that use circuit based technology are relatively secure, security threats on the evolving telecommunications infrastructure are on the increase – both in frequency and in complexity. Efforts over the years to secure packet infrastructures have been somewhat fragmented and event-driven and so far have failed to produce the desired level of protection against threats. This issue is complicated by the large number of organizations working on various aspects of security, making coordination and cooperation difficult and challenging.

Recognizing that security is one of the defining features of NGN, it is essential to put in place a set of standards that will guarantee, to the maximum degree possible, the security of the NGN. One example of a new application and architecture, which requires specific and new set of mechanisms is IPTV.

A major development that needs detailed standardization is NGN identity management (IdM). In particular, Study Group 13 needs to address, in the context of NGN, the broad IdM issues of concern to telecom network/service providers, governments, and end users. This includes assertion and assurance of entity identities (e.g. user, device, service providers) noted in the following, non-exhaustive list:

• Efficient support of subscriber services (e.g. NGN services and applications) using common IdM infrastructure to support multiple applications including inter-network communications
• Appropriate secure provisioning of the network devices
• Ease of use and single sign-on / sign-off
• Public safety services
• International emergency and priority services
• Electronic government (e-Government) services
• Privacy/user control of personal information (i.e. protection of personal identifiable information [PPII])
• Security (e.g. confidence of transactions, protection from identity (ID) theft) and protection of NGN infrastructure, resources (services and applications) and end users information
• National security and critical infrastructure protection

• Provide for maximal network and end-user resource protection
• Allow for highly-distributed intelligence end-to-end
• Allow for co-existence of multiple networking technologies
• Provide for end-to-end security mechanisms
• Provide for security solutions that apply over multiple administrative domains
• Provide for secure identity management, which involves, but not limited to:
  • Reliable authentication of the NGN entities (e.g. users, user devices, network providers, service providers, identity providers, etc.)
  • Prevention of the unauthorized access to identity data in NGN
  • Secure exchange of identity information among federated entities in NGN
  • Support for the record-keeping of the use of identity information in NGN
  • Support for the user privacy and anonymity in NGN
  • Capability of supporting the NGN users to securely manage their identity information (e.g. modifying user profiles, changing passwords, enabling location-based services, viewing billing records, etc.)
• Provide for security solutions for IPTV that are cost-effective and have acceptable impact on the performance, quality of service, usability, and scalability. The types of protection that IPTV security should provide include, but not limited to:
  • Content protection
  • Service protection
  • Network protection
  • Terminal protection
  • Subscriber protection
• Provide for security solutions, which support the cases where the mobile terminal serves as a payment or banking terminal, and the NGN network is used as a transport system to carry transaction flows. The security issues addressed here include network and interface capabilities and functions to support:
  • Transaction protection
  • Privacy policy
  • Financial infrastructure protection
  • Subscriber protection
  • Identity management aspects
• The complexity of the issue necessitates a systematic study of general security mechanisms and applications developed in ITU-T Study Group 17, the lead study group on security, ISO/IEC JTC 1/SC 27, ATIS, 3G Partnership Projects, IETF, and other applicable SDOs as well as interface and protocol specific mechanisms developed in the relevant ITU-T study groups and the IETF working groups.

Recommendations under responsibility of this Question include: Y.2701, Y.2702, etc.

Question

Study items to be considered include, but are not limited to:

• What new Recommendations, enhancements to existing Recommendations or guidance to other study groups are needed to standardize identification and cataloguing NGN threats and vulnerabilities?
• What are the security requirements of NGN to effectively counter these threats? Which of these requirements should be included in all next generation networks and which could be offered as an optional service?
• What new Recommendations or guidance are necessary to enable comprehensive, end-to-end security in NGN that span across multiple heterogeneous administrative domains?
• What new Recommendations or guidance are necessary to enable attachment of terminals in a secure fashion, including authentication, authorization, and accounting (AAA) considerations, to NGN?
• How to define security architecture of identity management in next generation networks?
• What are security requirements to identity management in NGN?
• What new Recommendations are needed for supporting security requirements of identity management in NGN?
• What new Recommendations are needed for supporting secure interoperability among different circles of trusts (CoT) in NGN?
• What are security requirements of IPTV as its study evolves?
• What new NGN Recommendations are needed for supporting security requirements of IPTV?
• What new NGN Recommendations are needed for supporting security of financial transactions
• What enhancements to existing Recommendations are required to provide energy savings directly or indirectly in information and communication technologies (ICTs) or in other industries? What enhancements to developing or new Recommendations are required to provide such energy savings?

Tasks

Tasks include, but are not limited to:

• Lead the NGN-specific security project-level issues within Study Group 13 and with other study groups.
• Ensure the developed NGN architecture is consistent with accepted security principles.
• Ensure that AAA principles are integrated as required throughout the NGN.
• Ensure that identity management solutions meet security requirements of NGN.
• Ensure that security solutions for IPTV are consistent with security requirements of NGN.

Specifically,

• Study and define the functional architectural concepts for integration of a common identity management (IdM) infrastructure in the NGN architecture to be used by multiple NGN application and services (e.g. IPTV, voice and data).
• Study and define the functional architectural concepts for the exchange of IdM information between next generation networks, and IdM bridging/interoperability between an NGN and other different types of networks (e.g. the public Internet).
• Study and specify the components capabilities (e.g. discovery, policy and trust model, authentication and authorization, assertions, credential lifecycle management) of a framework and the associated requirements for NGN IdM.
• Study and specify the requirements and capabilities for NGN identity assurance (e.g. assurance levels and authentication method). This includes mechanisms to allow mapping and interworking between different assurance approaches and methods that might be adopted in various national networks.
• Study and specify requirements and guidelines for NGN support of authentication capabilities using biometrics (tele-biometrics), smart cards and security tokens. This includes requirements and guidelines to protect biometric data, smart cards, and security tokens assurance capabilities used to support services/applications such as tele-medicine, e-Government services, and national/inter-national government services?
• Identify the internal and external interfaces in the NGN for exchange of IdM information. Define the interface specification including protocols and mechanisms (e.g. SAML, Diameter, SIP).
• Study and define requirements for protection of an end user subscriber’s personally identifiable information (PII) in the NGN. This includes requirements and approaches to allow user control of PII and network mechanisms for adherence to policy regarding PII and information dissemination.
• Study and define the requirements to protect IdM systems. Provide guidelines and approaches on how to use IdM capabilities as a means for NGN providers to exchange information and coordinate responses against cyber-attacks.
• Study and define the use scenarios, requirements, architecture, and information flows for the security of mobile financial environment.
• Consider enhancements to existing Recommendations are required to provide energy conservation directly or indirectly in information and communication technologies (ICTs) or in other industries. Consider enhancements to developing or new Recommendations are required to provide energy conservation.

Approval procedure

Traditional Approval Procedure shall be the default for all Draft Recommendations developed by Q.16/13.

Relationships

Recommendations: X.800-series, Y-series

Questions: Relevant Questions on NGN networking, architecture, and QoS (where authentication and authorization are required for access to resources)

Study groups: All ITU-T Study Groups, ITU-R, ITU-D

Standardization bodies, fora, and consortia:

• ISO/IEC JTC1 SC 27
• ATIS
• ETSI
• TIA
• IETF
• 3GPP
• 3GPP2
• DSL Forum
• OMA
• OASIS
• Liberty Alliance