Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doug Bellows – Inteliquent 10/4/2018

Published byShawn Charles Modified over 6 years ago

Similar presentations

Presentation on theme: "Doug Bellows – Inteliquent 10/4/2018"— Presentation transcript:

1 Doug Bellows – Inteliquent 10/4/2018
Draft Attestation and Origination Identifier Framework Technical Report Doug Bellows – Inteliquent 10/4/2018

2 Draft Attestation and origination ID Framework TR – Contribution IPNNI-2018-00106R000
Adapted from UNI Security Whitepaper Short security analysis of SHAKEN Introduces models for use of SHAKEN in relation to UNI and NNI interfaces Proposed guidelines for attestation population Proposed guidelines for origid population Use cases for attestation in various UNI/NNI scenarios

3 SHAKEN security services
Identifies/Authenticates originating service provider Protect integrity of call parameters Identity header with cryptographic signature and PKI certificates provide both services UNI security is outside the SHAKEN mechanisms

4 UNI Security Model

5 UNI Security Model Three applicable security services:
Customer/user identity User authentication User-to-TN authorization UNI security has components in the administrative plane and services plane – may also rely on network/transport-layer services

6 UNI Security Model Per SHAKEN definitions, attestation values rely on application of first two services (value “B”) or all three services (value “A”) “Customer/user” is the direct customer of the SP and not necessarily the end user (reseller/VASP call scenarios). UNI is the interface between the SP and the customer.

7 NNI Model

8 Populating Identity header for calls received at an NNI
For calls originated by a customer to an SP within the trust domain (e.g. U.S. service providers), Identity header should be populated by the carrier hosting the UNI Some scenarios do not fall into this category, e.g. international gateways Identity headers should be passed as-is across the NNI to and from transit carriers and to terminating carriers. Within the trust domain, calls may arrive at an intermediate NNI without an Identity header (e.g. TDM interfaces, non-SHAKEN-capable SPs). Populating Identity by the intermediate SP may aid traceback but provides less information than population by the originating SP. Assume no direct knowledge of customer/user identity/authentication/authorization, so no attestation values that rely on these services

9 Origination Identifier Guidelines
Origid guidelines re-factor the text in SHAKEN – origid based on UNI or NNI interface characteristics as opposed to an attestation level determined later NNI – origid should be a reference at the granularity of the peer SP or peer SBC/IBCF UNI – granularity depends on the characteristics of the interface and user: If the SP controls calling TN marking (network marking or TN filtering), origid reference may be at a granularity other than UNI or customer (e.g. access network or region) as might be useful for the SP to locate the source. If the customer controls calling TN marking, origid reference should be at the granularity of customer or UNI Privacy concerns – origid is an opaque value outside the originating SP. If tied permanently to a personal/small business UNI it could reveal information on calling patterns not immediately obvious based on calling TN alone. Possibly origid for an individual/small business UNI should not be a permanent reference (e.g. it persists for <24 hours or the length of a SIP registration to drive analytics).

10 UNI/NNI Use Cases - Customer/TN Identity
Direct individual assignment Customer/TN ID may be interchangable Prepaid account Customer may not be strongly identified Enterprise Multiple TNs per customer, possibly multiple SPs Communication reseller TNs assigned to reseller or end user, end users are known only to reseller Value-added service provider Calls may be originated by end user or by VASP, TNs may be assigned to either

11 UNI/NNI Use Cases – Customer/user authentication
Device Device-resident credentials/SIM, cryptographic transaction, other factors Account User-provided credentials (e.g. username/password), SIP registration, other factors Network IP address whitelist, VPN, dedicated connections

12 UNI/NNI Use Cases – Calling TN authorization/screening
SP marking Direct assignment Contract relationship “Letter of Authorization” Independent authorization check Indirect No validation

13 UNI/NNI Example Use Cases
End user Customer/ Inter- connecting entity TN assigned to TN assigned by Identity established by Authentication type Authorization established by Attestation result Mobile subscriber Same as end user Subscriber Originating SP Customer name/address/credit checks Device Direct assignment A Enterprise PBX Enterprise customer Other SP Customer ID/pre-shared key, IP network ACL Letter of Authorization Individual or enterprise VASP Customer name/address/credit checks, end-user traced through customer Customer ID/IP network ACL Direct assignment, terms of use (customer responsible for end use) Non-domestic entity Gateway provider Non- domestic provider/not determined Not determined (gateway provider not the originating SP) Network interconnection Not determined C Reseller Terms of use A or B based on terms enforcement

Download ppt "Doug Bellows – Inteliquent 10/4/2018"

Similar presentations

LinkSec Architecture Attempt 3

LinkSec Architecture Attempt 3
Secure Communication Architectures.

Secure Communication Architectures.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.

Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.
DOCUMENT #: GSC15-GTSC8-06 FOR: Presentation SOURCE: ATIS AGENDA ITEM: GTSC8; 4.2 CONTACT(S): Art Reilly ATIS Cybersecurity.

DOCUMENT #: GSC15-GTSC8-06 FOR: Presentation SOURCE: ATIS AGENDA ITEM: GTSC8; 4.2 CONTACT(S): Art Reilly ATIS Cybersecurity.
Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.

Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.
Draft-rosen-ecrit-emergency- framework-00 Brian Rosen NeuStar CPa-060006.

Draft-rosen-ecrit-emergency- framework-00 Brian Rosen NeuStar CPa
GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements draft-tschofenig-geopriv-l7-lcp-ps-00.txt Hannes Tschofenig, Henning.

GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements draft-tschofenig-geopriv-l7-lcp-ps-00.txt Hannes Tschofenig, Henning.
Certificate Credentials STIR WG IETF 91 (Honolulu) Sean Jon.

Certificate Credentials STIR WG IETF 91 (Honolulu) Sean Jon.
Slide title In CAPITALS 50 pt Slide subtitle 32 pt Authentication/Authorization for possible deployments Relevant scenarios for CAFE.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt Authentication/Authorization for possible deployments Relevant scenarios for CAFE.
M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date: 2014-01-27.

M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date:
Timeline – Standards & Requirements

Timeline – Standards & Requirements
IPSec Detailed Description and VPN

IPSec Detailed Description and VPN
draft-rescorla-fallback-01

draft-rescorla-fallback-01
User-group-based Security Policy for Service Layer

User-group-based Security Policy for Service Layer
Firewall Issues Research Group GGF-15 Oct 4 2005 Boston, Ma Leon Gommans - University of Amsterdam Inder Monga - Nortel Networks.

Firewall Issues Research Group GGF-15 Oct Boston, Ma Leon Gommans - University of Amsterdam Inder Monga - Nortel Networks.
sip-identity-04 Added new response codes for various conditions

sip-identity-04 Added new response codes for various conditions
Encryption and Network Security

Encryption and Network Security
IP-NNI Joint Task Force Status Update

IP-NNI Joint Task Force Status Update

Similar presentations

Ads by Google