ISO_IEC_TR_16166_2010E.pdf

Reference numberISO/IEC TR 16166:2010(E)ISO/IEC 2010 TECHNICAL REPORT ISO/IECTR16166First edition2010-08-01 Information technology Telecommunications and information exchange between systems Next Generation Corporate Networks(NGCN)Security of session-based communications Technologies de linformation Tlinformatique Rseaux dentreprise de prochaine gnration(NGCN)Scurit des communications sur la base de sessions ISO/IEC TR 16166:2010(E)PDF disclaimer This PDF file may contain embedded typefaces.In accordance with Adobes licensing policy,this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing.In downloading this file,parties accept therein the responsibility of not infringing Adobes licensing policy.The ISO Central Secretariat accepts no liability in this area.Adobe is a trademark of Adobe Systems Incorporated.Details of the software products used to create this PDF file can be found in the General Info relative to the file;the PDF-creation parameters were optimized for printing.Every care has been taken to ensure that the file is suitable for use by ISO member bodies.In the unlikely event that a problem relating to it is found,please inform the Central Secretariat at the address given below.COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2010 All rights reserved.Unless otherwise specified,no part of this publication may be reproduced or utilized in any form or by any means,electronic or mechanical,including photocopying and microfilm,without permission in writing from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel.+41 22 749 01 11 Fax +41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2010 All rights reserved ISO/IEC TR 16166:2010(E)ISO/IEC 2010 All rights reserved iii Contents Page Foreword.vIntroduction.vi1 Scope.12 References.13 Terms and definitions.33.1 External definitions.33.2 Other definitions.44 Abbreviations.45 Background.56 General principles.56.1 Threats and counter-measures.56.2 Threats to session level security.66.3 Authorisation.76.4 Security and mobile users.86.5 Security and NGN.86.6 Security and software status.86.7 Call recording and audit.87 Signalling security.87.1 Security of access to session level services.97.2 Securing a SIP signalling hop.97.2.1 TLS for securing SIP signalling.107.2.2 IPsec for security SIP signalling.107.2.3 The role of SIP digest authentication.107.3 Ensuring that all SIP signalling hops are secured.117.4 End-to-end signalling security.127.4.1 End-to-end security using S/MIME.127.4.2 Near end-to-end security using SIP Identity.137.5 Authenticated identity delivery.137.5.1 P-Asserted-Identity(PAI).147.5.2 Authenticated Identity Body(AIB).147.5.3 SIP Identity.147.5.4 Authenticated response identity.157.6 NGN considerations.167.7 Public Switched Telephony Network(PSTN)interworking.178 Media security.188.1 SRTP.188.2 Key management for SRTP.188.2.1 Key management on the signalling path.188.2.2 Key management on the media path.208.3 Authentication.218.3.1 Authentication with key management on the signalling path.218.3.2 Authentication with DTLS-SRTP.228.3.3 Authentication with ZRTP.228.4 Media recording.228.5 NGN considerations.239 Use of certificates.2410 User interface considerations.24ISO/IEC TR 16166:2010(E)iv ISO/IEC 2010 All rights reserved 11 Summary of requirements,recommendations and standardisation gaps.2511.1 Requirements on NGNs.2511.2 Recommendations on enterprise networks.2511.3 Standardisation gaps.26 ISO/IEC TR 16166:2010(E)ISO/IEC 2010 All rights reserved v Foreword ISO(the International Organization for Standardization)and IEC(the International Electrotechnical Commission)form the specialized system for worldwide standardization.National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity.ISO and IEC technical committees collaborate in fields of mutual interest.Other international organizations,governmental and non-governmental,in liaison with ISO and IEC,also take part in the work.In the field of information technology,ISO and IEC have established a joint technical committee,ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives,Part 2.The main task of the joint technical committee is to prepare International Standards.Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.Publication as an International Standard requires approval by at least 75%of the national bodies casting a vote.Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights.ISO and IEC shall not be held responsibl