International Telecommunication Union

ITU-T H.248.90
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(10/2014)

SERIES H: AUDIOVISUAL AND MULTIMEDIA SYSTEMS
Infrastructure of audiovisual services
Communication procedures

Gateway control protocol: ITU-T H.248 packages for control of transport security using transport layer security (TLS)

Recommendation ITU-T H.248.90
Rec. ITU-T H.248.90 (10/2014)

Recommendation ITU-T H.248.90

Gateway control protocol: ITU-T H.248 packages for control of transport security using transport layer security (TLS)

Summary

Transport layer security (TLS) is a session layer protocol for securing IP transport protocols. TLS bearer plane traffic could be terminated or forwarded by ITU-T H.248 media gateways. Recommendation ITU-T H.248.90 provides multiple ITU-T H.248 packages for support of TLS, including the establishment, negotiation, release and performance monitoring of TLS sessions, complemented by models, considerations of package mode operations and signalling flows.

History

Edition | Recommendation | Approval | Study Group | Unique ID*
1.0 | ITU-T H.248.90 | 2014-10-14 | 16 | 11.1002/1000/12241

* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2015

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents
1 Scope 1
1.1 Applicability statements 1
2 References 2
3 Definitions 3
3.1 Terms defined elsewhere 3
3.2 Terms defined in this Recommendation 3
4 Abbreviations and acronyms 4
5 Conventions 6
5.1 Conventions used in signalling flows 6
5.2 TLS endpoint notations 6
5.3 Important notation derived from TLS presentation language 7
6 Use case descriptions 7
6.1 Use cases related to TLS transport modes 7
6.2 Bearer connection network use cases with ITU-T H.248 IP-IP gateways 8
6.3 Bearer connection network use cases with ITU-T H.248 "TCP to non-TCP" gateways 10
6.4 Bearer connection network use cases with multiparty services using TCP transport (e.g., ITU-T H.248.69 gateway) 10
7 Models 10
7.1 Network model from ITU-T H.248 entity point of view 10
7.2 Bearer connection model 11
8 TLS basic session control package 12
8.1 Properties 13
8.2 Events 14
8.3 Signals 15
8.4 Statistics 16
8.5 Error codes 16
8.6 Procedures 16
9 TLS-specific stream endpoint interlinkage procedures 21
9.1 Introduction 21
9.2 Procedures 21
10 TLS capability negotiation package 24
10.1 Properties 24
10.2 Events 27
10.3 Signals 27
10.4 Statistics 27
10.5 Error codes 27
10.6 Procedures 28
11 TLS session maintenance package 31
11.1 Properties 32
11.2 Events 32
11.3 Signals 33
11.4 Statistics 34
11.5 Error codes 34
11.6 Procedures 34
12 TLS traffic volume metrics package 36
12.1 Properties 36
12.2 Events 36
12.3 Signals 36
12.4 Statistics 36
12.5 Error codes 44
12.6 Procedures 44
13 Package-less TLS control 47
13.1 Related to TLS session establishment 47
13.2 Related to TLS authentication 51
13.3 Related to TLS session release 52
14 The TLS profile concept 52
14.1 TLS protocol profiles 52
14.2 Illustration of TLS profile concept 53
14.3 Example for the TLS MG profile concept 54
15 Security considerations 55
Annex A State modelling for TLS bearer connection endpoints 56
A.1 Introduction and purpose 56
A.2 Original state model for TLS session endpoints 56
A.3 Simplified state model for ITU-T H.248-based TLS basic session control 56
Annex B TLS protocol layer: Data model 58
B.1 Motivation 58
B.2 Data model 58
B.3 Terminology based on data model 61
Appendix I Sample use cases of TLS bearer encryption 62
I.1 Use case #I.1 "Terminal-to-MG TLS session, provisioned TLS service negotiation" 62
I.2 Use case #I.2 "Terminal-to-MG TLS session, MGC-controlled TLS service negotiation" 63
I.3 Use case #I.3 "WebRTC to NGN/IMS interworking function with DTLS-to-TLS support" 63
I.4 Use case #I.4 "TLS-based transport security for facsimile packet relay service T.38" 63
Appendix II Example call flows 65
II.1 TLS to non-TLS interworking with TCP as example bearer type 65
Appendix III Example TLS profiles 74
III.1 Typical Internet TLS profile 74
III.2 3GPP TLS domain profile 75
III.3 OMA TLS domain profiles 76
III.4 IETF minimum TLS domain profile 77
III.5 IETF example of a national TLS domain profile 78
III.6 ITU-T TLS domain profile for NGN signalling and management plane 78
Appendix IV Illustration of protocol semantics of the TLS basic session control package 79
IV.1 Overview 79
IV.2 Conventions 79
IV.3 Establishment of TLS security sessions 79
IV.4 Release of TLS security sessions 81
Appendix V Illustration of the TLS-specific interlinkage procedures 83
V.1 Overview 83
V.2 Conventions 83
V.3 Usage of SEPP interlinkage 83
V.4 Usage of protocol layers interlinkage 83
Appendix VI TLS alert protocol from ITU-T H.248 gateway perspective 91
VI.1 Background 91
VI.2 ITU-T H.248 gateway framework concerning TLS alert handling 91
VI.3 TLS error alerts categorization 91
VI.4 Final considerations 92
Appendix VII TLS session resumption framework 93
VII.1 Introduction 93
VII.2 Brief summary of TLS session resumption 93
VII.3 Example use cases 93
VII.4 Final considerations and guidelines 98
Bibliography 100

Recommendation ITU-T H.248.90

Gateway control protocol: ITU-T H.248 packages for control of transport security using transport layer security (TLS)

1 Scope

Transport layer security (TLS) is a cryptographic protocol
that provides secure communication between two IP transport connection endpoints. This Recommendation defines, in general, ITU-T H.248 signalling elements for support of TLS in various options. This Recommendation provides, in more detail, information about:

– basic exchange architecture of keying information between the control plane (including the ITU-T H.248 interface) and the bearer plane;
– negotiation aspects: indication and determination of cryptographic capabilities between TLS endpoints;
– minimum amount of information carried by ITU-T H.248 for establishing ITU-T H.248 TLS/L4 terminations (Note);
  NOTE – Some information could be provisioned via management, and there is also TLS information exchanged via the (L4) bearer interface with the remote TLS endpoint.
– TLS procedures in detail at the various TLS sublayers, i.e., for support of the TLS record protocol, TLS handshake protocol, TLS change cipher spec protocol, TLS alert protocol and TLS application data protocol;
– profiling of TLS services;
– specifying a set of cipher suites;
– consideration of ITU-T H.248 MG modes of operation and connection models; and
– SDP- versus Property-based TLS endpoint control.

The scope of this Recommendation is limited to the TLS protocol (the DTLS partner protocol is the subject of another Recommendation).

1.1 Applicability statements

Table 1 summarizes all possible TLS-based interfaces of ITU-T H.248 entities, under the assumption of an underlying IP network, and their relevance for this Recommendation.

Table 1 – Principal TLS-based interfaces of ITU-T H.248 entities and their relevance for this Recommendation

TLS-based transport at | ITU-T H.248 entity | This Recommendation
Call control interface (e.g., SIP) | MGC | Out of scope.
Gateway control interface (ITU-T H.248) | MGC, MG | Out of scope. Possible ITU-T H.248 transport modes are indicated by ITU-T H.248.67. Usage of a TLS-based ITU-T H.248 transport mode would typically be specified by an ITU-T H.248 profile (as part of clause 6.10 in the profile definition template; see Appendix III in ITU-T H.248.1).
Bearer interface | MG | In scope.

2 References

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document
within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T H.248.1] Recommendation ITU-T H.248.1 (2005), Gateway control protocol: Version 3.
[ITU-T H.248.8] Recommendation ITU-T H.248.8 (2013), Gateway control protocol: Error code and service change reason description.
[ITU-T H.248.37] Recommendation ITU-T H.248.37 (2008), Gateway control protocol: IP NAPT traversal package.
[ITU-T H.248.50] Recommendation ITU-T H.248.50 (2010), Gateway control protocol: NAT traversal toolkit packages.
[ITU-T H.248.67] Recommendation ITU-T H.248.67 (2009), Gateway control protocol: Transport mode indication package.
[ITU-T H.248.69] Recommendation ITU-T H.248.69 (2009), Gateway control protocol: Packages for interworking between MSRP and H.248.
[ITU-T H.248.78] Recommendation ITU-T H.248.78 (2013), Gateway control protocol: Bearer-level application level gateway.
[ITU-T H.248.80] Recommendation ITU-T H.248.80 (2014), Gateway control protocol: Usage of the revised SDP offer/answer model with ITU-T H.248.
[ITU-T H.248.84] Recommendation ITU-T H.248.84 (2012), Gateway control protocol: NAT traversal for peer-to-peer services.
[ITU-T H.248.88] Recommendation ITU-T H.248.88 (2014), Gateway control protocol: RTP topology dependent RTCP handling by ITU-T H.248 media gateways with IP terminations.
[ITU-T H.248.89] Recommendation ITU-T H.248.89 (2014), Gateway control protocol: TCP support packages.
[ITU-T H.248.91] Recommendation ITU-T H.248.91 (2014), Gateway control protocol: Guidelines on the use of ITU-T H.248 capabilities for transport security in TLS networks in ITU-T H.248 profiles.
[ITU-T H.248.92] Recommendation ITU-T H.248.92 (2014), Gateway control protocol: Stream endpoint interlinkage package.
[ITU-T H.248.93] Recommendation ITU-T H.248.93 (2014), Gateway control protocol: ITU-T H.248 support for control of tran