ITU-T H 248 91-2014 Gateway control protocol Guidelines on the use of ITU-T H 248 capabilities for transport security in TLS networks in ITU-T H 248 profiles (Study Group 16)《为ITU-.pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T H.248.91 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2014) SERIES H: AUDIOVISUAL AND MULTIMEDIA SYSTEMS Infrastructure of audiovisual services Communication procedures Gateway control protocol: Guidelines on the use

2、 of ITU-T H.248 capabilities for transport security in TLS networks in ITU-T H.248 profiles Recommendation ITU-T H.248.91 ITU-T H-SERIES RECOMMENDATIONS AUDIOVISUAL AND MULTIMEDIA SYSTEMS CHARACTERISTICS OF VISUAL TELEPHONE SYSTEMS H.100H.199 INFRASTRUCTURE OF AUDIOVISUAL SERVICES General H.200H.219

3、 Transmission multiplexing and synchronization H.220H.229 Systems aspects H.230H.239 Communication procedures H.240H.259 Coding of moving video H.260H.279 Related systems aspects H.280H.299 Systems and terminal equipment for audiovisual services H.300H.349 Directory services architecture for audiovi

4、sual and multimedia services H.350H.359 Quality of service architecture for audiovisual and multimedia services H.360H.369 Telepresence H.420H.429 Supplementary services for multimedia H.450H.499 MOBILITY AND COLLABORATION PROCEDURES Overview of Mobility and Collaboration, definitions, protocols and

5、 procedures H.500H.509 Mobility for H-Series multimedia systems and services H.510H.519 Mobile multimedia collaboration applications and services H.520H.529 Security for mobile multimedia systems and services H.530H.539 Security for mobile multimedia collaboration applications and services H.540H.54

6、9 Mobility interworking procedures H.550H.559 Mobile multimedia collaboration inter-working procedures H.560H.569 BROADBAND, TRIPLE-PLAY AND ADVANCED MULTIMEDIA SERVICES Broadband multimedia services over VDSL H.610H.619 Advanced multimedia services and applications H.620H.629 Ubiquitous sensor netw

7、ork applications and Internet of Things H.640H.649 IPTV MULTIMEDIA SERVICES AND APPLICATIONS FOR IPTV General aspects H.700H.719 IPTV terminal devices H.720H.729 IPTV middleware H.730H.739 IPTV application event handling H.740H.749 IPTV metadata H.750H.759 IPTV multimedia application frameworks H.76

8、0H.769 IPTV service discovery up to consumption H.770H.779 Digital Signage H.780H.789 E-HEALTH MULTIMEDIA SERVICES AND APPLICATIONS Interoperability compliance testing of personal health systems (HRN, PAN, LAN and WAN) H.820H.859 Multimedia e-health data exchange services H.860H.869 For further deta

9、ils, please refer to the list of ITU-T Recommendations. Rec. ITU-T H.248.91 (10/2014) i Recommendation ITU-T H.248.91 Gateway control protocol: Guidelines on the use of ITU-T H.248 capabilities for transport security in TLS networks in ITU-T H.248 profiles Summary Recommendation ITU-T H.248.91 provi

10、des guidelines on the use of secured IP bearer traffic according to the transport layer security (TLS) technology in ITU-T H.248 profiles. These guidelines may be used by other standards developing organizations (SDOs) when defining their ITU-T H.248.1 profiles in support of TLS. History Edition Rec

11、ommendation Approval Study Group Unique ID* 1.0 ITU-T H.248.91 2014-10-14 16 11.1002/1000/12242 _ * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/118

12、30-en. ii Rec. ITU-T H.248.91 (10/2014) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent org

13、an of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the

14、topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are

15、prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendatio

16、n may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used

17、to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectua

18、l Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received not

19、ice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU

20、2015 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T H.248.91 (10/2014) iii Table of Contents Page 1 Scope . 1 2 References . 2 3 Definitions 2 3.1 Terms defined elsewhere 2 3.2 Terms defined in this

21、 Recommendation . 3 4 Abbreviations and acronyms 3 5 Conventions 3 6 Requirements for control the MG mode of operation 4 6.1 TLS transport mode 4 6.2 MG mode of operation for case of TLS-over-TCP transport . 4 7 Requirements given by a TLS Profile concept . 6 7.1 Requirements to such a TLS profile .

22、 6 7.2 Requirements to elements of TLS profiles . 6 8 Requirements on TLS procedures 7 8.1 Selection of the TLS domain 7 8.2 Client/Server Mode 8 8.3 Behavioural requirements for authentication . 9 8.4 Renegotiation of security parameters . 13 8.5 Termination of the TLS/TCP session . 14 8.6 Reportin

23、g unsuccessful TLS connection set-up . 14 8.7 TLS statistics 14 8.8 Auditing of TLS related capabilities by the MGC . 15 9 Performance and resource aspects 15 10 ITU-T H.248 profile specification guidelines 15 10.1 Profile identification . 15 10.2 Summary . 15 10.3 Gateway control protocol version 1

24、5 10.4 Connection model . 16 10.5 Context attributes 16 10.6 Terminations . 16 10.7 Descriptors 16 10.8 Command API 17 10.9 Generic command syntax and encoding . 18 10.10 Transactions 18 10.11 Messages . 18 10.12 Transport . 18 10.13 Security . 18 iv Rec. ITU-T H.248.91 (10/2014) Page 10.14 Packages

25、 . 18 10.15 Mandatory support of SDP and ITU-T H.248.1 Annex C information elements 28 10.16 Optional support of SDP and ITU-T H.248.1 Annex C information elements 28 10.17 Procedures 28 Appendix I Use case specific capability sets Two examples . 29 I.1 Overview 29 Bibliography. 31 Rec. ITU-T H.248.

26、91 (10/2014) 1 Recommendation ITU-T H.248.91 Gateway control protocol: Guidelines on the use of ITU-T H.248 capabilities for transport security in TLS networks in ITU-T H.248 profiles 1 Scope Transport layer security (TLS) is a cryptographic protocol that provides secure communication between two IP

27、 transport endpoints. This Recommendation: describes example use cases; defines the basic requirements to secure the bearer path connection between a media gateway (MG) and a remote endpoint through TLS; references suitable ITU-T H.248 signalling capabilities in terms of ITU-T H.248 packages as defi

28、ned by other ITU-T H.248.x-series Recommendations; and defines a protocol solution in style of a generic profile (which covers usage information of package(s) and procedures) as a guideline for final profile specifications. The scope and purpose of this Recommendation is illustrated in Figure 1: H .

29、 2 4 8 . 9 1 (1 4 )_ F 0 1I T U - T H . 2 4 8 p r o f i l e s p e c i f i c a t i o nP r o f i l e s p e c i f i c a t i o n g u i d e l i n e s ( t h i s R e c o m m e n d a t i o n )U s e ca s esR e q u i r e m e n t sR e f e r e n c e s t o s u i t a b l eI T U - T H . 2 4 8 t o o l s( N o t e )G

30、 e n e r i c p r o f i l e d e f i n i t i o n( s p e c i f i c a t i o n g u i d e l i n e s )NOTE E.g., ITU-T H.248 packages according to ITU-T H.248.84, ITU-T H.248.89, ITU-T H.248.90, etc. Figure 1 Scope, structuring principle and framework of this Recommendation The primary audience of this Rec

31、ommendation are therefore authors of ITU-T H.248 profile specifications, which aim to support a particular network use case with TLS encrypted bearer traffic (based on the example use cases from Appendix II of ITU-T H.248.90).This Recommendation is organized as follows: examples; principal requireme

32、nts are subject of clauses 6 to 9, categorized in capabilities with regards to the mode of operation of a MG, TLS profile concepts and TLS protocol specific requirements; and profile specification guidelines in clause 10 (which follows the profile structure of the ITU-T H.248 profile template accord

33、ing to ITU-T H.248.1). 2 Rec. ITU-T H.248.91 (10/2014) 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Reco

34、mmendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularl

35、y published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T H.248.1 Recommendation ITU-T H.248.1 (2013), Gateway control protocol: Version 3. ITU-T H.248.84 Recommendation ITU-T H.248.84 (2012), Gateway contro

36、l protocol: NAT traversal for peer-to-peer services. ITU-T H.248.89 Recommendation ITU-T H.248.89 (2014), Gateway control protocol: TCP support packages. ITU-T H.248.90 Recommendation ITU-T H.248.90 (2014), Gateway control protocol: ITU-T H.248 packages for control of transport security using transp

37、ort layer security (TLS). ITU-T X.509 Recommendation ITU-T X.509 (2012), Information technology Open systems interconnection The Directory: Public-key and attribute certificate frameworks. IETF RFC 793 IETF RFC 793 (1981), Transmission Control Protocol DARPA Internet Program Protocol Specification.

38、IETF RFC 2712 IETF RFC 2712 (1999), Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). IETF RFC 3436 IETF RFC 3436 (12/2002), Transport layer security over stream control transmission protocol. IETF RFC 4120 IETF RFC 4120 (2005), The Kerberos Network Authentication Service (V5). I

39、ETF RFC 4145 IETF RFC 4145 (2005), TCP-Based Media Transport in the Session Description Protocol (SDP). IETF RFC 4279 IETF RFC 4279 (2005), Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). IETF RFC 4572 IETF RFC 4572 (2006), Connection-Oriented Media Transport over the Transport Layer

40、 Security (TLS) Protocol in the Session Description Protocol (SDP). IETF RFC 4583 IETF RFC 4583 (2006), Session Description Protocol (SDP) Format for Binary Floor Control Protocol (BFCP) Streams. IETF RFC 5246 IETF RFC 5246 (2008), The Transport Layer Security (TLS) Protocol Version 1.2. 3 Definitio

41、ns 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: See TLS related terminology in ITU-T H.248.90. Rec. ITU-T H.248.91 (10/2014) 3 3.2 Terms defined in this Recommendation None. 4 Abbreviations and acronyms This Recommendation uses the following abbreviatio

42、ns and acronyms: AN Access Network API Application Program Interface BFCP Binary Floor Control Protocol CA Certification Authority CN Core Network CS Capability Set DB Data Base e2ae End-to-Access-Edge (security model) IP Internet Protocol IWF Interworking Function Lx Layer number MG Media Gateway M

43、GC Media Gateway Controller NAPT Network Address and Port Translation PSK Pre-Shared Key SCTP Stream Control Transmission Protocol SDO Standards Developing Organization SDP Session Description Protocol SEP Stream Endpoint SHA Secure Hash Algorithm TCP Transport Control Protocol TLS Transport Layer S

44、ecurity UE User Equipment 5 Conventions This Recommendation provides a list of items, labelled as R-x/y, where x refers to the clause number and y a number within that clause. Such items use the following keywords with meanings as prescribed below: The keywords “is required to“ indicate a requiremen

45、t which must be strictly followed and from which no deviation is permitted if conformance to this Recommendation is to be claimed. The keywords “is prohibited from“ indicate a requirement which must be strictly followed and from which no deviation is permitted if conformance to this Recommendation i

46、s to be claimed. The keywords “is recommended“ indicate a requirement which is recommended but which is not absolutely required. Thus this requirement need not be present to claim conformance. 4 Rec. ITU-T H.248.91 (10/2014) The keywords “can optionally“ indicate an optional requirement which is per

47、missible, without implying any sense of being recommended. This term is not intended to imply that the vendors implementation must provide the option and the feature can be optionally enabled by the network operator/service provider. Rather, it means the vendor may optionally provide the feature and

48、 still claim conformance with the Recommendation. 6 Requirements for control the MG mode of operation 6.1 TLS transport mode TLS is designed as a transport-independent protocol, just making the assumption of “reliable transport“ of the underlying protocol (see section 1 of IETF RFC 5246). Support of

49、 one or multiple TLS transport mode(s) is required. R-6.1/1: Transport mode “TLS-over-TCP“. NOTE This requirement would be applicable for the very majority of use cases. R-6.1/2: Transport mode “TLS-over-SCTP“ IETF RFC 3436. It may be noted that TLS protocol procedures need to be decoupled from protocol procedures of the underlying transport protocol. 6.2 MG mode of operation for case of TLS-over-TCP transport A p