SACM Working Group                                            X. Zhuang
Internet Draft                                                    M. Qi
Intended status: Informational                                   J. Zhu
Expires: September 20, 2014                                China Mobile
                                                         March 20, 2014

                     Telecommunication Requirement
                     draft-zhuang-sacm-telereq-01

Abstract

   This memo describes an additional use case based on a
   telecommunication scenario, which also fits the common enterprise
   scenario.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on August 8, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Zhuang                  Expires August 8, 2014                 [Page 1]

Internet-Draft         Telecommunication Requirement           Feb 2014

Table of Contents

   1. Introduction ................................................. 2
   2. Conventions used in this document ............................ 2
   3. Problem Statement ............................................ 2
      3.1. Background of telecommunication device use cases ......... 2
      3.2. Problem statement ........................................ 3
   4. New use cases for telecommunication equipment ................ 4
      4.1. Security policy Guidance setting ......................... 4
   5. Security Considerations ...................................... 4
   6. IANA Considerations .......................................... 5
   7. Conclusions .................................................. 5
   8. References ................................................... 6
      8.1. Normative References ..................................... 6
      8.2. Informative References ................................... 6

1. Introduction

   SACM will create a protocol for the security assessment of network
   devices in the enterprise scenario.  Based on research into
   telecommunication use scenarios and on the telecommunication
   operator's operational experience, this document proposes a new
   security use case to cover telecommunication devices.  This use case
   also fits other enterprise scenarios.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

   In this document, these words will appear with that interpretation
   only when in ALL CAPS.  Lower case uses of these words are not to be
   interpreted as carrying RFC-2119 significance.

3. Problem Statement

3.1. Background of telecommunication device use cases

   An operator network can also be regarded as a kind of enterprise
   network.  Because of the large number of telecommunication devices,
   checking the compliance of the equipment during the operation and
   maintenance phase involves a great deal of work.  What is more,
   negligent operation and maintenance personnel may introduce wrong
   configurations, causing bad consequences such as paralysis of the
   device system, abnormal operation of the network, and so on.
   Therefore, the implementation of telecommunication equipment also
   needs an automated check.

3.2. Problem statement

   The use cases of SACM focus on the endpoints of the enterprise
   scenario.  The operator network can also be regarded as a kind of
   enterprise network, so the current use cases can also be applied to
   the operator network.  However, when we analyze the telecommunication
   network under the current scenario, some gaps exist.

   Lack of a security posture assessment Guidance setting for
   requirements that combine a common requirement part with alternative
   requirement parts.

   In a telecommunication network, the same kind of network equipment
   may be numerous and deployed in a distributed way, which raises the
   issue that such devices may be bought from different manufacturers.
   These manufacturers have different development processes and
   technical systems, so they may use different mechanisms and different
   parameters to fulfill the same main requirement of the device.  In
   order to ensure a correct implementation, it is necessary to define
   different alternative detailed security requirements for the
   different implementations.

   For example, a device needs to ensure secure communication with
   others, so a main requirement is defined as "using a secure channel
   to transmit data".  Manufacturers may use TLS or IPsec to achieve
   this goal when they build their devices.  So some alternative
   detailed definitions should be attached after the main requirement:
   when the device uses a TLS-based mechanism to meet the requirement,
   certificates should be used as the credential in the TLS handshake;
   when the device uses IPsec instead, the pre-shared key should be used
   as the credential in IKEv2.
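   The guidance structure described above, as an added example that is
   not part of this draft and not SACM code: one common (main)
   requirement, plus an alternative detailed requirement that is checked
   only for the mechanism the device actually uses.  It also layers a
   general policy (administrator password length and effective time)
   with device-specific settings, the split that section 4.1 describes.
   The dictionary schema, the posture field names, the device types and
   the posture records are all assumptions constructed for illustration.

```python
# Added example, not part of draft-zhuang-sacm-telereq-01.  The guidance
# schema, posture field names and device records below are constructed
# assumptions, not anything defined by SACM or by the draft.

# Main requirement with one alternative detailed requirement per
# mechanism.  An alternative applies only when the device reports that
# mechanism; a device using neither fails the main requirement.
SECURE_CHANNEL_GUIDANCE = {
    "id": "secure-channel",
    "main": "The device uses a secure channel to transmit data.",
    "alternatives": {
        "TLS": {"credential": "certificate"},       # certificate in the TLS handshake
        "IPsec": {"credential": "pre-shared-key"},  # PSK in the IKEv2 negotiation
    },
}

# General policy applied to every device, plus device-specific settings
# chosen from the device's features and deployment environment.
GENERAL_POLICY = {"admin_password_min_length": 8, "password_max_age_days": 90}
SPECIFIC_POLICY = {"core-router": {"admin_password_min_length": 12}}


def policy_for(device_type):
    """Return the general policy with the device-specific settings layered on top."""
    return {**GENERAL_POLICY, **SPECIFIC_POLICY.get(device_type, {})}


def check_secure_channel(guidance, posture):
    """Check the main requirement, then only the alternative that matches.

    Returns a list of findings; an empty list means compliant.
    """
    findings = []
    mechanism = posture.get("channel")
    if mechanism not in guidance["alternatives"]:
        # Main requirement not met: no accepted secure channel reported.
        findings.append(f"{guidance['id']}: channel {mechanism!r} is not an accepted secure channel")
        return findings
    for field, expected in guidance["alternatives"][mechanism].items():
        actual = posture.get(field)
        if actual != expected:
            findings.append(f"{guidance['id']}/{mechanism}: {field}={actual!r}, expected {expected!r}")
    return findings


def check_password_policy(policy, posture):
    """Check the layered password policy against the reported posture."""
    findings = []
    length = posture.get("admin_password_length", 0)
    if length < policy["admin_password_min_length"]:
        findings.append(f"password length {length} < {policy['admin_password_min_length']}")
    age = posture.get("password_age_days", 0)
    if age > policy["password_max_age_days"]:
        findings.append(f"password age {age} days > {policy['password_max_age_days']}")
    return findings


def assess(posture):
    """Assess one device; returns (compliant, findings)."""
    findings = check_secure_channel(SECURE_CHANNEL_GUIDANCE, posture)
    findings += check_password_policy(policy_for(posture["type"]), posture)
    return (not findings, findings)


# Constructed posture records, in the shape a collector might report.
SAMPLE_POSTURE = [
    {"device": "rtr-01", "type": "core-router", "channel": "TLS",
     "credential": "certificate", "admin_password_length": 14, "password_age_days": 30},
    {"device": "rtr-02", "type": "core-router", "channel": "IPsec",
     "credential": "certificate", "admin_password_length": 14, "password_age_days": 30},
    {"device": "sw-07", "type": "access-switch", "channel": "telnet",
     "credential": None, "admin_password_length": 8, "password_age_days": 120},
]


def assess_fleet(records=SAMPLE_POSTURE):
    """Assess every record; returns {device: (compliant, findings)}."""
    return {r["device"]: assess(r) for r in records}


if __name__ == "__main__":
    for device, (ok, findings) in assess_fleet().items():
        print(device, "COMPLIANT" if ok else "NON-COMPLIANT", findings)
```

   In the constructed records, rtr-01 satisfies the TLS alternative and
   the stricter core-router password length; rtr-02 uses IPsec but
   presents a certificate where the IPsec alternative expects a
   pre-shared key; sw-07 fails the main requirement outright and also
   exceeds the general password age.  Evaluating only the matching
   alternative is what lets one Guidance entry cover devices from
   different manufacturers without a separate checklist for each.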
   So a requirement Guidance can be expressed in this way: the devices
   should use a secure channel to transmit data.  When the device uses
   TLS, certificates should be used as the credential in the
   authentication step of the TLS handshake; when the device uses IPsec,
   the pre-shared key should be used as the credential in the IKEv2
   negotiation.

   The current use case draft contains no description of this kind of
   Guidance.  This problem is mainly caused by the different ways of
   meeting the same main requirement, which means this kind of Guidance
   requirement also fits other enterprises that own large, distributed
   networks.

4. New use cases for telecommunication equipment

4.1. Security policy Guidance setting

   This use case describes the process of setting the security policy
   Guidance of the telecommunication equipment.  The building blocks of
   this use case are:

   o  General security policy Guidance setting: based on the security
      policy Guidance input and their own business experience, operators
      set a common security policy Guidance, including the
      administrator's password length, its effective time, and so on.

   o  Specific security policy Guidance setting: operators set the
      security policy Guidance for devices according to the devices'
      specific features and deployment environment.

5. Security Considerations

   TBD

6. IANA Considerations

   There are no IANA considerations associated with this memo.

7. Conclusions

   TBD

8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

8.2. Informative References

Authors' Addresses

   Xiaojun Zhuang
   China Mobile
   Unit 2, 32 Xuanwumenxi Ave, Xicheng District, Beijing 100053, China

   Email: zhuangxiaojun@chinamobile.com

   Minpeng Qi
   China Mobile
   Unit 2, 32 Xuanwumenxi Ave, Xicheng District, Beijing 100053, China

   Email: qiminpeng@chinamobile.com

   Judy Zhu
   China Mobile
   Unit 2, 32 Xuanwumenxi Ave, Xicheng District, Beijing 100053, China

   Email: Zhuhongru@chinamobile.com