Search
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

De la Théorie à la pratique











Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

ETSI releases Middlebox Security Protocols specification for fine-grained access control

March 2021 by Marc Jacob

ETSI is pleased to announce a new specification, ETSI TS 103 523-2: Transport Layer MSP (TLMSP), Part 2 of the Middlebox Security Protocol (MSP) series, which defines a protocol for varied (fine-grained) access control to communications traffic. This specification was developed by the ETSI Technical Committee CYBER.

Middleboxes are vital in modern networks - from new 5G deployments, with ever-faster networks that need performance management, to resisting new cyberattacks with evolved threat defence that copes with encrypted traffic, to VPN provision. Network operators, service providers, users, enterprises, and small businesses require being granted varied (fine grained) permissions.

Various cyber defence techniques motivate these requirements. At present, the solutions used often break security mechanisms and/or ignore the desire for explicit authorization by the endpoints. Some encryption protocols can even be blocked altogether at the enterprise gateway, forcing users to revert to insecure protocols. As more datagram network traffic is encrypted, the problems for cyber defence will grow. This intrusive "break-and-inspect" method, ignoring the desire for explicit authorization by endpoints, raises questions around security, privacy and trust.

ETSI TS 103 523-2, MSP Part 2 addresses this gap by specifying a protocol that allows fine-grained access and nuanced permissions for different portions of traffic, allowing middleboxes to perform their functions securely whilst keeping up with the rapid pace of technical development.

This new specification defines TLMSP, a protocol that grants fine-grained permissions and accesses to different middleboxes. It allows endpoint control of what entities can access data for cyber defence purposes and protects against unauthorized access. As authorized middleboxes rarely need full read and write access to all traffic, TLMSP provides means for endpoints to classify the communication into different "contexts", each of which can have different read, delete, and write permissions associated with it, following the security principle of least privilege. This subdivision is for the application to determine and is under endpoint control.

TLMSP was born from an academic effort that evolved into ETSI TC CYBER – adding security measures against known attacks, and more features including auditing, a more flexible message format, adaptation to varying network conditions, on-path middlebox discovery and improved handling of errors. A reference implementation code is also available on ETSI Forge.

The use cases for TLMSP are many and varied, forming the basis of ETSI’s MSP hackathon:

• system and user security, including cyber defence and protection of user data
• operational use cases including in Content Delivery Networks
• compliance by network operators with obligations and service agreements, and discharge of transparency and audit obligations in regulated industries
• maintaining enterprise network and data centre visibility

ETSI TS 103 523-2 is Part 2 of the Middlebox Security Protocol (MSP) series; this series is a set of protocol specifications that enable secure and functional operation of next generation middleboxes.




See previous articles

    

See next articles