ETSI releases Middlebox Security Protocols specification for fine-grained access control

Sophia Antipolis, 2 March 2021

ETSI is pleased to announce a new specification, ETSI TS 103 523-2: Transport Layer MSP (TLMSP), Part 2 of the Middlebox Security Protocol (MSP) series, which defines a protocol for varied (fine-grained) access control to communications traffic. This specification was developed by the ETSI Technical Committee CYBER.

Middleboxes are vital in modern networks: from new 5G deployments, with ever-faster networks that need performance management, to resisting new cyberattacks with evolved threat defence that copes with encrypted traffic, to VPN provision. Network operators, service providers, users, enterprises and small businesses all need to be granted varied (fine-grained) permissions.

Various cyber defence techniques motivate these requirements. The solutions in use today often break security mechanisms and/or ignore the endpoints' desire for explicit authorization. Some encryption protocols are even blocked altogether at the enterprise gateway, forcing users to revert to insecure protocols. As more datagram network traffic is encrypted, the problems for cyber defence will grow. This intrusive "break-and-inspect" approach, which ignores the endpoints' desire for explicit authorization, raises questions around security, privacy and trust.

ETSI TS 103 523-2, MSP Part 2 addresses this gap by specifying a protocol that allows fine-grained access and nuanced permissions for different portions of traffic, allowing middleboxes to perform their functions securely whilst keeping up with the rapid pace of technical development.

This new specification defines TLMSP, a protocol that grants fine-grained permissions and access to different middleboxes. It gives endpoints control over which entities can access data for cyber defence purposes and protects against unauthorized access. Because authorized middleboxes rarely need full read and write access to all traffic, TLMSP provides a means for endpoints to classify the communication into different "contexts", each of which can carry different read, delete and write permissions, following the security principle of least privilege. How the traffic is subdivided is for the application to determine and remains under endpoint control.
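To make the context-and-permission model concrete, the following Python sketch is an added illustration for this page; it is not part of the ETSI press release and not ETSI's reference implementation. The context names ("headers", "body"), the middlebox identifiers ("scanner", "cache"), the permission bits and the default-deny check rule are all constructed assumptions; they show how an endpoint-controlled grant table enforces least privilege per context, not how TLMSP encodes it on the wire.

```python
"""Toy model of per-context middlebox permissions in the TLMSP spirit.

Added illustration, not ETSI's reference implementation. Context names,
middlebox identifiers and the permission-check rules are constructed.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    """Permission bits an endpoint can grant a middlebox on one context."""
    NONE = 0
    READ = auto()    # may decrypt and inspect the context's data
    DELETE = auto()  # may remove the context's data from the stream
    WRITE = auto()   # may modify or insert data in the context


@dataclass
class Context:
    """One application-defined slice of the traffic, with its own grant table."""
    name: str
    grants: dict[str, Perm] = field(default_factory=dict)  # middlebox id -> Perm


@dataclass
class Session:
    """Endpoint-controlled policy: which middlebox may do what on which context."""
    contexts: dict[int, Context] = field(default_factory=dict)
    audit: list[tuple[str, int, str, bool]] = field(default_factory=list)

    def define_context(self, ctx_id: int, name: str, grants: dict[str, Perm]) -> None:
        self.contexts[ctx_id] = Context(name, dict(grants))

    def authorize(self, middlebox: str, ctx_id: int, op: Perm) -> bool:
        """Default deny: an unknown context or an unlisted middlebox gets nothing."""
        ctx = self.contexts.get(ctx_id)
        granted = ctx.grants.get(middlebox, Perm.NONE) if ctx else Perm.NONE
        # Perm.NONE is a subset of every grant, so reject it explicitly.
        allowed = op != Perm.NONE and op in granted
        self.audit.append((middlebox, ctx_id, op.name, allowed))  # audit trail
        return allowed

    def effective_permissions(self, middlebox: str) -> dict[str, Perm]:
        """What one middlebox may do across all contexts (least-privilege review)."""
        return {c.name: c.grants.get(middlebox, Perm.NONE) for c in self.contexts.values()}


def build_example_session() -> Session:
    """Constructed policy: two contexts, two middleboxes with different needs."""
    s = Session()
    # A content scanner needs to read the body and may drop a bad payload,
    # but never needs to rewrite content or see the headers at all.
    s.define_context(1, "headers", {"cache": Perm.READ})
    s.define_context(2, "body", {"scanner": Perm.READ | Perm.DELETE,
                                 "cache": Perm.READ})
    return s


def simulate(session: Session) -> list[bool]:
    """Run a few middlebox requests against the policy and return the decisions."""
    return [
        session.authorize("scanner", 2, Perm.READ),     # True
        session.authorize("scanner", 2, Perm.DELETE),   # True
        session.authorize("scanner", 2, Perm.WRITE),    # False: not granted
        session.authorize("scanner", 1, Perm.READ),     # False: wrong context
        session.authorize("cache", 1, Perm.READ),       # True
        session.authorize("unknownbox", 2, Perm.READ),  # False: never listed
    ]


if __name__ == "__main__":
    sess = build_example_session()
    print(simulate(sess))
    for entry in sess.audit:
        print(entry)
```

The audit list captures every decision, granted or refused, which is the kind of record an endpoint or operator can later inspect to confirm that each middlebox exercised only the permissions it was given.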

TLMSP was born from an academic effort that evolved into ETSI TC CYBER work, adding security measures against known attacks and further features including auditing, a more flexible message format, adaptation to varying network conditions, on-path middlebox discovery and improved error handling. Reference implementation code is also available on ETSI Forge.

The use cases for TLMSP are many and varied, forming the basis of ETSI's MSP hackathon:
• system and user security, including cyber defence and protection of user data
• operational use cases including in Content Delivery Networks
• compliance by network operators with obligations and service agreements, and discharge of transparency and audit obligations in regulated industries
• maintaining enterprise network and data centre visibility

ETSI TS 103 523-2 is Part 2 of the Middlebox Security Protocol (MSP) series; this series is a set of protocol specifications that enable secure and functional operation of next generation middleboxes.
USEFUL LINKS
Download the specification ETSI TS 103 523-2 Transport Layer MSP (TLMSP) here
Download the reference implementation code here

About ETSI

ETSI provides members with an open and inclusive environment to support the development, ratification and testing of globally applicable standards for ICT systems and services across all sectors of industry and society. We are a not-for-profit body with more than 900 member organizations worldwide, drawn from 65 countries and five continents. Members comprise a diversified pool of large and small private companies, research entities, academia, government and public organizations. ETSI is officially recognized by the EU as a European Standards Organization (ESO). For more information please visit us at https://www.etsi.org/.

Contact
Claire Boyer
M.: +33 (0)6 87 60 84 40
Email: claire.boyer@etsi.org