Middlebox Security Protocols specification released
ETSI has announced a new specification, ETSI TS 103 523-2: Transport Layer MSP (TLMSP), Part 2 of the Middlebox Security Protocol (MSP) series, which defines a protocol for varied (fine-grained) access control to communications traffic. This specification was developed by the ETSI Technical Committee CYBER.
Middleboxes are vital in modern networks - from new 5G deployments, with ever-faster networks that need performance management, to resisting new cyberattacks with evolved threat defence that copes with encrypted traffic, to VPN provision. Network operators, service providers, users, enterprises, and small businesses require being granted varied (fine grained) permissions.
Various cyber defence techniques motivate these requirements. At present, the solutions used often break security mechanisms and/or ignore the desire for explicit authorisation by the endpoints. Some encryption protocols can even be blocked altogether at the enterprise gateway, forcing users to revert to insecure protocols. As more datagram network traffic is encrypted, the problems for cyber defence will grow. This intrusive "break-and-inspect" method, ignoring the desire for explicit authorisation by endpoints, raises questions around security, privacy and trust.
ETSI TS 103 523-2, MSP Part 2 addresses this gap by specifying a protocol that allows fine-grained access and nuanced permissions for different portions of traffic, allowing middleboxes to perform their functions securely whilst keeping up with the rapid pace of technical development.
This new specification defines TLMSP, a protocol that grants fine-grained permissions and accesses to different middleboxes. It allows endpoint control of what entities can access data for cyber defence purposes and protects against unauthorised access. As authorised middleboxes rarely need full read and write access to all traffic, TLMSP provides means for endpoints to classify the communication into different ‘contexts’, each of which can have different read, delete, and write permissions associated with it, following the security principle of least privilege. This subdivision is for the application to determine and is under endpoint control
TLMSP was born from an academic effort that evolved into ETSI TC CYBER – adding security measures against known attacks, and more features including auditing, a more flexible message format, adaptation to varying network conditions, on-path middlebox discovery and improved handling of errors. A reference implementation code is also available on ETSI Forge.
The use cases for TLMSP are many and varied, forming the basis of ETSI's MSP hackathon:
- System and user security, including cyber defence and protection of user data.
- Operational use cases including in content delivery networks.
- Compliance by network operators with obligations and service agreements, and discharge of transparency and audit obligations in regulated industries.
- Maintaining enterprise network and data centre visibility.
ETSI TS 103 523-2 is Part 2 of the Middlebox Security Protocol (MSP) series; this series is a set of protocol specifications that enable secure and functional operation of next generation middleboxes.