ETSI releases Middlebox Security Protocols specification

Tuesday, 09 March, 2021

ETSI has announced a new specification, ETSI TS 103 523-2: Transport Layer MSP (TLMSP), Part 2 of the Middlebox Security Protocol (MSP) series, which defines a protocol for varied (fine-grained) access control to communications traffic. The specification was developed by ETSI Technical Committee CYBER.

Middleboxes are vital in modern networks — from new 5G deployments with ever-faster networks that need performance management, to resisting new cyber attacks with evolved threat defence that copes with encrypted traffic, to VPN provision.

Network operators, service providers, users, enterprises and small businesses require being granted varied (fine-grained) permissions.

Various cyber defence techniques motivate these requirements. At present, the solutions used often break security mechanisms and/or ignore the desire for explicit authorisation by the endpoints. Some encryption protocols can even be blocked altogether at the enterprise gateway, forcing users to revert to insecure protocols.

As more network traffic is encrypted, the problems for cyber defence will grow. Intrusive ‘break and inspect’ methods, ignoring the desire for explicit authorisation by endpoints, raise questions around security, privacy and trust.

ETSI TS 103 523-2, MSP Part 2 addresses this gap by specifying a protocol that allows fine-grained access and nuanced permissions for different portions of traffic, allowing middleboxes to perform their functions securely whilst keeping up with the rapid pace of technical development.

This new specification defines TLMSP, a protocol that grants fine-grained permissions and accesses to different middleboxes. It allows endpoint control of what entities can access data for cyber defence purposes and protects against unauthorised access.

TLMSP was born from an academic effort that evolved into ETSI TC CYBER, adding security measures against known attacks and more features including auditing, a more flexible message format, adaptation to varying network conditions, on-path middlebox discovery and improved handling of errors.

Image credit: ©stock.adobe.com/au/monsitj