Description
ISO Transport Service on top of TCP (ITOT) is a transport layer protocol specification, defined in IETF RFC 1006 and adopted by 3GPP, for carrying OSI (Open Systems Interconnection) application protocols over TCP/IP networks. 3GPP applies it to specific security-related interfaces. The core function of ITOT is to provide an ISO Transport Service (TS) as defined in ISO/IEC 8073, but using TCP (Transmission Control Protocol) as its underlying network service instead of the native OSI network layer protocols. This allows applications designed for the OSI stack to operate seamlessly over ubiquitous TCP/IP infrastructure.
Architecturally, ITOT acts as an adaptation layer. It sits between the TCP layer and the OSI application layer, such as the protocols used for Public Key Infrastructure (PKI) operations. When an OSI application has data to send (an Application Protocol Data Unit, or APDU), it passes it to the presentation and session layers (if used), and then to the ITOT layer. The ITOT entity encapsulates this data within a TPKT header, as defined in RFC 1006, and transmits it over a standard TCP connection to the peer ITOT entity. The receiving ITOT entity strips the TPKT header and delivers the APDU to its upper OSI layers. This encapsulation provides the necessary framing for the OSI data over the byte-stream-oriented TCP connection, where message boundaries are not otherwise preserved.
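The following Python framer and reassembler is an added illustration of the TPKT encapsulation described above; it is not code from 3GPP, RFC 1006 or any product. It assumes the RFC 1006 header layout (version octet 3, reserved octet 0, 16-bit big-endian length that includes the header) and shows the receive-side checks a practitioner wants: the parser must cope with arbitrary TCP chunk boundaries and must reject a length field smaller than the header, which would otherwise stall a naive loop.

```python
import struct

TPKT_VERSION = 3          # RFC 1006 version number
TPKT_HEADER_LEN = 4       # version(1) + reserved(1) + length(2)
TPKT_MAX_LEN = 0xFFFF     # 16-bit length field, header included


def tpkt_encode(apdu: bytes) -> bytes:
    """Wrap one APDU in a TPKT header so the peer can find its boundary in the TCP stream."""
    total = TPKT_HEADER_LEN + len(apdu)
    if total > TPKT_MAX_LEN:
        raise ValueError("APDU too large for a single TPKT")
    return struct.pack("!BBH", TPKT_VERSION, 0, total) + apdu


class TpktReassembler:
    """Turns TCP bytes (delivered in arbitrary chunks) back into whole TPKT payloads."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Append received bytes; return every complete APDU now available, in order."""
        self._buf += chunk
        apdus = []
        while len(self._buf) >= TPKT_HEADER_LEN:
            version, _reserved, length = struct.unpack("!BBH", self._buf[:TPKT_HEADER_LEN])
            if version != TPKT_VERSION:
                raise ValueError(f"unexpected TPKT version {version}")
            # A length below the header size would never consume bytes; without this
            # check a parser loops forever on a malformed or hostile peer.
            if length < TPKT_HEADER_LEN:
                raise ValueError(f"invalid TPKT length {length}")
            if len(self._buf) < length:
                break  # partial packet: wait for more TCP data
            apdus.append(bytes(self._buf[TPKT_HEADER_LEN:length]))
            del self._buf[:length]
        return apdus


if __name__ == "__main__":
    # Constructed sample: two APDUs concatenated, then delivered in 3-byte chunks.
    stream = tpkt_encode(b"hello") + tpkt_encode(b"world!")
    rx = TpktReassembler()
    for i in range(0, len(stream), 3):
        for apdu in rx.feed(stream[i:i + 3]):
            print(apdu)
```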
In the 3GPP ecosystem, ITOT is specified for use in security protocols, particularly for the transfer of certificates and PKI-related messages. For example, it can be used on the interface between a Network Domain Security (NDS) entity and a Certificate Authority (CA). Its role is to ensure a reliable, in-order, and error-checked delivery of security-sensitive APDUs. By leveraging TCP, it inherits features like flow control, congestion control, and guaranteed delivery, which are critical for the integrity of security transactions. The specification in 3GPP documents like TS 33.108 ensures interoperability between different vendors' equipment when performing security operations that rely on standardized OSI application protocols, providing a robust transport foundation for the network's security architecture.
Purpose & Motivation
ITOT was adopted to solve the problem of interoperability for security and management protocols that were originally designed for the OSI protocol suite, in a world that had largely standardized on TCP/IP. Many telecommunications standards, including early 3GPP specifications for security functions like certificate management, were based on ISO standards (e.g., X.509 certificates use ASN.1 and are often carried by OSI application protocols). Deploying these protocols natively required a full OSI stack, which was complex and not widely deployed in IP-based operator networks.
The motivation for specifying ITOT in 3GPP, particularly from Release 15 onwards for 5G security, was to provide a pragmatic and standardized bridge. It allows the rich, well-defined semantics of OSI application protocols for PKI to be reused without mandating an entire OSI network infrastructure. By specifying how to run these protocols over TCP/IP, 3GPP enabled vendors to implement security functions using proven ISO application layer standards while utilizing the ubiquitous, reliable, and manageable TCP/IP transport layer. This addressed the limitations of previous ad-hoc methods or the overhead of implementing full OSI stacks, ensuring secure, reliable, and interoperable transport for critical security data like certificate requests and revocation messages between network functions and external PKI entities in 5G networks.
Key Features
- Provides ISO Transport Service (TS) over TCP/IP networks as per IETF RFC 1006
- Uses TPKT header for framing OSI APDUs over TCP byte streams
- Enables OSI-based security applications (e.g., PKI) to operate over IP networks
- Ensures reliable, in-order delivery of security protocol data units
- Specified for use in 3GPP security interfaces like certificate management
- Facilitates vendor interoperability for security-related communications
Evolution Across Releases
Release 15: Introduced ITOT into the 3GPP security architecture, specifying its use for transporting PKI and certificate management protocol data units over TCP/IP. This provided a standardized transport method for OSI-based security applications within the newly defined 5G security framework, enabling reliable communication with external Certificate Authorities.
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.108 | 3GPP TS 33.108 |