CAN CSA ISO IEC TR 26927-13 (2017): Security Framework for Next Generation Network Interoperability – A Canadian Adoption of ISO/IEC TR 26927-13

Understanding the technical scope, security recommendations, and compliance implications of the Canadian technical report on NGN interoperability security (Part 13)

Scope of CAN CSA ISO IEC TR 26927-13 (2017)

CAN CSA ISO IEC TR 26927-13 (2017) is the Canadian adoption of the international Technical Report ISO/IEC TR 26927-13:2017, titled Information technology – Telecommunications and information exchange between systems – Next Generation Network (NGN) – Framework for NGN interoperability – Part 13: Security considerations. This document provides a structured, risk-based framework for addressing security aspects when interconnecting heterogeneous NGN domains. It is intended for network operators, equipment vendors, service providers, and regulators who need to ensure that interoperability does not introduce unacceptable security vulnerabilities.

The report addresses the security challenges arising from NGN’s multi-provider, multi-domain architecture, which often spans different administrative boundaries and employs diverse transport technologies. Specifically, the report covers:

  • Threat models applicable to NGN interconnection scenarios
  • Security services required at interconnection points
  • Recommendations for authentication, authorisation, and accounting (AAA) across domains
  • Guidelines for signalling and media protection
  • Security monitoring and incident response harmonisation

Note: As a Technical Report, CAN CSA ISO IEC TR 26927-13 does not contain mandatory requirements but provides authoritative recommendations that may be referenced in procurement or regulatory frameworks.

Technical Recommendations and Security Framework

The core of the technical report is a layered security architecture that aligns with the NGN functional separation into transport, control, and application planes. For each layer, the document identifies specific security objectives and maps them to recommended mechanisms.

Security Services and Mechanisms

The report defines a set of essential security services that must be available at every NGN interconnection point. Table 1 summarises these services, their applicability domain, and recommended implementation mechanisms.

| Security Service | Applicable NGN Layer | Recommended Mechanism | Interoperability Priority |
|---|---|---|---|
| Peer entity authentication | Control & Transport | Digital certificates (X.509) with mutual TLS | High |
| Access control | All layers | Attribute-based policy enforcement points (ABAC) | High |
| Data origin authentication | Signalling & Media | HMAC or digital signatures on SIP/SDP bodies | Medium |
| Confidentiality (signalling) | Control | TLS 1.2+ or DTLS for SIP | Medium |
| Confidentiality (media) | Transport | SRTP with negotiated keying (MIKEY/DTLS-SRTP) | Medium |
| Security audit logging | All layers | Common event format (CEF) with trusted timestamping | Low |

Table 1 – Security services and recommended mechanisms per NGN layer (based on CAN CSA ISO IEC TR 26927-13:2017 recommendations).

Threat Model Coverage

The TR classifies threats into four categories relevant to domain interconnection:

  • Inter-domain signalling attacks – including session hijacking, registration manipulation, and toll fraud.
  • Media path interception – eavesdropping and injection into real-time transport flows.
  • Identity spoofing and repudiation – forging originator information in signalling headers.
  • Resource exhaustion and DoS – flooding interconnection gateways with malformed or high-volume traffic.

Implementation consideration: The report emphasises that security mechanisms must be negotiated dynamically during inter-domain peering and must not rely on a single root of trust across administrative boundaries.

Implementation Highlights

Organisations adopting the recommendations of CAN CSA ISO IEC TR 26927-13 (2017) should pay attention to the following practical aspects:

1. Trust Anchor Management

Each NGN domain should maintain its own certificate authority (CA) and cross-certify with peer domains. The TR recommends a hierarchical rather than mesh model for scalability, using a national or industry-level bridge CA as a root for Canadian NGN operators.

2. Dynamic Profile Negotiation

During interconnection establishment, the involved domains must exchange a security profile that specifies which security services are mandatory, optional, or excluded. The report provides a data structure for such profiles, including cipher suites, key lengths, and logging requirements.
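
One way such a profile exchange could be reconciled, as an added example that is not taken from the TR or from the original article. The profile fields, the service names and the rule that a service is switched on only when neither side excludes it are assumptions, and the two domain profiles are constructed sample data.

```python
# Added example: profile fields and service names are hypothetical, not the TR's schema.
from dataclasses import dataclass

MANDATORY, OPTIONAL, EXCLUDED = "mandatory", "optional", "excluded"

class NegotiationError(Exception):
    """Raised when two domains' profiles cannot be reconciled."""

@dataclass
class SecurityProfile:
    domain: str
    services: dict       # service name -> MANDATORY / OPTIONAL / EXCLUDED
    cipher_suites: list  # preference order, strongest first
    min_key_bits: int

def negotiate(local, peer):
    """Return the agreed profile, or raise instead of silently downgrading."""
    enabled, conflicts = [], []
    for svc in sorted(set(local.services) | set(peer.services)):
        # A service one side never lists is treated as excluded by that side.
        states = {local.services.get(svc, EXCLUDED), peer.services.get(svc, EXCLUDED)}
        if MANDATORY in states and EXCLUDED in states:
            conflicts.append(svc)        # one side requires what the other refuses
        elif EXCLUDED not in states:
            enabled.append(svc)          # both sides support it, so switch it on
    # Keep the local preference order, restricted to suites the peer also offers.
    suites = [s for s in local.cipher_suites if s in peer.cipher_suites]
    if not suites:
        conflicts.append("cipher_suites")
    if conflicts:
        raise NegotiationError("no common profile: " + ", ".join(conflicts))
    return {
        "enabled": enabled,
        "cipher_suite": suites[0],
        "min_key_bits": max(local.min_key_bits, peer.min_key_bits),  # stricter floor wins
    }

# Constructed sample profiles for two peering domains.
DOMAIN_A = SecurityProfile("operator-a.example", {
    "peer_entity_authentication": MANDATORY,
    "signalling_confidentiality": MANDATORY,
    "media_confidentiality": OPTIONAL,
    "audit_logging": OPTIONAL,
}, ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"], 2048)

DOMAIN_B = SecurityProfile("operator-b.example", {
    "peer_entity_authentication": MANDATORY,
    "signalling_confidentiality": OPTIONAL,
    "media_confidentiality": OPTIONAL,
    "audit_logging": EXCLUDED,
}, ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"], 3072)

if __name__ == "__main__":
    print(negotiate(DOMAIN_A, DOMAIN_B))
```

Raising on a mandatory/excluded clash or an empty cipher-suite intersection makes peering fail closed, so a misconfigured peer is caught at establishment rather than producing an unprotected interconnect.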

3. Security Gateway Placement

The TR advises that security gateways (SGW) be located at the logical boundary of each NGN domain. It distinguishes between a signalling proxy (SIP-aware SGW) and a media relay (RTP/RTCP-aware SGW). For optimal performance, signalling and media gateways may be physically separate.

4. Incident Response Coordination

Because attacks often propagate across domains, the report defines a lightweight incident-sharing mechanism based on structured messages (e.g., using JSON over secure REST channels). It includes a standard taxonomy for event types (e.g., authentication failure threshold exceeded, malformed message pattern, traffic anomaly).

Best practice: Early adopters report that implementing the dynamic security profile negotiation (Recommendation 8.3) reduces inter-domain configuration errors by up to 40% compared to static bilateral agreements.

Compliance and Conformity Considerations

Although CAN CSA ISO IEC TR 26927-13 (2017) is a Technical Report and thus not a normative standard, it can be used as a baseline for regulatory compliance and procurement specifications. The following points are relevant for demonstrating adherence:

  • Self-assessment against the framework: Operators should map their existing security controls to the services listed in Table 1 and document any deviations with risk-based justifications.
  • Interoperability testing: The TR includes an annex (informative) describing test cases for peer authentication, media encryption negotiation, and audit log exchange. Conformance to these test cases can be used as evidence during audits.
  • Third-party certification: As of 2026, the Standards Council of Canada has not established a specific certification program for this TR, but conformity can be evaluated by accredited testing laboratories under the Canadian Telecommunications Certification Body framework.

Important: Non-adherence to the recommended security profiles may invalidate interconnect agreements and result in service termination by peering partners, as many Canadian operators have adopted these recommendations as mandatory for interconnection.

The following table provides a ready reference for compliance levels recommended by the TR based on the sensitivity of the interchanged traffic.

| Traffic Type | Recommended Compliance Level | Example Services |
|---|---|---|
| Ordinary voice (non-emergency) | Core (authentication + media encryption) | Consumer VoIP, enterprise trunking |
| Emergency services (e.g., E9-1-1) | Enhanced (Core + priority handling & enhanced audit) | NG9-1-1 call routing, location information exchange |
| Government/classified | Full (Enhanced + dedicated hardware security modules & independent audit) | Secure government telephony, PSN interconnect |
| Signalling only (no media) | Reduced (peer authentication + signalling confidentiality) | Presence, instant messaging, SIP trunking signalling |

Table 2 – Recommended compliance levels for different NGN traffic profiles (based on CAN CSA ISO IEC TR 26927-13 (2017) Annex B).

It is recommended that organisations regularly review their alignment with the report’s latest version, as subsequent parts of the ISO/IEC 26927 series may introduce updates to the security recommendations.

Tip: When developing an internal compliance checklist, use the service-by-layer matrix from Table 1 and the compliance levels from Table 2 to structure your gap analysis. This approach directly mirrors the report’s own structure.

Frequently Asked Questions

Q: Is CAN CSA ISO IEC TR 26927-13 (2017) a mandatory standard in Canada?
A: No. As a Technical Report (TR), it is not a mandatory standard. However, it is often referenced in interconnection agreements and by the Canadian Radio-television and Telecommunications Commission (CRTC) as a benchmark for NGN security practices. Some service providers may mandate compliance as a condition of peering.

Q: How does this Canadian adoption differ from the original ISO/IEC TR 26927-13:2017?
A: CAN CSA ISO IEC TR 26927-13 (2017) is identical in technical content to the international edition. The only changes are editorial adjustments to meet Canadian references and terminology, and the addition of a foreword by the Standards Council of Canada. All recommendations, tables, and annexes are identical.

Q: Can I implement only parts of the security framework?
A: Yes. The TR is designed to be modular. Operators may choose to implement only a subset of the recommended security services based on their risk assessment. However, the document strongly encourages that all inter-domain interconnection points implement at least peer authentication and signalling confidentiality to ensure baseline protection.

Q: When will the next revision of this TR be published?
A: As of 2026, ISO/IEC JTC 1 is working on an updated version of ISO/IEC TR 26927-13, which is expected to include recommendations for quantum-safe key exchange and integration with 5G standalone security architectures. When the international revision is published, the corresponding CAN CSA update will likely follow within one year.

This article is provided for informational purposes and reflects the understanding of CAN CSA ISO IEC TR 26927-13 (2017) as of 2026. For authoritative implementation, readers should consult the standard directly published by the Standards Council of Canada.
