Protective measures
Information on protection of the IP-based handover point for intercept measures and information requests
General
In order to protect the IP-based handover point conforming to the ETSI technical specification, dedicated cryptosystems based on the IPsec protocol family are used to connect the networks of the authorised organisations and operators to form a virtual private network (VPN). A public key infrastructure (PKI) for key management is operated by the Bundesnetzagentur as the central registration and certification authority. The Bundesnetzagentur also manages the permissible security relationships within the VPN in an access control list (ACL) accessible via a lightweight directory access protocol (LDAP).
IP cryptosystems
In order to guarantee compliance with the high protection requirements for secure transmission in IP networks, only IP cryptosystems that meet certain requirements defined by the Bundesnetzagentur in cooperation with the Federal Office for Information Security (BSI) may be used. One IP cryptosystem was defined in consultation with the manufacturers. A second IP cryptosystem was defined on the basis of a further consultation but did not meet the full interoperability requirements.
The only IP cryptosystem permitted for use on the basis of the TKÜV is listed below:
| Number | Manufacturer | Product | Contact person |
|---|---|---|---|
| 1 | secunet Security Networks Aktiengesellschaft Link to secunet website | SINA Box | E-Mail an Secunet |
The cryptosystems are essentially components of the authorised organisations' and obligated operators' sub-networks; the organisations and operators are therefore responsible for planning, operation, maintenance and troubleshooting (operation of a syslog server) for their cryptosystems.
Part A Annex A.2 of the Technical Directive relating to the Telecommunications Interception Ordinance (TR TKÜV) contains the relevant technical requirements as well as the policy for the registration and certification authority (TKÜV CA) as referred to in the TR TKÜV.
Policy for the registration and certification authority (TKÜV-CA) – Bundesnetzagentur Section IS 16
A detailed description of the whole process and a list of the information required for VPN membership are included in the Policy available to download here.
Policy key elements:
- Identity and services of the certification authority (TKÜV CA)
- Rules/procedure for registration
- Procedure for creating certificates (including IP configuration)
- Certificate revocation/invalidation
- Management system options
- Cryptosystem test
- Miscellaneous
TKÜ VPN membership application
- The TKÜ VPN application form is available to download here. The two parts in the form – registration and technical – can be completed separately with additions, changes or deletions. Applications should be sent by email using PGP encryption to is16.Postfach@bnetza.de and the original should be sent by post.
Contact
Surveillance measures and provision of information;
Emergency preparedness in telecommunications
Federal Network Agency
Canisiusstraße 21
55122 Mainz
Telefax +49 6131 18 5632
mailto: IS16.Postfach@BNetzA.de
Download
The PGP key for IS16.Postfach@BNetzA.de was created on 23 October 2019 and can be used for secure e-mail communication:
The public key (pgp) for unit IS 16 (zip / 3 KB)