
Security Level: Internal use

Introduction to LTE eRAN2.1 Transmission Solution

www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Foreword
This document describes the LTE eRAN2.1 transmission solution to help users better understand the principles of the LTE transmission network.

eRAN2.1 is an enhanced version with the following new features:
- Enhanced QoS: PIR/CIR.
- Enhanced security solution:
  1. Self-setup of ACL packet filtering over the X2 interface during ANR
  2. Security PnP
  3. CMPv2 certificate management


References
- Transmission Security MOM Description
- Security Feature Parameter Description
- Principles and Practice of PKI
- Principles and Fundamentals of Digital Certificates and SSL
- Requirement for DHCP SERVER


Training Objectives
After completing this course, you should be able to:
- Understand the LTE eRAN2.1 transmission solution.
- Understand the networking solution for LTE eRAN2.1 transmission security.
- Know the principles of transmission security.


Contents
1. LTE Transmission Network - Interfaces
2. LTE Transmission Network - QoS
3. LTE Transmission Network - Reliability
4. LTE Transmission Network - Fault Detection
5. LTE Transmission Network - Security


Interfaces of the LTE Transmission Network

[Figure: eNodeB connected to the MME (S1-C) and the S-GW (S1-U), to the OAM system and the clock server, and to a neighbouring eNodeB over X2 (X2-C, X2-U); the MME and S-GW are linked by S11.]

An LTE network has two protocol interfaces: the S1 interface and the X2 interface. LTE transmission data includes the following:
- Data over the S1 interface, including data of the S1 control plane (S1-C) and the S1 user plane (S1-U).
- Data over the X2 interface, including data of the X2 control plane (X2-C) and the X2 user plane (X2-U).
- OAM data.
- Clock synchronization data.
Note: The S11 interface is part of the core network and is not described in this course.


LTE E2E QoS Solution

[Figure: end-to-end QoS path eNodeB - Ethernet - Router - IP network (DiffServ) - Router - Ethernet - MME/S-GW. QCI is mapped to VLAN priority at layer 2 and to DSCP at layer 3; the eNodeB applies shaping ahead of the bottlenecks on the path.]

A transport path is modelled as a pipe. A pipe has bottlenecks that are prone to congestion. The end nodes should support traffic shaping so that traffic is not discarded at the congested points.

1. QoS mapping
   Traffic QoS: user plane (based on QCI, GBR, non-GBR), signaling, IP clock, and OAM.
   IP layer: DSCP mapping, DiffServ.
   Data link layer: Ethernet QoS (IEEE 802.1P/Q).
2. Traffic shaping
   Logical port shaping.
   Physical port shaping.

MPLS: Multiprotocol Label Switching; DSCP: Differentiated Services Code Point; CoS: Class of Service.


QoS Mapping
QoS-relevant concepts
1. QCI: QCI is an important QoS concept introduced in LTE. It defines the QoS class and its key quality parameters, such as priority, packet delay budget, and packet error loss rate.
2. DSCP and VLAN priority (P-bit): packet priority concepts defined by the transmission network. DSCP is at the IP layer and VLAN priority is at the link layer.

LTE QoS mapping
1. Mapping from the control plane, user plane, and OM to DSCP.
2. Mapping from service at the user plane to QCI, where QCI is extensible.
3. Mapping from QCI at the service plane to IPPATH (optional).
4. Mapping from DSCP to VLAN priority.

QCI table (3GPP TS 23.203):

QCI | Resource Type | Priority | Packet Delay Budget | Packet Error Loss Rate | Example Services
1 | GBR | 2 | 100 ms | 10^-2 | Conversational voice
2 | GBR | 4 | 150 ms | 10^-3 | Conversational video (live streaming)
3 | GBR | 3 | 50 ms | 10^-3 | Real-time gaming
4 | GBR | 5 | 300 ms | 10^-6 | Non-conversational video (buffered streaming)
5 | Non-GBR | 1 | 100 ms | 10^-6 | IMS signaling
6 | Non-GBR | 6 | 300 ms | 10^-6 | Video (buffered streaming); TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video)
7 | Non-GBR | 7 | 100 ms | 10^-3 | Voice, video (live streaming), interactive gaming
8 | Non-GBR | 8 | 300 ms | 10^-6 | Video (buffered streaming); TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video)
9 | Non-GBR | 9 | 300 ms | 10^-6 | As for QCI 8

TS 23.203 defines nine QCIs and supports QCI extension. Beginning from eRAN2.1, Huawei supports extended QCI.


QoS Mapping
Mapping from service types and DSCPs to VLAN priorities.

Service Type | DSCP (hex) | DSCP (dec) | MML Command to Configure DSCP | VLAN | VLAN Pri
QCI1 | 0x2E | 46 | SET DIFPRI | USERDATA | 5
QCI2 | 0x1A | 26 | SET DIFPRI | USERDATA | 3
QCI3 | 0x22 | 34 | SET DIFPRI | USERDATA | 4
QCI4 | 0x1A | 26 | SET DIFPRI | USERDATA | 3
QCI5 | 0x2E | 46 | SET DIFPRI | USERDATA | 5
QCI6 | 0x12 | 18 | SET DIFPRI | USERDATA | 2
QCI7 | 0x12 | 18 | SET DIFPRI | USERDATA | 2
QCI8 | 0x0A | 10 | SET DIFPRI | USERDATA | 1
QCI9 | 0x00 | 0 | SET DIFPRI | USERDATA | 0
SCTP | 0x2E | 46 | SET DIFPRI | SIG | 5
MML (OM) | 0x2E | 46 | SET DIFPRI | OM_H | 5
FTP (OM) | 0x0E | 14 | SET DIFPRI | OM_L | 1
1588V2 (IP clock) | 0x2E | 46 | SET DIFPRI | USERDATA | 5
HWDEFINED | 0x2E | 46 | SET DIFPRI | USERDATA | 5
BFD | built-in, unchangeable | - | ADD BFDSESSION | USERDATA | depends on the actual situation
IKE | 0x30 | 48 | manual configuration | USERDATA | 5
IPPM | 0x3F | 63 | ADD IPPMSESSION (manual configuration) | USERDATA | depends on the actual situation
Ping packet | DSCP of the peer ping packet | - | PING; no need to configure (by default, the DSCP of the ping command of the transmission network and core network is 0) | USERDATA | 7
Ping (response packet) | DSCP of the received ping packet | - | No need to configure; the eNodeB response packet carries the DSCP of the peer ping packet | USERDATA | 0
ARP | no DSCP value | - | No need to configure | OTHER | -

The nine QCI rows are the nine service types of the user plane.


eNodeB Traffic Shaping and Scheduling

[Figure: eNodeB two-level shaping. Each of three logical interfaces has its own queues (EF, AF4, AF3, AF2, AF1, BE, ...) feeding a level 1 shaper; the IP scheduler feeds the level 2 shaper on the GE/FE interface towards the IP/Ethernet transport network and the SGW/MME, which eNodeB1 and eNodeB2 share.]

The eNodeB GE/FE interfaces support two levels of shaping: physical port shaping and logical port shaping. Each logical port contains eight queues.

Two levels of queues are needed to differentiate operators, that is, to support eRAN sharing.

The parameters of a logical port include the committed information rate (CIR), the PIR, and the scheduling weight. The logical ports can share the bandwidth of the physical port.


PIR/CIR

[Figure: token buckets for the PIR and the CIR.]

PIR: Peak Information Rate; CIR: Committed Information Rate; CBS: Committed Burst Size; EBS: Excess Burst Size; PBS: Peak Burst Size.

In versions earlier than eRAN2.1, the eNodeB supports the single-rate three-color marker, srTCM (CIR, CBS, and EBS), for traffic shaping, in compliance with RFC 2697. In eRAN2.1, the eNodeB supports the two-rate three-color marker, trTCM (CIR, CBS, PIR, PBS), in compliance with RFC 2698. PIR/CIR refers to the trTCM algorithm.

The transport admission algorithm of the eNodeB is affected by this algorithm: the admission of GBR services is controlled by the CIR, whereas the admission of non-GBR services is controlled by the PIR. The purpose is to guarantee the quality of high-priority GBR services.

The eNodeB supports two levels of traffic shaping, namely logical port shaping and physical port rate limiting. In eRAN2.1, logical ports support PIR/CIR. This function can be used in the eRAN sharing scenario. As the following figure illustrates, the CIR traffic of different operators does not share the physical bandwidth, whereas the PIR traffic does.

[Figure: the total bandwidth is divided into Operator A CIR, Operator A PIR, Operator B CIR, and Operator B PIR; only the PIR portions overlap.]
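The marking and admission behaviour described above, as an added example (not Huawei's implementation): a colour-blind trTCM per RFC 2698 with the CIR/CBS and PIR/PBS buckets, plus a constructed LogicalPort model in which GBR bearers are admitted against the CIR and non-GBR bearers against the PIR. The rates, burst sizes and the port model are assumptions for illustration.

```python
"""Two-rate three-color marker (trTCM, RFC 2698) of the kind the eRAN2.1
PIR/CIR logical-port shaper uses, plus a model of the admission rule on the
slide (GBR bearers admitted against CIR, non-GBR bearers against PIR).

Added example, not Huawei code; rates, burst sizes and the LogicalPort
admission model are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class TrTCM:
    """Colour-blind trTCM: one token bucket per rate, both start full."""
    cir: float  # committed information rate, bytes per second
    cbs: int    # committed burst size, bytes (capacity of the CIR bucket)
    pir: float  # peak information rate, bytes per second
    pbs: int    # peak burst size, bytes (capacity of the PIR bucket)
    tc: float = field(init=False)                 # tokens in the committed bucket
    tp: float = field(init=False)                 # tokens in the peak bucket
    last: float = field(init=False, default=0.0)  # time of the last packet

    def __post_init__(self) -> None:
        if self.pir < self.cir:
            raise ValueError("PIR must not be lower than CIR (RFC 2698)")
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)

    def mark(self, size: int, now: float) -> str:
        """Mark one packet of `size` bytes arriving at time `now` (seconds)."""
        if now < self.last:
            raise ValueError("packets must be marked in time order")
        elapsed = now - self.last
        self.last = now
        # Refill each bucket at its own rate, capped at its burst size.
        self.tc = min(float(self.cbs), self.tc + self.cir * elapsed)
        self.tp = min(float(self.pbs), self.tp + self.pir * elapsed)
        if self.tp < size:           # exceeds PIR: red, no tokens consumed
            return "red"
        if self.tc < size:           # within PIR but over CIR: yellow
            self.tp -= size
            return "yellow"
        self.tc -= size              # within CIR: green
        self.tp -= size
        return "green"


def mark_burst(marker: TrTCM, packets) -> list:
    """Mark a sequence of (arrival_time, size) pairs and return the colours."""
    return [marker.mark(size, t) for t, size in packets]


@dataclass
class LogicalPort:
    """Admission model for one operator's logical port (constructed model)."""
    cir_bps: int
    pir_bps: int
    gbr_admitted_bps: int = 0    # sum of admitted GBR bearer rates, bounded by CIR
    total_admitted_bps: int = 0  # GBR + non-GBR, bounded by PIR

    def admit(self, rate_bps: int, gbr: bool) -> bool:
        """GBR bearers are checked against CIR, non-GBR bearers against PIR."""
        if gbr:
            if self.gbr_admitted_bps + rate_bps > self.cir_bps:
                return False
            self.gbr_admitted_bps += rate_bps
        elif self.total_admitted_bps + rate_bps > self.pir_bps:
            return False
        self.total_admitted_bps += rate_bps
        return True


if __name__ == "__main__":
    marker = TrTCM(cir=1000, cbs=2000, pir=2000, pbs=4000)
    burst = [(0.0, 1000)] * 5 + [(1.0, 1000)]     # five back-to-back packets, then one a second later
    print(mark_burst(marker, burst))                # green, green, yellow, yellow, red, green
    port = LogicalPort(cir_bps=10_000_000, pir_bps=30_000_000)
    print(port.admit(8_000_000, gbr=True), port.admit(4_000_000, gbr=True))  # True False
```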


Reliability
Redundancy: The eNodeB and the backhaul network provide different redundancy solutions for the backhaul design, which inevitably include port redundancy and board redundancy.
The main reliability solution of eRAN2.1 is port (channel) redundancy. The board redundancy is LMPT cold standby.

[Figure: end-to-end redundancy between the eNodeB and the S-GW/MME (S1 interface) across the transport, network, data link, and PHY layers, with a work path and a protection path through the backhaul transport network; segment-by-segment redundancy with port redundancy and board redundancy at each end; traffic flow protection for control plane, user plane, clock data, and OAM data; OAM backup; clock server (optional).]


Overview of the Reliability Solution

[Figure: eNodeBs connected over GE to a switch/router (Ethernet trunk) and to the IP/MPLS network; route backup (active route + backup route); S-GW pool and MME pool reached over S1-flex from the E-UTRAN eNodeBs.]

1. Reliability solution: S1-flex, channel backup (3 s), IP route backup, and Ethernet link aggregation.
2. Fault detection mechanisms: BFD (100 ms), Ethernet OAM (100 ms).

BFD: Bidirectional Forwarding Detection; ARP: Address Resolution Protocol.


Summary of the Reliability Functions

Protocol Layer | Redundancy Mechanism | Protected Object | Maintenance and Detection Mechanism | Detection Time
Application layer | OM channel backup | OM channels | OM handshake protocol (proprietary handshake protocol) | 35 s
Transport layer | SCTP multi-homing | S1/X2 channels | SCTP protocol detection (heartbeat check and retransmission check) | Handover can be finished in 5 s by parameter settings
Network layer | IP route backup | Routes, links | BFD detection | 100 ms; parameters are configurable
Data link layer | Ethernet port trunk | Links, Ethernet ports | BFD detection, physical port detection, IEEE 802.3ah detection, IEEE 802.1ag detection | 100 ms; parameters are configurable
Physical layer | None | None | Physical port detection | ms level


OMCH Backup
1. The OMCH backup function is used only in the scenario of M2000 remote HA.
2. The OMCH backup function is used when the OM channel passes over Ethernet. The eNodeB configures two different OM IP addresses for the active and standby OM channels, and the M2000 configures the same or different IP addresses. The OMCH backup function uses two physical ports for higher reliability. Preferably, the active and standby OM IP addresses are in different network segments; in this way the OMCHs run over different routes, providing higher reliability at higher cost.
3. When the active OMCH is down, the M2000 automatically delivers a switchover command and, upon receipt of the command, the eNodeB switches to the standby OMCH.
4. When the active OMCH is down, the active/standby switchover takes a minimum of six minutes. The following figure illustrates the OMCH backup function.


SCTP Multi-Homing
Each end of an SCTP link binds N IP addresses for redundancy, where N is greater than 2. For SCTP dual-homing, two IP addresses are configured, the first of which is the primary IP address and the second the standby IP address. The two routes of dual-homing are active and standby. An SCTP link is established on a board and no port is specified. The two IP addresses can be on the same interface or on different interfaces of the same board; using the same interface for both IP addresses is recommended. This function must be negotiated with, and supported by, the core network; therefore it is not actively recommended to customers. This function does not support cross-route.

An SCTP link is identified by four parameters: local IP, local SCTP port number, peer IP, and peer SCTP port number.
The difference between SCTP multi-homing and OMCH backup is as follows: in SCTP multi-homing, the slave path automatically switches back to the master path when the master path recovers; in OMCH backup, the M2000 switches to the active OMCH after it detects that the standby OMCH is down.


IP Route Backup
IP route backup means that multiple routes are configured for the same destination. The route with the highest priority is the primary route and the routes with lower priority are backup routes. Each route uses a different physical connection. When the primary route is faulty, the eNodeB performs an active/standby switchover and selects a backup route to avoid service interruption. When the primary link recovers, the eNodeB automatically switches back to the primary route.

//Add IP address of Ethernet port 0
ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=0,IP="11.11.11.11",MASK="255.255.255.0";
//Add IP address of Ethernet port 1
ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=1,IP="12.12.12.12",MASK="255.255.255.0";
//Add master IP route (route backup is used between the eNodeB and the SeGW)
ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="11.11.11.10",PREF=50,DESCRI="Master IP Route";
//Add slave IP route
ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="12.12.12.10",PREF=60,DESCRI="Slave IP Route";

The eNodeB needs two DEVIPs that are in different network segments. (With only one DEVIP, route backup cannot be configured.)
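As an added example (not eNodeB code), the following parses the four MML commands above, rejects a route whose next hop is not on any DEVIP subnet (the single-DEVIP case the note warns about), and selects the active route by PREF with automatic fail-back when the primary port recovers. The MML parser, the port names ETH0/ETH1, and the up/down port model are assumptions.

```python
"""Route backup as configured on the slide: parse the ADD DEVIP / ADD IPRT
MML commands, check that each route's next hop sits on a DEVIP subnet, and
select the active route by preference with automatic fail-back.

Added example, not eNodeB code; the MML parser, port names and the
up/down port model are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The four configuration commands quoted on the slide.
SLIDE_MML = [
    'ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=0,IP="11.11.11.11",MASK="255.255.255.0";',
    'ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=1,IP="12.12.12.12",MASK="255.255.255.0";',
    'ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",'
    'RTTYPE=NEXTHOP,NEXTHOP="11.11.11.10",PREF=50,DESCRI="Master IP Route";',
    'ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",'
    'RTTYPE=NEXTHOP,NEXTHOP="12.12.12.10",PREF=60,DESCRI="Slave IP Route";',
]


def parse_mml(line: str):
    """Split 'CMD:K=V,K="V";' into (command, {K: V}); values here hold no commas."""
    cmd, _, body = line.strip().rstrip(";").partition(":")
    params = {}
    for item in body.split(","):
        key, _, value = item.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return cmd.strip(), params


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    nexthop: ipaddress.IPv4Address
    pref: int     # lower value = higher priority (the primary route has the lowest PREF)
    descr: str
    port: str     # DEVIP port whose subnet contains the next hop


class RouteTable:
    def __init__(self) -> None:
        self.devips: Dict[str, ipaddress.IPv4Interface] = {}
        self.port_up: Dict[str, bool] = {}
        self.routes: List[Route] = []

    def load(self, lines) -> None:
        for line in lines:
            cmd, p = parse_mml(line)
            if cmd == "ADD DEVIP":
                port = f"{p['PT']}{p['PN']}"          # e.g. ETH0 (assumed naming)
                self.devips[port] = ipaddress.ip_interface(f"{p['IP']}/{p['MASK']}")
                self.port_up[port] = True
            elif cmd == "ADD IPRT":
                nexthop = ipaddress.ip_address(p["NEXTHOP"])
                # A route is only usable if its next hop is on-link via some DEVIP;
                # with a single DEVIP the second route fails here.
                port = next((n for n, i in self.devips.items() if nexthop in i.network), None)
                if port is None:
                    raise ValueError(f"next hop {nexthop} is not on any DEVIP subnet")
                net = ipaddress.ip_network(f"{p['DSTIP']}/{p['DSTMASK']}", strict=False)
                self.routes.append(Route(net, nexthop, int(p["PREF"]), p.get("DESCRI", ""), port))

    def set_port(self, port: str, up: bool) -> None:
        """Link state as BFD or physical port detection would report it."""
        self.port_up[port] = up

    def lookup(self, dst: str) -> Optional[Route]:
        """Best usable route: lowest PREF among routes whose port is up.
        Because the primary always wins while its port is up, recovery of the
        primary link moves traffic back to it automatically."""
        addr = ipaddress.ip_address(dst)
        usable = [r for r in self.routes if addr in r.dst and self.port_up[r.port]]
        return min(usable, key=lambda r: r.pref, default=None)

    def backup_is_independent(self, dst: str) -> bool:
        """True when the routes for dst leave through at least two different ports."""
        addr = ipaddress.ip_address(dst)
        return len({r.port for r in self.routes if addr in r.dst}) >= 2


if __name__ == "__main__":
    table = RouteTable()
    table.load(SLIDE_MML)
    print(table.lookup("13.13.13.13").descr)   # Master IP Route
    table.set_port("ETH0", False)              # primary link faulty
    print(table.lookup("13.13.13.13").descr)   # Slave IP Route
    table.set_port("ETH0", True)               # primary link recovered
    print(table.lookup("13.13.13.13").descr)   # Master IP Route again
```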


Ethernet Link Aggregation

Ethernet link aggregation means that multiple physical ports are aggregated into one logical path to increase the bandwidth between switches and eNodeBs, providing more bandwidth, more throughput, and higher network capacity. This function requires that the peer transport device also supports it, which ordinary routers do. Trunk No. is the unique number of the aggregation group. Port priority: the lower the value, the higher the priority.


Link Fault Detection

[Figure: transport network between eNodeBs (X2 interface, end-to-end), transport devices (GE/FE, segment-by-segment), and the S-GW/MME (S1 interface, end-to-end).]

Network management quality: QoS monitoring, fault detection, fault location and quick recovery.
Two scenarios: end-to-end maintenance and segment-by-segment maintenance.


Maintainability Solution

[Figure: eNodeB to IP core: 802.3ah on the access link, 802.1ag for connectivity, single-hop BFD, multi-hop BFD and IPPM at the application layer, with performance counters.]

Access link maintenance: IEEE 802.3ah.
Connectivity maintenance: IEEE 802.1ag.
Application layer maintenance: BFD, IPPM, and IPPATH check.


IPPATH Check
It is recommended to disable this function in ordinary situations.


IP Performance Monitoring (1)

Function: IP performance monitoring (IP PM) monitors the transport quality between the eNodeB and the S-GW and checks the transport performance parameters, including the number of packets sent and received, packet loss rate, one-way delay variation, and round-trip delay variation.
Strength: Provides transport KPIs and works with dynamic transport flow control to avoid the impact of dynamic transport bandwidth variation on QoS.
Weakness: The more IP PM sessions are activated, the more accurately congestion is determined and the more resources are consumed.
Requirement for the devices: IPPM is Huawei proprietary and requires support from both the eNodeB and the core network. IPPM requires that the DSCP value in the transmission network is the same as that of the eNodeB and core network and is not changed in transit; otherwise, activating IPPM fails.
Applicable scenario: IP PM is recommended when the core network consists of Huawei equipment, particularly if the IP transmission has to pass over poor-quality ADSL lines that have a high packet loss rate, unstable line rates, or large bandwidth variation.


IP Performance Monitoring (2)

External congestion check: IP PM checks in real time the packet loss of a user data path, calculates the packet loss rate of the path, and dynamically adjusts the logical port bandwidth for dynamic admission control of the transport bandwidth and flow control, avoiding packet loss caused by congestion of the transmission network.

[Figure: eNodeB to MME/SGW with a maximum bandwidth of 100 Mbps and a 30 Mbps bottleneck. 1. detect; 2. calculate the bottleneck; 3. transport dynamic flow control on bandwidth change.]

To enable a bidirectional link check, set up a PM session in the A > B direction and a PM session in the B > A direction.

This figure shows adaptive flow control based on IP PM. The dotted lines indicate bandwidth variation of the IP/Ethernet transmission network. The IP PM between the S-GW/MME and the eNodeB checks the variation of the transmission network performance, including delay, jitter, and packet loss rate, and estimates the minimum end-to-end available transmission bandwidth. The eNodeB sends the available bandwidth information to the flow control module, which adjusts the data flow into the transmission network to reduce the packet loss rate and to increase the bandwidth utilization of the transmission network.


Bidirectional Forwarding Detection (BFD)

Function: Fast fault detection for any type of channel. BFD detects the connectivity of a path (physical or logical links) between two systems and can be used by all protocols at layer 2 or higher. The eNodeB implements BFD over UDP.
Strength: Fault detection for IP routes; quick detection within 100 ms.
Requirement on the device: At present the eNodeB supports BFD version 1, so the peer device must also support BFD version 1; if it does not, this function cannot be used. Both ends start BFD simultaneously, and the detection intervals of both ends should be consistent.
Recommended scenarios:
- Segment-by-segment BFD (SBFD): Used for point-to-point detection of network faults, applicable to detecting the direct connection between two points of the same network segment.
- Multi-hop BFD (MBFD): Used for end-to-end detection of network faults, applicable to two ends that have multiple routing nodes in between.


Segment-by-Segment BFD and Multi-Hop BFD

SBFD: Used for fault detection between an eNodeB and an L3 transmission device, or between an S-GW/MME and a transmission device; used to locate a fault or to trigger switchover of protection paths between an eNodeB and a transmission device, or between an S-GW/MME and a transmission device. SBFD does not traverse an L3 transmission device.
MBFD: Used for detection between eNodeBs, between an eNodeB and an S-GW, and between an eNodeB and a remote transmission device; used to locate a fault or to trigger switchover of protection paths between the two ends to ensure network reliability.


BFD

MML output for adding a multi-hop BFD session:

+++ HUAWEI 2010-07-08 15:37:15
O&M #62147
%%ADD BFDSESSION: SN=7, BFDSN=0, SRCIP=10.141.225.226, DSTIP=10.69.23.24, HT=MULTI_HOP;%%
RETCODE = 0 Operation succeeded


IEEE802.3ah and IEEE802.1ag

Ethernet OAM is implemented by two protocols. IEEE 802.1ag highlights end-to-end Ethernet link OAM, and IEEE 802.3ah highlights segment-by-segment Ethernet OAM (concerning the user side only, not the network side). The two work together to provide a complete Ethernet OAM solution. The following figure shows the position of Ethernet OAM.


IEEE802.3ah and IEEE802.1ag

IEEE 802.3ah
- Link performance monitoring
- Fault detection
- Loopback test
- Strength: highlights segment-by-segment Ethernet fault monitoring (concerning only the user side, not the network side).
- The peer equipment needs to support IEEE 802.3ah.

IEEE 802.1ag
- Connectivity check
- Loopback test
- Link follow-up test
- Strength: highlights end-to-end Ethernet link fault monitoring.
- The transmission equipment needs to support IEEE 802.1ag.


eNodeB Security Architecture

The security architecture contains three parts:
1. Security threats: potential damage that may affect normal system operation.
2. Security measures: methods used to protect system security.
3. Security system: the target protected by the security measures, here the eNodeB. The security system contains the radio plane, transmission plane, equipment plane, and OAM plane.

No. | Threatened Object | Security Threats | Security System
1 | eNodeB | Stealing eNodeB hardware. Obtaining important information from the eNodeB. Loading invalid versions or illegally controlling the eNodeB. DoS (denial of service) attack. | Equipment security
2 | Uu interface | Eavesdropping on Uu interface signaling to obtain important user information. Mimicking Uu interface signaling to forge user access. | Radio security
3 | S1 interface | Eavesdropping on data in the transmission network to obtain important user information. Intercepting data in the transmission network to tamper with it. | Transmission security
4 | X2 interface | The same as the S1 interface. | Transmission security
5 | OM interface | Intercepting important information sent by the eNodeB over the OM interface, or stealing important data from the OM interface. Deleting the eNodeB. Logging in to, controlling, and operating the eNodeB illegally. | OAM security
6 | Clock server | Attack on the eNodeB from an illegal clock source. | OAM security

Five security threat types are defined. See Remark.


Security Measures
Tailored to the security threats, ITU-T X.805 identifies and defines eight security measures:
1. Access control: Prevents equipment from being used illegally and allows only authorized users to access the protected content (equipment, information, services). For example, only authorized users can gain access to the eNodeB through the OM interface.
2. Authentication: Authenticates the identity of a communication entity and allows only entities with a valid identity to set up communications.
3. Non-repudiation: Prevents an entity from denying an operation, using evidence such as operation logs. For example, an operation log records each operation on the eNodeB.
4. Data confidentiality: Uses encryption to prevent data from being disclosed.
5. Communications security: Information is transmitted only between authenticated entities to prevent disclosure or falsification of the data during communications.
6. Data integrity: Ensures data correctness, prevents illegal change, deletion, generation, or replication of data, and identifies unauthorized operations.
7. Availability: Ensures that the system works and that services are not interrupted as a result of an illegal operation.
8. Privacy: Protects keys, identity information, and equipment or network activity information, such as log information.

Security System | Security Measure | Mechanisms
Transmission security | Transmission security policy | 1. IPSec  2. 802.1x
Transmission security | PnP | Certificate management: PKI / CMPv2
Equipment security | Simple firewall function | 1. ACL  2. Interface security management
OM security | OM channel security | 1. SSL

This course describes transmission security.

Transmission Security Mechanism

[Figure: eNodeB with 802.1X towards the access network; an IPSec tunnel from the eNodeB through the access network to the SeGW in front of the core network (SAE, RADIUS, IPCLK, M2000); PKI system with CA and CRL server.]

The eNodeB uses 802.1x (EAP-TLS)-based authentication access control and IPSec to ensure transmission security.
1. 802.1X-based authentication access control ensures that the eNodeB gains access to the transmission network through the legitimate process.
2. IPSec provides the security mechanism for the eNodeB in the all-IP scenario, ensuring transmission confidentiality, integrity, authentication, and replay resistance.
802.1X and IPSec provide transmission security protection at different layers. They can be used together or separately.

802.1x Access Authentication

The MAC address of the eNodeB is authenticated to prevent unauthorized equipment from gaining access to the transmission network. The 802.1x access control sends the digital certificate of the eNodeB to the RADIUS server over the EAPoL; the RADIUS server authenticates the eNodeB identity by using the Huawei CA root certificates configured on the server.


Principles of IPSec (1/3)

IPSec is an open-standards framework. The IPSec protocol suite includes ESP/AH, IKE, DPD, and the encryption algorithms.

1. Security protocols
   AH (Authentication Header) provides data integrity checking and is applicable to transmitting non-confidential data.
   ESP (Encapsulating Security Payload) provides data integrity checking and encryption and is applicable to transmitting confidential data.
2. Packet encapsulation modes
   Transport mode: Protects the payload and upper-layer protocols of the IP packet. The IPSec header (AH and/or ESP) is inserted after the IP header and before the upper-layer protocol header.
   Tunnel mode: Protects the original IP packet as a whole. The original IP packet is encapsulated in a new IP packet; the IPSec header (AH and/or ESP) is inserted between the new IP header and the original IP header, so the original IP header is protected by IPSec as part of the payload.


Principles of IPSec (2/3)

Format of the AH packet in each encapsulation mode:
Transport mode: [IP Header][AH Header][TCP/UDP][Data]
    AH authentication covers the whole packet.
Tunnel mode: [New IP Header][AH Header][IP Header][TCP/UDP][Data]
    AH authentication covers the whole packet, including the original IP header.

Format of the ESP packet in each encapsulation mode:
Transport mode: [IP Header][ESP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]
    ESP encryption covers TCP/UDP, Data and ESP Trailer; ESP authentication covers ESP Header through ESP Trailer.
Tunnel mode: [New IP Header][ESP Header][IP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]
    ESP encryption covers the original IP Header, TCP/UDP, Data and ESP Trailer; ESP authentication covers ESP Header through ESP Trailer.

Format of the packet using both protocols in each encapsulation mode:
Transport mode: [IP Header][AH Header][ESP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]
    ESP encryption covers TCP/UDP, Data and ESP Trailer; ESP authentication covers ESP Header through ESP Trailer; AH authentication covers the whole packet.
Tunnel mode: [New IP Header][AH Header][ESP Header][IP Header][TCP/UDP][Data][ESP Trailer][ESP Auth]
    ESP encryption covers the original IP Header, TCP/UDP, Data and ESP Trailer; ESP authentication covers ESP Header through ESP Trailer; AH authentication covers the whole packet.


Principles of IPSec (3/3)

3. Integrity check: A hash function accepts a message of any length and generates a message digest of fixed length. The two communicating entities calculate and compare the digest to determine whether the packets are complete and have not been tampered with. Algorithms: MD5, SHA-1.
4. Data encryption: An encryption algorithm uses symmetric cryptography to encrypt and decrypt data.
   NULL: Null encryption algorithm; IP packets are not encrypted.
   DES (Data Encryption Standard): Uses a 56-bit key to encrypt a 64-bit plaintext block.
   3DES: Uses three 56-bit DES keys (totaling 168 bits) to encrypt plaintext.
   AES (Advanced Encryption Standard): AES has three key lengths: 128, 192, and 256 bits. The longer the key, the higher the security and the slower the computation.
5. IKE (Internet Key Exchange): IKE is used for key negotiation, identity authentication, and IPSec SA negotiation.
6. Key exchange algorithm: In IKE, the two communicating entities calculate the shared key through a series of data exchanges without transferring the key itself. Even if a third party intercepts all the exchanged data, it cannot calculate the key. The core technologies are the DH (Diffie-Hellman) algorithm and pseudorandom functions.
7. Authentication: Pre-shared key (PSK) or digital certificate (PKI).
8. ACL: ACL refers to access control list. The IPSec filter matches the ACL configured by the user against the 5-tuple of the data stream to identify which packets need encryption.


IPSec Application Scenarios

Scenario 1: An IPSec tunnel is set up between the eNodeB and the SeGW. The S1, X2, and OAM data streams are protected by the IPSec tunnel (main scenario).
Scenario 2: An IPSec tunnel is set up between the X2 interfaces of eNodeBs.
Scenario 3: An IPSec tunnel is set up between the S1 interfaces of the eNodeB and the MME/S-GW.

Typical IPSec networking

[Figure: redundancy with two SeGWs in front of the core network (SAE, IPCLK, M2000) and a PKI system (CA, CRL server); eNodeBs in the access network carry the S1, X2, OAM, and SYN streams over IPSec; centralized SeGW deployment (no security zone versus security zone) and distributed SeGW deployment.]

IPSec networking needs to consider three factors: the security domain, the protected streams, and the configuration mode (see Remarks).


Intelligent PNP Process: eNodeB Security Startup with Digital Certificates

[Figure: eNodeB, public DHCP server, RADIUS server, SeGW, PKI system (CA, CRL server), and M2000. Steps: 1. VLAN scanning; 2. DHCP from the public DHCP server; 3. authentication with the PKI server; 4. build the IPSec tunnel; 5. OM channel setup; 6. download configuration and software.]

Prerequisites for eNodeB security startup with intelligent PnP:
1. The transmission network has deployed a public DHCP server. The PnP configuration information and DHCP option 43 are defined.
2. The eNodeB is preset with a factory certificate.
3. The PKI server is preset with the Huawei root certificate, the ESN list, and the CRL, which can be obtained from the web portal. The ESN list is a whitelist.
4. The SeGW is preset with the operator's root certificate.
5. The 802.1X authentication server (RADIUS server) is preset with the Huawei root certificate.

The PnP process has six steps (for details, see Remark):
1. Automatic access process: 802.1X authentication and VLAN learning.
2. DHCP process: obtaining the temporary DHCP address and the SeGW, PKI, and M2000 IP addresses.
3. PKI authentication.
4. IPSec tunnel setup.
5. OMCH setup.
6. Downloading the configuration and software. After restart, the PnP process is finished.
Note: If any of the above steps fails, the system restarts the PnP process until it completes.


All-Process Certificate Management Solution

To support the certificate-based transmission security mechanism, Huawei provides an all-process certificate management solution. The core of this solution is PKI. The solution consists of two stages: the factory stage and the operation stage.

PKI mechanism: PKI (Public Key Infrastructure) uses asymmetric cryptography to provide information security services and is the basis and core of current network security construction. PKI is in wide use. PKI uses username, password, and symmetric key to provide a secure and standard key management infrastructure. The core technology of PKI is digital certificate (public key) management, including issuance, delivery, update, and revocation of certificates.

Certificate management
Factory stage: The factory CA issues the factory device certificate; the eNodeB is preset with the device certificate and the Huawei root certificate; the root certificates, CRL, and ESN list are published on the web portal.
Operation stage: Includes eNodeB installation, eNodeB security self-startup with intelligent PnP, and automatic eNodeB certificate management with the all-process certificate management process.


Principle 1 - Symmetric Cryptography


Encryption and decryption use the same key. The sender and receiver must agree on a key before communicating securely. Security depends on the confidentiality of the key: once the key is disclosed, the encryption no longer provides any protection.

[Figure: User A and User B share one key (key allocation). A encrypts plaintext to ciphertext with the key; B decrypts the ciphertext back to plaintext with the same key.]


Principle 2 - Asymmetric Cryptography


Also known as public key encryption. Encryption and decryption use different keys. The encryption key can be published and is called the public key; the decryption key must be kept secret and is called the private key. The private key is used to sign and the public key is used to verify the signature (and, conversely, data encrypted with the public key can only be decrypted with the private key).

[Figure: User A obtains B's public key and encrypts plaintext to ciphertext with it; User B decrypts the ciphertext back to plaintext with B's private key.]


Principle 3 - Digital Certificates

A digital certificate is an electronic ID card containing an entity's identity and its associated public key. This electronic ID card must be issued by a trusted certificate authority (CA).

[Figure: the CA calculates a message digest over the certificate content, then signs the digest with the CA's private key; the result is stored in the certificate as the CA's digital signature.]


Principle 4 - Certificate Revocation List (CRL)

A digital certificate sometimes needs to be revoked before its validity period expires (for example, when the private key is compromised or the device is withdrawn from service). The revoked certificates are listed centrally in the CRL, which acts as a blacklist.

Structure of an X.509 CRL:
tbsCertList (the signed part)
  version
  signature (algorithm identifier)
  issuer
  thisUpdate
  nextUpdate
  revokedCertificates: one entry per revoked certificate, each with userCertificate (serial number), revocationDate, and crlEntryExtensions
  crlExtensions
signatureAlgorithm
signatureValue (the issuer's signature over tbsCertList)


Principle 5 - PKI
PKI refers to public key infrastructure.
The PKI implementation is based on asymmetric cryptography algorithms and technologies. PKI is the basis and core of current network security construction. Its characteristics:
1. Established over a group of standard, interoperable PKI protocols.
2. Uses digital certificates compliant with ITU-T X.509, manages the public keys of asymmetric cryptography, and binds the public key of an entity to other identity information (which for a device can be the device name, home country, province, city, specific location, or unique ID).
3. A trusted CA (certificate authority) signs the public key and identity information of a user, generating a digital certificate.
4. Manages the life cycle of digital certificates.

PKI architecture
CA: The CA issues, updates, revokes, and verifies digital certificates. The CA is the core executive part of PKI.
RA: The RA is the registration and approval body for digital certificates; it is the CA's front end for users.
CR/CRL: The certificate repository (CR) / CRL server stores the digital certificates or the CRL. It exists as an FTP server, web server, or LDAP server.


CA hierarchy and life cycle of a digital certificate
[Figure: a root CA at the top, a middle CA below it, and a CA below that issuing to the ultimate users; the PKI system (CA, RA, CR/CRL server) on one side and the entities on the other.]
Life cycle of a digital certificate:
1. Certificate request
2. Certification authorization
3. Certificate delivery
4. Certificate cancellation (revocation)
5. Certificate expiry
A parent CA can have child CAs, thereby establishing a CA hierarchy. Any CA can issue certificates within its authority. A three-layer CA hierarchy satisfies the requirements of most operators. There is no limit to the depth of the CA hierarchy; a customer can choose an appropriate depth according to the actual situation.

Certificate Chain
[Figure: the verifier extracts the root CA's public key to verify the root CA's signature, then the public key of each subordinate CA (CA1, CA2) to verify that CA's signature on the next certificate in the chain.]
Assume that A authenticates B's certificate. B's certificate names the CA that issued it. Move up the CA hierarchy until the root certificate is reached; the certificates passed on the way form a certificate chain. The authentication process is as follows: moving in the reverse direction, starting from the root certificate, each node verifies the signature on the certificate of the next node, down to B. The root certificate is self-signed and is verified with its own public key. If all signatures verify, A determines that all certificates in the chain are valid. If A trusts the root CA, A can trust B's certificate and public key.


Deploying PKI on eNodeB


The core of the PKI mechanism is certificates. PKI includes the network elements that use certificates, the PKI servers (CA and CRL servers) that manage the certificates, and the certificate management between the NEs and the PKI servers.
[Figure: PKI system (CA, CRL server) <-> certificate management <-> network element holding the root certificate, device certificate, and CRL.]
NEs: The NEs that use certificates are the eNodeB and the SeGW. Three files are built in: the device certificate, the root certificate, and the CRL.
PKI servers: The PKI servers manage certificates and include the CA server and the CRL server. The certificate management protocol between the CA and the eNodeB is CMPv2.

Certificate Verification in LTE
[Figure: left, the SeGW/CA verifies the eNodeB device certificate with the root certificate; right, it verifies the device certificate with the root certificate plus the ESN whitelist.]
The CA root certificate can verify the validity of a device certificate issued by that CA. For example, when the SeGW authenticates an eNodeB, the root certificate that issued the eNodeB device certificate is preset on the SeGW. During authentication, the eNodeB sends its device certificate to the SeGW, which uses the preset root certificate to verify the validity of the device certificate.

Verifying a device certificate with the root certificate ensures that the device certificate was issued by the root CA. The Huawei CA root certificate therefore verifies that an eNodeB is a genuine Huawei device, but not that it is one of the operator's devices. To strengthen the authentication, a whitelist is used: the eNodeB ESN contained in the device certificate is compared with the preset ESN list, and only Huawei eNodeBs with specific ESNs are accepted.


Certificate Management

Factory stage At the factory stage, an eNodeB is preset with a unique device certificate. The ESN list, CRL, and factory CA root certificate are published on the web portal.

Operation stage At the operation stage, a customer obtains the ESN list, CRL, and factory CA root certificates from the web portal to support the factory-preset certificate and eNodeB authentication.

For details, see the Remark.


Certificate Management (CMPv2)


Two certificate management phases:
1. PnP phase: The eNodeB uses the CMPv2 initialization request (ir) and initialization response (ip) messages to apply to the operator's CA server for a device certificate. A DHCP option parameter (CA protocol type) determines whether the CMPv2 messages are carried over HTTP or HTTPS. The following figure illustrates the PnP scenario.
2. Maintenance phase: After the system enters a stable state, the key update request (kur) and key update response (kup) messages are used to renew the certificate. If the update fails, the existing certificate remains in effect and in use, so that the transmission link is not interrupted.

The certificate management system (CMPv2) is compliant with 3GPP TS 33.310.


[Figure: CMPv2 exchange between the eNodeB and the PKI server]
eNodeB:
1. Creates a key pair (private key and public key) for the certificate.
2. Creates the certificate request. The subject CN (common name) and subjectAltName of the certificate are ESN@huawei.com. The ESN (Equipment Serial Number) is the unique ID of the eNodeB.
eNodeB -> PKI server: ir {certificate request file, vendor certificate}
PKI server:
1. Verifies the vendor certificate against the whitelist, which consists of eNodeB ESNs.
2. Verifies the vendor certificate with the vendor root certificate.
3. Issues the operator certificate for the received certificate request file.
PKI server -> eNodeB: ip {operator certificate, operator root certificate}
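The checks described in the CRL, certificate chain, certificate verification and CMPv2 sections above (CRL lookup, chain walk to a trusted root, ESN whitelist, and the PKI server's handling of the ir/ip exchange) as one added Python example. It is not part of the original course material or of any Huawei software: it uses textbook RSA over fixed small Mersenne primes and a truncated SHA-256 digest purely so that it runs without a crypto library, and the CA names, ESNs, serial numbers and certificate layout are constructed assumptions, not Huawei's formats.

```python
"""Toy model of certificate chain verification, CRL lookup, ESN whitelist and the
CMPv2 ir/ip exchange in which the operator CA re-issues a certificate to an eNodeB.
Textbook RSA over fixed Mersenne primes with a truncated SHA-256 digest: NOT a
real PKI, added for illustration only; all names, ESNs and serials are made up."""
import hashlib

E = 65537

def mersenne(k: int) -> int:
    return (1 << k) - 1          # 2^k - 1; the exponents used below give known primes

def keypair(p: int, q: int):
    """Textbook RSA (no padding) from two primes; toy sizes, demo only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def digest(data: bytes) -> int:
    # 128-bit truncation keeps the integer below every toy modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def tbs(cert: dict) -> bytes:
    """Canonical 'to-be-signed' encoding: every field except the signature."""
    return repr(sorted((k, v) for k, v in cert.items() if k != "sig")).encode()

def issue(subject, pub, issuer_name, issuer_priv, serial) -> dict:
    cert = {"subject": subject, "issuer": issuer_name, "pub": pub, "serial": serial}
    cert["sig"] = pow(digest(tbs(cert)), issuer_priv["d"], issuer_priv["n"])
    return cert

def sig_ok(cert: dict, issuer_pub: dict) -> bool:
    return pow(cert["sig"], issuer_pub["e"], issuer_pub["n"]) == digest(tbs(cert))

def verify_chain(cert, intermediates, trusted_roots, crl):
    """Follow issuer links from cert up to a trusted self-signed root, checking
    every signature and every (issuer, serial) pair against the CRL."""
    by_name = {c["subject"]: c for c in intermediates + trusted_roots}
    seen = set()
    while True:
        if (cert["issuer"], cert["serial"]) in crl:
            return False, "revoked: " + cert["subject"]
        issuer = by_name.get(cert["issuer"])
        if issuer is None or cert["subject"] in seen:
            return False, "no path to a trusted root from " + cert["subject"]
        seen.add(cert["subject"])
        if not sig_ok(cert, issuer["pub"]):
            return False, "bad signature on " + cert["subject"]
        if issuer in trusted_roots:          # the root is self-signed: check it with its own key
            return (True, "ok") if sig_ok(issuer, issuer["pub"]) else (False, "bad root")
        cert = issuer

def esn_of(cert: dict) -> str:
    return cert["subject"].split("@")[0]     # subject CN is ESN@huawei.com

def operator_ca_ip(ir, vendor_roots, crl, esn_whitelist, op_root, op_priv, serial):
    """PKI-server side of the CMPv2 initialization request: whitelist check,
    vendor chain check, then the ip message carrying the new operator certificate."""
    vendor_cert = ir["vendor_cert"]
    if esn_of(vendor_cert) not in esn_whitelist:
        return None, "ESN not in whitelist"
    ok, why = verify_chain(vendor_cert, [], vendor_roots, crl)
    if not ok:
        return None, why
    return issue(vendor_cert["subject"], ir["csr_pub"], op_root["subject"], op_priv, serial), "ok"

# ---- constructed demo data (factory stage, then operation stage) ----
huawei_pub, huawei_priv = keypair(mersenne(127), mersenne(107))
huawei_root = issue("Huawei Factory CA", huawei_pub, "Huawei Factory CA", huawei_priv, 1)
op_pub, op_priv = keypair(mersenne(89), mersenne(61))
op_root = issue("Operator CA", op_pub, "Operator CA", op_priv, 1)
dev_pub = {"n": mersenne(31) * mersenne(19), "e": E}   # public half only; the private key stays on the eNodeB
factory_cert = issue("2102ESN0001@huawei.com", dev_pub, "Huawei Factory CA", huawei_priv, 4711)
rogue_cert = issue("2102ESN0002@huawei.com", dev_pub, "Huawei Factory CA", huawei_priv, 4712)
stolen_cert = issue("2102ESN0003@huawei.com", dev_pub, "Huawei Factory CA", huawei_priv, 4713)
CRL = {("Huawei Factory CA", 4713)}          # the stolen unit's certificate was revoked
WHITELIST = {"2102ESN0001", "2102ESN0003"}   # ESNs the operator actually bought

def run_demo() -> dict:
    """Returns {case: (PKI server verdict, does the SeGW accept the operator cert?)}."""
    results = {}
    for case, cert in [("good", factory_cert), ("not-whitelisted", rogue_cert), ("revoked", stolen_cert)]:
        ir = {"vendor_cert": cert, "csr_pub": dev_pub}
        op_cert, why = operator_ca_ip(ir, [huawei_root], CRL, WHITELIST, op_root, op_priv, 100)
        # SeGW side: only the operator root is trusted, so the new cert must chain to it
        segw_ok = op_cert is not None and verify_chain(op_cert, [], [op_root], set())[0]
        results[case] = (why, segw_ok)
    return results

if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(case, verdict)
```

The three cases show why the root certificate alone is not enough: the rogue unit carries a perfectly valid Huawei factory certificate and is stopped only by the ESN whitelist, and the stolen unit is on the whitelist and is stopped only by the CRL. A real deployment replaces the toy RSA with X.509 parsing and a proper signature scheme, but the order of checks is the same.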


Equipment Security: Simple Firewall


The eNodeB provides a simple firewall function, including ACL packet filtering and interface security management.
ACL packet filtering
1. Objective: To prevent DoS attacks, or to let IPSec match packets and decide whether a packet should be protected by IPSec. The eNodeB supports ACL rule definitions that permit or deny the packets matching a rule.
2. 6-tuple rule: protocol type, destination IP address, source IP address, destination port, source port, and DSCP.
3. Actions: permit or deny.
4. Handling methods:
Whitelist: First an ACL rule denying all packets is configured; then the packets that are permitted to pass are specified for each data stream.
Blacklist: An ACL rule denying a data stream is configured for each data stream that needs to be denied. By default all packets are permitted, so there is no need to configure a rule that permits all packets.
For complete protection, the whitelist is the better choice. For the SON X2 self-setup function, the system automatically adds an ACL rule for the X2 interface.
Interface security management
This function consists of three parts:
1. Communication matrix: The support website publishes the open protocol ports (TCP/UDP) of each eNodeB version as the basis for port management.
2. Service port disabling: When no service is configured on a service port, a user can disable the port to reduce the attack surface.
3. Debug port or protocol port disabling: A user can disable the debug port, or a protocol port on the debug port, in particular the Telnet port (23) and the SSH port (22).


Self-Setup of ACL Packet Filtering over X2 Interface (New in eRAN2.1)


Some operators want all ingress and egress streams of the eNodeB to be controlled by a whitelist to improve system security. The default action is deny; only streams with a permit ACL rule are accepted by the system. The eNodeB interfaces are S1, X2, OM, clock, and cascade. Except for the X2 interface, all interfaces are statically configured, so a user can plan and configure their data in advance. The X2 interface is configured dynamically by ANR, so its ACL rules cannot be planned in advance. Therefore the X2 interface must support generation of ACL rules during ANR. To support this function, 3GPP extends the S1AP "eNB Configuration Transfer" and "MME Configuration Transfer" messages to carry the service IP address in addition to the signaling IP address. During the X2 self-setup process, the eNodeB sets up the ACL packet filtering rules after exchanging the address information.
X2 self-setup is described as follows:
1. The source eNodeB and destination eNodeB exchange IP address information (signaling IP and service IP) by means of the two messages "eNB Configuration Transfer" and "MME Configuration Transfer".
2. The source eNodeB sets up a signaling link to the destination eNodeB and configures ACL rules according to the source and destination IP addresses: {SCTP, source signaling IP, destination signaling IP} and {UDP, source service IP, destination service IP}.
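The whitelist mode and the X2 self-setup rules described above, as an added Python example that is not eNodeB code or part of the original course: a 6-tuple ACL with default deny, statically planned S1 rules, and the two rule pairs generated from the signaling and service addresses exchanged during ANR. The addresses, the S1AP/GTP-U ports on the S1 rules, and the mirrored ingress rules for X2 are my assumptions for the demo.

```python
"""ACL packet-filter model for the eNodeB whitelist mode and X2 self-setup.
Added example, not eNodeB code: the rule fields follow the 6-tuple on the page,
the addresses are constructed, and the mirrored ingress X2 rules are an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One 6-tuple ACL rule; a None field matches anything."""
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # "sctp", "udp", "tcp", ...
    src: Optional[str] = None       # CIDR or single address
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        for field in ("src", "dst"):
            want = getattr(self, field)
            if want is not None and ip_address(pkt[field]) not in ip_network(want, strict=False):
                return False
        for field in ("sport", "dport", "dscp"):
            want = getattr(self, field)
            if want is not None and pkt.get(field) != want:
                return False
        return True

class Acl:
    def __init__(self, default: str = "deny"):
        self.default = default      # whitelist mode: anything not explicitly permitted is dropped
        self.rules = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def decide(self, pkt: dict) -> str:
        """First matching rule wins; otherwise the ACL default applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default

    def add_x2_peer(self, local_sig, local_srv, peer_sig, peer_srv) -> None:
        """Rules generated at X2 self-setup from the addresses exchanged in
        eNB/MME Configuration Transfer: {SCTP, signaling IPs} and {UDP, service IPs}.
        Both directions are added (assumption) so the peer's ingress traffic passes too."""
        for proto, a, b in (("sctp", local_sig, peer_sig), ("udp", local_srv, peer_srv)):
            self.add(Rule("permit", proto, a, b))
            self.add(Rule("permit", proto, b, a))

def build_static_acl() -> Acl:
    """Statically planned whitelist for an eNodeB at 10.20.0.5 (constructed data):
    S1-C = SCTP port 36412 with the MME, S1-U = GTP-U UDP port 2152 with the S-GW pool."""
    acl = Acl(default="deny")
    acl.add(Rule("permit", "sctp", src="10.10.1.1", dst="10.20.0.5", dport=36412))
    acl.add(Rule("permit", "sctp", src="10.20.0.5", dst="10.10.1.1", sport=36412))
    acl.add(Rule("permit", "udp", src="10.10.2.0/24", dst="10.20.0.5", dport=2152))
    acl.add(Rule("permit", "udp", src="10.20.0.5", dst="10.10.2.0/24", sport=2152))
    return acl

# constructed sample packets as seen at the eNodeB (signaling IP 10.20.0.5, service IP 10.20.1.5)
PKT_S1C = {"proto": "sctp", "src": "10.10.1.1", "dst": "10.20.0.5", "sport": 36412, "dport": 36412}
PKT_X2 = {"proto": "sctp", "src": "10.20.0.9", "dst": "10.20.0.5", "sport": 36422, "dport": 36422}
PKT_X2U = {"proto": "udp", "src": "10.20.1.9", "dst": "10.20.1.5", "sport": 2152, "dport": 2152}
PKT_TELNET = {"proto": "tcp", "src": "192.0.2.77", "dst": "10.20.0.5", "sport": 40000, "dport": 23}

def run_demo() -> dict:
    acl = build_static_acl()
    before = {"s1c": acl.decide(PKT_S1C), "x2": acl.decide(PKT_X2), "telnet": acl.decide(PKT_TELNET)}
    # ANR discovers neighbour 10.20.0.9 and the two eNodeBs exchange signaling/service IPs
    acl.add_x2_peer(local_sig="10.20.0.5", local_srv="10.20.1.5", peer_sig="10.20.0.9", peer_srv="10.20.1.9")
    after = {"x2": acl.decide(PKT_X2), "x2u": acl.decide(PKT_X2U), "telnet": acl.decide(PKT_TELNET)}
    return {"before": before, "after": after}

if __name__ == "__main__":
    print(run_demo())
```

Before ANR runs, the X2 SCTP packet from the new neighbour is dropped by the default deny exactly as planned S1 traffic passes; after the address exchange the generated rules open only that peer's signaling and service addresses, and the stray Telnet connection attempt stays blocked in both cases.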


OMCH Security (Principles of SSL)


The SSL protocol was developed by Netscape and provides an encrypted and reliable connection between two computers. Its features are as follows:
1. Established over a reliable transport layer protocol (such as TCP).
2. Independent of the application layer protocol.
3. Negotiation of the encryption algorithms and the session key, and authentication of the server, are completed before the application layer protocol starts communicating.
4. The upper application layer protocols (such as HTTP, FTP, and Telnet) run transparently over SSL. All data transported by the application layer protocols is encrypted, ensuring communication confidentiality.

SSL provides three security services:

Confidentiality protection
After the handshake protocol finishes negotiation of the session key, all messages are encrypted for transmission.

Integrity protection
Maintains data integrity and ensures that data is not tampered with during transmission.

Authentication
Authenticates the client and the server so that each is sure that data is sent to the correct peer. Client authentication during a session is optional, but the server is always authenticated.


Principles of SSL (2)


SSL protocol stack:
Application layer protocol (HTTP, FTP, Telnet)
SSL: record protocol, carrying the handshake protocol, change cipher spec protocol, and alert protocol
TCP
IP
SSL application scenarios: OMCH, HTTPS, FTPS

SSL-based OMCH. Local (or remote) FTPS connection to upload or download files. Local (or remote) WebLMT sets up an HTTPS connection for operation and maintenance.

Security Configuration on eNodeB (1)


The transport-layer security configuration on eNodeB consists of IPSec configuration and packet filtering configuration.
1. IPSec configuration This configuration defines the data that requires IPSec, the authentication method, the data encryption algorithms, the key exchange methods, and the key encryption algorithms. The details are as follows:
ACLRULE defines an ACL rule, specifically the types of packets that require encryption protection.
ACL defines an ACL group. An ACL group contains one or more ACL rules.
IKECFG defines the eNodeB local parameters for IKE negotiation.
IKEPROPOSAL defines an IKE proposal, which contains the encryption and negotiation algorithms used at the IKE negotiation stage.
IKEPEER defines the parameters negotiated between the eNodeB and the peer at the IKE negotiation stage.
IPSECPROPOSAL defines the encapsulation mode, authentication algorithm, and encryption algorithm used at the IPSec stage.
IPSECPOLICY defines the protection policy for IP packets that match the ACL rules.
IPSECBIND binds the IPSec policy to physical ports.

2. Packet filtering configuration This configuration defines the ingress and egress permitted or denied by eNodeB. The details are as follows:
ACL and ACLRULE define the admission rules for packets.
PACKETFILTER binds an ACL to physical ports.


Security Configuration on eNodeB (2)


3. Configuration about digital certificates

This configuration defines the digital certificate used by IPSec for authentication.
Appcert defines the device certificate currently in use.
Trustcert defines the CA certificates trusted by the eNodeB.
Crosscert defines the CA certificate trusted by the CA server that issues device certificates to the eNodeB.
CRL defines the certificate revocation list.
CRLpolicy defines the CRL policy used by the eNodeB.
Certchktsk defines the certificate update method and policy.
Ca defines the configuration information of the CA server.
Certmk defines the device certificates that can be used by the eNodeB.
Certreq defines the parameters for generating a certificate request file.

For details, see the Transmission Security MOM Description.doc. The security configuration information of the TMO network is described in the attached file.


Security Configuration on the SeGW


The security configuration on the security gateway varies slightly for different vendors and is similar to the security configuration on the eNodeB described in the preceding pages. The security configuration on the security gateway defines the data that requires IPSec, the authentication method, the data encryption algorithms, the key exchange methods, and the key encryption algorithms. The attached file is about security configuration on the Symantec security gateway. The configuration commands vary substantially for different vendors. The attached file is for reference only.

DHCP server configuration


The security configuration on the DHCP server requires that option 43 contains the CA server information and the certificate path. For details, see the attached Requirement for the DHCP server.


Thank you
www.huawei.com
Copyright 2008 Huawei Technologies Co., Ltd. All Rights Reserved.
The information contained in this document is for reference purpose only, and is subject to change or withdrawal according to specific customer requirements and conditions.
