training doc_introduction to lte eran2.1 transmission solution-20110426-a-1.0

Upload: bala-chandran

Post on 14-Apr-2018


TRANSCRIPT

  • 7/30/2019 Training Doc_Introduction to LTE eRAN2.1 Transmission Solution-20110426-A-1.0

    1/61

    HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

    Security Level:

    www.huawei.com

    Introduction to LTE eRAN2.1 Transmission Solution

    Internal use


    Foreword

    This document describes the LTE eRAN2.1 transmission solution to help users better understand the principles of the LTE transmission network.

    eRAN2.1 is an enhanced version and has the following new features:

    Enhanced QoS: PIR/CIR.

    Enhanced security solution:

    1. Self-setup of ACL packet filtering over an X2 interface during ANR

    2. Security PnP

    3. CMPv2 certificate management


    References

    Transmission Security MOM Description

    Security Feature Parameter Description

    Principles and Practice of PKI

    Principles and Fundamentals of Digital Certificates and SSL

    Requirement for DHCP SERVER


    Training Objectives

    After completing this course, you should be able to:

    Understand the LTE eRAN2.1 transmission solution.

    Understand the networking solution for LTE eRAN2.1 transmission security.

    Know principles of transmission security.


    Contents

    1. LTE Transmission Network - Interfaces

    2. LTE Transmission Network - QoS

    3. LTE Transmission Network - Reliability

    4. LTE Transmission Network - Fault Detection

    5. LTE Transmission Network - Security


    Interfaces of the LTE Transmission Network

    An LTE network has two protocol interfaces: the S1 interface and the X2 interface.

    The LTE transmission data includes the following:

    Data over the S1 interface, including data of the S1 control plane (S1-C) and data of the S1 user plane (S1-U).

    Data over the X2 interface, including data of the X2 control plane (X2-C) and the X2 user plane (X2-U).

    OAM data.

    Clock synchronization data.

    Note: S11 interface is part of the core network and is not described in this course.

    [Figure: two eNodeBs connected by X2 (X2-C, X2-U); S1-C from the eNodeB to the MME and S1-U from the eNodeB to the S-GW; OAM; clock server; S11 between the MME and the S-GW]


    Contents

    1. LTE Transmission Network - Interfaces

    2. LTE Transmission Network - QoS

    3. LTE Transmission Network - Reliability

    4. LTE Transmission Network - Fault Detection

    5. LTE Transmission Network - Security


    LTE E2E QoS Solution

    1. QoS Mapping

    Traffic QoS: user plane (based on QCI, GBR, Non-GBR), signaling, IP clock, and OAM.

    IP layer: DSCP mapping, DiffServ.

    Data link layer: Ethernet QoS (IEEE 802.1P/Q).

    2. Traffic shaping

    Logical port shaping

    Physical port shaping

    [Figure: eNodeB - Ethernet - router - IP network (IP DiffServ) - router - MME/S-GW. The QCI is mapped to the VLAN priority at layer 2 and to the DSCP at layer 3. MPLS: Multi Protocol Label Switching; DSCP: Differentiated Services Code Point; CoS: Class of Service]

    A transport path is a pipe model. A pipe has bottlenecks prone to congestion. The end nodes should support traffic shaping to prevent the traffic data from being discarded at the congested places.

    [Figure: a pipe with several bottlenecks along it, with shaping applied at the end node]


    QoS Mapping

    QoS relevant concepts

    1. QCI: QCI is an important QoS concept introduced in LTE and defines the QoS class and important quality parameters, such as priority, packet delay budget, and packet error rate.

    2. DSCP and VLAN priority (P-bit): A concept about packet priority defined by a transmission network. DSCP is at the IP layer and VLAN priority is at the link layer.

    LTE QoS Mapping

    1. Mapping from the control plane, user plane, and OM to DSCP.

    2. Mapping from service at the user plane to QCI, where QCI is extensible.

    3. Mapping from QCI at the service plane to IPPATH (optional).

    4. Mapping from DSCP to VLAN priority.

    QCI | Resource Type | Priority | Packet Delay Budget | Packet Error Loss Rate | Example Services
    1 | GBR | 2 | 100 ms | 10^-2 | Conversational Voice
    2 | GBR | 4 | 150 ms | 10^-3 | Conversational Video (Live Streaming)
    3 | GBR | 3 | 50 ms | 10^-3 | Real Time Gaming
    4 | GBR | 5 | 300 ms | 10^-6 | Non-Conversational Video (Buffered Streaming)
    5 | Non-GBR | 1 | 100 ms | 10^-6 | IMS Signaling
    6 | Non-GBR | 6 | 300 ms | 10^-6 | Video (Buffered Streaming), TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
    7 | Non-GBR | 7 | 100 ms | 10^-3 | Voice, Video (Live Streaming), Interactive Gaming
    8 | Non-GBR | 8 | 300 ms | 10^-6 | Video (Buffered Streaming), TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
    9 | Non-GBR | 9 | 300 ms | 10^-6 | Same as QCI 8

    3GPP TS 23.203 defines nine QCIs and supports QCI extension. Beginning from eRAN2.1, Huawei supports extended QCI.


    QoS Mapping

    Mapping from service types and DSCPs to VLAN priorities.

    Service Type | DSCP (hex) | DSCP (dec) | MML Command to Configure DSCP | VLAN | VLAN Priority
    QCI1 (user plane, nine service types) | 0x2E | 46 | SET DIFPRI | USERDATA | 5
    QCI2 | 0x1A | 26 | SET DIFPRI | USERDATA | 3
    QCI3 | 0x22 | 34 | SET DIFPRI | USERDATA | 4
    QCI4 | 0x1A | 26 | SET DIFPRI | USERDATA | 3
    QCI5 | 0x2E | 46 | SET DIFPRI | USERDATA | 5
    QCI6 | 0x12 | 18 | SET DIFPRI | USERDATA | 2
    QCI7 | 0x12 | 18 | SET DIFPRI | USERDATA | 2
    QCI8 | 0x0A | 10 | SET DIFPRI | USERDATA | 1
    QCI9 | 0x00 | 0 | SET DIFPRI | USERDATA | 0
    SCTP | 0x2E | 46 | SET DIFPRI | SIG | 5
    OM: MML | 0x2E | 46 | SET DIFPRI | OM_H | 5
    OM: FTP | 0x0E | 14 | SET DIFPRI | OM_L | 1
    IP clock: 1588V2 | 0x2E | 46 | SET DIFPRI | USERDATA | 5
    IP clock: HW-DEFINED | 0x2E | 46 | SET DIFPRI | USERDATA | 5
    BFD | Manual configuration | - | ADD BFDSESSION | USERDATA | Depending on actual situation
    IKE | 0x30 | 48 | Built-in, unchangeable | USERDATA | 5
    IPPM | Manual configuration | - | ADD IPPMSESSION | USERDATA | Depending on actual situation
    Ping packet | 0x3F | 63 | PING | USERDATA | 7
    Ping (response packet) | 0x00 | 0 | No need to configure. The DSCP of the eNodeB response packets is the DSCP of the peer ping packet. By default, the DSCP of the ping command of the transmission network and core network is 0. | USERDATA | 0
    ARP | No DSCP value | - | No need to configure | OTHER | 5


    eNodeB Traffic Shaping and Scheduling

    The eNodeB GE/FE interfaces support two levels of shaping: physical port shaping and logical port shaping. Each logical port has eight queues.

    Two levels of queues are needed to differentiate operators, that is, to support eRAN sharing.

    The parameters of a logical port include the committed information rate (CIR), the peak information rate (PIR), and the scheduling weight.

    The logical ports share the bandwidth of the physical port.

    [Figure: eNodeB two-level shaping. Three logical interfaces, labelled eNode B1, eNode B2 and SGW/MME, each with queues EF, AF4, AF3, AF2, AF1 and BE feeding a level 2 shaper; an IP scheduler and the level 1 shaper on the GE/FE interface towards the IP/Ethernet transport network]


    PIR/CIR

    In versions earlier than eRAN2.1, the eNodeB supports the single-rate three-color marker algorithm, shortened as srTCM (CIR, CBS, and EBS), for traffic shaping, in compliance with RFC 2697.

    In eRAN2.1, the eNodeB supports the two-rate three-color marker algorithm, shortened as trTCM (CIR, CBS, PIR, PBS), in compliance with RFC 2698. PIR/CIR refers to the trTCM algorithm.

    The transport admission algorithm of the eNodeB is affected by this algorithm. The admission of GBR services is controlled by CIR, whereas the admission of non-GBR services is controlled by PIR. The purpose is to guarantee the quality of high-priority GBR services.

    The eNodeB supports two levels of traffic shaping, namely logical port shaping and physical port rate limiting. In eRAN2.1, logical ports support PIR/CIR.

    This function can be used in the eRAN sharing scenario. As illustrated by the following figure, the CIR traffic of different operators does not share the physical bandwidth, whereas the PIR traffic does.

    PIR: Peak Information Rate; CIR: Committed Information Rate; CBS: Committed Burst Size; EBS: Excess Burst Size; PBS: Peak Burst Size.

    [Figure: total bandwidth of the physical port divided into Operator A CIR and Operator B CIR, each reserved, with Operator A PIR and Operator B PIR overlapping in the remaining shared bandwidth]
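    The following Python is an added illustration of the trTCM marker and the CIR/PIR admission rule described on this slide; it is not code from the training document or from Huawei's eNodeB. The rates, burst sizes, packet trace and bearer requests are constructed values.

```python
"""Two-rate three-colour marker (RFC 2698) and the CIR/PIR admission rule.

Added illustration of the eRAN2.1 PIR/CIR slide; not Huawei code. Rates are
in bytes per second for the marker and in Mbit/s for the admission check;
all values below are constructed.
"""

GREEN, YELLOW, RED = "green", "yellow", "red"


class TrTCM:
    """Colour-blind trTCM: a committed bucket (CIR, CBS) and a peak bucket (PIR, PBS)."""

    def __init__(self, cir, cbs, pir, pbs):
        if pir < cir:
            raise ValueError("RFC 2698 requires PIR >= CIR")
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.tc = float(cbs)   # tokens in the committed bucket, starts full
        self.tp = float(pbs)   # tokens in the peak bucket, starts full
        self.last = 0.0        # time of the previous refill

    def _refill(self, now):
        # Both buckets fill continuously at their own rate, capped at their burst size.
        dt = now - self.last
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        self.last = now

    def mark(self, size, now):
        """Mark a packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tp < size:          # above PIR: red (discarded at a bottleneck)
            return RED
        if self.tc < size:          # within PIR but above CIR: yellow
            self.tp -= size
            return YELLOW
        self.tp -= size             # within CIR: green, consumes both buckets
        self.tc -= size
        return GREEN


class LogicalPort:
    """Transport admission for one logical port (one operator in eRAN sharing)."""

    def __init__(self, cir_mbps, pir_mbps):
        self.cir, self.pir = cir_mbps, pir_mbps
        self.gbr_used = 0.0     # admitted GBR bandwidth
        self.total_used = 0.0   # admitted GBR + non-GBR bandwidth

    def admit(self, rate_mbps, gbr):
        """GBR bearers are admitted against CIR, non-GBR bearers against PIR."""
        if self.total_used + rate_mbps > self.pir:
            return False
        if gbr:
            if self.gbr_used + rate_mbps > self.cir:
                return False
            self.gbr_used += rate_mbps
        self.total_used += rate_mbps
        return True


def cir_fits_physical_port(total_mbps, ports):
    """CIRs of all operators are reserved and must fit the physical port; PIRs may oversubscribe it."""
    return sum(p.cir for p in ports) <= total_mbps


def marker_sample():
    """Constructed trace of (arrival time s, size bytes) through a 1000 B/s / 2000 B/s marker."""
    m = TrTCM(cir=1000, cbs=1000, pir=2000, pbs=2000)
    trace = [(0.0, 500), (0.0, 600), (0.0, 1000), (1.0, 1000)]
    return [m.mark(size, t) for t, size in trace]


def admission_sample():
    """Constructed bearer requests on a port with CIR 10 Mbit/s and PIR 30 Mbit/s."""
    port = LogicalPort(cir_mbps=10, pir_mbps=30)
    requests = [(6, True), (6, True), (20, False), (5, False), (3, True)]
    return [port.admit(rate, gbr) for rate, gbr in requests]


if __name__ == "__main__":
    print(marker_sample())      # ['green', 'yellow', 'red', 'green']
    print(admission_sample())   # [True, False, True, False, True]
    a, b = LogicalPort(10, 30), LogicalPort(15, 30)
    print(cir_fits_physical_port(30, [a, b]))  # True: CIRs sum to 25 <= 30, PIRs oversubscribe
```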


    Contents

    1. LTE Transmission Network - Interfaces

    2. LTE Transmission Network - QoS

    3. LTE Transmission Network - Reliability

    4. LTE Transmission Network - Fault Detection

    5. LTE Transmission Network - Security


    Reliability

    [Figure: end-to-end redundancy over the S1 interface between the eNodeB and the S-GW/MME. At each end: traffic flow protection for the control plane, user plane, OAM data and clock data, plus port redundancy and board redundancy. Through the backhaul transport network: a work path and a protection path, with segment-by-segment redundancy at the transport, network, data link and PHY layers. Also shown: OAM backup and an optional clock server]

    Redundancy: The eNodeB and the backhaul network provide different redundancy solutions for the backhaul design. This inevitably includes port redundancy and board redundancy. The main reliability solution of eRAN2.1 is port (channel) redundancy. The board redundancy is LMPT cold standby.


    Overview of the Reliability Solution

    [Figure: eNodeBs connected over GE to a switch/router and an IP/MPLS network towards the S-GW/MME, with an Ethernet trunk, route backup (active route + backup route), and S1-flex between the E-UTRAN and the S-GW pool and MME pool. BFD - Bidirectional Forwarding Detection; ARP - Address Resolution Protocol]

    1. Reliability solution: S1-flex, channel backup (3 s), IP route backup, and Ethernet link aggregation.

    2. Fault detection mechanisms: BFD (100 ms), Ethernet OAM (100 ms).


    Summary of the Reliability Functions

    Protocol Layer | Redundancy Mechanism (Transmission Reliability) | Protected Object | Maintenance Mechanism (Transmission Maintenance and Detection) | Time
    Application Layer | OM channel backup | OM channels | OM handshake protocol | Proprietary handshake protocol: 35 s
    Transport Layer | SCTP multi-homing | S1/X2 channels | SCTP protocol detection | Heartbeat check and retransmission check; handover can be finished in 5 s by parameter settings
    Transport Layer | | | BFD detection | 100 ms; parameters are configurable
    Network Layer | IP route backup | Routes, links | BFD detection | 100 ms; parameters are configurable
    Network Layer | | | Physical port detection | ms
    Data Link Layer | Ethernet port trunk | Links, Ethernet ports | IEEE 802.3ah detection | 3 s
    Data Link Layer | | | IEEE 802.1ag detection | 1 s
    Physical Layer | None | None | Physical port detection | ms


    OMCH Backup

    1. The OMCH backup function is used only in the scenario of M2000 remote HA.

    2. The OMCH backup function is used when the OM channel passes over Ethernet. The eNodeB configures two different OM IP addresses for the active and standby OM channels, and the M2000 configures the same or different IP addresses.

    3. The OMCH backup function uses two physical ports for higher reliability. Preferably, the active and standby OM IP addresses are in different network segments. In this way, the OMCHs are over different routes, providing higher reliability at higher cost.

    4. When the active OMCH is down, the M2000 automatically delivers a switchover command and, upon receipt of the command, the eNodeB switches to the standby OMCH. When the active OMCH is down, the active/standby switchover takes a minimum of six minutes. The following figure illustrates the OMCH backup function.


    SCTP Multi-Homing

    Each end of an SCTP link binds N IP addresses for redundancy, where N is greater than 2.

    Two IP addresses are configured for SCTP dual-homing, the first of which is the primary IP address and the second is the standby IP address. The two routes of the dual homing are active and standby.

    An SCTP link is established on boards and no port is specified.

    The two IP addresses can be on the same interface or on different interfaces of the same board. It is recommended to use the same interface for the two IP addresses.

    This function needs to negotiate and work with the core network. Therefore this function is not actively recommended to customers.

    This function does not support cross-route.

    An SCTP link is identified by four parameters: local IP, local SCTP port number, peer IP, and peer SCTP port number.

    The difference between SCTP multi-homing and OMCH backup is as follows: In SCTP multi-homing, the slave path automatically switches back to the master path when the master path is recovered; in OMCH backup, the M2000 switches to the active OMCH after it detects that the standby OMCH is down.


    IP Route Backup

    IP route backup means that multiple routes are configured for the same destination. The route of the highest priority is the primary route and other routes of lower priority are backup routes. The physical connection of each route is different. When the primary route is faulty, the eNodeB performs an active/standby switchover and selects a backup route to avoid service interruption. When the primary link is recovered, the eNodeB automatically switches back to the primary route.

    //Add IP address of Ethernet port 0
    ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=0,IP="11.11.11.11",MASK="255.255.255.0";
    //Add IP address of Ethernet port 1
    ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=1,IP="12.12.12.12",MASK="255.255.255.0";
    //Add master IP route (Route backup is used between the eNodeB and SeGW.) The lower PREF value gives the route the higher priority.
    ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="11.11.11.10",PREF=50,DESCRI="Master IP Route";
    //Add slave IP route (same destination, different next hop, lower priority)
    ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="12.12.12.10",PREF=60,DESCRI="Slave IP Route";

    The eNodeB needs to provide two DEVIPs that are in different network segments. (With only one DEVIP, route backup cannot be configured.)


    Ethernet Link Aggregation

    Ethernet link aggregation means that multiple physical ports aggregate into one logical path to increase the bandwidth between switches and eNodeBs and to provide more bandwidth, more throughput, and higher network capacity.

    This function requires that the peer transport device also supports this function, which ordinary routers do.

    Trunk No. is the unique number of the aggregation group.

    Port priority: The lower the value, the higher the priority.


    Contents

    1. LTE Transmission Network - Interfaces

    2. LTE Transmission Network - QoS

    3. LTE Transmission Network - Reliability

    4. LTE Transmission Network - Fault Detection

    5. LTE Transmission Network - Security


    Link Fault Detection

    Network management quality: QoS monitoring, fault detection, fault location and quick recovery.

    [Figure: eNodeB, transport devices and S-GW/MME connected over GE/FE and the transport network. Two maintenance scenarios: end-to-end maintenance (S1 interface, X2 interface) and segment-by-segment maintenance]


    Maintainability Solution

    Access link maintenance: IEEE 802.3ah

    Connectivity maintenance: IEEE 802.1ag

    Application layer maintenance: BFD, IPPM, and IPPATH check

    [Figure: 802.3ah on the access link, single-hop BFD and multi-hop BFD, IPPM and performance counters across the IP core, and 802.1ag end to end]


    IPPATH Check

    It is recommended to disable this function in ordinary situations.


    IP Performance Monitoring (1)

    Function: IP performance monitoring (IP PM) monitors the transport quality between the eNodeB and the S-GW and checks the transport performance parameters, including the number of packets sent and received, packet loss rate, one-way delay variation, and round-trip delay variation.

    Strength: Provides transport KPIs and works with dynamic transport flow control to avoid the impact of dynamic transport bandwidth variation on QoS.

    Weakness: The more IP PM sessions are activated, the more accurately congestion is determined and the more resources are consumed.

    Requirement for the devices: IPPM is Huawei proprietary and requires support from the eNodeB and the core network. IPPM requires that the DSCP value of the transmission network is the same as that of the eNodeB and core network and cannot be changed. Otherwise, activating IPPM fails.

    Applicable scenario: IP PM is recommended in the scenario where the core network consists of Huawei equipment, particularly if the IP transmission has to pass over poor-quality ADSL lines that have a high packet loss rate, unstable line rates, or large bandwidth variation.


    IP Performance Monitoring (2)

    External congestion check: IP PM checks in real time the packet loss of a user data path, calculates the packet loss rate of the path, and dynamically adjusts the logical port bandwidth for dynamic admission control of the transport bandwidth and flow control, avoiding packet loss caused by congestion of the transmission network.

    This figure shows adaptive flow control based on IP PM. The dotted lines indicate bandwidth variation of the IP/Ethernet transmission network. The IP PM between the S-GW/MME and the eNodeB checks the variation of the transmission network performance, including delay, jitter, and packet loss rate, and estimates the minimum end-to-end available transmission bandwidth. The eNodeB sends the available bandwidth information to the flow control module, which adjusts the data flow into the transmission network to reduce the packet loss rate and to increase the bandwidth utilization of the transmission network.

    To enable bidirectional link check, set up a PM session in the A > B direction and a PM session in the B > A direction.

    [Figure: MME/S-GW to eNodeB across a transmission network with a maximum bandwidth of 100 Mbps and a 30 Mbps bottleneck; on a bandwidth change: 1. detect, 2. calculate, 3. transport dynamic flow control]


    Bidirectional Forwarding Detection (BFD)

    Function: Fast fault detection of any type of channel. Detects the connectivity of the same path (physical or logical links) between two systems. Used by all protocols at layer two or higher layers. The eNodeB implements BFD over UDP.

    Strength: Fault detection for IP routes. Quick detection in 100 ms.

    Requirement on the device: At present the eNodeB supports BFD version 1; the peer device should also support BFD version 1. If the peer device does not support BFD version 1, this function cannot be used.

    Both ends start BFD simultaneously. The detection duration of both ends should be consistent.

    Recommended scenarios

    Segment-by-segment BFD (SBFD): Used in point-to-point detection of network faults, applicable to detection of a direct connection between two points of the same network segment.

    Multi-hop BFD (MBFD): Used in end-to-end detection of network faults, applicable to two ends that have multiple routing nodes in between.


    Segment-by-Segment BFD and Multi-Hop BFD

    SBFD: Used in fault detection between an eNodeB and a transmission device at L3, or between an S-GW/MME and a transmission device. Used to locate a fault or to trigger switchover of protection paths between an eNodeB and a transmission device, or between an S-GW/MME and a transmission device. SBFD does not traverse an L3 transmission device.

    MBFD: Used for detection between eNodeBs, between an eNodeB and an S-GW, and between an eNodeB and a remote transmission device. Used to locate a fault or to trigger switchover of protection paths between two ends to ensure network reliability.


    BFD

    +++ HUAWEI 2010-07-08 15:37:15 O&M #62147
    %%ADD BFDSESSION: SN=7, BFDSN=0, SRCIP=10.141.225.226, DSTIP=10.69.23.24, HT=MULTI_HOP;%%
    RETCODE = 0 Operation succeeded


    IEEE802.3ah and IEEE802.1ag

    Ethernet OAM is implemented by two protocols. IEEE 802.1ag highlights end-to-end Ethernet link OAM and IEEE 802.3ah highlights segment-by-segment Ethernet OAM (concerning the user side only and not the network side). The two work together to provide a complete Ethernet OAM solution.

    The following figure shows the position of the Ethernet OAM.


    IEEE802.3ah and IEEE802.1ag

    IEEE 802.3ah

    Link performance monitoring

    Fault detection

    Loopback test

    Strength: Highlights segment-by-segment Ethernet fault monitoring (concerning only the user side, not the network side).

    The peer equipment needs to support IEEE 802.3ah.

    IEEE 802.1ag

    Connectivity check

    Loopback test

    Link follow-up (link trace) test

    Strength: Highlights end-to-end Ethernet link fault monitoring.

    The transmission equipment needs to support IEEE 802.1ag.


    Contents

    1. LTE Transmission Network - Interfaces

    2. LTE Transmission Network - QoS

    3. LTE Transmission Network - Reliability

    4. LTE Transmission Network - Fault Detection

    5. LTE Transmission Network - Security



    eNodeB Security Architecture

    The security architecture contains three parts:

    1. Security threats: Potentially existing damage that may affect normal system running.

    2. Security measures: Methods to protect system security.

    3. Security system: The target protected by the security measures; here it refers to the eNodeB. A security system contains the radio plane, transmission plane, equipment plane, and OAM plane.

    No. | Threatened Object | Threat Type | Security System
    1 | eNodeB | Stealing eNodeB hardware; obtaining important information from the eNodeB; loading invalid versions or illegally controlling the eNodeB; DoS (Denial of Service) attack | Equipment security
    2 | Uu interface | Eavesdropping on Uu interface signals to obtain important user information; mimicking Uu interface signaling to forge user access | Radio security
    3 | S1 interface | Eavesdropping on data from the transmission network to obtain important user information; intercepting data on the transmission network to tamper with the data | Transmission security
    4 | X2 interface | The same as the S1 interface | Transmission security
    5 | OM interface | Intercepting important information sent by the eNodeB and transferred over the OM interface; deleting or stealing important data from the eNodeB; logging in to, controlling, and operating the eNodeB illegally | OAM security
    6 | Clock server | Attack on the eNodeB from an illegal clock source | OAM security

    Five security threat types are defined. See Remark.


    Security Measures

    This course describes transmission security.

    [Figure: security system and security measures, grouped by transmission security policy]

    Certificate management: PnP; PKI/CMPv2

    Transmission security: 1. IPsec; 2. 802.1x

    Equipment security (simple firewall function): 1. ACL; 2. Interface security management

    OM security (OM channel security): 1. SSL

    Tailored to the security threats, ITU-T X.805 identifies and defines eight security measures:

    1. Access control: Prevents equipment from being illegally used and allows only authorized users to access the protected content (equipment, information, services). For example, only authorized users can gain access to the eNodeB through the OM interface.

    2. Authentication: Authenticates the identity of a communication entity and allows only entities with a valid identity to set up communications.

    3. Non-repudiation: Prevents an entity from denying an operation, by means of evidence (such as operation logs). For example, an operation log records each operation on the eNodeB.

    4. Data confidentiality: Uses encryption to prevent data from being disclosed.

    5. Communications security: Information is transmitted only between authenticated entities, to prevent disclosure or falsification of the data during communications.

    6. Data integrity: Ensures data correctness, prevents illegal change, deletion, generation, or replication of data, and identifies unauthorized operations.

    7. Availability: Ensures that the system works and that services are not interrupted as a result of an illegal operation.

    8. Privacy: Protects keys, identity information, and equipment or network activity information, such as log information.


    Transmission Security Mechanism

    [Figure: the eNodeB in the access network and the SeGW at the edge of the core network, with the M2000, SAE, IPCLK, CRL server, PKI system with its CA, and RADIUS server behind it. 802.1X and IPSec are marked on the path between the eNodeB and the core network]

    The eNodeB uses 802.1x (EAP-TLS)-based authentication access control and IPSec to ensure transmission security.

    1. The 802.1X-based authentication access control ensures that the eNodeB gains access to the transmission network by the legal process.

    2. IPSec provides the security mechanism for the eNodeB in the all-IP scenario to ensure transmission confidentiality, integrity, authentication, and replay resistance.

    802.1X and IPSec provide transmission security protection at different layers. A user can use them together or separately.



    802.1x Access Authentication

    The MAC address of the eNodeB is authenticated to prevent unauthorized equipment from gaining access to the transmission network.

    The 802.1x access control sends the digital certificate of the eNodeB to the RADIUS server over EAPoL; the RADIUS server authenticates the eNodeB identity by using the Huawei CA root certificates configured on the server.


    Principles of IPSec (1/3)

    IPSec is an open standards framework. The IPSec protocol suite includes ESP/AH, IKE, DPD, and encryption algorithms.

    1. Security protocols
    AH (authentication header) provides a data integrity check. AH is applicable for transmitting non-confidential data.
    ESP (encapsulating security payload) provides a data integrity check and encryption. ESP is applicable for transmitting confidential data.

    2. Packet encapsulation methods
    Transport mode: Protects the payload and upper-layer protocols of the IP data packets. In transport mode, the IPSec header (AH and/or ESP) is inserted after the IP header and before the upper-layer protocols.
    Tunnel mode: Protects the original IP data packets. In tunnel mode, the original IP data packet is encapsulated into a new IP data packet; the IPSec header (AH and/or ESP) is inserted between the new IP header and the original IP header. The original IP header is protected by IPSec as part of the payload.


    Principles of IPSec (2/3)

    [Figure: packet formats for the different encapsulation modes.
    AH packet, transport mode: IP Header | AH Header | TCP/UDP | Data. AH authentication covers the whole packet (mutable IP header fields excepted).
    AH packet, tunnel mode: New Header | AH Header | IP Header | TCP/UDP | Data. AH authentication covers the whole packet (mutable fields of the new header excepted).
    ESP packet, transport mode: IP Header | ESP Header | TCP/UDP | Data | ESP Tail | ESP Auth. ESP encryption covers TCP/UDP, Data and ESP Tail; ESP authentication covers ESP Header through ESP Tail.
    ESP packet, tunnel mode: New Header | ESP Header | IP Header | TCP/UDP | Data | ESP Tail | ESP Auth, with the same encryption and authentication ranges; the original IP header now lies inside both ranges.
    Packet using both protocols, transport mode: IP Header | AH Header | ESP Header | TCP/UDP | Data | ESP Tail | ESP Auth.
    Packet using both protocols, tunnel mode: New Header | AH Header | ESP Header | IP Header | TCP/UDP | Data | ESP Tail | ESP Auth.]


    Principles of IPSec (3/3)

    3. Integrity check
    A hash function accepts a message of any length and generates a message digest of fixed length. The two communicating entities calculate and compare the digest to determine whether the packets are complete and have not been tampered with. Supported algorithms: MD5, SHA-1.

    4. Data encryption
    An encryption algorithm uses symmetric cryptography to encrypt and decrypt data.
    NULL: Null encryption algorithm; IP packets are not encrypted.
    DES (Data Encryption Standard): Uses a 56-bit key to encrypt a 64-bit plaintext block.
    3DES: Uses three 56-bit DES keys (totaling 168 bits) to encrypt plaintext.
    AES (Advanced Encryption Standard): AES has three key lengths: 128 bits, 192 bits, and 256 bits. The longer the key, the higher the security and the slower the calculation.

    5. IKE (Internet Key Exchange)
    IKE is used for key negotiation, identity authentication, and IPSec SA negotiation.

    6. Key exchange algorithm
    In IKE, the two communicating entities calculate the shared key through a series of data exchanges without transferring the key itself. Even a third party that intercepts all the exchanged data cannot calculate the key. The core technologies are the DH (Diffie-Hellman) algorithm and pseudorandom functions.

    7. Authentication
    Pre-shared key (PSK)
    Digital certificate (PKI)

    8. ACL
    ACL refers to access control list. The IPSec filter matches the ACL configured by the user against the 5-tuple of the data stream to identify which packets need encryption.
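    The following Python model is an added example and is not code from the training deck or from the eNodeB software. It ties together the mechanisms just listed: a Diffie-Hellman exchange in which only public values cross the network, a pseudorandom function (HMAC-SHA256) that derives separate integrity and encryption keys from the shared secret, and ESP-style transport-mode protection with an integrity check value, encryption, and an anti-replay sequence number. The DH group (2^255 - 19, generator 2), the HMAC-based keystream and the SPI/SEQ/ciphertext/ICV record layout are assumptions made for this illustration; real IKE and ESP use standardized MODP groups, AES or 3DES, and RFC 4303 framing.

```python
"""Added example, not from the training deck: a simplified model of the IKE/IPSec
mechanisms listed above (DH key agreement, PRF-based key derivation, and ESP-style
protection with integrity check, encryption and anti-replay). The DH group, the
keystream cipher and the record layout are assumptions made for this illustration;
real IKE/ESP use standardized MODP groups, AES/3DES and RFC 4303 framing."""
import hashlib
import hmac
import secrets
import struct

# Assumption: toy DH group. 2**255 - 19 is prime; g = 2. Real IKE uses MODP groups.
DH_P = 2**255 - 19
DH_G = 2
ICV_LEN = 16          # truncated HMAC-SHA256 as the integrity check value


def dh_keypair():
    """One side's (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(DH_P - 2) + 1
    return x, pow(DH_G, x, DH_P)


def dh_shared_secret(own_private, peer_public):
    """g^(xy) mod p: computed locally by both sides, never transmitted."""
    return pow(peer_public, own_private, DH_P)


def prf(key, data):
    """HMAC-SHA256 as the pseudorandom function."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keys(shared_secret):
    """Turn the DH secret into separate integrity and encryption keys."""
    s = shared_secret.to_bytes(32, "big")
    return {"auth": prf(s, b"esp-integrity"), "enc": prf(s, b"esp-encryption")}


def keystream(enc_key, seq, length):
    """Counter-style keystream from the PRF; stand-in for a block cipher mode."""
    out = b""
    block = 0
    while len(out) < length:
        out += prf(enc_key, struct.pack(">II", seq, block))
        block += 1
    return out[:length]


def esp_protect(keys, spi, seq, payload):
    """Build SPI | SEQ | ciphertext | ICV. The ICV covers header and ciphertext,
    so tampering with either is detected before anything is decrypted."""
    header = struct.pack(">II", spi, seq)
    ks = keystream(keys["enc"], seq, len(payload))
    ciphertext = bytes(a ^ b for a, b in zip(payload, ks))
    icv = prf(keys["auth"], header + ciphertext)[:ICV_LEN]
    return header + ciphertext + icv


class EspReceiver:
    """Receiver side: verify ICV, reject replays, then decrypt."""

    def __init__(self, keys, spi):
        self.keys, self.spi = keys, spi
        self.highest_seq = 0          # simplest anti-replay rule: strictly increasing

    def open(self, record):
        if len(record) < 8 + ICV_LEN:
            raise ValueError("record too short")
        header, body, icv = record[:8], record[8:-ICV_LEN], record[-ICV_LEN:]
        expected = prf(self.keys["auth"], header + body)[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.highest_seq:
            raise ValueError("replayed packet")
        self.highest_seq = seq
        ks = keystream(self.keys["enc"], seq, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))


def demo():
    """eNodeB and SeGW agree keys, protect one packet, then reject a tampered copy
    and a replayed copy. Returns the outcomes for inspection."""
    enb_priv, enb_pub = dh_keypair()
    segw_priv, segw_pub = dh_keypair()
    enb_keys = derive_keys(dh_shared_secret(enb_priv, segw_pub))    # only public values crossed
    segw_keys = derive_keys(dh_shared_secret(segw_priv, enb_pub))
    results = {"keys_match": enb_keys == segw_keys}
    rx = EspReceiver(segw_keys, spi=0x1000)
    record = esp_protect(enb_keys, 0x1000, 1, b"S1-AP payload (constructed)")
    results["plaintext"] = rx.open(record)
    tampered = bytearray(record)
    tampered[12] ^= 0x01                      # flip one ciphertext bit
    try:
        rx.open(bytes(tampered))
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    try:
        rx.open(record)                       # same record delivered again
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    return results
```

    The order of checks in `EspReceiver.open` is the point worth noticing: the integrity check runs first, so a forged or corrupted record is dropped before the sequence number or the ciphertext is acted on, and the replay check runs before decryption, so a replayed copy costs the receiver nothing but one HMAC.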


    IPSec Application Scenarios

    Scenario 1: An IPSec tunnel is set up between the eNodeB and the SeGW. The S1 data stream, X2 data stream, and OAM data stream are protected by the IPSec tunnel (main scenario).

    Scenario 2: An IPSec tunnel is set up between eNodeB X2 interfaces.

    Scenario 3: An IPSec tunnel is set up between the S1 interfaces of the eNodeB and the MME/S-GW.

    [Figure: typical IPSec networking. Access network (non-security zone): eNodeBs. Core network (security zone): SeGW, M2000, SAE, IPCLK, CRL server, PKI system (CA). The S1, X2, OAM and SYN streams pass through the SeGW; redundancy with two SeGWs; centralized and distributed SeGW deployment variants.]

    The IPSec networking needs to consider three factors: security domain, protected stream, and configuration mode (see Remarks).


    Intelligent PNP Process: eNodeB Security Startup with Digital Certificates

    [Figure: eNodeB, SeGW, public DHCP server, RADIUS server, M2000, CRL server and PKI system (CA). Steps: 1. VLAN scanning; 2. DHCP with the public DHCP server; 3. Authentication with the PKI server; 4. IPSec tunnel setup; 5. OM channel setup; 6. Download of configuration and software.]

    Prerequisites for eNodeB security startup with intelligent PnP:

    1. The transmission network has deployed a public DHCP server. The PnP configuration information and DHCP option 43 are defined.
    2. The eNodeB is preset with a factory certificate.
    3. The PKI server is preset with the Huawei root certificate, ESN list, and CRL, which can be obtained from the web portal. The ESN list is a whitelist.
    4. The SeGW is preset with the operator's root certificate.
    5. The 802.1X authentication server (RADIUS server) is preset with the Huawei root certificate.

    The PnP process has six steps (for details, see Remark):

    1. Automatic access process: 802.1X authentication and VLAN learning.
    2. DHCP process: Obtaining a temporary IP address via DHCP, the SeGW IP address, the PKI server IP address, and the M2000 IP address.
    3. PKI authentication.
    4. IPSec tunnel setup.
    5. OMCH setup.
    6. Downloading the configuration and software. After the restart, the PnP process is finished.

    Note: If one of the above steps fails, the system starts the PnP process again, until the PnP process is finished.


    All-Process Certificate Management Solution

    To support the certificate-based transmission security mechanism, Huawei provides an all-process certificate management solution. The core of this solution is PKI. This solution consists of two stages: the factory stage and the operation stage.

    PKI mechanism:
    PKI (Public Key Infrastructure) uses asymmetric cryptography to provide information security services and is the basis and core of current network security construction. PKI is in wide use.
    PKI uses usernames, passwords, and symmetric keys to provide a secure and standard key management infrastructure. The core technology of PKI is digital certificate (public key) management, including issuance, delivery, update, and revocation of certificates.

    Certificate management
    Factory stage: The factory CA issues the factory device certificate; the eNodeB is preset with the device certificate and the Huawei root certificate; the root certificates, CRL, and ESN list are published on the web portal.
    Operation stage: Includes eNodeB installation, eNodeB security self-startup with intelligent PnP, and automatic eNodeB certificate management with the all-process certificate management process.


    Principle 1 - Symmetric Cryptography

    [Figure: User A encrypts plaintext into ciphertext with the shared key; the key is allocated to User B, who decrypts the ciphertext back into plaintext with the same key.]

    Encryption and decryption use the same key.

    The sender and receiver should agree upon a key before secure communication.

    Security depends on the confidentiality of the key. Disclosure of the key means that the encryption is no longer secure.


    Principle 2 - Asymmetric Cryptography

    Also known as public key encryption.

    Encryption and decryption use different keys.

    The encryption key can be open and is called the public key. The decryption key must be secret and is called the private key.

    The private key is used for signing and the public key for authentication (verifying the signature).

    [Figure: User A obtains the public key of B and encrypts plaintext into ciphertext with it; User B decrypts the ciphertext back into plaintext with the private key of B.]


    Principle 3 - Digital Certificates

    A digital certificate is an electronic ID card containing an entity's identity and associated public key information.

    This electronic ID card must be issued by a trusted authority.

    [Figure: certificate signing. The CA calculates a message digest of the certificate content and calculates the digital signature over it with the CA's private key; the result is the CA's digital signature on the certificate.]


    Principle 4 - Certificate Revocation List (CRL)

    [Figure: CRL structure.
    tbsCertList: version, signature, issuer, thisUpdate, nextUpdate, revokedCertificates (each entry: userCertificate, revocationDate, crlEntryExtensions), crlExtensions
    signatureAlgorithm
    signatureValue]

    For some reasons, a digital certificate needs to be revoked before its validity period expires. The revoked certificates are uniformly saved in the CRL (blacklist).


    Principle 5 - PKI

    PKI refers to public key infrastructure.

    The PKI implementation is based on asymmetric cryptography algorithms and technologies. PKI is the basis and core of current network security construction.

    Established over a group of standard and interoperable PKI protocols.

    Uses digital certificates compliant with ITU-T X.509, manages the public keys of asymmetric cryptography, and binds the public key of an entity with other identity information (which for a device can be the device name, home country, province, city, specific location, or unique ID).

    A trusted CA (certificate authority) signs the public key and identity information of a user, generating a digital certificate.

    Manages the life cycle of digital certificates.

    PKI architecture:

    CA: The CA issues, updates, revokes, and authenticates digital certificates. The CA is the core executive part of PKI.

    RA: The RA is the registration and approval body for digital certificates. The RA is a CA's window for users.

    CR/CRL: The CR/CRL stores the digital certificates or CRL. It exists as an FTP server, web server, or LDAP server.


    Life cycle of a digital certificate

    [Figure: life cycle of a digital certificate between entity, RA and CA: 1. certificate request; 2. certification authorization; 3. certificate delivery; 4. certificate cancellation; 5. certificate expiry. PKI system: root CA, middle CAs, ultimate users, CR/CRL server.]

    CA hierarchy

    A parent CA can have child CAs, thereby establishing a CA hierarchy. Any CA can issue certificates adapted to its authority.

    A three-layer CA hierarchy can satisfy the requirements of most operators.

    There is no limit to the depth of the CA hierarchy. A customer can choose an appropriate depth according to the actual situation.


    Certificate

    Assume that A authenticates B's certificate. B's certificate specifies the CA that issued it. Move up the CA hierarchy until the root certificate is reached; this path forms a certificate chain. The authentication process is described as follows: Moving in the reverse direction, starting from the root certificate, each node authenticates the certificate of the next node until B is reached. The root certificate is self-signed and uses its own public key for authentication.

    If all the signatures pass authentication, A determines that all certificates are correct. If A trusts the root CA, A can trust B's certificate and public key.

    [Figure: extract the root CA's public key and verify the root CA signature; extract CA1's public key and verify CA1's signature; extract CA2's public key and verify CA2's signature.]


    Deploying PKI on eNodeB

    [Figure: network element (holding root certificate, device certificate and CRL), CRL server, PKI system (CA), and certificate management between them.]

    The core of the PKI mechanism is certificates. PKI includes the network elements that use certificates, the PKI servers (CA and CRL servers) that manage the certificates, and certificate management between NEs and PKI servers.

    NEs: NEs that use certificates include the eNodeB and SeGW. Three files are built in: device certificate, root certificate, and CRL.

    PKI servers: PKI servers manage certificates and include the CA server and the CRL server.

    The certificate management protocol between the CA and the eNodeB is CMPV2.


    Certificate Verification in the LTE

    [Figure: (a) the SeGW/CA verifies the eNodeB device certificate with the root certificate; (b) the SeGW/CA verifies the eNodeB device certificate with the root certificate plus a whitelist.]

    A CA root certificate can verify the validity of a device certificate issued by that CA. For example, when the SeGW authenticates an eNodeB, the root certificate of the eNodeB device certificate is preset on the SeGW. During authentication, the eNodeB sends the device certificate to the SeGW, which uses the preset root certificate to verify the validity of the device certificate.

    Verification of device certificates by the root certificate ensures that the device certificate was issued by the root certificate's CA. The Huawei CA root certificate can verify that an eNodeB is a valid Huawei device. To strengthen the authentication, a whitelist is used. With the whitelist, the eNodeB ESN contained in the device certificate is compared with the preset ESN list. Only a Huawei eNodeB with a specific ESN is valid.


    Certificate Management

    Factory stage: At the factory stage, an eNodeB is preset with a unique device certificate. The ESN list, CRL, and factory CA root certificate are published on the web portal.

    Operation stage: At the operation stage, a customer obtains the ESN list, CRL, and factory CA root certificates from the web portal to support the factory-preset certificate and eNodeB authentication.

    For details, see the Remark.


    Certificate Management (CMPv2)

    Two certificate management phases:

    1. PnP phase: In the PnP phase, the eNodeB uses the initial request message and initial reply message to apply to the operator's CA server for a device certificate. The DHCP option parameter (CA protocol type) determines whether a CMPV2 message uses http or https. The following figure illustrates the PnP scenario.

    2. Maintenance phase: After the system enters stable status, two messages, Key Update Request and Key Update Reply, are used to update the certificate. If updating the certificate fails, the existing certificate remains effective and in use to prevent interruption of the transmission link.

    The certificate management system (cmpv2) is compliant with 3GPP 33.310.

    [Figure: CMPv2 exchange in the PnP phase.
    eNodeB -> PKI server: Ir{certificate request file, vendor certificate}
    PKI server -> eNodeB: Ip{operator certificate, operator root certificate}
    eNodeB side: 1. Creates a key pair (private key and public key) for the certificate file; 2. Creates the certificate request. The subject CN (common name) and SubjectAltName of the certificate are [email protected]. The ESN (Electrical Sequence Number) is the unique ID of the eNodeB.
    PKI server side: 1. Verifies the vendor certificate against the whitelist, which is composed of eNodeB ESNs; 2. Verifies the vendor certificate with the vendor root certificate; 3. Issues the operator certificate using the received certificate request file.]
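    The Python below is an added example and is not code from the training deck, the eNodeB or the PKI server; it models three passages at once: the certificate-chain walk to a self-signed root (Certificate page), root-certificate verification strengthened by the ESN whitelist (Certificate Verification in the LTE), and the PKI server's checks and issuance in the CMPv2 Ir/Ip exchange shown in the figure above. Textbook RSA over small primes, a dict-based certificate structure, a CRL reduced to a set of revoked serial numbers, and all names and the ESN value are assumptions made for the illustration and stand in for real X.509 certificates and CMPv2 messages.

```python
"""Added example, not from the training deck: a toy model of the certificate
checks described on these pages. A device certificate is verified by walking the
chain to a preset root, checked against a CRL, and its ESN is checked against a
whitelist; the PKI server then issues an operator certificate for a valid request
(the CMPv2 Ir/Ip step). Assumptions: textbook RSA with small primes and a
dict-based certificate structure stand in for real X.509 and CMPv2 messages."""
import hashlib
import json


def rsa_keypair(p, q, e=65537):
    """Toy RSA key pair from two primes (illustration only, far too small for use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def digest(tbs):
    """Message digest of the 'to be signed' part, as an integer."""
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, tbs):
    return pow(digest(tbs) % private["n"], private["d"], private["n"])


def verify(public, tbs, signature):
    return pow(signature, public["e"], public["n"]) == digest(tbs) % public["n"]


def make_cert(subject, issuer, subject_pub, issuer_priv, serial, esn=None):
    """Certificate = to-be-signed fields + the issuer's signature over them."""
    tbs = {"subject": subject, "issuer": issuer, "serial": serial,
           "pub": subject_pub, "esn": esn}
    return {"tbs": tbs, "sig": sign(issuer_priv, tbs)}


def verify_chain(cert, chain_certs, trusted_roots, crl_serials):
    """Walk issuer links up to a trusted, self-signed root. Every signature must
    verify and no certificate on the path may appear in the CRL. Returns (ok, reason)."""
    by_name = {c["tbs"]["subject"]: c for c in list(chain_certs) + list(trusted_roots)}
    root_names = {c["tbs"]["subject"] for c in trusted_roots}
    for _ in range(8):                                   # bound the walk
        tbs = cert["tbs"]
        if tbs["serial"] in crl_serials:
            return False, f"{tbs['subject']} is revoked"
        issuer = by_name.get(tbs["issuer"])
        if issuer is None:
            return False, f"issuer {tbs['issuer']} unknown"
        if not verify(issuer["tbs"]["pub"], tbs, cert["sig"]):
            return False, f"bad signature on {tbs['subject']}"
        if issuer is cert:                               # self-signed: must be a preset root
            ok = tbs["subject"] in root_names
            return ok, "chain verified" if ok else "self-signed but not a preset root"
        cert = issuer
    return False, "chain too long"


def pki_server_check(vendor_cert, vendor_roots, crl_serials, esn_whitelist):
    """Root-certificate verification strengthened by the ESN whitelist."""
    ok, reason = verify_chain(vendor_cert, [], vendor_roots, crl_serials)
    if not ok:
        return False, reason
    if vendor_cert["tbs"]["esn"] not in esn_whitelist:
        return False, "ESN not in whitelist"
    return True, "valid vendor device with whitelisted ESN"


def issue_operator_cert(issuer_name, issuer_priv, request_pub, esn, serial):
    """Ip response: the operator CA signs the public key from the request file."""
    return make_cert(f"eNodeB-{esn}", issuer_name, request_pub, issuer_priv, serial, esn)


def demo():
    vendor_root_pub, vendor_root_priv = rsa_keypair(1000003, 1000033)
    op_root_pub, op_root_priv = rsa_keypair(1000037, 1000039)
    op_sub_pub, op_sub_priv = rsa_keypair(9973, 9967)
    device_pub, _device_priv = rsa_keypair(10007, 10009)
    esn = "ESN-CONSTRUCTED-0001"                          # placeholder, not a real ESN
    # Factory stage: self-signed vendor root and a device certificate carrying the ESN.
    vendor_root = make_cert("VendorRootCA", "VendorRootCA", vendor_root_pub, vendor_root_priv, 1)
    device_cert = make_cert("eNodeB-factory", "VendorRootCA", device_pub, vendor_root_priv, 1001, esn)
    whitelist = {esn}
    r = {}
    r["valid"] = pki_server_check(device_cert, [vendor_root], set(), whitelist)[0]
    r["revoked"] = pki_server_check(device_cert, [vendor_root], {1001}, whitelist)[0]
    r["not_whitelisted"] = pki_server_check(device_cert, [vendor_root], set(), {"other"})[0]
    altered = {"tbs": dict(device_cert["tbs"], subject="eNodeB-altered"), "sig": device_cert["sig"]}
    r["altered"] = pki_server_check(altered, [vendor_root], set(), whitelist)[0]
    # Operation stage: a two-level operator CA hierarchy issues the operator certificate.
    op_root = make_cert("OperatorRootCA", "OperatorRootCA", op_root_pub, op_root_priv, 2)
    op_sub = make_cert("OperatorSubCA", "OperatorRootCA", op_sub_pub, op_root_priv, 3)
    op_cert = issue_operator_cert("OperatorSubCA", op_sub_priv, device_pub, esn, 5001)
    r["operator_chain"] = verify_chain(op_cert, [op_sub], [op_root], set())[0]
    r["operator_chain_sub_revoked"] = verify_chain(op_cert, [op_sub], [op_root], {3})[0]
    return r
```

    Two details carry over to real deployments: the walk only succeeds when it ends at a certificate that is both self-signed and present in the preset trust store, so a self-signed certificate delivered in the chain itself is not accepted as a root, and the CRL is consulted for every certificate on the path, so revoking a middle CA invalidates everything it issued.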


    Equipment Security: Simple Firewall

    The eNodeB provides a simple firewall function, including ACL packet filtering and interface security management.

    ACL packet filtering

    1. Objective: To prevent DoS attacks, or to be used by IPSec to match packets and determine whether a packet should be protected with IPSec. The eNodeB supports ACL rule definition to permit or deny the packets that match the rule.
    2. 6-tuple rule: protocol type, destination IP, source IP, destination port, source port, DSCP.
    3. Response methods: permit or deny.
    4. Handling methods:
    Whitelist: First, an ACL rule denying reception of all packets is configured; then the packets that are permitted to pass are specified for each data stream.
    Blacklist: An ACL rule that denies a data stream is configured for each data stream that needs to be denied. By default, all packets are permitted, so there is no need to configure an ACL rule that permits all packets.
    In terms of complete protection, the whitelist is better. For the SON X2 self-setup function, the system automatically adds an ACL rule for an X2 interface.

    Interface security management

    This function consists of three parts:
    1. Communication matrix: The support website publishes the open protocol ports (TCP/UDP) of each eNodeB version as the basis for port management.
    2. Service port disable: When there is no service configuration over a service port, a user can disable the service port to decrease the possibility of being attacked.
    3. Debug port or protocol port disable: A user can choose to disable the debug port, or a protocol port of the debug port, preferentially Telnet port 23 and SSH port 22.


    Self-Setup of ACL Packet Filtering over X2 Interface - New in eRAN2.1

    Some operators want all the ingress and egress streams of the eNodeB to be under the control of a whitelist to improve system security. The default action is deny. Only the streams whose ACL rule is permit can be received by the system.

    The eNodeB interfaces include S1, X2, OM, clock, and cascade. Except for the X2 interface, all interfaces are statically configured. A user can perform data planning and configuration in advance.

    The X2 interface is dynamically configured by ANR, and the ACL rules for the X2 interface cannot be planned in advance. Therefore, the X2 interface should support generation of ACL rules during ANR.

    To support this function, 3GPP extends S1AP "eNB Configuration Transfer/MME Configuration Transfer" and adds the service IP in addition to the signaling IP. During the X2 self-setup process, the eNodeB sets up ACL packet filtering rules after exchanging the address information.

    X2 self-setup is described as follows:

    1. The source eNodeB and destination eNodeB exchange IP address information (signaling IP and service IP) by the two messages "eNB Configuration Transfer" and "MME Configuration Transfer".
    2. The source eNodeB sets up a signaling link to the destination eNodeB and configures ACL rules according to the source IP address and destination IP address: {SCTP, source signaling IP, destination signaling IP}, {UDP, source service IP, destination service IP}.
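    The following Python is an added example, not code from the training deck or from the eNodeB; it models the 6-tuple ACL packet filter from the Simple Firewall page in both whitelist (default deny) and blacklist (default permit) handling, and derives the X2 rules {SCTP, signaling IP pair} and {UDP, service IP pair} from the addresses exchanged during X2 self-setup. The `AclRule`, `PacketFilter` and `x2_self_setup_rules` names, the addresses, and the choice to add each X2 rule in both directions are assumptions for the illustration; the S1-AP, X2-AP and GTP-U port numbers in the sample packets are the standard IANA assignments, not values from the deck.

```python
"""Added example, not from the training deck: a 6-tuple ACL packet filter with
whitelist (default deny) and blacklist (default permit) handling, plus the
automatic generation of the X2 rules described above. Rules and packets are plain
Python structures that imitate, not reproduce, the eNodeB's ACLRULE/ACL/PACKETFILTER
objects. Addresses are constructed; port numbers are standard IANA assignments."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None            # wildcard for a 6-tuple field


@dataclass(frozen=True)
class AclRule:
    action: str                        # "permit" or "deny"
    protocol: Optional[str] = ANY      # "sctp", "udp", "tcp", ...
    src: Optional[str] = ANY           # address or CIDR prefix
    dst: Optional[str] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY
    dscp: Optional[int] = ANY

    def matches(self, pkt):
        """True when every non-wildcard field of the rule matches the packet."""
        if self.protocol is not ANY and self.protocol != pkt["protocol"]:
            return False
        for field in ("src", "dst"):
            want = getattr(self, field)
            if want is not ANY and ip_address(pkt[field]) not in ip_network(want, strict=False):
                return False
        for field in ("src_port", "dst_port", "dscp"):
            want = getattr(self, field)
            if want is not ANY and want != pkt[field]:
                return False
        return True


class PacketFilter:
    """Ordered rule list; the first matching rule decides, otherwise the default applies.
    default="deny" gives whitelist handling, default="permit" gives blacklist handling."""

    def __init__(self, default):
        self.default = default
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


def x2_self_setup_rules(local_sig_ip, local_svc_ip, peer_sig_ip, peer_svc_ip):
    """Rules derived from the addresses exchanged in eNB/MME Configuration Transfer:
    {SCTP, signaling IP pair} and {UDP, service IP pair}. Both directions are added
    here (an assumption) because the filter applies to ingress and egress."""
    return [
        AclRule("permit", "sctp", local_sig_ip, peer_sig_ip),
        AclRule("permit", "sctp", peer_sig_ip, local_sig_ip),
        AclRule("permit", "udp", local_svc_ip, peer_svc_ip),
        AclRule("permit", "udp", peer_svc_ip, local_svc_ip),
    ]


def packet(protocol, src, dst, src_port, dst_port, dscp=0):
    return {"protocol": protocol, "src": src, "dst": dst,
            "src_port": src_port, "dst_port": dst_port, "dscp": dscp}


def demo():
    """Whitelist filter with planned S1/OM rules plus X2 rules learned during ANR,
    compared with a blacklist filter that only blocks Telnet. Constructed addresses."""
    wl = PacketFilter(default="deny")
    wl.add(AclRule("permit", "sctp", "10.10.1.0/24", "10.20.0.1", dst_port=36412))   # S1-AP to MME
    wl.add(AclRule("permit", "udp", "10.10.1.0/24", "10.20.0.0/24", dst_port=2152))  # S1-U GTP-U
    wl.add(AclRule("permit", "tcp", "10.30.0.5", "10.10.1.0/24"))                     # OM from M2000
    for rule in x2_self_setup_rules("10.10.1.5", "10.10.1.6", "10.10.2.5", "10.10.2.6"):
        wl.add(rule)
    bl = PacketFilter(default="permit")
    bl.add(AclRule("deny", "tcp", dst_port=23))
    samples = {
        "s1ap": packet("sctp", "10.10.1.5", "10.20.0.1", 36412, 36412, dscp=46),
        "x2ap_in": packet("sctp", "10.10.2.5", "10.10.1.5", 36422, 36422, dscp=46),
        "x2u_in": packet("udp", "10.10.2.6", "10.10.1.6", 2152, 2152),
        "x2ap_unknown_peer": packet("sctp", "10.10.9.9", "10.10.1.5", 36422, 36422),
        "telnet_in": packet("tcp", "192.0.2.9", "10.10.1.5", 40000, 23),
    }
    return {"whitelist": {k: wl.decide(p) for k, p in samples.items()},
            "blacklist": {k: bl.decide(p) for k, p in samples.items()}}
```

    The comparison in `demo()` is the practical argument for the whitelist: the blacklist only stops the one stream somebody thought to deny (Telnet), while the whitelist also drops X2 traffic from a neighbour that was never learned through ANR, without anyone having planned a rule for it.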


    OMCH Security (Principles of SSL)

    The SSL protocol was developed by Netscape and provides an encrypted and reliable connection between two computers. Its features are as follows:

    1. Established over a reliable transport layer protocol (such as TCP).
    2. Unrelated to the application layer protocol.
    3. Encryption algorithms, negotiation of the communication key, and authentication by the server are finished before communication over the application layer protocol.
    4. The upper application layer protocols (such as HTTP, FTP, and TELNET) are transparently established over the SSL protocol. All the data transported by the application layer protocols is encrypted, ensuring communication confidentiality.

    SSL provides three security services:

    Confidentiality protection: After the handshake protocol finishes negotiation of the session key, all messages are encrypted for transmission.

    Integrity protection: Maintains data integrity and ensures that data is not tampered with during transmission.

    Authentication: Authenticates a user and a server so that they are sure that data is sent to the correct client and server. Though client authentication during a session is optional, a server is always authenticated.


    Principles of SSL (2)

    [Figure: SSL protocol stack. Application layer protocols (HTTP, FTP, Telnet) | SSL Handshake Protocol, Change Cipher Spec Protocol and SSL Alert Protocol, all over the SSL Record Protocol | TCP | IP.]

    SSL application scenarios:

    SSL-based OMCH.

    Local (or remote) FTPS connection to upload or download files.

    Local (or remote) WebLMT sets up an HTTPS connection for operation and maintenance.

    [Figure: OMCH, FTPS and HTTPS connections to the eNodeB.]


    Security Configuration on eNodeB (1)

    The transport-layer security configuration on the eNodeB consists of the IPSec configuration and the packet filtering configuration.

    1. IPSec configuration

    This configuration defines the data that requires IPSec, the authentication method, the data encryption algorithms, the key exchange methods, and the key encryption algorithms. The details are as follows:

    ACLRULE defines an ACL rule, specifically the types of packets that require encryption protection.
    ACL defines an ACL group. An ACL group contains one or multiple ACL rules.
    IKECFG defines the eNodeB local negotiation parameters for IKE negotiation.
    IKEPROPOSAL defines an IKE proposal that contains the encryption and negotiation algorithms at the IKE negotiation stage.
    IKEPEER defines the parameters exchanged between the eNodeB and the peer at the IKE negotiation stage.
    IPSECPROPOSAL defines the encapsulation, authentication algorithm, and encryption algorithm used at the IPSec stage.
    IPSECPOLICY defines the protection policy for IP packets matching the ACL rules.
    IPSECBIND binds IPSec with physical ports.

    2. Packet filtering configuration

    This configuration defines the ingress and egress packets permitted or denied by the eNodeB. The details are as follows:

    ACL and ACLRULE define the admission rules for the packets.
    PACKETFILTER binds the ACL with physical ports.


    Security Configuration on eNodeB (2)

    3. Configuration of digital certificates

    This configuration defines the digital certificate used by IPSec for authentication.

    Appcert defines the device certificate currently in use.
    Trustcert defines the CA server certificate trusted by the eNodeB.
    Crosscert defines the CA certificate trusted by the CA server that issues device certificates to the eNodeB.
    CRL defines the certificate revocation list.
    CRLpolicy defines the CRL policy used by the eNodeB.
    Certchktsk defines the certificate update method and policy.
    Ca defines the configuration information on the CA server.
    Certmk defines the device certificate that can be used by the eNodeB.
    Certreq defines the parameters for generating a certificate request file.

    For details, see the Transmission Security MOM Description.doc.

    The security configuration information of the TMO network is described in the attached file.


    Security Configuration on the SeGW

    The security configuration on the security gateway varies slightly between vendors and is similar to the security configuration on the eNodeB described in the preceding pages.

    The security configuration on the security gateway defines the data that requires IPSec, the authentication method, the data encryption algorithms, the key exchange methods, and the key encryption algorithms.

    The attached file is about the security configuration on the Symantec security gateway. The configuration commands vary substantially between vendors. The attached file is for reference only.

    DHCP server configuration

    The security configuration on the DHCP server requires that option 43 contains the CA server information and the certificate path. For details, see the attached Requirement for the DHCP server.


    Thank you
    www.huawei.com

    Copyright 2008 Huawei Technologies Co., Ltd. All Rights Reserved.

    The information contained in this document is for reference purposes only, and is subject to change or withdrawal according to specific customer requirements and conditions.