transmission security overview(sran10.1_01)

Upload: muhammad-abdur-razzaqe

Post on 25-Feb-2018


  • 7/25/2019 Transmission Security Overview(SRAN10.1_01)


    SingleRAN

    Transmission Security Overview

    Feature Parameter Description

    Issue 01

    Date 2015-03-23

    HUAWEI TECHNOLOGIES CO., LTD.


    Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

    No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

    Trademarks and Permissions

    and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

    All other trademarks and trade names mentioned in this document are the property of their respective holders.

    Notice

    The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

    The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

    Huawei Technologies Co., Ltd.

    Address: Huawei Industrial Base

    Bantian, Longgang

    Shenzhen 518129

    People's Republic of China

    Website: http://www.huawei.com

    Email: [email protected]

    Issue 01 (2015-03-23) Huawei Proprietary and Confidential

    Copyright Huawei Technologies Co., Ltd.


    Contents

    1 About This Document
    1.1 Scope
    1.2 Intended Audience
    1.3 Change History
    1.4 Differences Between Base Station Types
    2 Transport Network Overview
    2.1 IP Backhaul Network
    2.2 Evolution
    2.3 Security Requirements
    2.3.1 NDS Dimensions Defined by 3GPP
    2.3.2 NDS Mechanism Defined by 3GPP
    3 Transmission Security Solutions
    3.1 On a Trusted Network
    3.2 On an Untrusted Network
    3.3 Application Restrictions
    3.3.1 Scenario 1: RAN Sharing Applied
    3.3.2 Scenario 2: Transmission on Public Networks
    3.3.3 Scenario 3: Base Stations Cascaded
    4 Transmission Security Features
    4.1 Introduction
    4.2 IPsec
    4.3 Access Control Based on 802.1x
    4.4 SSL
    4.5 PKI
    5 Parameters
    6 Counters
    7 Glossary
    8 Reference Documents


    1 About This Document

    1.1 Scope

    This document describes transmission security, including transport network overview and transmission security solutions and features.

    This document involves the following elements:

    - Base stations, including 3900 series base stations
    - Base station controllers, including the GBSC, RNC, and MBSC
    - U2000

    Table 1-1 defines all types of base stations.

    Table 1-1 Base station definition

    | Base Station Name | Definition |
    |---|---|
    | GBTS | GBTS refers to a base station deployed with GTMU and maintained through a base station controller. |
    | eGBTS | eGBTS refers to a base station deployed with GTMUb, UMPT_G, or UMDU_G and directly maintained by the element management system (EMS). |
    | NodeB | NodeB refers to a base station deployed with WMPT, UMPT_U, or UMDU_U. |
    | eNodeB | eNodeB refers to a base station deployed with LMPT, UMPT_L, UMPT_T, UMDU_L, or UMDU_T. |
    | Co-MPT multimode base station | Co-MPT multimode base station refers to a base station deployed with UMPT_GU, UMDU_GU, UMPT_GL, UMDU_GL, UMPT_GT, UMDU_GT, UMPT_UL, UMDU_UL, UMPT_UT, UMDU_UT, UMPT_LT, UMDU_LT, UMPT_GUL, UMDU_GUL, UMPT_GUT, UMDU_GUT, UMPT_ULT, UMDU_ULT, UMPT_GLT, UMDU_GLT, UMPT_GULT, or UMDU_GULT, and it functionally corresponds to any combination of eGBTS, NodeB, and eNodeB. For example, a Co-MPT multimode base station deployed with UMPT_GU functionally corresponds to the combination of eGBTS and NodeB. |
    | Separate-MPT multimode base station | Separate-MPT multimode base station refers to a base station on which different modes use different main control boards. For example, base stations deployed with GTMU and WMPT are called separate-MPT GSM/UMTS dual-mode base stations. NOTE: A UMDU cannot be used in a separate-MPT base station. |

    Unless otherwise specified, the descriptions and examples for the UMPT in a co-MPT base station are applicable to the UMDU in a co-MPT base station.

    1.2 Intended Audience

    This document is intended for personnel who:

    - Need to understand transmission security
    - Work with Huawei products

    1.3 Change History

    This section provides information about the changes in different document versions. There are two types of changes, which are defined as follows:

    - Feature change
      Changes in features of a specific product version
    - Editorial change
      Changes in wording or addition of information that was not described in the earlier version

    SRAN10.1 01 (2015-03-23)

    This is the first official release. This issue does not include any changes.


    SRAN10.1 Draft A (2015-01-15)

    Compared with Issue 01 (2014-04-26) of SRAN9.0, Draft A (2015-01-15) of SRAN10.1 includes the following changes.

    | Change Type | Change Description | Parameter Change |
    |---|---|---|
    | Feature change | Added the description that different operators can use differential certificates. For details, see 3.3.1 Scenario 1: RAN Sharing Applied. | None |
    | Editorial change | None | None |

    1.4 Differences Between Base Station Types

    Definition

    The macro base stations described in this document refer to 3900 series base stations. These base stations work in GSM, UMTS, or LTE mode, as listed in the section Scope.

    The LampSite base stations described in this document refer to distributed base stations that provide indoor coverage. These base stations work in UMTS or LTE mode but not in GSM mode.

    The micro base stations described in this document refer to all integrated entities that work in UMTS or LTE mode but not in GSM mode. Descriptions of boards, cabinets, subracks, slots, and RRUs do not apply to micro base stations.

    The following table defines the types of micro base stations.

    | Base Station Model | RAT |
    |---|---|
    | BTS3202E | LTE FDD |

    NOTE

    The co-MPT and separate-MPT applications are irrelevant to single-mode micro base stations.

    Feature Support by Macro, Micro, and LampSite Base Stations

    None


    Function Implementation in Macro, Micro, and LampSite Base Stations

    | Function | Difference |
    |---|---|
    | IPSec NAT traversal | IPSec NAT traversal is specific to micro base stations. A NAT gateway is likely to be deployed when data is transmitted on the public network. When a NAT gateway is deployed along the IPSec tunnel, the communicating parties must both support NAT traversal. |


    2 Transport Network Overview

    2.1 IP Backhaul Network

    A mobile backhaul network is an end-to-end transport network that transmits data between a base station and a base station controller. Figure 2-1 shows an IP-based mobile backhaul network (IP backhaul for short).

    This section describes transmission security solutions for the IP backhaul.

    Figure 2-1 IP backhaul network

    2.2 Evolution

    In TDM/ATM or IP over E1 mode, a transport network is generally only used to carry radio services, and transmission links inherently provide their own high security. Therefore, there is no need to deploy additional security features. However, with the wide development of mobile broadband (MBB), transport networks have evolved towards all-IP based networks. This not only means that data migrates to the packet switched (PS) domain, but also that the transport network becomes completely open and easily accessible. As a result, transport networks carrying telecommunication services face various security concerns.

    NOTE

    This document only describes transmission security pertaining to the Ethernet or IP network.

    To protect radio equipment from security threats and attacks and to provide secure communication on transport networks, multi-plane security measures are required.


    2.3 Security Requirements

    As indicated in 3GPP TS 33.210, Network Domain Security for IP based protocols (NDS/IP) is recommended for transmission security.

    2.3.1 NDS Dimensions Defined by 3GPP

    3GPP defines the following NDS dimensions:

    - Data integrity
      Data integrity ensures the correctness or accuracy of data by preventing data from unauthorized modification, removal, and creation, and provides proof of such unauthorized activities. For example, Internet Protocol Security (IPsec) provides integrity protection for all IP packets.
    - Data source authentication
      Data source authentication ensures that the source of data received is as claimed.
    - Anti-replay protection
      Anti-replay protection is a special case of integrity protection. It protects packets from being intercepted, modified, and then reinserted by a third party.
    - (Optional) data confidentiality
      Data confidentiality ensures that only authorized entities can access and parse data, thereby preventing eavesdropping.
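    How a receiver can enforce the integrity and anti-replay dimensions together, as an added example that is not part of the Huawei document: a sliding window over sequence numbers in the style of ESP (RFC 4303), updated only after the integrity check value (ICV) verifies. The packet layout, the truncated HMAC-SHA-256 ICV, the key, and all function names are simplifying assumptions; real IPsec negotiates algorithms and keys through IKE.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16        # truncated HMAC length used in this sketch (assumption)
WINDOW_SIZE = 64    # default window size preferred by RFC 4303


class ReplayWindow:
    """Receiver-side sliding window over 32-bit sequence numbers."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0       # highest sequence number authenticated so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def acceptable(self, seq):
        """Cheap pre-check, run before the integrity check."""
        if seq == 0:
            return False                 # sender counters start at 1
        if seq > self.top:
            return True                  # newer than anything seen so far
        offset = self.top - seq
        if offset >= self.size:
            return False                 # fell off the left edge: too old
        return not (self.bitmap >> offset) & 1   # duplicate inside the window?

    def mark(self, seq):
        """Record seq. Call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def protect(key, seq, payload):
    """Sender side: sequence number, payload, then ICV over both."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def receive(key, window, packet):
    """Receiver side: replay pre-check, integrity check, then window update."""
    if len(packet) < 4 + ICV_LEN:
        return "malformed"
    (seq,) = struct.unpack("!I", packet[:4])
    if not window.acceptable(seq):
        return "replayed-or-stale"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        # The window is deliberately left untouched: an unauthenticated
        # sequence number must never move the right edge.
        return "integrity-failure"
    window.mark(seq)
    return "accepted"


def demo():
    key = b"constructed demo key"        # constructed sample key
    window = ReplayWindow()
    p1, p2, p3 = (protect(key, s, b"payload") for s in (1, 2, 3))
    # Constructed packet with a high sequence number and an invalid ICV
    bad_icv = struct.pack("!I", 1000) + b"payload" + bytes(ICV_LEN)
    results = [
        receive(key, window, p1),        # first packet
        receive(key, window, p3),        # arrives early, moves the right edge
        receive(key, window, p2),        # late but still inside the window
        receive(key, window, p1),        # second copy of an accepted packet
        receive(key, window, bad_icv),   # fails the ICV, window unchanged
    ]
    return results, window.top


if __name__ == "__main__":
    print(demo())
```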

    2.3.2 NDS Mechanism Defined by 3GPP

    NDS/IP in 3GPP networks uses the standard security procedure and mechanism defined by IETF.

    This mechanism divides a network into different security domains, which are isolated by security gateways (SeGWs). The SeGWs perform routing and implement security policies for traffic between the security domains. This mechanism is described as follows:

    - Each security domain has one or more SeGWs in order to balance traffic load or to prevent a single point of failure.
    - Secure communication between NEs is implemented by IPsec, which provides protective measures such as data source authentication, data integrity check, and data confidentiality.
    - The base station uses the public key infrastructure (PKI) and the pre-shared key (PSK) to authenticate the identity of the peer end.

    The typical security procedure is as follows:

    1. The base station enables an IPsec tunnel.
    2. The base station sends IPsec packets to the SeGW through the IPsec tunnel in the IP backhaul.
    3. The SeGW receives and processes the IPsec packets.


    3 Transmission Security Solutions

    This chapter describes recommended transmission security solutions that meet transmission security standards and operator requirements.


    3.1 On a Trusted Network

    On a trusted network, sites are physically safe. For example, an operator that owns a site can strictly control access to the site, and the site or transport network is managed by one organization.

    The security policy for trusted networks, then, is to deploy strong authentication protocols to restrict network access.

    Transmission security solutions for trusted networks are as follows:

    - Secure Sockets Layer (SSL)
      Operation and maintenance (O&M) data between the base station and the U2000 or LMT is encrypted by SSL. This improves the transmission security of O&M channels.
    - 802.1x
      The base station is authenticated based on 802.1x before it accesses the network. This ensures network security.

    Figure 3-1 shows the logical networking for transmission security on a trusted network.

    Figure 3-1 Logical networking for transmission security on a trusted network

    Table 3-1 describes the network elements (NEs) involved in the transmission security solution for trusted networks.

    Table 3-1 NEs involved in the transmission security solution for trusted networks

    | NE | Description |
    |---|---|
    | Base station | Complies with SSL and 802.1x |
    | U2000 | Implements configuration and management of base stations. |
    | Authentication, Authorization and Accounting (AAA) server | Uses digital certificates to perform access control based on 802.1x on base stations. |
    | 802.1x authenticator | Possibly uses a switch on the transport network that is enabled with access control based on 802.1x. |


    Table 3-2 describes the external interfaces involved in the transmission security solution for trusted networks.

    Table 3-2 External interfaces involved in the transmission security solution for trusted networks

    | External Interface | Description |
    |---|---|
    | SSL interface | Located between the base station and U2000. Through this interface, the base station establishes an SSL connection to the U2000. |
    | 802.1x interface | Located between the base station and 802.1x authenticator. Through this interface, the base station initiates access control based on 802.1x. |

    3.2 On an Untrusted Network

    On an untrusted network, sites are physically unsafe. An operator that owns a site cannot strictly control access, and the site or transport network may be managed by one or multiple organizations.

    The security policy for untrusted networks is to use IPsec and other security features to protect data on the user, control, and management planes.

    Transmission security solutions for untrusted networks are as follows:

    - IPsec
      The base station supports IPsec. In IPsec networking, an SeGW is deployed to terminate an IPsec tunnel on the core network (CN) side. In addition to the IPsec tunnel solution, IPsec also provides the secure base station deployment solution and the IPsec reliability solution.

      NOTE
      Clock packets can be carried over the user, control, or management plane. That is, clock packets can be transmitted using the IP address for any of the base station's user, control, and management planes.
    - PKI
      The base station complies with Certificate Management Protocol (CMPv2) and can be preconfigured with a device certificate before delivery. With the cooperation of base stations, a PKI system issues and manages certificates for authentication during IPsec/802.1x/SSL implementation.
    - SSL
      O&M data between the base station and the U2000 or LMT is encrypted by SSL, which improves transmission security.
    - 802.1x
      The base station is authenticated based on 802.1x before it accesses the network, which ensures network security.

    Figure 3-2 shows the logical networking for transmission security on an untrusted network.


    Figure 3-2 Logical networking for transmission security on an untrusted network

    Table 3-3 describes the NEs involved in the transmission security solution for untrusted networks.

    Table 3-3 NEs involved in the transmission security solution for untrusted networks

    | NE | Description |
    |---|---|
    | Base station | Uses an integrated firewall to protect against attacks. Supports the configuration of VLANs to isolate data on the user, control, and management planes. |
    | U2000 | Implements configuration and management of base stations. |
    | AAA server | Uses digital certificates to perform access control based on 802.1x on base stations. |
    | 802.1x authenticator | Generally uses a switch on the transport network that is enabled with access control based on 802.1x. |
    | SeGW | Terminates an IPsec tunnel. Uses an integrated firewall to protect against attacks to the CN. |
    | PKI | Includes the CA/RA and certificate revocation list (CRL) server. (NOTE: CA stands for certificate authority and RA stands for registration authority.) Manages digital certificates for NEs such as the base station and SeGW. |

    Table 3-4 describes the external interfaces involved in the transmission security solution for untrusted networks.

    Table 3-4 External interfaces involved in the transmission security solution for untrusted networks

    | External Interface | Description |
    |---|---|
    | SSL interface | Located between the base station and U2000. Through this interface, the base station establishes an SSL connection to the U2000. |
    | 802.1x interface | Located between the base station and 802.1x authenticator. Through this interface, the 802.1x authenticator performs access control based on 802.1x on the base station. |
    | IPsec interface | Located between the base station and SeGW. Through this interface, an IPsec tunnel is established. |
    | PKI interface: CMPv2 interface | Located between the base station and CA or between the base station and RA. Through this interface, the base station sends a request to the CA or RA to apply for, revoke, and update a digital certificate. |
    | PKI interface: LDAP/FTP interface | Located between the base station and CRL server. Through this interface, the base station downloads CRLs. |

    3.3 Application Restrictions

    3.3.1 Scenario 1: RAN Sharing Applied

    When RAN Sharing is applied, multiple IPsec tunnels must be established in order to isolate and protect the data of each operator.

    As of SRAN10.1, different operators can use differential certificates.

    3.3.2 Scenario 2: Transmission on Public Networks

    For transmission on public networks, IPsec tunnels must support Network Address Translation (NAT). Currently, 3900 series base stations do not support IPsec tunnels enabled with NAT.

    3.3.3 Scenario 3: Base Stations Cascaded

    When multiple base stations are cascaded, each base station must be protected by IPsec. It is recommended that each base station have a separate IPsec tunnel and that the Hub base station perform forwarding only.


    4 Transmission Security Features

    4.1 Introduction

    Transmission security features are IPsec, SSL, PKI, and access control based on 802.1x, as shown in Figure 4-1.

    Figure 4-1 Transmission security features

    4.2 IPsec

    IPsec is a security framework defined by the IETF. It can provide end-to-end secure data transmission on untrusted networks, such as the Internet. On IP networks, IPsec provides transparent, interoperable, and cryptography-based security services to ensure confidentiality, integrity, and authenticity of data and to provide anti-replay protection.

    IPsec operates at the IP layer of the TCP/IP protocol stack and provides transparent security services for upper-layer applications. (TCP stands for Transmission Control Protocol.)

    For details about IPsec, see IPsec Feature Parameter Description for SingleRAN.

    4.3 Access Control Based on 802.1x

    802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard for port-based network access control. Access control based on 802.1x involves the following NEs:


    - Client, that is, a base station
    - Authentication access equipment, such as a local area network (LAN) switch
    - Authentication server, such as an AAA server

    Access control based on 802.1x is implemented as follows:

    - After a base station initially accesses the network and before it is authenticated, only 802.1x authentication packets can be transmitted over a port on the authentication access equipment.
    - After the authentication server authenticates the base station and authorizes the port, data can be transmitted over the authorized port. This ensures that only authorized users can access the network.

    For details about access control based on 802.1x, see Access Control based on 802.1x Feature Parameter Description for SingleRAN.
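    The port behaviour described above, as an added model that is not Huawei's or any switch vendor's implementation: a port that passes only EAPOL (802.1x authentication) frames to the authenticator until the authentication server accepts the client, and that falls back to the unauthorized state on link loss or EAPOL-Logoff. The class, function names, MAC addresses, and frames are constructed for illustration; only the outer EtherType is inspected, which is a simplification.

```python
import struct

ETH_P_PAE = 0x888E                          # EtherType of EAPOL frames (IEEE 802.1X)
ETH_P_IPV4 = 0x0800
PAE_GROUP = bytes.fromhex("0180c2000003")   # PAE group MAC address
EAPOL_START, EAPOL_LOGOFF = 1, 2            # EAPOL packet types


class AuthenticatorPort:
    """One port on the authentication access equipment (model)."""

    def __init__(self):
        self.authorized = False             # every port starts unauthorized

    def aaa_result(self, accepted):
        # Decision relayed from the authentication server (AAA server)
        self.authorized = bool(accepted)

    def link_down(self):
        # Link loss resets the port, so whatever is connected next
        # has to authenticate again.
        self.authorized = False

    def handle(self, frame):
        """Return 'to-pae', 'forward' or 'drop' for one received frame."""
        if len(frame) < 14:
            return "drop"                   # shorter than an Ethernet header
        (etype,) = struct.unpack("!H", frame[12:14])
        if etype == ETH_P_PAE:
            # EAPOL header: version (1), packet type (1), body length (2)
            if len(frame) >= 16 and frame[15] == EAPOL_LOGOFF:
                self.authorized = False
            return "to-pae"                 # always reaches the authenticator
        return "forward" if self.authorized else "drop"


def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload


def eapol(src, ptype, body=b""):
    header = struct.pack("!BBH", 2, ptype, len(body))
    return eth(PAE_GROUP, src, ETH_P_PAE, header + body)


def demo():
    bts = bytes.fromhex("020000000001")     # constructed base station MAC
    gw = bytes.fromhex("020000000002")      # constructed next-hop MAC
    ip_frame = eth(gw, bts, ETH_P_IPV4, b"\x45" + bytes(19))
    port = AuthenticatorPort()
    trace = [port.handle(ip_frame)]                      # before authentication
    trace.append(port.handle(eapol(bts, EAPOL_START)))   # authentication traffic
    port.aaa_result(True)                                # server accepts
    trace.append(port.handle(ip_frame))
    port.link_down()                                     # cable pulled
    trace.append(port.handle(ip_frame))
    port.aaa_result(True)                                # re-authenticated
    trace.append(port.handle(eapol(bts, EAPOL_LOGOFF)))  # client logs off
    trace.append(port.handle(ip_frame))
    trace.append(port.handle(b"\x00" * 10))              # truncated frame
    return trace


if __name__ == "__main__":
    print(demo())
```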

    4.4 SSL

    SSL is a security protocol developed by Netscape. The latest standard version of SSL is Transport Layer Security version 1.2 (TLSv1.2), which aims to provide authentication, confidentiality, and integrity protection for two communication applications.

    SSL enables an end-to-end secure connection to be established between two pieces of equipment. The details are as follows:

    - SSL operates between the transport and application layers. It is carried over reliable transport layer protocols but is independent of application layer protocols.
    - Before any communication using application layer protocols, negotiation of the encryption algorithm and key and authentication have to be completed.
    - Application layer protocols such as HTTP, FTP, and Telnet can be transparently carried over SSL. All data transmitted using the application layer protocols is encrypted to ensure confidentiality.

    SSL also protects O&M data transmitted between the base station or base station controller and the U2000 to provide secure remote maintenance.

    For details about SSL, see SSL Feature Parameter Description for SingleRAN.

    4.5 PKI

    PKI uses an asymmetric cryptographic algorithm to provide information security. It mainly manages keys and digital certificates. The functionalities and interfaces related to PKI comply with X.509 and 3GPP TS 33.310.

    A PKI system consists of the following elements: CA, RA (optional), certificate & CRL database, and end entity.

    PKI defines a certificate management system, which uses CMPv2 to exchange management information between NEs in a PKI system. CMPv2 provides the following functions:

    - Certificate registration, application, and revocation
    - Key update and recovery
    - Cross-certification
    - CA key update announcement
    - Certificate issuing and revocation announcements

    Using CMPv2, the base station and the PKI system exchange information about applying for, issuing, and updating a certificate to implement certificate management.

    For details about PKI, see PKI Feature Parameter Description for SingleRAN.


    5 Parameters

    There are no specific parameters associated with this feature.


    6 Counters

    There are no specific counters associated with this feature.


    7 Glossary

    For the acronyms, abbreviations, terms, and definitions, see Glossary.


    8 Reference Documents

    1. ITU-T X.800, "Security architecture for Open Systems Interconnection for CCITT applications," March 1991
    2. ITU-T X.805, "Security architecture for systems providing end-to-end communications," October 2003
    3. NGMN Alliance, "Security in LTE backhauling - A white paper," V1.0, February 2012
    4. 3GPP TS 33.102 V11.3.0 (2012-06): "3G security; Security architecture"
    5. 3GPP TS 33.210 V11.3.0 (2011-12): "3G security; Network Domain Security (NDS); IP network layer security"
    6. 3GPP TS 33.310 V10.5.0 (2011-12): "Network Domain Security (NDS); Authentication Framework (AF)"
    7. 3GPP TS 33.401 V11.4.0 (2012-06): "3GPP System Architecture Evolution (SAE); Security architecture"
    8. IETF RFC 4303, "IP Encapsulating Security Payload (ESP)," December 2005
    9. IETF RFC 4306, "Internet Key Exchange (IKEv2) Protocol"
    10. IPsec Feature Parameter Description
    11. Access Control based on 802.1x Feature Parameter Description
    12. SSL Feature Parameter Description
    13. PKI Feature Parameter Description
