Transmission Security Overview (SRAN9.0 - 01)

SingleRAN
Transmission Security Overview

Feature Parameter Description
Issue
01
Date
2014-04-26
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2016. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue 01 (2014-04-26)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.
SingleRAN
Transmission Security Overview Feature Parameter
Description
Contents
Contents
1 About This Document.................................................................................................................. 1
1.1 Scope.............................................................................................................................................................................. 1
1.2 Intended Audience.......................................................................................................................................................... 2
1.3 Change History............................................................................................................................................................... 2
1.4 Differences Between Base Station Types....................................................................................................................... 3
2 Transport Network Overview..................................................................................................... 5

2.1 IP Backhaul.....................................................................................................................................................................5
2.2 Evolution........................................................................................................................................................................ 5
2.3 Security Requirements....................................................................................................................................................6
2.3.1 NDS Dimensions Defined by 3GPP............................................................................................................................ 6
2.3.2 NDS Mechanism Defined by 3GPP............................................................................................................................ 6
3 Transmission Security Solutions................................................................................................7

3.1 On a Trusted Network.....................................................................................................................................................8
3.2 On an Untrusted Network...............................................................................................................................................9
3.3 Application Restrictions............................................................................................................................................... 11
3.3.1 Scenario 1: RAN Sharing Applied.............................................................................................................................11
3.3.2 Scenario 2: Transmission on Public Networks.......................................................................................................... 11
3.3.3 Scenario 3: Base Stations Cascaded.......................................................................................................................... 11
4 Transmission Security Features................................................................................................12

4.1 Introduction.................................................................................................................................................................. 12
4.2 IPsec..............................................................................................................................................................................12
4.3 Access Control Based on 802.1x.................................................................................................................................. 12
4.4 SSL............................................................................................................................................................................... 13
4.5 PKI................................................................................................................................................................................13
5 Parameters..................................................................................................................................... 15
6 Counters........................................................................................................................................ 16
7 Glossary......................................................................................................................................... 17
8 Reference Documents................................................................................................................. 18
Issue 01 (2014-04-26)

ii
SingleRAN
Description
1 About This Document
About This Document
1.1 Scope
This document describes transmission security, including transport network overview and
transmission security solutions and features.
This document involves the following network elements (NEs):
l
Base stations, including 3900 series base stations
Base station controllers, including the BSC, RNC, and MBSC
U2000
Table 1-1 defines all types of base stations.

Table 1-1 Base station definitions
Issue 01 (2014-04-26)
Base Station
Name
Definition
GBTS
A base station configured with a GTMU, GTMUb, or GTMUc and

maintained through a base station controller.
eGBTS
A base station configured with a UMPT_G.
NodeB
A base station configured with a WMPT or UMPT_U.
eNodeB
A base station configured with an LMPT or UMPT_L.
Co-MPT
multimode base
station
A base station configured with a UMPT_GU, UMPT_GL, UMPT_UL,

UMPT_GT, UMPT_UT, UMPT_GUL, UMPT_GUT, or UMPT_GULT.
A co-MPT multimode base station functionally corresponds to any
physical combination of eGBTS, NodeB, and eNodeB. For example, a
co-MPT multimode base station configured with a UMPT_GU
functionally corresponds to the physical combination of eGBTS and
NodeB.

SingleRAN
Description
Base Station
Name
Definition
Separate-MPT
multimode base
station
A base station on which each mode uses its separate main control board.
For example, a base station configured with a GTMU and WMPT is
called a separate-MPT GSM/UMTS dual-mode base station.
1.2 Intended Audience

This document is intended for personnel who:
l
Need to understand transmission security
Work with Huawei products
1.3 Change History

This section provides information about the changes in different document versions. There are
two types of changes:
l
Feature change
Changes in features and parameters of a specified version as well as the affected entities
Editorial change
Changes in wording or addition of information that was not described in the earlier
version
SRAN9.0 01 (2014-04-26)
This is the first official release. This issue does not include any changes.
SRAN9.0 Draft B (2014-02-28)

This issue includes the following changes.
Change
Type
Change Description
Parameter Change
Feature
change
None.
None
Editorial
change
Added the description about the feature and

function difference between different base
station types. For details, see 1.4 Differences
Between Base Station Types.
None.
SRAN9.0 Draft A (2014-01-20)

Compared with Issue 02 (2013-08-30) of SRAN8.0, Draft A (2014-01-20) of SRAN9.0
includes the following changes.
Issue 01 (2014-04-26)

SingleRAN
Description
Change
Type
Change Description
Parameter Change
Feature
change
Huawei mobile network management system

M2000 is renamed U2000.
None
Editorial
change
None
None
1.4 Differences Between Base Station Types

Definition
The macro base stations described in this document refer to 3900 series base stations. These
base stations work in GSM, UMTS, or LTE mode, as listed in the "Scope" section.
The LampSite base stations described in this document refer to distributed base stations that
provide indoor coverage. These base stations work in UMTS or LTE mode but not in GSM
mode.
The micro base stations described in this document refer to all integrated entities that work in
UMTS or LTE mode but not in GSM mode. Descriptions of boards, cabinets, subracks, slots,
and RRUs do not apply to micro base stations.
The following table defines the types of micro base stations.
Base Station Model
RAT
BTS3803E
UMTS
BTS3902E
UMTS
BTS3202E
LTE FDD
BTS3203E
LTE FDD
NOTE
The co-MPT and separate-MPT applications are irrelevant to single-mode micro base stations.
Feature Support by Macro, Micro, and LampSite Base Stations

None
Issue 01 (2014-04-26)

SingleRAN
Description
Function Implementation in Macro, Micro, and LampSite Base Stations

Function
Difference
IPsec NAT traversal
IPSec NAT traversal is specific to micro base stations.

An NAT gateway is likely to be deployed when data is
transmitted on the public network. When an NAT gateway is
deployed along the IPsec tunnel, the communicating parties must
both support NAT traversal.
Issue 01 (2014-04-26)

SingleRAN
Description
2 Transport Network Overview
Transport Network Overview
2.1 IP Backhaul
A mobile backhaul network transmits data between a base station and a base station
controller. Figure 2-1 shows an IP-based mobile backhaul network (IP backhaul for short).
This section describes transmission security solutions for the IP backhaul.
Figure 2-1 IP backhaul network
2.2 Evolution
In TDM/ATM or IP over E1 mode, a transport network is generally only used to carry radio
services, and transmission links inherently provide their own high security. Therefore, there is
no need to deploy additional security features. However, with the wide development of
mobile broadband (MBB), transport networks have evolved towards all-IP based networks.
This not only means that data migrates to the packet switched (PS) domain, but also that the
transport network becomes completely open and easily accessible. As a result, transport
networks carrying telecommunication services face various security concerns.
NOTE
This document only describes transmission security pertaining to the Ethernet or IP network.
To protect radio equipment from security threats and attacks and to provide secure
communication on transport networks, multi-plane security measures are required.
Issue 01 (2014-04-26)

SingleRAN
Description
2 Transport Network Overview
2.3 Security Requirements

As indicated in 3GPP TS 33.210, Network Domain Security for IP based protocols (NDS/IP)
is recommended for transmission security.
2.3.1 NDS Dimensions Defined by 3GPP

3GPP defines the following NDS dimensions:
l
Data integrity
Data integrity ensures the correctness or accuracy of data by preventing data from
unauthorized modification, removal, and creation, and provides proof of such
unauthorized activities. For example, Internet Protocol Security (IPsec) provides
integrity protection for all IP packets.
Data source authentication

Data source authentication ensures that the source of data received is as claimed.
Anti-replay protection
Anti-replay protection is a special case of integrity protection. It protects packets from
being intercepted, modified, and then reinserted by a third party.
(Optional) data confidentiality

Data confidentiality ensures that only authorized entities can access and parse data,
thereby preventing eavesdropping.
2.3.2 NDS Mechanism Defined by 3GPP

In NDS/IP, all the nodes on the network are regarded as IP nodes. NDS/IP in 3GPP networks
use the standard security procedure and mechanism defined by IETF.
This mechanism divides a network into different security domains, which are isolated by
security gateways (SeGWs). The SeGWs perform routing and implement security policies for
traffic between the security domains. This mechanism is described as follows:
l
Each security domain has one or more SeGWs in order to balance traffic load or to
prevent a single point of failure.
Secure communication between NEs is implemented by IPsec, which provides protective

measures such as data source authentication, data integrity check, and data
confidentiality.
The typical security procedure is as follows:
Issue 01 (2014-04-26)
The base station enables an IPsec tunnel.
The base station sends IPsec packets to the SeGW through the IPsec tunnel in the IP
backhaul.
The SeGW receives and processes the IPsec packets.
The base station uses the public key infrastructure (PKI) and the pre-shared key (PSK) to
authenticate the identity of the peer end.

SingleRAN
Description
3 Transmission Security Solutions
Transmission Security Solutions
This chapter describes recommended transmission security solutions that meet transmission
security standards and operator requirements.
Issue 01 (2014-04-26)

SingleRAN
Description
3.1 On a Trusted Network

On a trusted network, sites are physically safe. For example, an operator that owns a site can
strictly control access to the site, and the site or transport network is managed by one
organization.
The security policy for trusted networks, then, is to deploy strong authentication protocols to
restrict network access.
Transmission security solutions for trusted networks are as follows:
l
Secure Sockets Layer (SSL)

Operation and maintenance (O&M) data between the base station and the U2000 or
LMT is encrypted by SSL. This improves the transmission security of O&M channels.
802.1x
The base station is authenticated based on 802.1x before it accesses the network, which
ensures network security.
Figure 3-1 shows the logical networking for transmission security on a trusted network.
Figure 3-1 Logical networking for transmission security on a trusted network
Table 3-1 describes the NEs involved in the transmission security solution for trusted
networks.
Table 3-1 NEs involved in the transmission security solution for trusted networks
Issue 01 (2014-04-26)
NE
Description
Base station
Complies with SSL and 802.1x
U2000
Configures and manages base stations.
Authentication, Authorization and

Accounting (AAA) server
Uses digital certificates to perform access control

based on 802.1x on base stations.
802.1x authenticator
A switch on the transport network that is enabled

with access control based on 802.1x

SingleRAN
Description
Table 3-2 describes the external interfaces involved in the transmission security solution for
trusted networks.
Table 3-2 External interfaces involved in the transmission security solution for trusted
networks
External
Interface
Description
SSL interface
Located between the base station and U2000. Through this interface,
the base station establishes an SSL connection to the U2000.
802.1x interface
Located between the base station and 802.1x authenticator. Through

this interface, the base station initiates access control based on
802.1x.
3.2 On an Untrusted Network

On an untrusted network, sites are physically unsafe. An operator that owns a site cannot
strictly control access, and the site or transport network may be managed by one or multiple
organizations.
The security policy for an untrusted network is to use IPsec and other security features to
protect data on the user, control, and management planes.
Transmission security solutions for untrusted networks are as follows:
l
IPsec
The base station supports IPsec. In IPsec networking, an SeGW is deployed to terminate
an IPsec tunnel on the core network (CN) side. In addition to the IPsec tunnel solution,
IPsec also provides the secure base station deployment solution and the IPsec reliability
solution.
NOTE
Clock packets can be carried over the user, control, or management plane. That is, clock packets
can be transmitted using the IP address for any of the base station's user, control, and management
planes.
PKI
The base station complies with Certificate Management Protocol v2 (CMPv2) and can be
preconfigured with a device certificate before delivery. With the cooperation of base
stations, a PKI system issues and manages certificates for authentication during IPsec/
802.1x/SSL implementation.
SSL
O&M data between the base station and the U2000 or LMT is encrypted by SSL, which
improves transmission security.
802.1x
The base station is authenticated based on 802.1x before it accesses the network, which
ensures network security.
Figure 3-2 shows the logical networking for transmission security on an untrusted network.
Issue 01 (2014-04-26)

SingleRAN
Description
Figure 3-2 Logical networking for transmission security on an untrusted network
Table 3-3 describes the NEs involved in the transmission security solution for untrusted
networks.
Table 3-3 NEs involved in the transmission security solution for untrusted networks
NE
Description
Base station
l Uses an integrated firewall to protect against attacks.

l Supports the configuration of VLANs to isolate data on the user,
control, and management planes.
U2000
Configures and manages base stations.
AAA server
Uses digital certificates to perform access control based on 802.1x on

base stations.
802.1x
authenticator
A switch on the transport network that is enabled with access control

based on 802.1x
SeGW
l Terminates an IPsec tunnel.

l Uses an integrated firewall to protect against attacks to the CN.
PKI
l Includes the CA/RA and certificate revocation list (CRL) server.

NOTE
CA stands for certificate authority and RA stands for registration authority.
l Manages digital certificates for NEs such as the base station and
SeGW.
Issue 01 (2014-04-26)
Table 3-4 describes the external interfaces involved in the transmission security solution
for untrusted networks.

10
SingleRAN
Description
Table 3-4 External interfaces involved in the transmission security solution for untrusted
networks
External
Interface
Description
SSL
interface
Located between the base station and U2000. Through this interface,
the base station establishes an SSL connection to the U2000.
802.1x
interface
Located between the base station and 802.1x authenticator. Through

this interface, the base station initiates access control based on 802.1x.
IPsec
interface
Located between the base station and SeGW. Through this interface,
an IPsec tunnel is established.
PKI
interface
l CMPv2 interface
Located between the base station and CA or between the base
station and RA. Through this interface, the base station sends a
request to the CA or RA to apply for, revoke, and update a digital
certificate.
l LDAP/FTP interface
Located between the base station and CRL server. Through this
interface, the base station downloads CRLs.
3.3 Application Restrictions

3.3.1 Scenario 1: RAN Sharing Applied
When RAN Sharing is applied, multiple IPsec tunnels must be established in order to isolate
and protect the data of each operator.
Currently, different operators can only use the same digital certificate for authentication.
3.3.2 Scenario 2: Transmission on Public Networks

For transmission on public networks, IPsec tunnels must support Network Address
Translation (NAT).
Currently, 3900 series base stations do not support IPsec tunnels enabled with NAT.
3.3.3 Scenario 3: Base Stations Cascaded

When multiple base stations are cascaded, each base station must be protected by IPsec. It is
recommended that each base station have a separate IPsec tunnel and that the Hub base station
perform forwarding only.
Issue 01 (2014-04-26)

11
SingleRAN
Description
4 Transmission Security Features
Transmission Security Features
4.1 Introduction
Transmission security features include IPsec, 802.1x, SSL, and PKI-CMPv2, as shown in
Figure 4-1.
Figure 4-1 Transmission security features
4.2 IPsec
IPsec is a security framework defined by the IETF. It can provide end-to-end secure data
transmission on untrusted networks, such as the Internet. On IP networks, IPsec provides
transparent, interoperable, and cryptography-based security services to ensure confidentiality,
integrity, and authenticity of data and to provide anti-replay protection.
IPsec operates at the IP layer of the TCP/IP protocol stack and provides transparent security
services for upper-layer applications. (TCP stands for Transmission Control Protocol.)
For details about IPsec, see IPsec Feature Parameter Description for SingleRAN.
4.3 Access Control Based on 802.1x

802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard for port-based
network access control. Access control based on 802.1x involves the following NEs:
Issue 01 (2014-04-26)

12
SingleRAN
Description
Client, such as a base station
Authentication access equipment, such as a local area network (LAN) switch
Authentication server, such as an AAA server
Access control based on 802.1x is implemented as follows:

l
After a base station initially accesses the network and before it is authenticated, only
802.1x authentication packets can be transmitted over a port on the authentication access
equipment.
After the authentication server authenticates the base station and authorizes the port, data
can be transmitted over the authorized port. This ensures that only authorized users can
access the network.
For details about access control based on 802.1x, see Access Control based on 802.1x Feature
Parameter Description for SingleRAN.
4.4 SSL
SSL is a security protocol developed by Netscape. The latest standard version of SSL is
Transport Layer Security version 1.2 (TLSv1.2), which aims to provide authentication,
confidentiality, and integrity protection for two communication applications.
SSL enables an end-to-end secure connection to be established between two pieces of
equipment. The details are as follows:
l
SSL operates between the transport and application layers. It is carried over reliable
transport layer protocols but is independent of application layer protocols.
Before any communication using application layer protocols, negotiation of the

encryption algorithm and key and authentication have to be completed.
Application layer protocols such as HTTP, FTP, and Telnet can be transparently carried
over SSL. All data transmitted using the application layer protocols is encrypted to
ensure confidentiality.
SSL also protects O&M data transmitted between the base station or base station controller
and the U2000 to provide secure remote maintenance.
For details about SSL, see SSL Feature Parameter Description for SingleRAN.
4.5 PKI
PKI uses an asymmetric cryptographic algorithm to provide information security. It mainly
manages keys and digital certificates. The functionalities and interfaces related to PKI comply
with X.509 and 3GPP TS 33.310.
A PKI system consists of the following elements: CA, RA (optional), certificate & CRL
database, and end entity.
PKI defines a certificate management system, which uses CPMv2 to exchange management
information between NEs in a PKI system. CMPv2 provides the following functions:
l
Certificate registration, application, and revocation
Key update and recovery
Issue 01 (2014-04-26)

13
SingleRAN
Description
Cross-certification
CA key update announcement
Certificate issuing and revocation announcements
Using CMPv2, the base station and the PKI system exchange information about applying for,
issuing, and updating a certificate to implement certificate management.
For details about PKI, see PKI Feature Parameter Description for SingleRAN.
Issue 01 (2014-04-26)

14
SingleRAN
Description
5 Parameters
Parameters
There are no specific parameters associated with this feature.
Issue 01 (2014-04-26)

15
SingleRAN
Description
6 Counters
Counters
There are no specific counters associated with this feature.
Issue 01 (2014-04-26)

16
SingleRAN
Description
7 Glossary
Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.
Issue 01 (2014-04-26)

17
SingleRAN
Description
8 Reference Documents
Reference Documents
1.
ITU-T X.800, "Security architecture for Open Systems Interconnection for CCITT
applications", March 1991
2.
ITU-T X.805, "Security architecture for systems providing end-to-end communications",

October 2003
3.
NGMN Alliance, "Security in LTE backhauling A white paper", V1.0, February 2012
4.
3GPP TS 33.102 V11.3.0 (2012-06): "3G security; Security architecture"
5.
3GPP TS 33.210 V11.3.0 (2011-12): "3G security; Network Domain Security (NDS); IP
network layer security"
6.
3GPP TS 33.310 V10.5.0 (2011-12): "Network Domain Security (NDS); Authentication

Framework (AF)"
7.
3GPP TS 33.401 V11.4.0 (2012-06): "3GPP System Architecture Evolution (SAE);

Security architecture"
8.
IETF RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005
9.
IETF RFC 4306, "Internet Key Exchange (IKEv2) Protocol"
10. IPsec Feature Parameter Description

11. Access Control based on 802.1x Feature Parameter Description
12. SSL Feature Parameter Description
13. PKI Feature Parameter Description
Issue 01 (2014-04-26)

18

Transmission Security Overview (SRAN9.0 - 01)

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Transmission Security Overview (SRAN9.0 - 01)

Enviado por

Direitos autorais:

Formatos disponíveis

SingleRAN

Transmission Security Overview

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2016. All rights reserved.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Industrial Base

Huawei Proprietary and Confidential

2 Transport Network Overview..................................................................................................... 5

3 Transmission Security Solutions................................................................................................7

4 Transmission Security Features................................................................................................12

Huawei Proprietary and Confidential

1 About This Document

About This Document

Base stations, including 3900 series base stations

Base station controllers, including the BSC, RNC, and MBSC

Table 1-1 defines all types of base stations.

A base station configured with a GTMU, GTMUb, or GTMUc and

A base station configured with a UMPT_G.

A base station configured with a WMPT or UMPT_U.

A base station configured with an LMPT or UMPT_L.

A base station configured with a UMPT_GU, UMPT_GL, UMPT_UL,

Huawei Proprietary and Confidential

1 About This Document

1.2 Intended Audience

Need to understand transmission security

Work with Huawei products

1.3 Change History

SRAN9.0 Draft B (2014-02-28)

Added the description about the feature and

SRAN9.0 Draft A (2014-01-20)

Huawei Proprietary and Confidential

1 About This Document

Huawei mobile network management system

1.4 Differences Between Base Station Types

Feature Support by Macro, Micro, and LampSite Base Stations

Huawei Proprietary and Confidential

1 About This Document

Function Implementation in Macro, Micro, and LampSite Base Stations

IPsec NAT traversal

IPSec NAT traversal is specific to micro base stations.

Huawei Proprietary and Confidential

2 Transport Network Overview

Transport Network Overview

Huawei Proprietary and Confidential

2 Transport Network Overview

2.3 Security Requirements

2.3.1 NDS Dimensions Defined by 3GPP

Data source authentication

(Optional) data confidentiality

2.3.2 NDS Mechanism Defined by 3GPP

Secure communication between NEs is implemented by IPsec, which provides protective

The typical security procedure is as follows:

The base station enables an IPsec tunnel.

The SeGW receives and processes the IPsec packets.

Huawei Proprietary and Confidential

3 Transmission Security Solutions

Transmission Security Solutions

Huawei Proprietary and Confidential

3 Transmission Security Solutions

3.1 On a Trusted Network

Secure Sockets Layer (SSL)

Complies with SSL and 802.1x