Issue 01
Date: 2014-04-26
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2014-04-26)
SingleRAN
Transmission Security Overview Feature Parameter Description
Contents
1 About This Document ... 1
1.1 Scope ... 1
1.2 Intended Audience ... 2
1.3 Change History ... 2
1.4 Differences Between Base Station Types ... 3
5 Parameters ... 15
6 Counters ... 16
7 Glossary ... 17
8 Reference Documents ... 18
1.1 Scope
This document describes transmission security, including transport network overview and
transmission security solutions and features.
This document involves the following network elements (NEs):
- U2000
Base Station Name / Definition
GBTS
eGBTS
NodeB
eNodeB
Co-MPT multimode base station
Separate-MPT multimode base station: A base station on which each mode uses its separate main control board. For example, a base station configured with a GTMU and WMPT is called a separate-MPT GSM/UMTS dual-mode base station.
Feature change: Changes in features and parameters of a specified version as well as the affected entities
Editorial change: Changes in wording or addition of information that was not described in the earlier version
SRAN9.0 01 (2014-04-26)
This is the first official release. This issue does not include any changes.

Change Type / Change Description / Parameter Change
Feature change: None / None
Editorial change: None / None
Base Station / RAT
BTS3803E: UMTS
BTS3902E: UMTS
BTS3202E: LTE FDD
BTS3203E: LTE FDD
NOTE
The co-MPT and separate-MPT applications are irrelevant to single-mode micro base stations.
2.1 IP Backhaul
A mobile backhaul network transmits data between a base station and a base station
controller. Figure 2-1 shows an IP-based mobile backhaul network (IP backhaul for short).
This section describes transmission security solutions for the IP backhaul.
Figure 2-1 IP backhaul network
2.2 Evolution
In TDM/ATM or IP over E1 mode, a transport network is generally only used to carry radio
services, and transmission links inherently provide their own high security. Therefore, there is
no need to deploy additional security features. However, with the wide development of
mobile broadband (MBB), transport networks have evolved towards all-IP based networks.
This not only means that data migrates to the packet switched (PS) domain, but also that the
transport network becomes completely open and easily accessible. As a result, transport
networks carrying telecommunication services face various security concerns.
NOTE
This document only describes transmission security pertaining to the Ethernet or IP network.
To protect radio equipment from security threats and attacks and to provide secure
communication on transport networks, multi-plane security measures are required.
Data integrity
Data integrity ensures the correctness or accuracy of data by preventing data from
unauthorized modification, removal, and creation, and provides proof of such
unauthorized activities. For example, Internet Protocol Security (IPsec) provides
integrity protection for all IP packets.
Anti-replay protection
Anti-replay protection is a special case of integrity protection. It protects packets from
being intercepted, modified, and then reinserted by a third party.
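To show what anti-replay protection actually checks, here is an added example (not code from the Huawei document) of the receiver-side sliding window that ESP (RFC 4303, Appendix A) uses: a packet whose sequence number was already accepted, or which falls behind the window, is dropped before any further processing. The sequence numbers fed through it are constructed sample traffic.

```python
# Added example, not part of the original document: ESP-style anti-replay window
# (sliding-window algorithm of RFC 4303 Appendix A). The receiver keeps the
# highest sequence number accepted so far plus a bitmap of the last `size`
# sequence numbers; replays and packets older than the window are rejected.


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size      # window width; 64 is the RFC 4303 default
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) already accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False                      # ESP never uses sequence number 0
        if seq > self.top:
            shift = seq - self.top            # window slides forward by this much
            if shift >= self.size:
                self.bitmap = 1               # everything tracked so far leaves the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # behind the window: cannot judge, so drop
        if (self.bitmap >> diff) & 1:
            return False                      # already accepted once: replay
        self.bitmap |= 1 << diff              # late but fresh: accept and mark
        return True


def filter_sequence(seqs, size=64):
    """Run constructed ESP sequence numbers through one window; return those rejected."""
    window = AntiReplayWindow(size)
    return [s for s in seqs if not window.check_and_update(s)]


# Constructed traffic: 3 replayed, 5 reordered (late but fresh), 1 replayed after
# the window has moved 64 or more past it, then 36 (too old) and 37 (still inside).
SAMPLE_SEQS = [1, 2, 3, 3, 6, 5, 80, 1, 100, 36, 37]

if __name__ == "__main__":
    print(filter_sequence(SAMPLE_SEQS))  # [3, 1, 36]
```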
Each security domain has one or more SeGWs in order to balance traffic load or to
prevent a single point of failure.
The base station sends IPsec packets to the SeGW through the IPsec tunnel in the IP
backhaul.
The base station uses the public key infrastructure (PKI) and the pre-shared key (PSK) to
authenticate the identity of the peer end.
This chapter describes recommended transmission security solutions that meet transmission
security standards and operator requirements.
802.1x
The base station is authenticated based on 802.1x before it accesses the network, which
ensures network security.
Figure 3-1 shows the logical networking for transmission security on a trusted network.
Figure 3-1 Logical networking for transmission security on a trusted network
Table 3-1 describes the NEs involved in the transmission security solution for trusted
networks.
Table 3-1 NEs involved in the transmission security solution for trusted networks
NE / Description
Base station
U2000
802.1x authenticator
Table 3-2 describes the external interfaces involved in the transmission security solution for
trusted networks.
Table 3-2 External interfaces involved in the transmission security solution for trusted
networks
External Interface / Description
SSL interface: Located between the base station and U2000. Through this interface, the base station establishes an SSL connection to the U2000.
802.1x interface
IPsec
The base station supports IPsec. In IPsec networking, an SeGW is deployed to terminate
an IPsec tunnel on the core network (CN) side. In addition to the IPsec tunnel solution,
IPsec also provides the secure base station deployment solution and the IPsec reliability
solution.
NOTE
Clock packets can be carried over the user, control, or management plane. That is, clock packets
can be transmitted using the IP address for any of the base station's user, control, and management
planes.
PKI
The base station complies with Certificate Management Protocol v2 (CMPv2) and can be
preconfigured with a device certificate before delivery. With the cooperation of base
stations, a PKI system issues and manages certificates for authentication during IPsec/
802.1x/SSL implementation.
SSL
O&M data between the base station and the U2000 or LMT is encrypted by SSL, which
improves transmission security.
802.1x
The base station is authenticated based on 802.1x before it accesses the network, which
ensures network security.
Figure 3-2 shows the logical networking for transmission security on an untrusted network.
Table 3-3 describes the NEs involved in the transmission security solution for untrusted
networks.
Table 3-3 NEs involved in the transmission security solution for untrusted networks
NE / Description
Base station
U2000
AAA server
802.1x authenticator
SeGW
PKI: - Manages digital certificates for NEs such as the base station and SeGW.
Table 3-4 describes the external interfaces involved in the transmission security solution
for untrusted networks.
Table 3-4 External interfaces involved in the transmission security solution for untrusted
networks
External Interface / Description
SSL interface: Located between the base station and U2000. Through this interface, the base station establishes an SSL connection to the U2000.
802.1x interface
IPsec interface: Located between the base station and SeGW. Through this interface, an IPsec tunnel is established.
PKI interface:
- CMPv2 interface: Located between the base station and CA or between the base station and RA. Through this interface, the base station sends a request to the CA or RA to apply for, revoke, and update a digital certificate.
- LDAP/FTP interface: Located between the base station and CRL server. Through this interface, the base station downloads CRLs.
4.1 Introduction
Transmission security features include IPsec, 802.1x, SSL, and PKI-CMPv2, as shown in
Figure 4-1.
Figure 4-1 Transmission security features
4.2 IPsec
IPsec is a security framework defined by the IETF. It can provide end-to-end secure data
transmission on untrusted networks, such as the Internet. On IP networks, IPsec provides
transparent, interoperable, and cryptography-based security services to ensure confidentiality,
integrity, and authenticity of data and to provide anti-replay protection.
IPsec operates at the IP layer of the TCP/IP protocol stack and provides transparent security
services for upper-layer applications. (TCP stands for Transmission Control Protocol.)
For details about IPsec, see IPsec Feature Parameter Description for SingleRAN.
After a base station initially accesses the network and before it is authenticated, only
802.1x authentication packets can be transmitted over a port on the authentication access
equipment.
After the authentication server authenticates the base station and authorizes the port, data
can be transmitted over the authorized port. This ensures that only authorized users can
access the network.
For details about access control based on 802.1x, see Access Control based on 802.1x Feature
Parameter Description for SingleRAN.
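The two-step behaviour described above (only 802.1x frames pass an unauthorized port; everything passes once the authentication server has authorized it) can be modelled compactly. The following is an added example, not Huawei code; it models the authenticator's controlled port, uses the real EAPOL EtherType 0x888E, and feeds it constructed frames with placeholder MAC addresses.

```python
# Added example, not part of the original document: a minimal model of an
# 802.1x-controlled port as the authenticator sees it. Before the AAA server
# reports success, only EAPOL frames (EtherType 0x888E) are admitted; after
# the port is authorized, ordinary traffic from the base station passes too.
import struct

ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X EAP over LAN
ETHERTYPE_IPV4 = 0x0800


def ethertype_of(frame):
    """EtherType from a 14-byte Ethernet II header, or None if the frame is too short."""
    if len(frame) < 14:
        return None
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    return etype


class ControlledPort:
    def __init__(self):
        self.authorized = False          # changed only by the authentication result

    def on_auth_result(self, success):
        """The AAA server's decision authorizes (or de-authorizes) the port."""
        self.authorized = bool(success)

    def admit(self, frame):
        """True if the frame from the supplicant (base station) may be forwarded."""
        etype = ethertype_of(frame)
        if etype is None:
            return False                 # malformed frame: never forwarded
        if etype == ETHERTYPE_EAPOL:
            return True                  # authentication traffic always reaches the authenticator
        return self.authorized


def build_frame(etype, payload=b""):
    """Constructed frame with placeholder MAC addresses (sample data, not captured traffic)."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", etype) + payload


def run_scenario():
    """Return (ip_before, eapol_before, ip_after) admission results for a constructed sequence."""
    port = ControlledPort()
    ip = build_frame(ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)          # minimal IPv4-looking payload
    eapol = build_frame(ETHERTYPE_EAPOL, b"\x02\x00\x00\x00")         # EAPOL v2, EAP-Packet, length 0
    ip_before = port.admit(ip)
    eapol_before = port.admit(eapol)
    port.on_auth_result(True)                                          # authentication server authorizes the port
    ip_after = port.admit(ip)
    return ip_before, eapol_before, ip_after


if __name__ == "__main__":
    print(run_scenario())  # (False, True, True)
```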
4.4 SSL
SSL is a security protocol developed by Netscape. The latest standard version of SSL is
Transport Layer Security version 1.2 (TLSv1.2), which aims to provide authentication,
confidentiality, and integrity protection for two communication applications.
SSL enables an end-to-end secure connection to be established between two pieces of
equipment. The details are as follows:
- SSL operates between the transport and application layers. It is carried over reliable transport layer protocols but is independent of application layer protocols.
- Application layer protocols such as HTTP, FTP, and Telnet can be transparently carried over SSL. All data transmitted using the application layer protocols is encrypted to ensure confidentiality.
SSL also protects O&M data transmitted between the base station or base station controller
and the U2000 to provide secure remote maintenance.
For details about SSL, see SSL Feature Parameter Description for SingleRAN.
4.5 PKI
PKI uses an asymmetric cryptographic algorithm to provide information security. It mainly
manages keys and digital certificates. The functionalities and interfaces related to PKI comply
with X.509 and 3GPP TS 33.310.
A PKI system consists of the following elements: CA, RA (optional), certificate & CRL
database, and end entity.
PKI defines a certificate management system, which uses CMPv2 to exchange management
information between NEs in a PKI system. CMPv2 provides the following functions:
- Cross-certification
Using CMPv2, the base station and the PKI system exchange information about applying for,
issuing, and updating a certificate to implement certificate management.
For details about PKI, see PKI Feature Parameter Description for SingleRAN.
5 Parameters

6 Counters

7 Glossary

8 Reference Documents