
SingleRAN

Transmission Security Overview
Feature Parameter Description

Issue: 01
Date: 2014-04-26

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2016. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2014-04-26)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

SingleRAN Transmission Security Overview Feature Parameter Description

Contents

1 About This Document
  1.1 Scope
  1.2 Intended Audience
  1.3 Change History
  1.4 Differences Between Base Station Types
2 Transport Network Overview
  2.1 IP Backhaul
  2.2 Evolution
  2.3 Security Requirements
    2.3.1 NDS Dimensions Defined by 3GPP
    2.3.2 NDS Mechanism Defined by 3GPP
3 Transmission Security Solutions
  3.1 On a Trusted Network
  3.2 On an Untrusted Network
  3.3 Application Restrictions
    3.3.1 Scenario 1: RAN Sharing Applied
    3.3.2 Scenario 2: Transmission on Public Networks
    3.3.3 Scenario 3: Base Stations Cascaded
4 Transmission Security Features
  4.1 Introduction
  4.2 IPsec
  4.3 Access Control Based on 802.1x
  4.4 SSL
  4.5 PKI
5 Parameters
6 Counters
7 Glossary
8 Reference Documents


1 About This Document

1.1 Scope

This document describes transmission security, including a transport network overview and the transmission security solutions and features.

This document involves the following network elements (NEs):

- Base stations, including 3900 series base stations
- Base station controllers, including the BSC, RNC, and MBSC
- U2000

Table 1-1 defines all types of base stations.


Table 1-1 Base station definitions

GBTS
    A base station configured with a GTMU, GTMUb, or GTMUc and maintained through a base station controller.
eGBTS
    A base station configured with a UMPT_G.
NodeB
    A base station configured with a WMPT or UMPT_U.
eNodeB
    A base station configured with an LMPT or UMPT_L.
Co-MPT multimode base station
    A base station configured with a UMPT_GU, UMPT_GL, UMPT_UL, UMPT_GT, UMPT_UT, UMPT_GUL, UMPT_GUT, or UMPT_GULT. A co-MPT multimode base station functionally corresponds to any physical combination of eGBTS, NodeB, and eNodeB. For example, a co-MPT multimode base station configured with a UMPT_GU functionally corresponds to the physical combination of eGBTS and NodeB.
Separate-MPT multimode base station
    A base station on which each mode uses its separate main control board. For example, a base station configured with a GTMU and WMPT is called a separate-MPT GSM/UMTS dual-mode base station.

1.2 Intended Audience

This document is intended for personnel who:

- Need to understand transmission security
- Work with Huawei products

1.3 Change History

This section provides information about the changes in different document versions. There are two types of changes:

- Feature change: changes in features and parameters of a specified version as well as the affected entities
- Editorial change: changes in wording or addition of information that was not described in the earlier version

SRAN9.0 01 (2014-04-26)

This is the first official release. This issue does not include any changes.

SRAN9.0 Draft B (2014-02-28)

This issue includes the following changes.

Feature change
    Change description: None.
    Parameter change: None
Editorial change
    Change description: Added the description about the feature and function differences between different base station types. For details, see 1.4 Differences Between Base Station Types.
    Parameter change: None.

SRAN9.0 Draft A (2014-01-20)

Compared with Issue 02 (2013-08-30) of SRAN8.0, Draft A (2014-01-20) of SRAN9.0 includes the following changes.

Feature change
    Change description: Huawei mobile network management system M2000 is renamed U2000.
    Parameter change: None
Editorial change
    Change description: None
    Parameter change: None

1.4 Differences Between Base Station Types

Definition

The macro base stations described in this document refer to 3900 series base stations. These base stations work in GSM, UMTS, or LTE mode, as listed in the "Scope" section.

The LampSite base stations described in this document refer to distributed base stations that provide indoor coverage. These base stations work in UMTS or LTE mode but not in GSM mode.

The micro base stations described in this document refer to all integrated entities that work in UMTS or LTE mode but not in GSM mode. Descriptions of boards, cabinets, subracks, slots, and RRUs do not apply to micro base stations.

The following table defines the types of micro base stations.

Base Station Model: RAT
    BTS3803E: UMTS
    BTS3902E: UMTS
    BTS3202E: LTE FDD
    BTS3203E: LTE FDD

NOTE
The co-MPT and separate-MPT applications are irrelevant to single-mode micro base stations.

Feature Support by Macro, Micro, and LampSite Base Stations

None

Function Implementation in Macro, Micro, and LampSite Base Stations

IPsec NAT traversal
    IPsec NAT traversal is specific to micro base stations. A NAT gateway is likely to be deployed when data is transmitted on the public network. When a NAT gateway is deployed along the IPsec tunnel, the communicating parties must both support NAT traversal.

2 Transport Network Overview

2.1 IP Backhaul
A mobile backhaul network transmits data between a base station and a base station
controller. Figure 2-1 shows an IP-based mobile backhaul network (IP backhaul for short).
This section describes transmission security solutions for the IP backhaul.
Figure 2-1 IP backhaul network

2.2 Evolution

In TDM/ATM or IP over E1 mode, a transport network is generally used only to carry radio services, and the transmission links inherently provide a high level of security. Therefore, there is no need to deploy additional security features. However, with the wide adoption of mobile broadband (MBB), transport networks have evolved towards all-IP networks. This not only means that data migrates to the packet switched (PS) domain, but also that the transport network becomes completely open and easily accessible. As a result, transport networks carrying telecommunication services face various security concerns.

NOTE
This document only describes transmission security pertaining to the Ethernet or IP network.

To protect radio equipment from security threats and attacks and to provide secure communication on transport networks, multi-plane security measures are required.


2.3 Security Requirements

As indicated in 3GPP TS 33.210, Network Domain Security for IP based protocols (NDS/IP) is recommended for transmission security.

2.3.1 NDS Dimensions Defined by 3GPP

3GPP defines the following NDS dimensions:

- Data integrity
  Data integrity ensures the correctness or accuracy of data by preventing unauthorized modification, removal, and creation of data, and provides proof of such unauthorized activities. For example, Internet Protocol Security (IPsec) provides integrity protection for all IP packets.
- Data source authentication
  Data source authentication ensures that the source of the data received is as claimed.
- Anti-replay protection
  Anti-replay protection is a special case of integrity protection. It protects packets from being intercepted, modified, and then reinserted by a third party.
- (Optional) Data confidentiality
  Data confidentiality ensures that only authorized entities can access and parse data, thereby preventing eavesdropping.

2.3.2 NDS Mechanism Defined by 3GPP

In NDS/IP, all the nodes on the network are regarded as IP nodes. NDS/IP in 3GPP networks uses the standard security procedures and mechanisms defined by the IETF.

This mechanism divides a network into different security domains, which are isolated by security gateways (SeGWs). The SeGWs perform routing and enforce security policies for traffic between the security domains. The mechanism is described as follows:

- Each security domain has one or more SeGWs, in order to balance the traffic load or to prevent a single point of failure.
- Secure communication between NEs is implemented by IPsec, which provides protective measures such as data source authentication, data integrity checking, and data confidentiality.

The typical security procedure is as follows:

1. The base station enables an IPsec tunnel.
2. The base station sends IPsec packets to the SeGW through the IPsec tunnel in the IP backhaul.
3. The SeGW receives and processes the IPsec packets.
4. The base station uses the public key infrastructure (PKI) and the pre-shared key (PSK) to authenticate the identity of the peer end.

3 Transmission Security Solutions

This chapter describes recommended transmission security solutions that meet transmission security standards and operator requirements.


3.1 On a Trusted Network

On a trusted network, sites are physically safe. For example, an operator that owns a site can strictly control access to the site, and the site or transport network is managed by one organization.

The security policy for trusted networks, then, is to deploy strong authentication protocols to restrict network access.

Transmission security solutions for trusted networks are as follows:

- Secure Sockets Layer (SSL)
  Operation and maintenance (O&M) data between the base station and the U2000 or LMT is encrypted by SSL. This improves the transmission security of O&M channels.
- 802.1x
  The base station is authenticated based on 802.1x before it accesses the network, which ensures network security.

Figure 3-1 shows the logical networking for transmission security on a trusted network.

Figure 3-1 Logical networking for transmission security on a trusted network

Table 3-1 describes the NEs involved in the transmission security solution for trusted networks.
Table 3-1 NEs involved in the transmission security solution for trusted networks

Base station
    Complies with SSL and 802.1x.
U2000
    Configures and manages base stations.
Authentication, Authorization and Accounting (AAA) server
    Uses digital certificates to perform access control based on 802.1x on base stations.
802.1x authenticator
    A switch on the transport network that is enabled with access control based on 802.1x.


Table 3-2 describes the external interfaces involved in the transmission security solution for trusted networks.

Table 3-2 External interfaces involved in the transmission security solution for trusted networks

SSL interface
    Located between the base station and U2000. Through this interface, the base station establishes an SSL connection to the U2000.
802.1x interface
    Located between the base station and 802.1x authenticator. Through this interface, the base station initiates access control based on 802.1x.

3.2 On an Untrusted Network

On an untrusted network, sites are physically unsafe. An operator that owns a site cannot strictly control access, and the site or transport network may be managed by one or multiple organizations.

The security policy for an untrusted network is to use IPsec and other security features to protect data on the user, control, and management planes.

Transmission security solutions for untrusted networks are as follows:

- IPsec
  The base station supports IPsec. In IPsec networking, an SeGW is deployed to terminate the IPsec tunnel on the core network (CN) side. In addition to the IPsec tunnel solution, IPsec also provides the secure base station deployment solution and the IPsec reliability solution.
  NOTE
  Clock packets can be carried over the user, control, or management plane. That is, clock packets can be transmitted using the IP address of any of the base station's user, control, and management planes.
- PKI
  The base station complies with Certificate Management Protocol v2 (CMPv2) and can be preconfigured with a device certificate before delivery. With the cooperation of base stations, a PKI system issues and manages certificates for authentication during IPsec/802.1x/SSL implementation.
- SSL
  O&M data between the base station and the U2000 or LMT is encrypted by SSL, which improves transmission security.
- 802.1x
  The base station is authenticated based on 802.1x before it accesses the network, which ensures network security.

Figure 3-2 shows the logical networking for transmission security on an untrusted network.

Figure 3-2 Logical networking for transmission security on an untrusted network

Table 3-3 describes the NEs involved in the transmission security solution for untrusted networks.

Table 3-3 NEs involved in the transmission security solution for untrusted networks

Base station
    - Uses an integrated firewall to protect against attacks.
    - Supports the configuration of VLANs to isolate data on the user, control, and management planes.
U2000
    Configures and manages base stations.
AAA server
    Uses digital certificates to perform access control based on 802.1x on base stations.
802.1x authenticator
    A switch on the transport network that is enabled with access control based on 802.1x.
SeGW
    - Terminates an IPsec tunnel.
    - Uses an integrated firewall to protect against attacks on the CN.
PKI
    - Includes the CA/RA and certificate revocation list (CRL) server.
      NOTE: CA stands for certificate authority and RA stands for registration authority.
    - Manages digital certificates for NEs such as the base station and SeGW.

Table 3-4 describes the external interfaces involved in the transmission security solution for untrusted networks.


Table 3-4 External interfaces involved in the transmission security solution for untrusted networks

SSL interface
    Located between the base station and U2000. Through this interface, the base station establishes an SSL connection to the U2000.
802.1x interface
    Located between the base station and 802.1x authenticator. Through this interface, the base station initiates access control based on 802.1x.
IPsec interface
    Located between the base station and SeGW. Through this interface, an IPsec tunnel is established.
PKI interface
    - CMPv2 interface: located between the base station and CA or between the base station and RA. Through this interface, the base station sends a request to the CA or RA to apply for, revoke, and update a digital certificate.
    - LDAP/FTP interface: located between the base station and CRL server. Through this interface, the base station downloads CRLs.

3.3 Application Restrictions

3.3.1 Scenario 1: RAN Sharing Applied

When RAN Sharing is applied, multiple IPsec tunnels must be established in order to isolate and protect the data of each operator. Currently, different operators can only use the same digital certificate for authentication.

3.3.2 Scenario 2: Transmission on Public Networks

For transmission on public networks, IPsec tunnels must support Network Address Translation (NAT). Currently, 3900 series base stations do not support IPsec tunnels enabled with NAT.

3.3.3 Scenario 3: Base Stations Cascaded

When multiple base stations are cascaded, each base station must be protected by IPsec. It is recommended that each base station have a separate IPsec tunnel and that the hub base station perform forwarding only.
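The NDS/IP rules from section 2.3.2 (every security domain isolated by one or more SeGWs, every NE secured by IPsec) together with the restrictions in sections 3.3.1 to 3.3.3 (one tunnel per operator under RAN Sharing, one tunnel per cascaded base station, the hub forwarding only) can be checked against a deployment plan before any tunnel is configured. The following is an added example; it is not part of this document and is not Huawei code. The Plan data layout, the site and gateway names, and the wording of the findings are assumptions made for the example.

```python
"""
Checker for an IPsec tunnel plan against the NDS/IP rules in sections 2.3.2
and 3.3.  Every security domain must be fronted by a SeGW (more than one avoids
a single point of failure), every base station must own a tunnel that
terminates on a SeGW, a RAN-shared site needs one tunnel per operator, and a
hub base station only forwards cascaded traffic instead of terminating it.
All names, the Plan layout and the finding texts are constructed for this
example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Tunnel:
    base_station: str  # tunnel initiator
    operator: str      # operator whose user/control/management traffic it carries
    peer: str          # where the tunnel terminates; must be a SeGW


@dataclass
class BaseStation:
    operators: Set[str]            # more than one operator means RAN Sharing
    uplink: Optional[str] = None   # hub base station this site is cascaded behind


@dataclass
class Plan:
    segws: Dict[str, Set[str]]             # security domain -> SeGW names
    base_stations: Dict[str, BaseStation]  # base station name -> its properties
    tunnels: List[Tunnel] = field(default_factory=list)


def check_plan(plan: Plan) -> List[str]:
    """Return a list of findings; an empty list means the plan follows the rules."""
    findings: List[str] = []
    all_segws: Set[str] = set()
    for gws in plan.segws.values():
        all_segws |= gws

    # Rule 1: each security domain is isolated by at least one SeGW.
    for domain, gws in plan.segws.items():
        if not gws:
            findings.append(f"domain {domain}: no SeGW, domain is not isolated")
        elif len(gws) == 1:
            findings.append(f"domain {domain}: single SeGW is a single point of failure")

    # Rule 2: tunnels terminate on SeGWs only (a hub base station forwards, it does not terminate).
    for t in plan.tunnels:
        if t.base_station not in plan.base_stations:
            findings.append(f"{t.base_station}: unknown base station")
        if t.peer not in all_segws:
            findings.append(f"{t.base_station}: tunnel terminates on {t.peer}, which is not a SeGW")

    # Rule 3: every base station, cascaded or not, owns its tunnel; one per operator when shared.
    for name, bs in plan.base_stations.items():
        if bs.uplink is not None and bs.uplink not in plan.base_stations:
            findings.append(f"{name}: uplink {bs.uplink} is not a known base station")
        own = [t for t in plan.tunnels if t.base_station == name]
        if not own:
            findings.append(f"{name}: no IPsec tunnel of its own")
            continue
        covered = {t.operator for t in own}
        for op in sorted(bs.operators - covered):
            findings.append(f"{name}: operator {op} has no separate tunnel")
    return findings


def example_plans():
    """Constructed plans: a compliant one and one that breaks three of the rules."""
    sites = {
        "bs-hub": BaseStation(operators={"opA"}),
        "bs-leaf": BaseStation(operators={"opA", "opB"}, uplink="bs-hub"),
    }
    good = Plan(
        segws={"core": {"segw-1", "segw-2"}},
        base_stations=sites,
        tunnels=[
            Tunnel("bs-hub", "opA", "segw-1"),
            Tunnel("bs-leaf", "opA", "segw-1"),
            Tunnel("bs-leaf", "opB", "segw-2"),
        ],
    )
    bad = Plan(
        segws={"core": {"segw-1"}},
        base_stations=sites,
        tunnels=[
            Tunnel("bs-hub", "opA", "segw-1"),
            Tunnel("bs-leaf", "opA", "bs-hub"),  # leaf tunnel ends on the hub: wrong
        ],
    )
    return good, bad


if __name__ == "__main__":
    good, bad = example_plans()
    print("good plan:", check_plan(good))
    for finding in check_plan(bad):
        print("bad plan:", finding)
```

The checker deliberately reports all findings rather than stopping at the first one, so a plan review sees the full list; the NAT restriction of section 3.3.2 is not modelled because it depends on the base station type rather than on the tunnel topology.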

4 Transmission Security Features

4.1 Introduction
Transmission security features include IPsec, 802.1x, SSL, and PKI-CMPv2, as shown in
Figure 4-1.
Figure 4-1 Transmission security features

4.2 IPsec
IPsec is a security framework defined by the IETF. It can provide end-to-end secure data
transmission on untrusted networks, such as the Internet. On IP networks, IPsec provides
transparent, interoperable, and cryptography-based security services to ensure confidentiality,
integrity, and authenticity of data and to provide anti-replay protection.
IPsec operates at the IP layer of the TCP/IP protocol stack and provides transparent security
services for upper-layer applications. (TCP stands for Transmission Control Protocol.)
For details about IPsec, see IPsec Feature Parameter Description for SingleRAN.
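The integrity, data-origin authentication and anti-replay services listed in section 2.3.1 and summarised here are delivered by the receive-side processing of an ESP security association. The following added example (not from this document, and not Huawei code) models that processing after RFC 4303: an HMAC integrity check value authenticates the packet and its sender, and a 64-packet sliding window rejects replayed or far-too-old sequence numbers. The key, the packet layout (SPI, sequence number, payload, ICV) and the sample packets are constructed for the example; a real ESP stack uses the negotiated cipher and MAC transforms and encrypts the payload as well.

```python
"""
Receive-side checks of an ESP security association, modelled after RFC 4303.
An HMAC integrity check value (ICV) gives data integrity and data-origin
authentication (only a holder of the SA key can produce it), and a sliding
window rejects replayed or far-too-old sequence numbers.  Key, packet layout
and sample packets are constructed for this example.
"""
import hashlib
import hmac
import struct
from typing import Tuple

WINDOW = 64   # RFC 4303: minimum anti-replay window 32, default 64
ICV_LEN = 16  # truncated HMAC-SHA-256 tag (the full 32 bytes would also work)


class InboundSA:
    """State a receiver keeps per inbound SA: key, highest seq seen, replay bitmap."""

    def __init__(self, spi: int, auth_key: bytes) -> None:
        self.spi = spi
        self.auth_key = auth_key
        self.highest = 0   # highest sequence number accepted so far (first valid seq is 1)
        self.bitmap = 0    # bit i set => sequence number (highest - i) already accepted

    def _icv(self, body: bytes) -> bytes:
        return hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

    def protect(self, seq: int, payload: bytes) -> bytes:
        """Sender side of the same SA: SPI || seq || payload || ICV (constructed layout)."""
        body = struct.pack("!II", self.spi, seq) + payload
        return body + self._icv(body)

    def receive(self, packet: bytes) -> Tuple[bool, str]:
        """Return (accepted, reason).  Replay state is updated only after the ICV
        verifies, so a forged packet can never advance the window."""
        if len(packet) < 8 + ICV_LEN:
            return False, "truncated"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return False, "unknown SPI"
        if seq == 0:
            return False, "sequence number 0 is never sent on an SA"
        # Window check first (cheap), then the ICV, as RFC 4303 section 3.4.3 orders it.
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= WINDOW:
                return False, "too old"
            if (self.bitmap >> offset) & 1:
                return False, "replay"
        if not hmac.compare_digest(icv, self._icv(body)):
            return False, "bad ICV"
        self._mark(seq)
        return True, "ok"

    def _mark(self, seq: int) -> None:
        """Record an accepted sequence number, sliding the window forward if needed."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


if __name__ == "__main__":
    sa = InboundSA(spi=0x1001, auth_key=b"\x11" * 32)   # constructed SA key
    p1, p3 = sa.protect(1, b"a"), sa.protect(3, b"c")
    print(sa.receive(p3), sa.receive(p1), sa.receive(p1))  # ok, ok (inside window), replay
```

The order of the checks matters: a packet with a tampered ICV is dropped without touching the window, so an attacker who injects traffic cannot push legitimate, slightly delayed packets out of the window.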

4.3 Access Control Based on 802.1x

802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard for port-based network access control. Access control based on 802.1x involves the following NEs:

- Client, such as a base station
- Authentication access equipment, such as a local area network (LAN) switch
- Authentication server, such as an AAA server

Access control based on 802.1x is implemented as follows:

- After a base station initially accesses the network and before it is authenticated, only 802.1x authentication packets can be transmitted over a port on the authentication access equipment.
- After the authentication server authenticates the base station and authorizes the port, data can be transmitted over the authorized port. This ensures that only authorized users can access the network.

For details about access control based on 802.1x, see Access Control based on 802.1x Feature Parameter Description for SingleRAN.
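The two-step behaviour just described (only 802.1x frames pass until the AAA server accepts the client, then the port forwards that client's traffic) is easiest to see as a small state machine on the authenticator port. The following is an added example written for this page, not the switch or base station implementation. The frame fields, the text-style EAPOL payloads, the MAC addresses and the identity list that stands in for the certificate-based AAA decision are all constructed.

```python
"""
Minimal model of an 802.1X authenticator port.  While the port is unauthorized
only EAPOL (IEEE 802.1X, EtherType 0x888E) frames are processed and everything
else from the client is dropped.  After the AAA server accepts the client's
identity the port is authorized for that client and forwards its traffic.
Frame fields, EAPOL payloads, MAC addresses and the AAA stand-in are constructed.
"""
from enum import Enum
from typing import Callable, Optional

ETHERTYPE_EAPOL = 0x888E  # IEEE 802.1X EAP over LAN
ETHERTYPE_IPV4 = 0x0800

# Stand-in for the AAA server's decision (in practice an EAP exchange carried over
# RADIUS, with the base station's certificate as the credential): the identities
# the operator has enrolled.
ENROLLED_IDENTITIES = {"CN=bs-0001,O=OperatorA"}


def aaa_accept(identity: str) -> bool:
    return identity in ENROLLED_IDENTITIES


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


class AuthenticatorPort:
    """One switch port with 802.1X access control enabled."""

    def __init__(self, port_id: str, aaa_decide: Callable[[str], bool] = aaa_accept) -> None:
        self.port_id = port_id
        self.aaa_decide = aaa_decide
        self.state = PortState.UNAUTHORIZED
        self.supplicant: Optional[str] = None  # MAC address the port was authorized for

    def handle_frame(self, src_mac: str, ethertype: int, payload: bytes) -> str:
        """Return what the authenticator does with the frame."""
        if ethertype == ETHERTYPE_EAPOL:
            return self._handle_eapol(src_mac, payload)
        if self.state is PortState.AUTHORIZED and src_mac == self.supplicant:
            return "forwarded"
        return "dropped"  # unauthorized port: non-EAPOL traffic never reaches the network

    def _handle_eapol(self, src_mac: str, payload: bytes) -> str:
        if payload == b"EAPOL-Start":
            return "eap-request-identity"  # authenticator asks the client who it is
        if payload.startswith(b"EAP-Response/Identity:"):
            identity = payload.split(b":", 1)[1].decode()
            if self.aaa_decide(identity):
                self.state, self.supplicant = PortState.AUTHORIZED, src_mac
                return "eap-success"
            self.state, self.supplicant = PortState.UNAUTHORIZED, None
            return "eap-failure"
        if payload == b"EAPOL-Logoff" and src_mac == self.supplicant:
            self.state, self.supplicant = PortState.UNAUTHORIZED, None
            return "port-unauthorized"
        return "ignored"


if __name__ == "__main__":
    port = AuthenticatorPort("GE0/0/1")
    bs_mac = "00:11:22:33:44:55"  # constructed base station MAC
    print(port.handle_frame(bs_mac, ETHERTYPE_IPV4, b"ip packet"))            # dropped
    print(port.handle_frame(bs_mac, ETHERTYPE_EAPOL, b"EAPOL-Start"))         # eap-request-identity
    print(port.handle_frame(bs_mac, ETHERTYPE_EAPOL,
                            b"EAP-Response/Identity:CN=bs-0001,O=OperatorA"))  # eap-success
    print(port.handle_frame(bs_mac, ETHERTYPE_IPV4, b"ip packet"))            # forwarded
```

Note that authorization is bound to the supplicant's MAC address: traffic from another station on the same port stays dropped, and an EAPOL-Logoff returns the port to the unauthorized state.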

4.4 SSL

SSL is a security protocol developed by Netscape. The latest standard version of SSL is Transport Layer Security version 1.2 (TLSv1.2), which aims to provide authentication, confidentiality, and integrity protection for two communicating applications.

SSL enables an end-to-end secure connection to be established between two pieces of equipment. The details are as follows:

- SSL operates between the transport and application layers. It is carried over reliable transport layer protocols but is independent of application layer protocols.
- Before any communication using application layer protocols, the negotiation of the encryption algorithm and key, and the authentication, have to be completed.
- Application layer protocols such as HTTP, FTP, and Telnet can be transparently carried over SSL. All data transmitted using the application layer protocols is encrypted to ensure confidentiality.

SSL also protects O&M data transmitted between the base station or base station controller and the U2000 to provide secure remote maintenance.

For details about SSL, see SSL Feature Parameter Description for SingleRAN.
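The authentication goal named above only holds if the client actually verifies the server's certificate and insists on a current protocol version. The following added example (not from this document, and not the product's SSL stack) uses Python's ssl module to show the client-side policy an O&M channel should carry, next to a deliberately weak context and an audit function that reports what weakens it. The function names and finding texts are constructed for this example.

```python
"""
Client-side TLS policy for a remote-maintenance channel, a weak context for
comparison, and an audit that flags the settings which defeat authentication.
Written with Python's ssl module; function names and findings are constructed.
"""
import ssl
from typing import List, Optional


def make_om_client_context(ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Hardened O&M client: TLS 1.2 or later, server certificate required and name-checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)  # the operator's CA chain as PEM text
    else:
        ctx.load_default_certs()
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """What 'just make it connect' looks like: no certificate check, so no server authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Report settings that undermine the authentication goal of section 4.4."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("server name is not checked against the certificate")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_om_client_context()))
    print("weak:", audit_context(make_weak_client_context()))
```

With verification disabled the handshake still encrypts the session, but any party on the path can present its own certificate and terminate the connection, so confidentiality is lost together with authentication. An audit such as this belongs in the management tooling that reviews O&M client configuration.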

4.5 PKI

PKI uses an asymmetric cryptographic algorithm to provide information security. It mainly manages keys and digital certificates. The functionalities and interfaces related to PKI comply with X.509 and 3GPP TS 33.310.

A PKI system consists of the following elements: CA, RA (optional), certificate & CRL database, and end entity.

PKI defines a certificate management system, which uses CMPv2 to exchange management information between NEs in a PKI system. CMPv2 provides the following functions:

- Certificate registration, application, and revocation
- Key update and recovery
- Cross-certification
- CA key update announcement
- Certificate issuing and revocation announcements

Using CMPv2, the base station and the PKI system exchange information about applying for, issuing, and updating a certificate to implement certificate management.

For details about PKI, see PKI Feature Parameter Description for SingleRAN.
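Revocation is only useful if the end entity acts on the CRL it downloads over the LDAP/FTP interface of Table 3-4. The following added example (not from this document, and not Huawei code) models the check a base station applies to a peer's certificate with such a CRL: the CRL must come from the certificate's issuer, must still be current (an expired CRL leaves the status unknown, so the check fails closed), and must not list the peer's serial number; a small helper decides when to fetch the next CRL. Certificates and CRLs are constructed records rather than X.509 DER, and the sample data is constructed too.

```python
"""
Revocation check against a downloaded CRL, plus a refresh-scheduling helper.
Certificates and CRLs are constructed records (no X.509 parsing here); the
sample data in build_samples() is constructed around the document's issue date.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Set[int] = field(default_factory=set)  # serial numbers listed as revoked


def validate_peer(cert: Certificate, trusted_issuers: Set[str], crl: CRL, now: datetime) -> List[str]:
    """Return the reasons to reject the peer; an empty list means it is acceptable."""
    reasons: List[str] = []
    if cert.issuer not in trusted_issuers:
        reasons.append("issuer not trusted")
    if not (cert.not_before <= now <= cert.not_after):
        reasons.append("certificate outside its validity period")
    if crl.issuer != cert.issuer:
        reasons.append("CRL was not issued by the certificate issuer")
    elif now > crl.next_update:
        reasons.append("CRL is stale; revocation status unknown")   # fail closed
    elif cert.serial in crl.revoked:
        reasons.append("certificate is revoked")
    return reasons


def crl_refresh_due(crl: CRL, now: datetime) -> bool:
    """Fetch a new CRL once the last quarter of its validity window begins, so a
    healthy link never runs into the stale case above."""
    lead = (crl.next_update - crl.this_update) / 4
    return now >= crl.next_update - lead


def build_samples() -> Tuple[Certificate, Certificate, CRL, CRL, datetime]:
    """Constructed test data: a good SeGW certificate, a revoked one, a fresh and a stale CRL."""
    now = datetime(2014, 4, 26, 12, 0, tzinfo=timezone.utc)
    issuer = "CN=Operator Root CA"
    year = timedelta(days=365)
    cert_ok = Certificate("CN=segw-1", issuer, 1001, now - year, now + year)
    cert_revoked = Certificate("CN=segw-old", issuer, 2002, now - year, now + year)
    crl_fresh = CRL(issuer, now - timedelta(hours=1), now + timedelta(hours=23), {2002})
    crl_stale = CRL(issuer, now - timedelta(days=3), now - timedelta(days=1), {2002})
    return cert_ok, cert_revoked, crl_fresh, crl_stale, now


if __name__ == "__main__":
    cert_ok, cert_revoked, crl_fresh, crl_stale, now = build_samples()
    trusted = {"CN=Operator Root CA"}
    print(validate_peer(cert_ok, trusted, crl_fresh, now))       # []
    print(validate_peer(cert_revoked, trusted, crl_fresh, now))  # revoked
    print(validate_peer(cert_ok, trusted, crl_stale, now))       # stale
    print(crl_refresh_due(crl_fresh, now), crl_refresh_due(crl_stale, now))
```

Failing closed on a stale CRL is the conservative choice for IPsec peers; it is also why the refresh helper schedules the download well before nextUpdate, so that an unreachable CRL server shows up as an alarm before it becomes an outage.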

5 Parameters

There are no specific parameters associated with this feature.

6 Counters

There are no specific counters associated with this feature.

7 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.

8 Reference Documents

1. ITU-T X.800, "Security architecture for Open Systems Interconnection for CCITT applications", March 1991
2. ITU-T X.805, "Security architecture for systems providing end-to-end communications", October 2003
3. NGMN Alliance, "Security in LTE backhauling, A white paper", V1.0, February 2012
4. 3GPP TS 33.102 V11.3.0 (2012-06): "3G security; Security architecture"
5. 3GPP TS 33.210 V11.3.0 (2011-12): "3G security; Network Domain Security (NDS); IP network layer security"
6. 3GPP TS 33.310 V10.5.0 (2011-12): "Network Domain Security (NDS); Authentication Framework (AF)"
7. 3GPP TS 33.401 V11.4.0 (2012-06): "3GPP System Architecture Evolution (SAE); Security architecture"
8. IETF RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005
9. IETF RFC 4306, "Internet Key Exchange (IKEv2) Protocol"
10. IPsec Feature Parameter Description
11. Access Control based on 802.1x Feature Parameter Description
12. SSL Feature Parameter Description
13. PKI Feature Parameter Description
