www.huawei.com
Huawei Confidential
Foreword
This document describes the LTE eRAN2.1 transmission solution to help users better understand the principles of LTE transmission network.
References
  Transmission Security MOM Description
  Security Feature Parameter Description
  Principles and Practice of PKI
  Principles and Fundamentals of Digital Certificates and SSL
  Requirement for DHCP Server
Training Objectives

After completing this course, you should be able to:
  Understand the LTE eRAN2.1 transmission solution.
  Understand the networking solution for LTE eRAN2.1 transmission security.
  Know the principles of transmission security.
Contents

1. LTE Transmission Network - Interfaces
2. LTE Transmission Network - QoS
Figure: the eNodeB's transport connections (S1-U, clock server, OAM).

An LTE network has two protocol interfaces on the eNodeB: the S1 interface and the X2 interface. The LTE transmission data includes the following:
  Data over the S1 interface, including S1 control plane (S1-C) data and S1 user plane (S1-U) data.
  Data over the X2 interface, including X2 control plane (X2-C) data and X2 user plane (X2-U) data.
  OAM data.
  Clock synchronization data.
Note: The S11 interface is part of the core network and is not described in this course.
Figure: eNodeB - router - IP network (Ethernet, DiffServ) - MME/S-GW, with bottlenecks marked along the path.

A transport path is modelled as a pipe. A pipe has bottlenecks that are prone to congestion. The end nodes should support traffic shaping so that traffic is not discarded at the congested points.

1. QoS mapping
   Traffic QoS: user plane (based on QCI, GBR, non-GBR), signaling, IP clock, and OAM.
   IP layer: DSCP mapping, DiffServ.
   Data link layer: Ethernet QoS (IEEE 802.1p/Q).
2. Traffic shaping
   Logical port shaping
   Physical port shaping

MPLS: Multiprotocol Label Switching; DSCP: Differentiated Services Code Point; CoS: Class of Service
QoS Mapping

QoS-relevant concepts
1. QCI: the QoS class identifier is an important QoS concept introduced with LTE. It defines the QoS class and its key quality parameters, such as priority, packet delay budget, and packet error loss rate.
2. DSCP and VLAN priority (P-bit): packet priorities defined by the transmission network. DSCP is at the IP layer and VLAN priority is at the link layer.

Standardized QCI characteristics (3GPP TS 23.203, Table 6.1.7):

QCI  Resource type  Priority  Packet delay budget  Packet error loss rate  Example services
1    GBR            2         100 ms               10^-2                   Conversational voice
2    GBR            4         150 ms               10^-3                   Conversational video (live streaming)
3    GBR            3         50 ms                10^-3                   Real-time gaming
4    GBR            5         300 ms               10^-6                   Non-conversational video (buffered streaming)
5    Non-GBR        1         100 ms               10^-6                   IMS signaling
6    Non-GBR        6         300 ms               10^-6                   Video (buffered streaming), TCP-based (e.g. www, e-mail, chat, FTP, P2P file sharing, progressive video)
7    Non-GBR        7         100 ms               10^-3                   Voice, video (live streaming), interactive gaming
8    Non-GBR        8         300 ms               10^-6                   Video (buffered streaming), TCP-based (as for QCI 6)
9    Non-GBR        9         300 ms               10^-6                   Video (buffered streaming), TCP-based (as for QCI 6)

3GPP TS 23.203 defines nine standardized QCIs and allows operator-specific QCI extensions. Beginning with eRAN2.1, Huawei supports extended QCIs.
QoS Mapping

Mapping from service types and DSCPs to VLAN priorities

Service type      DSCP (hex)   DSCP (dec)   MML command to configure DSCP               VLAN group   VLAN priority
QCI1              0x2E         46           SET DIFPRI                                  USERDATA     5
QCI2              0x1A         26           SET DIFPRI                                  USERDATA     3
QCI3              0x22         34           SET DIFPRI                                  USERDATA     4
QCI4              0x1A         26           SET DIFPRI                                  USERDATA     3
QCI5              0x2E         46           SET DIFPRI                                  USERDATA     5
QCI6              0x12         18           SET DIFPRI                                  USERDATA     2
QCI7              0x12         18           SET DIFPRI                                  USERDATA     2
QCI8              0x0A         10           SET DIFPRI                                  USERDATA     1
QCI9              0x00         0            SET DIFPRI                                  USERDATA     0
SCTP              0x2E         46           SET DIFPRI                                  SIG          5
OM: MML           0x2E         46           SET DIFPRI                                  OM_H         5
OM: FTP           0x0E         14           SET DIFPRI                                  OM_L         1
IP clock: 1588v2  0x2E         46           SET DIFPRI                                  USERDATA     5
HWDEFINED         0x2E         46           SET DIFPRI                                  USERDATA     5
BFD               per session               ADD BFDSESSION                              USERDATA     Depending on actual situation
IKE               fixed                     Built-in, unchangeable                      USERDATA     5
IPPM              per session               ADD IPPMSESSION                             USERDATA     Depending on actual situation
Ping packet       follows the peer          No need to configure. The DSCP of the       USERDATA     follows the DSCP
                                            eNodeB response is the DSCP of the peer's
                                            ping; by default the ping DSCP of the
                                            transmission and core network is 0.
ARP               no DSCP value (Layer 2)   No need to configure                        OTHER        7
Other             -                         No need to configure                        OTHER        0
Figure: two eNodeBs feeding one GE/FE interface through per-logical-port queues (EF, AF4, AF3, AF2, AF1, BE), the IP scheduler and a level-2 shaper.

The eNodeB GE/FE interfaces support two levels of shaping: physical port shaping and logical port shaping. Each logical port has eight queues.
Two levels of queues are needed to differentiate operators, that is, to support eRAN sharing.
The parameters of a logical port are the committed information rate (CIR), the peak information rate (PIR) and a scheduling weight. Logical ports share the bandwidth of the physical port.
PIR/CIR

PIR: Peak Information Rate; CIR: Committed Information Rate; CBS: Committed Burst Size; EBS: Excess Burst Size; PBS: Peak Burst Size.

In versions earlier than eRAN2.1, the eNodeB shapes traffic with the single-rate three-color marker (srTCM: CIR, CBS, EBS) of RFC 2697. From eRAN2.1, the eNodeB supports the two-rate three-color marker (trTCM: CIR, CBS, PIR, PBS) of RFC 2698; "PIR/CIR" in this document refers to the trTCM algorithm. The transport admission control of the eNodeB depends on this algorithm: admission of GBR services is bounded by the CIR, admission of non-GBR services by the PIR, so that the quality of high-priority GBR services is guaranteed. The eNodeB supports two levels of traffic shaping, logical port shaping and physical port rate limiting. In eRAN2.1, logical ports support PIR/CIR, which serves the eRAN sharing scenario: as the figure shows, the CIR shares of different operators are not shared on the physical port, whereas the bandwidth between CIR and PIR is.

Figure: the total bandwidth is divided into Operator A CIR, Operator B CIR, and a common region used by Operator A PIR and Operator B PIR.
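The trTCM marker and the DiffServ action that follows it, as an added example (my own code, not Huawei's eNodeB implementation): a colour-blind RFC 2698 two-rate three-colour marker with its two token buckets, followed by the RFC 2597 Assured Forwarding rule of raising the drop precedence of yellow packets and dropping red ones. Rates in bytes per second, burst sizes in bytes and the packet burst are constructed for the example; the eNodeB's GBR-by-CIR / non-GBR-by-PIR admission rule is not modelled here.

```go
package main

import "fmt"

// Color is the result of metering one packet (RFC 2698 three-color marker).
type Color int

const (
	Green Color = iota
	Yellow
	Red
)

func (c Color) String() string { return [...]string{"green", "yellow", "red"}[c] }

// TrTCM is a two-rate three-color marker (RFC 2698) in color-blind mode.
// Rates are bytes per second and burst sizes bytes; the eNodeB's own units
// are not known from the slides, so these are assumptions of the example.
type TrTCM struct {
	cir, pir float64 // committed / peak information rate
	cbs, pbs float64 // committed / peak burst size (bucket depth)
	tc, tp   float64 // tokens currently in the C and P buckets
	last     float64 // time of the last update, seconds
}

// NewTrTCM starts with both buckets full, as RFC 2698 section 3 requires.
func NewTrTCM(cir, cbs, pir, pbs float64) *TrTCM {
	return &TrTCM{cir: cir, pir: pir, cbs: cbs, pbs: pbs, tc: cbs, tp: pbs}
}

func minf(a, b float64) float64 {
	if a < b {
		return a
	}
	return b
}

// Meter refills both buckets up to time t and classifies a packet of the
// given size: red if it does not fit the P bucket, yellow if it fits P but
// not C, green if it fits both. Only the buckets a packet fits are debited.
func (m *TrTCM) Meter(t, size float64) Color {
	if dt := t - m.last; dt > 0 {
		m.tc = minf(m.cbs, m.tc+dt*m.cir)
		m.tp = minf(m.pbs, m.tp+dt*m.pir)
		m.last = t
	}
	switch {
	case size > m.tp:
		return Red
	case size > m.tc:
		m.tp -= size
		return Yellow
	default:
		m.tp -= size
		m.tc -= size
		return Green
	}
}

// RemarkDSCP turns the colour into a DiffServ action for an Assured
// Forwarding code point (RFC 2597: class in bits 5-3, drop precedence in
// bits 2-1): yellow raises the drop precedence one step (AFx1 -> AFx2,
// AFx2 -> AFx3), red is dropped (ok == false). EF, CS and best effort carry
// no drop precedence and are returned unchanged.
func RemarkDSCP(dscp int, c Color) (newDSCP int, ok bool) {
	if c == Red {
		return dscp, false
	}
	class, dp := dscp>>3, (dscp>>1)&3
	isAF := class >= 1 && class <= 4 && dp >= 1 && dscp&1 == 0
	if c == Yellow && isAF && dp < 3 {
		return class<<3 | (dp+1)<<1, true
	}
	return dscp, true
}

func main() {
	// Constructed burst: CIR 1000 B/s with CBS 1500 B, PIR 2000 B/s with PBS 3000 B.
	m := NewTrTCM(1000, 1500, 2000, 3000)
	for _, t := range []float64{0, 0, 0, 0, 1} {
		c := m.Meter(t, 1000)
		d, ok := RemarkDSCP(26, c) // AF31, the QCI2/QCI4 code point in the mapping table
		fmt.Printf("t=%.0fs 1000 B -> %-6s DSCP %d forwarded=%v\n", t, c, d, ok)
	}
}
```

The four back-to-back 1000-byte packets at t=0 come out green, yellow, yellow, red: the first fits both buckets, the next two exhaust the P bucket while the C bucket is already below a packet's worth, and the fourth has no P tokens left. One second later both buckets have refilled enough for a green packet again.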
Reliability

Redundancy: the eNodeB and the backhaul network provide different redundancy solutions for the backhaul design, which necessarily include port redundancy and board redundancy.
The main reliability solution of eRAN2.1 is port (channel) redundancy. Board redundancy is LMPT cold standby.

Figure: end-to-end redundancy between the eNodeB and the S-GW/MME over the S1 interface (transport, network, data link and PHY layers, each with a working path and a backup path), segment-by-segment redundancy, and OAM backup.
Figure: eNodeBs with GE ports connected over the Ethernet transport network (E-UTRAN side) to an S-GW pool and an MME pool (S1-flex).

1. Reliability solution: S1-flex, channel backup (3 s), IP route backup, and Ethernet link aggregation.
2. Fault detection mechanisms: BFD (100 ms), Ethernet OAM (100 ms).
Figure: fault detection per layer. IP route backup is triggered by BFD detection; routes and links are covered by BFD, physical port detection, IEEE 802.3ah and IEEE 802.1ag; the physical layer by physical port detection alone.
OMCH Backup

1. The OMCH backup function is used only in the scenario of M2000 remote high availability (HA).
2. The OMCH backup function is used when the OM channel runs over Ethernet. The eNodeB configures two different OM IP addresses for the active and standby OM channels; the M2000 side can use the same or different IP addresses.
3. The OMCH backup function uses two physical ports for higher reliability. Preferably the active and standby OM IP addresses are in different network segments, so that the two OMCHs take different routes; this gives higher reliability at higher cost.
4. When the active OMCH is down, the M2000 automatically delivers a switchover command and, upon receipt of the command, the eNodeB switches to the standby OMCH. The active/standby switchover takes a minimum of six minutes. The figure illustrates the OMCH backup function.
SCTP Multi-Homing

Each end of an SCTP association binds N IP addresses for redundancy (N >= 2). The eNodeB supports dual-homing: two IP addresses are configured, the first being the primary and the second the standby address, and the two paths are active and standby. An SCTP link is established on a board without specifying a port; the two IP addresses can be on the same interface or on different interfaces of the same board, and using the same interface for both is recommended. Because this function has to be negotiated with and supported by the core network, it is not actively recommended to customers. This function does not support cross-route.
An SCTP link is identified by four parameters: local IP, local SCTP port number, peer IP, and peer SCTP port number.
The difference between SCTP multi-homing and OMCH backup is as follows: in SCTP multi-homing, traffic returns from the standby path to the primary path automatically when the primary path recovers; in OMCH backup, the M2000 switches the eNodeB back to the active OMCH only after it detects that the standby OMCH is down.
IP Route Backup

IP route backup means that multiple routes are configured for the same destination. The route with the highest priority (the lowest PREF value) is the primary route; routes with lower priority are backup routes, each over a different physical connection. When the primary route fails, the eNodeB performs an active/standby switchover and selects a backup route so that service is not interrupted. When the primary link recovers, the eNodeB automatically switches back to the primary route.

  // Add the IP address of Ethernet port 0
  ADD DEVIP: SN=7, SBT=BASE_BOARD, PT=ETH, PN=0, IP="11.11.11.11", MASK="255.255.255.0";
  // Add the IP address of Ethernet port 1
  ADD DEVIP: SN=7, SBT=BASE_BOARD, PT=ETH, PN=1, IP="12.12.12.12", MASK="255.255.255.0";
  // Add the master IP route (route backup is used between the eNodeB and the SeGW)
  ADD IPRT: SN=7, SBT=BASE_BOARD, DSTIP="13.13.13.13", DSTMASK="255.255.255.0", RTTYPE=NEXTHOP, NEXTHOP="11.11.11.10", PREF=50, DESCRI="Master IP Route";
  // Add the slave IP route
  ADD IPRT: SN=7, SBT=BASE_BOARD, DSTIP="13.13.13.13", DSTMASK="255.255.255.0", RTTYPE=NEXTHOP, NEXTHOP="12.12.12.10", PREF=60, DESCRI="Slave IP Route";

The eNodeB needs two DEVIPs in different network segments; with only one DEVIP, route backup cannot be configured. The two routes differ only in next hop and PREF: the route with PREF 50 is used while its next hop is reachable, the route with PREF 60 takes over when it is not.
Maintainability Solution

Figure: detection tools along the path eNodeB - transport network - IP core - S-GW/MME: performance counters, IEEE 802.3ah, IEEE 802.1ag, single-hop BFD, multi-hop BFD, and IPPM.
IPPATH Check
It is recommended to disable this function in ordinary situations.
Function: IP performance monitoring (IP PM) monitors the transport quality between the eNodeB and the S-GW and measures the transport performance parameters: the numbers of packets sent and received, the packet loss rate, one-way delay variation, and round-trip delay variation.
Strength: provides transport KPIs and works with dynamic transport flow control so that variation of the transport bandwidth does not degrade QoS.
Weakness: the more IP PM sessions are active, the more accurately congestion is located, but the more resources are consumed.
Requirement on the devices: IP PM is Huawei proprietary and requires support from both the eNodeB and the core network. IP PM also requires that the transmission network does not rewrite the DSCP values set by the eNodeB and the core network; if the DSCP is changed on the path, IP PM activation fails.
Applicable scenario: IP PM is recommended where the core network consists of Huawei equipment, particularly when the IP transmission has to cross poor-quality ADSL lines with a high packet loss rate, unstable line rates, or large bandwidth variation.
External congestion check: IP PM checks the packet loss of a user data path in real time, calculates the packet loss rate of the path, and dynamically adjusts the logical port bandwidth for dynamic admission control of the transport bandwidth and for flow control, avoiding packet loss caused by congestion in the transmission network.

Figure: eNodeB to MME/S-GW over a path with a maximum bandwidth of 100 Mbps and a 30 Mbps bottleneck. 1. IP PM detects the loss; 2. the bandwidth change is reported; 3. transport dynamic flow control adjusts the sending rate.

To check the link in both directions, set up one PM session in the A > B direction and one in the B > A direction.
The figure shows adaptive flow control based on IP PM. The dotted lines indicate the bandwidth variation of the IP/Ethernet transmission network. IP PM between the S-GW/MME and the eNodeB measures the variation of the transmission performance (delay, jitter and packet loss rate) and estimates the minimum end-to-end available transmission bandwidth. The eNodeB passes the available bandwidth to the flow control module, which adjusts the data flow into the transmission network to reduce the packet loss rate and increase the bandwidth utilization of the transmission network.
Function: fast failure detection of the forwarding path between two systems, independent of the media, encapsulation and routing protocols in between; BFD can serve any protocol at layer 2 or above. The eNodeB implements BFD over UDP. Strength: fault detection for IP routes, with detection within 100 ms. Requirement on the devices: the eNodeB supports BFD version 1, so the peer device must also support BFD version 1; otherwise the function cannot be used. Both ends must run BFD, and the transmit/receive intervals and detection multiplier configured on the two ends should be consistent, because the detection time is negotiated from both sides' values. Recommended scenarios: Single-hop (segment-by-segment) BFD (SBFD): point-to-point detection of network faults between directly connected nodes in the same network segment. Multi-hop BFD (MBFD): end-to-end detection of network faults between two ends with multiple routing nodes in between.
SBFD: used for fault detection between an eNodeB and an L3 transmission device, or between an S-GW/MME and a transmission device, to locate a fault or to trigger the switchover of protection paths on that segment. SBFD does not traverse an L3 transmission device. MBFD: used for detection between eNodeBs, between an eNodeB and an S-GW, and between an eNodeB and a remote transmission device, to locate a fault or to trigger the switchover of protection paths between the two ends and so ensure network reliability.
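An added example, not taken from the slides or from Huawei code: the 24-byte BFD Control packet of RFC 5880 encoded and decoded in Go, with the receive-side checks a peer must pass (including the version-1 requirement stated above) and the detection-time rule that explains why both ends need consistent timers. Discriminators and intervals are constructed values; the UDP ports are the IANA assignments for single-hop and multi-hop BFD.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// BFD session states (RFC 5880 section 4.1).
const (
	StateAdminDown uint8 = iota
	StateDown
	StateInit
	StateUp
)

// ControlPacket is the 24-byte mandatory section of a BFD Control packet
// (RFC 5880 section 4.1); the optional authentication section is omitted.
// Interval fields are in microseconds.
type ControlPacket struct {
	Version, Diag, State                           uint8
	Poll, Final                                    bool
	DetectMult                                     uint8
	MyDisc, YourDisc                               uint32
	DesiredMinTx, RequiredMinRx, RequiredMinEchoRx uint32
}

// Marshal produces the wire form carried in UDP (destination port 3784 for
// single-hop and 4784 for multi-hop BFD).
func (p ControlPacket) Marshal() []byte {
	b := make([]byte, 24)
	b[0] = p.Version<<5 | p.Diag&0x1f
	b[1] = p.State << 6
	if p.Poll {
		b[1] |= 0x20
	}
	if p.Final {
		b[1] |= 0x10
	}
	b[2], b[3] = p.DetectMult, 24 // Detect Mult, Length
	binary.BigEndian.PutUint32(b[4:], p.MyDisc)
	binary.BigEndian.PutUint32(b[8:], p.YourDisc)
	binary.BigEndian.PutUint32(b[12:], p.DesiredMinTx)
	binary.BigEndian.PutUint32(b[16:], p.RequiredMinRx)
	binary.BigEndian.PutUint32(b[20:], p.RequiredMinEchoRx)
	return b
}

// Unmarshal applies the receive checks of RFC 5880 section 6.8.6 that a
// packet must pass before it may touch session state. A version-0 peer, as
// the slide warns, is rejected at the first check.
func Unmarshal(b []byte) (ControlPacket, error) {
	var p ControlPacket
	if len(b) < 24 {
		return p, errors.New("shorter than the 24-byte mandatory section")
	}
	if p.Version = b[0] >> 5; p.Version != 1 {
		return p, fmt.Errorf("BFD version %d not supported", p.Version)
	}
	if n := int(b[3]); n < 24 || n > len(b) {
		return p, errors.New("length field inconsistent with packet")
	}
	p.Diag, p.State = b[0]&0x1f, b[1]>>6
	p.Poll, p.Final = b[1]&0x20 != 0, b[1]&0x10 != 0
	if p.DetectMult = b[2]; p.DetectMult == 0 {
		return p, errors.New("detect mult must be non-zero")
	}
	if p.MyDisc = binary.BigEndian.Uint32(b[4:]); p.MyDisc == 0 {
		return p, errors.New("my discriminator must be non-zero")
	}
	p.YourDisc = binary.BigEndian.Uint32(b[8:])
	if p.YourDisc == 0 && p.State != StateDown && p.State != StateAdminDown {
		return p, errors.New("your discriminator is zero but state is not Down/AdminDown")
	}
	p.DesiredMinTx = binary.BigEndian.Uint32(b[12:])
	p.RequiredMinRx = binary.BigEndian.Uint32(b[16:])
	p.RequiredMinEchoRx = binary.BigEndian.Uint32(b[20:])
	return p, nil
}

// DetectionTime is how long the local system waits without receiving a
// Control packet before declaring the session down (RFC 5880 section 6.8.4,
// asynchronous mode): the peer's Detect Mult times the peer's transmit
// interval, which is the larger of our Required Min RX and the peer's Desired
// Min TX. The slower side's interval wins, which is why both ends need
// consistent timer settings to reach the 100 ms figure on the slide.
func DetectionTime(localRequiredMinRx uint32, peer ControlPacket) uint32 {
	interval := peer.DesiredMinTx
	if localRequiredMinRx > interval {
		interval = localRequiredMinRx
	}
	return uint32(peer.DetectMult) * interval
}

func main() {
	// Constructed packet as the S-GW side of a multi-hop session would send it.
	peer := ControlPacket{Version: 1, State: StateUp, DetectMult: 2,
		MyDisc: 0x1001, YourDisc: 0x2002, DesiredMinTx: 20000, RequiredMinRx: 50000}
	got, err := Unmarshal(peer.Marshal())
	if err != nil {
		panic(err)
	}
	fmt.Printf("peer state %d; detection time with local RX 50 ms: %d us\n", got.State, DetectionTime(50000, got))
}
```

With the peer offering a 20 ms transmit interval but the local side only willing to receive every 50 ms, the detection time is 2 x 50 ms = 100 ms: lowering the interval on one side alone does not speed up detection.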
BFD session configuration example (MML)

  +++ HUAWEI 2010-07-08 15:37:15
  O&M #62147
  %%ADD BFDSESSION: SN=7, BFDSN=0, SRCIP=10.141.225.226, DSTIP=10.69.23.24, HT=MULTI_HOP;%%
  RETCODE = 0 Operation succeeded
IEEE 802.1ag
Security threats

Threatened object   Threat type                                                                        Security system
eNodeB              Stealing eNodeB hardware.                                                          Equipment security
                    Obtaining important information from the eNodeB.
                    Loading invalid software versions or illegally controlling the eNodeB.
                    DoS (denial of service) attack.
Uu interface        Eavesdropping on Uu interface signals to obtain important user information.        Radio security
                    Mimicking Uu interface signaling to forge user access.
S1 interface        Eavesdropping on transmission network data to obtain important user information.   Transmission security
                    Intercepting transmission network data in order to tamper with it.
X2 interface        The same as the S1 interface.                                                      Transmission security
OM interface        Intercepting important information sent by the eNodeB over the OM interface,       OAM security
                    or stealing important data from the OM interface.
                    Logging in to, controlling, and operating the eNodeB illegally.
Clock server                                                                                           OAM security
Security Measures

Against these threats, ITU-T X.805 defines eight security dimensions:
1. Access control: prevents equipment from being used illegally and allows only authorized users to access the protected assets (equipment, information, services). For example, only authorized users can access the eNodeB over the OM interface.
2. Authentication: verifies the identity of a communicating entity and allows only entities with a valid identity to set up communication.
3. Non-repudiation: prevents an entity from denying an operation, by means of evidence such as operation logs. For example, the operation log records each operation on the eNodeB.
4. Data confidentiality: uses encryption to prevent data from being disclosed.
5. Communication security: information flows only between authenticated entities, so that data is neither disclosed nor falsified in transit.
6. Data integrity: ensures data correctness, prevents illegal modification, deletion, creation or replication of data, and makes unauthorized operations detectable.
7. Availability: ensures that the system keeps working and that services are not interrupted as a result of an illegal operation.
8. Privacy: protects keys, identity information, and information about equipment or network activity, such as log data.
Figure: security system of the eNodeB. Transmission security policy: 1. IPsec, 2. 802.1X. Equipment security: simple firewall function. OM security: OM channel security (1. SSL) and PnP. In the network figure, 802.1X runs between the eNodeB and the access network (authenticated against a RADIUS server), and IPsec runs between the eNodeB and the core network (SAE, IP clock, M2000).

The eNodeB uses 802.1X (EAP-TLS) authenticated access control and IPsec to ensure transmission security. 1. 802.1X access control ensures that the eNodeB gains access to the transmission network only through the legitimate procedure. 2. IPsec provides the security mechanism for the eNodeB in the all-IP scenario: confidentiality, integrity, authentication and anti-replay protection for the transmitted data. 802.1X and IPsec protect the transmission at different layers (link layer and network layer); they can be used together or separately.
802.1X port-based access control keeps the switch port closed for the eNodeB's MAC address until the eNodeB has been authenticated, so that unauthorized equipment cannot gain access to the transmission network. The eNodeB sends its digital certificate to the RADIUS server over EAPoL (EAP-TLS); the RADIUS server authenticates the eNodeB identity using the Huawei CA root certificate configured on the server.
1. Security protocols
   AH (Authentication Header) provides data integrity and origin authentication but no encryption; it is applicable to non-confidential data.
   ESP (Encapsulating Security Payload) provides data integrity and encryption; it is applicable to confidential data.
2. Packet encapsulation modes
   Transport mode: protects the payload and upper-layer protocols of the IP packet. The IPsec header (AH and/or ESP) is inserted after the IP header and before the upper-layer protocol header.
   Tunnel mode: protects the whole original IP packet. The original IP packet is encapsulated in a new IP packet; the IPsec header (AH and/or ESP) sits between the new IP header and the original IP header, so the original IP header is protected by IPsec as part of the payload.
Transport mode
  AH:       IP Header | AH Header | TCP/UDP | Data
            Range of AH authentication: the whole packet (mutable IP header fields excluded)
  ESP:      IP Header | ESP Header | TCP/UDP | Data | ESP Trailer | ESP Auth
            Range of ESP encryption: TCP/UDP ... ESP Trailer
            Range of ESP authentication: ESP Header ... ESP Trailer
  AH + ESP: IP Header | AH Header | ESP Header | TCP/UDP | Data | ESP Trailer | ESP Auth
Tunnel mode
  ESP:      New IP Header | ESP Header | Original IP Header | TCP/UDP | Data | ESP Trailer | ESP Auth
            Range of ESP encryption: Original IP Header ... ESP Trailer
            Range of ESP authentication: ESP Header ... ESP Trailer
Figure: IPsec networking. eNodeBs in the access network set up IPsec tunnels to a SeGW in front of the core network (SAE, IP clock, M2000), carrying the S1, X2, OAM and SYN (clock) streams; a PKI system with a CA and a CRL server issues and revokes the certificates. The SeGW deployment can be centralized or distributed, each defining a security zone.

IPsec networking needs to consider three factors: the security domain, the protected streams, and the configuration mode (see Remarks).
Prerequisites for eNodeB secure startup with intelligent PnP:
1. The transmission network has a public DHCP server; the PnP configuration and DHCP option 43 are defined.
2. The eNodeB is preset with a factory certificate.
3. The PKI server is preset with the Huawei root certificate, the ESN list and the CRL, which can be obtained from the web portal. The ESN list is a whitelist.
4. The SeGW is preset with the operator's root certificate.
5. The 802.1X authentication server (RADIUS server) is preset with the Huawei root certificate.

Figure: PnP flow between the eNodeB, the RADIUS server, the DHCP server, the PKI system (CA, CRL server), the SeGW and the M2000, starting with 1. VLAN scanning.

The PnP process has six steps (for details, see Remark):
1. Automatic access: 802.1X authentication and VLAN learning.
2. DHCP: obtaining a temporary IP address, the SeGW IP address, the PKI server address and the M2000 IP address.
3. PKI authentication.
4. IPsec tunnel setup.
5. OMCH setup.
6. Downloading the configuration and software. After the restart, the PnP process is finished.
Note: If any of these steps fails, the eNodeB restarts the PnP process from the beginning until it completes.
Symmetric encryption: encryption and decryption use the same key. The sender and receiver must agree upon a key before secure communication starts, so security depends on the confidentiality of the key; disclosure of the key means the encryption is no longer secure.

Figure: User A encrypts plaintext into ciphertext with KEY; the key is distributed to User B, who decrypts the ciphertext back into plaintext with the same KEY.
Figure: the same exchange between User A and User B with plaintext and ciphertext, here using a key pair rather than one shared key.
A digital certificate is an electronic ID card containing an entity's identity and the associated public key information. This electronic ID card must be issued by a trusted authority.
For various reasons a digital certificate may need to be revoked before its validity period expires. Revoked certificates are published together in the CRL (certificate revocation list, the blacklist).

CRL fields: thisUpdate, nextUpdate, revokedCertificates (each entry: userCertificate serial number, revocationDate, crlEntryExtensions), crlExtensions.
Principle 5 - PKI

PKI stands for public key infrastructure.

PKI is implemented with asymmetric cryptographic algorithms and technologies and is the basis and core of current network security construction. It is built on a group of standard, interoperable PKI protocols. It uses digital certificates compliant with ITU-T X.509, manages the public keys of asymmetric cryptography, and binds the public key of an entity to other identity information (for a device this can be the device name, home country, province, city, specific location, or unique ID). A trusted CA (certificate authority) signs the public key and identity information of a user, producing a digital certificate, and manages the life cycle of the digital certificates.

PKI architecture
CA: the CA issues, updates, revokes, and verifies digital certificates. The CA is the core executive part of the PKI.
RA: the RA is the registration and approval body for digital certificates; it is the CA's window for users.
CR/CRL: the certificate repository / CRL server stores the digital certificates or the CRL. It exists as an FTP server, web server, or LDAP server.
CA hierarchy

Figure: a root CA above intermediate CAs, each issuing to end users through the RA (1. certificate request) and the CR/CRL server; the certificate life cycle includes 4. certificate revocation and 5. certificate expiry.

A parent CA can have child CAs, which establishes a CA hierarchy. Any CA can issue certificates within its authority. A three-level CA hierarchy satisfies the requirements of most operators; there is no limit to the depth of the hierarchy, and a customer can choose an appropriate depth according to the actual situation.
Certificate chain verification

Figure: B's certificate -> CA1's certificate -> Root CA's certificate. Extract the Root CA's public key and verify both Root CA signatures (its self-signature and the signature on CA1's certificate); extract CA1's public key and verify the signature on B's certificate.

Assume that A authenticates B's certificate. B's certificate names the CA that issued it. Following the issuer links up the CA hierarchy until the root certificate is reached yields the certificate chain. Verification then runs in the reverse direction: starting from the root certificate, each node verifies the signature on the certificate of the next node down, until B's certificate is reached. The root certificate is self-signed and is verified with its own public key. If all signatures verify, A concludes that all certificates in the chain are correct; if A trusts the root CA, it can trust B's certificate and public key. Signature checks alone are not sufficient in practice: the validity period and the revocation status (CRL) of each certificate in the chain must be checked as well.
NEs: the NEs that use certificates are the eNodeB and the SeGW. Three files are built in: the device certificate, the root certificate, and the CRL.
PKI servers: PKI servers manage certificates and include the CA server and the CRL server. The certificate management protocol between the CA and the eNodeB is CMPv2.
Verify

The CA root certificate verifies the validity of a device certificate issued by that CA.
For example, when the SeGW authenticates an eNodeB, the root certificate of the eNodeB's device certificate is preset on the SeGW. During authentication the eNodeB sends its device certificate to the SeGW, which verifies it with the preset root certificate.
Verifying a device certificate against the root certificate ensures that the device certificate was issued by the CA that owns the root certificate. The Huawei CA root certificate therefore proves that an eNodeB is a genuine Huawei device, but not that it is this operator's device. To strengthen the authentication a whitelist is used: the eNodeB ESN contained in the device certificate is compared with the preset ESN list, and only Huawei eNodeBs with listed ESNs are accepted.
Certificate Management

Factory stage: at the factory stage, an eNodeB is preset with a unique device certificate. The ESN list, CRL, and factory CA root certificate are published on the web portal.
Operation stage: at the operation stage, the customer obtains the ESN list, CRL, and factory CA root certificate from the web portal, so that the factory-preset certificate can be validated and the eNodeB authenticated.
Certificate enrolment during PnP:
1. Verify the vendor (factory) certificate against the whitelist built from the eNodeB ESNs.
2. Verify the vendor certificate against the vendor root certificate.
3. Issue the operator certificate in response to the received certificate request file.
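The chain walk, the root-certificate check and the ESN whitelist from the preceding slides, worked through as an added example (my code, not Huawei's PnP or SeGW implementation): Go's crypto/x509 builds an in-memory vendor root CA and device-issuing CA, issues a device certificate carrying the ESN, publishes a CRL, and then accepts or rejects devices the way the slides describe. Carrying the ESN in the subject serialNumber attribute, the ESN values and the CA names are assumptions of the example; Go 1.19 or later is assumed for the CRL API. The chain is checked before the whitelist so that the ESN is only read from a certificate already proven to come from the vendor CA, and a CRL that is not signed by the issuing CA or is past its nextUpdate is rejected, two points the slides leave implicit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VendorPKI is an in-memory stand-in for the factory-stage vendor hierarchy
// (root CA -> device-issuing CA -> eNodeB device certificate, ESN assumed in
// the subject serialNumber attribute).
type VendorPKI struct {
	Root, Issuing *x509.Certificate
	issuingKey    *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a certificate template; CA templates get the CA key usages.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func NewVendorPKI() *VendorPKI {
	rk, ik := newKey(), newKey()
	rootTmpl := template(1, "Example Vendor Root CA", true)
	root := issue(rootTmpl, rootTmpl, &rk.PublicKey, rk) // self-signed root
	issuing := issue(template(2, "Example Vendor Device CA", true), root, &ik.PublicKey, rk)
	return &VendorPKI{Root: root, Issuing: issuing, issuingKey: ik}
}

// IssueDevice models the device certificate preset at the factory for one ESN.
func (p *VendorPKI) IssueDevice(esn string, serial int64) *x509.Certificate {
	t := template(serial, "eNodeB "+esn, false)
	t.Subject.SerialNumber = esn
	return issue(t, p.Issuing, &newKey().PublicKey, p.issuingKey)
}

// CRL publishes the blacklist: certificate serial numbers revoked by the issuing CA.
func (p *VendorPKI) CRL(revoked ...int64) *x509.RevocationList {
	now := time.Now()
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, p.Issuing, p.issuingKey))))
}

// VerifyDevice runs the acceptance checks of the slides: chain to the preset
// vendor root first (so the ESN is read only from a certificate proven to come
// from the vendor CA), then the CRL blacklist, then the ESN whitelist. The CRL
// itself must be signed by the issuing CA and must not be past its nextUpdate.
func VerifyDevice(dev, root, issuing *x509.Certificate, crl *x509.RevocationList, whitelist map[string]bool) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(issuing)
	chains, err := dev.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the device's issuer
		return fmt.Errorf("crl: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("crl: stale since %v", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(dev.SerialNumber) == 0 {
			return fmt.Errorf("device certificate %v is revoked", dev.SerialNumber)
		}
	}
	if esn := dev.Subject.SerialNumber; !whitelist[esn] {
		return fmt.Errorf("ESN %q not on the whitelist", esn)
	}
	return nil
}

func main() {
	pki := NewVendorPKI()
	fmt.Println(VerifyDevice(pki.IssueDevice("ESN-EXAMPLE-0001", 100), pki.Root, pki.Issuing, pki.CRL(), map[string]bool{"ESN-EXAMPLE-0001": true}))
}
```

A device signed by a different root fails at the chain step even if its ESN is whitelisted, a revoked serial fails at the CRL step, and a genuine vendor certificate with an unlisted ESN fails last; the order of the checks is what keeps a forged certificate from ever reaching the whitelist comparison.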
The source eNodeB sets up a signaling link to the destination eNodeB and configures ACL rules according to the source and destination IP addresses: {SCTP, source signaling IP, destination signaling IP} and {UDP, source service IP, destination service IP}.
Confidentiality protection: after the handshake protocol has negotiated the session key, all messages are encrypted for transmission.
Integrity protection: maintains data integrity and ensures that data is not tampered with in transit.
Authentication: authenticates the client and the server so that each is sure data is sent to the correct peer. Client authentication in a session is optional; the server is always authenticated.
SSL application scenarios (SSL over TCP/IP: OMCH, HTTPS, FTPS):
  SSL-based OMCH.
  Local (or remote) FTPS connection to upload or download files.
  Local (or remote) WebLMT sets up an HTTPS connection for operation and maintenance.
2. Packet filtering configuration
This configuration defines which ingress and egress packets the eNodeB permits or denies:
ACL and ACLRULE define the admission rules for packets; PACKETFILTER binds an ACL to a physical port.
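A worked model of ACL evaluation for the X2 rules described earlier, added as an example (not the eNodeB's ACL/ACLRULE/PACKETFILTER code): an ordered rule list where the first match wins and an unmatched packet falls through to the implicit deny, with the two rule pairs from the text (SCTP only between the signaling addresses, UDP only between the service addresses). The addresses are constructed; the ports are the IANA assignments for GTP-U (2152) and X2-AP (36422).

```go
package main

import (
	"fmt"
	"net"
)

// Action of an ACL rule. The ACL as a whole ends with an implicit deny.
type Action bool

const (
	Permit Action = true
	Deny   Action = false
)

func (a Action) String() string {
	if a {
		return "permit"
	}
	return "deny"
}

// IP protocol numbers used by the eNodeB interfaces in this example.
const (
	ProtoAny  uint8 = 0
	ProtoUDP  uint8 = 17
	ProtoSCTP uint8 = 132
)

// Rule is one ACLRULE: protocol, source and destination prefixes (nil = any)
// and an optional destination port (0 = any).
type Rule struct {
	Action   Action
	Proto    uint8
	Src, Dst *net.IPNet
	DstPort  uint16
}

// Packet carries the fields a rule can match on.
type Packet struct {
	Proto    uint8
	Src, Dst net.IP
	DstPort  uint16
}

// ACL is the ordered rule list that PACKETFILTER binds to a port. Evaluation
// is first match wins, so rule order matters and the fall-through is deny.
type ACL struct {
	Rules []Rule
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func (r Rule) matches(p Packet) bool {
	if r.Proto != ProtoAny && r.Proto != p.Proto {
		return false
	}
	if r.Src != nil && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst != nil && !r.Dst.Contains(p.Dst) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// Evaluate returns the action of the first matching rule and its index, or
// Deny and -1 when nothing matched.
func (a ACL) Evaluate(p Packet) (Action, int) {
	for i, r := range a.Rules {
		if r.matches(p) {
			return r.Action, i
		}
	}
	return Deny, -1
}

// X2ACL builds the rule pair from the text: SCTP only from the peer's
// signaling address to ours, UDP (GTP-U, port 2152) only from the peer's
// service address to ours. Everything else falls through to deny.
func X2ACL(localSig, peerSig, localSvc, peerSvc string) ACL {
	return ACL{Rules: []Rule{
		{Action: Permit, Proto: ProtoSCTP, Src: cidr(peerSig), Dst: cidr(localSig)},
		{Action: Permit, Proto: ProtoUDP, Src: cidr(peerSvc), Dst: cidr(localSvc), DstPort: 2152},
	}}
}

func main() {
	// Constructed addresses for one X2 neighbour relation.
	acl := X2ACL("10.10.1.1/32", "10.10.1.2/32", "10.20.1.1/32", "10.20.1.2/32")
	for _, p := range []Packet{
		{ProtoSCTP, net.ParseIP("10.10.1.2"), net.ParseIP("10.10.1.1"), 36422},
		{ProtoUDP, net.ParseIP("10.20.1.2"), net.ParseIP("10.20.1.1"), 2152},
		{ProtoUDP, net.ParseIP("10.20.1.2"), net.ParseIP("10.10.1.1"), 2152},   // service IP aimed at the signaling IP
		{ProtoSCTP, net.ParseIP("192.0.2.9"), net.ParseIP("10.10.1.1"), 36422}, // unknown peer
	} {
		act, idx := acl.Evaluate(p)
		fmt.Printf("%-6v rule %2d  proto %3d  %s -> %s:%d\n", act, idx, p.Proto, p.Src, p.Dst, p.DstPort)
	}
}
```

The third and fourth packets show why the rules are written as address pairs rather than as a single "permit SCTP/UDP" entry: a peer's service address is not allowed to reach the signaling address, and an unknown source never matches, so both end at the implicit deny.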
This configuration defines the digital certificates used by IPsec for authentication.
  Appcert defines the device certificate currently in use.
  Trustcert defines the CA certificate trusted by the eNodeB.
  Crosscert defines the CA certificate trusted by the CA server that issues device certificates to the eNodeB.
  CRL defines the certificate revocation list.
  CRLpolicy defines the CRL policy used by the eNodeB.
  Certchktsk defines the certificate update method and policy.
  Ca defines the configuration information of the CA server.
  Certmk defines the device certificates that can be used by the eNodeB.
  Certreq defines the parameters for generating a certificate request file.
For details, see the Transmission Security MOM Description. The security configuration of the TMO network is described in the attached file.
Copyright2008 Huawei Technologies Co., Ltd. All Rights Reserved.
The information contained in this document is for reference purpose only, and is subject to change or withdrawal according to specific customer requirements and conditions.