
Data Architecture Proposal

Mesa ISSI Working Session/PSAWG


Frédéric ROSIN - 11/01/2006
Outline

1. Introduction
2. Addressing Principles
3. Roaming
4. End-to-end encryption and compression
5. SNDCP adaptation
6. Architecture for external data servers connected beyond a data security gateway
7. Conclusion
Abbreviations

AVL: Automatic Vehicle Location
DNS: Domain Name Server
ESP: Encapsulating Security Payload
IP: Internet Protocol
IPSec: Internet Protocol Security
ISSI: Inter RFSS Interface
KMF: Key Management Facility
MDP: Mobile Data Peripheral
MRC: Mobile Radio Controller (P25 Radio Terminal)
OTAR: Over-The-Air Re-keying
PDP context: Packet Data Protocol (SNDCP) context
RFSS: Radio Frequency Sub-System
SNDCP: Sub-network Dependent Convergence Protocol
SPI: Security Parameters Index
SU: Subscriber Unit
SUID: Subscriber Unit Identity
TCP: Transport Control Protocol
UDP: User Datagram Protocol
Introduction

The existing packet data architecture is revisited in order to:

- Support SU mobility between multiple RFSS
- Use the IP Security standard as a basis for end-to-end confidentiality
  - Justified in order to have interoperable equipment
- Provide efficient compression
  - Compression has to be performed end-to-end, before end-to-end encryption
Where are the end-to-end encryption endpoints?

- In the MRCs
- In Data Servers

[Figure: MRCs attached over Um/Um2 and A to the P25 Network (P25 Realm), with the Data Servers attached over Ed; the sub-systems performing end-to-end encryption are the MRCs and the Data Servers.]
Addressing principles

- Addressing is based on a P25 Mobile Sub-network concept
- Each SU shall be IP addressable in order to support Data Link Independent OTAR
- Each SU shall be able to be connected to one or several IP addressable MDPs for data transactions based on SNDCP

[Figure: the P25 Mobile Sub-Network (the MRC and its MDPs) attached to the RFSS over Um/Um2 (SNDCP).]
Addressing principles (cont'd)

- Each P25 Mobile Sub-network has one P25 address (the SUID of the MRC)
- Simple engineering rules in order to ease IP routing and to avoid further interoperability issues:
  - One IP subnet mask = an IP address | 0x03
  - IP subnet mask & 0xFC is the address of the MRC
  - The others are the IP addresses of the MDP(s)
- Once an IP address of an MRC or an MDP is activated (SNDCP activation), the related IP address is reachable from anywhere for any device which knows the existence of this IP address
Addressing principles (cont'd)

- For data applications addressing the MRC (OTAR):
  - The SUID address can be used to retrieve the IP address by DNS resolution
  - The SU-initiated Hello procedure enables the KMF to know when the IP address of the MRC is activated
- For requests to data servers:
  - When an MDP or an MRC initiates a request to a pre-provisioned IP address of a data server, the responder retrieves the source IP address from the received IP packet
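As an added illustration of the sub-network rule and of the activation/Hello behaviour described on these slides (example code, not part of the proposal): the bit rules give the MRC and MDP addresses of a block, and a constructed registry (P25AddressPlan, the SUID value and addresses are assumptions) answers a SUID lookup only once the MRC address is activated.

```python
import ipaddress
from typing import Optional

# Engineering rule of the proposal: a P25 Mobile Sub-network is a block of four
# consecutive IPv4 addresses. Clearing the two low bits (& 0xFC on the last
# byte) gives the MRC address; the three other addresses belong to MDPs.
MRC_MASK = 0xFFFFFFFC

def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def mobile_subnet(addr: str) -> str:
    """The /30 block (P25 Mobile Sub-network) containing addr."""
    return str(ipaddress.IPv4Network((_as_int(addr) & MRC_MASK, 30)))

def subnet_mask_value(addr: str) -> str:
    """The value the slide calls the sub-network's 'IP subnet mask': addr | 0x03."""
    return str(ipaddress.IPv4Address(_as_int(addr) | 0x03))

def mrc_address(addr: str) -> str:
    return str(ipaddress.IPv4Address(_as_int(addr) & MRC_MASK))

def mdp_addresses(addr: str) -> list:
    base = _as_int(addr) & MRC_MASK
    return [str(ipaddress.IPv4Address(base + i)) for i in (1, 2, 3)]

def role(addr: str) -> str:
    return "MRC" if _as_int(addr) & 0x03 == 0 else "MDP"

class P25AddressPlan:
    """Constructed registry: SUID -> MRC address (the DNS-style record) plus the
    set of addresses whose PDP context is activated, i.e. reachable."""

    def __init__(self):
        self._suid_to_mrc = {}
        self._active = set()

    def provision(self, suid: str, any_addr_in_block: str) -> None:
        self._suid_to_mrc[suid] = mrc_address(any_addr_in_block)

    def activate(self, addr: str) -> None:
        """SNDCP activation of an MRC or MDP address."""
        self._active.add(addr)

    def hello(self, suid: str) -> None:
        """SU-initiated Hello: tells the KMF that the MRC address is now active."""
        self.activate(self._suid_to_mrc[suid])

    def resolve(self, suid: str) -> Optional[str]:
        """DNS-style lookup used for OTAR; answers only once the MRC is reachable."""
        mrc = self._suid_to_mrc.get(suid)
        return mrc if mrc in self._active else None

    def reachable(self, addr: str) -> bool:
        return addr in self._active
```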
IP Addressing and Roaming

Routing of the outbound packets:

- IP packets destined to an IP address of an MDP or an MRC are always first routed to the MRC's Home RFSS
- When the MRC roams in a serving RFSS area, outbound IP packets have to be routed from the MRC's Home RFSS to the new serving RFSS area
- Mobile IP has been designed for such a purpose
Mobile IP: main principles

- Mobile IP enables transparent routing of an IP packet to a mobile endpoint over an IP network
- The mobile endpoint has a fixed IP address, the so-called Home address, in a home network
- When moving outside the Home network, the mobile endpoint registers with mobility agents (local foreign agent and remote Home agent) that tunnel and route IP packets to the mobile host
- Home agent: tunnels IP packets to the mobile endpoint and maintains the mobile's location info
- Foreign agent: provides the IP routing function (IP de-tunneling) to the mobile endpoint once registered with the Home agent
Mobile IP: Outbound transmission

[Figure: External Node, Home network (Home Agent), IP-based network, Visited network (Foreign Agent), Mobile endpoint; a Mobile IP tunnel runs from the Home agent to the Foreign agent.]

1. IP datagram to the mobile endpoint
2. Home agent receives the IP datagram destined to the mobile endpoint
3. Home agent tunnels the packets to the foreign agent
4. Foreign agent routes the datagram to the mobile endpoint
Mobile IP: Inbound transmission

[Figure: Mobile endpoint in the Visited network (Foreign Agent), Home network (Home Agent), network, External Node.]

1. Mobile endpoint sends a datagram to an external node, with the foreign agent acting as default gateway
2. Foreign agent routes the datagram
Mobile IP: Application on the ISSI

- Mobile endpoint = RFSS endpoint at which the activated PDP context is located
- A new Mobile IP tunnel is put in place on the ISSI each time an MDP or an MRC activates a PDP context in a serving RFSS's area (i.e. outside its Home RFSS area)

[Figure: MRCs attached over Um/Um2 and A to the Serving RFSS and the Home RFSS (P25 Realm); Mobile IP tunnel over the ISSI between the Serving RFSS and the Home RFSS; Data Servers.]
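An added model of the ISSI tunnelling described above, not code from the proposal: the home agent accepts a binding update only when it is authenticated, then tunnels outbound packets for the roaming MRC's sub-network to the foreign agent's care-of address, which de-tunnels them. The addresses, the shared registration key and the HMAC-SHA256 tag are assumptions (RFC 3220's default Mobile-Home authentication is keyed MD5).

```python
import hashlib, hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class IPPacket:
    src: str
    dst: str
    payload: bytes
    inner: Optional["IPPacket"] = None   # set on a Mobile IP (IP-in-IP) tunnel packet

def mobile_subnet_base(addr: str) -> str:
    """MRC address (low two bits cleared) of the P25 Mobile Sub-network holding addr."""
    o = addr.split(".")
    return ".".join(o[:3] + [str(int(o[3]) & 0xFC)])

def registration_tag(key: bytes, mrc_addr: str, coa: Optional[str]) -> bytes:
    """Mobile-Home authentication of a registration (HMAC-SHA256 is assumed
    here; RFC 3220's default algorithm is keyed MD5)."""
    return hmac.new(key, f"{mrc_addr}|{coa or ''}".encode(), hashlib.sha256).digest()

class HomeAgent:
    """Home RFSS: keeps the binding MRC sub-network -> care-of address (CoA)."""
    def __init__(self, address: str, reg_keys: dict):
        self.address = address
        self.reg_keys = reg_keys       # MRC address -> shared registration key
        self.bindings = {}             # MRC address -> foreign agent CoA

    def register(self, mrc_addr: str, coa: Optional[str], tag: bytes) -> bool:
        """PDP context activated in a serving RFSS (coa set) or back home (None)."""
        key = self.reg_keys.get(mrc_addr)
        if key is None or not hmac.compare_digest(registration_tag(key, mrc_addr, coa), tag):
            return False               # unauthenticated binding update: refused
        if coa is None:
            self.bindings.pop(mrc_addr, None)
        else:
            self.bindings[mrc_addr] = coa
        return True

    def route(self, pkt: IPPacket) -> IPPacket:
        """Outbound packet arriving at the home RFSS: deliver or tunnel over the ISSI."""
        coa = self.bindings.get(mobile_subnet_base(pkt.dst))
        if coa is None:
            return pkt                 # MRC at home: handed to SNDCP directly
        # IP-in-IP as in RFC 3220: outer source = home agent, outer destination = CoA
        return IPPacket(src=self.address, dst=coa, payload=b"", inner=pkt)

class ForeignAgent:
    """Serving RFSS: de-tunnels and hands the inner packet to SNDCP."""
    def __init__(self, address: str):
        self.address = address

    def deliver(self, pkt: IPPacket) -> IPPacket:
        if pkt.dst == self.address and pkt.inner is not None:
            return pkt.inner           # Mobile IP de-tunneling
        return pkt                     # inbound direction: plain default-gateway routing
```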
IPSec/ESP for confidentiality: Main principle

- One security association is defined per application and per direction in order to define the security policy to be applied:
  - Indexed by the SPI (Security Parameters Index) field in the ESP header
  - Open to specific P25 encryption and key distribution
  - Encryption may be by-passed if needed
- Two encapsulation modes:
  - Transport mode: IP Header | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
    - The IPSec tunnel is created between the two hosts at which the data applications are located
    - The transport packet is encrypted
  - Tunnel mode: IP Header | ESP Header | IP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
    - The IPSec tunnel is created between two security gateways which may route the IP packet once decrypted
    - The IP packet is encrypted
IPSec/ESP for confidentiality: Application in the MRC

Standard application of IPSec in the MRC:

- All the inbound and outbound IP packets would be tunneled within an IPSec packet always conveying the IP address of the MRC
- This would hide the real serviced IP address, thus preventing SNDCP from delivering the required quality of service over the air interface

[Figure: MRC stack with IPSec above IP above SNDCP; the serviced IP address is on the MDP, while the PDP context only sees the IP address of the extremity of the IPSec tunnel (the MRC).]
IPSec/ESP for confidentiality: Application in the MRC (cont'd)

To make the serviced IP address visible at the SNDCP, we propose to move the end-to-end encryption of the IPSec standard (ESP) to the SNDCP layer.

[Figure: MRC stack with IP above ESP/SNDCP; the serviced IP address, on the MRC or the MDP, is visible to the PDP context.]
IPSec/ESP for confidentiality: Application

Application in the MRC:

- The MRC performs end-to-end encryption at the SNDCP level
- From the perspective of the entities addressing an MDP, the extremity of the IPSec tunnel is the MDP
- The SNDCP level at the MRC may perform compression before encryption

Application in the data servers:

- Common IPSec implementation
SNDCP adaptation

- Headers of the IPSec packet can be compressed/decompressed over the air by SNDCP:
  - IP header and ESP header compression (IPHC)
  - TCP/UDP headers may not be compressed for an encrypted flow
- ESP payload compression/decompression is performed at the SNDCP layer of the MRC for an end-to-end encrypted flow:
  - Use of an IPR-free compression algorithm such as Deflate
SNDCP adaptation (cont'd)

For an inbound flow:

- SNDCP at the MRC performs:
  1. Transport packet compression
  2. Transport packet encryption and encapsulation in an IPSec packet
  3. IPSec header compression
- SNDCP at the FNE performs IPSec header decompression
- The Data Server performs the reverse of the first two actions performed at the MRC
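As an added example (not the proposal's code) of the first two MRC-side steps above in transport mode and of the Data Server's reverse path: Deflate compression before encryption, one SA per direction looked up by SPI, a NULL-encryption SA for the by-pass case, and the size comparison that motivates the ordering. The HMAC-based keystream stands in for the P25-specific cipher the proposal leaves open; keys, SPIs and the sample packet are constructed.

```python
import hashlib, hmac, struct, zlib
from dataclasses import dataclass

@dataclass
class SecurityAssociation:   # one SA per application and per direction, indexed by SPI
    spi: int
    enc_key: bytes
    auth_key: bytes
    encrypt: bool = True   # False = NULL encryption (the "by-passed" case)
    seq: int = 0           # sender: last sent; receiver: highest accepted

def deflate(data: bytes) -> bytes:   # raw DEFLATE (RFC 1951), IPR-free
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def _xor_stream(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    # Keystream stand-in (HMAC-SHA256 in counter mode) for the P25-specific
    # cipher the proposal leaves open; an assumption, not the page's algorithm.
    ks = b"".join(hmac.new(key, struct.pack(">III", spi, seq, i), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_encapsulate(sa: SecurityAssociation, transport_pkt: bytes) -> bytes:
    """SNDCP at the MRC: 1. compress, 2. encrypt and build the ESP packet."""
    sa.seq += 1
    body = deflate(transport_pkt)                       # step 1: compression
    if sa.encrypt:                                      # step 2: encryption
        body = _xor_stream(sa.enc_key, sa.spi, sa.seq, body)
    hdr = struct.pack(">II", sa.spi, sa.seq)            # ESP header: SPI, sequence
    icv = hmac.new(sa.auth_key, hdr + body, hashlib.sha256).digest()[:12]
    return hdr + body + icv                             # ICV covers header + body

def esp_decapsulate(sa_table: dict, esp_pkt: bytes) -> bytes:
    """Data Server side: SA by SPI, ICV and replay checks, decrypt, inflate."""
    spi, seq = struct.unpack(">II", esp_pkt[:8])
    sa = sa_table[spi]
    hdr, body, icv = esp_pkt[:8], esp_pkt[8:-12], esp_pkt[-12:]
    expected = hmac.new(sa.auth_key, hdr + body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP integrity check failed")
    if seq <= sa.seq:
        raise ValueError("replayed or out-of-order sequence number")
    sa.seq = seq
    if sa.encrypt:
        body = _xor_stream(sa.enc_key, spi, seq, body)
    return zlib.decompress(body, -15)

def compression_order_sizes(sa: SecurityAssociation, transport_pkt: bytes):
    """Sizes for compress-then-encrypt vs encrypt-then-compress."""
    right = len(deflate(transport_pkt))
    wrong = len(deflate(_xor_stream(sa.enc_key, sa.spi, 1, transport_pkt)))
    return right, wrong

# Constructed sample: a UDP-like 8-byte header plus a repetitive AVL payload.
SAMPLE_PKT = b"\x04\xd2\x16\x2e\x01\xd8\x00\x00" + b"AVL,lat=45.5017,lon=-73.5673;" * 16
```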
Inbound flow from an MDP to an external data server

ESP encapsulation is performed at the SNDCP level in the MRC.

[Figure: MDP, MRC (over Um), MRC's serving RFSS (over A), Data Server; the ESP tunnel runs end-to-end from the MDP/MRC to the Data Server.]
Inbound flow: ESP in transport mode

1. At the MDP: IP Header (S: MDP, D: Data Srv) | TCP/UDP Header | Payload
2. MRC: IP payload compression and encryption, IPSec packet construction, IP header compression (IPHC), SNDCP encapsulation:
   SNDCP Header | IP Header (S: MDP, D: Data Srv) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
   (IP and ESP headers compressed by SNDCP; TCP/UDP header and payload end-to-end compressed and encrypted)
3. Serving RFSS: SNDCP decapsulation, IPSec header decompression:
   IP Header (S: MDP, D: Data Srv) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
4. Data Server: IPSec de-tunneling, decryption, decompression:
   TCP/UDP Header | Payload
Outbound flow from a data server to an MDP located in the MRC's Home RFSS area

From the perspective of the Data Server, the destination of the IPSec tunnel is located on the MDP.

[Figure: Data Server, Home RFSS, MRC (over A), MDP (over Um); the ESP tunnel runs end-to-end from the Data Server to the MDP.]
Outbound flow from an external data server to an MDP not located in the MRC's Home RFSS area

When the MDP IP address is activated from the MRC's serving RFSS (i.e. the MRC is not registered in its Home RFSS area), then:

- A Mobile IP foreign agent is activated in the serving RFSS area.
- Thus, IP packets destined for the MDP are first routed to the MRC's Home RFSS, then tunneled towards the foreign agent.

[Figure: Data Server attached to the Home RFSS over Ed; Mobile IP tunnel over the ISSI from the Home RFSS to the Serving RFSS; MRC attached to the Serving RFSS over A, MDP over Um; the ESP tunnel runs end-to-end from the Data Server to the MDP.]
Outbound flow: ESP in transport mode

1. At the Data Server: TCP/UDP Header | Payload
2. Data Server: IP payload compression and encryption, IPSec packet construction:
   IP Header (S: Data Srv, D: MDP) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
   (TCP/UDP header and payload end-to-end compressed and encrypted)
3. Home RFSS: Mobile IP encapsulation towards the MDP's Care-Of address:
   IP Header (S: Data Srv, D: CoA) | IP Header (S: Data Srv, D: MDP) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
4. Serving RFSS: Mobile IP de-tunneling, IPSec header compression, SNDCP encapsulation:
   SNDCP Header | IP Header (S: Data Srv, D: MDP) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
   (IP and ESP headers compressed by SNDCP)
5. MRC: IPSec header decompression, end-to-end decryption and decompression, and construction of the IP packet to be routed towards the MDP:
   IP Header (S: Data Srv, D: MDP) | TCP/UDP Header | Payload
From an MDP to another MDP not located in its Home RFSS

- MDP A knows the IP address of MDP B by local provisioning
- ESP is always performed in transport mode

[Figure: MDP A behind MRC A (Um) in MRC A's Serving RFSS (A); MDP B's Home RFSS reached over the ISSI; Mobile IP tunnel from MDP B's Home RFSS to MDP B's serving RFSS; MRC B (A) and MDP B (Um); the ESP tunnel runs end-to-end from MDP A to MDP B.]
From an MDP to another MDP not located in its Home RFSS: ESP in transport mode

1. At MDP A: IP Header (S: MDP A, D: MDP B) | TCP/UDP Header | Payload
2. MRC A: IP payload compression, encryption, IPSec packet construction, IPSec header compression (IPHC), SNDCP encapsulation:
   SNDCP Header | IP Header (S: MDP A, D: MDP B) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
   (IP and ESP headers compressed by SNDCP; TCP/UDP header and payload end-to-end compressed and encrypted)
3. Serving RFSS of MRC A: IPSec header decompression, IPSec packet construction at the SNDCP FNE:
   IP Header (S: MDP A, D: MDP B) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
4. Home RFSS of MDP B: Mobile IP encapsulation towards MDP B's Care-Of address:
   IP Header (S: MDP A, D: CoA) | IP Header (S: MDP A, D: MDP B) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
5. Serving RFSS of MDP B: Mobile IP foreign agent and SNDCP at the FNE:
   SNDCP Header | IP Header (S: MDP A, D: MDP B) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
   (IP and ESP headers compressed by SNDCP)
6. MRC B: IPSec header decompression, end-to-end decryption, decompression and construction of the IP packet to be routed to the MDP:
   IP Header (S: MDP A, D: MDP B) | TCP/UDP Header | Payload
Stack Model Reference

[Figure: protocol stacks of the MDP (TCP/UDP over IP), the MRC (IP over Compression/ESP/SNDCP), the SNDCP FNE (IP over SNDCP) and the Data Server (TCP/UDP over Compression/ESP over IP); interface A between MDP and MRC, Um/Um2 between MRC and SNDCP FNE; Mobile IP on the ISSI for outbound IP packet tunneling.]
Architecture Extension for external data server

If the external data server does not have end-to-end encryption capability, a Data Security Gateway has to do it:

[Figure: MRCs attached over Um/Um2 and A to the P25 Network (P25 Realm); Security Gateway attached over Ed; External Data Server on a private network behind the Security Gateway over Edr; the sub-systems performing end-to-end encryption are the MRCs and the Security Gateway.]
Architecture extension for external data server

ESP in tunnel mode shall be used (instead of transport mode):

- For IP packets coming from the P25 realm, the Data Security Gateway performs end-to-end decryption and routes the IP packet encapsulated by the ESP header towards the external data server.
- For IP packets going to the P25 realm, the IP packet is encapsulated by the ESP header and end-to-end encrypted.
- In tunnel mode, the headers of the IP packet and of the IP packet encapsulated by ESP may be compressed.
Architecture extension for external data server: SNDCP supplementary adaptation

For an inbound flow:

- SNDCP at the MRC performs:
  1. IP header compression
  2. IP packet compression
  3. IP packet encryption and encapsulation in an IPSec packet
  4. IPSec header compression
- SNDCP at the FNE performs IPSec header decompression
- The Data Security Gateway performs the reverse of operations 1, 2 and 3
Inbound flow from an MDP to an external data server

ESP encapsulation in tunnel mode is performed at the SNDCP level in the MRC.

[Figure: MDP, MRC (over Um), MRC's Serving RFSS (over A), Security Gateway, External Data Server (over Edr); the ESP tunnel runs from the MDP/MRC to the Security Gateway.]
Inbound flow: ESP in tunnel mode

1. At the MDP: IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload
2. MRC: IP header compression (IPHC), IP payload compression, IPSec packet construction, IPSec header compression (IPHC), SNDCP encapsulation:
   SNDCP Header | IP Header (S: MDP, D: SGW) | ESP Header | IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload | ESP trailer | Integrity Check
   (outer IP and ESP headers compressed by SNDCP; inner IP packet end-to-end compressed and encrypted)
3. Serving RFSS: SNDCP decapsulation, IPSec header decompression:
   IP Header (S: MDP, D: SGW) | ESP Header | IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload | ESP trailer | Integrity Check
4. Security Gateway: IPSec de-tunneling, decryption, decompression, IP header decompression:
   IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload
Outbound flow from an external data server to an MDP located in a serving RFSS area

- From the perspective of the Security Gateway, the destination of the IPSec tunnel is located on the MDP
- ESP encapsulation is performed in tunnel mode in order to keep the IP address of the external data server in the end-to-end encrypted IP packet

[Figure: External Data Server (over Edr), Security Gateway (over Ed), Home RFSS, Mobile IP tunnel over the ISSI to the Serving RFSS, MRC (over A), MDP (over Um); the ESP tunnel runs end-to-end from the Security Gateway to the MDP.]
Outbound flow: ESP in tunnel mode

1. At the External Server: IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload
2. Security Gateway: IP header compression (IPHC), IP payload compression, IPSec packet construction:
   IP Header (S: SGW, D: MDP) | ESP Header | IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload | ESP trailer | Integrity Check
   (inner IP packet end-to-end compressed and encrypted)
3. Home RFSS: Mobile IP encapsulation towards the MDP's Care-Of address:
   IP Header (S: SGW, D: CoA) | IP Header (S: SGW, D: MDP) | ESP Header | IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload | ESP trailer | Integrity Check
4. Serving RFSS (Mobile IP de-tunneling, SNDCP encapsulation):
   SNDCP Header | IP Header (S: SGW, D: MDP) | ESP Header | IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload | ESP trailer | Integrity Check
   (outer IP and ESP headers compressed by SNDCP)
5. MRC: IPSec header decompression, end-to-end decryption, decompression and IP header decompression, and construction of the IP packet to be routed to the MDP:
   IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload
Summary and conclusion

Recommendations:

- Use a Mobile IP tunnel on the ISSI for outbound packet routing towards P25 MDPs and MRCs
- Use the ESP/IPSec standard in transport mode for data transactions within the P25 realm
- Use the ESP/IPSec standard in tunnel mode for data transactions with an external data server connected beyond a data security gateway
- Re-visit SNDCP header and payload compression to ensure interoperable compression
- Use an IPR-free compression algorithm (Deflate for instance) for the payload
- Use SUID addresses and DNS resolution instead of RSI addressing for OTAR
RFC References

- RFC 3220: Mobile IP
- RFC 2401: IPSec
- RFC 2406: ESP
- RFC 2507: IPHC
- RFC 1951: Deflate

Thank you
