Outline
1. Introduction
2. Addressing Principles
3. Roaming
4. End-to-end encryption and compression
5. SNDCP adaptation
6. Architecture for external data servers connected beyond a data security gateway
7. Conclusion
Abbreviations
AVL: Automatic Vehicle Location
CoA: Care-of Address (Mobile IP)
DNS: Domain Name System
ES: External (Data) Server
ESP: Encapsulating Security Payload
FNE: Fixed Network Equipment
IP: Internet Protocol
IPHC: IP Header Compression
IPSec: Internet Protocol Security
ISSI: Inter-RF Sub-System Interface
KMF: Key Management Facility
MDP: Mobile Data Peripheral
MRC: Mobile Radio Controller (P25 Radio Terminal)
OTAR: Over-The-Air Rekeying
PDP context: Packet Data Protocol (SNDCP) context
RFSS: Radio Frequency Sub-System
RSI: Radio Set Identifier
SGW: Security Gateway
SNDCP: Sub-network Dependent Convergence Protocol
SPI: Security Parameters Index
SU: Subscriber Unit
SUID: Subscriber Unit Identity
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
Introduction
Where are the end-to-end encryption endpoints?
In the MRCs
In Data Servers
[Figure: two MRCs, each with its A interface, attached over Um/Um2 to the P25 Realm (P25 Network), which connects over the Ed interface to the Data Servers]
Addressing principles
[Figure: RFSS <Um, Um2 (SNDCP)> MRC]
Addressing principles (contd)
Each P25 Mobile Sub-network (one MRC and its MDPs) has one P25 address: the SUID of the MRC.
Simple engineering rules ease IP routing and avoid further interoperability issues:
Each Mobile Sub-network is a /30 IP block: the address with the two low bits set (address | 0x03) identifies the subnet
The address with the two low bits cleared (address & 0xFC) is the address of the MRC
The remaining addresses are the IP addresses of the MDP(s)
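The /30 rule above, written as a checkable function. This is an added example, not code from the presentation; the addresses used in the tests are assumed. It derives the MRC, the MDP slots and the subnet identifier from any address in the block, and reports the two mistakes the rule forbids: an MDP address outside its MRC's /30 and more than two MDPs on one MRC.

```python
"""Added example: the /30 mobile sub-network rule from the slide, as a checkable function."""
import ipaddress

MDP_SLOTS = (1, 2)   # only two MDP addresses exist between the MRC (..00) and the subnet id (..11)


def mobile_subnet(addr: str) -> dict:
    """Derive the whole mobile sub-network from any address inside it:
    address & 0xFC is the MRC, address | 0x03 identifies the subnet, the rest are MDPs."""
    a = int(ipaddress.IPv4Address(addr))
    mrc = a & ~0x03
    return {
        "network": str(ipaddress.ip_network((mrc, 30))),
        "mrc": str(ipaddress.IPv4Address(mrc)),
        "mdps": [str(ipaddress.IPv4Address(mrc + i)) for i in MDP_SLOTS],
        "subnet_id": str(ipaddress.IPv4Address(a | 0x03)),
    }


def classify(addr: str) -> str:
    """Role of an address under the rule, decided by its two low bits."""
    low = int(ipaddress.IPv4Address(addr)) & 0x03
    return {0: "MRC", 3: "subnet identifier"}.get(low, "MDP")


def check_assignment(mrc: str, mdps: list) -> list:
    """Return the engineering-rule violations for an MRC and the MDP addresses attached to it:
    a non-MRC address used as MRC, an MDP outside the MRC's /30, or more MDPs than the two slots."""
    problems = []
    if classify(mrc) != "MRC":
        problems.append(f"{mrc} is not an MRC address (low two bits must be 00)")
    net = mobile_subnet(mrc)
    for m in mdps:
        if m not in net["mdps"]:
            problems.append(f"{m} is not an MDP address of {net['network']}")
    if len(set(mdps)) > len(MDP_SLOTS):
        problems.append(f"{len(set(mdps))} MDPs exceed the {len(MDP_SLOTS)} slots of a /30")
    return problems
```

The practical consequence of the rule is the last check: a /30 leaves exactly two MDP addresses per MRC, so a third data peripheral needs a second MRC (and a second SUID), not a bigger block.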
IP Addressing and Roaming
Mobile IP: main principles
Mobile IP: Outbound transmission
[Figure: 1- an IP datagram addressed to the mobile endpoint is sent over the IP based network and reaches the Home Agent; 3- the Home Agent tunnels the packets through a Mobile IP tunnel to the foreign agent serving the Mobile endpoint]
Mobile IP: Inbound transmission
[Figure: External Node, Home network, Network, Visited network with its Foreign Agent]
Mobile IP: Application on the ISSI
[Figure: MRC <Um, Um2> Serving RFSS <ISSI, Mobile IP tunnel> Home RFSS <Ed> Data Servers, all within the P25 Realm]
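The home-agent side of the Mobile IP tunnel described above, as an added example in Python that is not part of the presentation. It uses RFC 2003 IP-in-IP encapsulation: the Home RFSS routes packets for MDPs that are registered at home natively and tunnels packets for roaming MDPs to the care-of address of the foreign agent in the serving RFSS, which strips the outer header. All addresses, the agent names and the binding table are assumptions for the example.

```python
"""Added example: RFC 2003 IP-in-IP forwarding by the Home RFSS (home agent) towards
the foreign agent in the serving RFSS, as the Mobile IP slides describe."""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-in-IP encapsulation
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); rejects a header whose checksum does not verify."""
    hdr = packet[:20]
    if len(hdr) < 20 or checksum(hdr) != 0:
        raise ValueError("bad IPv4 header")
    return (str(ipaddress.IPv4Address(hdr[12:16])), str(ipaddress.IPv4Address(hdr[16:20])),
            hdr[9], packet[20:])


class HomeAgent:
    """Home RFSS behaviour for packets arriving on the Ed interface: MDPs registered at
    home are routed natively, roaming MDPs are tunneled to their care-of address (the
    foreign agent in the serving RFSS) over the ISSI."""

    def __init__(self, address: str):
        self.address = address
        self.bindings = {}   # MDP home address -> care-of address

    def register(self, home_addr: str, care_of: str) -> None:
        self.bindings[home_addr] = care_of

    def deregister(self, home_addr: str) -> None:
        self.bindings.pop(home_addr, None)

    def route(self, packet: bytes):
        """Return ('home', packet) or ('issi', encapsulated packet)."""
        _, dst, _, _ = parse_ipv4(packet)
        care_of = self.bindings.get(dst)
        if care_of is None:
            return "home", packet
        outer = ipv4_header(self.address, care_of, IPPROTO_IPIP, len(packet))
        return "issi", outer + packet


def foreign_agent_decapsulate(packet: bytes) -> bytes:
    """Serving RFSS end of the tunnel: strip the outer header, hand the inner packet to SNDCP."""
    _, _, proto, inner = parse_ipv4(packet)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return inner


def demo() -> bool:
    """Addresses are assumed for the example: HA 192.0.2.1, data server 192.0.2.50,
    MDP home address 10.1.2.5, foreign agent (care-of) 198.51.100.7."""
    ha = HomeAgent("192.0.2.1")
    ha.register("10.1.2.5", "198.51.100.7")
    inner = ipv4_header("192.0.2.50", "10.1.2.5", IPPROTO_UDP, 4) + b"data"
    hop, pkt = ha.route(inner)
    return hop == "issi" and foreign_agent_decapsulate(pkt) == inner
```

Note that the tunnel adds 20 bytes per packet on the ISSI and that the inner packet, including its destination (the MDP's home address), travels in clear inside it; confidentiality is left to the ESP layer discussed in the next section, which is why the two mechanisms are stacked rather than merged.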
IPSec/ESP for confidentiality: Main principle
Tunnel Mode
[Figure: IP Header | ESP Header | IP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check. The IPSec tunnel is created between two security gateways, which may route the IP packet once decrypted; the whole original IP packet is encrypted]
IPSec/ESP for confidentiality: Application in the MRC
Standard application of IPSec in the MRC:
all inbound and outbound IP packets would be tunneled within an IPSec packet that always carries the IP address of the MRC
This would hide the real serviced IP address (that of the MDP), preventing SNDCP from delivering the required quality of service over the air interface
[Figure: protocol stack layers IPSec, IP, IP, ESP/SNDCP]
SNDCP adaptation
Inbound flow from an MDP to an external data server
[Figure: MDP <A> MRC <Um> MRC's serving RFSS ... Data Server; the ESP tunnel runs end-to-end from the MRC to the Data Server]
Inbound flow: ESP in transport mode
[Figure: original packet IP Header (S: MDP, D: Data Srv) | TCP/UDP Header | Payload; in transport mode the IP header is kept in clear and the TCP/UDP Header | Payload part is protected by ESP]
Outbound flow from a data server to an MDP located in the MRC's Home RFSS area
[Figure: Data Server ... Home RFSS <Um> MRC <A> MDP; the ESP tunnel runs end-to-end from the Data Server to the MRC]
Outbound flow from an external data server to an MDP not located in the MRC's Home RFSS area
When the MDP IP address is activated from the MRC's serving RFSS (i.e. the MRC is not registered in its Home RFSS area):
A Mobile IP foreign agent is activated in the serving RFSS area.
IP packets destined for the MDP are therefore first routed to the MRC's Home RFSS, then tunneled towards the foreign agent.
[Figure: Data Server <Ed> Home RFSS <ISSI, Mobile IP tunnel> Serving RFSS <Um> MRC <A> MDP; the ESP tunnel runs end-to-end from the Data Server to the MRC]
Outbound flow: ESP in transport mode
[Figure: MDP A <A> MRC A <Um> MRC A's Serving RFSS <ISSI> MDP B's Home RFSS <Mobile IP tunnel> MDP B's serving RFSS <Um> MRC B <A> MDP B; the ESP tunnel runs end-to-end from MRC A to MRC B]
From an MDP to another MDP not located in its Home RFSS: ESP in transport mode
[Figure: packet transformations along the path]
Original packet from MDP A: IP Header (S: MDP A, D: MDP B) | TCP/UDP Header | Payload
MRC A (IP payload compression, encryption, IPSec packet construction, IPSec header compression (IPHC), SNDCP encapsulation): SNDCP Header | IP Header (S: MDP A, D: MDP B, compressed by SNDCP) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check; the TCP/UDP Header and Payload are end-to-end compressed and encrypted and the IPSec header is compressed
Serving RFSS (IPSec header decompression, IPSec packet construction at the SNDCP FNE): IP Header (S: MDP A, D: MDP B) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
MDP B's Home RFSS (Mobile IP encapsulation): Mobile IP encapsulation header | IP Header (S: MDP A, D: MDP B) | ESP Header | TCP/UDP Header | Payload | ESP trailer | Integrity Check
[Figure: protocol stacks. MDP A: TCP/UDP, IP; MRC A: Compression/ESP, IP, ESP/SNDCP over the A and Um/Um2 interfaces; peer side: TCP/UDP, IP, Compression/SNDCP]
Architecture Extension for external data server
[Figure: MRCs <Um, Um2> P25 Realm (P25 Network) <Ed> Security Gateway <Edr, private network> External Data Server; label: Sub-system performing end-to-end encryption]
Architecture extension for external data server: SNDCP supplementary adaptation
For an inbound flow:
SNDCP at the MRC performs:
1. IP header compression
2. IP packet compression
3. IP packet encryption and encapsulation in an IPSec packet
4. IPSec header compression
SNDCP at the FNE performs IPSec header decompression
The Data Security Gateway performs the reverse of operations 1, 2 and 3
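An added example, not code from the presentation, covering two passages: the transport-versus-tunnel question raised under "Application in the MRC" (which IP addresses the RFSS and SNDCP can still see) and the compress-then-encrypt chain of the SNDCP adaptation above. It is stdlib-only Python: Deflate for step 2 (the compression the conclusion recommends), an RFC 4303 ESP header, trailer and 16-byte ICV, and a keystream stand-in derived with HMAC-SHA256 in place of the real ESP cipher. The 12-byte IP header, the key values and all addresses (MDP 10.1.2.5, external server 203.0.113.10, security gateway 192.0.2.20) are assumptions for the example; IPHC on the IPSec header is not modelled.

```python
"""Added example: ESP framing in transport vs tunnel mode, with SNDCP-style
compress-then-encrypt. Stdlib only; the cipher is a keystream stand-in, not a real ESP cipher."""
import hashlib
import hmac
import ipaddress
import struct
import zlib

ESP_PROTO = 50        # IP protocol number of ESP
IPPROTO_IPV4 = 4      # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_UDP = 17
ICV_LEN = 16          # HMAC-SHA-256-128 integrity check value (RFC 4868)


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Simplified 12-byte IP header stand-in (assumed for the example): src, dst, next protocol."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + bytes([proto, 0, 0, 0]))


def read_ip_header(pkt: bytes):
    """Return (src, dst, proto, rest); the first three are all the RFSS/SNDCP sees in clear."""
    return (str(ipaddress.IPv4Address(pkt[:4])), str(ipaddress.IPv4Address(pkt[4:8])),
            pkt[8], pkt[12:])


def make_sa(spi: int, enc_key: bytes, auth_key: bytes, tunnel_src: str, tunnel_dst: str) -> dict:
    """One direction of a security association; seq/last_seq track RFC 4303 sequence numbers."""
    return dict(spi=spi, enc_key=enc_key, auth_key=auth_key, tunnel_src=tunnel_src,
                tunnel_dst=tunnel_dst, seq=0, last_seq=0)


def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """CTR-style keystream from HMAC-SHA256 over (SPI, seq, block counter). Stand-in for the
    ESP cipher so the example runs offline; as with real CTR, never reuse (key, SPI, seq)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!IIQ", spi, seq, i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_encapsulate(sa: dict, packet: bytes, mode: str) -> bytes:
    """transport: keep the original IP header, protect TCP/UDP header + payload.
    tunnel: protect the whole packet behind a new header sa.tunnel_src -> sa.tunnel_dst.
    Deflate is applied before encryption because ciphertext does not compress."""
    src, dst, proto, upper = read_ip_header(packet)
    if mode == "transport":
        protected, next_hdr, outer = upper, proto, ip_header(src, dst, ESP_PROTO)
    elif mode == "tunnel":
        protected, next_hdr = packet, IPPROTO_IPV4
        outer = ip_header(sa["tunnel_src"], sa["tunnel_dst"], ESP_PROTO)
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    plain = zlib.compress(protected, 9)
    pad_len = (-(len(plain) + 2)) % 4                      # RFC 4303: 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    sa["seq"] += 1
    esp_hdr = struct.pack("!II", sa["spi"], sa["seq"])
    body = keystream_xor(sa["enc_key"], sa["spi"], sa["seq"], plain + trailer)
    icv = hmac.new(sa["auth_key"], esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    return outer + esp_hdr + body + icv


def esp_decapsulate(sa: dict, packet: bytes) -> bytes:
    """Verify the ICV first, reject unknown SPI and replayed sequence numbers, then decrypt."""
    src, dst, proto, rest = read_ip_header(packet)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp_hdr, body, icv = rest[:8], rest[8:-ICV_LEN], rest[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", esp_hdr)
    if spi != sa["spi"] or seq <= sa["last_seq"]:
        raise ValueError("unknown SPI or replayed sequence number")
    sa["last_seq"] = seq
    plain = keystream_xor(sa["enc_key"], spi, seq, body)
    pad_len, next_hdr = plain[-2], plain[-1]
    inner = zlib.decompress(plain[:len(plain) - 2 - pad_len])
    if next_hdr == IPPROTO_IPV4:
        return inner                                        # tunnel mode: original packet
    return ip_header(src, dst, next_hdr) + inner            # transport mode: re-attach header


def demo() -> bool:
    """MDP 10.1.2.5 reports to external server 203.0.113.10 behind SGW 192.0.2.20 (assumed).
    One SA is reused for both modes here only to compare the framing side by side."""
    keys = (b"k" * 32, b"a" * 32)
    mrc_sa = make_sa(0x1001, *keys, "10.1.2.5", "192.0.2.20")
    sgw_sa = make_sa(0x1001, *keys, "10.1.2.5", "192.0.2.20")
    pkt = ip_header("10.1.2.5", "203.0.113.10", IPPROTO_UDP) + b"AVL position report " * 8
    transport = esp_encapsulate(mrc_sa, pkt, "transport")   # RFSS sees MDP -> ES
    tunnel = esp_encapsulate(mrc_sa, pkt, "tunnel")         # RFSS sees MDP -> SGW only
    ok = read_ip_header(transport)[:2] == ("10.1.2.5", "203.0.113.10")
    ok &= read_ip_header(tunnel)[:2] == ("10.1.2.5", "192.0.2.20")
    ok &= esp_decapsulate(sgw_sa, transport) == pkt and esp_decapsulate(sgw_sa, tunnel) == pkt
    return ok
```

Two things the slides argue show up directly in the output. In both modes the outer header still carries the MDP's own address as the tunnel endpoint, so SNDCP can map the packet to the right PDP context; the slide's objection to "standard" IPSec was to an outer header carrying the MRC's address instead. And the tunnel-mode packet is shorter than the clear packet for this repetitive AVL payload only because Deflate runs before the ESP cipher; reversing the order would give no gain over the air.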
Inbound flow from an MDP to an external data server
[Figure: MDP <A> MRC <Um> MRC's Serving RFSS ... Security Gateway <Edr> External Data Server; the ESP tunnel runs end-to-end from the MRC to the Security Gateway]
Inbound flow: ESP in tunnel mode
Original packet: IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload
ESP tunnel mode at the MRC: IP Header (S: MDP, D: SGW) | ESP Header | IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload | ESP trailer | Integrity Check
Security Gateway (IPsec de-tunneling, decryption, decompression, IP header decompression): IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload
Outbound flow from an external data server to an MDP located in a serving RFSS area
From the perspective of the Security Gateway, the destination of the IPSec tunnel is located on the MDP
ESP encapsulation is performed in tunnel mode in order to keep the IP address of the external data server in the end-to-end encrypted IP packet
[Figure: External Data Server <Edr> Security Gateway <Ed> Home RFSS <ISSI, Mobile IP tunnel> Serving RFSS <Um> MRC <A> MDP; the ESP tunnel runs end-to-end from the Security Gateway to the MRC]
Outbound flow: ESP in tunnel mode
Original packet from the External Server: IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload
Security Gateway (ESP tunnel mode): IP Header (S: SGW, D: MDP) | ESP Header | IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload | ESP trailer | Integrity Check; the inner packet is end-to-end compressed and encrypted
Home RFSS (Mobile IP encapsulation towards the MDP's Care-of address): IP Header (S: SGW, D: CoA) | IP Header (S: SGW, D: MDP) | ESP Header | IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload | ESP trailer | Integrity Check
Serving RFSS (end of the Mobile IP tunnel, SNDCP encapsulation): SNDCP Header | IP Header (S: SGW, D: MDP, compressed by SNDCP) | ESP Header | IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload | ESP trailer | Integrity Check
MRC (IPSec header decompression, end-to-end decryption, decompression and IP header decompression, construction of the IP packet to be routed to the MDP): IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload
Summary and conclusion
Recommendations:
Use a Mobile IP tunnel on the ISSI for outbound packet routing towards P25 MDPs and MRCs
Use the ESP/IPsec standard in transport mode for data transactions within the P25 realm
Use the ESP/IPsec standard in tunnel mode for data transactions with an external data server connected beyond a data security gateway
Re-visit SNDCP header and payload compression to ensure interoperable compression
Use an IPR-free compression algorithm (Deflate, for instance) for the payload
Use SUID addresses and DNS resolution instead of RSI addressing for OTAR