Automatic OMCH Establishment Feature Parameter.pdf

7/27/2019 Automatic OMCH Establishment Feature Parameter.pdf

http://slidepdf.com/reader/full/automatic-omch-establishment-feature-parameterpdf 1/66

Huawei Proprietary and Confidential Copyright ©

Huawei Technologies Co., Ltd.

SingleRAN

Automatic OMCH EstablishmentFeature Parameter Description

Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All othertrademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the commercial contract made betweenHuawei and the customer. All or partial products, services and features described in this document maynot be within the purchased scope or the usage scope. Unless otherwise agreed by the contract, allstatements, information, and recommendations in this document are provided "AS IS" without warranties,guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.



SingleRAN

Automatic OMCH Establishment Contents

Draft A (2012-12-30) Huawei Proprietary and Confidential Copyright

© Huawei Technologies Co., Ltd.

i

Contents

1 About This Document .............................................................................................................. 1-1 1.1 Scope ............................................................................................................................................ 1-1 1.2 Intended Audience......................................................................................................................... 1-1 1.3 Change History .............................................................................................................................. 1-1

2 Overview...................................................................................................................................... 2-1 2.1 Introduction.................................................................................................................................... 2-1 2.2 Benefits ......................................................................................................................................... 2-2 2.3 Application Networking Scenarios ................................................................................................. 2-3

3 OMCH Protocol Stacks ............................................................................................................ 3-1 3.1 Non-IPSec Networking Scenario ................................................................................................... 3-1 3.2 IPSec Networking Scenario .......................................................................................................... 3-2

4 Obtaining Transmission Configuration Information ....................................................... 4-1 4.1 DHCP Overview ............................................................................................................................ 4-1

4.1.1 Introduction ........................................................................................................................... 4-1 4.1.2 DHCP Interworking ............................................................................................................... 4-1 4.1.3 DHCP Packet Format ........................................................................................................... 4-2

4.2 Mapping Between DHCP Clients and Servers .............................................................................. 4-4 4.3 DHCP Procedure ........................................................................................................................... 4-4

4.3.1 Base Station Identification .................................................................................................... 4-4 4.3.2 Procedure for Obtaining Configuration Information in Non-IPSec Networking Scenarios ... 4-5 4.3.3 Procedure for Obtaining Configuration Information in IPSec Networking Scenarios ........... 4-6 4.3.4 Procedure for Releasing Allocated Configuration Information ............................................. 4-8

4.4 Schemes for Obtaining VLAN Information for DHCP Packets ...................................................... 4-8 4.4.1 Overview ............................................................................................................................... 4-8 4.4.2 Scheme 1 ........................................................................................................................... 4-10 4.4.3 Scheme 2 ........................................................................................................................... 4-11 4.4.4 Scheme 3 ........................................................................................................................... 4-12 4.4.5 Scheme 4 ........................................................................................................................... 4-13

5 Automatic OMCH Establishment by the Single-mode Base Station and Co-MPTMultimode Base Station ............................................................................................................. 5-1

5.1 Overview ....................................................................................................................................... 5-1 5.2 Automatic OMCH Establishment in Non-IPSec Networking Scenarios ........................................ 5-1

5.2.1 Introduction to Non-IPSec Networking ................................................................................. 5-1 5.2.2 Automatic OMCH Establishment Procedure ........................................................................ 5-1 5.2.3 Configuration Requirements for the DHCP Server ............................................................... 5-2 5.2.4 Configuration Requirements for NEs .................................................................................... 5-8

5.3 Automatic OMCH Establishment in IPSec Networking Scenario 1 ............................................... 5-9 5.3.1 Introduction to IPSec Networking Scenario 1 ....................................................................... 5-9



SingleRAN

Automatic OMCH Establishment Contents



ii

5.3.2 Automatic OMCH Establishment Procedure ...................................................................... 5-10 5.3.3 Configuration Requirements for the Public DHCP Server .................................................. 5-12 5.3.4 Establishing a Temporary IPSec Tunnel ............................................................................. 5-14 5.3.5 Configuration Requirements for the Internal DHCP Server ............................................... 5-16 5.3.6 Obtaining Formal Transmission Configuration Information from the Internal DHCP Server

..................................................................................................................................................... 5-17 5.3.7 Establishing a Formal IPSec Tunnel .................................................................................. 5-20 5.3.8 Configuration Requirements for NEs .................................................................................. 5-21

5.4 Automatic OMCH Establishment in IPSec Networking Scenario 2 ............................................. 5-22 5.4.1 Introduction to IPSec Networking Scenario 2 ..................................................................... 5-22 5.4.2 Automatic OMCH Establishment Procedure ...................................................................... 5-23 5.4.3 Configuration Requirements for the Internal DHCP Server ............................................... 5-23 5.4.4 Configuration Requirements for NEs .................................................................................. 5-24

5.5 Automatic OMCH Establishment in IPSec Networking Scenario 3 ............................................. 5-25 5.5.1 Introduction to IPSec Networking Scenario 3 ..................................................................... 5-25 5.5.2 Automatic OMCH Establishment Procedure ...................................................................... 5-26 5.5.3 Configuration Requirements for the Internal DHCP Server ............................................... 5-27 5.5.4 Configuration Requirements for NEs .................................................................................. 5-28

6 Automatic OMCH Establishment by the Separate-MPT Multimode Base Station ... 6-1 6.1 Networking .................................................................................................................................... 6-1 6.2 Automatic OMCH Establishment Procedure ................................................................................. 6-2 6.3 Configuration Requirements for the DHCP Server ....................................................................... 6-3 6.4 Configuration Requirements for NEs ............................................................................................ 6-3

7 Application Restrictions ......................................................................................................... 7-1 7.1 Configuration Requirements for Base Stations and Other NEs .................................................... 7-1 7.2 Impact of M2000 Deployment on Base Station Deployment by PnP ............................................ 7-3

8 Glossary ...................................................................................................................................... 8-1 9 Reference Documents ............................................................................................................. 9-1



SingleRAN

Automatic OMCH Establishment 1 About This Document



1-1

1 About This Document

1.1 Scope

This document describes the Automatic OMCH Establishment feature, including its implementationprinciples, procedures, and requirements for NEs.

For details about data to prepare before a base station starts the automatic OMCH establishmentprocedure, see 3900 Series Base Station Initial Configuration Guide. For details about software andconfiguration file downloading, activation, and commissioning on a base station after the automaticOMCH establishment procedure is complete, see 3900 Series Base Station Commissioning Guide.

This document applies to IP-based 3900 GSM series base stations, 3900 WCDMA series base stations,3900 LTE series base stations, and 3900 multimode base stations.

1.2 Intended Audience

This document is intended for personnel who:

Are familiar with GSM, WCDMA, and LTE basics

Need to understand Automatic OMCH Establishment

Work with Huawei products

1.3 Change History

This section provides information about the changes in different document versions.

There are two types of changes, which are defined as follows:

Feature change: refers to a change in the Automatic OMCH Establishment feature of a specific

product version. Editorial change: refers to a change in wording or the addition of information that was not described in

the earlier version.

Document Versions

The document version is Draft A (2012-12-30).

Draft A (2012-12-30)

This is a draft.

This is a new document.



SingleRAN

Automatic OMCH Establishment 2 Overview



2-1

2 Overview

2.1 Introduction

Operation and maintenance channels (OMCHs) are established between base stations and theoperation maintenance center (OMC, either the M2000 or BSC). OMCHs are used to transmit operationand maintenance information about base stations and are classified as follows:

OMCHs between the single-mode base station, such as the eGBTS, NodeB, or eNodeB and theM2000, or between the GBTS and the BSC.

OMCHs between the co-MPT multimode base station and the M2000. MPT is short for mainprocessing and transmission unit.

OMCHs between the separate-MPT multimode base station and the M2000. The separate-MPTmultimode base station is comprised of multiple cascaded single-mode base stations and thereforehas multiple OMCHs. For example, OMCHs for the separate-MPT UMTS/LTE dual-mode base stationinclude the OMCH between the NodeB and the M2000, and the OMCH between the eNodeB and the

M2000.

OMCHs between the eGBTS, NodeB, eNodeB, or co-MPT multimode base station and the M2000 arecarried over Transmission Control Protocol (TCP). OMCHs between the GBTS and the BSC are carriedover User Datagram Protocol (UDP). For details about the protocol stacks for OMCHs, see chapter 3"OMCH Protocol Stacks."

One end of an OMCH is located at the main control board of a base station. Depending on the configuration of the maincontrol board, multimode base stations are classified into co-MPT multimode base stations and separate-MPT multimodebase stations. For co-MPT multimode base stations, GSM, UMTS, and LTE modes share the same main control boardand OMCH. For separate-MPT multimode base stations, GSM, UMTS, and LTE modes have their respective main controlboards and OMCHs.

In this document, a base station is used if differentiation among GSM, UMTS, and LTE modes is not required. A GBTS,eGBTS, NodeB, eNodeB, co-MPT multimode base station, or separate-MPT multimode base station is used ifdifferentiation among GSM, UMTS, and LTE modes is required.

The Automatic OMCH Establishment feature enables a powered-on base station, which is configuredwith hardware but no transmission information, to obtain OMCH configuration information through thetransport network and automatically establish an OMCH to the M2000 or BSC. The base station thencan automatically download software and configuration files from the M2000 or BSC over theestablished OMCH and activate them. After being commissioned, the base station enters the workingstate.

This feature applies to base station deployment by plug and play (PnP). Figure 2-1 shows the automaticOMCH establishment phase during base station deployment by PnP.



SingleRAN




2-2

Figure 2-1 Automatic OMCH establishment phase during base station deployment by PnP

To establish an OMCH, a base station needs to obtain the following transmission configurationinformation:

Basic information, including its OM IP address, OM virtual local area network (VLAN) ID, the interfaceIP address, the interface IP address mask, the IP address of the next-hop gateway, the IP address ofthe M2000 or BSC, and the IP address mask of the M2000 or BSC.

Security-related information, including the Certificate Authority (CA) name, transmission protocol(HTTP or HTTPS) used by the CA, CA address, CA port number, CA path, and IP address of thesecurity gateway (SeGW). Obtaining the operator's CA information is required only when the base

station needs to use digital certificates issued by the operator's CA to perform identity authenticationwith other NEs.

For details about how the base station obtains the preceding information, see chapter 4 "ObtainingTransmission Configuration Information."

2.2 Benefits

With the Automatic OMCH Establishment feature, a base station can establish OMCHs by networkcommunication without requiring operations at the local end. This implements remote base stationdeployment by PnP, thereby facilitating base station deployment and reducing the deployment cost andtime.



SingleRAN




2-3

2.3 Application Networking Scenarios

The Automatic OMCH Establishment feature applies to base station deployment by PnP in InternetProtocol Security (IPSec) or non-IPSec networking scenarios. In this document, the IPSec or non-IPSecnetworking indicates that the IP layer communication between the base station and other NEs is securedor not secured by IPSec, respectively.

Table 2-1 describes the application networking scenarios for the Automatic OMCH Establishmentfeature.

Table 2-1 Application networking scenarios

Networking Scenario Description

Non-IPSec IPSec does not secure Dynamic Host Configuration Protocol(DHCP) packets, OMCH data, service data, signaling data, or clockdata.

IPSec Scenario 1 IPSec secures DHCP packets, OMCH data, and all or some of theother data.

Scenario 2 IPSec secures OMCH data and all or some of the other data. It doesnot secure DHCP packets.

Scenario 3: IPSec secures service and signaling data. It neither secures OMCHdata nor all or some of the other data.

For details about how the single-mode base station and co-MPT multimode base station obtain OMCHconfiguration information and establish OMCHs in different scenarios, see chapter 5 "Automatic OMCHEstablishment by the Single-mode Base Station and Co-MPT Multimode Base Station." For details abouthow the separate-MPT multimode base station obtains OMCH configuration information and establishesOMCHs in different scenarios, see chapter 6 "Automatic OMCH Establishment by the Separate-MPTMultimode Base Station."



SingleRAN

Automatic OMCH Establishment 3 OMCH Protocol Stacks



3-1

3 OMCH Protocol Stacks

3.1 Non-IPSec Networking Scenario

Figure 3-1 shows the protocol stacks for an OMCH between the eGBTS, NodeB, eNodeB, or co-MPTmultimode base station and the M2000 in non-IPSec networking scenarios.

Figure 3-1 Protocol stacks for an OMCH between the eGBTS, NodeB, eNodeB, or co-MPT multimode basestation and the M2000 (non-IPSec networking)

As shown in Figure 3-1, an OMCH between the eGBTS, NodeB, eNodeB, or co-MPT multimode basestation and the M2000 is carried over TCP and Secure Sockets Layer (SSL), of which SSL is optional.

The eGBTS, NodeB, eNodeB, or co-MPT multimode base station listens to the TCP connectionestablishment request with a specific TCP port number from the M2000, and establishes the TCPconnection to the M2000 as requested. After the TCP connection is established, the M2000 initiates anOMCH establishment request to the eGBTS, NodeB, eNodeB, or co-MPT multimode base station.

The M2000 can use SSL to perform encryption and authentication for OMCHs and enable theestablishment of SSL-based OMCHs. SSL uses the public key infrastructure (PKI), with which thecommunication between the base station and the M2000 is protected against eavesdropping andtherefore confidentiality and reliability are guaranteed. However, the M2000 should not use digitalcertificate to authenticate a base station if SSL-based OMCHs are to be established during base stationdeployment by PnP. For details about SSL, see SSL Feature Parameter Description.

Figure 3-2 shows the protocol stacks for an OMCH between the GBTS and the BSC in non-IPSecnetworking scenarios.



SingleRAN




3-2

Figure 3-2 Protocol stacks for an OMCH between the GBTS and the BSC (non-IPSec networking)

As shown in Figure 3-2, an OMCH between the GBTS and the BSC is carried over UDP. The GBTSlistens to the UDP connection establishment request with a specific UDP port number from the BSC, andestablishes the UDP connection to the BSC as requested. After the UDP connection is established, theBSC initiates an OMCH establishment request to the GBTS.

3.2 IPSec Networking Scenario

In IPSec networking scenarios, OMCH data can be secured or not secured by IPSec. Figure 3-3 showsthe networking scenario in which IPSec secures OMCH data.

Figure 3-3 Networking scenario in which IPSec secures OMCH data

As shown in Figure 3-3, the network is divided into the trusted domain and the untrusted domain, whichare separated by the SeGW. NEs in the untrusted domain cannot access the NEs in the trusted domain. After a base station starts, it establishes an IPSec tunnel to the SeGW. Packets from the base station aresent over the IPSec tunnel to pass the untrusted domain and then forwarded by the SeGW to the M2000or BSC in the trusted domain.



SingleRAN




3-3

Figure 3-4 shows the protocol stacks for an OMCH between the eGBTS, NodeB, eNodeB, or co-MPTmultimode base station and the M2000 in IPSec networking scenarios.

Figure 3-4 Protocol stacks for an OMCH between the eGBTS, NodeB, eNodeB, or co-MPT multimode basestation and the M2000 (IPSec networking)

Figure 3-5 shows the protocol stacks for an OMCH between the GBTS and the BSC in IPSec networkingscenarios.

Figure 3-5 Protocol stacks for an OMCH between the GBTS and the BSC (IPSec networking)

In IPSec networking scenarios, IPSec secures base station data. IPSec is a security architecture definedby the Internet Engineering Task Force (IETF) and applicable to the IP layer. IPSec secures datacommunication by identity authentication, data encryption, data integrity, and address encryption. Duringthe automatic OMCH establishment procedure, the base station establishes an IPSec tunnel to theSeGW and then an OMCH secured by the IPSec tunnel. The base station uses two types of source anddestination IP addresses:

IP addresses in the untrusted domain, that is, the interface IP addresses used for communication with

the SeGW in the untrusted domain after the base station starts.



SingleRAN




3-4

IP addresses in the trusted domain, that is, the IP addresses used for communication with the M2000,BSC, or a DHCP server that is built into the M2000 (referred to as M2000 DHCP server in thisdocument) in the trusted domain.

The base station uses the interface IP address to access the untrusted domain. Unless otherwise

specified, the base station uses the logical IP address to access the trusted domain.

When using IPSec to secure data, an operator can determine whether to use digital certificates foridentity authentication. If authentication by digital certificates is used, the PKI must be deployed. A basestation interworks with the PKI using Certificate Management Protocol (CMP). During the automaticOMCH establishment procedure, the base station interworks with the operator's PKI to obtain theoperator-issued device certificate and CA root certificate, and establishes an IPSec tunnel to the SeGWand then an OMCH secured by the IPSec tunnel.

For details about IPSec tunnels, see IPSec Feature Parameter Description. For details about digitalcertificate management, see PKI Feature Parameter Description.

During the OMCH establishment procedure, the eGBTS, NodeB, eNodeB, or co-MPT multimode base station listens tospecific TCP port numbers, and the GBTS listens to the UDP port numbers. For details, see Communication Matrix of3900 Series Base Stations. The packets with these port numbers must be allowed to pass through the firewall betweenthe base station and the DHCP server, M2000, or BSC.

After establishing an OMCH to the M2000, the base station uses File Transmission Protocol (FTP) to download softwareand configuration files from the FTP server. FTP runs over TCP/IP, and therefore its transport layer can be secured usingSSL. For details about FTP, see RFC 959.

After establishing an OMCH to the BSC, the GBTS uses the proprietary protocol that runs over UDP to download softwareand configuration files from the BSC.

IPSec networking is not supported by the following base stations:

GBTSs in which the GTMU provides the transmission port.

NodeBs in which the WMPT provides the transmission port.



SingleRAN

Automatic OMCH Establishment 4 Obtaining Transmission Configuration Information



4-1

4 Obtaining Transmission Configuration Information

4.1 DHCP Overview

4.1.1 Introduction

Before an OMCH is established, a base station is not configured with any data and cannot performend-to-end communication with other NEs at the IP layer. To implement this communication, the basestation needs to obtain the following information:

OMCH configuration data, including the OM IP address, OM VLAN ID, interface IP address, interfaceIP address mask, IP address of the next-hop gateway, IP address of the M2000 or BSC, and IPaddress mask of the M2000 or BSC.

During base station deployment by PnP, if the base station needs to use digital certificates issued bythe operator's CA to perform identity authentication with other NEs, it also needs to obtain theoperator's CA information, including the CA name, CA address, CA port number, CA path, and

transmission protocol (HTTP or HTTPS) used by the CA. In IPSec networking scenarios, the base station also needs to obtain SeGW information, including the

SeGW IP address and SeGW local name.

The base station uses DHCP to obtain the preceding information. DHCP is used to allocate anddistribute configuration parameters and adopts the client/server mode. The DHCP procedure involvesthe following logical NEs:

DHCP client: a host that uses DHCP to obtain configuration parameters

DHCP server: a host that allocates and distributes configuration parameters to a DHCP client

DHCP relay agent: an NE that transmits DHCP packets between a DHCP server and a DHCP client. ADHCP relay client must be deployed between a DHCP server and a DHCP client that are in different

broadcast domains.

After a DHCP client accesses the network, it actively exchanges DHCP packets with its DHCP server toobtain configuration parameters. During the exchange, the DHCP server and the DHCP relay agentlisten to DHCP packets in which the destination UDP port number is 67, and the DHCP client listens toDHCP packets in which the destination UDP port number is 68.

4.1.2 DHCP Interworking

Figure 4-1 shows the interworking between a DHCP client and a DHCP server.



SingleRAN




4-2

Figure 4-1 DHCP interworking

1. After the DHCP client starts, it broadcasts a DHCPDISCOVER packet to search for an availableDHCP server. The DHCPDISCOVER packet carries the identification information about the DHCPclient.

2. The DHCP server responds to the DHCPDISCOVER packet with a DHCPOFFER packet.

3. The DHCP client sends a DHCPREQUEST packet to the DHCP server, requesting parameters suchas an IP address.

4. The DHCP server sends a DHCPACK packet to the DHCP client to assign parameters such as an IPaddress.

5. If the assigned parameters cannot be used, for example, an assigned IP address has been used byother DHCP clients, the DHCP client sends a DHCPDECLINE packet to notify the DHCP server.

6. If the DHCP client does not need the assigned parameters any more, it sends a DHCPRELEASEpacket to notify the DHCP server so that the DHCP server can assign these parameters to otherDHCP clients.

4.1.3 DHCP Packet Format

Figure 4-2 shows the example format of DHCP packets shown in Figure 4-1.



SingleRAN




4-3

Figure 4-2 DHCP packet format

NOTE

The actual length and sequence of each field in a DHCP packet in software implementation may be different from thoseshown in Figure 4-2.

In a DHCP packet, the IP and UDP headers are in the standard format, and the DHCP header containsthe DHCP control and configuration information. In the DHCP header, the fields related to automaticOMCH establishment are as follows:

yiaddr: This field carries the interface IP address of the base station.

giaddr: This field carries the IP address of the DHCP relay agent.



SingleRAN




4-4

Option fields: These fields carry other configuration information. They are encoded incode-length-value (CLV) format and consist of many subcodes. Among them, Option 43 carriesHuawei proprietary information elements (IEs) and most configuration information of the base station.For example, subcode 1 in Option 43 carries the electronic serial number (ESN) of the Huawei basestation.

Because Option 43 has a limited length, Option 224 is also used to carry Huawei proprietary IEs inSRAN8.0 or later.

For details about DHCP, see section "Dynamic Host Configuration Protocol (DHCP)" in RFC 2131 and"DHCP Options and BOOTP Vendor Extensions" in RFC 2132.

4.2 Mapping Between DHCP Clients and Servers

In this document, base stations act as DHCP clients. Table 4-1 describes the mapping between basestations and DHCP servers.

Table 4-1 Mapping between base stations and DHCP servers

Base Station Type DHCP Server in Non-IPSecNetworking Scenarios

DHCP Server in IPSecNetworking Scenarios

Single-mode GBTS BSC In the trusted domain: M2000DHCP server

In the untrusted domain:public DHCP server

eGBTS M2000

NodeB M2000 or RNC

eNodeB M2000

Multimode Co-MPTmultimode basestation

M2000

Separate-MPTmultimode basestation

Same as that of each single-modebase station

Unless otherwise specified, "base station controller" in this document is a generic term for GSM and UMTS modes.

The DHCP server and the M2000 are different logical communication entities, although they may be deployed on thesame hardware. Therefore, this document distinguishes between the DHCP server and the M2000.

In SRAN8.0, if single-mode base stations or separate-MPT multimode base stations evolve to co-MPTmultimode base stations, their DHCP servers must migrate to the M2000. Even if the evolution is notimplemented, the migration is recommended, because it provides better function support and paves theway to future smooth upgrades and evolutions.

4.3 DHCP Procedure

4.3.1 Base Station Identification

Upon receiving a DHCP packet from a base station, the DHCP server finds and sends relatedconfiguration information to the base station based on the base station identification (BS ID) contained inthe DHCP packet.



SingleRAN




4-5

The M2000 that matches SRAN8.0 uses the combination of the ESN and slot number or the combinationof the deployment identifier (DID), subrack topology, and slot number as the BS ID.

Base station controllers and M2000s that match versions earlier than SRAN8.0 use the combination ofthe ESN and NE type or the combination of the DID and NE type as the BS ID.

The details about each element in the combinations are as follows:

ESN identifies the baseband unit (BBU) backplane of the base station. Each backplane has a uniqueESN. The ESN is reported by the base station.

DID is scanned into the base station using a barcode scanner connected to the USB port of the maincontrol board. After being scanned into the base station, the DID is broadcast in all BBUs. All maincontrol boards will record the DID and use it as the BS ID in the DHCP procedure.

Subrack topology identifies the interconnection relationship between BBU subracks that areinterconnected using UCIUs. The combination of the DID and subrack topology uniquely identifies aBBU subrack.

Slot number identifies the number of the slot that accommodates the main control board. The slot

number is used to differentiate main control boards in a BBU subrack. If the base station is configuredwith active and standby main control boards, the slot number is that of the active main control board.The slot number is reported by the base station.

NE type indicates whether the base station works in the GSM, UMTS, or LTE mode.

When creating a base station commissioning task by PnP, operators must specify the ESN if the M2000uses the combination of the ESN and slot number as the BS ID. The DID must be included in the basestation configuration file if the M2000 uses the combination of the subrack topology and slot number asthe BS ID.

4.3.2 Procedure for Obtaining Configuration Information inNon-IPSec Networking Scenarios

Procedure for Obtaining Configuration Information with No DHCP Relay Agent

A DHCP client and a DHCP server on the same Layer 2 (L2) network can directly communicate witheach other. The L2 network is a subnet in which broadcast IP packets can be exchanged and forwardedby MAC addresses and VLAN IDs. An example is the Ethernet or a VLAN of the Ethernet.

Figure 4-3 shows the procedure for a base station to obtain configuration information from a DHCPserver when no DHCP relay agent is deployed.

Figure 4-3 Procedure for obtaining configuration information with no DHCP relay agent

The procedure is as follows: After the base station is powered on, it broadcasts a DHCPDISCOVERpacket with the BS ID. The DHCP server then sends configuration information to the base station based

on the BS ID.



SingleRAN




4-6

The DHCP server can be deployed on the L2 network of the base station only when the DHCP server isdeployed on the base station controller instead of the M2000. This is because DHCP packets carry thewell-known UDP port number and the operating system of the M2000 always discards such packets.Therefore, the DHCP server deployed on the M2000 can process only DHCP packets forwarded by theDHCP relay agent, but not DHCP packets broadcast by the base station.

Procedure for Obtaining Configuration Information with a DHCP Relay Agent

If a DHCP server is not deployed on the L2 network of a DHCP client, a DHCP relay agent must beinstalled on the next-hop gateway of the DHCP client to forward DHCP packets. The DHCP relay agentmust be on the same L2 network as the DHCP client, and the DHCP server must be on the Layer 3 (L3)network in which packets are forwarded by IP addresses.

Figure 4-4 shows the procedure for a base station to obtain configuration information from a DHCPserver when a DHCP relay agent is deployed.

Figure 4-4 Procedure for obtaining configuration information with a DHCP relay agent

The procedure is as follows: The DHCP relay agent converts DHCP packets broadcast by the basestation to unicast packets and routes the unicast packets to the DHCP server. The DHCP server sendsunicast response packets to the DHCP relay agent, which then broadcasts received response packetson the L2 network.

4.3.3 Procedure for Obtaining Configuration Information in IPSecNetworking Scenarios

In IPSec networking scenarios, a DHCP server in the trusted domain can be secured or not secured byIPSec. When the DHCP server is secured by IPSec, a public DHCP server in the untrusted domain mustbe deployed. Figure 4-5 shows the OMCH networking in this scenario.



SingleRAN




4-7

Figure 4-5 IPSec OMCH networking

Figure 4-6 shows the two procedures for the base station in Figure 4-5 to obtain transmissionconfiguration information.

Figure 4-6 Two procedures for obtaining transmission configuration information in IPSec networkingscenarios

1. The base station exchanges DHCP packets with a public DHCP server to obtain information, such asthe interface IP address for accessing the untrusted domain and the SeGW IP address. The basestation also needs to obtain the CA IP address if digital certificates are required for identityauthentication with the SeGW. This procedure is referred to as the first DHCP procedure.



SingleRAN




4-8

2. The base station negotiates with the SeGW on the Internet Key Exchange (IKE) security association(SA) and IPSec SA, and then establishes an IPSec tunnel. If digital certificates are required foridentity authentication with the SeGW, the base station must apply to the CA for digital certificatesthat can be identified by the SeGW.

3. The base station exchanges DHCP packets with its M2000 DHCP server to obtain the OM IPaddress used for accessing the trusted domain. This procedure is referred to as the second DHCPprocedure. The second DHCP procedure varies depending on IPSec networking scenarios. Fordetails, see section 5.3.6 "Obtaining Formal Transmission Configuration Information from the InternalDHCP Server."

During the first DHCP procedure, the public DHCP server runs DHCP. It may not supportHuawei-defined DHCP Option fields and fail to identify the BS ID reported by the base station. If thisoccurs, the public DHCP server selects an IP address from the IP address pool and sends it to the basestation. During the second DHCP procedure, the M2000 DHCP server sends configuration parametersto the base station based on the BS ID reported by the base station.

4.3.4 Procedure for Releasing Allocated Configuration Information

When a base station obtains configuration information from its M2000 DHCP server and does not needconfiguration information allocated by a public DHCP server, the base station sends a DHCPRELEASEmessage to the public DHCP server. After receiving the DHCPRELEASE message, the public DHCPserver can redistribute allocated configuration information to other NEs. Figure 4-7 shows the procedurefor releasing allocated configuration information.

Figure 4-7 Procedure for releasing allocated configuration information

In addition to the preceding procedures, DHCP also supports the procedure for updating configuration information. However, base stations in SRAN8.0 do not support the procedure for updating configuration information.

4.4 Schemes for Obtaining VLAN Information for DHCP Packets4.4.1 Overview

Packets sent by a base station on a VLAN-based network must carry the VLAN ID. Before an OMCH isestablished, that is, before the base station sends the first DHCP packet, it must automatically acquireVLAN information after it starts. After acquiring VLAN information, it sends DHCP packets with VLAN IDsto interwork with DHCP servers to obtain transmission configuration information. Table 4-2 describes therecommended schemes for the base station in SRAN8.0 to obtain VLAN information during deployment.



SingleRAN




4-9

Table 4-2 Obtaining VLAN information

ScenarioSN

Scenario Description How to ObtainVLANInformationBase

StationDeploymentMode

Whether IPSec

Secures OMCHData

Requirements for NEs

1 By PnP No N/A Using scheme 1

2 By PnP Yes The SeGW initiates a requestfor IKE negotiation with thebase station. The destinationIP address of the request isthe interface IP address thatthe base station uses toaccess the untrusted domain.

The VLAN information inDHCP packets sent by thebase station must be thesame as the VLANinformation in theconfiguration files of the basestation.

3 By PnP Yes The security policy allows thetransmission of DHCP packetssent by DHCP servers or theM2000 to the base station.

Using scheme 2

4 By PnP Yes The L2 network is configuredwith the default VLAN ID or noVLAN ID.

Using scheme 3

5 By PnP Yes The next-hop gateway of thebase station can periodicallysend ping packets to theinterface IP address of the basestation.

Using scheme 4

6 By USB Either Yes or No N/A From a USBflash drive

If a base station is deployed by USB, it imports transmission configuration information including VLANconfiguration information from the USB. If the base station is deployed by PnP, the scheme for obtainingVLAN information varies depending on whether IPSec secures OMCH data and the capability of NEs:

If IPSec does not secure OMCH data, scheme 1 is used:

The M2000 or BSC actively and periodically sends OMCH establishment requests to the base station. After receiving the requests, the next-hop gateway of the base station sends Address ResolutionProtocol (ARP) packets to the base station. The base station then records VLAN IDs derived from ARPpackets and includes recorded VLAN IDs in DHCP packets.

If IPSec secures OMCH data, any of the following schemes is used:

− Scheme 1



SingleRAN




4-10

− Scheme 2: The DHCP server on the M2000 periodically sends the base station empty packets withthe destination IP address as the interface IP address of the base station. This enables the next-hopgateway of the base station to send ARP packets from which the base station derives VLANinformation.

−

Scheme 3: The base station sends DHCP packets with no VLAN ID, and the L2 network attaches aVLAN ID to DHCP packets sent by the base station. Therefore, the base station does not need toacquire VLAN information.

− Scheme 4: The next-hop gateway of the base station or other NEs periodically send packets to thebase station or an idle address of the subnet in which the base station is deployed. This enables thenext-hop gateway of the base station to send ARP packets from which the base station derives VLANinformation.

4.4.2 Scheme 1

Scheme 1 applies to two scenarios:

IPSec does not secure OMCH data. Figure 4-8 shows the procedure for a base station to obtain VLAN

information in this scenario.

IPSec secures OMCH data and NEs meet specific requirements. Figure 4-9 shows the procedure for abase station to obtain VLAN information in this scenario.

Figure 4-8 Scheme 1 (IPSec does not secure OMCH data

1. The M2000 or BSC sends an OMCH establishment request to the OM IP address of the base station.

2. To forward the OMCH establishment request to the correct base station, the next-hop gateway of thebase station broadcasts ARP packets to obtain the MAC address mapping the destination IP address

of the request. The next-hop gateway or the L2 network attaches VLAN IDs to ARP packets so thatcorrect VLAN IDs are contained in the ARP packets received by the base station.

3. The base station parses all received ARP packets and records the VLAN IDs contained in thepackets. It may record the VLAN ID in an ARP packet destined for another base station.

4. The base station attempts to send all DHCP packets with recorded VLAN IDs. Only DHCP packetswith correct VLAN IDs can reach the DHCP relay agent.



SingleRAN




4-11

Figure 4-9 Scheme 1 (IPSec secures OMCH data)

1. The M2000 or BSC sends an OMCH establishment request to the OM IP address of the base station.The request is forwarded to the SeGW.

2. The SeGW detects that the IPSec SA with the base station has not been established and sends anIKE negotiation request to the interface IP address of the base station. The request is routed to thenext-hop gateway of the base station.

3. To forward the IKE negotiation request to the correct base station, the next-hop gateway of the basestation broadcasts ARP packets to obtain the MAC address mapping the destination IP address of

the request. The next-hop gateway or the L2 network attaches VLAN IDs to ARP packets so thatcorrect VLAN IDs are contained in the ARP packets received by the base station.



4.4.3 Scheme 2

Figure 4-10 shows the procedure for a base station to obtain VLAN information in scheme 2.



SingleRAN




4-12

Figure 4-10 Scheme 2

1. The M2000 sends a DHCPOFFER packet with no content to the interface IP address of the basestation. The packet is forwarded to the next-hop gateway of the base station.

2. To forward the DHCPOFFER packet to the correct base station, the next-hop gateway of the basestation broadcasts ARP packets to obtain the MAC address mapping the destination IP address ofthe request. The next-hop gateway or the L2 network attaches VLAN IDs to ARP packets so thatcorrect VLAN IDs are contained in the ARP packets received by the base station.



4.4.4 Scheme 3



1. The base station sends a DHCP packet with no VLAN ID.



SingleRAN




4-13

2. The L2 network between the base station and the next-hop gateway of the base station automaticallyattaches the default VLAN ID to the DHCP packet. The default VLAN ID is the same as the VLAN IDrequired for deploying the base station. With the correct VLAN ID, the DHCP packet can beforwarded over the L2 network to the DHCP relay agent and then reach the DHCP server.

4.4.5 Scheme 4



1. After the next-hop gateway of the base station is configured with the service level agreement (SLA), itperiodically sends ping packets to the interface IP address of the base station or an IP address onthe network segment of the base station.

2. To forward ping packets to the correct base station, the next-hop gateway of the base stationbroadcasts ARP packets to obtain the MAC address of the base station mapping the destination IPaddress of the ping packets. The ARP packets received by the base station carry correct VLAN IDs.





SingleRAN

Automatic OMCH Establishment

5 Automatic OMCH Establishment by the

Single-mode Base Station and Co-MPT Multimode

Base Station



5-1

5 Automatic OMCH Establishment by the Single-modeBase Station and Co-MPT Multimode Base Station

5.1 OverviewThis chapter describes the automatic OMCH establishment procedures implemented by the single-modebase station and co-MPT multimode base station in IPSec or non-IPSec networking scenarios, and theprocedures' requirements for NEs. In IPSec networking scenarios, the network is divided into theuntrusted domain and the trusted domain. Depending on NE distribution in the untrusted domain and thetrusted domain, IPSec networking scenarios are classified as follows:

Scenario 1: IPSec secures OMCH data and DHCP packets.

Scenario 2: IPSec secures OMCH data, but not DHCP packets.

Scenario 3: IPSec secure service data, but not OMCH data or DHCP packets.

5.2 Automatic OMCH Establishment in Non-IPSec NetworkingScenarios

5.2.1 Introduction to Non-IPSec Networking

Figure 5-1 shows a non-IPSec networking scenario in which IPSec does not secure OMCH data.

Figure 5-1 Non-IPSec networking

This networking has the following characteristics:

The DHCP server is not deployed on the L2 network of the base station.

The DHCP relay agent is deployed on the next-hop gateway of the base station.

IPSec does not secure OMCH data.

5.2.2 Automatic OMCH Establishment Procedure

Figure 5-2 shows the automatic OMCH establishment procedure in non-IPSec networking scenarios.



SingleRAN




Base Station



5-2

Figure 5-2 Automatic OMCH establishment in non-IPSec networking scenarios

1. After a base station commissioning by PnP task is created on the M2000, the M2000 or BSC

periodically sends an SSL-based or plaintext-based OMCH establishment request to the base station.In the request, the source IP address is the IP address of the M2000 and the destination IP addressis the OM IP address of the base station. After the next-hop gateway of the base station receives therequest, it broadcasts ARP packets to the base station to obtain the MAC address mapping theinterface IP address of the base station.

The next-hop gateway of the base station broadcasts ARP packets each time it receives a TCP connection request sentperiodically by the M2000.

2. The base station obtains VLAN information. For details, see section 4.4 "Schemes for ObtainingVLAN Information for DHCP Packets."

3. The base station first sends DHCP packets with no VLAN ID and then DHCP packets with VLAN IDs.

By exchanging DHCP packets with its next-hop gateway and DHCP server, the base station obtainsthe OMCH configuration data and validates the data.

4. In response to the ARP packets and the OMCH establishment request, the base station establishesan OMCH to the M2000 or BSC. The DHCP server then sends related configuration files to the basestation based on the BS ID.

5.2.3 Configuration Requirements for the DHCP Server

The DHCP server of a base station must be configured with the following:

A route to the base station or the network segment of the base station.

Parameters to be used during the DHCP procedure. These parameters are contained in the DHCP

packet headers, Option fields defined by RFC 2132, and subcodes of Option 43 defined by Huawei.

Table 5-1 lists the parameters to be contained in the DHCP packet headers.

Table 5-1 Parameters to be contained in the DHCP packet headers in non-IPSec networking scenarios

ParameterName

MappingDHCPField

Length(Bytes)

Parameter Description MandatoryorOptional

DHCP PacketInvolved

Interface IP Address

yiaddr 4 Interface IP address of thebase station

Mandatory DHCPOFFER

DHCPACK



SingleRAN




Base Station



5-3

ParameterName

MappingDHCPField

Length(Bytes)

Parameter Description MandatoryorOptional

DHCP PacketInvolved

Relay AgentIP

giaddr 4 IP address of the DHCPrelay agent deployed on thenetwork, if any. Broadcastpackets (Discovery andRequest packets) sent bythe base station do notcarry this IP address, andthe DHCP relay agent addsthis IP address to DHCPpackets to be forwarded.For details, see RFC 2131.

Optional DHCPDISCOVERY

DHCPOFFER

DHCPREQUEST

DHCPACK

Table 5-2 lists the parameters to be contained in Option fields defined by RFC 2132.

Table 5-2 Parameters to be contained in DHCP Option fields in non-IPSec scenarios

ParameterName

MappingDHCPOption

Length(Bytes)

Parameter Description DHCP Packet Involved

Subnet Mask 1 4 Subnet mask of a DHCP client DHCPOFFER

DHCPACK

Router Option 3 N*4 List of the IP addresses of routers

deployed in a DHCP client'ssubnet

DHCPOFFER

DHCPACK

Vendor SpecificInformation

43 0-255 Vendor-specific informationexchanged between a DHCPclient and a DHCP server

DHCPDISCOVER

DHCPREQUEST

DHCPOFFER

DHCPACK

IP AddressLease Time

51 4 Lease time of an assigned IPaddress

DHCPOFFER

DHCPACK

DHCP Message

Type

53 1 Value:

1: DHCPDISCOVER

2: DHCPOFFER

3: DHCPREQUEST

5: DHCPACK

DHCPDISCOVER

DHCPREQUEST DHCPOFFER

DHCPACK

Server Identifier 54 4 IP address of a DHCP server DHCPOFFER

DHCPACK

Renewal (T1)Time Value

58 4 Interval from address assignmentto the transition to theRENEWING state

DHCPOFFER

DHCPACK



SingleRAN




Base Station



5-4

ParameterName

MappingDHCPOption

Length(Bytes)

Parameter Description DHCP Packet Involved

Rebinding (T2)Time Value

59 4 Interval from address assignmentto the transition to theREBINDING state

DHCPOFFER

DHCPACK

Vendor classidentifier

60 0-255 Vendor type and clientconfiguration

DHCPDISCOVER

DHCPREQUEST

Client-identifier 61 0-255 Unique identifier of a DHCP client DHCPDISCOVER

DHCPREQUEST

Table 5-3 lists the parameters to be contained in subcodes of Option 43 defined by Huawei.

Table 5-3 Parameters to be contained in subcodes of option 43 in non-IPSec scenarios

Parameter Name MappingSubcode

Length(Bytes)

ParameterDescription

Mandatory orOptional

DHCP PacketInvolved

ESN 1 20 ESN of theBBUbackplane. Itis used by aDHCP serverto determinethe location

and BBUsubrack of thebase station.

Mandatory DHCPDISCOVER

DHCPOFFER

DHCPREQUEST

DHCPACK

MPT 1st Slot Number 251 1 Slot numberof the firstmain controlboard

Mandatory DHCPDISCOVER

DHCPOFFER

DHCPREQUEST

DHCPACK

MPT 2nd Slot

Number

249 1 Slot number

of the secondmain controlboard

Mandatory only

if the basestation isconfigured withactive/standbyorprimary/secondary main controlboards.

DHCPOFFER

DHCPACK

OM Bearing Board 250 1 Value:

0: AnOMCH is

establishedon the

Optional. Thedefault value is0.

DHCPOFFER

DHCPACK



SingleRAN




Base Station



5-5


Length(Bytes)



DHCP PacketInvolved

panel. Usethis value

forsingle-modebasestations.

1: AnOMCH isestablishedon thebackplane.

DID 27 1 to 64

If the basestation is

configuredwith only oneBBU, the DIDserves thesame purposeas the ESN.

If the basestation isconfiguredwith multipleBBUs that areinterconnecte

d usingUCIUs, theseBBUs use thesame DID.

Optional. TheDID becomesmandatory afterit is scanned.

DHCPDISCOVER

DHCPOFFER

DHCPREQUEST

DHCPACK

Subrack Topo 246 1 to 16

Interconnection relationshipbetween theBBUaccommodating the maincontrol boardthat sends the

DHCPpackets andother BBUs ifthese BBUsareinterconnected usingUCIUs. TheDHCP serveruses thecombinationof the DID,

subrack

Mandatory

DHCPDISCOVER

DHCPOFFER

DHCPREQUEST

DHCPACK



SingleRAN




Base Station



5-6


Length(Bytes)



DHCP PacketInvolved

topology, andslot number to

identify theconfigurationfile of thebase station.

OM Interface Type 2 1 Transmissioninterface ofthe basestation:Ethernet orE1.

NOTE

If an Ethernetinterface isused as thetransmissioninterface, theOMCH managedobject (MO) inconfigurationfiles of thebase stationmust bebound to aroute, or the

peer IPaddress mustbe the IPaddress of theM2000 or thenext-hopgateway of thebase station.

Optional

The defaultvalue isEthernet.

DHCPOFFER

DHCPACK

OM Interface SlotNumber

248 1 Slot numberof the maincontrol boardif thetransmission

interface isprovided bythe maincontrol board,or the slotnumber of theUTRP board ifthetransmissioninterface isprovided bythe UTRP

board.

Mandatory inSRAN8.0 orlater only if anEthernetinterface is used

as thetransmissioninterface. If thisparameter is notspecified, thebase stationautomaticallyidentifies the slotnumber.

DHCPOFFER

DHCPACK



SingleRAN




Base Station



5-7


Length(Bytes)



DHCP PacketInvolved

OMCH Interface PortNumber

247 1 Port numberof thetransmissioninterface ofthe basestation

Mandatory inSRAN8.0 orlater only if anEthernetinterface is usedas thetransmissioninterface. If thisparameter is notspecified, thebase stationautomaticallyidentifies theport number.

DHCPOFFER

DHCPACK

OMLOCATION 51 3 The numbersof the cabinet,subrack, andslot thataccommodatethe maincontrol boardwhere theOMCH islocated.

Mandatory inSRAN8.0 orlater only if anEthernetinterface is usedas thetransmissioninterface.

If this parameteris not specified,the base station

automaticallyidentifies thenumbers of thecabinet,subrack, andslot.

DHCPOFFER

DHCPACK

OM IP Address 3 4 Local IPaddress of theOMCH

Mandatory DHCPOFFER

DHCPACK

OM IP AddressSubnet Mask

4 4 Local IPaddress mask

of the OMCH

Mandatory DHCPOFFER

DHCPACK

M2000 IP Address 5 4 Peer IPaddress of theOMCH Thisparameterand OMCHRoute Mask collectivelyidentify anOMCH route.

Optional DHCPOFFER

DHCPACK

M2000 IP Subnet

Mask

6 4 Peerl IP

address mask

Optional DHCPOFFER



SingleRAN




Base Station



5-8


Length(Bytes)



DHCP PacketInvolved

of the OMCH

NOTE

In the decimalequivalent ofthis parametervalue, 01 isnot allowed.

DHCPACK

OM Vlan ID 11 2 VLAN ID ofthe OMCH

Mandatory onlyif VLANinformation isconfigured andan Ethernetinterface is used

as thetransmissioninterface

DHCPOFFER

DHCPACK

OM Vlan Priority 12 1 VLAN priorityof the OMCH

Optional DHCPOFFER

DHCPACK

BSC IP 13 4 IP address ofthe BSC

Mandatory forthe GSM mode

DHCPOFFER

DHCPACK

OM Next Hop IP Address

17 4 Next-hop IPaddress of thebase station

Mandatory DHCPOFFER

DHCPACK

When creating a base station commissioning by PnP task on the M2000, deployment engineers canexport configuration information listed in Table 5-3 to the DHCP server. Deployment engineers canmanually modify the configuration information for the DHCP server only on the M2000 GUI. Deploymentmay fail if the DHCP server is not configured with mandatory parameters listed in Table 5-3 or optionalparameters that must be configured in certain scenarios.

5.2.4 Configuration Requirements for NEs

Table 5-4 lists the configuration requirements for NEs during base station deployment by PnP in thenon-IPSec networking scenario shown in Figure 5-1.

Table 5-4 Configuration requirements for NEs

NE Requirement

Base station None

Next-hop L2 NE of thebase station

(Optional) Is configured with VLAN information. VLAN configuration isrequired only when the L2 network adopts VLANs.

L2 NEs Allow the transmission of DHCP broadcast and unicast packets withoutfiltering or modifying DHCP packets.

Are configured with the VLAN forwarding function that matches the

base station.



SingleRAN




Base Station



5-9

NE Requirement


Is enabled with the DHCP relay agent function.

Is configured with the IP address of the DHCP server. Generally, the IP

address is that of the M2000. If a Network Address Translation (NAT)server is deployed, the IP address is the IP address converted by theNAT server.

Is configured with a route to the DHCP server.

Is configured with a route to the OM IP address of the base station if theOM IP address is not the interface IP address.

L3 NEs Are configured with routes to the OM IP address of the base station, theIP address of the M2000, and the DHCP relay agent.

M2000 or BSC Is configured with a route to the OM IP address of the base station.

DHCP server Is configured with a route to the DHCP relay agent.

FTP server Is configured with a route to the OM IP address of the base station.

Stores software and configuration files of the base station in thespecified directory.

Provides access rights, such as the user name and password, for thebase station.

5.3 Automatic OMCH Establishment in IPSec Networking

Scenario 1

5.3.1 Introduction to IPSec Networking Scenario 1

Figure 5-3 shows IPSec networking scenario 1, in which IPSec secures both OMCH data and DHCPpackets.

Figure 5-3 IPSec networking scenario 1



SingleRAN




Base Station



5-10


A public DHCP server and an M2000 DHCP server are deployed in the untrusted domain and the

trusted domain, respectively. The base station obtains from the public DHCP server the transmissionconfiguration information required for establishing a temporary IPSec tunnel to the SeGW and obtainsfrom the M2000 DHCP server the formal transmission configuration information.

The base station in the untrusted domain cannot directly access NEs in the trusted domain. Instead,packets from the base station must be encrypted over the IPSec tunnel to the SeGW before beingtransmitted to the M2000 or BSC in the trusted domain.

A CA is deployed. During base station deployment, the CA can be accessed by NEs or using an IPaddress (for example, the interface IP address of the base station) in the untrusted domain.

After the base station starts, it must apply to the CA for operator-issued digital certificates beforeconnecting to the SeGW. After obtaining the certificates, the base station negotiates with the SeGW toestablish an IPSec tunnel.


In IPSec networking scenario 1, the base station obtains configuration information as follows:

1. Obtains the following information from the public DHCP server:

− Interface IP address used for accessing NEs in the untrusted domain.

− Configuration information used for establishing an IPSec tunnel to the SeGW. The informationincludes the SeGW configuration data and the CA configuration data.

2. Obtains digital certificates from the CA.

3. After establishing the IPSec tunnel, obtains the OMCH configuration data from the M2000 DHCPserver. The information is used for accessing NEs in the trusted domain and referred to as formal

transmission configuration information in this document.

The interface IP address obtained from the public DHCP server can be the same as or different from thatobtained from the M2000 DHCP server.

Figure 5-4 shows the automatic OMCH establishment procedure in IPSec networking scenario 1.



SingleRAN




Base Station



5-11

Figure 5-4 Automatic OMCH establishment procedure in IPSec networking scenario 1


2. Using the DHCP procedure, the base station obtains from the public DHCP server the transmissionconfiguration information used for establishing a temporary IPSec tunnel. The information includesthe interface IP address of the base station, CA configuration data, SeGW configuration data, andM2000 DHCP server IP address. For details about the configuration information on the public DHCP

server, see section 5.2.3 "Configuration Requirements for the DHCP Server."3. Using CMPv2, the base station applies to the CA for an operator-issued device certificate and a CA

root certificate. The base station adds the obtained CA root certificate to the default trusted certificatelist so that it can authenticate peer NEs, such as the SeGW. If the application for operator-issueddigital certificates fails or receives no response within about 30 seconds, the preconfigured digitalcertificates are used for establishing an IPSec tunnel.

NOTE

The operator's CA must be configured with the Huawei-issued CA root certificate to authenticate the device certificate ofthe base station. The base station uses the Huawei-issued device certificate for identity authentication by the CA.

4. The base station establishes a temporary IPSec tunnel to the SeGW. For details about the securityparameters used by the base station during the temporary IPSec tunnel establishment, see section

5.3.4 "Establishing a Temporary IPSec Tunnel."5. With protection from the temporary IPSec tunnel, the base station obtains formal transmission

configuration information from the M2000 DHCP server in different ways, depending on whether theIP address used for accessing the trusted domain and the M2000 DHCP server IP address areavailable. For details, see section 5.3.6 "Obtaining Formal Transmission Configuration Informationfrom the Internal DHCP Server."

6. The base station releases the temporary IPSec tunnel and uses formal transmission configurationinformation to establish a formal IPSec tunnel to the SeGW. For details, see section 5.3.7"Establishing a Formal IPSec Tunnel."

7. With protection from the formal IPSec tunnel, the base station waits 10 minutes for the SSL-based orplaintext-based OMCH establishment request from the M2000 or BSC and finally establishes an

OMCH to the M2000 or BSC. If an OMCH is successfully established between the M2000 and base



SingleRAN




Base Station



5-12

station within 10 minutes, base station deployment by PnP ends. Otherwise, base station deploymentby PnP is restarted.

5.3.3 Configuration Requirements for the Public DHCP Server

The public DHCP server must be configured with the parameters listed in Table 5-5 as well as a route tothe base station or the network segment of the base station. Unless otherwise specified, theseparameters are contained in subcodes of Option 43 in DHCP packets.

Table 5-5 Parameters to be configured on the public DHCP server

Classification

ParameterName

MappingSubcode

Length(Bytes)


Mandatoryor Optional

DHCP PacketInvolved

CAinformation

PKI SERVERIP

35 4 IP address ofthe CA

Mandatoryonly ifidentityauthenticati

on by digitalcertificatesis requiredand the CAURL is notconfigured.

Theseparameterscollectivelyidentify andequal theURL of the

CA.These fourparameterscannot beconfigured ifthe CA URLhas beenconfigured.

DHCPOFFER

DHCPACK

CA protocoltype

39 1 Protocol usedto access theCA: HTTP orHTTPS

DHCPOFFER

DHCPACK

CA port 36 2 HTTP orHTTPS portnumber of theCA

DHCPOFFE

DHCPACK

CA Path 37 1 to 60 Path used foraccessingdigital

certificates onthe CA

DHCPOFFE

DHCPACK

CA URL 44 1 to 128 URL used foraccessing thedigital

certificate path.This parameteris configurableonly when thebase stationand CA useCMPv2.

The CA URLformat is asfollows:http(s)://CAIP:CAport/CAPath

Mandatoryonly if thefollowing

parametersare notconfiguredwhenauthentication by digitalcertificatesis required:PKISERVER IP,CAprotocoltype, CAport, and

DHCPOFFE

DHCPACK



SingleRAN




Base Station



5-13

Classification

ParameterName

MappingSubcode

Length(Bytes)



DHCP PacketInvolved

CA Path.

CA Name 38 1 to 127 Name of theCA

Mandatoryonly if thebase stationuses thedigitalcertificatesfor identityauthentication

DHCPOFFE

DHCPACK

SeGWinformatio

n

Public SeGWIP Address

18 4 IP address ofthe public

SeGW in IPSecnetworkingscenarios. Thisparameter isallocated by thepublic DHCPserver andused duringDHCPinterworkingbetween thebase station

and the M2000DHCP server.

Mandatoryonly if the

base stationneeds toaccess theM2000DHCPserverthrough theSeGW

DHCPOFFE

DHCPACK

Public SeGWLocal Name

31 1 to 32 Local name ofthe publicSeGW.

It is used by thebase station toauthenticatethe publicSeGW in IPSecnetworkingscenarios.

Optionalwhen theSeGW isconfigured

DHCPOFFE

DHCPACK

InternalDHCPserver IPaddress(list)

InternalDHCP ServerIP Address(List)

42 N*4 IP address ofthe M2000DHCP serverthat sendstransmissionconfigurationinformation tothe basestation.

In SRAN8.0, amaximum of

eight M2000

Optional.

If thisparameter isconfigured,the basestation cansend unicastDHCPpackets tothe DHCPserver even

if the SeGW

DHCPOFFE

DHCPACK



SingleRAN




Base Station



5-14

Classification

ParameterName

MappingSubcode

Length(Bytes)



DHCP PacketInvolved

DHCP serveraddresses can

be configured.

cannot sendany DHCP

server IPaddress tothe basestation.

Transmissionconfigurationinformation for thebasestation

Interface IP Address

- 4 Carried in theyiaddr field inDHCP packetheaders

Mandatory DHCPOFFE

DHCPACK

Interface IP Addressmask

- 4 Carried inDHCP option 1

Mandatory DHCPOFFE

DHCPACK

Next-hopGateway IP Address

- 4 Carried inDHCP option 3

Mandatory DHCPOFFE

DHCPACK

All IP addresses or URLs listed in Table 5-5 except Internal DHCP Server IP Address (List) can beused only in the untrusted domain. Particularly, NEs in the untrusted domain must have access to the CAIP address and the CA URL. If the base station cannot access the CA, it cannot obtain anyoperator-issued certificate.

NOTE

In IPSec networking scenario 1, the public DHCP server assigns an interface IP address in the IP address pool to thebase station, without parsing the BS ID contained in Option 43. Therefore, the BS ID contained in DHCP packets ismeaningless in such a scenario.

5.3.4 Establishing a Temporary IPSec Tunnel

After the base station obtains the transmission configuration information (including its interface IPaddress, the SeGW IP address, and the CA IP address) from the public DHCP server, the base stationobtains digital certificates from the CA and attempts to establish a temporary IPSec tunnel to the SeGW.For details about the temporary IPSec tunnel establishment, see IPSec Feature Parameter Description.This section describes the security parameters (algorithms) used by the base station during deploymentby PnP.

IKEv1 and IKEv2 are incompatible. During base station deployment by PnP, the base station cannotpredict the IKE version used by the SeGW. If the base station successfully negotiated an IKE versionwith the SeGW, the base station preferentially tries this IKE version. Otherwise, the base station triesIKEv2 before IKEv1.

IKE SA Negotiation During IKE SA negotiation in the normal operation of the base station, the base station supports a largenumber of algorithm groups. However, during base station deployment by PnP, the base station onlysupports the 48 algorithm groups (see Table 5-6) in the IKEv2 proposal and the 120 algorithm groups(see Table 5-7) in the IKEv1 proposal.



SingleRAN




Base Station



5-15

Table 5-6 Algorithms in the IKEv2 proposal

Encryption Algorithm AuthenticationAlgorithm

Diffie-HellmanGroup

PRF Algorithm

3DES SHA1 DH_GROUP2 HMAC_SHA1

AES128 AES_XCBC_96 DH_GROUP14 AES128_XCBC

AES192 N/A DH_GROUP15 N/A

AES256 N/A N/A N/A

Table 5-7 Algorithms in the IKEv1 proposal

Encryption Algorithm Authentication Algorithm Diffie-Hellman Group AuthenticationMethod

(Only IKEv1)

DES MD5 DH_GROUP1 PSK

3DES SHA1 DH_GROUP2 RSA-SIG

AES128 - DH_GROUP14 DSS-SIG

AES192 - DH_GROUP15 -

AES256 - - -

NOTE

During base station deployment by PnP, when performing IKEv1 negotiation, the base station tries only the perfectforward secrecy (PFS) value DISABLE, not PFS_GROUP1 or PFS_GROUP2.

To establish a temporary IPSec tunnel, the base station preferentially tries the five algorithm groupslisted in Table 5-7 in sequence. If this fails, the base station tries the other groups until it establishes anIPSec tunnel. To increase the deployment success rate and shorten the deployment duration, it isrecommended that security parameters in configuration files of the base station follow the configurationslisted in Table 5-8.

Table 5-8 The first five algorithm groups in the IKE proposal

Sequence Encryption

Algorithm

Authentication

Algorithm

Diffie-Hellman Group PRF Algorithm

(Only IKEv2)

1 AES128 SHA1 DH-Group2 HMAC-SHA1

2 3DES SHA1 DH-Group2 HMAC-SHA1

3 AES256 AES_XCBC_96 DH_GROUP15 AES128_XCBC

4 AES192 SHA1 DH_GROUP14 HMAC_SHA1

5 AES128 SHA1 DH_GROUP14 HMAC_SHA1



SingleRAN




Base Station



5-16

IPSec SA Negotiation During IPSec SA negotiation in the normal operation of the base station, the base station supports ESPand AH authentication in tunnel or transport mode. However, during base station deployment by PnP, thebase station only supports ESP authentication in tunnel mode.

During IPSec SA negotiation in the normal operation of the base station, the base station supportsmultiple encryption and authentication algorithm groups. However, during base station deployment byPnP, the base station supports only the encryption and authentication algorithm groups listed in Figure5-5. It first tries the six algorithm groups marked in green. If this fails, it tries the six algorithm groupsmarked in gray. Once IKE negotiation is successful using an algorithm group, the base station appliesthis algorithm group.

The base station tries IKE version and algorithm groups in the following priority sequence:

1. IKEv2 and algorithm groups marked in green

2. IKEv2 and algorithm groups marked in gray

3. IKEv1 and algorithm groups marked in green

4. IKEv1 and algorithm groups marked in gray

Figure 5-5 Encryption and authentication algorithms in IPSec proposal

Authenticationalgorithm

Encryptionalgorithm

3DES

AES128

AES192

AES256

SHA1 SHA256 AES-XCBC-MAC-96

NOTE

During base station deployment by PnP, the base station does not try all supported security parameters (such as the DESalgorithm) when establishing an IPSec tunnel. This is because trying all supported combinations of security parametersmay take a long time.

During base station deployment by PnP, the base station must use tunnel mode instead of transfer mode as theencapsulation mode when establishing an IPSec tunnel. This is because the M2000, BSC, DHCP server, and FTP serverdo not support IPSec.

If the security parameters and their settings on the base station or SeGW side are inconsistent with

those tried during base station deployment by PnP, OMCH establishment may fail, leading todeployment failures. Therefore, ensure there is consistency between the parameters and settings.

5.3.5 Configuration Requirements for the Internal DHCP Server

The M2000 DHCP server must be configured with the parameters listed in Table 5-9 as well as theparameters listed in Table 5-3. These parameters are contained in Option 43 in DHCP packets.

Table 5-9 Parameters specific to the M2000 DHCP server in IPSec networking scenario 1

Classification ParameterName

MappingSubcode



DHCP PacketInvolved

SeGW Serving 20 IP address of the Mandatory

DHCPOFFER



SingleRAN




Base Station



5-17

Classification ParameterName

MappingSubcode



DHCP PacketInvolved

information SecGW IP serving SeGW inIPSec networking

scenarios

DHCPACK

ServingSecGWLocal Name

32 Local name of theserving SeGW.

It is provided bythe base station toauthenticate theserving SeGW inIPSec networkingscenarios

Optional

5.3.6 Obtaining Formal Transmission Configuration Informationfrom the Internal DHCP Server

RFC 4306, the standard protocol for IKEv2, defines the MODE-CONFIG mode in which the base stationuses the configuration payload (CP) to apply to the SeGW for certain configuration information. Usingthe MODE-CONFIG mode during IKE negotiation, the base station can obtain one temporary logical IPaddress used for accessing the trusted domain and one M2000 DHCP server IP address. The basestation can also interwork with the public DHCP server to obtain a maximum of eight M2000 DHCPserver IP addresses.

NOTE

In IKEv1, CP is not standardized and is referred to as MODE-CONFIG, which is supported only by the base station inaggressive mode. For details about the MODE-CONFIG, see RFC4306 Internet Key Exchange (IKEv2) Protocol .

The base station follows procedures listed in Table 5-10 to obtain formal transmission configurationinformation from the M2000 DHCP server, depending on whether the logical IP address used foraccessing the untrusted domain and any M2000 DHCP server IP address are available.

Table 5-10 Obtaining formal transmission configuration information from the M2000 DHCP server

If... Then... ConfigurationRequirements for NEs

The base station has obtained theinterface IP address foraccessing the untrusted domain,and has used theMODE-CONFIG mode during IKEnegotiation to obtain the logical IPaddress for accessing the trusteddomain.

The base station has obtainedone or more M2000 DHCP serverIP addresses, using either theDHCP procedure or theMODE-CONFIG mode during IKEnegotiation.

The base station uses the logical IPaddress for accessing the trusteddomain as the source IP address,and uses any M2000 DHCP serverIP address as the destination IPaddress. The base station thenunicasts DHCP packets to eachM2000 DHCP server. Only theM2000 DHCP server that has thecorrect BS ID sends configurationinformation to the base station.

The base station automaticallyconfigures an access control list(ACL) rule that allows DHCPpackets to reach the base station.

See Table 5-11.



SingleRAN




Base Station



5-18

If... Then... ConfigurationRequirements for NEs

In the ACL rule, both the sourceand destination IP addresses can

be any address.

The base station has obtained theinterface IP address foraccessing the untrusted domain,but not the logical IP address foraccessing the trusted domain.

The base station has obtainedone or more M2000 DHCP serverIP addresses.

The base station uses the interfaceIP address for accessing theuntrusted domain as the source IPaddress, and uses any M2000DHCP server IP address as thedestination IP address. The basestation then unicasts DHCPpackets to each M2000 DHCPserver. Only the M2000 DHCPserver that has the correct BS IDsends configuration information tothe base station.

The base station automaticallyconfigures an ACL rule that allowsDHCP packets to reach the basestation. In the ACL rule, the sourceIP address is the interface IPaddress and the destination IPaddress is an M2000 DHCP serverIP address.

See Table 5-12.

The base station has not obtainedthe logical IP address for accessing

the trusted domain or any M2000DHCP server IP address.

The base station uses 0.0.0.0 asthe source IP address and

255.255.255.255 as the destinationIP address to broadcast DHCPpackets over an IPSec tunnel. Thepackets are encapsulated over theIPSec tunnel before reaching theSeGW.

The base station automaticallyconfigures an ACL rule that allowsDHCP packets to reach the basestation. In the ACL rule, the sourceUDP port number is 68 and thedestination UDP port number is 67.

See Table 5-13.

Table 5-11 Configuration requirements for NEs (1)

NE Requirement

Public DHCP server Is configured with one to eight M2000 DHCP server IP addressesonly if the SeGW is not configured with any M2000 DHCP server IPaddress.

SeGW Supports the MODE-CONFIG mode so that the SeGW sends atemporary logical IP address and an M2000 DHCP server IP

address to the base station. Alternatively, the SeGW sends a



SingleRAN




Base Station



5-19

NE Requirement

temporary logical IP address and the public DHCP server sendsan M2000 DHCP server IP address. It is recommended that theoperator plan all temporary logical IP addresses for accessing the

trusted domain on the same network segment and on a differentnetwork segment from the OM IP address of the base station.

Automatically generates an ACL rule after using theMODE-CONFIG mode to send the M2000 DHCP server IPaddress. In the ACL rule, the source IP address is the temporarylogical IP address for accessing the trusted domain and thedestination IP address can be any IP address. This eliminates theneed to manually configure associated ACL rules. If an ACL rule ismanually configured that the source IP address is the temporarylogical IP address for accessing the trusted domain, the IPaddresses of all M2000 DHCP servers must be on the networksegment defined by this ACL rule.

All NEs between the basestation and the M2000 DHCPserver

Are configured with the firewall policy or the packet filtering policyso that they allow the transmission of packets with 67 or 68 as thesource and destination UDP port number.

Are configured with a route to the logical IP address for accessingthe trusted domain or network segment of the logical IP addressso that related packets can be routed to the SeGW.

M2000 DHCP server Is configured with a route to the logical IP address of the basestation.


NE Requirement

Public DHCP server Is configured with one to eight M2000 DHCP server IPaddresses.

All NEs between the base stationand the M2000 DHCP server

Are configured with the firewall policy or the packet filteringpolicy so that they allow the transmission of packets with 67 or68 as the source and destination UDP port number.

Are configured with a route to the temporary logical IP addressfor accessing the trusted domain or network segment of thetemporary logical IP address so that related packets can berouted to the SeGW.

Are configured with a route to the interface IP address of thebase station or the IP address of the network segment.

M2000 DHCP server Is configured with a route to the interface IP address of the basestation.



SingleRAN




Base Station



5-20


NE Requirement

SeGW Supports sending DHCP broadcast packets in IPSec tunnels, in

compliance with RFC 3456.

All NEs between the basestation and the M2000 DHCPserver

Are configured with the firewall policy or the packet filtering policyso that they allow the transmission of packets with 67 or 68 as thesource and destination UDP port number.

Are configured with a route to the IP address of the DHCP relayagent on the SeGW.

M2000 DHCP server Are configured with a route to the IP address of the DHCP relayagent on the SeGW.

Compared with non-IPSec networking scenarios, IPSec networking scenario 1 has the followingdifferences in the procedure for obtaining transmission configuration information from the M2000 DHCPserver:

The M2000 DHCP server can be deployed only on the M2000, not the base station controller.

The base station may obtain IP addresses of many DHCP servers. Therefore, it needs tocommunicate with each DHCP server to find the correct DHCP server.

IPSec secures OMCH data. Therefore, among the configuration information sent by the M2000 DHCPserver to the base station, the SeGW IP address is mandatory and the local name of the SeGW isoptional. The local name of the SeGW is used to authenticate the SeGW.

5.3.7 Establishing a Formal IPSec Tunnel

The SeGW IP address obtained from the M2000 DHCP server may or may not be the same as theSeGW IP address obtained from the public DHCP server. In either case, the base station needs tonegotiate an IKE SA and an IPSec SA with the SeGW before establishing an IPSec tunnel to the SeGW.The SeGW is identified by the SeGW IP address in the configuration information from the M2000 DHCPserver.

The procedure for establishing a formal IPSec tunnel differs from the procedure for establishing atemporary IPSec tunnel as follows:

To establish an IKE SA and an IPSec tunnel to the SeGW, the base station uses the interface IPaddress and the SeGW IP address sent by the M2000 DHCP server. During IPSec tunnel negotiation,the base station automatically configures two ACL rules. In both ACL rules, the source IP address is

the OM IP address of the base station, but the destination IP address can be any IP address in onerule and must be the IP address of the M2000 or BSC in the other rule. Accordingly, the SeGW can beconfigured with the two ACL rules. If the SeGW is configured with the two ACL rules, the ID of the ACLrule by which the destination IP address can be any IP address should be as small as possible toavoid rule mismatches.

NOTE

If the SeGW is configured with the ACL rule that the destination IP address is the IP address of the M2000 or BSC, theFTP server from which the base station downloads software and configuration files must be deployed on the M2000 orBSC and use the same IP address as the M2000 or BSC. Otherwise, the base station cannot access the FTP server afterthe base station and the SeGW filter packets according to ACL rules.

The base station preferentially tries security parameters with which the temporary IPSec tunnel wassuccessfully established to establish the formal IPSec tunnel. If this fails, the base station follows the



SingleRAN




Base Station



5-21

sequence described in section 5.3.4 "Establishing a Temporary IPSec Tunnel" to try other securityparameters.


Table 5-14 lists the configuration requirements for NEs in IPSec networking scenario 1.

Table 5-14 Configuration requirements for NEs in IPSec networking scenario 1

NE Requirement


Are configured with correct VLAN information.


Is configured as the DHCP server or enabled with the DHCP relay agent.

Is configured with correct DHCP server IP addresses.

Is configured with routes to the DHCP server, CA, and SeGW.

L3 NEs (NEs in the untrusted domain): Are configured with routes to the temporaryand formal interface IP addresses of the base station and routes to the CAand the SeGW.

(NEs in the trusted domain): Are configured with a route to the OM IPaddress of the base station and routes to the M2000 and FTP server.

M2000 Is configured with a route to the OM IP address of the base station.

M2000 DHCP server Is configured with a route to the DHCP relay agent.

FTP server Is configured with a route to the OM IP address of the base station.

Stores software and configuration files of the base station in the specifieddirectory.

Provides access rights, such as the user name and password, for the basestation.

SeGW Allows DHCP packets to be exchanged between the base station and theM2000.

Allows packets to be exchanged between the base station and the M2000over an OMCH and between the base station and the FTP server.

Is enabled with the DHCP relay agent function if the SeGW complies withRFC 3456.

Is configured with security parameters listed in Table 5-5.

Is configured with ACL rules that allow the transmission of packets sentfrom the base station during the DHCP procedure and the OMCHestablishment procedure.

Is configured with related IP address pool and assignment rules if theSeGW needs to assign an IP address for accessing the trusted domain ora DHCP server IP address to the base station.

Is configured with operator-issued CA certificates and its own certificates.



SingleRAN




Base Station



5-22

NE Requirement

CA Is configured with the following:

An IP address that can be accessed by NEs in the untrusted domain

Huawei-issued CA root certificates

5.4 Automatic OMCH Establishment in IPSec NetworkingScenario 2


Figure 5-6 shows IPSec networking scenario 2, in which IPSec secures all packets except DHCPpackets.



An M2000 DHCP server in the trusted domain is deployed. IPSec does not secure DHCP packets.Using a DHCP procedure in the untrusted domain, the base station obtains its temporary IP address

and the OM IP address, the SeGW IP address, and the CA IP address. From the M2000 DHCP server,the base station obtains the formal transmission configuration information.

The base station in the untrusted domain cannot directly access NEs in the trusted domain. Instead,packets from the base station must be encrypted over the IPSec tunnel to the SeGW before beingtransmitted to the M2000 or BSC in the trusted domain.

A CA is deployed and provides digital certificates for the base station to perform mutual authenticationwith other NEs. During base station deployment, the CA can be accessed by NEs or using an IPaddress in the untrusted domain.

After the base station starts, it must apply to the CA for operator-issued digital certificates beforeconnecting to the SeGW.



SingleRAN




Base Station



5-23


In IPSec networking scenario 2, the base station must establish an IPSec tunnel to the SeGW before itcan access the M2000 or BSC in the trusted domain. To establish the IPSec tunnel, the base stationmust obtain digital certificates issued by the operator's CA. To obtain digital certificates, the base stationmust obtain required configuration information from the M2000 DHCP server.




2. The base station obtains required configuration information from the M2000 DHCP server. Theinformation includes the interface IP address and the OM IP address of the base station, the CA IPaddress, and the SeGW address.

NOTE

DHCP packets from the base station are forwarded by the DHCP relay agent to the DHCP server on the M2000.

3. By using the configuration information obtained from the M2000 DHCP server, the base stationapplies to the CA for operator-issued digital certificates.

4. By using the configuration information obtained from the M2000 DHCP server, the base stationestablishes a formal IPSec tunnel to the SeGW.

5. The base station validates the formal transmission configuration information. With protection from theformal IPSec tunnel, the base station waits for the SSL-based or plaintext-based OMCHestablishment request from the M2000 or BSC and finally establishes an OMCH to the M2000 orBSC.

5.4.3 Configuration Requirements for the Internal DHCP Server

The M2000 DHCP server must be configured with the parameters listed in Table 5-15 as well as theparameters listed in Table 5-3. These parameters are contained in subcodes of Option 43 in DHCPpackets.



SingleRAN




Base Station



5-24


Classification

ParameterName

MappingSubcode

Length(Bytes)



DHCP PacketInvolved

SeGWinformation

ServingSecGW IP 20 4 IP address of theSeGW in IPSecnetworkingscenarios

Mandatory

DHCPOFFER DHCPACK

ServingSecGWLocalName

32 1 to 32 Local name ofthe servingSeGW. It isprovided by thebase station toauthenticate theserving SeGW inIPSec

networkingscenarios

CAinformation

CA URL 44 1 to 128 URL from whichthe base stationobtainsoperator-issueddigitalcertificates.

This URL mustbe accessible toNEs in the

untrusteddomain.

Mandatory DHCPOFFER

DHCPACK

CA Name 38 1 to 127 Name of the CA




NE RequirementL2 NEs Allow the transmission of DHCP broadcast and unicast packets without

filtering or modifying DHCP packets.


Next-hop gateway of thebase station

Is enabled with the DHCP relay agent function.

Is configured with correct DHCP server IP addresses.

Is configured with routes to the DHCP server, CA, and SeGW.



SingleRAN




Base Station



5-25

NE Requirement

L3 NEs (NEs in the untrusted domain): Are configured with routes to theinterface IP addresses of the base station and routes to the CA and theSeGW.

(NEs in the trusted domain): Are configured with a route to the OM IPaddress of the base station and routes to the M2000 and FTP server.

M2000 Is configured with a route to the OM IP address of the base station

M2000 DHCP server Is configured with a route to the DHCP relay agent.

SeGW Allows packets to be exchanged between the base station and theM2000 over an OMCH and between the base station and the FTPserver.

Is configured with security parameters listed in Table 5-6, Table 5-7, and Figure 5-5.

Is configured with ACL rules in which the source destination IP addresscan be any address and the destination IP address can be any IPaddress or the OM IP address of the base station .

Is configured with operator-issued CA certificates and its owncertificates.




5.5 Automatic OMCH Establishment in IPSec NetworkingScenario 3


Figure 5-8 shows IPSec networking scenario 3, in which IPSec secures service and signaling data, butnot DHCP packets or OMCH data.



SingleRAN




Base Station



5-26



An M2000 DHCP server is deployed. The base station obtains the OMCH configuration data and CAconfiguration data from the M2000 DHCP server. IPSec does not secure DHCP packets.

IPSec does not secure OMCH data. The base station uses the OM IP address to access NEs in theuntrusted domain. IPSec tunnels established between the base station and the SeGW are used tosecure signaling and service data.

Either party involved in IPSec negotiation uses digital certificates or PSK to authenticate the otherparty.

The CA is optional. If the PSK is used for authentication, a CA is not required. If digital certificates areused for authentication, a CA is required. After the base station starts, it must apply to the CA foroperator-issued digital certificates before connecting to the SeGW. During base station deployment,the CA can be accessed by NEs or using an IP address (for example, the interface IP address of the

base station) in the untrusted domain.





SingleRAN




Base Station



5-27


1. The base station obtains VLAN information. For details, see section 4.4 "Schemes for Obtaining

VLAN Information for DHCP Packets."

2. The base station obtains the OMCH configuration data and CA configuration data (optional) from theM2000 DHCP server. If the base station uses the PSK for authentication, the base station does notneed to obtain the CA configuration data. If the base station uses digital certificates for authentication,the base station must obtain the CA configuration data.

3. The base station applies to the CA for operator-issued digital certificates if digital certificates are usedfor authentication. After the base station restarts, it establishes an IPSec tunnel to the SeGW tosecure services and signaling.

4. Based on the configuration information obtained from the M2000 DHCP server, the base stationestablishes an OMCH to the M2000 or BSC

5.5.3 Configuration Requirements for the Internal DHCP ServerIf the base station uses digital certificates for authentication, the M2000 DHCP server must beconfigured with the parameters listed in both Table 5-17 and Table 5-3. These parameters are containedin subcodes of Option 43 in DHCP packets.


Classification

Parameter Name

Subcode

Length (Bytes) ParameterDescription


DHCPPacketInvolved

CA

information

CA URL 44 1 to 128 URL from which

the base stationobtainsoperator-issueddigitalcertificates. ThisURL must beaccessible toNEs in theuntrusteddomain.

Mandator

y

DHCPOFF

ER DHCPACK

CA Name 38 1 to 127 Name of the CA



SingleRAN




Base Station



5-28




NE Requirement



Next-hop gatewayof the base station

Is enabled with the DHCP relay agent function and configured with the IPaddress of the DHCP server, that is, the IP address of the M2000. If an NATserver is deployed, the IP address of the M2000 must be that converted bythe NAT server.

Is configured with a route to the DHCP server.

Is configured with a route to the OM IP address of the base station if the OMIP address is not the same as the interface IP address of the base station.

Is configured with a route to the CA.

L3 NEs (NEs in the untrusted domain): Are configured with a route to the IP addressof the base station, a route to the OM IP address of the base station, a routeto the M2000, a route to the FTP server, and a route to the CA.

(NEs in the trusted domain): Are configured with a route to the OM IP addressof the base station and routes to the M2000 and FTP server.

M2000 Is configured with a route to the OM IP address of the base station.

M2000 DHCPserver

Is configured with a route to the DHCP relay agent.






SingleRAN



Separate-MPT Multimode Base Station



6-1

6 Automatic OMCH Establishment by the Separate-MPTMultimode Base Station

6.1 NetworkingThe separate-MPT multimode base station is similar to many single-mode base stations that areinterconnected using the transmission board. The interconnection can either be based on the panel orthe backplane. Generally, the transmission board of a certain mode provides a shared transmissioninterface for connecting to the transport network. The base station in this mode is called an upper-levelbase station, and base stations in the other modes are called lower-level base stations. The upper-levelbase station acts as the DHCP relay agent of lower-level base stations.

Figure 6-1 shows the OMCH networking for the separate-MPT multimode base station that usespanel-based interconnection. The upper-level base station provides two transmission interfaces, one forpanel-based interconnection and the other for connecting to the transport network.

Figure 6-1 OMCH networking for the separate-MPT multimode base station that uses panel-basedinterconnection

Figure 6-2 shows the OMCH networking for the separate-MPT multimode base station that usesbackplane-based interconnection.



SingleRAN






6-2

Figure 6-2 OMCH networking for the separate-MPT multimode base station that uses backplane-basedinterconnection

The automatic OMCH establishment procedure for the separate-MPT base station is similar to therespective automatic OMCH establishment procedure for each single-mode base station. Lower-levelbase stations can start the automatic OMCH establishment procedure only after the upper-level basestation completes the procedure. This section describes the differences in the procedures between theseparate-MPT base station and the single-mode base station.

6.2 Automatic OMCH Establishment ProcedureFigure 6-3 shows the automatic OMCH establishment procedure for the separate-MPT multimode basestation.

Figure 6-3 Automatic OMCH establishment procedure

2. DHCP procedur e

2. DHCP procedure

3. OMCH establishment

Lower-levelbase station

Upper-levelbase station

DHCP server ofupper-level base

station

OMC of upper-level base station

DHCP server oflower-level base

station

OMC of lower-level base

station

1. OMCH auto-establishment, configuration file download and

activation, and transition to working state

1. Same as the single-mode base station, the upper-level base station follows the OMCH establishmentprocedure described in chapter 5 "Automatic OMCH Establishment by the Single-mode Base Stationand Co-MPT Multimode Base Station." The upper-level base station then obtains software andconfiguration files from the M2000 or BSC over the established OMCH. The upper-level base stationactivates software and configuration files and then enters the working state.



SingleRAN






6-3

2. Each lower-level base station exchanges DHCP packets with the DHCP relay agent (upper-levelbase station) and the DHCP server to obtain the transmission configuration information.

3. Each lower-level base station establishes an OMCH to the M2000 or BSC.

The DHCP servers of the upper-level base station and lower-level base stations can be deployed on the

same NE or different NEs.

6.3 Configuration Requirements for the DHCP Server

Each mode in a separate-MPT multimode base station has almost the same configuration requirementsfor the DHCP server as a single-mode base station. The only difference lies in the setting of the OMBearing Board parameter on DHCP servers of lower-level base stations, as described in Table 6-1. Fordetails about the configuration requirements for the DHCP server of each single-mode base station, seechapter 5 "Automatic OMCH Establishment by the Single-mode Base Station and Co-MPT MultimodeBase Station."

Table 6-1 Setting of the OM Bearing Board parameter on DHCP servers of lower-level base stations

ParameterName

Subcode Parameter Description Length(Bytes)


DHCP PacketInvolved

OM BearingBoard

250 Value:

0: An OMCH isestablished on thepanel.

1: An OMCH isestablished on thebackplane.

Set this parameter to 0

when the separate-MPTmultimode base stationuses panel-basedinterconnection.

Set this parameter to 1 when the separate-MPTmultimode base stationuses backplane-basedinterconnection.

1 Mandatory DHCPOFFER

DHCPACK

6.4 Configuration Requirements for NEsEach mode in a separate-MPT multimode base station has similar configuration requirements for NEs toa single-mode base station. For details about these requirements, see chapter 5 "Automatic OMCHEstablishment by the Single-mode Base Station and Co-MPT Multimode Base Station." This sectiondescribes only the differences in the configuration requirements.

The upper-level base station acts as the DHCP relay agent to forward DHCP packets and as a router toforward OMCH and service packets for lower-level base stations. The transport network for theupper-level base station needs to forward DHCP packets from the DHCP servers of lower-level basestations. Therefore, the upper-level base station and its transport network must be configured with datalisted in Table 6-2.



SingleRAN






6-4

Table 6-2 Configuration requirements

NE Requirement

Upper-level base station Is enabled with the DHCP relay agent function.

Is configured with IP addresses of the DHCP servers of lower-levelbase stations.

Is configured with routes to the DHCP servers of lower-level basestations.

Is configured with routes used for serving lower-level base stations,including downlink routes to the IP addresses of lower-level basestations and uplink routes to the peer IP addresses of lower-level basestations.

− If the lower-level base station is the GBTS or NodeB, uplink routes tothe base station controller must be configured.

− If the lower-level base station is the eNodeB, uplink routes to the

M2000, mobility management entity (MME), and serving gateway(S-GW) must be configured.

Is configured with the IP address of the transmission interface (used forpanel-based interconnection) provided by the upper-level base station.It is recommended that only one such IP address be configured. Ifmany such IP addresses are configured, the source IP address inDHCP packets forwarded by the upper-level base station is the firstconfigured IP address. As a result, the packet forwarding may fail dueto differences in the configuration sequence.

If the DHCP packets and OM data of lower-level base stations aresecured by the IPSec tunnel of the upper-level base station, theupper-level base station needs to configure security parameters for thepasserby flows of lower-level base stations. The security parametersinclude the packet filtering rules, ACL rules, IPSec proposal, and IKEproposal.

All NEs on the transportnetwork for theupper-level base station

Are configured with routes to the DHCP servers of lower-level basestations.

Are configured with routes to the IP address of the DHCP relay agent.

Are configured with routes to the OM IP address of the upper-level basestation or either of the following routes:

− The routes to the IP address of the transmission interface (used forpanel-based interconnection) provided by the upper-level base stationwhen the separate-MPT multimode base station uses panel-basedinterconnection

− The routes to the network segment of the next-hop gateway of theupper-level base station when the separate-MPT multimode basestation uses backplane-based interconnection

DHCP servers oflower-level base stations

Are configured with routes to the upper-level base station

Lower-level base stations Are configured with routes to the OM IP address of the upper-level basestation. If the separate-MPT multimode base station uses panel-basedinterconnection, lower-level base stations can also be configured with

routes to the IP address of either of the transmission interfaces (used for



SingleRAN






6-5

NE Requirement

panel-based connection or used for connecting to the transport network)provided by the upper-level base station.



SingleRAN

Automatic OMCH Establishment 7 Application Restrictions



7-1

7 Application Restrictions

7.1 Configuration Requirements for Base Stations and Other

NEsWhen a base station is to be deployed by PnP, configuration requirements for the base station andrelated DHCP servers must be met to ensure successful automatic OMCH establishment. Ifconfiguration requirements are not met, automatic OMCH establishment may fail, leading to adeployment failure. Table 7-1 through Table 7-3 summarizes the configuration requirements.

Table 7-1 lists the configuration requirements for the configuration files of the base station in allscenarios.

Table 7-1 Configuration requirements for configuration files of the base station in all scenarios

SN MO Requirement

1 OMCH If the base station is configured with active and standby OMCHs, only theactive OMCH is used for base station deployment by PnP. The activeOMCH is the OMCH for which the Flag parameter is set toMASTER(Master).

The active OMCH must meet the following requirements:

If the active OMCH is bound to a route:

− The PeerIP parameter must be set to the IP address of the M2000.

− The IP addresses of the M2000 and the FTP server must be on thenetwork segment that is collectively specified by the PeerIP andPEERMASK parameters.

If the active OMCH is not bound to any route:

− The FTP server and the M2000 must be deployed on the sameequipment or network segment.

− The PeerIP parameter must be set to the IP address of the M2000.

− The IP addresses of the M2000 and the FTP server must be on thenetwork segment that is collectively specified by the PeerIP andPEERMASK parameters.

− The base station must be configured with a route to the networksegment of its peer IP address.

If the requirements are not met, the PeerIP parameter must be set to thenext-hop IP address of the active OMCH, and the PEERMASK parameter

must be set to the interface IP address mask of the base station.

2 VLANMAP The VLANMODE parameter specifies the VLAN mode. It is recommendedthat upper-level and lower-level base stations use the SingleVLAN modeinstead of the VLANGroup mode to configure VLANs. If base stations arecascaded and the upper-level base station uses the VLANGroup mode,the upper-level base station must attach related VLAN IDs to packets withdifferentiated services code point (DSCP) set to 46 (when the lower-levelbase station is the NodeB or eNodeB) or 48 (when the lower-level basestation is GBTS or eGBTS).



SingleRAN




7-2

SN MO Requirement

3 BFDSESSION If the CATLOG parameter is set to RELIABILITY(Reliability) for a BFDsession, the BFD session is bound to a handover route. If the base stationuses a logical IP address as the OM IP address, the base station cannotbe deployed by PnP in non-IPSec networking scenarios.

4 NE If the combination of the DID and NE type is used as the BS ID, the DID parameter in the NE MO must be specified.

Table 7-2 lists the specific configuration requirements for the configuration files of the base station inIPSec networking scenarios.

Table 7-2 Configuration requirements for the configuration files of the base station in IPSec networkingscenarios

SN NE MO Requirement

1 Base station ACLRULE The configured ACL rule meets either of thefollowing requirements:

The SIP and DIP parameters are set to 0.0.0.0,and the SWC and DWC parameters are set to255.255.255.255. That is, both the source anddestination IP addresses can be any address.

The SIP is set to the OM IP address, and the DIP parameter is set to the IP address of the M2000,the IP address of the M2000 network segment,or 0.0.0.0. Note that IPSec tunnels do not secureOMCHs established during base stationdeployment if the ACTION parameter is set toDENY(Deny). IPSec tunnels secure the OMCHsonly when the ACTION parameter is set toPERMIT(Permit).

If neither requirement is met, errors may occurwhen parameters configured on the SeGW areexported from the CME, leading to failures in base

station deployment by PnP.

2 Base station IKEPROPOSAL

IPSECPROPOSAL

Parameter settings of the IKEPROPOSAL MOmust be consistent with those described in Table5-6 or Table 5-7.

Parameter settings of the IPSECPROPOSAL MOmust be consistent with those described in Figure5-5.

If the base station uses the IPSec tunnel pairtopology, only the active tunnel supports basestation deployment by PnP.



SingleRAN




7-3

SN NE MO Requirement

3 Base station BFDSESSION If the base station uses the IPSec tunnel pairtopology, the BFD session cannot be bound to aroute during the BFD session configuration.

4 L2 NEs ETHTRK Ethernet link aggregation group must not bemanually configured on the peer L2 NEs of thebase station.

5 CA CA The CA must be configured with the INITREQSIP parameter and the UPDSIP parameter whenidentify authentication by digital certificates isrequired.

The CA must be accessible to NEs in the untrusteddomain.

Table 7-3 lists the configuration requirements for a DHCP server.

Table 7-3 Configuration requirements for a DHCP server

SN Requirement

1 The public DHCP server can be configured with a maximum of eight M2000 DHCP serverIP addresses.

2 If the WMPT board of the NodeB needs to be replaced with the UMPT board, the BS IDconfigured on the DHCP server must be changed from being bound to the panel's ESN

(mapping subcode 43 in DHCP Option 43) to being bound to the backplane's ESN(mapping subcode 1 in DHCP Option 43).

NOTE

When you configure or modify the information of the M2000 DHCP server on the M2000, the destination IP address of theOMCH route and the IP address of the destination network segment must be correct.

7.2 Impact of M2000 Deployment on Base Station Deploymentby PnP

During base station deployment by PnP and subsequent commissioning, the base station needs tocommunicate with many application services of the M2000, including the DHCP service, FTP service,and OMCH management service.

The preceding three services can be deployed on different M2000s and use different IP addresses.Therefore, network planning and base station data configuration must ensure normal communicationbetween the OM IP address of the base station and the IP addresses of the three services.

Table 7-4 describes the impact of M2000 deployment on automatic OMCH establishment.



SingleRAN




7-4

Table 7-4 Impact of M2000 deployment on automatic OMCH establishment

M2000Deployment

M2000DeploymentDescription

M2000Serving asthe DHCP

Server

M2000Serving asthe OMC

Requirement forthe Base StationDeployment

Impact on theNetworkConfiguration

Single-serversystem

All applicationservices aredeployed onthe sameserver and theserver hasonly one IPaddress.

Singleserver

Singleserver

For details, seechapter 5"Automatic OMCHEstablishment bythe Single-modeBase Station andCo-MPTMultimode BaseStation" andchapter 6"Automatic OMCHEstablishment bythe Separate-MPTMultimode BaseStation."

For details, seechapter 5"AutomaticOMCHEstablishmentby theSingle-modeBase Stationand Co-MPTMultimodeBase Station" and chapter 6"AutomaticOMCHEstablishmentby theSeparate-MPTMultimodeBase Station."

HA system The activeand standbynodes have

the samefunction anddata on thetwo nodesaresynchronized.

The activeand standbynodes usethe same IPaddress.

Active orstandbynode


For details, seechapter 5"Automatic OMCH

Establishment bythe Single-modeBase Station andCo-MPTMultimode BaseStation" andchapter 6"Automatic OMCHEstablishment bythe Separate-MPTMultimode BaseStation."

For details, seechapter 5"Automatic

OMCHEstablishmentby theSingle-modeBase Stationand Co-MPTMultimodeBase Station" and chapter 6"AutomaticOMCHEstablishmentby theSeparate-MPTMultimodeBase Station."

SLS system The slavenodeperformsthe networkmanagement functiononly.

The IP

address of

Master node Master orslave node

The PeerIP parameter forthe OMCH mustbe set to the IPaddress of theM2000 thatmanages thebase station.

If the OMCH is

In IPSecnetworkingscenarios, theIP address ofthe M2000DHCP serverconfigured onthe public

DHCP server



SingleRAN




7-5

M2000Deployment


M2000Serving asthe DHCPServer




the masternode isdifferentfrom that ofthe slavenode, andthe IPaddressesof the twonodes are inthe samesubnet.

bound to a route,the route mustbe to thenetworksegment of theM2000.

must be the IPaddress of themaster node. The SeGWmust beconfigured with ACL ruleswhich allowpackets of theM2000 DHCPserver to pass. The SeGWmust beconfigured with ACL ruleswhich allow OMdata to pass.

Remote HAsystem

The activeand standbynodes aredeployed ontwolocations.

The IPaddress ofthe activenode isdifferentfrom that ofthe standbynode, andthe IPaddressesof the twonodes may

not be in thesamesubnet.


The M2000must serveas theDHCPserver.

The base stationmust beconfigured withroutes to the twoIP address ortwo network

segments. The PeerIP

parameter forthe OMCH of thebase stationmust be set tothe IP address ofthe M2000 thatserves as theDHCP server.

In IPSecnetworkingscenarios,the IPaddress ofthe M2000

DHCP serverconfigured onthe publicDHCP servermust be theIP address ofthe M2000that servesas the DHCPserver. If theoperatorexpects touse either ofthe activeand standbynodes as theDHCPserver, thepublic DHCPserver mustbe configuredwith the IPaddresses ofthe activeand standby

nodes.



SingleRAN




7-6

M2000Deployment






The SeGWmust beconfiguredwith ACLrules whichallow DHCPpackets topass. If theoperatorexpects touse either ofthe active

and standbynodes as theDHCPserver, theSeGW mustbe configuredwith ACLrules whichallow packetsof active andstandbynodes topass.

The SeGWmust beconfiguredwith ACLrules whichallow OMdata to pass.If theoperatorexpects touse either ofthe activeand standbynodes as theOMC, theSeGW mustbe configuredwith ACLrules whichallow packetsof active andstandbynodes topass.



SingleRAN




7-7

M2000Deployment






Emergencysystem

Theemergencysystemperformsbasicfunctions onlyand does notsupport PnPor DHCP.

Notsupported

Notsupported

Not involved Not involved

For example: When the M2000 uses the multi-server load-sharing (SLS) networking, the DHCP service is deployed

on the master server, whereas the FTP service and the OMCH management service can be deployedon either the master or slave server. When the FTP service and OMCH management service aredeployed on different M2000 servers and accordingly use different IP addresses, the routeconfiguration on the base station and the transport network must ensure that the IP addresses of thetwo services are reachable using configured routes.

If IPSec secures OMCH data, the IPSec SA's traffic selector (TS) successfully negotiated between thebase station and the SeGW must cover the traffic between the OM IP address of the base station andthe IP addresses of the FTP service and the OMCH management service.

OMCH networking requires that the NAT server be deployed only on the M2000 side, but not the base

station or BSC side. Figure 7-1 shows the OMCH networking in which the NAT server is deployed on theM2000 side.

Figure 7-1 OMCH networking when the NAT server is deployed on the M2000

The IP address and port number of the M2000 can be converted by the NAT. Therefore, the route to theM2000 on the base station side must use an M2000 IP address visible on the base station side as thedestination address. As shown in Figure 7-1, the local IP address configured for the M2000 is 10.0.0.1. After the conversion performed by the NAT server, however, the source IP address in TCP packetsreceived by the base station is 20.1.1.1 instead of 10.0.0.1. Therefore, the route to 20.1.1.1 instead of10.0.0.1 must be configured on the base station side



SingleRAN

Automatic OMCH Establishment 8 Glossary



8-1

8 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary .



SingleRAN

Automatic OMCH Establishment 9 Reference Documents

9 Reference Documents

[1] IPSec Feature Parameter Description for SingleRAN

[2] PKI Feature Parameter Description for SingleRAN

[3] SSL Feature Parameter Description for SingleRAN

[4] 3900 Series Base Station Commissioning Guide

[5] 3900 Series Base Station Initial Configuration Guide