7/30/2019 Training Doc_Introduction to LTE eRAN2.1 Transmission Solution-20110426-A-1.0
1/61
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential
Security Level:
www.huawei.com
Introduction to LTE eRAN2.1
Transmission Solution
Internal use
Foreword
This document describes the LTE eRAN2.1 transmission solution to help users better understand the principles of the LTE transmission network.
eRAN2.1 is an enhanced version and has the following new features:
Enhanced QoS: PIR/CIR.
Enhanced security solution:
1. Self-setup of ACL packet filtering over an X2 interface during ANR
2. Security PnP
3. CMPV2 certificate management
References
Transmission Security MOM Description
Security Feature Parameter Description
Principles and Practice of PKI
Principles and Fundamentals of Digital Certificates and SSL
Requirement for DHCP SERVER
Training Objectives
After completing this course, you should be able to:
Understand the LTE eRAN2.1 transmission solution.
Understand the networking solution for LTE eRAN2.1 transmission security.
Know principles of transmission security.
Contents
1. LTE Transmission Network - Interfaces
2. LTE Transmission Network - QoS
3. LTE Transmission Network - Reliability
4. LTE Transmission Network - Fault Detection
5. LTE Transmission Network - Security
Interfaces of the LTE Transmission Network
An LTE network has two protocol interfaces: the S1 interface and the X2 interface.
The LTE transmission data includes the following:
Data over the S1 interface, including data of the S1 control plane (S1-C) and data of the S1 user plane (S1-U).
Data over the X2 interface, including data of the X2 control plane (X2-C) and data of the X2 user plane (X2-U).
OAM data.
Clock synchronization data.
Note: The S11 interface is part of the core network and is not described in this course.
Figure: X2 (X2-C, X2-U) between two eNodeBs; S1-C from the eNodeB to the MME and S1-U from the eNodeB to the S-GW; OAM link and clock server link from the eNodeB; S11 between the MME and the S-GW.
2. LTE Transmission Network - QoS
LTE E2E QoS Solution
1. QoS mapping
Traffic QoS: user plane (based on QCI, GBR, non-GBR), signaling, IP clock, and OAM.
IP layer: DSCP mapping, DiffServ.
Data link layer: Ethernet QoS (IEEE 802.1P/Q).
2. Traffic shaping
Logical port shaping
Physical port shaping
Figure: the eNodeB connects over Ethernet to a router (QCI mapped to VLAN priority at layer 2 and to DSCP at layer 3); routers forward across the IP network using IP DiffServ; the last router connects over Ethernet to the MME/S-GW (DSCP mapped back to VLAN priority and QCI).
MPLS: Multi Protocol Label Switching; DSCP: Differentiated Service Code Point; CoS: Class of Service.
A transport path is a pipe model. A pipe has bottlenecks prone to congestion. The end nodes should support traffic shaping to prevent the traffic data from being discarded at the congested places.
Figure: a transport path with several bottlenecks between the eNodeB and the MME/S-GW; shaping is applied at the end nodes.
QoS Mapping
QoS-relevant concepts
1. QCI: QCI is an important QoS concept introduced to LTE and defines the QoS class and important quality parameters, such as priority, packet delay budget, and packet error rate.
2. DSCP and VLAN priority (P-bit): A concept about packet priority defined by a transmission network. DSCP is at the IP layer and VLAN priority is at the link layer.
LTE QoS mapping
1. Mapping from the control plane, user plane, and OM to DSCP.
2. Mapping from service at the user plane to QCI, where QCI is extensible.
3. Mapping from QCI at the service plane to IPPATH (optional).
4. Mapping from DSCP to VLAN priority.
Table: standardized QCI characteristics (3GPP TS 23.203)
QCI | Resource Type | Priority | Packet Delay Budget | Packet Error Loss Rate | Example Services
1 | GBR | 2 | 100 ms | 10^-2 | Conversational Voice
2 | GBR | 4 | 150 ms | 10^-3 | Conversational Video (Live Streaming)
3 | GBR | 3 | 50 ms | 10^-3 | Real Time Gaming
4 | GBR | 5 | 300 ms | 10^-6 | Non-Conversational Video (Buffered Streaming)
5 | Non-GBR | 1 | 100 ms | 10^-6 | IMS Signaling
6 | Non-GBR | 6 | 300 ms | 10^-6 | Video (Buffered Streaming); TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
7 | Non-GBR | 7 | 100 ms | 10^-3 | Voice, Video (Live Streaming), Interactive Gaming
8 | Non-GBR | 8 | 300 ms | 10^-6 | Video (Buffered Streaming); TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
9 | Non-GBR | 9 | 300 ms | 10^-6 | Video (Buffered Streaming); TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
3GPP TS 23.203 defines nine QCIs and supports QCI extension. Beginning from eRAN2.1, Huawei supports extended QCI.
QoS Mapping: mapping from service types and DSCPs to VLAN priorities
Service Type | DSCP (hex) | DSCP (dec) | MML Command to Configure DSCP | VLAN | VLAN Pri
QCI1 | 0x2E | 46 | SET DIFPRI | USERDATA | 5
QCI2 | 0x1A | 26 | SET DIFPRI | USERDATA | 3
QCI3 | 0x1A | 34 | SET DIFPRI | USERDATA | 4
QCI4 | 0x22 | 26 | SET DIFPRI | USERDATA | 3
QCI5 | 0x2E | 46 | SET DIFPRI | USERDATA | 5
QCI6 | 0x12 | 18 | SET DIFPRI | USERDATA | 2
QCI7 | 0x12 | 18 | SET DIFPRI | USERDATA | 2
QCI8 | 0x0A | 10 | SET DIFPRI | USERDATA | 1
QCI9 | 0 | 0 | SET DIFPRI | USERDATA | 0
(QCI1 to QCI9 are the nine service types.)
SCTP | 0x2E | 46 | SET DIFPRI | SIG | 5
OM: MML | 0x2E | 46 | SET DIFPRI | OM_H | 5
OM: FTP | 0x0E | 14 | SET DIFPRI | OM_L | 1
IP clock: 1588V2 | 0x2E | 46 | SET DIFPRI | USERDATA | 5
IP clock: HW-DEFINED | 0x2E | 46 | SET DIFPRI | USERDATA | 5
BFD | Manual configuration | - | ADD BFDSESSION | USERDATA | Depending on actual situation
IKE | 0x30 | 48 | Built-in, unchangeable | USERDATA | 5
IPPM | Manual configuration | - | ADD IPPMSESSION | USERDATA | Depending on actual situation
Ping packet | 0x3F | 63 | PING | USERDATA | 7
Ping (response packet) | 0 | 0 | No need to configure. The DSCP of the eNodeB response packets is the DSCP of the peer ping packet. By default the DSCP of the ping command of the transmission network and core network is 0. | USERDATA | 0
ARP | No DSCP value | - | No need to configure | OTHER | 5
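The mapping table above is the kind of data that gets typed into SET DIFPRI by hand, so it is worth checking before it is pushed and worth understanding where the two values physically land in a frame. The following Python is an added example, not Huawei code: it carries the table rows as a dict (constructed from the slide), flags rows whose hex and decimal DSCP columns disagree (the QCI3 and QCI4 rows above do), and builds and parses an 802.1Q tag plus a minimal IPv4 header so the DSCP ends up in the upper six bits of the TOS byte and the VLAN priority in the PCP bits of the TCI. The frame layout follows IEEE 802.1Q and RFC 2474; the VLAN ID and the all-zero addresses are placeholders.

```python
import struct

# Rows transcribed from the mapping table above (hex DSCP, decimal DSCP, VLAN priority),
# arranged as a dict for this example.
QOS_TABLE = {
    "QCI1": ("0x2E", 46, 5), "QCI2": ("0x1A", 26, 3), "QCI3": ("0x1A", 34, 4),
    "QCI4": ("0x22", 26, 3), "QCI5": ("0x2E", 46, 5), "QCI6": ("0x12", 18, 2),
    "QCI7": ("0x12", 18, 2), "QCI8": ("0x0A", 10, 1), "QCI9": ("0x00", 0, 0),
    "SCTP": ("0x2E", 46, 5), "OM_H": ("0x2E", 46, 5), "OM_L": ("0x0E", 14, 1),
    "1588V2": ("0x2E", 46, 5), "IKE": ("0x30", 48, 5), "PING": ("0x3F", 63, 7),
}

def inconsistent_rows(table=QOS_TABLE):
    """Names of rows whose hex and decimal DSCP columns disagree: a transcription check
    worth running before the values go into SET DIFPRI."""
    return [name for name, (hx, dec, _) in table.items() if int(hx, 16) != dec]

def dscp_to_pcp(dscp, table=QOS_TABLE):
    """VLAN priority (802.1p PCP) for a DSCP, using the decimal column of the table."""
    for _, dec, pcp in table.values():
        if dec == dscp:
            return pcp
    raise KeyError(f"DSCP {dscp} has no VLAN priority in the table")

def build_tagged_ipv4_header(dscp, vid, ecn=0):
    """802.1Q tag (TPID 0x8100) followed by a minimal 20-byte IPv4 header.
    DSCP occupies the upper six bits of the TOS byte; PCP occupies bits 15..13 of the TCI."""
    pcp = dscp_to_pcp(dscp)
    tci = (pcp << 13) | (vid & 0x0FFF)          # DEI (bit 12) left clear
    tag = struct.pack("!HH", 0x8100, tci)
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol (17 = UDP),
    # checksum, source, destination (placeholder addresses)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return tag + ipv4

def parse_tagged_ipv4_header(frame):
    """Recover (pcp, vid, dscp) from a frame built by build_tagged_ipv4_header."""
    tpid, tci = struct.unpack("!HH", frame[:4])
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q tagged frame")
    tos = frame[5]                              # byte 4 is version/IHL, byte 5 is TOS
    return tci >> 13, tci & 0x0FFF, tos >> 2

if __name__ == "__main__":
    print("rows with hex/decimal mismatch:", inconsistent_rows())
    frame = build_tagged_ipv4_header(46, vid=100)
    print(frame.hex(), parse_tagged_ipv4_header(frame))
```

The parser is the same logic a capture filter or a DiffServ audit script needs: read the TCI, then read the TOS byte behind the tag, and compare both against what the table says the service should carry.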
eNodeB Traffic Shaping and Scheduling
The eNodeB GE/FE interfaces support two levels of shaping: physical port shaping and logical port shaping. Each logical port shaping contains eight queues.
The need for two levels of queues is to differentiate operators, that is, to support eRAN sharing.
The parameters of a logical port include committed information rate (CIR), PIR and scheduling weight.
The logical ports can share the bandwidth of the physical ports.
Figure: eNodeB two-level shaping. Logical interfaces 1, 2 and 3 (one per operator) each feed eight queues (EF, AF4, AF3, AF2, AF1, BE) into a level 2 shaper; the IP scheduler then feeds the level 1 shaper on the GE/FE interface toward the IP/Ethernet transport network and the S-GW/MME, eNodeB1 and eNodeB2.
PIR/CIR
In versions earlier than eRAN2.1, the eNodeB supports the single-rate three-color marker algorithm, shortened as srTCM (CIR, CBS, and EBS), for traffic shaping, in compliance with RFC 2697.
In eRAN2.1, the eNodeB supports the two-rate three-color marker algorithm, shortened as trTCM (CIR, CBS, PIR, PBS), in compliance with RFC 2698. PIR/CIR refers to the trTCM algorithm.
The transport admission algorithm of the eNodeB is affected by this algorithm. The admission of GBR services is controlled by CIR, whereas the admission of non-GBR services is controlled by PIR. The purpose is to guarantee the quality of high-priority GBR services.
The eNodeB supports two levels of traffic shaping, namely logical port shaping and physical port rate limiting. In eRAN2.1, logical ports support PIR/CIR.
This function can be used in the eRAN sharing scenario. As illustrated by the following figure, the CIR traffic of different operators does not share the physical bandwidth, whereas the PIR traffic does.
PIR: Peak Information Rate; CIR: Committed Information Rate; CBS: Committed Burst Size; EBS: Excess Burst Size; PBS: Peak Burst Size.
Figure: the total bandwidth is split into Operator A CIR and Operator B CIR, which are dedicated, while Operator A PIR and Operator B PIR overlap in the shared remainder.
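The trTCM of RFC 2698 is short enough to implement directly, and seeing the two token buckets move makes the CIR/PIR split on the slide concrete. The Python below is an added example written for this page, not eNodeB code: it implements the colour-blind marker exactly as RFC 2698 specifies it (peak bucket checked first, committed bucket second), pushes a constructed burst through it, and adds a small admission rule that follows the slide's statement that GBR bearers are admitted against CIR and non-GBR bearers against PIR. That rule, and the rates and bucket sizes used, are assumptions for illustration, not Huawei's admission algorithm.

```python
from dataclasses import dataclass, field

@dataclass
class TrTCM:
    """Two-rate three-color marker (RFC 2698), colour-blind mode.
    Rates are in bytes per second, burst sizes in bytes."""
    cir: float
    cbs: int
    pir: float
    pbs: int
    tc: float = field(init=False)    # committed token bucket, starts full
    tp: float = field(init=False)    # peak token bucket, starts full
    last: float = field(init=False)  # time of the previous packet, seconds

    def __post_init__(self):
        self.tc, self.tp, self.last = float(self.cbs), float(self.pbs), 0.0

    def mark(self, size: int, now: float) -> str:
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(float(self.cbs), self.tc + elapsed * self.cir)
        self.tp = min(float(self.pbs), self.tp + elapsed * self.pir)
        if self.tp < size:                 # above PIR: red, dropped by the shaper
            return "red"
        if self.tc < size:                 # between CIR and PIR: yellow, forwarded, may be dropped downstream
            self.tp -= size
            return "yellow"
        self.tc -= size                    # within CIR: green, both buckets charged
        self.tp -= size
        return "green"

def burst(marker: TrTCM, count: int, size: int, at: float) -> dict:
    """Push `count` packets of `size` bytes through the marker at one instant and tally colours."""
    tally = {"green": 0, "yellow": 0, "red": 0}
    for _ in range(count):
        tally[marker.mark(size, at)] += 1
    return tally

def can_admit(kind: str, requested_bps: float, used_gbr_bps: float, used_total_bps: float,
              cir_bps: float, pir_bps: float) -> bool:
    """Assumed, simplified transport admission rule following the slide: a GBR bearer is
    admitted only if the GBR load stays within CIR, a non-GBR bearer if the total stays within PIR."""
    if kind == "GBR":
        return used_gbr_bps + requested_bps <= cir_bps
    return used_total_bps + requested_bps <= pir_bps

if __name__ == "__main__":
    # Constructed parameters: CIR 1000 B/s with a 1000 B committed burst, PIR 2000 B/s with a 2000 B peak burst.
    m = TrTCM(cir=1000, cbs=1000, pir=2000, pbs=2000)
    print(burst(m, 30, 100, at=0.0))   # buckets full: 10 green, 10 yellow, 10 red
    print(burst(m, 30, 100, at=1.0))   # one second of refill restores both buckets
    print(can_admit("GBR", 200, 900, 1500, cir_bps=1000, pir_bps=2000))
```

With the buckets full, a burst of thirty 100-byte packets yields exactly ten green (CBS exhausted), ten yellow (PBS exhausted) and ten red, which is the per-operator picture on the slide: the green share is the operator's dedicated CIR, the yellow share is what it borrows from the shared PIR headroom.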
3. LTE Transmission Network - Reliability
Reliability
Figure: reliability of the backhaul. On the eNodeB side: traffic flow protection (control plane, user plane, OAM data, clock data), port redundancy and board redundancy. Across the backhaul transport network: a work path and a protection path at each layer (transport layer, network layer, data link layer, PHY layer), giving segment-by-segment redundancy per layer and end-to-end redundancy over the S1 interface. On the S-GW/MME side: traffic flow protection (control plane, user plane), board redundancy and port redundancy. OAM backup and the clock server (optional) have their own work and protection paths.
Redundancy: The eNodeB and the backhaul network provide different redundancy solutions for the backhaul design. This inevitably includes port redundancy and board redundancy. The main reliability solution of eRAN2.1 is port (channel) redundancy. The board redundancy is LMPT cold standby.
Overview of the Reliability Solution
Figure: eNodeBs connected over GE to a switch/router using an Ethernet trunk, and over GE to a router into the IP/MPLS network toward the S-GW/MME, with route backup (active route + backup route); E-UTRAN eNodeBs connected to an S-GW pool and an MME pool through S1-flex.
BFD - Bidirectional Forwarding Detection; ARP - Address Resolution Protocol.
1. Reliability solution: S1-flex, channel backup (3s), IP route backup, and Ethernet link aggregation.
2. Fault detection mechanisms: BFD (100 ms), Ethernet OAM (100 ms).
Summary of the Reliability Functions
Protocol Layer | Transmission Reliability: Redundancy Mechanism | Protected Object | Transmission Maintenance and Detection: Maintenance Mechanism | Time
Application Layer | OM channel backup | OM channels | OM handshake protocol | Proprietary handshake protocol: 35s
Transport Layer | SCTP multi-homing | S1/X2 channels | SCTP protocol detection | Heartbeat check and retransmission check: handover can be finished in 5s by parameter settings.
Transport Layer | SCTP multi-homing | S1/X2 channels | BFD detection | 100 ms. Parameters are configurable.
Network Layer | IP route backup | Routes, links | BFD detection | 100 ms. Parameters are configurable.
Network Layer | IP route backup | Routes, links | Physical port detection | ms
Data Link Layer | Ethernet port trunk | Links, Ethernet ports | IEEE 802.3ah detection | 3s
Data Link Layer | Ethernet port trunk | Links, Ethernet ports | IEEE 802.1ag detection | 1s
Physical Layer | None | None | Physical port detection | ms
OMCH Backup
1. The OMCH backup function is used only in the scenario of M2000 remote HA.
2. The OMCH backup function is used when the OM channel passes over Ethernet. The eNodeB configures two different OM IP addresses for the active and standby OM channels, and the M2000 configures the same or different IP addresses.
3. The OMCH backup function uses two physical ports for higher reliability. Preferentially, the active and standby OM IP addresses are in different network segments. In this way, the OMCHs are over different routes, providing higher reliability at higher cost.
4. When the active OMCH is down, the M2000 automatically delivers a switchover command and, upon receipt of the command, the eNodeB switches to the standby OMCH. When the active OMCH is down, the active/standby switchover takes a minimum of six minutes. The following figure illustrates the OMCH backup function.
SCTP Multi-Homing
Each end of an SCTP link binds N IP addresses for redundancy, where N is greater than 2. Two IP addresses are configured for SCTP dual-homing, the first of which is the primary IP address and the second is the standby IP address. The two routes of the dual homing are active and standby. An SCTP link is established on boards and no port is specified. The two IP addresses can be in the same interface or in different interfaces of the same board. It is recommended to use the same interface for the two IP addresses. This function needs to negotiate and work with the core network. Therefore this function is not actively recommended to customers. This function does not support cross-route.
An SCTP link is identified by four parameters: local IP, local SCTP port number, peer IP, and peer SCTP port number.
The difference between SCTP multi-homing and OMCH backup is as follows: In SCTP multi-homing, the slave path automatically switches to the master path when the master path is recovered; in OMCH backup, the M2000 switches to the active OMCH after it detects that the standby OMCH is down.
IP Route Backup
IP route backup means that multiple routes are configured for the same destination. The route of the highest priority is the primary route and other routes of lower priority are backup routes. The physical connection of each route is different. When the primary route is faulty, the eNodeB performs active/standby switchover and selects a backup route to avoid service interruption. When the primary link is recovered, the eNodeB automatically switches to the primary route.
//Add IP address of Ethernet port 0
ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=0,IP="11.11.11.11",MASK="255.255.255.0";
//Add IP address of Ethernet port 1
ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=1,IP="12.12.12.12",MASK="255.255.255.0";
//Add master IP route (Route backup is used between the eNodeB and SeGW.)
ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="11.11.11.10",PREF=50,DESCRI="Master IP Route";
//Add slave IP route
ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="12.12.12.10",PREF=60,DESCRI="Slave IP Route";
The eNodeB needs to provide two DEVIPs that are in different network segments. (With only one DEVIP, route backup cannot be configured.)
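The route selection the slide describes (lowest PREF wins while its next hop is reachable, automatic fallback when the primary fails, automatic revert when it recovers) can be modelled against the two ADD IPRT commands above. The Python below is an added example and not eNodeB software: it parses the two MML lines from the slide into route entries, selects by longest prefix and then PREF among routes whose next hop is up, and replays a constructed sequence of next-hop up/down events of the kind BFD or physical port detection would generate. The MML parser handles only the parameters visible on the slide.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    dst: ipaddress.IPv4Network
    next_hop: str
    pref: int                 # lower value wins, as in the MML above (PREF=50 master, PREF=60 slave)
    descr: str
    up: bool = True           # cleared when BFD or the physical port reports the next hop unreachable

# The two ADD IPRT commands from the slide, used here as constructed input.
MASTER_CMD = ('ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",'
              'RTTYPE=NEXTHOP,NEXTHOP="11.11.11.10",PREF=50,DESCRI="Master IP Route";')
SLAVE_CMD = ('ADD IPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",'
             'RTTYPE=NEXTHOP,NEXTHOP="12.12.12.10",PREF=60,DESCRI="Slave IP Route";')

def parse_add_iprt(cmd: str) -> Route:
    """Parse one ADD IPRT MML command into a Route (only the parameters shown on the slide)."""
    name, _, params = cmd.partition(":")
    if name.strip().upper() != "ADD IPRT":
        raise ValueError(f"not an ADD IPRT command: {name!r}")
    kv = {}
    for item in params.strip().rstrip(";").split(","):
        key, _, value = item.partition("=")
        kv[key.strip()] = value.strip().strip('"')
    if kv.get("RTTYPE") != "NEXTHOP":
        raise ValueError("only RTTYPE=NEXTHOP routes are handled here")
    # DSTIP is a host address on the slide; strict=False derives the destination network from the mask.
    net = ipaddress.ip_network(f"{kv['DSTIP']}/{kv['DSTMASK']}", strict=False)
    return Route(net, kv["NEXTHOP"], int(kv["PREF"]), kv.get("DESCRI", ""))

def build_routes():
    return [parse_add_iprt(MASTER_CMD), parse_add_iprt(SLAVE_CMD)]

def select_route(routes, dst_ip: str):
    """Longest prefix match first, then lowest PREF, among routes whose next hop is up."""
    ip = ipaddress.ip_address(dst_ip)
    usable = [r for r in routes if r.up and ip in r.dst]
    if not usable:
        return None
    return min(usable, key=lambda r: (-r.dst.prefixlen, r.pref))

def set_next_hop_state(routes, next_hop: str, up: bool):
    for r in routes:
        if r.next_hop == next_hop:
            r.up = up

def failover_sequence(routes, dst_ip: str, events):
    """Replay (next_hop, up) events and record which route carries traffic after each one."""
    chosen = []
    for next_hop, up in events:
        set_next_hop_state(routes, next_hop, up)
        r = select_route(routes, dst_ip)
        chosen.append(r.descr if r else None)
    return chosen

if __name__ == "__main__":
    routes = build_routes()
    print(select_route(routes, "13.13.13.13").descr)
    # Constructed events: master next hop fails, recovers, then the slave next hop fails.
    print(failover_sequence(routes, "13.13.13.13",
                            [("11.11.11.10", False), ("11.11.11.10", True), ("12.12.12.10", False)]))
```

The replay shows the two properties the text promises: traffic moves to the slave route as soon as the master next hop is marked down, and returns to the master route the moment it is marked up again, because selection is re-evaluated on every event rather than latched.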
Ethernet Link Aggregation
Ethernet link aggregation means that multiple physical ports aggregate into one logical path to increase the bandwidth between switches and eNodeBs and to provide more bandwidth, more throughput, and higher network capacity.
This function requires that the peer transport device also supports this function, which ordinary routers do.
Trunk No. is the unique number of the aggregate group.
Port priority: The lower the value, the higher the priority.
4. LTE Transmission Network - Fault Detection
Link Fault Detection
Figure: link fault detection. Network management covers QoS monitoring, fault detection, and fault location and quick recovery. Between the eNodeB (GE/FE) and the S-GW/MME, through the transport devices of the transport network, two scenarios are shown: end-to-end maintenance (end-to-end over the S1 interface and end-to-end over the X2 interface) and segment-by-segment maintenance.
Maintainability Solution
Access link maintenance: IEEE802.3ah
Connectivity maintenance: IEEE802.1ag
Application layer maintenance: BFD, IPPM, and IPPATH check
Figure: IEEE 802.3ah and single-hop BFD on the access link, IEEE 802.1ag and multi-hop BFD across the IP core, and IPPM with performance counters end to end.
IPPATH Check
It is recommended to disable this function in ordinary situations.
IP Performance Monitoring (1)
Function: IP performance monitoring (IP PM) monitors the transport quality between the eNodeB and the S-GW and checks the transport performance parameters, including the number of packets sent and received, packet loss rate, one-way delay variation, and round-trip delay variation.
Strength: Provides transport KPIs and works with the dynamic transport flow control to avoid the impact of dynamic transport bandwidth variation on QoS.
Weakness: The more IP PM sessions are activated, the more accurately congestion is determined and the more resources are consumed.
Requirement for the devices: IPPM is Huawei proprietary and requires support from the eNodeB and the core network. IPPM requires that the DSCP value of the transmission network is the same as that of the eNodeB and core network and cannot be changed. Otherwise, activating the IPPM fails.
Applicable scenario: IP PM is recommended in the scenario where the core network consists of Huawei equipment, particularly if the IP transmission has to pass poor-quality ADSL lines that have a high packet loss rate, unstable line rates, or large bandwidth variation.
IP Performance Monitoring (2)
External congestion check: IP PM checks in real time the packet loss of a user data path, calculates the packet loss rate of the path, and dynamically adjusts the logical port bandwidth for dynamic admission control of the transport bandwidth and flow control, avoiding packet loss caused by congestion of the transmission network.
This figure shows adaptive flow control based on IP PM. The dotted lines indicate the bandwidth variation of the IP/Ethernet transmission network. The IP PM between the S-GW/MME and the eNodeB checks the variation of the transmission network performance, including delay, jitter, and packet loss rate, and estimates the minimum end-to-end available transmission bandwidth. The eNodeB sends the available bandwidth information to the flow control module, which adjusts the data flow to the transmission network to reduce the packet loss rate and to increase the bandwidth utilization of the transmission network.
To enable bidirectional link check, set up a PM session in the A > B direction and a PM session in the B > A direction.
Figure: path from the MME/SGW to the eNodeB with a maximum bandwidth of 100 Mbps and a 30 Mbps bottleneck; a bandwidth change is (1) detected, (2) calculated, and (3) fed to transport dynamic flow control.
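The loop on this slide (measure loss per interval, estimate what the path can carry, shape the logical port to that) is easiest to understand by running it against a path with a known bottleneck. The Python below is an added example written for this page, not Huawei's IPPM or flow-control implementation: it computes the interval loss rate from sent/received counters and a simple one-way delay variation figure, and drives an assumed controller (multiplicative back-off on loss, additive recovery otherwise) against a constructed path model where anything offered above the 30 Mbps bottleneck from the figure is lost in proportion. The controller constants are illustrative assumptions.

```python
def loss_rate(sent: int, received: int) -> float:
    """Fraction of packets lost in one measurement interval, from the sent/received counters."""
    if sent <= 0:
        return 0.0
    return max(0.0, (sent - received) / sent)

def delay_variation_ms(one_way_delays_ms) -> float:
    """Largest change in one-way delay between consecutive samples (a simple jitter figure)."""
    if len(one_way_delays_ms) < 2:
        return 0.0
    return max(abs(b - a) for a, b in zip(one_way_delays_ms, one_way_delays_ms[1:]))

def adjust_bandwidth(current_mbps, loss, max_mbps, loss_threshold=0.01, backoff=0.7, step_mbps=5.0):
    """Assumed, simplified controller: multiplicative back-off when the interval's loss exceeds the
    threshold, additive recovery up to the configured maximum otherwise."""
    if loss > loss_threshold:
        return max(1.0, current_mbps * backoff)
    return min(max_mbps, current_mbps + step_mbps)

def simulate(start_mbps, max_mbps, bottleneck_mbps, intervals, packets_per_interval=1000):
    """Constructed path model: packets offered above the bottleneck rate are lost in proportion.
    Returns the logical-port bandwidth chosen after each measurement interval."""
    bw, history = float(start_mbps), []
    for _ in range(intervals):
        sent = packets_per_interval
        received = int(sent * min(1.0, bottleneck_mbps / bw))
        bw = adjust_bandwidth(bw, loss_rate(sent, received), max_mbps)
        history.append(round(bw, 2))
    return history

if __name__ == "__main__":
    # Figure values: 100 Mbps maximum, 30 Mbps bottleneck.
    print(simulate(start_mbps=100, max_mbps=100, bottleneck_mbps=30, intervals=12))
    # Constructed delay samples in ms.
    print(delay_variation_ms([20, 22, 35, 21]))
```

Starting at the 100 Mbps maximum, the shaped rate falls to 70, 49 and 34.3 Mbps in the first three intervals and then hovers just around the 30 Mbps bottleneck, which is the behaviour the figure sketches: the eNodeB stops offering traffic the path cannot carry instead of letting it be dropped inside the transmission network.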
Bidirectional Forwarding Detection (BFD)
Function: Fast fault detection of any type of channel. Detects the connectivity of the same path (physical or logical links) between two systems. Used by all protocols at layer two or higher layers. The eNodeB implements BFD over UDP.
Strength: Fault detection for IP routes. Quick detection in 100 ms.
Requirement on the device: At present the eNodeB supports BFD version 1; the peer device should also support BFD version 1. If the peer device does not support BFD version 1, this function cannot be used.
Both ends start BFD simultaneously. The detection duration of both ends should be consistent.
Recommended scenarios
Segment-by-segment BFD (SBFD): Used in point-to-point detection of network faults, applicable to detection of a direct connection between two points of the same network segment.
Multi-hop BFD (MBFD): Used in end-to-end detection of network faults, applicable to two ends that have multiple routing nodes in between.
Segment-by-Segment BFD and Multi-Hop BFD
SBFD: Used in fault detection between an eNodeB and a transmission device at L3, or between an S-GW/MME and a transmission device. Used to locate a fault or to trigger switchover of protection paths between an eNodeB and a transmission device, or between an S-GW/MME and a transmission device. SBFD does not traverse an L3 transmission device.
MBFD: Used for detection between eNodeBs, between an eNodeB and an S-GW, and between an eNodeB and a remote transmission device. Used to locate a fault or to trigger switchover of protection paths between two ends to ensure network reliability.
BFD configuration example (MML output):
+++ HUAWEI 2010-07-08 15:37:15 O&M #62147
%%ADD BFDSESSION: SN=7, BFDSN=0, SRCIP=10.141.225.226, DSTIP=10.69.23.24, HT=MULTI_HOP;%%
RETCODE = 0
Operation succeeded
IEEE802.3ah and IEEE802.1ag
Ethernet OAM is implemented by two protocols. IEEE 802.1ag highlights end-to-end Ethernet link OAM and IEEE 802.3ah highlights segment-by-segment Ethernet OAM (concerning the user side only and not the network side). The two work together to provide a complete Ethernet OAM solution.
The following figure shows the position of the Ethernet OAM.
IEEE802.3ah and IEEE802.1ag
IEEE 802.3ah: link performance monitoring, fault detection, loopback test.
Strength: Highlights segment-by-segment Ethernet fault monitoring (concerning only the user side, not the network side). The peer equipment needs to support IEEE 802.3ah.
IEEE 802.1ag: connectivity check, loopback test, link trace (follow-up) test.
Strength: Highlights end-to-end Ethernet link fault monitoring. The transmission equipment needs to support IEEE 802.1ag.
5. LTE Transmission Network - Security
eNodeB Security Architecture
The security architecture contains three parts:
1. Security threats: Potentially existing damages that may affect normal system running.
2. Security measures: Methods to protect system security.
3. Security system: Target protected by the security measures, which here refers to the eNodeB. A security system contains the radio plane, transmission plane, equipment plane, and OAM plane.
Table: security threats
No. | Threatened Object | Threat Type | Security System
1 | eNodeB | Stealing eNodeB hardware. Obtaining important information from the eNodeB. Loading invalid versions or illegally controlling the eNodeB. DoS (Denial of Service) attack. | Equipment security
2 | Uu interface | Eavesdropping on Uu interface signals to obtain important user information. Mimicking Uu interface signaling to forge user access. | Radio security
3 | S1 interface | Eavesdropping on data from the transmission network to obtain important user information. Intercepting data of the transmission network to tamper with the data. | Transmission security
4 | X2 interface | The same as the S1 interface. | Transmission security
5 | OM interface | Intercepting important information sent by the eNodeB and transferred over the OM interface. Deleting or stealing important data from the eNodeB. Logging in to, controlling, and operating the eNodeB illegally. | OAM security
6 | Clock server | Attack on the eNodeB from an illegal clock source. | OAM security
Five security threat types are defined. See Remark.
Figure: security threats, security measures, and the security system.
Security Measures
This course describes transmission security.
Figure: security measures grouped by security system. Transmission security: transmission security policy (1. IPSec, 2. 802.1x) and certificate management (PnP, PKI/CMPV2). Equipment security: simple firewall function (1. ACL, 2. interface security management). OM security: OM channel security (1. SSL).
Tailored to the security threats, ITU-T X.805 identifies and defines eight security measures:
1. Access control: Prevents equipment from being illegally used and allows only authorized users to access the protected content (equipment, information, services). For example, only authorized users can gain access to the eNodeB through the OM interface.
2. Authentication: Authenticates the identity of a communication entity and allows entities of valid identity to set up communications.
3. Non-repudiation: Prevents an entity from denying an operation by means of evidence (such as operation logs). For example, an operation log records each operation on the eNodeB.
4. Data confidentiality: Uses encryption to prevent data from being disclosed.
5. Communications security: Information is transmitted only between authenticated entities to prevent disclosure or falsification of the data during communications.
6. Data integrity: Ensures data correctness, prevents illegal change, deletion, generation, or replication of data, and identifies unauthorized operations.
7. Availability: Ensures that the system works and that services are not interrupted as a result of an illegal operation.
8. Privacy: Protects keys, identity information, and equipment or network activity information, such as log information.
Transmission Security Mechanism
Figure: transmission security mechanism. In the access network the eNodeB authenticates with 802.1X against a RADIUS server and establishes IPSec to the SeGW; behind the SeGW, in the core network, sit the M2000, SAE, IPCLK, CRL server, and PKI system (CA).
The eNodeB uses 802.1x (EAP-TLS)-based authentication access control and IPSec to ensure transmission security.
1. The 802.1X-based authentication access control ensures that the eNodeB gains access to the transmission network by the legal process.
2. IPSec provides a security mechanism for the eNodeB in the all-IP scenario to ensure transmission confidentiality, integrity, authentication, and replay resistance.
802.1X and IPSec provide transmission security protection at different layers. A user can use them together or separately.
802.1x Access Authentication
The MAC address of the eNodeB is authenticated to prevent unauthorized equipment from gaining access to the transmission network.
The 802.1x access control sends the digital certificate of the eNodeB to the RADIUS server over EAPoL; the RADIUS server authenticates the eNodeB identity by using the Huawei CA root certificates configured on the server.
Principles of IPSec (1/3)
IPSec is an open standards framework. The IPSec protocol suite includes ESP/AH, IKE, DPD, and encryption algorithms.
1. Security protocols
AH refers to the authentication header and provides a data integrity check. AH is applicable for transmitting non-confidential data.
ESP refers to the encapsulating security payload and provides a data integrity check and encryption. ESP is applicable for transmitting confidential data.
2. Packet encapsulation methods
Transport mode: Provides protection for the payload and upper-layer protocols of the IP data packets. In transport mode, the IPSec header (AH and/or ESP) is inserted after the IP header and before the upper-layer protocols.
Tunnel mode: Provides security protection for the original IP data packets. In tunnel mode, the original IP data packets are encapsulated into a new IP data packet; the IPSec header (AH and/or ESP) is inserted between the new IP header and the original IP header. The original IP header is protected by IPSec as part of the payload.
Principles of IPSec (2/3)
Format of the AH packet with different encapsulation modes:
Transport mode: [IP Header][AH Header][TCP/UDP][Data]. The range of AH authentication covers the whole packet.
Tunnel mode: [New Header][AH Header][IP Header][TCP/UDP][Data]. The range of AH authentication covers the whole packet.
Format of the ESP packet with different encapsulation modes:
Transport mode: [IP Header][ESP Header][TCP/UDP][Data][ESP Tail][ESP Auth]. The range of ESP encryption covers TCP/UDP through ESP Tail; the range of ESP authentication covers ESP Header through ESP Tail.
Tunnel mode: [New Header][ESP Header][IP Header][TCP/UDP][Data][ESP Tail][ESP Auth]. The range of ESP encryption covers IP Header through ESP Tail; the range of ESP authentication covers ESP Header through ESP Tail.
Format of the packet using both protocols with different encapsulation modes:
Transport mode: [IP Header][AH Header][ESP Header][TCP/UDP][Data][ESP Tail][ESP Auth]. The range of AH authentication covers the whole packet; the ESP encryption and authentication ranges are as above.
Tunnel mode: [New Header][AH Header][ESP Header][IP Header][TCP/UDP][Data][ESP Tail][ESP Auth]. The range of AH authentication covers the whole packet; the ESP encryption and authentication ranges are as above.
Principles of IPSec (3/3)

3. Integrity check
In the integrity check, a hash function accepts a message of any length and generates a message digest of fixed length. The two communicating entities calculate and compare the digest to determine whether the packets are complete and have not been tampered with. Algorithms: MD5, SHA-1.

4. Data encryption
An encryption algorithm uses symmetric cryptography to encrypt and decrypt data.
NULL: Null encryption algorithm, no encryption of IP packets.
DES (Data Encryption Standard): Uses a 56-bit key to encrypt a 64-bit plaintext block.
3DES: Uses three 56-bit DES keys (totaling 168 bits) to encrypt plaintext.
AES (Advanced Encryption Standard): AES has three key lengths: 128 bits, 192 bits, and 256 bits. The longer the key, the higher the security and the slower the calculation.

5. IKE (Internet Key Exchange)
IKE is used for key negotiation, identity authentication, and IPSec SA negotiation.

6. Key exchange algorithm
In IKE, the two communicating entities calculate the shared key through a series of data exchanges without ever transferring the key itself. Even if a third party intercepts all the exchanged data, it cannot calculate the key. The core technology is the DH (Diffie-Hellman) algorithm together with pseudorandom functions.

7. Authentication
Pre-shared key (PSK)
Digital certificate (PKI)

8. ACL
ACL refers to access control list. The IPSec filter matches the ACL configured by the user against the 5-tuple of the data stream to identify which packets need encryption.
IPSec Application Scenarios

Scenario 1: An IPSec tunnel is set up between the eNodeB and the SeGW. The S1 data stream, X2 data stream, and OAM data stream are protected by the IPSec tunnel (main scenario).
Scenario 2: An IPSec tunnel is set up between eNodeB X2 interfaces.
Scenario 3: An IPSec tunnel is set up between the S1 interfaces of the eNodeB and the MME/S-GW.
[Figure: Typical IPSec networking. Access network: eNodeBs. Core network: SeGW (redundancy with two SeGWs), M2000, SAE, IPCLK, CRL server and PKI system/CA. The S1, X2, OAM and SYN streams cross from the non-security zone to the security zone through the SeGW; the SeGW can be deployed centralized or distributed.]
The IPSec networking needs to consider three factors: security domain, protected stream, and configuration mode (see Remarks).
Intelligent PNP Process: eNodeB Security Startup with Digital Certificates
[Figure: eNodeB security startup with intelligent PnP. Elements: eNodeB, public DHCP server, SeGW, RADIUS server, PKI system (CA and CRL server), M2000. Steps: 1. VLAN scanning; 2. DHCP/public DHCP server; 3. authentication with the PKI server; 4. build the IPSec tunnel; 5. OM channel setup; 6. download configuration and software.]
Prerequisites for eNodeB security startup with intelligent PnP:
1. The transmission network has deployed a public DHCP server. The PnP configuration information and DHCP option 43 are defined.
2. The eNodeB is preset with a factory certificate.
3. The PKI server is preset with the Huawei root certificate, the ESN list, and the CRL, which can be obtained from the web portal. The ESN list is a whitelist.
4. The SeGW is preset with the operator's root certificate.
5. The 802.1X authentication server (RADIUS server) is preset with the Huawei root certificate.

The PnP process has six steps (for details, see Remark):
1. Automatic access process: 802.1X authentication and VLAN learning.
2. DHCP process: obtaining a temporary IP address from DHCP, together with the SeGW IP, PKI server IP, and M2000 IP.
3. PKI authentication.
4. IPSec tunnel setup.
5. OMCH setup.
6. Downloading the configuration and software. After restart, the PnP process is finished.

Note: If any of the above steps fails, the system starts the PnP process again, until the PnP process is finished.
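Step 2 of the PnP process hands the eNodeB its parameters inside DHCP option 43 (the DHCP server requirements later in this course say the same: option 43 carries the CA server information and the certificate path). The following Go program is an added example, not Huawei's code: it parses the option 43 sub-options with bounds checking and extracts the SeGW, CA and M2000 addresses plus the certificate path. The sub-option codes and the sample bytes are constructed assumptions; the course does not specify the real encoding.

```go
package main

import (
	"fmt"
	"net"
)

// Hypothetical sub-option codes inside option 43: the course says what the
// option carries but not the codes, so these are constructed for this example.
const subSeGWIP, subCAIP, subM2000IP, subCertPath byte = 1, 2, 3, 4

// PnPInfo is what the eNodeB takes from the DHCP reply in PnP step 2.
type PnPInfo struct {
	SeGW, CA, M2000 net.IP
	CertPath        string
}

// ParseOption43 splits an option 43 value into encapsulated sub-options (code,
// length, data; RFC 2132 section 8.4). Every length is checked against the
// remaining bytes, so a truncated or malformed reply yields an error instead of
// a read past the end of the buffer.
func ParseOption43(b []byte) (map[byte][]byte, error) {
	subs := map[byte][]byte{}
	for i := 0; i < len(b); {
		code := b[i]
		if code == 0 { // pad byte
			i++
			continue
		}
		if code == 255 { // end marker
			break
		}
		if i+1 >= len(b) {
			return nil, fmt.Errorf("sub-option %d: length byte missing", code)
		}
		l := int(b[i+1])
		if i+2+l > len(b) {
			return nil, fmt.Errorf("sub-option %d: length %d runs past the end", code, l)
		}
		subs[code] = b[i+2 : i+2+l]
		i += 2 + l
	}
	return subs, nil
}

// DecodePnP requires each address sub-option to be present and to hold exactly
// one IPv4 address; the certificate path is optional.
func DecodePnP(opt43 []byte) (PnPInfo, error) {
	subs, err := ParseOption43(opt43)
	if err != nil {
		return PnPInfo{}, err
	}
	var info PnPInfo
	for code, dst := range map[byte]*net.IP{subSeGWIP: &info.SeGW, subCAIP: &info.CA, subM2000IP: &info.M2000} {
		v, ok := subs[code]
		if !ok || len(v) != net.IPv4len {
			return PnPInfo{}, fmt.Errorf("sub-option %d: missing or not an IPv4 address", code)
		}
		*dst = net.IPv4(v[0], v[1], v[2], v[3])
	}
	info.CertPath = string(subs[subCertPath])
	return info, nil
}

// SampleOption43 is a constructed reply (TEST-NET-1 addresses): code, length and
// data for each sub-option, then the 255 end marker.
var SampleOption43 = []byte{
	subSeGWIP, 4, 192, 0, 2, 10,
	subCAIP, 4, 192, 0, 2, 20,
	subM2000IP, 4, 192, 0, 2, 30,
	subCertPath, 13, '/', 'p', 'k', 'i', '/', 'r', 'o', 'o', 't', '.', 'c', 'r', 't',
	255,
}
```

A reply cut off in the middle of a field is rejected as a whole rather than partially applied, which is the behaviour to want on an unauthenticated DHCP answer.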
All-Process Certificate Management Solution
To support the certificate-based transmission security mechanism, Huawei provides an all-process certificate management solution. The core of this solution is PKI. The solution consists of two stages: the factory stage and the operation stage.

PKI mechanism:
PKI (Public Key Infrastructure) uses asymmetric cryptography to provide information security services and is the basis and core of current network security construction. PKI is in wide use. PKI uses username, password, and symmetric key to provide a secure and standard key management infrastructure. The core technology of PKI is digital certificate (public key) management, including issuance, delivery, update, and revocation of certificates.

Certificate management
Factory stage: The factory CA issues the factory device certificate; the eNodeB is preset with the device certificate and the Huawei root certificate; the root certificates, CRL, and ESN list are published on the web portal.
Operation stage: Includes eNodeB installation, eNodeB security self-startup with intelligent PnP, and automatic eNodeB certificate management with the all-process certificate management process.
Principle 1 - Symmetric Cryptography

Encryption and decryption use the same key.
The sender and receiver should agree upon a key before secure communication.
Security depends on the confidentiality of the key. Disclosure of the key means that the encryption is no longer secure.

[Figure: User A encrypts plaintext into ciphertext with the key and User B decrypts the ciphertext back into plaintext with the same key, which is allocated to both in advance.]
Principle 2 - Asymmetric Cryptography

Also known as public key encryption.
Encryption and decryption use different keys.
The encryption key can be public and is called the public key. The decryption key must be kept secret and is called the private key.
The private key is used for signature and the public key for authentication (signature verification).

[Figure: User A obtains the public key of B and encrypts plaintext into ciphertext with it; User B decrypts the ciphertext back into plaintext with the private key of B.]
Principle 3 - Digital Certificates

A digital certificate is an electronic ID card containing an entity's identity and associated public key information.
This electronic ID card must be issued by a trusted authority.

[Figure: The CA calculates a message digest over the certificate content, then calculates the digital signature over that digest with the CA's private key; the result is the CA's digital signature on the certificate.]
Principle 4 - Certificate Revocation List (CRL)

[Figure: CRL structure]
CRL
  tbsCertList
    version
    signature
    issuer
    thisUpdate
    nextUpdate
    revokedCertificates
      userCertificate
      revocationDate
      crlEntryExtensions
    crlExtensions
  signatureAlgorithm
  signatureValue

For various reasons, a digital certificate may need to be revoked before its validity period expires. The revoked certificates are uniformly saved in the CRL (blacklist).
Principle 5 - PKI

PKI refers to public key infrastructure.
The PKI impl
ementation is based on asymmetric cryptography algorithms and technologies. PKI is the basis and core of current network security construction.
Established over a group of standard and interoperable PKI protocols.
Uses digital certificates compliant with ITU-T X.509, manages the public keys of asymmetric cryptography, and binds the public key of an entity with other identity information (which for a device can be the device name, home country, province, city, specific location, or unique ID).
A trusted CA (certificate authority) signs the public key and identity information of a user, generating a digital certificate.
Manages the life cycle of digital certificates.

PKI architecture:
CA: The CA issues, updates, revokes, and authenticates digital certificates. The CA is the core executive part of PKI.
RA: The RA is the registration and approval body for digital certificates. The RA is the CA's window for users.
CR/CRL: The CR/CRL server stores the digital certificates or the CRL. It exists as an FTP server, Web server, or LDAP server.
Life cycle of a digital certificate

[Figure: Life cycle of a digital certificate among the entity, RA, CA and CR/CRL server: 1. certificate request; 2. certification authorization; 3. certificate delivery; 4. certificate cancellation (revocation); 5. certificate expiry.]

CA hierarchy

[Figure: PKI system with a root CA, middle (intermediate) CAs, and ultimate (end) users.]

A parent CA can have child CAs, thereby establishing a CA hierarchy. Any CA can issue certificates within its authority.
A three-layer CA hierarchy can satisfy the requirements of most operators.
There is no limit to the depth of the CA hierarchy. A customer can choose an appropriate depth according to the actual situation.
Certificate chain

Assume that A authenticates B's certificate. B's certificate specifies the CA that issued it. Move along the CA hierarchy up to the root certificate; this movement forms a certificate chain. The authentication process is as follows: moving in the reverse direction, starting from the root certificate, each node authenticates the certificate of the next node until B is reached. The root certificate is self-signed and uses its own public key for authentication.
If all the signatures pass authentication, A determines that all certificates are correct. If A trusts the root CA, A can trust B's certificate and public key.

[Figure: Extract the Root CA's public key and verify both Root CA signatures; extract CA1's public key and verify CA1's signature; extract CA2's public key and verify CA2's signature.]
Deploying PKI on eNodeB

[Figure: Network element holding a root certificate, a device certificate and a CRL; PKI system with CA and CRL server; certificate management between the two.]

The core of the PKI mechanism is certificates. PKI includes the network elements that use certificates, the PKI servers (CA and CRL servers) that manage the certificates, and certificate management between NEs and PKI servers.

NEs: NEs that use certificates include the eNodeB and the SeGW. Three files are built in: device certificate, root certificate, and CRL.
PKI servers: PKI servers manage certificates and include the CA server and the CRL server.
The certificate management protocol between the CA and the eNodeB is CMPv2.
Certificate Verification in the LTE

[Figure: Two ways the SeGW/CA verifies the eNodeB device certificate: (a) with the root certificate only; (b) with the root certificate plus the ESN whitelist.]

The CA root certificate can verify the validity of a device certificate issued by that CA. For example, when the SeGW authenticates an eNodeB, the root certificate of the eNodeB device certificate is preset on the SeGW. During authentication, the eNodeB sends the device certificate to the SeGW, which uses the preset root certificate to verify the validity of the device certificate.
Verification of device certificates by the root certificate ensures that the device certificate was issued by the root certificate's CA. The Huawei CA root certificate can verify that an eNodeB is a valid Huawei device. To strengthen the authentication, a whitelist is used: the eNodeB ESN contained in the device certificate is compared with the preset ESN list. Only a Huawei eNodeB with a specific ESN is valid.
Certificate Management

Factory stage
At the factory stage, an eNodeB is preset with a unique device certificate. The ESN list, CRL, and factory CA root certificate are published on the web portal.

Operation stage
At the operation stage, a customer obtains the ESN list, CRL, and factory CA root certificates from the web portal to support the factory-preset certificate and eNodeB authentication.
For details, see the Remark.
Certificate Management (CMPv2)

Two certificate management phases:
1. PnP phase: In the PnP phase, the eNodeB uses the initial request (ir) message and initial reply (ip) message to apply to the operator's CA server for a device certificate. The DHCP option parameter (CA protocol type) determines whether a CMPv2 message uses HTTP or HTTPS. The following figure illustrates the PnP scenario.
2. Maintenance phase: After the system enters a stable state, two messages, Key Update Request and Key Update Reply, are used to update the certificate. If updating the certificate fails, the existing certificate remains effective and in use, so that the transmission link is not interrupted.

The certificate management system (CMPv2) is compliant with 3GPP TS 33.310.
[Figure: CMPv2 initialization exchange between the eNodeB and the PKI server]
eNodeB -> PKI server: ir {certificate request file, vendor certificate}
PKI server -> eNodeB: ip {operator certificate, operator root certificate}

eNodeB side:
1. Creating a key pair (private key and public key) for the certificate file.
2. Creating the certificate request. The Subject CN (common name) and SubjectAltName are the [email protected]. The ESN (Electrical Sequence Number) is the unique ID of the eNodeB.

PKI server side:
1. Verifying the vendor certificate against the whitelist, which is composed of eNodeB ESNs.
2. Verifying the vendor certificate with the vendor root certificate.
3. Issuing the operator certificate based on the received certificate request file.
Equipment Security: Simple Firewall
The eNodeB provides a simple firewall function, including ACL packet filtering and interface security management.

ACL packet filtering
1. Objective: To prevent DoS attacks, or to be used by IPSec to match packets and determine whether a packet should have IPSec applied. The eNodeB supports ACL rule definition to permit or deny the packets that match the rule.
2. 6-tuple rule: protocol type, destination IP, source IP, destination port, source port, DSCP.
3. Response methods: permit or deny.
4. Handling methods:
Whitelist: First, an ACL rule denying reception of all packets is configured; then the packets that are permitted to pass are specified for each data stream.
Blacklist: An ACL rule that denies a data stream is configured for each data stream that needs to be denied. By default, all packets are permitted, so there is no need to configure an ACL rule that permits all packets.
For complete protection, the whitelist is better. For the SON X2 self-setup function, the system automatically adds an ACL rule for the X2 interface.

Interface security management
This function consists of three parts:
1. Communication matrix: The support website publishes the open protocol ports (TCP/UDP) of the eNodeB for each version as the basis for port management.
2. Service port disable: When there is no service configuration over a service port, a user can disable the service port to reduce the exposure to attack.
3. Debug port or protocol port disable: A user can choose to disable the debug port, or a protocol port of the debug port, preferentially Telnet port 23 and SSH port 22.
Self-Setup of ACL Packet Filtering over X2 Interface - New in eRAN2.1
Some operators want all the ingress and egress streams of the eNodeB to be under the control of a whitelist to improve system security. The default action is deny. Only the streams whose ACL rule is permit can be received by the system.
The eNodeB interfaces include S1, X2, OM, clock, and cascade. Except for the X2 interface, all interfaces are statically configured, so a user can perform data planning and configuration in advance.
The X2 interface is dynamically configured by ANR, and its ACL rules cannot be planned in advance. Therefore, the X2 interface should support generation of ACL rules during ANR.
To support this function, 3GPP extends the S1AP "eNB Configuration Transfer/MME Configuration Transfer" messages and adds the service IP in addition to the signaling IP. During the X2 self-setup process, the eNodeB sets up ACL packet filtering rules after exchanging the address information.

X2 self-setup is described as follows:
1. The source eNodeB and destination eNodeB exchange IP address information (signaling IP and service IP) by the two messages "eNB Configuration Transfer" and "MME Configuration Transfer".
2. The source eNodeB sets up a signaling link to the destination eNodeB and configures ACL rules according to the source IP address and destination IP address: {SCTP, source signaling IP, destination signaling IP}, {UDP, source service IP, destination service IP}.
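The 6-tuple ACL matching and whitelist/blacklist handling from "Equipment Security: Simple Firewall", the default-deny whitelist, and the two X2 rules from step 2 above, as an added Go example that is not Huawei's code: rules with wildcard fields, first-match evaluation with a default action, and a helper that builds the {SCTP, signaling IPs} and {UDP, service IPs} permit rules. The addresses are documentation-range samples and the rule representation is an assumption, not the format of the ACLRULE managed object.

```go
package main

import "net"

// Action is the ACL response method.
type Action bool

const Permit, Deny Action = true, false

// Packet is the 6-tuple the eNodeB filter matches on.
type Packet struct {
	Proto            string
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
	DSCP             int
}

// Rule is one ACL rule; an empty, nil or 0 field means "any" (for DSCP, -1).
type Rule struct {
	Proto            string
	SrcNet, DstNet   *net.IPNet
	SrcPort, DstPort int
	DSCP             int
	Action           Action
}

func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) &&
		(r.SrcNet == nil || r.SrcNet.Contains(p.SrcIP)) &&
		(r.DstNet == nil || r.DstNet.Contains(p.DstIP)) &&
		(r.SrcPort == 0 || r.SrcPort == p.SrcPort) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort) &&
		(r.DSCP < 0 || r.DSCP == p.DSCP)
}

// ACL is an ordered rule group plus the handling method: a whitelist has
// Default Deny and permit rules, a blacklist Default Permit and deny rules.
type ACL struct {
	Rules   []Rule
	Default Action
}

// Evaluate returns the action of the first matching rule, else the default.
func (a ACL) Evaluate(p Packet) Action {
	for _, r := range a.Rules {
		if r.matches(p) {
			return r.Action
		}
	}
	return a.Default
}

// Host converts one IPv4 address into a /32 network for use in a rule.
func Host(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s + "/32")
	if err != nil {
		panic(err)
	}
	return n
}

// X2Rules builds the two permit rules the source eNodeB adds after the address
// exchange: {SCTP, src signaling IP, dst signaling IP} and {UDP, src service IP,
// dst service IP}. Under a whitelist (Default Deny) nothing else gets through.
func X2Rules(srcSig, dstSig, srcSvc, dstSvc string) []Rule {
	return []Rule{
		{Proto: "SCTP", SrcNet: Host(srcSig), DstNet: Host(dstSig), DSCP: -1, Action: Permit},
		{Proto: "UDP", SrcNet: Host(srcSvc), DstNet: Host(dstSvc), DSCP: -1, Action: Permit},
	}
}
```

With `ACL{Rules: X2Rules(...), Default: Deny}` the two learned X2 streams pass and everything else, including TCP to the same addresses, is dropped; the same rule set with `Default: Permit` behaves as the blacklist variant.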
OMCH Security (Principles of SSL)

The SSL protocol was developed by Netscape and provides an encrypted and reliable connection between two computers. Its features are as follows:
1. Established over a reliable transport layer protocol (such as TCP).
2. Unrelated to the application layer protocol.
3. Negotiation of the encryption algorithms and the communication key, and authentication of the server, are finished before communication over the application layer protocol begins.
4. The upper application layer protocols (such as HTTP, FTP, and Telnet) are transparently established over the SSL protocol. All the data transported by the application layer protocols is encrypted, ensuring communication confidentiality.

SSL provides three security services:
Confidentiality protection: After the handshake protocol finishes negotiation of the session key, all messages are encrypted for transmission.
Integrity protection: Maintains data integrity and ensures that data is not tampered with during transmission.
Authentication: Authenticates a user and a server so that they are sure that data is sent to the correct client and server. Though client authentication during a session is optional, a server is always authenticated.
Principles of SSL (2)

[Figure: SSL protocol stack. Application layer protocol (HTTP, FTP, Telnet) over the SSL Handshake Protocol, Change Cipher Spec Protocol and SSL Alert Protocol, which run over the SSL Record Protocol, over TCP, over IP.]

SSL application scenarios:
SSL-based OMCH.
Local (or remote) FTPS connection to upload or download files.
Local (or remote) WebLMT sets up an HTTPS connection for operation and maintenance.

[Figure: OMCH, FTPS and HTTPS connections between the eNodeB and the local or remote maintenance endpoints.]
Security Configuration on eNodeB (1)

The transport-layer security configuration on the eNodeB consists of IPSec configuration and packet filtering configuration.

1. IPSec configuration
This configuration defines the data that requires IPSec, the authentication method, the data encryption algorithms, the key exchange methods, and the key encryption algorithms. The details are as follows:
ACLRULE defines an ACL rule, specifically the types of packets that require encryption protection.
ACL defines an ACL group. An ACL group contains one or more ACL rules.
IKECFG defines the eNodeB local parameters for IKE negotiation.
IKEPROPOSAL defines an IKE proposal that contains the encryption and negotiation algorithms used at the IKE negotiation stage.
IKEPEER defines the parameters exchanged between the eNodeB and the peer at the IKE negotiation stage.
IPSECPROPOSAL defines the encapsulation mode, authentication algorithm, and encryption algorithm used at the IPSec stage.
IPSECPOLICY defines the protection policy for IP packets that match the ACL rules.
IPSECBIND binds IPSec to physical ports.

2. Packet filtering configuration
This configuration defines the ingress and egress traffic permitted or denied by the eNodeB. The details are as follows:
ACL and ACLRULE define the admission rules for the packets.
PACKETFILTER binds the ACL to physical ports.
Security Configuration on eNodeB (2)

3. Configuration of digital certificates
This configuration defines the digital certificate used by IPSec for authentication.
Appcert defines the device certificate currently in use.
Trustcert defines the CA server certificate trusted by the eNodeB.
Crosscert defines the CA certificate trusted by the CA server that issues the device certificate to the eNodeB.
CRL defines the certificate revocation list.
CRLpolicy defines the CRL policy used by the eNodeB.
Certchktsk defines the certificate update method and policy.
Ca defines the configuration information on the CA server.
Certmk defines the device certificate that can be used by the eNodeB.
Certreq defines the parameters for generating a certificate request file.
For details, see the Transmission Security MOM Description.doc.
The security configuration information of the TMO network is described in the attached file.
Security Configuration on the SeGW

The security configuration on the security gateway varies slightly between vendors and is similar to the security configuration on the eNodeB described in the preceding pages.
The security configuration on the security gateway defines the data that requires IPSec, the authentication method, the data encryption algorithms, the key exchange methods, and the key encryption algorithms.
The attached file is about security configuration on the Symantec security gateway. The configuration commands vary substantially between vendors, so the attached file is for reference only.

DHCP server configuration
The security configuration on the DHCP server requires that option 43 contains the CA server information and the certificate path. For details, see the attached Requirement for the DHCP server.
Thank you
www.huawei.com
Copyright 2008 Huawei Technologies Co., Ltd. All Rights Reserved.
The information contained in this document is for reference purposes only, and is subject to change or withdrawal according to specific customer requirements and conditions.