SRAN11.1
Issue 02
Date 2016-05-26
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
5 Parameters
6 Counters
7 Glossary
8 Reference Documents
1.1 Scope
This document describes transmission security, including transport network overview as well
as transmission security solutions and features.
This document involves the following network elements (NEs):
- 3900 series base stations
- Base station controllers, including the BSC, RNC, and MBSC
- U2000
Unless otherwise specified, in this document, LTE, eNodeB, and eRAN always include both
FDD and TDD. The "L" and "T" in RAT acronyms refer to LTE FDD and LTE TDD,
respectively.
For definitions of base stations described in this document, see section "Base Station
Products" in SRAN Networking and Evolution Overview Feature Parameter Description.
SRAN11.1 02 (2016-05-26)
This issue includes the following changes.
SRAN11.1 01 (2016-02-29)
This issue does not include any changes.
2.1 IP Backhaul
This section describes transmission security solutions for IP backhaul. Figure 2-1 shows an
IP-based mobile backhaul network (IP backhaul) in which data is transmitted between a base
station and a base station controller.
2.2 Evolution
In TDM, ATM, or IP over E1 transmission mode, the transport network is generally dedicated
to transmitting radio services. Transmission links are designed to provide secure transmission,
without requiring additional security features. However, as the mobile broadband (MBB)
network develops, transport networks have evolved into all-IP-based systems, which are
completely open and easily accessible. As a result, transport networks transmitting
telecommunication services are subject to various security risks.
NOTE
Multi-plane security measures are required to protect radio equipment against security threats
and malicious attacks, and to provide secure communication over transport networks.
This chapter describes recommended transmission security solutions that meet transmission
security standards and operator requirements.
On a trusted network, the following strong authentication protocols are adopted to restrict
network access:
Figure 3-1 shows the logical networking for transmission security on a trusted network.
Table 3-1 describes the NEs involved in the transmission security solution for trusted
networks.
Table 3-1 NEs involved in the transmission security solution for trusted networks
NE                  Description
Table 3-2 describes the external interfaces involved in the transmission security solution for
trusted networks.
Table 3-2 External interfaces involved in the transmission security solution for trusted networks
External Interface  Description
SSL interface       The base station uses this interface to establish an SSL connection to a U2000.
802.1X interface    The base station uses this interface to perform 802.1X-based access control.
Clock packets can be transmitted over the user, control, or management plane. Clock packets can
be transmitted using the IP address for the user, control, or management plane of the base station.
- PKI
  The PKI system works with the base station to issue and manage certificates for
  authentication during 802.1X, IPsec, and SSL implementation. The base station complies
Figure 3-2 shows the logical networking for transmission security on an untrusted network.
Table 3-3 describes the NEs involved in the transmission security solution for untrusted
networks.
Table 3-3 NEs involved in the transmission security solution for untrusted networks
NE                    Description
AAA server            Uses digital certificates to implement 802.1X-based access control for base stations.
802.1X authenticator  A switch on the transport network that is enabled with access control based on 802.1X.
Table 3-4 describes the external interfaces involved in the transmission security solution
for untrusted networks.
Table 3-4 External interfaces involved in the transmission security solution for untrusted networks
External Interface  Description
IPsec interface     An interface used to establish IPsec tunnels between base stations and SeGWs.
4.1 Introduction
Transmission security features include IPsec, 802.1X, SSL, MACsec, and PKI-CMPv2. These
can be applied to the interfaces shown in Figure 4-1.
4.2 IPsec
Defined by the IETF, IPsec is a security framework that provides secure end-to-end data
transmission on untrusted networks, such as the Internet. On IP networks, IPsec provides
transparent, interoperable, and cryptography-based security services to ensure the
confidentiality, integrity, and authenticity of transmissions and to provide anti-replay
protection.
IPsec operates at the IP layer of the TCP/IP protocol stack and provides transparent security
services for upper-layer applications.
For details on IPsec, see IPsec Feature Parameter Description for SingleRAN.
4.3 802.1X
1. The base station accesses the network and begins an authentication procedure.
   Only 802.1X authentication packets can be transmitted over a port on authentication
   access equipment.
2. The authentication server authenticates the base station and authorizes the port.
   Data can be transmitted over the authorized port to ensure that only authorized users can
   access the network.
For details about access control based on 802.1X, see Access Control based on 802.1x
Feature Parameter Description for SingleRAN.
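The two-step port authorization above, modelled as an added example (not code from this document or from Huawei): an authenticator port passes only EAPOL frames until the AAA server accepts the base station's credential, after which data from that base station is forwarded while other stations stay blocked. The EtherType values are the real 802.1X and IPv4 ones; the MAC addresses, the credential bytes and the AAA decision function are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

EAPOL_ETHERTYPE = 0x888E  # IEEE 802.1X EAPOL: the only traffic allowed before authorization
IPV4_ETHERTYPE = 0x0800   # ordinary data traffic from the base station

@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes = b""  # for EAPOL frames: the credential presented to the AAA server

@dataclass
class AuthenticatorPort:
    """One port on the 802.1X authenticator (the 'authentication access equipment' of step 1)."""
    authorized: bool = False
    authorized_mac: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def admit(self, frame: Frame) -> bool:
        """Return True if the frame is forwarded onto the transport network."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            return True  # uncontrolled port: authentication packets always pass
        if self.authorized and frame.src_mac == self.authorized_mac:
            return True  # controlled port: open only for the authenticated supplicant
        self.log.append(f"dropped ethertype {frame.ethertype:#06x} from {frame.src_mac}")
        return False

    def authenticate(self, frame: Frame, aaa_accepts: Callable[[bytes], bool]) -> bool:
        """Step 2: hand the EAPOL-carried credential to the AAA server; authorize on success."""
        if frame.ethertype != EAPOL_ETHERTYPE:
            return False  # credentials are accepted only over the 802.1X channel
        if aaa_accepts(frame.payload):
            self.authorized, self.authorized_mac = True, frame.src_mac
            return True
        self.log.append(f"AAA rejected supplicant {frame.src_mac}")
        return False

def run_scenario(presented: bytes, valid: bytes = b"cert:bts-0001") -> dict:
    """Constructed scenario: the base station presents `presented`; the AAA server accepts only `valid`."""
    port = AuthenticatorPort()
    bts, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    return {
        "data_before_auth": port.admit(Frame(bts, IPV4_ETHERTYPE)),
        "eapol_before_auth": port.admit(Frame(bts, EAPOL_ETHERTYPE)),
        "authenticated": port.authenticate(Frame(bts, EAPOL_ETHERTYPE, presented), lambda c: c == valid),
        "data_after_auth": port.admit(Frame(bts, IPV4_ETHERTYPE)),
        "other_mac_after_auth": port.admit(Frame(other, IPV4_ETHERTYPE)),
    }
```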
4.4 SSL
SSL is a security protocol developed by Netscape. The latest standard version of SSL is
Transport Layer Security version 1.2 (TLSv1.2), which aims to provide authentication,
confidentiality, and integrity protection between two communicating applications.
- SSL operates between the TCP and application layers. It is established over reliable
  transport layer protocols but operates independently from application layer protocols.
- Before any communication using application layer protocols occurs, encryption
  algorithm negotiation, key negotiation, and server authentication must be completed.
- Application layer protocols such as HTTP, FTP, and Telnet can be transparently
  established over SSL. All data transmitted using the application layer protocols is
  encrypted to ensure confidentiality.
SSL can also be established between the base station or base station controller and the U2000
to protect O&M data and provide secure remote maintenance.
For more details about SSL, see SSL Feature Parameter Description for SingleRAN.
4.5 PKI
PKI uses an asymmetric cryptographic algorithm to provide information security. PKI
manages keys and digital certificates, while functionalities and interfaces related to PKI
comply with X.509 and 3GPP TS 33.310.
- CA
- RA (optional)
- Certificate & CRL database
- End entity
The certificate management system in a PKI uses the CMPv2 protocol to exchange
management information between NEs within it. CMPv2 provides the following functions:
- Certificate registration, application, and revocation
- Key update and recovery
- Cross-certification
- CA key update announcement
- Certificate issuance and revocation announcements
Using CMPv2, the base station and the PKI system exchange information to implement
certificate management (application, issuance, and update).
For more details about PKI, see PKI Feature Parameter Description for SingleRAN.
4.6 MACsec
MACsec ensures secure communication over an IEEE 802 LAN. MACsec specifically
provides user data confidentiality, data frame integrity check, and data origin authentication at
the MAC layer.
MACsec is used by default for base stations to protect data transmitted between
interconnected UMPTe boards.
5 Parameters
6 Counters
7 Glossary
8 Reference Documents
1. ITU-T X.800, "Security architecture for Open Systems Interconnection for CCITT
applications", March 1991
2. ITU-T X.805, "Security architecture for systems providing end-to-end communications",
October 2003
3. NGMN Alliance, "Security in LTE backhauling – A white paper", V1.0, February 2012
4. 3GPP TS 33.102 V11.3.0 (2012-06): "3G security; Security architecture"
5. 3GPP TS 33.210 V11.3.0 (2011-12): "3G security; Network Domain Security (NDS); IP
network layer security"
6. 3GPP TS 33.310 V10.5.0 (2011-12): "Network Domain Security (NDS); Authentication
Framework (AF)"
7. 3GPP TS 33.401 V11.4.0 (2012-06): "3GPP System Architecture Evolution (SAE);
Security architecture"
8. IETF RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005
9. IETF RFC 4306, "Internet Key Exchange (IKEv2) Protocol"
10. IPsec Feature Parameter Description
11. Access Control based on 802.1x Feature Parameter Description
12. SSL Feature Parameter Description
13. PKI Feature Parameter Description
14. MACsec Feature Parameter Description