Transmission Security Overview (SRAN11.1 - 02)

SingleRAN
SRAN11.1
Transmission Security Overview

Feature Parameter Description
Issue 02
Date 2016-05-26
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2016-05-26) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
SingleRAN
Transmission Security Overview Feature Parameter
Description Contents
Contents
1 About This Document.................................................................................................................. 1

1.1 Scope.............................................................................................................................................................................. 1
1.2 Intended Audience.......................................................................................................................................................... 1
1.3 Change History............................................................................................................................................................... 1
1.4 Differences Between Base Station Types....................................................................................................................... 2
2 Transport Network Overview..................................................................................................... 4

2.1 IP Backhaul.....................................................................................................................................................................4
2.2 Evolution........................................................................................................................................................................ 4
2.3 Security Requirements....................................................................................................................................................5
2.3.1 NDS/IP Dimensions Defined by 3GPP....................................................................................................................... 5
2.3.2 NDS/IP Mechanisms Defined by 3GPP...................................................................................................................... 5
3 Transmission Security Solutions................................................................................................6

3.1 On a Trusted Network.....................................................................................................................................................6
3.2 On an Untrusted Network...............................................................................................................................................7
3.3 Application Constraints.................................................................................................................................................. 9
3.3.1 Scenario 1: RAN Sharing............................................................................................................................................ 9
3.3.2 Scenario 2: Transmission on Public Networks............................................................................................................ 9
3.3.3 Scenario 3: Cascaded Base Stations.......................................................................................................................... 10
3.3.4 Scenario 4: Interconnected Base Stations..................................................................................................................10
3.3.5 Networking That Does Not Support the Transmission Security Solution.................................................................10
4 Transmission Security Features................................................................................................11

4.1 Introduction...................................................................................................................................................................11
4.2 IPsec..............................................................................................................................................................................11
4.3 Access Control Based on 802.1X................................................................................................................................. 12
4.4 SSL............................................................................................................................................................................... 12
4.5 PKI................................................................................................................................................................................12
4.6 MACsec........................................................................................................................................................................ 13
5 Parameters..................................................................................................................................... 14
6 Counters........................................................................................................................................ 15
7 Glossary......................................................................................................................................... 16
Issue 02 (2016-05-26) Huawei Proprietary and Confidential ii

SingleRAN
Description Contents
8 Reference Documents................................................................................................................. 17
Issue 02 (2016-05-26) Huawei Proprietary and Confidential iii

SingleRAN
Description 1 About This Document
1 About This Document
1.1 Scope
This document describes transmission security, including transport network overview as well
as transmission security solutions and features.
This document involves the following network elements (NEs):
l 3900 series base stations
l Base station controllers, including the BSC, RNC, and MBSC
l U2000
Unless otherwise specified, in this document, LTE, eNodeB, and eRAN always include both
FDD and TDD. The "L" and "T" in RAT acronyms refer to LTE FDD and LTE TDD,
respectively.
For definitions of base stations described in this document, see section "Base Station
Products" in SRAN Networking and Evolution Overview Feature Parameter Description.
1.2 Intended Audience

This document is intended for personnel who:
l Need to understand the features described herein
l Work with Huawei products
1.3 Change History

This section provides information about the changes in different document versions. There are
two types of changes:
l Feature change
Changes in features and parameters of a specified version as well as the affected entities
l Editorial change
Changes in wording or addition of information that was not described in the earlier
version
Issue 02 (2016-05-26) Huawei Proprietary and Confidential 1

SingleRAN
SRAN11.1 02 (2016-05-26)
This issue includes the following changes.
Change Change Description Parameter Change

Type
Feature None None

change
Editorial Added descriptions of the scenarios that do not None

change support the transmission security solution. For
details, see 3.3.5 Networking That Does Not
Support the Transmission Security Solution.
SRAN11.1 01 (2016-02-29)
This issue does not include any changes.
SRAN11.1 Draft A (2015-12-30)

Draft A (2015-12-30) of SRAN11.1 introduces the following changes to Issue 01
(2015-03-23) of SRAN10.1.
Change Change Description Parameter Change

Type
Feature Added the MACsec function, which protects None

change data transmitted between interconnected
UMPTe boards. For details, see 3.3.4 Scenario
4: Interconnected Base Stations and 4.6
MACsec.
Editorial None None

change
1.4 Differences Between Base Station Types

Feature Support by Macro, Micro, and LampSite Base Stations
The features described in this document are implemented in the same way on macro, micro,
and LampSite base stations.

SingleRAN
Function Implementation in Macro, Micro, CBS, and LampSite Base Stations

Function Difference
MACsec Macro and LampSite base stations support this function.

MACsec protects data transmitted between interconnected
UMPTe boards. UMPTe boards are not used in micro base
stations so micro base stations do not support this function.

SingleRAN
Description 2 Transport Network Overview
2 Transport Network Overview
2.1 IP Backhaul
This section describes transmission security solutions for IP backhaul. Figure 2-1 shows an
IP-based mobile backhaul network (IP backhaul) in which data is transmitted between a base
station and a base station controller.
Figure 2-1 IP backhaul network
2.2 Evolution
In TDM, ATM, or IP over E1 transmission mode, the transport network is generally dedicated
to transmitting radio services. Transmission links are designed to provide secure transmission,
without requiring additional security features. However, as the mobile broadband (MBB)
network develops, transport networks have evolved into all-IP-based systems, which are
completely open and easily accessible. As a result, transport networks transmitting
telecommunication services are subject to various security risks.
NOTE
This document only describes transmission security pertaining to Ethernet or IP networks.
Multi-plane security measures are required to protect radio equipment against security threats
and malicious attacks, and to provide secure communication over transport networks.

SingleRAN
Description 2 Transport Network Overview
2.3 Security Requirements

As indicated in 3GPP TS 33.210, Network Domain Security for IP based protocols (NDS/IP)
is recommended for transmission security.
2.3.1 NDS/IP Dimensions Defined by 3GPP

3GPP defines the following NDS/IP dimensions:
l Data integrity
This ensures data accuracy by protecting data against unauthorized modification,
removal, and creation, and providing evidence of these unauthorized activities.
l Data origin authentication
This ensures that the source of data received is as claimed.
l Anti-replay protection
This is a special type of integrity protection that safeguards packets from being
intercepted, modified, and then reinserted by a third party.
l Data confidentiality (optional)
This prevents eavesdropping by allowing only authorized entities to access and parse
data.
2.3.2 NDS/IP Mechanisms Defined by 3GPP

In NDS/IP, all network nodes are treated as IP nodes. NDS/IP in 3GPP networks uses
standard security procedures and mechanisms defined by IETF.
The network is divided into different security domains, which are isolated by security
gateways (SeGWs). The SeGWs perform routing and implement security policies for traffic
between these security domains. The NDS/IP mechanisms are as follows:
l Each security domain has one or more SeGWs in order to balance traffic load and to
prevent a single point of failure.
l IPsec authenticates the data source, checks data integrity, and ensures confidentiality.
l A typical security procedure is as follows:
– The base station establishes an IPsec tunnel.
– The base station transmits IPsec packets to the SeGW through the IPsec tunnel in
the IP backhaul.
– The SeGW receives and processes the IPsec packets.
l The base station uses public key infrastructure (PKI) or the pre-shared key (PSK) to
authenticate the identity of the peer end.

SingleRAN
Description 3 Transmission Security Solutions
3 Transmission Security Solutions
This chapter describes recommended transmission security solutions that meet transmission
security standards and operator requirements.
3.1 On a Trusted Network

A trusted network contains physically safe sites. Each site or transport network is managed by
a single organization and the operator running a site can strictly control access to it.
On a trusted network, the following strong authentication protocols are adopted to restrict
network access:
l Secure Sockets Layer (SSL)

SSL encryption is used to secure transmissions of operation and maintenance (O&M)
data between the base station and the U2000 or local maintenance terminal (LMT).
l 802.1X
The base station is authenticated based on 802.1X before it accesses the network.
Figure 3-1 shows the logical networking for transmission security on a trusted network.
Figure 3-1 Logical networking for transmission security on a trusted network
Table 3-1 describes the NEs involved in the transmission security solution for trusted
networks.

SingleRAN
Table 3-1 NEs involved in the transmission security solution for trusted networks
NE Description
Base station Supports SSL and 802.1X.
U2000 Configures and manages base stations.
Authentication, Authorization and Uses digital certificates to implement 802.1X-

Accounting (AAA) server based access control for base stations.
802.1X authenticator A switch on the transport network, which is

enabled with access control based on 802.1X
Table 3-2 describes the external interfaces involved in the transmission security solution for
trusted networks.
Table 3-2 External interfaces involved in the transmission security solution for trusted
networks
External Description
Interface
SSL interface The base station uses this interface to establish an SSL connection to
a U2000.
802.1X interface The base station uses this interface to perform 802.1X-based access
control.
3.2 On an Untrusted Network

An untrusted network contains physically unsafe sites. The sites or transport network may be
managed by multiple organizations and the operator running a site cannot strictly control
access to it.
On an untrusted network, IPsec and other security features are used to protect data on the user,
control, and management planes.
Transmission security solutions for untrusted networks are as follows:
l IPsec
In IPsec networking, an SeGW is deployed to terminate an IPsec tunnel on the core
network (CN) side. In addition to the IPsec tunnel solution, IPsec also provides secure
base station deployment and IPsec reliability solutions.
NOTE
Clock packets can be transmitted over the user, control, or management plane. Clock packets can
be transmitted using the IP address for the user, control, or management plane of the base station.
l PKI
The PKI system works with the base station to issue and manage certificates for
authentication during 802.1X, IPsec, and SSL implementation. The base station complies

SingleRAN
with Certificate Management Protocol v2 (CMPv2) and can be preconfigured with a

device certificate before delivery.
l SSL
SSL is used to encrypt O&M data transferred between the base station and the U2000 or
LMT.
l 802.1X
The base station is authenticated based on 802.1X before it accesses the network.
l Media Access Control security (MACsec)
MACsec is used to protect data transmitted between interconnected UMPTe boards.
Figure 3-2 shows the logical networking for transmission security on an untrusted network.
Figure 3-2 Logical networking for transmission security on an untrusted network
Table 3-3 describes the NEs involved in the transmission security solution for untrusted
networks.
Table 3-3 NEs involved in the transmission security solution for untrusted networks
NE Description
Base station l Uses an integrated firewall to prevent attacks.

l Supports VLAN configuration to isolate user, control, and
management planes.
If two base stations are connected to each other through the Ethernet ports
on UMPTe boards in two BBUs, the MACsec function protects data
transmitted between these Ethernet ports.
U2000 Configures and manages base stations.
AAA server Uses digital certificates to implement 802.1X-based access control for
base stations.
802.1X A switch on the transport network that is enabled with access control
authenticator based on 802.1X
SeGW l Terminates an IPsec tunnel.

l Uses an integrated firewall to prevent attacks to the CN.

SingleRAN
NE Description
PKI l Includes the certificate authority (CA), registration authority (RA),

and certificate revocation list (CRL) server.
l Manages digital certificates for NEs such as base stations and SeGWs.
l Table 3-4 describes the external interfaces involved in the transmission security solution
for untrusted networks.
Table 3-4 External interfaces involved in the transmission security solution for untrusted
networks
External Description
Interface
SSL A type of secure connection used by the base station to connect to a

interface U2000.
802.1X An interface used by the base station to implement access control

interface through an 802.1X authenticator.
IPsec An interface used to establish IPsec tunnels between base stations and
interface SeGWs.
PKI l CMPv2 interface

interface The base station sends requests through this interface to a CA or
RA to apply for, revoke, or update a digital certificate.
l LDAP/FTP interface
The base station uses this interface to download CRLs from a CRL
server.
UMPTe A port on a UMPTe board used to interconnect base stations.

interconnecti
on port
3.3 Application Constraints
3.3.1 Scenario 1: RAN Sharing

When RAN Sharing is in use, multiple IPsec tunnels must be established in order to isolate
and protect the data of each operator.
Different operators can use different certificates for authentication.
3.3.2 Scenario 2: Transmission on Public Networks

For transmission on public networks, IPsec tunnels must support NAT.

SingleRAN
3.3.3 Scenario 3: Cascaded Base Stations

When base stations are cascaded, each base station must be safeguarded using IPsec. It is
recommended that each base station possess an individual IPsec tunnel and that the hub base
station only perform forwarding.
3.3.4 Scenario 4: Interconnected Base Stations

MACsec is used to protect data transmitted between interconnected UMPTe boards in two
base stations.
3.3.5 Networking That Does Not Support the Transmission

Security Solution
If an FDD eNodeB is configured with two UMPT boards, IPsec tunnels using certificate-
based authentication can be established only between one UMPT board and an SeGW.

SingleRAN
Description 4 Transmission Security Features
4 Transmission Security Features
4.1 Introduction
Transmission security features include IPsec, 802.1X, SSL, MACsec, and PKI-CMPv2. These
can be applied to the interfaces shown in Figure 4-1.
Figure 4-1 Transmission security features
4.2 IPsec
Defined by the IETF, IPsec is a security framework that provides secure end-to-end data
transmission on untrusted networks, such as the Internet. On IP networks, IPsec provides
transparent, interoperable, and cryptography-based security services to ensure the
confidentiality, integrity, and authenticity of transmissions and to provide anti-replay
protection.
IPsec operates at the IP layer of the TCP/IP protocol stack and provides transparent security
services for upper-layer applications.
For details on IPsec, see IPsec Feature Parameter Description for SingleRAN.

SingleRAN
4.3 Access Control Based on 802.1X

802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard for port-based
network access control. Access control based on 802.1X involves the following NEs:
l Clients, such as base stations

l Authentication access equipment, such as a local area network (LAN) switch
l Authentication server, such as an AAA server
Access control based on 802.1X is implemented as follows:
1. The base station accesses the network and begins an authentication procedure.
Only 802.1X authentication packets can be transmitted over a port on authentication
access equipment.
2. The authentication server authenticates the base station and authorizes the port.
Data can be transmitted over the authorized port to ensure that only authorized users can
access the network.
For details about access control based on 802.1X, see Access Control based on 802.1x
Feature Parameter Description for SingleRAN.
4.4 SSL
SSL is a security protocol developed by Netscape. The latest standard version of SSL is
Transport Layer Security version 1.2 (TLSv1.2), which aims to provide authentication,
confidentiality, and integrity protection for two communication applications.
SSL enables an end-to-end secure connection to be established between two pieces of

equipment. The details are as follows:
l SSL operates between the TCP and application layers. It is established over reliable
transport layer protocols but operates independently from application layer protocols.
l Before any communication using application layer protocols occurs, encryption
algorithm negotiation, key negotiation, and server authentication must be completed.
l Application layer protocols such as HTTP, FTP, and Telnet can be transparently
established over SSL. All data transmitted using the application layer protocols is
encrypted to ensure confidentiality.
SSL can also be established between the base station or base station controller and the U2000
to protect O&M data and provide secure remote maintenance.
For more details about SSL, see SSL Feature Parameter Description for SingleRAN.
4.5 PKI
PKI uses an asymmetric cryptographic algorithm to provide information security. PKI
manages keys and digital certificates, while functionalities and interfaces related to PKI
comply with X.509 and 3GPP TS 33.310.
A PKI system consists of the following elements:

SingleRAN
l CA
l RA (optional)
l Certificate & CRL database
l End entity
The certificate management system in a PKI uses the CPMv2 protocol to exchange
management information between NEs within it. CMPv2 provides the following functions:
l Certificate registration, application, and revocation
l Key update and recovery
l Cross-certification
l CA key update announcement
l Certificate issuance and revocation announcements
Using CMPv2, the base station and the PKI system exchange information to implement
certificate management (application, issuance, and update).
For more details about PKI, see PKI Feature Parameter Description for SingleRAN.
4.6 MACsec
MACsec ensures secure communication over an IEEE 802 LAN. MACsec specifically
provides user data confidentiality, data frame integrity check, and data origin authentication at
the MAC layer.
MACsec is used by default for base stations to protect data transmitted between
interconnected UMPTe boards.

SingleRAN
Description 5 Parameters
5 Parameters
There are no specific parameters associated with this feature.

SingleRAN
Description 6 Counters
6 Counters
There are no specific counters associated with this feature.

SingleRAN
Description 7 Glossary
7 Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.

SingleRAN
Description 8 Reference Documents
8 Reference Documents
1. ITU-T X.800, "Security architecture for Open Systems Interconnection for CCITT
applications", March 1991
2. ITU-T X.805, "Security architecture for systems providing end-to-end communications",
October 2003
3. NGMN Alliance, "Security in LTE backhauling – A white paper", V1.0, February 2012
4. 3GPP TS 33.102 V11.3.0 (2012-06): "3G security; Security architecture"
5. 3GPP TS 33.210 V11.3.0 (2011-12): "3G security; Network Domain Security (NDS); IP
network layer security"
6. 3GPP TS 33.310 V10.5.0 (2011-12): "Network Domain Security (NDS); Authentication
Framework (AF)"
7. 3GPP TS 33.401 V11.4.0 (2012-06): "3GPP System Architecture Evolution (SAE);
Security architecture"
8. IETF RFC 4303, "IP Encapsulating Security Payload (ESP)", December 2005
9. IETF RFC 4306, "Internet Key Exchange (IKEv2) Protocol"
10. IPsec Feature Parameter Description
11. Access Control based on 802.1x Feature Parameter Description
12. SSL Feature Parameter Description
13. PKI Feature Parameter Description
14. MACsec Feature Parameter Description


Transmission Security Overview (SRAN11.1 - 02)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Transmission Security Overview (SRAN11.1 - 02)

Uploaded by

Copyright:

Available Formats

SingleRAN

Transmission Security Overview

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 02 (2016-05-26) Huawei Proprietary and Confidential i

1 About This Document.................................................................................................................. 1

2 Transport Network Overview..................................................................................................... 4

3 Transmission Security Solutions................................................................................................6

4 Transmission Security Features................................................................................................11

Issue 02 (2016-05-26) Huawei Proprietary and Confidential ii

Issue 02 (2016-05-26) Huawei Proprietary and Confidential iii

1 About This Document

1.2 Intended Audience

1.3 Change History

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 1

Change Change Description Parameter Change

Feature None None

Editorial Added descriptions of the scenarios that do not None

SRAN11.1 Draft A (2015-12-30)

Change Change Description Parameter Change

Feature Added the MACsec function, which protects None

Editorial None None

1.4 Differences Between Base Station Types

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 2

Function Implementation in Macro, Micro, CBS, and LampSite Base Stations

MACsec Macro and LampSite base stations support this function.

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 3

2 Transport Network Overview

Figure 2-1 IP backhaul network

This document only describes transmission security pertaining to Ethernet or IP networks.

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 4

2.3 Security Requirements

2.3.1 NDS/IP Dimensions Defined by 3GPP

2.3.2 NDS/IP Mechanisms Defined by 3GPP

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 5

3 Transmission Security Solutions

3.1 On a Trusted Network

l Secure Sockets Layer (SSL)

Figure 3-1 Logical networking for transmission security on a trusted network

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 6

Base station Supports SSL and 802.1X.

U2000 Configures and manages base stations.

Authentication, Authorization and Uses digital certificates to implement 802.1X-

802.1X authenticator A switch on the transport network, which is

3.2 On an Untrusted Network

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 7

with Certificate Management Protocol v2 (CMPv2) and can be preconfigured with a

Figure 3-2 Logical networking for transmission security on an untrusted network

Base station l Uses an integrated firewall to prevent attacks.

U2000 Configures and manages base stations.

SeGW l Terminates an IPsec tunnel.

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 8

PKI l Includes the certificate authority (CA), registration authority (RA),

SSL A type of secure connection used by the base station to connect to a

802.1X An interface used by the base station to implement access control

PKI l CMPv2 interface

UMPTe A port on a UMPTe board used to interconnect base stations.

3.3 Application Constraints

3.3.1 Scenario 1: RAN Sharing

Different operators can use different certificates for authentication.

3.3.2 Scenario 2: Transmission on Public Networks

Issue 02 (2016-05-26) Huawei Proprietary and Confidential 9