Training Doc - Introduction To LTE ERAN2.1 Transmission Solution-20110426-A-1.0

Security Level: Internal use
Introduction to LTE eRAN2.1

Transmission Solution
www.huawei.com
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Foreword
This document describes the LTE eRAN2.1 transmission solution to

help users better understand the principles of LTE transmission
network.
eRAN2.1 is an enhanced version and has the following new features:
 Enhanced QoS: PIR/CIR.

 Enhanced security solution.
1. Self-setup of ACL packet filtering over an X2 interface
during ANR
2. Security PnP
3. CMPV2 certificate management
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page2

References
• Transmission Security MOM Description

• Security Feature Parameter Description
• Principles and Practice of PKI
• Principles and Fundamentals of Digital Certificates and SSL
• Requirement for DHCP SERVER

Training Objectives
• After completing this course, you should be able to:

 Understand the LTE eRAN2.1 transmission solution.
 Understand the networking solution for LTE eRAN2.1 transmission

security.
 Know principles of transmission security.

Contents
1. LTE Transmission Network - Interfaces
2. LTE Transmission Network - QoS
3. LTE Transmission Network - Reliability
4. LTE Transmission Network - Fault Detection
5. LTE Transmission Network - Security

Interfaces of the LTE Transmission Network
S11
MME S-GW
S1
S1-C
-C -U
S1-U
S1
Clock server
OAM
X2 (X2-C, X2-U)
eNodeB eNodeB
 An LTE network has two protocol interfaces:

 S1 interface
 X2 interface
 The LTE transmission data includes the following:
 Data over S1 interface, including data of the S1 control plane (S1-C) and data
of the S1 user plane (S1-U).
 Data over X2 interface, including data of the X2 control plane (X2-C) and the
X2 user plane (X2-U).
 OAM data.
 Clock synchronization data.
 Note: S11 interface is part of the core network and is not described in this course.
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 6

Contents

LTE E2E QoS Solution
QCI VLAN priority/layer2 DSCP/layer3 VLAN priority/layer2 QCI
eNodeB
Router MME/S-GW
Router IP network Ethernet
eNodeB Ethernet DiffServ

IP DiffServ
bottleneck bottleneck bottleneck bottleneck
Shaping
A transport path is a pipe model. A pipe has bottlenecks prone to congestion. The end nodes should support traffic shaping to
prevent the traffic data from being discarded at the congested places.
1. QoS Mapping
• Traffic QoS: user plane (based on QCI, GBR, Non-GBR), signaling, IP clock, and OAM.
• IP layer: DSCP mapping, DiffServ.
• Data link layer: Ethernet QoS (IEEE802.1P/Q).
2. Traffic shaping
• Logical port shaping
• Physical port shaping
MPLS: Multi Protocol Label Switching ~ SDSCP: Differentiated Service Code Point ~ CoS: Class of Service

QoS Mapping
• QoS relevant concepts
1. QCI: QCI is an important QoS concept introduced to LTE and defines QoS class and
important quality parameters, such as priority, packet delay budget, and packet error rate.
2. DSCP and VLAN priority (P-bit): A concept about packet priority defined by a
transmission network. DSCP is at the IP layer and VLAN priority is at the link layer.
 LTE QoS Mapping

1. Mapping from the control plane, user plane, and OM to DSCP.
2. Mapping from service at the user plane to QCI, where QCI is extensible.
3. Mapping from QCI at the service plane to IPPATH (optional).
4. Mapping from DSCP to VLAN priority.
QCI Resourc Priority Packet Packet Example Services

e Type Delay Error Loss
Budget Rate
1 2 100 ms 10-2 Conversational Voice
2 4 150 ms 10-3 Conversational Video (Live Streaming)
GBR
23.203 defines nine QCIs and 3 3 50 ms 10-3 Real Time Gaming
4 5 300 ms 10-6 Non-Conversational Video (Buffered Streaming)
supports QCI extension. Beginning
5 1 100 ms 10-6 IMS Signaling
from eRAN2.1, Huawei supports
6 Video (Buffered Streaming)
extended QCI. 6 300 ms 10-6 TCP-based (e.g., www, e-mail, chat, ftp, p2p file
sharing, progressive video, etc.)
7 Non- Voice,
GBR 7 100 ms 10-3 Video (Live Streaming)
Interactive Gaming
8
8 Video (Buffered Streaming)
300 ms 10-6 TCP-based (e.g., www, e-mail, chat, ftp, p2p file
9 9 sharing, progressive video, etc.)

QoS Mapping
Mapping from service types and DSCPs to VLAN priorities.
MML Command to VLAN Pri

Service Type DSCP DSCP VLAN
Configure DSCP
QCI1 0x2E 46 SET DIFPRI USERDATA 5
QCI2 0x1A 26 SET DIFPRI USERDATA 3
Nine QCI4 0x22 26 SET DIFPRI USERDATA 3
service QCI5 0x2E 46 SET DIFPRI USERDATA 5
types QCI6 0x12 18 SET DIFPRI USERDATA 2
QCI7 0x12 18 SET DIFPRI USERDATA 2
QCI9 0 0 SET DIFPRI USERDATA 0
SCTP 0x2E 46 SET DIFPRI SIG 5
MML 0x2E 46 SET DIFPRI OM_H 5
OM
FTP 0x0E 14 SET DIFPRI OM_L 1
1588V2 0x2E 46 SET DIFPRI USERDATA 5
IP clock HW- 46 USERDATA 5
0x2E SET DIFPRI
DEFINED
Depending on
BFD Manual Configuration ADD BFDSESSION USERDATA
actual situation
IKE 0x30 48 Built-in, unchangeable USERDATA 5
ADD IPPMSESSION USERDATA Depending on
IPPM Manual Configuration
actual situation
Ping packet 0x3F 63 PING USERDATA 7
No need to configure. 0
The DSCP of the
eNodeB response
packets is the DSCP of
Ping (response packet) 0 0 the peer ping packet. By USERDATA
default the DSCP of the
ping command of the
transmission network
and core network is 0.
ARP No DSCP value No need to configure OTHER 5

eNodeB Traffic Shaping and Scheduling
eNodeB Two Level Shaping
Queues Queues Queues
AF AF AF AF AF AF AF AF AF AF AF AF
EF BE EF BE EF BE
4 3 2 1 4 3 2 1 4 3 2 1
Level 1 shaper
Logical Logical Logical
interface1 interface2 interface3
IP Scheduler
Level 2 shaper
GE/FE
Interface
IP/Ethernet
Transport Network
eNode B2
eNode B1 SGW/MME
• The eNodeB GE/FE interfaces support two levels of shaping: physical port shaping and logical port shaping. Each logical port shaping contains eight queues.
• The need for two levels of queues is to differentiate operators, that is, to support eRAN sharing.
 The parameters of a logical port include committed information rate (CIR), PIR and scheduling weight.
 The logical ports can share the bandwidth of the physical ports.

PIR/CIR
PIR: Peak Information Rate;
CIR: Commit Information Rate;
PIR
CBS: Committed Burst Size;
EBS: Excess Burst Size;
CIR PBS: Peak Burst Size;
• In versions earlier than eRAN2.1, eNodeB supports the single-rate tri-color markup algorithm, shortened as
srTCM (CIR, CBS, and EBS) for the traffic shaping, in compliance with RFC2697.
• In eRAN2.1, eNodeB supports dual-rate tri-color markup algorithm, shorten as trTCM (CIR, CBS, PIR, PBS)
in compliance with RFC2698. PIR/CIR refers to the trTCM algorithm.
• The transport admission algorithm of eNodeB is affected by this algorithm. The admission of GBR services is
controlled by CIR, whereas the admission of non-GBR services is controlled by PIR. The purpose is to
guarantee the quality of high priority GBR services.
• eNodeB supports two levels of traffic shaping, namely logical port shaping and physical port limited rate. In
eRAN2.1, logical ports support PIR/CIR.
• This function can be used by the eRAN sharing scenario. As illustrated by the following figure, the CIR traffics
of different operators do not share the physical bandwidth, whereas the PIR traffics do.
OperatorB CIR
OperatorB PIR
Total Bandwidth
OperatorA PIR
OperatorA CIR

Contents

Reliability
Redundancy: eNodeB and backhaul network provide different redundancy solutions for
the backhaul design. This inevitably includes port redundancy and board redundancy.
The main reliability solution of eRAN2.1 is port (channel) redundancy. The board
redundancy is LMPT cold standby.
End-to-end redundancy S-GW/MME

(S1 interface)
Work path
eNode B
Transport
Backhaul Traffic flow protection layer
Backhaul
Transport Traffic flow protection transport network
transport network Control User Plane Network
layer Protection
Control User Clock OAM Plane layer
Network Plane Plane data data path
layer Data link
Board Port layer
Data link
layer Work path Backhaul Work path redundancy redundancy PHY layer
Port Board Backhaul
transport network Protection path
PHY layer redundancy redundancy Protection path transport network
OAM Clock Server

Segment-by-segment redundancy backup (optional)

Overview of the Reliability Solution
route backup:
active route + backup route
GE Router
eNodeB
IP/MPLS GE
Network
GE
S-GW/MME
eNodeB
Ethernet
GE
S-GW Pool
S/R
eNodeB S-GW S-GW
Switch/router
S-GW MME Pool
Ethernet Trunk MME
MME
MME
S1-flex
1. Reliability solution: S1-flex, channel backup
(3s), IP route backup, and Ethernet link eNodeB eNodeB
eNodeB
eNodeB eNodeB
eNodeB
aggregate. E-UTRAN eNodeB eNodeB
2. Fault detection mechanisms: BFD (100 ms),
Ethernet OAM (100 ms).
BFD - Bidirectional Failure Detection; ARP - Address Resolution Protocol.

Summary of the Reliability Functions
Protocol Transmission Reliability Transmission Maintenance and Detection
Redundancy Protected Maintenance Time
Layer Mechanism Object Mechanism
Application OM channel OM channels OM handshake Proprietary handshake

backup protocol protocol: 3–5s
Layer
Transport SCTP multi- S1/X2 SCTP protocol Heartbeat check and
homing channels detection retransmission check:
Layer Handover can be
finished in 5s by
parameter settings.
BFD detection 100 ms. Parameters are
configurable.
Network IP route Routes, links BFD detection 100 ms. Parameters are
backup configurable.
Layer Physical port ms
detection
Data Link Ethernet Port Links, IEEE 802.3ah 3s
Trunk Ethernet ports detection
Layer IEEE 802.1ag 1s
detection
Physical None None Physical port ms
detection
Layer

OMCH Backup
1. The OMCH backup function is used only in the scenario of M2000 remote HA.
2. The OMCH backup function is used when the OM channel passes the Ethernet. The eNodeB
configures two different OM IP addresses for the active and standby OM channels, and
M2000 configures the same or different IP addresses.
3. The OMCH backup function uses two physical ports for higher reliability. Preferentially the
active and standby OM IP addresses are in different network segments. In this way, the
OMCHs are over different routes, providing higher reliability at higher cost.
4. When the active OMCH is down, the M2000 automatically delivers a switchover command
and, upon receipt of the command, the eNodeB switches to the standby OMCH. When the
active OMCH is down, the active/standby switchover takes a minimum of six minutes. The
following figure illustrates the OMCH backup function.

SCTP Multi-Homing
• Each end of an SCTP link binds N IP addresses for
redundancy, where N is greater than 2.
• Two IP addresses are configured for SCTP dual-homing,
the first of which is the primary IP address and the second is
the standby IP address. The two routes of the dual homing
are active and standby. An SCTP link is established on
boards and no port is specified.
• The two IP addresses can be in the same interface or in
different interfaces of the same board. It is recommended to
use the same interface for the two IP addresses.
• This function needs to negotiate and work with the core
network. Therefore this function is not actively recommended
to customers.
• This function does not support cross-route.
An SCTP link is identified by four parameters:

local IP, local SCTP port number, peer IP, and
peer SCTP port number.
The difference between SCTP multi-homing
and OMCH backup is as follows: In SCTP
multi-homing, the slave path automatically
switches to the master path when the master
path is recovered; in OMCH backup, the
M2000 switches to the active OMCH after it
detects that the standby OMCH is down.

IP Route Backup
IP route backup means that multiple routes are configured for the same destination. The
route of the highest priority is the primary route and other routes of lower priority are backup
routes. The physical connection of each route is different. When the primary route is faulty,
eNodeB performs active/standby switchover and select a backup route to avoid service
interruption. When the primary link is recovered, eNodeB automatically switches to the primary
route.
//Add IP address of Ethernet port 0

ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=0,IP="11.11.11.11",MASK="255.255.255.0";
//Add IP address of Ethernet port 1
ADD DEVIP:SN=7,SBT=BASE_BOARD,PT=ETH,PN=1,IP="12.12.12.12",MASK="255.255.255.0";
//Add master IP route (Route backup is used between the eNodeB and SeGW.)
ADDIPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="11.11.11.10",PREF=
50,DESCRI="Master IP Route";
//Add slave IP route
ADDIPRT:SN=7,SBT=BASE_BOARD,DSTIP="13.13.13.13",DSTMASK="255.255.255.0",RTTYPE=NEXTHOP,NEXTHOP="12.12.12.10",PREF=
60,DESCRI="Slave IP Route";
The eNodeB needs to provide two DEVIPs that are in different network segments. (With only one DEVIP, route backup cannot be configured.)

Ethernet Link Aggregation
• Ethernet link
aggregation means that
multiple physical ports
aggregate into one logical
path to increase the
bandwidth between
switches and eNodeBs
and to provide more
bandwidth, more
throughput, and higher
network capacity.
• This function requires

that the peer transport
device also supports this
function, which ordinary
routers do.
•Trunk No. is the unique

number of the aggregate
group.
•Port priority: The lower

the value, the higher the
priority.

Contents

Link Fault Detection
• Network management quality

• QoS monitoring
• Fault detection
• Fault location and quick recovery
• Two scenarios
• End to End maintenance
• Seg by Seg maintenance
Seg-by-Seg
Transport Transport
GE/FE device device
Transport GE/FE
eNode B
network
End-to-end S-GW/MME
/FE
(X2 interface) GE eg
-S Seg-by-Seg
b y
g-
Se
eNode B
End-to-end (S1 interface)

Maintainability Solution
IP CORE
Performance
counter
802.3ah
802.1ag
BFD single hop

Multi-hop BFD
IPPM
 Access link maintenance: IEEE802.3ah

 Connectivity maintenance: IEEE802.1ag
 Application layer maintenance: BFD, IPPM, and IPPATH check

IPPATH Check
It is recommended to disable this function in ordinary situations.

IP Performance Monitoring (1)
 Function: IP performance monitoring (IP PM) monitors the transport quality between eNodeB
and S-GW and check the transport performance parameters, including the number of packets
sent and received, packet loss rate, one-way delay variation, and round-trip delay variation.
 Strength: Provides transport KPI and works with the dynamic transport flow control to avoid the
impact of dynamic transport bandwidth variation on QoS.
 Weakness: The more IP PM sessions are activated, the more accurate the congestion is
determined and the more resources are consumed.
 Requirement for the devices: IPPM is Huawei proprietary and requires support from the eNodeB
and the core network. IPPM requires that the DSCP value of the transmission network is the
same as that of the eNodeB and core network and cannot be changed. Otherwise, activating the
IPPM fails.
 Applicable scenario: IP PM is recommended in the scenario that the core network consists of
Huawei equipment, particularly if the IP transmission has to pass poor-quality ADSL lines that
have high packet loss rate, unstable line rates, or large bandwidth variation.

IP Performance Monitoring (2)
 External congestion check: IP PM checks in real time the packet loss of a user data path,
calculates the packet loss rate of the path, and dynamically adjusts the logical port bandwidth for
dynamic admission control of the transport bandwidth and flow control, avoiding packet loss
caused by congestion of the transmission network.
Max bandwidth ：100Mbps
bottleneck：30Mbps 1. detect
To enable bidirectional link

2. calculate the bottleneck
check, set up a PM session
in the A > B direction and a
MME/SGW eNodeB
Bandwidth change PM session in the B > A
3. Transport Dynamic
Flow Control direction.
This figure shows adaptive flow control based on IP PM. The dotted lines indicate bandwidth
variation of the IP/Ethernet transmission network. The IP PM between S-GW/MME and eNodeB
checks the variation of the transmission network performance, including delay, jitter, and packet
loss rate, and estimates the minimum end-to-end available transmission bandwidth. The eNodeB
sends the available bandwidth information to the flow control module who adjusts the data flow to
the transmission network to reduce the packet loss rate and to increase the bandwidth utilization of
the transmission network.

Bidirectional Forwarding Detection (BFD)
 Function: Fast fault detection of any types of channels. Detects the connectivity of the same
path (physical or logical links) between two systems. Used by all protocols at layer two or
higher layers. eNodeB implements BFD over UDP.
 Strength: Fault detection for IP routes. Quick detection in 100 ms.

 Requirement on the device: At present the eNodeB supports BFD version 1; the peer device
should also support BFD version 1. If the peer device does not support BFD version 1, this
function cannot be used.
 Both ends start BFD simultaneously. The detection duration of both ends should be consistent.
 Recommended scenarios
 Segment-by-segment BFD (SBFD): Used in point-to-point detection of network faults,
applicable to detection of direct connection between two points of the same network segment.
 Multi-hop BFD (MBFD): Used in end-to-end detection of network faults, applicable to two ends
that have multiple routing nodes in between.

Segment-by-Segment BFD and Multi-Hop BFD
 SBFD: Used in fault detection between an eNodeB and a transmission device at L3, or between an S-GW/MME
and a transmission device. Used to locate a fault or to trigger switchover of protection paths between an eNodeB
and a transmission device, or between an S-GW/MME and a transmission device.
SBFD does not traverse an L3 transmission device.
 MBFD: Used for detection between eNodeBs, between an eNodeB and an SGW, and between an eNodeB and a
remote transmission device. Used to locate a fault or to trigger switchover of protection paths between two ends to
ensure network reliability.

BFD
 +++ HUAWEI 2010-07-08 15:37:15 O&M #62147 %%ADD BFDSESSION: SN=7, BFDSN=0,
SRCIP=“10.141.225.226”, DSTIP=“10.69.23.24”, HT=MULTI_HOP;%% RETCODE = 0 Operation succeeded

IEEE802.3ah and IEEE802.1ag
•Ethernet OAM is implemented by two protocols. IEEE 802.1ag highlights end-
to-end Ethernet link OAM and IEEE 802.3ah highlights segment-by-segment
Ethernet OAM (concerning the user side only and not the network side). The two
work together to provide complete Ethernet OAM solution.
•The following figure shows the position of the Ethernet OAM.

IEEE802.3ah and IEEE802.1ag
•Link performance Strength: Highlights segment- The peer equipment
monitoring by-segment Ethernet fault needs to support
IEEE 802.3ah •Fault detection monitoring (concerning only user IEEE 802.3ah.
•Loopback test side, not network side).
•Connectivity Strength: Highlights end-to- The transmission
check end Ethernet link faulty equipment needs to
IEEE 802.1ag •Loopback test monitoring support IEEE
•Link follow-up 802.1ag.
test

Contents

eNodeB Security Architecture
The security architecture contains three
parts:
1. Security threats: Potentially existing damages

that may affect normal system running.
2. Security measures: Methods to protect system
security.
3. Security system: Target protected by the
security measures and here refers to eNodeB.
A security system contains radio plane,
transmission plane, equipment plane, and OAM
plane.
No. Threatened Threat Type Security System
Object
Stealing eNodeB hardware. Equipment
Security threats 1 eNodeB
Obtaining important information from
eNodeB.
security
Loading invalid versions or illegally
controlling eNodeB.
DoS (Denial of Service) attack.
Eavesdropping Uu interface signal to obtain Radio security
2 important user information.
Uu interface Mimicking Uu interface signaling to forge
user access.
Eavesdropping data from the transmission Transmission
network to obtain important user security
3 S1 interface information.
Intercepting data of the transmission
network to tamper with the data.
4 X2 interface The same as the S1 interface Transmission
security
Intercepting important information sent by
eNodeB and transferred by OM interface.
5 OM interface Deleting
eNodeB
or stealing important data from OAM security
Logging in to, controlling, and operating
eNodeB illegally.
6 Clock server Attack of eNodeB from the illegal clock OAM security
source.
Five security threat types are defined. See Remark.

Security Measures
Tailored to the security threats, ITU-T X.805 identifies and defines eight security measures:
1. Access control: Prevents equipment from being illegally used and allows only authorized users to access the
protected content (equipment, information, services). For example, only authorized users can gain access to eNodeB by
the OM interface.
2. Authentication: Authenticates the identity of a communication entity and allows entities of valid identity to set up
communications.
3. Non-repudiation: Prevents an entity from denying an operation by evidences (such as operation logs). For example,
an operation log records each operation on the eNodeB.
4. Data confidentiality: Uses encryption to prevent data from being disclosed.
5. Communications security: Information is transmitted only between authenticated entities to prevent disclosure or
falsification of the data during communications.
6. Data integrity: Ensures data correctness, prevents illegal change, deletion, generation, or replication of data, and
identifies unauthorized operations.
7. Availability: Ensures that the system works and that services are not interrupted as a result of an illegal operation.
8. Privacy: Protects keys, identity information, and equipment or network activity information, such as log information.
Security System
Transmission security Equipment security OM security
Transmission PNP
security policy Simple firewall function OM channel security
1.IPSEC
2.802.1x 1. ACL 1. SSL

2. Interface
Certificate management security
management
PKI /CMPV2
This course describes transmission security.

Transmission Security Mechanism
PKI system
SeGW
CRL Server CA
IPSec
Access network Core network

802.1X
eNodeB SAE
RADIUS IPCLK M2000
IPSec
802.1X
The eNodeB uses 802.1x (EAP-TLS)-based authentication access control and

IPSec to ensure transmission security.
1. The 802.1X-based authentication access control ensures that the eNodeB

gains access to the transmission network by the legal process.
2. IPSec provides security mechanism for the eNodeB in the all-IP scenario to
ensure transmission confidentiality, completeness, authentication, and
replay-resistance.
802.1X and IPSec provide transmission security protection at different layers. A

user can use them together or separately.

802.1x Access Authentication
The MAC address of the eNodeB is authenticated to prevent unauthorized equipment

from gaining access to the transmission network.
The 802.1x access control sends the digital certificate of the eNodeB to the RADIUS
server over the EAPoL; the RADIUS server authenticates the eNodeB identity by
using the Huawei CA root certificates configured on the server.

Principles of IPSec (1/3)
IPSec is an open standards framework structure. The IPSec protocol suite includes
ESP/AH, IKE, DPD, and encryption algorithms.
1. Security protocols
AH refers to authentication header and provides data integrity check. AH
is applicable for transmitting non-confidential data.
ESP refers to encapsulating security payload and provides data integrity
check and encryption. ESP is applicable for transmitting confidential data.
2. Packet encapsulation methods
Transport mode: Provides protection for the payload and upper-layer
protocols of the IP data packets. In transport mode, the IPSec header (AH
and/or ESP) is inserted after the IP header and before upper-layer
protocols.
Tunnel mode: Provides security protection for the original IP data
packets. In tunnel mode, the original IP data packets are encapsulated into
a new IP data packet; the IPSec header (AH and/or ESP) is inserted
between the new IP header and original IP header. The security of the
original IP header is protected by IPSec as part of the payload.

Transfer Mode IP Header AH Header TCP/UDP Data
Format of the AH packet with
different Encapsulation Mode The Range of AH Authentication
Tunnel Mode New Header AH Header IP Header TCP/UDP Data
The Range of AH Authentication
The Range of ESP

Encryption
Transfer Mode IP Header ESP Header TCP/UDP Data ESP Tail ESP Auth
Format of the ESP The Range of ESP

Authentication
packet with different
Encapsulation Mode The Range of ESP Encryption
Tunnel Mode New Header ESP Header IP Header TCP/UDP Data ESP Tail ESP Auth
The Range of ESP Authentication

The Range of ESP Encryption
IP Header TCP/UDP Data ESP Tail ESP Auth Transport

AH Header ESP Herder
Mode
Format of packet using The Range of ESP Authentication
both protocols with
different Encapsulation
Mode
The Range of ESP Encryption
New Header AH Header ESP Header IP Header TCP/UDP Data ESP Tail ESP Auth
Tunnel
The Range of ESP Authentication Mode

3. Integrity check
In integrity check, Hash function is used to accept message input of any length and to generate
message digest of fixed length. The two communicating entities calculate and compare the
digest to determine whether the packets are complete and are not tampered with.
•MD5
•SHA-1
4. Data encryption
An encryption algorithm uses symmetric cryptography to encrypt and decrypt data.
•NULL: Null encryption algorithm, no encryption of IP packets.
•DES (Data Encryption Standard): Uses a 56-bit key to encrypt a 64-bit plaintext block.
•3DES: Uses three 56-bit DES keys (totaling 168 bits) to encrypt plaintext.
•AES (Advanced Encryption Standard): AES has three key lengths: 128 bits, 192 bits, and 256
bits. The longer the key, the higher the security and the slower the calculation.
5. IKE (Internet key exchange)
IKE is used for key negotiation, identity authentication, and IPSec SA negotiation.
6. Key exchange algorithm
In IKE, two communicating entities calculate the shared key by a series of data exchange
without transferring the key. Even if a third-party intercepts all the exchanged data for
calculating the key, this party cannot calculate the key. The core technology is DH (Diffie
Hellman) algorithm and pseudorandom functions.
7. Authentication
•Pre-shared key (PSK)
•Digital certificate (PKI)
8. ACL
ACL refers to access control list. The IPSec filter matches the ACL configured by the user with
the 5-tuple of the data stream to identify which packets need encryption.

IPSec Application Scenarios
Scenario 1: An IPSec tunnel is set up between the eNodeB and the SeGW.
The S1 data stream, X2 data stream, and OAM data stream are protected by
the IPSec tunnel (main scenario).
Scenario 2: An IPSec tunnel is set up between eNodeB X2 interfaces.
Scenario 3: An IPSec tunnel is set up between the S1 interfaces of eNodeB
and MME/S-GW.
Typical IPSec networking

Redundancy with two SeGW PKI system
SeGW
CRL Server CA
eNodeB
eNodeB
Access Core network

network SAE S1
X2
SeGW
OAM
eNodeB
SeG SYN
eNodeB W IPCLK M2000
eNodeB
Centralized
None Security Security
zone zone eNodeB Distributed
The IPSec networking needs to consider three factors: security domain, protected stream, and configuration mode (see Remarks).

Intelligent PNP Process: eNodeB Security
Startup with Digital Certificates
SeGW 5 M2000 Prerequisites for eNodeB security startup
with intelligent PnP:
6 4
3 PKI system 1. The transmission network has deployed a
eNodeB 1
public DHCP server. The PnP configuration
2 information and the DHCP option 43 are defined.
CRL Server CA
2. The eNodeB is preset with a factory certificate.
Radius Server Public DHCP Server 3. The PKI server is preset with a Huawei root
certificate, ESN list, and CRL which can be
obtained from the web portal. The ESN list is a
whitelist.
4. The SeGW is preset with the operator’s root
1.VLAN 2.DHCP/ 3.Authenti 4. build 5.OM 6.Download certificate.
Scanning public DHCP cation with
PKI Server
IPSec
tunnel
channel
setup
Cfg and
software
5. The 802.1X authentication server (RADIUS
Server
server) is preset with the Huawei root certificate.
The PnP process has six steps (for details, see Remark):
1. Automatic access process: 802.1X authentication and VLAN learning.

2. DHCP process: Obtaining DHCP temporary, SeGW IP, PKI, and M2000 IP.
3. PKI authentication.
4. IPSec tunnel setup.
5. OMCH setup.
6. Downloading the configuration and software. After restart, the PnP process is finished.
Note: If one of the above steps is faulty, the system starts the PnP process again, until the PnP
process is finished.

All-Process Certificate Management Solution
To support certificate-based transmission security mechanism, Huawei provides all-
process certificate management solution. The core of this solution is PKI. This
solution consists of two stags: factory stage and operation stage.
PKI mechanism:
PKI (Public Key Infrastructure) uses asymmetric cryptography to provide
information security service and is the basis and core of the current network
security construction. PKI is in wide use.
PKI uses username, password, and symmetric key to provide a secure
and standard key management infrastructure. The core technology of PKI is
digital certificate (public key) management, including issuance, delivery,
update, and revocation of certificates.
Certificate management
Factory stage: The factory CA issues factory device certificate; the
eNodeB is preset with the device certificate and Huawei root certificate; the
root certificates, CRL, and ESN are published on the web portal.
Operation stage: Includes eNodeB installation, eNodeB security self-
startup with intelligent PnP, and automatic eNodeB certificate management
with all-process certificate management process.

Principle 1 - Symmetric Cryptography
• Encryption and decryption use the same key.
• The sender and receiver should agree upon a key before security
communication.
• Security depends on the confidentiality of the key. Disclosure of the key means
that the encryption is no longer secure.
User B
User A
KEY
KEY ALLOCATE KEY
plaintext cryptograph cryptograph plaintext

Principle 2 - Asymmetric Cryptography
• Also known as public key encryption
• Encryption and decryption use different keys.
• The encryption key can be open and is called public key. The decryption key
must be secret and is called private key.
• Private key is used for signature and public key for authentication.
User B
User A
Get the public key Public key of B
of B
Private key of B
cryptograph cryptograph
plaintext plaintext

Principle 3 - Digital Certificates
• A digital certificate is an electronic ID card containing an entity’s identity

and associated public key information.
• This electronic ID card must be issued by trusted authority.
Calculate message digest
CAB’s private key
Calculate digital signature
CA’s digital signature

Principle 4 - Certificate Revocation List (CRL)
 For some reasons, a digital certificate needs to be revoked before the

validity period expires.
 The revoked certificates are uniformly saved in the CRL (blacklist).
version
tbsCertList Signature
signatureAlgorithm issuer
thisUpdate
signatureValue
nextUpdate
revokedCertificates
crlExtensions CRL userCertificate revocationDate crlEntryExtensions

Principle 5 - PKI
• PKI refers to public key infrastructure.
 The PKI implementation is based on asymmetric cryptography algorithms and technologies.
PKI is the basis and core of the current network security construction.
 Established over a group of standard and interoperable PKI protocols.
 Uses digital certificates compliant with ITU-T X509, manages the public keys of asymmetric
cryptography, and binds the public key of an entity with other identify information (which for a
device can be the device name, home country, province, city, specific location, or unique ID).
 A trusted CA (certificate authority) adds signature to the public key and identity information of a
user, generating a digital certificate.
 Manages the life cycle of digital certificates.
CA
PKI architecture

• CA issues, updates, revokes, and authenticates

digital certificates.
• CA is the core executive part of PKI.
 RA
 RA is the registration and approval body for the
digital certificates.
 RA is a CA’s window for users.
 CR/CRL
 CR/CRL stores the digital certificates or CRL.
 Exists as an FTP server, Web server, or LDAP
server.

Life cycle of a digital
CA hierarchy
certificate
3
Root CA certificate
deliver
2
Middle CA certification CA
4 certificate
authorize cancel
ultimate user CR/CRL RA

server
entity
PKI system
ultimate user ultimate user ultimate user 1 certificate 5 certificate
request overdue
• A parent CA can have child CAs and therefore establishing a CA hierarchy. Any CA can issue
certificates adapted to its authority.
• A three-layer CA hierarchy can satisfy the requirement of most operators.
• There is no limit to the depth of the CA hierarchy. A customer can choose an appropriate
depth according to the actual situation.

Certificate
 Extract Root CA’s public

key and verify both Root
CA signatures
 Extract Root CA1’s public

key and verify CA1’s
signature
 Extract Root CA2’s public

key and verify CA2’s
signature
 Assume that A authenticates B’s certificates. B’s certificate specifies the CA that issues the certificate.
Move along the CA hierarchy until to the root certificate. The movement forms a certificate chain. The
authentication process is described as follows:
 Moving in the reverse direction, starting from the root certificate, each node authenticates the
certificate of the next node until to B. The root certificate is of self-signature and uses its own
public key for authentication.
 If all the signatures pass authentication, A determines that all certificates are correct. If A trusts
the root CA, he can trust B’s certificates and public key.

Deploying PKI on eNodeB
The core of PKI mechanism is certificates. PKI includes the network elements
that use certificates, the PKI servers (CA and CRL servers) that manage the
certificates, and certificate management between NEs and PKI servers.
PKI system
Certificate
management
CA CRL Server
Network element
Root certificate
Device certificate
CRL
NEs PKI servers:

NEs that use certificates include eNodeB PKI servers manage certificates and
and SeGW. Three files are built-in: device include the CA server and the CRL
certificate, root certificate, and CRL. server.
The certificate management protocol
between CA and eNodeB is CMPV2.

Certificate Verification in the LTE
eNodeB SeGW/CA eNodeB SeGW/CA

Whitelist
Verify
Verify
Root certificate to verify the device Root certificate plus whitelist to verify
certificate the device certificate
CA root certificate can verify the validity of the device certificate issued by the CA.
For example, in the SeGW authenticating an eNodeB, the root certificate of the eNodeB
device certificate is preset on the SeGW. During authentication, the eNodeB sends the device
certificate to the SeGW which uses the preset root certificate to verify the validity of the device
certificate.
Verification of device certificates by root certificate can ensure that the device certificate
is issued by the root certificate CA. Huawei CA root certificate can verify that an
eNodeB is a valid Huawei device. To strengthen the authentication, the whitelist is
used. The whitelist stipulates that the eNodeB ESN contained in the device certificate is
compared with the preset ESN list. Only Huawei eNodeB of specific ESN is valid.

Certificate Management
Factory stage Operation stage

At the factory stage, an eNodeB is preset with a unique At the operation stage, a customer obtains the ESN list, CRL, and
device certificate. The ESN list, CRL, and factory CA root factory CA root certificates from the web portal to support the
certificate are published on the web portal. factory-preset certificate and eNodeB authentication.
For details, see the Remark.

Certificate Management (CMPv2)
Two certificate management phases:
1. PnP phase: In the PnP phase, eNodeB uses the initial request message
and initial reply message to apply to the operator’s CA server for a
device certificate. The DHCP option parameter (CA protocol type) can
determine whether a CMPV2 message uses http or https. The following
figure illustrates the PnP scenario.
2. Maintenance phase: After the system enters stable status, two

messages, Key Update Request and Key Update Reply, are used to
update the certificate. If updating the certificate fails, the existing
certificate is still effective and in use to prevent interruption of the
transmission link.
The certificate management system (cmpv2) is compliant with 3GPP 33.310.
eNodeB PKI Server
1.Creating KEY-pair(private key and

public key) for certificate file; 1.Verifying the vendor certificate
Ir{ Certificate request file, Vendor certificate}
2.Creating certificate. Subject with whitelist which is
CN(comman name) and comprised with eNodeB’s
SubjectAltername of the certificate ESN;
Ip{Operator certificate, Operator root certificate}
equal [email protected]. 2.Verfying the vendor certificate
ESN(Electrical Sequence Number) with vendor root certificate;
is the unique Id of eNodeB. 3. Issuing the operator certificate
with certificate request file
received;

Equipment Security: Simple Firewall
The eNodeB provides simple firewall function, including ACL packet filtering and interface security
management.
ACL packet filtering
1. Objective: To prevent DoS attack, or used by IPSec to match packets to determine whether
the packet should be applied with IPSec. The eNodeB supports ACL rule definition to permit or
deny the packets that match the rule.
2. 6-tuple rule: protocol type, destination IP, source IP, destination port, source port, DSCP.
3. Response methods: permit or deny.
4. Handling methods:
① Whitelist: First, an ACL rule denying reception of all packets is configured, then the
packets that are permitted to pass are specified for each data stream.
② Blacklist: An ACL rule that denies a data stream is configured for the data stream that
needs to be denied. By default, all packets are permitted. Therefore, there is no need to
configure an ACL rule that permits all packets.
③ In light of complete protection, the whitelist is better. For the SON X2 self-setup function,
the system automatically adds an ACL rule for an X2 interface.
Interface security management
This function consists of three parts:
1. Communication matrix: The support website publishes the open protocol ports (TCP/UDP) of
eNodeB of each version as the basis for port management.
2. Service port disable: When there is no service configuration over a service port, a user can
disable the service port to decrease the possibility of being attacked.
3. Debug port or protocol port disable: A user can choose to disable the debug port, or a protocol
port of the debug port, preferentially Telnet port 23 and SSH port 22.

Self-Setup of ACL Packet Filtering over X2 Interface -
New in eRAN2.1
Some operators want all the ingress and egress streams of the eNodeB to be under the control of a
whitelist to improve the system security. The default value is deny. Only the streams whose ACL
rule is permit can be received by the system.
The eNodeB interfaces include S1, X2, OM, clock, and cascade. Except for X2 interface, all
interfaces are statically configured. A user can perform data planning and configuration in advance.
X2 interface is dynamically configured by ANR and the ACL rules cannot be planned in advance
over the X2 interface. Therefore, X2 interface should support generation of ACL rules during ANR.
To support this function, 3GPP extends S1AP "eNB Configuration Transfer/ ‘MME Configuration
Transfer’" and adds service IP in addition to signaling IP. During the X2 self-setup process, eNodeB
sets up ACL packet filtering rules after exchanging the address information.
X2 self-setup is described as follows:

1. The source eNodeB and destination eNodeB exchange IP address
information (signaling IP and service IP) by two messages "eNB
Configuration Transfer" and "MME Configuration Transfer“.
2. The source eNodeB sets up a signaling link to the destination eNodeB
and configures ACL rules according to the source IP address and
destination IP address: {SCTP, source signaling IP, destination signaling
IP}, {UDP, source service IP, destination service IP}.

OMCH Security (Principles of SSL)
SSL protocol is developed by Netscape and provides encrypted and reliable connection
between two computers. Its features are as follows:
1. Established over a reliable transport layer protocol (such as TCP)

2. Unrelated to the application layer protocol
3. Encryption algorithms, negotiation of the communication key, and authentication by server are
finished before communication over the application layer protocol.
4. The upper application layer protocols (such as HTTP, FTP, and TELNET) are transparently
established over the SSL protocol. All the data transported by the application layer protocols is
encrypted, ensuring communication confidentiality.
SSL provides three security services:
• Confidentiality protection
• After the handshake protocol finishes negotiation of the session key, all
messages are encrypted for transmission.
• Integrity protection
• Maintains data integrity and ensures that data is not tampered with during
transmission.
• Authentication
• Authenticates a user and a server so that they are sure that data is sent to the
correct client and server. Though client authentication during a session is
optional, a server is always authenticated.

Principles of SSL (2)
Application Layer Protocol (HTTP, FTP, Telnet)
SSL Record Protocol SSL handshake Protocol Change Cipher Spec Protocol SSL Alert Protocol
TCP
IP
SSL application scenario
OMCH
FTPS
HTTPS
FTPS
HTTPS
SSL-based OMCH.
Local (or remote) FTPS connection to upload or download files.
Local (or remote) WebLMT sets up an HTTPS connection for operation and
maintenance.

Security Configuration on eNodeB (1)
• The transport-layer security configuration on eNodeB consists of IPSec
configuration and packet filtering configuration.
•
1. IPSec configuration
This configuration defines the data that requires IPSec, the authentication method, the data encryption
algorithms, the key exchange methods, and the key encryption algorithms. The details are as follows:
 ACLRULE defines an ACL rule, specifically the types of packets that require encryption protection.
 ACL defines an ACL group. An ACL group contains one or multiple ACL rules.
 IKECFG defines the eNodeB local negotiation parameters for IKE negotiation.
 IKEPROPOSAL defines an IKE proposal that contains the encryption and negotiation algorithms at the IKE
negotiation stage.
 IKEPEER defines the parameters interacted between eNodeB and peer at the IKE negotiation stage.
 IPSECPROPOSAL defines the encapsulation, authentication algorithm, and encryption algorithm used at the IPSec
stage.
 IPSECPOLICY defines the protection policy for IP packets compliant with the ACL rules.
 IPSECBIND binds IPSec with physical ports.
2. Packet filtering configuration

This configuration defines the ingress and egress permitted or denied by eNodeB. The details are as
follows:
 ACL and ACLRULE define the admission rules for the packets.
 PACKETFILTER binds ACL with physical ports.

Security Configuration on eNodeB
(2)
3. Configuration about digital certificates
This configuration defines the digital certificate used by IPSec for authentication.
 Appcert defines the device certificate currently in use.

 Trustcert defines the CA server certificate trusted by eNodeB.
 Crosscert defines the CA certificate trusted by the CA server that issues device certificate to
eNodeB.
 CRL defines the certificate revocation list.
 CRLpolicy defines the CRL policy used by eNodeB.
 Certchktsk defines the certificate update method and policy.
 Ca defines the configuration information on the CA server.
 Certmk defines the device certificate that can be used by eNodeB.
 Certreq defines the parameters for generating a certificate request file.
• For details, see the Transmission Security MOM Description.doc.
• The security configuration information of the TMO network is

described in the attached file.

Security Configuration on the SeGW
• The security configuration on the security gateway varies slightly for different vendors
and is similar to the security configuration on the eNodeB described in the preceding
pages. The security configuration on the security gateway defines the data that requires
IPSec, the authentication method, the data encryption algorithms, the key exchange
methods, and the key encryption algorithms.
• The attached file is about security configuration on the Symantec security gateway. The
configuration commands vary substantially for different vendors. The attached file is for
reference only.
DHCP server configuration Segw.rar
• The security configuration on the DHCP server requires that option 43 contains the CA
server information and the certificate path. For details, see the attached Requirement for
the DHCP server.
Requirement for DHCP SERVER.rar

Thank you
www.huawei.com
Copyright©2008 Huawei Technologies Co., Ltd. All Rights Reserved.

The information contained in this document is for reference purpose only, and is subject to
change or withdrawal according to specific customer requirements and conditions.

Training Doc - Introduction To LTE ERAN2.1 Transmission Solution-20110426-A-1.0

Uploaded by

Copyright:

Available Formats

Training Doc - Introduction To LTE ERAN2.1 Transmission Solution-20110426-A-1.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Training Doc - Introduction To LTE ERAN2.1 Transmission Solution-20110426-A-1.0

Uploaded by

Copyright:

Available Formats

Security Level: Internal use

Introduction to LTE eRAN2.1

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

This document describes the LTE eRAN2.1 transmission solution to

eRAN2.1 is an enhanced version and has the following new features:

 Enhanced QoS: PIR/CIR.

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page2

• Transmission Security MOM Description

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page3

• After completing this course, you should be able to:

 Understand the networking solution for LTE eRAN2.1 transmission

 Know principles of transmission security.

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page4

1. LTE Transmission Network - Interfaces

2. LTE Transmission Network - QoS

3. LTE Transmission Network - Reliability

4. LTE Transmission Network - Fault Detection

5. LTE Transmission Network - Security

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page5

 An LTE network has two protocol interfaces:

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 6

1. LTE Transmission Network - Interfaces

2. LTE Transmission Network - QoS

3. LTE Transmission Network - Reliability

4. LTE Transmission Network - Fault Detection

5. LTE Transmission Network - Security

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page7

eNodeB Ethernet DiffServ

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 8

 LTE QoS Mapping

QCI Resourc Priority Packet Packet Example Services

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 9

MML Command to VLAN Pri

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 10

Queues Queues Queues

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 11

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 12

1. LTE Transmission Network - Interfaces

2. LTE Transmission Network - QoS

3. LTE Transmission Network - Reliability

4. LTE Transmission Network - Fault Detection

5. LTE Transmission Network - Security

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page13

End-to-end redundancy S-GW/MME

OAM Clock Server

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 14

BFD - Bidirectional Failure Detection; ARP - Address Resolution Protocol.

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 15

Application OM channel OM channels OM handshake Proprietary handshake

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 16

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 17

An SCTP link is identified by four parameters:

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 18

//Add IP address of Ethernet port 0

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 19

• This function requires

•Trunk No. is the unique

•Port priority: The lower

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 20