Beruflich Dokumente
Kultur Dokumente
SEG #1 SEG #2
”inititator” ”receiver”
IKE_SA_INIT request (plain text) • IKE SA SPI used by SEG#1
• Supported security algorithms for IKE
• Almost identical format to SA
IKE_SA_INIT request, except: • DH key exchange data
• includes also IKE SA SPI for SEG#2 • Nonce payload
• Certificate Request • Notification fields (optional)
IKE_SA_INIT response (plain text)
SEG #2 selects
security algorithms for
IKE SA
NAS Signaling
(ciphered & integrity protected using NAS signaling security)
SAE-GW
S1 U
U-plane U-plane data
U-plane data U-plane data
(ciphered and integrity protected packets forwarded over X2
(ciphered) with IPSec-optional) ciphered and integrity
protected with IPSec - optional)
O&M EMS/
M-plane
NMS
M-plane data AKA/Subscriber Security
(ciphered and integrity protected
with IPSec & TLS - optional) Transport Security
Table of Contents
Introduction
1 Motivation and Feature Overview
Technical Details
2 Functionality and Implementation, Message Flows
Configuration Management
3 Parameters
Deployment Aspects
4 Feature Activation and Configuration Examples
• There can be several security policies defined, each has its own packet filter.
– IPSECC/policyNumber
• If an uplink packet (coming from FSMx) matches a filter criterion, the corresponding security policy is applied to the packet:
– IPSECC/ipSecStatus = PROTECT (0), DISCARD (1), BYPASS (2), default = 2
ipSecEnabled IPSECC false (0), true (1) false (0) This parameter enables IPSec (value true) or disables (value false) usage of IPSec at the eNB.
This is a parameter structure that defines the list of security policies of the FTM. Each entry in the list consists of several
securityPolicies IPSECC parameter structure -
parameters, the most important ones are described below.
This parameter holds the local IP address of the data traffic packet for this policy as seen by the FTM. IPSec tunnel
selection based on the following combinations of local IP addresses and local port numbers and protocol are possible: i)
single IP address (equivalent to netmask /32 in IPv4), no particular protocol/port; ii) single IP address, selected protocol/port
; iii) IP subnet, no particular protocol/port; iv) IP subnet, selected protocol/port. For example, if the eNB U-plane virtual
localIpAddress IPSECC IPv4 address -
address is 10.10.10.1 and C-plane virtual address is 10.10.10.2, then one could map all U/C traffic to this IPSec tunnel by
setting localIpAddress = 10.10.10.0 and localNetmask = 255.255.255.252. Alternatively, instead of source subnet, the
traffic-to-IPSec-tunnel mapping can be based on destination subnet (or both). NOTE: mapping based on destination subnet
is the preferred planning approach, since it typically results in simpler database creation and management.
This is the port number of the local IP address. If value 0 is configured, the IPSec policy is valid in the same way to and
localIpPort IPSECC -1...65535, step 1 -1
from all ports of the local IP address. Value 0 corresponds to all ports.
This parameter specifies the netmask to the parameter localIpAddress. The type of localNetmask (IPv4 or IPv6) must match
localNetmask IPSECC IPv4 address -
the type of parameter localIpAddress.
This parameter holds the remote IP address of the data traffic packet for this policy. IPSec tunnel selection based on the
following combinations of remote IP addresses and remote port numbers and protocol are possible: i) single IP address
remoteIpAddress IPSECC IPv4 address -
(equivalent to netmask /32 in IPv4), no particular protocol/port; ii) single IP address, selected protocol/port ; iii) IP subnet, no
particular protocol/port; iv) IP subnet, selected protocol/port.
This is the port number of the remote IP address. If value 0 is configured, the IPSec policy is valid in the same way to and
remoteIpPort IPSECC -1...65535, step 1 -1
from all ports of the remote IP address.
This parameter specifies the netmask to the parameter remoteIpAddress. The type of remoteNetmask (IPv4 or IPv6) must
remoteNetmask IPSECC IPv4 address -
match the type of parameter remoteIpAddress.
This parameter holds the protocol information of the IP packet according to RFC791 (IPv4) or RFC1883 (IPv6). If the
protocol IPSECC -1...254, step 1, -1
parameter has value -1, the policy is valid for all protocols.
This parameter defines the local endpoint of the IPSec tunnel. It should equal either the physical Ethernet interface address
localTunnelEndpoint IPSECC IPv4 address -
of the VLAN interface address.
remoteTunnelEndpoint IPSECC IPv4 address - This parameter holds the remote IPSec tunnel endpoint IP address, i.e., the security gateway address.
antiReplayEnabled IPSECC false (0), true (1) If this flag is true,anti replay checking for the IPSec connections of this policy is enabled, else it is switched off.
For internal use SIZE_64 (0),SIZE_128 This is the size of the anti replay window to be used on the security policy.
antiReplayWindowSize IPSECC
7 © Nokia Siemens Networks 2012 (1), SIZE_256 (2) The parameter is only relevant if the parameter antiReplayEnabled has the value True.
IPSec parameters (4/4) Table of Contents Main Menu
LTE689 – LTE IPSec Support
This flag rules the basic treatment of a traffic data packet that applies to the selection criteria of this policy. The
values have the following meaning: "DISCARD": the packet is discarded without any further action or notification, i.e.
PROTECT (0), DISCARD (1),
ipSecStatus IPSECC BYPASS (2) it is prevented from passing to its designated destination. "BYPASS": the packet is delivered to its destination without
BYPASS (2)
any other processing, in particular without any further IPSec-related processing. "PROTECT": the packet will be made
subject to the settings of its security policy.
ENCRYPTION_NULL (0),
AES_128_CBC (1), 3DES_192_CBC ENC_AES_128_CB
encryptionMethod IPSECC (2), C_OR_3DES_192_ This parameter defines the encryption algorithm to be applied to the traffic data packet for which the policy matches.
AES_128_CBC_OR_3DES_192_CB CBC (3)
C (3)
ikeProtocol IPSECC IKE_V1 (0), IKE_V2(1) IKE_V2 (1) This parameter holds the IKE protocol version of this association used for this policy.
This parameter holds the maximum duration in seconds of the life time of the security association. After the timer has
saMaxLifeTime IPSECC 300...86400 seconds, step 1 86400 expired for the security association, a new security association is negotiated by IKE. The default value corresponds to
24 hours.
This is the IPSec tunnel endpoint for IKE protocol. It should equal to the value of the IPSECC/remoteTunnelEndpoint
remoteTunnelEndpoint IPSECC IPv4 address -
parameter.
This parameter specifies the delay between the sending of two consecutive DPD INFORMATIONAL messages by the
BTS. The INFORMATIONAL message indicates the BTS is still alive. For IKEv2, the BTS raises the Dead Peer
dpddelay IPSECC 10…360 seconds 10 Detected (DPD) alarm if the remote peer has not sent any INFORMATIONAL message to the BTS after the BTS has
sent a fixed number of INFORMATIONAL messages. For IKEv1 the BTS raises the DPD alarm, if the remote peer
has not sent back any INFORMATIONAL messages after the time defined in the parameter dpdtimeout has expired.
For IKEv1, the BTS raises the Dead Peer Detected (DPD) alarm if the remote peer has not sent back any
dpdtimeout IPSECC 60...3600 seconds 120
INFORMATIONAL messages after the time defined in the parameter dpdtimeout has expired.
For internal use This is the order number of the security policy. Only the lowest number of several equally matching policies is
policyNumber IPSECC 0...65535, step 1 -
8 © Nokia Siemens Networks 2012 executed on a specific traffic data packet.
LTE689 – LTE IPSec Support Main Menu
Table of Contents
Introduction
1 Motivation and Feature Overview
Technical Details
2 Functionality and Implementation, Message Flows
Configuration Management
3 Parameters
Deployment Aspects
4 Feature Activation and Configuration Examples
A trust relation ship exists between Nokia Siemens Networks and the operator:
• Nokia Siemens Networks provides for each Flexi Multimode BTS a unique vendor device
certificate signed by the Nokia Siemens Networks CA
• As part of the delivery the operator gets a list of all shipped modules (serial numbers) and the
Nokia Siemens Networks public root certificate
When the eNB auto connects to the operator’s network it utilizes the CMP in-band initialization
procedure to ask for an operator’s eNB certificate:
• The Flexi Multimode base station / eNB sends a public key for signing as well as it’s vendor
device certificate and serial number
• The operator CA verifies the vendor device certificate with the help of the Nokia Siemens
Networks root certificate
• If Nokias Siemens Networks Identity Management Solution (IDM) is in place the serial number is
automatically checked against the order list
• If both verifications passed the CA signs the key and issues the operator device certificate to
the Flexi Multimode Bases station
OP device
Cert NSN device cert swapped by operator device cert
• Needed if CMP and CRL server are used for eNB authentication and certificate revocation,
• NSN PKI solution is the InstaCertifier,
• Parameters to be planned:
– CERTH/cmpServerIpAddress
– CERTH/cmpServerPort
– CERTH/caSubjectName = 0...128 characters
– CERTH/btsCertificateUpdateTime
– CERTH/caCertificateUpdateTime
– CERTH/crlUpdatePeriod
• The settings must match with the server settings and hence planned together with the
security administrator/planner.
• The following must be in place in both eNB and SEG if using X.509
signatures for authentication:
– CA root certificate,
– private key,
– eNB certificate.
• Normally the above are obtained from CMP server prior to IPSec tunnel
setup. They can be also loaded manually to eNB using the site manager.
• Sometimes the other IPSec peer can disappear without properly deleting the SA, for example because the node is
being rebooted or physical connection was cut.
• The actual implemetation details that are left open in the RFC:
– when to send ARE-U-THERE? Example trigger from Linux StrongSwan implementation: when there is no traffic in
the SA pipe for dpddelay seconds, where dpddelay is user-definable parameter
– when and how to react if there is no response? Example from Linux StrongSwan implementation: retransmit ARE-
U-THERE in increasing time intervals up to five times. If no response, release the SA.
• Note: there is, in principle, no need for planning coordination the DPD timers between peers (though, it may happen
that one end will always trigger ARE-U-THERE first).
Table of Contents
This feature enables secure eNB control and data communication between the Flexi Multiradio
BTS and other eNBs and Core Nodes by using IPSec to secure transport and application
protocols.
With IPSec also the separation between different types of traffic, like C-Plane and U-Plane traffic
from M-Plane traffic, by dedicated transport tunnels is supported
Benefits for the operator:
– Improved RAN network security
– Possibility of traffic separation within the backhaul
– CAPEX savings: no external HW equipment needed at the eNB side
3 x GE 1)
4 x E1/T1/JT1 2)4)
High-capacity IPSec 3)4)
ToP (IEEE1588-2008), Sync Ethernet 4)
Ethernet switching 5)
Non-blocking throughput performance with IPSec
Flexi Multiradio BTS
System Module 1) 2 x GE electrical + 1 x GE optical via SFP module
2) E1/T1/JT1 interface for synchronization
with 3) IPSec HW capability: 2 Gbit/s DL+UL
4) SW support with RL10
Flexi Transport sub-module FTLB 5) SW support with RL20
BTS Transport
− IPSec processing done by a
S internal
Public
LMP SSE Subnet for
SSE
Subnet
PPP
IPSec processing
dedicated HW (Cavium Router)
User defined
Router (CV)
− Does not affect traffic processing
LLP
FSP1 eth0
IWF
done in the main board (WP
I eth1 eth2 eth3
U-Plane X
P H
PPP TRS
Ip
INT
Ip
TRS Router)
PDH 1- 4 C A
FSP2 ppp
J
U-Plane Y P Q
P
TRS D
G BTS IWF
FSP3 eth0 eth1 EIF
K N INT
U-Plane Z
P
Sw itch
ToP E
R O
2 x GE 1)
4 x E1/T1/JT1 2)
IPSec 3)4)
ToP (IEEE1588-2008), Sync Ethernet
Ethernet switching 4)
FSP2
J ppp
PPP TRS
PDH 1- 4 − FTIB throughput with IPSec
U-Plane Y P Q
P
IWF
IP
TRS
A
EI F limited to 160 Mbit/s DL+UL
G BTS
FSP3 et h0 et h1
K N INT
U-Plane Z
P
Sw itch
ToP E
R O
Table of Contents
Release information:
System release RL20
eNode B LBTS 2.0
NetAct -
MME -
SAE-GW -
HW/SW requirements:
− LTE564 is supported by Flexi MRD BTS, with:
Flexi BTS system modules (FSM): FSM R2
Flexi transport sub-modules (FTM): FTIB
Feature dependencies:
− LTE564 depends on the following features:
LTE707 Flexi Transport sub-module FTIB (RL10)
− LTE564 is analogous to feature LTE689 LTE IPSec Support for control, user and
management plane, supported on FTLB, except some differences in the internal IPSec
processing on FTIB and FTLB boards (see next slides)
Table of Contents
IPSec is a L3 security architecture defined by IETF; it comprises a suite of protocols for data
encryption, integrity protection and communication peer authentication according to RFC4301.
Fundamental components of IPSec:
Security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP)
Security Associations
Key management, manual and automatic, Internet Key Exchange (IKE)
Mathematical algorithms for authentication and encryption
IPSec can be also used to implement VPNs on L3, for traffic separation
U-Plane, C-Plane, M-Plane and S-Plane traffic can be separated with dedicated IPSec VPN tunnels from
each other and from any other operator’s traffic if any part of the transport network is shared.
Separation ensures that any attacks from affected/unsecured network parts will have no impact to the
separated data paths.
LTE RL10 and RL20 implement a subset of the full IPSec protocol suite
Data encryption and integrity protection, origin authentication and
Services:
anti-replay protection
Key exchange: dual stack IKEv1 (RFC 2409) / IKEv2 (RFC 4306)
LTE RL10 and RL20 implement a subset of the full IPSec protocol suite
Table of Contents
Integrated SEG
Security Association pair SA#1
Application IP@
Network
Security Association pair SA#n Management
2 alternatives possible:
Security on Transport level: „Outer” secured communication channel in a VPN mode (FlexiBTS ↔ SEG)
Security on Application level: „Inner”, e2e secured communication channel (typically separate for UP, CP, MP and SP (if supported))
Both in a form of Security Association established with ISAKMP protocol
U X2-u/c
Single
tunnel per MME
C
Ethernet
eNB
Tunnel IP
M
VLAN SAE-
optional SEG
S GW
eN
B O&M
IPSec VPN
IPSec tunnel: “outer” IP layer
IPSec tunnel: “inner” IP layer
Table of Contents
Parameter Description
This is a parameter structure that defines the list of security policies of the FTM. Each entry in the list consists of several
full name: securityPolicies parameters.
object: IPSECC Parameters included in this strucuture:
range: parameter structure antiReplayEnabled, antiReplayWindowSize, authentication, dpddelay, dpdtimeout, encryptionMethod, ikeEncryptionMethod,
default: - ikeProtocol, ipSecStatus, localIpAddress, localIpPort, localNetmask, localTunnelEndpoint, policyNumber, protocol,
unit: - remoteIpAddress, remoteIpPort, remoteNetmask, remoteTunnelEndpoint, saMaxLifeTime
This parameter holds the local IP address of the data traffic packet for this policy as seen by the FTM. To be entered in dotted
decimal format.
full name: localIpAddress
object: IPSECC The following combinations of local and remote IP addresses, local and remote port numbers and protocol are feasible:
range: IPv4 address - a single IP address (equivalent to netmask /32 in IPv4), no particular protocol/port
default: - - a single IP address, selected protocol/port
unit: - - an IP subnet, no particular protocol/port
- an IP subnet, selected protocol/port.
Parameter Description
This is the port number of the local IP address. If value -1 is configured, the IPSec policy is valid in the same way to and from
all ports of the local IP address.
full name: localIpPort The following combinations of local and remote IP addresses, local and remote port numbers and protocol are feasible:
object: IPSECC - single IP address (equivalent to netmask /32 in IPv4), no particular protocol/port
Range and step: -1..65535, step 1
- single IP address, selected protocol/port
default: -1 (all ports are allowed)
unit: - - IP subnet, no particular protocol/port
- IP subnet, selected protocol/port.
full name: localNetmask This parameter specifies the netmask to the parameter localIpAddress. The type of localNetmask (IPv4 or IPv6) must match
object: IPSECC the type of parameter localIpAddress.
range: IPv4 address
default: -
unit: -
Parameter Description
This parameter holds the remote IP address of the data traffic packet for this policy as seen by the FTM. To be entered in
dotted decimal format.
full name: remoteIpAddress The following combinations of local and remote IP addresses, local and remote port numbers and protocol are feasible:
object: IPSECC - a single IP address (equivalent to netmask /32 in IPv4), no particular protocol/port
range: IPv4 address
- a single IP address, selected protocol/port
default: -
unit: - - an IP subnet, no particular protocol/port
- an IP subnet, selected protocol/port.
This is the port number of the remote IP address. If value -1 is configured, the IPSec policy is valid in the same way to and from
all ports of the remote IP address.
full name: remoteIpPort The following combinations of local and remote IP addresses, local and remote port numbers and protocol are feasible:
object: IPSECC - single IP address (equivalent to netmask /32 in IPv4), no particular protocol/port
Range and step: -1..65535, step 1
- single IP address, selected protocol/port
default: -1 (all ports are allowed)
unit: - - IP subnet, no particular protocol/port
- IP subnet, selected protocol/port.
full name: remoteNetmask This parameter specifies the netmask to the parameter remoteIpAddress. The type of remoteNetmask (IPv4 or IPv6) must
object: IPSECC match the type of parameter remoteIpAddress.
range: IPv4 address
default: -
unit: -
Parameter Description
This parameter defines the remote endpoint of the IPSec tunnel. It should equal either the physical Ethernet interface address
full name: remoteTunnelEndpoint or the VLAN interface address.
object: IPSECC
range: IPv4 address
default: -
unit: -
full name: ipSecStatus This flag rules the basic treatment of a traffic data packet that applies to the selection criteria of this policy. The values have the
object: IPSECC following meaning: "DISCARD": the packet is discarded without any further action or notification, i.e. it is prevented from
range: 0 (PROTECT) passing to its designated destination. "BYPASS": the packet is delivered to its destination without any other processing, in
1 (DISCARD)
particular without any further IPSec-related processing. "PROTECT": the packet will be made subject to the settings of its
security policy.
2 (BYPASS)
default: BYPASS
unit: -
This parameter holds the ESP encryption algorithm to be applied to the traffic data packet for which the policy matches.
full name: encryptionMethod
The default value for ESP encryption algorithm offers 2 values (priority list) where
object: IPSECC
range: 0 (ENC_NULL),
- AES-128 CBC is tried first (1. priority) and
1 (ENC_AES_128_CBC), - 3DES-192 CBC is tried next (2.priority).
2 (ENC_3DES_192_CBC),
3 (ENC_AES_128_CBC_OR_3DES_192_CBC) )
default: (3)
unit: -
Parameter Description
This parameter determines if this policy is using a pre-shared key or a certificate in IKE. Certificate is obtained from CMP
full name: authentication
server during eNB startup or downloaded manually to eNB using the site manager.
object: IPSECC
range: 1 (certificate), 2 (psk)
default: certificate
unit: -
This parameter holds the IKE protocol version of this association used for this policy.
full name: ikeProtocol
object: IPSECC
range: IKE_V1 (0), IKE_V2 (1)
default: IKE_V2
unit: -
This parameter holds the encryption algorithm at the IKE layer to be applied to the IKE protocol packet. Note that encryption is
full name: ikeEncryptionMethod always used in IKE protocol.
object: IPSECC
range: 0 (ENC_NULL),
1 (ENC_AES_128_CBC),
2 (ENC_3DES_192_CBC),
3 (ENC_AES_128_CBC_OR_3DES_192_CBC) )
default: (3)
unit: -
Parameter Description
This parameter holds the maximum duration in seconds of the life time of the security association. After the timer has expired
full name: saMaxLifeTime
for the security association, a new security association is negotiated by IKE. The default value corresponds to 24 hours.
object: IPSECC
range: 300...86400 sec, step 1 sec
default: 86400
unit: seconds
This parameter specifies the delay between the sending of two consecutive DPD INFORMATIONAL messages by the BTS.
The INFORMATIONAL message indicates the BTS is still alive.
full name: dpddelay
object: IPSECC For IKEv2, the BTS raises the Dead Peer Detected (DPD) alarm if the remote peer has not sent any INFORMATIONAL
range: 10…360 seconds
message to the BTS after the BTS has sent a fixed number of INFORMATIONAL messages. For IKEv1 the BTS raises the
DPD alarm, if the remote peer has not sent back any INFORMATIONAL messages after the time defined in the parameter
default: 10 sec
dpdtimeout has expired.
unit: seconds
full name: dpdtimeout For IKEv1, the BTS raises the Dead Peer Detected (DPD) alarm if the remote peer has not sent back any INFORMATIONAL
object: IPSECC messages after the time defined in the parameter dpdtimeout has expired.
range: 60...3600 seconds
default: 120 sec
unit: seconds
Table of Contents
Encrypted
Authenticated
Transmission order
0 31
IPSec in this configuration introduces an IP header (20 bytes)
additional overhead of 71 bytes to the original IP Security Parameters Index (SPI) (4 bytes)
datagram: Extended Sequence Number (4 bytes)
Transmission order
Authenticated
ESP header: 24 bytes Initialization Vector (AES-CBC: 16 bytes)
Explicit padding: 15 bytes
Payload
(n*16bytes)
ESP Authentication data: 12 bytes
Encrypted
Outer IP header: 20 bytes Padding
Total: 71 bytes Pad Length Next Header
(1 byte) (1 byte)
This results in an additional IP bandwidth
Authentication Data (SHA-1-96: 12 bytes)
requirement of ~ 15% for a typical user profile
Table of Contents
LTE IP Sec measurement (M51125) contains counters for counting protected, discarded and bypassed
bytes and frames for IPSec
Protected_ESPFramesTX (ID: M51125C0)
Table of Contents
Table of Contents
Introduction
1 Motivation and Feature Overview
Technical Details
2 Functionality and Implementation, Message Flows
Configuration Management
3 Parameters
Feature summary
• Enables secure communication of O&M control and bulk data between the Flexi Multiradio BTS LTE
at one end, and BTS Site Manager and NetAct or other management systems at the other end.
• The feature includes a PKI infrastructure by employing secure protocols such as Transport Layer
Security (TLS).
• The feature also brings CAPEX savings, as there is no need to invest in any external HW.
• Applied together with LDAP, TLS takes care of confidential user credential exchange
– Air interface security of U-plane and C-plane (RRC) traffic is terminated at the eNodeB.
Traffic in the LTE mobile backhaul network is not secured by Radio Network Layer protocols
– LTE network architecture is flat adjacent eNBs and core nodes (MME, S-GW) become directly
IP-reachable from eNB site.
If physical access to the site cannot be prohibited, a hacker could connect his device to the network
port and attack aforementioned network elements.
Transport security features are seen mandatory if not both the mobile backhaul network and the
eNodeB site can be regarded as secure.
RNC Internet
C-plane can be
RNC can be
maliciously
attacked
manipulated
For internal use
54 © Nokia Siemens Networks 2012
Introduction Table of Contents Main Menu
Security Threats in WCDMA
Internet
NAS Signaling
(ciphered & integrity protected using NAS signaling security)
SAE-GW
S1 U
U-plane U-plane data
U-plane data U-plane data
(ciphered and integrity protected packets forwarded over X2
(ciphered) with IPSec-optional) ciphered and integrity
protected with IPSec - optional)
O&M EMS/
M-plane
NMS
M-plane data AKA/Subscriber Security
(ciphered and integrity protected
with IPSec & TLS - optional) Transport Security
Table of Contents
Introduction
1 Motivation and Feature Overview
Technical Details
2 Functionality and Implementation, Message Flows
Configuration Management
3 Parameters
Security is assured by the Transport Layer Security Protocol and further protocols such as HTTP or
LDAP running on top of it:
– Unsecure protocols such as FTP are no longer used.
– TLS is a secure communication method for protecting the confidentiality and integrity of, for
example, Java, HTTP and LDAP based O&M traffic.
Digital certificates according to X.509v3 format are used to mutually authenticate the eNB, the BTS Site
Manager, and network servers such as NetAct.
O&M interfaces, messages and commands are encrypted and integrity protected by TLS. Data such as
user names and passwords is not transferred as plain text.
• that guarantees privacy and data integrity between Client and Server applications communicating over public
network
• communicated information can be protected from:
– eavesdropping
– tampering
– message forgery
• Based on SSL3.0 (Secure Sockets Layer), TLS supercedes and is an extension to SSL. TLS and SSL are not
interoperable.
• Interoperability
• Algorithm flexibility
• Ease of deployment
• Ease of use
Administrative overhead
– A TLS/SSL environment is complex and requires maintenance.
– The system administrator must configure the system and manage certificates.
• Here TLS Handshake Protocol is only explained in detail and no explaination is given for the record protocol as it
is data exchange between client and server and it has got nothing to do with TLS connection establishment.
The LDAP interface for user authentication and provision of permission information for a user is secured by
TLS:
‒ The NetAct centralized user authentication and authorization (CUAA) application and other services use the
LDAP interface to authenticate a user and to fetch permission information for a user.
‒ Insecure connections on the LDAP link between the BTS and the LDAP servers lead to a situation where a user's
username and password are transferred in plain text across the O&M network.
Insecure and secure O&M connections are established on separate TCP ports. By opening or closing these
ports, secure and insecure connections can be activated and deactivated
The same ports are used for both secure and unsecure connections; for eNB these ports are
configurable using BTSSM.
Make sure to have the configuration matched between the operation mode settings in eNB and iOMS.
If the settings differ, the eNB might not be able to connect, but will continue trying to connect even though the
iOMS connection port is closed.
Probing (Secure/Unsecure)
– Both secure and unsecure O&M protocol connections are allowed. Both secure and insecure ports are open.
– When the parameter value is changed from Off to Probing, iOMS resets the port 8002 to trigger the eNB
change from insecure to secure connection.
Off
– Only unsecure O&M protocol connections are allowed. The secure port (8003) is closed.
If the negotiated file transfer protocols allow both insecure and secure file transfers, and the file transfer
attempts from both secure and insecure ports fails, the client does not retry, but aborts the procedure.
Depending on the transport network configuration and the number of network management locations and applications
to be addressed, TLS (one or more instances) alone or together with other secure transport protocols like IPSec
can be used and configured in parallel.
• If the eNB (acting as TLS server) certificate validation fails in BTSSM (acting as TLS client), the BTSSM asks user
permission to establish the secure connection even if the eNB certificate is "unknown" to BTSSM.
If the secure connection establishment fails, BTSSM attempts to establish an unsecure connection; in this case
BTSSM has to be locally connected to the eNB
Table of Contents
Introduction
1 Motivation and Feature Overview
Technical Details
2 Functionality and Implementation, Message Flows
Configuration Management
3 Parameters
Defines the usage of TLS between the eNB and the iOMS system.The usage of TLS
omsTls IPNO off (0), forced (1), probing (2) probing
requires that valid certificates are installed to the eNB.
This parameter holds the TLS access mode for the LDAP server(s) of the BTS. The possible
ldapConnectionType AMGR TLS (0), TLS_OR_PLAIN_TEXT (1) - values are: "secured" (allow only secured connections) and "both" (allow both unsecured
and secured connections).
Deployment Aspects
4 Feature Activation and Configuration Examples
• A part of the X.509 certificate examination is the check if the certificate has been
revoked.
• The URL of the revocation repository server (CRL Distribution Point) is given by a Full
Qualified Domain Names (FQDN) within the certificate.
• Domain Name Service (DNS) is used to derive the corresponding IP address.
Deployment Aspects
4 Feature Activation and Configuration Examples
• Certificates of remote peers (received as part of IPSec or TLS establishment) and configured trust
anchors need to be checked if they are valid and have not been revoked
• To allow this examination each certificate contains the URL of the responsible revocation repository
server given by a Full Qualified Domain Name (FQDN).
• The DNS client in Network Element (NE) sends the FQDN of the CRL Distribution Point to a DNS
name server which returns the corresponding IP address assigned to the repository.
DNS query
(CRL Server FQDN)
DNS response
(CRL Server IP@)
Deployment Aspects
4 Feature Activation and Configuration Examples
Deployment Aspects
4 Feature Activation and Configuration Examples
• The following requirements are not closely related to the LTE482: DNS Support for Certificate Examination
feature, but should be taken into account when selecting a DNS server for the network:
– Place DNS server on the demilitarized zone. The DMZ should be located between the network elements and
the NetAct.
– Use authentication ticketing for DNS services.
– Restrict zone transfers to minimize the amount of information on the network available to attackers. Consider
the authenticated zone transfers if zone transfers are required.
– Use two servers, or the views feature, if internal and external clients require different information (so-called
split-horizon or split-brain technique). For additional security, consider using DNS proxying for the external DNS
server.
– Internal DNS servers should be recursive, and external DNS servers must be non-recursive.
– Do not allow dynamic updates. If dynamic updates are required, use transaction signatures to authenticate
requests.
– If the system does not serve as a DNS server, ensure that no DNS service is running.
– Run DNS server in a chroot (change root) environment, and run it without super-user privileges.
– Run DNS on a dedicated server.
Deployment Aspects
4 Feature Activation and Configuration Examples
Deployment Aspects
4 Feature Activation and Configuration Examples
Deployment Aspects
4 Feature Activation and Configuration Examples
CFAM LTE482 DNS Support for Certificate Examination, System Feature Specification,
Version 1.1.0, T. Kinnunen
LTE Radio Access, Rel. RL30, Operating Documentation, Issue 01
LTE482 - DNS Support for Certificate Examination.ppt, Feature Introduction
LTE482 DNS Support for Certificate Examination, Focal Point
LTE482 DNS Support for Certificate Examination, PKDB