Install | ownCloud.org
Manual Installation — ownCloud Administrators Manual 7.0 documentation
How QoS is managed in LTE system | beyond3g
Quality of Service Overview - Technical Documentation - Support - Juniper Networks
- On the radio interface
- Radio bearer control
- Admission control
- Congestion control
- On the transport (backhaul)
- Mapping DSCP with P-bit in VLAN
Quality of Service (QoS) and Policy Management in Mobile Data Networks
3GPP TR 29.839: Home (e)Node B - security gateway interface (Release 11)
QCI | 4G University
5.2 H(e)NB procedures
5.2.1 General
The H(e)NB shall support DSCP marking on the IPsec header when forwarding the UE uplink traffic. Based on H(e)NB configuration either the QCI mapping or the Reflective QoS may be used.
5.2.2 QCI mapping
The QCI mapping table contains a one-to-one mapping from QCI value to DSCP marking value. The QCI mapping table is configured in the H(e)NB by the operator.
Do we have DSCP marking on the outer IP header (the one above GTP) and how does it look? Which specifications relate to this topic? How does QCI map to DSCP? And will the DSCP mapping table be made in the router? | LinkedIn
Specifications that relate to the S1 interface (also touching the QoS aspects) are TS 36.410, TS 36.411, TS 36.412, TS 36.413 and TS 36.414.
The technical specification TS 36.414 section 5.4 Diffserv code point marking says:
“IP Differentiated Services code point marking shall be supported. The mapping between traffic categories and Diffserv code points shall be configurable by O&M based on QoS Class Identifier (QCI) Characteristics and other E-UTRAN traffic parameters. Traffic categories are implementation-specific and may be determined from the application parameters”
which means that there is DSCP marking, but it is defined by a specific implementation.
The SGW, PGW, and eNB all contain QCI to DSCP markings. During bearer setup, the QCI values are communicated from the HSS/PCRF to the PGW, SGW, & eNB. The adjacent routers need only to enforce the DSCP markings set by the EPC elements.
QCI-to-DSCP mapping cannot be fixed by the 3GPP standard as it depends on the transmission network design. Transmission equipment must prioritize the IP packets according to the service they are carrying, so the mapping must be configured according to the TX network.
QCI  DSCP  Example 3GPP service
1    EF    conversational voice
2    EF    conversational video
3    EF    real-time gaming
4    AF41  buffered streaming
5    AF31  IMS signaling
6    AF31  buffered streaming
7    AF21  interactive gaming
8    AF11  web access
9    BE    e-mail
DSCP is a field in the IP header; QCI is an end-to-end parameter mapped in each part of the network to different parameters or groups of parameters (in the radio interface, transmission network..). DSCP value mapping to QCI is a mapping for prioritizing bearers in the transmission network and can be (and will be) done on P-GW, S-GW and eNB. The mapping which you configure on the eNB will take place in the uplink: when the eNodeB has to transmit an IP packet which carries a GTP packet corresponding to a bearer with
QCI 7, the eNB will add the DSCP value which (according to what you have configured on the eNB) corresponds to QCI 7 in the IP header of that IP packet. It is important to emphasize that the eNB itself, when it receives a downlink packet, does not care about the received DSCP in the IP header (placed by the S-GW); the eNB does not compare the received DSCP with the DSCP configured on the eNB for that QCI. Moreover, those two DSCP values (for UL and DL) can be different, depending on the transmission network. What you configure on the S-GW for S1 will take place on the S1 downlink in the same way as described for the eNB... And analogically for other cases...
QoS and IPSec interactions | CCIE, the beginning!
Enterprise QoS Solution Reference Network Design Guide - IPSec VPN QoS Design [Design Zone for IPv6] - Cisco
Feature #166: DSCP config in StrongSwan
strongSwan does not provide DSCP specific functionality but the DSCP example in our test suite might give you an idea how to configure it using iptables and XFRM marks.
Test ikev2/net2net-psk-dscp
[strongSwan] DSCP support in new version of strongswan
Check left|right subnet and proto settings.
Check ike=XXX and esp=XXX
libopenikev2: openikev2::Payload_NOTIFY Class Reference
- UNSUPPORTED_CRITICAL_PAYLOAD: Unsupported critical payload.
- INVALID_IKE_SPI: Invalid IKE SPI.
- INVALID_MAJOR_VERSION: Invalid Major Version.
- INVALID_SYNTAX: Invalid syntax.
- INVALID_MESSAGE_ID: Invalid message ID.
- INVALID_SPI: Invalid SPI.
- NO_PROPOSAL_CHOSEN: No proposal chosen.
- INVALID_KE_PAYLOAD: Invalid KE payload.
- AUTHENTICATION_FAILED: Authentication failed.
- SINGLE_PAIR_REQUIRED: Single pair required.
- NO_ADDITIONAL_SAS: No additional SAs.
- INTERNAL_ADDRESS_FAILURE: Internal address failure.
- FAILED_CP_REQUIRED: Failed Configuration Payload required.
- TS_UNACCEPTABLE: Traffic selector unacceptable.
- INVALID_SELECTORS: Invalid selectors.
- INITIAL_CONTACT: Initial contact.
- SET_WINDOW_SIZE: Set window size.
- ADDITIONAL_TS_POSSIBLE: Additional Traffic selector possible.
- IPCOMP_SUPPORTED: IPcomp supported.
- NAT_DETECTION_SOURCE_IP: NAT detection source IP.
- NAT_DETECTION_DESTINATION_IP: NAT detection destination IP.
- COOKIE: Cookie.
- USE_TRANSPORT_MODE: Use transport mode.
- HTTP_CERT_LOOKUP_SUPPORTED: HTTP certificate lookup supported.
- REKEY_SA: Rekey SA.
- ESP_TFC_PADDING_NOT_SUPPORTED: ESP TFC padding not supported.
- NON_FIRST_FRAGMENT_ALSO: Non first fragment also.
Stuff: GRE over IPSec tunnels between Cisco and Linux (openswan)
leftprotoport=47 #match the GRE traffic, this line is very important
rightprotoport=47 #match the GRE traffic
11 Network Domain Control Plane protection
The protection of IP based control plane signalling for EPS and E-UTRAN shall be done according to TS 33.210 .
NOTE 1: In case control plane interfaces are trusted (e.g. physically protected), there is no need to use protection according to TS 33.210.
In order to protect the S1 and X2 control plane, it is required to implement IPSec ESP according to RFC 4303 as specified by TS 33.210. For both S1-MME and X2-C, IKEv2 certificate-based authentication according to TS 33.310 shall be implemented. For S1-MME and X2-C, tunnel mode IPSec is mandatory to implement on the eNB. On the core network side a SEG may be used to terminate the IPSec tunnel.
Transport mode IPSec is optional for implementation on the X2-C and S1-MME.
NOTE 2: Transport mode can be used for reducing the protocol overhead added by IPSec.
12 Backhaul link user plane protection
The protection of user plane data between the eNB and the UE by user specific security associations is covered by clause 5.1.3 and 5.1.4.
In order to protect the S1 and X2 user plane as required by clause 5.3.4, it is required to implement IPSec ESP according to RFC 4303 as profiled by TS 33.210, with confidentiality, integrity and replay protection.
On the X2-U and S1-U, transport mode IPSec is optional for implementation.
Tunnel mode IPSec is mandatory to implement on the eNB for X2-U and S1-U. On the core network side a SEG may be used to terminate the IPSec tunnel.
For both S1 and X2 user plane, IKEv2 with certificate-based authentication shall be implemented. The certificates shall be implemented according to the profile described by TS 33.310. IKEv2 shall be implemented conforming to the IKEv2 profile described in TS 33.310.
NOTE 2: In case S1 and X2 user plane interfaces are trusted (e.g. physically protected), the use of IPSec/IKEv2 based protection is not needed.
For the X2 interface, we could:
- Set up an eNB-to-eNB IPSec transport link
- Send eNB-to-eNB traffic via SecGW
The following suggests method 2:
LTE transport network security
Radio-to-core protection in LTE
osx - Getting a list of used libraries by a running process (unix) - Stack Overflow
The LTE Network Architecture - Alcatel-Lucent | At the Speed of Ideas
eNodeB (evolved NodeB)
UE (user equipment)
PDN (packet data network)
EPC (evolved packet core)
EPS (evolved packet system)
EPS bearer: an IP packet flow with a defined QoS between the gateway and the UE
CN (core network)
SAE (system architecture evolution): evolution of the non-radio aspects.
EPC consists of the following logical nodes:
- P-GW (PDN Gateway)
- S-GW (Serving Gateway)
- MME (Mobility Management Entity)
- PCRF (Policy Control and Charging Rules Function)
- HSS (Home Subscriber Server)
NAS (Non Access Stratum)
AS (Access Stratum) protocol: The protocol running between eNodeBs and UE
S-TMSI (SAE Temporary Mobile Subscriber Identification)
TA (Tracking Area)
S1 interface: interface that connects eNodeB and EPC
S1-MME interface: interface that connects eNodeB and MME
S1-U interface: interface that connects eNodeB and S-GW
X2 interface: eNodeBs are interconnected to each other by X2.
S1-flex: the feature of S1 interface linking the access network to the CN
MME/S-GW pool: The set of MME/S-GW nodes that serves a common area.
pool area: the area covered by MME/S-GW pool
TR-196: Femto Access Point Service Data Model
TR-069, a bidirectional SOAP/HTTP-based protocol, provides the communication between customer-premises equipment (CPE) and Auto Configuration Servers (ACS). TR-069 is more generic and addresses various devices such as modems, routers, gateways, set-top boxes and VoIP phones. The primary objective of TR-196 is to provide a data model specific to the Femto Access Point (FAP).
E-UTRAN: responsible for radio-related functions:
- RRM (Radio resource management)
- Header Compression
- Connectivity to the EPC
RAN (Radio Access Network)
PMIP (Proxy Mobile Internet Protocol)
PLMN (Public Land Mobile Network)
GTP (GPRS Tunnelling Protocol): 3GPP-specific protocol over CN interfaces, S1 and S5/S8.
PDCP (Packet Data Convergence Protocol)
RLC (Radio Link Control)
MAC (Medium Access Control)
RRC (Radio Resource Control) protocol
- GBR (Minimum guaranteed bit rate)
ARP (Allocation and Retention Priority)
AM (Acknowledged Mode)
LTE-Uu: radio interface
TFT (Traffic Flow Template)
UL TFT (Uplink TFT)
DL TFT (Downlink TFT)
PCEF (Policy Control Enforcement Function)
Bearer-level QoS parameter values are passed from:
PCRF -> P-GW -> S-GW -> --(S11)--> MME
PCC (Policy Control and Charging)
SONs (Self-optimizing networks)
SS7 (Signalling System No. 7)
S1 Control plane:
S1-AP (Application Protocol)
S1 User Plane:
TNL (Transport Network Layer)
HOL (Head-of-line blocking)
[wiki] Head-of-line blocking
NNSF (NAS Node Selection Function)
UMTS Serving Radio Network Subsystem (SRNS) relocation procedure
ANRF (automatic neighbor relation function)
PCI (Physical Cell Identity)
automatic self-configuration of the PCIs
O&M (Operation and Maintenance)
SN (Sequence Number)
HFN (Hyper Frame Number)
RRM (Radio resource management)
4.3 Configuring the peer side using CA certificates
The ID by which a peer is identifying itself during IKE main mode can be any of the ID types IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN. If one of the first three ID types is used, then the accompanying X.509 certificate of the peer must contain a matching subjectAltName field of the type ipAddress (IP:), dnsName (DNS:) or rfc822Name (email:), respectively. With the fourth type DER_ASN1_DN, the identifier must completely match the subject field of the peer's certificate. One of the two possible representations of a Distinguished Name (DN) is the LDAP-type format.
Re: [strongSwan] rightid (Ipsec with Certificates)
rightid="C=CH,O=Linux strongSwan, CN=sun.strongswan.org"
Additional whitespace can be added everywhere as desired since it will be automatically eliminated by the X.509 parser. An exception is the single whitespace between individual words, like e.g. in Linux strongSwan, which is preserved by the parser.
The Relative Distinguished Names (RDNs) can alternatively be separated by a slash ('/') instead of a comma (','):
rightid="/C=CH/O=Linux strongSwan/CN=sun.strongswan.org"
This is the representation extracted from the certificate by the OpenSSL command line option
openssl x509 -in sunCert.pem -noout -subject
Re: [strongSwan] understanding %fromcert
rightid and leftid are required to prevent an endpoint having a valid and trusted certificate from taking on the identity of another endpoint (e.g. a client acting as the SEGW). The leftid must exactly match either the subjectDistinguishedName or a subjectAltName in the leftcert. rightid must match the identity of the remote endpoint but may contain wildcards, the most general being rightid=%any which returns a full match for any id. rightid is sent by the initiator in the optional IDr payload in order to assist the remote endpoint in the selection of the identity to be used if the remote endpoint has multiple identities (e.g. multiple certificates). If rightid contains at least one wildcard ('*' character) then IDr is omitted but the responder must always return its full IDr not containing any wildcards.
In your first example where you define rightid="C=*, O=*, OU=*, CN=*" the IDr payload is not sent by the initiator and the responder returns an IDr of the form "O=Alcatel, CN=654...@alcatel-lucent.com" which does not match your rightid template because the C= and OU= RDNs are missing and the following local error is produced:
constraint check failed: identity 'C=*, O=*, OU=*, CN=*' required
selected peer config '30' inacceptable
no alternative config found
In order for your example to work you must either define rightid="O=*, CN=*" or, if you don't know exactly which type of RDNs are used by the SEGW in its certificate, just rightid=%any. Please be aware that the use of wildcards makes your endpoints vulnerable to the kind of man-in-the-middle attacks mentioned in the first paragraph.
In your second example you didn't specify any rightid. In that case by default the IP address specified by right is used as rightid, i.e. rightid=172.21.11.181. Since this IDr is not contained in the SEGW's certificate, the remote error
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
is received.
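As an added example (not from the strongSwan project or from the mailing-list replies), the following Python models the two identity rules described above: a DN given in either the comma-separated LDAP form or the slash-separated OpenSSL form is parsed with the whitespace rule quoted earlier, and a peer's IDr is then matched against a rightid template, where %any matches everything and '*' matches any single RDN value but every RDN in the template must be present in the same order, so that "C=*, O=*, OU=*, CN=*" rejects an identity that has only O= and CN=. The sample identities are constructed, and the real strongSwan matcher is not reproduced here; escaped commas or slashes inside values are not handled.

```python
# Added example, not code from the strongSwan project or the mailing-list
# replies: a small model of how a rightid template constrains the identity
# (IDr) a peer presents. Identities below are constructed sample values.

# Constructed peer identity with the shape of the responder's IDr in the reply.
SAMPLE_PEER_ID = "O=Alcatel, CN=654321@alcatel-lucent.com"


def parse_dn(text):
    """Parse 'C=CH, O=Linux strongSwan, CN=x' or '/C=CH/O=Linux strongSwan/CN=x'
    into an ordered list of (attribute, value) RDNs. Whitespace around the
    separators and '=' is dropped; a single space between words inside a value
    (as in 'Linux strongSwan') is kept. Escaped separators are not handled
    (assumption for this example)."""
    text = text.strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, text))
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()          # attribute types compare case-insensitively
        value = " ".join(value.split())      # collapse runs of whitespace to one space
        if not attr or not value:
            raise ValueError("empty attribute or value in %r" % part)
        rdns.append((attr, value))
    return rdns


def format_dn(rdns):
    """Canonical comma-separated form, so both input styles compare equal."""
    return ", ".join("%s=%s" % (a, v) for a, v in rdns)


def has_wildcard(template):
    """Per the reply, a '*' anywhere in rightid makes the initiator omit IDr."""
    return "*" in template


def id_matches(template, peer_id):
    """True if the peer's identity satisfies the rightid template.
    %any matches every identity; otherwise both DNs are walked RDN by RDN:
    attribute types must agree and the template value must be '*' or equal.
    A template with more or fewer RDNs than the peer's identity never matches."""
    if template.strip() == "%any":
        return True
    want, got = parse_dn(template), parse_dn(peer_id)
    if len(want) != len(got):
        return False
    for (ta, tv), (pa, pv) in zip(want, got):
        if ta != pa or (tv != "*" and tv != pv):
            return False
    return True


def main():
    for template in ("C=*, O=*, OU=*, CN=*", "O=*, CN=*", "%any"):
        verdict = "match" if id_matches(template, SAMPLE_PEER_ID) else "constraint check failed"
        print("rightid=%-24s IDr sent: %-5s -> %s" % (template, not has_wildcard(template), verdict))
    # Why a narrow rightid matters: with %any, any identity the CA issued is
    # accepted where the SEGW was expected; a pinned DN rejects it.
    client = "C=CH, O=Linux strongSwan, CN=some-client.strongswan.org"
    print("%any accepts client cert as SEGW:", id_matches("%any", client))
    print("pinned DN accepts client cert:   ",
          id_matches("C=CH, O=Linux strongSwan, CN=sun.strongswan.org", client))


if __name__ == "__main__":
    main()
```

The lockstep walk over RDNs is what makes the first template in the reply fail: the template demands four RDNs, the presented identity carries two, so no value-level wildcard can rescue it. The `main` also shows the trade-off the reply warns about: rightid=%any or a broad wildcard accepts every certificate the trusted CA has issued as the SEGW, while a pinned DN does not.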
'Re: [strongSwan] FQDN based certificate authentication for ikev2' - MARC
leftid=%fromcert is an OpenSwan option not supported by strongSwan. The strongSwan configuration is
leftcert=carolCert.pem
leftid=ca...@strongswan.org
or simply
leftcert=carolCert.pem
If leftid is missing then left, i.e. the IP address, is chosen by default for leftid, but since the IP address usually is not contained as a subjectAltName in the certificate, the fallback is for leftid to assume the value of the subject Distinguished Name, e.g.
leftid="C=CH, O=strongSwan, CN=ca...@strongswan.org"
'Re: [strongSwan] Cannot set ID to FQDN with certificate loaded,' - MARC
If you want to use FQDNs as IDs then you must set rightid and leftid accordingly:
On the initiator 10.0.0.2:
left=10.0.0.2
leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
leftid=ib.atca.nsn.com
right=10.0.0.1
rightid=cla.atca.nsn.com
On the responder 10.0.0.1:
left=10.0.0.1
leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"
leftid=cla.atca.nsn.com
right=%any
QA Cafe - Knowledgebase - How do I display the contents of a SSL certificate?
subjectAltNames don't go into the Distinguished Name (DN) itself as you did in [O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com, subjectAltName=sgw.myco.co] but into an X.509v3 certificate extension. Enter the subjectAltName in the form subjectAltName=DNS:sgw.myco.com in the appropriate place in your openssl.cnf file before you generate your certificate.
# openssl x509 -in acs.qacafe.com.pem -text
Public key certificate - Wikipedia, the free encyclopedia
Certificate Signing Request (CSR)
Certificate signing request - Wikipedia, the free encyclopedia
How To Generate SSL Key, CSR and Self Signed Certificate For Apache
# openssl req -new -key www.thegeekstuff.com.key -out www.thegeekstuff.com.csr
Setting-up a Simple CA Using the strongSwan PKI Tool - SimpleCA - strongSwan - strongSwan
The Most Common OpenSSL Commands
Binary to Hex:
# echo 0123456789abcdef0123456789abcdef | xxd
0000000: 3031 3233 3435 3637 3839 6162 6364 6566 0123456789abcdef
0000010: 3031 3233 3435 3637 3839 6162 6364 6566 0123456789abcdef
# echo 0123456789abcdef0123456789abcdef | xxd -g1
0000000: 30 31 32 33 34 35 36 37 38 39 61 62 63 64 65 66 0123456789abcdef
0000010: 30 31 32 33 34 35 36 37 38 39 61 62 63 64 65 66 0123456789abcdef
0000020: 0a .
# echo 0123456789abcdef0123456789abcdef | xxd -i
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x61, 0x62,
0x63, 0x64, 0x65, 0x66, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x0a
Hex string to binary:
# echo 0123456789abcdef0123456789abcdef | xxd | xxd -r
# echo 0123456789abcdef0123456789abcdef | xxd -g1| xxd -r
# echo 0123456789abcdef0123456789abcdef | xxd -i | xxd -r -p
# echo 0123456789abcdef0123456789abcdef | xxd -r -p | xxd
0000000: 0123 4567 89ab cdef 0123 4567 89ab cdef .#Eg.....#Eg....
Issue #467: What if I use 0.0.0.0/0 as leftsubnet and rightsubnet in ipsec.conf - strongSwan - strongSwan - IKEv2/IPsec VPN for Linux, Android, FreeBSD, Mac OS X
A route is installed in routing table 220 by default (use ip route list table 220 to view it).
Revocation list - Wikipedia, the free encyclopedia
Online Certificate Status Protocol - Wikipedia, the free encyclopedia
What is OCSP (Online Certificate Status Protocol)? - Definition from WhatIs.com
PUBLIC KEY INFRASTRUCTURE CERTIFICATE REVOCATION LIST VERSUS ONLINE CERTIFICATE STATUS PROTOCOL
How Certificate Revocation Works
Latest Simplified Specifications - SD Association
SD Specifications, Part E1, SDIO Simplified Specification, Version 2.00, February 8, 2007
SD Specifications, Part 1, Physical Layer Simplified Specification, Version 4.10, January 22, 2013
Secure Digital - Wikipedia, the free encyclopedia
Open Cryptographic Framework for Linux | Free Security & Utilities software downloads at SourceForge.net
The Design of the OpenBSD Cryptographic Framework
Netkey + Openswan + OCF && H/W acceleratorsdrivers == kernel crash/panic - ReadList.com
OCF Hardware crypto acceleration - Swan
Understanding Cryptographic Performance
Openswan vs strongSwan | Computing | Pariah Zero
Using a Linux L2TP/IPsec VPN server
Openswan - Wikipedia, the free encyclopedia
Openswan has been forked to Libreswan in 2012.
Libreswan - Wikipedia, the free encyclopedia
Cringeworthy MS-DOS source code: profanity and jokes everywhere | TechNews
Easter egg (media) - Wikipedia, the free encyclopedia
Google "waldorf school in california"
Waldorf Schools | California | K12 Academics
Waldorf of the Peninsula | A RENAISSANCE EDUCATION… in the Silicon Valley
Google "public waldorf school in california"
Charter school - Wikipedia, the free encyclopedia
Find a School | Alliance for Public Waldorf Education
Charter schools are not publicly owned and privately run, but publicly funded, privately owned and privately run - The Thinker's Blog: building a society of benevolence, wisdom, justice and fairness - udn blog
The beauty and sorrow of American charter schools @ Reading and Life Notes :: Xuite blog