Saturday, June 21, 2014

IPSec/strongswan failures and checkpoints

FAIL_CP_REQ (FAILED_CP_REQUIRED)
Add the following to the conn:

leftsourceip=%config
leftdns=%dns

TS_UNACCEPTABLE
Check the left|right subnet and protoport settings; the traffic selectors must match on both peers.

NO_PROPOSAL_CHOSEN
Check that the ike=XXX and esp=XXX proposals overlap on both peers.

libopenikev2: openikev2::Payload_NOTIFY Class Reference
http://openikev2.sourceforge.net/libopenikev2_api/classopenikev2_1_1Payload__NOTIFY.html
UNSUPPORTED_CRITICAL_PAYLOAD Unsupported critical payload.
INVALID_IKE_SPI Invalid IKE SPI.
INVALID_MAJOR_VERSION Invalid Major Version.
INVALID_SYNTAX Invalid syntax.
INVALID_MESSAGE_ID Invalid message ID.
INVALID_SPI Invalid SPI.
NO_PROPOSAL_CHOSEN No proposal chosen.
INVALID_KE_PAYLOAD Invalid KE payload.
AUTHENTICATION_FAILED Authentication failed.
SINGLE_PAIR_REQUIRED Single pair required.
NO_ADDITIONAL_SAS No additional SAs.
INTERNAL_ADDRESS_FAILURE Internal address failure.
FAILED_CP_REQUIRED Failed Configuration Payload required.
TS_UNACCEPTABLE Traffic selector unacceptable.
INVALID_SELECTORS Invalid selectors.
INITIAL_CONTACT Initial contact.
SET_WINDOW_SIZE Set window size.
ADDITIONAL_TS_POSSIBLE Additional Traffic selector possible.
IPCOMP_SUPPORTED IPcomp supported.
NAT_DETECTION_SOURCE_IP NAT detection source ip.
NAT_DETECTION_DESTINATION_IP NAT detection destination ip.
COOKIE Cookie.
USE_TRANSPORT_MODE Use transport mode.
HTTP_CERT_LOOKUP_SUPPORTED HTTP certificate lookup supported.
REKEY_SA Rekey SA.
ESP_TFC_PADDING_NOT_SUPPORTED ESP TFC padding not supported.
NON_FIRST_FRAGMENT_ALSO Non first fragment also.
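To tie the checkpoints above to the notify types in the reference list, here is an added Python example (not strongSwan or libopenikev2 code) that decodes an IKEv2 Notify payload as laid out in RFC 7296 and looks up the configuration checkpoint for the three error types discussed; the NOTIFY_TYPES table, the CHECKPOINTS table and the sample bytes are my own, with the type numbers taken from RFC 7296.

```python
import struct

# Notify Message Type values (RFC 7296 section 3.10.1); values below 16384
# are errors, the rest are status notifications.  Only the types discussed
# in the notes above are listed here.
NOTIFY_TYPES = {
    1: "UNSUPPORTED_CRITICAL_PAYLOAD", 4: "INVALID_IKE_SPI",
    5: "INVALID_MAJOR_VERSION", 7: "INVALID_SYNTAX", 9: "INVALID_MESSAGE_ID",
    11: "INVALID_SPI", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
    24: "AUTHENTICATION_FAILED", 34: "SINGLE_PAIR_REQUIRED",
    35: "NO_ADDITIONAL_SAS", 36: "INTERNAL_ADDRESS_FAILURE",
    37: "FAILED_CP_REQUIRED", 38: "TS_UNACCEPTABLE", 39: "INVALID_SELECTORS",
    16384: "INITIAL_CONTACT", 16388: "NAT_DETECTION_SOURCE_IP",
    16389: "NAT_DETECTION_DESTINATION_IP", 16390: "COOKIE",
    16391: "USE_TRANSPORT_MODE", 16393: "REKEY_SA",
}

# strongSwan configuration checkpoints from the notes above.
CHECKPOINTS = {
    "FAILED_CP_REQUIRED": "add leftsourceip=%config and leftdns=%dns",
    "TS_UNACCEPTABLE": "check left|right subnet and protoport settings",
    "NO_PROPOSAL_CHOSEN": "check that ike= and esp= proposals overlap",
}

def parse_notify(payload: bytes) -> dict:
    """Decode one Notify payload: 4-byte generic payload header followed by
    Protocol ID (1), SPI Size (1), Notify Message Type (2), SPI, data."""
    if len(payload) < 8:
        raise ValueError("truncated Notify payload")
    next_payload, flags, length, proto_id, spi_size, ntype = struct.unpack(
        "!BBHBBH", payload[:8])
    # Length must cover the fixed fields plus the SPI, and fit the buffer.
    if length > len(payload) or length < 8 + spi_size:
        raise ValueError("Notify payload length field is inconsistent")
    spi = payload[8:8 + spi_size]
    name = NOTIFY_TYPES.get(ntype, "UNKNOWN(%d)" % ntype)
    return {"type": ntype, "name": name, "error": ntype < 16384,
            "critical": bool(flags & 0x80), "next_payload": next_payload,
            "protocol_id": proto_id, "spi": spi.hex(),
            "data": payload[8 + spi_size:length], "hint": CHECKPOINTS.get(name)}

# Constructed sample: a NO_PROPOSAL_CHOSEN notify with no SPI, last payload.
SAMPLE = bytes([0, 0, 0, 8, 0, 0, 0, 14])

if __name__ == "__main__":
    n = parse_notify(SAMPLE)
    print(n["name"], "->", n["hint"])
```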

GRE over IPSec tunnels between Cisco and Linux

Stuff: GRE over IPSec tunnels between Cisco and Linux (openswan)
http://ghergamilan.blogspot.tw/2010/06/gre-over-ipsec-tunnels-between-cisco.html

        leftprotoport=47                       # match the GRE traffic (IP protocol 47); this line is very important
        rightprotoport=47                      # match the GRE traffic

Wednesday, June 11, 2014

LTE Security: IPSec

http://www.qtc.jp/3GPP/Specs/33401-860.pdf

11 Network Domain Control Plane protection

The protection of IP based control plane signalling for EPS and E-UTRAN shall be done according to TS 33.210 [5].

NOTE 1: In case control plane interfaces are trusted (e.g. physically protected), there is no need to use protection according to TS 33.210 [5].

In order to protect the S1 and X2 control plane, it is required to implement IPSec ESP according to RFC 4303 [7] as specified by TS 33.210 [5]. For both S1-MME and X2-C, IKEv2 certificate-based authentication according to TS 33.310 [6] shall be implemented. For S1-MME and X2-C, tunnel mode IPSec is mandatory to implement on the eNB. On the core network side a SEG may be used to terminate the IPSec tunnel.

Transport mode IPSec is optional for implementation on the X2-C and S1-MME.

NOTE 2: Transport mode can be used for reducing the protocol overhead added by IPSec.

12 Backhaul link user plane protection

The protection of user plane data between the eNB and the UE by user specific security associations is covered by clause 5.1.3 and 5.1.4.

In order to protect the S1 and X2 user plane as required by clause 5.3.4, it is required to implement IPSec ESP according to RFC 4303[7] as profiled by TS 33.210[5], with confidentiality, integrity and replay protection.

On the X2-U and S1-U, transport mode IPSec is optional for implementation.

Tunnel mode IPSec is mandatory to implement on the eNB for X2-U and S1-U. On the core network side a SEG may be used to terminate the IPSec tunnel.

For both S1 and X2 user plane, IKEv2 with certificate-based authentication shall be implemented. The certificates shall be implemented according to the profile described by TS 33.310 [6]. IKEv2 shall be implemented conforming to the IKEv2 profile described in TS 33.310 [6].

NOTE 2: In case S1 and X2 user plane interfaces are trusted (e.g. physically protected), the use of IPSec/IKEv2 based protection is not needed.

For the X2 interface, we could:
  1. Set up an eNB-to-eNB IPSec transport link
  2. Send eNB-to-eNB traffic via the SecGW
No resource was found for method 1.
The following suggest method 2:

LTE transport network security
http://www.ieee-cqr.org/2012/May15/Session%202/2_Jason_Boswell_NSN%20LTE%20Security.pdf

Radio-to-core  protection in LTE
http://www.stoke.com/GetFile.asp?f=9da2433463cb8e11f41bd6213c67303e

Tuesday, June 10, 2014

Getting a list of used libraries by a running process

osx - Getting a list of used libraries by a running process (unix) - Stack Overflow
http://stackoverflow.com/questions/2184775/getting-a-list-of-used-libraries-by-a-running-process-unix

cat /proc/$pid/maps
or
pldd
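An added Python helper (mine, not from the Stack Overflow thread) that parses the /proc/$pid/maps format referred to above, lists the file-backed objects that have an executable mapping, and flags any loaded from temp directories, which is the check a defender runs against a suspect process; the sample maps text is constructed.

```python
import re

# /proc/PID/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^(\S+)\s+(\S{4})\s+\S+\s+\S+\s+(\d+)\s*(.*?)\s*$")
# Directories from which a legitimate shared library is not normally loaded.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_maps(text: str) -> dict:
    """Return {path: set(perms)} for every file-backed mapping in maps text."""
    libs = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, inode, path = m.group(2), m.group(3), m.group(4)
        # inode 0 / no path is anonymous memory; [heap], [stack], [vdso] are
        # pseudo-paths, not files.
        if inode == "0" or not path or path.startswith("["):
            continue
        libs.setdefault(path, set()).add(perms)
    return libs

def loaded_libraries(text: str) -> list:
    """Paths of mapped files that have at least one executable segment."""
    return sorted(path for path, perms in parse_maps(text).items()
                  if any("x" in p for p in perms))

def suspicious_libraries(text: str) -> list:
    """Executable mappings loaded from scratch/temp directories."""
    return [p for p in loaded_libraries(text) if p.startswith(SUSPICIOUS_DIRS)]

def libraries_of_pid(pid) -> list:
    """Live variant of 'cat /proc/$pid/maps' (Linux, needs ptrace read access)."""
    with open("/proc/%s/maps" % pid) as f:
        return loaded_libraries(f.read())

# Constructed sample in /proc/PID/maps format (addresses and inodes made up).
SAMPLE_MAPS = """\
5558e3a00000-5558e3a02000 r-xp 00000000 08:01 131 /usr/bin/sleep
7f1a2c000000-7f1a2c1b2000 r-xp 00000000 08:01 4242 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2c1b2000-7f1a2c3b2000 ---p 001b2000 08:01 4242 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2c3b6000-7f1a2c3b8000 rw-p 00000000 00:00 0
7f1a2c400000-7f1a2c402000 r-xp 00000000 00:0e 99 /dev/shm/.x.so
7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(loaded_libraries(SAMPLE_MAPS), suspicious_libraries(SAMPLE_MAPS))
```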

Friday, June 6, 2014

LTE notes

The LTE Network Architecture - Alcatel-Lucent | At the Speed of Ideas
http://www3.alcatel-lucent.com/wps/DocumentStreamerServlet?LMSG_CABINET=Docs_and_Resource_Ctr&LMSG_CONTENT_FILE=White_Papers/CPG0599090904_LTE_Network_Architecture_EN_StraWhitePaper.pdf

eNodeB (evolved NodeB)
UE (user equipment)
PDN (packet data network)
EPC (evolved packet core)
EPS (evolved packet system)
EPS bearer: an IP packet flow with a defined QoS between the gateway and the UE
CN (core network)
SAE (system architecture evolution): evolution of non-radio aspect.

The EPC consists of the following logical nodes:

  • P-GW (PDN Gateway)
  • S-GW (Serving Gateway)
  • MME (Mobility Management Entity)
  • PCRF (Policy Control and Charging Rules Function)
  • HSS (Home Subscriber Server)

NAS (Non Access Stratum)
AS (Access Stratum) protocol: The protocol running between eNodeBs and UE
S-TMSI (SAE Temporary Mobile Subscriber Identification)
TA (Tracking Area)


S1 interface: Interface that connects the eNodeB and the EPC
S1-MME interface: Interface that connects the eNodeB and the MME
S1-U interface: Interface that connects the eNodeB and the S-GW
X2 interface: eNodeBs are interconnected to each other by X2.
S1-flex: the feature of S1 interface linking the access network to the CN
MME/S-GW pool: The set of MME/S-GW nodes that serves a common area.
pool area: the area covered by MME/S-GW pool


TR-196: Femto Access Point Service Data Model
http://www.broadband-forum.org/technical/download/TR-196.pdf
[wiki] TR-196
http://en.wikipedia.org/wiki/TR-196
TR-069 is a bidirectional SOAP/HTTP-based protocol that provides communication between customer-premises equipment (CPE) and Auto Configuration Servers (ACS). TR-069 is more generic and addresses various devices such as modems, routers, gateways, set-top boxes, and VoIP phones; the primary objective of TR-196 is to provide a data model specific to the Femto Access Point (FAP).

E-UTRAN: responsible for radio-related functions:
  • RRM (Radio resource management)
  • Header Compression
  • Security
  • Connectivity to the EPC

RAN (Radio Access Network)
PMIP (Proxy Mobile Internet Protocol)
PLMN (Public Land Mobile Network)


blue region of the stack is the E-UTRAN user plane protocol stack

GTP (GPRS Tunnelling Protocol): 3GPP-specific protocol over the CN interfaces S1 and S5/S8.
PDCP (Packet Data Convergence Protocol)
RLC (Radio Link Control)
MAC (Medium Access Control)
blue region of the stack indicate the AS protocol.

RRC (Radio Resource Control) protocol

Bearers:
  • GBR (Minimum guaranteed bit rate)
  • Non-GBR
QCI (QoS Class Identifier)
ARP (Allocation and Retention Priority)

AM (Acknowledged Mode)
LTE-Uu: radio interface

EPS bearer
S5/S8 bearer
S1 bearer
radio bearer


TFT (Traffic Flow Template)
UL TFT (Uplink TFT)
DL TFT (Downlink TFT)

PCEF (Policy Control Enforcement Function)

bearer level QoS parameter value is passed from:
PCRF -> P-GW -> S-GW -> --(S11)--> MME

PCC (Policy Control and Charging)


SONs (Self-optimizing networks)
SS7 (Signaling System #7)

S1 Control plane:
SCTP(Stream Control Transmission Protocol)/IP
S1-AP (Application Protocol)


S1 User Plane:
TEID (Tunnel Endpoint ID)
TNL (Transport Network Layer)
HOL (Head-of-line blocking)

[wiki] Head-of-line blocking
http://en.wikipedia.org/wiki/Head-of-line_blocking

NNSF (NAS Node Selection Function)

X2 handover
S1 handover

UMTS Serving Radio Network Subsystem (SRNS) relocation procedure


S1 handover:

ANRF (automatic neighbor relation function)
PCI (Physical Cell Identity)
eNB Configuration Transfer procedure
automatic self-configuration of the PCIs
O&M (Operation and Maintenance)
SN (Sequence Number)
HFN (Hyper Frame Number)

selective retransmissions
multiple preparation
RRM (Radio resource management)