Wednesday, June 11, 2014

LTE Security: IPSec


http://www.qtc.jp/3GPP/Specs/33401-860.pdf

11 Network Domain Control Plane protection

The protection of IP based control plane signalling for EPS and E-UTRAN shall be done according to TS 33.210 [5].

NOTE 1: In case control plane interfaces are trusted (e.g. physically protected), there is no need to use protection according to TS 33.210[5].

In order to protect the S1 and X2 control plane, it is required to implement IPSec ESP according to RFC 4303[7] as specified by TS 33.210[5]. For both S1-MME and X2-C, IKEv2 certificate-based authentication according to TS 33.310[6] shall be implemented. For S1-MME and X2-C, tunnel mode IPSec is mandatory to implement on the eNB. On the core network side a SEG may be used to terminate the IPSec tunnel.

Transport mode IPSec is optional for implementation on the X2-C and S1-MME.

NOTE 2: Transport mode can be used to reduce the protocol overhead added by IPSec.
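
The overhead NOTE 2 refers to is mostly the extra outer IP header that tunnel mode prepends; the ESP header, IV, padding, trailer and ICV are paid in both modes. The following is an added example (Python, not from TS 33.401 or from this page) that works the RFC 4303 framing out for an S1-U packet; the two cipher suites and the backhaul MTU are illustrative assumptions, and the real algorithms come from the TS 33.210 profile.

```python
"""ESP framing overhead in tunnel vs transport mode (RFC 4303 section 2)."""
from dataclasses import dataclass

IPV4_HDR = 20
ESP_HDR = 8        # SPI (4) + Sequence Number (4)
ESP_TRAILER = 2    # Pad Length (1) + Next Header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # per-packet IV carried at the start of the ESP payload
    align: int     # payload + padding + trailer is padded to a multiple of this
    icv_len: int   # Integrity Check Value appended after the trailer


# Illustrative suites (assumption); the operator's TS 33.210 profile decides the real ones.
AES_GCM_128 = EspSuite("AES-GCM-128", iv_len=8, align=4, icv_len=16)                 # RFC 4106
AES_CBC_128_SHA1 = EspSuite("AES-CBC-128 + HMAC-SHA1-96", iv_len=16, align=16, icv_len=12)


def esp_padding(payload_len: int, suite: EspSuite) -> int:
    """Padding bytes so that payload + padding + trailer is aligned (RFC 4303 2.4)."""
    return (-(payload_len + ESP_TRAILER)) % suite.align


def esp_packet_len(inner_len: int, suite: EspSuite, mode: str, ip_hdr: int = IPV4_HDR) -> int:
    """Wire length of an inner IPv4 packet of inner_len bytes after ESP encapsulation."""
    if mode == "tunnel":
        payload = inner_len               # the whole inner packet becomes the ESP payload
    elif mode == "transport":
        payload = inner_len - ip_hdr      # the inner IP header stays in front of ESP, in the clear
    else:
        raise ValueError(mode)
    pad = esp_padding(payload, suite)
    # exactly one IP header in front either way: the new outer one (tunnel) or the original (transport)
    return ip_hdr + ESP_HDR + suite.iv_len + payload + pad + ESP_TRAILER + suite.icv_len


def esp_overhead(inner_len: int, suite: EspSuite, mode: str, ip_hdr: int = IPV4_HDR) -> int:
    """Bytes added by ESP; tunnel minus transport is the outer IP header (plus any padding delta)."""
    return esp_packet_len(inner_len, suite, mode, ip_hdr) - inner_len


def max_inner_len(mtu: int, suite: EspSuite, mode: str, ip_hdr: int = IPV4_HDR) -> int:
    """Largest inner packet that still fits the backhaul MTU without fragmentation."""
    for inner in range(mtu, ip_hdr, -1):
        if esp_packet_len(inner, suite, mode, ip_hdr) <= mtu:
            return inner
    raise ValueError("MTU too small for any packet")


# Constructed case: a 1500-byte user IP packet inside GTP-U (8) / UDP (8) / IPv4 (20) on S1-U.
GTPU_1500 = 1500 + 8 + 8 + IPV4_HDR   # 1536 bytes before IPsec

if __name__ == "__main__":
    for suite in (AES_GCM_128, AES_CBC_128_SHA1):
        for mode in ("tunnel", "transport"):
            print(f"{suite.name:28} {mode:9} +{esp_overhead(GTPU_1500, suite, mode)} bytes")
    print("largest inner packet on a 1500-byte backhaul MTU, tunnel/GCM:",
          max_inner_len(1500, AES_GCM_128, "tunnel"))
```

For the constructed S1-U packet, AES-GCM tunnel mode adds 56 bytes and transport mode 36; the difference is the 20-byte outer IPv4 header. The more useful number for backhaul planning is `max_inner_len`: on a 1500-byte MTU only a 1446-byte GTP-U packet survives tunnel mode unfragmented, so a full-size user packet will be fragmented on the backhaul unless the transport MTU is raised or the UE MTU lowered.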

12 Backhaul link user plane protection

The protection of user plane data between the eNB and the UE by user specific security associations is covered by clauses 5.1.3 and 5.1.4.


In order to protect the S1 and X2 user plane as required by clause 5.3.4, it is required to implement IPSec ESP according to RFC 4303[7] as profiled by TS 33.210[5], with confidentiality, integrity and replay protection.

On the X2-U and S1-U, transport mode IPSec is optional for implementation.

Tunnel mode IPSec is mandatory to implement on the eNB for X2-U and S1-U. On the core network side a SEG may be used to terminate the IPSec tunnel.

For both S1 and X2 user plane, IKEv2 with certificate-based authentication shall be implemented. The certificates shall be implemented according to the profile described by TS 33.310[6]. IKEv2 shall be implemented conforming to the IKEv2 profile described in TS 33.310[6].

NOTE 2: In case S1 and X2 user plane interfaces are trusted (e.g. physically protected), the use of IPSec/IKEv2 based protection is not needed.
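
Clause 12 requires replay protection alongside confidentiality and integrity. ESP gets it from the receiver's sliding window over the sequence number (RFC 4303 section 3.4.3, Appendix A). The following is an added example (Python, not from the spec or this page) of that window, including the ordering the RFC insists on: a cheap window check first, then the ICV, and only then is the window updated, so a forged packet with a high sequence number cannot push the window forward. The packet trace is constructed, not captured traffic.

```python
"""ESP anti-replay sliding window (RFC 4303 section 3.4.3 / Appendix A)."""


class AntiReplayWindow:
    """Receiver-side replay check for one inbound ESP SA.

    `top` is the highest sequence number verified so far; bit i of `bitmap`
    is set when sequence number (top - i) has been received. 32-bit sequence
    numbers without ESN are assumed (ESN keeps the same window logic and only
    widens the counter).
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 sets 32 as the minimum window size (64 is the default)")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Cheap pre-check done before the ICV is verified."""
        if seq == 0:
            return False                        # the first packet on an SA carries 1
        if seq > self.top:
            return True                         # right of the window: new
        diff = self.top - seq
        if diff >= self.size:
            return False                        # left of the window: too old
        return not (self.bitmap >> diff) & 1    # inside: reject if already seen

    def update(self, seq: int) -> None:
        """Advance or mark the window; call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> str:
        """Replay check, then ICV, then window update; that order is the point."""
        if not self.check(seq):
            return "dropped:replay-or-stale"
        if not icv_ok:
            return "dropped:bad-icv"             # window untouched: a forged seq cannot poison it
        self.update(seq)
        return "accepted"


# Constructed trace of (sequence number, whether the ICV verifies); not captured traffic.
TRACE = [(1, True), (3, True), (2, True), (2, True), (3, True),
         (100, True), (36, True), (37, True), (38, False), (38, True), (1, True)]


def run_trace(trace=TRACE, size: int = 64) -> list:
    win = AntiReplayWindow(size)
    return [win.receive(seq, ok) for seq, ok in trace]


if __name__ == "__main__":
    for (seq, ok), result in zip(TRACE, run_trace()):
        print(f"seq={seq:<4} icv_ok={ok!s:<5} -> {result}")
```

In the trace, 2 arriving after 3 is accepted (reordering inside the window), the repeats of 2 and 3 are dropped, 100 jumps the window so 36 becomes stale while 37 is still in range, and 38 with a bad ICV leaves the window untouched so the genuine 38 is still accepted afterwards.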

For the X2 interface, we could:
  1. Set up an eNB-to-eNB IPSec transport link
  2. Send eNB-to-eNB traffic via a SecGW
No resource was found for method 1.
The following suggest method 2:

LTE transport network security
http://www.ieee-cqr.org/2012/May15/Session%202/2_Jason_Boswell_NSN%20LTE%20Security.pdf

Radio-to-core protection in LTE
http://www.stoke.com/GetFile.asp?f=9da2433463cb8e11f41bd6213c67303e
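
What method 2 means in IPsec terms is that the eNB's security policy database (RFC 4301) simply lists the peer eNB prefixes under the same PROTECT entry as the core prefixes, so X2-C and X2-U are carried inside the tunnel the SEG terminates and hairpin there. The following is an added example (Python, not from either slide deck, the spec or this page) that models an ordered SPD lookup for that layout; all addresses, prefixes and SA names are assumptions, and the `x2_via_seg=False` branch only sketches what method 1 would need (a separate transport-mode SA per peer), which the page itself found no reference for.

```python
"""Ordered SPD lookup (RFC 4301) for an eNB whose S1 and X2 traffic is protected
through a SEG-terminated tunnel. Addresses and SA names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SCTP, UDP = 132, 17
S1AP_PORT, X2AP_PORT, GTPU_PORT = 36412, 36422, 2152   # IANA ports for S1-AP, X2-AP, GTP-U


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class Selector:
    local: str                      # prefix the packet's source must fall in (outbound view)
    remote: str                     # prefix the packet's destination must fall in
    proto: Optional[int] = None     # None = any protocol
    dport: Optional[int] = None     # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.local, strict=False)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.remote, strict=False)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                     # PROTECT | BYPASS | DISCARD
    sa: Optional[str] = None        # SA a PROTECT entry points to


def build_enb_spd(enb_ip, seg_ip, core_prefixes, peer_enb_prefixes, x2_via_seg=True):
    """Outbound SPD of one eNB. Order matters: first match wins (RFC 4301 4.4.1)."""
    spd = []
    # IKEv2 to the SEG (UDP/500, UDP/4500) must leave in the clear, so these come first.
    spd += [Policy(Selector(enb_ip, seg_ip, UDP, 500), "BYPASS"),
            Policy(Selector(enb_ip, seg_ip, UDP, 4500), "BYPASS")]
    # S1-MME and S1-U: everything towards the core goes into the tunnel the SEG terminates.
    spd += [Policy(Selector(enb_ip, p), "PROTECT", sa="tunnel:SEG") for p in core_prefixes]
    # X2-C and X2-U: method 2 hairpins through the same SEG tunnel; method 1 (assumption)
    # would instead need a transport-mode SA per peer prefix.
    for p in peer_enb_prefixes:
        spd.append(Policy(Selector(enb_ip, p), "PROTECT",
                          sa="tunnel:SEG" if x2_via_seg else f"transport:{p}"))
    # RFC 4301 default: anything not covered above is dropped, not sent in the clear.
    spd.append(Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD"))
    return spd


def lookup(spd, pkt: Packet) -> Policy:
    for policy in spd:
        if policy.selector.matches(pkt):
            return policy
    raise LookupError("SPD must end with a catch-all entry")


if __name__ == "__main__":
    # Constructed topology: SEG outer address outside every protected prefix (assumption).
    spd = build_enb_spd("10.1.0.10", "192.0.2.1", ["10.10.0.0/16"], ["10.1.0.0/16"])
    for pkt in (Packet("10.1.0.10", "10.10.1.5", SCTP, S1AP_PORT),    # S1-MME to an MME
                Packet("10.1.0.10", "10.10.2.7", UDP, GTPU_PORT),     # S1-U to an S-GW
                Packet("10.1.0.10", "10.1.0.20", SCTP, X2AP_PORT),    # X2-C to a peer eNB
                Packet("10.1.0.10", "192.0.2.1", UDP, 500),           # IKEv2 to the SEG
                Packet("10.1.0.10", "203.0.113.9", 6, 80)):           # stray traffic
        pol = lookup(spd, pkt)
        print(f"{pkt.dst:14} proto={pkt.proto:<3} dport={pkt.dport:<5} -> {pol.action} {pol.sa or ''}")
```

The SEG's own outer address is deliberately kept outside the protected prefixes: if it fell inside one, the ESP packets towards the SEG would themselves match a PROTECT entry. The DISCARD catch-all is what keeps S1 or X2 traffic from ever leaking unprotected when a selector is mistyped; changing it to BYPASS would silently undo the clause 11 and 12 requirements.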
