11 Network Domain Control Plane protection
For X2 interface, we could:
The protection of IP based control plane signalling for EPS and E-UTRAN shall be done according to TS 33.210.
NOTE 1: In case control plane interfaces are trusted (e.g. physically protected), there is no need to use protection according to TS 33.210.
In order to protect the S1 and X2 control plane, it is required to implement IPSec ESP according to RFC 4303 as specified by TS 33.210. For both S1-MME and X2-C, IKEv2 certificates based authentication according to TS 33.310 shall be implemented. For S1-MME and X2-C, tunnel mode IPSec is mandatory to implement on the eNB. On the core network side a SEG may be used to terminate the IPSec tunnel.
Transport mode IPSec is optional for implementation on the X2-C and S1-MME.
NOTE 2: Transport mode can be used for reducing the protocol overhead added by IPSec.
12 Backhaul link user plane protection
The protection of user plane data between the eNB and the UE by user specific security associations is covered by clause 5.1.3 and 5.1.4.
In order to protect the S1 and X2 user plane as required by clause 5.3.4, it is required to implement IPSec ESP according to RFC 4303 as profiled by TS 33.210, with confidentiality, integrity and replay protection.
On the X2-U and S1-U, transport mode IPSec is optional for implementation.
Tunnel mode IPSec is mandatory to implement on the eNB for X2-U and S1-U. On the core network side a SEG may be used to terminate the IPSec tunnel.
For both S1 and X2 user plane, IKEv2 with certificates based authentication shall be implemented. The certificates shall be implemented according to the profile described by TS 33.310. IKEv2 shall be implemented conforming to the IKEv2 profile described in TS 33.310.
NOTE 2: In case S1 and X2 user plane interfaces are trusted (e.g. physically protected), the use of IPSec/IKEv2 based protection is not needed.
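As an added example (not part of the quoted specification), the requirements in clauses 11 and 12 above can be turned into a configuration audit for the four backhaul interfaces. The `Profile` schema, its field names and the sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

CONTROL_PLANE = {"S1-MME", "X2-C"}   # clause 11
USER_PLANE = {"S1-U", "X2-U"}        # clause 12

@dataclass
class Profile:                       # hypothetical schema, not a vendor format
    interface: str
    protocol: str = "esp"            # "esp" or "ah"
    modes: tuple = ("tunnel",)       # IPsec modes the eNB implements
    ike_version: int = 2
    auth: str = "cert"               # "cert" or "psk"
    encryption: str = "aes-cbc"      # "null" means no confidentiality
    integrity: str = "hmac-sha256"   # "null" means no integrity
    anti_replay: bool = True
    trusted: bool = False            # e.g. physically protected link

def audit(p: Profile) -> list[str]:
    """Return findings for one interface; an empty list means it passes."""
    if p.interface not in CONTROL_PLANE | USER_PLANE:
        return ["unknown interface"]
    if p.trusted:                    # the NOTEs exempt trusted interfaces
        return []
    findings = []
    if p.protocol != "esp":
        findings.append("IPsec ESP (RFC 4303) is required")
    if "tunnel" not in p.modes:      # transport mode alone is not enough
        findings.append("tunnel mode is mandatory on the eNB")
    if p.ike_version != 2 or p.auth != "cert":
        findings.append("IKEv2 with certificate-based authentication is required")
    if p.interface in USER_PLANE:    # clause 12 names these three properties;
        # clause 11 as quoted defers the details to TS 33.210, so not checked here
        if p.encryption == "null":
            findings.append("confidentiality is required")
        if p.integrity == "null":
            findings.append("integrity is required")
        if not p.anti_replay:
            findings.append("replay protection is required")
    return findings

# Constructed sample profiles for one eNB (not taken from a real deployment).
SAMPLES = [
    Profile("S1-MME"),
    Profile("X2-C", modes=("transport",), auth="psk", ike_version=1),
    Profile("S1-U", encryption="null", anti_replay=False),
    Profile("X2-U", protocol="ah", trusted=True),
]

def audit_all(profiles):
    return {p.interface: audit(p) for p in profiles}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "OK" if not findings else findings)
```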
- Set up eNB-to-eNB IPSec transport link
- Send eNB-to-eNB traffic via SecGW
The following references suggest method 2 (sending eNB-to-eNB traffic via the SecGW):
LTE transport network security
Radio-to-core protection in LTE