9.5 Summary

A packet mobile backhaul is based on an open and well-known protocol, IP. Even though the backhaul is a separate, private network (not directly connected to the public internet), it is still exposed to many threats that do not exist in a TDM or ATM network. Introducing IP-based logical interfaces and IP/MPLS/Ethernet technologies in the backhaul therefore requires that these threats be identified and properly addressed.

In many cases, 3GPP requires an implementation of cryptographic protection using IPsec. For LTE, 3GPP specifications for the network domain are clearly written and explicit. For 2G and 3G, guidance from the more recent LTE specification work can be used.

Backhaul security is not only about the IP layer and its protection with IPsec. Other layers and other types of threats need to be considered as well; many of these are addressed by sound design guidelines and operating practices.

IPsec VPNs are deployed to provide cryptographic protection for the traffic carried in the mobile backhaul. IPsec supports encryption, authentication and confidentiality. Typically IPsec terminates at the BTS on one end (either as an IPsec function integrated in the BTS or as a separate cell site gateway) and at a central site IPsec GW on the other. With an IPsec VPN, high availability of the IPsec GW is necessary, since a large number of BTSs depend on it. Different resilience models exist, depending on the IPsec GW implementation.

ESP in tunnel mode is the selected IPsec protocol, as it can provide all of the required security services. IKEv2 (and IKEv1 for interworking with legacy equipment) handles key management and controls the establishment and release of IPsec SAs. As part of the IKE exchanges, the peers must authenticate each other. The authentication can be based on PSK, or preferably on X.509 digital certificates, as they provide better scalability. IPsec also affects other system areas, such as packet fragmentation and Quality of Service, and the system designer needs to take those effects into account when planning an IPsec VPN for the mobile backhaul.
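The fragmentation effect of ESP tunnel mode mentioned above, as an added illustration that is not part of the chapter: the calculator below sizes the outer packet produced by ESP tunnel mode for two common cipher suites and derives the largest inner packet a BTS can send without the IPsec GW path having to fragment. It assumes IPv4 inner and outer headers, optional UDP encapsulation for NAT traversal, and a constructed 1500-byte backhaul MTU.

```python
"""ESP tunnel-mode overhead and inner-MTU planning for an IPsec backhaul VPN.

Added illustration, not from the original chapter. Assumptions: IPv4 for both
the inner (BTS) packet and the outer (tunnel) packet, no IP options, and a
backhaul MTU that is constructed for the example.
"""

IPV4_HDR = 20      # outer IPv4 header prepended in tunnel mode
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
UDP_ENCAP = 8      # extra UDP header when NAT traversal encapsulation is used

# Cipher suite parameters: (IV length, padding alignment, ICV length) in bytes.
# AES-CBC pads to the 16-byte block; AES-GCM only needs ESP's 4-byte alignment.
SUITES = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),
    "aes-gcm-128-16": (8, 4, 16),
}


def esp_tunnel_size(inner_len: int, suite: str, nat_t: bool = False) -> int:
    """Size of the outer packet that carries an inner IP packet of inner_len bytes."""
    iv_len, align, icv_len = SUITES[suite]
    # ESP padding covers the inner packet plus the 2-byte trailer, rounded up
    # to the cipher's alignment requirement.
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    size = IPV4_HDR + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        size += UDP_ENCAP
    return size


def max_inner_mtu(outer_mtu: int, suite: str, nat_t: bool = False) -> int:
    """Largest inner packet that fits in outer_mtu without fragmenting the ESP packet.

    This is the MTU a planner would configure on the BTS-side interface (or
    advertise via Path MTU Discovery) so that fragmentation happens before
    encryption, where it is cheap, rather than on the encrypted tunnel.
    """
    inner = outer_mtu
    while esp_tunnel_size(inner, suite, nat_t) > outer_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    BACKHAUL_MTU = 1500  # constructed value for the example
    for suite in SUITES:
        for nat_t in (False, True):
            print(f"{suite:22} nat_t={nat_t!s:5} 1500-byte inner -> "
                  f"{esp_tunnel_size(1500, suite, nat_t)} bytes on the wire; "
                  f"max inner MTU {max_inner_mtu(BACKHAUL_MTU, suite, nat_t)}")
```

The gap between the 1500-byte inner packet and the outer size is the overhead the backhaul must absorb either through a larger transport MTU or a reduced inner MTU; the same per-packet overhead also reduces the effective bandwidth available for QoS planning.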

