
IP Transport network Overview – part 2
Introduction
Why learn about the IP transport Network?
› IP features
› IP security and protocols
Scope and objectives
Scope
› IP Packet Format
› Transport Protocols
› What is IP Security
› Common mode in IPsec
› Security Architecture
› Security Features

Objectives
› To get an overview of the Ericsson IP Security solution
> Pre-test
Pre-test
› A pre-test will be inserted here. You do not have to take any actions on this. It is done by an external vendor. The pre-test will re-use the Quiz at the end.
> Overview
Overview
› IP Security
› IP Format
› IP transport network Features and Security
› IPsec Transport protocols

IP Packet Format

Transport protocols

Plane / use                                   Protocol   IP protocol number   Ports
Control plane                                 SCTP       132                  yes
User plane (GTP-U) and NW synch (NTP)         UDP        17                   yes
O&M                                           TCP        6                    yes
Ping (utility)                                ICMP       1                    no ports

IP datagram format (IPv4 header; octet order left to right, bit order 0-7 within each octet)

Offset   Octet +0                  Octet +1           Octets +2 and +3
+0       version, hdr length       type of service    total length
+4       identification                               flags, fragment offset
+8       time to live              protocol           header checksum
+12      source IP address
+16      destination IP address
+20      options (if any), padding
+24      data

Physical network and Ethernet

[Figure: the same IP datagram carried over the physical network and Ethernet; the header layout is the one in the IP datagram format table.]
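As an added example (not part of the slides), the Python below decodes an IPv4 header field by field as the datagram format table lays it out, verifies the header checksum, and names the transport protocol using the IP protocol numbers from the Transport protocols slide (1 ICMP, 6 TCP, 17 UDP, 132 SCTP) together with the use the slide attributes to each. The sample packet, its 10.0.0.x addresses and field values are constructed for the example.

```python
"""Decode an IPv4 header as laid out in the IP datagram format diagram.

Added example (not part of the slides): the packet, addresses and field
values below are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass

# IP protocol numbers and the uses given on the Transport protocols slide.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 132: "SCTP"}
PROTOCOL_USE = {
    1: "utility (ping), no ports",
    6: "O&M",
    17: "user plane (GTP-U) and network synch (NTP)",
    132: "control plane",
}


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words (RFC 791).

    With the checksum field zeroed it returns the value to write into the
    header; over a header carrying a correct checksum it returns 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    version: int
    ihl: int                 # header length in 32-bit words (5 = 20 octets, no options)
    tos: int
    total_length: int
    identification: int
    flags: int               # 3 bits: reserved, DF, MF
    fragment_offset: int     # 13 bits, in 8-octet units
    ttl: int
    protocol: int
    header_checksum: int
    source: str
    destination: str
    options: bytes           # +20 onward: options (if any) and padding
    checksum_ok: bool

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, "other(%d)" % self.protocol)

    @property
    def protocol_use(self) -> str:
        return PROTOCOL_USE.get(self.protocol, "not on the slide")


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Parse the header at the start of `packet`; raises ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 octets")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, csum) = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    header_len = ihl * 4
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("bad IHL=%d for a %d-octet packet" % (ihl, len(packet)))
    if total_length < header_len:
        raise ValueError("total length %d smaller than header" % total_length)
    return IPv4Header(
        version, ihl, tos, total_length, ident,
        flags_frag >> 13, flags_frag & 0x1FFF, ttl, proto, csum,
        str(ipaddress.IPv4Address(packet[12:16])),   # +12 source IP address
        str(ipaddress.IPv4Address(packet[16:20])),   # +16 destination IP address
        packet[20:header_len],
        checksum_ok=ipv4_checksum(packet[:header_len]) == 0,
    )


def build_sample_packet() -> bytes:
    """Constructed sample: 20-octet header, SCTP, 10.0.0.1 -> 10.0.0.2, DF set, 8 octets of payload."""
    payload = bytes(8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, 132, 0,
                      ipaddress.IPv4Address("10.0.0.1").packed,
                      ipaddress.IPv4Address("10.0.0.2").packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


if __name__ == "__main__":
    h = parse_ipv4_header(build_sample_packet())
    print(h.protocol_name, "-", h.protocol_use, "|", h.source, "->", h.destination,
          "| checksum ok:", h.checksum_ok)
```

The parser refuses a header shorter than 20 octets, a non-IPv4 version or an IHL that points past the buffer, and reports a checksum mismatch rather than silently accepting a header that was altered in flight.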
What’s IPsec?

[Figure: Example of a secured IP network. Two private networks exchange clear text internally; between the security gateways SEGw1 and SEGw2 the traffic crosses the public network as encrypted text inside an IPsec tunnel.]


IPsec modes of operation

Transport mode: Host A - Router - Router - Host B; the protected link runs end to end between the two hosts.
Packet: IP header (unprotected) | IPsec (header and tail) | IP payload (protected)

Tunnel mode: Host - LAN - SeGw - SeGw - LAN - Host; the protected link runs between the two SeGws.
Packet: new IP header with SeGw source and destination IP address | IPsec (header and tail) | original IP header + IP payload (protected)
IPsec Components
› Encapsulating Security Payload (ESP)
› Authentication Header (AH)
› Internet Key Exchange (IKE)

IPsec layout
› Domain of Interpretation
ESP packet diagram
Before:  Orig IP Hdr | TCP Hdr | Data
After (ESP Hdr inserted; ESP Trailer and ESP Auth appended):
         Orig IP Hdr | ESP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
Usually encrypted: TCP Hdr, Data and ESP Trailer
Integrity hash coverage: ESP Hdr through ESP Trailer (the IP header is not covered)

Authentication Header packet diagram
Before:  Orig IP Hdr | TCP Hdr | Data
After (AH Hdr inserted):
         Orig IP Hdr | AH Hdr | TCP Hdr | Data
Integrity hash coverage: the whole packet, except for mutable fields in the IP hdr

AH header
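An added example, not from the slides, that makes the difference between the two coverage bars concrete: the AH integrity check value (ICV) covers the IP header with its mutable fields (type of service, flags and fragment offset, TTL, header checksum) zeroed, plus the AH header and the payload, while the ESP ICV covers only the ESP header, payload and trailer. It builds both transport-mode packets with HMAC-SHA-1-96 (RFC 2404) over a constructed payload; the key, SPI values and 10.0.0.x addresses are made up, and payload encryption is deliberately left out so the coverage boundaries stay visible.

```python
"""Integrity coverage of AH versus ESP in transport mode, as drawn on the slides.

Added example, not part of the slides: key, SPIs, addresses and payload are
made up; payload encryption is omitted so the coverage boundaries stay visible.
"""
import hashlib
import hmac
import struct

ESP, AH, TCP = 50, 51, 6          # IANA IP protocol numbers
ICV_LEN = 12                      # HMAC-SHA-1-96 (RFC 2404): tag truncated to 96 bits


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ip_header(proto: int, total_length: int,
                   src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", ttl=64) -> bytes:
    """20-octet IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 1, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def rewrite_ip_header(packet: bytes, ttl=None, dst=None) -> bytes:
    """What a router or NAT does in flight: change TTL/destination and fix the checksum."""
    h = bytearray(packet[:20])
    if ttl is not None:
        h[8] = ttl
    if dst is not None:
        h[16:20] = dst
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """AH ICV (RFC 4302): whole packet, with the mutable IP fields and the ICV field zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                      # type of service (DSCP/ECN)
    h[6:8] = b"\x00\x00"          # flags and fragment offset
    h[8] = 0                      # time to live
    h[10:12] = b"\x00\x00"        # header checksum
    covered = bytes(h) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, payload: bytes, spi: int, seq: int, next_header=TCP) -> bytes:
    """Orig IP Hdr | AH Hdr | payload. AH Hdr = next hdr, payload len, reserved, SPI, seq, ICV."""
    ah_words = (12 + ICV_LEN) // 4                       # AH length in 32-bit words (6)
    ah_fixed = struct.pack("!BBHII", next_header, ah_words - 2, 0, spi, seq)
    ip_hdr = make_ip_header(AH, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def build_esp_packet(key: bytes, payload: bytes, spi: int, seq: int, next_header=TCP) -> bytes:
    """Orig IP Hdr | ESP Hdr | payload | ESP Trailer | ESP Auth (RFC 4303).

    The ICV covers ESP Hdr through ESP Trailer only; the IP header is outside it.
    A real SA encrypts payload + trailer before the ICV is computed (not done here).
    """
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4                 # align pad length + next hdr to 4 octets
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = esp_hdr + payload + trailer
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return make_ip_header(ESP, 20 + len(body) + ICV_LEN) + body + icv


def verify_esp(key: bytes, packet: bytes) -> bool:
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN])


if __name__ == "__main__":
    key = b"constructed-example-key"
    ah = build_ah_packet(key, b"hello", 0x100, 1)
    esp = build_esp_packet(key, b"hello", 0x200, 1)
    other = bytes([10, 0, 0, 9])
    print("AH after TTL decrement:", verify_ah(key, rewrite_ip_header(ah, ttl=63)))
    print("AH after destination rewrite:", verify_ah(key, rewrite_ip_header(ah, dst=other)))
    print("ESP after destination rewrite:", verify_esp(key, rewrite_ip_header(esp, dst=other)))
```

Running it shows the practical consequence of the two diagrams: a TTL decrement by a router leaves the AH check intact because TTL is a mutable field, a rewritten destination address breaks it, and the same address rewrite does not touch the ESP check at all because the outer IP header is outside its coverage.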
Internet Key Exchange (IKE)

[Figure: each peer holds a private key (PRI) and a public key (PUB); IKE uses the key pairs to establish a session key (SSN) shared by both sides.]
Encryption Layers

Application layers (5-7):        Application-layer encryption (SSL, PGP, S-HTTP, SSH)
Transport/Network layers (3-4):  Network-layer encryption (IPsec), between SEGw and SEGw
Link/Physical layers (1-2):      Link-layer encryption (KG, KIV)


IPsec Protocols

Encryption (Data Privacy)
• DES – Data Encryption Standard
• 3DES – Triple Data Encryption Standard
• AES – Advanced Encryption Standard (US)
• IDEA – International Data Encryption Algorithm

Integrity/Authentication (Data Exchange Verification)
• IKE – Internet Key Exchange
• RSA / DSS – Rivest, Shamir, Adleman / Digital Signature Standard
• X.509v3 – Digital Certificates
• MD5 / SHA – Message Digest 5 / Secure Hash Algorithm

Modes (Transport Format)
• AH / ESP – Authentication Header / Encapsulating Security Payload
• Tunnel / Transport – Network to Network / Host to Host
Security Features
› Access Control – ACL, AAA, SEGw

› Security Audit – SSH (Secure Shell)

› Hardening and File System Integrity – IDS, DoS


IP RAN for Transport Security

[Figure: IP RAN reference solution with transport sharing. A GSM RBS site and a GSM/WCDMA RBS site, each with an SIU, connect over the mobile L2/L3 backhaul through IPsec tunnels to a SEGw at the BSC/RNC site (L2 switch, GSM BSC, WCDMA RNC with ET-MFX) and onward over L2/L3 transport to the core network; an LTE eNB (DUL) connects through its own SEGw.]

• IP RAN Reference solution including secure transport
• Authentication and Encryption of traffic
• Security Gateways from Juniper/SIU
• SIU – Site Integration Unit
Example IP RAN Transport network security

[Figure: use of IPsec tunnels, comparing a common virtual private network with independent virtual private networks. RBSs A1, A2 and A3 reach the core network pools (MME, S-GW) through a SEG, with the Internet as the untrusted transport in between; S1 and X2 are carried over IPsec, marked as optional. At handover, signaling to another pool may be needed; only S1 is used at handover between pools (core network pool 2).]

Recommendation: use IPsec only on those sections that are not secure.

LTE RBS will have IPsec or an external SEG (R1).
Summary
› IP Packet format
› Transport Protocols
› What is IP sec
› IPsec Modes of Operation
› Encryption Layers
› IPsec Protocols
› Security Features
› IP RAN for transport Security
› Use of IPsec tunnels
Quiz
› Network security is primarily focused on which layer?
– Application Layer
– Transport/Network Layer (correct)
– Link/Physical

› Which IP packet format is Ericsson using currently?
– IPv2
– IPv4 (correct)
– IPv6
Quiz
› Encryption protocols are mainly used for?
– Data Privacy (Correct)
– Data Exchange Verification
– Transport Format

› Integrity/Authentication protocols are mainly used for?


– Data Privacy
– Data Exchange Verification (correct)
– Transport Format
Quiz
› The Network protocol Secure Shell (SSH) is used for?
– Access Control
– Security Audit (correct)
– Hardening and File system Integrity

› Which transport protocol is most likely to be used for Operation and Maintenance (O&M)?
– SCTP Streamed Control Transmission Protocol
– UDP User Datagram Protocol
– TCP Transmission Control Protocol (Correct)
Feedback FORM
› A feedback form will be added here.

More Information
› Product Security (link)
› Product Catalogue (link)
› Customer Product Information (link)
Acronyms
› AAA Authentication, Authorization and Accounting
› ACL Access Control List
› AES Advanced Encryption Standard
› AH Authentication Header
› ATM Asynchronous Transmission Mode
› BSC Base Station Controller
› BSS Base Station Subsystem
› CPE Customer Premise Equipment
› DDoS Distributed Denial of Service
› DoS Denial of Service
› DES Data Encryption Standard
› 3DES Triple Data Encryption Standard
› DSS Digital Signature Standard
› eNodeB Evolved Node B
› EPC Evolved Packet Core
› ESP Encapsulating Security Payload
› GSM Global System for Mobile communication
› IDEA International Data Encryption Algorithm
› IDS Intrusion Detection System
› IHL IP Header Length
› IKE Internet Key Exchange
› IKEv2 Internet Key Exchange version 2
› IP Internet Protocol
› IPsec IP Security
› IPv2 Internet Protocol version 2
› IPv4 Internet Protocol version 4
› IPTV Internet Protocol Television
› L10B
› MD5 Message Digest 5
› O&M Operation and Maintenance
› OSS-RC Operations Support System Radio and Core
› RAN Radio Access Network
› RBS Radio Base Station
› RNC Radio Network Controller
› RSA Rivest, Shamir, Adleman
› SA Security Association
› SCP Secure Copy
› SCTP Stream Control Transmission Protocol
› SEGw Security Gateway
› SFTP SSH File Transfer Protocol
› SHA Secure Hash Algorithm
› SIU Site Integration Unit
› SPI Security Parameter Index
› SSH Secure Shell
› SSL Secure Sockets Layer
› TCP Transmission Control Protocol
› TDM Time Division Multiplexing
› TLS Transport Layer Security
› UDP User Datagram Protocol
› VPN Virtual Private Network
› WCDMA Wideband Code Division Multiple Access
› X11 X Window System protocol, version 11
› X509v3 X.509 certificate format, version 3
