Table of Contents
Introduction
1 Motivation and Feature Overview
Technical Details
2 Functionality and Implementation, Message Flows
Configuration Management
3 Parameters
Deployment Aspects
4 Feature Activation and Configuration Examples
• Hence, the term “IPSec” does not refer to a single protocol but to a set of protocols; currently about 20 IETF RFCs cover IPSec.
• Security protocol:
– Authentication Header (AH), not in RL10/RL20. AH has no encryption, only authentication.
– Encapsulating Security Payload (ESP), encrypts and authenticates.
– ESP adds a new header.
– ESP implemented in RL10/RL20.
• Key management
– Internet Key Exchange (IKE) is a set of protocols used by IPSec to create a Security Association (SA) between two ends.
– Two versions: IKEv1 and IKEv2.
– IKEv2 supports SCTP.
– IKEv2 recommended by 3GPP, but not supported by all IPSec implementations.
– Both IKEv1 and IKEv2 implemented in RL10/RL20.
LTE RL10 and RL20 implement a subset of the full IPSec protocol suite:
• Services: data encryption and integrity protection, origin authentication and anti-replay protection
• Key exchange: dual stack IKEv1 (RFC 2409) / IKEv2 (RFC 4306)
NOTE: in addition to the IPSec SA described above, there is also another kind of SA, called the IKE SA, which is used in the initial connection establishment between IPSec peers (see following slides).
• IPSec security protocols typically use symmetric ciphers for protecting user data (example: AES-CBC-128).
• Symmetric ciphers use the same key for encrypting and decrypting. There must be a mechanism to exchange that key between the ends.
• Internet Security Association and Key Management Protocol (ISAKMP) is one of those protocols.
• Internet Key Exchange protocol in itself is (again!) a set of protocols instead of a single protocol
• With the help of ISAKMP, IPSec uses the best of both asymmetric and symmetric ciphering:
– Using asymmetric ciphering for ISAKMP establishes a secure connection between IPSec peers
– The security association of this connection is called the IKE SA
– Secret keys for symmetric ciphering can be distributed over this secure connection
– Using symmetric keys for protecting user data flows is more efficient
• IKE has two versions: IKEv1 and IKEv2
– IKEv2 recommended by 3GPP
IKE_SA_INIT exchange between SEG #1 (”initiator”) and SEG #2 (”receiver”):
• SEG #1 → SEG #2: IKE_SA_INIT request (plain text), containing:
– IKE SA SPI used by SEG#1
– Supported security algorithms for IKE SA
– DH key exchange data
– Nonce payload
– Notification fields (optional)
• SEG #2 selects security algorithms for IKE SA
• SEG #2 → SEG #1: IKE_SA_INIT response (plain text), almost identical format to the IKE_SA_INIT request, except:
– includes also IKE SA SPI for SEG#2
– Certificate Request
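As an added illustration (not code from the original slides or from the RL10/RL20 product), the following Python models the IKE_SA_INIT exchange above: the initiator's plain-text request, the responder's algorithm selection and its response carrying its own SPI and a Certificate Request, and the SKEYSEED derivation from both nonces and the DH secret as in RFC 4306. The 64-bit DH group, HMAC-SHA256 as prf and the proposal strings are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed toy DH group (a 64-bit prime) for illustration only; real IKEv2
# peers use the standard MODP groups from RFC 3526 / RFC 5114.
DH_P = 0xFFFFFFFFFFFFFFC5
DH_G = 2

def dh_private():
    return int.from_bytes(os.urandom(8), "big") % (DH_P - 3) + 2  # in [2, p-2]

def ike_sa_init_request(proposals, priv):
    # Sent in plain text: the initiator's IKE SA SPI, its algorithm proposals in
    # preference order, its DH public value (KE payload) and a nonce (Ni).
    return {"spi_i": os.urandom(8), "proposals": list(proposals),
            "ke": pow(DH_G, priv, DH_P), "nonce": os.urandom(32), "notify": []}

def ike_sa_init_response(req, supported, priv):
    # The responder picks the first initiator proposal it also supports; if none
    # matches, it answers only with a NO_PROPOSAL_CHOSEN notification.
    chosen = next((p for p in req["proposals"] if p in supported), None)
    if chosen is None:
        return {"spi_i": req["spi_i"], "notify": ["NO_PROPOSAL_CHOSEN"]}
    # Same layout as the request plus the responder's own SPI and a CERTREQ
    # asking the initiator to authenticate with a certificate in IKE_AUTH.
    return {"spi_i": req["spi_i"], "spi_r": os.urandom(8), "proposal": chosen,
            "ke": pow(DH_G, priv, DH_P), "nonce": os.urandom(32),
            "certreq": True, "notify": []}

def skeyseed(nonce_i, nonce_r, g_ir):
    # SKEYSEED = prf(Ni | Nr, g^ir), RFC 4306 section 2.14; prf is HMAC-SHA256 here
    secret = g_ir.to_bytes((g_ir.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()

def run_exchange(initiator_proposals, responder_supported):
    # Drives both sides of IKE_SA_INIT and returns what each side derived.
    a, b = dh_private(), dh_private()
    req = ike_sa_init_request(initiator_proposals, a)
    resp = ike_sa_init_response(req, responder_supported, b)
    if "spi_r" not in resp:
        return {"notify": resp["notify"]}
    g_ir_i = pow(resp["ke"], a, DH_P)  # initiator: own exponent, peer's KE
    g_ir_r = pow(req["ke"], b, DH_P)   # responder: own exponent, peer's KE
    return {"proposal": resp["proposal"], "spi_i": req["spi_i"],
            "spi_r": resp["spi_r"],
            "skeyseed_i": skeyseed(req["nonce"], resp["nonce"], g_ir_i),
            "skeyseed_r": skeyseed(req["nonce"], resp["nonce"], g_ir_r),
            "notify": []}
```

Both sides end with the same SKEYSEED although only public values (SPIs, proposals, KE payloads, nonces) crossed the wire in clear text; the peers are not yet authenticated at this point, which is what the following IKE_AUTH exchange is for.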
[Figure: LTE security overview; legend recovered from the diagram]
• NAS signaling: ciphered & integrity protected using NAS signaling security (AKA/Subscriber Security)
• U-plane data: ciphered
• U-plane data over S1-U to the SAE-GW: ciphered and integrity protected with IPSec (optional)
• U-plane data packets forwarded over X2: ciphered and integrity protected with IPSec (optional)
• M-plane data to O&M EMS/NMS: ciphered and integrity protected with IPSec & TLS (optional) (Transport Security)
NOTE: S-plane security not specified by 3GPP