• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Securing the backhaul
 

Securing the backhaul

on

  • 7,388 views

Presented by Andrew Davies, IP Architect, Telefonica UK, in LTE World Summit Amsterdam 26th June 2013

Presented by Andrew Davies, IP Architect, Telefonica UK, in LTE World Summit Amsterdam 26th June 2013

Statistics

Views

Total Views
7,388
Views on SlideShare
992
Embed Views
6,396

Actions

Likes
8
Downloads
0
Comments
0

18 Embeds 6,396

http://blog.3g4g.co.uk 6248
http://feedly.com 74
http://news.google.com 29
http://feeds.feedburner.com 16
http://inoreader.com 6
http://www.feedspot.com 6
http://newsblur.com 3
http://feedproxy.google.com 2
http://translate.googleusercontent.com 2
http://wireless650.rssing.com 2
https://twitter.com 1
http://www.newsblur.com 1
https://reader.aol.com 1
http://www.hanrss.com 1
http://www.ighome.com 1
https://reader.aol.co.uk 1
http://feedreader.com 1
http://3g4g.blogsopt.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Securing the backhaul Securing the backhaul Presentation Transcript

    • Securing the backhaul Learning to love the LTE Security Gateway LTE World Summit Amsterdam 26th June 2013 Andrew Davies, IP Architect, Telefonica UK
    •  My background • • • • Data (IP) Networking Telefonica UK; Mobile Operator, Fixed Broadband and Corporate Services Currently lead for LTE IP Architecture and Design I have been learning to love the LTE Security Gateway for about eighteen months
    • CONTENTS 01 02 03 04 05 06 The Requirement The solution, PKI and IPSec, Firewalling MTU Auto-Integration Geo-Resilience LTE - Advanced
    • 01 The Requirement?
    • The requirement – securing the backhaul MME S-GW P-GW Internet • I need to protect this infrastructure • Customer confidentiality • Service protection/Infrastructure integrity
    • The requirement – securing the backhaul MME S-GW P-GW Internet • What has changed from 2G/3G? • All IP + Ethernet = RJ45, threat is similar but TDM kit not so widely available and as well understood as IP/Ethernet and free capture programs. • 2G/3G core segregated from MBH by BSC/RNC
    • The requirement – securing the backhaul MME S-GW P-GW Internet • Threat – eavesdropping • • • eNodeB locations are insecure First mile termination could be located in third party premises Aggregation infrastructure could be located in third party premises
    • The requirement – securing the backhaul MME S-GW P-GW Internet • Threat – Alien eNodeB • How do you prevent someone attaching an eNodeB to your infrastructure?
    • The requirement – securing the backhaul MME S-GW MME P-GW Internet • Threat – Alien MME • How do you prevent someone attaching an MME to your infrastructure?
    • The requirement – securing the backhaul MME S-GW P-GW Internet • Threat – Denial of Service • How do you prevent someone flooding your IP infrastructure or attached systems?
    • The requirement – securing the backhaul MME S-GW P-GW Internet
    • The requirement – securing the backhaul MME S-GW P-GW Internet • Caption competition….. I don’t know how it works either
    • The requirement – securing the backhaul MME S-GW P-GW Internet • Threat – Complexity • Difficult to maintain infrastructure is insecure
    • The requirement – securing the backhaul MME S-GW P-GW Internet • 3GPP • Encryption of IP traffic from eNodeB to EPC is not mandated.
    • The requirement – securing the backhaul MME S-GW P-GW Internet • What is everyone else doing? • Time for some market research
    • 02 Securing the backhaul - PKI - IPSec
    • Last mile Aggregation Core MME S-GW P-GW Internet • Authentication • PKI = Public Key Infrastructure • Encryption • IPSec = IETF defined IP Security protocol
    • Last mile Aggregation Core MME S-GW P-GW Internet eNodeBs Have IPSec feature set EPC does not have IPSec feature set
    • Last mile Aggregation Core MME S-GW P-GW Internet These could be Insecure Third Party locations
    • Last mile Aggregation Core VPN Concentrator IPSec Tunnel MME S-GW P-GW Internet These could be Insecure Third Party locations
    • Last mile Aggregation Core VPN Concentrator IPSec Tunnel MME S-GW P-GW Internet
    • Last mile Aggregation Core VPN Concentrator IPSec Tunnel MME S-GW P-GW Internet Only VPN Concentrator Between MBH and Core
    • Last mile Aggregation Core VPN Concentrator IPSec Tunnel MME S-GW P-GW Internet Only VPN Concentrator Between MBH and Core
    • RNC BSC IuPS-cp/up Gb GN S-GW MBH VPN Concentrator Signalling MME 23 P-GW
    • RNC BSC IuPS-cp/up Gb GN S-GW MBH VPN Concentrator Signalling MME 24 P-GW
    • RNC BSC IuPS-cp/up Gb GN S-GW MBH VPN Concentrator Signalling MME 25 P-GW
    • GN S-GW MBH VPN Concentrator P-GW Signalling MME • Do I want to connect my precious signalling infrastructure to MBH via VPN concentrator? 26
    • GN S-GW MBH VPN Concentrator MME MME Signalling • Dedicated Security domain for S1-MME interface on MME 27 P-GW
    • • Firewall feature set on LTE Security Gateway VPN Concentrator + Firewall Feature set Security Gateway GN S-GW MBH MME MME Signalling • Dedicated Security domain for S1-MME interface on MME 28 P-GW
    • • Firewall feature set on LTE Security Gateway VPN Concentrator + Firewall Feature set • Includes Stateful inspection of SCTP traffic Security Gateway GN S-GW MBH MME MME Signalling • Dedicated Security domain for S1-MME interface on MME 29 P-GW
    • • Securing 2G and 3G alongside LTE Secure when all IP? No IPSec No IPSec CP 3G OAM UP LTE Solution No IPSec OAM UP CP 2G OAM UP CP
    • • Securing 2G and 3G alongside LTE Secure when all IP? IPSec No IPSec No IPSec OAM No UP Yes CP 2G No CP 3G OAM UP LTE Solution No OAM UP CP
    • • Securing 2G and 3G alongside LTE Secure when all IP? IPSec No IPSec No IPSec OAM No IPSec UP Yes n/a CP 2G No CP 3G OAM UP LTE Solution No IPSec OAM UP CP
    • • Securing 2G and 3G alongside LTE Secure when all IP? IPSec No IPSec No IPSec OAM No IPSec UP Yes n/a CP 2G No CP 3G OAM UP LTE Solution No IPSec OAM No UP No CP No
    • • Securing 2G and 3G alongside LTE Secure when all IP? IPSec No IPSec No IPSec OAM No IPSec UP Yes n/a CP 2G No CP 3G OAM UP LTE Solution No IPSec OAM No IPSec UP No IPSec CP No IPSec
    •  Securing 2G/3G • • Vendor support for IPSec ion 2G/3G is coming……… Do you want to put all eggs in one basket? 35
    • • Certificates MBH Security Gateway 36
    • • Certificates Certificate Authority MBH Security Gateway 37
    • • Certificates Certificate Authority Device Root certificate certificate MBH Security Gateway 38
    • • Certificates Device Root certificate certificate Certificate Authority Device Root certificate certificate MBH Security Gateway 39
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate MBH Security Gateway 40
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway 41
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway 42
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway 43
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway 44
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 45
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 46
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 47 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 48 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 49 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 50 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 51 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 52 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 53 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 54 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway MBH 55 Certificate Authority Vendor # 3
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway Certificate Authority Vendor # 3 MBH Certificate Authority Vendor # 4 56
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway Certificate Authority Vendor # 3 MBH Certificate Authority Vendor # 4 57
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway Certificate Authority Vendor # 3 MBH Certificate Authority Vendor # 4 58
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway Certificate Authority Vendor # 3 MBH Certificate Authority Vendor # 4 59
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway Certificate Authority Vendor # 3 MBH Certificate Authority Vendor # 4 60
    • • Certificates Certificate Authority Vendor # 1 Device Root certificate certificate Certificate Authority Vendor # 2 MBH Security Gateway Certificate Authority Vendor # 3 MBH Certificate Authority Vendor # 4 61
    • • Certificates Certificate Authority Operator #1 Device Root certificate certificate MBH Security Gateway Certificate Authority Vendor # 3 MBH Certificate Authority Vendor # 4 62
    • • Certificates Certificate Authority Operator #1 Device Root certificate certificate MBH Security Gateway MBH 63 Certificate Authority Operator #2
    • 03 MTU Size
    •  MTU Size • Ethernet MTU is 1500bytes • IPSec overhead can be as large as 72bytes • If your Carrier Ethernet solution can support Jumbo frames or Baby Jumbo’s (1700) then you are OK 65
    • User Payload TCP Header + 20 bytes IPV4 Header + 20 bytes GTP Header + 8 bytes UDP Header + 8 bytes IPV4 Header + 20 bytes ESP AH + 72 bytes IPV4 Header + 20 bytes
    •  MTU Size • • • • • • • • • • • Ethernet MTU is 1500 Outer IP Header = 20 bytes (1500-20 = 1480) ESP Overhead Total = 72 bytes (1480-72 = 1408) Inner IP Header = 20 bytes (1408-20 = 1388) Fragmentation requirement 1388 (modulus 8) = 1384) Padding so IP packet modulus 16 = 1384 + 20 (modulus16) = 12 16-12 = 4, 1384+20+4=1408 UDP Header = 8 bytes (1384-8 = 1376) GTP-U Header = 8 bytes (1376-8 = 1368) User IP Header = 20 bytes (1368-20 = 1348) Padding so IP packet modulus 16 = 1348 + 20 (modulus16) = 8 16-8 = 8, 1348-8 = 1340 TCP Header = 20 bytes (1340-20 = 1320)
    •  MTU Size • Pre-fragmentation of IP packets ahead of IPSec encryption is a good idea where eNodeB does not support re-assembly of encrypted packets 68
    • 04 Auto-Integration
    • OSS MME S-GW P-GW Security Gateway Internet • How are you going to commission eNodeBs on industrial scale?
    • OAM/DCN Firewall OSS MME S-GW P-GW Security Gateway Internet • How are you going to commission eNodeBs on industrial scale?
    • OAM/DCN Firewall OSS MME S-GW P-GW Security Gateway Internet • How are you going to commission eNodeBs on industrial scale?
    • OAM/DCN Firewall DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • Good basic principle if these are physically different systems OAM/DCN Firewall DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OAM/DCN Firewall ? DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End OAM/DCN Firewall ? DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End OAM/DCN Firewall ? PKI DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End PKI Front End OAM/DCN Firewall ? PKI DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End PKI Front End OAM/DCN Firewall ? PKI DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End PKI Front End OAM/DCN Firewall ? PKI DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End PKI Front End OAM/DCN Firewall ? PKI DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End PKI Front End OAM/DCN Firewall ? PKI DCN MBH MBH Router Core Router Security Gateway S1-MME S1-U GN S-GW OSS P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End PKI Front End OAM/DCN Firewall PKI DCN OAM OSS Security Gateway MBH MBH Router Core Router S1-MME S1-U GN S-GW P-GW MME • How are you going to create a clean and secure Architecture?
    • OSS Front End PKI Front End OSS OAM/DCN Firewall Front End OAM PKI PKI Front End OSS DCN OAM/DCN Firewall Security Gateway MBH MBHRouter Core Router S1-U GN S1-MME S-GW MME PKI P-GW DCN OAM OSS Security Gateway • How are you going to create a clean and secure Architecture? MBH MBH Router Core Router S1-U GN S1-MME S-GW P-GW MME • How are you going to create a clean and secure Architecture? 84
    • OSS Front End PKI Front End OAM/DCN Firewall OAM PKI DCN OSS Security Gateway MBH MBHRouter Core Router S1-U GN S1-MME S-GW P-GW MME • How are you going to create a clean and secure Architecture? • Auto integration means an un-encrypted un-authenticated path from your eNodeB to the OSS platforms 85
    • 05 Geo-resilience
    •  Geo-resilience • Building the infrastructure to provide resilience against the loss of a significant location/installation.
    • Last mile Aggregation MBH Core
    • Last mile Aggregation No resilience MBH Impact is 100% Loss of one cell site Core
    • Last mile Aggregation No resilience MBH Impact is 100% Loss of one cell site Access edge Impact is 100% loss of N cell sites Core
    • Last mile Aggregation No resilience MBH Impact is 100% Loss of one cell site Access edge Impact is 100% loss of N cell sites MBH Resilient No SPOF Core
    • Last mile Aggregation Core No resilience MBH Core Impact is 100% Loss of one cell site Access edge Impact is 100% loss of N cell sites MBH Resilient Core Resilient No SPOF No SPOF
    • Last mile Aggregation Core MME S-GW P-GW Core No resilience MBH Impact is 100% Loss of one cell site Internet MME Access edge Impact is 100% loss of N cell sites MBH Resilient Core Resilient No SPOF No SPOF S-GW P-GW EPC Resilient No SPOF
    • Security Gateway Last mile Aggregation Core Significant loss of customer base MME S-GW P-GW Core No resilience MBH Impact is 100% Loss of one cell site Internet MME Access edge Impact is 100% loss of N cell sites MBH Resilient Core Resilient No SPOF No SPOF S-GW P-GW EPC Resilient No SPOF
    • Security Gateway Last mile Aggregation Core Significant loss of customer base MME S-GW P-GW Core MBH Internet MME S-GW P-GW
    • Last mile Aggregation Core Site 1 MME S-GW MBH P-GW Core Internet MME Site 2 S-GW P-GW
    • La st mil e Aggreg Last ation Core Aggregation mile MME S-GW MBH Core P-GW MME Core Internet S-GW P-GW MME S-GW MBH P-GW Core Internet MME S-GW P-GW
    • La st mil e Aggreg ation Core • Options for Geo-resilience? MME S-GW MBH P-GW Core Internet MME S-GW P-GW
    • La st mil e Aggreg ation Core • Options for Geo-resilience? MME S-GW MBH P-GW Core Internet MME S-GW P-GW • Backup IPSec tunnels
    • La st mil e Aggreg ation Core • Options for Geo-resilience? MME S-GW MBH P-GW Core Internet MME S-GW P-GW • Backup IPSec tunnels • Dynamic IP Routing
    • La st mil e Aggreg ation Core • Options for Geo-resilience? MME S-GW MBH P-GW Core Internet • Backup IPSec tunnels • Dynamic IP Routing MME S-GW P-GW • Our evaluation of backup IPSec tunnels was that the technology was not completely ready.
    • Last mile Aggregation Core MME S-GW P-GW Population A MBH Core Internet MME S-GW Population B P-GW
    • Last mile Aggregation Y Core BGP MME S-GW P-GW Population A MBH Core Internet MME S-GW Population B X BGP • Advertise the IPSec end point address using BGP P-GW
    • Last mile Aggregation Y Core BGP MME S-GW P-GW Population A MBH Core Internet MME S-GW Population B • Advertise the IPSec end point address using BGP P-GW
    • Last mile Aggregation Y Core BGP MME S-GW Population A X MBH P-GW BGP Core Internet MME S-GW Population B • Advertise the IPSec end point address using BGP P-GW
    • Last mile Aggregation Y Core BGP MME S-GW Population A X MBH P-GW BGP Core Internet MME S-GW Population B • Advertise the IPSec end point address using BGP P-GW
    • La st mil e Aggreg ation Core • Options for Geo-resilience? MME S-GW MBH P-GW Core Internet MME S-GW P-GW • Challenges with Geo-resilience? • IP Routing • Backup IPSec tunnels • Dynamic IP Routing
    • La st mil e Aggreg Last ation Core Aggregation mile MME S-GW MBH Core • Options for Geo-resilience? Hi, I’m Fred P-GW • Backup IPSec tunnels MME • Dynamic IP Routing Core Internet S-GW P-GW MME S-GW P-GW MBH Core • Challenges with Geo-resilience? Internet • IP Routing • Certificates MME S-GW Hi, I’m Rick SubjectAltname field P-GW
    • La st mil e Aggreg Last ation Core Aggregation mile MME S-GW MBH Core P-GW Hi, I’m Fred MME Core Internet S-GW P-GW MME S-GW P-GW MBH Core Internet MME S-GW Hi, I’m Rick SubjectAltname field P-GW
    • La st mil e Aggreg Last ation Core Aggregation mile MME S-GW MBH Core P-GW Hi, I’m Fred MME Core Internet S-GW P-GW MME S-GW P-GW MBH Core Internet I’m only speaking to Rick MME S-GW Hi, I’m Rick SubjectAltname field P-GW
    • La st mil e Aggreg Last ation Core Aggregation mile MME S-GW MBH Core P-GW Hi, I’m Fredrick MME Core Internet S-GW P-GW MME S-GW P-GW MBH Core Internet MME S-GW Hi, I’m Fredrick SubjectAltname field P-GW
    • La st mil e Aggreg Last ation Core Aggregation mile MME S-GW MBH Core P-GW Hi, I’m Fredrick MME Core Internet S-GW P-GW MME S-GW P-GW MBH Core Internet MME S-GW Hi, I’m Fredrick SubjectAltname field P-GW
    • La st mil e Aggreg Last ation Core Aggregation mile MME S-GW MBH Core P-GW Hi, I’m Fredrick MME Core Internet S-GW P-GW MME S-GW P-GW MBH Core Internet MME S-GW Hi, I’m Fredrick SubjectAltname field P-GW
    • 06 LTE - Advanced
    • LTE-Advanced • How will we secure X2 traffic with the very stringent demands of LTE-A? Target latency above which a performance decrement is seen is 1ms. 115
    • Last mile X2 Aggregation Core MME S-GW P-GW Internet • Where are you going to deploy the VPN concentrator for X2 handover?
    • Last mile Aggregation Core X2 MME S-GW P-GW Internet • Option 1 – Centralised SecGW?
    • Last mile Aggregation Core Latency X2 too High MME S-GW P-GW Internet • Option 1 – Centralised SecGW?
    • Last mile Aggregation X2 Core MME S-GW P-GW Internet • Option 2 – SecGW at Core Edge?
    • Last mile Aggregation Core Latency X2 too High MME S-GW P-GW Internet • Option 2 – SecGW at Core Edge?
    • Last mile Aggregation X2 Core MME S-GW P-GW Internet • Option 3 – Tens of SecGW distributed in Aggregation?
    • Last mile Aggregation Core Latency X2 possibly OK MME S-GW P-GW Internet • Option 3 – Tens of SecGW distributed in Aggregation?
    • Last mile X2 Aggregation Core MME S-GW P-GW Internet • Option 4 – Hundreds of SecGW at local exchanges?
    • Last mile X2 Aggregation Core MME S-GW P-GW Internet Secure inter SecGW traffic? • Option 4 – Hundreds of SecGW at local exchanges?
    • Last mile X2 Aggregation Core Secure MME Locations? S-GW P-GW Internet Secure inter SecGW traffic? • Option 4 – Hundreds of SecGW at local exchanges?
    • Last mile X2 Aggregation Core CertificateMME Management? S-GW P-GW Internet Secure inter SecGW traffic? • Option 4 – Hundreds of SecGW at local exchanges?
    • Last mile Aggregation X2 Core MME S-GW P-GW Internet • Option 5 – Don’t encrypt?
    • Last mile X2 Aggregation Core MME S-GW P-GW Internet • Option 6 – No VPN concentrator ?
    • • Summary • Simple – Just deploy LTE Security Gateway and encrypt with IPSec. • There’s a few gotcha’s to watch out for. • Keeping a multi operator and multi vendor deployed environment simple is not easy. 129
    • Questions? 130
    • Thank You