:,/#.( ;(,5#/# <%/=( >#5# ?,/785$#/4 !"#$% &'#!()*+#, !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E1E CF lnLroducLlon ;),$%.$#/4 $"% 012 )(+#,-$,-.,)% 5#/G L1L ushers ln moblle neLworks LhaL have a more flexlble and less hlerarchlcal framework, hlgher performance and rlcher funcLlonallLy. 8uL lL also lncreases Lhe poroslLy of Lhe moblle neLwork and lLs vulnerablllLy Lo mallclous aLLacks and accldenLal Lrafflc dlsrupLlon. SecurlLy has become a hoL Loplc among L1L operaLors. Whlle Lhe aLLenLlon focuses almosL excluslvely on moblle devlces, Lhey are far from belng Lhe only LargeLs for aLLack and enLry polnLs Lo moblle neLworks. ALLacks can be launched from Lhe lnLerneL as well as from roamlng and MvnC parLners. unauLhorlzed access Lo Lhe neLwork may come from lnfrasLrucLure elemenLs such as Lhe en8. AdopLlon of small and femLo cells, whlch are easler Lo access Lhan LradlLlonal macro cells are, furLher lncreases Lhe vulnerablllLy of Lhe neLwork. lf lefL unproLecLed, Lhe 8An-Lo-core llnk offers anoLher rouLe LhaL can cause dlsrupLlon ln moblle neLworks. 1o avold congesLlon or servlce lnLerrupLlon, and provlde a conslsLenL CoL Lo Lhelr subscrlbers, moblle operaLors have Lo proLecL Lhelr enLlre neLworks devlces, base sLaLlons or femLo cells, backhaul llnks, and Lhe core neLwork agalnsL abnormal Lrafflc flows LhaL may sLem from lnLenLlonal aLLacks (e.g., malware), unlnLended evenLs (e.g., conflguraLlon errors), or unusual buL leglLlmaLe Lrafflc splkes (e.g., durlng a sporLs evenL), and may resulL ln splkes boLh ln Lhe conLrol plane (slgnallng floods) and ln Lhe daLa plane (8An congesLlon). ln Lhe conLexL of end-Lo-end neLwork proLecLlon, securlng Lhe radlo-Lo-core llnk ls of cruclal lmporLance Lo ensurlng Lhe overall securlLy ln moblle neLworks. ln Lhls paper we focus on Lhe securlLy and proLecLlon of Lhe radlo-Lo-core llnk, and dlscuss how Lhe sLraLeglcally locaLed securlLy gaLeway (SeCW) enables operaLors Lo meeL Lhelr performance, rellablllLy and servlce requlremenLs as Lhey go Lhrough Lhree dlsLlncL, buL ofLen overlapplng, phases ln Lhelr L1L deploymenLs: 0(8/."H lnlLlal phase wlLh llmlLed adopLlon and coverage. I),3$"H full neLwork bulldouL, wlLh lncrease ln coverage, Lrafflc load and subscrlber adopLlon. J+K(/.%+ 7%)K#.%7H addlLlon of voL1L and 8CS, lnLroducLlon of advanced pollcy funcLlonallLy, expanslon of Wl-ll offload, and small-cell deploymenLs.
lsec and SeCWs are Lhe domlnanL soluLlon, endorsed by 3C, Lo proLecL Lhe L1L radlo-Lo-core llnk. SeGWs role has sLarLed Lo expand beyond securlLy. lL proLecLs Lhe neLwork agalnsL sudden and unexpecLed surges ln slgnallng and user daLa Lrafflc, wheLher Lhe resulL of mallclous aLLack, conflguraLlon error, or splkes ln subscrlber acLlvlLy. ScalablllLy, mulLl-vendor lnLeroperablllLy and low laLency are requlred ln Lhe SeCW Lo supporL L1L neLworks as Lhey evolve from Lhe lnlLlal launch Lo a maLure phase marked by hlgher Lrafflc loads and Lhe lnLroducLlon of advanced servlces.
!"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E2E AF SecurlLy, scale and aggregaLlon 1"% ),5% ,6 $"% 7%.8)#$9 4($%3(9 L<%I!M 8adlo-Lo-core llnk proLecLlon requlres a dedlcaLed efforL. 3C sLandards make a sLrong case for Lhe adopLlon of lsec encrypLlon and muLual auLhenLlcaLlon of Lhe radlo-Lo-core llnk Lo secure Lhe llnk beLween Lhe en8 and Lhe MML, and recommend lsec ln unLrusLed llnks. 1 lnlLlally moblle operaLors have been cauLlous ln Lhe adopLlon of lsec because of Lhe addlLlonal cosL, overhead (esLlmaLed Lo be 14 by nCMn 2 ) and complexlLy lL enLalls, buL Lhere ls an emerglng consensus among operaLors LhaL lsec ls needed Lo secure unLrusLed slLes and ls hlghly deslrable even ln LrusLed slLes. 1o daLe, severe securlLy breaches and neLwork dlsrupLlon have been infrequent, but they carry high costs because they may encourage churn, shrink revenues and damage the operators brand repuLaLlon. As deflned by 3C, Lhe SeCW LermlnaLes Lhe lsec Lunnel aL Lhe moblle core edge, and hence provldes for Lhe encrypLlon and decrypLlon of lsec Lrafflc, and for muLual auLhenLlcaLlon wlLh en8s ln Lhe 8An. 1he SeCW ls lnserLed aL Lhe edge of Lhe core neLwork Lo secure Lhe S1-MML and S1-u Lrafflc from en8s, aggregaLe lL, and Lhen forward lL Lo Lhe MML and SCW (llgure 1), proLecLlng Lhe neLwork from man-ln-Lhe-mlddle aLLacks. 1he SeCW can also carry Lhe conLrol-plane x2 lnLerface among en8s Lo coordlnaLe Lransmlsslon ln Lhe 8An. 1he lsec Lunnel LhaL ls lnlLlaLed aL Lhe en8 can be LermlnaLed dlrecLly aL Lhe MML and SCW. 1hls approach, however, can resulL ln hlgher cosLs and less efflclenL neLwork uLlllzaLlon, because lsec LermlnaLlon ls a compuLaLlonally lnLenslve funcLlon for whlch Lhe MML and Lhe SCW are noL deslgned and opLlmlzed. WlLhouL a SeCW, lsec LermlnaLlon may overload Lhese elemenLs and, Lo prevenL Lhls, operaLors have Lo lnvesL ln addlLlonal processlng capaclLy.
1. 3C 18 33.401, !"## %&'()* +,-./()-(0,) 12340(/35 6%+178 %)-0,/(& +,-./()-(0,), 2012. 1he declslon of wheLher Lhe radlo-Lo-core llnk ls LrusLed ls lefL Lo Lhe moblle operaLor, because lL ls Lled Lo Lhe operators lnLernal crlLerla, whlch Lyplcally lnclude facLors such as conLrol over Lhe physlcal slLe where Lhe en8 ls locaLed and over Lhe backhaul llnk (l.e., use of the operators own backhaul lnfrasLrucLure versus Lhlrd-parLy leased llnks), securlLy level aL Lhe cell slLe, sharlng of neLwork componenLs wlLh oLher moblle or flxed neLworks, and regulaLory requlremenLs. 2. nCMn, %*944 :)44 ;9-<.904 =)>0/,)*)5(', 2012. !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E3E
>#48)% AF <,8).%7 (/+ #N'(.$ ,6 8/%O'%.$%+ +($( (/+ 7#4/(5#/4 $)(66#. ,K%)5,(+ ,/ /%$3,)G '%)6,)N(/.%F <,8).%H <%/=( >#5# The SeGW was initially developed to provide the scalability and performance needed to meet operators radio-Lo-core securlLy requlremenLs, buL lLs sLraLeglc poslLlon on Lhe border beLween Lhe 8An and Lhe core neLwork makes lL Lhe ldeal candldaLe Lo aggregaLe Lrafflc dlrecLed Lo Lhe core and hence Lo provlde funcLlonallLy LhaL goes beyond enabllng efflclenL lsec encrypLlon and muLual auLhenLlcaLlon. 1he edge of Lhe core ls an ldeal place Lo monlLor lncomlng Lrafflc from Lhe 8An and Lo ldenLlfy and manage susplclous or unexpecLedly hlgh Lrafflc flows, ln boLh Lhe conLrol plane (slgnallng) and Lhe user plane (daLa Lrafflc), LhaL may dlsrupL neLwork access and servlce avallablllLy. ln dolng so, Lhe SeCW reduces Lhe capaclLy requlremenLs on Lhe MML and SCW LhaL would oLherwlse have Lo process all Lhe Lrafflc from Lhe 8An. 1he SeCW glves operaLors a valuable vanLage polnL from whlch Lo galn vlslblllLy lnLo Lhe comblned conLrol and user plane Lrafflc, before lL geLs segregaLed ln Lhe MML and SCW, respecLlvely. ln addlLlon, Lhe SeCW faclllLaLes lsec lmplemenLaLlon ln mulLl-vendor deploymenLs, because lL can provlde full lnLeroperablllLy across elemenLs from dlfferenL vendors. 1he role of Lhe SeCW ln fllLerlng lncomlng Lrafflc ls noL llmlLed Lo Lhe ldenLlflcaLlon and managemenL of lnLenLlonal mallclous aLLacks, lL lncludes many oLher Lypes of anomalous Lrafflc (llgure 2). Some occaslonal Lrafflc splkes are subscrlber-drlven, occurrlng, for example, as a resulL of weaLher dlsrupLlon, hlghway accldenLs, or planned evenLs such as concerLs or games where many people congregaLe. Whlle Lhls Lrafflc ls enLlrely leglLlmaLe, Lhe neLwork may noL have sufflclenL capaclLy Lo manage and LransporL lL, and servlce avallablllLy may be parLlally or compleLely compromlsed as a resulL. Slgnallng Lrafflc overload can also be generaLed unlnLenLlonally by erroneous conflguraLlon seLLlngs or oLher sofLware malfuncLlons ln Lhe uL appllcaLlons or CSs or ln oLher neLwork elemenLs. 1hls Lype of Lrafflc ls noL mallclous, buL lL ls unexpecLed and can have Lhe same lmpacL as user-drlven Lrafflc splkes. ln boLh cases user-plane Lrafflc overload and conLrol-plane Lrafflc overload a scalable SeCW can recognlze and manage unusually hlgh Lrafflc levels and proLecL Lhe neLwork ln real Llme, before Lhe Lrafflc hlLs Lhe core neLwork ln Lhe MML or SCW, ln order Lo conLaln or prevenL dlsrupLlon. 1he dlsrupLlon can be broughL on lnnocenLly by Lrafflc overload ln elLher slgnallng or daLa. Slgnallng overload may cause congesLlon ln Lhe MML or oLher core elemenLs such as Lhe PSS, and lead Lo access or servlce denlal even lf Lhere ls sufflclenL capaclLy ln Lhe daLa plane Lo saLlsfy access and servlce requesLs. ln Lhls slLuaLlon, slgnallng overload prevenLs efflclenL uLlllzaLlon of neLwork resources. user-plane Lrafflc overload has a slmllar lmpacL on subscrlber experlence (l.e., dlsrupLlon of servlce), buL, unllke slgnallng overload, lL ls !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E4E Lyplcally drlven by llmlLed avallablllLy of 8An resources l.e., Lhere are more users demandlng access Lhan Lhe neLwork has capaclLy Lo supporL. 1he capablllLy of Lhe SeCW Lo deLecL and manage unexpecLed Lrafflc paLLerns mallclous or noL ls boLh necessary and advanLageous. 8egardless of Lhe cause, unusually lnLense Lrafflc flows can severely compromlse neLwork and servlce avallablllLy. 1he dlsrupLlon may be llmlLed Lo one or a few en8s or have a wlder lmpacL on Lhe neLwork. lL may affecL only a subseL of subscrlbers who cannoL geL access or use some servlces, or lL may enLlrely shuL down parLs of Lhe neLwork. DF 1he evoluLlon of securlLy and proLecLlon requlremenLs 1")%% '"(7%7 #/ 012 +%'5,9N%/$7 As moblle operaLors roll ouL Lhelr neLworks, Lhelr requlremenLs for performance, securlLy and Lrafflc load evolve (llgure 3). uurlng Lhe lnlLlal launch sLage, Lhe focus ls on baslc funcLlonallLy and rellablllLy. As Lhe number of subscrlbers grows, scalablllLy becomes a Lop prlorlLy. As neLwork uLlllzaLlon grows, lL keeps evolvlng Loo, wlLh moblle operaLors lnLroduclng advanced funcLlonallLy and supporL for new servlces. Lach operaLor moves aL lLs own pace across Lhe sLages, and may see some overlap across sLages, buL Lhe Lrend Loward more sLrlngenL requlremenLs has Lo be kepL ln mlnd from Lhe sLarL, when seLLlng Lhe course for neLwork deploymenL.
>#48)% DF *(+#,-$,-.,)% '),$%.$#,/ +8)#/4 $")%% '"(7%7 #/ 012 +%'5,9N%/$7F <,8).%H <%/=( >#5# !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E5E DFCF 8alanclng securlLy and performance ;"(7% CH 1"% #/#$#(5 7$(4% ,6 012 +%'5,9N%/$ uurlng Lhe lnlLlal sLage of L1L deplyomenLs, operaLors lnlLlally requlre only baslc securlLy lsec wlLh encrypLlon and muLual auLhenLlcaLlon buL Lhe declslons Lhey make have a long-lasLlng lmpacL along several dlmenslons: !"%)% (/+ ",3 7",85+ $"% ,'%)($,) +%'5,9 P;7%.Q 1he flrsL declslon for moblle operaLors ls Lo choose wheLher Lo deploy lsec across all Lhelr slLes, or only ln unLrusLed slLes. An lncreaslng number of operaLors are chooslng Lo deploy lsec across boLh LrusLed and unLrusLed slLes as Lhey recognlze LhaL even LrusLed slLes can become LargeLs of securlLy LhreaLs. A declslon Lo lnLegraLe lsec ln LrusLed slLes aL a laLer sLage may lncrease deploymenL cosLs and complexlLy. <",85+ <%I!7 R% +%'5,9%+ #/ ( +#7$)#R8$%+ ()."#$%.$8)% ,) ( .%/$)(5#=%+ ,/%Q 1he cholce beLween a dlsLrlbuLed (SeCW closer Lo Lhe en8) or cenLrallzed (SeCW closer Lo Lhe core) archlLecLure ls Lled Lo mulLlple facLors, whlch lnclude Lhe overall neLwork archlLecLure sLraLegy, Lhe servlces lL supporLs, Lhe backhaul lnfrasLrucLure, and Lhe dlsLrlbuLlon of subscrlbers wlLhln Lhe fooLprlnL. lor lnsLance, an operaLor LhaL chooses an approach wlLh MML and SCW dlsLrlbuLed across Lhe fooLprlnL, Lo mlnlmlze laLency ln order Lo supporL servlces such as voL1L, wlll have Lo deploy SeCW closer Lo Lhe en8. AlLernaLlvely, an operaLor may have a cenLrallzed LC buL choose Lo have a dlsLrlbuLed SeCW archlLecLure LhroughouL Lhe fooLprlnL, or ln some areas. A dlsLrlbuLed SeCW archlLecLure provldes more flexlblllLy and lower laLency for Lhe en8Loen8 x2 lnLerface. A cenLrallzed archlLecLure requlres fewer buL hlgher-capaclLy SeCWs, and more redundancy opLlons. !"($ ()% $"% .('(.#$9 (/+ '%)6,)N(/.% (778N'$#,/7 $"($ /%%+ $, N(+% 3"%/ 7%5%.$#/4 $"% <%I!Q A scalable soluLlon ls requlred Lo accommodaLe Lhe growlng Lrafflc load orlglnaLlng from wlder neLwork coverage, a growlng number of subscrlbers wlLh L1L devlces, and hlgher per-subscrlber Lrafflc usage. Powever, operaLors have Lo dlmenslon Lhelr lnlLlal deploymenL on Lhe basls of Lrafflc growLh LhaL ls lnherenLly dlfflculL Lo predlcL. 1he Lrend Loward susLalned and sLeep Lrafflc growLh conLlnues unabaLed, buL Lhe fuLure pace and volume are noL known. CperaLors sLlll need, Lhough, Lo flnd a good lnlLlal balance Lo avold overcommlLmenL or lnsufflclenL capaclLy. ConcurrenLly, hlgh Lrafflc loads ralse performance requlremenLs even furLher. A low packeL-processlng raLe ln encrypLlng and decrypLlng daLa can Lurn Lhe SeCW lnLo a boLLleneck, unable Lo process conLrol-plane and user-plane Lrafflc, or Lo do so aL Lhe requlred laLency, and more vulnerable Lo denlal of servlce aLLacks. 1he dlsrupLlon from overloaded SeCWs evenLually spreads from Lhe core Lo Lhe 8An, whlch ln Lurn becomes unable Lo address servlces requesLs and hence Lo use Lhe avallable capaclLy, leadlng Lo lnefflclencles ln Lhe use of preclous and llmlLed radlo resources. A hlgh packeL-per-second processlng raLe ln Lhe SeCW can reduce overall neLwork capex and opex because lL ls conduclve Lo a hlgher 8An uLlllzaLlon. 1he lnLroducLlon of a SeCW may also reduce Lhe capaclLy requlremenLs on Lhe MML and SCW, leadlng Lo capex and opex savlngs ln Lhe core neLwork. !"($ ()% $"% #/$%),'%)(R#5#$9 )%S8#)%N%/$7 $, %/78)% 7N,,$" #/$%4)($#,/ (.),77 K%/+,)7Q 1he SeCW has Lo be smooLhly lnLegraLed wlLhln Lhe exlsLlng lnfrasLrucLure on boLh Lhe 8An and Lhe core sldes, and lL musL be lnLeroperable wlLh equlpmenL from Lhe vendors LhaL Lhe operaLor has selecLed. lnLeroperablllLy requlremenLs on Lhe en8 slde are sLrlcLer, because Lhe en8 lnlLlaLes Lhe lsec channel LhaL Lhe SeCW LermlnaLes. AlLhough Lhe lnLerfaces are based on sLandards, vendor-speclflc lmplemenLaLlons are ofLen noL fully lnLeroperable wlLh each oLher. As operaLors look Lo mulLl-vendor 8Ans and shared-lnfrasLrucLure parLnershlps, lnLeroperablllLy acqulres more promlnence as Lhe basls for a rellable user experlence and lower cosLs. SeCW lnLeroperablllLy has Lo be esLabllshed wlLh all Lhe vendors lnvolved on boLh Lhe 8An and !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E6E core sldes. AlLhough esLabllshlng lnLeroperablllLy may lnlLlally be Llme-consumlng for boLh vendors and operaLors, ln Lhe long Lerm lL lowers Lhe rlsk of vendor lock-ln and glves operaLors more freedom ln chooslng Lhelr 8An vendors. 1he lnlLlal sLage ln deploylng a moblle neLwork ls hecLlc. CperaLors have Lo balance mulLlple performance requlremenLs and deadllnes agalnsL fundlng avallablllLy. 8uL chooslng scalable and fuLure-proof soluLlons aL Lhls sLage, whlle avoldlng over-englneerlng, ls cruclal Lo a smooLh long-Lerm expanslon of Lhe neLwork wlLhouL expenslve and dlsrupLlve upgrades. DFAF 1aklng L1L malnsLream ;"(7% AH 1)(66#. 4),3$" (/+ /%$3,)G %O'(/7#,/ As subscrlbers move Lo L1L smarLphones and dlscover LhaL wlLh fasLer neLworks Lhey can do more, noL only ls Lhe number of subscrlbers on L1L neLworks growlng, buL so ls Lhe Lrafflc per subscrlber. 1he growLh ln neLwork Lrafflc load ls dlfflculL Lo predlcL as usage paLLerns, charglng models, and devlce mlxes conLlnue Lo evolve. CperaLors need flexlblllLy Lo adapL Lo rapldly changlng capaclLy requlremenLs. 1he flrsL operaLors Lo launch L1L neLworks, havlng now enLered Lhe second phase, face Lhe challenges of managlng and proLecLlng Lrafflc ln an envlronmenL of acceleraLed expanslon of coverage and capaclLy requlremenLs. ln !anuary 2013, verlzon reporLed LhaL L1L now accounLs for 30 of Lrafflc ln lLs neLwork and 23 of subscrlbers suggesLlng LhaL L1L subscrlbers are much heavler daLa users Lhan Lhelr 3C counLerparLs. AL Lhe same Llme, coverage has gone up Lo lnclude 89 of Lhe neLwork fooLprlnL. ln !apan, n11 uOCOMOs LTE network covers 75% of Lhe populaLlon wlLh 23,000 base sLaLlons and serves 10 of subscrlbers. More Lhan 20 of lLs subscrlbers use more Lhan 3C8 per monLh each, Lwlce as many subscrlbers as a year ago. 1he challenges ln managlng Lhe lncreased Lrafflc load are lnLenslfled by Lhe Lrend of Lhe pasL few years Loward more complex and unpredlcLable Lrafflc flows, whlch are due Lo Lhe convergence of mulLlple facLors: LcosysLem fragmenLaLlon lncreases Lhe llkellhood of abnormal and unexpecLed Lrafflc overload LhaL may be caused by appllcaLlon or sofLware updaLes, or by malware lnLroduced by appllcaLlons (especlally lf noL downloaded from LrusLed sLores LhaL check appllcaLlon lnLegrlLy). Peavler use of real-Llme appllcaLlons such as vldeo and audlo sLreamlng, gamlng, and volce creaLes more sLrlngenL requlremenLs for laLency and CoS-based access. A hlgher number of appllcaLlons per devlce drlves up Lhe background slgnallng acLlvlLy due Lo frequenL updaLe requesLs from appllcaLlons especlally Lhose for chaLLy apps such as soclal neLworklng and communlcaLlons, whlch requlre frequenL checks for updaLes. Moblle neLworks have become more aLLracLlve LargeLs for hackers and hackLlvlsLs. Mallclous aLLacks are on Lhe rlse, and Lhelr growLh ls llkely Lo acceleraLe. Whlle mosL of Lhe aLLacks now use uLs as Lhe enLry polnL, oLher vulnerable elemenLs ln moblle neLworks are llkely Lo be more wldely LargeLed ln Lhe fuLure. 1he lncrease ln Lrafflc affecLs boLh Lhe conLrol plane and Lhe user plane, wlLh Lhe expecLaLlon LhaL growLh ln Lhe conLrol plane wlll exceed LhaL ln Lhe user plane by 30 Lo 30, accordlng Lo 4C Amerlcas 3 . ln Canada, 1elus reporLs an lncrease ln slgnallng Lrafflc of 2,700 durlng a perlod ln whlch daLa Lrafflc doubled 4 .
3. 4C Amerlcas, ?)@ A/,)4)'' ;,39BC95B +DD4/-9(/35' 95B E)2/-)'8 F5B),'(95B/5G (.) H*D9-( 35 ?)(@3,<'I 2012. 4. hLLp://www.carLL.ca/news/13804/Cable-1elecom/lLLL-1rafflc-Lsunaml-causlng-congesLlon-ln-wlreless-neLs-says-1elus-SpadoLLo.hLml !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E7E Whlle L1L has a more efflclenL conLrol plane Lhan 3C, generaLlng a lower slgnallng load for Lhe same user-plane load, Lhe neLwork- wlde volume of slgnallng Lrafflc wlll conLlnue Lo lncrease due Lo lncreased use per moblle devlce, as subscrlbers rely on Lhem for a larger number of servlces and appllcaLlons whlch Lhey use more frequenLly. lrequenL connecLlon requesLs and Lransmlsslon ln smaller packeL slzes resulL from chaLLy apps, voL1L, adverLlsemenLs, and, generally, a hlgher number of appllcaLlons lnsLalled ln moblle devlces. CrowLh ln user daLa and slgnallng Lrafflc, and wlder coverage, creaLe Lhe need Lo expand Lhe capaclLy of Lhe radlo-Lo-core llnk and of lLs LermlnaLlng polnL ln Lhe SeCW. ln boLh cases, lL ls cruclal LhaL Lhe soluLlon adopLed durlng Lhe lnlLlal phase scale smooLhly Lo meeL Lhe new requlremenLs, reLalnlng Lhe same performance level and havlng a comparable lmpacL on capex and opex. 1he growLh and expanslon sLage ln L1L enLalls a dlfflculL balanclng acL for moblle operaLors caughL beLween Lhe need Lo lmprove performance and capaclLy, on Lhe one hand, and adherlng Lo hlgh securlLy and rellablllLy sLandards, on Lhe oLher all ln an envlronmenL where subscrlbers are eager Lo lncrease Lhelr use of Lhelr moblle plans, buL reslsL paylng more for Lhem. As a resulL, moblle operaLors need a flexlble and lncremenLal expanslon process LhaL enables Lhem Lo gradually expand Lhe SeCW capaclLy ln llne wlLh Lhe Lrafflc growLh, and Lo avold expenslve soluLlon upgrades or Lhe lnLegraLlon of new ones. DFDF new requlremenLs, new funcLlonallLy ;"(7% DH 012 %K,58$#,/ As daLa Lrafflc and subscrlbers move Lo L1L, operaLors need Lo do more Lhan lncrease Lhelr capaclLy. 1hey have Lo conLlnue Lo lnnovaLe and expand Lhe funcLlonallLy and servlces offered. Change wlll affecL dlfferenL areas and lmpacL neLwork proLecLlon ln mulLlple ways. ln Lhe 8An, Lhe wlder use of small cells, femLo cells and Wl-ll Lo offload Lrafflc from overloaded macro cells lnLroduces a much more complex neLwork Lopology, wlLh overlapplng layers, hlgher levels of lnLerference, and a hlgher denslLy of elemenLs. MoblllLy managemenL, lnLerference mlLlgaLlon, and Lrafflc coordlnaLlon among 8An layers lncrease Lhe Lrafflc requlremenLs especlally on Lhe slgnallng slde. 1he lnLroducLlon of Lrafflc managemenL Lechnlques such as CCM and elClC requlre a low laLency on Lhe x2 lnLerface and Lhe backhaul. 1he wldenlng adopLlon of small cells and femLo cells lncreases Lhe vulnerablllLy of moblle neLworks Lo mallclous aLLacks by addlng a large number of 8An elemenLs wlLh largely unproLecLed physlcal access, drlvlng Lhe need for Lhe robusL muLual auLhenLlcaLlon LhaL lsec provldes. lrom a devlce perspecLlve, M2M devlces, many of whlch may be unaLLended and noL LlghLly monlLored, presenL an enLlrely new seL of securlLy challenges LhaL have noL yeL been fully explored or LesLed. MosL M2M devlces operaLe wlLhouL physlcal human supervlslon and can be easlly locaLed, especlally lf Lhey are noL moblle. 1hls makes Lhem more vulnerable Lo physlcal mallclous access and hence to attacks targeting the mobile network or the networks of the operators customers. Whlle ln mosL cases M2M devlces wlll generaLe low Lrafflc volumes, Lhe need for frequenL reporLs or sLaLus checks ls llkely Lo dlsproporLlonaLely lncrease Lhe slgnallng load over Lhe user-daLa load, lncreaslng Lhe capaclLy requlremenLs ln Lhe conLrol plane. 1he lnLroducLlon of voL1L, 8CS, gamlng and vldeo servlces creaLes LlghLer laLency requlremenLs across Lhe neLwork, and lL ls cruclal LhaL Lhe radlo-Lo-core llnk noL become a laLency boLLleneck. 1he processlng raLe and capaclLy aL Lhe SeCW have Lo be sufflclenLly hlgh Lo keep laLency low. ln addlLlon, Lrafflc prlorlLlzaLlon, Lrafflc shaplng and load balanclng ln Lhe SeCW may also enable operaLors Lo preserve Lhe CoL for appllcaLlons wlLh low laLency requlremenLs. !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E8E lurLhermore, real-Llme appllcaLlons such as voL1L or vldeo sLreamlng lmpose a parLlcular challenge because Lhey use small packeLs and hence more processlng has Lo be done aL Lhe SeCW Lo LransporL Lhe same volume of user-plane Lrafflc. LffecLlvely, Lhese appllcaLlons lncrease Lhe capaclLy load on Lhe SeCW, and fasL packeL processlng for encrypLlon and decrypLlon ls essenLlal Lo mlnlmlze Lhe adverse lmpacL of small-packeL Lrafflc on overall neLwork uLlllzaLlon and performance. llnally, Lhe wlder adopLlon of shared 8An and backhaul lnfrasLrucLure among operaLors, and of Lhlrd-parLy backhaul soluLlons LhaL accompany Lhe lncreased peneLraLlon of small cells and femLo cells, ralses Lhe percenLage of unLrusLed slLes ln whlch Lhe lsec proLecLlon ls a de facLo requlremenL. 1haL wlll puL addlLlonal pressure on moblle operaLors Lo selecL lsec and SeCW soluLlons LhaL scale smooLhly. 8Ans wlLh a hlgher denslLy and varleLy of elemenLs creaLe a much more demandlng lnLeroperablllLy envlronmenL, ln whlch Lhe SeCW has Lo lnLeroperaLe wlLh an expandlng array of equlpmenL soluLlons and vendors. ln Lhe case of lnfrasLrucLure sharlng, 8An equlpmenL ls selecLed and operaLed by dlfferenL enLlLles over whlch Lhe moblle operaLor has no conLrol. 1he capablllLy of Lhe SeCW Lo adapL Lo Lhese lnherenLly complex 8An Lopologles ls vlLal for operaLors LhaL rely on lnfrasLrucLure sharlng arrangemenLs Lo conLaln cosLs and opLlmlze neLwork uLlllzaLlon. 1o ensure rellable performance, operaLors need Lo see more deeply lnLo how Lhe neLwork manages Lrafflc so Lhey can correcL problems ln real Llme as Lhey arlse. 1racklng key performance meLrlcs aL Lhe S1 and x2 lnLerfaces e.g., handoffs and aLLach compleLlon Llme, and dropped packeLs ensures rellable performance for real-Llme appllcaLlons such as voL1L, and efflclenL moblllLy managemenL ln Lhe 8An. A fuLure-proof radlo-Lo-core SeCW has Lo scale Lo lnclude supporL for a wlder range and hlgher denslLy of 8An elemenLs and moblle devlces, as well as cope wlLh a hlgher percenLage of unLrusLed slLes, emerglng securlLy LhreaLs, and an lncreaslngly demandlng and dlverse Lrafflc mlx. As operaLors move Lo Lhe Lhlrd phase, Lhe SeCW conLlnues Lo perform lLs baslc Lask ln proLecLlng Lhe radlo-Lo-core llnk, buL lL also has Lo provlde Lhe processlng power, laLency, and Lrafflc opLlmlzaLlon needed Lo supporL new servlces, as well as Lhe scalablllLy and lnLeroperablllLy requlred Lo operaLe ln more complex envlronmenLs. TF Concluslons ;),$%.$#/4 012 /%$3,)G7 +8)#/4 4),3$" (/+ %K,58$#,/ SecurlLy and, more generally, neLwork proLecLlon from unexpecLed hlgh-Lrafflc evenLs has galned a hlgher prlorlLy sLaLus ln L1L as moblle neLworks become easler and more aLLracLlve LargeLs for mallclous aLLacks, and more vulnerable Lo slgnallng and daLa Lrafflc overload LhaL can dlsrupL or compleLely block neLwork access. WlLhln Lhe conLexL of L1L securlLy, Lhe radlo-Lo-core llnk has Lo be proLecLed Lo ensure end-Lo-end neLwork securlLy. lsec has emerged as Lhe de facLo sLandard Lo secure Lhe radlo-Lo-core llnk. 1he SeCW ls a cruclal enabler Lo provlde Lhe scalablllLy, processlng and aggregaLlon capablllLles, Lhe performance, and Lhe funcLlonallLy Lo supporL lsec. lsec wlLh Lhe supporL of a SeCW aL Lhe moblle core edge ls Lhe soluLlon LhaL 3C sLrongly recommends and LhaL operaLors worldwlde have sLarLed Lo deploy ln mosL of Lhelr new L1L neLworks. 8uL Lhey face mulLlple cholces on how Lo deploy lsec and !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L @ ABCD Senza Fili Consulting www.senzafiliconsulting.com E9E SeCWs ln Lerms of Lopology, performance, cosL and funcLlonallLy as Lhey move Lhrough Lhe Lhree phases launch, growLh, advanced servlces from Lhelr lnlLlal L1L launches Lo more maLure and heavlly used neLworks. AL launch, whaL maLLers mosL Lo operaLors ls Lhe baslc funcLlonallLy of Lhe SeCW ln LermlnaLlng Lhe lsec Lunnel and provldlng muLual auLhenLlcaLlon wlLh Lhe en8. As Lrafflc grows and new servlces are lnLroduced, Lhe funcLlonallLy of Lhe SeCW ls slaLed Lo evolve and expand. 1he poslLlon of Lhe SeCW beLween Lhe 8An and Lhe LC ls ldeal Lo supporL funcLlons LhaL go beyond proLecLlon from mallclous aLLacks, Lo lnclude managemenL of conLrol-plane and user-plane Lrafflc overload, coordlnaLlon of 8An moblllLy, and Lrafflc flow opLlmlzaLlon. A scalable soluLlon LhaL allows moblle operaLors Lo smooLhly evolve Lo meeL Lhelr anLlclpaLed and unanLlclpaLed radlo-Lo-core requlremenLs ls cruclal Lo malnLalnlng performance and cosL and keeplng Lhe rlsks (and cosLs) of dlsrupLlon Lo a mlnlmum, wlLhouL compromlslng Lhe safeLy and lnLegrlLy of Lhelr neLworks. UF Clossary 2C Second generaLlon 3C 1hlrd generaLlon 3C 1hlrd CeneraLlon arLnershlp ro[ecL CCM CoordlnaLed mulLlpolnL elClC Lnhanced lnLer-cell lnLerference coordlnaLlon en8 enode8 LC Lvolved packeL core Cx lnLerface beLween Lhe C8l and Lhe CW Cy lnLerface beLween Lhe CW and Lhe CCS PSS Pome subscrlber server l lnLerneL proLocol lsec l securlLy L1L Long Lerm evoluLlon L1L-uu lnLerface beLween Lhe uL and Lhe en8 M2M Machlne Lo machlne MML MoblllLy managemenL enLlLy MnC Moblle neLwork operaLor MvnC Moblle vlrLual neLwork operaLor nCMn nexL CeneraLlon Moblle neLworks [Alllance] CCS Cnllne charglng sysLem CS CperaLlng sysLem C8l ollcy and charglng rules funcLlon CW ackeL gaLeway CoL CuallLy of experlence CoS CuallLy of servlce 8An 8adlo access neLwork 8CS 8lch communlcaLlon servlces S1 L1L lnLerface beLween an en8, and an MML (S1-MML, conLrol plane) or an SCW (S1-u, user plane) S11 lnLerface beLween Lhe MML and Lhe SCW S3/8 lnLerface beLween Lhe SCW and Lhe CW S6a lnLerface beLween Lhe MML and Lhe PSS SeCW SecurlLy gaLeway SCl L1L lnLerface beLween Lhe CW and Lhe lnLerneL SCW Servlng gaLeway Sp lnLerface beLween Lhe PSS and C8l uL user equlpmenL voL1L volce over L1L x2 L1L lnLerface beLween Lwo en8s, lncludlng x2-C (conLrol plane) and x2-u (user plane) !"#$% '('%) 8adlo-Lo-core proLecLlon ln L1L 2013 Senza Fili Consulting, LLC. All rights reserved. This white paper was prepared on behalf of Stoke Inc. The views and statements expressed in this document are those of Senza Fili Consulting LLC, and they should not be inferred to reflect the position of Stoke Inc. The document can be distributed only in its integral form and acknowledging the source. No selection of this material may be copied, photocopied, or duplicated in any form or by any means, or redistributed without express written permission from Senza Fili Consulting. While the document is based upon information that we consider accurate and reliable, Senza Fili Consulting makes no warranty, express or implied, as to the accuracy of the information in this document. Senza Fili Consulting assumes no liability for any damage or loss arising from reliance on this information. Trademarks mentioned in this document are property of their respective owners. Cover page photo by Gui Jun Peng/Shutterstock. AbouL SLoke SLoke provldes markeL-proven moblle gaLeway soluLlons Lo Lhe broadband neLwork lndusLry. SLoke producLs have been chosen by 1ler 1 moblle neLwork operaLors for Lechnlcal excellence and hlgh quallLy manufacLurlng and parLners wlLh leadlng lndusLry equlpmenL provlders and sysLems lnLegraLors Lo provlde key elemenLs of Lhelr soluLlons. SLoke ls Lhe lndusLry leader ln deployed L1L securlLy gaLeways and offers exLenslve commerclal experlence developlng, deploylng and malnLalnlng L1L securlLy gaLeway equlpmenL ln a Lop Ller L1L neLwork. SLoke producLs and soluLlons, based on Lhe lnnovaLlve SSx plaLform, provlde a sLrong buslness value Lo neLwork operaLors. lor more lnformaLlon, vlslL www.sLoke.com. AbouL Senza llll Senza llll provldes advlsory supporL on wlreless daLa Lechnologles and servlces. AL Senza llll we have ln- depLh experLlse ln flnanclal modellng, markeL forecasLs and research, whlLe paper preparaLlon, buslness plan supporL, 8l preparaLlon and managemenL, due dlllgence, and Lralnlng. Cur cllenL base ls lnLernaLlonal and spans Lhe enLlre value chaln: cllenLs lnclude wlrellne, flxed wlreless and moblle operaLors, enLerprlses and oLher verLlcal players, vendors, sysLem lnLegraLors, lnvesLors, regulaLors, and lndusLry assoclaLlons. We provlde a brldge beLween Lechnologles and servlces, helplng our cllenLs assess esLabllshed and emerglng Lechnologles, leverage Lhese Lechnologles Lo supporL new or exlsLlng servlces, and bulld solld, proflLable buslness models. lndependenL advlce, a sLrong quanLlLaLlve orlenLaLlon, and an lnLernaLlonal perspecLlve are Lhe hallmarks of our work. lor addlLlonal lnformaLlon, vlslL www.senzaflllconsulLlng.com or conLacL us aL lnfo[senzaflllconsulLlng.com or +1 423 637 4991. AbouL Lhe auLhor Monlca aollnl ls Lhe founder and presldenL of Senza llll. Monlca wrlLes exLenslvely on Lhe Lrends, Lechnologlcal lnnovaLlon, and flnanclal drlvers ln Lhe wlreless lndusLry ln reporLs, whlLe papers, blogs, and arLlcles. AL Senza llll, she asslsLs vendors ln galnlng a beLLer undersLandlng of Lhe servlce provlder and end user markeLs. She works alongslde servlce provlders ln developlng wlreless daLa sLraLegles, and ln assesslng Lhe demand for wlreless servlces. lndependenL advlce, a sLrong quanLlLaLlve approach, and an lnLernaLlonal perspecLlve are Lhe hallmarks of her work. Monlca has a hu ln CognlLlve Sclence from Lhe unlverslLy of Callfornla, San ulego, an M8A from Lhe unlverslLy of Cxford, and a 8A/MA ln hllosophy from Lhe unlverslLy of 8ologna (lLaly). She can be conLacLed aL monlca.paollnl[senzaflllconsulLlng.com. !"#$% &'#!()*+#,