Objectives
- Describe the SGSN-to-GGSN interface
- Discuss the GPRS tunnelling protocols
- Understand how GPRS provides data security across the PLMN
- Describe the components that can assist in securing the data
- Understand why ETSI chose IPSec together with Layer 2 tunnelling protocols such as L2TP
GTP is the protocol between GPRS Support Nodes (GSNs) in the UMTS/GPRS backbone network. It covers:
- GTP user data transfer procedures
- GTP signalling and control procedures
Two different types of tunnels are used: one for network signalling and control, the other for actual user data.
GTP is defined for the Gn interface (between GSNs of one PLMN) and for the Gp interface (between GSNs of different PLMNs). GTP allows multiprotocol packets to be tunnelled. It specifies a tunnel control and management protocol, GTP-C, which enables the SGSN to provide PDN access for a mobile station. GTP-C signalling is used to create, modify and delete tunnels.
In the transmission plane GTP uses a tunnelling mechanism, GTP-U, to carry user data packets. Both GTP-U and GTP-C are implemented by the SGSNs and GGSNs in the GPRS backbone.
As the GGSN may be linked to different kinds of PDNs, GTP enables multiprotocol packets to be tunnelled through the GPRS backbone on the Gn and Gp interfaces. GTP runs over TCP/IP for tunnelled protocols that need a reliable data link and over UDP/IP for those that do not.
Signalling plane
- Path management messages (Echo Request/Response)
- Tunnel management messages
- Location management messages
- Mobility management messages
Transmission plane
- Tunnels carry encapsulated tunnelled PDUs between a given GSN pair for individual mobile stations.
- The tunnel identifier (TID) in the GTP header indicates to which tunnel a particular PDU belongs.
The GTP header (GTP version 0, GSM 09.60) is a fixed-format, 20-octet header used for all GTP messages, signalling and user data alike.
- Version
- Spare: unused bits, set to all ones
- Message type: T-PDU (user data) or a signalling message
- Length: size of the GTP payload that follows the header
- Sequence number
- Flow label
- LLC frame number (SNDCP N-PDU number): used in the inter-SGSN routing update procedure to coordinate data transmission on the link between the mobile station and the SGSN
- Spare octets
- Tunnel identifier (TID)
Tunnelling refers to the encapsulation of the user's data packet within another packet. Packets arriving at the SGSN or GGSN are encapsulated packets whose outer header carries the source and destination support node addresses; the user's actual packet is not modified. This is what allows multiprotocol packets to be tunnelled. A tunnel is established when the SGSN activates a PDP context with the GGSN. The TID, unique to each tunnel, identifies it, and the SGSN and GGSN keep matching tables mapping TIDs to contexts. The tunnel is destroyed when the context is deactivated.
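As an added example (not part of the original slides), the following Python builds and parses the 20-octet GTP version 0 header described above, decodes the TID into its IMSI and NSAPI parts, and performs the table check a GSN does before forwarding a T-PDU: a packet whose TID is not in the PDP context table is dropped. Field layout and message-type values follow GSM 09.60; the IMSI, MS address and context table are constructed sample data.

```python
import struct

# GTP version 0 (GSM 09.60): fixed 20-octet header on every message.
GTP0_HEADER_LEN = 20
GTP0_UDP_PORT = 3386

# Message types from GSM 09.60 (subset).
MSG_ECHO_REQUEST = 1
MSG_ECHO_RESPONSE = 2
MSG_CREATE_PDP_CONTEXT_REQUEST = 16
MSG_CREATE_PDP_CONTEXT_RESPONSE = 17
MSG_DELETE_PDP_CONTEXT_REQUEST = 20
MSG_DELETE_PDP_CONTEXT_RESPONSE = 21
MSG_T_PDU = 255  # G-PDU: header followed by a tunnelled user packet


def encode_tid(imsi: str, nsapi: int) -> bytes:
    """TID = 15 IMSI digits in TBCD (odd digit in low nibble) + NSAPI in the high nibble of octet 8."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 15 decimal digits")
    if not 0 <= nsapi <= 15:
        raise ValueError("NSAPI must fit in 4 bits")
    nibbles = [int(d) for d in imsi] + [nsapi]
    return bytes(nibbles[i] | (nibbles[i + 1] << 4) for i in range(0, 16, 2))


def decode_tid(tid: bytes):
    if len(tid) != 8:
        raise ValueError("TID must be 8 octets")
    nibbles = []
    for octet in tid:
        nibbles.append(octet & 0x0F)
        nibbles.append(octet >> 4)
    return "".join(str(n) for n in nibbles[:15]), nibbles[15]


def build_gtp0(msg_type: int, payload: bytes, seq: int, flow_label: int, tid: bytes) -> bytes:
    # Octet 1: version (bits 8-6) = 0, PT (bit 5) = 1 for GTP, spare (bits 4-2) = 111, SNN (bit 1) = 0.
    flags = (0 << 5) | (1 << 4) | (0b111 << 1) | 0
    header = struct.pack("!BBHHHB3s8s", flags, msg_type, len(payload), seq, flow_label,
                         0xFF,             # SNDCP N-PDU number, 0xFF when SNN = 0
                         b"\xff\xff\xff",  # spare octets 10-12
                         tid)
    return header + payload


def parse_gtp0(packet: bytes) -> dict:
    if len(packet) < GTP0_HEADER_LEN:
        raise ValueError("short GTP packet")
    flags, msg_type, length, seq, flow_label, npdu, _spare, tid = struct.unpack(
        "!BBHHHB3s8s", packet[:GTP0_HEADER_LEN])
    version = flags >> 5
    if version != 0:
        raise ValueError(f"not a GTP version 0 header (version {version})")
    if length != len(packet) - GTP0_HEADER_LEN:
        raise ValueError("length field does not match payload size")
    imsi, nsapi = decode_tid(tid)
    return {"version": version, "pt": (flags >> 4) & 1, "snn": flags & 1, "msg_type": msg_type,
            "length": length, "seq": seq, "flow_label": flow_label, "npdu": npdu,
            "tid": tid, "imsi": imsi, "nsapi": nsapi, "payload": packet[GTP0_HEADER_LEN:]}


def deliver_t_pdu(packet: bytes, pdp_contexts: dict):
    """GSN-side check: a T-PDU is forwarded only if its TID maps to an active PDP context."""
    hdr = parse_gtp0(packet)
    if hdr["msg_type"] != MSG_T_PDU:
        return None
    ctx = pdp_contexts.get(hdr["tid"])
    if ctx is None:
        return None  # unknown tunnel: drop; the table is populated only by Create PDP Context
    return ctx["ms_address"], hdr["payload"]


if __name__ == "__main__":
    # Constructed sample: one active context, one T-PDU for it and one for an unknown TID.
    tid = encode_tid("262011234567890", 5)
    contexts = {tid: {"ms_address": b"\x0a\x00\x00\x01"}}
    pkt = build_gtp0(MSG_T_PDU, b"\x45" + b"\x00" * 39, seq=7, flow_label=0x1234, tid=tid)
    print(parse_gtp0(pkt)["imsi"], deliver_t_pdu(pkt, contexts) is not None)
    stray = build_gtp0(MSG_T_PDU, b"\x00" * 4, 1, 0, encode_tid("262019999999999", 5))
    print(deliver_t_pdu(stray, contexts))
```

The length check in parse_gtp0 is the kind of consistency test a GSN applies before trusting the header; the context lookup in deliver_t_pdu is the table mapping described above, and is all that separates a valid T-PDU from one with a made-up TID.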
GTP Identities
A many-to-many relationship exists between SGSNs and GGSNs, so multiple tunnels can exist at the same time, and different network applications on the same mobile can use different tunnels. Tables in the SGSN and GGSN hold identifiers that map a particular mobile's address to its NSAPI, TLLI and PDP context. During handover, when the mobile attaches to a different SGSN, queued packets are tunnelled to the new SGSN.
- Authentication Header (AH), Encapsulating Security Payload (ESP) and the Internet Security Association and Key Management Protocol (ISAKMP) can be applied in a straightforward way.
- L2TP does not provide robust security on its own, so it should be used in conjunction with IPSec to obtain a secure connection.
- L2TP supports both host-created and ISP-created tunnels.
IPSec
- is widely supported by the industry, which ensures interoperability and the availability of secure solutions for different types of end users
- all IPSec-compliant products from different vendors are required to be compatible
- provides transparent security, irrespective of the applications used
- is not limited to operating-system-specific solutions
- has an open architecture that allows newer, stronger cryptographic algorithms to be adopted easily
- includes a secure key management solution with digital certificate support
- is designed for ease of management and use
- used in conjunction with L2TP, provides secure remote access client-to-server communication
Packet-filtering techniques
- require access to clear text, both in the packet headers and in the packet payload
- when encryption is applied, some or all of the information the packet filters need (ports, protocol, payload) may no longer be available
- in most IPSec-based VPNs, packet filtering will therefore no longer be the principal method for enforcing access control
Authentication
AH (Authentication header)
- provides connectionless integrity and data origin authentication for an entire IP datagram
- authenticates the whole packet: payload plus the IP header fields that do not change in transit (mutable fields such as TTL and the header checksum are zeroed before the digest is computed)
- the actual message digest (integrity check value) is carried inside the AH itself
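The following Python is an added example, not from the original slides; it makes the point of the packet-filtering and AH slides concrete by decoding what a filter can still read from a plain UDP packet, an AH-protected packet and an ESP-protected packet. With AH the inner protocol and ports remain visible, so a port-based rule still works; with ESP only the SPI is in clear, so the rule has to be expressed in terms of the security association. All packets, addresses and SPIs are constructed; IP checksums and the AH ICV are dummy values and are not verified, since the purpose is to show which fields remain in clear text.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
GTP0_UDP_PORT = 3386  # GTP version 0 port, used here as the service the filter must permit


def ipv4(proto: int, payload: bytes, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    # Constructed test packet: IHL 5, header checksum left at 0 (not verified by this filter).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ah(next_header: int, spi: int, seq: int, icv: bytes, payload: bytes) -> bytes:
    # AH (RFC 2402): next header, payload length in 32-bit words minus 2, reserved, SPI, seq, ICV.
    # The ICV here is a dummy; a real one would be HMAC over the immutable header fields and payload.
    length_words = (12 + len(icv)) // 4
    return struct.pack("!BBHII", next_header, length_words - 2, 0, spi, seq) + icv + payload


def esp(spi: int, seq: int, ciphertext_and_icv: bytes) -> bytes:
    # ESP (RFC 2406): only SPI and sequence number are in clear; everything after is ciphertext.
    return struct.pack("!II", spi, seq) + ciphertext_and_icv


def visible_fields(packet: bytes) -> dict:
    """Return what a filter can read in clear text from the packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    info = {"src": packet[12:16], "dst": packet[16:20], "proto": proto}
    if proto == IPPROTO_AH:
        next_header, payload_len, _res, spi, seq = struct.unpack("!BBHII", body[:12])
        info.update(ah_spi=spi, ah_seq=seq, inner_proto=next_header)
        body = body[(payload_len + 2) * 4:]  # skip the AH, the inner header follows in clear
        proto = next_header
    if proto == IPPROTO_UDP:
        sport, dport, _len, _csum = struct.unpack("!HHHH", body[:8])
        info.update(sport=sport, dport=dport)
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        info.update(esp_spi=spi, esp_seq=seq)  # ports and payload are ciphertext
    return info


def filter_decision(packet: bytes, allowed_esp_spis: set) -> str:
    info = visible_fields(packet)
    if "dport" in info:  # clear text (plain UDP, or UDP behind AH): port rule applies
        return "ALLOW" if info["dport"] == GTP0_UDP_PORT else "DENY"
    if "esp_spi" in info:  # only the SA is visible: policy must hang off the SPI
        return "ALLOW" if info["esp_spi"] in allowed_esp_spis else "DENY"
    return "DENY"


if __name__ == "__main__":
    gtp_like = udp(GTP0_UDP_PORT, GTP0_UDP_PORT, b"\x1e\xff" + b"\x00" * 18)
    plain = ipv4(IPPROTO_UDP, gtp_like)
    with_ah = ipv4(IPPROTO_AH, ah(IPPROTO_UDP, 0x100, 1, b"\xaa" * 12, gtp_like))
    with_esp = ipv4(IPPROTO_ESP, esp(0x200, 1, b"\x00" * 32))
    for name, pkt in [("udp", plain), ("ah", with_ah), ("esp", with_esp)]:
        print(name, visible_fields(pkt), filter_decision(pkt, {0x200}))
```

With ESP the filter's only usable selector is the SPI, which is exactly the point of the packet-filtering slide: access control moves from port rules on the filter to the SA policy negotiated by IPSec.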
Security

The key technologies that comprise the security component of a VPN are:
- Access control, to guarantee the security of network connections.
- Encryption, to protect the privacy of data.
- Authentication, to verify the user's identity as well as the integrity of the data.
User authentication schemes in use include:
- Operating system username/password
- S/Key (one-time) password
- Remote Authentication Dial-In User Service (RADIUS)
- Strong two-factor, token-based schemes, which require two elements to verify a user's identity: a physical element in his or her possession (a hardware electronic token) and a memorised code (a PIN)
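Of the schemes listed, the S/Key one-time password is the one whose mechanism is worth seeing in code. The following Python is an added example, not from the original slides: it implements the S/Key idea (a hash chain where the server stores H^n and accepts a candidate only if hashing it once yields the stored value, then moves down the chain). It is simplified: SHA-256 replaces the MD4-based 64-bit fold of RFC 1760, and the passphrase, seed and chain length are constructed values.

```python
import hashlib
import hmac


def otp_hash(value: bytes) -> bytes:
    # Simplified one-way function. RFC 1760 folds MD4 to 64 bits; SHA-256 is used whole here.
    return hashlib.sha256(value).digest()


def otp_chain(passphrase: str, seed: str, count: int) -> bytes:
    """H^count(seed || passphrase): the client's i-th one-time password is otp_chain(pw, seed, i)."""
    value = (seed + passphrase).encode()
    for _ in range(count):
        value = otp_hash(value)
    return value


class SKeyVerifier:
    """Server side. Stores only the current top of the chain; never sees the passphrase."""

    def __init__(self, seed: str, count: int, stored: bytes):
        self.seed = seed
        self.count = count      # exponent of the stored value
        self.stored = stored    # H^count, supplied by the client at enrolment

    def challenge(self):
        # The client must answer with H^(count-1); seed and index are sent in clear.
        return self.seed, self.count - 1

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 1:
            return False  # chain exhausted: re-initialise with a fresh seed before accepting more
        if not hmac.compare_digest(otp_hash(candidate), self.stored):
            return False
        self.stored = candidate  # move down the chain; a replay of this value now fails
        self.count -= 1
        return True


def client_response(passphrase: str, seed: str, index: int) -> bytes:
    return otp_chain(passphrase, seed, index)


if __name__ == "__main__":
    # Constructed enrolment: client computes H^100 once and hands it to the server.
    pw, seed = "correct horse", "kv7a"
    server = SKeyVerifier(seed, 100, otp_chain(pw, seed, 100))
    s, idx = server.challenge()
    resp = client_response(pw, s, idx)
    print("login:", server.verify(resp))          # True
    print("replay of same OTP:", server.verify(resp))  # False
```

An eavesdropper who captures one response learns H^(count-1) but cannot invert the hash to obtain H^(count-2), the next password, which is why a sniffed one-time password on a dial-in link is useless to a replaying attacker; the exhaustion check matters because a server that keeps accepting at count 1 would compare against the raw seed-and-passphrase hash.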
Security
When evaluating VPN solutions, look for one that provides both data authentication and user authentication; a complete VPN solution supports both. Various cryptographic techniques can be used to ensure the privacy of information transmitted over an unsecured channel such as the Internet, as in the case of a VPN. The transmission mode used by the VPN solution determines which parts of the message are encrypted.
Security
The four transmission modes used in VPN solutions are:
- In-place transmission mode: only the data is encrypted and the packet size is not affected
- Transport mode: only the data is encrypted and the packet size increases
Wireless VPN
- roaming users
- selected wireless operators and geographical locations