
SGSN-to-GGSN & GGSN-to-PDN Interface

Jarkko Mikkonen Mikko Lehto

Objectives

- Describe the SGSN-to-GGSN interface
- Discuss the GPRS tunnelling protocols
- Understand the way GPRS provides data security across the PLMN
- Describe the components that can assist in securing the data
- Understand why ETSI chose IPSec and other Layer 2 protocols

GPRS Tunneling protocol GTP

- Protocol between GPRS Support Nodes (GSNs) in the UMTS/GPRS backbone networks
- GTP user data transfer procedures
- GTP signaling and GTP control procedures
- Two different types of tunnels deal with either network signaling and control or actual user data.

GPRS Tunneling protocol GTP

- GTP is defined for the Gn interface and for the Gp interface.
- GTP enables multiprotocol packets to be tunneled.
- GTP specifies a tunnel control and management protocol, GTP-C, which enables the SGSN to provide PDN access for a mobile station. Signaling is used to create, modify and delete tunnels.

GPRS Tunneling protocol GTP

- In the transmission plane, GTP uses a tunneling mechanism, GTP-U, to provide a service for carrying user data packets.
- The GTP-U and GTP-C protocols are implemented by the SGSNs and GGSNs in the GPRS backbone.

GPRS Tunneling protocol GTP

- As the GGSN may be linked to different kinds of PDNs, GTP enables multiprotocol packets to be tunneled through the GPRS backbone on the Gn interface and the Gp interface.
- GTP utilizes TCP/IP for protocols that need a reliable data link and UDP/IP for protocols that do not need a reliable data link.

GPRS Tunneling protocol GTP

Signaling plane
- Path management messages (Echo Request/Response)
- Tunnel management messages
- Location management messages
- Mobility management messages

Transmission plane
- Tunnels are used to carry encapsulated tunneled PDUs between a given GSN pair for individual mobile stations.
- The key tunnel ID, present in the GTP header, indicates to which tunnel a particular PDU belongs.

GPRS Tunneling protocol GTP

- The GTP header is a fixed-format, 20-octet header used for all GTP messages.

GPRS Tunneling protocol GTP

- Version
- Spare: 1111, unused bits
- Message type: PDU or signaling message
- Length: size of the GTP message
- Sequence number
- Flow label
- LLC frame number: used in the inter-SGSN routing update procedure to coordinate the data transmission on the link between the mobile station and the SGSN
- Spare bits
- Tunnel identifier (TID)

GPRS Tunneling protocol GTP layer

- Tunneling refers to the encapsulation of a user's data packet within another packet.
- Packets that reach the SGSN or GGSN are encapsulated packets with the source and destination support node addresses in the outer packet's header. The actual information from the user is not modified.
- This is useful because it allows multiprotocol packets to be tunneled.
- Tunnels are established when the SGSN activates a PDP context with the GGSN.
- The TID identifies the tunnel and is unique to every tunnel. SGSN and GGSN tables are mapped.
- The tunnel is destroyed when the context is deactivated.

GTP Identities

- A many-to-many relationship exists between SGSNs and GGSNs. Therefore multiple tunnels can exist.
- Different network applications on the same mobile could use different tunnels.
- Tables in the SGSN and GGSN have identifiers that map a particular mobile address with its NSAPI, TLLI and PDP context.
- During handover, when the mobile attaches itself to a different SGSN, queued packets are tunneled to the new SGSN.
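As an added example (not from the slides), a Python encoder and parser for the 20-octet GTPv0 header listed on the header slide, including the TID that the SGSN and GGSN tables key on. The exact bit positions of the first octet and the encoding of the TID as IMSI digits plus NSAPI follow 3GPP TS 09.60 and are an assumption beyond the slide text; the parser rejects messages whose version or Length field does not match, which is the check a GSN or a Gp border filter should make before trusting a message.

```python
import struct

GTPV0_HEADER_LEN = 20   # fixed 20-octet header, as on the slide

def encode_tid(imsi: str, nsapi: int) -> bytes:
    """8-octet TID: up to 15 IMSI digits in BCD (low nibble first), unused
    digit positions filled with 0xF, NSAPI in the high nibble of the last
    octet (layout per 3GPP TS 09.60; an assumption beyond the slide text)."""
    digits = [int(c) for c in imsi] + [0xF] * (15 - len(imsi)) + [nsapi & 0xF]
    return bytes(digits[i] | (digits[i + 1] << 4) for i in range(0, 16, 2))

def decode_tid(tid: bytes):
    digits = [n for b in tid for n in (b & 0xF, b >> 4)]
    nsapi = digits.pop()
    return "".join(str(d) for d in digits if d != 0xF), nsapi

def build_gtpv0(msg_type, seq, flow, imsi, nsapi, payload=b"", npdu=0):
    """First octet: version 0, PT=1 (GTP, not GTP'), spare bits 111, SNN=0."""
    flags = (0 << 5) | (1 << 4) | (0b111 << 1) | 0
    fixed = struct.pack("!BBHHHB", flags, msg_type, len(payload), seq, flow, npdu)
    return fixed + b"\xff\xff\xff" + encode_tid(imsi, nsapi) + payload

def parse_gtpv0(pkt: bytes) -> dict:
    """Parse and validate a GTPv0 message; raises ValueError on anything a
    GSN or Gp border filter should drop rather than act on."""
    if len(pkt) < GTPV0_HEADER_LEN:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, seq, flow, npdu = struct.unpack("!BBHHHB", pkt[:9])
    if flags >> 5 != 0:
        raise ValueError(f"unexpected GTP version {flags >> 5}")
    payload = pkt[GTPV0_HEADER_LEN:]
    if length != len(payload):        # Length counts the bytes after the header
        raise ValueError(f"length field {length} != payload length {len(payload)}")
    imsi, nsapi = decode_tid(pkt[12:20])
    return {"type": msg_type, "seq": seq, "flow_label": flow, "npdu": npdu,
            "snn": flags & 1, "imsi": imsi, "nsapi": nsapi, "payload": payload}

def is_valid_gtpv0(pkt: bytes) -> bool:
    try:
        parse_gtpv0(pkt)
        return True
    except ValueError:
        return False

# Constructed sample: a T-PDU (message type 255) carrying a 20-byte dummy IP packet
T_PDU = build_gtpv0(255, 8, 0x1234, "234150999999999", 5, payload=b"\x45" + b"\x00" * 19)
```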

Virtual Private Network - VPN

GPRS must support access to private networks. Corporations expect convenient but secure access from wireless data networks. Roaming mobile corporate users should have secure, trusted access to the company's data vaults. The term Wireless VPN is used to describe such an environment.

Virtual Private Network - VPN

VPNs are owned by carriers, but are used by customers as if they owned them. VPNs provide the benefits of a dedicated network without the expense of deploying and maintaining equipment and facilities. A GPRS VPN operator provides a range of services, from full outsourcing of the data network operation to providing selected parts of it, such as remote access or site connectivity. Access by remote mobile workers is becoming more important, and GPRS wireless access services make this possible. GPRS VPNs are based on standard IP protocols and feature seamless interoperability between providers.

Virtual Private Network - VPN

Password Authentication Procedure (PAP) and Challenge Handshake Authentication Protocol (CHAP) provide little security. PAP and CHAP are part of the basic Point-to-Point Protocol (PPP) suite and fall short of providing a true security procedure. PAP and CHAP are rudimentary procedures used to log onto a network, but hackers and crackers can easily defeat both.

Virtual Private Network - VPN

Layer 2 Tunnel Protocol (L2TP)

- Another variation of an IP encapsulation protocol. Encapsulating an L2TP frame inside a UDP packet creates an L2TP tunnel. This is encapsulated inside an IP packet whose source/destination addresses define the tunnel's ends. The IPSec protocols can then be applied to protect the data.
- Authentication Header (AH), Encapsulating Security Payload (ESP) and Internet Security Association and Key Management Protocol (ISAKMP) can be applied in a straightforward way.
- L2TP does not provide robust security; therefore it should be used in conjunction with IPSec to provide a secure connection.
- L2TP supports both host-created and ISP-created tunnels.

Virtual Private Network - VPN

IPSec
- is widely supported by the industry
- ensures interoperability and availability of secure solutions for different types and kinds of end users
- all IPSec-compliant products from different vendors are required to be compatible
- provides transparent security, irrespective of the applications used
- is not limited to operating system-specific solutions
- an open architecture provides easy adaptability of newer, stronger cryptographic algorithms
- includes a secure key management solution with digital certificate support
- guarantees ease of management and use
- used in conjunction with L2TP, provides secure remote-access client-to-server communication

Virtual Private Network - VPN

Packet-filtering techniques
- require access to clear text, both in the packet headers and in the packet payload
- when encryption is applied, some or all of the information needed by the packet filters may no longer be available
- in most IPSec-based VPNs, packet filtering will no longer be the principal method for enforcing access control

Authentication

AH (Authentication Header)
- is used to provide connectionless integrity and data origin authentication for an entire IP datagram
- authenticates the entire packet
- the actual message digest is inside the AH

ESP (Encapsulating Security Payload)
- provides authentication and encryption for IP datagrams, with the encryption algorithm used determined by the user
- doesn't authenticate the outer IP header
- the actual message digest is inserted at the end of the packet
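An added illustration (not from the slides) of the AH/ESP difference just listed: the integrity check value is computed over the whole datagram and placed inside the AH, but over only the ESP header and payload and placed at the end of the packet. The packet layouts are simplified models of the real headers (ESP encryption is omitted, the AH mutable-field handling is reduced to TTL and checksum, and the key is a constructed sample), so the code shows the coverage difference rather than a wire-compatible implementation.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"   # constructed sample key, not from any real SA
ICV_LEN = 12                    # truncated HMAC, in the style of HMAC-SHA1-96 ICVs

def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    # minimal 20-octet IPv4 header; checksum left zero (a mutable field anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def immutable_part(ip_hdr: bytes) -> bytes:
    # AH covers the outer header with in-transit mutable fields (TTL, checksum) zeroed
    b = bytearray(ip_hdr)
    b[8], b[10:12] = 0, b"\0\0"
    return bytes(b)

def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def build_ah(src, dst, spi, seq, payload):
    ip = ipv4_header(src, dst, proto=51)                # 51 = AH
    ah = struct.pack("!BBHII", 4, 4, 0, spi, seq)       # next hdr, len, reserved, SPI, seq
    digest = icv(immutable_part(ip) + ah + payload)     # digest covers the entire datagram
    return ip + ah + digest + payload                   # and sits inside the AH

def verify_ah(pkt: bytes) -> bool:
    ip, ah, digest, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv(immutable_part(ip) + ah + payload), digest)

def build_esp(src, dst, spi, seq, payload):
    ip = ipv4_header(src, dst, proto=50)                # 50 = ESP
    esp = struct.pack("!II", spi, seq) + payload        # encryption omitted: integrity only
    return ip + esp + icv(esp)                          # digest at the end; outer IP not covered

def verify_esp(pkt: bytes) -> bool:
    esp, digest = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv(esp), digest)

def rewrite_outer_src(pkt: bytes, new_src: str) -> bytes:
    # models a third party altering the outer source address in transit
    return pkt[:12] + IPv4Address(new_src).packed + pkt[16:]

def demo() -> dict:
    payload = b"constructed inner datagram"
    ah = build_ah("10.0.0.1", "10.0.0.2", 0x100, 1, payload)
    esp = build_esp("10.0.0.1", "10.0.0.2", 0x200, 1, payload)
    spoofed_ah, spoofed_esp = (rewrite_outer_src(p, "192.0.2.9") for p in (ah, esp))
    return {"ah_valid": verify_ah(ah), "ah_after_rewrite": verify_ah(spoofed_ah),
            "esp_valid": verify_esp(esp), "esp_after_rewrite": verify_esp(spoofed_esp)}
```

Only AH rejects the packet whose outer source address was rewritten; ESP's check still passes because the outer IP header is outside its coverage, which is exactly why the slide notes that packet filters lose visibility and why the outer header must not be trusted on its own.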

Authentication

Security Association (SA)
- The IPSec standard dictates that, prior to any data transfer occurring, a Security Association (SA) must be negotiated between the two VPN nodes. The SA contains all the information required for execution of the various network security services.

The Internet Key Exchange (IKE)

Security

The key technologies that comprise the security component of a VPN are
- Access control, to guarantee the security of network connections
- Encryption, to protect the privacy of data
- Authentication, to verify the user's identity as well as the integrity of the data

Security

Some of the common user authentication schemes are
- Operating system username/password
- S/Key (one-time) password
- Remote Access Dial-In User Server (RADIUS) authentication scheme
- Strong two-factor, token-based scheme: requires two elements to verify a user's identity, a physical element in his or her possession (a hardware electronic token) and a code that is memorized (a PIN)

Security

- When evaluating VPN solutions, it is important to consider a solution that has both data authentication and user authentication mechanisms.
- A complete VPN solution supports both data authentication as well as user authentication.
- Various cryptographic techniques can be used to ensure the privacy of information transmitted over an unsecured channel such as the Internet, as in the case of a VPN.
- The transmission mode used in the VPN solution determines which pieces of the message are encrypted.

Security

The four transmission modes used in VPN solutions are
- In-place transmission mode: only the data is encrypted and the packet size is not affected
- Transport mode: only the data is encrypted and the packet size increases
- Encrypted tunnel mode: the IP header information and the data are encrypted
- Nonencrypted tunnel mode: nothing is encrypted

Wireless VPN

GPRS Virtual Private Network

A GPRS VPN shares many requirements with other VPNs.
- The remote user needs network access comparable to that of on-premise corporate computers.
- The remote user must be authenticated, possibly by both the access network and the corporation.
- There should be no eavesdropping on data flowing between the remote user and the corporation, nor should it be possible for the data to be altered by a third party.
- The presence of W-VPN users and the infrastructure to support them should not provide a conduit for an intruder to breach the corporate firewall.

GPRS Virtual Private Network

When a W-VPN is being considered, a corporation should evaluate several factors unique to the wireless world.
- security aspects: the air link security
- roaming users: selected wireless operators and geographical locations
- the performance of the air link: fading and multipath may reduce performance
- quality of service (QoS)
