Transmission Module LTE

1 © Nokia Siemens Networks RA4155-02A RL15TD eNB HOT – Transport

LTE Transport OvervieweNB Hands-on Training for Trial (RL15TD)

2 © Nokia Siemens Networks RA4155-02A RL15TD eNB HOT – transport

Nokia Siemens Networks Academy

Legal notice

Intellectual Property Rights

All copyrights and intellectual property rights for Nokia Siemens Networks training documentation, product documentation and slide presentation material, all of which are forthwith known as Nokia Siemens Networks training material, are the exclusive property of Nokia Siemens Networks. Nokia Siemens Networks owns the rights to copying, modification, translation, adaptation or derivatives including any improvements or developments. Nokia Siemens Networks has the sole right to copy, distribute, amend, modify, develop, license, sublicense, sell, transfer and assign the Nokia Siemens Networks training material. Individuals can use the Nokia Siemens Networks training material for their own personal self-development only, those same individuals cannot subsequently pass on that same Intellectual Property to others without the prior written agreement of Nokia Siemens Networks. The Nokia Siemens Networks training material cannot be used outside of an agreed Nokia Siemens Networks training session for development of groups without the prior written agreement of Nokia Siemens Networks.


Contents


EUTRAN Interfaces


Transport Security – New Threats

NB Server

Internet OperatorServices

UE

3G

RNC

3GPP U-plane security

Core

eNBServer


UE

LTE

U-plane security

Core

Core nodes and

adjacent eNB’s

can be attacked!

User traffic

can be

compromised!

Location of base station changes

Traditionally in secure, locked sites

In future increasingly in public places or homes

Attack methods evolve

Better attack tools are widely available

Higher processing power to break algorithms

More sophisticated attacks, done by professionals


IPSec with PKI is the Standardized Solution

• Relevant 3GPP standards

– TS 33.210 – Network Domain Security

– TS 33.310 – Authentication Framework

– TS 33.401 – Security Architecture

eNBServer


UE

Core

Security

Gateway

(SEG)

Security

Gateway

(SEG)

integrated in

Flexi BTS

IPSec tunnelCert Cert

Authentication

Confidentiality

Integrity protection

PKI: Public Key Infrastructure


Asymmetric Cryptography:Public & Private Keys

Document

Clear Text

BPUBLIC

KEYPRIVATE

KEY

B

Document

Clear Text

PRIVATE

KEY

BDocument

Clear Text

Document

Clear Text

BPUBLIC

KEY

Document

Clear Text

BPUBLIC

KEY FAILS !

Document

Clear Text

Interceptor

BPUBLIC

KEY

A B

Source: Raimund Kausl


Digital Certificate Concept

• It includes no secrets

• It is issued by a trusted authority which states “I guarantee that this particular public key is associated with this particular user, trust me!”

• It binds the entity’s identity to the public key

• It contains at least the

• Name of the user respectively subject –certificate owner

• A copy of the user’s public key

• Name of the trusted Authority respectively issuer – Certificate Authority (CA)

• Digital signature of the Certificate Authority

• A subject could be any end entity that has an unique identity like

• People

• Executable programs / SW

• Network elements like Web servers,a LTE Flexi Multiradio BTS ,…

Certificate for User “A”

“ I officially notarize the

association between this

particular user and particular

public key”

APUBLIC

KEY

Subjects Name: “A”

YourCertification Authority

Source: Raimund Kausl


User Plane Protocol Stack


Transport Overhead

GTP-U (without header extension) 8 bytes

UDP 8 bytes

IPv4 (transport) 20 bytes

IPSec ESP Header (SPI/Sequence Number) 8 bytes

AES Initialisation Vector 16 bytes

ESP Trailer (2-17 bytes, incl. 0-15 padding bytes, average 8

bytes) 10 bytes

IPSec Authentication (HMAC-SHA-1-96) 12 bytes

IPSec Tunnel mode IP header 20 bytes

Ethernet higher layer (incl. 4 bytes for VLAN) 22 bytes

Eth. Inter Frame Gap, Preamble/SFD 20 bytes

Total transport overhead 144 bytes


Dimensioning Based on Air Interface CapacityC

ell

pe

ak

Cell average

eN

B

tra

nsp

ort

All-AverageAll-Average/

Single-Peak

Peak

Rate!

All-Peak

Overb

ookin

g


Dimensioning Example: “All-Average/Single-Peak” Throughput 1+1+1/10MHz

Notes:

• Dimensioning: Max (3 x average rate, peak rate)

• M-plane (~1Mbit/s), C-plane (~0.3Mbit/s), X2 U-plane (~30ms bursts) not included

Air

Interface

eNB

92

29

Ethernet layer, with IPSec

Transport

Interface

3 cells, 10MHz, 2x2 MIMO

DL 18 Mbit/s net PHY average rate per cell

UL 7 Mbit/s net PHY average rate per cell

DL 77 Mbit/s net PHY peak rate per cell

UL 24 Mbit/s net PHY peak rate per cell

77

24

+20%

Transport to support the aggregated average capacity of all cells, while at least supporting the peak capacity of one cell


Dimensioning Example:“All-Peak” S1 Throughput 2+2+2/20MHz

Notes:

• Dimensioning: 6 x peak rate

• M-plane (~1Mbit/s), C-plane (~0.3Mbit/s), X2 U-plane (~30ms bursts) not included

Air

Interface

eNB

1100

340

918

282

Ethernet layer, with IPSec6 cells, 20MHz, 2x2 MIMO

DL 153 Mbit/s net PHY peak rate per cell

UL 47 Mbit/s net PHY peak rate per cell

Transport

Interface

Transport to support the aggregated peak capacity of all cells (“non-blocking”)

+20%


Quality of Service Requirements

QCI Resource Type Priority

Packet Delay

Budget

Packet Loss

Rate Example Services

1 GBR 2 100 ms 10-2 Conversational Voice

2 GBR 4 150 ms 10-3 Conversational Video (Live Streaming)

3 GBR 5 300 ms 10-6

Non-Conversational Video (Buffered

Streaming)

4 GBR 3 50 ms 10-3 Real Time Gaming

5 Non-GBR 1 100 ms 10-6 IMS Signaling

6 Non-GBR 7 100 ms 10-3

Voice, Video (Live Streaming) Interactive

Gaming

7 Non-GBR 6 Video (Buffered Streaming)

8 Non-GBR 8 300 ms 10-6

TCP-based (e.g., www, e-mail, chat, ftp, p2p

file sharing, progressive video, etc.)

9 Non-GBR 9

LTE User Plane QoS Requirements


Synchronization via Transport Network


LTE Radio to Transport QoS Mapping


Packet Scheduling


Traffic Prioritization


Flexi Multiradio BTS IP Address Model (1/2)

S1/X2 U-plane application

S1/X2 C-plane application

S-plane application

M-plane application

eNB

internal

routing

U

C

M

S

Binding to virtual address

Binding to interface address

eNB applications may be bound to

interface address(es) or virtual address(es)

Interface IP address

Virtual IP address

eNB

• The eNB can be configured with separate IP addresses for User, Control,Management and Synchronization Plane applications.


IP Addressing Examples

eNB applications may be bound to

interface address(es) or virtual address(es)

M

S

U

C

U

C

M

S

M

S

U

C

Application(s) bound to interface address(es) Application(s) bound to virtual address(es)

• Address sharing, i.e. configuration with the same IP address, is possible. In the simplest configuration, the eNB features a single IP address.

eNB

internal

routing

Virtual addressInterface address

Multiple interface addresses

Address sharing(Single address)


Flexi Multiradio BTS IP Address Model (2/2)

Interface address(es) may be assigned to

physical interface(s) or logical interface(s)

• Possible data link layer interface types are Ethernet (physical interface) or VLAN (logical interface)

– RL15TD supports one physical interface and max 4 logical interfaces

• Different interfaces belong to different IP subnets.

VLAN

(optional)

eNB

internal

routing

Interface address assigned to physical

interfaces

eNB

Physical interface

(Ethernet)

VLAN2

VLAN3

VLAN4

VLAN1

eNB

internal

routing

Interface addresses assigned to logical

interfaces

eNBPhysical interface

(Ethernet)

Logical interface (VLAN)


IP Addressing with IPSec Tunnel Mode

If IPSec Tunnel Mode is enabled, IPSec tunnel termination

is bound to an interface address

Application(s) bound to interface address

Collapsed "inner" and "outer" address

Application(s) bound to virtual address(es) ("inner“) address)

Tunnel terminated at the interface address ("outer“ address)

Tunnel3

Tunnel4

Tunnel2

Tunnel1

M

S

U

C

Multiple tunnels per eNB

IPSec

tunnel

U

C

M

S

Single tunnel per eNB

VLAN optional

Tunnel


U

C

M

S

eNB

internal

routing

VLAN optional


Recommendation

IP Addressing Example with VLAN and IPSec

• U/C/M-plane

– bound to virtual addresses

– forwarded via IPSec tunnel

– assigned to VLAN

• S-plane

– bound to interface address

– bypassing the IPSec tunnel

– assigned to the same VLAN

IPSec Tunnel

U

C

M

eNB

internal

routing

SVLAN

Separate interface IP address for IPSec tunnel termination,IP addresses per functional plane for traffic separation

Interface

IP address

Application

IP address

U C MUser plane Control plane Management

planeS Synchronization

plane


MME

SAE-GW

O&M

„X2 Star“ Architecture

– X2 traffic routed through (central) Security Gateway (SEG)

▪ No direct IPSec tunnels between eNBs

– Can be implemented with E-Line or E-Tree (both recommended)

eNB

eNB

X2-u/c

SEG

IPSec

tunnel

U

C

M

S


VLAN optional

Simplest configuration with single IP address


MME

SAE-GW

O&M

„X2 Star“ Use Case: „IP VPN“

IP

eNB

Separate IP addresses for IPSec tunnel terminationand applications

X2-u/c

SEG

IP VPN

Eth

ern

et

IPSEc tunnel: “outer” IP layer

IPSEc tunnel: “inner” IP layer

Tunnel


U

C

M

S

eNB

internal

routing

VLAN optional


MME

SAE-GW

O&M

„X2 Mesh“ Architecture(Not recommended)

– X2 traffic switched or routed in mobile backhaul network

▪ Direct IPSec tunnels between eNBs

– Requires E-LAN (not recommended)

eNB

X2-u/c

SEG


U

C

M

S

eNB

internal

routing

VLAN optional

X2 TunnelsS1 Tunnel


Architecture Comparison

• “X2 Mesh” with E-LAN

– Higher complexity

– Perceived advantages are questionable

▪ Marginal backhaul traffic savings

• X2 traffic <5%

▪ X2 latency optimization

• S1 transport should be designed for low latency anyhow

– „IP-VPN“ use case not possible with 3GPP Rel.8 ANR

“X2 Star” with E-Line / E-Tree

– Simpler Traffic Engineering

– Easier troubleshooting

– Impact of DoS attacks is limited to one eNB

Recommendation


Flexi Transport Sub-Module FTLB

Flexi Multiradio BTS

System Module

with

Flexi Transport sub-module

3 x GE 1)

4 x E1/T1/JT1 2)4)

High-capacity IPSec 3)4)

ToP (IEEE1588-2008), Sync Ethernet 4)

Ethernet switching 5)

1) 2 x GE electrical + 1 x GE optical via SFP module

2) E1/T1/JT1 interface for synchronization

3) IPSec HW capability: 2 Gbit/s DL+UL

4) SW support with RL15TD

Non-blocking throughput performance with IPSec

Industry-leading IPSec performance with FTLB

Date post:	02-Jan-2016
Category:	Documents
Upload:	cepillo
View:	68 times
Download:	0 times

Transmission Module LTE

Documents