sgsn-to-ggsn & ggsn-pdn
TRANSCRIPT
8/4/2019 SGSN-to-GGSN & GGSN-PDN
Slide 1: SGSN-to-GGSN & GGSN-to-PDN Interface
Jarkko Mikkonen, Mikko Lehto
Slide 2: Objectives
- Describe the SGSN-to-GGSN interface
- Discuss the GPRS tunnelling protocols
- Understand the way GPRS provides data security across the PLMN
- Describe the components that can assist in securing the data
- Understand why ETSI chose the use of IPSec and other Layer 2 protocols
Slide 3: GPRS Tunneling Protocol (GTP)
- Protocol between GPRS Support Nodes (GSNs) in the UMTS/GPRS backbone networks
- GTP-U: user data transfer procedures
- GTP-C: signaling and control procedures
- Two different types of tunnels deal with either network signaling & control or actual user data.
Slide 4: GPRS Tunneling Protocol (GTP)
- GTP is defined for the Gn interface and for the Gp interface.
- GTP enables multiprotocol packets to be tunneled.
- GTP specifies a tunnel control and management protocol, GTP-C, which enables the SGSN to provide PDN access for a mobile system. Signaling is used to create, modify and delete tunnels.
Slide 5: GPRS Tunneling Protocol (GTP)
- In the transmission plane GTP uses a tunneling mechanism, GTP-U, to provide a service for carrying user data packets.
- The GTP-U and GTP-C protocols are implemented by SGSNs and GGSNs in the GPRS backbone.
Slide 6: GPRS Tunneling Protocol (GTP)
- As the GGSN may be linked to different kinds of PDNs, GTP enables multiprotocol packets to be tunneled through the GPRS backbone on the Gn interface and the Gp interface.
- GTP utilizes TCP/IP for protocols that need a reliable data link and UDP/IP for protocols that do not need a reliable data link.
Slide 7: GPRS Tunneling Protocol (GTP)
Signaling plane
- Path management messages (Echo request/response)
- Tunnel management messages
- Location management messages
- Mobility management messages
Transmission plane
- Tunnels are used to carry encapsulated tunneled PDUs between a given GSN pair for individual mobile stations.
- The key tunnel ID, present in the GTP header, indicates to which tunnel a particular PDU belongs.
Slide 8: GPRS Tunneling Protocol (GTP)
- The GTP header is a fixed-format, 20-octet header used for all GTP messages.
Slide 9: GPRS Tunneling Protocol (GTP)
- Version
- Spare 1111, unused bits
- Message type, PDU or signaling message
- Length, size of the GTP message
- Sequence number
- Flow label
- LLC frame number, used in the inter-SGSN routing update procedure to coordinate the data transmission on the link between the mobile station and the SGSN
- Spare bits
- Tunnel identifier - TID
Slide 10: GPRS Tunneling Protocol (GTP) layer
- Tunneling refers to the encapsulation of a user's data packet within another packet.
- Packets that reach the SGSN or GGSN are encapsulated packets, with source and destination support node addresses in the outer packet's header.
- The actual information from the user is not modified. This is useful because it allows multiprotocol packets to be tunneled.
- Tunnels are established when the SGSN activates a PDP context with the GGSN. The TID identifies the tunnel and is unique to every tunnel. SGSN and GGSN tables are mapped.
- A tunnel is destroyed when the context is deactivated.
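Added example, not part of the original slides: a small Python encoder and parser for the fixed 20-octet GTPv0 header whose fields slide 9 lists, together with the encapsulation slide 10 describes (the user packet is carried untouched behind the header) and a validator of the kind a GTP-aware filter at the Gn/Gp border would run before accepting a datagram. The field widths, the spare-octet values, the TBCD layout of the TID (15 IMSI digits followed by the NSAPI nibble) and the UDP port 3386 come from GSM 09.60 rather than from the slides and are assumptions here; the IMSI, sequence numbers and T-PDU bytes used in demo() are constructed.

```python
import struct
from dataclasses import dataclass

# GTPv0 header layout as in GSM 09.60 (assumed; the slide names the fields only).
GTPV0_HEADER_LEN = 20
GTPV0_UDP_PORT = 3386        # assumption: GTPv0 well-known UDP port
MSG_ECHO_REQUEST = 1
MSG_ECHO_RESPONSE = 2
MSG_T_PDU = 255              # G-PDU: carries one user packet (T-PDU) unmodified


@dataclass
class GtpV0Header:
    version: int             # 3 bits, 0 for GTPv0
    protocol_type: int       # 1 = GTP, 0 = GTP' (charging)
    snn: int                 # 1 = the N-PDU number field is meaningful
    message_type: int
    length: int              # octets that follow the 20-octet header
    sequence_number: int
    flow_label: int
    npdu_number: int         # SNDCP N-PDU/LLC number (inter-SGSN routing update)
    tid: bytes               # 8 octets: IMSI (15 TBCD digits) + NSAPI nibble

    @property
    def imsi(self) -> str:
        return decode_tid(self.tid)[0]

    @property
    def nsapi(self) -> int:
        return decode_tid(self.tid)[1]


def encode_tid(imsi: str, nsapi: int) -> bytes:
    """TID = IMSI digits (TBCD, low nibble first) followed by the NSAPI nibble."""
    if len(imsi) != 15 or not imsi.isdigit() or not 0 <= nsapi <= 15:
        raise ValueError("IMSI must be 15 digits and NSAPI 0..15")
    nibbles = [int(c) for c in imsi] + [nsapi]
    return bytes(nibbles[i] | (nibbles[i + 1] << 4) for i in range(0, 16, 2))


def decode_tid(tid: bytes) -> tuple[str, int]:
    digits = []
    for i, octet in enumerate(tid):
        digits.append(octet & 0x0F)
        if i < 7:                    # high nibble of the last octet is the NSAPI
            digits.append(octet >> 4)
    return "".join(map(str, digits)), tid[7] >> 4


def build_gtpv0(message_type: int, seq: int, flow_label: int, tid: bytes,
                payload: bytes = b"", npdu_number: int = 0xFF, snn: int = 0) -> bytes:
    """Prepend the fixed header to a payload; the T-PDU itself is left untouched."""
    flags = (0 << 5) | (1 << 4) | (0b111 << 1) | (snn & 1)   # version 0, PT=GTP, spare 111
    fixed = struct.pack("!BBHHHB", flags, message_type, len(payload), seq, flow_label, npdu_number)
    return fixed + b"\xff\xff\xff" + tid + payload


def parse_gtpv0(datagram: bytes) -> tuple[GtpV0Header, bytes]:
    """Split a datagram into header and payload, refusing anything inconsistent."""
    if len(datagram) < GTPV0_HEADER_LEN:
        raise ValueError("truncated GTP header")
    flags, mtype, length, seq, flow, npdu = struct.unpack("!BBHHHB", datagram[:9])
    hdr = GtpV0Header(flags >> 5, (flags >> 4) & 1, flags & 1, mtype, length,
                      seq, flow, npdu, datagram[12:20])
    if hdr.version != 0:
        raise ValueError(f"not GTPv0 (version {hdr.version})")
    payload = datagram[GTPV0_HEADER_LEN:]
    if length != len(payload):
        raise ValueError(f"length field {length} != payload {len(payload)}")
    return hdr, payload


def validate_gtpv0(datagram: bytes) -> list[str]:
    """Sanity checks a border GTP filter could apply; an empty list means clean."""
    try:
        hdr, payload = parse_gtpv0(datagram)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if datagram[9:12] != b"\xff\xff\xff":
        problems.append("spare octets not all ones")
    if hdr.message_type == MSG_T_PDU and not payload:
        problems.append("T-PDU with empty payload")
    if hdr.message_type in (MSG_ECHO_REQUEST, MSG_ECHO_RESPONSE) and payload:
        problems.append("echo message carries unexpected payload")
    nibbles = [b & 0x0F for b in hdr.tid] + [b >> 4 for b in hdr.tid[:7]]
    if max(nibbles) > 9:
        problems.append("TID contains a non-decimal IMSI digit")
    return problems


def demo() -> dict:
    # Constructed values: a made-up IMSI, NSAPI 5 and a stand-in for the user's IP packet.
    tid = encode_tid("244123456789012", 5)
    gpdu = build_gtpv0(MSG_T_PDU, seq=7, flow_label=0x1234, tid=tid, payload=b"user-ip-packet")
    hdr, payload = parse_gtpv0(gpdu)
    return {
        "imsi": hdr.imsi, "nsapi": hdr.nsapi, "payload": payload,
        "clean": validate_gtpv0(gpdu),
        "truncated": validate_gtpv0(gpdu[:-3]),
        "echo": validate_gtpv0(build_gtpv0(MSG_ECHO_REQUEST, 1, 0, bytes(8))),
    }


if __name__ == "__main__":
    print(demo())
```

The length check is the one that matters most at a border: a datagram whose length field disagrees with what actually arrived is either truncated or crafted, and either way should be dropped rather than forwarded into the backbone.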
Slide 11: GTP Identities
- A many-to-many relationship exists between SGSNs and GGSNs. Therefore multiple tunnels can exist.
- Different network applications on the same mobile could use different tunnels.
- Tables in the SGSN and GGSN have identifiers that map a particular mobile address with its NSAPI, TLLI and PDP context.
- During handover, when the mobile attaches itself to a different SGSN, queued packets are tunneled to the new SGSN.
Slide 12: Virtual Private Network - VPN
GPRS must support access to private networks. Corporations expect convenient but secure access from wireless data networks.
Roaming mobile corporate users should have secure, trusted access to the company's data vaults.
The term Wireless VPN is used to describe such an environment.
Slide 13: Virtual Private Network - VPN
VPNs are owned by carriers, but are used by customers as if they owned them.
VPNs provide the benefits of a dedicated network without the expense of deploying and maintaining equipment and facilities.
A GPRS VPN operator provides a range of services, from full outsourcing of the data network operation to providing selected parts of it, like remote access or site connectivity.
Access by remote mobile workers is becoming more important; GPRS wireless access services make this possible.
GPRS VPNs are based on standard IP protocols and feature seamless interoperability between providers.
Slide 14: Virtual Private Network - VPN
Password Authentication Procedure (PAP) and Challenge Handshake Authentication Protocol (CHAP) provide little security.
PAP and CHAP are part of the basic Point-to-Point Protocol (PPP) suite and fall short of providing a true security procedure.
PAP & CHAP are rudimentary procedures used to log on to a network, but hackers and crackers can easily defeat both.
Slide 15: Virtual Private Network - VPN
- Layer 2 Tunnel Protocol (L2TP)
  - Another variation of an IP encapsulation protocol. Encapsulating an L2TP frame inside a UDP packet creates an L2TP tunnel. This is encapsulated inside an IP packet whose source/destination addresses define the tunnel's ends. Now IPSec protocols can be applied to protect the data.
  - Authentication Header (AH), Encapsulated Security Payload (ESP) and Internet Security Association and Key Management Protocol (ISAKMP) can be applied in a straightforward way.
  - L2TP does not provide robust security; therefore it should be used in conjunction with IPSec to provide a secure connection.
  - L2TP supports both host-created and ISP-created tunnels.
Slide 16: Virtual Private Network - VPN
- IPSec
  - is widely supported by the industry
  - ensures interoperability and availability of secure solutions for different types and kinds of end users
  - all IPSec-compliant products from different vendors are required to be compatible
  - provides transparent security, irrespective of the applications used
  - is not limited to operating system-specific solutions
  - an open architecture provides easy adaptability of newer, stronger cryptographic algorithms
  - includes a secure key management solution with digital certificate support
  - guarantees ease of management and use
  - used in conjunction with L2TP, provides secure remote access client-to-server communication
Slide 17: Virtual Private Network - VPN
- Packet-filtering techniques
  - require access to clear text, both in the packet headers and in the packet payload
  - when encryption is applied, some or all of the information needed by the packet filters may no longer be available
  - in most IPSec-based VPNs, packet filtering will no longer be the principal method for enforcing access control
Slide 18: Authentication
- AH (Authentication Header)
  - is used to provide connectionless integrity and data origin authentication for an entire IP datagram
  - authenticates the entire packet
  - the actual message digest is inside the AH
- ESP (Encapsulating Security Payload)
  - provides authentication and encryption for IP datagrams, with the encryption algorithm used determined by the user
  - doesn't authenticate the outer IP header
  - the actual message digest is inserted at the end of the packet
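The AH and ESP bullets above come down to what the integrity check value covers. The following is an added example, not from the original slides, of a deliberately simplified Python model of the two tunnel-mode layouts: the cipher is left out (ESP receives an opaque, constructed ciphertext), the ICV is HMAC-SHA256 truncated to 96 bits as a stand-in for the HMAC-SHA1-96 used in practice, the outer IPv4 checksum is left zero, and the mutable-field handling follows RFC 4302. Keys, addresses and packet contents are all constructed. demo() shows that a rewritten outer destination address is caught by AH but passes ESP, that a TTL decrement in transit does not break AH, and that both catch a modified payload.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12                          # 96-bit truncated ICV (toy: HMAC-SHA256)
IPV4_FMT = "!BBHHHBBH4s4s"            # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-octet outer IPv4 header; checksum left zero in this model."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _zero_mutable(ip_hdr: bytes) -> bytes:
    """AH zeroes fields that legitimately change in transit (TOS, flags/fragment,
    TTL, checksum) before computing the ICV; the addresses stay covered."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4_FMT, *f)


def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, inner: bytes, spi: int, seq: int) -> bytes:
    """AH tunnel mode: outer IP | AH(next=4, len, spi, seq, ICV) | inner packet."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(inner))
    ah_fixed = struct.pack("!BBHII", 4, ah_len // 4 - 2, 0, spi, seq)
    icv = _icv(key, _zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + inner)
    return ip_hdr + ah_fixed + icv + inner


def ah_verify(key: bytes, packet: bytes) -> bool:
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, inner = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = _icv(key, _zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + inner)
    return hmac.compare_digest(expected, icv)


def esp_protect(key: bytes, src: str, dst: str, ciphertext: bytes, spi: int, seq: int) -> bytes:
    """ESP tunnel mode: outer IP | ESP(spi, seq) | ciphertext | ICV.
    The ICV covers the ESP header and ciphertext only, never the outer IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 8 + len(ciphertext) + ICV_LEN)
    return ip_hdr + esp_hdr + ciphertext + _icv(key, esp_hdr + ciphertext)


def esp_verify(key: bytes, packet: bytes) -> bool:
    esp, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(_icv(key, esp), icv)


# Three in-transit modifications: one legitimate (a router hop), two not.
def rewrite_dst(packet: bytes, new_dst: str) -> bytes:
    return packet[:16] + ipaddress.IPv4Address(new_dst).packed + packet[20:]


def decrement_ttl(packet: bytes) -> bytes:
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


def flip_byte(packet: bytes, index: int) -> bytes:
    return packet[:index] + bytes([packet[index] ^ 0xFF]) + packet[index + 1:]


def demo() -> dict:
    key = b"constructed-demo-key"            # constructed; real SA keys come from IKE
    inner = b"inner-ip-packet(constructed)"
    ah = ah_protect(key, "10.0.0.1", "10.0.0.2", inner, spi=0x100, seq=1)
    esp = esp_protect(key, "10.0.0.1", "10.0.0.2", b"opaque-ciphertext", spi=0x200, seq=1)
    return {
        "ah_ok": ah_verify(key, ah),
        "esp_ok": esp_verify(key, esp),
        "ah_survives_ttl_hop": ah_verify(key, decrement_ttl(ah)),
        "ah_detects_dst_rewrite": not ah_verify(key, rewrite_dst(ah, "10.0.0.9")),
        "esp_detects_dst_rewrite": not esp_verify(key, rewrite_dst(esp, "10.0.0.9")),
        "ah_detects_payload_flip": not ah_verify(key, flip_byte(ah, 44)),      # first inner byte
        "esp_detects_payload_flip": not esp_verify(key, flip_byte(esp, 28)),   # first ciphertext byte
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence is the one the slide states: with ESP alone, anything in the outer header (addresses included) can be changed by a middlebox without the receiver's ICV noticing, which is exactly why ESP traverses NAT and AH does not.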
Slide 19: Authentication
- Security Association (SA)
  - The IPSec standard dictates that prior to any data transfer occurring, a Security Association (SA) must be negotiated between the two VPN nodes.
  - The SA contains all the information required for execution of the various network security services.
- The Internet Key Exchange (IKE)
Slide 20: Security
The key technologies that comprise the security component of a VPN are
- Access control to guarantee the security of network connections.
- Encryption to protect the privacy of data.
- Authentication to verify the user's identity as well as the integrity of the data.
Slide 21: Security
Some of the common user authentication schemes are
- Operating system username/password
- S/Key (one-time) password
- Remote Access Dial-In User Server (RADIUS) authentication scheme
- Strong two-factor, token-based scheme
  - requires two elements to verify a user's identity: a physical element in his or her possession (a hardware electronic token) and a code that is memorized (a PIN)
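Added example, not from the original slides: the one-time password scheme behind the S/Key entry above (RFC 1760), reduced to its hash chain in Python. The original uses MD4 folded to 64 bits and a six-word encoding; this version substitutes SHA-256 and raw bytes so that the two properties that make it a one-time scheme stay visible: a captured password cannot be replayed, and the server record holds nothing from which the next password can be derived. The passphrase and seed in demo() are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hash_chain(passphrase: str, seed: str, n: int) -> bytes:
    """H^n(passphrase || seed): apply the one-way hash n times."""
    x = (passphrase + seed).encode()
    for _ in range(n):
        x = _h(x)
    return x


@dataclass
class SKeyRecord:
    """Server-side state: the seed, the current index and H^index, never the
    passphrase. The next accepted password is H^(index-1), so this record is
    useless to a thief unless they can invert H."""
    seed: str
    index: int
    current: bytes


def enroll(passphrase: str, n: int = 100, seed: Optional[str] = None) -> SKeyRecord:
    seed = seed if seed is not None else secrets.token_hex(8)
    return SKeyRecord(seed, n, hash_chain(passphrase, seed, n))


def needs_reenroll(record: SKeyRecord) -> bool:
    """At index 1 the next password would be H^0, i.e. the secret itself; stop there."""
    return record.index <= 1


def client_password(passphrase: str, record: SKeyRecord) -> bytes:
    """The client recomputes H^(index-1) from the seed and index the server
    presents in its challenge; the passphrase never leaves the client."""
    if needs_reenroll(record):
        raise RuntimeError("chain exhausted; re-enroll with a fresh seed")
    return hash_chain(passphrase, record.seed, record.index - 1)


def verify(record: SKeyRecord, candidate: bytes) -> bool:
    """Accept iff H(candidate) equals the stored H^index, then step the chain
    down by one so the same password can never be accepted again."""
    if needs_reenroll(record) or not hmac.compare_digest(_h(candidate), record.current):
        return False
    record.current = candidate
    record.index -= 1
    return True


def demo(n: int = 3) -> dict:
    passphrase = "correct horse battery staple"          # constructed
    record = enroll(passphrase, n=n, seed="constructed-seed")
    first = client_password(passphrase, record)
    results = {"first_login": verify(record, first)}
    results["replay_rejected"] = not verify(record, first)                       # same OTP again
    results["wrong_passphrase_rejected"] = not verify(record, client_password("wrong", record))
    second = client_password(passphrase, record)
    results["second_login"] = verify(record, second)
    results["exhausted"] = needs_reenroll(record)                                # n=3 gives two logins
    return results


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from the code: the server must update the record atomically on success (otherwise two concurrent logins could both be accepted with the same password), and the chain length n bounds the number of logins before re-enrollment, which is why exhaustion is checked explicitly rather than allowed to reach H^0.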
Slide 22: Security
- When evaluating VPN solutions, it is important to consider a solution that has both data authentication and user authentication mechanisms.
- A complete VPN solution supports both data authentication and user authentication.
- Various cryptographic techniques can be used to ensure the privacy of information transmitted over an unsecured channel such as the Internet, as in the case of a VPN.
- The transmission mode used in the VPN solution determines which pieces of the message are encrypted.
Slide 23: Security
The four transmission modes used in VPN solutions are
- In-place transmission mode
  - only the data is encrypted and the packet size is not affected
- Transport mode
  - only the data is encrypted and the packet size increases
- Encrypted tunnel mode
  - the IP header information and the data are encrypted
- Nonencrypted tunnel mode
  - nothing is encrypted
Slide 24: Wireless VPN
Slide 25: GPRS Virtual Private Network
- A GPRS VPN shares many requirements with other VPNs.
  - The remote user needs network access comparable to that of on-premise corporate computers.
  - The remote user must be authenticated, possibly by both the access network and by the corporation.
  - There should be no eavesdropping on data flowing between the remote user and the corporation, nor should it be possible for the data to be altered by a third party.
  - The presence of W-VPN users and the infrastructure to support them should not provide a conduit for an intruder to breach the corporate firewall.
Slide 26: GPRS Virtual Private Network
When a W-VPN is being considered, a corporation should evaluate several factors unique to the wireless world.
- security aspects
  - the air link security
- roaming users
  - selected wireless operators and geographical locations
- the performance of the air link
  - fading and multipath may reduce performance
  - quality of service (QoS)