SecGW Administration Guide, StarOS Release 21.6
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- January 25, 2018
Chapter: Security Gateway Overview
Security Gateway
Overview
This chapter contains general overview information about the Security Gateway (SecGW) running on an VPC-DI Virtualized Service Module (VSM) as a VPC-VSM instance.
The following topics are covered in this chapter:
Product Overview
The SecGW is a high-density IP Security (IPSec) gateway for mobile wireless carrier networks. It is typically used to secure backhaul traffic between the Radio Access Network (RAN) and the operator core network.
IPSec is an open standards set that provides confidentiality, integrity, and authentication for data between IP layer peers. The SecGW uses IPSec-protected tunnels to connect outside endpoints. SecGW implements the parts of IKE/IPSec required for its role in mobile networks.
The following types of LTE traffic may be carried over encrypted IPSec tunnels in the Un-trusted access domain:
-
S1-C and S1-U: Control and User Traffic between eNodeB and EPC
-
X2-C and X2-U: Control and User Traffic between eNodeBs during Handoff
-
SPs typically carry only Control Traffic, however there exists a case for carrying non-Internet User traffic over secured tunnels
SecGW Application
The StarOS-based Security Gateway (SecGW) application is a solution for Remote-Access (RAS) and Site-to-Site (S2S) mobile network environments. It is implemented via StarOS as a WSG (Wireless Security Gateway) service that leverages the IPSec features supported by StarOS.
For complete descriptions of supported IPSec features, see the IPSec Reference.
IPSec Capabilities
The following IPSec features are supported by StarOS for implementation in an SecGW application:
-
Anti Replay
-
Certificate Management Protocol (CMPv2)
-
Session Recovery
-
Support for IKE ID Type
-
PSK support with up to 255 octets
-
Online Certificate Status Protocol (OCSP)
-
Blacklist/Whitelist by IDi
-
Rekey Traffic Overlap
-
CRL fetching with LDAPv3
-
Sequence Number based Rekey
-
PSK Support for up to 1000 Remote Secrets
-
Certificate Chaining
-
RFC 5996 Compliance
-
Duplicate Session Detection
-
Extended Sequence Number
Process Recovery
The process recovery feature stores backup Security Association (SA) data in an AAA manager task. This manager runs on the SecGW where the recoverable tasks are located.
Network Deployment
SecGW supports the following network deployment scenarios:
Remote Access Tunnels
In a RAS scenario, a remote host negotiates a child SA with the SecGW and sends traffic inside the child SA that belongs to a single IP address inside the remote host. This is the inner IP address of the child SA. The outer IP address is the public IP address of the remote host. The addresses on the trusted network behind the SecGW to which the host talks could be a single IP or a network.
Packet Flow
The figures below indicate traffic packet flows to and from the SecGW.
Standards
Compliant
-
RFC 1853 – IP in IP Tunneling
-
RFC 2401 – Security Architecture for the Internet Protocol
-
RFC 2402 – IP Authentication Header
-
RFC 2406 – IP Encapsulating Security Payload (ESP)
-
RFC 2407 – The Internet IP Security Domain of Interpretation for ISAKMP
-
RFC 2408 – Internet Security Association and Key Management Protocol (ISAKMP)
-
RFC 2409 – The Internet Key Exchange (IKE)
-
RFC 3280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
-
RFC 3554 – On the Use of Stream Control Transmission Protocol (SCTP) with IPsec [Partially compliant, ID_LIST is not supported.]
-
RFC 4210 – Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
-
RFC 4306 – Internet Key Exchange (IKEv2) Protocol
-
RFC 4718 – IKEv2 Clarifications and Implementation Guidelines
-
RFC 5996 – Internet Key Exchange Protocol Version 2 (IKEv2)
-
Hashed Message Authentication Codes: - AES 96
- MD5
- SHA1/SHA2
-
X.509 Certificate Support – maximum key size = 2048
Supported Algorithms
SecGW supports the protocols in the table below, which are specified in RFC 5996.
| Protocol | Type | Supported Options | ||
|---|---|---|---|---|
|
Internet Key Exchange version 2 |
IKEv2 Encryption |
DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256 |
||
|
IKEv2 Pseudo Random Function |
PRF-HMAC-SHA1, PRF-HMAC-MD5, AES-XCBC-PRF-128 |
|||
|
IKEv2 Integrity |
HMAC-SHA1-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192. HMAC-SHA2-512-256, HMAC-MD5-96, AES-XCBC-96 |
|||
|
IKEv2 Diffie-Hellman Group |
Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), Group 14 (2048-bit) |
|||
|
IP Security |
IPSec Encapsulating Security Payload Encryption |
NULL, DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256, AES-128-GCM-128, AES-128-GCM-64, AES-128-GCM-96, AES-256-GCM-128, AES-256-GCM-64, AES-256-GCM-96
|
||
|
Extended Sequence Number |
Value of 0 or off is supported (ESN itself is not supported) |
|||
|
IPSec Integrity |
NULL, HMAC-SHA1-96, HMAC-MD5-96, AES-XCBC-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192, HMAC-SHA2-512-256 HMAC-SHA2-384-192 and HMAC-SHA2-512-256 are not supported on vPC-DI and vPC-SI platforms if the hardware doesn't have crypto hardware. |
Feedback