This chapter contains general overview information about the Security Gateway (SecGW) running on an VPC-DI Virtualized Service Module (VSM) as a VPC-VSM instance.
The following topics are covered in this chapter:
The SecGW is a high-density IP Security (IPSec) gateway for mobile wireless carrier networks. It is typically used to secure backhaul traffic between the Radio Access Network (RAN) and the operator core network.
IPSec is an open standards set that provides confidentiality, integrity, and authentication for data between IP layer peers. The SecGW uses IPSec-protected tunnels to connect outside endpoints. SecGW implements the parts of IKE/IPSec required for its role in mobile networks.
The following types of LTE traffic may be carried over encrypted IPSec tunnels in the Un-trusted access domain:
S1-C and S1-U: Control and User Traffic between eNodeB and EPC
X2-C and X2-U: Control and User Traffic between eNodeBs during Handoff
SPs typically carry only Control Traffic, however there exists a case for carrying non-Internet User traffic over secured tunnels
The StarOS-based Security Gateway (SecGW) application is a solution for Remote-Access (RAS) and Site-to-Site (S2S) mobile network environments. It is implemented via StarOS as a WSG (Wireless Security Gateway) service that leverages the IPSec features supported by StarOS.
For complete descriptions of supported IPSec features, see the IPSec Reference.
The following IPSec features are supported by StarOS for implementation in an SecGW application:
Anti Replay
Certificate Management Protocol (CMPv2)
Session Recovery
Support for IKE ID Type
PSK support with up to 255 octets
Online Certificate Status Protocol (OCSP)
Blacklist/Whitelist by IDi
Rekey Traffic Overlap
CRL fetching with LDAPv3
Sequence Number based Rekey
PSK Support for up to 1000 Remote Secrets
Certificate Chaining
RFC 5996 Compliance
Duplicate Session Detection
Extended Sequence Number
The process recovery feature stores backup Security Association (SA) data in an AAA manager task. This manager runs on the SecGW where the recoverable tasks are located.
SecGW supports the following network deployment scenarios:
In a RAS scenario, a remote host negotiates a child SA with the SecGW and sends traffic inside the child SA that belongs to a single IP address inside the remote host. This is the inner IP address of the child SA. The outer IP address is the public IP address of the remote host. The addresses on the trusted network behind the SecGW to which the host talks could be a single IP or a network.
The figures below indicate traffic packet flows to and from the SecGW.
RFC 1853 – IP in IP Tunneling
RFC 2401 – Security Architecture for the Internet Protocol
RFC 2402 – IP Authentication Header
RFC 2406 – IP Encapsulating Security Payload (ESP)
RFC 2407 – The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408 – Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409 – The Internet Key Exchange (IKE)
RFC 3280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 3554 – On the Use of Stream Control Transmission Protocol (SCTP) with IPsec [Partially compliant, ID_LIST is not supported.]
RFC 4210 – Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
RFC 4306 – Internet Key Exchange (IKEv2) Protocol
RFC 4718 – IKEv2 Clarifications and Implementation Guidelines
RFC 5996 – Internet Key Exchange Protocol Version 2 (IKEv2)
X.509 Certificate Support – maximum key size = 2048
SecGW supports the protocols in the table below, which are specified in RFC 5996.
Protocol | Type | Supported Options | ||
---|---|---|---|---|
Internet Key Exchange version 2 |
IKEv2 Encryption |
DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256 |
||
IKEv2 Pseudo Random Function |
PRF-HMAC-SHA1, PRF-HMAC-MD5, AES-XCBC-PRF-128 |
|||
IKEv2 Integrity |
HMAC-SHA1-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192. HMAC-SHA2-512-256, HMAC-MD5-96, AES-XCBC-96 |
|||
IKEv2 Diffie-Hellman Group |
Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), Group 14 (2048-bit) |
|||
IP Security |
IPSec Encapsulating Security Payload Encryption |
NULL, DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256, AES-128-GCM-128, AES-128-GCM-64, AES-128-GCM-96, AES-256-GCM-128, AES-256-GCM-64, AES-256-GCM-96
|
||
Extended Sequence Number |
Value of 0 or off is supported (ESN itself is not supported) |
|||
IPSec Integrity |
NULL, HMAC-SHA1-96, HMAC-MD5-96, AES-XCBC-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192, HMAC-SHA2-512-256 HMAC-SHA2-384-192 and HMAC-SHA2-512-256 are not supported on vPC-DI and vPC-SI platforms if the hardware doesn't have crypto hardware. |