SGSN-to-GGSN & GGSN-PDN


8/4/2019 SGSN-to-GGSN & GGSN-PDN

SGSN-to-GGSN & GGSN-to-PDN Interface

Jarkko Mikkonen, Mikko Lehto

Objectives

- Describe the SGSN-to-GGSN interface
- Discuss the GPRS tunnelling protocols
- Understand the way GPRS provides data security across the PLMN
- Describe the components that can assist in securing the data
- Understand why ETSI chose the use of IPSec and other Layer 2 protocols


GPRS Tunneling Protocol (GTP)

- Protocol between GPRS Support Nodes (GSNs) in the UMTS/GPRS backbone networks
- GTP user data transfer procedures
- GTP signaling and GTP control procedures
- Two different types of tunnels deal with either network signaling & control or actual user data.

GPRS Tunneling Protocol (GTP)

- GTP is defined for the Gn interface and for the Gp interface.
- GTP enables multiprotocol packets to be tunneled.
- GTP specifies a tunnel control and management protocol, GTP-C, which enables the SGSN to provide PDN access for a mobile station. Signaling is used to create, modify and delete tunnels.


GPRS Tunneling Protocol (GTP)

- In the transmission plane GTP uses a tunneling mechanism, GTP-U, to provide a service for carrying user data packets.
- The GTP-U and GTP-C protocols are implemented by SGSNs and GGSNs in the GPRS backbone.

GPRS Tunneling Protocol (GTP)

- As the GGSN may be linked to different kinds of PDNs, GTP enables multiprotocol packets to be tunneled through the GPRS backbone on the Gn interface and the Gp interface.
- GTP utilizes TCP/IP for protocols that need a reliable data link and UDP/IP for protocols that do not need a reliable data link.


GPRS Tunneling Protocol (GTP)

Signaling plane
- Path management messages (Echo Request/Response)
- Tunnel management messages
- Location management messages
- Mobility management messages

Transmission plane
- Tunnels are used to carry encapsulated tunneled PDUs between a given GSN pair for individual mobile stations.
- The key tunnel ID, present in the GTP header, indicates to which tunnel a particular PDU belongs.

GPRS Tunneling Protocol (GTP)

- The GTP header is a fixed-format, 20-octet header used for all GTP messages.


GPRS Tunneling Protocol (GTP)

- Version
- Spare: 1111, unused bits
- Message type: PDU or signaling message
- Length: size of the GTP message
- Sequence number
- Flow label
- LLC frame number: used in the inter-SGSN routing update procedure to coordinate the data transmission on the link between the mobile station and the SGSN
- Spare bits
- Tunnel identifier (TID)

GPRS Tunneling Protocol (GTP) layer

- Tunneling refers to the encapsulation of a user's data packet within another packet.
- Packets that reach the SGSN or GGSN are encapsulated packets with source and destination support node addresses in the outer packet header.
- The actual information from the user is not modified. This is useful because it supports multiprotocol packets to be tunneled.
- Tunnels are established when the SGSN activates a PDP context with the GGSN. The TID identifies the tunnel and is unique to every tunnel. SGSN and GGSN tables are mapped.
- The tunnel is destroyed when the context is deactivated.
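As an added example (not part of the slides), a parser for the fixed 20-octet GTP header listed above, with the TID decoded into the IMSI and NSAPI that identify the tunnel. The octet layout, the BCD coding of the TID and the T-PDU message type value are assumed to follow the GTPv0 (GSM 09.60) format; the sample packet and IMSI are constructed.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 20        # fixed GTP header size from the slides
T_PDU = 255            # assumed GTPv0 message type for a tunneled user packet

@dataclass
class GtpV0Header:
    version: int
    protocol_type: int
    snn: int            # 1 if the LLC N-PDU number field is meaningful
    message_type: int
    length: int         # payload length, excluding the 20-octet header
    sequence: int
    flow_label: int
    npdu_number: int
    imsi: str           # 15 digits carried in the TID
    nsapi: int          # high nibble of the last TID octet

def encode_tid(imsi: str, nsapi: int) -> bytes:
    """Pack a 15-digit IMSI plus NSAPI into the 8-octet TID (BCD, low nibble first)."""
    nibbles = [int(c) for c in imsi] + [nsapi]        # 16 nibbles, NSAPI last
    return bytes((nibbles[2 * i + 1] << 4) | nibbles[2 * i] for i in range(8))

def parse_gtpv0(packet: bytes) -> GtpV0Header:
    """Decode the header and reject malformed packets with ValueError."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated GTP header")
    flags, mtype, length, seq, flow, npdu = struct.unpack("!BBHHHB", packet[:9])
    spare, tid = packet[9:12], packet[12:20]
    if spare != b"\xff\xff\xff" or (flags >> 1) & 0x7 != 0x7:
        raise ValueError("spare bits must be all ones")
    if length != len(packet) - HEADER_LEN:
        raise ValueError("length field does not match the payload")
    nibbles = [n for b in tid for n in (b & 0xF, b >> 4)]
    return GtpV0Header(flags >> 5, (flags >> 4) & 1, flags & 1, mtype, length, seq,
                       flow, npdu, "".join(map(str, nibbles[:15])), nibbles[15])

def is_well_formed(packet: bytes) -> bool:
    """Boolean form of the same check, usable as a forwarding decision."""
    try:
        parse_gtpv0(packet)
        return True
    except ValueError:
        return False

# Constructed sample: T-PDU for IMSI 244120000000001 / NSAPI 5 with a 4-byte payload.
# First octet 0x1E = version 0, PT 1 (GTP), spare 111, SNN 0.
SAMPLE = (struct.pack("!BBHHHB", 0x1E, T_PDU, 4, 1, 2, 0xFF) + b"\xff\xff\xff"
          + encode_tid("244120000000001", 5) + b"\xde\xad\xbe\xef")
```

The length and spare-bit checks are the kind of validation a GTP-aware filter on the Gn or Gp interface performs before it maps a PDU to a tunnel table entry.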


GTP Identities

- A many-to-many relationship exists between SGSNs and GGSNs. Therefore multiple tunnels can exist.
- Different network applications on the same mobile could use different tunnels.
- Tables in the SGSN and GGSN have identifiers that map a particular mobile address with its NSAPI, TLLI and PDP context.
- During handover, when the mobile attaches itself to a different SGSN, queued packets are tunneled to the new SGSN.

Virtual Private Network (VPN)

GPRS must support access to private networks. Corporations expect convenient but secure access from wireless data networks.
Roaming mobile corporate users should have secure, trusted access to the company's data vaults.
The term Wireless VPN is used to describe such an environment.


Virtual Private Network (VPN)

VPNs are owned by carriers, but are used by customers as if they owned them.
VPNs provide the benefits of a dedicated network without the expense of deploying and maintaining equipment and facilities.
A GPRS VPN operator provides a range of services, from full outsourcing of the data network operation to providing selected parts of it, like remote access and site connectivity.
Access by remote mobile workers is becoming more important; GPRS wireless access services make this possible.
GPRS VPNs are based on standard IP and feature seamless interoperability between providers.

Virtual Private Network (VPN)

Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) provide little security.
PAP and CHAP are part of the basic Point-to-Point Protocol (PPP) suite and fall short of providing a true security procedure. PAP & CHAP are rudimentary procedures used to log onto a network, but hackers and crackers can easily defeat both.


Virtual Private Network (VPN)

- Layer 2 Tunnel Protocol (L2TP)
  - Another variation of an IP encapsulation protocol. Encapsulating an L2TP frame inside a UDP packet creates an L2TP tunnel. This is encapsulated inside an IP packet whose source/destination addresses define the tunnel ends. IPSec protocols can then be applied to protect the data.
  - Authentication Header (AH), Encapsulating Security Payload (ESP) and Internet Security Association and Key Management Protocol (ISAKMP) can be applied in a straightforward way.
  - L2TP does not provide robust security, therefore it should be used in conjunction with IPSec for providing a secure connection.
  - L2TP supports both host-created and ISP-created tunnels.

Virtual Private Network (VPN)

- IPSec
  - is widely supported by the industry
  - ensures interoperability and availability of secure solutions for different types and kinds of end users
  - all IPSec-compliant products from different vendors are required to be compatible
  - provides transparent security, irrespective of the applications used
  - is not limited to operating system-specific solutions
  - an open architecture provides easy adaptability of newer, stronger cryptographic algorithms
  - includes a secure key management solution with digital certificate support
  - guarantees ease of management and use
  - used in conjunction with L2TP, provides secure remote access client-to-server communication


Virtual Private Network (VPN)

- Packet-filtering techniques
  - require access to clear text, both in the packet headers and in the packet payload
  - when encryption is applied, some or all of the information needed by the packet filters may no longer be available
  - in most IPSec-based VPNs, packet filtering will no longer be the principal method for enforcing access control

Authentication

- AH (Authentication Header)
  - is used to provide connectionless integrity and data origin authentication for an entire IP datagram
  - authenticates the entire packet
  - the actual message digest is inside the AH
- ESP (Encapsulating Security Payload)
  - provides authentication and encryption for IP datagrams, with the encryption algorithm used determined by the user
  - doesn't authenticate the outer IP header
  - the actual message digest is inserted at the end of the packet
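An added example (not from the slides) contrasting what the AH and ESP integrity checks cover: AH over the whole datagram with the mutable IP fields zeroed, ESP over the ESP body alone. Keys, addresses and the payload are constructed, and HMAC-SHA256 truncated to 96 bits stands in for whatever integrity algorithm the SA would negotiate.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed; a real SA receives its keys from IKE

def ipv4_header(src: bytes, dst: bytes, ttl: int = 64) -> bytes:
    """Constructed minimal 20-octet IPv4 header (checksum left zero for the demo)."""
    return bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, ttl, 50, 0, 0]) + src + dst

def ah_icv(ip_header: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    """AH integrity check value over the whole datagram. Fields that routers
    legitimately rewrite in flight (TTL, header checksum) are zeroed first,
    as RFC 4302 prescribes (assumed here, not stated on the slides)."""
    hdr = bytearray(ip_header)
    hdr[8] = 0                    # TTL
    hdr[10:12] = b"\x00\x00"      # header checksum
    return hmac.new(key, bytes(hdr) + payload, hashlib.sha256).digest()[:12]

def esp_icv(ip_header: bytes, esp_body: bytes, key: bytes = KEY) -> bytes:
    """ESP integrity check value: covers only the ESP header, payload and
    trailer. The outer IP header is accepted here purely to make the
    contrast explicit; it is not an input to the digest."""
    return hmac.new(key, esp_body, hashlib.sha256).digest()[:12]

# Constructed sample: GSN-to-GSN outer addresses and an opaque tunneled payload.
SRC, DST, OTHER = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])
PAYLOAD = b"\x00\x01\x02\x03tunnelled-user-data"

def ah_rejects_rewritten_destination() -> bool:
    """A datagram whose outer destination was altered fails the AH check."""
    good = ah_icv(ipv4_header(SRC, DST), PAYLOAD)
    return ah_icv(ipv4_header(SRC, OTHER), PAYLOAD) != good

def ah_accepts_ttl_decrement() -> bool:
    """The per-hop TTL decrement does not break AH, because TTL is mutable."""
    return ah_icv(ipv4_header(SRC, DST, 64), PAYLOAD) == ah_icv(ipv4_header(SRC, DST, 63), PAYLOAD)

def esp_ignores_rewritten_destination() -> bool:
    """The same outer-header rewrite leaves the ESP check value unchanged."""
    return esp_icv(ipv4_header(SRC, DST), PAYLOAD) == esp_icv(ipv4_header(SRC, OTHER), PAYLOAD)
```

The practical consequence is the slide's own point: with ESP, the outer header must be constrained by the SA selectors and by any remaining packet filters, not by the integrity check.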


Authentication

- Security Association (SA)
  - The IPSec standard dictates that prior to any data transfer occurring, a Security Association (SA) must be negotiated between the two VPN nodes.
  - The SA contains all the information required for execution of various network security services.
- The Internet Key Exchange (IKE)

Security

The key technologies that comprise the security component of a VPN are
- Access control to guarantee the security of network connections.
- Encryption to protect the privacy of data.
- Authentication to verify the user's identity as well as the integrity of the data.


Security

Some of the common user authentication schemes are
- Operating system username/password
- S/Key (one-time) password
- Remote Authentication Dial-In User Service (RADIUS) authentication scheme
- Strong two-factor, token-based scheme
  - requires two elements to verify a user's identity: a physical element in his or her possession (a hardware electronic token) and a code that is memorized (a PIN)

Security

- When evaluating VPN solutions, it is important to consider a solution that has both data authentication and user authentication mechanisms.
- A complete VPN solution supports both data authentication as well as user authentication.
- Various cryptographic techniques can be used to ensure the data privacy of information transmitted over an unsecured channel such as the Internet, as in the case of a VPN.
- The transmission mode used in the VPN solution determines which pieces of the message are encrypted.


Security

The four transmission modes used in VPN solutions are
- In-place transmission mode: only the data is encrypted and the packet size is not affected
- Transport mode: only the data is encrypted and the packet increases in size
- Encrypted tunnel mode: the IP header information and the data are encrypted
- Nonencrypted tunnel mode: nothing is encrypted

Wireless VPN


GPRS Virtual Private Network

- A GPRS VPN shares many requirements with other VPNs.
  - The remote user needs network access comparable to that of on-premise corporate computers.
  - The remote user must be authenticated, possibly by both the access network and by the corporation.
  - There should be no eavesdropping on data flowing between the remote user and the corporation, nor should it be possible for the data to be altered by a third party.
  - The presence of W-VPN users and the infrastructure to support them should not provide a conduit for an intruder to breach the corporate firewall.

GPRS Virtual Private Network

When a W-VPN is being considered, a corporation should evaluate several factors unique to the wireless world.
- security aspects
  - the air link security
- roaming users
  - selected wireless operators and geographical locations
- the performance of the air link
  - fading and multipath may reduce performance
  - quality of service (QoS)