Secure Mobile Back Haul
Abstract—The Long Term Evolution (LTE) architecture proposes a flat all-IP backhaul network. The 3rd Generation Partnership
Project (3GPP) has specified new security and traffic transport
requirements for the new LTE backhaul network. However, existing
LTE backhaul traffic architectures are incapable of achieving
these security requirements.
In this paper, we propose two secured Virtual Private Network
(VPN) architectures for LTE backhaul. Both architectures are
layer 3 Internet Protocol security (IPsec) VPNs which are built
using Internet Key Exchange version 2 (IKEv2) and Host Identity
Protocol (HIP). They are capable of fulfilling 3GPP security
requirements such as user authentication, user authorization,
payload encryption, privacy protection and IP based attack
prevention. We study various IP based attacks on LTE backhaul
and our proposed architectures can protect the backhaul network
from them.
I. INTRODUCTION
Affordable, truly accessible mobile broadband has matured with HSPA (High Speed Packet Access) and HSPA+, and
LTE/LTE-A will be used in the near future. However, the
LTE architecture proposes a flat all-IP backhaul network.
Furthermore, new security and traffic transport requirements
of LTE backhaul are specified by 3GPP. The motivation of
this research is to identify these security challenges of the LTE
backhaul and to provide a secured backhaul traffic architecture.
Additionally, various types of traffic will be transported by
the LTE backhaul starting from evolved nodeBs (eNBs), such
as S1-U traffic to the Service Gateway (SGW), S1-C traffic
to the Mobility Management Entity (MME), X2-U and X2-C traffic to other eNBs, etc. [1]. Two crucial traffic
transport issues arise from these different traffic types. The first
issue is to backhaul each traffic type to the correct destination.
The second is to provide different levels of Quality of
Service (QoS), priority and fault management
for different traffic types. A VPN based backhaul traffic
architecture is a promising solution to these issues.
Therefore, we propose two IPsec VPN architectures not only
to fulfill LTE backhaul security requirements but also to solve
the above traffic transport problems. This is the first secured
VPN architecture proposal for the LTE backhaul network.
Our first architecture is an IPsec tunnel mode VPN which
is built using IKEv2. Second architecture is an IPsec BEET
(Bound End-to-End Tunnel) mode VPN which is built using
HIP. Both architectures are able to secure the backhaul traffic
by fulfilling 3GPP security requirements for LTE backhaul
such as user authentication, authorization, payload encryption,
privacy protection and IP based attack prevention.
III. BACKGROUND
A. LTE Mobile Backhaul Network
The LTE transport network contains three sections, namely radio
access, backhaul and core network. Among them, the backhaul
network can be subdivided into an access network and an aggregation
network. Hence, the backhaul network extends from the first
transport equipment connecting cell sites (e.g. eNBs sites) to
the transport aggregation equipment connecting central sites
(e.g., SGWs/MME sites) [3]. In addition, several transport
interfaces (e.g. S1,X2) also belong to the backhaul network.
1) Security issues and protection requirements of LTE backhaul: LTE is about evolving to an all-IP architecture. This evolution introduces several security risks to the LTE backhaul.
Three main reasons have been identified for such security risks
[1], [2].
First, the LTE backhaul consists of IP-based control
and service elements (MME, SGW, eNBs) and interfaces (X2, S1).
As a result, several breaches and
IP based attacks on the backhaul become possible. For instance, an IP based
attack which originates in the access network could affect the core
gateways directly. Such risks were never seen in
previous non-IP mobile backhauls.
Second, the LTE backhaul network is now a carrier Ethernet
environment with hundreds or thousands of end nodes (eNBs).
Each node may have a different level of security, and these end
nodes provide plenty of potential entry points for intruders.
Thus, it is important to implement all network security features
by considering the LTE backhaul as a public network.
Third, the LTE backhaul does not have built-in security for
bearer data, unlike 2G/3G networks. Prior to
the LTE evolution, traffic in the backhaul network was secured
by radio network layer protocols. However, the air interface
encryption of user plane traffic is terminated at the eNBs
in the LTE architecture, so LTE backhaul traffic can be eavesdropped
by unauthorized users. Hence, the
3GPP standard [1] requires both signaling and data traffic
in the backhaul network to be encrypted.
B. IP security (IPsec)
IPsec is a protocol suite for securing the IP traffic of a network.
IPsec defines two new protocols: Authentication Header (AH)
and Encapsulating Security Payload (ESP) [6]. The AH protocol
ensures the authenticity of an IP packet. The ESP protocol ensures
authenticity and additionally encrypts the IP packet.
IPsec has three modes of operation. First, in transport mode,
the original IP header is retained and the IPsec
header is inserted between the IP header and the header of
the higher layer transport protocol. Second, in tunnel mode,
the entire IP packet is encapsulated in another IP
datagram and an IPsec header is inserted between the outer
and inner IP headers [6]. Third, Bound End-to-End Tunnel
(BEET) mode is a combination of transport and
tunnel modes. IPsec tunnel mode uses two pairs of addresses:
outer addresses for the wire and inner addresses for the application.
As inner addresses are fixed for the life time of a Security
modified BEX.
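To make the tunnel/BEET distinction above concrete, here is an added Python model (not code from the paper or from any IPsec implementation) of how the two modes place addresses on the wire. The `SecurityAssociation` dataclass, the header sizes and the sample eNB/SGW addresses are constructed assumptions; what it demonstrates is that BEET sends only the transport payload, so the receiver restores the inner addresses from the SA and each packet saves one inner IP header compared with tunnel mode, and that the outer (wire) addresses can be changed without the application-visible inner addresses changing.

```python
from dataclasses import dataclass

# Constructed sizes for the illustration (assumption): IPv4 header without
# options; ESP overhead = SPI + sequence number + IV + pad length + next
# header, with no integrity check value counted.
IPV4_HDR_LEN = 20
ESP_OVERHEAD = 8 + 16 + 2


@dataclass(frozen=True)
class Packet:
    """An application-level IP packet: addresses plus transport payload."""
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class SecurityAssociation:
    """Hypothetical SA state. Inner addresses are bound for the SA's lifetime;
    outer (wire) addresses may be updated without touching the inner ones."""
    spi: int
    inner_src: str
    inner_dst: str
    outer_src: str
    outer_dst: str


def tunnel_encap(sa, pkt):
    """Tunnel mode: the whole inner packet, inner IP header included, becomes
    the ESP payload, so every packet carries two IP headers on the wire."""
    inner_len = IPV4_HDR_LEN + len(pkt.payload)
    return {
        "outer": (sa.outer_src, sa.outer_dst),
        "spi": sa.spi,
        "inner": pkt,
        "wire_len": IPV4_HDR_LEN + ESP_OVERHEAD + inner_len,
    }


def tunnel_decap(sa, wire):
    """Tunnel mode receiver: the inner packet is taken from the ESP payload."""
    if wire["spi"] != sa.spi:
        raise ValueError("SPI does not match this SA")
    return wire["inner"]


def beet_encap(sa, pkt):
    """BEET mode: only the transport payload goes on the wire (transport-mode
    format); the inner addresses are implied by the SA and must match it."""
    if (pkt.src, pkt.dst) != (sa.inner_src, sa.inner_dst):
        raise ValueError("BEET SA is bound to fixed inner addresses")
    return {
        "outer": (sa.outer_src, sa.outer_dst),
        "spi": sa.spi,
        "payload": pkt.payload,
        "wire_len": IPV4_HDR_LEN + ESP_OVERHEAD + len(pkt.payload),
    }


def beet_decap(sa, wire):
    """BEET receiver: inner addresses are rebuilt from the SA, not the wire."""
    if wire["spi"] != sa.spi:
        raise ValueError("SPI does not match this SA")
    return Packet(sa.inner_src, sa.inner_dst, wire["payload"])


def per_packet_saving(sa, pkt):
    """Bytes saved per packet by BEET over tunnel mode (one inner IP header)."""
    return tunnel_encap(sa, pkt)["wire_len"] - beet_encap(sa, pkt)["wire_len"]


def rehome_outer(sa, new_outer_src):
    """Model an outer-address change on the same SA (assumption: the kind of
    update a HIP mobility exchange would drive); inner addresses are kept."""
    return SecurityAssociation(sa.spi, sa.inner_src, sa.inner_dst,
                               new_outer_src, sa.outer_dst)


if __name__ == "__main__":
    # Constructed sample: an eNB sending S1-U traffic to an SGW.
    sa = SecurityAssociation(0x1001, "10.0.0.10", "10.0.0.1",
                             "192.0.2.10", "192.0.2.1")
    pkt = Packet("10.0.0.10", "10.0.0.1", b"S1-U payload (constructed)")
    print("BEET saves", per_packet_saving(sa, pkt), "bytes per packet")
    moved = rehome_outer(sa, "192.0.2.77")
    print("same inner packet after outer move:",
          beet_decap(moved, beet_encap(moved, pkt)) == pkt)
```

The SPI check in both decapsulation paths is the minimum a receiver must do before trusting the addresses it restores; in a real stack the ESP integrity check would also run before the SA's inner addresses are applied to the packet.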
RESULTS
[Figure: Throughput (Mbps), 0–400, vs. Time (s); series: TLS/SSL, BEET Mode, Tunnel Mode]
can observe that both IPsec tunnel and BEET VPNs have
no throughput drop even under DDoS attack of 20 attackers.
However, the TLS/SSL VPN has no throughput (total packet drop)
during the DDoS attack. When the number of attackers
increases, total system down time also increases and the system
rapidly approaches zero throughput.
C. Impact of TCP reset attack
A TCP reset attack is an IP based attack where an attacker
sends fake TCP packets to endpoints with the reset bit set to
one. However, the attacker must include the correct IP addresses,
port numbers and a valid sequence number in the packet
header. Once a fake TCP packet matches these
parameters, the endpoint resets the ongoing TCP connection [11].
We model a TCP packet generator which has the same
data rate as the VPN users. The attacker sends fake TCP packets
(with no payload), increasing the sequence number until it
resets the attacked TCP connection. For each packet, the sequence
number is increased by the window size, which is 16384 (a typical
value for Cisco routers) [11].
[Figure: Throughput (Mbps), 0–400, vs. Time (s), 0–500; series: TLS/SSL, BEET Mode, Tunnel Mode]
[Figure: y-axis 0–0.9 vs. x-axis 2500–20000; series: TLS/SSL with 1, 2, 5, 10 and 20 attackers, BEET Mode]
[Figure: Throughput (Mbps), 0–400, vs. Time (s), 0–500; series: BEET Mode]
$$Time = \frac{WindowSize}{DataRate} \qquad (1)$$
We evaluated our architecture with these theoretical values
and Figure 8 shows that they have similar results. This verifies
the accuracy of our TCP reset attack simulation model. Here
we used a sequence number range of 2^32, a window size of 16384,
and the attacker packets are TCP packets without any payload.
The attackers' data rate was gradually increased from 50 Mbps to 500
Mbps. When the attackers' data rate increases, it lowers the
[Figure 8: Theoretical vs. Simulated; x-axis 50–500 (attacker data rate, Mbps), y-axis 0–1800]