
Feature Operational Description

This section describes the IPsec feature in more detail, including network configuration
requirements and operation flows.

2.1 Network Requirements


Confirm that the following network requirements are fulfilled at feature activation:

• The RBS node must be a DUW-based RBS 6000 running on W15.1 or later.
• The Operations Support System for Radio and Core (OSS-RC) release must be later than 15.1, which supports IPsec configuration, IPsec certificate handling, and Public Key Infrastructure (PKI) services.
• The security gateway in the network that the RBS communicates through must be compliant with RFCs 4301, 4303 and 4306 as they are profiled in 3GPP TS 33.210 and 3GPP TS 33.310.
• A license and a certificate for IPsec must be installed on the RBS to activate the IPsec function.

2.2 Feature Operation Sequence Diagram


The purpose of introducing IPsec is to enable secure communication between network
nodes over untrusted networks by creating a Virtual Private Network (VPN). This VPN can
then be used to protect the Iub and O&M traffic.

The following figure shows an example network scenario with IPsec. Three IP nodes
including RBS 1, RBS 2, and a security gateway are connected using IPsec tunnels
through a transport network. Each RBS has an outer IP host and an inner IP host.

Figure 1 Network View with IPsec Tunnels

The inner IP hosts connected using IPsec tunnels are part of an overlay IP network, and
the outer IP hosts are part of the transport network.
In each of the RBSs, traffic selectors define the traffic to be transported in tunnels
towards each of the other nodes. For example, for the tunnel between RBS 1 and SEG,
the traffic selectors in RBS 1 contain a local IP address range that includes the inner IP
address in RBS 1 and a remote IP address range that includes the inner IP address in the
OSS-RC or RNC. The traffic selectors in the security gateway contain a local IP address
range that includes the inner IP addresses in the OSS-RC or RNC and a remote IP
address range that includes the inner IP address in RBS 1.

An IKE relationship exists between RBS 1 and SEG and between RBS 2 and SEG. Each
node runs an IKE protocol entity that uses the node's outer IP host to communicate with
its IKE peer.

When IKEv2 sets up a child SA, a negotiation procedure is conducted to decide the traffic
selectors for the child SA. IPsec ensures that at any given time, the needed child SAs are
set up for the part of a traffic flow that is transported between two nodes.

IPsec provides the following:

• A clear separation between the address allocation in the private overlay network versus the RAN IP transport network.
• Encryption and integrity protection across the untrusted transport network so that a malicious user attached to the IP transport network cannot eavesdrop on the traffic or fake traffic towards the private network.

This is achieved by setting up an IPsec tunnel using ESP in tunnel mode. ESP provides
the encryption and tunnel mode provides the address separation.

A mobile network consists of many nodes, which makes manual configuration of preshared
keys an overwhelming O&M burden. Therefore, IKEv2 with certificate-based
authentication is used.

As indicated in the following figure, IPsec tunnel mode has different IP addresses for the
tunnel end-point and for the host that provides the IP bearer service access.

Figure 2 IPsec Addressing

The outer IP address is the address that terminates the IPsec tunnel. This is the address
in the headers of IP packets sent through the transport network.

The inner IP address is the address in the overlay VPN that the application uses to send
and receive all IPsec-protected traffic.

The same inner IP address is used for control plane, user plane, and network
synchronization traffic.
O&M and Iub must use separate inner IP interfaces, so separate IPsec tunnels for O&M
and Iub traffic are recommended.
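The following is an added illustration, not part of the original feature description, of the traffic selector lookup and tunnel-mode addressing described above for RBS 1: an inner packet is matched against the selectors of each tunnel, the chosen tunnel encapsulates it with the outer addresses, and the SEG's selectors are checked to be the mirror image of RBS 1's. All addresses, tunnel names and ranges are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TrafficSelector:
    local: str   # inner (overlay) address range on this node
    remote: str  # inner address range behind the peer


@dataclass(frozen=True)
class Tunnel:
    name: str
    outer_local: str  # tunnel endpoint on this node (transport network address)
    outer_peer: str   # tunnel endpoint on the peer
    ts: TrafficSelector


def matches(ts: TrafficSelector, src: str, dst: str) -> bool:
    """True if an inner packet src->dst falls inside the selector's local/remote ranges."""
    return ip_address(src) in ip_network(ts.local) and ip_address(dst) in ip_network(ts.remote)


def select_tunnel(tunnels, src: str, dst: str):
    """Return the first tunnel whose child SA selectors cover the flow, or None if no SA covers it."""
    for t in tunnels:
        if matches(t.ts, src, dst):
            return t
    return None


def encapsulate(tunnel: Tunnel, src: str, dst: str) -> dict:
    """Tunnel mode: the outer header carries the tunnel endpoints, the inner header sits in the ESP payload."""
    return {"outer_src": tunnel.outer_local, "outer_dst": tunnel.outer_peer,
            "esp_payload": {"inner_src": src, "inner_dst": dst}}


def mirrored(local_ts: TrafficSelector, peer_ts: TrafficSelector) -> bool:
    """Peer selectors must mirror ours so IKEv2 child SA negotiation agrees on the same flows."""
    return (ip_network(local_ts.local) == ip_network(peer_ts.remote)
            and ip_network(local_ts.remote) == ip_network(peer_ts.local))


# Constructed RBS 1 configuration: separate inner interfaces and tunnels for O&M and Iub,
# both terminating on the same outer host towards the SEG (constructed placeholder addresses).
RBS1_TUNNELS = [
    Tunnel("oam", "192.0.2.10", "192.0.2.1", TrafficSelector("10.0.1.10/32", "10.0.100.0/24")),  # to OSS-RC
    Tunnel("iub", "192.0.2.10", "192.0.2.1", TrafficSelector("10.0.2.10/32", "10.0.200.0/24")),  # to RNC
]
# Constructed SEG-side selector for the O&M tunnel: local/remote swapped relative to RBS 1.
SEG_TS_OAM = TrafficSelector("10.0.100.0/24", "10.0.1.10/32")
```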

The IPsec function is optional and subject to license control.
