Data Architecture Proposal Mesa – ISSI Working Session/PSAWG Frédéric ROSIN - 11/01/2006
Outline • Introduction • Addressing Principles • Roaming • End-to-end encryption and compression • SNDCP adaptation • Architecture for external data servers connected beyond a data security gateway • Conclusion
Abbreviations
• AVL: Automatic Vehicle Location
• DNS: Domain Name Server
• ESP: Encapsulating Security Payload
• IP: Internet Protocol
• IPSec: Internet Protocol Security
• ISSI: Inter RFSS Interface
• KMF: Key Management Facility
• MDP: Mobile Data Peripheral
• MRC: Mobile Radio Controller (P25 Radio Terminal)
• OTAR: Over-The-Air Re-keying
• PDP context: Packet Data Protocol (SNDCP) context
• RFSS: Radio Frequency Sub-System
• SNDCP: Sub-network Dependent Convergence Protocol
• SPI: Security Parameters Index
• SU: Subscriber Unit
• SUID: Subscriber Unit Identity
• TCP: Transmission Control Protocol
• UDP: User Datagram Protocol
Introduction
• The existing packet data architecture is revisited in order to:
  • Support SU mobility between multiple RFSSs
  • Use the IP Security standard as the basis for end-to-end confidentiality
    • Justified by the need for interoperable equipment
  • Provide efficient compression
    • Compression has to be performed end-to-end, before end-to-end encryption
Where are the end-to-end encryption endpoints?
• In the MRCs
• In the Data Servers
(Figure: MRCs attached over the A and Um/Um2 interfaces to the P25 network, and the Data Servers attached to it via the Ed interface; the sub-system performing end-to-end encryption spans the MRCs and the Data Servers.)
Addressing principles
• Addressing is based on a P25 Mobile Sub-network concept
• Each SU shall be IP addressable in order to support Data Link Independent OTAR
• Each SU shall be able to connect to one or several IP-addressable MDPs for data transactions based on SNDCP
(Figure: the P25 Mobile Sub-Network comprises the MRC and its MDPs, attached to the RFSS over Um/Um2 (SNDCP).)
Addressing principles (cont'd)
• Each P25 Mobile Sub-network has one P25 address (the SUID of the MRC)
• Simple engineering rules in order to ease IP routing and to avoid further interoperability issues:
  • One IP subnet mask = an IP address | 0x03
  • IP subnet mask & 0xFC is the IP address of the MRC
  • The other addresses of the block are the IP addresses of the MDP(s)
• Once an IP address of an MRC or an MDP is activated (SNDCP activation), that IP address is reachable from anywhere by any device that knows of its existence
Addressing principles (cont'd)
• For data applications addressing the MRC (OTAR):
  • The SUID address can be used to retrieve the IP address by DNS resolution
  • An SU-initiated Hello procedure lets the KMF know when the IP address of the MRC is activated
• For requests to data servers:
  • When an MDP or an MRC initiates a request to a pre-provisioned IP address of a data server, the responder retrieves the source IP address from the received IP packet
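To make the 0x03 / 0xFC rule concrete, here is an added Python example (mine, not part of the deck and not code from any P25 product) that derives the MRC address, the MDP addresses and the routing prefix of a P25 Mobile Sub-network from any one of its addresses, and checks a provisioning table against the rules. The sample addresses are constructed; reading the two masks as a /30 prefix (four consecutive addresses per sub-network) is my interpretation of the slide, which is what `routing_prefix` relies on.

```python
import ipaddress


def _as_int(addr) -> int:
    return int(ipaddress.IPv4Address(addr))


def subnet_mask_value(addr) -> ipaddress.IPv4Address:
    """The deck's 'IP subnet mask' of the sub-network: a member address with its two low bits set."""
    return ipaddress.IPv4Address(_as_int(addr) | 0x03)


def mrc_address(addr) -> ipaddress.IPv4Address:
    """IP address of the MRC: the mask value & 0xFC, i.e. the member address with its two low bits cleared."""
    return ipaddress.IPv4Address(_as_int(addr) & 0xFFFFFFFC)


def mdp_addresses(addr) -> list:
    """The remaining three addresses of the block belong to the MDPs behind that MRC."""
    base = int(mrc_address(addr))
    return [ipaddress.IPv4Address(base + i) for i in (1, 2, 3)]


def role(addr) -> str:
    """Low bits 00 identify the MRC; 01, 10 and 11 identify MDPs."""
    return "MRC" if _as_int(addr) & 0x03 == 0 else "MDP"


def same_subnetwork(a, b) -> bool:
    return mrc_address(a) == mrc_address(b)


def routing_prefix(addr) -> str:
    """Route covering the whole mobile sub-network (assumption: the 0x03/0xFC rule is a /30)."""
    return str(ipaddress.ip_network(f"{addr}/30", strict=False))


def check_provisioning(mrc_to_mdps: dict) -> list:
    """Validate a provisioning table {MRC address: [MDP addresses]} against the rules.
    Returns human-readable violations (empty list when the table is consistent)."""
    problems = []
    seen_blocks = {}
    for mrc, mdps in mrc_to_mdps.items():
        if role(mrc) != "MRC":
            problems.append(f"{mrc} is not a valid MRC address (low bits must be 00)")
        block = routing_prefix(mrc)
        if block in seen_blocks:
            problems.append(f"{mrc} shares block {block} with {seen_blocks[block]}")
        seen_blocks[block] = mrc
        if len(mdps) > 3:
            problems.append(f"{mrc}: at most 3 MDPs fit in block {block}")
        for mdp in mdps:
            if not same_subnetwork(mrc, mdp) or role(mdp) != "MDP":
                problems.append(f"{mdp} is not an MDP address of MRC {mrc}")
    return problems


if __name__ == "__main__":
    # Constructed sample sub-network
    print(mrc_address("10.20.30.41"), mdp_addresses("10.20.30.41"), routing_prefix("10.20.30.41"))
    print(check_provisioning({"10.20.30.40": ["10.20.30.41", "10.20.30.42"]}))
```

`check_provisioning` is the kind of test a network engineer would run on the RFSS configuration before turning up data service: it catches an MRC provisioned on an MDP slot, two MRCs sharing a block, or an MDP assigned outside its MRC's block, all of which would break the "reachable from anywhere" property the slide relies on.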
IP Addressing and Roaming
• Routing of the outbound packets:
  • IP packets destined to an IP address of an MDP or an MRC are always first routed to the MRC's Home RFSS
  • When the MRC roams in a serving RFSS area, outbound IP packets have to be routed from the MRC's Home RFSS to the new serving RFSS area
  • Mobile IP has been designed for such a purpose
Mobile IP: main principles
• Mobile IP enables transparent routing of IP packets to a mobile endpoint over an IP network
• The mobile endpoint has a fixed IP address, the so-called "Home address", in a home network
• When moving outside the Home network, the mobile endpoint registers with mobility agents (a local foreign agent and the remote Home agent), which tunnel and route IP packets to the mobile host
  • Home agent: tunnels IP packets to the mobile endpoint and maintains the mobile's location information
  • Foreign agent: provides the IP routing function (IP de-tunneling) to the mobile endpoint once it is registered with the Home agent
Mobile IP: Outbound transmission (from an External Node to the mobile endpoint)
1- The external node sends an IP datagram to the mobile endpoint
2- The Home agent, in the home network, receives the IP datagram destined to the mobile endpoint
3- The Home agent tunnels the packet over the IP-based network (Mobile IP tunnel) to the Foreign agent in the visited network
4- The Foreign agent routes the datagram to the mobile endpoint
Mobile IP: Inbound transmission (from the mobile endpoint to an External Node)
1- The mobile endpoint sends a datagram to an external node, with the Foreign agent acting as default gateway
2- The Foreign agent routes the datagram over the network to the external node
Mobile IP: Application on the ISSI
• Mobile endpoint = the RFSS endpoint at which the activated PDP context is located
• A new Mobile IP tunnel is put in place on the ISSI each time an MDP or an MRC activates a PDP context in a serving RFSS's area (i.e. outside its Home RFSS area)
(Figure: the Mobile IP tunnel runs over the ISSI between the Home RFSS and the Serving RFSS; the MRC and its MDP are attached to the Serving RFSS over Um/Um2, and the Data Servers in the P25 Realm are reached through the Home RFSS.)
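As an added illustration of the Mobile IP mechanism described above (my own model, not code from the deck, from RFC 3220 or from any RFSS implementation), here is a Python simulation of a home agent and a foreign agent: registration of the MDP's care-of address, IP-in-IP encapsulation of outbound packets at the Home RFSS, de-tunneling at the serving RFSS, and plain routing of inbound packets. The addresses and the shared key are constructed. Registration is authenticated with HMAC-SHA256 where RFC 3220's default is HMAC-MD5, and the outer tunnel header is sourced at the home agent as RFC 2003 specifies (the deck's packet diagrams label that header with the data server's address). The authentication check is there for a defensive reason: a home agent that accepted unauthenticated registrations would let any host bind the MDP's home address to its own care-of address and receive the MDP's traffic.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Minimal IP datagram model: addresses as strings, optional IP-in-IP inner packet."""
    src: str
    dst: str
    payload: bytes = b""
    inner: "Packet | None" = None


def registration_auth(key: bytes, home_addr: str, coa: str, spi: int) -> bytes:
    """Mobile-Home authentication extension, modelled with HMAC-SHA256 over the binding
    (RFC 3220 defaults to HMAC-MD5; the SPI/key pairing here is constructed)."""
    msg = f"{spi}|{home_addr}|{coa}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class HomeAgent:
    """Home agent in the MRC's Home RFSS: keeps the binding home address -> care-of address."""
    address: str
    keys: dict                                   # home address -> (spi, shared key) provisioned with the SU
    bindings: dict = field(default_factory=dict)

    def register(self, home_addr: str, coa: str, spi: int, auth: bytes) -> bool:
        entry = self.keys.get(home_addr)
        if entry is None or entry[0] != spi:
            return False                         # unknown mobile or wrong security association
        expected = registration_auth(entry[1], home_addr, coa, spi)
        if not hmac.compare_digest(expected, auth):
            return False                         # forged or corrupted registration: keep the old binding
        self.bindings[home_addr] = coa
        return True

    def deregister(self, home_addr: str) -> None:
        self.bindings.pop(home_addr, None)       # MRC back in its Home RFSS: no tunnel needed

    def forward(self, pkt: Packet) -> Packet:
        """Outbound packet (towards the mobile) arriving at the Home RFSS."""
        coa = self.bindings.get(pkt.dst)
        if coa is None:
            return pkt                           # mobile is at home: deliver over Um directly
        # IP-in-IP encapsulation (RFC 2003): outer header from the home agent to the care-of address
        return Packet(src=self.address, dst=coa, inner=pkt)


@dataclass
class ForeignAgent:
    """Foreign agent in the serving RFSS: de-tunnels and routes to registered visitors."""
    coa: str
    visitors: set = field(default_factory=set)

    def receive(self, pkt: Packet) -> Packet:
        if pkt.dst != self.coa or pkt.inner is None:
            raise ValueError("not a Mobile IP tunnel packet for this care-of address")
        inner = pkt.inner
        if inner.dst not in self.visitors:
            raise ValueError(f"no visitor entry for {inner.dst}")
        return inner                             # routed over Um to the MRC / MDP

    def route_inbound(self, pkt: Packet) -> Packet:
        """Inbound packet from the mobile: the foreign agent is its default gateway and
        simply routes it; the home agent is not involved."""
        return pkt


def roaming_demo() -> tuple:
    """Constructed scenario: MDP home address 10.20.30.41, home agent 10.0.0.1, serving RFSS CoA 10.50.0.1."""
    key, spi = b"constructed-shared-key", 0x100
    ha = HomeAgent(address="10.0.0.1", keys={"10.20.30.41": (spi, key)})
    fa = ForeignAgent(coa="10.50.0.1")
    # The MDP activates its PDP context in the serving RFSS and registers through the foreign agent
    auth = registration_auth(key, "10.20.30.41", fa.coa, spi)
    if not ha.register("10.20.30.41", fa.coa, spi, auth):
        raise RuntimeError("registration rejected")
    fa.visitors.add("10.20.30.41")
    # A data server sends to the MDP's home address; the Home RFSS tunnels it over the ISSI
    outbound = ha.forward(Packet(src="10.0.0.50", dst="10.20.30.41", payload=b"avl-request"))
    delivered = fa.receive(outbound)
    return outbound, delivered


if __name__ == "__main__":
    tunnelled, delivered = roaming_demo()
    print("tunnel:", tunnelled.src, "->", tunnelled.dst, "| inner:", delivered.src, "->", delivered.dst)
```

When the MRC returns to its Home RFSS, `deregister` removes the binding and `forward` falls back to local delivery, which is the "no tunnel" case of the slide on outbound flow to an MDP located in the Home RFSS area.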
IPSec/ESP for confidentiality: Main principle
• One security association is defined per application and per direction in order to define the security policy to be applied:
  • Indexed by the SPI (Security Parameters Index) field in the ESP header
  • Open to specific P25 encryption and key distribution
  • Encryption may be bypassed if needed
• Two encapsulation modes:
  • Transport Mode
    • The IPSec tunnel is created between the two hosts at which the data applications are located
    • The transport packet is encrypted
  • Tunnel Mode
    • The IPSec tunnel is created between two security gateways, which may route the IP packet once decrypted
    • The IP packet is encrypted
(Figure, packet layouts. Transport mode: IP Header | ESP Header | [TCP/UDP Header | Payload] | ESP trailer | Integrity Check, with the bracketed transport packet encrypted. Tunnel mode: outer IP Header | ESP Header | [IP Header | TCP/UDP Header | Payload] | ESP trailer | Integrity Check, with the bracketed inner IP packet encrypted.)
IPSec/ESP for confidentiality: Application in the MRC
• Standard application of IPSec in the MRC:
  • All inbound and outbound IP packets would be tunneled within an IPSec packet that always conveys the IP address of the MRC
  • This would hide the real serviced IP address, thus preventing SNDCP from delivering the required quality of service over the air interface
(Figure: stack IPSec / IP / SNDCP in the MRC PDP context; the serviced IP address is on the MDP, while the address seen by SNDCP is that of the extremity of the IPSec tunnel, i.e. the MRC.)
IPSec/ESP for confidentiality: Application in the MRC
• To make the serviced IP address visible at the SNDCP layer, we propose to move the end-to-end encryption of the IPSec standard (ESP) to the SNDCP layer
(Figure: stack IP / ESP-SNDCP in the MRC PDP context; the serviced IP address, on the MRC or the MDP, is visible to SNDCP.)
IPSec/ESP for confidentiality: Application
• Application in the MRC:
  • The MRC performs end-to-end encryption at the SNDCP level
  • From the perspective of the entities addressing an MDP, the extremity of the IPSec tunnel is the MDP
  • The SNDCP level at the MRC may perform compression before encryption
• Application in the data servers:
  • Common IPSec implementation
SNDCP adaptation
• Headers of the IPSec packet can be compressed/decompressed over the air by SNDCP
  • IP header and ESP header compression (IPHC)
  • TCP/UDP headers cannot be compressed over the air for an encrypted flow
• ESP payload compression/decompression is performed at the SNDCP layer of the MRC for an end-to-end encrypted flow
  • Use of an IPR-free compression algorithm such as deflate
SNDCP adaptation (cont'd)
• For an inbound flow:
  • SNDCP at the MRC performs:
    1- Transport packet compression
    2- Transport packet encryption and encapsulation in an IPSec packet
    3- IPSec header compression
  • SNDCP at the FNE performs IPSec header decompression
  • The Data Server performs the reverse of the first two operations performed at the MRC
ESP encapsulation is performed at the SNDCP level in the MRC
• Inbound flow from an MDP to an external data server
(Figure: the ESP tunnel extends from the MDP, through the MRC (A interface) and the MRC's serving RFSS (Um interface), to the Data Server.)
Inbound flow: ESP in transport mode
• At the MDP: IP Header (S: MDP, D: Data Srv) | TCP/UDP Header | Payload
• At the MRC (IP payload compression and encryption, IPSec packet construction, IP header compression (IPHC), SNDCP encapsulation): SNDCP Header | IP Header (S: MDP, D: Data Srv) | ESP Header, compressed by SNDCP | [TCP/UDP Header | Payload], end-to-end compressed and encrypted | ESP trailer | Integrity Check
• At the Serving RFSS (SNDCP decapsulation, IPSec header decompression): IP Header (S: MDP, D: Data Srv) | ESP Header | [TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At the Data Server (IPSec de-tunneling, decryption, decompression): IP Header (S: MDP, D: Data Srv) | TCP/UDP Header | Payload
Outbound flow from a data server to an MDP located in the MRC's Home RFSS area
• From the perspective of the Data Server, the destination of the IPSec tunnel is located on the MDP
(Figure: the ESP tunnel extends from the Data Server through the Home RFSS (Um) and the MRC (A) to the MDP.)
Outbound flow from an external data server to an MDP not located in the MRC's Home RFSS area
• When the MDP IP address is activated from the MRC's serving RFSS (i.e. the MRC is not registered in its Home RFSS area), then:
  • A Mobile IP foreign agent is activated in the serving RFSS area.
  • Thus, IP packets destined for the MDP are first routed to the MRC's Home RFSS, then tunneled towards the foreign agent.
(Figure: the ESP tunnel extends from the Data Server (Ed interface) to the MDP; inside the network, a Mobile IP tunnel carries the packets over the ISSI from the Home RFSS to the Serving RFSS, which delivers them over Um to the MRC and its MDP.)
Outbound flow: ESP in transport mode
• At the Data Server (IP payload compression and encryption, IPSec packet construction): IP Header (S: Data Srv, D: MDP) | ESP Header | [TCP/UDP Header | Payload], end-to-end compressed and encrypted | ESP trailer | Integrity Check
• At the Home RFSS (Mobile IP encapsulation): IP Header (S: Data Srv, D: CoA, the MDP's Care-Of address) | IP Header (S: Data Srv, D: MDP) | ESP Header | [TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At the Serving RFSS (Mobile IP de-tunneling, IPSec header compression, SNDCP encapsulation): SNDCP Header | IP Header (S: Data Srv, D: MDP) | ESP Header, compressed by SNDCP | [TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At the MRC (IPSec header decompression, end-to-end decryption and decompression, construction of the IP packet to be routed towards the MDP): IP Header (S: Data Srv, D: MDP) | TCP/UDP Header | Payload
From an MDP to another MDP not located in its Home RFSS
• MDP A knows the IP address of MDP B by local provisioning
• ESP is always performed in transport mode
(Figure: the ESP tunnel extends end-to-end from MDP A, via MRC A and MRC A's serving RFSS, to MRC B and MDP B; between MDP B's Home RFSS and MDP B's serving RFSS the packets travel in a Mobile IP tunnel over the ISSI.)
From an MDP to another MDP not located in its Home RFSS: ESP in transport mode
• At MDP A: IP Header (S: MDP A, D: MDP B) | TCP/UDP Header | Payload
• At MRC A (IP payload compression, encryption, IPSec packet construction, IPSec header compression (IPHC), SNDCP encapsulation): SNDCP Header | IP Header (S: MDP A, D: MDP B) | ESP Header, compressed by SNDCP | [TCP/UDP Header | Payload], end-to-end compressed and encrypted | ESP trailer | Integrity Check
• At MRC A's Serving RFSS (IPSec header decompression, IPSec packet construction at the SNDCP FNE): IP Header (S: MDP A, D: MDP B) | ESP Header | [TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At MDP B's Home RFSS (Mobile IP encapsulation): IP Header (S: MDP A, D: CoA, MDP B's Care-Of address) | IP Header (S: MDP A, D: MDP B) | ESP Header | [TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At MDP B's Serving RFSS (Mobile IP foreign agent and SNDCP at the FNE): SNDCP Header | IP Header (S: MDP A, D: MDP B) | ESP Header, compressed by SNDCP | [TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At MRC B (IPSec header decompression, end-to-end decryption, decompression and construction of the IP packet to be routed to MDP B): IP Header (S: MDP A, D: MDP B) | TCP/UDP Header | Payload
Stack Model Reference
• MDP: TCP/UDP over IP (A interface towards the MRC)
• MRC: TCP/UDP over IP over Compression/ESP/SNDCP (Um/Um2 interface towards the FNE)
• FNE: IP over SNDCP
• Data Server: TCP/UDP over Compression/ESP over IP
• Plus Mobile IP on the ISSI for outbound IP packet tunneling
Architecture Extension for external data server
• If the external data server does not have end-to-end encryption capability, a Data Security Gateway has to perform it:
(Figure: the sub-system performing end-to-end encryption spans the MRCs, attached to the P25 network over A and Um/Um2, and the Security Gateway at the edge of the P25 realm (Ed interface); the External Data Server sits in a private network beyond the gateway, reached over the Edr interface.)
Architecture extension for external data server
• ESP in tunnel mode shall be used (instead of transport mode):
  • For IP packets coming from the P25 realm, the Data Security Gateway performs end-to-end decryption and routes the IP packet that was encapsulated by the ESP header towards the external data server.
  • For IP packets going to the P25 realm, the IP packet is encapsulated by the ESP header and end-to-end encrypted.
  • In tunnel mode, the headers of the outer IP packet and of the IP packet encapsulated by ESP may be compressed
Architecture extension for external data server: SNDCP supplementary adaptation
• For an inbound flow:
  • SNDCP at the MRC performs:
    1- IP header compression
    2- IP packet compression
    3- IP packet encryption and encapsulation in an IPSec packet
    4- IPSec header compression
  • SNDCP at the FNE performs IPSec header decompression
  • The Data Security Gateway performs the reverse of operations 1, 2 and 3
ESP encapsulation in tunnel mode is performed at the SNDCP level in the MRC
• Inbound flow from an MDP to an external data server
(Figure: the ESP tunnel extends from the MDP, through the MRC (A) and the MRC's Serving RFSS (Um), to the Security Gateway; the External Data Server is reached beyond the gateway over the Edr interface, outside the tunnel.)
Inbound flow: ESP in tunnel mode
• At the MDP: IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload
• At the MRC (IP header compression (IPHC), IP payload compression, IPSec packet construction, IPSec header compression (IPHC), SNDCP encapsulation): SNDCP Header | IP Header (S: MDP, D: SGW) | ESP Header, compressed by SNDCP | [IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload], end-to-end compressed and encrypted | ESP trailer | Integrity Check
• At the Serving RFSS (SNDCP decapsulation, IPSec header decompression): IP Header (S: MDP, D: SGW) | ESP Header | [IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At the Security Gateway (IPSec de-tunneling, decryption, decompression, IP header decompression): IP Header (S: MDP, D: ES) | TCP/UDP Header | Payload
(SGW: Security Gateway; ES: External Data Server)
Outbound flow from an external data server to an MDP located in a serving RFSS area
• From the perspective of the Security Gateway, the destination of the IPSec tunnel is located on the MDP
• ESP encapsulation is performed in tunnel mode in order to keep the IP address of the external data server in the end-to-end encrypted IP packet
(Figure: the External Data Server sends over Edr to the Security Gateway; the ESP tunnel extends from the Security Gateway (Ed) to the MDP, and inside the network a Mobile IP tunnel carries the packets over the ISSI from the Home RFSS to the Serving RFSS, then over Um to the MRC and its MDP.)
Outbound flow: ESP in tunnel mode
• At the External Data Server: IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload
• At the Security Gateway (IP header compression (IPHC), IP payload compression, IPSec packet construction): IP Header (S: SGW, D: MDP) | ESP Header | [IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload], end-to-end compressed and encrypted | ESP trailer | Integrity Check
• At the Home RFSS (Mobile IP encapsulation): IP Header (S: SGW, D: CoA, the MDP's Care-Of address) | IP Header (S: SGW, D: MDP) | ESP Header | [IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At the Serving RFSS (Mobile IP de-tunneling, IPSec header compression, SNDCP encapsulation): SNDCP Header | IP Header (S: SGW, D: MDP) | ESP Header, compressed by SNDCP | [IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload] | ESP trailer | Integrity Check
• At the MRC (IPSec header decompression, end-to-end decryption, decompression and IP header decompression, construction of the IP packet to be routed to the MDP): IP Header (S: ES, D: MDP) | TCP/UDP Header | Payload
(SGW: Security Gateway; ES: External Data Server)
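The following Python example is added here and is neither the deck's code nor an implementation of the P25, SNDCP or IPsec specifications; it puts the ESP processing of the transport-mode sections (encryption at the SNDCP level of the MRC, compression before encryption) and of this tunnel-mode section side by side. `transport_mode` builds the packet an MRC would emit within the P25 realm, `tunnel_mode` the packet a Data Security Gateway would emit towards an MDP, and `receive` does the peer's work in the order a receiver should: verify the integrity check, reject replays, decrypt, inflate. The cipher is a SHA-256 counter-mode stand-in for the P25-specific algorithm the deck leaves open, the IP header is a toy text header, the keys and the AVL sample payload are constructed, and `compression_gain` shows why the deck insists on compressing before encrypting: deflate saves hundreds of bytes on the plaintext and nothing on the ciphertext.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo keys: stand-ins for the P25 key material distributed by the KMF
ENC_KEY = b"constructed-encryption-key"
AUTH_KEY = b"constructed-integrity-key"
NH_UDP, NH_IPIP = 17, 4   # ESP "next header": transport mode carries UDP, tunnel mode a whole IP packet
ICV_LEN = 12              # 96-bit truncated authenticator, the conventional ESP authenticator length


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode, bound to the SPI and sequence number.
    The deck leaves the algorithm open to P25-specific encryption; this is NOT that algorithm."""
    blocks = [hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """Deflate first, then encrypt, then authenticate: the order the deck requires."""
    compressed = zlib.compress(inner, 9)                      # RFC 1951 payload compression
    pad_len = (-(len(compressed) + 2)) % 4                    # ESP trailer keeps 4-byte alignment
    plain = compressed + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    encrypted = xor(plain, keystream(ENC_KEY, spi, seq, len(plain)))
    header = struct.pack("!II", spi, seq)                     # SPI selects the security association
    icv = hmac.new(AUTH_KEY, header + encrypted, hashlib.sha256).digest()[:ICV_LEN]
    return header + encrypted + icv


def esp_decapsulate(esp: bytes, replay_state: dict) -> tuple:
    """Receiver side: verify the ICV before touching the ciphertext, reject replays, decrypt, inflate."""
    header, encrypted, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, header + encrypted, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", header)
    if seq <= replay_state.get(spi, 0):                       # simplified anti-replay: strictly increasing
        raise ValueError("replayed ESP sequence number")
    replay_state[spi] = seq
    plain = xor(encrypted, keystream(ENC_KEY, spi, seq, len(encrypted)))
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, zlib.decompress(plain[:-2 - pad_len])


def ip_header(src: str, dst: str) -> bytes:
    """Toy cleartext IP header; '|' terminates it so the receiver can split it off."""
    return f"IP S:{src} D:{dst}|".encode()


def transport_mode(src: str, dst: str, transport_pkt: bytes, spi: int, seq: int) -> bytes:
    """Within the P25 realm: the serviced addresses stay visible to SNDCP; only the transport packet is protected."""
    return ip_header(src, dst) + esp_encapsulate(spi, seq, transport_pkt, NH_UDP)


def tunnel_mode(gateway: str, dst: str, ext_server: str, transport_pkt: bytes, spi: int, seq: int) -> bytes:
    """Beyond a security gateway: the whole inner IP packet, external server address included, is protected."""
    inner_ip_packet = ip_header(ext_server, dst) + transport_pkt
    return ip_header(gateway, dst) + esp_encapsulate(spi, seq, inner_ip_packet, NH_IPIP)


def receive(packet: bytes, replay_state: dict) -> tuple:
    """Returns (cleartext outer header, next header, recovered inner data)."""
    outer, esp = packet.split(b"|", 1)
    next_header, inner = esp_decapsulate(esp, replay_state)
    return outer.decode(), next_header, inner


def compression_gain(data: bytes) -> int:
    """Bytes saved by deflate; negative on ciphertext, which is why compression must come first."""
    return len(data) - len(zlib.compress(data, 9))


# Constructed sample: a burst of AVL position reports, the kind of repetitive payload SNDCP carries
AVL_REPORT = b"".join(
    f"AVL unit=12 lat=48.85{i % 10} lon=2.352{i % 7} spd=4{i % 3}\n".encode() for i in range(40)
)

if __name__ == "__main__":
    pkt = transport_mode("MDP", "DataSrv", AVL_REPORT, 0x100, 1)
    print("plaintext", len(AVL_REPORT), "bytes -> packet", len(pkt), "bytes")
    print("deflate gain on plaintext:", compression_gain(AVL_REPORT),
          "| on ciphertext:", compression_gain(pkt[len(ip_header('MDP', 'DataSrv')) + 8:-ICV_LEN]))
    print(receive(pkt, {})[0], "|", receive(tunnel_mode("SGW", "MDP", "ES", b"udp data", 0x200, 1), {})[0])
```

In the tunnel-mode packet the cleartext outer header names only the gateway and the MDP; the external server's address travels inside the ESP payload, which is exactly what the tunnel-mode slides ask for. `receive` also illustrates why the deck's per-application security association matters operationally: the SPI in the clear ESP header is what selects the key and the anti-replay state, so a receiver can reject a forged or replayed packet before spending any effort on decryption or decompression.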
Summary and conclusion
• Recommendations:
  • Use a Mobile IP tunnel on the ISSI for outbound packet routing towards P25 MDPs and MRCs
  • Use the ESP/IPsec standard in transport mode for data transactions within the P25 realm
  • Use the ESP/IPsec standard in tunnel mode for data transactions with an external data server connected beyond a data security gateway
  • Revisit SNDCP header and payload compression to ensure interoperable compression
    • Use an IPR-free compression algorithm (Deflate, for instance) for the payload
  • Use SUID addresses and DNS resolution instead of RSI addressing for OTAR
RFC References
• RFC 3220: Mobile IP
• RFC 2401: IPSec
• RFC 2406: ESP
• RFC 2507: IPHC
• RFC 1951: Deflate
THANK YOU