Radio-to-core protection in LTE
The widening role of the security gateway
Monica Paolini
Senza Fili Consulting
1. Introduction
Protecting the LTE radio-to-core link
LTE ushers in mobile networks that have a more flexible and less hierarchical framework, higher performance and richer functionality.
But it also increases the porosity of the mobile network and its vulnerability to malicious attacks and accidental traffic disruption.
Security has become a hot topic among LTE operators. While the attention focuses almost exclusively on mobile devices, they are far
from being the only targets for attack and entry points to mobile networks. Attacks can be launched from the internet as well as from
roaming and MVNO partners.
Unauthorized access to the network may also come from infrastructure elements such as the eNB. Adoption of small cells and femto cells,
which are physically easier to reach than traditional macro cells, further increases the exposure of the network. If left unprotected, the
RAN-to-core link offers another route by which disruption can be introduced into mobile networks.
To avoid congestion or service interruption, and to provide a consistent QoE to their subscribers, mobile operators have to protect their
entire networks (devices, base stations or femto cells, backhaul links, and the core network) against abnormal traffic flows. These may
stem from intentional attacks (e.g., malware), unintended events (e.g., configuration errors), or unusual but legitimate traffic spikes
(e.g., during a sports event), and may produce spikes both in the control plane (signaling floods) and in the data plane (RAN
congestion). In the context of end-to-end network protection, securing the radio-to-core link is of crucial importance to ensuring the
overall security of mobile networks.
LTE radio-to-core protection: the evolution of the security gateway
In this paper we focus on the security and protection of the
radio-to-core link, and discuss how the strategically located
security gateway (SeGW) enables operators to meet their
performance, reliability and service requirements as they go
through three distinct, but often overlapping, phases in their LTE
deployments:
Launch: initial phase with limited adoption and coverage.
Growth: full network buildout, with increase in coverage,
traffic load and subscriber adoption.
Advanced services: addition of VoLTE and RCS, introduction
of advanced policy functionality, expansion of Wi-Fi offload,
and small-cell deployments.
Figure 1. The SeGW position within an LTE network. Source: Senza Fili
1. 3GPP TS 33.401, 3GPP System Architecture Evolution (SAE): Security Architecture, 2012. The decision of whether the radio-to-core link is trusted is left to the mobile
operator, because it is tied to the operator's internal criteria, which typically include factors such as control over the physical site where the eNB is located and over the
backhaul link (i.e., use of the operator's own backhaul infrastructure versus third-party leased links), the security level at the cell site, sharing of network components with
other mobile or fixed networks, and regulatory requirements.
2. NGMN, Small Cell Backhaul Requirements, 2012.
Figure 2. Sources and impact of unexpected data and signaling traffic overload on network performance. Source: Senza Fili
The SeGW was initially developed to provide the scalability and performance needed to meet operators' radio-to-core security
requirements, but its strategic position on the border between the RAN and the core network makes it the ideal candidate to
aggregate traffic directed to the core and hence to provide functionality that goes beyond enabling efficient IPsec encryption and
mutual authentication. The edge of the core is an ideal place to monitor incoming traffic from the RAN and to identify and manage
suspicious or unexpectedly high traffic flows, in both the control plane (signaling) and the user plane (data traffic), that may disrupt
network access and service availability. In doing so, the SeGW reduces the capacity requirements on the MME and SGW that would
otherwise have to process all the traffic from the RAN. The SeGW gives operators a valuable vantage point from which to gain
visibility into the combined control and user plane traffic, before it gets segregated in the MME and SGW, respectively. In addition,
the SeGW facilitates IPsec implementation in multi-vendor deployments, because it can provide full interoperability across elements
from different vendors.
The role of the SeGW in filtering incoming traffic is not limited to the identification and management of intentional malicious attacks;
it includes many other types of anomalous traffic (Figure 2). Some occasional traffic spikes are subscriber-driven, occurring, for
example, as a result of weather disruption, highway accidents, or planned events such as concerts or games where many people
congregate. While this traffic is entirely legitimate, the network may not have sufficient capacity to manage and transport it, and
service availability may be partially or completely compromised as a result. Signaling traffic overload can also be generated
unintentionally by erroneous configuration settings or other software malfunctions in the UE applications or OSs or in other network
elements. This type of traffic is not malicious, but it is unexpected and can have the same impact as user-driven traffic spikes.
In both cases (user-plane traffic overload and control-plane traffic overload) a scalable SeGW can recognize and manage unusually
high traffic levels and protect the network in real time, before the traffic reaches the MME or SGW in the core network, in order to
contain or prevent disruption.
The disruption can be brought on innocently by traffic overload in either signaling or data. Signaling overload may cause congestion in
the MME or other core elements such as the HSS, and lead to access or service denial even if there is sufficient capacity in the data
plane to satisfy access and service requests. In this situation, signaling overload prevents efficient utilization of network resources.
User-plane traffic overload has a similar impact on subscriber experience (i.e., disruption of service), but, unlike signaling overload, it is
typically driven by limited availability of RAN resources: there are more users demanding access than the network has capacity
to support.
The capability of the SeGW to detect and manage unexpected traffic patterns, malicious or not, is both necessary and
advantageous. Regardless of the cause, unusually intense traffic flows can severely compromise network and service availability. The
disruption may be limited to one or a few eNBs or have a wider impact on the network. It may affect only a subset of subscribers who
cannot get access or use some services, or it may entirely shut down parts of the network.
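The per-eNB, per-plane accounting described above, as an added example that is not part of the paper and is not Stoke's or any vendor's code: a sliding-window guard that counts S1AP messages and S1-U bytes per eNB after decryption, drops signaling beyond a per-eNB budget before it reaches the MME, and only flags (never drops) user-plane overload, since the SeGW is not the place to discard subscriber data. The eNB names, thresholds and event stream are constructed for the example; a real SeGW would derive the events from the decrypted S1 traffic and tie the eNB identity to the IKEv2 peer identity.

```python
"""Added example (not from the paper): per-eNB detection and throttling of
control-plane (S1-MME) overload at the core edge, with user-plane (S1-U)
volume tracked separately.  All identifiers, thresholds and events below are
constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class S1Event:
    """One unit of S1 traffic as seen after IPsec decryption (constructed)."""
    t: float          # seconds since start
    enb: str          # eNB identity (in practice, the IKEv2 peer identity)
    plane: str        # "ctrl" = S1AP message (S1-MME), "user" = GTP-U packet (S1-U)
    msg: str          # "Attach", "ServiceRequest", "Data", ...
    nbytes: int = 0   # user-plane packet size


@dataclass(frozen=True)
class Verdict:
    t: float
    enb: str
    ctrl_rate: float  # admitted S1AP messages per second over the window
    user_bps: float   # S1-U bits per second over the window
    action: str       # "forward", "drop" (signaling over budget) or "mark" (RAN congestion)


class SignalingGuard:
    """Sliding-window accounting per eNB.  Signaling above ctrl_limit messages
    per window is dropped before it reaches the MME; user-plane volume above
    user_bps_limit is only marked so that an operator can act on it."""

    def __init__(self, window=1.0, ctrl_limit=50, user_bps_limit=50_000_000):
        self.window = window
        self.ctrl_limit = ctrl_limit
        self.user_bps_limit = user_bps_limit
        self._ctrl = defaultdict(deque)    # enb -> timestamps of admitted S1AP messages
        self._user = defaultdict(deque)    # enb -> (timestamp, bytes) of S1-U packets
        self._user_bytes = defaultdict(int)
        self.dropped = defaultdict(int)    # enb -> S1AP messages dropped

    def _expire(self, enb, now):
        cutoff = now - self.window
        cdq, udq = self._ctrl[enb], self._user[enb]
        while cdq and cdq[0] <= cutoff:
            cdq.popleft()
        while udq and udq[0][0] <= cutoff:
            self._user_bytes[enb] -= udq.popleft()[1]

    def observe(self, ev: S1Event) -> Verdict:
        self._expire(ev.enb, ev.t)
        action = "forward"
        if ev.plane == "ctrl":
            if len(self._ctrl[ev.enb]) >= self.ctrl_limit:
                self.dropped[ev.enb] += 1
                action = "drop"
            else:
                self._ctrl[ev.enb].append(ev.t)
        else:
            self._user[ev.enb].append((ev.t, ev.nbytes))
            self._user_bytes[ev.enb] += ev.nbytes
        user_bps = self._user_bytes[ev.enb] * 8 / self.window
        if ev.plane == "user" and user_bps > self.user_bps_limit:
            action = "mark"
        return Verdict(ev.t, ev.enb, len(self._ctrl[ev.enb]) / self.window, user_bps, action)


def sample_events():
    """Constructed traffic: enb-A behaves; enb-B has a Service Request storm
    (e.g. an app retrying after a failed update); enb-C is congested on S1-U."""
    ev = [S1Event(0.1 * i, "enb-A", "ctrl", "Attach") for i in range(10)]
    ev += [S1Event(1.0 + 0.0025 * i, "enb-B", "ctrl", "ServiceRequest") for i in range(200)]
    ev += [S1Event(2.0 + 0.00016 * i, "enb-C", "user", "Data", 1400) for i in range(5000)]
    return sorted(ev, key=lambda e: e.t)


def run(events, guard=None):
    """Feed time-ordered events through a guard; returns (guard, verdicts)."""
    guard = guard or SignalingGuard()
    return guard, [guard.observe(e) for e in events]


if __name__ == "__main__":
    guard, verdicts = run(sample_events())
    for enb in ("enb-A", "enb-B", "enb-C"):
        last = [v for v in verdicts if v.enb == enb][-1]
        print(f"{enb}: dropped={guard.dropped[enb]} ctrl_rate={last.ctrl_rate:.0f}/s "
              f"user={last.user_bps / 1e6:.1f} Mb/s last_action={last.action}")
```

Running the block prints one line per eNB: enb-B has 150 of its 200 Service Requests dropped once the 50-per-second budget is spent, enb-C is marked as congested once its S1-U volume exceeds 50 Mb/s, and enb-A is untouched. A production version would add a global budget toward the MME (so that many mildly busy eNBs cannot add up to an overload) and would prefer to reject or defer selected message types rather than drop blindly, but the window accounting is the same.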
Figure 3. Radio-to-core protection during three phases in LTE deployments. Source: Senza Fili
What are the capacity and performance assumptions that need to be made when selecting the SeGW?
A scalable solution is required to accommodate the growing traffic load originating from wider network coverage, a growing
number of subscribers with LTE devices, and higher per-subscriber traffic usage. However, operators have to dimension their
initial deployment on the basis of traffic growth that is inherently difficult to predict. The trend toward sustained and steep traffic
growth continues unabated, but the future pace and volume are not known. Operators still need, though, to find a good initial
balance to avoid overcommitment or insufficient capacity.
Concurrently, high traffic loads raise performance requirements even further. A low packet-processing rate in encrypting and
decrypting data can turn the SeGW into a bottleneck, unable to process control-plane and user-plane traffic, or to do so at the
required latency, and more vulnerable to denial of service attacks. The disruption from overloaded SeGWs eventually spreads
from the core to the RAN, which in turn becomes unable to address services requests and hence to use the available capacity,
leading to inefficiencies in the use of precious and limited radio resources. A high packet-per-second processing rate in the SeGW
can reduce overall network capex and opex because it is conducive to a higher RAN utilization. The introduction of a SeGW may
also reduce the capacity requirements on the MME and SGW, leading to capex and opex savings in the core network.
What are the interoperability requirements to ensure smooth integration across vendors?
The SeGW has to be smoothly integrated within the existing infrastructure on both the RAN and the core sides, and it must be
interoperable with equipment from the vendors that the operator has selected. Interoperability requirements on the eNB side
are stricter, because the eNB initiates the IPsec channel that the SeGW terminates. Although the interfaces are based on
standards, vendor-specific implementations are often not fully interoperable with each other. As operators look to multi-vendor
RANs and shared-infrastructure partnerships, interoperability acquires more prominence as the basis for a reliable user
experience and lower costs. SeGW interoperability has to be established with all the vendors involved on both the RAN and
core sides. Although establishing interoperability may initially be time-consuming for both vendors and operators, in the long
term it lowers the risk of vendor lock-in and gives operators more freedom in choosing their RAN vendors.
The initial stage in deploying a mobile network is hectic. Operators have to balance multiple performance requirements and deadlines
against funding availability. But choosing scalable and future-proof solutions at this stage, while avoiding over-engineering, is crucial
to a smooth long-term expansion of the network without expensive and disruptive upgrades.
Ecosystem fragmentation increases the likelihood of abnormal and unexpected traffic overload that may be caused by
application or software updates, or by malware introduced by applications (especially if not downloaded from trusted stores that
check application integrity).
Heavier use of real-time applications such as video and audio streaming, gaming, and voice creates more stringent requirements
for latency and QoS-based access.
A higher number of applications per device drives up the background signaling activity due to frequent update requests from
applications especially those for chatty apps such as social networking and communications, which require frequent checks
for updates.
Mobile networks have become more attractive targets for hackers and hacktivists. Malicious attacks are on the rise, and their
growth is likely to accelerate. While most of the attacks now use UEs as the entry point, other vulnerable elements in mobile
networks are likely to be more widely targeted in the future.
The increase in traffic affects both the control plane and the user plane, with the expectation that growth in the control plane will
exceed that in the user plane by 30% to 50%, according to 4G Americas [3]. In Canada, Telus reports an increase in signaling traffic of
2,700% during a period in which data traffic doubled [4].
3. 4G Americas, New Wireless Broadband Applications and Devices: Understanding the Impact on Networks, 2012.
4. http://www.cartt.ca/news/13804/Cable-Telecom/IEEE-Traffic-tsunami-causing-congestion-in-wireless-nets-says-Telus-Spadotto.html
While LTE has a more efficient control plane than 3G, generating a lower signaling load for the same user-plane load, the network-wide volume of signaling traffic will continue to increase due to increased use per mobile device, as subscribers rely on them for a
larger number of services and applications which they use more frequently. Frequent connection requests and transmission in smaller
packet sizes result from chatty apps, VoLTE, advertisements, and, generally, a higher number of applications installed in mobile
devices.
Growth in user data and signaling traffic, and wider coverage, create the need to expand the capacity of the radio-to-core link and of
its terminating point in the SeGW. In both cases, it is crucial that the solution adopted during the initial phase scale smoothly to meet
the new requirements, retaining the same performance level and having a comparable impact on capex and opex.
The growth and expansion stage in LTE entails a difficult balancing act for mobile operators caught between the need to improve
performance and capacity, on the one hand, and adhering to high security and reliability standards, on the other, all in an
environment where subscribers are eager to increase their use of their mobile plans, but resist paying more for them. As a result,
mobile operators need a flexible and incremental expansion process that enables them to gradually expand the SeGW capacity in line
with the traffic growth, and to avoid expensive solution upgrades or the integration of new ones.
Furthermore, real-time applications such as VoLTE or video streaming impose a particular challenge because they use small packets
and hence more processing has to be done at the SeGW to transport the same volume of user-plane traffic. Effectively, these
applications increase the capacity load on the SeGW, and fast packet processing for encryption and decryption is essential to minimize
the adverse impact of small-packet traffic on overall network utilization and performance.
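A worked calculation of the point above, added here as an example (not from the paper): the packet rate the SeGW has to encrypt or decrypt for a given user-plane throughput, and the bytes added by ESP tunnel-mode encapsulation, for a VoLTE-sized packet versus a video-sized packet. The header sizes for IPv4/UDP/GTP-U on S1-U and for ESP with AES-GCM (RFC 4303, RFC 4106) are standard; the 73-byte and 1400-byte user packet sizes and the 1 Gb/s figure are illustrative assumptions.

```python
"""Added example (not from the paper): why small-packet traffic such as VoLTE
loads the SeGW more than bulk traffic for the same user-plane throughput.

Assumptions (not stated in the paper):
  * S1-U carries each user IP packet inside IPv4/UDP/GTP-U (20 + 8 + 8 bytes).
  * The eNB-SeGW tunnel is ESP in tunnel mode over IPv4 with AES-GCM: outer
    IPv4 header, 8-byte ESP header (SPI + sequence), 8-byte IV, padding to a
    4-byte boundary, 2-byte trailer (pad length + next header), 16-byte ICV.
  * Packet sizes: a VoLTE RTP packet of about 73 bytes (20 IP + 8 UDP + 12 RTP
    + 33 bytes of AMR-WB payload) and a 1400-byte video packet.
"""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8
GTPU_HDR = 8
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


def esp_tunnel_size(inner_len: int, iv_len: int = 8, icv_len: int = 16, align: int = 4) -> int:
    """Bytes on the wire for one inner IP packet after ESP tunnel-mode encapsulation."""
    pad = (-(inner_len + ESP_TRAILER)) % align
    return IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def packets_per_second(user_bps: int, user_ip_len: int) -> int:
    """Packets the SeGW must process per second to carry user_bps of user-plane traffic."""
    return user_bps // (8 * user_ip_len)


@dataclass(frozen=True)
class BackhaulLoad:
    name: str
    user_ip_len: int   # user IP packet as sent by the UE or the PGW
    inner_len: int     # the same packet inside IPv4/UDP/GTP-U on S1-U
    wire_len: int      # the S1-U packet inside ESP tunnel mode
    pps: int           # packets per second through the SeGW
    wire_bps: int      # bits per second on the backhaul after encapsulation


def backhaul_load(name: str, user_ip_len: int, user_bps: int) -> BackhaulLoad:
    """Per-packet overhead and packet rate for one traffic profile."""
    inner = IPV4_HDR + UDP_HDR + GTPU_HDR + user_ip_len
    wire = esp_tunnel_size(inner)
    pps = packets_per_second(user_bps, user_ip_len)
    return BackhaulLoad(name, user_ip_len, inner, wire, pps, pps * wire * 8)


if __name__ == "__main__":
    for load in (backhaul_load("VoLTE", 73, 1_000_000_000),
                 backhaul_load("video", 1400, 1_000_000_000)):
        print(f"{load.name:6s} user={load.user_ip_len:5d} B  S1-U={load.inner_len:5d} B  "
              f"ESP={load.wire_len:5d} B  {load.pps:9d} pkt/s  "
              f"{load.wire_bps / 1e9:.2f} Gb/s on the wire")
```

For 1 Gb/s of user-plane traffic the VoLTE profile needs about 1.7 million AEAD operations per second against about 89 thousand for the video profile (roughly 19 times more), and the encapsulation inflates the VoLTE stream to about 2.25 Gb/s on the backhaul versus about 1.07 Gb/s for video. This is why the paper's packet-per-second figure, not the bit rate, is the number to size a SeGW against.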
Finally, the wider adoption of shared RAN and backhaul infrastructure among operators, and of third-party backhaul solutions that
accompany the increased penetration of small cells and femto cells, raises the percentage of untrusted sites in which the IPsec
protection is a de facto requirement. That will put additional pressure on mobile operators to select IPsec and SeGW solutions that
scale smoothly.
RANs with a higher density and variety of elements create a much more demanding interoperability environment, in which the SeGW
has to interoperate with an expanding array of equipment solutions and vendors. In the case of infrastructure sharing, RAN
equipment is selected and operated by different entities over which the mobile operator has no control. The capability of the SeGW
to adapt to these inherently complex RAN topologies is vital for operators that rely on infrastructure sharing arrangements to contain
costs and optimize network utilization.
To ensure reliable performance, operators need to see more deeply into how the network manages traffic so they can correct
problems in real time as they arise. Tracking key performance metrics at the S1 and X2 interfaces (e.g., handoffs, attach
completion time, and dropped packets) ensures reliable performance for real-time applications such as VoLTE, and efficient mobility
management in the RAN.
A future-proof radio-to-core SeGW has to scale to include support for a wider range and higher density of RAN elements and mobile
devices, as well as cope with a higher percentage of untrusted sites, emerging security threats, and an increasingly demanding and
diverse traffic mix. As operators move to the third phase, the SeGW continues to perform its basic task in protecting the radio-to-core
link, but it also has to provide the processing power, latency, and traffic optimization needed to support new services, as well as the
scalability and interoperability required to operate in more complex environments.
4. Conclusions
Protecting LTE networks during growth and evolution
Security and, more generally, network protection from unexpected high-traffic events has gained a higher priority status in LTE as
mobile networks become easier and more attractive targets for malicious attacks, and more vulnerable to signaling and data traffic
overload that can disrupt or completely block network access. Within the context of LTE security, the radio-to-core link has to be
protected to ensure end-to-end network security. IPsec has emerged as the de facto standard to secure the radio-to-core link. The
SeGW is a crucial enabler to provide the scalability, processing and aggregation capabilities, the performance, and the functionality to
support IPsec.
IPsec with the support of a SeGW at the mobile core edge is the solution that 3GPP specifies (TS 33.401) wherever the operator does
not consider the backhaul trusted, and that operators worldwide have started to deploy in most of their new LTE networks. But they
face multiple choices on how to deploy IPsec and SeGWs in terms of topology, performance, cost and functionality as they move
through the three phases (launch, growth, advanced services) from their initial LTE launches to more mature and heavily used networks.
At launch, what matters most to operators is the basic functionality of the SeGW in terminating the IPsec tunnel and providing mutual
authentication with the eNB. As traffic grows and new services are introduced, the functionality of the SeGW is slated to evolve and
expand. The position of the SeGW between the RAN and the EPC is ideal to support functions that go beyond protection from
malicious attacks, to include management of control-plane and user-plane traffic overload, coordination of RAN mobility, and traffic
flow optimization.
A scalable solution that allows mobile operators to smoothly evolve to meet their anticipated and unanticipated radio-to-core
requirements is crucial to maintaining performance and cost and keeping the risks (and costs) of disruption to a minimum, without
compromising the safety and integrity of their networks.
5. Glossary
2G: Second generation
3G: Third generation
3GPP: Third Generation Partnership Project
COMP: Coordinated multipoint
eICIC: Enhanced inter-cell interference coordination
eNB: Evolved Node B (LTE base station)
EPC: Evolved Packet Core
Gx: Reference point between the PCRF and the PGW (policy and charging control)
Gy: Reference point between the PGW and the OCS (online charging)
HSS: Home Subscriber Server
IP: Internet Protocol
IPsec: Internet Protocol Security
LTE: Long Term Evolution
LTE-Uu: LTE air interface between the UE and the eNB
M2M: Machine-to-machine
MME: Mobility Management Entity
MNO: Mobile network operator
MVNO: Mobile virtual network operator
NGMN: Next Generation Mobile Networks (Alliance)
OCS: Online Charging System
OS: Operating system
PCRF: Policy and Charging Rules Function
PGW: Packet Data Network (PDN) Gateway
QoE: Quality of experience
QoS: Quality of service
RAN: Radio access network
RCS: Rich Communication Services
S1: Interface between the eNB and the EPC (S1-MME toward the MME, S1-U toward the SGW)
S11: Interface between the MME and the SGW
S5/8: Interface between the SGW and the PGW (S8 when the two belong to different operators, i.e., in roaming)
S6a: Interface between the MME and the HSS
SeGW: Security gateway
SGi: Interface between the PGW and external packet data networks
SGW: Serving Gateway
Sp: Reference point between the PCRF and the subscription profile repository (SPR)
UE: User equipment
VoLTE: Voice over LTE
X2: Interface between neighboring eNBs
About Stoke
Stoke provides market-proven mobile gateway solutions to the broadband network industry. Stoke
products have been chosen by Tier 1 mobile network operators for technical excellence and high-quality
manufacturing, and Stoke partners with leading industry equipment providers and systems integrators to
provide key elements of their solutions. Stoke is the industry leader in deployed LTE security gateways
and offers extensive commercial experience developing, deploying and maintaining LTE security gateway
equipment in a top-tier LTE network. Stoke products and solutions, based on the innovative SSX platform,
provide strong business value to network operators. For more information, visit www.stoke.com.
Senza Fili provides advisory support on wireless data technologies and services. At Senza Fili we have in-depth expertise in financial modeling, market forecasts and research, white paper preparation, business
plan support, RFP preparation and management, due diligence, and training. Our client base is
international and spans the entire value chain: clients include wireline, fixed wireless and mobile
operators, enterprises and other vertical players, vendors, system integrators, investors, regulators, and
industry associations.
We provide a bridge between technologies and services, helping our clients assess established and
emerging technologies, leverage these technologies to support new or existing services, and build solid,
profitable business models. Independent advice, a strong quantitative orientation, and an international
perspective are the hallmarks of our work. For additional information, visit www.senzafiliconsulting.com
or contact us at info@senzafiliconsulting.com or +1 425 657 4991.