!SenzaFili RAN-EPCSecurity 130213v1

White paper Radio-to-core protection in LTE

Radio-to-core protection in LTE The widening role of the security gateway

Monica Paolini Senza Fili Consulting

SENZA

CONSULTING


2013 Senza Fili Consulting www.senzafiliconsulting.com |1|

1. Introduction Protecting the LTE radio-to-core link

LTE ushers in mobile networks that have a more flexible and less hierarchical framework, higher performance and richer functionality.

But it also increases the porosity of the mobile network and its vulnerability to malicious attacks and accidental traffic disruption.

Security has become a hot topic among LTE operators. While the attention focuses almost exclusively on mobile devices, they are far

from being the only targets for attack and entry points to mobile networks. Attacks can be launched from the internet as well as from

roaming and MVNO partners.

Unauthorized access to the network may come from infrastructure elements such as the eNB. Adoption of small and femto cells,

which are easier to access than traditional macro cells are, further increases the vulnerability of the network. If left unprotected, the

RAN-to-core link offers another route that can cause disruption in mobile networks.

To avoid congestion or service interruption, and provide a consistent QoE to their subscribers, mobile operators have to protect their

entire networks devices, base stations or femto cells, backhaul links, and the core network against abnormal traffic flows that may

stem from intentional attacks (e.g., malware), unintended events (e.g., configuration errors), or unusual but legitimate traffic spikes

(e.g., during a sports event), and may result in spikes both in the

control plane (signaling floods) and in the data plane (RAN

congestion). In the context of end-to-end network protection,

securing the radio-to-core link is of crucial importance to

ensuring the overall security in mobile networks.

In this paper we focus on the security and protection of the

radio-to-core link, and discuss how the strategically located

security gateway (SeGW) enables operators to meet their

performance, reliability and service requirements as they go

through three distinct, but often overlapping, phases in their LTE

deployments:

Launch: initial phase with limited adoption and coverage.

Growth: full network buildout, with increase in coverage,

traffic load and subscriber adoption.

Advanced services: addition of VoLTE and RCS, introduction

of advanced policy functionality, expansion of Wi-Fi offload,

and small-cell deployments.

LTE radio-to-core protection: The evolution of the security gateway

IPsec and SeGWs are the dominant solution, endorsed by 3GPP, to protect the LTE radio-to-core link.

SeGWs role has started to expand beyond security. It protects the network against sudden and unexpected surges in signaling and user data traffic, whether the result of malicious attack, configuration error, or spikes in subscriber activity.

Scalability, multi-vendor interoperability and low latency are required in the SeGW to support LTE networks as they evolve from the initial launch to a mature phase marked by higher traffic loads and the introduction of advanced services.



2. Security, scale and aggregation The role of the security gateway (SeGW)

Radio-to-core link protection requires a dedicated effort. 3GPP standards make a strong case for the adoption of IPsec encryption and

mutual authentication of the radio-to-core link to secure the link between the eNB and the MME, and recommend IPsec in untrusted

links.1 Initially mobile operators have been cautious in the adoption of IPsec because of the additional cost, overhead (estimated to be

14% by NGMN2) and complexity it entails, but there is an emerging consensus among operators that IPsec is needed to secure

untrusted sites and is highly desirable even in trusted sites. To date, severe security breaches and network disruption have been

infrequent, but they carry high costs because they may encourage churn, shrink revenues and damage the operators brand

reputation.

As defined by 3GPP, the SeGW terminates the IPsec tunnel at the mobile core edge, and hence provides for the encryption and

decryption of IPsec traffic, and for mutual authentication with eNBs in the RAN. The SeGW is inserted at the edge of the core network

to secure the S1-MME and S1-U traffic from eNBs, aggregate it, and then forward it to the MME and SGW (Figure 1), protecting the

network from man-in-the-middle attacks. The SeGW can also carry the control-plane X2 interface among eNBs to coordinate

transmission in the RAN.

The IPsec tunnel that is initiated at the eNB can be terminated directly at the MME and SGW. This approach, however, can result in

higher costs and less efficient network utilization, because IPsec termination is a computationally intensive function for which the

MME and the SGW are not designed and optimized. Without a SeGW, IPsec termination may overload these elements and, to

prevent this, operators have to invest in additional processing capacity.

Figure 1. The SeGW position within an LTE network. Source: Senza Fili

1. 3GPP TR 33.401, 3GPP System Architecture Evolution (SAE): Security Architecture, 2012. The decision of whether the radio-to-core link is trusted is left to the mobile operator, because it is tied to the operators internal criteria, which typically include factors such as control over the physical site where the eNB is located and over the backhaul link (i.e., use of the operators own backhaul infrastructure versus third-party leased links), security level at the cell site, sharing of network components with other mobile or fixed networks, and regulatory requirements. 2. NGMN, Small Cell Backhaul Requirements, 2012.



Figure 2. Sources and impact of unexpected data and signaling traffic overload on network performance. Source: Senza Fili

The SeGW was initially developed to provide the scalability and performance needed to meet operators radio-to-core security

requirements, but its strategic position on the border between the RAN and the core network makes it the ideal candidate to

aggregate traffic directed to the core and hence to provide functionality that goes beyond enabling efficient IPsec encryption and

mutual authentication. The edge of the core is an ideal place to monitor incoming traffic from the RAN and to identify and manage

suspicious or unexpectedly high traffic flows, in both the control plane (signaling) and the user plane (data traffic), that may disrupt

network access and service availability. In doing so, the SeGW reduces the capacity requirements on the MME and SGW that would

otherwise have to process all the traffic from the RAN. The SeGW gives operators a valuable vantage point from which to gain

visibility into the combined control and user plane traffic, before it gets segregated in the MME and SGW, respectively. In addition,

the SeGW facilitates IPsec implementation in multi-vendor deployments, because it can provide full interoperability across elements

from different vendors.

The role of the SeGW in filtering incoming traffic is not limited to the identification and management of intentional malicious attacks;

it includes many other types of anomalous traffic (Figure 2). Some occasional traffic spikes are subscriber-driven, occurring, for

example, as a result of weather disruption, highway accidents, or planned events such as concerts or games where many people

congregate. While this traffic is entirely legitimate, the network may not have sufficient capacity to manage and transport it, and

service availability may be partially or completely compromised as a result. Signaling traffic overload can also be generated

unintentionally by erroneous configuration settings or other software malfunctions in the UE applications or OSs or in other network

elements. This type of traffic is not malicious, but it is unexpected and can have the same impact as user-driven traffic spikes.

In both cases user-plane traffic overload and control-plane traffic overload a scalable SeGW can recognize and manage unusually

high traffic levels and protect the network in real time, before the traffic hits the core network in the MME or SGW, in order to

contain or prevent disruption.

The disruption can be brought on innocently by traffic overload in either signaling or data. Signaling overload may cause congestion in

the MME or other core elements such as the HSS, and lead to access or service denial even if there is sufficient capacity in the data

plane to satisfy access and service requests. In this situation, signaling overload prevents efficient utilization of network resources.

User-plane traffic overload has a similar impact on subscriber experience (i.e., disruption of service), but, unlike signaling overload, it is



typically driven by limited availability of RAN resources i.e., there are more users demanding access than the network has capacity

to support.

The capability of the SeGW to detect and manage unexpected traffic patterns malicious or not is both necessary and

advantageous. Regardless of the cause, unusually intense traffic flows can severely compromise network and service availability. The

disruption may be limited to one or a few eNBs or have a wider impact on the network. It may affect only a subset of subscribers who

cannot get access or use some services, or it may entirely shut down parts of the network.

3. The evolution of security and protection requirements Three phases in LTE deployments

As mobile operators roll out their networks, their requirements for performance, security and traffic load evolve (Figure 3). During the

initial launch stage, the focus is on basic functionality and reliability. As the number of subscribers grows, scalability becomes a top

priority. As network utilization grows, it keeps evolving too, with mobile operators introducing advanced functionality and support for

new services. Each operator moves at its own pace across the stages, and may see some overlap across stages, but the trend toward

more stringent requirements has to be kept in mind from the start, when setting the course for network deployment.

Figure 3. Radio-to-core protection during three phases in LTE deployments. Source: Senza Fili



3.1. Balancing security and performance Phase 1: The initial stage of LTE deployment

During the initial stage of LTE deplyoments, operators initially require only basic security IPsec with encryption and mutual

authentication but the decisions they make have a long-lasting impact along several dimensions:

Where and how should the operator deploy IPsec?

The first decision for mobile operators is to choose whether to deploy IPsec across all their sites, or only in untrusted sites. An

increasing number of operators are choosing to deploy IPsec across both trusted and untrusted sites as they recognize that even

trusted sites can become targets of security threats. A decision to integrate IPsec in trusted sites at a later stage may increase

deployment costs and complexity.

Should SeGWs be deployed in a distributed architecture or a centralized one?

The choice between a distributed (SeGW closer to the eNB) or centralized (SeGW closer to the core) architecture is tied to

multiple factors, which include the overall network architecture strategy, the services it supports, the backhaul infrastructure,

and the distribution of subscribers within the footprint. For instance, an operator that chooses an approach with MME and SGW

distributed across the footprint, to minimize latency in order to support services such as VoLTE, will have to deploy SeGW closer

to the eNB. Alternatively, an operator may have a centralized EPC but choose to have a distributed SeGW architecture

throughout the footprint, or in some areas. A distributed SeGW architecture provides more flexibility and lower latency for the

eNBtoeNB X2 interface. A centralized architecture requires fewer but higher-capacity SeGWs, and more redundancy options.

What are the capacity and performance assumptions that need to made when selecting the SeGW?

A scalable solution is required to accommodate the growing traffic load originating from wider network coverage, a growing

number of subscribers with LTE devices, and higher per-subscriber traffic usage. However, operators have to dimension their

initial deployment on the basis of traffic growth that is inherently difficult to predict. The trend toward sustained and steep traffic

growth continues unabated, but the future pace and volume are not known. Operators still need, though, to find a good initial

balance to avoid overcommitment or insufficient capacity.

Concurrently, high traffic loads raise performance requirements even further. A low packet-processing rate in encrypting and

decrypting data can turn the SeGW into a bottleneck, unable to process control-plane and user-plane traffic, or to do so at the

required latency, and more vulnerable to denial of service attacks. The disruption from overloaded SeGWs eventually spreads

from the core to the RAN, which in turn becomes unable to address services requests and hence to use the available capacity,

leading to inefficiencies in the use of precious and limited radio resources. A high packet-per-second processing rate in the SeGW

can reduce overall network capex and opex because it is conducive to a higher RAN utilization. The introduction of a SeGW may

also reduce the capacity requirements on the MME and SGW, leading to capex and opex savings in the core network.

What are the interoperability requirements to ensure smooth integration across vendors?

The SeGW has to be smoothly integrated within the existing infrastructure on both the RAN and the core sides, and it must be

interoperable with equipment from the vendors that the operator has selected. Interoperability requirements on the eNB side

are stricter, because the eNB initiates the IPsec channel that the SeGW terminates. Although the interfaces are based on

standards, vendor-specific implementations are often not fully interoperable with each other. As operators look to multi-vendor

RANs and shared-infrastructure partnerships, interoperability acquires more prominence as the basis for a reliable user

experience and lower costs. SeGW interoperability has to be established with all the vendors involved on both the RAN and



core sides. Although establishing interoperability may initially be time-consuming for both vendors and operators, in the long

term it lowers the risk of vendor lock-in and gives operators more freedom in choosing their RAN vendors.

The initial stage in deploying a mobile network is hectic. Operators have to balance multiple performance requirements and deadlines

against funding availability. But choosing scalable and future-proof solutions at this stage, while avoiding over-engineering, is crucial

to a smooth long-term expansion of the network without expensive and disruptive upgrades.

3.2. Taking LTE mainstream Phase 2: Traffic growth and network expansion

As subscribers move to LTE smartphones and discover that with faster networks they can do more, not only is the number of

subscribers on LTE networks growing, but so is the traffic per subscriber. The growth in network traffic load is difficult to predict as

usage patterns, charging models, and device mixes continue to evolve. Operators need flexibility to adapt to rapidly changing capacity

requirements. The first operators to launch LTE networks, having now entered the second phase, face the challenges of managing and

protecting traffic in an environment of accelerated expansion of coverage and capacity requirements.

In January 2013, Verizon reported that LTE now accounts for 50% of traffic in its network and 23% of subscribers suggesting that LTE

subscribers are much heavier data users than their 3G counterparts. At the same time, coverage has gone up to include 89% of the

network footprint. In Japan, NTT DOCOMOs LTE network covers 75% of the population with 23,000 base stations and serves 10% of

subscribers. More than 20% of its subscribers use more than 3GB per month each, twice as many subscribers as a year ago.

The challenges in managing the increased traffic load are intensified by the trend of the past few years toward more complex and

unpredictable traffic flows, which are due to the convergence of multiple factors:

Ecosystem fragmentation increases the likelihood of abnormal and unexpected traffic overload that may be caused by

application or software updates, or by malware introduced by applications (especially if not downloaded from trusted stores that

check application integrity).

Heavier use of real-time applications such as video and audio streaming, gaming, and voice creates more stringent requirements

for latency and QoS-based access.

A higher number of applications per device drives up the background signaling activity due to frequent update requests from

applications especially those for chatty apps such as social networking and communications, which require frequent checks

for updates.

Mobile networks have become more attractive targets for hackers and hacktivists. Malicious attacks are on the rise, and their

growth is likely to accelerate. While most of the attacks now use UEs as the entry point, other vulnerable elements in mobile

networks are likely to be more widely targeted in the future.

The increase in traffic affects both the control plane and the user plane, with the expectation that growth in the control plane will

exceed that in the user plane by 30% to 50%, according to 4G Americas3. In Canada, Telus reports an increase in signaling traffic of

2,700% during a period in which data traffic doubled4.

3. 4G Americas, New Wireless Broadband Applications and Devices: Understanding the Impact on Networks, 2012. 4. http://www.cartt.ca/news/13804/Cable-Telecom/IEEE-Traffic-tsunami-causing-congestion-in-wireless-nets-says-Telus-Spadotto.html



While LTE has a more efficient control plane than 3G, generating a lower signaling load for the same user-plane load, the network-

wide volume of signaling traffic will continue to increase due to increased use per mobile device, as subscribers rely on them for a

larger number of services and applications which they use more frequently. Frequent connection requests and transmission in smaller

packet sizes result from chatty apps, VoLTE, advertisements, and, generally, a higher number of applications installed in mobile

devices.

Growth in user data and signaling traffic, and wider coverage, create the need to expand the capacity of the radio-to-core link and of

its terminating point in the SeGW. In both cases, it is crucial that the solution adopted during the initial phase scale smoothly to meet

the new requirements, retaining the same performance level and having a comparable impact on capex and opex.

The growth and expansion stage in LTE entails a difficult balancing act for mobile operators caught between the need to improve

performance and capacity, on the one hand, and adhering to high security and reliability standards, on the other all in an

environment where subscribers are eager to increase their use of their mobile plans, but resist paying more for them. As a result,

mobile operators need a flexible and incremental expansion process that enables them to gradually expand the SeGW capacity in line

with the traffic growth, and to avoid expensive solution upgrades or the integration of new ones.

3.3. New requirements, new functionality Phase 3: LTE evolution

As data traffic and subscribers move to LTE, operators need to do more than increase their capacity. They have to continue to

innovate and expand the functionality and services offered. Change will affect different areas and impact network protection in

multiple ways.

In the RAN, the wider use of small cells, femto cells and Wi-Fi to offload traffic from overloaded macro cells introduces a much more

complex network topology, with overlapping layers, higher levels of interference, and a higher density of elements. Mobility

management, interference mitigation, and traffic coordination among RAN layers increase the traffic requirements especially on the

signaling side. The introduction of traffic management techniques such as COMP and eICIC require a low latency on the X2 interface

and the backhaul. The widening adoption of small cells and femto cells increases the vulnerability of mobile networks to malicious

attacks by adding a large number of RAN elements with largely unprotected physical access, driving the need for the robust mutual

authentication that IPsec provides.

From a device perspective, M2M devices, many of which may be unattended and not tightly monitored, present an entirely new set

of security challenges that have not yet been fully explored or tested. Most M2M devices operate without physical human

supervision and can be easily located, especially if they are not mobile. This makes them more vulnerable to physical malicious access

and hence to attacks targeting the mobile network or the networks of the operators customers. While in most cases M2M devices

will generate low traffic volumes, the need for frequent reports or status checks is likely to disproportionately increase the signaling

load over the user-data load, increasing the capacity requirements in the control plane.

The introduction of VoLTE, RCS, gaming and video services creates tighter latency requirements across the network, and it is crucial

that the radio-to-core link not become a latency bottleneck. The processing rate and capacity at the SeGW have to be sufficiently high

to keep latency low. In addition, traffic prioritization, traffic shaping and load balancing in the SeGW may also enable operators to

preserve the QoE for applications with low latency requirements.



Furthermore, real-time applications such as VoLTE or video streaming impose a particular challenge because they use small packets

and hence more processing has to be done at the SeGW to transport the same volume of user-plane traffic. Effectively, these

applications increase the capacity load on the SeGW, and fast packet processing for encryption and decryption is essential to minimize

the adverse impact of small-packet traffic on overall network utilization and performance.

Finally, the wider adoption of shared RAN and backhaul infrastructure among operators, and of third-party backhaul solutions that

accompany the increased penetration of small cells and femto cells, raises the percentage of untrusted sites in which the IPsec

protection is a de facto requirement. That will put additional pressure on mobile operators to select IPsec and SeGW solutions that

scale smoothly.

RANs with a higher density and variety of elements create a much more demanding interoperability environment, in which the SeGW

has to interoperate with an expanding array of equipment solutions and vendors. In the case of infrastructure sharing, RAN

equipment is selected and operated by different entities over which the mobile operator has no control. The capability of the SeGW

to adapt to these inherently complex RAN topologies is vital for operators that rely on infrastructure sharing arrangements to contain

costs and optimize network utilization.

To ensure reliable performance, operators need to see more deeply into how the network manages traffic so they can correct

problems in real time as they arise. Tracking key performance metrics at the S1 and X2 interfaces e.g., handoffs and attach

completion time, and dropped packets ensures reliable performance for real-time applications such as VoLTE, and efficient mobility

management in the RAN.

A future-proof radio-to-core SeGW has to scale to include support for a wider range and higher density of RAN elements and mobile

devices, as well as cope with a higher percentage of untrusted sites, emerging security threats, and an increasingly demanding and

diverse traffic mix. As operators move to the third phase, the SeGW continues to perform its basic task in protecting the radio-to-core

link, but it also has to provide the processing power, latency, and traffic optimization needed to support new services, as well as the

scalability and interoperability required to operate in more complex environments.

4. Conclusions Protecting LTE networks during growth and evolution

Security and, more generally, network protection from unexpected high-traffic events has gained a higher priority status in LTE as

mobile networks become easier and more attractive targets for malicious attacks, and more vulnerable to signaling and data traffic

overload that can disrupt or completely block network access. Within the context of LTE security, the radio-to-core link has to be

protected to ensure end-to-end network security. IPsec has emerged as the de facto standard to secure the radio-to-core link. The

SeGW is a crucial enabler to provide the scalability, processing and aggregation capabilities, the performance, and the functionality to

support IPsec.

IPsec with the support of a SeGW at the mobile core edge is the solution that 3GPP strongly recommends and that operators

worldwide have started to deploy in most of their new LTE networks. But they face multiple choices on how to deploy IPsec and



SeGWs in terms of topology, performance, cost and functionality as they move through the three phases launch, growth, advanced

services from their initial LTE launches to more mature and heavily used networks.

At launch, what matters most to operators is the basic functionality of the SeGW in terminating the IPsec tunnel and providing mutual

authentication with the eNB. As traffic grows and new services are introduced, the functionality of the SeGW is slated to evolve and

expand. The position of the SeGW between the RAN and the EPC is ideal to support functions that go beyond protection from

malicious attacks, to include management of control-plane and user-plane traffic overload, coordination of RAN mobility, and traffic

flow optimization.

A scalable solution that allows mobile operators to smoothly evolve to meet their anticipated and unanticipated radio-to-core

requirements is crucial to maintaining performance and cost and keeping the risks (and costs) of disruption to a minimum, without

compromising the safety and integrity of their networks.

5. Glossary

2G Second generation

3G Third generation

3GPP Third Generation Partnership Project

COMP Coordinated multipoint

eICIC Enhanced inter-cell interference coordination

eNB eNodeB

EPC Evolved packet core

Gx Interface between the PCRF and the PGW

Gy Interface between the PGW and the OCS

HSS Home subscriber server

IP Internet protocol

IPsec IP security

LTE Long term evolution

LTE-Uu Interface between the UE and the eNB

M2M Machine to machine

MME Mobility management entity

MNO Mobile network operator

MVNO Mobile virtual network operator

NGMN Next Generation Mobile Networks [Alliance]

OCS Online charging system

OS Operating system

PCRF Policy and charging rules function

PGW Packet gateway

QoE Quality of experience

QoS Quality of service

RAN Radio access network

RCS Rich communication services

S1 LTE interface between an eNB, and an MME (S1-MME, control plane) or an SGW (S1-U, user plane)

S11 Interface between the MME and the SGW

S5/8 Interface between the SGW and the PGW

S6a Interface between the MME and the HSS

SeGW Security gateway

SGi LTE interface between the PGW and the internet

SGW Serving gateway

Sp Interface between the HSS and PCRF

UE User equipment

VoLTE Voice over LTE

X2 LTE interface between two eNBs, including X2-C (control plane) and X2-U (user plane)


2013 Senza Fili Consulting, LLC. All rights reserved. This white paper was prepared on behalf of Stoke Inc. The views and statements expressed in this document are those of Senza Fili Consulting LLC, and they should not be inferred to reflect the position of Stoke Inc. The

document can be distributed only in its integral form and acknowledging the source. No selection of this material may be copied, photocopied,

or duplicated in any form or by any means, or redistributed without express written permission from Senza Fili Consulting. While the document

is based upon information that we consider accurate and reliable, Senza Fili Consulting makes no warranty, express or implied, as to the

accuracy of the information in this document. Senza Fili Consulting assumes no liability for any damage or loss arising from reliance on this information. Trademarks mentioned in this document are property of their respective owners. Cover page photo by Gui Jun Peng/Shutterstock.

About Stoke

Stoke provides market-proven mobile gateway solutions to the broadband network industry. Stoke products have been chosen by Tier 1 mobile network operators for technical excellence and high quality manufacturing and partners with leading industry equipment providers and systems integrators to provide key elements of their solutions. Stoke is the industry leader in deployed LTE security gateways and offers extensive commercial experience developing, deploying and maintaining LTE security gateway equipment in a top tier LTE network. Stoke products and solutions, based on the innovative SSX platform, provide a strong business value to network operators. For more information, visit www.stoke.com.

About Senza Fili

Senza Fili provides advisory support on wireless data technologies and services. At Senza Fili we have in-depth expertise in financial modeling, market forecasts and research, white paper preparation, business plan support, RFP preparation and management, due diligence, and training. Our client base is international and spans the entire value chain: clients include wireline, fixed wireless and mobile operators, enterprises and other vertical players, vendors, system integrators, investors, regulators, and industry associations.

We provide a bridge between technologies and services, helping our clients assess established and emerging technologies, leverage these technologies to support new or existing services, and build solid, profitable business models. Independent advice, a strong quantitative orientation, and an international perspective are the hallmarks of our work. For additional information, visit www.senzafiliconsulting.com or contact us at [email protected] or +1 425 657 4991.

About the author

Monica Paolini is the founder and president of Senza Fili. Monica writes extensively on the trends, technological innovation, and financial drivers in the wireless industry in reports, white papers, blogs, and articles. At Senza Fili, she assists vendors in gaining a better understanding of the service provider and end user markets. She works alongside service providers in developing wireless data strategies, and in assessing the demand for wireless services. Independent advice, a strong quantitative approach, and an international perspective are the hallmarks of her work.

Monica has a PhD in Cognitive Science from the University of California, San Diego, an MBA from the University of Oxford, and a BA/MA in Philosophy from the University of Bologna (Italy). She can be contacted at [email protected].

SENZA

CONSULTING

!SenzaFili RAN-EPCSecurity 130213v1

Documents

Transcript of !SenzaFili RAN-EPCSecurity 130213v1