
SingleRAN

MACsec Feature Parameter Description

Issue 01
Date 2016-08-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2016-08-30) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
SingleRAN
MACsec Feature Parameter Description Contents

Contents

1 About This Document ... 1
1.1 Scope ... 1
1.2 Intended Audience ... 2
1.3 Change History ... 2
1.4 Differences Between Base Station Types ... 3

2 Overview ... 4
2.1 Background ... 4
2.2 Introduction ... 4
2.3 Benefits ... 4
2.4 Architecture ... 5

3 Technical Description ... 7
3.1 Introduction ... 7
3.2 Principles ... 7
3.3 MACsec Application ... 9

4 Related Features ... 11
5 Network Impact ... 12
6 Engineering Guidelines ... 13
6.1 When to Use MACsec ... 13
6.2 Planning ... 13
6.2.1 Network Planning ... 13
6.2.2 Hardware Planning ... 13
6.3 Deployment ... 13
6.4 Performance Monitoring ... 13
6.5 Troubleshooting ... 13

7 Parameters ... 14
8 Counters ... 15
9 Glossary ... 16
10 Reference Documents ... 17


1 About This Document

1.1 Scope
This document describes MACsec, including its technical principles, related features, network
impact, and engineering guidelines.

NOTE

In this document, unless TDD or FDD is explicitly specified, all references to LTE, eNodeB, or eRAN
should be understood to include both FDD and TDD modes. For RAT multi-mode abbreviations, in
addition to G, U, and L for the GSM, UMTS, and LTE FDD modes respectively, T in this document stands
for LTE TDD.

This document applies only to LTE FDD. Any "LTE" in this document refers to LTE FDD,
and "eNodeB" refers to LTE FDD eNodeB.
This document applies to the following types of base stations.

Table 1-1 Base station definitions

Base Station Name | Definition
GBTS | A base station configured with a GTMU, GTMUb, or GTMUc and maintained through a base station controller.
eGBTS | A base station configured with a GTMUb, GTMUc, UMPT_G, or UMDU_G and directly maintained by the element management system (EMS).
NodeB | A base station configured with a WMPT, UMPT_U, or UMDU_U.
eNodeB | A base station configured with an LMPT, UMPT_L, UMPT_T, UMDU_L, or UMDU_T.
Co-MPT multimode base station | A base station configured with a UMPT_GU, UMDU_GU, UMPT_GL, UMDU_GL, UMPT_GT, UMDU_GT, UMPT_UL, UMDU_UL, UMPT_UT, UMDU_UT, UMPT_LT, UMDU_LT, UMPT_GUL, UMDU_GUL, UMPT_GUT, UMDU_GUT, UMPT_ULT, UMDU_ULT, UMPT_GLT, UMDU_GLT, UMPT_GULT, or UMDU_GULT. A co-MPT multimode base station functionally corresponds to any physical combination of eGBTS, NodeB, and eNodeB. For example, a co-MPT multimode base station configured with a UMPT_GU or UMDU_GU functionally corresponds to the physical combination of eGBTS and NodeB. NOTE: Unless otherwise specified, the descriptions and examples of the UMPT in a co-MPT base station also apply to the UMDU in a co-MPT base station.
Separate-MPT multimode base station | A base station on which each mode uses its own main control board. For example, a base station configured with a GTMU and WMPT is called a separate-MPT GSM/UMTS dual-mode base station. NOTE: A UMDU cannot be used in a separate-MPT base station.

1.2 Intended Audience

This document is intended for personnel who:
- Need to understand the feature described herein
- Work with Huawei products

1.3 Change History


This section provides information about the changes in different document versions. There are
two types of changes:
- Feature change
  Changes in features and parameters of a specified version as well as the affected entities
- Editorial change
  Changes in wording or addition of information and any related parameters affected by
  editorial changes. Editorial change does not specify the affected entities.

SRAN12.0 01 (2016-08-30)
This issue does not include any changes.

SRAN12.0 Draft A (2016-06-23)


This issue includes the following changes.


Change Type | Change Description | Parameter Change
Feature change | None | None
Editorial change | Revised the descriptions of the authentication server, which does not need to provide the charging function. For details, see 2.4 Architecture. | None

1.4 Differences Between Base Station Types


The feature described in this document applies only to macro and LampSite base stations.


2 Overview

2.1 Background
To deploy BBU interconnection-related features, the UMPTe must be used to directly
interconnect BBUs through Ethernet ports. Data transmitted through these interconnection
ports complies with the standard Ethernet protocol.
Ethernet is simple, efficient, and scalable, but its simple packet formats are easily parsed
and Ethernet itself provides no security. Data transmitted over the interconnection ports
contains control-plane, user-plane, and management-plane information, all of which is
sensitive. Media access control security (MACsec) is introduced to protect this data.

2.2 Introduction
MACsec defines secure data communication based on IEEE 802 LAN and complies with the
IEEE Std 802.1AE-2006 protocol.
With MACsec, two communication peers (also known as MACsec peers) provide the
following security properties for packets transmitted on a network by encrypting the packets and
authenticating the data origin:
- Access equipment validity: MACsec provides the identity authentication function to
  ensure that only valid equipment can access a network.
- Confidentiality: The MACsec entity encrypts data and transmits it in ciphertext to
  prevent unauthorized access to the data.
- Integrity: The MACsec entity checks the integrity of the received data to ensure that the data
  has not been tampered with.
- Authenticity: The MACsec entity authenticates the data origin to confirm the sender of
  the data.
NOTE

The MACsec entity is an NE or network equipment that uses MACsec for communication.

2.3 Benefits
The MACsec feature increases the security of transmission between interconnected BBUs.


2.4 Architecture
MACsec involves the following equipment: client, device (referring to the access equipment
in this document), and authentication server.
- The client is a terminal requesting access to a LAN. The device in the LAN
  authenticates this terminal, and the client performs the MACsec key negotiation and packet
  encryption functions.
- The device controls access of clients. It interacts with the authentication server and
  performs 802.1X-based authentication on connected clients. In addition, the device
  performs the MACsec key negotiation and packet encryption functions.
- The authentication server authenticates and authorizes clients, and is a Remote
  Authentication Dial In User Service (RADIUS) server in most cases. After a client is
  authenticated, the authentication server distributes keys to the client and the device.
MACsec has two typical networking modes: distributed and centralized. In centralized
networking, the functions of the device and the authentication server are integrated into one
piece of hardware and they interact inside that hardware. Figure 2-1 shows the two typical MACsec
networking modes.

Figure 2-1 Typical MACsec networking modes

BBUs are centrally deployed and directly connected using Ethernet cables. The UMPTe in the
root BBU serves as the device and authentication server. The UMPTe in the leaf BBU serves
as the client. Figure 2-2 shows an example of MACsec networking.


Figure 2-2 Centralized MACsec networking


3 Technical Description

3.1 Introduction
MACsec is used in conjunction with the 802.1X authentication framework and operates after
a successful 802.1X authentication procedure. By identifying packets sent by authenticated
clients, MACsec uses the key obtained through MACsec Key Agreement (MKA) negotiation
to encrypt authenticated user data and check its integrity. This prevents interconnection ports
from processing packets sent or tampered with by unauthenticated clients.
MACsec involves the following basic concepts:

- CA: A secure Connectivity Association (CA) consists of two or more CA members that
  use the same key or Cipher Suite. A secret key possessed by a member of a given CA is
  called a CAK. There are two types of CAK: pairwise CAK and group CAK.
  – A pairwise CAK is the CAK used by a CA comprising two members.
  – A group CAK is the CAK used by a CA comprising three or more members.
  Currently, MACsec mainly applies to point-to-point networking and uses the pairwise
  CAK. A pairwise CAK can be either the CAK generated during 802.1X authentication or
  a pre-shared key (PSK). Huawei base stations use the pairwise CAK generated
  during 802.1X access authentication.
- SA: A Secure Association (SA) is a set of security parameters used for establishing
  secure channels between CA members. It includes the Cipher Suite used for encryption
  and the keys used for integrity check. Each secure channel comprises a succession of SAs,
  each with a different key called the SAK. An SAK is derived from the CAK and is used for
  encrypting data transmitted in the secure channel. MKA specifies the maximum number of
  packets that can be encrypted with one SAK. If the number of packets encrypted with an SAK
  exceeds this maximum, the SAK is updated. For example, on a link with a data rate of
  10 Gbit/s, an SAK is updated at most once every 300 seconds.

3.2 Principles
MACsec interaction consists of four phases: identity authentication, session negotiation,
secure communication, and session termination, as shown in Figure 3-1.


Figure 3-1 MACsec signaling process

Identity Authentication
Before a client establishes a session with the device, the client must have its identity
authenticated over the device port. After the client passes 802.1X authentication, the RADIUS
server distributes the generated CAK to the client and device.

Session Negotiation
With the CAK, the client starts a negotiation session with the device using EAPOL-MKA
packets. During the negotiation session, the client and device both use MKA to inform
each other of their capabilities and required parameters (such as priorities and whether the
session needs to be encrypted). The device is selected as the key server in this process. The key
server derives from the CAK an SAK for encrypting data packets and distributes the SAK to
the client.

Secure Communication
After the negotiation session is complete, both the client and device hold the SAK and use it
for encrypting data packets. Then they start secure communication. MACsec security
measures include data encryption and integrity check. The anti-replay protection and perfect
forward secrecy (PFS) functions are currently not implemented on base stations because there is a
low probability of replay attacks and key cracking on BBU interconnection links.
- Data encryption
  After a MACsec negotiation succeeds, the sender encrypts the data and the receiver then
  decrypts the data. The key used for encryption and decryption is obtained from MKA
  negotiation.
- Integrity protection
  The MACsec-encapsulated data frames use the key derived from the CAK to calculate
  the integrity check value (ICV) and append the value to the end of the MACsec packets.
  Figure 3-2 shows the MACsec packet encapsulation.

  Figure 3-2 MACsec packet encapsulation

  When the device receives the MACsec packets, it also uses the key obtained from MKA
  negotiation to calculate the ICV and compares the result with the ICV carried in the
  packets. If the two ICVs are the same, the packets are valid. Otherwise, the packets are
  discarded.
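As an added illustration (not code from this document or from Huawei), the following Python models the receiver-side ICV check described above together with the succession of SAs and SAKs from 3.1, and derives the order of magnitude of the 300-second SAK update interval from the 32-bit packet number. It uses HMAC-SHA256 as a stand-in for the cipher suite's ICV and for the MKA key derivation, does not model payload encryption, and all CAK, SCI and frame values are constructed for the example.

```python
import hashlib
import hmac
import struct

MACSEC_ETHERTYPE = 0x88E5   # EtherType carried in the SecTAG (IEEE 802.1AE)
PN_MAX = 2**32 - 1          # 802.1AE-2006 packet number (PN) is a 32-bit counter
ICV_LEN = 16                # ICV length of the 802.1AE-2006 default cipher suite


def sak_min_lifetime_seconds(link_bps, frame_bytes=64):
    """Soonest time at which one SAK's PN space is used up (assumes back-to-back
    minimum-size frames: frame_bytes + 8 B preamble + 12 B inter-frame gap)."""
    frames_per_second = link_bps / ((frame_bytes + 20) * 8)
    return PN_MAX / frames_per_second


def derive_sak(cak, key_number):
    """Stand-in for the MKA SAK derivation (real MKA uses an AES-CMAC based KDF):
    HMAC-SHA256 of a key counter under the CAK, truncated to 128 bits."""
    label = b"SAK" + struct.pack(">I", key_number)
    return hmac.new(cak, label, hashlib.sha256).digest()[:16]


def icv(sak, sectag, payload):
    """Stand-in for the GCM-AES ICV: a MAC over the SecTAG (incl. SCI) and the user data."""
    return hmac.new(sak, sectag + payload, hashlib.sha256).digest()[:ICV_LEN]


def protect(sak, sci, an, pn, payload):
    """Encapsulate one frame: SecTAG (EtherType, TCI/AN, SL, PN, 8-byte SCI) + data + ICV.
    Integrity only; the cipher-suite encryption of the payload is not modelled."""
    tci_an = 0x20 | (an & 0x03)   # TCI with the SC bit set (SCI present), AN in the low 2 bits
    sectag = struct.pack(">HBBI", MACSEC_ETHERTYPE, tci_an, 0, pn) + sci
    return sectag + payload + icv(sak, sectag, payload)


def verify(sak, frame):
    """Receiver side: recompute the ICV and compare. Returns (accepted, payload, an, pn)."""
    rejected = (False, None, None, None)
    if len(frame) < 16 + ICV_LEN:
        return rejected
    ethertype, tci_an, _sl, pn = struct.unpack(">HBBI", frame[:8])
    if ethertype != MACSEC_ETHERTYPE or pn == 0:
        return rejected
    sectag, payload, tag = frame[:16], frame[16:-ICV_LEN], frame[-ICV_LEN:]
    if not hmac.compare_digest(icv(sak, sectag, payload), tag):
        return rejected              # ICV mismatch: distorted or forged frame is discarded
    return True, payload, tci_an & 0x03, pn


class TxChannel:
    """Sender side of one secure channel: a succession of SAs, each with its own SAK."""
    def __init__(self, cak, sci, rekey_after=PN_MAX):
        self.cak, self.sci, self.rekey_after = cak, sci, rekey_after
        self.key_number, self.an, self.pn = 0, 0, 0
        self.sak = derive_sak(cak, 0)

    def send(self, payload):
        if self.pn >= self.rekey_after:      # PN space used up: install the next SA
            self.key_number += 1
            self.an = (self.an + 1) % 4      # AN is 2 bits; it names the SA within the channel
            self.sak, self.pn = derive_sak(self.cak, self.key_number), 0
        self.pn += 1                         # PN 0 is never used on the wire
        return protect(self.sak, self.sci, self.an, self.pn, payload)
```

A receiver holding a stale SAK rejects frames of the new SA, so the sender's SAK update must be matched by the MKA distribution of the new SAK to the peer before the old PN space runs out.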

3.3 MACsec Application

MACsec can be used to protect interconnection data between two BBUs that both use the UMPTe,
as shown in Figure 3-3.


Figure 3-3 BBUs interconnected using the UMPTe


4 Related Features

Prerequisite Features
None

Mutually Exclusive Features
None

Impacted Features
None


5 Network Impact

System Capacity
No impact.

Network Performance
This feature provides MAC-layer security protection for data transmitted through BBU
interconnection ports and increases data transmission security.


6 Engineering Guidelines

6.1 When to Use MACsec


This feature is activated by default and does not need to be configured.

6.2 Planning

6.2.1 Network Planning


The UMPTe boards of interconnected BBUs must be directly connected without using any
switch devices.

6.2.2 Hardware Planning


The BBUs must use the UMPTe for interconnection.

6.3 Deployment
This feature does not require feature deployment.

6.4 Performance Monitoring


Run the MML command DSP CTRLLNKSTAT on the root or leaf BBU. If the value of the
MACSec Negotiation State parameter is Succeeded, this feature works properly.

6.5 Troubleshooting
To accommodate this feature, ALM-26314 Inter-BBU Port Failure is added to facilitate fault
location. For details about alarm handling, see 3900 Series Base Station Alarm Reference.


7 Parameters

There are no specific parameters associated with this feature.


8 Counters

There are no specific counters associated with this feature.


9 Glossary

For the acronyms, abbreviations, terms, and definitions, see Glossary.


10 Reference Documents

1. IEEE 802.1AE-2006
2. 3900 Series Base Station Alarm Reference
