Macsec Feature Parameter Description: Singleran
Issue 01
Date 2016-08-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Contents
2 Overview
2.1 Background
2.2 Introduction
2.3 Benefits
2.4 Architecture
3 Technical Description
3.1 Introduction
3.2 Principles
3.3 MACsec Application
4 Related Features
5 Network Impact
6 Engineering Guidelines
6.1 When to Use MACsec
6.2 Planning
6.2.1 Network Planning
6.2.2 Hardware Planning
6.3 Deployment
6.4 Performance Monitoring
6.5 Troubleshooting
7 Parameters
8 Counters
9 Glossary
10 Reference Documents
1.1 Scope
This document describes MACsec, including its technical principles, related features, network
impact, and engineering guidelines.
NOTE
In this document, unless TDD or FDD is explicitly specified, all references to LTE, eNodeB or eRAN
should be understood to include both FDD and TDD modes. For RAT multi-mode abbreviations, in
addition to G, U and L for GSM, UMTS and LTE FDD modes respectively, in this document T stands
for LTE TDD.
This document applies only to LTE FDD. Any "LTE" in this document refers to LTE FDD,
and "eNodeB" refers to LTE FDD eNodeB.
This document applies to the following types of base stations.
Base station type: Separate-MPT multimode base station
Description: A base station on which each mode uses its own main control board. For example, a
base station configured with a GTMU and a WMPT is called a separate-MPT GSM/UMTS dual-mode
base station.
NOTE
A UMDU cannot be used in a separate-MPT base station.
SRAN12.0 01 (2016-08-30)
This issue does not include any changes.
2 Overview
2.1 Background
To deploy BBU interconnection-related features, the UMPTe must be used to directly
interconnect BBUs through Ethernet ports. Data is transmitted through these interconnection
ports using the standard Ethernet protocol.
Ethernet is simple, efficient, and scalable, but its frame format is plaintext and easily parsed,
and it provides no confidentiality, integrity protection, or origin authentication on its own.
Data transmitted over the interconnection ports contains control-, user-, and management-plane
information, all of which is sensitive. Media access control security (MACsec) is introduced to
protect this data.
2.2 Introduction
MACsec defines secure data communication for IEEE 802 LANs and complies with IEEE Std
802.1AE-2006.
With MACsec, two communication peers (also known as MACsec peers) encrypt the frames they
exchange and authenticate their origin, which gives the frames transmitted on the network the
following security properties:
- Access equipment validity: together with the 802.1X authentication framework, MACsec
ensures that only authenticated equipment can access the network.
- Confidentiality: the MACsec entity encrypts data and transmits it as ciphertext, so an
eavesdropper on the link cannot read it.
- Integrity: the MACsec entity checks the integrity of received data and discards frames that
have been modified in transit.
- Authenticity: the MACsec entity authenticates the data origin, so the receiver can confirm
which peer sent the data.
NOTE
The MACsec entity is an NE or network equipment that uses MACsec for communication.
2.3 Benefits
The MACsec feature increases the security of transmission between interconnected BBUs.
2.4 Architecture
MACsec involves three kinds of equipment: the client, the device (referring to the access
equipment in this document), and the authentication server.
- The client is a terminal requesting access to the LAN. The device authenticates the client,
and the client takes part in MACsec key negotiation and packet encryption.
- The device controls client access. It interacts with the authentication server to perform
802.1X-based authentication of connected clients, and it also performs MACsec key
negotiation and packet encryption.
- The authentication server authenticates and authorizes clients; in most cases it is a
Remote Authentication Dial In User Service (RADIUS) server. After a client is authenticated,
the authentication server distributes keys to the client and the device.
MACsec has two typical networking modes: distributed and centralized. In centralized
networking, the device and authentication server functions are integrated into one piece of
equipment and interact inside it. Figure 2-1 shows the two typical MACsec networking modes.
For BBU interconnection, the BBUs are centrally deployed and directly connected using Ethernet
cables, so the centralized mode is used: the UMPTe in the root BBU serves as both the device and
the authentication server, and the UMPTe in the leaf BBU serves as the client. Figure 2-2 shows
an example of MACsec networking.
3 Technical Description
3.1 Introduction
MACsec is used together with the 802.1X authentication framework and operates only after
802.1X authentication has succeeded. Using the key obtained through MACsec Key Agreement
(MKA) negotiation, MACsec encrypts and integrity-protects the frames of authenticated clients
and identifies those frames on reception. As a result, the interconnection ports do not process
frames that were sent, or modified in transit, by unauthenticated clients.
MACsec involves the following basic concepts:
3.2 Principles
MACsec interaction consists of four phases: identity authentication, session negotiation,
secure communication, and session termination, as shown in Figure 3-1.
Identity Authentication
Before a client can establish a session with the device, it must be authenticated on the device
port. After the client passes 802.1X authentication, the RADIUS server distributes the generated
connectivity association key (CAK) to the client and the device.
Session Negotiation
Holding the CAK, the client starts a negotiation session with the device using EAPOL-MKA
packets. During the negotiation, the client and device use MKA to inform each other of their
capabilities and required parameters (such as key server priority and whether the session must
be encrypted). The device is elected as the key server in this process. The key server derives a
secure association key (SAK) from the CAK and distributes it to the client inside the MKA
exchange, which is itself protected by keys derived from the CAK.
Secure Communication
After the negotiation completes, both the client and the device hold the SAK and use it to
protect data packets, and secure communication starts. The MACsec security measures are data
encryption and integrity checking. Anti-replay protection and perfect forward secrecy (PFS) are
currently not implemented on base stations, on the grounds that replay attacks and key cracking
are considered unlikely on a directly cabled BBU interconnection. The practical consequence is
that a frame captured on the link and re-injected unchanged still carries a valid ICV and is
accepted, and that the SAKs of past sessions are only as secret as the CAK they were derived
from.
- Data encryption
After MACsec negotiation succeeds, the sender encrypts the data and the receiver decrypts
it. The key used for encryption and decryption is the SAK obtained from MKA negotiation.
- Integrity protection
The sender uses the SAK (derived from the CAK) to compute an integrity check value (ICV)
over the MACsec-encapsulated frame and appends the ICV to the end of the MACsec packet.
Figure 3-2 shows the MACsec packet encapsulation.
When the receiver gets the MACsec packet, it uses the same SAK obtained from MKA
negotiation to recompute the ICV and compares the result with the ICV carried in the packet.
If the two ICVs match, the packet is accepted. Otherwise, the packet is discarded.
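The following worked example is added by the editor; it is not Huawei code and is not part of the original document. In Go, using only the standard library, it implements the encapsulation of Figure 3-2 and the receive-side checks described above: a SecTAG (EtherType 0x88E5, TCI/AN, SL, PN, SCI) is prepended to the frame, the user data is encrypted and the ICV computed with GCM-AES-128 (the IEEE 802.1AE-2006 default cipher suite) over DA, SA, the SecTAG and the data, and the receiver discards any frame whose SecTAG matches no installed secure association or whose ICV does not verify. It also shows the consequence of the anti-replay limitation noted above: a receiver that keeps no packet-number window accepts a captured frame when it is re-injected, while a receiver with the window rejects it. MKA itself is not implemented; the SAK, the MAC addresses, the port number and the payload are constructed values, and the receiver uses a strict window (only increasing PNs are accepted) rather than the configurable replay window of 802.1AE.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecureChannel is one direction of a MACsec secure channel; transmitter and receiver each hold one.
type SecureChannel struct {
	sci           []byte      // Secure Channel Identifier: 6-byte system MAC + 2-byte port number
	an            byte        // association number (0..3) naming the SAK in use
	aead          cipher.AEAD // GCM-AES-128 keyed with the SAK (the 802.1AE-2006 default cipher suite)
	nextPN        uint32      // transmitter: next packet number
	lowestPN      uint32      // receiver: PNs below this are treated as replays
	replayProtect bool        // receiver: whether the PN window is enforced at all
}

func NewSecureChannel(sci, sak []byte, an byte, replayProtect bool) (*SecureChannel, error) {
	block, err := aes.NewCipher(sak) // a 16-byte SAK selects AES-128
	if err != nil || len(sci) != 8 {
		return nil, errors.New("SAK must be 16 bytes and SCI 8 bytes")
	}
	aead, _ := cipher.NewGCM(block) // 12-byte IV, 16-byte tag (the MACsec ICV); cannot fail for AES
	return &SecureChannel{sci: sci, an: an & 3, aead: aead, nextPN: 1, lowestPN: 1, replayProtect: replayProtect}, nil
}

// Protect turns DA|SA|userData into DA|SA|SecTAG|ciphertext|ICV, the layout of Figure 3-2.
// SecTAG = EtherType 0x88E5|TCI/AN|SL|PN|SCI; TCI bits V=0 ES=0 SC=1 SCB=0 E=1 C=1 give 0x2C.
func (sc *SecureChannel) Protect(da, sa, userData []byte) []byte {
	var sl byte // short length: non-zero only when the secure data is under 48 octets
	if len(userData) < 48 {
		sl = byte(len(userData))
	}
	sectag := []byte{0x88, 0xE5, 0x2C | sc.an, sl, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(sectag[4:8], sc.nextPN)
	sc.nextPN++ // a real SecY must have MKA install a fresh SAK before the PN could wrap to 0
	hdr := append(append(append(append([]byte{}, da...), sa...), sectag...), sc.sci...) // authenticated, not encrypted
	iv := append(append([]byte{}, sc.sci...), sectag[4:8]...)                           // GCM IV = SCI || PN (802.1AE 14.5)
	return sc.aead.Seal(hdr, iv, userData, append([]byte{}, hdr...)) // appends ciphertext and the 16-byte ICV
}

// Verify checks a protected frame and returns the decrypted user data. A frame whose SecTAG matches
// no installed SA, whose ICV fails, or (with anti-replay on) whose PN is below the window is discarded.
func (sc *SecureChannel) Verify(wire []byte) ([]byte, error) {
	const hdrLen = 12 + 16 // DA|SA plus a SecTAG that carries the SCI
	if len(wire) < hdrLen+16 || wire[12] != 0x88 || wire[13] != 0xE5 {
		return nil, errors.New("not a MACsec frame: dropped on a protected port")
	}
	tci, pn := wire[14], binary.BigEndian.Uint32(wire[16:20])
	if tci&0xA0 != 0x20 || tci&0x03 != sc.an || !bytes.Equal(wire[20:28], sc.sci) || pn == 0 {
		return nil, errors.New("SecTAG matches no installed SA (version, SC bit, AN, SCI or PN)")
	}
	if sc.replayProtect && pn < sc.lowestPN {
		return nil, fmt.Errorf("replay: PN %d is below the window floor %d", pn, sc.lowestPN)
	}
	iv := append(append([]byte{}, sc.sci...), wire[16:20]...)
	userData, err := sc.aead.Open(nil, iv, wire[hdrLen:], wire[:hdrLen])
	if err != nil {
		return nil, errors.New("ICV mismatch: frame discarded")
	}
	if sc.replayProtect { // advance the window only after the ICV verified, so forged PNs cannot move it
		sc.lowestPN = pn + 1
	}
	return userData, nil
}

var sampleSAK = []byte("constructed-sak!") // constructed 16-byte SAK; on a real link MKA derives it from the CAK
var samplePayload = append([]byte{0x08, 0x00}, "BBU interconnection control-plane data (constructed sample)"...)

// RunScenario protects one frame, then shows what an attacker's replayed and tampered copies do to a
// receiver without anti-replay (the base-station state described in 3.2) and to one with it.
// It returns (decrypted user data, replayAcceptedNoRP, replayRejectedRP, tamperRejected, err).
func RunScenario() ([]byte, bool, bool, bool, error) {
	da, sa := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x66} // constructed MACs
	sci := append(append([]byte{}, sa...), 0x00, 0x01)      // SCI = transmitter MAC || port 1
	tx, _ := NewSecureChannel(sci, sampleSAK, 0, false)     // fixed valid inputs: construction cannot fail
	rxNoRP, _ := NewSecureChannel(sci, sampleSAK, 0, false) // receiver as on the base station today
	rxRP, _ := NewSecureChannel(sci, sampleSAK, 0, true)    // receiver with anti-replay enabled
	wire := tx.Protect(da, sa, samplePayload)
	decrypted, err := rxRP.Verify(wire) // first delivery: accepted, and the window floor moves to PN 2
	if err != nil {
		return nil, false, false, false, err
	}
	_, errNoRP := rxNoRP.Verify(wire) // a re-injected copy: with no PN state it looks like a first delivery
	_, errRP := rxRP.Verify(wire)     // the same copy against the windowed receiver
	tampered := append([]byte{}, wire...)
	tampered[len(tampered)-20] ^= 0x01 // flip one ciphertext byte just before the ICV
	_, errTamper := rxNoRP.Verify(tampered)
	return decrypted, errNoRP == nil, errRP != nil, errTamper != nil, nil
}

func main() {
	_, acceptedNoRP, rejectedRP, tamperRejected, err := RunScenario()
	fmt.Println("replay accepted without anti-replay:", acceptedNoRP, "| rejected with it:", rejectedRP, "| tamper rejected:", tamperRejected, err)
}
```

Protect and Verify are the two halves of a SecY's data path. The window floor is advanced only after the ICV check succeeds, so an attacker cannot inject a frame with a high PN to make the receiver discard legitimate traffic; and because the GCM IV is SCI || PN, a SAK must be replaced through MKA before the 32-bit PN wraps, since reusing an IV under the same key breaks both confidentiality and integrity.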
4 Related Features
Prerequisite Features
None
Impacted Features
None
5 Network Impact
System Capacity
No impact.
Network Performance
This feature provides MAC-layer security protection for data transmitted through BBU
interconnection ports and increases data transmission security.
6 Engineering Guidelines
6.2 Planning
6.3 Deployment
No deployment operations are required for this feature.
6.5 Troubleshooting
To accommodate this feature, ALM-26314 Inter-BBU Port Failure is added to facilitate fault
location. For details about alarm handling, see 3900 Series Base Station Alarm Reference.
7 Parameters
8 Counters
9 Glossary
10 Reference Documents
1. IEEE 802.1AE-2006
2. 3900 Series Base Station Alarm Reference