The evolved Packet Core (EPC): The all-IP based Core Network of LTE
ITU ASP COE Training on "Technology, Standardization and Deployment of Long Term Evolution (IMT)"
Sami TABBANE
Agenda
1) User Plane Overview
2) LTE Interfaces
3) LTE Identities
4) LTE-EPC Bearers
5) Network Entities
6) Backhauling and Backbone
7) Security
Traffic
Fully meshed approach with tunneling mechanism over IP transport network
Iu Flex approach
Access Gateway (AGW)
Enhanced Node B (eNB)
Creates pools of MMEs and SGWs, each eNB connected to multiple MMEs and SGWs in a pool.
Flexible architecture
S1 Flex + MME Pooling
Network redundancy and traffic load sharing
S1 Flex: eNB can connect to a maximum of 16 MMEs
In practice geographical redundancy is desired, connecting each eNB to 2 MMEs, in different locations.
MOCN: service providers can have separate core networks (MME, SGW, PDN GW) and E-UTRAN (eNBs) jointly shared.
Enabled by the S1-flex mechanism (each eNB can be connected to multiple core networks entities).
2) LTE Interfaces
[Figure: HSS, SGSN, 2G networks, 3G networks, LTE networks; interface labels Gr, S6, Gb, Iu UP, S1 CP, Iu CP]
S1 flex: eNB (enhanced Node B) and aGW (access Gateway) multipoint-to-multipoint links,
X2: inter-eNBs direct interface for HO management and RRM.
GGSN, SGSN and RNC elements: unique and central node ACGW (Access Core Gateway) or aGW (in 3GPP LTE/SAE, aGW refers to the Serving Gateway (SGW)).
ACGW: terminates control and user planes for UE and manages the core network features implemented in the GGSN and SGSN in Release 6.
UE Control plane protocol similar to Release 6 RRC (Radio Resource Control): mobility control and radio bearer configuration.
ACGW user plane: header compression, ciphering, integrity and ARQ
Two interfaces: S1 for the control plane X2 for the user plane Inter-eNode Bs X2 interface (includes Control and user planes)
Interfaces
Before transmission on S1 interface, user plane packets are transmitted to the transport layer without processing,
Control plane is linked to the messages and procedures related to the interface operation:
Handover management control messages
"Bearer" control messages
Interfaces
Physical layer (part of the transport layer) is common to the user and control planes,
Control plane signaling: more constraints in terms of security, reliability and data loss,
User plane information: less secured routing protocols
S1 and X2 interfaces specified by the 3GPP
eNodeB of various vendors may be:
Interconnected through X2 interface
Connected to the MME or S-GW (S1 interface).
GTP
All variants of GTP have certain features in common. The structure of the messages is the same, with a GTP header following the UDP/TCP header. GTPv1 headers contain the following fields:
GTPv1 header layout (bit offsets):
Offset 0: bits 0-2 Version; bit 3 Protocol Type; bit 4 Reserved; bit 5 Extension Header Flag; bit 6 Sequence Number Flag; bit 7 N-PDU Number Flag; bits 8-15 Message Type; bits 16-31 Total length
Offset 32: TEID
Offset 64: Sequence number; N-PDU number; Next extension header type

Version: 3-bit field. For GTPv1, this has a value of 1.
Protocol Type (PT): 1-bit value that differentiates GTP (value 1) from GTP' (value 0).
Reserved: a 1-bit reserved field (must be 0).
Extension header flag (E): 1-bit value that states whether there is an extension header optional field.
Sequence number flag (S): 1-bit value that states whether there is a Sequence Number optional field.
N-PDU number flag (PN): 1-bit value that states whether there is an N-PDU number optional field.
Message Type: 8-bit field to indicate the type of GTP message. Different types of messages are defined in 3GPP TS 29.060.
Length: a 16-bit field that indicates the length of the payload in bytes (rest of the packet following the mandatory 8-byte GTP header). Includes the optional fields.
Tunnel endpoint identifier (TEID): 32-bit (4-octet) field used to multiplex different connections in the same GTP tunnel.
Sequence number: optional 16-bit field. Exists if any of the E, S, or PN bits are on.
N-PDU number: optional 8-bit field. This field exists if any of the E, S, or PN bits are on.
Next extension header type: optional 8-bit field. This field exists if any of the E, S, or PN bits are on.
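The header fields listed above, as a strict parser a GTP-aware firewall or test harness could use. This is an added example, not part of the original slides; the sample packet is constructed, and the extension-header layout (length in 4-octet units, last octet is the next type) is taken from 3GPP TS 29.060/29.281 rather than from this page.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class GTPv1Header:
    protocol_type: int          # 1 = GTP, 0 = GTP'
    message_type: int
    teid: int
    sequence: Optional[int]     # None when E, S and PN are all 0
    npdu: Optional[int]
    ext_types: list             # extension header types met while walking
    payload: bytes

def parse_gtpv1(packet: bytes) -> GTPv1Header:
    """Parse a GTPv1 message, rejecting headers that contradict themselves."""
    if len(packet) < 8:
        raise ValueError("shorter than the mandatory 8-byte header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", packet[:8])
    if flags >> 5 != 1:
        raise ValueError("version field is not 1")
    if flags & 0x08:
        raise ValueError("reserved bit must be 0")
    # Length counts everything after the 8 mandatory bytes, optional fields
    # included; never trust it beyond what was actually received.
    if length > len(packet) - 8:
        raise ValueError("Length exceeds received data")
    body = packet[8:8 + length]
    sequence = npdu = None
    ext_types = []
    if flags & 0x07:                       # any of E, S, PN set
        if len(body) < 4:
            raise ValueError("flags announce optional fields that do not fit")
        sequence, npdu, next_type = struct.unpack("!HBB", body[:4])
        body = body[4:]
        # Assumed extension header layout (see lead-in): first octet is the
        # length in 4-octet units, last octet is the next type (0 = none).
        while flags & 0x04 and next_type:
            if not body or body[0] == 0 or body[0] * 4 > len(body):
                raise ValueError("malformed extension header")
            ext_types.append(next_type)
            size = body[0] * 4
            next_type, body = body[size - 1], body[size:]
    return GTPv1Header((flags >> 4) & 1, msg_type, teid,
                       sequence, npdu, ext_types, body)

# Constructed sample: version 1, PT=1, S=1 (flags 0x32), message type 255,
# TEID 0x1234, sequence number 7, six bytes of tunnelled payload.
SAMPLE = (struct.pack("!BBHI", 0x32, 255, 10, 0x1234)
          + struct.pack("!HBB", 7, 0, 0) + b"IPDATA")

if __name__ == "__main__":
    print(parse_gtpv1(SAMPLE))
```

The checks that matter for a defender are the ones on Length and on the extension header size: both are attacker-controlled values that a lenient parser would use as offsets.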
GTP principle
Control plane S1 interface, or S1-C: signaling interface supporting a set of features and procedures between eNodeB and MME,
4 main groups S1-C signaling procedures:
Bearer related procedures: bearer establishment, change and release,
Handover procedures: all S1 features related to the mobility of the users between eNodeBs or with the 2G/3G technologies,
NAS (Non Access Stratum) signaling transfer: signaling between a terminal and MME, through S1 interface (eNodeB transparent signaling),
Paging procedure: used for MT sessions (the MME request from eNodeB to page a terminal in a given cell).
3) LTE Identities
User Identities
International Mobile Subscriber Identity (IMSI) allocated to each mobile subscriber in every (GSM, UMTS, and EPS) system.
VLRs, SGSNs and MMEs may allocate Temporary Mobile Subscriber Identities (X-TMSI) for subscriber identity confidentiality.
An MS may be allocated three TMSIs through the:
VLR (TMSI)
SGSN (P-TMSI)
MME (S-TMSI, M-TMSI, part of GUTI, Globally Unique Temporary UE Identity).
User Identities
Temporary Mobile Subscriber Identity (TMSI) structure and coding is chosen by agreement between operator and ME manufacturer in order to meet local needs. The TMSI consists of 4 octets. It can be coded using a hexadecimal representation. The network shall not allocate a TMSI with all 32 bits equal to 1, because TMSI must be stored in the SIM, and SIM uses 4 octets with all bits equal to 1 to indicate that no valid TMSI is available.
Globally Unique Temporary UE Identity (GUTI): unambiguous identification of the UE that does not reveal the UE or the user's permanent identity in the Evolved Packet System (EPS). It allows the identification of the MME and network.
GUTI = GUMMEI + M-TMSI, where
GUMMEI = MCC + MNC + MME Identifier
MME Identifier = MME Group ID + MME Code
MCC and MNC shall have the same field size as in earlier 3GPP systems.
M-TMSI shall be of 32 bits length.
MME Group ID shall be of 16 bits length.
MME Code shall be of 8 bits length.
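The GUTI composition above, packed into and recovered from its 80 bits. This is an added example, not part of the original slides. It assumes the nibble-swapped BCD PLMN encoding of 3GPP TS 24.008 for MCC/MNC, uses the fact that S-TMSI is MMEC followed by M-TMSI, and applies the slide's all-ones TMSI rule to the M-TMSI; all sample values are constructed.

```python
import struct
from typing import NamedTuple

NO_VALID_TMSI = 0xFFFFFFFF   # all 32 bits set: SIM marker for "no valid TMSI"

class GUTI(NamedTuple):
    mcc: str      # 3 digits
    mnc: str      # 2 or 3 digits
    mmegi: int    # MME Group ID, 16 bits
    mmec: int     # MME Code, 8 bits
    m_tmsi: int   # 32 bits

def _plmn_bcd(mcc: str, mnc: str) -> bytes:
    # Assumed layout (TS 24.008): MCC2|MCC1, MNC3|MCC3, MNC2|MNC1,
    # with 0xF as filler when the MNC has only two digits.
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC is 3 digits, MNC is 2 or 3 digits")
    c = [int(x) for x in mcc]
    n = [int(x) for x in mnc] + [0xF]
    return bytes([c[1] << 4 | c[0], n[2] << 4 | c[2], n[1] << 4 | n[0]])

def pack_guti(g: GUTI) -> bytes:
    """GUTI = GUMMEI (PLMN + MMEGI + MMEC) + M-TMSI, 10 octets."""
    if not (0 <= g.mmegi <= 0xFFFF and 0 <= g.mmec <= 0xFF
            and 0 <= g.m_tmsi <= 0xFFFFFFFF):
        raise ValueError("field out of range")
    if g.m_tmsi == NO_VALID_TMSI:
        # Assumption: the slide states this rule for the TMSI; it is applied
        # to the M-TMSI here.
        raise ValueError("all-ones value means 'no valid TMSI'")
    return _plmn_bcd(g.mcc, g.mnc) + struct.pack("!HBI", g.mmegi, g.mmec, g.m_tmsi)

def unpack_guti(raw: bytes) -> GUTI:
    if len(raw) != 10:
        raise ValueError("expected 80 bits")
    b0, b1, b2 = raw[:3]
    mcc = f"{b0 & 0xF}{b0 >> 4}{b1 & 0xF}"
    mnc = f"{b2 & 0xF}{b2 >> 4}" + ("" if b1 >> 4 == 0xF else str(b1 >> 4))
    return GUTI(mcc, mnc, *struct.unpack("!HBI", raw[3:]))

def s_tmsi(g: GUTI) -> int:
    # 40-bit short form: MMEC followed by M-TMSI
    return g.mmec << 32 | g.m_tmsi

if __name__ == "__main__":
    sample = GUTI("001", "01", 0x8001, 0x2A, 0xC0FFEE01)   # constructed values
    print(pack_guti(sample).hex(), hex(s_tmsi(sample)))
```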
LTE Identities

ID: IMSI
Meaning: International Mobile Subscriber Identity
Description: Unique identification of mobile (LTE) subscriber. Network (MME) gets the PLMN of the subscriber
Structure: IMSI (not more than 15 digits) = PLMN ID + MSIN = MCC + MNC + MSIN

ID: PLMN ID
Meaning: Public Land Mobile Network Identifier
Description: Unique identification of PLMN
Structure: PLMN ID (not more than 6 digits) = MCC + MNC

ID: MCC
Meaning: Mobile Country Code
Description: assigned by ITU
Structure: 3 digits

ID: MNC
Meaning: Mobile Network Code
Description: assigned by National Authority
Structure: 2 or 3 digits

ID: MSIN
Meaning: Mobile Subscriber Identification Number
Description: assigned by operator
Structure: 9 or 10 digits

ID: GUTI
Meaning: Globally Unique Temporary UE Identity
Description: To identify a UE between the UE and the MME on behalf of IMSI for security reason
Structure: GUTI (not more than 80 bits) = GUMMEI + M-TMSI

ID: TIN
Meaning: Temporary Identity used in Next Update
Description: GUTI is stored in TIN parameter of UE's MM context. TIN indicates which temporary ID will be used in the next update.
Structure: TIN = GUTI

ID: S-TMSI
Meaning: SAE Temporary Mobile Subscriber Identity
Description: To locally identify a UE in short within a MME group (Unique within a MME Pool)

ID: M-TMSI
Meaning: MME Mobile Subscriber Identity
Description: Unique within a MME
Structure: 32 bits

ID: GUMMEI
Meaning: Globally Unique MME Identity
Description: To identify a MME uniquely in global. GUTI contains GUMMEI
Structure: GUMMEI (not more than 48 bits) = PLMN ID + MMEI

ID: MMEI
Meaning: MME Identifier
Description: To identify a MME uniquely within a PLMN. Operator commissions at eNB
Structure: MMEI (24 bits) = MMEGI + MMEC

ID: MMEGI
Meaning: MME Group Identifier
Description: Unique within a PLMN
Structure: 16 bits

ID: MMEC
Meaning: MME Code
Description: To identify a MME uniquely within a MME Group. S-TMSI contains MMEC
Structure: 8 bits

ID: C-RNTI
Meaning: Cell-Radio Network Temporary Identifier
Description: To identify an UE uniquely in a cell
Structure: 0x0001 ~ 0xFFF3 (16 bits)

ID: IMEI
Meaning: International Mobile Equipment Identity
Description: To identify a ME (Mobile Equipment) uniquely
Structure: IMEI (15 digits) = TAC + SNR + CD

ID: IMEI/SV
Meaning: IMEI/Software Version
Description: To identify a ME (Mobile Equipment) uniquely
Structure: IMEI/SV (16 digits) = TAC + SNR + SVN

ID: ECGI
Meaning: E-UTRAN Cell Global Identifier
Description: To identify a Cell in global (Globally Unique). EPC can know UE location based of ECGI
Structure: ECGI (not more than 52 bits) = PLMN ID + ECI

ID: ECI
Meaning: E-UTRAN Cell Identifier
Description: To identify a Cell within a PLMN
Structure: ECI (28 bits) = eNB ID + Cell ID

ID: P-GW
Description: To identify a specific PDN GW (PGW). HSS assigns P-GW for PDN (IP network) connection of each UE
Structure: IP address (4 bytes) or FQDN (variable length)

ID: TAI
Description: To identify Tracking Area. Globally unique
Structure: TAI (not more than 32 bits) = PLMN ID + TAC

ID: TAC
Meaning: Tracking Area Code
Description: To indicate eNB to which Tracking Area the eNB belongs (per Cell). Unique within a PLMN
Structure: 16 bits

ID: TAI List
Meaning: Tracking Area Identity List
Description: UE can move into the cells included in TAL list without location update (TA update). Globally unique
Structure: Variable length

ID: PDN ID
Meaning: Packet Data Network Identity
Description: To identify an PDN (IP network), that mobile data user wants to communicate with. PDN Identity (APN) is used to determine the P-GW and point of interconnection with a PDN. With APN as query parameter to the DNS procedures, the MME will receive a list of candidate P-GWs, and then a PGW is selected by MME with policy

ID: EPS Bearer ID
Meaning: Evolved Packet System Bearer Identifier
Description: To identify an EPS bearer (Default or Dedicated) per an UE

ID: E-RAB ID
Meaning: E-UTRAN Radio Access Bearer Identifier
Description: To identify an E-RAB per an UE

ID: DRB ID
Meaning: Data Radio Bearer Identifier
Description: To identify a DRB per an UE

ID: LBI
Meaning: Linked EPS Bearer ID
Description: To identify the default bearer associated with a dedicated EPS bearer

ID: TEID
Meaning: Tunnel End Point identifier
Description: To identify the end point of a GTP tunnel when the tunnel is established
4) Network Entities
MME
MME hosts the following functions:
NAS signaling security
AS security control
Inter CN node signaling for mobility between 3GPP access networks
Tracking Area list management
PDN GW and Serving GW selection
MME selection for handovers with MME change
SGSN selection for handovers to 2G or 3G 3GPP access networks
Roaming
Authentication
Bearer management functions including dedicated bearer establishment
Support PWS (which includes ETWS and CMAS) message transmission
UE reachability in idle state (including control and paging retransmission)
S-GW
Serving Gateway (S-GW) hosts the following functions:
The local Mobility Anchor point for inter-eNB handover
Mobility anchoring for inter-3GPP mobility
E-UTRAN idle mode downlink packet buffering and initiation of network triggered service request procedure
Lawful Interception
Packet routing and forwarding
Transport level packet marking in the uplink and the downlink
Accounting on user and QCI granularity for inter-operator charging
UL and DL charging per UE, PDN, and QCI
P-GW
PDN Gateway hosts the following functions:
Per-user based packet filtering (by e.g. deep packet inspection)
Lawful Interception
UE IP address allocation
Transport level packet marking in the downlink
UL and DL service level charging, gating and rate enforcement
DL rate enforcement based on APN-AMBR
Credit control for online charging
Note: The S-GW and P-GW are usually integrated in the same equipment (direct tunnel). Physical separation is done in the case of roaming.
PCRF and HSS
PCRF (Policy Control and Charging Rules Function)
Policy control decision-making
Control the flow-based charging functionalities in the Policy Control Enforcement Function (PCEF), which resides in the P-GW
Provides the QoS authorization (QoS class identifier [QCI] and bit rates) that decides how a certain data flow will be treated in the PCEF and ensures that this is in accordance with the user's subscription profile.
HSS
Contains users' SAE subscription data such as the EPS-subscribed QoS profile and any access restrictions for roaming
Holds information about the PDNs to which the user can connect, in the form of an access point name (APN), which is a label according to DNS naming conventions describing the access point to the PDN, or a PDN address (indicating subscribed IP address(es))
Holds dynamic information such as the identity of the MME to which the user is currently attached or registered
Integrates the authentication center (AUC), which generates the vectors for authentication and security keys.
Summary
RR: Radio Resource
RRC: Radio Resource Control
EMM: Evolved Mobility Management
ECM: Evolved Connection Management
5) LTE-EPC Bearers
Paging: Through the PCCH (logical channel)
Establishment, maintenance and release of an RRC connection between the UE and E-UTRAN:
Allocation of temporary identifiers between UE and E-UTRAN
Configuration of signaling radio bearer(s) for RRC connection
Transmission of signaling messages to and from the EPS: NAS Messages (Non Access Stratum) handled transparently by the RRC (Radio Resource Control): control information exchanged between UE and E-UTRAN
E-UTRAN RRC significantly simplified compared to UTRAN: Reduction in the number of messages
Default-Dedicated Bearer
Default Bearer vs Dedicated Bearer
A default bearer carries all kinds of traffic (no filter) without QoS. It is typically created during the Attach procedure
A dedicated bearer carries a specific data flow, identified by the TFT (Traffic Flow Template), with a given QoS.
Ex.: Voice, streaming
Can be established:
During the Attach procedure (depending on the user profile)
After the Attach procedure, on demand.
When the UE establishes a PDN Connection this creates a logical end to end "pipe" between the UE and the PGW. The UE is assigned an IP address (IPv4 or IPv6) and the default bearer is setup (always best effort). If the UE requires some QoS different than best effort, a dedicated bearer can be setup. This will be a necessity for voice services over LTE for example but could also be used when a streaming session is setup, or a Skype session etc. The network knows that a dedicated bearer is needed by DPI, most likely by the PCRF node.
DPI inspects, reassembles and decompresses incoming packets, analyzes the code and passes data to appropriate applications and services. If malicious URLs or code are detected, the system can block them entirely. DPI can also be used by service providers to offer subscribers different levels of access (such as type of usage, data limits or bandwidth level), comply with regulations, prioritize traffic, adjust loads and gather statistical information. DPI can recognize applications as data passes through the system, allocating each the resources they need.
[Figure: Normal users]
Wireless Backhaul
Access Network
[Figure: Handset, PDA or Laptop; Carrier Base Station; Copper, Fiber; Mobile Switching Office (provisioning, call routing, etc); Public Switched Telephone Network]
Three Main Transport Methods
Copper (T1s)
Fiber
Microwave
Copper/Fiber Hybrid Solution
Copper TDM great for voice, not so great for data
Fiber Ethernet great for data, allows transition to VOIP
Fiber quickly replacing copper to meet LTE bandwidth requirements
Point-to-point microwave backhauled to fiber to save cost
Ethernet over E1 driving savings, greater data flow and greater reliability
Connection between the base station and the controllers is enabled via the backhaul network. The backbone network is not involved and can be functionally separate, being utilized primarily for interconnection of switch.
Mobile backhaul is increasingly becoming a strategic investment for service providers (source: "World Mobile Backhaul Infrastructure Market", Frost & Sullivan, February 2009) and hence the need for flexibility is ever growing.
LTE Architecture: The Mobile broadband backhaul
Broadband Mobile Network Evolution
Backhaul systems designed to serve LTE deployments should address three basic requirements:
Higher capacities: Backhaul to a single site should be able to scale to 100Mbps and even beyond
Lower Latencies: The requirement for 10 millisecond end-to-end leads to select a solution that supports extremely low latency
All IP: Support IP traffic from the get-go.
Examples of Microwave capacities
BridgeWave
Description:
80 GHz Fast Ethernet extended range wireless bridge
80 GHz Fast Ethernet extended range wireless bridge
80 GHz Fast Ethernet medium range wireless bridge
80 GHz Fast Ethernet medium range wireless bridge
80 GHz Fast Ethernet medium range wireless bridge
80 GHz Fast Ethernet medium range wireless bridge
80 GHz AdaptRate 100/1000 Mbps extended range wireless bridge
80 GHz AdaptRate 100/1000 Mbps extended range wireless bridge
Capacity: 125Mbps (Upgrade to GigE); 125Mbps (Upgrade to GigE); 100 Mbps; 100 Mbps; 1000 Mbps; 1000 Mbps; 100/1000 Mbps
Distance: Up to 4 Miles (KM); Up to 5 Miles (8.0KM); Up to 5 miles (8 km); Up to 6 miles (9.7 km); Up to 4 miles (km); Up to 5 miles (8 km); Up to 5 miles (8 km)
Summary
The E-UTRAN consists of eNodeBs which provide E-UTRA user plane (PDCP/RLC/MAC/PHY) and control plane (RRC) protocol terminations toward the user equipment (UE). The eNBs are interconnected with each other by means of the X2 interface. The eNBs are connected through the S1 interface to the Evolved Packet Core (EPC), more specifically to the Mobility Management Entity (MME) by means of the S1-MME interface and to the Serving Gateway (SGW) by means of the S1-U interface.
The E-UTRAN
LTE Architecture
7) Security
IPsec
Security concerns:
As UMTS, UE authentication (USIM: 128 bits key imposed);
The internal signaling protection (integrity), signaling and traffic encryption;
Additional signaling encryption for RRC and NAS.
[Figure: eNodeB, S-GW and MME with the keys KUPenc, KNASenc, KNASint, KRRCenc, KRRCint (RRC)]
[Figure: key hierarchy. USIM - AuC: K; CK, IK; UE - HSS: KASME; UE - MME: KNASenc, KNASint, KeNB; UE - eNB: KUPenc, KRRCint, KRRCenc]
Hierarchical protection (UE, eNB, ASME, HSS, AuC);
Ensure transport security on all interfaces.
in which keys
Encryption is performed at the eNodeB.
MSPs (Mobile Services Provider) should support encryption within the transport network, especially if using third-party backhaul transport providers or public Internet transport.
IPSec tunneling between the eNodeB and the security gateway used to secure data and provide QoS to manage the security centrally.
Security Aspects and parameters in LTE
NAS security
NAS messages, UE and MME scope. NAS message communication between UE and MME are Integrity protected and Ciphered with extra NAS security header.
AS security
RRC and user plane data, UE and eNB scope. PDCP layer in UE and eNB side responsible for ciphering and integrity. RRC messages integrity protected and ciphered but U-Plane data is only ciphered.
Different Security algorithms (integrity-ciphering)
Integrity (EIA: EPS Integrity Algorithm)
"0000" EIA0 Null Integrity Protection algorithm
"0001" 128-EIA1 SNOW 3G
"0010" 128-EIA2 AES
Key-parameters distribution in LTE nodes
Key hierarchy
Faster handovers and key changes, independent of AKA
Added complexity in handling of security contexts
[Figure: key hierarchy (USIM - AuC: K; CK, IK; UE - HSS)]
eNodeB keys:
KeNB: Derived by the terminal and the MME from KASME ("Master Key") and issued by the MME in eNodeB ("Master Key")
KeNB is used to derive the AS traffic keys and handover key KeNB*
KeNB*: Derived by the terminal and the source eNodeB from KeNB or valid NH (Next Hop)
During the handover, the terminal and the target eNodeB derive a new KeNB* from KeNB
KUPenc: Derived from KeNB and used to encrypt the user plane
KRRCint: ... message
KRRCenc: ... messages
Next Hop (NH): Intermediate key used to derive KeNB* during intra-LTE handover security
The NCC (Next Hop Chaining Counter) determines if the next KeNB*
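The eNodeB key chain above (KASME to KeNB, NH, KeNB* and the AS traffic keys), as an added example that is not part of the original slides. It assumes the key derivation function of 3GPP TS 33.401 Annex A (HMAC-SHA-256 with the FC codes 0x11, 0x12, 0x13 and 0x15), which the slides do not spell out; KASME, NAS COUNT, PCI and EARFCN values are constructed.

```python
import hashlib
import hmac
import struct

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (256-bit output)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack("!H", len(p))   # each parameter, then its length
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    # Computed by the terminal and the MME; the MME hands KeNB to the eNodeB
    return kdf(kasme, 0x11, struct.pack("!I", uplink_nas_count))

def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    # sync_input is the initial KeNB for the first NH, then the previous NH.
    # Needs KASME, so an eNodeB cannot compute the next NH by itself.
    return kdf(kasme, 0x12, sync_input)

def derive_kenb_star(kenb_or_nh: bytes, pci: int, earfcn_dl: int) -> bytes:
    # Bound to the target cell (physical cell id, downlink frequency)
    return kdf(kenb_or_nh, 0x13,
               struct.pack("!H", pci), struct.pack("!H", earfcn_dl))

# Algorithm type distinguishers for the AS keys named on the slide
ALG_TYPE = {"KRRCenc": 0x03, "KRRCint": 0x04, "KUPenc": 0x05}

def derive_as_keys(kenb: bytes, alg_id: int) -> dict:
    # 128-bit keys: the low-order half of the KDF output.
    # alg_id 2 is the AES-based algorithm ("0010" in the slide's EIA list).
    return {name: kdf(kenb, 0x15, bytes([t]), bytes([alg_id]))[16:]
            for name, t in ALG_TYPE.items()}

def handover_demo(kasme: bytes) -> dict:
    """Derive the keys for one attach followed by one handover."""
    kenb = derive_kenb(kasme, 0)
    nh = derive_nh(kasme, kenb)
    return {
        "KeNB": kenb,
        "AS": derive_as_keys(kenb, 2),
        # Derived from the current KeNB: the source eNodeB knows the input
        "KeNB*_from_KeNB": derive_kenb_star(kenb, 101, 1850),
        # Derived from a fresh NH: the source eNodeB never saw the input
        "KeNB*_from_NH": derive_kenb_star(nh, 101, 1850),
    }

if __name__ == "__main__":
    demo = handover_demo(bytes(range(32)))       # constructed 256-bit KASME
    for name, key in demo["AS"].items():
        print(name, key.hex())
```

Because every step is one-way, a key captured at one eNodeB reveals neither KASME nor the NAS keys, and a KeNB* derived from a fresh NH is unknown to the eNodeBs the terminal visited before.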
[Figure: authentication vector exchange between MME and HSS]
AUTH VECT REQUEST (IMSI)
RAND, XRES, AUTN, KASME
RAND = RANDOM()
Check: RES == XRES ??
SQN = SQN + 1
AUTN = AES1(K, RAND, SQN)
RES = AES2(K, RAND)
(Ck, Ik) = AES3(K, KA RAND)
KASME = F(Ck, Ik, ...)
F: Ke, KN-int, KN-enc
F: KeRRC-int, KeRRC-enc
Backhauling Security
Technologies: IP/MPLS (Backbone), Metro Ethernet (Backhaul)
IETF has defined a suite of security protocols: Internet Protocol Security or "IPsec."
Provide end-to-end security at the packet processing layer to protect the network and higher-layer applications.
Secures communications on a host-to-host, network-to-network and network-to-host basis.
IPsec authenticates and encrypts each IP packet within a communications session.
Thank you