WO2014177170A1 - Sctp multi homing in lte backhaul with two parallel ipsec tunnels for two different ip addresses - Google Patents

Info

Publication number
WO2014177170A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
ipsec
tunnel
processor
memory
Prior art date
Application number
PCT/EP2013/058829
Other languages
French (fr)
Inventor
Jan Frey
Markus Hauenstein
Dieter KNUEPPEL
Original Assignee
Nokia Solutions And Networks Oy
Priority date
Filing date
Publication date
Application filed by Nokia Solutions And Networks Oy
Priority to PCT/EP2013/058829
Publication of WO2014177170A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/24 Multipath
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60 Network streaming of media packets
    • H04L65/65 Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup
    • H04W76/12 Setup of transport tunnels
    • H04L45/28 Routing or path finding of packets in data switching networks using route fault recovery
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • Apparatus 10 includes a processor 22 for processing information and executing instructions or operations.
  • Processor 22 may be any type of general or specific purpose processor. While a single processor 22 is shown in Fig. 3, multiple processors may be utilized according to other embodiments. In fact, processor
  • Apparatus 10 further includes a memory 14, which may be coupled to processor 22, for storing information and instructions that may be executed by processor 22.
  • Memory 14 may be one or more memories and of any type suitable to the local application environment, and may be implemented using any suitable volatile or nonvolatile data storage technology such as a semiconductor-based memory device, a magnetic memory device and system, an optical memory device and system, fixed memory, and removable memory.
  • Memory 14 can comprise any combination of random access memory (RAM), read only memory (ROM), static storage such as a magnetic or optical disk, or any other type of non-transitory machine or computer readable media.
  • RAM random access memory
  • ROM read only memory
  • The instructions stored in memory 14 may include program instructions or computer program code that, when executed by processor 22, enable the apparatus 10 to perform tasks as described herein.
  • Apparatus 10 may also include one or more antennas 25 for transmitting and receiving signals and/or data to and from apparatus 10.
  • Apparatus 10 may further include a transceiver 28 configured to transmit and receive information.
  • Transceiver 28 may be configured to modulate information on to a carrier waveform for transmission by the antenna(s) 25 and to demodulate information received via the antenna(s) 25 for further processing by other elements of apparatus 10.
  • Transceiver 28 may be capable of transmitting and receiving signals or data directly.
  • Processor 22 may perform functions associated with the operation of apparatus 10 including, without limitation, precoding of antenna gain/phase parameters, encoding and decoding of individual bits forming a communication message, formatting of information, and overall control of the apparatus 10, including processes related to management of communication resources.
  • Memory 14 stores software modules that provide functionality when executed by processor 22.
  • The modules may include, for example, an operating system that provides operating system functionality for apparatus 10.
  • The memory may also store one or more functional modules, such as an application or program, to provide additional functionality for apparatus 10.
  • The components of apparatus 10 may be implemented in hardware, or as any suitable combination of hardware and software.
  • Apparatus 10 may be a network node, such as a base station, node B, and/or eNB, for example.
  • Apparatus 10 is configured with two IP addresses.
  • Apparatus 10 may be controlled by memory 14 and processor 22 to support a first IP address and a second IP address.
  • Apparatus 10 may then be controlled by memory 14 and processor 22 to establish a first IPsec tunnel and a second IPsec tunnel in parallel.
  • Apparatus 10 may be controlled by memory 14 and processor 22 to allocate packets with the first IP address as source address through the first IPsec tunnel to a first gateway.
  • Apparatus 10 may also be controlled by memory 14 and processor 22 to allocate packets with the second IP address as source address through the second IPsec tunnel to a second gateway.
  • Apparatus 10 may be controlled by memory 14 and processor 22 to utilize SCTP multihoming in order to make use of the two IP addresses.
  • Apparatus 10 may be controlled by memory 14 and processor 22 to utilize the first IP address under normal conditions.
  • Apparatus 10 may be controlled by memory 14 and processor 22 to utilize the second IP address when a failure occurs.
  • Apparatus 10 may then be controlled by memory 14 and processor 22 to signal the change to the second IP address to an MME so that subsequent downlink user plane packets are sent to the second IP address.
  • Fig. 4 illustrates an example of a flow diagram of a method for multihomed IPsec connectivity, according to one embodiment. In an embodiment, the method of Fig.
  • The method includes, at 400, providing support for a first IP address and a second IP address in the network node.
  • The method may then include, at 410, establishing a first IPsec tunnel and a second IPsec tunnel in parallel.
  • The method can further include, at 420, allocating packets with the first IP address as source address through the first IPsec tunnel to a first gateway.
  • The method may also include, at 430, allocating packets with the second IP address as source address through the second IPsec tunnel to a second gateway.
  • The method may also include, at 440, utilizing SCTP multihoming in order to make use of the two IP addresses.
  • The method may include utilizing the first IP address under normal conditions, and utilizing the second IP address when a failure occurs.
  • The method may include, at 450, signaling a change to the second IP address to an MME so that subsequent downlink user plane packets are sent to the second IP address.
  • The functionality of any of the methods described herein, such as that illustrated in Fig. 4 discussed above, may be implemented by software and/or computer program code stored in memory or other computer readable or tangible media, and executed by a processor.
  • The functionality may be performed by hardware, for example through the use of an application specific integrated circuit (ASIC), a programmable gate array (PGA), a field programmable gate array (FPGA), or any other combination of hardware and software.
  • ASIC application specific integrated circuit
  • PGA programmable gate array
  • FPGA field programmable gate array
  • Embodiments of the invention provide several advantages. For example, some advantages include the support of revertive failover, which means that after network recovery the system can easily revert back to the original path. Also, according to certain embodiments, fast failover times can be achieved. Since both paths through the network (including the IPsec tunnels) can be statically provisioned so that they are available immediately in case of failures, the failover time is mainly defined by the failure detection time. It is noted that alternative solutions often suffer from significant load peaks at security gateways when multiple eNBs require setup of backup tunnels at the same time (e.g., due to failure of the primary IPsec gateway). However, because embodiments of the present invention keep the tunnels statically up, there are no such load peaks due to simultaneous/synchronized tunnel creations.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application relates to the use of SCTP multihoming and of two parallel IPsec tunnels for the two IP addresses provided by SCTP multihoming. When securing LTE networks, 3GPP TS 33.401 defines IPsec for the S1-MME and X2 control plane and for the S1 and X2 user plane. Typically, an eNB makes use of a single IPsec tunnel for the backhaul connectivity. However, such a one-tunnel model has disadvantages, e.g. with respect to resiliency, and therefore the application proposes that two IPsec tunnels (210 and 220) are established in parallel. A static IPsec policy in the eNB (204) then maps traffic with one source address (IP1) to one tunnel (220), while traffic with the other source address (IP2) is mapped to the other tunnel (210). Both tunnels can be statically provisioned so that they are available immediately in case of failures. Selection of the IP addresses and failover between them is standardized by the SCTP protocol and, therefore, no additional mechanisms are required from the network itself, i.e. the redundancy is provided by the transport layer.

Description

DESCRIPTION
TITLE
SCTP MULTI HOMING IN LTE BACKHAUL WITH TWO PARALLEL IPSEC TUNNELS FOR TWO DIFFERENT IP ADDRESSES
BACKGROUND: Field: [0001] Embodiments of the invention generally relate to wireless communications networks, such as, but not limited to, the Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (UTRAN), Long Term Evolution (LTE) Evolved UTRAN (E-UTRAN), and/or LTE-A.
Description of the Related Art: [0002] Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access Network (UTRAN) refers to a communications network including base stations, or Node Bs, and for example radio network controllers (RNC). UTRAN allows for connectivity between the user equipment (UE) and the core network. The RNC provides control functionalities for one or more Node Bs. The RNC and its corresponding Node Bs are called the Radio Network Subsystem (RNS). In case of E-UTRAN (Evolved UTRAN), no RNC exists and most of the RNC functionalities are contained in the evolved Node B (eNodeB or eNB).
[0003] Long Term Evolution (LTE) or E-UTRAN refers to improvements of the UMTS through improved efficiency and services, lower costs, and use of new spectrum opportunities. In particular, LTE is a 3GPP standard that provides for uplink peak rates of at least 50 megabits per second (Mbps) and downlink peak rates of at least 100 Mbps. LTE supports scalable carrier bandwidths from 20 MHz down to 1.4 MHz and supports both Frequency Division Duplexing (FDD) and Time Division Duplexing (TDD).
[0004] As mentioned above, LTE may also improve spectral efficiency in networks, allowing carriers to provide more data and voice services over a given bandwidth. Therefore, LTE is designed to fulfill the needs for high-speed data and media transport in addition to high-capacity voice support. Advantages of LTE include, for example, high throughput, low latency, FDD and TDD support in the same platform, an improved end-user experience, and a simple architecture resulting in low operating costs.
[0005] Further releases of 3GPP LTE (e.g., LTE Rel-10, LTE Rel-11, LTE Rel-12) are targeted towards future international mobile telecommunications advanced (IMT-A) systems, referred to herein for convenience simply as LTE-Advanced (LTE-A).
[0006] LTE-A is directed toward extending and optimizing the 3GPP LTE radio access technologies. A goal of LTE-A is to provide significantly enhanced services by means of higher data rates and lower latency with reduced cost. LTE-A will be a more optimized radio system fulfilling the international telecommunication union-radio (ITU-R) requirements for IMT-Advanced while keeping the backward compatibility.
SUMMARY: [0007] One embodiment is directed to a method including providing, in a base station, support for a first internet protocol (IP) address and a second IP address. The method may also include establishing a first internet protocol security (IPsec) tunnel and a second IPsec tunnel in parallel.
[0008] Another embodiment is directed to an apparatus. The apparatus includes at least one processor and at least one memory comprising computer program code. The at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus at least to provide support for a first internet protocol (IP) address and a second IP address, and to establish a first internet protocol security (IPsec) tunnel and a second IPsec tunnel in parallel.
[0009] Another embodiment is directed to an apparatus including means for providing support for a first internet protocol (IP) address and a second IP address, and means for establishing a first internet protocol security (IPsec) tunnel and a second IPsec tunnel in parallel.
[00010] Another embodiment is directed to a computer program, embodied on a computer readable medium, wherein the computer program is configured to control a processor to perform a process. The process includes providing, in a base station, support for a first internet protocol (IP) address and a second IP address. The method may also include establishing a first internet protocol security (IPsec) tunnel and a second IPsec tunnel in parallel.
BRIEF DESCRIPTION OF THE DRAWINGS:
[00011] For proper understanding of the invention, reference should be made to the accompanying drawings, wherein:
[00012] Fig. 1 illustrates a system according to one embodiment;
[00013] Fig. 2 illustrates a system according to another embodiment;
[00014] Fig. 3 illustrates an apparatus according to one embodiment; and
[00015] Fig. 4 illustrates a flow diagram of a method according to an embodiment.
DETAILED DESCRIPTION: [00016] It will be readily understood that the components of the invention, as generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of systems, methods, apparatuses, and computer program products for multihomed internet protocol security (IPsec) connectivity as represented in the attached figures, is not intended to limit the scope of the invention, but is merely representative of selected embodiments of the invention.
[00017] If desired, the different functions discussed below may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the described functions may be optional or may be combined. As such, the following description should be considered as merely illustrative of the principles, teachings and embodiments of this invention, and not in limitation thereof.
[00018] Some embodiments of the invention relate to the field of mobile backhaul networks, but in general embodiments may apply to networking use cases that might require both resilient (redundant) and secure (authenticated and encrypted) packet transport. Certain embodiments enable connecting a single network host (such as a base station) to two security gateways at the same time and to make use of these security gateways according to network and gateway availability. This mechanism may be required in order to provide efficient "geo-redundant" setups, i.e., deployment of the security gateways to different locations, so that resilience is maintained even in catastrophic scenarios such as data center power loss or earthquakes.
[00019] As will be discussed in detail below, embodiments make use of additional IP addresses provided in a base station, such as an LTE eNB, in order to allow flexible protection between different network paths. Certain embodiments allow dynamic failover between two (e.g., remotely located) IPsec gateways (GW), which a static IPsec configuration typically prevents. According to an embodiment, a combination of several mechanisms allows both uplink and downlink packet routing to be controlled solely by the base station.
[00020] Fig. 1 illustrates an example of a system in which certain embodiments may be applicable. As illustrated in Fig. 1, the system includes an IPsec endpoint 104 (e.g., base station, base transceiver station (BTS), node B, or eNB) connected to IPsec GW1 and IPsec GW2 via the IP network 100. IPsec GW1 and IPsec GW2 may then be in communication with controller/gateway 105 via the core network 102.
[00021] In general, IP/Ethernet based transport networks provide a wide variety of mechanisms to implement redundant network access and, therefore, enable the highest possible resilience of the network connection. Starting from physical layer methods (such as protection provided by microwave radio networks, SONET/SDH ring protection, etc.) and Ethernet layer methods (such as spanning tree), IP layer routing is ultimately meant to provide a route to the destination even in case of failures. This IP layer redundancy can be implemented by redundant static routes, but in the most general case can require dynamic routing (e.g., OSPF or IS-IS).
[00022] Recently, methods such as bidirectional forwarding detection (BFD) support for static routing have become more popular. In some ways, BFD can be seen as a simple form of dynamic routing. In short, it may be said that network resilience is typically provided by enabling dynamic modifications of the network configuration. However, when introducing IPsec into such a network, these dynamic mechanisms are often in conflict with the setup of the IPsec endpoints (typically requiring a rather static configuration which is usually quite complex even without dynamics).
[00023] One example is utilizing the typical approach of using security policies, which may define the type of traffic to be protected as well as the endpoints between which the traffic is protected, to control the encryption of traffic. These (rather static) policies would have to be modified in case of a network configuration change, such as a change possibly caused by a network (link) failure. Implementing such dynamic changes based on auxiliary information is not only difficult to implement (due, for example, to required information exchange between different system components such as routing and IPsec engines), but it also has a significant performance impact as a certain time is needed to update the security associations based on the modified policies.
[00024] In view of the above, some embodiments can address these issues by providing a combination of the advantages of dynamic network use (increased resilience) and application of IPsec (increased security). Since these mechanisms have conflicting aspects (e.g., IPsec requiring static policies for operation, including IP addresses and other network level information), certain embodiments are able to provide a solution for a complex problem.
[00025] Certain embodiments are able to address issues related to combining network redundancy with IP security. Some embodiments may work without dynamic routing protocols, thus increasing simplicity, stability, and predictability.
[00026] Fig. 2 illustrates a system according to one embodiment. As illustrated in Fig. 2, the system includes an IPsec endpoint 204, such as a base station or eNB, connected to IPsec GW1 and IPsec GW2 via the IP network 200. IPsec GW1 and IPsec GW2 may then be in communication with mobility management entity (MME)/gateway 205 via the core network 202.
[00027] According to some embodiments, as depicted in Fig. 2, the host side (e.g., endpoint 204) supports terminating the traffic in two IP addresses, IP1 and IP2. Additionally, according to certain embodiments, two IPsec tunnels are established in parallel between endpoint 204 and gateway 205: tunnel 220 via IPsec GW1 and tunnel 210 via IPsec GW2. In one embodiment, IPsec policies in endpoint 204 (e.g., eNB) map traffic with source address IP1 to tunnel 220 towards IPsec GW1, while traffic with source address IP2 is mapped to tunnel 210 towards IPsec GW2. According to an embodiment, each IPsec GW runs just a single tunnel towards each endpoint 204. In this embodiment, no routing protocol is needed in the IPsec domain.
[00028] The endpoint 204 (e.g., eNB) maps uplink (left-to-right in Fig. 2) packets to the two different IPsec gateways (e.g., IPsec GW1 and IPsec GW2) based on the source IP address contained in the egress packets. In the downlink direction (right-to-left in Fig. 2), IPsec GW1 can be configured to handle packets traveling towards IP1, while IPsec GW2 may be configured to handle packets traveling towards IP2.
[00029] Certain embodiments may be applicable to LTE and, more specifically, to an eNB in LTE. It should be noted, however, that embodiments are not limited to LTE and are equally applicable to other types of networks.
[00030] Typically, an eNB makes use of a single IP address for the backhaul connectivity. According to an embodiment, by adding a second IP address at the eNB side, traffic can be allocated to the two paths 210 and 220 as needed. This traffic allocation works in both the uplink and downlink directions. In the uplink (eNB egress), based on suitable IPsec policy configuration, packets with source address IP1 are forced into tunnel 220, while packets with source address IP2 are forced into tunnel 210. In the downlink (eNB ingress), normal destination-based IP routing directs packets towards IP1 through IPsec GW1 only, and packets towards IP2 through IPsec GW2 only. This is provided by static network configuration, which removes the need for dynamic changes.
[00031] As a consequence, selection of the primary path 220 or backup path 210 for data transmission may be controlled by the eNB, which is one advantage of this embodiment. Based on the two-IP-address design in the eNB, a rather simple network configuration (based on static routing) is sufficient to enable use of the two parallel tunnels 210 and 220, thus reducing the network complexity.
[00032] The steps discussed below can be implemented in order to achieve the desired level of redundancy (LTE is again used as an example), according to certain embodiments.
[00033] For the control plane (S1 application protocol (AP) in LTE), based on 3GPP standards, Stream Control Transmission Protocol (SCTP) multihoming is used to make use of the two IP addresses (IP1 and IP2) in the eNB. Selection of the addresses and failover between them is standardized by the SCTP protocol and, therefore, no additional mechanisms are required from the network itself (redundancy provided by transport layer/L4).
[00034] For the user plane (GPRS tunnelling protocol (GTP) traffic), the following redundancy principles may be implemented. Under normal conditions, the eNB will use the IP1 address (just as in a normal single-address eNB). In case of failures (detected by additional mechanisms, such as IPsec dead peer detection (DPD), additional BFD sessions or a change of IPsec session state, for example), the eNB may start using the other IP address, IP2. The LTE system may then set up new user connections with IP2 as selected by the eNB. In order to enforce use of the alternative route also in the downlink direction for existing user connections (which have so far used IP1), the eNB can signal its IP address change to the MME, so that subsequent downlink user plane packets are sent to IP address IP2 (for example by using S1 AP:PATH_SWITCH_REQUEST). This is an optional step but may be beneficial because existing calls are not dropped, and the users therefore do not have to redial (to continue their call with a new connection).
[00035] Fig. 3 illustrates an example of an apparatus 10 according to an embodiment. In one embodiment, apparatus 10 may be a network node such as a base station, for example node B or eNB. In other embodiments, apparatus 10 may be a gateway or MME as discussed above in connection with Figs. 1 and 2. It should be noted that one of ordinary skill in the art would understand that apparatus 10 may include components or features not shown in Fig. 3. Only those components or features necessary for illustration of the invention are depicted in Fig. 3.
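The eNB-side behaviour described in paragraphs [00027] to [00034], as an added example that is not code from the patent or from the applicant: source-address based selection of the two parallel tunnels, static destination routing for the downlink, SCTP-style address fallback for the control plane, and the user-plane switch from IP1 to IP2 on a detected failure with a path-switch notification to the MME, plus the revertive step back to IP1 once the primary path recovers. The addresses, gateway names, and the failure-detection hook (`on_failure_detected`) are constructed for this example.

```python
# Added example, not code from the patent: a model of the eNB-side behaviour
# described above (source-address based tunnel selection, static downlink
# routing, SCTP-style multihoming for the control plane, user-plane switch
# to IP2 on failure with a path-switch notification to the MME, and revertive
# failover). Addresses, gateway names and the failure-detection hook are
# constructed for the example.
from dataclasses import dataclass, field

IP1, IP2 = "10.0.0.1", "10.0.0.2"   # constructed eNB addresses
GW1, GW2 = "IPsec-GW1", "IPsec-GW2"  # gateways at the far end of tunnel 220 / 210


@dataclass
class Tunnel:
    name: str
    gateway: str
    up: bool = True   # both tunnels are statically provisioned and kept up


@dataclass
class ENB:
    policy: dict            # IPsec policy: source address -> tunnel name
    tunnels: dict           # tunnel name -> Tunnel
    user_plane_addr: str = IP1          # GTP traffic uses IP1 under normal conditions
    mme_notifications: list = field(default_factory=list)

    def uplink_tunnel(self, src):
        """Egress: pick the tunnel purely from the packet's source address."""
        if src not in self.policy:
            raise ValueError(f"no IPsec policy for source address {src}")
        return self.tunnels[self.policy[src]]

    def control_plane_src(self):
        """Control plane (S1-AP over SCTP): both addresses are advertised and the
        transport layer falls back to whichever still has a working path."""
        for addr in (IP1, IP2):
            if self.uplink_tunnel(addr).up:
                return addr
        raise RuntimeError("no SCTP path available")

    def on_failure_detected(self, tunnel_name):
        """Failure detected by DPD / BFD / IPsec state change: move the user
        plane to the other address and tell the MME where downlink should go."""
        self.tunnels[tunnel_name].up = False
        if self.policy[self.user_plane_addr] != tunnel_name:
            return                                   # the failed tunnel was the idle backup
        other = IP2 if self.user_plane_addr == IP1 else IP1
        if not self.uplink_tunnel(other).up:
            raise RuntimeError("both IPsec paths are down")
        self.user_plane_addr = other
        self.mme_notifications.append(("PATH_SWITCH_REQUEST", other))

    def on_recovery(self, tunnel_name):
        """Revertive failover: once the primary path is back, return to IP1."""
        self.tunnels[tunnel_name].up = True
        if self.user_plane_addr != IP1 and self.uplink_tunnel(IP1).up:
            self.user_plane_addr = IP1
            self.mme_notifications.append(("PATH_SWITCH_REQUEST", IP1))


# Downlink: static destination-based routing in the core; no dynamic protocol.
STATIC_ROUTES = {IP1: GW1, IP2: GW2}


def downlink_gateway(dst):
    if dst not in STATIC_ROUTES:
        raise ValueError(f"no static route for destination {dst}")
    return STATIC_ROUTES[dst]


def build_enb():
    tunnels = {"220": Tunnel("220", GW1), "210": Tunnel("210", GW2)}
    return ENB(policy={IP1: "220", IP2: "210"}, tunnels=tunnels)
```

Because the backup tunnel is kept up, a failure of tunnel 210 alone is only an alarm condition in this model and does not move the user plane; only a failure of the tunnel currently carrying the user-plane address triggers the switch.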
[00036] As illustrated in Fig. 3, apparatus 10 includes a processor 22 for processing information and executing instructions or operations. Processor 22 may be any type of general or specific purpose processor. While a single processor 22 is shown in Fig. 3, multiple processors may be utilized according to other embodiments. In fact, processor 22 may include one or more of general-purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs), field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), and processors based on a multi-core processor architecture, as examples.
[00037] Apparatus 10 further includes a memory 14, which may be coupled to processor 22, for storing information and instructions that may be executed by processor 22. Memory 14 may be one or more memories and of any type suitable to the local application environment, and may be implemented using any suitable volatile or nonvolatile data storage technology such as a semiconductor-based memory device, a magnetic memory device and system, an optical memory device and system, fixed memory, and removable memory. For example, memory 14 can be comprised of any combination of random access memory (RAM), read only memory (ROM), static storage such as a magnetic or optical disk, or any other type of non-transitory machine or computer readable media. The instructions stored in memory 14 may include program instructions or computer program code that, when executed by processor 22, enable the apparatus 10 to perform tasks as described herein.
[00038] Apparatus 10 may also include one or more antennas 25 for transmitting and receiving signals and/or data to and from apparatus 10. Apparatus 10 may further include a transceiver 28 configured to transmit and receive information. For instance, transceiver 28 may be configured to modulate information onto a carrier waveform for transmission by the antenna(s) 25 and to demodulate information received via the antenna(s) 25 for further processing by other elements of apparatus 10. In other embodiments, transceiver 28 may be capable of transmitting and receiving signals or data directly.
[00039] Processor 22 may perform functions associated with the operation of apparatus 10 including, without limitation, precoding of antenna gain/phase parameters, encoding and decoding of individual bits forming a communication message, formatting of information, and overall control of the apparatus 10, including processes related to management of communication resources.
[00040] In an embodiment, memory 14 stores software modules that provide functionality when executed by processor 22. The modules may include, for example, an operating system that provides operating system functionality for apparatus 10. The memory may also store one or more functional modules, such as an application or program, to provide additional functionality for apparatus 10. The components of apparatus 10 may be implemented in hardware, or as any suitable combination of hardware and software.
[00041] As mentioned above, according to one embodiment, apparatus 10 may be a network node, such as a base station, node B, and/or eNB, for example. According to one embodiment, apparatus 10 is configured with two IP addresses. In an embodiment, apparatus 10 may be controlled by memory 14 and processor 22 to support a first IP address and a second IP address. Apparatus 10 may then be controlled by memory 14 and processor 22 to establish a first IPsec tunnel and a second IPsec tunnel in parallel. In one embodiment, apparatus 10 may be controlled by memory 14 and processor 22 to allocate packets with a source address as the first IP address through the first IPsec tunnel to a first gateway. In this embodiment, apparatus 10 may also be controlled by memory 14 and processor 22 to allocate packets with a source address as the second IP address through the second IPsec tunnel to a second gateway.
[00042] According to one embodiment, for control plane traffic, apparatus 10 may be controlled by memory 14 and processor 22 to utilize SCTP multihoming in order to make use of the two IP addresses. In an embodiment, for user plane traffic, apparatus 10 may be controlled by memory 14 and processor 22 to utilize the first IP address under normal conditions. In this embodiment, apparatus 10 may be controlled by memory 14 and processor 22 to utilize the second IP address when failure occurs. According to an embodiment, apparatus 10 may then be controlled by memory 14 and processor 22 to signal the change to using the second IP address to a MME so that subsequent downlink user plane packets are sent to the second IP address.
[00043] Fig. 4 illustrates an example of a flow diagram of a method for multihomed IPsec connectivity, according to one embodiment. In an embodiment, the method of Fig. 4 may be performed by a network node, such as a base station, node B, or eNB, for example. The method includes, at 400, providing support for a first IP address and a second IP address in the network node. The method may then include, at 410, establishing a first IPsec tunnel and a second IPsec tunnel in parallel. The method can further include, at 420, allocating packets with a source address being the first IP address through the first IPsec tunnel to a first gateway. The method may also include, at 430, allocating packets with a source address being the second IP address through the second IPsec tunnel to a second gateway. The method may also include, at 440, utilizing SCTP multihoming in order to make use of the two IP addresses. The method may include utilizing the first IP address under normal conditions, and utilizing the second IP address when failure occurs. According to an embodiment, the method may include, at 450, signaling when a change to using the second IP address occurs to a MME so that subsequent downlink user plane packets are sent to the second IP address.
[00044] In some embodiments, the functionality of any of the methods described herein, such as that illustrated in Fig. 4 discussed above, may be implemented by software and/or computer program code stored in memory or other computer readable or tangible media, and executed by a processor. In other embodiments, the functionality may be performed by hardware, for example through the use of an application specific integrated circuit (ASIC), a programmable gate array (PGA), a field programmable gate array (FPGA), or any other combination of hardware and software.
[00045] Embodiments of the invention provide several advantages. For example, some advantages include the support of revertive failover, which means that after network recovery the system can easily revert back to the original path. Also, according to certain embodiments, fast failover times can be achieved. Since both paths through the network (including the IPsec tunnels) can be statically provisioned so that they are available immediately in case of failures, the failover time is mainly defined by the failure detection time. It is noted that alternative solutions often suffer from significant load peaks at security gateways when multiple eNBs require setup of backup tunnels at the same time (e.g., due to failure of the primary IPsec gateway). However, because embodiments of the present invention keep the tunnels statically up, there are no such load peaks due to simultaneous/synchronized tunnel creations.
[00046] Further, according to an embodiment, the switching between primary and backup path happens almost synchronously for uplink and downlink direction. In certain embodiments, the backup tunnel can be constantly monitored, for example, in order to generate alarms. Whereas in alternative solutions it is often not possible to monitor the backup path (e.g., IPsec tunnel is not up) and thus the backup path might not be available when needed. This monitoring capability may be an important feature, for example, during maintenance if the primary IPsec gateway needs servicing and the operator wants to force all traffic to the second gateway. Overall system availability is, therefore, increased. Furthermore, certain embodiments support user plane load balancing as both paths are active in parallel.
[00047] One having ordinary skill in the art will readily understand that the invention as discussed above may be practiced with steps in a different order, and/or with hardware elements in configurations which are different than those which are disclosed. Therefore, although the invention has been described based upon these preferred embodiments, it would be apparent to those of skill in the art that certain modifications, variations, and alternative constructions would be apparent, while remaining within the spirit and scope of the invention. In order to determine the metes and bounds of the invention, therefore, reference should be made to the appended claims.

Claims

WE CLAIM:
1. A method, comprising: providing, in a base station, support for a first internet protocol (IP) address and a second IP address; and establishing a first internet protocol security (IPsec) tunnel and a second IPsec tunnel in parallel.
2. The method according to claim 1, further comprising allocating packets with a source address being the first IP address through the first IPsec tunnel to a first gateway.
3. The method according to claims 1 or 2, further comprising allocating packets with a source address being the second IP address through the second IPsec tunnel to a second gateway.
4. The method according to claim 1, further comprising utilizing stream control transmission protocol (SCTP) multihoming in order to make use of the first and second IP addresses.
5. The method according to claim 1, further comprising utilizing the first IP address under normal conditions.
6. The method according to claims 1 or 5, further comprising utilizing the second IP address when a failure occurs.
7. The method according to any of claims 1-6, further comprising signaling when a change to using the second IP address occurs to a mobility management entity (MME) so that subsequent downlink user plane packets are sent to the second IP address.
8. The method according to claim 1, wherein the base station comprises an evolved node B (eNB).
9. An apparatus, comprising: at least one processor; and at least one memory comprising computer program code, the at least one memory and the computer program code configured, with the at least one processor, to cause the apparatus at least to provide support for a first internet protocol (IP) address and a second IP address; and establish a first internet protocol security (IPsec) tunnel and a second IPsec tunnel in parallel.
10. The apparatus according to claim 9, wherein the at least one memory and the computer program code are further configured, with the at least one processor, to cause the apparatus at least to allocate packets with a source address being the first IP address through the first IPsec tunnel to a first gateway.
11. The apparatus according to claims 9 or 10, wherein the at least one memory and the computer program code are further configured, with the at least one processor, to cause the apparatus at least to allocate packets with a source address being the second IP address through the second IPsec tunnel to a second gateway.
12. The apparatus according to claim 9, wherein the at least one memory and the computer program code are further configured, with the at least one processor, to cause the apparatus at least to utilize stream control transmission protocol (SCTP) multihoming in order to make use of the first and second IP addresses.
13. The apparatus according to claim 9, wherein the at least one memory and the computer program code are further configured, with the at least one processor, to cause the apparatus at least to utilize the first IP address under normal conditions.
14. The apparatus according to claims 9 or 13, wherein the at least one memory and the computer program code are further configured, with the at least one processor, to cause the apparatus at least to utilize the second IP address when a failure occurs.
15. The apparatus according to any of claims 9-14, wherein the at least one memory and the computer program code are further configured, with the at least one processor, to cause the apparatus at least to signal, to a mobility management entity (MME), when a change to using the second IP address occurs so that subsequent downlink user plane packets are sent to the second IP address.
16. The apparatus according to claim 9, wherein the apparatus comprises an evolved node B (eNB).
17. An apparatus, comprising: means for providing support for a first internet protocol (IP) address and a second IP address; and means for establishing a first internet protocol security (IPsec) tunnel and a second IPsec tunnel in parallel.
18. A computer-readable medium encoded with instructions that, when executed in hardware, perform a process according to any of claims 1-8.
PCT/EP2013/058829 2013-04-29 2013-04-29 Sctp multi homing in lte backhaul with two parallel ipsec tunnels for two different ip addresses WO2014177170A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2013/058829 WO2014177170A1 (en) 2013-04-29 2013-04-29 Sctp multi homing in lte backhaul with two parallel ipsec tunnels for two different ip addresses

Publications (1)

Publication Number Publication Date
WO2014177170A1 true WO2014177170A1 (en) 2014-11-06

Family

ID=48325663

Country Status (1)

Country Link
WO (1) WO2014177170A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108307391A (en) * 2016-09-22 2018-07-20 大唐移动通信设备有限公司 A kind of terminal access method and system
CN108616908A (en) * 2016-12-29 2018-10-02 中国移动通信集团浙江有限公司 A kind of network system and the data transferring method based on the network system
CN113853773A (en) * 2019-05-13 2021-12-28 上海诺基亚贝尔股份有限公司 Mapping bearer identities to IPv6 architecture

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100306572A1 (en) * 2009-06-01 2010-12-02 Alexandro Salvarani Apparatus and method to facilitate high availability in secure network transport
WO2011022613A1 (en) * 2009-08-20 2011-02-24 Kineto Wireless, Inc. High availability design for iuh
US20110228935A1 (en) * 2010-03-17 2011-09-22 Fujitsu Limited Communication apparatus, communication method, and communication system
US8386766B2 (en) * 2007-10-17 2013-02-26 Telefonaktiebolaget Lm Ericsson (Publ) Method and arrangement for deciding a security setting

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"Building the Mobile Internet", 24 January 2011, CISCO PRESS, ISBN: 978-0-13-139053-9, article KEVIN GRAYSON: "Transport/Session Layer Mobility - SCTP", XP055111717 *
"LTE - The UMTS Long Term Evolution From Theory to Practice", 22 July 2011, JOHN WILEY & SONS, Chichester, Great Britain, ISBN: 978-0-47-066025-6, article SUDEEP PALAT ET AL: "Network Architecture", pages: 23 - 55, XP055111652, DOI: 10.1002/9780470978504.ch2 *
"Network Security", 1 June 2007, JOHN WILEY & SONS, INC., Hoboken, NJ, USA, ISBN: 978-0-47-170355-6, article ANIRBAN CHAKRABARTI ET AL: "IP Security (IPSec)", pages: 65 - 82, XP055111787, DOI: 10.1002/9780470099742.ch5 *
JASON S BOSWELL: "LTE transport network security", 1 May 2012 (2012-05-01), pages 1 - 10, XP055111399, Retrieved from the Internet <URL:http://www.ieee-cqr.org/2012/May15/Session 2/2_Jason_Boswell_NSN LTE Security.pdf> [retrieved on 20140401] *
PATRICK DONEGAN: "White Paper - IPsec Deployment Strategies for Securing LTE Networks", 1 May 2011 (2011-05-01), pages 1 - 17, XP055111398, Retrieved from the Internet <URL:http://go.radisys.com/rs/radisys/images/paper-seg-ipsec-deployment.pdf> [retrieved on 20140401] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13720888

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13720888

Country of ref document: EP

Kind code of ref document: A1