Data Architecture Proposal

1
Data Architecture Proposal

• Mesa ISSI Working Session/PSAWG
• Frédéric ROSIN - 11/01/2006

2
Outline

• Introduction
• Addressing Principle
• Roaming
• End-to-end encryption and compression
• SNDCP adaptation
• Architecture for external data servers connected
  beyond a data security gateway
• Conclusion

3
Abbreviations

• AVL Automatic Vehicle Location
• DNS Domain Name Server
• ESP Encapsulating Security Payload
• IP Internet Protocol
• IPSec Internet Protocol Security
• ISSI Inter RFSS Interface
• KMF Key Management Facility
• MDP Mobile Data Peripheral
• MRC Mobile Radio Controller (P25 Radio Terminal)
• OTAR Over-The-Air-Re-keying
• PDP context Packet Data Protocol (SNDCP) context
  
• RFSS Radio Frequency Sub-System
• SNDCP Sub-network Dependent Convergence Protocol
• SPI Security Parameters Index
• SU Subscriber Unit
• SUID Subscriber Unit Identity
• TCP Transport Control Protocol
• UDP User Datagram Protocol

4
Outline

• Introduction
• Addressing Principles
• Roaming
• End-to-end encryption and compression
• SNDCP adaptation
• Architecture for external data servers connected
  beyond a data security gateway
• Conclusion

5
Introduction

• Existing packet data architecture is revisited in
  order to
• Support SU mobility between multiple RFSS
• Use of the IP Security standard as a basis for
  end-to-end confidentiality
• Justified in order to have interoperable
  equipment
• Provide efficient compression
• Compression has to be end-to-end performed before
  end-to-end encryption

6
Where are the end-to-end encryption endpoints ?

• In the MRCs
• In Data Servers

A
A
MRC
MRC
Um, Um2
Um, Um2
P25 Realm
P25 Network
Ed
Data Servers
Sub-system performing end-to-end encryption
7
Outline

• Introduction
• Addressing Principles
• Roaming
• End-to-end encryption and compression
• SNDCP adaptation
• Architecture for external data servers connected
  beyond a data security gateway
• Conclusion

8
Addressing principles

• Addressing is based on a P25 Mobile Sub-network
  concept
• Each SU shall be IP addressable in order to
  support Data Link Independent OTAR
• Each SU shall be able to be connected to one or
  several IP addressable MDP for data transactions
  based on SNDCP

RFSS
MRC
Um, Um2 (SNDCP)
P25 Mobile Sub-Network
9
Addressing principles (contd)

• Each P25 Mobile Sub-network has one P25 address
  (SUID of the MRC)
• Simple engineering rules in order to ease IP
  routing and to avoid further interoperability
  issues
• One IP subnet mask An IP address 0x03
• IP Subnet Mask 0xFC is the address of the MRC
• Others are the IP addresses for MDP(s)
• Once an IP address of an MRC or an MDP is
  activated (SNDCP activation), the related IP
  address is reachable from anywhere for any device
  which knows the existence of this IP address

10
Addressing principles (contd)

• For data application addressing the MRC (OTAR)
• SUID address can be used to retrieve the IP
  address by DNS resolution
• SU initiated Hello procedure enables the KMF to
  know when the IP address of the MRC is activated
• For request to data servers
• When an MDP or an MRC initiates a request to a
  pre-provisioned IP address of a data server, the
  responder retrieves the source IP address from
  the received IP packet

11
Outline

• Introduction
• Addressing Principles
• Roaming
• End-to-end encryption and compression
• SNDCP adaptation
• Architecture for external data servers connected
  beyond a data security gateway
• Conclusion

12
IP Addressing and Roaming

• Routing of the outbound packets
• IP packets destined to an IP address of an MDP or
  an MRC is always first routed to the MRCs Home
  RFSS
• When the MRC roams in a serving RFSS area,
  outbound IP packets have to be routed from the
  MRCs Home RFSS to the new serving RFSS area
• Mobile IP has been designed for such a purpose

13
Mobile IP main principles

• Mobile IP enables transparent routing of an IP
  packet to mobile endpoint over an IP network
• The mobile endpoint has a fixed IP address
  so-called Home address in a home network
• When moving outside the Home network, the mobile
  endpoint registers to mobility agents (local
  foreign agent and remote Home agent), that tunnel
  and route IP packets to the mobile host
• Home agent tunnels IP packet to the mobile
  endpoint and maintains the mobiles location info
• Foreign agent provides IP routing function (IP
  de-tunneling) to the mobile endpoint once
  registered with the Home agent

14
Mobile IP Outbound transmission
External Node
Home network
2- Home agent receives IP datagram destined
to The mobile endpoint
Mobile IP tunnel
Home Agent
1- IP Datagram to mobile endpoint
Ip based Network
3- Home agent tunnels packets to foreign agent
Visited network
Foreign Agent
4- Foreign agent routes datagram to mobile
endpoint
Mobile endpoint
15
Mobile IP Inbound transmission
External Node
Home network
Home Agent
2 - Foreign agent routes datagram
Network
Visited network
Foreign Agent
1- mobile endpoint sends datagram to an external
node, With the foreign agent acting as default
gateway
mobile endpoint
16
Mobile IP Application on the ISSI

• Mobile endpoint RFSS endpoint at which the
  activated PDP context is located
• A new Mobile IP tunnel is put in place on the
  ISSI each time an MDP or an MRC activates a PDP
  context in a serving RFSSs area (I.e. outside
  its Home RFSS area)

A
A
MRC
MRC
Mobile IP tunnel
Um, Um2
Um, Um2
P25 Realm
ISSI
Serving RFSS
Home RFSS
Data Servers
17
Outline

• Introduction
• Addressing Principles
• Roaming
• End-to-end encryption and compression
• SNDCP adaptation
• Architecture for external data servers connected
  beyond a data security gateway
• Conclusion

18
IPSec/ESP for confidentiality Main principle

• One security association is defined per
  application and per direction in order to define
  the security policy to be applied
• Indexed by the SPI (Security Parameters Index)
  field in the ESP header
• Open to specific P25 encryption and key
  distribution
• Encryption may be by-passed if needed
• Two encapsulation modes
• Transport Mode
• IPSec tunnel is created between two hosts at
  which the data applications are located
• Transport packet is encrypted
• Tunnel Mode
• IPSec tunnel is created between two security
  gateways which may route the IP packet once
  decrypted
• IP packet is encrypted

19
IPSec/ESP for confidentiality Application in the
MRC

• Standard application of IPSec in the MRC
• all the inbound and outbound IP packets would be
  tunneled within an IPSec packet always conveying
  the IP address of the MRC
• This would hide the real serviced IP address,
  thus preventing SNDCP to deliver required quality
  of service over the air interface

IPSec
IP
SNDCP
Serviced IP address on the MDP
IP address of the extremity of the IPSec tunnel
MRC
PDP context
20
IPSec/ESP for confidentiality Application in the
MRC

• To make visible the serviced IP address at the
  SNDCP, we propose to move end-to-end encryption
  of the IPSec standard (ESP) at the SNDCP layer

IP
ESP/SNDCP
Serviced IP address on the MRC or the MDP
MRC
PDP context
21
IPSec/ESP for confidentiality Application

• Application in the MRC
• MRC performs end-to-end encryption at the SNDCP
  level
• From the perspective of the entities addressing
  an MDP, the extremity of the IPSec tunnel is the
  MDP
• SNDCP level at the MRC may perform compression
  before encryption
• Application in the data servers
• Common IPSec implementation

22
Outline

• Introduction
• Addressing Principles
• Roaming
• End-to-end encryption and compression
• SNDCP adaptation
• Architecture for external data servers connected
  beyond a data security gateway
• Conclusion

23
SNDCP adaptation

• Headers of the IPSec packet can be
  compressed/decompressed over the air by SNDCP
• IP header and ESP header compression (IPHC)
• TCP/UDP headers may not be compressed for
  encrypted flow
• ESP Payload compression/decompression is
  performed at SNDCP layer of the MRC for
  end-to-end encrypted flow
• Use of a IPR-free compression algorithm such as
  deflate

24
SNDCP adaptation (contd)

• For an inbound flow
• SNDCP at the MRC performs
• Transport packet compression
• Transport packet encryption and encapsulation in
  an IPSec packet
• IPSec Header compression
• SNDCP at the FNE performs IPSec Header de
  compression
• Data Server performs the reverse operation for
  the two first actions at the MRC

25
Inbound flow from an MDP to an external data
server

• ESP encapsulation is performed at the SNDCP level
  in the MRC

Data Server
MRCs serving RFSS
Um
ESP Tunnel
MRC
A
MDP
ESP Tunnel
26
Inbound flow ESP in transport mode
MRC
IP payload Compression and encryption, IPSec
packet construction, IP Header compression
(IPHC), SNDCP encapsulation
Compressed by SNDCP
End-to-end compressed and Encrypted
Serving RFSS
SNDCP decapsulation, IPSec Header decompression
DATA SERVER
IPSec de-tunneling, decryption, decompression
27
Outbound flow from a data server to an MDP
located in the MRCs Home RFSS area

• From the perspective of the Data Server,
  destination of the IPSec tunnel is located on the
  MDP

Data Server
Home RFSS
Um
ESP Tunnel
MRC
A
MDP
ESP Tunnel
28
Outbound flow from an external data server to an
MDP not located in the MRCs Home RFSS area

• When the MDP IP address is activated, from the
  MRCs serving RFSS (i.e. the MRC is not
  registered in its Home RFSS area) then
• A mobile IP foreign agent is activated in the
  serving RFSS area.
• Thus, IP packet destined for the MDP are first
  routed to the MRCs Home RFSS, then tunneled
  towards the foreign agent.

Mobile IP tunnel
Data Server
Ed
ISSI
Serving RFSS
Home RFSS
Um
ESP Tunnel
MRC
A
MDP
ESP Tunnel
29
Outbound flow ESP in transport mode
IP payload Compression and encryption, IPSec
packet construction
DATA SERVER
MDPs Care Of address
End-to-end compressed and Encrypted
HOME RFSS
Mobile IP Encapsulation
SERVING RFSS
End-to-end compressed and Encrypted
Mobile IP de-tunneling IPSec Header compression,
SNDCP encapsulation
IPSec Header decompression, end-to-end decryption
and decompression and construction of the IP
packet to be routed towards the MDP
Compressed by SNDCP
MRC
30
From an MDP to another MDP not located in its
Home RFSS

• MDP A knows the IP address of the MDP B by local
  provisioning
• ESP is always performed in transport mode

A
Um
Mobile IP tunnel
ESP Tunnel
MRC B
MDP B
MDP Bs serving RFSS
MDP Bs Home RFSS
MRC As Serving RFSS
Um
ESP Tunnel
MRC A
A
MDP A
ISSI
ESP Tunnel
31
From an MDP to another MDP not located in its
Home RFSS ESP in transport mode
IP payload Compression, encryption, IPSec packet
construction, IPSec Header compression (IPHC),
SNDCP encapsulation
MRC A
Compressed by SNDCP
End-to-end compressed and Encrypted
IPSec Header decompression
Serving RFSS
IPSec packet construction at the SNDCP FNE
Mobile IP Encapsulation
HOME RFSS B
End-to-end compressed and Encrypted
Mobile IP Encapsulation
Mobile IP foreign agent and SNDCP at the FNE
SERVING RFSS B
End-to-end compressed and Encrypted
MDP Bs Care Of address
IPSec Header decompression, end-to-end
decryption, decompression and construction of the
IP packet to be routed to the MDP
MRC B
End-to-end compressed and Encrypted
Compressed by SNDCP
32
Stack Model Reference
TCP
UDP
TCP
UDP
TCP
UDP
Compression/ESP
IP
IP
IP
IP
Compression/ESP/SNDCP
SNDCP
A
Um,Um2
MDP
MRC
SNDCP FNE
Data Server
Mobile IP on the ISSI for outbound IP packet
tunneling
33
Outline

• Introduction
• Addressing Principles
• Roaming
• End-to-end encryption and compression
• SNDCP adaptation
• Architecture for external data servers connected
  beyond a data security gateway
• Conclusion

34
Architecture Extension for external data server

• If external data server does not have end-to-end
  encryption capability, a Data Security Gateway
  has to do it

A
A
MRC
MRC
Um, Um2
Um, Um2
P25 Realm
P25 Network
Ed
Security Gateway
External Data Server
Edr
private network
Sub-system performing end-to-end encryption
35
Architecture extension for external data server

• ESP in tunnel mode shall be used (instead of
  transport mode)
• For IP packets coming from the P25 realm, the
  Data Security Gateway performs end-to-end
  decryption and routes the IP packet encapsulated
  by the ESP header towards the external data
  server.
• For IP packets going to the P25 realm, the IP
  packet is encapsulated by the ESP header and
  end-to-end encrypted.
• In tunnel mode, headers of the IP packet and the
  IP packet encapsulated by ESP may be compressed

36
Architecture extension for external data server
SNDCP supplementary adaptation

• For an inbound flow
• SNDCP at the MRC performs
• IP Header compression
• IP packet compression
• IP packet encryption and encapsulation in an
  IPSec packet
• IPSec Header compression
• SNDCP at the FNE performs IPSec Header
  decompression
• Data Security Gateway performs the reverse
  operation of 1, 2 and 3 operations

37
Inbound flow from an MDP to an external data
server

• ESP encapsulation in tunnel mode is performed at
  the SNDCP level in the MRC

Edr
Security Gateway
External Data Server
MRCs Serving RFSS
Um
ESP Tunnel
MRC
A
MDP
ESP Tunnel
38
Inbound flow ESP in tunnel mode
MRC
IP Header (IPHC) compression, IP payload
Compression, IPSec packet construction, IPSec
Header compression (IPHC), SNDCP encapsulation
End-to-end compressed and Encrypted
Compressed by SNDCP
Serving RFSS
SNDCP desencapsulation, IPSec Header decompression
Security Gateway
IPsec de-tunneling, decryption, decompression, IP
Header decompression
39
Outbound flow from an external data server to an
MDP located in a serving RFSS area

• From the perspective of the Security Gateway,
  destination of the IPSec tunnel is located on the
  MDP
• ESP encapsulation is performed in tunnel mode in
  order to keep the IP address of the external data
  server in the end-to-end encrypted IP packet

Edr
Mobile IP tunnel
Security Gateway
External Data Server
Ed
ISSI
Serving RFSS
Home RFSS
Um
ESP Tunnel
MRC
A
MDP
ESP Tunnel
40
Outbound flow ESP in tunnel mode
IP Header (IPHC), IP payload Compression, IPSec
packet construction
Security Gateway
End-to-end compressed and Encrypted
HOME RFSS
MDPs Care Of address
Mobile IP Encapsulation
SERVING RFSS
End-to-end compressed and Encrypted
IPSec Header decompression, end-to-end
decryption, decompression and IP header
decompression and construction of the IP packet
to be routed to the MDP
MRC
Compressed by SNDCP
41
Outline

• Introduction
• Addressing Principles
• Roaming
• End-to-end encryption and compression
• SNDCP adaptation
• Architecture for external data servers connected
  beyond a data security gateway
• Conclusion

42
Summary and conclusion

• Recommendations
• Use of a Mobile IP tunnel on the ISSI for
  outbound packet routing towards P25 MDP and MRC
• Use of ESP/Ipsec standard in transport mode for
  data transaction within P25 realm
• Use of ESP/Ipsec standard in tunnel mode for data
  transaction with external data server connected
  beyond a data security gateway
• Re-visit SNDCP header and payload compression to
  ensure interoperable compression
• Use of an IPR-free (Deflate for instance)
  compression algorithm for the payload.
• Use SUID addresses and DNS resolution instead of
  RSI addressing for OTAR

43
RFC References

• RFC 3220 Mobile IP
• RFC 2401 IPSec
• RFC 2406 ESP
• RFC 2507 IPHC
• RFC 1951 Deflate

THANK YOU