
Why you need SEG in backhaul (RAN <-> CORE) or Why you do not want to deploy



12 Backhaul link user plane protection

The protection of user plane data between the eNB and the UE by user specific security associations is covered by clause 5.1.3 and 5.1.4.

In order to protect the S1 and X2 user plane as required by clause 5.3.3, it is required to implement IPsec ESP according to RFC 4303 [7] as profiled by TS 33.210 [5], with confidentiality, integrity and replay protection.

On the X2-U and S1-U, transport mode IPsec is optional for implementation.
NOTE 1: Transport mode can be used for reducing the protocol overhead added by IPsec.

Tunnel mode IPsec is mandatory to implement on the eNB for X2-U and S1-U.

On the core network side a SEG may be used to terminate the IPsec tunnel. For both S1 and X2 user plane, IKEv2 with certificates based authentication shall be implemented.
The certificates shall be implemented according to the profile described by TS 33.310 [6]. IKEv2 shall be implemented conforming to the IKEv2 profile described in TS 33.310 [6].

NOTE 2: In case S1 and X2 user plane interfaces are trusted (e.g. physically protected), the use of IPsec/IKEv2 based protection is not needed. 

3GPP TS 33.401 V8.1.1 (2008-10) Technical Specification 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Release 8)
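
As an added illustration (not part of TS 33.401 or of the original post), the following strongSwan `swanctl.conf` connection for an eNB terminating S1-U on a SEG maps each clause 12 requirement to a setting. The choice of strongSwan, the addresses, identities, file names and algorithm choices are assumptions; the actual algorithms come from the TS 33.210 profile and the certificate contents from TS 33.310.

```conf
# Constructed example: eNB side of an S1-U tunnel to a core-network SEG.
# Addresses use documentation ranges; names and file names are hypothetical.
connections {
    s1u-to-seg {
        version = 2                      # IKEv2 only, no IKEv1 fallback
        local_addrs  = 192.0.2.10        # eNB backhaul address (assumed)
        remote_addrs = 198.51.100.1      # SEG address (assumed)
        proposals = aes128-sha256-modp2048   # placeholder, set per TS 33.210

        local {
            auth  = pubkey               # certificate-based authentication
            certs = enb.pem              # eNB certificate (hypothetical file)
        }
        remote {
            auth    = pubkey             # the SEG must also present a certificate
            id      = "CN=seg.example"   # expected SEG identity (assumed)
            cacerts = operator-ca.pem    # trust only the operator CA (hypothetical file)
        }

        children {
            s1u {
                mode = tunnel            # tunnel mode is mandatory on the eNB
                local_ts  = 10.10.0.0/24 # eNB user plane subnet (assumed)
                remote_ts = 10.20.0.0/16 # core user plane subnet (assumed)

                # ESP with confidentiality and integrity: a real cipher plus
                # an integrity algorithm, never a null cipher or AH.
                esp_proposals = aes128-sha256   # placeholder, set per TS 33.210

                replay_window = 32       # non-zero keeps ESP replay protection on
                start_action  = start    # bring the tunnel up at daemon start
            }
        }
    }
}
```

Pinning `remote.id` and `remote.cacerts` is what makes the certificate authentication meaningful: without them any certificate the eNB happens to trust would be accepted as the SEG.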
