Huawei ELTE2.3 ECNS610 Feature Description


  • 8/19/2019 Huawei ELTE2.3 ECNS610 Feature Description


    eCNS610 V100R003C00

    Feature Description

    Issue 1.0

    Date 2014-04-18

    HUAWEI TECHNOLOGIES CO., LTD.


    Draft A (2013-04-09) Huawei Proprietary and Confidential

    Copyright © Huawei Technologies Co., Ltd


    Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.

    No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

    Trademarks and Permissions

    and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

    All other trademarks and trade names mentioned in this document are the property of their respective holders.

    Notice

    The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

    The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

    Huawei Technologies Co., Ltd.

     Address: Huawei Industrial Base

    Bantian, Longgang

    Shenzhen 518129

    People's Republic of China

    Website: http://www.huawei.com 

    Email: [email protected] 



    Contents

    1 Basic Features
    1.1 eCNSFD-210200 Mobility Management
    1.2 eCNSFD-210300 Security Management
    1.2.1 eCNSFD-210301 Authentication
    1.2.2 eCNSFD-210302 User Identity Confidentiality
    1.2.3 eCNSFD-210304 Identity Check
    1.3 eCNSFD-210400 Path Management
    1.4 eCNSFD-210500 IP Address Allocation from Local Address Pool
    1.5 eCNSFD-210600 Integrated Subscriber Data Management
    1.6 eCNSFD-210700 Session Management
    1.7 eCNSFD-230100 QoS and Traffic Management
    1.7.1 eCNSFD-230101 EPS QoS
    1.8 eCNSFD-240100 Routing
    1.8.1 eCNSFD-240101 Static Routes and Default Routes
    1.9 eCNSFD-240300 VLAN Supporting
    1.10 eCNSFD-240700 VRF
    1.11 eCNSFD-260100 Software Management
    1.12 eCNSFD-260400 Fault Management
    1.13 eCNSFD-260500 Equipment Management
    1.14 eCNSFD-260600 Configuration Management
    1.15 eCNSFD-260700 Security Management
    1.16 eCNSFD-260800 Online Documentation
    1.17 eCNSFD-260900 Tracing Function
    1.18 eCNSFD-261000 Log Management
    1.19 eCNSFD-270100 S1 Interface
    1.20 eCNSFD-270200 SGi Interface
    1.21 eCNSFD-280300 Linux Security Hardening

    2 Optional Features
    2.1 eCNSFD-310001 NAS Encryption and Integrity Protection (AES)
    2.2 eCNSFD-310002 NAS Encryption and Integrity Protection (SNOW3G)
    2.3 eCNSFD-310003 O&M SSL
    2.4 eCNSFD-310004 Static IP Address Allocation


    2.5 eCNSFD-310005 Multiple PDN Connection
    2.6 eCNSFD-310008 SPI-based QoS Profile Control
    2.7 eCNSFD-310010 Routing Behind MS


    1 Basic Features

    1.1 eCNSFD-210200 Mobility Management

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    EPS mobility management (EMM) controls the access of a UE to the evolved universal terrestrial radio access network (E-UTRAN) and traces location information about the UE. The location information includes information about the tracking area (TA) and the eCNS where the UE is located.

    EMM is implemented in the following procedures:

      Attach

      Detach

      Tracking area update (TAU)

      Service request

      Handover

      Paging

      Purge

    Benefits

    EMM is a basic function of the eCNS610. This function allows users to move in the coverage area of an eCNS.

    Description

    EMM controls the access to and handovers in the E-UTRAN.


    UE states in the E-UTRAN are divided into EMM states and EPS connection management (ECM) states:

      EMM states are classified into EMM-DEREGISTERED and EMM-REGISTERED.

      ECM states are classified into ECM-IDLE and ECM-CONNECTED.

    The main EMM procedures are described as follows:

      Attach

    A UE must register on the network before using network services. This registration procedure is called network attach. During the attach procedure, a default EPS bearer, which provides a permanent IP connection, is established. The policy and charging control (PCC) rules that apply to the default EPS bearer can be predefined in the PDN GW and activated by the PDN GW itself in the attach procedure.

      TAU

    In an EPS network, the basic unit of location management is the TA. A TA list can contain one or more TAs. A TA list can be dynamically generated or statically configured, and prevents a UE from frequently initiating TA update procedures. For example, when a UE frequently moves between several TAs, you can define these TAs as a TA list. This prevents TAU procedures from being triggered.

    A UE initiates a TAU procedure in the following scenarios:

    −  The UE detects that the current TA identity does not exist in the TA identity (TAI) list on the network where the UE is registered.

    −  The access type of the UE is changed.

    −  The load balancing TAU is required.

    −  The TAU procedure is triggered during a handover procedure.

    −  The periodic TAU timer has expired.

    −  The RRC connection has failed.

      Service request

    A service request is used to change the ECM state from ECM-IDLE to ECM-CONNECTED and to establish radio and S1-U bearers during the transfer of uplink and downlink data.

    When the UE is in ECM-IDLE mode, it initiates a service request procedure in the following scenarios:

    −  The downlink signaling or data needs to be transmitted from the network side.

    −  The uplink signaling or data needs to be transmitted from the UE side.

    Generally, a service request procedure is initiated by a UE. When the downlink data or information is transferred in ECM-IDLE mode, the network initiates a paging procedure. This triggers a UE to initiate a service request procedure as the paging response.

      Handover

    When the UE is in the ECM-CONNECTED state, a handover procedure is triggered after the E-UTRAN determines that reselection is required.

    The eCNS supports S1-based handover.

      S1 refers to the interface between the eNodeB and the eCNS.

      Detach

    The detach procedure is used in the following scenarios:

    −  A UE is detached from the EPS service.


    −  A UE is disconnected from the last PDN connection.

    −  The network informs a UE that it cannot be connected to the EPS.

    A UE can be detached explicitly or implicitly.

    −  Explicit detach: A UE or network side requests the detach, and the originating party informs the other party of this event.

    −  Implicit detach: A network side detaches a UE without informing the UE. For example, the network side performs implicit detach to a UE when it determines that the UE is unreachable.

    The detach procedure is classified into three types:

    −  Detach procedure initiated by a UE

    −  Detach procedure initiated by an eCNS

    After the detach procedure is complete, the EPS bearer contexts of the UE are deactivated locally. After a UE is detached from the network, the network cannot obtain the UE location information.

      Paging function

    This is the PS domain paging function. The network originates paging by using a certain ID of a subscriber, such as GUTI or IMSI, in a known area. After obtaining a response from the subscriber, the network performs the subsequent signaling flow or data transfer.

      Purge

    After removing the subscription data and MM context of a detached UE, the MME notifies the HSS of the removal through a purge procedure.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

      3GPP TS 23.060, "General Packet Radio Service (GPRS); Service description"

      3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

      3GPP TS 24.008, "Mobile radio interface Layer 3 specification; Core Network protocols - Stage 3"

      3GPP TS 25.413, "UTRAN Iu Interface RANAP Signaling"

      3GPP TS 24.301, "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3"

      3GPP TS 36.413, "Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 Application Protocol (S1AP)"

    1.2 eCNSFD-210300 Security Management

    The security management feature can:

      Identify and authenticate service users.


      Ensure that only legal users can access the network.

      Guarantee confidentiality of user identity, user data, and signaling transfer.

    The security management feature consists of the following sub-features:

      Authentication

      User ID confidentiality

      Identity check

    1.2.1 eCNSFD-210301 Authentication

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The authentication feature is used in subscriber identification, authentication, and synchronization of the encryption key. This feature checks the validity of a subscriber's service requests to ensure that only legal subscribers can use network services. The authentication procedure is performed in association with EMM procedures.

    Mutual authentication is supported, including authentication of the network by a UE and authentication of a UE by the network.

    Benefits

    As a basic feature of the eCNS, it prevents illegal users from accessing the network, and ensures service operation profits.

    Subscribers who require high security can use this function to prevent their access to unacknowledged networks, and eliminate possible security risks.

    Description

    The EPS authentication is based on a USIM. An EPS authentication vector is composed of a quartet, namely, RAND, AUTN, XRES, and KASME.

      Random Challenge (RAND)

    A RAND is a random value that the network provides to a UE. The length is 16 octets.

      Authentication Token (AUTN)

    An AUTN is used to provide the information for a UE so that the UE can use the AUTN to authenticate the network. The length is 17 octets.

      Expected Response (XRES)

    An XRES is an expected response parameter of UE authentication. It is compared with the RES or RES+RES_EXT generated by a UE to determine whether the authentication is successful. The length ranges from 4 to 16 octets.

      Key ASME (KASME)


    A KASME is a root encryption key deduced from the CK/IK and the public land mobile network (PLMN) ID of the ASME (MME). The length is 32 octets.

    Access Security Management Entity (ASME): In E-UTRAN access mode, the MME serves as an ASME.

    Figure 1-1 shows the EPS authentication procedure.

    Figure 1-1 EPS authentication procedure

    1.  The eCNS sends the Authentication Request message to the UE to trigger the authentication procedure. The authentication vectors, such as RAND, AUTN, and Key Set Identifier (KSIASME), are contained in the message.

    2.  The UE sends the Authentication Response message to the eCNS.

      The UE authenticates the network based on the AUTN. If the authentication fails, the UE returns the Authentication Failure message to the MME, indicating the cause.

      If the authentication is successful, the UE calculates the RES based on the RAND and returns the RES to the MME. The MME compares the XRES in the authentication vector set with the returned RES. If they are consistent, the authentication succeeds. Otherwise, the authentication fails. In this case, the MME sends the Authentication Reject message to the UE.

      If the authentication succeeds, the UE calculates and saves the KASME value for later encryption and integrity protection.

    ----End

    In addition to basic authentication features, the eCNS provides the feature to obtain authentication sets in advance. The eCNS can request authentication sets before all authentication sets are used up. Therefore, the duration of the procedure for the UE to access the eCNS is shortened and user experience is improved.
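The following Python example is added here and is not part of the Huawei document or Huawei code. It shows the network side of the exchange above: KASME derived from CK/IK and the PLMN ID with the key derivation function of 3GPP TS 33.401 Annex A.2, and the RES/XRES comparison done in constant time. All key material, the PLMN 001/01 and the function names are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

FC_KASME = b"\x10"  # FC octet selecting the KASME derivation (TS 33.401 Annex A.2)


@dataclass(frozen=True)
class AuthVector:
    rand: bytes   # 16 octets
    xres: bytes   # 4 to 16 octets
    kasme: bytes  # 32 octets


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Encode MCC/MNC as the 3-octet BCD PLMN ID used as serving network identity."""
    ok = mcc.isascii() and mnc.isascii() and mcc.isdigit() and mnc.isdigit()
    if not ok or len(mcc) != 3 or len(mnc) not in (2, 3):
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    m = [int(d) for d in mcc]
    n = [int(d) for d in mnc]
    mnc3 = n[2] if len(n) == 3 else 0xF  # filler nibble for a 2-digit MNC
    return bytes([(m[1] << 4) | m[0], (mnc3 << 4) | m[2], (n[1] << 4) | n[0]])


def derive_kasme(ck: bytes, ik: bytes, plmn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME = HMAC-SHA-256(CK || IK, FC || PLMN || 0x0003 || SQN^AK || 0x0006)."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK are 16 octets each")
    if len(plmn_id) != 3 or len(sqn_xor_ak) != 6:
        raise ValueError("PLMN ID is 3 octets, SQN xor AK is 6 octets")
    s = FC_KASME + plmn_id + b"\x00\x03" + sqn_xor_ak + b"\x00\x06"
    return hmac.new(ck + ik, s, hashlib.sha256).digest()


def make_vector(rand: bytes, xres: bytes, kasme: bytes) -> AuthVector:
    """Refuse vectors whose field lengths differ from those given in the text."""
    if len(rand) != 16 or not 4 <= len(xres) <= 16 or len(kasme) != 32:
        raise ValueError("malformed authentication vector")
    return AuthVector(rand, xres, kasme)


def handle_authentication_response(vector: AuthVector, res: bytes):
    """Return (decision, key). A mismatch leads to Authentication Reject."""
    # compare_digest avoids leaking how many leading octets of RES matched
    # and returns False for a RES of the wrong length.
    if hmac.compare_digest(vector.xres, res):
        return "accept", vector.kasme
    return "Authentication Reject", None


def sample_vector() -> AuthVector:
    """Constructed sample data; not taken from any real USIM or network."""
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    sqn_xor_ak = bytes.fromhex("010203040506")  # first six octets of the AUTN value
    kasme = derive_kasme(ck, ik, encode_plmn("001", "01"), sqn_xor_ak)
    return make_vector(bytes(16), bytes.fromhex("a1b2c3d4e5f60718"), kasme)


if __name__ == "__main__":
    v = sample_vector()
    print(handle_authentication_response(v, v.xres)[0])
    print(handle_authentication_response(v, v.xres[:4])[0])
```

Because the PLMN ID is an input to the derivation, the same CK/IK pair yields a different KASME for a different serving network.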

    Enhancement

     None

    Dependency

    This feature does not depend on other features.


    Standards

      3GPP TS 33.102, "3G Security; Security architecture"

      3GPP TS 33.401, "3GPP System Architecture Evolution (SAE); Security architecture"

    1.2.2 eCNSFD-210302 User Identity Confidentiality

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The EPS user identity confidentiality is implemented through GUTI allocation. The GUTI is used to provide a unique temporary UE identity in the EPS network. This identity does not reveal the permanent UE identity on the LTE-Uu interface.

    Benefits

    As a basic feature of the eCNS, user identity confidentiality prevents the IMSIs of UEs from being stolen, improving network security.

    Description

    A GUTI consists of the following parts:

      GUMMEI: A GUMMEI consists of a mobile country code (MCC), a mobile network code (MNC), and an eCNS identity.

      M-TMSI: A 32-bit M-TMSI uniquely identifies a UE in an eCNS.

    The GUTI can be implicitly allocated in the attach or TAU procedure or explicitly allocated in the GUTI reallocation procedure.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

      3GPP TS 24.301, "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3"

      3GPP TS 24.008, "Mobile radio interface Layer 3 specification; Core Network protocols - Stage 3"


    1.2.3 eCNSFD-210304 Identity Check

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The network requests different user identities, such as IMSI and IMEI, to check the real identity of a UE.

    Benefits

    This is a basic feature of the eCNS.

    Description

    When a UE attaches to the network using a GUTI, to obtain the real identity of the UE, the network sends the UE an Identity Request for IMSI, IMEI, or IMEISV. Then the UE returns an Identity Response to notify the network of its identity.

    After obtaining the real identity of the UE, the network checks the user identity with the HLR/HSS or EIR. For details, see section 1.2.1 eCNSFD-210301 Authentication.
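The Python example below is added here and is not part of the Huawei document or Huawei code. It models the GUTI handling of section 1.2.2 together with the fallback of section 1.2.3: M-TMSIs are drawn from a CSPRNG so that successive identities of one UE cannot be linked, a reallocation retires the old GUTI, and a GUTI the core cannot map back to an IMSI is the case in which an Identity Request is needed. The split of the eCNS identity into a 16-bit group ID and an 8-bit code follows 3GPP TS 23.003; class names, the injectable `rng` parameter and the IMSI are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Guti:
    mcc: str
    mnc: str
    mme_group_id: int  # 16 bits, part of the eCNS identity
    mme_code: int      # 8 bits, part of the eCNS identity
    m_tmsi: int        # 32 bits, unique per UE within this eCNS


class GutiAllocator:
    """Keeps the GUTI-to-IMSI mapping inside the core; only the GUTI goes over the air."""

    def __init__(self, mcc, mnc, mme_group_id, mme_code, rng=secrets.randbits):
        if not 0 <= mme_group_id < 1 << 16 or not 0 <= mme_code < 1 << 8:
            raise ValueError("group ID is 16 bits, code is 8 bits")
        self._gummei = (mcc, mnc, mme_group_id, mme_code)
        self._rng = rng        # assumption: injectable only so tests can force collisions
        self._by_tmsi = {}     # m_tmsi -> imsi
        self._by_imsi = {}     # imsi -> m_tmsi

    def allocate(self, imsi: str) -> Guti:
        """Attach/TAU (implicit) or GUTI reallocation (explicit): issue a fresh GUTI."""
        old = self._by_imsi.pop(imsi, None)
        if old is not None:
            del self._by_tmsi[old]          # the previous GUTI stops resolving
        while True:
            tmsi = self._rng(32)
            # Must be unique in this eCNS and must differ from the value being replaced.
            if tmsi not in self._by_tmsi and tmsi != old:
                break
        self._by_tmsi[tmsi] = imsi
        self._by_imsi[imsi] = tmsi
        return Guti(*self._gummei, tmsi)

    def resolve(self, guti: Guti):
        """Return the IMSI, or None when an Identity Request must be sent to the UE."""
        if (guti.mcc, guti.mnc, guti.mme_group_id, guti.mme_code) != self._gummei:
            return None                     # allocated by another node
        return self._by_tmsi.get(guti.m_tmsi)


if __name__ == "__main__":
    alloc = GutiAllocator("001", "01", 0x0001, 0x01)
    first = alloc.allocate("001010000000001")   # constructed IMSI
    second = alloc.allocate("001010000000001")  # reallocation
    print(alloc.resolve(first), alloc.resolve(second))
```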

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

      3GPP TS 24.301, "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3"

      3GPP TS 24.008, "Mobile radio interface Layer 3 specification; Core Network protocols - Stage 3"

    1.3 eCNSFD-210400 Path Management

    Applicable NEs

    eCNS


    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The system can manage the paths by using path detection messages, and clear invalid paths.

    Benefits

    The communication between devices can be ensured.

    Description

    A GTP path is determined by a 4-tuple, namely, local IP address, local port, peer IP address, and peer port. The path management messages such as Echo Request and Echo Response are usually transmitted and received between the GTP entities.

    The path management feature is used to detect whether the peer GTP entity is available. The eCNS can send the path management message on all paths in use. When a path is detected as faulty, the eCNS may deactivate all PDP/EPS bearer contexts related to the path so that data packets are no longer sent along this path.

    If no signaling or data is sent or received on a path for a long period, the eCNS determines that the path is invalid and clears the path.
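The Python example below is added here and is not part of the Huawei document or Huawei code. It models the path supervision just described: paths are keyed by the 4-tuple, Echo Request and Echo Response use the GTPv1 header layout of 3GPP TS 29.060, a path with too many unanswered requests is reported as faulty along with its bearers, and a path with no traffic is cleared. The class name, the `max_missed` and `idle_timeout` thresholds, the addresses and the bearer IDs are assumptions chosen for illustration.

```python
import struct

ECHO_REQUEST, ECHO_RESPONSE = 1, 2
FLAGS_V1_SEQ = 0x32   # version 1, protocol type GTP, sequence number present
RECOVERY_IE = 14      # Recovery information element carried in Echo Response


def build_echo_request(seq: int) -> bytes:
    # Length counts the octets after the mandatory 8-octet header:
    # sequence number (2) + N-PDU number (1) + next extension header type (1).
    return struct.pack("!BBHIHBB", FLAGS_V1_SEQ, ECHO_REQUEST, 4, 0, seq, 0, 0)


def build_echo_response(seq: int, restart_counter: int) -> bytes:
    return struct.pack("!BBHIHBBBB", FLAGS_V1_SEQ, ECHO_RESPONSE, 6, 0, seq, 0, 0,
                       RECOVERY_IE, restart_counter)


def parse_echo_response(data: bytes):
    """Return the sequence number, or None if this is not a well-formed Echo Response."""
    if len(data) < 12:
        return None
    flags, mtype, length, _teid, seq = struct.unpack("!BBHIH", data[:10])
    if flags >> 5 != 1 or not flags & 0x02 or mtype != ECHO_RESPONSE:
        return None
    if length != len(data) - 8:
        return None
    return seq


class PathManager:
    def __init__(self, max_missed=3, idle_timeout=300.0):
        self.max_missed = max_missed
        self.idle_timeout = idle_timeout
        self.paths = {}  # (local_ip, local_port, peer_ip, peer_port) -> state

    def touch(self, path, now, bearer_id=None):
        """Record signaling or data on a path, creating the path on first use."""
        st = self.paths.setdefault(
            path, {"last": now, "pending": None, "missed": 0, "seq": 0, "bearers": set()})
        st["last"] = now
        if bearer_id is not None:
            st["bearers"].add(bearer_id)

    def send_echo(self, path) -> bytes:
        st = self.paths[path]
        if st["pending"] is not None:      # the previous request was never answered
            st["missed"] += 1
        st["seq"] = (st["seq"] + 1) & 0xFFFF
        st["pending"] = st["seq"]
        return build_echo_request(st["seq"])

    def on_echo_response(self, path, data) -> bool:
        st = self.paths.get(path)
        seq = parse_echo_response(data)
        if st is None or seq is None or seq != st["pending"]:
            return False   # unsolicited, malformed or stale: not proof of liveness
        st["pending"], st["missed"] = None, 0
        return True

    def sweep(self, now):
        """Return ("faulty", path, bearers) and ("idle", path, []) events; drop those paths."""
        events = []
        for path, st in list(self.paths.items()):
            unanswered = st["missed"] + (st["pending"] is not None)
            if unanswered >= self.max_missed:
                events.append(("faulty", path, sorted(st["bearers"])))
                del self.paths[path]
            elif now - st["last"] > self.idle_timeout:
                events.append(("idle", path, []))
                del self.paths[path]
        return events


if __name__ == "__main__":
    pm = PathManager()
    peer = ("192.0.2.1", 2123, "192.0.2.2", 2123)   # documentation addresses
    pm.touch(peer, 0.0, bearer_id=5)
    for _ in range(3):
        pm.send_echo(peer)                          # peer never answers
    print(pm.sweep(10.0))
```

Matching the response's sequence number against the outstanding request means a replayed or unsolicited Echo Response cannot keep a dead path marked as alive.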

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

      3GPP TS 29.060, "GPRS Tunneling Protocol (GTPv1) across the Gn and Gp interface"

      3GPP TS 09.60, "GPRS Tunneling Protocol (GTPv0) across the Gn and Gp interface"

    1.4 eCNSFD-210500 IP Address Allocation from Local Address Pool

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.


    Summary

    The eCNS allocates IPv4 addresses to UEs from its local address pool.

    Benefits

    This feature provides an enhancement to eCNSFD-110004 Static IP Address Allocation and enables the eCNS to automatically create routes to UEs.

    Description

    A UE must obtain at least one IP address before it is able to access PS services. A PDN Address Allocation IE is specified during the setup of a default bearer for the UE. This IE contains protocol information (including an IP address field) the UE must obtain before it is able to access an external PDN. In addition, this IE indicates the method the UE expects to use to obtain an IP address.

    3GPP TS 23.401 defines three modes of allocating IP addresses to UEs:

      IP address allocation from the local address pool

    In this mode, the eCNS allocates a dynamic IP address to a UE from the local address pool during the activation of a bearer for the UE.

    The local address pool contains the IP addresses planned by the enterprise customer.

      Static IP address allocation

    In this mode, the eCNS allocates IP addresses to UEs from its integrated subscriber data module. This module matches the IMSI of each UE to an IP address range planned by the enterprise customer. This mode is a pure static IP address allocation mode, which requires complex configurations.

    Static allocation is an optional feature and is under license control.

      IP address allocation from the RADIUS server

    In this mode, the eCNS allocates dynamic IP addresses obtained from the RADIUS server during UE authentication in the bearer activation procedure. Note that dynamic IP addresses are carried in access response messages sent by the RADIUS server.

    This mode is applicable to enterprise customers or internet service providers (ISPs) who manage the RADIUS server and plan IP addresses for their internal users.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

    3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"


    1.5 eCNSFD-210600 Integrated Subscriber Data Management

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The eCNS implements the subscriber data management function, which is generally provided by the home subscriber server (HSS) in an EPC.

    Benefits

    This feature meets the requirements of the enterprise customer for higher space utilization, low power consumption, simple service delivery system, independent service management, and capability to terminate LTE local services.

    Description

    Compared with the HSS, the eCNS has the following unique characteristics in terms of subscriber data management:

      Integrated subscriber data management interface

    The eCNS does not need to provide a standard S6a interface.

      Differentiated service delivery system

    For end users, the eCNS delivers services using MML commands. For enterprise customers, the eCNS does not interconnect with their service delivery systems.

      Differentiated subscriber data management

    The eCNS stores and manages subscriber data and simplifies data templates. The eCNS can substitute for an LTE-HSS, but not an IMS-HSS, GSM-HSS, or UMTS-HSS.

    The eCNS manages subscriber data as follows:

    −  Defines a USIM card

    The eCNS accepts the input of the information about a USIM card.

    −  Cancels a USIM card

    The eCNS removes the information about a USIM card.

    −  Defines a subscriber

    The eCNS enables services for a subscriber and allocates a phone number to the subscriber.

    −  Deregisters a subscriber

    The eCNS disables services for a subscriber and removes the information about this subscriber.

    −  Allows the query of static subscriber information


    The eCNS allows the query of static subscriber information, including subscribed services and locking status.

    −  Manages EPS QoS templates

    The eCNS allows the enterprise customer to create EPS QoS templates and set default QoS parameters.

    −  Manages APN templates

    The eCNS allows the enterprise customer to create access point name (APN) templates.

    −  Manages PDP context templates

    The eCNS allows the enterprise customer to create PDP context templates.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

      3GPP TS 23.008, "Organization of subscriber data"

      3GPP TS 29.002, "Mobile Application Part (MAP) specification"

    1.6 eCNSFD-210700 Session Management

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The objective of EPS session management (ESM) is to manage EPS bearers. Through the E-UTRAN and EPC networks, the EPS provides an IP connection, known as the PDN connection, between a UE and the PDN. Each PDN connection consists of at least one EPS bearer. The EPS bearer refers to the logical combination of one or more service data flows (SDFs). EPS bearers are created to meet requirements of QoS management and provide control for a bearer granularity.

    Benefits

    As a basic feature of the eCNS, it enables subscribers to connect to an external PDN and perform data services.


    Description

    The ESM procedure can be initiated by the network or requested by a UE. The ESM involves the following procedures:

      Default EPS bearer context activation

    This procedure is used to set up a default EPS bearer context between a UE and the EPC. It can be part of the attach procedure or an independent procedure.

      Dedicated EPS bearer context activation

    This procedure is used to set up the special QoS and traffic flow template (TFT) bearer contexts between a UE and the EPC.

      EPS bearer context modification

    This procedure is used to modify the QoS and TFT of the EPS bearer context.

      EPS bearer context deactivation

    This procedure is used to deactivate one, several, or all the EPS bearer contexts to the PDN. If all the EPS bearer contexts to the PDN are deactivated, the connection to the PDN is disconnected.

      UE-requested PDN disconnection

    This procedure is used when the UE requests to be disconnected from the PDN. In this procedure, all the EPS bearer contexts, including the default bearer context, related to the PDN are released.

    The last PDN connection can be disconnected only by the detach procedure initiated by the UE or the MME, and not by the UE-requested PDN disconnection procedure.

      UE-requested EPS bearer resource modification

    The procedure involves the allocation and release of UE-requested EPS bearer resources.

    The allocation part involves allocating EPS bearer resources to new SDFs on request from the UE. The UE can request or modify a specified QoS. It can also initiate the guaranteed bit rate (GBR) request or change the existing GBR.

    The release part involves releasing the EPS bearer resources related to a specified SDF on request from the UE.

    The UE-initiated detach procedure is used to release all bearers.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

      3GPP TS 23.060, "General Packet Radio Service (GPRS); Service description"

      3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

      3GPP TS 24.008, "Mobile radio interface Layer 3 specification; Core Network protocols - Stage 3"


      3GPP TS 25.413, "UTRAN Iu Interface RANAP Signaling"

      3GPP TS 29.060, "GPRS Tunneling Protocol (GTPv1) across the Gn and Gp interface"

      3GPP TS 24.301, "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3"

      3GPP TS 36.413, "Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 Application Protocol (S1AP)"

      3GPP TS 29.274, "Evolved General Packet Radio Service (GPRS); Tunneling Protocol for Control plane (GTPv2-C); Stage 3"

    1.7 eCNSFD-230100 QoS and Traffic Management

    1.7.1 eCNSFD-230101 EPS QoS

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The eCNS supports EPS QoS control at the bearer level.

    Benefits

    As a basic feature of the eCNS, it guarantees the end-to-end QoS in the EPS network.

    Description

    EPS QoS parameters are included in the EPS bearer context.

    EPS QoS parameters contain uplink/downlink GBR, uplink/downlink maximum bit rate (MBR), allocation/retention priority (ARP), QCI, APN-AMBR, and UE-AMBR.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

    3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"


    1.8 eCNSFD-240100 Routing

    1.8.1 eCNSFD-240101 Static Routes and Default Routes

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The eCNS, together with routers, implements routing using static routes, which are manually configured by network administrators. Default routes are special routes and can also be manually configured.

    The eCNS uses static routes to communicate with a network or equipment. Specifically, the configured static routes are added to a routing table. Before the eCNS sends signaling, user data, or OM packets, it searches the routing table for a next-hop router or an interface by the specified destination address and subnet mask.

    Benefits

    This feature provides multiple route options for the enterprise customer.

    Description

    Static routes apply to networks with simple architectures and static network topologies. Static routes help implement security policies. Only authorized network administrators are allowed to modify the routing table.

    The eCNS uses static routes to communicate with OM networks, eNodeBs, and PDNs.

    Implementation 

    Static routes are added to the routing table after being configured by network administrators.

    Multiple static routes can be configured for the same destination address. If these routes are assigned the same priority, they work in load sharing mode. If they are assigned different priorities, they work in route backup mode.

    Default routes are used only when no matched entries are found in the routing table. Default routes can be manually configured by network administrators or generated using dynamic routing protocols such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS).

    The configuration for default routes is simple and robust. Together with other routes, default routes ensure that packets are forwarded when no matched entries are found in the routing table.

    Detection

    Bidirectional forwarding detection (BFD) is used to check the next hop of one or more static routes. If BFD detects that the next hop is unreachable, the associated static routes are removed from the routing table. When the next hop becomes reachable, the associated static routes are added back to the routing table.
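    The route selection described in this feature (same-priority load sharing, different-priority backup, BFD-driven withdrawal, default-route fallback), as an added example that is not eCNS code. It assumes longest-prefix matching and that a lower priority value is preferred; all addresses and class names are constructed for illustration.

```python
"""Added example (not vendor code): static-route selection with priorities,
BFD-driven withdrawal and default-route fallback. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str
    priority: int        # assumption: a lower value is preferred
    bfd_up: bool = True  # assumption: BFD state is tracked per next hop


class RoutingTable:
    def __init__(self):
        self.configured = []  # every route an administrator configured

    def add(self, dest, mask, next_hop, priority=60):
        """Configure a static route from destination address and subnet mask."""
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        self.configured.append(StaticRoute(net, next_hop, priority))

    def set_bfd_state(self, next_hop, up):
        """Apply a BFD result: withdraw or restore routes via this next hop."""
        for route in self.configured:
            if route.next_hop == next_hop:
                route.bfd_up = up

    def active(self):
        """Routes currently present in the routing table."""
        return [r for r in self.configured if r.bfd_up]

    def lookup(self, dst):
        """Return the next hops used for dst (more than one = load sharing)."""
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.active() if addr in r.prefix]
        if not matches:
            return []  # no route at all: the packet cannot be forwarded
        # The default route (prefix length 0) wins only if nothing else matches.
        longest = max(r.prefix.prefixlen for r in matches)
        best = [r for r in matches if r.prefix.prefixlen == longest]
        top = min(r.priority for r in best)
        return sorted(r.next_hop for r in best if r.priority == top)


def build_sample_table():
    """Constructed sample: two equal-priority routes, one backup, one default."""
    rt = RoutingTable()
    rt.add("10.1.0.0", "255.255.0.0", "192.0.2.1", priority=60)
    rt.add("10.1.0.0", "255.255.0.0", "192.0.2.2", priority=60)
    rt.add("10.1.0.0", "255.255.0.0", "192.0.2.3", priority=80)
    rt.add("0.0.0.0", "0.0.0.0", "192.0.2.254", priority=60)
    return rt


if __name__ == "__main__":
    table = build_sample_table()
    print("both primaries up :", table.lookup("10.1.2.3"))
    table.set_bfd_state("192.0.2.1", False)
    table.set_bfd_state("192.0.2.2", False)
    print("primaries down    :", table.lookup("10.1.2.3"))
    table.set_bfd_state("192.0.2.3", False)
    print("backup down too   :", table.lookup("10.1.2.3"))
```

    When every next hop for a specific prefix has been withdrawn, the lookup falls through to the default route, so it is worth confirming that the default path is acceptable for that traffic.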

    Application

    In a network with a simple structure, static routes can be configured to ensure that the network works properly. Correct static route settings provide network security and save bandwidth resources for important applications.

    Default routes are used to reduce the time for selecting routes and the bandwidth for forwarding packets. Default routes can meet the requirements for simultaneous communication by a large number of users.

    Enhancement

     None

    Dependency

    Application Limitations

    When the network is faulty or the network topology is changed, the static routes become unavailable and must be reconfigured by network administrators.

    Interaction with Other Features 

     N/A

    Standards

      RFC 791, "Internet Protocol"

      RFC 1155, "Structure and Identification of Management Information for TCP/IP-based Internets"

    1.9 eCNSFD-240300 VLAN Supporting

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    A virtual local area network (VLAN) is a logical network comprising multiple physical network devices. A VLAN forms a broadcast domain. Different VLANs communicate with each other through routes.

    The eCNS implements VLAN functions by setting VLAN IDs on sub-interfaces.


    Benefits

    Broadcast traffic and unicast traffic in a VLAN are not forwarded to other VLANs. This helps control network traffic, reduce equipment investments, simplify network management, and improve network security and reliability.

    Traffic can be isolated by adding interfaces to different VLANs.

    Description

    The eCNS provides the following VLAN functions:

      Isolates traffic

    When the eCNS uses a set of switching equipment to construct a LAN, it can assign the interfaces between NEs to different VLANs to implement traffic isolation. The eCNS can also assign the interfaces between PDNs to different VLANs to isolate users.

      Adapts to the peer

    If the routers, switches, or firewalls that are directly connected to the eCNS are assigned to different VLANs, the relevant ports on the eCNS must be divided into sub-interfaces. These sub-interfaces must also be assigned to the corresponding VLANs.

      Increases the number of available interfaces

    If the ports on the eCNS are insufficient for connecting to the routers, switches, or firewalls, these ports can be divided into sub-interfaces and VLAN IDs can be configured on these ports.

    If a sub-interface on the eCNS is configured with a VLAN ID, the layer-2 or layer-3 device that is directly connected to the eCNS must also be configured with the same VLAN ID.

     

    Enhancement

     None

    Dependency

    Application Limitations 

    This feature is applicable only when the routers, switches, and firewalls that are directly connected to the eCNS also support VLAN functions.

    Interaction with Other Features 

    Table 1-1 Interaction with other features

    Related Feature | Interaction

    eCNSFD-040100 Routing | Route information must be configured on the eCNS. Otherwise, packets cannot be forwarded between VLANs.


    1.10 eCNSFD-240700 VRF

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R003.

    Summary

    Virtual routing and forwarding (VRF) is a means of implementing the virtual private network (VPN) function. It enables the functions of multiple virtual routing devices to be implemented on a single routing device. It is also used to logically define a physical device. Each VRF has a separate routing table and address space.

    The eCNS supports VRF, and the functions of multiple logically separated virtual eCNSs can be implemented on one eCNS device. VPN instances can be created on the eCNS to implement VRF.

    Benefits

    This feature facilitates connections between the eCNS and intranets because the address spaces of APNs of carriers' private networks can be reused.

    APN traffic can be separated to ensure network security.

    Interfaces of different VPN instances can use the same IP address, which conserves public IP addresses.

    Description

    A VPN keeps the transferred data private from other VPNs. By taking advantage of this feature on the eCNS, you can bind each APN to a separate VPN to divide the traffic of different APNs. Through traffic separation and network division, the APN resources of a VPN will not be used by other VPNs or subscribers of other VPNs on the network. Therefore, the information in the VPN is secure.

    An eCNS can be logically divided into multiple virtual eCNSs through VRF. Each virtual eCNS works independently as an eCNS and has its own routing table and interface for data forwarding. In addition, traffic of different services can be separated.

    Networking application: The problem of insufficient IP addresses can be solved by binding physical interfaces (or Eth-trunk interfaces or sub-interfaces), logical interfaces, and routes to VRF, and the traffic of the signaling plane, user plane, and operation and maintenance (OM) data can be separated.

    Service application: By binding APNs to VRF, multiple virtual routing areas are available on one eCNS to realize the separation of addresses and routes among APNs.

    Resource application: By binding address pools to VRF, address resources can be reused.


    Enhancement

     None

    Dependency

    Table 1-2 Interaction with other features

    Feature | Interaction

    eCNSFD-110010 Routing Behind MS | Different UEs which support "Routing Behind MS" can be separated by different VRFs.

    Standards

    RFC 2764, "IP Based Virtual Private Networks"

    1.11 eCNSFD-260100 Software Management

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    Software management is used to achieve software management of the eCNS, including software installation and activation in addition to patch installation, loading, and activation.

    Benefits

    As a basic feature of the eCNS, it can flexibly manage the running software. Patches can correct software faults without service interruption.

    Description

    Software management includes software installation and patch installation.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.


    Standards

     None

    1.12 eCNSFD-260400 Fault Management

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The fault management feature is used to monitor system operations. The eCNS notifies maintenance personnel of faults and events through alarms.

    Benefits

    As a basic feature of the eCNS, it provides detailed alarm information to help maintenance personnel easily locate and handle faults.

    Description

    The eCNS generates various types of alarms that cover faults and events related to software functions, hardware parts, and external environment to ensure that faults can be immediately detected and handled.

    To simplify management, these alarms are assigned different severities.

    The eCNS alarms are classified into the following severities:

      Critical

      Major

      Minor

      Warning

    You can adjust the alarm severities based on certain requirements.

    When an alarm occurs, the system reports the detailed information about the alarm so that maintenance personnel can locate and handle the fault. Maintenance personnel can shield alarms that they consider as unimportant.

    The alarm tool uses different colors and windows to differentiate the alarms of different severities, so that users can focus on alarms of high severity first. Alarms can be queried by specifying a combination of criteria such as the time range, alarm severity, and alarm type. The results returned help in analysis and location of faults.

    Enhancement

     None


    Dependency

    This feature does not depend on other features.

    Standards

     None

    1.13 eCNSFD-260500 Equipment Management

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    Equipment management monitors and controls the functions of entities such as system hardware and links.

    Benefits

    As a basic feature of the eCNS, it helps maintenance personnel in knowing the operations of the system so that they can flexibly maintain and manage the system.

    Description

    The equipment management feature helps in monitoring and control.

      Status monitoring

    The eCNS610 provides MML commands for querying status of devices. It does not support the GUI query mode.

      Status control

    The eCNS610 provides MML commands for controlling the status of ports, links, and service processes.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

    CCITT X.731 Information Technology - Open Systems Interconnection - Systems Management


    1.14 eCNSFD-260600 Configuration Management

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    Configuration management includes operations such as adding, deleting, modifying, and querying of system data.

    Benefits

    As a basic feature of the eCNS, it helps engineers configure and manage parameters for system operation to make the system work properly.

    Description

    The eCNS provides both dynamic and static modes for data configuration:

      Dynamic data configuration means directly modifying system data without interrupting the operation of the system.

      Static data configuration means editing the data script file (MML.TXT) offline. Modification of the file takes effect after the system resets.

    Configuration management also supports backing up or exporting configuration data.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

     None

    1.15 eCNSFD-260700 Security Management

    Applicable NEs

    eCNS


    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The security management provided by the eCNS ensures that only authorized users can perform operations on the system, and guarantees system security. Security management includes account management, right management, operation period control, account validity control, access control list (ACL), account lockout policy, password policy, and operation log.

    Benefits

    Only authorized operators can perform authorized operations on legal terminals. It prevents unauthorized operators from performing operations intentionally or unintentionally, and ensures system security.

    Description

    Security management includes account management, right management, operation period control, account validity control, ACL, account lockout policy, password policy, and operation log.

      Account Management

    To maintain the eCNS, the operator must have a valid account. All accounts are managed by the system administrator. The system administrator can add or delete operator accounts as required.

      Rights Management

    The eCNS classifies commands to different command sets. You can manage the rights of each account by assigning the account with the execution rights of a specified command set.

    For convenient management, account rights are defined in user groups, and then users in different user groups can be assigned different rights. A user group is a collection of users who share the same rights. By default, the system provides four user groups:

    −  Administrators: There is only one administrator account in a system.

    −  Operators: Users in this group can check the data, maintain the system, and configure the data.

    −  Users: Users in this group can check the data and maintain the system.

    −  Guests: Users in this group can only check the data.

    The administrator can assign rights to users by assigning users to different user groups, and can assign special rights to a user account.

      Operation Period Control

    You can control the time period for which users log in and operate the OMU. If the current time is not in the specified time period, users cannot log in and operate the OMU.

      Account Validity Control

    The administrator can change the account validity by modifying the user attributes. When a user account is invalid, the user cannot log in to the OMU server.

      ACL


    Generally, the OMU does not restrict the IP address of the client that a user uses. After the ACL function is enabled, the IP address of the client that the user uses to log in to the OMU must be contained in the ACL. Otherwise, the login fails.

      Account Lockout Policy

    You can set a threshold for the number of login failures. If the number of failures to log in using an account exceeds the threshold, the system locks out the account. During a specified period, the system rejects login requests from this account.

    The account lockout policy can prevent malicious hackers from logging in and misusing the data.

      Password Policy

    The complexity and regular modification of passwords guarantee system security. The eCNS can customize the password policy as follows:

    −  Specify the validity period of a password

    −  Specify the password length

    −  Specify the characters that can be used in a password

      Operation Log

    An operation log records all the operation information about a user, including user name, user number, IP address, commands that the user runs, time when the command is run, and result of the command. You can check the operation log on the LMT and trace suspicious operations.
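    The login controls listed above (ACL, account validity, account lockout, operation period, user-group rights) evaluated in one admission function, as an added example that is not eCNS or Huawei code. The order of the checks, the thresholds, all names and the sample addresses are assumptions; the password policy is not modelled.

```python
"""Added example (not vendor code): login admission checks modelled on the
controls listed above. Names, thresholds and sample values are assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# Rights per default user group as the page describes them. The page does not
# list the rights of the Administrators group, so full rights are assumed.
GROUP_RIGHTS = {
    "Administrators": {"check", "maintain", "configure", "manage_accounts"},
    "Operators": {"check", "maintain", "configure"},
    "Users": {"check", "maintain"},
    "Guests": {"check"},
}


@dataclass
class Account:
    name: str
    group: str
    valid: bool = True                     # account validity control
    period_start: time = time(0, 0)        # operation period control
    period_end: time = time(23, 59, 59)
    failures: int = 0
    locked_until: Optional[datetime] = None


class LoginGate:
    def __init__(self, acl, max_failures=3, lock_minutes=30):
        self.acl = [ipaddress.ip_network(n) for n in acl]  # empty = ACL off
        self.max_failures = max_failures
        self.lock = timedelta(minutes=lock_minutes)
        self.log = []  # (time, user name, client IP, event, result)

    def attempt(self, acct, client_ip, password_ok, now):
        """Decide one login attempt and record it, whatever the outcome."""
        result = self.decide(acct, client_ip, password_ok, now)
        self.log.append((now, acct.name, client_ip, "login", result))
        return result

    def decide(self, acct, client_ip, password_ok, now):
        ip = ipaddress.ip_address(client_ip)
        # ACL first: attempts from outside the ACL never touch the failure
        # counter, so such clients cannot lock an account out.
        if self.acl and not any(ip in net for net in self.acl):
            return "denied: client not in ACL"
        if not acct.valid:
            return "denied: account invalid"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "denied: account locked"  # even with a correct password
            acct.locked_until, acct.failures = None, 0  # lock period is over
        if not (acct.period_start <= now.time() <= acct.period_end):
            return "denied: outside operation period"
        if not password_ok:
            acct.failures += 1
            if acct.failures > self.max_failures:  # "exceeds the threshold"
                acct.locked_until = now + self.lock
            return "denied: bad password"
        acct.failures = 0
        return "ok"


def may_run(acct, right):
    """Group-based rights check for a command class such as 'configure'."""
    return right in GROUP_RIGHTS.get(acct.group, set())


def demo():
    """Constructed scenario: ACL miss, lockout, lock expiry, closed period."""
    gate = LoginGate(acl=["192.0.2.0/24"], max_failures=3, lock_minutes=30)
    op = Account("op1", "Operators",
                 period_start=time(8, 0), period_end=time(18, 0))
    t0 = datetime(2014, 4, 18, 9, 0)
    results = [gate.attempt(op, "198.51.100.7", True, t0)]
    for i in range(4):  # four wrong passwords, one more than the threshold
        results.append(
            gate.attempt(op, "192.0.2.10", False, t0 + timedelta(minutes=i)))
    results.append(gate.attempt(op, "192.0.2.10", True, t0 + timedelta(minutes=5)))
    results.append(gate.attempt(op, "192.0.2.10", True, t0 + timedelta(minutes=40)))
    results.append(gate.attempt(op, "192.0.2.10", True, datetime(2014, 4, 18, 22, 0)))
    return results, gate, op


if __name__ == "__main__":
    for entry in demo()[1].log:
        print(entry)
```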

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

     None

    1.16 eCNSFD-260800 Online Documentation

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    Each version of the eCNS has its own online help, which contains:

      O&M system online help


    It is used to help users correctly use relevant interfaces and different management functions, and provides alarm descriptions and suggestions for handling alarms.

      MML command online help

    It is used to explain each MML command and help users correctly use these commands.

    An online help provides the following functions:

      It is organized based on common tasks performed by users. In the client window, choose Help > Help Topics to display the online help. You can obtain the information about a task through the navigation tree.

      It provides the detailed description of all operations supported by the system. Operation help is associated with certain interfaces, so you can obtain relevant information by pressing F1 to activate the help you want to query.

      It also provides a powerful index function, so you can obtain help information by typing a key word.

    Benefits

    As a basic feature of the eCNS, it guides an operator to use and maintain the system.

    Description

    The contents of the online help are as follows:

      Interface online help

    It describes the meanings of the LMT user interfaces and how to use maintenance functions and alarm management functions.

      Alarm help

    It describes each alarm and provides suggestions to handle alarms.

      MML help

    It describes the function, notes, parameter description, and example of each MML command.

      Performance index help

    It describes the meaning, triggering point, measurement object, and unit of each measurement index.

    There are several ways to trigger the online help:

      Press F1 to invoke the interface online help.

      The MML help is automatically triggered after a command is selected or entered.

      The alarm help is automatically triggered when you check the alarm.

      Choose Help > Help theme to display all online helps.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.


    Standards

     None

    1.17 eCNSFD-260900 Tracing Function

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    Tracing can be classified into subscriber tracing and interface tracing. The tracing functions can be used to store, resolve, and review a tracing file. Interface tracing involves establishment, capture, and resolution of tracing messages processed by the interfaces of eCNS.

    Benefits

    This feature guarantees flexibility in locating and solving problems for enterprise customers.

    The tracing feature is used in the daily maintenance of a device. This feature can locate where a fault occurs in the service procedure through message tracing. After a device is configured for data, the device can validate whether signaling links run normally by setting up tracing, and locate faults.

    Description

    The eCNS provides subscriber signaling and data tracing based on the IMSI or MSISDN. The eCNS supports the following types of message filters:

      MM messages of the S1 interface: NAS_MM and GTP_C

      SM messages of the S1 interface: NAS_SM and GTP_C

      S1-AP message of the S1 interface: S1-AP

    The eCNS can create subscriber tracing for a UE that does not attach to the network. Once the UE initiates the attach procedure, all the signaling and user data can be captured.

    Group tracing means tracing the signaling message and interface message on a certain group.

    Interface tracing means tracing all the messages on a certain interface.

    The eCNS allows a tracing file to be saved to the hard disk in different formats through both automatic and manual modes.

    The tracing messages can be saved in the following formats:

      Trace message file (*.tmf): It is used to browse messages offline through the Trace Viewer. This type of message browsing is intuitive.

      Text file (*.txt): It is used to save the messages displayed in the tracing interface.


      Protocol text file (*.txt): It is used to save protocol explanation of messages.

      CSV file (*.csv): It is used to save the complete code flow. The LMT interface displays only part of the code flow.

    The OMS provides a message analyzer that can be used to view messages online. You can double-click a certain message in the Message Browser window to query the detailed information about this message.

    When browsing messages online, you can select and double-click a record that you want to query. A window containing the detailed information and explanation of the record is displayed, as shown in Figure 1-2.

    Figure 1-2 Message Browser

    The window is divided into two parts, the upper pane and the lower pane. You can adjust the view by moving the bar that separates the two panes. If you select a row in the upper part of the window, the row is highlighted in blue and the blue bar in the lower pane indicates the hexadecimal information of the selected row.

    The tracing files that are saved on local devices can be viewed in the Trace Viewer. The

    Trace Viewer can be used to perform the following operations:

      View message streams

    Complete tracing message procedures can be viewed, including the directory, time, type, and content of a message, as shown in Figure 1-3.


    Figure 1-3 Trace Viewer

      Resolve messages

    Select and double-click a record that you want to query. A window containing the detailed information and explanation of the record is displayed, as shown in Figure 1-4.


    Figure 1-4 Message Browser

    The window is divided into two parts, the upper pane and the lower pane. You can adjust the view by moving the bar that separates the two panes. If you select a row in the upper part of the window, the row is highlighted in blue and the blue bar in the lower pane indicates the hexadecimal information of the selected row.

      Sort messages

    Messages can be sorted according to the serial number, time, direction, and type.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

     None


    1.18 eCNSFD-261000 Log Management

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The eCNS provides and manages run logs, debug logs, operation logs, and security logs. It

    allows log export and upload.

    Benefits

    This feature meets the requirements of enterprise customers for log management.

    Description

    The eCNS supports the following logs:

      Run logs: record the running status of system software, for example, record system deployment status and system status changes. Using the run logs, OM personnel can learn the running status of the system.

      Debug logs: record the running status of system software, for example, object status migrations and message exceptions. Using the debug logs, R&D personnel can locate problems and analyze system efficiency.

      Operation logs: record the commands delivered from LMTs. Using the operation logs, OM personnel can manage OM records.

      Security logs: record the security events that occur on the eCNS. The security events include user login, account management, and account authentication.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

     None


    1.19 eCNSFD-270100 S1 Interface

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The S1 interface includes the S1-MME interface and the S1-U interface in LTE/SAE.

    The S1-MME interface is a standard interface between the eNodeB and the eCNS.

    The S1-U interface is a user-plane interface between the eNodeB and the eCNS. It is used to transmit uplink and downlink user-plane data flows between the eNodeB and the eCNS.

    Benefits

    This feature enables the S1 interface to transmit user-plane and control-plane data.

    Description

    The S1-MME interface is the signaling interface between the eNodeB and the eCNS. Figure 1-5 shows the protocol stack of the S1-MME interface.

    Figure 1-5 Protocol stack of the S1-MME interface

    The protocol layers are described as follows:

      S1 Application Protocol (S1-AP): It refers to the application layer protocol between the eNodeB and the MME.

      Stream Control Transmission Protocol (SCTP): It is used to guarantee the transmission of signaling messages between the eNodeB and the MME.

      IP: It contains IPv4 that is defined in RFC 791 and IPv6 that is defined in RFC 1883.

      L2/L1: The data link layer/physical layer protocol can be 10 Mbit/s, 100 Mbit/s, or 1000 Mbit/s Ethernet.


    The S1-U interface uses the GPRS Tunneling Protocol version 1 (GTPv1). Figure 1-6 shows the S1-U interface protocol stack.

    Figure 1-6 S1-U interface protocol stack

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

    3GPP TS 36.413, "Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 Application Protocol (S1AP)"

    1.20 eCNSFD-270200 SGi Interface

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.


    Summary

    The SGi interface is an interface between the eCNS and the packet data network (PDN), or between the eCNS and the authentication, authorization and accounting (AAA) server. It is used to transmit PS session data.

    Benefits

    For...                  Benefits

    Enterprise customers    This feature enables the eCNS to interwork with PDN devices of various vendors by using the SGi interface, complying with 3GPP specifications.

    Subscribers             Subscribers are unaware of the SGi interface feature.

    Description

    SGi Interface Protocol Stack  

    Figure 1-7 shows the SGi interface protocol stack.

    Figure 1-7 SGi interface protocol stack

    Enhancement

     None

    Dependency

    Application Limitations 

     None


    Interaction with Other Features 

     N/A

    1.21 eCNSFD-280300 Linux Security Hardening

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    This feature hardens Linux operating system (OS) security and protects against attacks without interruptions to ongoing services. A secure OS is essential to ensure proper running of NEs and prevent unauthorized operations. An OS with vulnerabilities is open to attacks from hackers and viruses, leading to issues such as network service interruption, information loss, data corruption, and low efficiency.

    Linux security is hardened using the following means:

      Minimized OS 

      OS passwords, file permissions, and kernel parameters

      OS logs

      Interconnection security data

    Benefits

    This feature enhances system robustness and security, protects against hackers and viruses, and improves user satisfaction.

    Description

    This feature hardens Linux security and protects against attacks without interruption to ongoing services.

    OS Security Threats and Vulnerability Causes 

    The Linux OS faces the following security threats:

      Manipulated attacks

    Manipulated attacks are major attacks the OS faces. Hackers attack the system by utilizing OS vulnerabilities that are caused by various factors such as OS leaks, insecure passwords, or configuration defects. After seizing the super control rights, the hackers tamper with important files and data, wreaking havoc on network security.

      Programmed attacks

    Programmed attacks mainly refer to computer viruses, including executable file viruses, worm viruses, script viruses, and backdoor programs.


    The following factors make the OS vulnerable: 

      OS leaks

    OS leaks arise from program design or function defects such as identity authentication defects and service loopholes.

      Insecure accounts or passwords

    Hackers and viruses can easily crack insecure accounts and passwords using means such as password dictionaries or brute-force crackers.

      Incorrect file permissions

    File permissions determine which operations users can perform on files, such as reading, writing, or executing them. File permissions are essential to file sharing, protection, and confidentiality.

    To protect files and directories against unauthorized access, the Linux OS defines three types of users: owner, user group, and others. These users can be assigned different permissions.

    If incorrect permissions are granted to user groups or others, important files may be unexpectedly read, written, or executed.

      Insecure network services

    All network services have security risks. For example, Telnet does not encrypt or verify sessions; it transmits user names and passwords over the network in plaintext. In addition, network services such as Samba have security leaks. If the OS is not promptly patched, hackers or viruses may utilize these leaks to attack the system.

      Incorrect operations

    Incorrect operations (for example, directly powering off the Linux OS) may lead to system faults or system breakdown. If users open email attachments sent from unknown addresses or visit unknown websites, the system may get infected with viruses.

    OS Security Hardening Policies 

    Linux security is hardened using the following policies:

      Minimizing the OS

    The default software package of the Linux OS contains many services and components, most of which are optional. These services and components affect OS performance and security. Therefore, the OS needs to be streamlined for different purposes, including:

    −  Reducing the system size

    −  Increasing the startup speed

    −  Improving the system security

    −  Retaining existing services and functions after minimization

    The minimized OS supports system security measures, for example, closing ports, closing services, and clearing leaks.

      Configuring OS passwords, file permissions, and kernel parameters

    Different users are assigned different file permissions to protect important files from being written, read, or executed by unauthorized users.

    In addition to the default user root, the Linux OS creates a user named omu, as described in Table 1-3. The administrator can also create other users for routine operations and maintenance (OM).


    Table 1-3 OS users and rights

    User Name: root
    Function: User root is the default user. This user can control all resources, create other users, assign file permissions to them, and perform all operations supported by the OS. During system deployment, user root can perform installation and configuration. After the deployment, this user cannot perform routine OM, and the password is managed by the enterprise customer.
    Rights: User root has the highest rights, and can install and uninstall server applications.
    Default Password: huawei

    User Name: omu
    Function: User omu is created during the installation of the OMU. This user manages OMU processes and performs routine OM functions by using, for example, alarms and logs.
    Rights: User omu has permissions to control the status of OMU processes.
    Default Password: omu

      Managing OS logs

    To better manage OS logs and protect their security, the OS uses different log management policies based on log types, saving paths, and log formats.

    Linux OS logs are classified into two types:

    −  Login logs

    utmp and wtmp are key log files in the Linux OS log system.

    utmp records the information about users who have logged in to the system. wtmp records the information about login, logout, data exchange, power-off, and restart.

    −  System logs

    System logs are configured in the /etc/syslog-ng/syslog-ng.conf file.

    Different logs are saved in different paths:

    −  The saving path of a system log can be specified by the destination messages parameter in the /etc/syslog-ng/syslog-ng.conf file. The default path is /var/log/messages.

    −  utmp is saved in /var/run/utmp.

    −  wtmp is saved in /var/log/wtmp.

    The policies for managing OS logs are as follows:

    −  Creates a centralized log management mechanism.

    If multiple computers use the SuSE Linux OS, use a central log server to save and manage logs. Centralized log management can reduce the daily workload of querying logs and help trace attackers.

    −  Backs up logs.

    −  Controls the access to logs.

    −  Compresses logs and saves logs for a long period.

      Configuring interconnection security data

    To harden system security, the OS supports the configuration of the following security data for interconnection between an OMU (or another board) and an OM node (such as an LMT):


    −  Client digital certificate

    A client digital certificate is used to authenticate a client that communicates with the OMU. The client supports two types of certificates:

        −  Common Cert: To apply a certificate to all offices, set the certificate as Common Cert.

        −  Server Cert: To apply a certificate to only one office, set the certificate as Server Cert.

    −  SMM security data

    To harden system security during deployment and routine OM, the OS allows the following security configurations for the shelf management module (SMM):

        −  Prohibiting a user from accessing the SMM from an external network port

        −  Prohibiting user root from accessing the SMM, and allowing only user smm to access the SMM

    −  Secure transmission mode between a client and the OMU

    By default, the system supports SSL connections and common connections. SSL connections are recommended for secure data transmission.
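
    The login logs described under "Managing OS logs" (utmp and wtmp) are binary files, so reviewing them needs a parser. The following is an added example, not part of the Huawei document: it assumes the glibc record layout on x86 Linux (384-byte little-endian records), and the records, user sessions, and addresses in it are constructed sample data. It lists root logins, which the text above says are not used for routine OM after deployment, and reports a file that does not end on a record boundary.

```python
import struct
from collections import namedtuple

# One record of /var/log/wtmp or /var/run/utmp as laid out by glibc's <utmp.h>.
# Assumption: x86 Linux, little-endian, 384-byte records.
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)

# ut_type values from <utmp.h> that matter for login auditing.
RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8
KINDS = {RUN_LVL: "runlevel", BOOT_TIME: "boot",
         USER_PROCESS: "login", DEAD_PROCESS: "logout"}

Record = namedtuple("Record", "kind pid line user host time")


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Return (records, leftover_bytes). A non-zero leftover means the file
    does not end on a record boundary (truncated or otherwise damaged)."""
    whole = len(data) - len(data) % UTMP_SIZE
    records = []
    for offset in range(0, whole, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FORMAT, data, offset)
        kind = KINDS.get(fields[0])
        if kind is None:  # EMPTY, INIT_PROCESS, LOGIN_PROCESS, ...
            continue
        # fields: 1 = pid, 2 = line, 4 = user, 5 = host, 9 = tv_sec
        records.append(Record(kind, fields[1], _text(fields[2]),
                              _text(fields[4]), _text(fields[5]), fields[9]))
    return records, len(data) - whole


def root_logins(records):
    """Sessions opened as root, which the page says is not used for
    routine OM after deployment."""
    return [r for r in records if r.kind == "login" and r.user == "root"]


def make_record(ut_type, pid, line, user, host, when):
    """Pack one constructed record (sample data only)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, when, 0,
                       0, 0, 0, 0)


# Constructed sample: boot, an omu session, a remote root login, a logout,
# then two stray bytes standing in for a cut-off record.
SAMPLE = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1397800000),
    make_record(USER_PROCESS, 2101, "pts/0", "omu", "192.0.2.20", 1397800300),
    make_record(USER_PROCESS, 2140, "pts/1", "root", "192.0.2.10", 1397800900),
    make_record(DEAD_PROCESS, 2101, "pts/0", "", "", 1397801200),
]) + b"\x07\x00"

if __name__ == "__main__":
    records, leftover = parse_wtmp(SAMPLE)
    for r in root_logins(records):
        print("root login on %s from %s at %d" % (r.line, r.host, r.time))
    print("trailing bytes:", leftover)
```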

    Dependency

    This feature does not depend on other features.

    Standards

     None


    2 Optional Features

    2.1 eCNSFD-310001 NAS Encryption and Integrity Protection (AES)

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    This feature uses Advanced Encryption Standard (AES) to protect non-access stratum (NAS) signaling and improve system security.

    NAS is a protocol layer between the UE and the EPC, used to transmit user data and signaling between them.

    Benefits

    This feature ensures the security and reliability of NAS signaling in addition to user data.

    Description

    AES is the most widely used encryption and integrity protection standard in the world. 3GPP defines two AES algorithms, EPS Encryption Algorithm 2 (EEA2) and EPS Integrity Algorithm 2 (EIA2), with the key length of 128 bits.

    After a UE attaches to the network, the UE notifies the eCNS of the encryption and integrity protection algorithms it supports.

    If the UE supports AES, the eCNS determines whether to use AES according to local policies. If AES is used, the eCNS uses AES to encrypt and protect the integrity of signaling between the UE and the eCNS.

    Enhancement

     None


    Dependency

    This feature does not depend on other features.

    Standards

    3GPP TS 33.401, "3GPP System Architecture Evolution (SAE); Security architecture"

    2.2 eCNSFD-310002 NAS Encryption and Integrity Protection (SNOW3G)

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    This feature uses SNOW 3G to protect NAS signaling and improve system security.

    NAS is a protocol layer between the UE and the EPC, used to transmit user data and signaling between them.

    Benefits

    This feature ensures the security and reliability of NAS signaling in addition to user data.

    Description

    SNOW 3G is an EPS security standard. 3GPP defines two SNOW 3G algorithms, EPS encryption algorithm 1 (EEA1) and EPS integrity algorithm 1 (EIA1), with the key length of 128 bits.

    After a UE attaches to the network, the UE notifies the eCNS of the encryption and integrity protection algorithms it supports.

    If the UE supports SNOW 3G, the eCNS determines whether to use SNOW 3G based on the local policy to encrypt and protect the integrity of signaling between the UE and the eCNS.
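
    The selection step described in 2.1 and 2.2 (the UE reports its algorithms, the core network picks one according to local policy) can be written as follows. This is an added example, not eCNS code: the function names and the policy lists are hypothetical, and the bit layout assumed is that of the first two value octets of the UE network capability IE in 3GPP TS 24.301 (bit 8 = algorithm 0, bit 7 = algorithm 1, bit 6 = algorithm 2).

```python
# Algorithm numbers shared by the EEA (ciphering) and EIA (integrity) families:
# 0 = null, 1 = SNOW 3G (EEA1/EIA1), 2 = AES (EEA2/EIA2).
NULL, SNOW3G, AES = 0, 1, 2


def advertised(octet):
    """Algorithm numbers set in one capability octet (bit 8 = algorithm 0)."""
    return {n for n in range(8) if octet & (0x80 >> n)}


def select_nas_algorithms(ue_capability, eea_priority, eia_priority):
    """Pick the first locally preferred algorithm that the UE also supports.

    ue_capability: first two value octets of the UE network capability IE
                   (ciphering bitmap, then integrity bitmap).
    eea_priority / eia_priority: local policy lists, most preferred first
                   (hypothetical configuration for this example).
    Returns a tuple such as ("EEA2", "EIA2").
    """
    if len(ue_capability) < 2:
        raise ValueError("UE network capability needs at least two octets")
    ue_eea = advertised(ue_capability[0])
    ue_eia = advertised(ue_capability[1])

    # This example never selects the null integrity algorithm EIA0, even if
    # the policy list or the UE includes it: unprotected NAS signaling could
    # be modified in transit without detection.
    eia = next((a for a in eia_priority if a != NULL and a in ue_eia), None)
    if eia is None:
        raise ValueError("no common integrity algorithm")

    eea = next((a for a in eea_priority if a in ue_eea), None)
    if eea is None:
        raise ValueError("no common ciphering algorithm")
    return "EEA%d" % eea, "EIA%d" % eia


# Constructed capability values: 0xE0 advertises algorithms 0, 1 and 2;
# 0xC0 advertises 0 and 1 only (a UE without AES support).
UE_WITH_AES = bytes([0xE0, 0xE0])
UE_SNOW3G_ONLY = bytes([0xC0, 0xC0])

# Hypothetical local policies.
PREFER_AES = ([AES, SNOW3G, NULL], [AES, SNOW3G])
PREFER_SNOW3G = ([SNOW3G, AES, NULL], [SNOW3G, AES])

if __name__ == "__main__":
    print(select_nas_algorithms(UE_WITH_AES, *PREFER_AES))
    print(select_nas_algorithms(UE_SNOW3G_ONLY, *PREFER_AES))
    print(select_nas_algorithms(UE_WITH_AES, *PREFER_SNOW3G))
```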

    Enhancement

     None

    Dependency

    This feature does not depend on other features.


    Standards

      3GPP TS 33.401, "Security architecture"

      ETSI Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2, Document 2: SNOW 3G Specification

    2.3 eCNSFD-310003 O&M SSL

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The eCNS employs the Huawei SeCert Transport Layer Security (TLS) development library and supports SSLv3.0, TLSv1.0, and TLSv1.1 by default.

    The Secure Socket Layer (SSL) feature can be implemented when the eCNS communicates with the M2000 or LMT to enhance security through encryption. Therefore, the MML channel, binary channel, SOAP interface, Web interface, and FTP file transfer channel between the eCNS and the M2000 or LMT can be encrypted to ensure secure transmission.

    Benefits

      The security of accounts and passwords of Internet service providers (ISPs) for operation and maintenance is guaranteed, data is transmitted over networks while remaining intact, and the network operation expenditure is reduced.

      By providing the SSL value-added service to enterprises and individuals, an ISP establishes closer long-term cooperative relationships with them and improves service quality as the ISP makes full use of the existing network resources. The ISP therefore becomes more competitive and can gain greater business profits.

    Description

    SSL is a security protocol that was first proposed by Netscape to provide secure communication for the application layer based on TCP transmission. In the TCP/IP protocol stack, SSL is applied between the transport layer and the application layer and adopts TCP to carry messages, therefore ensuring secure transmission for the application layer. SSL is widely used in services such as Web, FTP, and Telnet.

    Currently, available SSL versions are SSLv1, SSLv2, and SSLv3, among which SSLv3 is the latest version. The standardized versions of SSL are TLS1.0 and TLS1.1.

    SSL provides the following security services:

      Identity authentication

    Identity authentication means checking whether the peer end is the actual end with which you want to communicate. SSL authenticates the server and the client based on digital certificates to confirm that they are legitimate users. Both the client and the server have their own identifiers, which are numbered with a public key. To verify that a user is legitimate, SSL requires digital authentication during data exchange in the handshake stage.

      Connection privacy

    Connection privacy means that data is encrypted before transmission to avoid data cracking by illegitimate users. SSL ensures connection privacy by employing encryption algorithms. The common encryption algorithms are DES, 3DES, RC2, and RC4.

      Data integrity

    Data integrity means that any modification to data during transmission can be detected. SSL sets up a secure channel between the client and the server so that all SSL-processed data can reach the destination without being modified. SSL guarantees data integrity by employing message digest algorithms. The common message digest algorithms are MD5 and SHA-1.
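
    The protocol versions this feature supports by default (SSLv3.0, TLSv1.0, TLSv1.1) have since been deprecated by the IETF (RFC 7568, RFC 8996), and RC4 is prohibited in TLS by RFC 7465, so it is worth checking what an O&M channel actually negotiates. The following added example, which is not part of the Huawei document, parses the ServerHello from a captured handshake and reports the version and the legacy algorithms named above; the sample records are constructed and the function names are hypothetical.

```python
import struct

VERSIONS = {0x0300: "SSLv3.0", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
DEPRECATED = {0x0300, 0x0301, 0x0302}  # RFC 7568 and RFC 8996

# Cipher suite code points from the IANA TLS registry (subset).
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Substring of the suite name -> legacy algorithm named on the page.
LEGACY = {"RC4": "RC4", "RC2": "RC2", "_DES_": "DES",
          "3DES": "3DES", "MD5": "MD5"}


def parse_server_hello(record):
    """Return (version, cipher_suite) from one TLS record holding a
    ServerHello. TLS 1.3 is signalled in an extension and not parsed here."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (length,) = struct.unpack(">H", record[3:5])
    body = record[5:5 + length]
    if len(body) < length or length < 4 or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        raise ValueError("ServerHello too short")
    end = 35 + hello[34] + 2  # version(2) + random(32) + session id + suite
    if len(hello) < end:
        raise ValueError("ServerHello too short")
    (version,) = struct.unpack(">H", hello[:2])
    (suite,) = struct.unpack(">H", hello[end - 2:end])
    return version, suite


def assess(record):
    """Summarise what the server chose and which legacy features it uses."""
    version, suite = parse_server_hello(record)
    name = SUITES.get(suite, "0x%04X" % suite)
    issues = ["deprecated protocol"] if version in DEPRECATED else []
    issues += [alg for token, alg in LEGACY.items() if token in name]
    return {"version": VERSIONS.get(version, "0x%04X" % version),
            "suite": name, "issues": issues}


def build_server_hello(version, suite):
    """Constructed ServerHello record (sample data only, empty session id)."""
    hello = (struct.pack(">H", version) + bytes(32) + b"\x00"
             + struct.pack(">H", suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    for ver, suite in [(0x0300, 0x0004), (0x0302, 0x000A), (0x0303, 0x002F)]:
        print(assess(build_server_hello(ver, suite)))
```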

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

     None

    2.4 eCNSFD-310004 Static IP Address Allocation

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    Summary

    The eCNS allocates static IP addresses to UEs based on subscriber data.

    Benefits

    This feature provides a basic function for radio access.

    Description

    A UE must obtain at least one IP address before it is able to access PS services. A PDN Address Allocation IE is specified during the setup of a default bearer for the UE. This IE contains protocol information (including an IP address field) the UE must obtain before it is able to access an external PDN. In addition, this IE indicates the method the UE expects to use to obtain an IP address.

    3GPP TS 23.401 defines three modes of allocating IP addresses to UEs:

      IP address allocation from the local address pool

    In this mode, the eCNS allocates a dynamic IP address to a UE from the local address pool during the activation of a bearer for the UE.

    The local address pool contains the IP addresses planned by the enterprise customer.

      Static IP address allocation

    In this mode, the eCNS allocates IP addresses to UEs from its integrated subscriber data module. This module matches the IMSI of each UE to an IP address range planned by the enterprise customer. This mode is a pure static IP address allocation mode, which requires complex configurations.

      IP address allocation from the RADIUS server

    In this mode, the eCNS allocates dynamic IP addresses obtained from the RADIUS server during UE authentication in the bearer activation procedure. Note that dynamic IP addresses are carried in access response messages sent by the RADIUS server.

    This mode is applicable to enterprise customers or internet service providers (ISPs) who manage the RADIUS server and plan IP addresses for their internal users.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

    3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

    2.5 eCNSFD-310005 Multiple PDN Connection

    Applicable NEs

    eCNS

    Availability

    This feature is introduced in eCNS610 V100R001C00.

    This feature is an optional feature and is under license control.

    Summary

    A UE can create several PDN connections to access different networks at the same time. The UE also needs to support the feature.


    Benefits

    The multiple PDN feature enables a UE to connect to several networks at the same time. Therefore, the UE can use other services without stopping the current service. For example, the UE can receive multimedia messages when surfing on the Internet or send pictures on the websites through multimedia messages.

    Description

    The EPS can support simultaneous exchange of IP traffic between a UE and multiple PDNs by using one or several PDN GWs. The usage of multiple PDNs is controlled by network policies and defined in the subscription data.

    To allow one or several connections to the PDN, the EPS must support the UE-initiated PDN connection procedure. The UE-initiated PDN connection procedure includes the establishment of a default bearer.

    The UE can use the disconnection procedure to disconnect from any PDN. In this disconnection procedure, all bearers related to the disconnected PDN, including the default bearer, are released.

    The disconnection procedure cannot be used to disconnect the last PDN connection. The UE or eCNS can initiate a detach procedure to disconnect the last PDN connection.

    Enhancement

     None

    Dependency

    This feature does not depend on other features.

    Standards

    3GPP TS 23.401, "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access"

    2.6 eCNSFD-310008 SPI-based QoS Profile Control

    Applicable NEs

    eCNS

    Availability

    This feature was introduced in eCNS610 V100R003C00.

    This feature is an optional feature and is under license control.


    Summary

    This feature uses the shallow packet inspection (SPI) technique to recognize traffic flows and provide QoS guarantees. SPI refers to the inspection of quintuples in IP packet headers at L3 and L4. A quintuple contains the source address, destination address, source port number, destination port number, and protocol type.

    Benefits

    This feature enables the eCNS to perform effective control and refined management, provide different QoS guarantees for different services, and improve user satisfaction.

    Description

    In the uplink, the eCNS resolves quintuples in packet headers a