RTN 950 V100R003C03 Security White Paper 02


8/10/2019 RTN 950 V100R003C03 Security White Paper 02 (page 1/37)

    OptiX RTN 950 Radio Transmission System

    V100R003C03

    Security White Paper

    Issue 02

    Date 2012-07-28

    HUAWEI TECHNOLOGIES CO., LTD.


    Issue 02 (2012-07-28) Huawei Proprietary and Confidential

    Copyright Huawei Technologies Co., Ltd.


    Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.

    No part of this document may be reproduced or transmitted in any form or by any means without prior

    written consent of Huawei Technologies Co., Ltd.

    Trademarks and Permissions

    and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

    All other trademarks and trade names mentioned in this document are the property of their respective

    holders.

    Notice

    The purchased products, services and features are stipulated by the contract made between Huawei and

    the customer. All or part of the products, services and features described in this document may not be

    within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,

    information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

    The information in this document is subject to change without notice. Every effort has been made in the

    preparation of this document to ensure accuracy of the contents, but all statements, information, and

    recommendations in this document do not constitute a warranty of any kind, express or implied.

    Huawei Technologies Co., Ltd.

    Address: Huawei Industrial Base

    Bantian, Longgang

    Shenzhen 518129

    People's Republic of China

    Website: http://www.huawei.com

    Email: [email protected]

    1 Product Introduction and Network Applications

    1.2 Network Applications

    The OptiX RTN 950 provides several types of service interfaces and facilitates installation and flexible configuration. It can provide a solution that integrates TDM microwave, Hybrid microwave, and Packet microwave according to the network requirements. This solution supports a smooth upgrade from TDM microwave to Hybrid microwave, or from Hybrid microwave to Packet microwave. In addition, the solution can evolve with the service changes brought by radio mobile network evolution. The solution therefore satisfies the transmission requirements not only of 2G and 3G networks, but also of future LTE and 4G networks.

    Figure 1-2 shows the microwave transmission solution that is provided by the OptiX RTN 950

    for the mobile communication network.

    Figure 1-2 Microwave transmission solution provided by the OptiX RTN 950


    2 Security Architecture

    2.1 Overview of Hardware Security

    Figure 2-1 shows the system block diagram of the OptiX RTN 950. The system adopts a high-reliability hardware design to ensure that the system keeps running under security threats.

    Figure 2-1 System block diagram

    The following hardware preventive measures are provided:

    - Microwave interfaces: FEC encoding is adopted and an adaptive time-domain equalizer is used for baseband signals. This enables the microwave interfaces to tolerate strong interference, and an interceptor cannot restore the contents of a data frame without knowing the coding details and service configurations. Note that this is a robustness property rather than cryptographic confidentiality: FEC and equalization are standard, public signal-processing techniques, so they should not be relied on in place of link or payload encryption.


    - Modular design: Control units are separated from service units, and service units are separated from each other. A fault on any unit can therefore be isolated, minimizing its impact on the other units in the system.

    - CPU flow control: Data flows sent to the CPU for processing are classified and rate-controlled to prevent the CPU from being flooded by a large number of packets. This keeps the CPU operating properly under attack.

    2.2 Overview of Software Security

    Being positioned at the transport layer of a communications network, the OptiX RTN 950 provides high-capacity, high-reliability transparent transmission tunnels and is almost invisible to end users. The transmission tunnels are therefore not easily exposed to external attacks. To better address security requirements, the following part describes the services provided by the OptiX RTN 950, on which the security design is based.

    The OptiX RTN 950 processes two categories of data: O&M data and service data. The two are transmitted over independent paths and do not affect each other. Services on the OptiX RTN 950 are therefore processed on two planes:

    - Management plane
    - Data plane

    The management plane provides access to the equipment and its management functions, such as managing accounts and passwords, communication protocols, and alarm reporting. The management plane adopts the security architecture shown in Figure 2-2.

    Figure 2-2 Security architecture on the management plane (layered from the bottom up: hardware platform; VxWorks OS; TCP/IP protocol stack with TCP/IP attack prevention, ACL, OSPFv2, NTPv3, SNMPv3, FTP/SFTP and SSL 3.0/TLS 1.0; security management with account and password management, RADIUS, security log and operation log)

    Security features on the management plane implement secure access, integrated security management, and all-round security audits. The Secure Sockets Layer (SSL) feature provides secure access to the equipment. The Remote Authentication Dial-In User Service (RADIUS) feature implements centralized authentication for the equipment on the entire network.

    The data plane processes the service data flow entering the equipment and forwards service packets according to the forwarding table. Security features on the data plane ensure the confidentiality and integrity of user data by preventing malicious theft, modification, and removal of user service packets. They ensure stable and reliable operation of the forwarding plane by protecting forwarding entries against malicious attacks and falsification. The data plane provides:

    - User service separation methods
    - Access control methods
    - Methods for controlling and managing the ingress and egress bandwidth of the equipment to ensure reliable operation, such as flow control and QoS

    The data plane adopts the security architecture shown in Figure 2-3.

    Figure 2-3 Security architecture on the data plane (layered from the bottom up: hardware platform; product adapter/driver; VxWorks OS; service platform with service components, protocol components, security components and other components; on top, access control, quality of service, protocol security, flow control and availability)

    Figure 2-4 shows the principles of data separation between the management plane and the data plane.

    Figure 2-4 Principles of data separation (over fiber or radio, either the D bytes carry management data alongside the payload, or management data and payload share the payload and are separated by VLAN)

    The equipment supports two modes:


    - In overhead+payload mode, data on the management plane is transmitted in the D-byte overhead and data on the data plane is transmitted as payload. Data on the two planes is physically separated.

    - In VLAN+payload mode, data on both planes is transmitted as service data, shares physical bandwidth, and is separated by VLAN technology. Data on the two planes uses different VLAN IDs. Because the separation in this mode is logical rather than physical, the management VLAN must not be reachable from customer-facing ports.

    Table 2-1 lists the security functions provided by the OptiX RTN 950.

    Table 2-1 Security functions

    Plane | Function | Description
    Management plane | Account and password management | Manages and stores maintenance accounts.
    Management plane | Local authentication and authorization | Authenticates and authorizes accounts.
    Management plane | RADIUS authentication and authorization | Authenticates and authorizes remote accounts in a centralized manner to reduce maintenance costs.
    Management plane | Security log | Records events related to account management.
    Management plane | Operation log | Records non-query operations.
    Management plane | TCP/IP attack defense | Provides defense against TCP/IP attacks, such as IP error packets, Internet Control Message Protocol (ICMP) ping attacks, Jolt attacks, and DoS attacks.
    Management plane | Access control list | Provides access control lists based on IP addresses and port IDs.
    Management plane | SSL/TLS encrypted communication | Uses the SSL 3.0 and TLS 1.0 protocols to establish an encrypted channel based on a security certificate. (Both versions have since been deprecated, SSL 3.0 by RFC 7568 and TLS 1.0 by RFC 8996; where the software permits, a newer TLS version should be used.)
    Management plane | SFTP | Supports Secure File Transfer Protocol (SFTP) clients.
    Management plane | Open Shortest Path First (OSPF) | Uses the OSPFv2 protocol with standard MD5 authentication.
    Management plane | Network Time Protocol (NTP) | Uses the NTPv3 protocol with MD5 authentication and permission control.
    Data plane | Flow control | Controls traffic at ports. Broadcast packets are suppressed. Unknown unicast packets and multicast packets are discarded. QoS is used to limit the service traffic.
    Data plane | Discarding of incorrect packets | Discards incorrect packets, such as an Ethernet packet shorter than 46 bytes.
    Data plane | Loop prevention | Detects self-loops at service ports, blocks self-looped ports, and detects Ethernet loops.
    Data plane | Access control of Layer 2 services | Filters static MAC addresses in the static MAC address table, provides a blacklist, enables and disables the MAC address learning function, and filters packets based on complex traffic classification.
    Data plane | Service separation | Includes Layer 2 logical separation, split horizon, and physical path separation.


    3 System Security

    3.1 Management Plane

    3.1.1 Threats

    The management plane of the OptiX RTN 950 supports O&M functionality. This functionality allows you to activate and maintain services, monitor network problems, and identify security risks. The threats to the management plane are leakage of accounts and passwords and unauthorized access. An attacker who obtains an account and password and logs in can configure the system or modify services; in serious cases, services may be interrupted or terminated.

    The OptiX RTN 950 adopts the following measures to protect the management plane against these threats:

    - Strict account management and permission control
    - Effective log management
    - Private communication channels (described in chapter 4 "Network Security")

    Account management and authorization prevent unauthorized accounts from accessing the equipment. Security logs and operation logs record the security and configuration events of the system, so users can check the logs at any time to detect security risks. Private communication channels prevent accounts and passwords from leaking. The following sections describe these measures in detail.

    3.1.2 Preventive Measures

    Figure 3-1 shows the security management system provided by the OptiX RTN 950.


    Figure 3-1 Security management system provided by the OptiX RTN 950 (Account management: account complexity, password complexity, valid period of password, password encryption policy, RADIUS account management, user group management. Authorization: RADIUS authorization. Authentication: state of account, valid period of account, period of login, disabling of unused accounts, lock policy and security alarm, RADIUS authentication. Log management: operation log and security log, each with log integrity, log record, log overflow event and log upload.)

    Accounts and Passwords

    Accounts of the OptiX RTN 950 are divided into five levels: system monitoring, system operation, system maintenance, system administration, and system super administrator. Accounts at the system monitoring level have the lowest rights and are authorized only to issue the smallest set of query commands. Accounts at the system super administrator level have the highest rights and are authorized to perform all operations on the system. Accounts at the system administration level are authorized to manage accounts, that is, to create, delete, modify, and query accounts. When creating an account, the administrator must specify information such as the user name, password, user level, and active period for the account. When a user logs in with a new account for the first time, the system prompts the user to change the initial password.

    The system ships with default accounts. After the system starts up for the first time, a user needs to log in by using a default account. Default accounts can be queried or deleted and their passwords can be modified by using the network management system (NMS). When a user logs in with a default account and its default password, the system prompts the user to change the password. Because the default credentials are published here and in the product documentation, they should be changed, or the unneeded default accounts deleted, before the equipment is connected to any DCN. Table 3-1 and Table 3-2 list the default accounts and passwords of the system; Table 3-3 lists the rules for accounts and passwords.

    Table 3-1 Default accounts and passwords in BIOS state

    Account | Password | Group
    szhw | nesoft | Super administrator

    Table 3-2 Default accounts and passwords

    Account | Password | Group
    szhw | nesoft | Super administrator
    root | password | Administrator
    lct | password | Administrator
    LCD | LCD | Administrator

    Table 3-3 Rules for accounts and passwords

    Rule | Description
    Uniqueness of accounts | All accounts held in the same system are unique.
    Complexity of accounts | An account name consists of 4 to 16 characters, including lower-case and upper-case letters.
    Length of passwords | A password consists of 8 to 16 characters. To change a password, a user needs to enter the original password once and the new password twice.
    Complexity of passwords | A new password consists of at least three of the following character types: lower-case letters, upper-case letters, digits, and special characters. A new password must be different from the previous five passwords. A new password must be different from the account name, both as written and reversed. A new password must differ from the old password in two or more characters.
    Active periods of passwords | After the active period expires, the password can be used for only three more logins. The default value is 0, which means the password is valid permanently. For a common user the shortest active period is one day; the password can be changed only after that period.
    Storage of passwords | Passwords are stored in the system as MD5 hashes and cannot be queried. (MD5 is not considered a suitable password hash by current standards, which is one more reason to restrict access to the management plane.)
    Management of accounts | Accounts can be created, modified, deleted, and queried.
    Query of online users | Users of the administrator group can query other online users.
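The rules in Table 3-3 are easy to state and easy to get subtly wrong (the "two or more characters different" rule, for instance, must also count a change of length). The following is an added example, not Huawei code, that implements the password and account-name rules as a checker returning every violated rule. Passwords appear in plaintext only so the rules are visible; the comparison against the account name is assumed to be case-insensitive, which the page does not specify.

```python
"""Password and account-name checks modelled on the rules of Table 3-3.

Added example, not Huawei code. Passwords are handled in plaintext here only
so the rules are visible; the device stores MD5 hashes and would compare those.
"""
import string
from dataclasses import dataclass, field
from typing import List

CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


@dataclass
class Account:
    name: str
    # Previous passwords, most recent first (constructed for the demo).
    history: List[str] = field(default_factory=list)


def check_account_name(name: str) -> List[str]:
    """Table 3-3: an account name is 4 to 16 characters; letters may be upper or lower case."""
    problems = []
    if not 4 <= len(name) <= 16:
        problems.append("account name must be 4 to 16 characters")
    return problems


def character_classes(pw: str) -> int:
    """How many of the four classes (lower, upper, digit, special) occur in pw."""
    return sum(any(c in cls for c in pw) for cls in CLASSES)


def differing_positions(a: str, b: str) -> int:
    """Positions at which a and b differ; any length difference counts as well."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def check_new_password(account: Account, new_pw: str) -> List[str]:
    """Return every Table 3-3 rule the candidate violates; an empty list means accepted."""
    problems = []
    if not 8 <= len(new_pw) <= 16:
        problems.append("length must be 8 to 16 characters")
    if character_classes(new_pw) < 3:
        problems.append("needs at least three of: lower, upper, digit, special")
    if new_pw in account.history[:5]:
        problems.append("must differ from the previous five passwords")
    # Assumption: the account-name comparison is case-insensitive; the page does not say.
    name = account.name.lower()
    if new_pw.lower() in (name, name[::-1]):
        problems.append("must not equal the account name, forwards or reversed")
    if account.history and differing_positions(new_pw, account.history[0]) < 2:
        problems.append("must differ from the old password in at least two characters")
    return problems


if __name__ == "__main__":
    acct = Account("root", history=["Old#Pass1", "Prev2$abc"])
    for candidate in ("New#Pass1", "Old#Pass2", "Old#Pass1", "short"):
        print(candidate, "->", check_new_password(acct, candidate) or "accepted")
```

The checker reports all violations at once rather than stopping at the first, which is what an operator wants from an NMS dialog; a device-side implementation would run the same checks against stored hashes for the history rule.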


    Authentication

    Authentication is the process wherein the system checks whether an account and password are valid. Terminals accessing the equipment through physical ports and protocol ports must pass authentication before they are authorized to operate the equipment.

    The equipment supports two authentication modes: local authentication and RADIUS authentication. In local authentication mode, accounts and passwords are saved on the equipment, and the equipment uses the locally stored accounts to authenticate login attempts. In RADIUS authentication mode, accounts and passwords are saved on the RADIUS server. The equipment uses the RADIUS protocol to forward the account and password to the RADIUS server, which checks whether they are valid. In RADIUS authentication mode, the accounts and passwords of all equipment on the network are held on the RADIUS server, so they can be maintained centrally and with higher security.

    Local authentication

    Table 3-4 lists the check items involved in local authentication.

    Table 3-4 Check items involved in local authentication

    Item | Description | Handling
    Activation status of accounts | If an account is activated, the login request is accepted; if an account is deactivated, the login request is refused. | A user logged in with an administrator account can change the activation status of other accounts.
    Active periods of accounts | An account can be used for logins only within a specific period, namely the active period. If the active period of an account has expired, the login request is refused. | A user logged in with an administrator account can change the active periods of other accounts.
    Active periods of passwords | The password of an account can be used for logins within a specific period, namely the active period. After the active period of the password expires, the first three login requests are accepted but later ones are refused. | A user logged in with an administrator account can change the active periods of the passwords of other accounts.
    Login time of accounts | An account can be used for logins only within a specific section of a day, namely the login time. If an account is used outside its login time, the login request is refused. | A user logged in with an administrator account can change the login time of other accounts.
    Inactive time of accounts | An account is deactivated if a specific period elapses after its last login. This period is called the inactive time of the account. If an account is deactivated, the login request is refused. | A user logged in with an administrator account can change the inactive time and enabled/disabled status of other accounts.
    Locked accounts | If an account is locked, the login request is refused until the locking time expires. | After five login attempts with one account fail, with less than three minutes between consecutive attempts, the account is locked and cannot be unlocked manually. An alarm is reported at every login attempt from the sixth one onwards.
    Automatic logout of accounts | If an account does not exchange data with the equipment for a specified time, the account is automatically logged out and must be authenticated again before it can operate the equipment. | The specified time for automatic logout is one hour and cannot be changed by users.
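The check items in Table 3-4 combine into one login decision, and the lock rule in particular depends on the spacing of failures, not just their count. The following is an added example, not Huawei code, that models that decision offline: the lock duration and the time zone of the login window are assumptions, since the page gives neither; passwords are compared in plaintext only for the demonstration.

```python
"""Local-authentication decisions modelled on Table 3-4.

Added example, not Huawei code. Timestamps are seconds since the epoch as
plain floats, so the logic can be exercised offline. The page gives no lock
duration and no time zone for the login window, so both are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCK_THRESHOLD = 5        # five consecutive failures lock the account
LOCK_WINDOW = 3 * 60      # failures chain only when spaced under three minutes
LOCK_DURATION = 15 * 60   # assumed; the page says only that the lock expires
GRACE_LOGINS = 3          # logins still allowed after the password's active period
IDLE_TIMEOUT = 60 * 60    # one hour, fixed by the system


@dataclass
class Account:
    name: str
    password: str                                 # stored as a hash on the real device
    active: bool = True
    account_valid_until: Optional[float] = None   # None: no active period configured
    password_valid_until: Optional[float] = None  # None: value 0, valid permanently
    login_hours: Tuple[int, int] = (0, 24)        # [start, end) hour of day, assumed UTC
    grace_used: int = 0
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None


@dataclass
class Outcome:
    accepted: bool
    reason: str
    alarm: bool = False   # True when the attempt must raise a security alarm


def hour_of_day(now: float) -> int:
    return int(now // 3600) % 24


def record_failure(acct: Account, now: float) -> Outcome:
    """Count a bad password; chain it with the previous one only if under three minutes apart."""
    if acct.last_failure is not None and now - acct.last_failure < LOCK_WINDOW:
        acct.failures += 1
    else:
        acct.failures = 1
    acct.last_failure = now
    if acct.failures >= LOCK_THRESHOLD:
        acct.locked_until = now + LOCK_DURATION   # cannot be unlocked manually
        return Outcome(False, "bad password; account locked")
    return Outcome(False, "bad password")


def attempt_login(acct: Account, password: str, now: float) -> Outcome:
    """Apply the Table 3-4 checks in order and return the decision."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            # every attempt from the sixth onwards is refused and alarmed
            return Outcome(False, "account locked", alarm=True)
        acct.locked_until, acct.failures, acct.last_failure = None, 0, None
    if not acct.active:
        return Outcome(False, "account deactivated")
    if acct.account_valid_until is not None and now > acct.account_valid_until:
        return Outcome(False, "account active period expired")
    start, end = acct.login_hours
    if not start <= hour_of_day(now) < end:
        return Outcome(False, "outside permitted login time")
    if password != acct.password:   # the device would compare hashes here
        return record_failure(acct, now)
    acct.failures, acct.last_failure = 0, None
    if acct.password_valid_until is not None and now > acct.password_valid_until:
        if acct.grace_used >= GRACE_LOGINS:
            return Outcome(False, "password expired; grace logins used up")
        acct.grace_used += 1
        return Outcome(True, "password expired; grace login %d of %d" % (acct.grace_used, GRACE_LOGINS))
    return Outcome(True, "ok")


def session_expired(last_activity: float, now: float) -> bool:
    """Automatic logout after one idle hour; the account must authenticate again."""
    return now - last_activity >= IDLE_TIMEOUT
```

Note that an attacker who paces guesses more than three minutes apart never triggers the lock under the rule as written, so the security alarm on consecutive failures and the log review described later remain the detection path for slow guessing.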

    RADIUS authentication

    In RADIUS authentication mode, accounts and passwords are managed by the RADIUS server, and only accounts that pass authentication can be used to log in to the equipment. RADIUS authentication takes precedence over local authentication. If the RADIUS server is unreachable, local authentication is used automatically; successful local authentication still requires a valid account and password. Because this fallback keeps the local accounts usable whenever the RADIUS server cannot be reached, the local accounts and their passwords must be maintained to the same standard as the central ones. When the number of consecutive authentication failures reaches a specified value, a security alarm is reported. The RADIUS protocol supported by the system complies with RFC 2865 and RFC 2866. Figure 3-2 and Figure 3-3 show the principle and process of RADIUS authentication.

    Figure 3-2 Networking of RADIUS authentication (elements: U2000 clients, U2000 server, devices acting as NAS, RADIUS master server and RADIUS slave server)


    Figure 3-3 Process of RADIUS authentication: (1) login with username and password from the U2000 server to the NAS; (2) the NAS sends a RADIUS request to the RADIUS server; (3) the RADIUS server returns a RADIUS response; (4) the NAS reports login success or failure.

    Reliability is critical to a RADIUS server because accounts of equipment on the entire

    network are managed and authenticated by the RADIUS server. The OptiX RTN 950 supports

    master and slave RADIUS servers to ensure reliability of the external server.

    Table 3-5 RADIUS functions

    Function | Description
    RADIUS authentication, authorization, and accounting | After the RADIUS function is enabled, accounts attempting to log in to an NE are forwarded to the RADIUS server. The RADIUS server determines whether these accounts can log in to the NE.
    RADIUS authentication policy | The system prefers RADIUS authentication to local authentication.
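The exchange in Figure 3-3 is what RFC 2865 specifies: the NAS sends an Access-Request carrying a User-Password attribute hidden with MD5 and the shared secret, and checks that the Access-Accept or Access-Reject it receives is signed with a Response Authenticator computed over the request's authenticator. The following is an added example, not Huawei code, showing both sides of that exchange with an in-process stand-in for the RADIUS server so it runs offline; the shared secret, credentials and NAS address are constructed for the demonstration.

```python
"""RADIUS Access-Request / Access-Accept exchange from Figure 3-3.

Added example, not Huawei code. Implements the User-Password hiding of
RFC 2865 section 5.2 and the Response Authenticator of section 3, with a toy
in-process server. Secret, users and NAS address are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; assumes the real password has no trailing NUL bytes."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain, prev = plain + xor(block, hashlib.md5(secret + prev).digest()), block
    return plain.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    if authenticator is None:
        authenticator = os.urandom(16)   # Request Authenticator: 16 unpredictable bytes
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(payload: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        kind, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        attrs[kind] = payload[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code: int, identifier: int, length: int,
                           request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, identifier, length) + request_auth + attrs + secret).digest()


def toy_server(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Stand-in for the RADIUS server: recover the password, decide, sign the reply."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME, b"")) == password else ACCESS_REJECT
    auth = response_authenticator(reply, identifier, 20, request_auth, b"", secret)
    return struct.pack("!BBH", reply, identifier, 20) + auth


def login_accepted(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: true only for an Access-Accept whose ID and Response Authenticator match our request."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, length, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT
```

The Response Authenticator is what stops a forged or replayed Access-Accept from being taken as a successful login, and the password hiding is only as strong as the shared secret and the unpredictability of the Request Authenticator; this is why the page insists on private communication channels for the management plane rather than trusting RADIUS alone on an open network.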

    Authorization

    Authorization is the process wherein the system assigns operation rights to valid accounts that have logged in.

    Accounts are managed in groups. Table 3-6 lists the groups and their definitions. Accounts in the administrator group and higher-level groups are authorized to perform all security management and maintenance operations. The system super administrator account has the highest rights and is intended only for fault location. The operations that an account can perform depend on the rights granted when the account was created. If an account attempts an unauthorized operation, an error message is displayed and the attempt is logged.

    Table 3-6 Groups of accounts

    Group | Rights
    System monitoring | This group represents the lowest rights. The accounts of this group are authorized to issue query commands and modify their own attributes.
    System operation | The accounts of this group are authorized to query the system information and perform some configuration operations.
    System maintenance | The accounts of this group are authorized to perform all maintenance operations.
    System administration | The accounts of this group are authorized to perform all query and configuration operations.
    Super administration | The accounts of this group are authorized to perform all operations.

    Log Management

    Logs record the routine maintenance events of the equipment. Users can find security loopholes and risks by checking the logs. The system provides two categories of log: security logs and operation logs. Security logs record operation events related to account management. Operation logs record all events related to system configuration.

    Operation log

    The operation log tracks the non-query operations performed by each account, including the

    account name, address of the client, time, operation, and results.

    Table 3-7 Operation log

    Operation | Description
    Querying the operation log | Only authorized administrators or users with higher rights can upload and query the operation log.
    Checking the integrity of the operation log | The system checks the integrity of the operation log and allows no manual changes.
    Recovering the operation log | The operation log is retained across a power cycle of the system.
    Overwriting the operation log | The operation log keeps records in time sequence. After the memory is exhausted, the earliest records are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user.

    Security log

    The security log tracks security-related configuration operations (including user management and security settings) and attempts at unauthorized operations. The security log records the account name, address of the client, time, and operation.

    Table 3-8 Security log

    Operation | Description
    Querying the security log | Only authorized administrators or users with higher rights can upload and query the security log.
    Checking the integrity of the security log | The system checks the integrity of the security log and allows no manual changes.
    Recovering the security log | The security log is retained across a power cycle of the system.
    Overwriting the security log | The security log keeps records in time sequence. After the memory is exhausted, the earliest records of the security log are overwritten with the latest records. Once the memory is exhausted, a performance event is reported to prompt the user. Because the on-device log is a ring buffer, records must be uploaded regularly if they are to survive for later forensics.

    3.2 Data Plane

    The data plane of the OptiX RTN 950 transparently transmits services based on Layer 2 information, such as VLAN tags and MAC addresses. The boards of the equipment do not inspect user services.

    The OptiX RTN 950 handles the threats of traffic bursts, malicious packets, and data theft through access control, flow control, loop detection and avoidance, protocol security guarantees, and service separation. Section 4.3 "Network Services" describes these mechanisms in detail.


    4 Network Security

    4.1 Network Security Management

    Figure 4-1 shows the implementation mechanism of security management for a network.

    Figure 4-1 Implementation of security management (elements: NMS, external DCN, firewall, SSL, ACL, and the transport network as internal DCN)

    4.1.1 Threats

    According to the network topology, a data communication network (DCN) consists of an external DCN and an internal DCN. The external DCN is the network from the NMS to the gateway equipment; it is generally an IP network built or leased by the customer, or the Internet. The internal DCN is the self-organizing network of the equipment itself. The IP protocol has been widely developed and applied because it is simple and open. However, an IP network offers little security of its own and is easily attacked. The security threats that the external DCN brings to internal equipment are unauthorized access, network attacks, and theft and modification of private data. To counter such threats, the OptiX RTN 950 provides the following preventive measures:


    - Access control
    - TCP/IP attack prevention
    - Encrypted channel for access
    - Secure communication protocols

    4.1.2 Preventive Measures

    Access Control

    The OptiX RTN 950 provides Access Control Lists (ACLs). Users place IP addresses and communication ports on whitelists and blacklists to limit data from specific IP addresses and to filter data from specific communication ports. The ACL function protects the equipment from network attacks by controlling access requests from unauthorized IP addresses and communication ports.

Table 4-1 Classification of ACLs

| Item | Value Range | Feature |
|---|---|---|
| Basic ACL | 0 to 0xffffffff | Rules are defined based on the source IP address. |
| Advanced ACL | 0 to 0xffffffff | Rules are defined based on the source IP address of a data packet, the destination IP address of a data packet, the protocol type of the IP bearer network, and protocol features. The protocol features include the source port of the TCP protocol, the destination port of the TCP protocol, and the ICMP protocol type. |

Table 4-2 ACL parameters

| Parameter | Value Range | Description |
|---|---|---|
| ACL operation type | Permit and deny | Indicates the ACL operation type. Deny: if a received message does not comply with a rule in an ACL, the message is discarded. Permit: if a received message complies with a rule in an ACL, the message is forwarded. |
| Source IP address | Source IP address | The source IP address and the source wildcard together determine the addresses to which an access control rule applies. |
| Source wildcard | 0 to 0xFFFFFFFF | The value 0 represents a bit that must be matched exactly and the value 1 represents a bit that is ignored. |
| Sink IP address | Sink IP address | The destination IP address and the sink wildcard together determine the addresses to which an access control rule applies. |
| Sink wildcard | 0 to 0xFFFFFFFF | The value 0 represents a bit that must be matched exactly and the value 1 represents a bit that is ignored. |
| Protocol type | TCP, UDP, ICMP, and IP | Set this parameter to UDP or TCP when filtering packets at a UDP or TCP port. Set it to ICMP when filtering packets by ICMP protocol type and code type. The value IP indicates that the protocol type is not concerned. |
| Source port | 0 to 65535 or 0xFFFFFFFF; 0xFFFFFFFF indicates that this parameter is not concerned. | This parameter is available only when Protocol type is set to TCP or UDP. |
| Sink port | 0 to 65535 or 0xFFFFFFFF; 0xFFFFFFFF indicates that this parameter is not concerned. | This parameter is available only when Protocol type is set to TCP or UDP. |
| ICMP protocol type | ICMP protocol type | This parameter is available only when Protocol type is set to ICMP. The value 255 indicates that this parameter is not concerned. |
| ICMP code type | ICMP code type | This parameter is available only when Protocol type is set to ICMP. The value 255 indicates that this parameter is not concerned. |
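To make the Table 4-2 semantics concrete, here is an added Python example (not the OptiX RTN 950's own implementation) that evaluates packets against rules built from those parameters: wildcard masks in which a 0 bit must match and a 1 bit is ignored, 0xFFFFFFFF for a port that is not concerned, and 255 for an ICMP type or code that is not concerned. The first-match evaluation order, the implicit deny for unmatched packets and the sample policy (including the made-up TCP port 1400) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NOT_CONCERNED_PORT = 0xFFFFFFFF   # Table 4-2: port value meaning "not concerned"
NOT_CONCERNED_ICMP = 255          # Table 4-2: ICMP type/code meaning "not concerned"


@dataclass(frozen=True)
class AclRule:
    """One advanced ACL rule built from the parameters of Table 4-2."""
    action: str                      # "permit" (forward) or "deny" (discard)
    src_ip: str
    src_wildcard: int                # 0 bit = must match exactly, 1 bit = ignored
    sink_ip: str = "0.0.0.0"
    sink_wildcard: int = 0xFFFFFFFF  # default: any destination
    protocol: str = "IP"             # TCP, UDP, ICMP, or IP (= protocol not concerned)
    src_port: int = NOT_CONCERNED_PORT
    sink_port: int = NOT_CONCERNED_PORT
    icmp_type: int = NOT_CONCERNED_ICMP
    icmp_code: int = NOT_CONCERNED_ICMP


@dataclass(frozen=True)
class Packet:
    """The fields of a received packet that the rules look at."""
    src_ip: str
    dst_ip: str
    protocol: str                    # "TCP", "UDP" or "ICMP"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def wildcard_match(address: str, rule_address: str, wildcard: int) -> bool:
    """Compare only the bits whose wildcard bit is 0 (inverse-mask semantics)."""
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(rule_address))
    care = ~wildcard & 0xFFFFFFFF
    return (a & care) == (r & care)


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src_ip, rule.src_ip, rule.src_wildcard):
        return False
    if not wildcard_match(pkt.dst_ip, rule.sink_ip, rule.sink_wildcard):
        return False
    if rule.protocol == "IP":
        return True                  # protocol not concerned: the address match decides
    if rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("TCP", "UDP"):
        # ports are only compared when the rule does not carry 0xFFFFFFFF
        if rule.src_port != NOT_CONCERNED_PORT and rule.src_port != pkt.src_port:
            return False
        if rule.sink_port != NOT_CONCERNED_PORT and rule.sink_port != pkt.dst_port:
            return False
        return True
    # ICMP: type and code are only compared when the rule does not carry 255
    if rule.icmp_type != NOT_CONCERNED_ICMP and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.icmp_code != NOT_CONCERNED_ICMP and rule.icmp_code != pkt.icmp_code:
        return False
    return True


def acl_decision(rules: List[AclRule], pkt: Packet) -> str:
    """Rules are evaluated in order and the first match decides.
    A packet matching no rule is discarded: an implicit default deny assumed by this example."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return "forward" if rule.action == "permit" else "discard"
    return "discard"


# Constructed policy (not from the white paper): a quarantined /24 inside the NMS
# range is blocked first, the NMS range 10.1.0.0/16 may reach TCP port 1400
# (a made-up management port), and echo requests are accepted from anywhere.
NMS_ACL = [
    AclRule("deny", "10.1.99.0", 0x000000FF),
    AclRule("permit", "10.1.0.0", 0x0000FFFF, protocol="TCP", sink_port=1400),
    AclRule("permit", "0.0.0.0", 0xFFFFFFFF, protocol="ICMP", icmp_type=8, icmp_code=0),
]

if __name__ == "__main__":
    print(acl_decision(NMS_ACL, Packet("10.1.2.3", "10.1.0.1", "TCP", 40000, 1400)))
```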

    TCP/IP Attack Prevention

Gateway equipment may come under external attack because it is directly connected to an external DCN. The TCP/IP protocol stack therefore needs to protect the equipment from attacks so that services continue to be transmitted normally while the equipment is under att
ack, making the equipment more secure and reliable.

Table 4-3 lists the attacks that the equipment can currently prevent.

Table 4-3 TCP/IP attacks

| Attack | Protocol | Attack Mode | Preventive Measure |
|---|---|---|---|
| Address spoofing attack | ARP | IP address conflict | If the IP address of an external device conflicts with that of the equipment, the equipment sends a gratuitous ARP packet to broadcast the correct MAC address. |
| Address spoofing attack | IP | IP address configuration conflict | Before an IP address takes effect, the equipment checks whether the IP address is already in use. If it is, the equipment does not make the IP address take effect. |
| Message spoofing attack | IP | IP option attack | Prevents attacks that use ICMP, TCP, or UDP messages carrying incorrect IP options. |
| Message spoofing attack | IP | Defective IP header attack | Prevents attacks that use extremely short IP headers, defective IP headers, special source IP addresses, and IP headers with unknown protocols. |
| Message spoofing attack | IP | IP fragment attack | Prevents IP fragment attacks such as massive segments, huge offsets, repeated segments, TearDrop, Bonk, SynDrop, NewTear, Nesta, Rose, and Fawx. |
| Message spoofing attack | TCP | TCP flag bit traversal | Prevents TCP flag bit traversal such as packets without flags, FIN bit without ACK bit, packets with the URG/OOB flag, and SYN and FIN bits both set. |
| Message spoofing attack | ICMP | Defective ICMP packet | Prevents ping attacks and Jolt attacks. |
| Flood attack | IP | IP non-payload flood attack | Prevents IP packet attacks and generates an alarm indicating an IP address attack without affecting the normal operation of the equipment. |
| Flood attack | UDP | UDP flood attack | Prevents fraggle attacks and diagnoses port flooding, port 0 flooding, and loop flooding. |
| Flood attack | ICMP | ICMP flood attack | Prevents ICMP flood attacks, Smurf attacks, ping flood attacks, loop ping flood attacks, time stamp request flood attacks, mask request flood attacks, and router request flood attacks. |
| DoS attack | TCP | SYN flood attack | Prevents SYN flood attacks without affecting the normal operation of the equipment. |
| DoS attack | TCP | Land attack | Prevents Land attacks without affecting the normal operation of the equipment. |
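As an added example (not the equipment's code), the following Python sorts a raw IPv4/TCP packet into several of the Table 4-3 categories: extremely short or defective headers (including a bad checksum), special source addresses, incorrect IP options, unknown protocols, a huge fragment offset, the Land condition and the listed TCP flag combinations. Flood detection and reassembly attacks such as TearDrop need per-flow state and are out of scope; the packet builders only construct test input.

```python
import ipaddress
import struct
from typing import List

IP_HDR = struct.Struct("!BBHHHBBHII")   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
TCP_FIN, TCP_SYN, TCP_ACK, TCP_URG = 0x01, 0x02, 0x10, 0x20
KNOWN_PROTOCOLS = {1, 6, 17}            # ICMP, TCP, UDP


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; a valid header (checksum field included) yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def options_well_formed(options: bytes) -> bool:
    """Walk the IP option TLVs; a length that overruns the header marks an incorrect option."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of Option List
            return True
        if kind == 1:                       # No Operation: single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return False
        i += options[i + 1]
    return True


def inspect_tcp(tcp: bytes, src: int, dst: int) -> List[str]:
    """Land condition and the flag combinations listed in Table 4-3."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = off_flags & 0x1FF
    findings = []
    if src == dst and sport == dport:
        findings.append("Land attack: source equals destination")
    if flags == 0:
        findings.append("TCP flag bit traversal: no flags set")
    if flags & TCP_FIN and not flags & TCP_ACK:
        findings.append("TCP flag bit traversal: FIN without ACK")
    if flags & TCP_SYN and flags & TCP_FIN:
        findings.append("TCP flag bit traversal: SYN and FIN set")
    if flags & TCP_URG:
        findings.append("TCP flag bit traversal: URG/OOB flag")
    return findings


def inspect_packet(raw: bytes) -> List[str]:
    """Return the Table 4-3 categories a raw IPv4 packet falls into (empty list = passes)."""
    if len(raw) < IP_HDR.size:
        return ["defective IP header: shorter than 20 bytes"]
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = IP_HDR.unpack(raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(raw):
        return ["defective IP header: bad version or header length"]
    findings = []
    if ip_checksum(raw[:ihl]) != 0:
        findings.append("defective IP header: bad checksum")
    if total_len < ihl or total_len > len(raw):
        findings.append("defective IP header: total length inconsistent")
    src_addr = ipaddress.IPv4Address(src)
    if src == 0 or src == 0xFFFFFFFF or src_addr.is_loopback or src_addr.is_multicast:
        findings.append("special source IP address")
    if ihl > 20 and not options_well_formed(raw[20:ihl]):
        findings.append("incorrect IP options")
    if (flags_frag & 0x1FFF) * 8 + max(total_len - ihl, 0) > 65535:
        findings.append("IP fragment: huge offset")       # reassembled size would exceed 64 KiB
    if proto not in KNOWN_PROTOCOLS:
        findings.append("IP header with unknown protocol")
    elif proto == 6 and len(raw) >= ihl + 20:
        findings += inspect_tcp(raw[ihl:ihl + 20], src, dst)
    return findings


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               options: bytes = b"", frag_offset: int = 0) -> bytes:
    """Constructed test input: an IPv4 packet with a correct header checksum."""
    assert len(options) % 4 == 0 and frag_offset % 8 == 0
    ihl = 20 + len(options)
    header = bytearray(IP_HDR.pack(0x40 | ihl // 4, 0, ihl + len(payload), 1, frag_offset // 8,
                                   64, proto, 0, int(ipaddress.IPv4Address(src)),
                                   int(ipaddress.IPv4Address(dst))) + options)
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header) + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with data offset 5 and the given flag bits."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
```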


    Security Access

Security access is the process wherein the OptiX RTN 950 uses secure communication channels or secure communication protocols for access, to prevent security risks. The NMS can use SSL channels to access the equipment.

The NMS accesses the equipment by using SSL channels.

The NMS uses Ethernet ports or Operation, Administration, and Maintenance (OAM) ports to access the equipment. OAM ports provide local access. Ethernet ports provide remote access over the external DCN. Communication between the NMS and the GNE uses standard TCP/IP protocols. When the NMS accesses the equipment over the external DCN, configuration data and account information of the NMS are transmitted over the external DCN. The communication channels for access therefore use the SSL3.0 and TLS1.0 protocols to encrypt data and ensure secure transmission.

Figure: SSL access of the NMS (figure elements: NMS on the External DCN, Firewall, SSL channel, GNE of the Transport network (Internal DCN))

Certificates are needed for establishing SSL and TLS encryption channels. The certificates are managed and issued by carriers. The OptiX RTN 950 loads and activates SSL certificates. The delivered equipment carries a default SSL certificate. It is recommended that the customer replace the default SSL certificate with its own SSL certificate. The equipment complies with RFC 2246 and supports the encryption algorithms specified in that standard, such as AES, DES, RC4, RC5, IDEA, SHA-1, and MD5.

The following part describes the working principles of SSL.

The SSL protocol provides enhanced encryption and decryption algorithms to ensure all security features except serviceability for communication, and the algorithms cannot be cracked in a short time. The SSL layer establishes an encryption channel on top of TCP and encrypts the data that passes through the SSL layer. The SSL protocol consists of the Handshake protocol and the Record protocol. The Handshake protocol is used for cipher key negotiation; most of its content describes how two communicating parties securely negotiate a cipher key. The Record protocol defines the data transmission format.

Transport Layer Security (TLS) is a security protocol similar to the SSL protocol. TLS1.0 is based on SSL3.0 and supports SSL3.0. Figure 4-3 shows the negotiation of the SSL protocol key.


Figure 4-3 Negotiation of the SSL/TLS key (figure: the handshake between the NMS, as client, and the equipment, as server, across the External DCN; messages 1 to 12 are ClientHello, ServerHello, Certificate, CertificateRequest, ServerHelloDone, Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished)
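The ClientHello that opens Figure 4-3 illustrates the layering just described: a Handshake message carried inside a Record-layer frame. The Python below, an added example rather than the equipment's code, builds and parses such a record and shows a server-side suite selection with a configurable minimum version; the cipher-suite identifiers are the standard TLS values, and the minimum-version policy is an assumption of the example, not a statement about the equipment's configuration.

```python
import os
import struct
from typing import Dict, Sequence

CONTENT_HANDSHAKE = 22          # Record-layer content type for Handshake messages
HANDSHAKE_CLIENT_HELLO = 1      # Handshake message type
SSL_3_0, TLS_1_0 = (3, 0), (3, 1)

# Standard cipher suite identifiers (RFC 2246 and RFC 3268): RSA key exchange with
# the AES, 3DES and RC4 ciphers named on the page, all with SHA-1 MACs
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}


def build_client_hello(version=TLS_1_0, suites=(0x002F, 0x0035, 0x000A, 0x0005),
                       random: bytes = None, session_id: bytes = b"") -> bytes:
    """Handshake message (type 1) wrapped in a Record-layer header (type 22)."""
    random = os.urandom(32) if random is None else random
    body = bytes(version) + random + bytes([len(session_id)]) + session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                                   # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict:
    """Peel the Record header, then the Handshake header, then the ClientHello fields."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a Handshake record")
    fragment = record[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length does not match the data present")
    if len(fragment) < 4 or fragment[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = fragment[4:]
    if len(body) != int.from_bytes(fragment[1:4], "big") or len(body) < 35:
        raise ValueError("handshake length mismatch")
    client_version = (body[0], body[1])
    pos = 35 + body[34]                                   # skip random and session id
    session_id = body[35:pos]
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if suites_len % 2 or pos + suites_len + 1 > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    return {"record_version": (vmaj, vmin), "client_version": client_version,
            "random": body[2:34], "session_id": session_id,
            "cipher_suites": suites, "compression": compression}


def select_cipher_suite(hello: Dict, server_prefs: Sequence[int], min_version=TLS_1_0) -> int:
    """Server-side choice: the first suite in the server's preference order that the client
    offered. Clients below the policy minimum version are refused (example policy)."""
    if hello["client_version"] < min_version:
        raise ValueError("client version below policy minimum")
    for suite in server_prefs:
        if suite in hello["cipher_suites"]:
            return suite
    raise ValueError("no common cipher suite")


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello())
    print(CIPHER_SUITES[select_cipher_suite(hello, [0x0035, 0x002F])])
```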

    4.2 Protocols and Control

    4.2.1 Threats

On an internal DCN, standard IP-layer protocols are used for communication between equipment. These protocols may also be used for interconnection with third-party equipment, in which case the results calculated by the OptiX RTN 950 may be incorrect when the third-party equipment transmits incorrect information. When interconnected with third-party equipment, the OptiX RTN 950 takes the following preventive measures to ensure communication security:

Adding protocol authentication and access control

Adopting secure standard protocols

    4.2.2 SFTP Clients

The OptiX RTN 950 provides an SFTP client based on SSH for software upgrades. In this application, the equipment serves as the client and the SFTP server is deployed outside the equipment network and is provided by the carrier. Figure 4-4 shows the application of SFTP clients.

The SFTP authentication policy is determined by the SFTP server. The OptiX RTN 950 supports password authentication and key authentication. Password authentication is the process wherein an SFTP client uses a user name and password to log in to the SFTP server. Key authentication is the process wherein an SFTP client and SFTP server use the Rivest-Shamir-Adleman (RSA) algorithm for cryptographic authentication. A user needs to generate an RSA key on the equipment and upload the public key to the SFTP server before cryptographic authentication. The user can set the length of the RSA key from 2048 bits to 4096 bits.


The equipment uses passphrases to protect the private keys on an SFTP client for cryptographic authentication. When users generate key pairs, they need to set the passphrases.

The SFTP client of the OptiX RTN 950 is enabled before delivery. Users can disable or enable it using the NMS.

Figure 4-4 Application of SFTP clients (figure elements: NMS and Sftp server on the External DCN/LAN, Firewall, SSH towards the GNE of the Transport network (Internal DCN), with the GNE and the NEs acting as sftp clients)

Figure 4-5 shows the principles of SSH.

Figure 4-5 Protocol layers of SSH (figure elements: SSH client and SSH server, each with an application layer, a transmission layer and an SSH protocol layer over a TCP connection; the SSH protocol layer comprises the transmission protocol, the authentication protocol and the session protocol)

SSH protocols adopt a client/server architecture and consist of three layers: the transmission layer, the authentication layer, and the connection layer.

Transmission protocols

Transmission protocols are used to establish a secure encryption channel between the SSH client and SSH server. In this manner, the confidentiality of data that requires high security in transmission, such as authentication data and exchanged data, is protected.

The transmission layer provides origin authentication and integrity checking, and enables a client to authenticate a server.

The transmission protocols run on top of the TCP/IP connection. The well-known port number used by the SSH server is 22.

    Authentication protocols


Authentication protocols run on top of transmission protocols and process authentication requests.

Connection protocols

Connection protocols divide an encryption channel into multiple logical channels for different applications. Connection protocols run on top of authentication protocols and provide services such as sessions and execution of remote commands.

Negotiation of SSH is described as follows:

1. Connection establishment

Port number 22 is listened on to establish TCP connections with SSH clients.

2. Version negotiation

The version of the SSH protocol is negotiated over the TCP connection. The OptiX RTN 950 supports SSHv2.

3. Algorithm negotiation

An SSH client and an SSH server support different collections of encryption algorithms, so they need to negotiate the algorithms when the SSH protocol runs. The algorithms that need to be negotiated are as follows:

Key exchange algorithms: used for generating session keys.

Encryption algorithms: used for encrypting data.

Host public key algorithms: used for signing and authentication.

MAC algorithms: used for integrity protection.

The SSH client and SSH server send each other the collection of algorithms that they respectively support, and the result is the intersection of the algorithms supported by both parties.

4. Key exchange

The key exchange and encryption algorithms selected in step 3 are used to negotiate the keys required for data communication.

5. User authentication

Password authentication and public key authentication are provided.

6. Service requests

The OptiX RTN 950 supports SFTP clients.
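Steps 2 and 3 as an added Python example (not the equipment's implementation): the identification-string exchange is checked per RFC 4253, and each of the four algorithm categories is chosen from the intersection, with the client's preference order deciding as RFC 4253 section 7.1 specifies. The KEXINIT name-lists are constructed from standard algorithm names and are not the lists the OptiX RTN 950 actually advertises.

```python
import re
from typing import Dict, List, Optional, Sequence

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes;
# the software version may not contain whitespace or "-"
IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$")


def parse_identification(line: str) -> Dict[str, Optional[str]]:
    if not line.endswith("\r\n"):
        raise ValueError("identification string must end with CR LF")
    if len(line) > 255:
        raise ValueError("identification string longer than 255 bytes")
    m = IDENT_RE.match(line[:-2])
    if m is None:
        raise ValueError("malformed identification string: %r" % line)
    return m.groupdict()


def negotiate_version(client_line: str, server_line: str) -> str:
    """Step 2: both sides must speak 2.0; '1.99' means 'also speaks 2.0' (RFC 4253 section 5.1)."""
    client = parse_identification(client_line)["proto"]
    server = parse_identification(server_line)["proto"]
    if client in ("2.0", "1.99") and server in ("2.0", "1.99"):
        return "2.0"
    raise ValueError("no common protocol version (client %s, server %s)" % (client, server))


def name_list(field: str) -> List[str]:
    """A KEXINIT name-list is a comma-separated string of algorithm names."""
    return [n for n in field.split(",") if n]


def choose_algorithm(client_prefs: Sequence[str], server_prefs: Sequence[str]) -> Optional[str]:
    """Step 3: the chosen algorithm is the first on the client's list that the server also
    supports (RFC 4253 section 7.1), so the client's order decides within the intersection."""
    for name in client_prefs:
        if name in server_prefs:
            return name
    return None


def negotiate_algorithms(client_kexinit: Dict[str, str], server_kexinit: Dict[str, str]) -> Dict[str, str]:
    chosen = {}
    for category in ("kex", "host_key", "cipher", "mac"):
        pick = choose_algorithm(name_list(client_kexinit[category]), name_list(server_kexinit[category]))
        if pick is None:
            raise ValueError("no common %s algorithm; disconnect" % category)
        chosen[category] = pick
    return chosen


# Constructed KEXINIT name-lists (standard algorithm names, not the equipment's actual lists)
CLIENT_KEXINIT = {"kex": "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
                  "host_key": "ssh-rsa,ssh-dss",
                  "cipher": "aes128-ctr,aes128-cbc,3des-cbc",
                  "mac": "hmac-sha1,hmac-md5"}
SERVER_KEXINIT = {"kex": "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
                  "host_key": "ssh-rsa",
                  "cipher": "3des-cbc,aes128-cbc",
                  "mac": "hmac-sha1"}

if __name__ == "__main__":
    print(negotiate_version("SSH-2.0-OpenSSH_7.4\r\n", "SSH-1.99-ExampleServer\r\n"))
    print(negotiate_algorithms(CLIENT_KEXINIT, SERVER_KEXINIT))
```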

    4.2.3 OSPF Protocol

The management plane uses the OSPF protocol to dynamically calculate routes on the entire network for network management. The OptiX RTN 950 supports OSPFv2 in compliance with RFC 2328. Besides the routing function, the equipment supports the following authentication types:

Null authentication

The OSPF packets are not authenticated. That is, the OSPF protocol does not process authentication on packet reception.

Simple password authentication


A "clear" 64-bit password is used for authentication. Simple password authentication guards against equipment inadvertently joining the routing domain. The OptiX RTN 950s in the same OSPF domain must be configured with the same password for authentication.

Cryptographic authentication

Cryptographic authentication uses MD5 to calculate the digest. Because the password used to calculate the digest is never sent over the network, protection is provided against passive attacks. When employing cryptographic authentication, the OptiX RTN 950s in the same OSPF domain must be configured with the same key for authentication.

The equipment uses null authentication by default. Users can configure the authentication type as required.

    4.2.4 NTP Protocol

Network Time Protocol (NTP) is used to synchronize time between NEs. Possible security loopholes in NTP result in time disturbance on the network. To enhance the security of NTP, the NTP protocol provides an authentication function and access control of local services.

The NTP authentication function verifies the validity and integrity of NTP packets. This function protects the equipment from incorrect packets and ensures that packets are exchanged only with valid servers.

Access control of local services enables the system administrator to better control the NTP protocol. This function prevents malicious query and modification of the NTP information on the equipment. Users have different rights as follows:

Query: Users are authorized to query local NTP services.

Synchronize: Users are authorized to use the local clock as the synchronization source for other hosts.

Server: a combination of the rights above.

Peer: Users have full control rights to query, to be synchronized, and to synchronize other hosts.

NTP uses MD5 to check whether clients and servers are valid. If a client and server adopt authentication, the keys configured on both parties must be the same and be reliable. Table 4-4 shows the authentication relationship.

Table 4-4 Authentication relationship

| Server | Client | Authentication |
|---|---|---|
| Enabled | Enabled | Pass |
| Enabled | Disabled | Pass |
| Disabled | Disabled | Pass |
| Disabled | Enabled | Not pass |

NTP complies with RFC 1305. Figure 4-6 shows the working principles of NTP time synchronization.

Figure 4-6 Principles of NTP time synchronization
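Both OSPF cryptographic authentication (RFC 2328 Appendix D) and NTP authentication put a keyed MD5 digest on the packet instead of the key itself, which is why a passive observer learns nothing about the key. The Python below is an added example, not the equipment's code: it signs and verifies an OSPF Hello with Key ID, sequence number and trailing digest, and an NTP packet with the key-identifier plus MD5(key || header) authenticator used by ntpd (assumed here for the RFC 1305 implementation). Keys, router IDs and the Hello body are constructed sample values.

```python
import hashlib
import hmac
import struct

# OSPF header (RFC 2328 A.3.1) with the 64-bit authentication field laid out for AuType 2
# (Appendix D.3): 0, Key ID, Auth Data Length, Cryptographic sequence number.
OSPF_HEADER = struct.Struct("!BBH4s4sHHHBBI")
OSPF_AUTYPE_CRYPTO = 2
DIGEST_LEN = 16
NTP_HEADER_LEN = 48


def _ospf_key(key: bytes) -> bytes:
    """Appendix D uses 16-byte MD5 keys; shorter keys are zero-padded as implementations do."""
    return key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def ospf_md5_sign(body: bytes, router_id: bytes, area_id: bytes, key_id: int, key: bytes,
                  seq: int, pkt_type: int = 1) -> bytes:
    """Appendix D.4.3: checksum field left at 0, digest = MD5(packet || key) appended after
    the packet; the packet-length field does not count the digest."""
    length = OSPF_HEADER.size + len(body)
    header = OSPF_HEADER.pack(2, pkt_type, length, router_id, area_id, 0, OSPF_AUTYPE_CRYPTO,
                              0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + _ospf_key(key)).digest()


def ospf_md5_verify(frame: bytes, keys: dict, last_seq: int = None) -> bool:
    """Appendix D.4.4: look up the key by Key ID, reject a sequence number that goes
    backwards (replay), recompute the digest and compare it in constant time."""
    if len(frame) < OSPF_HEADER.size:
        return False
    _, _, length, _, _, csum, autype, _, key_id, auth_len, seq = OSPF_HEADER.unpack(frame[:OSPF_HEADER.size])
    if autype != OSPF_AUTYPE_CRYPTO or auth_len != DIGEST_LEN or csum != 0:
        return False
    if len(frame) != length + DIGEST_LEN or key_id not in keys:
        return False
    if last_seq is not None and seq < last_seq:
        return False
    expected = hashlib.md5(frame[:length] + _ospf_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, frame[length:])


def ntp_md5_sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """NTP authenticator: key identifier followed by MD5(key || 48-byte header), the keyed-MD5
    form used by ntpd (assumed here for the RFC 1305 implementation the page cites)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def ntp_md5_verify(packet: bytes, keys: dict) -> bool:
    """A packet without an authenticator fails when the receiver requires authentication
    (the 'Not pass' row of Table 4-4)."""
    if len(packet) != NTP_HEADER_LEN + 4 + DIGEST_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN + 4:]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    if key_id not in keys:
        return False
    return hmac.compare_digest(hashlib.md5(keys[key_id] + header).digest(), mac)


# Constructed sample values, not taken from any real deployment
KEYS = {1: b"example-ospf-key"}                      # Key ID 1 -> 16-byte key
ROUTER_ID, AREA_ID = bytes([10, 0, 0, 1]), bytes([0, 0, 0, 0])
# Hello body: network mask, HelloInterval, Options, Router Priority, RouterDeadInterval, DR, BDR
HELLO_BODY = bytes([255, 255, 255, 0]) + struct.pack("!HBBI", 10, 2, 1, 40) + bytes(8)
NTP_CLIENT_HEADER = bytes([0x1B]) + bytes(NTP_HEADER_LEN - 1)   # LI=0, VN=3, Mode=3 (client)

if __name__ == "__main__":
    signed = ospf_md5_sign(HELLO_BODY, ROUTER_ID, AREA_ID, 1, KEYS[1], seq=100)
    print(ospf_md5_verify(signed, KEYS), ospf_md5_verify(signed, {1: b"wrong-key"}))
```

MD5 is what the white paper specifies; RFC 5709 later added HMAC-SHA authentication for OSPFv2, which a current deployment would prefer.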


Table 4-5 Packet verification rules for Layer 2 protocols

| Protocol | Verification Rule |
|---|---|
| IGMP | An IGMP packet is discarded when any of the following conditions is met: the checksum of the IP header and the checksum of the IGMP packet are incorrect; the TTL value of the IP header is not 1; the source IP address is an invalid unicast address; the multicast IP address is invalid, that is, not in the multicast IP address range 224.0.1.0 to 239.255.255.255; the destination IP address does not match the destination MAC address. |
| BPDU | DMAC = 01-80-c2-00-00-00 or 01-80-c2-00-00-08. Each protocol packet is verified according to the corresponding protocol. |
| LACP | DMAC = 01-80-c2-00-00-02, EthType = 0x8809, EthSubType = 0x01. Each TLV is verified according to the corresponding protocol. |
| Eth-OAM (802.1ag) | DMAC = 01-80-c2-00-00-02, EthType = 0x8809, EthSubType = 0x01. Each TLV is verified according to the corresponding protocol. |
| Eth-OAM (802.3ah) | EthType = 0x8809 (private) or 0x8902 (IEEE 802.1ag standard). Each protocol packet is verified according to the corresponding protocol. |
| ERPS | DMAC = 01-19-A7-00-00-01. Each protocol packet is verified according to the corresponding protocol. |

    Robust Measures

Countermeasures under abnormal conditions are as follows:

According to ITU-T G.8032, R-APS packets are transmitted within an Ethernet ring, and R-APS packets arriving at ports that are not on the ring are not extracted or processed, so the robustness of ring network protocols is improved.

    4.3 Network Services

    4.3.1 Threats

    As described previously, data services are under the following threats:


and a network may be congested when flow bursts occur. Flow control can prevent such scenarios and ensure secure and stable operation of the network.

Suppressing broadcast flow

Broadcast storm suppression: The broadcast flow is limited and the flow that exceeds the limit is discarded.

Broadcast storm suppression enabled per port: After broadcast storm suppression is enabled on a port, the broadcast flow at the port is discarded when it exceeds the broadcast flow suppression threshold. The default threshold is 30%.

Setting of the broadcast flow suppression threshold: The threshold specifies the broadcast flow that a port allows. When the actual broadcast flow exceeds the threshold, the excess broadcast flow is discarded so that the proportion of broadcast flow stays within a proper range. This prevents a broadcast storm and network congestion so that network services can run normally.

    Discarding unknown unicast packets

    Unknown unicast packets can be discarded or forwarded.

    Discarding unknown multicast packets

    Unknown multicast packets can be discarded or forwarded.

    Monitoring port flow

The flow at a port is monitored. When packets are received at a rate faster than the specified threshold, a flow threshold-crossing alarm is reported, prompting a user to take preventive measures.
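Broadcast storm suppression and port flow monitoring as one added Python example (not the equipment's code). It assumes the suppression threshold is a share of the port's line rate measured over fixed one-second windows, and that the flow alarm is raised once per window when the packet rate exceeds a configured value; the 10 Mbit/s port and the frame sizes used in the demonstration are constructed.

```python
import math
from typing import List


class PortFlowGuard:
    """Per-port broadcast storm suppression plus a flow threshold-crossing alarm.

    Assumptions of this example: the suppression threshold is a share of the port's line
    rate measured over fixed windows, and the alarm is raised once per window when the
    packet count exceeds alarm_pps * window length."""

    def __init__(self, line_rate_bps: int, broadcast_threshold: float = 0.30,
                 alarm_pps: int = None, window_s: float = 1.0):
        self.window_s = window_s
        # bytes of broadcast traffic allowed per window (30% of the line rate by default)
        self.broadcast_budget = round(line_rate_bps / 8 * window_s * broadcast_threshold)
        self.alarm_pps = alarm_pps
        self.alarms: List[str] = []
        self.dropped = 0
        self._window = None
        self._reset()

    def _reset(self) -> None:
        self.broadcast_bytes = 0
        self.packets = 0
        self._alarmed = False

    def _roll(self, now: float) -> None:
        """Start a fresh measurement window when the clock crosses a window boundary."""
        window = math.floor(now / self.window_s)
        if window != self._window:
            self._window = window
            self._reset()

    def receive(self, frame_len: int, is_broadcast: bool, now: float) -> str:
        """Return 'forward' or 'discard' for one frame arriving at time `now` (seconds)."""
        self._roll(now)
        self.packets += 1
        if (self.alarm_pps is not None and not self._alarmed
                and self.packets > self.alarm_pps * self.window_s):
            self._alarmed = True
            self.alarms.append("flow threshold-crossing alarm at t=%.3f" % now)
        if is_broadcast:
            if self.broadcast_bytes + frame_len > self.broadcast_budget:
                self.dropped += 1
                return "discard"              # excess broadcast flow is dropped
            self.broadcast_bytes += frame_len
        return "forward"


if __name__ == "__main__":
    # constructed 10 Mbit/s port: 1,250,000 bytes per second, so 375,000 bytes of broadcast allowed
    guard = PortFlowGuard(10_000_000, alarm_pps=500)
    verdicts = [guard.receive(1000, True, 0.001 * i) for i in range(376)]
    print(verdicts.count("forward"), guard.dropped)
```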

    Limiting service flow using QoS

    Figure 4-7QoS network model

The QoS function of the equipment can be implemented in DiffServ mode. A network is divided into several DiffServ domains (DS domains for short). A DS edge node classifies the flow entering a DS domain and marks flows of different service types with different PHBs. The PHB information is forwarded to all nodes in the DS domain, and the nodes in the DS domain then perform flow control on the services based on the PHBs. The flow control measures include CAR, flow shaping, and queue scheduling.

Loop Prevention

If a loop is generated on a Layer 2 switching network, packets are duplicated and cycled in the loop, and a broadcast storm occurs. In this case, all available bandwidth resources are occupied by the broadcast storm and the network becomes unavailable. The OptiX RTN 950 prevents network loops mainly by the following means:

Detection of self-loops at service ports

The equipment can detect whether a service port is self-looped by transmitting and receiving protocol packets.

Blocking of self-looped ports

After self-loop detection and blocking of self-looped ports are enabled, a port is blocked to prevent a broadcast storm when the port is self-looped.

Detection of Ethernet loopbacks

By specifying Ethernet service IDs and logical ports, users can detect service loops and set whether to automatically disconnect loops. If a service loop is detected and automatic disconnection is enabled, the Ethernet VLAN service is automatically disconnected. Users then receive alarms of service disconnection.

Figure: Scenario of a service loop

NOTE

This function is only supported by packet service boards.

Discarding of Incorrect Packets

Incorrect packets include packets with missing fields, disordered packets, duplicated packets, and excessively large or small packets. Incorrect packets may be forged by malicious users, caused by bit errors on the transmission line, or caused by abnormal processing of the equipment hardware. Processing incorrect packets brings extra load to the equipment and reduces the bandwidth available for normal services. Therefore, incorrect packets must be identified and discarded.

The following incorrect packets are discarded:

A packet whose source MAC address and destination MAC address are the same

A packet whose size is smaller than 46 bytes

A packet whose size is greater than the maximum transmission unit (MTU)

An excessively large packet whose DATA is greater than 65535 bytes

A packet whose FCS (CRC) is incorrect
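The discard rules above as an added Python example (not the equipment's code): a frame is checked for equal source and destination MAC addresses, the size bounds and the FCS, which is the IEEE 802.3 CRC-32 that zlib computes, transmitted least-significant byte first. Treating the 46-byte bound as the minimum payload length and using 1500 bytes as the default MTU are assumptions of the example; the MAC addresses are constructed.

```python
import struct
import zlib
from typing import List

MIN_PAYLOAD = 46           # minimum Ethernet payload (64-byte frame minus header and FCS)
MAX_DATA = 65535           # the "excessively large packet" bound from the list above
HEADER_LEN, FCS_LEN = 14, 4


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 (same polynomial and reflection as zlib), little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed test frame with a correct FCS."""
    frame = dst + src + struct.pack("!H", ethertype) + payload
    return frame + ethernet_fcs(frame)


def frame_defects(frame: bytes, mtu: int = 1500) -> List[str]:
    """Return the reasons from the list above for which a frame is discarded (empty = accepted)."""
    if len(frame) < HEADER_LEN + FCS_LEN:
        return ["frame too short to carry a header and an FCS"]
    dst, src = frame[:6], frame[6:12]
    payload = frame[HEADER_LEN:-FCS_LEN]
    reasons = []
    if src == dst:
        reasons.append("source MAC address equals destination MAC address")
    if len(payload) < MIN_PAYLOAD:
        reasons.append("size smaller than 46 bytes")
    if len(payload) > mtu:
        reasons.append("size greater than the MTU")
    if len(payload) > MAX_DATA:
        reasons.append("DATA greater than 65535 bytes")
    if ethernet_fcs(frame[:-FCS_LEN]) != frame[-FCS_LEN:]:
        reasons.append("incorrect FCS (CRC)")       # bit errors on the line or a forged frame
    return reasons


# Constructed addresses, not real equipment MACs
NE_MAC = bytes.fromhex("001122334455")
PEER_MAC = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    print(frame_defects(build_frame(PEER_MAC, NE_MAC, 0x0800, bytes(46))))
    print(frame_defects(build_frame(NE_MAC, NE_MAC, 0x0800, bytes(20))))
```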

    Access Control of Layer 2 Services

    Access control of Layer 2 services is provided to filter out unauthorized user data.

Static MAC address table

For E-LAN services, static MAC addresses can be added to, deleted from, and queried in the static MAC address table. When the MAC address learning function is disabled, MAC addresses must be added to the static MAC address table to ensure that services are forwarded properly. If the MAC address of a service does not match the static MAC address table, the service is considered invalid and is discarded.

Black list

For E-LAN services, MAC addresses can be added to, deleted from, and queried in the black list. Services whose MAC addresses are in the black list are considered invalid and filtered out.

Disabling of MAC address learning

E-LAN services can filter out invalid packets after MAC address learning is disabled.

When MAC address learning is enabled, the equipment learns MAC addresses.

When MAC address learning is disabled, the equipment can forward E-LAN services and filter out invalid MAC addresses after static MAC addresses are configured.

    NOTE

    This function is only supported by packet service boards.

Packet filtering based on complex flow classification

Data flow is managed according to complex flow classification, preventing attacks by large numbers of packets and by invalid packets.

Complex rules are used for flow classification. For example, packets can be classified according to CVLAN ID, CVLAN PRI, SVLAN ID, SVLAN PRI, CVLAN+CVLAN PRI, SVLAN+SVLAN PRI, or IP-DSCP. After being filtered based on the complex flow classification, packets are forwarded or discarded.

Discarding: A data flow is discarded if the data flow does not comply with the rules in an ACL.

Forwarding: A data flow is forwarded if the data flow complies with the rules in an ACL.

    NOTE

    This function is only supported by packet service boards.

    Service Separation

The following logical and physical separation methods are provided to prevent malicious data theft and reduce the impact of broadcast flow.

Layer 2 logical separation

A virtual local area network (VLAN) is the basic unit for managing network data equipment. A VLAN is a logical subnet or a logical broadcast domain. Users are allocated to different VLANs so that they cannot communicate with each other at Layer 2. In this manner, logical separation is achieved for Layer 2 services. In addition, after VLANs are divided, the broadcast flow is confined to each broadcast domain, which limits the broadcast range.

The OptiX RTN 950 supports identification and forwarding of VLAN tags, and switching of VLAN tags. Figure 4-9 shows an example of VLAN services.


    Figure 4-9Scenario of the QinQ service

Users who create an Ethernet private network can separate services by configuring the "Hub/Spoke" attribute of logical ports. Services between Spoke ports are separated, so Spoke ports cannot communicate with each other.

NOTE

The "Hub/Spoke" feature is only supported by EOS boards.

    Split horizon

A group of physical or logical ports that cannot communicate with each other on the local equipment is configured to prevent service loops and to separate the services of different users. In this manner, service security is ensured.

The OptiX RTN 950 supports the creation of split horizon groups for L2VPN services, and supports adding and deleting group members.

    NOTE

    This function is only supported by packet service boards.
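The static MAC address table, black list, learning switch, unknown-unicast handling and split horizon groups described above combine into one forwarding decision. The following Python is an added example (not the equipment's code) that makes that decision for an E-LAN service; the port names and MAC addresses are constructed, and the rule that a frame is never sent back out its ingress port is standard bridging behaviour assumed here.

```python
from typing import Dict, List, Optional, Set


class ElanForwarder:
    """Ingress filtering for an E-LAN service: static MAC table, black list, optional MAC
    learning, configurable handling of unknown unicast, and split horizon groups."""

    def __init__(self, learning_enabled: bool = True, unknown_unicast: str = "forward"):
        self.static: Dict[bytes, str] = {}       # MAC -> port, configured by the user
        self.learned: Dict[bytes, str] = {}      # MAC -> port, learned from source addresses
        self.blacklist: Set[bytes] = set()
        self.learning_enabled = learning_enabled
        self.unknown_unicast = unknown_unicast   # "forward" (flood) or "discard"
        self.split_horizon: List[Set[str]] = []  # port groups that may not talk to each other

    # static MAC address table: add, delete, query
    def add_static(self, mac: bytes, port: str) -> None:
        self.static[mac] = port

    def delete_static(self, mac: bytes) -> None:
        self.static.pop(mac, None)

    def query_static(self, mac: bytes) -> Optional[str]:
        return self.static.get(mac)

    def add_split_horizon_group(self, ports: Set[str]) -> None:
        self.split_horizon.append(set(ports))

    def _same_group(self, a: str, b: str) -> bool:
        return any(a in group and b in group for group in self.split_horizon)

    def ingress(self, src: bytes, dst: bytes, in_port: str) -> str:
        """Decide what happens to a frame: 'forward:<port>', 'flood' or 'discard:<reason>'."""
        if src in self.blacklist or dst in self.blacklist:
            return "discard:black list"
        if self.learning_enabled:
            self.learned[src] = in_port
        elif src not in self.static:
            # learning disabled: only sources in the static table are valid
            return "discard:source not in static MAC address table"
        out = self.static.get(dst) or self.learned.get(dst)
        if out is None:
            if not self.learning_enabled:
                return "discard:destination not in static MAC address table"
            return "flood" if self.unknown_unicast == "forward" else "discard:unknown unicast"
        if out == in_port:
            return "discard:destination on ingress port"
        if self._same_group(in_port, out):
            return "discard:split horizon"       # e.g. two Spoke ports of one group
        return "forward:" + out


# Constructed MAC addresses for the demonstration
MAC_A, MAC_B, MAC_C = (bytes.fromhex(h) for h in ("0a0000000001", "0a0000000002", "0a0000000003"))

if __name__ == "__main__":
    fw = ElanForwarder()
    fw.add_split_horizon_group({"spoke1", "spoke2"})
    print(fw.ingress(MAC_B, MAC_A, "spoke2"))     # flood: A not yet known
    print(fw.ingress(MAC_A, MAC_B, "spoke1"))     # discard:split horizon
```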

    Physical path separation

Services for different users are carried on different physical paths. In this manner, services do not share physical paths or communicate with each other at the physical layer, and therefore service security is ensured.


5 Appendix

A-1 Standards Compliance

    Table 5-1 shows the security standards that the OptiX RTN 950 complies with.

Table 5-1 Standards compliance

| Related Standard | Description |
|---|---|
| ITU-T G.8011.1 | Ethernet private line service |
| ITU-T G.8011.2 | Ethernet virtual private line service |
| ITU-T G.8261/Y.1361 | Timing and synchronization aspects in packet networks |
| ITU-T G.8262/Y.1362 | Timing characteristics of synchronous Ethernet equipment slave clock |
| ITU-T G.8032/Y.1344 | Ethernet Ring Protection Switching |
| RFC 2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers |
| RFC 2819 | Remote Network Monitoring Management Information Base |
| RFC 0793 | Transmission Control Protocol |
| RFC 0768 | User Datagram Protocol |
| RFC 0791 | Internet Protocol, Version 4 (IPv4) |
| RFC 0792 | Internet Control Message Protocol |
| RFC 0826 | An Ethernet Address Resolution Protocol |
| RFC 0894 | A Standard for the Transmission of IP Datagrams over Ethernet Networks |
| RFC 2516 | A Method for Transmitting PPP Over Ethernet (PPPoE) |
| RFC 1661 | The Point-to-Point Protocol (PPP) |
| RFC 1662 | PPP in HDLC-like Framing |
| RFC 1332 | The PPP Internet Protocol Control Protocol (IPCP) |
| RFC 1990 | The PPP Multilink Protocol (MP) |
| RFC 2131 | Dynamic Host Configuration Protocol |
| RFC 2328 | OSPF Version 2 |
| RFC 2246 | Secure Socket Layer 3.0 / TLS 1.0 |
| RFC 1305 | Network Time Protocol 3.0 |
| IEEE 802.3ah | Media Access Control Parameters, Physical Layers, and Management Parameters for Subscriber Access Networks |
| IEEE 802.1ad | Virtual Bridged Local Area Networks Amendment 4: Provider Bridges |
| IEEE 802.1ag | Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management |

    A-2 Acronyms and Abbreviations

Table 5-2 Acronyms and abbreviations

| Acronym and Abbreviation | Full Name |
|---|---|
| ACL | Access Control List |
| CAR | Committed Access Rate |
| DCN | Data Communication Network |
| DNS | Domain Name System |
| ECC | Embedded Control Channel |
| FTP | File Transfer Protocol |
| GNE | Gate Network Element |
| HTTP | Hyper-Text Transmission Protocol |
| ID | IDentification |
| IEEE | Institute of Electrical and Electronics Engineers |
| IF | Intermediate Frequency |
| IP | Internet Protocol |
| ISO | International Organization for Standardization |
| ISP | Internet Service Provider |
| ITU-T | International Telecommunication Union-Telecommunication Standardization Sector |
| LAN | Local Area Network |
| LCT | Local Craft Terminal |
| NMS | Network Management System |
| OAM | Operation Administration and Maintenance |
| ODU | Outdoor Unit |
| OSI | Open Systems Interconnection |
| OSS | Operation Support System |
| OSPF | Open Shortest Path First |
| PDH | Plesiochronous Digital Hierarchy |
| QoS | Quality of Service |
| RMON | Remote Monitoring |
| RTN | Radio Transmission Node |
| SDH | Synchronous Digital Hierarchy |
| SNMP | Simple Network Management Protocol |
| TCP/IP | Transmission Control Protocol/Internet Protocol |
| VLAN | Virtual Local Area Network |