Protocol Security for 3rd Generation Mobile Systems - Semantic Scholar

Protocol Stack Design for 3rd Generation Mobile Systems – UMTS Core Network

Theodore Stergiou, Professor Roger J. Green, Dr. Mark S. Leeson
Communications and Signal Processing Group, School of Engineering, University of Warwick, Coventry, United Kingdom
e-mail: {esrua, rjg, msl}@eng.warwick.ac.uk

Abstract

In this paper we present a new protocol stack, the FCNS (Future Core Networks System), primarily designed for carrying signalling information in the UMTS core network packet switched domain. It is intended to provide interoperability with the circuit switched domain and greater flexibility, robustness and security than the schemes proposed by the telecommunications community. The paper is organised as follows. The first section introduces the research currently being undertaken by academic and commercial organisations and committees. We then analyse the proposed approaches and describe the disadvantages that motivate our work. A detailed overview of the FCNS architecture follows, explaining its features, capabilities and the services it offers. Finally, we give some comparisons and describe the current work on the protocol and possible future enhancements.

Keywords UMTS, core network, security, protocol design, FCNS

1. Introduction

Universal Mobile Telecommunications System (UMTS) is the de facto standard that will be used to introduce third generation (3G) mobile systems to subscribers. It constitutes the platform on which services such as high-speed data, multimedia applications, videoconferencing, m-commerce and international roaming will be deployed. UMTS is composed of three main sub-systems or components, which together will provide efficient, worldwide access to services for users. These are the satellite system (defined as S-UMTS), the generic air interface (described in terms of the access network) and the fixed network (referred to as the core network). The latter, which is the network our research work is based upon, comprises systems such as optical networks, the Internet, the telephony system, Local Area Networks (LANs) and ISDN systems.

Currently, there exist two architectures for the core network defined by the European Telecommunications Standards Institute (ETSI) and the Third Generation Partnership Program (3GPP): Release 99 [3GPP,1998] and Release 4/5 [3GPP,2001]. Release 4/5 is the all-IP version of the UMTS core network, which will not be in effect until 2005, when UMTS services will be offered to home users after migrating from the currently used second generation (2G) systems. Release 99, on the other hand, whose architecture is depicted in Figure 1, is based on the General Packet Radio Service (GPRS) platform, allowing operators to fully utilise the capabilities of, and investments made in, that system.

Figure 1: UMTS core network architecture, Release 99, reproduced from [1]

The protocols proposed to support the transfer of signalling information between the UMTS core network elements include the Mobile Internet Protocol (MIP), the Stream Control Transmission Protocol (SCTP) and the Asynchronous Transfer Mode (ATM) protocol. In the following section we introduce the main disadvantages of these protocols, especially MIP/IP, and analyse the reasons why a new approach has become imperative.

2. Work Motivation

In the first part of this section we give a brief overview of MIP/IP [Ollikainen,1999] and the protocols proposed to act as its transport means, followed by an analysis of the problems associated with these standards.

2.1 MIP/IP overview

MIP is an enhanced version of IP optimised for use within mobile environments, where sophisticated routing mechanisms are required to support mobile hosts’ connections throughout a call’s duration. It defines the procedures required to support the hosts of a mobile system irrespective of their point of attachment to the network and without altering their IP address. These techniques, which ultimately compose what is known as triangular routing, forward the host’s packets to its permanent home environment, which in turn forwards them to the network where the host resides at the time. Packet routing is done via tunnelling, where modified IP packets encapsulating additional headers that indicate the packets’ original source and destination addresses are passed between the agents responsible for forwarding the user data. Advantages of this approach include the case of the IPsec architecture, where encapsulation and tunnelling are governed by the use of the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols, which enhance packet security against malicious attacks by authenticating and encrypting the IP packet’s contents [Kent,1998].

For the UMTS core network, additional protocols may be needed to support the MIP broadband backbone mechanisms during the exchange of information between different networks. ATM and SCTP are two well-defined standards that commercial organisations may adopt if speeds greater than the primary rate (i.e. well above 2Mbit/s) need to be supported. SCTP is a general-purpose transport protocol initially designed to support telephony signalling over unreliable networks, such as IP. Its services include multihoming, which enables the network to maintain a connection (an association in SCTP terms) even when a route fails, and a certain degree of protection against resource attacks through a four-way connection establishment (handshake) mechanism. Its advantages over TCP are explained in [Steward et al,2000], the most important being the message-based orientation of the protocol, in contrast to TCP, which is connection-oriented, ensuring a more reliable and flexible transmission of small amounts of data, such as signalling information.

2.2 Standard weaknesses

MIP has disadvantages associated with its performance when operating in a mobile environment, mainly during handoff sessions and when interoperability with other protocols is necessary. One of the main concerns of the Internet community is triangular routing and the necessity of periodically advertising routing information to the nodes and agents present in the network.
The authors of [Yap et al,2000] describe these problems in detail, proposing an enhanced version of MIP (Itinerant IP - IIP) that does not make use of mobile agents, eliminating problems such as bottlenecks and delays that may be imposed during handoffs. IIP makes use of the Point-to-Point Protocol (PPP) for internetworking purposes, as well as Dynamic Host Configuration Protocol (DHCP) servers to acquire IP addresses on demand when a mobile node or mobile station is on the move. Both protocols have security flaws already exploited through their use in computer systems, which makes them a less attractive solution for use in UMTS. Furthermore, location update procedures do not incorporate any security mechanism to authenticate the information passed to the base home register from the mobile node, or that passed between the register and the correspondent node. This may result in the information being compromised by an attacker who may, for example, wish to attack the correspondent node or even impersonate it.

ATM is a protocol designed for variable bit rate environments, operating at high speeds where network elements or nodes exchange real-time data, like video and audio. Its features include the capability of maintaining a connection via Operation and Maintenance (OAM) cells and the choice between various classes of service. ATM, though, does not incorporate any security functions to ensure secured packet flow in the network, nor does it integrate a standard fault detection and correction mechanism for the mapping of IP/IIP or other messages into ATM cells [Stergiou,1999]. Additional protocols would add extra overhead to the messages and would also introduce the problem of interoperability with the ATM platform.

SCTP, on the other hand, makes use of a more enhanced handshake mechanism than TCP or ATM, ensuring greater protection against potential attacks. Although SCTP is more suitable for use in mobile systems from the performance and security points of view, we have identified several deficiencies arising from its design and possible methods of implementation. The handshake mechanism used in the connection establishment phase ensures that a node wishing to connect to a peer really wants to establish the communication. The mechanism, though, does not protect against passive attacks, where an attacker could monitor the channel and exploit the contents of the messages, which are sent unencrypted. Furthermore, the protocol does not protect against attacks targeting the Domain Name Server (DNS), which an attacker can overflow in order to gain access to the host names included in the INIT messages. Additionally, alert mechanisms are also sent unsecured and could be used by an attacker to exploit the network’s vulnerabilities. Moreover, man-in-the-middle attacks could succeed, where an intruder is able to intercept and ultimately alter the messages exchanged in a communication. The protocol does not offer any protection against such attacks, which could result in a whole connection being compromised.
The use of IPsec, and AH specifically, could prevent, to a degree, the effect of such attacks, but there are problems associated with the IPsec architecture [Ferguson and Schneier,1999], which would also introduce delays and inter-operational problems due to the use of encapsulation. For protection against other attacks, ESP could be used to ensure the security of the messages, yet, as analysed in [Bellovin,1996], certain vulnerabilities (session hijacking attacks are a typical example) degrade the protocol’s performance.

From our analysis we have concluded that there is a need for a protocol stack to support the transfer of signalling information in the UMTS core network that would offer greater flexibility, robustness and security than the proposed solutions.
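
The SCTP handshake behaviour discussed in Section 2.2, as an added example (not code from the paper or from any SCTP implementation): a simplified Python model of the four-way handshake's state cookie, showing that it keeps the responder stateless against resource attacks while leaving the exchange readable and the INIT alterable in transit. The cookie layout, the `Server` class, the lifetime and the addresses are constructed for illustration and do not follow the RFC 2960 wire format.

```python
import hashlib
import hmac
import os
import struct

COOKIE_LIFETIME = 60  # seconds; assumed value for this sketch
HDR = "!IHQ"          # initiate tag, stream count, issue time (constructed layout)
HDR_LEN = struct.calcsize(HDR)


class Server:
    """Responder that allocates no per-peer state until a valid cookie returns."""

    def __init__(self):
        self.secret = os.urandom(32)  # known only to the server
        self.associations = {}        # filled only after a good COOKIE ECHO

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, peer: str, init_tag: int, streams: int, now: int) -> bytes:
        """INIT -> INIT ACK: put the would-be state in a MACed cookie, store nothing."""
        body = struct.pack(HDR, init_tag, streams, now) + peer.encode()
        return body + self._mac(body)

    def on_cookie_echo(self, peer: str, cookie: bytes, now: int) -> bool:
        """COOKIE ECHO -> COOKIE ACK: verify the cookie, then allocate state."""
        body, tag = cookie[:-32], cookie[-32:]
        if not hmac.compare_digest(tag, self._mac(body)):
            return False              # forged or modified cookie
        init_tag, streams, issued = struct.unpack(HDR, body[:HDR_LEN])
        if body[HDR_LEN:].decode() != peer or now - issued > COOKIE_LIFETIME:
            return False              # echoed from another address, or stale
        self.associations[peer] = {"tag": init_tag, "streams": streams}
        return True


def flood_leaves_no_state(n: int = 1000) -> int:
    """n INITs whose senders never echo the cookie: the server holds no state."""
    srv = Server()
    for i in range(n):
        srv.on_init(f"198.51.100.{i % 250}", i, 10, now=0)
    return len(srv.associations)


def passive_view(cookie: bytes) -> tuple:
    """Fields an eavesdropper reads from the cleartext cookie without any key."""
    init_tag, streams, _ = struct.unpack(HDR, cookie[:HDR_LEN])
    return init_tag, streams, cookie[HDR_LEN:-32].decode()


def in_transit_alteration() -> dict:
    """The INIT is unauthenticated, so a value changed in transit is accepted."""
    srv, peer = Server(), "192.0.2.10"
    # The client asked for 10 streams; streams=1 is what arrives after alteration.
    cookie = srv.on_init(peer, init_tag=0x1234, streams=1, now=100)
    accepted = srv.on_cookie_echo(peer, cookie, now=101)
    recorded = srv.associations[peer]["streams"]
    bad = bytearray(cookie)
    bad[5] ^= 0xFF                    # flip bits inside the MACed cookie
    return {
        "altered_init_accepted": accepted,
        "streams_recorded": recorded,
        "altered_cookie_accepted": srv.on_cookie_echo(peer, bytes(bad), now=101),
    }


if __name__ == "__main__":
    print(flood_leaves_no_state(), in_transit_alteration())
```

The MAC protects only what the server itself wrote into the cookie; authenticating the INIT and hiding the fields from an observer needs a keyed mechanism shared by both peers, which is the role the text assigns to AH and ESP.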

3. FCNS protocol stack

In the following sections we present our solution, FCNS, outlining its architecture and the design principles followed to realise the protocol. Its main advantage is that its implementation will result in vital information passing through the UMTS core network being sent securely, in contrast to the Release 99 platform, where data such as secret keys are sent in plaintext form, increasing potential security risks.

3.1 Architecture and layers analysis

FCNS is a packet-based protocol stack designed according to the OSI 7-layer model principle, decomposing the protocol into several layers, each of which performs specific tasks that are independent of the other layers’ tasks. The protocol has not been designed solely for use within the UMTS core network; instead it can be used as the means of establishing communication between users in any environment that is supported by the protocol. For this reason FCNS is composed of 5 layers, namely the User-Defined layer (composed of the User-Defined presentation layer - UDpres, and the User-Defined session layer - UDses), the Transmission layer (tx_layer), the End-to-end layer (ee_layer), the Security layer (sec_layer) and the physical layer (phys_layer). The relationship and interconnection of these layers is depicted in Figure 2.

The User-Defined layer serves as the means of establishing a connection between two users belonging to different networks and environments, where both the semantics of the data to be exchanged and a session between these users must be defined, in order to enforce the necessary synchronisation and QoS functions for the data stream.

The Transmission layer ensures the secured and reliable end-to-end transfer of signalling information between nodes belonging to different subnetworks. The functions supported by this layer include explicit flow control, QoS maintenance for a particular connection, segmentation and reassembly, if required, as well as security for the particular level of the connection for which the layer is responsible. The message that is passed on to the End-to-end sublayer is encrypted according to the specifications and algorithms dictated by the Security layer. FCNS does not support connectionless operation of the network and includes mechanisms to support resynchronisation of the data stream. A typical example of use is the transfer of information between a mobile node and its correspondent belonging to a different domain or network.

The End-to-end layer is similar to the network layer defined by the OSI model. It is responsible for the routing of FCNS packets between different subnetworks, checksum calculation for the error detection and correction mechanisms, error control, segmentation and reassembly, as well as providing for the security of links and messages. The latter feature is again governed by the Security layer, which initiates the necessary mechanisms to secure the intermediate links between the end nodes. The End-to-end layer is also responsible for signalling errors to the system concerning the underlying subnetworks supporting a connection. Also, because Release 99 is composed of a Circuit Switched Domain in addition to the Packet Switched Domain, this layer is responsible for the correct function calls to SS7 supporting a circuit switched connection.

The physical layer acts as an interface between FCNS and the physical medium protocols and standards for data transmission, more like the data link layer defined by the OSI 7-layer model. It is responsible for identifying the various communication media and for appropriately formatting and synchronising the data stream before passing it on to the physical link. It is also responsible for monitoring the transmission of packets and ensuring that they are delivered in the same order in which they were sent.

Figure 2: FCNS architecture

Finally, the security layer is responsible for identifying and validating (authenticating) the nodes participating in a communication, as well as initiating, monitoring and terminating the security functions used for the security of the communication links. It also controls the encryption and decryption mechanisms for the various messages and packets exchanged either internally in FCNS or between network nodes, ensuring the secure update of mobile node information between its home and serving environments. It is the layer that acts as the interface between FCNS and the various network elements of the UMTS core network, where all messages are authenticated prior to their transmission or upon their reception. Its simplicity and well-defined structure give network operators the advantage of ease of use and implementation of the layer within FCNS.

3.2 Advantages

In this subsection we present the advantages of our approach, based on comparisons made with the protocols described in Section 2. Performance, flexibility, robustness and security are the main areas FCNS addresses and, hence, all evaluations of our protocol against the proposed standards focus on these issues. Security performance is the main issue for which FCNS has been designed, in order to overcome the problems associated with SCTP, MoIP and ATM. Its strength lies in the security layer, which provides the necessary functions and mechanisms, ensuring the secure functioning of the protocol under any operational environment. FCNS does not suffer from the effects of man-in-the-middle attacks like SCTP, where an adversary can intercept any message present in the communication link and either alter its contents or even deny the forwarding of that message to its intended destination. This is achieved by encrypting all the routes of the network, on both an end-to-end and a link basis.
Traffic padding functions enforced by the security layer protect the network from passive attacks and hence possible interceptions. A 10-way handshake mechanism at the same time ensures the authentication of the hosts present in a communication, further enhancing the protocol’s capability of overcoming attacks targeted at the communication establishment time. FCNS makes use of the HLR/AuC of the UMTS core network in order to obtain all the information necessary to efficiently identify a host initiating or requesting a connection. The link security mechanisms enable the secure transfer of that information to the Visited Location Register (VLR) when the mobile host changes its environment during a handoff procedure.

The use of the security layer is not limited to securing the communication links between the different nodes and subnetworks or to enforcing the handshake mechanism during the connection setup phase. The layer is responsible for ensuring that all messages generated by the FCNS error protocol are sent encrypted and never unsecured. This measure ensures that an attacker, if able to overcome the traffic padding mechanisms, could not easily obtain information about the contents of the messages and hence use it to manipulate the protocol. Another strength of the protocol is that the internal messages or service primitives are sent encrypted between the different layers of FCNS. 160-bit encryption keys are used in order to scramble the messages and provide an adequate level of security for the protocol. This approach has the advantage over attacks aimed at the protocol itself, where an attacker could manipulate the FCNS messages and be further able to force unauthorised requests for connection establishment or tearing down procedures.

Furthermore, FCNS as a protocol stack provides a solid and robust architecture for use not only with the UMTS core network, but with any other architecture that needs to be supported. FCNS is defined in layers that can either be used as single protocols or together, forming the FCNS protocol stack.
The need for interoperation with different protocols is eliminated, reducing the network’s complexity and the cost that would be required for the addition of extra logic and switches in a network topology. Moreover, mapping procedures for messages created by different protocols require extra fault detection and correction mechanisms to guard the process, which may be deemed unsuccessful under heavy network load. Finally, the support of different addressing schemes makes FCNS compatible with most of the existing technology and hence an attractive solution for network operators wishing to enhance the security and overall performance of a given network.

4. Current status and future developments

Our research focuses on the development of FCNS and its comparison with the proposed protocols for the UMTS core network. The work involves the simulation of the UMTS core network using the IP based solution and then the FCNS solution. The comparisons and tests focus on performance and security issues, such as congestion, delays in the transmission, link errors and bandwidth (BW) limitations, timeouts and synchronisation issues, as well as authentication and encryption measures. Such measurements include the relative efficiency of the protocol given for the various layers of FCNS, together with the representation of its overall performance. The calculated overall FCNS efficiency has been 92% (total of 676 bytes) for systems under normal operational modes.

Currently the protocol is subject to simulation-based evaluation in two phases. The first phase is the simulation of FCNS in a computer environment to obtain a first set of measurements; the second phase will utilise a more sophisticated test-bed emulating the UMTS core network Release 99, in order to check the performance of the protocol in situations where shifting between the circuit- and packet-switched domains is necessary. Measurements have been completed for packet delay times, round-trip delays and so on, with results pending on the efficiency and the quality of service offered by FCNS, as well as its security features compared to IPsec and relevant architectures.

The authors believe that FCNS is a strong candidate for use within the UMTS core network Release 99, which could be used instead of the various architectures and proposals made by the telecommunications community. An example of such a suggestion is given in [Kaaranen, 2001], where IP and the GPRS Tunnelling Protocol (GTP) are used to form the User Plane Protocol stack for the UMTS packet switched domain. The problems observed in the design of Release 99, as mentioned in Sections 2 and 3, are, in part, associated with the use of various protocols for the different planes of the UMTS core network, which may lead to interoperability problems and reduced system flexibility. FCNS, as a solid and robust design, could replace these proposals and form a more flexible and efficient architecture that could further be used to allow for the migration to the all-packet-switched philosophy of Release 4/5. Its advantages and increased security performance over the proposed protocols, together with the delay in deploying the UMTS platform, could provide the opportunity of modifying the anticipated stacks and hence utilising all the features of FCNS, resulting in a stronger and more secure 3G mobile system.

5. References

3GPP (1998), Third Generation Partnership Program Specifications, “Technical Recommendation (TR) 21.101: 3rd Generation Mobile System Release 1999 Specifications”, Technical Specification Group Services and System Aspects.

3GPP (2001), Third Generation Partnership Program Specifications, “Technical Recommendation (TR) 21.103: 3rd Generation Mobile System Release 5 Specifications”, Technical Specification Group Services and System Aspects.

Ville Ollikainen (1999), “Mobile IP explained”, Seminar on Multimedia, University of Technology, Helsinki, Finland.

Kent, S. (1998), “Security Architecture for the Internet Protocol”, IETF Request for Comments 2401, Network Working Group, The Internet Society.

Steward, R., Xie, Q. et al (2000), “Stream Control Transmission Protocol”, IETF Request for Comments 2960, Network Working Group, The Internet Society.

Yap, C.N., Kraner, M. et al (2000), “Novel and enhanced Mobile Internet Protocol for third generation cellular environments compared to MIP and MIP-LR”, IEE 3G Mobile communication technologies conference, No. 471.

Stergiou T. (1999), “Fault detection in heterogeneous ATM/SDH systems”, MSc dissertation thesis, University of Essex.

Ferguson, N., Schneier, B. (1999), “A Cryptographic evaluation of IPsec”, Counterpane Internet Security Inc., Counterpane Labs, California, U.S.A.

Bellovin, S.M. (1996), “Problem areas for the IP security protocols”, Proceedings of the 6th Usenix UNIX Security symposium, San Jose, CA, U.S.A.

Kaaranen H., Ahtiainen A., Laitinen L., Naghian S., Niemi V. (2001), “UMTS Networks, Architecture, Mobility and Services”, John Wiley & Sons Ltd., Chichester, England.