This annex details how NDS/IP shall be used to protect UTRAN/GERAN IP transport protocols and interfaces.
The control plane in question is used to transfer signalling messages in UTRAN/GERAN IP transport network. The UTRAN IP transport option is specified in Rel-5 UTRAN Technical Specifications. UTRAN Iu interface signalling transport is specified in TS 25.412
and Iur interface signalling transport in TS 25.422
. The architecture for the UTRAN Iuh/Iurh interfaces is specified in TS 25.467
, stage 3 specification is contained in TS 25.468
and TS 25.471
. Based on the known security threats in IP networking, the traffic shall be protected properly. This is in order not to restrict the application of IP in UTRAN and GERAN only to closed network environments.
The security solution for IP based UTRAN/GERAN transport shall follow the principles introduced in the NDS/IP since the IPsec provides application independent security solution for all IP traffic.
Iu/Iuh and Iur/Iurh interfaces are carrying information that is classified as sensitive. Iu/Iuh and Iur/Iurh are used for conveying e.g. subscriber specific security keys. These keys are vital for the end-user security. Hence Iu/Iuh and Iur/Iurh shall be encrypted along with the integrity check.
IPsec ESP shall be used with both encryption and integrity protection for all RANAP and RNSAP messages traversing inter-security domain boundaries.
Iu/Iuh and Iur/Iurh control plane traffic shall be routed via a SEG when it takes place between different security domains (in particular over those interfaces that may exist between different operator domains). In order to do so, operators shall operate NDS/IP Za-interface between SEGs. If a UTRAN node has implemented SEG functionality within the same physical entity, transport mode IPsec is optional for implementation and use on the Iur/Iurh interface.
It will be for the operator to decide whether and where to deploy Zb-interfaces in order to protect the RANAP and RNSAP messages over the Iu/Iuh and Iur/Iurh interfaces within the same security domain.