9.2 Protection of the Backhaul
9.2.1 Cryptographic Protection Compared to Other Protection
As discussed, 3GPP in a number of cases mandates the use of IPsec for the mobile backhaul, unless the network is physically secure. IPsec is addressed in a separate section (9.3).
In addition to the services provided by IPsec protocols, further protection within the mobile backhaul may need to be considered. Backhaul service may be disturbed even if IPsec is deployed, if the backhaul is open to threats by other means of attack, or by attacks on other protocol layers. 3GPP does not specifically address the need for protection on other layers, or protection of the mobile backhaul in general.
As an example, a router may forward the IPsec encapsulated traffic to a false destination, if the routing table has been manipulated maliciously. Similarly, a Layer-2 bridge may be overloaded with non-legitimate traffic, so that the IPsec encapsulated packets cannot be forwarded further.
This type of issues and threats are not specific to the mobile network backhaul only, nor are the design practices and features that address them. Some of the key issues, mostly related to L2, are included in this section. They are specific to a packet mobile backhaul, as similar threats did not exist in the TDM era.
Protection of the backhaul against various threats is closely related with QoS and resilience. QoS features, such as ingress policing or admission control, prevent unauthorized or excessive use of network resources. ...
Get Mobile Backhaul now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
