The Location of Header Compression (HC) and User Data Ciphering (UDC)

Lucent Technologies
Nortel Networks
Qualcomm Inc.

Notice
Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication. Contributors are also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.
This document has been prepared by the contributors to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on the contributors. Contributors specifically reserve the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of the contributors other than provided in the copyright statement above.

Outline
Background
System Overview
Impacts to HC in case of Radio Link Congestion
Impacts to UDC in case of Radio Link Congestion
Security Implementation Cost
Conclusions

Background
Two major categories of network evolution architecture have been proposed
There are a lot of commonalities between these two proposals
The differences between these two proposals include:
  – Location of Header Compression (HC) and User Data Ciphering (UDC)
  – Paging management and location management
  – Location of EAP Authenticator
This slide only addresses the location of HC and User Data Ciphering:
  – Assumes HC and UDC are collocated for simplicity
  – Two alternatives: HC and UDC located in the central node (AG); or HC and UDC located in the edge node (BS)

System Overview (1)
UDC is part of the link layer:
  – UDC cannot be shared across different technologies anyhow:
      – Different technologies use different ciphering algorithms
      – Different mechanisms for generating cryptosync
      – Different mechanisms for OTA session key generation and exchange
HC is a function applied over the link layer
If HC/UDC is located in the edge node, the link layer can be completely terminated at the edge node
  – Makes the AG fully access agnostic and easily upgradeable to support further radio evolution without impacting the core IP network
  – Can fully use all IP networks behind the edge node
If HC/UDC is located in the central node, the link layer has to be extended to the central node
  – Needs a 3GPP2-specific interface (similar to the A10/A11 interface) between AG and BS

System Overview (2)
There is inter-dependency between HC and link scheduling
The HC state machine cannot be shared across different technologies anyhow:
  – Different links have different HC configuration parameters, e.g.:
      – RoHC over EV-DO requires the link layer (DO) to convey a TimerBasedCompression parameter from AN to AT
      – FEEDBACK_FOR must describe the channel as provided by the link, e.g. in DO, FEEDBACK_FOR is set to the DO Link flow number
  – Different links have different HC instances
  – Different links have different QoS requirements
HC in the BS opens possibilities for further system enhancements based on IP flow awareness at the BS:
  – The BS could inspect the higher layer headers and use IP-aware scheduling
  – The BS can optimize HC based on radio link knowledge

User Data Ciphering
If ciphering is performed on IP packets at the AG (rather than after RLP fragmentation), the AT must re-assemble the packet in memory before deciphering:
  – Ciphering in the AT is performed in hardware
  – Packet reassembly must be performed under control of the central processor
  – Requires transferring packets out of and into hardware
  – Significantly increases AT complexity:
      – Impact on hardware design
      – Required bus bandwidth
  – See Via contribution (C ) on the details
If the cryptosync is not generated from the RLP sequence number, an explicit cryptosync must be included in each ciphered packet:
  – Adds two more octets of overhead to each VoIP packet
  – Significant impact on capacity and link budget
If RLP sequence numbers are used for generating the cryptosync, the RLP sequence numbers must be generated at the AG:
  – If the RLP sequence number is in units of RLP payloads (e.g. VoIP), packet fragmentation must be performed in the AG
  – Even for VoIP, packet fragmentation is needed for full header packets
  – The AG has to perform the RLP function

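The two ciphering placements on this slide, worked through as an added example that is not part of the original contribution. A toy counter-mode keystream built from SHA-256 stands in for the air-interface cipher, which the slides do not name; the key, function names and fragment size are assumptions.

```python
import hashlib

KEY = b"constructed-session-key"  # constructed sample key, not a real OTA key

def keystream(key, cryptosync, n):
    """Toy keystream: SHA-256(key || cryptosync || block index), n octets.
    Stand-in for the real link-layer cipher (assumption)."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + cryptosync.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def cipher_at_bs(ip_packet, first_rlp_seq, frag_size):
    """Edge option: fragment first, then cipher each RLP payload.
    The cryptosync is the RLP sequence number the RLP header carries anyway."""
    frags = []
    for i in range(0, len(ip_packet), frag_size):
        seq = first_rlp_seq + i // frag_size
        chunk = ip_packet[i:i + frag_size]
        frags.append((seq, xor(chunk, keystream(KEY, seq, len(chunk)))))
    return frags

def decipher_fragment(seq, payload):
    """AT side, edge option: a fragment is deciphered alone, as it arrives."""
    return xor(payload, keystream(KEY, seq, len(payload)))

def cipher_at_ag(ip_packet, explicit_sync, frag_size):
    """Central option: cipher the whole IP packet, prepend a 2-octet explicit
    cryptosync, then fragment the ciphered result for the air link."""
    body = explicit_sync.to_bytes(2, "big") + xor(
        ip_packet, keystream(KEY, explicit_sync, len(ip_packet)))
    return [body[i:i + frag_size] for i in range(0, len(body), frag_size)]

def decipher_reassembled(frags):
    """AT side, central option: buffer and join every fragment first,
    because the cryptosync and keystream offset span the whole packet."""
    body = b"".join(frags)
    sync = int.from_bytes(body[:2], "big")
    return xor(body[2:], keystream(KEY, sync, len(body) - 2))
```

With a 100-octet packet and 32-octet fragments, the edge option sends 100 ciphered octets and each fragment deciphers independently in any arrival order; the central option sends 102 octets and yields plaintext only after reassembly.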
Impacts to HC in case of Radio Link Congestion
If HC is located in the central node (AG):
  – Requires flow control mechanisms between BS and AG
  – The BS has to drop the compressed packets
  – Will impact HC state (HC state between compressor and decompressor will be out of sync more often)
  – Will drop more packets due to waiting for feedback from the decompressor (1 round trip delay)
  – HC state resync procedures take longer
  – At HC resync, the data already buffered at the BS is still sent over the air and is totally wasted
      – Requires mechanisms for the AG to delete buffered packets in the BS buffer
  – Needs in-sequence delivery between the AG and BS
      – ROHC out-of-order delivery capability is limited
  – Needs HC negotiation mechanisms between the AG and BS (since PPP is removed)
If HC is located in the edge node:
  – IP packets can be dropped at the AG or at the BS without impact to HC state
  – HC resync procedure is performed immediately
  – No flow control is needed between BS and AG
Conclusion: HC in the AG creates significant unnecessary complexity and performance degradation to the whole system

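Why dropping already-compressed packets at the BS disturbs HC state while dropping plain IP packets does not, as an added example that is not part of the original contribution. It uses a simplified LSB encoding of a sequence number in the style of ROHC's W-LSB, with a single reference value instead of a window and no CRC; the offset P, the function names and the sequence numbers are assumptions.

```python
P = 1  # interpretation-interval offset; assumed value for this sketch

def compress(sn, c_ref):
    """Send the fewest LSBs k that place sn inside
    [c_ref - P, c_ref - P + 2^k - 1], the interval the compressor
    believes the decompressor is using. Assumes increasing sn."""
    k = 1
    while sn - (c_ref - P) >= (1 << k):
        k += 1
    return k, sn & ((1 << k) - 1)

def decompress(k, lsb, d_ref):
    """Pick the value in [d_ref - P, d_ref - P + 2^k - 1] whose k LSBs match."""
    low = d_ref - P
    return low + ((lsb - low) % (1 << k))

def simulate(sns, dropped, hc_at):
    """Count wrongly decoded sequence numbers at the AT.
    hc_at == "BS": congestion drops hit plain IP packets before compression.
    hc_at == "AG": the BS drops packets the AG has already compressed."""
    c_ref = d_ref = sns[0] - 1          # contexts assumed in sync at start
    wrong = 0
    for sn in sns:
        if hc_at == "BS" and sn in dropped:
            continue                    # compressor never sees this packet
        k, lsb = compress(sn, c_ref)
        c_ref = sn                      # compressor reference moves on
        if hc_at == "AG" and sn in dropped:
            continue                    # decompressor reference goes stale
        decoded = decompress(k, lsb, d_ref)
        wrong += decoded != sn
        d_ref = decoded
    return wrong

SNS = list(range(100, 140))             # constructed sequence numbers
BURST = {105, 106, 107}                 # constructed congestion drop burst
```

Here `simulate(SNS, BURST, "AG")` returns 32 (every packet after the burst decodes wrongly until a resync), while `simulate(SNS, BURST, "BS")` returns 0 because the compressor widens `k` to cover the gap it knows about.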
Impacts to UDC in case of Radio Link Congestion
If UDC is located in the central node (AG):
  – Requires flow control mechanisms between BS and AG for handoff
  – The BS cannot drop the packets beyond the replay window
  – Impacts RLP retransmission operation because RLP packets are dropped
If UDC is located in the edge node:
  – IP packets can be dropped at the AG or at the BS without impact to RLP operation
  – No flow control is needed between BS and AG

Security Implementation in BS is Cost Effective
Edge device protection can be done without much incremental cost
  – Examples: A leading home/office router manufacturer offers a 4-port gigabit Ethernet router with address translation (NAT), firewall and IPSEC VPN functionality with a throughput of 800Mbps at under $130. Also, typical consumer WiFi access point products in the price range of $30-50 are able to handle advanced encryption for data rates up to 56Mbps.
If physical security of the base station is a concern, it should be addressed using tamper resistant storage/processors
  – Executing encryption and decryption inside a secure domain
  – Example 1: DRM is in TPM (tamper proof module) in the AT and a similar capability can be put in the BS as well
  – Example 2: Secure domain capability to allow execution of encryption and decryption in a secure area is also becoming commonplace in processing cores and architectures, e.g. in the ARM family of processors

Other Considerations
It is not desirable to have signaling encryption/integrity and user data ciphering in different locations:
  – Needs a key distribution mechanism to the BS for signaling encryption/integrity
  – If both are performed in the edge, no key distribution mechanism is needed from AG to BS (assuming the EAP authenticator is in the BS as well)
Transport capacity efficiency between AG and BS:
  – It might be claimed that if HC is located at the AG, it provides transport capacity savings for the BS-AG interface
  – However, if a transport link of the BS-AG interface is a true bottleneck, the mobility tunnel UDP/IP headers also need to be compressed over that congested link
  – This mobility tunnel UDP/IP header compression requires a separate header compression function over the congested link anyhow
  – This separate header compression entity could at the same time handle the compression of both the user data IP header and the mobility tunnel IP header without a significant increase in complexity

Conclusions
Having HC and UDC in the AG:
  – L2 and L3 have no clean separation (L2 is extended to the AG)
  – Causes a lot of unnecessary design challenges
  – Makes inter-operability more difficult by introducing a complex BS-AG interface
  – Increases the system complexity and cost
  – Decreases the system performance
  – Endangers the long term competitiveness of the 3GPP2 system
Having HC and UDC in the BS:
  – L2 is fully terminated at the BS
  – Simplifies the system design
  – Enables better system performance with decreasing network complexity
  – No 3GPP2-specific interface required between BS and AG
  – More competitive with other technologies
HC and UDC functions should be located in the BS