Manual
Cisco Packet Data Serving Node (PDSN) Release 2.0
Resource Management
12.3(11)T
IS-835-B Compliant Static IPSec
An IPSec Security Association (SA) is a unidirectional logical connection between two IPSec systems, and is
uniquely identified by the triple Security Parameter Index (SPI), IP Destination Address, and Security Protocol
(where the Security Protocol is Authentication Header (AH) or Encapsulating Security Payload (ESP)). Because
the connection is unidirectional, protected traffic in each direction between a PDSN-HA pair uses its own SA.
A Security Association operates in one of two modes: Transport or Tunnel.
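The SA lookup implied by the definition above, as an added example (not Cisco PDSN code): a receiving IPSec stack keys its Security Association Database (SAD) on the triple (SPI, destination address, protocol), so the same SPI value reused toward a different destination, or under AH instead of ESP, names a different SA. The PDSN/HA addresses, SPI values and SAD entries are constructed for the example; the IPv4 checksum is left zero because only the SA-naming fields are parsed.

```python
"""Added example: identify an IPSec SA by (SPI, dst, protocol). Not Cisco code."""
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51


def build_ipv4(src, dst, proto, payload):
    """Construct a minimal IPv4 header (checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipsec_packet(pkt):
    """Return the SA selector (spi, dst, proto) for an IPv4 packet carrying ESP or AH."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto not in (IPPROTO_ESP, IPPROTO_AH):
        raise ValueError("not an IPSec packet")
    # ESP: SPI is the first 4 bytes of the payload (RFC 4303 s2.1).
    # AH: next-header(1) payload-len(1) reserved(2), then SPI (RFC 4302 s2).
    spi_off = ihl if proto == IPPROTO_ESP else ihl + 4
    (spi,) = struct.unpack("!I", pkt[spi_off:spi_off + 4])
    return spi, dst, proto


def lookup_sa(sad, pkt):
    """Find the SA entry for a packet, or None if no SA matches the triple."""
    return sad.get(parse_ipsec_packet(pkt))


# Constructed addresses: PDSN 10.0.0.1, HA 10.0.0.2. Same SPI in both directions
# and for AH, to show that SPI alone does not identify the SA.
PDSN, HA, SPI = "10.0.0.1", "10.0.0.2", 0x1000
SAD = {
    (SPI, HA, IPPROTO_ESP): "outbound PDSN->HA ESP tunnel-mode SA",
    (SPI, PDSN, IPPROTO_ESP): "inbound HA->PDSN ESP tunnel-mode SA",
}
PDSN_TO_HA_ESP = build_ipv4(PDSN, HA, IPPROTO_ESP, struct.pack("!II", SPI, 1) + b"<ciphertext>")
HA_TO_PDSN_ESP = build_ipv4(HA, PDSN, IPPROTO_ESP, struct.pack("!II", SPI, 1) + b"<ciphertext>")
# AH carrying IP-in-IP (next header 4) with a 12-byte ICV placeholder.
PDSN_TO_HA_AH = build_ipv4(PDSN, HA, IPPROTO_AH, struct.pack("!BBHII", 4, 4, 0, SPI, 1) + b"\x00" * 12)

if __name__ == "__main__":
    for name, pkt in [("PDSN->HA ESP", PDSN_TO_HA_ESP), ("HA->PDSN ESP", HA_TO_PDSN_ESP),
                      ("PDSN->HA AH", PDSN_TO_HA_AH)]:
        print(name, parse_ipsec_packet(pkt), "->", lookup_sa(SAD, pkt))
```

The third packet reuses the SPI and destination of the first but under AH, so it matches no SA and must be dropped rather than decrypted under the ESP entry.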
IPSec-based security may be applied on tunnels between the PDSN and HA depending on parameters
received from Home AAA server. A single tunnel may be established between each PDSN-HA pair. A
single tunnel between a PDSN-HA pair can have three types of traffic streams: Control Messages, Data
with IP-in-IP encapsulation, and Data with GRE-in-IP encapsulation. All traffic carried in the tunnel has
the same level of protection provided by IPSec.
The IS-835 standard defines Mobile IP service as described in RFC 2002; the Cisco PDSN provides
Mobile IP service and Proxy Mobile IP service.
In Proxy Mobile IP service, the Mobile Node (MN) is connected to the PDSN/FA through Simple IP, and the
PDSN/FA acts as Mobile IP proxy on the MN's behalf toward the HA. Once security associations (tunnels)
are established, they remain active as long as there is traffic (user traffic or user bindings) on the tunnel,
or until the lifetime of the security association expires.
The IS-835-B specification describes three mechanisms to provide IP Security: 1) Certificates, 2)
Dynamically distributed Pre-Shared secret, and 3) Statically configured Pre-Shared secret.
The IS-835 standard specifies support for the following IPSec modes:
• IKE & Public Certificate (X.509)
• Dynamic pre-shared IKE secret distributed by the Home RADIUS server.
• Statically configured IKE pre-shared secret.
Note The IS-835-B Static IPSec feature is available only on the Cisco 7200 Internet router platform. The Cisco IOS
IPSec feature is available on the Cisco 7200 Internet router, Cisco Catalyst 6500 switch, and Cisco
7600 switch platforms. PDSN Release 2.0 supports only the Statically configured Pre-Shared secret mechanism.
The level of IPSec protection on a tunnel between the PDSN and HA is determined by a "security level"
parameter: whether to provide IPSec protection on control messages, data, control messages plus data, or
no protection. The PDSN receives the security level attribute from the Home RADIUS server in an Access-Accept
message. On the HA, this attribute has to be configured for each Foreign Agent, because
there is no provision to pass the security level from the Home AAA server to the Home Agent.
PDSN Release 2.0 supports the following values:
• IPSec for Mobile Control and Data traffic
• No IPSec
Once a Security Association is established, it will be periodically refreshed by the PDSN until the tunnel
expires.
If reverse tunneling is supported by the HA (as indicated by the RADIUS server), and IPSec security is
authorized for the tunneled data, and a mobile node requests reverse tunneling, then the PDSN will provide
security on the reverse tunnel as well.
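The security-level decision and the reverse-tunnel rule above, as an added example (not Cisco PDSN code). It verifies the RADIUS Access-Accept's Response Authenticator (RFC 2865) before trusting any attribute in it, extracts the vendor-specific attributes, and derives what the PDSN protects on the PDSN-HA tunnel for that session. The 3GPP2 vendor ID (5535), the vendor-type numbers for "security level" and "reverse tunnel spec", the numeric encoding of the four security levels, the default of "no IPSec" when the attribute is absent, and the shared secret and Request Authenticator are all assumptions constructed for the example.

```python
"""Added example: verify a RADIUS Access-Accept and apply the IS-835 security level
and reverse-tunnel rules. Not Cisco code; attribute numbers are assumptions."""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_3GPP2 = 5535            # assumed: enterprise number used for 3GPP2 VSAs
VT_SECURITY_LEVEL = 2          # assumed vendor-type carrying the security level
VT_REVERSE_TUNNEL_SPEC = 4     # assumed vendor-type: HA reverse tunnel support (1 = supported)

# The four levels the text lists; the numeric encoding is an assumption.
SEC_NONE, SEC_CONTROL, SEC_DATA, SEC_CONTROL_AND_DATA = 0, 1, 2, 3
PDSN_2_0_SUPPORTED = {SEC_NONE, SEC_CONTROL_AND_DATA}   # the two values PDSN 2.0 supports


def build_access_accept(ident, request_auth, secret, vsas):
    """Construct an Access-Accept carrying 3GPP2 VSAs with a valid Response Authenticator."""
    attrs = b""
    for vtype, value in vsas:
        inner = struct.pack("!BB", vtype, 2 + len(value)) + value
        body = struct.pack("!I", VENDOR_3GPP2) + inner
        attrs += struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(pkt, request_auth, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_3gpp2_vsas(pkt):
    """Walk the attribute TLVs and return {vendor_type: value} for the 3GPP2 vendor."""
    out, pos = {}, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            (vendor,) = struct.unpack("!I", pkt[pos + 2:pos + 6])
            if vendor == VENDOR_3GPP2:
                vpos, end = pos + 6, pos + alen
                while vpos + 2 <= end:
                    vtype, vlen = pkt[vpos], pkt[vpos + 1]
                    if vlen < 2 or vpos + vlen > end:
                        raise ValueError("malformed VSA")
                    out[vtype] = pkt[vpos + 2:vpos + vlen]
                    vpos += vlen
        pos += alen
    return out


def tunnel_protection(pkt, request_auth, secret, mn_requests_reverse):
    """Decide what the PDSN protects on the PDSN-HA tunnel for this session."""
    if not verify_response_authenticator(pkt, request_auth, secret):
        raise ValueError("Access-Accept failed authenticator check; attributes ignored")
    vsas = parse_3gpp2_vsas(pkt)
    # Absent attribute is treated as "no IPSec" (assumption, not stated on the page).
    level = int.from_bytes(vsas.get(VT_SECURITY_LEVEL, b"\x00" * 4), "big")
    if level not in PDSN_2_0_SUPPORTED:
        raise ValueError(f"security level {level} not supported in PDSN Release 2.0")
    control = level in (SEC_CONTROL, SEC_CONTROL_AND_DATA)
    data = level in (SEC_DATA, SEC_CONTROL_AND_DATA)
    ha_reverse = int.from_bytes(vsas.get(VT_REVERSE_TUNNEL_SPEC, b"\x00" * 4), "big") == 1
    # Reverse tunnel is protected only if the HA supports it, data is protected,
    # and the mobile node asked for reverse tunneling.
    return {"control": control, "data": data, "reverse": ha_reverse and data and mn_requests_reverse}


# Constructed inputs for the example.
SHARED_SECRET = b"example-radius-secret"
REQUEST_AUTH = bytes(range(16))
ACCEPT_FULL = build_access_accept(7, REQUEST_AUTH, SHARED_SECRET,
    [(VT_SECURITY_LEVEL, struct.pack("!I", SEC_CONTROL_AND_DATA)),
     (VT_REVERSE_TUNNEL_SPEC, struct.pack("!I", 1))])
ACCEPT_NONE = build_access_accept(8, REQUEST_AUTH, SHARED_SECRET,
    [(VT_SECURITY_LEVEL, struct.pack("!I", SEC_NONE)),
     (VT_REVERSE_TUNNEL_SPEC, struct.pack("!I", 1))])

if __name__ == "__main__":
    print(tunnel_protection(ACCEPT_FULL, REQUEST_AUTH, SHARED_SECRET, True))
    print(tunnel_protection(ACCEPT_NONE, REQUEST_AUTH, SHARED_SECRET, True))
```

The authenticator check matters here because the security level downgrades protection: an attacker who can inject or alter an Access-Accept on the PDSN-AAA path could otherwise switch a session to "No IPSec". A security level the release does not support is rejected rather than silently mapped to a weaker one.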