User's Manual

System Architecture and Protocol Guide – 9-05 16 © 2005 SkyPilot Networks, Inc.
4. When Node A receives the SP_AUTH_CHALLENGE message, it verifies Node B's Identification Certificate using its root public key. Node A decrypts Node B's random number using its private key and the shared static key. Node A then computes its own random number. Using the two random numbers, it computes the secret session key.
5. Node A encrypts its random number using the shared static key. It then encrypts this ciphertext, along with Node B's decrypted random number, using Node B's public key. The resulting ciphertext is placed in an SP_AUTH_RESPONSECHALLENGE message and sent to Node B.
6. When Node B receives the SP_AUTH_RESPONSECHALLENGE message, it decrypts the random numbers. Node B verifies that the decrypted copy of its own random number matches the one it generated in Step 2. If the random numbers match, Node B generates the secret session key using the two random numbers. Node B then encrypts Node A's decrypted random number using Node A's public key and sends Node A an SP_AUTH_RESPONSE message containing the ciphertext.
7. Upon receiving the SP_AUTH_RESPONSE message, Node A decrypts the random number using its private key. It compares the decrypted random number with the one it generated in Step 4.
If at any step this authentication protocol fails, the link is placed in the authorization failed state and no user data is exchanged.
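The following Python model of Steps 4 to 7 is an added example and is not SkyPilot's code: it plays both nodes in one process so that the two verifications (Node B checking its own number in Step 6, Node A checking its own number in Step 7) and the authorization failed outcome can be exercised. Everything the page does not state is assumed: the form of the preceding SP_AUTH_CHALLENGE, textbook RSA over Mersenne primes as a stand-in for the certificate key pairs and the root key, a keyed XOR pad as the shared-static-key cipher, SHA-256 over the two random numbers as the session key derivation, 8-byte random numbers, and the names STATIC_KEY, run_handshake and the other helpers.

```python
import hashlib
import os

# Toy textbook RSA over Mersenne primes, with no padding: a stand-in for the
# certificate key pairs of the two nodes and the root. Assumed for illustration
# only; it is not a secure construction and is not SkyPilot's implementation.
E = 65537


def make_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


ROOT_PUB, ROOT_PRIV = make_keypair(2**521 - 1, 2**607 - 1)  # "root public key"
A_PUB, A_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
B_PUB, B_PRIV = make_keypair(2**89 - 1, 2**107 - 1)


def pk_encrypt(pub, data):
    n, e = pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too large for toy modulus")
    return pow(m, e, n)


def pk_decrypt(priv, c, length):
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")


def issue_cert(node_pub):
    # Identification Certificate modelled as (node public key, root signature
    # over the SHA-256 hash of that key).
    h = int.from_bytes(hashlib.sha256(repr(node_pub).encode()).digest(), "big")
    return node_pub, pow(h, ROOT_PRIV[1], ROOT_PRIV[0])


def verify_cert(cert):
    node_pub, sig = cert
    h = int.from_bytes(hashlib.sha256(repr(node_pub).encode()).digest(), "big")
    return pow(sig, ROOT_PUB[1], ROOT_PUB[0]) == h


STATIC_KEY = b"constructed-shared-static-key"  # assumed network-wide pre-shared value
N = 8  # random-number length in bytes (constructed so values fit the toy moduli)


def static_encrypt(data):
    # Stand-in for "encrypt using the shared static key": XOR with a pad derived
    # from the key. Symmetric, so the same call also decrypts.
    pad = hashlib.sha256(STATIC_KEY).digest()
    return bytes(x ^ y for x, y in zip(data, pad))


def session_key(r_a, r_b):
    # Assumed derivation: the page only says the key is computed from the two
    # random numbers. Truncated to 128 bits to match the AES key size it names.
    return hashlib.sha256(r_a + r_b).digest()[:16]


def run_handshake(tamper_response=False):
    """Model of Steps 4-7; returns (link state, key at A, key at B)."""
    # B's SP_AUTH_CHALLENGE (the step preceding Step 4 on this page; its exact
    # form is assumed): B's certificate plus r_b, static-encrypted then sealed to A.
    r_b = os.urandom(N)
    challenge = (issue_cert(B_PUB), pk_encrypt(A_PUB, static_encrypt(r_b)))

    # Step 4: A verifies B's certificate with the root key, recovers r_b with
    # its private key and the static key, picks r_a and derives the session key.
    cert_b, sealed_r_b = challenge
    if not verify_cert(cert_b):
        return "authorization failed", None, None
    r_b_at_a = static_encrypt(pk_decrypt(A_PRIV, sealed_r_b, N))
    r_a = os.urandom(N)
    key_a = session_key(r_a, r_b_at_a)

    # Step 5: SP_AUTH_RESPONSECHALLENGE = Enc_Bpub( Enc_static(r_a) || r_b )
    response_challenge = pk_encrypt(cert_b[0], static_encrypt(r_a) + r_b_at_a)

    # Step 6: B opens it, checks that its own number came back, derives the key
    # and returns A's number sealed under A's public key (SP_AUTH_RESPONSE).
    plain = pk_decrypt(B_PRIV, response_challenge, 2 * N)
    enc_r_a, r_b_echo = plain[:N], plain[N:]
    if r_b_echo != r_b:
        return "authorization failed", None, None
    r_a_at_b = static_encrypt(enc_r_a)
    key_b = session_key(r_a_at_b, r_b)
    if tamper_response:
        r_a_at_b = bytes(N)  # constructed fault: the wrong number is echoed back
    response = pk_encrypt(A_PUB, r_a_at_b)

    # Step 7: A checks that its own number came back.
    if pk_decrypt(A_PRIV, response, N) != r_a:
        return "authorization failed", None, None
    return "authenticated", key_a, key_b


if __name__ == "__main__":
    state, key_a, key_b = run_handshake()
    print(state, key_a == key_b)
```

Run it directly to see one successful handshake; `run_handshake(tamper_response=True)` shows Step 7 rejecting a response that echoes the wrong number. In this model Node A already holds a session key before Step 6 has confirmed anything, which is why the Encryption section below loads keys into hardware only after the protocol has completed.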
Encryption
Having successfully completed the authentication protocol, the nodes load the session keys into hardware. All packets passed
between these two nodes are then encrypted utilizing these 128-bit Advanced Encryption Standard (AES) session keys.
Network Management
The management of all nodes in a SkyPilot Carrier-Class Broadband Wireless System can be handled through the local Command Line Interface (CLI), the SkyProvision element management system (EMS), or both. Note that the SkyProvision EMS supports all configuration parameters, while the CLI supports a subset. Use of the SkyProvision EMS is therefore recommended to utilize the full potential of the SkyPilot system.
All SkyPilot nodes have an SNMP Agent that can be used to monitor link status and traffic statistics, and to query the configuration. The SNMP protocol, along with Telnet used for remote CLI access, runs on top of an IP stack; therefore each SkyPilot node requires the allocation of an IP address. This address can be configured manually via the CLI or, more typically, allocated via DHCP.
A DHCP server is bundled with the SkyProvision EMS application. It is recommended that this server be used for the configuration
of the SkyPilot management IP addresses. This DHCP server may also optionally be used for subscriber IP address allocation.
When using the SkyProvision EMS, the following configuration sequence occurs once a node has successfully completed its link layer authentication (see Encryption and Authentication):
1. The node issues a DHCP_REQUEST message to obtain a management IP address.
2. The DHCP_RESPONSE contains both the allocated IP address and the IP address of the SkyProvision server application.
3. The node utilizes HTTP to retrieve an XML format configuration file from the server.
4. The XML file is parsed and all configuration parameters applied. The parameters include Ethernet filters, QoS settings, Ethernet port state (which is used to control the subscriber's provisioned state) and any VLAN settings.
5. The XML configuration file also defines the primary and back-up software versions. If the versions specified do not match those in memory, then the node initiates an FTP Get to retrieve the new software image.
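As an added example (not SkyProvision's code or schema), the Python below performs Steps 4 and 5 of the sequence on a constructed configuration file: it parses the parameter groups the text names and reports which software slots differ from the versions held in memory, i.e. which images would need an FTP Get. The element and attribute names, the sample values, and the shape of the in_memory dictionary are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a retrieved configuration file. The real SkyProvision
# schema is not shown on this page, so every element and attribute name below
# is an assumption chosen to cover the parameter groups the text lists.
SAMPLE_CONFIG = """
<node-config>
  <ethernet-port state="enabled"/>
  <vlan management-id="100" subscriber-id="200"/>
  <qos uplink-kbps="512" downlink-kbps="2048"/>
  <ethernet-filters>
    <filter action="deny" ethertype="0x0806"/>
    <filter action="allow" ethertype="0x0800"/>
  </ethernet-filters>
  <software primary="2.1.3" backup="2.0.9"/>
</node-config>
"""


def _int_attrs(elem):
    # Optional element: return its attributes as integers, or {} if absent.
    return {k: int(v) for k, v in elem.attrib.items()} if elem is not None else {}


def parse_config(xml_text):
    """Step 4: parse the XML and collect the parameters to apply."""
    root = ET.fromstring(xml_text)
    if root.tag != "node-config":
        raise ValueError("unexpected root element: %s" % root.tag)
    port = root.find("ethernet-port")
    software = root.find("software")
    if port is None or software is None:
        raise ValueError("port state and software versions are mandatory")
    state = port.get("state")
    if state not in ("enabled", "disabled"):
        raise ValueError("bad port state: %r" % state)
    filters = []
    for f in root.iterfind("ethernet-filters/filter"):
        action = f.get("action")
        if action not in ("allow", "deny"):
            raise ValueError("bad filter action: %r" % action)
        filters.append((action, int(f.get("ethertype"), 16)))
    return {
        "port_state": state,  # controls the subscriber's provisioned state
        "vlan": _int_attrs(root.find("vlan")),
        "qos": _int_attrs(root.find("qos")),
        "filters": filters,
        "software": {"primary": software.get("primary"),
                     "backup": software.get("backup")},
    }


def images_to_fetch(config, in_memory):
    """Step 5: compare the configured primary/backup versions with the ones
    held in memory; return the (slot, version) pairs that need an FTP Get."""
    return [(slot, version) for slot, version in config["software"].items()
            if in_memory.get(slot) != version]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(cfg)
    print(images_to_fetch(cfg, {"primary": "2.1.3", "backup": "2.0.8"}))
```

The comparison is deliberately an equality test, not a "newer than" test, because the page says a mismatch in either direction triggers the retrieval.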
CLI
The Command Line Interface (CLI) gives an operator the ability to manage and monitor a SkyPilot node locally or remotely. The
CLI supports a subset of the management parameters available through the configuration file. This subset is defined in the
document titled “Managing Your SkyPilot Network”.
The CLI may be used to configure a small network during testing or early deployment, and must be used to configure any SkyGateway Management VLAN ID. If the SkyProvision EMS is utilized, any configuration completed via the CLI must also be made in the SkyProvision database; otherwise the intended configuration will be lost on the next reboot of the node.