Security View
....................................................................................................................................................................................................................................
Overview
The bearer and signaling interfaces on the IP core network may or
may not be trusted and secure depending on the service provider’s
network implementation. This section provides security information.
Bearer Security
Additional security features were developed on the OIU-IP. The
OIU-IP uses the real time transfer protocol (RTP) to carry voice traffic
on protected packet over SONET (POS) fiber optic links.
The security features for the OIU-IP bearer interface include:
• point to point protocol (PPP) link scrambling,
• valid user datagram protocol (UDP) port range matching,
• dynamic packet filtering of voice RTP traffic,
• invalid packet discard for protocol errors,
• internet control message protocol (ICMP) message processing
controls,
• provisionable thresholds for triggering selected minor alarms
when detecting protocol violations, and
• detection of flood attack on links, and routing of new calls away
from such links during duration of the attack.
OIU-IP bearer network security is implemented in two main areas, the
packet field programmable gate array (PFPGA) on the OFI-IP and the
router to which the OFI-IP is connected. The router connected to an
OFI-IP performs basic filtering functionality and guards the OC-3c
intra-office link. The router should be capable of rough filtering
non-relevant traffic away from the OFI-IP interface. A router which
permits configurable packet filter policies based on IP destination
protocol and is capable of rate limiting to minimize the effect of ping
floods on the OC-3c link is recommended.
The PFPGA monitors the bit-stream for a large variety of protocol
violations and discards nonconforming or malicious packets.
Discarded packets are counted, and the counts are listed in various
digital performance monitoring (DPM) and traffic measurement
reports. A subset of the DPM counts can be provisioned with a minor
alarm at DPM threshold crossing.
The OIU-IP Interface Specification, 235-900-316 document explains
OIU-IP security in greater detail.
Architecture
....................................................................................................................................................................................................................................
235-200-118
Issue 3.02B, March 2007
Lucent Technologies
2-35
To Next Page
Loading...
Need help?
General
