4th-Generation Wireless for the United States Government

Strategic White Paper

LGS Innovations, LLC solves complex networking and communications challenges facing the U.S. Federal Government. Building on its Bell Labs heritage, LGS delivers groundbreaking research and advanced networking and communications solutions that provide an information advantage and contribute to the mission success of its customers. LGS is an independent subsidiary of Alcatel-Lucent (ALU) dedicated solely to serving the U.S. Federal Government (USG).

LGS is applying 4G technology to enable mobile access to cloud services and enhance situational awareness for the USG. Our 4G solutions offer secure wireless access through value-added services while leveraging commercial infrastructure and components with carrier grade redundancy to deliver mission critical services and applications. By transforming the government’s ability to securely send and receive information of all kinds — anywhere, at any time, on any device — LGS contributes to mission success, from protecting the homeland to increasing service to the citizen.

This white paper addresses LGS solutions for the 4G Mobile government worker. It focuses on the challenges that the USG faces and the potential benefits realized through 4th generation wireless products and services.

Upload: lamthu

Post on 30-Jun-2018


Table of Contents

[1] 4G for the U.S. Government — Trends & Challenges 01
1.1 4G Mobile Benefits 02
[2] 4G LTE Overview 04
2.1 All-IP 04
2.2 Inherent Security 05
2.3 LGS 4G Solutions 06
2.4 Extending USG’s RF Footprint 09
2.5 LGS 4G LTE Dedicated Core 09
[3] Summary 13
[4] Appendix — VoLTE Security Proposal 14


1. 4G for the U.S. Government — Trends & Challenges

Mobility is a primary enabler of workforce efficiency. Commercial enterprises are continually enhancing their productivity and efficiency by extending services through secure, high speed, reliable broadband access. Mobile broadband access reduces the time to perform regular business functions through a more rapid response to situations that require collaboration regardless of team members’ locations. This gives transparent access to critical data and applications anywhere, anytime.

Until 2010, most cellular networks were based on air interface standards such as Global Systems for Mobile (GSM), Universal Mobile Telecommunications System (UMTS), Code Division Multiple Access (CDMA), and Evolution-Data Optimized or Evolution-Data Only (EvDO). While these standards support both voice and data communications through a standards-based packetized data protocol, none uses end-to-end Internet Protocol (IP) that most USG enterprises utilize on a daily basis. Therefore, federally approved protection systems to secure data in flight and at rest on any given USG enterprise are not utilized to secure the USG data traversing a commercial cellular network. In 2010, the 3GPP [1] specified the Long Term Evolution (LTE) air interface as the worldwide-accepted standard for 4G networks. In response, most cellular service providers are implementing 4G/LTE networks to handle the rapidly increasing demand for mobile broadband data.

The federal use of commercial mobile computing platforms has increased significantly in the past few years. However, the USG has yet to fully adopt enterprise mobility solutions in part due to the lack of security necessary to protect sensitive data. The 4G Mobile government worker needs to use their mobile device across multiple network environments with different security requirements from the home to a government enterprise to a secure government enclave. The 4G Mobile government worker has drivers that exceed those of commercial mobile subscribers. These challenges impact the government’s solution requirements which are summarized in Table 1-1.

Table 1-1 | USG Mobile Service Drivers

USG Drivers / Solution Requirements

Mobile Services
» Extend Enterprise Unified Communications to mobile devices
» Enhance Situational Awareness through advanced wireless

Reduce Costs Through COTS
» Leverage commercial wireless infrastructure, transport & devices
» Secure use of commercial RF spectrum

Services Management
» Segregate authenticated USG wireless users’ data from the public network & from the internet
» Enhance overall security consistent with DoD needs and standards
» Authorize mobile access to apps in a USG private cloud
» Centralize management & monitoring of wireless devices

Dual-Homing
» Enforce USG mobile device restrictions within USG enclave
» Allow USG mobile devices on commercial networks
» Allow policy-based roaming

Coverage
» Scale systems supporting smaller base-level enclaves to large enterprise-level agencies

[1] The 3rd Generation Partnership Project (3GPP) unites six telecommunications standards bodies, known as “Organizational Partners”, and provides their members with a stable environment to produce the highly successful Reports and Specifications that define wireless communications technologies. http://www.3gpp.org

1.1 4G Mobile Benefits

4G mobile services have the potential to dramatically change the way the USG accesses and provides unified communications, resulting in enhanced benefits in the areas of Network Performance, Cost Savings and Services Management.

Network Performance: 4G LTE technology extends unified communications to the mobile, improves user experience and enhances situational awareness for mission critical services. The technology offers major performance gains over its predecessor technologies, which in turn extends broadband to the mobile user at a much lower cost per bit. Performance gains are attributed to:

» Orthogonal Frequency Division Multiplexing (OFDM) — modulation techniques for increased spectral efficiency,
» Multiple Input Multiple Output (MIMO) — antenna technology for increased link capacity,
» Flat IP architecture — scalable, end-to-end IP.

Improvements in 4G over 3G technologies result in a 10-fold increase in throughput, 4-fold increase in spectral efficiency and a 6-fold gain in reduced latency.

Cost Savings: LTE delivers a single global standard, achieving higher economies of scale than 3G technologies through the use of commercial wireless. The commercial wireless market is experiencing global investment in the LTE technology and user devices. For example, Global Mobile Suppliers Association (GSA) [2] reports that 218 operators in 81 countries are investing in LTE with 91 LTE networks expected to be in service by the end of 2012. GSA’s LTE report also summarizes rapid global growth:

» Juniper Research: Global LTE service revenues will exceed $200B by 2015
» Infonetics: The number of LTE subscribers is forecast at 290 million by 2015
» IDC: LTE mobile phone shipments are forecast to reach 129.1 million units in 2014.

Fueling this dramatic subscriber growth is the explosion of mobile broadband data. Cisco [3] projects that global mobile data traffic is expected to grow at a compound annual rate of 91% over the next 5 years. To handle these trends in data growth, subscriber increases and mobile devices, 4G offers superior quality of service. The USG’s adoption of LTE should leverage commercial wireless infrastructure and user devices, and therefore potentially reduce service costs, increase the diversity of devices, and extend the availability of mobile broadband.

Services Management: A significant advantage of migrating to 4G mobile services is the potential to offer a secure end-user experience.

[2] “Evolution to LTE Report”, July 6, 2011, www.gsacom.com.

[3] “Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update 2010-2015”, February, 2011.

Mobile services management for the USG can be achieved through an LGS integrated platform that manages dual-homing user devices across multiple networks from the home to the government enterprise to secure enclaves. By providing centralized control for device management, real-time policy-based identity access and real-time visibility across the network elements and application layers, the USG 4th generation mobile worker has ubiquitous, secure mobile services.

The biggest challenge and area of concern facing the US Government in realizing the benefits of 4G networks is to ensure the security and integrity of highly sensitive and/or classified data. Examples include authentication of user and network, centralized identity and device management, policy enforcement and the protection of data inside and outside the USG. Additionally, the Department of Defense (DoD) has unique challenges such as the accessing of information at multiple classification levels under multiple authorities (DoD, DHS) and the Certification & Accreditation process.

LGS’ 4G solutions adhere to inherent, commercial LTE security mechanisms but also incorporate the following security criteria:

» Ensure security & privacy
» Data integrity, separation, protection & management
» Policy-based service management
» Real-time traffic and threat analysis.

Figure: Same device - multiple networks & security requirements

2. 4G LTE Overview

LTE is a wireless broadband technology designed to support roaming Internet access via mobile phones and other handheld devices. With its architecture centered on Internet Protocol (IP), LTE was engineered to have excellent support for web browsing, VoIP and other IP-based services. Through the use of IP protocol stacks, LTE provides the first end-to-end mobile network capable of utilizing IP security mechanisms that are accepted by many USG agencies to secure both data at rest and data in flight of the mobile user.

2.1 All-IP

The “all IP” architecture of 4G LTE is shown in Figure 2-1.1. In earlier wireless standards, voice switching and packet switching are carried out in parallel. The circuit switching for voice communications is done in the Mobile Switching Center (MSC) and data is handled in the Serving GPRS Support Node (SGSN) or the Packet Data Serving Node (PDSN) for CDMA.

Figure 2-1.1 | All IP, Simplified Network Architecture

The lower portion of Figure 2-1.1 shows the 4G LTE architecture. Mobile terminals are served over IP channels by eNodeB RF elements in the Radio Access Network (RAN). The Evolved Packet Core (EPC) controls all multimedia services. The control plane and data (or bearer) planes are separate, which facilitates scaling, data throughput, QoS (Quality of Service) and a number of other advantageous features. LTE network elements integrate an all-IP backhaul and transport network, Mobile Evolution Transport Architecture (META), to enable low latency (lower than 20 ms end-to-end) and the delivery of high throughput in a cost-effective way. META supports a diverse set of transport alternatives to enable the evolution to all-IP across any media (copper, fiber, wireless, satellite). This flexibility is important to potential military uses, which can be in widely varying environments that often have limited bandwidth in backbone and backhaul facilities. An additional LTE architectural element is the IP Multimedia Subsystems (IMS) Service Delivery Environment (SDE), which efficiently manages standardized VoIP and Video services and blends telecom with web 2.0, enabling rich multimedia applications regardless of access technology.

New, all-IP mobile core network introduced with LTE:

» End-to-end IP, every service delivered over IP
» Clear delineation of control plane and data plane
» Simplified architecture; flat-IP architecture with a single core

2.2 Inherent Security

The 4G LTE standard builds in security features such as mutual authentication of the user and network, centralized identity management and policy enforcement, as shown in Figure 2.2-1.

End user authentication, tracking area list management, and idle mode mobile device reachability are functions managed in the Mobility Management Entity (MME) of the EPC. The system-wide user identity is housed in the Home Subscriber Server (HSS) database. The Policy and Charging Resource Function (PCRF) queries the policy database and enforces QoS policy. Data plane traffic is carried over bearers in virtual containers with unique QoS characteristics. The PCRF supports dynamic QoS management and the Packet Data Network Gateway (PDN GW) acts as the Policy & Charging Enforcement Function (PCEF) point to maintain QoS/SLA for each of the service data flows.

Figure 2.2-1 | Centralized Authentication, Identity and Policy Management

LGS’ parent company, Alcatel-Lucent (ALU), drafted a contribution to Security Technical Reference 3GPP SA3, Release 10 for advanced encryption and key management for secure Voice over LTE (VoLTE). The Appendix describes the proposed solution for encrypted VoLTE communications based on MIKEY-IBAKE, Identity-Based Mode of Key Distribution in Multimedia Internet KEYing (MIKEY).

Figure 2.2-1 sidebar:

The Home Subscriber Server (HSS)
» Master user database
» Supports the IP Multimedia Subsystem (IMS) network entities
» Supports authentication and authorization of user
» Provides information about the subscriber’s location

MME — Mobility Management Entity
» Authentication
» Tracking area list management
» Idle mode UE reachability

PCRF — Policy and Charging Resource Function
» Query policy database
» Enforce QoS policy
» Request specific QoS

2.3 LGS 4G Solutions

LGS 4G solutions leverage Alcatel-Lucent’s commercially fielded LTE infrastructure portfolio for the EPC and RAN, the ground-breaking lightRadio™, part of our small cell portfolio, and a mobile device ecosystem in partnership with commercial service providers. Our 4G solutions are based on standards-based commercial network sharing options, which are enhanced with LGS managed services. 4G lightRadio™ small cells with Wi-Fi access may be used to expand the wireless Radio Frequency (RF) footprint in USG campus and military base environments.

Services that Secure the Network

Figure 2.3-1 shows the concept of end-to-end services across the 4G network that will secure the network to the user devices.

Figure 2.3-1 | End-to-end Services Management

LGS services management addresses USG’s needs to:

» centralize device configuration and management with policy-based rules
» authorize access to public and private cloud based applications
» authenticate dual-homed devices that operate securely within a government enclave & roam to the commercial network
» provide end-to-end visibility of USG application and network traffic.

Mobile Devices & Services Management

LGS leverages the Alcatel-Lucent Motive system to secure what is on the network. Motive performs standards-based Mobile Device Management (MDM) that simplifies key user device touch points for offer, activation, support and maintenance. Motive also handles device operations and help desk capabilities to support and maintain a wide range of WiFi, 2G, 3G and 4G mobile devices.

Figure: Service Management Platform and Knowledge Management (labels: Wireless Networks, Devices, Mobile IP Network, IP Network, B/OSS; USG Service Console; Device Capabilities; Device Content Subscription; Access Management; Network Security; MDM; Data Source Integration & Service Orchestration; Signaling & IP Traffic Visibility; Identity)

Motive’s mobile service view gives end-to-end visibility and control of mobile broadband services across the entire service delivery chain, which is used to pinpoint and resolve customer issues by gathering and analyzing critical QoE information from devices, back office and network management systems. Motive’s primary capabilities include the following:

» Android OS, Apple’s iOS (iPhone and iPad), Blackberry (in development) support
» Automatic device detection
» Configuration management
» Lock & wipe, passwords, remote control, problem remediation
» Application installation
» Multi-device capable: handset, USB modems & CPEs.

Identity Access Assurance

LGS has established a strategic partnership to supply access assurance management through cloud-based applications, using a smartphone’s ability to securely establish one’s identity through a combination of encryption, PIN entry, location-based technology and biometrics such as voice, face and palm image matching. This allows the USG to set the level of security for each type of transaction, such as financial, database, electronic health records or secure call conferencing.

The identity access assurance system operates transparently and securely across a commercial wireless network. When the customer initiates a transaction in the cloud (e.g., accessing an on-line health record), a request is made for access assurance. Depending on the type or level of transaction and the configured verification methods associated with that transaction level, the application prompts the customer to enter verification data on their phone through some combination of biometrics and/or passwords. This may be used in conjunction with PKI-verified possession of the device itself and even the user’s GPS location.

Network Managed Services

LGS offers managed services that incorporate device management, identity management and network forensics to assist the USG to better provision, control and monitor their wireless traffic and device usage within the government’s enclave, within the enterprise and across the commercial networks.

Our wireless services solution addresses how to manage a complex wireless network through mechanisms that provide visibility to the applications and traffic in an end-to-end manner. These functions are performed by the ALU 9900 Wireless Network Guardian (WNG), which is integrated with Motive MDM.

Often wireless service providers stitch together separate performance and analysis tools to manage their networks, namely, RF analysis tools (cell performance without linkage to users, apps, devices, or Quality of Experience (QoE)), IP management tools (aggregate IP apps, traffic, trends without connection to RAN/RF load and performance or QoE), and customer care tools (profile, trouble tickets, service plans, billing history without connection to QoE, usage, performance). The ALU WNG overcomes these shortcomings. The WNG automates and correlates data and performs analysis from the user device through the network elements, thereby giving end-to-end visibility to application, traffic performance and anomalies.

Some example WNG use case scenarios include:

» WNG alarms on heavy users and congested cells in real time, enabling congestion based policy management
» Understanding the relationship between network settings/policies and device/application behavior
» Identifying the impact of permitted/prohibited device features on network load and performance
» Identifying popular new “over-the-top” applications and their impact.

The ALU 9900 WNG is an award-winning [4], market-leading product for 3G and 4G that performs real time network and subscriber experience analytics. Figure 2.3-4 shows the WNG within a 4G network, passively monitoring the USG traffic and making specific information visible to the USG’s security center. Triggers generate flow records that capture anomalies and performance statistics filtered at a USG managed security center. Once thresholds are triggered, the system can enforce QoS changes or initiate actions to a user device through Motive if necessary.

Figure 2.3-4 | Wireless Network Guardian USG Framework

[4] 2011 LTE World Best Network or Device Testing Product for LTE; 2011 Informa Broadband Traffic Management “Most Effective Solution for Integrating RAN-awareness into Policy Management”

Figure 2.3-4 labels:

» Government threat and use profiles; Remote Access
» Managed Security Center: cellular asset surveillance; notification of issues; forensic analysis interface; load threat updates to system; integration with agency-unified threat management center
» Extract government user flow and provide custom analysis; Notification and Analysis
» Customized Control of Government Cellular Network Resources
» 9900 Wireless Network Guardian (monitor and analyze; process and trigger; anomaly notification); 5780 Dynamic Services Controller
» Radio access network; Backhaul; Packet core
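The WNG paragraph above describes triggers that turn flow records into anomaly notifications once thresholds are crossed, with enforcement through the PCRF or Motive. The following is an added example, not the ALU 9900 WNG's own logic: threshold triggers run over constructed per-flow records to flag heavy subscribers and congested cells, correlate each congested cell with its top contributor, and name the enforcement path an operator at the managed security center would take. The record layout, thresholds, IMSIs (3GPP test MCC 001) and action names are assumptions.

```python
"""Added example (not the ALU 9900 WNG's own logic): threshold triggers of the
kind the WNG paragraph describes, run over constructed per-flow records.
Record layout, thresholds, IMSIs and action names are assumptions."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Flow(NamedTuple):
    cell_id: str   # serving eNodeB cell
    imsi: str      # subscriber identity
    nbytes: int    # bytes carried in the measurement window
    app: str       # application classification from the flow record


class Alarm(NamedTuple):
    kind: str                  # "heavy_user" or "congested_cell"
    subject: str               # IMSI or cell id
    total_bytes: int
    top_contributor: Optional[str]
    action: str                # enforcement path to trigger (assumed names)


# Constructed flow records for one measurement window (IMSIs use the 3GPP test MCC 001).
FLOWS: List[Flow] = [
    Flow("cell-A", "001010000000001", 40_000_000, "video"),
    Flow("cell-A", "001010000000002", 25_000_000, "web"),
    Flow("cell-A", "001010000000003", 30_000_000, "sync"),
    Flow("cell-B", "001010000000004", 5_000_000, "voip"),
    Flow("cell-B", "001010000000001", 10_000_000, "video"),
]

HEAVY_USER_BYTES = 45_000_000        # per-subscriber threshold per window (assumed)
CELL_CONGESTION_BYTES = 80_000_000   # per-cell threshold per window (assumed)


def evaluate_triggers(flows: List[Flow],
                      heavy_user_bytes: int = HEAVY_USER_BYTES,
                      cell_congestion_bytes: int = CELL_CONGESTION_BYTES) -> List[Alarm]:
    """Aggregate flows per subscriber and per cell, then apply the thresholds."""
    per_user: Dict[str, int] = defaultdict(int)
    per_cell: Dict[str, int] = defaultdict(int)
    per_cell_user: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_user[f.imsi] += f.nbytes
        per_cell[f.cell_id] += f.nbytes
        per_cell_user[f.cell_id][f.imsi] += f.nbytes

    alarms: List[Alarm] = []
    for imsi, total in sorted(per_user.items()):
        if total > heavy_user_bytes:
            # One heavy subscriber: the PCRF can lower that UE's bearer QoS, and
            # Motive can act on the device if the pattern persists.
            alarms.append(Alarm("heavy_user", imsi, total, None, "pcrf_qos_downgrade"))
    for cell, total in sorted(per_cell.items()):
        if total > cell_congestion_bytes:
            # Correlate the congested cell with the subscriber driving most of its load,
            # which is the cross-layer linkage the text says separate tools lack.
            top = max(per_cell_user[cell].items(), key=lambda kv: kv[1])[0]
            alarms.append(Alarm("congested_cell", cell, total, top, "congestion_policy"))
    return alarms


def notify(alarms: List[Alarm]) -> List[str]:
    """Render alarms as the one-line notifications a security center would receive."""
    lines = []
    for a in alarms:
        who = f" top={a.top_contributor}" if a.top_contributor else ""
        lines.append(f"{a.kind} {a.subject} bytes={a.total_bytes}{who} -> {a.action}")
    return lines


if __name__ == "__main__":
    for line in notify(evaluate_triggers(FLOWS)):
        print(line)
```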

2.4 Extending USG’s RF Footprint

Small cells are small form factor base stations that may be deployed in USG campus environments or on military bases to extend commercial wireless service in-building or outdoors. The ALU portfolio of small cell products has various form-factors, commercial RF spectrum options and output power levels.

ALU’s award-winning [5] lightRadio™ is a radically different small cell product family, the first of its kind. The lightRadio™ technology is a single, scalable small cell, the “Cube” shown in Figure 2.4-1. This portfolio is multi-technology and multi-band with wideband active antenna arrays, deployable on a pole, in a stadium or on a building façade, putting data capacity where it is needed and extending RF coverage. Bell Labs’ analysis estimates that lightRadio™ achieves significant operational savings over legacy RAN systems: 66% site rental, 60% civil works, and 51% power consumption.

Figure 2.4-1 | lightRadio™ Cube

The lightRadio™ small cells portfolio is being integrated with Wi-Fi access. This innovative, 3GPP standards-based approach provides a ubiquitous and economical alternative that extends USG’s wireless on-campus footprint with trusted Wi-Fi and LTE in the same cube-based cell. Furthermore this solution offers seamless and secure roaming between the 4G and Wi-Fi networks using the same mobile device. Both network access and seamless roaming are managed by a policy-based controller in the LGS Evolved Packet Core (EPC) via secure tunneling mechanisms between an ALU WLAN Gateway and the user device.

lightRadio™ highlights:

» Bell Labs innovations in RF components
» Software-defined ultra-compact baseband System-on-a-Chip (SoC)
» Bell Labs advanced CPRI compression
» Network MIMO/CoMP leadership
» End-to-end IP design and management
» Currently in commercial trials

[5] Alcatel-Lucent’s lightRadio™ receives first place award in 2011 CTIA E-Tech Competition honoring emerging mobile technologies.

2.5 LGS 4G Dedicated Core

LGS’ 4G USG Network solution provides a dedicated 4G Core architecture that secures the USG data within the enclave and on the mobile device, thereby enabling secure mobile access to cloud-based applications, user privacy, and policy based roaming. The 3GPP standards specify network options that support sharing of various elements in the LTE network, such as the Multiple Operator Core Network (MOCN). The MOCN standard allows a mobile service provider to operate a private 4G Core, while sharing a commercial service provider’s cellular RAN and associated RF spectrum.

An MOCN approach configured in a government framework is shown in Figure 2.5-1. The USG supports a private 4G Core infrastructure, which is operated by managed services within a USG Network Operations Center (NOC). This architectural approach provides ubiquitous LTE and Wi-Fi service to the 4G mobile government worker, while retaining privacy and security of government’s data, cloud-based applications, policies and device configurations. In this architecture the USG traffic is identified and routed to the appropriate EPC by assigning a Public Land Mobile Network (PLMN) identifier to the USG as specified by standards.

Figure 2.5-1 | 3GPP MOCN Concept Architecture Framework

Evolved Packet Core (EPC)

The primary elements of the 4G EPC, as illustrated in Figure 3-1.1, are the SGW 7750 (Serving Gateway), PGW 7750 (Packet Data Network Gateway), MME 9471 (Mobility Management Entity), and PCRF (Policy and Charging Resource Function). The Serving Gateway is a data plane element whose primary function is to manage user-plane mobility and act as a demarcation point between the RAN and core networks. The SGW maintains data paths between eNodeBs and the PGW. From a functional perspective, the SGW is the termination point of the packet data network interface towards E-UTRAN. When users’ devices move across areas served by eNodeB elements in E-UTRAN, the SGW serves as a local mobility anchor.

The SGW carries out the following general functions:

» Mobility anchoring for inter-3GPP handovers
» Idle mode downlink packet buffering
» Local mobility anchor for inter-eNodeB handovers
» Packet routing and forwarding.

Like the SGW, the Packet Data Network Gateway (PDN-GW or PGW) is the termination point of the packet data interface towards the Packet Data Network(s). The PGW carries out the following general functions:

» IP anchor point for bearers
» UE IP address allocation
» Per-user based packet filtering
» Connectivity to packet data network.

The Mobility Management Entity (9471 MME) is the network element that provides mobility and session control management and authentication for LTE User Equipment (UE). The MME performs the signaling and control functions to manage UE access to network connections, and assignment of network resources and the management of the mobility states to support tracking, paging, roaming, and handovers. The MME provides routing to the USG or commercial service provider based on the PLMN.

The MME carries out the following general functions:

» Authentication
» Tracking area list management
» Idle mode UE reachability
» SGW/PDN EPC selection based on PLMN
» Inter core network node signaling for mobility between 2G/3G and LTE
» Bearer management functions.
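Section 2.5 states that USG traffic is identified and routed to its own EPC by the PLMN identifier assigned to the USG, and the MME function list above includes SGW/PDN EPC selection based on PLMN. The following is an added example, not LGS, Alcatel-Lucent or 3GPP code: an MME-style selection step that reads the home PLMN (MCC + MNC) from a UE's IMSI, maps it to the USG dedicated core or a commercial core, and applies the dual-homing rules of Table 1-1 when the UE has selected a PLMN other than its home one. All PLMN values are constructed (MCC 001 is the 3GPP test MCC); the MNC-length table, core names and policy keys are assumptions.

```python
"""Added example (not LGS, Alcatel-Lucent or 3GPP code): PLMN-based EPC
selection with dual-homing policy. PLMN values are constructed; the MNC-length
table, core names and policy keys are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The IMSI does not encode the MNC length; an MME is configured with it per MCC.
# Constructed configuration for the 3GPP test MCC used below.
MNC_LENGTH_BY_MCC: Dict[str, int] = {"001": 2}

# Constructed PLMN -> core mapping. In MOCN the shared RAN broadcasts several
# PLMN IDs; the PLMN assigned to the USG selects its dedicated EPC.
PLMN_TO_CORE: Dict[str, str] = {
    "001-01": "usg-dedicated-epc",   # placeholder for the USG-assigned PLMN
    "001-02": "commercial-epc",      # placeholder for a commercial operator's PLMN
}


@dataclass(frozen=True)
class Plmn:
    mcc: str
    mnc: str

    def __str__(self) -> str:
        return f"{self.mcc}-{self.mnc}"


def parse_imsi(imsi: str) -> Tuple[Plmn, str]:
    """Split an IMSI into (home PLMN, MSIN). Malformed input raises ValueError."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    if mcc not in MNC_LENGTH_BY_MCC:
        raise ValueError(f"MNC length not configured for MCC {mcc}")
    n = MNC_LENGTH_BY_MCC[mcc]
    return Plmn(mcc, imsi[3:3 + n]), imsi[3 + n:]


def select_core(imsi: str, selected_plmn: str,
                policy: Dict[str, bool]) -> Tuple[Optional[str], str]:
    """Decide which EPC serves an attach request.

    imsi          -- identity presented by the UE
    selected_plmn -- PLMN the UE chose from the cell's broadcast list ("MCC-MNC")
    policy        -- assumed dual-homing flags mirroring Table 1-1:
                     usg_roaming_allowed   : allow USG UEs on commercial networks
                     commercial_in_enclave : admit commercial UEs on the USG PLMN
    Returns (core name or None, reason); None means the attach is rejected.
    """
    home_plmn, _msin = parse_imsi(imsi)
    home_core = PLMN_TO_CORE.get(str(home_plmn))
    target_core = PLMN_TO_CORE.get(selected_plmn)
    if home_core is None or target_core is None:
        return None, "unknown PLMN"
    if str(home_plmn) == selected_plmn:
        return home_core, "home PLMN: routed to home core"
    # Roaming between the USG PLMN and a commercial PLMN is a policy decision.
    if home_core == "usg-dedicated-epc":
        if policy.get("usg_roaming_allowed", False):
            return target_core, "USG UE roaming on commercial PLMN permitted by policy"
        return None, "USG UE roaming on commercial PLMN denied by policy"
    if policy.get("commercial_in_enclave", False):
        return target_core, "commercial UE admitted on USG PLMN by policy"
    return None, "commercial UE denied on USG PLMN (enclave restriction)"


if __name__ == "__main__":
    usg_policy = {"usg_roaming_allowed": True, "commercial_in_enclave": False}
    for imsi, plmn in [("001010123456789", "001-01"),
                       ("001010123456789", "001-02"),
                       ("001020000000001", "001-01")]:
        print(imsi, plmn, select_core(imsi, plmn, usg_policy))
```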

The Policy and Charging Resource Function (PCRF) is tasked with orchestrating end-to-end quality of service (QoS) for end-user services delivered across the EPC. The Alcatel-Lucent 5780 Dynamic Service Controller (DSC) implements a 3GPP-compliant PCRF functional entity. It provides authorization during UE attachment to the network, and more importantly it provides dynamic session management (i.e., service request and dedicated bearer establishment). In addition the DSC serves as the Access Network Discovery and Selection Function (ANDSF) for Wi-Fi access and roaming control mechanisms.

The PCRF carries out the following general functions:

» Network control of Service Data Flow detection, gating, QoS, and flow-based charging
» Dynamic policy decision on service data flow treatment in the Policy and Charging Enforcement Function (PCEF) on the PGW
» Authorization of QoS resources
» Automated Wi-Fi access based on location; seamless and secure handover through policy-based roaming.

HSS-8650 (Home Subscriber Server)

The Home Subscriber Server (HSS-8650) is a master user database that supports the network entities that handle the network connections. The HSS contains the subscription-related information (user profiles), performs authentication and authorization of the user, and can provide information about the user’s physical location. The HSS function is provided on the 8650 Subscriber Data Management (SDM). The HSS supports a Diameter-based interface to the MME to support authentication of the user device, tracking area for mobility, PGW session information, and subscriber data.

The HSS carries out the following general functions:

» Master user database
» Tracking area for mobility
» PGW session information
» Subscriber data

AAA servers in CDMA networks support the functions of Authentication, Authorization, and Accounting. For LTE, the HSS and AAA functionalities are co-located.

SAM-5620 (Service Aware Manager)

The 5620 Service Aware Manager (SAM) is a comprehensive set of element, network, and mobile service layer management capabilities for the Alcatel-Lucent MME, SGW, PGW, and PCRF elements. In addition, the same 5620 SAM manages the Alcatel-Lucent portfolio of Service Router products which play a central role in the IP/MPLS-based Mobile Evolution Transport Architecture (META). The co-existence of these capabilities on the same platform places the 5620 SAM in the unique position of being able not only to offer end-to-end management for both the mobile service and transport layers, but also to provide seamless integration between these layers.

SAM-8950

The 8950 SAM is a workflow-enabled provisioning OSS that provides automated flow-through service activation and provisions services quickly and cost-effectively for the IMS. There is a single point of entry via an open, published north-bound SOAP/XML API. This interface validates each request and selects an appropriate workflow using a set of configurable rules. A web-based graphical user interface (GUI) allows the system operator to create orders, view details, search orders, manage manual tasks and run reports.

Supporting Network Elements

» 8950 AAA – server validates roaming onto CDMA networks & performs the authentication and authorization required for 3GPP2 roaming
» VitalQIP DNS/DHCP – Domain Name Server/Dynamic Host Configuration Protocol (DNS/DHCP) IP address management
» 8960 iECCF – Instant Enhanced Charging Collection Function (iECCF) performs off-line accounting and usage tracking
» 5450 ISC – IP Session Controller (ISC) or compact IMS, along with the Short Message System (SMS) provides MDM through its interface with Motive
» Fortigate – FIPS 140-2 compliant security gateway managed by the FortiMgr vendor product.

3. Summary

LGS Innovations offers the U.S. Federal Government innovative, state-of-the-art concepts that are realized through our fielded LTE portfolio. The U.S. Federal Government turns to LGS Innovations to research, develop and deploy networking and communications solutions for its missions around the world, trusting the company to address its most challenging communications needs. LGS Innovations is the U.S. Federal Government’s one-stop shop for mobile network needs – from infrastructure requirements to network architecture and network operations, Systems Engineering and Technical Assistance (SETA) consulting, 4G LTE managed services and product-only solutions.

© 2014 LGS Innovations LLC - All rights reserved. LGS, LGS Innovations, and the LGS Innovations logo are trademarks of LGS Innovations LLC.

4. Appendix — VoLTE Security Proposal

The goal in the VoLTE Call Encryption service is to provide an additional layer of security for voice calls made between mobile phones to assure end-to-end voice security and prevent third-party eavesdropping. To achieve this service requires mutual authentication between the user and IMS service management, signaling protection, and media encryption.

In the MIKEY-IBAKE solution framework, illustrated in Figure Appendix-1, every participant has an Identity-Based Public Key and a corresponding secret Private Key issued by a new Key Management System (KMS). Participants obtain private keys from the KMS offline, for example participants contact their KMS once a month. The IBAKE messages during key exchange are encrypted using Identity Based Encryption. All involved parties are mutually authenticated and contribute to the session key generation so that only intended peers know the session key (the key is not known to the KMS, and SPs will not know the media plane session encryption key). There is no interface between KMSs, and no need for on-line KMSs. This standard, or an alternate standards contribution, would allow SPs to offer a commercial encrypted VoIP service for sensitive communications.

Figure Appendix-1 | MIKEY-IBAKE Framework

Figure Appendix-1 labels: Initiator; Initiator’s KMS (KMS-I); Responder; Responder’s KMS (KMS-R); Secure RTP between Initiator and Responder. The exchanges with the KMSs take place periodically. Initiator and Responder have security associations with their corresponding KMSs; the Identity-Based, Authenticated Key Exchange allows SRTP encrypted call set-up.