On demand network-wide VPN deployment in GPRS

C. Xenakis, L. Merakos
2002 IEEE Network  
The Mobile Internet requires enhanced security services available to all mobile subscribers in a dynamic fashion. A network-wide Virtual Private Network (VPN) deployment scenario over the General Packet Radio Service (GPRS) is proposed and analyzed from a security viewpoint. The proposed security scheme improves the level of protection that is currently supported in GPRS and facilitates the realization of Mobile Internet. It secures data transmission over the entire network route from a mobile user to a remote server by utilizing the default GPRS ciphering over the radio interface, and by deploying an IP VPN over the GPRS core, as well as on the public Internet. Thus, on-demand VPN services are made available for all GPRS network subscribers and roaming users. The VPN functionality, which is based on the IPsec framework, is outsourced to the network infrastructure so as to eliminate the potential computational overhead on the mobile device. The VPN initialization and key agreement procedures are based on an Internet Key Exchange (IKE) protocol proxy scheme, which enables the mobile station to initiate a VPN establishment, while shifting the complex key negotiation to the network infrastructure. The deployed VPN operates transparently to the mobile subscribers' movement. The required enhancements for security service provision can be integrated in the existing network infrastructure, and therefore, the proposed security scheme can be employed as an add-on feature to the GPRS standard.

Keywords - Security, Virtual Private Network (VPN), General Packet Radio Service (GPRS), IP Security (IPsec), Internet Key Exchange (IKE), Network Address Translation (NAT).

security; the second pertains to a network-based approach, where the VPN functionality is outsourced to the network operator or the service provider. Currently, GPRS supports static VPN deployment between the border gateway of the GPRS core network and a remote corporate security gateway. This means that VPNs are realized under certain circumstances, and cannot satisfy the new emerging security requirements that the Mobile Internet introduces. Furthermore, this security scheme permits the flow of unprotected data over the GPRS backbone, exposing them to various attacks [2]. In this paper, a dynamic network-wide VPN deployment scenario over the GPRS network is proposed and analyzed from a security point of view.
The proposed security scheme, which is based on the IPsec [1] protocol suite, improves the level of protection that is currently supported in GPRS. The mobile user initiates a VPN establishment between the involved Serving GPRS Support Node (SGSN) and a corporate security gateway or another SGSN, outsourcing the complex key negotiation and encryption/decryption functionality to the network infrastructure. Thus, on-demand VPN services are available for all GPRS network subscribers and roaming users. The proposed security scheme provides maximal security services by employing the existing GPRS security over the radio interface, and protecting data transmission over the GPRS backbone and the public Internet. Network Address Translation (NAT) [5] is also used since the mobile users utilize private unregistered IP addresses. The required enhancements for the VPN establishment and maintenance can be integrated within the existing network infrastructure, and the deployed VPN operates transparently to the GPRS functionality. The rest of this paper is organized as follows. Section 2 introduces the GPRS mobile system. Section 3 presents IP security, focusing on the incompatibilities that may arise from the simultaneous use of IPsec and NAT technologies. Section 4 describes the VPN deployment, and analyzes the required network enhancements, the IPsec protocol configuration and operation, as well as the assumed trust model. Section 5 presents a qualitative evaluation of the proposed network-wide VPN scheme, and Section 6 contains the conclusions.

GPRS NETWORK

The Mobile Internet is becoming available with the deployment of the enhanced version of second-generation mobile communication systems, such as GPRS. GPRS attempts to reuse the existing Global System for Mobile communication (GSM) network elements as much as possible, but in order to effectively build a packet-based mobile cellular network, some new network elements, interfaces, and protocols are required [3].
The new network nodes are called GPRS Support Nodes (GSN). The SGSN is responsible for the delivery of data packets from and to the Mobile Station (MS) within its service area. The Gateway GSN (GGSN) acts as an interface between the GPRS backbone network and the external packet data network. The communication between the GSNs is based on IP tunnels through the use of the GPRS Tunneling Protocol (GTP) [3]. The GPRS network architecture is illustrated in Fig. 1.
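The roadmap above defers the incompatibilities between IPsec and NAT to Section 3; they matter in this architecture because mobile stations use private unregistered addresses that get translated at the border to the external packet data network. The following Python snippet is an added example, not code from the paper or its authors. With constructed addresses and a constructed key it models one such incompatibility: an AH integrity check computed on the mobile side of the NAT fails once the source address is rewritten, whereas an ESP tunnel-mode check, whose ICV does not cover the outer IP header, still verifies. The packet model and the use of HMAC-SHA-256 truncated to 96 bits are simplifications assumed for the demonstration.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo values (not from the paper): a shared authentication key, a mobile
# station holding a private address, the public address the GPRS border NAT maps it to,
# and the corporate security gateway at the far end of the VPN.
DEMO_KEY = b"constructed-demo-authentication-key"
MS_PRIVATE_IP = "10.0.0.5"
NAT_PUBLIC_IP = "198.51.100.7"
CORPORATE_GW_IP = "203.0.113.10"
ICV_LEN = 12  # IPsec truncates the HMAC output to 96 bits (12 bytes)


def make_packet(src, dst, payload, ttl=64):
    """Minimal IPv4-like packet holding only the fields the demonstration needs."""
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload}


def _ah_covered_bytes(pkt):
    """Bytes AH authenticates: the IP header with mutable fields zeroed, then the payload.

    Source and destination addresses are immutable in transit, so AH covers them;
    TTL is mutable and is treated as zero. A NAT that rewrites the source address
    therefore changes the authenticated input.
    """
    return (ipaddress.IPv4Address(pkt["src"]).packed
            + ipaddress.IPv4Address(pkt["dst"]).packed
            + b"\x00"  # TTL zeroed for the ICV computation
            + pkt["payload"])


def ah_icv(pkt, key=DEMO_KEY):
    return hmac.new(key, _ah_covered_bytes(pkt), hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(pkt, key=DEMO_KEY):
    """ESP's ICV covers the ESP header, the protected payload and the trailer.

    Here pkt["payload"] stands in for all of those; the point is that none of them
    include the outer IP header, so the outer source address is not authenticated.
    """
    return hmac.new(key, pkt["payload"], hashlib.sha256).digest()[:ICV_LEN]


def nat_translate(pkt, public_src):
    """Simulate the NAT at the GPRS border: rewrite the private source address, decrement TTL."""
    translated = dict(pkt)
    translated["src"] = public_src
    translated["ttl"] = pkt["ttl"] - 1
    return translated


def verify(icv_fn, pkt, icv, key=DEMO_KEY):
    """Receiver-side check: recompute the ICV over the packet as received."""
    return hmac.compare_digest(icv_fn(pkt, key), icv)


def ah_verifies_without_nat():
    """Baseline: an AH packet delivered unchanged verifies at the corporate gateway."""
    pkt = make_packet(MS_PRIVATE_IP, CORPORATE_GW_IP, b"inner datagram")
    icv = ah_icv(pkt)
    return verify(ah_icv, pkt, icv)


def ah_verifies_after_nat():
    """AH packet from the MS, passed through the border NAT, checked at the gateway."""
    pkt = make_packet(MS_PRIVATE_IP, CORPORATE_GW_IP, b"inner datagram")
    icv = ah_icv(pkt)
    return verify(ah_icv, nat_translate(pkt, NAT_PUBLIC_IP), icv)


def esp_verifies_after_nat():
    """ESP tunnel-mode packet: the original IP header travels inside the protected
    payload, so rewriting the outer source address leaves the authenticated bytes intact."""
    inner = ipaddress.IPv4Address(MS_PRIVATE_IP).packed + b"inner datagram"
    pkt = make_packet(MS_PRIVATE_IP, CORPORATE_GW_IP, inner)
    icv = esp_icv(pkt)
    return verify(esp_icv, nat_translate(pkt, NAT_PUBLIC_IP), icv)


if __name__ == "__main__":
    print("AH without NAT verifies: ", ah_verifies_without_nat())
    print("AH through NAT verifies:  ", ah_verifies_after_nat())
    print("ESP through NAT verifies: ", esp_verifies_after_nat())
```

ESP in tunnel mode survives the rewrite only because the outer header is neither authenticated nor encrypted; in transport mode the inner transport checksum would still be bound to the private address. The general rule for a design like the one above, where private addresses are translated at the border, is that any integrity value bound to an address must be computed on the same side of the NAT where that address is valid.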
doi:10.1109/mnet.2002.1081763