# [Intern] 07/09/2022 Transport Security Considerations for the Open-RAN Fronthaul.

###### tags: `BMW-Lab`, `Intern`

:::success
**Goal:**
To summarize the Transport Security Considerations for the Open-RAN Fronthaul.
:::

:::success
**References**
- [Transport Security Considerations](https://drive.google.com/file/d/1MSqiLzVM-UEENGvis2izkJ-Mt7jlq9u1/view)
:::

## O-FH transport network

The fronthaul (O-FH) provides data transfer between the O-DU and the O-RU (as shown in the figure), where the C/U/S planes determine the data transfer method and the time synchronization method between the O-RU and the O-DU.

![](https://imgur.com/a13iMqe.png)
![](https://imgur.com/4nY9ZBx.png)

It is common knowledge that the O-FH transport network has a lot of different security risks. The O-FH threat scenarios are:

## C-Plane

An attacker can claim to be an O-DU and inject its own control messages into the O-RU. These control messages can be crafted to achieve a desired behavior of the U-Plane packets, or they can be false messages that cause a Denial-of-Service (DoS) in the O-RU. An attacker can inject false data into legitimate control messages between the O-DU and O-RU, causing, as before, a degradation in the performance of the O-RU. An attacker can also identify and intercept a specific legitimate, non-corrupted control message, store it, delay it and/or re-transmit it repeatedly.

## U-Plane

The attacker can impersonate an O-RU or O-DU and perform a DoS by injecting false U-Plane packets or corrupting legitimate ones. An attacker can intercept legitimate user packets through passive wiretapping, but would still need to break upper-layer security, if implemented. Additionally, an attacker can enable a rogue base station to manipulate or redirect user data messages.

## S-Plane

The attacker can impersonate a legitimate clock (master, slave, or intermediate) and send malicious time protocol packets to the O-DU, O-RU, or intermediate nodes in the O-FH.
An attacker can also inject an excessive number of false packets, thus causing a complete time misalignment, which can result in a degradation or interruption of the clock service.

Delay attacks and packet removal attacks, which can also be applied to the other planes, have a more significant impact in the S-Plane. An attacker can introduce random packet delays on PTP messages between master and slaves, causing an inaccurate PTP offset calculation and a synchronization mismatch. An attacker can also selectively remove or drop synchronization packets between the O-DU, O-RU, and intermediate nodes, causing a complete DoS to the O-RAN.

## M-Plane

As the M-Plane operates in the application layer and is secured by TLS or SSH, its messages are directly threatened only if an attacker can break that security and thereby gain OAM access. However, the same kind of Layer-2 threats that affect the other planes will also impact the M-Plane. Ethernet frames carrying M-Plane messages can be corrupted, or false messages can be injected, again causing DoS to the network.

## MAC Security (MAC-sec)

The main solution for protecting the O-FH is MAC Security (MAC-sec), a Layer-2 security protocol standardized by the IEEE to protect Ethernet frames. Its security features of data confidentiality, authenticity and integrity offer the protection required in the O-FH.

MACsec IP provides Ethernet Layer 2 security for data confidentiality and data integrity as standardized in IEEE 802.1AE. The MACsec IP protects components in Ethernet networks, especially the high-speed Ethernet used in 5G networks and in the industrial, automotive and cloud industries. The MACsec IP is a fully compliant solution that provides line-rate encryption, is configurable to support multiple Connectivity Associations (SecYs) for traffic differentiation, and supports VLAN-in-clear. The MACsec solution additionally includes a software tool for MACsec Key Agreement Protocol IEEE 802.1X integration.
The protection of each plane using MACsec can be analysed using a default O-FH scenario. It consists of a point-to-point connection between two hosts (O-RU and O-DU), with four ports, one for each plane. When MACsec is enabled on the two hosts, all ports are initially mutually authenticated by the MKA protocol, meaning that each port will only accept Ethernet frames from the corresponding port and host. For Ethernet frames, MACsec offers encryption, which keeps the frames private on the link, and integrity protection, which identifies and rejects any corrupted frames. Additionally, a replay window can be set in MACsec to ensure in-order delivery of frames.

Hence, MACsec can protect all planes in the O-FH from:

- injection of malicious frames received from illegitimate nodes,
- frame transmission to illegitimate nodes,
- frame eavesdropping,
- corruption of legitimate frames,
- frame replay.

Even if a MitM intends to impersonate either the O-RU or the O-DU, it will still have no access to the security session keys for encryption and integrity residing in the legitimate O-RU and O-DU.

## Conclusion

Unfortunately, hacking software is developing together with new-generation network technology. Nowadays, we can see a new generation of hacking software like Pegasus, which easily hacks cellphones and base stations across the whole world. This makes the Transport Security Considerations for the Open-RAN Fronthaul not efficient. However, these solutions will definitely decrease the number of possibilities for attackers.
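
The S-Plane section above states that delaying PTP messages causes an inaccurate offset calculation. The following added example (not from the referenced document) works through the standard PTP delay request-response arithmetic to show the size of that error and a simple monitoring check. The timestamps, the delay values and the `delay_alarm` helper with its baseline and tolerance are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Exchange:
    """Timestamps of one PTP delay request-response exchange, in ns."""
    t1: int  # master sends Sync
    t2: int  # slave receives Sync
    t3: int  # slave sends Delay_Req
    t4: int  # master receives Delay_Req

def offset_from_master(x: Exchange) -> float:
    # PTP assumes the path delay is the same in both directions.
    return ((x.t2 - x.t1) - (x.t4 - x.t3)) / 2

def mean_path_delay(x: Exchange) -> float:
    return ((x.t2 - x.t1) + (x.t4 - x.t3)) / 2

def simulate(true_offset: int, d_ms: int, d_sm: int,
             t1: int = 1_000_000, turnaround: int = 50_000) -> Exchange:
    """Constructed exchange: slave clock = master clock + true_offset,
    d_ms / d_sm are the one-way delays master->slave and slave->master."""
    t2 = t1 + d_ms + true_offset
    t3 = t2 + turnaround
    t4 = t3 + d_sm - true_offset
    return Exchange(t1, t2, t3, t4)

def delay_alarm(x: Exchange, baseline_ns: float, tolerance_ns: float) -> bool:
    """Hypothetical monitor: flag an exchange whose measured path delay
    departs from the baseline recorded for this fixed fronthaul link."""
    return abs(mean_path_delay(x) - baseline_ns) > tolerance_ns

# Constructed values: 250 ns real offset, 5 us delay each way.
clean = simulate(true_offset=250, d_ms=5_000, d_sm=5_000)
# Same link with 3 us of extra delay added to Sync messages only.
delayed = simulate(true_offset=250, d_ms=5_000 + 3_000, d_sm=5_000)

if __name__ == "__main__":
    for name, x in (("clean", clean), ("delayed", delayed)):
        print(name, offset_from_master(x), mean_path_delay(x),
              delay_alarm(x, baseline_ns=5_000, tolerance_ns=500))
```

A one-way delay of δ shifts the computed offset by δ/2 and raises the measured mean path delay by the same amount, which is what the baseline comparison detects.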
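
The MACsec section above mentions that a replay window can be set. The following added example (not from the referenced document) models the receive-side packet number (PN) check of IEEE 802.1AE for one secure association, comparing a window of 0 with a window of 2. It is simplified: integrity verification is assumed to have succeeded, and the class name and the PN sequence are constructed.

```python
class ReplayGuard:
    """Model of the MACsec receive-side PN check for one secure association."""

    def __init__(self, replay_window: int):
        self.replay_window = replay_window
        self.next_pn = 1  # lowest PN not yet received; PN 0 is never valid

    def lowest_acceptable_pn(self) -> int:
        return max(self.next_pn - self.replay_window, 1)

    def accept(self, pn: int) -> bool:
        # Frames below the lowest acceptable PN are dropped as late/replayed.
        if pn < self.lowest_acceptable_pn():
            return False
        # A real receiver verifies the integrity check value before this point.
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True


def run(replay_window: int, pns: list[int]) -> list[bool]:
    """Feed a sequence of received PNs through a fresh guard."""
    guard = ReplayGuard(replay_window)
    return [guard.accept(pn) for pn in pns]


# Constructed arrival order: in-order frames, a replay of PN 2,
# a reordered pair (5 before 4), then stale copies of PN 3 and PN 1.
SAMPLE_PNS = [1, 2, 3, 2, 5, 4, 3, 1]

if __name__ == "__main__":
    for window in (0, 2):
        print(window, run(window, SAMPLE_PNS))
```

With a window of 0 only strictly increasing PNs pass, which matches the in-order delivery the section describes. With a window of 2 the reordered PN 4 is tolerated, but so is the repeated PN 2, because the check tracks only the lowest acceptable PN and not each PN already seen.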