# [Intern] 06/09/2022 The Security Aspect of 5G Fronthaul.
###### tags: `BMW-Lab`, `Intern`
:::success
**Goal:** To summarize the security aspects of the 5G fronthaul.
:::
:::success
**References**
- [The Security Aspect of 5G Fronthaul](https://drive.google.com/file/d/1wN4IfavluAqIokRpcNMnAblhgvXUoztr/view) (the summarised paper's running title is "Securing Ethernet-based Optical Fronthaul for 5G Network")
:::
## Background
### CPRI and eCPRI
CPRI (Common Public Radio Interface) defines the interface between the REC (Radio Equipment Control) and the RE (Radio Equipment) of a radio base station. It has been the fronthaul protocol of choice between the baseband unit and the radio units on the tower through several generations of cellular networks, and it carries digitised I/Q samples over efficient and flexible interfaces for various radio standards, such as GSM, WCDMA and LTE.

The flexible fronthaul configurations needed by new 5G applications led to eCPRI, issued after CPRI. eCPRI specifies the connection between eREC and eRE over a packet-based (Ethernet or IP) fronthaul transport network and is mainly used for 5G systems, LTE-Advanced and LTE-Advanced Pro. It balances the latency, throughput and reliability requirements of advanced 5G applications and is expected to support 5G by enabling increased efficiency. eCPRI is also an open interface, allowing vendors and carriers to work together in a more complementary way, which can bring about better connected and faster networks worldwide.

### BASEBAND UNIT (BBU)
A baseband unit (BBU) is the part of a base station that performs the baseband signal processing. It usually connects to a remote radio unit over optical fibre, i.e. over the fronthaul. BBUs are found in a wide range of telecom systems that route data to user endpoints, as well as in different types of enterprise architectures.
### REMOTE RADIO UNIT (RRU)
A Remote Radio Unit (RRU), commonly called a Remote Radio Head (RRH), is the transceiver mounted at the antenna of a wireless base station. It converts between the digitised baseband samples carried on the fronthaul and the radio signals that connect user devices to the network, making it possible to send and receive calls, messages and data.
## Security Threats in 5G Fronthaul
In a 5G network the core network is normally regarded as the secure domain. However, some network functions, or parts of them, may be deployed in an untrusted domain. This increases the risk for the communication between the radio access network (RAN) and the core network (CN), as well as for the communication between CN elements located in secure and non-secure domains. The referenced paper identifies the following categories of typical security threats on optical fronthaul networks.
### Eavesdropping / packet sniffing
Eavesdropping is an attempt to gain unauthorised access to the carried data, in order to steal it or to analyse the network traffic, without breaking the connection. There are several ways to tap an optical fibre, including fibre bending, splitting, evanescent coupling, scattering and V-grooves. Tapping a fibre is not very difficult: a commercially available clip-on coupler can detect the optical signal leaked by a bend in the fibre. A more complex method is to observe the signal leaked through crosstalk in optical switching. Once physical access to the fibre is available, the signal can be captured easily, and the data of millions of users and billions of applications is exposed to theft and manipulation. Neither CPRI nor eCPRI encrypts the carried data itself, so a tapped fronthaul exposes the I/Q samples and control messages in the clear unless a protection such as MACsec or IPsec (see Security Solutions below) is applied.
### Denial of Service (DoS) attack
Denial of Service (DoS) is one of the critical cyber-attacks on 5G networks. Attackers can launch DoS attacks on the user plane by sending bogus packets into the network. In an optical fronthaul network, an attacker may inject bogus packets into the fibre and flood the path towards the core network. This leads to denial of service, or at least to throughput degradation caused by congestion. For instance, simulation results of DDoS attacks on optical fibre cable have been presented.
### Network intrusion
Attackers may attempt to intrude into the network via the fronthaul, access resources and manipulate network operation. Malicious applications and network devices may allow an attacker to introduce vulnerabilities into the core network. This type of attack is critical for optical networks managed by an SDN controller, because an attacker who hijacks the SDN controller can control the entire 5G network.
### Man-in-the-middle attack
A man-in-the-middle attack becomes possible when the communication endpoints are not authenticated. An attacker who can impersonate a legitimate network device can place himself between the endpoints to monitor, modify or inject control messages, as with the Pegasus spyware.
### Quantum attacks
Quantum attacks are a new and critical threat to the internet, including 5G networks. It is well known that the most popular public-key cryptosystems, such as RSA, ECC and the Diffie-Hellman key exchange, will be broken by Shor's algorithm once large-scale quantum computers are available. One may argue that it is too early to discuss this threat, since nobody knows when such quantum computers can be built. However, as long as there is a non-negligible risk of quantum attacks, including harvest-now-decrypt-later attacks in which traffic captured today is decrypted later, it is reasonable to consider quantum security at the 5G architecture design stage. The quantum attack should therefore be regarded as one of the serious threats a 5G security framework should address. Note that the exposure lies in the public-key authentication and key exchange of the solutions below; their symmetric data encryption (AES-GCM, ChaCha20-Poly1305) is not broken by Shor's algorithm, and 256-bit keys keep an adequate margin against Grover's algorithm.
## Security Solutions
For the security of the 5G fronthaul, network nodes should be mutually authenticated and the traffic between them should be encrypted and integrity protected. In 5G architectures the traffic from the RRH traverses Ethernet or IP networks, which introduces a variety of security concerns; security breaches can lead to severe service disruptions and financial loss. Service providers must put systems and controls in place to protect their networks against malicious attacks and to ensure the integrity and confidentiality of voice and data communications. The referenced paper considers three candidates: MACsec at the Ethernet layer, IPsec at the IP layer, and WireGuard, a newer IP-layer tunnel.
### MACsec
MACsec (Media Access Control Security) is the IEEE 802.1AE standard for point-to-point (hop-by-hop) secure communication over Ethernet. When MACsec is enabled, each frame on the wire is protected with an authenticated symmetric cipher, GCM-AES-128 or GCM-AES-256, which provides both confidentiality and integrity: the MAC addresses and the SecTAG stay in the clear but are integrity protected, while the original EtherType and payload are encrypted. MACsec Key Agreement (MKA) is the companion protocol defined in IEEE Std 802.1X-2010; it mutually authenticates the two ports (for instance from a pre-shared connectivity association key, CAK) and derives and distributes the secure association keys (SAKs) used on the data plane. For a point-to-point direct link, ASIC-based MACsec adds approximately 1 to 3 µs of latency and about 32 bytes of overhead per frame (a 16-byte SecTAG including the SCI, plus a 16-byte ICV).
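As an added example (not code from the page or from the referenced paper), the following Go program builds and verifies MACsec-style frames with the standard library's AES-GCM, to make the 32-byte figure and the integrity and replay protection concrete. It assumes a fixed 16-byte SAK, made-up locally administered MAC addresses and a constructed eCPRI payload; a real deployment obtains the SAK from MKA, runs MACsec in the NIC or switch ASIC, and may configure a non-zero replay window for links that reorder frames (this receiver is strict, window 0).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macsecEtherType = 0x88E5 // EtherType that opens the SecTAG
	ecpriEtherType  = 0xAEFE // EtherType of the eCPRI payload being protected
	sectagLen       = 16     // EtherType(2) TCI/AN(1) SL(1) PN(4) SCI(8)
)

var errReplay = errors.New("packet number already used: replay rejected")
var errICV = errors.New("ICV check failed: frame modified or wrong SAK")

// protect builds the 802.1AE frame dst || src || SecTAG || E(etherType || payload) || ICV.
// The MAC addresses and SecTAG are the AAD (sent in clear, covered by the ICV); the 96-bit
// GCM nonce is SCI || PN, so a PN must never be reused under the same SAK.
func protect(aead cipher.AEAD, dst, src [6]byte, sci [8]byte, an byte, pn uint32, etherType uint16, payload []byte) []byte {
	plain := make([]byte, 2+len(payload))
	binary.BigEndian.PutUint16(plain, etherType)
	copy(plain[2:], payload)
	tag := make([]byte, sectagLen)
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2] = 0x2C | (an & 0x03) // TCI: SC=1 (SCI present), E=1 and C=1 (encrypted); AN in the low 2 bits
	if len(plain) < 48 {
		tag[3] = byte(len(plain)) // SL: short length, set only when the secure data is under 48 octets
	}
	binary.BigEndian.PutUint32(tag[4:8], pn)
	copy(tag[8:16], sci[:])
	aad := append(append(append(make([]byte, 0, 12+sectagLen), dst[:]...), src[:]...), tag...)
	nonce := append(append([]byte{}, sci[:]...), tag[4:8]...)
	return append(aad, aead.Seal(nil, nonce, plain, aad)...)
}

// receiveSC is a receiving secure channel: the SAK plus strict replay state.
type receiveSC struct {
	aead   cipher.AEAD
	nextPN uint32 // lowest PN still accepted (replay window of 0)
}

// validate checks the SecTAG, PN and ICV and returns the inner EtherType and payload.
func (r *receiveSC) validate(frame []byte) (uint16, []byte, error) {
	if len(frame) < 12+sectagLen+2+16 || binary.BigEndian.Uint16(frame[12:14]) != macsecEtherType {
		return 0, nil, errors.New("not a MACsec frame")
	}
	pn := binary.BigEndian.Uint32(frame[16:20])
	if pn < r.nextPN {
		return 0, nil, errReplay
	}
	nonce := append(append([]byte{}, frame[20:28]...), frame[16:20]...) // SCI || PN from the SecTAG
	plain, err := r.aead.Open(nil, nonce, frame[28:], frame[:28])
	if err != nil {
		return 0, nil, errICV // reject without advancing the replay state
	}
	r.nextPN = pn + 1
	return binary.BigEndian.Uint16(plain[:2]), plain[2:], nil
}

// runDemo protects two eCPRI frames and replays the attacks from the text against the receiver.
func runDemo() (overhead int, roundTrip, tamperDetected, replayDetected bool) {
	// Constructed demo values: a fixed 16-byte SAK (MKA would derive it from the CAK;
	// a 32-byte key selects GCM-AES-256), locally administered MACs, SCI = src MAC || port 1.
	sak := []byte("0123456789abcdef")
	dst := [6]byte{0x02, 0, 0, 0, 0, 0x01}
	src := [6]byte{0x02, 0, 0, 0, 0, 0x02}
	sci := [8]byte{src[0], src[1], src[2], src[3], src[4], src[5], 0x00, 0x01}
	block, err := aes.NewCipher(sak)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	rx := &receiveSC{aead: aead, nextPN: 1}
	payload := []byte("eCPRI IQ sample block (constructed)")
	f1 := protect(aead, dst, src, sci, 0, 1, ecpriEtherType, payload)
	f2 := protect(aead, dst, src, sci, 0, 2, ecpriEtherType, payload)
	overhead = len(f1) - (12 + 2 + len(payload)) // plain frame: dst, src, EtherType, payload
	et, got, err := rx.validate(f1)
	roundTrip = err == nil && et == ecpriEtherType && string(got) == string(payload)
	bad := append([]byte{}, f2...)
	bad[30] ^= 0x01 // flip one bit of the encrypted payload
	_, _, err = rx.validate(bad)
	tamperDetected = errors.Is(err, errICV)
	_, _, err = rx.validate(f1) // PN 1 a second time
	replayDetected = errors.Is(err, errReplay)
	_, _, err = rx.validate(f2) // the genuine PN 2 frame must still pass: the bad one advanced nothing
	return overhead, roundTrip, tamperDetected, replayDetected && err == nil
}

func main() {
	fmt.Println(runDemo()) // 32 true true true
}
```

The run shows the MAC addresses and SecTAG travelling in the clear but covered by the ICV, a single flipped ciphertext bit being rejected before the replay state is touched, and a re-sent frame failing the packet-number check; the computed overhead is exactly the 16-byte SecTAG with SCI plus the 16-byte ICV mentioned above.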
### IPsec
IPsec is a widely deployed security protocol suite for IP networks. It lets a network entity in a public domain access a secure domain, and lets entities in different domains connect to each other securely. Most IPsec implementations consist of an IKE (Internet Key Exchange) daemon that negotiates the security associations, with numerous configuration options, and a kernel data path that processes the actual IP packets. However, the network domain partition in 5G networks is usually complicated, so a significant number of IPsec tunnels would be required, and configuring them is a big challenge in a large-scale deployment. Furthermore, IPsec tunnels commonly use certificate-based authentication, which carries the significant cost of maintaining a large-scale PKI: initial certificate enrolment, certificate revocation and the periodic update of revocation lists, each of which brings additional risk to the fronthaul network. An online certificate status protocol such as OCSP might address the revocation problem, but it is not widely used in this setting so far. In virtual infrastructure, certificate management is harder still because virtual network functions are deployed dynamically.
### WireGuard
WireGuard is a modern secure tunnel operating at the IP layer. Its handshake is based on the Noise protocol framework, which results in a minimal and secure message exchange; specifically, WireGuard uses the Noise IK handshake pattern, whose security has been formally verified (the reference is cited in the paper). The pattern needs one round trip between the initiator and the responder to compute the session keys; the responder's static public key is known to the initiator beforehand, and the initiator's static public key is transmitted in encrypted form. WireGuard transports IP packets point to point, encapsulated in UDP. The tunnel uses AEAD (Authenticated Encryption with Associated Data) for its data messages (Figure 2 of the referenced paper): the AEAD output is the ciphertext, of the same length as the plaintext, concatenated with a 128-bit authentication tag produced by the Poly1305 function (ChaCha20-Poly1305).