Redline Communications Inc. AN100UA User Manual
RedMAX™ Base Station User Manual
Doc. #70-00058-01-01
Proprietary Redline Communications © 2007
July 13, 2007
Page 89 of 119
6.1.5 Generic 802.3 DL Classifiers
When host learning is enabled, 802.3 classifiers created for downlink service flows will
be 'generic' type. The generic type 802.3 classifier allows all downlink Ethernet traffic
addressed to any of the learned hosts on the associated subscriber. Only the priority may
be adjusted on generic 802.3 classifiers.
6.1.6 DHCP Option 82
The DHCP option 82 support can be used by equipment upstream of the RedMAX base
station to uniquely identify when customer equipment located behind a subscriber issues
a request for network access (DHCP request for an IP address). This information, used in
combination with other network notification messages, allows network operators to be
informed when customers activate self-install CPEs. Operations can then take manual or
automated actions to authorize and activate the services for this subscriber.
The format of the Relay Agent Option 82 is as follows:
Circuit ID: MAC address of base station.
Remote ID: MAC address of subscriber.
GiAddr: Management IP address of base station (if added by upstream equipment).
Note: The subscriber CLI control 'dhcpRelayAgent' must be enabled prior to using the
Option 82 feature.
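The following is an added example, not part of the Redline manual: a sketch of how an upstream DHCP server or monitoring tool could read the fields listed above and decide whether a request comes from a known base station/subscriber pair. It assumes the MAC addresses are carried as 6 raw bytes in RFC 3046 sub-options 1 (Circuit ID) and 2 (Remote ID); the function names, sample MACs and sample packet bytes are constructed for illustration.

```python
import ipaddress

# RFC 3046 sub-option codes carried inside DHCP option 82.
CIRCUIT_ID, REMOTE_ID = 1, 2

def fmt_mac(raw):
    # Assumption: the relay agent writes each MAC as 6 raw bytes.
    if len(raw) != 6:
        raise ValueError(f"expected 6-byte MAC, got {len(raw)} bytes")
    return ":".join(f"{b:02x}" for b in raw)

def walk_tlv(data, pad_end=False):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 0:       # pad option has no length byte
            i += 1
            continue
        if pad_end and code == 255:     # end option
            return
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        yield code, data[i + 2 : i + 2 + data[i + 1]]
        i += 2 + data[i + 1]

def identify_request(options, giaddr, authorized):
    """Return who sent a DHCP request, or None if option 82 is absent."""
    for code, value in walk_tlv(options, pad_end=True):
        if code == 82:
            sub = dict(walk_tlv(value))
            break
    else:
        return None                     # no relay agent information present
    if CIRCUIT_ID not in sub or REMOTE_ID not in sub:
        raise ValueError("option 82 lacks Circuit ID or Remote ID")
    bs, ss = fmt_mac(sub[CIRCUIT_ID]), fmt_mac(sub[REMOTE_ID])
    return {"base_station": bs, "subscriber": ss,
            "giaddr": str(ipaddress.IPv4Address(giaddr)),
            "authorized": (bs, ss) in authorized}

# Constructed sample: message type option, then option 82, then end option.
BS_MAC = bytes.fromhex("020000000001")
SS_MAC = bytes.fromhex("020000000010")
SAMPLE_OPTIONS = (bytes([53, 1, 1, 82, 16, 1, 6]) + BS_MAC
                  + bytes([2, 6]) + SS_MAC + bytes([255]))
SAMPLE_GIADDR = bytes([192, 0, 2, 1])

if __name__ == "__main__":
    known = {("02:00:00:00:00:01", "02:00:00:00:00:10")}
    print(identify_request(SAMPLE_OPTIONS, SAMPLE_GIADDR, known))
```

A request whose pair is not in the authorized set comes back with `authorized` set to False, which is the point where an operator's manual or automated activation step would take over.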
6.2 Privacy Layer -- Encryption
6.2.1 Overview
All RedMAX equipment is hardware enabled to support the privacy sub-layer as defined
in 802.16-2004. The process of modem authentication and message exchange for user
traffic encryption is described fully in 802.16-2004. The Privacy Sub-layer can be
enabled on individual subscribers. This release supports user traffic encryption through
the DES cryptographic suite only, with the Traffic Encryption Key secured to a 3DES
level. Encryption must be enabled separately for the AN-100U and each participating
subscriber.
Authentication and registration are part of the 802.16 MAC common part sublayer.
Authentication is based on the use of PKI technology-based X.509 digital certificates.
Each wireless subscriber access modem will contain one built-in certificate for itself and
another for its manufacturer. These certificates allow the customer modem to uniquely
authenticate itself with the base station. The base station can then verify that the customer
modem is authorized to receive service. If the database lookup succeeds, the base station
sends the customer modem an encrypted authorization key, using the customer modem’s
public key. This authorization key is used to encrypt and protect any transmissions that
follow.
The authentication process ensures the subscriber modem is an authentic device and not a
rogue that was brought into the wireless sector area. For authentication the devices use
X.509 digital certificates [IETF RFC 3280] together with the RSA public-key encryption
algorithm. At the end of the authentication process, the device has a shared key with its
peer known as AK (Authentication Key). This key is used to derive the TEK.