Cisco Cisco Packet Data Gateway (PDG)
HNB Gateway in Wireless Network
▀ Features and Functionality - Optional Enhanced Feature Software
▄ HNB-GW Administration Guide, StarOS Release 18
56
IP Security (IPSec)
IP Security provides a mechanism for establishing secure tunnels from mobile subscribers to pre-defined endpoints (i.e.
enterprise or home networks) in accordance with the following standards:
enterprise or home networks) in accordance with the following standards:
RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header (AH)
RFC 2406, IP Encapsulating Security Payload (ESP)
RFC 2409, The Internet Key Exchange (IKE)
RFC-3193, Securing L2TP using IPSEC, November 2001
IP Security (IPSec) is a suite of protocols that interact with one another to provide secure private communications across
IP networks. These protocols allow the system to establish and maintain secure tunnels with peer security gateways.
IP networks. These protocols allow the system to establish and maintain secure tunnels with peer security gateways.
IPSec tunnel supports AAA and DHCP address overlapping. Address overlapping is meant for multiple customers using
the same IP address for AAA/DHCP servers. The AAA and DHCP control messages are sent over IPSec tunnels and
AAA/DHCP packets required to be encrypted are decided as per the ACL configuration done for specific session.
the same IP address for AAA/DHCP servers. The AAA and DHCP control messages are sent over IPSec tunnels and
AAA/DHCP packets required to be encrypted are decided as per the ACL configuration done for specific session.
Important:
For more information on IPSec configuration, refer HNB-GW Service Configuration section. Refer to
the StarOS IP Security (IPSec) Reference for additional information.
Session Recovery
The Session Recovery feature provides seamless failover and reconstruction of subscriber session information in the
event of a hardware or software fault within the system preventing a fully connected user session from being
disconnected.
event of a hardware or software fault within the system preventing a fully connected user session from being
disconnected.
Session recovery is performed by mirroring key software processes (e.g. session manager and AAA manager) within the
system. These mirrored processes remain in an idle state (in standby-mode), wherein they perform no processing, until
they may be needed in the case of a software failure (e.g. a session manager task aborts). The system spawns new
instances of “standby mode” session and AAA managers for each active Control Processor (CP) being used.
system. These mirrored processes remain in an idle state (in standby-mode), wherein they perform no processing, until
they may be needed in the case of a software failure (e.g. a session manager task aborts). The system spawns new
instances of “standby mode” session and AAA managers for each active Control Processor (CP) being used.
Additionally, other key system-level software tasks, such as VPN manager, are performed on a physically separate
packet processing card to ensure that a double software fault (e.g. session manager and VPN manager fails at same time
on same card) cannot occur. The packet processing card used to host the VPN manager process is in active mode and is
reserved by the operating system for this sole use when session recovery is enabled.
packet processing card to ensure that a double software fault (e.g. session manager and VPN manager fails at same time
on same card) cannot occur. The packet processing card used to host the VPN manager process is in active mode and is
reserved by the operating system for this sole use when session recovery is enabled.
The additional hardware resources required for session recovery include a standby System Processor Card (SPC) and a
standby packet processing card.
standby packet processing card.
There are two modes for Session Recovery.
Task recovery mode: Wherein one or more session manager failures occur and are recovered without the need
to use resources on a standby packet processing card. In this mode, recovery is performed by using the
mirrored “standby-mode” session manager task(s) running on active packet processing cards. The “standby-
mode” task is renamed, made active, and is then populated using information from other tasks such as AAA
manager.
mirrored “standby-mode” session manager task(s) running on active packet processing cards. The “standby-
mode” task is renamed, made active, and is then populated using information from other tasks such as AAA
manager.
Full packet processing card recovery mode: Used when a packet processing card hardware failure occurs, or
when a packet processing card migration failure happens. In this mode, the standby packet processing card is
made active and the “standby-mode” session manager and AAA manager tasks on the newly activated packet
processing card perform session recovery.
made active and the “standby-mode” session manager and AAA manager tasks on the newly activated packet
processing card perform session recovery.