Cisco Packet Data Gateway (PDG)
Security Gateway Overview
SecGW Administration Guide, StarOS Release 18
Product Overview
The SecGW is a high-density IP Security (IPSec) gateway for mobile wireless carrier networks. It is typically used to
secure backhaul traffic between the Radio Access Network (RAN) and the operator core network.
IPSec is a set of open standards that provides confidentiality, integrity, and authentication for data between IP layer peers.
The SecGW uses IPSec-protected tunnels to connect outside endpoints. SecGW implements the parts of IKE/IPSec
required for its role in mobile networks.
The SecGW is enabled as a Wireless Security Gateway (WSG) service in a StarOS instance running in a virtual machine
on a Virtualized Services Module (VSM) in an ASR 9000.
The following types of LTE traffic may be carried over encrypted IPSec tunnels in the Un-trusted access domain:
S1-C and S1-U: Control and User Traffic between eNodeB and EPC
X2-C and X2-U: Control and User Traffic between eNodeBs during Handoff
SPs typically carry only Control Traffic; however, there exists a case for carrying non-Internet User traffic over
secured tunnels.
Figure 1. SecGW Implementation
ASR 9000 VSM
SecGW is enabled via a StarOS image running in a virtualized environment supported on the ASR 9000 VSM. StarOS
runs in four hypervisor-initiated virtual machines (one per CPU) on the VSM.
The VSM is a service blade for the ASR 9000 router that supports multiple services and applications running
simultaneously on top of a virtualized hardware environment.
The VSM supports the following major hardware components:
(4) CPUs [20 cores per socket]
(4) hardware crypto devices
(1) Data Path Switch supporting (12) 10 Gigabit Ethernet (GbE) devices
(2) NPUs