Traffic Offload Using LIPA/SIPTO - LTE

The realization of high data rates in LTE technology over an all IP network means an ever increasing load on packet data networks. 3GPP has defined data offloading as a key solution to cope with this challenge. Data offloading has been a critical area of study in 3GPP Release-10.
Two important traffic offload techniques namely LIPA and SIPTO have been introduced.
However, along with data, is it possible to offload voice and SMS traffic as well using LIPA and SIPTO?

It is possible to offload voice and SMS traffic using a local gateway extension tunnel.
The tunnel is shown in pink in the attached picture:
Please refer to TD S2-096015 for more information.


Specific Process Between Supplicant and Router

So let's say I have a laptop which connects through a wireless access point which is then connected to a router.
I'm trying to figure out if this happens as a result of an ARP response using the MAC address or if the laptop uses the IP address to find the router. I know most models have switches built into them, so let's negate that for this.
Does that mean that the laptop explicitly uses the IP address to find the router and will only use the MAC address if it needs to traverse through a switch somewhere else in the topology?
Thanks in advance. This is quite a difficult topic to find information on.
First, let's rewrite your question to:
Question 1: How does a wireless LAN (WiFi) connection differ from a wired connection?
Question 2: Does a WiFi connection transmit data directly to the router's IP, or does it use the MAC address?
Question 3: Does a laptop forward PDUs into the router through the wireless access point? Does it then use the IP or MAC?
Assumption: PDU refers to Protocol Data Unit.
Answer question 1:
To understand how WiFi works, we first need to understand how a wired network works. For this we use the OSI model.
The PDU for each of the 7 layers in the model is different and dependent on what that layer represents.
Layer 1 (Physical) is all about electrical signals, frequencies, voltages, amplitudes and the like. It defines how we transmit the data down a wire (or through the ether); in this layer there is no network. All communication is from node to node (so like "switch <=> switch", "switch <=> access point", "access point <=> laptop", etcetera).
This layer does not (normally) have any security or encryption.
Layer 2 (Data Link) is the layer where we start to get a network.
In this layer we start to see structures in the data (the PDUs are called frames) and we get addresses (MAC). Data can now only travel within this physical network (also known as a subnet). Encryption is possible but not often implemented outside of enterprise networks.
Layer 3 (Network) is where it starts to really get interesting. We have all the parts now to build networks and networks of networks (the internet).
This layer's PDU is called a packet and its address is an IP address.
From this point on we can make connections that span multiple hops through different networks with the so-called routing schemes.
Now, WiFi has the following changes to this standard model:
Layer 1: this is wireless (through the ether), so we get channels, bands, frequencies and interference. It means that besides how to encode the bits we also have to dial a transceiver. To facilitate this there is a mechanism that uses names for humans to identify networks (SSID).
Also, because normally we do not have encryption and anyone could just see all your data, WiFi adds an encryption scheme to this layer to ensure only authorized devices can communicate on it (WPA for example).
Answer question 2:
WiFi is on layer 1, so it does not connect to anything but what is directly connected to itself (ergo WiFi is only on the ether); the router is on a different connection. We need at least layer 2 to communicate with it (using MAC addresses), or if we want to send data to other networks we need at least layer 3 and an IP address.
Answer question 3:
Well, for data to be transmitted to other networks (a router connects at least 2 networks) we need layer 3 and an IP address. So the only way your laptop can transmit data like this is by using IP addresses.
Footnote:
To learn more about all this you could capture the data transmitted in your own network (do not capture data on other people's networks; this is often illegal, consult your local law professional!). To capture this data Wireshark is a great tool; you can see all this in action in it.

Real-time anomaly detection packages

Is anyone aware of any open source code for NetFlow anomaly detection for DDoS and tunneling? I am a newbie in this area. I did find very few on GitHub, but anyone who has more experience with it, do advise.
I just want to try a few to understand how they work, so Python, R or C++ are fine.
There's some great resources around for ingesting the various flow formats. The harder part is in doing anomaly detection. You could consider 'R', see for instance: http://www.ojscurity.com/2014/10/r-netflow-analytics-i.html
When trying to detect tunneling you will need to establish one or more metrics that you can use to "profile" the traffic. Typically this would be on a per-endpoint, per-protocol basis. For instance, HTTPS traffic to Amazon looks different than watching Netflix content. The metrics you establish should enable you to detect a change in the typical pattern for a given type of traffic.
So it might be hard to detect HTTP traffic tunneled over HTTPS by using just flow data. However, tunneling HTTP traffic over DNS should be fairly easy to detect due to the different volumetric and session timing characteristics of each protocol.
DDoS is more straightforward, and can be detected by a volumetric "baseline", since typical attacks are extremely loud in nature. Although, the more specific you get in terms of protocol, and type of packet, the faster and more accurate your DDoS detection will be.
Finally, the more you "know" about the network you are monitoring, the better you are able to pick up anomalies. There are some obvious first-principles here, as DDoS attacks are loud, and most protocols have fairly well-known volume/timing characteristics, but learning what is typical for your network is the best way to reduce false positives.
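As an added illustration of the profiling approach described in this answer (example code, not from the original post or any of the packages mentioned), the following Python script applies a robust per-destination volumetric baseline for the DDoS case and a per-protocol size/duration profile for the DNS-tunneling case, over constructed NetFlow-style records. The record layout, the MAD-based threshold and the `min_flows` floor are assumptions chosen for the example.

```python
from collections import Counter
from statistics import median

# Constructed NetFlow-style records for this example (not real captures):
# (ts_seconds, src, dst, proto, dport, bytes, duration_seconds)
FLOWS = []
for w in range(10):                         # ten quiet 10-second windows
    for i in range(8 + w % 5):              # 8..12 HTTPS flows per window to the web server
        FLOWS.append((w * 10 + i % 10, f"192.0.2.{i + 1}", "10.0.0.5", "tcp", 443, 5000, 1.0))
    FLOWS.append((w * 10, f"192.0.2.{w + 1}", "10.0.0.53", "udp", 53, 90 + 7 * w, 0.02))
for i in range(400):                        # window 10: a flood from many sources
    FLOWS.append((100 + i % 10, f"198.51.100.{i % 250}", "10.0.0.5", "tcp", 443, 60, 0.01))
FLOWS.append((105, "192.0.2.77", "10.0.0.53", "udp", 53, 48000, 95.0))  # tunnel-like DNS flow

def robust_threshold(values, k=3.0):
    """Median + k * scaled MAD: a baseline that one loud outlier cannot drag upward."""
    med = median(values)
    mad = median(abs(v - med) for v in values) * 1.4826
    return med + k * mad

def volumetric_anomalies(flows, window_s=10, k=3.0, min_flows=50):
    """DDoS check: return (dst, window, count) where the flow count to a destination is
    far above that destination's own baseline. Windows with no flows are simply absent."""
    counts = Counter((f[2], f[0] // window_s) for f in flows)
    per_dst = {}
    for (dst, win), n in counts.items():
        per_dst.setdefault(dst, {})[win] = n
    hits = []
    for dst, wins in per_dst.items():
        thr = max(robust_threshold(list(wins.values()), k), min_flows)  # floor filters noise
        hits += [(dst, win, n) for win, n in sorted(wins.items()) if n > thr]
    return hits

def dns_tunnel_candidates(flows, k=3.0):
    """Tunneling check: profile UDP/53 flows by bytes and duration and return the flows
    that fall far outside the typical size or session length for this protocol."""
    dns = [f for f in flows if f[3] == "udp" and f[4] == 53]
    thr_bytes = robust_threshold([f[5] for f in dns], k)
    thr_dur = robust_threshold([f[6] for f in dns], k)
    return [f for f in dns if f[5] > thr_bytes or f[6] > thr_dur]

if __name__ == "__main__":
    print("volumetric:", volumetric_anomalies(FLOWS))
    print("dns tunnel candidates:", dns_tunnel_candidates(FLOWS))
```

On real data the baselines should be learned per network and per protocol over a longer quiet period, which is exactly the "know your network" point made above.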

SIP and RTP in VoLTE

I am investigating the SIP signaling and RTP media in VoLTE traffic. I can see the RTP header but was told that the RTP payload and the SIP packets are all encrypted in IPsec. Is this true? If yes, at which interface can I see the decrypted packets?
Thanks.
LTE is based on IMS (IP Multimedia Subsystem) which is a very broad and encompassing set of specifications for an architectural framework that enables multimedia communication between IP connected end points.
Because it is so broad and all encompassing there are actually many different security points and interfaces - for example there are security specs for communication between an access network connected device (such as a mobile phone) and the core, for communication between different nodes within a single core network, for communication between different operators' or organisations' core networks etc.
3GPP and LTE build on the IMS specs and include specific security specs for the Mobile world also. There is a 3GPP spec which looks at access security for IMS (3GPP TS 33.203) and it includes the following diagram:
Each of the numbers in the diagram above is a different security 'association' and the above standard references one or more specifications for each one.
The result of all this security complexity and these many security layers is that the answer to your question depends on the point in the network you are looking at. For example, if you intercept the traffic between the phone and the base station you will not be able to see anything as it will all be encrypted at a lower layer (notwithstanding the latest GSM/3G security hacks etc). Similarly if you are looking at the traffic between the core network nodes or between different networks this may be over IPSEC tunnels etc and again you will not be able to see it.
If your aim is to intercept and eavesdrop on VoLTE voice calls then you are going to find this very hard as many of the above mechanisms are designed to prevent this - I won't say it is impossible as I'm sure someone will reference a hack or a 'government backdoor' example for similar technology etc.
If your interest is academic, or in profiling the performance of the network etc then you may be able to achieve what you want using one of the open source IMS solutions - e.g. http://www.openimscore.org.
Or, if you are working for, or with, one of the network equipment vendors then you may be in a position to insert or leverage network management and/or OSS 'hooks' or mechanisms which allow you to gather info from some unencrypted data at certain points in the end to end flow.

LTE Broadcast or eMBMS is a RESTful service?

LTE Broadcast (eMBMS) enables a Single Frequency Network (SFN) broadcast capability within LTE, so that the same content can be sent to a large number of users at the same time, resulting in a more efficient use of network resources than each user requesting the same content and then having the content unicast to each user. eMBMS uses the HTTP protocol, so I wanted to know if it is a RESTful API?
Simple answer is no - eMBMS is more than just an interface, as Makoto says, it is a set of specifications that make up a Mobile Multicast solution.
There is a good overview which should illustrate this here:
http://www.slideshare.net/zahidtg/lte-embms-technology-overview

In network programming, there is a limit to the number of sockets/connections; how does a webserver exceed this limit?

I have started exploring network programming in Linux using sockets. I am wondering how webservers like Yahoo, Google, etc. are able to establish millions/billions of connections. I believe the core is only socket programming to access the remote server. If that is the case, then how come billions and millions of people are able to connect to the server? It means billions/millions of socket connections. This is not possible, right? The spec says maximum 5 socket connections only. What is the mystery behind it?
Can you also speak in terms of this API?
listen(sock,5);
To get an idea of tuning an individual server you may want to start with Apache Performance Tuning and maybe Linux Tuning Parameters, though it is somewhat outdated. Also see Upper limit of file descriptor in Linux
When you got a number of finely tuned servers, a network balancer is used and it typically distributes IP traffic across a cluster of such hosts. Sometimes a DNS load balancing is used in addition to further split between IP balancers.
Here, if you are interested you can follow Google's Compute Engine Load Balancing, which provides a single IP address, and does away with the need to have DNS balancing in addition, and reproduce their results:
The following instructions walk you step-by-step in setting up a Google Compute Load Balancer benchmark that achieves 1,000,000 Requests Per Second. It is the code and steps that were used when writing a blog post for the Google Cloud Platform blog. You can find the Google Cloud Platform blog at http://googlecloudplatform.blogspot.com/ This GIST is a combination of instructions and scripts from Eric Hankland and Anthony F. Voellm. You are free to reuse the code snippets.
https://gist.github.com/voellm/1370e09f7f394e3be724
It doesn't 'say maximum 5 connections only'. The argument to listen() that you refer to is the backlog, not the total number of connections. It refers to the number of incoming connections that TCP will accept and hold on the 'backlog' queue prior to the application getting hold of them via accept().
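As an added demonstration of the point made in this answer and of the file descriptor limit mentioned in the earlier one (example code, not from any of the posts), the Python script below creates a listener with `listen(5)`, opens twenty loopback connections to it and counts how many are established at once; the function names `accepted_beyond_backlog` and `fd_limit` are my own.

```python
import socket

def accepted_beyond_backlog(backlog=5, n_clients=20, host="127.0.0.1"):
    """Create a listener with listen(backlog), open n_clients connections to it on
    loopback and return how many are open at the same time. Each connection is
    accept()ed right away, so the backlog queue never fills, yet far more than
    `backlog` connections end up established: the backlog is a queue length, not
    a cap on the total number of connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))        # port 0: let the kernel pick a free port
    srv.listen(backlog)        # bounds the queue of completed-but-not-yet-accepted connections
    srv.settimeout(2.0)
    port = srv.getsockname()[1]
    clients, accepted = [], []
    try:
        for _ in range(n_clients):
            clients.append(socket.create_connection((host, port), timeout=2.0))
            conn, _ = srv.accept()   # dequeue it; the connection stays open afterwards
            accepted.append(conn)
        return len(accepted)         # 20 with the defaults: four times the backlog, all open
    finally:
        for s in clients + accepted + [srv]:
            s.close()

def fd_limit():
    """The ceiling that really caps sockets per process: the soft RLIMIT_NOFILE
    (POSIX only), which is what the file descriptor tuning links above are about."""
    import resource
    return resource.getrlimit(resource.RLIMIT_NOFILE)[0]

if __name__ == "__main__":
    print("open connections with listen(5):", accepted_beyond_backlog())
    print("soft fd limit for this process:", fd_limit())
```

What happens when the queue does overflow (clients connecting faster than accept() drains them) is kernel-specific, so this example deliberately keeps the queue drained rather than relying on that behaviour.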