AN-100U/UX Base Station User's Manual
70-00058-01-04 Proprietary Redline Communications © 2010 Page 113 of 136 April 19, 2010
Traffic arriving at the base station from subscribers appears on the Ethernet port and is
also resubmitted to the MAC for reclassification and broadcast over the air.
Disabled Mode: When the Intra-Sector L2 Forwarding feature is disabled, the base station
will not forward traffic between subscribers (hairpinning) and will not accept traffic
resubmitted to the Ethernet port by an external switch.
7.2.5 DHCP Option 82
The DHCP option 82 support can be used by equipment upstream of the RedMAX base
station to uniquely identify when customer equipment located behind a subscriber issues
a request for network access (DHCP request for an IP address). This information, used
in combination with other network notification messages, allows network operators to be
informed when customers activate self-install CPEs. Operations can then take manual or
automated actions to authorize and activate the services for this subscriber.
The format of the Relay Agent Option 82 is as follows:
Circuit ID: MAC address of the base station.
Remote ID: MAC address of the subscriber.
GiAddr: Management IP address of the base station (if added by upstream equipment).
Note: The subscriber CLI control 'dhcpRelayAgent' must be enabled prior to using the
Option 82 feature.
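Added example (not Redline's code): encoding and decoding the Relay Agent Information option (82) with the sub-option layout described above, Circuit ID (sub-option 1) carrying the base station MAC and Remote ID (sub-option 2) carrying the subscriber MAC, so upstream equipment can recover both addresses from a subscriber's DHCP request. Both MACs are raw 6-octet values and all addresses are constructed samples.

```python
# Added example, not Redline's code: DHCP option 82 as described above.
# Circuit ID (sub-option 1) = base station MAC, Remote ID (sub-option 2)
# = subscriber MAC. All MAC addresses used here are constructed samples.
OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
OPTION_PAD, OPTION_END = 0, 255


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_option82(bs_mac: str, su_mac: str) -> bytes:
    """Option 82 TLV with both sub-options carried as raw 6-octet MACs."""
    circuit, remote = mac_to_bytes(bs_mac), mac_to_bytes(su_mac)
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(options: bytes) -> dict:
    """Walk a DHCP options field (after the magic cookie) and return the
    option 82 MACs, if present. Bad lengths raise instead of being accepted."""
    found, i = {}, 0
    while i < len(options) and options[i] != OPTION_END:
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        if code == OPTION_RELAY_AGENT:
            j = 0
            while j < len(value):
                sub, sublen = value[j], value[j + 1]
                subval = value[j + 2:j + 2 + sublen]
                if len(subval) != sublen:
                    raise ValueError(f"truncated sub-option {sub}")
                if sub == SUBOPT_CIRCUIT_ID:
                    found["circuit_id"] = bytes_to_mac(subval)
                elif sub == SUBOPT_REMOTE_ID:
                    found["remote_id"] = bytes_to_mac(subval)
                j += 2 + sublen
        i += 2 + length
    return found
```

Some relay agents encode these sub-options as ASCII strings rather than raw octets; the decoder above assumes the raw form.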
7.3 Privacy Layer -- Encryption
7.3.1 Overview
The RedMAX AN-100U/UX base station and SU-O/SU-I subscribers support the privacy
sub-layer as defined in the IEEE 802.16-2004 standards. The process of modem
authentication and message exchange for user traffic encryption is described fully in the
IEEE 802.16-2004 standards.
Authentication uses X.509 digital certificates based on Public Key Infrastructure (PKI)
technology and the RSA (Rivest-Shamir-Adleman) public-key encryption algorithm. The
current software release supports the Data Encryption Standard (DES) cryptographic suite,
with exchanged Traffic Encryption Keys (TEKs) secured using 3DES (TEKs are triple
encrypted using three keys in succession).
The authentication process is performed by the base station and does not require
external Authentication, Authorization, and Accounting (AAA) servers (e.g. RADIUS,
TACACS, LDAP, etc.). The authentication process ensures that subscriber modems are
genuine Redline devices and not rogues introduced into the wireless sector area.
If authorization is successful, the base station sends the subscriber an authorization
key encrypted with the subscriber's public key. This key is used to encrypt
transmissions to the base station. At the end of the authentication process the
subscriber holds a shared AK (Authentication Key), which is used to derive TEKs.
Management messages between the base station and subscriber modem are protected
with a Keyed-Hashing for Message Authentication (HMAC) digest to ensure the data
from the sender has not been altered.