4RF Aprisa SR+ User Manual

160 | Managing the Radio

QoS

QoS > Summary

This page provides a summary of the QoS Settings.

See ‘QoS > Traffic Priority’ and ‘QoS > Traffic Classification’ for configuration options.

Aprisa SR+ User Manual 1.6.0 PO


QoS > Traffic Priority

TRAFFIC PRIORITY

Default Management Data Priority

The Default Management Data Priority controls the priority of the Ethernet management traffic relative to Ethernet customer traffic. It can be set to Very High, High, Medium and Low. The default setting is Medium.

This priority is also applied to serial traffic when the remote radio has no serial port for the hardware data port option, e.g. when the base station is 2E2S and a remote radio is 4E0S.

SERIAL PRIORITY

This parameter controls the per port priority of the serial customer traffic relative to the Ethernet customer traffic. If equal priority is required to Ethernet traffic, this setting must be the same as the Ethernet Data Priority setting.

The serial data priority can be set to Very High, High, Medium and Low. The default setting is Low.

A queuing system prioritizes traffic from the serial and Ethernet interfaces for over-the-air transmission. A weighting may be given to each data type and is used to schedule the next transmission over the air, e.g. if data packets are pending in several buffers and serial data has the higher weighting, it is transmitted first. The serial buffer holds 20 serial packets (each up to 512 bytes).

There are four priority queues in the Aprisa SR+: Very High, High, Medium and Low. Data is added to one of these queues depending on the priority setting. Data leaves the queues from highest priority to lowest: the Very High queue is emptied first, followed by High, then Medium and finally Low.


ETHERNET PRIORITY

This parameter controls the per port priority of the Ethernet customer traffic relative to the serial customer traffic. If equal priority is required to serial traffic, this setting must be the same as the Serial Data Priority setting.

The Ethernet Priority enables users to set the priority of Ethernet port ingress frames. The priority for each port can be:

1. From the PCP priority bits (VLAN priority) in VLAN tagged frames or priority tagged (VLAN 0) frames

2. From the DSCP priority bits in an IP packet (DSCP in the IPv4 TOS field)

3. All frames are set to ‘very high’ priority

4. All frames are set to ‘high’ priority

5. All frames are set to ‘medium’ priority

6. All frames are set to ‘low’ priority

The default setting is Low.

A queuing system prioritizes customer traffic from the serial and Ethernet interfaces for over-the-air transmission. A weighting may be given to each data type and is used to schedule the next transmission over the air, e.g. if data packets are pending in several buffers and serial data has the higher weighting, it is transmitted first. The Ethernet buffer holds 10 Ethernet packets (each up to the Ethernet MTU, 1536 bytes).

There are four priority queues in the Aprisa SR+: Very High, High, Medium and Low. Data is added to one of these queues depending on the priority setting. Data leaves the queues from highest priority to lowest: the Very High queue is emptied first, followed by High then Medium and finally Low.
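The strict-priority behaviour described above, as an added example (a Python model written for this page, not 4RF code). The buffer depths are the ones the manual states (serial: 20 packets of up to 512 bytes; Ethernet: 10 packets of up to 1536 bytes); tail-drop on a full buffer and one packet per dispatch are assumptions. The demo shows why priority assignment is a trust decision: a burst of Ethernet frames that lands in ‘Very High’ is sent before every SCADA poll left on the serial port's default ‘Low’, and the Ethernet buffer drops what it cannot hold.

```python
"""Model of the Aprisa SR+ four-queue strict-priority scheduler.

Added example, not 4RF code. Buffer depths come from the manual (serial: 20
packets of up to 512 bytes; Ethernet: 10 packets of up to 1536 bytes). The
tail-drop on a full buffer and the one-packet-per-dispatch model are assumptions.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

PRIORITIES = ("Very High", "High", "Medium", "Low")   # dispatch order, highest first
BUFFER_DEPTH = {"serial": 20, "eth": 10}               # packets, per the manual
MAX_PACKET = {"serial": 512, "eth": 1536}              # bytes, per the manual


@dataclass
class Packet:
    src: str            # "serial" or "eth"
    prio: str           # one of PRIORITIES, already resolved by the port's priority setting
    size: int           # bytes
    tag: str = ""       # label used by the demo


@dataclass
class Radio:
    queues: Dict[str, Deque[Packet]] = field(
        default_factory=lambda: {p: deque() for p in PRIORITIES})
    dropped: List[Packet] = field(default_factory=list)

    def buffered(self, src: str) -> int:
        """Packets from one interface currently waiting in any of the four queues."""
        return sum(1 for q in self.queues.values() for pk in q if pk.src == src)

    def ingress(self, pk: Packet) -> bool:
        """Queue a packet; False (and recorded in .dropped) if that interface's buffer is full."""
        if pk.src not in BUFFER_DEPTH or pk.prio not in PRIORITIES or pk.size > MAX_PACKET[pk.src]:
            raise ValueError(f"invalid packet: {pk}")
        if self.buffered(pk.src) >= BUFFER_DEPTH[pk.src]:
            self.dropped.append(pk)          # assumed: tail-drop when the interface buffer is full
            return False
        self.queues[pk.prio].append(pk)
        return True

    def next_ota(self) -> Optional[Packet]:
        """Strict priority: always serve the highest non-empty queue."""
        for p in PRIORITIES:
            if self.queues[p]:
                return self.queues[p].popleft()
        return None

    def drain(self) -> List[Packet]:
        """Dispatch everything in scheduler order (no new arrivals in between)."""
        out: List[Packet] = []
        while (pk := self.next_ota()) is not None:
            out.append(pk)
        return out


def starvation_demo() -> tuple:
    """Three SCADA polls left on the serial port's default Low priority, then a
    burst of 12 Ethernet frames whose PCP maps to Very High. Returns the
    over-the-air order and how many Ethernet frames the 10-packet buffer dropped."""
    r = Radio()
    for i in range(3):
        r.ingress(Packet("serial", "Low", 64, f"scada{i}"))
    for i in range(12):
        r.ingress(Packet("eth", "Very High", 1500, f"flood{i}"))
    return [pk.tag for pk in r.drain()], len(r.dropped)


if __name__ == "__main__":
    order, dropped = starvation_demo()
    print("OTA order:", order)
    print("Ethernet frames dropped:", dropped)
```

All ten queued flood frames leave before the first SCADA poll, and two flood frames are dropped at the Ethernet buffer; the SCADA packets are not dropped only because the serial buffer is separate. The fix on the radio side is the Serial Priority and PCP / DSCP mapping settings, not a bigger buffer.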

Default Priority

When the priority of an Ethernet port uses the PCP bits (VLAN priority) values the ‘Default Priority’ option is enabled, allowing the priority of untagged VLAN frames to be set.

When the priority of an Ethernet port uses the DSCP priority (in IPv4 TOS field) values the ‘Default Priority’ option is enabled, allowing the priority of ARP frames to be set.


PRIORITY DEFINITIONS

PCP (Priority Code Point)

These settings provide priority translation / mapping between the external radio LAN VLAN priority network and the radio internal VLAN priority network, using the VLAN tagged PCP (Priority Code Point) priority field in the Ethernet/VLAN frame.

The IEEE 802.1Q specification defines a standards-based mechanism for providing VLAN tagging and class of service (CoS) across Ethernet networks. This is accomplished through an additional VLAN tag, which carries VLAN tag ID and frame prioritization information (PCP field), inserted within the header of a Layer 2 Ethernet frame.

Priority Code Point (PCP) is a 3-bit field that indicates the frame priority level (or CoS). The operation of the PCP field is defined within the IEEE 802.1p standard, which is an extension of 802.1Q. The standard establishes eight levels of priority, referred to as CoS values, where CoS 7 (‘111’ in the PCP field) is the highest priority and CoS 0 (‘000’) is the lowest priority.

The radio in bridge mode uses the PCP value in the VLAN tag to prioritize packets and provide the appropriate QoS treatment per traffic type. The radio implements four priority queues whose scheduling is based on the VLAN priority (PCP). Based on the PCP bits, traffic is placed in a particular Class of Service (CoS) queue. Packets with a higher CoS are always served first, both for over-the-air (OTA) transfer and on the ingress / egress Ethernet ports.

The ‘PCP priority definition’ tab maps the PCP priority of an ingress VLAN packet to the radio's internal CoS (priority). Since in most cases the radio VLAN network is connected to the corporate VLAN networks, the network administrator may want a different priority scheme for the radio network CoS. For example, in the multi-gigabit corporate VLAN network, management traffic might be marked with priority 7 (the highest) and SCADA traffic with priority 5, but in the narrow-bandwidth radio network the SCADA traffic should map to the radio's Very High CoS (i.e. set PCP 5 = Very High) and management traffic to the radio's Medium CoS (i.e. set PCP 7 = Medium), so that mission-critical SCADA traffic is served first over the radio link. The PCP value is written by the sending device and accepted as received, so a host on the radio LAN can claim any priority simply by tagging its frames; mapping high external priorities down, as in this example, is also how such a host is kept from pre-empting SCADA traffic over the air.


This is done by mapping the external radio network VLAN priority to the internal radio CoS / priority using the ‘PCP priority definition’ tab. The radio supports four queues, so at most an 8 -> 4 VLAN priority to CoS mapping is performed.

The default mapping of ingress packet VLAN priority to radio CoS / priority is shown in the ‘PCP priority definition’ tab.


DSCP (Differentiated Services Code Point)

These settings provide translation / mapping between the external radio IP priority network and the radio internal IP priority network, using the DSCP (DiffServ Code Point) priority field in the IP packet header.

Differentiated Services (DiffServ) is a model in which routers treat traffic with relative priorities based on the IPv4 type of service (ToS) field. The DSCP (DiffServ Code Point) is defined in RFC 2474 and RFC 2475. DiffServ increases the number of definable priority levels by reallocating bits of the IP header for priority marking.

The DiffServ architecture defines the DiffServ (DS) field, which supersedes the ToS field in IPv4, to make per-hop behaviour (PHB) decisions about packet classification and traffic scheduling. The six most significant bits of the DS field (the former IPv4 TOS byte) are the DSCP. The DS field of a packet is marked with a value so that the packet receives a particular forwarding treatment, or PHB, at each router node. Using DSCP classification, traffic can be partitioned into multiple priority levels.

The radio in router mode uses the DSCP value in the IP header to select a PHB for the packet and provide the appropriate QoS treatment. The radio implements four priority queues whose scheduling is based on the DSCP in the IP header of the packet. Based on the DSCP, traffic is placed in a particular priority / CoS (Class of Service) queue. Packets with a higher CoS are always served first, both for OTA transfer and on the ingress / egress Ethernet ports.

The ‘DSCP priority definition’ tab maps the DSCP priority of an ingress IP packet to the radio's internal priority / CoS. Since in most cases the radio routed network is connected to the corporate routed networks, the network administrator may want a different priority scheme for the radio network. For example, in the multi-gigabit corporate routed network, management traffic might be marked with DSCP EF (Expedited Forwarding, the highest DSCP priority) and SCADA traffic with DSCP AF11 (Assured Forwarding, high priority), but in the narrow-bandwidth radio network the SCADA traffic should map to the radio's Very High CoS (i.e. set AF11 = Very High) and management traffic to the radio's Low CoS (i.e. set EF = Low), so that mission-critical SCADA traffic is served first over the radio link. As with PCP, the DSCP value is whatever the sender wrote, so mapping high external code points down is also what stops an arbitrary host from claiming the Very High queue.


This is done by mapping the external radio network DSCP priority to the internal radio CoS / priority levels using the ‘DSCP priority definition’ tab. The radio supports four queues, so at most a 64 -> 4 DSCP to CoS mapping is performed.

The default mapping of ingress packet DSCP priority to radio CoS is shown in the ‘DSCP priority definition’ tab.

The radio maps all 64 DSCP values. The user can configure the 21 most commonly used DSCP code points (EF, AF11 to AF43 and CS0 to CS7); the rest are mapped by default to the Low CoS / priority.
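The PCP and DSCP extraction and the 8 -> 4 and 64 -> 4 mappings of the two sections above, as an added example (Python written for this page, not 4RF code). The frame bytes are constructed here; the two mapping tables encode the manual's SCADA-over-management example (PCP 5 -> Very High, PCP 7 -> Medium; AF11 -> Very High, EF -> Low). Unlisted DSCP values falling to Low is what the manual states; the same default for unlisted PCP values is an assumption.

```python
"""Extract the 802.1Q PCP and the IPv4 DSCP from a raw Ethernet frame and map
them onto the radio's four CoS queues.

Added example, not 4RF code. The frame bytes are constructed below; the two
mapping tables encode the manual's SCADA-over-management example (PCP 5 ->
Very High, PCP 7 -> Medium; AF11 -> Very High, EF -> Low). Unlisted DSCP
values defaulting to Low is stated by the manual; the same default for PCP is
an assumption.
"""
import struct
from typing import Dict

COS = ("Very High", "High", "Medium", "Low")

# Bridge mode: external PCP (8 values) -> radio CoS (4 queues)
PCP_MAP: Dict[int, str] = {5: "Very High", 7: "Medium"}
# Router mode: external DSCP (64 values) -> radio CoS; 10 = AF11, 46 = EF
DSCP_MAP: Dict[int, str] = {10: "Very High", 46: "Low"}
DEFAULT_COS = "Low"


def parse_markings(frame: bytes) -> dict:
    """Return pcp/vid (if 802.1Q tagged), ethertype and dscp (if IPv4)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"pcp": None, "vid": None, "dscp": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100:                        # 802.1Q tag: TCI = PCP(3) | DEI(1) | VID(12)
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"], info["vid"] = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == 0x0800 and len(frame) >= offset + 20:
        tos = frame[offset + 1]                    # DS field = the old IPv4 TOS byte
        info["dscp"] = tos >> 2                    # six most significant bits; low two are ECN
    return info


def radio_cos(info: dict, mode: str) -> str:
    """Bridge mode classifies on PCP, router mode on DSCP, as the manual describes."""
    if mode == "bridge":
        key, table = info["pcp"], PCP_MAP
    elif mode == "router":
        key, table = info["dscp"], DSCP_MAP
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return DEFAULT_COS if key is None else table.get(key, DEFAULT_COS)


def build_frame(pcp: int, vid: int, dscp: int) -> bytes:
    """Constructed 802.1Q-tagged IPv4/UDP frame carrying the given markings
    (locally administered MACs, RFC 1918 addresses, empty UDP payload)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = struct.pack("!HHH", 0x8100, (pcp << 13) | (vid & 0x0FFF), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 20000, 8, 0)
    return eth + tag + ip + udp


if __name__ == "__main__":
    for label, frame in (("SCADA (PCP 5 / AF11)", build_frame(5, 100, 10)),
                         ("management (PCP 7 / EF)", build_frame(7, 100, 46))):
        m = parse_markings(frame)
        print(label, m, "bridge:", radio_cos(m, "bridge"), "router:", radio_cos(m, "router"))
```

The same frame lands in different queues depending on the radio's mode: in bridge mode only the PCP is consulted, in router mode only the DSCP, so a deployment that switches modes has to re-check both definition tabs.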


QoS > Traffic Classification

These settings provide multiple traffic classification profiles based on classification rules. A profile for a specific traffic type, protocol or application can be assigned to a particular VLAN and CoS / priority in bridge mode, or to a CoS / priority in router mode, to provide the appropriate QoS treatment.

For example, SCADA traffic, management traffic and FTP traffic can each have its own profile built from a set of classification rules. A profile can be built from multiple classification rules on port, Ethernet, IP and TCP / UDP header fields (i.e. L1/2/3/4 header fields) such as Ethernet port number, VLAN ID, VLAN priority, IP DSCP priority, MAC / IP address and TCP / UDP port, to identify and classify the specific traffic type. When an ingress packet matches the profile's L2/3/4 header field settings, the packet is assigned to a particular VLAN and CoS / priority in bridge mode, or to a CoS / priority in router mode, to provide the appropriate QoS treatment.

The radio supports four CoS / priority queues: Very High, High, Medium and Low. These queues feed a strict priority scheduler, which dispatches packets from the queues to the egress port by always serving the ‘Very High’ queue first whenever it holds a packet. When the highest priority queue empties, the scheduler serves the next highest queue, and so on. So when SCADA traffic is assigned ‘Very High’ priority, it is always served first and sent over-the-air (OTA) whenever it enters the radio, giving it priority over every other traffic type. The corollary is that a lower queue is served only while every higher queue is empty: a sustained flow in ‘Very High’ can starve the lower queues entirely, so ‘Very High’ should be reserved for traffic that is both mission-critical and bounded in volume.

These settings are different for Bridge Mode and Router Mode.


Bridge Mode Traffic Classification Settings

TRAFFIC CLASSIFICATION

VLAN bridge mode traffic classification settings provide mapping / assigning of profiles (set by rules to match a specific traffic type) to a VLAN ID and VLAN CoS / priority. The profile which is used to match to a specific traffic type will be identified in the radio network by its associated VLAN ID and VLAN CoS / priority to provide the appropriate QoS treatment. CoS / Priority can be set to very high, high, medium, low priority.

Profile name

A free form field to enter the profile name, with a maximum of 32 characters.

Assigned Priority

Traffic packets that match the applied profile rules will be assigned to the selected ‘assigned priority’ setting of Very High, High, Medium and Low. This field cannot be set to Don’t Care.

This applies profile rule mapping to the VLAN CoS / Priority with the appropriate internal radio assigned priority setting of Very High, High, Medium and Low.


Assigned VLAN ID

Traffic packets that match the applied profile rules are assigned the selected ‘assigned VLAN ID’, in the range 0 to 4095.

The VLAN ID of an ingress packet matching the classification rule (see the ‘VLAN ID’ rule below) is changed to the ‘assigned VLAN ID’ setting if either of the following conditions is met:

1. The VLAN ID of the ingress packet is the same as the PVID of the ingress port.

2. The packet is received untagged at the port.

If the VLAN ID of a tagged ingress packet is not the same as the PVID of the ingress port, it is not changed and the ‘assigned VLAN ID’ setting is ignored, i.e. other ingress VLANs pass through unchanged.

If ‘assigned VLAN ID’ value is set in the ‘port VLAN membership’ under Ethernet > VLAN (port x tab), then this VLAN will be available for ingress and egress on the Ethernet and RF ports, otherwise this VLAN will only be available in one direction on the egress RF port.

For example, if the base station Ethernet port 1 ‘assigned VLAN ID’ = 100 (VLAN-100) and it is also defined in the ‘port VLAN membership’ under Ethernet > VLAN (port 1 tab) and the remote sends a packet to the base with a VLAN of 100, this packet will be egress out to Ethernet port 1 (tagged or untagged based on the ‘egress action’ definition). If the VLAN-100 wasn’t set in the ‘port VLAN membership’, then the base station will drop a packet from the remote.

This setting parameter can be ‘Don’t Care’ (Assigned VLAN ID = 0) which means that the VLAN ID of ingress frame will never be modified.

Active

Activates or deactivates the profile rule.

Controls

The Save button saves all profiles to the radio.

The Cancel button removes all changes since the last save or first view of the page if there has not been any saves. This button will un-select all the Select radio buttons.

The Edit button will show the next screen for the selected profile where the profile can be configured. This button will be disabled unless a profile is selected.

The Add button adds a new profile. If no profile is selected, the new profile is added to the end of the list; if a profile is selected, the new profile is added after that profile.

The Delete button will delete the selected profile. The button will be disabled unless a profile has been selected.

The Delete All button will delete all the profiles. A pop-up will ask if the action is correct. If the answer is yes, then all profiles are deleted in SuperVisor. The Save button must be pressed to delete all the profiles in the radio.

The Move Up button will move the selected profile up one in the order of profiles.

The Move Down button will move the selected profile down one in the order of profiles.

The Previous button displays the previous page in the list of profiles. A pop up will be displayed if any profile has been modified and not saved, preventing the previous page being displayed.

The Next button will display the next page in the list of profiles.


To edit a traffic classification, select the profile and click on the Edit button.

ETHERNET PORT CRITERIA

Ethernet Port

Set the layer 1 Ethernet port number or all Ethernet ports in the selected profile classification rule.

VLAN ID

Sets the layer 2 Ethernet header VLAN ID field in the selected profile classification rule. Valid values are between 0 and 4095. This VLAN ID must be enabled in the system for this parameter to be used during classification.

Enable this VLAN in the network by setting the same VLAN ID value in PVID (port VLAN ID) and in the PORT VLAN MEMBERSHIP under ‘VLAN PORT SETTINGS – Port 1’ on page 144. If the VLAN ID is set to zero, all VLAN IDs will meet the criteria.


PRIORITY CRITERIA

Priority Type

Set the layer 2 Ethernet or layer 3 IP packet header priority type fields in the selected profile classification rules.

Priority Type   Description
None            Do not use any layer 2 / 3 Ethernet or IP header priority fields in the selected profile classification rules.
PCP             Use the layer 2 Ethernet header priority field, the PCP (Priority Code Point) VLAN priority bits (per IEEE 802.1p/Q), in the selected profile classification rules.
DSCP            Use the layer 3 IP header TOS field used as DSCP (Differentiated Services Code Point per RFC 2474 and RFC 2475) priority bits in the selected profile classification rules.

PCP / DSCP Range

As per the ‘priority type’ selection, this parameter sets the PCP or DSCP priority value or values in the selected profile classification rule. The value can be a single priority or a single range (multiple ranges are not allowed); for example, the PCP value can be 7 or a range such as 4-7.

The following table shows the layer 2 packet VLAN tag header PCP priority field values

PCP Value (Decimal)   PCP Priority   Priority Level
7                     Priority [7]   Highest
6                     Priority [6]
5                     Priority [5]
4                     Priority [4]
3                     Priority [3]
2                     Priority [2]
1                     Priority [1]
0                     Priority [0]   Lowest


The following table shows the layer 3 packet IP header DSCP priority field values

DSCP Value (Decimal)   DSCP Priority
46                     EF (Expedited Forwarding)
10                     AF11 (Assured Forwarding)
12                     AF12
14                     AF13
18                     AF21
20                     AF22
22                     AF23
26                     AF31
28                     AF32
30                     AF33
34                     AF41
36                     AF42
38                     AF43
0                      CS0 / Best Effort (BE)
8                      CS1 (Class Selector)
16                     CS2
24                     CS3
32                     CS4
40                     CS5
48                     CS6
56                     CS7


Click on More Options if more Layer 2/3/4 (Ethernet / IP / TCP or UDP) packet header fields are required for the selected profile classification rule. This page describes all the possible fields that can be used for the classification rules in bridge mode.

ETHERNET CRITERIA

Source MAC Address

This parameter sets the Layer 2 Ethernet packet header Source MAC Address field in the selected profile classification rule in the format of ‘hh:hh:hh:hh:hh:hh’.

Source MAC Wildcard Mask

This parameter sets the wildcard mask applied to the ‘Source MAC Address’, with the same semantics as the IP wildcard masks below (a 0 bit must match, a 1 bit is ignored). If the wildcard mask is set to ‘FF:FF:FF:FF:FF:FF’, all source MAC addresses will meet the criteria.

Destination MAC Address

This parameter sets the Layer 2 Ethernet packet header Destination MAC Address field in the selected profile classification rule in the format of ‘hh:hh:hh:hh:hh:hh’.

Destination MAC Wildcard Mask

This parameter sets the wildcard mask applied to the ‘Destination MAC Address’, with the same semantics as the IP wildcard masks below (a 0 bit must match, a 1 bit is ignored). If the wildcard mask is set to ‘FF:FF:FF:FF:FF:FF’, all destination MAC addresses will meet the criteria.


EtherType (Hex)

This parameter sets the Layer 2 Ethernet packet header EtherType field in the selected profile classification rule. EtherType is a 16 bit (two octets) field in an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.

EtherType Examples:

Protocol   EtherType Value (Hexadecimal)
IPv4       0800
ARP        0806
IPv6       86DD
VLAN       8100

IP CRITERIA

Source IP Address

This parameter sets the Layer 3 IP packet header Source IP Address field in the selected profile classification rule. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.

Source IP Wildcard Mask

This parameter sets the wildcard mask applied to the ‘Source IP Address’. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.

A 0 bit in the mask means the corresponding address bit must match; a 1 bit is ignored. If the wildcard mask is set to 0.0.0.0, the complete Source IP Address is evaluated for the classification rule. If it is set to 0.0.255.255, only the first two octets of the Source IP Address are evaluated. If it is set to 255.255.255.255, the Source IP Address is not evaluated at all, so any address matches.

Note: The wildcard mask operation is the inverse of the subnet mask operation.

Destination IP Address

This parameter sets the Layer 3 IP packet header Destination IP Address field in the selected profile classification rule. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.

Destination IP Wildcard Mask

This parameter sets the wildcard mask applied to the ‘Destination IP Address’. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.

A 0 bit in the mask means the corresponding address bit must match; a 1 bit is ignored. If the wildcard mask is set to 0.0.0.0, the complete Destination IP Address is evaluated for the classification rule. If it is set to 0.0.255.255, only the first two octets of the Destination IP Address are evaluated. If it is set to 255.255.255.255, the Destination IP Address is not evaluated at all, so any address matches.

Note: The wildcard mask operation is the inverse of the subnet mask operation.


IP Protocol Number

This parameter sets the Layer 3 IP packet header ‘Protocol’ field in the selected profile classification rule. This field defines the protocol used in the data portion of the IP datagram.

Protocol number Examples:

Protocol   Protocol value (decimal)
ICMP       1
TCP        6
UDP        17

TCP / UDP PORT CRITERIA

Source Range

This parameter sets the Layer 4 TCP / UDP packet header Source Port or Source Port range field in the selected profile classification rule. To specify a range, insert a dash between the ports e.g. 1000-2000. If the source port range is set to 1-65535, traffic from any source port will meet the criteria.

Destination Range

This parameter sets the Layer 4 TCP / UDP packet header Destination Port or Destination Port range field in the selected profile classification rule. To specify a range, insert a dash between the ports e.g. 1000-2000. If the destination port range is set to 1-65535, traffic to any destination port will meet the criteria.

Examples for TCP / UDP Port Numbers:

Protocol          TCP / UDP Port # (decimal)
Modbus            502
IEC 60870-5-104   2404
DNP 3             20000
SNMP              161
SNMP TRAP         162


Router Mode Traffic Classification Settings

TRAFFIC CLASSIFICATION

Router Mode traffic classification settings provide mapping / assigning of profiles (set by rules to match a specific traffic type) to a CoS / priority. The profile which is used to match to a specific traffic type will be identified in the radio network by its associated CoS / priority to provide the appropriate QoS treatment. CoS / Priority can be set to very high, high, medium, low priority.

Profile name

A free form field to enter the profile name, with a maximum of 32 characters.

Assigned Priority

Traffic packets that match the applied profile rules will be assigned to the selected ‘assigned priority’ setting of Very High, High, Medium and Low. This field cannot be set to Don’t Care.

Active

Activates or deactivates the profile rule.


Controls

The Save button saves all profiles to the radio.

The Cancel button removes all changes since the last save or first view of the page if there has not been any saves. This button will un-select all the Select radio buttons.

The Edit button will show the next screen for the selected profile where the profile can be configured. This button will be disabled unless a profile is selected.

The Add button adds a new profile. If no profile is selected, the new profile is added to the end of the list; if a profile is selected, the new profile is added after that profile.

The Delete button will delete the selected profile. The button will be disabled unless a profile has been selected.

The Delete All button will delete all the profiles. A pop-up will ask if the action is correct. If the answer is yes, then all profiles are deleted in SuperVisor. The Save button must be pressed to delete all the profiles in the radio.

The Move Up button will move the selected profile up one in the order of profiles.

The Move Down button will move the selected profile down one in the order of profiles.

The Previous button displays the previous page in the list of profiles. A pop up will be displayed if any profile has been modified and not saved, preventing the previous page being displayed.

The Next button will display the next page in the list of profiles.


To edit a traffic classification, select the profile and click on the Edit button.

ETHERNET PORT CRITERIA

Ethernet Port

Set the layer 1 Ethernet port number or all Ethernet ports in the selected profile classification rules.

PRIORITY CRITERIA

DSCP Range

Sets the DSCP priority value or values in the selected profile classification rule. The value can be a single priority or a single range (multiple ranges are not allowed); for example, the value can be 46 (EF) or a range such as 10-14.


The following table shows the layer 3 packet IP header DSCP priority field values

DSCP Value (Decimal)   DSCP Priority
46                     EF (Expedited Forwarding)
10                     AF11 (Assured Forwarding)
12                     AF12
14                     AF13
18                     AF21
20                     AF22
22                     AF23
26                     AF31
28                     AF32
30                     AF33
34                     AF41
36                     AF42
38                     AF43
0                      CS0 / Best Effort (BE)
8                      CS1 (Class Selector)
16                     CS2
24                     CS3
32                     CS4
40                     CS5
48                     CS6
56                     CS7


Click on More Options if more Layer 3/4 packet header fields are required for the selected profile classification rule. This page describes all the possible fields that can be used for the classification rules in router mode.

IP CRITERIA

Source IP Address

This parameter sets the Layer 3 packet IP header Source IP Address field in the selected profile classification rules. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.

Source IP Wildcard Mask

This parameter sets the wildcard mask applied to the ‘Source IP Address’. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.

A 0 bit in the mask means the corresponding address bit must match; a 1 bit is ignored. If the wildcard mask is set to 0.0.0.0, the complete Source IP Address is evaluated for the classification rules. If it is set to 0.0.255.255, only the first two octets of the Source IP Address are evaluated. If it is set to 255.255.255.255, the Source IP Address is not evaluated at all, so any address matches.

Note: The wildcard mask operation is the inverse of the subnet mask operation.

Destination IP Address

This parameter sets the Layer 3 packet IP header Destination IP Address field in the selected profile classification rules. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.


Destination IP Wildcard Mask

This parameter sets the wildcard mask applied to the ‘Destination IP Address’. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.

A 0 bit in the mask means the corresponding address bit must match; a 1 bit is ignored. If the wildcard mask is set to 0.0.0.0, the complete Destination IP Address is evaluated for the classification rules. If it is set to 0.0.255.255, only the first two octets of the Destination IP Address are evaluated. If it is set to 255.255.255.255, the Destination IP Address is not evaluated at all, so any address matches.

Note: The wildcard mask operation is the inverse of the subnet mask operation.

Protocol Number

This parameter sets the Layer 3 IP packet header ‘Protocol’ field in the selected profile classification rule.

This field defines the protocol used in the data portion of the IP datagram. Protocol number Examples:

Protocol   Protocol value (decimal)
ICMP       1
TCP        6
UDP        17

TCP / UDP PORT CRITERIA

Source Range

This parameter sets the Layer 4 TCP / UDP packet header Source Port or Source Port range field in the selected profile classification rule. To specify a range, insert a dash between the ports e.g. 1000-2000. If the source port range is set to 1-65535, traffic from any source port will meet the criteria.

Destination Range

This parameter sets the Layer 4 TCP / UDP packet header Destination Port or Destination Port range field in the selected profile classification rule. To specify a range, insert a dash between the ports e.g. 1000-2000. If the destination port range is set to 1-65535, traffic to any destination port will meet the criteria.

Examples for TCP / UDP Port Numbers:

Protocol          TCP / UDP Port # (decimal)
Modbus            502
IEC 60870-5-104   2404
DNP 3             20000
SNMP              161
SNMP TRAP         162
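The classification rule evaluation described in the bridge-mode and router-mode sections above (Ethernet port, VLAN ID, PCP / DSCP range, MAC and IP wildcard masks, EtherType, IP protocol number and TCP / UDP port ranges, together with the bridge-mode ‘assigned VLAN ID’ rewrite conditions), as an added example in Python written for this page, not 4RF code. It works on already-parsed header fields rather than raw bytes. Assumptions not stated by the manual: profiles are tried in list order and the first active match wins (the manual only says profiles can be reordered); a packet matching no profile keeps the port's Ethernet Priority, taken here as the default Low; VLAN ID 0 and port range 1-65535 mean ‘any’.

```python
"""Evaluate an ordered list of traffic classification profiles against the
header fields of one packet, covering the bridge-mode criteria (Ethernet port,
VLAN ID, PCP/DSCP range, MAC and IP wildcard masks, EtherType, IP protocol,
TCP/UDP port ranges), the router-mode subset, and the bridge-mode
'assigned VLAN ID' rewrite rule.

Added example, not 4RF code. Assumptions: profiles are tried in list order and
the first active match wins (the manual only says profiles can be reordered);
a packet matching no profile keeps the port's Ethernet Priority, taken as the
default Low; wildcard masks use the manual's inverse-subnet-mask rule (0 bit
= must match, 1 bit = ignored); VLAN ID 0 and range 1-65535 mean 'any'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_MAC = "FF:FF:FF:FF:FF:FF"
ANY_IP = "255.255.255.255"
ANY_PORTS = (1, 65535)


def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def masked_match(value: int, want: int, wildcard: int) -> bool:
    """Inverse-subnet-mask semantics: bits set in the wildcard are not compared."""
    return (value & ~wildcard) == (want & ~wildcard)


@dataclass
class Profile:
    name: str
    assigned_priority: str                    # Very High / High / Medium / Low; no Don't Care
    active: bool = True
    assigned_vlan: int = 0                    # bridge mode only; 0 = Don't Care
    eth_port: Optional[int] = None            # None = all Ethernet ports
    vlan_id: int = 0                          # 0 = any VLAN ID
    priority_type: str = "None"               # None / PCP / DSCP
    prio_range: Tuple[int, int] = (0, 63)     # a single value is (v, v)
    src_mac: str = "00:00:00:00:00:00"
    src_mac_wild: str = ANY_MAC
    dst_mac: str = "00:00:00:00:00:00"
    dst_mac_wild: str = ANY_MAC
    ethertype: Optional[int] = None
    src_ip: str = "0.0.0.0"
    src_ip_wild: str = ANY_IP
    dst_ip: str = "0.0.0.0"
    dst_ip_wild: str = ANY_IP
    ip_proto: Optional[int] = None
    src_ports: Tuple[int, int] = ANY_PORTS
    dst_ports: Tuple[int, int] = ANY_PORTS

    def matches(self, pkt: dict) -> bool:
        """pkt: parsed fields; keys are absent for layers the packet does not carry."""
        if not self.active:
            return False
        if self.eth_port is not None and pkt.get("port") != self.eth_port:
            return False
        if self.vlan_id and pkt.get("vid") != self.vlan_id:
            return False
        if self.priority_type != "None":
            val = pkt.get("pcp" if self.priority_type == "PCP" else "dscp")
            if val is None or not self.prio_range[0] <= val <= self.prio_range[1]:
                return False
        for key, want, wild in (("src_mac", self.src_mac, self.src_mac_wild),
                                ("dst_mac", self.dst_mac, self.dst_mac_wild)):
            if not masked_match(mac_int(pkt[key]), mac_int(want), mac_int(wild)):
                return False
        if self.ethertype is not None and pkt.get("ethertype") != self.ethertype:
            return False
        for key, want, wild in (("src_ip", self.src_ip, self.src_ip_wild),
                                ("dst_ip", self.dst_ip, self.dst_ip_wild)):
            if wild == ANY_IP:
                continue                                     # address not evaluated
            if key not in pkt or not masked_match(int(IPv4Address(pkt[key])),
                                                  int(IPv4Address(want)),
                                                  int(IPv4Address(wild))):
                return False
        if self.ip_proto is not None and pkt.get("proto") != self.ip_proto:
            return False
        for key, rng in (("sport", self.src_ports), ("dport", self.dst_ports)):
            if rng != ANY_PORTS and (key not in pkt or not rng[0] <= pkt[key] <= rng[1]):
                return False
        return True


def classify(profiles: List[Profile], pkt: dict, pvid: int,
             bridge: bool = True) -> Tuple[Optional[str], str, Optional[int]]:
    """Return (matched profile name, CoS, egress VLAN ID). In bridge mode the VLAN
    ID is rewritten only when the frame arrived untagged or tagged with the port
    PVID; a frame in any other VLAN passes through with its VLAN unchanged."""
    vid = pkt.get("vid")
    for p in profiles:
        if p.matches(pkt):
            if bridge and p.assigned_vlan and (vid is None or vid == pvid):
                vid = p.assigned_vlan
            return p.name, p.assigned_priority, vid
    return None, "Low", vid
```

Because the match is first-wins, the order set with Move Up / Move Down is part of the policy: a broad ‘everything else’ profile placed above a DNP3 profile silently takes every packet. Note too that the profiles only decide the queue and VLAN; nothing here drops traffic, so classification is not a substitute for filtering on the firewall in front of the radio.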

 

 


Security

Security > Summary

This page displays the current settings for the Security parameters.

See ‘Security > Setup’ and ‘Security > Manager’ for configuration options.


Security > Setup

PAYLOAD SECURITY PROFILE SETTINGS

Security Profile Name

This parameter enables the user to predefine a security profile with a specified name.

Security Scheme

This parameter sets the security scheme to one of the values in the following table:

Security Scheme

Disabled (No encryption and no Message Authentication Code)

AES Encryption + CCM Authentication 128 bit

AES Encryption + CCM Authentication 64 bit

AES Encryption + CCM Authentication 32 bit

AES Encryption only

CCM Authentication 128 bit

CCM Authentication 64 bit

CCM Authentication 32 bit

The default setting is Disabled, i.e. the payload is sent over the air with neither confidentiality nor integrity protection. When choosing a scheme, note that the CCM authentication size is the length of the message authentication tag: with a 32 bit tag a forged frame passes authentication with probability about 2^-32 per attempt, against about 2^-128 for the 128 bit tag, so the shorter tags trade integrity strength for over-the-air overhead.


Payload Encryption Key Type

This parameter sets the Payload Encryption Key Type:

 

Option            Function
Pass Phrase       Use the Pass Phrase password format for standard security.
Raw Hexadecimal   Use the Raw Hexadecimal key format for better security. It must comply with the specified encryption key size, e.g. if the key size is AES128, the encryption key must be 16 bytes (32 hex chars).

The default setting is Pass Phrase.

Payload Encryption Key Size

This parameter sets the AES key size to AES128, AES192 or AES256. The default setting is AES128.

The larger the key size, the stronger the encryption.

Payload Encryption Key

This parameter sets the Payload Encryption password. This key is used to encrypt the payload.

Pass Phrase

Good password policy:

contains at least eight characters, and

contains at least one upper case letter, and

contains at least one lower case letter, and

contains at least one digit or another character such as @+... , and

is not a term in a familiar language or jargon, and

is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and

is easy to remember, for instance by means of a key sentence

Raw Hexadecimal

The Raw Hexadecimal key must comply with the specified encryption key size, e.g. if the Encryption Type is set to AES128, the encryption key must be 16 bytes (32 chars).
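As an added example (not from the 4RF manual), the following Python checks a key entered for either the Payload Encryption Key or the Key Encryption Key against the rules above: the mechanically checkable items of the pass phrase policy, and the Raw Hexadecimal length for the selected Key Size. It also generates a random Raw Hexadecimal key of the right length, the form the manual recommends for the Key Encryption Key; the AES192 and AES256 byte lengths are assumed from the AES standard, only the AES128 length is stated on this page.

```python
import re
import secrets

# Key sizes selectable on the Security > Setup page, in bytes.  AES128 = 16 bytes
# (32 hex chars) is stated in the manual; AES192/AES256 follow the AES standard.
KEY_SIZES = {"AES128": 16, "AES192": 24, "AES256": 32}


def passphrase_policy_violations(passphrase, account_name=""):
    """Return the checkable rules of the manual's 'Good password policy' list
    that the pass phrase breaks.  An empty list means it passes.  Rules that
    need a dictionary or personal context ('not a term in a familiar language',
    'not from personal characteristics') cannot be checked mechanically here."""
    problems = []
    if len(passphrase) < 8:
        problems.append("fewer than eight characters")
    if not re.search(r"[A-Z]", passphrase):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", passphrase):
        problems.append("no lower case letter")
    if not re.search(r"[^A-Za-z]", passphrase):
        problems.append("no digit or other character such as @+")
    if account_name and account_name.lower() in passphrase.lower():
        problems.append("derived from the account name")
    return problems


def validate_raw_hex_key(key, key_size):
    """A Raw Hexadecimal key must be exactly twice the key size in hex digits,
    e.g. 32 chars for AES128, with nothing else (no spaces, no 0x prefix)."""
    digits = 2 * KEY_SIZES[key_size]
    return re.fullmatch(r"[0-9A-Fa-f]{%d}" % digits, key) is not None


def generate_raw_hex_key(key_size):
    """Produce a fresh Raw Hexadecimal key of the right length from the OS
    CSPRNG, the 'truly random' form the manual recommends for the KEK."""
    return secrets.token_hex(KEY_SIZES[key_size])


if __name__ == "__main__":
    # Constructed sample inputs, not values from the manual.
    print(passphrase_policy_violations("Ab1"))
    print(validate_raw_hex_key("00112233445566778899aabbccddeeff", "AES128"))
    print(generate_raw_hex_key("AES256"))
```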


KEY ENCRYPTION KEY SETTINGS

The Key Encryption Key provides the ability to encrypt the Payload Encryption Key so it can be safely transmitted over the radio link to remote radios.

The Key Encryption Key Type, Key Encryption Key Size and Key Encryption Key must be the same on all radios in the network.

Key Encryption Key Type

This parameter sets the Key Encryption Key Type:

Option             Function
Pass Phrase        Use the Pass Phrase password format for standard security.
Raw Hexadecimal    Use the Raw Hexadecimal key format for better security. It must comply with the specified encryption key size, e.g. if the Encryption Type is set to AES128, the encryption key must be 16 bytes (32 chars).

The default setting is Pass Phrase.

Key Encryption Key Size

This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.

The larger the key size, the stronger the security.

Key Encryption Key

This parameter sets the Key Encryption Key. This is used to encrypt the payload encryption key.

USB Transaction Status

This parameter shows if a USB flash drive is plugged into the radio host port.

Option                       Function
USB Storage Not Detected     A USB flash drive is not plugged into the radio host port.
USB Storage Detected         A USB flash drive is plugged into the radio host port.

Note: Some brands of USB flash drives may not work with 4RF radios.

Controls

The ‘Save’ button saves the Key Encryption Key settings to the radio. If the Security Level is set to Strong (see ‘Security Level’ on page 191), this button will be grayed out.

The ‘Load From USB’ button loads the Key Encryption Key settings from the USB flash drive. If a USB flash drive is not detected, this button will be grayed out.

The ‘Copy To USB’ button copies the Key Encryption Key settings to a file called ‘asrkek.txt’ on the USB flash drive. This settings file can be used to load into other radios. If a USB flash drive is not detected or the Security Level is set to Strong (see ‘Security Level’ on page 191), this button will not be shown.


Key Encryption Key Summary

The security of over-the-air rekeying depends on a truly random Key Encryption Key. This is why the use of a Raw Hexadecimal key is recommended: a plain text phrase based on known spelling and grammar constructs is not very random. The default Key Encryption Key is provided only to allow testing of the security mechanism and is not intended for operational use. Using the default Key Encryption Key undermines the security of the AES payload encryption because an attacker using the default Key Encryption Key would immediately recover the AES payload key after the first over-the-air rekeying event.

When the Security Level is set to Strong, various protections are applied to the Key Encryption Key setting to prevent tampering. In addition, the Key Encryption Key Type, Key Encryption Key Size, and the Key Encryption Key itself are all loaded from a customer prepared USB key. This is a one way operation to prevent key recovery from radios. While the ability to save a Key Encryption Key to USB exists in Standard Security Level, the Strong Security Level Key Encryption Key is not compromised because the Strong Key Encryption Key is not the same as the Standard Security Level Key Encryption Key.


PROTOCOL SECURITY SETTINGS

Telnet option

This parameter option determines if you can manage the radio via a Telnet session. The default setting is disabled.

ICMP option (Internet Control Message Protocol)

This parameter option determines whether the radio will respond to a ping. The default setting is disabled.

HTTPS option

This parameter option determines if you can manage the radio via an HTTPS session (via a Browser). The default setting is enabled.

SNMP Proxy Support

This parameter option enables an SNMP proxy server in the base station. This proxy server reduces the radio link traffic during SNMP communication to remote / repeater stations. This option applies to the base station only. The default setting is disabled.

This option can also be used if the radio has Serial Only interfaces.

SNMP Protocol

This parameter sets the SNMP Protocol:

Option                            Function
Disabled                          All SNMP functions are disabled.
All Versions                      Allows all SNMP protocol versions.
SNMPv3 Only                       Only SNMPv3 transactions will be accepted.
SNMPv3 With Authentication Only   Only SNMPv3 transactions authenticated using HMAC-MD5 or HMAC-SHA will be accepted (as per table below).
SNMPv3 With Encryption Only       Only SNMPv3 transactions with an encrypted type of DES or AES will be accepted (as per table below).

The default setting is All Versions.

The default SNMPv3 with Authentication User Details provided are:

User Name     Encryption Type   Authentication Type   Context Name   Authentication Passphrase   Encryption Passphrase
noAuthUser    -                 -                     noAuth         noAuthUser                  noAuthUser
desUserMD5    DES               MD5                   priv           desUserMD5                  desUserMD5
desUserSHA    DES               SHA                   priv           desUserSHA                  desUserSHA
authUserMD5   -                 MD5                   auth           authUserMD5                 authUserMD5
authUserSHA   -                 SHA                   auth           authUserSHA                 authUserSHA
privUserMD5   AES               MD5                   priv           privUserMD5                 privUserMD5
privUserSHA   AES               SHA                   priv           privUserSHA                 privUserSHA


SNMPv3 Authentication Passphrase

The SNMPv3 Authentication Passphrase can be changed via the SNMPv3 secure management protocol interface (not via SuperVisor).

When viewing / managing the details of the users via SNMPv3, the standard SNMP-USER-BASED-SM-MIB interface is used. This interface can be used to change the SNMPv3 Authentication Passphrase of the users.

A user's SNMPv3 Authentication Passphrase cannot be changed by that same user, i.e. a different user must be used for the transaction.

Generate New Keys from SNMPv3 USM User Passphrases

Net-SNMP is a suite of open source software for using and deploying the SNMP protocol. Similar functionality is built into many commercial SNMP managers.

This next step of loading the Aprisa SR+ radios with keys generated from USM user passphrases requires the SNMPv3 USM Management utility provided as part of Net-SNMP.

The utility is called ‘snmpusm’. It provides a range of commands, including changing the passwords of SNMPv3 users. In order to use this utility, the user will need to install Net-SNMP on a Linux (or Windows®) machine. The examples below are from the Linux environment. This tool automatically obtains the engine ID from the target radio before generating the keys and loading them into the target.
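As an added example (not from the manual or from Net-SNMP), this Python reproduces the RFC 3414 password-to-key procedure that snmpusm runs: the passphrase is hashed after being repeated to 1 MiB, and the result is localized with the radio's engine ID, so the same passphrase gives a different stored key on every radio. The engine ID and password constants are the RFC 3414 Appendix A test vectors, not values from any radio.

```python
import hashlib

# Engine ID from the RFC 3414 Appendix A.3 test vectors, used here only to
# check the implementation; a radio's real engine ID is the value snmpusm
# fetches from that radio before generating keys.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
ONE_MEGABYTE = 1048576


def usm_master_key(passphrase, algo="sha1"):
    """Ku: hash the passphrase repeated cyclically to exactly 1 MiB (RFC 3414
    section A.2).  'md5' and 'sha1' are the two USM authentication types the
    radio supports (HMAC-MD5, HMAC-SHA)."""
    if algo not in ("md5", "sha1"):
        raise ValueError("unsupported USM authentication type: %s" % algo)
    pw = passphrase.encode("utf-8")
    if not pw:
        raise ValueError("empty passphrase")
    reps = ONE_MEGABYTE // len(pw) + 1
    return hashlib.new(algo, (pw * reps)[:ONE_MEGABYTE]).digest()


def usm_localized_key(passphrase, engine_id, algo="sha1"):
    """Kul = H(Ku || engineID || Ku): the key actually stored in the agent.
    Because the engine ID is mixed in, the same passphrase yields a different
    key on every radio, which is why snmpusm must contact each radio."""
    ku = usm_master_key(passphrase, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def keys_differ_per_engine(passphrase, engine_ids, algo="sha1"):
    """True when the localized keys for the given engine IDs are pairwise
    distinct (the expected result for distinct radios)."""
    keys = {usm_localized_key(passphrase, eid, algo) for eid in engine_ids}
    return len(keys) == len(engine_ids)


if __name__ == "__main__":
    # Should print the Kul values from RFC 3414 A.3.1 (MD5) and A.3.2 (SHA).
    print(usm_localized_key("maplesyrup", RFC3414_ENGINE_ID, "md5").hex())
    print(usm_localized_key("maplesyrup", RFC3414_ENGINE_ID, "sha1").hex())
```

The same derivation applied to the default passphrases in the table above is what makes them unsafe: anyone holding the published defaults and a radio's engine ID can compute that radio's stored keys.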

To change a user's authentication or encryption passphrase, use the snmpusm ‘passwd’ command. The following are examples of:

Changing the privUserSHA user encryption key / password from privUserSHA to privUserSHANew:

c:\usr\bin>snmpusm -v 3 -u privUserSHA -n priv -l authPriv -a SHA -A privUserSHA -x AES -X privUserSHA -Cx 172.17.70.17 passwd privUserSHA privUserSHANew

Changing the privUserSHA user authentication key / password from privUserSHA to privUserSHANew:

c:\usr\bin>snmpusm -v 3 -u privUserSHA -n priv -l authPriv -a SHA -A privUserSHA -x AES -X privUserSHANew -Ca 172.17.70.17 passwd privUserSHA privUserSHANew

Changing the desUserSHA user encryption key / password from desUserSHA to desUserSHANew:

c:\usr\bin>snmpusm -v 3 -u desUserSHA -n priv -l authPriv -a SHA -A desUserSHA -x DES -X desUserSHA -Cx 172.17.70.17 passwd desUserSHA desUserSHANew

Changing the desUserSHA user authentication key / password from desUserSHA to desUserSHANew:

c:\usr\bin>snmpusm -v 3 -u desUserSHA -n priv -l authPriv -a SHA -A desUserSHA -x DES -X desUserSHANew -Ca 172.17.70.17 passwd desUserSHA desUserSHANew

Changing the privUserMD5 user encryption key / password from privUserMD5 to privUserMD5New:

c:\usr\bin>snmpusm -v 3 -u privUserMD5 -n priv -l authPriv -a MD5 -A privUserMD5 -x AES -X privUserMD5 -Cx 172.17.70.17 passwd privUserMD5 privUserMD5New

Changing the privUserMD5 user authentication key / password from privUserMD5 to privUserMD5New:

c:\usr\bin>snmpusm -v 3 -u privUserMD5 -n priv -l authPriv -a MD5 -A privUserMD5 -x AES -X privUserMD5New -Ca 172.17.70.17 passwd privUserMD5 privUserMD5New


Changing the desUserMD5 user encryption key / password from desUserMD5 to desUserMD5New:

c:\usr\bin>snmpusm -v 3 -u desUserMD5 -n priv -l authPriv -a MD5 -A desUserMD5 -x DES -X desUserMD5 -Cx 172.17.70.17 passwd desUserMD5 desUserMD5New

Changing the desUserMD5 user authentication key / password from desUserMD5 to desUserMD5New:

c:\usr\bin>snmpusm -v 3 -u desUserMD5 -n priv -l authPriv -a MD5 -A desUserMD5 -x DES -X desUserMD5New -Ca 172.17.70.17 passwd desUserMD5 desUserMD5New

Changing the authUserSHA user authentication key / password from authUserSHA to authUserSHANew:

c:\usr\bin>snmpusm -v 3 -u authUserSHA -n auth -l authNoPriv -a SHA -A authUserSHA -Ca 172.17.70.17 passwd authUserSHA authUserSHANew

Changing the authUserMD5 user authentication key / password from authUserMD5 to authUserMD5New:

c:\usr\bin>snmpusm -v 3 -u authUserMD5 -n auth -l authNoPriv -a MD5 -A authUserMD5 -Ca 172.17.70.17 passwd authUserMD5 authUserMD5New

Notes

The -Cx option changes the Encryption key/password.

The -Ca option changes the Authentication key/password.

Other information on this utility can be obtained from the utility's own command help or online.

Summary

It is necessary to record the new passphrases loaded into the Aprisa SR+ radios and then load the passphrases into the SNMP manager. There is a separate passphrase for each of the two supported authentication-only forms (MD5 and SHA1), as well as for each combination of the two forms of authentication with the two forms of encryption (DES and AES). It is vital to change all passphrases even if the deprecated mechanisms (MD5 and DES) are not used, otherwise an attacker could still use the default passphrases.
