SP WiFi Packet Core Integration - Cisco Systems, Inc

SP WiFi Packet Core Integration. Sergei Gotchev (MITG CSE), Djordje Vulovic (Sales SE). March 21, 2012, Belgrade. Cisco Public. © 2011 Cisco and/or its affiliates. All rights reserved.

Transcript of SP WiFi Packet Core Integration - Cisco Systems, Inc

Page 1: SP WiFi Packet Core Integration - Cisco Systems, Inc

SP WiFi Packet Core Integration Sergei Gotchev MITG CSE, Djordje Vulovic Sales SE

March 21, 2012 Belgrade

Page 2: SP WiFi Packet Core Integration - Cisco Systems, Inc

Business drivers for SP Wi-Fi

Overall WiFi Architecture

Wi-Fi Components

MPC Integration

Page 3: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: mobile data traffic forecast, 2009–2014, in TB/mo (axis 0 to 3,600,000), annotated "26x". Traffic categories: Mobile VoIP, Mobile Gaming, Mobile P2P, Mobile Web/Data, Mobile Video. Shares shown: 66%, 8%, 4%, 5%, 17%. Source: Cisco Visual Networking Index (VNI) Global Mobile Data Forecast, 2009–2014]

Page 4: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: two charts for 2010–2014. Revenue ($B): Voice, Messaging, Data. Traffic (PB): Smartphone, Tablet, Data Card]

Device Innovation & Impact

• Smartphones

• Tablets

• e-Readers

Page 5: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: growth on a log scale (1 to 1000), 1990–2015. Series: Spectrum, Average Macro Cell Efficiency, Macro Capacity. Annotation: 26x Growth. Source: Agilent]

Future networks supporting mobile Internet traffic will need to be able to seamlessly integrate many more smaller cells

Page 6: SP WiFi Packet Core Integration - Cisco Systems, Inc

• Optimization – increases network capacity and reduces 3G data traffic overload by offloading traffic with SP Wi-Fi.

• Monetization – creates new revenue streams by taking advantage of advanced technology that provides secure delivery of location-based services to mobile devices.

• Churn Reduction – expands a physical footprint with a cost-effective Wi-Fi solution to keep customers on the service provider network as they move from home to the train to the office.

Page 7: SP WiFi Packet Core Integration - Cisco Systems, Inc

Business drivers for SP Wi-Fi

Overall WiFi Architecture

Wi-Fi Components

MPC Integration

Page 8: SP WiFi Packet Core Integration - Cisco Systems, Inc

• Uncontrolled – No SP involvement. User-driven offload via unmanaged device.

• Home/SOHO Dual SSID (Community) – SP provides dual SSID home device. Private and public (community) SSID.

• Hot Spot / Hot Zone – SP installed and managed hot spots in malls, restaurants, hotels, …

• High Density Wireless – SP installed and managed hot spots in high density user areas (stadiums, …)

• Metro / Mesh – SP installs and manages outdoor Wi-Fi for coverage of large, dense urban areas

• Enterprise Guest Access – Enterprise guest access managed by SP

Page 9: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: four SP Wi-Fi access models: Metro, Hotspot, Residential, Client Centric. Labels, in slide order: Portal, L2 (.1Q), CoA, Services, ISG, L3/L3VPN, AAA, Cisco AR, Pre-std 11.r fast roaming, Portal with WISPr 1.0, L3VPN, ASR 1K, Subscriber Control, Autonomous AP, Local SSID/Services, L2TP, 3rd party CPE, L2/L3, LNS, CAR, ASR 5K, GGSN, IKEv2/IPSec, 3rd party IWLAN Clients, GTP, TTG, Cisco Access Registrar, EAP-SIM/EAP-AKA, Un-trusted/BYO Wi-Fi, AZR]

Page 10: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: operator types. Labels: MSP, FSP, 3G/4G Mobile Packet Core, Converged Operator, Fixed BB Infra., M, F]

Page 11: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: architecture layers. Labels: On-Net, Off-Net, Internet, Access, Backend, Packet Core Integration]

Page 12: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: overall architecture in four layers: User Equipment, Access, Packet Core Integration, Backend. Labels: UE, AP, AP/MAG, WLC, WLC/MAG, MAG, LMA, GTP, PMIPv6, IPSec, L2, L3, .1Q, Subscriber Policy Enforcement, Internet]

Page 13: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: packet core integration diagram. Labels: Internet, MAG, LMA, GTP, IPSec, L2, L3, Subscriber Policy Enforcement]

Wi-Fi components, in slide order: Stadium / Large Venue; 6500/WiSM-2 or 5508 WLC (Unified); Network Control System (NCS); AP3500/3600/3500p; (Grayling) SMB Managed AP; AP1140/1260/3500 (auto/HREAP); Indoor Hotspot; AP1140/1260/3500/3600 (auto/HREAP); WLC cluster; Flex7500 (HREAP); 5508, 6500/WiSM-2; Metro Wi-Fi AP1550 (Unified)

Page 14: SP WiFi Packet Core Integration - Cisco Systems, Inc

Business drivers for SP Wi-Fi

Overall Architecture

SP Wi-Fi Components

MPC Integration

Page 15: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: SP Wi-Fi components. Labels, in slide order: Internet, SMB Managed AP, 3G/4G Macro Site, Stadium / Large Venue, WLC for On Premise Content, Indoor Hotspot, Partner Net, MSP Credentials, IP Core, UCS, Wireless LAN Controller (WLC), Wireless Control System (WCS), Cisco ASR 1000, Residential Managed AP, Metro Wi-Fi, IP Backhaul, Cisco ASR 5000, Consumer Broadband, Secure WiFi Backhaul, WAG]

Page 16: SP WiFi Packet Core Integration - Cisco Systems, Inc

All Client-less and Client-based configurations supported

[Figure: Wi-Fi integration options into the mobile packet core. Labels, in slide order: Devices, IP Core, Mobile Packet Core, Trusted Wi-Fi, 3G Cellular, Converged Per-subscriber Policy, Charging and Billing Systems, Per User GTP Tunnel, GTP (Gn), Secure Client based iWLAN, Clientless – IPSG (IP), Clientless MAG (PMIPv6), Clientless eWAG (GTPv1), Untrusted Wi-Fi, Per User IPSec Tunnel, TTG, SGSN, eWAG, Per User GTP Tunnel, MAG, GGSN, Per User PMIPv6 Tunnel, VPN, Un Tunneled User Data (IP), IPSG, Clientless 3GPP, Clientless 3GPP2, Per User PMIPv6 Tunnel, HSGW, P-GW]

Multiple Applications Simultaneously Running on Session-Centric Operating System

Page 17: SP WiFi Packet Core Integration - Cisco Systems, Inc

Business drivers for SP Wi-Fi

Overall Architecture

SP Wi-Fi Components

MPC Integration

Page 18: SP WiFi Packet Core Integration - Cisco Systems, Inc

• The IP Services Gateway is a device capable of providing managed services to IP flows.

• The IPSG is situated on the network side of legacy, non-service capable subscriber management devices such as WLC.

• The IPSG can provide per-subscriber services such as enhanced charging, stateful firewall, traffic performance optimization, and others.

• No replacement of the existing access gateways

• No need for ISG subscriber management

• No need for client

• WiFi infrastructure must be trusted – 802.1x for Auth and WiFi encryption required

• AAA needs to cache some parameters (MAC, IMSI, MSISDN)

• IP Address allocated in WiFi and must be from the same address space as MPC

• For mobility HA is required on Mobile IP TS 23.327 or PMIP

Page 19: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: IPSG integration architecture. Labels, in slide order: Internet, Off-net, NAT-FW, On-net Content, Gx, Gy, Ga, WiSPr 1/web login/EAP-SIM/AKA, Trusted Wifi, WAP GW, IPSG, ASR500, AAA/Portal, HLR, OCS, PCRF, CGF, WLC, Secured DPI, Mobile charging, Mobile policy, Mobile Services, Radius traffic, eNB/NB, Gn, SGSN, Wifi Access Network, Mobile, Legacy GGSN, Gi, HA, ASR500]

Page 20: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: Client, AP, WLC, AAA, DHCP, IPSG, INTERNET, HLR/HSS

(1) 802.1x

(2) RADIUS

(3) EAP Negotiation

(4) EAP Authentication / Authorization

(5) DHCP Discover

(6) DHCP Discover

(7) DHCP Offer

(8) DHCP Request / ACK

(9) Acct Start

(10) IP Traffic

(11) RADIUS Acc

(12) RADIUS Acc

(13) IP Traffic

(14) IP Traffic

Annotations: User Record Cached; User Authorized and service profile downloaded; Session created

Legend: 802.11(x), CAPWAP, RADIUS, DHCP, IP

Page 21: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: Device, AP+WLC, DHCP/Router, IPSG, Broadhop Portal, SuM, QNS/AAA

Messages and actions shown:

• Association

• RADIUS Access Request (MAC Auth)

• RADIUS Access Req (username = MAC)

• RADIUS Access Accept (MSISDN, W-APN, Charging Characteristics)

• RADIUS Access Accept

• Association Response

• DHCP

• RADIUS Accounting Start (Calling-user-ID = MAC, Framed-IP-Address)

• RADIUS Accounting Start (Framed-IP-Address = IPv4, Called-Station-ID = W-APN, Calling-Station-ID = MSISDN, 3GPP-Charging-Characteristics = 16bits, 3GPP-IMEISV = MAC Address)

• Build State for IP Address

• Gx:CCR-I: Subscription-ID = MSISDN

• Gx:CCA-I: Policy to apply

• IP

All subscriber devices’ MAC addresses are provisioned along with MSISDN, W-APN and Charging Characteristics and activated on the SUM server.

Page 22: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: Device, AP+WLC, DHCP/Router, IPSG, Broadhop Portal, SuM, QNS

Messages and actions shown:

• Configure External branded-portal.com

• Open Association

• DHCP

• http://www.google.com

• http 302: branded-portal.com

• http://branded-portal.com

• Send branded portal including <script type="text/javascript" src=https://ngs-ip/sites/js/SCRIPT_NAME> </script>

• Post Credential

• RADIUS Access Request (Username, Password, Calling-station-ID = MAC, Framed-IP-Addr)

• RADIUS Access Req (username, password)

• RADIUS Access Accept (MSISDN, W-APN, Charging Characteristics)

• RADIUS Access Accept

• Build State for IP Address

• Remove Redirect Rule

• RADIUS Accounting Start (Framed-IP-Address = IPv4, Called-Station-ID = W-APN, Calling-Station-ID = MSISDN, 3GPP-Charging-Characteristics = 16bits, 3GPP-IMEISV = MAC Address)

All subscriber authentication credentials, i.e. username and password, are provisioned along with MSISDN, W-APN and Charging Characteristics and activated on the SUM server.

Page 23: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: Device, AP+WLC, DHCP/Router, IPSG, Broadhop Portal, SuM, QNS

Messages shown:

• IP

• Gx:CCR-I: Subscription-ID = MSISDN

• Gx:CCA-I: Policy to apply

Page 24: SP WiFi Packet Core Integration - Cisco Systems, Inc

• PDG - Packet Data Gateway provides 3GPP 23.234 WLAN-to-3GPP interworking.

• TTG - Tunnel Termination Gateway enables PDG functionality for existing GGSN deployments and provides PDG functionality to the subscriber UEs in the WLAN.

• iWLAN UE client is required to support integration of access over WiFi into mobile packet core based on 3GPP iWLAN architecture

• Seamless mobility via Home Agent based on Client Mobile IP or PMIP from GGSN

• The iWLAN main client functions

• Connection management to select access type

• User authentication while connecting over WiFi

• Create secure tunnel while connecting over WiFi

• Optional Mobile IP tunnel to provide session persistence during inter-access mobility

• Optional policy management to control the behavior of the client

• Seamless mobility via Home Agent based on Mobile IP TS 23.327 or PMIP

Page 25: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: iWLAN (TTG) integration architecture. Labels, in slide order: NB, Wifi Network, Internet, Off-net, NAT-FW, Mobile On-net Content, Gx, Gy, Ga, Gn, WAP GW, Gi/IP, AP, i-WLAN, Un-Trusted Wifi AP, AAA/Portal, HLR, OCS, PCRF, CGF, SGSN, i-WLAN Client, IPSec, DPI, Mobile charging, Mobile policy, Mobile Services, Convergent Gateway, TTG, GGSN, HA]

Page 26: SP WiFi Packet Core Integration - Cisco Systems, Inc

• WiFi attachment and authentication depend on the capabilities of the WiFi AP (WISPr 1.0/2.0)

• IKEv2 authentication is based on EAP SIM

Call flow participants: Device, AP+WLC, TTG, CAR, HLR, GGSN

Steps shown:

• WiFi Attachment

• WiFi Authentication (WiFi credentials, TTG address returned)

• IKEv2 Authentication (EAP SIM)

• IKEv2/IPSec SA establishment

• GTP tunnel establishment

• IP addr allocation, PDP establishment

Resulting tunnels: IPSec Tunnel, GTP Tunnel

Page 27: SP WiFi Packet Core Integration - Cisco Systems, Inc

• New gateway allowing clientless WiFi integration into Packet Core, interfacing GGSN

• WiFi infrastructure must be trusted – 802.1x for Auth and WiFi encryption required

• eWAG provides the interface between WiFi and the existing GGSN – the WiFi session terminates on the GGSN via the Gn’ interface

• Existing MPC infrastructure reused – PCRF, OCS, Billing, LI

• eWAG only interfaces to AAA and GGSN – no other MPC integration is needed

• AAA needs to cache some parameters (MAC, IMSI, MSISDN)

• DHCP or Radius Accounting Request from UE triggers eWAG session

• UE allocated IP address from MPC space

• Layer 3 IP or GRE datapath to eWAG

• Seamless mobility via Home Agent based on Mobile IP or PMIP from GGSN

Page 28: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: eWAG integration architecture. Labels, in slide order: NB, Wifi, Internet, Off-net, SGSN, NAT-FW, AP, AAA Proxy, Mobile On-net Content, HLR, OCS, PCRF, Mobile AAA, Gx, Gy, EAP-SIM/AKA, CGF, Ga, ASR5K, WLC, Internet, eWAG, GGSN, Gn’, DHCP]

WiFi IP addr space / MPC IP addr space: mapping between WiFi and MPC address spaces

Page 29: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: Device, AP+WLC, DHCP/Router, eWAG, GGSN, CAR, ITP, HLR

Messages and actions shown:

• Open Association

• EAP Request/ID

• EAP ID Response/ID

• RADIUS Access Request (username = EAP ID, calling station ID = MAC)

• EAP-SIM Method

• RADIUS Access Request (VSA map:getauthinf)

• MAP SEND AUTH INFO Req

• MAP SEND AUTH INFO Res

• RADIUS Access Accept (VSA map:authtriplet)

• RADIUS Access Accept (EAP Success)

• EAP SUCCESS

• DHCP

• RADIUS Accounting Start (Calling-user-ID = MAC, Framed-IP-Address)

• RADIUS Accounting Start (Calling-user-ID = MAC, Framed-IP-Address, Starent VSAs: User-Name = MSISDN@SSID, Framed-IP-Addr)

• Data packet (Src IP=IP1)

• Build State for IP1 Address

• Create PDP Ctx Req

• Create PDP Ctx Res (IP2)

• Build IP1 <-> IP2 mapping

• GTP tunnel

• IP1 <-> IP2 NAT

• Data packet (Src IP=IP2)

• Data packet (Src IP=IP2) Gi

Annotations: All subscriber authorized IMSIs provisioned as well as IMSI to MSISDN mapping. Cache mapping between IMSI, MAC address and SSID.
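
The session state this call flow builds on the eWAG (state for IP1 on Accounting Start, a PDP context returning IP2, then IP1 <-> IP2 NAT), modelled in Python as an added example that is not Cisco code. The class and function names, the FakeGGSN stand-in, and all MAC addresses, IMSIs, MSISDNs and IP pools are constructed for illustration.

```python
"""Model of the eWAG session handling shown in the call flow (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Subscriber:
    """Identity the AAA cached for a MAC during EAP-SIM."""
    imsi: str
    msisdn: str
    ssid: str


@dataclass
class Session:
    mac: str
    wifi_ip: ipaddress.IPv4Address  # IP1, leased by the Wi-Fi DHCP server
    mpc_ip: ipaddress.IPv4Address   # IP2, returned in Create PDP Ctx Res
    user_name: str                  # MSISDN@SSID, as in the Accounting Start


class FakeGGSN:
    """Hypothetical stand-in for the GGSN: allocates IP2 from the MPC pool."""
    def __init__(self, pool):
        self._free = iter(ipaddress.ip_network(pool).hosts())

    def create_pdp_context(self, imsi, msisdn):
        return next(self._free)


class EWag:
    def __init__(self, aaa_cache, ggsn):
        self.aaa_cache = aaa_cache  # MAC -> Subscriber
        self.ggsn = ggsn
        self.by_wifi_ip = {}        # IP1 -> Session
        self.by_mpc_ip = {}         # IP2 -> Session

    def on_accounting_start(self, mac, framed_ip):
        """Build state for IP1, open a PDP context, record IP1 <-> IP2."""
        sub = self.aaa_cache.get(mac.lower())
        if sub is None:
            return None  # MAC never completed EAP-SIM: no session, no PDP context
        ip1 = ipaddress.ip_address(framed_ip)
        stale = self.by_wifi_ip.pop(ip1, None)
        if stale is not None:
            # IP1 was re-leased: remove the old IP2 binding so downlink traffic
            # for the previous subscriber is not delivered to the new device.
            del self.by_mpc_ip[stale.mpc_ip]
        ip2 = self.ggsn.create_pdp_context(sub.imsi, sub.msisdn)
        session = Session(mac.lower(), ip1, ip2, f"{sub.msisdn}@{sub.ssid}")
        self.by_wifi_ip[ip1] = session
        self.by_mpc_ip[ip2] = session
        return session

    def uplink(self, src_ip):
        """Wi-Fi -> GTP: rewrite source IP1 to IP2; None means drop."""
        s = self.by_wifi_ip.get(ipaddress.ip_address(src_ip))
        return str(s.mpc_ip) if s else None

    def downlink(self, dst_ip):
        """GTP -> Wi-Fi: rewrite destination IP2 to IP1; None means drop."""
        s = self.by_mpc_ip.get(ipaddress.ip_address(dst_ip))
        return str(s.wifi_ip) if s else None


def demo_ewag():
    """eWAG with two constructed subscribers and a constructed MPC pool."""
    cache = {
        "00:11:22:33:44:55": Subscriber("001010000000001", "381600000001", "SP-WiFi"),
        "00:11:22:33:44:66": Subscriber("001010000000002", "381600000002", "SP-WiFi"),
    }
    return EWag(cache, FakeGGSN("172.16.0.0/29"))
```

Packets from a source address with no session, and Accounting Starts for a MAC the AAA has not cached, produce no mapping, which is the behaviour to verify when the Wi-Fi side is treated as trusted.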

Page 30: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: UE, WiFi, ASR5K eWAG, GGSN, CAR, HSS/HLR

GRE Tunnel per WiFi

Wifi Attach

EAP messages shown: EAP-Req/Identity; (RADIUS Proxy) EAP-Resp/Identity; EAP-Challenge; EAP-Response; EAP-Accept

DHCP messages shown: DHCP Discover; DHCP Request; DHCP Acknowledge; DHCP Offer

GTP messages shown: Create PDP cntx (IMSI, MSISDN, APN from configuration); Create PDP cntx Ack (IP addr. for WiFi client)

Result: End User IP “Session”; PDP Context; Gi Connection to Internet/Enterprise

ASR5K “gluing” the “dhcp” session to the corresponding PDP context, based on a) src IP addr, or b) sub-channel (“Key”) ID inside the GRE tunnel

EAP RADIUS messages are proxied by the 5K to get the association between client MAC address and IMSI/MSISDN.

Page 31: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: UE, WiFi, ASR5K eWAG, GGSN, 3GPP AAA, HSS/HLR

GRE Tunnel per WiFi

Wifi Attach

EAP messages shown: EAP-Req/Identity; (RADIUS Proxy) EAP-Resp/Identity; EAP-Challenge; EAP-Response; EAP-Accept

DHCP messages shown: DHCP Discover; DHCP Request; DHCP Acknowledge; DHCP Offer

GTP messages shown: Create PDP cntx (IMSI, MSISDN, APN from configuration); Create PDP cntx Ack (IP addr. for WiFi client)

Result: End User IP “Session”; PDP Context; Gi Connection to Internet/Enterprise

ASR5K “gluing” the “dhcp” session to the corresponding PDP context, based on a) src IP addr, or b) sub-channel (“Key”) ID inside the GRE tunnel

EAP RADIUS messages are proxied by the 5K to get the association between client MAC address and IMSI/MSISDN. AAA configuration @ WLC?

Page 32: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: EPC architecture with LTE and WiFi/WLAN access. Elements: eUTRAN, MME, SGW, PGW, ePDG, AAA, HSS, PCRF, OCS, ANDSF, Client, Operator IP Service Domain. Interfaces: S1, S1u, S5, S11, SWn, SWm, S6b, Gx, Gy, Gxc, SGi]

Simplified and flattened RAN with IP to the edge

• Radio resource management, incl. handovers

• Interacts with MME for all signaling plane processing

• Exchanges user plane traffic with Serving GW

Data Plane anchoring for 3GPP Access Networks with 2G/3G interworking

• Anchor point for 3GPP IP Access Networks only (2G/3G/LTE)

• Processes all IP packets to/from UE

• Controlled by MME

• Uses network-based mobility towards PDN GW (GTP or PMIPv6)

E-UTRAN Control Plane with 2G/3G interworking

• Handles all signaling traffic (no user plane traffic)

• Interacts with eNodeB and Serving GW to control tunnels, paging, etc.

• Interacts with HSS for user authentication, profile download, etc.

• Interacts with SGSN for 2G/3G

Subscriber-aware Data Plane anchoring for all Access Networks

• Common anchor point for all IP Access Networks (3GPP and non-3GPP)

• Assigns/owns IP-address for UE (v4/v6)

• Processes all IP packets to/from UE

• Can be in home and/or visited network

EPC point of attachment for untrusted IP access networks

• IPSec to UE for EPC connectivity

• Network-based mobility towards PDNGW (PMIPv6)

Page 33: SP WiFi Packet Core Integration - Cisco Systems, Inc

[Figure: EPC architecture with WiFi access options. Elements: LTE, eUTRAN, MME, SGW, PGW, ePDG, MAG, WiFi, AAA, HSS, PCRF, OCS, ANDSF, Client, Operator IP Service Domain. Interfaces: S1, S1u, S5, S11, SWn, SWm, S6b, Gx, Gy, Gxc, SGi. Tunnels: S2a: PMIP6; S2c: IPSec + DSMIP6; S2c: DSMIP6; SWu: IPSec/IKEv2]

• Untrusted WiFi access

SWu + S2b – IPSec tunnel to ePDG switched to PMIPv6 to PGW

S2c – DSMIPv6 over IPSec

• Trusted WiFi access (802.1x over the air)

S2a – PMIPv6 infrastructure tunnel from MAG in WiFi to PGW

S2c – DSMIPv6 tunnel from device to PGW

Page 34: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: UE, AP, WLC, ISG/MAG, Portal, eNodeB, ePDG, MME, SGW, PGW, PCRF, AAA, ANDSF, DHCP, HSS

Precondition: WiFi attachment and authentication

Message flow:

1. IKEv2 SA Init

2. IKEv2 SA RSP

3. IKEv2 AUTH REQ

4. DER[EAP Payload, User ID, APN]

4a. User Profile and AVS fetch

5. DEA[EAP Request, AKA Challenge]

6. IKEv2 AUTH RSP

7. IKEv2 AUTH REQ

8. DER[EAP Response, AKA Challenge]

9. DEA[EAP Success, Key, IMSI]

10. IKEv2 AUTH RSP

11. IKEv2 AUTH REQ

12. PBU

12a. Update PGW Address & Fetch Sub profile

13. PBA

14. IKEv2 AUTH RSP

Annotations: UE runs AKA computations; ePDG computes Auth payload based on key; ePDG checks auth correctness; ePDG calculates Auth

Result: SWu: IPSec tunnel; S2b: PMIPv6 tunnel; user WiFi session anchored on PGW

Page 35: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: UE, AP, WLC, ISG/MAG, Portal, eNodeB, ePDG, MME, SGW, PGW, PCRF, AAA, ANDSF, DHCP, HSS

Precondition: WiFi attachment and UE assigned IP address in the WLAN network

Message flow:

1. IKEv2 SA Init

2. IKEv2 SA RSP

3. IKEv2 AUTH REQ

4. DER[EAP Payload, User ID, APN]

4a. User Profile and AVS fetch

5. DEA[EAP Request, AKA Challenge]

6. IKEv2 AUTH RSP

7. IKEv2 AUTH REQ

8. DER[EAP Response, AKA Challenge]

9. DEA[EAP Success, Key, IMSI]

10. IKEv2 AUTH RSP

11. IKEv2 AUTH REQ

12. IKEv2 AUTH RSP

13. DSMIPv6 BU

14. DSMIPv6 BA

Annotations: UE runs AKA computations; PGW computes Auth payload based on key; PGW checks auth correctness and calculates Auth

Result: S2c: DSMIPv6 tunnel; user WiFi session anchored on PGW

Page 36: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: UE, AP, WLC, ISG/MAG, Portal, eNodeB, ePDG, MME, SGW, PGW, PCRF, AAA, ANDSF, DHCP, HSS

Precondition: Device connected to Trusted WLAN access and authenticated

1. PBU(IMSI-NAI, APN)

2. Update PGW Address & Fetch User Profile

3. PBA

Result: S2a: PMIPv6 tunnel; user WiFi session anchored on PGW

Page 37: SP WiFi Packet Core Integration - Cisco Systems, Inc

Call flow participants: UE, AP, WLC, ISG/MAG, Portal, eNodeB, ePDG, MME, SGW, PGW, PCRF, AAA, ANDSF, DHCP, HSS

UE attached to LTE over S5, GTP

UE moves over to WLAN, gets authenticated and attaches to trusted WLAN access

1. PBU(IMSI-NAI, APN)

2. Update PGW Address & Fetch User Profile

PGW detects handover based on IMSI, APN and switches the call to WLAN access

2. PBA(IMSI-NAI, APN)

S2a: PMIPv6 tunnel; user WiFi session anchored on PGW

PGW starts releasing the EPS bearer

3. DBR

4. DBR

5. DBR

6. DBR

Page 38: SP WiFi Packet Core Integration - Cisco Systems, Inc

• Full range of integration options for e2e architectures to accommodate various WiFi deployment and ownership models

Trusted WiFi - 802.1x over the air & network based tunnels to access core network (PMIPv6)

Untrusted WiFi – Client based IPSec to TTG/ePDG

• Layered architecture to transparently deliver current and future services

Basic connectivity and off-load with intra-access mobility

Intelligence and policy control over off-load criteria

• Easy migration from 3G to 4G integration via SW upgrade

• Solution elements

Leading WiFi solution

TTG/ePDG on ASR5000 leading platform supporting rich set of services and seamless mobility

Client strategy leveraging the partner ecosystem, combined with Cisco’s own client heritage

Page 39: SP WiFi Packet Core Integration - Cisco Systems, Inc

Thank you.