
Integrating Wi-Fi into the Mobile Core

Making Clear Architecture Choices


Real-World Implementation Trade-Offs Among Different Approaches to Wi-Fi / Cellular Integration

Ruckus Wireless | White Paper

As mobile operator interest in leveraging Wi-Fi for data offload grows, practical questions are arising about how best to implement the concept. In particular, choosing an approach to integrating Wi-Fi subscriber authentication and traffic flows with the mobile core can become a complex discussion. A number of different architectures can be used, and their relative merits depend significantly on the realities of current UE[1] standards support, among other factors. This paper examines and evaluates the most common designs considered for Wi-Fi/cellular integration, broadly divided into those centered around the 3GPP Technical Specification 23.234 (commonly known as I-WLAN) and those that use a more expedient collection of 3GPP-standard core entity and UE interfaces, which we will call clientless mode here for the sake of simplicity. Highlighted along the way are some of the trade-offs involved in choosing one path or the other.

The Origins and Definition of I-WLAN

Roughly seven years ago, a 3GPP working group was tasked with figuring out how one might integrate a public WLAN infrastructure into a cellular network. Three key operational assumptions drove their work: WLAN access points would be incapable of providing sufficiently secure over-the-air connectivity for authentication and traffic; the majority of the WLAN infrastructure would be operated by third parties in partnership with mobile operators, which in combination with the first assumption means that WLANs would need to be considered untrusted networks; and service goals would be centered on offering all 3G applications (voice, SMS/MMS, packet data) over the Wi-Fi infrastructure, fully integrated with the IMS environment in the core of the operator's network. While the full 86-page TS 23.234 document covers many interface details and architecture variations, the essence of I-WLAN is often cited using a single diagram, reproduced on the next page (in Figure 1) as drawn in the original 3GPP document. For anyone new to 3GPP standards vocabulary, understanding this diagram typically requires careful study of all the reference points (the two-letter acronyms for data- and control-plane interfaces) and entity definitions involved.

[1] See Appendix 1 for acronym glossary.


FIGURE 1: Baseline architecture of the I-WLAN specification for Wi-Fi / cellular integration

FIGURE 2: Summary of I-WLAN architecture options as defined in TS 23.234

To save you this trouble, we've drawn the essence of I-WLAN in Figure 2 below, highlighting the options and elements most important in weighing this approach relative to others. The I-WLAN spec provides two variations on a common theme. In accord with the key WLAN-capability assumptions noted earlier, the foundation of both variations is the establishment of an IPsec tunnel between the UE and a tunnel termination gateway entity. This end-to-end tunnel approach eliminates any dependency on the security or feature support of the underlying untrusted WLAN and backhaul infrastructure. The WLAN needs to provide nothing more complex than open-SSID association and IP connectivity. The approach does require (in current practice) EAP-SIM, IKEv2, and IPsec support on the UE.

[Figure 2 diagram: a mobile core (Gateway, GGSN, AAA or HLR, Internet) with UEs, new APs and legacy APs. I-WLAN modes shown: TTG, with an EAP-SIM + IKEv2 IPsec tunnel from the UE to the TTG and a GTP interface from the TTG to the GGSN; and PDG, with an EAP-SIM + IKEv2 IPsec tunnel from the UE to the PDG. Legend: control interface, data interface.]

NOTE: Gateway interfaces to PCRF/PCEF vary by operator implementation and are omitted here for clarity of the primary control and data integration architecture options.


In addition to tunnel establishment and termination, a small number of functions must be performed on the WLAN traffic at the interface to the mobile core. These include policy enforcement at authentication, usage tracking, basic network access control, local and remote address maintenance/translation and registration, traffic routing upstream, and implementation of certain QoS mechanisms. The two variations on the basic I-WLAN architecture involve performing these functions either in a more fully-featured gateway (the PDG mode), or in a simplified tunnel termination gateway (the TTG mode) that leaves the balance of the functions to be performed by the GGSN entity in the mobile core, with interactions between the GGSN and TTG managed through a GTP tunnel interface. In either case, authentication, session start/stop, and usage accounting are handled through standard RADIUS (eventually Diameter) calls to AAA. Interfaces to PCRF and PCEF entities vary by operator implementation but in any event follow 3GPP reference point standards; they are omitted in Figure 2 for simplicity. Given the relative immaturity of security and authentication features in WLAN products at the time 23.234 was crafted, this approach made a lot of sense. For operators looking to use legacy APs of their own or from partner networks in a current Wi-Fi offload project, the advantage of independence from the typically quite heterogeneous capabilities and security of that legacy infrastructure remains compelling. As we'll see in the next sections, however, an operator pursuing this model today must make some sacrifices that may be at best unnecessary and at worst ill-advised.

I-WLAN's Challenges

Figure 3 highlights the most significant issue with any I-WLAN integration in the near term: very few of today's smart mobile devices include the required support for IPsec, IKEv2, and EAP-SIM. Reports from a number of leading operators suggest that UE manufacturers are not currently placing high priority on adding these, which is unsurprising, given that the battle for share in smart mobile devices is won or lost on the basis of compelling features consumers can see and feel, not invisible plumbing mechanisms such as those in question here. Beyond the broad absence of I-WLAN tunneling support, there are other operational issues that arise with the model even when it is supported by the UE: heavy overhead on the client that consumes scarce and precious UE resources, especially in offload scenarios where operators wish to differentiate services by application or application type; excess costs of tunnel aggregation at the core, driven again by the overhead of the protocol; and loss of QoS and data forwarding flexibility in the access network, since there is no option to break out traffic locally, so all traffic must be brought back to the core and all traffic shaping done there. Since for most operators the assumptions on which the I-WLAN spec was based are no longer true, these challenges suggest that alternatives more suited to current goals and network contexts should be considered.

FIGURE 3: Current UE support for Wi-Fi / cellular integration prerequisites. See Appendix 2 for more details.

[Figure 3 chart: unit volume share of devices shipping as of Q2 2011 supporting the I-WLAN prerequisites (IPsec, IKEv2, and EAP-SIM) versus not all of the above, and supporting the clientless-mode prerequisite (EAP-SIM) versus not: 20% and 67%, respectively. Sources: IDC, Nielsen, company statements, product specifications, Ruckus analysis.]

The Clientless Alternative

As Figure 3 suggests, there is another path to Wi-Fi/cellular integration that takes advantage of embedded security features in the UE installed base and addresses the cost and flexibility issues of the I-WLAN approach. This alternative combines the use of fully 3GPP-standard interfaces to the mobile core with IEEE 802.1x Wi-Fi authentication, which has been standard fare for enterprise and service provider WLANs for a few years now. Recalling Figure 3, 802.1x is supported by the majority of smart mobile devices on the market today. The three variations of this approach, which we refer to as clientless modes because of their minimal requirements on UEs, are summarized in Figure 4.

The clientless approach allows the AP to play an intelligent role in the network, performing policy enforcement and other packet-inspection tasks at the edge of the network. While most enforcement and packet-inspection tasks are concentrated in the mobile core today, as aggregate mobile data volume multiplies, the increasing impracticality of wire-speed packet processing of any complexity will necessitate a distributed approach that the I-WLAN architecture precludes. The third mode in Figure 4, dubbed Wi-Fi Gateway or Edge Breakout, highlights another flexibility advantage of this approach. Here control-plane traffic is routed from the AP to the gateway, but user-plane traffic can be routed directly to the Internet (a useful option in cases where no packet processing is required at the core) or to the GGSN, based on dynamic, per-user policies. The flexibility to provide selective local breakout of traffic, offloading the mobile core as well, will be an increasingly essential capability as data volumes rise and application-specific policy definition and enforcement enable more selective offload.

These clientless modes include TTG and PDG variants whose northbound interfaces to the mobile core are identical to those of the TTG and PDG modes in I-WLAN. Their only differences from I-WLAN are the substitution of EAP-SIM and 802.1x authentication at the AP, instead of EAP-SIM + IKEv2, and the use of GRE tunneling from the AP to the WLAN gateway entity. As with I-WLAN, AES over-the-air encryption is used for 3G-equivalent subscriber security. The GRE tunnels from AP to gateway can also be secured through AES encryption (most efficiently with DTLS), for complete end-to-end security.
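As an added illustration (not code from the Ruckus paper), the following Python quantifies two of the cost points raised above: the per-packet encapsulation overhead of the UE-to-core IPsec tunnel in I-WLAN versus the AP-to-gateway GRE tunnel of the clientless TTG/PDG modes, and the number of tunnels the core-side gateway must terminate in each design. The header sizes assume a typical IPsec profile (ESP tunnel mode, AES-CBC, HMAC-SHA1-96) and plain GRE with no optional fields; these are assumptions, not figures from the paper.

```python
# Header sizes (assumed, standard values): IPv4 outer header 20 B; ESP
# (RFC 4303) SPI + sequence 8 B, AES-CBC IV 16 B, pad-length + next-header
# trailer 2 B, HMAC-SHA1-96 ICV 12 B; GRE (RFC 2784) with no options 4 B.
IPV4_HDR = 20
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # AES-CBC IV (one cipher block)
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 truncated MAC
AES_BLOCK = 16
GRE_HDR = 4          # flags/version + protocol type only


def esp_tunnel_overhead(inner_len: int) -> int:
    """Bytes added when an inner IP packet of inner_len bytes is carried in
    an ESP tunnel-mode SA (the UE-to-TTG/PDG tunnel of I-WLAN). CBC padding
    is sized so that payload + padding + trailer is a multiple of the block."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK
    return IPV4_HDR + ESP_HDR + ESP_IV + pad + ESP_TRAILER + ESP_ICV


def gre_overhead(inner_len: int) -> int:
    """Bytes added by plain GRE encapsulation of the inner packet (the
    AP-to-gateway tunnel of the clientless modes); no padding is needed."""
    return IPV4_HDR + GRE_HDR


def overhead_pct(inner_len: int, overhead: int) -> float:
    """Overhead as a percentage of the bytes actually sent on the wire."""
    return round(100.0 * overhead / (inner_len + overhead), 1)


def tunnels_at_gateway(mode: str, n_ues: int, n_aps: int) -> int:
    """Tunnels the core-side gateway terminates: one IPsec SA per UE in
    I-WLAN, one GRE tunnel per AP in the clientless TTG/PDG modes."""
    if mode == "i-wlan":
        return n_ues
    if mode == "clientless":
        return n_aps
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    for size in (60, 576, 1400):   # small ACK, classic MTU, large data packet
        e, g = esp_tunnel_overhead(size), gre_overhead(size)
        print(f"{size:5d} B inner: ESP +{e} B ({overhead_pct(size, e)}%), "
              f"GRE +{g} B ({overhead_pct(size, g)}%)")
    # Constructed sizing: 50,000 active UEs behind 2,000 APs.
    print(tunnels_at_gateway("i-wlan", 50_000, 2_000),
          tunnels_at_gateway("clientless", 50_000, 2_000))
```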

FIGURE 4: Summary of alternative 802.1x-based WLAN / cellular integration modes

[Figure 4 diagram: a mobile core (Gateway, GGSN, AAA or HLR, Internet) with UEs, new APs and legacy APs. Clientless modes shown: TTG, with EAP-SIM + 802.1x authentication and AES over the air between UE and AP, a GRE tunnel (optionally AES/DTLS-secured) from the AP to the TTG, and a GTP interface from the TTG to the GGSN; PDG, with EAP-SIM + 802.1x and AES over the air, and a GRE tunnel (optionally AES/DTLS-secured) from the AP to the PDG; and Wi-Fi Gateway (Edge Breakout), with EAP-SIM + 802.1x and AES over the air, control traffic carried to the Wi-Fi Gateway and user traffic broken out at the edge. Legend: control interface, data interface.]

NOTE: Legacy APs can be used for these 802.1x offload scenarios if they support 802.1x, EAP-SIM, GRE, and appropriate QoS mechanisms as required by mode.


Summing It Up
Multiple approaches to Wi-Fi/cellular integration are possible in today's mobile core environments, using existing 3GPP-standard interfaces and standard capabilities in Wi-Fi systems and UEs. The key attributes of the two integration approaches we've explored here in brief are summarized in Table 1. Fortunately, with proper WLAN gateway design, both of these approaches can be supported at the same time, used selectively as necessary for different UEs on the same Wi-Fi network, or for different Wi-Fi networks (legacy and new, for example) integrated into a common mobile core. Given the advantages we've outlined here of using the best tool available for the job at hand, we hope you can see the merits of careful consideration of the available options and sound network engineering within the context of your Wi-Fi offload goals and current infrastructure.

TABLE 1: Wi-Fi / cellular integration approach attributes

Attribute                                                                   I-WLAN   Clientless
AES over-the-air encryption                                                 Yes      Yes
End-to-end security and encryption                                          Yes      Yes (AES/DTLS on the GRE tunnels)
Legacy AP support                                                           Yes      Only with 802.1x and GRE support
Compatible with majority of current UEs                                     No       Yes
Minimal UE overhead                                                         No       Yes
Allows intelligence in access networks                                      No       Yes
Allows flexible data forwarding architectures                               No       Yes
Adheres to 3GPP reference point standards for PDG, AAA/HLR, PCEF, PCRF      Yes      Yes

© 2011, Ruckus Wireless, Inc. 880 West Maude Avenue, Suite 101, Sunnyvale, CA 94085 USA (650) 265-4200 Ph / (408) 738-2065 Fx

www.ruckuswireless.com


APPENDIX 1

Acronyms (acronym, spelled out, and in plain(-er) English)

3GPP (Third Generation Partnership Project): The standards-development organization for 3G and 4G mobile wireless networks
802.1x: IEEE standard for authentication mechanisms
AES (Advanced Encryption Standard): The most commonly-used industry standard for robust, key-based encryption of digital communications
AP (Access Point): A Wi-Fi infrastructure device analogous to a base station in cellular-speak
DTLS (Datagram Transport Layer Security): A standard for AES encryption of datagram protocols
EAP-SIM (Extended Authentication Protocol Subscriber Identity Module): Part of the 802.1x family of standards for secure authentication over Wi-Fi, using the subscriber credentials most commonly found in smart mobile devices
GGSN (Gateway GPRS Support Node): The entity in the mobile core that provides an interface between the packet traffic on the 3G or 4G RAN and the Internet
GRE (Generic Routing Encapsulation): A lightweight point-to-point tunneling protocol that can encapsulate a variety of network layer protocols
GPRS (General Packet Radio Service): The original packet traffic model in 2G wireless networks
GTP (GPRS Tunneling Protocol): A group of protocols used for GPRS packet traffic and control in mobile core networks
HLR (Home Location Register): The primary subscriber database entity in a 2G or 3G cellular network
IKEv2 (Internet Key Exchange (v2)): Protocol used to set up security associations in IPsec
IMS (IP Multimedia Subsystem): An architecture for delivering multimedia services over IP in a 3GPP-standard environment
IPsec (Internet Protocol Security): A protocol suite for securing IP communications
PCEF (Policy and Charging Enforcement Function): Mobile core entity responsible for managing subscriber packet-data sessions, watching and reporting on bandwidth usage (current, aggregate), etc.
PCRF (Policy and Charging Rules Function): Mobile core entity used to define and communicate policies to other entities (such as PCEF)
PDG (Packet Data Gateway): Mobile core entity used to integrate WLAN traffic, comprising: tunnel establishment and termination; policy enforcement at authentication; usage tracking; limited message and packet filtering (amounting to basic network access control); local and remote address maintenance/translation and registration; traffic routing upstream; and implementation of limited QoS mechanisms
RAN (Radio Access Network): Base stations and the upstream entities used to aggregate traffic from and control them
TTG (Tunnel Termination Gateway): Mobile core entity used to integrate WLAN traffic, focusing primarily on tunnel establishment and termination only
UE (User Equipment): Devices subscribers use to access wireless networks


APPENDIX 2

UE support matrix

[Table: for each device, Brand, Model, OS, Version, and support (1 = Supported, 0 = Not supported) for 802.1x, EAP-SIM, IKEv2, IPsec, I-WLAN, and 3rd Party CM*/AKA. Operating systems covered: iOS, Proprietary, WM, Android, Symbian. Devices covered:
Apple: 3GS, 4
BlackBerry: 8520, 8900, 9000, 9300, 9700, 9780, 9800
Motorola: A3100, MB200, MB300, MB502, MB511, MB860
Nokia: 5800, C5-03, C7, E5, E63, E71, E72, E75, N78, N8, N85, N86, N96, N97, N97 MINI, X3 TOUCH, X6
Samsung: B6520, Galaxy S I9000, P1000, S5570L, S5830L, S8000L, I637, I8000L, I900L, I5800
Sony Ericsson: C905, M1, U1, Satio U10, AINO U5, U8, X1, Xperia X10, X10 Mini, X10 Mini pro]

1 Supported, 0 Not supported

*CM = Connection Manager
