
Technical Considerations for Mobile Data Offload with ePDG
White Paper

TABLE OF CONTENTS

1. INTRODUCTION
2. EVOLVED PACKET DATA GATEWAY (ePDG)
3. WIFI OFFLOAD CONCEPTS
4. SYSTEM ARCHITECTURE
5. MOBILE DEVICE ARCHITECTURE
6. EPDG FUNCTION
7. OPERATOR REQUIREMENTS
8. HARDWARE ACCELERATION
9. CONCLUSION
10. ABOUT INSIDE SECURE

Technical Considerations for Mobile Data Offload with ePDG-White Paper

1. INTRODUCTION
EXPONENTIAL GROWTH IN MOBILE DATA TRAFFIC REQUIRES OPERATORS TO DRIVE DOWN THE COST OF DELIVERING GIGABYTES WITHOUT COMPROMISING SERVICE AND SECURITY
As millions of users demand Internet connectivity at home, at work and everywhere in between to access a
growing array of data-intensive services, carriers are experiencing a tremendous surge in the use of mobile data.
This increase in data volume is severely straining the limited available radio resources. The explosive growth in
mobile data traffic, driven by increasing numbers of connected devices, has led to the deployment of Long Term
Evolution (LTE) networks. LTE networks have taken some of the pressure off 3G networks, but will not be
sufficient to meet the increasing demand driven by growing volumes of High-Definition (HD) video streams and
voice over LTE (VoLTE) services.
Operators are taking action to meet ever-rising mobile Internet data demand, with major efforts under way
focused on integrating WIFI into the mobile core for data offload. To address this demand for secure WIFI
offload over untrusted networks, it is imperative for user and networking equipment manufacturers to deliver
compatible products.
WIFI's relatively low cost, simple architecture and use of unlicensed spectrum make it an attractive data
solution for mobile operators to fulfil consumers' immediate data demand. But using WIFI cannot come at the
expense of service quality and security. Users will expect the same quality of experience and access to the same
services regardless of access type. While operator services are delivered over Wi-Fi, enterprise and government
users concurrently use highly secure VPN connections to their own security gateways.
Consequently, a key challenge that operators need to address when integrating WIFI into the mobile core is
maintaining session security and continuity when handing off between 3G/4G radio networks and WIFI. This
paper addresses the use of ePDG to meet this challenge.

This paper provides an ePDG technical overview for:

- Mobile device vendors facing requirements for ePDG from major carriers
- Mobile application processor vendors considering low-energy hardware implementation of IPsec
- Network equipment vendors looking to develop ePDG functionality
- Network processor vendors considering high-capacity hardware implementation of IPsec
- Carriers looking to deliver their services opportunistically over the best access available

2. EVOLVED PACKET DATA GATEWAY (ePDG)

ePDG (Evolved Packet Data Gateway) is the key to maintaining continuity and security in the handover between
licensed and unlicensed radio spectrum. The main function of the ePDG is to secure the data transmission with a
UE connected to the Evolved Packet Core (EPC) over an untrusted non-3GPP access. For this purpose, the ePDG
acts as the termination node of the IPsec tunnels established with the UE.
Major carriers are now planning to deliver their services, such as VoLTE, through any available WIFI access. To
provide these services in a secure way and to authenticate their users, an IPsec connection using IKEv2 with
EAP-SIM or EAP-AKA is made from the mobile device to the carrier's ePDG. To ensure seamless handover and IP
address preservation, the IPsec stack needs to be deeply integrated with the mobile device. This mobile data
offload solution is referred to in 3GPP TS 23.402 and TS 33.402 as network-based mobility (NBM) over untrusted
access.

3. WIFI OFFLOAD CONCEPTS

There are two different concepts for WIFI offload:
Operator WIFI (trusted access): The operator complements its cellular coverage by also providing its subscribers
WIFI access, directly or through partners. The operator is here in its traditional role of providing coverage and
Internet access. There are currently many commercial deployments of Operator WIFI.
ePDG (untrusted access): The operator is a service provider that wants to deliver its services through the best
available access. The subscriber already has Internet access, such as home WIFI or a public hotspot, and
operator services can opportunistically and seamlessly take advantage of these existing connections. Driven by
operator services such as VoLTE, this technology is now being developed and tested by major players with
INSIDE Secure IPsec technology.
Both concepts aim at driving down the cost of delivering data by leveraging WIFI. However, these concepts are
based on different philosophies and should not be considered to be in opposition to each other. There are valid
reasons to build out private and controlled WIFI coverage and also to opportunistically connect to any available
WIFI to deliver services.
This white paper is focused on the ePDG model.


4. SYSTEM ARCHITECTURE
The system is described in the 3GPP specifications as untrusted non-3GPP access (typically WIFI access) with
Network Based Mobility. The picture below is a simplified view of the 3GPP architecture. In fact, the mobile
device (UE) may use multiple operator services in parallel, and may therefore establish multiple IPsec connections
to ePDG(s). In addition to the secure connections to the ePDG(s), the mobile terminal may also have its own
corporate VPN connection to the corporate network over both LTE and WIFI (not depicted below).

The ePDG (Evolved Packet Data Gateway) is the IPsec gateway that terminates the IPsec connection from the
mobile (SWu interface). It is able to relay SIM or USIM authentication (EAP-SIM or EAP-AKA) to the operator's AAA
and to establish a tunnel (Proxy Mobile IP or GTP are standardized) toward the PDN Gateway.
The PDN Gateway is the gateway to the 3GPP network. It allocates the UE's virtual IP address and is able to tunnel
the traffic for this IP address to the ePDG or to the LTE network, providing IP address preservation.
The UE (User Equipment) is able to connect to its operator's services either through an IPsec connection or an LTE
connection.


Another view of the architecture is the protocol stack. In the picture and its legend below (copied from 3GPP TS
23.402) the protocol stack is depicted with Proxy Mobile IP between the ePDG and the PDN Gateway (S2b). GTP is the
other alternative standardized for S2b. The Gateway LMA corresponds to the PDN Gateway.
The protocol stack highlights the need for complete support of both IPv4 and IPv6.

[Figure: protocol stack for untrusted non-3GPP access with PMIPv6 on S2b (from 3GPP TS 23.402).
Control plane: UE (IKEv2 / IPv4/IPv6 / L2/L1) -- SWu -- ePDG MAG (IKEv2 and PMIPv6 / IPv4/IPv6 / L2/L1) -- S2b -- Gateway LMA (PMIPv6 / IPv4/IPv6 / L2/L1).
User plane: UE (IPv4/IPv6 / IPsec / IPv4/IPv6 / L2/L1) -- SWu -- ePDG MAG (IPsec and Tunnelling Layer / IPv4/IPv6 / L2/L1) -- S2b -- Gateway LMA (IPv4/IPv6 / Tunnelling Layer / IPv4/IPv6 / L2/L1).]

Legend:
According to terms defined in PMIPv6 specification (RFC5213), the functional entities terminating both the
control and user planes are denoted MAG in the non-3GPP IP access and LMA in the Gateway. LMA includes
also the function of a Home Agent.
The MM control plane stack is PMIPv6 (RFC5213) over IPv6/IPv4.
The user plane carries remote IPv4/v6 packets over either an IPv4 or an IPv6 transport network. Between the
UE and the ePDG, packets are encapsulated using IPsec (RFC3948).
The tunnelling layer implements GRE encapsulation applicable for PMIPv6.
IPv4/IPv6: This refers to network layer protocols. On the ePDG MAG user plane this includes termination of the
UE-MAG IP messages that may be handled by the ePDG (e.g. DHCP) and forwarding of user plane IP packets
between the UE-MAG point-to-point logical link and the S2b tunnel for the UE.


5. MOBILE DEVICE ARCHITECTURE

The picture below describes the high-level software architecture of a mobile device.
The IPsec Client provides the IPsec connection with EAP-AKA or EAP-SIM for (U)SIM authentication. It is able to
establish the VPN for corporate access, for mobile data offload, or for both simultaneously. It provides a VPN
management API to multiple controlling applications such as the Mobile Data Offload Middleware, the Graphical
User Interface (GUI), and Mobile Device Management (MDM) software.
For mobile data offload, the VPN client is controlled by the Mobile Data Offload Middleware, which starts and stops
VPN connections according to the radio connectivity and service-specific policies. The Mobile Data Offload
Middleware also provides the ePDG address, the mobile identity (NAI) and the established IP address (if IP address
preservation is used).
The operator may have defined multiple services that should use ePDG, and they may require the establishment
of multiple IPsec connections.

[Figure: mobile device software architecture. The VoLTE IMS App, the Connectivity manager and the Operator service drive the Mobile Data Offload MW; it and the other controllers (GUI, MDM) use the VPN Management API of the IPsec Client.]


6. EPDG FUNCTION
The ePDG function is to terminate a large number of IPsec connections and relay them to the PDN Gateway
through a GTP or PMIP tunnel. It therefore requires an IPsec stack with a high rate of IKEv2 connections per
second and a high throughput of ESP for both IPv4 and IPv6.
The ePDG function has to relay EAP messages from the mobile device to the AAA system for authentication. It also
provides the mobility parameters that allow the AAA to indicate the right PDN Gateway for IP address
preservation.

[Figure: the ePDG function. Interfaces: SWu (IPsec from the UE), SWm (AAA interface), Gxb (PCRF interface), S2b (GTP or PMIP to the PDN Gateway) and network management. Internal components: IPsec stack and EAP Relay.]

This section refers to the ePDG function rather than to a product, since the ePDG may be combined with other
elements such as a TTG (Tunnel Termination Gateway) or the PDN Gateway.
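The following is an added illustration, not code from the white paper or from INSIDE Secure: it simulates the authentication flow described in sections 2 and 6, where the UE opens an IKEv2 exchange on SWu, the ePDG relays the EAP-AKA challenge and response to the AAA on SWm, and on EAP-Success the ePDG hands back the preserved IP address and the PDN Gateway the AAA selected. All identifiers, keys and addresses are constructed sample values, and the AKA RES derivation is stood in for by an HMAC (the Milenage functions are not implemented).

```python
import hashlib, hmac, os

# Constructed subscriber database held by the AAA: NAI -> (USIM key K, serving PDN Gateway)
AAA_SUBSCRIBERS = {"0123456789012345@nai.example": (b"constructed-usim-key-K", "pgw1.example")}

def aka_res(k, rand):
    """Stand-in for the AKA RES derivation (HMAC-SHA256, not the Milenage f2 function)."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]

class AAA:
    """Authenticates the (U)SIM identity relayed by the ePDG; returns the PDN GW to use."""
    def __init__(self, subscribers):
        self.subscribers, self.pending = subscribers, {}
    def eap_challenge(self, nai):
        if nai not in self.subscribers:
            return None                        # unknown identity: no challenge issued
        rand = os.urandom(16)                  # EAP-Request/AKA-Challenge carries a fresh RAND
        self.pending[nai] = rand               # expected RES stays server-side, never sent to ePDG
        return rand
    def eap_verify(self, nai, res):
        k, pgw = self.subscribers[nai]
        expected = aka_res(k, self.pending.pop(nai))
        return ("EAP-Success", pgw) if hmac.compare_digest(expected, res) else ("EAP-Failure", None)

class UE:
    def __init__(self, nai, k, preserved_ip=None):
        self.nai, self.k, self.preserved_ip = nai, k, preserved_ip
    def ike_auth_request(self):
        # IKE_AUTH without an AUTH payload signals that EAP is wanted; CFG_REQUEST carries
        # the previously assigned address when IP address preservation is in use.
        return {"IDi": self.nai, "CFG_REQUEST": self.preserved_ip}
    def eap_response(self, rand):
        return aka_res(self.k, rand)           # EAP-Response/AKA-Challenge computed on the (U)SIM

class EPDG:
    """Terminates the SWu IKEv2 exchange and relays EAP to the AAA over SWm."""
    def __init__(self, aaa, pool_ip="10.0.0.2"):
        self.aaa, self.pool_ip = aaa, pool_ip  # pool_ip: constructed address used without preservation
    def authenticate(self, ue):
        req = ue.ike_auth_request()
        rand = self.aaa.eap_challenge(req["IDi"])        # SWm: identity in, challenge out
        if rand is None:
            return {"EAP": "EAP-Failure"}
        res = ue.eap_response(rand)                      # SWu: EAP payloads carried inside IKE_AUTH
        status, pgw = self.aaa.eap_verify(req["IDi"], res)  # SWm: relay the UE's response
        if status != "EAP-Success":
            return {"EAP": status}
        # CFG_REPLY: keep the UE's address if it asked for one, otherwise allocate from the pool
        return {"EAP": status, "INTERNAL_IP": req["CFG_REQUEST"] or self.pool_ip, "PDN_GW": pgw}
```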

7. OPERATOR REQUIREMENTS
To be deployed within a Telco or carrier-grade system, ePDG gateways must adhere to the same requirements
as all other Telecom or carrier-grade systems with major carriers. These require high availability, service continuity
and scalability.
Voice calls have the same demanding requirements when handed over to WIFI as they do on the LTE network:
handover should not impact voice quality, confidentiality must be preserved, and authentication should be based
on the (U)SIM card. With an ePDG solution that meets these requirements, mobile devices will automatically
use the best available access seamlessly, without disruption or risk of compromise. As many customers enjoy
quality WIFI access indoors, the ePDG solution can both increase the quality of service and preserve operator
radio spectrum. When authentication and handover between macro and offload networks is seamless, customers
will access and stay on the WIFI network, helping operators achieve their WIFI offloading targets.
In order to maintain a scalable service built for continuity, carriers require support for IPv6 and the capability to
maintain multiple concurrent sessions.
Finally, operators will not deploy ePDG clients that have not undergone extensive testing in the carriers' labs and
in the real network to guarantee gateway interoperability and service quality.


8. HARDWARE ACCELERATION
The use of ePDG has hardware implications for both end-user and network equipment suppliers.
The effect on the mobile UE is that the cryptographic processing of IPsec places heavy demands on the
mobile CPU, which in turn increases the device's battery usage. This increase in power consumption can be addressed
with appropriate device hardware. With in-line packet acceleration, the full processing of each ESP packet is handled
in hardware, which allows for a dramatic reduction in CPU usage and power consumption.
Over 80% of bytes on the Internet are transferred in packets larger than 1300 bytes
(http://www.caida.org/research/traffic-analysis/pkt_size_distribution/graphs.xml). Current networking
processors are set up to handle those. But packet sizes for voice are much smaller, as small as 48 bytes, and in
networking processors the efficiency and throughput for such packets drop to 1/3 or even 1/5 of that for large
packets. So the mobile device and the ePDG should efficiently process traffic that contains a high proportion of
small IPsec packets. Adding simple crypto cores for hashing or ciphering will provide some benefit for large packets,
but will in fact decrease performance for small packets. That is not suitable for ePDG, where Voice over LTE (VoLTE)
will represent a large share of the traffic.
Similarly, the use of packet engines can greatly enhance performance. Packet engines are designed for highly
efficient scaling, with the ability to support multiple I/O channels and multiple data flows and to synchronize the
processing of those flows. Performance can be increased further by running multiple packet engines in parallel,
each efficiently servicing a single data flow.
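To make the small-packet argument concrete, here is an added calculation (not from the white paper) of the bytes on the wire for a 48-byte and a 1300-byte inner packet carried in ESP tunnel mode with UDP encapsulation (RFC 3948, as used between UE and ePDG), assuming AES-CBC-128 with HMAC-SHA1-96, together with a constructed per-packet-plus-per-byte processing cost model; the cost figures are illustrative assumptions, not measurements.

```python
import math

ESP_HDR = 8                           # SPI (4) + sequence number (4)
IV_LEN = 16                           # AES-CBC initialisation vector
ICV_LEN = 12                          # HMAC-SHA1-96 integrity check value
UDP_HDR = 8                           # UDP encapsulation of ESP (RFC 3948)
OUTER_IP = {"ipv4": 20, "ipv6": 40}   # outer tunnel header size

def esp_udp_frame_size(inner_len, outer="ipv4", block=16):
    """Bytes on the wire for one inner IP packet of inner_len bytes in ESP tunnel mode over UDP."""
    # Encrypted part = inner packet + padding + pad-length byte + next-header byte, block-aligned
    padded = math.ceil((inner_len + 2) / block) * block
    return OUTER_IP[outer] + UDP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN

def goodput_efficiency(inner_len, outer="ipv4"):
    """Fraction of transmitted bytes that are the inner (user) packet."""
    return inner_len / esp_udp_frame_size(inner_len, outer)

def goodput_bps(inner_len, per_packet_ns, per_byte_ns, outer="ipv4"):
    """Inner-packet bit rate an engine sustains under a constructed cost model:
    a fixed per-packet cost (SA lookup, header parsing) plus a per-byte crypto cost."""
    t_ns = per_packet_ns + per_byte_ns * esp_udp_frame_size(inner_len, outer)
    return inner_len * 8 * 1e9 / t_ns

def small_vs_large(per_packet_ns=50.0, per_byte_ns=0.4):
    """How many times more goodput the engine delivers on 1300-byte packets than on 48-byte ones
    (the two sizes the paper quotes); default costs are assumed values."""
    return goodput_bps(1300, per_packet_ns, per_byte_ns) / goodput_bps(48, per_packet_ns, per_byte_ns)

if __name__ == "__main__":
    for n in (48, 1300):
        print(f"{n:5d}-byte inner packet -> {esp_udp_frame_size(n)} bytes on the wire, "
              f"{goodput_efficiency(n):.1%} efficient")
    print(f"large/small goodput ratio under the assumed cost model: {small_vs_large():.1f}")
```

With the default assumed costs the ratio lands inside the 1/3 to 1/5 range the paper cites; the fixed per-packet cost is what dominates for voice-sized packets, which is why per-packet rather than per-byte acceleration matters for ePDG.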

9. CONCLUSION
The mobile data offload model using an ePDG is approaching its mass-market deployment. User and networking
equipment vendors need to be aware of carrier requirements and ensure that their products will meet the
demands for power efficient mobile devices and high capacity gateways to accommodate the growing traffic and
continue to support underlying security requirements. With few proven software and hardware options on the
market it is vitally important to fully understand the requirements and make sure that component vendors are
capable of delivering tested and proven solutions.

10. ABOUT INSIDE SECURE

INSIDE Secure (NYSE INSD.PA) is a major provider of security technologies that include VPN, DRM, FIPS-certified
crypto, payments, secure elements and TrustZone-enabled software. INSIDE offers a complete portfolio of IPsec
products: QuickSec Mobile VPN Client, QuickSec IPsec Toolkit and HW IP acceleration for IPsec.
The INSIDE Secure team's experience with IPsec VPN technology dates back to 1998 (originally as part of SafeNet)
with the release of the world's first VPN product, the System X.25, and led to the SafeNet organization becoming
one of the founding members of the VPN Consortium in 1999. Since then the team has been responsible for many
industry-first VPN developments, including the release of the first IPsec client (1997), the first IKEv2 toolkit and the
world's first MOBIKE-enabled toolkit. The team is also behind the industry-leading IPsec VPN client for Android, with over 100
million VPN clients installed. INSIDE's market-leading VPN client has now been configured to run ePDG and
corporate VPN sessions concurrently and includes support for IPv6 that has been tested by leading carriers.
INSIDE Secure continues to work with industry partners and customers on the development, testing and
deployment of the IPsec technology that underpins the ePDG model.

For more information visit:

http://www.insidesecure.com/eng/Products/Security-Solutions-for-Android/QuickSec-Mobile-VPN-Client-for-Android
http://www.insidesecure.com/eng/Products/Security-Toolkits/QuickSec-R-IPsec-Server-Toolkit
http://www.insidesecure.com/eng/Products/Semiconductor-IP/Security-Protocol-Engines
