TABLE OF CONTENTS
1. INTRODUCTION (page 2)
2. EVOLVED PACKET DATA GATEWAY (ePDG) (page 3)
3. WIFI OFFLOAD CONCEPTS (page 3)
4. SYSTEM ARCHITECTURE (page 4)
5. MOBILE DEVICE ARCHITECTURE (page 6)
6. EPDG FUNCTION (page 7)
7. OPERATOR REQUIREMENTS (page 7)
8. HARDWARE ACCELERATION (page 8)
9. CONCLUSION (page 8)
10. ABOUT INSIDE SECURE (page 8)
1. INTRODUCTION
EXPONENTIAL GROWTH IN MOBILE DATA TRAFFIC REQUIRES OPERATORS TO DRIVE DOWN THE COST
OF DELIVERING GIGABYTES WITHOUT COMPROMISING SERVICE AND SECURITY
As millions of users demand Internet connectivity at home, at work and everywhere in between to access a
growing array of data-intensive services, carriers are experiencing a tremendous surge in the use of mobile data.
This increase in data volume is severely straining the limited available radio resources. The explosive growth in
mobile data traffic, driven by increasing numbers of connected devices, has led to the deployment of Long Term
Evolution (LTE) networks. LTE networks have taken some of the pressure off 3G networks, but will not be
sufficient to meet the increasing demand driven by growing volumes of High-Definition (HD) video streams and
Voice over LTE (VoLTE) services.
Operators are taking action to meet ever-rising mobile Internet data demand, with major efforts under way
focused on integrating WIFI into the mobile core for data offload. To meet this demand for secure WIFI offload
over untrusted networks, it is imperative that user and networking equipment manufacturers deliver
compatible products.
WIFI's relatively low cost, simple architecture and use of unlicensed spectrum make it an attractive data
solution for mobile operators to fulfill consumers' immediate data demand. But using WIFI cannot come at the
sacrifice of service quality and security. Users will expect the same quality of experience and access to the same
services regardless of access type. While operator services are delivered over Wi-Fi, enterprise and government
users concurrently use highly secure VPN connections to their own security gateways.
Consequently, a key challenge that operators need to address when integrating WIFI into the mobile core is
maintaining session security and continuity when handing off between 3G/4G radio networks and WIFI. This
paper addresses the use of the ePDG to meet this challenge.
- Mobile device vendors facing requirements for ePDG from major carriers
- Mobile application processor vendors considering low-energy hardware implementation of IPsec
- Carriers looking to deliver their services opportunistically over the best access available
4. SYSTEM ARCHITECTURE
The system is described in the 3GPP specification as untrusted non-3GPP access (typically WIFI access) with
Network Based Mobility. The picture below is a simplified view of the 3GPP architecture. In fact, the mobile
device (UE) may use multiple operator services in parallel, and may therefore establish multiple IPsec
connections to ePDG(s). In addition to the secure connections to the ePDG(s), the mobile terminal may also have
its own corporate VPN connection to the corporate network over both LTE and WIFI (not depicted below).
The ePDG (evolved Packet Data Gateway) is the IPsec gateway that terminates the IPsec connection from the
mobile (SWu interface). It is able to relay SIM or USIM authentication (EAP-SIM or EAP-AKA) to the operator's
AAA and to establish a tunnel (Proxy Mobile IP or GTP are standardized) toward the PDN Gateway.
The PDN Gateway is the gateway to the 3GPP network. It allocates the UE's virtual IP address and is able to
tunnel the traffic for this IP address to the ePDG or the LTE network, preserving the IP address across accesses.
The UE (User Equipment) is able to connect to its operator's services either through an IPsec connection or an
LTE connection.
Another view of the architecture is the protocol stack. In the picture and its legend below (copied from 3GPP TS
23.402) the protocol stack is depicted with Proxy Mobile IP between the ePDG and the PDN Gateway (S2b). GTP
is the other alternative standardized for S2b. The Gateway LMA corresponds to the PDN Gateway.
The protocol stack highlights the need for complete support of both IPv4 and IPv6.
[Figure: S2b protocol stack with PMIPv6, copied from 3GPP TS 23.402.
Control plane: UE: IKEv2 / IPv4/IPv6 / L2/L1; SWu; ePDG (MAG): IKEv2, PMIPv6 / IPv4/IPv6 / L2/L1; S2b; Gateway (LMA): PMIPv6 / IPv4/IPv6 / L2/L1.
User plane: UE: IPv4/IPv6 / IPsec / IPv4/IPv6 / L2/L1; SWu; ePDG (MAG): IPsec, Tunnelling Layer / IPv4/IPv6 / L2/L1; S2b; Gateway (LMA): IPv4/IPv6 / Tunnelling Layer / IPv4/IPv6 / L2/L1.]
Legend:
According to the terms defined in the PMIPv6 specification (RFC 5213), the functional entities terminating both
the control and user planes are denoted MAG in the non-3GPP IP access and LMA in the Gateway. The LMA also
includes the function of a Home Agent.
The MM (mobility management) control plane stack is PMIPv6 (RFC 5213) over IPv6/IPv4.
The user plane carries remote IPv4/v6 packets over either an IPv4 or an IPv6 transport network. Between the
UE and the ePDG, packets are encapsulated using IPsec (RFC 3948).
The tunnelling layer implements GRE encapsulation applicable for PMIPv6.
IPv4/IPv6: This refers to the network layer protocols. On the ePDG MAG user plane this includes termination of
the UE-MAG IP messages that may be handled by the ePDG (e.g. DHCP) and forwarding of user plane IP packets
between the UE-MAG point-to-point logical link and the S2b tunnel for the UE.
[Figure: mobile device architecture. Operator service (VoLTE, IMS, App); Connectivity manager; Mobile Data Offload MW; IPsec Client; Others (GUI, MDM).]
6. EPDG FUNCTION
The ePDG function is to terminate a high number of IPsec connections and relay them to the PDN Gateway
through a GTP or PMIP tunnel. It therefore requires an IPsec stack with a high rate of IKEv2 connections per
second and a high throughput of ESP for IPv4 and IPv6.
The ePDG function has to relay EAP messages from the mobile device to the AAA system for authentication. It also
provides the mobility parameters that allow the AAA to indicate the right PDN Gateway for IP address
preservation.
[Figure: ePDG function. The ePDG (IPsec stack, EAP Relay, GTP or PMIP) terminates SWu toward the UE and S2b toward the PDN Gateway, with an SWm interface to the AAA, a Gxb interface to the PCRF, and a Network Management interface.]
This section refers to the ePDG function rather than to a standalone node, as the ePDG may be combined with
other elements such as the TTG (Tunnel Termination Gateway) or the PDN Gateway.
7. OPERATOR REQUIREMENTS
To be deployed within a Telco or carrier-grade system, ePDG gateways must adhere to the same requirements
major carriers place on all other telecom or carrier-grade systems: high availability, service continuity and
scalability.
Voice calls have the same demanding requirements when handed over to WIFI as they do on the LTE network:
handover should not impact voice quality, confidentiality must be preserved, and authentication should be based
on the (U)SIM card. With an ePDG solution that meets these requirements, the mobile devices will automatically
use the best available access seamlessly without disruption or risk of compromise. As many customers enjoy
quality WIFI access indoors, the ePDG solution can both increase the quality of service and preserve operator
radio spectrum. When authentication and handover between macro and offload networks is seamless, customers
will access and stay on the WIFI network, helping operators achieve their WIFI offloading targets.
In order to maintain a scalable service built for continuity, carriers require support for IPv6 and the capability
to maintain multiple concurrent sessions.
Finally, operators will not deploy ePDG clients that have not undergone extensive testing in the carriers' labs
and in the real network to guarantee gateway interoperability and service quality.
8. HARDWARE ACCELERATION
The use of ePDG has hardware implications for both end user and network equipment suppliers.
The effect on the mobile UE is that the cryptographic processing of IPsec makes heavy demands on the mobile
CPU, which in turn increases the device's battery usage. This increase in power consumption can be addressed
with appropriate device hardware. With in-line packet acceleration, the full processing of each ESP packet is
handled in hardware, which allows for a dramatic reduction in CPU usage and power consumption.
Over 80% of the bytes on the Internet are transferred in packets larger than 1300 bytes
(http://www.caida.org/research/traffic-analysis/pkt_size_distribution/graphs.xml). Current networking
processors are set up to handle those. But packet sizes for voice are much smaller, as small as 48 bytes, and in
networking processors the efficiency and throughput drop to 1/3 or even 1/5 of that for large packets. So the
mobile device and the ePDG should process efficiently traffic that contains a high proportion of small IPsec
packets. Adding simple crypto cores for hashing or ciphering will provide some benefit for large packets, but will
in fact decrease performance for small packets. That is not suitable for an ePDG, where Voice over LTE (VoLTE)
will represent a large share of the traffic.
Similarly, the use of packet engines can greatly enhance performance. The benefits of packet engines are that
they are designed for highly efficient scaling, with the ability to support multiple I/O channels and multiple
data flows and to synchronize the processing of those data flows. Performance can be increased by running
multiple packet engines in parallel, each efficiently servicing a single data flow.
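The following is an added example in Python, not code from the paper or from Inside Secure. It lays out the RFC 3948 UDP-encapsulated ESP framing that carries the SWu user plane described in the section 4 legend, computes the on-wire size of the 48-byte voice packets and 1300-byte packets quoted above (byte overhead only, which is separate from the processing-throughput drop the paper describes), and demultiplexes UDP/4500 payloads into NAT keepalive, IKEv2 and ESP as an ePDG or a capture filter must. The AES-GCM IV/ICV sizes, the IPv4 outer header and every packet byte are assumptions or constructed placeholders.

```python
"""Added example (not from the paper): SWu user-plane framing and overhead.

Between UE and ePDG the legend above specifies ESP in UDP (RFC 3948, port 4500).
Assumptions: AES-GCM sizes from RFC 4106 (8-byte IV, 16-byte ICV), an IPv4 outer
header, and constructed (not encrypted) packet bytes."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on UDP/4500 starts with 4 zero bytes (SPI 0 is reserved, so ESP never does)
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte NAT keepalive
OUTER_IPV4, UDP_HDR, SPI_SEQ = 20, 8, 8

def esp_sizes(inner_len, iv_len=8, icv_len=16):
    """(padding bytes, bytes on the wire) for an inner IP packet carried in ESP
    tunnel mode over UDP. RFC 4303 pads data + pad-length + next-header to a
    4-byte boundary; the 8-byte IV is already aligned."""
    pad = (-(inner_len + 2)) % 4
    esp_len = SPI_SEQ + iv_len + inner_len + pad + 2 + icv_len
    return pad, OUTER_IPV4 + UDP_HDR + esp_len

def payload_efficiency(inner_len):
    """Share of wire bytes that belong to the user's inner packet."""
    return inner_len / esp_sizes(inner_len)[1]

def build_udp_esp(spi, seq, inner, iv_len=8, icv_len=16):
    """Constructed UDP/4500 payload: SPI, sequence number, IV, inner packet,
    RFC 4303 default padding (1, 2, ...), pad length, next header (4 = IPv4 in
    tunnel mode), ICV. Placeholder zeros stand in for real AES-GCM output."""
    pad, _ = esp_sizes(len(inner), iv_len, icv_len)
    trailer = bytes(range(1, pad + 1)) + bytes([pad, 4])
    return struct.pack("!II", spi, seq) + bytes(iv_len) + inner + trailer + bytes(icv_len)

def classify_udp4500(payload):
    """Demultiplex a UDP/4500 payload the way an ePDG (or a capture filter) must."""
    if payload == NAT_KEEPALIVE:
        return ("nat-keepalive", {})
    if payload.startswith(NON_ESP_MARKER):
        # IKEv2 header, RFC 7296 3.1: SPIi, SPIr, next payload, version, exchange
        # type, flags (0x08 = Initiator), message ID, length
        _spi_i, _spi_r, _nxt, _ver, exch, flags, msg_id, _len = struct.unpack(
            "!QQBBBBII", payload[4:32])
        return ("ikev2", {"exchange": exch, "initiator": bool(flags & 0x08), "msg_id": msg_id})
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", {"spi": spi, "seq": seq})

if __name__ == "__main__":
    for n in (48, 1300):   # the voice and large packet sizes quoted in section 8
        print(n, "byte inner packet ->", esp_sizes(n)[1], "bytes on the wire,",
              f"{payload_efficiency(n):.0%} payload")
```

With these sizes a 48-byte voice packet is only about 43% of its 112 wire bytes, while a 1300-byte packet is about 95% of 1364, which is why per-packet rather than per-byte processing cost dominates VoLTE over SWu.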
9. CONCLUSION
The mobile data offload model using an ePDG is approaching its mass-market deployment. User and networking
equipment vendors need to be aware of carrier requirements and ensure that their products will meet the
demands for power efficient mobile devices and high capacity gateways to accommodate the growing traffic and
continue to support underlying security requirements. With few proven software and hardware options on the
market it is vitally important to fully understand the requirements and make sure that component vendors are
capable of delivering tested and proven solutions.