TRANSCRIPT (uploaded 05-Jun-2018)

Page 1: Design & Deploying Trusted And Un-Trusted VoWiFi
Source: d2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/BRKSPM-2127.pdf (Cisco Live 2016, Kasu Venkat Reddy)

Page 2

Design & Deploying Trusted And Un-Trusted VoWiFi

Kasu Venkat Reddy, Sr Solution Integration Architect ([email protected])

Arun Gunasekaran, Network Consulting Engineer ([email protected])

BRKSPM-2127

Page 3

Agenda

• Introduction

• VoWiFi use cases

• VoWiFi call flows

• Architecture guidelines and best practices

• Deployment challenges and best practices

• Conclusion

Page 4

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public · BRKSPM-2127

What is VoWiFi?

• The Apple iOS 8 release introduced the Wi-Fi calling feature

• Wi-Fi calling enables UEs to securely access IMS services over Wi-Fi, similar to LTE access and in line with 3GPP standards

• The same native voice dialer is used for both VoWiFi and cellular (VoLTE)

• The same MSISDN is used for both VoWiFi and cellular (VoLTE)

• Seamless mobility across VoWiFi and VoLTE

[Diagram: UE ––IPsec tunnel over Wi-Fi–– ePDG → PGW → IMS, inside the SP packet core]

Page 5

VoWiFi – Business Drivers

Cisco VNI projection (2015–2020)

• VoWiFi is going to outperform VoLTE by 2016 and VoIP by 2018 in terms of minutes of use

• By 2020, VoWiFi will have 53 percent of mobile IP voice

Business drivers

• Leverage the global Wi-Fi footprint

• Cost-effective solution to complement cellular coverage (mainly indoor)

• Customer retention

• Competitive edge over OTT players

[Chart: minutes of use (billions) per year, 2015–2020, y-axis 0–10,000. Share of mobile IP voice minutes, 2015 → 2020: VoWiFi 15.7% → 52.9%, VoLTE 18.0% → 26.3%, VoIP 66.3% → 20.8%. Source: ACG, Cisco VNI Global Mobile Data Traffic Forecast, 2015–2020]

Page 6

VoWiFi Use Cases

• Untrusted Voice over Wi-Fi

• Trusted Voice over Wi-Fi

Page 7

VoWiFi Trusted / Untrusted Use Case

Untrusted VoWiFi

• The Wi-Fi access network is untrusted and un-managed

• An IPsec tunnel is established between the UE (SWu client) and the mobile packet core (ePDG)

• The ePDG handles user authentication and establishes the packet data network connection with the P-GW over the S2b GTP-based interface

• The UE uses the SWu client for the IMS APN and the native client to locally break out the rest of its traffic over the Wi-Fi access network

Trusted VoWiFi

• The Wi-Fi access network is trusted and managed

• As per 3GPP Release 11, one of the key characteristics of the "Trusted Wi-Fi" architecture is the client-less approach to packet core integration

• The TWAG lacks support for multiple-APN signalling over S2a for a UE towards the PGW, so all offloaded Wi-Fi traffic is assumed to belong to the Internet APN

• VoWiFi cannot be supported in that model because it requires its own IMS APN

• A hybrid architecture is recommended, i.e. the combination of the Release 11 trusted Wi-Fi architecture and the untrusted VoWiFi architecture

• The hybrid model supports simultaneous offloading of IMS APN and Internet APN traffic when the user moves from cellular to the trusted Wi-Fi access network

• As per 3GPP TS 23.402, a UE can be connected over only one non-3GPP access at a time

[Diagrams: (1) VoWiFi untrusted network: UE (SWu client and native client) → WLAN → Internet → ePDG → PGW → IMS network. (2) VoWiFi trusted network (hybrid): UE native client → TWAG → Internet PGW → Internet; UE SWu client → ePDG → IMS PGW → IMS network. (3) VoWiFi trusted network with optimised routing using SIPTO (hybrid): the TWAG is SIPTO-enabled; the UE is DHCP-allocated 173.38.0.1; traffic matching the SIPTO rule (NAT pool 173.38.1.0/24) is broken out locally towards the ePDG, traffic with no IP match is sent to the PGW.]

Page 8

VoWiFi Trusted / Untrusted Use Case Architecture

End-to-end solution components: ePDG/SaMOG, 3GPP AAA, PGW, PCRF, OCS, HSS, IMS, UE, EMS/NMS, AP/WLC

Use cases

• Un-trusted / un-managed VoWiFi for SIM-based subscribers

• Trusted / managed VoWiFi for SIM-based subscribers

Page 9

VoWiFi Initial Attach – Untrusted Network (authentication)

Entities: UE, AP/WLC, ePDG, 3GPP AAA, HSS. Interfaces: SWu (UE–ePDG), SWm (ePDG–3GPP AAA), SWx (3GPP AAA–HSS).

• UE performs ePDG selection

• UE → ePDG: IKEv2 SA_INIT Request; ePDG → UE: IKEv2 SA_INIT Response

• UE → ePDG: IKEv2 AUTH Request (User-name: Root NAI, APN: IMS APN, IP: 0.0.0.0)

• ePDG → 3GPP AAA (SWm): Diameter EAP Request (User-name: Root NAI, EAP Identity: EAP-AKA, RAT Type: WLAN)

• 3GPP AAA → HSS (SWx): Diameter Multimedia-Auth-Request (User-Name: IMSI, RAT Type: WLAN); HSS → 3GPP AAA: Multimedia-Auth-Answer (User-name: IMSI, authentication vector attributes)

• 3GPP AAA → ePDG: Diameter EAP Answer (User-name: Root NAI, EAP-AKA Challenge Request)

• ePDG → UE: IKEv2 AUTH Response (User-name: Root NAI, EAP Request: AKA Challenge); the UE runs the AKA algorithm and verifies the authentication vector

• UE → ePDG: IKEv2 AUTH Request (User-name: Root NAI, EAP Response: AKA Challenge Response)

• ePDG → 3GPP AAA: Diameter EAP Request (User-name: Root NAI, EAP-AKA Challenge Response); the 3GPP AAA verifies the challenge response

• 3GPP AAA → HSS: Diameter Server-Assignment-Request (User-Name: IMSI, RAT Type: WLAN, SA Type: Registration); HSS → 3GPP AAA: Server-Assignment-Answer (User-name: IMSI, subscriber profile: APN, QoS, MIP6-Agent-Info, etc.)

• 3GPP AAA → ePDG: Diameter EAP Answer (User-name: Root NAI, EAP Success, subscriber profile: APN, QoS, MIP6-Agent-Info, etc.)

• ePDG → UE: IKEv2 AUTH Response (EAP Success)

Page 10

VoWiFi Initial Attach – Untrusted Network (session establishment)

Entities: UE, AP, ePDG, PGW, 3GPP AAA, HSS, PCRF, OCS. Interfaces: SWu, S2b (ePDG–PGW), S6b (PGW–3GPP AAA), SWx, Gx, Gy.

• ePDG performs PGW selection: DNS / local resolution, or the HSS-provided PGW

• UE → ePDG: IKEv2 AUTH Request (continuation of the authentication exchange)

• ePDG → PGW (S2b): Create Session Request (IMSI, MSISDN, RAT: WLAN, APN: IMS APN, Serving Network: MCC & MNC, Handover Indication flag: 0, APCO: P-CSCF address request)

• PGW → 3GPP AAA (S6b): Update Location Request (User-name: Root NAI, RAT Type: WLAN, Service Selection: APN name, MIP Home Agent: PGW address)

• 3GPP AAA → HSS (SWx): User Profile Request (User-name: IMSI, RAT Type: WLAN, Service Selection: APN name, MIP Home Agent: PGW address); HSS → 3GPP AAA: User Profile Response (User-name: IMSI, RAT Type: WLAN, Service Selection: APN name, MIP Home Agent: PGW address)

• 3GPP AAA → PGW: Update Location Response (Result Code: DIAMETER_SUCCESS)

• PGW → OCS (Gy): CCR-I; OCS → PGW: CCA-I

• PGW → PCRF (Gx): CCR-I; PCRF → PGW: CCA-I

• PGW → ePDG: Create Session Response (UE IP address, P-CSCF IP address, PGW S2b TEID; IMSI, MSISDN)

• ePDG → UE: IKEv2 AUTH Response (PAA: UE IP address, APCO IE: P-CSCF address)

Page 11

VoWiFi: LTE to Wi-Fi Handover

Entities: UE, AP, ePDG, PGW, 3GPP AAA, HSS, PCRF, OCS. Interfaces: SWu, S2b, S6b, SWx, Gx, Gy. The UE is already authenticated with the ePDG, and the ePDG selects the PGW IP address provided by the HSS.

• UE → ePDG: IKEv2 AUTH Request (UE IP address: A.B.C.D, the address already in use on LTE)

• ePDG → PGW (S2b): Create Session Request (IMSI, MSISDN, RAT: WLAN, APN: IMS APN, Serving Network: MCC & MNC, Handover Indication flag: 1, PAA: A.B.C.D, APCO: P-CSCF address request)

• PGW → 3GPP AAA (S6b): Update Location Request (User-name: Root NAI, RAT Type: WLAN, Service Selection: APN name, MIP Home Agent: PGW address)

• 3GPP AAA → HSS (SWx): User Profile Request (User-name: IMSI, RAT Type: WLAN, Service Selection: APN name, MIP Home Agent: PGW address); HSS → 3GPP AAA: User Profile Response

• 3GPP AAA → PGW: Update Location Response (Result Code: DIAMETER_SUCCESS)

• PGW → OCS (Gy): CCR-I; OCS → PGW: CCA-I

• PGW → PCRF (Gx): CCR-I; PCRF → PGW: CCA-I

• PGW → ePDG: Create Session Response (UE IP address: A.B.C.D, P-CSCF IP address, PGW S2b TEID; IMSI, MSISDN)

• ePDG → UE: IKEv2 AUTH Response (PAA: A.B.C.D, APCO IE: P-CSCF address); the UE keeps the same IP address A.B.C.D on Wi-Fi

Page 12

VoWiFi Initial Attach – Trusted Network

Entities: UE, AP, SaMOG, ePDG, IMS PGW, Internet PGW, 3GPP AAA, HSS, IMS.

• SaMOG: authentication and authorization of the trusted WLAN access; UE IP address assignment (Internet APN) from the Internet PGW

• UE selects the ePDG using the DNS procedure; DNS traffic can be routed internally

• ePDG: authentication and authorization; UE IP address assignment (IMS APN) from the IMS PGW

• SaMOG selectively offloads the ePDG traffic (SIPTO)

[Diagram: ePDG control packets flow UE → AP → SaMOG → ePDG; IMS APN traffic (voice and video) flows UE → AP → SaMOG → ePDG → IMS PGW → IMS; Internet APN traffic flows UE → AP → SaMOG → Internet PGW → Internet]

Page 13

Architecture Guidelines and Best Practices

• ePDG discovery

• PGW selection

• Seamless mobility

• UE dependencies

• Location information

• Emergency calling

• Quality of service

• Security framework

Page 14

ePDG Discovery – ePDG Selection Options

• The UE can dynamically derive the ePDG FQDN as per the 3GPP standards. ePDG FQDN format: epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org

• Possible options for the UE to derive the PLMN: the SIM card (home location), the last known cell ID from LTE, or Wi-Fi Hotspot 2.0

• Alternatively, UEs are configured with a static ePDG FQDN / domain name / IP address

DNS resolution flow (UE, local caching DNS server at the Internet service provider, root DNS server, operator authoritative DNS server in the GSMA operator network, ePDG):

• UE → local caching DNS server: recursive DNS query for epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org

• Caching DNS server → root DNS server: iterative DNS query; based on the MCC and MNC values the root DNS selects the operator's authoritative DNS server and returns its IP address

• Caching DNS server → operator authoritative DNS server: iterative DNS query; the operator authoritative DNS selects the ePDG based on the MCC and MNC values and returns the ePDG IP address

• Caching DNS server → UE: DNS response with the ePDG IP address

• UE → ePDG: IPsec session establishment
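The FQDN derivation and selection order described above, as an added example that is not part of the original slides or of any Cisco product. It assumes the 3GPP TS 23.003 rule that the MNC is always written with three digits in these FQDNs (a two-digit MNC gets a leading zero), that the MNC length comes from the SIM rather than from the IMSI, and it stands in for the recursive DNS lookup with a constructed in-memory table (`fake_resolve`) so it runs offline. The usability filter `_usable` and the precedence of a statically provisioned ePDG are local policy assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Layout of the home-network ePDG FQDN as quoted on the slide (3GPP TS 23.003 §19.4.2.2).
# MNC is always three digits in 3GPP FQDNs: a two-digit MNC gets a leading zero.
EPDG_FQDN_TEMPLATE = "epdg.epc.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"


def plmn_from_imsi(imsi: str, mnc_length: int) -> Tuple[str, str]:
    """Split an IMSI into (MCC, MNC). The MNC length (2 or 3 digits) is not encoded in the
    IMSI itself; the UE reads it from the SIM (EF_AD), so it is an explicit parameter here."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_length]


def epdg_fqdn(mcc: str, mnc: str) -> str:
    """Build the ePDG FQDN for a PLMN, zero-padding a two-digit MNC to three digits."""
    if not (mcc.isdigit() and len(mcc) == 3):
        raise ValueError(f"MCC must be exactly 3 digits, got {mcc!r}")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError(f"MNC must be 2 or 3 digits, got {mnc!r}")
    return EPDG_FQDN_TEMPLATE.format(mnc=mnc.zfill(3), mcc=mcc)


def _usable(address: str) -> bool:
    """Local policy assumption: drop answers no ePDG could legitimately live at."""
    ip = ipaddress.ip_address(address)
    return not (ip.is_loopback or ip.is_unspecified or ip.is_multicast)


def select_epdg(
    mcc: str,
    mnc: str,
    resolve: Callable[[str], List[str]],
    static_epdg: Optional[str] = None,
) -> Tuple[str, Optional[str]]:
    """Return (primary, secondary) ePDG addresses to open IKEv2 SA_INIT towards.

    A statically provisioned ePDG (FQDN or IP literal) wins over the PLMN-derived FQDN.
    `resolve` stands in for the recursive DNS lookup; the first two usable answers become
    the primary and secondary ePDG (handing the UE a primary and secondary address is one
    of the DNS capabilities listed on the next slide)."""
    if static_epdg:
        try:
            ipaddress.ip_address(static_epdg)
            return static_epdg, None          # IP literal: nothing to resolve
        except ValueError:
            name = static_epdg                # static FQDN / domain name
    else:
        name = epdg_fqdn(mcc, mnc)
    answers = [a for a in resolve(name) if _usable(a)]
    if not answers:
        raise LookupError(f"no usable ePDG address for {name}")
    return answers[0], (answers[1] if len(answers) > 1 else None)


# Constructed DNS data for an offline run (test PLMN 001/01; not real operator records).
_FAKE_DNS: Dict[str, List[str]] = {
    "epdg.epc.mnc001.mcc001.pub.3gppnetwork.org": ["203.0.113.10", "203.0.113.11"],
    "epdg.epc.mnc999.mcc999.pub.3gppnetwork.org": ["127.0.0.1"],   # bogus answer, filtered out
}


def fake_resolve(name: str) -> List[str]:
    return _FAKE_DNS.get(name, [])


if __name__ == "__main__":
    mcc, mnc = plmn_from_imsi("001010123456789", mnc_length=2)
    print(epdg_fqdn(mcc, mnc))
    print(select_epdg(mcc, mnc, fake_resolve))
```

A real UE performs the lookup through whatever resolver the Wi-Fi network hands it, so the answer is only as trustworthy as that resolver; the IKEv2 AUTH exchange (certificate on the ePDG side, EAP-AKA on the UE side) is what actually authenticates the endpoint, not DNS.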

Page 15

ePDG Discovery – Regulatory Aspects and Best Practice

Regulatory aspects

• International roaming

• National roaming

• Country-specific regulatory aspects

Best practice

• Understand the regulatory aspects

• ePDG selection option

• DNS capabilities

• Optimised ePDG FQDN resolution (trusted network)

Trusted VoWiFi use case

• Locally optimised ePDG FQDN resolution

DNS capabilities

• Redundancy

• Load balancing

• Primary and secondary ePDG address to the UE

• Heartbeat exchange with the ePDG

(The slide repeats the DNS resolution flow diagram from page 14.)

Page 16

Seamless Mobility – PGW Selection

VoWiFi initial attach

• The UE sends an all-zero IP address

• The ePDG decides the selection method from the subscription:

• Dynamic PGW selection using the APN FQDN (DNS)

• Static PGW address from the HSS

• PGW address from local policy configuration

LTE to Wi-Fi handover

• The PGW IP address is updated in the HSS via the S6a interface while the UE is in the LTE network

• The UE sends its non-zero (existing) IP address to the ePDG

• The ePDG selects the HSS-provided PGW IP address (mandatory in this case)

• The ePDG sends the handover indicator to the PGW

• The PGW preserves the same IP address for the Wi-Fi network

Flow (ePDG, AAA, HSS, DNS, PGW), with the UE already authenticated with the ePDG:

• ePDG ↔ AAA: Diameter EAP Request / EAP Answer; AAA ↔ HSS: Server-Assignment Request / Answer returning MIP6-Agent-Info with the PGW IP address

• HSS-provided: the ePDG selects the HSS-provided PGW IP address and sends the Create Session Request

• Dynamic: the ePDG sends an S-NAPTR query for the APN FQDN, then an AAAA query; the response lists PGW 1 IP address, PGW 2, ...; the ePDG sends the Create Session Request to the selected PGW

• Local: the ePDG selects a locally configured PGW IP address and sends the Create Session Request

Page 17

Seamless Mobility

Wi-Fi to LTE handover

• The PGW IP address is updated in the HSS via the S6b interface while the UE is in the Wi-Fi network

• The UE sends the handover indicator to the MME

• The MME selects the HSS-provided PGW IP address

• The PGW preserves the same IP address for the UE in the LTE network

Best practice

• The S6a and S6b interfaces should update the PGW IP address in the HSS

• The ePDG / MME should select the HSS-provided PGW IP address

• Keep a locally configured PGW IP address for fallback
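The PGW selection logic from pages 16 and 17 (initial attach versus handover, and the HSS / DNS / local-configuration precedence), as an added example that is not code from the original slides or from the Cisco ePDG. The `SubscriberProfile` and `CreateSessionRequest` types, the `static_pgw` flag and the `resolve_apn` callback (standing in for S-NAPTR plus AAAA/A resolution of the APN FQDN from 3GPP TS 23.003) are assumptions of this example; the DNS answers are constructed so that it runs offline.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

UNSPECIFIED = ("0.0.0.0", "::")   # the "all-zero" address a UE sends on initial attach


@dataclass
class SubscriberProfile:
    """What the 3GPP AAA hands the ePDG over SWm after EAP-AKA succeeds (page 9: APN, QoS,
    MIP6-Agent-Info, ...). `pgw_from_hss` is the PGW address carried in MIP6-Agent-Info;
    `static_pgw` (an assumption of this example) says the subscription pins the UE to it."""
    apn: str
    pgw_from_hss: Optional[str] = None
    static_pgw: bool = False


@dataclass(frozen=True)
class CreateSessionRequest:
    """The S2b fields the slides annotate on the Create Session Request."""
    apn: str
    pgw: str
    handover_indication: int      # 0 on initial attach, 1 on LTE-to-Wi-Fi handover
    paa: Optional[str]            # PDN Address Allocation: the address to preserve on handover
    source: str                   # which selection method produced the PGW (for logging)


def apn_fqdn(apn_ni: str, mcc: str, mnc: str) -> str:
    """APN FQDN used for S-NAPTR based PGW discovery (3GPP TS 23.003 §19.4.2.2)."""
    return f"{apn_ni}.apn.epc.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def select_pgw(
    ue_address: Optional[str],
    profile: SubscriberProfile,
    resolve_apn: Callable[[str], List[str]],
    local_pgws: List[str],
    mcc: str,
    mnc: str,
) -> CreateSessionRequest:
    """Pick the PGW for an S2b session the way pages 16 and 17 describe."""
    handover = bool(ue_address) and ue_address not in UNSPECIFIED
    if handover:
        # Only the PGW already anchoring the PDN connection (recorded in the HSS over S6a
        # while the UE was on LTE) can preserve the UE's address, so the HSS PGW is mandatory.
        if not profile.pgw_from_hss:
            raise RuntimeError("handover requested but HSS holds no serving PGW; cannot preserve IP")
        return CreateSessionRequest(profile.apn, profile.pgw_from_hss, 1, ue_address, "hss-handover")

    # Initial attach (all-zero address): the ePDG decides the method from the subscription.
    if profile.static_pgw and profile.pgw_from_hss:
        return CreateSessionRequest(profile.apn, profile.pgw_from_hss, 0, None, "hss-static")
    candidates = resolve_apn(apn_fqdn(profile.apn, mcc, mnc))   # S-NAPTR + AAAA/A resolution
    if candidates:
        return CreateSessionRequest(profile.apn, candidates[0], 0, None, "dns")
    if local_pgws:                                              # locally configured fallback
        return CreateSessionRequest(profile.apn, local_pgws[0], 0, None, "local-config")
    raise RuntimeError("no PGW available for APN " + profile.apn)


# Constructed DNS answers for an offline run (test PLMN 001/01; not real operator records).
_FAKE_APN_DNS = {
    "ims.apn.epc.mnc001.mcc001.3gppnetwork.org": ["198.51.100.21", "198.51.100.22"],
}


def fake_resolve_apn(name: str) -> List[str]:
    return _FAKE_APN_DNS.get(name, [])


if __name__ == "__main__":
    prof = SubscriberProfile(apn="ims", pgw_from_hss="198.51.100.21")
    print(select_pgw("0.0.0.0", prof, fake_resolve_apn, ["198.51.100.99"], "001", "01"))
    print(select_pgw("10.45.0.7", prof, fake_resolve_apn, ["198.51.100.99"], "001", "01"))
```

The handover branch deliberately refuses to fall back to DNS or local configuration: a Create Session Request with Handover Indication set and a PAA the chosen PGW never allocated cannot preserve the address, and silently picking another PGW is exactly how stale sessions (page 26) and dropped calls arise.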

Page 18

UE Dependencies

UE gaps

• Most UEs today qualify a Wi-Fi network based on RSSI alone

• Most UEs today have a toggling issue with data offload

UE requirements

• The UE should qualify the Wi-Fi network before initiating a VoWiFi attach / handover (RSSI, latency, delay, etc.)

• The UE should have seamless mobility capability to hand over from LTE to Wi-Fi and vice versa

• The UE should support WMM to maintain end-to-end QoS

• The UE should support Hotspot 2.0 for seamless onboarding

• The UE should be able to offload both the Internet APN and the IMS APN simultaneously (trusted network)

[Diagram: UE with IPsec client, VoIP, SMS and other apps over Wi-Fi and LTE radios under a connection manager; the IMS APN goes through the IPsec client over the untrusted network to the ePDG, or over the LTE network to the MME/SGW; both reach the EPC core, the IMS network and the Internet]

Page 19

Location Information

Untrusted network

• Outer IPsec IP address and port number via S2b to the PGW

• Outer IPsec IP address, port number and AP MAC address via SWm to the AAA

• 3rd-party geolocation providers such as MaxMind, Neustar IP Intelligence, etc.

Trusted network

• WLC accounting

• PGW CDRs

• P-ANI (P-Access-Network-Info) header in SIP messages to IMS

Lawful request flow between the LEA, the VoWiFi operator and the Wi-Fi ISP (post crime):

• LEA → VoWiFi operator: request for call details for an MSISDN

• The operator checks its platform and returns the details related to the call; since the call originated from an untrusted network, the outer IP address of the subscriber's IPsec tunnel is provided

• LEA → Wi-Fi ISP: request for subscriber details and activity details against the IP address, date and timestamp provided

• The ISP checks its system and returns the subscriber identity and call / activity log details

Page 20

Emergency Calling – Current Possible Approaches

• When an emergency call (e.g. 911) is made, the phone defaults the call to the cellular network

• The operator mandates that the subscriber provides an emergency address when the Wi-Fi calling service is turned on, which can be used during emergency calling

• Operator-assisted redirection: the emergency call is routed to the operator call centre; the caller provides location information, based on which the operator redirects to the appropriate public-safety answering point (PSAP)

• Home PSAP-assisted redirection: the emergency call is routed to the home PSAP; the caller provides location information, based on which the home PSAP redirects to the appropriate PSAP

• If the subscriber is not able to convey the location, the emergency address defined as part of the Wi-Fi calling profile is used

Page 21

Emergency Calling – call flow (UE, ePDG, 3GPP AAA, PGW)

• The UE identifies an ePDG that supports emergency calling (or uses normal selection)

• The UE drops the existing IPsec tunnel

• IKEv2 SA_INIT request / response

• IKEv2 AUTH request carrying the emergency indication (IDr: emergency; Emergency Indication IE)

• ePDG → 3GPP AAA: Diameter EAP Request; the Diameter EAP Answer returns call setup parameters from a locally configured emergency profile

• ePDG → PGW: Create Session Request (APN: SOS); Create Session Response

• IKEv2 AUTH response

Defined as part of 3GPP Rel-13

• For UE-detected emergency sessions only

• No procedures to detect local emergency numbers while the UE is roaming

Per 3GPP TS 23.167 clause J.1, emergency sessions are supported over WLAN access to the EPC only when:

• The UE has failed or has not been able to use 3GPP access to set up the emergency session (the UE shall issue an emergency session over WLAN to the EPC only in that case)

• The UE has sufficient credentials to access the EPC

• An ePDG and a PGW in the home PLMN are used

Page 22

Quality of Service

[Diagrams: VoLTE network: UE – radio – eNodeB – S1-U – SGW – S5 – PGW, with the default bearer (QCI 5, SIP signalling) and dedicated bearers (QCI 1 voice data, QCI 2 video data) carried on every hop. VoWiFi network: UE – RF interface (WMM) – AP/WLC – EoGRE tunnel (DSCP marking) – SaMOG (SIPTO local break-out) – SWu (DSCP marking) – ePDG – S2b – PGW, with the same default bearer (QCI 5, SIP signalling) and dedicated bearers (QCI 1 voice, QCI 2 video) only on S2b.]

LTE networks

• Dedicated bearers with different QCI/ARP values are honoured at the UE, eNB, SGW and PGW

Untrusted VoWiFi network

• All dedicated bearers (QCI values) terminate at the ePDG

• Wi-Fi access does not support QCI bearers

• QCI values are mapped to DSCP markings to request the right priority

• The DSCP marking sits in the outer IP header, which ESP does not integrity-protect, so any hop in the untrusted network can rewrite or strip it

• Expect "best effort" QoS treatment for the IP packets

Trusted Wi-Fi network

• Quality of service can be guaranteed in the trusted Wi-Fi network

• QCI values can be mapped to the appropriate DSCP and WMM access category on the air interface

Page 23

Security Framework

Best practice

• Secure the internet-facing interface

• ACL on all contexts

• Isolate management traffic

Details

• The ePDG can be configured with a public IP address on SWu

• ACL rules on the ePDG allow only IKEv2 (UDP ports 500 and 4500; port 4500 also carries UDP-encapsulated ESP for NAT traversal) and IP protocol 50 (ESP) towards the SWu address, and drop everything else

• Additionally, the IKEv2 DoS cookie challenge feature (RFC 7296 §2.6) can be enabled so that half-open IKE_SA_INIT exchanges from spoofed sources do not consume ePDG state

• Use multiple contexts to isolate the interface traffic (Context 1: SWu, Context 2: SWm, Context 3: S2b)

• Enable ACLs on all contexts so that each context accepts only the traffic of its own interface

• Use a separate network for management traffic

Page 24

Deployment Challenges and Best Practices

• IPsec profile

• MTU

• Stale sessions

• DRA caching

• Timers

Page 25

IKEv2 and IPsec Profile

Supported options (IKEv2)

IKEv2 encryption: DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256, AES-128-GCM-128, AES-128-GCM-64, AES-128-GCM-96, AES-256-GCM-128, AES-256-GCM-64, AES-256-GCM-96

IKEv2 pseudo-random function: PRF-HMAC-SHA1, PRF-HMAC-MD5, AES-XCBC-PRF-128

IKEv2 integrity: HMAC-SHA1-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192, HMAC-SHA2-512-256, HMAC-MD5-96, AES-XCBC-96

IKEv2 Diffie-Hellman group: Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), Group 14 (2048-bit)

Supported options (IPsec)

ESP encryption: NULL, DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256

Extended Sequence Number: a value of 0 / off is supported (ESN itself is not supported)

ESP integrity: NULL, HMAC-SHA1-96, HMAC-MD5-96, AES-XCBC-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192, HMAC-SHA2-512-256

Widely used security profiles (Apple profile / Samsung profile)

IKEv2 encryption: AES-CBC-256 / AES-CBC-128

IKEv2 pseudo-random function: PRF-HMAC-SHA1 / PRF-HMAC-SHA1

IKEv2 integrity: HMAC-SHA1-96 / HMAC-SHA1-96

IKEv2 Diffie-Hellman group: Group 2 (1024-bit) / Group 2 (1024-bit)

ESP encryption: AES-CBC-128 / AES-CBC-128

Extended Sequence Number: false / false

ESP integrity: HMAC-SHA1-96 / HMAC-SHA1-96

• The Cisco ePDG supports multiple profile configurations

• Best practice is to limit the number of profiles

• Several of the supported options (DES-CBC, the MD5-based PRF and integrity transforms, NULL ESP encryption and the 768-bit and 1024-bit DH groups) are weak by current standards; expose only the transforms the UE population actually needs, and note that the two profiles above still negotiate DH group 2

Negotiation (UE ↔ ePDG): IKEv2 SA_INIT Request and SA_INIT Response carry the encryption, integrity, PRF and DH group transforms plus the NAT detection source IP and NAT detection destination IP payloads; the IKEv2 AUTH Request follows.
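The proposal selection that the SA_INIT exchange above performs, written as an added example (not code from the original slides or from the Cisco ePDG) against the page's two profiles. A UE proposal offers a list of candidate transforms per type and the responder picks one per type, so a profile matches when every transform it needs appears in the UE's lists (RFC 7296 §3.3); the structural checks on AEAD versus integrity transforms follow RFC 5282. The deny-list is a local policy assumption; DH group 2 is left out of it only because the page's profiles still use it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Transform names follow the page's tables rather than IANA transform IDs.
AEAD_ENCR = {"AES-128-GCM-64", "AES-128-GCM-96", "AES-128-GCM-128",
             "AES-256-GCM-64", "AES-256-GCM-96", "AES-256-GCM-128"}

# Local policy assumption: transforms the ePDG operator refuses even if a UE offers them.
DENYLIST = {"DES-CBC", "PRF-HMAC-MD5", "HMAC-MD5-96", "Group 1 (768-bit)", "NULL"}


@dataclass(frozen=True)
class Profile:
    """One ePDG IKE_SA profile: exactly one transform per type (integ is None for AEAD)."""
    name: str
    encr: str
    prf: str
    integ: Optional[str]
    dh: str


# The two "widely used" profiles from the slide, in ePDG preference order.
EPDG_PROFILES: List[Profile] = [
    Profile("apple",   "AES-CBC-256", "PRF-HMAC-SHA1", "HMAC-SHA1-96", "Group 2 (1024-bit)"),
    Profile("samsung", "AES-CBC-128", "PRF-HMAC-SHA1", "HMAC-SHA1-96", "Group 2 (1024-bit)"),
]

# A UE proposal as carried in the SA payload: candidate transforms per transform type.
Proposal = Dict[str, List[str]]


def proposal_errors(p: Proposal) -> List[str]:
    """Structural checks on one proposal before any matching is attempted."""
    errs: List[str] = []
    for t in ("ENCR", "PRF", "DH"):
        if not p.get(t):
            errs.append(f"missing {t} transform")
    encr = p.get("ENCR", [])
    aead = [e in AEAD_ENCR for e in encr]
    if encr and any(aead) and not all(aead):
        errs.append("proposal mixes AEAD and non-AEAD ENCR transforms")
    elif encr and all(aead) and p.get("INTEG"):
        errs.append("INTEG transform offered together with AEAD-only ENCR")
    elif encr and not any(aead) and not p.get("INTEG"):
        errs.append("non-AEAD ENCR offered without INTEG transform")
    return errs


def select_profile(ue_proposals: List[Proposal],
                   profiles: List[Profile] = EPDG_PROFILES,
                   denylist=DENYLIST) -> Optional[Profile]:
    """Return the first ePDG profile (in ePDG preference order) that some well-formed UE
    proposal can satisfy; None means the ePDG answers NO_PROPOSAL_CHOSEN."""
    for prof in profiles:
        wanted = {"ENCR": prof.encr, "PRF": prof.prf, "DH": prof.dh}
        if prof.integ is not None:
            wanted["INTEG"] = prof.integ
        if denylist & set(wanted.values()):
            continue                       # the profile itself is not allowed by policy
        for p in ue_proposals:
            if proposal_errors(p):
                continue
            if all(v in p.get(t, []) for t, v in wanted.items()):
                return prof
    return None


if __name__ == "__main__":
    # Constructed UE proposals (not captured from real devices).
    iphone_like = {"ENCR": ["AES-CBC-256", "AES-CBC-128"], "PRF": ["PRF-HMAC-SHA1"],
                   "INTEG": ["HMAC-SHA1-96"], "DH": ["Group 2 (1024-bit)", "Group 14 (2048-bit)"]}
    legacy = {"ENCR": ["DES-CBC"], "PRF": ["PRF-HMAC-MD5"], "INTEG": ["HMAC-MD5-96"],
              "DH": ["Group 1 (768-bit)"]}
    print(select_profile([iphone_like]), select_profile([legacy]))
```

Keeping the profile list short does double duty: fewer combinations to certify against handsets, and a smaller surface of transforms a downgrade-minded peer can steer the negotiation into.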

Page 26

Stale Session

Stale session in the PGW

• When the UE initiates a re-attach, the ePDG locally cleans up the existing session and performs PGW selection for the new session

• If the PGW selected is the same as the old one, the session is replaced in the PGW

• If the PGW selected is different from the old one, the old PGW holds a stale session

• There are no clear guidelines from 3GPP to address this problem

Recommended approach

• The ePDG compares the selected PGW with the existing S2b session and initiates a Delete Session Request towards the old PGW if the newly selected PGW is different from the old one

[Diagram: UE IPsec client over the un-trusted / un-managed access network → ePDG → S2b → PGW 1 and PGW 2 → IMS]
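The re-attach handling from this page, as an added example that is not code from the original slides or from the Cisco ePDG. It models the ePDG's S2b session table and two PGWs in memory (the `Pgw` and `Epdg` classes, the TEID counter and the `notify_old_pgw` switch are assumptions of this example) so that the stale-session failure mode and the recommended Delete Session towards the old PGW can both be exercised offline.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str]   # (IMSI, APN) identifies the PDN connection on S2b


@dataclass
class Pgw:
    """Minimal PGW: holds S2b sessions keyed by (IMSI, APN). A Create Session for an
    existing key replaces the old context (the slide's "session will be replaced" case)."""
    name: str
    sessions: Dict[Key, int] = field(default_factory=dict)   # value: ePDG-side TEID

    def create_session(self, key: Key, epdg_teid: int) -> None:
        self.sessions[key] = epdg_teid

    def delete_session(self, key: Key) -> bool:
        return self.sessions.pop(key, None) is not None


@dataclass
class Epdg:
    pgws: Dict[str, Pgw]
    sessions: Dict[Key, str] = field(default_factory=dict)   # key -> name of serving PGW
    s2b_log: List[str] = field(default_factory=list)         # S2b messages sent, for inspection
    _next_teid: int = 1

    def attach(self, imsi: str, apn: str, selected_pgw: str, notify_old_pgw: bool = True) -> str:
        """Handle an (re-)attach for one PDN connection.

        `notify_old_pgw=True` is the recommended approach: compare the newly selected PGW
        with the one serving the existing session and tear down the old context when they
        differ. `False` shows what happens with local cleanup only."""
        key = (imsi, apn)
        old_pgw = self.sessions.pop(key, None)        # local cleanup of the previous session
        if old_pgw is not None and old_pgw != selected_pgw and notify_old_pgw:
            self.pgws[old_pgw].delete_session(key)
            self.s2b_log.append(f"Delete Session Request -> {old_pgw} for {key}")
        teid = self._next_teid
        self._next_teid += 1
        self.pgws[selected_pgw].create_session(key, teid)  # same PGW: context simply replaced
        self.s2b_log.append(f"Create Session Request -> {selected_pgw} for {key}")
        self.sessions[key] = selected_pgw
        return selected_pgw


def stale_sessions(epdg: Epdg) -> List[Tuple[str, Key]]:
    """Audit: contexts a PGW still holds that the ePDG no longer maps to that PGW."""
    return [(p.name, k) for p in epdg.pgws.values() for k in p.sessions
            if epdg.sessions.get(k) != p.name]


if __name__ == "__main__":
    imsi, apn = "001010123456789", "ims"     # constructed test-PLMN subscriber
    epdg = Epdg({"pgw1": Pgw("pgw1"), "pgw2": Pgw("pgw2")})
    epdg.attach(imsi, apn, "pgw1")
    epdg.attach(imsi, apn, "pgw2", notify_old_pgw=False)
    print("stale after naive re-attach:", stale_sessions(epdg))
    epdg.attach(imsi, apn, "pgw1")           # recommended path cleans pgw2 up
    print("stale after clean re-attach:", stale_sessions(epdg), epdg.s2b_log)
```

The audit function is the check worth running in production form (compare ePDG session records against PGW-side context dumps): a stale context is not just wasted memory, it keeps charging and policy state alive for a session the subscriber no longer has.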

Page 27

MTU

• The end-to-end MTU should be consistent to ensure the quality of experience

• The different protocol stacks and encapsulation methods used across the interfaces can cause fragmentation

• Fragmentation of IPsec packets causes additional processing at the UE and may delay packet delivery to the application on the UE

• NAT / firewall devices may drop small fragmented IPsec packets as a threat

Recommended solution

• Calculate the maximum payload the ePDG can send on the SWu interface without fragmentation

• Configure the ePDG maximum payload as the IMS MTU

• The PGW MTU shall be the IMS MTU plus the additional headers

[Diagram of the protocol stacks: UE IPsec client – SWu – ePDG – S2b – PGW – SGi – IMS. On SWu the packet is IPv4/IPv6 (outer) / ESP / IPv4/IPv6 (inner); on S2b it is IPv4/IPv6 / UDP / GTP / IPv4/IPv6 (inner); on SGi it is the plain IPv4/IPv6 packet.]
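The MTU calculation recommended above, carried through as an added example (not code from the original slides or from the Cisco ePDG) for the page's own profile, AES-CBC-128 with HMAC-SHA1-96 in ESP tunnel mode. The overhead figures are the standard ones (ESP header 8 bytes, CBC IV, padding to the cipher block, 2-byte trailer, truncated ICV; GCM with its own ICV and 4-byte padding per RFC 4106; UDP encapsulation on port 4500 for NAT traversal; 8-byte GTP-U header on S2b); the 1500-byte outer MTU and the function names are assumptions of this example.

```python
from typing import Dict, Optional, Tuple

IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
ESP_HDR, ESP_TRAILER = 8, 2          # SPI + sequence number; pad length + next header
GTPU_HDR = 8                          # mandatory GTP-U header; +4 when the S/E/PN flags are set

# (IV length, alignment of the encrypted part, built-in ICV length or None) per ESP encryption
# transform on the slide. CBC ciphers pad to their block size and take the ICV from the
# integrity transform; AES-GCM (RFC 4106) carries its own ICV and pads to 4 bytes.
ESP_ENCR: Dict[str, Tuple[int, int, Optional[int]]] = {
    "NULL": (0, 4, None), "DES-CBC": (8, 8, None), "3DES-CBC": (8, 8, None),
    "AES-CBC-128": (16, 16, None), "AES-CBC-256": (16, 16, None),
    "AES-128-GCM-64": (8, 4, 8), "AES-128-GCM-96": (8, 4, 12), "AES-128-GCM-128": (8, 4, 16),
    "AES-256-GCM-64": (8, 4, 8), "AES-256-GCM-96": (8, 4, 12), "AES-256-GCM-128": (8, 4, 16),
}
ESP_INTEG: Dict[str, int] = {
    "NULL": 0, "HMAC-SHA1-96": 12, "HMAC-MD5-96": 12, "AES-XCBC-96": 12,
    "HMAC-SHA2-256-128": 16, "HMAC-SHA2-384-192": 24, "HMAC-SHA2-512-256": 32,
}


def max_swu_payload(outer_mtu: int, outer_ipv6: bool = False, nat_t: bool = True,
                    encr: str = "AES-CBC-128", integ: str = "HMAC-SHA1-96") -> int:
    """Largest inner IP packet (including its own IP header) that fits in one outer packet
    on SWu without fragmentation, for the given ESP transforms."""
    iv, align, aead_icv = ESP_ENCR[encr]
    icv = aead_icv if aead_icv is not None else ESP_INTEG[integ]
    fixed = (IPV6_HDR if outer_ipv6 else IPV4_HDR) + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv
    room = outer_mtu - fixed
    if room < align + ESP_TRAILER:
        raise ValueError("outer MTU too small for the ESP encapsulation")
    encrypted = room - room % align          # largest aligned encrypted block that fits
    return encrypted - ESP_TRAILER


def s2b_mtu_required(ims_mtu: int, s2b_ipv6: bool = False, gtp_ext: bool = False) -> int:
    """Link MTU the PGW/ePDG need on S2b so an IMS-MTU-sized packet is not fragmented in GTP-U."""
    return ims_mtu + (IPV6_HDR if s2b_ipv6 else IPV4_HDR) + UDP_HDR + GTPU_HDR + (4 if gtp_ext else 0)


def mtu_plan(outer_mtu: int = 1500, outer_ipv6: bool = False, nat_t: bool = True,
             encr: str = "AES-CBC-128", integ: str = "HMAC-SHA1-96",
             s2b_ipv6: bool = False) -> Dict[str, int]:
    """The three numbers the slide asks for: ePDG max payload (= IMS MTU), the S2b MTU the
    PGW needs, and how much headroom a 1500-byte S2b link leaves."""
    ims_mtu = max_swu_payload(outer_mtu, outer_ipv6, nat_t, encr, integ)
    s2b_mtu = s2b_mtu_required(ims_mtu, s2b_ipv6)
    return {"ims_mtu": ims_mtu, "pgw_s2b_mtu": s2b_mtu, "s2b_headroom_at_1500": 1500 - s2b_mtu}


if __name__ == "__main__":
    print(mtu_plan())                                    # IPv4 outer, NAT-T, page's profile
    print(mtu_plan(outer_ipv6=True, nat_t=False, encr="AES-256-GCM-128"))
```

Plan against the most conservative outer MTU the UE population will actually see (home routers on PPPoE present 1492, some mobile hotspots less), not the 1500 of the ePDG's own uplink; an IMS MTU derived from 1500 fragments every full-size RTP or SIP packet on those links.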

Page 28

DRA Caching

[Diagram: UE IPsec client over the un-trusted / un-managed access network → ePDG → S2b → PGW → IMS; the ePDG (SWm) and the PGW (S6b) talk through a DRA to an AAA cluster (AAA 1, AAA 2), and the AAA reaches the HSS over SWx]

• During session initiation the AAA registers its identity as the serving 3GPP AAA in the HSS; the HSS uses this identity for all future communication

• The HSS expects the same 3GPP AAA server to be used for all communication related to the subscriber session

• The DRA should therefore route both SWm and S6b traffic related to the subscriber session to the same AAA

• The DRA should support subscriber-session-level caching so that all traffic of a single user session always goes to the same AAA

Recommended approach

• The DRA should support subscriber session caching or IMSI-based routing
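The two DRA options recommended above, combined in one added example that is not code from the original slides or from any DRA product. It keys affinity on the IMSI extracted from the Diameter User-Name AVP (a bare IMSI, or the root NAI `0<IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org` from 3GPP TS 23.003, prefix `6` for EAP-AKA'), selects the AAA by a hash of the IMSI and caches the choice; the `Dra` and `DiameterRequest` classes and the sample messages are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Root NAI layout from 3GPP TS 23.003 §19.3.2; the leading digit is "0" for EAP-AKA and
# "6" for EAP-AKA'. SWm (ePDG) and S6b (PGW) both carry this NAI, SWx carries the bare IMSI.
_ROOT_NAI = re.compile(r"^[06](\d{6,15})@nai\.epc\.mnc\d{3}\.mcc\d{3}\.3gppnetwork\.org$")


def imsi_from_user_name(user_name: str) -> str:
    """Extract the IMSI from a Diameter User-Name AVP (bare IMSI or root NAI)."""
    if user_name.isdigit():
        return user_name
    m = _ROOT_NAI.match(user_name)
    if not m:
        raise ValueError(f"unsupported User-Name format: {user_name!r}")
    return m.group(1)


@dataclass(frozen=True)
class DiameterRequest:
    application: str        # "SWm" or "S6b"
    session_id: str
    user_name: str


@dataclass
class Dra:
    """DRA with subscriber-session affinity.

    The first request for an IMSI picks an AAA by hashing the IMSI; the choice is cached so
    later SWm and S6b traffic for that subscriber reaches the AAA the HSS registered as the
    serving 3GPP AAA. Because the hash is deterministic, a DRA that lost its cache (restart,
    failover to a peer DRA) lands on the same AAA as long as the peer list is unchanged."""
    aaa_peers: List[str]
    affinity: Dict[str, str] = field(default_factory=dict)   # IMSI -> AAA

    def _by_hash(self, imsi: str) -> str:
        digest = hashlib.sha256(imsi.encode()).digest()
        return self.aaa_peers[int.from_bytes(digest[:8], "big") % len(self.aaa_peers)]

    def route(self, req: DiameterRequest) -> str:
        imsi = imsi_from_user_name(req.user_name)
        aaa = self.affinity.get(imsi)
        if aaa is None or aaa not in self.aaa_peers:     # no cache entry, or the AAA is gone
            aaa = self._by_hash(imsi)
            self.affinity[imsi] = aaa
        return aaa

    def session_terminated(self, user_name: str) -> None:
        """Drop the affinity entry once the subscriber session is gone (STR/STA seen)."""
        self.affinity.pop(imsi_from_user_name(user_name), None)


if __name__ == "__main__":
    nai = "0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org"   # constructed test-PLMN NAI
    dra = Dra(["aaa1", "aaa2", "aaa3"])
    print(dra.route(DiameterRequest("SWm", "epdg1;1;1", nai)),
          dra.route(DiameterRequest("S6b", "pgw1;7;3", nai)))
```

Plain modulo hashing re-maps most subscribers when a peer is added or removed; if AAA membership changes often, a consistent-hashing ring or an explicit IMSI-range table keeps existing sessions pinned while new ones spread over the new peer set.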

Page 29

Timers

ePDG Session Setup Timeout (ePDG service configuration): the maximum time allowed to set up a session

IKE Session Setup Timer (IKEv2 / IPsec timer): ensures that an IKE session set-up completes within a configured period

IKEv2 and IPsec SA Lifetime Timers (IKEv2 / IPsec timer): the ePDG maintains separate SA lifetime timers for IKEv2 SAs and IPsec SAs; they are used to initiate rekeying

DPD Timers (IKEv2 / IPsec timer): when enabled, the ePDG may initiate dead peer detection via IKEv2 keep-alive messages to check the liveness of the WLAN UEs

Watchdog-timeout (Diameter): watchdog messages are exchanged between active peers at a regular interval

Device-watchdog-request max-retries (Diameter): the number of retries before marking the peer as inactive

GTP-C echo-interval (GTP): the duration between sending echo request messages

GTP-C echo-retransmission-timeout (GTP): the maximum time to wait for the response before retransmitting

GTP-C max-retransmissions (GTP): the maximum number of GTP echo request retries before marking the node as inactive

Page 30

Conclusion

• VoWiFi has moved from novelty to necessity and enables new business opportunities for service operators

• VoWiFi virtually turns every Wi-Fi access point into a cellular tower and extends the operator's network instantly

• VoWiFi complements VoLTE by reusing the same IMS investments and provides a better solution for the indoor coverage issue

• VoWiFi will give a competitive advantage over OTT players

Page 31

Q & A

Page 32

Complete Your Online Session Evaluation

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Page 33

Continue Your Education

• Demos in the Cisco campus

• Walk-in self-paced labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

Page 34

Thank you

Page 35