1
Subject: Femto Network Gateway (FNG) Architecture
Date: 15 October 2007
Source: Airvana
Contact: Baw Ch’ng, Minsh Den, Woojune Kim, Doug Knisely, Balaji Raghothaman
{baw, mden, wkim, dknisely, braghothaman}@airvana.com
cdma2000® is the trademark for the technical nomenclature for certain specifications and standards of the Organizational Partners (OPs) of 3GPP2.
Airvana, Inc., grants a free, irrevocable license to 3GPP2 and its Organizational Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner's name any Organizational Partner's standards publication even though it may include all or portions of this contribution; and at the Organizational Partner's sole discretion to permit others to reproduce in whole or in part such contribution or the resulting Organizational Partner's standards publication. Airvana, Inc., is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.

This document has been prepared by Airvana, Inc., to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on Airvana, Inc. Airvana, Inc., specifically reserves the right to amend or modify the material contained herein and to any intellectual property of Airvana, Inc., other than provided in the copyright statement above.
2
Focus of Contribution (1)
[Figure: femtocells (home base stations) connect over cable, DSL, or other broadband Internet service, across the public Internet, to the Femto Network Gateway (FNG) at the edge of the operator’s core network (“The Phone Network”). Capabilities listed beside each element:]
Femtocells (Home Base Stations)
• Radio Interface to mobile devices
• Interface to the broadband Internet
• Management capabilities
• Security against tampering
• Security for data transport
Femto Network Gateway (FNG)
• Firewall/security from public Internet
• Security data transport to femtos
• Scalability to support large numbers of femtos
• Scalability toward Core Network
• Topology hiding
Operator’s Core Network
• Existing circuit or IP-based telephony services
• Supplementary Services (e.g., SMS)
• Emergency Services, etc.
• Packet Data Services
3
Focus of Contribution (2)
• Packet Data Service architectures also fall into two broad categories:
  – Legacy Packet Data Service architecture
    • Legacy IOSs (e.g., A10/A11 from the femtocell to the legacy PDSN)
  – All-IP Packet Data Service architecture
    • Most PDS Termination (PDST) functions performed in the femtocell
    • FNG follows a PDIF-like architecture and interfaces to the Packet Data Core Network
4
Outline
• Femto Network Gateway (FNG) Architecture
• Tunnel Structure
  – Tunnels for 1x Voice
• Femto/FNG Packet Data Services Functional Split
• FNG Packet Data Services
  – Simple IP, Mobile IP, Proxy-MIP
• Authentication
  – Femto device, A12, and user authentications
• QoS
• Accounting
• A-Interface Proxy Functions
• Detailed Call Flows
5
Conceptual Deployment Model
[Figure: three zones. Access Network (owned by the same operator as the wireless service provider, or broadband ISP networks that have direct peering with the wireless operator’s network); Wireless Operator’s Core Network (controlled by the wireless operator, assumed trusted and secured), containing IMS, 1x MSC/xLR, AAA, MIP-HA, AGW, databases, etc.; and the Internet (not controlled by the wireless operator, assumed untrusted and unsecured). The core network is the trusted network, the Internet the untrusted network, and a very large number of femto cells sit on the untrusted side. Design concerns called out: Security, Scalability, Efficiency, NAT Traversal, and the very large number of femtocells.]
6
Femto Network Gateway Architecture (1)
• What is the Femto Network Gateway (FNG) Architecture?
  – PDIF-like architecture that provides highly scalable
    • Secure access to core network services from untrusted networks
    • Mobility support
    • QoS support
    • Accounting support
    • NAT traversal support
  – … and addresses femto network specific scalability issues
    • Concentrator or Proxy functions to allow a large number of femtocells to inter-operate with legacy macro and core network elements not originally designed to interface with a large number of other network elements.
      – Example: A13 Proxy
        » FNG proxies A13 interfaces from femtocells so a macro RNC needs to deal with only one A13 interface proxy instead of one million A13 interfaces from one million femtocells
Re-use existing PDIF standards and protocols
Re-use existing A13, A16-A19, A21 standards and protocols
7
Femto Network Gateway Architecture (2)
[Figure: in each home, an EV-DO femto (serving a VoIP-capable EV-DO device) or a 1xRTT femto (serving a legacy 1x device) sits behind a home router / residential gateway (NAT/firewall). IPSec tunnels cross the IP network (assumed unsecure, untrusted) to the Femto Network Gateway (FNG), which fronts the operator’s core network (trusted network).]
• PDIF-like secure access architecture
• IKEv2 & IPSec provide authentication, security, NAT traversal support
8
Common Aspects of Femto Networks (Technology Independent)
[Figure: the femtocell reaches the Femto Network Gateway across the public Internet through secure IPSec tunnels that carry signaling, voice, and packet data. Behind the FNG, in the operator’s core network, circuit traffic goes to the legacy circuit network and packet data traffic to the packet data services.]
9
Tunnel Structure (1)
[Figure: tunnels between the femtocell and the FNG.]
• Base-Tunnel: SIP, Management, Signaling (A13, A16-A19, A21, etc.)
• 1xVoice-Tunnel: EVRC/RTP for user 1, user 2, … user N; on the air side each stream is EVRC over a 1x-TCH to its AT
• Per-user Data-Tunnel (1x-Data or EV-DO): PPP carrying Mobile IP or Simple IP, one tunnel per AT
10
Tunnel Structure (2)
• “Base-Tunnel”
  – For signaling
• “1xVoice-Tunnel”
  – For 1x voice transported over RTP
• “Data-Tunnel”
  – For user packet data
  – Per-user tunnels consistent with PDIF model
[Figure: the tunnel-structure diagram of the previous slide (Base-Tunnel, 1xVoice-Tunnel, per-user Data-Tunnel between femtocell and FNG), repeated.]
Color Code (to be used in all future call flows):
* RED = Base-Tunnel (per Femto-cell permanent tunnel)
* BLUE = 1xVoice-Tunnel (per Femto-cell permanent tunnel)
* GREEN = Data-Tunnel (per AT, tunnel life time same as corresponding PPP session)
11
Tunnels for 1x Voice
• “Base-Tunnel”
  – Used for SIP signaling
  – Tunnel Inner Address (TIA) is SIP UA’s address
• “1xVoice-Tunnel”
  – Used for RTP transported 1x voice traffic
  – Tunnel Inner Address (TIA) is RTP media termination point’s address
  – Separate streams using different port numbers
• Motivation to use separate tunnels for signaling and media traffic
  – Support differentiated QoS without running into IPSec “anti-replay window” issue
12
“Base” and “1xVoice” Tunnel Setup
• PDIF-like IPSec tunnel setup
• Separate IKE sessions for “Base” and “1xVoice” tunnels
– Future optimization: setting up “1xVoice” tunnel as child of “Base” tunnel
[Call flow between Femtocell, Home Router (NAT + DHCP), FNG and AAA; IKE messages run between the femtocell and the FNG, RADIUS/DIAMETER messages between the FNG and the AAA. Steps as labeled in the figure:]
1. IKE_SA_INIT exchange
2. IKE_AUTH CFG_REQUEST (INTERNAL_IP4_ADDRESS)
3. RADIUS Access-Request or DIAMETER EAP-Request
4a. RADIUS Access-Challenge or DIAMETER EAP-Answer
4b. IKE_AUTH EAP message
5a. IKE_AUTH EAP message
5b. RADIUS Access-Request or DIAMETER EAP-Request
6. RADIUS Access-Accept or DIAMETER EAP-Answer
7. IKE_AUTH EAP Success
8. IKE_AUTH AUTH
TIA allocation
9. IKE_AUTH CFG_REPLY (TIA), AUTH – IPSec tunnel established
Re-use existing PDIF tunnel setup call flow
13
All-IP PDST/FNG-Based Femto Network Architecture for 1x and DO Packet Services
[Figure: EV-DO femtos (VoIP-capable EV-DO devices) and 1xRTT femtos (legacy 1x devices) reach the Femto Network Gateway (FNG) through IPSec tunnels over the Internet, carrying IP in IPSec. The FNG connects to the IP core network, to the HA ((Proxy-)MIP), to the SIP/IMS core (SIP) and to an MGW (RTP).]
Femto (PDST) functions:
• Terminate 1x Packet Data Service Option (SO33)
• Provides NULL 1x PCF function
• Provide EV-DO Packet Data Service termination
• Terminate PPP
• ROHC (for DO VoIP)
• Authentication Agent for PDS-AAA
• Accounting Agent
• AN-AAA authentication agent for EV-DO (AN-AAA)
• Exchange IP packets within IPSec with FNG
FNG functions:
• Proxy (mux/demux) functions for scalability:
  • Access Authentication (AN-AAA) – IKE to Radius Proxy
  • A13/A16 for EV-DO handoff
  • A21 (optional; required only if A21-based handoff is chosen)
  • AAA for accounting (more details to follow…)
• IPSec Terminations
14
Femto Network Gateway Functions (1)
• Security
  – Security for Core Network (firewall function)
  – Security for User Media (encrypted tunnel function, i.e., IPSec)
• Authentication
  – Facilitate Femtocell Device Authentication
  – Facilitate EV-DO Terminal Authentication
  – Facilitate Packet Data User Authentication
• Mobility
  – Packet Data IP Layer (L3) Mobility
    • MIP-FA (v4) and Attendant (v6)
    • Simple IP (v4 & v6)
    • Proxy-MIP (v4 & v6) support
  – Packet Data Link Layer (L2) Mobility
    • “A-Interface Proxy” functions for A13, A16(-A19), A21
15
Femto Gateway Functions (2)
• Billing and Accounting
  – IP level accounting performed by FNG
  – Aggregates air link accounting information from femtocells
  – Generates accounting records for AAA
• QoS
  – IP level traffic profile transfer and enforcement
16
Femtocell and FNG Functional Split
Functionality: Femtocell and FNG Division of Responsibility
PPP and ROHC: PPP terminated by femtocell. ROHC performed by femtocell.
IPSec: IPSec tunnels terminated by femtocell and FNG.
Mobility: MIP-FA and PMIP mobility agent functionalities in FNG.
Authentication: Mutual authentication between femtocell and FNG. A12 Terminal Authentication via IKE/EAP relay through FNG. PPP-CHAP/PAP user authentication via IKE/EAP relay through FNG. Mobile IP user authentication done as part of MIP Registration process through MIP-FA in FNG.
Accounting: Air link accounting done by femtocell, which relays accounting records to FNG. FNG does IP level accounting and provides AAA with consolidated accounting records.
QoS policy enforcement: Airlink QoS handled by femtocell. IP level reverse link QoS handled by femtocell. IP level forward link QoS handled by FNG.
IP routing: When reverse tunneled (P)MIP is required, user traffic is always routed through PDIF.
17
FNG Packet Data – Simple IP
[Figure: protocol stacks for Simple IP. Mobile Station – Femto: Simple IP / PPP; Femto – FNG: Simple IP / IPSec; FNG – Internet: Simple IP. Mobile station (AT): Apps, IP, PPP, RLP, MAC, PHY. Femtocell: PPP, RLP, MAC, PHY toward the air link, an IP relay, and IP, UDP, ESP, L2 toward the FNG. FNG: IP, UDP, ESP, L2 toward the femtocell, an IP relay, and IP over L2 toward the correspondent node (CN). CN: Apps, IP, L2.]
18
FNG Packet Data – Client Mobile IP
[Figure: protocol stacks for client Mobile IP. Mobile Station – Femto: Mobile IP / PPP; Femto – FNG (MIP-FA): Mobile IP / IPSec; FNG – HA: Mobile IP. Mobile station (AT): Apps, IP, PPP, RLP, MAC, PHY. Femtocell: PPP, RLP, MAC, PHY toward the air link, an IP relay, and IP, UDP, ESP, L2 toward the FNG. FNG: IP, UDP, ESP, L2 toward the femtocell, an IP relay, and IP (tunnel) over L2 toward the HA. HA: IP (tunnel) over L2 toward the FNG, an IP relay, and IP over L2 toward the CN (Apps, IP).]
19
FNG Packet Data – Proxy Mobile IP
[Figure: protocol stacks for Proxy Mobile IP. Mobile Station – Femto: Simple IP / PPP; Femto – FNG (PMIP): Simple IP / IPSec; FNG – HA: Proxy-MIP. Mobile station (AT): Apps, IP, PPP, RLP, MAC, PHY. Femtocell: PPP, RLP, MAC, PHY toward the air link, an IP relay, and IP, UDP, ESP, L2 toward the FNG. FNG: IP, UDP, ESP, L2 toward the femtocell, an IP relay, and IP (tunnel) over L2 toward the HA. HA: IP (tunnel) over L2 toward the FNG, an IP relay, and IP over L2 toward the CN (Apps, IP).]
20
Authentication (1)
• Have to account for
  – Femto FNG mutual authentication
  – A12 Terminal Authentication with AN-AAA (omitted for 1x)
  – Packet data user authentication
• Use IKE Multiple-Authentication
  – Use one IKE session to perform multiple authentications
    • Femto FNG mutual authentication
    • A12 Terminal Authentication with AN-AAA (omitted for 1x)
    • Packet data user authentication
  – References:
    • X50-20070212-016 (WLAN Enhancement) and RFC 4739
    • Already approved for PDIF
21
Authentication (2)
[Figure: four authentication procedures and the protocol used on each leg.]
• Femto-FNG Mutual Authentication (uses Femto’s credential)
  – Femto – FNG: EAP / IKEv2, using the femto cell’s credential
  – FNG – AAA: RADIUS or DIAMETER
• A12 Terminal Authentication (uses AT’s credential)
  – AT – Femto: PPP-CHAP, using the AT’s credential
  – Femto – FNG: IKEv2/EAP-MD5, relaying the AT’s credential
  – FNG – AAA: RADIUS or DIAMETER
• Simple IP & Proxy-MIP Packet Data User Authentication (uses AT’s credential)
  – AT – Femto: PPP-CHAP/PAP, using the AT’s credential
  – Femto – FNG: IKEv2/EAP-MD5/GTC, relaying the AT’s credential
  – FNG – AAA: RADIUS or DIAMETER
• Mobile IP Packet Data User Authentication (uses AT’s credential)
  – AT – Femto – FNG: Mobile IP Registration (uses the AT’s credential; MN-NAI, MN-FA, MN-AAA extensions)
  – FNG – AAA: RADIUS or DIAMETER
22
Authentication – High Level Call Flow: Simple IP / Proxy-MIP
[Call flow between AT, Femto, Home Router (NAT + DHCP), FNG, HA, Femto-AAA, AN-AAA and AAA; phases: Femto-FNG Authentication, A12 Terminal Authentication, User Authentication (Simple IP or Proxy-MIP). Steps as labeled in the figure:]
0. Data Call or Session setup
1a. IKEv2/EAP-AKA or EAP-TLS (Femto-FNG authentication)
1b. RADIUS or DIAMETER (to Femto-AAA)
IKE_AUTH (ANOTHER_AUTH_FOLLOWS)
2. PPP-LCP
3a. PPP-CHAP
3b. IKEv2/EAP-MD5
3c. RADIUS (to AN-AAA)
IKE_AUTH (ANOTHER_AUTH_FOLLOWS)
4. PPP-LCP
5a. PPP-CHAP/PAP
5b. IKEv2/EAP-MD5 (for CHAP), IKEv2/EAP-GTC (for PAP)
5c. RADIUS (to AAA)
Simple IP / PMIP decision
7. Proxy-Mobile IP Registration - RRQ (CoA=FNG)
8b. Proxy-Mobile IP Registration - RRP (HoA, DNS addresses, ...)
9. IKEv2/EAP Success (CFG_REPLY assigns HoA as TIA)
10. PPP-IPCP – Femto gives TIA to AT as link address and gives DNS server addresses from IKEv2 to AT during PPP-IPCP
11a, 11b, 11c. User Traffic Flowing
23
Authentication – High Level Call Flow: Mobile IP (MIP-FA Mode)
[Call flow between AT, Femto, Home Router (NAT + DHCP), FNG, HA, Femto-AAA, AN-AAA and AAA; phases: Femto-FNG Authentication, A12 Terminal Authentication, User Authentication (Mobile IP). Steps as labeled in the figure, including its repeated step numbers:]
0. Data Call or Session setup
1a. IKEv2/EAP-AKA or EAP-TLS
1b. RADIUS or DIAMETER (to Femto-AAA)
IKE_AUTH (ANOTHER_AUTH_FOLLOWS)
2. PPP-LCP
3a. PPP-CHAP
3b. IKEv2/EAP-MD5
3c. RADIUS (to AN-AAA)
IKE_AUTH (CFG_REPLY assigns temp TIA)
4. PPP-LCP
5a. PPP-IPCP
5a. MIP Registration
5c. RADIUS (to AAA)
5c. MIP-RRQ/RRP
MIP-RRQ ([HA], HoA, DNS addresses, etc.)
MIP-RRP
IKE CREATE_CHILD_SA (TS=HoA, …)
IKE INFORMATIONAL Delete (old SA)
11b. Mobile IP Registration (Agent Solicitation, Agent Advertisement, MIP-RRQ)
11a, 11b, 11c. User Traffic Flowing
24
All-IP PDST/FNG-Based Femto Network QoS, Policy, and Accounting Architecture for Packet Services
[Figure: EV-DO femtos (VoIP-capable EV-DO devices) and 1xRTT femtos (legacy 1x devices) connect through IPSec tunnel(s) over the Internet to the Femto Network Gateway (FNG) in front of the IP core network and the HA. Airlink accounting (Radius) flows from the femto to the AAA, IP usage accounting (Radius) flows from the FNG to the AAA, and policy (Ty) flows between the PCRF and the FNG.]
25
Packet Data QoS Support
• QoS:
  – During authentication, FNG receives QoS Profile from AAA (common for PDIF)
  – FNG shares the QoS Profile with the femtocell (required whenever the RNC function is in the femtocell)
  – EV-DO multi-flow QoS is implemented in the femtocell
    • Terminates RSVP-like protocol; passes packet filters to FNG for enforcement on forward traffic and accounting purposes
    • Femtocell implements EV-DO over-the-air QoS as part of its RNC/air interface functions
26
Packet Data QoS Support
• Air Link QoS
  – Enforced in femtocell
  – Have dependency on QoS Profile
    • Today, user’s QoS Profile obtained from AAA
  – FNG needs to transfer QoS Profile to femtocell
    • QoS Profile to be transferred during user authentication
    • In the future, expects to obtain QoS profile through Ty interface from PCRF
• Backhaul/IP Level QoS
  – Enforced by both femtocell and FNG
    • Femtocell enforces QoS on the up link
    • FNG enforces QoS on the down link
  – Both femtocell and FNG must be aware of and enforce user’s QoS Profile
27
QoS Support and IPSec Tunnels
• In theory
  – Need one IPSec tunnel per user per QoS class to support differentiated QoS and to avoid IPSec “anti-replay attack window” issue
• In practice
  – Expect to maintain only two QoS classes on the backhaul
    • One for “delay sensitive” traffic (e.g., for EV-DO VoIP)
    • One for “best effort” traffic (e.g., everything else)
  – Use child tunnels (child SAs) to accommodate QoS-differentiated tunnels
• QoS Management over Untrusted Backhaul:
  – Femtocell establishes IPSec child tunnels as needed for differentiated QoS
  – Femtocell performs packet filtering and mapping to IPSec tunnels for reverse traffic
  – FNG performs packet filtering and mapping to IPSec tunnels for forward traffic
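The anti-replay window problem that the slides “Tunnels for 1x Voice” and “QoS Support and IPSec Tunnels” cite as the reason for one child SA per QoS class can be reproduced in a few lines. The following is an added example, not code from Airvana or 3GPP2: an RFC 4303-style receiver window, a two-class classifier, and a strict-priority backhaul scheduler that sends every queued delay-sensitive packet before any best-effort packet. The window size of 32, the RTP port range used by the classifier and all traffic are constructed assumptions.

```python
"""Added example (not Airvana's or 3GPP2's code): why the FNG proposal wants
one IPsec child SA per backhaul QoS class.

Assumptions: an RFC 4303-style receiver window of 32 sequence numbers, a
two-class classifier keyed on a constructed RTP port range, and a strict-
priority backhaul scheduler. All traffic below is constructed.
"""
from dataclasses import dataclass

WINDOW_SIZE = 32  # assumption: RFC 4303 requires a window of at least 32


@dataclass
class Packet:
    flow: str        # constructed flow label
    udp_dport: int   # constructed destination UDP port of the inner packet
    seq: int = 0     # ESP sequence number assigned by the sending SA
    sa: str = ""     # name of the child SA that carried the packet


class AntiReplayWindow:
    """Receiver-side sliding window in the style of RFC 4303 Appendix A."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set <=> sequence number (top - i) was received

    def check(self, seq: int) -> bool:
        """Accept and record seq if it is fresh and not older than the window."""
        if seq <= 0:
            return False                     # ESP sequence numbers start at 1
        if seq > self.top:                   # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                     # older than the window: dropped
        if (self.bitmap >> diff) & 1:
            return False                     # already received: replay
        self.bitmap |= 1 << diff
        return True


def classify(pkt: Packet) -> str:
    """Two backhaul classes only, as the slide expects in practice.
    Assumption: RTP media uses UDP ports 16384-32767 (a convention, not from the page)."""
    return "delay_sensitive" if 16384 <= pkt.udp_dport <= 32767 else "best_effort"


class EspSender:
    """One outbound SA: hands out strictly increasing sequence numbers."""

    def __init__(self) -> None:
        self.next_seq = 1

    def send(self, pkt: Packet, sa_name: str) -> Packet:
        pkt.seq, pkt.sa = self.next_seq, sa_name
        self.next_seq += 1
        return pkt


def strict_priority_order(packets):
    """Backhaul model: a VoIP burst is transmitted before queued best-effort traffic."""
    ds = [p for p in packets if classify(p) == "delay_sensitive"]
    be = [p for p in packets if classify(p) == "best_effort"]
    return ds + be


def run_backhaul(packets, per_class_sa: bool) -> dict:
    """Encrypt in arrival order, deliver in scheduler order, count receiver verdicts."""
    senders, receivers = {}, {}
    for p in packets:
        sa = classify(p) if per_class_sa else "single"
        senders.setdefault(sa, EspSender()).send(p, sa)
    verdict = {"accepted": 0, "dropped": 0}
    for p in strict_priority_order(packets):
        win = receivers.setdefault(p.sa, AntiReplayWindow())
        verdict["accepted" if win.check(p.seq) else "dropped"] += 1
    return verdict


def constructed_burst(n_voice: int = 40):
    """One best-effort packet queued just before a burst of n_voice RTP packets."""
    return [Packet("web-user2", 8080)] + [Packet("rtp-user1", 20000) for _ in range(n_voice)]


if __name__ == "__main__":
    print("single SA   :", run_backhaul(constructed_burst(), per_class_sa=False))
    print("SA per class:", run_backhaul(constructed_burst(), per_class_sa=True))
```

With a single SA the best-effort packet takes sequence number 1 but is delivered after 40 voice packets, so it falls outside the 32-entry window and the FNG discards it as if it were a replay; with one child SA per class each SA sees its own sequence numbers in order and nothing is lost. Shrinking the burst below the window size (for example `constructed_burst(10)`) shows the single-SA case surviving, which is why the slide frames the problem as one of QoS differentiation rather than of IPsec itself.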
28
Packet Data Accounting Support
• Prepaid, Rescinding of Services, etc., Performed by Radius Interface between AAA and FNG
  – Re-use from PDIF; may need to supplement some features that have not been specified for PDIF yet
• FNG has AAA interface for basic usage accounting
  – Re-use from PDIF
• Air-link accounting comes from AAA client in femtocell
  – Standard Radius interface
  – FNG provides proxy mux/demux function for scalability
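The accounting split described on “Femto Gateway Functions (2)”, “Femtocell and FNG Functional Split” and this slide (air-link records from the femtocell, IP-level counts at the FNG, one consolidated record toward the AAA) is worth seeing as data handling, because the femtocell reports from the untrusted side of the tunnel. The following is an added example, not code from Airvana or 3GPP2: it joins the two sources by session, emits RFC 2866 attribute names, and flags sessions whose femto-reported octets fall short of what the FNG itself counted on the tunnel. Record shapes, the `X-Femto-Flags` attribute, the sample values and the 10% tolerance are all constructed assumptions.

```python
"""Added example (not Airvana's or 3GPP2's code): FNG-side accounting
consolidation. The femtocell's AAA client reports air-link counters, the FNG
keeps IP-level counters per per-AT data tunnel, and the FNG emits one
consolidated record per session, flagging femto reports that undercut the
FNG's own tunnel counts. Record shapes, attribute names, sample values and
the tolerance are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOLERANCE = 0.10  # assumption: air-link octets may undercut tunnel octets by at most this fraction


@dataclass
class AirlinkRecord:             # constructed: what a femtocell's RADIUS client reports
    session_id: str
    nai: str
    femto_id: str
    fwd_octets: int              # forward link (toward the AT)
    rev_octets: int              # reverse link (from the AT)
    session_time_s: int


@dataclass
class TunnelCounters:            # constructed: what the FNG counted on the per-AT data tunnel
    session_id: str
    fwd_octets: int
    rev_octets: int


@dataclass
class ConsolidatedRecord:
    session_id: str
    nai: Optional[str]
    femto_id: Optional[str]
    airlink: Optional[AirlinkRecord]
    tunnel: Optional[TunnelCounters]
    flags: List[str] = field(default_factory=list)

    def radius_attributes(self) -> Dict[str, object]:
        """RFC 2866 attribute names; Acct-Input-Octets is what the user sent (reverse link)."""
        src = self.tunnel or self.airlink     # the FNG's own count is used when present
        return {
            "Acct-Session-Id": self.session_id,
            "User-Name": self.nai,
            "Acct-Input-Octets": src.rev_octets if src else 0,
            "Acct-Output-Octets": src.fwd_octets if src else 0,
            "Acct-Session-Time": self.airlink.session_time_s if self.airlink else 0,
            "X-Femto-Flags": ",".join(self.flags),   # constructed vendor-style attribute
        }


def undercounted(reported: int, measured: int) -> bool:
    return reported < measured * (1 - TOLERANCE)


def consolidate(airlink: List[AirlinkRecord], tunnels: List[TunnelCounters]) -> List[ConsolidatedRecord]:
    """Join by session id; every session seen by either side yields one record."""
    by_session = {t.session_id: t for t in tunnels}
    out = []
    for a in airlink:
        t = by_session.pop(a.session_id, None)
        rec = ConsolidatedRecord(a.session_id, a.nai, a.femto_id, a, t)
        if t is None:
            rec.flags.append("no-matching-tunnel")       # femto reports a session the FNG never built
        elif undercounted(a.fwd_octets, t.fwd_octets) or undercounted(a.rev_octets, t.rev_octets):
            rec.flags.append("airlink-undercount")       # femto reports less than crossed the tunnel
        out.append(rec)
    for t in by_session.values():                        # tunnels the femto never accounted for
        out.append(ConsolidatedRecord(t.session_id, None, None, None, t, ["no-airlink-record"]))
    return out


CONSTRUCTED_AIRLINK = [
    AirlinkRecord("s1", "user1@example.net", "femto-0001", 1_000_000, 200_000, 600),
    AirlinkRecord("s2", "user2@example.net", "femto-0002", 100_000, 5_000, 600),
    AirlinkRecord("s3", "user3@example.net", "femto-0003", 50_000, 4_000, 60),
]
CONSTRUCTED_TUNNELS = [
    TunnelCounters("s1", 980_000, 190_000),
    TunnelCounters("s2", 900_000, 40_000),
    TunnelCounters("s4", 10_000, 1_000),
]


def flagged_sessions() -> Dict[str, List[str]]:
    """Sessions the FNG would hand to an operator's fraud or anomaly queue."""
    return {r.session_id: r.flags for r in consolidate(CONSTRUCTED_AIRLINK, CONSTRUCTED_TUNNELS) if r.flags}


if __name__ == "__main__":
    for rec in consolidate(CONSTRUCTED_AIRLINK, CONSTRUCTED_TUNNELS):
        print(rec.radius_attributes())
```

The consolidated record carries the FNG's own octet counts where a tunnel exists, so a femtocell cannot lower a user's bill by under-reporting; the air-link record still contributes session time and the femto identity, which the FNG cannot observe itself.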
29
Secure A-Interface Proxy Functions
• Certain A-interfaces are terminated by macro RAN elements that are not meant to scale to a very large number of peers
  – E.g., “hundreds” instead of “millions” of A-interface peers
• These macro RAN elements are deployed in operator’s secure, private networks
  – Should not allow elements coming from the public Internet to interface with macro RAN elements directly
• Use mux/demux “proxies” to solve scalability and security issues for femto to inter-operate with macro RAN elements using (proxied) A-interfaces
30
Secure A13 Proxy Architecture
[Figure: many femto PBSs on the untrusted network (Internet) each run an A13 interface to the FNG; inside the FNG a security gateway fronts an A13 proxy, which presents a single A13 interface to each macro EV-DO RNC on the trusted network.]
Appear to Macro EV-DO RNC as one EV-DO Subnet
• A16(-A19) treatment is similar
31
Secure A21 Proxy Architecture
[Figure: many femto PBSs on the untrusted network (Internet) each run an A21 interface to the FNG; inside the FNG a security gateway function fronts an A21 proxy, which presents a single A21 interface to each macro BSC on the trusted network.]
Appear to Macro BSC as one A21 interface
32
FNG Architecture Recap
[Figure: FNG Architecture Recap. “Visited Network”: EV-DO RAN (RNC, BSC/RNC), PDSN, MSC, BSC, the femto cell (SIP UA, PDST), and the FNG, which contains a Security Gateway, A13/A16-A19 proxies, MIP-FA/PMIP/Attendant and an A21 proxy. “Home Network”: Packet Data Services + SIP/IMS Core Network (MMD) with Home Agent, CSCF, HSS, AAA, IMS-AS/SMS GW, HLR/AuC, SGW/MGCF, MGW, PSTN MGW and the PSTN. Interfaces shown: A13, A16-A19, A21, (P)MIP, SIP, ISC, Cx, Sh, ISUP/PCM, ANSI-41, and VLR/IMS-AS over ISC.]
33
Thank you!
Specific details on proposed femto network architecture, Stage 2 description, and high-level call flows can be found
in Airvana contributions to TSG-A and TSG-X.
A40-20070723-006_Airvana_Femto Overview Architecture and Stage 2 Aspects R2 0 Final.pdf
X10-20070723-012_Airvana_Femto Overview Architecture and Stage 2 Aspects R2 0 Final.pdf
X30-20070723-043 Airvana_Femto Overview Architecture and Stage 2 Aspects R2 0 Final.pdf
X50-20070723-030 Airvana_Femto Overview Architecture and Stage 2 Aspects R2 0 Final.pdf
34
Backup
35
Detailed Call Flows – Tunnel Setup (1)
• Femto-FNG mutual authentication
• A12 Terminal Authentication (optional, omitted for 1x)
[Call flow between AT, Femtocell, Home Router (NAT + DHCP), FNG, HA, Femto-AAA and AN-AAA; phases: Femto-FNG Authentication, A12 Terminal Authentication, User Authentication & Per-AT Tunnel Setup. Steps as labeled in the figure:]
0. Data Call or Session setup
1. IKE_SA_INIT.req
2. IKE_SA_INIT.rsp (MULTIPLE_AUTH_SUPPORTED)
3a. IKEv2/EAP-AKA (mutual auth between femtocell and FNG)
3b. RADIUS or DIAMETER (to Femto-AAA)
4. PPP-LCP
5. IKE_AUTH.req (AUTH, N(ANOTHER_AUTH_FOLLOWS))
6. IKE_AUTH.rsp
7. IKE_AUTH.req
8. IKE_AUTH.rsp (EAP.req(MD5-Challenge))
9. PPP-CHAP.challenge
10. PPP-CHAP (NAI, challenge-rsp)
11. IKE_AUTH.req (EAP.rsp(MD5-Challenge)) – NAI in NAME field of MD5-Challenge; CHAP-ID from EAP header
12. Access-Request (NAI, CHAP-rsp, CHAP-ID, challenge) (to AN-AAA)
13. ACCESS.Accept
14. IKE_AUTH.rsp (EAP-Success)
15. PPP-CHAP.success
16. PPP-LCP (continued on the next slide)
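The sequencing on “Authentication (1)” and in this tunnel-setup flow has one gateway-side invariant worth making explicit: the FNG must not hand out a Tunnel Inner Address until every authentication round it requires (femto, A12 where applicable, packet data user) has succeeded, and a peer that stops announcing ANOTHER_AUTH_FOLLOWS early must be refused rather than given a tunnel. The following is an added example, not code from Airvana or 3GPP2, modelling the FNG as an RFC 4739 responder that relays each EAP round to an AAA in the IKE-to-RADIUS proxy role the slides describe. The message dictionaries, the `REQUIRED_ROUNDS` table, the AAA lookup, the identities and the address pool are all constructed; real IKEv2 encoding and EAP method internals are out of scope.

```python
"""Added example (not Airvana's or 3GPP2's code): an FNG-side model of the
IKEv2 multiple-authentication sequence (RFC 4739). The responder relays each
EAP round to an AAA, refuses a peer that stops announcing ANOTHER_AUTH_FOLLOWS
before every required round has run, and only then answers with a CFG_REPLY
carrying a Tunnel Inner Address. Message shapes, the AAA database and the
address pool are constructed for this example."""
from typing import Callable, Dict, List

# Rounds the slides require, per access technology (A12 is omitted for 1x).
REQUIRED_ROUNDS = {"ev-do": ["femto", "a12", "user"], "1x": ["femto", "user"]}

# Constructed AAA view: which (round, identity) pair holds which secret.
CONSTRUCTED_AAA_DB = {
    ("femto", "femto-0001@example.net"): "aka-key-A",
    ("a12", "at-1234@example.net"): "md5-secret-B",
    ("user", "user1@example.net"): "chap-secret-C",
}


def constructed_aaa(round_name: str, identity: str, credential: str) -> bool:
    """Stand-in for the RADIUS/DIAMETER Access-Request the FNG relays per round."""
    return CONSTRUCTED_AAA_DB.get((round_name, identity)) == credential


class FngMultiAuthResponder:
    def __init__(self, access_type: str = "ev-do",
                 aaa: Callable[[str, str, str], bool] = constructed_aaa,
                 tia_pool=("10.10.0.2", "10.10.0.3")):          # constructed TIA pool
        self.rounds = list(REQUIRED_ROUNDS[access_type])
        self.aaa = aaa
        self.pool = list(tia_pool)
        self.completed: List[str] = []
        self.sa_init_done = False
        self.closed = False
        self.tia = None

    def _reject(self, reason: str) -> Dict:
        self.closed = True                                     # IKE SA is torn down; no TIA issued
        return {"type": "IKE_AUTH", "notify": ["AUTHENTICATION_FAILED"], "reason": reason}

    def handle(self, msg: Dict) -> Dict:
        """Consume one initiator message and return the responder's reply."""
        if self.closed:
            return {"type": "ERROR", "reason": "ike-sa-closed"}
        if msg["type"] == "IKE_SA_INIT":
            self.sa_init_done = True
            return {"type": "IKE_SA_INIT", "notify": ["MULTIPLE_AUTH_SUPPORTED"]}
        if msg["type"] != "IKE_AUTH" or not self.sa_init_done:
            return self._reject("unexpected-message")
        if len(self.completed) == len(self.rounds):
            return self._reject("no-further-auth-expected")
        expected = self.rounds[len(self.completed)]
        if msg.get("round") != expected:
            return self._reject(f"expected-{expected}-round")
        if not self.aaa(expected, msg.get("identity", ""), msg.get("credential", "")):
            return self._reject(f"{expected}-auth-failed")
        self.completed.append(expected)
        another = "ANOTHER_AUTH_FOLLOWS" in msg.get("notify", [])
        remaining = len(self.rounds) - len(self.completed)
        if remaining and not another:
            return self._reject("peer-ended-auth-early")       # e.g. femto auth alone buys nothing
        if not remaining and another:
            return self._reject("unexpected-extra-auth")
        if remaining:
            return {"type": "IKE_AUTH", "eap": "EAP-Success", "round": expected}
        self.tia = self.pool.pop(0)                            # all rounds done: allocate the TIA
        return {"type": "IKE_AUTH", "eap": "EAP-Success", "round": expected,
                "cfg_reply": {"INTERNAL_IP4_ADDRESS": self.tia}}


def ike_auth(round_name: str, identity: str, credential: str, more: bool = True) -> Dict:
    """Constructed initiator IKE_AUTH message for one authentication round."""
    notify = ["ANOTHER_AUTH_FOLLOWS"] if more else []
    return {"type": "IKE_AUTH", "round": round_name, "identity": identity,
            "credential": credential, "notify": notify}


def drive(responder: FngMultiAuthResponder, messages: List[Dict]) -> List[Dict]:
    return [responder.handle(m) for m in messages]


HAPPY_EVDO = [
    {"type": "IKE_SA_INIT"},
    ike_auth("femto", "femto-0001@example.net", "aka-key-A"),
    ike_auth("a12", "at-1234@example.net", "md5-secret-B"),
    ike_auth("user", "user1@example.net", "chap-secret-C", more=False),
]
EARLY_STOP = [{"type": "IKE_SA_INIT"},
              ike_auth("femto", "femto-0001@example.net", "aka-key-A", more=False)]

if __name__ == "__main__":
    for name, msgs in (("happy", HAPPY_EVDO), ("early-stop", EARLY_STOP)):
        r = FngMultiAuthResponder()
        print(name, drive(r, msgs)[-1], "tia =", r.tia)
```

Constructing the responder with `access_type="1x"` drops the A12 round, matching the “omitted for 1x” note on the slides, while keeping the rule that the user round must still run before any address is configured.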
36
Detailed Call Flow – Tunnel Setup (2)
• Simple IP user authentication & PMIP (continued from previous slide)
[Call flow between AT, Femto, FNG, HA and AAA; phase: User Authentication & Per-AT Tunnel Setup. Steps as labeled in the figure, including its repeated step number:]
16. PPP-LCP
17. IKE_AUTH.req (AUTH, N(ANOTHER_AUTH_FOLLOWS))
18. IKE_AUTH.rsp
19. IKE_AUTH.req
20. IKE_AUTH.rsp (EAP.req(MD5-Challenge))
21. PPP-CHAP.challenge
22. PPP-CHAP (NAI, challenge-rsp)
22. Accounting-Start
23. IKE_AUTH.req (EAP.rsp(MD5-Challenge)) – NAI in NAME field of MD5-Challenge; CHAP-ID from EAP header
24.  Access-Request (NAI, CHAP-rsp, CHAP-ID, challenge) – Simple IP/PMIP and AAA selection based on locally configured profile keyed by NAI
25. ACCESS.Accept (QoS Profile, [HA])
26. IKE INFORMATIONAL (Notification(QoSProfile))
27. IKE INFORMATIONAL
28. IKE_AUTH.rsp (EAP-Success)
29. PPP-CHAP success
30. PPP-IPCP (Config-Req)
31. IKE_AUTH.req (AUTH)
32. Proxy-Mobile IP Registration - RRQ (CoA=FNG)
33. ACCESS.Request (MN-HA SPI, ...)
34. ACCESS.Accept (MN-HA key, Auth, …)
35. Proxy-Mobile IP Registration - RRP (HoA, DNS addresses, ...)
36. IKE_AUTH.rsp (CFG_REPLY(TIA=HoA), DNS addresses…)
37. PPP-IPCP (Config-Ack) – Femtocell gives new HoA to AT as link address and gives DNS server addresses from IKEv2 to AT in PPP-IPCP phase
38a, 38b, 38c. User Traffic Flowing
37
Detailed Call Flow – Tunnel Setup (3)
• Mobile IP user authentication (continued from slide before last)
[Call flow between AT, Femto, FNG, HA and AAA; phases: A12 Terminal Authentication, User Authentication & Per-AT Tunnel Setup. Steps as labeled in the figure:]
16. PPP-LCP (AT rejects CHAP)
17. PPP-IPCP (no address config)
18. IKE_AUTH.req (AUTH)
Assign temporary TIA
19. IKE_AUTH.rsp (CFG_REPLY(TIA=tmp))
20a. MIP Agent Sol.
20b. MIP Agent Solicitation
21a. MIP Agent Advertisement (MN-FA challenge, CoA={FNG, …})
21b. MIP Agent Adv. (MN-FA challenge, CoA={FNG, ...})
22a. MIP-RRQ (MN-NAI, MN-AAA, MN-FA, MN-HA)
22b. MIP-RRQ (MN-NAI, MN-AAA, MN-FA, MN-HA)
23. Access-Request (NAI, CHAP-rsp, CHAP-ID, challenge)
24. ACCESS.Accept (QoS Profile, [dynamic-HA])
25. IKE INFORMATIONAL (Notification(QoSProfile))
26. IKE INFORMATIONAL
27. MIP-RRQ (MN-NAI, MN-HA)
28. MIP-RRP (HoA, DNS IP addresses, ...)
TIA allocation
29. MIP-RRP ([HA], HoA, DNS IP addresses, ...)
30. MIP-RRP ([HA], HoA, DNS addresses, ...)
31. IKE CREATE_CHILD_SA.req (TS=HoA, …)
32. IKE CREATE_CHILD_SA.rsp
Create new SA that uses the new HoA in Traffic Selector, then delete old SA
33. IKE INFORMATIONAL (Delete(old SA))
34. IKE INFORMATIONAL
35. Accounting-Start
36a, 36b, 36c. User Traffic Flowing
38
Detailed Call Flow – Tunnel Disconnect (1)
[Four call flows between AT, Femtocell, Home Router (NAT + DHCP), FNG, HA and AAA, as labeled in the figure.]
AT Initiated Termination
1. PPP-LCP.Terminate-Request
2. IKE INFORMATIONAL.req (Delete)
3. RADIUS Accounting-Req(stop) / Session-Termination-Request (STR)
4. RADIUS Accounting-Rsp(stop) / Session-Termination-Answer (STA)
5. MIP-RRQ (lifetime=0) – for PMIP only
6. MIP-RRP – for PMIP only
7. IKE INFORMATIONAL.rsp (Delete)
8. PPP-LCP Terminate-Ack
AAA Initiated Termination
1. RADIUS Disconnect-Req(stop) / Abort-Session-Request (ASR)
2. RADIUS Disconnect-Rsp(stop) / Abort-Session-Answer (ASA)
3. IKE INFORMATIONAL.req (Delete)
4. PPP-LCP.Terminate-Request
5. PPP-LCP Terminate-Ack
6. IKE INFORMATIONAL.rsp (Delete)
7. MIP-RRQ (lifetime=0) – for PMIP only
8. MIP-RRP – for PMIP only
MIP-HA Initiated Termination (PMIP only)
1. MIP-Revocation
2. IKE INFORMATIONAL.req (Delete)
3. PPP-LCP.Terminate-Request
4. PPP-LCP Terminate-Ack
5. IKE INFORMATIONAL.rsp (Delete)
6. MIP Revocation Acknowledgement
7. RADIUS Accounting-Req(stop) / Session-Termination-Request (STR)
8. RADIUS Accounting-Rsp(stop) / Session-Termination-Answer (STA)
FNG Initiated Termination
1. RADIUS Accounting-Req(stop) / Session-Termination-Request (STR)
2. RADIUS Accounting-Rsp(stop) / Session-Termination-Answer (STA)
3. IKE INFORMATIONAL.req (Delete)
4. PPP-LCP.Terminate-Request
5. PPP-LCP Terminate-Ack
6. IKE INFORMATIONAL.rsp (Delete)
7. MIP-RRQ (lifetime=0) – for PMIP only
8. MIP-RRP – for PMIP only
39
Detailed Call Flow – Tunnel Disconnect (2)
[Three call flows between AT, Femtocell, Home Router (NAT + DHCP), FNG, HA and AAA, as labeled in the figure.]
AAA Initiated Termination
1. RADIUS Disconnect-Req(stop) / Abort-Session-Request (ASR)
2. RADIUS Disconnect-Rsp(stop) / Abort-Session-Answer (ASA)
3. MIP Revocation
4. MIP Revocation Acknowledgement
5. MIP Agent Advertisement [unicast] (sequence number = 0)
6. MIP Agent Adv. (seq # = 0)
7. IKE INFORMATIONAL.req (Delete)
8. PPP-LCP.Terminate-Request
9. PPP-LCP Terminate-Ack
10. IKE INFORMATIONAL.rsp (Delete)
FNG/MIP-FA Initiated Termination (CMIP4 Registration Revocation case)
1. MIP Revocation
2. MIP Agent Advertisement [unicast] (sequence number = 0)
3. MIP Agent Adv. (seq # = 0)
4. MIP Revocation Acknowledgement
5. IKE INFORMATIONAL.req (Delete)
6. PPP-LCP.Terminate-Request
7. PPP-LCP Terminate-Ack
8. IKE INFORMATIONAL.rsp (Delete)
9. RADIUS Accounting-Req(stop) / Session-Termination-Request (STR)
10. RADIUS Accounting-Rsp(stop) / Session-Termination-Answer (STA)
MIP-HA Initiated Termination (CMIP4 Registration Revocation case)
1. MIP Revocation
2. MIP Revocation Acknowledgement
3. MIP Agent Advertisement [unicast] (sequence number = 0)
4. MIP Agent Adv. (seq # = 0)
5. IKE INFORMATIONAL.req (Delete)
6. PPP-LCP.Terminate-Request
7. PPP-LCP Terminate-Ack
8. IKE INFORMATIONAL.rsp (Delete)
9. RADIUS Accounting-Req(stop) / Session-Termination-Request (STR)
10. RADIUS Accounting-Rsp(stop) / Session-Termination-Answer (STA)
40
Detailed Call Flow – Tunnel Disconnect (3)
[Two call flows between AT, Femtocell, Home Router (NAT + DHCP), FNG, HA and AAA, as labeled in the figure.]
MIP-HA Initiated Termination (CMIP4 [Re-]Registration Failure case)
1. MIP-RRQ
2. MIP-RRQ
3. MIP-RRQ
4. MIP-RRP (Fail)
5. MIP-RRP (Fail)
6. MIP-RRP (Fail)
Timer, counter – FNG starts timer/counter after MIP-RRP(Fail). AT may retry MIP-Registration. If no retry is attempted before timer expiration or retries exceed a certain maximum number, proceed to disconnect IPSec tunnel.
7. IKE INFORMATIONAL.req (Delete)
8. PPP-LCP.Terminate-Request
9. PPP-LCP Terminate-Ack
10. IKE INFORMATIONAL.rsp (Delete)
11. RADIUS Accounting-Req(stop) / Session-Termination-Request (STR)
12. RADIUS Accounting-Rsp(stop) / Session-Termination-Answer (STA)
FNG/MIP-FA Initiated Termination (CMIP4 [Re-]Registration Failure case)
2. MIP-RRQ
3. MIP-RRQ
4. MIP-RRP (Fail)
5. MIP-RRP (Fail)
Timer, counter – FNG starts timer/counter after MIP-RRP(Fail). AT may retry MIP-Registration. If no retry is attempted before timer expiration or retries exceed a certain maximum number, proceed to disconnect IPSec tunnel. No MIP4 signaling to MIP-HA (state clean-up depends on time-out on MIP-HA).
7. IKE INFORMATIONAL.req (Delete)
8. PPP-LCP.Terminate-Request
9. PPP-LCP Terminate-Ack
10. IKE INFORMATIONAL.rsp (Delete)
11. RADIUS Accounting-Req(stop) / Session-Termination-Request (STR)
12. RADIUS Accounting-Rsp(stop) / Session-Termination-Answer (STA)
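The timer/counter rule stated on this slide is a small piece of gateway state whose edge cases (a retry that arrives just in time, a retry that is one too many, a retry that succeeds) are easy to get wrong, and a stale tunnel for an AT that never re-registered is wasted FNG state and an open path with no valid registration behind it. The following is an added example, not code from Airvana or 3GPP2: an FNG-side watchdog that starts after MIP-RRP(Fail), disarms when the AT retries, and tears the tunnel down on timer expiry or when retries exceed the maximum. The timeout and retry limit are assumptions (the slide gives no values), the tear-down messages are the FNG-originated ones named on the slide, and the event timestamps are constructed.

```python
"""Added example (not Airvana's or 3GPP2's code): the FNG-side timer/counter
policy after a MIP-RRP(Fail). Timeout and retry limit are assumptions; the
tear-down messages are the FNG-originated steps named on the slide."""
from dataclasses import dataclass, field
from typing import List, Optional

# FNG-originated messages of the tear-down on the slide (steps 7 and 11).
TEARDOWN_MESSAGES = ["IKE INFORMATIONAL.req(Delete)",
                     "RADIUS Accounting-Req(stop)/Session-Termination-Request(STR)"]


@dataclass
class RegistrationWatchdog:
    retry_timeout_s: float = 30.0      # assumption: the slide names no value
    max_retries: int = 2               # assumption: retries allowed after the first failure
    deadline: Optional[float] = None   # armed after a failure, disarmed when a retry arrives
    retries: int = 0
    registered: bool = False
    torn_down: bool = False
    sent: List[str] = field(default_factory=list)

    def on_rrq(self, now: float) -> str:
        """MIP-RRQ relayed from the AT. Returns 'forward' or a disconnect verdict."""
        if self.torn_down:
            return "ignored: tunnel already torn down"
        if self.deadline is not None:            # a retry after a failure
            self.deadline = None
            self.retries += 1
            if self.retries > self.max_retries:
                return self._teardown("retries exceeded maximum")
        return "forward"

    def on_rrp(self, now: float, success: bool) -> str:
        """MIP-RRP from the HA (or produced by the MIP-FA itself) relayed toward the AT."""
        if success:
            self.registered, self.retries, self.deadline = True, 0, None
        else:
            self.registered = False
            self.deadline = now + self.retry_timeout_s   # start the retry timer
        return "forward"

    def on_timer(self, now: float) -> Optional[str]:
        """Periodic check; returns a verdict only when the timer expired unanswered."""
        if self.torn_down or self.deadline is None or now < self.deadline:
            return None
        return self._teardown("no retry before timer expiration")

    def _teardown(self, reason: str) -> str:
        self.torn_down, self.deadline = True, None
        self.sent.extend(TEARDOWN_MESSAGES)
        return f"disconnect: {reason}"


def scenario_no_retry():
    """Single failure, AT stays silent: the timer tears the tunnel down."""
    w = RegistrationWatchdog()
    w.on_rrq(0.0)
    w.on_rrp(1.0, success=False)
    return w.on_timer(20.0), w.on_timer(31.0), w.sent


def scenario_retries_exhausted():
    """First attempt plus two allowed retries all fail; the third retry is one too many."""
    w = RegistrationWatchdog(max_retries=2)
    verdicts, t = [], 0.0
    for _ in range(3):
        verdicts.append(w.on_rrq(t))
        w.on_rrp(t + 1.0, success=False)
        t += 5.0
    verdicts.append(w.on_rrq(t))
    return verdicts


def scenario_recovers():
    """One failure, then a successful retry: the timer is disarmed and nothing is torn down."""
    w = RegistrationWatchdog()
    w.on_rrq(0.0)
    w.on_rrp(1.0, success=False)
    w.on_rrq(5.0)
    w.on_rrp(6.0, success=True)
    return w.on_timer(60.0), w.torn_down


if __name__ == "__main__":
    print(scenario_no_retry())
    print(scenario_retries_exhausted())
    print(scenario_recovers())
```

The watchdog is identical for the two flows on the slide; the only difference is who generated the MIP-RRP(Fail), and in the FNG/MIP-FA case no MIP signalling is sent toward the HA at tear-down, exactly as the slide notes.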