Feature #5288

Updated by pespin 7 months ago

We need to come up with a good architectural plan of how we'd want to implement an ePDG. 

In the end it is a "fancy" IPsec gateway between the 3GPP CN and the public internet, somewhere on the level of an SGW in the LTE EPC.

Major elements are:

* handling of ESP in UDP / NAT-T for the user plane
** Linux kernel IPsec would be great to use
* handling of IKE for session setup / key exchange framework
** this could be strongswan
* handling of EAP-AKA for 3GPP specific authentication against the HSS
** this could be some strongswan plugin that then talks DIAMETER towards an HSS in order to obtain authentication tuples
* DNS based look-up/resolution of the PGW for the APN specified by the user
* encapsulation of user plane traffic in GTP-U towards the PGW
** in theory, the linux kernel GTP module should be able to do this (in "SGSN" role)
** of course there might be difficulty combining that with IPsec
** in the worst case, we might be able to leverage a standard UPF to do the encap/decap part, but I hope we don't need to go there.
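As an added illustration of the DNS based PGW look-up bullet above (example code written for this page, not from the ticket or any Osmocom project): the FQDN shape follows 3GPP TS 23.003 and the NAPTR service tags follow TS 29.303, while the MCC/MNC, host names, the record set and the `Naptr`, `apn_fqdn` and `select_pgw` names are constructed assumptions.

```python
"""Added example, not from this ticket or any Osmocom code: how an ePDG can
resolve the PGW for a user's APN via DNS. The FQDN shape follows 3GPP
TS 23.003 and the NAPTR service tags follow TS 29.303; the record set,
host names, MCC/MNC and function names are constructed for illustration."""
import re
from dataclasses import dataclass

PGW_SERVICE = "x-3gpp-pgw"   # NAPTR app-service naming a PGW
S2B_PROTOCOL = "x-s2b"       # app-protocol an ePDG needs (S2b interface)


def apn_fqdn(apn_ni: str, mcc: str, mnc: str) -> str:
    """Build <APN-NI>.apn.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.

    MNC is always three digits in the FQDN, so a two-digit MNC gets a
    leading zero. Input is validated so that a user-supplied APN cannot
    smuggle characters into the operator part of the name."""
    if not re.fullmatch(r"\d{3}", mcc) or not re.fullmatch(r"\d{2,3}", mnc):
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", apn_ni):
        raise ValueError("APN-NI contains characters not allowed in a label")
    return f"{apn_ni}.apn.epc.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


@dataclass(frozen=True)
class Naptr:
    """One NAPTR record as returned for the APN-FQDN (RFC 3403 fields)."""
    order: int
    preference: int
    flags: str        # "a": replacement is a host name, "s": an SRV name
    service: str      # e.g. "x-3gpp-pgw:x-s2a+x-s2b"
    replacement: str


def supports(record: Naptr, app_service: str, protocol: str) -> bool:
    """True if the service field names app_service and lists protocol."""
    if ":" not in record.service:
        return False
    svc, protos = record.service.split(":", 1)
    return svc == app_service and protocol in protos.split("+")


def select_pgw(records, app_service=PGW_SERVICE, protocol=S2B_PROTOCOL):
    """Return (flags, replacement) for matching records, best first.

    Ordering follows RFC 3403: lowest order first, then lowest preference.
    Records for other node types (e.g. an SGW) or PGWs that do not offer
    the wanted interface are skipped. The caller then resolves "a" targets
    with A/AAAA queries and "s" targets with SRV queries."""
    matching = [r for r in records if supports(r, app_service, protocol)
                and r.flags.lower() in ("a", "s")]
    matching.sort(key=lambda r: (r.order, r.preference))
    return [(r.flags.lower(), r.replacement) for r in matching]


# Constructed sample answer for internet.apn.epc.mnc001.mcc001.3gppnetwork.org
SAMPLE_RECORDS = [
    Naptr(10, 20, "a", "x-3gpp-pgw:x-s2a+x-s2b", "pgw1.node.epc.mnc001.mcc001.3gppnetwork.org"),
    Naptr(10, 10, "a", "x-3gpp-pgw:x-s2b+x-gn", "pgw2.node.epc.mnc001.mcc001.3gppnetwork.org"),
    Naptr(20, 10, "a", "x-3gpp-pgw:x-s2a", "pgw3.node.epc.mnc001.mcc001.3gppnetwork.org"),
    Naptr(5, 10, "a", "x-3gpp-sgw:x-s5-gtp", "sgw1.node.epc.mnc001.mcc001.3gppnetwork.org"),
]

if __name__ == "__main__":
    print(apn_fqdn("internet", "001", "01"))
    for flags, target in select_pgw(SAMPLE_RECORDS):
        print(flags, target)
```

With the sample records, pgw2 wins over pgw1 on preference, pgw3 is dropped because it only offers S2a, and the SGW record is dropped because it is the wrong node type. In a real ePDG the records come from a resolver query for the APN-FQDN; the APN string is user controlled, which is why it is validated before being spliced into the name.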

There's also a question of handling some of the "auxiliary" bits that in the PGW case are handled by PCO, such as
 * IP address allocation inside the tunnel 
 * signaling of internal DNS servers 
 * signaling of P-CSCF address (likely obtained via DIAMETER from HSS or via global config?) 
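Over IKEv2 these three items travel in the Configuration Payload of IKE_AUTH rather than in PCO. The following is an added example for this page (not code from the ticket, Osmocom or strongSwan) that encodes and parses that payload per RFC 7296 section 3.15, with the P-CSCF attribute from RFC 7651; the addresses, the `ue_request`/`epdg_reply` split and the function names are constructed assumptions.

```python
"""Added example, not from this ticket or from Osmocom/strongSwan code: the
IKEv2 Configuration Payload (RFC 7296 section 3.15) that carries the bits
listed above in the ePDG case, where PCO is not available: the address
inside the tunnel, internal DNS servers and (RFC 7651) the P-CSCF address.
Addresses and function names below are constructed for illustration."""
import ipaddress
import struct

# CFG Type values (RFC 7296 section 3.15)
CFG_REQUEST, CFG_REPLY = 1, 2

# Attribute types (RFC 7296 section 3.15.1; P-CSCF ones from RFC 7651)
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_DNS = 3
INTERNAL_IP6_ADDRESS = 8
INTERNAL_IP6_DNS = 10
P_CSCF_IP4_ADDRESS = 20
P_CSCF_IP6_ADDRESS = 21


def encode_cp(cfg_type: int, attributes) -> bytes:
    """Encode a CP payload body: CFG Type, 3 reserved bytes, then TLVs of
    16-bit type (R bit zero), 16-bit length, value. The generic IKEv2
    payload header is left to the caller."""
    body = struct.pack("!B3x", cfg_type)
    for attr_type, value in attributes:
        if attr_type >= 0x8000 or len(value) > 0xFFFF:
            raise ValueError("attribute type or length out of range")
        body += struct.pack("!HH", attr_type, len(value)) + value
    return body


def decode_cp(data: bytes):
    """Parse a CP payload body into (cfg_type, [(attr_type, value), ...]).
    Every length is checked against the buffer so a short or lying length
    field raises ValueError instead of reading outside the payload."""
    if len(data) < 4:
        raise ValueError("CP payload shorter than its fixed header")
    cfg_type = data[0]
    attrs, pos = [], 4
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if len(data) - pos < length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((raw_type & 0x7FFF, bytes(data[pos:pos + length])))
        pos += length
    return cfg_type, attrs


def ue_request() -> bytes:
    """UE side of IKE_AUTH: zero-length attributes mean "please assign"."""
    return encode_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""),
                                   (INTERNAL_IP4_DNS, b""),
                                   (P_CSCF_IP4_ADDRESS, b"")])


def epdg_reply(request: bytes, address: str, dns_servers, pcscf: str) -> bytes:
    """ePDG side: answer only the attributes the UE asked for. `address`
    would come from the ePDG's pool or the PGW, `dns_servers` and `pcscf`
    from configuration or the HSS, as the ticket discusses."""
    cfg_type, attrs = decode_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected a CFG_REQUEST")
    wanted = {t for t, _ in attrs}
    reply = []
    if INTERNAL_IP4_ADDRESS in wanted:
        reply.append((INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address(address).packed))
    if INTERNAL_IP4_DNS in wanted:
        for dns in dns_servers:   # one attribute per server
            reply.append((INTERNAL_IP4_DNS, ipaddress.IPv4Address(dns).packed))
    if P_CSCF_IP4_ADDRESS in wanted:
        reply.append((P_CSCF_IP4_ADDRESS, ipaddress.IPv4Address(pcscf).packed))
    return encode_cp(CFG_REPLY, reply)


def reply_as_dict(reply: bytes) -> dict:
    """Decode a CFG_REPLY into {attr_type: [dotted addresses]} for inspection."""
    cfg_type, attrs = decode_cp(reply)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected a CFG_REPLY")
    out = {}
    for attr_type, value in attrs:
        out.setdefault(attr_type, []).append(str(ipaddress.IPv4Address(value)))
    return out


if __name__ == "__main__":
    req = ue_request()
    rep = epdg_reply(req, "10.45.0.2", ["10.45.0.1", "10.45.0.5"], "10.45.0.100")
    print(reply_as_dict(rep))
```

The decoder checks each attribute length against the remaining buffer before slicing, which is the part of any IKE implementation that ends up parsing untrusted input from the public internet side of the gateway; the encoder refuses types with the reserved R bit set so a config value cannot produce an attribute the peer would reject.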

 In terms of code reuse, we could theoretically look at leveraging DIAMETER from open5gs, but then it uses freeDiameter, so we can likely also "just" use freeDiameter directly. 

At first glance, there doesn't seem to be any IKEv2 implementation with Linux kernel IPsec support in Erlang, Go or Python, which would allow us to do the signaling / control plane in a higher-level, possibly safer programming language than C.

 However, 
 * https://github.com/qwj/python-vpn looks like a fairly recent implementation with even ESP/user plane in python (we'd want to plug kernel ESP in there) 
 * https://github.com/kimvais/ike is an older (abandoned?) approach for just the IKE side, no ESP 
 * https://docs.rs/ipsec-parser/0.7.0/ipsec_parser/ is just a basic parser in rust, no protocol logic, encoder, ... 

In terms of clients to test an ePDG with, there are
 * https://github.com/fasferraz/SWu-IKEv2 
 * some yet-unreleased code to add PC/SC reader support to strongswan so it can act as a client with EAP-AKA
