Actions
- Table of contents
- EPDG implementation plan
EPDG implementation plan¶
The big picture¶
Ideally, we want to reuse existing code whenever possible, rather than reinvent the wheel. Time will tell, if this works out or if we have to rewrite more of it.- StrongSwan charon for handling IKEv2 and managing the IPsec SAs in the kernel IPsec
- Erlang DIAMETER application for all the related interfaces
- Erlang gtplib for S2b
- charon
- ePDG (likely in Erlang)
Between those two we will need some kind of non-standard, custom interface. For now I've called it "CEAI" for (Charon External AKA Interface)
Control Plane¶
- red color indicates elements / interfaces to be implemented.
User Plane¶
- red color indicates elements / interfaces to be implemented.
- blue color indicates control-plane elements controlling the user plane
At system startup¶
- set the various routes
- on
epdg
node- osmo-epdg creates the
gtp0
net-device (in GTP_ROLE_SGSN) via netlink
- osmo-epdg creates the
- on
epc
node- open5gs-upf creates the
tun0
net-device
- open5gs-upf creates the
When a user authenticates via IPsec¶
- on
epdg
node- osmo-epdg creates a new GTP tunnel entry within the GTP link
- GTPA_PEER_ADDRESS/ADDR6 = pgw-ip
- GTPA_MS_ADDRESS/MS_ADDR6 = ue-ip (inner)
- GTPA_I_TEI = epdg-teid
- GTPA_O_TEI = pgw-teid
- osmo-epdg creates a new GTP tunnel entry within the GTP link
- on
epc
node- open5gs-upf creates a new GTP tunnel entry within its internal state tables
Uplink traffic (e.g. from UE to P-CSCF)¶
- one
epdg
node- IPsec-encapsulated traffic from the UE side enters as IPv6-in-ESP-in-UDP-in-IP[v4/v6] on the public/internet-facing side
- kernel-IPsec (configured by strongswan) will transform (decrypt, ...) the traffic
- we configure strongswan to mark the ipsec-originated traffic with a certain fwmark
- traffic with that fwmark is routed (using a statically configured
ip rule
) towards thegtp0
net-device (created by osmo-epdg at startup) - linux kernel GTP tunnel module
- looks up the in-kernel table to determine destination TEID and destination IP address based on the MS-side source address
- encapsulates packet in GTP header and sends it through the in-kernel UDP socket to the PGW
- on the
epc
node- (open5gs-)pgw matches inbound packet based on (dest-ip + TEID) with its internal state table
- (open5gs-)pgw decapsulates packet from GTP header
- (open5gs-)pgw exposes inner IPv6 packet on
tun0
net-device - linux kernel routes packet towards P-CSCF (inner IPv6 dest IP address as originally set by UE)
- on the
ims
node- linux kernel routes packet towards local P-CSCF socket
Downlink traffic (e.g. from P-CSCF to UE)¶
- on
ims
node- IPv6 packet from P-CSCF is sent to UE IPv6 address
- large network route (for all UE) points towards
epc
node
- on
epc
node- traffic to UE IPv6 is routed into
tun0
net-device - (open5gs-)pgw looks up destination-ip and TEID
- (open5gs-)pwg encapsulates packet with GTP-U header and sends it via UDP socket
- linux kernel routes it towards the ePDG
- traffic to UE IPv6 is routed into
- on
epdg
node- linux kernel routes GTP packet to locally bound UDP socket and detects the kernel GTP driver is bound to that socket
- linux kernel GTP driver performs lookup based on dest-ip and TEID
- linux kernel de-capsulates GTP packet and exposes inner packet on
gtp0
net-device - linux kernel IPsec code applies transformation (crypto) and ESP-in-UDP-encapsulation
- packet is routed towards UE
Authentication¶
3GPP Interfaces and Procedures¶
ePDG¶
IKEv2 to UE¶
- TS 33.402 section 8
- TS 24.302 chapter 7
- RFC 4187
- RFC 4301
- RFC 4555
- RFC 5996
- RFC 7296
S2b to PGW (GTPv2C) [TS 29.274]¶
Create Session Request / Response¶
Delete Session Request / Response¶
Modify Bearer Request / Respone (not needed?)¶
Modify Bearere Command (not needed?)¶
Bearer Resource Command (not needed?)¶
Create Bearer Request / Response¶
Update Bearer Request / Response (not needed?)¶
SWm to AAA (DIAMETER) [3GPP TS 29.273]¶
Diameter-EAP-Request (DER) / Diameter-EAP-Response (DEA)¶
Diameter-AA-Request (AAR) / Diameter-AA-Response (AAA)¶
Session-Termination-Request (STR) / Session-Termination-Answer (STA)¶
Re-Auth-Requst (RAR) / Re-Auth-Answer (RAA)¶
Abort-Session-Request (ASR) / Abort-Session-Answer (ASA)¶
SWu to UE (IKEv2, ESP) [3GPP TS 33.402]¶
Gxb to PCRF (not needed?)¶
3GPP AAA Server¶
SWx to HSS (DIAMETER) [3GPP TS 29.273 sec 8, 3GPP TS 23.402 sec 12]¶
Push-Profile-Request (PPR) / Push-Profile-Answer (PPA)¶
Registration-Termination-Request (RTR) / Registration-Termination-Answer (RTA)¶
Multimedia-Auth-Request (MAR) / Multimedia-Auth-Answer (MAA)¶
- 3GPP TS 29.273 8.2.2.1
- https://www.etsi.org/deliver/etsi_ts/129200_129299/129273/17.06.00_60/ts_129273v170600p.pdf
- https://dstest.info/DiaDict/Dictionary/Multimedia-Auth-Request_SWx.html
Server-Assignment-Request (SAR) / Server-Assignment-Answer (SAA)¶
S6b to PGW (DIAMETER) [3GPP TS 29.273 sec 9]¶
SWm to ePDG (DIAMETER)¶
see above.
custom Interfaces / Procedures¶
CEAI / GSUP¶
All messages must contain the TLV message class using the value IPSEC_EPDG / 5.
Send Authentication Information Request¶
- Request the Auth Tuples to authenticate a UE. osmo-epdg will use SWx to request the information from the HSS.
- Direction: Send from strongswan to osmo-edpg
- TLV:
- IMSI
- PDP Information (APN, PDP Type)
- Auth Related TLV
Send Authentication Information Result¶
- Direction: Send from osmo-epdg to strongswan
Send Authentication Information Error¶
- Direction: Send from osmo-epdg to strongswan
Update Location Request¶
- Authorization of the UE to use the ePDG and requested APN/PGW. osmo-epdg will use SWx to update the HSS and authorize in the same request the UE + APN/PGW.
- Direction: Send from strongswan to osmo-edpg
Update Location Result¶
- Direction: Send from osmo-epdg to strongswan
Update Location Error¶
- Direction: Send from osmo-epdg to strongswan
Tunnel Request¶
- strongswan ask the osmo-epdg to create the GTP Tunnel towards the PGW.
- Direction: Send from strongswan to osmo-edpg
Tunnel Result¶
- Direction: Send from osmo-epdg to strongswan
Tunnel Error¶
- Direction: Send from osmo-epdg to strongswan
Purge MS Request¶
- strongswan asks the osmo-epdg to tear down the UE session due to UE disconnection (close ipsec tunnel).
- Direction: Send from strongswan to osmo-epdg
Purge MS Result¶
- Direction: Send from osmo-epdg to strongswan
Purge MS Error¶
- Direction: Send from osmo-epdg to strongswan
Cancel Location Request¶
- The HSS/PGW asked to terminate the session since the UE moved somewhere else.
- Direction: Send from osmo-epdg to strongswan
Cancel Location Result¶
- Direction: Send from strongswan to osmo-epdg
Cancel Location Error¶
- Direction: Send from strongswan to osmo-epdg
Related information links¶
Updated by pespin 14 days ago · 27 revisions