Project

General

Profile

Actions

EPDG implementation plan

The big picture

Ideally, we want to reuse existing code whenever possible, rather than reinvent the wheel. Time will tell, if this works out or if we have to rewrite more of it.
  • StrongSwan charon for handling IKEv2 and managing the IPsec SAs in the kernel IPsec
  • Erlang DIAMETER application for all the related interfaces
  • Erlang gtplib for S2b
This means we will have two major "applications" running:
  • charon
  • ePDG (likely in Erlang)

Between those two we will need some kind of non-standard, custom interface. For now I've called it "CEAI" for (Charon External AKA Interface)

Control Plane

  • red color indicates elements / interfaces to be implemented.

User Plane

  • red color indicates elements / interfaces to be implemented.
  • blue color indicates control-plane elements controlling the user plane

At system startup

  • set the various routes
  • on epdg node
    • osmo-epdg creates the gtp0 net-device (in GTP_ROLE_SGSN) via netlink
  • on epc node
    • open5gs-upf creates the tun0 net-device

When a user authenticates via IPsec

  • on epdg node
    • osmo-epdg creates a new GTP tunnel entry within the GTP link
      • GTPA_PEER_ADDRESS/ADDR6 = pgw-ip
      • GTPA_MS_ADDRESS/MS_ADDR6 = ue-ip (inner)
      • GTPA_I_TEI = epdg-teid
      • GTPA_O_TEI = pgw-teid
  • on epc node
    • open5gs-upf creates a new GTP tunnel entry within its internal state tables

Uplink traffic (e.g. from UE to P-CSCF)

  • one epdg node
    • IPsec-encapsulated traffic from the UE side enters as IPv6-in-ESP-in-UDP-in-IP[v4/v6] on the public/internet-facing side
    • kernel-IPsec (configured by strongswan) will transform (decrypt, ...) the traffic
      • we configure strongswan to mark the ipsec-originated traffic with a certain fwmark
    • traffic with that fwmark is routed (using a statically configured ip rule) towards the gtp0 net-device (created by osmo-epdg at startup)
    • linux kernel GTP tunnel module
      • looks up the in-kernel table to determine destination TEID and destination IP address based on the MS-side source address
      • encapsulates packet in GTP header and sends it through the in-kernel UDP socket to the PGW
  • on the epc node
    • (open5gs-)pgw matches inbound packet based on (dest-ip + TEID) with its internal state table
    • (open5gs-)pgw decapsulates packet from GTP header
    • (open5gs-)pgw exposes inner IPv6 packet on tun0 net-device
    • linux kernel routes packet towards P-CSCF (inner IPv6 dest IP address as originally set by UE)
  • on the ims node
    • linux kernel routes packet towards local P-CSCF socket

Downlink traffic (e.g. from P-CSCF to UE)

  • on ims node
    • IPv6 packet from P-CSCF is sent to UE IPv6 address
    • large network route (for all UE) points towards epc node
  • on epc node
    • traffic to UE IPv6 is routed into tun0 net-device
    • (open5gs-)pgw looks up destination-ip and TEID
    • (open5gs-)pwg encapsulates packet with GTP-U header and sends it via UDP socket
    • linux kernel routes it towards the ePDG
  • on epdg node
    • linux kernel routes GTP packet to locally bound UDP socket and detects the kernel GTP driver is bound to that socket
    • linux kernel GTP driver performs lookup based on dest-ip and TEID
    • linux kernel de-capsulates GTP packet and exposes inner packet on gtp0 net-device
    • linux kernel IPsec code applies transformation (crypto) and ESP-in-UDP-encapsulation
  • packet is routed towards UE

Authentication

MSC UE, sswan, ePDG, PWG, HSS

3GPP Interfaces and Procedures

ePDG

IKEv2 to UE

  • TS 33.402 section 8
  • TS 24.302 chapter 7
  • RFC 4187
  • RFC 4301
  • RFC 4555
  • RFC 5996
  • RFC 7296

S2b to PGW (GTPv2C) [TS 29.274]

Create Session Request / Response
Delete Session Request / Response
Modify Bearer Request / Respone (not needed?)
Modify Bearere Command (not needed?)
Bearer Resource Command (not needed?)
Create Bearer Request / Response
Update Bearer Request / Response (not needed?)

SWm to AAA (DIAMETER) [3GPP TS 29.273]

Diameter-EAP-Request (DER) / Diameter-EAP-Response (DEA)
Diameter-AA-Request (AAR) / Diameter-AA-Response (AAA)
Session-Termination-Request (STR) / Session-Termination-Answer (STA)
Re-Auth-Requst (RAR) / Re-Auth-Answer (RAA)
Abort-Session-Request (ASR) / Abort-Session-Answer (ASA)

SWu to UE (IKEv2, ESP) [3GPP TS 33.402]

Gxb to PCRF (not needed?)

3GPP AAA Server

SWx to HSS (DIAMETER) [3GPP TS 29.273 sec 8, 3GPP TS 23.402 sec 12]

Push-Profile-Request (PPR) / Push-Profile-Answer (PPA)
Registration-Termination-Request (RTR) / Registration-Termination-Answer (RTA)
Multimedia-Auth-Request (MAR) / Multimedia-Auth-Answer (MAA)
Server-Assignment-Request (SAR) / Server-Assignment-Answer (SAA)

S6b to PGW (DIAMETER) [3GPP TS 29.273 sec 9]

SWm to ePDG (DIAMETER)

see above.

custom Interfaces / Procedures

CEAI / GSUP

All messages must contain the TLV message class using the value IPSEC_EPDG / 5.

Send Authentication Information Request
  • Request the Auth Tuples to authenticate a UE. osmo-epdg will use SWx to request the information from the HSS.
  • Direction: Send from strongswan to osmo-edpg
  • TLV:
    • IMSI
    • PDP Information (APN, PDP Type)
    • Auth Related TLV
Send Authentication Information Result
  • Direction: Send from osmo-epdg to strongswan
Send Authentication Information Error
  • Direction: Send from osmo-epdg to strongswan
Update Location Request
  • Authorization of the UE to use the ePDG and requested APN/PGW. osmo-epdg will use SWx to update the HSS and authorize in the same request the UE + APN/PGW.
  • Direction: Send from strongswan to osmo-edpg
Update Location Result
  • Direction: Send from osmo-epdg to strongswan
Update Location Error
  • Direction: Send from osmo-epdg to strongswan
Tunnel Request
  • strongswan ask the osmo-epdg to create the GTP Tunnel towards the PGW.
  • Direction: Send from strongswan to osmo-edpg
Tunnel Result
  • Direction: Send from osmo-epdg to strongswan
Tunnel Error
  • Direction: Send from osmo-epdg to strongswan
Purge MS Request
  • strongswan asks the osmo-epdg to tear down the UE session due to UE disconnection (close ipsec tunnel).
  • Direction: Send from strongswan to osmo-epdg
Purge MS Result
  • Direction: Send from osmo-epdg to strongswan
Purge MS Error
  • Direction: Send from osmo-epdg to strongswan
Cancel Location Request
  • The HSS/PGW asked to terminate the session since the UE moved somewhere else.
  • Direction: Send from osmo-epdg to strongswan
Cancel Location Result
  • Direction: Send from strongswan to osmo-epdg
Cancel Location Error
  • Direction: Send from strongswan to osmo-epdg

Related information links

Files (2)
ipsec_auth.png View ipsec_auth.png 80.8 KB MSC UE, sswan, ePDG, PWG, HSS lynxis, 01/29/2023 07:16 PM
ipsec_auth.msc ipsec_auth.msc 1.14 KB MSC UE, sswan, ePDG, PWG, HSS (source) lynxis, 01/29/2023 07:16 PM

Updated by lynxis 20 days ago · 26 revisions

Add picture from clipboard (Maximum size: 48.8 MB)