EPDG implementation plan » History » Revision 17
laforge, 02/05/2024 04:36 PM
EPDG implementation plan
The big picture
Ideally, we want to reuse existing code whenever possible, rather than reinvent the wheel. Time will tell if this works out or if we have to rewrite more of it.
- StrongSwan charon for handling IKEv2 and managing the IPsec SAs in the kernel IPsec
- Erlang DIAMETER application for all the related interfaces
- Erlang gtplib for S2b
This leaves two main components:
- charon
- ePDG (likely in Erlang)
Between those two we will need some kind of non-standard, custom interface. For now I've called it "CEAI" (Charon External AKA Interface).
Control Plane
(figure: control-plane diagram)
- red color indicates elements / interfaces to be implemented.
User Plane
(figure: user-plane diagram)
- red color indicates elements / interfaces to be implemented.
- blue color indicates control-plane elements controlling the user plane
At system startup
- set the various routes
- on `epdg` node
  - osmo-epdg creates the `gtp0` net-device (in GTP_ROLE_SGSN) via netlink
- on `epc` node
  - open5gs-upf creates the `tun0` net-device
When a user authenticates via IPsec
- on `epdg` node
  - osmo-epdg creates a new GTP tunnel entry within the GTP link
- on `epc` node
  - open5gs-upf creates a new GTP tunnel entry within its internal state tables
Uplink traffic (e.g. from UE to P-CSCF)
- on `epdg` node
  - IPsec-encapsulated traffic from the UE side enters as IPv6-in-ESP-in-UDP-in-IP[v4/v6] on the public/internet-facing side
  - kernel IPsec (configured by strongswan) will transform (decrypt, ...) the traffic
  - we configure strongswan to mark the IPsec-originated traffic with a certain fwmark
  - traffic with that fwmark is routed (using a statically configured `ip rule`) towards the `gtp0` net-device (created by osmo-epdg at startup)
  - linux kernel GTP tunnel module
    - looks up the in-kernel table to determine destination TEID and destination IP address based on the MS-side source address
    - encapsulates packet in GTP header and sends it through the in-kernel UDP socket to the PGW
- on the `epc` node
  - (open5gs-)pgw matches inbound packet based on (dest-ip + TEID) with its internal state table
  - (open5gs-)pgw decapsulates packet from GTP header
  - (open5gs-)pgw exposes inner IPv6 packet on `tun0` net-device
  - linux kernel routes packet towards P-CSCF (inner IPv6 dest IP address as originally set by UE)
- on the `ims` node
  - linux kernel routes packet towards local P-CSCF socket
Downlink traffic (e.g. from P-CSCF to UE)
- on `ims` node
  - IPv6 packet from P-CSCF is sent to UE IPv6 address
  - large network route (for all UE) points towards `epc` node
- on `epc` node
  - traffic to UE IPv6 is routed into `tun0` net-device
  - (open5gs-)pgw looks up destination-ip and TEID
  - (open5gs-)pgw encapsulates packet with GTP-U header and sends it via UDP socket
  - linux kernel routes it towards the ePDG
- on `epdg` node
  - linux kernel routes GTP packet to locally bound UDP socket and detects the kernel GTP driver is bound to that socket
  - linux kernel GTP driver performs lookup based on dest-ip and TEID
  - linux kernel de-capsulates GTP packet and exposes inner packet on `gtp0` net-device
  - linux kernel IPsec code applies transformation (crypto) and ESP-in-UDP encapsulation
  - packet is routed towards UE
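The two tunnel lookups from the uplink and downlink steps above (MS-side source address on the way towards the PGW, TEID plus inner destination on the way back), modelled as an added Python example that is not code from osmo-epdg, open5gs or the Linux GTP driver. The UE address, TEIDs and peer IP are constructed sample values; the downlink side also drops a G-PDU whose inner destination is not the UE that the TEID belongs to, the kind of consistency check a tunnel endpoint should make before forwarding.

```python
import struct
import ipaddress

# GTP-U v1 header (3GPP TS 29.281): flags, message type, length, TEID.
# flags 0x30 = version 1, protocol type GTP, no optional fields present.
GTPU_HDR = struct.Struct("!BBHI")
GTPU_GPDU = 0xFF  # message type for a G-PDU carrying a user packet


class GtpTunnelTable:
    def __init__(self):
        self.by_ms_addr = {}     # uplink: MS-side source address -> entry
        self.by_local_teid = {}  # downlink: TEID on our side -> entry

    def add(self, ms_addr, local_teid, remote_teid, peer_ip):
        entry = {"ms_addr": ipaddress.IPv6Address(ms_addr), "local_teid": local_teid,
                 "remote_teid": remote_teid, "peer_ip": peer_ip}
        self.by_ms_addr[entry["ms_addr"]] = entry
        self.by_local_teid[local_teid] = entry

    def uplink(self, inner):
        """Encapsulate an inner IPv6 packet from the UE side; None = drop."""
        if len(inner) < 40 or inner[0] >> 4 != 6:
            return None
        entry = self.by_ms_addr.get(ipaddress.IPv6Address(inner[8:24]))
        if entry is None:
            return None  # source address belongs to no known tunnel
        hdr = GTPU_HDR.pack(0x30, GTPU_GPDU, len(inner), entry["remote_teid"])
        return entry["peer_ip"], hdr + inner

    def downlink(self, gtp):
        """Decapsulate a received G-PDU and return the inner packet; None = drop."""
        if len(gtp) < GTPU_HDR.size:
            return None
        flags, msg_type, length, teid = GTPU_HDR.unpack_from(gtp)
        if flags >> 5 != 1 or msg_type != GTPU_GPDU:
            return None
        # S/E/PN bits (0x07) add a 4-byte optional field that the length includes
        off = GTPU_HDR.size + (4 if flags & 0x07 else 0)
        inner = gtp[off:GTPU_HDR.size + length]
        entry = self.by_local_teid.get(teid)
        if entry is None or len(inner) < 40:
            return None  # unknown TEID: no state for this tunnel
        if ipaddress.IPv6Address(inner[24:40]) != entry["ms_addr"]:
            return None  # inner destination is not this tunnel's UE
        return inner


def make_ipv6(src, dst, payload=b""):
    """Minimal IPv6 header (next header 59 = none); constructed test input."""
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload
```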
Authentication
3GPP Interfaces and Procedures
ePDG
S2b to PGW (GTPv2C) [TS 29.274]
Create Session Request / Response
Delete Session Request / Response
Modify Bearer Request / Response (not needed?)
Modify Bearer Command (not needed?)
Bearer Resource Command (not needed?)
Create Bearer Request / Response
Update Bearer Request / Response (not needed?)
SWm to AAA (DIAMETER) [3GPP TS 29.273]
Diameter-EAP-Request (DER) / Diameter-EAP-Answer (DEA)
Diameter-AA-Request (AAR) / Diameter-AA-Answer (AAA)
Session-Termination-Request (STR) / Session-Termination-Answer (STA)
Re-Auth-Request (RAR) / Re-Auth-Answer (RAA)
Abort-Session-Request (ASR) / Abort-Session-Answer (ASA)
SWu to UE (IKEv2, ESP) [3GPP TS 33.402]
Gxb to PCRF (not needed?)
3GPP AAA Server
SWx to HSS (DIAMETER) [3GPP TS 29.273 sec 8, 3GPP TS 23.402 sec 12]
Push-Profile-Request (PPR) / Push-Profile-Answer (PPA)
Registration-Termination-Request (RTR) / Registration-Termination-Answer (RTA)
Multimedia-Auth-Request (MAR) / Multimedia-Auth-Answer (MAA)
- 3GPP TS 29.273 8.2.2.1
- https://www.etsi.org/deliver/etsi_ts/129200_129299/129273/17.06.00_60/ts_129273v170600p.pdf
- https://dstest.info/DiaDict/Dictionary/Multimedia-Auth-Request_SWx.html
Server-Assignment-Request (SAR) / Server-Assignment-Answer (SAA)
S6b to PGW (DIAMETER) [3GPP TS 29.273 sec 9]
SWm to ePDG (DIAMETER)
see above.
Custom Interfaces / Procedures
CEAI
FIXME
Related information links