Version 24 - History - EPDG implementation plan - osmo-ePDG - VoWifi Evolved Packet Data Gateway - Open Source Mobile Communications

EPDG implementation plan » History » Version 24

pespin, 02/07/2024 03:17 PM

-laforge
+{{>toc}}
-laforge
+h1. EPDG implementation plan
 laforge
 h2. The big picture
 Ideally, we want to reuse existing code whenever possible, rather than reinvent the wheel.  Time will tell, if this works out or if we have to rewrite more of it.
 * StrongSwan charon for handling IKEv2 and managing the IPsec SAs in the kernel IPsec
 * Erlang DIAMETER application for all the related interfaces
 * Erlang gtplib for S2b
 This means we will have two major "applications" running:
 * charon
 * ePDG (likely in Erlang)
 Between those two we will need some kind of non-standard, custom interface.  For now I've called it "CEAI" for (Charon External AKA Interface)
 h2. Control Plane
 * *red* color indicates elements / interfaces to be implemented.
 {{graphviz_link()
 digraph G {
   rankdir=LR;
   subgraph cluster_swan {
     label = "StrongSWAN domain";
     charon;
+  }
   subgraph cluster_erlang {
     label = "Erlang domain";
     ePDG [color=red];
     AAA [label="3GPP AAA Server", color=red];
+  }
   HSS;
   PGW;
-pespin
+  PCRF;
-laforge
+  UE;
   charon -> ePDG [label="CEAI", color=red];
   UE -> charon [label="IKEv2"];
   ePDG -> AAA [label="SWm (DIAMETER)", color=red];
   AAA -> HSS [label="SWx (DIAMETER)", color=red];
-pespin
+  PGW -> AAA [label="S6b (DIAMETER)", color=red];
 laforge
   ePDG -> PGW [label="S2b (GTPv2C)", color=red];
-laforge
+  ePDG -> PCRF [label="Gxb", color=red, style=dashed];
   PGW -> PCRF [label="Gx (DIAMETER)"];
 pespin
   {rank=same; PCRF; HSS}
 laforge
 }}
 h2. User Plane
 * *red* color indicates elements / interfaces to be implemented.
 * *blue* color indicates control-plane elements controlling the user plane
 {{graphviz_link()
 digraph G {
   rankdir=LR;
   subgraph cluster_swan {
     label = "StrongSWAN domain";
     { rank=same;
       ipsec [label="Linux kernel\nIPsec"];
       charon [color=blue];
+    }
     charon -> ipsec [label="netlink", color=blue];
+  }
   subgraph cluster_erlang {
     label = "Erlang domain";
     { rank=same
       gtp [label="Linux kernel\nGTP"];
       ePDG [color="blue"];
+    }
     ePDG -> gtp [label="netlink", color=blue];
+  }
   PGW;
   UE;
   UE -> ipsec [label="ESP/UDP"];
   ipsec->gtp [label="kernel IP stack"];
   gtp -> PGW [label="S2b (GTPv1U)", color=red];
+}
 }}
-laforge
+h3. At system startup
 * set the various routes
 * on @epdg@ node
-laforge
+** osmo-epdg creates the @gtp0@ net-device (in GTP_ROLE_SGSN) via netlink
-laforge
+* on @epc@ node
 ** open5gs-upf creates the @tun0@ net-device
 h3. When a user authenticates via IPsec
 * on @epdg@ node
 ** osmo-epdg creates a new GTP tunnel entry within the GTP link
-laforge
+*** GTPA_PEER_ADDRESS/ADDR6 = pgw-ip
 *** GTPA_MS_ADDRESS/MS_ADDR6 = ue-ip (inner)
 *** GTPA_I_TEI = epdg-teid
 *** GTPA_O_TEI = pgw-teid
-laforge
+* on @epc@ node
 ** open5gs-upf creates a new GTP tunnel entry within its internal state tables
 h3. Uplink traffic (e.g. from UE to P-CSCF)
 * one @epdg@ node
 ** IPsec-encapsulated traffic from the UE side enters as IPv6-in-ESP-in-UDP-in-IP[v4/v6] on the public/internet-facing side
 ** kernel-IPsec (configured by strongswan) will transform (decrypt, ...) the traffic
 *** we configure strongswan to mark the ipsec-originated traffic with a certain fwmark
 ** traffic with that fwmark is routed (using a statically configured @ip rule@) towards the @gtp0@ net-device (created by osmo-epdg at startup)
 ** linux kernel GTP tunnel module
 *** looks up the in-kernel table to determine destination TEID and destination IP address based on the MS-side source address
 *** encapsulates packet in GTP header and sends it through the in-kernel UDP socket to the PGW
 * on the @epc@ node
 ** (open5gs-)pgw matches inbound packet based on (dest-ip + TEID) with its internal state table
 ** (open5gs-)pgw decapsulates packet from GTP header
 ** (open5gs-)pgw exposes inner IPv6 packet on @tun0@ net-device
 ** linux kernel routes packet towards P-CSCF (inner IPv6 dest IP address as originally set by UE)
 * on the @ims@ node
 ** linux kernel routes packet towards local P-CSCF socket
 h3. Downlink traffic (e.g. from P-CSCF to UE)
 * on @ims@ node
 ** IPv6 packet from P-CSCF is sent to UE IPv6 address
 ** large network route (for all UE) points towards @epc@ node
 * on @epc@ node
 ** traffic to UE IPv6 is routed into @tun0@ net-device
 ** (open5gs-)pgw looks up destination-ip and TEID
 ** (open5gs-)pwg encapsulates packet with GTP-U header and sends it via UDP socket
 ** linux kernel routes it towards the ePDG
 * on @epdg@ node
 ** linux kernel routes GTP packet to locally bound UDP socket and detects the kernel GTP driver is bound to that socket
 ** linux kernel GTP driver performs lookup based on dest-ip and TEID
 ** linux kernel de-capsulates GTP packet and exposes inner packet on @gtp0@ net-device
 ** linux kernel IPsec code applies transformation (crypto) and ESP-in-UDP-encapsulation
 * packet is routed towards UE
 lynxis
 h2. Authentication
 !ipsec_auth.png!
-laforge
+h2. 3GPP Interfaces and Procedures
 laforge
 h3. ePDG
-pespin
+h4. IKEv2 to UE
 * TS 33.402 section 8
 * TS 24.302 chapter 7
-pespin
+* RFC 4187
-pespin
+* RFC 4555
-pespin
+* RFC 5996
-pespin
+* RFC 7296
 laforge
-lynxis
+h4. S2b to PGW (GTPv2C) [TS 29.274]
 laforge
 h5. Create Session Request / Response
 h5. Delete Session Request / Response
 h5. Modify Bearer Request /  Respone (not needed?)
 h5. Modify Bearere Command (not needed?)
 h5. Bearer Resource Command (not needed?)
 h5. Create Bearer Request / Response
 h5. Update Bearer Request / Response (not needed?)
-pespin
+h4. SWm to AAA (DIAMETER) [3GPP TS 29.273]
 laforge
 h5. Diameter-EAP-Request (DER) / Diameter-EAP-Response (DEA)
 h5. Diameter-AA-Request (AAR) / Diameter-AA-Response (AAA)
 h5. Session-Termination-Request (STR) / Session-Termination-Answer (STA)
 h5. Re-Auth-Requst (RAR) / Re-Auth-Answer (RAA)
 h5. Abort-Session-Request (ASR) / Abort-Session-Answer (ASA)
-pespin
+h4. SWu to UE (IKEv2, ESP) [3GPP TS 33.402]
 laforge
-pespin
+* Related: https://fabricioapps.blogspot.com/2017/10/untrusted-non-3gpp-ip-access-swu-ikev2.html
 laforge
 h4. Gxb to PCRF (not needed?)
 h3. 3GPP AAA Server
-pespin
+h4. SWx to HSS (DIAMETER) [3GPP TS 29.273 sec 8,  3GPP TS 23.402 sec 12]
 laforge
 h5. Push-Profile-Request (PPR) / Push-Profile-Answer (PPA)
 h5. Registration-Termination-Request (RTR) / Registration-Termination-Answer (RTA)
 h5. Multimedia-Auth-Request (MAR) / Multimedia-Auth-Answer (MAA)
-pespin
+* 3GPP TS 29.273 8.2.2.1
-pespin
+* https://www.etsi.org/deliver/etsi_ts/129200_129299/129273/17.06.00_60/ts_129273v170600p.pdf
-pespin
+* https://dstest.info/DiaDict/Dictionary/Multimedia-Auth-Request_SWx.html
-laforge
+h5. Server-Assignment-Request (SAR) / Server-Assignment-Answer (SAA)
-pespin
+h4. S6b to PGW (DIAMETER) [3GPP TS 29.273 sec 9]
 laforge
-pespin
+* https://osmocom.org/issues/6229
 laforge
 h4. SWm to ePDG (DIAMETER)
-laforge
+see above.
 laforge
-lynxis
+h3. custom Interfaces / Procedures
-lynxis
+h4. CEAI / GSUP
 lynxis
-lynxis
+All messages must contain the TLV message class using the value IPSEC_EPDG / 5.
 laforge
-lynxis
+h5. Send Authentication Information Request
 * Request the Auth Tuples to authenticate a UE. osmo-epdg will use SWx to request the information from the HSS.
 * Direction: Send from strongswan to osmo-edpg
 h5. Send Authentication Information Result
 * Direction: Send from osmo-epdg to strongswan
 h5. Send Authentication Information Error
 * Direction: Send from osmo-epdg to strongswan
 h5. Update Location Request
 * Authorization of the UE to use the ePDG and requested APN/PGW. osmo-epdg will use SWx to update the HSS and authorize in the same request the UE + APN/PGW.
 * Direction: Send from strongswan to osmo-edpg
 h5. Update Location Result
 * Direction: Send from osmo-epdg to strongswan
 h5. Update Location Error
 * Direction: Send from osmo-epdg to strongswan
 h5. Tunnel Request
 * strongswan ask the osmo-epdg to create the GTP Tunnel towards the PGW.
 * Direction: Send from strongswan to osmo-edpg
 h5. Tunnel Result
 * Direction: Send from osmo-epdg to strongswan
 h5. Tunnel Error
 * Direction: Send from osmo-epdg to strongswan
 laforge
-pespin
+h5. Purge MS Request
 laforge
-pespin
+* strongswan asks the osmo-epdg to tear down the UE session due to UE disconnection (close ipsec tunnel).
 * Direction: Send from strongswan to osmo-epdg
 laforge
-pespin
+h5. Purge MS Result
 * Direction: Send from osmo-epdg to strongswan
 h5. Purge MS Error
 * Direction: Send from osmo-epdg to strongswan
 h5. Cancel Location Request
 * The HSS/PGW asked to terminate the session since the UE moved somewhere else.
 * Direction: Send from osmo-epdg to strongswan
 h5. Cancel Location Result
 * Direction: Send from strongswan to osmo-epdg
 h5. Cancel Location Error
 * Direction: Send from strongswan to osmo-epdg
 lynxis
 h4. Related information links
 pespin
 * https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/21-23/PGW-Admin/21-23-pgw-admin/21-16-PGW-Admin_chapter_011001.html

Project

General

Profile

Cellular Network Infrastructure » osmo-ePDG - VoWifi Evolved Packet Data Gateway

EPDG implementation plan » History » Version 24