
EPDG implementation plan » History » Revision 24

Revision 23 (pespin, 02/07/2024 03:16 PM) → Revision 24/27 (pespin, 02/07/2024 03:17 PM)

{{>toc}} 

 h1. EPDG implementation plan 

 h2. The big picture 

 Ideally, we want to reuse existing code whenever possible, rather than reinvent the wheel. Time will tell if this works out or if we have to rewrite more of it. 
 * StrongSwan charon for handling IKEv2 and managing the IPsec SAs in the kernel IPsec 
 * Erlang DIAMETER application for all the related interfaces 
 * Erlang gtplib for S2b 

 This means we will have two major "applications" running: 
 * charon 
 * ePDG (likely in Erlang) 

 Between those two we will need some kind of non-standard, custom interface. For now I've called it "CEAI" (Charon External AKA Interface). 

 h2. Control Plane 

 * *red* color indicates elements / interfaces to be implemented. 

 {{graphviz_link() 
 digraph G { 
   rankdir=LR; 
   subgraph cluster_swan { 
     label = "StrongSWAN domain"; 
     charon; 
   } 
   subgraph cluster_erlang { 
     label = "Erlang domain"; 
     ePDG [color=red]; 
     AAA [label="3GPP AAA Server", color=red]; 
   } 
   HSS; 
   PGW; 
   PCRF; 
   UE; 

   charon -> ePDG [label="CEAI", color=red]; 

   UE -> charon [label="IKEv2"]; 
   ePDG -> AAA [label="SWm (DIAMETER)", color=red]; 
   AAA -> HSS [label="SWx (DIAMETER)", color=red]; 
   PGW -> AAA [label="S6b (DIAMETER)", color=red]; 

   ePDG -> PGW [label="S2b (GTPv2C)", color=red]; 
   ePDG -> PCRF [label="Gxb", color=red, style=dashed]; 
   PGW -> PCRF [label="Gx (DIAMETER)"]; 

   {rank=same; PCRF; HSS} 
 } 
 }} 

 h2. User Plane 

 * *red* color indicates elements / interfaces to be implemented. 
 * *blue* color indicates control-plane elements controlling the user plane 

 {{graphviz_link() 
 digraph G { 
   rankdir=LR; 

   subgraph cluster_swan { 
     label = "StrongSWAN domain"; 
     { rank=same; 
       ipsec [label="Linux kernel\nIPsec"]; 
       charon [color=blue]; 
     } 
     charon -> ipsec [label="netlink", color=blue]; 
   } 
   subgraph cluster_erlang { 
     label = "Erlang domain"; 
     { rank=same 
       gtp [label="Linux kernel\nGTP"]; 
       ePDG [color="blue"]; 
     } 
     ePDG -> gtp [label="netlink", color=blue]; 
   } 
   PGW; 
   UE; 

   UE -> ipsec [label="ESP/UDP"]; 
   ipsec->gtp [label="kernel IP stack"]; 
   gtp -> PGW [label="S2b (GTPv1U)", color=red]; 
 } 
 }} 

 h3. At system startup 

 * set the various routes 
 * on @epdg@ node 
 ** osmo-epdg creates the @gtp0@ net-device (in GTP_ROLE_SGSN) via netlink 
 * on @epc@ node 
 ** open5gs-upf creates the @tun0@ net-device 

 h3. When a user authenticates via IPsec 

 * on @epdg@ node 
 ** osmo-epdg creates a new GTP tunnel entry within the GTP link 
 *** GTPA_PEER_ADDRESS/ADDR6 = pgw-ip 
 *** GTPA_MS_ADDRESS/MS_ADDR6 = ue-ip (inner) 
 *** GTPA_I_TEI = epdg-teid 
 *** GTPA_O_TEI = pgw-teid 
 * on @epc@ node 
 ** open5gs-upf creates a new GTP tunnel entry within its internal state tables 

 h3. Uplink traffic (e.g. from UE to P-CSCF) 

 * on @epdg@ node 
 ** IPsec-encapsulated traffic from the UE side enters as IPv6-in-ESP-in-UDP-in-IP[v4/v6] on the public/internet-facing side 
 ** kernel-IPsec (configured by strongswan) will transform (decrypt, ...) the traffic 
 *** we configure strongswan to mark the ipsec-originated traffic with a certain fwmark 
 ** traffic with that fwmark is routed (using a statically configured @ip rule@) towards the @gtp0@ net-device (created by osmo-epdg at startup) 
 ** linux kernel GTP tunnel module 
 *** looks up the in-kernel table to determine destination TEID and destination IP address based on the MS-side source address 
 *** encapsulates packet in GTP header and sends it through the in-kernel UDP socket to the PGW 
 * on the @epc@ node  
 ** (open5gs-)pgw matches inbound packet based on (dest-ip + TEID) with its internal state table 
 ** (open5gs-)pgw decapsulates packet from GTP header 
 ** (open5gs-)pgw exposes inner IPv6 packet on @tun0@ net-device 
 ** linux kernel routes packet towards P-CSCF (inner IPv6 dest IP address as originally set by UE) 
 * on the @ims@ node 
 ** linux kernel routes packet towards local P-CSCF socket 

 h3. Downlink traffic (e.g. from P-CSCF to UE) 

 * on @ims@ node 
 ** IPv6 packet from P-CSCF is sent to UE IPv6 address 
 ** large network route (for all UE) points towards @epc@ node 
 * on @epc@ node 
 ** traffic to UE IPv6 is routed into @tun0@ net-device 
 ** (open5gs-)pgw looks up destination-ip and TEID 
 ** (open5gs-)pgw encapsulates packet with GTP-U header and sends it via UDP socket 
 ** linux kernel routes it towards the ePDG 
 * on @epdg@ node 
 ** linux kernel routes GTP packet to locally bound UDP socket and detects the kernel GTP driver is bound to that socket 
 ** linux kernel GTP driver performs lookup based on dest-ip and TEID 
 ** linux kernel de-capsulates GTP packet and exposes inner packet on @gtp0@ net-device 
 ** linux kernel IPsec code applies transformation (crypto) and ESP-in-UDP-encapsulation 
 * packet is routed towards UE 
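 The uplink and downlink lookups described in the two sections above, as an added illustration that is not part of this plan, of osmo-epdg or of the kernel GTP driver: a Python model of the @gtp0@ tunnel table built from the GTPA_* attributes, the GTPv1-U T-PDU header (flags 0x30, type 0xFF, length, TEID) prepended on uplink, and the downlink check that the TEID's tunnel actually owns the inner destination address (a GTP-U packet whose TEID and inner destination disagree is dropped rather than forwarded). Addresses, TEIDs and the IPv6 packet builder are constructed test values. 

```python
import struct
import ipaddress

GTP1U_FLAGS = 0x30   # version 1, PT=1 (GTP), no E/S/PN option fields
GTP1U_G_PDU = 0xFF   # message type T-PDU: carries the user IP packet

def inner_addrs(pkt):
    """(src, dst) of the inner IPv4 or IPv6 packet carried by the tunnel."""
    off = {4: (12, 16, 20), 6: (8, 24, 40)}.get(pkt[0] >> 4)
    if off is None:
        raise ValueError("not an IP packet")
    return ipaddress.ip_address(pkt[off[0]:off[1]]), ipaddress.ip_address(pkt[off[1]:off[2]])

def ipv6_packet(src, dst, payload=b""):
    # constructed minimal IPv6 packet (next header 59 = none), used as test input
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    return hdr + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload

class GtpTable:
    """Per-tunnel state as kept by the kernel GTP driver behind gtp0 (model only)."""
    def __init__(self):
        self.by_ms = {}    # MS (UE) address -> entry, uplink lookup
        self.by_tei = {}   # local I_TEI -> entry, downlink lookup

    def add_tunnel(self, ms_addr, peer_addr, i_tei, o_tei):
        # the GTPA_MS_ADDRESS / GTPA_PEER_ADDRESS / GTPA_I_TEI / GTPA_O_TEI attributes
        ent = {"ms": ipaddress.ip_address(ms_addr), "peer": ipaddress.ip_address(peer_addr),
               "i_tei": i_tei, "o_tei": o_tei}
        self.by_ms[ent["ms"]] = ent
        self.by_tei[i_tei] = ent

    def encap_uplink(self, inner):
        # uplink: key on the inner source (UE) address, prepend GTP-U carrying O_TEI
        ent = self.by_ms.get(inner_addrs(inner)[0])
        if ent is None:
            return None   # no tunnel for that UE address: dropped
        hdr = struct.pack("!BBHI", GTP1U_FLAGS, GTP1U_G_PDU, len(inner), ent["o_tei"])
        return str(ent["peer"]), hdr + inner

    def decap_downlink(self, gtpu):
        # downlink: key on I_TEI, then require inner dst == that tunnel's MS address
        if len(gtpu) < 8:
            return None
        flags, mtype, length, tei = struct.unpack("!BBHI", gtpu[:8])
        inner, ent = gtpu[8:8 + length], self.by_tei.get(tei)
        if flags >> 5 != 1 or mtype != GTP1U_G_PDU or ent is None or len(inner) != length:
            return None   # not a GTPv1-U T-PDU, unknown TEID, or truncated payload
        if inner_addrs(inner)[1] != ent["ms"]:
            return None   # TEID and inner destination disagree: spoofed or misrouted
        return inner
```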

 h2. Authentication 

 !ipsec_auth.png! 

 h2. 3GPP Interfaces and Procedures 

 h3. ePDG 

 h4. IKEv2 to UE 

 * TS 33.402 section 8 
 * TS 24.302 chapter 7 
 * RFC 4187 
 * RFC 4555 
 * RFC 5996 
 * RFC 7296 

 h4. S2b to PGW (GTPv2C) [TS 29.274] 

 h5. Create Session Request / Response 

 h5. Delete Session Request / Response 

 h5. Modify Bearer Request / Response (not needed?) 

 h5. Modify Bearer Command (not needed?) 

 h5. Bearer Resource Command (not needed?) 

 h5. Create Bearer Request / Response 

 h5. Update Bearer Request / Response (not needed?) 


 h4. SWm to AAA (DIAMETER) [3GPP TS 29.273] 

 h5. Diameter-EAP-Request (DER) / Diameter-EAP-Response (DEA) 

 h5. Diameter-AA-Request (AAR) / Diameter-AA-Response (AAA) 

 h5. Session-Termination-Request (STR) / Session-Termination-Answer (STA) 

 h5. Re-Auth-Request (RAR) / Re-Auth-Answer (RAA) 

 h5. Abort-Session-Request (ASR) / Abort-Session-Answer (ASA) 

 h4. SWu to UE (IKEv2, ESP) [3GPP TS 33.402] 

 * Related: https://fabricioapps.blogspot.com/2017/10/untrusted-non-3gpp-ip-access-swu-ikev2.html 

 h4. Gxb to PCRF (not needed?) 

 h3. 3GPP AAA Server 

 h4. SWx to HSS (DIAMETER) [3GPP TS 29.273 sec 8, 3GPP TS 23.402 sec 12] 

 h5. Push-Profile-Request (PPR) / Push-Profile-Answer (PPA) 

 h5. Registration-Termination-Request (RTR) / Registration-Termination-Answer (RTA) 

 h5. Multimedia-Auth-Request (MAR) / Multimedia-Auth-Answer (MAA) 

 * 3GPP TS 29.273 8.2.2.1 
 * https://www.etsi.org/deliver/etsi_ts/129200_129299/129273/17.06.00_60/ts_129273v170600p.pdf 
 * https://dstest.info/DiaDict/Dictionary/Multimedia-Auth-Request_SWx.html 

 h5. Server-Assignment-Request (SAR) / Server-Assignment-Answer (SAA) 

 h4. S6b to PGW (DIAMETER) [3GPP TS 29.273 sec 9] 

 * https://osmocom.org/issues/6229 

 h4. SWm to ePDG (DIAMETER) 

 See above. 

 h3. Custom Interfaces / Procedures 

 h4. CEAI / GSUP 

 All messages must carry the GSUP Message Class TLV with the value IPSEC_EPDG (5). 

 h5. Send Authentication Information Request 

 * Request the Auth Tuples to authenticate a UE. osmo-epdg will use SWx to request the information from the HSS. 
 * Direction: Send from strongswan to osmo-epdg 
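 An added illustration (not taken from this page, osmo-epdg or libosmocore) of the message-class rule above applied to the Send Authentication Information Request: GSUP framing of the IMSI and Message Class IEs, plus the receiver-side check that the class is IPSEC_EPDG before the message is handled. The IE tags (0x01, 0x0A) and the message type (0x08) are assumed from libosmocore's GSUP definitions and should be verified against gsup.h; the IMSI is a constructed value. 

```python
MSG_CLASS_IE = 0x0A        # assumed: Message Class IE tag (OSMO_GSUP_MESSAGE_CLASS_IE)
IMSI_IE = 0x01             # assumed: IMSI IE tag (OSMO_GSUP_IMSI_IE)
MSG_CLASS_IPSEC_EPDG = 5   # from the page: message class IPSEC_EPDG / 5
MSGT_SAI_REQUEST = 0x08    # assumed: Send Authentication Info Request message type

def encode_imsi(imsi):
    """Telephony BCD: two digits per byte, low nibble first, 0xF pad if odd length."""
    digits = [int(d) for d in imsi] + ([0xF] if len(imsi) % 2 else [])
    return bytes(digits[i] | (digits[i + 1] << 4) for i in range(0, len(digits), 2))

def decode_imsi(data):
    out = []
    for b in data:
        out.append(str(b & 0xF))
        if b >> 4 != 0xF:
            out.append(str(b >> 4))
    return "".join(out)

def encode_gsup(msg_type, ies):
    """GSUP: one message-type octet followed by tag/length/value IEs."""
    return bytes([msg_type]) + b"".join(bytes([tag, len(val)]) + val for tag, val in ies)

def decode_gsup(msg):
    """Return (msg_type, [(tag, value), ...]); rejects truncated IEs."""
    msg_type, pos, ies = msg[0], 1, []
    while pos < len(msg):
        if pos + 2 > len(msg):
            raise ValueError("truncated IE header")
        tag, ln = msg[pos], msg[pos + 1]
        val = msg[pos + 2:pos + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated IE value")
        ies.append((tag, val))
        pos += 2 + ln
    return msg_type, ies

def ceai_sai_request(imsi):
    """charon -> osmo-epdg: ask for auth tuples, tagged with the IPSEC_EPDG class."""
    return encode_gsup(MSGT_SAI_REQUEST, [(IMSI_IE, encode_imsi(imsi)),
                                          (MSG_CLASS_IE, bytes([MSG_CLASS_IPSEC_EPDG]))])

def is_ceai(msg):
    """Receiver check: exactly one Message Class IE, and it must be IPSEC_EPDG."""
    classes = [val for tag, val in decode_gsup(msg)[1] if tag == MSG_CLASS_IE]
    return classes == [bytes([MSG_CLASS_IPSEC_EPDG])]
```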

 h5. Send Authentication Information Result 

 * Direction: Send from osmo-epdg to strongswan 

 h5. Send Authentication Information Error 

 * Direction: Send from osmo-epdg to strongswan 


 h5. Update Location Request 

 * Authorization of the UE to use the ePDG and requested APN/PGW. osmo-epdg will use SWx to update the HSS and authorize in the same request the UE + APN/PGW. 
 * Direction: Send from strongswan to osmo-epdg 

 h5. Update Location Result 

 * Direction: Send from osmo-epdg to strongswan 

 h5. Update Location Error 

 * Direction: Send from osmo-epdg to strongswan 


 h5. Tunnel Request 

 * strongswan asks osmo-epdg to create the GTP tunnel towards the PGW. 
 * Direction: Send from strongswan to osmo-epdg 

 h5. Tunnel Result 

 * Direction: Send from osmo-epdg to strongswan 

 h5. Tunnel Error 

 * Direction: Send from osmo-epdg to strongswan 

 h5. Purge MS Request 

 * strongswan asks osmo-epdg to tear down the UE session because the UE disconnected (IPsec tunnel closed). 
 * Direction: Send from strongswan to osmo-epdg 

 h5. Purge MS Result 

 * Direction: Send from osmo-epdg to strongswan 

 h5. Purge MS Error 

 * Direction: Send from osmo-epdg to strongswan 

 h5. Cancel Location Request 

 * The HSS/PGW asked to terminate the session since the UE moved somewhere else. 
 * Direction: Send from osmo-epdg to strongswan 

 h5. Cancel Location Result 

 * Direction: Send from strongswan to osmo-epdg 

 h5. Cancel Location Error 

 * Direction: Send from strongswan to osmo-epdg 


 h4. Related information links 

 * https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/21-23/PGW-Admin/21-23-pgw-admin/21-16-PGW-Admin_chapter_011001.html