EPDG implementation plan » History » Version 28
laforge, 06/12/2024 06:25 PM
1 | 2 | laforge | {{>toc}} |
---|---|---|---|
2 | |||
3 | 1 | laforge | h1. EPDG implementation plan |
4 | 2 | laforge | |
5 | 28 | laforge | This page describes the implementation plan that was written up _before_ the actual implementation. It might not always have been implemented according to plan! |
6 | |||
7 | 2 | laforge | h2. The big picture |
8 | |||
9 | Ideally, we want to reuse existing code whenever possible, rather than reinvent the wheel. Time will tell, if this works out or if we have to rewrite more of it. |
||
10 | * StrongSwan charon for handling IKEv2 and managing the IPsec SAs in the kernel IPsec |
||
11 | * Erlang DIAMETER application for all the related interfaces |
||
12 | * Erlang gtplib for S2b |
||
13 | |||
14 | This means we will have two major "applications" running: |
||
15 | * charon |
||
16 | * ePDG (likely in Erlang) |
||
17 | |||
18 | Between those two we will need some kind of non-standard, custom interface. For now I've called it "CEAI" for (Charon External AKA Interface) |
||
19 | |||
20 | h2. Control Plane |
||
21 | |||
22 | * *red* color indicates elements / interfaces to be implemented. |
||
23 | |||
24 | {{graphviz_link() |
||
25 | digraph G { |
||
26 | rankdir=LR; |
||
27 | subgraph cluster_swan { |
||
28 | label = "StrongSWAN domain"; |
||
29 | charon; |
||
30 | } |
||
31 | subgraph cluster_erlang { |
||
32 | 27 | pespin | label = "Erlang domain (osmo-epdg)"; |
33 | 2 | laforge | ePDG [color=red]; |
34 | AAA [label="3GPP AAA Server", color=red]; |
||
35 | } |
||
36 | HSS; |
||
37 | PGW; |
||
38 | 14 | pespin | PCRF; |
39 | 2 | laforge | UE; |
40 | |||
41 | charon -> ePDG [label="CEAI", color=red]; |
||
42 | |||
43 | UE -> charon [label="IKEv2"]; |
||
44 | ePDG -> AAA [label="SWm (DIAMETER)", color=red]; |
||
45 | AAA -> HSS [label="SWx (DIAMETER)", color=red]; |
||
46 | 14 | pespin | PGW -> AAA [label="S6b (DIAMETER)", color=red]; |
47 | 2 | laforge | |
48 | ePDG -> PGW [label="S2b (GTPv2C)", color=red]; |
||
49 | 1 | laforge | ePDG -> PCRF [label="Gxb", color=red, style=dashed]; |
50 | PGW -> PCRF [label="Gx (DIAMETER)"]; |
||
51 | 14 | pespin | |
52 | {rank=same; PCRF; HSS} |
||
53 | 2 | laforge | } |
54 | }} |
||
55 | |||
56 | h2. User Plane |
||
57 | |||
58 | * *red* color indicates elements / interfaces to be implemented. |
||
59 | * *blue* color indicates control-plane elements controlling the user plane |
||
60 | |||
61 | {{graphviz_link() |
||
62 | digraph G { |
||
63 | rankdir=LR; |
||
64 | |||
65 | subgraph cluster_swan { |
||
66 | label = "StrongSWAN domain"; |
||
67 | { rank=same; |
||
68 | ipsec [label="Linux kernel\nIPsec"]; |
||
69 | charon [color=blue]; |
||
70 | } |
||
71 | charon -> ipsec [label="netlink", color=blue]; |
||
72 | } |
||
73 | subgraph cluster_erlang { |
||
74 | label = "Erlang domain"; |
||
75 | { rank=same |
||
76 | gtp [label="Linux kernel\nGTP"]; |
||
77 | ePDG [color="blue"]; |
||
78 | } |
||
79 | ePDG -> gtp [label="netlink", color=blue]; |
||
80 | } |
||
81 | PGW; |
||
82 | UE; |
||
83 | |||
84 | UE -> ipsec [label="ESP/UDP"]; |
||
85 | ipsec->gtp [label="kernel IP stack"]; |
||
86 | gtp -> PGW [label="S2b (GTPv1U)", color=red]; |
||
87 | } |
||
88 | }} |
||
89 | |||
90 | 16 | laforge | h3. At system startup |
91 | |||
92 | * set the various routes |
||
93 | * on @epdg@ node |
||
94 | 17 | laforge | ** osmo-epdg creates the @gtp0@ net-device (in GTP_ROLE_SGSN) via netlink |
95 | 16 | laforge | * on @epc@ node |
96 | ** open5gs-upf creates the @tun0@ net-device |
||
97 | |||
98 | h3. When a user authenticates via IPsec |
||
99 | |||
100 | * on @epdg@ node |
||
101 | ** osmo-epdg creates a new GTP tunnel entry within the GTP link |
||
102 | 18 | laforge | *** GTPA_PEER_ADDRESS/ADDR6 = pgw-ip |
103 | *** GTPA_MS_ADDRESS/MS_ADDR6 = ue-ip (inner) |
||
104 | *** GTPA_I_TEI = epdg-teid |
||
105 | *** GTPA_O_TEI = pgw-teid |
||
106 | 16 | laforge | * on @epc@ node |
107 | ** open5gs-upf creates a new GTP tunnel entry within its internal state tables |
||
108 | |||
109 | h3. Uplink traffic (e.g. from UE to P-CSCF) |
||
110 | |||
111 | * one @epdg@ node |
||
112 | ** IPsec-encapsulated traffic from the UE side enters as IPv6-in-ESP-in-UDP-in-IP[v4/v6] on the public/internet-facing side |
||
113 | ** kernel-IPsec (configured by strongswan) will transform (decrypt, ...) the traffic |
||
114 | *** we configure strongswan to mark the ipsec-originated traffic with a certain fwmark |
||
115 | ** traffic with that fwmark is routed (using a statically configured @ip rule@) towards the @gtp0@ net-device (created by osmo-epdg at startup) |
||
116 | ** linux kernel GTP tunnel module |
||
117 | *** looks up the in-kernel table to determine destination TEID and destination IP address based on the MS-side source address |
||
118 | *** encapsulates packet in GTP header and sends it through the in-kernel UDP socket to the PGW |
||
119 | * on the @epc@ node |
||
120 | ** (open5gs-)pgw matches inbound packet based on (dest-ip + TEID) with its internal state table |
||
121 | ** (open5gs-)pgw decapsulates packet from GTP header |
||
122 | ** (open5gs-)pgw exposes inner IPv6 packet on @tun0@ net-device |
||
123 | ** linux kernel routes packet towards P-CSCF (inner IPv6 dest IP address as originally set by UE) |
||
124 | * on the @ims@ node |
||
125 | ** linux kernel routes packet towards local P-CSCF socket |
||
126 | |||
127 | h3. Downlink traffic (e.g. from P-CSCF to UE) |
||
128 | |||
129 | * on @ims@ node |
||
130 | ** IPv6 packet from P-CSCF is sent to UE IPv6 address |
||
131 | ** large network route (for all UE) points towards @epc@ node |
||
132 | * on @epc@ node |
||
133 | ** traffic to UE IPv6 is routed into @tun0@ net-device |
||
134 | ** (open5gs-)pgw looks up destination-ip and TEID |
||
135 | ** (open5gs-)pwg encapsulates packet with GTP-U header and sends it via UDP socket |
||
136 | ** linux kernel routes it towards the ePDG |
||
137 | * on @epdg@ node |
||
138 | ** linux kernel routes GTP packet to locally bound UDP socket and detects the kernel GTP driver is bound to that socket |
||
139 | ** linux kernel GTP driver performs lookup based on dest-ip and TEID |
||
140 | ** linux kernel de-capsulates GTP packet and exposes inner packet on @gtp0@ net-device |
||
141 | ** linux kernel IPsec code applies transformation (crypto) and ESP-in-UDP-encapsulation |
||
142 | * packet is routed towards UE |
||
143 | 5 | lynxis | |
144 | h2. Authentication |
||
145 | |||
146 | !ipsec_auth.png! |
||
147 | |||
148 | 3 | laforge | h2. 3GPP Interfaces and Procedures |
149 | 2 | laforge | |
150 | h3. ePDG |
||
151 | |||
152 | 20 | pespin | h4. IKEv2 to UE |
153 | |||
154 | * TS 33.402 section 8 |
||
155 | * TS 24.302 chapter 7 |
||
156 | 23 | pespin | * RFC 4187 |
157 | 25 | pespin | * RFC 4301 |
158 | 24 | pespin | * RFC 4555 |
159 | 23 | pespin | * RFC 5996 |
160 | 22 | pespin | * RFC 7296 |
161 | 1 | laforge | |
162 | 6 | lynxis | h4. S2b to PGW (GTPv2C) [TS 29.274] |
163 | 2 | laforge | |
164 | h5. Create Session Request / Response |
||
165 | |||
166 | h5. Delete Session Request / Response |
||
167 | |||
168 | h5. Modify Bearer Request / Respone (not needed?) |
||
169 | |||
170 | h5. Modify Bearere Command (not needed?) |
||
171 | |||
172 | h5. Bearer Resource Command (not needed?) |
||
173 | |||
174 | h5. Create Bearer Request / Response |
||
175 | |||
176 | h5. Update Bearer Request / Response (not needed?) |
||
177 | |||
178 | |||
179 | 9 | pespin | h4. SWm to AAA (DIAMETER) [3GPP TS 29.273] |
180 | 2 | laforge | |
181 | h5. Diameter-EAP-Request (DER) / Diameter-EAP-Response (DEA) |
||
182 | |||
183 | h5. Diameter-AA-Request (AAR) / Diameter-AA-Response (AAA) |
||
184 | |||
185 | h5. Session-Termination-Request (STR) / Session-Termination-Answer (STA) |
||
186 | |||
187 | h5. Re-Auth-Requst (RAR) / Re-Auth-Answer (RAA) |
||
188 | |||
189 | h5. Abort-Session-Request (ASR) / Abort-Session-Answer (ASA) |
||
190 | |||
191 | 12 | pespin | h4. SWu to UE (IKEv2, ESP) [3GPP TS 33.402] |
192 | 2 | laforge | |
193 | 11 | pespin | * Related: https://fabricioapps.blogspot.com/2017/10/untrusted-non-3gpp-ip-access-swu-ikev2.html |
194 | 2 | laforge | |
195 | h4. Gxb to PCRF (not needed?) |
||
196 | |||
197 | h3. 3GPP AAA Server |
||
198 | |||
199 | 10 | pespin | h4. SWx to HSS (DIAMETER) [3GPP TS 29.273 sec 8, 3GPP TS 23.402 sec 12] |
200 | 2 | laforge | |
201 | h5. Push-Profile-Request (PPR) / Push-Profile-Answer (PPA) |
||
202 | |||
203 | h5. Registration-Termination-Request (RTR) / Registration-Termination-Answer (RTA) |
||
204 | |||
205 | h5. Multimedia-Auth-Request (MAR) / Multimedia-Auth-Answer (MAA) |
||
206 | |||
207 | 7 | pespin | * 3GPP TS 29.273 8.2.2.1 |
208 | 8 | pespin | * https://www.etsi.org/deliver/etsi_ts/129200_129299/129273/17.06.00_60/ts_129273v170600p.pdf |
209 | 7 | pespin | * https://dstest.info/DiaDict/Dictionary/Multimedia-Auth-Request_SWx.html |
210 | |||
211 | 2 | laforge | h5. Server-Assignment-Request (SAR) / Server-Assignment-Answer (SAA) |
212 | |||
213 | 13 | pespin | h4. S6b to PGW (DIAMETER) [3GPP TS 29.273 sec 9] |
214 | 2 | laforge | |
215 | 13 | pespin | * https://osmocom.org/issues/6229 |
216 | 2 | laforge | |
217 | h4. SWm to ePDG (DIAMETER) |
||
218 | |||
219 | 1 | laforge | see above. |
220 | 3 | laforge | |
221 | 4 | lynxis | h3. custom Interfaces / Procedures |
222 | |||
223 | 19 | lynxis | h4. CEAI / GSUP |
224 | 4 | lynxis | |
225 | 19 | lynxis | All messages must contain the TLV message class using the value IPSEC_EPDG / 5. |
226 | 1 | laforge | |
227 | 19 | lynxis | h5. Send Authentication Information Request |
228 | |||
229 | * Request the Auth Tuples to authenticate a UE. osmo-epdg will use SWx to request the information from the HSS. |
||
230 | * Direction: Send from strongswan to osmo-edpg |
||
231 | 26 | lynxis | * TLV: |
232 | ** IMSI |
||
233 | ** PDP Information (APN, PDP Type) |
||
234 | ** Auth Related TLV |
||
235 | 19 | lynxis | |
236 | h5. Send Authentication Information Result |
||
237 | |||
238 | * Direction: Send from osmo-epdg to strongswan |
||
239 | |||
240 | h5. Send Authentication Information Error |
||
241 | |||
242 | * Direction: Send from osmo-epdg to strongswan |
||
243 | |||
244 | |||
245 | h5. Update Location Request |
||
246 | |||
247 | * Authorization of the UE to use the ePDG and requested APN/PGW. osmo-epdg will use SWx to update the HSS and authorize in the same request the UE + APN/PGW. |
||
248 | * Direction: Send from strongswan to osmo-edpg |
||
249 | |||
250 | h5. Update Location Result |
||
251 | |||
252 | * Direction: Send from osmo-epdg to strongswan |
||
253 | |||
254 | h5. Update Location Error |
||
255 | |||
256 | * Direction: Send from osmo-epdg to strongswan |
||
257 | |||
258 | |||
259 | h5. Tunnel Request |
||
260 | |||
261 | * strongswan ask the osmo-epdg to create the GTP Tunnel towards the PGW. |
||
262 | * Direction: Send from strongswan to osmo-edpg |
||
263 | |||
264 | h5. Tunnel Result |
||
265 | |||
266 | * Direction: Send from osmo-epdg to strongswan |
||
267 | |||
268 | h5. Tunnel Error |
||
269 | |||
270 | * Direction: Send from osmo-epdg to strongswan |
||
271 | 1 | laforge | |
272 | 21 | pespin | h5. Purge MS Request |
273 | 1 | laforge | |
274 | 21 | pespin | * strongswan asks the osmo-epdg to tear down the UE session due to UE disconnection (close ipsec tunnel). |
275 | * Direction: Send from strongswan to osmo-epdg |
||
276 | 1 | laforge | |
277 | 21 | pespin | h5. Purge MS Result |
278 | |||
279 | * Direction: Send from osmo-epdg to strongswan |
||
280 | |||
281 | h5. Purge MS Error |
||
282 | |||
283 | * Direction: Send from osmo-epdg to strongswan |
||
284 | |||
285 | h5. Cancel Location Request |
||
286 | |||
287 | * The HSS/PGW asked to terminate the session since the UE moved somewhere else. |
||
288 | * Direction: Send from osmo-epdg to strongswan |
||
289 | |||
290 | h5. Cancel Location Result |
||
291 | |||
292 | * Direction: Send from strongswan to osmo-epdg |
||
293 | |||
294 | h5. Cancel Location Error |
||
295 | |||
296 | 19 | lynxis | * Direction: Send from strongswan to osmo-epdg |
297 | |||
298 | h4. Related information links |
||
299 | 15 | pespin | |
300 | * https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/21-23/PGW-Admin/21-23-pgw-admin/21-16-PGW-Admin_chapter_011001.html |