Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. 1
SP WiFi Packet Core Integration
Sergei Gotchev, MITG CSE; Djordje Vulovic, Sales SE
March 21, 2012, Belgrade
Business drivers for SP Wi-Fi
Overall WiFi Architecture
Wi-Fi Components
MPC Integration
[Chart: global mobile data traffic in TB/month, 2009–2014, showing 26x growth. Categories: Mobile VoIP, Mobile Gaming, Mobile P2P, Mobile Web/Data, Mobile Video; share labels on the chart: 66%, 17%, 8%, 5%, 4%, with Mobile Video the largest share. Source: Cisco Visual Networking Index (VNI) Global Mobile Data Forecast, 2009–2014]
[Chart: mobile service revenue in $B, 2010–2014, split into Voice, Messaging and Data]
[Chart: mobile traffic in PB, 2010–2014, split by Smartphone, Tablet and Data Card]
Device Innovation & Impact
• Smartphones
• Tablets
• e-Readers
[Chart, source Agilent: log-scale growth 1990–2015 of spectrum, average macro cell efficiency and macro capacity, compared with the 26x traffic growth]
Future networks supporting mobile Internet traffic will need to be able to seamlessly integrate many more smaller cells.
• Optimization – increases network capacity and reduces 3G data traffic overload by offloading traffic to SP Wi-Fi.
• Monetization – creates new revenue streams by taking advantage of advanced technology that provides secure delivery of location-based services to mobile devices.
• Churn Reduction – expands the physical footprint with a cost-effective Wi-Fi solution to keep customers on the service provider network as they move from home to the train to the office.
Business drivers for SP Wi-Fi
Overall WiFi Architecture
Wi-Fi Components
MPC Integration
Uncontrolled – No SP involvement; user-driven offload via an unmanaged device.
Home/SOHO Dual SSID (Community) – SP provides a dual-SSID home device with a private and a public (community) SSID.
Hot Spot / Hot Zone – SP-installed and managed hot spots in malls, restaurants, hotels, …
High Density Wireless – SP-installed and managed hot spots in high-density user areas (stadiums, …).
Metro / Mesh – SP installs and manages outdoor Wi-Fi for coverage of large, dense urban areas.
Enterprise Guest Access – Enterprise guest access managed by the SP.
[Diagram: SP Wi-Fi deployment models in four columns. Metro: portal, L2 (.1Q), CoA, services, ISG, L3/L3VPN, AAA, Cisco AR, pre-standard 802.11r fast roaming. Hotspot: portal with WISPr 1.0, L3VPN, CoA, services, ISG, L3/L3VPN, ASR 1K subscriber control, Cisco AR, autonomous AP with local SSID/services. Residential: portal, ASR 1K, CoA, services, ISG, L2TP, 3rd-party CPE, L2/L3, LNS, CAR, AAA. Client Centric: ASR 5K, services, GGSN, IKEv2/IPsec, 3rd-party iWLAN clients, GTP, TTG, Cisco Access Registrar, EAP-SIM/EAP-AKA, untrusted/BYO Wi-Fi, AZR]
[Diagram: operator types – mobile service provider (MSP) with a 3G/4G Mobile Packet Core, fixed service provider (FSP) with fixed broadband infrastructure, and the converged operator (M + F) combining both]
[Diagram: integration layers – Access, Backend and Packet Core Integration, with on-net and off-net Internet access]
[Diagram: SP Wi-Fi access and packet core integration options. Access: User Equipment, APs and WLC, with the MAG function either on the AP (AP/MAG) or on the WLC (WLC/MAG), connected over L2 (.1Q) or L3. Backend: PMIPv6 or GTP to the LMA and subscriber policy enforcement, with IPsec where the access is untrusted, then to the Internet]
[Diagram: Cisco Wi-Fi access platforms by deployment. Stadium / Large Venue: 6500/WiSM-2 or 5508 WLC (Unified), AP3500/3600/3500p; SMB Managed AP (Grayling): AP1140/1260/3500 (autonomous/HREAP); Indoor Hotspot: AP1140/1260/3500/3600 (autonomous/HREAP), WLC cluster of Flex7500 (HREAP), 5508 or 6500/WiSM-2; Metro Wi-Fi: AP1550 (Unified); managed by the Network Control System (NCS). Backend as in the previous diagram: MAG, GTP/PMIPv6, LMA, subscriber policy enforcement, IPsec, Internet]
Business drivers for SP Wi-Fi
Overall Architecture
SP Wi-Fi Components
MPC Integration
[Diagram: end-to-end SP Wi-Fi solution components. Access sites: SMB managed AP, 3G/4G macro site, stadium / large venue, indoor hotspot, residential managed AP, metro Wi-Fi with IP backhaul, and consumer broadband as secure Wi-Fi backhaul. Network: Wireless LAN Controller (WLC, also on premise for local content), Wireless Control System (WCS), UCS, Cisco ASR 1000 and Cisco ASR 5000 (WAG) in the IP core, partner network and MSP credentials, out to the Internet]
All client-less and client-based configurations supported
[Diagram: devices over trusted Wi-Fi, untrusted Wi-Fi and 3G cellular into the IP core and Mobile Packet Core, with converged per-subscriber policy, charging and billing systems; multiple applications run simultaneously on the session-centric operating system of the ASR 5000]
Trusted Wi-Fi, clientless options:
• IPSG (IP): un-tunneled user data (IP)
• MAG (PMIPv6): per-user PMIPv6 tunnel to the GGSN / P-GW
• eWAG (GTPv1): per-user GTP tunnel to the GGSN
Untrusted Wi-Fi, secure client-based option:
• iWLAN: per-user IPsec tunnel to the TTG, then a per-user GTP (Gn) tunnel to the GGSN
Clientless 3GPP2: per-user PMIPv6 tunnel to the HSGW / P-GW
Business drivers for SP Wi-Fi
Overall Architecture
SP Wi-Fi Components
MPC Integration
• The IP Services Gateway (IPSG) is a device capable of providing managed services to IP flows.
• The IPSG is situated on the network side of legacy, non-service-capable subscriber management devices such as the WLC.
• The IPSG can provide per-subscriber services such as enhanced charging, stateful firewall, traffic performance optimization, and others.
• No replacement of the existing access gateways
• No need for ISG subscriber management
• No need for a client on the device
• The Wi-Fi infrastructure must be trusted – 802.1x for authentication and Wi-Fi encryption are required
• AAA needs to cache some parameters (MAC, IMSI, MSISDN)
• The IP address is allocated in the Wi-Fi network and must be from the same address space as the MPC
• For mobility, a Home Agent (HA) is required, based on Mobile IP (TS 23.327) or PMIP
[Diagram: IPSG deployment. Trusted Wi-Fi access network (WLC; WISPr 1 / web login / EAP-SIM/AKA) into the IPSG on an ASR 5000, which applies secured DPI, mobile charging, mobile policy and mobile services using the same backend as the mobile network – AAA/Portal, HLR, OCS, PCRF and CGF over Gx, Gy and Ga; RADIUS traffic from the WLC; legacy GGSN reached via Gn/SGSN from eNB/NB, Gi, HA; on-net content, WAP GW, off-net Internet via NAT-FW]
IPSG call flow with 802.1x / EAP authentication. Participants: Client, AP, WLC, AAA, DHCP, IPSG, Internet, HLR/HSS. Protocols: 802.11(x), CAPWAP, RADIUS, DHCP, IP.
1. 802.1x between Client and AP, and between AP and WLC
2. RADIUS from WLC to AAA
3. EAP negotiation
4. EAP authentication / authorization (AAA with HLR/HSS); user record cached at the AAA
5. DHCP Discover from the Client
6. DHCP Discover forwarded by the WLC
7. DHCP Offer
8. DHCP Request / ACK
9. Acct Start from WLC to AAA
10. IP traffic from the Client
11. RADIUS Acc from AAA to IPSG
12. RADIUS Acc response; user authorized and service profile downloaded; session created on the IPSG
13.–14. IP traffic through the IPSG to the Internet
IPSG call flow with MAC authentication. Participants: Device, AP+WLC, DHCP/Router, IPSG, Broadhop Portal, SuM, QNS/AAA. All subscriber devices' MAC addresses are provisioned along with MSISDN, W-APN and Charging Characteristics and activated on the SuM server.
1. Association between Device and AP+WLC
2. RADIUS Access Request (MAC Auth) from the WLC to QNS/AAA; RADIUS Access Req (username = MAC) from QNS to SuM
3. RADIUS Access Accept (MSISDN, W-APN, Charging Characteristics) from SuM; RADIUS Access Accept to the WLC
4. Association Response
5. DHCP via the DHCP/Router
6. RADIUS Accounting Start (Calling-user-ID = MAC, Framed-IP-Address) from the WLC to QNS/AAA
7. RADIUS Accounting Start from QNS/AAA to the IPSG (Framed-IP-Address = IPv4, Called-Station-ID = W-APN, Calling-Station-ID = MSISDN, 3GPP-Charging-Characteristics = 16 bits, 3GPP-IMEISV = MAC address)
8. IPSG builds state for the IP address
9. Gx CCR-I (Subscription-ID = MSISDN) from the IPSG; Gx CCA-I: policy to apply
10. IP traffic
IPSG call flow with portal (web) login. Participants: Device, AP+WLC, DHCP/Router, IPSG, Broadhop Portal, SuM, QNS. All subscriber authentication credentials, i.e. username and password, are provisioned along with MSISDN, W-APN and Charging Characteristics and activated on the SuM server. The external branded-portal.com is configured on the IPSG.
1. Open Association; DHCP
2. IPSG builds state for the IP address
3. Device requests http://www.google.com; IPSG answers http 302 to branded-portal.com; Device requests http://branded-portal.com
4. Portal sends the branded portal page including <script type="text/javascript" src=https://ngs-ip/sites/js/SCRIPT_NAME> </script>
5. Post Credential; RADIUS Access Request (Username, Password, Calling-station-ID = MAC, Framed-IP-Addr) from the Portal; RADIUS Access Req (username, password) from QNS to SuM
6. RADIUS Access Accept (MSISDN, W-APN, Charging Characteristics) from SuM; RADIUS Access Accept to the Portal
7. RADIUS Accounting Start to the IPSG (Framed-IP-Address = IPv4, Called-Station-ID = W-APN, Calling-Station-ID = MSISDN, 3GPP-Charging-Characteristics = 16 bits, 3GPP-IMEISV = MAC address)
8. IPSG removes the redirect rule
9. Gx CCR-I (Subscription-ID = MSISDN); Gx CCA-I: policy to apply
10. IP traffic
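The IPSG requirements and the MAC-auth and portal call flows above, modelled as an added example (not code from the Cisco deck): session state keyed by the subscriber IP, created only from the Accounting-Start attributes the AAA forwards, a redirect rule that stays in place until portal login succeeds, and a drop for any source IP with no session. Attribute names follow the flow; the policy strings, method names and sample values are constructed.

```python
"""Added example, not code from the Cisco deck: a minimal model of IPSG session
state for the MAC-auth and portal-login call flows. State is keyed by the
subscriber's IP address and built only from the RADIUS Accounting-Start that the
AAA forwards (Framed-IP-Address, Called-Station-Id = W-APN, Calling-Station-Id =
MSISDN, 3GPP-Charging-Characteristics, 3GPP-IMEISV = MAC). A portal session keeps
its HTTP redirect rule until login succeeds. Policy strings and sample values are
constructed for this example."""
from dataclasses import dataclass


@dataclass
class Session:
    msisdn: str
    w_apn: str
    charging_characteristics: str
    mac: str
    authenticated: bool
    policy: str = ""                 # filled in by the Gx CCA-I answer


class IPSG:
    def __init__(self, portal_url: str):
        self.portal_url = portal_url
        self.sessions = {}           # Framed-IP-Address -> Session

    def accounting_start(self, attrs: dict, authenticated: bool = True) -> Session:
        """Build state for the IP address from the Accounting-Start attributes."""
        ip = attrs["Framed-IP-Address"]
        self.sessions[ip] = Session(
            msisdn=attrs["Calling-Station-Id"],
            w_apn=attrs["Called-Station-Id"],
            charging_characteristics=attrs["3GPP-Charging-Characteristics"],
            mac=attrs["3GPP-IMEISV"],
            authenticated=authenticated)
        return self.sessions[ip]

    def gx_ccr_i(self, ip: str) -> dict:
        """CCR-I towards the PCRF carries the MSISDN as Subscription-Id."""
        return {"Subscription-Id": self.sessions[ip].msisdn}

    def gx_cca_i(self, ip: str, policy: str) -> None:
        """CCA-I from the PCRF: the policy to apply to this session."""
        self.sessions[ip].policy = policy

    def portal_login_ok(self, ip: str) -> None:
        """Access-Accept after Post Credential: remove the redirect rule."""
        self.sessions[ip].authenticated = True

    def accounting_stop(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def classify(self, src_ip: str, dst_port: int) -> str:
        """What the IPSG does with an uplink packet from src_ip."""
        s = self.sessions.get(src_ip)
        if s is None:
            return "drop"            # no session: never build state from data packets
        if not s.authenticated:
            # pre-login: only HTTP is answered, with a 302 to the branded portal
            return f"redirect:{self.portal_url}" if dst_port == 80 else "drop"
        return f"forward:{s.policy or 'default'}"
```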
• PDG – the Packet Data Gateway provides 3GPP TS 23.234 WLAN-to-3GPP interworking.
• TTG – the Tunnel Termination Gateway enables PDG functionality for existing GGSN deployments and provides PDG functionality to the subscriber UEs in the WLAN.
• An iWLAN UE client is required to support integration of access over Wi-Fi into the mobile packet core based on the 3GPP iWLAN architecture.
• Seamless mobility via Home Agent, based on Client Mobile IP or PMIP from the GGSN
• The main iWLAN client functions:
  • Connection management to select the access type
  • User authentication while connecting over Wi-Fi
  • Creating a secure tunnel while connecting over Wi-Fi
  • Optional Mobile IP tunnel to provide session persistence during inter-access mobility
  • Optional policy management to control the behavior of the client
• Seamless mobility via Home Agent, based on Mobile IP (TS 23.327) or PMIP
[Diagram: TTG / iWLAN deployment. Untrusted Wi-Fi AP with an i-WLAN client on the device; IPsec from the client to the TTG on the convergent gateway, then Gn to the GGSN and HA; NB/SGSN on the mobile side; AAA/Portal, HLR, OCS, PCRF and CGF over Gx, Gy and Ga; DPI, mobile charging, mobile policy and mobile services; on-net content, WAP GW, Gi/IP to the Internet and off-net via NAT-FW]
• Wi-Fi attachment and authentication depend on the capabilities of the Wi-Fi AP (WISPr 1.0 / 2.0)
• IKEv2 authentication is based on EAP-SIM
TTG call flow. Participants: Device, AP+WLC, TTG, CAR, HLR, GGSN.
1. Wi-Fi attachment
2. Wi-Fi authentication (Wi-Fi credentials; TTG address returned)
3. IKEv2 authentication (EAP-SIM) between Device and TTG, with CAR and HLR
4. IKEv2/IPsec SA establishment (IPsec tunnel Device–TTG)
5. GTP tunnel establishment to the GGSN: IP address allocation, PDP context establishment (GTP tunnel TTG–GGSN)
• New gateway allowing clientless Wi-Fi integration into the Packet Core, interfacing with the GGSN
• The Wi-Fi infrastructure must be trusted – 802.1x for authentication and Wi-Fi encryption are required
• eWAG provides the interface between Wi-Fi and the existing GGSN – the Wi-Fi session terminates on the GGSN via the Gn' interface
• Existing MPC infrastructure is reused – PCRF, OCS, billing, LI
• eWAG only interfaces to AAA and GGSN – no other MPC integration is needed
• AAA needs to cache some parameters (MAC, IMSI, MSISDN)
• DHCP or a RADIUS Accounting Request from the UE triggers the eWAG session
• The UE is allocated an IP address from the MPC space
• Layer 3 IP or GRE datapath to the eWAG
• Seamless mobility via Home Agent, based on Mobile IP or PMIP from the GGSN
[Diagram: eWAG deployment on an ASR 5K. Wi-Fi AP and WLC; EAP-SIM/AKA via an AAA proxy to the mobile AAA and HLR; DHCP in the Wi-Fi IP address space; the eWAG maps between the Wi-Fi and MPC address spaces and connects over Gn' to the GGSN; NB/SGSN on the mobile side; OCS, PCRF and CGF over Gx, Gy and Ga; on-net content and Internet, off-net via NAT-FW]
eWAG call flow (EAP-SIM). Participants: Device, AP+WLC, DHCP/Router, eWAG, GGSN, HLR, CAR, ITP. All subscriber-authorized IMSIs are provisioned, as well as the IMSI-to-MSISDN mapping.
1. Open Association
2. EAP Request/ID; EAP ID Response; RADIUS Access Request (username = EAP ID, calling station ID = MAC) from the WLC to CAR
3. EAP-SIM method: CAR sends RADIUS Access Request (VSA map:getauthinf) to the ITP, which performs MAP SEND AUTH INFO Req/Res with the HLR and returns RADIUS Access Accept (VSA map:authtriplet)
4. RADIUS Access Accept (EAP Success) to the WLC; EAP SUCCESS to the Device
5. DHCP via the DHCP/Router
6. RADIUS Accounting Start (Calling-user-ID = MAC, Framed-IP-Address) from the WLC to CAR; CAR caches the mapping between IMSI, MAC address and SSID
7. RADIUS Accounting Start from CAR to the eWAG (Calling-user-ID = MAC, Framed-IP-Address, Starent VSAs: User-Name = MSISDN@SSID, Framed-IP-Addr)
8. Data packet (Src IP = IP1); eWAG builds state for the IP1 address
9. Create PDP Ctx Req from the eWAG to the GGSN; Create PDP Ctx Res (IP2)
10. eWAG builds the IP1 <-> IP2 mapping (IP1 <-> IP2 NAT)
11. Data packet (Src IP = IP2) over the GTP tunnel to the GGSN, then out on Gi
eWAG call flow with a per-Wi-Fi GRE tunnel on the ASR 5K. Participants: UE, Wi-Fi (AP/WLC), ASR5K eWAG, GGSN, CAR, HSS/HLR. A GRE tunnel per Wi-Fi network carries the traffic to the eWAG.
1. Wi-Fi attach
2. EAP: EAP-Req/Identity, EAP-Resp/Identity, EAP-Challenge, EAP-Response, EAP-Accept, with the eWAG acting as RADIUS proxy towards CAR and HSS/HLR
3. DHCP: Discover, Offer, Request, Acknowledge
4. GTP: Create PDP cntx (IMSI, MSISDN; APN from configuration) to the GGSN; Create PDP cntx Ack with the IP address for the Wi-Fi client
5. End-user IP "session" on the Wi-Fi side, PDP context on the GGSN side, Gi connection to the Internet / enterprise
The ASR5K "glues" the DHCP session to the corresponding PDP context based on a) the source IP address, or b) the sub-channel ("Key") ID inside the GRE tunnel.
EAP RADIUS messages are proxied by the 5K to obtain the association between client MAC address and IMSI/MSISDN.
AAA configuration @ WLC?
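The eWAG behaviour in the two call flows above, as an added example (not code from the Cisco deck): the EAP/RADIUS proxy caches which MAC address and SSID belong to which IMSI, DHCP/Accounting-Start triggers the Create PDP Context towards the GGSN, and the eWAG NATs between the Wi-Fi address IP1 and the MPC address IP2 on the GTP tunnel. The stand-in GGSN, the APN and all identifiers are constructed; a MAC with no cached IMSI gets no session.

```python
"""Added example, not code from the Cisco deck: a model of eWAG session setup.
The eWAG proxies the EAP/RADIUS exchange to learn which Wi-Fi MAC (per SSID)
belongs to which IMSI, uses the provisioned IMSI-to-MSISDN mapping, and on
DHCP/Accounting-Start creates a PDP context on the GGSN, which returns IP2 from
the MPC space. Traffic is then NATed between IP1 and IP2 on the GTP tunnel.
The stand-in GGSN, the APN and all identifiers are constructed."""
from dataclasses import dataclass


@dataclass
class PdpContext:
    teid: int          # GTP tunnel endpoint id, constructed
    ip2: str           # UE address in the MPC address space


class FakeGGSN:
    """Stand-in GGSN: answers Create PDP Ctx Req with an MPC-space address."""
    def __init__(self):
        self.next_host = 0

    def create_pdp_context(self, imsi: str, msisdn: str, apn: str) -> PdpContext:
        self.next_host += 1
        return PdpContext(teid=0x1000 + self.next_host, ip2=f"10.200.0.{self.next_host}")


class EWAG:
    def __init__(self, ggsn: FakeGGSN, apn: str, imsi_to_msisdn: dict):
        self.ggsn = ggsn
        self.apn = apn                          # APN from configuration
        self.imsi_to_msisdn = imsi_to_msisdn    # provisioned on the AAA
        self.mac_to_imsi = {}                   # (MAC, SSID) -> IMSI, cached from proxied EAP
        self.nat = {}                           # IP1 -> (IP2, TEID)
        self.reverse = {}                       # IP2 -> IP1

    def eap_access_accept(self, mac: str, ssid: str, imsi: str) -> None:
        """RADIUS proxy saw EAP-SIM/AKA succeed: cache the MAC/SSID-to-IMSI association."""
        self.mac_to_imsi[(mac, ssid)] = imsi

    def accounting_start(self, mac: str, ssid: str, ip1: str):
        """DHCP / Accounting-Start triggers the PDP context; unknown MAC -> no session."""
        imsi = self.mac_to_imsi.get((mac, ssid))
        if imsi is None or imsi not in self.imsi_to_msisdn:
            return None
        ctx = self.ggsn.create_pdp_context(imsi, self.imsi_to_msisdn[imsi], self.apn)
        self.nat[ip1] = (ctx.ip2, ctx.teid)     # build the IP1 <-> IP2 mapping
        self.reverse[ctx.ip2] = ip1
        return ctx

    def uplink(self, src_ip1: str, payload: bytes):
        """Wi-Fi -> Gn': rewrite the source to IP2 and select the GTP tunnel, or drop."""
        if src_ip1 not in self.nat:
            return None                         # no PDP context for this address
        ip2, teid = self.nat[src_ip1]
        return {"teid": teid, "src": ip2, "payload": payload}

    def downlink(self, dst_ip2: str, payload: bytes):
        """Gn' -> Wi-Fi: rewrite the destination back to IP1."""
        ip1 = self.reverse.get(dst_ip2)
        return None if ip1 is None else {"dst": ip1, "payload": payload}
```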
[Diagram: EPC with Wi-Fi. eUTRAN (eNodeB) over S1/S1u to MME and SGW, S11 between MME and SGW, S5 to the PGW, SGi to the operator IP service domain; WLAN clients via the ePDG over SWn, SWm to the AAA, S6b, Gx/Gxc to the PCRF and Gy to the OCS; ANDSF; HSS]
eNodeB – simplified and flattened RAN with IP to the edge
• Radio resource management, incl. handovers
• Interacts with MME for all signaling plane processing
• Exchanges user plane traffic with Serving GW
Serving GW – data plane anchoring for 3GPP access networks with 2G/3G interworking
• Anchor point for 3GPP IP access networks only (2G/3G/LTE)
• Processes all IP packets to/from UE
• Controlled by MME
• Uses network-based mobility towards PDN GW (GTP or PMIPv6)
MME – E-UTRAN control plane with 2G/3G interworking
• Handles all signaling traffic (no user plane traffic)
• Interacts with eNodeB and Serving GW to control tunnels, paging, etc.
• Interacts with HSS for user authentication, profile download, etc.
• Interacts with SGSN for 2G/3G
PDN GW – subscriber-aware data plane anchoring for all access networks
• Common anchor point for all IP access networks (3GPP and non-3GPP)
• Assigns/owns IP address for UE (v4/v6)
• Processes all IP packets to/from UE
• Can be in home and/or visited network
ePDG – EPC point of attachment for untrusted IP access networks
• IPsec to UE for EPC connectivity
• Network-based mobility towards PDN GW (PMIPv6)
[Diagram: Wi-Fi attachment options to the EPC: S2a PMIPv6 from the MAG in trusted Wi-Fi to the PGW; SWu IPsec/IKEv2 from the client to the ePDG and S2b to the PGW; S2c DSMIPv6 (over IPsec for untrusted access) from the client to the PGW; LTE via SGW and S5; AAA (SWm, S6b), PCRF (Gx, Gxc), OCS (Gy), HSS, ANDSF, SGi to the operator IP service domain]
• Untrusted Wi-Fi access
  SWu + S2b – IPsec tunnel to the ePDG, switched to PMIPv6 to the PGW
  S2c – DSMIPv6 over IPsec
• Trusted Wi-Fi access (802.1x over the air)
  S2a – PMIPv6 infrastructure tunnel from the MAG in Wi-Fi to the PGW
  S2c – DSMIPv6 tunnel from the device to the PGW
Wi-Fi attachment and authentication message flow, untrusted access (SWu + S2b). Participants: UE, AP, WLC, ISG/MAG, Portal, eNodeB, ePDG, MME, SGW, PGW, PCRF, AAA, ANDSF, DHCP, HSS.
1. IKEv2 SA Init (UE to ePDG)
2. IKEv2 SA RSP
3. IKEv2 AUTH REQ
4. DER[EAP Payload, User ID, APN] (ePDG to AAA); 4a. user profile and AVs (authentication vectors) fetched from the HSS
5. DEA[EAP Request, AKA Challenge]
6. IKEv2 AUTH RSP; UE runs AKA computations
7. IKEv2 AUTH REQ
8. DER[EAP Response, AKA Challenge]
9. DEA[EAP Success, Key, IMSI]
10. IKEv2 AUTH RSP; ePDG computes the Auth payload based on the key
11. IKEv2 AUTH REQ; ePDG checks auth correctness
12. PBU (ePDG to PGW); 12a. update PGW address and fetch subscriber profile
13. PBA
14. IKEv2 AUTH RSP; ePDG calculates Auth
Result: SWu IPsec tunnel UE–ePDG and S2b PMIPv6 tunnel ePDG–PGW; user Wi-Fi session anchored on the PGW.
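The "computes Auth payload based on key" and "checks auth correctness" steps above, and the same IKEv2 EAP-SIM step in the TTG flow, as an added example (not code from the Cisco deck): the IKEv2 AUTH payload after EAP, per RFC 7296 sections 2.15 and 2.16, where the shared secret is the EAP MSK that the AAA returns in DEA[EAP Success, Key]. Assumptions: prf = HMAC-SHA-256, SK_pi is taken as an input (the SKEYSEED/DH derivation is omitted), and all message bytes are constructed samples.

```python
"""Added example, not code from the Cisco deck: how the UE and the TTG/ePDG
(or the PGW for S2c) derive and check the IKEv2 AUTH payload after EAP-SIM/AKA,
per RFC 7296 sections 2.15 and 2.16. The shared secret is the EAP MSK from
DEA[EAP Success, Key], so only the peer holding the (U)SIM-derived key completes
the IPsec SA, and any change to the IKE_SA_INIT message is detected.
Assumptions: prf = HMAC-SHA-256; SK_pi is an input (SKEYSEED/DH derivation is
omitted); all message bytes are constructed samples."""
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"      # fixed pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def initiator_signed_octets(ike_sa_init_req: bytes, nonce_r: bytes,
                            sk_pi: bytes, idi_payload: bytes) -> bytes:
    """RealMessage1 | NonceRData | MACedIDForI, where MACedIDForI = prf(SK_pi, RestOfInitIDPayload)."""
    return ike_sa_init_req + nonce_r + prf(sk_pi, idi_payload)


def auth_payload(msk: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>); Shared Secret = EAP MSK."""
    return prf(prf(msk, KEY_PAD), signed_octets)


def ue_auth(msk: bytes, ike_sa_init_req: bytes, nonce_r: bytes,
            sk_pi: bytes, idi_payload: bytes) -> bytes:
    """UE side (step 11 of the flow): AUTH carried in the final IKE_AUTH request."""
    return auth_payload(msk, initiator_signed_octets(ike_sa_init_req, nonce_r, sk_pi, idi_payload))


def gateway_check(msk: bytes, ike_sa_init_req_seen: bytes, nonce_r: bytes,
                  sk_pi: bytes, idi_payload: bytes, received_auth: bytes) -> bool:
    """Gateway side: recompute from the message it saw and the MSK from the AAA; constant-time compare."""
    expected = auth_payload(msk, initiator_signed_octets(ike_sa_init_req_seen, nonce_r, sk_pi, idi_payload))
    return hmac.compare_digest(expected, received_auth)
```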
Wi-Fi attachment message flow, S2c (DSMIPv6), with the UE assigned an IP address in the WLAN network. Participants: UE, AP, WLC, ISG/MAG, Portal, eNodeB, ePDG, MME, SGW, PGW, PCRF, AAA, ANDSF, DHCP, HSS.
1. IKEv2 SA Init (UE to PGW)
2. IKEv2 SA RSP
3. IKEv2 AUTH REQ
4. DER[EAP Payload, User ID, APN]; 4a. user profile and AVs (authentication vectors) fetched from the HSS
5. DEA[EAP Request, AKA Challenge]
6. IKEv2 AUTH RSP; UE runs AKA computations
7. IKEv2 AUTH REQ
8. DER[EAP Response, AKA Challenge]
9. DEA[EAP Success, Key, IMSI]
10. IKEv2 AUTH RSP; PGW computes the Auth payload based on the key
11. IKEv2 AUTH REQ; PGW checks auth correctness and calculates Auth
12. IKEv2 AUTH RSP
13. DSMIPv6 BU
14. DSMIPv6 BA
Result: S2c DSMIPv6 tunnel; user Wi-Fi session anchored on the PGW.
UE AP WLC ISG/MAG Portal eNodeB ePDG MME SGW PGW PCRF AAA ANDSF DHCP HSS
1. PBU(IMSI-NAI, APN)
3 PBA
S2a: PMIPv6 tunnel
User WiFI session anchored on PGW
Device connected to Trusted WLAN access and
authenticated
2.Update PGW
Address & Fetch
User Profile
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
UE AP WLC ISG/MAG Portal eNodeB ePDG MME SGW PGW PCRF AAA ANDSF DHCP HSS
1. PBU(IMSI-NAI, APN)
2. PBA(IMSI-NAI, APN)
S2a: PMIPv6 tunnel
User WiFI session anchored on PGW
UE Attached to LTE over S5. GTP
UE Moves over to WLAN gets authenticated and attaches to
trusted WLAN access
2.Update PGW
Address & Fetch
User Profile
PGW detects handover based on IMSI, APN and switches the
call to WLAN access
3. DBR
4. DBR
5.DBR
6.DBR
PGW starts releasing the EPS bearer
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
• Full range of integration options for end-to-end architectures to accommodate various Wi-Fi deployment and ownership models
  Trusted Wi-Fi – 802.1x over the air and network-based tunnels to the core network (PMIPv6)
  Untrusted Wi-Fi – client-based IPsec to the TTG/ePDG
• Layered architecture to transparently deliver current and future services
  Basic connectivity and offload with intra-access mobility
  Intelligence and policy control over offload criteria
• Easy migration from 3G to 4G integration via software upgrade
• Solution elements
  Leading Wi-Fi solution
  TTG/ePDG on the ASR 5000, a leading platform supporting a rich set of services and seamless mobility
  Client strategy leveraging the partner ecosystem, combined with Cisco's own client heritage
Thank you.