Overview Systems Interworking Architecture Tatiana Issaeva Presentation goes thought the goals, concepts and architecture of the PP/ Interworking and explain how operators services are accessed by a PP terminal: Goals and Concepts of PP/ Interworking PP/ Interworking scenarios Reference Architecture for - Interworking 6 scenarios from - Interworking Present status of -PP standardization Introduction Mass-market public wireless access has typically been provided by cellular systems owned by cellular operators. Third-generation cellular systems provide wide coverage and nearly universal roaming with improved data capacity and can offer data rates up to 2 Mb/s and above But Wireless LAN () deployments are becoming increasingly prevalent Wireless LAN installments take place in locations like companies, coffee shops, airports or hotels Currently based systems are emerging as a new means for public wireless access systems already offer bit rates surpassing those of systems, but are found lacking with respect to roaming, mobility support and lack of sufficient security measures and architecture beyond basic radio access systems are great for hot spot coverage, while systems provide global coverage and the necessary network and management infrastructure to cater for security, roaming, and charging requirements Integration of the two systems aims to combine them such that their best features are kept intact and their weaknesses mediated by the companion system PP and Systems The Third Generation Partnership Project (PP) is a global specification organization for telecommunication Its original mandate was to produce a global specification for a mobile system within the framework set by the International Telecommunication Union (ITU) called International Mobile Telecommunications 2000 (IMT-2000). Cellular system being specified within PP, known as the Universal Mobile Telecommunications System (UMTS), has a new radio system and access network, extensive support for packet data and multimedia, and provides a host of other higher-layer services. UMTS has excellent characteristics in terms of coverage, mobility and roaming. network architecture Systems Node B UTRAN BTS GERAN RNC BSC SGSN -Network (PS domain) CS domain TDM (HLR) CSCF GGSN MRF MGW MGCF Internet Intranet PSTN PLMN PP IMS is a cable replacement technology. Unlike the PP system architecture, there is no existing formal standard for a access network architecture nor for a typical public access system. system provides typical user equipment such as a laptop computer or PDA with means to move freely within the borders of coverage while maintaining connectivity to the user s local area network As for the standards used today, the 11 Mb/s IEEE802.11b working in the 2.4 GHz industrial, scientific, and medical (ISM) band is the de facto standard. There are newer standards offering higher data rates up to 54Mb/s that will very likely complement and possibly even replace IEEE802.11b, such as 5 GHz IEEE802.11a [4] or its 2.4 GHz version, IEEE802.11g [5]. From the system point of view, the consequences of these upgrades are limited mostly to the radio interface as higher layers remain untouched.
A de facto system A de facto system Authentication and authorization is one basic prerequisite for providing connectivity and other services via a system. To realize these functions an authentication, authorization, and accounting () server and a user database are required. An server is typically a RADIUS server used for authentication, authorization, and accounting for subscribers of a system. The subscribers user identities such as login names, shared secrets like passwords, and user profiles can be stored in the user database. The database is accessed from the server over the backbone network using the Lightweight Directory Access Protocol (LDAP) as the de facto standard. Legacy authentication and authorization is done using Web browsers. When the user starts his/her Web browser, its first request is redirected into a system HTTP server and a landing Web page is displayed. The user is prompted to enter login name and password. The password can be static, limited time, or even generated ad hoc (using, e.g., SecureID technology). Similarly, users can be prompted to input their credit card number and pay for the connection without establishing a more lasting relationship with the system operator. With the advent of IEEE802.1x and IEEE802.11i standards, authentication is moving to a higher, more user-friendly, more secure level that is also utilized for PP interworking Need for - Interworking PP/ Interworking concepts Cellular operators face the need to extend service coverage to new complementary accesses such as Therefore interworking and integration solutions between the existing public wireless access systems, such as cellular networks, and the new complementary access systems, s, are being developed. Ideally, operators would want the subscription management, roaming, and security facilities of a system and the hot spot capacity and low investment cost of systems PP has recently also taken the initiative to develop a cellular - interworking architecture, as an add-on to the existing PP cellular system specifications to be published with PP Release 6 and Release 7 specifications. The main driver is to enable PP system operators to provide public access as an integral component of their total service offering to their cellular subscribers. PP aims to create a complete set of specifications for interworking to facilitate the emergence of a competitive open multivendor business environment for driving public access toward a mass market business. Definition of the interworking architecture in the PP is currently ongoing, and major portions of the architecture work have already been done Nevertheless there are still a lot of issues, which remain unresolved. PP/ interworking architecture do not rely on the specifics of the access network and existing de facto access equipment can be used as such for PP interworking PP system operators have a large established customer base and elaborated customer care, charging, and billing systems, and a proven, robust, and scalable system for distributing and maintaining security modules and UICC smart cards containing Subscriber Identity Module (SIM)/Universal SIM (USIM) applications Most cellular operators already provide access and services over their packet-switched core network (PS CN) domain and wide-area cellular radio access networks. They use SIM/USIM for security control and maintain a user database, including security components and service profiles, in their home subscriber servers (). s together with the already distributed SIM/USIM smart cards and established global roaming agreements between PP system operators form the largest operational security system in the world to date. On top of this, it is in the interest of cellular operators not to compromise their current security level by adding a new interworking domain. Given this requirement, the customer base, proven security track record, and developed tools for maintaining the system, it seems obvious that there are significant benefits in reusing the subscription system for interworking access. -PP Service Scenarios The interworking levels have been categorized into six hierarchical service scenarios [TS 22.934]: Scenario 1 - Common Billing and Customer Care Single customer relationship Customer receives one bill from the usage of both cellular & services Scenario 1 has been declared out of scope for PP. Scenario 2 - PP system based Access Control and Charging Authentication, authorization and accounting () are provided by the PP system, for access Scenario 3 - Access to PP system Packet-switched (PS) based services The same services provided by PS core can be accessed by Scenario 4 - Service Continuity Services supported in scenario 3 survive an inter-system handover between and PP. The change of access may be noticeable to the user. Scenario 5 - Seamless Services Seamless service continuity between the access technologies. Scenario 6 - Access to PP Circuit-switched (CS) Services CS core network services supported over Scenario 6 could not find any use case. The hierarchical concept of scenarios implies that higher scenarios shall reuse the functionalities of the lower scenarios Scenario 2 - PP system based Access Control and Charging Authentication, authorization and accounting () are provided by the PP system. The security level of these functions applied to is in line with that of the PP system. This ensures that the user does not see significant difference in the way access is granted. This may also provide means for the operator to charge access in a consistent manner over the two platforms. Use case : Angus Lagavulin is PP subscriber who needs a more secure way of accessing the than user name and password. Angus s home PP operator modifies his PP user profile to include access and Angus purchases a NIC equipped with a UICC associated with his PP account. Angus is authenticated on the from the credentials on the UICC but does not have access to PP services other than those he can normally access from the Internet. Use case: Jack Daniels is a PP subscriber and wants to access PP packet switched services and service without having to swap NIC s in his laptop. Jack purchases a dual mode (PP/) NIC. Jack can access PP and service using separate sessions without changing any hardware.
PP- interworking architecture for Scenario 2 W a : terminal + U(SIM) card Wa, : access authentication ( protocols) : Home Subscriber server Wx: interface to Scenario 2: direct access To reuse PP subscription, PP interworking terminals will need access to UICC smart cards with SIM/USIM applications ( ). Interworking standard refers to IEEE 802.11i to implement the authentication, access control, and key agreement functions The functionality of Scenario 2: authentication, authorization and charging is done using authentication, authorization and accounting () infrastructure, reusing user credentials from in the home network. Authentication always performed in the home network in PP Server. From an signaling point of view PP- interworking is always a roaming case, where the subscription related infrastructure is provided by the PP system, and the accessed system provides actual access for the roaming user. Once the user has been successfully authenticated and authorized for network access, the access network grants the access to an network. In scenario 2, the network is the public Internet, and the user data is directly routed from the access network to the Internet. EAP-SIM / EAP AKA authentication EAPOL - AN 802.1x Wa proxy EAP over Diameter/Radius Serve r Wx/D / HLR Diameter/M AP Authorization information and authentication vectors needed in the authentication protocols are stored by the. Scenario 2: protocols EAP protocol operation: authentication procedure RADIUS is an authentication, authorization, and accounting () protocol that is widely used in Internet access networks. For user authentication, RADIUS can function as an EAP transport. RADIUS has several limitations in the areas of security, robustness, roaming support, and serverinitiated operations. DIAMETER, the successor protocol to RADIUS, is currently being specified in the IETF to overcome these limitations. Extensible Authentication Protocol (EAP) itself does not specify the actual authentication and key agreement protocol, but it provides a wrapper or framework for any multi-round-trip authentication protocol to be transported. EAP supports multiple authentication mechanisms and it is equipped to handle new authentication mechanisms as extension EAP types, or EAP methods. A separate EAP method specification for each authentication method is required. Because EAP is an end-to-end protocol, the access point or other intermediate elements do not need to know the details of each authentication and key agreement protocol; it is sufficient that the server and implement the same EAP method. Scenario 2 is completed in Release 6 PP specs. Wa and message flow for Session Authentication and Authorization using Diameter EAP-AKA and EAP SIM PP Proxy PP Server In order to be able to reuse the USIM/SIM-based authentication algorithms, two new EAP methods, EAP SIM and EAP AKA, have been specified for PP- interworking EAP authentication is initiated between and 1. Wa: Diameter_EAP_Request (EAP Response/Identity(NAI)) 2. : Diameter_EAP_Request (EAP Response/Identity(NAI)) 3. :Diameter_EAP_Answer 4. Wa: Diameter_EAP_Answer (EAP Resquest) 5. Wa: Diameter_EAP_Request (EAP Response) 6.: Diameter_EAP_Request (EAP Response) 2N :Diameter_EAP_Answer (EAP Success, Authorization 2N+Wa: Diameter_EAP_Answer Info, Session Keying Material) (EAP Success, Authorization Info, Session Keying Material EAP SIM: specifies an authentication and key agreement protocol based on the GSM SIM algorithms. Although it is based on the GSM authentication protocol, it includes several important enhancements to extend the GSM mechanisms with mutual authentication and longer session key derivation. EAP SIM also includes mechanisms for identity hiding using temporary identifiers, or pseudonyms, and a fast reauthentication procedure EAP AKA : encapsulates the UMTS Authentication and Key Agreement (AKA) within EAP. Because UMTS AKA natively supports mutual authentication and strong key derivation, EAP AKA is a more or less faithful encapsulation of the UMTS mechanisms into EAP EAP AKA includes the same identity hiding and fast reauthentication functions as EAP SIM
15. 1. 4. 18. 2255. 25. Authentication based on EAP AKA scheme PP / AN -serv HLR 2. EAP Request/Identity 3. EAP Response/Identity [NAI based on a pseudonym or IMSI] 5. EAP Response/Identity [NAI based on a pseudonym or IMSI] 6. 7. EAP Request/AKA -Identity [Any identity] 8. EAP Request/AKA -Identity [Any identity] 9. EAP Response/AKA - Identity [Identity] 10. EAP Response/AKA -Identity [Identity] 11. 12.. 13. EAP Request/AKA - Challenge [RAND, AUTN, MAC, Protected pseudonym, Next re -auth id, Result ind] 14. EAP Request/AKA - Challenge [RAND, AUTN, MAC, Protected pseudonym, Next reauth id, Result ind] 16. EAP Response/AKA -Challenge [RES, MAC, Result ind] 17. EAP Response/AKA - Challenge [RES, MAC, Result ind] 19. EAP- Request/AKA -Notification [Success notification ] 20. EAP- Request/AKA -Notification [Success notification ] Scenario 3 - Access to PP system PS based services The goal of this scenario is to allow the operator to extend PP system PS based services to the. These services may include, for example, APNs, IMS based services, location based services, instant messaging, presence based services, MBMS and any service that is built upon the combination of several of these components Even though this scenario allows access to all services, it is an implementation question whether only a subset of the services is actually provided. However, service continuity between the PP system part and the part is not required. Use case : Jose Cuervo is a PP subscriber and wants to access to his PP packet switched services, e.g MMS, that he cannot normally access through the Internet. Jose has a dual mode NIC in his laptop and is able to receive his MMS through the or PP system. Scenario 3 is completed in Release 6 PP specs. 21. EAP- Response/AKA - Notification 22. EAP -Response/AKA -Notification 24. EAP Success 23. EAP Success + keying material PP- interworking architecture for Scenario 3 Access Gateway (WAG): policy enforcement and charging in the visited (roaming) network Wa Packet Data Gateway (): access to packet based services, VPN concentrator, charging, service authorization, address allocation Wa, : access authentication ( protocols) Wu: VPN tunnel between terminal and Wi: interface to Packet Data Networks Scenario 3: PP access Scenario 3 is realized with an end-to-end tunnel between the user equipment (), and a GGSN-like gateway, Packet Data Gateway in the home network to divert the complete user plane through the operator network. On Wu interface and Packet Data Gateway run IKEv2 protocol to establish sec tunnel and protect user data packets transmitted This arrangement allows for offering the same services to the users behind Gi as to those behind Wi reference point The home or visited operator may want to provide services that are accessible only in a private network, not over the public Internet: Multimedia Messaging Service (MMS), Wireless Application Protocol (WAP), and PP Multimedia Subsystem (IMS). On top of that, the tunnel establishment is cryptographically independent of the access authentication and thus, reusable for other accesses as well. Wu Sec tunnel EAP-SIM/EAP AKA over IKE_v2 EAP over Diameter Services Serve r Protocol stack between and -Initiated tunnel establishment Remote AN WAG Remote AN WAG PP Server/Proxy Visited PP Server Home Remote Layer The remote layer is used by the to be addressed in the external packet data networks (i.e. on the Wi reference point). On this layer, the is addressed by its remote address and the packets are exchanged between the and an external entity. The routes the remote packets without modifying them. Tunnelling layer The tunnelling layer consists of a tunnelling header, which allows end-to-end tunnelling between a and a. It is used to encapsulate packets with the remote layer. When encapsulated packets are encrypted, the tunnelling header contains a field which is used to identify the peer and decrypt the packets. Layer Tunneling layer The transport layer is used by the intermediate entities/networks and AN in order to transport the remote layer packets. Tunneling layer 1. local address allocation and Access Authentication and Authorization 2. W-APN resolution and tunnel establishment to in Visited PLMN 2.1 DNS query: 2.3 Retrieving Authentication 2.2 End-to-end tunnel establishment and Authorization data 2.4 Tunnel packet flow filter exchange 3. W-APN resolution and tunnel establishment to in Home PLMN 3.1 DNS query: 3.2 End-to-end tunnel establishment 3.4 Tunnel packet flow filter exchange 3.3 Retrieving Authentication and Authorization data
Tunnel full authentication and authorization with EAP over IKEv2 PP /HLR -Serv 1. IKE_SA_INIT [Headers, Sec.associations, D-H values, Nonces] 2. IKE_AUTH Request [Header, User ID, Configuration Payload, Sec.Associations, Traffic selectors, W-APN] 3. Authentication-Request/Identity[User ID] 4. User profile and AVs retrieval if needed. 5. EAP-Request/AKA(SIM)-Challenge 6. IKE_AUTH Response [Header, ID, Certificate, AUTH, EAP-Request/AKA(SIM)-Challenge] access to PP IMS 2G CS domain BTS BSC TDM GERAN 2G PSTN PLMN 7. IKE_AUTH Request [Header, EAP-Response/AKA(SIM)-Challenge] 8. EAP-Response/AKA(SIM)-Challenge 9. Authentication-Anwer/EAP-Success + keying meterial 9a. Authorization-Request/Identity[W-APN] 9b. Check in user s subscription if tunnel is allowed 9c. AA-response 10. AUTH payload is computed using the keying material (MSK) Node B RNC UTRAN AP 2G SGSN -Network (PS domain) (HLR) CSCF GGSN MRF MGW MGCF PP IMS 11.IKE_AUTH Response [Header, EAP-Success] 12.IKE_AUTH Request [AUTH] AP Access Router WAG Internet Intranet 13.IKE_AUTH Response [Header, AUTH, Configuration Payload, Sec.Associations, Traffic selectors] 14. Delete old IKE SA address allocation, P-CSCF discovery Service authentication and authorization IMS signaling IMS Registration through PP/ Interworking Architecture from PP TS 23.234 AP DNS 1. association at L1/2 2. Access Authentication at server 3. Obtain local address from 4. Retrieve address 5. Establish tunnel to 6. Obtain remote address and discover P-CSCF 7. Set-up security association between and P-CSCF DNS P-CSCF S-CSCF access network Intranet / Internet Access Network Ww Wn WAG PP Access Wp Wu Packet Data Gateway Wi Wa PP Visited Network PP Wf CGw/CCF Proxy Wm Wg Wo OCS PP Home Network Dw D' / Gr' Wf SLF PP Wx Server HLR CGw/CC F Access Gateway (WAG): policy enforcement and charging in the visited (roaming) network Packet Data Gateway (): access to packet based services, VPN concentrator, charging, service authorization, address allocation Wa, : access authentication ( protocols) Wu: VPN tunnel between terminal and Wi: interface to Packet Data Networks 8. IMS registration and session set-up Mobile core network Scenario 4 - Service Continuity The goal of this scenario is to allow the services supported in Scenario 3 to survive a change of access between and PP systems. The change of access may be noticeable to the user, but there will be no need for the user/ to reestablish the service. There may be a change in service quality as a consequence of the transition between systems due to the varying capabilities and characteristics of the access technologies and their associated networks. It is also possible that some services may not survive, as the continuing network may not support an equivalent service. Change in service quality may be a consequence of mobility between radio access technologies, due to varying capabilities and characteristics of radio access technologies. Use case : Jari Finlandia is a PP subscriber who travels frequently and has a PDA equipped with a and PP transceiver. Jari would like to be able to move freely about airports and hotels without having to establish a PP session when he moves out or range of the. Jari s PDA can switch between PP and as required based on the parameters (e.g. QOS) in his profile on the same session. However, Jari may experience brief interruptions in data flow during the transitions between PP and. PP has initiated work on Release 7 contents and Scenario 4 will most likely be part of it At the moment there is not much progress on it, there is no decision yet even on architecture level for providing session mobility The criteria and decision mechanism for change of access network is also under investigation Scenario 4 architecture One possible solution to realize session mobility is to utilize Mobile layer. Any layer on top of should not notice the fact that handoff has occurred, except from the fact that the link parameters (bandwidth, RTT) have changed, and possibly also some handoff latency. Handoff is triggered when the M client detects changes in availability of the access technology (e.g. link up/down events). needs to support Mobile client and Home Agent is needed as part of operators home network + Mobile Wu Sec tunnel EAP-SIM/EAP AKA over IKE_v2 Serve r EAP over Diameter M? HA Packet Data
Scenario 5 - Seamless services PP specifications on - interworking The goal of this scenario is to provide seamless service continuity between the access technologies, for the services supported in Scenario 3. By seamless service continuity is meant minimizing aspects such as data loss and break time during the switch between access technologies. Use case : Seamus Bushmills is a PP subscriber with a multimedia terminal that includes Vo capability. Seamus spends a lot of time in places with service and would like to utilise for his multimedia calls when possible. However, Seamus is on the go and may need to leave the area with in the middle of a call. Seamus would like to maintain his multimedia and Vo sessions when he leaves coverage without noticeable interruption. Seamus purchased a card for his terminal, and can switch between PP and as necessary without interrupting the session. This is a long term issue, similar to Scenario 4 PP TR 22.934, Feasibility study on PP system to Wireless Local Area Network () interworking. PP TS 23.234, PP System to Wireless Local Area Network () Interworking, System Description, Release 6. PP TR 22.234 v 6.2.0, Requirements on PP system to Wireless Local Area Network () interworking PP TS 29.234, PP system to Wireless Local Area Network () interworking; Stage 3 PP TS 33.234, security; Wireless Local Area Network () interworking security PP TR 23.836, Quality of Service (QoS) and policy aspects of PP - Wirless Local Area Network () interworking Conclusion PP standards have now means for cellular operators to intergate s as one possible access technology to their service offering - interworking is independent of technology used and utilizes PP based accounting, charging and authorization The inter-system mobility issues between and systems are still unresolved Other references K. Ahmavaara, H. Haverinen, R. Pichna, Interworking Architecture Between PP and Systems, IEEE Communications Magazine,Vol41, No. 11, pp.74-88, November 2003. Geir M. Køien and Thomas Haslestad, Security Aspects of - Interworking, IEEE Communications Magazine, vol. 41, no. 11, Nov 2003 pp. 82-88. November 2003.