X.S0059-100-0_v1.0_100216

cdma2000 Femtocell Network: X.S0059-100-0 v1.0

Packet Data Network Aspects



CONTENTS

1 Introduction ... 1
1.1 Scope ... 1
2 References ... 2
2.1 Normative References ... 2
2.2 Informative References ... 4
3 FAP Network Connectivity Procedures ... 5
3.1 General ... 5
3.2 Tunnel Management Procedures ... 5
3.2.1 Discovery and Selection of SeGW from FAP ... 5
3.2.2 Tunnel Establishment ... 6
3.2.3 Tunnel Disconnection ... 7
3.3 Authentication and Authorization ... 8
3.3.1 Authentication Procedures ... 8
3.4 FAP Auto-configuration ... 9
3.4.1 FMS Discovery ... 9
3.4.2 FAP Auto-configuration Procedures ... 10
3.4.3 Location Determination of the FAP ... 10
3.5 Quality of Service (QoS) Considerations ... 11
3.5.1 CHILD_SA ... 11
3.5.2 Reverse Link Packet Classifier in FAP ... 12
4 Mobility Management ... 13
5 Local IP Access for HRPD ... 14
6 Remote IP Access ... 15
6.1 General ... 15
6.2 Discovery and Selection of SeGW by MS ... 16
6.2.1 MS Requirements ... 16
6.2.2 SeGW Requirements ... 17
6.2.3 Femtocell AAA Requirement ... 17
6.2.4 Home AAA Requirements ... 17
6.3 Remote IP Access Tunnel Establishment ... 17
6.3.1 IKEv2 PSK Key Generation ... 18
6.3.2 MS Requirements ... 18
6.3.3 SeGW Requirements ... 20
6.3.4 Home AAA Requirements ... 22
6.3.5 FAP Requirements ... 23
6.4 IP Traffic Processing for Remote IP Access ... 23
6.4.1 MS Requirements ... 23
6.4.2 FAP Requirements ... 24
6.4.3 SeGW Requirements ... 24
6.5 Tunnel Disconnection ... 25
6.5.1 MS Procedures ... 25
6.5.2 SeGW Requirements ... 25
6.5.3 Home AAA Requirements ... 25
6.5.4 FAP Requirements ... 25
7 Accounting ... 26
8 RADIUS Considerations ... 27
8.1 RADIUS Attributes between SeGW and Femtocell AAA for FAP Authorization ... 27
8.2 RADIUS Attributes between SeGW and HAAA for RIPA ... 27
8.3 RADIUS Vendor Specific Attributes ... 29
8.3.1 Session-Key-Method ... 29
8.3.2 RIPA-Info ... 29
9 Diameter Considerations ... 31
9.1 Diameter Applications and Commands ... 31
9.1.1 FAP Authorization ... 31
9.1.2 RIPA Authentication ... 31
9.2 Diameter AVPs ... 35
9.2.1 Master-Security-Association ... 36
9.2.2 Session-Key-Nonces ... 36
9.2.3 RIPA-Info ... 37
9.3 Experimental Result-Code AVP Values ... 37
9.3.1 Permanent Failures ... 37
A Annex – Call Flow Examples (Informative) ... 38
A.1 Femtocell Network Connectivity Call Flow ... 38
A.1.1 Femtocell Network Connectivity Call Flow without Redirection ... 38
A.1.2 Femtocell Network Connectivity Call Flow with Redirection to Serving System ... 39
A.2 SeGW Discovery ... 41
A.3 FAP-SeGW IPsec Tunnel Establishment ... 41
A.4 Remote IP Access Call Flows ... 44
A.4.1 Redirection Based SeGW Discovery with EAP Authentication ... 44
A.4.2 Redirection Based SeGW Discovery with IKEv2 PSK Authentication ... 45
A.4.3 Tunnel Establishment for Remote IP Address with EAP Authentication ... 46
A.4.4 Tunnel Establishment for Remote IP Access with IKEv2 PSK Authentication ... 48

LIST OF FIGURES

Figure 1 Example of Security Associations and associated QoS classes of traffic with two SAs ... 11
Figure 2 IP Access Bearer and Interfaces ... 14
Figure 3 Femtocell Remote IP Access Architecture ... 15
Figure 4 Session-Key-Method VSA ... 29
Figure 5 RIPA-Info VSA ... 29
Figure 6 Femtocell Network Connectivity Call Flow without Redirection ... 38
Figure 7 Femtocell Network Connectivity with Redirection ... 40
Figure 8 SeGW Discovery ... 41
Figure 9 IPsec Tunnel Establishment ... 42
Figure 10 Redirection Based SeGW Discovery with EAP Authentication ... 44
Figure 11 Redirection Based SeGW Discovery with IKEv2 PSK Authentication ... 45
Figure 12 Tunnel Establishment for Remote IP Access with EAP Authentication ... 47
Figure 13 Tunnel Establishment for Remote IP Access with IKEv2 PSK Authentication ... 49

LIST OF TABLES

Table 1 Additional Parameters in A10 Connection Setup Airlink Fields ... 26
Table 2 Additional Parameters in PDSN UDR ... 26
Table 3 Additional Accounting Parameter Attribute RADIUS Definitions ... 26
Table 4 Meaning of the Request, Accept, Reject, Challenge columns of Table 5 and Table 6 ... 27
Table 5 RADIUS Attributes exchanged between the SeGW and the Femtocell AAA for FAP Authorization ... 27
Table 6 RADIUS Attributes exchanged between the SeGW and the HAAA ... 28
Table 7 Diameter Command Codes for FAP Authorization ... 31
Table 8 Diameter Command Codes for EAP based IKEv2 ... 32
Table 9 Diameter Command Codes for PSK based IKEv2 ... 33
Table 10 Meaning of the Request, Answer columns ... 35
Table 11 Diameter AVP exchanged between the SeGW and the HAAA ... 35

REVISION HISTORY

Revision   Date           Remarks
1.0        January 2010   Initial Publication

FOREWORD

(This foreword is not part of this Standard.)

This document was prepared by 3GPP2 TSG-X.

This document is a new specification.

This document is part of a multi-part document consisting of multiple parts that together describe the specifications for the cdma2000 femtocell network.

This document is subject to change following formal approval. Should this document be modified, it will be re-released with a change of release date and an identifying change in version number as follows:

X.S0059-100-X-n

where:

• X is an uppercase numerical or alphabetic character [A, B, C, …] that represents the revision level.

• n is a numeric string [1, 2, 3, …] that indicates a point release level.

This document uses the following conventions:

• “Shall” and “shall not” identify requirements to be followed strictly to conform to this document and from which no deviation is permitted.

• “Should” and “should not” indicate that one of several possibilities is recommended as particularly suitable, without mentioning or excluding others, that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.

• “May” and “need not” indicate a course of action permissible within the limits of the document.

• “Can” and “cannot” are used for statements of possibility and capability, whether material, physical or causal.

1 Introduction

This document provides packet data specifications for the HRPD and 1x packet data Femtocell network.

1.1 Scope

This series of documents defines packet data specifications for an HRPD and 1x packet data Femtocell network that can support existing services provided by HRPD and 1x. This revision of the Femtocell network specification provides the following capabilities:

• FAP-SeGW Tunnel Management
• FAP Authentication and Authorization
• FAP Auto-Configuration
• FAP Remote IP Access
• Mobility Management
• Accounting Enhancements
• Femto Local IP Access for HRPD

2 References

2.1 Normative References

This section provides references to other specifications and standards that are necessary to implement this document.

[1] 3GPP2: A.S0024-0 v1.0, Interoperability Specification (IOS) for Femtocell Access Points, TBD.
    [Editor Note: The above document is a work in progress and should not be referenced unless and until it is approved and published. Until such time as this Editor's Note is removed, the inclusion of the above document is for informational purposes only.]

[2] 3GPP2: X.S0011-D v2.0, cdma2000 Wireless IP Network Standard, November 2008.

[3] 3GPP2: X.P0044-0 v1.0, MIPv4 Enhancements, TBD.
    [Editor Note: The above document is a work in progress and should not be referenced unless and until it is approved and published. Until such time as this Editor's Note is removed, the inclusion of the above document is for informational purposes only.]

[4] 3GPP2: X.S0047-0 v1.0, MIPv6 Enhancements, February 2009.

[5] 3GPP2: X.S0061-0 v1.0, Network PMIP Support, December 2008.

[6] 3GPP2: S.S0132, Femtocell Security Framework, TBD.
    [Editor Note: The above document is a work in progress and should not be referenced unless and until it is approved and published. Until such time as this Editor's Note is removed, the inclusion of the above document is for informational purposes only.]

[7] 3GPP2: X.S0059-200-0 v1.0, cdma2000 Femtocell Network: 1x and IMS Network Aspects, January 2010.

[8] 3GPP2: C.S0005, Upper Layer (Layer 3) Signaling Standard for cdma2000 Spread Spectrum Systems.

[9] 3GPP2: C.S0024, cdma2000 High Rate Packet Data Air Interface Specification.

[10] IETF: RFC 4306, Kaufman, ‘Internet Key Exchange (IKEv2) Protocol’, December 2005.

[11] IETF: RFC 3948, Huttunen et al., ‘UDP Encapsulation of IPsec ESP Packets’, January 2005.

[12] IETF: RFC 2406, Kent et al., ‘IP Encapsulating Security Payload (ESP)’, November 1998.

[13] IETF: RFC 5176, Chiba et al., ‘Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)’, January 2008.

[14] IETF: RFC 4005, Calhoun et al., ‘Diameter Network Access Server Application’, August 2005.

[15] Broadband Forum: TR-069 Amendment 2, CPE WAN Management Protocol v1.1, December 2007.

[16] 3GPP2: X.S0063-0 v1.0, Femtocell Management Object, TBD.
    [Editor Note: The above document is a work in progress and should not be referenced unless and until it is approved and published. Until such time as this Editor's Note is removed, the inclusion of the above document is for informational purposes only.]

[17] IETF: RFC 5280, D. Cooper et al., ‘Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile’, May 2008.

[18] IETF: RFC 1541, R. Droms, ‘Dynamic Host Configuration Protocol’, March 1997.

[19] IETF: RFC 3315, R. Droms et al., ‘Dynamic Host Configuration Protocol for IPv6 (DHCPv6)’, July 2003.

[20] IETF: Internet Draft ‘draft-ietf-ipsecme-ikev2-redirect-08.txt’, Devarapalli et al., ‘Redirect Mechanism for IKEv2’, April 2009.
    [Editor Note: The above document is a work in progress and should not be referenced unless and until it is approved and published. Until such time as this Editor's Note is removed, the inclusion of the above document is for informational purposes only.]

[21] IETF: RFC 5295, J. Salowey et al., ‘Specification for the Derivation of Root Keys from an Extended Master Session Key (EMSK)’, August 2008.

[22] National Institute of Standards and Technology: ‘Secure Hash Standard’, FIPS 180-2, with Change Notice 1 dated February 2004, August 2002.

[23] IETF: RFC 4187, J. Arkko, ‘Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)’, January 2006.

[24] IETF: RFC 3579, B. Aboba, P. Calhoun, ‘RADIUS Support for EAP’, September 2003.

[25] IETF: RFC 826, D. C. Plummer, ‘An Ethernet Address Resolution Protocol’, November 1982.

[26] IETF: RFC 2548, G. Zorn, ‘Microsoft Vendor-specific RADIUS Attributes’, March 1999.

[27] IETF: RFC 2401, S. Kent, ‘Security Architecture for the Internet Protocol’, November 1998.

[28] IETF: RFC 2865, C. Rigney et al., ‘Remote Authentication Dial In User Service (RADIUS)’, June 2000.

[29] IETF: RFC 3588, P. Calhoun et al., ‘Diameter Base Protocol’, September 2003.

[30] IETF: RFC 4072, P. Eronen et al., ‘Diameter Extensible Authentication Protocol (EAP) Application’, August 2005.

[31] IETF: draft-cakulev-ikev2-psk-diameter.
    [Editor Note: The above document is a work in progress and should not be referenced unless and until it is approved and published. Until such time as this Editor's Note is removed, the inclusion of the above document is for informational purposes only.]

[32] Broadband Forum: TR-106 Amendment 3, Data Model Template for TR-069-Enabled Devices, September 2009.

[33] Broadband Forum: TR-131, ACS Northbound Interface Requirements, November 2009.

2.2 Informative References

This section provides references to other documents that may be useful for the reader of this document.

3GPP2: A.S0017-D v1.0, Interoperability Specification (IOS) for cdma2000 Access Network Interfaces - Part 7 (A10 and A11 Interfaces), July 2007.

3GPP2: A.S0008-C v2.0, Interoperability Specification (IOS) for High Rate Packet Data (HRPD) Radio Access Network Interfaces with Session Control in the Access Network, January 2009.

3GPP2: A.S0009-C v2.0, Interoperability Specification (IOS) for High Rate Packet Data (HRPD) Radio Access Network Interfaces with Session Control in the Packet Control Function, January 2009.

3 FAP Network Connectivity Procedures

3.1 General

Before the FAP can serve the cdma2000®¹ MS, the FAP completes the neighborhood discovery (see [1]) and network connectivity procedures.

¹ cdma2000® is the trademark for the technical nomenclature for certain specifications and standards of the Organizational Partners (OPs) of 3GPP2. Geographically (and as of the date of publication), cdma2000 is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the United States.

Network connectivity procedures of the FAP include the following procedures:

• SeGW discovery and secure tunnel establishment procedures as described in section 3.2,
• FAP mutual authentication with the SeGW and the FAP authorization procedures as described in section 3.3,
• FAP auto-configuration procedures as described in section 3.4,
• 1x RTT capable FAP registration procedures as described in [7].

To be able to perform network connectivity procedures, the FAP needs to be configured by means outside the scope of this specification with the following minimum information:

• FEID and associated security parameters (see [6]),
• Home Domain Name.

In addition, the FAP can be pre-configured with the SeGW's FQDN(s) or IP address(es).

3.2 Tunnel Management Procedures

3.2.1 Discovery and Selection of SeGW from FAP

If the FAP needs to obtain the IP address of the SeGW, the FAP shall use the FQDN of the SeGW and DNS mechanisms to retrieve the IP address of the SeGW.

The FQDN may be pre-provisioned in the FAP; otherwise, the FAP shall perform the following, using the preconfigured home domain name, for SeGW discovery:

• If the FAP has obtained BASE_ID, NID and SID over the 1x air interface (see [8]), the FAP shall build the FQDN of the SeGW for the DNS request from labels carrying the BASE_ID, NID and SID values, followed by the fixed labels 1x.SeGW and the home domain name, where BASE_ID, NID and SID shall be encoded using hexadecimal uppercase ASCII characters.

• If the FAP has obtained the HRPD Subnet and HRPD SectorID over the HRPD air interface (see [9]), the FAP shall build the FQDN of the SeGW for the DNS request from labels carrying the HRPD Subnet and HRPD SectorID values, followed by the fixed labels HRPD.SeGW and the home domain name, where HRPD Subnet and HRPD SectorID shall be encoded as hexadecimal uppercase ASCII characters.

• If the FAP has obtained both the 1x and the HRPD parameters described above, the FAP shall build the FQDN based on either the 1x or the HRPD parameters as specified above, according to operator's policy.

• If neither 1x BASE_ID/NID/SID nor HRPD Subnet/SectorID is acquired over the air, the FAP shall build the FQDN using either the format default.1x.SeGW followed by the home domain name or the format default.HRPD.SeGW followed by the home domain name, according to operator's policy.

The FAP determines the IP address of the DNS server by means that are outside the scope of this specification.
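The four FQDN-building cases of section 3.2.1 as one function, added here as an example (not code from X.S0059-100-0 or from any FAP vendor). It assumes the label order BASE_ID.NID.SID for 1x and Subnet.SectorID for HRPD, 16-bit hex field widths for the 1x parameters, and the home domain name as the trailing label; the spec's own placeholder names for those labels are not reproduced on this page.

```python
"""SeGW FQDN construction for FAP-side DNS discovery (section 3.2.1).

Added example, not code from X.S0059-100-0. Assumed (not stated on this
page): 1x labels are ordered BASE_ID.NID.SID, HRPD labels Subnet.SectorID,
1x values are 16-bit, and the home domain name is the trailing label.
"""
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class AirParams:
    """Parameters a FAP acquired over the air during neighborhood discovery."""
    base_id: Optional[int] = None            # 1x BASE_ID (assumed 16-bit)
    nid: Optional[int] = None                # 1x NID (assumed 16-bit)
    sid: Optional[int] = None                # 1x SID (fits 16 bits)
    hrpd_subnet: Optional[bytes] = None      # HRPD Subnet, raw bytes
    hrpd_sector_id: Optional[bytes] = None   # HRPD SectorID, raw bytes

    def has_1x(self) -> bool:
        return None not in (self.base_id, self.nid, self.sid)

    def has_hrpd(self) -> bool:
        return self.hrpd_subnet is not None and self.hrpd_sector_id is not None


def _hex_label(value: Union[int, bytes], width: int = 0) -> str:
    """Encode a value as hexadecimal uppercase ASCII, as 3.2.1 requires.

    Out-of-range or over-long input is rejected, not truncated: a silently
    shortened label would make the FAP query a name it did not intend.
    """
    if isinstance(value, bytes):
        label = value.hex().upper()
    else:
        if value < 0 or value >= (1 << (4 * width)):
            raise ValueError("value does not fit the field")
        label = format(value, f"0{width}X")
    if not 1 <= len(label) <= 63:               # DNS label length limits
        raise ValueError("label length outside DNS limits")
    return label


def build_segw_fqdn(params: AirParams, home_domain: str,
                    policy_prefers_1x: bool = True) -> str:
    """Return the FQDN the FAP resolves to find its SeGW.

    Cases, in the order of section 3.2.1: 1x parameters, HRPD parameters,
    both (operator policy picks one), neither (default labels, policy picks
    1x or HRPD).
    """
    home = home_domain.strip(".")
    if not home:
        raise ValueError("home domain name must be configured")
    use_1x = params.has_1x() and (policy_prefers_1x or not params.has_hrpd())
    if use_1x:
        labels = [_hex_label(params.base_id, 4), _hex_label(params.nid, 4),
                  _hex_label(params.sid, 4), "1x", "SeGW"]
    elif params.has_hrpd():
        labels = [_hex_label(params.hrpd_subnet),
                  _hex_label(params.hrpd_sector_id), "HRPD", "SeGW"]
    else:
        labels = ["default", "1x" if policy_prefers_1x else "HRPD", "SeGW"]
    fqdn = ".".join(labels + [home])
    if len(fqdn) > 253:                          # DNS name length limit
        raise ValueError("FQDN too long")
    return fqdn
```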



3.2.2 Tunnel Establishment

The tunnel establishment message exchange to set up the IPsec tunnel between the FAP and the SeGW is shown in A.3.

3.2.2.1 FAP Requirements

The FAP shall support the IKEv2 procedure for key exchange and IPsec tunnel establishment with the SeGW. The FAP shall support NAT traversal per IKEv2 [10] and the UDP encapsulation of IPsec ESP in tunnel mode [11]. The FAP shall support IPv4 and may support IPv6 for the inner IP address. Upon selection of the SeGW, the FAP shall initiate the Internet Key Exchange [10] by sending an IKE_SA_INIT Request message to the SeGW in order to establish a secure IP tunnel with the SeGW. Upon receiving the IKE_SA_INIT Response message, the FAP shall send an IKE_AUTH Request to the SeGW.

Upon receiving the IKE_AUTH Response from the SeGW, the FAP shall establish an IPsec ESP tunnel to the SeGW according to [12].

3.2.2.2 SeGW Procedure

The SeGW shall support the IKEv2 procedure for key exchange and IPsec tunnel establishment with the FAP. The SeGW shall support NAT traversal per IKEv2 [10] and the UDP encapsulation of IPsec ESP packets [11]. The SeGW shall support both IPv4 and IPv6 as the inner IP address for the IPsec tunnel.

Upon receiving the IKE_SA_INIT Request message, the SeGW shall perform IKEv2 procedures by sending the IKE_SA_INIT Response message [10] in order to establish a secure IP tunnel with the FAP.

If the operator policy requires femtocell subscription authorization, then upon receiving the IKE_AUTH Request from the FAP and after successful authentication (see section 3.3), the SeGW shall send a RADIUS Access-Request or DIAMETER AAR command to the Femtocell AAA including an NAI which uses the FEID in FQDN format as the username in NAI format (i.e., FAP-FQDN@realm), to verify that the FAP identified by the FEID is authorized to provide service. If a RADIUS Access-Response or DIAMETER AAA command is received from the Femtocell AAA indicating successful authorization, the SeGW shall continue IKEv2 procedures by sending the IKE_AUTH Response to the FAP. If a RADIUS Access-Reject or a DIAMETER AAA with Experimental Result-Code AVP (see section 9.3) is received from the Femtocell AAA, the SeGW shall send an IKEv2 Notification message to the FAP indicating authorization failure.

Upon completion of the IKEv2 procedures, the SeGW shall establish an IPsec tunnel in ESP tunnel mode between itself and the FAP [12].

3.2.2.3 Femtocell AAA Requirements

The Femtocell AAA shall perform service authorization for the FAP if the operator's policy dictates so.

3.2.2.3.1 Diameter Authorization Procedures

Upon receipt of an AAR command, the Femtocell AAA shall check for the FAP authorization information. If there is no authorization information for the FAP (identified by FEID), the Femtocell AAA shall return the AAA command with the Experimental-Result-Code set to DIAMETER_ERROR_NO_FAP_AUTHORIZATION to the SeGW. If the Femtocell AAA has authorization information for the FAP, the Femtocell AAA shall send an AAA with DIAMETER_SUCCESS in the Result-Code AVP, indicating successful authorization, to the SeGW.

3.2.2.3.2 RADIUS Authorization Procedures

Upon receipt of a RADIUS Access-Request message from the SeGW, the Femtocell AAA shall check for the FAP authorization information. If there is no FAP authorization information for the FAP (identified by FEID), the Femtocell AAA shall return the RADIUS Access-Reject message to the SeGW. If the Femtocell AAA has authorization information for the FAP, the Femtocell AAA shall send the Access-Response message to the SeGW.
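The SeGW decision at IKE_AUTH from sections 3.2.2.2 and 3.2.2.3, modelled end to end for both the RADIUS and the Diameter case, as an added example (not code from X.S0059-100-0 or from any SeGW or AAA product). It assumes an in-memory authorization table in place of a real Femtocell AAA and uses a placeholder for the DIAMETER_ERROR_NO_FAP_AUTHORIZATION code, which section 9.3 defines and this page does not show.

```python
"""SeGW-side FAP authorization at IKE_AUTH (sections 3.2.2.2 and 3.2.2.3).

Added example, not code from X.S0059-100-0 or from any SeGW or AAA product.
The Femtocell AAA is modelled as an in-memory table keyed by FEID; the
Experimental-Result-Code value of DIAMETER_ERROR_NO_FAP_AUTHORIZATION lives
in section 9.3 (not on this page), so a placeholder constant is used.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple

DIAMETER_SUCCESS = 2001                       # Result-Code, RFC 3588
DIAMETER_ERROR_NO_FAP_AUTHORIZATION = -1      # PLACEHOLDER: real value in section 9.3


class Outcome(Enum):
    """What the SeGW sends to the FAP after the Femtocell AAA exchange."""
    IKE_AUTH_RESPONSE = "IKE_AUTH Response (IKEv2 continues)"
    NOTIFY_AUTH_FAILURE = "IKEv2 Notification: authorization failure"


@dataclass
class FemtocellAAA:
    """Minimal Femtocell AAA: the FEIDs that hold authorization information."""
    authorized_feids: Dict[str, bool]

    @staticmethod
    def _feid_from_nai(nai: str) -> str:
        # The username part of FAP-FQDN@realm is the FEID in FQDN format.
        return nai.split("@", 1)[0]

    def radius_access(self, nai: str) -> str:
        """Section 3.2.2.3.2: Access-Reject when no authorization info exists.
        The accept message is the RFC 2865 Access-Accept (the spec text calls
        it Access-Response)."""
        if self.authorized_feids.get(self._feid_from_nai(nai)):
            return "Access-Accept"
        return "Access-Reject"

    def diameter_aar(self, nai: str) -> Tuple[str, int]:
        """Section 3.2.2.3.1: AAA carrying either Result-Code=DIAMETER_SUCCESS
        or Experimental-Result-Code=DIAMETER_ERROR_NO_FAP_AUTHORIZATION."""
        if self.authorized_feids.get(self._feid_from_nai(nai)):
            return ("Result-Code", DIAMETER_SUCCESS)
        return ("Experimental-Result-Code", DIAMETER_ERROR_NO_FAP_AUTHORIZATION)


def fap_nai(feid_fqdn: str, realm: str) -> str:
    """Build the NAI username the SeGW sends: FEID in FQDN format @ realm."""
    if not feid_fqdn or not realm or "@" in feid_fqdn or "@" in realm:
        raise ValueError("malformed FEID or realm")
    return f"{feid_fqdn}@{realm}"


def segw_after_ike_auth(feid_fqdn: str, realm: str, authenticated: bool,
                        require_authorization: bool, aaa: FemtocellAAA,
                        protocol: str = "radius") -> Outcome:
    """Decide the SeGW's reply to the FAP's IKE_AUTH Request (section 3.2.2.2)."""
    if not authenticated:
        # Authorization is consulted only after successful mutual
        # authentication (section 3.3); never query the AAA for an
        # unauthenticated peer.
        raise PermissionError("FAP not authenticated")
    if not require_authorization:
        return Outcome.IKE_AUTH_RESPONSE          # operator policy: no AAA check
    nai = fap_nai(feid_fqdn, realm)
    if protocol == "radius":
        ok = aaa.radius_access(nai) == "Access-Accept"
    elif protocol == "diameter":
        avp, code = aaa.diameter_aar(nai)
        ok = (avp, code) == ("Result-Code", DIAMETER_SUCCESS)
    else:
        raise ValueError("unknown AAA protocol")
    return Outcome.IKE_AUTH_RESPONSE if ok else Outcome.NOTIFY_AUTH_FAILURE
```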

3.2.3 Tunnel Disconnection

Tunnel disconnection may be initiated from the FAP or from the SeGW, e.g., due to a timeout of the IKE SA lifetime set internally in the FAP or SeGW, or due to a request from the Femtocell AAA server.

The tunnel disconnection message exchanges between the FAP and the SeGW are performed via IKEv2.

3.2.3.1 FAP Procedures

The FAP shall use the procedures specified in IKEv2 [10] to delete one or more IPsec tunnel(s) to the SeGW.

3.2.3.2 SeGW Procedures

The SeGW shall use the procedures specified in IKEv2 [10] to delete the IPsec tunnel to the FAP.

Upon reception of either the RADIUS Disconnect-Request message [13] or the Diameter Abort-Session-Request command [14] from the Femtocell AAA (for Femtocell AAA initiated tunnel disconnection), the SeGW shall check whether the FAP has any active SA(s). If the check indicates that the referenced SAs exist, the SeGW shall perform tunnel disconnection procedures for all the IPsec SA(s) and the IKE_SA by sending the IKEv2 INFORMATIONAL request message with Protocol ID set to 1 (IKE) in the DELETE payload to the FAP. Otherwise, the SeGW shall send a RADIUS Disconnect-NAK or a Diameter Abort-Session-Answer with the Result-Code AVP set to DIAMETER_UNKNOWN_SESSION_ID or DIAMETER_UNABLE_TO_COMPLY to the Femtocell AAA.

If the SeGW does not receive the IKEv2 INFORMATIONAL response from the FAP, it shall resend the INFORMATIONAL message with the same DELETE payloads that it sent before. After resending the INFORMATIONAL message to the FAP a configurable number of times (e.g., using an exponential backoff algorithm), if the SeGW still does not receive any response from the FAP, the SeGW assumes that the FAP has disconnected and removes all incoming and outgoing SAs for the FAP.

If the SeGW receives the IKEv2 INFORMATIONAL response from the FAP without any DELETE payload, the SeGW shall remove all the SAs corresponding to the FAP.

3.2.3.3 Femtocell AAA Procedures

When the FAP subscription for the user to access cdma2000 packet data services has been deleted/prohibited, the Femtocell AAA shall instruct the SeGW to disconnect a particular session for a specific FAP by sending the RADIUS Disconnect-Request or Diameter Abort-Session-Request message.

3.3 Authentication and Authorization

This section describes the authentication and authorization procedures between the FAP and the SeGW.


3.3.1 Authentication Procedures

3.3.1.1 General

In order to establish a connection to the cdma2000 home network, the FAP performs authentication with a SeGW located in the home network. If the policy of the home network requires authorization of the FAP before access to the network can be granted, the SeGW contacts the Femtocell AAA using either the RADIUS or the Diameter protocol.


3.3.1.2 FAP Authentication

The authentication between the FAP and the SeGW (referred to as the FAP authentication) shall be performed using IKEv2 with X.509 digital certificates.

The FAP shall be authenticated by the SeGW using the FAP's certificate. The FAP's certificate is installed by the FAP vendor during its manufacturing. The FAP certificate shall be compliant to [17] and shall support the FAP certificate profile specified in [6].

The FAP certificate is identified using the device identifier of the FAP (i.e., FEID), which shall be compliant to the IEEE Extended Unique Identifier-64 (EUI-64) format containing the IEEE hardware address of the device. The EUI-64 format supports encapsulation of both 48-bit and 64-bit IEEE hardware addresses such as the MAC address. The FEID shall be encoded in FQDN format (e.g., FEID.devicemodel.vendor.com) in the subjectAltName extension [17] of the FAP certificate. The same FEID in FQDN format shall be used in the IKEv2 Identification payload (i.e., IDi field) of the IKE_AUTH request from the FAP. The SeGW shall check the FAP certificate validity time as specified in [17].

The SeGW shall be authenticated by the FAP using the SeGW's certificate. The SeGW certificate is assigned to the SeGW by the cdma2000 network operator. The SeGW server certificate shall be compliant to [17] and shall support the SeGW certificate profile specified in [6].

The SeGW certificate shall be identified by using either the SeGW's FQDN or its IP address in the subjectAltName extension of the SeGW certificate. The SeGW's FQDN (or the IP address) shall be used in the IKEv2 Identification payload (i.e., IDr field) of the IKE_AUTH response from the SeGW. The FAP shall check that the subjectAltName extension in the SeGW certificate matches the value received in the IDr field. The FAP shall check the SeGW certificate validity time as specified in [17].

At least one CA certificate in the trust chain of the SeGW certificate shall be pre-provisioned in the FAP for verifying the SeGW certificate.

At least one CA certificate in the trust chain of the FAP certificate shall be pre-provisioned in the SeGW for verifying the FAP certificate.


3.3.1.3 FAP Authorization

After the FAP is successfully authenticated by the SeGW, based on the network policy (e.g., FAP authorization is required), the SeGW shall contact the Femtocell AAA for authorization using the FEID in FQDN format received in the IDi payload as the FAP username in NAI format (i.e., FAP-FQDN@realm), using the AAA protocols as specified in 3.2.2.2.

The Femtocell AAA shall check the FAP authorization policy based on the FEID received in the AAA message. If the FAP authorization check fails, the Femtocell AAA shall send an AAA message to the SeGW indicating authorization failure. The Femtocell AAA shall maintain the FAP authorization policy. The authorization policy may be based on a black list/white list of FEIDs or a profile for each FAP. The FAP authorization policy may be associated with the existing user profile at the AAA.

If the Remote IP Access service (see section 6) is supported, the Femtocell AAA shall store the mapping information between the FAP and the SeGW IP address received in the AAA message.


3.4 FAP Auto-configuration

Following a secure tunnel establishment with the SeGW, the FAP shall perform FMS discovery as specified in section 3.4.1 and then connect to the FMS to perform the auto-configuration procedures using the Fm interface [15] as specified in section 3.4.2. The secure tunnel between the FAP and SeGW provides confidentiality, data integrity and certificate based mutual authentication.

3.4.1 FMS Discovery

3.4.1.1 FAP Requirements

After successful IPsec tunnel establishment, if the FAP needs to obtain the IP address(es) of the FMS, the FAP shall use the FQDN of the FMS and use DNS mechanisms to retrieve the IP address(es) of the FMS. If the FQDN is not pre-provisioned in the FAP, the FAP shall build the FQDN by using the format of FMS. for the DNS request. The FAP shall identify the operator's network in the home domain name. If the FAP is pre-provisioned with more than one FQDN of the FMS, the selection of which FQDN to use is outside the scope of this document.


3.4.2 FAP Auto-configuration Procedures

The FMS and the FAP shall follow the procedures specified in [15] for FAP auto-configuration. Informative call flows including the auto-configuration of the FAP are shown in section A.3. The detailed configuration parameters and their associated management objects/data models exchanged between the FAP and the FMS are described in [16].

The FAP (acting as CPE) or the FMS (acting as ACS) may initiate the auto-configuration session as specified in [15].


3.4.2.1 FAP Requirements

The FAP shall establish a connection with the FMS.

The FAP shall support all the baseline RPC methods including generic methods and CPE methods as specified in Annex A.3.1 and A.3.2 of [15]. In addition, the FAP should support Upload and FactoryReset as specified in Annex A.4.1.5 of [15]. The FAP may support other optional CPE methods as specified in Annex A.4.1 of [15].

After auto-configuration is successfully completed, the 1x or 1x/HRPD Hybrid FAP shall perform registration procedures with the CSCF/FCS as described in [7]. Section A.1 shows informative call flows including the auto-configuration aspects of FAP network connectivity procedures.

3.4.2.2 FMS Requirements

The FMS shall support all the baseline RPC methods including Generic methods and ACS methods as specified in Annex A.3.1 and A.3.3 of [15]. The FMS may support optional ACS methods as specified in Annex A.4.2 of [15].

The FMS shall support a Northbound Interface (NBI) that satisfies the requirements in [33]. The FMS shall support the use of the NBI to delegate the processing of TR-069 vendor-specific parameters (as specified in Section 3.3 of [32]) to the vendor-specific parameter processing entities. A vendor-specific parameter processing entity can be collocated with the FMS or can be a separate entity.

The selection of applicable strings for the vendor-specific parameters depends on the operator's policy and is outside the scope of this specification.


3.4.3 Location Determination of the FAP

3.4.3.1 FMS Requirements

The FMS shall verify the FAP's location. The FMS shall not configure the FAP to provide the services to the MS unless the location of the FAP is verified by the FMS. How the FMS verifies the FAP's location is outside of the scope of this document.


3.5 Quality of Service (QoS) Considerations

The FAP and the SeGW shall support multiple Quality of Service (QoS) classes/profiles required for providing QoS to all the different classes of traffic from/to the MS. The different QoS classes of traffic shall be managed using different CHILD_SA pairs between the FAP and the SeGW.

3.5.1 CHILD_SA

If different classes of traffic (distinguished by Differentiated Services Code Point (DSCP) bits) are sent on the same SA, and if the FAP/SeGW is employing the optional anti-replay feature available in both AH and ESP, this could result in inappropriate discarding of lower priority packets due to the windowing mechanism used by this feature. Therefore, the FAP and SeGW use multiple Security Associations to provide the appropriate QoS services. Traffic from multiple MSs but belonging to the same QoS class should reuse the same CHILD_SA that provides that QoS.


Once the IKE_SA has been authenticated, more than one CHILD_SA pair can be negotiated inside the IKE_SA. The CREATE_CHILD_SA exchange is protected using the cryptographic algorithms and keys negotiated in the first two messages of the IKE exchange. Therefore, creation of additional CHILD_SA pairs between the FAP and SeGW does not trigger further authentication and authorization messaging to the Femtocell AAA.

Both FAP and SeGW shall support at least two CHILD_SA pairs for QoS support. The multiple CHILD_SA pairs are shared by all MS served by the FAP. If more than one CHILD_SA pair is required, the FAP and SeGW shall perform CREATE_CHILD_SA exchange procedures and include traffic selectors as specified in [10].

Figure 1 shows an example of the security associations and the associated QoS classes of traffic with two SAs established between FAP and SeGW.


• SA1 (base SA) contains all control signaling and best effort traffic,

• SA2 carries RTP 1x Voice and/or VoIP traffic.

[Figure 1: Example of Security Associations and associated QoS classes of traffic with two SAs. The figure shows the IPsec tunnel between the FAP and SeGW carrying SA1 (Control Signaling such as A11, A12, A13, A16-A19, Fx2 etc. and Best Effort Traffic) and SA2 (Voice Services such as RTP 1x Voice, VoIP), with the MS attached to the FAP; diagram not reproduced.]


3.5.2 Reverse Link Packet Classifier in FAP

The Reverse Link Packet Classifier shall map traffic belonging to different QoS classes to the appropriate SA by using the Protocol Type (GRE, UDP, TCP) as a traffic selector. It may also employ different GRE keys (i.e., based on different A10 connections) as traffic selectors to map to different CHILD_SAs. The FAP shall ensure the proper DSCP marking on both the inner and outer IP packet headers.


4 Mobility Management

Handoff between macro cell and femtocell is specified in [1].

IP services available to the MS through the femtocell are specified in [2], [3], [4], and [5].


5 Local IP Access for HRPD

The Local IP access at the HRPD FAP provides for IP connectivity to allow an MS to access either local IP networks or the Internet through the local interface. For local IP access, the MS connects through the FAP to the local network by configuring an additional IP interface on the existing HRPD access stream [1]. At the same time, the MS can still have IP connectivity to the operator's IP domain via the PDSN. In this model, the MS can have IP connectivity with:

• Correspondent Node via LIPA in the same subnet with the FAP.

• Correspondent Node via the operator's domain. The MS can still use the IP service provided by the PDSN. Therefore, the MS can access all services available on the macro network while simultaneously accessing the home intranet.

• Correspondent Node in the Internet. The Internet may be reached either on the local IP interface or through the PDSN IP interface. The operator may configure the FAP and the MS to use the local IP interface for Internet communications.


Figure 2 shows the bearer and interfaces related to Local IP Access.

[Figure 2: IP Access Bearer and Interfaces. The figure shows the MS attached to the FAP; the operator's domain traffic on the HRPD Service Stream is carried over the IPsec tunnel through the SeGW (A10, A11, A12 interfaces via the FGW) to the PDSN and on to the Correspondent Node via the operator's domain, with the AN-AAA and H-AAA; the Local IP access traffic on the HRPD Access Stream goes directly to the Correspondent Node via LIPA; diagram not reproduced.]


The AN-AAA may be used to authorize an MS for LIPA service during HRPD access authentication on the A12 interface. For LIPA authorization, the AN-AAA may access the Home AAA for authorization information, but this interface is outside the scope of this specification.

Refer to [1] for requirements and procedures on AN-PPP and the A12 interface for supporting local IP access.


6 Remote IP Access

6.1 General

Remote IP Access allows a given MS to reach the IP network local to the FAP using any IP connectivity available to the MS (e.g., through a macro network IP connection) while the MS is not directly connected to the FAP. This service is assumed to be invoked on the MS on demand by the user.

Remote IP Access is achieved by using an IPsec tunnel between the MS and SeGW and between the SeGW and FAP. A given MS establishes an IPsec tunnel to the SeGW, which has an IPsec tunnel pre-established to the FAP(s). The remote IP access architecture is specified in Figure 3.


[Figure 3: Femtocell Remote IP Access Architecture. The figure shows the MS reaching the Security Gateway (SeGW) across the Public Internet via an IP Connectivity Access Network (e.g., HRPD) over the MS-SeGW tunnel; the SeGW-FAP IPsec tunnel carries the remote MS to FAP local network data flow; AAA messages are exchanged between the SeGW and the HAAA and between the SeGW and the Femto-AAA; diagram not reproduced.]


Remote IP Access is achieved by performing the following procedures:

• The MS performs SeGW discovery as described in section 6.2,

• Tunnel establishment, MS authentication and authorization by the Home AAA as described in section 6.3,

• Assignment of a local IP address by the FAP (or by a local DHCP Server) to the MS.

In order to perform Remote IP Access procedures, the following requirements shall be met by means outside the scope of this document.

• The FAP(s) that can be remotely accessed by a given MS shall be configured as part of the MS subscription profile at the operator's Home AAA.

• The FAP(s) shall be identified by its FEID(s) and/or by realm. The realm may be used in cases where multiple FAPs are connected to the same local network.

• The MS shall be pre-configured with at least one FQDN or shall form the FQDN for discovering the SeGW.

• The FAP shall support DHCP as specified in [18] to allocate IP addresses for the MS. The FAP may support DHCPv6 as specified in [19] to allocate IP addresses for the MS.


6.2 Discovery and Selection of SeGW by MS

In order to access a local IP network connected to a FAP, the MS needs to first establish an IPsec tunnel to the same SeGW that is serving the FAP. Since the SeGW needs to be discovered by the MS using an IP connection, the SeGW needs to be publicly reachable. In order to discover the correct SeGW, the MS first uses DNS Discovery for the SeGW IP address. Additionally, the MS can use the SeGW Redirection method specified in this section to connect to the SeGW serving the FAP.

When the MS tries to connect to a SeGW that is not serving the desired FAP, the current SeGW can redirect the MS to an alternative SeGW using the redirection procedure specified in section 6 (section titled "Redirect during IKE_AUTH Exchange") of [20]. The following functions need to be supported for SeGW redirection:

• When the MS tries to connect to a SeGW, the SeGW performs the access request to the Home AAA for authentication and authorization.

• The Home AAA maintains the list of FAPs and/or realm(s) that a given MS can access as part of the MS subscription profile.

• The Femtocell AAA maintains the association between the FAP's FEID and the SeGW that is currently serving the FAP.

• The Home AAA interacts with the Femtocell AAA to retrieve the SeGW IP address and the FAP(s) associated with the local network (e.g., identified by the FEID or the realm) that the MS is trying to access. In case multiple FEIDs are available, the Femtocell AAA may return a list of FEID and SeGW IP address pairs to the Home AAA. The Home AAA includes this list in the Home AAA authorization response to the SeGW. The interface between the Home AAA and the Femtocell AAA is outside the scope of this document.


6.2.1 MS Requirements

To discover a target SeGW, the MS shall query the DNS server for candidate SeGW(s) using the pre-configured FQDN of the SeGW at the MS, if the FQDN is available. Otherwise, the MS shall form the FQDN for Remote IP Access as RemoteIPAccess.SeGW.. The DNS server address is made available to the MS using means outside the scope of this document.

By using the SeGW's IP address received from the DNS query, the MS shall start the tunnel establishment procedures specified in section 6.3. In case multiple SeGW IP addresses are returned by the DNS server, the MS shall try to establish an IPsec tunnel to each of the returned SeGW IP addresses, until the MS can successfully connect to a SeGW. If all returned SeGW IP addresses have been tried and the tunnel establishment is unsuccessful, the MS shall treat it as no SeGW currently serving the target FAP, and therefore, Remote IP Access is not available. If during the IKEv2 tunnel establishment the MS receives a redirection, the MS shall follow the procedure specified in section 6.3.2.1. When the correct SeGW is found, the MS should cache the SeGW IP address for future use. In case the MS cannot connect to the cached SeGW IP address in a subsequent try, the MS should restart with a DNS query to discover the SeGW.


6.2.2 SeGW Requirements

Upon receiving an IPsec tunnel establishment request from the MS, the SeGW shall send the Remote IP Access service identity received in the IDi payload (in the form of an NAI) to the Home AAA using the RADIUS or Diameter protocol according to section 6.3.3. If the Remote IP Access authentication and authorization with the Home AAA fails, the SeGW shall send a Notify message to the MS indicating authentication failure.

If the SeGW Redirection method is supported, then upon receiving an address for a different SeGW from the HAAA, the serving SeGW shall use the IKEv2 redirection mechanism to redirect the MS to the specified SeGW using the procedures specified in section 6.3.3 of this document.


6.2.3 Femtocell AAA Requirement

The Femtocell AAA shall maintain the association between the FAP identity (i.e., FEID) and the SeGW address. The Femtocell AAA shall provide such association information upon request from the Home AAA.


6.2.4 Home AAA Requirements

The Home AAA shall maintain the NAI used for Remote IP Access and the corresponding FEID(s) or realm(s) as part of the MS subscription profile. The HAAA shall authenticate and authorize the Remote IP Access service request from the MS using one of the methods specified in section 6.3.4.

During the tunnel establishment (see section 6.3), if SeGW Redirection based SeGW discovery is supported by the HAAA, the HAAA shall obtain the correct SeGW and the FEID/realm address for a given MS (identified by the NAI) by contacting the Femtocell AAA. If the current SeGW that the MS requests an IPsec connection to is not the correct SeGW, the HAAA shall return the SeGW address together with the FEID/realm to the requesting SeGW using the RADIUS or Diameter message.


6.3 Remote IP Access Tunnel Establishment

Upon discovering the SeGW IP address, the MS shall use IKEv2 [10] to set up the IPsec tunnel between the MS and SeGW. The IPsec tunnel establishment shall be authenticated using either the IKEv2 Pre-Shared Key (PSK) method or the IKEv2 EAP-AKA method as specified in this section.

A dedicated CHILD_SA pair between the SeGW and the FAP shall be created to handle traffic for the Remote IP Access service. Traffic for other purposes shall not use this dedicated SA.


6.3.1 IKEv2 PSK Key Generation

The Remote IP Access IKEv2 Root Key (RIPA-IKEv2-RK) used in the IKEv2 PSK authentication method shall be 64 octets and be derived from the Extended Master Session Key (EMSK), MN-AAA, or CHAP-SS as per [21] with the following considerations:

• The Key Derivation Function (KDF) shall be HMAC-SHA256 as per [22].

• If EMSK is available, the EMSK shall be used as specified in [21].

• If EMSK is not available, the MN-AAA shared secret shall be used as the EMSK in the formulas specified in [21].

• If neither EMSK nor MN-AAA is available, the CHAP-SS (Shared Secret) shall be used as the EMSK in the formulas specified in [21].

• The key label shall be "ripaikev2pskrk@femtocell.3gpp2.org" specified in lower case printable ASCII and the string shall not be null terminated.

• Optional Data is not used.

• The length shall be 0x0040 in network byte order.

Since HMAC-SHA256 produces an output of 32 octets and the required RIPA-IKEv2-RK size is 64 octets, the procedure in section 3.1.2 of [21] shall be used to create the key of the required length.

The RIPA-IKEv2-Key is then derived from the RIPA-IKEv2-RK using the HMAC-SHA256 KDF function as specified below. The RIPA-IKEv2-Key shall be of size 32 octets.

RIPA-IKEv2-Key = KDF(RIPA-IKEv2-RK, Ni|Nr, "ripaikev2pskkey@femtocell.3gpp2.org"),

where Ni and Nr are the nonces exchanged between the MS and SeGW as specified in [10], and the key label "ripaikev2pskkey@femtocell.3gpp2.org" is specified in lower case printable ASCII and the string shall not be null terminated.

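The two-stage derivation above, as an added example that is not part of the specification: it assumes [21] is RFC 5295 (whose section 3.1.2 prf+ expansion yields the 64-octet key the text requires), that the label is followed by the single 0x00 separator of that formula, and that Ni|Nr occupies the optional-data position in the second KDF call; the EMSK and nonces are constructed sample values.

```python
"""Worked derivation of RIPA-IKEv2-RK and RIPA-IKEv2-Key (section 6.3.1)."""
import hashlib
import hmac

RK_LABEL = b"ripaikev2pskrk@femtocell.3gpp2.org"    # lower-case ASCII, no terminator
KEY_LABEL = b"ripaikev2pskkey@femtocell.3gpp2.org"  # lower-case ASCII, no terminator
RK_LEN = 0x0040   # 64 octets; encoded as a 2-octet length in network byte order
KEY_LEN = 0x0020  # 32 octets


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    """Expand HMAC-SHA256 output to `length` octets using the prf+ construction
    of RFC 5295 section 3.1.2 (assumed to be [21]):
    T1 = HMAC(K, S | 0x01), Tn = HMAC(K, T(n-1) | S | n)."""
    if not 0 < length <= 255 * hashlib.sha256().digest_size:
        raise ValueError("length out of range for prf+")
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        t = hmac.new(key, t + s + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def kdf(key: bytes, label: bytes, optional_data: bytes, length: int) -> bytes:
    """KDF(K, label | "\\0" | optional data | length) with HMAC-SHA256.
    The 0x00 is the separator the [21] formula inserts after the label;
    the label itself carries no terminator (assumption)."""
    s = label + b"\x00" + optional_data + length.to_bytes(2, "big")
    return prf_plus(key, s, length)


def derive_ripa_ikev2_rk(emsk=None, mn_aaa=None, chap_ss=None) -> bytes:
    """64-octet root key. Precedence: EMSK, else MN-AAA, else CHAP-SS."""
    if emsk is not None:
        root = emsk
    elif mn_aaa is not None:
        root = mn_aaa
    else:
        root = chap_ss
    if not root:
        raise ValueError("no EMSK, MN-AAA or CHAP-SS available")
    return kdf(root, RK_LABEL, b"", RK_LEN)   # Optional Data is not used


def derive_ripa_ikev2_key(rk: bytes, ni: bytes, nr: bytes) -> bytes:
    """32-octet IKEv2 PSK; Ni|Nr is passed in the optional-data position (assumption)."""
    if len(rk) != RK_LEN:
        raise ValueError("RIPA-IKEv2-RK must be 64 octets")
    return kdf(rk, KEY_LABEL, ni + nr, KEY_LEN)


if __name__ == "__main__":
    # Constructed sample inputs, not test vectors from the specification.
    emsk = bytes(range(64))
    ni, nr = b"\x11" * 16, b"\x22" * 16
    rk = derive_ripa_ikev2_rk(emsk=emsk)
    print(derive_ripa_ikev2_key(rk, ni, nr).hex())
```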

6.3.2 MS Requirements

The MS shall support IKEv2 [10] and ESP [12] for key exchange and IPsec tunnel establishment with the SeGW. The MS shall support IKEv2 EAP-AKA or IKEv2 PSK for authentication with the Home AAA.

The MS shall set up the IPsec tunnel with the SeGW for each of the FAPs it wants to connect to, and shall follow the procedures described below.

The MS shall initiate the IKEv2 key exchange protocol with the SeGW as specified in [10]. The MS shall include the Security Parameter Index in the IKE Header (HDR) of the IKE_SA_INIT message. The MS shall also include the SAi1 payload, the Key Exchange initiator (KEi) payload (with the initiator's Diffie-Hellman value) and the Initiator's Nonce (Ni).


Once the initial exchange is finished, in the first IKE_AUTH Request message, the MS shall identify itself by including its Network Access Identifier (NAI) in the IDi payload with the ID type set to ID_RFC822_ADDR. The IDi payload shall identify the Remote IP Access service. For example, if the MS has a subscription NAI of the form user@realm that is used for IP connectivity authentication, then the Remote IP Access NAI can be formed as {RemoteIPAccess}.{[localIPnetworkId]}.user@realm, where the localIPnetworkId is optional (i.e., can be omitted) and can be either the selected FEID or the local network realm. The curly bracket "{}" is used as the delimiter. If the localIPnetworkId is omitted, it is used as an indication to the network that the MS wishes to connect to the default local IP network (identified by the default FEID or realm) in the MS subscription profile at the Home AAA. The localIPnetworkId, if used, is assumed to be configured on the MS.

The NAI used to form the Remote IP Access NAI shall be selected using the following procedure. If EMSK is available, the MS shall use the NAI associated with the EMSK for forming the Remote IP Access NAI. If EMSK is not available, but EAP-AKA is supported, then the NAI associated with EAP-AKA shall be selected by the MS. Otherwise, the MS shall use the NAI associated with the MN-AAA key (used for mobile IP service authentication) or the CHAP Shared Secret (SS) (used for simple IP service authentication).

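The Remote IP Access NAI format on the MS side and its interpretation against the subscription profile on the Home AAA side, as an added example that is not the specification's own code: the profile shape and the sample FEIDs are constructed, and an omitted localIPnetworkId is assumed to drop the whole braced component (an empty pair of braces is accepted as well).

```python
"""Form and parse the Remote IP Access NAI carried in the IDi payload
(section 6.3.2), and select the target local network at the Home AAA."""
import re
from typing import Optional

SERVICE_TAG = "RemoteIPAccess"

# {RemoteIPAccess}, an optional {localIPnetworkId}, then the subscription NAI.
# Braces delimit the id because a FEID in FQDN form contains dots of its own.
_RIPA_NAI = re.compile(
    r"^\{" + SERVICE_TAG + r"\}"
    r"(?:\.\{(?P<local_id>[^{}]*)\})?"
    r"\.(?P<nai>[^@{}]+@[^@{}]+)$"
)


def form_ripa_nai(subscription_nai: str, local_ip_network_id: Optional[str] = None) -> str:
    """MS side: build the IDi value from the selected subscription NAI."""
    if subscription_nai.count("@") != 1 or "{" in subscription_nai or "}" in subscription_nai:
        raise ValueError("subscription NAI must be of the form user@realm")
    if local_ip_network_id is None:
        # Omitted id: request the default local IP network of the subscription
        # profile. Assumption: the whole {...} component is dropped.
        return "{%s}.%s" % (SERVICE_TAG, subscription_nai)
    if not local_ip_network_id or "{" in local_ip_network_id or "}" in local_ip_network_id:
        raise ValueError("localIPnetworkId must be non-empty and contain no delimiters")
    return "{%s}.{%s}.%s" % (SERVICE_TAG, local_ip_network_id, subscription_nai)


def parse_ripa_nai(idi: str) -> Optional[dict]:
    """SeGW/Home AAA side: split the IDi into its parts, or return None when
    the IDi does not identify the Remote IP Access service. Both a dropped
    component and an empty {} are treated as 'omitted'."""
    m = _RIPA_NAI.match(idi)
    if m is None:
        return None
    return {"local_ip_network_id": m.group("local_id") or None,
            "subscription_nai": m.group("nai")}


def select_target(parsed: dict, profile: dict) -> Optional[str]:
    """Home AAA side: map the request onto the MS subscription profile
    (constructed shape: {'default': id, 'allowed': [ids]}). Returns the FEID
    or realm to authorize, or None when the MS may not access that network."""
    target = parsed["local_ip_network_id"] or profile.get("default")
    if target is None or target not in profile.get("allowed", ()):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample values, not identifiers from the specification.
    profile = {"default": "feid1.model.vendor.example",
               "allowed": ["feid1.model.vendor.example", "home.realm.example"]}
    idi = form_ripa_nai("user@realm", "home.realm.example")
    print(idi, "->", select_target(parse_ripa_nai(idi), profile))
```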

In the first IKE_AUTH Request message, the MS shall also include a CP(CFG_REQUEST) payload containing at least one INTERNAL_ADDRESS attribute (either IPv4 or IPv6) for tunnel internal address assignment by the targeted local network. Upon successful authentication and authorization, the MS shall extract from the CP(CFG_REPLY) payload in the last IKE_AUTH Response message an assigned internal address (IPv4 or IPv6) from the SeGW. For IPv6, the MS shall perform IPv6 autoconfiguration procedures upon receiving the IPv6 prefix from the SeGW. The MS shall use this address as the internal address in the IPsec tunnel for future communication with the targeted local network.

Upon the completion of the IKEv2 procedures, the MS shall establish an IPsec ESP tunnel to the SeGW according to [12].


6.3.2.1 SeGW Redirection

The MS shall support the requirements specified in this section for the SeGW Redirection method.

The MS shall include in the initial IKE_INIT request message a Notify payload with the REDIRECT_SUPPORTED indication as specified in [20]. The SeGW redirection takes place during the final IKE_AUTH Response message. Upon receiving the final IKE_AUTH Response from the SeGW, the MS shall verify the SeGW's AUTH payload before acting on the Redirect payload, as specified in section 6 of [20].


6.3.2.2 IKEv2 Pre-Shared Key Method

If the MS supports the IKEv2 Pre-Shared Key method, the MS shall support the requirements specified in this section.

The MS shall generate RIPA-IKEv2-RK and RIPA-IKEv2-Key as specified in section 6.3.1.

In the first IKE_AUTH request message, the MS shall prove knowledge of the secret corresponding to IDi by signing the first IKE_SA_INIT message using the RIPA-IKEv2-Key and including the signature in the AUTH payload. Upon receiving the IKE_AUTH Response message from the SeGW, the MS shall verify the signature in the AUTH payload.


6.3.2.3 IKEv2 EAP-AKA Method

If the MS supports IKEv2 EAP-AKA, the MS shall support the requirements specified in this section.

The MS shall support EAP-AKA [23]. In the first IKE_AUTH Request message, the MS shall not include the AUTH payload, which is an indication of using EAP authentication. Upon receiving the EAP-Success, the MS shall use the Master Session Key (MSK) derived according to [23] to generate an AUTH payload and send it to the SeGW. Upon receiving the final IKE_AUTH Response message, the MS shall verify the AUTH payload from the SeGW using the MSK.


6.3.3 SeGW Requirements

The SeGW shall support IKEv2 [10] and ESP [12]. As initiated by the MS, the SeGW shall perform IKEv2 procedures to establish the IPsec tunnel with the MS.

Upon receiving the IKE_SA_INIT Request message from the MS, the SeGW shall choose a cryptographic suite from the initiator's offered choices and express that choice in the first Security Association responder (SAr1) payload, complete the Diffie-Hellman exchange with the Key Exchange responder (KEr) payload, and send its nonce in the Nonce responder (Nr) payload. The SeGW shall also fill the Security Parameter Index responder (SPIr) field in the HDR with a random value. The HDR, SAr1, KEr and Nr payloads shall be included in the IKE_SA_INIT Response message and sent to the MS.


Once the MS is authenticated and authorized, the SeGW shall verify that it has an existing IPsec tunnel with any of the FEIDs authorized by the Home AAA. Otherwise, the SeGW shall abort the tunnel establishment procedure and send the error code 8195 to indicate to the MS that the Remote IP Access service is not available at this time. If the existing IPsec tunnel with the FAP is available and a CHILD_SA pair for RIPA has not been established for other MSs, the SeGW shall send a CREATE_CHILD_SA request to the FAP to create a separate CHILD_SA pair by including a nonce Ni [10]. Upon receiving the CREATE_CHILD_SA response from the FAP, the SeGW shall derive the keying material for the CHILD_SA pair according to [10]. If the CHILD_SA pair cannot be created successfully, the SeGW shall abort the tunnel establishment procedure and send an IKEv2 Notification message to the MS with NO_ADDITIONAL_SAS in a Notify payload. The SeGW shall only use the newly created CHILD_SA pair for the Remote IP Access service.

If the existing IPsec tunnel with the FAP is available and the CHILD_SA pair for RIPA service has already been established, the SeGW shall use the existing CHILD_SA to request a local IP address for the MS.


Using the CHILD_SA pair for RIPA service, the SeGW shall forward the internal address 46



request from the MS to the FAP in a DHCP message [18] for IPv4 address assignment, 47



DHCPv6 message [19] for IPv6 addresses assignment, or both for IPv4 and IPv6 addresses 48



assignment as specified in the following:. 49

50

51

 For IPv4 address request, the SeGW shall use either DHCPDISCOVER with Rapid 52

Commit Option or DHCPDISCOVER without Rapid Commit Option. The Client 53

Identifier Option shall be set to the NAI received from IDi payload received from the 54

MS (see section 6.3.2). 55

56

57

58

59

60

6 Remote IP Access 20 6.3 Remote IP Access Tunnel Establishment

cdma2000 Femtocell Network: X.S0059-100-0 v1.0

Packet Data Network Aspects



 For IPv6 address request, the SeGW shall use REQUEST message. The DUID type

1 in Client Identifier option shall be set to 2 (Vendor-assigned unique ID based on

2 Enterprise Number, see section 9.1 of [19]). The Enterprise Number shall be set to

3 5535 and the identifier shall be set to NAI received from IDi payload received from

4 the MS (see section 6.3.2).

5

6

Upon receiving an assigned local network address from the FAP in a DHCPACK (for IPv4)

7 or DHCP REPLY (for IPv6), the SeGW shall include this assigned address in an

8 CP(CFG_REPLY) Payload in the IKE_AUTH Response message to the MS.

9

10 Upon the completion of the IKEv2 procedures with successful authentication of the MS, the

11

SeGW shall establish an IPsec ESP tunnel with the MS according to [12].

12

13
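As an added example (not part of the specification), the following Python builds and parses the two client identifiers the SeGW uses when it requests an address on the MS's behalf: the DHCPv4 Client Identifier option carrying the NAI, and the DHCPv6 DUID-EN (type 2) with Enterprise Number 5535 and the NAI as identifier. The NAI `ms1@operator.example` is constructed; the leading hardware-type octet of 0 in the DHCPv4 option is an assumption (it is how RFC 2132 marks a non-hardware identifier; the specification only says the option is set to the NAI). The parsers reject identifiers of the wrong shape so that a FAP or DHCP server does not treat an arbitrary DUID as an NAI.

```python
import struct

ENTERPRISE_3GPP2 = 5535          # Enterprise Number mandated for the DUID-EN (section 6.3.3)
DUID_EN = 2                      # DUID type 2: vendor-assigned unique ID based on Enterprise Number
OPT_V4_CLIENT_ID = 61            # DHCPv4 Client Identifier option
OPT_V6_CLIENTID = 1              # DHCPv6 Client Identifier option


def dhcpv4_client_id(nai: str) -> bytes:
    """DHCPv4 option 61 carrying the NAI. Assumption: a leading type octet of 0 marks a
    non-hardware identifier (RFC 2132); the spec itself only says 'set to the NAI'."""
    ident = b"\x00" + nai.encode("ascii")
    if len(ident) > 255:
        raise ValueError("NAI does not fit in a single DHCPv4 option")
    return bytes([OPT_V4_CLIENT_ID, len(ident)]) + ident


def parse_dhcpv4_client_id(option: bytes) -> str:
    code, length = option[0], option[1]
    if code != OPT_V4_CLIENT_ID or length != len(option) - 2 or length < 2:
        raise ValueError("not a well-formed Client Identifier option")
    if option[2] != 0:
        raise ValueError("identifier is a hardware address, not an NAI")
    return option[3:].decode("ascii")


def duid_en(nai: str) -> bytes:
    """DUID-EN: 2-octet type (2), 4-octet Enterprise Number (5535), then the NAI octets."""
    return struct.pack("!HI", DUID_EN, ENTERPRISE_3GPP2) + nai.encode("ascii")


def dhcpv6_client_id(nai: str) -> bytes:
    """DHCPv6 OPTION_CLIENTID (code 1): 2-octet code, 2-octet length, DUID."""
    duid = duid_en(nai)
    return struct.pack("!HH", OPT_V6_CLIENTID, len(duid)) + duid


def parse_dhcpv6_client_id(option: bytes) -> str:
    """Accept only the spec's DUID-EN with the 3GPP2 Enterprise Number; anything else is not an NAI."""
    code, length = struct.unpack("!HH", option[:4])
    duid = option[4:]
    if code != OPT_V6_CLIENTID or length != len(duid) or len(duid) < 7:
        raise ValueError("not a well-formed OPTION_CLIENTID")
    duid_type, enterprise = struct.unpack("!HI", duid[:6])
    if duid_type != DUID_EN or enterprise != ENTERPRISE_3GPP2:
        raise ValueError("DUID is not a 3GPP2 DUID-EN")
    return duid[6:].decode("ascii")


if __name__ == "__main__":
    nai = "ms1@operator.example"              # constructed NAI taken from the IDi payload
    print(dhcpv4_client_id(nai).hex())
    print(dhcpv6_client_id(nai).hex())
    assert parse_dhcpv4_client_id(dhcpv4_client_id(nai)) == nai
    assert parse_dhcpv6_client_id(dhcpv6_client_id(nai)) == nai
```

The DUID-EN for the constructed NAI starts with the six octets 00 02 00 00 15 9f (type 2, enterprise 5535 = 0x159F) followed by the NAI; the SeGW must use the same identifier on every request for the same MS so that the FAP's DHCP server returns the same lease.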

6.3.3.1 SeGW Redirection

If the SeGW supports redirection, the SeGW shall support the requirements specified in this section.

The SeGW shall support and only use IKEv2 redirection during the IKE_AUTH exchange as specified in section 6 of [20]. After receiving an IKE_SA_INIT message from the MS with a REDIRECT_SUPPORTED Notify payload, the SeGW shall verify the AUTH payload, if the AUTH payload is present (i.e. when IKEv2 PSK is used) in the IKE_AUTH Request message from the MS, before sending the REDIRECT payload. If the AUTH payload is not present (i.e. when EAP is used), the SeGW shall start the EAP authentication method and, if authentication is successful, then send the REDIRECT payload. The SeGW shall include the REDIRECT and IP_R in a Notify payload in the IKE_AUTH Response message, as specified in section 6 of [20]. The SeGW shall only use an IP address as the redirected address.

6.3.3.2 IKEv2 Pre-Shared Key Method

If the IKEv2 PSK method is used for authentication, upon receiving the IKE_AUTH Request message from the MS, the SeGW shall send a RADIUS Authorize-Only (Service-Type set to "Authorize-Only") Access-Request message or an Authorize-Only (Auth-Request-Type set to "Authorize-Only") Diameter IKEv2-PSK-Request message (see Section 9.1.2.2) with the received NAI, Ni and Nr to the HAAA to obtain the RIPA-IKEv2-Key. The SeGW shall set the Session-Key-Method VSA to 2 (RIPA IKEv2 PSK method).

Once the SeGW receives the RIPA-IKEv2-Key from the HAAA, the SeGW shall verify the AUTH payload in the IKE_AUTH Request message. If the verification of the AUTH payload is successful, the SeGW shall send an IKE_AUTH Response message to the MS. The SeGW shall assert its identity with the IDr payload, sign the IKE_SA_INIT Response message using the RIPA-IKEv2-Key and include the signature in the AUTH payload. If the SeGW received the Session-Timeout attribute (RADIUS) or the MSA-Lifetime of the Master-Security-Association AVP (Diameter) from the HAAA, the SeGW shall set the lifetime of the IKEv2 SA to the value received in the Session-Timeout attribute (RADIUS) or the MSA-Lifetime of the Master-Security-Association AVP (Diameter).

6.3.3.3 IKEv2 EAP Method

If the IKEv2 EAP method is used for authentication, upon receiving the indication to use EAP in the IKE_AUTH message from the MS, the SeGW shall forward the EAP messages (extracted from the EAP payload) to the HAAA server via the RADIUS EAP-Message attribute in a RADIUS Access-Request [13] or the Diameter EAP-Payload AVP in a Diameter DER [30]. Upon receiving the RADIUS EAP-Message attribute in a RADIUS Access-Accept (or Access-Challenge, see Table 6) or the Diameter EAP-Payload AVP in a Diameter DEA from the Home AAA, the SeGW shall forward the EAP message to the MS via the EAP payload in the IKE_AUTH message.

Upon receiving the AUTH payload in the IKE_AUTH message from the MS, the SeGW shall verify it using the MSK received from the AAA server. In return, the SeGW shall use the MSK to generate the AUTH payload in the IKE_AUTH message sent to the MS.
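The AUTH computation that sections 6.3.2.3, 6.3.3.2 and 6.3.3.3 require is shown below as an added example (not the specification's or any vendor's code). It follows the shared-secret AUTH construction of IKEv2 [10] as written in RFC 7296 section 2.15: AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets), where SignedOctets is the party's own first IKE_SA_INIT message, the peer's nonce, and prf(SK_p, ID payload body). With the PSK method the shared secret is the RIPA-IKEv2-Key the SeGW obtains from the HAAA; with EAP-AKA it is the MSK. HMAC-SHA-256 as the negotiated prf, the message bytes, nonces, SK_pi/SK_pr, identities and keys are all constructed; a real implementation takes SK_pi/SK_pr from the SKEYSEED derivation, which is not shown.

```python
import hashlib
import hmac
import os

KEY_PAD = b"Key Pad for IKEv2"          # fixed pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; HMAC-SHA-256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(own_first_message: bytes, peer_nonce: bytes, sk_p: bytes, id_body: bytes) -> bytes:
    """InitiatorSignedOctets / ResponderSignedOctets: own IKE_SA_INIT message | peer nonce |
    prf(SK_pi or SK_pr, ID payload minus its generic header)."""
    return own_first_message + peer_nonce + prf(sk_p, id_body)


def compute_auth(shared_secret: bytes, octets: bytes) -> bytes:
    """Shared-secret AUTH. shared_secret is the RIPA-IKEv2-Key (PSK method) or the MSK (EAP method)."""
    return prf(prf(shared_secret, KEY_PAD), octets)


def verify_auth(shared_secret: bytes, octets: bytes, auth: bytes) -> bool:
    return hmac.compare_digest(compute_auth(shared_secret, octets), auth)


def run_exchange(shared_secret_ms: bytes, shared_secret_segw: bytes) -> tuple:
    """Simulate both AUTH payloads of one IKE_AUTH exchange. The MS signs with the key it holds,
    the SeGW verifies with the key it obtained from the HAAA (RIPA-IKEv2-Key or MSK), and vice
    versa. Returns (segw_accepts_ms, ms_accepts_segw)."""
    # Constructed stand-ins for the two IKE_SA_INIT messages, nonces, SK_pi/SK_pr and ID bodies.
    ike_sa_init_req = b"HDR|SAi1|KEi|Ni" + os.urandom(8)
    ike_sa_init_resp = b"HDR|SAr1|KEr|Nr" + os.urandom(8)
    ni, nr = os.urandom(32), os.urandom(32)
    sk_pi, sk_pr = os.urandom(32), os.urandom(32)
    idi_body = b"\x03\x00\x00\x00" + b"ms1@operator.example"     # ID_RFC822_ADDR + NAI
    idr_body = b"\x02\x00\x00\x00" + b"segw.operator.example"    # ID_FQDN + SeGW name

    # MS side: AUTH over its own IKE_SA_INIT request, the SeGW's nonce and the MACed IDi.
    ms_octets = signed_octets(ike_sa_init_req, nr, sk_pi, idi_body)
    auth_i = compute_auth(shared_secret_ms, ms_octets)
    segw_accepts_ms = verify_auth(shared_secret_segw, ms_octets, auth_i)

    # SeGW side: AUTH over its own IKE_SA_INIT response, the MS's nonce and the MACed IDr.
    segw_octets = signed_octets(ike_sa_init_resp, ni, sk_pr, idr_body)
    auth_r = compute_auth(shared_secret_segw, segw_octets)
    ms_accepts_segw = verify_auth(shared_secret_ms, segw_octets, auth_r)
    return segw_accepts_ms, ms_accepts_segw


def demo() -> dict:
    ripa_ikev2_key = os.urandom(32)     # PSK method: key the HAAA derived from RIPA-IKEv2-RK and Ni/Nr
    msk = os.urandom(64)                # EAP-AKA method: MSK delivered to the SeGW by the HAAA
    return {
        "psk": run_exchange(ripa_ikev2_key, ripa_ikev2_key),
        "eap": run_exchange(msk, msk),
        "wrong_key": run_exchange(ripa_ikev2_key, os.urandom(32)),   # another subscriber's key
    }


if __name__ == "__main__":
    for method, result in demo().items():
        print(method, result)
```

Because the signed octets include the peer's nonce and the MACed identity, a RIPA-IKEv2-Key or MSK that the HAAA derived for a different NAI, or a replayed AUTH from an earlier exchange, fails verification on both sides; the comparison uses a constant-time compare so the check does not leak how many bytes matched.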

6.3.4 Home AAA Requirements

The Home AAA shall perform authentication and service authorization per the operator's policy. The Home AAA shall support IKEv2 PSK [10] and/or IKEv2 EAP-AKA [23] for authenticating the MS. The Home AAA shall support the RADIUS [13] or Diameter [14] protocol.

The Home AAA shall maintain the MS's NAI used for Remote IP Access and the corresponding FEID(s) or realm(s) as part of the MS subscription profile. Upon receiving a RADIUS Access-Request or Diameter DER message containing the NAI for Remote IP Access, the HAAA shall retrieve the FEID(s) of the FAP(s) that are accessible to the MS, and contact the Femtocell AAA to obtain the identity of the SeGW that is currently serving the FAP. The Home AAA shall return the SeGW address and FEID identity to the requesting SeGW via the RADIUS (see Section 8.2) or Diameter (see Section 9.1.2) protocol. The HAAA shall only return the IP address of the redirected SeGW.

6.3.4.1 IKEv2 Pre-Shared Key Method

If the IKEv2 Pre-Shared Key method is used for authentication, upon receiving a RADIUS Access-Request message or Diameter IKEv2-PSK-Request message (see Section 9.1.2.2) with the MS's NAI, Ni, and Nr from the SeGW, the HAAA shall use the NAI to retrieve the associated RIPA-IKEv2-RK key, generate the RIPA-IKEv2-Key as specified in Section 6.3.1 and return the RIPA-IKEv2-Key to the SeGW using the MS-MPPE-Send-Key attribute (RADIUS) or the Master-Security-Association AVP (Diameter) without the SPI.

The HAAA shall set the Session-Timeout attribute (RADIUS) or the MSA-Lifetime of the Master-Security-Association AVP (Diameter) to a value not greater than the lifetime of the associated EMSK if the RIPA-IKEv2-RK is generated from the EMSK. Otherwise, if the RIPA-IKEv2-RK is generated directly from the MN-AAA, the HAAA should set the Session-Timeout attribute (RADIUS) or MSA-Lifetime (Diameter) to the lifetime of the session.

6.3.4.2 IKEv2 EAP-AKA Method

The HAAA shall support EAP-AKA [23], RADIUS Support for EAP [24], and the Diameter IKE EAP (IKEEAP) application specified in this document.

If the EAP authentication is successful, the HAAA server shall derive the MSK according to [23]. If RADIUS is used, the HAAA server shall send the MSK to the SeGW via the MS-MPPE-Recv-Key attribute (for the first 32 bytes of the MSK) and the MS-MPPE-Send-Key attribute (for the second 32 bytes of the MSK) [23][25]. If Diameter is used, the HAAA server shall send the MSK to the SeGW in the EAP-Master-Session-Key AVP.

If RADIUS is used, the HAAA server shall include the Message-Authenticator attribute [24] for protecting the integrity of the RADIUS messages that carry the EAP-Message attribute [26].
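How the HAAA packages the MSK for RADIUS, and how the SeGW checks what it receives, as an added example (not the specification's or any product's code). The 64-byte MSK is split into MS-MPPE-Recv-Key (first 32 bytes) and MS-MPPE-Send-Key (second 32 bytes), each wrapped with the salted MD5 scheme of RFC 2548 under the RADIUS shared secret and the Request Authenticator, and the Access-Accept carries the Message-Authenticator (HMAC-MD5 over the packet with the attribute's own octets zeroed, RFC 3579) that this section mandates. The SeGW side verifies the Response Authenticator and the Message-Authenticator before unwrapping, and returns None on any failure. Shared secret, Request Authenticator, MSK and the EAP-Success bytes are constructed.

```python
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_VSA, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 26, 79, 80
VENDOR_MICROSOFT, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 311, 16, 17


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    return _attr(ATTR_VSA, struct.pack("!I", vendor) + bytes([vtype, len(value) + 2]) + value)


def mppe_wrap(secret: bytes, req_auth: bytes, key: bytes, salt: bytes) -> bytes:
    """RFC 2548 section 2.4.2: P = len | key | zero pad to 16n; c1 = P1 xor MD5(S|R|A),
    ci = Pi xor MD5(S|c(i-1)); result = salt | c1..cn. salt: 2 octets, MSB set, unique per packet."""
    assert len(salt) == 2 and salt[0] & 0x80
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    b = hashlib.md5(secret + req_auth + salt).digest()
    out = b""
    for i in range(0, len(plain), 16):
        c = bytes(p ^ q for p, q in zip(plain[i:i + 16], b))
        out += c
        b = hashlib.md5(secret + c).digest()
    return salt + out


def mppe_unwrap(secret: bytes, req_auth: bytes, blob: bytes) -> bytes:
    salt, cipher = blob[:2], blob[2:]
    b = hashlib.md5(secret + req_auth + salt).digest()
    plain = b""
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(p ^ q for p, q in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    return plain[1:1 + plain[0]]


def build_access_accept(secret, req_auth, ident, msk, eap_success):
    """HAAA side: MSK[0:32] -> MS-MPPE-Recv-Key, MSK[32:64] -> MS-MPPE-Send-Key, EAP-Success in
    EAP-Message, Message-Authenticator = HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attributes)
    computed with the attribute's own 16 octets zeroed (RFC 3579 section 3.2)."""
    assert len(msk) == 64 and len(req_auth) == 16
    attrs = _attr(ATTR_EAP_MESSAGE, eap_success)
    attrs += _vsa(VENDOR_MICROSOFT, MS_MPPE_RECV_KEY, mppe_wrap(secret, req_auth, msk[:32], b"\x80\x01"))
    attrs += _vsa(VENDOR_MICROSOFT, MS_MPPE_SEND_KEY, mppe_wrap(secret, req_auth, msk[32:], b"\x80\x02"))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)       # placeholder, last attribute
    hdr = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    mac = hmac.new(secret, hdr + req_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(hdr + req_auth + attrs + secret).digest()
    return hdr + resp_auth + attrs


def _iter_attrs(attrs: bytes):
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        yield attrs[pos], pos, attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]


def segw_extract_msk(secret, req_auth, packet):
    """SeGW side: check Response Authenticator, then Message-Authenticator, then unwrap and
    reassemble the MSK. Returns None if any check fails or a key half is missing."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return None
    hdr, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(hdr + req_auth + attrs + secret).digest()):
        return None
    keys, ma_pos = {}, None
    for atype, pos, value in _iter_attrs(attrs):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            ma_pos = pos + 2
        elif atype == ATTR_VSA and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT:
            vtype, vlen = value[4], value[5]
            keys[vtype] = mppe_unwrap(secret, req_auth, value[6:4 + vlen])
    if ma_pos is None:                       # section 6.3.4.2: MA shall accompany EAP-Message
        return None
    zeroed = attrs[:ma_pos] + b"\x00" * 16 + attrs[ma_pos + 16:]
    expected = hmac.new(secret, hdr + req_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(attrs[ma_pos:ma_pos + 16], expected):
        return None
    if MS_MPPE_RECV_KEY not in keys or MS_MPPE_SEND_KEY not in keys:
        return None
    return keys[MS_MPPE_RECV_KEY] + keys[MS_MPPE_SEND_KEY]


def demo():
    """Constructed inputs: shared secret, Request Authenticator of the Access-Request, MSK."""
    secret, req_auth, msk = b"constructed-radius-secret", bytes(range(16)), bytes(range(64))
    packet = build_access_accept(secret, req_auth, 7, msk, b"\x03\x07\x00\x04")   # EAP-Success
    genuine = segw_extract_msk(secret, req_auth, packet) == msk
    tampered = packet[:40] + bytes([packet[40] ^ 0x01]) + packet[41:]            # flip a key byte
    return genuine, segw_extract_msk(secret, req_auth, tampered), segw_extract_msk(b"other", req_auth, packet)
```

The MD5-based wrapping only hides the key halves from a passive observer on the SeGW-HAAA path; integrity comes from the Message-Authenticator and the Response Authenticator, which is why the SeGW must refuse an Access-Accept without a valid Message-Authenticator rather than fall back to the unauthenticated attributes.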

6.3.5 FAP Requirements

Upon receiving the CREATE_CHILD_SA request message from the SeGW, the FAP shall respond with a CREATE_CHILD_SA response message and include a nonce Nr in the response. The FAP shall derive the keys associated with the newly created CHILD_SA pair according to [10]. The FAP shall use only the newly created CHILD_SA pair for Remote IP Access services.

The FAP shall support DHCP relay/proxy or server functionality [18]. Upon receiving the request from the SeGW for an internal address for the MS, the FAP shall allocate an IPv4 address from the local network subnet, either by itself or from another entity in the local network (e.g. a DHCP server), and shall return this address to the SeGW via a DHCPACK message using the existing IPsec tunnel with the SeGW.

The FAP may support DHCPv6 as specified in [19]. Upon receiving the request from the SeGW for an internal address for the MS, the FAP shall allocate IPv6 addresses from the local network subnet, either by itself or from another entity in the local network (e.g. a DHCPv6 server), and shall return these addresses to the SeGW via a DHCP REPLY using the existing IPsec tunnel with the SeGW.

6.4 IP Traffic Processing for Remote IP Access

The MS and SeGW use the IPsec tunnel created according to section 6.3.2 for the Remote IP Access service. The FAP and SeGW only use the CHILD_SA pair created according to section 6.3.3 for sending and receiving IP traffic related to the Remote IP Access service.

Since there is more than one CHILD_SA pair between the SeGW and the FAP, for traffic from the FAP to the MS the FAP needs to determine whether the traffic is intended for the Remote IP Access service (i.e., based on the local IP address assigned by the FAP for RIPA) and encapsulate the traffic using the corresponding CHILD_SA. If the FAP receives broadcast or multicast traffic from the local network, the FAP may encapsulate these packets into the corresponding CHILD_SA. How the FAP decides whether it sends broadcast and multicast packets is outside the scope of this document. For traffic from the MS to the FAP, the SeGW determines (i.e., based on the IP address assigned using DHCP procedures for IPv4 or DHCPv6 procedures for IPv6) whether the traffic is intended for the Remote IP Access service and encapsulates the traffic using the corresponding CHILD_SA.

6.4.1 MS Requirements

Once the MS completes IPsec tunnel establishment with the SeGW, the MS shall operate in ESP tunnel mode for Remote IP Access, as specified by section 3 of [12].

6.4.1.1 Outbound IP Traffic Processing

The MS shall use the SA with the SeGW to process the outbound traffic for the Remote IP Access service according to Section 3 of [12].

6.4.1.2 Inbound IP Traffic Processing

Upon receiving an IPsec packet from the SeGW, the MS shall perform inbound packet processing according to Section 3.4 of [12].

6.4.2 FAP Requirements

The FAP shall only use the dedicated CHILD_SA pair created during the tunnel establishment procedure for Remote IP Access according to section 6.3.5.

6.4.2.1 Outbound Traffic Processing

The FAP shall monitor the local network traffic. For any packet that is not originated by the FAP and has the remote MS's local network address as the destination address, the FAP shall send it to the SeGW using the CHILD_SA for Remote IP Access. The FAP shall send the packet to the MS using ESP tunnel mode as specified in [12]. Except for the RIPA traffic, the FAP shall not forward traffic from any other nodes to the SeGW.

6.4.2.2 Inbound Traffic Processing

Upon receiving an IPsec packet from the SeGW via the CHILD_SA for Remote IP Access, the FAP shall perform inbound packet processing according to Section 3.4 of [12]. The FAP shall send the packets to the destination address on the local network.

6.4.3 SeGW Requirements

Upon the creation of the IPsec SA with the MS and the IPsec CHILD_SA with the FAP for the Remote IP Access service, the SeGW shall tunnel the Remote IP Access traffic from the MS to the target FAP using the dedicated CHILD_SA. In the other direction, the SeGW shall tunnel all traffic from the CHILD_SA for Remote IP Access (from the FAP) to the MS using the IPsec tunnel with the MS.

6.4.3.1 Traffic from the MS to the FAP

Upon receiving any IPsec packets from the MS, the SeGW shall use the Security Association (SA) with the MS to perform inbound packet processing as specified in Section 3.4 of [12], including but not limited to removing the outer headers, decrypting and verifying the integrity of the ESP payload, and reconstructing the entire IP datagram in the ESP Payload field.

The SeGW shall determine the target FAP associated with the MS (e.g., based on the mapping between the IPsec tunnel with the FAP and the address assigned to the MS for the RIPA service). The SeGW shall select the CHILD_SA for Remote IP Access with the target FAP. The SeGW shall use the selected CHILD_SA to perform outbound packet processing on the reconstructed IP datagram according to Section 3.3 of [12], including but not limited to encapsulating and encrypting the entire reconstructed IP datagram, calculating the integrity check value, and constructing the outer header [27]. The SeGW shall send the resulting outbound IPsec packet to the target FAP via the CHILD_SA for Remote IP Access.

6.4.3.2 Traffic from the FAP to the MS

For any IPsec packet received via the CHILD_SA for Remote IP Access from the FAP, the SeGW shall perform inbound packet processing and reconstruct the entire IP datagram in the ESP payload as specified in Section 3.4 of [12].

The SeGW shall first determine the MS(s) associated with the FAP (e.g., based on the mapping between the IPsec tunnel with the MS and the IP address assigned to the MS for the RIPA service). The SeGW shall then identify which MS the reconstructed IP datagram is intended for by comparing the destination IP address with the internal IP address assigned to the MS by the FAP's local network. The SeGW shall select the SA with the target MS. The SeGW shall perform outbound traffic processing on the IP datagram using the selected SA in tunnel mode as specified in Section 3.3 of [12]. The SeGW shall send the resulting IPsec packet to the target MS.

If the destination IP address of the reconstructed IP datagram received from the FAP over the CHILD_SA for the RIPA service does not match the assigned IP address of any MS associated with that FAP, and it is not a broadcast or multicast IP address, the SeGW shall discard the reconstructed IP datagram. If the destination IP address of the reconstructed IP datagram is a broadcast or multicast IP address, the SeGW shall encapsulate the packet into the corresponding SA of each MS that is associated with the FAP from which the packet was received.
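The SeGW forwarding decisions of sections 6.4.3.1 and 6.4.3.2, together with the FEID/tunnel check of section 6.3.3, as an added example in Python (not the specification's or any product's code). The data model, FEIDs, SA identifiers and addresses are constructed. The FAP-to-MS function implements the discard rule and the broadcast/multicast fan-out exactly as the text above states; the inner-source check in the MS-to-FAP function is an added anti-spoofing check that the specification does not require, labelled as such in the code.

```python
import ipaddress
from dataclasses import dataclass, field

NOTIFY_RIPA_UNAVAILABLE = 8195   # error code the spec assigns for "RIPA not available" (section 6.3.3)


@dataclass
class RipaTable:
    """SeGW bookkeeping for the Remote IP Access service (constructed data model).
    faps: FEID -> (RIPA CHILD_SA id, local subnet of the FAP's network)
    mss:  MS IPsec SA id -> (FEID the MS is bound to, inner address assigned via DHCP/DHCPv6)"""
    faps: dict = field(default_factory=dict)
    mss: dict = field(default_factory=dict)


def authorize_fap(table: RipaTable, authorized_feids):
    """Section 6.3.3: after the HAAA authorizes the MS, pick a FEID with which the SeGW already
    has an IPsec tunnel; otherwise return the 8195 error code to abort tunnel establishment."""
    for feid in authorized_feids:
        if feid in table.faps:
            return feid
    return NOTIFY_RIPA_UNAVAILABLE


def child_sa_for_ms_traffic(table: RipaTable, ms_sa: str, inner_src: str):
    """Section 6.4.3.1 (MS -> FAP). Returns the FAP's RIPA CHILD_SA id, or None to drop.
    The inner-source check is an added anti-spoofing check, not a requirement of the spec:
    an MS may only speak from the address the SeGW handed it in CP(CFG_REPLY)."""
    if ms_sa not in table.mss:
        return None
    feid, assigned = table.mss[ms_sa]
    if ipaddress.ip_address(inner_src) != assigned:
        return None
    return table.faps[feid][0]


def ms_sas_for_fap_traffic(table: RipaTable, feid: str, inner_dst: str) -> list:
    """Section 6.4.3.2 (FAP -> MS). Unicast to an assigned MS address selects that MS's SA;
    broadcast/multicast fans out to every MS bound to this FAP; anything else is discarded
    (empty list), which stops the FAP's LAN from reaching arbitrary hosts through the tunnel."""
    dst = ipaddress.ip_address(inner_dst)
    _, subnet = table.faps[feid]
    on_this_fap = [(sa, ip) for sa, (f, ip) in table.mss.items() if f == feid]
    is_bcast = dst.version == 4 and (dst == ipaddress.ip_address("255.255.255.255")
                                     or dst == subnet.broadcast_address)
    if dst.is_multicast or is_bcast:
        return [sa for sa, _ in on_this_fap]
    return [sa for sa, ip in on_this_fap if ip == dst]


def build_table() -> RipaTable:
    """Constructed state: two MSs on FAP feid-A, one on feid-B."""
    t = RipaTable()
    t.faps["feid-A"] = ("child_sa_A", ipaddress.ip_network("192.168.1.0/24"))
    t.faps["feid-B"] = ("child_sa_B", ipaddress.ip_network("10.20.0.0/24"))
    t.mss["ms_sa_1"] = ("feid-A", ipaddress.ip_address("192.168.1.10"))
    t.mss["ms_sa_2"] = ("feid-A", ipaddress.ip_address("192.168.1.11"))
    t.mss["ms_sa_3"] = ("feid-B", ipaddress.ip_address("10.20.0.5"))
    return t


if __name__ == "__main__":
    t = build_table()
    print(authorize_fap(t, ["feid-Z", "feid-B"]))                     # feid-B
    print(ms_sas_for_fap_traffic(t, "feid-A", "192.168.1.10"))       # ['ms_sa_1']
    print(ms_sas_for_fap_traffic(t, "feid-A", "192.168.1.255"))      # both MSs on feid-A
    print(ms_sas_for_fap_traffic(t, "feid-A", "192.168.1.77"))       # [] -> discard
    print(child_sa_for_ms_traffic(t, "ms_sa_1", "192.168.1.11"))     # None -> spoofed source
```

Note that a datagram arriving over feid-B's CHILD_SA addressed to an MS bound to feid-A is discarded as well: the lookup is scoped to the FAP the packet came from, so one FAP cannot inject traffic toward another FAP's remote MSs.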

6.5 Tunnel Disconnection

Tunnel disconnection may be initiated from the MS or from the SeGW, e.g., due to a timeout of the IKE SA lifetime set internally in the MS or SeGW, or due to a request from the Home AAA server.

The tunnel disconnection messages exchanged between the MS and the SeGW are carried via IKEv2.

6.5.1 MS Procedures

The MS shall use the procedures specified in IKEv2 [10] to delete the IPsec tunnel with the SeGW.

6.5.2 SeGW Requirements

The SeGW shall use the procedures specified in IKEv2 [10] to delete the IPsec tunnel with the MS. If there are no more MSs using RIPA with the given FAP, the SeGW shall use the IKEv2 procedures to close the CHILD_SA pair with the FAP that was specifically created for the RIPA service.

If the CHILD_SA pair for the RIPA service with a FAP is terminated, the SeGW shall use the procedure specified in IKEv2 [10] to delete the RIPA IPsec tunnel with all the MSs that use the RIPA service with that FAP.

6.5.3 Home AAA Requirements

When the Remote IP Access service has been terminated for the MS, the HAAA shall instruct the SeGW to disconnect the session for the MS by sending a RADIUS Disconnect-Request or Diameter Abort-Session-Request message.

6.5.4 FAP Requirements

The FAP shall use the procedures specified in IKEv2 [10] to delete the CHILD_SA pair for RIPA with the SeGW if the FAP decides to terminate the RIPA service for all MSs.

7 Accounting

The FAP performs the RAN accounting procedure as specified in [1]. The PDSN shall follow the accounting procedures as specified in [2]. In addition, the FAP and PDSN may support the FEID in A10 Connection Setup airlink records and the PDSN UDR as specified in this section.

Table 1 Additional Parameters in A10 Connection Setup Airlink Fields

  Item   Parameter   Max Payload Length (octets)   Format
  dx     FEID        16                            String

Table 2 Additional Parameters in PDSN UDR

  Item   Parameter                    Description
  D.     Infrastructure Identifiers
  Dx     FEID                         FEID of the FAP

Table 3 Additional Accounting Parameter Attribute RADIUS Definitions

  Item   Parameter                    Type/Vendor Type   Maximum Payload Length (octets)   Format   Field        Special Values
  D.     Infrastructure Identifiers
  Dx     FEID                         26/216             16                                String   3GPP2_FEID   The FEID of the FAP. [6]

8 RADIUS Considerations

Table 4 shows the meaning of the RADIUS message columns of Table 5 and Table 6.

Table 4 Meaning of the Request, Accept, Reject, Challenge columns of Table 5 and Table 6

  Coding   Meaning
  0        This attribute shall not be present.
  0+       Zero or more instances of this attribute may be present.
  0-1      Zero or one instance of this attribute may be present.
  1        Exactly one instance of this attribute shall be present.
  1+       One or more instances of this attribute shall be present.

8.1 RADIUS Attributes between SeGW and Femtocell AAA for FAP Authorization

Table 5 summarizes the RADIUS attributes in the RADIUS messages exchanged between the SeGW and the Femtocell AAA.

Table 5 RADIUS Attributes exchanged between the SeGW and the Femtocell AAA for FAP Authorization

  Attribute               Type   Value Type   Request   Accept   Reject   Disconnect   Comments
  User-Name               1      String       1         0-1      0        1            User's NAI, case sensitive [28]. NAI format is FAP-FQDN@realm.
  Class                   25     String       0         0-1      0        0            [28]
  Service-Type            6      Integer      1         0        0        0            [28] Set to 'Authentication Only' per [28].
  Session-Timeout         27     Integer      0         0-1      0        0            [28]
  NAS-Identifier          32     String       0-1       0        0        0            [28]
  NAS-IP-Address          4      Address      0-1       0        0        0            [28] Note 1
  NAS-IPv6-Address        95     Address      0-1       0        0        0            [28] Note 1
  Message-Authenticator   80     String       1         1        1        1            [28]

Note 1: At least one of NAS-IP-Address or NAS-IPv6-Address shall be included.

8.2 RADIUS Attributes between SeGW and HAAA for RIPA

Table 6 summarizes the RADIUS attributes in the RADIUS messages exchanged between the SeGW and the HAAA.

Table 6 RADIUS Attributes exchanged between the SeGW and the HAAA

  Attribute               Type                        Value Type   Request   Accept   Reject   Challenge   Disconnect   Comments
  User-Name               1                           String       1         0-1      0        0           1            User's NAI, case sensitive [28].
  Class                   25                          String       0         0-1      0        0           0
  NAS-Identifier          32                          String       0-1       0        0        0           0            [28]
  NAS-IP-Address          4                           Address      0-1       0        0        0           0            [28] Note 1
  NAS-IPv6-Address        95                          Address      0-1       0        0        0           0            [28] Note 1
  EAP-Message             79                          String       1+        1+       1+       1+          0            Used only for EAP.
  MS-MPPE-Send-Key        26/16 (Vendor-ID = 311)     String       0         0-1      0        0           0            If PSK is used, contains the RIPA-IKEv2-Key. If EAP is used, contains the second 32 bytes of the MSK.
  MS-MPPE-Recv-Key        26/17 (Vendor-ID = 311)     String       0         1        0        0           0            Contains the first 32 bytes of the MSK. Only used for EAP.
  Session-Timeout         27                          Integer      0         0-1      0        0           0            [28]
  Message-Authenticator   80                          String       1         1        1        1           1            [28]
  Session-Key-Nonces      26/212 (Vendor-ID = 5535)   String       0-1       0        0        0           0            Nonces exchanged between the MS and the SeGW, sent from the SeGW to the HAAA for key generation. Used only for PSK. [4]
  Session-Key-Method      26/213 (Vendor-ID = 5535)   Integer      0-1       0        0        0           0            Indication that authorization for IKEv2 PSK is needed. Used only for PSK.
  RIPA-Info               26/215 (Vendor-ID = 5535)   String       0         0+       0        0           0

Note 1: At least one of NAS-IP-Address or NAS-IPv6-Address shall be included.

8.3 RADIUS Vendor Specific Attributes

8.3.1 Session-Key-Method

The Session-Key-Method VSA conveys the method for which the key included is used. This attribute shall be included in the RADIUS Access-Request message sent to the HAAA.

                      1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |    Length     |           Vendor-ID           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |       Vendor-ID (cont)        |  Vendor-Type  | Vendor-Length |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                          Vendor Value                         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 4 Session-Key-Method VSA

Type: 26

Length: 12

Vendor-ID: 5535

Vendor-Type: 213

Vendor-Length: 6

Vendor-Value: A 32-bit unsigned integer representing an enumeration with the following values:

  1: MIP6 IKEv2 PSK method (see [4])
  2: RIPA IKEv2 PSK method
  3 and above: reserved

8.3.2 RIPA-Info

                      1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |    Length     |           Vendor-ID           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |       Vendor-ID (cont)        |  Vendor-Type  | Vendor-Length |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Sub-Type (=1) |    Length     |  Value (SeGW IPv4 or IPv6 address) ...
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     ... Value (SeGW IPv4 or IPv6 address, 4 or 16 octets)     |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Sub-Type (=2) |    Length     |          Value (FEID) ...
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 5 RIPA-Info VSA

Type: 26

Length: variable, greater than 8

Vendor-ID: 5535

Vendor-Type: 215

Vendor-Length: variable, greater than 2

Sub-Type (=1): Sub-Type for SeGW IP address

  Length: Length of the SeGW IP address sub-field (IPv4 = 6 octets, IPv6 = 18 octets)

  SeGW IP address: This sub-type is optional. The HAAA indicates the IP address of the SeGW which has the IPsec tunnel with the associated FEID(s). If this sub-type is not present, it implies that the SeGW that sent the Access-Request message is the serving SeGW which has the IPsec tunnel with the FAP's FEID(s).

Sub-Type (=2): Sub-Type for FEID

  Length: Length of the FEID sub-field

  FEID: This sub-type shall be present one or more times. The HAAA indicates the FAP's FEID that is authorized to be accessed by the MS.
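An encoder and a strict decoder for the two 3GPP2 VSAs of this section, as an added example (not the specification's or any vendor's code). It builds the 12-octet Session-Key-Method VSA of Figure 4 and the RIPA-Info VSA of Figure 5 with its sub-type 1 (SeGW address) and sub-type 2 (FEID) sub-fields, and the decoder enforces the constraints stated above: consistent Length and Vendor-Length fields, a 4- or 16-octet SeGW address at most once, at least one FEID, and no unknown sub-types. The FEID strings and addresses are constructed; that the FEID sub-field Length counts its own 2-octet sub-header, as the address sub-field's does, is an assumption.

```python
import ipaddress
import struct

ATTR_VSA = 26
VENDOR_3GPP2 = 5535
VT_SESSION_KEY_METHOD, VT_RIPA_INFO = 213, 215
SKM_MIP6_IKEV2_PSK, SKM_RIPA_IKEV2_PSK = 1, 2
SUB_SEGW_ADDR, SUB_FEID = 1, 2


def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """RADIUS VSA: Type 26 | Length | Vendor-ID (4) | Vendor-Type | Vendor-Length | value."""
    inner = struct.pack("!IBB", VENDOR_3GPP2, vendor_type, len(value) + 2) + value
    if len(inner) + 2 > 255:
        raise ValueError("VSA too long for one attribute")
    return bytes([ATTR_VSA, len(inner) + 2]) + inner


def decode_vsa(attr: bytes):
    """Returns (vendor_type, value) for a 3GPP2 VSA; rejects inconsistent length fields."""
    if len(attr) < 8 or attr[0] != ATTR_VSA or attr[1] != len(attr):
        raise ValueError("not a well-formed VSA")
    vendor, vendor_type, vendor_len = struct.unpack("!IBB", attr[2:8])
    if vendor != VENDOR_3GPP2 or vendor_len != len(attr) - 6:
        raise ValueError("not a 3GPP2 VSA or bad Vendor-Length")
    return vendor_type, attr[8:]


def encode_session_key_method(method: int) -> bytes:
    """Figure 4: Length 12, Vendor-Length 6, 32-bit enumeration value."""
    if method not in (SKM_MIP6_IKEV2_PSK, SKM_RIPA_IKEV2_PSK):
        raise ValueError("reserved Session-Key-Method value")
    return encode_vsa(VT_SESSION_KEY_METHOD, struct.pack("!I", method))


def encode_ripa_info(feids, segw_addr=None) -> bytes:
    """Figure 5: optional sub-type 1 (SeGW address, 6 or 18 octets including the sub-header)
    followed by one or more sub-type 2 (FEID). Assumption: the FEID sub-field Length counts its
    2-octet sub-header, like sub-type 1 does."""
    if not feids:
        raise ValueError("RIPA-Info shall carry at least one FEID")
    body = b""
    if segw_addr is not None:
        packed = ipaddress.ip_address(segw_addr).packed
        body += bytes([SUB_SEGW_ADDR, len(packed) + 2]) + packed
    for feid in feids:
        raw = feid.encode("ascii")
        body += bytes([SUB_FEID, len(raw) + 2]) + raw
    return encode_vsa(VT_RIPA_INFO, body)


def decode_ripa_info(value: bytes):
    """Returns (segw_addr or None, [feids]). Enforces the section's constraints: sub-type 1 at
    most once with a 4- or 16-octet address, sub-type 2 one or more times, nothing else."""
    segw, feids, pos = None, [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated sub-TLV header")
        sub_type, length = value[pos], value[pos + 1]
        if length < 2 or pos + length > len(value):
            raise ValueError("bad sub-TLV length")
        sub_value = value[pos + 2:pos + length]
        if sub_type == SUB_SEGW_ADDR:
            if segw is not None or len(sub_value) not in (4, 16):
                raise ValueError("bad or repeated SeGW address sub-type")
            segw = ipaddress.ip_address(sub_value)
        elif sub_type == SUB_FEID:
            feids.append(sub_value.decode("ascii"))
        else:
            raise ValueError("unknown RIPA-Info sub-type %d" % sub_type)
        pos += length
    if not feids:
        raise ValueError("RIPA-Info without any FEID")
    return segw, feids


def roundtrip_ripa_info(feids, segw_addr=None):
    vendor_type, value = decode_vsa(encode_ripa_info(feids, segw_addr))
    assert vendor_type == VT_RIPA_INFO
    return decode_ripa_info(value)


if __name__ == "__main__":
    print(encode_session_key_method(SKM_RIPA_IKEV2_PSK).hex())   # 1a0c0000159fd50600000002
    print(roundtrip_ripa_info(["feid-0001", "feid-0002"], "2001:db8::1"))
    print(roundtrip_ripa_info(["feid-0001"]))                    # (None, ['feid-0001'])
```

A decoder this strict matters on the SeGW because the FEID list is what section 6.3.3 consults before it opens a CHILD_SA toward a FAP: a malformed or sub-type-less RIPA-Info must fail closed rather than be read as an empty or wrong authorization.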

9 Diameter Considerations

9.1 Diameter Applications and Commands

9.1.1 FAP Authorization

This specification uses the Diameter NASREQ Application for FAP authorization (see [14]).

An SeGW supporting this authorization scheme shall advertise support by including the Diameter NASREQ Application ID in the Diameter capability exchange procedure defined by the Diameter base protocol [29].

9.1.1.1 Command Codes

FAP Authorization uses the following command codes:

Table 7 Diameter Command Codes for FAP Authorization

  Command-Name                  Abbreviation   Code   Reference
  AA-Request                    AAR            265    [14]
  AA-Answer                     AAA            265    [14]
  Session-Termination-Request   STR            275    [29]
  Session-Termination-Answer    STA            275    [29]
  Abort-Session-Request         ASR            274    [29]
  Abort-Session-Answer          ASA            274    [29]

The AAR command is sent by the SeGW to the Femtocell AAA to initiate the FAP authorization procedure. The AAA command is sent in response to the AAR.

STR is used by the SeGW to inform the Femtocell AAA when the IPsec tunnel between the FAP and the SeGW has terminated. The Femtocell AAA acknowledges reception of the STR with an STA.

ASR is used by the Femtocell AAA to terminate an IPsec session between the FAP and the SeGW. ASA is used by the SeGW to acknowledge receipt of the ASR.

9.1.2 RIPA Authentication

This specification uses two Diameter Applications as follows to support RIPA:

 EAP based IKE Authentication uses the 3GPP2 Diameter IKE EAP (IKEEAP) application specified in this document; and

 PSK based IKE Authentication uses the 3GPP2 Diameter IKE PSK Authentication (IKEPSK) application specified in this document.

An SeGW supporting either of these two IKE Authentication schemes shall advertise support by including the corresponding Application IDs in the Diameter capability exchange procedure defined by the Diameter base protocol [29].

9.1.2.1 Command Codes for Diameter EAP based IKEv2 Authentication

The EAP based IKEv2 Authentication Application supports the following command codes:

Table 8 Diameter Command Codes for EAP based IKEv2

  Command-Name                  Abbreviation   Code   Reference
  Diameter-EAP-Request          DER            268    [30]
  Diameter-EAP-Answer           DEA            268    [30]
  Session-Termination-Request   STR            275    [29]
  Session-Termination-Answer    STA            275    [29]
  Abort-Session-Request         ASR            274    [29]
  Abort-Session-Answer          ASA            274    [29]

The DER command is sent by the SeGW to the HAAA to initiate the Remote IP Access service authentication and authorization procedure. The DEA command is sent in response to the DER. If the RIPA authentication and authorization is successful, the DEA shall also include the SeGW IP address and FEID(s) information. The Application-ID field of the Diameter header shall be set to the Diameter IKEv2-EAP Application ID (value TBD).

STR is used by the SeGW to inform the HAAA when the IPsec tunnel between the MS and the SeGW has terminated. The HAAA acknowledges reception of the STR with an STA. These commands are used as per [29].

ASR is used by the HAAA to terminate an IPsec session between the MS and the SeGW. It is used as per [29]. ASA is used by the SeGW to acknowledge receipt of the ASR. Subsequently, the SeGW shall take further actions to terminate the corresponding IPsec tunnel between the MS and the SeGW and release the corresponding CHILD_SA pair between the SeGW and the FAP if there are no other MSs using RIPA with the given FAP.

9.1.2.1.1 Diameter-EAP-Request Command

<Diameter-EAP-Request> ::= < Diameter Header: 268, REQ, PXY >
                           { Auth-Application-Id }
                           { Origin-Host }
                           { Origin-Realm }
                           { Destination-Realm }
                           { Auth-Request-Type }
                           { User-Name }
                           [ Destination-Host ]
                           [ NAS-Identifier ]
                           [ NAS-IP-Address ]
                           [ NAS-IPv6-Address ]
                           [ NAS-Port-Type ]
                           { EAP-Payload }
                         * [ AVP ]

9.1.2.1.2 Diameter-EAP-Answer Command

<Diameter-EAP-Answer> ::= < Diameter Header: 268, PXY >
                          { Auth-Application-Id }
                          { Auth-Request-Type }
                          { Result-Code }
                          { Origin-Host }
                          { Origin-Realm }
                          [ User-Name ]
                          [ EAP-Payload ]
                          [ EAP-Reissued-Payload ]
                          [ EAP-Master-Session-Key ]
                          [ EAP-Key-Name ]
                          [ Multi-Round-Time ]
                          [ RIPA-Info ]
                        * [ AVP ]

9.1.2.2 Command Codes for Diameter Authentication using PSK based IKEv2

The PSK based IKEv2 Authentication Application supports the following command codes:

Table 9 Diameter Command Codes for PSK based IKEv2

  Command-Name                  Abbreviation   Code   Reference
  IKEv2-PSK-Request             IKEPSKR        TBD    [4]
  IKEv2-PSK-Answer              IKEPSKA        TBD    [4]
  Session-Termination-Request   STR            275    [29]
  Session-Termination-Answer    STA            275    [29]
  Abort-Session-Request         ASR            274    [29]
  Abort-Session-Answer          ASA            274    [29]

The IKEPSKR/IKEPSKA commands are specified below and are used by the SeGW to retrieve the pre-shared key needed to authenticate the MS. The IKEv2-PSK-Request/Answer commands are exchanged between the SeGW and the HAAA in order to provide the SeGW with the key necessary to validate the AUTH payload of the IKEv2 exchange. If the RIPA authentication and authorization is successful, the IKEPSKA shall also include the SeGW IP address and FEID(s) information. The Application-ID field of the Diameter header shall be set to the Diameter IKE PSK Authentication (IKEPSK) Application ID (value TBD).

STR is used by the SeGW to inform the HAAA when the IPsec tunnel has terminated. The HAAA acknowledges reception of the STR with an STA. These commands are used as per [29].

ASR is used by the HAAA to terminate an IPsec session between the MS and the SeGW. It is used as per [29]. ASA is used by the SeGW to acknowledge receipt of the ASR. Subsequently, the SeGW shall take further actions to terminate the corresponding IPsec tunnel.

9.1.2.2.1 IKEv2-PSK-Request Command

The IKEv2-PSK-Request message, indicated by the Command-Code field set to TBD, is sent from the SeGW to the HAAA to initiate IKEv2 PSK authentication and authorization. The Application-ID field of the Diameter header shall be set to the Diameter IKEv2-PSK-Request Application ID (value TBD).

<IKEv2-PSK-Request> ::= < Diameter Header: TBD, REQ, PXY >
                        { Auth-Application-Id }
                        { Origin-Host }
                        { Origin-Realm }
                        { Destination-Realm }
                        { Auth-Request-Type }
                        { User-Name }
                        { Session-Key-Nonces }
                        [ Destination-Host ]
                        [ Origin-State-Id ]
                        [ Auth-Session-State ]
                        [ NAS-IP-Address ]
                        [ NAS-IPv6-Address ]
                        [ NAS-Port-Type ]
                        [ NAS-Identifier ]
                      * [ Proxy-Info ]
                      * [ Route-Record ]
                      * [ AVP ]

Note 1: The Auth-Request-Type value shall be set to AUTHORIZE_ONLY (2) as specified in [29].

Note 2: Session-Key-Nonces contains the nonces used for RIPA-IKEv2-Key generation.

9.1.2.2.2 IKEv2-PSK-Answer Command

The IKEv2-PSK-Answer message, indicated by the Command-Code field set to TBD, is sent by the HAAA to the SeGW in response to the IKEPSKR command. If the RIPA authorization procedure was successful then the response shall include Master-Security-Association. The Application-ID field in the Diameter header shall be set to the Diameter PSK based IKE Authorization Application-ID (value of TBD). The following specifies the allowed AVPs in the command:

IKEv2-PSK-Answer ::=
    { Auth-Application-Id }
    { Result-Code }
    { Origin-Host }
    { Origin-Realm }
    [ Master-Security-Association ]
    [ User-Name ]
    [ Origin-State-Id ]
    [ Error-Message ]
    [ Error-Reporting-Host ]
  * [ Failed-AVP ]
    [ Re-Auth-Request-Type ]
  * [ Redirected-Host ]
    [ Redirected-Host-Usage ]
    [ Redirected-Max-Cache-Time ]
    [ RIPA-Info ]
  * [ Proxy-Info ]
  * [ Route-Record ]
  * [ AVP ]

Note 1: Master-Security-Association is a grouped AVP that contains the RIPA-IKEv2-Key that corresponds to the NAI that was requested in the IPR command. This AVP shall be returned unless there is a failure.
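The command definitions in 9.1.2.2.1 and 9.1.2.2.2 are checkable mechanically. The following is an added example, not part of X.S0059-100-0, that validates an IKEPSKR or IKEPSKA AVP set against the ABNF cardinalities and the two Notes; the sample messages at the bottom are constructed, and the "TBD" application id is kept as a literal placeholder.

```python
# Added example (not part of X.S0059-100-0): checks an IKEv2-PSK-Request or
# IKEv2-PSK-Answer AVP set against the command ABNF of 9.1.2.2.1 / 9.1.2.2.2
# and the Note 1 constraints of each command. AVP names are the spec's own;
# the messages built at the bottom are constructed sample input.
from collections import Counter

# Cardinality as written in the ABNF: "{ X }" exactly one, "[ X ]" zero or one,
# "* [ X ]" zero or more. "* [ AVP ]" (any other AVP) makes unknown names legal.
IKEV2_PSK_REQUEST = {
    "Auth-Application-Id": "1", "Origin-Host": "1", "Origin-Realm": "1",
    "Destination-Realm": "1", "Auth-Request-Type": "1", "User-Name": "1",
    "Session-Key-Nonces": "1",
    "Destination-Host": "0-1", "Origin-State-Id": "0-1",
    "Auth-Session-State": "0-1", "NAS-IP-Address": "0-1",
    "NAS-IPv6-Address": "0-1", "NAS-Port-Type": "0-1", "NAS-Identifier": "0-1",
    "Proxy-Info": "0+", "Route-Record": "0+",
}
IKEV2_PSK_ANSWER = {
    "Auth-Application-Id": "1", "Result-Code": "1", "Origin-Host": "1",
    "Origin-Realm": "1",
    "Master-Security-Association": "0-1", "User-Name": "0-1",
    "Origin-State-Id": "0-1", "Error-Message": "0-1",
    "Error-Reporting-Host": "0-1", "Re-Auth-Request-Type": "0-1",
    "Redirected-Host-Usage": "0-1", "Redirected-Max-Cache-Time": "0-1",
    "RIPA-Info": "0-1",
    "Failed-AVP": "0+", "Redirected-Host": "0+", "Proxy-Info": "0+",
    "Route-Record": "0+",
}
AUTHORIZE_ONLY = 2       # Auth-Request-Type value required by Note 1 of 9.1.2.2.1
DIAMETER_SUCCESS = 2001  # base-protocol Result-Code for success (RFC 3588)


def check_cardinality(rule, avps):
    """avps is a list of (name, value) pairs. Returns the list of violations."""
    counts = Counter(name for name, _ in avps)
    errors = []
    for name, card in rule.items():
        n = counts.get(name, 0)
        if card == "1" and n != 1:
            errors.append(f"{name}: exactly one required, found {n}")
        elif card == "0-1" and n > 1:
            errors.append(f"{name}: at most one allowed, found {n}")
    return errors


def check_ikepskr(avps):
    """IKEv2-PSK-Request: ABNF cardinality plus the Note 1 / Note 2 constraints."""
    errors = check_cardinality(IKEV2_PSK_REQUEST, avps)
    for name, value in avps:
        if name == "Auth-Request-Type" and value != AUTHORIZE_ONLY:
            errors.append(f"Auth-Request-Type must be AUTHORIZE_ONLY (2), got {value}")
        if name == "Session-Key-Nonces" and not ({"Ni", "Nr"} <= set(value)):
            errors.append("Session-Key-Nonces must carry both Ni and Nr")
    return errors


def check_ikepska(avps):
    """IKEv2-PSK-Answer: ABNF cardinality plus Note 1 (MSA returned unless failure)."""
    errors = check_cardinality(IKEV2_PSK_ANSWER, avps)
    result = [v for n, v in avps if n == "Result-Code"]
    has_msa = any(n == "Master-Security-Association" for n, _ in avps)
    if result and result[0] == DIAMETER_SUCCESS and not has_msa:
        errors.append("Master-Security-Association missing from a successful answer")
    return errors


# Constructed sample messages (hosts, NAI, nonces, FEID and addresses are made up)
SAMPLE_REQUEST = [
    ("Auth-Application-Id", "TBD"), ("Origin-Host", "segw1.example.net"),
    ("Origin-Realm", "example.net"), ("Destination-Realm", "home.example.net"),
    ("Auth-Request-Type", AUTHORIZE_ONLY), ("User-Name", "alice@home.example.net"),
    ("Session-Key-Nonces", {"Ni": 0x1A2B3C4D, "Nr": 0x5E6F7081}),
    ("NAS-IP-Address", "192.0.2.10"),
]
SAMPLE_ANSWER = [
    ("Auth-Application-Id", "TBD"), ("Result-Code", DIAMETER_SUCCESS),
    ("Origin-Host", "haaa.home.example.net"), ("Origin-Realm", "home.example.net"),
    ("Master-Security-Association", {"Key": bytes(32), "MSA-Lifetime": 3600}),
    ("RIPA-Info", {"FEID": [0x0011223344556677], "SeGW-IP-Address": "198.51.100.20"}),
]
```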

3

4

9.2 Diameter AVPs

Table 3 shows the meaning of the Diameter AVPs specified in columns of Table 4.

Table 10 Meaning of the Request, Answer columns

Coding   Meaning
0        This attribute shall not be present.
0+       Zero or more instances of this attribute may be present.
0-1      Zero or one instance of this attribute may be present.
1        Exactly one instance of this attribute shall be present.

16

17

18

Table 4 lists the Diameter AVPs used in the Diameter commands exchanged between the SeGW and the HAAA.

Table 11 Diameter AVP exchanged between the SeGW and the HAAA

Attribute                    AVP Code  Value Type   Request  Answer  Comments
User-Name                    1         UTF8String   1        0-1     User's NAI, case sensitive. [29]
NAS-IP-Address               4         OctetString  0-1      0       IP Addr of NAS in SeGW
Session-Timeout              27        Unsigned32   0        0-1     Seconds until forced session termination and re-authentication required. [29]
Idle-Timeout                 28        Unsigned32   0        0-1     Seconds of idle time before auto-termination of session. [29]
Authorization-Lifetime       291       Unsigned32   0-1      0-1     0 = Immediate re-authentication [29]
NAS-Identifier               32        UTF8String   0-1      0       Alternative to NAS-IP-Address to identify NAS. [29]
NAS-Port-Type                61        Enumerated   0-1      0       5 = virtual. [14]
NAS-IPv6-Address             95        OctetString  0-1      0       IPv6 Addr of NAS in SeGW. [14]
Master-Security-Association  TBD/TBD   Grouped      0        0-1     Grouped AVP that includes session key related information.
Session-Key-Nonces           TBD/TBD   Grouped      0-1      0       Grouped AVP that describes the Ni and Nr nonces exchanged between MS and SeGW, and sent from SeGW to HAAA for RIPA-IKEv2-Key generation.
Ni                           TBD/TBD   Unsigned32   0-1      0       The IKEv2 Initiator's nonce. [4]
Nr                           TBD/TBD   Unsigned32   0-1      0       The IKEv2 Responder's nonce. [4]
RIPA-Info                    5535/53   Grouped      0-1      0
FEID                         5535/54   EUI-64       0        1+
SeGW-IP-Address              5535/55   IP address   -        0

9

10

11



9.2.1 Master-Security-Association

The Master-Security-Association (AVP Code TBD/TBD) is of type Grouped and contains the session related information for use with the IKEv2 PSK method (see [31]).

Master-Security-Association ::=
    { Key }
    [ MSA-Lifetime ]
    [ MSA-SPI ]
  * [ AVP ]

23

24

9.2.1.1 Key

Key AVP (Code TBD/TBD) is of type OctetString and contains the session key RIPA-IKEv2-Key for the associated RIPA IKEv2 PSK authorization. When the Diameter server computes the session key it is placed in this AVP most significant byte first.

9.2.1.2 MSA-Lifetime

MSA-Lifetime AVP (Code TBD/TBD) is of type Unsigned32 and represents the period of time (in seconds) for which the RIPA-IKEv2-Key is valid. The associated RIPA-IKEv2-Key shall not be used if the lifetime has expired.

9.2.1.3 MSA-SPI

MSA-SPI AVP (Code TBD/TBD) is of type Unsigned32 and contains an SPI associated with the RIPA-IKEv2-Key.
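The grouped AVP above, its byte-order rule for Key and the MSA-Lifetime rule can be exercised on the wire format. The following is an added example, not code from X.S0059-100-0: it encodes and decodes Master-Security-Association in the Diameter AVP layout of RFC 3588 section 4.1. Because the AVP codes are TBD in the spec, the four codes used are labelled placeholders; the vendor id 5535 is the one the page itself uses for RIPA-Info (5535/53).

```python
# Added example (not part of X.S0059-100-0): builds and parses the
# Master-Security-Association grouped AVP of 9.2.1 in Diameter AVP wire format
# (RFC 3588 section 4.1) and applies the MSA-Lifetime rule of 9.2.1.2.
# The AVP codes are "TBD" in the spec, so the four codes below are PLACEHOLDERS;
# the vendor id 5535 is the one the page uses for RIPA-Info (5535/53).
import struct

VENDOR_ID = 5535
CODE_MSA, CODE_KEY, CODE_MSA_LIFETIME, CODE_MSA_SPI = 9001, 9002, 9003, 9004  # placeholders
FLAG_V, FLAG_M = 0x80, 0x40  # AVP flags: Vendor-specific, Mandatory


def encode_avp(code, data, vendor_id=VENDOR_ID):
    """AVP = code(4) flags(1) length(3) [vendor-id(4)] data, padded to 4 octets.
    The length field covers header and data but not the padding."""
    flags = FLAG_M | (FLAG_V if vendor_id else 0)
    length = 8 + (4 if vendor_id else 0) + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id:
        header += struct.pack("!I", vendor_id)
    return header + data + b"\x00" * ((-len(data)) % 4)


def key_octets(key_value, nbytes):
    """9.2.1.1: a key computed as an integer is placed in the Key AVP most
    significant byte first, i.e. big-endian."""
    return key_value.to_bytes(nbytes, "big")


def encode_msa(key, lifetime=None, spi=None):
    """Master-Security-Association ::= { Key } [ MSA-Lifetime ] [ MSA-SPI ]"""
    body = encode_avp(CODE_KEY, key)                                        # OctetString
    if lifetime is not None:
        body += encode_avp(CODE_MSA_LIFETIME, struct.pack("!I", lifetime))  # Unsigned32
    if spi is not None:
        body += encode_avp(CODE_MSA_SPI, struct.pack("!I", spi))            # Unsigned32
    return encode_avp(CODE_MSA, body)                                       # Grouped


def decode_avps(data):
    """Split a run of AVPs (e.g. grouped-AVP data) into {(vendor_id, code): data}."""
    out, pos = {}, 0
    while pos < len(data):
        code, flags = struct.unpack_from("!IB", data, pos)
        length = int.from_bytes(data[pos + 5:pos + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        vendor = struct.unpack_from("!I", data, pos + 8)[0] if flags & FLAG_V else 0
        if length < hdr or pos + length > len(data):
            raise ValueError("malformed AVP length")
        out[(vendor, code)] = data[pos + hdr:pos + length]
        pos += length + ((-length) % 4)       # skip padding to the 32-bit boundary
    return out


def parse_msa(msa_avp):
    """Decode an encoded Master-Security-Association AVP into its three members."""
    inner = decode_avps(decode_avps(msa_avp)[(VENDOR_ID, CODE_MSA)])
    u32 = lambda b: None if b is None else struct.unpack("!I", b)[0]
    return {"Key": inner[(VENDOR_ID, CODE_KEY)],
            "MSA-Lifetime": u32(inner.get((VENDOR_ID, CODE_MSA_LIFETIME))),
            "MSA-SPI": u32(inner.get((VENDOR_ID, CODE_MSA_SPI)))}


def usable_key(msa_avp, received_at, now):
    """Return the RIPA-IKEv2-Key, or None once MSA-Lifetime seconds have elapsed
    since the answer carrying it was received (9.2.1.2). No lifetime: no expiry."""
    msa = parse_msa(msa_avp)
    if msa["MSA-Lifetime"] is not None and now - received_at >= msa["MSA-Lifetime"]:
        return None
    return msa["Key"]
```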

42



9.2.2 Session-Key-Nonces

The IKEv2-Nonces AVP (Code TBD/TBD) is of type Grouped and contains the nonces exchanged between the MS and the HA during the IKEv2 initial exchange and used for RIPA-IKEv2-Key generation (see [31]).

9.2.2.1 Ni

The Ni AVP (Code TBD/TBD) is of type Unsigned32 and contains the IKEv2 initiator nonce.

9.2.2.2 Nr

The Nr AVP (Code TBD/TBD) is of type Unsigned32 and contains the IKEv2 responder nonce.






9.2.3 RIPA-Info

The RIPA-Info AVP (Code 5535/53) is of type Grouped and contains the SeGW IP address and FEID exchanged between the SeGW and the HAAA during RIPA authentication and authorization.

RIPA-Info ::=
  * { FEID }
    [ SeGW-IP-Address ]
  * [ AVP ]

11

9.2.3.1 FEID

FEID AVP (Code 5535/54) is of type Unsigned64 and contains the FEIDs of the FAP(s) that are accessible to the MS through the Remote IP Access service.

9.2.3.2 SeGW-IP-Address

SeGW-IP-Address AVP (Code 5535/55) is of type IPv4 or IPv6 address and contains the IPv4 or IPv6 address of the SeGW that is currently serving the FAP(s) accessible to the MS through Remote IP Access.

23

24

9.3 Experimental Result-Code AVP Values

This section defines new result code values that shall be supported by all Diameter implementations that conform to this document. When one of the result codes specified here is included in a response, it shall be inside an Experimental-Result AVP and the Result-Code AVP shall be absent.

9.3.1 Permanent Failures

Errors that fall within the Permanent Failures category are used to inform the peer that the request failed, and should not be attempted again. The following Diameter Experimental Result Codes are 3GPP2 specific.

DIAMETER_ERROR_USER_NO_FAP_SUBSCRIPTION (5003)

A command was received for a FAP with no FAP subscription.






A Annex - Call Flow Examples (Informative)

A.1 Femtocell Network Connectivity Call Flow

A.1.1 Femtocell Network Connectivity Call Flow without Redirection

Figure 6 shows the femtocell network connectivity call flow without redirection for 1x FAP, HRPD FAP, or HRPD and 1x Hybrid FAP unless noted in the step descriptions.

11

12

[Figure 6 (diagram): entities FAP, Public DNS Server, S-SeGW, DNS Server, Femto-AAA, S-FMS, CSCF/FCS. Message sequence:
1. Femto powers up and initiates neighborhood discovery; neighborhood discovery should be completed prior to step 4
2. DNS Query (S-SeGW)
3. Establish Tunnel / Femto-AAA Authorization
4. FAP determines its location related information
5. DNS Query (FMS)
6. TR-069 CWMP Session Establishment
7. FMS verifies FAP's location
8. TR-069: Auto-configuration with Serving FMS. FMS configures FAP with the femto operational information
9. cdma1x FAP connects to CSCF and performs SIP registration; CSCF registers FAP with MFIF
10. FAP is now configured and registered with the operator's network; FAP is now ready to serve MS/AT]

Figure 6 Femtocell Network Connectivity Call Flow without Redirection

1. The FAP performs neighborhood discovery as specified in [1]. This step may include the position location determination, for example, using GPS and/or macro system overhead information. The FAP also reads the system parameter messages of the strongest neighboring macro cell to obtain the system information such as SID, NID, Subnet ID etc.

2. After obtaining an IP address from the local/private network, the FAP performs SeGW discovery through the public DNS server.

3. The FAP establishes an IPsec tunnel with the SeGW discovered in step 2. In this step, FAP subscription authorization is also performed. Refer to sections 3.2 and 3.3.

4. The FAP determines its location related information. How the FAP determines its location related information is outside of the scope of this document.

5. The FAP performs FMS discovery through the established IPsec tunnel.

6. The FAP and FMS establish a TR-069 CWMP session.

7. The FAP connects with the FMS and provides its location information to the FMS, and the FMS verifies the geo-location for the FAP.

8. The FMS performs FAP provisioning and configuration. The FAP sends its neighborhood information during the auto-configuration stage. The FAP is configured with the femtocell parameters and identities and the IP addresses of the network elements as specified in section 3.

9. The FAP performs SIP registration with the CSCF. The CSCF performs third party registration of the FAP with the FCS. This step only applies to 1x FAP or 1x/HRPD Hybrid FAP.

10. The FAP has now completed the network connectivity procedure and is ready to serve the MS.

A.1.2 Femtocell Network Connectivity Call Flow with Redirection to Serving System

Figure 7 shows the FAP network connectivity call flow with FMS redirection for 1x FAP, HRPD FAP, or HRPD and 1x Hybrid FAP unless noted in the step descriptions.






[Figure 7 (diagram): entities FAP, Local DNS Server, D-SeGW, Femto-AAA, D-FMS. Message sequence:
1. DNS Query (Default SeGW)
2. Establish Tunnel / Authorization
3. FAP determines its location related information
4. DNS Query (Default FMS)
5. TR-069 CWMP Session Establishment
6. TR-069 Inform Request (Location information, FAP identity)
7. TR-069 Inform Response
8. TR-069 SetParameterValues (serving SeGW, serving FMS)
9. TR-069 SetParameterResponse
10. TR-069 CWMP Session Termination
11. Destroy Secure Connection
12. FAP registers with the serving system]

Figure 7 Femtocell Network Connectivity with Redirection

1. After obtaining an IP address from the local/private network, the FAP performs FSGW discovery through the local DNS server.

2. The FAP establishes an IPsec tunnel with the FSGW discovered in step 1. In this step, FAP subscription authorization is also performed.

3. The FAP determines its location related information. How the FAP determines its location related information is outside of the scope of this document.




4. The FAP performs FMS discovery through the established IPsec tunnel.

5. The FAP and the default FMS establish a TR-069 CWMP Session.

6. The FAP sends to the FMS an Inform Request containing location parameters, FAP identity, etc.

7. The FMS returns an Inform Response to accept the FAP location information.

8. The FMS then prepares the local access information (including serving Security Gateway and serving FMS) and sets the values on the FAP using the SetParameterValues message.

9. The FAP acknowledges the update by returning a SetParameterValues Response message.

10. The FAP releases the TR-069 CWMP Session between the FAP and the default FMS.

11. The IPsec tunnel between the FAP and the default SeGW is terminated.

12. The FAP then registers with the serving system using the provisioned identity of the serving SeGW and the serving FMS. Refer to appendix A.1.1.

A.2 SeGW Discovery

Figure 8 shows SeGW Discovery if the IP address of the SeGW is unknown to the FAP.

[Figure 8 (diagram): entities AT, FAP, Public DNS Server. Message sequence:
1. DNS Query (FQDN)
2. DNS Answer (SeGW's IP Address)]

Figure 8 SeGW Discovery

1. The FAP sends a DNS query to the DNS Server including the FQDN of the SeGW, which is preconfigured in the FAP or is built by the FAP as specified in section 3.2.1.

2. The DNS server responds with a DNS answer including the SeGW's IP address.

A.3 FAP-SeGW IPsec Tunnel Establishment

Figure 9 shows FAP-SeGW IPsec tunnel establishment. In the call flow, as an example, a CHILD_SA pair is created.






[Figure 9 (diagram): entities FAP, SeGW, Femto AAA. Message sequence:
1. Pre-configure FAP device cert & (optionally) trusted server CA certs (for SeGW auth) / Pre-configured SeGW server cert and trusted FAP device CA certs (for FAP auth)
2. IKE_SA_INIT Request (HDR, SA, KE, Ni)
3. IKE_SA_INIT Response (HDR, SA, KE, Nr, CERTREQ)
4. IKE_AUTH Request (HDR, SK{IDi(FEID), CERT(FEID), CERTREQ, AUTH, SA, TSi, TSr})
5. Verify FAP cert & AUTH signature; verify IDi matches cert identity
6. AAA Request (FEID)
7. AAA Response (Authorization info)
8. IKE_AUTH Response (HDR, SK{IDr(FQDN of FGW), CERT(SeGW), AUTH})
9. Verify SeGW cert & AUTH signature; verify discovered GW ID (FQDN) matches the identity in the server cert (e.g. dNSName.SubjectAltName)
IKE_SA and the first CHILD_SA are established
10. CREATE_CHILD_SA Request (HDR, SK {SA, Ni, [KEi], [TSi, TSr]})
11. CREATE_CHILD_SA Response (HDR, SK {SA, Nr, [KEr], [TSi, TSr]})
IPsec tunnel is established with 1st Child SA and 2nd Child SA]

Figure 9 IPsec Tunnel Establishment

1. The FAP is assigned a device certificate during its manufacturing. The FAP device certificate is signed by a Certificate Authority (device certificate CA) trusted by the cdma2000 operator. The private key for the certificate is stored securely at the FAP. Similarly, the SeGW is assigned a server certificate. The private key of the SeGW server certificate is stored securely at the SeGW. The SeGW is also configured with the list of the root certificates corresponding to the trusted device certificate CAs. The FAP may also be configured with the list of root CA certificates corresponding to the server certificates that the FAP will accept for the SeGW.

2. The FAP initiates the IKEv2 exchange with the SeGW, known as the IKE_SA_INIT exchange, by issuing an IKE_SA_INIT Request to negotiate cryptographic algorithms, exchange nonces and perform a Diffie-Hellman exchange with the SeGW. In addition, using the NAT Traversal procedures outlined in section 2.23 of [10], the initiator includes NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to negotiate support for UDP encapsulation.

3. The SeGW responds with an IKE_SA_INIT Response by choosing a cryptographic suite from the initiator's offered choices, completing the Diffie-Hellman and nonce exchange with the FAP. In addition, the SeGW includes the list of FAP CA certificates that it will accept in its CERTREQ payload. For successful FAP authentication, the CERTREQ payload has to contain at least one CA certificate that is in the trust chain of the FAP device certificate. At this point in the negotiation, the IKE_SA_INIT exchange is complete and all but the headers of all the messages that follow are encrypted and integrity protected.

4. The FAP initiates the IKE_AUTH exchange with the SeGW by setting the IDi payload to the FEID, the CERT payload to the FAP device certificate corresponding to the FEID and the AUTH payload to the signature of the previous IKE_SA_INIT Request message (in step 2) generated using the private key of the FAP device certificate. The authentication algorithm used to generate the AUTH payload is also included in the AUTH payload. The FAP also includes the CERTREQ payload, which contains the list of CA certificates for SeGW (server) authentication. For successful SeGW authentication, the CERTREQ payload has to contain at least one CA certificate that is in the trust chain of the SeGW server certificate.

5. Using the CA certificate corresponding to the FAP device certificate, the SeGW first verifies that the FAP device certificate in the CERT payload has not been modified and that the identity included in the IDi corresponds to the identity in the FAP device certificate. If the verification is successful, using the public key of the FAP device certificate, the SeGW generates the expected AUTH payload and compares it with the received AUTH payload. If they match, then the authentication of the FAP is successful. Otherwise, the SeGW sends an IKEv2 Notification message indicating authentication failure.

6. If the network policy requires femtocell subscription authorization, the SeGW contacts the Femtocell AAA to verify that the FAP identified by the FEID is authorized to provide service.

7. The Femtocell AAA responds with the authorization result. If the authorization is not successful, the SeGW sends an IKEv2 Notification message indicating authorization failure. Otherwise, the SeGW proceeds with server authentication.

8. The SeGW responds with the IKE_AUTH Response by setting the IDr payload to the FQDN of the SeGW, the CERT payload to the SeGW server certificate corresponding to the FQDN and the AUTH payload to the signature of the IKE_SA_INIT Response message (in step 3) generated using the private key of the SeGW server certificate. The authentication algorithm used to generate the AUTH payload is also included in the AUTH payload.

9. Using the CA certificate corresponding to the SeGW server certificate, the FAP first verifies that the SeGW server certificate in the CERT payload has not been modified and that the identity included in the IDi corresponds to the identity in the server certificate and contains the expected SeGW value as discovered during the SeGW discovery procedures. If the verification is successful, using the public key of the SeGW server certificate, the FAP generates the expected AUTH payload and compares it with the received AUTH payload. If they match, then the SeGW (server) authentication is successful. This completes the IKE_AUTH exchange. An IPsec SA with the first CHILD_SA pair has been established between the FAP and the SeGW. The first CHILD_SA pair is used for best effort traffic, tunnel management (Fx3) and FAP configuration messages.

10. The FAP sends a CREATE_CHILD_SA Request for setting up the 2nd CHILD_SA pair.

11. The SeGW responds with a CREATE_CHILD_SA Response. The 2nd CHILD_SA pair is used for SIP signaling and (HRPD) A11 signaling and/or 1x VoIP and HRPD (A10) VoIP bearer.






A.4 Remote IP Access Call Flows

A.4.1 Redirection Based SeGW Discovery with EAP Authentication

Figure 10 shows a call flow in which the MS discovers the SeGW through the redirection mechanism, and EAP authentication is used for IPsec establishment between the MS and the SeGW. This call flow assumes the MS obtains the SeGW1 IP address through DNS discovery or other ways.

[Figure 10 (diagram): entities MS, SeGW1, Home AAA, Femto AAA, SeGW2. Message sequence:
1. Home AAA: pre-configured FEID(s) corresponding to NAI of the MS for Remote IP Access / Femto AAA: stores SeGW Addr for given FAP
2. IKE_SA_INIT Request (HDR, SAi1, KEi, Ni, N(REDIRECT_SUPPORTED))
3. IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
4. IKE_AUTH Request (HDR, SK{IDi(NAI), CP(CFG_REQUEST), SAi2}); Home AAA verifies NAI has FAP for Remote IP Access
5. EAP Exchanges via IKEv2 (MS to SeGW1); EAP Exchanges via AAA messages (SeGW1 to Home AAA), returning redirected SeGW2_ADDR; Home AAA retrieves SeGW Addr for given FAP from Femto AAA
6. IKE_AUTH Request (HDR, SK{AUTH})
7. Verify AUTH payload corresponds to MSK
8. IKE_AUTH Response (HDR, SK{IDr(SeGW1_ADDR), AUTH, N[REDIRECT, SeGW2_ADDR]})
9. Verify AUTH payload corresponds to MSK
10. Send IKE_SA_INIT Request to redirected SeGW2]

Figure 10 Redirection Based SeGW Discovery with EAP Authentication

1. The Home AAA is preconfigured with the FAP(s) associated with the NAI of the MS for Remote IP Access service (RIPA). The Femtocell AAA stores the SeGW IP address for a given FAP when the FAP establishes the IPsec tunnel with the SeGW.

2. The MS obtains the SeGW1 IP address through DNS discovery or other ways (not shown in this figure). The MS sends the initial IKE_SA_INIT request to SeGW1 to negotiate the security parameters for the IKEv2 SA. The MS indicates that redirection is supported.

3. SeGW1 responds with an IKE_SA_INIT response to complete the initial Diffie-Hellman key exchange.

4. The MS sends an IKE_AUTH request including the NAI, but without the AUTH payload, indicating that it wants to use an EAP exchange. The MS requests a dynamically assigned address at the remote FAP's local network by including an INTERNAL_IP4_ADDRESS or an INTERNAL_IP6_ADDRESS attribute (length set to 0) in the CFG_REQUEST payload of the IKE_AUTH message. The MS also includes the IDi and SAi payloads to identify itself and request RIPA service and to negotiate the IPsec SA, respectively. The IKE_AUTH exchange is encrypted and integrity protected by the IKE SA established during the IKE_SA_INIT exchange.

5. EAP messages are exchanged, via SeGW1, between the MS and the HAAA for mutual authentication. Between the MS and SeGW1, the EAP messages are transported in IKE_AUTH messages [10]. Between the HA and the HAAA, the EAP messages are transported in AAA messages. The Home AAA verifies that the MS has associated FAP(s) for RIPA service. The Home AAA retrieves the correct SeGW address (SeGW2_ADDR) from the Femtocell AAA that is serving the FAP associated with the MS, and returns this address (SeGW2_ADDR) to SeGW1. Both the MS and the HAAA derive the Master Session Key during EAP authentication. The HAAA sends the MSK to SeGW1.

6. Upon successful EAP authentication, the MS sends the IKE_AUTH message that includes the AUTH payload. The AUTH payload is computed by the MS based on the MSK that was generated from the EAP authentication.

7. SeGW1 verifies the AUTH payload.

8. SeGW1 sends the IKE_AUTH response message that includes the AUTH payload computed using the MSK. SeGW1 also includes the redirect address of SeGW2 in the IKE_AUTH message.

9. The MS verifies the AUTH payload.

10. The MS sends a new IKE_INIT_SA request to the redirected SeGW2.

A.4.2 Redirection Based SeGW Discovery with IKEv2 PSK Authentication

Figure 11 shows a call flow for the MS discovering the SeGW through the redirection mechanism, in which IKEv2 PSK authentication is used for IPsec establishment between the MS and the SeGW. This call flow assumes the MS obtains the SeGW1 IP address through DNS discovery or other ways.

[Figure 11 (diagram): entities MS, SeGW1, Home AAA, Femto AAA, SeGW2. Message sequence:
1. Pre-configure MS with Shared Secret / Pre-configured Home AAA with Shared Secret with MS, and FEID(s) corresponding to NAI of the MS / Femto AAA stores SeGW Addr for a given FAP
2. IKE_SA_INIT Request (HDR, SAi1, KEi, Ni, N(REDIRECT_SUPPORTED))
3. IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
4. Derive RIPA-IKEv2-Key (MS)
5. IKE_AUTH Request (HDR, SK{IDi(NAI), AUTH, CP(CFG_REQUEST), SAi2, [TSi, TSr]})
6. AAA Access Request (NAI) (SeGW1 to Home AAA)
7. Verify NAI has associated FAP (FEID) for RIPA; derive IKEv2 PSK (RIPA-IKEv2-Key) (Home AAA)
8. Retrieve SeGW Addr (SeGW2_ADDR) for given FAP (Home AAA from Femto AAA)
9. AAA Response (RIPA-IKEv2-Key, SeGW2_ADDR)
10. Verify MS AUTH payload; verify IDi matches signature using PSK (SeGW1)
11. IKE_AUTH Response (HDR, SK{IDr(SeGW1_ADDR), AUTH, N[REDIRECT, SeGW2_ADDR]})
12. Verify AUTH payload matches IDr (MS)
13. Send IKE_SA_INIT Request to redirected SeGW2_ADDR]

Figure 11 Redirection Based SeGW Discovery with IKEv2 PSK Authentication




1. The Home AAA is preconfigured with the FAP(s) associated with the NAI of the MS for Remote IP Access service (RIPA). The MS and the Home AAA are configured with a pre-shared secret for PSK derivation. The Femtocell AAA stores the SeGW IP address for a given FAP when the FAP establishes the IPsec tunnel with the SeGW.

2. The MS sends the initial IKE_SA_INIT request to SeGW1 to negotiate the security parameters for the IKEv2 SA. The MS indicates that redirection is supported.

3. SeGW1 responds with an IKE_SA_INIT response to complete the initial Diffie-Hellman key exchange.

4. The MS derives the PSK (RIPA-IKEv2-Key) according to section 6.3.1.

5. The MS sends an IKE_AUTH request, including the NAI for Remote IP Access and the AUTH payload. The AUTH payload includes the signature of the IKE_SA_INIT message in step 2 signed using the RIPA-IKEv2-Key.

6. SeGW1 sends an AAA access request message to the Home AAA, including the MS's NAI for RIPA.

7. The Home AAA verifies that the given NAI has associated FAP(s) for RIPA service, and derives the RIPA-IKEv2-Key for the given NAI.

8. The Home AAA retrieves the correct SeGW address (SeGW2_ADDR) from the Femtocell AAA that is serving the FAP associated with the MS.

9. The Home AAA returns the derived RIPA-IKEv2-Key and the redirection address SeGW2_ADDR to SeGW1.

10. SeGW1 verifies the AUTH payload using the received RIPA-IKEv2-Key.

11. SeGW1 sends the IKE_AUTH response message that includes an AUTH payload and the redirection address SeGW2_ADDR. The AUTH payload contains a signature of the message in step 3 signed using the RIPA-IKEv2-Key.

12. The MS verifies the AUTH payload.

13. The MS sends a new IKE_INIT_SA request to the redirected SeGW2.
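The exchange in steps 1 to 13 above, as an added example that is not part of X.S0059-100-0, with SeGW1, the Home AAA and the Femtocell AAA as in-process objects. Two parts are stand-ins and are labelled as such: the RIPA-IKEv2-Key derivation (section 6.3.1 is not on this page) and the AUTH construction (RFC 7296 section 2.15 defines the real signed octets); NAIs, FEIDs, addresses and the shared secret are constructed sample data.

```python
# Added example (not part of X.S0059-100-0): the A.4.2 exchange as runnable
# Python. The key derivation and the AUTH construction are simplified stand-ins
# (see the comments); all names, addresses and secrets are constructed.
import hashlib
import hmac
import secrets

DIAMETER_ERROR_USER_NO_FAP_SUBSCRIPTION = 5003   # section 9.3.1
DIAMETER_SUCCESS = 2001


def derive_ripa_ikev2_key(shared_secret, ni, nr):
    """Stand-in for section 6.3.1: key bound to both nonces (Session-Key-Nonces)."""
    return hmac.new(shared_secret, b"RIPA-IKEv2-Key" + ni + nr, hashlib.sha256).digest()


def auth_payload(key, ike_sa_init_message, peer_nonce):
    """Simplified AUTH: keyed MAC over the IKE_SA_INIT message being signed and the
    peer's nonce (the shape of RFC 7296 2.15 shared-key AUTH, not its exact octets)."""
    return hmac.new(key, ike_sa_init_message + peer_nonce, hashlib.sha256).digest()


class HomeAAA:
    """Step 1: shared secret and FEID(s) per NAI. Steps 6-9: IKEPSKR handling."""
    def __init__(self, subscribers, femto_aaa):
        self.subscribers = subscribers        # NAI -> (shared secret, [FEID])
        self.femto_aaa = femto_aaa            # Femtocell AAA: FEID -> serving SeGW addr

    def ikev2_psk_request(self, nai, ni, nr):
        sub = self.subscribers.get(nai)
        if sub is None or not sub[1]:         # step 7: NAI has no FAP for RIPA
            return {"Experimental-Result": DIAMETER_ERROR_USER_NO_FAP_SUBSCRIPTION}
        secret, feids = sub
        return {                              # step 9: key plus redirection info
            "Result-Code": DIAMETER_SUCCESS,
            "Master-Security-Association": {"Key": derive_ripa_ikev2_key(secret, ni, nr)},
            "RIPA-Info": {"FEID": feids,      # step 8: SeGW2_ADDR from the Femto AAA
                          "SeGW-IP-Address": self.femto_aaa[feids[0]]},
        }


class SeGW:
    def __init__(self, addr, haaa):
        self.addr, self.haaa = addr, haaa

    def ike_auth(self, nai, ni, nr, sa_init_req, sa_init_resp, ms_auth):
        """Steps 6-11. Returns the IKE_AUTH response, or None when the MS is rejected."""
        ans = self.haaa.ikev2_psk_request(nai, ni, nr)
        if "Master-Security-Association" not in ans:
            return None                        # authorization failure: no key, reject
        key = ans["Master-Security-Association"]["Key"]
        expected = auth_payload(key, sa_init_req, nr)           # step 10
        if not hmac.compare_digest(expected, ms_auth):
            return None
        return {"IDr": self.addr,                                # step 11
                "AUTH": auth_payload(key, sa_init_resp, ni),
                "REDIRECT": ans["RIPA-Info"]["SeGW-IP-Address"]}


def ms_redirection_flow(nai, shared_secret, segw1):
    """Steps 2-5 and 12-13 on the MS side. Returns SeGW2_ADDR, or None on failure."""
    ni = secrets.token_bytes(16)
    sa_init_req = b"HDR,SAi1,KEi," + ni + b",N(REDIRECT_SUPPORTED)"  # step 2 (constructed)
    nr = secrets.token_bytes(16)
    sa_init_resp = b"HDR,SAr1,KEr," + nr                              # step 3 (constructed)
    key = derive_ripa_ikev2_key(shared_secret, ni, nr)                # step 4
    resp = segw1.ike_auth(nai, ni, nr, sa_init_req, sa_init_resp,
                          auth_payload(key, sa_init_req, nr))         # step 5
    if resp is None:
        return None
    if not hmac.compare_digest(auth_payload(key, sa_init_resp, ni), resp["AUTH"]):
        return None                                                   # step 12 failed
    return resp["REDIRECT"]                                           # step 13 target


# Constructed sample deployment: one subscriber, one FAP, one serving SeGW2
SECRET = b"constructed-shared-secret"
HAAA = HomeAAA({"alice@home.example.net": (SECRET, [0x0011223344556677])},
               {0x0011223344556677: "198.51.100.20"})   # FEID -> SeGW2_ADDR
SEGW1 = SeGW("192.0.2.10", HAAA)
```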

A.4.3 Tunnel Establishment for Remote IP Address with EAP Authentication

Figure 12 shows a call flow in which the MS establishes the IPsec tunnel with the correct SeGW that is serving the corresponding FAP. In this call flow, EAP authentication is used for IPsec establishment between the MS and the SeGW. This call flow assumes the MS obtains the SeGW IP address through DNS discovery, the redirection mechanism or other ways.




[Figure 12 (diagram): entities MS, SeGW, Home AAA, Femto AAA, FAP. Message sequence:
1. Home AAA: pre-configured with FEID(s) corresponding to NAI of the MS for RIPA / Femto AAA: stores SeGW Addr for given FAP(s)
2. IKE_SA_INIT Request (HDR, SAi1, KEi, Ni, N(REDIRECT_SUPPORTED))
3. IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
4. IKE_AUTH Request (HDR, SK{IDi(NAI), AUTH, CP(CFG_REQUEST), SAi2, [TSi, TSr]})
5. EAP Exchanges via IKEv2 (MS to SeGW); EAP Exchanges via AAA messages (SeGW to Home AAA), HAAA verifies NAI has FAP for RIPA; Home AAA retrieves SeGW Addr for given FAP from Femto AAA
6. IKE_AUTH Request (HDR, SK{AUTH})
7. Verify AUTH payload using MSK (SeGW)
8. CREATE_CHILD_SA Request (HDR, SK {SAi, Ni, [KEi], [TSi, TSr]}) (SeGW to FAP)
9. CREATE_CHILD_SA Response (HDR, SK {SAr, Nr, [KEr], [TSi, TSr]}); the CHILD_SA for RIPA between SeGW and FAP is established
10. DHCP request and response to assign an address (Assigned_ADDR) at FAP's local network using the second child SA
11. IKE_AUTH Response (HDR, SK{IDr(SeGW_ADDR), AUTH, CP(CFG_REPLY/Assigned_ADDR), SAr2, [TSi, TSr]})
12. Verify AUTH payload using EAP MSK (MS)
IPsec tunnel is established with 1st Child SA]

Figure 12 Tunnel Establishment for Remote IP Access with EAP Authentication

1. The Home AAA is preconfigured with the FAP(s) associated with the NAI of the MS for Remote IP Access service (RIPA). The Femtocell AAA stores the SeGW IP address for a given FAP when the FAP establishes the IPsec tunnel with the SeGW.

2. The MS sends the initial IKE_SA_INIT request to SeGW1 to negotiate the security parameters for the IKEv2 SA.

3. SeGW1 responds with an IKE_SA_INIT response to complete the initial Diffie-Hellman key exchange.

4. The MS sends an IKE_AUTH request, including the NAI, but without the AUTH payload, indicating that it wants to use an EAP exchange. The MS requests a dynamically assigned address at the remote FAP's local network by including an INTERNAL_IP4_ADDRESS or an INTERNAL_IP6_ADDRESS attribute (length set to 0) in the CFG_REQUEST payload of the IKE_AUTH message. The MS also includes the IDi and SAi payloads to identify itself and request RIPA service and to negotiate the IPsec SA, respectively. The IKE_AUTH exchange is encrypted and integrity protected by the IKE SA established during the IKE_SA_INIT exchange.

5. EAP messages are exchanged, via the SeGW, between the MS and the HAAA for mutual authentication. Between the MS and the SeGW, the EAP messages are transported in IKE_AUTH messages [10]. Between the HA and the HAAA, the EAP messages are transported in AAA messages. The Home AAA verifies that the MS has associated FAP(s) for RIPA service. The Home AAA also returns the correct SeGW address for the RIPA service for the MS to the requesting SeGW, and the SeGW knows that it is the correct SeGW to serve the MS (otherwise, see the redirection based SeGW discovery call flow). Both the MS and the HAAA derive the Master Session Key during EAP authentication. The HAAA sends the MSK to the SeGW.

5

6. Upon successful EAP authentication, the MS sends the IKE_AUTH message that includes the AUTH payload. The AUTH payload is computed based on the MSK that was obtained from the EAP key exchange.

7. The SeGW verifies the AUTH payload using the MSK.

8. Upon successful authentication of the MS, the SeGW selects the existing IKE SA with the FAP associated with the MS, and sends a CREATE_CHILD_SA using the existing SA, including a new nonce Ni.

9. The FAP sends a CREATE_CHILD_SA response with a new nonce Nr. The new CHILD_SA keys are derived by the FAP and the SeGW, and the new CHILD_SA pair between the FAP and the SeGW is established.

10. On behalf of the MS, the SeGW sends a DHCP request for an internal address at the FAP's local network. The FAP returns an assigned internal IP address (either assigned by itself or by a local DHCP server) via a DHCP message.

11. The SeGW sends an IKE_AUTH response including an AUTH payload and a CFG_REPLY payload. The AUTH payload contains the SeGW's credential generated using the MSK. The CFG_REPLY payload contains the assigned internal IP address at the FAP's local network.

12. The MS verifies the AUTH payload using the MSK (derived during EAP authentication). The MS receives the assigned internal IP address. The IPsec tunnel between the MS and the SeGW is established.

A.4.4 Tunnel Establishment for Remote IP Access with IKEv2 PSK Authentication

Figure 13 shows a call flow in which the MS establishes the IPsec tunnel with the correct SeGW, that is, the SeGW serving the corresponding FAP. In this call flow, IKEv2 PSK authentication is used for IPsec establishment between the MS and the SeGW. This call flow assumes the MS obtains the SeGW IP address through DNS discovery, the redirection mechanism or other means.




Figure 13 (call flow recovered from the extracted diagram text; participants: MS, SeGW, FAP, Femto AAA, Home AAA):

1. Pre-configuration: the MS holds the Shared Secret; the Home AAA holds the Shared Secret with the MS and the FEID(s) corresponding to the NAI of the MS; the Femto AAA stores the SeGW address for the given FAP(s).

2. MS -> SeGW: IKE_SA_INIT Request (HDR, SAi1, KEi, Ni, N(REDIRECT_SUPPORTED))

3. SeGW -> MS: IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)

4. MS: Derive RIPA-IKEv2-Key

5. MS -> SeGW: IKE_AUTH Request (HDR, SK{IDi(NAI), AUTH, CP(CFG_REQUEST), SAi2, [TSi, TSr]})

6. SeGW -> Home AAA: AAA Access Request (NAI)

7. Home AAA: verify NAI has associated FAP (FEID) for RIPA; derive IKEv2 PSK (RIPA-IKEv2-Key)

8. Home AAA: retrieve SeGW address for the FAP

9. Home AAA -> SeGW: AAA Response (RIPA-IKEv2-Key, SeGW address)

10. SeGW: verify MS AUTH payload signature matches IDi

11. SeGW -> FAP: CREATE_CHILD_SA Request (HDR, SK{SAi, Ni, [KEi], [TSi, TSr]})

12. FAP -> SeGW: CREATE_CHILD_SA Response (HDR, SK{SAr, Nr, [KEr], [TSi, TSr]}). The Child SA for RIPA between SeGW and FAP is established.

13. SeGW <-> FAP: DHCP request and response to assign an address (Assigned_ADDR) at the FAP's local network using the second child SA.

14. SeGW -> MS: IKE_AUTH Response (HDR, SK{IDr(SeGW_ADDR), AUTH, CP(CFG_REPLY/Assigned_ADDR), SAr2, [TSi, TSr]})

15. MS: verify AUTH payload matches IDr. IPsec tunnel is established with 1st Child SA.

Figure 13 Tunnel Establishment for Remote IP Access with IKEv2 PSK Authentication

1. The Home AAA is preconfigured with the FAP(s) associated with the NAI of the MS for Remote IP Access service (RIPA). The MS and the Home AAA are configured with a pre-shared secret for PSK derivation. The Femtocell AAA stores the SeGW IP address for a given FAP when the FAP establishes the IPsec tunnel with the SeGW.

2. The MS sends the initial IKE_SA_INIT request to SeGW1 to negotiate the security parameters for the IKEv2 SA.

3. The SeGW responds with an IKE_SA_INIT response to complete the initial Diffie-Hellman key exchange.

4. The MS derives the PSK (RIPA-IKEv2-Key) according to section 6.3.1.

5. The MS sends an IKE_AUTH request, including the NAI for Remote IP Access and the AUTH payload. The AUTH payload includes the signature of the IKE_SA_INIT message in step 2, signed using the RIPA-IKEv2-Key.

6. The SeGW sends an AAA access request message to the Home AAA, including the MS's NAI for RIPA.

7. The Home AAA verifies that the given NAI has associated FAP(s) for RIPA service, and derives the RIPA-IKEv2-Key for the given NAI.


8. The Home AAA retrieves the correct SeGW address that is serving the FAP associated with the MS.

9. The Home AAA returns the derived RIPA-IKEv2-Key and the correct SeGW address to the requesting SeGW using AAA messages. The SeGW should know that it is the correct SeGW to serve the MS and the associated FAP (otherwise, see the redirection based SeGW discovery call flow).

10. The SeGW verifies the AUTH payload in the IKE_AUTH message received in step 5 using the received RIPA-IKEv2-Key.

11. Upon successful authentication of the MS, the SeGW selects the existing IKE SA with the FAP associated with the MS, and sends a CREATE_CHILD_SA using the existing SA, including a new nonce Ni.

12. The FAP sends a CREATE_CHILD_SA response with a new nonce Nr. The new CHILD_SA keys are derived by the FAP and the SeGW, and the new CHILD_SA pair between the FAP and the SeGW is established.

13. On behalf of the MS, the SeGW sends a DHCP request for an internal address at the FAP's local network. The FAP returns an assigned internal IP address (either assigned by itself or by a local DHCP server) via a DHCP message.

14. The SeGW sends an IKE_AUTH response including an AUTH payload and a CFG_REPLY payload. The AUTH payload contains a signature on the IKE_SA_INIT response message in step 3, generated using the RIPA-IKEv2-Key. The CFG_REPLY payload contains the assigned internal IP address at the FAP's local network.

15. The MS verifies the AUTH payload using the RIPA-IKEv2-Key. The MS receives the assigned internal IP address. Upon successful verification of the AUTH payload, the IPsec tunnel between the MS and the SeGW is established.
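Worked example, added here and not part of X.S0059 or of any implementation it references: the IKEv2 shared-secret AUTH computation of RFC 7296 section 2.15 applied to steps 4, 5, 10, 14 and 15 above (the A.4.3 EAP flow, steps 6, 7, 11 and 12, uses the same computation with the EAP MSK as the shared key, per RFC 7296 section 2.16). The PRF is assumed to be HMAC-SHA-256; the RIPA-IKEv2-Key derivation of section 6.3.1 is not on this page, so a labelled placeholder HMAC stands in for it, and all message bytes, nonces, SK_p values and identities are constructed sample values.

```python
import hmac
import hashlib

# Added example, not from X.S0059: RFC 7296 section 2.15 shared-secret AUTH
# for the A.4.4 PSK call flow. PRF assumed to be HMAC-SHA-256.
KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string from RFC 7296


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_ripa_key(shared_secret: bytes, nai: bytes) -> bytes:
    # Placeholder for the section 6.3.1 derivation (not on this page):
    # both the MS (step 4) and the Home AAA (step 7) run the same function.
    return prf(shared_secret, b"RIPA-IKEv2-Key|" + nai)


def signed_octets(own_init_msg: bytes, peer_nonce: bytes, sk_p: bytes, id_body: bytes) -> bytes:
    # RFC 7296 2.15: RealMessage | peer NonceData | prf(SK_p, ID payload body)
    return own_init_msg + peer_nonce + prf(sk_p, id_body)


def psk_auth(shared_key: bytes, octets: bytes) -> bytes:
    # AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
    return prf(prf(shared_key, KEY_PAD), octets)


def run_flow() -> tuple:
    # Constructed sample values (real IKE messages, nonces and SK_p are longer).
    shared_secret = b"ms-home-aaa-shared-secret"
    nai = b"ms@ripa.example.net"                       # IDi(NAI)
    msg1 = b"IKE_SA_INIT-request-as-sent-in-step-2"
    msg2 = b"IKE_SA_INIT-response-as-sent-in-step-3"
    ni, nr = b"nonce-initiator", b"nonce-responder"
    sk_pi, sk_pr = b"SK_pi-from-SKEYSEED", b"SK_pr-from-SKEYSEED"
    idr = b"segw.example.net"                          # IDr(SeGW_ADDR)
    # Steps 4-5: MS derives RIPA-IKEv2-Key and signs its own IKE_SA_INIT request.
    ms_key = derive_ripa_key(shared_secret, nai)
    auth_i = psk_auth(ms_key, signed_octets(msg1, nr, sk_pi, nai))
    # Steps 7-10: Home AAA derives the same key; SeGW verifies with it (constant-time).
    segw_key = derive_ripa_key(shared_secret, nai)
    expect_i = psk_auth(segw_key, signed_octets(msg1, nr, sk_pi, nai))
    segw_ok = hmac.compare_digest(auth_i, expect_i)
    # Steps 14-15: SeGW signs its IKE_SA_INIT response; MS verifies it.
    auth_r = psk_auth(segw_key, signed_octets(msg2, ni, sk_pr, idr))
    ms_ok = hmac.compare_digest(auth_r, psk_auth(ms_key, signed_octets(msg2, ni, sk_pr, idr)))
    # Any change to the covered IKE_SA_INIT bytes (e.g. a modified SAi1) breaks AUTH.
    tampered = psk_auth(segw_key, signed_octets(msg1 + b"x", nr, sk_pi, nai))
    return segw_ok, ms_ok, not hmac.compare_digest(auth_i, tampered)
```

Because the whole IKE_SA_INIT message is covered by AUTH, a peer cannot silently alter the negotiated proposals or nonces without the verification in steps 10 and 15 failing.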

