7.2.1 Initial Attach with PMIPv6 on S2b
23.4023GPPArchitecture enhancements for non-3GPP accessesRelease 18TS
This clause is related to the case when the UE powers-on in an untrusted non-3GPP IP access network via the PMIP based S2b interface.
PMIPv6 specification, RFC 5213 [8], is used to setup a PMIPv6 tunnel between the ePDG and the PDN GW. It is assumed that MAG is collocated with ePDG. The IPsec tunnel between the UE and the ePDG provides a virtual point-to-point link between the UE and the MAG functionality on the ePDG.
Figure 7.2.1-1: Initial attachment over PMIP based S2b for roaming, non-roaming and LBO
NOTE 1: For GTP based S2b, procedure steps (A) to (E) are defined in clause 7.2.4.
NOTE 2: Before the UE initiates the setup of an IPsec tunnel with the ePDG it configures an IP address from an untrusted non-3GPP IP access network. This address is used for sending all IKEv2, RFC 5996 [9] messages and as the source address on the outer header of the IPsec tunnel.
The home routed roaming (Figure 4.2.3-1), LBO (Figure 4.2.3-4) and non-roaming (Figure 4.2.2-1) scenarios are depicted in the figure.
– In the LBO case, the 3GPP AAA Proxy acts as an intermediary, forwarding messages from the 3GPP AAA Server in the HPLMN to the PDN GW in the VPLMN and visa versa. Messages between the PDN GW in the VPLMN and the hPCRF in the HPLMN are forwarded by the vPCRF in the VPLMN.
– In the home routed roaming and non-roaming case, the vPCRF and the 3GPP AAA Proxy are not involved.
If dynamic policy provisioning is not deployed, the optional step 3 does not occur. Instead, the PDN GW may employ static configured policies.
This procedure is also used to establish the first PDN connection over an untrusted non-3GPP access with PMIPv6 on S2b when the UE already has active PDN connections only over a 3GPP access and wishes to establish simultaneous PDN connections to different APNs over multiple accesses.
The UE may be authenticated and authorised to access the Untrusted Non-3GPP Access network with an access network specific procedure. These procedures are outside the scope of 3GPP.
1) The Access authentication procedure between UE and the 3GPP EPC may be performed as defined by TS 33.402 [45]. In the roaming case signalling may be routed via a 3GPP AAA Proxy in the VPLMN. As part of the AAA exchange for network access authentication, the AAA/HSS and/or the 3GPP AAA Proxy may return to the Non-3GPP IP Access a set of home/visited operator’s policies to be enforced on the usage of local IP address, or IPv6 prefix, allocated by the access system upon successful authentication. Subscription data is provided to the Non-3GPP IP Access by the HSS/AAA in this step.
2) The IKEv2 tunnel establishment procedure is started by the UE. The UE may indicate in a notification part of the IKEv2 authentication request that it supports MOBIKE. The ePDG IP address to which the UE needs to form IPsec tunnel is discovered via DNS query as specified in clause 4.5.4. The UE may request connectivity to a specific PDN providing an APN, that is conveyed with IKEv2 as specified in TS 33.402 [45]. For networks supporting multiple mobility protocols, if there was any dynamic IPMS decision involved in this step, the decision is stored in the 3GPP AAA Server. The PDN GW information is returned as part of the reply from the 3GPP AAA Server to the ePDG as described in clause 4.5.1. If the UE has provided an APN the ePDG verifies that it is allowed by subscription. If the UE has not provided an APN the ePDG uses the default APN. The PDN GW selection takes place at this point as described in clause 4.5.1. This may entail an additional name resolution step, issuing a request to a DNS Server. If there is no requested IP address in the CFG_Request from the UE to the ePDG which indicates the attach is an initial attach, the ePDG may perform a new PDN GW selection procedure as described in clause 4.5.1, e.g. to allocate a PDN GW that allows for more efficient routeing. The UE shall indicate the type of address(es) (IPv4 address or IPv6 prefix /address or both) in the CFG_Request sent to the ePDG during IKEv2 message exchange. If the PDN requires an additional authentication and authorisation with an external AAA Server, the UE includes the authentication credentials in this step as specified in RFC 4739 [50] and in TS 33.402 [45]. As part of the IKEv2 tunnel establishment procedure, the ePDG may request the UE to provide its IMEI(SV). In that case the UE shall signal its IMEI(SV) to the ePDG. The ePDG forwards the IMEI(SV) received from the UE to the 3GPP AAA Server (over SWm).
2a) If IMEI check is required by operator policy and if the ePDG is in the HPLMN, the IMEI check shall be performed by the EIR in the home country. The 3GPP AAA server shall request the EIR to perform the IMEI check by sending the ME Identity Check Request (ME Identity, IMSI) to the EIR. Upon receiving the ME Identity Check Ack (Result) from the EIR, the 3GPP AAA server shall determine whether to continue or to stop the authentication and authorization procedure. If the 3GPP AAA server determines that the authentication and authorization procedure shall be stopped, it shall reply to the ePDG with a failure message with appropriate cause value.
2b) If IMEI check is required by operator policy and if the ePDG is in the visited PLMN, the IMEI check shall be performed by the EIR in the visited country. The 3GPP AAA proxy shall request the EIR to perform the IMEI check by sending the ME Identity Check Request (ME Identity, IMSI) to the EIR. Upon receiving the ME Identity Check Ack (Result) from the EIR, the 3GPP AAA proxy shall determine whether to continue or to stop the authentication and authorization procedure. If the 3GPP AAA proxy determines that the authentication and authorization procedure shall be stopped, the 3GPP AAA Proxy shall reply to the ePDG with a failure message with appropriate cause value.
3) The ePDG sends the Proxy Binding Update (MN-NAI, Lifetime, APN, Access Technology Type, Handover Indicator, GRE key for downlink traffic, UE Address Info, Charging Characteristics, Additional Parameters, IMEI(SV) if available) message to the PDN GW. Access Technology Type option is set to a value matching the characteristics of the non-3GPP IP access. Handover Indicator is set to indicate attachment over a new interface. The proxy binding update message shall be secured. The MN NAI identifies the UE. The Lifetime field must be set to a nonzero value in the case of a registration and a zero value in the case of a de-registration. The APN is used by the PDN GW to determine which PDN to establish connectivity for, in the case that the PDN GW supports multiple PDN connectivity. The ePDG creates and includes a PDN connection identity if the ePDG supports multiple PDN connections to a single APN. The UE Address Info shall be set based on the CFG_Request in step 1 and subscription profile in the same way as the PDN type is selected during the E‑UTRAN Initial Attach in TS 23.401 [4]. The Additional Parameters include the authentication credentials for an additional authentication and authorization with an external AAA server if it was provided by the UE in step 2. The PDN GW performs the authentication and authorization with the external AAA server if it is required to get access for the given APN as specified in TS 33.402 [45].
4) The PDN GW initiates the IP CAN Session Establishment Procedure with the PCRF, as specified in TS 23.203 [19]. If available, the PCRF provides the APN-AMBR and Default Bearer QoS to the PDN GW in the response message.
5) The selected PDN GW informs the 3GPP AAA Server of the PDN GW identity. The 3GPP AAA Server then informs the HSS of the PDN GW identity and APN associated with the UE’s PDN Connection. The message includes information that identifies the PLMN in which the PDN GW is located. This information is registered in the HSS as described in clause 12. The PDN GW shall only use the APN-AMBR and Default Bearer QoS received from the 3GPP AAA server in this step if these parameters have not been received in step 4.
6) The PDN GW processes the proxy binding update and creates a binding cache entry for the UE. The PDN GW allocates an IP address for the UE. The PDN GW then sends a Proxy Binding Ack (MN NAI, UE Address Info, GRE Key for uplink traffic, Charging ID) message to the ePDG, including the IP address(es) allocated for the UE (identified by the MN NAI). If the corresponding Proxy Binding Update contains the PDN connection identity, the PDN GW shall acknowledge if multiple PDN connections to the given APN are supported. The Charging ID is assigned for the PDN connection for charging correlation purposes.
NOTE 3: If UE requests for both IPv4 address and IPv6 prefix, both are allocated. If the PDN GW operator dictates the use of IPv4 address only or IPv6 prefix only for this APN, the PDN GW shall allocate the only IPv4 address or only IPv6 prefix to the UE. If the UE requests for only IPv4 address or IPv6 prefix only one address/prefix is allocated accordingly.
NOTE 4: The ePDG learns from the PBA whether the PDN GW supports multiple PDN connection to the same APN or not.
7) After the Proxy Binding Update is successful, the ePDG is authenticated by the UE and indicates to the UE that the authentication and authorization with the external AAA server is successful.
8) The ePDG sends the final IKEv2 message with the IP address in IKEv2 Configuration payloads. The ePDG also includes the identity of the associated PDN (APN) in the IDr payload of IKEv2. In case the UE provided APN to the ePDG in the earlier steps, the ePDG shall not change the provided APN.
9) IP connectivity from the UE to the PDN GW is now setup. Any packet in the uplink direction is tunnelled to the ePDG by the UE using the IPSec tunnel. The ePDG then tunnels the packet to the PDN GW. From the PDN GW normal IP-based routing takes place. In the downlink direction, the packet for UE (HoA) arrives at the PDN GW. The PDN GW tunnels the packet based on the binding cache entry to the ePDG. The ePDG then tunnels the packet to the UE via proper IPsec tunnel.