7.3 Initial Attach Procedure for S2c in Untrusted Non-3GPP IP Access

23.4023GPPArchitecture enhancements for non-3GPP accessesRelease 18TS

This clause is related to the case when the UE powers-on in an untrusted network and host-based mobility management mechanism is used to establish IP connectivity and to perform inter-access Handover. Dual Stack MIPv6, RFC 5555 [10] is used for supporting mobility over S2c interface.

Figure 7.3-1: Initial attachment from Untrusted Non-3GPP IP Access with DSMIPv6

The non-roaming (Figure 4.2.2-2), Roaming (Figure 4.2.3-3) and LBO (Figure 4.2.3-5) are all covered in this procedure. In the Roaming and LBO case, the ePDG communicates with the 3GPP AAA Server by way of the 3GPP AAA Proxy, functioning as a relay for AAA messages. In the LBO case, the PDN GW in the VPLMN interacts with the PCRF by means of the vPCRF. In the non-roaming case, the 3GPP AAA Proxy and vPCRF are not involved.

This procedure is also used to establish the first PDN connection over an untrusted non-3GPP access with DSMIPv6 on S2c when the UE already has active PDN connections only over a 3GPP access and wishes to establish simultaneous PDN connections to different APNs over multiple accesses.

If dynamic policy provisioning is not deployed, the optional step 6 does not occur. Instead, the PDN GW may employ static configured policies.

1) The Access authentication procedure between UE and the 3GPP EPC may be performed as defined by TS 33.402 [45]. As part of the AAA exchange for network access authentication, the AAA/HSS and/or the 3GPP AAA Proxy may return to the Non-3GPP IP Access a set of home/visited operator’s policies to be enforced on the usage of local IP address, or IPv6 prefix, allocated by the access system upon successful authentication. Subscription data is provided to the Non-3GPP IP Access by the HSS/AAA in this step. After the authentication, UE is configured with Local IP Address from the access network domain. This address is used for sending all IKEv2, RFC 5996 [9] messages and as the source address on the outer header of the IPsec tunnel between the UE and the ePDG.

2) The IKEv2 tunnel establishment procedure is started by the UE. The UE may indicate in a notification part of the IKEv2 authentication request that it supports MOBIKE. The ePDG IP address to which the UE needs to form IPsec tunnel is discovered via DNS query as specified in clause 4.5.4. The procedure is as described in TS 33.402 [45].

3) The ePDG sends the final IKEv2 message with the assigned IP address in IKEv2 Configuration payloads.

4) IPsec Tunnel between the UE and ePDG is now setup.

5) A security association is established between UE and PDN GW to secure the DS-MIPv6 messages between UE and PDN GW. This step is performed as specified in step 4 of clause 6.3. During this step an IPv6 home network prefix is assigned by the PDN GW to the UE as defined in RFC 5026 [40]. After the IPv6 home network prefix is assigned, UE constructs a home address from it via auto-configuration.

6) The UE sends the Binding Update (IP Addresses (HoA, CoA)) message to the PDN GW. The Binding Update is as specified in RFC 5555 [10]. The UE may request an IPv4 Home Address in this step. The UE shall inform the PDN GW that the whole home prefix shall be moved.

7) The PDN GW executes a IP‑CAN Session Establishment Procedure with the PCRF as specified in TS 23.203 [19]. The message from the PDG GW includes at least the HoA and the CoA. The message may also include a permanent UE identity and an APN string.

The PCRF decides on the PCC rules and Event Triggers and provisions them to the PDN GW. The PDN GW installs the received PCC rules.

8) The PDN GW processes the binding update and creates a binding cache entry for the UE. The PDN GW allocates an IPv4 home address for the UE if requested by the UE in step 5 and allowed by the subscription profile received as it is specified in the E‑UTRAN attach procedure in TS 23.401 [4]. The PDN GW then sends a Binding Ack to the UE, including the IPv4 home address allocated for the UE.

9) The IP Connectivity is now setup.