6 Tunnel management procedure

3GPP TS 24.139 Release 17: 3GPP system - fixed broadband access network interworking; Stage 3

6.1 Tunnel management procedures over S2b

6.1.1 General

The purpose of tunnel management procedures is to establish or disconnect an end-to-end tunnel between the UE and the ePDG for S2b access to 3GPP Evolved Packet Core (EPC) via a fixed broadband access network.

The tunnel management procedures and ePDG selection procedure specified in 3GPP TS 24.302 [3] clause 7 are applied. In addition, the procedures specified in this subclause shall be supported.

NOTE: If required by national regulations, a DNS server can indicate that the current country mandates the selection of ePDG in this country (see 3GPP TS 23.402 [18] and 3GPP TS 23.003 [19]).

6.1.2 UE procedures

6.1.2.1 Tunnel establishment

Once the ePDG has been selected, the UE shall initiate the IPsec tunnel establishment procedure using the IKEv2 protocol as specified in 3GPP TS 24.302 [3] subclause 7.2.2 with the following additions:

a) if the UE supports Reflective QoS, the UE shall provide the RQSI using the AT_RQSI_IND attribute as defined in subclause 8.1.1.1 within the IKE_AUTH request message;

b) if MOBIKE is supported, the UE shall include the MOBIKE_SUPPORTED notification in the IKE_AUTH request message;

c) in an IPv4 fixed broadband access network, NAT may be deployed, e.g. a UE may be located behind a Residence Gateway in which a NAT function is enabled. The UE shall support the NAT detection function as specified in IETF RFC 5996 [7]; and

d) if NAT is detected between the UE and the ePDG,

– the UE shall invoke the IKEv2 NAT traversal procedure as specified in IETF RFC 5996 [7];

– the UE shall use UDP encapsulation for ESP as specified in IETF RFC 5996 [7]; and

– the UE may send NAT-keepalive packets to keep the NAT mapping alive as defined in IETF RFC 3948 [9].
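The NAT detection function that items c) and d) above, and the ePDG side in subclause 6.1.3.1, rely on works by each peer hashing the address and port it believes it is using, so that the receiver can compare against what actually arrived on the wire. The following Python is an added illustration, not part of this specification or of any 3GPP implementation; the SPIs, addresses and ports are constructed and the function names are hypothetical.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_*_IP notify (RFC 5996 section 2.23):
    SHA-1 over SPIi | SPIr | IP address | port, all in network byte order."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def build_nat_detection(spi_i, spi_r, src, dst):
    """Sender side (exchanged in IKE_SA_INIT): hashes of the (ip, port) pairs the
    sender believes it is using. For a UE behind a NAT, src is its private address."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, *src),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, *dst),
    }


def detect_nat(spi_i, spi_r, notifies, observed_src, own):
    """Receiver side: recompute over the source (ip, port) actually seen on the wire
    and over its own (ip, port). A mismatch means a NAT rewrote that side.
    Returns (peer_behind_nat, self_behind_nat); if either is True the peers
    switch to UDP-encapsulated ESP on port 4500."""
    peer_nat = notifies["NAT_DETECTION_SOURCE_IP"] != nat_detection_hash(spi_i, spi_r, *observed_src)
    self_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != nat_detection_hash(spi_i, spi_r, *own)
    return peer_nat, self_nat


# Constructed scenario: UE at private 192.168.1.10:500 behind a Residence Gateway NAT
# that maps it to 203.0.113.5:12345; ePDG (hypothetical address) at 198.51.100.1:500.
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")


def ue_behind_nat():
    sent = build_nat_detection(SPI_I, SPI_R, ("192.168.1.10", 500), ("198.51.100.1", 500))
    return detect_nat(SPI_I, SPI_R, sent, ("203.0.113.5", 12345), ("198.51.100.1", 500))


def ue_without_nat():
    sent = build_nat_detection(SPI_I, SPI_R, ("192.168.1.10", 500), ("198.51.100.1", 500))
    return detect_nat(SPI_I, SPI_R, sent, ("192.168.1.10", 500), ("198.51.100.1", 500))
```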

6.1.2.2 Tunnel modification

The UE shall support the tunnel modification procedure specified in 3GPP TS 24.302 [3] subclause 7.2.3.

The tunnel modification procedure may be triggered if the UE local IP address or the NAT UDP port number or both have been reassigned. For instance, the Residence Gateway NAT function may be restarted for some reason. As a result of the NAT restart, the UE local IP address and the mapping of the NAT UDP port number may be reassigned.

If the UE detects that the local IP address or the NAT UDP port number or both are reassigned, the UE shall:

– disconnect the tunnel as specified in subclause 6.1.2.3 and re-initiate the tunnel establishment procedure as specified in subclause 6.1.2.1; or

– use MOBIKE for recovering the IKEv2 SA as specified in IETF RFC 4555 [8].

If MOBIKE is supported, the UE shall support the tunnel modification procedure specified in 3GPP TS 24.302 [3] subclause 7.2.3 with the following additions:

– the UE shall perform the Dead Peer Detection (DPD) procedure to detect whether the NAT mapping has changed as specified in IETF RFC 4555 [8];

– if NAT remapping is detected, the UE shall update the IKEv2 security association with the newly allocated local IP address, and shall then send an INFORMATIONAL request containing the UPDATE_SA_ADDRESSES notification to the ePDG; and

– when the UE receives an INFORMATIONAL request with a COOKIE2 notification present, the UE shall copy the notification to the COOKIE2 notification of an INFORMATIONAL response and send it to the ePDG.
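The MOBIKE exchange above (UE sends UPDATE_SA_ADDRESSES, ePDG challenges with COOKIE2, UE echoes it) is what stops a third party from redirecting the tunnel to an address of its choosing, and the ePDG side of it is what subclause 6.1.3.2 refers to. The following Python is an added sketch of both sides, not code from this specification or from any ePDG product; the class and function names are hypothetical, and the ordering shown (check return routability before using the new address) is one of the orderings IETF RFC 4555 [8] allows the responder.

```python
import os

# IKEv2 notify message types from RFC 4555 section 5 (MOBIKE)
UPDATE_SA_ADDRESSES = 16400
COOKIE2 = 16401


class EpdgIkeSa:
    """ePDG-side state for one IKE SA (constructed; hypothetical class name).
    peer is the (ip, port) the ePDG currently sends IKE and ESP packets to."""

    def __init__(self, peer):
        self.peer = peer
        self.pending = None  # (candidate_peer, cookie2) while a return routability check runs

    def on_request(self, src, req):
        """INFORMATIONAL request from the UE. On UPDATE_SA_ADDRESSES the ePDG does not
        move the SA yet; it challenges the new source address with a fresh COOKIE2."""
        if UPDATE_SA_ADDRESSES in req:
            cookie = os.urandom(16)  # RFC 4555: COOKIE2 data is 8 to 64 octets, unpredictable
            self.pending = (src, cookie)
            return {COOKIE2: cookie}
        return {}

    def on_response(self, src, resp):
        """INFORMATIONAL response to the COOKIE2 challenge. Only an exact echo arriving
        from the challenged address moves the SA. Returns True when addresses were updated."""
        if self.pending is None:
            return False
        candidate, cookie = self.pending
        if src != candidate or resp.get(COOKIE2) != cookie:
            return False  # spoofed or stale reply: keep the current peer address
        self.peer, self.pending = candidate, None
        return True


def ue_update_sa_addresses():
    """UE side (6.1.2.2): after DPD shows the NAT mapping changed, the UE rebinds the
    IKE SA to its new local address and sends UPDATE_SA_ADDRESSES (no data)."""
    return {UPDATE_SA_ADDRESSES: b""}


def ue_echo_cookie2(req):
    """UE side: copy COOKIE2 from the request unchanged into the response."""
    return {COOKIE2: req[COOKIE2]}
```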

6.1.2.3 Tunnel disconnection

The procedure of tunnel disconnection initiated by the UE is specified in 3GPP TS 24.302 [3].

6.1.2.4 Support of reflective QoS

The UE may support reflective QoS for uplink traffic as specified in subclause 5.2.

If reflective QoS is supported and the IPsec anti-replay feature specified in IETF RFC 4301 [10] is implemented, the UE should create a dedicated child SA for each IP flow which has the same DSCP marking value. If not, the UE may choose to increase the IPsec anti-replay window size or use any other implementation-specific method to avoid the out-of-sequence issue.

6.1.3 ePDG procedure

6.1.3.1 Tunnel establishment

Upon receipt of an IKE_AUTH request message from the UE requesting the establishment of a tunnel, the ePDG shall perform the tunnel establishment procedure as specified in 3GPP TS 24.302 [3] with the following additions:

a) the ePDG shall support the NAT detection function as defined in section 2.23 of IETF RFC 5996 [7];

b) if MOBIKE_SUPPORTED notification is received, the ePDG shall include the MOBIKE_SUPPORTED notification in the IKE_AUTH response message;

c) if NAT is detected between the UE and the ePDG, the ePDG shall use UDP encapsulation for ESP as defined in IETF RFC 5996 [7]; and

d) if an RQSI was received from the 3GPP AAA Server, the ePDG shall send that RQSI, indicating whether Reflective QoS shall be applied, to the UE within the IKE_AUTH response message.

6.1.3.2 Tunnel modification

If MOBIKE applies, the ePDG shall perform the tunnel modification procedure as defined in 3GPP TS 24.302 [3], subclause 7.4.2.

If MOBIKE does not apply, the ePDG shall perform the procedure for UE initiated disconnection as defined in subclause 6.1.3.3, followed by the tunnel establishment procedure as defined in subclause 6.1.3.1.

6.1.3.3 Tunnel disconnection

The procedure of tunnel disconnection initiated by the ePDG is as specified in 3GPP TS 24.302 [3].

6.1.3.4 Support of QoS

When receiving a downlink data packet for a UE, the ePDG shall copy the DSCP marking value from the received IP header into the new IPsec header before forwarding to the UE, as specified in subclause 5.3.

If the anti-replay feature specified in IETF RFC 4301 [10] is implemented, the ePDG should create a dedicated child SA for each IP flow which has the same DSCP marking value; or, the ePDG may choose to increase the IPsec anti-replay window size or use any other implementation-specific method to avoid the out-of-sequence issue.
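Subclauses 6.1.2.4 and 6.1.3.4 both offer the same two mitigations (one child SA per DSCP class, or a larger anti-replay window) without showing why the problem arises: when traffic of different DSCP classes shares one child SA, the access network can forward high-priority packets ahead of low-priority ones by more than the receiver's window, and the late packets are then dropped as if they were replays. The following Python simulation is an added illustration, not code from this specification; the traffic pattern is constructed and the names are hypothetical.

```python
WINDOW = 64  # minimum receiver anti-replay window size required by RFC 4303


class ChildSa:
    """Receiver-side ESP anti-replay window (RFC 4303 section 3.4.3) as a sliding bitmap.
    Bit k of `bitmap` set means sequence number `top - k` has already been accepted."""

    def __init__(self, window=WINDOW):
        self.window, self.top, self.bitmap = window, 0, 0

    def accept(self, seq):
        """Return True if `seq` is new and inside the window, False if it must be dropped."""
        if seq > self.top:  # advances the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window or (self.bitmap >> diff) & 1:
            return False  # too old for the window, or a replay
        self.bitmap |= 1 << diff
        return True


def run_scenario(per_dscp_sa, window=WINDOW):
    """Constructed traffic: 8 best-effort packets (DSCP 0) are sent first, then a burst
    of 80 expedited-forwarding packets (DSCP 46). The access network forwards EF ahead
    of BE, so the BE packets arrive after 80 higher-numbered ones. Returns the number
    of packets the receiver drops."""
    sent = [(0, 1 + i) for i in range(8)] + [(46, 1 + i) for i in range(80)]
    if per_dscp_sa:
        tagged = sent  # each DSCP class has its own child SA and sequence space
    else:
        tagged = [(dscp, n + 1) for n, (dscp, _) in enumerate(sent)]  # one shared counter
    arrival = [p for p in tagged if p[0] == 46] + [p for p in tagged if p[0] == 0]
    sas, dropped = {}, 0
    for dscp, seq in arrival:
        sa = sas.setdefault(dscp if per_dscp_sa else "shared", ChildSa(window))
        if not sa.accept(seq):
            dropped += 1
    return dropped
```

With one shared SA and the default window every best-effort packet is lost; either a per-DSCP child SA or a window of 128 keeps them all.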

Optionally, the ePDG may perform DSCP marking remapping based on the operator’s policy.

6.2 Tunnel management procedure over S2c

6.2.1 S2c procedure over trusted fixed broadband access network

6.2.1.1 General

The purpose of tunnel management procedures is to establish or disconnect an end-to-end tunnel between the UE and the HA for S2c access to 3GPP Evolved Packet Core (EPC) via a trusted fixed broadband access network.

The tunnel management procedures specified in 3GPP TS 24.303 [4] clause 5 are applied. In addition, the procedures specified in this subclause shall be supported.

6.2.1.2 UE procedure

6.2.1.2.1 Dual-Stack Mobile IPv6 initial attach

Once the HA has been selected, the UE shall initiate the Dual-Stack Mobile IPv6 initial attach procedure specified in 3GPP TS 24.303 [4], subclause 5.1 with the following additions:

a) if the UE supports Reflective QoS, the UE may provide the RQSI using the AT_RQSI_IND attribute as defined in subclause 8.1.1.1 within the IKE_AUTH request message;

b) if MOBIKE is supported, the UE shall include the MOBIKE_SUPPORTED notification in the IKE_AUTH request message;

c) in an IPv4 fixed broadband access network, NAT may be deployed, e.g. a UE may be located behind a Residence Gateway in which a NAT function is enabled. The UE shall support the NAT detection function as specified in IETF RFC 5996 [7] and IETF RFC 4555 [8];

d) if NAT is detected between the UE and the HA,

– the UE shall invoke the IKEv2 NAT traversal procedure as specified in IETF RFC 5996 [7];

– the UE shall use UDP-Encapsulated ESP as defined in IETF RFC 5996 [7] and IETF RFC 4555 [8]; and

– the UE may send NAT-keepalive packets to keep the NAT mapping alive as defined in IETF RFC 3948 [9] and IETF RFC 4555 [8].

6.2.1.2.2 Dual-Stack Mobile IPv6 handover

The Dual-Stack Mobile IPv6 handover procedure shall be triggered if the UE local IP address has been reassigned, or the UE moves from one link to another link.

The UE procedure of Dual-Stack Mobile IPv6 handover is specified in 3GPP TS 24.303 [4], subclause 5.2.

If the UE detects that the local IP address or the NAT UDP port number or both are reassigned, the UE shall update the mobility tunnel with the HA by initiating the Dual-Stack Mobile IPv6 handover.

6.2.1.2.3 Dual Stack Mobile IPv6 Re-Registration

The UE procedure of Dual-Stack Mobile IPv6 Re-Registration is specified in 3GPP TS 24.303 [4], subclause 5.3.

6.2.1.2.4 Dual-Stack Mobile IPv6 detach

The UE procedure of Dual-Stack Mobile IPv6 detach is specified in 3GPP TS 24.303 [4], subclause 5.4.

6.2.1.2.5 Support of reflective QoS

The UE may support UE Reflective QoS function for uplink traffic as specified in subclause 5.2.

If the UE Reflective QoS function for uplink traffic is enabled, S2c data integrity protection is used and the IPsec anti-replay feature specified in IETF RFC 4301 [10] is implemented, the UE should create a dedicated child SA for each IP flow which has the same DSCP marking value; or, the UE may choose to increase the IPsec anti-replay window size or use any other implementation-specific method to avoid the out-of-sequence issue.

6.2.1.3 HA procedure

6.2.1.3.1 Dual-Stack Mobile IPv6 initial attach

Upon receipt of an IKE_AUTH request message from the UE requesting the establishment of a tunnel, the HA shall perform the Dual-Stack Mobile IPv6 initial attach procedure as specified in 3GPP TS 24.303 [4], subclause 5.1 with the following additions:

a) the HA shall support the NAT detection function as defined in section 2.23 of IETF RFC 5996 [7] and in IETF RFC 4555 [8];

b) if MOBIKE_SUPPORTED notification is received, the HA shall include the MOBIKE_SUPPORTED notification in the IKE_AUTH response message; and

c) if NAT is detected between the UE and the HA, the HA shall use UDP encapsulation for ESP as defined in IETF RFC 5996 [7].

6.2.1.3.2 Dual-Stack Mobile IPv6 handover

The Dual-Stack Mobile IPv6 handover procedure shall be triggered if the UE local IP address has been reassigned, or the UE moves from one link to another link.

The HA procedure of Dual-Stack Mobile IPv6 handover is specified in 3GPP TS 24.303 [4], subclause 5.2.

6.2.1.3.3 Dual Stack Mobile IPv6 Re-Registration

The HA procedure of Dual-Stack Mobile IPv6 Re-Registration is specified in 3GPP TS 24.303 [4], subclause 5.3.

6.2.1.3.4 Dual-Stack Mobile IPv6 detach

The HA procedure of Dual-Stack Mobile IPv6 detach is specified in 3GPP TS 24.303 [4], subclause 5.4.

6.2.1.3.5 Support of QoS

The HA shall set per QoS flow DSCP marking on the IP outer header as specified in subclause 5.3.

If S2c data integrity protection is used and the IPsec anti-replay feature specified in IETF RFC 4301 [10] is implemented, the HA should create a dedicated child SA for each IP flow which has the same DSCP marking value; or, the UE may choose to increase the IPsec anti-replay window size or use any other implementation-specific method to avoid the out-of-sequence issue.

6.2.2 S2c procedure over un-trusted fixed broadband access network

6.2.2.1 General

The purpose of tunnel management procedures is to establish or disconnect an end-to-end tunnel between the UE and the HA for S2c access to 3GPP Evolved Packet Core (EPC) via an un-trusted fixed broadband access network.

The tunnel management procedures specified in 3GPP TS 24.303 [4] clause 5 are applied. The additional procedures specified in this subclause shall also be supported.

6.2.2.2 UE procedure

The UE tunnel management procedure of the IPsec tunnel with ePDG is specified in subclause 6.1.2.

The UE tunnel management procedure of Dual-Stack Mobile IPv6 tunnel with the HA is specified in subclause 6.2.1.2.

The UE may support the UE reflective QoS for uplink traffic on the IPsec header as specified in subclause 6.1.2.4.

6.2.2.3 ePDG Procedure

The ePDG tunnel management procedure of the IPsec tunnel is specified in subclause 6.1.3.

The ePDG procedure for the support of QoS is specified in subclause 6.1.3.4.

6.2.2.4 HA Procedure

The HA tunnel management procedure of Dual-Stack Mobile IPv6 tunnel is specified in subclause 6.2.1.3.

The HA procedure for the support of QoS is specified in subclause 6.2.1.3.5.