EPDG Overview


ePDG Basic features overview

Introduction
• Due to the tremendous surge in smartphones and tablet devices, data usage is growing at unpredictable
rates. While the obvious choice seems to be improving the existing EPC core and access with an improved
network architecture to accommodate bandwidth growth, that is neither a cost-efficient nor a scalable solution.

• One of the most significant approaches is offloading traffic over other access technologies such as Wi-Fi,
femto or small cells that are connected to the EPC through untrusted third-party access networks such as DSL,
cable and FTTH. Wi-Fi is uniquely positioned to handle the data surge and throughput requirements of
mobile networks.

• Operators today can create strategic value by integrating Wi-Fi with their core networks to extend service
reach (especially indoor coverage), manage capacity, and deliver an enhanced customer experience. ePDG and AAA
are crucial network components that allow this integration of non-3GPP Wi-Fi access into the Evolved Packet
Core (EPC). In the operator's network they enable:
-Secure Access
-Efficient Extension of Network Coverage
-Harmonized Service Capability
-Seamless Mobility

Copyright Mavenir 2019. Proprietary and Confidential. 2


Ice.net Network Overview

• The figure below shows an overview of Ice.net's network, where Native Wi-Fi calling, the purpose of this
delivery, is added as a new access method to Ice.net's network.



Features of ePDG
• IPsec tunnel establishment on the access side, with multiple IPsec tunnels per UE supported

• GTP tunnel establishment on the core side

• Wi-Fi to LTE and LTE to Wi-Fi seamless mobility, as described in TS 23.402

• Authentication and authorization services, combined with the AAA server

• Support of both IPv4 and IPv6 for the protocols used on the access side

• ePDG provides Ice.net Native VoWiFi clients with the ability to perform:
-EPC attachment via an untrusted Wi-Fi network
-IMS registration over an untrusted Wi-Fi network
-Wi-Fi calling via the Ice.net IMS network towards IMS, CS and PSTN numbers
-Encrypted communication



3GPP & NON-3GPP

• The UE can connect to the EPC using several access technologies. These
access technologies fall into two groups:

• 3GPP access - these access technologies are defined by the 3GPP
specifications. They include GPRS, EDGE, UMTS, HSPA, LTE etc.
• non-3GPP access - these access technologies are not defined by the 3GPP
specifications. They include technologies such as cdma2000, WiMAX, IEEE
802.11 (Wi-Fi) etc.



ePDG Interfaces

• SWu (UE – ePDG): The SWu interface is the interface between the UE and the ePDG; it carries the IPsec tunnels.

• SWm (ePDG – AAA): The SWm interface is between the ePDG and an external 3GPP AAA server.

• S2b (ePDG – PGW): The S2b interface is between the ePDG and the PDN GW. The S2b interface is based upon GTP.



ePDG Interfaces (diagram)

SWm (ePDG – AAA), S2b (ePDG – PGW)



ePDG mOne Virtualization
The mOne software platform runs on a Red Hat Linux operating system, with middleware
providing high availability, full FCAPS support and an internal messaging distribution framework.

The following are the VM software components for ePDG:

• RM – Resource Manager: functions as the "front end" to the system for external traffic, presenting
the system as a single entity rather than individual nodes. RM components are configured as a
1:1 (active/standby) pair.
• DM – Distribution Manager: responsible for distribution of internal traffic within the system. DM
components are configured as a 1:1 (active/standby) pair.
• AM – Admin Manager: responsible for the management of the system, providing EMS as well
as FCAPS functionality. AM components are configured as a 1:1 (active/standby) pair.
• MP – Media Processor: responsible for processing all media plane (user plane) packets.
• CE – Control Engine: responsible for the application logic, e.g. ePDG. CE components are
configured as a 1:1 (active/standby) pair to preserve session state.



ePDG IPsec and GTP tunnel establishment

1. An IPsec tunnel is established between the UE and the ePDG. The UE encapsulates the service packet inside
another IP packet.


3. The outer packet is sourced from the UE's private IP address within the Wi-Fi network and is
destined to the ePDG service address.

4. For illustration purposes, the Wi-Fi access point NATs the outer address in the IP header. It is now
replaced with the Wi-Fi AP's Internet IP address.

5. The packet arrives at the ePDG, where the ESP integrity check and decryption are performed.
The encapsulated IP packet is now ready to be routed to any service within the provider network;
here it is sent towards the PDN Gateway after GTP tunneling.



IMSI Filtering and Blacklisting

• During IKEv2 Security Association establishment, the UE provides its identity in the IDi
payload of the IKE_AUTH message. An attacker could generate a valid IKE_SA_INIT exchange
(including the cookie) and follow it with an IKE_AUTH carrying an invalid IDi in order to
overload the IKE service and the AAA. The operator network can easily be protected against
such attacks by filtering out invalid identities at the ePDG. The UE identity must be in NAI
format, username@realm.
• The username field contains the IMSI preceded by "1" or "0", depending on whether EAP-SIM or EAP-
AKA is used for the authentication (assuming full authentication is used).

• The root NAI format is as follows:

• 0<IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, for EAP-AKA authentication
• 1<IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, for EAP-SIM authentication

The username/IMSI consists of three elements: MCC, MNC and MSIN.


For example, for EAP-AKA authentication: if the IMSI is
234150999999999 (MCC = 234, MNC = 15), the root NAI takes the form
0234150999999999@nai.epc.mnc015.mcc234.3gppnetwork.org.

For EAP-SIM authentication, with the same IMSI
234150999999999 (MCC = 234, MNC = 15), the root NAI takes the form
1234150999999999@nai.epc.mnc015.mcc234.3gppnetwork.org.

Note that the two-digit MNC 15 is zero-padded to three digits (015) in the realm.
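As an added example (not code from the Mavenir deck), the following Python function performs the IDi filtering described above: it parses a root NAI, checks that the IMSI actually begins with the PLMN named in the realm, and rejects malformed or blacklisted identities before any AAA lookup. The home PLMN list and IMSI blacklist parameters are assumed operator inputs, and the sample identities are constructed from the slide's example IMSI.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Root NAI shape from the slides (3GPP TS 23.003): <0|1><IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
# The realm MNC is always three digits, so a two-digit MNC is zero-padded (15 -> 015).
ROOT_NAI_RE = re.compile(
    r"^(?P<prefix>[01])(?P<imsi>\d{5,15})"
    r"@nai\.epc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$"
)


@dataclass(frozen=True)
class NaiIdentity:
    method: str   # "EAP-AKA" for prefix 0, "EAP-SIM" for prefix 1
    imsi: str
    mcc: str
    mnc: str      # three-digit realm form


def parse_root_nai(
    idi: str,
    home_plmns: FrozenSet[Tuple[str, str]] = frozenset(),   # assumed operator config
    blacklist: FrozenSet[str] = frozenset(),                # assumed IMSI blacklist
) -> Optional[NaiIdentity]:
    """Parse the IDi from IKE_AUTH; return None when the identity should be dropped locally."""
    m = ROOT_NAI_RE.fullmatch(idi)
    if not m:
        return None                        # not a root NAI at all
    imsi, mcc, mnc = m["imsi"], m["mcc"], m["mnc"]
    # The IMSI is MCC + MNC + MSIN, so it must start with the PLMN named in the realm.
    if not imsi.startswith(mcc):
        return None
    after_mcc = imsi[3:]
    two_digit_mnc = mnc[0] == "0" and after_mcc.startswith(mnc[1:])
    if not (after_mcc.startswith(mnc) or two_digit_mnc):
        return None
    # Optional operator policy: only serve configured PLMNs, and drop blacklisted IMSIs.
    if home_plmns and (mcc, mnc) not in home_plmns:
        return None
    if imsi in blacklist:
        return None
    method = "EAP-AKA" if m["prefix"] == "0" else "EAP-SIM"
    return NaiIdentity(method, imsi, mcc, mnc)


if __name__ == "__main__":
    # Constructed samples based on the slide's example IMSI 234150999999999 (MCC 234, MNC 15)
    for idi in ("0234150999999999@nai.epc.mnc015.mcc234.3gppnetwork.org",
                "0310150999999999@nai.epc.mnc015.mcc234.3gppnetwork.org",
                "attacker@example.com"):
        print(idi, "->", parse_root_nai(idi))
```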



IMS Registration over WiFi process

• ePDG discovery
• PGW selection
• P-CSCF discovery
• IMS registration


• ePDG discovery
The ePDG is dynamically discovered by the UE through DNS queries resolving the ePDG FQDN.
The GLB (Global Load Balancer) provides the DNS functionality: it randomly picks one IP from the
first site and one IP from the second site and returns them to the UE in random order. The GLB does NOT
provide any capability to monitor the availability of the ePDG, e.g. via ICMP.
• PGW selection
PGW selection by the ePDG can be done in one of the following ways, as per configuration:
• Static: the ePDG is instructed to select the PGW IP address returned from the HSS (via the AAA).
If no PGW is allocated to the user, the ePDG performs a DNS query to resolve the APN
FQDN.
• Dynamic: the ePDG performs a DNS query to resolve the APN FQDN, apart from
handover cases, where the ePDG selects the PGW identity returned from the HSS.
The Dynamic method will be implemented in both ePDG and HSS.


• P-CSCF discovery
The UE requests the P-CSCF IPv6 address using the P-CSCF_IP6_ADDRESS attribute in the
CFG_REQUEST configuration payload, as described in TS 24.302 and shown in the "UE
Attachment" call flow. The ePDG maps the request to a Private IE in the "Create Bearer
Request" towards the PGW.

The UE then uses the received P-CSCF IPv6 address for contacting the IMS at the SIP level, that is,
for sending the SIP REGISTER and subsequent SIP signaling.



One Integrated Node details/Login Process

Production
Component  Node         IP           Product Version
ePDG01     ePDG01-A     10.9.14.2    B-R_2_0_12_4
ePDG01     ePDG01-B     10.9.14.3    B-R_2_0_12_4
ePDG01     ePDG01-VIP   10.9.14.4    B-R_2_0_12_4
           EMS GUI
DSC01      DSC01-MGR-1  10.9.14.130  9_0
           GUI :9998
           DSC01-MGR-2  10.9.14.131  9_0
           GUI :9998
           DSC-RTR-1    10.9.14.132  9_0
           DSC-RTR-2    10.9.14.133  9_0
AAA01      oam101       10.9.14.98   11_0
           oam102       10.9.14.99   11_0
           GUI :10443
           sdb101       10.9.14.100  11_0
           sdb102       10.9.14.101  11_0
           svr101       10.9.14.102  11_0
           svr102       10.9.14.103  11_0
           svr103       10.9.14.104  11_0
           svr104       10.9.14.105  11_0
           svr105       10.9.14.106  11_0
           svr106       10.9.14.107  11_0
           slb101       10.9.14.108  11_0
           slb102       10.9.14.109  11_0

LAB
Component   Node             IP              Product Version
lab-ePDG01  lab-ePDG01-A     10.9.13.2       B-R_2_0_12_4
            lab-ePDG01-B     does not exist
            lab-ePDG01-VIP   10.9.13.4       B-R_2_0_12_4
            EMS GUI
lab-DSC01   lab-DEA01-rtr-1  10.9.13.132     9_0
            lab-DEA01-rtr-2  10.9.13.133     9_0
lab-AAA01   oam101           10.9.13.98      11_0
            oam102           10.9.13.99      11_0
            GUI :10443
            sdb101           10.9.13.100     11_0
            sdb102           10.9.13.101     11_0
            svr101           10.9.13.102     11_0
            svr102           10.9.13.103     11_0
            svr103           10.9.13.104     11_0
            slb101           10.9.13.108     11_0
            slb102           10.9.13.109     11_0



System Components
• The table below lists the products and the relevant SW releases of the Mavenir delivery to Ice.net.

• The table below lists the Ice.net products connected to Mavenir's ePDG and AAA.



Network Diagram



Network Architecture



Network Development/VM allocation
ePDG Node: The ePDG node refers to the logical ePDG system, which consists of an active and a standby
ePDG instance.
ePDG (VM) instance: The ePDG instance refers to an individual virtual machine of type ePDG.

AAA VM: Each AAA system consists of 12 AAA host VM instances.

The AAA VM refers to a standalone instance within a VCX. There are 12 VMs in the VCX:
-The first pair of AAA VMs (oam101 and oam102), in active:active replication, are referred to as OAMs.
-The next three pairs of AAA VMs (the AAA front ends for SWx, SWm and S6b), in active:active
replication, are referred to as FEs.
-The fifth pair of AAA VMs (the AAA back ends sdb101 and sdb102), in active:active replication, are
referred to as BEs.
-The sixth pair of AAA VMs (the AAA load balancers slb101 and slb102), in active:standby, are
referred to as LBs.
(Figure: AAA VCX VM naming.)
AAA (VM) instance: The AAA VM refers to a standalone instance within an AAA deployment.



Network Development/VM allocation

• ePDG: A single ePDG VM instance requires 12 vCPU and 32 GB RAM.

• Call model assumptions:
A BHCA/sub/hour of 0.5 and an Average Call Hold Time (ACHT) of 90 seconds per voice session
are assumed.
• As a result of the capacity tests, Mavenir provides the following recommendations.
Key capacity indicators per integrated ePDG VM are:
• 200k sessions, including 10k active calls
• The 200k limit is a pre-allocated session array (system setting)
• Slow-path CPU is driven by transactions (attachments, de-/re-attachments, re-keying interval,
DPD setting, etc.)
• The fast-path limit is 10k active calls (5% of total sessions)
• Please note that the KPI for active sessions is available only if a dedicated bearer is used
• ePDG VMs scale in a linear fashion.



ePDG VM expansion

ePDG expansion is required if one of the limits below is reached:

• Subscriber sessions > 200k subscribers
-It is recommended to apply admission control at the value of 200k subscribers
• Active calls > 10k
-It is recommended to monitor the number of parallel active sessions on another node,
e.g. SBC, PCRF, TAS
-As an alternative, fast-path CPU usage can indicate the load
-Capacity reports show linear growth of CPU usage with the number of sessions
• Slow-path CPU > 70%
-Overload handling is applied upon exceeding this threshold
-If slow-path CPU exceeds the threshold before 200k sessions are reached, the call model needs to be revised



AAA
AAA (Authentication, Authorization, Accounting)

Mavenir delivers an AAA server, ENEA Session Manager, in order to provide the Ice.net network
with the necessary Authentication and Authorization functionality, as specified in 3GPP specs.
• AAA provides the network with the following functionalities:
• EAP-AKA Authentication
• 3GPP Diameter interfaces SWm, SWx, S6b
• The ENEA setup has SLB, SDB and SVR nodes:
-SVR: front-end nodes; requests arrive here from the load balancers or the ePDG
-SDB: in-memory database (ItemStore)
-SLB: load balancer



Call Flow

The figure shows the ePDG discovery procedure.


This is the procedure by which the UE discovers the ePDG IPv4 address in order to initiate the IKEv2
authentication procedure. It does this by constructing the ePDG FQDN (Fully Qualified Domain
Name) from the Home PLMN ID.

1. The UE performs a DNS lookup against its local DNS (hosted by the broadband ISP), using
the derived FQDN string described above.
2. The local DNS learns (via delegation by the GSMA authoritative DNS) that it needs to query
ICE's Internet DNS.
3,4. The UE obtains the ePDG public IPv4 address and uses it to send the IKE_SA_INIT message
that initiates the attach over Wi-Fi procedure.



Tmm TABLE for KPI

• 811_UAG_DIAMETER
• 812_UAG_EPDG_GTPV2
• 814_UAG_EPDG_IKE
• 816_UAG_EPDG_APN
• 810_UAG_EPDG_FUNCTIONAL
• 818_UAG_EPDG_LATENCY
• 819_UAG_EPDG_BEARERS



• Total users in MP:
/usr/IMS/current/bin/mpguQuery -sum |grep "Total session"

• For CE:
rmtCmd ' /usr/IMS/current/bin/epdgCli show pdn 8 |grep summary ' ce

• To check replication between ADMs:
rmtCmd '/usr/IMS/current/bin/checkDb.sh -v' adm

• To open the config DB:
mysql -p$(mavcrypt d) mnode_cm_data;

• To check for core files:
rmtCmd 'ls -lrt /data/storage/corefiles/*core*' ALL

• Program version:
rmtCmd "/usr/IMS/current/bin/program_version.sh" all



Thank You

