
3GPP TS 23.234 V11.0.0 (2012-09)

Technical Specification

3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP system to Wireless Local Area Network (WLAN) interworking; System description (Release 11)

The present document has been developed within the 3rd Generation Partnership Project (3GPP TM) and may be further elaborated for the purposes of 3GPP. The present document has not been subject to any approval process by the 3GPP Organizational Partners and shall not be implemented. This Specification is provided for future development work within 3GPP only. The Organizational Partners accept no liability for any use of this Specification. Specifications and reports for implementation of the 3GPP TM system should be obtained via the 3GPP Organizational Partners' Publications Offices.

Release 11

3GPP TS 23.234 V11.0.0 (2012-09)

Keywords
LTE, UMTS, radio, LAN, interworking

3GPP

Postal address

3GPP support office address
650 Route des Lucioles - Sophia Antipolis
Valbonne - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 42 16

Internet
http://www.3gpp.org

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© 2012, 3GPP Organizational Partners (ARIB, ATIS, CCSA, ETSI, TTA, TTC). All rights reserved.

UMTS™ is a Trade Mark of ETSI registered for the benefit of its members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are registered and owned by the GSM Association.

3GPP


Contents

Foreword
1 Scope
2 References
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 WLAN Radio networks interworking with 3GPP
5 High-level Requirements and Principles
5.1 Access Control
5.1.1 WLAN Impacts
5.1.2 Existing 3GPP Element Impacts
5.1.3 Requirements for WLAN Direct IP Access
5.1.4 Requirements for WLAN 3GPP IP Access
5.1.4.1 Requirement for private network access from WLAN 3GPP IP Access
5.1.4.2 Requirements for Support of IMS Emergency Calls
5.1.5 WLAN Access Authorization
5.1.6 3GPP WLAN Attach
5.2 Void
5.3 User Identity
5.3.1 General
5.3.2 NAI Username
5.3.3 NAI Realm Name
5.3.4 NAI decoration for roaming
5.3.5 NAI decoration for IMS Emergency Call Service
5.4 Network Advertisement and Selection
5.4.1 Description of the issue
5.4.2 I-WLAN Access Network Advertisement and Selection
5.4.2.1 Case of IEEE 802.11 WLANs
5.4.2.1.1 General
5.4.2.1.2 WLAN Access Network Advertisement
5.4.2.1.3 I-WLAN Access Network Selection
5.4.2.2 Case of other WLANs
5.4.3 PLMN Advertisement and Selection
5.4.3.1 General
5.4.3.2 Network Advertisement
5.4.3.3 Network Selection
5.5 Authentication methods
5.6 Service Authorization Principles for WLAN 3GPP IP Access
5.6.1 Accessing Home Network provided services
5.6.2 Accessing Visited Network provided services
5.6.3 External IP Network selection
5.7 IP Connectivity for WLAN 3GPP IP Access
5.7.1 Principles
5.7.2 Tunnelling Requirements
5.7.3 Void
5.8 Roaming requirements for WLAN 3GPP IP Access
5.9 Routing Enforcement and Policy Enforcement for WLAN 3GPP IP Access
5.9.1 Purpose for routing enforcement and policy enforcement
5.9.2 Routing Enforcement in the WLAN AN
5.9.3 Routing enforcement and policy Enforcement in the HPLMN
5.9.4 Routing enforcement and policy Enforcement in the VPLMN


5.10 IP address allocation for the WLAN UE
5.10.1 General
5.10.2 Static and Dynamic Remote IP Address
5.11 Charging
5.12 AAA Protocol Requirements
5.13 QoS Support
5.13.1 General
5.13.2 Use of CoS based DiffServ for providing QoS over I-WLAN using WLAN 3GPP IP Access
5.13.3 QoS requirements on the architecture
6 Interworking Architecture
6.1 Reference Model
6.1.1 Non Roaming WLAN Inter-working Reference Model
6.1.2 Roaming WLAN Inter-working Reference Model
6.2 Network elements
6.2.1 WLAN UE
6.2.1.1 Void
6.2.2 3GPP AAA Proxy
6.2.3 3GPP AAA Server
6.2.4 HLR/HSS
6.2.5 WLAN Access Gateway
6.2.5.1 Policy Enforcement
6.2.5.2 Void
6.2.6 Packet Data Gateway
6.2.7 Subscription Locator Function (SLF)
6.2.8 Offline Charging System
6.2.9 Online Charging System
6.3 Reference Points
6.3.1 Wa reference point
6.3.1.1 General description
6.3.1.2 Functionality
6.3.2 Wx reference point
6.3.3 D'/Gr' reference point
6.3.4 Wo reference point
6.3.5 Wf reference point
6.3.6 Wg reference point
6.3.7 Wn reference point
6.3.8 Wp reference point
6.3.9 Wi reference point
6.3.10 Wm reference point
6.3.11 Wd reference point
6.3.11.1 General description
6.3.11.2 Functionality
6.3.12 Wu reference point
6.3.13 Ww reference point
6.3.13.1 General Description
6.3.13.2 Functionality
6.3.14 Dw reference point
6.3.15 Wy reference point
6.3.16 Wz reference point
6.4 Protocols
6.4.1 Remote IP Layer
6.4.2 Tunnelling layer
6.4.3 Transport IP Layer
6.5 WLAN user profile
7 Procedures
7.1 I-WLAN and VPLMN Selection Procedure
7.1.1 Initial network selection
7.1.2 Network re-selection
7.2 WLAN Access Authentication and Authorisation
7.3 Subscriber Profile Update


7.3.0 WLAN Direct Access Authorization information update procedure
7.3.1 Access and service Authorization information update procedure
7.4 Cancelling WLAN Registration
7.5 Disconnecting a Subscriber by WLAN
7.6 Disconnecting a Subscriber by Online Charging System
7.6.1 The OCS initiated WLAN AN access disconnection
7.6.2 The OCS initiated tunnel disconnection
7.7 Charging offline charged subscribers
7.8 Charging online charged subscribers
7.9 W-APN resolution and Tunnel establishment
7.9.1 Void
7.9.2 Subsequent authentication
7.9.3 Use of DNS
7.9.4 Subsequent tunnel establishment
7.10 Tunnel disconnection procedures
7.10.1 WLAN UE initiated tunnel disconnection
7.10.2 The network initiated tunnel disconnection
7.10.3 Disconnection of the last tunnel for a WLAN UE
7.11 The WLAN UE initiated WLAN AN Access disconnection
7.12 User identity to HSS resolution
7.12.1 General
7.12.2 SLF query
7.13 Disconnecting a Subscriber by the External AAA Server
7.13.1 The External AAA Server initiated tunnel disconnection
Annex A (informative): Void
Annex B (informative): Void
Annex C (informative): Possible interworking architectures between WLAN AN and PLMN
C.1 WLAN shared by (or connected to) multiple ISPs and PLMNs
C.2 Routing packets from WLAN UE when WLAN AN is connected to multiple VPLMNs/ISPs and it provides direct Internet access
C.2.1 Separating traffic for different VPLMNs
C.2.2 Routing the traffic
C.2.3 Separating traffic to different VPLMNs using a combined DNS/NAT approach


C.3 WLAN AN exclusively owned by and connected to a single PLMN
C.4 WLAN AN connected to a single ISP
Annex D (normative): Short Message Service
D.1 Architecture for support of SMS
D.2 Void
D.3 Void
Annex E (informative): Void
Annex F (normative): Information on re-using the GGSN to implement the PDG function
F.1 Introduction
F.2 Mapping between E2E tunnel and GTP tunnel
F.2.1 General
F.2.2 No re-use of policy control functionality in the GGSN
F.2.3 Re-use of policy control functionality in the GGSN
F.2.3.1 Usage of DiffServ marking of the GTP tunnel
F.2.3.2 Usage of QoS profile of the GTP tunnels
F.3 Gn' considerations
F.3.0 General
F.3.1 Interworking procedure over Gn' - Tunnel establishment procedure
F.3.2 Interworking procedure over Gn' - Tunnel disconnection procedure
F.3.2.1 UE initiated tunnel disconnection
F.3.2.2 Network initiated tunnel disconnection
F.4 Void
F.5 Tunnel Terminating Gateway (TTG) functionality
Annex G: Void
Annex H (informative): Work in other bodies
H.1 QoS Mapping
H.2 WMM specifications from Wi-Fi™ Alliance
H.3 802.1D specifications from IEEE
H.4 IR 34 specifications from GSMA
Annex I (informative): Change history


Foreword
This Technical Specification has been produced by the 3rd Generation Partnership Project (3GPP).

The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows:

Version x.y.z

where:

x the first digit:
1 presented to TSG for information;
2 presented to TSG for approval;
3 or greater indicates TSG approved document under change control.

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc.

z the third digit is incremented when editorial only changes have been incorporated in the document.


1 Scope

This document specifies system description for interworking between 3GPP systems and Wireless Local Area Networks (WLANs).

This specification is not limited to WLAN technologies. It is also valid for other IP based Access Networks that support the same capabilities towards the interworking system as WLAN does.

The intent of 3GPP-WLAN Interworking is to extend 3GPP services and functionality to the WLAN access environment. The 3GPP-WLAN Interworking System provides bearer services allowing a 3GPP subscriber to use a WLAN to access 3GPP PS based services.

This specification defines a 3GPP system architecture and procedures to do the following:

- Provide Access, Authentication and Authorisation (AAA) services to the 3GPP-WLAN Interworking System based on subscription.
- Provide access to the locally connected IP network (e.g. the Internet) if allowed by subscription.
- Provide WLAN UEs with IP bearer capability to the operator's network and PS Services, if allowed by subscription.
- Provide WLAN UEs with IP bearer capability to access IMS Emergency calls for both UICC and UICC-less cases.

2 References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

- References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.

[1] void.
[2] void.
[3] void.
[4] void.
[5] 3GPP TS 23.003: "Numbering, addressing and identification".
[6] 3GPP TS 23.040: "Technical Realisation of the Short Message Service (SMS)".
[7] 3GPP TS 23.060: "GPRS; Service description".
[8] void.
[9] 3GPP TS 24.234: "3GPP System to WLAN Interworking; UE to Network protocols; Stage 3".
[10] 3GPP TS 29.002: "Mobile Application Part (MAP) specification".
[11] void.
[12] void.
[13] 3GPP TS 32.251: "Telecommunication management; Charging management; Packet Switched (PS) domain charging".


[14] 3GPP TS 33.234: "WLAN Interworking Security".
[15] 3GPP TS 23.125: "Overall High Level Functionality and Architecture Impacts of Flow Based Charging".
[16] void.
[17] IETF RFC 4282: "The Network Access Identifier".
[18] void.
[19] IEEE Std 802.1X-2001: "IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control".
[20] IETF RFC 4284: "Identity Selection Hints for the Extensible Authentication Protocol (EAP)".
[21] IEEE Std 802.11-1999, Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, IEEE Sep. 1999.
[22] IETF RFC 4187: "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)".
[23] IETF RFC 4186: "Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)".
[24] 3GPP TS 23.228: "IP Multimedia Subsystem (IMS); Stage 2".
[25] 3GPP TS 22.234: "Requirements on 3GPP system to Wireless Local Area Network (WLAN) interworking".
[26] 3GPP TS 32.252: "Telecommunication management; Charging management; Wireless Local Area Network (WLAN) charging".
[27] 3GPP TS 32.296: "Telecommunication management; Charging management; Online Charging System (OCS) applications and interfaces".
[28] 3GPP TS 29.060: "GPRS; GTP across the Gn and Gp interface".
[29] 3GPP TS 23.008: "Organization of subscriber data".
[30] 3GPP TR 21.905: "Vocabulary for 3GPP Specifications".
[31] 3GPP TS 23.002: "Network architecture".
[32] IETF RFC 4739: "Multiple Authentication Exchanges in the Internet Key Exchange (IKEv2) Protocol".
[33] 3GPP TS 23.107: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Quality of Service (QoS) concept and architecture".
[34] IEEE 802.1D, 1998 Edition (ISO/IEC 15802-3:1998): "IEEE Standard for Information technology--Telecommunications and information exchange between systems--IEEE standard for local and metropolitan area networks--Common specifications--Media access control (MAC) Bridges".
[35] IEEE 802.11e: "IEEE Standard for Information Technology - Telecommunications and Information Exchange Between Systems - Local and Metropolitan Area Networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications - Amendment: Medium Access Method (MAC) Quality of Service Enhancements".
[36] 3GPP TS 23.203: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Policy and Charging Control Architecture".
[37] IETF RFC 2475: "An Architecture for Differentiated Services".

3GPP

$elease %%

%*

3GPP TS &3'&3( )%%'*'* !&*%&+*,"

I39J I3CJ

&2T7 /71 *;8;F K:efinition of the :ifferentiated "ervices 7ield (:" 7ield) in the &Pv; and &PvA >eadersK. 3GPP T" *3.*+;F K3rd Generation Partnership ProjectG Technical "pecification Group "ervices and "ystem .spectsG "upport of "M" and MM" over eneric 3GPP &P accessK.

3 Definitions, symbols and abbreviations

3.1 Definitions
For the purposes of the present document, the terms and definitions defined in TR 21.905 [30] and the following apply:

Available SSID: An SSID that the WLAN UE has found after active and/or passive scanning which meets certain conditions as specified in IEEE 802.11 [19].

3GPP - WLAN Interworking: Used generically to refer to interworking between the 3GPP system and the WLAN family of standards. Annex B includes examples of WLAN Radio Network Technologies.

3GPP WLAN QoS Profile: 3GPP defined QoS profile for I-WLAN access.

Differentiated Services Field (DS Field): The IPv4 header TOS octet or the IPv6 Traffic Class octet when interpreted in conformance with the definition given in IETF RFC 2474 [38].

External AAA Server: The AAA Server is located in the external packet data networks. The PDG interworks with the External AAA Server via the Wi reference point.

External IP Network/External Packet Data Network: An IP or Packet Data network with access provided by the 3GPP - WLAN Interworking, rather than directly from the WLAN AN.

Home WLAN: A WLAN which interworks with the HPLMN without using a VPLMN.

Interworking WLAN (I-WLAN): A WLAN that interworks with a 3GPP system.

I-WLAN selection: Procedure to select a specific I-WLAN from the available I-WLANs.

Local Service Identifier: An identifier used within the 3GPP system for a service available directly from the I-WLAN, for example Internet access or access to a specific corporate network.

Offline charging: Mechanism for collecting and forwarding charging information concerning I-WLAN and core network resource usage without affecting the service rendered in real-time.

Online charging: Mechanism for collecting and forwarding charging information concerning I-WLAN and core network resource usage where the service may be affected in real-time.

Policy Enforcement: Functionality implemented in a WAG to ensure packets coming from or going to the WLAN AN are allowed based on unencrypted data within the packets (e.g. source and destination IP address and port number).

Private network access from WLAN 3GPP IP Access: UE access to an external IP network via a PLMN via a tunnel. This is one of the WLAN 3GPP IP access. While the WLAN 3GPP IP access only performs user authentication and authorization with 3GPP AAA server, this access performs authentication and authorization with external server via PDG in addition to the authentication and authorization with 3GPP AAA server.

PS based services: General term to refer to the services provided by a PLMN using the IP bearer capability between WLAN UEs and the PLMN when WLAN 3GPP IP Access is used. Examples include bearer services such as Internet access, and Corporate IP network access and higher level services such as SMS and LCS.

Requested W-APN: The W-APN requested by the user.

Routing Enforcement: Routing Enforcement ensures all packets sent to/from the WLAN UE for 3G PS based service are routed to the interworking VPLMN (roaming case) or HPLMN (no roaming case). Routing Enforcement is implemented between a WLAN AN and a WAG.

Selected W-APN: The W-APN selected by the network as a result of the WLAN UE subscriber request.

Service Authorization: Authorization allowing a subscriber to access the requested service based on subscription.

Tunnel Identifier: Identifier of a tunnel between a WLAN UE and a PDG. It is contained in the unencrypted part of a packet.

User Identifier: Identifier of a user which may be used, for example, in charging functionality.

WLAN Access Point Name (W-APN): Is used to identify a specific IP network and a point of interconnection to that network (Packet Data Gateway).

WLAN 3GPP IP Access: Access to an IP network via a PLMN via a tunnel. A related term is WLAN Direct IP Access.

WLAN coverage: The area where a WLAN UE can connect to a WLAN.

WLAN Direct IP Access: Access to an IP network directly from a WLAN AN without passing data to a PLMN via a tunnel. A related term is WLAN 3GPP IP Access.

WLAN UE's local IP address: The address used to deliver a packet to a WLAN UE in a WLAN AN. It identifies the WLAN UE in the WLAN AN. The WLAN UE's local IP address may be translated by a Network Address Translation prior to being received by any other IP network, including a PLMN.

WLAN UE's remote IP address: The address used by the data packet encapsulated inside the WLAN UE to PDG tunnel. It represents the address of the WLAN UE in the network which the WLAN UE is accessing via the PDG.

3.2 Symbols
For the purposes of the present document the following symbols apply:

D'    Reference point between a pre-R6 HSS/HLR and a 3GPP AAA Server
Dw    Reference point between a 3GPP AAA Server and an SLF
Gr'   Reference point between a pre-R6 HSS/HLR and a 3GPP AAA Server
Wa    Reference point between a WLAN Access Network and a 3GPP AAA Server/Proxy (charging and control signalling)
Wd    Reference point between a 3GPP AAA Proxy and a 3GPP AAA Server (charging and control signalling)
Wf    Reference point between an Offline Charging System and a 3GPP AAA Server/Proxy
Wg    Reference point between a 3GPP AAA Server/Proxy and WAG
Wi    Reference point between a Packet Data Gateway and an external IP Network
Wm    Reference point between a Packet Data Gateway and a 3GPP AAA Server or 3GPP AAA proxy
Wn    Reference point between a WLAN Access Network and a WLAN Access Gateway
Wp    Reference point between a WLAN Access Gateway and a Packet Data Gateway
Wo    Reference point between a 3GPP AAA Server and an OCS
Wu    Reference point between a WLAN UE and a Packet Data Gateway
Ww    Reference point between a WLAN UE and a WLAN Access Network
Wx    Reference point between an HSS and a 3GPP AAA Server
Wy    Reference point between a PDG and an OCS
Wz    Reference point between a PDG and an Offline Charging System

3.3 Abbreviations

AAA       Authentication, Authorisation and Accounting
ACL       Access Control List
AKA       Authentication and Key Agreement
AP        Access Point
APN       Access Point Name
CoS       Class of Service
DHCP      Dynamic Host Configuration Protocol
DNS       Domain Name System
DSCP      DiffServ Code Point
EAP       Extensible Authentication Protocol
FQDN      Fully Qualified Domain Name
GGSN      Gateway GPRS Support Node
GTP       GPRS Tunnelling Protocol
HLR       Home Location Register
HPLMN     Home PLMN
HSS       Home Subscriber Server
IEEE      Institute of Electrical and Electronics Engineers
IP        Internet Protocol
IP-SM-GW  IP Short Message Gateway
ISP       Internet Service Provider
I-WLAN    Interworking WLAN
NAI       Network Access Identifier
NAT       Network Address Translation
OCS       Online Charging System
PDA       Personal Digital Assistant
PDG       Packet Data Gateway
PLMN      Public Land Mobile Network
SIM       Subscriber Identity Module
SSID      Service Set IDentifier
UE        User Equipment
UMTS      Universal Mobile Telecommunications System
USIM      UMTS SIM
SSID      Service Set IDentifier
VLAN      Virtual Local Area Network
VPLMN     Visited PLMN
WAG       WLAN Access Gateway
W-APN     WLAN APN
WLAN      Wireless Local Area Network
WLAN AN   WLAN Access Network
WLAN UE   WLAN User Equipment
WMM       Wi-Fi(TM) Multimedia

4 WLAN Radio networks interworking with 3GPP

This specification defines two new procedures in the 3GPP System:
- WLAN Access, Authentication and Authorisation, which provides for access to the WLAN and the locally connected IP network (e.g. Internet) to be authenticated and authorised through the 3GPP System. Access to a locally connected IP network from the WLAN is referred to as WLAN Direct IP Access.
- WLAN 3GPP IP Access, which allows WLAN UEs to establish connectivity with External IP networks, such as 3G operator networks, corporate Intranets or the Internet via the 3GPP system.

WLAN 3GPP IP Access should, as far as possible, be technically independent of WLAN Access Authentication and Authorisation. However, WLAN 3GPP IP Access to External IP Networks from 3GPP-WLAN Interworking Systems shall be possible only if WLAN Access Authentication/Authorisation has been completed first.

NOTE: The independence requirement does not preclude the possibility that the procedure WLAN 3GPP IP Access may rely on information derived in the procedure for WLAN Access Authorization.

Figure 4.1 illustrates WLAN networks from the point of view of 3GPP interworking. The Packet Data Gateway supports WLAN 3GPP IP Access to External IP networks. The WLAN includes WLAN access points and intermediate AAA elements. It may additionally include other devices such as routers. The WLAN User Equipment (WLAN UE) includes all equipment that is in possession of the end user, such as a computer, WLAN radio interface adapter etc.

[Figure: WLAN UE; WLAN Access Network with or without an intermediate network; 3GPP Network with 3GPP AAA Server and Packet Data GW; Intranet / Internet; 3GPP PS services (including access to internet); WLAN 3GPP IP Access]

Figure 4.1: Simplified WLAN Network Model. The shaded area refers to WLAN 3GPP IP Access functionality

As 3GPP-WLAN interworking concentrates on the interfaces between 3GPP elements and the interface between the 3GPP system and the WLAN, the internal operation of the WLAN is only considered in order to assess the impact of architecture options/requirements on the WLAN. 3GPP-WLAN interworking shall be independent of the underlying WLAN Radio Technology.

5 High-level Requirements and Principles

5.1 Access Control

Access Control is the capability to permit or deny a subscriber the use of a resource, in this case the WLAN and/or the interworking to the 3GPP system. The following functional requirements and principles have guided the development of this standard with regard to Access Control.

5.1.1 WLAN Impacts

The following requirements should be satisfied by the WLAN 3GPP Interworking function with regard to the WLAN itself:
- Legacy WLAN terminals should be supported. However software upgrades may be required for e.g. to access a (U)SIM.
- Existing client hardware and software should be used where ever possible
- Minimal impact on existing WLAN networks.
- The need for operators to administer and maintain WLAN UE software shall be minimized.
- Methods for key distribution to the WLAN access network to allow secure tunnels to be established shall be supported. Note: This does not mean Wireless Equivalent Privacy (WEP) keys in the case of a 802.11 network.
- WLAN Access Authorization shall occur upon the success of the authentication procedure. It may take into account the user's subscription profile and optionally information about the WLAN AN, such as WLAN AN operator name, WLAN AN location information (e.g., country, telephone area code, city), WLAN AN throughput (e.g., maximum and minimum bandwidth guarantees for both ingress and egress traffic).
- Results of WLAN Access Authorization requests shall be indicated to the WLAN, so that the WLAN can take appropriate action.

- It shall be possible to indicate to the user the results of authorization requests.
- The WLAN Access Authorization mechanism shall be able to change service provisioning dynamically, and inform the user and WLAN of any change.
- Transporting Authentication signalling over WLAN Radio Interface: WLAN authentication signalling is carried between WLAN UE and WLAN AN by WLAN Access Technology specific protocols. To ensure multivendor interoperability these WLAN technology specific protocols shall conform to existing standards of the specific WLAN access technology.
- Transporting Authentication signalling between WLAN AN and 3GPP network: WLAN Authentication signalling shall be transported between any WLAN AN and 3GPP network by a standard protocol, which is independent of the specific WLAN technology utilised within the WLAN Access network.
- Changes to the WLAN required to support IMS Emergency Calls should be supported, although these changes are to be minimized.

5.1.2 Existing 3GPP Element Impacts

The following requirements should be satisfied by the 3GPP-WLAN Interworking System function with regard to existing 3GPP network elements:
- Existing SIM and USIM shall be supported. Authentication shall rely on (U)SIM based authentication mechanisms.
- R6 USIM may include new functionality if necessary e.g. in order to improve privacy.
- Changes in the HSS/HLR/AuC shall be minimized.
- The Service Location Function (SLF) node shall be used in the same way as defined in TS 23.228 [24] to find the address of a subscriber's HSS, if necessary.
- The WLAN connection established for a 3GPP subscriber shall have no impact to the capabilities of having simultaneous PS and CS connections for the same subscriber (e.g. the HLR/HSS shall not deregister a PS subscriber when the UE registers on a WLAN).
- This TS proposes solutions for operators who want to interwork their WLAN with an existing pre-R6 HLR/HSS.
- IMS Emergency Calls over I-WLAN shall be supported in this release. This includes also the case of UICC-less UE.

5.1.3 Requirements for WLAN Direct IP Access

The following requirements should be satisfied by the WLAN 3GPP-WLAN Interworking function with regard to allowing direct access to the IP network to which the WLAN is connected (e.g. the Internet):
- A WLAN supporting both WLAN Direct IP Access and WLAN 3GPP IP Access shall be able to support a WLAN UE operating in the WLAN Direct IP Access mode only, e.g. according to subscription.

5.1.4 Requirements for WLAN 3GPP IP Access

The following requirements should be satisfied by the WLAN 3GPP-WLAN Interworking function with regard to allowing access to a WLAN 3GPP IP network (e.g. the operator's intranet which allows IMS access):
- Service Authorization for 3GPP services shall occur after successful Authentication.
- It shall be possible to use Service Based Policy Control.
- Access to 3GPP PS based services shall be provided via WLAN. The interworking architecture shall provide IP connectivity to be able to support all 3GPP PS based services. 3GPP PS based services which use more than IP connectivity (e.g. SMS, MMS, MBMS) could require additional entities and interfaces not specified in this document. Depending on operator's policy, it shall also be possible to access 3GPP PS based services via the Internet (noting that the access to the Internet in this case may or may not be via WLAN Direct IP Access).

- Quality of Service shall be supported when accessing these services via WLAN, although some limitations may exist because of the WLAN AN.
- A combined access capable user with the subscription for both services should be able to choose between "WLAN Direct IP Access only" or "WLAN 3GPP IP Access". The WLAN UE shall be able to detect if a 3GPP-WLAN does not support access to 3GPP PS based services.
- Data flows must be able to be routed to the HPLMN or the VPLMN, e.g. according to subscription. The enforcement of this routing shall not rely on the WLAN UE client.

NOTE: This routing enforcement may require additional functionality in the WLAN AN

- End to End Authentication: WLAN Authentication signalling is executed between WLAN UE and 3GPP AAA Server for the purpose of authenticating the end-user and authorizing the access to the WLAN and 3GPP network. Details of End-to-End Authentication are covered in TS 33.234 [14].
- Service Selection and Authorisation: The solution shall include means for securely delivering service selection information from the WLAN UE to the 3GPP AAA Server in the Home Network. If a user chooses to access the Internet directly using the local IP network, no service selection information is passed to the PLMN. In all other cases, where WLAN 3GPP IP Access is desired, the service selection information shall contain the name of the W-APN to which access is requested. The 3GPP AAA Server in the Home network shall verify the user's subscription to the indicated W-APN against the subscriber profile retrieved from HSS. The 3GPP AAA Server selects a W-APN based on the requested W-APN and on the user's subscription/local policy.
- The service request shall be indicated by a tunnel establishment request from the WLAN UE to the PDG. The PDG shall then seek authentication/authorisation from the 3GPP AAA Proxy or Server in the same network.
- The results of the authorisation decision shall be communicated to the Visited Network. All subscription-based authorisation decisions are made in the Home network.
- In the case of a request for access to services provided in the Visited Network, the 3GPP AAA Proxy shall also authorise access based on local policy.

5.1.4.1 Requirement for private network access from WLAN 3GPP IP Access

The following requirements should be satisfied by the WLAN 3GPP-WLAN Interworking function with regard to allowing private network access from WLAN 3GPP IP Access:
- Confidentiality of ID and password used for authentication and authorization by PDN service provider shall be possible.
- It shall be possible that PAP and CHAP capability with existing RADIUS protocol between PDG and external RADIUS server in PDN is utilized.
- Duration of tunnelling establishment should be as short as possible.
- Impact to UE or PDG should be as small as possible.

5.1.4.2 Requirements for Support of IMS Emergency Calls

The following requirements shall be satisfied by the WLAN 3GPP-WLAN Interworking function with regard to support for IMS Emergency Calls:
- Service Selection and Authorisation: The WLAN UE shall be able to ask for IMS Emergency Call Service in tunnel establishment via an IMS Emergency Call specific W-APN for this purpose. The PDG shall then seek authentication/authorisation from the 3GPP AAA Proxy or Server in the same network. No service subscription shall be necessary for the user to gain access to the IMS Emergency Call W-APN i.e. the 3GPP AAA Server in the Home network does not need to verify the user's subscription to the indicated W-APN against the subscriber profile retrieved from HSS.
- End to End Authentication: Based on the national regulations and operator's policy, WLAN Authentication signalling between WLAN UE and 3GPP AAA Server for the purpose of authenticating the end-user and authorizing the access to the WLAN and 3GPP network may be skipped. Details of End-to-End Authentication are covered in TS 33.234 [14]. For the UICC-less case, it shall be possible to either (i) skip authentication or (ii) use a dummy or null authentication method.
- The results of the authorisation decision shall be communicated to the VPLMN and the WLAN AN.

5.1.5 WLAN Access Authorization

WLAN Access Authorization defines the process(es) in 3GPP AAA Server verifying whether WLAN Access should be allowed to a subscriber and deciding what access rules/policy should be applied to a subscriber. It is the stage after access authentication, but before service authorisation and WLAN UE's local IP address allocation.

After the authentication process succeeds, there could be additional conditions for the 3GPP AAA Server to decide whether the access is allowed and what access rules/policy should be applied. These conditions may be based on the subscriber's profile, the account status, O&M rules, local agreements or information about the WLAN AN.

The procedure for WLAN Access Authorization between the WLAN UE and the 3GPP AAA Server is combined with the WLAN Access Authentication.

Access rules/policy decided by the 3GPP AAA Server may be deployed in the 3GPP AAA Server, or/and in other entities such as the WAG or the WLAN AN.

Access rules/policy may include access scope limitation, time limitation, bandwidth control values, and/or user priority. WLAN Access rules/policy should be specified by the home and/or visited operator based on the subscriber's profile, the account status, O&M rules (e.g. blacklist, access limitation list), and local agreements. Factors such as access time and access location could also be considered in these rules.

The access scope limitation could be, for example, only/not/may "access through WAG"; only/not/may "access intranet X". Access scope limitation can be achieved using IP allocation scheme, VLAN allocation, Filtering, ACLs in the routers and switches, or other methods.

Different access priority or the range of priorities may be authorized for different subscribers, and/or for one subscriber based on different access time or location, etc.

The UE should be able to indicate in the access authorization procedure that the user is connecting in order to make an IMS Emergency Call. The 3GPP AAA Server shall in that case be able to deploy access rules and policy to restrict the user to only that service.

5.1.6 3GPP WLAN Attach

3GPP WLAN attach status indicates whether the WLAN UE is now being served by the 3GPP-WLAN Interworking System.

A WLAN UE is "WLAN-attached" after successful authentication and WLAN Access Authorization.

A WLAN UE is "WLAN-detached" in 3GPP network after its disconnection, or its authentication or WLAN Access Authorization being cancelled.

The WLAN-attach status is maintained by the 3GPP AAA Server.

The WLAN UE's WLAN attach status should be obtained from the 3GPP AAA Server directly or through the HSS, by other entities in the 3GPP or 3GPP connected network.

Other entities in the 3GPP network obtain the WLAN UE's WLAN-attach status directly from the 3GPP AAA Server or through the HSS. These entities and the corresponding reference points are not in the scope of this TS.

The description of the corresponding status in the WLAN UE is out of the scope of this TS.


5.2 Void

5.3 User Identity

5.3.1 General
The network authentication procedure is based on the use of EAP method where user identification is based on Network Access Identifier (NAI), whose format is specified in RFC 2486 [17]. A NAI is composed of a username part and a realm part.

In the following, the term of 'identity' includes both the NAI username part and the realm part, while the term of 'username' only refers to the NAI username part.

5.3.2 NAI Username

The NAI username part format shall comply with IETF EAP-SIM [23] and EAP-AKA [22]. Three types of usernames are:
1. a Permanent username;
2. a Pseudonym username;
3. a Fast re-authentication username.

Both of the Pseudonym and the Fast re-authentication usernames are used in temporary identities, but the purpose and usage of them are different. The first two types of usernames are only used on full authentication and the last one only on fast re-authentication.

The Permanent username, which is specified in IETF EAP-SIM [23] and EAP-AKA [22], shall be derived from IMSI, which resides in the UICC. Details of these are covered in TS 33.234 [14], TS 24.234 [9] and TS 23.003 [5].

For the case of UICC-less IMS Emergency Call, an identifier of the UE (e.g. IMEI) should be used as the permanent username.

NOTE: The permanent username is not used for authentication in case of UICC-less IMS emergency calls.

The Pseudonym username is used for user identity protection. The use of the Pseudonym username is necessary to replace the Permanent username derived from IMSI in radio transmissions, so that it protects the user against tracing from unauthorized access networks.

The Fast re-authentication username is used in fast re-authentication. It also provides user identity protection. For the fast re-authentication, a WLAN UE shall use the previously allocated Fast re-authentication identity as specified in the IETF EAP-SIM [23] and IETF EAP-AKA [22] RFCs.

Temporary identities (pseudonyms and fast re-authentication identities) are allocated by the 3GPP AAA Server. The format and the procedure for deriving the temporary identities are defined in TS 33.234 [14].

5.3.3 NAI Realm Name

The NAI realm name shall be in the form of an Internet domain name as specified in RFC 1035 and shall identify the user's HPLMN, based on its MCC and MNC. Details on NAI realm construction are specified in TS 23.003 [5].

5.3.4 NAI decoration for roaming

A roaming NAI is constructed when the WLAN UE authenticates through a VPLMN. The WLAN UE shall indicate in the NAI both the user's HPLMN and the chosen VPLMN, based on their MCC and MNC. The details on Roaming NAI construction are specified in TS 23.003 [5].


5.3.5 NAI decoration for IMS Emergency Call Service

For IMS Emergency Calls, IMS Emergency Call Service specific realms within the PLMN shall be defined. When requesting an emergency service, realm should be decorated with this service part. The details on IMS Emergency Call NAI construction are specified in TS 23.003 [5].

5.4 Network Advertisement and Selection

5.4.1 Description of the issue
If the WLAN radio technology allows for features enabling radio access network sharing or provider selection these shall be reused for WLAN Access Network (WLAN AN) selection in 3GPP-WLAN interworking.

In addition to WLAN Access Network selection, the WLAN UE may need to select a VPLMN through which to authenticate, if more than one is available through the chosen radio network. A WLAN UE may need to select a PLMN within which IMS Emergency Calls are supported.

WLAN Access Network advertisement and selection depends on the particular WLAN technology.

VPLMN advertisement and selection should be independent of WLAN technology.

The generic Network Advertising and Selection scenario is illustrated in figures 5.1 and 5.2.

[Figure: UE; WLAN AN; 3GPP Visited Network #1, 3GPP Visited Network #2, ..., 3GPP Visited Network #n; 3GPP Home Network]

Figure 5.1: Network Advertising and Selection Scenario

An area is shown covered by a WLAN Access Networks having a set of roaming agreements with different 3G networks (3GPP Visited Network #1, #2, ..., #n). A WLAN UE entering the WLAN AN wants to connect to his own 3GPP Home Network to which he is a subscriber (as shown in figure 5.1). Referring to the figure the user subscribing to the services provided to the 3GPP Home Network can reach the associated home network in two different ways, e.g. via either of 3GPP Visited Network #1 or 3GPP Visited Network #2.


[Figure: UE; WLAN AN#1, WLAN AN#2, ..., WLAN AN#n; 3GPP Visited Network #1, 3GPP Visited Network #2, ..., 3GPP Visited Network #n; 3GPP Home Network]

Figure 5.2: Network Advertising and Selection Scenario

Another scenario is represented by an area covered by some WLAN Access Networks (WLAN AN#1, #2, ..., #n) having a set of roaming agreements with different 3G networks (3GPP Visited Network #1, #2, ..., #n) and where one of the WLAN Access Network has a directly roaming agreement with the 3GPP Home network or the WLAN Access Network is directly deployed by the 3GPP Home network. A WLAN UE entering the area wants to connect to his own 3GPP Home Network to which he is a subscriber (as shown in figure 5.2). Referring to the figure the user subscribing to the services provided to the 3GPP Home Network can reach the associated home network in three different ways, e.g. via WLAN AN#1 then through either of 3GPP Visited Network #1 or 3GPP Visited Network #2, or via WLAN AN#2.

5.4.2 I-WLAN Access Network Advertisement and Selection

5.4.2.1 Case of IEEE 802.11 WLANs

5.4.2.1.1 General

The following principles shall apply:
- Require no modifications of existing legacy APs.
- Have no impact on existing legacy clients (implies no modification of current broadcast SSIDs).
- Have low latency and overhead.
- The WLAN UE should be able to select the I-WLAN Access Network supporting the preferred PLMN.

In the case of IEEE 802.11 WLANs:
- Modification of current broadcast SSIDs shall not be required;
- Active scanning should be supported by the WLAN UE;
- Passive scanning shall be supported by the WLAN UE;
- Multiple SSIDs may be supported (i.e. only standard 802.11 capable APs are required).


5.4.2.1.2 WLAN Access Network Advertisement

A WLAN network name is provided in WLAN beacon signal in so-called SSID (Service Set ID) information element. There is also the possibility for a WLAN UE to actively solicit support for specific SSIDs by sending a probe request message and receive a reply if the access point does support the solicited SSID. Active and passive scanning are defined in IEEE 802.11 [21].

A WLAN AN may indicate that it provides 3G interworking without the involvement of any other network than the WLAN AN.

The above requirement may be met through explicit EAP-based procedures or through the generic Preferred SSID list procedures - for example Preferred SSID lists could include SSID formats defined by operators for the above purposes.

For the case of EAP based procedures, WLAN should be able to indicate which PLMNs explicitly support IMS Emergency Call service (via service specific realms).

NOTE: The definition of the service specific realm for IMS emergency calls is FFS.

5.4.2.1.3 I-WLAN Access Network Selection

For purpose of selecting the preferred I-WLAN AN the WLAN UE may contain lists of I-WLAN identities' preferences. One list will contain the SSIDs preferred by the Home Network operator and one list contains the SSID's preferred by the user. The Operator's preferred SSID list would be populated, for example, with the SSIDs commonly used by major hotspot operators with whom the Home Operator has a direct or indirect (through VPLMN in a roaming case) relationship.

There are two modes in network selection, i.e. Manual mode and automatic mode.

Manual mode

In the manual mode, the WLAN UE shall try to find all available SSIDs through passive scanning and/or active scanning (when it is supported). Once a list of all available SSIDs has been obtained, it shall be possible for the WLAN UE to obtain a list of all available PLMNs from each SSID. When a list of PLMNs has been obtained from all SSIDs it shall present them to the user to select one. The WLAN UE shall then associate with the SSID that supports the PLMN that is selected by the user.

Automatic mode

In the automatic mode the procedure is as follows:

0. The WLAN UE scans for all available SSID using passive scan and/or active scans. If the WLAN UE contains the I-WLAN identities' preference lists, the scan should be done in the order of these lists. It is not required to continue the scanning after the highest priority SSID is found.

1. Start association and perform Network Discovery. When there is more than one available SSID and the WLAN UE contains I-WLAN identities' preference lists, the association shall be done in the order of these lists.

1a) If authentication to HPLMN succeeds (i.e. EAP-Success is received), then stop this procedure.

1b) If Network Advertisement information [20] is received (i.e. EAP-Identity/Request is received), then store the list and start again step 1.

Repeat step 1 for all available SSIDs.

If the scanning in step 0 was stopped due to the discovery of the highest priority SSID, but the HPLMN has not been found (e.g. because the SSID list is not updated or the selected SSID was a fake one), then the user should go back to step 0 and scan for all remaining SSIDs.

Note that if an AP supporting HPLMN is found in the middle of the procedure, step 1a, then step 1 is stopped and association with the remaining available APs will not take place.

2. Use the lists of 'User Controlled PLMN Selector list for I-WLAN' and 'Operator Controlled PLMN Selector list for I-WLAN' and the lists from step 1b) to select the best matching PLMN. Note that the 'User Controlled PLMN Selector list for I-WLAN' has higher priority than the 'Operator Controlled PLMN Selector list for I-WLAN'.

Then select the I-WLAN AN that supports the best match PLMN. If more than one I-WLAN AN supports the best matched PLMN, the I-WLAN AN having the highest priority SSID is selected, if 'I-WLAN identities' preference lists are available.

3. Associate with the AP selected in step 2 and attempt authentication with the best match PLMN.

A WLAN AN may indicate that it provides 3G interworking without the involvement of any other network than the WLAN AN. If such an indication is provided by the WLAN AN and if the WLAN UE supports the indication, then the WLAN UE shall use it at SSID selection as defined in TS 24.234 [9].

The above requirement may be met through explicit EAP-based procedures or through the generic 'I-WLAN identities' preference lists procedures - for example I-WLAN identities preference lists could include SSID formats defined by operators for the above purposes.

NOTE: These selection procedures may have to be modified for the IMS Emergency Call case.
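The automatic-mode procedure above, sketched as an added Python example (it is not part of the 3GPP specification). The SSID names, PLMN labels and the `ENV` table standing in for association and EAP outcomes are constructed; the sample includes the case where the highest-priority SSID does not reach the HPLMN and the remaining SSIDs must be scanned.

```python
HPLMN = "HOME-PLMN"  # constructed label standing in for the home PLMN identity

# Constructed radio environment: what each visible SSID answers when the UE
# associates and authenticates with its initial (home-realm) NAI.
ENV = {
    # Name is on the preference list, but the AP cannot reach the HPLMN
    # (stale list entry or an AP that merely reuses the name).
    "OperatorHotspot": {"hplmn_auth_ok": False, "advertised_plmns": []},
    "CafeNet": {"hplmn_auth_ok": False,
                "advertised_plmns": ["VPLMN-A", "VPLMN-B"]},
    "AirportWiFi": {"hplmn_auth_ok": False,
                    "advertised_plmns": ["VPLMN-B", "VPLMN-C"]},
}


def scan(env, ssid_prefs, stop_at_top):
    """Scan step: visible SSIDs, preference-list entries first, in list order."""
    preferred = [s for s in ssid_prefs if s in env]
    if stop_at_top and preferred:
        return preferred[:1]  # scanning may stop at the highest-priority hit
    return preferred + [s for s in env if s not in preferred]


def probe(env, ssid):
    """Association step for one SSID: returns the EAP outcome and PLMN list."""
    ap = env[ssid]
    if ap["hplmn_auth_ok"]:
        return "EAP-Success", []
    # The first-hop AAA could not route the NAI: network advertisement.
    return "EAP-Identity/Request", list(ap["advertised_plmns"])


def select_network(env, ssid_prefs, user_plmns, operator_plmns):
    """Return {'ssid', 'plmn', 'via'} for the chosen network, or None."""
    adverts, tried = {}, set()
    # First pass may stop scanning early; the second pass is the fallback
    # scan of all remaining SSIDs when the HPLMN was not found.
    for stop_at_top in (True, False):
        for ssid in scan(env, ssid_prefs, stop_at_top):
            if ssid in tried:
                continue
            tried.add(ssid)
            outcome, plmns = probe(env, ssid)
            if outcome == "EAP-Success":      # HPLMN reached: stop (step 1a)
                return {"ssid": ssid, "plmn": HPLMN, "via": "1a"}
            adverts[ssid] = plmns             # store the list (step 1b)

    def ssid_rank(ssid):
        return ssid_prefs.index(ssid) if ssid in ssid_prefs else len(ssid_prefs)

    # Best-match PLMN: the user-controlled list outranks the operator list.
    for plmn in list(user_plmns) + list(operator_plmns):
        supporting = [s for s, advertised in adverts.items() if plmn in advertised]
        if supporting:
            # Several ANs support it: take the highest-priority SSID.
            return {"ssid": min(supporting, key=ssid_rank), "plmn": plmn, "via": "3"}
    return None


if __name__ == "__main__":
    prefs = ["OperatorHotspot", "AirportWiFi"]
    print(select_network(ENV, prefs, ["VPLMN-C"], ["VPLMN-A", "VPLMN-B"]))
```

The early stop on a preferred SSID name costs only one failed attempt here because a successful HPLMN authentication, not the SSID string, is what ends the procedure.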

5.4.2.2 Case of other WLANs

Other Access Network Technologies are not described in this TS but not excluded.

5.4.3 PLMN Advertisement and Selection

5.4.3.1 General

The following principles shall be used in PLMN Advertisement and Selection:

- This procedure takes place after association with an AP
- The user shall be able to select the Visited Network
- Use the NAI for routing of AAA messages.
- Have low latency and overhead.
- Use existing EAP mechanisms, if possible.
- Be extensible to permit advertisement of WLAN characteristics other than the PLMNIDs of roaming partners.

5.4.3.2 Network Advertisement

Network advertisement information enumerates the roaming partners and associated NAI realms. This information shall be provided to the WLAN UE when the WLAN is unable to route an authentication request from the WLAN UE based on the initial NAI (e.g. when the WLAN AN receives a NAI with an unknown realm) and when the WLAN UE explicitly requests Network advertisement information.

The network advertisement information is returned from the first hop AAA functionality. The first hop AAA functionality may be located either in the WLAN AN or in the PLMN in case no AAA functionality is in the WLAN AN. The provisioning of this AAA functionality is an implementation issue and does not put new requirements on 3GPP AAA Proxy/Server.

Details on the usage and coding of Network advertisement information are included in TS 24.234 [9].

In order to support IMS Emergency Call service, this information shall contain an indicator showing those PLMNs that support IMS Emergency Call service.

5.4.3.3 Network Selection

The automatic and manual mode PLMN selection procedures are defined in TS 22.234 [25]. The detailed procedure in case of IEEE 802.11 WLAN is described in 5.4.2.

The WLAN UE shall indicate its home network through the use of an initial NAI. The realm part of this initial NAI shall be derived from the IMSI, as described in section 5.3.3. Optionally, if there is preference for a roaming network, the initial NAI then takes the form of a Roaming NAI, as described in section 5.3.4; e.g., for optimizing user access experience in re-access case, the WLAN UE may include information of preferred roaming network from previous successful authentication while it is associated to the same AP. For IMS Emergency Call case, NAI shall be decorated as described in 5.3.5.

For the manual selection case allowed by some operator, initial NAI can include the roaming network decided by the user, e.g. using a preferred PLMN list stored in the UICC.

If the WLAN AN is able to route authentication request based on the initial NAI, then no special processing for network advertisement/selection is needed.

If the WLAN AN is unable to route authentication request from WLAN UE based on the initial NAI, the WLAN AN shall deliver the network advertisement information to the WLAN UE. The WLAN UE processes this information according to its internal roaming preference policies or prompts the user to select a VPLMN preference. It uses the result to determine how to construct a new NAI indicating the selected VPLMN, according to Section 5.4.2.

After the network advertisement information is delivered and VPLMN selection is performed, the WLAN UE attempts to authenticate with the new NAI determined in the prior step. The WLAN AN shall use the NAI to route the AAA traffic to the appropriate VPLMN AAA Proxy.

5.5 Authentication methods

Authentication methods are discussed in TS 33.234 [14].

5.6 Service Authorization Principles for WLAN 3GPP IP Access

The home network decides whether visited service is allowed or not based on e.g. W-APN, the user subscription information, visited network capabilities and roaming agreement.

5.6.1 Accessing Home Network provided services

The following functionality and requirements have been identified:

- It shall be possible to support multiple service authorizations after successful authentication.
- The Service authorisation procedure should, as far as possible, be independent from WLAN Access authentication and authorisation.
- The routing policy applied at WLAN Access Authentication and Authorisation may include policy determining whether the user has IP connectivity to the PDGs used for access to external IP networks.
- It shall be possible to permit access to different services simultaneously.
- It shall be possible to provide IP related configuration parameters to the WLAN UE during or after successful service authorisation. These configuration parameters may include e.g. the WLAN UE's remote IP address and addresses of DHCP and DNS servers in the HPLMN.
- Service authorization information shall be protected.

The Access Point Name (APN) concept defined in TS 23.003 [5] shall be used for WLAN interworking authorization (namely W-APN). In a service authorization procedure:

- W-APN selection and authorization is an end-to-end procedure between the WLAN UE and the HPLMN (the service authorization decision is made by the 3GPP AAA Server based on the requested W-APN and subscription information retrieved from the HSS/HLR, which includes e.g. the subscribed W-APNs).
- The WLAN UE shall use W-APN to indicate to the network the service or set of services it wants to access.
- The PDG selection shall be performed under control of the 3GPP Home Network by means of answers to DNS queries for the requested W-APN. The selection is based on the requested W-APN and user subscription information. The WLAN UE shall choose an IP address of the PDG, if there is more than one PDG address in the answer to the DNS queries. The mechanism to select the PDG by the home network is out of scope of this specification, since it depends on the operator's preference.
- The PDG needs to know the authorized W-APN to select the external network, i.e. Wi interface.

For the case of IMS Emergency Calls, there shall be W-APN indicating the IMS Emergency Call service. No subscription is needed to access this service.

5.6.2 Accessing Visited Network provided services

When accessing visited network provided services, additional principles below apply:

- In order for the WLAN UE to be able to use W-APNs in the VPLMN, the 3GPP AAA Server needs to pass to the 3GPP AAA Proxy the authorized W-APN and service related information which is required by the Visited Network to perform the service.
- The W-APN needs to be understood by both the Home and the Visited Networks.
- The V-PDG selection shall be under control of the 3GPP Visited Network by means of answers to DNS query for the requested W-APN. The selection is based on the authorized W-APN and service related information. The WLAN UE shall choose the IP address of the PDG if there is more than one PDG address in the answer to DNS query. The mechanism to select the V-PDG by the Visited Network is out of scope of this specification, since it depends on the operator's preference.
- The selected PDG in the Visited Network needs to know the authorized W-APN to select the external network, i.e. Wi interface.
- It shall be possible to provide IP related configuration parameters to the WLAN UE during or after successful service authorisation. These configuration parameters may include e.g. the WLAN UE's remote IP address and addresses of DHCP and DNS servers in the VPLMN.

In the roaming case, IMS Emergency Calls shall be accessed in the VPLMN.

5.6.3 External IP Network selection

The WLAN UE can connect to different External IP networks, such as the Internet, an operator's IP network or a corporate IP network. The user may indicate a preferred IP network with a requested WLAN Access Point Name (W-APN).

The Requested W-APN may also indicate a point of interconnection to the external IP network (i.e. PDG).

A W-APN is indicated by the WLAN UE in the tunnel establishment procedure between the WLAN UE and a PDG. It is then forwarded to the 3GPP AAA server/proxy in the same network as the PDG.

5.7 IP Connectivity for WLAN 3GPP IP Access

5.7.1 Principles

The WLAN UE initiates the establishment of tunnels and is involved in packet encapsulation/decapsulation. The tunnel shall reside between the WLAN UE and the PDG. In the non roaming case, the PDG shall reside in the Home PLMN; in the roaming case, the PDG may reside either in the Home or in the Visited PLMN (both cases shall be supported).

The following steps are performed at tunnel establishment:

1. W-APN resolution and discovery of the tunnel endpoint (PDG) IP-address is performed using the procedures described in clause 7.9.

2. Tunnel establishment, including mutual authentication, shall occur between the WLAN UE and the PDG.

NOTE 1: Filtering attributes may be needed in order to enable the WLAN to enforce that the WLAN UE tunnels all traffic as required. Filtering attributes may be transmitted from 3GPP AAA Server to WLAN over the Wa reference point. The WLAN Access Network sets up appropriate packet filters.

NOTE 2: The PDG is described in section 6.

The tunnel establishment is not coupled to WLAN access authentication/authorisation. The WLAN UE may establish several tunnels in order to access several external IP networks simultaneously. The external IP network selection is performed as part of the establishment of each tunnel.

Editor's note: Routing towards the Home PLMN in the Visited PLMN, as well as its impacts on the WLAN AN, are for further study.

5.7.2 Tunnelling Requirements

The requirements that a WLAN UE-Initiated tunnelling protocol should meet are:

- Minimal requirements to the underlying IP connectivity network, i.e. WLAN UE initiated tunnelling and tunnel establishment signalling can be deployed on top of generic IP connectivity networks
- Minimal impacts to the WLAN Access Network
- Establishment of trusted relationships (e.g. mutual authentication for both tunnel end-points) shall be possible
- Tunnel IP configuration of the WLAN UE may be obtained from/through the remote tunnel endpoint
- Set up secure tunnels between WLAN UE and remote tunnel endpoint. Especially support encryption and integrity protection during tunnel establishment and while transporting user data packets, if enabled.
- Remote IP address (inner IP):
  - The transport of IPv4 packets shall be supported
  - The transport of IPv6 packets shall be supported (e.g. in order to support IPv6 services like IMS)
- Local IP address (outer IP):
  - The tunnel protocol shall be able to support IPv4 and IPv6 transport addresses
  - The tunnel protocol shall support private WLAN UE's local IP addresses, which are non-routable in the public Internet.

The protocol should be fully specified and 3GPP should define its usage to enable multi-vendor inter-operability.

5.7.3 Void

5.8 Roaming requirements for WLAN 3GPP IP Access

For the delivery of 3GPP PS based services in a roaming scenario:

- The roaming architecture shall ensure that CDRs can be generated e.g. volume and time based by the visited network.
- The roaming architecture shall ensure that tunnels established are between entities that have a roaming agreement.
- The roaming architecture shall ensure that the bearer path from the WLAN to Home/Visited 3GPP network conforms to QoS and roaming agreement(s).
- The roaming architecture shall provide the ability to allow the user to access services provided by the visited network, e.g. local PS services.
- The roaming architecture shall allow the home network to limit the set of 3GPP services available for a given roaming user.
- All packets of PS based services sent to/from a WLAN UE are routed via a VPLMN in a 3GPP network; however basic Internet access may be routed directly from the WLAN.


5.9 Routing Enforcement and Policy Enforcement for WLAN 3GPP IP Access

5.9.1 Purpose for routing enforcement and policy enforcement

In order to ensure operator policies, e.g. QoS, Charging can be applied to user traffic, WLAN 3GPP IP Access requires routing enforcement and policy enforcement to be implemented in the 3GPP-WLAN Interworking System.

5.9.2 Routing Enforcement in the WLAN AN

Routing enforcement shall be used to ensure that all packets sent to/from the WLAN UE for 3G PS based service are routed to the interworking VPLMN (roaming case) or HPLMN (no roaming case). However, this routing enforcement shall not prevent a WLAN AN from routing non 3G PS based service traffic to another network (e.g. the Internet) other than a PLMN, when provision of such services (e.g. direct Internet access from the WLAN) is agreed between the WLAN and the PLMN.

When subscription limits a WLAN UE to exclusively access only 3GPP PS based service, the PLMN can indicate to the WLAN AN routing enforcement to ensure that all packets sent to/from the WLAN UE are routed to the interworking VPLMN (roaming case) or HPLMN (no roaming case). If a WLAN UE user subscription allows a WLAN Direct IP Access the WLAN AN should be capable of routing packets directly to the external packet data network.

Routing enforcement in the WLAN AN shall ensure that packets sent between a PDG and a WLAN UE are routed to the right entity in the interworking VPLMN (roaming case) or HPLMN (no roaming case).

Routing enforcement should not prevent the WLAN AN from supporting a WLAN Direct IP Access only capable WLAN UE or a WLAN 3GPP IP Access capable WLAN UE opting for a WLAN Direct IP Access, and non 3G interworking WLAN terminals.

Routing enforcement should have minimal impact on the WLAN AN.

5.9.3 Routing enforcement and policy Enforcement in the HPLMN

When supporting WLAN 3GPP IP Access and access is via a tunnel endpoint (PDG) in the HPLMN, the HPLMN shall be able to provide the VPLMN with suitable policy enforcement information. The HPLMN may also provide suitable routing enforcement information to WLAN.

5.9.4 Routing enforcement and policy Enforcement in the VPLMN

When supporting WLAN 3GPP IP Access, the VPLMN shall be able to implement policy enforcement on traffic sent to/from a WLAN UE according to policy enforcement information provided by the HPLMN. The VPLMN may also provide suitable routing enforcement information to WLAN.

5.10 IP address allocation for the WLAN UE

5.10.1 General

When using WLAN Direct IP Access, a WLAN UE needs to use its local IP address only. When using WLAN 3GPP IP Access, a WLAN UE shall use two IP addresses; its local IP address and remote IP address.

A WLAN UE's local IP address identifies the WLAN UE in the WLAN AN. In systems supporting only WLAN Direct IP Access, the WLAN UE's local IP address is assigned by the WLAN AN; in a WLAN 3GPP IP Access enabled system, it can be assigned by a WLAN or by a PLMN (a VPLMN in roaming case and a HPLMN in non-roaming case). For the WLAN-assigned local IP address, which belongs to the address space of WLAN AN, there is no additional requirement on the WLAN. WLAN UE's local IP address allocation by the PLMN is for further study.

When using WLAN 3GPP IP Access, a WLAN UE's remote IP address identifies the WLAN UE in the network that the WLAN UE is accessing for the 3G PS service. It shall be used for the inner packet of the WLAN UE-initiated tunnel. It can be assigned by HPLMN, VPLMN or an external IP network. The remote IP address can be statically or dynamically assigned. The only case where VPLMN assigns the remote IP address for the WLAN UE is when the WLAN UE-initiated tunnel terminates at the VPLMN's PDG. When the WLAN UE's remote IP address is allocated by the external IP network, the PDG is required to have an interface with an address allocation server, such as AAA or DHCP, belonging to the external IP network.

For the WLAN UE's remote IP address, IPv4 addresses shall be supported. When the WLAN UE accesses 3G PS based services using an IPv6 network such as IMS services, IPv6 addresses shall be supported for the WLAN UE's remote IP address.

To avoid any clashes between addresses used in WLAN AN and PLMN and to enable correct routing of packets sent out by the WLAN UE the PLMN operator should allocate public addresses to network nodes, which are addressed by WLAN UEs.

When a WLAN UE accesses several 3G PS based services with different W-APNs simultaneously, the WLAN UE can get several remote IP addresses. There may be several WLAN UE-initiated tunnels for the services.

5.10.2 Static and Dynamic Remote IP Address

Remote IP address can be allocated to a WLAN UE in four different ways:

- The HPLMN operator assigns a Remote IP address permanently to the WLAN UE (static remote IP address).
- The HPLMN operator assigns a Remote IP address to the WLAN UE when the tunnel is established to the PDG in the home network (dynamic HPLMN remote IP address).
- The VPLMN operator assigns a Remote IP address to the WLAN UE when the tunnel is established to the PDG in the visited network (dynamic VPLMN remote IP address).
- The external IP network operator assigns a permanent or dynamic Remote IP address to the WLAN UE (external Remote IP address allocation).

It is the HPLMN operator that defines in the subscription whether static IP address allocation is used.

When static IP address allocation is used, a WLAN UE either can include its static IP address in the tunnel setup request message, or indicate in the tunnel setup request message that the network should configure the static IP address of the WLAN UE or the network simply provides the static address to the WLAN UE.

5.11 Charging

The following functionality and requirements have been identified:

- The WLAN Access Network shall be able to report the WLAN access usage to the appropriate 3GPP system (i.e. VPLMN in the roaming case and HPLMN in the non-roaming case).
- It shall be possible for the 3GPP system to control a specific ongoing WLAN access session for online charging purposes.
- It shall be possible for an operator to maintain a single prepaid account for WLAN, PS, CS, and IMS for a user.
- The 3GPP system shall be able to process the WLAN access resource usage information, and convert it into the format used in 3GPP networks (e.g. CDR).
- It shall be possible to correlate charging and accounting records generated in WLAN Access related nodes and records generated in 3GPP nodes.
- It shall be possible to apply offline charging and online charging mechanisms for the WLAN interworking with 3GPP network.

Additionally, for WLAN 3GPP IP Access:

- It shall be possible to generate per user charging information in the HPLMN and in the VPLMN irrespective of whether the service is provided in the HPLMN or in the VPLMN.
- WLAN Charging Information shall be collected for each WLAN UE by the WAG and the PDG that are serving the WLAN UE. The operator can control whether charging information shall be collected in the PDG on an individual WLAN UE and/or W-APN context basis by appropriately setting the Subscribed Charging Characteristics and/or W-APN Charging Characteristics in the HSS. The Charging Characteristics on the WLAN subscription and individually subscribed W-APNs are specified in TS 32.252 [26].

5.12 AAA Protocol Requirements

- As far as possible, a common AAA protocol shall be used across all AAA interfaces. This may not be possible for the Wa and Wd interfaces when the WLAN AN is using a legacy AAA protocol.
- If protocol interworking is needed, then in the non-roaming case it shall be performed at the edge of the 3GPP network. For roaming, such interworking shall be performed either in the visited network or in the home network (dependent upon inter-operator roaming agreements).

5.13 QoS Support

5.13.1 General

The support of QoS mechanisms is an optional functionality of the 3GPP-WLAN Interworking architecture.

Figure 5.3 shows the considered QoS architecture for WLAN Direct IP Access.

Figure 5.3: QoS Architecture for WLAN Direct IP Access (labels: WLAN UE, WLAN AN, TE, End-to-End Service, WLAN Bearer Service, External Bearer Service)

Figure 5.4 shows the considered QoS architecture for WLAN 3GPP IP Access.

Figure 5.4: QoS Architecture for WLAN 3GPP IP Access

The End-to-End Service provides transport of the signalling and user data between the WLAN UE and another (external) TE (or correspondent node) passed over different bearer services of the network. In case of WLAN Direct IP Access, it consists of WLAN Bearer Service and External Bearer Service. In case of WLAN 3GPP IP Access, it consists of 3GPP IP Access Bearer Service and External Bearer Service.

The External Bearer Service is not further elaborated here as this bearer may be using several network services, e.g. another UMTS Bearer Service (TS 23.107 [33]).

The 3GPP IP Access Bearer Service provides transport of signalling and user data between WLAN UE and PDG and supports QoS.

WLAN Bearer Service supports WLAN AN specific bearer capability between WLAN UE and WLAN AN.

5.13.2 Use of CoS based DiffServ for providing QoS over I-WLAN using WLAN 3GPP IP Access

When using 3GPP IP Access, a tunnel from UE to PDG is established for carrying PS based services traffic. This tunnel traverses over inter PLMN backbone (e.g. GRX) in the case of a roaming user. While accessing home network services, one or more tunnels will be setup that will carry traffic for all home network services that are being accessed irrespective of the level of QoS required for an individual service. It is possible that data for more than one IP flow and for different services is carried in one tunnel. Since the data within these tunnels (including the inside IP headers) is likely to be encrypted, it may not be possible to separate out individual IP flows and service traffic at intermediate nodes.

A possible way to provide QoS in such a situation is the use of DiffServ [37] by the WLAN UE and PDG to appropriately colour the DS Field in the external IP header based on the QoS required for the service that the individual packet belongs to. DiffServ therefore allows to provide for different classes of traffic different levels of QoS. Such use of DiffServ mechanism works well with GSMA's specifications on GRX (IR 34).
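An added example (not from the specification) of the DS-field colouring described above: the tunnel endpoint writes the service's QoS class into the outer IPv4 header, and an intermediate node classifies on that header alone because the inner packet is opaque. The service names, the service-to-DSCP mapping, the addresses and the use of IP protocol 50 (ESP) for the tunnel payload are assumptions.

```python
import socket
import struct

# Assumed mapping from service to DSCP (EF = 46, AF41 = 34, default = 0).
DSCP_BY_SERVICE = {"ims_voice": 46, "streaming": 34, "web": 0}
PHB_BY_DSCP = {46: "EF", 34: "AF41", 0: "default"}
IPV4_HEADER = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def _ones_complement_sum(header):
    """16-bit one's-complement sum over a 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def encapsulate(service, ciphertext, local_ip, pdg_ip):
    """Tunnel endpoint (WLAN UE or PDG): build the outer header for one packet.

    `ciphertext` is the already-encrypted inner packet; the QoS class is known
    here only because this endpoint saw the packet before encryption.
    """
    ds_octet = DSCP_BY_SERVICE[service] << 2  # DSCP is the top six bits
    fields = [0x45, ds_octet, 20 + len(ciphertext), 0, 0, 64,
              50,  # assumed tunnel payload protocol (ESP)
              0,   # checksum placeholder
              socket.inet_aton(local_ip), socket.inet_aton(pdg_ip)]
    header = struct.pack(IPV4_HEADER, *fields)
    fields[7] = ~_ones_complement_sum(header) & 0xFFFF
    return struct.pack(IPV4_HEADER, *fields) + ciphertext


def classify_outer(packet):
    """Intermediate node (WLAN AN, WAG, GRX router): outer header only."""
    header = packet[:20]
    if _ones_complement_sum(header) != 0xFFFF:
        raise ValueError("bad outer header checksum")
    return PHB_BY_DSCP.get(header[1] >> 2, "default")


def demo():
    """Two flows in the same tunnel receive different per-hop behaviour."""
    opaque = bytes(32)  # constructed stand-in for an encrypted inner packet
    voice = encapsulate("ims_voice", opaque, "10.0.0.5", "192.0.2.10")
    web = encapsulate("web", opaque, "10.0.0.5", "192.0.2.10")
    return classify_outer(voice), classify_outer(web)


if __name__ == "__main__":
    print(demo())
```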

5.13.3 QoS requirements on the architecture

The 3GPP WLAN QoS profile shall be WLAN technology independent.

The 3GPP AAA Server shall be the single point to authorize the 3GPP WLAN QoS profile for both WLAN direct IP Access and WLAN 3GPP IP Access.

The 3GPP WLAN QoS profile shall be specified within the subscriber data of the HSS (defined in TS 23.008 [29]).

Policy Control and Charging (PCC) functionality shall be used where applicable, in accordance with TS 23.203 [36].

A mechanism shall be defined, which allows that the WLAN AN's QoS capabilities (e.g. the supported 3GPP WLAN QoS profile) are provided by the WLAN AN to the 3GPP AAA Server during initial WLAN direct IP Access authorization.

The authorized 3GPP WLAN QoS profile shall be sent from the 3GPP AAA Server to the WLAN AN during WLAN 3GPP IP Access authorization and re-authorization.

A mechanism for change of authorized 3GPP WLAN QoS profile after initial authorization from 3GPP AAA Server/Proxy to WLAN AN and PDG shall be considered.

Charging signalling sent between WLAN AN and 3GPP AAA Proxy/Server shall contain information about the used 3GPP WLAN QoS profile.

Interworking Architecture

6.1 Reference Model

Editor's note: The term roaming is used here when referring to roaming between 3GPP networks. However, an intermediate aggregator or a chain of intermediate networks may possibly separate the user when accessing the WLAN from the 3GPP home network.


6.1.1 Non Roaming WLAN Inter-working Reference Model

Figure 6.1: Non-roaming reference model (elements shown: WLAN UE, WLAN Access Network, WAG, PDG, 3GPP AAA Server, SLF, HSS, HLR, OCS, Offline Charging System, Intranet / Internet, all network nodes within the 3GPP Home Network; reference points: Ww, Wa, Wn, Wu, Wp, Wi, Wg, Wm, Wo, Wy, Wz, Wf, Wx, D'/Gr')

NOTE: The shaded area refers to WLAN 3GPP IP Access functionality.

6.1.2 Roaming WLAN Inter-working Reference Model

The home network is responsible for access control. Charging records can be generated in the visited and/or the home 3GPP networks. The Wx and Wo reference points are intra-operator. The home 3GPP network interfaces to other 3GPP networks via the inter-operator Wd reference point.

The 3GPP AAA proxy relays access control signalling and accounting information to the home 3GPP AAA Server using the Wd reference point. It can also issue charging records to the visited network Offline Charging System when required.

The 3GPP network interfaces to WLAN Access Networks via the Wa reference point.

Figure 6.2a: Roaming reference model - 3GPP PS based services provided via the 3GPP Home Network (elements shown: WLAN UE, WLAN Access Network, 3GPP Visited Network with 3GPP AAA Proxy, WAG and Offline Charging System; 3GPP Home Network with 3GPP AAA Server, Packet Data Gateway, SLF, HSS, HLR, OCS and Offline Charging System; Intranet / Internet)

NOTE: The shaded area refers to WLAN 3GPP IP Access functionality.

Figure 6.2b: Roaming reference model - 3GPP PS based services provided via the 3GPP Visited Network (elements shown: WLAN UE, WLAN Access Network, 3GPP Visited Network with 3GPP AAA Proxy, WAG, Packet Data Gateway and Offline Charging System; 3GPP Home Network with 3GPP AAA Server, SLF, HSS, HLR, OCS and Offline Charging System; Intranet / Internet)

NOTE: The shaded area refers to WLAN 3GPP IP Access functionality.

6.2 Network elements

6.2.1 WLAN UE

A WLAN UE is the User Equipment using a UICC card utilized by a 3GPP subscriber to access the WLAN AN for 3GPP interworking purpose. The WLAN UE may be capable of WLAN access only, or it may be capable of both WLAN and 3GPP radio access. Some WLAN UE's may be capable of simultaneous access to both WLAN and 3GPP radio access. A WLAN UE may include terminal types whose configuration (e.g. interface to a UICC), operation and software environment are not under the exclusive control of the 3GPP system operator, such as a laptop computer or PDA with a WLAN card, UICC card reader and suitable software applications.

The WLAN UE functions include:

- Associating to an I-WLAN.
- WLAN access authentication based on EAP methods.
- Selection of a suitable VPLMN in the roaming case.
- Building an appropriate NAI.
- Obtain a local IP address. If the WLAN UE is intended for use with WLAN ANs supporting IPv4 only as well as with WLAN ANs supporting IPv6 only, it shall be equipped with a dual IP stack.
- If QoS mechanisms are applied: the UE applies DiffServ mechanisms by marking the DS field of IP packets according to the application QoS requirements (as recommended in Annex H);
- If QoS mechanisms are applied, the UE maps the DS field of IP packets into WLAN technology specific QoS parameters.

For WLAN 3GPP IP Access enabled WLAN UE:

- Building an appropriate W-APN to be used for External IP network selection.
- Request the resolution of a W-APN to a PDG address.
- If IPv4 and IPv6 addresses are returned during the resolution process, the WLAN UE shall select the address that has the same format as its own local IP address (IPv4 or IPv6).
- Establish a secure tunnel to a PDG.
- Obtain a remote IP address.
- Accessing services provided in the operators PS domain.
- Allowing users to select the type of network access, i.e. WLAN 3GPP IP Access or WLAN Direct IP Access.
- Ability to indicate whether multiple authentication is needed or not in the tunnel establishment procedure. This function is only required in case that the specified W-APN requires the authentication and authorization with the External AAA Server. Details on the multiple authentications are specified in RFC 4739 [32].

6.2.1.1 Void

6.2.2 3GPP AAA Proxy

The 3GPP AAA Proxy represents a proxying and filtering function that resides in the Visited 3GPP Network. The 3GPP AAA Proxy functions include:

- Relaying the AAA information between WLAN and the 3GPP AAA Server.
- Enforcing policies derived from roaming agreements between 3GPP operators and between WLAN operator and 3GPP operator
- Providing access scope limitation information to the WLAN based on authorization information from the Home network
- Reporting per-user charging/accounting information to the VPLMN Offline Charging System for roaming users
- Service termination (O&M initiated termination from visited network operator)
- Protocol conversion when the Wa and Wd reference points do not use the same protocol

For WLAN 3GPP IP Access only:

- Receiving per-tunnel charging information based on the tunnel identifier from the WAG and mapping of a user identifier and a tunnel identifier from the PDG; generating per user charging records for roaming users.
- Receiving authorization information related to subscriber requests for W-APNs in the Home or Visited network
- Authorization of access to Visited network W-APNs according to local policy
- Receiving the suitable policy enforcement information from AAA-Server and provides it to the WAG in VPLMN.
- May provide suitable routing enforcement information to WLAN AN.

The 3GPP AAA Proxy functionality can reside in a separate physical network node, it may reside in the 3GPP AAA Server or any other physical network node.


#.2.3 3GPP AAA Ser9er


The 3GPP ... server is located within the 3GPP networ#. There should be only one 3GPP ... "erver for a <5.' attached subscriber. The 3GPP ... "erverF ? ? ? ? ? ? ? ? ? ? ? ? /etrieves authentication information and subscriber profile (includin subscriber$s authori!ation information) from the >5/E>"" of the 3GPP subscriber$s home 3GPP networ#. .uthenticates the 3GPP subscriber based on the authentication information retrieved from >5/E>"". The authentication si nallin may pass throu h ... pro(ies. 3pdates the <5.' access authorisation information when user$s service subscription is modified when re@uested by >""E>5/. 1ommunicates (includin updates) authori!ation information to the <5.' .' potentially via ... pro(ies. /e isters its (the 3GPP ... server) address or name with the >5/E>"" for each authenticated and authori!ed 3GPP subscriber. &nitiates the Pur e procedure when the 3GPP ... server deletes the information of a subscriber. May act also as a ... pro(y (see above). Maintains the <5.' 32$s <5.'?attach status. Provides the <5.' 32$s <5.'?attach status to other entities (which are out of the scope of this T"). Generates and reports per?user char in Eaccountin information about <5.' :irect &P .ccess to the >P5M' Offline 1har in "ystem. Transfer a subscriber$s authentication to a 3GPP ... "erver when it is re@uested by >""E>5/. &f Do" mechanisms are appliedF the 3GPP ... server authori!es and stores the 3GPP <5.' Do" profile. The authori!ed Do" profile is based on the closest match of subscriber$s <5.' Do" profile with the <5.' .' capabilitiesEpolicies.

For WLAN 3GPP IP Access:
- Communicates (including updates) service authorization information (e.g. authorized W-APN, necessary keying material for tunnel establishment and user data traffics) to the PDG. AAA proxies if the PDG is located in VPLMN.
- Provides the PDG with the WLAN UE's remote IP address, received from the HSS, when static remote IP address allocation is used.
- Provides the AAA-Proxy with suitable policy enforcement information.
- Provides suitable policy enforcement information to WAG in HPLMN.
- May provide suitable routing enforcement information to WLAN AN.
- If QoS mechanisms are applied: the 3GPP AAA server authorizes the 3GPP WLAN QoS profile for tunnels. The authorized QoS profile is based on the subscriber's WLAN QoS profile in the subscription information and stored 3GPP WLAN QoS profile for the WLAN Direct IP Access if WLAN Access Authentication and Authorization procedure has been performed.

6.2.4 HLR/HSS
The HLR/HSS located within the 3GPP subscriber's home network is the entity containing authentication and subscription data required for the 3GPP subscriber to access the WLAN interworking service. Besides other information, the HSS contains 3GPP WLAN QoS profiles' authentication and subscription data for the 3GPP subscriber.


The HSS also provides access to the WLAN UE's WLAN-attach status for other entities, e.g. answers or relays the WLAN-attach status query from other entities. To this end, the HSS shall store the IP address of the 3GPP AAA server to which the WLAN UE is registered. When a 3GPP AAA Server other than the registered 3GPP AAA Server of a subscriber, requests authentication information or the profile of the subscriber, the HSS should request it transfer the authentication to the registered 3GPP AAA Server by providing the registered 3GPP AAA Server address to it.

6.2.5 WLAN Access Gateway


The WLAN Access Gateway applies to a WLAN 3GPP IP Access enabled system. The WLAN Access Gateway is a gateway via which the data to/from the WLAN Access Network shall be routed via a PLMN to provide a WLAN UE with 3G PS based services in a WLAN 3GPP IP Access enabled system. The WLAN Access Gateway shall reside in the VPLMN in the roaming case, and in the HPLMN in the non-roaming case. The WLAN Access Gateway:
- Allows VPLMN to generate charging information for users accessing via the WLAN AN in the roaming case.
- Enforces routing of packets through the PDG.
- Performs collection of per tunnel accounting information, e.g. volume count (byte count) and elapsed time, to be used for inter-operator settlements in case of the roaming scenario when the Wu reference point is between the WLAN UE and a PDG in the home network (figure 6.2a). The charging information is forwarded to the 3GPP AAA proxy in the visited network via the Wg reference point.
- Filters out packets based on unencrypted information in the packets. Packets should only be forwarded if they:
  1. are part of an existing tunnel or
  2. are expected messages from the WLAN UEs. This includes service requests, and tunnel establishment messages.
- If QoS mechanisms are applied: supports DiffServ mechanism for uplink/downlink IP packets.

Since the WAG does not have a full trust relationship with the WLAN UE, it is not able to stop all messages. However, messages from an unknown IP address can easily be discarded. Other approaches may be used as well. Additional types of message screening are left to the operators' control. Furthermore, Network Address Translators within the WLAN may modify the source address of IP packets from the WLAN UEs. The modified source address can be reliably associated to a WLAN UE by the PDG during tunnel establishment and provided to the WAG via the 3GPP AAA Server/Proxy. Before this point, all tunnel establishment packets shall be routed by the WAG except those which are possibly discarded due to certain Firewall rules implemented on the WAG.

NOTE: Per tunnel accounting generation in the WAG is not required when the WAG and PDG are in the same network, i.e. the non-roaming case.

The WAG may implement policy enforcement before tunnel establishment to enhance the firewall against unwanted packets go through the PLMN, for example, to forbid the roaming WLAN UE from sending tunnel establishment to PLMN other than its HPLMN; to forbid packets from unauthorized WLAN UE. The WAG shall implement policy enforcement after tunnel establishment. After tunnel establishment, the following procedures apply at the WAG:
- If service is provided through a PDG in the HPLMN the WAG:
  - Ensures that all packets from the WLAN UE are routed to the HPLMN.
  - Ensures that packets from the authorised WLAN UEs are only routed to the appropriate PDG in the HPLMN and that packets from other sources than that PDG are not routed to the WLAN UE.

- If service is provided through a PDG in the VPLMN the WAG:


  - Ensures that all packets from the WLAN UE are routed to the VPLMN.
  - Ensures that packets from the authorised WLAN UEs are only routed to the appropriate PDG in the VPLMN and that packets from other sources than that PDG are not routed to the WLAN UE.

6.2.5.1 Policy Enforcement

Information regarding the selected PDG, including whether the PDG is in the HPLMN or the VPLMN is provided by the HPLMN to the VPLMN. In the roaming case, the PDG information is delivered from the 3GPP AAA Server to the 3GPP AAA Proxy. Within the VPLMN, policy enforcement information is delivered to the WAG.

NOTE: Whether information regarding one or all PDGs is provided will likely impact the signalling which supports the activation of a further W-APN. Delivering information of all valid PDGs may limit impacts on signalling for further W-APN establishment.

The policy enforcement delivered during initial authentication (before the tunnel establishment) will be bound to a user's AAA signalling. The WAG requires functionality to be able to associate this information to a user's traffic. As an implementation option, this functionality can be achieved by allocating the local IP Address by VPLMN. The binding of the policy to a user's traffic allows the WAG to drop un-authorized packets sent to/from a user.
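
The screening rules of 6.2.5 and 6.2.5.1 as a small Python model, added here as an illustration and not part of the specification. It assumes the implementation option above (policy keyed on the local IP address allocated to the WLAN UE); the class, field and reason names are hypothetical, and all addresses are constructed documentation addresses.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    # Assumption: a classifier working on unencrypted header fields has already
    # marked tunnel establishment messages.
    tunnel_setup: bool = False


@dataclass
class UePolicy:
    """Policy enforcement information for one authorised WLAN UE (hypothetical structure)."""
    allowed_pdgs: set                           # PDGs named in the policy from the AAA Server/Proxy
    tunnels: set = field(default_factory=set)   # PDGs towards which a tunnel is established


class Wag:
    def __init__(self):
        self.policies = {}  # WLAN UE local IP address -> UePolicy

    def install_policy(self, ue_local_ip, allowed_pdgs):
        """Bind the delivered policy to the UE's traffic through its local IP address."""
        self.policies[ip_address(ue_local_ip)] = UePolicy(
            {ip_address(p) for p in allowed_pdgs})

    def tunnel_established(self, ue_local_ip, pdg):
        """Record that the UE now has a tunnel to this PDG."""
        policy = self.policies[ip_address(ue_local_ip)]
        pdg = ip_address(pdg)
        if pdg not in policy.allowed_pdgs:
            raise ValueError("tunnel reported towards a PDG outside the policy")
        policy.tunnels.add(pdg)

    def decide(self, pkt):
        """Return (forward, reason) for one packet crossing the WAG."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src in self.policies:                 # uplink, from an authorised WLAN UE
            policy = self.policies[src]
            if dst in policy.tunnels:
                return True, "existing tunnel"
            if pkt.tunnel_setup and dst in policy.allowed_pdgs:
                return True, "expected tunnel establishment"
            return False, "UE traffic not addressed to its PDG"
        if dst in self.policies:                 # downlink, towards a WLAN UE
            policy = self.policies[dst]
            if src in policy.tunnels:
                return True, "existing tunnel"
            # Assumption: establishment replies from a PDG named in the policy pass.
            if pkt.tunnel_setup and src in policy.allowed_pdgs:
                return True, "expected tunnel establishment"
            return False, "source is not the UE's PDG"
        return False, "unknown IP address"


def run_sample():
    """Walk one constructed UE through policy delivery, tunnel setup and data transfer."""
    ue, pdg, other = "192.0.2.10", "198.51.100.1", "203.0.113.7"  # constructed addresses
    wag = Wag()
    wag.install_policy(ue, [pdg])
    results = [
        wag.decide(Packet(other, pdg, tunnel_setup=True)),  # sender unknown to the WAG
        wag.decide(Packet(ue, other, tunnel_setup=True)),   # setup towards a PDG outside the policy
        wag.decide(Packet(ue, pdg, tunnel_setup=True)),     # expected tunnel establishment
        wag.decide(Packet(ue, pdg)),                        # data before any tunnel exists
    ]
    wag.tunnel_established(ue, pdg)
    results += [
        wag.decide(Packet(ue, pdg)),     # uplink inside the tunnel
        wag.decide(Packet(pdg, ue)),     # downlink from the UE's PDG
        wag.decide(Packet(other, ue)),   # downlink from another source
        wag.decide(Packet(ue, other)),   # uplink that bypasses the PDG
    ]
    return results


if __name__ == "__main__":
    for forward, reason in run_sample():
        print("FORWARD" if forward else "DROP   ", reason)
```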

6.2.5.2 Void

6.2.6 Packet Data Gateway


The Packet Data Gateway applies to a WLAN 3GPP IP Access enabled system. 3GPP PS based services are accessed via a Packet Data Gateway. 3GPP PS based services may be accessed via a Packet Data Gateway in the user's Home Network or a PDG in the selected VPLMN. The process of authorisation and service selection (e.g. W-APN selection) and subscription checking determines whether a service shall be provided by the home network or by the visited network. The resolution of the IP address of the Packet Data Gateway providing access to the selected service will be performed in the PLMN functioning as the home network (in the VPLMN or HPLMN). If the PDG is intended to support connections from WLAN UEs using IPv4 and IPv6 local addresses, it shall be equipped with a dual IP stack. Successful activation of a selected service results in:
- Determination of the Packet Data Gateway IP address used by the WLAN UE;
- Allocation of a WLAN UE's remote IP address to the WLAN UE (if one is not already allocated);
- Registration of the WLAN UE's local IP address with the Packet Data Gateway and binding of this address with the WLAN UE's remote IP address.

The Packet Data Gateway:
- Contains routeing information for WLAN-3G connected users;
- Routes the packet data received from/sent to the PDN to/from the WLAN-3G connected user;
- Performs address translation and mapping;
- Performs de-capsulation and encapsulation;
- Accepts or rejects the requested W-APN according to the decision made by the 3GPP AAA Server;
- Allows allocation of the WLAN UE's remote IP address;
- Relays the WLAN UE's remote IP address allocated by an external IP network to the WLAN UE, when external IP network address allocation is used.


- Performs registration of the WLAN UE's local IP address and binding of this address with the WLAN UE's remote IP address;
- Provides procedures for unbinding a WLAN UE's local IP address with the WLAN UE's remote IP address;
- Provides procedures for authentication and prevention of hijacking (i.e. ensuring the validity of the WLAN UE initiating any binding of the WLAN UE's local IP address with the WLAN UE's remote IP address, unbinding etc.)
- May filter out unauthorised or unsolicited traffic with packet filtering functions. All types of message screening are left to the operators' control, e.g. by use of Internet firewalls.
- Delivers the mapping of a user identifier and a tunnel identifier to the AAA Proxy.
- Generates charging information related to user data traffic for offline and online charging purposes.
- May apply IP flow based bearer level charging (TS 32.251 [13], TS 23.125 [15]), e.g. in order to differentiate or suppress WLAN bearer charging for 3GPP PS based services.
- In case the PDG has the interface with the PDN which requires the authentication and authorization with the External AAA Server, then the PDG shall negotiate with the WLAN UE whether "Multiple authentication Exchanges in IKEv2" is supported or not. If both WLAN UE and PDG support this function and WLAN UE requests multiple authentications with the External AAA Server, then next authentication and authorization with the External AAA Server is performed after the successful authentication and authorisation with the 3GPP AAA Server. Details on the multiple authentications are specified in RFC 4739 [32]. Whether or not multiple authentications and authorizations are required is configured on a W-APN basis in the PDG.
- If QoS mechanisms are applied: it operates as a QoS edge router between 3GPP/WLAN Interworking system and external network, by supporting DiffServ edge function. When applying receiver control DiffServ edge functions the authorized 3GPP WLAN QoS profile (as received from the 3GPP AAA server) shall be enforced according to operator policy. This may result in re-classification (re-marking the DSCP) or discarding of IP packets.
- If QoS mechanisms are applied: enforces policy control (e.g. service based QoS control or gating) according to TS 23.203 [36].

Annex F describes how PDG functionality can be provided by re-using existing unmodified GGSN functionality.

6.2.7 Subscription Locator Function (SLF)


The SLF is located within the 3GPP subscriber's home network and enables the 3GPP AAA Server to find the address of the HSS which holds the subscriber data for a given user identity in a configuration with multiple separately addressable HSS's. The SLF should be used in the same way for WLAN as for IMS, which is specified in TS 23.228 [24].

6.2.8 Offline Charging System


The Offline Charging System is within the 3GPP network. The mapping of the Offline Charging System in the Release 6 charging architecture is specified in TS 32.252 [26].

6.2.9 Online Charging System


The Online Charging System (OCS) is located within the 3GPP network. The OCS is described in TS 32.296 [27].


6.3 Reference Points


6.3.1 Wa reference point
6.3.1.1 General description

The Wa reference point connects the WLAN Access Network, possibly via intermediate networks, to the 3GPP Network (i.e. the 3GPP AAA Proxy in the roaming case and the 3GPP AAA server in the non-roaming case). The prime purpose of the protocols crossing this reference point is to transport authentication, authorization and charging-related information in a secure manner. The reference point has to accommodate also legacy WLAN Access Networks. Legacy logical nodes outside of 3GPP scope that terminate or proxy the Wa reference point signalling and do not support 3GPP AAA protocol shall require signalling conversion between the legacy AAA protocol and the 3GPP AAA protocol. EAP authentication shall be transported over the Wa reference point.

6.3.1.2 Functionality

The functionality of the reference point is to transport AAA frames:
- Carrying data for authentication signalling between WLAN UE and 3GPP Network;
- Carrying data for authorization (including the authorization information update) signalling between WLAN AN and 3GPP Network. These data may include a well-defined identification of the WLAN AN;
- Carrying charging signalling per WLAN user to enable offline and/or online charging. To minimize the requirements put on the WLAN Access Network, the use of online charging over Wa is optional and depends on the agreement between the operators of the WLAN AN and the 3GPP PLMN;
- Enabling the identification of the operator networks amongst which the roaming occurs;
- Carrying keying data for the purpose of radio interface integrity protection and encryption;
- May carry Routing Enforcement information from the PLMN to ensure that all packets sent to/from the WLAN UE for PS based services are routed to the interworking VPLMN (roaming case) or HPLMN (no roaming case) appropriately;
- Purging a user from the WLAN access for immediate service termination;
- Providing access scope limitation information to the WLAN based on the authorised services for each user (for example, IP address filters);
- If QoS mechanisms are applied: carrying data for WLAN AN QoS capabilities/policies (e.g. the supported 3GPP WLAN QoS profiles) within authentication request from WLAN AN to 3GPP AAA Proxy and 3GPP AAA Server.

6.3.2 Wx reference point


This reference point is located between 3GPP AAA Server and HSS. The prime purpose of the protocol(s) crossing this reference point is communication between WLAN AAA infrastructure and HSS. The functionality of the reference point is to enable:
- Retrieval of authentication vectors, e.g. for USIM authentication, from HSS.
- Retrieval of WLAN access-related subscriber information (profile) from HSS
- Registration of the 3GPP AAA Server of an authorised (for WLAN Access) WLAN user in the HSS.
- Indication of change of subscriber profile within HSS (e.g. indication for the purpose of service termination).
- Purge procedure between the 3GPP AAA server and the HSS.


- Retrieval of online charging / offline charging function addresses from HSS.
- Fault recovery procedure between the HSS and the 3GPP AAA Server.
- Retrieval of service related information (e.g. W-APNs that may be selected by the WLAN UE and the data defined for the W-APNs in the WLAN UE's profile) including an indication of whether the VPLMN is allowed to provide this service.

6.3.3 D'/Gr' reference point


This optional reference point is located between 3GPP AAA Server and pre-R6 HLR/HSS. The prime purpose of the protocol(s) crossing this reference point is communication between WLAN AAA infrastructure and HLR. The protocol crossing this reference point is based upon the D/Gr reference points defined in TS 23.002 [31]. Support of the D'/Gr' reference points requires no modifications to the MAP protocol at the HLR. When the HLR makes it possible the functionality of the reference point is to enable:
- Retrieval of authentication vectors, e.g. for USIM authentication, from HLR.
- Registration of the 3GPP AAA Server of an authorised WLAN user in the HLR.
- Indication of change of subscriber profile within HLR (e.g. indication for the purpose of service termination).
- Purge procedure between the 3GPP AAA server and the HLR.
- Fault recovery procedure between the HLR and the 3GPP AAA server.
- Retrieval of service related information (e.g. APNs that may be selected by the WLAN UE) including indications of whether the service is to be supported by the HPLMN or by an identified VPLMN.
- Retrieval of online/offline charging function address from HLR.

The functions provided on the D'/Gr' reference points are a subset of the functions provided on the D/Gr reference points described in TS 23.002 [31]. If a 3GPP AAA Server supports the D' reference point, it will appear to the HLR/HSS as a VLR and shall behave according to the description of the behaviour of a VLR supporting the D reference point as described in TS 23.002 [31]. If a 3GPP AAA Server supports the Gr' reference point, it will appear to the HLR/HSS as an SGSN and shall behave according to the description of the behaviour of an SGSN supporting the Gr reference point as described in TS 23.002 [31].

6.3.4 Wo reference point


The Wo reference point is used by a 3GPP AAA Server to communicate with 3GPP Online Charging System (OCS). The prime purpose of the protocol(s) crossing this reference point is to transport online charging related information so as to perform credit control for the online charged subscriber. The functionality of the reference point is to transport:
- Online charging data.

Wo reference point should be similar to Ro interface currently used in 3GPP OCS.

6.3.5 Wf reference point


The Wf reference point is located between 3GPP AAA Server/Proxy and 3GPP Offline Charging System. The prime purpose of the protocols crossing this reference point is to transport/forward offline charging information towards 3GPP operator's Offline Charging System located in the visited network or home network where the subscriber is residing. The information forwarded to the Offline Charging System is typically used for:
- Generating bills for offline charged subscribers by the subscribers' home operator.


- Calculation of inter-operator accounting from all roaming users. This inter operator accounting is used to settle the payments between visited and home network operator and/or between home/visited network and WLAN.

The functionality of the reference point is to transport:
- WLAN access-related charging data per WLAN user.

6.3.6 Wg reference point


The Wg reference point applies to WLAN 3GPP IP Access. This is an AAA interface between the 3GPP AAA Server/Proxy and the WAG. It is used to:
- provide information needed by the WAG to perform policy enforcement functions for authorised users.
- transport per-tunnel based charging information from the WAG to the AAA Proxy, only for roaming scenario.

6.3.7 Wn reference point


The Wn reference point applies to WLAN 3GPP IP Access. This is the reference point between the WLAN Access Network and the WAG. This interface is to force traffic on a WLAN UE initiated tunnel to travel via the WAG. There can be several different ways to implement this interface as shown in Annex C. The specific method to implement this interface is subject to local agreement between the WLAN AN and the PLMN and is out of the scope of this Release of 3GPP specifications.

6.3.8 Wp reference point


The Wp reference point applies to WLAN 3GPP IP Access. This is the reference point between the WAG and PDG.

6.3.9 Wi reference point


The Wi reference point applies to WLAN 3GPP IP Access. This is the reference point between the Packet Data Gateway and a packet data network. The packet data network may be an operator external public or private packet data network or an intra operator packet data network, e.g. the entry point of IMS, RADIUS Accounting or Authentication, DHCP. Wi reference point is similar to the Gi reference point provided by the PS domain. Interworking with packet data networks is provided via the Wi reference point based on IP. Mobile terminals offered services via the Wi reference point may be globally addressable through the operator's public addressing scheme or through the use of a private addressing scheme.

6.3.10 Wm reference point


The Wm reference point applies to WLAN 3GPP IP Access. This reference point is located between 3GPP AAA Server and Packet Data Gateway respectively between 3GPP AAA Proxy and Packet Data Gateway. The functionality of this reference point is to enable:
- The 3GPP AAA Server/Proxy to retrieve tunnelling attributes and WLAN UE's IP configuration parameters from/via Packet Data Gateway.
- The 3GPP AAA Server to provide the PDG with the WLAN UE's remote IP address, received from the HSS, when static remote IP address allocation is used.
- The 3GPP AAA Server to provide the PDG with charging data (subscribed Charging Characteristics or W-APN Charging Characteristics) for 3GPP PS based services charging


- Carrying messages between PDG and AAA Server in support of the user authentication exchange which takes place between WLAN UE and 3GPP AAA server/proxy.
- Carrying messages for user authorization (including authorization information update) between PDG and 3GPP AAA server/proxy. These messages transport e.g. the requested W-APN from PDG to 3GPP AAA server/proxy and eventually the authorized W-APN from 3GPP AAA server/proxy to PDG.
- Carrying authentication data for the purpose of tunnel establishment, tunnel data authentication and encryption.
- Carrying mapping of a user identifier and a tunnel identifier sent from the PDG to the AAA Proxy through the AAA Server.

6.3.11 Wd reference point


6.3.11.1 General description

The Wd reference point connects the 3GPP AAA Proxy, possibly via intermediate networks, to the 3GPP AAA Server. The prime purpose of the protocols crossing this reference point is to transport authentication, authorization and related information in a secure manner. EAP authentication shall be transported over the Wd reference point.

6.3.11.2 Functionality

The functionality of the reference point is to transport AAA messages including:
- Carrying data for authentication signalling between 3GPP AAA Proxy and 3GPP AAA Server;
- Carrying data for authorization signalling between 3GPP AAA Proxy and 3GPP AAA Server;
- Carrying charging signalling per WLAN user;
- Carrying keying data for the purpose of radio interface integrity protection and encryption;
- Carrying authentication data for the purpose of tunnel establishment, tunnel data authentication and encryption, for the case in which the PDG is in the VPLMN;
- Carrying mapping of a user identifier and a tunnel identifier sent from the PDG to the AAA Proxy through the AAA Server;
- Used for purging a user from the WLAN access for immediate service termination;
- Enabling the identification of the operator networks amongst which the roaming occurs;
- Providing access scope limitation information to the WLAN based on the authorised services for each user (for example, IP address filters);
- If QoS mechanisms are applied: carrying data for WLAN AN QoS capabilities/policies (e.g. the supported 3GPP WLAN QoS profiles) within authentication request from 3GPP AAA Proxy to 3GPP AAA Server.

6.3.12 Wu reference point


The Wu reference point applies to WLAN 3GPP IP Access. The Wu reference point is located between the WLAN UE and the Packet Data Gateway. It represents the WLAN UE-initiated tunnel between the WLAN UE and the Packet Data Gateway. Transport for the Wu reference point protocol is provided by the Ww, Wn and Wp reference points, which ensure that the data are routed via the WLAN Access Gateway where routing enforcement is applied. The functionality of the Wu reference point is to enable:
- WLAN UE-initiated tunnel establishment
- User data packet transmission within the WLAN UE-initiated tunnel


- Tear down of the WLAN UE initiated tunnel

6.3.13 Ww reference point


6.3.13.1 General Description

The reference point Ww connects the WLAN UE to the WLAN Access Network per IEEE 802.1x [19] specifications or for other access systems, by mechanisms providing equivalent security. The definition of IEEE Physical and Medium Access Control layers protocols (e.g. Layer 1 and Layer 2 defined by IEEE 802.11 standards) is out of the scope of 3GPP.

6.3.13.2 Functionality

The functionality of the reference point is based on IEEE 802.1x specifications [19] or, for non-WLAN access systems, specifications with equivalent functionality and it is intended to transport signalling messages including:
- parameters for authentication signalling between the 3GPP AAA Server and the WLAN UE;
- parameters for identification of the operator networks for roaming purposes (i.e. PLMN list).

6.3.14 Dw reference point


This reference point is between the 3GPP AAA Server and the SLF. The prime purpose of the protocol(s) crossing this reference point is to enable the 3GPP AAA Server to find the address of the HSS which holds the subscriber data for a given user identity in a configuration with multiple separately addressable HSS's.

6.3.15 Wy reference point


The Wy reference point is used by a PDG to communicate with an Online Charging System (OCS). The purpose of the protocol(s) crossing this reference point is to transport online charging related information about WLAN 3GPP IP Access so as to perform credit control for the online charged subscriber.

6.3.16 Wz reference point


The Wz reference point is used by a PDG to communicate with an Offline Charging System. The purpose of the protocol(s) crossing this reference point is to transport offline charging related information about WLAN 3GPP IP Access.

6.4 Protocols
The protocol stack between the WLAN UE and the PDG is shown in figure 6.3.

Figure 6.3: Protocol stack between the WLAN UE and the Packet Data Gateway


6.4.1 Remote IP Layer


The remote IP layer is used by the WLAN UE to be addressed in the external packet data networks (i.e. on the Wi reference point). On this layer, the WLAN UE is addressed by its remote IP address and the packets are exchanged between the WLAN UE and an external entity. The PDG routes the remote IP packets without modifying them.

6.4.2 Tunnelling layer


The tunnelling layer consists of a tunnelling header, which allows end-to-end tunnelling between a WLAN UE and a PDG. It is used to encapsulate IP packets with the remote IP layer. When encapsulated IP packets are encrypted, the tunnelling header contains a field which is used to identify the peer and decrypt the packets.

6.4.3 Transport IP Layer


The transport IP layer is used by the intermediate entities/networks and WLAN AN in order to transport the remote IP layer packets. Between the WLAN UE and the WAG, the transport IP layer is used by the WLAN UE to be addressed within the WLAN AN, the intermediate networks (if any) and 3G networks. On this layer, the WLAN UE is addressed by its local IP address. For example this local IP address can be:
- a private IPv4 address allocated by the WLAN AN; in this case a NAT is required in the WLAN AN and used to make the WLAN UE's local IP address routable in the intermediate networks (if any), the VPLMN and the HPLMN;
- a public (either IPv4 or IPv6) address allocated by the WLAN AN; in this case no NAT is needed;
- an IP address allocated by the WAG in an address space that is routable in the WLAN AN as well as in the intermediate networks (if any) and the 3G network; in this case no NAT is needed.

6.5 WLAN user profile


The WLAN user profile shall reside in HSS (if the operator is using a legacy HLR, the WLAN user profile may reside in the 3GPP AAA Server) and be retrieved by 3GPP AAA server via Wx reference point. The parameters stored in the network elements for I-WLAN, which includes the parameters of the WLAN user profile, are defined in clause 3B of TS 23.008 [29].


7 Procedures

7.1 I-WLAN and VPLMN Selection Procedure


7.1.1 Initial network selection

Figure 7.1: I-WLAN and VPLMN selection procedure

1. The WLAN UE selects a WLAN AN and establishes the WLAN connection with a WLAN technology specific procedure (e.g. in IEEE 802.11 it starts an association procedure). The details of the selection of the WLAN AN are specified in TS 24.234 [9].
2. The Authentication procedure is initiated in a WLAN technology specific way and as a part of this process, the WLAN UE sends a NAI to the WLAN AN. The NAI shall be constructed as it is specified in TS 23.003 [5].
3. If the WLAN AN is not able to route the authentication request (e.g. in the case where the WLAN AN receives an initial NAI with an unknown realm), the WLAN AN sends a response to the WLAN UE that provides information about the 3GPP networks to which the WLAN AN is able to route authentication requests. If IMS Emergency Calls are supported in a given 3GPP network, this shall be indicated to the WLAN UE via an IMS Emergency Call specific realm. From this point the WLAN UE may continue the access authentication with the selected WLAN AN using a different NAI (step 2) or may start access authentication with another available WLAN AN (step 1) or may stop. The details of the WLAN UE behaviour are specified in TS 24.234 [9]. If the WLAN UE continues the access authentication with the selected WLAN AN, it shall select a VPLMN among the 3GPP networks indicated in the response received from the WLAN AN and build the new NAI as a roaming NAI indicating this VPLMN.
4. The WLAN AN routes the AAA message to the 3GPP AAA Server or 3GPP AAA Proxy based on the NAI and the access authentication is performed as it is specified in TS 24.234 [9].

7.1.2 Network re-selection


When the WLAN UE changes from the current serving PLMN to another PLMN with or without change of the WLAN AN, it needs to use a new NAI corresponding to the new PLMN in a new authentication initiated by the WLAN UE or the WLAN AN. The 3GPP AAA Server may then receive a new authentication with PLMN selection different from the current active connection. For example, the WLAN UE lost radio in the first WLAN AN, then it changed to another WLAN AN with a different PLMN selection before the previous WLAN AN detected that the user is lost, or the WLAN UE started the new authentication before the disconnection of the previous connection. In this case, the 3GPP AAA Server shall initiate a disconnection to the currently active connection after the success of the new authentication and authorization process.


7.2 WLAN Access Authentication and Authorisation


[Message sequence chart. Participants: WLAN UE, WLAN AN, 3GPP AAA Server, HSS/HLR, WAG. Steps: 1. WLAN Connection Setup; 2. Necessary amount of EAP Request & EAP Response message exchanges between UE and 3GPP AAA Server as specified in the utilised EAP type; 3. Authentication Info retrieval from HSS if info not yet available in 3GPP AAA server; 4. Subscriber profile retrieval from HSS if info not yet available in this 3GPP AAA server; 5. Policy enforcement info delivery; 6. Access Accept [keying material and authorisation information within message]; 7. EAP/Success; 8. Accounting Start; 9. Validate the new session; 10. WLAN Registration to HSS if WLAN user not yet registered to this 3GPP AAA Server]

Figure 7.2: Authentication and authorisation procedure

1. WLAN connection is established with a WLAN technology specific procedure (out of scope for 3GPP).
2. The EAP authentication procedure is initiated in WLAN technology specific way. All EAP packets are transported over the WLAN interface encapsulated within a WLAN technology specific protocol. All EAP packets are transported over the Wa reference point. A number of EAP Request and EAP Response message exchanges is executed between 3GPP AAA Server and WLAN UE. The amount of round trips depends e.g. on the utilised EAP type. Information stored in and retrieved from HSS may be needed to execute certain EAP message exchanges. For IMS Emergency Calls, the used EAP method shall accommodate the emergency request. The WLAN AN may send its QoS capabilities/policies (e.g. the supported 3GPP WLAN QoS profiles) to the 3GPP AAA Server within above authentication procedure signalling. Standardized techniques for capabilities exchange are to be determined in stage 3.
3. Information to execute the authentication with the accessed user is retrieved from HSS. This information retrieval is needed only if necessary information to execute the EAP authentication is not already available in 3GPP AAA Server. To identify the user the username part of the provided NAI identity is utilised. During the information retrieval the HSS/HLR checks if there is a 3GPP AAA Server already registered to serve for the user. In case the HSS/HLR detects that another 3GPP AAA Server has already registered for this user, it shall provide the current 3GPP AAA Server with the previously registered 3GPP AAA Server address. The authentication signalling is then routed to the previously registered 3GPP AAA Server.
   NOTE 1: For IMS Emergency Calls, authentication may be skipped entirely depending on the national regulations or the operator's preference.
4. Subscribers WLAN related profile is retrieved from HSS. This profile includes e.g. the authorisation information and permanent identity of the user. Retrieval is needed only if subscriber profile information is not already available in 3GPP AAA Server.
   NOTE 2: In case of IMS Emergency Calls it is possible that no subscription information is available, therefore no data retrieval from the HSS is possible, e.g. in case of UICC-less IMS Emergency Calls.
5. Optionally, the 3GPP AAA Server (or the 3GPP AAA Proxy in roaming case) may send the policy enforcement information to the WAG in the PLMN that the WLAN UE selected in case VPLMN is to allocate the local IP Address for the WLAN UE.
   NOTE 3: Additional process, such as allocating the IP address, may be necessary during or before this step to be performed.
6. If the EAP authentication and authorisation was successful, then 3GPP AAA Server sends Access Accept message to WLAN. In this message 3GPP AAA Server includes EAP Success message, keying material derived from the EAP authentication as well as connection authorisation information (e.g. NAS Filter Rule or Tunnelling attributes) to the WLAN. When QoS mechanism is applied the authorized 3GPP WLAN QoS profile shall be included in this message, and 3GPP AAA Server shall store authorized 3GPP WLAN QoS Profile and/or WLAN
Do" capabilitiesEpolicies if available. <5.' stores the #eyin material and authorisation information to be used in communication with the authenticated <5.' 32. 'OT2 ;F &n the roamin case- authorisation information is passed from 3GPP ... "erver to 3GPP ... Pro(y in the form of 5ocal service identifiers (see section A.=). 'OT2 =F :ependin on national re ulations and operator preferences- in the case of &M" 2mer ency 1alls- the 3GPP ... server may still send .ccept (i.e. indicatin success of authentication and authori!ation) even thou h authentication or authori!ation fails. &n case the <5.' 32 has indicated &M" 2mer ency 1all within the procedure- the routin policy sent to the <5.' shall include only those policies necessary to set up an &M" 2mer ency 1all (e. . allow tunnel set up but no :irect &P .ccess permitted). 8 <5.' informs the <5.' 32 about the successful authentication and authorisation with the 2.P "uccess messa e. 9 The 3GPP ... server receives an accountin start messa e from the <5.' .'. C .t this point the 3GPP ... server considers that a new authenticated session is started and it chec#s its validity. &f there is a different previously established authentication session of the <5.' user- e. .- a session that uses a different <5.' 32 or roamin in a different <5.' .' or in a different BP5M'- the 3GPP ... "erver shall close the previously established session (K"ession abort procedureK over <a) to avoid multiple <5.' direct &P access sessions. ,+ 3GPP ... "erver re isters the <5.' users 3GPP ... "erver to the >"". &n re istration messa es the subscriber is identified by his permanent identity. This re istration is needed only if the subscriber is not already re istered to this 3GPP ... "erver.
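The session validity check of step 9, as an added example that is not part of TS 23.234: a small Python model of a 3GPP AAA Server session table that closes a subscriber's earlier session when a new Accounting Start arrives for a different session. The class and field names, and identifying the WLAN UE by a MAC address, are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """One authenticated WLAN direct IP access session (illustrative fields)."""
    session_id: str
    permanent_id: str             # subscriber's permanent identity
    ue_id: str                    # assumption: WLAN UE told apart by MAC address
    wlan_an: str                  # WLAN AN that sent the Accounting Start
    vplmn: Optional[str] = None   # None when the subscriber is not roaming


class AaaSessionTable:
    """Hypothetical bookkeeping for the validity check (step 9)."""

    def __init__(self) -> None:
        self._active: Dict[str, Session] = {}        # permanent_id -> session
        self.abort_log: List[Tuple[str, str]] = []   # (aborted session, what differed)

    @staticmethod
    def _difference(old: Session, new: Session) -> str:
        changed = [name for name in ("ue_id", "wlan_an", "vplmn")
                   if getattr(old, name) != getattr(new, name)]
        return ",".join(changed) if changed else "duplicate"

    def on_accounting_start(self, new: Session) -> Optional[Session]:
        """Record the new session; return the earlier session that was closed, if any."""
        old = self._active.get(new.permanent_id)
        if old is not None and old.session_id == new.session_id:
            return None   # retransmitted Accounting Start, same session: nothing to close
        self._active[new.permanent_id] = new
        if old is None:
            return None
        # Stand-in for the "Session abort procedure" over Wa towards old.wlan_an.
        self.abort_log.append((old.session_id, self._difference(old, new)))
        return old

    def active_session(self, permanent_id: str) -> Optional[Session]:
        return self._active.get(permanent_id)


def demo() -> List[Tuple[str, str]]:
    """Replay constructed sample events (not taken from any real network)."""
    table = AaaSessionTable()
    events = [
        Session("s1", "imsi-A", "02:00:00:00:00:01", "an-cafe"),
        Session("s1", "imsi-A", "02:00:00:00:00:01", "an-cafe"),   # retransmission
        Session("s2", "imsi-B", "02:00:00:00:00:02", "an-cafe"),   # other subscriber
        Session("s3", "imsi-A", "02:00:00:00:00:09", "an-airport", "vplmn-X"),
    ]
    for event in events:
        table.on_accounting_start(event)
    return table.abort_log


if __name__ == "__main__":
    print(demo())
```

The abort log doubles as an audit trail: each entry names the closed session and which of WLAN UE, WLAN AN or VPLMN changed.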


7.3 Subscriber Profile Update

7.3.0 WLAN Direct Access Authorization information update procedure

Figure 7.3: Subscriber Profile and access authorization info Update Procedure (message sequence chart between WLAN UE, WLAN AN, WAG, 3GPP AAA Server and HSS; the numbered steps are described below)

1. User is registered to a 3GPP AAA Server
2. Subscribers subscription is modified in the HSS e.g. via O&M.
3. HSS updates the profile information stored in the registered 3GPP AAA Server by Wx reference point procedure "Subscriber Profile".
4. If the policy enforcement information updated in step 3 and the policy enforcement information was sent to the WAG beforehand (e.g., in step 5 of clause 7.2), it should be updated to the WAG in this step.
5. The WLAN access authorisation information of the associated connection is updated to WLAN as necessary. If the subscriber loses the authorization of the WLAN access, WLAN shall disconnect the radio interface connection by WLAN technology specific mechanisms.


7.3.1 Access and service Authorization information update procedure

This procedure is for WLAN 3GPP IP Access.

Figure 7.4: Authorization information Update Procedure

1. User is registered to a 3GPP AAA Server
2. User's service subscription is modified in the HSS e.g. via O&M.
3. HSS updates the profile information stored in the registered 3GPP AAA Server by Wx reference point procedure "Subscriber Profile".
4. The WLAN access authorisation information of the associated connection is updated to WLAN AN if necessary. If the subscriber loses the authorization of the WLAN access, WLAN shall disconnect the radio interface connection by WLAN technology specific mechanisms.
5. The service authorisation information of the activated services is updated to PDGs if necessary. A deactivation of service may be initiated if the subscriber lost the authorization of the activated service.
6. The filtering policy information of the activated services is updated to WAG if necessary.

NOTE: The de-registration may be initiated by the 3GPP AAA Server to the HSS as necessary, i.e., the 3GPP AAA Server determines that the WLAN UE is unable to access any service upon the updated authorization.


7.4 Cancelling WLAN Registration

Figure 7.5: Cancellation of WLAN Registration Procedure (message sequence chart between WLAN UE, WLAN AN, 3GPP AAA Server, HSS, WAG, PDG and External AAA Server; the numbered steps are described below)

1. The 3GPP subscribers WLAN subscription is cancelled in HSS.
2. HSS cancels subscribers WLAN registration in the 3GPP AAA Server by Wx reference point procedure "Cancel WLAN Registration". In the messages subscriber is identified by his permanent identity.
3. If the subscriber's WLAN access connection still exists, Wa reference point procedure "Session Abort" procedure is executed towards WLAN.
4. If the radio connection still exists, WLAN disconnects the radio interface connection by WLAN technology specific mechanisms.
5. If the subscriber's tunnel connection with one or several PDG(s) exists, the 3GPP AAA Server/Proxy informs the PDG(s) over the Wm reference point, to remove the tunnel related information and resource.
6. If accounting has been started in the External AAA Server, then the PDG initiates "Accounting Stop" procedure to the External AAA Server.
7. The filters, which were deployed to WAG for the tunnel(s) during the tunnel establishment, are removed.


7.5 Disconnecting a Subscriber by WLAN

Figure 7.6: WLAN initiated disconnection procedure (message sequence chart between WLAN UE, WLAN AN, 3GPP AAA Server/Proxy, HSS, WAG, PDG and External AAA Server; the numbered steps are described below)

1. WLAN detects that a Session related to a WLAN UE should be terminated towards the 3GPP AAA Server, e.g. when the WLAN UE has disappeared from WLAN coverage.
2. WLAN initiates Wa Session Termination procedure towards 3GPP AAA Server.
3. If the subscriber has a tunnel connection with one or more PDGs, and the 3GPP AAA Server/Proxy needs to remove the connections, it informs the PDG(s) over the Wm reference point to remove the tunnel related information and resource.
4. If accounting has been started in the External AAA Server, then the PDG initiates "Accounting Stop" procedure to the External AAA Server.
5. The filters, which were deployed to WAG for the tunnel(s) during the tunnel establishment, are removed.
6. In case when the 3GPP AAA Server decides to remove the WLAN UEs state from the 3GPP AAA Server, the 3GPP AAA Server notifies HSS using Wx procedure "Purge" that the WLAN registration in the 3GPP AAA Server has been cancelled. HSS removes the state related to that 3GPP AAA Server, e.g., the address of the serving 3GPP AAA Server for the identified subscriber.


7.6 Disconnecting a Subscriber by Online Charging System

7.6.1 The OCS initiated WLAN AN access disconnection

Figure 7.7: The OCS initiated WLAN AN access disconnection procedure (message sequence chart between WLAN UE, WLAN AN, 3GPP AAA Server/Proxy, OCS, HSS, WAG, PDG and External AAA Server; the numbered steps are described below)

This section applies to the case when an online charged user runs out of credit and is totally disconnected from WLAN.

1. A subscriber is online charged by 3GPP AAA Server for WLAN access.
2. The OCS (Online Charging System) denies credit request from the 3GPP AAA Server for WLAN access. The possibly already retrieved online credit runs out.
3. To disconnect the subscriber's connection, Wa reference point procedure "Session Abort" procedure is executed towards the WLAN AN.
4. The WLAN AN disconnects the radio interface connection by WLAN technology specific mechanisms.
5. If the subscriber's tunnel connection with one or several PDG(s) exists, the 3GPP AAA Server/Proxy informs the PDG(s) over the Wm reference point, to remove the tunnel related information and resource.
6. If accounting has been started in the External AAA Server, then the PDG initiates "Accounting Stop" procedure to the External AAA Server.
7. If filters were deployed to WAG for the tunnel(s) during the tunnel establishment, then they are removed.
8. If no Wx "Purge" procedure was already initiated in step 3, then the 3GPP AAA Server notifies HSS that WLAN registration in the 3GPP AAA Server has been cancelled, by means of Wx procedure "Purge".


7.6.2 The OCS initiated tunnel disconnection

Figure 7.8a: The OCS initiated tunnel disconnection procedure (message sequence chart between WLAN UE, WLAN AN, WAG, PDG, 3GPP AAA Server/Proxy, OCS and HSS; the numbered steps are described below)

This section applies to the case when the tunnels of an online charged user are disconnected due to the lack of credits.

1. The Online Charging System (OCS) denies the credit request from the PDG. The possibly already retrieved online credit runs out.
2. The PDG disconnects the tunnels that require new credits using the network initiated tunnel disconnection procedure (clause 7.10.2). The tunnels that do not require new credits (e.g., the tunnels using free of charge W-APNs) will not be disconnected.
3. If all tunnels of the subscriber have been disconnected in the previous step then the 3GPP AAA Server may decide to totally disconnect the subscriber by performing "Session Abort" towards the WLAN AN (i.e. step 3 and 4 of clause 7.6.1).
4. If the subscriber is disconnected from the WLAN AN in step 3 and no Wx "Purge" procedure was already initiated, then the 3GPP AAA Server notifies HSS that WLAN registration in the 3GPP AAA Server has been cancelled, by means of Wx procedure "Purge".


7.7 Charging offline charged subscribers

Figure 7.8: Charging Procedure for Offline Charged Subscribers

1. The WLAN user is authenticated and authorized for WLAN access. User profile is downloaded into 3GPP AAA Server. Part of the profile is information that the user is to be offline charged.
2. The WLAN AN collects charging data related to access or services locally consumed.
3. The WLAN AN periodically forwards collected charging information to the 3GPP AAA Server over Wa reference point. While roaming, the 3GPP AAA Proxy in VPLMN then relays this information to VPLMN's offline charging system over Wf interface and to the 3GPP AAA Server in HPLMN over Wd interface.
4. This step only happens in roaming case as shown in figure 6.2a: Roaming reference model - 3GPP PS based services provided via the 3GPP Home Network. In this case the WAG in VPLMN periodically sends charging information to the 3GPP AAA Proxy in VPLMN over Wg reference point. The 3GPP AAA Proxy in VPLMN then relays this information to VPLMN's offline charging system over Wf interface.
5. In case UE establishes IPsec Tunnel with PDG, the PDG periodically sends charging information to the 3GPP Offline charging system over Wz reference point.
6. The 3GPP AAA Server forwards charging information to the HPLMN's Offline Charging System over the Wf reference point.

NOTE: In visited network the 3GPP AAA Proxy may also periodically report the usage of resources to the local Offline Charging System over the Wf reference point.

7.8 Charging online charged subscribers

Figure 7.9: Charging Procedure for Online Charged Subscribers (message sequence chart between WLAN UE, WLAN AN, 3GPP AAA Server/Proxy and OCS; the chart labels the credit requests of steps 2 and 7 as sent over the Wo reference point as a part of authorisation and re-authorisation)

1. The WLAN user is authenticated and authorized for WLAN access. User profile is downloaded into 3GPP AAA Server. Part of the profile is information that the user is to be online charged.
2. The 3GPP AAA Server requests online charging credit from the OCS.
3. The OCS returns credit as time and/or volume quota.
4. The allocated quota is indicated to the WLAN AN.
5. The WLAN AN monitors the quota consumption.
6. When quota is almost used, the WLAN AN issues re-authentication message over Wa reference point. Used quota is indicated in the request.
7. The 3GPP AAA Server requests more credit from the OCS.
8. The OCS returns credit as time and/or volume quota.
9. The allocated new quota is indicated to the WLAN AN.
10. The user disconnects from WLAN AN.
11. The WLAN AN reports the used quota to the 3GPP AAA Server over Wa reference point.
12. The user account is debited/credited according to the usage information in the final message.

NOTE: In visited network the 3GPP AAA Proxy may also periodically report the usage of resources to the local Online Charging System over Wf reference point. In home network the 3GPP AAA Server may also report the usage to the Online Charging System over the Wf reference point using offline charging procedures for statistical or other purposes.
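The quota loop of the online charging procedure above, together with the credit denial case of clause 7.6.1, as an added example that is not part of TS 23.234. The `Ocs` class, the volume-only quota, the 80 % threshold standing in for "almost used" and all amounts are assumptions chosen for illustration.

```python
from typing import Dict, List, Tuple


class Ocs:
    """Toy Online Charging System holding one prepaid balance (volume units)."""

    def __init__(self, balance: int, grant: int = 1000) -> None:
        self.balance = balance
        self.grant = grant   # largest quota handed out per request (assumption)

    def request_credit(self, used_since_last_grant: int = 0) -> int:
        """Credit request: debit the reported usage, return a new quota (0 = denied)."""
        self.balance -= used_since_last_grant
        return min(self.grant, max(self.balance, 0))

    def final_report(self, used: int) -> None:
        """Final message: debit the usage reported when the user disconnects."""
        self.balance -= used


def run_session(ocs: Ocs, traffic: List[int], threshold: float = 0.8) -> Dict[str, object]:
    """Play one online charged session; traffic is a list of constructed chunk sizes."""
    if not 0 < threshold <= 1:
        raise ValueError("threshold must be in (0, 1]")
    log: List[Tuple[str, int, int]] = []   # (event, used quota reported, new quota)
    quota = ocs.request_credit()           # initial credit request during authorisation
    if quota == 0:
        return {"outcome": "denied", "delivered": 0, "log": log}
    used = delivered = 0
    for chunk in traffic:
        remaining = chunk
        while remaining > 0:
            # The WLAN AN monitors consumption and never forwards beyond the quota.
            send = min(remaining, quota - used)
            used += send
            remaining -= send
            delivered += send
            if used >= threshold * quota:
                # Quota almost used: re-authentication carrying the used quota.
                quota = ocs.request_credit(used)
                log.append(("reauth", used, quota))
                used = 0
                if quota == 0:
                    # Credit denied: stand-in for "Session Abort" over Wa (clause 7.6.1).
                    return {"outcome": "session-abort", "delivered": delivered, "log": log}
    ocs.final_report(used)                 # user disconnects, last usage is reported
    log.append(("final", used, 0))
    return {"outcome": "user-disconnect", "delivered": delivered, "log": log}


if __name__ == "__main__":
    account = Ocs(balance=2500)
    print(run_session(account, [500, 400, 700, 600, 900]), account.balance)
```

Because each quota is capped by the remaining balance and only reported usage is debited, the balance never goes negative and unused quota is not charged.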

7.9 W-APN resolution and Tunnel establishment

This information flow presents the generic message exchange necessary in order to resolve the selected W-APN and establish a WLAN UE-Initiated tunnel for WLAN 3GPP IP Access purposes. As a prerequisite of these procedures it is necessary to perform the following:

1. Allocation of the WLAN UE's local IP address and optionally WLAN Access Authentication and Authorisation which may depend on the home operator policy as well as the policy of the provider of the WLAN Access Network.

NOTE 1: The authentication and authorization for WLAN Direct IP access and WLAN 3GPP IP access may be performed independently according to the home operator's policy. (For example, the WLAN Access Authentication and Authorisation procedure can be skipped when the home operator allows).

Figure 7.10: Example message flow to WLAN UE-Initiated tunnel establishment (message sequence chart between WLAN UE, WLAN AN, WAG, 3GPP AAA Server/Proxy, Visited PDG, 3GPP AAA Server, Home PDG and External AAA Server; the numbered steps are described below)

When the user decides that he wants to access a service, the WLAN UE selects the W-APN network ID associated to the service requested by the user. A detailed description of the W-APN resolution and the WLAN UE-Initiated Tunnel Establishment is given below. For the case of IMS Emergency Calls, a W-APN shall be used to indicate emergency access to PS domain. The emergency call W-APN defaults to the visited/local PDG.

2. Depending on internal configuration, the WLAN UE initiates W-APN resolution and tunnel establishment with a PDG in VPLMN.

NOTE 2: The configuration of the WLAN UE regarding W-APNs can be controlled by e.g. USIM Application Toolkit-based mechanisms.

2.1 WLAN UE constructs an FQDN using the W-APN Network Identifier and VPLMN ID as the Operator Identifier and performs a DNS query to resolve it. The DNS response will contain one or more IP addresses of equivalent PDGs that support the requested W-APN in the VPLMN according to standard DNS procedures. If the VPLMN does not support the W-APN, then the DNS query returns a negative response. In this case, the WLAN UE continues with step 3.


2.2 The WLAN UE selects a PDG from the list received in step 2.1. If the DNS response contains IPv4 and IPv6 addresses, the WLAN UE has to select an address that has the same format as its own local IP address. If a PDG is finally selected, the establishment of an end-to-end tunnel is performed between the WLAN UE and this PDG. The WLAN UE shall include the W-APN and the user identity in the initial tunnel establishment request.

2.3 During the tunnel establishment, the PDG contacts the 3GPP AAA Server in the HPLMN via the 3GPP AAA Proxy for authorization of the WLAN UE for the W-APN being requested by the WLAN UE and to retrieve the information required for the mutual authentication part of the tunnel establishment. The authorized 3GPP WLAN QoS profile shall be sent to the PDG if QoS mechanisms are applied. As a result of successful mutual authentication the 3GPP AAA Server registers itself at the HSS (WLAN registration procedure). This action may be omitted, if the 3GPP AAA Server is already registered at the HSS. The 3GPP AAA Server shall be able to check that the user requesting the tunnel establishment has been already successfully WLAN Access Authorized. Based on operator policy it shall be possible to turn this check on and off. The check may be based on the user's subscription data, e.g. the user's subscribed services. If the check is not successful, the tunnel establishment request is rejected. If the WLAN UE is not allowed to use a visited-PDG to access the given W-APN, the 3GPP AAA Server shall send a rejection message to the PDG and then the tunnel establishment shall be rejected by the PDG. The 3GPP AAA Server shall provide PDG with the subscribed Charging Characteristics or W-APN Charging Characteristics. If it is not possible to establish the tunnel with any of the PDGs received from step 2.1, or the tunnel establishment failure reason is that the WLAN UE is not allowed to use a visited-PDG to access the given W-APN, then the WLAN UE continues with step 3. Otherwise, the visited PDG shall dynamically assign a remote IP address for the WLAN UE or shall request it from an external IP network using standard mechanisms (such as DHCP, Radius).

NOTE 3: The access to emergency W-APN shall not require any subscription. Tunnel establishment towards the local emergency W-APN shall not be rejected based on check of user's subscribed services or that user is not allowed to use a PDG from the visited network. However, authorization procedures may be used on Wm to register the PDG at the 3GPP AAA Server as serving the user for the emergency W-APN.

2.4 If the specified W-APN requires the next authentication and authorization with the External AAA Server, the PDG initiates the next authentication and authorization with the External AAA Server after the successful authentication and authorisation in step 2.3. The Accounting start message is sent to the External AAA Server if the specified W-APN requires.

2.5 During the tunnel establishment procedure, the PDG and the WAG exchange information via the 3GPP AAA Proxy in order to establish a filtering policy to allow the forwarding of tunnelled packets to the PDG. The 3GPP AAA Proxy requests the WAG to apply filtering policy based on information obtained from the PDG. The 3GPP AAA Proxy decides which filtering policy could be applied by the WAG according to local information (e.g. based on number of users, WAG capabilities, roaming agreement policy, etc). The PDG binds the remote IP address with the local IP address of the WLAN UE. The remote IP address is communicated to the WLAN UE.

3. Depending on internal configuration, or due to the failure of step 2.1 or 2.3, the WLAN UE initiates W-APN resolution and tunnel establishment with a PDG in HPLMN.

3.1 WLAN UE constructs an FQDN using W-APN Network Identifier and the HPLMN ID as the Operator Identifier, and performs a DNS query to resolve it. The DNS response will contain one or more IP addresses of equivalent PDGs that support the requested W-APN in the HPLMN according to standard DNS procedures.

3.2 The WLAN UE selects a PDG from the list received in step 3.1. If the DNS response contains IPv4 and IPv6 addresses, the WLAN UE has to select an address that has the same format as its own local IP address. If a PDG is finally selected, establishment of an end-to-end tunnel is performed between the WLAN UE and this PDG. The WLAN UE shall include the W-APN and the user identity in the initial tunnel establishment request.

3.3 During the tunnel establishment, the PDG contacts the 3GPP AAA Server in the HPLMN for authorization of the WLAN UE for the W-APN being requested by the WLAN UE and to retrieve the information required for the mutual authentication part of tunnel establishment. The authorized 3GPP WLAN QoS profile shall be sent to the PDG if QoS mechanisms are applied. As a result of successful mutual authentication the 3GPP AAA Server registers itself at the HSS (WLAN registration procedure). This action may be omitted, if the 3GPP AAA Server is already registered at the HSS. The 3GPP AAA Server shall be able to check that the user requesting the tunnel establishment has been already WLAN Access Authorized. Based on operator policy it shall be possible to turn this check on and off. The check may be based on the user's subscription data, e.g. the user's subscribed services. If the check is not successful, the tunnel establishment request is rejected. If the WLAN UE is not allowed to use a Home PDG to access the given W-APN according to his subscription, the 3GPP AAA Server shall send a rejection message to the PDG and then the tunnel establishment shall be rejected by the Home PDG. The 3GPP AAA Server shall provide the PDG with the WLAN UE's remote IP address, received from the HSS, when static remote IP address allocation is used. Otherwise the home PDG shall dynamically assign a remote IP address for the WLAN UE or shall request it from an external IP network using standard mechanisms (such as DHCP, Radius). The 3GPP AAA Server shall provide PDG with the subscribed Charging Characteristics or W-APN Charging Characteristics.

3.4 If the specified W-APN requires the next authentication and authorization with the External AAA Server, the PDG initiates the next authentication and authorization with the External AAA Server after the successful authentication and authorisation in step 3.3. The Accounting start message is sent to the External AAA Server if the specified W-APN requires.

3.5 During the tunnel establishment, the PDG and the WAG exchange information via the 3GPP AAA Server and 3GPP AAA Proxy in order to establish a filtering policy to allow the forwarding of tunnelled packets to the PDG. The 3GPP AAA Server requests to the WAG to apply filtering policy based on information obtained from the PDG. The 3GPP AAA Server decides which filtering policy could be applied by the WAG according to local information (e.g. based on number of user, WAG capabilities, roaming agreement policy etc). The applied filtering policy is communicated to the Home-PDG. The PDG binds the remote IP address with the local IP address of the WLAN UE. The remote IP address is communicated to the WLAN UE.
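The PDG selection logic of the W-APN resolution steps above, as an added example that is not part of TS 23.234: the WLAN UE tries the VPLMN first, keeps only PDG addresses of the same IP format as its own local address, and falls back to the HPLMN on a negative DNS response or when no visited PDG accepts the tunnel. The FQDN layout, the `SAMPLE_DNS` table and the `try_tunnel` callback (standing in for tunnel establishment and its authorization) are assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for DNS answers: FQDN -> PDG addresses (documentation ranges).
SAMPLE_DNS: Dict[str, List[str]] = {
    "ims.w-apn.vplmn.example": ["2001:db8:1::10", "192.0.2.10", "192.0.2.11"],
    "ims.w-apn.hplmn.example": ["198.51.100.20", "2001:db8:2::20"],
    "mms.w-apn.hplmn.example": ["198.51.100.30"],   # W-APN unknown in the VPLMN
}


def build_fqdn(wapn_network_id: str, plmn_id: str) -> str:
    """Placeholder layout (assumption); the real format is defined in TS 23.003."""
    return f"{wapn_network_id}.w-apn.{plmn_id}.example"


def same_family(addresses: List[str], local_ip: str) -> List[str]:
    """Keep the PDG addresses that have the same format (IPv4/IPv6) as the local IP."""
    wanted = ipaddress.ip_address(local_ip).version
    kept = []
    for address in addresses:
        try:
            if ipaddress.ip_address(address).version == wanted:
                kept.append(address)
        except ValueError:
            continue   # malformed record in the answer: skip it, do not fail
    return kept


def select_pdg(
    wapn_network_id: str,
    local_ip: str,
    vplmn_id: Optional[str],
    hplmn_id: str,
    try_tunnel: Callable[[str, str], bool],
    dns: Optional[Dict[str, List[str]]] = None,
    try_visited_first: bool = True,   # the "internal configuration" of the WLAN UE
) -> Optional[Tuple[str, str]]:
    """Return (PLMN role, PDG address) of the first PDG that accepts the tunnel."""
    dns = SAMPLE_DNS if dns is None else dns
    attempts: List[Tuple[str, str]] = []
    if vplmn_id is not None and try_visited_first:
        attempts.append(("VPLMN", vplmn_id))
    attempts.append(("HPLMN", hplmn_id))
    for role, plmn_id in attempts:
        # A missing name models the negative DNS response.
        answers = dns.get(build_fqdn(wapn_network_id, plmn_id), [])
        for address in same_family(answers, local_ip):
            if try_tunnel(role, address):
                return role, address
    return None


if __name__ == "__main__":
    # Visited PDGs reject the tunnel, e.g. the user may not use a visited-PDG.
    print(select_pdg("ims", "10.0.0.5", "vplmn", "hplmn",
                     lambda role, address: role == "HPLMN"))
```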

7.9.1 Void

7.9.2 Subsequent authentication

In the case that the user attempts a subsequent tunnel establishment to a different PDG, it should be possible to avoid repeating the full authentication process and to perform fast re-authentication. Fast re-authentication is an optional feature and its activation is performed in the home operator's network.

7.9.3 Use of DNS

Operators may restrict the propagation of DNS information used for the above mechanism to DNS servers controlled by the PLMNs and to DNS servers available only to authorised 3GPP WLAN UEs (i.e. those WLAN UEs which have successfully connected to a 3GPP Interworking WLAN). It is an operators' decision whether such propagation of this DNS information is restricted or not. It shall be possible to configure multiple PDG addresses against a single FQDN in a manner which allows the load to be shared across these PDGs. It shall be possible to configure IPv4 and IPv6 addresses against a single FQDN and to return these addresses together to the WLAN UE. See TS 23.003 [5] for more information on PDG addressing (W-APNs).

7.9.4 Subsequent tunnel establishment

The subsequent tunnel establishment should follow the same procedure as in the first tunnel establishment.

7.10 Tunnel disconnection procedures

Tunnel disconnection can be either:
- Initiated from the WLAN UE, as a result of an explicit deactivation/de-registration from the service.
- Initiated from the PDG, e.g. due to timeout of the tunnel connection or request from the 3GPP AAA Server or other network entities.

Tunnel disconnection is specified for the following situations:
- Normal service termination resulting from an end user requesting termination of the end-to-end tunnel connection using tunnel control signalling or deletion of the IP bearers associated with a service.
- Service termination resulting from network operator intervention.
- Loss of radio connections which are used to transport the tunnel signalling.

The tunnel disconnection message exchanges between the WLAN UE and the PDG are performed based on the specific tunnel control signalling protocol. The WLAN UE and the PDG release the control information associated with the tunnel during the exchange, and the PDG should send a tunnel release report to the 3GPP AAA Server to update the corresponding subscriber's service connection information and status in the 3GPP AAA Server, e.g. the service/tunnel connection activation info, the allocated IP address, etc. The filtering policy information applied on the WAG should also be removed, if necessary.

7.10.1 WLAN UE initiated tunnel disconnection

Figure 7.12: WLAN UE initiated tunnel disconnection (message sequence chart between WLAN UE, WLAN AN, WAG, PDG, 3GPP AAA Server, HSS and External AAA Server; the numbered steps are described below)

1. The WLAN UE determines to release the tunnel, e.g. due to the normal service termination operation.
2. The WLAN UE sends a Release tunnel request to the PDG.
3. Upon receiving the Release tunnel request, the PDG sends a Release acknowledgement to the WLAN UE, releases the resources and the associated control information of the tunnel, and sends a Tunnel disconnection report to the 3GPP AAA Server.
4. Upon receiving the Release acknowledgement, the WLAN UE releases the resources and the control information of the tunnel.
5. If accounting has been started in the External AAA Server, then the PDG initiates "Accounting Stop" procedure to the External AAA Server.
6. Upon receiving the Tunnel disconnection report, the 3GPP AAA Server updates the related service information and/or status of the subscriber; and removes the filtering policy related to the disconnected tunnel from WAG if necessary.


2.10.2 T+e net or! initiated t&nne) di'(onne(tion


<5.' 32 <5.' .' <.G P:G 3GPP ... "erver >""

,. The P:G determine to release the tunnel *. /elease tunnel /e@ 3. /elease the tunnel resource and info 3. /elease .c# ;. /elease the tunnel resource and info 2(ternal ... "erver

;. Tunnel disconnection /eport

=. "top accountin (if needed) Aa. "ervice infoE status update Ab. 7ilterin policy remove from <.G

1i#ure /'%32 The networ initiated tunnel disconnection ,. The P:G determines to release the tunnel- e. . due to timeout of the tunnel connection or a re@uest from the 3GPP ... "erver- or due to a networ# initiated normal service termination or a service termination resultin from networ# operator intervention. *. The P:G sends a /elease tunnel re@uest to the <5.' 32. 3. 3pon receivin the /elease tunnel re@uest- the <5.' 32 releases the resources and the associated control information of the tunnel- and sends the /elease ac#nowled ement to the P:G. ;. 3pon receivin the release ac#nowled ement- the P:G releases the resources- the associated control information of the tunnel- and the related service authori!ation informationG and sends a Tunnel disconnection report to the 3GPP ... "erver. =. &f accountin has been started in the 2(ternal ... "erver- then the P:G initiates K.ccountin "topK procedure to the 2(ternal ... "erver. A. 3pon receivin the Tunnel disconnection report- the 3GPP ... "erver updates the related service information andEor status of the subscriberG and removes the filterin policy related to the disconnected tunnel from <.G if necessary.

7.10.3 Disconnection of the last tunnel for a WLAN UE

If the PDG detects that the disconnected tunnel is the last tunnel between the PDG and the WLAN UE, then all the WLAN UE related authorization and profile information could be removed from the PDG during the tunnel disconnection process.

In case the 3GPP AAA Server decides to disconnect the WLAN UE from the WLAN after disconnection of the tunnel, a disconnection procedure will proceed as described in section 7.6.1 (steps 3-4). After the WLAN UE was disconnected from the WLAN, the 3GPP AAA Server notifies the HSS using the Wx procedure "Purge" that the WLAN UE's registration in the 3GPP AAA Server has been deleted. In this case the HSS de-registers the 3GPP AAA Server (WLAN de-registration procedure).


7.11 The WLAN UE initiated WLAN AN Access disconnection

The WLAN UE may disconnect from the WLAN AN by:
- initiating a disconnection of the WLAN radio connection;
- initiating a disconnection of the WLAN IP connectivity.

Disconnection of the WLAN radio connection

Upon receiving a WLAN radio disconnection request (e.g., Disassociation in case of IEEE802.11 WLAN AN) from the WLAN UE with the WLAN access connection, the WLAN AN should perform the "disconnecting a subscriber by WLAN AN" (section 7.5) during or after the WLAN radio disconnection, with or without confirm message to the WLAN UE.

Disconnection of the WLAN IP connectivity

The UE initiated disconnection of the WLAN IP connectivity is usually performed before the disconnection of the WLAN radio connection and after the disconnection of the 3GPP PS access tunnels. However the WLAN UE may initiate a WLAN IP connectivity disconnection before the 3GPP PS access tunnels are disconnected. This will trigger the tunnel disconnection procedure specified in section 7.10.2.

If the WLAN UE initiates a disconnection of the WLAN IP connectivity:
1. The WLAN UE may initiate a disassociation after the disconnection procedure.
2. The WLAN AN stops the connection under the request of the WLAN UE, e.g. close the opened port to the WLAN UE.
3. The WLAN AN should perform the "disconnecting a subscriber by WLAN AN" during or after the disconnection of WLAN access connection.

The WLAN AN should initiate an authentication or a disconnection of WLAN radio connection with this WLAN UE, if the WLAN UE keeps the WLAN radio connection without subsequent indication or requests in a certain period of time.

The 3GPP PS Access tunnel disconnection

The UE initiated tunnel disconnection is usually performed before the disconnection of WLAN IP connectivity and the disconnection of the WLAN radio connection. However, the WLAN UE may directly initiate a disconnection of the WLAN radio connection as a fast disconnection option when tunnel connections with PDG exist. This will trigger the tunnel disconnection procedure specified in section 7.10.2.

7.12 User identity to HSS resolution

7.12.1 General

This section describes the resolution mechanism, which enables the 3GPP AAA Server to find the address of the HSS, that holds the subscriber data for a given user identity when multiple and separately addressable HSSs have been deployed by the network operator. This resolution mechanism is not required in networks that utilise a single HSS. An example for a single HSS solution is a server farm architecture. The NAI will be used as user identifier towards the SLF.

The subscription locator is accessed via the Dw reference point. The Dw reference point is the standard interface between the 3GPP AAA Server and the SLF. The synchronisation between the SLF and the different HSSs is an O&M issue. The subscription locator is already defined in TS 23.228 [24] for Cx and Sh interfaces.

The Dw interface provides:
- an operation to query the subscription locator from 3GPP AAA Server
- a response to provide the HSS name towards 3GPP AAA Server.

By sending the Dw-operation DW_SLF_QUERY the 3GPP AAA Server indicates a user identity of which it is looking for an HSS. By the Dw-operation DW_SLF_RESP, the SLF responds with the HSS address. The 3GPP AAA Server may optionally store the HSS address for a given subscriber so subsequent queries to the SLF are not needed. Subclause 7.12.2 presents an example of the session flow when the 3GPP AAA Server needs to query the SLF.

7.12.2 SLF query

Figure 7.14: Query through SLF

1. 3GPP AAA Server detects that it requires the user profile, the registration or new authentication vectors for a given 3GPP subscriber, so has to query for the location of the user's subscription data. The 3GPP AAA Server sends a DW_SLF_QUERY to the SLF and includes as parameter the user identity of the subscriber.
2. The SLF looks up its database for the queried user identity.
3. The SLF answers with the HSS address in which the user's subscription data can be found.
4. The 3GPP AAA Server can proceed by querying the appropriate HSS by Wx protocol.


7.13 Disconnecting a Subscriber by the External AAA Server

7.13.1 The External AAA Server initiated tunnel disconnection

Figure 7.15: The External AAA Server initiated tunnel disconnection procedure

This section applies to the case when the tunnel disconnection is initiated by the External AAA Server.

1. Some IP applications, for example, the authorization of usage of the W-APN expired, could need to interwork with the PDG to terminate a particular session. For this purpose, the External AAA Server may initiate the tunnel disconnection.
2. The PDG disconnects the tunnels using the network initiated tunnel disconnection procedure (clause 7.10.2).
3. If all tunnels of the subscriber have been disconnected in the previous step then the 3GPP AAA Server may decide to totally disconnect the subscriber by performing "Session Abort" towards the WLAN AN (i.e. steps 3 and 4 of clause 7.6.1).
4. If the subscriber is disconnected from the WLAN AN in step 3 and no Wx "Purge" procedure was already initiated, then the 3GPP AAA Server notifies HSS that WLAN registration in the 3GPP AAA Server has been cancelled, by means of Wx procedure "Purge".

Annex A (informative): Void

Annex B (informative): Void

Annex C (informative): Possible interworking architectures between WLAN AN and PLMN

C.1 WLAN shared by (or connected to) multiple ISPs and PLMNs

This is typically when a WLAN AN is owned by an independent entity such as a hotel and the owner allows subscribers of ISPs to use their WLAN AN by using the ISP network. However, WLAN AN owned by an ISP or a PLMN may also allow other ISP/PLMN subscribers to use the WLAN in a similar way.

In this situation, the WLAN AN may be connected to multiple ISPs and PLMNs in the layer 2 for WLAN 3GPP IP Access as shown in Figure C.1.1. Another solution using DNS and NAT is described in C.2.3. To this end, VLAN or other layer 2 tunnelling capabilities may be implemented in APs or access controller in WLAN AN in order to separate traffic of different networks. The interface between the WLAN AN and the PLMN may be a Layer 2 tunnel, such as VLAN, Martini, or VPLS, etc. The WAG takes the role of the access router of the WLAN AN. This enables end to end tunnelling for WLAN 3GPP IP Access, even when the IP address of the PDG is not routable on the Internet.

The local IP address of a WLAN UE, when using WLAN 3GPP IP Access, belongs to the PLMN's IP address space. So, all the packets to a WLAN UE shall pass through the PLMN.

Figure C.1.1: Wn Interface when WLAN is connected to multiple ISPs and PLMNs

C.2 Routing packets from WLAN UE when WLAN AN is connected to multiple VPLMNs/ISPs and it provides direct Internet access

C.2.1 Separating traffic for different VPLMNs

When a WLAN AN providing direct Internet access has connections to multiple VPLMNs it is necessary to route all the users' non-Internet traffic to the correct VPLMN whilst Internet traffic is routed directly to the Internet. The VPLMN identity is known to the WLAN AN at initial user authentication/authorisation, since the AAA signalling is routed to that VPLMN, and the Access-Accept received from that VPLMN.

Therefore, for each VPLMN there must be a separate (logical) router in the WLAN AN which has a connection to that VPLMN and also to the Internet (note: this is a 'logical' router - it doesn't represent a restriction on WLAN AN's physical architecture). This router will receive all the traffic from WLAN UEs that are authenticated through that VPLMN. We call this the "WLAN AN Border Router for VPLMN X".

Various techniques could be used to ensure that all the WLAN UEs traffic is sent to the correct (logical) router, including:

- VLANs
  A separate VLAN is defined for each VPLMN. The WLAN AN Border Router for a given VPLMN is only accessible from that VPLMN's VLAN. Appropriate RADIUS AVPs can be used to place the user onto a particular VLAN. On receiving this instruction, the WLAN AP performs VLAN tagging of all frames from the user. Since the WLAN AN knows the identity of the correct VPLMN at initial authentication/authorisation time, this instruction can be sent to the AP at this time. As a result, all traffic from the user will be sent to the correct router.

- Compulsory tunnelling
  Standard RADIUS AVPs are used to request the WLAN AP to establish a compulsory tunnel for the WLAN UEs frames towards the correct router. Again, this can be done at initial authentication/authorisation time.

Other techniques may also exist, but since there is no requirement for signalling from VPLMN to WLAN AN, the technique chosen is entirely a matter for the WLAN AN operator.

C.2.2 Routing the traffic

The WLAN AN Border Router for a given VPLMN must distinguish Internet traffic (which should be sent directly to the Internet) from non-Internet traffic (i.e. packets to PDGs - which should be sent to the VPLMN). One way to achieve this is for the WLAN AN to recognise the addresses of PDGs. Traffic to a known PDG address is routed to the VPLMN and other traffic to the Internet.

There are several ways the WLAN AN could discover the PDG addresses:
- Statically - HPLMNs inform VPLMNs of their PDG addresses and VPLMNs inform WLAN ANs of these addresses together with any VPLMN PDG addresses. The addresses are statically configured in the routing tables of the WLAN AN Border Router.
- Dynamically - using standard IP routing protocols - HPLMNs must advertise routes to their PDGs across the inter-operator backbone. VPLMNs simply pass these advertisements to WLAN ANs along with advertisements of their own PDG addresses.

Configuration or advertisement of these addresses into the WLAN AN does not make these addresses routable from the Public Internet. Only users who are Authenticated and Authorised 3GPP WLAN UEs will be able to send packets to the (logical) WLAN AN Border Router, so only these devices can send packets to the configured/advertised addresses.

The above two approaches require that the addresses or prefixes configured or advertised are not also advertised over the public Internet. This is because although an address/prefix may be configured/advertised, there may be firewall rules or policies in the VPLMN which prevent packets being routed over the inter-operator backbone to that address. In that case, packets to that address would be dropped, meaning that any device re-using that address would not be routable at all from the WLAN UEs.

The solution is summarised in the figure below (assuming the VLAN option for dealing with multiple VPLMNs). Note that this is a logical view - the existence of two Border Routers with links to the Internet does not imply two physical elements/links.

Figure C.2.1: Traffic routeing based on the use of VLANs in the WLAN AN

C.2.3 Separating traffic to different VPLMNs using a combined DNS/NAT approach

If the WLAN UE is associated to the WLAN AN and authenticated through EAP, it can access the Internet directly (for WLAN Direct IP Access) or establish a tunnel to a PDG in the VPLMN/HPLMN to access 3GPP PS based services (for WLAN 3GPP IP Access). Both cases must be enabled in parallel.

The WLAN UE performs a DNS query to resolve a W-APN to a PDG address. This IP address is the tunnel endpoint in the PLMN. If the PDG resides in the HPLMN, it must be possible to route traffic to the PDG through the selected VPLMN. The combined DNS/NAT approach as described in this chapter adds no requirements to the WLAN UE and HPLMN and uses only normal IP routing capabilities in the VPLMN.

The main idea is to use some kind of "reverse NAT" in the VPLMN that maps the PDG address received in the answer to the WLAN UE's DNS request to an address out of the address range of the VPLMN. Each PDG address is mapped to one VPLMN address, which may be a private address, depending on the addresses used in the WLAN AN. For simplicity (no new protocol needed) and performance reasons the VPLMN DNS proxy and the desired reverse NAT function are implemented on the WAG. Thus, inside of the NAT is the HPLMN address space, outside is the WLAN AN address space.

As the WLAN is directly connected to the VPLMN it is aware about the VPLMN IP addresses and can easily route WLAN 3GPP IP Access traffic to the correct VPLMN. The VPLMN maps the destination address of the IP packet to the stored PDG address and forwards the packet to the HPLMN. WLAN Direct IP Access traffic goes to the default route configured in the WLAN edge router, i.e. to the Internet.

The following figure shows the process of W-APN resolution and NAT in the VPLMN. The figure shows a local DNS server in the WLAN AN while it is also possible that the WLAN UE receives the address of a DNS server in the VPLMN by DHCP or during EAP authentication. If the WLAN UE wants to access a PDG in the HPLMN, the W-APN indicates the HPLMN and optionally the VPLMN, otherwise the W-APN indicates the VPLMN only.

Figure C.2.2: DNS controlled reverse NAT procedure

1. WLAN access authentication procedure between WLAN UE and AAA server based on EAP.
2. WLAN UE retrieves PLMN list from WLAN and selects a preferred VPLMN.
3. WLAN UE gets transport IP address, local name server (optionally) and default router address via DHCP.
4. WLAN UE builds W-APN FQDN indicating VPLMN (optionally) and HPLMN and sends DNS request to local name server or directly to the name server in the VPLMN.
5. Local name server inspects W-APN FQDN and forwards DNS request to VPLMN name server. VPLMN name server is implemented together with a "reverse" NAT and probably a Firewall on the WAG.
6. VPLMN name server inspects W-APN FQDN and forwards DNS request to HPLMN name server through GPRS roaming network.
7. HPLMN name server resolves W-APN.
8. HPLMN name server responds to VPLMN name server with an address record of the W-APN.
9. VPLMN name server (acting as DNS Proxy) optionally changes the PDG address contained in the address record to an address of the WAG address space (this address may be a private address) and stores the mapping between the two addresses. The new address must be routable within the WLAN to the WAG. Changing the addresses may be an option configurable by the operator.
10. VPLMN name server responds the address record to local name server.
11. Local name server responds the address record to WLAN UE.
12. WLAN UE establishes tunnel to the address contained in the address record. This may be an address hosted by the WAG (otherwise it is the PDG address). This address is changed ("NATted") at the WAG to the "real" PDG address.
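The following Python sketch is an added illustration of steps 9 and 12 and of the WLAN edge routing decision; it is not part of the specification. The class and function names, the WAG prefix 10.20.0.0/29 and the PDG addresses are constructed for the example, and the collision check is an added defensive assumption.

```python
import ipaddress


class ReverseNatWag:
    """VPLMN name server (DNS proxy) and reverse NAT co-located on the WAG."""

    def __init__(self, wag_prefix, rewrite_enabled=True):
        # Address range hosted by the WAG; must be routable inside the WLAN AN.
        self.pool = ipaddress.ip_network(wag_prefix)
        # Step 9 is optional and operator-configurable.
        self.rewrite_enabled = rewrite_enabled
        self._free = iter(self.pool.hosts())
        self.pdg_to_wag = {}   # real PDG address -> WAG-hosted address
        self.wag_to_pdg = {}   # WAG-hosted address -> real PDG address

    def rewrite_answer(self, pdg_addr):
        """Step 9: replace the PDG address in the DNS answer and store the mapping."""
        pdg = ipaddress.ip_address(pdg_addr)
        if not self.rewrite_enabled:
            return str(pdg)
        if pdg in self.pool:
            # Added defensive check (assumption): an HPLMN answer that already
            # lies in the WAG range would make the mapping ambiguous.
            raise ValueError("PDG address collides with the WAG address space")
        if pdg not in self.pdg_to_wag:
            try:
                mapped = next(self._free)
            except StopIteration:
                raise RuntimeError("WAG address pool exhausted") from None
            # One PDG address maps to exactly one WAG-hosted address.
            self.pdg_to_wag[pdg] = mapped
            self.wag_to_pdg[mapped] = pdg
        return str(self.pdg_to_wag[pdg])

    def translate_tunnel_dst(self, dst_addr):
        """Step 12: map the tunnel destination back to the real PDG address.

        Returns None when the destination is WAG-hosted but no DNS answer
        created a mapping for it, so the packet has no PDG to go to.
        """
        dst = ipaddress.ip_address(dst_addr)
        if dst in self.wag_to_pdg:
            return str(self.wag_to_pdg[dst])
        if dst in self.pool:
            return None
        return str(dst)   # rewriting not used: destination is the PDG itself


def wlan_edge_next_hop(dst_addr, wag_prefix):
    """WLAN edge router: WAG-hosted prefix goes to the VPLMN, the rest follows
    the default route to the Internet (WLAN Direct IP Access)."""
    inside = ipaddress.ip_address(dst_addr) in ipaddress.ip_network(wag_prefix)
    return "VPLMN" if inside else "INTERNET"


if __name__ == "__main__":
    wag = ReverseNatWag("10.20.0.0/29")                 # constructed prefix
    answer = wag.rewrite_answer("198.51.100.10")        # constructed PDG address
    print("address record returned to the WLAN UE:", answer)
    print("edge router next hop:", wlan_edge_next_hop(answer, "10.20.0.0/29"))
    print("tunnel destination after NAT:", wag.translate_tunnel_dst(answer))
```
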

C.3 WLAN AN exclusively owned by and connected to a single PLMN

This is when a PLMN operator installs its own WLAN AN without any connections to other ISPs or PLMNs. In this case, WLAN AN can be regarded as an extension of the PLMN's IP network and no tunnel is required between WLAN AN and PLMN.

The local IP address of a WLAN UE in WLAN 3GPP IP Access belongs to the PLMN's IP address space.

C.4 WLAN AN connected to a single ISP

This is when WLAN AN is solely connected to an ISP's backbone network. WLAN AN is regarded as an extension of the ISP's backbone network. Many legacy WLAN ANs can be categorized to this case.

The connectivity between the WLAN AN and the PLMN is in layer 3 through the ISP's backbone network as shown in figure C.4.1.

This kind of WLAN AN supports WLAN Direct IP Access as defined in the TS 23.234, i.e. the authenticated WLAN UE can access the Internet directly via the ISP.

For WLAN 3GPP IP Access, the local IP address of a WLAN UE is generally allocated by the ISP and it belongs to the ISP's IP address space. When PLMN allocates WLAN UE's local IP address, a layer 2 tunnel is required.

When the end to end tunnelling is used between a WLAN UE and a PDG and the IP address of the PDG is non-routable in the Internet, an additional means is required for routing the packets to the PDG and to meet the routing enforcement requirement. It is FFS for methods to enable WLAN 3GPP IP Access for this kind of WLAN AN.

Figure C.4.1: Wn Interface when WLAN is connected to a PLMN through an ISP

Annex D (normative): Short Message Service

D.1 Architecture for support of SMS

The architecture for support of IP delivery of SMS messages is specified in TS 23.204 [39].

D.2 Void

D.3 Void

Annex E (informative): Void

Annex F (normative): Information on re-using the GGSN to implement the PDG function

This annex does not introduce new normative requirements for the PDG.

F.1 Introduction

This section provides information on how to re-use existing GGSN deployments to implement the PDG functionality via using a subset of the Gn reference point (denoted here as Gn'). The Gn' reference point provides means where GPRS mobile operators can reuse existing infrastructure and functionality for a user accessing from a WLAN UE. By using this existing standardized reference point, interoperability towards the Gateway GPRS Support Nodes (GGSN) is assured.

Such a PDG implementation allows re-use of existing GGSN functionality without upgrading GGSNs. For example, GGSN functions, which are used in this case are:
- Charging Gateway interfaces;
- IP address allocation;
- Authentication in external networks;
- Single access to 3GPP PS domain services.

Traffic Plane Functionality in the GGSN for online and offline service data flow charging (IP flow level bearer charging introduced in Rel-6, Policy and Charging Enforcement Function (PCEF) in Rel-7), may also be re-used. If QoS mechanisms are applied policy control functionality (e.g. service based QoS control or gating) according to TS 23.203 [36] may be re-used.

The following figure depicts a PDG implementation that re-uses GGSN functionality. It shall be noted that only a subset of the GGSN is reused for this purpose.

Figure F.1: PDG implementation re-using GGSN functionality (the PDG consists of a Tunnel Termination Gateway and a subset of GGSN functions connected over Gn'; external reference points shown are Wm, Wp, Wu and Gi / Wi)

The PDG functionality described in this specification may be implemented using the architecture described above in Figure F.1. In case this implementation is applied, the TTG and GGSN parts of the PDG shall be in the same PLMN.

This type of PDG implementation shall remain transparent to the other functional elements of the network.

F.2 Mapping between E2E tunnel and GTP tunnel

F.2.1 General

The end-to-end tunnel between the WLAN UE and the PDG is setup according to the procedure described in this specification. In a configuration when the Gn' reference point is used, the end-to-end tunnel setup is terminated by the TTG of the PDG, and the setup of GTP tunnel(s) is triggered towards the GGSN part of the PDG.

The GTP tunnel(s) between the TTG part and the GGSN part of the PDG are established using the two messages Create PDP Context Request and Create PDP Context Response. A GTP tunnel is identified in each node with a TEID (Tunnel End-point Identifier - an integer), an IP address and a UDP port.

The W-APN provided over the end-to-end tunnel shall be forwarded in the Create PDP Context Request message to the GGSN to select the external network. The IMSI of the WLAN UE shall be forwarded to the GGSN in the Create PDP Context Request message.

For further details on GTP tunnel management please refer to TS 29.060 [28].

F.2.2 No re-use of policy control functionality in the GGSN

Each end-to-end tunnel is mapped one-to-one to a GTP tunnel.

Figure F.2.2: Mapping between E2E tunnel and a single GTP tunnel

F.2.3 Re-use of policy control functionality in the GGSN

F.2.3.1 Usage of DiffServ marking of the GTP tunnel

The GGSN may have the additional capability to put a policed DiffServ marking onto the GTP IP header, based on the DSCP marking of the received DL IP packet and the applied policy. In this case no additional secondary PDP contexts are needed.

Figure F.2.3.1: Mapping between E2E tunnel and a single GTP tunnel

F.2.3.2 Usage of QoS profile of the GTP tunnels

Each end-to-end tunnel is mapped to one primary and multiple secondary GTP tunnels (one per allowed DSCP of the user's 3GPP WLAN QoS profile). The secondary PDP-context activation may be either network-initiated, or TTG initiated (where the TTG acts as MS).

Network initiated secondary PDP context activation takes place if enabled in the TTG and also the GGSN supports it.

In case of TTG initiated secondary PDP-context activation the TTG initiates a secondary PDP-context for each allowed DSCP of the user's 3GPP WLAN QoS profile at the time of end-to-end tunnel setup. The TFTs for these secondary PDP contexts are statically configured in the TTG.

The TFTs statically configured in the TTG shall only use DSCP as filtering criteria to allow the selection of the appropriate PDP context by the TTG. There shall be one PDP context without TFT to be able to transfer packets in case the DSCP marking of an incoming packet does not match to any TFT.

NOTE: The GGSN may apply DiffServ edge control functions of uplink IP packets which may result in re-classification (re-marking the DSCP) or discarding of IP packets.

The end-to-end tunnel is released by the TTG when the last active GTP tunnel to the GGSN is released. In the DL direction the correct GTP tunnel is selected based on the active predefined PCC rules.
Figure F.2.3.2: Mapping between E2E tunnel and one primary and several secondary GTP tunnel(s)
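The DSCP-only TFT selection and the release rule of F.2.3.2 can be sketched as follows; this is an added Python example, not code from the specification. It assumes the primary PDP context is the one without a TFT, and the class names, NSAPI numbering and sample headers are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PdpContext:
    nsapi: int
    tft_dscp: Optional[int]   # None: the one PDP context without a TFT


def dscp_of(ip_packet: bytes) -> int:
    """Extract the 6-bit DSCP from an IPv4 or IPv6 header."""
    if len(ip_packet) < 2:
        raise ValueError("truncated IP header")
    version = ip_packet[0] >> 4
    if version == 4:
        return ip_packet[1] >> 2                     # upper 6 bits of the TOS byte
    if version == 6:
        traffic_class = ((ip_packet[0] & 0x0F) << 4) | (ip_packet[1] >> 4)
        return traffic_class >> 2
    raise ValueError("not an IP packet")


class E2ETunnel:
    """One end-to-end tunnel mapped to a primary and several secondary GTP tunnels."""

    def __init__(self, allowed_dscps, first_nsapi=0):
        # Assumption: the primary context carries no TFT and acts as fallback.
        self.contexts = {first_nsapi: PdpContext(first_nsapi, None)}
        # One secondary PDP context per allowed DSCP of the WLAN QoS profile.
        for offset, dscp in enumerate(sorted(set(allowed_dscps)), start=1):
            if not 0 <= dscp <= 63:
                raise ValueError("DSCP must fit in 6 bits")
            nsapi = first_nsapi + offset
            self.contexts[nsapi] = PdpContext(nsapi, dscp)
        self.released = False

    def select(self, ip_packet: bytes) -> Optional[PdpContext]:
        """Pick the PDP context for a packet arriving from the WLAN UE.

        TFTs filter on DSCP only; a packet matching no TFT uses the context
        without TFT. Returns None if no context can carry the packet.
        """
        dscp = dscp_of(ip_packet)
        fallback = None
        for ctx in self.contexts.values():
            if ctx.tft_dscp == dscp:
                return ctx
            if ctx.tft_dscp is None:
                fallback = ctx
        return fallback

    def gtp_tunnel_released(self, nsapi: int) -> bool:
        """Record the release of one GTP tunnel; True once the last one is gone
        and the end-to-end tunnel therefore has to be released by the TTG."""
        self.contexts.pop(nsapi, None)
        if not self.contexts:
            self.released = True
        return self.released


def sample_ipv4_header(dscp: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at 0) with the given DSCP."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 10]))


if __name__ == "__main__":
    tunnel = E2ETunnel(allowed_dscps=[46, 34])       # EF and AF41 allowed
    for dscp in (46, 34, 10):
        print(dscp, "->", tunnel.select(sample_ipv4_header(dscp)))
```
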

F.3 Gn' considerations

Editor's note: The Gn' procedures shall comprise a subset of the Gn reference point procedures. There shall be no enhancements to Gn applied.

F.3.0 General

A minimum set of interworking procedures over the Gn' reference point would include the following messages from the Gn reference point messages and procedures specified in TS 29.060 [28]:
- Create PDP Context Request / Response;
- Update PDP Context Request / Response;
- Delete PDP Context Request / Response;
- Error Indication;
- Version Not Supported;
- GTP Payload Forwarding.

The TTG must be provided with information, e.g. MCC and MNC of the VPLMN, needed to include the RAI Information Element within the messaging to the GGSN to enable simple position based billing and to enable the HPLMN to restrict certain content to those countries depending on that country's legal requirements.

The assignment of the remote IP address should be done from a pool of IP address belonging to the GGSN/RADIUS server or at least "address range coordinated" with those to enable correct routing on Gi.

The End-user-address IE must be provided in the Create PDP Context Request. If address assignment is done by the GGSN/RADIUS, the IE shall be empty in the request message (indicating dynamic address assignment by GGSN/RADIUS), which makes the GGSN/RADIUS assign and return an IP address in the Response message.

The NSAPI value to be provided over the Gn' reference point is allocated in the TTG, see subclause F.5.

If a certain charging profile should be applied in GGSN the Charging Characteristics IE may be included. In that case this information needs to be available in the TTG. The Charging Characteristics may be used to give special charging for WLAN in the GGSN. The Charging Characteristic is defined per subscriber and is stored in HLR. For GPRS the Charging Characteristic is sent to SGSN at attach and is forwarded to GGSN at PDP context creation. For WLAN interworking, the TTG may for example get this information from HLR via the 3GPP AAA Server.

F.3.1 Interworking procedure over Gn' - Tunnel establishment procedure

Figure F.3.1: Tunnel establishment procedure

1) The UE performs a DNS query to resolve the W-APN and sends E2E tunnel establishment request (W-APN, user identity) to the TTG (see subclause 7.9).
2) The TTG contacts the 3GPP AAA Server in the HPLMN possibly via the AAA proxy for authorization and authentication of the WLAN UE (see subclause 7.9). Additionally, the TTG retrieves the IMSI, MSISDN, and serving network identity from the AAA server.
3) The TTG performs PDP Context Activation procedure towards the GGSN by using Create PDP Context Request message and Create PDP Context Response message (see TS 23.060 [7]).
4) The TTG returns E2E tunnel establishment acknowledgement (remote IP address) to the WLAN UE.
5) The TTG provides filtering information to the WAG (see subclause 7.9).
6) If policy control functionality in the GGSN is re-used according to clause F.2.3.2 further secondary PDP contexts are established.

F.3.2 Interworking procedure over Gn' - Tunnel disconnection procedure

F.3.2.1 UE initiated tunnel disconnection

Figure F.3.2.1: UE initiated tunnel disconnection procedure

1) The WLAN UE determines to release the tunnel and sends a Release tunnel request to the TTG (see subclause 7.10.1).
2) Upon receiving the Release tunnel request, the TTG performs PDP Context Deactivation procedure for the primary and possibly established secondary PDP contexts towards the GGSN by using Delete PDP Context Request message and Delete PDP Context Response message (see TS 23.060 [7]).
3) The TTG sends a Release acknowledgement to the WLAN UE and Tunnel disconnection report to the 3GPP AAA server (see subclause 7.10.1).
4) Upon receiving the Tunnel disconnection report, the 3GPP AAA server removes the filtering policy from the WAG (see subclause 7.10.1).

F.3.2.2 Network initiated tunnel disconnection

Figure F.3.2.2: Network initiated tunnel disconnection procedure

1) The GGSN determines to release the last active GTP tunnel and sends Delete PDP Context Request message towards the TTG (see TS 23.060 [7]). The TTG then sends a Release tunnel request to the WLAN UE (see subclause 7.10.2).
2) Upon receiving the Release tunnel request, the WLAN UE sends a Release acknowledgement to the TTG (see subclause 7.10.2). The TTG sends a Delete PDP Context Response message to the GGSN (see TS 23.060 [7]).
3) The TTG sends a Tunnel disconnection report to the 3GPP AAA server (see subclause 7.10.2).
4) Upon receiving the Tunnel disconnection report, the 3GPP AAA server removes the filtering policy from the WAG (see subclause 7.10.2).

NOTE: Network initiated tunnel disconnection procedure may also be triggered by the TTG (e.g. request from AAA server).

F.4 Void

F.5 Tunnel Terminating Gateway (TTG) functionality

The functionality of the TTG shall cover all aspects of the PDG that are not covered by the GGSN.

The TTG shall be responsible for allocating NSAPI values before sending the Create PDP Context Request message to the GGSN. Although the TTG acts like the SGSN in terms of GTP tunnel establishment, it also manages NSAPI allocation as WLAN UE's proxy for the purpose of leaving the Gn' based PDG transparent to the WLAN UE.

If the network supports simultaneous GPRS and WLAN connections, the TTG shall ensure that the NSAPI values allocated do not overlap with those used by the UE for GPRS PDP Contexts.

NOTE: This can be achieved by restricting TTG allocated NSAPI values to those which are reserved on the mobile radio layer 3 interface in this case.

The TTG shall reject a tunnel establishment request if all available NSAPI values for this user in this GGSN have already been allocated. However, the TTG should not explicitly indicate the exhaustion of the NSAPI values to the UE in such a case.

NOTE: The mechanism above implies that it may not be possible to deploy distinct TTGs providing service for a single user for W-APNs which are then served from the same GGSNs. For a given user, all tunnels towards W-APNs served from the same GGSNs should be directed to the same TTG; the method by which this will be done is FFS.
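As an added illustration of the NSAPI rules in F.5 (not code from the specification), the Python sketch below allocates NSAPI values per user and GGSN for the simultaneous GPRS and WLAN case. It assumes that the values reserved on the mobile radio layer 3 interface are 0 to 4 (TS 24.008), so the UE's own GPRS PDP contexts use 5 to 15; the class names, the generic reject cause and the IMSI are constructed.

```python
# Assumption: NSAPI 0-4 are reserved on the mobile radio layer 3 interface
# (TS 24.008), so they never collide with the UE's GPRS PDP contexts (5-15).
RESERVED_ON_RADIO_L3 = tuple(range(0, 5))


class NsapiExhausted(Exception):
    """Internal condition only; never reported to the WLAN UE as such."""


class TtgNsapiAllocator:
    """Allocates NSAPI values on behalf of the WLAN UE, per (user, GGSN)."""

    def __init__(self, candidates=RESERVED_ON_RADIO_L3):
        self.candidates = tuple(candidates)
        self.in_use = {}                      # (imsi, ggsn) -> set of NSAPIs

    def allocate(self, imsi, ggsn):
        used = self.in_use.setdefault((imsi, ggsn), set())
        for nsapi in self.candidates:         # lowest free value first
            if nsapi not in used:
                used.add(nsapi)
                return nsapi
        raise NsapiExhausted(f"no free NSAPI for user on GGSN {ggsn}")

    def release(self, imsi, ggsn, nsapi):
        self.in_use.get((imsi, ggsn), set()).discard(nsapi)


def handle_tunnel_request(allocator, imsi, ggsn, operator_log):
    """Decide on an E2E tunnel establishment request.

    On exhaustion the request is rejected with a generic cause: the reason is
    written to the operator log only and is not indicated to the UE.
    """
    try:
        nsapi = allocator.allocate(imsi, ggsn)
    except NsapiExhausted as exc:
        operator_log.append(str(exc))
        return {"result": "REJECT", "cause": "unspecified"}
    # The NSAPI goes into the Create PDP Context Request sent to the GGSN.
    return {"result": "ACCEPT", "nsapi": nsapi}


if __name__ == "__main__":
    log = []
    alloc = TtgNsapiAllocator()
    imsi = "001010000000001"                  # constructed test IMSI
    for attempt in range(6):
        print(attempt + 1, handle_tunnel_request(alloc, imsi, "ggsn-a", log))
    print("operator log:", log)
```
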


Annex G: Void


Annex H (informative): Work in other bodies

H.1 QoS Mapping

IEEE 802.11 WLAN ANs

Wi-Fi™ Alliance's WMM guidelines provide a mapping from IEEE 802.11e QoS priority categories to 802.1D priority levels. This mechanism is shown in Figure H.1. See Annex H for further details on these specifications.

Figure H.1: QoS Mapping (figure labels: mapping of IP packets of different applications to different access classes; voice, video, best effort and background data transmit queues; assigning different priorities to packets from different queues for transmission over the air)

Once the QoS provisioning has been accomplished during the authentication phase, based on the information included in Table 1 and Table 2 of Annex H, it is possible to map different types of traffic from the home network to DiffServ Code Points (DSCPs) and then onwards to IEEE 802.11e classes and IEEE 802.1D tags in the WLAN AN. Similarly the WLAN UE can appropriately mark the traffic in the reverse direction.

The provisioned WLAN QoS profile may include for example information on bandwidth and maximum DSCP allowed for the user. The point of enforcement of bandwidth and maximum DSCP policies within the 3GPP system is the PDG. The WLAN Access Gateway in the WLAN AN can implement similar enforcement. The entities responsible for proper DSCP marking are the end points of the tunnel (namely the WLAN UE and the PDG). If there is an inconsistent marking of QoS request from the WLAN UE between layer 2 and layer 3 (for fraudulent reasons or due to error), the inconsistency is resolved in the favour of layer 3 marking once the packet enters the 3GPP system.


H.2 WMM specifications from Wi-Fi™ Alliance

WMM, defined by the Wi-Fi™ Alliance, is a profile based on IEEE 802.11e draft specifications. WMM provides support for multimedia applications by defining four access categories derived from 802.1D specifications. These access categories, as shown in the following table H.1, map to priority levels in 802.1D specifications of IEEE.

Table H.1: Mapping of WMM access categories and 802.1D tags

| Access Category | 802.1D Tags |
|---|---|
| WMM Voice Priority | 7, 6 |
| WMM Video Priority | 5, 4 |
| WMM Best Effort Priority | 0, 3 |
| WMM Background Priority | 2, 1 |

H.3 802.1D specifications from IEEE

The IEEE 802.1D specification is the IEEE standard for bridges that also addresses how to prioritise different classes of user traffic at layer 2. Section 6.4 of 802.1D specifications provides the following definition of user priority:

"The user_priority parameter is the priority requested by the originating service user. The value of this parameter is in the range 0 through 7.

NOTE - The default user_priority value is 0. Values 1 through 7 form an ordered sequence of user_priorities, with 1 being the lowest value and 7 the highest. See 7.7.3 and Annex G (informative) for further explanation of the use of user_priority values."

Annex H in 802.1D specifications provides traffic class mapping as shown in the following table H.2:

Table H.2: Traffic class mapping according to the number of queues

| Number of queues in the system | Types/classes of traffic supported by the queues |
|---|---|
| 1 | {Best Effort, Excellent effort, Background, Voice, Controlled Load, Video, Network Control} |
| 2 | {Best Effort, Excellent effort, Background} {Voice, Controlled Load, Video, Network Control} |
| 3 | {Best Effort, Excellent effort, Background} {Controlled Load, Video} {Voice, Network Control} |
| 4 | {Background} {Best Effort, Excellent effort} {Controlled Load, Video} {Voice, Network Control} |
| 5 | {Background} {Best Effort, Excellent effort} {Controlled Load} {Video} {Voice, Network Control} |
| 6 | {Background} {Best Effort} {Excellent effort} {Controlled Load} {Video} {Voice, Network Control} |
| 7 | {Background} {Best Effort} {Excellent effort} {Controlled Load} {Video} {Voice} {Network Control} |


H.4 IR 34 specifications from GSMA

GSMA's IREG 34 is a specification for the GRX. It also describes how DiffServ's bits are interpreted by the inter PLMN backbone (GRX). Table H.3 shows this mapping.

Table H.3: QoS mapping in GRX

| Traffic Class (3GPP QoS Information) | THP (3GPP QoS Information) | Diffserv PHB | DSCP | Max Delay (QoS Requirement on GRX) | Max Jitter | Packet Loss | SDU Error Ratio | Service Example |
|---|---|---|---|---|---|---|---|---|
| Conversational | N/A | EF | 101110 | 20ms | 5ms | 0.5% | 10^-6 | VoIP, Video Conferencing |
| Streaming | N/A | AF41 | 100010 | 40ms | 5ms | 0.5% | 10^-6 | Audio/Video Streaming |
| Interactive | 1 | AF31 | 011010 | 250ms | N/A | 0.1% | 10^-8 | Transactional Services |
| Interactive | 2 | AF21 | 010010 | 300ms | N/A | 0.1% | 10^-8 | Web Browsing |
| Interactive | 3 | AF11 | 001010 | 350ms | N/A | 0.1% | 10^-8 | Telnet |
| Background | N/A | BE | 000000 | 400ms | N/A | 0.1% | 10^-8 | E-mail Download |
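The enforcement described in H.1, applied to the code points of Table H.3, as an added example that is not part of the specification: the layer 3 DSCP decides the class, a layer 2 tag that disagrees with it is only flagged, and the per-user maximum is then applied. The function names, the ranking of code points by table order, the handling of unlisted code points and the mapping from traffic class to WMM category are assumptions.

```python
# (PHB, DSCP, 3GPP traffic class) rows of Table H.3.
# ASSUMPTION: row order is used as the ranking, highest first.
TABLE_H3 = [("EF", 0b101110, "Conversational"), ("AF41", 0b100010, "Streaming"),
            ("AF31", 0b011010, "Interactive"), ("AF21", 0b010010, "Interactive"),
            ("AF11", 0b001010, "Interactive"), ("BE", 0b000000, "Background")]
RANK = {dscp: i for i, (_, dscp, _) in enumerate(TABLE_H3)}   # 0 = highest
# 802.1D tag -> WMM access category, from Table H.1.
TAG_TO_AC = {7: "Voice", 6: "Voice", 5: "Video", 4: "Video",
             0: "Best Effort", 3: "Best Effort", 2: "Background", 1: "Background"}
# ASSUMPTION (not on the page): WMM category expected for each traffic class.
CLASS_TO_AC = {"Conversational": "Voice", "Streaming": "Video",
               "Interactive": "Best Effort", "Background": "Background"}
# Constructed sample: 20-byte IPv4 header whose DSCP field carries EF.
SAMPLE_EF_HEADER = bytes([0x45, 0b101110 << 2]) + bytes(18)


def dscp_of(ipv4_header: bytes) -> int:
    """DSCP is the upper six bits of the second byte of the IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1] >> 2


def police(ipv4_header: bytes, l2_tag: int, max_phb: str) -> dict:
    """Decide the marking the PDG forwards for one uplink packet."""
    dscp = dscp_of(ipv4_header)
    unknown = dscp not in RANK
    if unknown:                       # ASSUMPTION: unlisted code points become BE
        dscp = 0b000000
    # Layer 3 decides; a disagreeing layer 2 tag is only recorded for logging.
    requested_ac = CLASS_TO_AC[TABLE_H3[RANK[dscp]][2]]
    mismatch = TAG_TO_AC[l2_tag] != requested_ac
    # Enforce the provisioned maximum by re-marking down to it.
    limit = next(d for phb, d, _ in TABLE_H3 if phb == max_phb)
    capped = RANK[dscp] < RANK[limit]
    if capped:
        dscp = limit
    phb, _, tclass = TABLE_H3[RANK[dscp]]
    return {"dscp": dscp, "phb": phb, "access_category": CLASS_TO_AC[tclass],
            "l2_l3_mismatch": mismatch, "capped": capped, "unknown_dscp": unknown}
```

A rising count of `l2_l3_mismatch` or `capped` results for one user is the signal worth logging, since the page names fraud as one cause of inconsistent marking.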


Annex I (informative): Change history

Change history
:ate 200$-12 200#-03 200#-03 200#-03 200#-03 200#-0# 200#-0# 200#-0# 200#-09 200#-09 200#-09 200#-09 200#-09 200#-12 2002-03 2002-12 200?-0# 200?-12 2009-12 2011-03 2012-09 TSG 8 SA H30 SA H31 SA H31 SA H31 SA H31 SA H32 SA H32 SA H32 SA H33 SA H33 SA H33 SA H33 SA H33 SA H34 SA H3$ SA H3? SA H40 SA H42 SA H4# SAH$1 TSG :oc' =$ SP-0$0#22 0141 SP-0#0134 0142 SP-0#0123 0144 SP-0#0134 014$ SP-0#0123 SP-0#022# SP-0#02?$ SP-0#022# SP-0#0$20 SP-0#0$?4 SP-0#0$20 SP-0#0#$# 01$0 01$1 01$2 01$3 01$$ 01$# 01$? 01$9 $ev =at 2 3 2 1 4 2 1 3 1 2 1 3 2 4 2 A A . . Su;ject@=omment Te(+ni(a) re=&ire8ent' 4or *ri9ate net or! a((e'' 4ro8 :LAN 3GPP ;P A((e'' Pro(ed&re' 4or t+e *ri9ate net or! a((e'' 4ro8 :LAN 3GPP ;P A((e'' .orre(tion o4 'o8e re4eren(e' PAP a&t+enti(ation (a*a,i)it7 '&**ortin" 4or ;-:LAN Pri9ate Net or! A((e'' U*date o4 re4eren(e' @oS and Po)i(7 A'*e(t 4or ;nter or!in" :LAN U*date t+e ;ET- re4eren(e AdI&'t8ent needed on : %e4eren(e Point to ,e in *+a'e it+ &*dated '(o*e Anne1 6 S+ort Me''a"e Ser9i(e .orre(tion ;n()&'ion o4 @oS S&**ort 4or :LAN 3GPP ;P A((e'' .orre(tion on 4&n(tion' o4 :d Addition o4 detai)' o4 ;MS e8er"en(7 (a)) 4&n(tiona)it7 to t+e ;:LAN *ro(ed&re' Addition o4 re=&ire8ent' te1t to '&**ort o4 ;MS E8er"en(7 .a)) 4&n(tiona)it7 .orre(tion' re)ated to @oS and Po)i(7 A'*e(t 4or ;nter or!in" :LAN U*date re4eren(e ;-:LAN B44-)ine .+ar"in" A''i"ne8ent o4 re8ote ;P addre'' 4or t+e :LAN UE and ,indin" it+ t+e )o(a) ;P addre'' at t+e P6G U*date to %e)-? 9er'ion (M..) U*date to %e)-9 9er'ion (M..) U*date to %e)-10 9er'ion (M..) U*date to %e)-11 9er'ion (M..) >ld #.2.0 2.0.0 2.0.0 2.0.0 2.0.0 2.1.0 2.1.0 2.1.0 2.2.0 2.2.0 2.2.0 2.2.0 2.2.0 2.3.0 2.4.0 2.$.0 2.#.0 2.2.0 ?.0.0 9.0.0 10.0.0 New 2.0.0 2.1.0 2.1.0 2.1.0 2.1.0 2.2.0 2.2.0 2.2.0 2.3.0 2.3.0 2.3.0 2.3.0 2.3.0 2.4.0 2.$.0 2.#.0 2.2.0 ?.0.0 9.0.0 10.0.0 %%'*'*

SP-0#0$29 01#0 SP-0#0?32 01#2 SP-020099 01#$ SP-020?0$ 01## SP-0?0390 0121 -
