CDMA Development Group 575 Anton Boulevard, Suite 560 Costa Mesa, California 92626 PHONE +1 888 800-CDMA +1 714 545-5211 FAX +1 714 545-4601 http://www.cdg.org cdg@cdg.org
Notice
Each CDG member acknowledges that CDG does not review the disclosures or contributions of any CDG member nor does CDG verify the status of the ownership of any of the intellectual property rights associated with any such disclosures or contributions. Accordingly, each CDG member should consider all disclosures and contributions as being made solely on an as-is basis. If any CDG member makes any use of any disclosure or contribution, then such use is at such CDG member's sole risk. Each CDG member agrees that CDG shall not be liable to any person or entity (including any CDG member) arising out of any use of any disclosure or contribution, including any liability arising out of infringement of intellectual property rights.
Contents
1. Overview ... 1
  1.1 Introduction ... 1
  1.2 Acronyms and Abbreviations ... 1
2. Service Types ... 4
  2.1 Server-Based Applications ... 4
  2.2 Internet Access Service ... 4
    2.2.1 Legacy Internet Access ... 4
  2.3 Corporate VPN Access ... 5
3. General Recommendations ... 6
  3.1 Call Flow ... 6
  3.2 Authentication and Accounting ... 6
  3.3 Public IP Address Assignment ... 7
  3.4 VPN Connections ... 8
4. Network Recommendations ... 9
  4.1 Simple IP ... 9
  4.2 Mobile IP ... 11
  4.3 L2TP ... 13
3 May 2005
Figures
Figure 4-1: Simple IP ... 9
Figure 4-2: Simple IP Call Flow Example ... 11
Figure 4-3: Mobile IP ... 11
Figure 4-4: Mobile IP Call Flow Example ... 13
Figure 4-5: L2TP ... 13
Figure 4-6: L2TP Call Flow Example ... 15
Tables
Table 1-1: Acronyms and Abbreviations ... 1
Table 2-1: Relationship Between Packet Routing and Connection Mode ... 5
Table 3-1: Public IP Address Assignment ... 7
Revision History
Date              Version  Description
14 July 1999      9.4      Initial CDG release
1 April 2004      9.5      Document revisions added
15 November 2004  1.0      Reformat only
3 May 2005        1.1      Significant revision. Document is network only.
1. Overview
1.1 Introduction
This document presents technical recommendations for implementing CDMA packet data roaming. The International Roaming Team has developed this implementation guide through the CDMA Development Group (CDG). Topics discussed include service descriptions and detailed network configuration recommendations. These implementation recommendations apply to both 1xRTT and EV-DO roaming. Recommendations that are relevant to only 1xRTT or EV-DO are noted.

The scope of this document is to define the services available in a roaming scenario and to recommend network architectures for implementing these services. It is recognized that there are many ways in which data roaming between two operators may be implemented; however, it is in the interest of operators to limit the number of possible configurations so that they do not have to accommodate several approaches. As such, this document is limited to describing recommended approaches only.

Issues and recommendations related to billing, reconciliation, and inter-carrier settlement are outside the scope of this document. These are addressed in the Packet Data Billing Implementation Guide.

It is expected that the technical capability and handset features (i.e., R-UIM, multi-band multi-protocol handsets) will be developed in the future to provide roaming capability between the various American, Asian and European cellular standards. At this time, inter-standard roaming recommendations are outside the scope of this document.

In general, these recommendations are based on IETF and 3GPP2 standards. However, some technology deemed necessary to provide the required configurations currently falls outside the standards. These instances are noted.
Ref Doc 79, Ver 1.1

1.2 Acronyms and Abbreviations

Table 1-1: Acronyms and Abbreviations

Acronym / Abbreviation   Description
AN-AAA                   Access Network AAA
ATM                      Asynchronous Transfer Mode
BGP                      Border Gateway Protocol
CDG                      CDMA Development Group
CHAP                     Challenge Handshake Authentication Protocol
CoA                      Care of Address
CRX                      CDMA Roaming eXchange
DES                      Data Encryption Standard
DNS                      Domain Name Server
ESP                      Encapsulating Security Payload
EV-DO                    Evolution-Data Only
FA                       Foreign Agent
HA                       Home Agent
IKE                      Internet Key Exchange
IP                       Internet Protocol
L2TP                     Layer 2 Tunnelling Protocol
LAC                      L2TP Access Concentrator
LAN                      Local Area Network
LNS                      L2TP Network Server
MIP                      Mobile IP
MS                       Mobile Station
MSID                     Mobile Station ID
NAT                      Network Address Translation
PAP                      Password Authentication Protocol
PDSN                     Packet Data Serving Node
PPP                      Point-to-Point Protocol
QoS                      Quality of Service
RADIUS                   Remote Authentication Dial-In User Service
RRQ                      Registration Message
R-UIM                    Removable User Identity Module
SIP                      Simple IP
VPN                      Virtual Private Network
VSA                      Vendor Specific Attribute
WAP
2. Service Types
This section presents an overview of the categories of data services a roaming subscriber may access. These services fall into three basic categories: server-based applications, Internet access, and Corporate VPN services.
[Table 2-1: Relationship Between Packet Routing and Connection Mode. Only fragments survive the extraction: the column headings "Authentication" and "Accounting", and cell values "in Home NW" and "SIP". The table body cannot be reconstructed from the page.]
3. General Recommendations
The following are general configuration recommendations for roaming that should apply to all roaming scenarios.
6. The visited AAA server should route RADIUS packets to the home AAA server over a secure, established data connection with the home network, e.g., a VPN connection. If a VPN connection between the home and visited operators is used, information exchanged between the two servers will be protected outside the operators' networks.

7. The home and visited AAA servers should mutually authenticate each other by shared key or other means. At a minimum, the home AAA server should have a table of IP addresses of valid visited AAA servers.
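As an added illustration of recommendations 6 and 7 (this is example code, not part of the CDG document), the following Python sketch shows a home AAA that accepts a proxied Access-Request only when it arrives from a visited AAA listed in its peer table, and then verifies the packet's Message-Authenticator attribute (HMAC-MD5 under that peer's shared secret, RFC 2869) before answering. The Access-Accept it returns carries the RFC 2865 Response Authenticator, which the visited AAA checks in turn, so each side proves knowledge of the shared key. Peer addresses, secrets and the sample user are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80

# Constructed peer table for the home AAA: source address of each valid
# visited AAA and the shared secret agreed with that roaming partner.
VALID_VISITED_AAA = {
    "198.51.100.10": b"visited-op-A-secret",   # placeholder
    "203.0.113.20": b"visited-op-B-secret",    # placeholder
}

def encode_attrs(attrs):
    """RADIUS attributes: Type(1) Length(1, incl. header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", body[i:i + 2])
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs

def build_access_request(identifier, attrs, secret, request_auth=None):
    """Encode an Access-Request with a Message-Authenticator (RFC 2869 5.14)."""
    request_auth = request_auth or os.urandom(16)
    # The HMAC is computed over the whole packet with the attribute's value zeroed.
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])

def verify_proxied_request(packet, src_ip, peers=VALID_VISITED_AAA):
    """Home AAA check: known visited AAA (rec. 7) and valid HMAC under its secret."""
    if src_ip not in peers:
        return False, "source is not a listed visited AAA"
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "bad code or length"
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError as exc:
        return False, str(exc)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "missing Message-Authenticator"
    zeroed = packet[:20] + encode_attrs(
        [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(peers[src_ip], zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, macs[0]):
        return False, "Message-Authenticator mismatch (wrong shared secret or tampering)"
    return True, "ok"

def build_access_accept(request, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865."""
    body = encode_attrs(list(attrs))
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    resp_auth = hashlib.md5(head + request[4:20] + body + secret).digest()
    return head + resp_auth + body

def verify_response(response, request, secret):
    """Visited AAA check: the home AAA proved the shared secret in its reply."""
    head, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + body + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, resp_auth)
```

The peer-table lookup is deliberately performed before any cryptographic work, so a packet from an unlisted address is dropped without revealing which secrets the home AAA holds. In a deployment the table and the VPN tunnel endpoints of recommendation 6 should describe the same set of partner addresses.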
Required implies that a public IP address assigned to the element is necessary in order for the particular roaming architecture to function.

Recommended implies that if an operator has sufficient public IP address resources available, it should assign a public IP address to the element even though it is not required for the particular roaming architecture. Assigning a public IP address in these cases will prepare the operator for supporting other roaming architectures.

Optional implies that a public or private address assignment won't affect any of the three roaming architectures.

Using public addressing implies that each element has a unique address officially reserved from the Internet addressing authority. However, these roaming service elements should remain invisible and inaccessible from the public Internet.
4. Network Recommendations
Following are three recommended network configurations for establishing data roaming between two operators: Simple IP, Mobile IP, and L2TP. The order in which these are presented does not imply a recommendation of one implementation over another; however, the pros and cons of each approach are provided. The management of IP addressing is a primary differentiator among the approaches, so the address-management advantages and disadvantages of each are given alongside the other pros and cons, followed by configuration recommendations for each approach.
4.1 Simple IP
Simple IP access refers to the MS accessing the public Internet directly from the visited operator's network. Also, if the MS needs to access services in the home network, it must create a data session from the visited network to the application server in the home network. This approach differs from L2TP and Mobile IP in that the visited operator assigns the roaming MS its IP address, and no tunneling technology is used to place the roaming subscriber inside the home operator's network.
[Figure 4-1: Simple IP. Elements shown: Visited-AAA and Home-AAA connected by a VPN; PDSN; Visited GW; Internet; Home GW; Home Application Server.]
The advantages and disadvantages of Simple IP for data roaming are listed below:

Advantages:
+ There is no tunneling performance overhead.
+ The roaming MS may directly access the public Internet without tunneling to the home operator's network.
+ The roaming MS may directly access application servers in the visited network without tunneling to the home operator's network.

Disadvantages:
- The visited operator must assign the roaming MS its IP address.
- The roaming MS may not be assigned a static IP address.
- If the MS is provisioned with private, hard-coded DNS server addresses, it will not be able to access DNS services while roaming.
- If the MS is assigned a private IP address by the visited operator, NAT must be employed for the MS to access application servers in the home network.
- The IP addresses of application servers must be made visible to the visited network.
- Security is compromised since other inbound roamers in the visited operator's network will be able to access the home operator's network. To avoid this, the visited operator may need to maintain separate IP address pools for each roaming partner.

The following are recommendations for implementing Simple IP service:

1. The visited operator should assign the roaming MS an IP address. This may be a public or private IP address.
2. The roaming MS may be assigned an IP address that can be routed over a secure connection to the home network. This IP address should not be routable or visible to the Internet. This protects visited network elements from Internet attacks.
3. The roaming MS should access the public Internet directly from the visited operator's network.
4. The home operator's firewalls must be configured to accommodate application server access by the roaming MS in the visited operator's network.
5. The visited operator should only assign the roaming MS an IP address from a pool specifically associated with the operator of the MS. This will prevent a roaming MS from another roaming partner of the visited operator from accessing the network of the home operator.
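The per-partner pool of recommendation 5, together with the filtering that recommendation 4 asks of the home operator, can be made concrete in a few lines. The Python below is an added example, not code from the CDG document: it derives the roaming partner from the realm of the roamer's NAI, hands out addresses from a private pool dedicated to that partner (recommendations 1 and 2), and applies a first-match filter on the inter-operator link so that only addresses from partner A's pool can reach partner A's application network while everything else goes straight to the Internet (recommendation 3). The realms, pools and home networks are constructed placeholders.

```python
import ipaddress

# Constructed roaming-partner table for a visited operator. The NAI realm
# identifies the home operator; each partner gets a dedicated private pool that
# is routed to that partner's application network over the secure
# inter-operator connection and is never announced to the Internet.
PARTNERS = {
    "home-a.example": {"pool": "10.64.0.0/24", "home_net": "10.200.0.0/16"},
    "home-b.example": {"pool": "10.64.1.0/24", "home_net": "10.201.0.0/16"},
}

def realm_of(nai):
    """user@realm -> realm (lower-cased); rejects NAIs without a realm."""
    _user, sep, realm = nai.rpartition("@")
    if not sep or not realm:
        raise ValueError("NAI has no realm: %r" % nai)
    return realm.lower()

class PartnerPools:
    """Per-roaming-partner address assignment on the visited operator's side."""

    def __init__(self, partners=PARTNERS):
        self.free = {realm: list(ipaddress.ip_network(p["pool"]).hosts())
                     for realm, p in partners.items()}
        self.leases = {}

    def assign(self, nai):
        realm = realm_of(nai)
        if realm not in self.free:
            raise LookupError("no roaming agreement for realm %r" % realm)
        if not self.free[realm]:
            raise RuntimeError("address pool for %s exhausted" % realm)
        ip = self.free[realm].pop(0)
        self.leases[nai] = ip
        return str(ip)

    def release(self, nai):
        ip = self.leases.pop(nai)
        self.free[realm_of(nai)].append(ip)

def home_access_allowed(src_ip, dst_ip, partners=PARTNERS):
    """Filter on the inter-operator link: a roamer reaches a partner's
    application network only from the pool dedicated to that partner."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in partners.values():
        if dst in ipaddress.ip_network(p["home_net"]):
            return src in ipaddress.ip_network(p["pool"])
    return True   # not a partner network: ordinary Internet access from the visited network

def firewall_rules(partners=PARTNERS):
    """First-match rule list for the gateway toward the roaming partners:
    one permit per (pool, home network) pair, then deny everything else."""
    rules = [("permit", p["pool"], p["home_net"]) for p in partners.values()]
    rules += [("deny", "any", p["home_net"]) for p in partners.values()]
    return rules
```

The same realm-to-partner mapping can drive the visited AAA's choice of pool attribute in its Access-Accept, so that the PDSN never has to infer the partner itself.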
[Figure 4-2: Simple IP Call Flow Example. Parties: Roamer MS, PDSN and Visited AAA in the visited network; Local GW, Int. GW, Int. GW, Home AAA, WAP Server and Home GW in the home network (SIP). Messages shown: Access-Request / Access-Accept and Acct-Start / Acct-Response exchanged between the visited and home AAA over the VPN; Internet local access; LCP termination.]
4.2 Mobile IP
Mobile IP service is a standards compliant capability that is useful in providing packet data roaming. In addition to providing the mobility function, it allows the home operator to assign a roaming MS an IP address and provide transparent access to the home network.
[Figure 4-3: Mobile IP. Elements shown: Visited-AAA and Home-AAA connected by a VPN; PDSN with FA; MIP tunnel from the visited GW to the HA behind the home GW; Internet; Home Application Server.]

Figure 4-3: Mobile IP

The advantages and disadvantages of Mobile IP for data roaming are listed below:

Advantages:
+ The home operator assigns the roaming MS its IP address.
+ The home operator may assign a static IP address to the roaming MS.
+ The home operator may assign a private IP address to the roaming MS without the need to employ NAT for home network access.
+ The roaming MS may transparently access servers in the home network.
+ Security is improved since other inbound roamers in the visited operator's network will not be able to access the home operator's network. To achieve this without Mobile IP (or L2TP), the visited operator will need to maintain separate IP address pools for each roaming partner.
+ The use of Mobile IP allows for network layer mobility across PDSNs.

Disadvantages:
- There is a performance overhead for Mobile IP.
- Reverse tunneling is required for Mobile IP roaming. When the roaming MS is accessing the public Internet, tunneling back to the home network is not efficient.
- If the roaming MS requires access to an application server in the visited network, it will be required to tunnel back to the home operator and then route back to the visited operator.

The following are recommendations for the implementation of roaming using Mobile IP:

1. Mobile IP service should be provided in accordance with IS-835.
2. If feasible, the visited PDSN should support FA capabilities, even though the visited operator doesn't normally need to offer Mobile IP service to its own subscribers. This allows roaming mobiles to receive Mobile IP service.
3. The home operator should normally provide Mobile IP service to subscribers, and should have an HA accessible by the visited operator.
4. The home operator's HA should be assigned a public IP address.
5. The home operator may assign a private or a public IP address to the MS, depending on the preference of the home operator. The FA CoA provided by the visited operator should be a public IP address.
6. The home operator may assign the roaming MS the IP addresses of a primary and secondary DNS server through the Mobile IP registration process.
7. The roaming MS should be configured to send the registration message (RRQ) with the T bit set so that reverse tunneling is requested.
8. To protect user data, the visited FA and home HA should exchange packet data through the secure data connection between operators (VPN, CRX, etc.). Since there will be a VPN connection between the home and visited operators, information exchanged between the FA and HA will be protected outside the operators' networks, and it should not be necessary to specifically encrypt user data between them.
9. The FA and HA should mutually authenticate each other. Without mutual authentication, it is possible that a node may attempt to impersonate an FA. At a minimum, the HA should have a table of IP addresses of valid visited operator FAs.
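Recommendations 7 and 9 are checks an HA can make on every Registration Request it receives. The Python below is an added example (not from the CDG document or from any vendor's HA): it encodes and parses the RFC 3344 Registration Request fixed header, rejects requests whose T bit is clear, accepts a request only if the relaying FA's care-of address is in the HA's table of valid partner FAs, and then verifies the Foreign-Home Authentication Extension (HMAC-MD5 over the request and the extension's Type, Length and SPI, which RFC 3344 defines as the default algorithm). The FA address, SPI and key are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

RRQ_TYPE = 1
FLAG_T = 0x02          # T bit: reverse tunnelling requested (RFC 3344)
FA_HA_AUTH_EXT = 34    # Foreign-Home Authentication Extension
AUTH_EXT_LEN = 20      # SPI (4) + HMAC-MD5 authenticator (16)

# Constructed HA-side table: care-of address of each valid partner FA and the
# FA-HA security association (SPI -> key) agreed with that partner.
VALID_FAS = {"198.51.100.5": {1001: b"fa-ha-key-partner-A"}}   # placeholders

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

def build_rrq(flags, lifetime, home_addr, home_agent, coa, ident, spi=None, key=None):
    """Encode a Registration Request, optionally with an FA-HA auth extension."""
    msg = (struct.pack("!BBH", RRQ_TYPE, flags, lifetime)
           + _ip(home_addr) + _ip(home_agent) + _ip(coa) + struct.pack("!Q", ident))
    if spi is not None:
        # The HMAC covers the request, all prior extensions, and this
        # extension's Type, Length and SPI (RFC 3344 3.5.1).
        ext_head = struct.pack("!BBI", FA_HA_AUTH_EXT, AUTH_EXT_LEN, spi)
        mac = hmac.new(key, msg + ext_head, hashlib.md5).digest()
        msg += ext_head + mac
    return msg

def parse_rrq(data):
    """Decode the fixed header and the (type, offset, value) list of extensions."""
    if len(data) < 24 or data[0] != RRQ_TYPE:
        raise ValueError("not a Registration Request")
    flags, lifetime = data[1], struct.unpack("!H", data[2:4])[0]
    home, ha, coa = (str(ipaddress.IPv4Address(data[i:i + 4])) for i in (4, 8, 12))
    ident = struct.unpack("!Q", data[16:24])[0]
    exts, i = [], 24
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated extension")
        etype, elen = data[i], data[i + 1]
        exts.append((etype, i, data[i + 2:i + 2 + elen]))
        i += 2 + elen
    return {"flags": flags, "lifetime": lifetime, "home": home, "ha": ha,
            "coa": coa, "ident": ident, "exts": exts}

def ha_accept(data, src_ip, valid_fas=VALID_FAS):
    """Decide whether the HA should honour an RRQ relayed by the FA at src_ip."""
    try:
        rrq = parse_rrq(data)
    except ValueError as exc:
        return False, str(exc)
    if not rrq["flags"] & FLAG_T:
        return False, "T bit clear: reverse tunnelling not requested (rec. 7)"
    sas = valid_fas.get(src_ip)
    if sas is None or rrq["coa"] != src_ip:
        return False, "relaying FA / care-of address not in the valid FA table (rec. 9)"
    auth = [(off, val) for etype, off, val in rrq["exts"] if etype == FA_HA_AUTH_EXT]
    if len(auth) != 1 or len(auth[0][1]) != AUTH_EXT_LEN:
        return False, "missing FA-HA authentication extension"
    off, val = auth[0]
    key = sas.get(struct.unpack("!I", val[:4])[0])
    if key is None:
        return False, "unknown SPI for this FA"
    expected = hmac.new(key, data[:off + 6], hashlib.md5).digest()
    if not hmac.compare_digest(expected, val[4:]):
        return False, "FA-HA authenticator mismatch"
    return True, "accept; reverse tunnel to FA %s" % src_ip
```

The address check is ordered before the HMAC so that an unlisted FA is refused without the HA ever selecting a key; the care-of address is compared with the UDP source because a valid FA relays the request from its own CoA, and a mismatch indicates either misconfiguration or an attempt to register a tunnel endpoint the HA has no agreement with.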
[Figure 4-4: Mobile IP Call Flow Example. Parties: Roamer MS, PDSN and Visited AAA in the visited network; Local GW, Int. GW, Int. GW, Home AAA, HA, App Server and Home GW in the home network (MIP). Messages shown: Access-Request / Access-Accept, Acct-Start / Acct-Response, and the MIP tunnel between the PDSN and the HA.]
4.3 L2TP
L2TP tunnels are a recommended approach for providing Simple IP roaming service to an MS. Also, L2TP tunnels should be used to implement corporate VPN services for Simple IP. In this case, the subscriber is assigned an IP address by the corporate network and placed securely inside the corporate network.
[Figure 4-5: L2TP. Elements shown: Visited-AAA and Home-AAA connected by a VPN; Roaming MS (MIP); PDSN acting as LAC; L2TP tunnel from the visited GW to the LNS behind the home GW; Internet; Home Application Server.]

Figure 4-5: L2TP

The advantages and disadvantages of L2TP for data roaming are listed below:

Advantages:
+ The home operator may assign a static IP address to the roaming MS.
+ The home operator may assign a private IP address to the roaming MS without the need to employ NAT for home network access.
+ The roaming MS may transparently access servers in the home network.
+ The service plane may be made more secure since application servers may be hidden from the visited network.
+ Security is improved since other inbound roamers in the visited operator's network will not be able to access the home operator's network. To achieve this without L2TP (or Mobile IP), the visited operator will need to maintain separate IP address pools for each roaming partner.

Disadvantages:
- The use of L2TP is not yet defined by the IS-835 standards, although it is an IETF standard and is commonly used.
- There is a performance overhead for L2TP transport and management.
- IS-835 QoS mechanisms and L2TP are not compatible.
- When the roaming MS is accessing the public Internet, tunneling back to the home network is not efficient.
- If the roaming MS requires access to an application server in the visited network, it will be required to tunnel back to the home operator and then route back to the visited operator.

The following are recommendations for implementing L2TP tunnels:

1. The home and visited operator should agree upon whether L2TP will be used to tunnel roaming subscribers back to the home network.
2. A roaming MS that is expected to use L2TP to reach its home operator should not request Mobile IP service.
3. The home operator may include the IP address of the LNS as an attribute. If the visited operator receives this attribute, it should construct an L2TP tunnel to this end point. The IP address of the visited operator's AAA will indicate to the home operator the location of the roaming MS, so that the home AAA may determine whether or not L2TP is required.
4. Alternatively, a roaming MS that requires L2TP tunneling may be assigned a unique realm for this purpose. Such realms should be shared between the home and visited operators in advance. The visited AAA may ascertain from the realm of the roaming MS that it should receive L2TP service. If L2TP is required, it is recommended that the home network return the IP address of the LNS in the Access-Accept message; however, the visited operator's AAA may insert the IP address of the home operator's LNS as an attribute in the Access-Accept message before forwarding it to the PDSN.
5. If the IP address of an LNS is received by the PDSN in the Access-Accept message, the PDSN should act as a LAC and establish an L2TP tunnel with the LNS of the home operator.
6. As there should be a VPN connection between the visited and home operator, there is no need to encrypt user data between the PDSN/LAC and LNS.
7. In addition to the PDSN/LAC authenticating the MS, the LNS in the home operator's network should also authenticate the MS with the home AAA.
8. PPP is negotiated between the roaming MS and the LNS. The LNS in the home operator's network should assign the MS an IP address, which may be public or private depending on the preference of the home operator.
9. The PDSN/LAC and LNS should mutually authenticate each other. Without mutual authentication, it is possible that a node may attempt to impersonate a LAC. At a minimum, the LNS should have a table of IP addresses of valid LACs in visited operator networks.
10. LCP forwarding should be enabled on the visited network PDSNs.
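Recommendations 2 through 5 and 9 describe a decision the visited AAA makes per Access-Accept and a check the LNS makes per tunnel. The Python below is an added example, not code from the CDG document: the visited AAA uses the LNS address if the home AAA returned it, otherwise falls back to the pre-agreed realm table, inserts the address before forwarding to the PDSN, and refuses the combination of L2TP with a Mobile IP request; the PDSN turns the presence of that attribute into the LAC role; and the LNS accepts a tunnel only from a listed LAC that proves the shared tunnel secret. The document does not say which RADIUS attribute carries the LNS address, so this example assumes Tunnel-Server-Endpoint (RFC 2868); the challenge-response step is modelled on RFC 2661 tunnel authentication. Realms, addresses and secrets are constructed placeholders.

```python
import hashlib
import hmac

# Attribute assumed by this example to carry the LNS address toward the PDSN.
# The CDG text only says "as an attribute"; Tunnel-Server-Endpoint (RFC 2868)
# is an assumption here, not something the document mandates.
LNS_ATTR = "Tunnel-Server-Endpoint"

# Constructed visited-AAA table (rec. 4): realms whose roamers are tunnelled
# home via L2TP by prior agreement, and the partner's LNS address.
L2TP_REALMS = {"home-b.example": "203.0.113.40"}   # placeholders

# Constructed LNS-side table (rec. 9): PDSN/LAC addresses of valid partner
# networks and the L2TP tunnel-authentication secret agreed with each.
VALID_LACS = {"198.51.100.1": b"l2tp-secret-partner-A"}   # placeholders

def realm_of(nai):
    _user, sep, realm = nai.rpartition("@")
    if not sep or not realm:
        raise ValueError("NAI has no realm: %r" % nai)
    return realm.lower()

def visited_aaa_forward(nai, home_accept_attrs, requested_mip=False, realm_table=L2TP_REALMS):
    """Build the Access-Accept the visited AAA forwards to the PDSN (recs. 2-4)."""
    attrs = dict(home_accept_attrs)
    lns = attrs.get(LNS_ATTR)                  # preferred: home AAA returned it (rec. 3)
    if lns is None:
        lns = realm_table.get(realm_of(nai))   # fallback: realm agreed in advance (rec. 4)
        if lns is not None:
            attrs[LNS_ATTR] = lns
    if lns is not None and requested_mip:
        # Rec. 2: an MS that is to be tunnelled home must not also request Mobile IP.
        raise ValueError("MS requested Mobile IP but its realm/home requires L2TP")
    return attrs

def pdsn_action(attrs):
    """Rec. 5: an LNS address in the Access-Accept turns the PDSN into a LAC."""
    lns = attrs.get(LNS_ATTR)
    return ("lac", lns) if lns else ("simple-ip", None)

def lac_challenge_response(msg_type, secret, challenge):
    """Modelled on RFC 2661 5.1.1: MD5(message type || secret || challenge),
    where msg_type is 2 for SCCRP and 3 for SCCCN."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()

def lns_accept_tunnel(src_ip, challenge, response, msg_type=3, valid=VALID_LACS):
    """Rec. 9: accept a tunnel only from a listed LAC that proves the secret."""
    secret = valid.get(src_ip)
    if secret is None:
        return False
    expected = lac_challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)
```

Because the realm fallback only applies when the home AAA stayed silent, a home operator that starts returning the LNS address explicitly takes precedence automatically, which is the ordering recommendation 4 asks for.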
[Figure 4-6: L2TP Call Flow Example. Parties: Roamer MS, PDSN and Visited AAA in the serving network; Local GW, Int. GW, Int. GW, LNS, Home AAA, App Server and Home GW in the home network. Messages shown, in extraction order: LCP phase; PAP Request; Access-Request / Access-Accept; Access-Request / Access-Accept; L2TP negotiation; PAP-Ack; IPCP phase; Access-Request / Access-Accept; Acct-Start / Acct-Response (twice); L2TP tunnel; LCP termination; Acct-Stop / Acct-Response (twice).]