Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

www.netmanias.com www.nmcgroups.com

Network Architecture for LTE and Wi-Fi Interworking

August 16, 2012

Chris Yoo
+82-2-3444-5747, +82-10-3229-1852
cmyoo@netmanias.com

www.netmanias.com
www.nmcgroups.com

About NMC Consulting Group

NMC Consulting Group was founded on year 2002 and is advanced, professional network consulting company which is specialized for IP Network area like FTTH, Metro Ethernet and IP/MPLS, Service area like IPTV, IMS and CDN
lastly, Wireless network area like Mobile WiMAX, LTE and Wi-Fi.
Copyright 2002-2012 NMC Consulting Group. All rights reserved.
Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

Table of Contents
LTE Overview
Network Reference Model
Authentication and Security
EPS Bearer
QoS
Handover
Wi-Fi Overview
Network Architecture
Handover
Comparison (LTE vs. Wi-Fi)
Tunneling Technology for Mobile Network
LTE and Wi-Fi Interworking
Network Reference Model
Authentication and Security
IP Allocation
Traffic Selector
Status of KT, SKT & LG U+ and UE Requirements

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 2

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE Overview: Network Reference Model Related Blogs

LTE = E-UTRN: eNB

EPC = SAE: MME, S-GW, P-GW, HSS,
SPR OFCS OCS PCRF, SPR, OFCS, OCS
Diameter (Sp) GTP Diameter
EPS = LTE + EPC
(Gz) (Gy)
LTE: Long Term Evolution
E-UTRAN: Evolved-UTRAN (Universal
Terrestrial Radio Access Network)
HSS PCRF
EPC: Evolved Packet Core
Diameter Diameter
SAE: System Architecture Evolution
(S6a) (Gx) EPS: Evolved Packet System
UE: User Equipment
eNB: Evolved Node B
S1-AP
(S1-MME) S-GW: Serving-Gateway
MME P-GW: PDN-Gateway
GTP-C
MME: Mobility Management Entity
(S11) HSS: Home Subscriber Server
PCRF: Policy and Charging Rule Function
GTP-U GTP-U/GTP-C IP SPR: Subscriber Profile Repository
LTE-Uu PDN
UE eNB
(S1-U)
S-GW
(S5)
P-GW
(SGi) OFCS: Offline Charging System
OCS: Online Charging System
PDN: Packet Data Network

UE S-GW MME PCRF OFCS

User device which has LTE
chip, antenna and USIM card
(ex. Smartphone, USB modem,
Router (Egg))
Local mobility anchor point of
the data connections for inter-
eNB handover and inter-3GPP
handover
Main control entity for the E-
UTRAN (brain of EPS)
User authentication
UE mobility management: UE
location, UE state (ECM/EMM)
It makes policy decision for UE It manages offline charging
and provides PCC rules (QoS data (CDR) per UE/per SDF,
and charging rules) to P-GW which provided by P-GW

eNB P-GW HSS SPR OCS

Base station which provides It provides PDN access for UE Central DB holding user profile: Database for PCRF, which It manages data volume
wireless connection between Mobility anchor point for inter user ID(IMSI), authentication maintains policy and charging (UL/DL bytes), time
UE and EPC S-GW handover key, QoS profile, etc rule of user (connection time) and event
Encryption and integrity IP address assignment to UE User profile is provisioned by It is provisioned by B/OSS based online charging data per
protected of control/data Online/Offline Charging B/OSS when user subscription when user subscription UE/per SDF, which provided
packet
Copyright between
2002-2012 NMC and eNBGroup. All rights
UEConsulting QoSreserved.
Enforcement by P-GW 3
 Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE Overview: Authentication and Security Related Blogs

IMSI, LTE K User Authentication

Mandatory
HSS
Optional User Identification: IMSI (International Mobile Subscriber Identity)
- Global Uniqueness
EPS Authentication Vectors - PLMN ID (MCC + MNC) + MSIN
(RAND, AUTN, XRES, KASME) - Stored at USIM (UE) and HSS (E-UTRAN)
Authentication Key: LTE K
- Stored at USIM (UE) and HSS (E-UTRAN)
KASME KNASint/KNASenc User Authentication Protocol: EPS-AKA
MME
User Authentication Process
1. When UE requests to attach LTE network
1 Mutual Authentication
2. MME obtains authentication vectors (RAND, AUTN, XRES, KASME) from the HSS
3. Mutual authentication between UE and MME
- UE authenticates LTE network (MME)
2 NAS Signaling

- MME authenticates UE
Integrity/
Ciphering
Security for Radio Interface
KeNB KRRCint/KRRCenc KUPenc After success of mutual authentication, security for radio interface is provided based on master key
eNB (KASME)
1. Control message between UE and MME: Encrypted (optional) and Integrity Protected (mandatory)
3 RRC Signaling
2. Control message between UE and eNB: Encrypted (optional) and Integrity Protected (mandatory)
Integrity/
3. User data between UE and eNB: Encrypted (optional)
Ciphering

3 User Plane
Ciphering IMSI Assignment IMSI Format
Subscriber gets UE and USIM IMSI is provisioned in HSS and
IMSI, LTE K card which includes IMSI SPR when user subscriptioin PLMN
MCC MNC MSIN

3 digits Max. 3 digits Max. 10 digits

HSS SPR
USIM Attach Request Max. 15 digits
UE KASME KNASint/KNASenc KeNB KRRCint/KRRCenc KUPenc (IMSI)
UE MME S-GW P-GW PCRF Example
450 05 0123456789
LTE Network (E-UTRAN)
Korea SK Telecom

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 4

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE Overview: EPS Bearer Related Blogs

EPS Bearer
HSS SPR
Logical transport channel between UE and the PDN for
transporting UE IP traffic
EPS Bearer =
MME PCRF
Data Radio Bearer (between UE and eNB) +
S1 Bearer (GTP tunnel between eNB and S-GW) +
S5 Bearer (GTP tunnel between S-GW and P-GW)
UE eNB S-GW P-GW
eNB can distinguish UE by DRB ID in EPS bearer
S-GW can distinguish UE by Tunnel Endpoint ID (TEID)
ECM Connection P-GW can distinguish UE by TEID or UE IP address
Control
Plane At least one EPS bearer per UE, and it may also have
RRC Connection S1 Signaling Connection S11 GTP-C S5 GTP-C
multiple EPS bears per UE in order to provide QoS
differentiation (ex. Internet bearer and VoLTE bearer)
User Data Radio Bearer S1 Bearer S5 Bearer
Plane EPS Bearer Two Types of EPS Bearer
Default EPS Bearer
Dedicated EPS Bearer

Data Radio Bearer S1 Bearer

S1 (GTP) S5 Bearer
S5 (GTP)
PDN
(Internet)
UE eNB S-GW P-GW

DL TFT
DRB ID S1 TEID S1 TEID S5 TEID S5 TEID
(DL) (DL) (DL) (DL) (DL)
IP Payload IP UDP GTP-U IP Payload IP UDP GTP-U IP Payload (*,Dst IP=UE,*,*,*) IP Payload
Application

S5 TEID DL TFT
DRB ID (DL) S1 TEID (DL) S5 TEID (DL)
SIP=www.google.com SIP=S-GW SIP=P-GW SIP=www.go
DIP=UE DIP=eNB DIP=S-GW ogle.com
DIP=UE
UL TFT DRB ID
UL TFT

DRB ID DRB ID S1 TEID S1 TEID S5 TEID

(UL) (UL) (UL) (UL) (UL)
(Src IP=UE,*,*,*,*) Payload IP Payload IP GTP-U UDP IP Payload IP GTP-U UDP IP Payload IP

DRB ID (UL) S1 TEID (UL) S5 TEID (UL)

SIP=UE
SIP=UE SIP=eNB SIP=S-GW DIP=www.go
Copyright 2002-2012 NMC Consulting Group. AllDIP=www.google.com
rights reserved. DIP=S-GW DIP=P-GW
ogle.com 5
Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE Overview: QoS Related Blogs

PDN Connection 1 (EPS Session 1)

Resource Type QoS Parameters of EPS Bearer QoS Parameters of SDF

UE
Dedicated Bearer GBR MBR
GBR QCI ARP (UL/DL) (UL/DL) QCI ARP MBR (UL/DL) GBR (UL/DL) SDF 5
for PDN 1
UE
Dedicated Bearer QCI ARP MBR (UL/DL) SDF 4
IP addr Non-GBR QCI ARP APN- PDN 1
for PDN 1 UE-AMBR QCI ARP MBR (UL/DL) SDF 3
1 AMBR
Default Bearer (UL/DL) QCI ARP MBR (UL/DL) SDF 2
Non-GBR QCI ARP (UL/DL)
for PDN 1 QCI ARP MBR (UL/DL) SDF 1

QCI: QoS Class Identifier GBR: Guaranteed Bit Rate APN-AMBR: Access Point Name-Aggregate Maximum Bit Rate
ARP: Allocation and Retention Priority MBR: Maximum Bit Rate UE-AMBR: User Equipment-Aggregate Maximum Bit Rate

Common QoS Parameter (Resource Type, QCI, ARP)
Resource Type
GBR (Guaranteed Bit Rate): A certain amount of
bandwidth is reserved for this bearer
Non-GBR: It does not have a fixed (reserved) bandwidth
allocated for this bearer (Best Effort)
QCI
The class-based QoS concept (such as IP DSCP) where
each EPS bearer is assigned a QCI (1 ~ 9)
It defines packet forwarding treatment
QoS characteristics which defines below parameters:
- Resource Type (GBR or Non-GBR)
- Packet Delay Budget (30ms ~ 300ms)
- Packet Error Loss Rate (10-2 ~ 10-6)
Copyright 2002-2012 NMC Consulting Group. All rights reserved.
QoS Parameter for GBR Bearer
ARP GBR (UL/DL)
Priority for the allocation and retention of bearers, Guaranteed (Reserved) bandwidth (bps) for GBR
defined by 0 ~ 15 bearer
Bearers with high ARP are assigned low ARP value,
and vice versa (ex. VoIP emergency call service MBR (UL/DL)
has low ARP value)
In resource limitation situation, LTE network use Maximum allowed bandwidth (bps) for GBR bearer
the ARP to prioritize establishment and Any traffic in excess of the MBR may be discarded
modification of bearers with a high ARP over
bears with a low ARP QoS Parameter for Non-GBR Bearer
It also uses ARP to decide which existed bearers
APN-AMBR (UL/DL)
to drop in case of resource limitation
Maximum allowed bandwidth (bps) for all non-GBR
bearers associated with a specific APN
UE-AMBR (UL/DL)
Maximum allowed bandwidth (bps) for all non-GBR
bearers of a UE
6
Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE Overview: Handover Related Blogs

Basic Requirement of Handover

Intra E-UTRAN Handover

Inter E-UTRAN and S-GW Handover

UE IP address should not be changed
Packet loss and reordering should be minimized during handover
P-GW P-GW

Handover Decision
Handover decision is performed by serving eNB (In case of Wi-Fi, UE(STA)
S-GW MME S-GW S-GW MME S-GW performs handover decision)
Handover Decision Process
1. UE sends Measurement Report message to serving eNB periodically (or
event triggered)
Source Target Source Target
2. Measurement Report message includes
Radio signal strength from serving cell to UE
eNB
eNB eNB
eNB eNB
eNB eNB
eNB eNB
eNB eNB
eNB eNB
eNB eNB
eNB Radio signal strength from neighbor cells to UE
3. Serving ENB decides handover based on information of Measurement
Report message
moving moving
UE
UE UE
UE UE
UE UE
UE
Type of Handover
Intra E-UTRAN: eNB relocated, without changing MME and S-GW
Inter E-UTRAN, S-GW and MME Handover

Inter RAT Handover

Inter E-UTRAN and MME: eNB and MME relocated, without changing S-GW
Inter E-UTRAN and S-GW: eNB and S-GW relocated, without changing MME
P-GW P-GW Inter E-UTRAN and MME and S-GW: eNB, S-GW and MME relocated
Inter RAT (E-UTRAN and GERAN/UTRAN): Handover between 3G and LTE

S-GW MME MME S-GW S-GW SGSN

RNC
Source Target Source Target

eNB
eNB eNB
eNB eNB
eNB eNB
eNB eNB
eNB eNB
eNB NodeB NodeB

moving moving
UE
UE UE
UE UE
UE UE
UE

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 7

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking
Wi-Fi Overview: Network Architecture
STA
802.11i/WPA2: EAP based Authentication
& CCMP based Security
Authentication 802.11i/WPA: EAP based Authentication
& Security & TKIP based Security
802.1x: EAP based Authentication
& WEP based Security
802.11n: 600Mbps / 2.4 & 5GHz
802.11g: 54Mbps / 2.4GHz
PHY & MAC
802.11b: 11Mbps / 2.4GHz
802.11a: 54Mbps / 5GHz
Wi-Fi Hotspot Service in Korea
: EAP based or Non Standard MAC/Web based Authentication
SSID
ollehWiFi (secure)
KT
NESPOT, ollehWiFi
T wifi zone (secure)
SKT
T wifi zone
U+ zone (secure)
LG U+
FREE U+ zone
Copyright 2002-2012 NMC Consulting Group. All rights reserved.
Related Blogs
WLAN/Wi-Fi Standard
AP
Wi-Fi AAA IEEE (WLAN): http://www.ieee802.org/11
IEEE 802.11 standards define MAC and PHY layer
Wireless LAN (WLAN) term is used by IEEE 802.11
802.1x: RADIUS* based Authentication Wi-Fi Alliance (Wi-Fi): http://www.wi-fi.org
* RADIUS is IETF RFC standards (RFC
Several AP vendors came together to form a global non-profit
3580, RFC 4675, RFC 4898, )
organization with the goal of driving adoption of high-speed wireless
local area networking
Wi-Fi term is used by Wi-Fi Alliance
WLAN(Wireless LAN) = Wi-Fi
The term Wi-Fi is used in general as a synonym for WLAN
Wi-Fi Network Element (Entity)
STA (Station)
Device which has Wi-Fi chip & antenna
AP (Access Point)
Authentication It has IEEE 802.11 Wireless LAN interface for use-facing and IEEE
EAP-AKA 802.3 Ethernet interface for network-facing port
It provides connection between STA and IP network
MAC based authentication,
Web (ID/PW) based authentication
AAA (Authentication, Authorization, Accounting)
EAP-AKA
User authentication server
MAC based authentication,
Web (ID/PW) based authentication Authentication & Security for Radio Interface
MSCHAPv2 over PEAP (Very similar with EAP-TTLS) EAP based authentication
Open Access (1 hour free access after Ad. watch) User data encryption and integrity protected based on
AES(CCMP)/TKIP/WEP
8
Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

Wi-Fi Overview: Handover (Vendor Specific Solution)

Wi-Fi Handover
AP Controller (APC, or Wireless LAN Controller(WLC)) will be required to support Inter-AP handover
Major AP/APC providers such as Aruba, Avaya, Meru support vendor specific protocol between AP and APC (CAPWAP[RFC 5415, 5416] driven by Cisco, but other vendors still support
their own methods http://community.arubanetworks.com/aruba/attachments/aruba/115/422/1/CAPWAP+Position.pdf)

Example: Handover Solution of the Meru Networks

Wi-Fi Inter-AP Handover Wi-Fi Inter-APC Handover

Internet IMS Internet IMS

Wi-Fi Wi-Fi

AAA AAA

IP Network IP Network

Accounting for MS (IP1) Accounting for MS (IP1)

IPinIP Tunnel
APC 1 APC 2 APC 1 APC 2

IP Network IP Network

AP AP AP AP AP AP AP AP
AP 1 AP 2 AP 3 AP 4 AP 1 AP 2 AP 3 AP 4

IP1 IP1 IP1 IP1

WiFi WiFi WiFi WiFi WiFi

STA STA STA STA STA

Traffic Flow: Before Inter-AP Handover Traffic Flow: Before Inter-APC Handover
Traffic Flow: After Inter-AP Handover Traffic Flow: After Inter-APC Handover

STA cant recognize Inter-AP handover, which

STA IP address (IP1) is not changed
means that BSSID (AP MAC) is not changed
IPinIP Tunnel between APCs
STA IP address (IP1) is not changed
Accounting Data from APC2
Accounting Data from APC1
Handover Time: 200ms ~ 2s (802.11 HO standard)
Handover Time: 3ms

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 9

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

Comparison
LTE Wi-Fi
Standard 3GPP IEEE 802.11/Wi-Fi Alliance
UE
Standard Entity LTE (E-UTRAN): eNB STA, AP, AP Controller(optional), AAA
EPC (SAE): S-GW, P-GW, MME, HSS, PCRF, SPR, OCS, OFCS
EAP based Authentication (Standard)
EAP-AKA/SIM
EAP-TLS
EAP-TTLS, etc
User Authentication EPS-AKA
Web based Authentication (WBA)
ID/PW
MAC based Authentication (Non Standard)
STA MAC
EAP based Authentication
Encryption/Integrity Protected
Security for User Data Encryption
Web/MAC based Authentication
None
QoS Support Supported Supported (WMM), but not guaranteed
Supported, but vendor specific methods
Handover (User Mobility) Support Supported AP Controller required
Packet Loss during handover
Tunneling Protocol GTP Vendor Specific
Frequency Interference None Big issue (ISM band)
KT: 1.8GHz
Frequency Band SKT: 800MHz, 1.8GHz 2.4GHz/5GHz
LG U+: 800MHz, 2.1GHz

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 10

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

Tunneling Technology for Mobile Network Related Blogs

Wired Access Network (FTTH, DSL, Ethernet, HFC, etc)

SIP=YouTube User Mobility in Wired Network
DIP=10.1.1.5
If user moves to another location without changing IP address in wired
IP Payload access network, communication will be broken because IP routing
YouTube IP Network network can not recognize user mobility
10.1.1.5 10.1.1.0/24
PC 1 ge1
20.1.1.5 20.1.1.0/24 ge2 Internet
PC 2 ge3
30.1.1.5 Router
30.1.1.0/24
PC 3 Switch

User Mobility in Wireless/Mobile Network

Wireless/Mobile Access Network (3G, LTE, WiMAX, Wi-Fi, etc) The key requirement of user mobility is User IP address should not be
changed
IP Anchor should be existed in wireless/mobile network for supporting
1.1.1.8 c Mobile Network user mobility (3G: GGSN, LTE: P-GW, WiMAX: ASN-GW, Wi-Fi: AP
move Tunnel 1
10.1.1.5
Controller)
1.1.1.8 c
Tunnel 2 IP Anchor Downstream traffic delivered process
SmartPhone 20.1.1.5 1. IP Anchor advertises user IP address prefix to IP routing network
via OSPF, IS-IS or BGP
SIP=YouTube 2. IP Anchor receives IP packet destined to user over the Internet
30.1.1.5 DIP=1.1.1.8
a YouTube IP Network 3. IP Anchor encapsulates the user IP packet with Tunnel header and
10.1.1.0/24 IP Payload forwards the resulting outer IP packet to the Base Station(BS)
b ge1
4. So, IP routing network between BS and IP Anchor has no chance to
20.1.1.0/24 ge2 Internet
ge3
Router see user IP address, which means that IP routing network does not
30.1.1.0/24 require to concern about user mobility
Switch

Tunneling Protocol in Wireless/Mobile Network

a IP Tunnel header IP Payload b IP Tunnel header IP Payload c IP Payload
3G/LTE (standardized by 3GPP)
SIP=IP Anchor SIP=YouTube SIP=IP Anchor SIP=YouTube SIP=YouTube - eNB ~ S-GW: GTP Tunnel (3GPP)
DIP=10.1.1.5 DIP=1.1.1.8 DIP=20.1.1.5 DIP=1.1.1.8 DIP=1.1.1.8
- S-GW ~ P-GW: GTP Tunnel (3GPP)
WiMAX (standardized by WiMAX Forum)
- BS ~ ASN-GW: GRE Tunnel (RFC 1702)
- ASN-GW ~ HA: IPinIP Tunnel (RFC 2003)
Wi-Fi (standardized by IEEE/Wi-Fi Alliance)
Copyright 2002-2012 NMC Consulting Group. All rights reserved. - AP ~ AP Controller: Vendor Specific Tunnel 11
Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE and Wi-Fi Interworking: (1) Network Reference Model Related Blogs

Internet
Mobile Data Offloading
Data offloading is the use of complementary network technologies for
delivering data originally targeted for cellular networks. The main
Diameter complementary network technologies used for the mobile data
(SWx)
HSS offloading are Wi-Fi, Femtocell
Lets use cheaper Wi-Fi access instead of expensive cellular (LTE)
network!
Diameter
Diameter
PCRF P-GW
3GPP Trust & Untrust Access Network
Diameter
(S6b)
Simply put, this is really an indicator on if the 3GPP operator trust the
MME AAA security of the non-3GPP access network
If non-3GPP access network supports trust security level from the
GTP-U PMIPv6 (S2b)
GTP Tunnel GRE Tunnel
3GPP core (EPC) viewpoint, it is interworked with S2a interface,
otherwise S2b interface is used
Diameter - Example of Trust network: WiMAX
GTP-C (SWm)
S-GW ePDG - Example of Untrust network: WLAN(Wi-Fi) in a public caf
Diameter
(SWa)
S1-AP
GTP Tunnel IPSec Tunnel HSS
GTP-U IKEv2 SWx
EPC (SWu) DHCP
S6a PCRF
Gxc Rx
DHCP Gx
Operator's IP
AP SGi Services
3GPP Serving PDN (e.g. IMS, PSS
eNB AP/APC
E-UTRAN Wi-Fi Access Gateway
S5
Gateway etc.)

RRC 802.11 S2b

S6b
Gxb
EPS-AKA EAP-AKA SWm
S2a ePDG 3GPP AAA
Server
LTE Wi-Fi LTE Wi-Fi HPLMN SWn

Non-3GPP Gxa

UE Handover UE
Networks
Trusted
SWu Untrusted
Non-3GPP IP Non-3GPP IP
Access Access SWa
STa

EPS Entity EPS Entity for Wi-Fi Entity Dual-Radio UE UE Traffic Path
UE
Wi-Fi Interworking
3GPP TS 23.402 Figure 4.2.2-1: Non-Roaming Architecture within EPS using S5, S2a, S2b

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 12

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE and Wi-Fi Interworking: (2) Authentication and Security Related Blogs

Internet
HSS delivers AVs to
MME & 3GPP AAA

HSS

AVs AVs
RAND, AUTN, P-GW RAND, AUTN, XRES
XRES MME authenticates UE 3GPP AAA authenticates UE 3GPP
by verifying if RES = XRES by verifying if RES = XRES
MME
AAA

ePDG authenticates UE
EPS-AKA S-GW by verifying AUTH ePDG EAP-AKA over IKEv2
AUTN, AUTN, RES AUTN, AUTN, RES

1 2
IKEv2
AUTH
User Authentication for LTE access 1
AP
Authentication Protocol: EPS-AKA (USIM based)
eNB AP/APC
Mutual authentication between UE and MME

LTE Wi-Fi LTE Wi-Fi

User Authentication for ePDG access 2
Authentication Protocol: EAP-AKA ove IKEv2 (USIM based)
Handover It is very similar with EPS-AKA in LTE network
UE UE
User Authentication Process
UE authenticates MME UE authenticates 3GPP AAA
1. When UE requests to connect with ePDG
by verifying AUTN by verifying AUTN
2. 3GPP AAA obtains authentication vectors (RAND, AUTN, XRES)
from the HSS
3. Mutual authentication between UE and 3GPP AAA
- UE authenticates 3GPP AAA
- 3GPP AAA authenticates UE

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 13

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE and Wi-Fi Interworking: (2) Authentication and Security (cont) Related Blogs

Security for LTE Radio Interface 1

User data is encrypted between UE and eNB
LTE chip(HW) of UE supports data encryption/decryption
Internet

Security for Wi-Fi Radio Interface 2

3GPP assumes that Wi-Fi security is not enabled (supported)

P-GW Security between UE and ePDG 3

User data is encrypted and integrity protected between UE
and ePDG
IPSec driver(SW) of UE supports data encryption/decryption
and integrity protection (Performance issue?)

S-GW ePDG

Encryption & Integrity Protected

AP 3
eNB AP/APC IPSec ESP Packet between UE and ePDG
Encryption 1 2
20B
IP
8B
ESP
20B
IP
Variable Variable
ESP ESP
Header Header Header Application Trailer ICV
LTE Wi-Fi LTE Wi-Fi
Encrypted
Handover
UE UE Integrity Protected

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 14

 Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE and Wi-Fi Interworking: (3) IP Allocation Related Blogs

Internet Which entity allocates UE IP address? 1 3

P-GW allocates UE IP address in both case that UE attaches to
LTE and Wi-Fi network
User packet is routing with this address in the Internet
UE IP address is not changed even if access network is changed
(LTE to Wi-Fi, and Wi-Fi to LTE)
P-GW

IP Allocation by P-GW IP Allocation by P-GW

For Internet Connection For Internet Connection
via LTE Network S-GW ePDG via Wi-Fi Network
UE IP(PDN Address) = UE IP(WLAN UEs Remote
1.1.1.1
1 3 IP) = 1.1.1.1

DHCP

AP
IP Allocation by DHCP
For ePDG Connection
2
eNB AP/APC
via Wi-Fi Nework
UE IP(WLAN UEs Local
IP) = 10.1.1.1
LTE Wi-Fi LTE Wi-Fi

Handover Another IP address for accessing Wi-Fi network 2

UE UE
Wi-Fi AP or External DHCP server allocates Outer IP address in
Application Application
Wi-Fi access network for IPSec Tunneling between UE and ePDG
1.1.1.1 TCP/IP OS (Kernal) OS (Kernal) TCP/IP 1.1.1.1 This outer IP address can be changed during Wi-Fi handover. So,
LTE
IPSec
Driver Driver LTE
IPSec 10.1.1.1 MOBIKE should be supported in UE and ePDG
Wi-Fi Wi-Fi So, Two IP addresses are required when UE accesses to Wi-Fi
UE Protocol Stack UE Protocol Stack
network
- WLAN UEs Local IP: Outer IP address which allocated by
AP/DHCP server
- WLAN UEs Remote IP: Inner IP address which allocated by P-
Copyright 2002-2012 NMC Consulting Group. All rights reserved. GW 15
Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE and Wi-Fi Interworking: (3) IP Allocation (cont) Related Blogs

Example of LTE attach UE IP(PDN Address) = 1.1.1.1

IP address usage
LTE Wi-Fi

UE eNB S-GW P-GW

DRB GTP Tunnel GTP Tunnel
Internet

Payload IP DRB Payload IP GTP-U UDP IP Payload IP GTP-U UDP IP Payload IP

Application
Payload
IP SIP=UE(1.1.1.1) SIP=UE(1.1.1.1) SIP=eNB SIP=UE(1.1.1.1) SIP=S-GW SIP=UE(1.1.1.1)
IP Payload DIP=google DIP=google DIP=S-GW DIP=google DIP=P-GW DIP=google
IPSec
LTE
Wi-Fi
DRB IP Payload IP UDP GTP-U IP Payload IP UDP GTP-U IP Payload IP Payload
UE
SIP=google SIP=S-GW SIP=google SIP=P-GW SIP=google SIP=google
DIP=UE(1.1.1.1) DIP=eNB DIP=UE(1.1.1.1) DIP=S-GW DIP=UE(1.1.1.1) DIP=UE(1.1.1.1)

ePDG connection UE IP(WLAN UEs Remote IP) = 1.1.1.1

UE IP(WLAN UEs Local IP) = 10.1.1.1

DHCP

LTE Wi-Fi
Wi-Fi Access Network

UE ePDG P-GW
IPSec Tunnel GRE Tunnel
Internet

Payload IP IPSec IP Payload IP GRE IP Payload IP

Application
Payload
IP SIP=UE(1.1.1.1) SIP=UE(10.1.1.1) SIP=UE(1.1.1.1) SIP=ePDG SIP=UE(1.1.1.1)
IP Payload DIP=google DIP=ePDG DIP=google DIP=P-GW DIP=google
IPSec
LTE IP IPSec IP Payload
Wi-Fi
IP IPSec IP Payload IP GRE IP Payload IP Payload
UE
SIP=ePDG SIP=google SIP=P-GW SIP=google SIP=google
DIP=UE(10.1.1.1) DIP=UE(1.1.1.1) DIP=ePDG DIP=UE(1.1.1.1) DIP=UE(1.1.1.1)

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 16

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE and Wi-Fi Interworking: (4) Traffic Selector Related Blogs

WLAN 3GPP IP Access 1

User Traffic Path: UE Wi-Fi AP ePDG P-GW Internet
Traffic is passed through the 3GPP core, which means that it can support
handover between LTE and Wi-Fi
20.20.1.1 Use Case: Operator Service (example: KT olleh TV now). Operator can
provide differentiated service (e.g., heterogeneous handover) to their
subscriber
P-GW
WLAN Direct IP Access 2
User Traffic Path: UE Wi-Fi AP Internet
Traffic is not passed through the 3GPP core, which means that it can not
support handover between LTE and Wi-Fi
Use Case: OTT service (example: YouTube)

S-GW ePDG
Traffic Selector
TS (Traffic Selector) 1 Traffic Selector can be used to distinguish between WLAN 3GPP IP Access
TSi = SIP, Protocol, SP 2 and WLAN Direct IP Access
UE gets Traffic Selector from the ePDG during the IKEv2 procedure
TSr = DIP, Protocol, DP
Traffic Selector consists of TSi and TSr:
TSi + TSr = 5-tuple
AP - TSi = Source IP Address(SIP) range,
eNB AP/APC Protocol range,
Source Port Number(SP) range
WLAN 3GPP IP Access WLAN Direct IP Access - TSr = Destination IP Address(DIP) range, Server Identification
Protocol range (same as TSi, TCP or UDP
LTE Wi-Fi LTE Wi-Fi
SIP = Source IP (IP header)
Destination Port Number(DP) range Service Identification
Handover DIP = Destination IP (IP header) Tsi + TSr = 5-tuple
UE UE SP = Source Port # (TCP/UDP header) Based on 5-tuple, UE (IPSec driver) can determine whether application
DP = Destination Port # (TCP/UDP header) traffic (IP flow) is served by WLAN 3GPP IP Access or WLAN Direct IP Access

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 17

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

LTE and Wi-Fi Interworking: (4) Traffic Selector (cont) Related Blogs

UE
App YouTube ollehTV

DIP=YouTube DIP=20.20.1.1(ollehTV)
Protocol=TCP Protocol=6(TCP) Traffic Selector
DP=80 2 5 DP=80(HTTP) Source IP Destination IP Protocol Source Port # Destination Port #
0.0.0.0 ~ 255.255.255.255 20.20.1.1 6 (TCP) 0 ~ 65535 80 (HTTP)

TCP/IP
Traffic Selector 1
no match match

IPSec Insert IPSec header

LTE AP
Wi-Fi AP/APC ePDG P-GW 20.20.1.1

6 Payload IP IPSec IP
7 4
SIP=UE(1.1.1.1) SIP=UE(10.1.1.1)
DIP=20.20.1.1 DIP=ePDG
a b c
3 Payload IP d

SIP=UE(10.1.1.1) IP Network
DIP=YouTube WLAN 3GPP IP Access
WLAN Direct IP Access
10.1.1.1
WLAN UEs Local IP Address
a b Payload IP c
Allocated by AP/DHCP Server in Wi-Fi Network Payload IP IPSec IP GRE IP Payload IP
IPSec Tunnel Outer Source IP in case of WLAN 3GPP
IP Access SIP=UE(1.1.1.1) SIP=UE(10.1.1.1) SIP=UE(1.1.1.1) SIP=ePDG SIP=UE(1.1.1.1)
Source IP in case of WLAN Direct IP Access DIP=20.20.1.1 DIP=ePDG DIP=20.20.1.1 DIP=P-GW DIP=20.20.1.1
1.1.1.1 d Payload IP
WLAN UEs Remote IP Address
Allocated by P-GW
IPSec Tunnel Inner Source IP in case of WLAN 3GPP SIP=UE(10.1.1.1)
IP Access DIP=YouTube

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 18

Netmanias Technical Document: Network Architecture for LTE and Wi-Fi Interworking

Status of KT, SKT & LG U+ and UE Requirements

KT, SKT: No plan
LG U+: Deploy ePDG from Insprit (http://www.in-sprit.com/kr/content/main/index.php), but do not service yet

LG U+: The Purpose of ePDG Deployment LG U+ Service

Internet Internet
Provides security when subscriber accesses LG U+ service via Wi-Fi
network
At this moment, theres no interworking (no PMIPv6/GTE tunnel)
between P-GW and ePDG which means that it does not support P-GW
handover between LTE and Wi-Fi

S-GW ePDG

UE Software Requirement for LTE/Wi-Fi Interworking

AP
IPSec(MOBIKE) driver (Kernel Layer) is required eNB AP/APC

Handover Manager (Kernel Layer) is required: Handover decision by

monitoring LTE and Wi-Fi signal strength
LTE Wi-Fi LTE Wi-Fi
Big Issue: Apple willing to support IPSec and Handover Manager in
iPhone/iPad??? UE UE

Copyright 2002-2012 NMC Consulting Group. All rights reserved. 19