Voice over WiFi, Solution Overview
Workshop America Movil
Florian Hartmann
Sales Manager, Latin America Service Provider
May 2017
Agenda
• Introduction

• VoWIFI Use cases

• VoWIFI Call-flows

• Architecture Guidelines, Security and Best Practices

• Deployment Challenges and Best Practices

• Conclusion
What is VoWiFi?
• The Apple iOS 8 release introduced the Wi-Fi calling feature
• Wi-Fi Calling enables UEs to securely access IMS services over Wi-Fi, similar to LTE access, in line with 3GPP standards
• The same native voice dialer is used for both VoWiFi and cellular (VoLTE)
• The same MSISDN is used for both VoWiFi and cellular (VoLTE)
• Seamless mobility across VoWiFi and VoLTE
[Diagram: UE reaches the SP packet core (ePDG, PGW, IMS) over an IPSec tunnel]
VoWiFi – Business Drivers
[Chart: Cisco VNI projection (2015–2020) of minutes of use (billions) per year, 0 to 10,000, for 2015 through 2020; legend: VoWiFi (15.7%, 52.9%), VoLTE (18.0%, 26.3%), VoIP (66.3%, 20.8%); bar labels 16%, 18%, 66% and 6%, 41%, 53%]
• VoWiFi is going to outperform VoLTE by 2017 and VoIP by 2018 in terms of minutes of use.
• By 2020, VoWiFi will have 53 percent of mobile IP voice
Business Drivers
• Leverage global WiFi footprint
• Cost-effective solution to complement cellular coverage (mainly indoor)
• Customer retention
• Competitive edge over OTT players
Source: ACG, Cisco VNI Global Mobile Data Traffic Forecast, 2015–2020
VoWiFi Use Cases
• Untrusted Voice over WIFI

• Trusted Voice over WIFI


VoWiFi Trusted/Untrusted Use Case

Untrusted VoWiFi
[Diagram "VoWiFi Untrusted Network": UE with a SWu client and a native client on the WLAN; the SWu client tunnels to the ePDG (SWu), which connects to the PGW and on to IMS; the native client breaks out locally to the Internet]
• Wi-Fi access network is untrusted and un-managed
• IPSec tunnel established between UE (SWu client) and Mobile Packet Core (ePDG)
• ePDG handles user authentication and establishes the packet data network connection with the P-GW using the S2b based GTP interface
• UE uses the SWu client for the IMS APN and the native client to locally break out the rest of the traffic over the Wi-Fi access network

Trusted VoWiFi
[Diagram "VoWiFi Trusted Network (Hybrid)": UE with a SWu client and a native client; SWu client → ePDG → PGW → IMS; native client → TWAG → PGW → Internet]
• Wi-Fi access network is trusted and managed
• As per 3GPP Release 11, one of the key characteristics of the "Trusted Wi-Fi" architecture is the client-less approach to support packet core integration
• TWAG lacks support for multiple-APN signaling over S2a for the UE with the PGW. With this, all the offloaded Wi-Fi traffic is assumed to be part of the Internet APN
• VoWiFi can't be supported as it requires its own IMS APN

[Diagram "VoWiFi Trusted Network – Optimised Routing using SIPTO (Hybrid)": SIPTO-enabled TWAG with a NAT pool 173.38.1.0/24; the UE address is allocated by DHCP (173.38.0.1); on an IP match the SWu traffic is routed to ePDG → PGW → IMS, on no IP match to PGW → Internet]
• Hybrid architecture recommended, i.e. a combination of the Release 11 trusted Wi-Fi and the un-trusted VoWiFi architecture
• The hybrid model supports simultaneous offloading of IMS APN and Internet APN traffic when the user moves from cellular to the trusted Wi-Fi access network
• As per 23.402, a UE can be connected with only one non-3GPP access
VoWiFi Trusted/Untrusted Use Case Architecture
Use Cases
• Un-trusted / un-managed VoWiFi for SIM-based subscribers
• Trusted / managed VoWiFi for SIM-based subscribers

End to End Solution Components
• ePDG/SaMOG
• 3GPP AAA
• PGW
• PCRF, OCS
• HSS
• IMS
• UE
• EMS/NMS
• AP/WLC
VoWiFi Initial Attach – Untrusted Network
[Call flow between UE, AP/WLC, ePDG, 3GPP AAA and HSS over the SWu (UE–ePDG), SWm (ePDG–3GPP AAA) and SWx (3GPP AAA–HSS) interfaces]
• UE performs ePDG selection
• UE → ePDG: IKEv2 SA_INIT Request; ePDG → UE: IKEv2 SA_INIT Response
• UE → ePDG: IKEv2 Auth Request (User-name: Root NAI, APN: IMS APN, IP: 0.0.0.0)
• ePDG → 3GPP AAA: Diameter EAP Request (User-name: Root NAI, EAP Identity: EAP-AKA, RAT Type: WLAN)
• 3GPP AAA → HSS: Diameter Multimedia-Auth Request (User-Name: IMSI, RAT Type: WLAN)
• HSS → 3GPP AAA: Diameter Multimedia-Auth Answer (User-name: IMSI, auth vector attributes)
• 3GPP AAA → ePDG: Diameter EAP Answer (User-name: Root NAI, EAP Request: AKA Challenge)
• ePDG → UE: IKEv2 Auth Response (User-name: Root NAI, EAP-AKA Challenge Req)
• UE runs the AKA algorithm and verifies the auth vectors
• UE → ePDG: IKEv2 Auth Request (User-name: Root NAI, EAP-AKA Challenge Resp)
• ePDG → 3GPP AAA: Diameter EAP Request (User-name: Root NAI, EAP Response: AKA Challenge Resp)
• 3GPP AAA verifies the challenge response
• 3GPP AAA → HSS: Diameter Server-Assignment Request (User-Name: IMSI, RAT Type: WLAN, SA Type: Registration)
• HSS → 3GPP AAA: Diameter Server-Assignment Answer (User-name: IMSI, subscriber profile (APN, QoS, MIP6-Agent-Info, etc.))
• 3GPP AAA → ePDG: Diameter EAP Answer (User-name: Root NAI, EAP Success, subscriber profile (APN, QoS, MIP6-Agent-Info, etc.))
• ePDG → UE: IKEv2 Auth Response (EAP Success)
Architecture Guidelines and Best Practices
• ePDG Discovery

• PGW Selection

• Seamless Mobility

• UE Dependencies

• Location Information

• Emergency Calling

• Quality of Service

• Security Framework
ePDG Discovery
[Diagram: UE → Internet service provider local caching DNS server → GSMA root DNS server → operator network authoritative DNS server → ePDG. The UE sends a recursive DNS query for epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org; based on the MCC and MNC value the root DNS selects the operator authoritative DNS server and returns its IP address (iterative query / response); the operator authoritative DNS selects the ePDG based on the MCC and MNC value and returns the ePDG IP address; IPSec session establishment follows]
ePDG Selection Options
 UE can dynamically derive the ePDG FQDN as per the 3GPP standards. ePDG FQDN format: epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org
The following options are available for the UE to derive the PLMN:
• SIM card (home location)
• Last known cell ID from LTE
• WiFi Hotspot 2.0
 UEs configured with a static ePDG FQDN / domain name / IP address
ePDG Discovery
[Same DNS resolution diagram as on the previous slide]
Regulatory Aspects
• International roaming
• National roaming
• Country-specific regulatory aspects
Trusted VoWiFi Use Case
• Locally optimized ePDG FQDN resolution
DNS Capabilities
• Redundancy
• Load balancing
• Primary and secondary ePDG address to UE
• Heartbeat exchange with ePDG
Best Practice
• Understand regulatory aspects
• ePDG selection option
• DNS capabilities
• Optimized ePDG FQDN resolution (trusted N/W)
UE Dependencies
[Diagram: UE running VoIP, SMS and other apps; the IMS APN is carried by the IPSec client; a connection manager selects between WiFi (untrusted network → ePDG) and LTE (LTE network → MME/SGW); the EPC core connects to IMS and the Internet]
• UE should qualify the WiFi network before initiating the VoWiFi attach / handover (RSSI signal strength, latency, delay, etc.)
• UE should have seamless mobility capability to hand over from LTE to WiFi and vice versa
• UE should support WMM to maintain end-to-end QoS
• UE should support Hotspot 2.0 for seamless onboarding
• UE should be able to offload both the Internet APN and the IMS APN simultaneously (trusted network)
UE Gaps
• Most UEs today qualify the WiFi network based on RSSI strength
• Most UEs today have a toggling issue with data offload
Location Information
[Diagram: post-crime, the LEA requests call details by MSISDN from the VoWiFi operator platform; the operator checks its system and returns the details related to the call. Since the call originated from an untrusted network, the outer IP address of the subscriber's IPSec tunnel is provided. The LEA then requests subscriber and activity details against that IP address, date and time stamp from the WiFi ISP platform, which checks its system and shares the subscriber identity and call log details with the LEA]
Untrusted Network
• Outer IPSec IP address and port number via S2b to the PGW
• Outer IPSec IP address, port number and AP MAC ID via SWm to the AAA
• 3rd-party geolocation providers like MaxMind, Neustar IP Intelligence
Trusted Network
• WLC accounting (trusted network)
• PGW CDRs (trusted network)
• P-ANI header in the SIP message to IMS
Emergency Calling
Current Possible Approaches
• When an emergency call (e.g. 911) is made, the phone will default the call over the cellular network
• Operator mandates the subscriber to provide an emergency address when the WiFi service is turned on, which can be used during emergency calling.
• Operator-assisted redirection: the emergency call is routed to the operator call center. The caller provides location information, based on which the operator redirects to the appropriate public-safety answering point (PSAP).
• Home PSAP-assisted redirection: the emergency call is routed to the home PSAP. The caller provides location information, based on which the home PSAP redirects to the appropriate PSAP.
If the subscriber is not able to convey the location, the emergency address defined as part of the WiFi calling profile will be used.
Emergency Calling
[Call flow between UE, ePDG, 3GPP AAA and PGW: the UE drops the existing IPSec tunnel and identifies an ePDG supporting emergency calling (or uses normal selection); IKEv2 SA_INIT / Response; IKEv2 Auth Request carrying an Emergency Indication IE; ePDG → 3GPP AAA Diameter EAP Request (IDR: Emergency); Diameter EAP Answer; ePDG → PGW Create Session Request (APN: SOS), with the call setup parameters taken from the locally configured emergency profile; Create Session Response; IKEv2 Auth Response]
Defined as part of 3GPP Rel-13
• For UE-detected emergency sessions only
• No procedures to detect local emergency numbers while the UE is roaming
Per 3GPP TS 23.167 clause J.1:
• Emergency sessions are only supported over WLAN access to EPC in the following case:
• The UE shall issue an emergency session over WLAN to EPC only when it has failed or has not been able to use 3GPP access to set up an emergency session
• The UE has sufficient credentials to access EPC
• ePDG and a PGW in the home PLMN are used
Quality of Service
[Diagram, VoLTE network: UE – eNodeB – SGW – PGW over Radio, S1-U and S5; the default bearer QCI 5 (SIP signaling), dedicated bearer QCI 1 (voice data) and dedicated bearer QCI 2 (video data) are carried on every hop]
LTE networks
• Dedicated bearers with different QCI/ARP are honored at UE, eNB, SGW & PGW
Untrusted VoWiFi Network
• All dedicated bearers or QCI values terminate at the ePDG
• WiFi access does not support QCI bearers
• QCI to DSCP marking for the right priority
• DSCP marking could likely be altered over the untrusted network
• "Best effort" QoS treatment for IP packets
[Diagram, VoWiFi network: UE – AP/WLC – SaMOG – ePDG – PGW over the RF interface (WMM), EoGRE tunnel (DSCP marking), SWu and S2b; local break-out / SIPTO at the WLC; the default bearer QCI 5 (SIP signaling), dedicated bearer QCI 1 (voice data) and dedicated bearer QCI 2 (video data) exist only between ePDG and PGW]
Trusted WiFi Network
• The quality of service can be guaranteed in the trusted WiFi network
• The QCI values can be mapped to the appropriate DSCP and WMM in the air interface
Security Framework
 ePDG can be configured with a public IP address
 ACL rules on the ePDG allow only traffic on ports 4500 & 500 (for IKEv2) and protocol 50 (ESP)
 Additionally the DoS cookie challenge feature can be enabled
 Use multiple contexts to isolate the interface traffic
 Enable an ACL on every context to allow only that interface's traffic
 Use a separate network for management traffic
[Diagram: Context 1 – SWu, Context 2 – SWm, Context 3 – S2b]
Best Practice
• Secure the Internet-facing interface
• Isolate management traffic
• ACL on all contexts
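Added example, not from the presentation or Cisco's ePDG configuration: a checker for the per-context ACL idea above, run over constructed flow records. The SWu context accepts only IKEv2 (UDP/500, UDP/4500) and ESP (IP protocol 50) from any Internet peer, while the SWm and S2b contexts accept only Diameter and GTP from known core peers; addresses, peer lists and the record format are constructed for the example.

```python
# Added example (not from the presentation): checker for the slide's
# per-context ACL idea, run over constructed flow records. SWu takes only
# IKEv2 (UDP/500, UDP/4500) and ESP (IP protocol 50) from any Internet peer;
# SWm and S2b take only Diameter (3868) and GTP (2123/2152) from known core
# peers. Addresses, peers and the record format are constructed.

# Assumed context layout; "peers" None means any source (Internet-facing).
CONTEXT_POLICY = {
    "swu": {"local": "203.0.113.10", "peers": None,
            "allow": {("udp", 500), ("udp", 4500), ("esp", None)}},
    "swm": {"local": "10.10.1.10", "peers": {"10.10.1.20", "10.10.1.21"},
            "allow": {("tcp", 3868), ("sctp", 3868)}},
    "s2b": {"local": "10.20.1.10", "peers": {"10.20.1.30"},
            "allow": {("udp", 2123), ("udp", 2152)}},
}


def context_allows(ctx, proto, src, dst, dport):
    """True if the flow is permitted by the ACL of the given context."""
    pol = CONTEXT_POLICY[ctx]
    if dst != pol["local"]:
        return False  # addressed to another context's interface
    if pol["peers"] is not None and src not in pol["peers"]:
        return False  # unknown peer on a core-facing interface
    return (proto, dport) in pol["allow"] or (proto, None) in pol["allow"]


def parse_flow(line):
    """Parse 'context proto src dst dport' ('-' = no port, e.g. ESP)."""
    ctx, proto, src, dst, dport = line.split()
    return ctx, proto.lower(), src, dst, None if dport == "-" else int(dport)


def audit(lines):
    """Split flow records into (allowed, denied) lists of parsed tuples."""
    allowed, denied = [], []
    for line in filter(str.strip, lines):
        flow = parse_flow(line)
        (allowed if context_allows(*flow) else denied).append(flow)
    return allowed, denied

SAMPLE_FLOWS = """\
swu udp 198.51.100.7 203.0.113.10 500
swu esp 198.51.100.7 203.0.113.10 -
swu tcp 198.51.100.9 203.0.113.10 22
swm tcp 10.10.1.20 10.10.1.10 3868
swm tcp 198.51.100.9 10.10.1.10 3868
s2b udp 10.20.1.30 10.20.1.10 2152
s2b udp 10.20.1.30 203.0.113.10 2152
""".splitlines()
```

The denied list from the sample holds one record per context: an SSH attempt on the public SWu address, a Diameter connection from an Internet source on SWm, and GTP sent to the SWu address on S2b.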
Deployment Challenges and Best Practices
• IPSec Profile

• MTU

• Stale Sessions

• DRA Caching
IKEv2 and IPSec Profile
[Diagram: IKEv2 SA_INIT Request and Response between UE and ePDG, each carrying encryption, integrity, PRF, DH group, NAT detection source IP and NAT detection destination IP, followed by the IKEv2 Auth Request]

Supported options
Internet Key Exchange version 2
• IKEv2 Encryption: DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256, AES-128-GCM-128, AES-128-GCM-64, AES-128-GCM-96, AES-256-GCM-128, AES-256-GCM-64, AES-256-GCM-96
• IKEv2 Pseudo Random Function: PRF-HMAC-SHA1, PRF-HMAC-MD5, AES-XCBC-PRF-128
• IKEv2 Integrity: HMAC-SHA1-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192, HMAC-SHA2-512-256, HMAC-MD5-96, AES-XCBC-96
• IKEv2 Diffie-Hellman Group: Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), Group 14 (2048-bit)
IP Security
• IPSec Encapsulating Security Payload Encryption: NULL, DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256
• Extended Sequence Number: a value of 0 or off is supported (ESN itself is not supported)
• IPSec Integrity: NULL, HMAC-SHA1-96, HMAC-MD5-96, AES-XCBC-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192, HMAC-SHA2-512-256

Widely used security profiles (Apple profile / Samsung profile)
Internet Key Exchange version 2
• IKEv2 Encryption: AES-CBC-256 / AES-CBC-128
• IKEv2 Pseudo Random Function: PRF-HMAC-SHA1 / PRF-HMAC-SHA1
• IKEv2 Integrity: HMAC-SHA1-96 / HMAC-SHA1-96
• IKEv2 Diffie-Hellman Group: Group 2 (1024-bit) / Group 2 (1024-bit)
IP Security
• IPSec Encapsulating Security Payload Encryption: AES-CBC-128 / AES-CBC-128
• Extended Sequence Number: False / False
• IPSec Integrity: HMAC-SHA1-96 / HMAC-SHA1-96
 Cisco ePDG supports multiple profile configuration
 Best practice is to limit the number of profiles
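Added example, not from the presentation or Cisco's ePDG software: matching a UE proposal against the Apple and Samsung profiles listed above (first configured profile wins, which is why keeping the list short matters) and listing the transforms in a profile that an Internet-facing ePDG should stop offering. The profile values come from the slide; the "avoid" set is an assumption taken from RFC 8247 (IKEv2) and RFC 8221 (ESP) guidance, not from the slide.

```python
# Added example (not from the presentation): profile selection for a UE
# proposal plus a legacy-transform check. Profile values are the slide's;
# the AVOID set is an assumption, not something the slide states.

APPLE_PROFILE = {"ike_enc": "AES-CBC-256", "prf": "PRF-HMAC-SHA1",
                 "ike_integ": "HMAC-SHA1-96", "dh": "Group 2 (1024-bit)",
                 "esp_enc": "AES-CBC-128", "esn": False, "esp_integ": "HMAC-SHA1-96"}
SAMSUNG_PROFILE = dict(APPLE_PROFILE, ike_enc="AES-CBC-128")
# Order matters: the first matching profile wins (slide: keep the list short).
CONFIGURED_PROFILES = {"apple": APPLE_PROFILE, "samsung": SAMSUNG_PROFILE}

# Assumption (not from the slide): RFC 8247 / RFC 8221 advise against DES,
# MD5-based algorithms and the 768/1024-bit MODP groups; NULL ESP encryption
# gives voice on an untrusted WLAN no confidentiality at all.
AVOID = {"DES-CBC", "HMAC-MD5-96", "PRF-HMAC-MD5", "NULL",
         "Group 1 (768-bit)", "Group 2 (1024-bit)"}


def select_profile(proposal, profiles=CONFIGURED_PROFILES):
    """Name of the first configured profile whose every transform the UE offers.

    proposal maps a transform type to the set of values the UE proposed, e.g.
    {"ike_enc": {"AES-CBC-256", "AES-CBC-128"}, "esn": {False}, ...}."""
    for name, prof in profiles.items():
        if all(value in proposal.get(kind, set()) for kind, value in prof.items()):
            return name
    return None


def avoid_transforms(profile):
    """Transforms in a profile that current IKEv2/ESP guidance says not to use."""
    return sorted(v for v in profile.values() if isinstance(v, str) and v in AVOID)


def proposal_from_ue(ike_enc, esp_enc, dh, integ="HMAC-SHA1-96", prf="PRF-HMAC-SHA1"):
    """Build a proposal the way a UE advertises it: several encryption
    alternatives, one integrity/PRF choice, ESN off (the only value supported)."""
    return {"ike_enc": set(ike_enc), "esp_enc": set(esp_enc), "dh": set(dh),
            "ike_integ": {integ}, "esp_integ": {integ}, "prf": {prf}, "esn": {False}}
```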


Stale Session
[Diagram: UE (IPSec client) – un-trusted / un-managed access network – ePDG – S2b to PGW 1 and PGW 2 – IMS]
Stale Session in PGW
• When the UE initiates a re-attach, the ePDG locally cleans up the existing session and performs PGW selection for the new session
• If the PGW selected is the same old one, the session will be replaced in the PGW
• If the PGW selected is different from the old one, the old PGW will hold a stale session
No clear guidelines from 3GPP to address this problem

Recommended Approach
• The ePDG will compare the PGW details with the existing S2b session and initiate a Delete Session Request to the old PGW if the PGW selected is different from the old one.
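The recommended approach above as an added example, not from the presentation or any ePDG implementation: a minimal ePDG-side S2b session table that decides on re-attach whether a Delete Session Request to the old PGW is needed. The session store, TEID numbering and message names are constructed.

```python
# Added example (not from the presentation): ePDG re-attach handling that
# avoids the stale session on the old PGW. Session store, TEID numbering
# and message tuples are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class S2bSession:
    imsi: str
    pgw: str
    teid: int


@dataclass
class EpdgState:
    sessions: dict = field(default_factory=dict)   # imsi -> S2bSession
    next_teid: int = 1

    def attach(self, imsi, selected_pgw):
        """Handle an (re-)attach after PGW selection. Returns the GTP-C
        messages to send as (message, pgw, teid) tuples, in send order."""
        msgs = []
        old = self.sessions.get(imsi)
        if old is not None and old.pgw != selected_pgw:
            # Different PGW chosen: clean up at the old one first, otherwise
            # that PGW keeps a stale session nobody will ever delete.
            msgs.append(("Delete Session Request", old.pgw, old.teid))
        # Same PGW: the new Create Session simply replaces the session there
        # (slide: "the session will be replaced in the PGW"), no delete needed.
        new = S2bSession(imsi, selected_pgw, self.next_teid)
        self.next_teid += 1
        self.sessions[imsi] = new
        msgs.append(("Create Session Request", selected_pgw, new.teid))
        return msgs

    def detach(self, imsi):
        """Normal detach: delete the current session at its PGW."""
        old = self.sessions.pop(imsi, None)
        return [("Delete Session Request", old.pgw, old.teid)] if old else []
```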
MTU
[Diagram: UE (IPSec client) – SWu – ePDG – S2b – PGW – SGi – IMS; the inner IPv4/IPv6 packet is carried on every hop, over ESP/UDP/IPv4-IPv6 on SWu and over GTP/IPv4-IPv6 on S2b]
• End-to-end MTU should be consistent to ensure the quality of experience
• The different protocol stacks and encapsulation methods used across the interfaces could cause fragmentation
• Fragmentation of IPSec packets could cause additional processing at the UE and may delay packet delivery to the application in the UE
• NAT / firewall devices may drop the small fragmented IPSec packets as a threat
Solution Recommended
• Calculate the max payload the ePDG can send on the SWu interface without fragmentation
• The ePDG max payload shall be configured as the IMS MTU
• The PGW MTU shall be IMS MTU + additional headers
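The recommended calculation above as an added example, not from the presentation: it sizes the inner (IMS) MTU so that the ePDG never has to fragment ESP on SWu, then derives the PGW-side MTU the slide calls "IMS MTU + additional headers". It assumes ESP tunnel mode with IKEv2 NAT-T (UDP/4500) encapsulation, the CBC ciphers from the profile table, and takes "additional headers" to mean the GTP-U/UDP/IP encapsulation on S2b.

```python
# Added example (not from the presentation). Assumptions: ESP tunnel mode with
# NAT-T (UDP/4500) on SWu, CBC ciphers as in the profile table, and the PGW
# "additional headers" being the GTP-U/UDP/IP encapsulation on S2b.

IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
GTPU_HDR = 8      # GTP-U header without optional fields

# (IV length, cipher block size) for the ESP encryption options on the slide
CIPHER = {"AES-CBC-128": (16, 16), "AES-CBC-256": (16, 16),
          "3DES-CBC": (8, 8), "DES-CBC": (8, 8), "NULL": (0, 1)}
# ICV length for the ESP integrity options on the slide
ICV = {"HMAC-SHA1-96": 12, "HMAC-MD5-96": 12, "AES-XCBC-96": 12,
       "HMAC-SHA2-256-128": 16, "HMAC-SHA2-384-192": 24,
       "HMAC-SHA2-512-256": 32, "NULL": 0}


def esp_packet_size(inner_len, cipher, integrity, outer_ipv6=False, nat_t=True):
    """Wire length of one SWu packet carrying an inner IP packet of inner_len bytes."""
    iv, block = CIPHER[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # round up to block
    outer = (IPV6_HDR if outer_ipv6 else IPV4_HDR) + (UDP_HDR if nat_t else 0)
    return outer + ESP_HDR + iv + padded + ICV[integrity]


def max_inner_mtu(swu_mtu, cipher, integrity, outer_ipv6=False, nat_t=True):
    """Largest inner packet the ePDG can send on SWu without fragmenting.

    Searched downward rather than subtracted because CBC padding is not linear."""
    inner = swu_mtu
    while esp_packet_size(inner, cipher, integrity, outer_ipv6, nat_t) > swu_mtu:
        inner -= 1
    return inner


def pgw_mtu_for(ims_mtu, s2b_ipv6=False):
    """Transport MTU needed on S2b: IMS MTU plus the GTP-U/UDP/IP headers."""
    return ims_mtu + GTPU_HDR + UDP_HDR + (IPV6_HDR if s2b_ipv6 else IPV4_HDR)
```

With a 1500-byte SWu path, IPv4 outer, NAT-T and the AES-CBC-128 / HMAC-SHA1-96 profile, the inner packet can be at most 1422 bytes (the ESP packet is then 1488 bytes, and one byte more would tip the CBC padding to the next block and exceed 1500).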
Conclusion
• VoWiFi has moved from novelty to necessity and it enables new business opportunities for service operators
• VoWiFi virtually turns every WiFi access point into a cellular tower and it extends the operator's network instantly
• VoWiFi complements VoLTE by reusing the same IMS investments and provides a better solution for the indoor coverage issue
• VoWiFi can give a competitive advantage over OTT players
• UE still plays a critical role in the deployment
• Some important aspects are still waiting for regulation

Thank you
Florian Hartmann
Sales Manager, Latin America Service Provider
May 2017