UMTS - IKEv2 & MOBIKE


Advertisements

Internet Key Exchange is a sophisticated version 2 defined by the IETF in RFC 4306. It allows creating and maintaining security associations and IPSec tunnels between two nodes and exchanging some configuration data; they are transferred to the so-called payload configuration dialogues in the message.

Comprehensive IKEv2 session consists of multiple dialogues, structured phases. The flow of messages and typical base is given in the figure below, and a description of how it is applied in the context of signaling between EU and ePDG −

IKEv2Phase Comments
Initial Exchange

Notifies payload as MOBIKE support indication. IP address to be requested/ delivered in configuration payload.

Home agent address to be requested/ provided in configuration payload.

Auth Exchange
Create child SA For creating protected tunnel for DSM IPv6 signaling
x. Information Exchange At any point after AUTH.

In the Evolved 3GPP system IKEv2 is used for −

  • IP address information: either IPv4 address or IPv6 prefix.
  • IP mobility mode selection information.
  • IP address information: IPv6 prefix.
  • DNS server address.

Diameter

The diameter is a generic AAA protocol, with additional functions for network access, mobility and QoS handling. Although it is in principle, of a general nature peer-to-peer, it is used in the 3GPP architecture in the client-server mode. It has a built-in extensibility and so perfectly supports message structures on the interfaces with the need for some flexibility. In addition, it supports multiple server configurations with failure and failover handling. Functionally, it has similarities with its predecessor radius but differs profoundly on the level of message and parameters. DIAMETER offers ability to detect a dead peer by pairs of heartbeat messages. It can be run over SCTP or TCP and uses the 3868 port.

The DIAMETER protocol is used extensively in the EPC −

  • S6a for subscription download and update between MME and HSS.

  • S6d (between an upgraded SGSN and HSS), which is the counterpart of S6a for the legacy world with interworking capability with the new system.

  • S13 for equipment checking between MME and EIR.

  • SWa for authentication between untrusted non-3GPP access and AAA server.

  • STa for authentication between trusted non-3GPP access and AAA server and authorization.

  • SWd for forwarding between an AAA proxy and a AAA server (forwarding between VPLMN and HPLMN).

  • S6b for authorization of APN and mobility between PDN GW and AAA server.

  • SWm for authentication and authorization between ePDG and AAA server.

  • SWx for exchange of authentication vector and registration information between AAA server and HSS.

  • Gx for IP-CAN session handling and GW-Control Session handling between PDN GW and PCRF.

Advertisements