|
1.
|
The UE sends IKE_SA_INIT Message.
|
|
2.
|
ePDG responds with IKE_SA_INIT_RSP Message.
|
|
3.
|
The UE sends the anonymous or configured value (in the IDi payload), APN (in the IDr payload), and CERTREQ information in
this first message of the IKE_AUTH phase, and begins negotiation of child security associations. The UE omits the AUTH parameter
in order to indicate to the ePDG that it wants to use EAP over IKEv2. The UE shall send the configuration payload (CFG_REQUEST)
within the IKE_AUTH request message to obtain an IPv4 home IP Address and/or a Home Agent Address.
|
|
4.
|
ePDG decodes and processes the string anonymous or any configured value received in IDi payload in the IKE_AUTH request. In
addition to the ePDG server certificate, the IKEv2 server initiates an EAP Identity request towards the IKEv2 client.
|
|
5
|
The IKEv2 client (UE) authenticates the server using the certificate and provides the IMSI in the EAP Identity response.
|
|
6
|
The ePDG sends the Authentication and Authorization Request message to the 3GPP AAA Server, containing the user identity and
APN.
|
|
7.
|
The 3GPP AAA Server shall fetch the user profile and authentication vectors from HSS/HLR (if these parameters are not available
in the 3GPP AAA Server). The 3GPP AAA Server shall lookup the IMSI of the authenticated user based on the received user identity
(root NAI) and include the EAP-AKA as requested authentication method in the request sent to the HSS. The HSS shall then generate
authentication vectors with AMF separation bit = 0 and send them back to the 3GPP AAA server. The 3GPP AAA Server checks in
user's subscription if he/she is authorized for non-3GPP access. The counter of IKE SAs for that APN is stepped up. If the
maximum number of IKE SAs for that APN is exceeded, the 3GPP AAA Server shall send an indication to the ePDG that established
the oldest active IKE SA (it could be the same ePDG or a different one) to delete the oldest established IKE SA. The 3GPP
AAA Server shall update accordingly the information of IKE SAs active for the APN.
The 3GPP AAA Server initiates the authentication challenge. The user identity is not requested again.
|
|
8.
|
The ePDG responds with its identity, a certificate, and sends the AUTH parameter to protect the previous message it sent to
the UE (in the IKE_SA_INIT exchange). It completes the negotiation of the child security associations if any. The EAP message
received from the 3GPP AAA Server (EAP-Request/AKA-Challenge) is included in order to start the EAP procedure over IKEv2.
|
|
9.
|
The UE checks the authentication parameters and responds to the authentication challenge. The only payload (apart from the
header) in the IKEv2 message is the EAP message.
|
|
10
|
The ePDG forwards the EAP-Response/AKA-Challenge message to the 3GPP AAA Server.
|
|
10a
|
The AAA checks, if the authentication response is correct.
|
|
11.
|
When all checks are successful, the 3GPP AAA Server sends the final Authentication and Authorization Answer (with a result
code indicating success) including the relevant service authorization information, an EAP success and the key material to
the ePDG. This key material shall consist of the MSK generated during the authentication process. When the SWm and SWd interfaces
between ePDG and 3GPP AAA Server are implemented using Diameter, the MSK shall be encapsulated in the EAP-Master-Session-Key-AVP,
as defined in RFC 4072.
|
|
12.
|
The MSK shall be used by the ePDG to generate the AUTH parameters in order to authenticate the IKE_SA_INIT phase messages,
as specified for IKEv2 in RFC 4306. These two first messages had not been authenticated before as there was no key material
available yet. According to RFC 4306 [3], the shared secret generated in an EAP exchange (the MSK), when used over IKEv2,
shall be used to generated the AUTH parameters.
|
|
13.
|
The EAP Success/Failure message is forwarded to the UE over IKEv2.
|
|
14
|
The UE takes its own copy of the MSK as input to generate the AUTH parameter to authenticate the first IKE_SA_INIT message.
The AUTH parameter is sent to the ePDG.
|
|
15
|
The ePDG checks the correctness of the AUTH parameter calculated based on:
|
|
16
|
On successful authentication the ePDG selects the P-GW based on Node Selection options.The ePDG sends Create Session Request
(IMSI, [MSISDN], Serving Network, RAT Type (WLAN), Indication Flags, Sender F-TEID for C-plane, APN, Selection Mode, PAA,
APN-AMBR, Bearer Contexts, [Recovery], [Charging characteristics], [Additional Protocol Configuration Options (APCO)]), Private
IE (P-CSCF, AP MAC address). Indication Flags shall have Dual Address Bearer Flag set if PDN Type is IPv4v6.Handover flag
shall be set to Initial or Handover based on the presence of IP addresses in the IPv4/IPv6_Address configuration requests.Selection
Mode shall be set to "MS or network provided APN, subscribed verified". The MSISDN, Charging characteristics, APN-AMBR and
bearer QoS shall be provided on S2b interface by ePDG when these are received from AAA on SWm interface.The control plane
TEID shall be per PDN connection and the user plane TEID shall be per bearer created.
|
|
17.
|
The P-GW allocates the requested IP address session and responds back to the ePDG with a Create Session Response (Cause, P-GW
S2b Address C-plane, PAA, APN-AMBR, [Recovery], Bearer Contexts Created, [Additional Protocol Configuration Options (APCO)],
Private IE (P-CSCF)) message.
|
|
18.
|
The ePDG calculates the AUTH parameter calculated based on IDr payload, which authenticates the second IKE_SA_INIT message.
|
|
19.
|
The ePDG sends the assigned Remote IP address in the configuration payload (CFG_REPLY).The AUTH parameter is sent to the UE
together with the configuration payload, security associations and the rest of the IKEv2 parameters and the IKEv2 negotiation
terminates.
|
|
20.
|
Router Advertisement will be sent for IPv6 address assignments, based on configuration.
|
Note
|
If the ePDG detects that an old IKE SA for that APN already exists, it will delete the IKE SA and send the UE an INFORMATIONAL
exchange with a Delete payload in order to delete the old IKE SA in UE.
|
|
Feedback