Both the GSM and the UMTS systems offer packet data capabilities. The GSM system, which was designed and optimized for the support of speech and circuit data services, has been augmented with packet data capabilities via the General Packet Radio Service (GPRS) overlay. Therefore, the GPRS system does not always deliver optimal data transmission or offer high performance and throughput data services. Conversely, UMTS has been designed from the outset to support packet data services through its PS domain, so its performance is expected to be much more efficient and at a higher data rate than GPRS. Chapter 4 provides an in-depth description of both the UMTS PS domain and GPRS packet data services capabilities. This section focuses on packet-data-based Mobile VPN services that can be provided by both the GPRS and UMTS packet data systems.
The differences in VPN service between the GPRS and UMTS systems are for the most part negligible. The few exceptions are:
New features introduced in 3GPP Release 99 standards and not present in pre-Release 99 GPRS systems, such as multiple levels of QoS per single data sessions.
DHCP Relay at the GGSN and Mobile IP FA support at the GGSN.
These features significantly extend the range of services operators can offer, and they will be common to both GPRS and UMTS systems from Release 99 onward. However, it is also expected that after Release 99 packet data services, networks will not be centered around the GSM/GPRS system, and consequently these capabilities are expected to be more widespread in UMTS networks (the exception being EDGE and GERAN deployments, which are unlikely to be a very common in Europe and Asia anyway, and might be limited to other regions, such as North America). For these reasons, this chapter refers to GPRS and UMTS PS domain VPNs interchangeably. When a particular VPN service only applies to some release of the system, we will make that explicit.
Let's begin this section by focusing on the GGSN. The GGSN sits between the wireless network and the wireline data networks that interface with it. This network element is common to both GPRS and UMTS systems. This is also the network element that is key to providing advanced data services such as MVPN. The Home Location Register (HLR), the AAA subsystem, Serving GPRS Support Nodes (SGSNs), the user profile, and customer relationship management subsystems are also critical components in the IP services delivery, but the IP services intelligence is concentrated in the GGSN, since this is the point which processes user packets at the network and possibly higher layers. The GGSN is a network element that terminates GTP tunnels established from the SGSN, where the user is located as it moves around the wireless access network. The GGSN provides access points to packet data networks (PDNs). Each access point is identified via a logical name, or the access point name (APN). The format of the APN is specified in [3GPP TS23.003], and its syntax has been introduced earlier, in Chapter 2, in relation to DNS usage in cellular systems. The SGSN, at session setup time, resolves the APN via DNS to an IP address or a list of IP addresses belonging to one or more GGSNs offering the desired access point. In fact, for service availability purposes or simply for scalability and load sharing, it is desirable to allow an access point to be distributed over more than one GGSN. This results eventually in the selection of an IP address to be used to establish a GTP tunnel. The actual algorithm used to select the IP address from a list of IP addresses resolved by DNS is vendor-specific. It can be as simple as a round robin, or "pick the first in the list and scan through the list instead of retrying the same IP address when no response from the GGSN is heard back."
The GPRS tunnel establishment process is key to the provisioning of VPN services, and it is explained here in detail. The first message used to set up the GTP tunnel contains the user identity provided by the IMSI and MSISDN. (For a definition of the IMSI and MSISDN see [3GPP TS23.003].) In addition, it carries two other very important pieces of information: the Network Identifier portion of the APN and the Selection Mode. It is possible to authenticate the user based on IMSI or MSISDN—for instance, by passing the IMSI or MSISDN and APN to AAA servers that consider the identity information to be trusted, since it comes from the wireless network. As a part of this process, the GGSN can receive user profile information in the messages received back from the AAA subsystem. Then, this information can be used at the GGSN to retrieve IP service-related parameters and policies from external databases, such as LDAP or COPS directories (see Chapter 5), so that the appropriate policies for the user can be put in place.
The Network Identifier (NI) part of the APN is used at the GGSN to associate the session to an appropriate external network and determine what is the user authentication method and the protocol to be used (IPv4, IPv6, or PPP), as well as whether the PPP session needs to be handled at the GGSN or simply relayed to a LNS via L2TP tunnel (in the latter case, the GGSN would act as an LAC as well). Also, packet handling behavior, policies, external servers IP addresses, host configuration information, and other information can be associated to the APN. A sound GGSN implementation must therefore allow for the configuration of a significant amount of information per APN, to determine in which way the incoming sessions for each APN need to be handled. There are more approaches to service selection and configuration, such as deriving the configuration information from the domain a user specifies together with the username, at logon time. These are discussed later in the chapter.
The Selection Mode information element carried in the Create PDP context request determines in which way the user session is incoming for a specific access point—that is, according to which criterion the user was allowed to use the APN by the network (SGSN). The APN can in fact be MS-specified, network-specified (as in the case of a default APN the user is assigned to by the SGSN), or be a part of the subscription profile and generated by the MS or by the network. Later in this chapter we provide insight on the use of the Selection Mode and the preconditions for it to be useful in providing secure VPN services.
Based on the reception of the APN information, and on lookup of the session-handling information configured for the APN, different network access services can be offered at the GGSN. These network access services can be broadly classified into:
IP PDP type:
IP with Protocol Configuration Options
DHCP Relay and Mobile IP (available beginning with R99)
PPP PDP type (available beginning with Release 98):
PPP terminated at the GGSN
The current standards are a bit fuzzy in the way they classify the different sorts of network access services offered by GPRS. They oversimplify the classification in "Nontransparent" and "Transparent" access methods (3G [TS29.061] and GSM [TS09.61]), perhaps echoing the original GSM transparent and nontransparent circuit-switched data bearers. We have therefore chosen to adopt our own classification, which we have just introduced and which will be further detailed in the remainder of the chapter. We believe this to be clearer and more precise than the one currently used by 3GPP standards.
In the standards, transparent access is defined to be when the GGSN does not participate in user authentication. The GGSN does not query an external server for user authentication, and the user authentication for network access simply relies on the wireless network access authentication. Wireless network access authentication is performed when the user attaches to Packet Mobility Management (PMM) at the SGSN, or if the user changes SGSN as the user moves, based on trust of information from the old SGSN or based on MS reauthentication at the new SGSN. Broadly speaking, this access method would map to Simple IP access mode in our taxonomy (see below the section providing a detailed description of this access mode), should we elect to engage in terminology mapping. But we will show that in Simple IP access mode external servers can be used, and the GGSN can still participate in user authentication.
In this case only the SIM (or USIM) card in the wireless device (MS) is authenticated, rather than the user of the SIM. Even though entering the PIN number at MS startup provides user-level identification, normally users want to skip this phase and configure the MS to automatically remember and use the PIN, thus defeating the purpose of the user-level authentication built into the system. In addition, the PIN is a secret shared with the wireless provider and is not considered a user secret for external network access (that is, the external network cannot base user authentication on the PIN used for wireless access authentication). So, external networks offering "transparent access service" do so based on a trust relationship with the wireless carrier.
In the standards, nontransparent access refers to all other access methods where the GGSN participates in user authentication. However, after trying to understand the standards in detail, we are left with many questions and doubts, which often spark lengthy debates on what is transparent and what is not. In fact, PPP Relay over L2TP tunnels appears to be classified as nontransparent access, but typically user authentication is performed at an LNS not collocated with the GGSN, so by the definition provided, this should be considered a transparent access mode. For the sake of avoiding this kind of interesting but unproductive debate, at least for those who kindly decided to read this book, we opted to use our own terminology, which we consider more appropriate. We also avoided trying to map this to the standards taxonomy, since again this would have required us to justify decisions taken in the standards, which appears to be quite a risky and difficult task and not necessary for the readers to fully master the matter and properly apply these solutions in the real world.
The IP PDP type allows for the provision of IP network access services for both IPv4 and IPv6 by offering IP layer connectivity and services to the MS. We have decided to consider IPv4 only in this chapter for the sake of simplicity, since it will be mainstream for a few years to come in the provisioning of corporate network access services and advanced IP services.
Solutions based on this PDP type encompass different ways to offer IP address assignment, host configuration, and lower-layer connectivity to the IP network. The value of the network identifier portion of the APN sent to the GGSN in the Create PDP context request determines which combination of these service building blocks will be used for the sessions based on GGSN configuration. Also, other information can be provisioned at the GGSN on a per-APN NI basis, such as the next hop for uplink packets (in case this helped to route packets to appropriate destinations on a per-APN basis, such as in the case where a different ISP or network is associated with different APNs).
An APN configured for Simple IP mode of access offers the following types of services:
Layer 2 (ATM, MPLS, Frame Relay, PPP, etc.) or tunnel-based (IPSec tunnel mode, IP/IP, GRE, etc.) connectivity to the external network.
Possibility to interface to a AAA server to perform an IMSI- or MSISDN-based authentication or RADIUS-based IP address assignment.
Use of RADIUS accounting to communicate session-related events to accounting servers or application servers.
Dynamic or static IP address assignment.
Network-initiated PDP context activation.
When network-initiated PDP context is supported, the IP address needs to be statically associated to the IMSI of the MS. The IP address is assigned using local pools at the GGSN or RADIUS or DHCP client, and it is communicated to the MS in the end-user address IE of the GTP Create PDP context response and RIL3 [3GPP TS24.008] Activate PDP context accept messages.
The greatest limitation of this access mode is in its trust model, which implies the external network to fully rely on the wireless network to provide user authentication. There is neither a human-kept secret (password) nor two-factor authentication (human-kept secret plus a token-card-generated one-time code) that can be used to prevent individuals from getting hold of a terminal, by accident or maliciously, to access the network associated to the APN, if the true owner of the terminal disabled the need to insert a PIN to get the MS attached to PS services. For this reason, this access mode is most useful for providing access to applications and services that do not require user authentication. In addition, if an application accessed via Simple IP requires strict user authentication for sensitive transactions to be carried out, some login- and password-based authentication within the TLS session can be used.
On the other hand, this access mode is most suitable for services that require minimum interaction between the user and the terminal in order to set up connectivity. This access mode, if accompanied by the usage of RADIUS Authentication or Accounting, can also be used to provide single sign-on by transferring session-related information to a services access layer that distributes the user identity and IP address used for mapping to applications. In fact, the service access layer may "know" of the mapping of the IP address to IMSI or MSISDN via RADIUS-based IP address assignment or via reporting of the mapping of the IP address to the user identity (IMSI or MSISDN) via RADIUS accounting messages. Today this IP address-to-user ID mapping is mostly used in WAP gateways or HTTP proxy servers to enable advanced content conditioning and billing features.
Normally, Simple IP can be expected to be used for Web- or WAP-based browsing applications. Another possible application of this network access mode is end-to-end VPNs—that is, client-based remote network access. Recall from Chapter 5 that the VPN client-based network access requires public routable IP addresses to be assigned—unless nonstandard-compliant IKE implementations are adopted. The latter condition, however, requires the service provider and the corporations to agree on which VPN client and gateway vendor to pick, which does not appear to be practical in most cases. Recently, some IPSec NAT traversals proposals to the IETF make the use of private addresses possible for IPSec tunnel mode operation, thus relaxing the constraint to have public IP addresses assigned.
In Simple IP the GGSN can be provided with evidence the subscriber to the APN has access rights based on the Selection Mode Information Element carried in the Create PDP context request, if the selection mode attribute is set to value 0—that is, "MS or network provided APN, subscribed verified." Of course, if reliance on this information is fundamental for the proper operation of the service, the GTP signaling must be protected by security measures that would enable integrity preservation. Alternatively, the GGSN can query an AAA server with RADIUS Access Accept populated with the user MSISDN or the IMSI RADIUS 3GPP VSA (as described in [3GPP TS29.061] and in Appendix C), so that it would be possible to perform authentication of the user based on the IMSI or MSISDN trusted information provided by the network. In this case, the Access Request user-name and password would be populated with some dummy values. Again, the IMSI or MSISDN information transported by GTP signaling should be protected, so that its integrity (and, if desired, its confidentiality) can be preserved. Typically this is achieved by using GTP protected with IPSec.
The IP addresses can be assigned in this case via local address pool, RADIUS, or DHCP client. Static IP addresses are also allowed, and in fact, the use of static IP addresses is necessary for network-initiated PDP context activation.
The host configuration is yet another area in which this solution is not as strong as the others. With Simple IP the MS is required to be manually configured by the user, possibly with the aid of some software tools provided with the subscription pack on an installation CD-ROM, with the IP address of the NetBIOS (Network Basic Input-Output System) servers or DNS servers to avoid headaches to the service provider's help desks. This may not be desirable if no automated and constrained mechanism is in place. In summary, this access mode is suitable for simple terminals requiring access to applications that can resolve strict user authentication in a way independent from network access authentication.
IP with Protocol Configuration Options access method architecture is depicted in Figure 6.2. The Create PDP context request message can contain the Protocol Configuration Options Information Element (PCO IE). This Information Element is a transparent container of host configuration and authentication information that is exchanged between the terminal equipment (TE) and the Mobile Terminal (MT) components of the MS. The TE component is expected to be a laptop or another device that interfaces to the MT via a PPP-based link. The PPP authentication phase can be based on "No auth" PAP or CHAP. The MT always successfully authenticates the TE, collects authentication material from it, and enters the Internet Protocol Control Protocol (IPCP) phase. This authentication material and IPCP configure request is then included in the PCO IE in an Activate PDP context request sent to the SGSN, which then transparently transfers this information to the GGSN in a Create PDP context request message. Eventually, the GGSN uses this information to authenticate the MS. If the MS is authenticated, then the GGSN also determines which host configuration information needs to be sent back to the MS (including an IP address for the MS, the IP address of the primary and secondary DNS servers, or possibly the IP addresses of the primary and secondary NetBIOS name servers) using a PCO IE in the Create PDP context response.
This access mode based on IP PDP type allows for the same layer two or tunneled connectivity to the network associated to the APN as in the Simple IP case, but it adds the capability to perform user authentication for network access based on a secret shared between the administrative entity of the external network and the end user, thus allowing for a stricter level of security than Simple IP mode. The only weakness in this model is the possibility for a malicious user to snoop a challenge/response pair sent in a PCO IE and then reuse that to gain access to the network. In fact, this network access mode does not allow the GGSN (or the AAA subsystem) to generate a challenge to the MS, thus exposing the system to replay-based attacks. In general, a well-designed network should not be exposed to such attacks, unless the malicious user can craft a handset to generate this stolen challenge/response pair, which is generally not a trivial task. Network administrators still concerned about the weakness associated with replay-based attacks can always turn to the PPP PDP type, in relay or PPP terminated forms, for assistance (see the section "PPP PDP Type" coming up in the chapter for details).
By defining the username to be compliant to [RFC2486] format, in which the concept of the NAI is introduced to define a username with the format "user@domain," IP with PCO access mode allows for the GGSN in a visited network to be used, provided that AAA level roaming capability is in place (a la iPass and GRIC—two ISPs offering global Internet access based on roaming agreements with other ISPs in different countries). Also, by changing the domain component, some intelligent IP services platforms can be configured to return in the filter ID attribute or other RADIUS attributes the name of a service whose definition, in terms of network access policies, can be retrieved from an LDAP or equivalent service policies configuration data repository. The different service policies may, for instance, allow the GGSN to route user packets to different networks depending on the domain component of the username, thus allowing a subscriber to select a specific network and the service it offers based on this value.
Also, by adding the "3GPP-GGSN-MCC-MNC" RADIUS Vendor-Specific Attribute (VSA, see [3GPP TS29.061]) to the RADIUS messages, when a GGSN in the visited network is used at the home AAA server, it is possible to apply visited-network-dependent policies. The AAA subsystem may as well trigger applications in the home network to send to the MS visited network-specific push content, such as local news or alerts. The AAA server in the home network may in fact instruct push servers in the home network to initiate push sessions with the MS, using the address that is included in Accounting Request START that has been received from the GGSN. Alternatively, if the GGSN is in the home network, an equivalent functionality is provided by the usage of the "3GPP-SGSN-IP address" RADIUS 3GPP VSA to determine whether the user is "at home" or roaming. With Reverse DNS lookup it is also possible to retrieve additional information and identify the current provider or determine geographic location information.
Release 99 of the 3GPP standards has enhanced GPRS specifications to allow an APN to be configured to support DHCP Relay service or Mobile IP Foreign Agent (FA) functionality. Figure 6.3 depicts a typical DHCP Relay access method scenario. When the Create PDP context request is sent to the GGSN for an APN configured to support DHCP or Mobile IP FA, a Create PDP context response is sent back to the SGSN immediately without any other user authentication than in Simple IP access mode. This defines a GTP tunnel and a bearer toward an MS without any MS IP address associated with it. This tunnel can be used to exchange DHCP configuration messages or Mobile IP advertisements and registration messages. Eventually the MS will be assigned an IP address using DCHP or Mobile IP methods. The remote network access will be obtained using encapsulations methods allowed by Mobile IP, or by using the link layer and tunneling technologies defined for Simple IP when DCHP is configured.
The DHCP Relay access mode is likely to be used when advanced host configuration methods and when a "LAN-like" access mode are required. The LAN-like access mode is particularly suitable for wireless devices that require discovery of a lot of service-related information, such as the HTTP or SIP proxy IP address. Generally, the user authentication in this method suffers from the same shortcomings as in the Simple IP mode. However, here user authentication may be further enhanced by the use of the DHCP authentication [RFC3118].
The Mobile IPv4 access mode is also suitable for LAN-like access mode, as it seamlessly supports the handoff between GPRS/UMTS and other access technologies such as Wireless LAN. Note that Wireless LAN-based access is key in many hot-spot-based deployment scenarios (more in Chapter 9) and is appealing for its high data rate and the low cost per byte. The Mobile IP-based, combined GPRS/UMTS/WLAN networks may become widely deployed in the future, once some security and standard issues have been resolved and when interoperable and affordable user devices are available.
The PPP PDP type was added to the GPRS specification beginning with Release 98. This was a very important addition to the capabilities offered by the GPRS system in that it allows more seamless adaptation to the installed base of wireline remote network access infrastructure that is today in most cases based on PPP. It also solves weaknesses in the CHAP implementation based on the IP with Protocol Configuration Options access mode, as detailed previously. PPP PDP type enables the use of PPP encryption and PPP compression, as well as the use of network layer protocols other than IP. PPP also defines an Extensible Authentication Protocol (EAP—[RFC2284]) that allows the LCP negotiation to terminate without determining the authentication protocol, which is transparent to the NAS and only determined at authentication phase time. This allows for the evolution of the authentication protocols used without the need of changing the NAS and AAA infrastructure. It also allows for the use of advanced authentication algorithms that will be developed over time, such as smart cards and biometrics, that cannot reuse existing authentication methods such as PAP and CHAP as authentication information transport method.
PPP periodically checks the availability of the end-to-end link by using an LCP echo request/response message. This can lead to a number of problems related to bringing up the radio links even when no useful data needs to be transmitted. Here is how this problem can be eliminated: Both the GGSN and the MT have local GPRS/UMTS bearers availability information. So both entities can avoid relaying LCP echo requests and just respond to the echo requests themselves. In the PPP Relay case, both the GGSN and MT will act as LCP echo message proxies (the GGSN toward external NASs, the MT toward the TE). When PPP is terminated at the GGSN, the GGSN should not transmit LCP echo requests, and the MT should act as an LCP proxy. This setup guarantees optimal performance of a PPP PDP type based MVPN, and it does not represent any practical limitation in detection of the link state.
Some MVPN client implementations—such as L2TP-based VPN clients and IPSec VPN clients—normally exchange keep-alive messages with the VPN gateway. In this case the network has no control over them, nor can it act as a proxy to avoid inefficient usage of radio resources. Therefore, it may happen that this would negatively impact the radio resources usage and make the bill for the user undesirably more expensive. Also, a PPP PDP type based solution with LCP proxy would allow the end-to-end bearer to be up as long as the wireless bearer is up, whereas a VPN client-VPN gateway link may be down even when the wireless bearer is not (for example, because the VPN tunnel keep-alive messages were lost over the radio). Because of these deficiencies and others described in Chapters 4 and 5, it appears clear that the end-to-end, VPN client-based solutions often may not be optimal in cellular environment, both from an operator and from a wireless subscriber perspective. Therefore, compulsory MVPN solutions built around properly executed PPP PDP type or IP PDP type access methods are more likely to be successful in the cellular environment.
The additional benefit of a PPP PDP type based MVPN is that in the PPP Relay case, the service provider can let the private network administrator perform address management and AAA, thus minimizing the impact on the cellular network administration and complexity. On the other hand, operators can offer outsourcing of these services and also consolidate on a unique platform terminating L2TP tunnels coming from both CSD and PS bearers-based access—and even dial, broadband, and wireless LAN access.
In PPP PDP access type an APN can be configured to relay PPP frames to a predefined external NAS device. The de facto standard technology used in this case is L2TP (see Chapter 2 for background on L2TP). L2TP can be relayed over Frame Relay, ATM, and UDP/IP. The APN at the GGSN must be configured with the L2 address (Frame Relay or ATM) or the IP address of the LNS, as well as the L2TP tunnel name and password. The information associated to APN determines which remote network PPP frames are going to be relayed to, thus requiring the GGSN only to set up the tunnel and the L2TP calls within it. This constitutes a really simple setting that can also guarantee a sufficient level of end-to-end security when the L2TP tunnels are secured via IPSec transport mode and PPP encryption is negotiated. Also, as it can be anticipated, in this scenario the GGSN may be acting as an LCP echo proxy. Figure 6.4 depicts the protocol stacks involved in a typical PPP Relay configuration using L2TP transported over UDP/IP.
Since the GGSN transparently attempts to set up calls to the LNS configured for the PPP Relay APN, it is recommended to include the APN in the set of the PDP context information stored in the HLR. This way, the incoming selection mode IE in the Create PDP context request is set to value "0"— or "MS or network provided APN, subscribed verified"—and those subscribers who are not authorized to attempt to set up the L2TP tunnels are denied the right to perform L2TP call setup. This feature helps protect against denial-of-service (DoS) attacks. Also, the Calling Number L2TP AVP should be set to the MSISDN of the MS, so that the LNS may be configured to reject incoming calls from calling numbers that do not belong to a certain preconfigured set of allowed numbers. The LNS administrator may use this option to detect the MSISDN of users attempting to access the LNS without rights, if necessary, for security reasons. Also, sending this AVP is necessary for the LNS to relay the MSISDN information to the AAA subsystem or to WAP gateways via a proprietary or RADIUS-based interface (in which case the RADIUS attribute used would be the Calling Station ID attribute).
PPP terminated at the GGSN access method offers the benefits of the PPP protocol-based host configuration and authentication in addition to a very flexible network access paradigm allowing for an array of advanced IP services. For instance, when the user is authenticated, the AAA server can return a name of a service to be provided to the user (as described in the previous section, "IP with Protocol Configuration Options") or possibly the information necessary to tunnel PPP frames to a LNS. The GGSN can also support PPP compression (typically LZS and MPPC), which allows for more efficient use of radio interface.
On the same GGSN platform used to terminate PPP PDP type GTP tunnels, it is often possible to terminate/originate L2TP tunnels, and therefore consolidation of multiple access technologies, both wireline and wireless, is also possible. Figure 6.5 illustrates in particular the protocol stacks supported by a GGSN terminating PPP.
A comparison between PPP terminated at the GGSN and IP PCO access modes will help us assess the weaknesses and strengths of each of them. The PPP terminated at the GGSN mode is more friendly to the GTP protocol operation, since in this case the GTP tunnel can be established immediately, without requiring the GGSN to wait for the user AAA and configuration processes (and possibly L2TP tunnel establishment, when the tunnel attributes are passed back in RADIUS Access Accept) to complete.
In some GGSN implementations, it is also possible to set up the GGSN to immediately establish an L2TP call when an incoming IP PDP type Create PDP context message is for a specific "IP with Protocol Configuration Options" access mode APN. This setup, however, would constitute a non-standard usage of L2TP, and it makes the end-to-end session vulnerable to the potential replay based attacks that affect the IP PCO mode. The L2TP tunnel establishment and user AAA process may also take long enough to create problems for GTP protocol handlers at the SGSN. In principle, an operator may tune the GTP timers and retransmission attempts for create PDP context requests to allow for the latency associated to "IP with Protocol Configuration Options" in setting up tunnels, but this is not a generally safe measure and also does not offer sufficient guarantees to provide acceptable service also when the user is roaming to networks that do not adopt the same tuning of GTP parameters.
Having said this, the solution might address the current shortage of PPP-capable GPRS terminal implementations that is affecting the industry, while still allowing the service flexibility offered by the other approach. Finally, the PPP PDP type allows for PPP compression protocols, such as STAC LZS and MPPC, to be used and negotiated, which is not something IP allows for. This can make the extra overhead added by PPP (2 bytes per packet) totally insignificant. As a summary, IP with Protocol Configuration Options results to be dominated by the PPP PDP type terminated at the GGSN, but it still can be expected to survive for quite a while at least until PPP PDP type support in terminals is widespread.
Service level agreements (SLAs), which a UMTS Mobile VPN service provider defines with a customer, include business arrangements and financial and legal clauses that are not relevant to technology and hence beyond the scope of this book. Usually, SLAs include availability figures, packet loss per class of service, replacement policies of failed units in the customer network if the operator also provides the customer premise equipment, troubleshooting and help desk support to administrators, technical training for administrators, IP addressing information, and the scope of the variables the customer can remotely manage.
The availability and support commitments agreed in the SLA can be expressed in terms of mean time between failure (MTBF), mean time to repair (MTTR), and reachability of technical support or availability of spare parts to replace failed parts. For instance, there can be different tariffs applied whether continuous support or limited support is guaranteed.
The guaranteed QoS levels could also be part of the SLA, together with a traffic conditioning agreement according to the DiffServ model (see Chapter 2), including a traffic profile a customer must comply with and the policing and remarking rules a service provider would enforce at the boundary with the customer network to traffic complying and not complying with the traffic profile. The SLA also specifies how IPSec sets up security and confidentiality features, including:
Which encryption and message header authentication algorithms are expected to be used
Whether manual configuration or PKI infrastructure is used for authentication keys distribution
Whether tunnel or transport mode is used
Particular IPSec policies
The IP addresses of the security gateways
Password management criteria for L2TP tunnels should also be included. Within this security-parameters-related section of the SLA, the handling of subscriber profiles and data should be described. Also, the trust relationship existing between the customer and the provider often depends on very specific clauses and guarantees written in this section.
The account setup and service sign-up methods for subscribers associated with the customer network must be part of the agreement. The service provider may provide a service signup Web page for this purpose. The type of subscriber authentication information that can be requested in order to obtain troubleshooting and support or benefit from customer care services must be included, and the handling of such data, that is confidentiality and privacy matters, must be spelled out.
Other specifications the SLA may include are:
AAA server access method (via proxy or direct access or broker network), as well as IP addressing information for host configuration information servers and network access methods allowed (IP with PCO, PPP Relay, PPP terminated), together with the availability, security, and AAA message attributes required for the service delivery.
Billing date and payment methods conditions, integral usage data documentation, and other billing and financial aspects.
For the CSD case, NAS telephone numbers, as well any conditions associated with user sessions termination upon idle timeouts.
IP addresses for LNS or other tunneling protocols endpoints.
Availability of the MVPN service when roaming and associated roaming fees.
It is not our intention here to provide an exhaustive list of what an SLA for MVPN may include (especially considering that some of these details had been covered in Chapter 5); however, we do once again want to stress its importance. This document, beyond the legal and business aspects, sets the customer expectations and also defines the service the customer will ultimately receive. So it is important that both the service provider and the customer can perceive it as a useful tool for their interaction, service definition, and implementation.
Also, since there will likely be a large set of customer network requirements, the level of customization of the SLA might vary widely depending on the size of the customer MVPN. It also depends on whether the provider wants to standardize a service or whether the provider wants to use the flexibility of its network to accommodate different customer needs.
If the expectations of MVPN services to become one of the mainstream cash generators for wireless service providers are ever realized, accounting data collection and billing information generation will surely become some of the most critical aspects in the successful and profitable delivery of MVPN services. Operators may define charging plans based on tariff times, traffic volume thresholds, location, or other parameters, such as application-level information derived by deep packet inspection. All charging plans are ultimately based on an appropriate charging data collection. Prepaid access-based subscription plans are also possible. Although this is certainly not the most common scenario for data VPN for corporate network access, it will play a significant role if access to application-specific VPNs is used to support consumer services.
The GPRS charging architecture was outlined in Chapter 4. GPRS charging is based on the Charging Data Records (CDRs collected for wireless access usage accounting. However, RADIUS accounting is also used to account for session duration and possibly to interface with an accounting infrastructure operated by a partner network. For example, RADIUS is used when the customer network requires collection of accounting data for trend analysis and usage profiling, and possibly of charging for network access itself in a manner independent of the billing performed by the wireless service provider. The standards also define the support of prepaid services in GPRS. The standard is CAMEL Phase 3 ([3GPP TS23.078], see Figure 6.6), which defines the interaction of the SGSN with the GSM SCF for the provision of prepaid services. The protocol used for such interaction is called CAMEL Application Part, or CAP, defined in [3GPP TS29.078].
One of the strengths of the GSM/GPRS and UMTS systems is its seamless roaming capability across countries and networks belonging to different operators. This capability can also be used to support Mobile VPN services.
Roaming support in GSM has been at the core of the reasons why the GSM Association was established in the first place. Many operators (mostly PTTs, for Post, Telephone, and Telegraph, in the early days) agreed to provide service to subscribers roaming into their own networks from other Home Public Mobile Networks (HPMNs) according to a well-defined set of rules set forth in the GSM Memorandum of Understanding (MoU). This has spurred a number of activities within the GSM Association International Roaming Expert Group (IREG) that helped in fine-tuning technical details in providing roaming to subscribers across networks, across countries, and for different services.
One of the GMS MoU's guiding principles is that a Visited Public Mobile Network (VPMN) cannot provide more services than the user has subscribed to in the HPMN. Networks entering into a roaming agreement need to specify what services the roamers are entitled to receive when in visitor mode, and also have to agree to rules governing the ways such services might be denied. The home operator may always define classes of users that can be offered roaming service by VPMNs by defining barring information on all or a subset of the services available in a VPMN. This information is stored in the HLR and downloaded in the visited network serving node at the time of user attachment, or it is transferred to a serving node when a user performs a location update procedure/handoff. When the mobile station or user equipment attempts to attach in a roamed-to network and the user has no right to get roaming service, the network may signal this, and the mobile station will not attempt again to attach to the network.
Roaming was initially conceived to enable service across countries, but as soon as market deregulation took place, regulators forced incumbent operators to provide access to their own infrastructure to new entrants on the basis of regulated roaming rates to alleviate entry barrier problems and promote competition on a fair basis. This scenario is also being repeated by 3G, except in this case, greenfield operators (that is, new companies starting up 3G businesses without having been a player in 2.5G GPRS network deployment) waiting to roll out 3G service are currently trying to establish some customer base by defining GPRS roaming agreements with incumbents.
Because of the high importance of roaming, the rest of the section focuses on enabling roaming for data services. Note that so far we are at the early stages of the wide-scale deployment of international and national roaming capabilities we could expect for the future. Existing roaming solutions are limited in scope, and no significant commercial deployments have been recorded at present nor are expected in the short term. Also, the standards for CAMEL still have some ambiguities that make interdomain, multivendor operation of prepaid mechanism not likely to happen very soon, mostly because of interoperability problems (which are being sorted out at this writing).
For the CSD case, roaming support is all but equivalent to the roaming support for voice services. In this book we won't describe the details of CS voice capability, except for the need for users to have a list of phone numbers available in visited networks that would allow them not to dial back to access numbers in the home network. This may be accomplished according to the IETF ROAMOPS (for Roaming Operations) WG guidelines or manually in a proprietary way. It should be noted that WAP services access in roaming conditions could be made far more efficient and cost-effective if carriers provided POPs around the world by defining a phone list users could use as they dial from around the world. Unfortunately, though, carriers are concerned about phone book configurations on terminals and also have shown reluctance to deploy advanced roaming solutions before the service has really taken off within the home network. This reluctance has, in essence, stopped the deployment of such a solution to date.
GPRS/UMTS data roaming is governed by both standards and industry consortia documents such as [PRD IR34] from the GSM Association IREG. The GPRS standards allow for a user to roam in a visited network and use a GGSN in the home network, or use a GGSN in the visited network. The interface between the GGSN in the home network and the SGSN in the visited network is called the Gp interface (see Chapter 4). The GTP tunnel, when a GGSN in the home network is used, traverses a network that is provided by a transit network service provider. This network, depicted in Figure 6.7, is called GRX (GPRS Roaming Exchange), and according to IREG guidelines, it is based on a public addressing scheme.
Access to the GRX may happen at central exchange points, which are equivalent to IXC or Internet Exchange Points, where many operators can exchange roaming traffic and set up BGP4 peering, over an L2 infrastructure provided by the GRX provider. The BGP routes advertised over the GRX are not distributed outside the GRX itself, and also no Internet routes are distributed over the GRX. Therefore, there is no mutual network layer reachability between the Internet and the GRX: the GRX is a private network based on a public addressing scheme. This was believed to be the best option because IREG members assumed that coordinating the use of a private address space between operators would be unpractical. However, the operation of a GPRS network may require a significant number of public IP addresses and the Internet Addresses registries are known not to give out many of them lately, so this may prove to be a hurdle in network operation.
Typically, a GRX also offers DNS root service for the .gprs domain so that resolution of access point names to IP addresses in remote networks is possible from any GPRS network.
GPRS-based MVPN service is normally offered based on a GGSN in the home network. This is accomplished normally by devoting an APN to the customer network, and this APN will resolve to an IP address or a list of IP addresses belonging to a GGSN in the home network. This approach requires the GTP tunnels between the SGSNs and home GGSNs to be protected via IPSec transport mode, so that the trust relationship between the visited network operator and the home network operator is not required to be extended over all the network providers traversed by the GTP tunnel. However, it is also possible to use a GGSN in the visited network, by defining a well-known APN that can be translated by the SGSN of the visited network into an APN that resolves to one or more IP addresses belonging to GGSN in the visited network. This requires a PPP PDP type APN, or an APN supporting the IP PDP type with PCO access mode, and the GGSN ability to dynamically assign the incoming request from the user to an appropriate VPN and to establish connectivity if no connectivity is statically set up. User assignment to a VPN is usually based on user profile information retrieved from the AAA subsystem (e.g., via the Filter ID RADIUS or "RADIUS L2TP Tunnel Information" attributes. Other solutions may require more customization of the GGSN node (e.g., lookup tables).
When a user is roaming using a home GGSN, accounting information at the GGSN is critical to record the usage data in the home network independently of the visited network. Also, the home GGSN, as mentioned, may use RADIUS accounting to accommodate the customer network's needs. User authentication in a home GGSN scenario is performed exactly as in the nonroaming scenario. For cases that rely strictly on the HLR subscription data for user authentication, integrity protection of GTP signaling from the visited SGSN to the home GGSN is required, so that the Selection Mode IE cannot be altered and therefore is expected to be valid, since it is generated by a visited network that has a trust relationship with the home network. As a part of the roaming agreement, the way the GTP signaling integrity is guaranteed may be subject to negotiation and definition. By the same token, IPSec polices for VPNs may be defined as a part of the roaming agreement.
User authentication in a visited network GGSN is normally governed by a AAA roaming agreement, where the visited GGSN may be acting as a AAA client to an AAA infrastructure based on RADIUS proxy and possibly including a RADIUS broker (see Figure 6.8). However, this kind of arrangement is likely not to dominate in the GPRS world, unlike the CDMA2000 networks that strictly rely on this setup (see Chapter 7).