CDMA2000 IP Address Management

CDMA2000 IP Address Management

In this section we provide an overview of IP address management from both a wireless carrier and a private network perspective. When an MS connects to a private network in either Simple IP or Mobile IP modes, it may be assigned a private IP address out of private network address space. Because no global authority allocates such addresses, they may not be globally routable or even unique, which should not pose a significant problem to the enterprise or wireless carrier. It is important, however, to architect the PDSN so that it can properly handle such a situation, that is, the PDSN must be able to appropriately route packets to and from HA's even though they have overlapping private addresses. To accomplish this, the PDSN must make use of the HA address in the outer IP header of tunneled packets and the link layer identification information on the access network side (that is on the R-P interface side) of the PDSN to resolve potential collisions in the IP addresses assigned to different MSs.

While private addresses are perfectly acceptable in the CDMA2000 VPN environment, public addresses allowing for easy voluntary MVPN might mean additional benefits to corporate CDMA2000 service subscribers. For example, there might be a requirement to provide end-to-end security for the protection of such extravagant data types as classified information, in addition to different levels of security provided by wireless carrier to different sets of customers. In such cases, the IT department might need to support voluntary VPN based on end-to-end tunneling such as IPSec or similar techniques to add an additional level of protection for sensitive data and to limit the exposure of private data to a third party such as a wireless access provider.

Alternatively, for the wireless carriers relying on private IP address space in their core networks and using network address translation to maximize the efficiency in dealing with scarce public IP addresses, voluntary MVPN can also be supported (regrettably, with greater difficulty) when one of the available NAT traversal mechanisms is properly executed by the carrier. (See Chapters 2 and 5 for more on these issues.)

Simple IP VPN Address Assignment

In CDMA2000, Simple IP address assignment is handled by the PDSN unless VPN service is requested. As opposed to Mobile IP, the Simple IP access method does not allow for static addresses to be preprovisioned in the MS. Instead, the IP address must be assigned to the MS dynamically via one of the available address assignment mechanisms, during PPP startup when the MS first registers with the PDSN and sends an IP address during the IPCP phase to request a dynamic IP address. Note that the address assigned to the MS may be a private address as per [RFC1918] or a public address.

The following list outlines the IP address assignment options available for Simple IP:

  • Assignment from a pool of addresses configured in the PDSN or in a PDSN cluster. The pool may be statically associated to the user via a mapping table provisioned on each PDSN, or the name of the address pool may be returned to the PDSN in the RADIUS Access Accept message by the AAA server.

  • Assignment via the use of an AAA server such as RADIUS or DIAMETER when performing authentication of the MS. Like the local pool case, the address from the AAA server is communicated to the client during PPP negotiation.

  • Assignment via DHCP, which requires DHCP client support in the PDSN.

When compulsory VPN service is requested in Simple IP mode, the responsibility for IP address assignment to the mobile is transferred to a private network. As described in the "Simple IP: A True Mobile VPN?" section earlier in the chapter, in this case the PPP link is terminated and then encapsulated into L2TP tunnel and forwarded to the LNS in a private network, where address assignment then occurs.

Mobile IP VPN Address Assignment

Like the Simple IP service, the address assignment process for Mobile IP service can be provided via a variety of options. Unlike Simple IP, however, mobile stations requesting Mobile IP service can optionally be provisioned with static preconfigured IP addresses. When an IP address is statically assigned to the MS, it will be proposed to the PDSN via IPCP during PPP negotiation. Recall from Chapter 4 that the IP address assignment for Mobile IP service in CDMA2000, and for Mobile IP in general, is always handled by the Home Agent. This makes the HA, in both public and private form, the most important element in IP address assignment process in the Mobile IP VPN service.

After the MS is authenticated with the PDSN, it can request either static or dynamic IP addresses from its HA. The HA returns the IP address to be used by the MS in the Mobile IP Registration Reply message, which is forwarded to the MS by the PDSN. As outlined previously, this address may be either publicly routable or provided from the private address space at the discretion of the wireless carrier (in the case of the private HA VPN option) or a private network (in the case of the public HA VPN option). Multiple, overlapping private addresses are supported by the PDSN per the TIA [IS835] standard, as long as the addresses from each individual HAs are unique and nonoverlapping. Another useful option that further distinguishes Mobile IP address assignment capabilities from Simple IP is the ability to support multiple IP addresses in the MS to support multiple communications sessions between the MS and its private network (somewhat similar to the concept of multiple PDP contexts support in GPRS and UMTS networking).

If the MS requires an access to a private home address, then it has to negotiate reverse tunneling as described in [RFC2344]. As a result, the PDSN forms a logical association that contains the R-P Session ID, the mobile station's home address, and the Home Agent address. When the PDSN receives a packet for a registered mobile station from the HA, the PDSN maps the mobile station's HA address and the home address to one association, and transmits the packet on the R-P connection indicated by the R-P Session ID of the association.