Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
MME in LTE/SAE Wireless Data Services
Features and Functionality - Base Software ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22938-01
2. Key agreement: Performs key agreement by, generating the cipher key; and generating the integrity key.
3. Protection: When the AKA procedure is performed it protects, the integrity of messages; confidentiality of
3. Protection: When the AKA procedure is performed it protects, the integrity of messages; confidentiality of
signalling data; and confidentiality of user data
HSS Support Over S6a Interface
Provides a mechanism for performing Diameter-based authorization, authentication, and accounting (AAA) for
subscriber bearer contexts based on the following standards:
subscriber bearer contexts based on the following standards:
3GPP TS 23.401 V8.1.0 (2008-03): 3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial
Radio Access Network (E-UTRAN) access (Release 8)
Radio Access Network (E-UTRAN) access (Release 8)
3GPP TS 29.272 V8.1.1 (2009-01): 3rd Generation Partnership Project; Technical Specification Group Core
Network and Terminals; Evolved Packet System (EPS); Mobility Management Entity (MME) and Serving
GPRS Support Node (SGSN) related interfaces based on Diameter protocol (Release 8)
GPRS Support Node (SGSN) related interfaces based on Diameter protocol (Release 8)
3GPP TS 33.401 V8.2.1 (2008-12): 3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3GPP System Architecture Evolution (SAE): Security Architecture; (Release 8)
RFC 3588, Diameter Base Protocol, December 2003
The S6a protocol is used to provide AAA functionality for subscriber EPS Bearer contexts through Home Subscriber
Server (HSS).
Server (HSS).
During the initial attachment procedures the MME sends to the USIM on AT via the HSS the random challenge
(RAND) and an authentication token AUTN for network authentication from the selected authentication vector. At
receipt of this message, the USIM verifies that the authentication token can be accepted and if so, produces a response.
The AT and HSS in turn compute the Cipher Key (CK) and Integrity Key (IK) that are bound to Serving Network ID.
During the attachment procedure the MME requests a permanent user identity via the S1-MME NAS signaling interface
to eNodeB and inserts the IMSI, Serving Network ID (MCC, MNC) and Serving Network ID it receives in an
Authentication Data Request to the HSS. The HSS returns the Authentication Response with authentication vectors to
MME. The MME uses the authentication vectors to compute the cipher keys for securing the NAS signaling traffic.
(RAND) and an authentication token AUTN for network authentication from the selected authentication vector. At
receipt of this message, the USIM verifies that the authentication token can be accepted and if so, produces a response.
The AT and HSS in turn compute the Cipher Key (CK) and Integrity Key (IK) that are bound to Serving Network ID.
During the attachment procedure the MME requests a permanent user identity via the S1-MME NAS signaling interface
to eNodeB and inserts the IMSI, Serving Network ID (MCC, MNC) and Serving Network ID it receives in an
Authentication Data Request to the HSS. The HSS returns the Authentication Response with authentication vectors to
MME. The MME uses the authentication vectors to compute the cipher keys for securing the NAS signaling traffic.
At EAP success, the MME also retrieves the subscription profile from the HSS which includes QoS information and
other attributes such as default APN name and SGW/PGW fully qualified domain names.
other attributes such as default APN name and SGW/PGW fully qualified domain names.
Among the AAA parameters that can be configured are:
Authentication of the subscriber with HSS
Subscriber location update/location cancel
Update subscriber profile from the HSS
Priority to dictate the order in which the servers are used allowing for multiple servers to be configured in a
single context
Routing Algorithm to dictate the method for selecting among configured servers. The specified algorithm
dictates how the system distributes AAA messages across the configured HSS servers for new sessions. Once a
session is established and an HSS server has been selected, all subsequent AAA messages for the session will
be delivered to the same server.
session is established and an HSS server has been selected, all subsequent AAA messages for the session will
be delivered to the same server.