Cisco Cisco Packet Data Gateway (PDG)
• Change of Authorization: The system supports CoA messages from the AAA server to change data
filters associated with a subscriber session. The CoA request message from the AAA server must contain
attributes to identify NAS and the subscriber session and a data filter ID for the data filter to apply to
the subscriber session.
attributes to identify NAS and the subscriber session and a data filter ID for the data filter to apply to
the subscriber session.
• Disconnect Message: The DM message is used to disconnect subscriber sessions in the system from a
RADIUS server. The DM request message should contain necessary attributes to identify the subscriber
session.
session.
The above extensions can be used to dynamically re-direct subscriber PDP contexts to an alternate address
for performing functions such as provisioning and/or account set up. This functionality is referred to as Session
Redirection, or Hotlining.
for performing functions such as provisioning and/or account set up. This functionality is referred to as Session
Redirection, or Hotlining.
Session redirection provides a means to redirect subscriber traffic to an external server by applying ACL rules
to the traffic of an existing or a new subscriber session. The destination address and optionally the destination
port of TCP/IP or UDP/IP packets from the subscriber are rewritten so the packet is forwarded to the designated
redirected address.
to the traffic of an existing or a new subscriber session. The destination address and optionally the destination
port of TCP/IP or UDP/IP packets from the subscriber are rewritten so the packet is forwarded to the designated
redirected address.
Return traffic to the subscriber has the source address and port rewritten to the original values. The redirect
ACL may be applied dynamically by means of the Radius Change of Authorization (CoA) extension.
ACL may be applied dynamically by means of the Radius Change of Authorization (CoA) extension.
For more information on dynamic RADIUS extensions support, refer CoA, RADIUS, And Session
Redirection (Hotlining) in this guide.
Redirection (Hotlining) in this guide.
Important
IP Security (IPSec)
IP Security provides a mechanism for establishing secure tunnels from mobile subscribers to pre-defined
endpoints (i.e. enterprise or home networks) in accordance with the following standards:
endpoints (i.e. enterprise or home networks) in accordance with the following standards:
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header (AH)
• RFC 2406, IP Encapsulating Security Payload (ESP)
• RFC 2409, The Internet Key Exchange (IKE)
• RFC-3193, Securing L2TP using IPSEC, November 2001
IP Security (IPSec) is a suite of protocols that interact with one another to provide secure private
communications across IP networks. These protocols allow the system to establish and maintain secure tunnels
with peer security gateways.
communications across IP networks. These protocols allow the system to establish and maintain secure tunnels
with peer security gateways.
IPSec tunnel supports AAA and DHCP address overlapping. Address overlapping is meant for multiple
customers using the same IP address for AAA/DHCP servers. The AAA and DHCP control messages are sent
over IPSec tunnels and AAA/DHCP packets required to be encrypted are decided as per the ACL configuration
done for specific session.
customers using the same IP address for AAA/DHCP servers. The AAA and DHCP control messages are sent
over IPSec tunnels and AAA/DHCP packets required to be encrypted are decided as per the ACL configuration
done for specific session.
For more information on IPSec configuration, refer HNB-GW Service Configuration section. Refer to the
StarOS IP Security (IPSec) Reference for additional information.
StarOS IP Security (IPSec) Reference for additional information.
Important
HNB-GW Administration Guide, StarOS Release 19
46
HNB Gateway in Wireless Network
IP Security (IPSec)