Evolved Packet Data Gateway Overview
Features and Functionality
ePDG Administration Guide, StarOS Release 17
communicates with the OCSP responder. If the responder details are absent from the certificate (they are normally carried in the Authority Information Access extension), the ePDG configuration is used to obtain them instead. The OCSP client (ePDG) talks to the OCSP responder over HTTP, establishing a TCP socket connection to it. The OCSP responder communicates with the associated CA (certification authority) and returns the certificate revocation status, which can be "good", "revoked" or "unknown". The ePDG treats "unknown" the same as "revoked", so only an explicit "good" status lets the call proceed. When the OCSP response reaches the ePDG, it first validates that the response was produced by a genuine entity (that is, that the response signature verifies) and only after that validation examines the certificate status. If the certificate status is "good", the ePDG proceeds with device authorization.
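The OCSP decision just described, as an added example built from the openssl command line (this is not Cisco's or StarOS's code). It runs entirely offline: a throw-away CA issues UE certificates whose SUBJECT/CN carries a made-up IMSI, OCSP requests are answered from a hand-written revocation index so that "good", "revoked" and "unknown" can each be produced, the response signature is verified against the trusted CA before its status is believed, and the status is then mapped to an authorization decision that fails closed on anything other than "good". The CA, the IMSIs, the serial numbers and the index are constructed test material; openssl's index.txt database format and its `-index`/`-reqin` responder mode are assumed to be available in the installed OpenSSL.

```shell
#!/bin/sh
# Added example, not Cisco/StarOS code: an offline OCSP check with the
# openssl CLI that mirrors the ePDG decision described in the text.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throw-away CA; it also signs its own OCSP responses here.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test ePDG CA" \
  -keyout ca.key -out ca.pem 2>/dev/null

issue() {  # issue <cn> <serial>: UE certificate with SUBJECT/CN = <cn>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -days 30 -out "$1.pem" 2>/dev/null
}
issue 001010123456789 1   # listed as valid (constructed IMSI)
issue 001010123456790 2   # listed as revoked
issue 001010123456791 3   # not listed at all -> responder answers "unknown"

# Revocation database in openssl's index.txt format (V = valid, R = revoked;
# tab-separated: status, expiry, revocation date, serial, file, subject).
printf 'V\t300101000000Z\t\t01\tunknown\t/CN=001010123456789\n'  > index.txt
printf 'R\t300101000000Z\t240101000000Z\t02\tunknown\t/CN=001010123456790\n' >> index.txt
echo 'unique_subject = no' > index.txt.attr

ocsp_status() {  # ocsp_status <cn>: prints good | revoked | unknown | error
  # Nonces are disabled because request, response and verification are
  # three separate openssl invocations here rather than one live exchange.
  openssl ocsp -issuer ca.pem -cert "$1.pem" -no_nonce -reqout "$1.req" >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -noverify \
    -reqin "$1.req" -respout "$1.resp" >/dev/null 2>&1
  # Verify the response signature against the trusted CA before believing
  # the status it carries; an unverifiable response is an error, never "good".
  if ! out=$(openssl ocsp -respin "$1.resp" -issuer ca.pem -cert "$1.pem" \
               -no_nonce -CAfile ca.pem 2>/dev/null); then
    echo error
    return 0
  fi
  echo "$out" | sed -n "s/^$1\.pem: //p"
}

authorize() {  # authorize <cn>: only an explicit "good" proceeds to device authorization
  case $(ocsp_status "$1") in
    good) echo accept ;;
    *)    echo reject ;;   # revoked, unknown and error all fail closed
  esac
}

for ue in 001010123456789 001010123456790 001010123456791; do
  printf '%s: ocsp=%s decision=%s\n' "$ue" "$(ocsp_status "$ue")" "$(authorize "$ue")"
done
```

The third certificate is the interesting one: the responder has no record of its serial, so it answers "unknown", and the policy rejects it exactly as it rejects "revoked". Verification is done with the CA certificate as the trust anchor; with a delegated responder certificate the `-CAfile` argument would need the chain that validates that signer instead.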
The ePDG expects the SUBJECT/CN field of the UE certificate to contain either the IMSI or an NAI; it treats the value as an NAI when it contains '@' and as an IMSI otherwise. The extracted CN is then compared with the identity in the IDi payload received from the UE in the IKE_AUTH_REQ message. This comparison exists because the certificate identity is the more reliable of the two, while the IKE_AUTH_REQ identity is the one that is bound into the AUTH payload verification, so the two must agree. The ePDG sends the NAI identity exactly as received in the IKE_AUTH_REQ message to the AAA server, and once the AAA server returns authorization success, the ePDG performs PGW selection and communicates with the PGW over the S2b interface to establish the call.
The IPsec subsystem complies with RFC 2560 (OCSP; since obsoleted by RFC 6960) and uses OpenSSL 0.9.7 for certificate-based authentication, so the ePDG inherently complies with the same.
The ePDG supports both UICC and non-UICC devices simultaneously on the same ePDG service. An ePDG service has a single crypto template associated with the service IP address, so the IPsec subsystem is enhanced to support multiple authentication methods per crypto template. The ePDG decides whether certificate-based authentication is to be used from the presence of the AUTH payload: if the AUTH payload is absent from the initial IKE_AUTH_REQ message, EAP-AKA based authentication is to be used (this is the standard IKEv2 signal for EAP, RFC 7296 section 2.16); if the AUTH payload is present together with a CERT payload, the certificate-based mechanism is to be used.
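The two checks described above, the authentication-method selection from the AUTH/CERT payloads and the earlier comparison of the certificate CN with the IDi payload, as one added Python example (this is not Cisco's or StarOS's code). It walks the generic payload headers of a decrypted IKE_AUTH request (the chain that sits inside the Encrypted payload once it has been decrypted), picks the method the way the guide describes, and for the certificate case compares the CN with the IDi identity. Assumptions beyond the text: an NAI is expected in IDi as ID_RFC822_ADDR and an IMSI as ID_KEY_ID, an AUTH payload without a CERT payload is rejected, and the sample messages are constructed rather than captured.

```python
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2)
PT_NONE, PT_IDI, PT_CERT, PT_AUTH = 0, 35, 37, 39
# IKEv2 Identification payload ID types (RFC 7296, section 3.5)
ID_RFC822_ADDR, ID_KEY_ID = 3, 11


def build_payload_chain(payloads):
    """Encode [(type, body), ...] as a chain of generic payload headers.
    Returns (first_payload_type, bytes); used here only to construct input."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return (payloads[0][0] if payloads else PT_NONE), out


def parse_payload_chain(first_type, data):
    """Walk the generic payload headers (Next Payload, C/RESERVED, Length)
    and return [(type, body), ...]. Every length is bounds-checked so a
    malformed chain raises instead of reading past the buffer."""
    payloads, ptype, off = [], first_type, 0
    while ptype != PT_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        payloads.append((ptype, data[off + 4:off + length]))
        off += length
        ptype = next_type
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


def select_auth_method(payloads):
    """No AUTH payload -> EAP-AKA; AUTH plus CERT -> certificate-based."""
    types = {ptype for ptype, _ in payloads}
    if PT_AUTH not in types:
        return "EAP-AKA"
    if PT_CERT in types:
        return "CERTIFICATE"
    # AUTH without CERT is outside the two cases the guide describes;
    # rejecting it is this example's choice, not documented ePDG behaviour.
    return "REJECT"


def classify_cn(cn):
    """'@' present -> NAI; otherwise the CN must look like an IMSI
    (digits only, at most 15 of them per 3GPP TS 23.003)."""
    if "@" in cn:
        return "NAI", cn
    if not cn.isdigit() or len(cn) > 15:
        raise ValueError("CN is neither an NAI nor an IMSI: %r" % cn)
    return "IMSI", cn


def identity_matches(cn, idi_body):
    """Compare the certificate CN with the IDi payload body
    (1 byte ID Type, 3 reserved bytes, identification data).
    Expecting NAI as ID_RFC822_ADDR and IMSI as ID_KEY_ID is an
    assumption of this example, not something the guide states."""
    if len(idi_body) < 4:
        return False
    kind, value = classify_cn(cn)
    id_type, id_data = idi_body[0], idi_body[4:]
    try:
        ident = id_data.decode("ascii")
    except UnicodeDecodeError:
        return False
    expected = ID_RFC822_ADDR if kind == "NAI" else ID_KEY_ID
    return id_type == expected and ident == value


def authorize_ike_auth(first_type, data, cert_cn):
    """Return (method, identity_ok) for a decrypted IKE_AUTH payload chain;
    identity_ok is None when no certificate is involved."""
    payloads = parse_payload_chain(first_type, data)
    method = select_auth_method(payloads)
    if method != "CERTIFICATE":
        return method, None
    idi = [body for ptype, body in payloads if ptype == PT_IDI]
    if len(idi) != 1:  # exactly one IDi is expected
        return method, False
    return method, identity_matches(cert_cn, idi[0])


def id_payload(id_type, ident):
    """Build an Identification payload body."""
    return bytes([id_type, 0, 0, 0]) + ident.encode("ascii")


# Constructed sample messages (not captured traffic): a certificate-based
# IKE_AUTH (IDi, CERT, AUTH) and an EAP-AKA one (IDi only, AUTH omitted).
CERT_FIRST, CERT_CHAIN = build_payload_chain([
    (PT_IDI, id_payload(ID_RFC822_ADDR, "ue1@example.org")),
    (PT_CERT, b"\x04" + b"\x30\x82\x01\x00"),       # encoding 4 = X.509, dummy DER prefix
    (PT_AUTH, b"\x01\x00\x00\x00" + b"\xaa" * 16),  # method 1 = RSA signature, dummy data
])
EAP_FIRST, EAP_CHAIN = build_payload_chain([
    (PT_IDI, id_payload(ID_RFC822_ADDR, "0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org")),
])

if __name__ == "__main__":
    print(authorize_ike_auth(CERT_FIRST, CERT_CHAIN, "ue1@example.org"))      # ('CERTIFICATE', True)
    print(authorize_ike_auth(CERT_FIRST, CERT_CHAIN, "mallory@example.org"))  # ('CERTIFICATE', False)
    print(authorize_ike_auth(EAP_FIRST, EAP_CHAIN, ""))                       # ('EAP-AKA', None)
```

The parser refuses truncated or over-long payload lengths rather than silently reading short, which is the property a gateway fronting untrusted UEs needs before it looks at any payload content; the CN check fails closed on a type or value mismatch, so a certificate issued for one subscriber cannot be presented together with another subscriber's IDi.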
OCSP communication is optional; if it is not configured, the ePDG validates the UE certificate against the configured CA certificates only.
Figure 7. Non-UICC device call flow
1. UE → ePDG: IKEv2 SA_INIT. The UE sends an IKE_SA_INIT Request (SA, KE, Ni payloads, NAT-Detection Notify).
2. ePDG → UE: IKEv2 SA_INIT RSP. The ePDG responds with an IKE_SA_INIT Response (SA, KE, Nr payloads, NAT-Detection Notify, [CERTREQ]).