
1 Subject:Femto Network Gateway (FNG) Architecture Date: 15 October 2007 Source: Airvana Contact: Baw Ch’ng, Minsh Den, Woojune Kim, Doug Knisely, Balaji.


1 Subject: Femto Network Gateway (FNG) Architecture
Date: 15 October 2007
Source: Airvana
Contact: Baw Ch’ng, Minsh Den, Woojune Kim, Doug Knisely, Balaji Raghothaman {baw, mden, wkim, dknisely, braghothaman}@airvana.com

cdma2000® is the trademark for the technical nomenclature for certain specifications and standards of the Organizational Partners (OPs) of 3GPP2.

Airvana, Inc., grants a free, irrevocable license to 3GPP2 and its Organizational Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner's name any Organizational Partner's standards publication even though it may include all or portions of this contribution; and at the Organizational Partner's sole discretion to permit others to reproduce in whole or in part such contribution or the resulting Organizational Partner's standards publication. Airvana, Inc., is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.

This document has been prepared by Airvana, Inc., to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on Airvana, Inc. Airvana, Inc., specifically reserves the right to amend or modify the material contained herein and to any intellectual property of Airvana, Inc., other than provided in the copyright statement above.

2 Focus of Contribution (1)
[Diagram: femtocells (home base stations) reach the Femto Network Gateway (FNG) over cable, DSL or other broadband Internet service and the public Internet; the FNG fronts the operator’s core network (“The Phone Network” and packet data services).]
Femtocell (home base station):
– Radio interface to mobile devices
– Interface to the broadband Internet
– Management capabilities
– Security against tampering
– Security for data transport
Femto Network Gateway (FNG):
– Firewall/security from public Internet
– Security for data transport to femtos
– Scalability to support large numbers of femtos
– Scalability toward Core Network
– Topology hiding
Operator’s Core Network:
– Existing circuit or IP-based telephony services
– Supplementary Services (e.g., SMS)
– Emergency Services, etc.
– Packet Data Services

3 Focus of Contribution (2)
Packet Data Service architectures also fall into two broad categories:
– Legacy Packet Data Service architecture: legacy IOSs (e.g., A10/A11 from the femtocell to the legacy PDSN)
– All-IP Packet Data Service architecture: most PDS Termination (PDST) functions performed in the femtocell; FNG follows a PDIF-like architecture and interfaces to the Packet Data Core Network

4 Outline
Femto Network Gateway (FNG) Architecture
Tunnel Structure
– Tunnels for 1x Voice
Femto/FNG Packet Data Services Functional Split
FNG Packet Data Services
– Simple IP, Mobile IP, Proxy-MIP
Authentication
– Femto device, A12, and user authentications
QoS
Accounting
A-Interface Proxy Functions
Detailed Call Flows

5 Conceptual Deployment Model
[Diagram labels: Security; Scalability; Efficiency; NAT Traversal; Very large number of femtocells]

6 Femto Network Gateway Architecture (1)
What is the Femto Network Gateway (FNG) Architecture?
– PDIF-like architecture that provides highly scalable:
  Secure access to core network services from untrusted networks
  Mobility support
  QoS support
  Accounting support
  NAT traversal support
– … and addresses femto network specific scalability issues:
  Concentrator or Proxy functions to allow a large number of femtocells to inter-operate with legacy macro and core network elements not originally designed to interface with a large number of other network elements.
  Example: A13 Proxy. FNG proxies A13 interfaces from femtocells so a macro RNC needs to deal with only one A13 interface proxy instead of one million A13 interfaces from one million femtocells.
Re-use existing PDIF standards and protocols
Re-use existing A13, A16-A19, A21 standards and protocols

7 Femto Network Gateway Architecture (2)
[Diagram labels: Home Router / Residential Gateway; NAT/Firewall]
PDIF-like secure access architecture
IKEv2 & IPSec provide authentication, security, and NAT traversal support

8 Common Aspects of Femto Networks (Technology Independent)
[Diagram labels: Femtocell; Public Internet; Legacy Circuit Network; Packet Data Services; Femto Network Gateway; Operator’s Core Network; Packet Data Traffic; Circuit Traffic]
Secure IPSec tunnels for signaling, voice, and packet data

9 Tunnel Structure (1)
[Diagram only]

10 Tunnel Structure (2)
“Base-Tunnel”
– For signaling
“1xVoice-Tunnel”
– For 1x voice transported over RTP
“Data-Tunnel”
– For user packet data
– Per-user tunnels consistent with PDIF model

11 Tunnels for 1x Voice
“Base-Tunnel”
– Used for SIP signaling
– Tunnel Inner Address (TIA) is the SIP UA’s address
“1xVoice-Tunnel”
– Used for RTP-transported 1x voice traffic
– Tunnel Inner Address (TIA) is the RTP media termination point’s address
– Separate streams using different port numbers
Motivation to use separate tunnels for signaling and media traffic
– Support differentiated QoS without running into the IPSec “anti-replay window” issue

12 “Base” and “1xVoice” Tunnel Setup
PDIF-like IPSec tunnel setup
Separate IKE sessions for “Base” and “1xVoice” tunnels
– Future optimization: setting up the “1xVoice” tunnel as a child of the “Base” tunnel
Re-use existing PDIF tunnel setup call flow

13 All-IP PDST/FNG-Based Femto Network Architecture for 1x and DO Packet Services
[Diagram labels: EV-DO VoIP capable EV-DO Device; Legacy 1x Device; 1xRTT; Femto Network Gateway (FNG); SIP/IMS Core; IP Core Network; HA; IPSec Tunnels; Femto; MGW; RTP; SIP; Internet; (Proxy-) MIP; IP in IPSec]
Femtocell (PDST) functions:
– Terminate 1x Packet Data Service Option (SO33)
– Provides NULL 1x PCF function
– Provide EV-DO Packet Data Service termination
– Terminate PPP
– ROHC (for DO VoIP)
– Authentication Agent for PDS-AAA
– Accounting Agent
– AN-AAA authentication agent for EV-DO (AN-AAA)
– Exchange IP packets within IPSec with FNG
FNG functions:
– IPSec Terminations
– Proxy (mux/demux) functions for scalability:
  Access Authentication (AN-AAA) – IKE to Radius Proxy
  A13/A16 for EV-DO handoff
  A21 (optional; required only if A21-based handoff is chosen)
  AAA for accounting (more details to follow…)

14 Femto Network Gateway Functions (1)
Security
– Security for Core Network (firewall function)
– Security for User Media (encrypted tunnel function, i.e., IPSec)
Authentication
– Facilitate Femtocell Device Authentication
– Facilitate EV-DO Terminal Authentication
– Facilitate Packet Data User Authentication
Mobility
– Packet Data IP Layer (L3) Mobility
  MIP-FA (v4) and Attendant (v6)
  Simple IP (v4 & v6)
  Proxy-MIP (v4 & v6) support
– Packet Data Link Layer (L2) Mobility
  “A-Interface Proxy” functions for A13, A16(-A19), A21

15 Femto Gateway Functions (2)
Billing and Accounting
– IP level accounting performed by FNG
– Aggregates air link accounting information from femtocells
– Generates accounting records for AAA
QoS
– IP level traffic profile transfer and enforcement

16 Femtocell and FNG Functional Split
Functionality: Femtocell and FNG Division of Responsibility
– PPP and ROHC: PPP terminated by femtocell; ROHC performed by femtocell.
– IPSec: IPSec tunnels terminated by femtocell and FNG.
– Mobility: MIP-FA and PMIP mobility agent functionalities in FNG.
– Authentication: Mutual authentication between femtocell and FNG. A12 Terminal Authentication via IKE/EAP relay through FNG. PPP-CHAP/PAP user authentication via IKE/EAP relay through FNG. Mobile IP user authentication done as part of the MIP Registration process through the MIP-FA in FNG.
– Accounting: Air link accounting done by femtocell, which relays accounting records to FNG. FNG does IP level accounting and provides AAA with consolidated accounting records.
– QoS policy enforcement: Airlink QoS handled by femtocell. IP level reverse link QoS handled by femtocell. IP level forward link QoS handled by FNG.
– IP routing: When reverse tunneled (P)MIP is required, user traffic is always routed through PDIF.

17 FNG Packet Data – Simple IP
[Diagram only]

18 FNG Packet Data – Client Mobile IP
[Diagram only]

19 FNG Packet Data – Proxy Mobile IP
[Diagram only]

20 Authentication (1)
Have to account for
– Femto-FNG mutual authentication
– A12 Terminal Authentication with AN-AAA (omitted for 1x)
– Packet data user authentication
Use IKE Multiple-Authentication
– Use one IKE session to perform multiple authentications:
  Femto-FNG mutual authentication
  A12 Terminal Authentication with AN-AAA (omitted for 1x)
  Packet data user authentication
– References: X50-20070212-016 (WLAN Enhancement) and RFC 4739
– Already approved for PDIF

21 Authentication (2)
[Diagram only]

22 Authentication – High Level Call Flow: Simple IP / Proxy-MIP
[Call flow diagram only]

23 Authentication – High Level Call Flow: Mobile IP (MIP-FA Mode)
[Call flow diagram only]

24 All-IP PDST/FNG-Based Femto Network QoS, Policy, and Accounting Architecture for Packet Services
[Diagram labels: EV-DO VoIP capable EV-DO Device; Legacy 1x Device; 1xRTT; Femto Network Gateway (FNG); IP Core Network; HA; IPSec Tunnel(s); Femto; Internet; AAA; Airlink Accounting (Radius); IP Usage Accounting (Radius); PCRF; Policy (Ty)]

25 Packet Data QoS Support
QoS:
– During authentication, FNG receives the QoS Profile from AAA (common for PDIF)
– FNG shares the QoS Profile with the femtocell (required whenever the RNC function is in the femtocell)
– EV-DO multi-flow QoS is implemented in the femtocell
  Terminates RSVP-like protocol; passes packet filters to FNG for enforcement on forward traffic and for accounting purposes
  Femtocell implements EV-DO over-the-air QoS as part of its RNC/air interface functions

26 Packet Data QoS Support
Air Link QoS
– Enforced in femtocell
– Has a dependency on the QoS Profile
  Today, the user’s QoS Profile is obtained from AAA
– FNG needs to transfer the QoS Profile to the femtocell
  QoS Profile to be transferred during user authentication
  In the future, expect to obtain the QoS profile through the Ty interface from PCRF
Backhaul/IP Level QoS
– Enforced by both femtocell and FNG
  Femtocell enforces QoS on the up link
  FNG enforces QoS on the down link
– Both femtocell and FNG must be aware of and enforce the user’s QoS Profile

27 QoS Support and IPSec Tunnels
In theory
– Need one IPSec tunnel per user per QoS class to support differentiated QoS and to avoid the IPSec “anti-replay attack window” issue
In practice
– Expect to maintain only two QoS classes on the backhaul
  One for “delay sensitive” traffic (e.g., for EV-DO VoIP)
  One for “best effort” traffic (e.g., everything else)
– Use child tunnels (child SAs) to accommodate QoS-differentiated tunnels
QoS Management over Untrusted Backhaul:
– Femtocell establishes IPSec child tunnels as needed for differentiated QoS
– Femtocell performs packet filtering and mapping to IPSec tunnels for reverse traffic
– FNG performs packet filtering and mapping to IPSec tunnels for forward traffic
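The “anti-replay window” issue that motivates separate tunnels on slides 11 and 27 is easy to see in simulation. The added Python example below (not part of the Airvana contribution) models an ESP receiver’s sliding anti-replay window and a backhaul scheduler that forwards delay-sensitive packets ahead of best-effort ones; with one SA the reordering pushes best-effort packets outside the window and they are dropped, while one child SA per QoS class keeps each sequence space in order. The DSCP-based classifier, window size and traffic mix are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field

EF_DSCP = 46  # Expedited Forwarding, the usual marking for voice-class traffic (assumed classifier input)


def qos_class(dscp: int) -> str:
    """Map a packet's DSCP onto the two backhaul classes the slides expect (constructed rule)."""
    return "delay_sensitive" if dscp == EF_DSCP else "best_effort"


@dataclass
class ReplayWindow:
    """Receiver-side anti-replay state of one ESP SA (sliding window in the style of RFC 4303)."""
    size: int = 64
    top: int = 0                              # highest sequence number accepted so far
    seen: set = field(default_factory=set)    # accepted sequence numbers still inside the window

    def accept(self, seq: int) -> bool:
        """True if seq is new and not older than the window; False means the packet is dropped."""
        if seq > self.top:
            self.top = seq                    # window slides forward
        elif seq <= self.top - self.size or seq in self.seen:
            return False                      # fell off the window, or a duplicate/replay
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.top - self.size}
        return True


def simulate(dscps, be_delay, separate_sas, window=64):
    """Sender numbers packets per SA in send order; the scheduler forwards delay-sensitive
    packets at once and holds best-effort ones for `be_delay` slots. Returns receiver drops."""
    next_seq, in_flight = {}, []
    for t, dscp in enumerate(dscps):
        cls = qos_class(dscp)
        sa = cls if separate_sas else "shared"    # one child SA per class, or one SA for everything
        next_seq[sa] = next_seq.get(sa, 0) + 1
        arrive = t + (be_delay if cls == "best_effort" else 0)
        in_flight.append((arrive, sa, next_seq[sa]))
    in_flight.sort(key=lambda p: p[0])            # stable sort: ties keep send order
    windows, dropped = {}, 0
    for _, sa, seq in in_flight:
        if not windows.setdefault(sa, ReplayWindow(window)).accept(seq):
            dropped += 1
    return dropped


# Constructed traffic: every fourth packet is EF-marked voice, the rest best effort.
SAMPLE_DSCPS = [EF_DSCP if i % 4 == 0 else 0 for i in range(200)]

if __name__ == "__main__":
    print("single SA drops:", simulate(SAMPLE_DSCPS, be_delay=100, separate_sas=False))
    print("per-class child SA drops:", simulate(SAMPLE_DSCPS, be_delay=100, separate_sas=True))
```

Shrinking the delay below the window size makes the single-SA drops disappear, which is why the slide frames the problem as a window issue rather than a bandwidth one.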

28 Packet Data Accounting Support
Prepaid, Rescinding of Services, etc., performed by the Radius interface between AAA and FNG
– Re-use from PDIF; may need to supplement some features that have not been specified for PDIF yet
FNG has AAA interface for basic usage accounting
– Re-use from PDIF
Air-link accounting comes from AAA client in femtocell
– Standard Radius interface
– FNG provides proxy mux/demux function for scalability

29 Secure A-Interface Proxy Functions
Certain A-interfaces are terminated by macro RAN elements that are not meant to scale to a very large number of peers
– E.g., “hundreds” instead of “millions” of A-interface peers
These macro RAN elements are deployed in the operator’s secure, private networks
– Should not allow elements coming from the public Internet to interface with macro RAN elements directly
Use mux/demux “proxies” to solve scalability and security issues for femtos to inter-operate with macro RAN elements using (proxied) A-interfaces

30 Secure A13 Proxy Architecture
[Diagram labels: FNG]
Appear to Macro EV-DO RNC as one EV-DO Subnet
A16(-A19) treatment is similar

31 Secure A21 Proxy Architecture
Appear to Macro BSC as one A21 interface

32 FNG Architecture Recap
[Diagram only]

33 Thank you!
Specific details on the proposed femto network architecture, Stage 2 description, and high-level call flows can be found in Airvana contributions to TSG-A and TSG-X:
– A40-20070723-006_Airvana_Femto Overview Architecture and Stage 2 Aspects R2 0 Final.pdf
– X10-20070723-012_Airvana_Femto Overview Architecture and Stage 2 Aspects R2 0 Final.pdf
– X30-20070723-043 Airvana_Femto Overview Architecture and Stage 2 Aspects R2 0 Final.pdf
– X50-20070723-030 Airvana_Femto Overview Architecture and Stage 2 Aspects R2 0 Final.pdf

34 Backup

35 Detailed Call Flows – Tunnel Setup (1)
Femto-FNG mutual authentication
A12 Terminal Authentication (optional, omitted for 1x)
[Call flow diagram only]

36 Detailed Call Flow – Tunnel Setup (2)
Simple IP user authentication & PMIP (continued from previous slide)
[Call flow diagram; columns: AT, Femto, FNG, HA]

37 Detailed Call Flow – Tunnel Setup (3)
Mobile IP user authentication (continued from slide before last)
[Call flow diagram; columns: AT, Femto, FNG, HA]

38 Detailed Call Flow – Tunnel Disconnect (1)
[Call flow diagram only]

39 Detailed Call Flow – Tunnel Disconnect (2)
[Call flow diagram only]

40 Detailed Call Flow – Tunnel Disconnect (3)
[Call flow diagram only]

