OPTIMIZING FAST RE-AUTHENTICATION ON EPDG
Publication Date: 2015-Aug-04
The IP.com Prior Art Database
Thanigai Murugan Kadiresan: AUTHOR [+2]
A solution is provided for a fast re-authentication process on an Evolved Packet Data Gateway (ePDG) that reuses the IP address a User Equipment (UE) already obtained during the preceding session setup. With this proposed solution, the existing General Packet Radio Service (GPRS) Tunneling Protocol (GTP) context on the S2b interface, which was created earlier with full authentication, is not disturbed and is retained while the fast re-authentication is performed. At the end of the authentication process, the AAA server sends an additional attribute carrying the generated fast re-authentication ID to the ePDG as part of the ACCESS-ACCEPT message. Once the ePDG receives this fast re-authentication ID in the ACCESS-ACCEPT message, it maintains a mapping of this identity to the session. On a subsequent fast re-authentication, as mandated by the standard, the UE sends the fast re-authentication ID generated in the previous authentication process. The ePDG can then find the existing session by looking up the UE-sent fast re-authentication ID in the mapping that it maintains. ePDG is being widely deployed in multiple operator networks, and this solution helps save resources and optimize the ePDG.
Thanigai Murugan Kadiresan Souxav Laskar
CISCO SYSTEMS, INC.
Copyright 2015 Cisco Systems, Inc.
Fast re-authentication is an authentication exchange based on temporary identifiers derived from a preceding full authentication exchange. In an ePDG scenario, the UE always initiates a new Internet Protocol Security (IPsec) tunnel request for all its fast re-authentication requests (see, e.g., 3GPP TS 33.402 V12.5.0, Section 8.2.3). Unless the ePDG has a means to identify the fast re-authentication as part of an existing session, a new GTP context will be created on the S2b interface with the Packet Data Network (PDN) Gateway (PGW). As part of the new GTP tunnel creation with the ePDG, the PGW may have to assign a different IP address to the UE, unless it has some external means to identify the new GTP context with some existing PGW session. Even if this were possible, it would lead to unnecessary use of resources on the S2b interface side.
This solution claims that fast re-authentication can be limited only to signaling on IPsec and that there need not be any changes on the S2b interface. The same IP address can be retained by the UE on the new re-authentication IPsec tunnel as well.
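The mapping described above, sketched as an added example (not code from the disclosure or from any ePDG product). Class and method names, the SPI and TEID fields, and the rules that a used ID is retired and that the tunnel is rebound only once the ACCESS-ACCEPT arrives are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    imsi: str        # permanent identity from the full authentication
    ue_ip: str       # address assigned by the PGW at session setup
    gtp_teid: int    # S2b GTP context created with full authentication
    ipsec_spi: int   # current IPsec tunnel towards the UE

class EpdgSessionTable:
    def __init__(self):
        self._by_reauth_id = {}  # fast re-auth ID -> Session
        self._pending = {}       # new tunnel SPI -> candidate Session

    def on_full_auth_accept(self, session, reauth_id):
        """ACCESS-ACCEPT after full authentication carries the ID."""
        self._by_reauth_id[reauth_id] = session

    def on_ike_auth_identity(self, new_spi, identity):
        """UE opened a new IPsec tunnel: is the identity a known ID?"""
        session = self._by_reauth_id.get(identity)
        if session is not None:
            # Assumption: presenting the ID only marks a candidate; a
            # replayed or guessed ID must not move the session by itself.
            self._pending[new_spi] = session
        return session is not None

    def on_reauth_accept(self, new_spi, used_id, next_id):
        """ACCESS-ACCEPT for the re-auth: rebind IPsec, keep GTP and IP."""
        session = self._pending.pop(new_spi, None)
        if session is None or self._by_reauth_id.get(used_id) is not session:
            return None
        del self._by_reauth_id[used_id]        # assumption: used ID retired
        self._by_reauth_id[next_id] = session  # ID from this ACCESS-ACCEPT
        session.ipsec_spi = new_spi            # S2b side is not touched
        return session

    def on_reauth_reject(self, new_spi):
        """AAA rejected: drop the candidate, existing session unchanged."""
        self._pending.pop(new_spi, None)

def demo():
    # Constructed sample values, not taken from any real network.
    table = EpdgSessionTable()
    s = Session("001010000000001", "10.0.0.5", 0x1001, 0xAAAA)
    table.on_full_auth_accept(s, "reauth-id-1")
    table.on_ike_auth_identity(0xBBBB, "reauth-id-1")
    return table.on_reauth_accept(0xBBBB, "reauth-id-1", "reauth-id-2")
```
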
While other solutions have been proposed, these proposed solutions have at least the following limitations.
1. The UE can send its existing IP address in the config request payload of Internet Key Exchange Authentication (IKE_AUTH). With this approach, the existing session can be found if the ePDG keeps an IP address to subscriber session mapping. However, the standard does not mention whether the UE should send its existing X...