Introduction
The concurrent evolution of computing, microelectronics, wireless data technologies, and the Internet has given rise to a new trend in global telecommunications: data mobility. There are now about 100 million hosts connected to the Internet, and this number is almost doubling yearly. With mobile subscribers expected to surpass one billion by 2003 (about half of them business users worldwide), wireless data is a communications technology whose time is fast approaching. These skyrocketing subscriber numbers, combined with recent technology advances, are generating fast-growing interest in the emerging Third Generation (3G) wireless data standards, which among other things specify the higher data rates necessary for wireless traffic. As this technology converges with the exponential growth of the Internet, network-based Mobile Virtual Private Networks (VPNs) will become the major enabling technology for communicating business information over public networking infrastructures. Indeed, businesses today already look to wireless carriers for Mobile VPNs (and other value-added IP services) as they attempt to cope with global on-demand communications, complex applications, productivity requirements, and shortages of IT talent. In the next few years, an enormous market opportunity clearly awaits wireless carriers who can meet demands for such advanced services. Two wireless packet data technologies, General Packet Radio Service (GPRS), a packet data overlay to the existing GSM and TDMA networks, and Universal Mobile Telecommunication System (UMTS), the next generation of GSM/GPRS technologies, are central to the ability to provide high-speed Mobile VPNs. These technologies provide the architectural framework necessary for private mobile communications through the public Internet. This paper will focus on Mobile VPN services, comparing and contrasting circuit and packet approaches to wireless data.
It also will examine the design and implementation of Mobile VPNs within GPRS and UMTS cellular systems.
Existing wireless packet data technologies that address these and other problems are largely similar in concept and are based on various tunneling mechanisms. (See Figure 1.) In all of them, tunnels are dynamically established between the mobile node's temporary point of attachment to the Internet and its home network (where the user is logically assigned the IP address). An alternative approach terminates tunnels at an intermediate gateway node that acts as an anchor point. User packets may then either be tunneled back to the home network (using another tunnel or a link-layer technology) or delivered directly to a local interface for forwarding. As mobile nodes dynamically change their points of attachment to the network (traveling through a certain area of the country from Mobile Switching Center (MSC) to MSC, for example), tunnels are dynamically established between the home and visited networks.
Mobile VPNs
Today's growing mobile workforce and its attendant requirements for remote data access are forever changing the telecommunications industry. Telemetry and other untethered equipment, traveling sales forces, field maintenance crews, telecommuters, and other mobile professionals are driving demand for secure, anytime/anywhere access to corporate intranets, databases, and e-mail servers. In this new environment, productivity gains (or losses) will be directly linked to the information delivery process. In the roughly ten years since their emergence, data VPNs typically have been implemented at the data link layer using Frame Relay and ATM networking technologies. Now VPN services based on IP and the use of the Internet are quickly gaining public interest and market acceptance. VPNs are evolving from voice to data services and from wireline to wireless data networks. Like traditional VPNs, IP VPNs use shared facilities to emulate private networks and deliver reliable, secure services to end users. Mobile IP VPNs, which must provide these services over wireless media, also use IP tunneling technologies. (See Figure 2.) GPRS- and UMTS-based VPNs use a combination of the GPRS Tunneling Protocol (GTP) on the dynamic mobile tunnel side and IETF-defined tunneling protocols on the fixed side. The business benefits of deploying Mobile VPNs (MVPNs) are numerous. MVPNs provide remote workers with constant, media-independent connectivity to corporate sites or to the ISPs and ASPs of their choice. MVPNs also enable businesses and ISPs to outsource mobile remote access, thereby eliminating the costs of purchasing and supporting the infrastructure while maintaining full control over address assignment, user authentication, and security. In this way, corporations can leverage the Internet to provide anytime/anywhere, secure connectivity to remote offices, SOHOs, mobile employees, e-commerce and extranet business partners over public network infrastructure.
By enabling always-on connectivity, MVPNs also have the potential to enhance relationships with customers, business partners, and suppliers through sharing information in real time.
While voluntary tunneling provides a simple, secure end-to-end solution for access to private networks, it also adds encapsulation overhead over last-hop wireless links, which is a less efficient and more costly use of radio resources. In volume-based charging scenarios, for instance, such overhead could significantly increase corporate costs for remote connectivity. Voluntary tunneling carries a number of other drawbacks as well. For example, it requires that mobile nodes be given public addresses allowing end-to-end transparent IP connectivity. In addition, it requires complex encryption and decryption algorithms, which can increase the complexity and cost of mobile devices, which typically have low processing power and are often limited by battery power consumption. Also, with voluntary tunneling, applications that need to inspect or modify encapsulated packets will be unable to get access to user traffic. This means that QoS solutions, traffic-shaping mechanisms, monitoring equipment and firewalls will fail to perform their functions, and encapsulated (secured) packets cannot be rewritten by Network Address Translation (NAT). Network-based compulsory tunneling, on the other hand, provides a better foundation for MVPN solutions. (See Figure 4.) This tunneling approach assumes that the intelligence and functionality necessary for deploying MVPNs resides in the wireless operator's network infrastructure rather than in the mobile devices. It also assumes that the air interface owned by the wireless carrier is secure. With compulsory tunneling, network components such as access servers and gateways (not the mobiles) initiate tunnels, which typically terminate at the private network. Compulsory tunnels can be shared by multiple subscribers and can remain active even when no subscriber transactions are in progress (thus placing less burden on the computing and routing infrastructure).
The compulsory approach to tunneling also assumes the existence of proper agreements between corporations or ISPs and wireless operators. Service Level Agreements (SLAs) address the business relationships between service providers and corporations, while the Security Associations (SAs) or shared secrets used to generate IP Security (IPSec) session keys address the technical relationships. IPSec is a group of RFCs (RFC 2401 and companion documents) dealing with the secure encapsulation of IP traffic. Compulsory tunnels established through the public Internet require protection through authentication and encryption. This protection, however, need not be extended through the radio link but can be implemented between the tunnel end points only. Security in this scenario is likely to be based on IPSec, and will include mechanisms for distributing keys such as the Internet Key Exchange (IKE - RFC 2409).
To implement MVPNs capable of supporting services on a large scale, wireless data infrastructures will require a new class of platforms that fully comply with 3G and 2.5G wireless standards. Such systems will provide the critical ability to rapidly address demands for business-class IP services. The SpringTide 7000 Wireless IP Service Switch addresses these requirements by leveraging a service-intelligent architecture, multi-protocol tunnel switching and true virtual routing. This platform will enable wireless carriers to deliver the industry's broadest portfolio of highly available IP services, including Mobile Virtual Private Networks.
Wireless data platforms such as the GGSN can be implemented either on general-purpose, non-real-time computing platforms with software routing capability, such as Unix-based solutions, or on dedicated routing platforms such as Remote Access Servers (RAS), routers, and IP service switches.
2000 Lucent Technologies, Inc.
RAS devices are used to aggregate low-speed connections such as modem or ISDN calls from the PSTN and a small number of T1s or T3s. A typical RAS is designed to handle a specific number of sessions, physically limited by a known number of interfaces with a known maximum throughput. RASs are relatively costly in that they employ resource allocation strategies and operating systems that generally are not optimized for efficient routing and tunneling support. General-purpose routers, in turn, have traditionally been designed to communicate dynamically with large numbers of networks via a limited number of individual connections. In today's networks, IP router designs are optimized for use in dynamic clustered topologies that scale overall system performance by adding interconnected routers, rather than by scaling the number of connections to a specific router. Router designs were never intended to terminate tens (or even hundreds) of thousands of simultaneous individual connections, PPP sessions, tunnels or tunneling sessions.
In contrast, general routing is a time-consuming, complex process in which devices map each packet to a specific context based on the identity of the ingress port. The packet is marked with a label describing it as a member of a particular context. It is then handed off over a shared PCI bus to a general-purpose processor, which recognizes the packet as a routing update. The processor then runs an algorithm to rebuild the entire routing table for every routing context within the entire switch, paying attention to the context labels.
case, mobile VPN users access corporate networks by first attaching to the GPRS network and then initiating PPP sessions and specifying Access Point Names (APNs). Once the PDP context is active, control of the communication session is passed to the L2TP Access Concentrator (LAC) supported by the GGSN, which triggers the establishment of an L2TP connection to the corporate L2TP Network Server (LNS) and performs GTP-to-L2TP tunnel switching. Newly attached users can share previously established L2TP tunnels by creating new L2TP sessions within those pre-established tunnels. If no such tunnel exists, a new tunnel is created. The GGSN/LAC then uses the L2TP control connection to establish an L2TP call (an L2TP tunnel to carry PPP) between the LAC and the LNS. Using the services of the corporate AAA system (e.g. RADIUS), the LNS authenticates the mobile user. Following authentication, an IP address is assigned to the mobile using IPCP or another address assignment mechanism. For corporate network management purposes, using private corporate intranet IP addresses is preferable; it also conserves the carrier's limited number of public Internet addresses. Such communications, like the security arrangements, are governed by SLAs or are defined between a GGSN/LAC and the corporate-based LNS. (See Figure 9.) In compulsory service operations, the wireless operator assigns APN network identifiers to corporations according to certain rules. The APNs are used by the SGSN to select the GGSN to be addressed for a specific group of corporate mobile users. Using locally stored data, or IP roaming mechanisms that require LACs to query AAA subsystems using the mobile user's Network Access Identifier (NAI), the GGSN determines the IP addresses of the GGSNs/LACs to which mobile users will be attached.
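The attach-to-address-assignment sequence described above, modelled as an added Python example (not Lucent's or SpringTide's code): an operator-provisioned APN table selects the LNS, the GGSN/LAC reuses an existing L2TP tunnel to that LNS and only adds a session, the LNS checks the user against a corporate RADIUS-style server (with RFC 2865 User-Password hiding under the shared secret), and an address is handed out from the corporate private pool. The class names, APN table, pool and sample users are all constructed here and are not part of the paper.

```python
import hashlib, hmac, ipaddress, itertools, os
from dataclasses import dataclass, field

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks; each block is XORed
    with MD5(secret + previous ciphertext block), the first with the authenticator."""
    p = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out += prev
    return out

class RadiusServer:
    """Corporate AAA (constructed): shared secret plus a user->password store."""
    def __init__(self, secret: bytes, users: dict):
        self.secret, self.users = secret, users
    def access_request(self, user: bytes, authenticator: bytes, hidden: bytes) -> bool:
        expected = self.users.get(user)
        if expected is None:
            return False            # unknown user: Access-Reject
        return hmac.compare_digest(hide_password(self.secret, authenticator, expected), hidden)

class LNS:
    """Corporate L2TP Network Server: authenticates via RADIUS, then assigns a
    private intranet address (the IPCP step) from the corporate pool."""
    def __init__(self, name: str, radius: RadiusServer, pool: str):
        self.name, self.radius = name, radius
        self.free = iter(ipaddress.ip_network(pool).hosts())
    def authenticate_and_assign(self, user: bytes, password: bytes):
        ra = os.urandom(16)         # per-request Request Authenticator
        hidden = hide_password(self.radius.secret, ra, password)
        if not self.radius.access_request(user, ra, hidden):
            return None
        return str(next(self.free))

@dataclass
class Tunnel:
    tunnel_id: int
    lns: LNS
    sessions: dict = field(default_factory=dict)   # session id -> (IMSI, IP)

class GGSN_LAC:
    """GGSN with LAC function: APN -> LNS mapping is operator-provisioned, so the
    mobile cannot pick its own tunnel endpoint; one tunnel per LNS, many sessions."""
    def __init__(self, apn_table: dict):
        self.apn_table, self.tunnels = apn_table, {}
        self._tid, self._sid = itertools.count(1), itertools.count(1)
    def activate_pdp_context(self, imsi: str, apn: str, user: bytes, password: bytes):
        lns = self.apn_table.get(apn)
        if lns is None:
            return None             # APN not provisioned for any corporation
        tun = self.tunnels.get(lns.name)
        if tun is None:             # no tunnel to this LNS yet: set one up
            tun = self.tunnels[lns.name] = Tunnel(next(self._tid), lns)
        ip = lns.authenticate_and_assign(user, password)
        if ip is None:
            return None             # LNS rejected the user; tunnel stays up
        sid = next(self._sid)
        tun.sessions[sid] = (imsi, ip)
        return {"tunnel": tun.tunnel_id, "session": sid, "ip": ip}
```

The second user of the same APN lands in the existing tunnel as a new session, while a bad password or an unprovisioned APN yields no session at all.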
The services and functions of virtual routers available individually to each of the hundreds of virtual GGSNs provisioned in the SpringTide 7000 Wireless include:
- IP routing over varied protocols (RIP, OSPF, BGP-4, etc.)
- Route policies over high-speed cell or packet media
- GTP/PPP session termination
- GTP/IP session termination
- PPP tunneling (PPTP and L2TP) initiation and termination
- RADIUS client
- LDAP client (for directory-enabled policy and service attainment)
- QoS-enabled forwarding (both DiffServ and ATM CoS)
- Stateful firewall (as well as basic packet filtering)
- IPSec tunnel initiation and termination
- NAT/PT
- MPLS LER
- DHCP Relay Agent
- VLAN (802.1Q)
Some of the advantages of the SpringTide 7000 Wireless-based VPN solution are:
- Management Flexibility: The VR model provides complete separation of software stack, management MIBs, routing and forwarding tables. This approach provides complete privacy for network management functionality, an important feature for wireless carriers serving business customers. Since each virtual GGSN has its own SNMP MIB, administrative access to individual virtual GGSNs can be isolated.
- Directory Driven Model: The SpringTide's service definition is directory based. The directory-based approach is highly scalable and easy to deploy, since any change needs to be made in only a single place.
- Customized Services: The directory-based policy model and fine-grained identification of user and/or application flows allow the service provider (SP) to customize services not only per VPN customer but also per application for a VPN customer. For example, the SP can offer additional services to VPN customers such that certain traffic flows (applications) are strongly encrypted.
In addition, the wireless carrier can leverage other Lucent GGSN features such as traffic engineering capabilities, the directory-based model, and subscriber management features to increase revenue and reduce operational cost. (See Figure 10.)
Conclusion
In summary, virtual router approaches provide the multiple functions of a traditional GGSN, B-RAS, ATM edge routers, customer premises VPN appliances, firewalls, and QoS/MPLS-enabled routers, among others. Virtual routing-based MVPNs utilizing the SpringTide 7000 Wireless effectively allow wireless operators to deploy any of the existing GPRS and UMTS VPN options without the drawbacks associated with the individual technologies.
Glossary
3G: Third Generation
3GPP: 3rd-Generation Partnership Project
AAA: Authentication, Authorization, Accounting
ATM: Asynchronous Transfer Mode
AuC: Authentication Center
BLST: Board Level Self Test
BS: Base Station
BTS: Base station Transceiver System
CDMA: Code Division Multiple Access
CGF: Charging Gateway Function
EDGE: Enhanced Data rates through Global Evolution
EIR: Equipment Identity Register
ETSI: European Telecommunications Standards Institute
GGSN: Gateway GPRS Support Node
GPRS: General Packet Radio Service
GSM: Global System for Mobile Communications
GTP: GPRS Tunneling Protocol
HLR: Home Location Register
IETF: Internet Engineering Task Force
IMEI: International Mobile Equipment Identity
IMSI: International Mobile Subscriber Identity
IMT-2000: International Mobile Telecommunications 2000
IPSec: IP security
ISP: Internet Service Provider
ITU: International Telecommunication Union
LCS: Location Services
L2TP: Layer 2 Tunneling Protocol
LAC: L2TP Access Concentrator
LAN: Local Area Network
LNS: L2TP Network Server
MAN: Metropolitan Area Network
MAP: Mobile Application Part
MSC: Mobile-services Switching Center
NodeB: UMTS BaseStation
OA&M: Operations, Administration and Maintenance
PLMN: Public Land Mobile Network
PDP: Packet Data Protocol
PSTN: Public Switched Telephone Network
PVC: Permanent Virtual Circuit
QoS: Quality of Service
RA: Routing Area
RADIUS: Remote Authentication Dial-in User Service
RAS: Remote Access Server
RNC: Radio Network Control
RNS: Radio Network Subsystem
SGSN: Serving GPRS Support Node
SIM: Subscriber Identity Module
SMS: Short Message Service
SRNS: Serving RNS
SVC: Switched Virtual Circuit
TCP: Transmission Control Protocol
TIA: Telecommunication Industry Association
TDD: Time Division Duplex
TDM: Time Division Multiplex
TDMA: Time Division Multiple Access
UCR: UTRA/cdma2000 Radio
UCU: UTRA Channel Unit
UDP: User Datagram Protocol
UE: User Equipment
URC: Universal Radio Controller
USIM: User Service (or Subscriber) Identity Module
UMTS: Universal Mobile Telecommunications System
UTRA: UMTS Terrestrial Radio Access
UTRAN: UMTS Terrestrial Radio Access Network
VLR: Visitor Location Register
VPN: Virtual Private Network
WAN: Wide Area Network
WAP: Wireless Access Protocol
WCDMA: Wideband Code Division Multiple Access
SpringTide 7000 is a trademark of SpringTide Networks, Inc. All other trademarks, registered trademarks, service names, product and/or brand names are the sole property of their respective owners. This document is for planning purposes only and is not intended to modify or supplement any specifications or warranties relating to these products and services. Entire contents copyrighted by Lucent Technologies, Inc. Unauthorized redistribution electronic or otherwise, without prior written approval of Lucent Technologies, Inc. is prohibited by law. Requests for permission to copy or distribute, Lucent Technologies, Inc. Three Clock Tower Place, Maynard, MA 01754. To learn more, contact your Lucent Technologies representative, authorized reseller or sales agent. Or, visit our Web site at www.lucent.com. Specifications subject to change without notice.
05-GPRS601