<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 2.6.10) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-grayson-distributed-roaming-mobility-00" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="Dist-Roam-Mob">Distributed Roaming and Mobility Problem Statement</title>

    <author initials="M." surname="Grayson" fullname="Mark Grayson">
      <organization>Cisco Systems</organization>
      <address>
        <postal>
          <street>10 New Square Park</street>
          <city>Feltham</city>
          <code>TW14 8HA</code>
          <country>UK</country>
        </postal>
        <email>mgrayson@cisco.com</email>
      </address>
    </author>

    <date year="2025" month="October" day="17"/>

    <area>general</area>
    <workgroup>DMM Working Group</workgroup>
    <keyword>Distributed Mobility</keyword> <keyword>Roaming</keyword> <keyword>Server Initiated</keyword>

    <abstract>


<?line 63?>

<t>This document describes the problem statement for enabling roaming
across a distributed set of heterogeneous wireless access networks.</t>



    </abstract>



  </front>

  <middle>


<?line 68?>

<section anchor="intro"><name>Introduction</name>

<t>Mobility management and roaming are core capabilities of the wireless ecosystem.
Whereas the topic of mobility management has often been focused on the
functionality deployed in public macro cellular networks, that provide service over
wide geographic areas to millions of subscribers, there is increasing interest in
how to integrate wide area public macro cellular systems with small, localized, distributed private
wireless network deployments. This document describes the challenges with scaling the roaming
signaling between these different distributed networks.</t>

<section anchor="Terminology"><name>Terminology</name>

<t>To Be Completed</t>

</section>
</section>
<section anchor="roamarch"><name>Roaming Architectures</name>
<t>Roaming signaling is sent between a wireless access network
and an identity provider to enable the authentication and authorization of an identity provider
end-user onto the third-party operated wireless access network.</t>

<t>Conventionally, roaming architectures have relied on hierarchical schemes to support roaming signaling.
For example, the eduroam system described in <xref target="RFC7593"/> scales by having a hierarchy that includes national proxies and global proxies, as illustrated in <xref target="fig-eduroam"/>.</t>

<figure title="Hierarchical Approach for Roaming across the eduroam federation" anchor="fig-eduroam"><artwork><![CDATA[
+-----+     +----------+     +--------+     +----------+     +-----+
| SP  |<--->| National |<--->| Global |<--->| National |<--->| IdP |
|     |     | Proxy    |     | Proxy  |     | Proxy    |     |     |
+-----+     +----------+     +--------+     +----------+     +-----+
]]></artwork></figure>

<t>Existing 4G roaming solutions are based on a similar hop-by-hop approach. Intermediaries,
that may include Roaming Hubs, IPX and Roaming Value Added Services (RVAS) terminate
roaming signaling and re-establish signaling between the next hop system, as illustrated
in <xref target="fig-lteroam"/>.</t>

<figure title="Hierarchical Approach for Roaming across the public 4G Networks" anchor="fig-lteroam"><artwork><![CDATA[
+---------+    +---------+    +-----+    +---------+    +---------+
| Visited |    |         |    |     |    | Roaming |    | Home    |
| Public  |<-->| Roaming |<-->| IPX |<-->| Value   |<-->| Public  |
| Mobile  |    | Hub     |    |     |    | Added   |    | Mobile  |
| Network |    |         |    |     |    | Service |    | Network |
+---------+    +---------+    +-----+    +---------+    +---------+
]]></artwork></figure>

</section>
<section anchor="scaling"><name>Scaling Roaming Signaling</name>

<t>The GSMA (www.gsma.com) has been successful in scaling roaming between over 800 public cellular operators.
However, how to scale roaming signaling for the switch to small, localized, distributed networks is still a significant issue.</t>

<t>One key aspect of scaling private networks is related to the dimensioning of inter-connected signaling that is a function of the geographical coverage of the private wireless access network and the number of subscribers served by a particular identity provider. Public cellular networks provide nationwide coverage to 10s of millions of subscribers. Such scale drives significant roaming signaling traffic between cellular providers that enable assumptions related to longevity of signaling connections to be embedded into technical procedures that support bidirectional signaling between all public cellular operators. In contrast, early data from the Wireless Broadband Alliance (WBA) on adoption of its OpenRoaming federation <xref target="I-D.draft-tomas-openroaming"/>, a system designed to operate with private wireless networks, indicates that dimensioning in private deployments may be as low as one thousandth of that experienced by a conventional public cellular network.</t>

<t>With some forecasting 1 million private cellular networks by the end of the decade <xref target="RCRWIRELESSNEWS"/>, a thousand times the current number of public cellular networks, we can anticipate the future scalability challenges of being able to support 1000 times more networks, each with 1/1000th of the signaling load.</t>

</section>
<section anchor="Flattening"><name>Flattening Roaming Hierarchies</name>

<t>In contrast to traditional hierarchical approaches to roaming signaling, recent developments
have seen a switch to flattened architectures. For example, the OpenRoaming federation
<xref target="I-D.draft-tomas-openroaming"/> uses Dynamic Peer Discovery for RADIUS/TLS <xref target="RFC7585"/> to enable
a flattened architecture with roaming signaling sent directly between the OpenRoaming Access Network Provider (ANP) and the OpenRoaming Identity Provider (IDP), as illustrated in <xref target="fig-orarch"/>.</t>

<figure title="OpenRoaming Federation" anchor="fig-orarch"><artwork><![CDATA[
+----------+                                +----------+
| Access   |                                | Identity |
| Network  |<-----------RadSec------------->| Provider |
| Provider |                                |          |
+----------+                                +----------+

]]></artwork></figure>

<t>5G has introduced a new Service Based Architecture (SBA) that  avoids strict signaling hierarchies. Instead, SBA allows signaling consumers to communicate with different signaling producers.
From a roaming perspective, the 5G system has been enhanced whereby there is a direct TLS signaling exchange between Security
Edge Protection Proxies (SEPP), deployed by both home and visited networks, used to exchange the SBA-based signaling.</t>

<figure title="5G Roaming Architecture" anchor="fig-5garch"><artwork><![CDATA[
 +-----------+  +---------+       +---------+  +---------+
 | 5G Access |  | Visited |       | Home    |  | 5G Core |
 | Network   |--| SEPP    |-------| SEPP    |--| Network |
 +-----------+  +---------+       +---------+  +---------+
                      |                |
                      |<------TLS----->|  
i) visited            |                |
   initiated  ------->|--------------->|------>                          
   SBA signaling     |                |        ii) home
              <-------|<---------------|<------     initiated
                                                    SBA signaling
]]></artwork></figure>

<t>Furthermore, whereas 5G Release 15 introduced the concept of Non Public Networks (NPN)
into the 5G architecture (https://www.3gpp.org/technologies/npn), 3GPP Release 16
saw the introduction of Standalone NPN Cellular Hotspots <xref target="_3GPPTS22261"/>.</t>

<t>An SNPN Cellular Hotspot refers to a connectivity hotspot based on 3GPP 5G network
technology that provides services in a similar way to those provided by Wi-Fi hotspots. Charging requirements are considered out of scope for this functionality.</t>

<t>Requirements for SNPN Cellular Hotspots include the ability of a Hotspot
to interconnect with a large number of identity providers, termed SNPN Credential Providers.</t>

</section>
<section anchor="Bi-Di"><name>Bi-Directional Roaming signaling</name>

<t>Roaming signaling used to interconnect wireless access networks with identity provider networks
is used to authenticate credentials presented by devices and authorize
access onto the specific wireless network. Even if the provision of the wireless service is monetized
by some alternative value chain other than charging the end-user, roaming signaling
usually includes accounting messages.</t>

<t>While authentication, authorization and accounting messages can be described as access network
originated signaling, there are typically requirements for roaming systems to support
identity provider initiated signaling. For example, if the end-user is being charged, there
can be an identity provider initiated signaling to indicate that the user has consumed all
their available credit. In other roaming systems, identity provider initiated signaling can be used to
signal a first wireless access network that a user previously authenticated and authorized to access
via this first wireless access network has moved and is now being served by a second wireless
access network.</t>

</section>
<section anchor="enterprise"><name>Enterprise networks</name>

<t>All wireless access networks need to configure their perimeter firewall functions to enable roaming
signaling to be exchanged between the wireless access network and the identity provider.
In public cellular systems, the GSMA is responsible for operating the IR.21 roaming database,
used to exchange the IP address ranges used by each operator for connection to the IPX <xref target="GSMAIR21"/>.
IP address information for equipment such as Mobility Management Entities (MMEs), Serving Gateways (SGWs), Security Edge Protection Proxies (SEPPs), User Plane Functions (UPFs) and AAA Servers is exchanged
allowing the recipient to use such information to configure firewall and/or border gateway functions.</t>

<t>In contrast to a centralized database approach that can scale to 100s of public cellular operators,
there is no organization responsible for maintaining a centralized registry of signaling systems
used to support roaming onto small, localized, distributed, private networks. Instead, in private networks, firewall rules are often configured to permit outbound signaling from enterprise-specific functions while prohibiting signaling originating from unknown endpoints on the Internet. While able to support access network provider
initiated roaming signaling, such a configuration will block any identity provider initiated roaming signaling, as illustrated in <xref target="fig-entfw"/>.</t>

<figure title="Private Enterprise Firewall Configuration" anchor="fig-entfw"><artwork><![CDATA[
+----------+     +------------+                   +----------+
| Wireless |     | Enterprise |                   | Identity |
| Network  |-----| Firewall   |-------------------| Provider |
+----------+     +------------+                   +----------+
i) Access              |
   Network ----------->|------------------------->
   Initiated           |
                       |                           ii) Identity
                       |x<------------------------     Provider
                       |                               Initiated

]]></artwork></figure>

</section>
<section anchor="Server"><name>The Server-Initiated Roaming Challenge</name>

<t>In order to avoid the need to operate a central database for roaming onto
small, localized, distributed, private wireless network deployments, roaming signaling
needs to accommodate the typical enterprise firewall configurations that block
server-initiated signaling.</t>

<section anchor="Transport"><name>Roaming Transport Alternatives</name>

<t>The challenge of how to support server push based signaling across firewall deployments is well understood.
Roaming signaling is exchanged using a range of different transports:</t>

<t><list style="symbols">
  <t>Wi-Fi Networks typically authenticate users using RADIUS <xref target="RFC2865"/> based signaling. More recently, Wi-Fi roaming is increasingly adopting RadSec to secure roaming signaling using secured sessions mutually authenticated using X.509v3 PKI certificates <xref target="RFC6614"/>.</t>
  <t>4G Networks typically authenticate users using Diameter <xref target="RFC6733"/> based signaling. <xref target="_3GPPTS29272"/> specifies the S6a reference point. The S6a interface protocol is an IETF vendor specific Diameter application, where the Diameter application identifier assigned to the application is 16777251. The S6a interface is protected by using 3GPP defined Security Gateways (SEG) used to establish and maintain IPsec secured ESP Security Association in tunnel mode between security domains <xref target="_3GPPTS33210"/>.</t>
  <t>5G Service Based Architecture allows signaling consumers to communicate with different signaling producers. SBA defines the use of RESTful APIs transported using HTTP/2 defined methods like GET, POST and PATCH. The 5G System also introduces the Security Edge Protection Proxy (SEPP). The SEPP sits at the perimeter of the 5G public cellular network. The 5G N32 interface is defined by 3GPP for use between two SEPPs to ensure the HTTP/2 messages can be securely exchanged. First, N32 control signaling is exchanged to establish N32 forwarding. The N32 forwarding operates by taking the HTTP/2 Request or Response messages that need to be exchanged between operators and encoding the HTTP/2 header frames and data frames in JSON.</t>
</list></t>

</section>
<section anchor="Solutions"><name>Supporting server-initiated messages</name>

<t>Looking at current solutions for supporting server-initiated messages with these different transports:</t>

<t><list style="symbols">
  <t>IETF RADEXT has identified the challenge of how a home RADIUS server can send Change of Authorization (CoA) packets to a Network Access Server (NAS) which is behind a firewall or NAT gateway. <xref target="I-D.draft-ietf-radext-reverse-coa"/> defines a "reverse change of authorization (CoA)" path for RADIUS packets, allowing a home RADIUS server to send CoA packets in "reverse" down a RADIUS/TLS connection that was previously established by an access network originated signaling exchange.</t>
  <t>3GPP is discussing architectural enhancements to support SNPN Cellular Hotspots in 5G. Discussions highlight that in current N32 SBA architecture, the HPLMN initiated signaling to a callback URI may require a separate access network firewall rule configuration. Proposals include studying enhancements to N32 that permit the server initiated signaling towards an SNPN to reuse the same outbound socket as SNPN-initiated signaling towards the server so as to minimize the firewall and border gateway configuration of the SNPN.</t>
  <t>There are no standard Diameter protocol technique that allows a server-initiated message to reuse an existing SCTP or TLS connection from the Diameter server to the Diameter client in a way that avoids the client operator having to configure firewall rules for inbound traffic.</t>
</list></t>
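
<t>The enterprise firewall behaviour and the outbound-socket reuse discussed above can be modelled as a connection-tracking table. The following Python sketch is an added example and is not part of the original draft or of any referenced specification; the class and function names, addresses, ports and the 60-second idle timeout are constructed assumptions. It shows that identity provider initiated signaling is dropped when it arrives as a new connection, is permitted when it reuses the flow opened by the access network, and is dropped again once that flow has been idle for longer than the firewall's state timeout.</t>

<figure><artwork><![CDATA[
```python
"""Connection-tracking model of an enterprise firewall carrying roaming signaling.

Added illustration only: every address, port and timer below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

IDLE_TIMEOUT = 60.0           # assumed: seconds of silence before state is discarded
ANP = ("10.0.0.5", 49152)     # constructed: access network signaling client
IDP = ("203.0.113.10", 2083)  # constructed: identity provider signaling server


@dataclass
class StatefulFirewall:
    """Permits outbound flows from known inside hosts; inbound only on live flows."""
    inside: set                                        # enterprise signaling hosts
    flows: Dict[Tuple[Endpoint, Endpoint], float] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # Discard state for flows that have been silent longer than IDLE_TIMEOUT.
        stale = [k for k, seen in self.flows.items() if now - seen > IDLE_TIMEOUT]
        for key in stale:
            del self.flows[key]

    def outbound(self, src: Endpoint, dst: Endpoint, now: float) -> str:
        """Access network initiated signaling: allowed, and the flow is tracked."""
        if src[0] not in self.inside:
            return "drop"
        self._expire(now)
        self.flows[(src, dst)] = now
        return "allow"

    def inbound(self, src: Endpoint, dst: Endpoint, now: float) -> str:
        """Inbound traffic passes only if it matches a live outbound flow."""
        self._expire(now)
        key = (dst, src)              # flows are keyed from the inside host outwards
        if key not in self.flows:
            return "drop"
        self.flows[key] = now         # traffic in either direction refreshes state
        return "allow"


def figure_scenarios() -> dict:
    """Replay the two cases of the enterprise firewall figure, plus socket reuse."""
    fw = StatefulFirewall(inside={ANP[0]})
    return {
        # i) access network initiated request and its response
        "anp_request": fw.outbound(ANP, IDP, now=0.0),
        "idp_response": fw.inbound(IDP, ANP, now=0.2),
        # ii) identity provider opens a brand-new connection towards the ANP
        "idp_new_connection": fw.inbound((IDP[0], 40000), (ANP[0], 3799), now=5.0),
        # identity provider sends "in reverse" down the flow the ANP opened
        "idp_reverse_on_same_socket": fw.inbound(IDP, ANP, now=30.0),
    }


def reverse_after_idle(send_at: float, keepalive_every: Optional[float]) -> str:
    """Verdict for a reverse message sent at send_at seconds after flow setup.

    keepalive_every is the interval at which the access network sends traffic
    on the flow, or None if the flow is left silent.
    """
    fw = StatefulFirewall(inside={ANP[0]})
    fw.outbound(ANP, IDP, now=0.0)
    if keepalive_every:
        t = keepalive_every
        while t < send_at:
            fw.outbound(ANP, IDP, now=t)
            t += keepalive_every
    return fw.inbound(IDP, ANP, now=send_at)


if __name__ == "__main__":
    for name, verdict in figure_scenarios().items():
        print(f"{name:28s} {verdict}")
    print("reverse at 300 s, silent flow   ", reverse_after_idle(300.0, None))
    print("reverse at 300 s, 30 s keepalive", reverse_after_idle(300.0, 30.0))
```
]]></artwork></figure>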

</section>
</section>
<section anchor="Problem"><name>Problem Statement</name>

<t>The problems that can be addressed with DMM are summarized as follows:</t>

<t>PS1: Re-using outbound sockets when roaming with 5G Service Based Architecture</t>

<t>PS2: Re-using outbound sockets when roaming with 4G Diameter Based Architecture</t>

</section>
<section anchor="Security"><name>Security Considerations</name>

<t>To Be Completed</t>

</section>
<section anchor="IANA"><name>IANA Considerations</name>
<t>To Be Completed</t>

</section>


  </middle>

  <back>




    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC2865">
  <front>
    <title>Remote Authentication Dial In User Service (RADIUS)</title>
    <author fullname="C. Rigney" initials="C." surname="Rigney"/>
    <author fullname="S. Willens" initials="S." surname="Willens"/>
    <author fullname="A. Rubens" initials="A." surname="Rubens"/>
    <author fullname="W. Simpson" initials="W." surname="Simpson"/>
    <date month="June" year="2000"/>
    <abstract>
      <t>This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="2865"/>
  <seriesInfo name="DOI" value="10.17487/RFC2865"/>
</reference>
<reference anchor="RFC6614">
  <front>
    <title>Transport Layer Security (TLS) Encryption for RADIUS</title>
    <author fullname="S. Winter" initials="S." surname="Winter"/>
    <author fullname="M. McCauley" initials="M." surname="McCauley"/>
    <author fullname="S. Venaas" initials="S." surname="Venaas"/>
    <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
    <date month="May" year="2012"/>
    <abstract>
      <t>This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6614"/>
  <seriesInfo name="DOI" value="10.17487/RFC6614"/>
</reference>
<reference anchor="RFC6733">
  <front>
    <title>Diameter Base Protocol</title>
    <author fullname="V. Fajardo" initials="V." role="editor" surname="Fajardo"/>
    <author fullname="J. Arkko" initials="J." surname="Arkko"/>
    <author fullname="J. Loughney" initials="J." surname="Loughney"/>
    <author fullname="G. Zorn" initials="G." role="editor" surname="Zorn"/>
    <date month="October" year="2012"/>
    <abstract>
      <t>The Diameter base protocol is intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications such as network access or IP mobility in both local and roaming situations. This document specifies the message format, transport, error reporting, accounting, and security services used by all Diameter applications. The Diameter base protocol as defined in this document obsoletes RFC 3588 and RFC 5719, and it must be supported by all new Diameter implementations. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6733"/>
  <seriesInfo name="DOI" value="10.17487/RFC6733"/>
</reference>
<reference anchor="RFC7593">
  <front>
    <title>The eduroam Architecture for Network Roaming</title>
    <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
    <author fullname="S. Winter" initials="S." surname="Winter"/>
    <author fullname="T. Wolniewicz" initials="T." surname="Wolniewicz"/>
    <date month="September" year="2015"/>
    <abstract>
      <t>This document describes the architecture of the eduroam service for federated (wireless) network access in academia. The combination of IEEE 802.1X, the Extensible Authentication Protocol (EAP), and RADIUS that is used in eduroam provides a secure, scalable, and deployable service for roaming network access. The successful deployment of eduroam over the last decade in the educational sector may serve as an example for other sectors, hence this document. In particular, the initial architectural choices and selection of standards are described, along with the changes that were prompted by operational experience.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7593"/>
  <seriesInfo name="DOI" value="10.17487/RFC7593"/>
</reference>
<reference anchor="RFC7585">
  <front>
    <title>Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)</title>
    <author fullname="S. Winter" initials="S." surname="Winter"/>
    <author fullname="M. McCauley" initials="M." surname="McCauley"/>
    <date month="October" year="2015"/>
    <abstract>
      <t>This document specifies a means to find authoritative RADIUS servers for a given realm. It is used in conjunction with either RADIUS over Transport Layer Security (RADIUS/TLS) or RADIUS over Datagram Transport Layer Security (RADIUS/DTLS).</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7585"/>
  <seriesInfo name="DOI" value="10.17487/RFC7585"/>
</reference>

<reference anchor="I-D.draft-tomas-openroaming">
   <front>
      <title>WBA OpenRoaming Wireless Federation</title>
      <author fullname="Bruno Tomas" initials="B." surname="Tomas">
         <organization>Wireless Broadband Alliance, Inc.</organization>
      </author>
      <author fullname="Mark Grayson" initials="M." surname="Grayson">
         <organization>Cisco Systems</organization>
      </author>
      <author fullname="Necati Canpolat" initials="N." surname="Canpolat">
         <organization>Intel Corporation</organization>
      </author>
      <author fullname="Betty A. Cockrell" initials="B. A." surname="Cockrell">
         <organization>SingleDigits</organization>
      </author>
      <author fullname="Sri Gundavelli" initials="S." surname="Gundavelli">
         <organization>Cisco Systems</organization>
      </author>
      <date day="16" month="September" year="2025"/>
      <abstract>
	 <t>   This document describes the Wireless Broadband Alliance&#x27;s OpenRoaming
   system.  The OpenRoaming architectures enables a seamless onboarding
   experience for devices connecting to access networks that are part of
   the federation of access networks and identity providers.  The
   primary objective of this document is to describe the protocols that
   form the foundation for this architecture, enabling providers to
   correctly configure their equipment to support interoperable
   OpenRoaming signalling exchanges.  In addition, the topic of
   OpenRoaming has been raised in different IETF working groups, and
   therefore a secondary objective is to assist those discussions by
   describing the federation organization and framework.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-tomas-openroaming-06"/>
   
</reference>

<reference anchor="I-D.draft-ietf-radext-reverse-coa">
   <front>
      <title>Reverse Change-of-Authorization (CoA) in RADIUS/(D)TLS</title>
      <author fullname="Alan DeKok" initials="A." surname="DeKok">
         <organization>InkBridge</organization>
      </author>
      <author fullname="Vadim Cargatser" initials="V." surname="Cargatser">
         <organization>Cisco</organization>
      </author>
      <date day="27" month="August" year="2025"/>
      <abstract>
	 <t>   This document defines a &quot;reverse Change-of-Authorization (CoA)&quot; path
   for RADIUS packets.  A TLS connection is normally used to forward
   request packets from a client to a server and to send responses from
   the server to the client.  This specification allows a server to send
   CoA request packets to the client in &quot;reverse&quot; down that connection,
   and for the client to send responses to the server.  Without this
   capability, it is in general impossible for a server to send CoA
   packets to a Network Access Server (NAS) that is located behind a
   firewall or NAT.  This reverse CoA functionality extends the
   available transport methods for CoA packets, but it does not change
   anything else about how CoA packets are handled.

   This document updates RFC8559.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-radext-reverse-coa-08"/>
   
</reference>

<reference anchor="RCRWIRELESSNEWS" target="https://www.rcrwireless.com/20210127/5g/million-private-5g-networks-in-europe-vodafone">
  <front>
    <title>A million private 5G networks by 2030? A million just in Europe, says Vodafone</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="_3GPPTS22261" target="https://www.3gpp.org/ftp/Specs/archive/22_series/22.261/22261-jc0.zip">
  <front>
    <title>Service requirements for the 5G system</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="_3GPPTS29272" target="https://www.3gpp.org/ftp/Specs/archive/29_series/29.272/29272-j30.zip">
  <front>
    <title>Evolved Packet System (EPS); Mobility Management Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="_3GPPTS33210" target="https://www.3gpp.org/ftp/Specs/archive/33_series/33.210/33210-j20.zip">
  <front>
    <title>Network Domain Security (NDS); IP network layer security</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="GSMAIR21" target="https://www.gsma.com/newsroom/wp-content/uploads//IR.21-v17.0-2.pdf">
  <front>
    <title>GSM Association Roaming Database, Structure and Updating</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>


    </references>




  </back>


</rfc>

