ALCATEL-LUCENT lightRadio WI-FI WLAN GATEWAY
EVOLUTION OF THE ALCATEL-LUCENT 7750 SERVICE ROUTER TO SUPPORT WLAN GATEWAY FUNCTIONALITY
APPLICATION NOTE
TABLE OF CONTENTS
1. Leveraging Wi-Fi access technology
2. Introducing the WLAN Gateway
2.1 Aggregating and shaping Wi-Fi traffic
2.2 Enhanced subscriber management mechanisms
3. Thin pipe and fat pipe tunneling
3.1 Thin pipe tunneling
3.2 Fat pipe tunneling
4. WLAN service deployment scenarios
4.1 Layer 2 wholesale
4.2 Retail Wi-Fi service/Layer 3 wholesale
4.3 Cellular - Wi-Fi intermobility (cellular offload over Wi-Fi access)
5. Advanced WLAN Gateway functions
6. Conclusion
7. References
8. Acronyms
The Alcatel-Lucent lightRadio™ Wi-Fi® solution is a comprehensive solution for wireline
and wireless providers. Service providers, multiple service operators (MSOs), mobile
network operators (MNOs) and mobile virtual network operators (MVNOs) can leverage
both licensed spectrum with metro cells/small cells and unlicensed Wi-Fi spectrum to
expand their service footprints.
This paper describes the Alcatel-Lucent 7750 Service Router (SR) in its role as the
Alcatel-Lucent lightRadio Wi-Fi WLAN Gateway to leverage unlicensed Wi-Fi as an
access technology. The paper emphasizes the solution strategy, service deployment
scenarios and advanced Alcatel-Lucent 7750 SR capabilities that can further enrich
a Wi-Fi service offering.
1. LEVERAGING WI-FI ACCESS TECHNOLOGY
With high-speed connectivity at home and in the office, end users are increasingly seeking
the same connectivity experience while out in the community and on the road. The
introduction of new high-speed mobile data services such as Fourth Generation (4G)/long
term evolution (LTE) is the first step toward bridging this gap. Usage caps and costs
associated with mobile data plans have led end users to consider alternative solutions.
The increasingly wide availability of Wi-Fi in the home, at work and in restaurants and
other public areas has provided an avenue for end users to gain access to the bandwidth
that they expect on their mobile devices. However, access to Wi-Fi hotspots frequently
requires users to identify the local network, authenticate to it, and in many cases pay
fees to access it. The resulting service may offer varying levels of bandwidth capability,
quality and signal strength. When the user moves to a new location, the whole process
needs to be repeated.
In response to consumers’ expectations to always be connected, standards organizations
are working on specifications that allow wireline and wireless providers to use Wi-Fi
as an access technology to expand their service footprint. Fixed and mobile providers
now see the strategic importance of leveraging Wi-Fi access, with its low cost and use of
unlicensed spectrum, as a means of expanding service coverage, creating new services
and fostering brand loyalty. With trusted Wi-Fi, Wi-Fi hotspots can be integrated in the
fixed or mobile operator’s policy and accounting infrastructure. This integration allows
operators to maintain customer visibility on their networks and provide a seamless
Wi-Fi access experience to the end customer.
Alcatel-Lucent lightRadio Wi-Fi offers a comprehensive solution for wireline and wireless
providers to leverage Wi-Fi as an access technology, as shown in Figure 1. The Alcatel-Lucent
7750 SR is the WLAN Gateway (GW) or, to use Third Generation Partnership Project
[3GPP™] terminology, the Trusted Wireless Access Gateway (TWAG).
For more information on the Alcatel-Lucent lightRadio Wi-Fi solution, please visit:
www.alcatel-lucent.com/lightradio-wifi
The standards-based WLAN Gateway features of the Alcatel-Lucent 7750 SR build on
capabilities that have made the Alcatel-Lucent 7750 SR an industry-leading IP service edge
router. In particular, the Alcatel-Lucent 7750 SR is a leader as a modern Broadband Network
Gateway (BNG) for offering residential broadband services and as a mobile packet core -
Gateway General Packet Radio Service (GPRS) Support Node (GGSN) and LTE serving
gateway (SGW)/packet data network gateway (PGW) - platform for offering mobile broadband
services. These capabilities are now extended to provide WLAN Gateway functionality
for adding trusted Wi-Fi access to a wireline or wireless provider’s service offerings.
The following sections describe the Alcatel-Lucent 7750 SR WLAN Gateway, emphasizing
the solution strategy, diverse deployment scenarios, and the advanced Alcatel-Lucent
7750 SR features that can further enrich a Wi-Fi service offering.
2. INTRODUCING THE WLAN GATEWAY
The Alcatel-Lucent lightRadio Wi-Fi solution is a comprehensive Wi-Fi service solution
that addresses both wireline and wireless provider requirements. Subsets of the architecture
can be deployed depending on the objectives of the Wi-Fi service. In the architecture,
the Alcatel-Lucent 7750 SR serves as the WLAN Gateway and is present in all service
configurations. WLAN access points (APs) and the aggregation network that provides
connectivity between the APs and the WLAN Gateway are also present in all service offerings.
2.1 Aggregating and shaping Wi-Fi traffic
A basic function of the WLAN Gateway is to aggregate Wi-Fi traffic from the WLAN APs
and to apply Quality of Service (QoS) traffic shaping to and from the APs. The degree
to which the WLAN Gateway interacts with individual subscriber traffic depends on
whether the Wi-Fi service is a wholesale or retail service. Wholesale services generally
have less individual subscriber traffic visibility. For retail services, the WLAN Gateway
needs to create a state for each subscriber instance. In instances where the WLAN Gateway
creates a Wi-Fi subscriber context, the Alcatel-Lucent 7750 SR can hierarchically police
the subscriber traffic within the AP-level traffic shaping.
Figure 1. Alcatel-Lucent lightRadio Wi-Fi solution
[Figure 1 labels: 7750 SR (WLAN GW); 7750 SR (SGW/PGW/GGSN); 9471 WMM (MME/SGSN); 5780 DSC (PCRF/ANDSF); 9900 WNG; 8950 AAA; 8650 SDM; 5620 SAM (network management); wireless packet core; Wi-Fi enabled lightRadio network with enterprise cells, metro cells and WLAN APs (Wi-Fi)]
2.2 Enhanced subscriber management mechanisms
Other basic WLAN Gateway features include support for mechanisms to coordinate with
the provider’s back-end subscriber, policy and billing infrastructure for authentication
and parameters to create subscriber context, for example:
• Per-subscriber authentication (web authorization or Extensible Authentication
Protocol [EAP] based)
• Remote Authentication Dial-In User Service (RADIUS) accounting
• Quota management or credit control
• Lawful Intercept
For Wi-Fi retail services, the subscriber context exists on the WLAN Gateway. The
WLAN Gateway can optionally coordinate with a mobile provider’s core infrastructure
by interconnecting with a PGW or a GGSN. In all cases, the goal is to provide a seamless
network experience independent of whether the user service is Wi-Fi only or combined
with a wireline or wireless service subscription. For the Wi-Fi service to provide seamless
mobility, mechanisms are required to allow for inter-AP mobility. If the Wi-Fi service
is also tied to a cellular data service, the user should be able to seamlessly move from
Wi-Fi to cellular data service.
The various Wi-Fi service deployment scenarios and the Wi-Fi service requirements
that allow for a superior Quality of Experience (QoE) are explored in more detail in
later sections of this paper.
3. THIN PIPE AND FAT PIPE TUNNELING
For Wi-Fi access infrastructure design, one of the key decisions is to determine the
mechanism by which end user devices or User Equipment (UE) will connect to the
network. There are currently two main models, shown in Figure 2:
• Thin pipe: The UE creates an encrypted tunnel back to the evolved Packet Data
Gateway (ePDG).
• Fat pipe: A tunnel is created between the AP and the WLAN Gateway, and the
AP is responsible for mapping the UE data to that tunnel.
The ePDG and WLAN Gateway act as aggregators and gateways for Wi-Fi traffic.
Figure 2. 3GPP thin and fat pipe Wi-Fi service models
[Figure 2 panels: thin pipe model with tunnels between the UE and ePDG (IPsec, UE-ePDG, through the WLAN AP); fat pipe model with a tunnel between the AP and the WLAN GW (802.11i security between UE and AP, single protected tunnel per SSID/AP)]
3.1 Thin pipe tunneling
In thin pipe tunneling models, as described in the 3GPP TS 23.402 S2a/S2b/S2c specification,
each UE establishes encrypted IP Security (IPsec) tunnels, one for each service, to an
ePDG (a 3GPP term) that terminates the Wi-Fi-attached UE thin-pipe IPsec sessions.
There are a number of challenges with the thin pipe approach:
• IPsec is not widely supported on UEs, so thin pipes cannot address the installed base
of handsets and potentially other Wi-Fi devices.
• IPsec encryption/decryption is a processing-intensive task that increases battery drain.
• IPsec is an encapsulation technique, so there is overhead associated with each packet
on the Wi-Fi network along with new requirements to support packet fragmentation
on the WLAN interfaces.
• The handshake has some latency to establish an IPsec session, which may affect the
user experience, especially for short sessions.
3.2 Fat pipe tunneling
In the fat pipe model, connectivity between the WLAN Gateway and the APs is based
on the 3GPP S2a Mobility based on GPRS Tunneling Protocol (GTP) (SaMOG) Release 11
standard [1]. Alcatel-Lucent is one of the main proponents of this model and believes fat
pipes offer a superior solution based on the model’s flexibility, scalability and lack of
new UE requirements.
In this model, a tunnel is established between WLAN APs and the WLAN Gateway,
with the AP responsible for placing the UE sessions into the tunnel. For thin APs that
use an Access Controller (AC) to control multiple APs in a WLAN zone, the fat pipe is
created between the AC and the WLAN Gateway. The fat pipe model imposes no new
requirements on the UE, so fat pipe tunneling can address the installed base of UEs.
There is an AP requirement to support whatever tunneling mechanism is used for
the fat pipe.
So far, this discussion has referred to generic APs and UEs. However, the AP can actually
reside within a managed home gateway (HGW), and the fat pipe is conceptually the same.
3.2.1 Flexible tunneling protocols
The fat pipe model accommodates different access methods, including bridged VLAN,
bridged tunnel and routed tunnel, as shown in Figure 3.
[1] 3GPP TS 23.402: Architecture enhancements for non-3GPP accesses. Release 11, paragraph 16, March 2012
Figure 3. Alcatel-Lucent lightRadio WLAN Gateway AP to WLAN Gateway tunneling protocols
Within each of the main tunneling approaches, there are also several alternative
approaches to providing encapsulation and/or encryption.
3.2.2 Encapsulation and Layer 2 bridged tunneling
The Alcatel-Lucent lightRadio Wi-Fi solution supports a variety of encapsulation methods
between the AP/HGW and the WLAN Gateway, as shown in Figure 3. Alcatel-Lucent
believes that bridged tunneling with Layer 2 over GRE (L2oGRE) or Layer 2 virtual
private network (VPN) over GRE (L2VPNoGRE) offers the most flexible solution.
3.2.3 Support for IPv4 and IPv6
An advantage to using a Layer 2 tunnel is that the tunnel is agnostic as to whether it is
transporting IPv4 or IPv6. A dual-stack IPv4/IPv6 UE can be supported across the tunnel
and the AP need not be IPv6-aware. In contrast, a routed tunneling mechanism requires
a complete IPv4 and IPv6 dual stack in the network or the added complexity of implementing
4to6/6to4 transition mechanisms. The Alcatel-Lucent 7750 SR supports IPv4 and
IPv6 and is fully capable of supporting routed tunneling, but Layer 2 tunneling is a more
elegant and scalable solution.
3.2.4 Support for wholesale Layer 2 WLAN services
Layer 2 fat pipe tunneling also lends itself to wholesale Layer 2 WLAN services, which
routed tunneling cannot support. In the case where the AP is owned by a wholesale provider,
a single fat pipe tunnel from the AP to the WLAN Gateway can support multiple
retailer WLAN service set identifiers (SSIDs) that can, for example, be delimited with
IEEE 802.1Q virtual LAN (VLAN) tags [2]. Efficient use of tunnels aids in the overall scale
of the solution. In addition, a Layer 2 service allows the use of Layer 2-aware Network
Address Translation (NAT) [3], which greatly simplifies Wi-Fi IP address management.
[Figure 3 panels: (1) Bridged, VLAN: VLAN segregating trusted Wi-Fi traffic; simplified HGW; integrated FMC operator. (2) Bridged, tunneling: L2oGRE (soft GRE) or L2 VPNoGRE (soft GRE), optionally GREoIPsec. (3) Routed, tunneling: GRE or GREoIPsec. Each panel shows an HGW with a trusted Wi-Fi SSID and a private SSID connected over fixed access.]
3.2.5 Soft GRE
The Alcatel-Lucent WLAN Gateway offers mechanisms for GRE tunnels to be automatically
created when devices attach to the AP, eliminating the need for each AP to be
explicitly provisioned on the WLAN Gateway. Because this “soft GRE” is stateless and
the tunnel contexts are created based on need, the WLAN Gateway does not need to
maintain states for unused tunnels, improving the solution’s scalability.
3.2.6 Hop-by-hop security
In thin pipe models, data is secured end-to-end in IPsec from the UE to the ePDG. In
the fat pipe model, there is no loss in data security because the traffic can be secured
on a hop-by-hop basis. IEEE 802.11i security and encryption protocols can be used to
secure traffic between the UE and the AP, and the fat pipe tunnel between the AP and
the WLAN Gateway can be secured with IPsec by running GRE over IPsec (GREoIPsec).
Corporate VPN access is also compatible with the fat pipe model because it allows
end-to-end encryption. In contrast, the thin pipe model would require double IPsec
encryption by the UE.
4. WLAN SERVICE DEPLOYMENT SCENARIOS
Wireline and wireless providers have varying business imperatives for rolling out WLAN
services. A common motivation is to leverage Wi-Fi as a low-cost access technology to
extend the service footprint. The Alcatel-Lucent 7750 SR WLAN Gateway features in the
Alcatel-Lucent lightRadio Wi-Fi solution support a variety of wholesale and retail deployment
scenarios for wireline and wireless providers, including:
• Layer 2 wholesale
• Retail Wi-Fi service/Layer 3 wholesale
• Cellular - Wi-Fi intermobility (cellular offload over Wi-Fi access)
The differences between the scenarios relate to the available methods and mechanisms
for authentication, IP address assignment, billing and anchoring of the UE.
From a technical perspective, the scenarios are presented from simplest model to most
complex. The QoE goals for Alcatel-Lucent lightRadio Wi-Fi go beyond the free Wi-Fi
model, in which users are forced to terminate all sessions and re-authenticate when on
the move. The Alcatel-Lucent 7750 SR WLAN Gateway supports mechanisms for moving
between APs and between Wi-Fi and cellular networks, making the user experience as
seamless as possible.
4.1 Layer 2 wholesale
The deployment scenario for a Wi-Fi service with the fewest requirements on the WLAN
Gateway is a Layer 2 wholesale service. Layer 2 wholesale allows a wireline or wireless
operator with a Wi-Fi service footprint to partner with retail service providers, MSOs,
MNOs or MVNOs for use of their Wi-Fi infrastructure, as shown in Figure 4. In this scenario,
the retail SP/MSO/MNO/MVNO has the direct business relationship with end users.
[2] IEEE 802.1Q: Standard for Local and metropolitan area networks - Virtual Bridged Local Area Networks, May 19, 2006
[3] IETF Layer 2-Aware NAT. draft-miles-behave-l2nat-00, March 4, 2009
Figure 4. Layer 2 wholesale Wi-Fi service
In the Layer 2 wholesale model, the WLAN Gateway provides a Layer 2 connection from
the AP back to the retailer. The WLAN Gateway can perform ingress and egress shaping
on the SSID based on the Service Level Agreement (SLA) with the retailer.
The WLAN Gateway is not involved with issues such as user authentication and IP
address assignment. These aspects are the responsibility of the retailer, and all UE
requests and traffic are passed back to the retail partner as simple Layer 2 traffic.
4.2 Retail Wi-Fi service/Layer 3 wholesale
A retail Wi-Fi service is a service in which the wireline or wireless provider allows
users Wi-Fi access to their network through a retail SSID, as shown in Figure 5. In this
scenario, the Wi-Fi service operator has the business relationship with end users, so the
retailer needs mechanisms to authenticate the end user, assign an IP address, and create
a user context for accounting and billing. The following discussion refers to retail Wi-Fi
service, but from the perspective of the Alcatel-Lucent 7750 SR WLAN Gateway, the same
mechanisms can be used to provide a Layer 3 wholesale service. The only difference is
who owns the back-end authentication and accounting servers.
Figure 5. Retail Wi-Fi/Layer 3 wholesale
[Figure 4 labels: WLAN AP; WLAN GW (shaping per SSID/AP); protected tunnel; 802.11i security; retailer Layer 2 VPN; AAA in the retailer Wi-Fi service core]
[Figure 5 labels: WLAN APs; WLAN GW (shaping per SSID/AP with policing per UE); protected tunnel; 802.11i security; inter-AP mobility; AAA in the retailer Wi-Fi service core; Internet]
4.2.1 Portal-based and EAP authentication
The Alcatel-Lucent 7750 SR WLAN Gateway supports both portal-based authentication
and EAP authentication. Portal-based authentication is the familiar mechanism found in
public hotspots where, after attaching to the Wi-Fi service SSID, the user opens a web
browser and is redirected to an authentication page to enter user credentials.
EAP is an authentication framework frequently used in wireless networks and
point-to-point connections. In IEEE 802.11 (Wi-Fi), the Wi-Fi Protected Access (WPA) and
Wi-Fi Protected Access II (WPA2) standards have adopted IEEE 802.1X [4], with five EAP
types as the official authentication mechanisms:
• EAP-TLS
• EAP-SIM
• EAP-AKA
• LEAP
• EAP-TTLS
EAP authentication provides a greatly enhanced user experience because it allows for
seamless authentication of UEs based on unique device identifiers without the need for
user intervention.
4.2.2 IP address assignment
After the end user is authenticated, an IP address needs to be assigned. The Alcatel-Lucent
7750 SR WLAN Gateway supports IP address assignment using various methods, including
a local Dynamic Host Configuration Protocol (DHCP) server in the Alcatel-Lucent 7750 SR,
DHCP relay, DHCP proxy, and RADIUS.
4.2.3 UE context and policing
Similar in concept to how a BNG creates a broadband subscriber context in wireline
environments based on information from the policy server during authentication, the
WLAN Gateway creates a UE context for accounting and billing. The Alcatel-Lucent
7750 SR WLAN Gateway performs ingress and egress shaping per SSID as in the Layer 2
wholesale service, but because the UE is anchored in the WLAN Gateway, hierarchical
ingress and egress policing of the UE within the shaped SSID is also supported.
4.2.4 Inter-AP mobility
For a UE that moves between APs within the Wi-Fi service, the WLAN Gateway supports
Wi-Fi inter-AP mobility by seamlessly switching the UE connection when the UE traffic
moves to a new AP-to-WLAN Gateway tunnel. When moving between APs, the UE can
avoid full re-authentication and reassociation if the AP and UE support IEEE 802.11 Pairwise
Master Key (PMK) caching or if the APs implement IEEE 802.11r [5] or IEEE 802.11i
Opportunistic Key Caching (OKC).
[4] IEEE 802.1X: Standard for local and metropolitan area networks - Port-Based Network Access Control, February 5, 2010
[5] IEEE 802.11r: Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan
area networks - Specific requirements. Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 2:
Fast Basic Service Set (BSS) Transition, July 15, 2008
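The soft GRE behaviour of section 3.2.5 and the inter-AP move of section 4.2.4, shown as an added Python example that is not Alcatel-Lucent or SR OS code: it parses L2oGRE packets (GRE protocol type 0x6558), creates a tunnel context the first time an AP address is seen, reads the 802.1Q tag that delimits the SSID, and re-anchors a UE when its MAC appears behind a different AP. The class and function names, the sample addresses, and the policy of deleting a tunnel context once its last UE has left are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558    # GRE protocol type for a bridged Ethernet frame (L2oGRE)
ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag, used here to delimit the SSID

@dataclass(frozen=True)
class InnerFrame:
    ap_ip: str            # outer source address: the AP end of the fat pipe
    ue_mac: str           # inner source MAC: the UE
    vlan: Optional[int]   # 802.1Q VLAN ID, None if the inner frame is untagged
    ethertype: int

def parse_l2ogre(pkt: bytes) -> InnerFrame:
    """Parse IPv4 + GRE + Ethernet; raise ValueError on anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != IPPROTO_GRE or len(pkt) < ihl + 4:
        raise ValueError("not a GRE packet")
    flags, proto = struct.unpack_from("!HH", pkt, ihl)
    if flags & 0x0007 or proto != GRE_PROTO_TEB:
        raise ValueError("not GRE version 0 carrying Ethernet")
    off = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence: 4 bytes each
        if flags & bit:
            off += 4
    if len(pkt) < off + 14:
        raise ValueError("truncated inner Ethernet frame")
    ue_mac = pkt[off + 6:off + 12].hex(":")
    (ethertype,) = struct.unpack_from("!H", pkt, off + 12)
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        if len(pkt) < off + 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", pkt, off + 14)
        vlan = tci & 0x0FFF
    return InnerFrame(str(IPv4Address(pkt[12:16])), ue_mac, vlan, ethertype)

class SoftGreGateway:
    """Tunnel contexts appear on first traffic from an AP; none are provisioned."""
    def __init__(self):
        self.tunnels = {}     # AP IP -> set of UE MACs currently behind that AP
        self.ue_anchor = {}   # UE MAC -> (AP IP, VLAN) where the UE was last seen

    def receive(self, pkt: bytes) -> list:
        f = parse_l2ogre(pkt)
        events = []
        if f.ap_ip not in self.tunnels:
            self.tunnels[f.ap_ip] = set()
            events.append("tunnel-created")
        prev = self.ue_anchor.get(f.ue_mac)
        if prev is None:
            events.append("ue-attached")
        elif prev[0] != f.ap_ip:
            # Inter-AP move. Assumption: accepted on the data plane alone; a
            # deployment would tie it to the UE's authenticated session.
            events.append("ue-moved")
            self.tunnels[prev[0]].discard(f.ue_mac)
            if not self.tunnels[prev[0]]:
                del self.tunnels[prev[0]]   # assumed policy: no state for unused tunnels
                events.append("tunnel-removed")
        self.tunnels[f.ap_ip].add(f.ue_mac)
        self.ue_anchor[f.ue_mac] = (f.ap_ip, f.vlan)
        return events

def build_l2ogre(ap_ip, gw_ip, ue_mac, vlan=None, payload=bytes(46)):
    """Construct a sample packet (IPv4 header checksum left 0; not verified above)."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    inner = (bytes.fromhex("020000000001") + bytes.fromhex(ue_mac.replace(":", ""))
             + tag + struct.pack("!H", 0x0800) + payload)
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 0, 0,
                     64, IPPROTO_GRE, 0,
                     IPv4Address(ap_ip).packed, IPv4Address(gw_ip).packed)
    return ip + gre + inner

def demo():
    """One UE sends via AP 192.0.2.10 twice, then roams to AP 192.0.2.20."""
    gw, ue = SoftGreGateway(), "02:aa:bb:cc:dd:01"   # constructed sample values
    log = [gw.receive(build_l2ogre(ap, "198.51.100.1", ue, vlan=100))
           for ap in ("192.0.2.10", "192.0.2.10", "192.0.2.20")]
    return gw, log

if __name__ == "__main__":
    gateway, log = demo()
    for events in log:
        print(events)
    print(gateway.tunnels, gateway.ue_anchor)
```

The parser rejects anything that is not GRE version 0 carrying Ethernet before any tunnel state is created, so malformed packets cannot allocate a context.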
4.3 Cellular - Wi-Fi intermobility (cellular offload over Wi-Fi access)
Cellular - Wi-Fi intermobility (cellular offload over Wi-Fi access) is a retail Wi-Fi service
opportunity for MNOs and MVNOs to ensure seamless connectivity and mobility between
cellular infrastructure and Wi-Fi hotspots. In this scenario, the Wi-Fi network is used to
offload data from the mobile operator’s cellular network and onto the unlicensed Wi-Fi
spectrum, as shown in Figure 6. The application is based on S2a mobility over SaMOG [6].
Figure 6. Cellular - Wi-Fi intermobility (cellular offload over Wi-Fi access)
Cellular - Wi-Fi intermobility retains many of the same characteristics of the previously
discussed deployment scenarios, but additional WLAN Gateway features allow communication
and coordination with the MNO/MVNO mobile core infrastructure.
As with the retail Wi-Fi service scenario, portal-based and EAP authentication are supported,
with EAP-based authentication providing superior user QoE. For each UE in the service,
the WLAN Gateway creates a subscriber instance, so hierarchical policing of UE Wi-Fi
traffic is supported within the shaping per SSID in the AP.
4.3.1 Auto-creation of the UE subscriber context
Cellular - Wi-Fi intermobility differs from the other deployment scenarios in that the
WLAN Gateway communicates with the mobile core to retrieve the authentication and
other subscriber parameters to auto-create the UE subscriber context. For example, the
subscriber IP address would normally be assigned by the mobile core 3GPP AAA server.
In the 3GPP SaMOG model, the UE Wi-Fi data traffic is tunneled in GTP v1 or v2 back
to the PGW/GGSN, which serves as the anchor point for the UE. In this example, the
MNO’s subscribers can access the same services available on the 3G/4G cellular network
(mobile portal, parental controls, pre-paid charging, and so on).
4.3.2 Local breakout
Rather than GTP tunneling traffic back to the mobile core, the WLAN Gateway also supports
the option for “local breakout”, in which UE traffic can be offloaded to the Internet or
other fixed network resources. In both cases, accounting can be unified at the mobile
core AAA server.
[6] 3GPP TS 23.402: Architecture enhancements for non-3GPP accesses. Release 11, paragraph 16, March 2012
[Figure 6 labels: WLAN AP; WLAN GW (shaping per SSID/AP with policing per UE); protected tunnel; 802.11i security; S2a, SWx and STa interfaces; PGW/GGSN, AAA and HSS/HLR in the packet core; Internet; Wi-Fi to cellular mobility]
4.3.3 Wi-Fi to cellular mobility
This deployment scenario gets its name because the UE is able to move between Wi-Fi
and the cellular network. Because the WLAN Gateway obtains the UE IP address from
the mobile core, the UE has the same IP address when it is on Wi-Fi and the cellular
network, allowing seamless mobility when a user moves between networks.
5. ADVANCED WLAN GATEWAY FUNCTIONS
Beyond the basic connectivity model, many WLAN Gateway features are similar in
concept to the requirements for a BNG in a residential service context. The Alcatel-Lucent
7750 SR is an industry-leading BNG, and the WLAN Gateway features are newly incorporated
into the Alcatel-Lucent Service Router Operating System (SR OS). The Alcatel-Lucent
7750 SR can simultaneously support a full range of IP service edge features, such as BNG,
along with the WLAN Gateway. Many of the advanced IP service edge features in the
Alcatel-Lucent 7750 SR have applicability to a WLAN Gateway. The following list highlights
some advanced capabilities that the WLAN Gateway inherits from its Alcatel-Lucent
7750 SR and SR OS lineage:
• Dual-stack IPv4 and IPv6: Support for IPv6 is becoming more common in both
provider networks and UE. The Alcatel-Lucent 7750 SR WLAN Gateway natively
supports IPv4 and IPv6 for both network infrastructure and high-scale subscriber
support.
• Lawful Intercept: The WLAN Gateway inherits the Alcatel-Lucent 7750 SR
infrastructure used to support Lawful Intercept at high scale and high bandwidth
for BNG subscribers.
• Carrier-grade NAT: The WLAN Gateway has integrated carrier-grade NAT that
supports NAT44, NAT64 and Layer 2-aware NAT, allowing for easy use of private
network addresses.
• Accounting and credit control: The Alcatel-Lucent 7750 SR supports a variety of
methods for subscriber accounting, including XML-based accounting files and RADIUS
accounting. For pre-paid service support, the Alcatel-Lucent 7750 SR supports RADIUS
and Diameter credit control.
• IPsec tunnel termination and public key infrastructure (PKI): Deployed in leading
mobile networks as a high-scale and high-bandwidth 3GPP Security Gateway (SeGW),
the WLAN Gateway can leverage base IPsec features to secure AP fat pipe tunnels for
untrusted aggregation networks.
• Application Assurance (AA): AA on the WLAN Gateway extends the service depth
and functionality of the Alcatel-Lucent 7750 SR by enabling visibility and intelligent
control for IP applications. Support for extensive per-application, per-subscriber,
or per-VPN Layer 2 and Layer 3 service policies provides application reporting and
traffic management capabilities. AA enables enhanced and personalized QoS-managed
application performance in highly differentiated consumer, business, and mobile
service offerings with industry-leading scale.
6. CONCLUSION
Alcatel-Lucent has designed its lightRadio Wi-Fi solution with careful consideration to ensure
completeness and scalability. 3GPP thin pipe tunneling models have challenges in the areas
of scalability and addressing the installed base of mobile handsets. In contrast, Alcatel-Lucent
is leveraging a fat pipe model, which greatly reduces the number of required tunnels and
which is compatible with existing devices and the latest dual-stack IPv4/IPv6 devices.
When Alcatel-Lucent needed a WLAN Gateway for the lightRadio Wi-Fi solution architecture,
evolving the Alcatel-Lucent 7750 SR was a natural choice. The Alcatel-Lucent 7750 SR
is a modern service edge router with the industry’s most advanced network processor
technology. Moreover, the Alcatel-Lucent 7750 SR has a proven record of success in
large-scale deployment scenarios with requirements similar to WLAN Gateway requirements,
in particular as a BNG that supports both IPv4 and IPv6 and within the mobile
core as a GGSN/PGW.
Deployed as a lightRadio Wi-Fi WLAN Gateway, the Alcatel-Lucent 7750 SR offers a
feature set suited to a wide variety of service scenarios. Providers and operators can offer
both Layer 2 and Layer 3 wholesale and retail services, with multiple options for tunnel
encapsulation (with or without IPsec encryption), authentication methods, IP address
assignment, and service accounting. The WLAN Gateway also supports features that
users demand in a carrier-grade Wi-Fi service offering: seamless authentication, inter-AP
mobility and Wi-Fi-to-cellular mobility.
Using the Alcatel-Lucent 7750 SR as a WLAN Gateway, wireline and wireless providers
can leverage other advanced and proven features (for example, Lawful Intercept,
carrier-grade NAT, IPsec, and AA) when creating Wi-Fi service offerings with the
Alcatel-Lucent lightRadio Wi-Fi solution.
7. REFERENCES
1. 3GPP TS 23.402: Architecture enhancements for non-3GPP accesses. Release 11.
March 2012.
http://www.3gpp.org/ftp/Specs/html-info/23402.htm
2. IEEE 802.1Q: Standard for Local and metropolitan area networks - Virtual Bridged
Local Area Networks. May 19, 2006.
http://standards.ieee.org/getieee802/download/802.1Q-2005.pdf
3. IEEE 802.11r: Standard for Information technology - Telecommunications and
information exchange between systems - Local and metropolitan area networks -
Specific requirements. Part 11: Wireless LAN Medium Access Control (MAC)
and Physical Layer (PHY) Specifications Amendment 2: Fast Basic Service Set
(BSS) Transition. July 15, 2008.
4. IEEE 802.1X: Standard for local and metropolitan area networks - Port-Based
Network Access Control. February 5, 2010.
http://standards.ieee.org/getieee802/download/802.1X-2010.pdf
5. IEEE 802.11 (WPA2): Wireless Local Area Networks.
http://standards.ieee.org/getieee802/download/802.11i-2004.pdf
6. IETF Layer 2-Aware NAT. draft-miles-behave-l2nat-00. March 4, 2009.
http://tools.ietf.org/html/draft-miles-behave-l2nat-00
www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent, the Alcatel-Lucent logo and lightRadio are trademarks
of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented
is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright © 2012 Alcatel-Lucent. All rights reserved. M2012011887 (February)
8. ACRONYMS
3GPP: Third Generation Partnership Project
4G: Fourth Generation
5620 SAM: Alcatel-Lucent 5620 Service Aware Manager
5780 DSC: Alcatel-Lucent 5780 Dynamic Services Controller
7750 SR: Alcatel-Lucent 7750 Service Router
8610 ICC: Alcatel-Lucent 8610 Instant Convergent Charging Suite
8615 IECCF: Alcatel-Lucent 8615 Instant Enhanced Charging Collection Function
8650 SDM: Alcatel-Lucent 8650 Subscriber Data Manager
8950 AAA: Alcatel-Lucent 8950 Authentication, Authorization and Accounting server
9471 WMM: Alcatel-Lucent 9471 Wireless Mobility Manager
AA: Application Assurance
AAA: Authentication, Authorization and Accounting
AC: Access Controller
ANDSF: Access network discovery and selection function
AP: access point
BNG: Broadband Network Gateway
CDN: content delivery network
DHCP: Dynamic Host Configuration Protocol
EAP: Extensible Authentication Protocol
ePDG: evolved Packet Data Gateway
FMC: fixed-mobile convergence
GGSN: Gateway GPRS Support Node
GPRS: General Packet Radio Service
GRE: Generic Routing Encapsulation
GREoIPsec: GRE over IPsec
GTP: GPRS Tunneling Protocol
GW: gateway
HLR: Home Location Register
HSS: Home Subscriber Server
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IP: Internet Protocol
IPsec: IP Security
L2oGRE: Layer 2 over GRE
L2VPNoGRE: Layer 2 VPN over GRE
LTE: long term evolution
MME: Mobility Management Entity
MNO: mobile network operator
MSO: multiple service operator
MVNO: mobile virtual network operator
NAPT: network address port translation
NAT: Network Address Translation
OKC: Opportunistic Key Caching
PCRF: Policy Charging Rules Function
PGW: packet data network gateway
PKI: public key infrastructure
PMK: Pairwise Master Key
QoE: Quality of Experience
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
SaMOG: S2a Mobility based on GPRS Tunneling Protocol
SeGW: Security Gateway
SGSN: Serving GPRS Support Node
SGW: serving gateway
SLA: Service Level Agreement
SR OS: Alcatel-Lucent Service Router Operating System
SSID: service set identifier
TWAG: Trusted Wireless Access Gateway
UE: User Equipment
VLAN: virtual local area network
VPN: virtual private network
Wi-Fi: Wireless Fidelity
WLAN: wireless local area network
WPA: Wi-Fi Protected Access
WPA2: Wi-Fi Protected Access II
XML: Extensible Markup Language