Multiple Digital Certificate Selection Based on APN - Cisco ASR 5000 Series Product Overview

PDG/TTG Overview

Multiple Digital Certificate Selection Based on APN

Selecting digital certificates based on Access Point Name (APN) allows you to apply digital certificates per the
requirements of each APN and associated packet data network. A digital certificate is an electronic credit card that
establishes a subscriber's credentials when doing business or other transactions on the Internet. Some digital certificates
conform to ITU-T standard X.509 for a Public Key Infrastructure (PKI) and Privilege Management Infrastructure
(PMI). X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and
a certification path validation algorithm.
During session establishment, the PDG/TTG can select a digital certificate from multiple certificates based on the APN.
The selected certificate is associated with the APN that the WLAN UE includes in the IDr payload of the first
IKE_AUTH_REQ message.
When configuring APN-based certificate selection, ensure that the certificate names match the associated APNs exactly.
The PDG/TTG can then examine each APN received in the IDr payload and select the correct certificate.
The PDG/TTG generates an SNMP notification when the certificate is within 30 days of expiration and approximately
once a day until a new certificate is provided. Operators need to generate a new certificate and then configure the new
certificate using the system's CLI. The certificate is then used for all new sessions.
Subscriber Traffic Policing for IPSec Access
Traffic policing allows you to manage bandwidth usage on the network and limit bandwidth allowances to subscribers.
Traffic policing enables the configuration and enforcement of bandwidth limitations on individual subscribers of a
particular traffic class in a 3GPP service. Bandwidth enforcement is configured and enforced independently in the
downlink and uplink directions.
When configured in the Subscriber Configuration Mode of the system's CLI, the PDG/TTG performs traffic policing.
However, if the GGSN changes the QoS via an Update PDP Context Request, the PDG/TTG uses the QoS values from
the GGSN.
Per RFC 2698, a Token Bucket Algorithm is used to implement the traffic policing feature on the PDG/TTG. The
following criteria are used when determining how to mark a packet:
- Committed Data Rate (CDR): The guaranteed rate (in bits per second) at which packets can be
  transmitted/received for the subscriber during the sampling interval. Note that the committed (or guaranteed)
  data rate does not apply to the Interactive and Background traffic classes.
- Peak Data Rate (PDR): The maximum rate (in bits per second) at which subscriber packets can be
  transmitted/received for the subscriber during the sampling interval.
Using negotiated QoS data rates, the system calculates the burst size, which is the maximum number of bytes that can
be transmitted/received for the subscriber during the sampling interval for both committed and peak rate conditions. The
committed burst size (CBS) and peak burst size (PBS) for each subscriber depends on the guaranteed bit rate (GBR) and
maximum bit rate (MBR) respectively. This represents the maximum number of tokens that can be placed in the
subscriber's "bucket". The burst size is the bucket size used by the Token Bucket Algorithm.
Tokens are removed from the subscriber's bucket based on the size of the packets being transmitted/received. Every
time a packet arrives, the system determines how many tokens need to be added (returned) to a subscriber's CBS (and
PBS) bucket. This value is derived by computing the product of the time difference between incoming packets and the
CDR (or PDR). The computed value is then added to the tokens remaining in the subscriber's CBS (or PBS) bucket.
The total number of tokens cannot be greater than the burst size. If the total number of tokens would exceed the burst
size, it is set equal to the burst size.
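The two-bucket policer described above, written out as an added example (not Cisco's PDG/TTG implementation): rates, burst sizes and the packet trace are constructed values, and the green/yellow/red marking follows the RFC 2698 trTCM semantics that the page cites but does not spell out. Passing `cdr_bps=None` models the Interactive/Background classes, which have no committed rate.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DualBucketPolicer:
    """Committed (CBS) and peak (PBS) token buckets, refilled per packet arrival."""
    cdr_bps: Optional[int]   # Committed Data Rate, bits/s; None for Interactive/Background
    pdr_bps: int             # Peak Data Rate, bits/s
    cbs_bytes: int           # committed burst size = size of the CBS bucket (from GBR)
    pbs_bytes: int           # peak burst size = size of the PBS bucket (from MBR)
    c_tokens: float = field(init=False)
    p_tokens: float = field(init=False)
    last_ms: Optional[int] = field(default=None, init=False)

    def __post_init__(self) -> None:
        # A bucket starts full: the burst size is the most tokens it can hold.
        self.c_tokens = float(self.cbs_bytes)
        self.p_tokens = float(self.pbs_bytes)

    def _refill(self, now_ms: int) -> None:
        if self.last_ms is not None:
            elapsed_ms = now_ms - self.last_ms
            # Tokens returned = inter-packet time * rate (bits), converted to bytes
            # and added to what is left, then capped at the burst size.
            if self.cdr_bps is not None:
                self.c_tokens = min(self.cbs_bytes, self.c_tokens + elapsed_ms * self.cdr_bps / 8000)
            self.p_tokens = min(self.pbs_bytes, self.p_tokens + elapsed_ms * self.pdr_bps / 8000)
        self.last_ms = now_ms

    def mark(self, now_ms: int, size_bytes: int) -> str:
        """Colour one packet; tokens are removed according to its size."""
        self._refill(now_ms)
        if size_bytes > self.p_tokens:
            return "red"           # exceeds the peak rate; nothing is consumed
        if self.cdr_bps is None or size_bytes > self.c_tokens:
            self.p_tokens -= size_bytes
            return "yellow"        # within peak rate but above the committed rate
        self.c_tokens -= size_bytes
        self.p_tokens -= size_bytes
        return "green"             # within the guaranteed rate


def police_trace(policer: DualBucketPolicer, trace: List[Tuple[int, int]]) -> List[str]:
    """Mark every (timestamp_ms, size_bytes) packet of a constructed trace in order."""
    return [policer.mark(ts, size) for ts, size in trace]
```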
OL-22938-02
Features and Functionality
Cisco ASR 5000 Series Product Overview