Hss Support Over S6A Interface - Cisco ASR 5000 series Product Overview

Mobility Management Entity Overview
The AKA is the procedure that takes place between the user and the network to authenticate themselves towards each
other and to provide other security features such as integrity and confidentiality protection.
In logical order, it follows this procedure:
- Authentication: Performs authentication by identifying the user to the network and identifying the network to
  the user.
- Key agreement: Performs key agreement by generating the cipher key and generating the integrity key.
- Protection: When the AKA procedure is performed, it protects the integrity of messages, the confidentiality of
  signalling data, and the confidentiality of user data.

HSS Support Over S6a Interface

Provides a mechanism for performing Diameter-based authorization, authentication, and accounting (AAA) for
subscriber bearer contexts based on the following standards:
- 3GPP TS 23.401 V8.1.0 (2008-03): 3rd Generation Partnership Project; Technical Specification Group Services
  and System Aspects; General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial
  Radio Access Network (E-UTRAN) access (Release 8)
- 3GPP TS 29.272 V8.1.1 (2009-01): 3rd Generation Partnership Project; Technical Specification Group Core
  Network and Terminals; Evolved Packet System (EPS); Mobility Management Entity (MME) and Serving
  GPRS Support Node (SGSN) related interfaces based on Diameter protocol (Release 8)
- 3GPP TS 33.401 V8.2.1 (2008-12): 3rd Generation Partnership Project; Technical Specification Group Services
  and System Aspects; 3GPP System Architecture Evolution (SAE): Security Architecture; (Release 8)
- RFC 3588, Diameter Base Protocol, December 2003
The S6a protocol is used to provide AAA functionality for subscriber EPS Bearer contexts through the Home Subscriber
Server (HSS).
During the initial attachment procedures, the MME sends to the USIM on the AT, via the HSS, the random challenge
(RAND) and an authentication token (AUTN) for network authentication from the selected authentication vector. On
receipt of this message, the USIM verifies that the authentication token can be accepted and, if so, produces a response.
The AT and HSS in turn compute the Cipher Key (CK) and Integrity Key (IK), which are bound to the Serving Network ID.
During the attachment procedure the MME requests a permanent user identity via the S1-MME NAS signaling interface
to eNodeB and inserts the IMSI, Serving Network ID (MCC, MNC) and Serving Network ID it receives in an
Authentication Data Request to the HSS. The HSS returns the Authentication Response with authentication vectors to
the MME. The MME uses the authentication vectors to compute the cipher keys for securing the NAS signaling traffic.
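The following added example (not part of the Cisco document) shows what binding CK and IK to the Serving Network ID means in practice. It assumes the K_ASME derivation of 3GPP TS 33.401 Annex A.2 (HMAC-SHA-256 keyed with CK || IK over FC 0x10, the 3-octet MCC/MNC encoding, and SQN xor AK). The function names and all key material are constructed for illustration.

```python
import hashlib
import hmac

FC_KASME = b"\x10"  # FC value assumed from TS 33.401 Annex A.2 (K_ASME derivation)


def encode_sn_id(mcc: str, mnc: str) -> bytes:
    """Encode MCC/MNC as the 3-octet Serving Network ID (PLMN identity)."""
    if not (mcc.isascii() and mcc.isdigit() and len(mcc) == 3):
        raise ValueError("MCC must be exactly 3 digits")
    if not (mnc.isascii() and mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be 2 or 3 digits")
    m = [int(d) for d in mcc]
    n = [int(d) for d in mnc]
    mnc3 = n[2] if len(n) == 3 else 0xF  # filler nibble for a 2-digit MNC
    return bytes([(m[1] << 4) | m[0], (mnc3 << 4) | m[2], (n[1] << 4) | n[0]])


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """K_ASME = HMAC-SHA-256(CK || IK, FC || SN id || L0 || SQN^AK || L1)."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits each")
    if len(sn_id) != 3 or len(sqn_xor_ak) != 6:
        raise ValueError("SN id is 3 octets, SQN xor AK is 6 octets")
    s = (FC_KASME
         + sn_id + len(sn_id).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    return hmac.new(ck + ik, s, hashlib.sha256).digest()


# Constructed sample values, not real subscriber key material.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SQN_XOR_AK = bytes.fromhex("0a1b2c3d4e5f")  # carried in the first 6 octets of AUTN

if __name__ == "__main__":
    net_a = derive_kasme(CK, IK, encode_sn_id("001", "01"), SQN_XOR_AK)
    net_b = derive_kasme(CK, IK, encode_sn_id("310", "410"), SQN_XOR_AK)
    print("K_ASME, serving network 001/01 :", net_a.hex())
    print("K_ASME, serving network 310/410:", net_b.hex())
    # Same CK/IK and AUTN, different serving network: the derived keys differ,
    # so a vector issued for one network is useless to another.
    print("keys differ:", not hmac.compare_digest(net_a, net_b))
```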
At EAP success, the MME also retrieves the subscription profile from the HSS which includes QoS information and
other attributes such as default APN name and SGW/PGW fully qualified domain names.
Among the AAA parameters that can be configured are:
- Authentication of the subscriber with HSS
- Subscriber location update/location cancel
- Update subscriber profile from the HSS
OL-22938-02
Features and Functionality - Base Software