The Programmable Virtual Private Cloud (PVPC) is a programmable distributed overlay network, and one central method of onboarding a large number of devices is to onboard a private Access Point Name (APN) or Data Network Name (DNN), in pre- and post-5G terms respectively. This document uses the term APN throughout, but the two terms are interchangeable.
APNs are onboarded onto one of our many Regional Sites based on latency requirements and access to carrier networks.
Using the APN method, all the mobile devices using the APN will be manageable in the Lolo PVPC infrastructure. From there you can manage these networks and devices using the PVPC APIs.
APN integration relies on the methods in the ETSI standard TS 129 061, "Interworking between the Public Land Mobile Network (PLMN) supporting packet based services and Packet Data Networks (PDN)", which can be found here.
The following definitions are set out and used in this document:
Access Point Name (APN), used interchangeably with Data Network Name (DNN) in 5G
CSP Gateways are high performance, redundant gateways which run in the Regional Sites and terminate APNs using IPSec or fiber connections.
These are special Regional Sites where only CG-NAT is hosted for egress pinning
The Enterprise Gateway is a Programmable Virtual Private Cloud router spun up as a private network for the customer
Packet Data Network (PDN) Gateway (PGW), used interchangeably with User Plane Function (UPF) in 5G
A Regional Site is one of the global sites where the PVPC traffic plane is hosted.
The overview of the architecture is as follows:
Onboarding of an APN is a service request (not done through the API) in which the Lolo operations team establishes an IPSec VPN to the Connectivity Service Provider's (CSP) PGW, typically along with RADIUS integration; other protocols such as Diameter are also supported. Once an APN is terminated in the CSP Gateways, the traffic and devices attached to these networks become manageable using the PVPC API.
The following parameters are typically exchanged as part of the IPSec Integration:
- IKE Version
- Pre-shared Key
- Hash Algorithm
- Encryption Algorithm
- Key Exchange
- Transport Protocol
- Authentication Algorithm
- Encryption Algorithm
- Perfect Forward Secrecy
- Data lifetime
- Tunnel Monitoring attributes
- BGP Information for Redundant VPNs
  - IP Addresses
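One way to sanity-check the exchanged parameters before tunnel turn-up, as an added example (not Lolo's code or requirements): the field names mirror the list above, while the split into `ike` and `esp` groups, the thresholds and the sample sheets are assumptions.

```python
# Added example: review an IPSec parameter sheet; thresholds are assumed local policy.
WEAK_HASH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des", "null"}
WEAK_DH_GROUPS = {1, 2, 5}   # MODP groups below 2048 bits
MIN_PSK_LEN = 32             # assumption
MAX_LIFETIME_S = 28800       # assumption: rekey at least every 8 hours

def review_sheet(sheet):
    """Return findings for one sheet; an empty list means it passes."""
    ike, esp = sheet["ike"], sheet["esp"]
    out = []
    if ike["ike_version"] != 2:
        out.append("ike: IKEv1 requested, use IKEv2")
    if len(ike["pre_shared_key"]) < MIN_PSK_LEN:
        out.append("ike: pre-shared key shorter than policy minimum")
    if ike["hash_algorithm"].lower() in WEAK_HASH:
        out.append("ike: weak hash " + ike["hash_algorithm"])
    if ike["encryption_algorithm"].lower() in WEAK_ENC:
        out.append("ike: weak cipher " + ike["encryption_algorithm"])
    if ike["key_exchange"] in WEAK_DH_GROUPS:
        out.append("ike: weak DH group %d" % ike["key_exchange"])
    if esp["transport_protocol"].lower() != "esp":
        out.append("esp: AH alone gives no confidentiality, use ESP")
    cipher, auth = esp["encryption_algorithm"].lower(), esp.get("authentication_algorithm")
    if cipher in WEAK_ENC:
        out.append("esp: weak cipher " + cipher)
    # AEAD ciphers (GCM) authenticate on their own; others need a strong MAC.
    if not cipher.endswith("gcm") and (auth is None or auth.lower() in WEAK_HASH):
        out.append("esp: missing or weak authentication algorithm")
    if not esp["perfect_forward_secrecy"]:
        out.append("esp: perfect forward secrecy disabled")
    if not 0 < esp["data_lifetime_s"] <= MAX_LIFETIME_S:
        out.append("esp: data lifetime outside policy")
    return out

# Constructed sample sheets (not real customer or Lolo values).
LEGACY = {
    "ike": {"ike_version": 1, "pre_shared_key": "example-psk", "hash_algorithm": "SHA1",
            "encryption_algorithm": "3DES", "key_exchange": 2},
    "esp": {"transport_protocol": "ESP", "authentication_algorithm": "MD5", "encryption_algorithm": "AES128",
            "perfect_forward_secrecy": False, "data_lifetime_s": 86400},
}
HARDENED = {
    "ike": {"ike_version": 2, "pre_shared_key": "PLACEHOLDER-" * 4, "hash_algorithm": "SHA256",
            "encryption_algorithm": "AES256", "key_exchange": 19},
    "esp": {"transport_protocol": "ESP", "authentication_algorithm": None, "encryption_algorithm": "AES256GCM",
            "perfect_forward_secrecy": True, "data_lifetime_s": 3600},
}
```

`review_sheet(LEGACY)` returns eight findings and `review_sheet(HARDENED)` returns none; the findings never echo the pre-shared key itself.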
The following parameters are typically exchanged as part of the RADIUS Integration:
- Primary and Secondary RADIUS Server IP Addresses
- Usage for Authentication, Accounting and IP Address Allocation
- Username - typically [email protected]
- Set to use DNS on APN
A number of additional RADIUS attributes, as defined in TS 129 061, are specified.