APN / DNN Onboarding

How to Onboard an APN / DNN

Overview

The Programmable Virtual Private Cloud (PVPC) is a programmable distributed overlay network. One central method of onboarding a large number of devices is to onboard a private Access Point Name (APN) or Data Network Name (DNN), the pre-5G and 5G terms respectively. This document uses the term APN throughout, but the two terms are interchangeable.

APNs are onboarded onto one of our many Regional Sites based on latency requirements and access to carrier networks.

Using the APN method, all the mobile devices using the APN will be manageable in the Lolo PVPC infrastructure. From there you can manage these networks and devices using the PVPC APIs.

APN integration relies on the methods in the ETSI standard TS 129 061 - Interworking between the Public Land Mobile Network (PLMN) supporting packet based services and Packet Data Networks (PDN) which can be found here.

The following definitions are set out and used in this document:

Term: Definition

APN: Access Point Name, used interchangeably with Data Network Name (DNN) in 5G.

CSP Gateway: CSP Gateways are high-performance, redundant gateways which run in the Regional Sites and terminate APNs using IPSec or fiber connections.

Egress Site: These are special Regional Sites where only CG-NAT is hosted for egress pinning.

Enterprise Gateway: The Enterprise Gateway is a Programmable Virtual Private Cloud router spun up as a private network for the customers.

PGW: Packet Data Network (PDN) Gateway, used interchangeably with User Plane Function (UPF) in 5G.

Regional Site: Regional Sites are one of the global sites where the PVPC traffic plane is hosted. Regional Sites host the following:

  • CSP Gateways
  • PVPC Enterprise Gateways
  • CG-NAT
  • IPSec Concentrators

The overview of the architecture is as follows:

[Figure: architecture overview]

Onboarding of an APN is a service request (not done through the API) in which the Lolo operations team establishes an IPSec VPN to the Connectivity Service Provider's (CSP) PGW. This typically comes with RADIUS integration, although other protocols such as Diameter are supported. Once an APN is terminated in the CSP Gateways, the traffic and devices attached to these networks become manageable using the PVPC API.

IPSec Integration

The following parameters are typically exchanged as part of the IPSec Integration:
Tunnel MTU

IKE Proposal

  • IKE Version
  • Pre-shared Key
  • Hash Algorithm
  • Encryption Algorithm
  • Key Exchange

IPSec Proposal

  • Transport Protocol
  • Authentication Algorithm
  • Encryption Algorithm
  • Perfect Forward Secrecy
  • Data lifetime

Tunnel Monitoring attributes

BGP Information for Redundant VPNs

  • IP Addresses
  • Routes
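
One way to review the exchanged IKE and IPSec proposal values before the tunnel is configured, as an added example that is not Lolo's code or part of the original page. The field names, the baseline of weak algorithms and Diffie-Hellman groups, and the minimum key length are assumptions; Tunnel MTU, lifetime, monitoring and BGP values are not checked.

```python
# Added example: field names and the baseline are assumptions, not a Lolo or CSP format.
WEAK = {
    "ike_hash": {"md5", "sha1"},
    "ike_encryption": {"des", "3des"},
    "esp_authentication": {"md5", "sha1"},
    "esp_encryption": {"des", "3des", "null"},
}
WEAK_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP groups
MIN_PSK_LENGTH = 32         # assumed minimum pre-shared key length in characters


def review_sheet(sheet):
    """Return one finding per parameter that is missing or below the baseline."""
    findings = []
    if sheet.get("ike_version") != 2:
        findings.append("ike_version: IKEv2 expected")
    if len(sheet.get("pre_shared_key") or "") < MIN_PSK_LENGTH:
        findings.append("pre_shared_key: shorter than %d characters" % MIN_PSK_LENGTH)
    for field, weak in WEAK.items():
        value = str(sheet.get(field) or "").lower()
        if not value:
            findings.append(field + ": missing")
        elif value in weak:
            findings.append(field + ": " + value + " is below baseline")
    # An AEAD cipher (GCM) carries its own integrity check; anything else needs one.
    if (str(sheet.get("esp_authentication")).lower() == "none"
            and "gcm" not in str(sheet.get("esp_encryption")).lower()):
        findings.append("esp_authentication: none without an AEAD cipher")
    if str(sheet.get("transport_protocol") or "").lower() != "esp":
        findings.append("transport_protocol: ESP expected, AH does not encrypt")
    for field in ("key_exchange_group", "pfs_group"):
        group = sheet.get(field)
        if group is None:
            findings.append(field + ": not set")
        elif group in WEAK_DH_GROUPS:
            findings.append("%s: DH group %s is below baseline" % (field, group))
    return findings


# Constructed sample sheets; the keys are placeholders, not real secrets.
WEAK_SHEET = {"ike_version": 1, "pre_shared_key": "Welcome2024!", "ike_hash": "md5",
              "ike_encryption": "3des", "key_exchange_group": 2,
              "transport_protocol": "esp", "esp_authentication": "sha1",
              "esp_encryption": "aes256", "pfs_group": None}
STRONG_SHEET = {"ike_version": 2, "ike_hash": "sha256", "ike_encryption": "aes256",
                "pre_shared_key": "constructed-sample-key-not-for-real-use-0001",
                "key_exchange_group": 20, "transport_protocol": "esp",
                "esp_authentication": "sha256", "esp_encryption": "aes256",
                "pfs_group": 20}

if __name__ == "__main__":
    for name, sheet in (("weak", WEAK_SHEET), ("strong", STRONG_SHEET)):
        print(name, review_sheet(sheet) or "ok")
```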

RADIUS Integration

The following parameters are typically exchanged as part of the RADIUS Integration:
Primary and Secondary RADIUS Server IP Addresses
Usage for Authentication, Accounting and IP Address Allocation
Username - typically [email protected]
Set to use DNS on APN

A number of additional RADIUS attributes as defined in TS 129 061 are specified.