EPDG

Evolved Packet Data Gateway

Core Network
Introduced in Rel-8
The Evolved Packet Data Gateway is a core network element that provides secure IP connectivity between a UE and the EPC over untrusted non-3GPP access networks, such as Wi-Fi. It acts as a termination point for IPsec tunnels, enabling seamless mobility and service continuity between 3GPP and non-3GPP access. This is crucial for offloading traffic and providing ubiquitous connectivity.

Description

The Evolved Packet Data Gateway (EPDG) is a critical functional entity within the 3GPP Evolved Packet Core (EPC) architecture, specifically defined to enable secure and trusted integration of untrusted non-3GPP access networks. Its primary role is to serve as a secure gateway and tunnel termination point for User Equipment (UE) connecting via IP-based access like Wi-Fi, public hotspots, or fixed broadband. The EPDG establishes an encrypted IPsec tunnel (using IKEv2) directly with the UE, protecting all user plane and control plane traffic as it traverses the untrusted network segment. This tunnel terminates at the EPDG, which then routes the traffic into the secure 3GPP EPC domain.

Architecturally, the EPDG interfaces with several key EPC nodes. It communicates with the 3GPP AAA Server (and potentially a 3GPP AAA Proxy) for user authentication, authorization, and policy retrieval. For mobility and session management, it connects to the PDN Gateway (PGW) via the S2b interface, which is based on the GPRS Tunneling Protocol (GTP) or the Proxy Mobile IP (PMIP) protocol. This connection allows the EPDG to act as a mobility anchor, similar to the PGW's role for 3GPP access, ensuring that the UE's IP address is preserved when moving between access types. The EPDG also interacts with the HSS to fetch subscriber profiles during the authentication process.

From a functional perspective, the EPDG's operation begins when a UE discovers an EPDG address (via DNS or pre-configuration) and initiates an IKEv2 exchange. The EPDG, acting as the IKEv2 responder, relays EAP-AKA or EAP-AKA' authentication between the UE and the 3GPP AAA Server, so that the UE is authenticated with credentials held on the USIM. Once the IPsec tunnel is established, the EPDG facilitates the creation of a PDN connection by signaling to the PGW. It manages the binding between the UE's tunnel information and the corresponding bearer in the EPC. The EPDG also handles policy enforcement, applying QoS rules and charging policies received from the PCRF via the Gxb interface (if PMIP is used) or embedded within the PGW signaling. Its role is fundamental to the Access Network Discovery and Selection Function (ANDSF) and later to the Non-3GPP Interworking Function (N3IWF) in 5G, providing a blueprint for non-3GPP integration.
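The attach sequence just described, as an added worked model (not code from 3GPP or any EPDG implementation): the UE presents its IMSI-derived NAI in IKE_AUTH without an AUTH payload, the EPDG relays the EAP-AKA challenge and response between the UE and the AAA server, and only a successful RES/XRES match hands the EPDG an MSK to key the IKE AUTH exchange. The classes, the `kdf` stand-in for Milenage and the EAP-AKA PRF, the 3-digit-MNC assumption in the NAI, and all key material are constructed for the example.

```python
"""Constructed model of EPDG attach: IKE_AUTH carrying EAP-AKA, with the EPDG
relaying EAP between UE and 3GPP AAA. HMAC-SHA256 stands in for Milenage/EAP-AKA PRF."""
import hashlib, hmac, os

def kdf(key, *parts):  # assumption: replaces Milenage f1..f5 and the EAP-AKA key derivation
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class UsimSide:
    """UE + USIM: holds the long-term key K, which never leaves the card."""
    def __init__(self, imsi, k):
        self.imsi, self.k = imsi, k
    def nai(self):
        # EAP-AKA root NAI per TS 23.003 (0<IMSI>@nai.epc.mnc<MNC>.mcc<MCC>...); assumes 3-digit MNC
        mcc, mnc = self.imsi[:3], self.imsi[3:6]
        return f"0{self.imsi}@nai.epc.mnc{mnc}.mcc{mcc}.3gppnetwork.org"
    def challenge(self, rand, autn):
        mac, sqn = autn[:32], autn[32:]             # AUTN = MAC || SQN (simplified layout)
        if not hmac.compare_digest(mac, kdf(self.k, rand, sqn)):
            raise ValueError("AUTN MAC failure: network not authenticated")
        return kdf(self.k, b"res", rand), kdf(self.k, b"msk", rand)   # RES and UE-side MSK

class AaaServer:
    """3GPP AAA server: holds K per IMSI, issues vectors, checks RES against XRES."""
    def __init__(self, subscribers):
        self.subs, self.sqn = subscribers, 0
    def vector(self, imsi):
        k, rand = self.subs[imsi], os.urandom(16)   # KeyError for an unknown subscriber
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        return rand, kdf(k, rand, sqn) + sqn, kdf(k, b"res", rand), kdf(k, b"msk", rand)
    def authenticate(self, res, xres, msk):
        return msk if hmac.compare_digest(res, xres) else None   # EAP-Success hands MSK to EPDG

def epdg_attach(ue, aaa):
    """EPDG side of the exchange; returns the MSK keying the IKE SA, or None on failure."""
    nai = ue.nai()                                  # IKE_AUTH #1: IDi = NAI, no AUTH payload -> EAP
    imsi = nai.split("@")[0][1:]
    try:
        rand, autn, xres, msk_net = aaa.vector(imsi)   # AAA vector -> EAP-Request/AKA-Challenge
        res, msk_ue = ue.challenge(rand, autn)         # USIM verifies AUTN, returns RES and MSK
    except (KeyError, ValueError):
        return None                                    # unknown IMSI, or UE rejects the AUTN
    msk = aaa.authenticate(res, xres, msk_net)      # EAP-Success + MSK to the EPDG, or None
    # Final IKE_AUTH: both sides key AUTH with MSK; the EPDG checks the UE's AUTH before the SA is up
    if msk is None or not hmac.compare_digest(
            kdf(msk_ue, b"ike-auth", nai.encode()), kdf(msk, b"ike-auth", nai.encode())):
        return None
    return msk                                      # IPsec child SA keys derive from here
```

Note that the EPDG never holds K: it sees only RAND/AUTN, RES and the MSK the AAA server releases after a match, which is why a UE with the wrong K fails at the AUTN check on its own side before any RES is sent.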

Purpose & Motivation

The EPDG was introduced in 3GPP Release 8 as part of the System Architecture Evolution (SAE) to address the growing need for seamless integration of high-performance, ubiquitous Wi-Fi networks with the cellular packet core. Prior to its standardization, interworking between cellular and WLAN was often limited to simple offloading at the IP layer without integrated authentication, security, or mobility support. This resulted in a disjointed user experience, broken application sessions during handovers, and inconsistent security policies when moving between cellular and Wi-Fi.

The creation of the EPDG was motivated by the desire to treat certain non-3GPP accesses as "trusted" extensions of the operator's network. By defining a standardized, secure gateway, operators could leverage widely available Wi-Fi infrastructure to offload data traffic while maintaining the same level of control, security, and service continuity expected from the 3GPP network. It solved the critical problem of establishing a trusted IP path over an inherently untrusted access medium, ensuring that user traffic is protected from eavesdropping or manipulation on public Wi-Fi networks.

Furthermore, the EPDG enabled new business models and technical capabilities, such as seamless voice call continuity between VoLTE and Wi-Fi (VoWiFi), which relies on the EPDG to provide a secure, QoS-managed tunnel for IMS signaling and media. It laid the groundwork for the broader "non-3GPP access" concept that later evolved into the Trusted Non-3GPP Gateway Function (TNGF) and the Non-3GPP Interworking Function (N3IWF) in the 5G Core network, demonstrating its foundational importance in converged access architectures.

Key Features

  • Terminates IPsec (IKEv2) tunnels with UEs over untrusted non-3GPP IP access
  • Interfaces with 3GPP AAA Server for EAP-based authentication using USIM credentials
  • Connects to PGW via S2b interface using GTP or PMIP for PDN connectivity
  • Acts as a mobility anchor for sessions handed over from/to 3GPP access
  • Enforces QoS and charging policies received from PCRF
  • Supports discovery via DNS or ANDSF mechanisms

Evolution Across Releases

Rel-8 Initial

Introduced as a core component of the Evolved Packet Core (EPC) for untrusted non-3GPP access interworking. Initial architecture defined the EPDG's role in establishing IPsec tunnels with UEs, interfacing with the AAA server for authentication, and connecting to the PGW via the S2b interface to provide secure PDN connectivity and mobility support.

Defining Specifications

Specification   Title
TS 28.709       3GPP TS 28.709
TS 32.753       3GPP TR 32.753
TS 32.756       3GPP TR 32.756