LWIPEP

LWIP Encapsulation Protocol

Protocol
Introduced in Rel-13
LWIPEP is the protocol entity responsible for generating and processing LWIP PDUs in the LTE-WLAN Radio Level Integration with IPsec Tunnel feature. It resides in the UE and the eNB, handling the encapsulation and decapsulation of user data into the IPsec-secured format for transmission over an untrusted WLAN link under eNB control.

Description

The LWIP Encapsulation Protocol (LWIPEP) is a functional entity defined by 3GPP for the LTE WLAN Radio Level Integration with IPsec Tunnel (LWIP) feature. It is a key user-plane protocol layer that operates in both the user equipment (UE) and the eNodeB (eNB). The primary role of LWIPEP is to prepare user data for secure transmission over an untrusted WLAN access network by generating the specific LWIP Protocol Data Unit (PDU). It sits logically above the IP layer responsible for the IPsec tunnel and below the upper layers that provide the original IP packets (or Ethernet frames) from applications.

In the transmit direction (e.g., uplink from the UE), the LWIPEP entity in the UE receives an IP packet from the application layers. Its task is to construct the payload that will be protected by the IPsec Encapsulating Security Payload (ESP). Depending on network configuration, this may involve encapsulating the original IP packet inside an Ethernet frame if the underlying WLAN link requires Ethernet framing. The constructed payload (either the original IP packet or the Ethernet frame containing it) is then passed down to the IP layer, where it becomes the input to the IPsec ESP tunnel. The resulting secured IP packet, which is the LWIP PDU, is then sent over the WLAN interface. In the eNB, the receiving LWIPEP entity performs the inverse operation after the IPsec tunnel has processed and decrypted the packet: it extracts the original payload (IP packet or Ethernet frame) from the LWIP PDU and forwards it toward the S1-U interface to the core network.

The protocol's operation is tightly controlled by the eNB via RRC signaling. The eNB configures the UE with LWIP parameters, including security parameters for the IPsec tunnel and instructions on how the LWIPEP should handle encapsulation. There is no standalone LWIPEP header; the encapsulation is defined by the structure of the payload passed to IPsec. The LWIPEP's function is thus procedural rather than header-based. Its role is critical in making the WLAN link appear as a secure, virtual layer-2 pipe to the eNB, enabling the eNB to perform bearer-level traffic steering and aggregation between the LTE and WLAN radios without involving the core network for the user-plane path.

Purpose & Motivation

LWIPEP was created as an essential component to realize the LWIP feature's goal of secure, radio-level WLAN integration. The problem it addresses is the need for a standardized method to format user data for secure transport over an IPsec tunnel that terminates at the eNB. Without LWIPEP, there would be no defined procedure for the UE and eNB to agree on how to encapsulate the diverse types of user traffic (IPv4, IPv6, Ethernet) into a consistent payload for the IPsec tunnel, which is necessary for interoperability and correct processing at both ends.

Prior to LWIP, solutions for untrusted WLAN access, like ePDG, terminated the IPsec tunnel in the core network, separating the radio control (eNB) from the security endpoint. LWIPEP enables the termination point to be the eNB itself, which is the key innovation. This solves the problem of latency and control lag, as the eNB can now make instant steering decisions and manage the radio resources of both LTE and WLAN directly. The motivation for defining LWIPEP was to provide a clear, normative description of the user-plane processing required at both ends of the IPsec tunnel, ensuring that LTE bearers could be seamlessly and securely extended over any WLAN infrastructure, thereby increasing network capacity and user data rates with enhanced security.

Key Features

  • Functional entity responsible for constructing the payload for the LWIP IPsec tunnel
  • Defines the encapsulation procedure for user IP packets (or Ethernet frames) into the LWIP PDU
  • Operates in both the UE and the eNB as a symmetric protocol entity
  • Configured by the eNB via RRC signaling for parameters like encapsulation mode
  • Works in conjunction with IPsec ESP to provide end-to-end security between UE and eNB over WLAN
  • Enables the eNB to treat the WLAN link as a secure layer-2 transport for LTE bearers

Evolution Across Releases

Rel-13 Initial

Introduced the LWIPEP entity and its functional description. Defined its role in processing data for the LWIP bearer, including the encapsulation procedures for different payload types (IP or Ethernet) before IPsec protection. Established the foundational procedures for secure data preparation over untrusted WLAN.

Refined LWIPEP procedures alongside broader LWIP enhancements, focusing on mobility and handover optimizations to ensure smooth data path switching between LTE and the LWIP tunnel.

Ensured LWIPEP compatibility and operation within the 5G system architecture, particularly in scenarios involving E-UTRA and NR dual connectivity.

Potential optimizations to the encapsulation handling for improved efficiency and support for new service requirements defined in later releases.

Continued support and maintenance within the evolving 5G framework, ensuring alignment with new security and QoS capabilities.

Part of the ongoing 5G-Advanced feature set, with LWIPEP remaining a component for integrated access scenarios, potentially reviewed for further optimizations.

Maintained as a protocol entity for backward compatibility and integrated access support within the comprehensive 5G-Advanced radio access portfolio.

Defining Specifications

Specification: TS 36.361
Title: 3GPP TR 36.361