UWAN

Untrusted Wireless Access Network

Security
Introduced in Rel-13
A non-3GPP access network (like Wi-Fi) that is not inherently trusted by the 3GPP core network. To securely integrate such access, UE connections are routed through an evolved Packet Data Gateway (ePDG) which establishes an IPsec tunnel, protecting traffic as it traverses the untrusted link. This is fundamental for secure non-3GPP access in EPS and 5GS.

Description

An Untrusted Wireless Access Network (UWAN) is a conceptual classification in 3GPP architectures for Evolved Packet System (EPS) and 5G System (5GS), referring to any wireless IP-based access network that is not operated by the mobile network operator or is not considered secure enough to have a direct, trusted connection to the 3GPP core. The most common example is a public or private Wi-Fi network (e.g., IEEE 802.11). The core principle is that the 3GPP network cannot rely on the security mechanisms of the UWAN itself to protect user plane traffic and signaling. Therefore, a special security gateway, the evolved Packet Data Gateway (ePDG), is introduced as a mandatory point of entry.

When a User Equipment (UE) attaches to the network via a UWAN, it must first discover and select a suitable ePDG (normally by resolving an operator-specific FQDN in DNS). The UE then establishes an IPsec tunnel with the ePDG using IKEv2. This tunnel encapsulates all traffic destined for the 3GPP core network, including authentication signaling and user data packets. The ePDG acts as a security gateway, terminating the IPsec tunnel on the untrusted side and presenting a trusted interface towards the core. It interfaces with the 3GPP AAA infrastructure (HSS/AAA Server) to authenticate the UE using EAP-AKA or EAP-AKA', carried inside the IKEv2 IKE_AUTH exchange that sets up the tunnel. Once authenticated, the ePDG sets up the necessary connectivity to the Packet Data Network Gateway (PGW) in EPS or the User Plane Function (UPF) in 5GS, creating a secure end-to-end logical path for the UE.
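The attach sequence described above, as an added model that is not part of the original page and not 3GPP or vendor code: the UE builds the ePDG discovery FQDN, the ePDG fetches an authentication vector from the HSS/AAA, the UE verifies AUTN before answering the EAP-AKA' challenge (so a rogue gateway on the untrusted WLAN cannot pass the check), the ePDG compares RES with XRES, and both sides prove possession of the EAP-derived MSK in the final IKEv2 AUTH payload. The FQDN format follows TS 23.003 and the AUTH formula RFC 7296 section 2.16; Milenage, the EAP-AKA' key derivation and the IKEv2 payload encodings are replaced by HMAC-SHA256 stand-ins, and the key K, IMSI and PLMN values are constructed for the example.

```python
"""Model of a UE attaching to the EPC over an untrusted WLAN via the ePDG (SWu).

Illustration only. Milenage f1..f4, the EAP-AKA' MSK derivation and the IKEv2
payload formats are HMAC-SHA256 stand-ins; the message order and the checks
each side performs are what this models (TS 33.402, RFC 7296, RFC 5448).
"""
import hashlib
import hmac
import os
from typing import Optional


def epdg_fqdn(mcc: str, mnc: str) -> str:
    """Operator-identifier FQDN the UE resolves to discover an ePDG (TS 23.003).
    MNC and MCC are zero-padded to three digits."""
    return f"epdg.epc.mnc{int(mnc):03d}.mcc{int(mcc):03d}.pub.3gppnetwork.org"


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class HomeNetwork:
    """HSS / 3GPP AAA: holds the long-term key K and issues authentication vectors."""

    def __init__(self, k: bytes, sqn: int = 1):
        self.k, self.sqn = k, sqn

    def authentication_vector(self, rand: Optional[bytes] = None):
        rand = rand or os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        mac_a = prf(self.k, b"f1", sqn, rand)[:8]   # stand-in for Milenage f1
        xres = prf(self.k, b"f2", rand)[:8]         # f2
        ck = prf(self.k, b"f3", rand)[:16]          # f3
        ik = prf(self.k, b"f4", rand)[:16]          # f4
        autn = sqn + mac_a   # simplified: real AUTN = SQN xor AK || AMF || MAC
        return rand, autn, xres, ck, ik


def derive_msk(ck: bytes, ik: bytes, identity: bytes) -> bytes:
    """Stand-in for the EAP-AKA' MSK derivation (RFC 5448 uses PRF' over CK'/IK')."""
    return prf(ck + ik, b"EAP-AKA' MSK", identity)


def ikev2_auth(msk: bytes, signed_octets: bytes) -> bytes:
    """AUTH when EAP supplied the key: prf(prf(MSK, "Key Pad for IKEv2"), octets)."""
    return prf(prf(msk, b"Key Pad for IKEv2"), signed_octets)


class UE:
    def __init__(self, k: bytes, imsi: str):
        self.k, self.imsi, self.last_sqn, self.msk = k, imsi, 0, None

    def eap_aka_challenge(self, rand: bytes, autn: bytes) -> bytes:
        """Authenticate the network (AUTN) before answering; reject replayed vectors."""
        sqn, mac_a = autn[:6], autn[6:]
        if not hmac.compare_digest(mac_a, prf(self.k, b"f1", sqn, rand)[:8]):
            raise ValueError("AUTN MAC mismatch: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            raise ValueError("AUTN replay: SQN not fresh")
        self.last_sqn = int.from_bytes(sqn, "big")
        ck = prf(self.k, b"f3", rand)[:16]
        ik = prf(self.k, b"f4", rand)[:16]
        self.msk = derive_msk(ck, ik, self.imsi.encode())
        return prf(self.k, b"f2", rand)[:8]   # RES


class EPDG:
    def __init__(self, aaa: HomeNetwork):
        self.aaa = aaa

    def swu_attach(self, ue: UE, rand: Optional[bytes] = None) -> dict:
        """IKE_SA_INIT, IKE_AUTH carrying EAP-AKA', then AUTH proving the MSK."""
        ni, nr = os.urandom(16), os.urandom(16)   # IKE_SA_INIT nonces (DH omitted)
        # IKE_AUTH #1: IDi without AUTH asks for EAP; ePDG fetches a vector over SWm
        rand, autn, xres, ck, ik = self.aaa.authentication_vector(rand)
        # IKE_AUTH #2/#3: EAP-Request/AKA'-Challenge (RAND, AUTN), EAP-Response (RES)
        res = ue.eap_aka_challenge(rand, autn)
        if not hmac.compare_digest(res, xres):
            raise ValueError("RES != XRES: UE not authenticated")
        msk = derive_msk(ck, ik, ue.imsi.encode())   # EAP-Success; MSK from AAA
        # IKE_AUTH #4: both sides bind the IKE SA to the MSK; the ESP child SA follows
        octets = b"IKE_SA_INIT" + ni + nr
        if not hmac.compare_digest(ikev2_auth(ue.msk, octets), ikev2_auth(msk, octets)):
            raise ValueError("IKEv2 AUTH mismatch")
        return {"tunnel_up": True, "keys_match": ue.msk == msk}


def demo() -> dict:
    k = bytes(range(16))                        # constructed long-term key K
    imsi = "001010123456789"                    # constructed test IMSI (MCC 001, MNC 01)
    aaa, epdg = HomeNetwork(k), EPDG(aaa := HomeNetwork(k)) if False else (HomeNetwork(k), None)
    epdg = EPDG(aaa)
    ok = epdg.swu_attach(UE(k, imsi))
    try:                                        # UE with the wrong K never gets a tunnel
        epdg.swu_attach(UE(bytes(16), imsi))
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    ue = UE(k, imsi)                            # replaying an old challenge is refused
    rand, autn, *_ = aaa.authentication_vector(b"\x01" * 16)
    ue.eap_aka_challenge(rand, autn)
    try:
        ue.eap_aka_challenge(rand, autn)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"fqdn": epdg_fqdn("001", "01"), "ok": ok,
            "wrong_key_rejected": wrong_key_rejected, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(demo())
```

The two checks the UE performs before revealing RES (AUTN MAC and SQN freshness) are what make the scheme safe on an untrusted link: an access point that merely forwards IP cannot impersonate the home network without K, and it cannot reuse a captured challenge.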

The architecture involves several key components: the UE, with its support for IKEv2/IPsec and ePDG discovery (via DNS); the UWAN itself, which merely provides IP connectivity; the ePDG as the trust boundary; and the core network elements (HSS, PGW/UPF). The ePDG's role is critical: it validates the UE's credentials, enforces policies, and ensures that all traffic from the untrusted access is properly encrypted and integrity-protected before entering the operator's trusted domain. This model allows operators to securely leverage vast, existing Wi-Fi infrastructure for data offloading and service continuity without compromising the security standards of their mobile core network.

Purpose & Motivation

The concept of UWAN was formalized to address the growing need for mobile operators to integrate ubiquitous, but inherently insecure, Wi-Fi networks into their service offerings. Prior to its standardization, Wi-Fi access was often handled as a completely separate, best-effort internet access with no integration with cellular services like IMS or seamless mobility. The problem was twofold: providing secure access that meets 3GPP's stringent authentication and confidentiality requirements, and enabling seamless service continuity between 3GPP and non-3GPP accesses. The creation of the UWAN/ePDG architecture in Release 8 (EPS) provided a standardized solution.

It solved the security problem by establishing a clear trust boundary. Instead of trying to secure the Wi-Fi link itself (which is often impractical on public hotspots), it assumes the worst case, that the access is untrusted, and mandates encryption and integrity protection between the UE and the ePDG at the edge of the operator's network. This protects against eavesdropping and manipulation on the Wi-Fi link. Furthermore, it enabled tight integration with the core network's subscription and policy framework (PCRF/PCF), allowing operators to apply the same billing, QoS, and access control policies regardless of whether the user is on LTE or Wi-Fi. This was a key motivator for creating a standardized, secure non-3GPP interworking framework, paving the way for features like Wi-Fi Calling and seamless offloading.

Key Features

  • Classification for non-3GPP IP access networks lacking inherent trust (e.g., public Wi-Fi)
  • Mandates use of an ePDG as a secure gateway and trust boundary
  • Requires UE to establish an IPsec/IKEv2 tunnel with the ePDG for all 3GPP traffic
  • Utilizes EAP-AKA/AKA' for strong UE authentication over the untrusted link
  • Enables integrated policy control and charging via interaction with PCRF/PCF
  • Provides a foundation for seamless mobility to/from trusted 3GPP access

Evolution Across Releases

Rel-13 Initial

Formally defined the Untrusted Wireless Access Network concept within the broader S2b interface architecture for non-3GPP access. Specified the mandatory use of the ePDG, the IPsec tunnel establishment procedures (SWu interface), and the integration with the EPC for authentication (SWm interface to 3GPP AAA) and policy control (Gxb interface to PCRF).

Defining Specifications

Specification   Title
TS 23.402       3GPP TS 23.402
TS 32.251       3GPP TR 32.251
TS 32.298       3GPP TR 32.298
TS 32.299       3GPP TR 32.299