Pdif Service - Cisco ASR 5000 series Product Overview

▀ Features and Functionality - Licensed Enhanced Feature Support

PDIF Service

The PDIF service and the processes associated with it define the PDIF itself. The PDIF service enables mobile stations
to interface with the PDIF.
The PDIF service configuration includes the following:
The IPv4 address for the service: This is the PDIF IP address to which the MS tries to connect. The MS sends
IKEv2 messages to this IP address and this address must be a valid address in the context. PDIF service will
not be up and running if this IP address is not configured.
The name of the crypto template for IKEv2: A crypto template is used to configure an IKEv2 PDIF IPSec
policy. It includes most of the IPSec parameters and IKEv2 parameters for keep-alive, lifetime, NAT-T and
cryptographic and authentication algorithms. There must be one crypto template per PDIF service. The PDIF
service will not be up and running without a crypto-template configuration.
The EAP profile name: This profile defines the EAP authentication methods.
Multiple authentication support: The multiple authentication configuration is a part of the crypto template.
IKEv2 and IPSec transform sets: These define the negotiable algorithms for IKE SA and CHILD SA setup to
connect calls to the PDIF/FA.
Configure the setup timeout value: The MS connection attempt is terminated if the MS does not establish a
successful connection within the configured value.
Mobile IP foreign agent context and foreign agent service: This defines the system context where mobile IP
foreign agent functionalities are configured.
Max-sessions: The maximum number of subscriber sessions allowed by this PDIF service.
PDIF supports a domain template for storing domain related configuration: The domain name is taken from
the received NAI and searched in the domain template database.
3GPP2 serving PCF address: This configurable specifies what value in the RADIUS attribute when sending
authentication and accounting messages.
Duplicate session detection parameters: PDIF supports either NAI (first phase authentication) or IMSI to be
used for duplicate session detection. This configuration specifies whether duplicate session detection is based
on IMSI or NAI. The default is NAI.
When the PDIF service is configured in the system with the IP address, crypto template, etc., the PDIF is ready to accept
IKEv2 control packets for establishing IKEv2 PDIF sessions.
There is a limit to the number of CHILD SAs supported by each PDIF service. Traditionally, other Cisco services limit
this to the number of subscriber sessions. The PDIF treats this as the number of CHILD SAs. This means that if each
subscriber establishes only a single CHILD SA, the limit will be equal to the number of subscriber sessions. During
CHILD SA rekeying, for a small duration of time, there are two CHILD SAs in the system. This is to make sure that
transient packets for the old CHILD SA are still processed (not dropped).
Multiple PDIF Services
The PDIF supports multiple PDIF services running simultaneously on the same ASR 5000. This feature enables
operators to configure PDIF services with different crypto templates to support multiple subscriber handsets and to set
per-service maximum session limits. The total number of sessions for all PDIF services running simultaneously on the
same ASR 5000 must fall under the PDIF session counting license limit.
▄ Cisco ASR 5000 Series Product Overview
Packet Data Interworking Function Overview
OL-22938-02