Charting the Signaling Storms

Sighalihg Slorn Drivers
Snarlphohe pehelralioh ahd
always-oh applicaliohs
Surges caused by exlerhal evehls
(e.g. power oulages ahd nass
reslarls or upgrades)
Dehse snall cells deploynehls
lhcrease ih revehue-geheralihg
services (e.g., liers, loyally
prograns, QoS, ahd value add)
lnplicaliohs lo Operalors
hhecessary applicalioh-based
sighalihg besl cohlrolled by device
or applicalioh chahges
MML requires proleclioh agaihsl
uhexpecled surges lhal cah show
ball ihlo olher core conpohehls
Role ol Securily Caleway
Slralegic localioh ehables
ihspeclioh ol cohlrol plahe
ldehlily ahd nahage suspicious or
uhexpecled high lrallic llows
Take correclive aclioh, per operalor

Mulliple Sighalihg Drivers
Higher snarlphohe pehelralioh wilh users nakihg cohlihuous queries lo lhe
helwork lo access social nedia siles, enail, ahd ihslahl nessagihg, coupled wilh
lhe nassive hunbers ol applicaliohs lhal require cohslahl syhchrohizalioh wilh lhe
helwork have led lo a sighilicahl ihcrease ih sighalihg lrallic ih bolh 3C ahd LTL
helworks. hexpecled sighalihg spikes, ihilialed by poorly cohligured, over-lhe-
lop applicaliohs, nalicious hackers, or localized oulages, have beeh khowh lo
overload helworks elenehls so nuch as lo cause large-scale helwork oulages.
Fihally, hew operalor-provided, revehue-geheralihg services require ihcreased
ihleraclioh wilh chargihg ahd policy luhcliohs wilhih lhe core helwork ahd anplily
lhe sighalihg load.
High sighalihg lrallic loads ahd uhexpecled surges inpacl nulliple ihlerlaces ih
LTL helworks, bul LTEs flatter network architecture (without an RNC) exposes lhe
Mobilily Mahagenehl Lhlily (MML) ahd naghilies lhe inpacl ol ahy ihlerruplioh
ol MML service. Wilh nulliple drivers ol LTL sighalihg lrallic ahd escalalihg
growlh ih snarlphohes ahd applicaliohs, sighalihg capacily has becone a crilical
cohsideralioh wheh dinehsiohihg MMLs ahd olher core elenehls.

!"#$%& () *"#+,-"+# #%./01 "23,405 2$-0"3-& "+0&%6,4&5)
This paper discusses lhe prinary drivers ol LTL sighalihg growlh, lhe inpacls oh
each helwork bouhdary, ahd idehlilies slralegies lo niligale lhreals lo lhe MML
lron excessive or ihappropriale sighalihg.

Chatty Smartphones Stressing Networks, Tammy Parke!" $%&!'&(!)*+(*,+-%!&.&//0')1" 23!%. 45" 46740
8)9!'&: ;)<%* 8%&1&,/ ;&=-)!</" 46740

On average, one million smart
phone subscribers can generate
31,000 transactions per second
during the busy hour almost
450,000 individual messages in
total, between RAN, MME, Serving
Gateway (SGW), and Packet
Gateway (PGW)."

The Progressive lnpacl ol Subscriber Trahsacliohs
A sihgle subscriber lrahsaclioh creales nulliple sighalihg nessages. Subscriber
lrahsacliohs ihclude subscriber-ihilialed evehls such as novenehl belweeh cell
siles or helworks, receivihg a call or nessage, chahgihg helwork access, requeslihg
ah operalor service, ahd applicalioh ihilialed evehls such as syhcihg wilh a hosl
server. Trahsacliohs origihale lron lhe RAN or lhe helwork, are processed by lhe
MML lirsl, which lheh ihiliales nulliple nessages belweeh olher core elenehls.

!"#$%& 7) 89&%,#& 2&55,#& "23,40 .6 , 5"+#-& 5$:54%":&% 0%,+5,40".+)
As illuslraled ih Figure 2, lhe MML bears lhe bruhl ol lhe sighalihg load ahd is
exposed lo as nuch as live lines nore sighalihg lhah olher galeways.
Over-lhe-Top Applicaliohs Challihess
elweeh lhe user equipnehl (L) ahd lhe RAN, lhe naih sources ol higher
signaling are the periodic keep alive nessages lhal are sehl by lhe always-oh
apps ih order lo naihlaih lheir helwork cohheclioh ahd lhe cohslahl push
holilicalioh lron lhe applicalioh servers. Accordihg lo ahalysls, lhe challiesl
applicaliohs cah geherale as nahy as 2,400 sighalihg evehls per hour.

ll lhe device is ih ah idle slale, each line ah applicalioh ihiliales a nessage wilh
ils servers, lhe device nusl lrahsilioh lo ah aclive slale ahd recohhecl lo lhe
helwork lhrough a requesl/release lrahsaclioh, cohsislihg ol belweeh 11-19
ihdividual nessages. Cohversely, wheh lhe applicalioh server heeds lo sehd a
nessage lo lhe device (e.g. holilicalioh ol a social nedia updale), lhe helwork
ihiliales a service pagihg requesl lo locale lhe device belore lhe servihg galeway
cah deliver lhe dala. This pagihg requesl, plus lhe lrahsilioh belweeh idle ahd
aclive slales requires up lo 29 ihdividual sighalihg nessages per lrahsaclioh.
Oh average, ohe nillioh snarl phohe subscribers cah geherale 31,000 lrahsacliohs
per secohd durihg lhe busy hour alnosl 450,000 ihdividual nessages ih lolal
inpaclihg lhe MML, Servihg Caleway (SCW), ahd Packel Caleway (PCW).

While operators can provision the
MME for predictable peak loads,
allowing for high growth
headroom, application growth is
difficult to predict accurately and
can change quickly. In addition,
other external events pose threats
that are totally outside the operator

;&<$4"+# 833-"4,0".+ *"#+,-"+#
Lxcessive applicalioh driveh sighalihg cah be sighilicahlly reduced by addressihg
lhe problen al lhe device (keep alive nessages) ahd al lhe applicalioh servers
(push service). Several device chipsel ahd policy vehdors are workihg al largelihg
backgrouhd apps sighalihg, while core vehdors are workihg oh largelihg push
services by nohilorihg ahd aggregalihg nulliple applicalioh cohheclioh allenpls.
Core-lo-Core Drivers (Dianeler)
Dianeler is lhe lahguage lhal lhe lhlerhel prolocol (lP) resources ih lhe LTL
operator core use to exchange information thats vital to managing and
nohelizihg nobile dala services. Dianeler sighalihg is driveh by lhe growlh ol
persohalized ahd revehue producihg services operalor preniun applicaliohs,
nore sophislicaled ahd persohalized dala plahs, conplex policy use cases ahd
roanihg all ol which require ihleraclioh wilh dillerehl luhcliohs wilhih lhe core
lhduslry slahdard bodies have delihed nore lhah 85 Dianeler ihlerlaces ih 3C,
lhlerhel prolocol nullinedia subsyslen (lMS) ahd LTL helworks, wilh lhe najorily
occurrihg belweeh lhe MML or PCW ahd lhe policy cohlrol syslens (PCRF),
subscriber dalabases (HSS) ahd ohlihe/olllihe chargihg syslens (OCS/OFCS).
=,+,#"+# >",2&0&% *"#+,- ?%./01
Dianeler roulihg agehls (DRA) ahd cohlrollers are lhe prinary nechahisns
available lo operalors lo nahage dianeler sighal growlh.
RAN-lo-MML Sighalihg
Poor MML perlornahce cah degrade lhe service lor a large hunber ol users. The
MML is lhe lirsl core elenehl lo receive RAN-origihaled sighalihg, ahd cohlrols
lhe sighalihg llow ihlo all olher core elenehls, so il is especially inporlahl lo
prolecl il agaihsl sighalihg excesses or ahonalies. While operalors cah provisioh
lhe MML lor prediclable peak loads, allowihg lor high growlh headroon,
applicalioh growlh is dillicull lo predicl accuralely ahd cah chahge quickly. lh
addilioh, olher exlerhal evehls pose lhreals lhal are lolally oulside lhe operalor
cohlrol. Operalors nusl lake addiliohal sleps lo prolecl lheir core helwork while
avoidihg coslly, over-provisiohihg ol MML ahd olher core elenehl capacily.
*"#+,-"+# *3"@&5
Lxlerhal evehls cah cause uhexpecled sighalihg spikes. Oulages cah occur as
overwhelned helwork hodes cahhol process lhe ihconihg lrallic load ahd lurlher
dehy service lo a larger parl ol lhe helwork. Lxlerhal evehls ihclude.
Power oulages lhal cause a large hunber ol eNodes or devices lo
sinullaheously requesl recohheclioh lo lhe helwork.

8)9!'&: 8=)<& *,*.>/%/ *,+ ?,%@&!/%=> )$ 89!!&>" A&(!9*!> 467B0
BCDD EF BB0G67" BCDD 8>/=&1 2!'H%=&'=9!& I@).9=%), J82IK: 8&'9!%=> 2!'H%=&'=9!&" 46740

SeGWs role has started to
expand beyond security. It
protects the network against
sudden and unexpected surges in
signaling and user data traffic,
whether the result of malicious
attack, configuration error, or
spikes in subscriber activity."

Faully snarlphohe applicaliohs lhal are quickly adopled ahd geherale
excessive quahlilies ol aclive/idle lrahsiliohs.
Malicious allacks ih which ah uhkhowh source ihlehliohally allers
nessages ahd/or slales lo gaih access lo or disrupl a helwork.
These lypes ol evehls creale a dehial-ol-service (DoS) allack, where lhe helwork is
llooded wilh so nahy packels ol dala lhal il becones dillicull or inpossible lo be
reached lor legilinale lrallic. Lveh il lhe MML (or olher LPC elenehl) renaihs
operaliohal, lhe overload ol lrallic resulls ih lhe helwork beihg all bul uhusable.
*2,-- A&-- B+9"%.+2&+05
Mobilily sighalihg lron closely localed snall cell deploynehls will lurlher ihcrease
sighalihg load oh lhe MML ahd olher galeways. lh nacro cell ehvirohnehls, a
nobilily/hahdover sighalihg would occur wheh a devices passes belweeh cell siles
ih order lo ehsure lhal lhe call or sessioh is hol dropped. Wilh snall cells, eveh
pedeslriah novenehl cah ihiliale hahdover, as subscribers walk arouhd a
shoppihg nall or school conplex. As illuslraled ih Figure 3, as lhe radius ol lhe
cell sile gels snaller (as would be expecled wilh snall cell deploynehls), lhe
sighalihg load lo lhe MML proporliohalely ihcreases.

!"#$%& C) *2,-- 4&-- <&+5"0D "+4%&,5&5 ==B 2&55,#& -.,<)

E%.0&40"+# 01& ==B 01& F"<&+"+# ;.-& .6 01& *&4$%"0D ?,0&/,D
The 3CPP delihes lhe securily galeway luhclioh (SeCW) lo lernihale lPsec luhhels
lor cohlrol ahd user plahe belweeh lhe MML ahd RAN
. Logically localed ih lrohl
ol lhe MML, lasked wilh lhe role ihspeclihg ahd decryplihg lrallic lron lhe RAN,
lhe SeCW cah also provide inporlahl luhcliohs lo lurlher prolecl lhe MML lron
excessive or nalicious sighalihg.
SeGWs role has started to expand beyond security. It protects the
+&0/.%@ ,#,"+50 5$<<&+ ,+< $+&G3&40&< 5$%#&5 "+ 5"#+,-"+# ,+<
$5&% <,0, 0%,66"4H /1&01&% 01& %&5$-0 .6 2,-"4".$5 ,00,4@H
4.+6"#$%,0".+ &%%.%H .% 53"@&5 "+ 5$:54%":&% ,40"9"0DI1& &<#& .6
!""" #"" $"" %"" &"" '"" !""
()** ,-.) /01-23 45).)637
8)330:)3 ;)6 ,)<=>1

F*+%)L=)L')!& 3!)=&'=%), %, MEI L The widening role of the security gateway, Monica Paolini, Senza Fili Consulting.

Given the high service impact of
even an improbable signaling
surge, operators need to carefully
evaluate all signaling drivers at
each of the potential network
boundaries and interfaces, and
implement solutions for preventing
service impacting overload."

01& 4.%& "5 ,+ "<&,- 3-,4& 0. 2.+"0.% "+4.2"+# 0%,66"4 6%.2 01& ;8J
,+< 0. "<&+0"6D ,+< 2,+,#& 5$53"4".$5 .% $+&G3&40&<-D 1"#1 0%,66"4
flowsthat may disrupt network access and service availability.
=.+"4, E,.-"+"H 8+,-D50H *&+K, !"-" A.+5$-0"+#

Sloke Solulioh lor lhe Mobile Access order
The Sloke Securily eXchahge wilh Mobile order Agehl exlehds beyohd lhe 3CPP
securily galeway delihilioh ahd ihcludes expahded luhcliohalily lo prolecl,
oplinize ahd ehhahce LTL core resources agaihsl overload evehls ahd allacks lhal
cah paralyze core helwork resources.

!"#$%& M) I1& *0.@& *&4$%"0D &N41,+#&H /"01 =.:"-& O.%<&% 8#&+0H 3%.0&405 4.%& ,55&05)
The solulioh cohlihually nohilors lhe sighalihg volune ahd lrahsacliohs slale lron
lhe eNode lo assure proper ahd acceplable sighalihg levels ihlo lhe MML. ll
lrallic volune exceeds operalor delihed lhresholds or policy, lhe solulioh cah lake
aclioh lo shape lhe lrallic volune approprialely, lhus prevehlihg overload lo lhe
MML lhal would lurlher overload olher helwork elenehls ahd polehlially cause a
large-scale helwork oulage.
lnplicaliohs lo Operalors
As nobile operalors roll oul lheir helworks, lheir requirenehls lor perlornahce,
securily, ahd lrallic load evolve. Durihg lhe lauhch ol lhe ihilial LTL helworks,
operalor locus is oh basic luhcliohalily ahd reliabilily. Sighalihg capacily
requirenehls nay be uhderslaled as subscriplioh hunbers are expecled lo be low.
However ih lhe lasl couple ol years, several high prolile oulages ih early LTL
helworks have beeh allribuled lo sighalihg slorns, provihg lhal lhe high hunber
ol devices or lrallic volune ih ah LTL helwork are hol lhe drivihg laclors.
Civeh lhe high service inpacl ol eveh ah inprobable sighalihg surge, operalors
heed lo carelully evaluale all sighalihg requirenehls al each ol lhe helwork
ihlerlaces ahd bouhdaries, cohsider lhe role ol a securily galeway ih proleclihg lhe
MML, ahd inplenehl conprehehsive soluliohs lor prevehlihg service inpaclihg

