Aalto 2021 - Sessions 1 and 2
ELEC-E7230 – Mobile Communication Systems
Grading Policy
• Assignment
– Presentation of a scientific publication relevant to the
course – 30% of course grade
9/13/2021
Important Dates
• Lecture 1: Mon 13.09.21 12:15 - 14:00 (T. T.)
• Lecture 2: Fri. 17.09.21 12.15 – 14:00
• Lecture 2: Mon 20.09.21 12:15-14:00 (T. T.)
• Lecture 3: Mon 27.09.21 12:15 - 14:00 (T. T.)
• Lecture 4: Mon 4.10.20 12:15 - 14:00 (E. M.)
• Lecture 5: Mon 11.10.20 12:15 - 14:00 (E. M.)
• Lecture 6: Mon 18.10.20 12:15 - 14:00 (E. M.)
Important Highlights
• Reading Materials
– Materials for 4G and 5G
– Basics vs Advanced
Content
• Mobile Network Architectures Evolution
– MN Arch. Evolution: 2G to 3G
– 4G – Evolved Packet System
• Core NW Architecture & components
• Protocols
• 5G Network architecture
– 4G to 5G Migration
– 5G Architecture: Components & Interfaces
– 5G Mechanisms: Subset
– Network Slicing
• Network Function Virtualization
• Software Defined Networking
– Network Selection
• Evolved RAN: LTE, LTE-Advanced and LTE-Advanced Pro
(Callouts on the slide: “ELEC-E7311 SDN Fundamentals & Techniques”; “Last three sessions, by Edward”)
© Tarik TALEB 2021
Learning Outcome
ELEC-E7230 – Mobile
Communication Systems
Session I
Mobile Generations …
• 1G (~1980): The foundation of mobile telephony
• 2G (~1990): Mobile telephony for everyone
• 3G (~2000): The foundation of mobile broadband (“IMT-2000”)
• 4G (~2010): Further enhanced mobile broadband (“IMT-Advanced”)
https://www.youtube.com/watch?v=rP6Flfu42Qk
Mobile Network Architecture Evolution
[Figure: Partners of 3GPP. Surviving labels: MRP (requirements); specs contributed by individual members; Organisational Partners (EU, Japan, Korea, China, North America) referring to 3GPP specs for the local specs; cross reference of specs; terminal certification based on 3GPP specs.]
[Figure: 3GPP working groups. Surviving labels: WG4: Radio Performance, Protocol Aspects; WG4: Codec; WG6: Smart Card Application Aspects.]
• 2G or GSM/CS
– Voice communication
• narrowband, real-time, circuit switched
– WAP or HSCSD as extensions to enable data communications but limited success
• 3G or UMTS
– Built on WCDMA
• High peak data rates: 2Mbps
• Extended by HSDPA (Rel. 5), HSUPA (Rel. 6), and HSPA+ (Rel. 7)
– IMS as service control layer for PS core network
[Figure: 3G evolution timeline. Years on the axis: 1999, 2002, 2004, 2007, 2008, 2011. Technologies in order: UMTS (W-CDMA), HSDPA, HSUPA, HSPA+, LTE, LTE-Advanced.]
• UMTS: 2 Mbps
• HSDPA: DL: 14.4 Mbps, UP: 384 Kbps
• HSUPA: DL: 14.4 Mbps, UP: 5.7 Mbps
• HSPA+: DL: 28 Mbps, UP: 11 Mbps
Nomenclature (1)
Nomenclature (2)
GSM 2G Architecture
[Figure: GSM 2G architecture. Elements: 2G MS, BTS, BSC (GERAN: GSM EDGE Radio Access Network), MSC, VLR, GMSC, HLR, EIR, AuC, SMS-SC. External networks: PSTN, ISDN, PLMN, PSDN. Interfaces: Um, Abis, A, B, C, D, E, H. Signalling: SS7, ISUP (IAM), MAP/IS41 (over TCAP). Callouts: “Routing Info”; “Subscriber’s location? In case of roaming”.]
• Lower bit rates (14.4 kbps)
• Inefficient use of resources
2.5 G (GPRS)
• Higher bit rates (up to 170 kbps)
GPRS Architecture
[Figure: GPRS architecture. Elements: 2.5G MS, BTS, BSC, MSC, VLR, GMSC, HLR/HSS, EIR, AuC, PCRF, SGSN, GGSN. External networks: PSTN, ISDN, PLMN, PSDN (IP). Interfaces: Um, Abis, A, B, C, D, E, H, Gb, Gs, Gr, Gc, Gn, Gi, Gx, Rx. Signalling: SS7.]
Packet Data Protocol (PDP) context:
1) PDP type
2) PDP address (for MS)
3) Requested QoS
4) GGSN address
[Figure: the GPRS architecture with a 3G UE and RNC added. Additional interfaces: Uu, Iub, IuCS, IuPS.]
[Figure: the same architecture with Node B and a PSTN/CS-MGW added. Additional labels: Nb/Nc, A/IuCS, Gb/IuPS, ATM, SS7.]
• 3GPP accesses
• non-3GPP accesses
– Untrusted non-3GPP
• Requirement for a special gateway (evolved Packet Data
Gateway) for a secure access of UE to EPC
– Trusted non-3GPP
• ePDG not required
[Figures: EPS architecture with control plane and data plane. Elements: UE, E-UTRAN, MME, Serving Gateway, PDN Gateway, HSS, PCRF, SGSN (UTRAN, GERAN), Operator's IP Services (e.g. IMS, PSS etc.). Interfaces: LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S10, S11, S12, SGi, Gx, Gxc, Rx.]
• UE IP address allocation
• UE data anchoring
• Per user packet filtering
• Lawful interception
• Transport level packet marking
• Service level charging
• Service level gating control
• Rate enforcement based on
• Aggregate Maximum Bit Rate for an APN
• Accumulated Maximum Bit Rates of the
aggregate of service data flows with the same
guaranteed bit rate
• DHCPv4 & DHCPv6 functions
MME Functions
Evolved RAN
LTE UE Identifiers
• UE
– IMEI or MEID - Mobile Equipment Identifier
• Globally unique number identifying a physical piece of mobile station
equipment
• MEID allows hexadecimal digits while IMEI (Int’l Mobile Station
Equipment Identity) allows only decimal digits
• Only sent to MME (in NAS), not to eNB.
• Sent only after NAS security is set up (i.e., encrypted and integrity protected).
Initial Attach
http://www.netmanias.com/en/post/techdocs/6098/emm-initial-attach-lte/emm-procedure-1-initial-attach-part-1-cases-of-initial-attach
UE ID Acquisition
http://www.netmanias.com/en/post/techdocs/6098/emm-initial-attach-lte/emm-procedure-1-initial-attach-part-1-cases-of-initial-attach
Authentication
Location Update
http://www.netmanias.com/en/post/techdocs/6098/emm-initial-attach-lte/emm-procedure-1-initial-attach-part-1-cases-of-initial-attach
Some Nomenclature
[Figure: control-plane protocol stacks over LTE-Uu and S1-MME. UE: NAS, RRC, PDCP, RLC, MAC, L1. eNodeB (relay): RRC, PDCP, RLC, MAC, L1 towards the UE and S1-AP, SCTP, IP, L2, L1 towards the MME. MME: NAS, S1-AP, SCTP, IP, L2, L1.]
[Figures: EPS architecture showing NAS between UE and MME. Elements: UE, E-UTRAN, MME, Serving Gateway, PDN Gateway, HSS, PCRF, SGSN, GERAN, EIR, Operator's IP Services (e.g. IMS, PSS etc.). Interfaces: LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S10, S11, S12, S13, SGi, Gn/Gp, Gx, Gxc, Rx.]
EPS – Overview
• A-GW: Access gateway for Trusted non-3GPP access
• ePDG: Security GW for untrusted non-3GPP access
[Figure: EPS overview with non-3GPP accesses. Elements: UE, 3GPP Access, Serving Gateway, PDN Gateway, HSS, PCRF, 3GPP AAA Server, ePDG, A-GW, Trusted Non-3GPP Access, Untrusted Non-3GPP Access, Operator's IP Services (e.g. IMS, Internet), HPLMN, Non-3GPP Networks. Interfaces: S2a, S2b, S5, S6a, S6b, SGi, Gx, Gxa, Gxc, Rx, SWa, SWm, SWn, SWu, SWx, STa. Legend: PCC Interface, PMIP or GTP Interface, PMIP Interface, AAA Interface.]
PCC Evolution
• Background:
– Service-Based Local Policy (SBLP) for resource reservation
and access control within IMS
• Bearer-level QoS control
• Service level access control
– Further enhancement of SBLP in Rel. 6
– Introduction of Flow-Based Charging (FBC) in Rel. 6
• Per-service charging: offline and online models
• Per-service/content access control
– Similarities between SBLP and FBC
• Centralized
• Same anchor points: AF and GGSN
– Merging SBLP and FBC in Rel. 7 ➔ PCC
– Continuous enhancements of PCC in Rel. 8 and beyond
• Objectives:
– Support of IP services’ QoS
– Charging subscribers for used resources
[Figures: PCC architecture. Elements: PCRF, AF, Operator's IP Services (e.g. IMS, Internet), Serving Gateway (MAG, BBERF), PDN Gateway (LMA, PCEF), ePDG (MAG), A-GW (MAG, BBERF), 3GPP AAA Server, OCS, OFCS, 3GPP Access, Trusted Non-3GPP Access, Untrusted Non-3GPP Access, UE. Interfaces: Sp, Gx, Gxa, Gxc, Rx, Gy, Gz, S2a, S2b, S5, S6a, S6b, SGi, SWa, SWm, SWn, SWu, STa.]
PCEF: Policy and Charging Enforcement Function
BBERF: Bearer-Binding and Event-Reporting Function
OCS: Online Charging System
OFCS: OFfline Charging System
SPR: Subscription Profile Repository
• Items related to service data flow detection in PCEF
– Service data flow template: List of packet filters for the detection of the service data flow
– Precedence: Determines the order in which the service data flow templates are applied at PCEF
• Items related to policy control (i.e. gating and QoS control)
– Gate status: Indicates whether a SDF may pass (gate open) or shall be discarded (gate closed)
– QoS class identifier (QCI): Identifier that represents the packet forwarding behavior of a flow
– UL and DL maximum bit rates: The maximum bitrates authorized for the service data flow
– UL and DL guaranteed bit rates: The guaranteed bitrates authorized for the service data flow
• Items related to charging control
– Charging key: The charging system uses the charging key to determine the tariff to apply for the service data flow
– Charging method: Indicates the required charging method for the PCC rule. Values: online, offline, or no charging
– Measurement method: Indicates whether the SDF data volume, duration, combined volume/duration or event shall be measured
• Gating Control:
– Blocks or allows Service Data Flows (e.g. based
on indicators from AF)
• QoS Control:
– Provides PCEF with authorized QoS class and
bit rates for IP flows
• Charging Control:
– Online charging
– Offline charging
– NO charging
• On-Path Model:
– without BBERF in access gateway (in case of
GTP)
– QoS/bearer signaling (using GTP) on the same
path as user plane
• Off-Path Model:
– with BBERF in access gateway (in case of PMIP)
– QoS signaling (using Gxa/Gxc) on a path different
from that of user plane
[Figure: bearer binding with GTP-based S5. Labels: 3G UE, Application, Application Signaling, AF, 3GPP Access, Access Gateway, Serving Gateway, PDN Gateway (PCEF), Operator's IP Services (e.g. IMS, Internet), Gx, Rx, S5, SGi, Activate/modify bearer, Bearer Binding.]
[Figure: PMIP-based S5. Labels: 3G UE, 3GPP Access, Serving Gateway (BBERF), PDN Gateway (PCEF), PCRF, AF, Operator's IP Services (e.g. IMS, Internet), Sp, Gx, Gxc, Rx, S5, SGi, Network Access Info.]
Bearer binding
[Figure: EPS bearer across UE, eNB, Serving GW and PDN GW with GTP-based S5/S8, below the Application / Service Layer. The UE classifies UL packets with the UL-TFT (UL-TFT → RB-ID); the PDN GW classifies DL packets with the DL-TFT (DL-TFT → S5/S8-TEID); DiffServ marking is applied for the TNL QoS on the IP transport leg. Bearer segments: Radio Bearer (RB-ID), S1 Bearer (S1-TEID), S5/S8 Bearer (S5/S8-TEID).]
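Bearer Binding
[Figure: filter evaluation order for incoming DL packets. A packet is checked against the filter of Bearer #1, then Bearer #2, then Bearer #3; on “No match” evaluation moves to the next filter, and a packet that matches no filter is discarded.]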
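The evaluation order in the figure, combined with the precedence and gate status fields of the PCC rule, as an added example that is not part of the original slides. The rule names, addresses and bearer names are constructed, packet filters are reduced to remote prefix, protocol and remote port, and a lower precedence value is assumed to be evaluated first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PacketFilter:
    """Simplified SDF filter: remote prefix, IP protocol, remote port (None = any)."""
    remote_net: str
    proto: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # For a DL packet the remote end is the source address/port.
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.remote_net):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        return self.remote_port is None or pkt["sport"] == self.remote_port

@dataclass(frozen=True)
class PccRule:
    name: str
    precedence: int      # assumption: lower value is evaluated first
    filters: tuple       # service data flow template
    gate_open: bool      # gate status
    qci: int
    bearer: str          # bearer the rule is bound to

def classify_downlink(rules, pkt):
    """Return (verdict, rule name, bearer) for one DL packet at the PCEF."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if any(f.matches(pkt) for f in rule.filters):
            if not rule.gate_open:
                return ("discard", rule.name, None)    # gate closed
            return ("forward", rule.name, rule.bearer)
    return ("discard", None, None)                     # no filter matched

# Constructed rule set (documentation address ranges)
RULES = [
    PccRule("internet", 255, (PacketFilter("0.0.0.0/0"),), True, 9, "default"),
    PccRule("ims-voice", 10, (PacketFilter("198.51.100.0/24", 17),), True, 1, "dedicated-1"),
    PccRule("blocked-video", 20, (PacketFilter("203.0.113.0/24", 6, 443),), False, 9, "default"),
]
```

Because the match-all rule carries the highest precedence value, the closed gate on `blocked-video` is reached before it; listing order in `RULES` does not matter.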
Service/Subscriber Differentiation
Subscriber differentiation
- Business vs. standard
- Post- vs. pre-paid roamers
- Privileged (e.g. police)
- Flat rate abusers
Service differentiation
- Public internet
- Corporate (VPN)
- Premium content
- P2P file sharing
- Video streaming
- IMS voice
- Mobile-TV
Total edge-to-edge (terminals <--> gateway) transmission capacity
EPS QoS Concept
• Bearer types
– GBR vs. non-GBR bearers
– Default vs. Dedicated Bearers
• QoS Parameters
– QCI: QoS Class Indicator
• 1 to 9:
• QCI = 1 ➔ Resource Type = GBR, Priority = 2, Packet Delay Budget = 100ms, Packet Error Loss Rate = 10^-2, Example Service = Voice
• QCI = 9 ➔ Resource Type = Non-GBR, Priority = 9, Packet Delay Budget = 300ms, Packet Error Loss Rate = 10^-6, Example Service = Internet
– ARP: Allocation and Retention Priority
• In 4G, ARP priority level (PL) values range from 1 through 15, where 1 corresponds to the highest priority and 15 corresponds to the lowest priority.
• Used to accept or reject a bearer request when resources are limited
– MBR: Maximum Bit Rates
– GBR: Guaranteed Bit Rate
• QoS Mechanisms
– Control Plane Signaling Procedures
– User Plane Functions
– Packet-Flow-Level Functions
– Bearer-Level Functions
– DSCP-Level Functions
DSCP: Differentiated Service Code Point
Bearer Types
• Guaranteed bit-rate (GBR) bearer:
– Established “on demand”
– No congestion-related packet losses
– Suitable for services tolerating “service blocking over service dropping”
• Non-GBR bearer:
– No resources blocked
– May experience packet losses
• Default bearer:
– One default bearer per terminal IP address
– For basic connectivity.
– non-GBR
– QoS level depending on subscription data
– Not associated with any specific packet filter
• Dedicated bearer:
– Either non-GBR or GBR
– Packet flows mapping onto dedicated bearers based on operator
policies
QoS Parameters
• QoS Class Identifier (QCI):
– a reference to node-specific pre-configured parameters that control
packet-forwarding treatment at the user plane
QoS Mechanisms
- Control Plane Signaling Procedures -
[Figure: the Policy Controller (PCRF) establishes/modifies a packet flow, supplying UL filters, DL filters, QCI, ARP, MBR and GBR (opt.). Two levels are shown: packet data flow level and transport level.]
QoS Mechanisms
- User-Plane Functions -
[Figure: user-plane QoS functions across Terminal, LTE RAN, Transport and Gateway.]
• Functions operating per packet flow: packet inspection, UL+DL packet flow policing
• Functions operating per bearer: UL packet filtering, DL packet filtering, GBR/ARP admission, ARP admission, ARP preemption, rate policing, queue management, UL+DL scheduling, L1/L2 configuration, Map QCI to DSCP
• Functions operating per DSCP: queue management, UL+DL scheduling
DSCP vs QCI
[Figure: three services mapped across the network: Service 1 (e.g. Internet), Service 2 (e.g. P2P file sharing), Service 3 (e.g. VoLTE).]
[Figure: Terminal, RAN and Network: “Initiate dedicated bearer (QoS info)”.]
[Figure: network-initiated QoS across Terminal, LTE RAN, Transport and Gateway. The client application talks to the application function (IMS CSCF), which passes flow detection and information to the Policy controller (PCRF). The PCRF uses subscription data and service policies (subscriber groups, volume quota, time of day, QoS per service, etc.) and provides QoS parameters and UL/DL packet filters for the IP address. Example services: Internet, IMS-voice.]
Security:
Authentication
TS 33.401 – LTE Security
TS 33.102 – 3G Security
Authentication in brief
• Authentication
– Establishing or confirming something (or someone) as authentic
– Mutual authentication means the network authenticates the user and the user authenticates the network
User Authentication
[Figure: GSM authentication. The network generates triplets (RAND, SRES, Kc) from Ki using A3 and A8 and sends the challenge RAND. The MS computes the signed response RES and Kc from Ki and RAND using A3 and A8. The network checks RES = SRES? Kc is used for encryption between MS & NW using A5.]
Challenge/response-based one-way authentication using long-term shared key between user's SIM card and NW
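The triplet exchange summarised above, as an added example that is not part of the original slides. HMAC-SHA-256 is a stand-in for the operator-specific A3 and A8 algorithms, and the keys used to call these functions are constructed sample values.

```python
import hashlib
import hmac
import secrets

def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit signed response from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit ciphering key Kc from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def generate_triplet(ki: bytes, rand: bytes = None):
    """Home network: produce one (RAND, SRES, Kc) triplet from the stored Ki."""
    rand = secrets.token_bytes(16) if rand is None else rand
    return rand, a3(ki, rand), a8(ki, rand)

def sim_respond(ki: bytes, rand: bytes):
    """SIM: answer a challenge with (RES, Kc).

    One-way: nothing in the challenge lets the SIM verify who sent RAND.
    """
    return a3(ki, rand), a8(ki, rand)

def network_verify(triplet, res: bytes) -> bool:
    """Serving network: RES = SRES? It holds the triplet, never Ki itself."""
    _rand, sres, _kc = triplet
    return hmac.compare_digest(res, sres)

def run_authentication(ki_network: bytes, ki_sim: bytes):
    """Return (user authenticated, both sides hold the same Kc for A5)."""
    triplet = generate_triplet(ki_network)
    res, kc_sim = sim_respond(ki_sim, triplet[0])
    ok = network_verify(triplet, res)
    return ok, ok and kc_sim == triplet[2]
```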
[Figure: LTE security domains. Elements: HSS, P-GW, S-GW, MME, eNB. Labels: RRC Connection, NAS Connection, User Domain Security, Network Access Security.]
[Figure: LTE key hierarchy and where the keys are used. K is shared between the UE and the HSS side (S6a); Kasme is held by the UE and the MME; KeNB is held by the UE and the eNB. CK, IK protect SRB-0, SRB-1, SRB-2 and NAS signalling (S1-MME, GTPC-1); CK protects Data Radio Bearer-10 (GTP-U-10). Legend: Encrypted Info; Integrity Protected Info.]
ASME: Access Security Management Entity (MME)
CK, IK: Ciphering Key, Integrity Protection Key
LTE AKA
[Figure: LTE AKA message flow between UE, MME and HSS. The USIM function takes K, SQN, RAND and AUTN and produces RES, CK and IK; the HSS side produces XRES, CK, IK and AUTN from K, SQN and RAND; a KDF with inputs including SQN, VPLMN and IMSI appears on both sides.]
• Authentication data request (IMSI, VPLMN, Network Type = E-UTRAN)
• Generate authentication vectors AV(1..n)
• Authentication data response
• Store authentication vector
• Select authentication vector AV
• Security Mode Command: used to derive NAS keys from Kasme
[Figure: USIM computation. Inputs: K, SQN, AK. Functions f1, f2, f3, f4 produce XMAC, RES, CK, IK.]
Verify that SQN is in the correct range
• USIM keeps track of last SQN received, SQNms
• USIM only accepts a sequence number from HSS if |SQN – SQNms| < D
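The USIM-side checks above (XMAC comparison, then the SQN range test), as an added example that is not from the original slides. HMAC-SHA-256 stands in for f1 to f4 and for f5, the function that derives AK in TS 33.102; the window D, the AMF value and the extra requirement that SQN be larger than SQNms are assumptions of the example.

```python
import hashlib
import hmac

D = 1 << 28                      # assumed acceptance window for |SQN - SQNms|

def f(n: int, k: bytes, data: bytes, length: int) -> bytes:
    """Stand-in for f1..f5 (real USIMs use MILENAGE or TUAK)."""
    return hmac.new(k, bytes([n]) + data, hashlib.sha256).digest()[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hss_make_challenge(k: bytes, rand: bytes, sqn: int, amf: bytes = b"\x80\x00"):
    """HSS side: AUTN = (SQN xor AK) || AMF || MAC. AMF is a sample value."""
    sqn_b = sqn.to_bytes(6, "big")
    ak = f(5, k, rand, 6)
    mac = f(1, k, sqn_b + rand + amf, 8)
    return rand, xor(sqn_b, ak) + amf + mac

def usim_authenticate(k: bytes, sqn_ms: int, rand: bytes, autn: bytes):
    """USIM side. Returns (status, result); result is (RES, CK, IK, new SQNms)."""
    if len(autn) != 16:
        return "malformed", None
    concealed, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn_b = xor(concealed, f(5, k, rand, 6))          # recover SQN with AK
    xmac = f(1, k, sqn_b + rand + amf, 8)
    if not hmac.compare_digest(xmac, mac):            # network not authentic
        return "mac_failure", None
    sqn = int.from_bytes(sqn_b, "big")
    # Slide: accept only if |SQN - SQNms| < D. Assumption added here:
    # SQN must also be newer than SQNms, so a replayed AUTN is rejected.
    if sqn <= sqn_ms or abs(sqn - sqn_ms) >= D:
        return "sync_failure", None
    res, ck, ik = f(2, k, rand, 8), f(3, k, rand, 16), f(4, k, rand, 16)
    return "ok", (res, ck, ik, sqn)
```

The caller stores the returned SQN as the new SQNms only on `"ok"`, which is what makes a second presentation of the same AUTN fail.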
[Figure: key chaining at handover. Surviving labels: Kasme, KeNB_1, NH_1 with NCC=1, NH_2 with NCC=2, Handover Required.]
• UE checks NCC value to be correct
• UE computes NH_2 using function f2.
• UE computes KeNB_2 using function f1
PCI: Physical Cell Identity
EARFCN-DL: E-UTRAN Absolute Frequency Channel – DL
NH: Next Hop Parameter
NCC: NH Chaining Counter
• Authentication in GSM
– Challenge response based
– One-way
– Long term key
Overall Summary
• Legacy Networks:
– GSM
– GPRS
– UMTS
• System Architecture Evolution
– Background & requirements
– Motivation
– Basic principles
– Network elements and high level functions
– Attach procedure
– EPC Protocols
• Architectural enhancements for E-UTRAN and interoperability with 3GPP and non-3GPP accesses
– Interoperability Mobility and handover management
– Policy Control and Charging (PCC)
– QoS Provisioning
– Security (Authentication) & its evolution
Main References:
• 3GPP Technical Specifications 23.401
• 3GPP Technical Specifications 23.402
• TS 33.401 – LTE Security
• TS 33.102 – 3G Security