Huawei LTE EPS End To End IP Protocol Analysis

EPS End to End IP Protocol Analysis P-1
Confidential Information of Huawei. No Spreading Without

Permission

Permission

Permission

Permission
 A discussion based opening

Permission
 E-UTRAN consists of a group of eNodeB.

 EPC consists of MME and S-GW

Permission
 There are 3 types of traffic flow:

 Signaling flow
 User traffic flow
 eNodeB O&M traffic flow

Permission
 Transmission network: Use MPLS (PWE3) technology which is a static Layer 2

service backhaul technology
 IP backhaul : Uses the IP/MPLS technology and provides the dynamic L2/L3 service
packet function and an open mechanism, which can be used to transmit integrated
services.

Permission

Permission
 IP Network

Permission

Permission
 The TCP/IP protocol stack is a set of communication protocols consists of two most
important protocols: the Transmission Control Protocol (TCP) and the Internet
Protocol (IP) . The TCP/IP protocol stack ensures the communication between
network devices. It is a set of rules that define how information is delivered in the
network.

Permission
 Header will be added at different layer.

Permission
 Protocol structure is based on TCP/IP protocol.

 The upper part is referred to signaling protocol structure while the bottom part is
referred to user plane protocol structure.
 MPLS protocol is applied in transmission backhaul network.

Permission
 Protocol structure is based on TCP/IP protocol.

 The upper part is referred to signaling protocol structure while the bottom part is
referred to user plane protocol structure.

Permission

Permission
 Precaution: Will increase CPU load if tracing is performed from eNodeB, MME,
Router/ Switch
 This part mainly to discuss the methods on collecting the IP messages from different
points in the network, eg: UE, eNodeB, router/ switch, etc.
 By analyzing the trace result from different points can help to identify the network
problem.

Permission
 WEBLMT is through eNodeB.

 Wireshark is a network tool that very commonly used in the industry.

Permission
 Example trace by using Wireshark

Permission

Permission

Permission
There are three method collecting eNodeB trace which are:

1. Port mirroring and wireshark
2. WEBLMT
3. U2000
Basically we can trace all the messages if we are using the first method which is Port
mirroring and wireshark. The trade off is more complicated.
While WEBLMT is suitable on collecting the MAC layer trace and PNP messages.
U2000 can be used on collecting IP layer messages.
Tracing can be performed from U2000 if the eNodeB O&M channel is available.

Permission
 STR PORTREDIRECT: SN=7, SBT=BASE_BOARD, SRCPN=1, DSTPN=0,

TIMEOUT=60, REASON="tracing";

Permission
 Details on how to analyse the messages will be discussed in next chapter.

Permission

Permission
 What is the purpose of ARP messages? Will be discuss in following slides.

Permission

Permission

Permission

Permission
1. Log in to the server as user ossuser in SSH mode using PuTTY. In the ATAE cluster system
or Sun-based SLS system, log in to the server on which you need to collect NE information.
2. Run the following command to switch to user root.
~> su - root
Password: Password of root
3. Run the following command to execute the environment variables.
# . /opt/oss/server/svc_profile.sh
4. Run the following command to execute the script.
# cd /opt/oss/server/rancn/bin/
# ./CapturePacketHelp.sh NEIP
5. After the execution of this script is complete, the command start with tcpdump or snoop is
displayed. The command started with "tcpdump" or "snoop" is used to collect NE information.
Tcpdump is for Linux OS while snoop is for Solaris OS.
6. Type the displayed NE information collection command and press Enter. In the Sun-based
system where IPMP load balancing has been implemented, two screens need to be opened to
run the two commands simultaneously.
7. Press Ctrl+C to stop the command and run the following command to modify the permissions
to the generated file.
# cd /export/home/omc/var/logs/
# chmod 775 U2000_packets*.cap
# chown ossuser:ossgroup U2000_packets*.cap
8. Log in to the server using the FTP tool to obtain the .cap file and view the NE information
collection result. The .cap file is saved under the /export/home/omc/var/logs directory.

Permission

Permission

Permission

Permission
 Address Resolution Protocol (ARP)

 MAC address is obtained through ARP negotiation
 In order for the devices to be able to communicate, ARP is used to map IP address to
the hardware address, also known as Media Access Control (MAC) address

Permission
 ARP performs the address resolution as follows:

 ARP request: Host A knows only the IP address rather than the MAC address of Host
B. Host A broadcasts an ARP request for the MAC address of Host B.
 ARP response: All the other hosts on the network including Host B receive the
broadcaster ARP request. The destination IP address of the packet is Host B.
Therefore, only Host B responds to the ARP request. Host B sends an ARP reply,
which carries its MAC address, to Host A. After receiving the ARP reply, Host A can
communicate with Host B by using this MAC address.
 Each host has a high-speed ARP cache, which is the key to efficient ARP operations.
This cache stores the latest mappings between IP addresses and MAC addresses.
Before sending a packet, the sender searches the cache for the MAC address
mapping to the target IP address. If the cache contains the mapped MAC address, the
sender sends the packet to the host with this MAC address without broadcasting an
ARP request. If the cache does not contain the mapped MAC address, the sender
broadcasts an ARP request.

Permission
 Proxy ARP is used to interconnect computers or routing devices in the same network
segment but on different physical networks.
 If a router not enabled with Proxy ARP receives an ARP request, the router
checks whether it is the destination. If yes, the router responds with an ARP
reply. If no, the router discards the ARP request.
 If a router enabled with Proxy ARP receives an ARP request whose
destination is not the router itself, the router queries the routing table instead of
directly discarding the request. If the router has a route to the destination, the
router responds to the ARP request sender with an ARP reply carrying its own
MAC address. The ARP request sender sends the packet to the router and the
router forwards the packet to the destination.

Permission
 The service process is as follows:

 A host providing the gratuitous ARP service sends an ARP request to query the MAC
address mapping to its own IP address. If the IP address is unique, the host receives
no reply to the ARP request.
 If the host receives a reply to the ARP request, the host's IP address is the same as
that of another host.
 If receiving an ARP reply, the host generates an error message in the terminal's log,
indicating that there is a duplicate IP address on the network.
 Gratuitous ARP provides the following functions:
 Checks duplicate IP addresses: Normally, the host does not receive an ARP
reply after sending an ARP request with its own IP address being the
destination address.
 Declares a new MAC address: If the MAC address of a host changes due to
replacement of the network adapter, the host sends a gratuitous ARP packet
to declare the MAC address change to all the other hosts before the aging of
ARP entries.

Permission

Permission

Permission

Permission
EPS End to End IP Protocol Analysis 41
 ICMP messages use the basic 20-byte IP header. Other fields in ICMP messages
depend on the application in practice.
 An ICMP packet contains the following fields basically:
 Type field: indicates the ICMP message type.
 Code field: indicates a specific message of the type specified by the type field.
 For example, when the type field value is 3, the ICMP message is a Destination
Unreachable message. The specific message is determined by the code field value.
 0 = net unreachable
 1 = host unreachable
 2 = protocol unreachable
 3 = port unreachable
 Checksum field: indicates the checksum of an ICMP message. It occupies 16 bits but
is not currently used. Therefore, its value is 0.

Permission
 Ping uses a series of ICMP Echo messages to check the following:

 Availability of a remote device
 Round-trip delay in communication between two MEPs
 Packet loss
 In a ping process, the source sends an ICMP Echo Request packet to the destination
and waits for a reply. If the source receives an ICMP Echo Reply packet within a
specified period, the destination is reachable. If the source does not receive an ICMP
Echo Reply packet within a specified period, the destination is unreachable and a
message indicating ping operation timeout is displayed on the source.

Permission

Permission
 Time to Live: TTL will be reduced by every router on the route to its destination

Permission
 MTU: Maximum Transmit Unit

 IP fragmentation involves breaking a datagram into a number of smaller pieces that
can be reassembled later.
 The IP source, destination, identification, total length, and fragment offset fields, along
with the "more fragments" and "don't fragment" flags in the IP header, are used for IP
fragmentation and reassembly.

Permission

Permission

Permission
 The common TCP port numbers are HTTP 80, FTP 20/21, Telnet 23, SMTP 25, DNS
53 and etc. The common reserved UDP port numbers are DNS 53, BootP 67
(server)/68 (client), TFTP 69, SNMP 161 and etc.
 TCP Flags：SYN（Synchronize sequence numbers. Only the first packet sent from
each end should have this flag set.）、Push（Push function. Asks to push the
buffered data to the receiving application）、RST（Reset）、FIN（No more data
from sender）；

Permission
 TCP three way handshake is used to establish a connection between two host.
 Note: The initial SN is random. If the connection establishment times out, the host
sends three times of SYN requests. The timer is 6s for the first time and the timer is
24s for the second time. For windows XP, the timer is 3s for the first time and the time
is 6s for the second time.
 The client sends Segment 1 with sequence number a.
 The server responds Segment 2 with sequence number b. The server also
acknowledges Segment 1 by acknowledging the client’s initial sequence number a
plus 1.
 The client receives Segment 2 sent by the server and sends Segment 3. The client
also acknowledges Segment 2 by acknowledging the host’s initial sequence number
b plus 1.
 Thus, a TCP connection is established between the client and server. This process is
called three-way handshake. The data transmission continues.
 In addition, MSS is negotiated during this three-way handshake. See the following
description.
 After data transmission, the connection must be terminated. This requires four-way
handshake, and you can see the following description.

Permission

Permission
 Host A send a message with sequence number 42 to host B, the packet size is 8 byte.
 Host B send an ACK message to host A after receiving the packet. ACK number is
next expected byte send from Host A. ( ACK number= seq number + packet size =
42+8 = 50)

Permission
 Host A send a message with sequence number 42 to Host B and carry the ACK
number of 79 which means that “A” expects packet number 79 from “B”.
 Host B send the message with sequence number 79 to Host A and carry the ACK
number of 43 which means that “B” expects packet number 43 from “A”.

Permission
 Assume “A” is 102.0.0.4 while “B” is 173.194.126.55

 “A” send a packet with length 174 byte to B as sequence number 1 and ack number 1.
 “A” is expecting a packet with sequence number 1 from B as carried in
“Acknowledgement Number”

Permission
 B acknowledge the packet sent from A

Permission
 If A continuously send a few ACK packet to B with same sequence number but ACK
is increasing
 A is receiving the data from B continuously and reply the acknowledgement to B

Permission
 TCP is using sliding window method to control the data flow, inform the sender how much data
to be sent. TCP window size will affect the transmitting speed. If the window size is constantly
reduced, it indicate that the receiver cannot handle the data speed from the sender
 The sliding window technology can dynamically change the window size to adjust the data
transmission between two hosts. Every TCP/IP host supports full duplex data transmission, so
there are two sliding windows. One is receiver and the another is sender. TCP adopts the
acknowledgement mechanism, so the acknowledgement number is the next expected byte.
 The following is the flow control by the sliding window in a single direction data transmission.
 Assume the sender sends three data packets each time, and the window size is 4. The sender
sends four packets with sequence number 1, 2, 3, 4 respectively. The receiver successfully
receives the packet and responds sequence number 5 to acknowledge that it receives the data.
The sender receives the acknowledgement and continues sending the data with the window
size of 4. When the receiver requests to lower or increase network flow, it can change the
window size. In this example, the window size is decreased to 2, meaning two packets are sent
every time. When the receiver requests to change the window size to 0, it means that the
receiver has accepted all data or the application of receiver has no time to read the data and
asks to stop the sending. Upon receiving the acknowledgement with window size 0, the sender
stops sending the data.
 The sliding window mechanism provides reliable flow control and congestion management in
the data transmission between end-to-to devices. However, it functions only between the
source device and destination device. If network congestion occurs in any intermediate device,

Permission
like routers, the sliding window is useless. This can be managed by ICMP source
quench.

Permission

Permission
 Before an OMCH is established, a base station is not configured with any data and cannot
perform end-to-end communication with other devices at the IP layer. To implement this
communication, the base station needs to obtain the following information:
1. OMCH configuration data, including the OM IP address, OM VLAN ID, interface IP
address, interface IP address mask, IP address of the next-hop gateway, IP address
of the U2000 or BSC, and IP address mask of the U2000 or BSC.
2. During base station deployment by PnP, if the base station needs to use digital
certificates issued by the operator's CA to perform identity authentication with other
devices, it also needs to obtain the operator's CA information, including the CA name,
CA address, CA port number, CA path, and transmission protocol (HTTP or https)
used by the CA.
3. In IPsec networking scenarios, the base station also needs to obtain SeGW
information, including the SeGW IP address and SeGW local name.
 The base station uses DHCP to obtain the configuration parameters. The DHCP procedure
involves the following logical NEs:
 DHCP client: a host that uses DHCP to obtain configuration parameters
 DHCP server: a host that allocates and distributes configuration parameters to a DHCP
client
 DHCP relay agent: an NE that transmits DHCP packets between a DHCP server and a
DHCP client. A DHCP relay client must be deployed between a DHCP server and a
DHCP client that are in different broadcast domains.
 After a DHCP client accesses the network, it actively exchanges DHCP packets with its DHCP
server to obtain configuration parameters. During the exchange, the DHCP server and the
DHCP relay agent listen to DHCP packets in which the destination UDP port number is 67, and

Permission
the DHCP client listens to DHCP packets in which the destination UDP port number is
68.

Permission
A DHCP client and a DHCP server on the same Layer 2 (L2) network can directly
communicate with each other. The L2 network is a subnet in which broadcast IP
packets can be exchanged and forwarded by Media Access Control (MAC)
addresses and VLAN IDs.
1. After the DHCP client starts, it broadcasts a DHCPDISCOVER packet to search for
an available DHCP server. The DHCPDISCOVER packet carries the identification
information about the DHCP client.
2. The DHCP server responds to the DHCPDISCOVER packet with a DHCPOFFER
packet.
3. The DHCP client sends a DHCPREQUEST packet to the DHCP server, requesting
parameters such as an IP address.
4. The DHCP server sends a DHCPACK packet to the DHCP client to assign
parameters such as an IP address.
5. If the assigned parameters cannot be used, for example, an assigned IP address has
been used by other DHCP clients, the DHCP client sends a DHCPDECLINE packet
to notify the DHCP server.
6. If the DHCP client does not need the assigned parameters any more, it sends a
DHCPRELEASE packet to notify the DHCP server so that the DHCP server can
assign these parameters to other DHCP clients.

Permission
 When the DHCP client and DHCP server are not in the same broadcast domain, they
cannot receive broadcast packets from each other. In this case, the DHCP relay agent
function must be enabled in the broadcast domain of the DHCP client to ensure the
communication between the DHCP client and DHCP server. Generally, the DHCP
relay agent function is enabled on the gateway.
 The procedure is as follows: The DHCP relay agent converts DHCP packets
broadcast by the base station to unicast packets and routes the unicast packets to the
DHCP server. The DHCP server sends unicast response packets to the DHCP relay
agent, which then broadcasts received response packets on the L2 network.

Permission
 IP layer tracing is suitable on secure network scenario while MAC layer tracing
suitable on non-secure network, the information will be more complete
 PNP= Plug and Play

Permission
 Map the timing to analyze the MAC layer message

Permission
 After receiving the unicast message from eNodeB, U2000 will check the eNodeB IP
address from its ARP table.
 If there is no matching found, ARP procedure will be triggered.

Permission
 DHCP Discover message sent by eNodeB contain ESN number.

Permission

Permission

Permission

Permission

Permission
 Messages are captured by using wireshark

Permission

Permission

Permission

Permission
Trace based on S1 interface messages for MME side.

Permission

Permission

Permission

Permission

Permission

Permission
 Host A will start the Retransmission Timeout (RTO) timer after sending a packet to
peer.
 If the acknowledgement packet is not received within the RTO, sender will assume
that the packet is loss and resend the packet.
 The RTO value will impact on the network performance. If the RTO value is too big,
sender need to wait for a long period only find out that the packet is loss, impact on
the throughput.
 If the RTO value is too small, sender will find out that the packet loss in a very short
duration but will cause the unnecessary retransmission for longer delay packet,
wasting the network resources.

Permission
 Local end will retransmit the packet if do not receive any acknowledgment from peer.
 “TCP Retransmission” will be shown in Wireshark.
 From the details, we can know which packet is retransmitted.

Permission

Permission
 Analysis of TCP messages can be done through statistic analysis from wireshark.
 The top line in the graph represent the highest TCP sequence number can be
handled by local end. (Sequence number of ACK+ Window Size -1).
 The middle line represent the TCP sequence number received at local end.
 The lowest line represent the “Acknowledgement Number” in the message from
sender which is also the next TCP sequence number will be received by local end.
 If the middle line close to upper line: Sender has a higher speed compared with
receiver. Normally is related to the receiver network issue or processing capability of
the receiver which caused the network speed cannot go higher,
 If the middle line close to lower line: Speed at sender is low can be caused by speed
limit at sender or congestion.

Permission

Permission

Permission

Permission

Huawei LTE EPS End To End IP Protocol Analysis

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Huawei LTE EPS End To End IP Protocol Analysis

Uploaded by

Copyright:

Available Formats

EPS End to End IP Protocol Analysis P-1

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

 A discussion based opening

Confidential Information of Huawei. No Spreading Without

 E-UTRAN consists of a group of eNodeB.

Confidential Information of Huawei. No Spreading Without

 There are 3 types of traffic flow:

Confidential Information of Huawei. No Spreading Without

 Transmission network: Use MPLS (PWE3) technology which is a static Layer 2

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

 Header will be added at different layer.

Confidential Information of Huawei. No Spreading Without

 Protocol structure is based on TCP/IP protocol.

Confidential Information of Huawei. No Spreading Without

 Protocol structure is based on TCP/IP protocol.

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

 WEBLMT is through eNodeB.

Confidential Information of Huawei. No Spreading Without

 Example trace by using Wireshark

Confidential Information of Huawei. No Spreading Without

 Example trace by using Wireshark

Confidential Information of Huawei. No Spreading Without

 Example trace by using Wireshark

Confidential Information of Huawei. No Spreading Without

There are three method collecting eNodeB trace which are:

Confidential Information of Huawei. No Spreading Without

 STR PORTREDIRECT: SN=7, SBT=BASE_BOARD, SRCPN=1, DSTPN=0,

Confidential Information of Huawei. No Spreading Without

 Details on how to analyse the messages will be discussed in next chapter.

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

 What is the purpose of ARP messages? Will be discuss in following slides.

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

 Address Resolution Protocol (ARP)

Confidential Information of Huawei. No Spreading Without

 ARP performs the address resolution as follows:

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

 The service process is as follows:

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

Confidential Information of Huawei. No Spreading Without

 Ping uses a series of ICMP Echo messages to check the following:

Confidential Information of Huawei. No Spreading Without