• No results found

LTE RAN

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "LTE RAN"

Copied!
226
0
0

Loading.... (view fulltext now)

Download now ( 226 Page )

Full text

(1)LTE Radio Access Network Course Code: LT3603. Duration: 2 days. Technical Level: 3. ... delivering knowledge, maximizing performance.... LTE courses include: n. LTE/SAE Engineering Overview. n. LTE Air Interface. n. LTE Radio Access Network. n. Cell Planning for LTE Networks. n. LTE Evolved Packet Core Network. n. 4G Air Interface Technologies. n. LTE Technologies, Services and Markets. Wray Castle – leading the way in LTE training. www.wraycastle.com.

(2)

(3) LTE Radio Access Network. LTE RADIO ACCESS NETWORK. First published 2010 WRAY CASTLE LIMITED BRIDGE MILLS STRAMONGATE KENDAL LA9 4UB UK. Yours to have and to hold but not to copy The manual you are reading is protected by copyright law. This means that Wray Castle Limited could take you and your employer to court and claim heavy legal damages. Apart from fair dealing for the purposes of research or private study, as permitted under the Copyright, Designs and Patents Act 1988, this manual may only be reproduced or transmitted in any form or by any means with the prior permission in writing of Wray Castle Limited.. © Wray Castle Limited.

(4) LTE Radio Access Network. ii. LT3603/v1.

(5) LTE and E-UTRAN Overview. LTE RADIO ACCESS NETWORK. Contents Section 1. LTE and E-UTRAN Overview. Section 2. Non-Access Stratum Processes. Section 3. S1 Interface Messages and Procedures. Section 4. X2 Interface Messages and Procedures. Section 5. Supporting Protocols and Technologies. Section 6. E-UTRAN Support for LTE Procedures. Glossary. LT3603/v1. © Wray Castle Limited. iii.

(6) LTE Radio Access Network. iv. LT3603/v1.

(7) LTE and E-UTRAN Overview. Section 1. LTE and E-UTRAN Overview. LT3603/v1. © Wray Castle Limited. v.

(8) LTE Radio Access Network. vi. LT3603/v1.

(9) LTE and E-UTRAN Overview. Contents LTE Overview ....................................................................................................................................... 1.1 Broadband Access with LTE ................................................................................................................ 1.2 Architecture Terminology ..................................................................................................................... 1.3 LTE Development and Design Goals ................................................................................................... 1.4 LTE Standards Development ............................................................................................................... 1.5 LTE Key Technologies ......................................................................................................................... 1.6 Access Networks and the eNB (Evolved Node B) ............................................................................... 1.7 X2 Interface .......................................................................................................................................... 1.8 The EPC (Evolved Packet Core) ......................................................................................................... 1.9 S1 Interface ........................................................................................................................................... 10 Resilience Through Pooling ............................................................................................................... 1.11 Evolved Packet Core ‘S’ Interfaces.................................................................................................... 1.12 Data Rates and Services ................................................................................................................... 1.13 E-UTRA Protocols .............................................................................................................................. 1.14 PDN Connectivity Services ................................................................................................................ 1.15 Connection Hierarchies ...................................................................................................................... 1.16 EPS Bearers and E-RABs.................................................................................................................. 1.17 Connection Identifiers ........................................................................................................................ 1.18 Transport Identities ............................................................................................................................ 1.19 Default and Dedicated EPS Bearers.................................................................................................. 1.20. LT3603/v1. © Wray Castle Limited. vii.

(10) LTE Radio Access Network. viii. LT3603/v1.

(11) LTE and E-UTRAN Overview. Objectives. At the end of this section you will be able to: ƒ. outline the evolutionary process prescribed for GSM and UMTS networks and show where LTE/SAE fits in. ƒ. explain the significance of LTE in the continued progression toward converged telecommunications and entertainment markets. ƒ. outline the overall performance aims for LTE. ƒ. identify the key air interface, radio access and core network technologies chosen for E-UTRA. ƒ. outline the basic architecture of the E-UTRAN and EPC (Evolved Packet Core) including the eNB (evolved Node B), E-UTRAN interfaces and the EPC elements. ƒ. explain the role of the X2 interface in the E-UTRAN. ƒ. explain the role of the S1 interface and other possible S interfaces within the EPC. ƒ. outline the peak and average data rates that E-UTRA promises to supply and the range of services that could be carried. ƒ. describe the E-UTRA protocol stack and assign layer functions to the correct network entities. ƒ. identify the role and extent of the PDN Connectivity Service, the EPS Bearer and the E-RAB. ƒ. outline the structure and use of the EPS Bearer ID, E-RAB ID and the UE identities employed on the S1 and X2 interfaces. LT3603/v1. © Wray Castle Limited. ix.

(12) LTE Radio Access Network. x. LT3603/v1.

(13) LTE and E-UTRAN Overview. 100+ Mbit/s. 40 Mbit/s 10 Mbit/s 400 kbit/s. LTE (4G). UMTS/HSPA+. UMTS/HSPA. UMTS EDGE Evolution 1 Mbit/s GSM/EGPRS GSM/GPRS. 150 kbit/s. 50 kbit/s. LTE Overview. LTE Overview LTE (Long Term Evolution) represents the next developmental step for the 3GPP (3rd Generation Partnership Project) standards group. It provides for a continued evolutionary path from 2G GSM/GPRS, beyond 3G UMTS/HSPA and ultimately towards a 4G solution. UMTS (Universal Mobile Telecommunications System) has continued to build on the success of GSM (Global System for Mobile Communications) and momentum is gathering behind its significantly increased capability with the introduction of HSPA (High Speed Packet Access). The classic fixed and mobile telecommunications business models are undergoing enormous change with the move towards all-IP switching and a total-communications service profile. Meanwhile, the last decade has seen the Internet develop into a serious business tool and fixed broadband access is fast becoming a basic commodity. This market landscape is ready for a technology that combines broadband capabilities with an efficient scalable switching infrastructure and a flexible service delivery mechanism. LTE provides just such a solution and is designed to address growing global demand for anywhere, anytime broadband access while maintaining efficient provision of traditional telecommunications services and maximizing compatibility and synergies with other communications systems. Although LTE most obviously represents an evolutionary path for UMTS networks, it has also been designed to allow cost-effective upgrade paths from other technology starting points. For example, GSM operators can now access 3G-like performance through EDGE (Enhanced Data rates for Global Evolution) Evolution, and this in turn can be used as a direct pathway to LTE. Similarly, the interworking capabilities of the EPC (Evolved Packet Core) make it possible for CDMA (Code Division Multiple Access) to migrate radio access from 1x or 1xEV-DO (1x Evolution – Data Only) to LTE.. LT3603/v1. © Wray Castle Limited. 1.1.

(14) LTE Radio Access Network. Broadcast content provider. Former ‘Fixed’ Operator. Former ‘Mobile’ Operator. New market opportunities. LTE Radio Access. LTE Radio Access. New market opportunities. Broadband Access with LTE. Broadband Access with LTE Wide-area LTE radio access combined with the EPC represents a complete adoption of an all-IP (Internet Protocol) architecture, offering broadband delivery capability with the potential for bit rates of several hundred megabits per second and QoS (Quality of Service) management suitable for realtime operation of high-quality voice and video telephony. LTE has a very important role in the overall telecommunications service convergence concept. LTE could provide a key to unlocking a truly converged fixed/mobile network for the delivery of quadruple play services. Its potential bandwidth capabilities are sufficient for the support of services ranging from managed QoS real-time voice or video telephony to high-quality streamed TV. Its flat all-IP architecture means that it can act as a universal access network for a wide range of core network types.. 1.2. © Wray Castle Limited. LT3603/v1.

(15) LTE and E-UTRAN Overview. LTE. SAE. EPS UE E-UTRA E-UTRAN. EPC. Architecture Terminology. Architecture Terminology LTE is the term used to describe collectively the evolution of the RAN (Radio Access Network) into the E-UTRAN (Evolved Universal Terrestrial Radio Access Network ) and the RAT (Radio Access Technology) into E-UTRA (Evolved Universal Terrestrial Radio Access). SAE (System Architecture Evolution) is the term used to describe the evolution of the core network into the EPC (Evolved Packet Core). There is also a collective term, EPS (Evolved Packet System), which refers to the combined E-UTRAN and EPC.. LT3603/v1. © Wray Castle Limited. 1.3.

(16) LTE Radio Access Network. LTE/SAE Design Aims ƒ 100 Mbit/s (downlink) and 50 Mbit/s (uplink) ƒ increased cell edge bit rate ƒ 2–4 times better spectral efficiency ƒ reduced radio access network latencey ƒ scalable bandwidth up to 20 MHz ƒ interworking with 3G systems. LTE Development and Design Goals. LTE Development and Design Goals The debate about the structure and composition of LTE has been ongoing since at least 2004, with many organizations promoting their preferred technological solutions. 3GPP brought some focus to the debate in June 2005 by publishing Technical Report TR 25.913 – Requirements for Evolved UTRA and UTRAN. TR 25.913 stated several objectives for the evolution of the radio interface and radio access network architecture. Targets included a significantly increased peak data rate, e.g. 100 Mbit/s (downlink) and 50 Mbit/s (uplink), and an increased ‘cell edge bit rate’ while maintaining the same site locations as are deployed for R99 (Release 99) and HSPA. Other objectives include significantly improved spectrum efficiency (two to four times that provided by Release 6 HSPA), the possibility for a significantly reduced radio access network latency for both C-plane and U-plane traffic, scaleable bandwidth with support for channel bandwidths up to 20 MHz, and support for interworking with existing 3G systems and non-3GPP-specified systems.. 1.4. © Wray Castle Limited. LT3603/v1.

(17) LTE and E-UTRAN Overview. Phase 1. Phase 2. GSM900. GSM1800 GSM1900. Phase 2+. Rel 96-98. Rel 99. Rel 4. Rel 5. Rel 6. Rel 7. Rel 8. Rel 9. EDGE Evolution. GPRS EGPRS Rel 99 UMTS. Rel 4. Rel 5. Rel 6. Rel 7. HSDPA IMS. HSUPA. HSPA+. Rel 8. Rel 9. UMTS/SAE. Rel 8. Rel 9. LTE/SAE. LTE-A. LTE Standards Development. LTE Standards Development Since the publication of the first GSM specifications in the late 1980s, the technologies and techniques employed by GSM networks have continued to evolve and develop. GSM itself underwent a series of changes, from Phase 1 to Phase 2 and eventually to Phase 2+. Phase 2+ progressed with a series of yearly releases, starting with Release 96. UMTS was introduced as part of Release 99 and from then onwards the 3GPP 3G network technology has also been undergoing a process of evolution. The evolutions that particularly affect the air interface are mainly contained in Releases 5, 6, 7 and 8. Releases 5 and 6 introduced HSPA – HSDPA (High Speed Downlink Packet Access) in Release 5 and HSUPA (High Speed Uplink Packet Access), or Enhanced Uplink, in R6. Release 7 outlines the changes necessary to deliver HSPA+ and Release 8 specifications begin to describe LTE. Some have termed LTE ‘3.9G’, while others have queried whether it should be regarded as a 4G technology.. LT3603/v1. © Wray Castle Limited. 1.5.

(18) LTE Radio Access Network. LTE Signalling. LTE Traffic. SCTP E-UTRA E-UTRAN. All-IP. EPC. LTE Key Technologies. LTE Key Technologies Tests and evaluations carried out during 2007 led to the publication of the Release 8 36-series of specifications, which began to detail the technological basis for LTE. Of the original four candidate air interface technologies, two were chosen for the final version: OFDMA (Orthogonal Frequency Division Multiple Access) and SC-FDMA (Single Carrier FDMA). OFDMA is employed on the LTE downlink and is expected eventually to provide peak data rates approaching 360 Mbit/s in a 20 MHz channel. SC-FDMA is employed on the LTE uplink and may deliver up to 86 Mbit/s. In addition to the air interface technologies, LTE simplifies the range of technologies employed in other parts of the network. LTE is an ‘all-IP’ environment, meaning that all air interface, backhaul and core network interfaces will carry only IP-based traffic. The need to support different protocols for different traffic types, as was the case with R99, is therefore avoided. In this all-IP environment, layer 4 transport layer functions for signalling connections are performed using an alternative to the traditional choices, TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). SCTP (Stream Control Transmission Protocol) was developed with the needs of IP-based signalling in mind and is used to manage and protect all LTE signalling services.. 1.6. © Wray Castle Limited. LT3603/v1.

(19) LTE and E-UTRAN Overview. • • • • • • •. inter-cell RRM radio bearer control connection mobility control radio admission control measurement control cell configuration dynamic resource allocation. eNB. eNB (Evolved Node B). Uu S1. X2. RRC PDCP. S1. RLC MAC PHY. Evolved Packet Core. E-UTRAN. LTE UE. Access Networks and the eNB. Access Networks and the eNB (Evolved Node B) The basic building blocks of the E-UTRA access network are the eNB (Evolved Node B) plus backhaul – and nothing else. All layers of the air interface protocol stack, including the elements that previously resided in the RNC (Radio Network Controller) – RRC (Radio Resource Control), RLC (Radio Link Control) and MAC (Medium Access Control) – have been moved out to the base station. As the eNB now anchors the main backhaul link to the core network, it has also assumed responsibility for managing the PDCP (Packet Data Convergence Protocol) service, which provides header compression and ciphering facilities over the air interface. HSDPA began the process of moving RRM (Radio Resource Management) functions, such as packet scheduling, from the RNC to the Node B. In LTE, all remaining RRC functions are devolved to the eNB, meaning that there is no longer a role for a device such as the RNC. Among the RRM functions now devolved to the eNB are radio bearer control, radio admission control, connection mobility control and the dynamic allocation (via scheduling) of resources to UEs (User Equipments) in both uplink and downlink directions. Following on from innovations in R4 and R5 networks, LTE also supports the concept of flexible associations between access and core network elements, meaning that each eNB has a choice of MME (Mobility Management Entity) nodes to which to pass control of each UE. Dynamic selection of an MME for each UE as it attaches is therefore also an eNB responsibility. The eNB also receives, schedules and transmits control channel information in its cell, including paging messages and broadcast system information, both of which are received from the MMEs. It retains many of the traditional roles associated with base stations, such as bearer management. It is responsible for routing U-plane traffic between each UE and its S-GW (Serving Gateway). The complexity of the eNB and of the decisions it is required to make are therefore much greater than for an R99 Node B.. LT3603/v1. © Wray Castle Limited. 1.7.

(20) LTE Radio Access Network. X2-C X2-AP X2AP. SCTP IP Data Link Layer Physical Lyer. X2. X2-U User Plane PDUs. GTP-U UDP IP Data Link Layer Physical Layer. X2 Interface. X2 Interface With the removal of the RNC from the access network architecture, inter-eNB handover is negotiated and managed directly between eNBs using the X2-C interface. In LTE implementations that need to support macro diversity, the X2-U interface will carry handover traffic PDUs (Protocol Data Units) between eNBs. X2-C (control plane) signalling is carried by the X2AP (X2 Application Protocol), which travels over an SCTP association established between neighbouring eNBs. X2AP performs duties similar to those performed by RNSAP (Radio Network Subsystem Application Protocol), which operates between neighbouring RNCs over the Iur interface in UMTS R99 networks. X2-U (user plane) traffic is carried by the existing GTP-U (GPRS Tunnelling Protocol – User plane), as employed in UMTS R99 networks. The facilities provided by the X2-U interface are only expected to be required if macro-diversity handover is supported. Both sub-types of the X2 interface travel over IP: SCTP/IP for the X2-C and UDP/IP for the X2-U.. 1.8. © Wray Castle Limited. LT3603/v1.

(21) LTE and E-UTRAN Overview. HSS. • NAS Security • Idle state mobility handling • EPS bearer control. MME PCRF. IP network. Internet • mobility • anchoring. S-GW. PDN-GW EPC. The Evolved Packet Core. The EPC (Evolved Packet Core) The reduced complexity in the RAN is mirrored by a similar reduction in the core network, where the EPC (Evolved Packet Core) structure consists of five main nodes, although others may be required for backwards-compatibility purposes. The MME handles control plane functions related to mobility management (authentication and security) and idle mode handling (location updates and paging), in which sense it is broadly analogous to the VLR (Visitor Location Register) or GMM (GPRS Mobility Management) functions found in legacy networks. The MME is also responsible for EPC bearer control, and so handles connection control signalling. The S-GW and PDN (Packet Data Network) Gateway are broadly analogous to the SGSN (Serving GPRS Support Node) and GGSN (Gateway GPRS Support Node) found in R99 networks and perform user plane handling, switching/routing and interfacing functions. Unlike legacy systems, however, bearer control has been removed from these devices and resides with the MME. The PCRF (Policy and Charging Rules Function) handles QoS and bearer policy enforcement and also provides charging and rating facilities. Subscriber management and security functions are handled by the HSS (Home Subscriber Server), which incorporates the functions of the legacy HLR (Home Location Register) and which is already familiar from R5 elements such as the IMS (IP Multimedia Subsystem). For backwards-compatibility purposes, SGSNs deployed to legacy parts of an operator’s network can be interfaced to both the MME (for mobility management) and the S-GW (for user plane flows). The MME then provides legacy systems with an interface to the HSS, and the S-GW and PDN-GW assume the role previously performed by the GGSN. The packet data services of legacy (GSM/GPRS, R99 and HSPA) networks and LTE/SAE systems can therefore interwork via a unified set of core network elements if required. The gateway elements form the EPC. LT3603/v1. © Wray Castle Limited. 1.9.

(22) LTE Radio Access Network. S12AP S1-AP MME SCTP IP Data Link Layer Physical Layer. S1-MME. User Plane PDUs. S1-U. GTP–U UDP. S-GW. IP Data Link Layer Physical Layer. S1 Interface. S1 Interface Backhaul links to the core network are carried by the S1 interface. Following the general structure of the Iub interface which it replaces, traffic over the S1 is logically split into two types. S1-U flows carry user plane traffic and S1-MME flows carry mobility management, bearer control and direct transfer control plane traffic. Message structures for the S1-MME interface that operate between the eNB and the MME are defined by S1AP (S1 Application Protocol). The S1AP (S1 Application Protocol) performs duties that can be seen as a combination of those performed by R99 RANAP (Radio Access Network Application Part) and GTP-C (GPRS Tunnelling Protocol – Control plane). To provide additional redundancy, traffic differentiation and load balancing, the S1-flex concept allows each eNB to maintain logical connections to multiple S-GWs and MMEs – there may therefore be multiple instances of the S1 interface per node. The S1-U interface employs GTP-U to create and manage user-plane data contexts between the eNB and the S-GW.. 1.10. © Wray Castle Limited. LT3603/v1.

(23) LTE and E-UTRAN Overview PDN-GW. Co-ordinated MME Pool and S-GW Service Area. E-UTRAN Tracking Areas served by Pools and Areas. Resilience Through Pooling. Resilience Through Pooling In common with ongoing developments within many existing 3G core networks, the EPC is designed to take advantage of the concept of ‘pooling’, specifically of MME and S-GW nodes. The ‘S1-flex’ facility that allows each eNB in the E-UTRAN to be associated with multiple MMEs in the EPC allows those MMEs to be grouped into ‘pools’. Each pool will be responsible for the eNBs in one or more complete tracking areas. This means that when an eNB selects the MME that will handle the Attach process for a UE, that MME can continue to serve that UE as long as it remains within the tracking areas associated with the MME’s pool. This reduces the requirement for MME relocation and consequently reduces the network’s signalling load. Pooling also provides a measure of resilience for network services to the extent that, if one MME falls over, eNBs have a number of alternative devices to select. As with current implementations of the pooling concept, however, MME pooling does not protect the connections to UEs being served by a failed MME – when the MME fails all ongoing services supported by it fail too. In the same way as an MME pool area comprises a set of cells within which a UE does not need to change the serving MME, an S-GW service area is a set of cells within which a UE does not need to change S-GW. MME pools may overlap, and each MME pool area is identified by an MMEGI (MME Group Identifier). S-GW Areas are also permitted to overlap.. Further Reading: 3GPP TS 23.401:3.1 LT3603/v1. © Wray Castle Limited. 1.11.

(24) LTE Radio Access Network 2G/3G SGSN. HSS. UMTS/ GPRS. S6a. S3. UTRAN/ GERAN. S4. PCRF. MME. S12. LTE. S7. S11. S1-MME. Rx+. IMS E-UTRAN. S5. S1-U. IP Services. PDN-GW. S-GW Interworking to MME. SGi. S2. WLAN or WiMAX. Evolved Packet Core ‘S’ Interfaces. Evolved Packet Core ‘S’ Interfaces In addition to the S1 interface connecting the E-UTRAN to the EPC, a broader range of ‘S’ interfaces have been defined to identify interconnections between EPC nodes and external nodes. The gateways and the MME are the main new nodes in the EPC. They are interconnected via the S5 and S11 interfaces. The SGi interface provides a connection to the operator’s IP-based services. It is likely that this will include services managed through the IMS. In this respect the S6a interface connects the MME to the HSS, and the S7 interface provides access from the PCRF to the PDN-GW (Packet Data Network Gateway). The S3 and S4 interfaces provide connectivity into the EPC from legacy 2G/3G SGSNs (Serving GPRS Support Nodes). However, the UTRAN may be connected directly to the EPC via the S12 interface. WLANs (Wireless Local Area Networks) or WiMAX (Worldwide Interoperability for Microwave Access) can be supported through the EPC via the S2 interface. This would require connectivity to the MME, which is provided by interfaces and interworking functions not shown in this diagram.. 1.12. © Wray Castle Limited. LT3603/v1.

(25) LTE and E-UTRAN Overview. Channel bandwidth Modulation and 1.4 MHz MIMO coding rate 1x1 0.9 QPSK 1/2. 3 MHz. 5 MHz. 10 MHz. 20 MHz. 2.2. 3.6. 7.2. 14.4. 16QAM 1/2. 1x1. 1.7. 4.3. 7.2. 14.4. 28.8. 16QAM 3/4. 1x1. 2.6. 6.5. 10.8. 21.6. 43.2. 64QAM 3/4. 1x1. 3.9. 9.7. 16.2. 32.4. 64.8. 64QAM 4/4. 1x1. 5.2. 13.0. 21.6. 43.2. 86.4. 64QAM 3/4. 2x2. 7.8. 19.4. 32.4. 64.8. 129.6. 64QAM 4/4. 2x2. 10.4. 25.9. 43.2. 86.4. 172.8. QPSK 1/2. 1x1. 0.9. 2.2. 3.6. 7.2. 14.4. 16QAM 1/2. 1x1. 1.7. 4.3. 7.2. 14.4. 28.8. 16QAM 3/4. 1x1. 2.6. 6.5. 10.8. 21.6. 43.2. 16QAM 4/4. 1x1. 3.5. 8.6. 14.4. 28.8. 57.6. 64QAM 3/4. 1x1. 3.9. 9.7. 16.2. 32.4. 64.8. 64QAM 4/4. 1x1. 5.2. 13.0. 21.6. 43.2. 86.4. Source: WCDMA for UMTS: 4th Edition – Holma & Toskala (Ed). Data Rates and Services. Data Rates and Services The potential peak data rates of 100 Mbit/s and more are only available when employing channel bandwidths of 20 MHz, which are difficult to find in most countries’ crowded radio environments. Even then, the fastest data rates will only be achievable on links that use advanced antenna techniques such as MIMO (Multiple Input Multiple Output). 2x2 MIMO, where both transmitter and receiver use two separate antennas to carry parallel streams of data over the same channel, is required for data rates of up to 170 Mbit/s, while future versions of E-UTRA that promise data rates of up to 360 Mbit/s would require 4x4 MIMO. The data rates for E-UTRA variants up to 2x2 MIMO in a 20 MHz channel are shown in the diagram. These data rates assume error coding rates of 1/2, 3/4 and 4/4, which are not currently defined in the specifications and so should only be considered to be an example of what is generically achievable with the technology. Data rates of 100 Mbit/s or more will provide users with access to almost any Internet or communications service currently available, from movie downloads and database access down to simpler communications activities such as making a telephone call or sending a text message. The capacity allocation method employed by E-UTRA has more in common with HSPA than R99 UMTS. There is no dedicated channel in LTE, meaning that bandwidth is shared between users in a flexible, on-demand way. This flexibility, coupled with the high data rates, makes E-UTRA very attractive. Although E-UTRA’s theoretical ability to provide one user in a cell with a 100 Mbit/s connection has been much discussed, network operators are more excited about the possibility of providing 1 Mbit/s connections to 100 simultaneous users in one cell.. LT3603/v1. © Wray Castle Limited. 1.13.

(26) LTE Radio Access Network. User Equipment Non-Access Stratum (NAS). eNB. RRC. RRC. PDCP. PDCP. RLC. RLC. MAC. MAC. Physical Layer. Physical Layer. Evolved Packet Core Non-Access Stratum (NAS). E-UTRA Protocols. E-UTRA Protocols In line with other aspects of E-UTRA, the air interface protocol stack has been designed to reduce complexity. Whereas an R99/HSPA-enabled Node B employs a protocol stack with a variety of RLC and MAC instances, an E-UTRA eNB employs a protocol stack with just one instance of each layer. The extent of the air interface protocol stack has also been reduced. In previous incarnations of UMTS some layers operated between the UE and the Node B, while most extended all the way to the RNC. With the elimination of the RNC, all air interface protocols in E-UTRA operate between the UE and the eNB.. 1.14. © Wray Castle Limited. LT3603/v1.

(27) LTE and E-UTRAN Overview. PDN Connectivity Service (PCS). Evolved Packet System. EPS Bearer PDN-GW. Packet Data Network. PDN Connectivity Services. PDN Connectivity Services The EPS is designed to provide IP connectivity between a UE and a PDN (Packet Data Network). The connection provided to a UE is referred to as a PCS (PDN Connectivity Service). This consists of an EPS bearer that connects the UE to an Access Point in a PDN-GW (PDN Gateway) and traverses both the E-UTRAN and the EPC. The PDN-GW routes traffic between the EPS bearer and the external PDN. The EPS bearer, in turn, carries one or more SDF (Service Data Flow) between the UE (User Equipment) and external data services. If a UE requires additional connectivity that is only available via a different PDN-GW Access Point, then additional PDN Connectivity Services may be established in parallel.. Further Reading: 3GPP TS 23.401:4.7.1 LT3603/v1. © Wray Castle Limited. 1.15.

(28) LTE Radio Access Network PDN Connectivity Service (PCS). EPS Bearer ID (EBI). Radio Bearer ID. GTP TEID. GTP TEID. C-RNTI LCID. eNB UE. SGi. S5/S8. S1-U. S-GW. PDN-GW. Application Server. Connection Hierarchies. Connection Hierarchies To quote 3GPP TS 23.401 (4.7.1), ‘The Evolved Packet System provides IP connectivity between a UE and a PLMN external packet data network. This is referred to as a PDN Connectivity Service. The PDN Connectivity Service supports the transport of one or more Service Data Flows’. Within the EPS, user connectivity is provided via the EPS Bearer, which is analogous to the PDP Context provided by legacy 3GPP PS networks. The EPS Bearer tunnels user traffic between the PDN-GW APN and the UE via the S-GW and eNB and is, in reality, a concatenation of connections over three successive interfaces: ƒ a GTP-U tunnel over the S5 interface (PDN-GW to S-GW), identified by a GTP TEID ƒ a GTP-U tunnel over the S1-U interface (S-GW to eNB), also identified by a GTP TEID ƒ an E-UTRAN RB (Radio Bearer) on the LTE Uu interface (eNB to UE) LTE Radio Bearers are identified by the C-RNTI (Cell-specific Radio Network Temporary Identifier) and LCID (Logical Channel ID). There is a one-to-one mapping between an RB and an EPS Bearer. Each EPS Bearer can support multiple SDF, although as QoS in the EPC is applied on a ‘per bearer’ level, all SDFs sharing the same EPS Bearer will also share the same QoS (Quality of Service). UEs can be assigned multiple EPS Bearers with different QoS levels to support a varied service set.. Further Reading: 23.401:4.7; 36.300 1.16. © Wray Castle Limited. LT3603/v1.

(29) LTE and E-UTRAN Overview PDN Connectivity Service (PCS). EPS Bearer ID. EPS Bearer ID. Radio Bearer ID. E-RAB ID. eNB UE. SGi. S5/S8. S1-U. S-GW. PDN-GW. Application Server. EPS Bearers and E-RABs. EPS Bearers and E-RABs An EPS Bearer (and the LTE RB that it maps to) carries traffic across the E-UTRAN and the EPC between the UE and the PDN-GW. An E-RAB (and the RB that it maps to) carries traffic between the UE and the S-GW over the E-UTRAN, which may involve journeys across both X2 and S1 interfaces. The E-RAB therefore travels over a subsection of the route traversed by the EPS Bearer and there is a one-to-one mapping between one pair of connections. To simplify the identification of connections, a paired EPS Bearer and E-RAB share the same 8-bit identifier; although only the least significant 4 bits of the ID are active.. Further Reading: 23.401:4.7; 36.300:8.2; 36.413:9.2.23 (E-RAB ID); 29.274:8.8 (EPS Bearer ID) LT3603/v1. © Wray Castle Limited. 1.17.

(30) LTE Radio Access Network. MME. Data Radio Bearer. S-GW UE. PDN-GW. EPS Bearer. Connection Identifiers. Connection Identifiers The EPS Bearer ID is assigned by the MME upon bearer establishment. It uniquely identifies an EPS Bearer for one UE accessing via the E-UTRAN. The EPS Bearer ID is a one-octet string, which in theory means that each UE can have up to 256 EPS Bearers associated with it per MME. However, the relevant specifications currently indicate that the most significant 4 bits of the ID should be set to 0, which limits the number of EPS Bearers per UE to 16. The EPS Bearer travels between the UE and the PDN-GW; during handovers it may also extend over the X2 interface between source and target eNBs. When travelling over the S1 and X2 interfaces, there is a one-to-one mapping between the EPS Bearer and the E-RAB (E-UTRAN Radio Access Bearer) and between the identities assigned to each of those entities.. Further Reading: 3GPP TS 23.401:5.2.1 1.18. © Wray Castle Limited. LT3603/v1.

(31) LTE and E-UTRAN Overview eNB UE S1AP ID. MME UE S1AP ID. S1-MME S1-AP Context MME. S1-U GTP Tunnel. X2-U (GTP TE-Ids) X2-C (eNB UE X2AP ID). S-GW. Tunnel Endpoint IDs (TE-ID). Transport Identities. Transport Identities To allow the S1 and X2 protocols to identify the UEs that form the endpoint of each transport tunnel, terminals are assigned identities that are unique within the eNBs or MMEs that support those endpoints. The UE S1AP ID and MME S1AP ID are unique within the eNB and MME respectively that are handling the E-RAB/EPS Bearer to an Attached UE. The IDs are simple numerical identifiers (24 bits in the eNB and 32 bits in the MME) and are not associated with a specific instance of the S1 interface in each device. An eNB can therefore support a maximum of 224 (16.7 million) UE S1 connections and an MME 232 (4.3 billion). The UE X2AP ID performs the same basic function as the S1-related identities, but for the X2 interface. The X2 is optional and is only used to pass handover-related traffic between source and target eNBs, so the X2AP ID will only be created as required when a handover is initiated. The ID is 12 bits long and provides a maximum of 4096 UE X2 handover identities per eNB. The 4-byte GTP TEID (Tunnel Endpoint ID) is used in the EPS the same way as it is in legacy networks. Each device that supports a GTP tunnel refers to it in terms of the TEID assigned to the tunnel plus the IP address and UDP port number of the interface that handles it. TEIDs are assigned by the receiving side of each connection and are exchanged using S1AP during tunnel establishment.. Further Reading: 3GPP TS 23.401:5.2; 36.413:9.2.3; 29.274 (GTPv2-C); 36.41x (S1); 36.42x (X2) LT3603/v1. © Wray Castle Limited. 1.19.

(32) LTE Radio Access Network. Both Bearers share same IP address. Initial or Default EPS Bearer. eNB. IMS. PDN-GW. S-GW. Subsequent or Dedicated EPS Bearer. UE. Both Bearers routed via same APN. Internet. Default and Dedicated Bearers. Default and Dedicated EPS Bearers Each UE will establish an initial or default EPS Bearer as part of the attach process. This will provide the required ‘always on’ IP connectivity to the UE and may be to a default APN (Access Point Name), if one is stored in the user’s subscriber profile, or to an APN selected by the network. In networks that interconnect to an IMS, the default bearer allows the UE to perform SIP registration and thereafter to provide a path for session initiation messaging. In these circumstances, the data rate and QoS assigned initially to the default bearer is commensurate with the expected low level of SIPbased traffic flow, but these parameters can be modified to accommodate the requirements of application traffic flows when a connection is established. If a UE has a requirement to establish an application connection whose QoS or data rate demands are incompatible with those currently assigned to the default bearer (but which can still be routed through the current APN), the PDN-GW or PCRF may initiate the establishment of an additional EPS Bearer to carry the new traffic flow. Any additional bearers assigned to a UE in addition to the default bearer are termed dedicated bearers and will be identified by different EPS Bearer/E-RAB and radio bearer IDs. A UE may have more than one PDN Connectivity Service running if it has connections established through more than one APN/PDN-GW. In that case, there will be one Default Bearer and an optional number of Dedicated Bearers created for each PCS. The 4-bit EPS Bearer ID limits the total number of bearers established for one UE to sixteen (numbered 0 to 15).. Further Reading: 3GPP TS 23.401:4.7.2 1.20. © Wray Castle Limited. LT3603/v1.

(33) LTE and E-UTRAN Overview. Section 1 Glossary 1xEV-DO 3GPP. 1x Evolution – Data Only 3rd Generation Partnership Project. A1AP APN CDMA C-RNTI. A1 Application Protocol Access Point Name, Code Division Multiple Access Cell-specific Radio Network Temporary Identifier. EDGE eNB EPC E-RAB E-UTRA E-UTRAN. Enhanced Data rates for Global Evolution Evolved Node B Evolved Packet Core E-UTRAN Radio Access Bearer Evolved Universal Terrestrial Radio Access. Evolved Universal Terrestrial Radio Access Network. GGSN GMM GSM GTP-C GTP-U. Gateway GPRS Support Node GPRS Mobility Management Global System for Mobile Communications GPRS Tunnelling Protocol – Control plane GPRS Tunnelling Protocol – User plane. HLR HSDPA HSPA HSS HSUPA. Home Location Register High Speed Downlink Packet Access High Speed Packet Access. Home Subscriber Server High Speed Uplink Packet Access. IMS. IP Multimedia Subsystem. LCID LTE. Logical Channel ID Long Term Evolution. MAC MIMO MME. Medium Access Control Multiple Input Multiple Output Mobility Management Entity. OFDMA. Orthogonal Frequency Division Multiple Access. LT3603/v1. © Wray Castle Limited. 1.21.

(34) LTE Radio Access Network. PCRF PCS PDCP PDN PDN-GW PDU QoS. Policy and Charging Rules Function PDN Connectivity Service Packet Data Convergence Protocol Packet Data Network. Packet Data Network Gateway Protocol Data Unit Quality of Service. RAN RANAP RB RLC RNC RNSAP RRC RRM. Radio Access Network Radio Access Network Application Part Radio Bearer Radio Link Control Radio Network Controller Radio Network Subsystem Application Protocol Radio Resource Control Radio Resource Management. S1AP SAE SC-FDMA SCTP SDF SGSN S-GW. S1 Application Protocol System Architecture Evolution Single Carrier FDMA Stream Control Transmission Protocol Service Data Flow Serving GPRS Support Node Serving Gateway. TCP TEID. Transmission Control Protocol Tunnel Endpoint ID. UDP UE UMTS. User Datagram Protocol User Equipment Universal Mobile Telecommunications System. VLR. Visitor Location Register. WiMAX WLAN. Worldwide Interoperability for Microwave Access Wireless Local Area Network. X2AP. X2 Application Protocol. 1.22. © Wray Castle Limited. LT3603/v1.

(35) LTE Radio Access Network. Section 2. Non-Access Stratum Processes. © Wray Castle Limited.

(36) LTE Radio Access Network. ii. © Wray Castle Limited. LT3603/v1.

(37) Non-Access Stratum Processes. Contents LTE AS and NAS ................................................................................................................................. 2.1 NAS Identities ...................................................................................................................................... 2.2 UE State Machines .............................................................................................................................. 2.3 EMM States .......................................................................................................................................... 2.4 ECM (EPS Connection Management) States ...................................................................................... 2.5 NAS Functions and Procedures ........................................................................................................... 2.6 Active EPS Bearers and Bearer Contexts ........................................................................................... 2.7 Inactive EPS Bearers and Bearer Contexts ......................................................................................... 2.8 NAS Message Structure....................................................................................................................... 2.9 Message Types .................................................................................................................................. 2.10 EMM Messages ................................................................................................................................. 2.11 EMM Common Procedures ................................................................................................................ 2.12 GUTI Reallocation .............................................................................................................................. 2.13 Authentication .................................................................................................................................... 2.14 Security Mode Control........................................................................................................................ 2.15 Identification ....................................................................................................................................... 2.16 EMM Information ................................................................................................................................ 2.17 CS Service Notification ...................................................................................................................... 2.18 EMM Specific Procedures .................................................................................................................. 2.19 Attach ................................................................................................................................................. 2.20. LT3603/v1. © Wray Castle Limited. iii.

(38) LTE Radio Access Network. Combined Attach................................................................................................................................ 2.22 Detach ................................................................................................................................................ 2.23 Network-initiated Detach .................................................................................................................... 2.24 Tracking Area Update (TAU) Process ............................................................................................... 2.25 TAU Message .................................................................................................................................... 2.26 EMM Connection Management Messages ........................................................................................ 2.27 Service Request and Extended Service Request .............................................................................. 2.28 Service Request Process ................................................................................................................... 2.29 Paging ................................................................................................................................................ 2.30 Transport of NAS Messages .............................................................................................................. 2.31 EPS Session Management (ESM) Messages ................................................................................... 2.32 Default EPS Bearer Context Activation.............................................................................................. 2.33 Default EPS Bearer Context Activation Message .............................................................................. 2.34 Dedicated EPS Bearer Context Activation ......................................................................................... 2.35 EPS Bearer Context Modification ...................................................................................................... 2.36 EPS Bearer Context Deactivation ...................................................................................................... 2.37 PDN Connectivity ............................................................................................................................... 2.38 PDN Disconnect ................................................................................................................................. 2.39 Bearer Resource Allocation ............................................................................................................... 2.40 Bearer Resource Modification ............................................................................................................ 2.41 ESM Information Request/Response................................................................................................. 2.42 ESM Status ........................................................................................................................................ 2.43 NAS Security ...................................................................................................................................... 2.44 Security Header Types....................................................................................................................... 2.45 Integrity Protection ............................................................................................................................. 2.46 Ciphering ............................................................................................................................................ 2.47. iv. © Wray Castle Limited. LT3603/v1.

(39) Non-Access Stratum Processes. Objectives. At the end of this section you will be able to: ƒ. outline the roles of the LTE Access Stratum (AS) and Non-Access Stratum. ƒ. list the set of identifiers employed by the NAS. ƒ. describe the set of mobility and connection management state machines employed. ƒ. discuss the differences between active and inactive EPS Bearer Contexts. ƒ. outline the basic set of functions performed by NAS message types. ƒ. describe the basic structure of a NAS message. ƒ. discuss the functions of the NAS EMM message types. ƒ. discuss the functions of the NAS ESM message types. ƒ. outline the functions employed to provide NAS security. LT3603/v1. © Wray Castle Limited. v.

(40) LTE Radio Access Network. vi. © Wray Castle Limited. LT3603/v1.

(41) Non-Access Stratum Processes. User Equipment. Uu. eNode B. Non-Access Stratum (NAS) Access Stratum (AS). S1. Evolved Packet Core. Non-Access Stratum (NAS) Access Stratum (AS). LTE AS and NAS. LTE AS and NAS As with UMTS R99, the services provided to UEs by the EPS are divided into those handled by the AS (Access Stratum) and those provided by the NAS (Non-Access Stratum). The AS comprises all of the functions performed by the E-UTRAN. The NAS consists of the Bearers and bearer control signalling functions that support them. The S1AP (S1 Application Protocol) includes provision for the direct transfer of NAS signalling between UE and MME via the eNB. Compared to the core network architecture of previous generations of mobile system such as GSM or R99 UMTS, the EPC has been provided with a much ‘flatter’ network design, which limits the number of node types deployed.. Further Reading: 3GPP TS 36.300 (E-UTRAN) and 24.301 (NAS) LT3603/v1. © Wray Castle Limited. 2.1.

(42) LTE Radio Access Network. MCC. MNC. MMEI. M-TMSI. 24 bits. 32 bits. M-TMSI. GUTI. M-TMSI. 32 bits. MMEC. M-TMSI. 8 bits. 32 bits. S-TMSI. NAS Identities. NAS Identities The main means of identifying EPS subscribers remains the IMSI (International Mobile Subscriber Identity), which is permanently assigned to a subscriber account. Temporary and anonymous identification of subscribers is provided by the GUTI (Globally Unique Temporary Identity), which is assigned by the serving MME when a UE has successfully attached and is reassigned if the UE moves to the control of a new MME. The GUTI is analogous to the legacy TMSI (Temporary Mobile Subscriber Identity), but with the additional feature that its structure uniquely identifies not only the subscriber within the MME but also the MME that assigned it. The GUTI is constructed from the GUMMEI (Globally Unique MME Identifier), which identifies the MME, and the M-TMSI (MME Temporary Mobile Subscriber Identity). The M-TMSI is used to provide anonymous identification of a subscriber within an MME once that subscriber has been authenticated and attached. As with legacy TMSI use, the MME may elect to reissue the M-TMSI at periodic intervals and it will be reissued in any case if the UE passes to the control of a different MME. The GUMMEI is constructed from the MCC, MNC and MME ID. The MME ID is subdivided into an MME Group ID and MMEC (MME Code). The MMEC is the MME’s index within its pool. The M-TMSI allows a subscriber to be uniquely identified within an individual MME, whereas the S-TMSI (SAE TMSI) allows subscribers to be identified within an MME group or pool. To achieve this, the S-TMSI simply adds the one-octet MMEC (MME Code) to the M-TMSI. The MMEC is the MME’s index within its pool.. Further Reading: 3GPP TS 36.300 (E-UTRAN) and 24.301 (NAS) 2.2. © Wray Castle Limited. LT3603/v1.

(43) Non-Access Stratum Processes. MME. eNB. RRC. UE. RRC. ECM. ECM. EMM. EMM. State machines store UE and bearer context data. UE State Machines. UE State Machines In order to offer effective service to UEs, the EPS needs to be able to define and keep track of the availability and reachability of each terminal. It achieves this by maintaining two sets of ‘contexts’ for each UE – an EMM (EPS Mobility Management) context and an ECM (EPS Connection Management) context – each of which is handled by ‘state machines’ located in the UE and the MME. A further state machine operates in the UE and serving eNB to track the terminal’s RRC state, which can be either RRC-IDLE (which relates to a UE in idle mode) or RRC-CONNECTED (which relates to a UE with an active traffic bearer).. Further Reading: 3GPP TS 23.401:4.6 LT3603/v1. © Wray Castle Limited. 2.3.

(44) LTE Radio Access Network. Detach, Attach Reject. MME. TAU Reject All Bearers deactivated EMM-Deregistered. EMM-Registered Attach accept, TAU accept. Detach, Attach Reject TAU Reject E-UTRAN interface switched off due to Non-3GPP handover All Bearers deactivated EMM-Deregistered. EMM-Registered Attach accept, TAU accept. UE. EMM States. EMM States EMM is analogous to the MM processes undertaken in legacy networks and seeks to ensure that the MME maintains enough location data to be able to offer service to each UE when required. The two EMM states maintained by the MME are EMM-DEREGISTERED and EMM-REGISTERED. A UE in the EMM-DEREGISTERED state has no valid context stored in an MME, so its current location is unknown and paging and traffic routing cannot take place. This is generally consistent with a UE that is either powered off or is out of EPC-connected network coverage. The EMM-REGISTERED state relates to UEs that have performed either an attach or a TAU (Tracking Area Update) and for which the MME maintains a valid context. In this state the UE will have been assigned an M-TMSI and will be performing TAU functions when necessary. This means that the MME knows the UE’s location (at least to the current TA level) and can page and route traffic for it. A UE in the EMM-REGISTERED state will have at least one active EPS bearer (the ‘always-on’ initial or default bearer). In order for a UE in ECM-Idle state to perform an Explicit Detach and move from EMM-Registered to EMM-Deregistered, it must first move to ECM-Connected state to ensure that a signalling bearer is available to carry the Detach message.. Further Reading: 3GPP TS 23.401:4.6.2 2.4. © Wray Castle Limited. LT3603/v1.

(45) Non-Access Stratum Processes. MME. S1 connection released ECM-Idle. ECM-Connected S1 connection established. RCC connection released ECM-Idle. ECM-Connected RCC connection established. UE. ECM States. ECM (EPS Connection Management) States The ECM states describe a UE’s current connectivity status with the EPC, e.g. whether an S1 connection exists between the UE and EPC or not. There are two ECM states, ECM-IDLE and ECM-CONNECTED. A UE in ECM-IDLE has no S1 active relationship with an MME, although UE and Bearer Contexts will be stored in the serving MME, and no NAS signalling is passing between those elements. A UE in this state will perform network and cell selection/reselection and will send TAU messages, but has no RRC or S1 traffic bearers established. In ECM-IDLE the location of the UE is known by the MME only to the level of the current TA or TA List. In the ECM-CONNECTED state a UE has established a signalling relationship with an MME, which will know the UE’s location to the eNB level, not the current cell level. The UE’s Bearer Contexts will be activated and RRC and S1 transport resources will have been assigned to it. A UE will move to the ECM-CONNECTED state during functions such as Attach, TAU and Detach and when an EPS bearer is active for traffic transfer. A UE moves from ECM-IDLE to ECM-CONNECTED by sending a Service Request to the MME.. Further Reading: 3GPP TS 23.401:4.6.3 LT3603/v1. © Wray Castle Limited. 2.5.

(46) LTE Radio Access Network. To support UE mobility To support the session management procedures that establish and maintain IP connectivity between the UE and a PDN-GW. NAS – Non Access Stratum. EMM – EPS Mobility Management ESM – EPS Session Management. NAS Functions and Procedures. NAS Functions and Procedures The EPS NAS offers the highest stratum of signalling and control between a UE and an MME. The main functions performed by the NAS are support of UE mobility and support of the session management procedures that establish and maintain IP connectivity between the UE and a PDN-GW. Integrity Protection and Ciphering are offered by the EPS NAS as a means of securing signalling transaction between the UE and an MME. NAS functions are performed by invoking a specific EP (Elementary Procedure). EPs exist to perform functions that support mobility and session management. Sets of EPs have been defined that relate to EMM, which perform Attach, security and location update functions, and others have been defined that relate to ESM (EPS Session Management), which perform bearer management and resource allocation functions.. 2.6. © Wray Castle Limited. LT3603/v1.

(47) Non-Access Stratum Processes. Bearer Context – Active Bearer Attributes. MME. UE. eNB. RRC. S-GW. S1 Tunnel. PDN-GW. S5/S8 Tunnel. Radio Bearer/E-RAB/EPS Bearer Active Active EPS Bearers and Bearer Contexts. Active EPS Bearers and Bearer Contexts An EPS bearer provides a data path between a UE and an APN located in a PDN-GW. Once created, an EPS bearer can be in one of two states – active or inactive. When active, the EPS bearer is assigned bearer resources that amount to a radio bearer and GTP tunnels, with assigned TEIDs (Tunnel Endpoint IDs) that will carry the E-RAB (E-UTRAN Radio Access Bearer) and EPS Bearer over the Uu, S1-U and S5/S8 interfaces. Each PDN connection and default and dedicated EPS bearer is described by a Bearer Context stored in the UE and MME and in other devices required to serve each bearer. Default and dedicated bearer contexts describe the UE’s current ECM state (idle or connected) plus the bearer’s EPS bearer ID and QoS parameters, and can be either active or inactive. An active Bearer Context is deemed to be in the ESM BEARER CONTEXT ACTIVE state.. Further Reading: 3GPP TS 23.401:4.7.2 LT3603/v1. © Wray Castle Limited. 2.7.

(48) LTE Radio Access Network. Bearer Context – Inactive Bearer Attributes. MME. UE. eNB. S-GW. PDN-GW. S5/S8 Tunnel. Radio Bearer/ E-RAB Released. S5/S8 EPS Bearer Active. Inactive EPS Bearers and Bearer Contexts. Inactive EPS Bearers and Bearer Contexts When an EPS Bearer is inactive, either as a result of an instruction from the UE or MME or of an inactivity timer expiring, Uu and S1-U resources are released, although the S5/S8 tunnel is retained and details of the bearer context are retained by the UE and the MME for future reactivation when required. The separation of the bearer resources from the bearer context means that details of each bearer can be retained by the network even when the physical resources associated with it have been released during periods of inactivity. An inactive bearer context can be reactivated by either the UE or the network using the Service Request procedure. The S-GW may invoke the Downlink Data Notification procedure if data arrives for an inactive bearer. The Bearer Context data held in the UE and the MME may become unsynchronized during periods of inactivity, both devices will attempt to re-synchronize this data when a signalling connection is re-established. An inactive Bearer Context is deemed to be in the ESM [EPS Session Management] BEARER CONTEXT INACTIVE state.. Further Reading: 3GPP TS 23.401:4.7.2 2.8. © Wray Castle Limited. LT3603/v1.

(49) Non-Access Stratum Processes. 7 6 5 4 3 2 1 EPS Bearer ID (ESM) or Protocol Discriminator Security Header Type (EMM) Procedure Transaction Identity Message Type 8. 1 1a (ESM only) 2 3. Message Information Elements n Protocol Discriminator = 0010 for ESM, 0111 for EMM PTI (Procedure Transaction Identity) only required for ESM. NAS Message Structure. NAS Message Structure EPS NAS messages are constructed following the standard Layer 3 message structure employed in legacy ETSI/3GPP network types such as GPRS (detailed in 3GPP TS24.007). The message formats are based on industry-standard CSN.1 syntax and coding rules. Most NAS messages are constructed following one of the two main format options: Plain NAS messages and Security Protected NAS messages. Plain NAS transactions consist of messages sent in clear with no integrity protection. Security Protected NAS messages can be integrity protected (using a MAC) only or can have integrity protection and a ciphered payload. The payload of a Security Protected message is a Plain NAS message. EPS Bearer Identities are only required in ESM messages which deal with resource management for individual bearers. In the absence of an EPS Bearer ID the Security Header of a plain NAS message is always set to 0000. The Protocol Discriminator field will take the value 0010 for ESM messages and 0111 for EMM functions. A Procedure Transaction Identity is only required for ESM message types and acts as a unique identifier for a transaction in progress between an individual UE and the MME. The ECM SERVICE REQUEST message employs a simpler but non-standard Layer 3 format which is slightly different to those shown in the diagram.. Further Reading: 3GPP TS24.301:9.1 (message formats) LT3603/v1. © Wray Castle Limited. 2.9.

(50) LTE Radio Access Network. 8 7 6 5 4 3 2 1 0 1 -. -. -. -. -. -. 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0. 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0. 0 0 0 0 0 0 1 1 1 1 1 1 0 0 0 0 0 1 0 0 1 1 1 0 0 0 0 0. 0 0 0 1 1 1 0 0 0 0 1 1 0 0 0 0 1 1 1 1 1 1 1 0 0 0 0 1. 0 1 1 0 0 1 0 0 1 1 0 1 0 0 1 1 0 0 0 1 0 1 1 0 0 1 1 0. 1 0 1 0 1 0 0 1 0 1 0 0 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0. 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1. 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1. 8 7 6 5 4 3 2 1 EMM – EPS Mobility Management Attach Request Attach Accept Attach Complete Attach Reject Detach Request Detach Accept TAU Request TAU Accept TAU Complete TAU Reject Extended Service Request Service Request GUTI Reallocation Command GUTI Reallocation Complete Authentication Request Authentication Response Authentication Reject Authentication Failure Identity Request Identity Response Security Mode Command Security Mode Complete Security Mode Reject EMM Status EMM Information Downlink NAS Transport Uplink NAS Transport CS Service Notification. 1 1 -. -. -. -. -. -. 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1. 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 0. 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1. 0 0 0 1 1 1 0 0 0 1 1 0 0 0 0 1 1 1 1 0 0 0. 0 1 1 0 1 1 0 1 1 0 1 0 0 1 1 0 0 1 1 0 1 0. 1 0 1 1 0 1 1 0 1 1 0 0 1 0 1 0 1 0 1 1 0 0. 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1. 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1. ESM – EPS Session Management Activate Default EPS Bearer Context Request Activate Default EPS Bearer Context Accept Activate Default EPS Bearer Context Reject Activate Dedicated EPS Bearer Context Request Activate Dedicated EPS Bearer Context Accept Activate Dedicated EPS Bearer Context Reject Modify EPS Bearer Context Request Modify EPS Bearer Context Accept Modify EPS Bearer Context Reject Deactivate EPS Bearer Context Request Deactivate EPS Bearer Context Accept PDN Connectivity Request PDN Connectivity Reject PDN Disconnect Request PDN Disconnect Reject Bearer Resource Allocation Request Bearer Resource Allocation Reject Bearer Resource Modification Request Bearer Resource Modification Reject ESM Information Request ESM Information Response ESM Status. Message Types. Message Types Message Type codes are used to identify the type of transaction being performed by a NAS message. Message Type codes starting with 01 relate to EMM functions whilst codes starting 11 relate to ESM messages.. Further Reading: 3GPP TS24.301:9.8 2.10. © Wray Castle Limited. LT3603/v1.

(51) Non-Access Stratum Processes. EMM – EPS Mobility Management EMM Common procedures EMM Specific procedures EMM Connection Management procedures. EPS Mobility Management (EMM) Messages. EMM Messages Three types of EMM procedure are defined for NAS messaging purposes: EMM Common procedures, EMM Specific procedures and EMM Connection Management procedures. EMM Common Procedures are initiated by the network and can only be performed when a NAS signalling connection already exists between the MME and the target UE. EMM Specific procedures handle Attach, Detach and TAU functions; some procedures can only be performed by the UE, others can be performed by the UE or the network. Only one EMM Specific procedure can be in progress per UE at any one time. EMM Connection Management (which is a subset of EMM functionality and is distinct from ECM – EPS Connection Management) procedures are used to handle connection establishment functions such as UE-initiated SERVICE REQUEST and network-initiated PAGING messages. The transport of NAS messages is also handled by this subset of message types. A set of EMM Specific and Connection Management procedures (ATTACH REQUEST, TRACKING AREA UPDATE REQUEST, DETACH REQUEST, SERVICE REQUEST and EXTENDED SERVICE REQUEST) are grouped and classed as ‘initial NAS messages’. The EMM Specific TAU functions and all of the EMM Connection Management functions are only applicable to a UE that is in ‘S1 mode’, which means that the UE is Attached to the EPS and communicating via an eNB that has an S1 connection to an MME. Alternative UE connection modes are A/Gb (via GSM/GPRS), Iu (via UMTS) and S101 (via CDMA2000) access networks.. Further Reading: 3GPP TS24.301:5.1.2 LT3603/v1. © Wray Castle Limited. 2.11.

(52) LTE Radio Access Network. EMM Common Elementary Procedures 0 0 0 0 0 0 0 0 0 0 0 0. 1 1 1 1 1 1 1 1 1 1 1 1. 0 0 0 0 0 0 0 0 0 0 0 1. 1 1 1 1 1 1 1 1 1 1 1 0. 0 0 0 0 0 1 0 0 1 1 1 0. 0 0 0 0 1 1 1 1 1 1 1 0. 0 0 1 1 0 0 0 1 0 1 1 0. 0 1 0 1 0 0 1 0 1 0 1 0. GUTI Reallocation Command GUTI Reallocation Complete Authentication Request Authentication Response Authentication Reject Authentication Failure Identity Request Identity Response Security Mode Command Security Mode Complete Security Mode Reject EMM Status. All network-initiated. EMM Common Procedures. EMM Common Procedures EMM Common Procedures are all network-initiated and provide the means to manage UE identification and authentication processes. This set of procedures also controls the implementation of NAS connection security. The subset of EPs belonging to the Common Procedures type consists of: ƒ GUTI Reallocation ƒ Authentication ƒ Security Mode Control ƒ Identification ƒ EMM Information An existing signalling connection must be in place between the initiating MME and the target UE before any of these function types can be performed.. Further Reading: 3GPP TS24.301:5.1.2 2.12. © Wray Castle Limited. LT3603/v1.

(53) Non-Access Stratum Processes. EMM Common EP GUTI Reallocation Network Initiated UE. MME. GUTI REALLOCATION COMMAND Start T3450. GUTI REALLOCATION COMPLETE Stop T3450. GUTI REALLOCATION COMMAND Information Element. Required. Length. Protocol Discriminator. Mand. 1/2. Security Header Type. Mand. 1/2. Message Type. Mand. 1. New GUTI New TAI List. Mand Opt. 12 8-98. GUTI Reallocation. GUTI Reallocation The GUTI (Globally Unique Temporary Identity) is created as the concatenation of the GUMMEI (Globally Unique MME ID), which identifies the MME, and the M-TMSI (MME Temporary Mobile Subscriber Identity), which is used to provide anonymous identification of a subscriber within an MME once that subscriber has been authenticated and attached. As with legacy TMSI use, the MME may elect to reissue the M-TMSI at periodic intervals and it will be reissued in any case if the UE passes to the control of a different MME. The allocation of a new MTMSI results in a GUTI Reallocation procedure. In addition to a new GUTI, the MME may also elect to issue the UE an new or updated TAI List. This list shows the TAI (Tracking Area Identity) of all TAs within which the UE can roam without performing a TAU. GUTI Reallocation usually takes place in ciphered mode. When the MME issues the GUTI REALLOCATION message it starts timer T3450, which provides a maximum period within which the Reallocation should be completed. If the UE receives and processes the GUTI REALLOCATION COMMAND messages correctly it responds with GUTI REALLOCATION COMPLETE. The MME then stops timer T3450. If T3450 expires without a response from the UE the MME may retransmit the GUTI REALLOCATION COMMAND. This process can be repeated up to four times and if the UE continues to fail to respond it will be forced to re-Attach to receive network service. If a UE receives a new TAI List that does not include the identity of the current TA it will perform a TAU.. Further Reading: 3GPP TS24.301:5.4.1 and 8.2.12/13 LT3603/v1. © Wray Castle Limited. 2.13.

(54) LTE Radio Access Network. EMM Common EP Authentication Network Initiated UE. MME. AUTHENTICATION REQUEST Start T3460. AUTHENTICATION RESPONSE. Stop T3460. AUTHENTICATION REJECT. AUTHENTICATION REQUEST Information Element. Required. Length. Protocol Discriminator. Mand. 1/2. Security Header Type. Mand. 1/2. Message Type. Mand. 1. NAS Key Set Identifier. Mand. 1/2. Spare. Mand. 1/2. RAND. Mand. 16. AUTN. Mand. 17. Authentication. Authentication Authentication is usually performed as part of the Attach procedure and also during Tracking Area Updates. It is controlled by the EPS AKA (Authentication and Key Agreement) process and allows a UE and the network mutually authenticate each other. A successful Authentication procedure results in a Security Context being established in the UE and the MME which stores, amongst other data, the computed value of KASME used as the root for EPS Integrity Protection and Ciphering procedures. Authentication is always initiated by the network. The UE can elect to accept or reject the authentication challenge issued by the network. Rejection would occur if, for example, the UE had no valid USIM installed or could not recover the required security information from the USIM. The MME initiates the process by issuing an AUTHENTICATION REQUEST to the UE, which contains the vectors (including RAND and AUTN) required to allow the UE/USIM to calculate a response. Timer T3460 is started in the MME at this point. If the UE is required to authenticate the network it will check the AUTN details provided before computing a response (RES) to the RAND challenge. If the process completes successfully the UE returns an AUTHENTICATION RESPONSE containing the computed RES challenge response to the MME. If the process fails, for example if the AUTN authentication vectors provided by the network are deemed to be invalid, the UE will respond with an AUTHENTICATION FAILURE message to the MME. On receipt of either response type the MME stops timer T3460. In the event of a positive response from the UE, the MME processes the supplied challenge response and determines whether the authentication process has been successful. If the authentication is accepted it is implicitly acknowledged to the UE by sending no confirmation; if the authentication is not accepted by the MME is is explicitly rejected by sending an AUTHENTICATION REJECT message to the UE.. Further Reading: 3GPP TS24.301:5.4.2 and 8.2.5-8 and 33.401 (EPS AKA) 2.14. © Wray Castle Limited. LT3603/v1.

(55) Non-Access Stratum Processes. EMM Common EP Security Mode Network Initiated UE. MME. SECURITY MODE COMMAND. Start T3460. SECURITY MODE COMPLETE. Stop T3460. OR. SECURITY MODE REJECT. Stop T3460. SECURITY MODE COMMAND Information Element. Required. Length. Protocol Discriminator. Mand. 1/2. Security Header Type. Mand. 1/2 1. Message Type. Mand. Selected NAS Security algorithms. Mand. 1. NAS Key Set Identifier. Mand. 1/2. Spare. Mand. 1/2. Replayed UE Capabilities. Mand. 3-6. IMSISV Request. Opt. 1. Replayed NonceUE. Opt. 5. NonceMME. Opt. 5. Security Mode Control. Security Mode Control The Authentication process leads to the computation of KASME and the creation of a shared EPS Security Context between the UE and the MME; the Security Mode Control process is employed to invoke the Security Context when required. Security Mode is also employed when a change to the current set of security vectors is required. Security mode control is initiated by the MME, which issues a SECURITY MODE COMMAND and starts timer T3460. The command is sent in clear in a Plain NAS message but it employs Integrity Protection by adding a NAS integrity key computed from the current KASME value. If security mode is being invoked immediately after a successful EPS authentication procedure the MME will also reset the downlink NAS COUNT at this point. Upon receipt of the command, the UE checks the integrity of the message and if it determines that it is unaltered and therefore valid it takes the EPS Security Context referenced in the command into use. The UE uses the cipher and integrity keys related to the EPS Security Context to encrypt and integrity protect a response. The response is carried in a SECURITY MODE COMPLETE message to the MME, with the security header indicator set to ‘Integrity protected and ciphered with new EPS security context’. The MME deciphers the message and checks the validity of the Integrity Protection; if all is as expected it stops timer T3460 and invokes security mode at the network end of the connection. All further communications between the MME and the UE will be ciphered and integrity protected until such time as security mode is cancelled or the security vectors are refreshed. The UE refuses to implement security mode if the command received from the MME fails its integrity check or if the details contained in it are incorrect. In this case a SECURITY MODE REJECT message is returned to the MME. Further Reading: 3GPP TS24.301:5.4.3 and 8.2.20-22 and 33.401 (EPS AKA) LT3603/v1. © Wray Castle Limited. 2.15.

(56) LTE Radio Access Network. EMM Common EP Identity Network Initiated UE. MME. IDENTITY REQUEST Start T3470. IDENTITY RESPONSE. Stop T3470. IDENTITY REQUEST. 001 IMSI 010 IMEI 011 IMEISV 100 TMSI. Information Element. Required. Length. Protocol Discriminator. Mand. 1/2. Security Header Type. Mand. 1/2. Message Type. Mand. 1. Identity Type. Mand. 1/2. Spare. Mand. 1/2. Identification. Identification The Identification procedure allows the MME to request IMSI, IMEI, IMEISV or TMSI details from a UE. The process is initiated with an IDENTITY REQUEST issued from the MME. Timer T3470 is started when the message is first transmitted. The Identity Type information element allows the UE to determine the type of information being requested. On receipt of the request, the UE encodes the required information into an IDENTITY RESPONSE message. The MME receives it and stops timer T3470. If the UE cannot transmit a response, possibly due to network failure or lack of coverage, it will perform a Tracking Update at the next opportunity. If timer T3470 expires before a response is received the message can be retransmitted a maximum of four further times. Other failure types, such as the collision of an IDENITY REQUEST with an ATTACH REQUEST issued by the UE will generally result in the UE being detached and forced to reattach to the network.. Further Reading: 3GPP TS24.301:5.4.4, and 8.2.18/19 and 24.008:10.5.5.9 (Identity Type values) 2.16. © Wray Castle Limited. LT3603/v1.

(57) Non-Access Stratum Processes. EMM Common EP EMM Information Network Initiated UE. MME. EMM INFORMATION. EMM INFORMATION Information Element. Required. Length. Protocol Discriminator. Mand. 1/2. Security Header Type. Mand. 1/2. Message Type. Mand. 1. Full Network Name. Opt. 3-n. Short Network Name. Opt. 3-n. Local Timezone. Opt. 2. Universal Time and local timezone. Opt. 8. Daylight Saving Time. Opt. 3. EMM Information. EMM Information EMM Information is an optional message type which is designed to allow the network to ‘provide information to the UE’. The types of information that can be carried in EMM Information messages currently include: ƒ full name for network ƒ short name for network ƒ local time zone ƒ universal time and local time zone ƒ network daylight saving time An EMM INFORMATION message is issued by the MME, there is no corresponding response message from the UE for messages successfully received. Support for the EMM Information message type is optional for UEs. A non-supporting UE that receives such a message responds with an EMM STATUS message indicating ‘message type nonexistent or not implemented’.. Further Reading: 3GPP TS24.301:5.4.5 and 8.2.13 LT3603/v1. © Wray Castle Limited. 2.17.

(58) LTE Radio Access Network. EMM EP CS Service Notification Network Initiated UE. MME. CS SERVICE NOTIFICATION. CS SERVICE NOTIFICATION Information Element. Required. Length. Protocol Discriminator. Mand. 1/2. Security Header Type. Mand. 1/2 1. Message Type. Mand. Paging ID Type. Mand. 1. Calling Line ID. Opt. 3-14. Supplementary Services Code. Opt. 2. LCS Indicator. Opt. 2. LCS Client ID. Opt. 3-257. 0 IMSI 1 TMSI. CS Service Notification. CS Service Notification The CS Notification message is used to alert a UE that is Combined Attached to the EPS and to a CS-capable non-EPS network that an inbound call is waiting for it in the CS domain. The relevant 3GPP specification does not make it clear which, if any, NAS EMM message category this message type belongs to, it is simply shown as grouped with the other EMM-related procedures. This message type is only used to alert a UE that is in ECM-CONNECTED mode and which already has an active NAS signalling connection; notification of UEs in Idle Mode is handled by the Paging process. The message must contain a Paging Identity related to the CS domain that issued the page; this will take the form of either an IMSI or a TMSI. If the EPC connects to a peer CS domain node via an SGs interface the message may optionally also contain one or more additional fields, including details of the calling party’s CLI, details of any Supplementary Services invoked for the call and also details of any Location-based Service (LCS) identifiers related to the call.. Further Reading: 3GPP TS24.301:8.2.9 2.18. © Wray Castle Limited. LT3603/v1.

References

Download now ( PDF - 226 Page - 4.39 MB )

Outline

EPC IP network Non-Access Stratum Processes EMM – EPS Mobility Management S1 Interface Messages and Procedures X2 Interface Messages and Procedures UTRAN IP Transport UTRAN Support for LTE Procedures

Related documents