03 - lte-eps mobility & session management

1 © Nokia Siemens Networks LTE/EPS Mobility & Session Management / Jose Maria Anarte / v2.0 / Document NumberFor public use – IPR applies

LTE/EPS Mobility & Session ManagementLTE/EPS Fundamentals Course


Nokia Siemens Networks Academy

Legal notice

Intellectual Property RightsAll copyrights and intellectual property rights for Nokia Siemens Networks training documentation, product documentation and slide presentation material, all of which are forthwith known as Nokia Siemens Networks training material, are the exclusive property of Nokia Siemens Networks. Nokia Siemens Networks owns the rights to copying, modification, translation, adaptation or derivatives including any improvements or developments. Nokia Siemens Networks has the sole right to copy, distribute, amend, modify, develop, license, sublicense, sell, transfer and assign the Nokia Siemens Networks training material. Individuals can use the Nokia Siemens Networks training material for their own personal self-development only, those same individuals cannot subsequently pass on that same Intellectual Property to others without the prior written agreement of Nokia Siemens Networks. The Nokia Siemens Networks training material cannot be used outside of an agreed Nokia Siemens Networks training session for development of groups without the prior written agreement of Nokia Siemens Networks.


Module ObjectivesAfter completing this module, the participant should be able to:

• Introduce the LTE Mobility Areas.

• List different LTE-UE identifications.

• Compare the terminology used in 3G and LTE when referring to Mobility and Session Management.

• Describe the LTE Mobility & Connection States.

• Explain the EPS Bearer Architecture and Attributes.

• Analyze different LTE/EPS procedures: Attach, S1 Release, Detach, Service Request, Tracking Area Update, Dedicated SAE Bearer Activation and inter eNB handover.

• Review the LTE/EPS Authentication Procedure and the Security Keys Generation.


Module Contents

• LTE/EPS Mobility Areas

• LTE-UE Identifications

• Mobility & Connection Management Terminology

• LTE Mobility & Connection States

• The EPS Bearer

• LTE/EPS Procedures

• Security: EPS Authentication and Key Agreement (AKA)


Module Contents





• The EPS Bearer




LTE/EPS Mobility Areas

Two areas are defined for handling of mobility in LTE/EPS:

Tracking Area (TA)

It is the successor of location and routing areas from 2G/3G.

When a UE is attached to the network, the MME will know the UE’s position on tracking area level.

In case the UE has to be paged, this will be done in the full tracking area.

Tracking areas are identified by a Tracking Area Identity (TAI).

The Cell

Smallest entity regarding mobility

When the UE is connected to the network, the MME will know the UE´s position on cell level

Cells are identified by the Cell Identification (CI) and by the Physical Cell Identification (PCI)


LTE Cell Identifications

Cell Identity (CI or CellID)

Used to identify the cell uniquely within the PLMN.

28-bits long

Broadcasted on System Information Block Type 1

Cell Identify together with the PLMN Identity form the Evolved Cell Global Identity (ECGI), used to differentiate EUTRAN cell globally

More on CI and ECGI in 36.331 RRC-specification

Physical Cell Identity (PCI or PhyCellID))

It is used in downlink to scramble the data transmitted by the cell.

It helps the UE to distinguish information coming from different transmitters.

Similar to scrambling codes in UMTS

Range: from 0 to 503

Since there are only 504 PhyCelIDs, they must be repeated

More on PCI in 36.211 Physical Layer Specification

- The CellId is a System Level parameter

- The PhyCellID is a Physical level parameter- UE gets the PhyCellID from the Primary and Secondary Synchronization Signals (PSS and SSS)

PSS: provides the PhyCellID sector: 0..2

SSS: provides the PhyCellID group: 0…167

Example:

•Let's say that we are going to deploy a LTE network in a city and that city needs 1000 cells.

•Each of the 1000 cells will have their own cell ID, but, since there is only 504 physical cell IDs, we will need to repeat the physical cell IDs twice.

•The key is that that the two cell that share a physical cell ID cannot be geographically close to each other or they will interfere will each other.


Tracking Areas

S-eNBTAI3

TAI3TAI3

TAI3

TAI3TAI3

TAI3

MME

eNB

TAI2

TAI2TAI2

TAI2

TAI2

TAI2

TAI2

TAI2

TAI1

TAI1TAI1

TAI1

TAI1 eNB 1 2

MME

3

Cell Identity

Tracking Area

Tracking Area Identity (TAI) vs. Tracking Area Code (TAC)

TAI= MCC + MNC + TAC

Tracking Area Update (TAU)

Procedure triggered by the LTE-UE moving to a new TA.

TAU are performed by the LTE-UE in both idle and connected mode. (GSM/UMTS difference)

For further info refer to TS 23.401 chapter 5.3.3.0

why a TAU is necessary in the connected state?

The answer to that question can be found in the message sequence charts for handovers.

For example: during an X2 handover, which is directly negotiated between two base stations, the Mobility Management Entity (MME) in core network is only informed of the handover after it has taken place. Also, there's no direct communication between the MME and the mobile device during the handover procedure. That means that in case the new cell is in a new tracking area, the mobile has to update its tracking area list as that information was not contained in the handover messaging.

From a logical point of view that also makes sense. Tracking areas are administered by the core network (by the Non Access Stratum) while handovers are performed by the access network. Also, the signaling does not interrupt the user data transfer so there are no side effects of performing this procedure in connected mode and while transferring data.


Multiple Tracking Areas Registration

UE may be told by the network to be registered in several tracking areas simultaneously.

Gain: when the UE enters a new cell, it checks which tracking areas the new cell is part of. If this TA is on UE’s TA list, then no tracking area update is necessary.

S-eNBTAI3

TAI3TAI3

TAI3

TAI3TAI3

TAI3

MME

eNB

TAI2

TAI2TAI2

TAI2

TAI2

TAI2

TAI2

TAI2

TAI1

TAI1TAI1

TAI1

TAI1 eNB 1 2

MME

3

Cell Identity

Tracking Area

TA List:

TA1

TA2

•Another difference between TAU and the LAU/RAU of UMTS is that the mobile can have a list of several valid tracking areas and an update only has to be made if the new cell is in a tracking area that is not part of that list.

•This solution will avoid unnecessary tracking area updates at the tracking areas border when the UE is ping-ponging between cells belonging to different TAs.


Tracking Areas: Use of S1-flex Interface

MME Pooling:

several MME

handle the same

tracking area

TAI1

S-eNB

TAI2

TAI2TAI2

TAI3

TAI3TAI3

TAI3

MME

eNB

TAI2

TAI2TAI2

TAI2

TAI2

TAI2

TAI2

TAI2

TAI1

TAI1

TAI1

eNB

S-MME

TAI1

321

1 2 3

3

2

1 TAI1

TAI2

TAI3

Due to S1-Flex implementation both MME must be aware on how the Radio Network is organized in TAs


Module Contents





• The EPS Bearer




UE Identifications

• IMSI– International Mobile Subscriber Identity

• GUTI– Global Unique Temporary Identity

• C-RNTI– Cell Radio Network Temporary Identity

• S1-AP UE ID– S1 Application Protocol User Equipment Identity


UE Identifications: IMSI

IMSI: • International Mobile Subscriber Identity.• Used in LTE to uniquely identify a subscriber world-wide• Its structure is kept in form of MCC+MNC+MSIN:

MCC: mobile country code MNC: mobile network codeMSIN: mobile subscriber identification number

• A subscriber can use the same IMSI for 2G, 3G and LTE access• MME uses the IMSI to locate the HSS holding the subscribers permanent registration data for tracking area updates and attaches

IMSI

MCC MNC MSIN

3 digits 2 digits 10 digits

•USIM card can be used to access 2G networks (besides 3G and LTE Networks)

•SIM card (original 2G SIM card) can not be used to access LTE Networks


GUTI:

• Globally Unique Temporary Identity

• It is dynamically allocated by the serving MME

• Its main purpose is to avoid usage of IMSI on air

• Internally the allocating MME can translate GUTI into IMSI and vice versa

• The GUTI consists of 2 components: GUMMEI and M-TMSI

UE Identification: GUTI

GUTI

M-TMSIGUMMEI

M-TMSI: Temporary Identity of the UE within and specific MME.

GUMMEI: Global Unique MME Identity:

Identity of the MME that allocated the GUTI

It Contains:

MCC + MNC + MME group ID (MMEGI) + MME Code (MMEC)

Further Reading:

The GUMMEI in turn consists of the following:

− PLMN Id: MCC, MNC

− MME Identifier (MMEI): MME Group Id (MMEGI) and MME Code (MMEC)

The MMEC provides a unique identity to an MME within the MME pool, while the MMEGI is used to distinguish between different MME pools.More details about these identifiers can be found in TS 23.003.

GUTI reallocation is further described in TS 23.401 and TS 24.301.


Further Reading: S-TMSI

S-TMSI:

•The SAE TMSI (S-TMSI) is a shortened form of the GUTI

•It is used to identify the UE over the radio path and is included in the RRC connection request and paging messages

•The S-TMSI contains the MMEC and M-TMSI components of the GUTI

• Note, however, that the S-TMSI does not include the MMEGI — that is, the MME pool component

M-TMSIMMEC

GUMMEI

MMEGIMNCMCC

GUTI

S-TMSI

Because MME pool areas can overlap, care must be taken to ensure that MMEs serving the overlapping areas are

not allocated the same MMECs


UE Identifications: C-RNTI

C-RNTI:

• Cell Radio Network Temporary Identity

• C-RNTI is allocated by the eNB serving a UE when it is in active mode (RRC_CONNECTED)

• This is a temporary identity for the user only valid within the serving cell of the UE

• It is release as soon as the UE moves to idle state (RRC_IDLE)

• It is exclusively used for radio management procedures.


UE Identifications:S1-AP UE ID

S1-AP UE ID:

• S1 Application Protocol User Equipment Identity.

• Two additional temporary identifiers allocated by eNB and MME:

- eNB S1-AP UE ID

- MME S1-AP IE ID

• Their purpose is to allow efficient implementation of S1 control signaling (S1AP=S1 Application Protocol)

• They shall allow easy distribution of S1 signaling messages inside MME and eNB.

• NOTE: This concept is similar to SCCP local references known from Iuor A interface in 3G/2G.


IMSI International Mobile Subscriber IdentityGUTI Globally Unique Temporary IdentityC-RNTI Cell Radio Network Temporary Identity

UE Identifications Summary

C-RNTI

eNB S1-AP UE-ID | MME S1-AP UE-ID

MCC

IMSIMNC MSIN

S-eNBTAI2

TAI2TAI2

TAI3

TAI3TAI3

TAI3

MME

HSS

eNB

TAI2

TAI2TAI2

TAI2

TAI2

TAI2TAI2

TAI2

TAI1

TAI1TAI1

TAI1

TAI1eNB

1 2

S-MME

32

Cell IdentityMME Identity

3

1

GUTI

M-TMSIGUMMEI

TAI Tracking Area Identity (MCC+MNC+TAC) S-MME Serving MMES-eNB Serving E-Node B


Module Contents





• The EPS Bearer




Terminology in LTE and in 3G Connection and Mobility Management

3G LTE

GPRS attached EMM registered

Handovers (DCH) when RRC connected

Handovers when RRC connected

RNC hides mobility from core network

Core network sees every handover

Mobility management

Connection management

Location area Not relevant (no CS core)

Routing area Tracking area

PDP context EPS bearer

Radio access bearer Radio bearer + S1 bearer


Module Contents





• The EPS Bearer




LTE Mobility & Connection States

There are two sets of states defined for the UE based on the information held by the MME.

These are:

1.- EPS* Mobility Management (EMM) states

2.- EPS* Connection Management (ECM) states

*EPS: Evolved Packet System

More about LTE Mobility and Connection States on 3GPP TS23.401


EPS Mobility Management (EMM) states

EMM deregistered EMM registered

Attach

Detach


EPS Mobility Management (EMM) states

EMM-DEREGISTERED:•In this state the MME holds no valid location information about the UE

•MME may keep some UE context when the UE moves to this state (e.g. to avoid the need for Authentication and Key Agreement (AKA) during every attach procedure)

•Successful Attach and Tracking Area Update (TAU) procedures lead to transition to EMM-REGISTERED

EMM-REGISTERED: •In this state the MME holds location information for the UE at least to the accuracy of a tracking area

•In this state the UE performs TAU procedures, responds to pagingmessages and performs the service request procedure if there is uplink data to be sent.


EPS Connection Management (ECM) and LTE Radio Resource Control (RRC) States

•UE and MME enter ECM-CONNECTED state when the signalling connection is established between UE and MME

•UE and E-UTRAN enter RRC-CONNECTED state when the signalling connection is established between UE and E-UTRAN

ECM idle ECM connected

S1 connection establishment

S1 connection release

RRC idle RRC connected

RRC connection establishment

RRC connection release

E-UTRAN MMEUE


EPS Connection Management

ECM Connected= RRC Connected + S1 Connection

eNB

MME

UE

RRC Connection S1 Connection

ECM Connected


EPS Connection Management (ECM) states

ECM-IDLE:•In this state there is no NAS signalling connection between the UE and the network and there is no context for the UE held in the E-UTRAN.

•The location of the UE is known to within the accuracy of a tracking area

•Mobility is managed by tracking area updates.

ECM-CONNECTED:•In this state there is a signalling connection between the UE and the MME which is provided in the form of a Radio Resource Control (RRC) connection between the UE and the E-UTRAN and an S1 connection for the UE between the E-UTRAN and the MME.

•The location of the UE is known to within the accuracy of a cell.

•Mobility is managed by handovers.


RRC States

RRC-IDLE:• No signalling connection between the UE and the E-UTRAN.• I.e.: PLMN Selection.• UE Receives system information and listens for Paging.• Mobility based on Cell Re-selection performed by UE.• No RRC context stored in the eNB (No C-RNTI).• RACH procedure used on RRC connection establishment.

RRC-CONNECTED:• UE has an E-UTRAN RRC connection.• UE has context in E-UTRAN (C-RNTI allocated).• E-UTRAN knows the cell which the UE belongs to.• Network can transmit and/or receive data to/from UE.• Mobility based on handovers• UE reports neighbour cell measurements.


EMM & ECM States Transitions

EMM_Deregistered

ECM_Idle

Power On

Registration (Attach)

EMM_Registered

ECM_Connected

• Allocate C-RNTI, GUTI• Allocate IP address• Authentication• Establish security context

• Release RRC connection • Release C-RNTI• Configure DRX for paging

EMM_Registered

ECM_Idle

Release due to Inactivity

•Establish RRC Connection•Allocate C-RNTI

New TrafficTAUDeregistration (Detach)

Change PLMN

• Release C-RNTI, GUTI• Release IP address

Timeout of Periodic TAUpdate

• Release GUTI• Release IP address


EMM & ECM States Summary

EMM_Deregistered

ECM_Idle

Network Context:• no context exists

Allocated IDs:• IMSI

UE Position:• unknown to network

Mobility:• PLMN/cell selection

UE Radio Activity:• none

EMM_Registered

ECM_Connected

Network Context:• all info for ongoing transmission/reception

Allocated IDs:• IMSI, GUTI• IP address• C-RNTI

UE Position:• known on cell level

Mobility:• NW controlled handover

UE Radio Activity:• DL w/o DRX• UL w/o DTX

EMM_Registered

ECM_Idle

Network Context:• security keys• enable fast transition to ECM_CONNECTED

Allocated IDs:• IMSI, GUTI• IP address

UE Position:• known on TA level (TA list)

Mobility:• cell reselection

UE Radio Activity:• DL DRX for paging• no UL


Module Contents





• The EPS Bearer




LTE/EPS Bearer

•The main function of every mobile radio telecommunication network is to provide subscribers with transport bearers for their user data.

•In circuit switched networks users get a fixed assigned portion of the network’s bandwidth.

•In packet networks users get a bearer with a certain quality of service (QoS) ranging from fixed guaranteed bandwidth down to best effort services without any guarantee.

•LTE/EPS is a packet oriented system

EPS/SAE

Bearer

PDN GW

UE

•For further information about the EPS Bearer, please refer to 3GPP TS 23.401, v9.2.0, section 4.7.2


LTE/EPS Bearer: Identity & Architecture

cell

S1-ULTE-Uu S5/S8

PDN

SGieNB Serving

GatewayPDN

Gateway

E-UTRAN EPC PDN

•An EPS bearer identity uniquely identifies an EPS bearer for one UE. The EPS Bearer Identity is allocated by the MME.

•LTE/EPS Bearer spans the complete network, from UE over EUTRAN and EPC up to the connector of the external PDN.

•The SAE bearer is associated with a quality of service (QoS) usually expressed by a label or QoS Class Identifier (QCI)

LTE-UE

End-to-End Service

EPS Bearer External Bearer

Radio Bearer S1 Bearer S5/S8 Bearer

•There is a one to one mapping between EPS Radio Bearer (RB) and EPS Bearer, and the mapping between EPS RB Identity and EPS Bearer Identity is made by E-UTRAN.

•The E-RAB ID value used at S1 and X2 interfaces to identify an E-RAB is the same as the EPS Bearer ID value used to identify the associated EPS Bearer.


LTE/EPS Bearer Sections

S5/S8 Bearer

•Between the P-GW to S-GW.

•This is usually a GTP or MIP (Mobile IP) tunnel between the two network elements.

S1 Bearer•Between eNB and S-GW.•The S1 Bearer is implemented using the 2G/3G GTP (GPRS TunnelingProtocol) protocol which builds a GTP tunnel between eNB and S-GW. •The setup of this S1Bearer is managed by the MME. S-GW and eNB do not directly exchange signaling to create it.

Radio Bearer•Between UE and eNB. •The eNB connects a radio bearer internally with the associated S1 Bearer on S1-U interface. •The mapping of radio bearers to physical resources on the air interface is the major task of the eNB scheduler.

•An E-RAB (E-UTRAN Radio Access Bearer) refers to the concatenation of an S1 bearer and the corresponding radio bearer, as defined in TS 36.300


EPS Bearers Establishment can be triggered by….

cellS1-U

UE

S5PDN

SGi

eNB

ServingGateway PDN

Gateway

EPS Bearer External Bearer

MME:This happens typically during the attach procedure of an UE. Depending on the information coming from HSS, the MME will set up an initial bearer, also known as the Default EPS bearer. This EPS bearer provides the initial connectivity of the UE with its external data network or IMS platform.

MME

S1-MMES11

PDN Gateway: The external data network can request the setup of an EPS bearer by issuing this request via PCRF to the PDN gateway. This request will include the quality of service granted to the new bearer. Those are referred as Dedicated EPS bearers.

UE: Note here the differences to GPRS in 2G/3G networks, where only MS/UE initiated PDP context setup is defined.

PCRFGx/S7

Rx

Further Reading in Note Page

•Default bearer is established during the attach phase.

•Dedicated bearers are established based on the services running between the UE and the PDN/IMS.

•A comparison can be made between the dedicated bearer in EPS and the secondary PDP context in UMTS.

•TS 29.274 defines the create bearer request message. This request is used to establish dedicated bearers but not default bearer.

•Reading from the specs, it may lead to a confusion the following sentence: “the dedicated bearers are network initiated”. Because LTE/EPS is all on IP and if you are receiving a call then network may initiate dedicated bearer to forward that call to you. This doesn't mean that UE cannot ask for dedicated bearers. UE can ask for dedicated bearers by sending out bearer modification command but UE cannot send create bearer request. Bearer modification command will make PDN trigger a dedicated bearer.


The Default Bearer Concept

•Each UE that is attached to the LTE network has at least one bearer available, that is called the default bearer.•Its goal is to provide continuous IP connectivity towards the EPC (“always-on” concept)•From the QoS point of view, the default bearer is normally a quite basic bearer•If an specific service requires more stringent QoS attributes, then a dedicated bearer should be established.

cellS1-U

UE

S5PDN

Sgi

eNB

ServingGateway

PDNGateway

Default EPS Bearer

MME

S1-MMES11

•A default Evolved Packet System (EPS) bearer is the bearer that is established during the attach process.

•It will give the UE an IP address and packet data resources so that the UE can do limited packet services.

•One of the best examples of a service that would be good for the default EPS bearer is an IMS registration.

•The characteristics of the default EPS bearer will be defined by the subscription and established by the Mobility Management Entity (MME) upon receiving the attach message based on the subscriber profile in the Home Subscriber Server (HSS).

•Default bearers are created on a per PDN basis. So if a UE is connecting to two PDNs it will need to establish two default bearers.


SAE Bearer QoS Awareness

•One of the major requirements for EUTRAN and EPC to fulfill is that every SAE bearer must be QoS aware.

•All data transmitted within a SAE bearer will get the same QoS handling (scheduling, prioritization, discarding probability, etc.).

•Different applications (for example take a packet video streaming service and a ftp download) have different QoS setting and cannot share the same SAE bearer.

•Other applications with similar traffic characteristics will be able to be placed inside the same SAE bearer provided that the bandwidth of the bearer is scaled accordingly .

•Due to this fact, the standard will allow a UE to have several SAE bearers, each one with a different QoS setting.

•Schedulers in eNB, SAE GW and PDN GW must respect the QoS of each individual SAE bearer.

•Limits coming from a user’s subscription must be taken into account when a new SAE bearer is set up or one is modified. This is one task of the MME.

•Basic Guideline: The LTE/EPS Bearer and QoS management has to be improved in comparison to the way it is done in existing 3GPP system.

•The main reason is that it has not been easy for operators to implement QoS attributes in GSM/WCDMA networks, as they were somehow disconnected from the application layer. This problem was even getting worse by the fact that the UE was responsible for setting the QoS attributes for a Bearer.

•It was therefore agreed that only a reduced set of QoS parameters and standardized attributes would be specified for the EPS bearer.


EPS Bearer QoS Attributes

Default Bearer/Dedicated Bearer

AMBR

EPS Bearer QoS Parameters

(To be defined per User)

ARP

QCI

UL/DL-TFT

MBR

GBR/N-GBR

EPS Bearer QoS Parameters

(To be defined per Bearer)

For every EPS bearer the following QoS parameters are available:

• Dedicated or default EPS bearer

• Guaranteed Bit Rate (GBR) or Non-Guaranteed Bit Rate (N-GBR)

• Maximum Bit Rate (MBR)

• Traffic Flow Control (UL/DL-TFT):• Integer number indicating QoS category: Label or QoS Class identifier (QCI)

• Allocation/Retention Priority (ARP)

For all bearers together for one user, following QoS parameter is available:

• Aggregate Maximum Bit Rate (AMBR)


SAE Bearer QoS Attributes (1/3)

Dedicated or Default bearer:

•The default bearer is allocated during attach of a UE to the system.

•Dedicated bearers on the other hand are created on demand by the external PDN network.

•Only dedicated bearers can be of Guaranteed Bit rate (GBR) type.

GBR (Guaranteed Bit Rate) or NGBR (Non Guaranteed Bit Rate):

•GBR bearers will reserve some (physical or virtual) capacity along the transmission path and thus guarantee some bit rate level.

•This is required for streaming and conversational services with low upper delay and delay jitter bounds.

•For services that do not have so strong requirements regarding these values typically NGBR bearers will be used.

•The technical difference between GBR and NGBR will be seen in the admission control functions of eNB, SAE GW and PDN GW.

• GBR bearers will usually block more virtual resources for the same throughput and peak bit rate than NGBR bearers.

GBR identifies the bit rate that will be ensured to the bearer.



Traffic Flow Control (UL/DL-TFT):•Because a single UE can have multiple SAE bearers, the system requires some kind of packet filter to decide which IP datagram has to go to which SAE bearer.•These packet filters are formed by the uplink and downlink TFT (Traffic Flow Template).•Each dedicated SAE bearer has to have one UL and one DL TFT.•Some criteria like source and destination IP address, flow labels, port numbers, transport layer protocol type, etc. specifies, which IP datagrams will have to be sent in the associated SAE bearer. •In the moment the concrete structure of the TFT is for further study, especially whether additional QoS parameters might be inside or not.

Maximum Bit Rate (MBR):

•Identifies the Maximum Bit Rate for the SAE Bearer.

•Can be only specified for GBR SAE Bearers

•Not included in 3GPP Rel.8: in Rel 8 the MBR is always set to equal to the GBR



Label or QCI:•The label is simply an integer number assigned to the SAE bearer.•This number indicates the QoS category the bearer belongs to by identifying a set of locally configured values for 3 QoS attributes: Priority, Delay and Loss Rate.•It is up to the operator to define these labels, although some standard labels might be provided by 3GPP.• This label can be translated into a DiffServ-tag used on S1-U and S5/S8 in the IP header to implement IP differentiated service routing in the associated IP protocol stacks.•Refer to next slides for further information on this parameter

Allocation/Retention Priority (ARP):

•Indicated the priority of the Bearer compared to other bearers.

•This provides the basic information for admission control for bearer set-up and for bearer dropping (in case of congestion situation).

Aggregate maximum Bit Rate (AMBR):

•Specifies a maximum bandwidth per user (UE) considering all the simultaneous services established by this user.

ARP Parameter

Notes from the Specs (3GPP TS 23.401, v9.2.0, section 4.7.3) regarding the ARP parameter:

The ARP should be understood as "Priority of Allocation and Retention"; not as "Allocation, Retention, and Priority".

Video telephony is one use case where it may be beneficial to use EPS bearers with different ARP values for the same UE. In this use case an operator could map voice to one bearer with a higher ARP, and video to another bearer with a lower ARP. In a congestion situation (e.g. cell edge) the eNB can then drop the "video bearer" without affecting the "voice bearer". This would improve service continuity.

UE-AMBR

Notes from the Specs (3GPP TS 23.401, v9.2.0, section 4.7.3) regarding the UE-AMBR parameter:

The UE-AMBR limits the aggregate bit rate that can be expected to be provided across all Non-GBR bearers of a UE (e.g. excess traffic may get discarded by a rate shaping function).

Each of those Non-GBR bearers could potentially utilize the entire UE-AMBR, e.g. when the other Non-GBR bearers do not carry any traffic.

GBR bearers are outside the scope of UE AMBR.

The E-UTRAN enforces the UE-AMBR in uplink and downlink.


3G vs. SAE Bearers QoS Attributes Comparison

• A single scalar parameter (QoS Class Identifier=QCI) is a pointer to a set of QoS parameters.

• QCI is also called Label in LTE.• Simplified approach compared to 2G/3G where each

parameter is indicated separately.

3G LTE/EPS

Residual BER

SDU error rate

Delivery of erroneous SDUs

Max SDU size

Delivery order

Transfer delay

ARP

Traffic class

Traffic handling priority

Max bit rate

Guaranteed bit rate

QCI (QoS Class Identifier)

ARP

Max bit rate

Guaranteed bit rate

Aggregate max bit rate

Per bearer

Per terminal

UL/DL TFT


QoS Class Identifier (QCI) Table in 3GPP

GBR1

Guarantee Delay budget Loss rate ApplicationQCI

GBR

100 ms 1e-2 VoIP

2

GBR

150 ms 1e-3 Video call

3

GBR

300 ms 1e-6 Streaming

4

Non-GBR 100 ms 1e-6 IMS signalling5

Non-GBR 100 ms 1e-3 Interactive gaming6

Non-GBR 300 ms 1e-6TCP protocols : browsing, email, file download

7

Non-GBR 300 ms 1e-68

Non-GBR 300 ms 1e-69

Priority

2

4

5

1

7

6

8

9

50 ms 1e-3 Real time gaming3

Nine pre-configured classes have been specified in 2 categories of Bearers: GBR and N-GBR.

In addition, Operators can create their own QoS class identifiers (QCI)

The QoS attributes associated with the QCI parameter are:

Priority: used to define the priority for the Packet Scheduler function in the eNB

Delay Budget: helps the packet scheduler to ensure that users are scheduled sufficiently often to guarantee the delay requirements of the Bearer.

Loss Rate tolerance is primarily intended for setting the RLC protocol settings (e.g. number of RLC retransmissions). The label will most likely also include a priority parameter, which the packet scheduler can use for differentiation.


SAE Bearer Usage Example

PDNGateway

PDN

IMAP server(IP:A, UDP Port:a)

SIP server(IP:B, UDP Port:b)

VoIP User Agent(IP:C, UDP Port:c)

Default EPS Bearer (N-GBR)

Dedicated EPS Bearer (GBR)

E-MAIL

SIP UA

VoIPCodec

DL Packet Filter:(DL TFT)IP Source Add.=C UDP Source Port =cProtocol = UDP/RTP

UL Packet Filter:(UL TFT)IP Dest Add.=C UDP Dest. Port =cProtocol = UDP/RTP

•The figure shows a UE with three applications running: e-mail, SIP user agent and VoIP call. The voice over IP call was initiated via the SIP user agent. In this example we have three applications running, although for the user the SIP UA and the VoIP call belong together and form one service component.

•First let us analyze how many different QoS requirements we have. If we don’t want to make a too fine split, we can say, that SIP signaling and e-mail is not so time sensitive. So both could share a single SAE bearer with NGBR behavior and this could be the default EPS bearer created when the user attached to the system.

•On other hand the VoIP call is obviously time critical, as speech codecs do not tolerate a high delay or delay jitter. Thus for the speech call we would have to setup a SAE bearer providing a minimum bit rate equal to the minimum useful bit rate the codec requires.

•So we end up with two SAE bearers, the default one for the e-mail application and the SIP user agent. The second SAE bearer is a dedicated one and is used for the transfer of the VoIP speech packets (usually IP/UDP/RTP datagrams).

•For the dedicated bearer we have to specify a DL and UL TFT to support the system in its decision which IP datagrams will be transferred via which SAE bearer. In the simplest from the TFT specify the IP addresses of the UE and the opposite VoIP client and their allocated UDP port numbers for the VoIP call.


IP PackageIP Source:AIP Dest.:B

GTP-U T-PDU

TEID-SG1

SAE bearer – GTP option shown on S5/S8

S1-U S5PDN

SgieNB Serving

GatewayPDN

Gateway

Applic.Applic.

IPIP

IP: A IP: B

Radio Bearer S1 GTP-U Tunnel S5/S8 GTP-U Tunnel

IP PackageIP Source:BIP Dest:A

TEID-eNB

TEID-SG1

TEID-SG2

TEID-PG

GTP-U T-PDU

TEID-SG2IP PackageIP Source:BIP Dest:A

GTP-U T-PDU

TEID-eNBIP PackageIP Source:BIP Dest:A

Radio Protocols

IP PackageIP Source:BIP Dest:A


Radio Protocols


GTP-U T-PDU

TEID-PGIP PackageIP Source:AIP Dest.:B

RadioProtocolsRadio

Protocols

•SAE bearers consist of three segments: radio bearer, S1-U bearer and S5/S8 bearer.

•For the S5/S8 bearer between SAE GW and PDN GW there are two options mentioned. The first one is based on the 2G/3G protocol GTP which is also used on S1-U. The second option for S5/S8 is based on Mobile IPv6 (MIPv6). As the latter is not completed yet, we discuss here only the GTP based S5/S8 interface.

•On the radio interface the SAE bearer is uniquely associated with one radio bearer RB. The radio bearer is by the radio scheduler dynamically mapped to the available physical layer resources, this means, that a RB does not allocate resources in a fixed manner for a long time. This provides the required flexibility for resource re-assignments which WCDMA introduced with HSDPA.

•Between eNB and SAE GW the SAE bearer is tied to a single GTP-U tunnel. A GTP-U tunnel is identified by a TEID (Tunnel Endpoint IDentifier) allocated by both endpoints - in this case one from eNB TEID-eNB and one from SAE GW TEID-SG1. It is a task of the MME to exchange both TEIDs between eNB and SAE GW during setup of the tunnel. Packets in the downlink will be sent in GTP-U frames (T-PDU) and will carry the TEID-eNB in its header. The eNB must connect its TEID-eNB internally with the radio bearer. This also works for uplink, where all data from the associated radio bearer will have to be sent on S1-U with the TEID-SG1 in the GTP-U header.

•If the S5/S8 interface is based on GTP option, then we will also here find a GTP-U tunnel for the SAE bearer. Again exactly one tunnel will be provided for the SAE bearer. The setup of the tunnel requires two new TEID -one from SAE GW TEID-SG2 (usually different from TEID-SG1) and one from the PDN GW TEID-PG. The communication principle is the same as on S1-U interface. But this time SAE GW and PDN GW handle the exchange of their TEIDs for themselves. Therefore they use the control part of the GTP protocol which provides messages to setup such tunnels. [NOTE: Which changes in GTP are required for this is currently under investigation.]

•The SAE gateway is responsible to link the S1 GTP-U tunnel and the S5/S8 GTP-U tunnel with each other to allow efficient forwarding of data between PDN GW and eNB. The PDN GW on the other hand must link its tunnel to the external network and to the IP address of the UE inside this network. The DL TFT packet filters support the PDN GW in the task to select the right GPT-U tunnel of a UE for an incoming IP datagram. The UL TFT on the other hand is used at the UE side for the same task.

•It is important to note, how and when these tunnels and bearer segments are available. When a new SAE bearer is setup usually a radio bearer, a S1 GTP-U tunnel and a S5/S8 GTP-U tunnel is created. The latter will only be released, when the SAE bearer is released. Radio bearer and S1 GTP-U tunnel on the other hand will be released when the UE enters an idle state. This state can be triggered due to inactivity. When this happens the radio bearer is removed and the eNB will also clear the TEIDs from its memory for the UE (to be true, the eNB will delete everything). The SAE GW therefore also must delete the TEID-eNB, but will usually keep its own TEID-SG1. If there should be data to be sent later on, the UE must send a SERVICE REQUEST to the MME to demand the re-establishment of the S1 GTP-U tunnel and the radio bearer. In short words, the S5/S8 tunnel is rather permanent, whereas radio bearer and S1 tunnel are dynamic with respect to the life time of a SAE bearer.


Module Contents





• The EPS Bearer




LTE/EPS Procedures

• Attach

• S1 Release

• Detach

• Service Request

• Tracking Area Update (TAU)

• Dedicated Bearer Activation

• Handover


MMEHSSPCRF

UE eNB newMME

ServingGateway(SGW)

PDNGateway

Attach Request

IMSI/old GUTI,old TAI,old GUMMEI, old ECGI

Authentication Request

Authentication Response

Update Location (ME & MME Capabilities, IMEI, Update Type)

Authentication Vector Request (IMSI)

Insert Subscriber Data (subscription data = default APN, subscriber AMBR

Insert Subscriber Data Ack

Update Location Ack

EMM_Deregistered

Attach (1/2)

Authentication Vector Response

RRC_Connected

ECM_Connected

Default bearer QOS profile, TA restrictions, …)

Reference to specs.: TS 23.401 section 5.3.2

The attach procedure in LTE/EPS is quite similar to the GPRS attach in 2G/3G. It brings the UE from EMM_DEREGISTERED state to EMM_REGISTERED. In addition to that the procedure also establishes the default SAE bearer for the UE and thus allocates the required IP addresses for the subscriber in the external packet data network.

1.- The UE connects to the serving cell and the associated eNB. The UE sends the ATTACH REQUEST message (NAS) including IMSI/ old GUTI, old TAI, old GUMMEI and old ECGI. The eNB selects an available MME and forwards the message to it.

2.-The first task of the MME is to identify and authenticate the subscriber. Thus it contacts the HSS (in case IMSI is used for identification) or the old MME (in case the UE is identified via old GUTI) with IDENTIFICATION REQUEST (GTP-C). The response should contain the IMSI (when contacting old MME) and some authentication vectors for the subscriber. (Flowchart shows direct contact with HSS).

3.-Using the authentication vectors from the old MME/HSS the new MME can start an authentication procedure (NAS). The authentication mechanism is the same as in 3G.

4.-After a successful authentication the new MME can begin to update the HSS and download the subscription data from there. This is achieved via Diameter procedures UPDATE LOCATION and INSERT SUBSCRIBER DATA. During this process the HSS will also force the old MME to clear the stored data about the subscriber using the Diameter operation CANCEL LOCATION.


Update Bearer Response

Update Bearer Request

(IP/TEID of eNB for S1U)

Attach Complete

(EPS Bearer ID,IP/TEID of eNB for S1U

EPS RB Est. Resp.

Includes Attach Complete

Create Def. Bearer Req.

MMEHSSPCRF

UE eNB newMME

ServingGateway(SGW)

PDNGateway

Attach (2/2)

(GUTI, security info, UE IP address, IP/TEID of SGW-S1U (only for eNB))

Create Def. Bearer Rsp.

(IP/TEID of SGW-S1U,…..)

Create Def. Bearer Rsp.

(UE IP address, IP/TEID of PDN GW, user & control planeEPS Bearer ID and QoS according to PCRF)

select SAE GWCreate Default Bearer Request

(IMSI, RAT type, default Bearer QoS, Map APN to PDN GW)

(IMSI,MSISDN, APN, IP/TEID of SGW-S5, user & control plane)

Attach AcceptEPS R Bearer Est. Req.

(Includes Attach Accept)

UL/DL Packet Data via Default EPS Bearer

PCRF Interaction

EMM_Registered

ECM_Connected

(EPS RB ID)


5.-Based on the subscription data the new MME must decide whether a default bearerhas to be created or not. The default access point name (default APN) assists the MME in selection of an appropriate SAE GW. To this serving gateway the CREATE DEFAULT BEARER REQUEST message (GTP-C) is sent to. The SAE GW will now create the S5/S8 tunnel. This is done with the same message, but sent to the PDN GW.

6.-When the EPC resources for the default bearer are prepared, the new MME can give the ATTACH ACCEPT message to eNB. The S1-AP message which will contain it is the Initial Context Setup request and it will also hold the tunnel endpoint identifier allocated by the Serving GW for S1-U interface. The eNB creates the radio bearer for the default SAE bearer and returns ATTACH COMPLETE to the MME. The S1-AP message this one is in will hold the TEID allocated by the eNB for S1-U interface. Via an UPDATE BEARER procedure the MME will give this parameter to the Serving GW.

7.-Now the default SAE bearer is complete and the UE is in state EMM_REGISTERED and ECM_CONNECTED.


RRC Connection Release

S1 Release

MME

S1 Release Request

causeUpdate Bearer Request

release of eNB S1U resources


ServingGateway(SGW)

PDNGateway

S1 Release Command

cause

S1 Release Complete

RRC Connection Release Ack

EMM_Registered

ECM_Connected

•After attach UE is in EMM_Registered state.

•The default Bearer has been allocated (RRC_connected + ECM_connected) even it may not transmit or receive data

•If there is a longer period of inactivity by this UE, the Admission Control should free the resources (RRC_idle + ECM_idle)

S1 Signalling Connection ReleaseECM_Idle

EMM_Registered


1.-The eNB can send the message S1 RELEASE REQUEST (S1-AP) to the MME to request the release of all EUTRAN resources for a UE. The message can for instance be triggered by detection of a too long inactivity period.

2.-When the MME gets a trigger to release the UE from EUTRAN, it will release the S1 tunnels allocated for the SAE bearers of the UE. This is done by sending an UPDATE BEARER REQUEST message (GTP-C) to the Serving GW. In the message the indication of the release of the S1 resources is contained.

3.-In parallel to the previous step the MME will send the S1-AP message S1 RELEASE COMMAND to the eNB. It will trigger the release of the UE on the air interface with message RRC CONNECTION RELEASE (RRC). This will bring the UE to RRC_IDLE state and with that also to ECM_IDLE state. The UE acknowledges with RRC CONNECTION RELEASE ACK.


Detach

•Can be triggered by UE or by the Network (MME, SGSN or HSS).

•During the detach procedure all SAE bearers with their associated tunnels and radio bearers will be deleted.

• The LTE-UE will lose all the temporary IDs (GUTI, C-RNTI and IP Address)

Note: Detach procedure initiated by UE.

MME

NAS: Detach Accepted

Delete Bearer Request

Delete Bearer Response

EMM-Registered

ServingGateway(SGW)

PDNGateway

NAS Detach Request

switch off flag Delete Bearer Request


PCRF

S1 Signalling Connection Release

RRC_Connected

ECM_Connected

EMM-Deregistered

RRC_Idle + ECM Idle


IP SessionTermination

HSS

Notify Request

Notify Response

The transition to EMM_DEREGISTERED state is achieved by the NAS detach procedure.

The Detach procedure allows:

-the UE to inform the network that it does not want to access the EPS any longer

-the network to inform the UE that it does not have access to the EPS any longer

The UE is detached either explicitly or implicitly:

-Explicit detach: The network or the UE explicitly requests detach and signal with each other

-Implicit detach: The network detaches the UE, without notifying the UE. This is typically the case when the network presumes that it is not able to communicate with the UE, e.g. due to radio conditions.

The procedure consists of the DETACH REQUEST / DETACH ACCEPTprocedure between UE and MME and the DELETE BEARER procedure between MME and Serving GW and PDN GW. Furthermore at the end the S1 RELEASE procedure between MME and eNB deletes all radio resources.


Detach Reference to specs.: TS 23.401 section 5.3.8

Note: Detach procedure initiated by MME.

MME

NAS: Detach Accepted



EMM-Registered

ServingGateway(SGW)

PDNGateway

NAS Detach Request

switch off flag Delete Bearer Request


PCRF

S1 Signalling Connection Release

RRC_Connected

ECM_Connected

EMM-Deregistered

RRC_Idle + ECM Idle

IP SessionTermination

HSS

Notify Request

Notify Response

The transition to EMM_DEREGISTERED state is achieved by the NAS detach procedure.

The Detach procedure allows:

-the UE to inform the network that it does not want to access the EPS any longer

-the network to inform the UE that it does not have access to the EPS any longer

The UE is detached either explicitly or implicitly:

-Explicit detach: The network or the UE explicitly requests detach and signal with each other

-Implicit detach: The network detaches the UE, without notifying the UE. This is typically the case when the network presumes that it is not able to communicate with the UE, e.g. due to radio conditions.

The procedure consists of the DETACH REQUEST / DETACH ACCEPTprocedure between UE and MME and the DELETE BEARER procedure between MME and Serving GW and PDN GW. Furthermore at the end the S1 RELEASE procedure between MME and eNB deletes all radio resources.


Service Request

MMEServingGateway(SGW)

PDNGateway

NAS Service Request

GUTI/S-TMSI, TAI, service type

Authentication Request

authentication challenge


Authentication response

RRC_Idle+ ECM_Idle

ECM_Connected

RRC_Connected


NAS Service Request

Initial Context Setup Req.


(IP/TEID of ENB in S1U)


(IP/TEID of SGW in S1U, QoS,..)RB Establishment Req.

RB Establishment Rsp.

Initial Context Setup Rsp.

(IP/TEID of eNB in S1U, ..)

Note: Service Request procedure initiated by UE.

UE Triggered Service Request Procedure

• From time to time a UE must switch from ECM_Idle to ECM_connected

• The reasons for this might be UL data is available, UL signaling is pending (e.g. tracking area update, detach) or a paging from the network was received.

1.-The UE sends the NAS message SERVICE REQUEST towards the MME encapsulated in an RRC message to the eNodeB. If there are multiple MME connected to the eNB it is the task of the eNB to select the right MME (the one the UE is registered with) from S-TMSI/GUTI and TAI. The service type parameter indicates the above mentioned reason for the service request.

2.The eNodeB forwards NAS message to MME. NAS message is encapsulated in an S1-AP: Initial UE Message (NAS message, TAI+ECGI of the serving cell, S-TMSI, CSG ID, CSG access Mode).

3.NAS authentication procedures may be performed.

4.The MME sends S1-AP Initial Context Setup Request (Serving GW address, S1-TEID(s) (UL), EPS Bearer QoS(s), Security Context, MME Signalling Connection Id, Handover Restriction List,…) message to the eNodeB. This step activates the radio and S1 bearers for all the active EPS Bearers. The eNodeB stores the Security Context, MME Signalling Connection Id, EPS Bearer QoS(s) and S1-TEID(s) in the UE RAN context.

5.The eNodeB performs the radio bearer establishment procedure. The user plane security is established at this step.When the user plane radio bearers are setup the Service Request is completed and EPS bearer state is synchronized between the UE and the network

6.The uplink data from the UE can now be forwarded by eNodeB to the Serving GW. The eNodeBsends the uplink data to the Serving GW address and TEID provided in the step 4. The Serving GW forwards the uplink data to the PDN GW.

7.The eNodeB sends an S1-AP message Initial Context Setup Complete (eNodeB address, List of accepted EPS bearers, List of rejected EPS bearers, S1 TEID(s) (DL)) to the MME.

8.The MME sends a Modify Bearer Request message (eNodeB address, S1 TEID(s) (DL) for the accepted EPS bearers, Delay Downlink Packet Notification Request, RAT Type) to the Serving GW. The Serving GW is now able to transmit downlink data towards the UE.

12.The Serving GW sends a Modify Bearer Response to the MME.


Service Request


PDNGateway

Paging

(S-TMSI, TAI/TAI-list)

DL DataDL Data Notification

Paging

S-TMSI

RRC_Idle+ ECM_Idle


DL Data Notification Ack.

Note: Service Request procedure initiated by the Network

UE Triggered Service Request Procedure

1.When the Serving GW receives a downlink data packet for a UE known as not user plane connected (i.e. the S-GW context data indicates no downlink user plane TEID), it buffers the downlink data packet and identifies which MME is serving that UE.

2.The Serving GW sends a Downlink Data Notification message to the MME for which it has control plane connectivity for the given UE. The MME respond to the S-GW with a Downlink Data Notification Ack message.

If the Serving GW receives additional downlink data packets for this UE, the Serving GW buffers these downlink data packets and the Serving GW does not send a new Downlink Data Notification.

3.The MME sends a Paging message (NAS ID for paging, TAI(s), UE identity based DRX index, Paging DRX length, list of CSG IDs for paging) to each eNodeB belonging to the tracking area(s) in which the UE is.

4.If eNodeBs receive paging messages from the MME, the UE is paged by the eNodeBs.

Steps 3-4 are omitted if the MME already has a signalling connection over S1-MME towards the UE.

5.When UE is in the ECM-IDLE state, upon reception of paging indication in E-UTRAN access, the UE initiates the UE triggered Service Request procedure


Tracking area 1Tracking area 2

Tracking area update

MME

Tracking Area Update (TAU)

•Tracking area (TA) is similar to Location/Routing area in 2G/3G .

•TAI (Tracking Area Identity) = MCC (Mobile Country Code) + MNC (Mobile Network Code) + TAC (Tracking Area Code).

•When UE is in ECM-Idle, MME knows UE location with Tracking Area accuracy.

A Tracking Area Update takes place if:

- UE detects it has entered a new Tracking Area that is not in the list of TAIs that the UE registered with the network;

- the periodic Tracking Area update timer has expired;


MMEHSS

eNB newMME MME

oldMME

newServingGateway(SGW)

PDNGateway

TAU Request

Context Request

(Current GUTI/IMSI, old TAI, EPS Bearer Status)

(Old GUTI/IMSI, complete TAU Request Message)

Context Response

(IMSI, IMEI,MSISDN, unused EPS Authentication vectors, KASME, etc…)Authentication Request


Create Bearer Request

(IMSI, bearer contexts, RAT type)

Context Acknowledge

Serving GW change Indication


(IP/TEID for new SGW-S5, RAT type)

Create Bearer Response

(new SGW-S1 IP/TEID)


(IP/TEID for PDN GW)

oldServingGateway(SGW)

TAU (1/2)

UE EMM_Registered

RRC_Idle + ECM_Idle

RRC_Connected

ECM_Connected

MME determines if ServingGW Change is needed


TAU Request

Note: TAU with Serving GW change

1.-The UE sends TRACKING AREA UPDATE REQUEST with its current GUTI or IMSI, old TAI and EPS Bearer Status information to the eNB. This one has to forward the message to a MME. If the old MME cannot be selected, then a new MME must be chosen by the eNB.

2.-The new MME must first of all get the identity (IMSI) of the subscriber and authenticate him/her. Therefore the new MME contacts the old one via GTP-C CONTEXT REQUEST. The CONTEXT RESPONSE contains IMSI, authentication vectors, but also all information about the currently active SAE bearers of this user.

3.-With one of the authentication vectors the new MME can start authentication.

4.-After a successful authentication the new MME analyzes if a Serving GW change is needed

5.- New MME informs the old one that it is ready to take control over the UE (Context Acknowledge message). The old MME will now start a timer and wait for the cancellation of the subscriber record.

6.-In parallel to the previous step the new MME sends GTP-C CREATE BEARER REQUEST to the Serving GW it has selected. The message will trigger the setup of new S1 tunnels and trigger an update towards PDN GW. This will change the traffic path from PDN GW to new Serving GW to new eNB.


MMEHSS

eNB newMME MME

oldMME

newServingGateway(SGW)

PDNGateway

Update Location

(new MME identity, IMSI, update type, …)

(IMSI, cancellation type = update)

Cancel Location Ack


(TEID)


Cancel Location

oldServingGateway(SGW)

Update Location Ack

Tracking Area Update Accept

(new GUTI, TA/TA-list, EPS Bearer Status)

Tracking Area Update Complete

TAU (2/2)

EMM_Registered

RRC_Connected + ECM_Connected

( IMSI, subscription data)

Note: TAU with Serving GW change


7.-Also simultaneously with the previous steps the MME will update the HSS. During this the HSS will cancel the subscriber record in the old MME. The old MME will of course also delete the old tunnels in the old Serving GW.

8.-At the end the UE gets a NAS message TRACKING AREA UPDATE ACCEPT. In it a new GUTI and new tracking area (or tracking area list) will be contained. The UE has to acknowledge with TRACKING AREA UPDATE COMPLETE.


“Multi Tracking Area Registration” Concept

UE only triggers TAU when moving to a cell belonging to a TA not in the TA list for that UE.


Dedicated Bearer Activation

•The default SAE bearer is created when the UE performs the attach. •Subsequent SAE bearers are known as dedicated SAE bearers.•They are expected to be allocated on a per application base, with parameter that are application dependent.•Dedicated SAE bearers can be triggered by the network, not only by the user, like PDP contexts in GPRS.



(SGW-S1 IP/TEID2, QoS param.)

Create Dedicated BearerRequest

Create Dedicated BearerRequest

Dedicated Bearer Activation (1/2)


PDNGateway

(PDN GW IP/TEID2, QoS param. …)

Service Request

PCRF

PCCDecision

Paging

(S-TMSI, TA/TA-list, …)

Paging

(S-TMSI)

(GUTI/S-TMSI, TAI.service type = paging response)

Initial Context Setup Req.


(eNB-S1 IP/TEID1)

(SGW-S1 IP/TEID1, EPS Bearer ID,QoS)RB Establishment Req.

RB Establishment Rsp. Initial Context Setup Rsp.

(eNB-S1 IP/TEID1, EPS Bearer ID, ..)

RRC_Connected + ECM_Connected

Network Triggered

Service Request

Procedure

RRC_Idle+ ECM_Idle

(QoS Policy)


Note: procedure initiated by the Network

1.-The external data network triggers the request for a new IP connectivity bearer (SAE bearer) via the PCRF connected to the PDN gateway that owns the default SAE bearer of this user. This is sent in form of a Policy and Charging Control (PCC) decision (QoS policy) from PCRF to PDN GW.

2.-The PDN GW first of all uses GTP-C CREATE DEDICATED BEARER REQUEST to setup the tunnel between PDN GW and Serving GW.

3.-The Serving GW allocates the resources for the S5/S8 tunnel and forwards an associated request to the MME for the S1 tunnel.

4.-If the UE is currently ECM_IDLE it must be paged. Thus the MME sends PAGING messages of S1-AP protocol to all eNB that own cell’s of the UE’s current tracking area (or tracking areas). If the UE receives such a paging it will respond with the SERVICE REQUEST procedure. in the following the default SAE bearer will be re-established.


(SGW-S5 IP/TEID2, EPSBearer ID, QoS, …)

Create Dedicated BearerResponse

Session Mgmt. Response(NAS message, EPS Bearer ID)

Dedicated Bearer Activation (2/2)


PDNGateway

Create Dedicated BearerResponse

PCRF

(eNB IP/TEID2, EPS Bearer ID, QoS, … )

PCCProvisionAck


Note: procedure initiated by the Network

5.-The UE NAS layer builds a Session Management Response including EPS Bearer Identity. The UE then sends a Direct Transfer (Session Management Response) message to the MME.

6.- Upon reception of the Bearer Setup Response message and the Session Management Response message in step 5, the MME acknowledges the bearer activation to the Serving GW by sending a Create Bearer Response (EPS Bearer Identity, S1-TEID) message.

7.-The Serving GW acknowledges the bearer activation to the PDN GW by sending a Create Bearer Response (EPS Bearer Identity, S5/S8-TEID) message.

8.-If the dedicated bearer activation procedure was triggered by a PCC Decision Provision message from the PCRF, the PDN GW indicates to the PCRF whether the requested PCC decision (QoS policy) could be enforced or not, allowing the completion of the PCRF-Initiated Session Modification procedure.


LTE/EPS Handover

• When the UE is in ECM_Connected state, mobility handling takes place via network controlled handovers with UE assistance.

• UE assistance here simply means that the UE sends measurements and reports to the eNB to assist in the handover decision.

• Currently it is planned that neighbour cells are based on the UE’s cell detection capabilities rather than on a network supplied neighbour cell list.

Intra LTE/EPS Network Handover Types:

• 1.- Intra eNB handover.

• 2.- Inter eNB handover with X2 interface (with or without Serving Gateway relocation)

• 3.- Inter eNB handover without X2 Interface (S1-based handover)


LTE/SAE Handover principles

•1.- Lossless

- Downlink Packets are forwarded from the source cell to the target cell.

•2.-Network Controlled

-Target cell is selected by the network, not by the UE

-Handover control in E-UTRAN (not in packet core)

•3.-UE-assisted

-Measurements are collected by the UE and reported to the network.

•4.-Late path switch

- Only once the handover is successful, the packet core is involved.


Handover Procedure

SAE GW

MME

Source eNB

Target eNB

SAE GW

MME

SAE GW

MME

SAE GW

MME

= Data in radio= Signalling in radio

= GTP tunnel= GTP signalling

= S1 signalling= X2 signalling

Before handoverHandover

preparationRadio handover

Late path switching

Note: X2-based handover without Serving GW relocation


User plane switching in HandoverNote: X2-based handover without Serving GW relocation

DATA FORWARDING

Downlink

–source eNB forwards all downlink RLC SDUs that have not been acknowledged by the UE to the target eNB

–target eNB re-transmits and prioritize all downlink RLC SDUs forwarded by the source eNB as soon as it obtains them

–reordering and duplication avoidance in the UE

•Uplink

–source eNB forwards all successfully received uplink RLC SDUs to the EPC

–UE re-transmits the uplink RLC SDUs that have not been successfully received by the source eNB

–Reordering and duplication avoidance in EPC


(HO-command, target eNB IP/TE IDin X2)

X2AP: Handover Request

(target cell, source eNB IP/TE ID in X2,Serving MME & SAE GW)

RRC: Measurement Control

Inter eNB Handover with X2 interface (1/2)

MME

ECM_Connected

ServingGateway

(SGW)

Packet Data

sourceeNB

targeteNB

RRC: Measurement Report

HO Decision

Admission Control: allocatesresources for incoming UEX2AP: Handover Request Ack

RRC: Handover Command

(target cell description, C-RNTI,…)

detach source cell

sync. target cell

forward bufferedDL packets

buffering of DLpackets from old eNB

DL Packet Data



1.-The source eNB configures the UE measurement procedures with MEASUREMENT CONTROL

2.-UE is triggered to send MEASUREMENT REPORT to the source eNB. It can be event triggered or periodic.

3.-Source eNB makes handover decision based on UE report + load and service information.

4.- When the source (current serving) eNB decides to start a handover of an UE to a neighbor cell in a new (target) eNB it will contact this target eNB. This is done via the X2-AP message HANDOVER REQUEST. The message will contain the target cell for the UE, the current serving MME and SAE GW. It is task of the target eNB to allocate virtual capacity in the target cell via its admission control function.

5.-If this is done the target eNB returns part of the handover message for the UE within the X2-AP message HANDOVER REQUEST ACKNOWLEDGE. In this message also a data forwarding tunnel (TEID from target eNB) is indicated. It allows the source eNB to forward still buffered or still arriving downlink packets to the target eNB.

6.-The source eNB can now give the HANDOVER COMMAND (RRC) to the UE. The command contains the configuration for the UE in the new cell and possibly already an UL/DL resource allocation. The UE will detach from the old cell and synchronize itself to the new cell. In the mean time the source eNB can start downlink packet forwarding via X2 interface.




S1AP: Handover CompletePath Switch Request

MMEServing

Gateway(SGW)

(TAI, target cell ECGI, target eNB IP/TEID, … )

sourceeNB

targeteNB

Synchronization

UL Allocation + timing advance

RRC: Handover Confirm

(target eNB IP/TEID, …

switch DLPath

(new SGW-S1 IP/TEID, … )

S1AP: Handover Complete AckPath Switch Req. Ack.

(new SGW-S1 IP/TEID, … )X2AP: Release Resources

flush DL buffersDL Packet Data

release resources

Packet Data

Packet Data forwards DL packetsand accepts UL

packets


Inter eNB Handover with X2 interface (2/2)


MME determinesif Serving GW

Change is needed

Packet Data

7.-UE performs the final synchronization to target eNB and accesses the cell via RACH procedure

(DL pre-synchronization is obtained during cell identification and measurements)

8.-Target eNB gives the uplink allocation and timing advance information

9.-Once synchronization between UE and the new cell is achieved, the UE confirms the handover with RRC message HANDOVER CONFIRM. This will trigger a HANDOVER COMPLETE message of S1-AP to be sent to the MME. It simply informs the MME that now a new eNB is responsible for the UE. Thus this message will contain the IP addresses and TEIDs of the target eNB for the S1 tunnels.Additionally it contains the TAI and the target cell ECGI.

10.-The MME’s task is to send this information via GTP-C UPDATE BEARER REQUESTto the Serving GW. This will switch the traffic path now completely from Serving GW to target eNB.

11.-Serving Gateway switches the downlink data path to the target side.

12.-Serving Gateway sends an UPDATE BEARER RESPONSE message to MME.

13.-MME confirms the Handover Execution with the HANDOVER COMPLETE ACK message.

14.-By sending RELEASE RESOURCE the target eNB informs success of handover to source eNB and triggers the release of resources.

15.-Upon reception of the RELEASE RESOURCE message, the source eNB can release radio and C-plane related resources associated to the UE context.


Module Contents





• The EPS Bearer




LTE/SAE Security: EPS Authentication and Key Agreement (AKA)

•EPS Authentication and Key Agreement (EPS AKA) shall be based on UMTS AKA. • UMTS Authentication and Key Agreement is a protocol designed to support roaming and fast re-authentication. • It was originally designed to achieve maximum compatibility with 2G security mechanisms.

The requirements on EPS AKA are:EPS AKA shall be based on USIM and extensions to UMTS AKAAccess to E-UTRAN with 2G SIM shall not be granted. R99 USIM will be accepted.EPS AKA shall produce keys that are the basis of C-plane and U-plane protectionUMTS AKA achieves mutual authentication between the user and the network by

demonstrating knowledge of a pre-shared secret key K which is only known by the USIM and the AuC in the user’s HSS.

For further information, please refer to 3GPP TS 33.401 and TS 33.102 (SAE Security Architecture)


EPS Authentication Procedure

• RAND is a random value

• KASME is an authentication parameter used, among other tasks, for network authentication

• AUTN is the Network Authentication Token

• XRES is the UE expected result of the authentication computation

MME

Authentication Vectors: RAND(i), KASME(i), AUTN, XRES(i)

Authentication Data Response

HSS

NAS: attach Request

User Id, UE Capabilities, etc. Authentication Data Request

NAS: USER Authentication Request

KASME(i), RAND(i), AUTN

NAS: USER Authentication Response

RES(i)If RES(i)=XRES(i)

Authentication successful

UE uses KASME to verify

the Network


Security Functions - Encryption

Signaling protection•For core network (NAS) signaling, integrity and confidentiality protection terminate in MME.•For radio network (RRC) signaling, integrity and confidentiality protection terminate in eNodeB.

User plane protection•Encryption terminates in eNodeB.


Hierarchy of Security Keys used in the EPS(3GPP TS 33.401, section 6.2)

• All keys used for security (crypto-algorithms) are 128 bits

• Possibility to use 256-bit keys later.

•The generation of keys is triggered by Authentication and Key Agreement (AKA) procedures.

• In LTE the MME acts as the Access Security Management Entity (ASME). This is the access network entity that receives top level keys from the HSS.

•UMTS AKA is capable of agreeing two keys, CK and IK, on the USIM and in the AuC. For LTE these keys never leave the HSS. Instead they are used to derive KASME, which is transferred from the HSS to the MME as part of the Authentication Vector.

•The keys used for UP, NAS and AS protection shall be dependent on the algorithm with which they are used.

• The keys used for UP, NAS and RRC (AS) protection shall be dependent on the algorithm with which they are used.


EPS/LTE Security Keys (1/2)

Keys shared between the UE and HSSK This is a permanent key stored on the USIM and in the Authorization Centre

(AuC). The AuC resides in the HSS.CK, IK A pair of keys derived in the AuC and on the USIM during an AKA run.

Intermediate Key shared by the UE and Access Security Management Entity (ASME=MME)KASME This key is derived from the CK, IK and serving PLMN’s identity by the UE

and HSS during an AKA run. It is transferred to the ASME (MME) by the HSS as part of the authentication vector response. The serving PLMN’sidentity becomes known to the UE as part of the attachment procedure.

Intermediate Keys for Access NetworksKeNB This key is derived from KASME by the UE and MME. It depends on the

identity of the eNB. This key is transferred to the eNB.


EPS/LTE Security Keys (2/2)

Keys for NAS SignalingKNASint This key is derived from KASME by the UE and MME. It is used

for the integrity protection of NAS traffic.KNASenc This key is derived from KASME by the UE and MME. It is used for

the encryption of NAS traffic.

Keys for U-plane TrafficKUPenc This key is derived from KeNB by the UE and eNB and is used for

the encryption of U-plane data over the LTE-Uu interface. In order to derive this key an identifier for the encryption algorithm is shared between the eNB and UE.

Keys for RRC SignalingKRRCint This key is derived from KeNB by the UE and eNB and is used for

the integrity protection of RRC traffic. In order to derive this key an identifier for the integrity protection algorithm is shared between the eNB and UE.

KRRC-enc This key is derived from KeNB by the UE and eNB and is used for the encryption of RRC traffic. In order to derive this key an identifier for the encryption algorithm is shared between the eNB and UE.


Key Generation Procedure

KEY GENERATION PROCEDURE

1.-When a UE initially attaches to the network the MME will authenticate the subscriber using UMTS4

AKA . This triggers generation of security keys by the UE and HSS. At this point the UE and HSS know the PLMN ID which is used in the generation of KASME.

2.-The UE and HSS generate CK and IK from K and the RAND value used in UMTS-AKA.

3.-The UE and HSS derive KASME from CK, IK and PLMN-ID.

4.-The HSS transfers KASME to the MME as part of the Authentication Vector used in EPS AKA.

5.-Once the UE has successfully been authenticated the MME and UE generate the keys for NAS signalling security - KNAS int and KNAS enc

6.-The MME and UE generate the KeNB key from KASME and the eNB-ID.

7.-The MME transfers KeNB to the eNB across the S1-MME. This key is transferred as part of the Initial Context Setup Request message to the eNB.

8.-The eNB and UE generate the keys used for protection of RRC signaling (KeNB RRC-int and KeNB RRC-enc)

and U-plane traffic (KeNB UP-enc), using KeNB.

03 - lte-eps mobility & session management

Documents