03 - lte-eps mobility & session management
1 © Nokia Siemens Networks LTE/EPS Mobility & Session Management / Jose Maria Anarte / v2.0 / Document NumberFor public use – IPR applies
LTE/EPS Mobility & Session Management
LTE/EPS Fundamentals Course
Nokia Siemens Networks Academy
Legal notice
Intellectual Property Rights
All copyrights and intellectual property rights for Nokia Siemens Networks training documentation, product documentation and slide presentation material, all of which are forthwith known as Nokia Siemens Networks training material, are the exclusive property of Nokia Siemens Networks. Nokia Siemens Networks owns the rights to copying, modification, translation, adaptation or derivatives including any improvements or developments. Nokia Siemens Networks has the sole right to copy, distribute, amend, modify, develop, license, sublicense, sell, transfer and assign the Nokia Siemens Networks training material. Individuals can use the Nokia Siemens Networks training material for their own personal self-development only, those same individuals cannot subsequently pass on that same Intellectual Property to others without the prior written agreement of Nokia Siemens Networks. The Nokia Siemens Networks training material cannot be used outside of an agreed Nokia Siemens Networks training session for development of groups without the prior written agreement of Nokia Siemens Networks.
Module Objectives
After completing this module, the participant should be able to:
• Introduce the LTE Mobility Areas.
• List different LTE-UE identifications.
• Compare the terminology used in 3G and LTE when referring to Mobility and Session Management.
• Describe the LTE Mobility & Connection States.
• Explain the EPS Bearer Architecture and Attributes.
• Analyze different LTE/EPS procedures: Attach, S1 Release, Detach, Service Request, Tracking Area Update, Dedicated SAE Bearer Activation and inter eNB handover.
• Review the LTE/EPS Authentication Procedure and the Security Keys Generation.
Module Contents
• LTE/EPS Mobility Areas
• LTE-UE Identifications
• Mobility & Connection Management Terminology
• LTE Mobility & Connection States
• The EPS Bearer
• LTE/EPS Procedures
• Security: EPS Authentication and Key Agreement (AKA)
LTE/EPS Mobility Areas
Two areas are defined for handling of mobility in LTE/EPS:
Tracking Area (TA)
It is the successor of location and routing areas from 2G/3G.
When a UE is attached to the network, the MME will know the UE’s position on tracking area level.
In case the UE has to be paged, this will be done in the full tracking area.
Tracking areas are identified by a Tracking Area Identity (TAI).
The Cell
It is the smallest entity regarding mobility.
When the UE is connected to the network, the MME will know the UE's position on cell level.
Cells are identified by the Cell Identification (CI) and by the Physical Cell Identification (PCI).
LTE Cell Identifications
Cell Identity (CI or CellID)
Used to identify the cell uniquely within the PLMN.
28 bits long.
Broadcast in System Information Block Type 1.
The Cell Identity together with the PLMN Identity forms the Evolved Cell Global Identity (ECGI), used to differentiate EUTRAN cells globally.
More on CI and ECGI in the 36.331 RRC specification.
Physical Cell Identity (PCI or PhyCellID)
It is used in downlink to scramble the data transmitted by the cell.
It helps the UE to distinguish information coming from different transmitters.
Similar to scrambling codes in UMTS.
Range: from 0 to 503.
Since there are only 504 PhyCellIDs, they must be repeated.
More on PCI in the 36.211 Physical Layer specification.
- The CellID is a system-level parameter.
- The PhyCellID is a physical-level parameter.
- The UE gets the PhyCellID from the Primary and Secondary Synchronization Signals (PSS and SSS):
PSS: provides the PhyCellID sector: 0..2
SSS: provides the PhyCellID group: 0..167
Example:
• Let's say that we are going to deploy an LTE network in a city and that city needs 1000 cells.
• Each of the 1000 cells will have its own cell ID, but, since there are only 504 physical cell IDs, we will need to repeat the physical cell IDs twice.
• The key is that two cells that share a physical cell ID cannot be geographically close to each other, or they will interfere with each other.
Tracking Areas
[Figure: eNB cells grouped into the tracking areas TAI1, TAI2 and TAI3 and served by the MMEs; numbered labels 1 to 3; legend: Cell Identity, Tracking Area]
Tracking Area Identity (TAI) vs. Tracking Area Code (TAC)
TAI = MCC + MNC + TAC
Tracking Area Update (TAU)
Procedure triggered by the LTE-UE moving to a new TA.
TAU are performed by the LTE-UE in both idle and connected mode. (GSM/UMTS difference)
For further info refer to TS 23.401 chapter 5.3.3.0
Why is a TAU necessary in the connected state?
The answer to that question can be found in the message sequence charts for handovers.
For example: during an X2 handover, which is directly negotiated between two base stations, the Mobility Management Entity (MME) in core network is only informed of the handover after it has taken place. Also, there's no direct communication between the MME and the mobile device during the handover procedure. That means that in case the new cell is in a new tracking area, the mobile has to update its tracking area list as that information was not contained in the handover messaging.
From a logical point of view that also makes sense. Tracking areas are administered by the core network (by the Non Access Stratum) while handovers are performed by the access network. Also, the signaling does not interrupt the user data transfer so there are no side effects of performing this procedure in connected mode and while transferring data.
Multiple Tracking Areas Registration
UE may be told by the network to be registered in several tracking areas simultaneously.
Gain: when the UE enters a new cell, it checks which tracking areas the new cell is part of. If this TA is on UE’s TA list, then no tracking area update is necessary.
[Figure: eNB cells grouped into the tracking areas TAI1, TAI2 and TAI3 and served by the MMEs; legend: Cell Identity, Tracking Area; the UE holds the TA list: TA1, TA2]
•Another difference between TAU and the LAU/RAU of UMTS is that the mobile can have a list of several valid tracking areas and an update only has to be made if the new cell is in a tracking area that is not part of that list.
•This solution will avoid unnecessary tracking area updates at the tracking areas border when the UE is ping-ponging between cells belonging to different TAs.
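The TA-list rule above as an added example (not part of the original course material): a UE ping-pongs across a TA border, and the code counts the tracking area updates with a single registered TA versus a TA list, together with the paging footprint each choice implies. The cell names, the route, the test PLMN and both MME list policies are constructed assumptions.

```python
"""Added example: when does a UE need a tracking area update (TAU)?"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TAI:
    """Tracking Area Identity = MCC + MNC + TAC."""
    mcc: str
    mnc: str
    tac: int


def tai(tac):
    # Constructed test PLMN 001/01; only the TAC varies in this sample.
    return TAI("001", "01", tac)


# Constructed sample radio network: cell name -> TAI broadcast by the cell.
CELL_TAI = {
    "cell_a": tai(1), "cell_b": tai(1),
    "cell_c": tai(2), "cell_d": tai(2),
    "cell_e": tai(3),
}

# Two hypothetical MME policies: TAC where the UE registers -> TA list
# handed to the UE at attach or TAU.
SINGLE_TA = {1: {tai(1)}, 2: {tai(2)}, 3: {tai(3)}}
WITH_NEIGHBOUR = {1: {tai(1), tai(2)},
                  2: {tai(1), tai(2)},
                  3: {tai(2), tai(3)}}


def simulate(route, policy):
    """Walk the UE along `route` and return (tau_count, events).

    The UE attaches in the first cell and receives a TA list. In every
    later cell it compares the cell's TAI with that list and performs a
    TAU only when the TAI is missing; the TAU returns a fresh TA list.
    """
    current = CELL_TAI[route[0]]
    ta_list = policy[current.tac]
    events = [(route[0], "attach")]
    taus = 0
    for cell in route[1:]:
        current = CELL_TAI[cell]
        if current in ta_list:
            events.append((cell, "no TAU"))
        else:
            taus += 1
            ta_list = policy[current.tac]
            events.append((cell, "TAU"))
    return taus, events


def paging_cells(ta_list):
    """Cells that must be paged for an idle UE registered in `ta_list`."""
    return sorted(c for c, t in CELL_TAI.items() if t in ta_list)


# Constructed route: ping-pong across the TA1/TA2 border, then on into TA3.
ROUTE = ["cell_a", "cell_b", "cell_c", "cell_b", "cell_c",
         "cell_b", "cell_c", "cell_d", "cell_e"]

if __name__ == "__main__":
    for name, policy in (("single TA", SINGLE_TA), ("TA list", WITH_NEIGHBOUR)):
        taus, events = simulate(ROUTE, policy)
        print(f"{name}: {taus} TAU(s)")
        for cell, what in events:
            print(f"  {cell}: {what}")
    print("paged for list {TA1, TA2}:", paging_cells(WITH_NEIGHBOUR[1]))
```

The TA list removes the border signalling, but the idle UE is then only known at TA-list granularity, so a page has to cover every cell of every listed TA.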
Tracking Areas: Use of S1-flex Interface
MME pooling: several MMEs handle the same tracking area.
[Figure: two MMEs (MME and S-MME) connected through S1-flex to the eNBs of the tracking areas TAI1, TAI2 and TAI3]
Due to the S1-flex implementation, both MMEs must be aware of how the radio network is organized in TAs.
UE Identifications
• IMSI – International Mobile Subscriber Identity
• GUTI – Globally Unique Temporary Identity
• C-RNTI – Cell Radio Network Temporary Identity
• S1-AP UE ID – S1 Application Protocol User Equipment Identity
UE Identifications: IMSI
IMSI:
• International Mobile Subscriber Identity.
• Used in LTE to uniquely identify a subscriber world-wide.
• Its structure is kept in the form MCC + MNC + MSIN:
MCC: mobile country code (3 digits)
MNC: mobile network code (2 digits)
MSIN: mobile subscriber identification number (10 digits)
• A subscriber can use the same IMSI for 2G, 3G and LTE access.
• The MME uses the IMSI to locate the HSS holding the subscriber's permanent registration data for tracking area updates and attaches.
• A USIM card can be used to access 2G networks (besides 3G and LTE networks).
• A SIM card (original 2G SIM card) cannot be used to access LTE networks.
UE Identification: GUTI
GUTI:
• Globally Unique Temporary Identity
• It is dynamically allocated by the serving MME
• Its main purpose is to avoid usage of IMSI on air
• Internally the allocating MME can translate GUTI into IMSI and vice versa
• The GUTI consists of 2 components: GUMMEI and M-TMSI
GUTI = GUMMEI + M-TMSI
M-TMSI: Temporary identity of the UE within a specific MME.
GUMMEI: Globally Unique MME Identity:
Identity of the MME that allocated the GUTI.
It contains:
MCC + MNC + MME Group ID (MMEGI) + MME Code (MMEC)
Further Reading:
The GUMMEI in turn consists of the following:
− PLMN Id: MCC, MNC
− MME Identifier (MMEI): MME Group Id (MMEGI) and MME Code (MMEC)
The MMEC provides a unique identity to an MME within the MME pool, while the MMEGI is used to distinguish between different MME pools.
More details about these identifiers can be found in TS 23.003.
GUTI reallocation is further described in TS 23.401 and TS 24.301.
Further Reading: S-TMSI
S-TMSI:
•The SAE TMSI (S-TMSI) is a shortened form of the GUTI
•It is used to identify the UE over the radio path and is included in the RRC connection request and paging messages
•The S-TMSI contains the MMEC and M-TMSI components of the GUTI
• Note, however, that the S-TMSI does not include the MMEGI — that is, the MME pool component
GUTI = GUMMEI + M-TMSI
GUMMEI = MCC + MNC + MMEGI + MMEC
S-TMSI = MMEC + M-TMSI
Because MME pool areas can overlap, care must be taken to ensure that MMEs serving the overlapping areas are not allocated the same MMECs.
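The GUTI and S-TMSI structure described above, as an added example (not part of the original course material): it builds a GUTI, derives the S-TMSI, and checks an MME configuration for the MMEC clash the slide warns about. The field widths (MMEGI 16 bits, MMEC 8 bits, M-TMSI 32 bits) are taken from TS 23.003; the MME names, pool IDs and identity values are constructed.

```python
"""Added example: GUTI structure, S-TMSI derivation and MMEC clashes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GUTI:
    mcc: str      # mobile country code, 3 decimal digits
    mnc: str      # mobile network code, 2 or 3 decimal digits
    mmegi: int    # MME Group ID, 16 bits (width per TS 23.003)
    mmec: int     # MME Code, 8 bits (width per TS 23.003)
    m_tmsi: int   # M-TMSI, 32 bits (width per TS 23.003)

    def __post_init__(self):
        if not (self.mcc.isdigit() and len(self.mcc) == 3):
            raise ValueError("MCC must be 3 digits")
        if not (self.mnc.isdigit() and len(self.mnc) in (2, 3)):
            raise ValueError("MNC must be 2 or 3 digits")
        for name, value, bits in (("MMEGI", self.mmegi, 16),
                                  ("MMEC", self.mmec, 8),
                                  ("M-TMSI", self.m_tmsi, 32)):
            if not 0 <= value < (1 << bits):
                raise ValueError(f"{name} does not fit in {bits} bits")

    @property
    def gummei(self):
        """GUMMEI = MCC + MNC + MMEGI + MMEC: names the allocating MME."""
        return (self.mcc, self.mnc, self.mmegi, self.mmec)

    @property
    def s_tmsi(self):
        """S-TMSI = MMEC + M-TMSI as one 40-bit value (no PLMN, no MMEGI)."""
        return (self.mmec << 32) | self.m_tmsi


def split_s_tmsi(s_tmsi):
    """Inverse of GUTI.s_tmsi: return (mmec, m_tmsi)."""
    if not 0 <= s_tmsi < (1 << 40):
        raise ValueError("S-TMSI is 40 bits")
    return s_tmsi >> 32, s_tmsi & 0xFFFFFFFF


def mmec_clashes(mmes, overlapping_pools):
    """Find pairs of MMEs that an S-TMSI alone cannot tell apart.

    `mmes` maps an MME name to (mmegi, mmec); `overlapping_pools` lists the
    MMEGI pairs whose pool areas overlap. Two MMEs clash when they sit in
    the same pool or in overlapping pools and carry the same MMEC.
    """
    overlap = {frozenset(pair) for pair in overlapping_pools}
    names = sorted(mmes)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (gi_a, c_a), (gi_b, c_b) = mmes[a], mmes[b]
            same_area = gi_a == gi_b or frozenset((gi_a, gi_b)) in overlap
            if same_area and c_a == c_b:
                clashes.append((a, b, c_a))
    return clashes


# Constructed configuration: two pools with overlapping pool areas.
MMES = {
    "mme_north_1": (0x8001, 0x01),
    "mme_north_2": (0x8001, 0x02),
    "mme_south_1": (0x8002, 0x01),   # same MMEC as mme_north_1
}
OVERLAPPING_POOLS = [(0x8001, 0x8002)]

# Constructed GUTIs allocated by the two clashing MMEs.
GUTI_NORTH = GUTI("001", "01", 0x8001, 0x01, 0xC0FFEE01)
GUTI_SOUTH = GUTI("001", "01", 0x8002, 0x01, 0xC0FFEE01)

if __name__ == "__main__":
    print("clashes:", mmec_clashes(MMES, OVERLAPPING_POOLS))
    print("GUTIs differ:", GUTI_NORTH != GUTI_SOUTH)
    print("S-TMSI north: %#012x" % GUTI_NORTH.s_tmsi)
    print("S-TMSI south: %#012x" % GUTI_SOUTH.s_tmsi)
```

The two GUTIs are distinct, yet their S-TMSIs are identical, so an eNB in the overlap area that sees only the S-TMSI cannot tell which MME holds the UE context.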
UE Identifications: C-RNTI
C-RNTI:
• Cell Radio Network Temporary Identity
• C-RNTI is allocated by the eNB serving a UE when it is in active mode (RRC_CONNECTED)
• This is a temporary identity for the user only valid within the serving cell of the UE
• It is released as soon as the UE moves to idle state (RRC_IDLE)
• It is exclusively used for radio management procedures.
UE Identifications: S1-AP UE ID
S1-AP UE ID:
• S1 Application Protocol User Equipment Identity.
• Two additional temporary identifiers allocated by eNB and MME:
- eNB S1-AP UE ID
- MME S1-AP UE ID
• Their purpose is to allow efficient implementation of S1 control signaling (S1AP = S1 Application Protocol)
• They shall allow easy distribution of S1 signaling messages inside MME and eNB.
• NOTE: This concept is similar to SCCP local references known from the Iu or A interface in 3G/2G.
UE Identifications Summary
[Figure: a UE in a cell of the serving eNB (S-eNB), the tracking areas TAI1, TAI2 and TAI3, the serving MME (S-MME), a second MME and the HSS, annotated with the identities in use: C-RNTI, eNB S1-AP UE-ID | MME S1-AP UE-ID, GUTI (GUMMEI + M-TMSI), IMSI (MCC + MNC + MSIN), Cell Identity, MME Identity]
IMSI: International Mobile Subscriber Identity
GUTI: Globally Unique Temporary Identity
C-RNTI: Cell Radio Network Temporary Identity
TAI: Tracking Area Identity (MCC+MNC+TAC)
S-MME: Serving MME
S-eNB: Serving E-Node B
Terminology in LTE and in 3G Connection and Mobility Management
3G | LTE
GPRS attached | EMM registered
Handovers (DCH) when RRC connected | Handovers when RRC connected
RNC hides mobility from core network | Core network sees every handover
Location area | Not relevant (no CS core)
Routing area | Tracking area
PDP context | EPS bearer
Radio access bearer | Radio bearer + S1 bearer
Row groups on the slide: Mobility management, Connection management
LTE Mobility & Connection States
There are two sets of states defined for the UE based on the information held by the MME.
These are:
1.- EPS* Mobility Management (EMM) states
2.- EPS* Connection Management (ECM) states
*EPS: Evolved Packet System
More about LTE Mobility and Connection States in 3GPP TS 23.401
EPS Mobility Management (EMM) states
[Figure: state diagram. EMM deregistered -> (Attach) -> EMM registered; EMM registered -> (Detach) -> EMM deregistered]
EPS Mobility Management (EMM) states
EMM-DEREGISTERED:
• In this state the MME holds no valid location information about the UE.
• The MME may keep some UE context when the UE moves to this state (e.g. to avoid the need for Authentication and Key Agreement (AKA) during every attach procedure).
• Successful Attach and Tracking Area Update (TAU) procedures lead to transition to EMM-REGISTERED.
EMM-REGISTERED:
• In this state the MME holds location information for the UE at least to the accuracy of a tracking area.
• In this state the UE performs TAU procedures, responds to paging messages and performs the service request procedure if there is uplink data to be sent.
EPS Connection Management (ECM) and LTE Radio Resource Control (RRC) States
•UE and MME enter ECM-CONNECTED state when the signalling connection is established between UE and MME
•UE and E-UTRAN enter RRC-CONNECTED state when the signalling connection is established between UE and E-UTRAN
[Figure: two state diagrams across UE, E-UTRAN and MME. ECM idle -> (S1 connection establishment) -> ECM connected -> (S1 connection release) -> ECM idle; RRC idle -> (RRC connection establishment) -> RRC connected -> (RRC connection release) -> RRC idle]
EPS Connection Management
ECM Connected = RRC Connected + S1 Connection
[Figure: UE - (RRC Connection) - eNB - (S1 Connection) - MME; both connections together form ECM Connected]
EPS Connection Management (ECM) states
ECM-IDLE:
• In this state there is no NAS signalling connection between the UE and the network and there is no context for the UE held in the E-UTRAN.
• The location of the UE is known to within the accuracy of a tracking area.
• Mobility is managed by tracking area updates.
ECM-CONNECTED:
• In this state there is a signalling connection between the UE and the MME which is provided in the form of a Radio Resource Control (RRC) connection between the UE and the E-UTRAN and an S1 connection for the UE between the E-UTRAN and the MME.
• The location of the UE is known to within the accuracy of a cell.
• Mobility is managed by handovers.
RRC States
RRC-IDLE:
• No signalling connection between the UE and the E-UTRAN.
• I.e.: PLMN Selection.
• UE receives system information and listens for paging.
• Mobility based on cell re-selection performed by the UE.
• No RRC context stored in the eNB (no C-RNTI).
• RACH procedure used on RRC connection establishment.
RRC-CONNECTED:
• UE has an E-UTRAN RRC connection.
• UE has context in E-UTRAN (C-RNTI allocated).
• E-UTRAN knows the cell which the UE belongs to.
• Network can transmit and/or receive data to/from the UE.
• Mobility based on handovers.
• UE reports neighbour cell measurements.
EMM & ECM States Transitions
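[Figure: state transition diagram with three states]
States:
• EMM_Deregistered / ECM_Idle
• EMM_Registered / ECM_Connected
• EMM_Registered / ECM_Idle
Transitions:
• Power On: the UE starts in EMM_Deregistered / ECM_Idle.
• Registration (Attach): EMM_Deregistered / ECM_Idle -> EMM_Registered / ECM_Connected. Allocate C-RNTI, GUTI; allocate IP address; authentication; establish security context.
• Release due to Inactivity: EMM_Registered / ECM_Connected -> EMM_Registered / ECM_Idle. Release RRC connection; release C-RNTI; configure DRX for paging.
• New Traffic, TAU: EMM_Registered / ECM_Idle -> EMM_Registered / ECM_Connected. Establish RRC connection; allocate C-RNTI.
• Deregistration (Detach), Change PLMN: EMM_Registered / ECM_Connected -> EMM_Deregistered / ECM_Idle. Release C-RNTI, GUTI; release IP address.
• Timeout of Periodic TA Update: EMM_Registered / ECM_Idle -> EMM_Deregistered / ECM_Idle. Release GUTI; release IP address.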
EMM & ECM States Summary
EMM_Deregistered / ECM_Idle
Network Context: no context exists
Allocated IDs: IMSI
UE Position: unknown to network
Mobility: PLMN/cell selection
UE Radio Activity: none

EMM_Registered / ECM_Connected
Network Context: all info for ongoing transmission/reception
Allocated IDs: IMSI, GUTI; IP address; C-RNTI
UE Position: known on cell level
Mobility: NW controlled handover
UE Radio Activity: DL w/o DRX; UL w/o DTX

EMM_Registered / ECM_Idle
Network Context: security keys; enable fast transition to ECM_CONNECTED
Allocated IDs: IMSI, GUTI; IP address
UE Position: known on TA level (TA list)
Mobility: cell reselection
UE Radio Activity: DL DRX for paging; no UL
LTE/EPS Bearer
•The main function of every mobile radio telecommunication network is to provide subscribers with transport bearers for their user data.
•In circuit switched networks users get a fixed assigned portion of the network’s bandwidth.
•In packet networks users get a bearer with a certain quality of service (QoS) ranging from fixed guaranteed bandwidth down to best effort services without any guarantee.
•LTE/EPS is a packet oriented system.
[Figure: the EPS/SAE bearer between the UE and the PDN GW]
•For further information about the EPS Bearer, please refer to 3GPP TS 23.401, v9.2.0, section 4.7.2
LTE/EPS Bearer: Identity & Architecture
[Figure: network path LTE-UE - (LTE-Uu) - eNB - (S1-U) - Serving Gateway - (S5/S8) - PDN Gateway - (SGi) - PDN, spanning E-UTRAN, EPC and PDN]
•An EPS bearer identity uniquely identifies an EPS bearer for one UE. The EPS Bearer Identity is allocated by the MME.
•LTE/EPS Bearer spans the complete network, from UE over EUTRAN and EPC up to the connector of the external PDN.
•The SAE bearer is associated with a quality of service (QoS) usually expressed by a label or QoS Class Identifier (QCI)
[Figure: bearer hierarchy. End-to-End Service = EPS Bearer + External Bearer; EPS Bearer = Radio Bearer + S1 Bearer + S5/S8 Bearer]
•There is a one to one mapping between EPS Radio Bearer (RB) and EPS Bearer, and the mapping between EPS RB Identity and EPS Bearer Identity is made by E-UTRAN.
•The E-RAB ID value used at S1 and X2 interfaces to identify an E-RAB is the same as the EPS Bearer ID value used to identify the associated EPS Bearer.
LTE/EPS Bearer Sections
S5/S8 Bearer
•Between the P-GW and the S-GW.
•This is usually a GTP or MIP (Mobile IP) tunnel between the two network elements.
S1 Bearer
•Between eNB and S-GW.
•The S1 Bearer is implemented using the 2G/3G GTP (GPRS Tunneling Protocol), which builds a GTP tunnel between eNB and S-GW.
•The setup of this S1 Bearer is managed by the MME. S-GW and eNB do not directly exchange signaling to create it.
Radio Bearer
•Between UE and eNB.
•The eNB connects a radio bearer internally with the associated S1 Bearer on the S1-U interface.
•The mapping of radio bearers to physical resources on the air interface is the major task of the eNB scheduler.
•An E-RAB (E-UTRAN Radio Access Bearer) refers to the concatenation of an S1 bearer and the corresponding radio bearer, as defined in TS 36.300
EPS Bearer Establishment can be triggered by:
MME: This happens typically during the attach procedure of a UE. Depending on the information coming from the HSS, the MME will set up an initial bearer, also known as the Default EPS bearer. This EPS bearer provides the initial connectivity of the UE with its external data network or IMS platform.
PDN Gateway: The external data network can request the setup of an EPS bearer by issuing this request via the PCRF to the PDN gateway. This request will include the quality of service granted to the new bearer. Those are referred to as Dedicated EPS bearers.
UE: Note here the differences to GPRS in 2G/3G networks, where only MS/UE initiated PDP context setup is defined.
[Figure: UE - eNB - (S1-U) - Serving Gateway - (S5) - PDN Gateway - (SGi) - PDN, carrying the EPS Bearer and the External Bearer; the MME is attached via S1-MME and S11, the PCRF via Gx/S7 and Rx]
Further Reading (from the notes page):
•Default bearer is established during the attach phase.
•Dedicated bearers are established based on the services running between the UE and the PDN/IMS.
•A comparison can be made between the dedicated bearer in EPS and the secondary PDP context in UMTS.
•TS 29.274 defines the create bearer request message. This request is used to establish dedicated bearers but not default bearer.
•The following sentence from the specs may lead to confusion: “the dedicated bearers are network initiated”. LTE/EPS is all on IP, so if you are receiving a call the network may initiate a dedicated bearer to forward that call to you. This doesn't mean that the UE cannot ask for dedicated bearers. The UE can ask for dedicated bearers by sending out a bearer modification command, but the UE cannot send a create bearer request. The bearer modification command will make the PDN trigger a dedicated bearer.
The Default Bearer Concept
•Each UE that is attached to the LTE network has at least one bearer available, which is called the default bearer.
•Its goal is to provide continuous IP connectivity towards the EPC (“always-on” concept).
•From the QoS point of view, the default bearer is normally a quite basic bearer.
•If a specific service requires more stringent QoS attributes, then a dedicated bearer should be established.
[Figure: Default EPS Bearer from the UE over eNB (S1-U), Serving Gateway (S5) and PDN Gateway (SGi) to the PDN; the MME is attached via S1-MME and S11]
•A default Evolved Packet System (EPS) bearer is the bearer that is established during the attach process.
•It will give the UE an IP address and packet data resources so that the UE can do limited packet services.
•One of the best examples of a service that would be good for the default EPS bearer is an IMS registration.
•The characteristics of the default EPS bearer will be defined by the subscription and established by the Mobility Management Entity (MME) upon receiving the attach message based on the subscriber profile in the Home Subscriber Server (HSS).
•Default bearers are created on a per PDN basis. So if a UE is connecting to two PDNs it will need to establish two default bearers.
SAE Bearer QoS Awareness
•One of the major requirements for EUTRAN and EPC to fulfill is that every SAE bearer must be QoS aware.
•All data transmitted within a SAE bearer will get the same QoS handling (scheduling, prioritization, discarding probability, etc.).
•Different applications (for example take a packet video streaming service and a ftp download) have different QoS setting and cannot share the same SAE bearer.
•Other applications with similar traffic characteristics will be able to be placed inside the same SAE bearer provided that the bandwidth of the bearer is scaled accordingly.
•Due to this fact, the standard will allow a UE to have several SAE bearers, each one with a different QoS setting.
•Schedulers in eNB, SAE GW and PDN GW must respect the QoS of each individual SAE bearer.
•Limits coming from a user’s subscription must be taken into account when a new SAE bearer is set up or one is modified. This is one task of the MME.
•Basic Guideline: The LTE/EPS Bearer and QoS management has to be improved in comparison to the way it is done in existing 3GPP system.
•The main reason is that it has not been easy for operators to implement QoS attributes in GSM/WCDMA networks, as they were somehow disconnected from the application layer. This problem was even getting worse by the fact that the UE was responsible for setting the QoS attributes for a Bearer.
•It was therefore agreed that only a reduced set of QoS parameters and standardized attributes would be specified for the EPS bearer.
EPS Bearer QoS Attributes
[Figure: EPS bearer QoS parameters. To be defined per bearer: Default Bearer/Dedicated Bearer, GBR/N-GBR, MBR, UL/DL-TFT, QCI, ARP. To be defined per user: AMBR]
For every EPS bearer the following QoS parameters are available:
• Dedicated or default EPS bearer
• Guaranteed Bit Rate (GBR) or Non-Guaranteed Bit Rate (N-GBR)
• Maximum Bit Rate (MBR)
• Traffic Flow Control (UL/DL-TFT)
• Integer number indicating QoS category: Label or QoS Class identifier (QCI)
• Allocation/Retention Priority (ARP)
For all bearers together for one user, following QoS parameter is available:
• Aggregate Maximum Bit Rate (AMBR)
SAE Bearer QoS Attributes (1/3)
Dedicated or Default bearer:
•The default bearer is allocated during attach of a UE to the system.
•Dedicated bearers on the other hand are created on demand by the external PDN network.
•Only dedicated bearers can be of Guaranteed Bit rate (GBR) type.
GBR (Guaranteed Bit Rate) or NGBR (Non Guaranteed Bit Rate):
•GBR bearers will reserve some (physical or virtual) capacity along the transmission path and thus guarantee some bit rate level.
•This is required for streaming and conversational services with low upper delay and delay jitter bounds.
•For services that do not have so strong requirements regarding these values typically NGBR bearers will be used.
•The technical difference between GBR and NGBR will be seen in the admission control functions of eNB, SAE GW and PDN GW.
• GBR bearers will usually block more virtual resources for the same throughput and peak bit rate than NGBR bearers.
GBR identifies the bit rate that will be ensured to the bearer.
SAE Bearer QoS Attributes (2/3)
Traffic Flow Control (UL/DL-TFT):
•Because a single UE can have multiple SAE bearers, the system requires some kind of packet filter to decide which IP datagram has to go to which SAE bearer.
•These packet filters are formed by the uplink and downlink TFT (Traffic Flow Template).
•Each dedicated SAE bearer has to have one UL and one DL TFT.
•Criteria like source and destination IP address, flow labels, port numbers, transport layer protocol type, etc. specify which IP datagrams have to be sent in the associated SAE bearer.
•At the moment the concrete structure of the TFT is for further study, especially whether additional QoS parameters might be inside or not.
Maximum Bit Rate (MBR):
•Identifies the Maximum Bit Rate for the SAE Bearer.
•Can be only specified for GBR SAE Bearers
•Not included in 3GPP Rel.8: in Rel 8 the MBR is always set to equal to the GBR
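How UL TFT packet filters steer IP datagrams onto bearers, as an added example (not part of the original course material), including a check that every dedicated bearer actually carries a filter. The filter fields, the precedence ordering, the bearer identities, QCI values and addresses are assumptions constructed for the example, since the slide leaves the concrete TFT structure open.

```python
"""Added example: mapping uplink IP packets to EPS bearers with UL TFTs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

UDP, TCP = 17, 6  # IANA protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class PacketFilter:
    """One packet filter; a field left as None matches anything."""
    precedence: int                       # lower is evaluated first (assumption)
    remote_net: Optional[str] = None      # destination prefix of uplink traffic
    proto: Optional[int] = None
    remote_ports: Optional[Tuple[int, int]] = None  # inclusive port range

    def matches(self, pkt):
        if self.remote_net is not None:
            net = ipaddress.ip_network(self.remote_net)
            if ipaddress.ip_address(pkt.dst) not in net:
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.remote_ports is not None:
            lo, hi = self.remote_ports
            if not lo <= pkt.dport <= hi:
                return False
        return True


@dataclass(frozen=True)
class Bearer:
    ebi: int      # EPS bearer identity (constructed value)
    qci: int      # QoS label (constructed value)
    gbr: bool
    ul_tft: Tuple[PacketFilter, ...] = ()   # empty on the default bearer here


DEFAULT_EBI = 5
BEARERS = (
    Bearer(ebi=5, qci=9, gbr=False),                       # default bearer
    Bearer(ebi=6, qci=1, gbr=True, ul_tft=(                # voice media
        PacketFilter(10, "198.51.100.0/24", UDP, (16384, 32767)),)),
    Bearer(ebi=7, qci=5, gbr=False, ul_tft=(               # signalling
        PacketFilter(20, "198.51.100.10/32", None, (5060, 5060)),)),
)


def classify_uplink(pkt, bearers=BEARERS, default_ebi=DEFAULT_EBI):
    """Return the EPS bearer identity that carries `pkt`.

    Filters of all bearers are tried in precedence order; a datagram that
    matches no filter falls back to the default bearer.
    """
    ordered = sorted(((f, b.ebi) for b in bearers for f in b.ul_tft),
                     key=lambda item: item[0].precedence)
    for flt, ebi in ordered:
        if flt.matches(pkt):
            return ebi
    return default_ebi


def validate(bearers, default_ebi=DEFAULT_EBI):
    """List configuration problems: dedicated bearers without a UL TFT and
    precedence values used more than once (ambiguous evaluation order)."""
    problems, seen = [], {}
    for b in bearers:
        if b.ebi != default_ebi and not b.ul_tft:
            problems.append(f"bearer {b.ebi}: dedicated bearer without UL TFT")
        for f in b.ul_tft:
            if f.precedence in seen:
                problems.append(f"precedence {f.precedence}: bearers "
                                f"{seen[f.precedence]} and {b.ebi}")
            seen[f.precedence] = b.ebi
    return problems


# Constructed sample datagrams from a UE at 10.0.0.2.
RTP = Packet("10.0.0.2", "198.51.100.20", UDP, 40000, 20000)
SIP = Packet("10.0.0.2", "198.51.100.10", TCP, 50000, 5060)
WEB = Packet("10.0.0.2", "203.0.113.7", TCP, 50001, 443)

if __name__ == "__main__":
    for name, pkt in (("RTP", RTP), ("SIP", SIP), ("WEB", WEB)):
        print(name, "-> bearer", classify_uplink(pkt))
    print("problems:", validate(BEARERS))
```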
SAE Bearer QoS Attributes (3/3)
Label or QCI:
•The label is simply an integer number assigned to the SAE bearer.
•This number indicates the QoS category the bearer belongs to by identifying a set of locally configured values for 3 QoS attributes: Priority, Delay and Loss Rate.
•It is up to the operator to define these labels, although some standard labels might be provided by 3GPP.
•This label can be translated into a DiffServ-tag used on S1-U and S5/S8 in the IP header to implement IP differentiated service routing in the associated IP protocol stacks.
•Refer to next slides for further information on this parameter.
Allocation/Retention Priority (ARP):
•Indicates the priority of the bearer compared to other bearers.
•This provides the basic information for admission control for bearer set-up and for bearer dropping (in case of congestion situation).
Aggregate maximum Bit Rate (AMBR):
•Specifies a maximum bandwidth per user (UE) considering all the simultaneous services established by this user.
ARP Parameter
Notes from the Specs (3GPP TS 23.401, v9.2.0, section 4.7.3) regarding the ARP parameter:
The ARP should be understood as "Priority of Allocation and Retention"; not as "Allocation, Retention, and Priority".
Video telephony is one use case where it may be beneficial to use EPS bearers with different ARP values for the same UE. In this use case an operator could map voice to one bearer with a higher ARP, and video to another bearer with a lower ARP. In a congestion situation (e.g. cell edge) the eNB can then drop the "video bearer" without affecting the "voice bearer". This would improve service continuity.
UE-AMBR
Notes from the Specs (3GPP TS 23.401, v9.2.0, section 4.7.3) regarding the UE-AMBR parameter:
The UE-AMBR limits the aggregate bit rate that can be expected to be provided across all Non-GBR bearers of a UE (e.g. excess traffic may get discarded by a rate shaping function).
Each of those Non-GBR bearers could potentially utilize the entire UE-AMBR, e.g. when the other Non-GBR bearers do not carry any traffic.
GBR bearers are outside the scope of UE AMBR.
The E-UTRAN enforces the UE-AMBR in uplink and downlink.
3G vs. SAE Bearers QoS Attributes Comparison
• A single scalar parameter (QoS Class Identifier=QCI) is a pointer to a set of QoS parameters.
• QCI is also called Label in LTE.
• Simplified approach compared to 2G/3G, where each parameter is indicated separately.
3G QoS attributes:
• Residual BER
• SDU error rate
• Delivery of erroneous SDUs
• Max SDU size
• Delivery order
• Transfer delay
• ARP
• Traffic class
• Traffic handling priority
• Max bit rate
• Guaranteed bit rate
LTE/EPS QoS attributes:
• QCI (QoS Class Identifier)
• ARP
• Max bit rate
• Guaranteed bit rate
• Aggregate max bit rate
• UL/DL TFT
Scope labels shown in the figure: Per bearer, Per terminal.
QoS Class Identifier (QCI) Table in 3GPP
QCI | Guarantee | Priority | Delay budget | Loss rate | Application
1 | GBR | 2 | 100 ms | 1e-2 | VoIP
2 | GBR | 4 | 150 ms | 1e-3 | Video call
3 | GBR | 5 | 300 ms | 1e-6 | Streaming
4 | GBR | 3 | 50 ms | 1e-3 | Real time gaming
5 | Non-GBR | 1 | 100 ms | 1e-6 | IMS signalling
6 | Non-GBR | 7 | 100 ms | 1e-3 | Interactive gaming
7 | Non-GBR | 6 | 300 ms | 1e-6 | TCP protocols: browsing, email, file download
8 | Non-GBR | 8 | 300 ms | 1e-6 |
9 | Non-GBR | 9 | 300 ms | 1e-6 |
Nine pre-configured classes have been specified in 2 categories of Bearers: GBR and N-GBR.
In addition, Operators can create their own QoS class identifiers (QCI)
The QoS attributes associated with the QCI parameter are:
Priority: used to define the priority for the Packet Scheduler function in the eNB
Delay Budget: helps the packet scheduler to ensure that users are scheduled sufficiently often to guarantee the delay requirements of the Bearer.
Loss Rate tolerance is primarily intended for setting the RLC protocol settings (e.g. number of RLC retransmissions). The label will most likely also include a priority parameter, which the packet scheduler can use for differentiation.
SAE Bearer Usage Example
[Figure: a UE (labels: SIP UA, VoIP Codec) connected through the PDN Gateway to the PDN, which holds an IMAP server (IP: A, UDP Port: a), a SIP server (IP: B, UDP Port: b) and a VoIP User Agent (IP: C, UDP Port: c). Two bearers are drawn: Default EPS Bearer (N-GBR) and Dedicated EPS Bearer (GBR).]
DL Packet Filter (DL TFT): IP Source Add. = C, UDP Source Port = c, Protocol = UDP/RTP
UL Packet Filter (UL TFT): IP Dest. Add. = C, UDP Dest. Port = c, Protocol = UDP/RTP
•The figure shows a UE with three applications running: e-mail, SIP user agent and VoIP call. The voice over IP call was initiated via the SIP user agent. In this example we have three applications running, although for the user the SIP UA and the VoIP call belong together and form one service component.
•First let us analyze how many different QoS requirements we have. If we don't want to make too fine a split, we can say that SIP signaling and e-mail are not so time sensitive. So both could share a single SAE bearer with N-GBR behavior, and this could be the default EPS bearer created when the user attached to the system.
•On the other hand, the VoIP call is obviously time critical, as speech codecs do not tolerate a high delay or delay jitter. Thus for the speech call we would have to set up an SAE bearer providing a minimum bit rate equal to the minimum useful bit rate the codec requires.
•So we end up with two SAE bearers: the default one for the e-mail application and the SIP user agent, and a second, dedicated one used for the transfer of the VoIP speech packets (usually IP/UDP/RTP datagrams).
•For the dedicated bearer we have to specify a DL and UL TFT to support the system in its decision which IP datagrams will be transferred via which SAE bearer. In the simplest form the TFTs specify the IP addresses of the UE and the opposite VoIP client and their allocated UDP port numbers for the VoIP call.
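The bearer selection described above, as an added Python example that is not part of the original slides: it parses raw IPv4 datagrams and applies the UL and DL TFT packet filters of the dedicated bearer, falling back to the default bearer, and it goes one step further than the slide by handling non-first IP fragments, which carry no port numbers. The addresses and ports standing in for A/a, B/b and C/c, and the names Flow, PacketFilter, Bearer, select_bearer and build_udp, are assumptions made for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

UDP = 17  # IANA protocol number for UDP


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: Optional[int]  # None when the datagram carries no readable ports
    dport: Optional[int]


def parse_ipv4(datagram: bytes) -> Flow:
    """Pull the fields a packet filter inspects out of a raw IPv4 datagram."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (datagram[0] & 0x0F) * 4
    if ihl < 20 or len(datagram) < ihl:
        raise ValueError("bad IPv4 header length")
    frag_offset = struct.unpack("!H", datagram[6:8])[0] & 0x1FFF
    sport = dport = None
    # Only the first fragment of a TCP/UDP datagram starts with the port numbers.
    if datagram[9] in (6, UDP) and frag_offset == 0 and len(datagram) >= ihl + 4:
        sport, dport = struct.unpack("!HH", datagram[ihl:ihl + 4])
    return Flow(ipaddress.IPv4Address(datagram[12:16]),
                ipaddress.IPv4Address(datagram[16:20]),
                datagram[9], sport, dport)


@dataclass(frozen=True)
class PacketFilter:
    """One TFT packet filter; a field left as None matches any value."""
    src_ip: Optional[ipaddress.IPv4Address] = None
    src_port: Optional[int] = None
    dst_ip: Optional[ipaddress.IPv4Address] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        pairs = ((self.src_ip, f.src), (self.src_port, f.sport),
                 (self.dst_ip, f.dst), (self.dst_port, f.dport),
                 (self.proto, f.proto))
        return all(want is None or want == got for want, got in pairs)


@dataclass
class Bearer:
    name: str
    ul_tft: List[PacketFilter] = field(default_factory=list)
    dl_tft: List[PacketFilter] = field(default_factory=list)


def select_bearer(datagram: bytes, direction: str,
                  dedicated: List[Bearer], default: Bearer) -> Bearer:
    """Return the first dedicated bearer whose TFT matches, else the default."""
    if direction not in ("UL", "DL"):
        raise ValueError("direction must be 'UL' or 'DL'")
    flow = parse_ipv4(datagram)
    for bearer in dedicated:
        tft = bearer.ul_tft if direction == "UL" else bearer.dl_tft
        if any(pf.matches(flow) for pf in tft):
            return bearer
    return default


def build_udp(src: str, dst: str, sport: int, dport: int,
              frag_offset: int = 0) -> bytes:
    """Constructed test datagram: minimal IPv4 + UDP headers, checksums left 0."""
    udp = struct.pack("!HHHH", sport, dport, 16, 0) + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, frag_offset,
                     64, UDP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


# Constructed addresses and ports standing in for the slide's A/a, B/b, C/c.
UE, IMAP_A, SIP_B, VOIP_C = "10.0.0.1", "192.0.2.10", "192.0.2.20", "198.51.100.30"
PORT_A, PORT_B, PORT_C = 143, 5060, 49170
C = ipaddress.IPv4Address(VOIP_C)

DEFAULT = Bearer("default (N-GBR)")
VOICE = Bearer("dedicated (GBR)",
               ul_tft=[PacketFilter(dst_ip=C, dst_port=PORT_C, proto=UDP)],
               dl_tft=[PacketFilter(src_ip=C, src_port=PORT_C, proto=UDP)])
```

A non-first fragment of a VoIP datagram cannot match a port-based filter, so in this sketch it lands on the default bearer.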
SAE bearer – GTP option shown on S5/S8
[Figure: user plane path between an application on the UE (IP: A) and an application in the PDN (IP: B), across UE, eNB, Serving Gateway and PDN Gateway on the interfaces S1-U, S5 and SGi. The three bearer segments are the Radio Bearer, the S1 GTP-U Tunnel and the S5/S8 GTP-U Tunnel. Uplink IP packets (source A, destination B) are carried by the radio protocols, then as a GTP-U T-PDU with TEID-SG1 on S1-U, then as a GTP-U T-PDU with TEID-PG on S5. Downlink IP packets (source B, destination A) are carried as a GTP-U T-PDU with TEID-SG2 on S5, then as a GTP-U T-PDU with TEID-eNB on S1-U, then by the radio protocols. Tunnel endpoints: TEID-eNB at the eNB, TEID-SG1 and TEID-SG2 at the Serving Gateway, TEID-PG at the PDN Gateway.]
•SAE bearers consist of three segments: radio bearer, S1-U bearer and S5/S8 bearer.
•For the S5/S8 bearer between SAE GW and PDN GW there are two options mentioned. The first one is based on the 2G/3G protocol GTP which is also used on S1-U. The second option for S5/S8 is based on Mobile IPv6 (MIPv6). As the latter is not completed yet, we discuss here only the GTP based S5/S8 interface.
•On the radio interface the SAE bearer is uniquely associated with one radio bearer (RB). The radio scheduler dynamically maps the radio bearer to the available physical layer resources; this means that an RB does not allocate resources in a fixed manner for a long time. This provides the required flexibility for resource re-assignments which WCDMA introduced with HSDPA.
•Between eNB and SAE GW the SAE bearer is tied to a single GTP-U tunnel. A GTP-U tunnel is identified by a TEID (Tunnel Endpoint IDentifier) allocated by both endpoints - in this case one from eNB TEID-eNB and one from SAE GW TEID-SG1. It is a task of the MME to exchange both TEIDs between eNB and SAE GW during setup of the tunnel. Packets in the downlink will be sent in GTP-U frames (T-PDU) and will carry the TEID-eNB in its header. The eNB must connect its TEID-eNB internally with the radio bearer. This also works for uplink, where all data from the associated radio bearer will have to be sent on S1-U with the TEID-SG1 in the GTP-U header.
•If the S5/S8 interface is based on the GTP option, then we will also find a GTP-U tunnel for the SAE bearer here. Again exactly one tunnel will be provided for the SAE bearer. The setup of the tunnel requires two new TEIDs: one from the SAE GW, TEID-SG2 (usually different from TEID-SG1), and one from the PDN GW, TEID-PG. The communication principle is the same as on the S1-U interface. But this time SAE GW and PDN GW handle the exchange of their TEIDs themselves. For this they use the control part of the GTP protocol, which provides messages to set up such tunnels. [NOTE: Which changes in GTP are required for this is currently under investigation.]
•The SAE gateway is responsible for linking the S1 GTP-U tunnel and the S5/S8 GTP-U tunnel with each other to allow efficient forwarding of data between PDN GW and eNB. The PDN GW on the other hand must link its tunnel to the external network and to the IP address of the UE inside this network. The DL TFT packet filters support the PDN GW in the task of selecting the right GTP-U tunnel of a UE for an incoming IP datagram. The UL TFT on the other hand is used at the UE side for the same task.
•It is important to note how and when these tunnels and bearer segments are available. When a new SAE bearer is set up, usually a radio bearer, an S1 GTP-U tunnel and an S5/S8 GTP-U tunnel are created. The latter will only be released when the SAE bearer is released. Radio bearer and S1 GTP-U tunnel on the other hand will be released when the UE enters an idle state. This state can be triggered due to inactivity. When this happens the radio bearer is removed and the eNB will also clear the TEIDs from its memory for the UE (in fact, the eNB will delete everything). The SAE GW therefore also must delete the TEID-eNB, but will usually keep its own TEID-SG1. If there should be data to be sent later on, the UE must send a SERVICE REQUEST to the MME to demand the re-establishment of the S1 GTP-U tunnel and the radio bearer. In short, the S5/S8 tunnel is rather permanent, whereas radio bearer and S1 tunnel are dynamic with respect to the lifetime of an SAE bearer.
Module Contents
• LTE/EPS Mobility Areas
• LTE-UE Identifications
• Mobility & Connection Management Terminology
• LTE Mobility & Connection States
• The EPS Bearer
• LTE/EPS Procedures
• Security: EPS Authentication and Key Agreement (AKA)
LTE/EPS Procedures
• Attach
• S1 Release
• Detach
• Service Request
• Tracking Area Update (TAU)
• Dedicated Bearer Activation
• Handover
Attach (1/2)
[Figure: message sequence between UE, eNB, new MME, Serving Gateway (SGW), PDN Gateway, HSS and PCRF. Messages shown: Attach Request (IMSI/old GUTI, old TAI, old GUMMEI, old ECGI); Authentication Vector Request (IMSI); Authentication Vector Response; Authentication Request; Authentication Response; Update Location (ME & MME Capabilities, IMEI, Update Type); Insert Subscriber Data (subscription data = default APN, subscriber AMBR, Default bearer QoS profile, TA restrictions, …); Insert Subscriber Data Ack; Update Location Ack. States shown: EMM_Deregistered, RRC_Connected, ECM_Connected.]
Reference to specs.: TS 23.401 section 5.3.2
The attach procedure in LTE/EPS is quite similar to the GPRS attach in 2G/3G. It brings the UE from EMM_DEREGISTERED state to EMM_REGISTERED. In addition to that the procedure also establishes the default SAE bearer for the UE and thus allocates the required IP addresses for the subscriber in the external packet data network.
1.- The UE connects to the serving cell and the associated eNB. The UE sends the ATTACH REQUEST message (NAS) including IMSI/ old GUTI, old TAI, old GUMMEI and old ECGI. The eNB selects an available MME and forwards the message to it.
2.-The first task of the MME is to identify and authenticate the subscriber. Thus it contacts the HSS (in case IMSI is used for identification) or the old MME (in case the UE is identified via old GUTI) with IDENTIFICATION REQUEST (GTP-C). The response should contain the IMSI (when contacting old MME) and some authentication vectors for the subscriber. (Flowchart shows direct contact with HSS).
3.-Using the authentication vectors from the old MME/HSS the new MME can start an authentication procedure (NAS). The authentication mechanism is the same as in 3G.
4.-After a successful authentication the new MME can begin to update the HSS and download the subscription data from there. This is achieved via Diameter procedures UPDATE LOCATION and INSERT SUBSCRIBER DATA. During this process the HSS will also force the old MME to clear the stored data about the subscriber using the Diameter operation CANCEL LOCATION.
Attach (2/2)
[Figure: message sequence between UE, eNB, new MME, Serving Gateway (SGW), PDN Gateway, HSS and PCRF. Messages shown: select SAE GW; Create Default Bearer Request (IMSI, RAT type, default Bearer QoS, Map APN to PDN GW); Create Def. Bearer Req. (IMSI, MSISDN, APN, IP/TEID of SGW-S5, user & control plane); PCRF Interaction; Create Def. Bearer Rsp. (UE IP address, IP/TEID of PDN GW, user & control plane, EPS Bearer ID and QoS according to PCRF); Create Def. Bearer Rsp. (IP/TEID of SGW-S1U, …); Attach Accept (GUTI, security info, UE IP address, IP/TEID of SGW-S1U (only for eNB)); EPS R Bearer Est. Req. (includes Attach Accept); (EPS RB ID); EPS RB Est. Resp. (includes Attach Complete); Attach Complete (EPS Bearer ID, IP/TEID of eNB for S1U); Update Bearer Request (IP/TEID of eNB for S1U); Update Bearer Response; UL/DL Packet Data via Default EPS Bearer. States shown: EMM_Registered, ECM_Connected.]
Reference to specs.: TS 23.401 section 5.3.2
5.-Based on the subscription data the new MME must decide whether a default bearer has to be created or not. The default access point name (default APN) assists the MME in the selection of an appropriate SAE GW. The CREATE DEFAULT BEARER REQUEST message (GTP-C) is sent to this serving gateway. The SAE GW will now create the S5/S8 tunnel. This is done with the same message, but sent to the PDN GW.
6.-When the EPC resources for the default bearer are prepared, the new MME can give the ATTACH ACCEPT message to the eNB. The S1-AP message that contains it is the Initial Context Setup Request, which also holds the tunnel endpoint identifier allocated by the Serving GW for the S1-U interface. The eNB creates the radio bearer for the default SAE bearer and returns ATTACH COMPLETE to the MME. The S1-AP message carrying it holds the TEID allocated by the eNB for the S1-U interface. Via an UPDATE BEARER procedure the MME gives this parameter to the Serving GW.
7.-Now the default SAE bearer is complete and the UE is in state EMM_REGISTERED and ECM_CONNECTED.
S1 Release
•After attach the UE is in EMM_Registered state.
•The default Bearer has been allocated (RRC_connected + ECM_connected) even though it may not transmit or receive data.
•If there is a longer period of inactivity by this UE, the Admission Control should free the resources (RRC_idle + ECM_idle).
[Figure: message sequence between UE, eNB, MME, Serving Gateway (SGW) and PDN Gateway. Messages shown: S1 Release Request (cause); Update Bearer Request (release of eNB S1U resources); Update Bearer Response; S1 Release Command (cause); RRC Connection Release; RRC Connection Release Ack; S1 Release Complete. States shown: EMM_Registered + ECM_Connected at the start; after the S1 Signalling Connection Release, ECM_Idle + EMM_Registered.]
Reference to specs.: TS 23.401 section 5.3.5
1.-The eNB can send the message S1 RELEASE REQUEST (S1-AP) to the MME to request the release of all EUTRAN resources for a UE. The message can for instance be triggered by detection of a too long inactivity period.
2.-When the MME gets a trigger to release the UE from EUTRAN, it will release the S1 tunnels allocated for the SAE bearers of the UE. This is done by sending an UPDATE BEARER REQUEST message (GTP-C) to the Serving GW. In the message the indication of the release of the S1 resources is contained.
3.-In parallel to the previous step the MME will send the S1-AP message S1 RELEASE COMMAND to the eNB. It will trigger the release of the UE on the air interface with message RRC CONNECTION RELEASE (RRC). This will bring the UE to RRC_IDLE state and with that also to ECM_IDLE state. The UE acknowledges with RRC CONNECTION RELEASE ACK.
Detach
•Can be triggered by UE or by the Network (MME, SGSN or HSS).
•During the detach procedure all SAE bearers with their associated tunnels and radio bearers will be deleted.
• The LTE-UE will lose all the temporary IDs (GUTI, C-RNTI and IP Address)
Note: Detach procedure initiated by UE.
[Figure: message sequence between UE, eNB, MME, Serving Gateway (SGW), PDN Gateway, PCRF and HSS. Messages shown: NAS Detach Request (switch off flag); Delete Bearer Request and Delete Bearer Response (shown twice); IP Session Termination; Notify Request; Notify Response; NAS: Detach Accepted; S1 Signalling Connection Release. States shown: EMM-Registered, RRC_Connected, ECM_Connected at the start; EMM-Deregistered, RRC_Idle + ECM Idle at the end.]
Reference to specs.: TS 23.401 section 5.3.8
The transition to EMM_DEREGISTERED state is achieved by the NAS detach procedure.
The Detach procedure allows:
-the UE to inform the network that it does not want to access the EPS any longer
-the network to inform the UE that it does not have access to the EPS any longer
The UE is detached either explicitly or implicitly:
-Explicit detach: The network or the UE explicitly requests detach and signal with each other
-Implicit detach: The network detaches the UE, without notifying the UE. This is typically the case when the network presumes that it is not able to communicate with the UE, e.g. due to radio conditions.
The procedure consists of the DETACH REQUEST / DETACH ACCEPT procedure between UE and MME and the DELETE BEARER procedure between MME and Serving GW and PDN GW. Furthermore, at the end the S1 RELEASE procedure between MME and eNB deletes all radio resources.
Detach
Reference to specs.: TS 23.401 section 5.3.8
Note: Detach procedure initiated by MME.
[Figure: message sequence between UE, eNB, MME, Serving Gateway (SGW), PDN Gateway, PCRF and HSS. Messages shown: NAS Detach Request (switch off flag); Delete Bearer Request and Delete Bearer Response (shown twice); IP Session Termination; Notify Request; Notify Response; NAS: Detach Accepted; S1 Signalling Connection Release. States shown: EMM-Registered, RRC_Connected, ECM_Connected at the start; EMM-Deregistered, RRC_Idle + ECM Idle at the end.]
Service Request
[Figure: message sequence between UE, eNB, MME, Serving Gateway (SGW) and PDN Gateway. Messages shown: NAS Service Request (GUTI/S-TMSI, TAI, service type); NAS Service Request; Authentication Request (authentication challenge); Authentication Response (authentication response); Initial Context Setup Req. (IP/TEID of SGW in S1U, QoS, ..); RB Establishment Req.; RB Establishment Rsp.; Initial Context Setup Rsp. (IP/TEID of eNB in S1U, ..); Update Bearer Request (IP/TEID of eNB in S1U); Update Bearer Response. States shown: RRC_Idle + ECM_Idle at the start; RRC_Connected, ECM_Connected at the end.]
Reference to specs.: TS 23.401 section 5.3.4
Note: Service Request procedure initiated by UE.
UE Triggered Service Request Procedure
• From time to time a UE must switch from ECM_Idle to ECM_connected
• The reasons for this might be UL data is available, UL signaling is pending (e.g. tracking area update, detach) or a paging from the network was received.
1.-The UE sends the NAS message SERVICE REQUEST towards the MME encapsulated in an RRC message to the eNodeB. If there are multiple MME connected to the eNB it is the task of the eNB to select the right MME (the one the UE is registered with) from S-TMSI/GUTI and TAI. The service type parameter indicates the above mentioned reason for the service request.
2.The eNodeB forwards NAS message to MME. NAS message is encapsulated in an S1-AP: Initial UE Message (NAS message, TAI+ECGI of the serving cell, S-TMSI, CSG ID, CSG access Mode).
3.NAS authentication procedures may be performed.
4.The MME sends S1-AP Initial Context Setup Request (Serving GW address, S1-TEID(s) (UL), EPS Bearer QoS(s), Security Context, MME Signalling Connection Id, Handover Restriction List,…) message to the eNodeB. This step activates the radio and S1 bearers for all the active EPS Bearers. The eNodeB stores the Security Context, MME Signalling Connection Id, EPS Bearer QoS(s) and S1-TEID(s) in the UE RAN context.
5.The eNodeB performs the radio bearer establishment procedure. The user plane security is established at this step. When the user plane radio bearers are set up, the Service Request is completed and the EPS bearer state is synchronized between the UE and the network.
6.The uplink data from the UE can now be forwarded by the eNodeB to the Serving GW. The eNodeB sends the uplink data to the Serving GW address and TEID provided in step 4. The Serving GW forwards the uplink data to the PDN GW.
7.The eNodeB sends an S1-AP message Initial Context Setup Complete (eNodeB address, List of accepted EPS bearers, List of rejected EPS bearers, S1 TEID(s) (DL)) to the MME.
8.The MME sends a Modify Bearer Request message (eNodeB address, S1 TEID(s) (DL) for the accepted EPS bearers, Delay Downlink Packet Notification Request, RAT Type) to the Serving GW. The Serving GW is now able to transmit downlink data towards the UE.
12.The Serving GW sends a Modify Bearer Response to the MME.
Service Request
[Figure: message sequence between UE, eNB, MME, Serving Gateway (SGW) and PDN Gateway. Messages shown: DL Data; DL Data Notification; DL Data Notification Ack.; Paging (S-TMSI, TAI/TAI-list); Paging (S-TMSI); followed by the UE Triggered Service Request Procedure. State shown: RRC_Idle + ECM_Idle.]
Reference to specs.: TS 23.401 section 5.3.4
Note: Service Request procedure initiated by the Network
1.When the Serving GW receives a downlink data packet for a UE known as not user plane connected (i.e. the S-GW context data indicates no downlink user plane TEID), it buffers the downlink data packet and identifies which MME is serving that UE.
2.The Serving GW sends a Downlink Data Notification message to the MME for which it has control plane connectivity for the given UE. The MME responds to the S-GW with a Downlink Data Notification Ack message.
If the Serving GW receives additional downlink data packets for this UE, the Serving GW buffers these downlink data packets and the Serving GW does not send a new Downlink Data Notification.
3.The MME sends a Paging message (NAS ID for paging, TAI(s), UE identity based DRX index, Paging DRX length, list of CSG IDs for paging) to each eNodeB belonging to the tracking area(s) in which the UE is.
4.If eNodeBs receive paging messages from the MME, the UE is paged by the eNodeBs.
Steps 3-4 are omitted if the MME already has a signalling connection over S1-MME towards the UE.
5.When UE is in the ECM-IDLE state, upon reception of paging indication in E-UTRAN access, the UE initiates the UE triggered Service Request procedure
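The TEID handling described on the SAE bearer slide (S1 tunnel released when the UE goes idle, S5/S8 tunnel and TEID-SG1 kept) and the downlink buffering in steps 1-2 above, as an added Python example that is not part of the original slides. The 8-octet GTPv1-U header layout comes from the GTP-U specification rather than from this page; SgwUeContext, Bearer and the TEID values are hypothetical, and the GTP-C signalling is reduced to method calls.

```python
import struct
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

G_PDU = 0xFF  # GTP-U message type for a T-PDU (tunnelled IP datagram)


def gtpu_encode(teid: int, t_pdu: bytes) -> bytes:
    """Mandatory 8-octet GTPv1-U header (flags, type, length, TEID) + T-PDU."""
    return struct.pack("!BBHI", 0x30, G_PDU, len(t_pdu), teid) + t_pdu


def gtpu_decode(frame: bytes) -> Tuple[int, bytes]:
    """Return (TEID, T-PDU); raise ValueError for anything malformed."""
    if len(frame) < 8:
        raise ValueError("shorter than the mandatory GTP-U header")
    flags, mtype, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10 or mtype != G_PDU:
        raise ValueError("not a GTPv1-U G-PDU")
    body = frame[8:]
    if length != len(body):
        raise ValueError("length field disagrees with frame size")
    if flags & 0x07:                  # E, S or PN set: 4 optional octets follow
        if len(body) < 4:
            raise ValueError("truncated optional fields")
        next_ext = body[3] if flags & 0x04 else 0
        body = body[4:]
        while next_ext:               # walk the chained extension headers
            size = body[0] * 4 if body else 0
            if size == 0 or len(body) < size:
                raise ValueError("bad extension header")
            next_ext, body = body[size - 1], body[size:]
    return teid, body


@dataclass
class Bearer:
    teid_sg1: int                   # S-GW's TEID on S1-U, kept while UE is idle
    teid_sg2: int                   # S-GW's TEID on S5/S8
    teid_pg: int                    # PDN GW's TEID on S5/S8
    teid_enb: Optional[int] = None  # eNB's TEID on S1-U, unknown while idle
    buffered: Deque[bytes] = field(default_factory=deque)


class SgwUeContext:
    """Serving GW user-plane state for one UE, indexed by the S-GW's own TEIDs."""

    def __init__(self, bearers: List[Bearer]):
        self.by_sg1: Dict[int, Bearer] = {b.teid_sg1: b for b in bearers}
        self.by_sg2: Dict[int, Bearer] = {b.teid_sg2: b for b in bearers}
        self.to_mme: List[str] = []  # GTP-C messages the S-GW would send
        self.notified = False
        self.dropped = 0

    def _lookup(self, table, frame):
        try:
            teid, t_pdu = gtpu_decode(frame)
        except ValueError:
            teid, t_pdu = None, b""
        bearer = table.get(teid)
        if bearer is None:
            self.dropped += 1        # malformed, or a TEID this S-GW never issued
        return bearer, t_pdu

    def uplink(self, frame: bytes) -> Optional[bytes]:
        """S1-U frame from the eNB becomes an S5/S8 frame for the PDN GW."""
        bearer, t_pdu = self._lookup(self.by_sg1, frame)
        return None if bearer is None else gtpu_encode(bearer.teid_pg, t_pdu)

    def downlink(self, frame: bytes) -> Optional[bytes]:
        """S5/S8 frame from the PDN GW: forward on S1-U, or buffer if UE idle."""
        bearer, t_pdu = self._lookup(self.by_sg2, frame)
        if bearer is None:
            return None
        if bearer.teid_enb is None:
            bearer.buffered.append(t_pdu)
            if not self.notified:    # only the first buffered packet notifies
                self.notified = True
                self.to_mme.append("Downlink Data Notification")
            return None
        return gtpu_encode(bearer.teid_enb, t_pdu)

    def s1_release(self) -> None:
        """S1 release indicated by the MME: forget every TEID-eNB."""
        for bearer in self.by_sg1.values():
            bearer.teid_enb = None

    def modify_bearer(self, enb_teids: Dict[int, int]) -> List[bytes]:
        """Learn new TEID-eNB values (keyed by TEID-SG1), flush buffered data."""
        out: List[bytes] = []
        for sg1, enb in enb_teids.items():
            bearer = self.by_sg1[sg1]
            bearer.teid_enb = enb
            out += [gtpu_encode(enb, p) for p in bearer.buffered]
            bearer.buffered.clear()
        self.notified = False
        return out
```

Uplink frames are accepted on the retained TEID-SG1 even before the new TEID-eNB is known, which matches step 6 of the UE triggered procedure preceding step 8; frames carrying a TEID the gateway never allocated are counted and dropped.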
Tracking Area Update (TAU)
[Figure: Tracking area 1 and Tracking area 2, with a tracking area update sent to the MME.]
•Tracking area (TA) is similar to Location/Routing area in 2G/3G.
•TAI (Tracking Area Identity) = MCC (Mobile Country Code) + MNC (Mobile Network Code) + TAC (Tracking Area Code).
•When UE is in ECM-Idle, MME knows UE location with Tracking Area accuracy.
A Tracking Area Update takes place if:
- UE detects it has entered a new Tracking Area that is not in the list of TAIs that the UE registered with the network;
- the periodic Tracking Area update timer has expired;
TAU (1/2)
[Figure: message sequence between UE, eNB, new MME, old MME, new Serving Gateway (SGW), old Serving Gateway (SGW), PDN Gateway and HSS. Messages shown: TAU Request (Current GUTI/IMSI, old TAI, EPS Bearer Status); TAU Request; Context Request (Old GUTI/IMSI, complete TAU Request Message); Context Response (IMSI, IMEI, MSISDN, unused EPS Authentication vectors, KASME, etc…); Authentication Request; Authentication Response; MME determines if Serving GW change is needed; Context Acknowledge (Serving GW change Indication); Create Bearer Request (IMSI, bearer contexts, RAT type); Update Bearer Request (IP/TEID for new SGW-S5, RAT type); Update Bearer Response (IP/TEID for PDN GW); Create Bearer Response (new SGW-S1 IP/TEID). States shown: UE EMM_Registered, RRC_Idle + ECM_Idle at the start; RRC_Connected, ECM_Connected afterwards.]
Reference to specs.: TS 23.401 section 5.3.3
Note: TAU with Serving GW change
1.-The UE sends TRACKING AREA UPDATE REQUEST with its current GUTI or IMSI, old TAI and EPS Bearer Status information to the eNB. This one has to forward the message to a MME. If the old MME cannot be selected, then a new MME must be chosen by the eNB.
2.-The new MME must first of all get the identity (IMSI) of the subscriber and authenticate him/her. Therefore the new MME contacts the old one via GTP-C CONTEXT REQUEST. The CONTEXT RESPONSE contains IMSI, authentication vectors, but also all information about the currently active SAE bearers of this user.
3.-With one of the authentication vectors the new MME can start authentication.
4.-After a successful authentication the new MME analyzes if a Serving GW change is needed
5.- New MME informs the old one that it is ready to take control over the UE (Context Acknowledge message). The old MME will now start a timer and wait for the cancellation of the subscriber record.
6.-In parallel to the previous step the new MME sends GTP-C CREATE BEARER REQUEST to the Serving GW it has selected. The message will trigger the setup of new S1 tunnels and trigger an update towards PDN GW. This will change the traffic path from PDN GW to new Serving GW to new eNB.
TAU (2/2)
[Figure: message sequence between UE, eNB, new MME, old MME, new Serving Gateway (SGW), old Serving Gateway (SGW), PDN Gateway and HSS. Messages shown: Update Location (new MME identity, IMSI, update type, …); Cancel Location (IMSI, cancellation type = update); Cancel Location Ack; Delete Bearer Request (TEID); Delete Bearer Response; Update Location Ack (IMSI, subscription data); Tracking Area Update Accept (new GUTI, TA/TA-list, EPS Bearer Status); Tracking Area Update Complete. States shown: EMM_Registered, RRC_Connected + ECM_Connected.]
Note: TAU with Serving GW change
Reference to specs.: TS 23.401 section 5.3.3
7.-Also simultaneously with the previous steps the MME will update the HSS. During this the HSS will cancel the subscriber record in the old MME. The old MME will of course also delete the old tunnels in the old Serving GW.
8.-At the end the UE gets a NAS message TRACKING AREA UPDATE ACCEPT. In it a new GUTI and new tracking area (or tracking area list) will be contained. The UE has to acknowledge with TRACKING AREA UPDATE COMPLETE.
“Multi Tracking Area Registration” Concept
UE only triggers TAU when moving to a cell belonging to a TA not in the TA list for that UE.
Dedicated Bearer Activation
•The default SAE bearer is created when the UE performs the attach.
•Subsequent SAE bearers are known as dedicated SAE bearers.
•They are expected to be allocated on a per-application basis, with parameters that are application dependent.
•Dedicated SAE bearers can be triggered by the network, not only by the user, like PDP contexts in GPRS.
Dedicated Bearer Activation (1/2)
[Figure: message sequence between UE, eNB, MME, Serving Gateway (SGW), PDN Gateway and PCRF. Messages shown: PCC Decision (QoS Policy); Create Dedicated Bearer Request (PDN GW IP/TEID2, QoS param. …); Create Dedicated Bearer Request (SGW-S1 IP/TEID2, QoS param.); then the Network Triggered Service Request Procedure: Paging (S-TMSI, TA/TA-list, …); Paging (S-TMSI); Service Request (GUTI/S-TMSI, TAI, service type = paging response); Initial Context Setup Req. (SGW-S1 IP/TEID1, EPS Bearer ID, QoS); RB Establishment Req.; RB Establishment Rsp.; Initial Context Setup Rsp. (eNB-S1 IP/TEID1, EPS Bearer ID, ..); Update Bearer Request (eNB-S1 IP/TEID1); Update Bearer Response. States shown: RRC_Idle + ECM_Idle at the start; RRC_Connected + ECM_Connected afterwards.]
Reference to specs.: TS 23.401 section 5.4.1
Note: procedure initiated by the Network
1.-The external data network triggers the request for a new IP connectivity bearer (SAE bearer) via the PCRF connected to the PDN gateway that owns the default SAE bearer of this user. This is sent in form of a Policy and Charging Control (PCC) decision (QoS policy) from PCRF to PDN GW.
2.-The PDN GW first of all uses GTP-C CREATE DEDICATED BEARER REQUEST to setup the tunnel between PDN GW and Serving GW.
3.-The Serving GW allocates the resources for the S5/S8 tunnel and forwards an associated request to the MME for the S1 tunnel.
4.-If the UE is currently ECM_IDLE it must be paged. Thus the MME sends PAGING messages of the S1-AP protocol to all eNBs that own cells of the UE's current tracking area (or tracking areas). If the UE receives such a paging it will respond with the SERVICE REQUEST procedure, after which the default SAE bearer will be re-established.
Dedicated Bearer Activation (2/2)
[Figure: message sequence between UE, eNB, MME, Serving Gateway (SGW), PDN Gateway and PCRF. Messages shown: Session Mgmt. Response (NAS message, EPS Bearer ID); Create Dedicated Bearer Response (eNB IP/TEID2, EPS Bearer ID, QoS, …); Create Dedicated Bearer Response (SGW-S5 IP/TEID2, EPS Bearer ID, QoS, …); PCC Provision Ack.]
Reference to specs.: TS 23.401 section 5.4.1
Note: procedure initiated by the Network
5.-The UE NAS layer builds a Session Management Response including EPS Bearer Identity. The UE then sends a Direct Transfer (Session Management Response) message to the MME.
6.- Upon reception of the Bearer Setup Response message and the Session Management Response message in step 5, the MME acknowledges the bearer activation to the Serving GW by sending a Create Bearer Response (EPS Bearer Identity, S1-TEID) message.
7.-The Serving GW acknowledges the bearer activation to the PDN GW by sending a Create Bearer Response (EPS Bearer Identity, S5/S8-TEID) message.
8.-If the dedicated bearer activation procedure was triggered by a PCC Decision Provision message from the PCRF, the PDN GW indicates to the PCRF whether the requested PCC decision (QoS policy) could be enforced or not, allowing the completion of the PCRF-Initiated Session Modification procedure.
LTE/EPS Handover
• When the UE is in ECM_Connected state, mobility handling takes place via network controlled handovers with UE assistance.
• UE assistance here simply means that the UE sends measurements and reports to the eNB to assist in the handover decision.
• Currently it is planned that neighbour cells are based on the UE’s cell detection capabilities rather than on a network supplied neighbour cell list.
Intra LTE/EPS Network Handover Types:
• 1.- Intra eNB handover.
• 2.- Inter eNB handover with X2 interface (with or without Serving Gateway relocation)
• 3.- Inter eNB handover without X2 Interface (S1-based handover)
LTE/SAE Handover principles
•1.- Lossless
- Downlink Packets are forwarded from the source cell to the target cell.
•2.-Network Controlled
-Target cell is selected by the network, not by the UE
-Handover control in E-UTRAN (not in packet core)
•3.-UE-assisted
-Measurements are collected by the UE and reported to the network.
•4.-Late path switch
- Only once the handover is successful, the packet core is involved.
Handover Procedure
[Figure: four panels (Before handover, Handover preparation, Radio handover, Late path switching), each showing SAE GW, MME, source eNB and target eNB. Legend: data in radio, signalling in radio, GTP tunnel, GTP signalling, S1 signalling, X2 signalling]
Note: X2-based handover without Serving GW relocation
User plane switching in Handover
Note: X2-based handover without Serving GW relocation
DATA FORWARDING
•Downlink
–source eNB forwards all downlink RLC SDUs that have not been acknowledged by the UE to the target eNB
–target eNB re-transmits and prioritizes all downlink RLC SDUs forwarded by the source eNB as soon as it obtains them
–reordering and duplication avoidance in the UE
•Uplink
–source eNB forwards all successfully received uplink RLC SDUs to the EPC
–UE re-transmits the uplink RLC SDUs that have not been successfully received by the source eNB
–Reordering and duplication avoidance in EPC
Inter eNB Handover with X2 interface (1/2)
[Figure: message sequence between source eNB, target eNB, MME and Serving Gateway (SGW), UE state ECM_Connected, with packet data flowing before the handover. Labels in order: RRC: Measurement Control; RRC: Measurement Report; HO Decision; X2AP: Handover Request (target cell, source eNB IP/TEID in X2, Serving MME & SAE GW); Admission Control: allocates resources for incoming UE; X2AP: Handover Request Ack (HO-command, target eNB IP/TEID in X2); RRC: Handover Command (target cell description, C-RNTI, …); detach source cell; sync. target cell; forward buffered DL packets; buffering of DL packets from old eNB; DL Packet Data]
Note: X2-based handover without Serving GW relocation
Reference to specs.: TS 23.401 section 5.5.1
1.-The source eNB configures the UE measurement procedures with MEASUREMENT CONTROL.
2.-The UE is triggered to send a MEASUREMENT REPORT to the source eNB. It can be event triggered or periodic.
3.-The source eNB makes the handover decision based on the UE report plus load and service information.
4.-When the source (current serving) eNB decides to start a handover of a UE to a neighbor cell in a new (target) eNB it will contact this target eNB. This is done via the X2-AP message HANDOVER REQUEST. The message will contain the target cell for the UE, the current serving MME and SAE GW. It is the task of the target eNB to allocate virtual capacity in the target cell via its admission control function.
5.-If this is done the target eNB returns part of the handover message for the UE within the X2-AP message HANDOVER REQUEST ACKNOWLEDGE. This message also indicates a data forwarding tunnel (TEID from target eNB). It allows the source eNB to forward still buffered or still arriving downlink packets to the target eNB.
6.-The source eNB can now give the HANDOVER COMMAND (RRC) to the UE. The command contains the configuration for the UE in the new cell and possibly already an UL/DL resource allocation. The UE will detach from the old cell and synchronize itself to the new cell. In the meantime the source eNB can start downlink packet forwarding via the X2 interface.
Inter eNB Handover with X2 interface (2/2)
[Figure: message sequence between source eNB, target eNB, MME and Serving Gateway (SGW). Labels in order: Synchronization; UL Allocation + timing advance; RRC: Handover Confirm; S1AP: Handover Complete / Path Switch Request (TAI, target cell ECGI, target eNB IP/TEID, …); MME determines if Serving GW change is needed; Update Bearer Request (target eNB IP/TEID, …); switch DL path; Update Bearer Response (new SGW-S1 IP/TEID, …); S1AP: Handover Complete Ack / Path Switch Req. Ack. (new SGW-S1 IP/TEID, …); X2AP: Release Resources; flush DL buffers; release resources; forwards DL packets and accepts UL packets; Packet Data]
Note: X2-based handover without Serving GW relocation
Reference to specs.: TS 23.401 section 5.5.1
7.-The UE performs the final synchronization to the target eNB and accesses the cell via the RACH procedure (DL pre-synchronization is obtained during cell identification and measurements).
8.-The target eNB gives the uplink allocation and timing advance information.
9.-Once synchronization between the UE and the new cell is achieved, the UE confirms the handover with the RRC message HANDOVER CONFIRM. This will trigger a HANDOVER COMPLETE message of S1-AP to be sent to the MME. It simply informs the MME that a new eNB is now responsible for the UE. Thus this message will contain the IP addresses and TEIDs of the target eNB for the S1 tunnels. Additionally it contains the TAI and the target cell ECGI.
10.-The MME’s task is to send this information via GTP-C UPDATE BEARER REQUEST to the Serving GW. This will switch the traffic path now completely from Serving GW to target eNB.
11.-The Serving Gateway switches the downlink data path to the target side.
12.-The Serving Gateway sends an UPDATE BEARER RESPONSE message to the MME.
13.-The MME confirms the Handover Execution with the HANDOVER COMPLETE ACK message.
14.-By sending RELEASE RESOURCE the target eNB informs the source eNB of the success of the handover and triggers the release of resources.
15.-Upon reception of the RELEASE RESOURCE message, the source eNB can release radio and C-plane related resources associated with the UE context.
Module Contents
• LTE/EPS Mobility Areas
• LTE-UE Identifications
• Mobility & Connection Management Terminology
• LTE Mobility & Connection States
• The EPS Bearer
• LTE/EPS Procedures
• Security: EPS Authentication and Key Agreement (AKA)
LTE/SAE Security: EPS Authentication and Key Agreement (AKA)
• EPS Authentication and Key Agreement (EPS AKA) shall be based on UMTS AKA.
• UMTS Authentication and Key Agreement is a protocol designed to support roaming and fast re-authentication.
• It was originally designed to achieve maximum compatibility with 2G security mechanisms.
The requirements on EPS AKA are:
• EPS AKA shall be based on USIM and extensions to UMTS AKA
• Access to E-UTRAN with 2G SIM shall not be granted. R99 USIM will be accepted.
• EPS AKA shall produce keys that are the basis of C-plane and U-plane protection
UMTS AKA achieves mutual authentication between the user and the network by demonstrating knowledge of a pre-shared secret key K which is only known by the USIM and the AuC in the user’s HSS.
For further information, please refer to 3GPP TS 33.401 and TS 33.102 (SAE Security Architecture)
EPS Authentication Procedure
• RAND is a random value
• KASME is an authentication parameter used, among other tasks, for network authentication
• AUTN is the Network Authentication Token
• XRES is the UE expected result of the authentication computation
[Figure: message sequence between UE, MME and HSS. Labels in order: NAS: Attach Request (User Id, UE Capabilities, etc.); Authentication Data Request; Authentication Data Response (Authentication Vectors: RAND(i), KASME(i), AUTN, XRES(i)); NAS: User Authentication Request (KASME(i), RAND(i), AUTN); UE uses KASME to verify the Network; NAS: User Authentication Response (RES(i)); If RES(i)=XRES(i), Authentication successful]
Security Functions - Encryption
Signaling protection
• For core network (NAS) signaling, integrity and confidentiality protection terminate in MME.
• For radio network (RRC) signaling, integrity and confidentiality protection terminate in eNodeB.
User plane protection
• Encryption terminates in eNodeB.
Hierarchy of Security Keys used in the EPS (3GPP TS 33.401, section 6.2)
• All keys used for security (crypto-algorithms) are 128 bits
• Possibility to use 256-bit keys later.
• The generation of keys is triggered by Authentication and Key Agreement (AKA) procedures.
• In LTE the MME acts as the Access Security Management Entity (ASME). This is the access network entity that receives top level keys from the HSS.
• UMTS AKA is capable of agreeing two keys, CK and IK, on the USIM and in the AuC. For LTE these keys never leave the HSS. Instead they are used to derive KASME, which is transferred from the HSS to the MME as part of the Authentication Vector.
• The keys used for UP, NAS and RRC (AS) protection shall be dependent on the algorithm with which they are used.
EPS/LTE Security Keys (1/2)
Keys shared between the UE and HSS
• K: This is a permanent key stored on the USIM and in the Authorization Centre (AuC). The AuC resides in the HSS.
• CK, IK: A pair of keys derived in the AuC and on the USIM during an AKA run.
Intermediate Key shared by the UE and Access Security Management Entity (ASME=MME)
• KASME: This key is derived from the CK, IK and serving PLMN’s identity by the UE and HSS during an AKA run. It is transferred to the ASME (MME) by the HSS as part of the authentication vector response. The serving PLMN’s identity becomes known to the UE as part of the attachment procedure.
Intermediate Keys for Access Networks
• KeNB: This key is derived from KASME by the UE and MME. It depends on the identity of the eNB. This key is transferred to the eNB.
EPS/LTE Security Keys (2/2)
Keys for NAS Signaling
• KNASint: This key is derived from KASME by the UE and MME. It is used for the integrity protection of NAS traffic.
• KNASenc: This key is derived from KASME by the UE and MME. It is used for the encryption of NAS traffic.
Keys for U-plane Traffic
• KUPenc: This key is derived from KeNB by the UE and eNB and is used for the encryption of U-plane data over the LTE-Uu interface. In order to derive this key an identifier for the encryption algorithm is shared between the eNB and UE.
Keys for RRC Signaling
• KRRCint: This key is derived from KeNB by the UE and eNB and is used for the integrity protection of RRC traffic. In order to derive this key an identifier for the integrity protection algorithm is shared between the eNB and UE.
• KRRC-enc: This key is derived from KeNB by the UE and eNB and is used for the encryption of RRC traffic. In order to derive this key an identifier for the encryption algorithm is shared between the eNB and UE.
Key Generation Procedure
1.-When a UE initially attaches to the network the MME will authenticate the subscriber using UMTS AKA. This triggers generation of security keys by the UE and HSS. At this point the UE and HSS know the PLMN ID which is used in the generation of KASME.
2.-The UE and HSS generate CK and IK from K and the RAND value used in UMTS-AKA.
3.-The UE and HSS derive KASME from CK, IK and PLMN-ID.
4.-The HSS transfers KASME to the MME as part of the Authentication Vector used in EPS AKA.
5.-Once the UE has successfully been authenticated the MME and UE generate the keys for NAS signalling security: KNAS int and KNAS enc.
6.-The MME and UE generate the KeNB key from KASME and the eNB-ID.
7.-The MME transfers KeNB to the eNB across the S1-MME. This key is transferred as part of the Initial Context Setup Request message to the eNB.
8.-The eNB and UE generate the keys used for protection of RRC signaling (KeNB RRC-int and KeNB RRC-enc) and U-plane traffic (KeNB UP-enc), using KeNB.
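The derivation chain of steps 3 to 8, with CK and IK taken as inputs, as an added example that is not part of the course material: each key is an HMAC-SHA-256 output over a tagged input string, following the KDF layout of 3GPP TS 33.401 Annex A. Assumptions not on the slides: the FC codes, the SQN xor AK input to KASME, the algorithm distinguisher values, and the uplink NAS COUNT as the KeNB input (the slides name the eNB identity instead); all key material is constructed.

```python
import hashlib
import hmac

# Algorithm type distinguishers (P0 of the algorithm-key derivation, FC 0x15)
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 1, 2, 3, 4, 5

def kdf(key, fc, *params):
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (2-byte lengths)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def encode_plmn(mcc, mnc):
    """Pack MCC/MNC digit strings into the 3-octet serving PLMN identity."""
    d, n = [int(c) for c in mcc], [int(c) for c in mnc]
    mnc3 = n[2] if len(n) == 3 else 0xF  # filler nibble for a 2-digit MNC
    return bytes([d[1] << 4 | d[0], mnc3 << 4 | d[2], n[1] << 4 | n[0]])

def derive_alg_key(parent, distinguisher, alg_id):
    """Algorithm-bound key: 128 least significant bits of the KDF output."""
    return kdf(parent, 0x15, bytes([distinguisher]), bytes([alg_id]))[16:]

def derive_hierarchy(ck, ik, plmn, sqn_xor_ak, ul_nas_count, enc_alg, int_alg):
    # KASME: keyed with CK || IK and bound to the serving PLMN identity
    kasme = kdf(ck + ik, 0x10, plmn, sqn_xor_ak)
    # KeNB: keyed with KASME; uplink NAS COUNT input is an assumption (see lead-in)
    kenb = kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))
    return {
        "KASME": kasme,
        "KNASenc": derive_alg_key(kasme, NAS_ENC, enc_alg),
        "KNASint": derive_alg_key(kasme, NAS_INT, int_alg),
        "KeNB": kenb,
        "KRRCenc": derive_alg_key(kenb, RRC_ENC, enc_alg),
        "KRRCint": derive_alg_key(kenb, RRC_INT, int_alg),
        "KUPenc": derive_alg_key(kenb, UP_ENC, enc_alg),
    }

if __name__ == "__main__":
    # Constructed sample inputs, not real subscriber material
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    keys = derive_hierarchy(ck, ik, encode_plmn("001", "01"), bytes(6),
                            ul_nas_count=0, enc_alg=2, int_alg=2)
    for name, value in keys.items():
        print(f"{name:8} {value.hex()}")
```

Changing only the PLMN identity changes every key in the tree, while changing only the algorithm identifier leaves KASME and KeNB untouched and replaces the leaf keys.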