1 structure of primary and secondary synchronization channels (sch) c p primary synchronisation code...

1 Structure of Primary and Secondary Synchronization Channels (SCH) c p Primary Synchronisation Code ( It is the same for every cell in the system)

2 Fast Cell Search Downlink primary scrambling codesSecondary synchronisation codes PSC0 PSC1 PSC7 Group 1 PSC8 PSC9 PSC15 Group 2 PSC504 PSC511 Group 64 associated C s 0,k C s 1,k C s 63,k PSC505

SSC Sequences 3

Cell Search Downlink scrambling code and common channel frame synchronization of that cell will be determined during cell search All common physical channel timings are related to the timing of P-CCPCH, so only the timing of P-CCPCH need to be found out Step 1, Slot synchronization: SCHs primary synchronization code is used to acquire slot synchronization to a cell primary synchronization code is common to all cells, so slot timing of the cell can be obtained by detecting peaks in a single matched filter output Step 2, Frame synchronization and code-group identification: now secondary SCH is used to find frame synchronization and identify the code- group of the cells found in the first step. This is done by correlating the received signal with all possible secondary synchronization code sequences and identifying the max correlation value. Step 3, Scrambling code identification: Mobile station determines the exact primary scrambling code used by the found cell. The primary scrambling code is identified through symbol-to-symbol correlation over the CPICH with all codes within the group identified in step 2. After the primary scrambling code has been detected, the primary CCPCH can be detected, and the system and cell specific BCH information can be read.

Slotted Downlink Transmission MS Single-receiver Measurements on other frequencies without affecting normal data flow. The information is compressed in time An idle time period of 5ms is created within each frame. 6

7 Idle period available for interfrequency measurement Instantaneous Rate/Power Normal transmission Slotted transmission T f Downlink slotted transmission

Handover [1/7] 1. Intra-mode handover Include soft handover, softer handover and hard handover. Rely on the Ec/Io measurement performed from the CPICH. 2. Inter-mode handover Handover to the UTRAN TDD mode. 3. Inter-system handover Handover to other system, such as GSM. Make measurement on the frequency during compressed mode (Slotted transmission). 8

Handovers [2/7] 1. Intra-frequency HO 1.1 Softer Handover Between two adjacent sectors of a base station Communication take place concurrently via two air interface channels, one for each sector separately. The two signals combined at BS Only one power control loop per connection 9 UE1 BS 1 BS 2

Handovers [3/7] 1.2 Soft Handover Between cell coverage area of two different base stations The main difference between softer and soft HO is in the uplink direction Data at different BS from the MS is combined at RNC Frame reliability indicator is used to select the best frame Two power control loops per connection are active, one per BS 10 UE1 BS 1 BS 2

Soft Handover 11

Handovers [4/7] 2. Inter-frequency HO Hard handover The handover between two base stations operating at two different frequencies e.g. HO between two different UMTS operators 3. Inter System HO Hard handover take place between the WCDMA FDD system and another system e.g. such as HO between UMTS to GSM 13

WCDMA Handovers [5/7] Terminology: Active set (AS), represents the number of links that UE is connected to. Neighbor set (NS), represents the links that UE monitors which are not already in active set.

WCDMA Handovers [6/7] Handover parameters: Add window Represents a value of how much worse a new signal can be compared to the best one in the current active set in order to be added into the set Adding link to combining set can be done only if maximum number of links is not full yet (defined with parameter). Moreover a new link is added to the active set only if the difference between the best and the new is still at least as good after the add timer is expired. Timer is started when the signal first reaches the desired level. Drop window Represents a value of how much poorer the worst signal can be when compared to the best one in the active set before it is dropped out Similarly to adding, signal which is to be dropped needs to fulfill the drop condition after the corresponding drop timer is expired.

WCDMA Handovers [7/7] Replace window Represents a value for how much better a new signal has to be compared to the poorest one in the current active set in order to replace its place Replace event takes place only if active set is full as otherwise add event would be applied Similarly to add and drop events, also with replace event there exist a replace timer

Active set management 17

Power Control in WCDMA [1/4] 18 The purpose of power control (PC) is to ensure that each user receives and transmits just enough energy to prevent: Blocking of distant users (near-far-effect) Exceeding reasonable interference levels UE1 UE2 UE3 UE1 UE2 UE3 UE1 UE2 UE3 Without PC received power levels would be unequal In theory with PC received power levels would be equal

Power Control in WCDMA [2/4] Power control can be divided into two parts: Open loop power control (slow power control) Used to compensate e.g. free-space loss in the beginning of the call Based on distance attenuation estimation from the downlink pilot signal Closed loop power control (fast power control) Used to eliminate the effect of fast fading Applied 1500 times per second 19

Power Control in WCDMA [3/4] Closed loop power control can also be divided into two parts: Innerloop power control Measures the signal levels and compares this to the target value and if the value is higher than target then power is lowered otherwise power is increased Outerloop power control Adjusts the target value for innerloop power control Can be used to control e.g. the Quality of Service (QoS) 20

Power Control in WCDMA [4/4] Example of inner loop power control behavior: With higher velocities channel fading is more rapid and 1500 Hz power control may not be sufficient 21

Application protocols in UTRAN Iub interface (between RNC and base station) NBAP (Node B Application Part) Iur interface (between Serving RNC and Drift RNC) RNSAP (Radio Network Subsystem Application Part) - Link management for inter-RNC soft handover Iu interface (between RNC and core network) RANAP (Radio Access Network Application Part) - Radio Access Bearer (RAB) management - SRNS Relocation - Transfer of higher-level signalling messages 22

Serving RNC and Drift RNC in UTRAN Core network Iu Iur Iub DRNC SRNC UE BS RNC Concept needed for: Soft handover between base stations belonging to different RNCs 23

Serving RNS (SRNS) Relocation RNS = Radio Network Sub-system = RNC + all base stations controlled by this RNC SRNS Relocation means that the Serving RNC functionality is transferred from one RNC (the old SRNC) to another (the new SRNC, previously a DRNC) without changing the radio resources and without interrupting the user data flow. RANAP provides the signalling facilities over the two Iu interfaces involved (Iu interfaces to old and new SNRC) for performing SRNC Relocation in a co-ordinated manner. 24

SRNS Relocation (cont.) Core network Iu Iur Iub DRNC SRNC UE BS RNC Iu SRNC SRNC provides: 1) connection to core network 2) macrodiversity combining point 25

Soft handover concept Iu Iur Iub DRNC SRNC UE BS RNC Leg 1 Leg 3 Signal combining point is in SRNC (downlink: in UE) BS Leg 2 Legs 1 and 2: Iur interface is not needed Leg 3 is added: Iur interface is needed! Core network 26

Radio propagation, fading and receivers When transmitted radio signal travels in the air interface it is altered in many ways before it reaches the receiver reflections, diffractions, attenuation of the signal energy, etc. These different multipath components of the transmitted signal arrive at different times to the receiver and can cause either destructive or constructive addition to the arriving plane waves 27 ConstructiveDestructive

Radio propagation, fading and receivers Fast changes of the radio channel conditions caused by the fading channel conditions (destructive and constructive addition) is called fast fading Example of the fast fading channel in the function of time is in the right hand figure Illustrates, for instance, deep fades in the channel that power control would need to react to 28

RAKE receiver building block The most commonly used receiver is so called RAKE receiver Especially designed to compensate the effects of fading Every multipath component arriving at the receiver more than one chip time (0.26 s) apart can be distinguished by the RAKE receiver Compensating is done by using several sub-receivers referred as fingers Each of those fingers can receive individual multipath components Each component is then decoded independently and after that combined in order to make the most use of the different multipath components and thus reduce the effect of fading This kind of combining method is so called Maximum Ratio Combining (MRC) 29

Radio propagation, fading and receivers Finger #1 Finger #2 Finger #3 Transmitted symbol Received symbol at each time slot Phase modified using the channel estimate Combined symbol 30

Diversity [1/2] Different components of the transmitted signal can be used to enhance the end quality of the received signal Components differ from each other by their amplitudes and delays There exists different types diversity which can be used to improve the quality, e.g.: Multipath Reflections, diffractions, attenuation of the signal energy, etc. Macro Different base stations or Node Bs send the same information Site Selection Diversity Transmission (SSTD) Maintain a list of available base stations and choose the best one, from which the transmission is received and tell the others not to transmit 31

Diversity [2/2] Time: Same information is transmitted in different times Receiver: Transmission is received with multiple antennas Transmit: Transmission is sent with multiple antennas

Micro- / macrodiversity combining Iu Iur Iub DRNC SRNC UE BS RNC Macrodiversity combining point in SRNC Core network Rake receiver Multipath propagation Microdiversity combining point in base station (uplink) 33

Micro- / macrodiversity combining Microdiversity combining: multipath signal components are processed in RAKE fingers and combined (= summed) using MRC (MRC = Maximum Ratio Combining) Macrodiversity combining: the same bit sequences (with different bit error positions) are combined at the SRNC (usually: selection combining). Hard handover: slow (a lot of signalling) Soft handover: fast selection in SRNC (uplink) 34

Cell A Cell B Cell C Signal margin Soft handover region ADD threshold DROP threshold Time margin Ec/No Time Macrodiversity - active set 35

Security in UMTS GSMUMTS SIM authentication (PIN code) SIM authentication (PIN code) User authentication Ciphering (air interface) Signalling data integrity IP security (e.g. IPSEC) User authentication Network authentication USIM authentication (PIN code) Ciphering (air interface) KASUMI algorithm (known) UMTS: larger key lengths than in GSM 36

Security in digital networks: terminology Authentication: SIM authentication (PIN code) user authentication (GSM, UMTS) network authentication (UMTS) Integrity: signalling data integrity (UMTS) Confidentiality ( privacy): ciphering of signals over radio interface hiding of user identifiers over radio interface end-to-end encryption (offered by service provider) 37

Authentication Authentication: Procedure of verifying the authenticity of an entity (user, terminal, network, network element). In other words, is the entity the one it claims to be? SIM authentication is local (network is not involved) In GSM, only user is authenticated In UMTS, both user and network are authenticated User/network is authenticated at the beginning of each user-network transaction (e.g. location updating or connection set-up) and always before ciphering starts. See Security in GSM for more details 38

Integrity Data integrity: The property that data has not been altered in an unauthorised manner. Man-in-the-middle security attack, e.g. false BS Data integrity checking is not done in GSM In UMTS, signalling messages are appended with a 32 bit security field (MAC-I) at the terminal or RNC before transmission and checked at the receiving end In UMTS, also volume of user data (not the user data itself) is integrity protected 39

Signalling integrity protection in UMTS Signalling message Algorithm f 9 MAC-I Integrity Key (IK) and other keys/parameters UE RNC MAC-I generationMAC-I checking MAC-I generationMAC-I checking Both in terminal and RNC

Confidentiality Confidentiality: The property that information is not made available to unauthorised individuals, entities or processes. Example 1: Ciphering (encryption) over the air interface Example 2: Preventing unencrypted transmission of user ID information such as IMSI number over the air interface => Temporary Mobile Subscriber Identity (TMSI) is generated (at the end of each MM or CM transaction) and is used at the beginning of the next transaction instead of IMSI.

Example 1: ciphering (encryption) BS MS UE BTS BSC RNC SGSN Core Network Air interface GPR S UMT S MS BTS BSC Core Network GSM Both CS and PS information Signalling integrity protection

Network domain security Circuit switched network => quite good IP-based network (Internet) => rather poor at present (security mechanisms are developed by IETF, 3GPP...) Some security threats in IP-based network: Sniffing (electronic eavesdropping) Spoofing, session hijacking Denial of service (DoS), spamming Confidentiality Integrity

44 WCDMA: More Information? http://www.3gpp.org 21.101 guide to all other documents 25.XXX series radio access network (RAN) 25.211 frame structure etc. 25.212 channel coding etc. 25.213 spreading and modulation 25.214 physical layer procedures (tx diversity, etc.) 25.321 medium access control (MAC) 25.322 radio link control (RLC) 26.XXX series voice coding

1 structure of primary and secondary synchronization channels (sch) c p primary synchronisation code...

Documents