The Peril of Cellular Network Evolution
- On CSFB and VoLTE
Chunyi Peng, Fall 2015
Emerging Problems in Network Evolution
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 2
• 2G: Circuit-switching for voice
• 3G: Circuit-switching for voice; Packet-switching for data
• 4G: Packet-switching for everything; IP-based
Q1: Will existing techniques fail to support emerging requirements well? YES!
Q2: Will new features raise new side-effects?
MUTUAL INTERFERENCE BETWEEN VOICE AND DATA IN 4G LTE NETWORKS
[mobicom’13] [CNS’15]
Advancing toward 4G LTE
• 4G LTE grows fast
  – Better support for mobile Internet
  – 480 LTE networks (by 09/2015, 4gamerica)
4G LTE's Trouble in Voice
• 4G LTE: Packet-switched (PS) only
  – No circuit-switched (CS)
[Diagram: 4G base station -> 4G PS gateway -> Internet carries IP packets; voice traditionally reaches the telephony network via CS, but 4G has no CS domain]
Two Solutions: CSFB & VoLTE
• #1. CSFB (Circuit-Switched Fallback): leverage 3G/2G CS to support voice
• #2. VoLTE (Voice over LTE): deliver voice directly in packets (over IP)
[Diagram: 4G base station -> 4G PS gateway -> Internet; voice via the 3G CS domain to the telephony network]
Coexisting Voice Solutions
• Circuit-Switched Fallback (CSFB)
  – Reuse the legacy 2G/3G networks
  – Broadly launched in many LTE networks
  – 1st choice of LTE networks
• Voice over LTE (VoLTE)
  – Ultimate solution, similar to VoIP in LTE
  – Needs to deploy IMS (IP multimedia system)
  – Heavy cost and overhead
  – Initial rollout: AT&T, T-Mobile, Verizon since late 2014
...
CSFB (Circuit-Switched Fallback)
[Diagram, built up over slides 8-10: 3G base station -> 3G CS gateway -> telephony network carries 3G voice (data plane); 3G base station -> 3G PS gateway -> Internet carries IP packets (data plane); signaling on the control plane; 4G base station -> 4G PS gateway -> Internet, with control via the MME, added alongside]
An Example: Incoming Call Comes During Downloading
• Expected flows on Bob
• [tu13-mobisys]: data transmission suspends and user traffic is over-accounted when an inter-system handover, e.g., 4G <-> 3G (steps 3 and 6), occurs.
• What else? Impact on data or voice services?
CSFB: Incoming Call Flow
[Message flow among 4G MME, 4G BS, 3G BS, 3G CS gateways and the callee]
1. Call Request
2. Paging Request (CS call)
3. Extended Service Request
4. Switch to 3G
5. Paging Response (CS call)
6. Setup CS Call
7. Call Conversation
8. Switch back to 4G
Seemingly Reasonable
• Users only switch to 3G when needed (calls)
• Users still obtain higher-speed 4G LTE for data
• Carriers reuse the existing 3G (cost-effective)
By design: Independent voice & data
• Expected data throughput slump during voice
  – 4G downgrades to 3G
Three Unexpected Issues in CSFB
Unexpected: Interference btw. voice & data
• #1: Data application aborts
  – When voice call ends
• #2: Lose 4G connectivity
  – Got stuck for 10+ hours
• #3: Miss calls when turning on data
#1: Application Aborts
• 10-day abort ratio
  – 2-5% on average
  – 15% in worst case
• Event: IP address change
  – "Implicit Detached" by cellular
  – "Network re-attach" by mobile
[Timeline: app on 4G -> handoff (4G->3G) -> app on 3G while voice on 3G -> handoff (3G->4G) -> app on 4G ✕ app aborts]
Cause
• CS domain
  – When CSFB call ends, implicit detach from network (occasionally)
  – Network reattach, assign a new IP address
• PS domain
  – Data service pauses with implicit detach
  – Abort due to a new IP
• TCP/UDP sessions cannot be recovered
• Root cause: shared states between CS and PS
[Diagram: CS and PS each with a control plane and a data plane, sharing control states (STATE: Data, Voice); CSFB voice ends -> Implicit Detached -> data stops -> Network-Reattach -> Attached with new IP address -> data starts]
Evaluation: Data App Abort Due to Voice Call
• 8 popular data applications
  – Browser, Gmail, FTP, YouTube, Skype, PPS (streaming), Pandora (Internet radio), Facebook
• We find that Browsing, Gmail, FTP, Skype and Facebook may abort due to CSFB calls.
  – Browsing/Facebook: content is not displayed
  – FTP/Gmail: downloading is terminated
  – Skype: voice call is aborted
#2: Lose 4G Connectivity
• Result
  – 10+ hours in 3G
  • even handoff
• Events
  – CS call state changes the HO trigger
  – PS data resets the HO timer
[Timeline: PS data on 4G -> handoff (4G->3G) -> call & hang up, no voice on 3G, PS data on 3G -> NO handoff (3G->4G) ✕ PS data on 4G ✕]
[Diagram (slide 20): the incoming call flow of slide 12 (1. Call Request, 2. Paging Request (CS call), 3. Extended Service Request, 4. Switch to 3G, 5. Paging Response (CS call), 6. Setup CS Call, 7. Call Conversation, 8. Switch back to 4G) annotated with the CS call-control state machine: IDLE, W-REQ, W-PAGE, RECV, ALERT, Conn, and the failure states F-REQ, F-PAGE, F-RECV, Fail]
Call control setup: 6 signaling messages
Handoff 4G->3G: 21 signaling messages
Handoff 3G->4G: 21 signaling messages
Cause
• RRC states shared in CS and PS
  – Voice calls: RRC connected
  – Data: RRC connected
• 4G->3G procedure
  – RRC connected: handoff
  – RRC idle: cell reselection
• 4G->3G switch counts on handoff
  – Handoff's timer settings
  – During data, no handoff is performed
• Root cause: shared states, complex signaling
Handoff State Machine
[State diagram: 4G IDLE, 4G DATA, 3G IDLE, 3G DATA (FACH/DCH); "Call & hang up: change call state" moves the CS call state to F-RECV; timers of 10 sec and 5 sec, with distinct handling of the 1st and subsequent (>1st) attempts; HO-in-3G reset; PS data resets the HO timer]
Complex signaling/control involved in both CS and PS
Evaluation
• We conduct an experiment to track the duration Bob stays in 3G for 3 mins after Bob's call conversation finishes.
  – Packet size: 1B or 1KB
  – Packet interval: 1~24 seconds
• Q: Why does it depend on the traffic pattern?
[Plot: time stuck in 3G vs. packet interval for OP-I and OP-II; annotated thresholds: 19s-1KB, 13s-1KB, 14s-1B, 7s-1B]
RRC State Transition
• Go back to 4G LTE via Inter-RAT Handover or Cell reselection.
• RRC State Transitions observed in OP-I and OP-II
[Diagram: simplified RRC state machines for OP-I and OP-II, each with an Inter-RAT Handover transition]
#3: Miss Voice Calls
[Timeline: 4G LTE phone with PS on 4G; turn on PS data -> incoming call ✕ missed call]
• Event
  – "Implicit Detached" by cellular
  – Transient unavailability
• Root cause: shared control states between CS and PS
Security Implications
C. Peng (OSU) 26
Possible Problems
[Message flow among 4G MME, 4G BS, 3G BS, 3G CS gateways and the callee: 1. Call Request, 2. Paging Request (CS call), 3. Extended Service Request, 4. Switch to 3G, 5. Paging Response (CS call), 6. Setup Circuit-Switched Call, 7. Call Conversation, 8. Switch back to 4G]
#1. Action before paging response (w/o user awareness and consent)
#2. Data over 3G; handoff causes data service interruption
#3. What if the 3G->4G handoff is deferred or cancelled?
One Example
[Plot (US OP-1): speed (Mbps) vs. time (s); the phone drops from 4G to 3G when the call rings at the callee and returns to 4G after the call ends]
#1. Action before ringtones (w/o user awareness)
#2. Data service interruption (6-7 seconds)
Another Example
[Plot (US OP-2): speed (Mbps) vs. time (s); the phone drops from 4G to 3G when the call rings at the callee and stays in 3G after the call ends]
#3. 3G->4G switch is deferred; not back to 4G LTE in case of PS traffic
So, possible exploit
• Anyone can make a call without the callee's consent
• With CSFB, it can manipulate the 4G->3G handoff
  – Handoff already happens before the call setup
• So it is viable to impede data services
  – Long data service disruption
• It is even worse while repeating it
  – 3G – 4G – 3G – 4G … (ping-pong)
Ping-Pong Attack
[Message flow among 4G MME, 4G BS, 3G BS, 3G CS gateways and the callee. Caller side: 1. Dial, 2. Hang-up, 3. Wait, repeated. Network side: 1. Call Request, 2. Paging Request (CS call), 3. Extended Service Request, 4. Switch to 3G, 5. Stop call request (in place of 5. Paging Response and 6. Setup CS Call), 6. Switch back to 4G; the callee goes 4G -> 3G, 3G -> 4G, …]
Ping-Pong Attacks (cont'd)
• How to guarantee successive switches without the victim's awareness?
• Two key timers:
  – T1: dial time between dialing and hanging up
  – T2: wait time between hanging up and re-dialing
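A handset-side detector for the ping-pong pattern described above, added here as an example (it is not code from the talk): it correlates 4G->3G fallbacks with pagings that were hung up before being answered and raises an alert when several such cycles fall inside one window. The event-log format, the window length and the call/slack thresholds are assumptions.

```python
# Event = (t_seconds, kind, detail); kind is "rat" (RAT change, detail "4G"/"3G"),
# "page" (CS paging for an incoming call), "answer" or "end".
# Constructed handset log, not a measurement from the talk: three pagings that
# each force a 4G->3G fallback and are hung up before being answered, then one
# legitimate call that is answered and lasts a minute.
SAMPLE_LOG = [
    (0.0, "rat", "4G"),
    (10.0, "page", ""), (10.5, "rat", "3G"), (12.0, "end", ""), (14.0, "rat", "4G"),
    (20.0, "page", ""), (20.5, "rat", "3G"), (22.0, "end", ""), (24.0, "rat", "4G"),
    (30.0, "page", ""), (30.5, "rat", "3G"), (32.0, "end", ""), (34.0, "rat", "4G"),
    (80.0, "page", ""), (80.5, "rat", "3G"), (83.0, "answer", ""),
    (140.0, "end", ""), (150.0, "rat", "4G"),
]

def unanswered_short_calls(events, max_call_s):
    """Paging times of calls that ended unanswered within max_call_s of the page."""
    out, page_t, answered = [], None, False
    for t, kind, _ in sorted(events):
        if kind == "page":
            page_t, answered = t, False
        elif kind == "answer":
            answered = True
        elif kind == "end" and page_t is not None:
            if not answered and t - page_t <= max_call_s:
                out.append(page_t)
            page_t = None
    return out

def fallbacks(events):
    """Times of 4G->3G transitions (CSFB step 4, 'Switch to 3G')."""
    out, rat = [], None
    for t, kind, detail in sorted(events):
        if kind == "rat":
            if rat == "4G" and detail == "3G":
                out.append(t)
            rat = detail
    return out

def ping_pong_alerts(events, window_s=60.0, min_cycles=3, max_call_s=5.0, slack_s=2.0):
    """(window start, window end, count) whenever at least min_cycles fallbacks within
    window_s each coincide (within slack_s) with a paging that was hung up unanswered."""
    calls = unanswered_short_calls(events, max_call_s)
    suspect = [t for t in fallbacks(events) if any(abs(t - c) <= slack_s for c in calls)]
    alerts, i = [], 0
    for j, t in enumerate(suspect):
        while t - suspect[i] > window_s:  # slide the window start forward
            i += 1
        if j - i + 1 >= min_cycles:
            alerts.append((suspect[i], t, j - i + 1))
    return alerts
```

The answered one-minute call at t=80 produces a fallback but no alert, which is the distinction a detector needs: ordinary CSFB calls and ping-pong cycles both cause 4G->3G switches, only the latter pair them with calls that never reach the conversation step.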
Ping-Pong Attack Validation
[Plots: TCP speed (Mbps, per second and moving average) vs. time (0-120 s), without attack and with attack; with attack the curve is annotated at 0.08 and 0.01 Mbps]
TCP: from 31 Mbps to 0.08 Mbps in 30s
On Real Apps
App        Task                       TCP/UDP   w/o conn loss        w/ conn loss
Web        Access one CNN page        TCP       Abort                Abort
Gmail      Sending/receiving emails   TCP       Fail & multi-entry   Abort & auto recovery
Facebook   Ongoing chat session       TCP       Slower               Slower
Whatsapp   Ongoing chat session       TCP       Slower               Abort & recover
AndFTP     File download              TCP       Abort                Abort
Youtube    Video streaming            TCP       Freeze               Abort
PPStream   Video streaming            UDP       Freeze               Abort
Skype      Ongoing video calls        UDP       Freeze               Abort
Discussion
• Any other side-effects from CSFB?
• What insights and lessons are learnt from CSFB?
  – How should we design voice solutions?
  – How should we design the cellular network architecture?
Takeaway
• CSFB is a cost-effective solution
  – Seeks to reuse the existing architecture
• Unexpected consequences
  – Incompatibility with existing procedures
  – Mutual interference caused by shared states in CS and PS, as well as complex signaling
• Complex dependency and coupling effects
  – Attacks: open access to control one's state without consent