03_tm51153en04gla2_lte-eps mobility and session and management.pdf

TM51153EN04GLA2 Nokia Solutions and Networks 2014

Nokia AcademyLTE/EPS Fundamentals CourseLTE/EPS Mobility & Session Management

2 TM51153EN04GLA2 Nokia Solutions and Networks 2014

Copyright and confidentialityThe contents of this document are proprietary and confidential property of Nokia Solutions and Networks. This document is provided subject to confidentiality obligations of the applicable agreement(s).

This document is intended for use of Nokia Solutions and Networks customers and collaborators only for the purpose for which this document is submitted by Nokia Solutions and Networks. No part of this document may be reproduced or made available to the public or to any third party in any form or means without the prior written permission of Nokia Solutions and Networks. This document is to be used by properly trained professional personnel. Any use of the contents in this document is limited strictly to the use(s) specifically created in the applicable agreement(s) under which the document is submitted. The user of this document may voluntarily provide suggestions, comments or other feedback to Nokia Solutions and Networks in respect of the contents of this document ("Feedback"). Such Feedback may be

used in Nokia Solutions and Networks products and related specifications or other documentation. Accordingly, if the user of this document gives Nokia Solutions and Networks feedback on the contents of this document, Nokia Solutions and Networks may freely use, disclose, reproduce, license, distribute and otherwise commercialize the feedback in any Nokia Solutions and Networks product, technology, service, specification or other documentation.

Nokia Solutions and Networks operates a policy of ongoing development. Nokia Solutions and Networks reserves the right to make changes and improvements to any of the products and/or services described in this document or withdraw this document at any time without prior notice.

The contents of this document are provided "as is". Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular

purpose, are made in relation to the accuracy, reliability or contents of this document. NOKIA SOLUTIONS AND NETWORKS SHALL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENT or for any loss of data or income or any special, incidental, consequential, indirect or direct damages howsoever caused, that might arise from the use of this document or any contents of this document.

This document and the product(s) it describes are protected by copyright according to the applicable laws.

Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of theirrespective owners.

Nokia Solutions and Networks 2014


Module ObjectivesAfter completing this module, the participant should be able to:

Introduce the LTE Mobility Areas. List different LTE-UE identifications. Compare the terminology used in 3G and LTE when referring to Mobility

and Session Management. Describe the LTE Mobility & Connection States. Explain the EPS Bearer Architecture and Attributes. Analyze different LTE/EPS procedures: Attach, S1 Release, Detach,

Service Request, Tracking Area Update, Dedicated SAE Bearer Activation and inter eNB handover.

Review the LTE/EPS Authentication Procedure


Module Contents

LTE/EPS Mobility Areas LTE-UE Identifications Mobility & Connection Management Terminology LTE Mobility & Connection States The EPS Bearer LTE/EPS Procedures Security: EPS Authentication


Module Contents



LTE/EPS Mobility Areas

Two areas are defined for handling of mobility in LTE/EPS:

Tracking Area (TA)It is the successor of location and routing areas from 2G/3G.When a UE is attached to the network, the MME will know the UEs position on tracking area level. In case the UE has to be paged, this will be done in the full tracking area. Tracking areas are identified by a Tracking Area Identity (TAI).

The Cell Smallest entity regarding mobilityWhen the UE is connected mode, the MME will know the UEs position on cell levelCells are identified by the Cell Identification (CI) and by the Physical Cell Identification (PCI)


Tracking Areas

S-eNBTAI3TAI3

TAI3TAI3

TAI3TAI3

TAI3

MME

eNB

TAI2TAI2

TAI2TAI2

TAI2

TAI2TAI2

TAI2

TAI1TAI1

TAI1TAI1

TAI1 eNB 1 2

MME

3

Cell Identity

Tracking Area

Tracking Area Identity (TAI) vs. Tracking Area Code (TAC)TAI= MCC + MNC + TAC

Tracking Area Update (TAU) Procedure triggered by the LTE-UE moving to a new TA.TAU are performed by the LTE-UE in both idle and connected mode. (GSM/UMTS difference)For further info refer to TS 23.401 chapter 5.3.3.0


Multiple Tracking Areas Registration

UE may be told by the network to be registered in several tracking areas simultaneously. Gain: when the UE enters a new cell, it checks which tracking areas the new cell is part of. If this TA is on UEs TA list, then no tracking area update is necessary.

S-eNBTAI3TAI3

TAI3TAI3

TAI3TAI3

TAI3

MME

eNB

TAI2TAI2

TAI2TAI2

TAI2

TAI2TAI2

TAI2

TAI1TAI1

TAI1TAI1

TAI1 eNB 1 2

MME

3

Cell Identity

Tracking Area

TA List:TA1TA2


Tracking Areas: Use of S1-flex Interface

MME Pooling:several MME

handle the same

tracking area

TAI1

S-eNB

TAI2

TAI2TAI2

TAI3

TAI3TAI3

TAI3

MME

eNB

TAI2

TAI2TAI2

TAI2

TAI2

TAI2TAI2

TAI2

TAI1

TAI1

TAI1

eNB

S-MME

TAI1

321

1 2 3

3

2

1 TAI1TAI2TAI3

Due to S1-Flex implementation both MME must be aware on how the Radio Network is organized in TAs


Module Contents



UE Identifications

IMSI International Mobile Subscriber Identity

GUTI Global Unique Temporary Identity

C-RNTI Cell Radio Network Temporary Identity

S1-AP UE ID S1 Application Protocol User Equipment Identity


UE Identifications: IMSI

IMSI: International Mobile Subscriber Identity. Used in LTE to uniquely identify a subscriber world-wide Its structure is kept in form of MCC+MNC+MSIN:

MCC: mobile country code MNC: mobile network codeMSIN: mobile subscriber identification number

A subscriber can use the same IMSI for 2G, 3G and LTE access MME uses the IMSI to locate the HSS holding the subscribers permanent

registration data for tracking area updates and attaches

IMSI

MCC MNC MSIN

3 digits 2 digits 10 digits


GUTI: Globally Unique Temporary Identity It is dynamically allocated by the serving MME Its main purpose is to avoid usage of IMSI on air Internally the allocating MME can translate GUTI into IMSI and vice versa The GUTI consists of 2 components: GUMMEI and M-TMSI

UE Identification: GUTI

GUTIM-TMSIGUMMEI

M-TMSI: Temporary Identity of the UE within and specific MME.

GUMMEI: Global Unique MME Identity:Identity of the MME that allocated the GUTIIt Contains:MCC + MNC + MME group ID (MMEGI) + MME Code (MMEC)


Further Reading: S-TMSI

S-TMSI: The SAE TMSI (S-TMSI) is a shortened form of the GUTI It is used to identify the UE over the radio path and is included in the RRC connection request and paging messagesThe S-TMSI contains the MMEC and M-TMSI components of the GUTI Note, however, that the S-TMSI does not include the MMEGI that is, the MME pool component

M-TMSIMMEC

GUMMEI

MMEGIMNCMCC

GUTI

S-TMSI


UE Identifications: C-RNTI

C-RNTI: Cell Radio Network Temporary Identity C-RNTI is allocated by the eNB serving a UE when it is in active mode

(RRC_CONNECTED) This is a temporary identity for the user only valid within the serving cell of

the UE It is release as soon as the UE moves to idle state (RRC_IDLE) It is exclusively used for radio management procedures.


UE Identifications:S1-AP UE ID

S1-AP UE ID: S1 Application Protocol User Equipment Identity. Two additional temporary identifiers allocated by eNB and MME:

- eNB S1-AP UE ID- MME S1-AP IE ID

Their purpose is to allow efficient implementation of S1 control signaling (S1AP=S1 Application Protocol) They shall allow easy distribution of S1 signaling messages inside MME and eNB. NOTE: This concept is similar to SCCP local references known from Iu or A interface in 3G/2G.


IMSI International Mobile Subscriber IdentityGUTI Globally Unique Temporary IdentityC-RNTI Cell Radio Network Temporary Identity

UE Identifications Summary

C-RNTIeNB S1-AP UE-ID | MME S1-AP UE-ID

MCCIMSIMNC MSIN

S-eNBTAI2TAI2

TAI2TAI3

TAI3TAI3

TAI3

MME

HSS

eNB

TAI2TAI2

TAI2TAI2

TAI2

TAI2TAI2

TAI2

TAI1TAI1

TAI1TAI1

TAI1eNB

1 2

S-MME

32

Cell Identity MME Identity

3

1

GUTIM-TMSIGUMMEI

TAI Tracking Area Identity (MCC+MNC+TAC) S-MME Serving MMES-eNB Serving E-Node B


Module Contents



Terminology in LTE and in 3G Connection and Mobility Management

3G LTE

GPRS attached EMM registered

Handovers (DCH) when RRC connected

Handovers when RRC connected

RNC hides mobility from core network

Core network sees every handover

Mobility management

Connection management

Location area Not relevant (no CS core)Routing area Tracking area

PDP context EPS bearer

Radio access bearer Radio bearer + S1 bearer


Module Contents



LTE Mobility & Connection States

There are two sets of states defined for the UE based on the information held by the MME.

These are:1.- EPS* Mobility Management (EMM) states2.- EPS* Connection Management (ECM) states

*EPS: Evolved Packet System


EPS Mobility Management (EMM) states

EMM deregistered EMM registered

Attach

Detach


EPS Mobility Management (EMM) states

EMM-DEREGISTERED: In this state the MME holds no valid location information about the UE MME may keep some UE context when the UE moves to this state

(e.g. to avoid the need for Authentication and Key Agreement (AKA) during every attach procedure)

Successful Attach and Tracking Area Update (TAU) procedures lead to transition to EMM-REGISTERED

EMM-REGISTERED: In this state the MME holds location information for the UE at least to

the accuracy of a tracking area In this state the UE performs TAU procedures, responds to paging

messages and performs the service request procedure if there is uplink data to be sent.


EPS Connection Management (ECM) and LTE Radio Resource Control (RRC) States UE and MME enter ECM-CONNECTED state when the signaling

connection is established between UE and MME UE and E-UTRAN enter RRC-CONNECTED state when the signaling

connection is established between UE and E-UTRAN

ECM idle ECM connected

S1 connection establishment

S1 connection release

RRC idle RRC connected

RRC connection establishment

RRC connection release

E-UTRAN MMEUE


EPS Connection Management

ECM Connected= RRC Connected + S1 Connection

eNB

MME

UE

RRC Connection S1 Connection

ECM Connected


EPS Connection Management (ECM) states

ECM-IDLE: In this state there is no NAS signaling connection between the UE and the

network and there is no context for the UE held in the E-UTRAN. The location of the UE is known to within the accuracy of a tracking area Mobility is managed by tracking area updates.

ECM-CONNECTED: In this state there is a signaling connection between the UE and the MME

which is provided in the form of a Radio Resource Control (RRC) connection between the UE and the E-UTRAN and an S1 connection for the UE between the E-UTRAN and the MME.

The location of the UE is known to within the accuracy of a cell. Mobility is managed by handovers.


RRC States

RRC-IDLE: No signaling connection between the UE and the E-UTRAN. I.e.: PLMN Selection. UE Receives system information and listens for Paging. Mobility based on Cell Re-selection performed by UE. No RRC context stored in the eNB (No C-RNTI). RACH procedure used on RRC connection establishment.

RRC-CONNECTED: UE has an E-UTRAN RRC connection. UE has context in E-UTRAN (C-RNTI allocated). E-UTRAN knows the cell which the UE belongs to. Network can transmit and/or receive data to/from UE. Mobility based on handovers UE reports neighbor cell measurements.


EMM & ECM States Transitions

EMM_Deregistered

ECM_Idle

Power On

Registration (Attach)

EMM_Registered

ECM_Connected

Allocate C-RNTI, GUTI Allocate IP address Authentication Establish security context

Release RRC connection Release C-RNTI Configure DRX for paging

EMM_Registered

ECM_Idle

Release due to Inactivity

Establish RRC ConnectionAllocate C-RNTI

New TrafficTAUDeregistration (Detach)Change PLMN

Release C-RNTI, GUTI Release IP address

Timeout of Periodic TAUpdate

Release GUTI Release IP address


EMM & ECM States Summary

EMM_Deregistered

ECM_Idle

Network Context: no context exists

Allocated IDs: IMSI

UE Position: unknown to network

Mobility: PLMN/cell selection

UE Radio Activity: none

EMM_Registered

ECM_Connected

Network Context: all info for ongoing transmission/reception

Allocated IDs: IMSI, GUTI IP address C-RNTI

UE Position: known on cell level

Mobility: NW controlled handover

UE Radio Activity: DL w/o DRX UL w/o DTX

EMM_RegisteredECM_Idle

Network Context: security keys enable fast transition to ECM_CONNECTED

Allocated IDs: IMSI, GUTI IP address

UE Position: known on TA level (TA list)

Mobility: cell reselection

UE Radio Activity: DL DRX for paging no UL


Module Contents



LTE/EPS Bearer

The main function of every mobile radio telecommunication network is to provide subscribers with transport bearers for their user data.

In circuit switched networks users get a fixed assigned portion of the networks bandwidth.

In packet networks users get a bearer with a certain quality of service (QoS) ranging from fixed guaranteed bandwidth down to best effort services without any guarantee.

LTE/EPS is a packet oriented system

EPS/SAEBearer

PDN GW

UE


LTE/EPS Bearer: Identity & Architecture

cell

S1-ULTE-Uu S5/S8

PDN

SGieNB Serving

GatewayPDN

Gateway

E-UTRAN EPC PDN

An EPS bearer identity uniquely identifies an EPS bearer for one UE. The EPS Bearer Identity is allocated by the MME.LTE/EPS Bearer spans the complete network, from UE over EUTRAN and EPC up to the connector of the external PDN. The SAE bearer is associated with a quality of service (QoS) usually expressed by a label or QoS Class Identifier (QCI)

LTE-UE

End-to-End Service

EPS Bearer External Bearer

Radio Bearer S1 Bearer S5/S8 Bearer


LTE/EPS Bearer SectionsS5/S8 Bearer Between the P-GW to S-GW. This is usually a GTP or MIP (Mobile IP) tunnel between the two network

elements.

S1 BearerBetween eNB and S-GW.The S1 Bearer is implemented using the 2G/3G GTP (GPRS Tunneling Protocol) protocol which builds a GTP tunnel between eNB and S-GW. The setup of this S1Bearer is managed by the MME. S-GW and eNB do not directly exchange signaling to create it.

Radio BearerBetween UE and eNB. The eNB connects a radio bearer internally with the associated S1 Bearer on S1-U interface. The mapping of radio bearers to physical resources on the air interface is the major task of the eNB scheduler.


EPS Bearers Establishment can be triggered by.

cellS1-U

UES5

PDNSGi

eNB

ServingGateway PDN

Gateway

EPS Bearer External Bearer

MME:This happens typically during the attach procedure of an UE. Depending on the information coming from HSS, the MME will set up an initial bearer, also known as the Default EPS bearer. This EPS bearer provides the initial connectivity of the UE with its external data network or IMS platform. MME

S1-MMES11

PDN Gateway: The external data network can request the setup of an EPS bearer by issuing this request via PCRF to the PDN gateway. This request will include the quality of service granted to the new bearer. Those are referred as Dedicated EPS bearers.

UE: Note here the differences to GPRS in 2G/3G networks, where only MS/UE initiated PDP context setup is defined.

PCRFGx/S7

Rx

Further Reading in Note Page


The Default Bearer Concept

Each UE that is attached to the LTE network has at least one bearer available, that is called the default bearer.

Its goal is to provide continuous IP connectivity towards the EPC (always-on concept)

From the QoS point of view, the default bearer is normally a quite basic bearer

If an specific service requires more stringent QoS attributes, then a dedicated bearer should be established.

cellS1-U

UES5

PDNSgi

eNB

ServingGateway

PDNGateway

Default EPS Bearer

MME

S1-MMES11


- Dedicated bearer is supported to provide QoS differentiation for applications having different QoS requirements, and to ensure optimal resource use in operators network. Dedicated bearers roughly correspond to 2G/3G secondary PDP contexts.- Once the UE has initiated a default bearer with a particular APN, a dedicated bearer may be established with the same APN and IP addresses but with different QoS parameters to meet specific application needs, such as IMS voice, IMS signalling, video streaming, file transfer, and so forth. The dedicated bearer is either GBR (guranteed bit rate) or non-GBR, and it may have any of the QCI values 1-9.

Dedicated EPS bearer

Figure: Dedicated bearer


SAE Bearer QoS Awareness One of the major requirements for EUTRAN and EPC to fulfill is that every SAE

bearer must be QoS aware. All data transmitted within a SAE bearer will get the same QoS handling

(scheduling, prioritization, discarding probability, etc.). Different applications (for example take a packet video streaming service and a ftp

download) have different QoS setting and cannot share the same SAE bearer. Other applications with similar traffic characteristics will be able to be placed inside

the same SAE bearer provided that the bandwidth of the bearer is scaled accordingly .

Due to this fact, the standard will allow a UE to have several SAE bearers, each one with a different QoS setting.


EPS Bearer QoS Attributes

EPS Bearer QoS Parameters (To be defined per Bearer)

Default Bearer/Dedicated Bearer

GBR/N-GBR

MBR

UL/DL-TFT

QCI

ARP

EPS Bearer QoS Parameters (To be defined per User) AMBR


QoS Class Identifier (QCI) Table in 3GPP

GBR1

Guarantee Delay budget Loss rate ApplicationQCI

GBR

100 ms 1e-2 VoIP

2

GBR

150 ms 1e-3 Video call

3

GBR

300 ms 1e-6 Streaming

4

Non-GBR 100 ms 1e-6 IMS signaling5

Non-GBR 100 ms 1e-3 Interactive gaming6

Non-GBR 300 ms 1e-6TCP protocols : browsing, email, file download

7

Non-GBR 300 ms 1e-68

Non-GBR 300 ms 1e-69

Priority

2

4

5

1

6

7

8

9

50 ms 1e-3 Real time gaming3


SAE Bearer QoS Attributes (1/3)Dedicated or Default bearer: The default bearer is allocated during attach of a UE to the system. Dedicated bearers on the other hand are created on demand by the external PDN

network. Only dedicated bearers can be of Guaranteed Bit rate (GBR) type.

GBR (Guaranteed Bit Rate) or NGBR (Non Guaranteed Bit Rate): GBR bearers will reserve some (physical or virtual) capacity along the transmission path and thus guarantee some bit rate level. This is required for streaming and conversational services with low upper delay and delay jitter bounds. For services that do not have so strong requirements regarding these values typically NGBR bearers will be used. The technical difference between GBR and NGBR will be seen in the admission control functions of eNB, SAE GW and PDN GW. GBR bearers will usually block more virtual resources for the same throughput and peak bit rate than NGBR bearers.


SAE Bearer QoS Attributes (2/3)

Traffic Flow Control (UL/DL-TFT): Because a single UE can have multiple SAE bearers, the system requires some

kind of packet filter to decide which IP datagram has to go to which SAE bearer. These packet filters are formed by the uplink and downlink TFT (Traffic Flow

Template). Each dedicated SAE bearer has to have one UL and one DL TFT. Some criteria like source and destination IP address, flow labels, port numbers,

transport layer protocol type, etc. specifies, which IP datagrams will have to be sent in the associated SAE bearer.

In the moment the concrete structure of the TFT is for further study, especially whether additional QoS parameters might be inside or not.

Maximum Bit Rate (MBR):Identifies the Maximum Bit Rate for the SAE Bearer.Can be only specified for GBR SAE BearersNot included in 3GPP Rel.8: in Rel 8 the MBR is always set to equal to the GBR


SAE Bearer QoS Attributes (3/3)Label or QCI: The label is simply an integer number assigned to the SAE bearer. This number indicates the QoS category the bearer belongs to by identifying a set

of locally configured values for 3 QoS attributes: Priority, Delay and Loss Rate. It is up to the operator to define these labels, although some standard labels might

be provided by 3GPP. This label can be translated into a DiffServ-tag used on S1-U and S5/S8 in the IP

header to implement IP differentiated service routing in the associated IP protocol stacks.

Refer to next slides for further information on this parameter

Allocation/Retention Priority (ARP):Indicated the priority of the Bearer compared to other bearers.This provides the basic information for admission control for bearer set-up and for bearer dropping (in case of congestion situation).

Aggregate maximum Bit Rate (AMBR):Specifies a maximum bandwidth per user (UE) considering all the simultaneous services established by this user.


SAE Bearer Usage ExamplePDN

Gateway

PDN

IMAP server(IP:A, UDP Port:a)

SIP server(IP:B, UDP Port:b)

VoIP User Agent(IP:C, UDP Port:c)

Default EPS Bearer (N-GBR)

Dedicated EPS Bearer (GBR)

E-MAIL

SIP UA

VoIPCodec

DL Packet Filter:(DL TFT)IP Source Add.=C UDP Source Port =cProtocol = UDP/RTP

UL Packet Filter:(UL TFT)IP Dest Add.=C UDP Dest. Port =cProtocol = UDP/RTP


IP PackageIP Source:AIP Dest.:B

GTP-U T-PDU

TEID-SG1

SAE bearer GTP option shown on S5/S8

S1-U S5PDN

SgieNB ServingGateway

PDNGateway

Applic.IP

IP: A IP: B

Radio Bearer S1 GTP-U Tunnel S5/S8 GTP-U Tunnel

IP PackageIP Source:B

IP Dest:A

TEID-eNB

TEID-SG1

TEID-SG2

TEID-PG

GTP-U T-PDU

TEID-SG2IP PackageIP Source:B

IP Dest:A

GTP-U T-PDU

TEID-eNBIP PackageIP Source:B

IP Dest:A

Radio Protocols

IP PackageIP Source:B

IP Dest:A


Radio Protocols


GTP-U T-PDU

TEID-PGIP PackageIP Source:AIP Dest.:B

ProtocolsRadio

Protocols


Module Contents



LTE/EPS Procedures

Attach S1 Release Detach Service Request Tracking Area Update (TAU) Dedicated Bearer Activation Handover


MMEHSSPCRF

UE eNB newMME

S-GW P-GW

Attach Request

old GUTI/IMSI, old TAI, CI/eCGI

Authentication Request

Authentication ResponseUpdate Location

Authentication Vector Request (IMSI)

Insert Subscriber Data (IMSI, subscription data = default APN, TA restrictions, )

Insert Subscriber Data Ack

Update Location Ack

EMM_Deregistered

Attach (1/2)

Authentication Vector Respond

RRC_Connected

ECM_Connected

Reference to specs.: TS 23.401 section 5.3.2


Update Bearer Response

Update Bearer RequestIP/TEID of eNB for S1U

Attach Complete

IP/TEID of eNB for S1U

RB Est. Resp.Includes Attach Complete

Create Def. Bearer Req.

MMEHSSPCRF

UE eNB newMME

S-GW P-GW

Attach (2/2)

GUTI, UE IP addr. IP/TEID of SGW for S1U

Create Def. Bearer Rsp.

UE IP addr.,IP/TEID SGW QOS according PCRF

Create Def. Bearer Rsp.

select SAE GWCreate Default Bearer Request

IMSI, RAT type, default QoS, PDN address info

IMSI, , IP/TEID of SGW-S5

Attach Accept RB Est. Req.

Includes Attach Accept

UL/DL Packet Data via Default EPS Bearer

PCRF Interaction

EMM_Registered

ECM_Connected

UE IP addr.,IP/TEID PGWQOS according PCRF



RRC Connection Release

S1 Release

MME

S1 Release Requestcause

Update Bearer Requestrelease of eNB S1U resources


ServingGateway(SGW)

PDNGateway

S1 Release Commandcause

S1 Release Complete

RRC Connection Release Ack

EMM_Registered

ECM_Connected

After attach UE is in EMM_Registered state.The default Bearer has been allocated (RRC_connected + ECM_connected) even it may not transmit or receive dataIf there is a longer period of inactivity by this UE, the Admission Control should free the resources (RRC_idle + ECM_idle)

S1 Signalling Connection ReleaseECM_Idle

EMM_Registered



Detach Can be triggered by UE or by the Network (MME, SGSN or HSS).During the detach procedure all SAE bearers with their associated tunnels and radio bearers will be deleted. The LTE-UE will lose all the temporary IDs (GUTI, C-RNTI and IP Address)

Note: Detach procedure initiated by UE.

MME

NAS: Detach Accepted

Delete Bearer Request

Delete Bearer Response

EMM-Registered

SGW PGW

NAS Detach Requestswitch off flag Delete Bearer Request


PCRF

S1 Signalling Connection Release

RRC_Connected

ECM_Connected

EMM-Deregistered

RRC_Idle + ECM Idle


IP SessionTermination

HSS

Notify RequestNotify Response


Detach Reference to specs.: TS 23.401 section 5.3.8

Note: Detach procedure initiated by MME.

MME

NAS: Detach Accepted

Delete Bearer Request


EMM-Registered

SGW PGW

NAS Detach Requestswitch off flag Delete Bearer Request


PCRF

S1 Signalling Connection Release

RRC_Connected

ECM_Connected

EMM-Deregistered

RRC_Idle + ECM Idle

IP SessionTermination

HSS

Notify RequestNotify Response


Service Request

MMEServingGateway(SGW)

PDNGateway

NAS Service RequestGUTI/S-TMSI, TAI, service type

Authentication Requestauthentication challengeAuthentication ResponseAuthentication response

RRC_Idle+ ECM_Idle

ECM_Connected

RRC_Connected


NAS Service Request

Initial Context Setup Req.

Update Bearer Request(IP/TEID of ENB in S1U)Update Bearer Response

(IP/TEID of SGW in S1U, QoS,..)RB Establishment Req.RB Establishment Rsp.

Initial Context Setup Rsp.

(IP/TEID of eNB in S1U, ..)

Note: Service Request procedure initiated by UE.

UE Triggered Service Request Procedure


Service Request


PDNGateway

Paging(S-TMSI, TAI/TAI-list)

DL DataDL Data Notification

PagingS-TMSI

RRC_Idle+ ECM_Idle


DL Data Notification Ack.

Note: Service Request procedure initiated by the Network

UE Triggered Service Request Procedure


Tracking area 1 Tracking area 2

Tracking area update

MME

Tracking Area Update (TAU) Tracking area (TA) is similar to Location/Routing area in 2G/3G .TAI (Tracking Area Identity) = MCC (Mobile Country Code) + MNC (Mobile Network Code) + TAC (Tracking Area Code).When UE is in ECM-Idle, MME knows UE location with Tracking Area accuracy.


MMEHSSeNB

new

MME

MME

oldMME new

SGW PGW

TAU Request

Context Request

(Current GUTI/IMSI, old TAI, EPS Bearer Status)

(Old GUTI/IMSI, complete TAU Request Message)Context Response(IMSI, IMEI,MSISDN, unused EPS Authentication vectors, KASME, etc)Authentication Request

Authentication Response

Create Bearer Request(IMSI, bearer contexts, RAT type)

Context Acknowledge

Serving GW change Indication

Update Bearer Request(IP/TEID for new SGW-S5, RAT type)

Create Bearer Response(new SGW-S1 IP/TEID)


(IP/TEID for PDN GW)

OldSGW

TAU (1/2)

UE EMM_Registered

RRC_Idle + ECM_Idle

RRC_Connected

ECM_Connected

MME determines if SGW Change is needed


TAU Request

Note: TAU with SGW change


MMEHSSeNB

new

MME

MME

oldMME new

SGW PGW

Update Location

(new MME identity, IMSI, update type, )

(IMSI, cancellation type = update)Cancel Location Ack

Delete Bearer Request(TEID)


Cancel Location

oldSGW

Update Location AckTracking Area Update Accept

(new GUTI, TA/TA-list, EPS Bearer Status)Tracking Area Update Complete

TAU (2/2)

EMM_Registered

RRC_Connected + ECM_Connected

( IMSI, subscription data)

Note: TAU with SGW change



Dedicated Bearer Activation

The default SAE bearer is created when the UE performs the attach.

Subsequent SAE bearers are known as dedicated SAE bearers.

They are expected to be allocated on a per application base, with parameter that are application dependent.

Dedicated SAE bearers can be triggered by the network, not only by the user, like PDP contexts in GPRS.



(SGW-S1 IP/TEID2, QoS param.)

Create Dedicated BearerRequest

Create Dedicated BearerRequest

Dedicated Bearer Activation (1/2)


PDNGateway

(PDN GW IP/TEID2, QoS param. )

Service Request

PCRF

PCCDecision

Paging

(S-TMSI, TA/TA-list, ) Paging

(S-TMSI)

(GUTI/S-TMSI, TAI.service type = paging response)Initial Context Setup Req.

Update Bearer Request

(eNB-S1 IP/TEID1)

(SGW-S1 IP/TEID1, EPS Bearer ID,QoS)RB Establishment Req.

RB Establishment Rsp. Initial Context Setup Rsp.

(eNB-S1 IP/TEID1, EPS Bearer ID, ..)

RRC_Connected + ECM_Connected

Network TriggeredService Request Procedure

RRC_Idle+ ECM_Idle

(QoS Policy)


Note: procedure initiated by the Network


(SGW-S5 IP/TEID2, EPSBearer ID, QoS, )

Create Dedicated BearerResponse

Session Mgmt. Response(NAS message, EPS Bearer ID)

Dedicated Bearer Activation (2/2)


PDNGateway

Create Dedicated BearerResponse

PCRF

(eNB IP/TEID2, EPS Bearer ID, QoS, )

PCCProvisionAck


Note: procedure initiated by the Network


LTE/EPS Handover - When the UE is in ECM_Connected state, mobility

handling takes place via network controlled handovers with UE assistance.

- UE assistance here simply means that the UE sends measurements and reports to the eNB to assist in the handover decision.

- Currently it is planned that neighbor cells are based on the UEs cell detection capabilities rather than on a network supplied neighbor cell list.

Intra LTE/EPS Network Handover Types: 1.- Intra eNB handover. 2.- Inter eNB handover with X2 interface (with or without Serving Gateway relocation) 3.- Inter eNB handover without X2 Interface (S1-based handover)


LTE/SAE Handover principles

1.- Lossless- Downlink Packets are forwarded from the source cell to

the target cell.2.-Network Controlled

-Target cell is selected by the network, not by the UE-Handover control in E-UTRAN (not in packet core)

3.-UE-assisted-Measurements are collected by the UE and reported to the network.

4.-Late path switch- Only once the handover is successful, the packet core is involved.


Handover Procedure

SAE GW

MME

Source eNB Target eNB

SAE GW

MME

SAE GW

MME

SAE GW

MME

= Data in radio= Signaling in radio

= GTP tunnel= GTP signaling

= S1 signaling= X2 signaling

Before handover Handover preparation Radio handoverLate path switching

Note: X2-based handover without Serving GW relocation


User plane switching in HandoverNote: X2-based handover without Serving GW relocation


Module Contents



LTE/SAE Security: EPS Authentication and Key Agreement (AKA)

EPS Authentication and Key Agreement (EPS AKA) shall be based on UMTS AKA.

UMTS Authentication and Key Agreement is a protocol designed to support roaming and fast re-authentication.

It was originally designed to achieve maximum compatibility with 2G security mechanisms.

The requirements on EPS AKA are:EPS AKA shall be based on USIM and extensions to UMTS AKAAccess to E-UTRAN with 2G SIM shall not be granted. R99 USIM will be accepted.EPS AKA shall produce keys that are the basis of C-plane and U-plane protectionUMTS AKA achieves mutual authentication between the user and the network by

demonstrating knowledge of a pre-shared secret key K which is only known by the USIM and the AuC in the users HSS.


EPS Authentication Procedure

RAND is a random value KASME is an authentication parameter used, among other tasks, for network authentication AUTN is the Network Authentication Token XRES is the UE expected result of the authentication computation

MME

Authentication Vectors: RAND(i), KASME(i), AUTN, XRES(i)

Authentication Data Response

HSS

NAS: attach RequestUser Id, UE Capabilities, etc. Authentication Data Request

NAS: USER Authentication RequestKASME(i), RAND(i), AUTN

NAS: USER Authentication ResponseRES(i) If RES(i)=XRES(i) Authentication successful

UE uses KASME to verify

the Network


Security Functions - Encryption

Signaling protection For core network (NAS) signaling, integrity

and confidentiality protection terminate in MME.

For radio network (RRC) signaling, integrity and confidentiality protection terminate in eNodeB.

User plane protection Encryption terminates in eNodeB.


EPS/LTE Security Keys (1/2)

Keys shared between the UE and HSSK This is a permanent key stored on the USIM and in the Authorization Centre (AuC). The AuC resides in the HSS.CK, IK A pair of keys derived in the AuC and on the USIM during an AKA run.

Intermediate Key shared by the UE and Access Security Management Entity (ASME=MME)KASME This key is derived from the CK, IK and serving PLMNs identity by the UE

and HSS during an AKA run. It is transferred to the ASME (MME) by the HSS as part of the authentication vector response. The serving PLMNs identity becomes known to the UE as part of the attachment procedure.

Intermediate Keys for Access NetworksKeNB This key is derived from KASME by the UE and MME. It depends on theidentity of the eNB. This key is transferred to the eNB.


EPS/LTE Security Keys (2/2)

Keys for NAS SignalingKNASint This key is derived from KASME by the UE and MME. It is used for the integrity protection of NAS traffic.KNASenc This key is derived from KASME by the UE and MME. It is used for the encryption of NAS traffic.

Keys for U-plane TrafficKUPenc This key is derived from KeNB by the UE and eNB and is used for the encryption of U-plane data over the LTE-Uu interface. In order

to derive this key an identifier for the encryption algorithm is shared between the eNB and UE.

Keys for RRC SignalingKRRCint This key is derived from KeNB by the UE and eNB and is used for the integrity protection of RRC traffic. In order to derive this key an

identifier for the integrity protection algorithm is shared between the eNB and UE.

KRRC-enc This key is derived from KeNB by the UE and eNB and is used for the encryption of RRC traffic. In order to derive this key an identifier for the encryption algorithm is shared between the eNB and UE.

03_tm51153en04gla2_lte-eps mobility and session and management.pdf

Documents