control-plane protocol interactions in cellular networks guan-hua tu *1, yuanjie li *1, chunyi peng...
TRANSCRIPT
Control-Plane Protocol Interactions in Cellular Networks
Guan-Hua Tu*1, Yuanjie Li*1, Chunyi Peng 2, Chi-Yu Li 1, Hongyi Wang 1, Songwu Lu 1
* The first two authors contribute equally to this work.
1: University of California, Los Angeles; 2: The Ohio State University
Cellular Services are Ubiquitous
Large-scale wireless infrastructure Offer data and voice services to
anyone, anywhere, anytime
2
Source: http://www.4gamericas.org/
6.8+ billion
Cellular Network Architecture3
3G Gateways3G Base stations
Mobile Switching Center
Circuit Switching (CS)
Packet Switching (PS)
3G (PS + CS)
Mobility Management Entity (Control Node)
4G (PS only)
Control Plane in Cellular Network4
3G Gateways
Mobile Switching Center
Circuit Switching (CS)
Packet Switching (PS)
3G
Mobility Management Entity (Control Node)
4G
Control Plane in Cellular Network
Radio Resource Control (RRC)
Mobility Management (MM)
Connectivity Management (CM)
5
Layered protocol stack
Control Plane in Cellular Network
Radio Resource Control (RRC)
Mobility Management (MM)
Connectivity Management (CM)
6
Radio Resource Control (RRC)
CS Domain
MM
CM
PS Domain
MM
CM
Layered protocol stack Domains separated for
voice (CS) and data (PS)
Control Plane in Cellular Network7
Radio Resource Control (RRC)
CS Domain
MM
CM
PS Domain
MM
CM
PS Domain
MM
CM
RRC
4G3G
Layered protocol stack Domains separated for
voice (CS) and data (PS) Hybrid 3G/4G systems
Complex Interactions
Protocols work together to offer vital 3G/4G utilities Rich patterns along three dimensions
8
Radio Resource Control
MM
CM
PS Domain
MM
CM
PS Domain
MM
CM
RRC
CS Domain
3G 4G
cross-layer
cross-domain cross-system
Problem:Each individual protocol may be well
designed.How about protocol interactions?
Rich Protocol Interactions
Complex interactions in common scenarios Inevitable interplay between radio, mobility, data/voice Concurrent voice and data use 3G/4G switch due to hybrid deployment, mobility, voice
Two causes of problematic interactions Design defects Operation/Implementation
slips
9
Diagnosis over one layer/domain/system is insufficient
Diagnosis over one layer/domain/system is insufficient
Single-type test fails to unveil both issues
Single-type test fails to unveil both issues
Rich Protocol Interactions
Complex interactions in common scenarios Inevitable interplay between radio, mobility, data/voice Concurrent voice and data use 3G/4G switch due to hybrid deployment, mobility, voice
Two causes of problematic interactions Design defects Operation/Implementation
slips
10
Diagnosis over one layer/domain/system is insufficient
Diagnosis over one layer/domain/system is insufficient
Single-type test fails to unveil both issues
Single-type test fails to unveil both issues
Closed Core Network
Closed Core Network
Our Solution: CNetVerifier
Cellular-specific model checking Extract full-stack cellular model from 3GPP standards Create a variety of usage scenarios Define desirable user-perspective properties Discover counterexamples for possible design defects
11
Model Checker
Violated propertyCounterexamples
Protocol Stacks
Usage Settings
DesirableProperties
Our Solution: CNetVerifier
Cellular-specific model checking Phone-based experimental validation
Instrument end devices to collect traces for verification Discover operational slips in real networks
12
Model Checker
Violated propertyCounterexamples
Protocol Stacks
Usage Settings
DesirableProperties
Scenario Setup
Operational slips
Design Flaws“Black-box”“Black-box”
Finding Overview13
cross-layer cross-domain cross-system
Improper cooperation: Cross-System
Scenario: run data services during 4G3G4G14
3G
1. Setup 4G connectivity to access internet1. Setup 4G connectivity to access internet2. 4G3G: 4G conn. context is converted to 3G for seamless switch2. 4G3G: 4G conn. context is converted to 3G for seamless switch
RRCMMCM
3G PS
MMCM
3G CS
MMCM
RRC
4G PS
4G4G Conn. Context
131.179.176.1
3G Conn. Context
131.179.176.1
3. 3G4G: 3G conn. context is converted back to 4G3. 3G4G: 3G conn. context is converted back to 4G
Problematic scenario: 3G context is deleted before returning to 4G15
3G
1. 3G conn. context is deleted.1. 3G conn. context is deleted.
4G
3G Conn. Context
131.179.176.1
2. 3G->4G: No 3G context transferred to 4G context2. 3G->4G: No 3G context transferred to 4G context
“Out-of-Service”“Out-of-Service”
Causes of deletion (in 3GPP) Low layer failures User disables data services No enough resources ….
Causes of deletion (in 3GPP) Low layer failures User disables data services No enough resources ….
PS conn context is not mandatory in 3G (PS+CS), but mandatory in 4G (PS only)
Shared context for 4G and 3G is not well protected in 3G
Improper cooperation: Cross-System How and why?
Real-world impact Occurs 3.1% in user study “out-of-service” for up to 25s
Lessons: a design defect Different demands of packet switching in 3G & 4G Desirable but not enforced: shared context should be consistently
protected in 4G & 3G Proposed remedies
Avoid unnecessary 3G PS context deactivation Immediately enable 4G PS context reactivation
16
Improper cooperation: Cross-System
Scenario: 4G users make calls via 3G CS Fallback17
1. To make a call, 4G user 3G1. To make a call, 4G user 3G
2. When the call ends, 3G4G2. When the call ends, 3G4G
RRCMMCM
3G PS
MMCM
3G CS
MMCM
RRC
4G PS
4G
3G
Improper cooperation: cross-domain+system
Problematic Scenario: Call with background data18
1. A call makes 4G 3G; Data is migrated to 3G, too1. A call makes 4G 3G; Data is migrated to 3G, too
2. When the call ends, No 3G4G (data is still on)2. When the call ends, No 3G4G (data is still on)
4G
3G
User gets stuck in 3G, losing 4G. User gets stuck in 3G, losing 4G.
Improper cooperation: cross-domain+system
How and Why?
Improper cooperation: cross-domain+system
How and Why? Unexpected loop in RRC state machine
19
User gets stuck in 3G, losing 4G. User gets stuck in 3G, losing 4G.
RRC
3G PS3G CS
RRC
4G PS
CONN-ED
IDLE
CONN-ED
IDLE Voice only
Voice + Data (certain setting)
RRC state transition is inconsistent with dual-domain, inter-system settings
Real-world impact 62.1% 4G users being stuck in 3G after the call Stuck in 3G for 39.6s in average
Lessons: a design defect 3G CS and 3G PS are indirectly coupled in RRC Inconsistent state transition with all 3G4G options
Proposed remedies Revise the RRC state transition for possible settings
20
Improper cooperation: cross-domain+system
21
Problem Scenario: Signaling loss for registration
Attach complete
Location update
Location update response (error)
MM
3G PS
MMCM
3G CS 4G PS
CM
RRC
CMMMRRC
Improper cooperation: Cross-Layer How and why?
Attach request
Attach accept
Attach complete
DeregisteredDeregistered
Registered
Registered Deregistered
“out-of-service” right after being attached“out-of-service” right after being attached
Deregistered
Upper-layer (MM) assumes underlying reliable in-sequence signal transfer, but lower-layer (RRC)
cannot offer this guarantee
Upper-layer (MM) assumes underlying reliable in-sequence signal transfer, but lower-layer (RRC)
cannot offer this guarantee
22
MSC
Scenario: voice/data request with location update
RRCMMCM
MMCM
3G-CS
MMCM
RRC
3G-PS 4G-PS
Location Update
1. Location update is triggered by MM (e.g., user moves)2. After location update, user can send/receive voice and data
Unnecessary Coupling: Cross-layer
Dial out
23
3G Gateways3G Base stations
MSC
Problematic Scenario: voice/data request during the location update
RRCMMCM
MMCM
3G-CS
MMCM
RRC
3G-PS 4G-PS
Location Update
2. User dials out
Dial out
Outgoing call is delayedOutgoing call is delayed
1. Location is triggered by MM (e.g., user moves)
“Updating the location”
“Without user location, the cellular network cannot route user voice/data.”
“Without user location, the cellular network cannot route user voice/data.”
Outgoing voice/data requests can be routed without user location
Outgoing voice/data requests can be routed without user location
Unnecessary prioritization of location update over outgoing call/data
Unnecessary prioritization of location update over outgoing call/data
Unnecessary Coupling: Cross-layer
How and why?
Real-world Impact up to 8.3s call delay and 4.1s data delay 7.6% of outgoing calls occur during location update
Lessons: a design defect outgoing data/voice requests and location update are
independent, but they are artificially correlated Proposed remedies
Decouple location update and outgoing data/voice requests
E.g., two parallel MM threads for different purposes
24
Unnecessary Coupling: Cross-layer
MM
3G PS
MMCM
3G CS
MMCM
RRC
4G PS
CM
RRC
Scenario: dial a call during data service in 3G25
Circuit Switching (CS)
Packet Switching (PS)
3G10Mbps 10Mbps2.5Mbps 2.5Mbps
12.2Kbps
12.2Kbps
1. Access internet at full rate2. Dials a call
Data service rate declines up to 74%Data service rate declines up to 74%Voice and data have competing demands on the channel, but they have to share the radio channelVoice and data have competing demands on the channel, but they have to share the radio channel
Unnecessary Coupling: Cross-domain
Voice: low rate, low loss (e.g., 16QAM)Data: high rate, loss tolerant (e.g., 64QAM)
Voice: low rate, low loss (e.g., 16QAM)Data: high rate, loss tolerant (e.g., 64QAM)
Scenario: Location update in 3G and 4G26
3G
3G PS
MMCM
3G CS
CM
RRC
4G PS
CM
RRCMM MM
4G
Unnecessary Coupling: Cross-system
1. Update 4G location, and notify 3G MSC1. Update 4G location, and notify 3G MSC2. 3G location update fails, so 4G deregisters the network2. 3G location update fails, so 4G deregisters the network
Detach
MSCunavailable
3G internal failures are exposed to 4G devices3G internal failures are exposed to 4G devices
Conclusion
Uncover problems in signaling protocol interactions in cellular networks
Three Lessons The layering rule should be fully honored (optimistic
assumptions, coupled actions) Inter-domain difference should be well recognized
(coupling independent services) Hybrid systems are not properly coordinated (context
sharing, fault isolation) More rigorous efforts are needed
27
Backup slides29
Related Work
Protocol verification for the Internet Since 1990s Single protocol with implementation E.g., [Cohrs’89, SIGCOMM], [Holzmann’91], [Smith’96], TCP
[NSDI’04], Routing[SIGCOMM’05], …
Emerging techniques for network verification E.g., Anteater [SIGCOMM’11], Head Space Analysis[NSDI’12],
NICE [NSDI’12], Alloy[SIGCOMM’13], NetCheck[NSDI’14], Software Dataplane [NSDI’14] …
Largely unexplored territory in cellular networks Few efforts, e.g., 2G handoff [Orava’92], Authentication [Tang’13]
30