Pages

Showing posts with label Signalling. Show all posts
Showing posts with label Signalling. Show all posts

Sunday, 4 December 2016

5G, Hacking & Security


It looks like devices that are not manufactures with security and privacy in mind are going to be the weakest link in future network security problems. I am sure you have probably read about how hacked cameras and routers enabled a Mirai botnet to take out major websites in October. Since then, there has been no shortage of how IoT devices could be hacked. In fact the one I really liked was 'Researchers hack Philips Hue lights via a drone; IoT worm could cause city blackout' 😏.


Enter 5G and the problem could be be made much worse. With high speed data transfer and signalling, these devices can create an instantaneous attack on a very large scale and generating signalling storm that can take a network down in no time.

Giuseppe TARGIA, Nokia presented an excellent summary of some of these issues at the iDate Digiworld Summit 2016. His talk is embedded below:



You can check out many interesting presentations from the iDate Digiworld Summit 2016 on Youtube and Slideshare.

Related posts:


Friday, 7 October 2016

Whats up with VoLTE Roaming?

I have been covering the LTE Voice Summit for last couple of years (see here: 2015 & 2014) but this year I wont be around unfortunately. Anyway, I am sure there will be many interesting discussions. From my point of view, the 2 topics that have been widely discussed is roaming and VoWiFi.

One of the criticisms of VoWiFi is that it does not the QoS aspect is missing, which makes VoLTE special. In a recent post, I looked at the QoS in VoWiFi issue. If you haven't seen it, see here.

Coming back to VoLTE roaming, I came across this recent presentation by Orange.
This suggests that S8HR is a bad idea, the focus should be on LBO. For anyone who is not aware of the details of S8HR & LBO, please see my earlier blog post here. What this presentation suggests is to use LBO with no MTR (Mobile Termination Rates) but instead use TAP (Transferred Account Procedures). The presentation is embedded below:



Another approach that is not discussed too much but seems to be the norm at the moment is the use of IP eXchange (IPX). I also came across this other panel discussion on the topic


IPX is already in use for data roaming today and acts as a hub between different operators helping to solve inter-operability issues and mediating between roaming models. It can work out based on the calling and callee party what kind of quality and approach to use.

Here is the summary of the panel discussion:



Hopefully the LTE Voice Summit next week will provide some more insights. I look forward to hearing them.

Blog posts on related topics:

Saturday, 27 August 2016

Dedicated Core Networks (DCN) for different traffic types

Looking at a paper (embedded below) from NTT Docomo technical journal where they talk about Dedicated Core Network (DCN) for handling different traffic type (M2M/IoT for example). Note that this approach is different from NFV based network sliced architecture. For the latter, the network functions should have been virtualized.


There will be some signalling overhead in the core network to handle the new core and reroute the traffic according destined for the new dedicated core. I would still hope that this would be minuscule in the grand scheme of things. Anyway, let me know what you think about the paper below.



Wednesday, 10 August 2016

New whitepaper on Narrowband Internet of Things

Rohde & Schwarz has just published a new whitepaper on Narrowband Internet of Things (NB-IoT).

NB-IoT has been introduced as part of 3GPP Rel-13 where 3GPP has specified a new radio interface. NBIoT is optimized for machine type traffic and is kept as simple as possible in order to reduce device costs and to minimize battery consumption. In addition, it is also adapted to work in difficult radio conditions, which is a frequent operational area for certain machine type communication devices. Although NB-IoT is an independent radio interface, it is tightly connected with LTE, which also shows up in its integration in the current LTE specifications.
The paper contains the necessary technical details including the new channels, new frame and slot structure, new signalling messages including the system information messages, etc. It's a good read.

Its embedded below and can be downloaded from here:



Related posts:


Friday, 28 August 2015

MCPTT Off-network and UE to UE/Network Relays

3GPP SA6 recently held a workshop on Mission Critical Push To Talk (MCPTT) stage 3 development in Canada. You can look at the meeting report here and download any presentations from here.

An interesting presentation that caught my attention was one on "MCPTT Off-network Architecture". The presentation is embedded below where it is described technically what is meant by Off-network. From my understanding an off-network from MCPTT point of view is one where the UE does not have network coverage.

In such a situation a UE can connect to another UE that can connect to UE/network (if available) to relay the message. Its similar to another technology that I have talked about, Multihop Cellular Networks and ODMA. Anyway, here is the presentation:



Sometimes the standards can take too long to develop a feature and apps can come and deliver a similar service at a very short notice. One such App that does something similar is called Firechat, which played a big role in many protests worldwide. The video explaining it below is worth watching.


The problem with Apps is that they cannot be used by the emergency services or other governmental organisations, unless a standard feature is available. This is the expectation from this Off-network relays. It would work in combination with D2D/ProSe.


For anyone interested in the latest Public Safety (PS), here is a presentation by SA6 chairman from July

Sunday, 9 August 2015

Diameter Security is worse than SS7 Security?



Back in December last year, there was a flurry of news about SS7 security flaw that allowed hackers to snoop on an unsuspecting users calls and SMS. The blog readers will also be aware that SS7 is being replaced by the Diameter protocol. The main reason being to simplify roaming while at the same time being able to manage the signalling storm in the networks.


The bad news is that while is case of SS7, security issues are due to network implementation and configuration (above pic), the security issues in Diameter seem to be due to the protocol and architecture themselves (below pic)


Diameter is very important for LTE network architecture and will possibly continue in the future networks too. It is very important to identify all such issues and iron them before some hackers start exploiting the network vulnerabilities causing issues for everyone.

The presentation by Cédric Bonnet, Roaming Technical Domain Manager, Orange at Signalling Focus Day of LTE World Summit 2015 is embedded below:


From SS7 to Diameter Security from Zahid Ghadialy

Some important information from this post has been removed due to a valid complaint.

Sunday, 12 July 2015

S8HR: Standardization of New VoLTE Roaming Architecture

VoLTE is a very popular topic on this blog. A basic VoLTE document from Anritsu has over 40K views and my summary from last years LTE Voice summit has over 30K views. I assume this is not just due to the complexity of this feature.

When I attended the LTE Voice summit last year, of the many solutions being proposed for roaming, 'Roaming Architecture for Voice over LTE with Local Breakout (RAVEL)' was being touted as the preferred solution, even though many vendors had reservations.

Since then, GSMA has endorsed a new VoLTE roaming architecture, S8HR, as a candidate for VoLTE roaming. Unlike previous architectures, S8HR does not require the deployment of an IMS platform in VPLMN. This is advantageous because it shortens time-to-market and provides services universally without having to depend on the capability of VPLMN.



Telecom Italia has a nice quick summary, reproduced below:

S8HR simplicity, however, is not only its strength but also its weakness, as it is the source of some serious technical issues that will have to be solved. The analysis of these issues is on the Rel13 3GPP agenda for the next months, but may overflow to Rel14. Let’s see what these issues are, more in detail:


Regulatory requirements - S8HR roaming architecture needs to meet all the current regulatory requirements applicable to voice roaming, specifically:
  • Support of emergency calls - The issues in this context are several. For example, authenticated emergency calls rely on the existence if an IMS NNI between VPLMN and HPLMN (which S8HR does not provide); conversely, the unauthenticated emergency calls, although technically feasible in S8HR, are allowed only in some Countries subject to the local regulation of VPLMN. Also, for a non-UE-detectable IMS Emergency call, the P-CSCF in the HPLMN needs to be capable of deciding the subsequent action (e.g. translate the dialed number and progress the call or reject it with the indication to set up an emergency call instead), taking the VPLMN ID into account. A configuration of local emergency numbers per Mobile Country Code on P-CSCF may thus be needed.
  • ­Support of Lawful Interception (LI) & data retention for inbound roamers in VPLMN -  S8HR offers no solution to the case where interception is required in the VPLMN for inbound roamers. 3GPP is required to define a solution that fulfill such vital regulatory requirement, as done today in circuit switched networks. Of course VPLMN and HPLMN can agree in their bilateral roaming agreement to disable confidentiality protection to support inbound roamer LI but is this practice really viable from a regulatory point of view?
Voice call continuity – The issue is that when the inbound roamers lose the LTE coverage to enter into  a 2G/3G CS area, the Single Radio Voice Call Continuity (SRVCC) should be performed involving the HPLMN in a totally different way than current specification (i.e. without any IMS NNI being deployed).
Coexistence of LBO and S8HR roaming architectures will have to be studied since an operator may need to support both LBO and S8HR VoLTE roaming architecture options for roaming with different operators, on the basis of bilateral agreement and depending on the capability.
Other issues relate to the capability of the home based S-CSCF and TAS (Telephony Application Server) to be made aware about the VPLMN identity for charging purposes and to enable the TAS to subsequently perform communication barring supplementary services. Also, where the roaming user calls a geo-local number (e.g. short code, or premium numbers), the IMS entities in HPLMN must do number resolution to correctly route the call.
From preliminary discussions held at Working Group level in SA2 (architecture) and SA3 (security) in April, it was felt useful to create a new 3GPP Technical Report to perform comprehensive technical analysis on the subject. Thus it is expected that the discussions will continue in the next months until the end of 2015 and will overheat Release 13 agenda due to their commercial and “political” nature. Stay tuned to monitor the progress of the subject or contact the authors for further information!
NTT Docomo also did some trials back in February and got some brilliant results:

In the trials, DOCOMO and KT achieved the world's first high-definition voice and video call with full end-to-end quality of service. Also, DOCOMO and Verizon achieved the world's first transoceanic high-definition VoLTE roaming calls. DOCOMO has existing commercial 3G and 4G roaming relations with Verizon Wireless and KT.
The calls were made on an IP eXchange (IPX) and network equipment to replicate commercial networks. With only two months of preparation, which also proved the technology's feasibility of speedy commercialization, the quality of VoLTE roaming calls using S8HR architecture over both short and long distances was proven to be better than that of existing 3G voice roaming services.


In fact, NTT Docomo has already said based on the survery from GSMA's Network 2020 programme that 80% of the network operators want this to be supported by the standards and 46% of the operators already have a plan to support this.


The architecture has the following technical characteristics:
(1) Bearers for IMS services are established on the S8 reference point, just as LTE data roaming.
(2) All IMS nodes are located at Home Public Land Mobile Network (HPLMN), and all signaling and media traffic for the VoLTE roaming service go through HPLMN.
(3) IMS transactions are performed directly between the terminal and P-CSCF at HPLMN. Accordingly, Visited Public Land Mobile Network (VPLMN) and interconnect networks (IPX/GRX) are not service-aware at the IMS level. The services can only be differentiated by APN or QoS levels.

These three technical features make it possible to provide all IMS services by HPLMN only and to minimize functional addition to VPLMN. As a result, S8HR shortens the time-to-market for VoLTE roaming services.

Figure 2 shows the attach procedure for S8HR VoLTE roaming. From Steps 1 to 3, there is no significant difference from the LTE data roaming attach procedure. In Step 4, HSS sends an update location answer message to MME. In order for the MME to select the PGW in HPLMN (Step 5), the MME must set the information element VPLMN Dynamic Address “Allowed,” which is included in the subscribed data, to “Not Allowed.” In Step 6, the bearer for SIP signaling is created between SGW and PGW with QCI=5. MME sends an attach accept message to the terminal with an IMS Voice over PS Session Support Indication information element, which indicates that VoLTE is supported. The information element is set on the basis of the MME’s internal configuration specifying whether there is a VoLTE roaming agreement to use S8HR. If no agreement exists between two PLMNs, the information element will not be set.

The complete article from the NTT Docomo technical journal is embedded



Monday, 23 February 2015

Static/Dynamic IP Address Allocation in LTE


I recently came across a discussion on how static and dynamic IP address are allocated in LTE for a UE. Luckily, there is a recent document from Netmanias that discussed this topic. The document is embedded below.



If you enjoyed reading the document (part 1) above, then there is a part 2 here. While in part 1, we saw that IP addresses can be either dynamic or static depending on their allocators, part 2 presents a specific case of IP address allocation – allocation in geographically-separated locations within an LTE network. In case of dynamic allocation, no matter where a user accesses, a dynamically selected P-GW dynamically allocates an IP address to the user for PDN connection. In case of static allocation, however, there is always one specific P-GW and one IP address for a user - the designated P-GW allocates a static IP address for the user’s PDN connection. A case study shows an LTE network that serves two cities as an example to describe different ways and procedures of IP address allocation, and see how they are different from each other.

Wednesday, 7 January 2015

Enhancing voice services using VoLTE


VoLTE has been a very popular topic on this blog. My overview of the LTE Voice Summit missed out narrowly from the Top 10 posts of 2014 but there were other posts related to VoLTE that made it.

In this magazine article, NTT Docomo not only talks about its own architecture and transition from 3G to 4G for voice and video, it provides some detailed insights from its own experience.

There is also discussion into technical details of the feature and examples of signalling for VoLTE registration and originating/terminating calls (control, session and user plane establishment), SMS, SRVCC, Video over LTE (ViLTE) and voice to video call switching.

The paper is embedded below and available from slideshare to download.



Related links:

Monday, 29 December 2014

The SS7 flaws that allows hackers to snoop on your calls and SMS

By now I am aware that most people have heard of the flaws in SS7 networks that allow hackers to snoop, re-route calls and read text messages. For anyone who is not aware of these things, can read some excellent news articles here:

Our trusted security expert, Ravi Borgaonkar, informs us that all these flaws have already been discussed back in May, as part of Positive Hack Days (PHDays).

The presentation is embedded below and can be downloaded from Slideshare:



xoxoxo Added this new information on the 4th Jan 2015 oxoxox

The following is this presentation and video by Tobias Engel from the 31st Chaos Communication Congress




Saturday, 26 July 2014

Observed Time Difference Of Arrival (OTDOA) Positioning in LTE

Its been a while I wrote anything on Positioning. The network architecture for the positioning entities can be seen from my old blog post here
Qualcomm has recently released a whitepaper on the OTDOA (Observed Time Difference Of Arrival) positioning. Its quite a detailed paper with lots of technical insights.

There is also signalling and example of how reference signals are used for OTDOA calculation. Have a look at the whitepaper for detail, embedded below.



Wednesday, 25 June 2014

Diamater: Market Status, Roaming, NFV and Case Studies

Some more interesting presentations from the Signalling Focus Day of LTE World Summit. Good overview of market by Greg Collins of Exact ventures is embedded below.





A good presentation by Tieto where they presented some good case studies for Diameter Interworking. Presentation embedded below:




The final presentation by Diametriq is very interesting because they presented interesting way of mining the control plane. Thee case study presented was of a 'silent roamer' who is not going to spend money while roaming because he is not sure how much money is spent. This can be exploited by the operator to offer flat packages, 1 day pass, etc. to get some revenue from these roamers. Their presentation included some animations that cannot be shown while being embedded. Please download the PPT from Slideshare to view them.


Friday, 13 December 2013

Advancements in Congestion control technology for M2M


NTT Docomo recently published a new article (embedded below) on congestion control approaches for M2M. In their own words:

Since 3GPP Release 10 (Rel. 10) in 2010, there has been active study of technical specifications to develop M2M communications further, and NTT DOCOMO has been contributing proactively to creating these technical specifications. In this article, we describe two of the most significant functions standardized between 3GPP Rel. 10 and Rel. 11: the M2M Core network communications infrastructure, which enables M2M service operators to introduce solutions more easily, and congestion handling technologies, which improve reliability on networks accommodating a large number of terminals.

Complete article as follows:



Other related posts:

Monday, 9 December 2013

Rise of the "Thing"

Light Reading carried an interesting cartoon on how M2M works. I wouldnt be surprised if some of the M2M applications at present do work like this. Jokes apart, last week the UK operator EE did a very interesting presentation on Scaling the network for the Rise of the Thing.

A question often asked is "What is the difference between the 'Internet of Things' (IoT) and 'Machine to Machine' (M2M)?". This can generate big discussions and can be a lecture on its own. Quora has a discussion on the same topic here. The picture above from the EE presentation is a good way of showing that M2M is a subset of IoT. 

Its also interesting to note how these 'things' will affect the signalling. I often come across people who tell me that since most M2M devices just use small amounts of data transfer, why is there a need to move from GPRS to LTE. The 2G and 3G networks were designed primarily for Voice with Data secondary function. These networks may work well now but what happens when the predicted 50 Billion connected devices are here by 2020 (or 500 Billion by 2030). The current networks would drown in the control signalling that would often result in congested networks. Congestion control is just one of the things 3GPP is working on for M2M type devices as blogged earlier here. In fact the Qualcomm presentation blogged about before does a decent job of comparing various technologies for IoT, see here.

The EE presentation is embedded as follows:



Another good example website I was recently made aware of is http://postscapes.com/internet-of-things-examples/ - worth checking how IoT would help us in the future.

Sunday, 28 July 2013

New RRC message in Rel-11: In-device coexistence indication

I have blogged about about IDC here and here. If the eNB is interested in knowing if the device is having an interference issue it can ask the UE to send this message in the RRC Conn Reconfiguration message. The UE would send the message if it has interference issues.
Inter-frequency handover is a good solution in case the UE is experiencing interference.

From the Rel-11 whitepaper posted last week here:

To assist the base station in selecting an appropriate solution, all necessary/available assistance information for both time and frequency domain solutions is sent together in the IDC indication. The IDC assistance information contains the list of carrier frequencies suffering from on-going interference and the direction of the interference. Additionally it may also contain time domain patterns or parameters to enable appropriate DRX configuration for time domain solutions on the serving LTE carrier frequency.

Note that the network is in the control of whether or not to activate this interference avoidance mechanism. The InDeviceCoexIndication message from the UE may only be sent if a measurement object for this frequency has been established. This is the case, when the RRCConnectionReconfiguration message from the eNB contains the information element idc-Config. The existence of this message declares that an InDeviceCoexIndication message may be sent. The IDC message indicates which frequencies of which technologies are interfered and gives assistance to possible time domain solutions. These comprise DRX assistance information and a list of IDC subframes, which indicate which HARQ processes E-UTRAN is requested to abstain from using. This information describes only proposals, it is completely up to the network to do the decisions.

Wednesday, 15 May 2013

Access Class Barring in LTE using System Information Block Type 2


As per 3GPP TS 22.011 (Service accessibility):

All UEs are members of one out of ten randomly allocated mobile populations, defined as Access Classes (AC) 0 to 9. The population number is stored in the SIM/USIM. In addition, UEs may be members of one or more out of 5 special categories (Access Classes 11 to 15), also held in the SIM/USIM. These are allocated to specific high priority users as follows. (The enumeration is not meant as a priority sequence):
Class 15 - PLMN Staff;
 -"-  14 - Emergency Services;
 -"-  13 - Public Utilities (e.g. water/gas suppliers);
 -"-  12 - Security Services;
 -"-  11 - For PLMN Use.

Now, in case of an overload situation like emergency or congestion, the network may want to reduce the access overload in the cell. To reduce the access from the UE, the network modifies the SIB2 (SystemInformationBlockType2) that contains access barring related parameters as shown below:




For regular users with AC 0 – 9, their access is controlled by ac-BarringFactor and ac-BarringTime. The UE generates a random number
– “Rand” generated by the UE has to pass the “persistent” test in order for the UE to access. By setting ac-BarringFactor to a lower value, the access from regular user is restricted (UE must generate a “rand” that is lower than the threshold in order to access) while priority users with AC 11 – 15 can access without any restriction

For users initiating emergency calls (AC 10) their access is controlled by ac-BarringForEmergency – boolean value: barring or not

For UEs with AC 11- 15, their access is controlled by ac-BarringForSpecialAC - boolean value: barring or not.


The network (E-UTRAN) shall be able to support access control based on the type of access attempt (i.e. mobile originating data or mobile originating signalling), in which indications to the UEs are broadcasted to guide the behaviour of UE. E-UTRAN shall be able to form combinations of access control based on the type of access attempt e.g. mobile originating and mobile terminating, mobile originating, or location registration.  The ‘mean duration of access control’ and the barring rate are broadcasted for each type of access attempt (i.e. mobile originating data or mobile originating signalling).

Another type of Access Control is the Service Specific Access Control (SSAC) that we have seen here before. SSAC is used to apply independent access control for telephony services (MMTEL) for mobile originating session requests from idle-mode.

Access control for CSFB provides a mechanism to prohibit UEs to access E-UTRAN to perform CSFB. It minimizes service availability degradation (i.e. radio resource shortage, congestion of fallback network) caused by mass simultaneous mobile originating requests for CSFB and increases the availability of the E-UTRAN resources for UEs accessing other services.  When an operator determines that it is appropriate to apply access control for CSFB, the network may broadcast necessary information to provide access control for CSFB for each class to UEs in a specific area. The network shall be able to separately apply access control for CSFB, SSAC and enhanced Access control on E-UTRAN.

Finally, we have the Extended Access Barring (EAB) that I have already described here before.

Monday, 18 February 2013

Saturday, 22 December 2012

Data v/s Signalling Traffic in Dongles and Phones

From a presentation by Peter Zidar in the Small Cells Global Congress 2012.

The above picture shows that even though the amount data traffic carried by dongles is much more than the amount of traffic carried by the mobile phones, the amount of signalling is far higher from the mobiles than that of dongles. This is mainly because the mobiles need to conserve the battery power and for this reason they disconnect from the network as soon as there is no need for exchange of data. Remember the Fast Dormancy issue in the smartphones? If not see this post.

Related posts:


Thursday, 20 December 2012

IMS Whitepapers from Spirent



Couple of old but interesting whitepapers from Spirent available, in case you are interesting in IMS. Available to download from here (registration required)

Related blog posts:



Tuesday, 16 October 2012

Extended Access Barring (EAB) in Release 11 to avoid MTC overload

M2M is going to be big. With the promise of 50 Billion devices by 2020, the networks are already worried about the overloading due to signalling by millions of devices occurring at any given time. To counter this, they have been working on avoiding overloading of the network for quite some time as blogged about here.

The feature to avoid this overload is known as Extended Access Barring (EAB). For E-UTRAN, in Rel-10, a partial solution was implemented and a much better solution has been implemented in Rel-11. For GERAN a solution was implemented in Rel-10. The following presentation gives a high level overview of EAB for E-UTRAN and GERAN.



In Rel-11, a new System Information Block (SIB 14) has been added that is used specifically for EAB. Whereas in Rel-10, the UE would still send the RRCConnectionRequest, in Rel-11, the UE does not even need to do that, thereby congesting the Random Access messages.

The following is from RRC 36.331 (2012-09)
***

–                SystemInformationBlockType14

The IE SystemInformationBlockType14 contains the EAB parameters.
SystemInformationBlockType14 information element
-- ASN1START

SystemInformationBlockType14-r11 ::= SEQUENCE {
    eab-Param-r11                        CHOICE {
       eab-Common-r11                       EAB-Config-r11,
       eab-PerPLMN-List-r11                 SEQUENCE (SIZE (1..6)) OF EAB-ConfigPLMN-r11
    }                                                  OPTIONAL, -- Need OR
    lateNonCriticalExtension             OCTET STRING          OPTIONAL, -- Need OP
    ...
}

EAB-ConfigPLMN-r11 ::=               SEQUENCE {
    eab-Config-r11                   EAB-Config-r11            OPTIONAL -- Need OR
}

EAB-Config-r11 ::=               SEQUENCE {
    eab-Category-r11                 ENUMERATED {a, b, c, spare},
    eab-BarringBitmap-r11            BIT STRING (SIZE (10))
}

-- ASN1STOP

SystemInformationBlockType14 field descriptions
eab-BarringBitmap
Extended access class barring for AC 0-9. The first/ leftmost bit is for AC 0, the second bit is for AC 1, and so on.
eab-Category
Indicates the category of UEs for which EAB applies. Value a corresponds to all UEs, value b corresponds to the UEs that are neither in their HPLMN nor in a PLMN that is equivalent to it, and value c corresponds to the UEs that are neither in the PLMN listed as most preferred PLMN of the country where the UEs are roaming in the operator-defined PLMN selector list on the USIM, nor in their HPLMN nor in a PLMN that is equivalent to their HPLMN, see TS 22.011 [10].
eab-Common
The EAB parameters applicable for all PLMN(s).
eab-PerPLMN-List
The EAB parameters per PLMN, listed in the same order as the PLMN(s) occur in plmn-IdentityList in SystemInformationBlockType1.

***

Here is my attempt to explain the difference in overload control mechanism in Rel-8, Rel-10 and Rel-11. Please note that not actual message names are used.





As usual, happy to receive feedback, comments, suggestions, etc.