Showing posts with label LTE. Show all posts

Tuesday, 20 January 2026

Telecom Security Realities from 2025 and Lessons for 2026

Telecom security rarely stands still. Each year brings new technologies, new attack paths, and new operational realities. Yet 2025 was not defined by dramatic new exploits or spectacular network failures. Instead, it became a year that highlighted how persistent, patient and methodical modern telecom attackers have become.

The recent SecurityGen Year-End Telecom Security Webinar offered a detailed look back at what the industry experienced during 2025. The session pulled together research findings, real world incidents and practical lessons from across multiple domains, including legacy signalling, eSIM ecosystems, VoLTE vulnerabilities and the emerging world of satellite-based mobile connectivity.

For anyone working in mobile networks, the message was clear. The threats are evolving, but many of the core problems remain stubbornly familiar.

A Year of Stealth Rather Than Spectacle

One of the most important themes from the webinar was that 2025 did not bring a wave of highly visible disruptive telecom attacks. Instead, it was characterised by quiet, low profile intrusions that often went undetected for long periods.

Operators around the world reported that attackers increasingly favoured living-off-the-land techniques. Rather than deploying noisy malware, intruders looked for ways to gain legitimate access to core systems and remain hidden. Lawful interception platforms, subscriber databases such as HLR and HSS, and internal management platforms were all targeted.

The primary objective in many cases was intelligence collection. Attackers were interested in call data, subscriber information and network topology rather than immediate disruption. This shift in motivation makes detection far more difficult, as there are often few obvious signs of compromise.

At the same time, automation has become a defining feature on both sides of the security battle. Operators are investing heavily in AI and machine learning to identify abnormal behaviour. Attackers are doing exactly the same, using automation to scale phishing campaigns and to accelerate exploit development.

Despite all this technology, basic security discipline continues to be a major challenge. A significant proportion of incidents still originate from human error, poor operational practices or simple failure to apply patches. The industry continues to invest billions in cybersecurity, but much of that effort is consumed by reporting and compliance activities rather than direct threat mitigation.

eSIM Security Comes into Sharp Focus

The transition from physical SIM cards to eSIM and remote provisioning is one of the most significant structural changes in the mobile industry. It offers clear benefits in terms of flexibility and user experience. However, the webinar highlighted that it also introduces entirely new security concerns.

Traditional SIM security models relied heavily on physical control. Fraudsters needed access to large numbers of real SIM cards to operate at scale. With eSIM, many of those physical constraints disappear. Remote provisioning expands the number of parties involved in the connectivity chain, including resellers and intermediaries who may not always operate under strict regulatory oversight.

During 2025 several major SIM farm operations were dismantled by law enforcement. These infrastructures contained tens of thousands of active SIM cards and were used for large scale fraud, smishing campaigns and automated account creation. While such operations existed long before eSIM, the technology has the potential to make them even easier to deploy and manage.

Research discussed in the session pointed to additional concerns. Analysis of travel eSIM services revealed issues such as cross-border routing of management traffic, excessive levels of control granted to resellers, and lifecycle management weaknesses that could potentially be abused by attackers. In some cases, resellers were found to have capabilities similar to full mobile operators, but without equivalent governance or transparency.

The conclusion was not that eSIM is inherently insecure. The technology itself uses strong encryption and robust mechanisms. The problem lies in the wider ecosystem of trust boundaries, partners and processes that surround it. Securing eSIM therefore requires cooperation between operators, vendors, regulators and service providers.

SS7 Remains a Persistent Weak Point

Few topics in telecom security generate as much ongoing concern as SS7. Despite being a technology from a previous era, it remains deeply embedded in global mobile infrastructure. The webinar dedicated significant attention to why SS7 continues to be exploited in 2025 and why it is likely to remain a problem for many years to come.

Throughout the year, media reports and research papers continued to demonstrate practical abuses of SS7 signalling. Attackers probed networks, attempted to bypass signalling firewalls and looked for new ways to manipulate protocol behaviour. Techniques such as parameter manipulation and protocol parsing tricks were highlighted as methods that can sometimes evade existing protections.

One particularly interesting demonstration showed how SS7 messages could be used as a covert channel for data exfiltration. By embedding information inside otherwise legitimate signalling transactions, attackers can potentially move data across networks without triggering traditional security alarms.

Perhaps the most striking point raised was how little progress has been made in eliminating SS7 dependencies. Analysis of global network deployments showed that only a handful of countries operate mobile networks entirely without SS7. Everywhere else, the protocol remains a foundational element of roaming and interconnect.

As a result, even operators that have invested heavily in 4G and 5G security can still be undermined by weaknesses in this legacy layer. The uncomfortable reality is that SS7 vulnerabilities will continue to be exploited well into 2026 and beyond.

VoLTE and Modern Core Network Risks

While legacy protocols remain a problem, modern technologies are not immune. VoLTE infrastructure in particular was identified as an increasingly attractive target.

VoLTE relies on complex interactions between signalling systems, IP multimedia subsystems and subscriber databases. Weaknesses in configuration or interconnection can open the door to call interception, fraud or denial of service. Several real world incidents during 2025 demonstrated that attackers are actively exploring these paths.

The move toward fully virtualised and cloud-native mobile cores also introduces new operational challenges. Telecom networks now resemble large IT environments, complete with the same risks around misconfiguration, insecure APIs and exposed management interfaces.

The Emerging Security Challenge of 5G Satellites

One of the most forward-looking parts of the webinar focused on non-terrestrial networks and direct-to-device satellite connectivity. What was once a concept for the distant future is rapidly becoming a commercial reality.

Satellite integration promises to extend 5G coverage to remote areas, oceans and disaster zones. However, it also changes the security model in fundamental ways. Satellites can act either as simple relay systems or as active components of the mobile radio access network. In both cases, new threat vectors emerge.

Potential issues discussed included the risk of denial of service against shared satellite resources, difficulties in applying traditional radio security controls in space-based equipment, and the possibility of more precise user tracking due to the way satellite systems handle location information.

Experts from the space cybersecurity community explained how vulnerabilities in mission control software and ground segment infrastructure could be exploited. Much of this software was originally designed for isolated environments and is only now being connected to wider networks and the internet.

As telecom networks expand beyond the boundaries of the Earth, security responsibilities extend with them. Operators will need to think not only about terrestrial threats but also about risks originating from space-based components.

The Human Factor and the Skills Gap

Technology was only part of the story. Another recurring theme was the global shortage of skilled telecom cybersecurity professionals.

Studies referenced in the session suggested that millions of additional specialists are needed worldwide, yet only a fraction of that demand can currently be filled. Many security teams are overwhelmed by the sheer volume of alerts and data they must process.

This shortage has real consequences. When teams are stretched thin, patching is delayed, anomalies are missed and complex investigations become difficult to sustain. The panel emphasised that throwing more tools at the problem is not enough. Organisations must focus on training, automation and smarter operational processes.

Automation and AI-driven analysis were presented as essential enablers. Given the scale of modern mobile networks, it is simply not feasible for human analysts to monitor every signalling protocol, every core interface and every emerging technology manually.

Preparing for 2026

Looking ahead, the experts agreed on several broad trends. Attacks on legacy systems such as SS7 will continue. Fraudsters will increasingly target eSIM provisioning processes. VoLTE and 5G core components will face growing scrutiny. Satellite-based connectivity will introduce new and unfamiliar security questions.

Perhaps most importantly, the line between traditional telecom security and general cybersecurity will continue to blur. Mobile networks are now large, distributed IT platforms, and they inherit all the complexities that come with that transformation.

Operators, regulators and vendors must therefore adopt a holistic view. Investment must go beyond compliance reporting and focus on practical defences, real time monitoring and collaborative intelligence sharing.

Final Reflections

The SecurityGen webinar provided a valuable snapshot of an industry at a crossroads. Telecom networks are becoming more advanced and more capable, but also more complex and interconnected than ever before.

2025 demonstrated that attackers do not always need new vulnerabilities. Often they succeed simply by exploiting old weaknesses in smarter ways. The challenge for 2026 is to close those gaps while also preparing for the technologies that are only just beginning to emerge.

For those involved in telecom security, the full discussion is well worth watching. The complete webinar recording can be viewed below:


Thursday, 8 May 2025

3GPP Release 18 Signal level Enhanced Network Selection (SENSE) for Smarter Network Selection in Stationary IoT

As 5G evolves and the number of deployed IoT devices increases globally, efficient and reliable network selection becomes ever more critical. Particularly for stationary devices deployed in remote, deep-indoor or roaming environments, traditional selection mechanisms have struggled to provide robust connectivity. This has led to operational challenges, especially for use cases involving low-power or hard-to-reach sensors. In response, 3GPP Release 18 introduces a new capability under the SA2 architecture work, Signal level Enhanced Network Selection (SENSE), designed to tackle this exact issue.

In today’s cellular systems, when a User Equipment (UE), including IoT modules, switches on or recovers from a loss of coverage, it performs automatic network selection. This typically prioritises networks based on preferences such as PLMN priority lists and broadcast cell selection criteria, while largely ignoring the actual signal strength at the device’s location. This approach works reasonably well for mobile consumer devices that can adapt through user movement or manual intervention. However, for stationary IoT UEs, which are often unmanned and deployed permanently in locations with limited or fluctuating radio conditions, this method can result in persistent suboptimal connectivity.

The issue becomes most evident when a device latches onto a visited PLMN (VPLMN) with higher priority despite poor signal quality. The UE might remain connected to this weak network, struggling to maintain bearer sessions or repeatedly failing data transfers. These failures often go undetected by the operator's monitoring systems and may require expensive manual intervention in the field. The cumulative impact of such maintenance activities adds significantly to operational expenditure, especially in mass-scale IoT deployments.

SENSE aims to fix this problem by making signal level an integral part of the automatic network selection and reselection process. Rather than simply following preconfigured priority rules, UEs enabled with SENSE will now assess the received signal quality during network selection. This allows them to favour networks that offer stronger and more stable radio conditions, even if they have lower priority, when such conditions are essential for reliable connectivity.

The capability is particularly targeted at stationary IoT UEs that support NB-IoT, EC-GSM-IoT, or LTE Cat-M1/M2. These devices are often used in applications such as water level monitoring, power grid sensors, and remote metering, installations where physical access post-deployment may be difficult or even infeasible.

To implement SENSE, the Home PLMN (HPLMN) can configure the UE to apply Operator Controlled Signal Thresholds (OCST) for each supported access technology. These thresholds are stored within the USIM and define the minimum signal quality required for a network to be considered viable. The OCST settings can be provisioned before deployment or updated later via standard NAS signalling mechanisms, including the Steering of Roaming (SoR) feature.

When a SENSE-enabled UE attempts to select a network, it checks whether the signal level from any candidate network meets or exceeds the configured OCST for its supported radio access technologies. If it does, the UE proceeds to register with that PLMN. If no suitable network meets the signal thresholds, the UE falls back to the legacy selection process, which excludes signal strength as a factor. This dual-iteration method ensures backward compatibility while enabling more robust performance where SENSE is supported.

Additionally, SENSE influences periodic network reselection. If the average signal quality from a registered PLMN drops below the OCST threshold over time, the UE will proactively seek alternative PLMNs whose signals meet the configured criteria. This continuous evaluation helps avoid long-term connectivity issues that may otherwise remain unnoticed.
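The two-pass selection and the threshold-driven reselection described above can be modelled in a few lines. This is an added sketch, not code from 3GPP or from the original post. It assumes signal level is expressed in dBm, that priority order is used to choose among networks that pass the threshold, and that a RAT with no configured OCST cannot pass the first iteration. The PLMN identifiers, thresholds and measurements are constructed sample values.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Mapping, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Candidate:
    plmn: str          # MCC-MNC (constructed test values below)
    rat: str           # access technology, e.g. "NB-IoT"
    priority: int      # 0 = highest priority in the UE's PLMN lists
    signal_dbm: float  # measured signal level (dBm is an assumption)


def meets_ocst(c: Candidate, ocst: Mapping[str, float]) -> bool:
    """True if the candidate meets or exceeds the OCST for its RAT.
    Assumption: no threshold configured for the RAT means 'not viable'."""
    threshold = ocst.get(c.rat)
    return threshold is not None and c.signal_dbm >= threshold


def legacy_select(candidates: Sequence[Candidate]) -> Optional[Candidate]:
    """Legacy behaviour: priority order only, signal level ignored."""
    return min(candidates, key=lambda c: c.priority, default=None)


def sense_select(candidates: Sequence[Candidate],
                 ocst: Mapping[str, float]) -> Tuple[Optional[Candidate], str]:
    """First iteration: only networks that meet the OCST are considered.
    Second iteration: if none qualifies, fall back to legacy selection."""
    viable = [c for c in candidates if meets_ocst(c, ocst)]
    if viable:
        return legacy_select(viable), "sense"
    return legacy_select(candidates), "legacy"


def reselect(registered: Candidate,
             recent_dbm: Sequence[float],
             candidates: Sequence[Candidate],
             ocst: Mapping[str, float]) -> Optional[Candidate]:
    """Periodic check: if the averaged signal of the registered PLMN is
    below the OCST, return an alternative PLMN that meets it, else None."""
    threshold = ocst.get(registered.rat)
    if threshold is None or not recent_dbm:
        return None  # nothing to compare against, stay registered
    if mean(recent_dbm) >= threshold:
        return None  # registered network is still good enough
    others = [c for c in candidates
              if c.plmn != registered.plmn and meets_ocst(c, ocst)]
    return legacy_select(others)


# Constructed sample data: thresholds as the HPLMN might provision them,
# and one scan result as seen by a stationary sensor.
SAMPLE_OCST = {"NB-IoT": -110.0, "LTE Cat-M1": -105.0}
SAMPLE_SCAN = [
    Candidate("001-01", "NB-IoT", priority=0, signal_dbm=-118.0),
    Candidate("001-02", "NB-IoT", priority=1, signal_dbm=-101.0),
    Candidate("999-99", "LTE Cat-M1", priority=2, signal_dbm=-99.0),
]

if __name__ == "__main__":
    print("legacy:", legacy_select(SAMPLE_SCAN).plmn)
    chosen, mode = sense_select(SAMPLE_SCAN, SAMPLE_OCST)
    print("SENSE :", chosen.plmn, f"({mode} pass)")
    degraded = [-108.0, -112.0, -114.0, -113.0]  # constructed averages
    alt = reselect(chosen, degraded, SAMPLE_SCAN, SAMPLE_OCST)
    print("after degradation, reselect to:", alt.plmn if alt else None)
```

With the sample scan, legacy selection latches onto the weak highest-priority network, while the SENSE pass skips it for the next network in priority order that clears its threshold.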

SENSE is not intended to disrupt roaming steering or PLMN preferences altogether. Instead, it introduces a smart, context-aware filter that empowers the UE to make better decisions when radio conditions are poor. By integrating signal level awareness early in the selection logic, operators gain a powerful new tool to reduce failure rates and minimise costly field maintenance.

As the IoT landscape expands across industries and geographies, features like SENSE will play a vital role in supporting dependable, scalable and autonomous deployments. In Release 18, 3GPP has taken a meaningful step towards improving network availability for devices that need to just work, no matter where they are.


Thursday, 19 December 2024

Evolution and Impact of Cellular Location Services (LCS)

Location Services (LCS) have been standardized by 3GPP across all major generations of cellular technology, including 2G (GSM), 3G (UMTS), 4G (LTE), and 5G. These services enable applications to determine the geographical location of mobile devices, facilitating crucial functions such as emergency calls, navigation, and location-based advertising. The consistent adoption of standardized protocols ensures interoperability, scalability, and reliability, empowering mobile operators and device manufacturers to implement location services in a globally consistent manner.

The evolution of LCS technology has seen remarkable advancements with each generation of cellular networks. Early implementations in 2G and 3G relied on basic techniques such as Cell-ID, Timing Advance, and triangulation, which offered limited accuracy and were suitable only for rudimentary use cases. 

The introduction of LTE in 3GPP Release 9 marked a significant improvement, integrating support for regulatory services like emergency call localization and commercial applications such as mapping. LTE networks commonly employ global navigation satellite systems (GNSS), like GPS, to determine locations. However, alternative methods using the LTE air interface are crucial in scenarios where GNSS signals are obstructed, such as indoors or in dense urban environments. An LTE network can support a horizontal positioning accuracy of 50m for 80% of mobiles, a vertical positioning accuracy of 5m and an end-to-end latency of 30 seconds.


In 5G, high-bandwidth, low-latency communication and new architectural enhancements allow for even more accurate and responsive location services. These improvements support critical use cases like autonomous vehicles, smart cities, and industrial IoT applications. In Release 15, 5G devices support legacy LTE location protocols through the Gateway Mobile Location Centre (GMLC). From Release 16, the Network Exposure Function (NEF) streamlines location requests for modern applications. A 5G network is expected to deliver a horizontal positioning accuracy of 3m indoors and 10m outdoors, a vertical positioning accuracy of 3m in both environments and an end-to-end latency of one second.

The standardization efforts of 3GPP have ensured that location services meet stringent requirements for accuracy, privacy, and security. Emergency services, for instance, benefit from these standards through Enhanced 911 (E911) in the United States and similar mandates globally, which require precise location reporting for mobile callers. Furthermore, standardization fosters innovation by providing a common foundation on which developers can create new location-based services and applications. As cellular networks continue to evolve, 3GPP’s standardized LCS will remain a cornerstone in bridging connectivity with the physical world, enabling smarter, safer, and more connected societies.

Mpirical recently shared a video exploring the concepts and drivers of Location Services (LCS). It's embedded below:

If you want to learn more about LCS, check out Mpirical's training course on this topic which seeks to provide an end to end exploration of the techniques and technologies involved, including the driving factors, standardization, requirements, architectural elements, protocols and protocol stacks, 2G-5G LCS operation and location finding techniques (overview and specific examples).

Mpirical is a leading provider of telecoms training, specializing in mobile and wireless technologies such as 5G, LTE, and IoT. They boast a course catalogue of wide ranging topics and technologies for all levels, with each course thoughtfully broken down into intuitive learning modules. 


Thursday, 24 October 2024

4G/LTE, 5G and Private Networks in Africa

The Global mobile Suppliers Association (GSA) recently released its "Regional Spotlight Africa – October 2024" report. It tracks 604 public mobile networks across North and Sub-Saharan Africa, including LTE, LTE-Advanced, 5G, and fixed wireless access networks. The report gives an up-to-date view of 4G and 5G deployment in Africa, using the latest data and insights from GSA's various reports on mobile networks and satellite services.

Africa has seen major progress in telecommunications in recent years. The expansion of 4G LTE networks has improved data speeds, enhanced connectivity, and supported the spread of mobile broadband services. Looking ahead, 5G technology promises even faster speeds, lower latency, and stronger security, opening the door to new possibilities in connectivity.

The report covers key areas of mobile network development, such as:

  • The current state of LTE and 5G rollouts
  • LTE-Advanced advancements
  • 5G standalone networks
  • The growth of private networks
  • Phasing out 2G and 3G technologies
  • Progress in satellite services

Alongside the report, GSA hosted a regional webinar where the research team shared insights on:

  • The status of LTE and LTE-Advanced in Africa and how it compares globally
  • Whether 5G development is being delayed by ongoing LTE rollouts and older devices
  • Recent spectrum auctions and assignments
  • The transition from 2G and 3G networks
  • The potential for satellite non-terrestrial (NTN) services in Africa and how operators are responding

The webinar video is available below.


Wednesday, 14 August 2024

3GPP Release 18 Description and Summary of Work Items

The first official release of 3GPP TR 21.918: "Release 18 Description; Summary of Rel-18 Work Items" has been published. It's the first official version of 5G-Advanced. Quoting from the report: 

Release 18 specifies further improvements of the 5G-Advanced system.

These improvements consist both in enhancements of concepts/Features introduced in the previous Releases and in the introduction of new topics.

Some of the key improvements are:

  • a further integration of the Satellite (NTN) access (introduced in Rel-17) in the 5G System (5GS), 
  • a more efficient support of Internet of Things (IoT), Machine-Type Communication (MTC), including by satellite coverage
  • and also several aspects of proximity communication and location (Sidelink, Proximity, Location and Positioning), better support of the industrial needs (Verticals, Industries, Factories, Northbound API), Multicast and Broadcast Services (MBS), Network Slicing or Uncrewed Aerial Vehicles (UAV).

As for the new topics, some of the key aspects are:

  • Energy Efficiency (EE)
  • Artificial Intelligence (AI)/Machine Learning (ML)
  • eXtended, Augmented and Virtual Reality (XR, AR, VR), immersive communications

The following list is from the v1.0.0 table of contents to make it easier to find the list of topics. If it interests you, download the latest version of the technical report from the directory here.

5 Satellite / Non-Terrestrial Network (NTN)
5.1 General aspects
5.1.1 User plane: “5G system with satellite backhaul”
5.1.2 Discontinuous coverage: “Satellite access Phase 2”
5.1.3 Radio: "NR NTN enhancements"
5.1.4 Charging and Management aspects of Satellite
5.2 Specific aspects
5.2.1 IoT (Internet of Things) NTN enhancements
5.2.2 Guidelines for Extra-territorial 5G Systems
5.2.3 5G system with satellite access to Support Control and/or Video Surveillance
5.2.4 Introduction of the satellite L-/S-band for NR
5.2.5 Other band-related aspects of satellite

6 Internet of Things (IoT), Machine-Type Communication (MTC)
6.1 Personal IoT and Residential networks
6.2 Enhanced support of Reduced Capability (RedCap) NR devices
6.3 NR RedCap UE with long eDRX for RRC_INACTIVE State
6.4 Application layer support for Personal IoT Network
6.5 5G Timing Resiliency System
6.6 Mobile Terminated-Small Data Transmission (MT-SDT) for NR
6.7 Adding new NR FDD bands for RedCap in Rel-18
6.8 Signal level Enhanced Network Selection
6.9 IoT NTN enhancements

7 Energy Efficiency (EE)
7.1 Enhancements of EE for 5G Phase 2
7.2 Network energy savings for NR
7.3 Smart Energy and Infrastructure

8 Uncrewed Aerial Vehicles (UAV), UAS, UAM
8.1 Architecture for UAV and UAM Phase 2
8.2 Architecture for UAS Applications, Phase 2
8.3 NR support for UAV
8.4 Enhanced LTE Support for UAV

9 Sidelink, Proximity, Location and Positioning
9.1 5GC LoCation Services - Phase 3
9.2 Expanded and improved NR positioning
9.3 NR sidelink evolution
9.4 NR sidelink relay enhancements
9.5 Proximity-based Services in 5GS Phase 2
9.6 Ranging-based Service and sidelink positioning
9.7 Mobile Terminated-Small Data Transmission (MT-SDT) for NR
9.8 5G-enabled fused location service capability exposure

10 Verticals, Industries, Factories, Northbound API
10.1 Low Power High Accuracy Positioning for industrial IoT scenarios
10.2 Application enablement aspects for subscriber-aware northbound API access
10.3 Smart Energy and Infrastructure
10.4 Generic group management, exposure and communication enhancements
10.5 Service Enabler Architecture Layer for Verticals Phase 3
10.6 SEAL data delivery enabler for vertical applications
10.7 Rel-18 Enhancements of 3GPP Northbound and Application Layer interfaces and APIs
10.8 Charging Aspects of B2B
10.9 NRF API enhancements to avoid signalling and storing of redundant data
10.10 GBA_U Based APIs
10.11 Other aspects

11 Artificial Intelligence (AI)/Machine Learning (ML)
11.1 AI/ML model transfer in 5GS
11.2 AI/ML for NG-RAN
11.3 AI/ML management & charging
11.4 NEF Charging enhancement to support AI/ML in 5GS

12 Multicast and Broadcast Services (MBS)
12.1 5G MBS Phase 2
12.2 Enhancements of NR MBS
12.3 UE pre-configuration for 5MBS
12.4 Other MBS aspects

13 Network Slicing
13.1 Network Slicing Phase 3
13.2 Enhancement of NSAC for maximum number of UEs with at least one PDU session/PDN connection
13.3 Enhancement of Network Slicing UICC application for network slice-specific authentication and authorization
13.4 Charging Aspects of Network Slicing Phase 2
13.5 Charging Aspects for NSSAA
13.6 Charging enhancement for Network Slice based wholesale in roaming
13.7 Network Slice Capability Exposure for Application Layer Enablement
13.8 Other slice aspects

14 eXtended, Augmented and Virtual Reality (XR, AR, VR), immersive
14.1 XR (eXtended Reality) enhancements for NR
14.2 Media Capabilities for Augmented Reality
14.3 Real-time Transport Protocol Configurations
14.4 Immersive Audio for Split Rendering Scenarios (ISAR)
14.5 Immersive Real-time Communication for WebRTC
14.6 IMS-based AR Conversational Services
14.7 Split Rendering Media Service Enabler
14.8 Extended Reality and Media service (XRM)
14.9 Other XR/AR/VR items

15 Mission Critical and emergencies
15.1 Enhanced Mission Critical Push-to-talk architecture phase 4
15.2 Gateway UE function for Mission Critical Communication
15.3 Mission Critical Services over 5MBS
15.4 Mission Critical Services over 5GProSe
15.5 Mission Critical ad hoc group Communications
15.6 Other Mission Critical aspects

16 Transportations (Railways, V2X, aerial)
16.1 MBS support for V2X services
16.2 Air-to-ground network for NR
16.4 Interconnection and Migration Aspects for Railways
16.5 Application layer support for V2X services; Phase 3
16.6 Enhanced NR support for high speed train scenario in frequency range 2 (FR2)

17 User Plane traffic and services
17.1 Enhanced Multiparty RTT
17.2 5G-Advanced media profiles for messaging services
17.3 Charging Aspects of IMS Data Channel
17.4 Evolution of IMS Multimedia Telephony Service
17.5 Access Traffic Steering, Switch and Splitting support in the 5G system architecture; Phase 3
17.6 UPF enhancement for Exposure and SBA
17.7 Tactile and multi-modality communication services
17.8 UE Testing Phase 2
17.9 5G Media Streaming Protocols Phase 2
17.10 EVS Codec Extension for Immersive Voice and Audio Services
17.11 Other User Plane traffic and services items

18 Edge computing
18.1 Edge Computing Phase 2
18.2 Architecture for enabling Edge Applications Phase 2
18.3 Edge Application Standards in 3GPP and alignment with External Organizations

19 Non-Public Networks
19.1 Non-Public Networks Phase 2
19.2 5G Networks Providing Access to Localized Services
19.3 Non-Public Networks Phase 2

20 AM and UE Policy
20.1 5G AM Policy
20.2 Enhancement of 5G UE Policy
20.3 Dynamically Changing AM Policies in the 5GC Phase 2
20.4 Spending Limits for AM and UE Policies in the 5GC
20.5 Rel-18 Enhancements of UE Policy

21 Service-based items
21.1 Enhancements on Service-based support for SMS in 5GC
21.2 Service based management architecture
21.3 Automated certificate management in SBA
21.4 Security Aspects of the 5G Service Based Architecture Phase 2
21.5 Service Based Interface Protocol Improvements Release 18

22 Security-centric aspects
22.1 IETF DTLS protocol profile for AKMA and GBA
22.2 IETF OSCORE protocol profiles for GBA and AKMA
22.3 Home network triggered primary authentication
22.4 AKMA phase 2
22.5 5G Security Assurance Specification (SCAS) for the Policy Control Function (PCF)
22.6 Security aspects on User Consent for 3GPP services Phase 2
22.7 SCAS for split-gNB product classes
22.8 Security Assurance Specification for AKMA Anchor Function (AAnF)
22.9 Other security-centric items

23 NR-only items
23.1 Not band-centric
23.1.1 NR network-controlled repeaters
23.1.2 Enhancement of MIMO OTA requirement for NR UEs
23.1.3 NR MIMO evolution for downlink and uplink
23.1.4 Further NR mobility enhancements
23.1.5 In-Device Co-existence (IDC) enhancements for NR and MR-DC
23.1.6 Even Further RRM enhancement for NR and MR-DC
23.1.7 Dual Transmission Reception (TxRx) Multi-SIM for NR
23.1.8 NR support for dedicated spectrum less than 5MHz for FR1
23.1.9 Enhancement of NR Dynamic Spectrum Sharing (DSS)
23.1.10 Multi-carrier enhancements for NR
23.1.11 NR RF requirements enhancement for frequency range 2 (FR2), Phase 3
23.1.12 Requirement for NR frequency range 2 (FR2) multi-Rx chain DL reception
23.1.13 Support of intra-band non-collocated EN-DC/NR-CA deployment
23.1.14 Further enhancements on NR and MR-DC measurement gaps and measurements without gaps
23.1.15 Further RF requirements enhancement for NR and EN-DC in frequency range 1 (FR1)
23.1.16 Other non-band related items
23.2 Band-centric
23.2.1 Enhancements of NR shared spectrum bands
23.2.2 Addition of FDD NR bands using the uplink from n28 and the downlink of n75 and n76
23.2.3 Complete the specification support for BandWidth Part operation without restriction in NR
23.2.4 Other NR band related topics

24 LTE-only items
24.1 High Power UE (Power Class 2) for LTE FDD Band 14
24.2 Other LTE-only items

25 NR and LTE items
25.1 4Rx handheld UE for low NR bands (<1GHz) and/or 3Tx for NR inter-band UL Carrier Aggregation (CA) and EN-DC
25.2 Enhancement of UE TRP and TRS requirements and test methodologies for FR1 (NR SA and EN-DC)
25.3 Other items

26 Network automation
26.1 Enablers for Network Automation for 5G phase 3
26.2 Enhancement of Network Automation Enablers

27 Other aspects
27.1 Support for Wireless and Wireline Convergence Phase 2
27.2 Secondary DN Authentication and authorization in EPC IWK cases
27.3 Mobile IAB (Integrated Access and Backhaul) for NR
27.4 Further NR coverage enhancements
27.5 NR demodulation performance evolution
27.6 NR channel raster enhancement
27.7 BS/UE EMC enhancements for NR and LTE
27.8 Enhancement on NR QoE management and optimizations for diverse services
27.9 Additional NRM features phase 2
27.10 Further enhancement of data collection for SON (Self-Organising Networks)/MDT (Minimization of Drive Tests) in NR and EN-DC
27.11 Self-Configuration of RAN Network Entities
27.12 Enhancement of Shared Data ID and Handling
27.13 Message Service within the 5G system Phase 2
27.14 Security Assurance Specification (SCAS) Phase 2
27.15 Vehicle-Mounted Relays
27.16 SECAM and SCAS for 3GPP virtualized network products
27.17 SECAM and SCAS for 3GPP virtualized network products
27.18 MPS for Supplementary Services
27.19 Rel-18 enhancements of session management policy control
27.20 Seamless UE context recovery
27.21 Extensions to the TSC Framework to support DetNet
27.22 Multiple location report for MT-LR Immediate Location Request for regulatory services
27.23 Enhancement of Application Detection Event Exposure
27.24 General Support of IPv6 Prefix Delegation in 5GS
27.25 5G Timing Resiliency System
27.26 MPS when access to EPC/5GC is WLAN
27.27 Data Integrity in 5GS
27.28 Security Enhancement on RRCResumeRequest Message Protection

28 Administration, Operation, Maintenance and Charging-centric Features
28.1 Introduction
28.2 Intent driven Management Service for Mobile Network phase 2
28.3 Management of cloud-native Virtualized Network Functions
28.4 Management of Trace/MDT phase 2
28.5 Security Assurance Specification for Management Function (MnF)
28.6 5G performance measurements and KPIs phase 3
28.7 Access control for management service
28.8 Management Aspects related to NWDAF
28.9 Management Aspect of 5GLAN
28.10 Charging Aspects of TSN
28.11 CHF Distributed Availability
28.12 Management Data Analytics phase 2
28.12 5G System Enabler for Service Function Chaining
28.13 Other Management-centric items

29 Other Rel-18 Topics

If you find them useful then please get the latest document from here.


Thursday, 27 June 2024

Short Tutorial on Mission Critical Services in LTE and 5G

Over the years we have looked at the standards development, infrastructure development and even country specific mission critical solutions development in various blog posts. In this post we are sharing this short new tutorial by Mpirical on mission critical services in LTE and 5G. The video is embedded below:


Monday, 6 May 2024

6G and Other 3GPP Logos

The Project Coordination Group (PCG) of 3GPP recently approved a new logo for use on specifications for 6G, during their 52nd PCG meeting, hosted by ATIS in Reston, Virginia. As with previous logos, surely people in general will use them not just for 3GPP 6G compliant products, but for all kinds of things.

Over the years many people have reached out to me to ask for 3GPP logos, even though they are available publicly. All 3GPP logos, from 3G to 6G, are available in the Marcoms directory here. In addition to the logo, each directory also lists guidance for use of the logos. For example, 3GPP does not allow the use of the logo as shown on the left in the image on top of the post while the one on the right is okay.

Surely there isn't an issue for general use but for anyone wishing to use the logos for their products, equipment, documentation or books, they will have to strictly comply with the rules.


Wednesday, 24 January 2024

UE Assistance Information in LTE and 5G

I have been asked about the UE Assistance Information (UAI) RRC message a few times before. Generally I have always pointed people back to the LTE/5G specifications but here is a concise video that the telecoms technology training company Mpirical have shared recently:

If you want to dig further into details then please see the RRC specifications: 36.331 for LTE and 38.331 for 5G. 

Over the years I have added quite a few short tutorials from Mpirical on this blog, do check them out below.


Wednesday, 13 September 2023

Private Networks Introductory Series

Private Networks has been a hot topic for a while now. We made a technical introductory video which has over 13K views while its slides have over 25K views. The Private Networks blog that officially started in April is now getting over 2K views a month. 

In addition, there are quite a few questions and enquiries that I receive on them on a regular basis. With this background, it makes sense to add these Introductory video series by Firecell in a post. Their 'Private Networks Tutorial Series' playlist, aiming to demystify private networks, is embedded below:

The playlist has five videos at the moment, hopefully they will add more:

  • Introduction to different kinds of mobile networks: public, private and hybrid networks
  • Different Names for Private Networks
  • Drivers and Enablers of Private Networks
  • Mobile Cellular vs Wi-Fi Private Networks
  • Architecture of Mobile Private Networks

I also like this post on different names for private networks.


Thursday, 3 August 2023

Tutorial: A Quick Introduction to 3GPP

We recently made a beginner's tutorial explaining the need for the 3rd Generation Partnership Project (3GPP), how it works and how it is structured, with useful pointers to explore further. The video and slides are embedded below.

You can download the slides from here.


Wednesday, 12 July 2023

Small Data Transmission (SDT) in LTE and 5G NR

One of the features introduced as part of 5G NR 3GPP Release 17 is known as Small Data Transmission (SDT). When a small amount of data, as in the case of an IoT device, needs to be sent, there is no need to establish data radio bearers. The information can be sent as part of a signalling message. A similar approach is available in 4G LTE.

Quoting from Ofinno whitepaper 'Small Data Transmission: PHY/MAC', 

The SDT in the 3GPP simply refers to data transmission in an inactive state. Specifically, the SDT is a transmission for a short data burst in a connectionless state where a device does not need to establish and teardown connections when small amounts of data need to be sent.

In the 3GPP standards, the inactive state had not supported data transmission until Release 15. The 3GPP standards basically allowed the data transmission when ciphering and integrity protection are achieved during the connection establishment procedure. Therefore, the data transmission can occur after the successful completion of the establishment procedure between the device and network.

The problem arises as a device stays in the connected state for a short period of time and subsequently releases the connection once the small size data is sent. Generally, the device needs to perform multiple transmissions and receptions of control signals to initiate and maintain the connection with a network. As a payload size of the data is relatively smaller compared with the amounts of the control signals, making a connection for the small data transmission becomes more of a concern for both the network and the device due to the control signaling overhead.

The 3GPP has developed the SDT procedure to enable data transmission in the inactive state over the existing LTE and NR standards. The device initiates the SDT procedure by transmitting an RRC request message (e.g., SDT request message) and data in parallel instead of transmitting the data after the RRC request message processed by a network. Additional transmission and/or reception are optional. The device performs this SDT procedure without transition to the connected state (i.e., without making a connection to the network).

The SDT enables for the network to accept data transmission without signaling intensive bearer establishment and authentication procedure required for the RRC connection establishment or resume procedure. For example, in the SDT procedure, the device needs only one immediate transmission of a transport block (TB) that contains data and RRC request message. Furthermore, the device does not need to perform procedures (e.g., radio link monitoring) defined in the connected state since the RRC state is kept as the inactive state. This results in improving the battery life of the device by avoiding control signaling unnecessary for transmission of small size data.

The principle of the SDT is very simple. The network configures radio resources beforehand for the data transmission in the inactive state. For example, if the conditions to use the configured radio resources satisfy, the device transmits data and the RRC request message together via the configured radio resources. In the 3GPP standards, there are two types of the SDT depending on the ways to configure the radio resources: (1) SDT using a random access (RA) and (2) SDT using preconfigured radio resources. 

Figure 2 (top) illustrates different types of the SDT referred in 3GPP LTE and NR standards. The SDT using the random access in LTE and NR standards is referred to as an EDT (early data transmission) and RA-SDT (Random Access based SDT), respectively. For both the EDT and the RA-SDT, the device performs data transmission using shared radio resources of the random access procedure. Thus, the contention with other devices can occur over the access to the shared radio resources. The shared radio resources for the SDT are broadcast by system information and are configured as isolated from the one for a non-SDT RA procedure, i.e., the legacy RA procedure. On the other hand, the CG-SDT uses the preconfigured radio resources dedicated to the device. The SDT using the preconfigured radio resource is referred to as transmission via PUR (Preconfigured Uplink Resource) in the LTE standards. The NR standards refer to the SDT using the preconfigured radio resource as CG-SDT (Configured Grant based SDT). The network configures the configuration parameters of the preconfigured radio resources when transiting the device in the connected state to the inactive state. For example, an RRC release message transmitted from the network for a connection release contains the configuration parameters of PUR or CG-SDT. No contention is expected for the SDT using the preconfigured radio resource since the configuration parameters are dedicated to the device.

You can continue reading the details in whitepaper here. Ofinno has another whitepaper on this topic, 'Small Data Transmission (SDT): Protocol Aspects' here.

3GPP also recently published an article on this topic here. Quoting from the article:

With SDT it is possible for the device to send small amounts of data while remaining in the inactive state. Note that this idea resembles the early GSM systems where SMS messages were sent via the control signalling; that is, transferring small amounts of data while the mobile did not have a (voice) connection.

SDT is a procedure which allows data and/or signalling transmission while the device remains in inactive state without transitioning to connected state. SDT is enabled on a radio bearer basis and is initiated by the UE only if less than a configured amount of UL data awaits transmission across all radio bearers for which SDT is enabled. Otherwise the normal data transmission scheme is used.

With SDT the data is transmitted quickly on the allocated resource. The IoT device initiates the SDT procedure by transmitting an RRC request message and payload data in parallel, instead of the usual procedure where the data is transmitted after the RRC request message is processed by a network.

It is not only the speed and the reduced size of the transmitted data which make SDT such a suitable process for IoT devices. Since the device stays in the inactive state, it does not have to perform many tasks associated with the active state. This further improves the battery life of the IoT device. Additional transmission and/or reception are optional.

There are two ways of performing SDT:

  1. via random access (RA-SDT)
  2. via preconfigured radio resources (CG-SDT)

Random Access SDT

With RA-SDT, the IoT device does not have a dedicated radio resource, and it is possible that the random access message clashes with similar RA-SDT random access messages from other IoT devices. The device gets to know the radio resources for the RA procedure from system information messages, in a similar way to non RA-SDT devices. However, the RA radio resources for SDT and non SDT devices are kept separate; that is, these device types do not interfere with each other in random access.

The RA-SDT procedure can be a two-step or a four-step random access procedure. In two-step procedure the payload data is already sent with the initial random access message, whereas in four-step procedure the device first performs contention resolution with the random access request - random access response message pair, and then sends the UL payload with RRC Resume Request. The procedure may continue with further uplink and downlink small data transmissions, and then it is terminated with an RRC Release from the network.

Below are the signalling diagrams for both two-step and four-step RA-SDT procedures. Note that in both cases the UE stays in the RRC inactive state during the whole process.

Configured Grant SDT

For CG-SDT, the radio resources are allocated periodically based on the estimation of the UE’s traffic requirements. This uplink scheduling method is called Configured Grant (CG). With CG-SDT there will be no message clashes with other IoT devices since the radio resources are dedicated for each device. The resource allocation is signalled to the IoT device by the network when the device leaves the connected state.

If the amount of data in the UE's tx buffer is larger than a defined limit, then the data transmission is done using the normal non-SDT procedure.

For SDT process, the device selects the CG-SDT as the SDT type if the resources for the CG-SDT are configured on the selected uplink carrier. If the resources for the CG-SDT are unavailable or invalid, the RA-SDT or the non-SDT RA procedure will be chosen if those are configured. If no SDT type configuration is available then a normal non-SDT data transmission is performed.

With IoT devices proliferating, it makes sense to optimise data transfer and anything else that will reduce the power consumption and let the battery in the devices last for much longer.
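The selection rules quoted above (data volume limit, CG-SDT preferred, RA-SDT as fallback, otherwise the normal procedure) can be written as a small decision function. This is an added example, not code from 3GPP, Ofinno or the blog; the class and field names are hypothetical, and the handling of data pending on a bearer without SDT enabled is an assumption the quoted text does not spell out.

```python
from dataclasses import dataclass
from enum import Enum


class TxMode(Enum):
    CG_SDT = "CG-SDT"      # preconfigured, dedicated uplink resources
    RA_SDT = "RA-SDT"      # shared random-access resources, contention possible
    NON_SDT = "non-SDT"    # normal procedure: resume the connection first


@dataclass
class Bearer:              # hypothetical model of one radio bearer
    name: str
    sdt_enabled: bool
    pending_bytes: int


@dataclass
class SdtConfig:           # hypothetical field names, not 3GPP identifiers
    data_volume_limit: int   # configured limit on pending UL data, in bytes
    cg_configured: bool      # CG-SDT resources signalled when leaving connected state
    cg_valid: bool           # those resources are still usable on the selected carrier
    ra_sdt_configured: bool  # RA-SDT resources announced in system information


def select_tx_mode(bearers, cfg):
    """Return the TxMode for the pending uplink data, or None if nothing is pending."""
    pending = [b for b in bearers if b.pending_bytes > 0]
    if not pending:
        return None
    # Assumption (not stated on the page): data waiting on a bearer without
    # SDT enabled cannot ride along, so the UE uses the normal procedure.
    if any(not b.sdt_enabled for b in pending):
        return TxMode.NON_SDT
    # More data than the configured limit also means the normal procedure.
    if sum(b.pending_bytes for b in pending) > cfg.data_volume_limit:
        return TxMode.NON_SDT
    if cfg.cg_configured and cfg.cg_valid:
        return TxMode.CG_SDT          # preferred when available
    if cfg.ra_sdt_configured:
        return TxMode.RA_SDT          # fallback when CG-SDT is missing or invalid
    return TxMode.NON_SDT             # no SDT type configured at all


def stays_inactive(mode):
    """SDT keeps the UE in the RRC inactive state; the normal procedure does not."""
    return mode in (TxMode.CG_SDT, TxMode.RA_SDT)


if __name__ == "__main__":
    cfg = SdtConfig(data_volume_limit=200, cg_configured=True, cg_valid=False, ra_sdt_configured=True)
    report = [Bearer("telemetry", True, 48), Bearer("bulk", False, 0)]  # constructed sample
    print(select_tx_mode(report, cfg))
```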
