Showing posts with label Signalling. Show all posts

Tuesday, 14 January 2020

EN-DC SRB3 Demystified


3GPP 37.340 says that it is up to the secondary node to establish "SRB3", but what exactly does this mean and how is it done?

Simple answer: The establishment of a signaling radio bearer (SRB) 3 in EN-DC mode means that RRC Measurement Reports for NR quality can be sent directly to the SgNB. This enables the 5G node to make intra-SgNB handover decisions and start the handover execution without involving the master eNodeB of the connection.

To prevent confusion, the figure below shows a simplified scenario in which the Complete/Acknowledge messages are not mentioned, although they will be seen in the message flow.

A prerequisite is the successful addition of 5G radio resources as described in an earlier blog post. After this is completed, the UE in the example transmits user plane information over the NR cell with the physical cell ID (PCI) = 12. In the transport network this cell is identified by NR CGI = xxxx52 (where "xxxx" stands for a valid PLMN-ID and gNodeB-ID).

In the figure below the SgNB sends an X2AP SgNB Modification Required message that carries an embedded NR RRC cG-Config message. This cG-Config message is transparently forwarded by the MeNB to the UE. When it arrives at the UE it activates CSI reference signal measurements on the 5G frequency, covering the serving 5G cell as well as its neighbors. Note that here the concept of the Special Cell (SpCell) applies as it was defined for LTE-A CoMP scenarios.

Instead of the X2AP SgNB Modification Required message, the information for activating the CSI reference signal measurements can alternatively be transported using the X2AP SgNB Addition Request Acknowledge or X2AP SgNB Change Required message.

In step 2 the UE sends an NR RRC (3GPP 38.331) Measurement Report indicating that a stronger 5G cell (the neighbor cell with PCI = 11) was measured. It might be a vendor-specific implementation to send this NR RRC Measurement Report simultaneously over the uplink channels of the LTE radio link, where it is carried by the LTE RRC Uplink Information Transfer MRDC (Multi-RAT Dual Connectivity) message, as well as over the NR radio link, where it is forwarded by the SgNB to the MeNB embedded in an X2AP RRC Transfer message.

Indeed, it is the SgNB that makes the handover decision, but since the MeNB is in charge of the signaling connection, the handover command (here: another NR RRC cG-Config message that orders the UE to switch the 5G radio link to the cell with PCI = 11) must be transmitted to the MeNB using another X2AP SgNB Modification Required message.

After the UE has received the NR RRC cG-Config message sent by the SgNB, the HO is executed and the 5G cell with PCI = 11 becomes the new primary secondary cell (PSCell) of the EN-DC connection.


Figure: Measurement Configuration, Reporting and Execution for intra-SgNB Handover

Wednesday, 4 December 2019

Challenges of 5G Inter-Node Handovers

In all mobile communication networks handovers are the most complex signaling procedures, because multiple network elements (or network functions) are involved. Thus, it is logical that dual connectivity, with two different base stations contributing to the radio connection simultaneously, is even more complicated. And in EN-DC these two base stations often cover different footprints using different carrier frequencies. This leads to a situation where we have more options for performing a handover in detail than in plain LTE handover scenarios before.

The two signaling scenarios presented below illustrate in which different ways a change of the LTE master eNodeB can be performed during an ongoing EN-DC radio connection using the X2 interface. In a very similar way it is also possible to perform an S1 handover from the old to the new MeNB.

The pros and cons of these options have been discussed already by Martin Sauter in his Wireless Moves blog.

Inter-MeNB Handover without 5G Inter-Site Anchor

Figure 1 shows the easiest way of handing over the signaling connection from one MeNB to another one. Here it is up to the new MeNB to decide if and how the 5G part of the radio connection is continued.

Figure 1: X2 Handover of EN-DC connection without 5G inter-site anchor

The handover is triggered when the UE sends an RRC Measurement Report (step 1) indicating that a 4G cell stronger than the currently used primary cell was measured. From its neighbor list the current MeNB detects that this better cell belongs to a neighbor eNB.

To provide both the Master Cell Group (MCG) and the Secondary Cell Group (SCG) parameters to this neighbor eNB, the old MeNB queries the SCG configuration parameters from the old SgNB by performing the X2AP SgNB Modification procedure (steps 2+3).

Then it sends the X2AP Handover Request message to the target MeNB (step 4) including all information necessary to continue the 5G radio link in case the target MeNB decides to go for this option.

However, what comes back from the target MeNB is a plain LTE handover command (LTE RRC Connection Reconfiguration message [step 6]) embedded in the X2AP Handover Request Acknowledge message (step 5).

Consequently, the old MeNB releases all 5G resources and the UE context in the SgNB (steps 7 + 10).

After the UE has successfully connected via the radio interface to the target cell in the new MeNB, the S1AP Path Switch procedure is executed to re-route the GTP/IP tunnels on S1-U (step 8) and the X2 UE context in the old MeNB is released (step 9).

The new MeNB then waits for a new inter-RAT measurement event B1 (step 11) before starting a new SgNB addition procedure (step 12). Once the SgNB addition is successfully completed, including all necessary reconfigurations/modifications on RRC and S1, the payload transmission over 5G resources is continued.

Inter-MeNB Handover with 5G Inter-Site Anchor

Now figure 2 shows what happens when the new MeNB decides to keep the existing UE context in the SgNB, while the RRC measurement results and parameters are identical to what was presented above.

Figure 2: X2 Handover of EN-DC connection with 5G inter-site anchor

The difference in the call flow starts at step 5, when the new MeNB, after receiving the X2AP Handover Request (step 4), starts the X2AP SgNB Addition procedure towards the SgNB (old = new!). The SgNB-UE-X2AP-ID requested earlier in steps 2+3 acts as the reference number for the existing context that is going to be continued.

After adding the SgNB UE context successfully, the new MeNB sends the X2AP Handover Request Acknowledge message including a UE Context Kept = "true" flag and the Handover Command (step 8).

After the UE successfully connected to the target cell of the new MeNB the S1AP Path Switch procedure is performed and the temporary X2 UE context between old and new MeNB is released (step 10).

The big advantage of handling the handover in this way: the interruption of the payload transmission over 5G radio resources is minimized and the subscriber experience is significantly better compared to the scenario in figure 1.
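To show how the two call flows can be told apart in trace data, here is an added Python example that is not part of the original post. It uses two constructed X2AP/S1AP message sequences modelled on figure 1 and figure 2 and a classifier that keys on the UE Context Kept flag in the Handover Request Acknowledge and on whether the target MeNB ran SgNB Addition before acknowledging. Node names (MeNB-A, MeNB-B, SgNB-1), timestamps and the SgNB-UE-X2AP-ID value are placeholders.

```python
"""Tell the two inter-MeNB X2 handover variants of an EN-DC connection apart.

Added example, not code from the original post. Each event is
(seconds, sender, receiver, message, information elements); the two sequences
are constructed from the call flows of figure 1 and figure 2, with placeholder
node names and timestamps.
"""


def _find(events, msg, src=None):
    """Index of the first event carrying this message (optionally from src), or None."""
    for i, (_, s, _, m, _) in enumerate(events):
        if m == msg and (src is None or s == src):
            return i
    return None


def classify_inter_menb_handover(events):
    """Classify a trace as handover with or without a 5G inter-site anchor.

    With the anchor (figure 2) the target MeNB runs SgNB Addition towards the
    SgNB already serving the UE before it answers the source MeNB, and its
    Handover Request Acknowledge carries UE Context Kept = true. Without it
    (figure 1) the source MeNB releases the SgNB context and the target MeNB
    adds 5G again only after a fresh B1 measurement report.
    """
    i_req = _find(events, "Handover Request")
    if i_req is None:
        raise ValueError("no X2AP Handover Request in trace")
    _, source, target, _, _ = events[i_req]
    i_ack = _find(events, "Handover Request Acknowledge", src=target)
    if i_ack is None:
        raise ValueError("handover not acknowledged by target MeNB")
    kept = str(events[i_ack][4].get("UE Context Kept", "")).lower() == "true"
    added_before_ack = any(m == "SgNB Addition Request" and s == target
                           for _, s, _, m, _ in events[i_req:i_ack])
    released_by_source = any(m == "SgNB Release Request" and s == source
                             for _, s, _, m, _ in events)
    additions_after = sum(1 for _, s, _, m, _ in events[i_ack + 1:]
                          if m == "SgNB Addition Request" and s == target)
    # time without any SgNB context: from the source's release acknowledge to the
    # target's next addition acknowledge (None when kept or never re-added)
    gap = None
    i_rel = _find(events, "SgNB Release Request Acknowledge")
    if i_rel is not None:
        later = [t for t, _, _, m, _ in events[i_rel:]
                 if m == "SgNB Addition Request Acknowledge"]
        gap = later[0] - events[i_rel][0] if later else None
    anchored = kept and added_before_ack
    return {
        "variant": "with 5G inter-site anchor" if anchored else "without 5G inter-site anchor",
        "ue_context_kept": kept,
        "sgnb_released_by_source": released_by_source,
        "additions_after_handover": additions_after,
        "sgnb_context_gap_s": gap,
    }


# constructed sequence after figure 1: target MeNB answers with a plain LTE handover
FLOW_WITHOUT_ANCHOR = [
    (0.000, "UE", "MeNB-A", "RRC Measurement Report", {"event": "A3"}),
    (0.010, "MeNB-A", "SgNB-1", "SgNB Modification Request", {}),
    (0.020, "SgNB-1", "MeNB-A", "SgNB Modification Request Acknowledge", {"SgNB-UE-X2AP-ID": 4711}),
    (0.030, "MeNB-A", "MeNB-B", "Handover Request", {"SgNB-UE-X2AP-ID": 4711}),
    (0.050, "MeNB-B", "MeNB-A", "Handover Request Acknowledge", {}),
    (0.060, "MeNB-A", "SgNB-1", "SgNB Release Request", {}),
    (0.070, "SgNB-1", "MeNB-A", "SgNB Release Request Acknowledge", {}),
    (0.120, "MeNB-B", "MME", "Path Switch Request", {}),
    (0.140, "MeNB-B", "MeNB-A", "UE Context Release", {}),
    (0.900, "UE", "MeNB-B", "RRC Measurement Report", {"event": "B1"}),
    (0.910, "MeNB-B", "SgNB-1", "SgNB Addition Request", {}),
    (1.060, "SgNB-1", "MeNB-B", "SgNB Addition Request Acknowledge", {}),
]

# constructed sequence after figure 2: target MeNB keeps the SgNB UE context
FLOW_WITH_ANCHOR = [
    (0.000, "UE", "MeNB-A", "RRC Measurement Report", {"event": "A3"}),
    (0.010, "MeNB-A", "SgNB-1", "SgNB Modification Request", {}),
    (0.020, "SgNB-1", "MeNB-A", "SgNB Modification Request Acknowledge", {"SgNB-UE-X2AP-ID": 4711}),
    (0.030, "MeNB-A", "MeNB-B", "Handover Request", {"SgNB-UE-X2AP-ID": 4711}),
    (0.040, "MeNB-B", "SgNB-1", "SgNB Addition Request", {"SgNB-UE-X2AP-ID": 4711}),
    (0.045, "SgNB-1", "MeNB-B", "SgNB Addition Request Acknowledge", {}),
    (0.050, "MeNB-B", "MeNB-A", "Handover Request Acknowledge", {"UE Context Kept": True}),
    (0.120, "MeNB-B", "MME", "Path Switch Request", {}),
    (0.140, "MeNB-B", "MeNB-A", "UE Context Release", {}),
]

if __name__ == "__main__":
    for name, flow in (("figure 1", FLOW_WITHOUT_ANCHOR), ("figure 2", FLOW_WITH_ANCHOR)):
        print(name, classify_inter_menb_handover(flow))
```

The gap figure is only the signaling-level view: it measures the time with no SgNB UE context at all and says nothing about the radio-level interruption during the LTE handover itself, which the post describes as minimized, not zero, in the anchored case.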

Friday, 22 November 2019

5G Call Drops in EN-DC: A Threat to Service Quality?


As explained in the post about EN-DC setup the addition of 5G NR radio resources to an ongoing LTE connection provides additional bandwidth for user plane data transmission. And it seems to be fair to say that at least in social media today 5G speed test results, especially throughput measurements, are treated as the benchmark for EN-DC service performance. Hence, it is also logical that a loss of the physical 5G radio link (5G drop) could have a serious impact on user experience.

I write "could", because as a matter of fact many 5G drops will not be recognized by subscribers using non-realtime services including HTTP streaming.

Due to the dual connectivity of LTE Master eNodeB (MeNB) and Secondary gNodeB (SgNB) the signaling trigger points indicating a 5G drop are also a bit more complex compared to what we know from LTE. Indeed, both network nodes are able to release 5G radio resources abnormally using three different X2AP message flow scenarios as shown in figure 1.

Figure 1: Three Basic Signaling Flows for Abnormal Release of 5G Radio Resources

Which of these individual message flows will be found in the trace data depends on which of the two base stations is the first one that detects a problem on the 5G radio link.

A particular case that is seen quite often in live networks is illustrated in figure 2.

Figure 2: 5G Drop due to SCG Failure in UE



Here the trigger is an LTE RRC SCG Failure Information NR message sent by the UE to the MeNB. Thus, the MeNB requests the release of 5G radio resources, which is acknowledged and executed by the SgNB.

In addition (not shown in the figures), the GTP/IP tunnel for user plane transport between S-GW and gNB is also released by the MeNB after successful completion of the X2AP SgNB Release procedure.

For the UE the 5G drop is not as serious as a drop of the LTE radio connection would be. It is just a fallback to plain LTE, so to say. And after switching the GTP/IP tunnel back to a downlink endpoint at the eNB, 4G payload transmission continues.

The longer the overall duration of the radio connection, the higher the risk that the 5G radio resources are lost during an EN-DC call. One of my favorite cases is a subscriber with a radio connection that lasts a bit more than two and a half hours - see figure 3.

Figure 3: Location Session Record of a Single Subscriber indicating a total of 340 SgNB Drops over 2:33 Hours

Thanks to the smart algorithms of NETSCOUT's TrueCall geolocation engine there is high confidence that she or he sits in an indoor environment but is served by an outdoor 5G cell. Thus, the penetration loss of the 5G signal is significant. Due to the higher frequency the path loss also has a higher impact on the 5G than on the 4G radio signal. This seems to be the main reason why the 5G radio link drops as often as 340 times, which leads to an overall 5G (SgNB) Drop Rate of 83% for this connection.

However, the impact on the subscriber experience might not be a serious one, as a different KPI, the 5G EN-DC Duration Rate, indicates. According to the Duration Rate, 5G radio resources have been available to the subscriber 99.99% of the time. This is possible because, as also shown in figure 2, new 5G radio resources are allocated to this connection again within a relatively short time. Even if the subscriber is watching e.g. a Netflix video, the buffering of already downloaded data on the end user device should be sufficient to conceal the short interruption of the data transfer over 5G resources.
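As an added Python example (not code from the original post or from the trace tools it mentions), here is how the release flows of figures 1 and 2 and the Duration Rate idea of figure 3 can be evaluated from a constructed session trace. It distinguishes the MeNB-initiated SgNB Release Request (figure 2) from the SgNB-initiated SgNB Release Required of 3GPP 36.423 (the name is from the spec, not the post), flags the UE's SCG Failure Information NR as the trigger, and computes an availability ratio. The line format, the cause strings and the "duration rate = seconds with an SgNB context / session length" definition are assumptions made for this example.

```python
"""Classify 5G (SgNB) releases in one EN-DC session from trace lines and
compute how long 5G resources were available.

Added example, not code from the original post. The line format
"<seconds> | <sender> -> <receiver> | <message> [| key=value]" and the
session below are constructed. X2AP names follow 3GPP 36.423: the
MeNB-initiated SgNB Release Request (figure 2 flow) and the SgNB-initiated
SgNB Release Required. The "duration rate" is an assumed definition:
seconds with an SgNB context active divided by session length.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    t: float            # seconds since session start
    src: str
    dst: str
    msg: str
    attrs: dict = field(default_factory=dict)


def parse_trace(text):
    """Parse the constructed trace lines into Event objects."""
    events = []
    for line in text.strip().splitlines():
        t, hop, msg, *rest = [p.strip() for p in line.split("|")]
        src, dst = [n.strip() for n in hop.split("->")]
        attrs = dict(kv.strip().split("=", 1) for kv in rest[0].split(",")) if rest else {}
        events.append(Event(float(t), src, dst, msg, attrs))
    return events


# which node starts the X2AP release procedure
RELEASE_INITIATOR = {"SgNB Release Request": "MeNB", "SgNB Release Required": "SgNB"}


def analyse_session(events):
    """Return the 5G drops (initiator and trigger), normal releases and duration rate."""
    drops, normal_releases = [], 0
    available, active_since, last_scg_failure = 0.0, None, None
    for e in events:
        if e.msg == "SgNB Addition Request Acknowledge":   # 5G resources allocated
            active_since = e.t
        elif e.msg == "SCG Failure Information NR":         # UE reports loss of the NR link
            last_scg_failure = e.t
        elif e.msg in RELEASE_INITIATOR:
            if active_since is not None:                    # availability ends at the release request
                available += e.t - active_since
                active_since = None
            if e.attrs.get("cause") == "normal-release":
                normal_releases += 1
            else:
                by_ue = last_scg_failure is not None and e.t - last_scg_failure < 1.0
                drops.append({"t": e.t, "initiator": RELEASE_INITIATOR[e.msg],
                              "trigger": "UE SCG failure" if by_ue else "network detected"})
            last_scg_failure = None
    session_len = events[-1].t - events[0].t
    if active_since is not None:                             # still on 5G at session end
        available += events[-1].t - active_since
    return {"drops": drops, "normal_releases": normal_releases,
            "duration_rate": available / session_len if session_len else 0.0}


# constructed session: two abnormal releases (one per initiator) and one normal release
SESSION_TRACE = """
  0.000 | MeNB -> SgNB | SgNB Addition Request
  0.150 | SgNB -> MeNB | SgNB Addition Request Acknowledge
 30.000 | UE -> MeNB | SCG Failure Information NR
 30.020 | MeNB -> SgNB | SgNB Release Request | cause=radio-connection-with-UE-lost
 30.030 | SgNB -> MeNB | SgNB Release Request Acknowledge
 31.000 | MeNB -> SgNB | SgNB Addition Request
 31.150 | SgNB -> MeNB | SgNB Addition Request Acknowledge
 90.000 | SgNB -> MeNB | SgNB Release Required | cause=radio-connection-with-UE-lost
 90.010 | MeNB -> SgNB | SgNB Release Confirm
 91.000 | MeNB -> SgNB | SgNB Addition Request
 91.150 | SgNB -> MeNB | SgNB Addition Request Acknowledge
120.000 | MeNB -> SgNB | SgNB Release Request | cause=normal-release
120.010 | SgNB -> MeNB | SgNB Release Request Acknowledge
120.500 | MeNB -> MME | UE Context Release Request
"""

if __name__ == "__main__":
    result = analyse_session(parse_trace(SESSION_TRACE))
    for d in result["drops"]:
        print(f"drop at {d['t']:.3f}s: {d['initiator']}-initiated, trigger: {d['trigger']}")
    print(f"normal releases: {result['normal_releases']}, "
          f"duration rate: {result['duration_rate']:.2%}")
```

The one-second window that ties an SCG Failure Information NR message to the following release is a heuristic for the constructed data; in real traces the UE identifiers of the X2AP and RRC messages should be correlated instead of relying on timing alone.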

With a rising amount of EN-DC traffic it might be rather problematic for the network to handle the additional signaling load originating from the frequent 5G additions and releases. In extreme cases this may even lead to congestion due to CPU overload in RAN nodes or virtual network functions.

For realtime services like Voice over New Radio (VoNR) the entire situation changes. Here even short interruptions of the user plane radio transmission can be perceived by subscribers, so that the 5G Duration Rate KPI discussed above will become insufficient to estimate the service quality. Hence, this will drive the demand for a fully integrated view of 5G RAN and Core KPIs covering both signaling and application quality.




Monday, 7 October 2019

Exploiting Possible 5G Vulnerabilities


The standards can try their best to ensure that the next generation of protocols is more secure than the previous one but there is always some way in which the protocols can be exploited. This is where researchers play an important role in finding such vulnerabilities before they can be exploited by hackers. Frankly I am quite sure that only a handful of these vulnerabilities are found and hackers always have something that may never be found.

At the recent HITBSecConf (Hack In The Box Security Conference) Altaf Shaik presented "4G to 5G: New Attacks". He, along with Ravishankar Borgaonkar, has been working on finding security issues in cellular networks. In fact, in the GSMA Mobile Security Hall of Fame they both appear twice, individually.

From the talk narrative:

5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers. In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators' equipment and also in consumer devices such as phones, routers, the latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks. We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets with the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools. We did rigorous testing worldwide to estimate the number of affected base stations and are surprised by the results. Finally, our interactions with various vendors and standard bodies and easy fixes to prevent our attacks are discussed.

Slides and video are embedded below.






Slides and Whitepaper can be downloaded from here.


Tuesday, 24 September 2019

When does your 5G NSA Device Show 5G Icon?


After I wrote about the 5G Icon Display back in February, I received lots of other useful and related materials, mostly from 3GPP standards delegates. Based on this updated information, I created a presentation and video called 'The 5G Icon Story'. Only recently did I realize that I didn't add it to the blog. So here it is.

And for people who are impatient and directly want to jump to the main point, it's UpperLayerIndication in SIB 2 as can be seen above.

The slides and video are embedded below.








Thursday, 12 September 2019

How the Addition of 5G Radio Resources Increases the Complexity of LTE Signaling Procedures


While everybody is excited about the growing number of 5G deployments and speed test results it is easy to forget that a highly reliable LTE core and radio access network is the prerequisite for 5G non-standalone (NSA) data transmission.

Indeed, the 5G radio resources are just added to the ongoing LTE connection to provide higher bandwidth, which in turn enables higher throughput. In other words: the current 5G deployments are designed for and limited to the needs of enhanced Mobile Broadband (eMBB) traffic.

To boost the user experience a 4G and a 5G base station cooperate and bundle their joint resources in one radio connection. The whole scenario is known as E-UTRA-NR Dual Connectivity (EN-DC), and as a matter of fact this dual connectivity increases the complexity of the RAN signaling tremendously.

The figure below shows the two base stations involved in the radio connection. On the left side is the Master eNodeB (MeNB) that controls the entire signaling connection. On the right side sits the en-gNB, also called Secondary gNodeB (SgNB). The inconsistency of acronyms originates from the 3GPP specs. 3GPP 37.340 "E-UTRA and NR Multi-connectivity" can be seen as an umbrella document that originally coined "MeNB" and "SgNB". However, when standardizing more details these acronyms have been replaced with Master Node (MN) and Secondary Node (SN), and the latter is named "en-gNB" when used in EN-DC scenarios. (Sure, this spec has a lot more terms to offer and is a must-read for every acronym enthusiast.)

However, these naming conventions defined in 3GPP 37.340 have not made it into the protocol specs, especially not into 3GPP 36.423 "X2 Application Part", which consistently names its message set for enabling EN-DC "SgNB ...." - as also shown in the figure.

By the way, the SgNB should not be imagined as a single network element either. On the 5G side a virtual RAN architecture is often already deployed. In such a vRAN a gNB central unit (CU) controls several gNB distributed units (DUs), and multiple remote radio heads (RRHs) including the 5G antennas can be connected to each DU.



5G Radio Resource Addition in EN-DC Mode

Before 5G radio resources can be added to the connection, an LTE RRC connection and at least a default bearer for the user plane, including its GTP/IP tunnel between S-GW and eNB, must have been successfully established.

The trigger for adding 5G resources to this call is mostly an inter-RAT measurement event B1 (not shown in the figure). However, blind addition of a 5G cell has also been observed in some cases where the 5G cell coverage is expected to overlap exactly the footprint of the LTE master cell.

All in all, there can be a 1:1 mapping between 4G and 5G cells when antennas are mounted very close to each other and point in the same direction. However, it is also possible that several 5G small cells (especially when using FR2 frequency bands) are deployed to cover the footprint of a 4G macro cell.

The end-to-end signaling that adds 5G resources to the connection starts with the X2AP SgNB Addition Request message (1). It contains information about the active E-RABs of the connection and the UE NR capabilities, and often the signal strength of the 5G cell as measured before is included as well. The message triggers the allocation of 5G radio resources in the SgNB.

Similar to an X2 handover procedure, the X2AP SgNB Addition Request Acknowledge message (2) is used to transport an NR RRC CG-Config message (3) back to the MeNB, where it is "translated" into NR RRC Connection Reconfiguration and NR RRC Radio Bearer Config messages that are sent to the UE enclosed in an LTE RRC Connection Reconfiguration message. In these messages, besides the Cell Group ID, the 5G PCI and the absolute SSB frequency (a synonym for NR ARFCN) are found. 5G PCI and SSB frequency in combination represent the identity of a 5G cell "visible" to the UE on the physical 5G radio interface.

To keep the figure simpler I have left out the "translation" process in the MeNB and show instead as the next step the combined LTE/NR RRC Connection Reconfiguration Complete (4) that is sent by the UE back to the MeNB to confirm activation of the 5G radio link.

After this the UE and the SgNB are ready to use the 5G resources for radio transmission. However, one important component is still missing: a new GTP/IP tunnel for transporting the payload from the core network's serving gateway (S-GW) to the SgNB.

The gNB downlink transport layer address (gNB DL TLA) and its corresponding GTP Tunnel Endpoint Identifier (TEID) have already been sent to the MeNB in step (2). Indeed, there are some more TLAs and TEIDs found in this X2AP message, especially for data forwarding across the X2 user plane interface (not shown in the figure).

The MeNB forwards the gNB DL TLA/TEID to the MME (6), where it is forwarded to the S-GW using GTP-C signaling, in case the two core network elements are connected over the S11 reference point. The uplink TLA/TEID on the S-GW side remain the same as assigned before during establishment of the E-RAB (not shown in the figure). So the new tunnel is now ready to be used (7) and transmission of payload packets starts immediately.

In step (8) the MME confirms the successful tunnel establishment to the MeNB.

The total duration of the entire procedure from step (1) to (8) sums up to slightly more than 100 ms under lab conditions and typically around 300 ms in the live network.
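The following added Python example (not code from the original post) walks through steps (1) to (8) as a small message-level simulation of MeNB, SgNB, UE, MME and S-GW, so that the hand-off of the gNB DL TLA/TEID to the S-GW and the unchanged uplink endpoint can be checked at the end. The node classes, all identifiers (E-RAB 5, PCI 12, the SSB ARFCN, addresses, TEIDs), the S1AP/GTP-C message names used for steps 6 to 8 (E-RAB Modification Indication/Confirm from 36.413 and Modify Bearer Request from 29.274) and the X2AP SgNB Reconfiguration Complete assumed for step 5, which the post does not describe, are assumptions made for this example.

```python
"""Step through the EN-DC SgNB Addition procedure, steps (1) to (8), as a
small message-level simulation of MeNB, SgNB, UE, MME and S-GW.

Added example, not code from the original post. Node classes, identifiers
(E-RAB 5, PCI 12, SSB ARFCN, addresses and TEIDs) and the S1AP/GTP-C message
names for steps 6 to 8 (E-RAB Modification Indication/Confirm from 36.413,
Modify Bearer Request from 29.274) are assumptions; the post only says the
gNB DL TLA/TEID travels MeNB -> MME -> S-GW over S11. Step 5 is not described
in the post; X2AP SgNB Reconfiguration Complete (36.423) is assumed there.
"""
import itertools


class SGW:
    """Serving gateway: holds both GTP/IP tunnel endpoints of every E-RAB."""

    def __init__(self, bearers):
        # E-RAB id -> {"ul": (TLA, TEID) at the S-GW, "dl": (TLA, TEID) at eNB or gNB}
        self.bearers = bearers

    def modify_bearer(self, erab_id, dl_tla, dl_teid):
        self.bearers[erab_id]["dl"] = (dl_tla, dl_teid)   # uplink endpoint stays as assigned
        return "Modify Bearer Response"


class MME:
    def __init__(self, sgw):
        self.sgw = sgw

    def erab_modification_indication(self, erab_id, dl_tla, dl_teid):
        self.sgw.modify_bearer(erab_id, dl_tla, dl_teid)   # GTP-C over S11 (step 7)
        return "E-RAB Modification Confirm"


class SgNB:
    _teids = itertools.count(0x1000)   # constructed TEID allocator

    def __init__(self, tla, pci, ssb_arfcn):
        self.tla, self.pci, self.ssb_arfcn = tla, pci, ssb_arfcn
        self.ue_contexts = {}

    def addition_request(self, erab_id, ue_nr_caps, nr_rsrp_dbm):
        """Allocate 5G radio resources and a DL tunnel endpoint; answer with CG-Config."""
        teid = next(self._teids)
        self.ue_contexts[erab_id] = {"caps": ue_nr_caps, "rsrp": nr_rsrp_dbm,
                                     "dl_teid": teid, "active": False}
        cg_config = {"cellGroupId": 1, "physCellId": self.pci,
                     "absoluteFrequencySSB": self.ssb_arfcn}
        return {"cg_config": cg_config, "gnb_dl_tla": self.tla, "gnb_dl_teid": teid}

    def reconfiguration_complete(self, erab_id):
        self.ue_contexts[erab_id]["active"] = True


class UE:
    def __init__(self):
        self.scg = None

    def rrc_reconfiguration(self, nr_config):
        self.scg = nr_config   # the 5G cell is known to the UE by PCI + SSB frequency
        return "RRC Connection Reconfiguration Complete"


def run_sgnb_addition(menb, sgnb, mme, ue, erab_id, ue_nr_caps, nr_rsrp_dbm):
    """Run steps (1) to (8); return the message log and the (PCI, SSB ARFCN) of the 5G cell."""
    log = []
    ack = sgnb.addition_request(erab_id, ue_nr_caps, nr_rsrp_dbm)
    log.append((1, menb, "SgNB", "SgNB Addition Request"))
    log.append((2, "SgNB", menb, "SgNB Addition Request Acknowledge"))
    log.append((3, "SgNB", menb, "NR RRC CG-Config (embedded in step 2)"))
    # the MeNB "translates" CG-Config into the NR RRC messages it wraps for the UE
    log.append((3, menb, "UE", "LTE RRC Connection Reconfiguration (NR RRC inside)"))
    log.append((4, "UE", menb, ue.rrc_reconfiguration(ack["cg_config"])))
    sgnb.reconfiguration_complete(erab_id)
    log.append((5, menb, "SgNB", "SgNB Reconfiguration Complete"))   # assumed, see docstring
    log.append((6, menb, "MME", "E-RAB Modification Indication (gNB DL TLA/TEID)"))
    confirm = mme.erab_modification_indication(erab_id, ack["gnb_dl_tla"], ack["gnb_dl_teid"])
    log.append((7, "MME", "S-GW", "Modify Bearer Request/Response over S11"))
    log.append((8, "MME", menb, confirm))
    return log, (ack["cg_config"]["physCellId"], ack["cg_config"]["absoluteFrequencySSB"])


if __name__ == "__main__":
    # constructed starting state: the LTE default bearer E-RAB 5 is already established
    sgw = SGW({5: {"ul": ("10.0.0.1", 0x0101), "dl": ("10.1.0.1", 0x0201)}})
    mme, ue = MME(sgw), UE()
    sgnb = SgNB(tla="10.2.0.1", pci=12, ssb_arfcn=636768)
    log, cell = run_sgnb_addition("MeNB", sgnb, mme, ue, 5, ["n78"], -95)
    for step, src, dst, msg in log:
        print(f"({step}) {src:5} -> {dst:5} {msg}")
    print("5G cell:", cell, "| S-GW DL endpoint:", sgw.bearers[5]["dl"])
```

After the run the S-GW's downlink endpoint for E-RAB 5 points at the gNB address and TEID allocated in step (2), while the uplink endpoint is untouched, which is exactly the state the post describes before payload transmission over 5G starts in step (7).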

This delay does not have a direct impact on user plane latency in the initial 5G setup phase. However, the subscriber experience might be different when it comes to inter-MeNB handover, because there is no direct handover between 5G neighbor cells. 

Changing the MeNB due to subscriber mobility means: release all 5G resources on the source (M)eNB side, perform intra-LTE handover to the target (M)eNB and add new 5G resources after handover is successfully completed. 

Monday, 27 May 2019

Bandwidth Part (BWP) in 5G New Radio (NR)


I made a short tutorial explaining the concept of Bandwidth Part in 5G a while back. Slides and video embedded below.








Sunday, 19 May 2019

VoLTE Hacking


The 10th Annual HITB Security Conference took place from the 6th till the 10th of May 2019 in The Netherlands. The theme of the conference this year was 'The Hacks of Future Past'. One of the presentations was on the topic 'VoLTE Phreaking' by Ralph Moonen, Technical Director at Secura.

The talk covered a variety of topics:

  • A little history of telephony hacking (in NL/EU)
  • The landscape now
  • Intercepting communications in 2019
  • Vulnerabilities discovered: some new, some old
  • An app to monitor traffic on a phone

The talk provides details on how VoLTE can potentially be hacked. In many instances it is one misconfiguration or another that makes VoLTE less secure. One of the slides that caught my attention was the differences in VoLTE signaling between different operators (probably due to different vendors), as shown above.

Anyway, I am not going into more details here. The presentation is available here.


The thread in the Tweet above also provided some good references on VoLTE hacking. They are as follows:





Sunday, 17 February 2019

Displaying 5G Network Status Icon on Smartphones and Other Devices

A more updated presentation & video on this topic is available on 3G4G '5G Training' page here.
Who would have thought that displaying a network status icon on 5G devices would be so much fun. Typically the network icons are:

  • 2G - GSM, G, G+, E
  • 3G - 3G, H, H+
  • 4G - 4G, 4G+

Back in 2017, Samsung devices started displaying 4G+ icon. Samsung told mybroadband:

that by default its devices require a network to support Category 6 LTE, and for the total combined bandwidth to exceed 20MHz, before they will display the “4G+” icon.

Networks in South Africa frequently don’t have over 20MHz of aggregated bandwidth available, though.

As a result, one network asked Samsung to reduce the combined bandwidth requirement for the 4G+ icon to display to 15MHz, which Samsung approved.

“Samsung’s global policy regarding the display of the LTE/LTE-A/4G/4G+ network icon is that the network icon display is operator-configurable upon official request and Samsung approval,” it said.

The reason this is interesting is that LTE is really 3.9G but generally called 4G. LTE-A is supposed to be 4G because in theory it meets the IMT-Advanced criteria. Then we have LTE-Advanced Pro, which is known as 4.5G. While the majority of operators display 4.5G as 4G or 4G+, a couple of operators have decided to become a bit innovative.

AT&T started by updating the network icons of some of their devices to 5GE, which is their way of saying 4.5G. E stands for Evolution. Or as some people joked, it stands for economy (or value) version, as opposed to premium version.


The Brazilian operator Claro decided to use the 4.5G icon, but the 5 is in a much larger font than the 4 (see the pic above). Some people call this a dishonest attempt on their part.

I see a few people asking how devices can decide whether they are on 4G or 4.5G. There is no standard procedure for this; it is UE specific. One way is to look at RRC messages. If the system information messages contain optional IEs for 3GPP Release-13, then the network supports LTE-A Pro, and if the device supports the features for LTE-A Pro, it can display 4.5G or 5GE, etc. Another approach is the optional IEs present in the NAS Attach Accept message. As this comes slightly later in the registration process, the device displays 4G first and, once the registration is complete, 4.5G. Note that there is no requirement from a standards point of view about displaying the network status indication icon up to 4G/4.5G.

To avoid such confusion in 5G, 3GPP submitted the first Liaison statement S2-175303. In this, 3GPP said:

With this number of System and Radio access options available, one or more new status icons are expected to appear on the User Interface of future (mobile) devices. A user should expect consistency across devices and networks as to what icons actually mean (i.e. what services might be expected when an icon is displayed).

While 3GPP specifications are not expected to define or discuss Service or RAT indicators in the User Interface themselves, 3GPP should provide the necessary tools in EPS and 5GS to enable them. It is therefore necessary to understand the conditions required for displaying these icons and with which granularity so we can identify what information ought to be available in/made available to the device.

SA2 understands that Status Icons related to 5G might be displayed for example on a UE display taking into account all or some combinations of these items (other items may exist):
- Access Restriction Data in subscription (with the potential exception of emergency access); 
- UE CN registration (i.e. is UE EPC- and/or 5GC-registered?);
- UE capabilities; 
- Network capabilities; 
- UE is camping on a cell of NG-RAN supporting NR only, E-UTRA only or, the ability to activate dual connectivity with another RAT (NR or E-UTRA);
- UE is camping on a cell of E-UTRAN (connected to EPC) with the ability to activate dual connectivity with NR as secondary cell;
- UE is in connected mode using NR, E-UTRA (in 5GS) or dual connectivity between E-UTRA and NR.

Given the above, SA2 would like to kindly ask for any feedback from GSMA FNW and NGMN on requirements and granularity for Service indicators and/or RAT indicators related to 5G.

GSMA responded in R2-1713952. Six cases have been identified (see the first picture on top):

The configurations consist of the following states and are as described in Table 1:

  1. EPS NR NSA (EN-DC) capable UE attached to EPC and currently in IDLE state under or in RRC_connected state connected to E-UTRAN cell not supporting LTE-NR dual connectivity 
  2. EPS NR NSA (EN-DC) capable UE attached to EPC and currently in IDLE state under or in RRC_Connected state connected to AND active on LTE for uplink and downlink on only E-UTRAN cell supporting LTE-NR dual connectivity and has not detected NR coverage (i.e. UE is not under NR coverage and/or not configured to make NR measurements)
  3. EPS NR NSA (EN-DC) capable UE attached to EPC and currently in RRC_Connected state connected to E-UTRAN cell (supporting dual connectivity) and active on LTE for uplink and downlink only and has detected NR coverage (i.e. UE is under NR coverage and has been configured to make NR measurements) 
  4. EPS NR NSA (EN-DC) capable UE attached to EPC and currently in IDLE state under E-UTRAN cell supporting LTE-NR dual connectivity and has detected NR coverage (i.e. UE is under NR coverage and has been configured to make NR measurements)
  5. EPS NR NSA (EN-DC) capable UE attached to EPC and currently in RRC_Connected state connected to E-UTRAN cell (supporting dual connectivity) and active on LTE and NR for uplink and/or downlink
  6. 5GS capable UE attached to 5GC and currently in IDLE state under or in RRC_Connected state connected to NG-RAN (eLTE (option 5 or 7) or NR (option 2 or 4) cell)

As there is no consensus on a single preferred configuration, it is desirable to make the display of 5G status icon in the UE configurable such that the display of 5G status icon can be made depending on operator preference. 

This proposal by GSMA was noted by 3GPP in R2-1803949.

RAN WG2 would like to inform GSMA and SA2 that, according to GSMA and SA2 recommendations (LSs R2-1713952 and S2-175270, respectively), RAN WG2 introduced 1 bit indication per PLMN called “upperLayerIndication” within LTE SIB 2. 

This bit enables the realization of the configurations based on UE states as per recommendation from GSMA (e.g. RRC_IDLE UE as for State 2 in LS R2-1713952 from GSMA).

For idle mode UEs this is the only mechanism agreed. 

Actions: RAN WG2 would like to ask GSMA and SA2 to take the information above into account. 

Hopefully there will be less confusion when 5G is rolled out about the status icons. In the meantime we might see some more 4.5G icon innovations.

Friday, 14 September 2018

End-to-end Network Slicing in 5G

I recently realised that I have never written a post just on Network Slicing. So here is one on the topic. The first question asked is: why do we even need Network Slicing? Alan Carlton from Interdigital wrote a good article on this topic. Below is what I think is interesting:

Network slicing is a specific form of virtualization that allows multiple logical networks to run on top of a shared physical network infrastructure. The key benefit of the network slicing concept is that it provides an end-to-end virtual network encompassing not just networking but compute and storage functions too. The objective is to allow a physical mobile network operator to partition its network resources to allow for very different users, so-called tenants, to multiplex over a single physical infrastructure. The most commonly cited example in 5G discussions is sharing of a given physical network to simultaneously run Internet of Things (IoT), Mobile Broadband (MBB), and very low-latency (e.g. vehicular communications) applications. These applications obviously have very different transmission characteristics. For example, IoT will typically have a very large number of devices, but each device may have very low throughput. MBB has nearly the opposite properties since it will have a much smaller number of devices, but each one will be transmitting or receiving very high bandwidth content. The intent of network slicing is to be able to partition the physical network at an end-to-end level to allow optimum grouping of traffic, isolation from other tenants, and configuring of resources at a macro level.

Source: ITU presentation, see below

The key differentiator of the network slicing approach is that it provides a holistic end-to-end virtual network for a given tenant. No existing QoS-based solution can offer anything like this. For example, DiffServ, which is the most widely deployed QoS solution, can discriminate VoIP traffic from other types of traffic such as HD video and web browsing. However, DiffServ cannot discriminate and differentially treat the same type of traffic (e.g. VoIP traffic) coming from different tenants.

Also, DiffServ does not have the ability to perform traffic isolation at all. For example, IoT traffic from a health monitoring network (e.g. connecting hospitals and outpatients) typically has strict privacy and security requirements including where the data can be stored and who can access it. This cannot be accomplished by DiffServ as it does not have any features dealing with the compute and storage aspects of the network. All these identified shortfalls of DiffServ will be handled by the features being developed for network slicing.

I came across this presentation by Peter Ashwood-Smith from Huawei Technologies, who presented '5G End to-end network slicing Demo' at the ITU-T Focus Group IMT-2020 Workshop and Demo Day on 7 December 2016. It's a great presentation; I wish a video of it was available as well. Anyway, the presentation is embedded below and the PPT can be downloaded from here.



The European Telecommunications Standards Institute (ETSI) has established a new Industry Specification Group (ISG) on Zero touch network and Service Management (ZSM) that is working to produce a set of technical specifications on fully automated network and service management with, ideally, zero human intervention. ZSM is targeted for 5G, particularly in network slice deployment. NTT Technical review article on this is available here.

Finally, here is a presentation by Sridhar Bhaskaran of Cellular Insights blog on this topic. Unfortunately, not available for download.



Monday, 25 June 2018

Free Apps for Field Testing - Part 2

The last time I wrote about the free apps for field testing, many people came back and suggested additional apps that are much more commonly used. In fact we got the following comment when 3G4G re-posted this:

As I have used both these apps frequently, here is a small summary on them.

Network Signal Guru: This is surprisingly very popular and is quite useful. The only issue is that you need to have a rooted phone with a Qualcomm chipset. I know many testers have their favourite phones, and quite a few testers buy the latest phones, root them and start testing using NSG (Network Signal Guru).

I prefer using Motorola Moto Gx series phones. They are cheap, not too difficult to root (YouTube has quite a few tutorials and Google search works too) and I find that their receivers are better than others. I have detected cells that other phones can't, and have even camped and speed tested on them too.

So what can NSG do?

It can provide lots of useful information on the physical layer, cell configurations, neighbor cell lists, MIMO, etc.
You can even RAT lock to LTE / WCDMA / GSM and band lock to use a specific band. This can be very useful during surveys when you want to check if you can see a particular frequency anywhere in an area. You can also see codecs, RACH information, data information, etc.

Finally, one of the best things I find is the signalling information. Some of the details are only available with the purchased option, but it's nevertheless very useful. Just in case you are wondering how much it costs, it's roughly a £50 per month licence in the UK.


CellMapper: I find this much more helpful as it can be used without rooting. CellMapper is a crowd-sourced cellular tower and coverage mapping service. It's simple and only used for basic testing, but nevertheless very useful. To give you an idea, the other day I was camped on a cell with very good signal quality but very poor data rates, and there weren't many people around, so congestion didn't seem like a factor. On investigation I found out that I was camped on the 800 MHz band, which has limited bandwidth per operator, and there was no CA.

CellMapper, as you can see, provides information about the cell you are camped on, the cell tower location, what other sectors and frequencies are there, etc.


Do you have a favorite testing app that I missed? Let me know in comments.

Sunday, 25 March 2018

5G Security Updates - March 2018


It's been a while since I wrote about 5G security in this fast-changing 5G world. If you are new to 3GPP security, you may want to start with my tutorial here.

3GPP SA3 Chairman Anand R. Prasad recently mentioned in his LinkedIn post:

5G security specification finalized! Paving path for new business & worry less connected technology use.

3GPP SA3 delegates worked long hours diligently to conclude the specification for 5G security standard during 26 Feb.-2 Mar. Several obstacles were overcome by focussed effort of individuals & companies from around the globe. Thanks and congrats to everyone!

All together 1000s of hours of work with millions of miles of travel were spent in 1 week to get the work done. This took 8 meetings (kicked off Feb. 2017), numerous on-line meetings and conference calls.

Excited to declare that this tremendous effort led to timely completion of 5G security specification (TS 33.501) providing secure services to everyone and everything!

The latest version of the specs is on the 3GPP website here.

ITU also held a workshop on 5G Security in Geneva, Switzerland on 19 March 2018 (link). There were quite a few interesting presentations. Below are some slides that caught my attention.

The picture in the tweet above from China Mobile summarises the major 5G security issues very well. 5G security is going to be far more challenging than previous generations.

The presentation by Haiguang Wang, Huawei contained a lot of good technical information. The picture at the top is from that presentation and highlights the difference between 4G & 5G Security Architecture.


New entities have been introduced to make 5G more open.


EPS-AKA vs 5G-AKA (AKA = Authentication and Key Agreement) for trusted nodes


EAP-AKA' for untrusted nodes.


Slice security is an important topic that multiple speakers touched upon, and I think it will continue to be discussed for the foreseeable future.

Dr. Stan Wing S. Wong from King’s College London has some good slides on 5G security issues arising out of Multi-Tenancy and Multi-Network Slicing.

Peter Schneider from Nokia Bell Labs had good slides on 5G Security Overview for Programmable Cloud-Based Mobile Networks.

Sander Kievit from TNO, a regular participant in 3GPP working group SA3 on behalf of the Dutch operator KPN, presented a view from 3GPP SA3 on the security work item progress (slides). The slide above highlights the changes in the 5G key hierarchy.

The ITU 5G Security Workshop Outcomes are available here.

ETSI Security Week 2018 will be held 11-15 June 2018. 5G security/privacy is one of the topics.

There is also the 5GPPP Workshop on 5G Networks Security (5G-NS 2018), being held in Hamburg, Germany on August 27-30, 2018.

In the meantime, please feel free to add your comments & suggestions below.


Thursday, 4 January 2018

Introduction to 3GPP Security in Mobile Cellular Networks


I recently did a small presentation on 3GPP Security, looking at how the security mechanisms work in mobile cellular networks, focusing mainly on the signalling associated with authentication, integrity protection and ciphering / confidentiality. It's targeted towards people with a basic understanding of mobile networks. Slides with embedded video below.



You can also check-out all such videos / presentations at the 3G4G training section.

Monday, 18 December 2017

Control and User Plane Separation of EPC nodes (CUPS) in 3GPP Release-14


One of the items in 3GPP Rel-14 is Control and User Plane Separation of EPC nodes (CUPS). I have made a video explaining this concept that is embedded below.

In 3G networks (just considering the PS domain), the SGSN and GGSN handle both the control plane, which is responsible for signalling, and the user plane, which is responsible for the user data. This is not a very efficient approach for deployment.

You can have networks that have a lot of signalling (remember the signalling storm?) due to a lot of smartphone users who are not necessarily consuming a lot of data (mainly for price reasons). On the other hand, you can have networks where there is not a lot of signalling but a lot of data consumption. An example of this would be lots of data dongles or MiFi devices, where users consume a lot of data because it's cheap.

To cater for these different scenarios, the control plane and user plane were separated to an extent in the Evolved Packet Core (EPC): the MME handles the control plane signalling while the S-GW & P-GW handle the user plane.

CUPS goes one step further by separating the control & user plane of the S-GW, P-GW & TDF. The TDF is the Traffic Detection Function, which was introduced together with the Sd reference point as a means for traffic management in Release 11. The Sd reference point is used for Deep Packet Inspection (DPI) purposes. The TDF also provides operators with the opportunity to capitalise on analytics for traffic optimisation, charging and content manipulation, and it works very closely with the Policy and Charging Rules Function (PCRF).

As mentioned, CUPS provides the architecture enhancements for the separation of S-GW, P-GW & TDF functionality in the EPC. This enables flexible network deployment and operation, by using either distributed or centralized deployment. It also allows independent scaling between control plane and user plane functions - while not affecting the functionality of the existing nodes subject to this split.

As the 3GPP article mentions, CUPS allows for:
  • Reducing Latency on application service, e.g. by selecting User plane nodes which are closer to the RAN or more appropriate for the intended UE usage type without increasing the number of control plane nodes.
  • Supporting Increase of Data Traffic, by enabling user plane nodes to be added without changing the number of SGW-C, PGW-C and TDF-C in the network.
  • Locating and Scaling the CP and UP resources of the EPC nodes independently.
  • Independent evolution of the CP and UP functions.
  • Enabling Software Defined Networking to deliver user plane data more efficiently.

The following high-level principles were also adopted for the CUPS:
  • The CP function terminates the Control Plane protocols: GTP-C, Diameter (Gx, Gy, Gz).
  • A CP function can interface multiple UP functions, and a UP function can be shared by multiple CP functions.
  • A UE is served by a single SGW-CP but multiple SGW-UPs can be selected for different PDN connections. A user plane data packet may traverse multiple UP functions.
  • The CP function controls the processing of the packets in the UP function by provisioning a set of rules in Sx sessions, i.e. Packet Detection Rules for packet inspection, Forwarding Action Rules for packet handling (e.g. forward, duplicate, buffer, drop), QoS Enforcement Rules to enforce QoS policing on the packets, and Usage Reporting Rules for measuring the traffic usage.
  • All the 3GPP features impacting the UP function (PCC, Charging, Lawful Interception, etc.) are supported, while the UP function is designed to be as 3GPP-agnostic as possible. For example, the UPF is not aware of the bearer concept.
  • Charging and Usage Monitoring are supported by instructing the UP function to measure and report traffic usage, using Usage Reporting Rule(s). No impact is expected on the OFCS, OCS and the PCRF.
  • The CP or UP function is responsible for GTP-U F-TEID allocation.
  • A legacy SGW, PGW and TDF can be replaced by a split node without affecting connected legacy nodes.
CUPS forms the basis of EPC architecture evolution for Service-Based Architecture for 5G Core Networks. More in another post soon.
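To make the rule-based CP/UP split concrete, here is an added toy model (not 3GPP's or any vendor's code) of a UP function applying CP-provisioned PDR, FAR, QER and URR rules to constructed packets; the field names, the simple byte-budget QER and the packet dictionary are assumptions for illustration.

```python
# Added example (not 3GPP's or any vendor's code): a toy CUPS user-plane function
# applying the Sx rule types the post lists. Field names and packets are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PDR:  # Packet Detection Rule; the lowest precedence value wins on overlap
    precedence: int
    far_id: int
    teid: Optional[int] = None    # match GTP-U TEID (uplink, S1-U side)
    ue_ip: Optional[str] = None   # match UE IP (downlink, SGi side)
    qer_id: Optional[int] = None
    urr_id: Optional[int] = None

@dataclass
class FAR:  # Forwarding Action Rule: "forward" | "drop" | "buffer" | "duplicate"
    action: str
    dest: str = ""      # outgoing interface for forward/duplicate
    dup_dest: str = ""  # where the extra copy goes (e.g. lawful interception)

@dataclass
class SxSession:
    pdrs: list
    fars: dict                                    # far_id -> FAR
    qer_mbr: dict = field(default_factory=dict)   # QER: qer_id -> byte budget (toy MBR)
    urr_threshold: dict = field(default_factory=dict)  # URR: urr_id -> report volume
    qer_used: dict = field(default_factory=dict)  # bytes admitted per QER
    usage: dict = field(default_factory=dict)     # bytes counted per URR since last report
    buffered: list = field(default_factory=list)
    reports: list = field(default_factory=list)   # (urr_id, bytes) sent to the CP

def handle_packet(s: SxSession, pkt: dict) -> list:
    """Classify pkt (keys: teid, ue_ip, len) and apply QER, URR, then FAR."""
    hits = [p for p in s.pdrs
            if (p.teid is None or p.teid == pkt.get("teid"))
            and (p.ue_ip is None or p.ue_ip == pkt.get("ue_ip"))]
    if not hits:                          # no matching PDR: discard by default
        return ["drop:no-pdr"]
    pdr = min(hits, key=lambda p: p.precedence)
    if pdr.qer_id is not None:            # QoS enforcement before forwarding
        used = s.qer_used.get(pdr.qer_id, 0) + pkt["len"]
        if used > s.qer_mbr[pdr.qer_id]:
            return ["drop:qer"]
        s.qer_used[pdr.qer_id] = used
    if pdr.urr_id is not None:            # count volume, report when threshold hit
        vol = s.usage.get(pdr.urr_id, 0) + pkt["len"]
        if vol >= s.urr_threshold[pdr.urr_id]:
            s.reports.append((pdr.urr_id, vol))
            vol = 0
        s.usage[pdr.urr_id] = vol
    far = s.fars[pdr.far_id]              # the UP sees no bearers, only CP-provisioned rules
    if far.action == "buffer":            # e.g. UE idle: hold downlink data
        s.buffered.append(pkt)
        return ["buffer"]
    if far.action == "drop":
        return ["drop"]
    out = [f"forward:{far.dest}"]
    if far.action == "duplicate":
        out.append(f"duplicate:{far.dup_dest}")
    return out
```

A catch-all PDR with the lowest precedence pointing at a drop FAR gives the UP a deny-by-default posture, so traffic the CP never provisioned rules for is never forwarded.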

A short video on CUPS below, slides available here.



Thursday, 23 November 2017

5G NR Radio Protocols and Tight Inter-working with LTE


Osman Yilmaz, Team Leader & Senior Researcher at Ericsson Research in Finland gave a good summary of 5G NR at URLLC 2017 Conference (see summary here). His presentation is embedded below:



Osman, along with Oumer Teyeb, Senior Researcher at Ericsson Research & member of the Ericsson 5G standardization delegation has also published a blog post LTE-NR tight-interworking on Ericsson Research blog.

The post talks about how signalling and data will work in LTE & New Radio (NR) dual-connected devices. In the control plane it looks at the RRC signalling applicable to these DC devices, whereas in the user plane it looks at the direct and split DRB options.


Further details here.

Thursday, 9 November 2017

Quick tutorial on Mobile Network Sharing Options


Here is a quick tutorial on mobile network sharing approaches, looking at site/mast sharing, MORAN, MOCN and GWCN. Slides with video embedded below. If for some reason you prefer a direct link to the video, it's here.



Sunday, 5 November 2017

RRC states in 5G

Looking back at my old post about UMTS & LTE (re)selection/handovers, I wonder how many different kinds of handovers and (re)selection options may be needed now.

In another earlier post, I talked about the 5G specifications. This can also be seen in the picture above and may be easy to remember. The 25 series for UMTS mapped the same way to the 36 series for LTE. Now the same mapping will be applied to the 38 series for 5G; the RRC spec would thus be 38.331.

A simple comparison of 5G and LTE RRC states can be seen in the picture above. As can be seen, a new state 'RRC Inactive' has been introduced. The main aim is to maintain the RRC connection while at the same time minimize signalling and power consumption.

Looking at the RRC specs you can see how the 5G RRC states will work with the 4G RRC states. There are still For Further Study (FFS) items. Hopefully we will get more details soon.

3GPP TS 22.261, Service requirements for the 5G system; Stage 1, suggests the following with regard to inter-working with 2G & 3G:

5.1.2.2 Legacy service support
The 5G system shall support all EPS capabilities (e.g., from TSs 22.011, 22.101, 22.278, 22.185, 22.071, 22.115, 22.153, 22.173) with the following exceptions:
- CS voice service continuity and/or fallback to GERAN or UTRAN,
- seamless handover between NG-RAN and GERAN,
- seamless handover between NG-RAN and UTRAN, and
- access to a 5G core network via GERAN or UTRAN.

Sunday, 3 September 2017

5G Core Network, System Architecture & Registration Procedure

The 5G System architecture (based on 3GPP TS 23.501: System Architecture for the 5G System; Stage 2) consists of the following network functions (NF). The functional description of these network functions is specified in clause 6.
- Authentication Server Function (AUSF)
- Core Access and Mobility Management Function (AMF)
- Data network (DN), e.g. operator services, Internet access or 3rd party services
- Structured Data Storage network function (SDSF)
- Unstructured Data Storage network function (UDSF)
- Network Exposure Function (NEF)
- NF Repository Function (NRF)
- Network Slice Selection Function (NSSF)
- Policy Control function (PCF)
- Session Management Function (SMF)
- Unified Data Management (UDM)
- Unified Data Repository (UDR)
- User plane Function (UPF)
- Application Function (AF)
- User Equipment (UE)
- (Radio) Access Network ((R)AN)

As you can see, this is slightly more complex than the 2G/3G/4G Core Network Architecture.

Alan Carlton, Vice President, InterDigital and Head of InterDigital International Labs Organization spanning Europe and Asia provided a concise summary of the changes in 5G core network in ComputerWorld:

Session management is all about the establishment, maintenance and tear down of data connections. In 2G and 3G this manifested as the standalone General Packet Radio Service (GPRS). 4G introduced a fully integrated data only system optimized for mobile broadband inside which basic telephony is supported as just one profile.

Mobility management as the name suggests deals with everything that needs doing to support the movement of users in a mobile network. This encompasses such functions as system registration, location tracking and handover. The principles of these functions have changed relatively little through the generations beyond optimizations to reduce the heavy signaling load they impose on the system.

The 4G core network’s main function today is to deliver an efficient data pipe. The existence of the service management function as a dedicated entity has been largely surrendered to the “applications” new world order. Session management and mobility management are now the two main functions that provide the raison d’etre for the core network.

Session management in 4G is all about enabling data connectivity and opening up a tunnel to the world of applications in the internet as quickly as possible. This is enabled by two core network functions, the Serving Gateway (SGW) and Packet Data Gateway (PGW). Mobility management ensures that these data sessions can be maintained as the user moves about the network. Mobility management functions are centralized within a network node referred to as Mobility Management Entity (MME). Services, including voice, are provided as an “app” running on top of this 4G data pipe. The keyword in this mix, however, is “function”. It is useful to highlight that the distinctive nature of the session and mobility management functions enables modularization of these software functions in a manner that they can be easily deployed on any Commercial-Off-The-Shelf (COTS) hardware.

The biggest change in 5G is perhaps that services will actually be making a bit of a return...the plan is now to deliver the whole Network as a Service. The approach to this being taken in 3GPP is to re-architect the whole core based on a service-oriented architecture approach. This entails breaking everything down into even more detailed functions and sub-functions. The MME is gone but not forgotten. Its former functionality has been redistributed into precise families of mobility and session management network functions. As such, registration, reachability, mobility management and connection management are all now new services offered by a new general network function dubbed Access and Mobility Management Function (AMF). Session establishment and session management, also formerly part of the MME, will now be new services offered by a new network function called the Session Management Function (SMF). Furthermore, packet routing and forwarding functions, currently performed by the SGW and PGW in 4G, will now be realized as services rendered through a new network function called the User Plane Function (UPF).

The whole point of this new architectural approach is to enable a flexible Network as a Service solution. By standardizing a modularized set of services, this enables deployment on the fly in centralized, distributed or mixed configurations to enable target network configurations for different users. This very act of dynamically chaining together different services is what lies at the very heart of creating the magical network slices that will be so important in 5G to satisfy the diverse user demands expected. The bottom line in all this is that the emphasis is now entirely on software. The physical boxes where these software services are instantiated could be in the cloud or on any targeted COTS hardware in the system. It is this intangibility of physicality that is behind the notion that the core network might disappear in 5G.


3GPP TS 23.502: Procedures for the 5G System; Stage 2, provides examples of signalling for different scenarios. The MSC above shows the example of registration procedure. If you want a quick refresher of LTE registration procedure, see here.

I don't plan to expand on this procedure here. Check out section "4.2.2 Registration Management procedures" in 23.502 for details. There are still a lot of FFS (For Further Study 😉) items in the specs that will get updated in the coming months.
