Showing posts with label Technical Details. Show all posts
Showing posts with label Technical Details. Show all posts

Wednesday, 4 December 2019

Challenges of 5G Inter-Node Handovers

In all mobile communication networks handovers are the most complex signaling procedures, because multiple network elements (or network functions) are involved. Thus, it is logical that dual connectivity with two different base stations contributing to the radio connection simultaneously are even more complicated. And in EN-DC these two base stations are often covering different footprints using different carrier frequencies.This leads to a situation where we have more options for performing a handover in detail compared with plain LTE handover scenarios before.

The two signaling scenarios presented below illustrate in which different ways a change of the LTE master eNodeB can be performed during an ongoing EN-DC radio connection by using the X2 interface. In a very similar way it is also possible to perform S1 handover from old to new MeNB.

The pros and cons of these options have been discussed already by Martin Sauter in his Wireless Moves blog.

Inter-MeNB Handover without 5G Inter-Site Anchor

Figure 1 shows the easiest way of handing over the signaling connection from one MeNB to another one. Here it is up to the new MeNB to decide if and how the 5G part of the radio connection is continued.

Figure 1: X2 Handoverof EN-DC connection without 5G inter-site anchor


The handover is triggered when the UE sends a RRC Measurement Report (step 1) indicating that a stronger 4G cell than the currently used primary cell was measured. From its neighbor list the current MeNB detects that this better cell belongs to a neighbor eNB.

To provide both, the the Master Cell Group (MCG) and Secondary Cell Group (SCG) parameters to this neighbor eNB the old MeNB queries the SCG configuration parameters from the old SgNB by performing the X2AP SgNB Modification procedure (step 2+3).

Then it sends the X2AP Handover Request message to the target MeNB (step 4) including all information necessary to continue the 5G radio link in case the target MeNB decides to go for this option.

However, what comes back from the target MeNB is a plain LTE handover command (LTE RRC Connection Reconfiguration message [step 6]) embedded in the X2AP Handover Request Acknowledge message (step 5).

Due to this the old MeNB releases all 5G resources and the UE context in the SgNB (steps 7 + 10).

After the UE  successfully connected via radio interface with the target cell in the new MeNB the S1AP Path Switch procedure is executed to re-route the GTP/IP-Tunnels on S1-U (step 8) and releases the X2 UE context in the old MeNB (step 9)

The new MeNB then waits for a new inter-RAT measurement event B1 (step 11) before starting a new SgNB addition procedure (step 12).  Once the SgNB addition is successfully completed including all necessary reconfigurations/modifications on RRC and S1 the payload transmission over 5G resources is continued.

Inter-MeNB Handover with 5G Inter-Site Anchor

Now figure 2 shows what happens when the new MeNB decides to keep the existing UE context in the SgNB while the RRC measurement results and parameters are identical with what was presented above. 
Figure 2: X2 Handoverof EN-DC connection with 5G inter-site anchor

The difference in the call flow starts at step 5 when the new MeNB after receiving the X2AP Handover Request (step 4) starts the X2AP SgNB Addition procedure towards the SgNB (old = new!). The SgNB-UE-X2AP-ID earlier requested in step 2+3 acts as the reference number for the existing context that is going to be continued.

After adding the SgNB UE context successfully the new MeNB sends the X2AP Handover Request Acknowledge message including an UE Context Kept = "true" flag and the Handover Command (step 8).

After the UE successfully connected to the target cell of the new MeNB the S1AP Path Switch procedure is performed and the temporary X2 UE context between old and new MeNB is released (step 10).

The big advantage of handling the handover in this way: The duration of the interruption of the payload transmission over 5G radio resources is minimalized and subscriber experience is significantly better compared to the scenario in figure 1.

Friday, 22 November 2019

5G Call Drops in EN-DC: A Thread for Service Quality?


As explained in the post about EN-DC setup the addition of 5G NR radio resources to an ongoing LTE connection provides additional bandwidth for user plane data transmission. And it seems to be fair to say that at least in social media today 5G speed test results, especially throughput measurements, are treated as the benchmark for EN-DC service performance. Hence, it is also logical that a loss of the physical 5G radio link (5G drop) could have a serious impact on user experience.

I write "could", because as a matter of fact many 5G drops will not be recognized by subscribers using non-realtime services including HTTP streaming.

Due to the dual connectivity of LTE Master eNodeB (MeNB) and Secondary gNodeB (SgNB) the signaling trigger points indicating a 5G drop are also a bit more complex compared to what we know from LTE. Indeed, both network nodes are able to release 5G radio resources abnormally using three different X2AP message flow scenarios as shown in figure 1.

Figure 1: Three Basic Signaling Flows for Abnormal Release of 5G Radio Resources

Which of these individual message flows will be found in the trace data depends on which of the two base stations is the first one that detects a problem on the 5G radio link.

A particular case that is seen quite often in live networks is illustrated in figure 2.

Figure 2: 5G Drop due to SGC Failure in UE



Here the trigger is a LTE RRC SCG Failure Information NR message sent by the UE to the MeNB. Thus, the MeNB requests the release of 5G radio resources, which is acknowledged and executed by the SgNB.

In addition (not show in the figures) also the GTP/IP-Tunnel for user plane transport between S-GW and gNB is released by the MeNB after successful completion of the X2AP SgNB Release procedure.

For the UE the 5G drop is not as serious as a drop of the LTE radio connection would be. It is just a fallback on plain LTE, so to say. And after the switching the GTP/IP-Tunnel back to a downlink endpoint at the eNB 4G payload transmission continues.

The longer the overall duration of the radio connection the higher is the risk that the 5G radio resources are lost during an EN-DC call. One of my favorite cases is a subscriber with a radio connection that last a bit more than two and a half hours - see figure 3.

Figure 3: Location Session Record of a Single Subscriber indicating a total number 340 SgNB Drops over 2:33 Hours

Thanks to the smart algorithms of NETSCOUT's TrueCall geolocation engine there is high confidence that she or he sits in an indoor environment, but is served by an outdoor 5G cell. Thus, the penetration loss of the 5G signal is significant. Due to the higher frequency the path loss has also higher impact on the 5G than on the 4G radio signal. This seems to be the main reason why the 5G radio link drops as often as 340 times, which leads to an overall 5G (SgNB) Drop Rate of 83% for this connection.

However, the impact on the subscriber experience might not be a serious one as a different KPI, the 5G EN-DC Duration Rate indicates. According to the Duration Rate 99.99% of all the time 5G radio resources have been available for the subscriber. This is possible, because as also shown in figure 2 within a relatively short time new 5G radio resources are allocated again to this connection. Even if the subscriber is watching e.g. a Netflix video the buffering of already downloaded data on the end user device should be sufficient to conceal the short interruption of the data transfer over 5G resources.

With rising amount of EN-DC traffic it might be rather problematic for the network to handle the additional signaling load originating from the frequent 5G additions and releases. In extreme cases this may even lead to congestion due to CPU overload in RAN nodes or virtual network functions.

For realtime services like Voice over New Radio (VoNR) the entire situation changes. Here even short interruptions of the user plane radio transmission can be perceived by subscribers so that the above discussed 5G Duration Rate KPI will become insufficient to estimate the service quality. Hence, this will drive the demand for a fully integrated view of 5G RAN and Core KPIs covering both, signaling and application quality.




Monday, 7 October 2019

Exploiting Possible 5G Vulnerabilities


The standards can try their best to ensure that the next generation of protocols is more secure than the previous one but there is always some way in which the protocols can be exploited. This is where researchers play an important role in finding such vulnerabilities before they can be exploited by hackers. Frankly I am quite sure that only a handful of these vulnerabilities are found and hackers always have something that may never be found.

In the recent HITBSecConf or the Hack In The Box Security Conference Altaf Shaik presented "4G to 5G: New Attacks". He along with Ravishankar Borgaonkar has been working to find out issues with security in cellular networks. In fact in the GSMA Mobile Security Hall of Fame, they both appear twice, individually.

From the talk narrative:

5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers. In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators equipment and also consumer devices such as phones, routers, latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks. We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets to the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools. We did a rigorous testing worldwide to estimate the number of affected base stations and are surprised by the results. Finally our interactions with various vendors and standard bodies and easy fixes to prevent our attacks are discussed.

Slides and Video is embedded below






Slides and Whitepaper can be downloaded from here.

Further Reading:

Sunday, 15 September 2019

Thursday, 18 July 2019

5G SpeedTests and Theoretical Max Speeds Calculations


Right now, Speed Tests are being described as 5G killer apps.



A good point by Benedict Evans



Everyone is excited and want to see how fast 5G networks can go. If you use Twitter, you will notice loads and loads of speed tests being done on 5G. An example can be seen above.


I recently heard Phil Sheppard, Director of Strategy & Architecture, '3 UK' speak about their 5G launch that is coming up soon. Phil clearly mentioned that because they have a lot more spectrum (see Operator Watch blog post here and here) in Capacity Layer, their 5G network would be faster than the other UK operators. He also provided rough real world Peak Speeds for Three and other operators as can be seen above. Of course the real world speeds greatly depend on what else is going on in the network and in the cell so this is just a guideline rather than actual advertised speeds.


I have explained multiple times that all 5G networks being rolled out today are Non-Stand Alone (NSA) 5G networks. If you don't know what SA and NSA 5G networks are, check this out. As you can see, the 5G NSA networks are actually 4G Carrier Aggregated Networks + 5G Carrier Aggregated Networks. Not all 4G spectrum will be usable in 5G networks but let's assume it is.

To calculate the theoretical maximum speed of 5G NSA networks, we can calculate the theoretical maximum 4G Network speeds + theoretical maximum 5G Network speeds.

I have looked at theoretical calculation of max LTE Carrier Aggregated Speeds here. Won't do calculation here but assuming 3CA for any network is quite possible.

I also looked at theoretical calculation of 5G FDD New Radio here but then found a website that helps with 5G NR calculation here.

If we calculate just the 5G part, looking at the picture from Three, we can see that they list BT/EE & O2 speeds as 0.61 Gbps or 610 Mbps, just for the 5G part.

Looking at the calculation, if we Input Theoretical max values in this equation:

Calculating just for DL

J - number of aggregated component carriers,
maximum number (3GPP 38.802): 16
input value: 1

v(j)Layers - maximum number of MIMO layers ,
3GPP 38.802: maximum 8 in DL, maximum 4 in UL
input value: 8

Q(j)m modulation order (3GPP 38.804)
For UL and DL Q(j)m is same (QPSK-2, 16QAM-4, 64QAM-6, 256QAM-8)
input value: 8 (256QAM)

f(j) Scaling factor (3GPP 38.306)
input value: 1

FR(j) Frequency Range 3GPP 38.104:
FR1 (450 MHz – 6000 MHz) и FR2 (24250 MHz – 52600 MHz)
input value: FR1

µ(j) -value of carrier configuration (3GPP 38.211)
For DL and UL µ(j) is same (µ(0)=15kHz, µ(1)=30kHz, µ(2)=60kHz, µ(3)=120kHz)
input value: 0 (15kHz)

BW(j)- band Bandwidth, MHz (3GPP 38.104),
should be selected with Frequency Range and µ(i) configuration:
input value: BW:40MHz FR1 µ:15kHz:

Enter a PRB value (if other)
default: 0

Rmax (if you don't know what is it, don't change)
Value depends on the type of coding from 3GPP 38.212
(For LDPC code maximum number is 948/1024 = 0.92578125)
default: 0.92578125

*** Only for TDD ***
Part of the Slots allocated for DL in TDD mode,
where 1 = 100% of Slots (3GPP 38.213, taking into account Flexible slots).
Calculated as: the number of time Slots for DL divided by 14
default value: 0.857142

Part of the Slots allocated for UL in TDD mode,
where 1 = 100% of Slots (3GPP 38.213, taking into account Flexible slots).
Calculated as: 1 minus number of Slots for DL
default value: 0.14285800000000004

Calculated 5G NR Throughput, Mbps: 1584


As you may have noticed, BTE/EE has 40 MHz spectrum while Vodafone in UK have 50 MHz of spectrum.

Changing
BW(j)- band Bandwidth, MHz (3GPP 38.104),
should be selected with Frequency Range and µ(i) configuration:
input value: BW:50MHz FR1 µ:15kHz:

Calculated 5G NR Throughput, Mbps: 1982

Now Three UK has 100 MHz, immediately available for use. So changing

µ(j) -value of carrier configuration (3GPP 38.211)
For DL and UL µ(j) is same (µ(0)=15kHz, µ(1)=30kHz, µ(2)=60kHz, µ(3)=120kHz)
input value: 1 (30kHz)

BW(j)- band Bandwidth, MHz (3GPP 38.104),
should be selected with Frequency Range and µ(i) configuration:
BW:100MHz FR1 µ:30kHz:


Calculated 5G NR Throughput, Mbps: 4006

In theory, a lot of speed is possible with the 100 MHz bandwidth that Three will be able to use. We will have to wait and see who can do a theoretical max SpeedTest. In the meantime remember that a 1Gbps speed test will use over 1 GB of data.



Related Posts:

Tuesday, 9 July 2019

3GPP 5G Standardization Update post RAN#84 (July 2019)

3GPP recently conducted a webinar with Balazs Bertenyi, Chairman of 3GPP RAN in which he goes through some of the key features for 5G Phase 2. The webinar also goes through the details of 5G Release-15 completion, status of Release-16 and a preview of some of Release-17 features.

Slides & video embedded below. Slides can be downloaded from 3GPP website here.







Related Posts:

Monday, 27 May 2019

Bandwidth Part (BWP) in 5G New Radio (NR)


I made a short tutorial explaining the concept of Bandwidth Part in 5G a while back. Slides and video embedded below.







Further Reading:

Thursday, 23 May 2019

Presentations on Macro Cells and Millimetre-wave Technology from recent CW (Cambridge Wireless) events


CW (Cambridge Wireless) held a couple of very interesting events from 2 very popular groups.

The first one was on "5G wide area coverage: macro cells – the why and the how". This event looked at the design and optimisation of the macro cell layer and its role within future heterogeneous networks. You can access the presentations for limited time on CW website here.

The presentations available are:
Related posts that may be of interest:


The second one was on "Commercialising millimetre-wave technology". The event reviewed the commercial opportunities at millimetre-wave frequencies, what bands are available and what licensing is needed. You can access the presentations on CW website for limited time here.

The presentations available are:

We recently made a video to educate people outside our industry about non-mmWave 5G. It's embedded below.


Sunday, 19 May 2019

VoLTE Hacking


The 10th Annual HITB Security Conference took place from the 6th till the 10th of May 2019 in The Netherlands. The theme for the conference this year is 'The Hacks of Future Past'. One of the presentations was on the topic 'VoLTE Phreaking' by Ralph Moonen, Technical Director at Secura.

The talk covered variety of topics:

  • A little history of telephony hacking (in NL/EU)
  • The landscape now
  • Intercepting communications in 2019
  • Vulnerabilities discovered: some new, some old
  • An app to monitor traffic on a phone

The talk provides details on how VoLTE can potentially be hacked. In a lot of instances it is some or the other misconfigurations that makes VoLTE less secure. One of the slides that caught my attention was the differences in VoLTE signaling from different operators (probably due to different vendors) as shown above.

Anyway, I am not going into more details here. The presentation is available here.


The thread in the Tweet above also provided some good references on VoLTE hacking. They are as follows:



Related Posts:


Monday, 29 April 2019

Evolution of Security from 4G to 5G


Dr. Anand Prasad, who is well known in the industry, not just as CISO of Rakuten Mobile Networks but also as the Chairman of 3GPP SA3, the mobile communications security and privacy group, recently delivered a talk on '4G to 5G Evolution: In-Depth Security Perspective'.


The video of the talk is embedded below and the slides are available here.



An article on similar topic by Anand Prasad, et al. is also available on 3GPP website here.


Related posts and articles:

Tuesday, 12 February 2019

Prof. Andy Sutton: 5G Radio Access Network Architecture Evolution - Jan 2019


Prof. Andy Sutton delivered his annual IET talk last month which was held the 6th Annual 5G conference. You can watch the videos for that event here (not all have been uploaded at the time of writing this post). His talks have always been very popular on this blog with the last year talk being 2nd most popular while the one in 2017 was the most popular one. Thanks also to IET for hosting this annual event and IET Tv for making this videos available for free.

The slides and video is embedded below but for new starters, before jumping to this, you may want to check out about 5G Network Architecture options in our tutorial here.




As always, this is full of useful information with insight into how BT/EE is thinking about deploying 5G in UK.

Related Posts:

Thursday, 3 January 2019

Nice short articles on 5G in 25th Anniversary Special NTT Docomo Technical Journal

5G has dominated the 3G4G blog for last few years. Top 10 posts for 2018 featured 6 posts on 5G while top 10 posts for 2017 featured 7. In makes sense to start 2019 posting with a 5G post.

A special 25th Anniversary edition of NTT Docomo Technical Journal features some nice short articles on 5G covering RAN, Core, Devices & Use cases. Here is some more details for anyone interested.

Radio Access Network in 5G Era introduces NTT Docomo's view of world regarding 5G, scenarios for the deployment of 5G and also prospects for further development of 5G in the future. The article looks at the main features in 5G RAN that will enable eMBB (Massive MIMO), URLLC (short TTI) and mMTC (eDRX).

Interested readers should also check out:

Core network for Social Infrastructure in 5G Era describes the principal 5G technologies required in the core network to realise new services and applications that will work through collaboration between various industries and businesses. It also introduces initiatives for more advanced operations, required for efficient operation of this increasingly complex network.

This article also goes in detail of the Services Based Architecture (SBA). In case you were wondering what UL CL and SSC above stands for; UpLink CLassifiers (UL CL) is a technology that identifies packets sent by a terminal to a specific IP address and routes them differently (Local Breakout) as can be seen above. It is generally to be used to connect to a MEC server. Session and Service Continuity (SSC) is used to decide if the IP address would be retained when the UE moves to a new area from the old one.

Interested readers should also check out:
Evolution of devices for the 5G Era discusses prospects for the high-speed, high-capacity, low-latency, and many-terminal connectivity features introduced with 5G, as well as advances in the network expected in the future, technologies that will be required for various types of terminal devices and the services, and a vision for devices in 2020 and thereafter.

According to the article, the medium term strategy of R&D division of NTT Docomo has three main themes: 5G, AI and Devices. In simple terms, devices will collect a lot of data which will become big data, 5G will be used to transport this data and the AI will process all the collected Big Data.

NTT Docomo has also redefined the devices as connecting through various technologies including cellular, Wi-Fi, Bluetooth & Fixed communications.

Interested readers should also check out:

The final article on 5G, Views of the Future Pioneered by 5G: A World Converging the Strengths of Partners looks at field trials, partnerships, etc. In fact here the embedded video playlist below shows some of these use cases described in the article



In addition there are other articles too, but in this post I have focused on 5G only.

The 25th Anniversary Special Edition of NTT Docomo Technical Journal is available here.

Saturday, 24 November 2018

5G Top-10 Misconceptions


Here is a video we did a few weeks back to clear the misconceptions about 5G. The list above summarizes the topics covered.



The video is nearly 29 minutes long. If you prefer a shorter version or are bored of hearing me 😜 then a summary version (just over 3 minutes) is in 3G4G tweet below.


The slides can be downloaded from our Slideshare channel as always.

As always, we love your feedback, even when you strongly disagree.

Other interesting recent posts on 5G:


Monday, 19 November 2018

5G NR Radio Protocols Overview


3GPP held a workshop on 5G NR submission towards IMT-2020 last week. You can access all the agenda, documents, etc. on the 3GPP website here. You can also get a combined version of all presentations from the 3G4G website here. I also wrote a slightly detailed article on this workshop on 3G4G website here.

The following is nice overview of the 5G Radio Interface protocol as defined by 3GPP in NR Rel.15 by Sudeep Palat, Intel. The document was submitted to the 3GPP workshop on ITU submission in Brussels on Oct 24, 2018.



The presentation discusses NR radio interface architecture and protocols for control and user plane; covering RRC, SDAP, PDCP, RLC and MAC, focussing on differences and performance benefits compared to LTE.  RRC states and state transitions with reduced transition delays are also discussed.

Related Posts:

Tuesday, 1 May 2018

MAMS (Multi Access Management Services) at MEC integrating LTE and Wi-Fi networks

Came across Multi Access Management Services (MAMS) a few times recently so here is a quick short post on the topic. At present MAMS is under review in IETF and is being supported by Nokia, Intel, Broadcom, Huawei, AT&T, KT.

I heard about MAMS for the first time at a Small Cell Forum event in Mumbai, slides are here for this particular presentation from Nokia.

As you can see from the slide above, MAMS can optimise inter-working of different access domains, particularly at the Edge. A recent presentation from Nokia (here) on this topic provides much more detailed insight.

From the presentation:

        MAMS (Multi Access Management Services) is a framework for

-            Integrating different access network domains based on user plane (e.g. IP layer) interworking,

-            with ability to select access and core network paths independently

-            and user plane treatment based on traffic types

-            that can dynamically adapt to changing network conditions

-            based on negotiation between client and network
        The technical content is available as the following drafts*



-            MAMS User Plane Specification: https://tools.ietf.org/html/draft-zhu-intarea-mams-user-protocol-02




*Currently under review, Co-authors: Nokia, Intel, Broadcom, Huawei, AT&T, KT,

The slides provide much more details, including the different use cases (pic below) for integrating LTE and Wi-Fi at the Edge.


Here are the references for anyone wishing to look at this in more detail:

Thursday, 12 April 2018

#CWHeritage Talk: The History of Synchronization in Digital Cellular Networks


CW (a.k.a. Cambridge Wireless) held a very interesting event titled 'Time for Telecoms' at the Science Museum in London. I managed to record this one talk by Prof. Andy Sutton, who has also kindly shared slides and some other papers that he mentions in his presentation. You can also see the tweets from the event on Twitter.

The video playlist and the presentation is embedded below.






The papers referred to in the presentation/video available as follows:

Sunday, 25 March 2018

5G Security Updates - March 2018


Its been a while since I wrote about 5G security in this fast changing 5G world. If you are new to 3GPP security, you may want to start with my tutorial here.

3GPP SA3 Chairman, Anand R. Prasad recently mentioned in his LinkedIn post:

5G security specification finalized! Paving path for new business & worry less connected technology use.

3GPP SA3 delegates worked long hours diligently to conclude the specification for 5G security standard during 26 Feb.-2 Mar. Several obstacles were overcome by focussed effort of individuals & companies from around the globe. Thanks and congrats to everyone!

All together 1000s of hours of work with millions of miles of travel were spent in 1 week to get the work done. This took 8 meetings (kicked off Feb. 2017) numerous on-line meetings and conference calls.

Excited to declare that this tremendous effort led to timely completion of 5G security specification (TS 33.501) providing secure services to everyone and everything!

The latest version of specs is on 3GPP website here.

ITU also held a workshop on 5G Security in Geneva, Switzerland on 19 March 2018 (link). There were quite a few interesting presentations. Below are some slides that caught my attention.

The picture in the tweet above from China Mobile summarises the major 5G security issues very well. 5G security is going to be far more challenging than previous generations.

The presentation by Haiguang Wang, Huawei contained a lot of good technical information. The picture at the top is from that presentation and highlights the difference between 4G & 5G Security Architecture.


New entities have been introduced to make 5G more open.


EPS-AKA vs 5G-AKA (AKA = Authentication and Key Agreement) for trusted nodes


EAP-AKA' for untrusted nodes.


Slice security is an important topic that multiple speakers touched upon and I think it would continue to be discussed for a foreseeable future.

Dr. Stan Wing S. Wong from King’s College London has some good slides on 5G security issues arising out of Multi-Tenancy and Multi-Network Slicing.

Peter Schneider from Nokia-Bell Labs had good slides on 5G Security Overview for Programmable Cloud-Based Mobile Networks

Sander Kievit from TNO, a regular participant of working group SA3 of 3GPP on behalf of the Dutch operator KPN presented a view from 3GPP SA3 on the Security work item progress (slides). The slide above highlights the changes in 5G key hierarchy.

The ITU 5G Security Workshop Outcomes is available here.

ETSI Security Week 2018 will be held 11-15 June 2018. 5G security/privacy is one of the topics.

There is also 5GPPP Workshop on 5G Networks Security (5G-NS 2018), being held in Hamburg, Germany on August 27-30, 2018.

In the meantime, please feel free to add your comments & suggestions below.


Related Posts & Further Reading: