Showing posts with label Technical Details. Show all posts

Tuesday 9 July 2019

3GPP 5G Standardization Update post RAN#84 (July 2019)

3GPP recently conducted a webinar with Balazs Bertenyi, Chairman of 3GPP RAN, in which he goes through some of the key features for 5G Phase 2. The webinar also goes through the details of 5G Release-15 completion, the status of Release-16 and a preview of some of the Release-17 features.

Slides & video embedded below. Slides can be downloaded from 3GPP website here.








Monday 27 May 2019

Bandwidth Part (BWP) in 5G New Radio (NR)


I made a short tutorial explaining the concept of Bandwidth Part in 5G a while back. Slides and video embedded below.








Thursday 23 May 2019

Presentations on Macro Cells and Millimetre-wave Technology from recent CW (Cambridge Wireless) events


CW (Cambridge Wireless) held a couple of very interesting events from 2 very popular groups.

The first one was on "5G wide area coverage: macro cells – the why and the how". This event looked at the design and optimisation of the macro cell layer and its role within future heterogeneous networks. You can access the presentations for a limited time on the CW website here.

The presentations available are:


The second one was on "Commercialising millimetre-wave technology". The event reviewed the commercial opportunities at millimetre-wave frequencies, what bands are available and what licensing is needed. You can access the presentations on the CW website for a limited time here.

The presentations available are:

We recently made a video to educate people outside our industry about non-mmWave 5G. It's embedded below.


Sunday 19 May 2019

VoLTE Hacking


The 10th Annual HITB Security Conference took place from the 6th till the 10th of May 2019 in The Netherlands. The theme for the conference this year is 'The Hacks of Future Past'. One of the presentations was on the topic 'VoLTE Phreaking' by Ralph Moonen, Technical Director at Secura.

The talk covered a variety of topics:

  • A little history of telephony hacking (in NL/EU)
  • The landscape now
  • Intercepting communications in 2019
  • Vulnerabilities discovered: some new, some old
  • An app to monitor traffic on a phone

The talk provides details on how VoLTE can potentially be hacked. In a lot of instances it is one misconfiguration or another that makes VoLTE less secure. One of the slides that caught my attention showed the differences in VoLTE signaling between different operators (probably due to different vendors), as shown above.

Anyway, I am not going into more details here. The presentation is available here.


The thread in the Tweet above also provided some good references on VoLTE hacking. They are as follows:





Monday 29 April 2019

Evolution of Security from 4G to 5G


Dr. Anand Prasad, who is well known in the industry, not just as CISO of Rakuten Mobile Networks but also as the Chairman of 3GPP SA3, the mobile communications security and privacy group, recently delivered a talk on '4G to 5G Evolution: In-Depth Security Perspective'.


The video of the talk is embedded below and the slides are available here.



An article on similar topic by Anand Prasad, et al. is also available on 3GPP website here.



Tuesday 12 February 2019

Prof. Andy Sutton: 5G Radio Access Network Architecture Evolution - Jan 2019


Prof. Andy Sutton delivered his annual IET talk last month, which was held at the 6th Annual 5G conference. You can watch the videos for that event here (not all have been uploaded at the time of writing this post). His talks have always been very popular on this blog, with last year's talk being the 2nd most popular while the one in 2017 was the most popular one. Thanks also to IET for hosting this annual event and IET Tv for making these videos available for free.

The slides and video are embedded below but, for new starters, before jumping to this, you may want to check out the 5G Network Architecture options in our tutorial here.




As always, this is full of useful information with insight into how BT/EE is thinking about deploying 5G in UK.


Thursday 3 January 2019

Nice short articles on 5G in 25th Anniversary Special NTT Docomo Technical Journal

5G has dominated the 3G4G blog for the last few years. Top 10 posts for 2018 featured 6 posts on 5G while top 10 posts for 2017 featured 7. It makes sense to start 2019 posting with a 5G post.

A special 25th Anniversary edition of NTT Docomo Technical Journal features some nice short articles on 5G covering RAN, Core, Devices & Use cases. Here are some more details for anyone interested.

Radio Access Network in 5G Era introduces NTT Docomo's view of world regarding 5G, scenarios for the deployment of 5G and also prospects for further development of 5G in the future. The article looks at the main features in 5G RAN that will enable eMBB (Massive MIMO), URLLC (short TTI) and mMTC (eDRX).


Core network for Social Infrastructure in 5G Era describes the principal 5G technologies required in the core network to realise new services and applications that will work through collaboration between various industries and businesses. It also introduces initiatives for more advanced operations, required for efficient operation of this increasingly complex network.

This article also goes into detail on the Service Based Architecture (SBA). In case you were wondering what UL CL and SSC above stand for: UpLink CLassifier (UL CL) is a technology that identifies packets sent by a terminal to a specific IP address and routes them differently (Local Breakout), as can be seen above. It is generally used to connect to a MEC server. Session and Service Continuity (SSC) is used to decide whether the IP address is retained when the UE moves from the old area to a new one.

Evolution of devices for the 5G Era discusses prospects for the high-speed, high-capacity, low-latency, and many-terminal connectivity features introduced with 5G, as well as advances in the network expected in the future, technologies that will be required for various types of terminal devices and the services, and a vision for devices in 2020 and thereafter.

According to the article, the medium term strategy of R&D division of NTT Docomo has three main themes: 5G, AI and Devices. In simple terms, devices will collect a lot of data which will become big data, 5G will be used to transport this data and the AI will process all the collected Big Data.

NTT Docomo has also redefined the devices as connecting through various technologies including cellular, Wi-Fi, Bluetooth & Fixed communications.


The final article on 5G, Views of the Future Pioneered by 5G: A World Converging the Strengths of Partners, looks at field trials, partnerships, etc. The embedded video playlist below shows some of the use cases described in the article.



In addition there are other articles too, but in this post I have focused on 5G only.

The 25th Anniversary Special Edition of NTT Docomo Technical Journal is available here.

Saturday 24 November 2018

5G Top-10 Misconceptions


Here is a video we did a few weeks back to clear the misconceptions about 5G. The list above summarizes the topics covered.



The video is nearly 29 minutes long. If you prefer a shorter version or are bored of hearing me 😜 then a summary version (just over 3 minutes) is in 3G4G tweet below.


The slides can be downloaded from our Slideshare channel as always.

As always, we love your feedback, even when you strongly disagree.



Monday 19 November 2018

5G NR Radio Protocols Overview


3GPP held a workshop on 5G NR submission towards IMT-2020 last week. You can access all the agenda, documents, etc. on the 3GPP website here. You can also get a combined version of all presentations from the 3G4G website here. I also wrote a slightly detailed article on this workshop on 3G4G website here.

The following is a nice overview of the 5G Radio Interface protocol as defined by 3GPP in NR Rel.15 by Sudeep Palat, Intel. The document was submitted to the 3GPP workshop on ITU submission in Brussels on Oct 24, 2018.



The presentation discusses NR radio interface architecture and protocols for control and user plane; covering RRC, SDAP, PDCP, RLC and MAC, focussing on differences and performance benefits compared to LTE.  RRC states and state transitions with reduced transition delays are also discussed.


Tuesday 1 May 2018

MAMS (Multi Access Management Services) at MEC integrating LTE and Wi-Fi networks

Came across Multi Access Management Services (MAMS) a few times recently so here is a quick short post on the topic. At present MAMS is under review in IETF and is being supported by Nokia, Intel, Broadcom, Huawei, AT&T, KT.

I heard about MAMS for the first time at a Small Cell Forum event in Mumbai, slides are here for this particular presentation from Nokia.

As you can see from the slide above, MAMS can optimise inter-working of different access domains, particularly at the Edge. A recent presentation from Nokia (here) on this topic provides much more detailed insight.

From the presentation:

MAMS (Multi Access Management Services) is a framework for

  • Integrating different access network domains based on user plane (e.g. IP layer) interworking,
  • with ability to select access and core network paths independently
  • and user plane treatment based on traffic types
  • that can dynamically adapt to changing network conditions
  • based on negotiation between client and network

The technical content is available as the following drafts*

  • MAMS User Plane Specification: https://tools.ietf.org/html/draft-zhu-intarea-mams-user-protocol-02

*Currently under review, Co-authors: Nokia, Intel, Broadcom, Huawei, AT&T, KT,

The slides provide much more details, including the different use cases (pic below) for integrating LTE and Wi-Fi at the Edge.


Here are the references for anyone wishing to look at this in more detail:

Thursday 12 April 2018

#CWHeritage Talk: The History of Synchronization in Digital Cellular Networks


CW (a.k.a. Cambridge Wireless) held a very interesting event titled 'Time for Telecoms' at the Science Museum in London. I managed to record this one talk by Prof. Andy Sutton, who has also kindly shared slides and some other papers that he mentions in his presentation. You can also see the tweets from the event on Twitter.

The video playlist and the presentation are embedded below.






The papers referred to in the presentation/video available as follows:

Sunday 25 March 2018

5G Security Updates - March 2018


It's been a while since I wrote about 5G security in this fast changing 5G world. If you are new to 3GPP security, you may want to start with my tutorial here.

3GPP SA3 Chairman, Anand R. Prasad recently mentioned in his LinkedIn post:

5G security specification finalized! Paving path for new business & worry less connected technology use.

3GPP SA3 delegates worked long hours diligently to conclude the specification for 5G security standard during 26 Feb.-2 Mar. Several obstacles were overcome by focussed effort of individuals & companies from around the globe. Thanks and congrats to everyone!

All together 1000s of hours of work with millions of miles of travel were spent in 1 week to get the work done. This took 8 meetings (kicked off Feb. 2017) numerous on-line meetings and conference calls.

Excited to declare that this tremendous effort led to timely completion of 5G security specification (TS 33.501) providing secure services to everyone and everything!

The latest version of specs is on 3GPP website here.

ITU also held a workshop on 5G Security in Geneva, Switzerland on 19 March 2018 (link). There were quite a few interesting presentations. Below are some slides that caught my attention.

The picture in the tweet above from China Mobile summarises the major 5G security issues very well. 5G security is going to be far more challenging than previous generations.

The presentation by Haiguang Wang, Huawei contained a lot of good technical information. The picture at the top is from that presentation and highlights the difference between 4G & 5G Security Architecture.


New entities have been introduced to make 5G more open.


EPS-AKA vs 5G-AKA (AKA = Authentication and Key Agreement) for trusted nodes


EAP-AKA' for untrusted nodes.


Slice security is an important topic that multiple speakers touched upon and I think it would continue to be discussed for a foreseeable future.

Dr. Stan Wing S. Wong from King’s College London has some good slides on 5G security issues arising out of Multi-Tenancy and Multi-Network Slicing.

Peter Schneider from Nokia-Bell Labs had good slides on 5G Security Overview for Programmable Cloud-Based Mobile Networks

Sander Kievit from TNO, a regular participant of working group SA3 of 3GPP on behalf of the Dutch operator KPN presented a view from 3GPP SA3 on the Security work item progress (slides). The slide above highlights the changes in 5G key hierarchy.

The ITU 5G Security Workshop Outcomes is available here.

ETSI Security Week 2018 will be held 11-15 June 2018. 5G security/privacy is one of the topics.

There is also 5GPPP Workshop on 5G Networks Security (5G-NS 2018), being held in Hamburg, Germany on August 27-30, 2018.

In the meantime, please feel free to add your comments & suggestions below.



Monday 18 December 2017

Control and User Plane Separation of EPC nodes (CUPS) in 3GPP Release-14


One of the items in 3GPP Rel-14 is Control and User Plane Separation of EPC nodes (CUPS). I have made a video explaining this concept that is embedded below.

In 3G networks (just considering the PS domain), the SGSN and GGSN handle the control plane, which is responsible for signalling, as well as the user plane, which is responsible for the user data. This is not a very efficient approach for deployment.

You can have networks that have a lot of signalling (remember the signalling storm?) due to a lot of smartphone users who are not necessarily consuming a lot of data (mainly due to price reasons). On the other hand you can have networks where there is not a lot of signalling but a lot of data consumption. An example of this would be lots of data dongles or MiFi devices where users are also consuming a lot of data, because it’s cheap.

To cater for these different scenarios, the control plane and user plane were separated to an extent in the Evolved Packet Core (EPC). The MME handles the control plane signalling while the S-GW & P-GW handle the user plane.

CUPS goes one step further by separating control & user plane from S-GW, P-GW & TDF. TDF is the Traffic Detection Function, which was introduced together with the Sd reference point as a means for traffic management in Release 11. The Sd reference point is used for Deep Packet Inspection (DPI) purposes. TDF also provides the operators with the opportunity to capitalize on analytics for traffic optimization, charging and content manipulation, and it works very closely with the Policy and Charging Rules Function (PCRF).

As mentioned, CUPS provides the architecture enhancements for the separation of S-GW, P-GW & TDF functionality in the EPC. This enables flexible network deployment and operation, by using either distributed or centralized deployment. It also allows independent scaling between control plane and user plane functions - while not affecting the functionality of the existing nodes subject to this split.

As the 3GPP article mentions, CUPS allows for:
  • Reducing Latency on application service, e.g. by selecting User plane nodes which are closer to the RAN or more appropriate for the intended UE usage type without increasing the number of control plane nodes.
  • Supporting Increase of Data Traffic, by enabling to add user plane nodes without changing the number of SGW-C, PGW-C and TDF-C in the network.
  • Locating and Scaling the CP and UP resources of the EPC nodes independently.
  • Independent evolution of the CP and UP functions.
  • Enabling Software Defined Networking to deliver user plane data more efficiently.

The following high-level principles were also adopted for the CUPS:
  • The CP function terminates the Control Plane protocols: GTP-C, Diameter (Gx, Gy, Gz).
  • A CP function can interface multiple UP functions, and a UP function can be shared by multiple CP functions.
  • An UE is served by a single SGW-CP but multiple SGW-UPs can be selected for different PDN connections. A user plane data packet may traverse multiple UP functions.
  • The CP function controls the processing of the packets in the UP function by provisioning a set of rules in Sx sessions, i.e. Packet Detection Rules for packets inspection, Forwarding Action Rules for packets handling (e.g. forward, duplicate, buffer, drop), QoS Enforcement Rules to enforce QoS policing on the packets, Usage Reporting Rules for measuring the traffic usage.
  • All the 3GPP features impacting the UP function (PCC, Charging, Lawful Interception, etc) are supported, while the UP function is designed as much as possible 3GPP agnostic. For example, the UPF is not aware of bearer concept.
  • Charging and Usage Monitoring are supported by instructing the UP function to measure and report traffic usage, using Usage Reporting Rule(s). No impact is expected to OFCS, OCS and the PCRF.
  • The CP or UP function is responsible for GTP-u F-TEID allocation.
  • A legacy SGW, PGW and TDF can be replaced by a split node without affecting connected legacy nodes.

CUPS forms the basis of EPC architecture evolution for Service-Based Architecture for 5G Core Networks. More in another post soon.

A short video on CUPS below, slides available here.





Thursday 9 November 2017

Quick tutorial on Mobile Network Sharing Options


Here is a quick tutorial on mobile network sharing approaches, looking at site/mast sharing, MORAN, MOCN and GWCN. Slides and video embedded below. If for some reason you prefer a direct link to the video, it's here.

Wednesday 20 September 2017

A quick starter on 4G voice (for beginners)


I recently did a 4G voice presentation for beginners after realizing that even though so many years have passed since VoLTE was launched, people are still unsure how it works or how it's different from CS Fallback.

There are many other posts that discuss these topics in detail on this blog (follow the label) or on 3G4G website. Anyway, here is the video:


The slides are available on 3G4G Slideshare account here. More similar training videos are available here.

Sunday 20 August 2017

Enhanced 5G Security via IMSI Encryption


IMSI Catchers can be a real threat. They don't generally affect anyone unless someone is out to get them. Nevertheless, it's a security flaw that is present even in LTE. This presentation here is a good starting point for learning about IMSI Catchers, and the one here covers privacy and availability attacks.


This article by Ericsson is a good starting point on how 5G will enhance security by IMSI encryption. From the article:
The concept we propose builds on an old idea that the mobile device encrypts its IMSI using home network’s asymmetric key before it is transmitted over the air-interface. By using probabilistic asymmetric encryption scheme – one that uses randomness – the same IMSI encrypted multiple times results in different values of encrypted IMSIs. This makes it infeasible for an active or passive attacker over the air-interface to identify the subscriber. Above is a simplified illustration of how a mobile device encrypts its IMSI. 
Each mobile operator (called the ‘home network’ here) has a public/private pair of asymmetric keys. The home network’s private asymmetric key is kept secret by the home network, while the home network’s public asymmetric key is pre-provisioned in mobile devices along with subscriber-specific IMSIs (Step 0). Note that the home network’s public asymmetric key is not subscriber-specific. 
For every encryption, the mobile device generates a fresh pair of its own public/private asymmetric keys (Step 1). This key pair is used only once, hence called ephemeral, and therefore provide probabilistic property to the encryption scheme. As shown in the figure, the mobile device then generates a new key (Step 2), e.g., using Diffie–Hellman key exchange. This new key is also ephemeral and is used only once to encrypt the mobile device’s IMSI (Step 3) using symmetric algorithm like AES. The use of asymmetric and symmetric crypto primitives as described above is commonly known as integrated/hybrid encryption scheme. The Elliptic Curve Integrated Encryption Scheme (ECIES) is a popular scheme of such kind and is very suitable to the use case of IMSI encryption because of low impact on radio bandwidth and mobile device’s battery. 
The nicest thing about the described concept is that no public key infrastructure is necessary, which significantly reduces deployment complexity, meaning that mobile operators can start deploying IMSI encryption for their subscribers without having to rely on any external party or other mobile operators.

'3GPP TR 33.899: Study on the security aspects of the next generation system' lists one such approach.


The Key steps are as follows:

  1. UE is configured with 5G (e)UICC with ‘K’ key, the Home Network ID, and its associated public key.
  2. SEAF send Identity Request message to NG-UE. NG-UE considers this as an indication to initiate Initial Authentication.
  3. NG-UE performs the following:
    1. Request the (e)UICC application to generate required security material for initial authentication, RANDUE, , COUNTER, KIARenc, and KIARInt.
    2. NG-UE builds IAR as per MASA. In this step NG-UE includes NG-UE Security Capabilities inside the IAR message. It also may include its IMEI. 
    3. NG-UE encrypts the whole IAR including the MAC with the home network public key.
    4. NG-UE sends IAR to SEAF.
  4. Optionally, gNB-CP node adds its Security Capabilities to the transport message between the gNB-CP and the SEAF (e.g., inside S1AP message as per 4G).
  5. gNB-CP sends the respective S1AP message that carries the NG-UE IAR message to the SEAF.
  6. SEAF acquires the gNB-CP security capabilities as per the listed options in clause 5.2.4.12.4.3 and saves them as part of the temporary context for the NG-UE.
  7. SEAF follows MASA and forward the Authentication and Data Request message to the AUSF/ARPF.
  8. When AUSF/ARPF receives the Authentication and Data Request message, authenticates the NG-UE as per MASA and generates the IAS respective keys. AUSF/ARPF may recover the NG-UE IMSI and validate the NG-UE security capabilities.
  9. AUSF/ARPF sends Authentication and Data Response to the SEAF as per MASA with NG-UE Security Capabilities included.
  10. SEAF recovers the Subscriber IMSI, UE security Capabilities, IAS keys, RANDHN, COUNTER and does the following:
    1. Examine the UE Security Capabilities and decides on the Security parameters.
    2. SEAF may acquire the UP-GW security capabilities at this point after receiving the UP-GW identity from AUSF/ARPF or allocate it dynamically through provisioning and load balancing.
  11. SEAF builds IAS and send to the NG-UE following MASA. In addition, SEAF include the gNB-CP protocol agreed upon security parameters in the S1AP message being sent to the gNB-CP node.
  12. gNB-CP recovers gNB-CP protocol agreed upon security parameters and save it as part of the NG-UE current context.
  13. gNB-CP forwards the IAS message to the NG-UE.
  14. NG-UE validates the authenticity of the IAS and authenticates the network as per MASA. In addition, the UE saves all protocols agreed upon security parameters as part of its context. NG-UE sends the Security and Authentication Complete message to the SEAF.
  15. SEAF communicates the agreed upon UP-GW security parameters to the UP-GW during the NG-UE bearer setup.

ARPF - Authentication Credential Repository and Processing Function 
AUSF - Authentication Server Function 
SCMF - Security Context Management Function
SEAF - Security Anchor Function
NG-UE - NG UE
UP - User Plane 
CP - Control Plane
IAR - Initial Authentication Request 
IAS - Initial Authentication Response
gNB - Next Generation NodeB

You may also want to refer to the 5G Network Architecture presentation by Andy Sutton for details.
