Showing posts with label Technical Details. Show all posts

Monday 22 February 2021

Reducing 5G Device Power Consumption Using Connected-mode Discontinuous Reception (C-DRX)


Back in 2019, when we were still attending physical events, I heard Sang-Hoon Park, ESVP, Head of Regional Network O&M Headquarter, KT, talk about 'KT's journey to large-scale 5G rollout' at Total Telecom Congress.

South Korea is blessed with three highly competitive MNOs and due to this, the government asked them to launch their 5G networks at the same time in 2018. I have also blogged about how KT is working on reducing the latency of their network here.

Anyway, as you can see in the picture above, using Connected-mode Discontinuous Reception (C-DRX), KT was able to show huge power savings on the Samsung 5G smartphone. They also made the video embedded below:

KT has some more details in their blog post from 2019 here. There are also more details on RayCat here. Both sites are in Korean, but you can use Google Translate to get the details.

What is KT battery saving technology (C-DRX)?

KT's 'battery saving technology' is the short name for 'Connected Mode Discontinuous Reception', or C-DRX. In simple terms, it is one of the technologies that reduces battery usage by periodically switching a smartphone's communication function into a low-power mode while the data connection remains up.

In C-DRX, the base station and the terminal share the C-DRX configuration through RRC setup and reconfiguration, so when the terminal has no packets to send or receive, its transmitter and receiver can be switched off to save battery. The C-DRX settings are then optimised to cut the user's battery consumption and so increase the usable time of the applications that depend on it.

It is a technology that controls, through RRC, the terminal's PDCCH monitoring activity (the downlink control channel tied to the terminal's identifier) in order to reduce the terminal's battery consumption. The base station controls C-DRX through RRC; how the operator optimises and applies it was the big task. KT is the first in Korea to optimise this technology and apply it across the national network.

In simple terms, when the smartphone is not communicating it switches the communication function off completely and enters a standby state to reduce power consumption. Even during standby, the power that would otherwise be wasted on transmitting and receiving is cut, which extends the user's smartphone usage time.

As can be seen from the picture above, the battery saving technology saves battery by completely turning off the communication function when there is no data or voice call. Without it, the phone is always connected to the network and waits even when not in use, so the battery is always feeding the communication function; the battery saving technology overcomes this.
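To make the mechanism above concrete, here is an added simulation (my own code, not KT's or Qualcomm's) of connected-mode DRX: the UE monitors PDCCH only during the on-duration of each DRX cycle or while the inactivity timer, restarted by every scheduling, is running, and sleeps otherwise. The timer names follow the RRC parameters (drx-LongCycle, drx-onDurationTimer, drx-InactivityTimer, drx-StartOffset); the timer values and the packet trace are assumed for illustration, and the scheduling rule (a buffered packet is sent in the first millisecond the UE is awake) is a simplification.

```python
"""Connected-mode DRX (C-DRX) timing model.

Added example, not KT's or Qualcomm's code. It models the RRC-configured
C-DRX timers (drx-LongCycle, drx-onDurationTimer, drx-InactivityTimer,
drx-StartOffset): the UE monitors PDCCH only while the on-duration or the
inactivity timer runs and sleeps the rest of the time. All timer values and
the packet trace are assumed / constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DrxConfig:
    long_cycle_ms: int        # drx-LongCycle
    on_duration_ms: int       # drx-onDurationTimer
    inactivity_ms: int        # drx-InactivityTimer, restarted on each new scheduling
    start_offset_ms: int = 0  # drx-StartOffset


def simulate_drx(cfg, packet_arrivals_ms, duration_ms):
    """Run the UE through `duration_ms` steps of 1 ms.

    Returns (awake_ms, scheduling_delays): how many ms the UE monitored PDCCH
    and, per downlink packet, how long the gNB had to buffer it before it could
    be scheduled. Assumed simplification: a packet is scheduled in the first ms
    in which the UE is awake, and that scheduling restarts the inactivity timer.
    """
    awake_ms = 0
    inactivity_left = 0
    pending = sorted(packet_arrivals_ms)
    delays = []
    for t in range(duration_ms):
        pos_in_cycle = (t - cfg.start_offset_ms) % cfg.long_cycle_ms
        in_on_duration = pos_in_cycle < cfg.on_duration_ms
        active = in_on_duration or inactivity_left > 0
        if inactivity_left > 0:
            inactivity_left -= 1
        if not active:
            continue                                  # radio asleep: no PDCCH monitoring
        awake_ms += 1
        while pending and pending[0] <= t:
            delays.append(t - pending.pop(0))         # buffered data is scheduled now
            inactivity_left = cfg.inactivity_ms       # each scheduling restarts the timer
    return awake_ms, delays


def awake_fraction(cfg, packet_arrivals_ms, duration_ms):
    """Share of the window during which the UE had its receiver on."""
    awake, _ = simulate_drx(cfg, packet_arrivals_ms, duration_ms)
    return awake / duration_ms


# Constructed trace: four downlink packets over a 2 s connected-mode window.
PACKETS_MS = [5, 50, 400, 1000]
WINDOW_MS = 2000
CDRX = DrxConfig(long_cycle_ms=320, on_duration_ms=10, inactivity_ms=100)
NO_DRX = DrxConfig(long_cycle_ms=1, on_duration_ms=1, inactivity_ms=0)   # always awake

if __name__ == "__main__":
    for name, cfg in (("no DRX", NO_DRX), ("C-DRX", CDRX)):
        awake, delays = simulate_drx(cfg, PACKETS_MS, WINDOW_MS)
        print(f"{name:6s}: PDCCH monitored {awake / WINDOW_MS:6.1%} of the time, "
              f"scheduling delays {delays} ms")
```

With these assumed values the receiver is on for under 20% of the window instead of 100%, at the price of up to one DRX cycle of extra latency for packets that arrive while the UE sleeps; that latency cost is exactly what an operator has to balance when "optimising the C-DRX settings" as the KT text puts it.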

When Qualcomm announced their Industry’s First Mobile Platform with Integrated 5G back in 2019, the press release said:

The new integrated Snapdragon 5G mobile platform features Qualcomm® 5G PowerSave technology to enable smartphones with the battery life users expect today. Qualcomm 5G PowerSave builds on connected-mode discontinuous reception (C-DRX, a feature in 3GPP specifications) along with additional techniques from Qualcomm Technologies to enhance battery life in 5G mobile devices – making it comparable to that of Gigabit LTE devices today. Qualcomm 5G PowerSave is also supported in the Snapdragon X50 and X55 5G modems, which are expected to power the first waves of 5G mobile devices introduced this year.

The picture is from the slide deck here. See links in further reading below to learn more about this feature.

Further Reading:

  • All about Wired and Wireless Technology: LTE Connected Mode DRX (link)
  • Netmanias: Future LTE Designed by SK Telecom: ​(2) Application of C-DRX, July 2017 (link)
  • Ericsson: A technical look at 5G mobile device energy efficiency, Feb 2020 (link)
  • ZTE via IEEE Access: Power Saving Techniques for 5G and Beyond, July 2020 (link)

Tuesday 17 November 2020

5G Non IP Data Delivery and Lightweight M2M (LwM2M) over NIDD

Earlier this year, MediaTek announced that its MT2625 NB-IoT chip has been validated for LwM2M over NIDD on SoftBank Corp.'s cellular network across Japan. This achievement marks the first global commercial readiness of LwM2M over NIDD, a secure, ultra-efficient IoT communications technique that is being adopted by operators worldwide. The benefits of LwM2M over NIDD include security improvements, cost-efficient scalability and reduced power consumption.

LwM2M over NIDD combines the communication technology NIDD (Non-IP Data Delivery), which does not use an IP address on the LTE NB-IoT bearer for IoT, with the device management protocol LwM2M (Lightweight M2M) advocated by the Open Mobile Alliance. It's been a while since I wrote about the Open Mobile Alliance on this blog. OMA SpecWorks is the successor brand to the Open Mobile Alliance. You can read all about it here.


OMA SpecWorks' LightweightM2M is a device management protocol designed for sensor networks and the demands of a machine-to-machine (M2M) environment. With LwM2M, OMA SpecWorks has responded to demand in the market for a common standard for managing lightweight and low power devices on a variety of networks necessary to realize the potential of IoT. The LwM2M protocol, designed for remote management of M2M devices and related service enablement, features a modern architectural design based on REST, defines an extensible resource and data model and builds on an efficient secure data transfer standard called the Constrained Application Protocol (CoAP). LwM2M has been specified by a group of industry experts at the OMA SpecWorks Device Management Working Group and is based on protocol and security standards from the IETF.

You can get all the LwM2M resources here and the basic specs of 'Lightweight M2M 1.1: Managing Non-IP Devices in Cellular IoT Networks' here.
The 5G Americas whitepaper 'Wireless Technology Evolution Towards 5G: 3GPP Release 13 to Release 15 and Beyond' details the current architecture for 3GPP systems for IoT service provision and connectivity to external application servers. It also talks about the Rel-13 Cellular IoT EPS Optimizations, which provide improved support for small data transfer over the control plane and the user plane. Control Plane CIoT EPS Optimization transports user data (measurements, ID, status, etc.) via the MME by encapsulating the user data in NAS PDUs, and reduces the total number of control plane messages needed to handle a short data transaction. Although designed for small, infrequent data packets, Control Plane CIoT EPS Optimization can also be used for larger data bursts, depending on UE radio capability.

User data transported using the Control Plane CIoT EPS Optimization has special characteristics, such as different mobility anchor and termination nodes.

Therefore, the Preferred Network Behavior signaling must include information on:
  • Whether Control Plane CIoT EPS optimization is supported
  • Whether User Plane CIoT EPS optimization is supported
  • Whether Control Plane CIoT EPS optimization is preferred or whether User Plane CIoT EPS optimization is preferred
These optimizations have enabled:
  • Non-IP Data Delivery (NIDD) for both mobile originated and mobile terminated communications, by using SCEF (Service Capability Exposure Function) or SGi tunneling. However, it has to be taken into account that Non-IP PDUs may be lost and their sequence is not guaranteed
  • For IP data, the UE and MME may perform header compression based on Robust Header Compression (ROHC) framework
  • NB-IoT UE can attach but not activate any PDN connection
  • High latency communication handled by the buffering of downlink data (in the Serving GW or the MME)
  • SMS transfer
  • EPS Attach, TA Update and EPS Detach procedures for NB-IoT only UEs, with SMS service request
  • Procedures for connection suspend and resume are added
  • Support for transfer of user plane data without the need for using the Service Request procedure to establish Access Stratum context in the serving eNodeB and UE
When selecting an MME for a UE that is using the NB-IoT RAT, and/or for a UE that signals support for CIoT EPS Optimizations in RRC signaling, the eNodeB’s MME selection algorithm shall select an MME taking into account its Release 13 NAS signaling protocol.

Mpirical has a nice short video explaining 5G Non IP Data Delivery. It is embedded below.

IoT has not taken off as expected and as prophesied for years. While OMA SpecWorks is doing some fantastic work by defining a simplified approach to IoT deployment, its current member list doesn't have enough operators to drive the uptake required for its specs to be adopted. They would argue that it doesn't matter how many members there are, as the NIDD approach is completely optional and over-the-top. Let's wait and see how it progresses.

Friday 2 October 2020

5G Enhanced URLLC (eURLLC)

One of the interesting features of 5G is Ultra-Reliability and Low-Latency Communication or URLLC. It has been enhanced as part of 3GPP Release-16. A summary of the changes in eURLLC can be seen in the picture above. 


The ATIS webinar that I blogged about last week covered this topic as well. For example, the L1/L2 changes are summarised nicely in the Qualcomm slide above, while the slide from the Intel speaker below looks at redundant transmission and session continuity.

Redundant transmission in the user plane is an extremely useful feature, especially when the packets are mission critical and have to get from source to destination within a guaranteed time and with guaranteed reliability.

Dual connectivity will enable this redundant path when required to meet a guaranteed reliability. 
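As an added illustration of the redundant-path idea (my own code, not from the ATIS, Intel or Mpirical material referred to above), the model below duplicates every PDU on two legs of a dual-connectivity link, keeps the first copy of each sequence number at the receiver and discards the later duplicate, which is how PDCP duplication over the MCG and SCG legs behaves. The per-path losses and delays are constructed so the arithmetic can be checked by hand.

```python
"""Redundant user-plane transmission over two dual-connectivity legs.

Added example, not from the ATIS/Intel/Mpirical material the post refers to.
The sender duplicates every PDU on both paths; the receiver keeps the first
copy of each sequence number and discards the duplicate (PDCP duplication).
Path losses and delays are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    name: str
    delay_ms: float
    lost_seqs: frozenset     # PDUs this path fails to deliver (constructed)


def deliver_redundant(seqs, paths):
    """Map seq -> (delivery_delay_ms, path_name) for PDUs arriving on at least one path.

    The first copy to arrive wins, so the per-PDU latency is the minimum delay
    over the paths that did not lose it; the later copy is a duplicate and is dropped.
    """
    delivered = {}
    for seq in seqs:
        candidates = [(p.delay_ms, p.name) for p in paths if seq not in p.lost_seqs]
        if candidates:
            delivered[seq] = min(candidates)
    return delivered


def reliability(seqs, paths):
    """Fraction of PDUs delivered within the constructed trace."""
    return len(deliver_redundant(seqs, paths)) / len(seqs)


def independent_loss_bound(loss_probs):
    """Residual loss if per-path losses are independent: product of the path loss rates."""
    p = 1.0
    for lp in loss_probs:
        p *= lp
    return p


# Constructed: six PDUs, an LTE leg and an NR leg with different loss and delay.
SEQS = range(1, 7)
MCG = Path("MCG (LTE)", delay_ms=7.0, lost_seqs=frozenset({5}))
SCG = Path("SCG (NR)", delay_ms=3.0, lost_seqs=frozenset({2, 5}))

if __name__ == "__main__":
    print("single path SCG :", reliability(SEQS, [SCG]))
    print("redundant       :", reliability(SEQS, [MCG, SCG]))
    for seq, (delay, via) in sorted(deliver_redundant(SEQS, [MCG, SCG]).items()):
        print(f"  PDU {seq}: {delay} ms via {via}")
    print("two paths at 1e-3 loss each -> residual loss",
          independent_loss_bound([1e-3, 1e-3]))
```

The point the slide makes falls out of the numbers: a PDU is lost only when both legs lose it, and the delivery latency is that of the faster surviving leg, so the redundant path buys reliability without adding delay on the normal path; the cost is the doubled radio resource usage, which is why it is enabled only when the guaranteed reliability requires it.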

Here is a short video from the training company Mpirical explaining the 5G eURLLC feature:

Thursday 3 September 2020

Two Types of SMS in 5G


GSMA recently published updated "5G Implementation Guidelines: SA Option 2". It explains the two types of SMS in 5G, the same way there were 2 types of SMS in LTE.

Within the 5GC, the SMS Function (SMSF) supports SMS over NAS (SMSoNAS) as defined in 3GPP TS 23.501. Besides this, SMSoIP can also be considered as the IMS-based SMS solution in a 5G network. SMSoIP can be deployed together with voice service over IMS to provide both voice and short message service. It is recommended to use the SMSoNAS solution if voice service over IMS is not supported, or for a 5G data card / Machine Type Communications (MTC) / non-IMS device without voice service. The network architecture of SMSoIP and SMSoNAS is shown in the figure.
Mpirical explains it in the video as embedded below:


You may also find "5G SMS is Very Real and Here to Stay" by William Dudley useful. It covers a lot of technical details and signalling. It's available here.

Sunday 19 July 2020

Mobile Initiated Connection Only (MICO) mode in 5G System


Mobile Initiated Connection Only (MICO) mode is designed for IoT devices that send small amounts of data and do not need to be paged. An example could be a smart bin that sends a message to the waste collection company saying it is 50% full. This way the bin-emptying lorry can plan to empty it on the next collection round. There is no reason to page the bin, as there is no mobile terminated data that would be required.

MICO mode has to be negotiated between the device and the AMF in the 5GC. A device in MICO mode cannot be paged, as it does not listen for paging in order to conserve battery power. This extreme power saving mode can ensure that the battery lasts for a very long time, ideally years, thereby helping make the vision of billions of connected IoT devices a reality.


In an earlier post on RRC Inactive state, we looked at NAS states, along with RRC states. When the UE is in MICO mode, the AMF in 5GC will consider the UE to be unreachable when it is in CM-IDLE state. In addition, a periodic registration timer is also allocated to the MICO mode UEs. The UE has to confirm the MICO mode again during registration update.

The video and presentation are embedded below:





Monday 6 July 2020

A Technical Introduction to 5G NR RRC Inactive State


I looked at the RRC Inactive state back in 2017, but the standards were not completely defined. In the meantime standards have evolved and commercial 5G networks are rolling out left, right and centre. I made a short technical introduction to the RRC_INACTIVE state, comparing it with the 4G states in RRC and NAS. I also looked at some basic signalling examples and there are lots of relevant references at the end. Video and slides embedded below.






Monday 22 June 2020

Carrier Aggregation (CA) and Dual Connectivity (DC)


This topic keeps coming up every few months, with either someone asking me for clarifications or someone asking us to make a video. While I don't think I will manage to get round to making a video any time soon, there are some excellent resources available that should help a new starter. Here they are in the order I think works best.



The first resource, which I think also works best, is this webinar / training from Award Solutions. It covers the topic well, and the image at the top of the post is a good summary for someone who already understands the technology.


It may also help to understand that 5G NSA can have 4G carrier aggregation as well as 5G carrier aggregation, in addition to dual connectivity.


If you saw the video earlier, you noticed that DC actually came as part of LTE in Release-12. We covered it in our Telecom Infrastructure blog here. NTT Docomo Technical journal had a detailed article on 'Carrier Aggregation Enhancement and Dual Connectivity Promising Higher Throughput and Capacity' that covered DC in a lot more technical detail, albeit from LTE point of view only. The article is available here. A WWRF whitepaper from the same era can also provide more details on LTE Small Cell Enhancement by Dual Connectivity. An archived copy of the paper is available here.

Another fantastic resource is this presentation by Rapeepat Ratasuk and Amitava Ghosh from Mobile Radio Research Lab, Nokia Bell Labs. The presentation is available here and details the MCG (Master Cell Group) Split Bearer and SCG (Secondary Cell Group) Split Bearer, etc. This article from Ericsson also provides more detail on this topic while ShareTechNote takes it one level even deeper with technical details and signalling here and here.

So hopefully this is a good detailed starting point on this topic, until we manage to make a simple video someday.

Sunday 19 January 2020

2-step RACH Enhancement for 5G New Radio (NR)

5G Americas recently published a white paper titled "The 5G Evolution: 3GPP Releases 16-17", highlighting new features in 5G that will define the next phase of 5G network deployments across the globe. It's available here. One of its sections details the 2-step RACH enhancement that has been discussed in 3GPP for a while. The 2-step procedure would supersede today's 4-step procedure and would reduce latency and optimise signalling.


Here are the details from the 5G Americas whitepaper:

RACH stands for Random Access Channel, which carries the first message from the UE to the eNB when it is powered on. In terms of Radio Access Network implementation, handling the RACH design can be one of the most important / critical portions.
The contention-based random-access procedure from Release 15 is a four-step procedure, as shown in Figure 3.12. The UE transmits a contention-based PRACH preamble, also known as Msg1. After detecting the preamble, the gNB responds with a random-access response (RAR), also known as Msg2. The RAR includes the detected preamble ID, a time-advance command, a temporary C-RNTI (TC-RNTI), and an uplink grant for scheduling a PUSCH transmission from the UE known as Msg3. The UE transmits Msg3 in response to the RAR including an ID for contention resolution. Upon receiving Msg3, the network transmits the contention resolution message, also known as Msg4, with the contention resolution ID. The UE receives Msg4, and if it finds its contention-resolution ID it sends an acknowledgement on a PUCCH, which completes the 4-step random access procedure.

The four-step random-access procedure requires two round-trip cycles between the UE and the base station, which not only increases the latency but also incurs additional control-signaling overhead. The motivation of two-step RACH is to reduce latency and control-signaling overhead by having a single round trip cycle between the UE and the base station. This is achieved by combining the preamble (Msg1) and the scheduled PUSCH transmission (Msg3) into a single message from the UE, known as MsgA, and then by combining the random-access response (Msg2) and the contention resolution message (Msg4) into a single message from the gNB to the UE, known as MsgB (see Figure 3.13). Furthermore, for unlicensed spectrum, reducing the number of messages transmitted from the UE and the gNB reduces the number of LBT (Listen Before Talk) attempts.

Design targets for two-step RACH:

  • A common design for the three main uses of 5G, i.e. eMBB, URLLC and mMTC in licensed and unlicensed spectrum.
  • Operation in any cell size supported in Release 15, and with or without a valid uplink time alignment (TA).
  • Applicable to different RRC states, i.e. RRC_INACTIVE, RRC_CONNECTED and RRC_IDLE states.
  • All triggers for four-step RACH apply to two-step RACH including, Msg3-based SI request and contention-based beam failure recovery (CB BFR).

As described earlier, MsgA consists of a PRACH preamble and a PUSCH transmission, known as MsgA PRACH and MsgA PUSCH respectively. The MsgA PRACH preambles are separate from the four-step RACH preambles, but can be transmitted in the same PRACH Occasions (ROs) as the preambles of four-step RACH, or in separate ROs. The PUSCH transmissions are organized into PUSCH Occasions (POs) which span multiple symbols and PRBs with optional guard periods and guard bands between consecutive POs. Each PO consists of multiple DMRS ports and DMRS sequences, with each DMRS port/DMRS sequence pair known as a PUSCH resource unit (PRU). Two-step RACH supports at least one-to-one and multiple-to-one mapping between the preambles and PRUs.

After the UE transmits MsgA, it waits for the MsgB response from the gNB. There are three possible outcomes:

  1. gNB doesn’t detect the MsgA PRACH ➡ No response is sent back to the UE ➡ The UE retransmits MsgA or falls back to four-step RACH starting with a Msg1 transmission.
  2. gNB detects MsgA preamble but fails to successfully decode MsgA PUSCH ➡ gNB sends back a fallbackRAR to the UE with the RAPID (random-access preamble ID) and an uplink grant for the MsgA PUSCH retransmission ➡ The UE, upon receiving the fallbackRAR, falls back to four-step RACH with a transmission of Msg3 (retransmission of the MsgA PUSCH).
  3. gNB detects MsgA and successfully decodes MsgA PUSCH ➡ gNB sends back a successRAR to the UE with the contention resolution ID of MsgA ➡ The reception of the successRAR successfully completes the two-step RACH procedure.

As described earlier, MsgB consists of the random-access response and the contention-resolution message. The random-access response is sent when the gNB detects a preamble but cannot successfully decode the corresponding PUSCH transmission. The contention resolution message is sent after the gNB successfully decodes the PUSCH transmission. MsgB can contain a backoff indication, fallbackRAR and/or successRAR. A single MsgB can contain the successRAR of one or more UEs. The fallbackRAR consists of the RAPID, an uplink grant to retransmit the MsgA PUSCH payload and a time-advance command. The successRAR consists of at least the contention resolution ID, the C-RNTI and the TA command.
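The three MsgB outcomes and the fallback paths described above, as an added protocol-exchange model (my own code, not from the 5G Americas paper or from 3GPP RP-190711). The message fields are the ones the text names (RAPID, TA command, UL grant, contention-resolution ID, C-RNTI); what the gNB receiver detects on each attempt is scripted rather than decoded from a real PRACH/PUSCH, and the C-RNTI values are constructed.

```python
"""Two-step RACH (MsgA/MsgB) with the three MsgB outcomes and fallback to four-step RACH.

Added example, not taken from the 5G Americas paper or from 3GPP RP-190711.
Message fields follow the text (RAPID, TA command, C-RNTI, contention-resolution
ID, UL grant); the gNB receiver result per attempt is scripted (constructed).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MsgA:
    preamble_id: int      # MsgA PRACH preamble; its index is the RAPID
    ue_id: int            # contention-resolution identity carried in MsgA PUSCH


@dataclass
class MsgB:
    kind: str             # "successRAR" or "fallbackRAR"
    rapid: int
    ta_command: int
    contention_resolution_id: Optional[int] = None   # successRAR only
    c_rnti: Optional[int] = None                      # successRAR only
    ul_grant: Optional[str] = None                    # fallbackRAR only


class ScriptedGnb:
    """gNB whose receiver result per uplink attempt is scripted (constructed):
    'miss' = preamble not detected, 'preamble_only' = preamble detected but
    PUSCH not decoded, 'full' = preamble and PUSCH both decoded."""

    def __init__(self, outcomes):
        self.outcomes = list(outcomes)
        self.next_c_rnti = 0x4601    # arbitrary constructed start value

    def _alloc_c_rnti(self):
        self.next_c_rnti += 1
        return self.next_c_rnti - 1

    def receive_msga(self, msga):
        outcome = self.outcomes.pop(0)
        if outcome == "miss":
            return None                                          # outcome 1: no MsgB
        if outcome == "preamble_only":                           # outcome 2
            return MsgB("fallbackRAR", msga.preamble_id, ta_command=12,
                        ul_grant="UL grant for Msg3")
        return MsgB("successRAR", msga.preamble_id, ta_command=12,   # outcome 3
                    contention_resolution_id=msga.ue_id, c_rnti=self._alloc_c_rnti())

    def receive_msg1(self, preamble_id):
        if self.outcomes.pop(0) == "miss":
            return None
        return {"rapid": preamble_id, "ta": 12, "tc_rnti": self._alloc_c_rnti()}

    def receive_msg3(self, ue_id):
        return {"contention_resolution_id": ue_id}               # Msg4


def four_step_rach(gnb, ue_id, preamble_id, log):
    """Release 15 four-step procedure: Msg1/Msg2 then Msg3/Msg4 (two round trips)."""
    log.append("UE->gNB Msg1 (PRACH preamble)")
    rar = gnb.receive_msg1(preamble_id)
    if rar is None:
        log.append("gNB: Msg1 not detected, no RAR")
        return {"result": "four-step: no RAR", "round_trips": 1, "c_rnti": None, "log": log}
    log.append("gNB->UE Msg2 (RAR: RAPID, TA, TC-RNTI, UL grant)")
    log.append("UE->gNB Msg3 (contention-resolution ID)")
    won = gnb.receive_msg3(ue_id)["contention_resolution_id"] == ue_id
    log.append("gNB->UE Msg4 (contention resolution)")
    return {"result": "four-step complete" if won else "contention lost",
            "round_trips": 2, "c_rnti": rar["tc_rnti"] if won else None, "log": log}


def two_step_rach(gnb, ue_id, preamble_id=17, max_msga_tx=2):
    """Send MsgA, handle the three MsgB outcomes, fall back to Msg1 once MsgA attempts run out."""
    log = []
    for attempt in range(1, max_msga_tx + 1):
        log.append("UE->gNB MsgA (PRACH preamble + PUSCH)")
        msgb = gnb.receive_msga(MsgA(preamble_id, ue_id))
        if msgb is None:
            log.append("gNB: MsgA PRACH not detected, no MsgB; UE retransmits MsgA")
            continue
        if msgb.kind == "successRAR" and msgb.contention_resolution_id == ue_id:
            log.append("gNB->UE MsgB successRAR (contention-resolution ID, C-RNTI, TA)")
            return {"result": "two-step complete", "round_trips": attempt,
                    "c_rnti": msgb.c_rnti, "log": log}
        if msgb.kind == "fallbackRAR" and msgb.rapid == preamble_id:
            log.append("gNB->UE MsgB fallbackRAR (RAPID, UL grant, TA)")
            log.append("UE->gNB Msg3 (MsgA PUSCH retransmission)")
            won = gnb.receive_msg3(ue_id)["contention_resolution_id"] == ue_id
            log.append("gNB->UE Msg4 (contention resolution)")
            # C-RNTI assignment after the fallback is not modelled here.
            return {"result": "four-step complete via fallbackRAR" if won else "contention lost",
                    "round_trips": attempt + 1, "c_rnti": None, "log": log}
        log.append("gNB->UE MsgB addressed to another UE; UE retransmits MsgA")
    log.append("UE: MsgA attempts exhausted, falling back to four-step RACH from Msg1")
    result = four_step_rach(gnb, ue_id, preamble_id, log)
    result["round_trips"] += max_msga_tx
    return result


if __name__ == "__main__":
    for script in (["full"], ["preamble_only"], ["miss", "miss", "full"]):
        r = two_step_rach(ScriptedGnb(script), ue_id=0xABCD)
        print(f"{script}: {r['result']} after {r['round_trips']} round trip(s)")
        for line in r["log"]:
            print("   ", line)
```

Running the three scripts shows the latency argument numerically: the success case completes in one round trip, the fallbackRAR case costs the same two round trips as four-step RACH, and a missed MsgA costs a wasted MsgA/MsgB window before the UE gives up and starts again from Msg1.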

For more details on this feature, see 3GPP RP-190711, “2-step RACH for NR” (Work-item description)

Wednesday 4 December 2019

Challenges of 5G Inter-Node Handovers

In all mobile communication networks, handovers are the most complex signaling procedures, because multiple network elements (or network functions) are involved. So it is logical that dual connectivity, with two different base stations contributing to the radio connection simultaneously, is even more complicated. And in EN-DC these two base stations often cover different footprints using different carrier frequencies. This leads to a situation where we have more options for performing a handover in detail compared with the plain LTE handover scenarios before.

The two signaling scenarios presented below illustrate in which different ways a change of the LTE master eNodeB can be performed during an ongoing EN-DC radio connection by using the X2 interface. In a very similar way it is also possible to perform S1 handover from old to new MeNB.

The pros and cons of these options have been discussed already by Martin Sauter in his Wireless Moves blog.

Inter-MeNB Handover without 5G Inter-Site Anchor

Figure 1 shows the easiest way of handing over the signaling connection from one MeNB to another one. Here it is up to the new MeNB to decide if and how the 5G part of the radio connection is continued.

Figure 1: X2 Handover of EN-DC connection without 5G inter-site anchor

The handover is triggered when the UE sends a RRC Measurement Report (step 1) indicating that a stronger 4G cell than the currently used primary cell was measured. From its neighbor list the current MeNB detects that this better cell belongs to a neighbor eNB.

To provide both the Master Cell Group (MCG) and Secondary Cell Group (SCG) parameters to this neighbor eNB, the old MeNB queries the SCG configuration parameters from the old SgNB by performing the X2AP SgNB Modification procedure (steps 2+3).

Then it sends the X2AP Handover Request message to the target MeNB (step 4) including all information necessary to continue the 5G radio link in case the target MeNB decides to go for this option.

However, what comes back from the target MeNB is a plain LTE handover command (LTE RRC Connection Reconfiguration message [step 6]) embedded in the X2AP Handover Request Acknowledge message (step 5).

Due to this the old MeNB releases all 5G resources and the UE context in the SgNB (steps 7 + 10).

After the UE has successfully connected via the radio interface with the target cell in the new MeNB, the S1AP Path Switch procedure is executed to re-route the GTP/IP tunnels on S1-U (step 8) and the X2 UE context in the old MeNB is released (step 9).

The new MeNB then waits for a new inter-RAT measurement event B1 (step 11) before starting a new SgNB addition procedure (step 12). Once the SgNB addition is successfully completed, including all necessary reconfigurations/modifications on RRC and S1, the payload transmission over 5G resources is continued.

Inter-MeNB Handover with 5G Inter-Site Anchor

Now figure 2 shows what happens when the new MeNB decides to keep the existing UE context in the SgNB, while the RRC measurement results and parameters are identical to what was presented above.

Figure 2: X2 Handover of EN-DC connection with 5G inter-site anchor

The difference in the call flow starts at step 5 when the new MeNB after receiving the X2AP Handover Request (step 4) starts the X2AP SgNB Addition procedure towards the SgNB (old = new!). The SgNB-UE-X2AP-ID earlier requested in step 2+3 acts as the reference number for the existing context that is going to be continued.

After adding the SgNB UE context successfully, the new MeNB sends the X2AP Handover Request Acknowledge message including a UE Context Kept = "true" flag and the Handover Command (step 8).

After the UE has successfully connected to the target cell of the new MeNB, the S1AP Path Switch procedure is performed and the temporary X2 UE context between the old and new MeNB is released (step 10).

The big advantage of handling the handover in this way: the interruption of payload transmission over 5G radio resources is minimised and the subscriber experience is significantly better compared to the scenario in figure 1.

Friday 22 November 2019

5G Call Drops in EN-DC: A Threat to Service Quality?

As explained in the post about EN-DC setup the addition of 5G NR radio resources to an ongoing LTE connection provides additional bandwidth for user plane data transmission. And it seems to be fair to say that at least in social media today 5G speed test results, especially throughput measurements, are treated as the benchmark for EN-DC service performance. Hence, it is also logical that a loss of the physical 5G radio link (5G drop) could have a serious impact on user experience.

I write "could", because as a matter of fact many 5G drops will not be recognized by subscribers using non-realtime services including HTTP streaming.

Due to the dual connectivity of LTE Master eNodeB (MeNB) and Secondary gNodeB (SgNB), the signaling trigger points indicating a 5G drop are also a bit more complex compared to what we know from LTE. Indeed, both network nodes are able to release 5G radio resources abnormally, using three different X2AP message flow scenarios as shown in figure 1.

Figure 1: Three Basic Signaling Flows for Abnormal Release of 5G Radio Resources

Which of these individual message flows will be found in the trace data depends on which of the two base stations is the first one that detects a problem on the 5G radio link.

A particular case that is seen quite often in live networks is illustrated in figure 2.

Figure 2: 5G Drop due to SCG Failure in UE

Here the trigger is an LTE RRC SCG Failure Information NR message sent by the UE to the MeNB. The MeNB therefore requests the release of the 5G radio resources, which is acknowledged and executed by the SgNB.

In addition (not shown in the figures), the GTP/IP tunnel for user plane transport between the S-GW and the gNB is also released by the MeNB after successful completion of the X2AP SgNB Release procedure.

For the UE the 5G drop is not as serious as a drop of the LTE radio connection would be. It is just a fallback to plain LTE, so to say. And after the GTP/IP tunnel is switched back to a downlink endpoint at the eNB, 4G payload transmission continues.

The longer the overall duration of the radio connection, the higher the risk that the 5G radio resources are lost during an EN-DC call. One of my favorite cases is a subscriber with a radio connection that lasted a bit more than two and a half hours; see figure 3.

Figure 3: Location Session Record of a Single Subscriber indicating a total of 340 SgNB Drops over 2:33 Hours

Thanks to the smart algorithms of NETSCOUT's TrueCall geolocation engine, there is high confidence that he or she is in an indoor environment but is served by an outdoor 5G cell. Thus, the penetration loss of the 5G signal is significant. Due to the higher frequency, path loss also has a bigger impact on the 5G radio signal than on the 4G one. This seems to be the main reason why the 5G radio link drops as often as 340 times, which leads to an overall 5G (SgNB) Drop Rate of 83% for this connection.

However, the impact on the subscriber experience might not be a serious one, as a different KPI, the 5G EN-DC Duration Rate, indicates. According to the Duration Rate, 5G radio resources have been available to the subscriber 99.99% of the time. This is possible because, as also shown in figure 2, new 5G radio resources are allocated to the connection again within a relatively short time. Even if the subscriber is watching e.g. a Netflix video, the buffering of already downloaded data on the end user device should be sufficient to conceal the short interruption of the data transfer over 5G resources.
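To show how the two KPIs contrasted above are derived from trace data, here is an added example (my own code, not NETSCOUT's TrueCall implementation or its exact KPI definitions) that walks an X2AP/RRC event log of one EN-DC connection and computes an SgNB drop rate (abnormal SgNB releases divided by successful SgNB additions) and a 5G EN-DC duration rate (share of the LTE connection time during which SgNB resources were allocated). Both KPI definitions are assumptions chosen to match how the post uses them, the trace is constructed, and the cause labels in it are my own.

```python
"""EN-DC 5G drop KPIs computed from an X2AP/RRC event trace.

Added example, not NETSCOUT's code or its KPI definitions. The trace below is
constructed. Assumed KPI definitions: SgNB drop rate = abnormal SgNB releases /
successful SgNB additions; 5G EN-DC duration rate = seconds with SgNB resources
allocated / seconds of the LTE connection.
"""
from datetime import datetime

# Constructed trace: one LTE connection with three SgNB additions, two abnormal
# releases (a UE-reported SCG failure, then an SgNB-detected radio link failure)
# and a normal release at the end of the call. Cause labels are my own.
TRACE = """\
2019-11-20T09:00:00 | MeNB->SgNB | SgNB Addition Request
2019-11-20T09:00:00 | SgNB->MeNB | SgNB Addition Request Acknowledge
2019-11-20T09:02:00 | UE->MeNB   | SCG Failure Information NR
2019-11-20T09:02:00 | MeNB->SgNB | SgNB Release Request | cause=scg-failure
2019-11-20T09:02:00 | SgNB->MeNB | SgNB Release Request Acknowledge
2019-11-20T09:02:01 | MeNB->SgNB | SgNB Addition Request
2019-11-20T09:02:01 | SgNB->MeNB | SgNB Addition Request Acknowledge
2019-11-20T09:05:00 | SgNB->MeNB | SgNB Release Required | cause=radio-link-failure
2019-11-20T09:05:00 | MeNB->SgNB | SgNB Release Confirm
2019-11-20T09:05:02 | MeNB->SgNB | SgNB Addition Request
2019-11-20T09:05:02 | SgNB->MeNB | SgNB Addition Request Acknowledge
2019-11-20T09:10:00 | MeNB->SgNB | SgNB Release Request | cause=normal-release
2019-11-20T09:10:00 | SgNB->MeNB | SgNB Release Request Acknowledge
"""

ADDITION_OK = "SgNB Addition Request Acknowledge"
# MeNB-initiated and SgNB-initiated release, respectively; both end the 5G leg.
RELEASE_START = ("SgNB Release Request", "SgNB Release Required")


def parse_trace(text):
    """Return [(timestamp, direction, message, cause_or_None)] from the pipe-separated lines."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        ts, direction, message = fields[:3]
        cause = fields[3].split("=", 1)[1] if len(fields) > 3 else None
        events.append((datetime.fromisoformat(ts), direction, message, cause))
    return events


def endc_kpis(events):
    """Walk the events in order and accumulate SgNB additions, drops and 5G-available time."""
    additions = drops = 0
    five_g_seconds = 0.0
    sgnb_since = None                      # time at which the current SgNB leg was added
    for ts, _direction, message, cause in events:
        if message == ADDITION_OK:
            additions += 1
            sgnb_since = ts
        elif message in RELEASE_START and sgnb_since is not None:
            five_g_seconds += (ts - sgnb_since).total_seconds()
            sgnb_since = None
            if cause != "normal-release":  # anything but a normal release counts as a drop
                drops += 1
    session_seconds = (events[-1][0] - events[0][0]).total_seconds()
    return {
        "sgnb_additions": additions,
        "sgnb_drops": drops,
        "sgnb_drop_rate": drops / additions if additions else 0.0,
        "endc_duration_rate": five_g_seconds / session_seconds if session_seconds else 0.0,
    }


if __name__ == "__main__":
    kpis = endc_kpis(parse_trace(TRACE))
    print(f"SgNB additions: {kpis['sgnb_additions']}, drops: {kpis['sgnb_drops']}")
    print(f"SgNB drop rate: {kpis['sgnb_drop_rate']:.1%}, "
          f"EN-DC duration rate: {kpis['endc_duration_rate']:.2%}")
```

On this constructed call the drop rate is 66.7% while the duration rate is 99.5%, the same kind of divergence as the 83% versus 99.99% seen in figure 3: each re-addition takes only a second or two, so the drop counter climbs while the time without 5G barely moves.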

With a rising amount of EN-DC traffic it might become rather problematic for the network to handle the additional signaling load originating from the frequent 5G additions and releases. In extreme cases this may even lead to congestion due to CPU overload in RAN nodes or virtual network functions.

For realtime services like Voice over New Radio (VoNR) the entire situation changes. Here even short interruptions of the user plane radio transmission can be perceived by subscribers, so the 5G Duration Rate KPI discussed above becomes insufficient to estimate service quality. Hence, this will drive the demand for a fully integrated view of 5G RAN and Core KPIs covering both signaling and application quality.

Monday 7 October 2019

Exploiting Possible 5G Vulnerabilities


The standards can try their best to ensure that the next generation of protocols is more secure than the previous one, but there is always some way in which the protocols can be exploited. This is where researchers play an important role in finding such vulnerabilities before they can be exploited by hackers. Frankly, I am quite sure that only a handful of these vulnerabilities are found and that hackers always have something that may never be found.

At the recent HITBSecConf (Hack In The Box Security Conference), Altaf Shaik presented "4G to 5G: New Attacks". He and Ravishankar Borgaonkar have been working to find security issues in cellular networks. In fact, in the GSMA Mobile Security Hall of Fame they both appear twice, individually.

From the talk narrative:

5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers. In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators equipment and also consumer devices such as phones, routers, latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks. We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets to the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools. We did a rigorous testing worldwide to estimate the number of affected base stations and are surprised by the results. Finally our interactions with various vendors and standard bodies and easy fixes to prevent our attacks are discussed.

Slides and video are embedded below.






Slides and Whitepaper can be downloaded from here.

Thursday 18 July 2019

5G SpeedTests and Theoretical Max Speeds Calculations


Right now, Speed Tests are being described as 5G killer apps.



A good point by Benedict Evans



Everyone is excited and wants to see how fast 5G networks can go. If you use Twitter, you will notice loads and loads of speed tests being done on 5G. An example can be seen above.


I recently heard Phil Sheppard, Director of Strategy & Architecture at '3 UK', speak about their upcoming 5G launch. Phil clearly mentioned that because they have a lot more spectrum (see the Operator Watch blog posts here and here) in the capacity layer, their 5G network would be faster than the other UK operators'. He also provided rough real-world peak speeds for Three and the other operators, as can be seen above. Of course, real-world speeds depend greatly on what else is going on in the network and in the cell, so this is just a guideline rather than actual advertised speeds.


I have explained multiple times that all 5G networks being rolled out today are Non-Standalone (NSA) 5G networks. If you don't know what SA and NSA 5G networks are, check this out. As you can see, 5G NSA networks are actually 4G carrier-aggregated networks + 5G carrier-aggregated networks. Not all 4G spectrum will be usable in 5G networks, but let's assume it is.

To calculate the theoretical maximum speed of 5G NSA networks, we can calculate the theoretical maximum 4G Network speeds + theoretical maximum 5G Network speeds.

I have looked at the theoretical calculation of max LTE Carrier Aggregated speeds here. I won't repeat the calculation here, but assuming 3CA for any network is quite realistic.

I also looked at theoretical calculation of 5G FDD New Radio here but then found a website that helps with 5G NR calculation here.

If we look at just the 5G part in the picture from Three, we can see that they list BT/EE and O2 speeds as 0.61 Gbps, i.e. 610 Mbps, for the 5G carrier alone.

Looking at the calculator, if we input theoretical max values into the equation:

Calculating just for DL

J - number of aggregated component carriers,
maximum number (3GPP 38.802): 16
input value: 1

v(j)Layers - maximum number of MIMO layers,
3GPP 38.802: maximum 8 in DL, maximum 4 in UL
input value: 8

Q(j)m modulation order (3GPP 38.804)
For UL and DL Q(j)m is same (QPSK-2, 16QAM-4, 64QAM-6, 256QAM-8)
input value: 8 (256QAM)

f(j) Scaling factor (3GPP 38.306)
input value: 1

FR(j) Frequency Range 3GPP 38.104:
FR1 (450 MHz – 6000 MHz) and FR2 (24250 MHz – 52600 MHz)
input value: FR1

µ(j) -value of carrier configuration (3GPP 38.211)
For DL and UL µ(j) is same (µ(0)=15kHz, µ(1)=30kHz, µ(2)=60kHz, µ(3)=120kHz)
input value: 0 (15kHz)

BW(j)- band Bandwidth, MHz (3GPP 38.104),
should be selected with Frequency Range and µ(i) configuration:
input value: BW:40MHz FR1 µ:15kHz:

Enter a PRB value (if other)
default: 0

Rmax (if you don't know what is it, don't change)
Value depends on the type of coding from 3GPP 38.212
(For LDPC code maximum number is 948/1024 = 0.92578125)
default: 0.92578125

*** Only for TDD ***
Part of the Slots allocated for DL in TDD mode,
where 1 = 100% of Slots (3GPP 38.213, taking into account Flexible slots).
Calculated as: the number of time Slots for DL divided by 14
default value: 0.857142

Part of the Slots allocated for UL in TDD mode,
where 1 = 100% of Slots (3GPP 38.213, taking into account Flexible slots).
Calculated as: 1 minus number of Slots for DL
default value: 0.14285800000000004

Calculated 5G NR Throughput, Mbps: 1584


As you may have noticed, BT/EE has 40 MHz of spectrum while Vodafone in the UK has 50 MHz.

Changing
BW(j)- band Bandwidth, MHz (3GPP 38.104),
should be selected with Frequency Range and µ(i) configuration:
input value: BW:50MHz FR1 µ:15kHz:

Calculated 5G NR Throughput, Mbps: 1982

Now Three UK has 100 MHz immediately available for use. So, changing:

µ(j) -value of carrier configuration (3GPP 38.211)
For DL and UL µ(j) is same (µ(0)=15kHz, µ(1)=30kHz, µ(2)=60kHz, µ(3)=120kHz)
input value: 1 (30kHz)

BW(j)- band Bandwidth, MHz (3GPP 38.104),
should be selected with Frequency Range and µ(i) configuration:
BW:100MHz FR1 µ:30kHz:


Calculated 5G NR Throughput, Mbps: 4006

In theory, a lot of speed is possible with the 100 MHz bandwidth that Three will be able to use. We will have to wait and see who can do a theoretical max SpeedTest. In the meantime remember that a 1Gbps speed test will use over 1 GB of data.
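The calculation above, carried through as an added Python example (this is not code from the post or from the online calculator it links to): the TS 38.306 approximate data rate formula evaluated with the same inputs. The N_PRB values are assumed from TS 38.101-1 Table 5.3.2-1, and the calculator's default TDD DL slot fraction (12 of 14 slots) is applied because the page's 1584 Mbps figure only reproduces with it; with that factor the three figures above come out within 1 Mbps.

```python
# Added example: 3GPP TS 38.306 section 4.1.2 peak data rate, with the post's inputs.
# Not the calculator's own code. N_PRB is a subset of TS 38.101-1 Table 5.3.2-1 (FR1).
N_PRB = {                        # {SCS kHz: {channel bandwidth MHz: N_RB}}
    15: {20: 106, 40: 216, 50: 270},
    30: {40: 106, 50: 133, 100: 273},
}
OVERHEAD = {("FR1", "DL"): 0.14, ("FR1", "UL"): 0.08,   # OH(j) from TS 38.306
            ("FR2", "DL"): 0.18, ("FR2", "UL"): 0.10}
R_MAX_LDPC = 948 / 1024          # 0.92578125, the page's Rmax default
TDD_DL_FRACTION = 12 / 14        # the calculator's default 0.857142 (12 of 14 slots DL)


def nr_throughput_mbps(scs_khz, bw_mhz, layers=8, qm=8, scaling=1.0,
                       rmax=R_MAX_LDPC, fr="FR1", direction="DL",
                       dl_slot_fraction=1.0, carriers=1):
    """Peak rate in Mbps for `carriers` identical component carriers:
    v_layers * Q_m * f * R_max * (N_PRB * 12) / T_s^mu * (1 - OH), where
    T_s^mu = 1e-3 / (14 * 2**mu). The DL slot fraction is not part of the
    38.306 expression; it is applied here only because the calculator the
    post used applies it (assumption, needed to reproduce the page's 1584)."""
    mu = {15: 0, 30: 1, 60: 2, 120: 3}[scs_khz]
    n_prb = N_PRB[scs_khz][bw_mhz]
    symbols_per_second = 14 * (2 ** mu) * 1000          # 1 / T_s^mu
    per_carrier_bps = (layers * qm * scaling * rmax * n_prb * 12
                       * symbols_per_second * (1 - OVERHEAD[(fr, direction)])
                       * dl_slot_fraction)
    return carriers * per_carrier_bps / 1e6


def post_cases():
    """The three configurations the post ran, rounded to 0.1 Mbps."""
    tdd = TDD_DL_FRACTION
    return {
        "BT/EE 40 MHz @ 15 kHz": round(nr_throughput_mbps(15, 40, dl_slot_fraction=tdd), 1),
        "Vodafone 50 MHz @ 15 kHz": round(nr_throughput_mbps(15, 50, dl_slot_fraction=tdd), 1),
        "Three 100 MHz @ 30 kHz": round(nr_throughput_mbps(30, 100, dl_slot_fraction=tdd), 1),
    }


if __name__ == "__main__":
    for label, mbps in post_cases().items():
        print(f"{label}: {mbps} Mbps")
    # Same 40 MHz carrier with the pure 38.306 formula (no TDD slot factor):
    print(f"40 MHz @ 15 kHz, no TDD factor: {nr_throughput_mbps(15, 40):.1f} Mbps")
```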



Related Posts:

Tuesday 9 July 2019

3GPP 5G Standardization Update post RAN#84 (July 2019)

3GPP recently conducted a webinar with Balazs Bertenyi, Chairman of 3GPP RAN in which he goes through some of the key features for 5G Phase 2. The webinar also goes through the details of 5G Release-15 completion, status of Release-16 and a preview of some of Release-17 features.

Slides & video embedded below. Slides can be downloaded from 3GPP website here.








Monday 27 May 2019

Bandwidth Part (BWP) in 5G New Radio (NR)


I made a short tutorial explaining the concept of Bandwidth Part in 5G a while back. Slides and video embedded below.








Thursday 23 May 2019

Presentations on Macro Cells and Millimetre-wave Technology from recent CW (Cambridge Wireless) events


CW (Cambridge Wireless) recently held a couple of very interesting events run by two of its very popular groups.

The first one was on "5G wide area coverage: macro cells – the why and the how". This event looked at the design and optimisation of the macro cell layer and its role within future heterogeneous networks. You can access the presentations for a limited time on the CW website here.

The presentations available are:
Related posts that may be of interest:


The second one was on "Commercialising millimetre-wave technology". The event reviewed the commercial opportunities at millimetre-wave frequencies, what bands are available and what licensing is needed. You can access the presentations on the CW website for a limited time here.

The presentations available are:

We recently made a video to educate people outside our industry about non-mmWave 5G. It's embedded below.


Sunday 19 May 2019

VoLTE Hacking


The 10th Annual HITB Security Conference took place from the 6th to the 10th of May 2019 in The Netherlands. The theme for the conference this year was 'The Hacks of Future Past'. One of the presentations was on the topic 'VoLTE Phreaking' by Ralph Moonen, Technical Director at Secura.

The talk covered a variety of topics:

  • A little history of telephony hacking (in NL/EU)
  • The landscape now
  • Intercepting communications in 2019
  • Vulnerabilities discovered: some new, some old
  • An app to monitor traffic on a phone

The talk provides details on how VoLTE can potentially be hacked. In many instances it is one misconfiguration or another that makes VoLTE less secure. One of the slides that caught my attention was the differences in VoLTE signalling between operators (probably due to different vendors), as shown above.

Anyway, I am not going into more details here. The presentation is available here.


The thread in the Tweet above also provided some good references on VoLTE hacking. They are as follows:


