
Thursday, 3 March 2011

LTE to 3G Handover Procedure and Signalling

It may be worthwhile brushing up the LTE/SAE Interfaces and Architecture before proceeding.

1) Overview of Handover Operation

With EPC, continuous communication is possible, even while the terminal switches from one type of radio access system to another.

Specifically, in order to achieve the internal network path switching required to change radio access systems, the S-GW provides a mobility management anchor function for handover between 3GPP radio access systems, and the P-GW provides the function for handover between 3GPP and non-3GPP radio access systems. In this way, the IP address does not change when the terminal switches radio access systems, and communications can continue after handover.



In handover between the 3GPP radio access systems, LTE and 3G, handover preparation is done before changing systems, including tasks such as securing resources on the target radio access system, through cooperation between the radio access systems (Figure 3 (a)(A)). Then, when the actual switch occurs, only the network path needs to be switched, reducing handover processing time (Fig.3 (a)(B)). Also, loss of data packets that arrive at the pre-switch access point during handover can be avoided using a data forwarding function (Fig.3 (b)).

In this way, through interaction between radio access systems, fast handover without packet loss is possible, even between radio access systems such as LTE and 3G which cannot be used simultaneously.

2) Handover Preparation Procedure (Fig.3 (a)(A))

The handover preparation procedure for switching radio access from LTE to 3G is shown in Figure 4.


Step (1): The terminal sends a radio quality report containing the handover candidate base-stations and other information to the eNodeB. The eNodeB decides whether handover shall be performed based on the information in the report, identifies the base station and RNC to switch to, and begins handover preparation.

Steps (2) to (3): The eNodeB sends a handover required message to the MME, carrying the RNC identifier and transmission control information for the target radio access system. The MME identifies the SGSN connected to the target RNC from the received RNC identifier and sends the communication control and other information it received from the eNodeB to the SGSN in a forward relocation request signal. The information required to configure the communications path between the S-GW and SGSN, which is used for data transmission after the MME has completed the handover, is sent at the same time.

Steps (4) to (5): The SGSN forwards the relocation request to the RNC, notifying it of the communications control information transmitted from the eNodeB. The RNC performs the required radio configuration processing based on the received information and sends a relocation response to the SGSN. Note that through this process, a 3G radio access bearer is prepared between the SGSN and RNC.

Step (6): The SGSN sends a forward relocation response to the MME to notify it that the relocation procedure has completed. This signal also includes data issued by the SGSN and required to configure a communications path from the S-GW to the SGSN, to be used for data forwarding.

Steps (7) to (8): The MME sends a create indirect data forwarding tunnel request to the S-GW, passing on the information issued by the SGSN that it just received. From this information, the S-GW establishes a communications path from the S-GW to the SGSN for data forwarding and sends a create indirect data forwarding tunnel response to the MME.

Through this handover preparation, target 3G radio-access resources are readied, the radio access bearer between the SGSN and RNC is configured, and the data forwarding path from the S-GW to the SGSN is configured.


3) Handover Procedure for Radio Access System Switching (Fig. 3 (a)(B))

The handover process after switching radio access system is shown in Figure 5.



Steps (1) to (2): When the handover preparation described in Fig.4 is completed, the MME sends a handover command to the eNodeB. When it receives this signal, the eNodeB sends a handover from LTE command for the terminal to switch radio systems. Note that when the eNodeB receives the handover command from the MME, it begins forwarding data packets received from the S-GW. Thereafter, packets for the terminal that arrive at the S-GW are forwarded to the terminal by the path: S-GW, eNodeB, S-GW, SGSN, RNC.

Steps (3) to (6): The terminal switches to 3G and when the radio link configuration is completed, notification that it has connected to the 3G radio access system is sent over each of the links through to the MME: from terminal to RNC, from RNC to SGSN, and from SGSN to MME. This way, the MME can perform Step (10) described below to release the eNodeB resources after a set period of time has elapsed.

Step (7): The MME sends a forward relocation complete acknowledgement to the SGSN. A set period of time after receiving this signal, the SGSN releases the resources related to data forwarding.

Step (8): The SGSN sends a modify bearer request to the S-GW to change from the communications path before the handover, between the S-GW and eNodeB, to one between the S-GW and SGSN. This signal contains information elements required to configure the path from S-GW to SGSN, including those issued by the SGSN. When the S-GW receives this signal, it configures a communications path from the S-GW to the SGSN. In this way, the communications path becomes: S-GW, SGSN, RNC, terminal; and data transmission to the target 3G radio access system begins.

Note that after this point, data forwarding is no longer needed, so the S-GW sends a packet to the eNodeB with an “End Marker” attached, and when the eNodeB receives this packet, it releases its resources related to data forwarding.

Steps (9) to (10): The S-GW sends a modify bearer response to the SGSN, indicating that handover procedure has completed. The MME also releases eNodeB resources that are no longer needed.

Through this handover procedure, data is forwarded during the handover, the switch of radio access bearer is completed, and the communications path from the P-GW to the terminal is updated.

In the examples above, we described the handover procedure between 3GPP radio access systems in which the S-GW did not change, but handovers with S-GW relocation are also possible. In these cases, the P-GW provides the anchor function for path switching, as with switches to non-3GPP access systems.
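The message sequence of Figures 4 and 5 as a small state model, added here as an illustration; it is not code from the original post, from any network vendor or from a 3GPP implementation. Node and message names follow the post where it gives them; the attribute names, the message names for the connection notifications of steps (3) to (6), and the refusal checks are assumptions of the model. It tracks which path a downlink packet takes at each stage, including the indirect forwarding path and the End Marker.

```python
"""State model of the LTE-to-3G handover (S-GW unchanged) described above."""
from dataclasses import dataclass, field


@dataclass
class HandoverModel:
    """Node state for Figures 4 and 5. Attribute names are assumptions of this
    model, not 3GPP information-element names."""
    ue_rat: str = "LTE"            # radio access the terminal is currently using
    sgw_target: str = "eNodeB"     # node the S-GW delivers downlink packets to
    rab_sgsn_rnc: bool = False     # 3G radio access bearer readied, Fig.4 (4)-(5)
    fwd_sgw_to_sgsn: bool = False  # S-GW -> SGSN forwarding tunnel, Fig.4 (7)-(8)
    enb_forwarding: bool = False   # eNodeB forwards S-GW packets back, Fig.5 (1)
    enb_released: bool = False     # eNodeB resources released, Fig.5 (10)
    log: list = field(default_factory=list)

    def _msg(self, src, dst, name):
        self.log.append(f"{src} -> {dst}: {name}")

    # --- Handover preparation, Figure 4 ---
    def prepare(self):
        self._msg("UE", "eNodeB", "Radio quality report")                           # (1)
        self._msg("eNodeB", "MME", "Handover required (target RNC id)")              # (2)
        self._msg("MME", "SGSN", "Forward relocation request")                       # (3)
        self._msg("SGSN", "RNC", "Relocation request")                               # (4)
        self.rab_sgsn_rnc = True   # RNC configures radio resources, 3G RAB readied
        self._msg("RNC", "SGSN", "Relocation response")                              # (5)
        self._msg("SGSN", "MME", "Forward relocation response (SGSN tunnel info)")   # (6)
        self._msg("MME", "S-GW", "Create indirect data forwarding tunnel request")   # (7)
        self.fwd_sgw_to_sgsn = True  # S-GW -> SGSN forwarding path established
        self._msg("S-GW", "MME", "Create indirect data forwarding tunnel response")  # (8)

    # --- Handover execution, Figure 5, steps (1)-(2) ---
    def handover_command(self):
        if not (self.rab_sgsn_rnc and self.fwd_sgw_to_sgsn):
            raise RuntimeError("handover preparation not complete")
        self._msg("MME", "eNodeB", "Handover command")                               # (1)
        self.enb_forwarding = True  # eNodeB starts forwarding packets it receives
        self._msg("eNodeB", "UE", "Handover from LTE command")                       # (2)

    # --- Handover execution, Figure 5, steps (3)-(10) ---
    def path_switch(self):
        if not self.enb_forwarding:
            raise RuntimeError("handover command not yet sent")
        self.ue_rat = "3G"  # terminal switches radio systems
        # Connection notification passed link by link up to the MME (3)-(6);
        # message names here are placeholders, not the 3GPP ones.
        self._msg("UE", "RNC", "Connected to 3G notification")
        self._msg("RNC", "SGSN", "Connected to 3G notification")
        self._msg("SGSN", "MME", "Connected to 3G notification")
        self._msg("MME", "SGSN", "Forward relocation complete acknowledgement")      # (7)
        self._msg("SGSN", "S-GW", "Modify bearer request")                           # (8)
        self.sgw_target = "SGSN"  # S-GW now delivers via S-GW -> SGSN -> RNC
        self._msg("S-GW", "eNodeB", "End Marker")  # forwarding no longer needed
        self.enb_forwarding = False
        self._msg("S-GW", "SGSN", "Modify bearer response")                          # (9)
        self.enb_released = True                                                     # (10)

    def downlink_path(self):
        """Nodes a downlink packet for the terminal traverses in the current state."""
        if self.sgw_target == "SGSN":
            return ["S-GW", "SGSN", "RNC", "UE"]
        if self.enb_forwarding:
            # Packet arrived at the pre-switch access point: forwarded, not lost
            if not self.fwd_sgw_to_sgsn:
                raise RuntimeError("no forwarding tunnel: packet would be lost")
            return ["S-GW", "eNodeB", "S-GW", "SGSN", "RNC", "UE"]
        return ["S-GW", "eNodeB", "UE"]


if __name__ == "__main__":
    m = HandoverModel()
    for phase in (m.prepare, m.handover_command, m.path_switch):
        phase()
        print(f"after {phase.__name__}: {' -> '.join(m.downlink_path())}")
    print("\n".join(m.log))
```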

TERMS

Anchor function: A function which switches the communications path according to the area where the terminal is located, and forwards packets for the terminal to that area.

Relocation: Switching communications equipment such as area switches during communication.


Wednesday, 2 March 2011

UMTS-LTE in 3.5GHz

Two new bands, 3.4-3.6 GHz and 3.6-3.8 GHz, have been designated for Broadband Wireless Access and are already widely available for licensing in Europe. These bands were earlier allocated to the Fixed Service on a primary basis in Region 1. Furthermore, the 3.4-3.6 GHz band was allocated to the mobile service on a primary basis and identified for IMT at WRC-07.

These bands constitute a substantial amount of spectrum that will be available in many countries in the short term. In Europe (Region 1) both bands can be used so block sizes could be large for any duplex arrangement.

The UMTS-LTE 3500 MHz Technical Report (3GPP TR 37.801) is already available as a study of current plans in the frequency bands 3.4-3.6 GHz and 3.6-3.8 GHz for UMTS and LTE systems. Specification work is due for first publication in March 2011 (TSG#51), with a series of specifications updated or being created.

The technical report is embedded below:

Thursday, 16 December 2010

Packet Flow in 2.5G, 3G, 3.5G and 4G




'LTE Signaling' is a very interesting book that has just been released and is a must-have for people involved in design, development and testing. It explains the basic concepts through to the advanced ones and shows how the different components and interfaces fit together.

Though I haven't yet read this book, I have read the earlier one, titled UMTS Signaling, from the same authors, which is an excellent reference for understanding signalling in UMTS. I have no doubt that this book will be of the same high quality.

The excerpt on Wiley's website provides the complete chapter 1, which is quite detailed; the packet flow pictures and details below are extracted from this book.

The first stage of the General Packet Radio Service (GPRS), that is often referred to as the 2.5G network, was deployed in live networks starting after the year 2000. It was basically a system that offered a model of how radio resources (in this case, GSM time slots) that had not been used by Circuit Switched (CS) voice calls could be used for data transmission and, hence, profitability of the network could be enhanced. At the beginning there was no pre-emption for PS (Packet Switched) services, which meant that the packet data needed to wait to be transmitted until CS calls had been finished.

In contrast to the GSM CS calls that had a Dedicated Traffic Channel (DTCH) assigned on the radio interface, the PS data had no access to dedicated radio resources and PS signaling, and the payload was transmitted in unidirectional Temporary Block Flows (TBFs) as shown in Figure 1.2.

In Release 99, when a PDP (Packet Data Protocol) context is activated the UE is ordered by the RNC (Radio Network Controller) to enter the Radio Resource Control (RRC) CELL_DCH state. Dedicated resources are assigned by the Serving Radio Network Controller (SRNC): these are the dedicated physical channels established on the radio interface. Those channels are used for transmission of both IP payload and RRC signaling – see Figure 1.7. RRC signaling includes the exchange of Non-Access Stratum (NAS) messages between the UE and SGSN.

The spreading factor of the radio bearer (as the combination of several physical transport resources on the Air and Iub interfaces is called) depends on the expected UL/DL IP throughput. The expected data transfer rate can be found in the RANAP (Radio Access Network Application Part) part of the Radio Access Bearer (RAB) assignment request message that is used to establish the Iu bearer, a GPRS Tunneling Protocol (GTP) tunnel for transmission of an IP payload on the IuPS interface between SRNC and SGSN. While the spreading factor controls the bandwidth of the radio connection, a sophisticated power control algorithm guarantees the necessary quality of the radio transmission. For instance, this power control ensures that the number of retransmitted frames does not exceed a certain critical threshold.

Activation of PDP context results also in the establishment of another GTP tunnel on the Gn interface between SGSN and GGSN. In contrast to IuPS, where tunnel management is a task of RANAP, on the Gn interface – as in (E)GPRS – the GPRS Tunneling Protocol – Control (GTP-C) is responsible for context (or tunnel) activation, modification, and deletion.

However, in Release 99 the maximum possible bit rate is still limited to 384 kbps for a single connection and, more dramatically, the number of users per cell that can be served by this highest possible bit rate is very limited (only four simultaneous 384 kbps connections per cell are possible on the DL due to the shortness of DL spreading codes).

To increase the maximum possible bit rate per cell as well as for the individual user, HSPA was defined in Releases 5 and 6 of 3GPP.

In High-Speed Downlink Packet Access (HSDPA) the High-Speed Downlink Shared Channel (HSDSCH) which bundles several High-Speed Physical Downlink Shared Channels (HS-PDSCHs) is used by several UEs simultaneously – that is why it is called a shared channel.

A single UE using HSDPA works in the RRC CELL_DCH state. For DL payload transport the HSDSCH is used, that is, mapped onto the HS-PDSCH. The UL IP payload is still transferred using a dedicated physical data channel (and appropriate Iub transport bearer); in addition, the RRC signaling is exchanged between the UE and RNC using the dedicated channels – see Figure 1.8.

All these channels have to be set up and (re)configured during the call. In all these cases both parties of the radio connection, cell and UE, have to be informed about the required changes. While communication between NodeB (cell) and CRNC (Controlling Radio Network Controller) uses NBAP (Node B Application Part), the connection between the UE and SRNC (physically the same RNC unit, but different protocol entity) uses the RRC protocol.

The big advantage of using a shared channel is higher efficiency in the usage of available radio resources. There is no limitation due to the availability of codes and the individual data rate assigned to a UE can be adjusted quicker to the real needs. The only limitation is the availability of processing resources (represented by channel card elements) and buffer memory in the base station.

From the user plane QoS perspective the two major targets of LTE are:
• a further increase in the available bandwidth and maximum data rate per cell as well as for the individual subscriber;
• reducing the delays and interruptions in user data transfer to a minimum.

These are the reasons why LTE has an always-on concept in which the radio bearer is set up immediately when a subscriber is attached to the network. And all radio resources provided to subscribers by the E-UTRAN are shared resources, as shown in Figure 1.9. Here it is illustrated that the IP payload as well as RRC and NAS signaling are transmitted on the radio interfaces using unidirectional shared channels, the UL-SCH and the Downlink Shared Channel (DL-SCH). The payload part of this radio connection is called the radio bearer. The radio bearer is the bidirectional point-to-point connection for the user plane between the UE and eNodeB (eNB). The RAB is the user plane connection between the UE and the Serving Gateway (S-GW) and the S5 bearer is the user plane connection between the S-GW and public data network gateway (PDN-GW).

The end-to-end connection between the UE and PDN-GW, that is, the gateway to the IP world outside the operator’s network, is called a PDN connection in the E-UTRAN standard documents and a session in the core network standards. Regardless, the main characteristic of this PDN connection is that the IP payload is transparently tunneled through the core and the radio access network.

To control the tunnels and radio resources a set of control plane connections runs in parallel with the payload transport. On the radio interface RRC and NAS signaling messages are transmitted using the same shared channels and the same RLC transport layer that is used to transport the IP payload.

RRC signaling terminates in the eNB (different from 3G UTRAN where RRC was transparently routed by NodeB to the RNC). The NAS signaling information is – as in 3G UTRAN – simply forwarded to the Mobility Management Entity (MME) and/or UE by the eNB.

You can read about all these things and much more in detail on Wiley's website here.

Wednesday, 8 December 2010

SON for reducing Opex in Legacy Networks

Presented by Stéphane Téral, Principal Analyst, Mobile and FMC Infrastructure, Infonetics Research in the 1st Self-Organizing Networks Conference, 30th Nov and 1st Dec. 2010 at the Waldorf Hilton.

Wednesday, 20 October 2010

Fast Dormancy in Release-8

Nokia Siemens Networks has collaborated with Qualcomm to carry out the industry’s first successful interoperability test of the new 3GPP standardized Release 8 Fast Dormancy feature. Unlike proprietary approaches to fast dormancy, the new standard allows operators to take full advantage of smart network features such as Cell_PCH without worrying that individual handset settings will ignore network controls.

The test was conducted at Nokia Siemens Networks’ Smart Lab in Dallas using Nokia Siemens Networks’ Flexi Multiradio Base Station and Radio Network Controller and Qualcomm’s QSC7230TM smartphone optimized chipset. The test showed how smartphones can act dynamically, exploiting Cell_PCH on Nokia Siemens Networks’ smart networks or adjusting to Fast Dormancy on other vendors’ traditional networks.

In fact, operators have been getting upset for quite some time about smartphone hacks that save UE battery life but cause network signalling congestion. See here.

To explain the problem, let's look at the actual signalling that occurs when the UE is not transmitting anything. Most probably it is put into the CELL_PCH or URA_PCH state. When keep-alive messages need to be sent, the state is transitioned to CELL_FACH, and once they are sent the UE is moved back to CELL_PCH. Now, the transition back from CELL_FACH (or CELL_DCH) to CELL_PCH can take quite some time, depending on the operator parameters, and this wastes UE battery life.

To get round this problem, the UE manufacturers put a hack in the phone: if there is no data to transmit for a short period, the UE sends an RRC Signalling Connection Release Indication (SCRI) message. This message is meant for the case where something has gone wrong in the UE and the UE wants the network to tear the connection down by sending an RRC Connection Release message. Either way, the network is forced to release the connection.

If another keep-alive message needs to be sent (they are needed for lots of apps like Skype, IM clients, etc.), the RRC connection has to be established all over again, and this causes a lot of unnecessary signalling for the network, leading to congestion at peak times.

To speed up the transition to the CELL_PCH state, in Release-8 the UE is supposed to include the cause value "UE Requested PS Data session end" when it sends the SCRI message. Once the network receives this cause, it should immediately move the UE to the CELL_PCH state.

This is a win-win situation for both the network and the UE vendors, as long as a lot of UEs implement it. The good thing is that even a pre-Rel-8 UE can implement this, and if the network supports the feature it would work.
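A small simulation of the three UE behaviours just described (network inactivity timer only, the pre-Rel-8 SCRI hack, and Rel-8 fast dormancy with the cause value), added here as an illustration; it is not code from the original post, from NSN or Qualcomm, or from any 3GPP specification. The RRC message counts per transition, the timer values and the keep-alive interval are simplifying assumptions of this model and are labelled in the code.

```python
"""Signalling-cost model of RRC state handling for periodic keep-alives."""
from dataclasses import dataclass

IDLE, CELL_PCH, CELL_FACH = "IDLE", "CELL_PCH", "CELL_FACH"

# Assumed RRC message cost of each transition. Simplified: NAS and radio bearer
# setup signalling is ignored; only the RRC exchanges named here are counted.
COST_IDLE_TO_FACH = 3   # RRC Connection Request / Setup / Setup Complete
COST_PCH_TO_FACH = 2    # Cell Update / Cell Update Confirm
COST_SCRI_RELEASE = 2   # SCRI without cause + RRC Connection Release
COST_SCRI_REL8 = 2      # SCRI with cause "UE Requested PS Data session end"
                        # + network reconfiguration of the UE to CELL_PCH
COST_TIMER_TO_PCH = 1   # network reconfiguration to CELL_PCH after its timer expires


@dataclass
class Outcome:
    rrc_messages: int       # RRC messages the network had to process
    seconds_in_fach: float  # time the UE spent in CELL_FACH (battery-drain proxy)
    final_state: str


def simulate(policy: str, keepalives: int = 10,
             network_inactivity_timer: float = 10.0,
             ue_dormancy_threshold: float = 2.0) -> Outcome:
    """Send `keepalives` keep-alive messages from one UE under a given policy.

    policy:
      "timer"  - UE does nothing; the network moves it CELL_FACH -> CELL_PCH only
                 when its inactivity timer expires (slow, drains the battery).
      "legacy" - pre-Rel-8 hack: the UE sends SCRI after ue_dormancy_threshold and
                 the network releases the RRC connection, so the next keep-alive
                 has to set up a new RRC connection from IDLE.
      "rel8"   - Release-8 fast dormancy: the SCRI carries the PS-data-session-end
                 cause and the network moves the UE straight to CELL_PCH.
    Timer values are assumptions of this model, not operator parameters.
    """
    state = IDLE  # assumption: the UE starts in idle mode
    msgs = 0
    fach_time = 0.0
    for _ in range(keepalives):
        # 1. reach CELL_FACH so that the keep-alive can be sent
        if state == IDLE:
            msgs += COST_IDLE_TO_FACH
        elif state == CELL_PCH:
            msgs += COST_PCH_TO_FACH
        state = CELL_FACH
        # 2. leave CELL_FACH according to the policy
        if policy == "timer":
            fach_time += network_inactivity_timer
            msgs += COST_TIMER_TO_PCH
            state = CELL_PCH
        elif policy == "legacy":
            fach_time += ue_dormancy_threshold
            msgs += COST_SCRI_RELEASE
            state = IDLE
        elif policy == "rel8":
            fach_time += ue_dormancy_threshold
            msgs += COST_SCRI_REL8
            state = CELL_PCH
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return Outcome(msgs, fach_time, state)


def compare(keepalives: int = 10) -> dict:
    """Run all three policies with the same number of keep-alives."""
    return {p: simulate(p, keepalives) for p in ("timer", "legacy", "rel8")}


if __name__ == "__main__":
    for name, o in compare().items():
        print(f"{name:7s} rrc_messages={o.rrc_messages:3d} "
              f"seconds_in_fach={o.seconds_in_fach:6.1f} final={o.final_state}")
```

With the default assumptions the Rel-8 policy keeps the UE active as briefly as the legacy hack but with fewer RRC messages, which is the trade-off the post describes.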

GSMA has created a best practices document for this feature which is embedded below.




Monday, 18 October 2010

TETRA Evolution

A couple of interesting presentations on TETRA Evolution.





Tuesday, 5 October 2010

3GPP Green activities / Energy Saving initiatives


3GPP has been working on Energy saving initiatives for Release-10 and Release-11. Here is a very quick summary of some of these items.

Telecommunication management; Study on Energy Savings Management (ESM)

Most mobile network operators aim at reducing their greenhouse emissions, by several means such as limiting their networks' energy consumption.

In new generation Radio Access Networks such as LTE, Energy Savings Management function takes place especially when mobile network operators want e.g. to reduce Tx power, switch off/on cell, etc. based on measurements made in the network having shown that there is no need to maintain active the full set of NE capabilities.

By initiating this Work Item about Energy Savings Management, 3GPP hopes to contribute to the protection of our environment and the environment of future generations.

The objective of this technical work is to study automated energy savings management features. Usage of existing IRPs is expected as much as possible, e.g. Configuration Management IRP, etc. However, this technical work may identify the need for defining a new IRP.

The following operations may be considered in this study item (but not necessarily limited to):
• Retrieval of energy consumption measurements
• Retrieval of traffic load measurements
• Adjust Network Resources capabilities


OAM aspects of Energy Saving in Radio Networks

There are strong requirements from operators on the management and monitoring of energy saving functions and the evaluation of its impact on the network and service quality. Therefore an efficient and standardized Management of Energy Saving functionality is needed. Coordination with other functionalities like load balancing and optimization functions is also required.

The objectives of this work item are:
• Define Energy Savings Management OAM requirements and solutions for the following use cases:
  • eNodeB Overlaid
  • Carrier restricted
  • Capacity Limited Network
• Define OAM requirements and solutions for coordination of ESM with other functions like:
  • Self-Optimization
  • Self Healing
  • Traditional configuration management
  • Fault Management
• Select existing measurements which can be used for assessing the impact and effect of Energy Saving actions corresponding to the above Energy Saving use cases.
• Define new measurements which are required for assessing the impact and effect of Energy Saving actions, including measurements of the energy consumption corresponding to the above Energy Saving use cases.


Study on impacts on UE-Core Network signalling from Energy Saving

Energy Saving (ES) mechanisms are becoming an integral part of radio networks, and consequently, of mobile networks. Strong requirements from operators (for reasons of cost and environmental image) and indirectly from authorities (for the sake of meeting overall international and national targets) have been formulated. With the expected masses of mobile network radio equipment as commodities, in the form of Home NB/eNBs, this aspect becomes even more crucial.

It is necessary to ensure that ES does not lead to service degradation or inefficiencies in the network. In particular:
• the activation status of radio stations (on/off) introduces a new scale of dynamicity for the UE and network;
• mass effects in signalling potentially endanger the network stability and need to be handled properly.

It is unclear whether and how currently defined procedures are able to cope with, and eventually can be optimized for, ES conditions; thus a systematic study is needed.

The study aims, within the defined CT1 work areas, at:
• analysing UE idle mode procedures and UE-Core Network signalling resulting from frequent switch on/off of radio equipment in all 3GPP accesses, including home cell deployment and I-WLAN;
• performing a corresponding analysis for connected mode UEs;
• analysing similar impacts from activation status of non-3GPP access networks;
• documenting limitations, weaknesses and inefficiencies in these procedures, with emphasis on mass effects in the UE-Core Network signalling;
• studying potential optimizations and enhancements to these procedures;

The study shall also evaluate and give recommendations on potential enhancements to 3GPP specifications (whether and where they are seen necessary).


Study on Solutions for Energy Saving within UTRA Node B

Due to the need to reduce energy consumption within operators' networks, and considering the large amount of UMTS network equipment deployed in the field around the world, the standardisation of methods to save energy in UMTS Node Bs is seen as an important area of study for 3GPP. There has not been a large amount of focus on energy-saving in UMTS networks so far in 3GPP, although some solutions have been agreed in Release 9. Therefore it is proposed to start an initial study phase to identify solutions and perform any initial evaluation, such that a subset of these proposals can be used as the basis for further investigation of their feasibility.

The objective is to do an initial study to identify potential solutions to enable energy saving within UMTS Node-Bs, and do light initial evaluation of the proposed solutions, with the aim that a subset of them can be taken forward for further investigation as part of a more focused study in 3GPP.

The solutions identified in this study item should consider the following aspects:
• Impacts on the time for legacy and new UEs to gain access to service from the Node B
• Impacts on legacy and new terminals (e.g. power consumption, mobility)

Some initial indication of these aspects in relation to the proposed solutions should be provided.


Study on Network Energy Saving for E-UTRAN

The power efficiency in the infrastructure and terminal should be an essential part of the cost-related requirements in LTE-A. There is a strong need to investigate possible network energy saving mechanisms to reduce CO2 emission and OPEX of operators.

Although some solutions have been proposed and part of them have been agreed in Release-9, there has not been a large amount of attention on energy saving for E-UTRAN so far. Many potential solutions are not fully shown and discussed yet. Therefore, it is proposed to start an initial study phase to identify solutions, evaluate their gains and impacts on specifications.

The following use cases will be considered in this study item:
• Intra-eNB energy saving
• Inter-eNB energy saving
• Inter-RAT energy saving

Intra-eNB energy saving: in an E-UTRAN network, a single cell can operate in energy saving mode when the resource utilization is sufficiently low. In this case, the reduction of energy consumption will be mainly based on traffic monitoring with regard to QoS and coverage assurance.

A lot of work on Inter-eNB energy saving has already been done for both LTE and UTRA in Rel-9. This Study Item will investigate additional aspects (if any) on top of what was already agreed for R9.

Inter-RAT energy saving: in this use case, legacy networks, i.e. GERAN and UTRAN, provide radio coverage together with E-UTRAN. For example, E-UTRAN Cell A is totally covered by UTRAN Cell B. Cell B is deployed to provide basic coverage for voice or medium/low-speed data services in the area, while Cell A enhances the capability of the area to support high-speed data services. The energy saving procedure can then be enabled based on the interaction of the E-UTRAN and UTRAN systems.

The objective of this study item is to identify potential solutions for energy saving in E-UTRAN and perform initial evaluation of the proposed solutions, so that a subset of them can be used as the basis for further investigation and standardization.

Energy saving solutions identified in this study item should be justified by valid scenario(s), and based on cell/network load situation. Impacts on legacy and new terminals when introducing an energy saving solution should be carefully considered. The scope of the study item shall be as follows:
• User accessibility should be guaranteed when a cell transfers to energy saving mode
• Backward compatibility shall be ensured and the ability to provide energy saving for Rel-10 network deployment that serves a number of legacy UEs should be considered
• Solutions shall not impact the Uu physical layer
• The solutions should not impact negatively the UE power consumption

RAN2 will focus on the Intra-eNB energy saving, while RAN3 will work on Inter-RAT energy saving and potential additional Inter-eNB energy saving technology.


Study on Solutions for GSM/EDGE BTS Energy Saving

There has not been a large amount of focus on energy-saving in GSM/EDGE networks so far in 3GPP, although some solutions have been agreed in previous Releases, notably MCBTS. Therefore it is proposed to start an initial study phase to identify solutions and perform any initial evaluation, such that a subset of these proposals can be used as the basis for further investigation of their feasibility.

The objective is to study potential solutions to enable energy saving within the BTS (including MCBTS and MSR), and evaluate each proposed solution in detail. These potential solutions shall focus on the following specific aspects:
• Reduction of Power on the BCCH carrier (potentially enabling dynamic adjustment of BCCH power)
• Reduction of power on DL common control channels
• Reduction of power on DL channels in dedicated mode, DTM and packet transfer mode
• Deactivation of cells (e.g. Cell Power Down and Cell DTX like concepts as discussed in RAN)
• Deactivation of other RATs in areas with multi-RAT deployments, for example, where the mobile station could assist the network to suspend/minimise specific in-use RATs at specific times of day
• And any other radio interface impacted power reduction solutions.

The solutions identified in this study item shall also consider the following aspects:
• Impacts on the time for legacy and new mobile stations to gain access to service from the BTS
• Impacts on legacy and new mobile stations to keep the ongoing service (without increasing drop rate)
• Impacts on legacy and new mobile stations implementation and power consumption, e.g. due to reduction in DL power, cell (re-)selection performance, handover performance, etc.
• Impacts on UL/DL coverage balance, especially to CS voice

Solutions shall be considered for both BTS energy saving non-supporting and supporting mobile stations (i.e. solutions that are non-backwards compatible towards legacy mobile stations shall be out of the scope of this study).

Thursday, 30 September 2010

RF Pattern Matching adopted in 3GPP Release-10

RF Pattern Matching is now a recognized unique location method in standards that provides carriers and OEMs with the ability to offer high accuracy location-based services that traditionally haven’t been available with low-accuracy Cell-ID based technologies. RF Pattern Matching will be incorporated into Release 10 of the 3G UMTS specifications, expected to become final in late 2010 or early 2011. This will also set the stage for opportunities to incorporate RF Pattern Matching into LTE and other future air interfaces.


“The decision to incorporate RF Pattern Matching into the 3G UMTS specifications is needed for all service providers wanting to provide the highest-SLA option for LBS as it gives them more credible options for public safety and commercial applications,” said Manlio Allegra, president and chief executive officer at Polaris Wireless. “This level of LBS accuracy will create an improved user experience for wireless customers, which ultimately generates additional revenue streams for carriers and other enterprises offering LBS applications.”


Polaris WLS™ is a patent-protected implementation of RF Pattern Matching, which provides the best network-based location performance in urban and indoor settings and is a perfect complement to A-GPS, enabling a best-in-class hybrid solution. Polaris’ WLS™ works without the RF Pattern Matching definition in standards, but standardization through 3GPP allows for future performance enhancements and provides flexibility for the solution and carrier implementations. Polaris’s current WLS products will continue to operate within existing standards.


By being included in the 3G UMTS standard, Polaris’ location technology has received further validation as one of the most accurate in the world. Polaris will now be considered a preferred provider to Tier 1 carriers and infrastructure vendors who want to add a high accuracy location solution to their technology mix that meets the new 3GPP standard.


The FCC is currently considering new E911 Phase II regulations that would improve indoor location capabilities for first responders. Using RF Pattern Matching, Polaris’ WLS™ software solution enables carriers and OEMs to be prepared to meet these new FCC requirements with little or no investment in new infrastructure or hardware.

RF Pattern Matching Discussion document presented in 3GPP is embedded below:


Tuesday, 14 September 2010

Femtocell Interference Management in real life

A couple of years back we blogged about the Femtocell Interference in Macro network. Since then things have moved on a long way. There are commercial rollouts happening, with Vodafone leading the way. Yesterday, I was reading Prof. Simon Saunders' article on Femtocells and the following struck me.

A major technical challenge that femtocell designers initially faced was the need to manage potential interference. It takes up to two years to install conventional base stations, during which time radio engineers meticulously plan a station’s position and radio characteristics to avoid interference. However, such an approach is not viable in the case of femtocells, deployed potentially in their millions at random. Automating a process conducted by radio engineers was no mean feat and simply would not have been possible a few years ago.

Fortunately, the fact that the walls of buildings keep 3G signals out and keep the femtocell’s signals in provides strong inherent interference mitigation for indoor femtocells. Extensive studies have shown that proper implementation of a few key techniques to reduce interference can take advantage of this attenuation in an intelligent manner. Such techniques include frequent monitoring of the cell’s surrounding radio environment combined with adaptive power control. Indoor users gain faster data rates, as do outdoor users who now operate on less congested cells, while it costs less for operators to deliver higher overall network capacity. Large-scale, real-world deployments are demonstrating that these techniques work in practice and even allow new approaches, such as operating 3G networks in the same spectrum as 2G networks.

AT&T has deployed femtocells on the same frequencies as both the hopping channels for GSM macrocells and with UMTS macrocells. They have tested thousands of femtocells, and found that the mitigation techniques implemented successfully minimise and avoid interference. The more femtocells are deployed, the more uplink interference is reduced.

It is very interesting to see that the interference is not causing any problems in real life.


Back in Feb, Femto Forum released a new report on "Interference Management in UMTS Femtocells". A similar report was released in Dec. 08. Then in March they released a similar report for OFDMA (covering both LTE and WiMAX) femtocells. They are interesting reading for those who are interested in this area.


The European Union has a similar programme called FREEDOM (Femtocell-based network enhancement by interference management and coordination of information for seamless connectivity). FREEDOM focuses on:
  • Advanced interference-aware cooperative PHY techniques,
  • Improvement of the control plane procedures for seamless connectivity, and
  • System-level evaluation and hardware demonstrator of the proposed femto-based network architecture.

More info on their website (http://www.ict-freedom.eu/). You can see their scenario document that shows different interference scenarios and also compares different approaches including those of Femto Forum, 3GPP and WiMAX.

Tuesday, 3 August 2010

Double whammy for GSM Security

Via PC World:

A researcher at the Def Con security conference in Las Vegas demonstrated that he could impersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.

How does the GSM snooping work?

Chris Paget was able to patch together an IMSI (International Mobile Identity Subscriber) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area--the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.

What happens to the calls?

Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it's possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.

But, aren't my calls encrypted?

Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained "Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers."

What wireless provider networks are affected?

Good news for Sprint and Verizon customers--those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile--as well as most major carriers outside of the United States--rely on GSM.

Does 3G protect me from this hack?

This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier--equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.

Another one from CNET:

A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.

The public availability of the software - dubbed Airprobe -- means that anyone with the right hardware can snoop on other peoples' calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.

Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.

"This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they've patched the system or not," he told CNET in an interview shortly before his presentation. "Now you can listen in on a strangers' phone calls with very little effort."

An earlier incarnation of Airprobe was incomplete so Nohl and others worked to make it usable, he said.

Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, "even encrypted calls and text messages can be decoded," he said.

To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.

More information about the tool and the privacy issues is on the Security Research Labs Web site.
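The two articles above describe conditions a handset could notice for itself: GSM ciphering being switched off (the indicator the spec requires but most phones do not show) and a drop from 3G onto a 2G cell that appears from nowhere. The following is an added example, not code from either article or from Paget's or Nohl's projects, of how a monitoring app on the phone might apply those two heuristics to its own serving-cell log. The log format, the `CellObs` record and every value in `SAMPLE_LOG` are constructed for this example; `A5/0` is the real GSM name for "no ciphering".

```python
"""Added example: handset-side heuristics for the two conditions described in
the articles (ciphering switched off, and a 3G->2G fall-back onto an
unfamiliar cell). The log format and all values below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CellObs:
    """One serving-cell observation as a monitoring app might log it (assumed format)."""
    t: int        # seconds since monitoring started (constructed)
    rat: str      # radio access technology: "3G" or "2G"
    lac: int      # location area code of the serving cell
    cid: int      # cell identity
    cipher: str   # negotiated algorithm; "A5/0" means no ciphering on GSM


def find_anomalies(log: List[CellObs]) -> List[Tuple[int, str]]:
    """Return (time, reason) pairs for observations worth warning the user about."""
    alerts: List[Tuple[int, str]] = []
    known_cells = set()   # (rat, lac, cid) triples seen earlier in this log
    prev = None
    for obs in log:
        key = (obs.rat, obs.lac, obs.cid)
        # Heuristic 1: GSM ciphering disabled. This is the indicator the spec
        # mandates and the article says most phones never display.
        if obs.rat == "2G" and obs.cipher == "A5/0":
            alerts.append((obs.t, "GSM ciphering disabled (A5/0)"))
        # Heuristic 2: the phone just dropped from 3G to 2G and landed on a
        # cell it has never logged before. On its own this also fires for an
        # ordinary first fall-back, so it needs corroboration (see below).
        if prev is not None and prev.rat == "3G" and obs.rat == "2G" and key not in known_cells:
            alerts.append((obs.t, "3G->2G fall-back onto unfamiliar cell"))
        known_cells.add(key)
        prev = obs
    return alerts


def corroborated(alerts: List[Tuple[int, str]]) -> List[int]:
    """Times at which two different heuristics fired together: the strong signal."""
    reasons_at = {}
    for t, reason in alerts:
        reasons_at.setdefault(t, set()).add(reason)
    return sorted(t for t, reasons in reasons_at.items() if len(reasons) >= 2)


# Constructed log: normal 3G service, one ordinary ciphered 2G fall-back,
# then a fall-back onto a never-seen 2G cell that does not cipher at all.
SAMPLE_LOG = [
    CellObs(0,   "3G", 1001, 55001, "UEA1"),
    CellObs(60,  "3G", 1001, 55002, "UEA1"),
    CellObs(120, "2G", 1001, 20001, "A5/1"),   # ordinary 2G fall-back, ciphered
    CellObs(180, "3G", 1001, 55001, "UEA1"),
    CellObs(240, "2G", 9999, 1,     "A5/0"),   # unfamiliar cell, no ciphering
    CellObs(300, "2G", 9999, 1,     "A5/0"),
]

if __name__ == "__main__":
    found = find_anomalies(SAMPLE_LOG)
    for t, reason in found:
        print(f"t={t:>4}s  {reason}")
    print("corroborated at:", corroborated(SAMPLE_LOG and found))
```

Run on the constructed log, the unfamiliar-cell heuristic fires for the ordinary fall-back at t=120 as well as at t=240, which is why the example only treats a timestamp as suspicious when both heuristics agree; the A5/0 observation alone is what the standard already says should be shown to the user.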


Friday, 28 May 2010

UMTS/HSPA State Transition Problems to be solved with LTE

The way UMTS/HSPA is designed, the mobile (UE) normally sits in the IDLE state. If there is some data to be transferred then the UE moves to CELL_DCH. If the amount of data is very small the UE could move to the CELL_FACH state instead. The UE can also move to CELL_PCH and URA_PCH if required, but will not necessarily do so if the operator has not configured those states.

The problem in UMTS/HSPA is that these state transitions take quite some time (in mobile terms) and can slow down the browsing experience. Martin has blogged about the state transition problems caused by the keep-alive messages used by apps. These small data transfers don't let the UE go into the IDLE state, and if it does go IDLE, a whole raft of signalling has to occur again for the UE to get back to CELL_FACH or CELL_DCH. In another post Martin also pointed out the sluggishness caused by the UE being in the CELL_FACH state.


Mike Thelander of the Signals Research Group presented a similar story at the recently concluded LTE World Summit. It can be seen from the figure above that moving from IDLE to CELL_DCH takes 1-3 seconds whereas FACH to DCH takes 500 ms.

If some apps are running in the background, they may be using keep-alive or background messages which are very useful on a PC but, on mobiles, cause unnecessary state transitions and hence lots of signalling overhead.

The app creators have realised this problem and are working with the phone manufacturers to optimise their messaging. For example, for some apps on mobiles the keep-alive interval has been changed from 20 seconds to 5 minutes.
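To make the interaction between keep-alive interval and RRC state transitions concrete, here is an added simulation (not from the post, Martin's blog or the Signals Research Group presentation). It uses the promotion latencies quoted above (IDLE to CELL_DCH taken as 2 s out of the 1-3 s range, CELL_FACH to CELL_DCH 500 ms) and assumes every keep-alive is served on CELL_DCH; the two inactivity timers in `RrcTimers` are constructed values, since real operators tune them, and the 4 s and 10 s intervals are added to show the cases between "never released" and "always from IDLE".

```python
"""Added example: how a periodic app keep-alive interacts with UMTS RRC
inactivity timers. Promotion latencies are the post's figures (IDLE->CELL_DCH
1-3 s, taken as 2 s; CELL_FACH->CELL_DCH 500 ms); the timers are assumed."""
from dataclasses import dataclass

# Time the UE waits before it can send, depending on the state it is promoted from.
PROMOTION_LATENCY_S = {"IDLE": 2.0, "CELL_FACH": 0.5, "CELL_DCH": 0.0}


@dataclass(frozen=True)
class RrcTimers:
    """Network-side inactivity timers (assumed values; operator configurable)."""
    dch_to_fach_s: float = 5.0    # CELL_DCH -> CELL_FACH after this much inactivity
    fach_to_idle_s: float = 12.0  # CELL_FACH -> IDLE after this much further inactivity


def state_after_idle(idle_s: float, timers: RrcTimers) -> str:
    """State a UE last active in CELL_DCH has been demoted to after idle_s seconds."""
    if idle_s < timers.dch_to_fach_s:
        return "CELL_DCH"
    if idle_s < timers.dch_to_fach_s + timers.fach_to_idle_s:
        return "CELL_FACH"
    return "IDLE"


def simulate(keepalive_s: float, duration_s: float = 3600.0,
             timers: RrcTimers = RrcTimers()) -> dict:
    """Count the state each keep-alive finds the UE in, assuming every keep-alive
    is small data that nevertheless needs CELL_DCH (the post's problem case)."""
    found_in = {"IDLE": 0, "CELL_FACH": 0, "CELL_DCH": 0}
    latency_s = 0.0
    last_activity = None   # the UE starts IDLE, with no previous activity
    t = 0.0
    while t < duration_s:
        state = "IDLE" if last_activity is None else state_after_idle(t - last_activity, timers)
        found_in[state] += 1
        latency_s += PROMOTION_LATENCY_S[state]
        last_activity = t   # keep-alive sent: the UE is back in CELL_DCH from here
        t += keepalive_s
    return {
        "keepalives": sum(found_in.values()),
        "from_idle": found_in["IDLE"],        # full RRC connection set-up each time
        "from_fach": found_in["CELL_FACH"],   # the cheaper FACH->DCH promotion
        "already_dch": found_in["CELL_DCH"],  # radio never released (battery cost)
        "latency_s": latency_s,               # total time spent waiting for DCH
    }


if __name__ == "__main__":
    for interval in (4.0, 10.0, 20.0, 300.0):
        print(f"keep-alive every {interval:>5}s -> {simulate(interval)}")
```

With these timers a 20 s keep-alive drops the UE all the way to IDLE before every message (180 full connection set-ups an hour), a 300 s keep-alive does the same but only 12 times, a 10 s keep-alive keeps it in CELL_FACH and pays the cheaper promotion 359 times, and a 4 s keep-alive never lets the radio go at all. Which of those is "best" depends on whether the operator is worried about signalling load or the user about battery, which is exactly the trade-off the app and handset makers are negotiating.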

3GPP also realised this problem quite a while back, and for this reason two new features were added to HSPA+ in Release-7: Continuous Packet Connectivity (CPC) and Enhanced CELL_FACH. In Release-8 these HSPA+ features were added in the UL direction as well. The sole aim of these features was to reduce the time it takes to transition to CELL_DCH. Since CPC also increases cell capacity, more users can now be kept in CELL_FACH instead of being sent to IDLE.

An interesting thing in the case of LTE is that the RRC states have been simplified to just two, as shown here: IDLE and CONNECTED. The intention for LTE is that all users can be left in the CONNECTED state, so that unnecessary signalling and the time spent on transitions can be reduced.

The preliminary results from the trials (as can also be seen from here) discussed at the LTE World Summit clearly show that LTE gives a capacity increase of 4 times (in the same BW) and also allows very low latency. I am sure that enough tests with real-life applications like Skype, Fring and Yahoo IM have not been done yet, but I am hopeful of a positive outcome.

Monday, 1 March 2010

GSM-UMTS Network migration towards LTE


Another interesting white-paper from 3G Americas. The following from their press release:

A 3rd Generation Partnership Project (3GPP) specification, LTE will serve to unify the fixed and mobile broadband worlds and will open the door to new converged multimedia services. As an all-IP-based technology, LTE will drive a major network transformation as the traditional circuit-based applications and services migrate to an all-IP environment, though introducing LTE will require support and coordination between a complex ecosystem of application servers, devices/terminals and interaction with existing technologies. The report discusses functionality and steps GSM-UMTS network operators may use to effectively evolve their networks to LTE and identifies potential challenges and solutions for enabling the interaction of LTE with GSM, GPRS and UMTS networks.

“This white paper reveals solutions that facilitate a smooth migration for network operators as they deploy LTE,” stated Chris Pearson, president of 3G Americas. “3GPP has clearly defined the technology standards in Release 9 and Release 10, and this paper explores the implementation of these standards on 3GPP networks.”



A reported 130 operators around the world have written LTE into their technology roadmaps. In December 2009, TeliaSonera launched the world’s first LTE networks in Norway and Sweden and an estimated 17 operators are expected to follow in its footsteps in 2010.

“LTE is receiving widespread support and powerful endorsements from industry leaders around the world, but it is important to keep in mind that the evolution to LTE will require a multi-year effort,” Pearson said. “LTE must efficiently and seamlessly coexist with existing wireless technologies during its rise to becoming the leading next-generation wireless technology.”

Operators planning LTE deployments must consider the implications of utilizing LTE in an ecosystem comprising 2G, 3G and future “4G” wireless technologies. Therefore, operators planning an LTE deployment will need to offer multi-technology devices with networks that allow mobility and service continuity between GSM, EDGE, HSPA and LTE.


Thursday, 11 February 2010

UICC and USIM in 3GPP Release 8 and Release 9


In the good old days of GSM, the SIM was a physical card with a GSM "application" (GSM 11.11).

In the brave new world of 3G+, the UICC is the physical card with basic logical functionality (based on 3GPP TS 31.101) and the USIM is the 3G application on the UICC (3GPP TS 31.102). The UICC can contain multiple applications such as the SIM (for GSM), USIM and ISIM (for IMS). There is an interesting Telenor presentation on the current and future state of the UICC which may be worth the read. See references below.

UICC was originally known as "UMTS IC card". The incorporation of the ETSI UMTS activities into the more global perspective of 3GPP required a change of this name. As a result this was changed to "Universal Integrated Circuit Card". Similarly USIM (UMTS Subscriber Identity Module) changed to Universal Subscriber Identity Module.

The following is from the 3G Americas Whitepaper on Mobile Broadband:

UICC (3GPP TS 31.101) remains the trusted operator anchor in the user domain for LTE/SAE, leading to evolved applications and security on the UICC. With the completion of Rel-8 features, the UICC now plays significant roles within the network.

Some of the Rel-8 achievements from standards (ETSI, 3GPP) are in the following areas:

USIM (TS 31.102)
With Rel-8, all USIM features have been updated to support LTE and new features to better support non-3GPP access systems, mobility management, and emergency situations have been adopted.

The USIM is mandatory for the authentication and secure access to EPC even for non-3GPP access systems. 3GPP has approved some important features in the USIM to enable efficient network selection mechanisms. With the addition of CDMA2000 and HRPD access technologies into the PLMN, the USIM PLMN lists now enable roaming selection among CDMA, UMTS, and LTE access systems.

Taking advantage of its high security, USIM now stores mobility management parameters for SAE/LTE. Critical information like location information or EPS security context is to be stored in USIM rather than the device.

USIM in LTE networks is not just a matter of digital security but also physical safety. The USIM now stores the ICE (In Case of Emergency) user information, which is now standardized. This feature allows first responders (police, firefighters, and emergency medical staff) to retrieve medical information such as blood type, allergies, and emergency contacts, even if the subscriber lies unconscious.

3GPP has also approved the storage of the eCall parameters in USIM. When activated, the eCall system establishes a voice connection with the emergency services and sends critical data including time, location, and vehicle identification, to speed up response times by emergency services. ECalls can be generated manually by vehicle occupants or automatically by in-vehicle sensors.

TOOLKIT FEATURES IMPROVEMENT (TS 31.111)
New toolkit features have been added in Rel-8 for the support of NFC, M2M, OMA-DS, DM and to enhance coverage information.

The contactless interface has now been completely integrated with the UICC to enable NFC use cases where UICC applications proactively trigger contactless interfaces.

Toolkit features have been updated for terminals with limited capabilities (e.g. datacard or M2M wireless modules). These features will be notably beneficial in the M2M market where terminals often lack a screen or a keyboard.

UICC applications will now be able to trigger OMA-DM and DS sessions to enable easier device support and data synchronization operations, as well as interact in DVB networks.

Toolkit features have been enriched to help operators in their network deployments, particularly with LTE. A toolkit event has been added to inform a UICC application of a network rejection, such as a registration attempt failure. This feature will provide important information to operators about network coverage. Additionally, a UICC proactive command now allows the reporting of the signal strength measurement from an LTE base station.

CONTACT MANAGER
Rel-8 defined a multimedia phone book (3GPP TS 31.220) for the USIM based on OMA-DS and its corresponding JavaCard API (3GPP TS 31.221).

REMOTE MANAGEMENT EVOLUTION (TS 31.115 AND TS 31.116)
With IP sessions becoming prominent, an additional capability to multiplex the remote application and file management over a single CAT_TP link in a BIP session has been completed. Remote sessions to update the UICC now benefit from additional flexibility and security with the latest addition of the AES algorithm rather than a simple DES algorithm.

CONFIDENTIAL APPLICATION MANAGEMENT IN UICC FOR THIRD PARTIES
The security model in the UICC has been improved to allow the hosting of confidential (e.g. third party) applications. This enhancement was necessary to support new business models arising in the marketplace, with third party MVNOs, M-Payment and Mobile TV applications. These new features notably enable UICC memory rental, remote secure management of this memory and its content by the third party vendor, and support new business models supported by the Trusted Service Manager concept.

SECURE CHANNEL BETWEEN THE UICC AND TERMINAL
A secure channel solution has been specified that enables a trusted and secure communication between the UICC and the terminal. The secure channel is also available between two applications residing respectively on the UICC and on the terminal. The secure channel is applicable to both ISO and USB interfaces.

RELEASE 9 ENHANCEMENTS: UICC: ENABLING M2M AND FEMTOCELLS
The role of femtocell USIM is increasing in provisioning information for Home eNodeB, the 3GPP name for femtocell. USIMs inside handsets provide a simple and automatic access to femtocells based on operator and user-controlled Closed Subscriber Group list.

Work is ongoing in 3GPP for the discovery of surrounding femtocells using toolkit commands. Contrary to macro base stations deployed by network operators, a femtocell location is out of the control of the operator since a subscriber can purchase a Home eNodeB and plug it anywhere at any time. A solution based on USIM toolkit feature will allow the operator to identify the femtocells serving a given subscriber. Operators will be able to adapt their services based on the femtocells available.

The upcoming releases will develop and capitalize on the IP layer for UICC remote application management (RAM) over HTTP or HTTPS. The network can also send a push message to UICC to initiate a communication using TCP protocol.

Additional guidance is also expected from the future releases with regards to the M2M dedicated form factor for the UICC that is currently under discussion to accommodate environments with temperature or mechanical constraints surpassing those currently specified by the 3GPP standard.

Some work is also expected to complete the picture of a full IP UICC integrated in IP-enabled terminal with the migration of services over EEM/USB and the capability for the UICC to register on multicast based services (such as mobile TV).

Further Reading:

Monday, 14 September 2009

TD-SCDMA, TDD and FDD

After my posting on TD-SCDMA so many people asked me what TD-SCDMA is. I am surprised that so many people are not aware of TD-SCDMA, so here is a quick posting on it.

TDD and FDD Mode of Operation

Basically, most of the UMTS networks in operation are Frequency Division Duplex (FDD) based. There is also another variant called Time Division Duplex, or TDD. In reality there is more than one variant of TDD, so the normal 5 MHz bandwidth TDD is called Wideband TDD or WTDD. To confuse people, WTDD also goes by another name, High Chip Rate TDD (HCR-TDD). There is another variant of TDD, as you would have guessed, known as Narrowband TDD (NTDD). NTDD is also known as Low Chip Rate TDD (LCR-TDD) and, most popularly, as TD-SCDMA or Time Division Synchronous CDMA.

"Synchronous" implies that uplink signals are synchronized at the base station receiver, achieved by continuous timing adjustments. This reduces the interference between users of the same timeslot using different codes by improving the orthogonality between the codes, therefore increasing system capacity, at the cost of some hardware complexity in achieving uplink synchronization.

The normal bandwidth of the FDD or TDD mode of operation is 5 MHz, which gives a chip rate of 3.84 Mcps (megachips per second). The corresponding figures for TD-SCDMA are 1.66 MHz and 1.28 Mcps.


Asymmetric operation in TDD mode

The advantages of TDD over FDD are:
  • It does not require paired spectrum: FDD uses different frequencies for UL and DL whereas TDD uses the same frequency for both, hence it is easier to deploy.
  • The channel characteristics are the same in both directions because the same band is used.
  • The UL and DL bandwidth allocation can be changed dynamically depending on the traffic.
The disadvantages of TDD over FDD are:
  • Switching between transmission directions requires time, and the switching transients must be controlled. To avoid corrupted transmission, the uplink and downlink transmissions require a common means of agreeing on transmission direction and allowed time to transmit. Corruption of transmission is avoided by allocating a guard period which allows uncorrupted propagation to counter the propagation delay. Discontinuous transmission may also cause audible interference to audio equipment that does not comply with electromagnetic susceptibility requirements.
  • Base stations need to be synchronised with respect to the uplink and downlink transmission times. If neighbouring base stations use different uplink and downlink assignments and share the same channel, then interference may occur between cells. This can increase the complexity of the system and the cost.
  • It also does not support soft/softer handovers.
Timing Synchronisation between different terminals

By the way, in Release 7 a new TDD mode of operation with 10 MHz bandwidth (7.86 Mcps) has been added. Unfortunately I don't know much about it.

You can read more about TD-SCDMA in whitepaper 'TD-SCDMA: the Solution for TDD bands'

You can find more information on TD-SCDMA at: http://www.td-forum.org/en/

Wednesday, 8 July 2009

UK: Ofcom releases 3G coverage maps

Ofcom has just released (or, as The Register puts it, found under the sofa) 3G coverage maps for the UK. They're useful for people who don't live in big towns but are planning to take out contracts on dongles/data services: they can now quickly check which operator to go for.

These 3G coverage maps by mobile operator were prepared in January 2009. They represent the area where we have assessed the mobile operators met a minimum coverage threshold set by Ofcom (see technical notes below). The shaded areas on the maps indicate areas where customers have the possibility of making and receiving a call outside over a 3G network (but with no guarantee of being able to do so). They do not indicate areas where customers are able to access higher data rate services.

All operators produce their own coverage indicators on their websites which are likely to provide more reliable guidance to network availability in any given area. The accuracy and detail of the maps are not to the same level as the mobile operators publish. These maps show UK-wide general coverage and are not suitable for zooming in to see specific locations i.e. a particular house or street. Also they are not suitable for assessing the quality or depth of coverage within the indicated areas (e.g. different operators may be able to offer better or worse data rate services or support a smaller or greater number of users).

You can see the PDF of the coverage maps here.

Wireless Cellular Security

Arvind, an old colleague, recently spoke at ACM Bangalore on the topic of security. Here is his presentation:

There are lots of interesting questions and answers. One interesting one is:

Does number portability mean that data within an AuC is compromised?

Not really. Number portability does not mean sensitive data from the old AuC is transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that the MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.

You can read all the Q&As here.

I wrote a tutorial on UMTS security many years back. It's available here.

Friday, 15 May 2009

Testing UMTS protocols

Testing UMTS by Dan Fox, Anritsu

It's nearly three years since I wrote an FAQ on UMTS Testing, so when I got my hands on this book the other day I so wanted to read it. It will be a while before I manage to go through the book in detail, but my initial impression is that this book looks quite good.

Since the book deals with Protocol Testing, the testing has been grouped into three categories:

  1. Integration Testing
  2. Conformance Testing
  3. Interoperability Testing

There is a chapter explaining each of these. The Conformance testing is of interest to me as I have been involved directly and indirectly with this for quite some years now. The book explains the process, standards required and submission of tests to GCF/PTCRB.

For those for whom testing does not hold much charm, Part II of the book gives a greater understanding of the concepts. One thing I really liked in this book is that the diagrams explain the concepts very well. Rather than being copied straight from the 3GPP specifications, they have been improved and re-done by the author. Basic things like 'Dynamic TFCI selection' and 'Layer 2 transport channel processing flow for the 12.2 kbps RMC' are explained clearly using the diagrams.

There is just the right amount of detail in the chapters for Physical Layer, Layer 2 (MAC, RLC, PDCP) and Layer 3 (RRC, NAS). Further chapters show message flow sequence charts explaining things like 'setting up of speech call' and 'location updating procedure'. I have some basic sequence diagrams for message flow in the Tutorial section but the ones in the book are comparatively more detailed.

The book mainly covers UMTS, with an introduction to HSPA. It would be worthwhile to have the next edition cover LTE in detail, the main reason being that there are lots of changes in the case of LTE. The Air Interface has changed and the channels are different. The NAS messages and entities are different. UMTS (and HSPA) use TTCN-2 for testing but LTE uses TTCN-3. UMTS does not use MIMO (MIMO is available for HSPA from Release 7 onwards) but LTE will generally use MIMO.

Overall, this seems to be a useful book and I am looking forward to reading it in detail.