Monday, 22 August 2011

MU-MIMO (and DIDO)

Late last month a guy called Steve Perlman announced a new technology called DIDO (Distributed-Input-Distributed-Output) that could revolutionise the way wireless transmission works and could help fix the channel capacity problem described by Shannon's formula. A whitepaper describing this technology is available here.

I haven't gone through the paper in any detail, nor do I understand DIDO very well, but what many experienced engineers have pointed out is that this is MU-MIMO in disguise. Without going into any controversies, let's look at MU-MIMO, as it's destined to play an important part in LTE-Advanced (the real '4G').

Also, I have been asked time and again about Shannon's channel capacity formula. This formula is better known as the Shannon-Hartley theorem. It states:

C <= B log2 (1 + S/N)
where:
C = channel capacity (bits per second)
B = bandwidth (hertz)
S/N = Signal to Noise ratio (SNR)

In a good channel, SNR will be high. Take for example a case where SNR is 20 dB (a ratio of 100); then log2 (1 + 100) = 6.6. In an extremely noisy channel SNR will be low, which in turn reduces the channel capacity.

It should be pointed out that Shannon's formula holds true for all wireless technologies except when multiuser transmission like MU-MIMO (or DIDO) is used.

Anyway, I gave a simple explanation of MU-MIMO before. Another simple explanation of what MU-MIMO is can be found in the video below:




The picture below (from NTT) gives a good summary of the different kinds of MIMO technology and their advantages and disadvantages. More details can be read here.


As we can see, MU-MIMO is great but it is complex in implementation.


Multiuser MIMO technology makes it possible to raise wireless transmission speed by increasing the number of antennas at the base station, without consuming more frequency bandwidth or increasing modulation multiple-values. It is therefore a promising technology for incorporating broadband wireless transmission that will be seamlessly connected with wired transmission in the micro waveband (currently used for mobile phones and wireless LAN, and well suited to mobile communications use), where frequency resources are in danger of depletion. Since it also allows multiple users to be connected simultaneously, it is seen as a solution to the problem specific to wireless communications, namely, slow or unavailable connections when the number of terminals in the same area increases (see Figure 9 above).

There is a good whitepaper in the NTT Docomo technical journal that talks about Precoding and Scheduling techniques for increasing the capacity of MIMO channels. It's available here. There is also a simple explanation of MIMO, including MU-MIMO, on RadioElectronics here. If you want to do a more in-depth study of MU-MIMO, there is a very good research paper in the EURASIP Journal that is available here (click on Full text PDF on the right for a FREE download).

Finally, there is a 3GPP study item on MIMO Enhancements for LTE-Advanced, a Release-11 item that will hopefully be completed by next year. That report should give a lot more detail about how practical it would be to implement this as part of LTE-Advanced. The following is the justification for doing this study:

The Rel-8 MIMO and subsequent MIMO enhancements in Rel-10 were designed mostly with homogenous macro deployment in mind. Recently, the need to enhance performance also for non-uniform network deployments (e.g. heterogeneous deployment) has grown. It would therefore be beneficial to study and optimize the MIMO performance for non-uniform deployments where the channel conditions especially for low-power node deployments might typically differ from what is normally encountered in scenarios considered so far.

Downlink MIMO in LTE-Advanced has been enhanced in Release 10 to support 8-layer SU-MIMO transmission and dynamic SU-MU MIMO switching. For the 8-tx antenna case, the CSI feedback to support downlink MIMO has been enhanced with a new dual-codebook structure aimed at improving CSI accuracy at the eNB without increasing the feedback overhead excessively. Precoded reference symbols are provided for data demodulation, allowing arbitrary precoders to be used by the eNB for transmission. In many deployment scenarios, less than 8 tx antennas will be employed. It is important to focus on the eNB antenna configurations of highest priority for network operators.

The enhancement of MIMO performance through improved CSI feedback for high priority scenarios not directly targeted by the feedback enhancements in Release 10, especially the case of 4 tx antennas in a cross-polarised configuration, in both homogeneous and heterogeneous scenarios should be studied.

MU-MIMO operation is considered by many network operators as important to further enhance system capacity. It is therefore worth studying further potential enhancement for MU-MIMO, which includes UE CSI feedback enhancement and control signaling enhancement. Furthermore, open-loop MIMO enhancements were briefly mentioned but not thoroughly investigated in Rel-10.

In addition, the experience from real-life deployments in the field has increased significantly since Rel-8. It would be beneficial to discuss the experience from commercial MIMO deployments, and identify if there are any potential short-comings and possible ways to address those. For example, it can be discussed if robust rank adaptation works properly in practice with current UE procedures that allow a single subframe of data to determine the rank. In addition the impact of calibration error on the performance could be discussed.

This work will allow 3GPP to keep MIMO up to date with latest deployments and experience.


Saturday, 20 August 2011

Lobbying for more Spectrum

The following video was prepared by Mobile Future, a US coalition of some major companies that has been lobbying for an increase in the availability of spectrum.


Friday, 19 August 2011

Patent Wars Part 2 - Who is suing whom

Continuing from the earlier post on the Patent Wars, here is a chart on who is suing whom.


Via: ReadWrite Mobile & Reuters

Wednesday, 17 August 2011

Patent Wars!

Patent wars have picked up force in the last few months. Last week the Samsung Galaxy S2 Android phone was banned from the EU due to a suit from Apple, but this ban has now been lifted. HTC has sued Apple over patent infringement and is asking for a ban in the US.

Patents are becoming more and more important. In June, Apple and Microsoft (once cut-throat rivals) teamed up with four other companies to pay $4.5 billion for the 6,000 patents held by the bankrupt Nortel Networks. This works out to $750,000 a patent. Google is now in the process of buying Motorola

NY Times report says:

Motorola Mobility in no small part because of its stockpile of 17,000 patents. The patent portfolio, some analysts estimate, could represent more than half of the value of the deal, or more than $400,000 a patent. If so, it was a relative bargain compared to the Apple and Microsoft acquisition of Nortel patents.

In the case of Motorola, Google was under pressure from its big handset partners, including HTC and Samsung, to protect them from patent-infringement suits based on their use of Google’s Android software. And Motorola has an impressive collection of mobile phone patents, a powerful weapon in patent negotiations.

Handset makers and mobile carriers are certainly hoping that Google’s purchase of Motorola will ease tensions in the smartphone market — a patent armistice among rival powers. Verizon on Tuesday welcomed the deal as a move that might well “bring some stability to the ongoing smartphone patent disputes,” John Thorne, senior vice president and deputy general counsel, said in a statement. Verizon Wireless, owned by the Vodafone Group and Verizon Communications, sells both Android-powered phones and iPhones.

In a recent blog post, David Drummond, Google’s chief legal officer, wrote that a modern smartphone might be susceptible to as many as 250,000 potential patent claims (see picture below), depending on how broadly those patents and claims were interpreted.

There was some interesting analysis on the Google Motorola deal by one Josh Pritchard in Quora:

Assuming Google would find value in the patent portfolio and not the operating businesses, an acquisition would presumably only make sense if Google had another partner (or partners), like HTC or Samsung, that wanted Motorola Mobility's operating businesses. If they could work out an arrangement with Google getting the patents and a partner (or partners) taking the other assets, then I'll argue that an acquisition could make a lot of sense based on a sum of the parts analysis.

Motorola Mobility has ~$3.2B in cash (~$170M are hiding as "cash deposits" on a separate line in the balance sheet, and are easily overlooked) with another $225M in additional payments from MSI still pending. They have $2.4B in deferred tax assets, though without reasonable expectations for operational profitability, they carry a $2.3B valuation allowance (again, easily overlooked). If the patents portfolio is worth anywhere near what Google [and Intel] bid on the Nortel patents, say $3.5B, then the sum of those parts is well over $11B in potential value. That's before assigning *any* value to the mobile and set-top operating businesses themselves.

But the operating businesses are almost certainly not worthless. They are set to generate ~$14B in revenue this year and the mobile business, with 41% Y/Y growth, is finally set to become profitable in Q4 of this year... if you believe the company's estimates. If a partner of Google's could reasonably expect to consume the operating businesses and then use their scale and/or superior supply chain to quickly bring them to even greater profitability, it's easy to imagine them being willing to pay at least some fraction of this year's revenue for the businesses, separate from the cash and tax assets. A multiple of .25X on this year's sales would be $3.5B. Seems low.

In total, that's in the neighborhood of $15B in value for a company that currently has a market cap under $7B. So, one might conclude that Google and its partner(s) could pay somewhere between those two numbers, providing a significant premium to market while still acquiring the assets below their fair value.

Of course, there are some restrictions on what MMI can do in its first 24 months as an independent entity, per the terms of the Tax Sharing Agreement documented in the 10-12B/A from the separation in January (when MOT became MSI and MMI). Per my understanding of those terms, if MMI takes actions that compromise the tax-free standing of the separation, as an outright acquisition might do, then they would be on the hook for any resulting tax liabilities. However, as the agreement states, "Though valid as between the parties, the Tax Sharing Agreement is not binding on the IRS" -- and, moreover, I believe there is quite a bit of leeway in terms of how an agreement could be structured in order to preserve the tax-free standing of the separation.


Whatever the case, a Twitter joke suggested that if people want to retain their jobs at Motorola, they had better dress up as patents and go to work.

Finally, patent pools are a good idea and can avoid lots of potential lawsuits and counter-suits. One company very active in promoting a pool is Sisvel. A presentation from them at the LTE World Summit is embedded below.


Sunday, 14 August 2011

mHealth – Mobile Healthcare; consumer, doctors, healthcare providers, hardware and software tech enablers

The following is from a recent Mobile Internet SIG in the SV Forum.

You may want to get the presentations before listening to the video. Presentations available here.

Wednesday, 10 August 2011

Self-Evolving Networks (SEN): Next step of SON

In a post last year, I listed the 3GPP features planned for the Self-Organising networks. Self-optimisation has been a part of the SON. It is becoming more of a common practice to refer to SON as Self-Optimising networks. A recent 4G Americas whitepaper was titled "Benefits of self-optimizing networks in LTE".

The next phase in the evolution of the Self-Configuring, Self-organizing and Self-optimizing network is the Self-Evolving Network (aka SEN), which will combine the Organizing and Optimizing features with the Self-testing and Self-Healing features. Self-testing and Self-healing have been recommended as subtasks of SON in the NGMN white paper. Self-testing and self-healing mean that a system detects problems by itself and mitigates or solves them, avoiding user impact and significantly reducing maintenance costs.

We may still be a long way from achieving SEN, as quite a few items are still being standardised in 3GPP. Some of the standardised items have not yet been fully implemented and tested either. Some of the new features that will help are listed below:

Automatic Radio Network Configuration Data Preparation (Rel-9)

When radio Network Elements (e.g. cells and/or eNBs) are inserted into an operational radio network, some network configuration parameters cannot be set before-hand because they have interdependencies with the configuration of operational NEs. "Dynamic Radio Network Configuration Data Preparation" comprises the generation and distribution of such interdependent parameters to the newly inserted network element and optionally already operational NEs.

This functionality allows fully automatic establishment of an eNB into a network. Otherwise an operator needs to set these configurations manually. Without this functionality self-configuration cannot be considered fully as "self".


SON Self-healing management (Rel-10)

The target of Self-Healing (SH) is to recover from or mitigate errors in the network with a minimum of manual intervention from the operator.

Self-healing functionality will monitor and analyse relevant data like fault management data, alarms, notifications, and self-test results etc. and will automatically trigger or perform corrective actions on the affected network element(s) when necessary. This will significantly reduce manual interventions and replace them with automatically triggered re-s, re-configurations, or software reloads/upgrades thereby helping to reduce operating expense.


LTE Self Optimizing Networks (SON) enhancements (Rel-10)

This WI continues work started in Rel-9. Some cases that were considered in the initial phases of SON development are listed in the TR 36.902. From this list, almost all use cases are already specified. Capacity and Coverage Optimization (CCO) was already nominally part of the Rel-9 WI, but could not be completed due to amount of work related to other use cases. Energy Savings are a very important topic, especially for operators, as solutions derived for this use case can significantly limit their expenses. According to TR 36.902 this solution should concern switching off cells or whole base stations. This may require additional standardised methods, once there is need identified for.

Basic functionality of Mobility Load Balancing (MLB) and Mobility Robustness Optimization (MRO), also listed in TR 36.902, were defined in Rel-9. However, successful roll-out of the LTE network requires analysing possible enhancements to the Rel-9 solutions for MLB and MRO. In particular, enhancements that address inter-RAT scenarios and inter-RAT information exchange must be considered. These enhancements should be addressed in Rel-10. There may also be other use cases for LTE for which SON functionality would bring optimizations. The upcoming LTE-A brings about also new challenges that can be addressed by SON. However, since not all features are clearly defined yet, it is difficult to work on SON algorithms for them. It is therefore proposed to assign lower priority to the features specific for LTE-A.


UTRAN Self-Organizing Networks (SON) management (Rel-11)

For LTE, SON (Self-Organizing Networks) concept and many features have been discussed and standardised.

The SON target is to maintain network quality and performance with minimum manual intervention from the operator. Introducing SON functions into the UTRAN legacy is also very important for operators to minimize OPEX.

Automatic Neighbour Relation (ANR) function, specified in the LTE context, automates the discovery of neighbour relations. ANR can help the operators to avoid the burden of manual neighbour cell relations management.

Self-optimization functionalities will monitor and analyze performance measurements, notifications, and self-test results and will automatically trigger re-configuration actions on the affected network node(s) when necessary.

This will significantly reduce manual interventions and replace them with automatically triggered re-optimizations or re-configurations thereby helping to reduce operating expenses.

Minimization of Drive Tests (MDT) for E-UTRAN and UTRAN is an important topic in 3GPP Rel-10.

With the help of standardized UTRAN MDT solutions, Capacity and Coverage Optimization (CCO) for UTRAN should also be considered in UTRAN SON activities.


Study on IMS Evolution (Rel-11)

IMS network service availability largely relies on the reliability of network entity. If some critical network elements (e.g. S-CSCF, HSS) go out of service, service availability will be severely impacted. Moreover network elements are not fully utilized because network load is not usually well distributed, e.g. some nodes are often overloaded due to sudden traffic explosion, while others are under loaded to some extent. Though there’re some element level approaches to solve these problems, such as the ongoing work in CT4, the system level solution should be studied, for example, the method to distribute load between network elements in different regions especially when some disaster happens, such as earthquake.

The network expansion requires a great deal of manual configurations, and the network maintenance and upgrade are usually time-consuming and also costly for operators. Introducing self-organization features will improve the network intelligence and reduce the efforts of manual configuration. For example, upon discovering the entry point of the network, new nodes can join the network and auto-configure themselves without manual intervention. And if any node fails, other nodes will take over the traffic through the failed node timely and automatically.


The above-mentioned features are just a few of the ways in which we will achieve a truly zero-operational 4G network.

Monday, 8 August 2011

Radio-over-Fiber (RoF): The existing alternative to Femtocells

Recently while going through NTT Docomo Technical Journal, I came across an article on Radio over Fibre. This is the first time I have come across RoF but apparently this is a common way to provide indoor coverage before Femtocells.
My intention here is not to compare this with Femtocells as I can think of advantages and disadvantages of both of them.


I found the following extract in the book Femtocells: Technologies and Deployment:

Active Fibre DAS (Radio over Fibre)

Active fibre DAS is the most efficient in terms of performance. Optical fibres are used to make the link between the MU and the RU. They can cover very long distances (up to 6 km) and support multiple radio services. With such a system the RU directly converts the optical signal into radio signal and vice versa. The other advantage is that optical fibre is very cheap and easy to install. Radio over fibre is now the most common technique used for indoor radio coverage. As detailed in [16], radio over fibre is today the optimal solution to extending indoor coverage, because it provides scalability, flexibility, easy expandability, and also because the signal degradation is very low compared with DAS using standard connections.


The following is from Wikipedia:

Radio over Fiber (RoF) refers to a technology whereby light is modulated by a radio signal and transmitted over an optical fiber link to facilitate wireless access. Although radio transmission over fiber is used for multiple purposes, such as in cable television (CATV) networks and in satellite base stations, the term RoF is usually applied when this is done for wireless access.

In RoF systems, wireless signals are transported in optical form between a central station and a set of base stations before being radiated through the air. Each base station is adapted to communicate over a radio link with at least one user's mobile station located within the radio range of said base station.

RoF transmission systems are usually classified into two main categories (RF-over-Fiber ; IF-over-Fiber) depending on the frequency range of the radio signal to be transported.

a) In RF-over-Fiber architecture, a data-carrying RF (Radio Frequency) signal with a high frequency (usually greater than 10 GHz) is imposed on a lightwave signal before being transported over the optical link. Therefore, wireless signals are optically distributed to base stations directly at high frequencies and converted from optical to electrical domain at the base stations before being amplified and radiated by an antenna. As a result, no frequency up/down conversion is required at the various base stations, thereby enabling simple and rather cost-effective implementation at the base stations.

b) In IF-over-Fiber architecture, an IF (Intermediate Frequency) radio signal with a lower frequency (less than 10 GHz) is used for modulating light before being transported over the optical link. Therefore, wireless signals are transported at intermediate frequency over the optical.


Access to dead zones

An important application of RoF is its use to provide wireless coverage in the area where wireless backhaul link is not possible. These zones can be areas inside a structure such as a tunnel, areas behind buildings, mountainous places or secluded areas such as a jungle.


FTTA (Fiber to the Antenna)

By using an optical connection directly to the antenna, the equipment vendor can gain several advantages like low line losses, immunity to lightning strikes/electric discharges and reduced complexity of base station by attaching light weight Optical-to-Electrical (O/E) converter directly to antenna.


Friday, 5 August 2011

TED talk: Wireless data from every light bulb

What if every light bulb in the world could also transmit data? At TEDGlobal, Harald Haas demonstrates, for the first time, a device that could do exactly that. By flickering the light from a single LED, a change too quick for the human eye to detect, he can transmit far more data than a cellular tower -- and do it in a way that's more efficient, secure and widespread.





Thursday, 4 August 2011

Detailed presentation on Femtocell Security from Black Hat 2011

Femtocells: a Poisonous Needle in the Operator's Hay Stack
Presentation available to download from here.
Detailed write-up on: Exploiting the Ubiquisys/SFR femtocell webserver here.
My earlier blogpost 'Femto Hacking in UMTS and LTE' here.

Wednesday, 3 August 2011

A look at "Idle state Signalling Reduction" (ISR)

The following is from 3GPP TS 23.401, Annex J:

General description of the ISR concept

Idle state Signalling Reduction (or ISR) aims at reducing the frequency of Tracking Area Updates (TAU, in E-UTRAN) and Routing Area Updates (RAU, in UTRAN/GERAN) procedures caused by UEs reselecting between E-UTRAN and GERAN/UTRAN which are operated together. Especially the update signalling between UE and network is reduced. But also network internal signalling is reduced. To some extent the reduction of network internal signalling is also available when ISR is not used or not activated by the network.

UMTS described already RAs containing GERAN and UTRAN cells, which also reduces update signalling between UE and network. The combination of GERAN and UTRAN into the same RAs implies however common scaling, dimensioning and configuration for GERAN and UTRAN (e.g. same RA coverage, same SGSN service area, no GERAN or UTRAN only access control, same physical node for GERAN and UTRAN). As an advantage it does not require special network interface functionality for the purpose of update signalling reduction.

ISR enables signalling reduction with separate SGSN and MME and also with independent TAs and RAs. Thereby the interdependency is drastically minimized compared with the GERAN/UTRAN RAs. This comes however with ISR specific node and interface functionality. SGSN and MME may be implemented together, which reduces some interface functions but results also in some dependencies.

ISR support is mandatory for E-UTRAN UEs that support GERAN and/or UTRAN and optional for the network. ISR requires special functionality in both the UE and the network (i.e. in the SGSN, MME and Serving GW) to activate ISR for a UE. For this activation, the MME/SGSN detects whether S-GW supports ISR based on the configuration and activates ISR only if the S-GW supports the ISR. The network can decide for ISR activation individually for each UE. Gn/Gp SGSNs do not support ISR functionality. No specific HSS functionality is required to support ISR.

NOTE. A Release 7 HSS needs additional functionality to support the 'dual registration' of MME and SGSN. Without such an upgrade, at least PS domain MT Location Services and MT Short Messages are liable to fail.

It is inherent functionality of the MM procedures to enable ISR activation only when the UE is able to register via E-UTRAN and via GERAN/UTRAN. For example, when there is no E-UTRAN coverage there will be also no ISR activation. Once ISR is activated it remains active until one of the criteria for deactivation in the UE occurs, or until SGSN or MME indicate during an update procedure no more the activated ISR, i.e. the ISR status of the UE has to be refreshed with every update.

When ISR is activated this means the UE is registered with both MME and SGSN. Both the SGSN and the MME have a control connection with the Serving GW. MME and SGSN are both registered at HSS. The UE stores MM parameters from SGSN (e.g. P-TMSI and RA) and from MME (e.g. GUTI and TA(s)) and the UE stores session management (bearer) contexts that are common for E-UTRAN and GERAN/UTRAN accesses. In idle state the UE can reselect between E-UTRAN and GERAN/UTRAN (within the registered RA and TAs) without any need to perform TAU or RAU procedures with the network. SGSN and MME store each other's address when ISR is activated.

When ISR is activated and downlink data arrive, the Serving GW initiates paging processes on both SGSN and MME. In response to paging or for uplink data transfer the UE performs normal Service Request procedures on the currently camped-on RAT without any preceding update signalling (there are however existing scenarios that may require to perform a RAU procedure prior to the Service Request even with ISR is activated when GERAN/UTRAN RAs are used together, as specified in clause 6.13.1.3 of TS 23.060 [7]).

The UE and the network run independent periodic update timers for GERAN/UTRAN and for E-UTRAN. When the MME or SGSN do not receive periodic updates MME and SGSN may decide independently for implicit detach, which removes session management (bearer) contexts from the CN node performing the implicit detach and it removes also the related control connection from the Serving GW. Implicit detach by one CN node (either SGSN or MME) deactivates ISR in the network. It is deactivated in the UE when the UE cannot perform periodic updates in time. When ISR is activated and a periodic updating timer expires the UE starts a Deactivate ISR timer. When this timer expires and the UE was not able to perform the required update procedure the UE deactivates ISR.

Part of the ISR functionality is also available when ISR is not activated because the MM contexts are stored in UE, MME and SGSN also when ISR is not active. This results in some reduced network signalling, which is not available for Gn/Gp SGSNs. These SGSNs cannot handle MM and session management contexts separately. Therefore all contexts on Gn/Gp SGSNs are deleted when the UE changes to an MME. The MME can keep their MME contexts in all scenarios.

Note:
Gn = IP Based interface between SGSN and other SGSNs and (internal) GGSNs. DNS also shares this interface. Uses the GTP Protocol.
Gp = IP based interface between internal SGSN and external GGSNs. Between the SGSN and the external GGSN, there is the border gateway (which is essentially a firewall). Also uses the GTP Protocol.


"Temporary Identity used in Next update" (TIN)

The UE may have valid MM parameters both from MME and from SGSN. The "Temporary Identity used in Next update" (TIN) is a parameter of the UE's MM context, which identifies the UE identity to be indicated in the next RAU Request or TAU Request message. The TIN also identifies the status of ISR activation in the UE.

The TIN can take one of the three values, "P-TMSI", "GUTI" or "RAT-related TMSI". The UE sets the TIN when receiving an Attach Accept, a TAU Accept or RAU Accept message as specified in table 4.3.5.6-1.


"ISR Activated" indicated by the RAU/TAU Accept message but the UE not setting the TIN to "RAT-related TMSI" is a special situation. By maintaining the old TIN value the UE remembers to use the RAT TMSI indicated by the TIN when updating with the CN node of the other RAT.

Only if the TIN is set to "RAT-related TMSI" ISR behaviour is enabled for the UE, i.e. the UE can change between all registered areas and RATs without any update signalling and it listens for paging on the RAT it is camped on. If the TIN is set to "RAT-related TMSI", the UE's P-TMSI and RAI as well as its GUTI and TAI(s) remain registered with the network and valid in the UE.

When ISR is not active the TIN is always set to the temporary ID belonging to the currently used RAT. This guarantees that always the most recent context data are used, which means during inter-RAT changes there is always context transfer from the CN node serving the last used RAT. The UE identities, old GUTI IE and additional GUTI IE, indicated in the next TAU Request message, and old P-TMSI IE and additional P-TMSI/RAI IE, indicated in the next RAU Request message depend on the setting of TIN.

The UE indicates also information elements "additional GUTI" or "additional P-TMSI" in the Attach Request, TAU or RAU Request. These information elements permit the MME/SGSN to find the already existing UE contexts in the new MME or SGSN, when the "old GUTI" or "old P-TMSI" indicate values that are mapped from other identities.


ISR activation

The information flow in Figure below shows an example of ISR activation. For explanatory purposes the figure is simplified to show the MM parts only.

The process starts with an ordinary Attach procedure not requiring any special functionality for support of ISR. The Attach however deletes any existing old ISR state information stored in the UE. With the Attach request message, the UE sets its TIN to "GUTI". After attach with MME, the UE may perform any interactions via E-UTRAN without changing the ISR state. ISR remains deactivated. One or more bearer contexts are activated on MME, Serving GW and PDN GW, which is not shown in the figure.

The first time the UE reselects GERAN or UTRAN it initiates a Routing Area Update. This represents an occasion to activate ISR. The TIN indicates "GUTI" so the UE indicates a P-TMSI mapped from a GUTI in the RAU Request. The SGSN gets contexts from MME. When the MME sends the context to the SGSN, the MME includes the ISR supported indication only if the involved S-GW supports the ISR. After the ISR activated, both CN nodes keep these contexts because ISR is being activated. The SGSN establishes a control relation with the Serving GW, which is active in parallel to the control connection between MME and Serving GW (not shown in figure). The RAU Accept indicates ISR activation to the UE. The UE keeps GUTI and P-TMSI as registered, which the UE memorises by setting the TIN to "RAT-related TMSI". The MME and the SGSN are registered in parallel with the HSS.

After ISR activation, the UE may reselect between E-UTRAN and UTRAN/GERAN without any need for updating the network as long as the UE does not move out of the RA/TA(s) registered with the network.

The network is not required to activate ISR during a RAU or TAU. The network may activate ISR at any RAU or TAU that involves the context transfer between an SGSN and an MME. The RAU procedure for this is shown in the figure above. ISR activation for a UE that is already attached to GERAN/UTRAN, with a TAU procedure from E-UTRAN, works in a very similar way.

Reference: 3GPP TS 23.401: General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access

Tuesday, 2 August 2011

Cellphone radiation and Cancer

There is an interesting graph in Scientific American (Via Bill Gross on Google+) showing the radiation spectrum of Cell phones and other devices.


Thing to note: As the graphic above shows, the radiation emitted in this region is nonionizing: it may heat molecules in the body but does not ionize them (that is, set electrons free). Ionizing radiation, which can tear molecules apart and therefore potentially damage DNA, is the greater worry.

In the comments of the discussion, someone pointed out this hand-drawn Electromagnetic Spectrum, which is very handy.



Finally, it is worthwhile checking out the total radiation that we can encounter in different events and their relative values.



Saturday, 30 July 2011

Wi-Fi in Public Transport over LTE

Another interesting presentation from the LTE World Summit 2011 on how LTE can be used as a backhaul in the trains to provide passenger WiFi and other services.

Wednesday, 27 July 2011

MRO: Handover failures signalling

Continuing with the Self-organising Network (SON) feature of Mobility Robustness Optimisation: handover failures.


One of the discussions I had with a colleague was about how the signalling would happen in the case of the handover failures I mentioned earlier.

After the handover failure, when the connection is successfully established again, either as a normal Setup, a Re-Establishment or an RRC Reconfiguration, a new optional field is available:

rlf-InfoAvailable-r10 ENUMERATED {true} OPTIONAL,

This is used to indicate to the network that the UE has some information relating to the RL Failure that occurred.

The network will then use the UE Information Request I blogged about earlier to ask for this information. The UE will send the information back in the response.

It should be noted that the UEInformationRequest and Response messages were introduced as part of Release-9, but there have since been some updates in Release-10. The Response message now looks as follows:

RLF-Report-r9 ::= SEQUENCE {
    measResultLastServCell-r9 SEQUENCE {
        rsrpResult-r9 RSRP-Range,
        rsrqResult-r9 RSRQ-Range OPTIONAL
    },
    measResultNeighCells-r9 SEQUENCE {
        measResultListEUTRA-r9 MeasResultList2EUTRA-r9 OPTIONAL,
        measResultListUTRA-r9 MeasResultList2UTRA-r9 OPTIONAL,
        measResultListGERAN-r9 MeasResultListGERAN OPTIONAL,
        measResultsCDMA2000-r9 MeasResultList2CDMA2000-r9 OPTIONAL
    } OPTIONAL,
    ...,
    [[ locationInfo-r10 LocationInfo-r10 OPTIONAL,
       failedPCellId-r10 CHOICE {
           cellGlobalId-r10 CellGlobalIdEUTRA,
           pci-arfcn-r10 SEQUENCE {
               physCellId-r10 PhysCellId,
               carrierFreq-r10 ARFCN-ValueEUTRA
           }
       } OPTIONAL,
       reestablishmentCellId-r10 CellGlobalIdEUTRA OPTIONAL,
       timeConnFailure-r10 INTEGER (0..1023) OPTIONAL,
       connectionFailureType-r10 ENUMERATED {rlf, hof} OPTIONAL,
       previousPCellId-r10 CellGlobalIdEUTRA OPTIONAL
    ]]
}

Everything after the extension marker ellipsis (...) is added in Release 10. More information is in the Release-10 RRC specs (36.331).

Tuesday, 26 July 2011

Outline of GCF Certification Process




From a presentation by Colin Hamling, Vice Chair, GCF Steering Group in LTE World Summit, Amsterdam, 18 May 2011

Monday, 25 July 2011

Femto Hacking in UMTS and LTE

A couple of weeks back, The Hacker’s Choice (THC) made available some documents about how Vodafone's (UK) Femtocell (a.k.a. SureSignal) is insecure and can be hacked. Everyone seemed to jump on this bandwagon, with some news articles even sounding like the whole Vodafone network had been hacked and hackers might be sending messages and making calls via your phone number.

In the end it came to light that the problem was fixed over a year back when Vodafone was made aware of this problem. THC is still arguing that there is an architecture fault and the Femto can be compromised.

As a result I decided to think about what could happen if the Femtocell is hacked.

Let's take the case of the UMTS Femtocell. A simple network architecture with a femtocell (officially known as Home NodeB) is as follows:

As you can see, the signalling over the air interface is encrypted and integrity protected. If a hacker is able to get into the Femto and able to listen to all the packets using some tool like Wireshark, he would be able to get hold of the Ciphering and Integrity Keys as they come in cleartext in the RANAP Security Mode Command message.

It wouldn't be difficult to have a device that can listen to the conversations once provided with these keys. In fact, if the hacker is able to listen to the messages, there is no reason he cannot stick in his own messages at the right interval (when a voice call is ongoing) to send an SMS, and it would appear that the message actually went from the phone number. Note that this message would be inserted in the Home NodeB and would be a NAS message. The end user would generally never find out that a message has been sent on behalf of his phone.

One thing that should be remembered though is that the phone would have to be in the range of the Femtocell and connected successfully to the network (via the Femto). One question someone may have is whether the key can be reverse engineered so that the SIM card can be cloned. Fortunately for us, this is not easily possible. There are multiple levels of protection and generally it would be difficult to get the algorithms for generating the key. Also it should be noted that the authentication algorithms are confidential and only the operators know the algorithm.


Now let's look at the LTE Femtocell (a.k.a. Home eNodeB) as shown below:

One of the differences you may notice is that the signalling from the Femto to the Core Network over S1 is encrypted and integrity protected. In the case of the LTE Femto, there are multiple keys and only the required key (KeNB) is provided to the Femto. See the key hierarchy below:

Source: RedYoda

This would sound like ideal protection from the end user perspective, but some of the problems still remain. If the hacker can get hold of the KeNB, which is sent in cleartext over the S1 interface in the Initial Context Setup Request message, then he could easily use it to listen to the packets. Since there is no voice support as of yet in LTE, it would only be the packets that the hacker can listen to.

As you may notice, there is now integrity protection and ciphering on the S1 interface for the UE messages, so the hacker cannot get hold of the KASME or the master keys K, CK and IK. This means that he cannot insert rogue messages that would, for example, send unsolicited SMS on behalf of the user as he would be able to do in the case of UMTS.

There is a small caveat though. There are multiple Ciphering and Integrity algorithms defined in the standard. No ciphering is defined as the eea0 algorithm. In Release-8 of LTE, there was no possibility to have Integrity switched off as there was no eia0 algorithm defined. In Release-9 though, the new eia0 has been defined, which means that the network can set the Integrity to NULL. I am sure that the network would not want to do so as it makes absolutely no sense, but the hacker can force it to do so.

When the Network requests the UE to send the capability information, the hacker can force it to say that it only supports eia0 and eea0, which would mean that the integrity and ciphering in the call would be off. To be honest, this is quite a difficult thing to do in real time, and also the network would not accept a UE that does not support other Integrity and Ciphering algorithms.
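
The network-side refusal described in the last sentence can be written as an algorithm-selection policy. The sketch below is an added example, not code from any vendor or from 3GPP; the capability octet layout (bit 8 = eea0/eia0, bit 7 = eea1/eia1, and so on), the priority lists, the emergency flag and all function names are assumptions made for illustration.

```python
# Added example: core-network algorithm selection that refuses a null-only UE.
# Assumed layout of each capability octet: bit 8 = *0 (null), bit 7 = *1,
# bit 6 = *2, bit 5 = *3.
EEA_NAMES = ["eea0", "eea1", "eea2", "eea3"]
EIA_NAMES = ["eia0", "eia1", "eia2", "eia3"]

# Hypothetical operator policy, strongest preference first. The null
# algorithms are deliberately absent for normal (authenticated) sessions.
CIPHER_PRIORITY = ["eea2", "eea1"]
INTEGRITY_PRIORITY = ["eia2", "eia1"]


class CapabilityRejected(Exception):
    """Raised when the offered capabilities cannot satisfy the policy."""


def decode(octet, names):
    """Return the algorithm names whose bit is set in one capability octet."""
    return {name for i, name in enumerate(names) if octet & (0x80 >> i)}


def select_algorithms(eea_octet, eia_octet, emergency_unauthenticated=False):
    """Pick (ciphering, integrity) or raise CapabilityRejected."""
    cipher_policy = list(CIPHER_PRIORITY)
    integrity_policy = list(INTEGRITY_PRIORITY)
    if emergency_unauthenticated:
        # Assumed policy: null algorithms only as a last resort, and only
        # for an unauthenticated emergency session.
        cipher_policy.append("eea0")
        integrity_policy.append("eia0")

    ue_eea = decode(eea_octet, EEA_NAMES)
    ue_eia = decode(eia_octet, EIA_NAMES)
    cipher = next((a for a in cipher_policy if a in ue_eea), None)
    integrity = next((a for a in integrity_policy if a in ue_eia), None)
    if cipher is None or integrity is None:
        raise CapabilityRejected(
            "UE offers no acceptable algorithm: eea=%s eia=%s"
            % (sorted(ue_eea), sorted(ue_eia)))
    return cipher, integrity


def replay_matches(sent, replayed):
    """UE-side check: capabilities echoed back by the network must equal
    what the UE sent, otherwise something in the path altered them."""
    return tuple(sent) == tuple(replayed)
```

A rejection raised here is also worth logging on the network side, since a handset that advertises only eea0 and eia0 is not something an ordinary device would send.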


3GPP has already foreseen these kinds of threats that could be affecting the networks in the future when they roll out the Femtocells. As a result they have produced 3GPP TR 33.820, which lists all the possible threats and the best practices that can help to minimise the chances of the network being compromised. If that document is too big and technical, you can go through this presentation as it summarises some of the problems.

Feel free to comment or correct any mistakes that you think I have made.

Friday, 22 July 2011

Mobility Robustness Optimization to avoid Handover failures

The following is from 4G Americas Whitepaper on SON:


Mobility Robustness Optimization (MRO) encompasses the automated optimization of parameters affecting active mode and idle mode handovers to ensure good end-user quality and performance, while considering possible competing interactions with other SON features such as, automatic neighbor relation and load balancing.

There is also some potential for interaction with Cell Outage Compensation and Energy Savings as these could also potentially adjust the handover boundaries in a way that conflicts with MRO. While the goal of MRO is the same regardless of radio technology namely, the optimization of end-user performance and system capacity, the specific algorithms and parameters vary with technology.

The objective of MRO is to dynamically improve the network performance of HO (Handovers) in order to provide improved end-user experience as well as increased network capacity. This is done by automatically adapting cell parameters to adjust handover boundaries based on feedback of performance indicators. Typically, the objective is to eliminate Radio Link Failures and reduce unnecessary handovers. Automation of MRO minimizes human intervention in the network management and optimization tasks.

The scope of mobility robustness optimization as described here assumes a well-designed network with overlapping RF coverage of neighboring sites. The optimization of handover parameters by system operators typically involves either focused drive-testing, detailed system log collection and postprocessing, or a combination of these manual and intensive tasks. Incorrect HO parameter settings can negatively affect user experience and waste network resources by causing HO ping-pongs, HO failures and Radio Link Failures (RLF). While HO failures that do not lead to RLFs are often recoverable and invisible to the user, RLFs caused by incorrect HO parameter settings have a combined impact on user experience and network resources. Therefore, the main objective of mobility robustness optimization should be the reduction of the number of HO-related radio link failures. Additionally, sub-optimal configuration of HO parameters may lead to degradation of service performance, even if it does not result in RLFs. One example is the incorrect setting of HO hysteresis, which may result in ping-pongs or excessively delayed handovers to a target cell. Therefore, the secondary objective of MRO is the reduction of the inefficient use of network resources due to unnecessary or missed handovers.

Most problems associated with HO failures or sub-optimal system performance can ultimately be categorized as either too-early or too-late triggering of the handover, provided that the required fundamental network RF coverage exists. Thus, poor HO-related performance can generally be categorized by the following events:

* Intra-RAT late HO triggering
* Intra-RAT early HO triggering
* Intra-RAT HO to an incorrect cell
* Inter-RAT too late HO
* Inter-RAT unnecessary HO

Up to Release 9, a UE is required to send RLF report only in case of successful RRC re-establishment after a connection failure. Release 10 allows support for RLF reports to be sent even when the RRC reestablishment does not succeed. The UE is required to report additional information to assist the eNB in determining if the problem is coverage related (no strong neighbors) or handover problems (too early, too late or wrong cell). Furthermore, Release 10 allows for precise detection of too early / wrong cell HO.
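
To show how the Release-10 fields of the RLF-Report (failedPCellId, reestablishmentCellId, timeConnFailure, connectionFailureType, previousPCellId, listed in the MRO signalling post) can be mapped onto the intra-RAT categories above, here is an added example that is not taken from the whitepaper or the 3GPP specifications. The classification rules are a simplified reading of too-early / too-late / wrong-cell, and the 5-second threshold, the 100 ms unit for timeConnFailure, the cell names and the Python field names are assumptions.

```python
from typing import NamedTuple, Optional

# Hypothetical threshold: a failure within 5 s of the last handover counts as
# "shortly after" it (timeConnFailure-r10 assumed to be in 100 ms units).
RECENT_HO_LIMIT = 50


class RlfReport(NamedTuple):
    failed_pcell: str                      # failedPCellId-r10
    reestablishment_cell: Optional[str]    # reestablishmentCellId-r10
    time_conn_failure: Optional[int]       # timeConnFailure-r10 (0..1023)
    failure_type: Optional[str]            # connectionFailureType-r10: rlf / hof
    previous_pcell: Optional[str] = None   # previousPCellId-r10 (HO source)


def classify(report):
    """Map one RLF report onto an intra-RAT MRO category."""
    t = report.time_conn_failure
    if t is not None and not 0 <= t <= 1023:
        raise ValueError("timeConnFailure-r10 outside 0..1023")
    reest = report.reestablishment_cell
    if reest is None:
        return "unclassified"      # nothing to compare the failed cell with

    near_handover = report.failure_type == "hof" or (
        report.previous_pcell is not None
        and t is not None and t <= RECENT_HO_LIMIT)
    if near_handover:
        if reest == report.previous_pcell:
            return "too-early"     # UE went back to the handover source
        if reest != report.failed_pcell:
            return "wrong-cell"    # UE ended up in a third cell
        return "unclassified"      # recovered in the handover target itself
    if reest != report.failed_pcell:
        return "too-late"          # long stay, then recovery in a neighbour
    return "unclassified"          # same cell again: possibly coverage


def summarise(reports):
    """Count reports per category, e.g. as input to a parameter-tuning loop."""
    counts = {}
    for r in reports:
        label = classify(r)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample reports; cell identifiers are made up.
SAMPLE = [
    RlfReport("cell-A", "cell-B", 600, "rlf"),
    RlfReport("cell-B", "cell-A", 12, "rlf", "cell-A"),
    RlfReport("cell-B", "cell-C", None, "hof", "cell-A"),
    RlfReport("cell-A", "cell-A", 900, "rlf"),
]
```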

Thursday, 21 July 2011

Smart Deployment with Smart Antennas and ORI

This is from a presentation by Dr. Peter Meissner, Operating Officer, NGMN Alliance.

It's very interesting the way the Antennas are evolving.


If you are interested in reading more about ORI, see the earlier post here.

Wednesday, 20 July 2011

NSN Celebrating 20 years of GSM

It's been 20 years since the first GSM call was made and GSM is still as relevant today as it was 10 years back. My earlier post today was about the technology deployment and adoption trends, and my guess is that GSM/GPRS will still be relevant for a long time to come, especially as it's the de-facto fallback for roaming calls.

Some facts about GSM that you should know:

* First network launched in 1991
* There are 838 GSM Networks in 234 countries with 4.4 Billion subscribers
* In 2010, 1.44 million GSM subscribers were added every day
* 545 EDGE networks in 198 countries with 1.5 Billion subscribers
* By 2015, 1.5 billion GSM M2M subscribers will be present

Here is a presentation from NSN about 20 years of GSM and since they had the privilege of launching the first commercial network I am sure they have a good reason to celebrate.

20 Years of GSM: Past, Present & Future
A new section on 3G4G website on GSM has been added here.

Technology Deployment and Adoption Trends

This informative slide shows the number of years it takes after the technology is launched to reach the peak volumes. Though we know this to be true for the 1G and 2G systems, I find it difficult to believe the same would be true for 3G and 4G systems.

If the LTE deployments are going to happen as per the plans then we may see the peak volumes for 3G/HSPA+ around 2016. It would be difficult to predict the same for '4G' systems as we do not know as of now what all would be part of 4G. As you would recall, LTE was supposed to be 3.9G, but that was too confusing so everyone adopted it as 4G. LTE-A, the real 4G, I guess would still be part of 4G. What else would end up as 4G is hard to predict, so we will have to go with the prediction for the time being.

Tuesday, 19 July 2011

Dual-Mode and Multi-Mode Femtocells

Came across this slide in one of the presentations from MWC.


The Dual-Mode and maybe Multi-Mode solution (in future) may be very useful, not only because it can serve LTE as well as 3G mobile devices, but also for an LTE mobile that has to fall back on the 3G network for voice calls: if there is no 3G coverage then no voice communication would be possible.

One of the ways to have voice communication in the initial phases of LTE is CS Fallback (CSFB). With CSFB, the UE establishes the call on the UMTS or GSM network. If for some reason the coverage on those networks is non-existent, then having a dual-mode femtocell can be really helpful as it would seamlessly transfer the voice call to 3G.

Hopefully in the future when VoLTE is here these problems would be solved automatically.

The main problem that I can see with this Dual-mode or Multi-mode solution is that the operator would have to support Small Cells solutions across both networks, and I guess they would be slightly expensive.

Monday, 18 July 2011

Infographic on 'The Internet of Things'


Very interesting Infographic from Cisco on the 'Internet of Things' that we have discussed before.

Since it's not possible for me to put the whole Infographic here, you can check it out on Cisco blogs.