Professional Documents
Culture Documents
Module Objectives
After completing this module, the participant should be able to:
Introduce the concept of Tracking Area.
List different UE identifications.
Compare the terminology used in 3G and LTE when referring to Mobility
and Session Management.
Describe the LTE Mobility & Connection States.
Explain the LTE/SAE Bearer Architecture and Attributes.
Analyze different LTE/SAE procedures: Attach, S1 Release, Detach,
Service Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover.
Review the LTE/SAE Authentication Procedure and the Security Keys
Generation.
2
Module Contents
The concept of Tracking Area
Different UE Identifications
Mobility & Connection Management Terminology
LTE/SAE Mobility & Connection States
LTE/SAE Bearer
LTE/SAE Procedures: Attach, S1 Release, Detach, Service
Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover
Security: EPS Authentication and Key Agreement (AKA)
Tracking Areas
Tracking Area
HSS
TAI1
TAI1
TAI2
TAI2
TAI2
TAI2
TAI3
TAI3
TAI3
TAI3
Cell Identity
TAI1
eNB
1 2
MME
TAI1
TAI1
TAI2
eNB
TAI2
TAI2
TAI2
TAI3
TAI3
TAI3
S-eNB
MME
TAI1-2
TAI1-2
TAI2
TAI2
Cell Identity
TAI2
TAI2
TAI3
TAI3
TAI3
TAI3
TAI1
eNB
1 2
MME
TAI1
TAI1
TAI2
eNB
TAI2
TAI2
TAI2
TAI3
TAI3
TAI3
S-eNB
MME
HSS
eNB
TAI1-2
TAI1-2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI3
TAI3
Cell Identity
TAI1
1 2 3
TAI1
MME
TAI1
TAI2
eNB
TAI2
TAI2
TAI2
S-eNB
TAI2
1 2 3
TAI3
S-MME
TAI3
MME
Pooling:
several
MME
handle the
same
tracking
area
Module Contents
The concept of Tracking Area
Different UE Identifications
Mobility & Connection Management Terminology
LTE/SAE Mobility & Connection States
LTE/SAE Bearer
LTE/SAE Procedures: Attach, S1 Release, Detach, Service
Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover
Security: EPS Authentication and Key Agreement (AKA)
UE Identifications
IMSI
S-TMSI
C-RNTI
S1-AP UE ID
UE Identifications : IMSI
IMSI
A subscriber can use the same IMSI for 2G, 3G and SAE access.
MME uses the IMSI to locate the HSS holding the subscribers permanent
registration data for tracking area updates and attaches.
IMSI
10
MCC
MNC
3 digits
2 digits
MSIN
10 digits
UE Identifications : S-TMSI
S-TMSI
32 bits
UE Identifications : C-RNTI
C-RNTI :
12
UE Identifications : S1-AP UE ID
S1-AP UE ID
eNB S1-AP UE ID
MME S1-AP IE ID
13
UE Identifications Summary
HSS
eNB
IMSI
MCC MNC
MSIN
Cell Identity
C-RNTI
TAI1
TAI1
TAI1
TAI1
TAI1
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI3
TAI3
TAI3
TAI3
MME
eNB
MME Identity
S-eNB
1 2 3
1 2 3
S-MME
eNB S1-AP UE-ID | MME S1-AP UE-ID
S-TMSI
MME-ID or
MME color code
Module Contents
The concept of Tracking Area
Different UE Identifications
Mobility & Connection Management Terminology
LTE/SAE Mobility & Connection States
LTE/SAE Bearer
LTE/SAE Procedures: Attach, S1 Release, Detach, Service
Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover
Security: EPS Authentication and Key Agreement (AKA)
15
16
Module Contents
The concept of Tracking Area
Different UE Identifications
Mobility & Connection Management Terminology
LTE/SAE Mobility & Connection States
LTE/SAE Bearer
LTE/SAE Procedures: Attach, S1 Release, Detach, Service
Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover
Security: EPS Authentication and Key Agreement (AKA)
17
EMM - REGISTERED:
MME holds location information for the UE at least to the accuracy of a tracking
area
In this state the UE performs TAU procedures, responds to paging messages
and performs the service request procedure if there is uplink data to be sent.
19
Attach
EMM
deregistered
EMM
registered
Detach
20
21
ECM - CONNECTED:
22
In this state there is a signalling connection between the UE and the MME which is
provided in the form of a Radio Resource Control (RRC) connection between the UE and
the E-UTRAN and an S1 connection for the UE between the E-UTRAN and the MME.
The location of the UE is known to within the accuracy of a cell.
Mobility is managed by handovers.
RRC States
RRC_IDLE:
RRC_CONNECTED:
23
eNB
MME
RRC Connection
S1 Connection
ECM Connected
24
Registration (Attach)
Allocate
C-RNTI, S_TMSI
Allocate IP addresses
Authentication
Establish security context
EMM_Deregistered
ECM_Idle
Release
RRC connection
Release C-RNTI
Configure DRX for paging
EMM_Registered
EMM_Registered
ECM_Connected
ECM_Idle
New Traffic
Deregistration (Detach)
Change PLMN
Release
C-RNTI, S-TMSI
Release IP addresses
Timeout of Periodic TA
Update
Release
S-TMSI
Release IP addresses
25
EMM_Registered
EMM_Registered
ECM_Idle
ECM_Connected
ECM_Idle
Network Context:
no context exists
Allocated IDs:
IMSI
UE Position:
unknown to network
Mobility:
PLMN/cell selection
UE Radio Activity:
none
26
Network Context:
all info for ongoing
transmission/reception
Allocated IDs:
IMSI, S-TMSI per TAI
1 or several IP
addresses
C-RNTI
UE Position:
known on cell level
Network Context:
security keys
enable fast transition to
ECM_CONNECTED
Allocated IDs:
IMSI, S-TMSI per TAI
1or several IP
addresses
UE Position:
known on TA level (TA
list)
Mobility:
NW controlled
handover
Mobility:
cell reselection
UE Radio Activity:
DL w/o DRX
UL w/o DTX
UE Radio Activity:
DL DRX for paging
no UL
Module Contents
The concept of Tracking Area
Different UE Identifications
Mobility & Connection Management Terminology
LTE/SAE Mobility & Connection States
LTE/SAE Bearer
LTE/SAE Procedures: Attach, S1 Release, Detach, Service
Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover
Security: EPS Authentication and Key Agreement (AKA)
27
LTE/SAE Bearer
The main function of every mobile radio
PDN GW
LTE/SAE
Bearer
28
UE
SAE Bearer spans the complete network, from UE over EUTRAN and EPS up to
the connector of the external PDN.
The SAE bearer is associated with a quality of service (QoS) usually expressed by
a label or QoS Class Identifier (QCI).
LTE-Uu
eNB
S1-U
Serving
Gateway
S5
PDN
Gateway
cell
Sgi
PDN
End-to-End Service
External Bearer
Service
E-UTRAN
29
EPC
PDN
30
UE
eNB
MME
S1-MME
S11
S1-U
cell
S5
PDN
Gateway
Sgi
Serving
Gateway
SAE Bearer Service (EPS Bearer)
External Bearer
Service
UE: it is not mentioned in the draft standards yet, but is still under
discussion. Note here also the differences to GPRS in 2G/3G networks,
where only UE/MS initiated PDP context setup is defined. This led to a
lot of issues regarding QoS control especially with IMS.
31
PDN
One of the major requirements for EUTRAN and EPC to fulfill is that every SAE bearer must
be QoS aware.
All data transmitted within a SAE bearer will get the same QoS handling (scheduling,
prioritization, discarding probability, etc.).
Different applications (for example take a packet video streaming service and a ftp
download) have different QoS setting and cannot share the same SAE bearer.
Other applications with similar traffic characteristics will be able to be placed inside the same
SAE bearer provided that the bandwidth of the bearer is scaled accordingly .
Due to this fact, the standard will allow a UE to have several SAE bearers, each one with a
different QoS setting.
32
For all bearers together for one terminal, following QoS parameter is
available:
UE
eNB
S1-U
Serving
Gateway
cell
S5
PDN
Gateway
Sgi
PDN
End-to-End Service
SAE Bearer Service (EPS Bearer)
33
External Bearer
Service
34
GBR bearers will reserve some (physical or virtual) capacity along the transmission
path and thus guarantee some bit rate level.
This is required for streaming and conversational services with low upper delay and
delay jitter bounds.
For services that do not have so strong requirements regarding these values typically
NGBR bearers will be used.
The technical difference between GBR and NGBR will be seen in the admission control
functions of eNB, SAE GW and PDN GW.
GBR bearers will usually block more virtual resources for the same throughput and
peak bit rate than NGBR bearers.
35
Because a single UE can have multiple SAE bearers, the system requires some kind of
packet filter to decide which IP datagram has to go to which SAE bearer.
These packet filters are formed by the uplink and downlink TFT (Traffic Flow Template).
Each dedicated SAE bearer has to have one UL and one DL TFT.
Some criteria like source and destination IP address, flow labels, port numbers,
transport layer protocol type, etc. specifies, which IP datagrams will have to be sent in
the associated SAE bearer.
In the moment the concrete structure of the TFT is for further study, especially whether
additional QoS parameters might be inside or not.
This part of the SAE bearer will influence the priority for the setup and modification
procedures of the SAE bearer.
36
Specifies a maximum bandwidth per user considering all the simultaneous services
established by this user.
Priori
ty
Delay
budget
Loss rate
Application
GBR
100 ms
1e-2
VoIP
GBR
150 ms
1e-3
Video call
GBR
300 ms
1e-6
Streaming
GBR
50 ms
1e-3
Non-GBR
100 ms
1e-6
IMS signalling
Non-GBR
100 ms
1e-3
Interactive gaming
Non-GBR
300 ms
1e-6
Non-GBR
300 ms
1e-6
Non-GBR
300 ms
1e-6
TCP protocols :
browsing, email, file
download
SIP UA
SIP server
(IP:B, UDP Port:b)
VoIP
Codec
PDN
UL Packet Filter:
(UL TFT)
IP Dest Add.=C
UDP Dest. Port =c
Protocol = UDP/RTP
38
DL Packet Filter:
(DL TFT)
IP Source Add.=C
UDP Source Port =c
Protocol = UDP/RTP
Module Contents
The concept of Tracking Area
Different UE Identifications
Mobility & Connection Management Terminology
LTE/SAE Mobility & Connection States
LTE/SAE Bearer
LTE/SAE Procedures: Attach, S1 Release, Detach, Service
Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover
Security: EPS Authentication and Key Agreement (AKA)
39
Attach (1/2)
eNB
UE
MME
new
MME
Serving
Gateway
(SGW)
PDN
Gateway
PCRF
EMM_Deregistered
RRC_Connected
Attach Request
S-TMSI/IMSI,old TAI, IP address allocation
ECM_Connected
Authentication Request
Authentication Response
Update Location
Insert Subscriber Data
IMSI, subscription data = default APN, tracking area restrictions,
Insert Subscriber Data Ack
Update Location Ack
40
HSS
Attach (2/2)
eNB
UE
MME
Serving
Gateway
(SGW)
new
MME
PDN
Gateway
PCRF
IP/TEID of SGW-S1u,
S-TMSI, security info,
PDN address, QoS,
PDN address, ,IP/TEID
of SGW-S1u (only for eNB)
RB Est. Resp.
Includes Attach Complete Attach Complete
IP/TEID of eNB for S1u
EMM_Deregistered
ECM_Connected
HSS
S1 Release
The default Bearer has been allocated (RRC_connected + ECM_connected) even it may not transmit or
receive data
If there is a longer period of inactivity by this UE, then we should free these admission control resources
(RRC_idle + ECM_idle)
The trigger for this procedure can come from eNB or from MME.
MME
Serving
Gateway
(SGW)
EMM_Registered
PDN
Gateway
ECM_Connected
S1 Release Request
cause
S1 Release Command
RRC Connection Release
cause
RRC Connection Release Ack
S1 Release Complete
EMM_Registered
ECM_Idle
42
Detach
During the detach procedure all SAE bearers with their associated tunnels and radio bearers will be
deleted.
EMM-Registered
MME
Serving
Gateway
(SGW)
PDN
Gateway
RRC_Connected
NAS Detach Request
switch off flag
ECM_Connected
43
Detach
Note: Detach procedure initiated by MME.
EMM-Registered
MME
Serving
Gateway
(SGW)
PDN
Gateway
RRC_Connected
NAS Detach Request
switch off flag
ECM_Connected
44
The reasons for this might be UL data is available, UL signaling is pending (e.g. tracking area update,
detach) or a paging from the network was received.
Serving
Gateway
(SGW)
MME
PDN
Gateway
RRC_Idle+ ECM_Idle
Paging
Paging
S-TMSI
S-TMSI, TAI/TAI-list
RRC_Connected
Service Request
S-TMSI, TAI, service type
ECM_Connected
Authentication Request
authentication challenge
Authentication Response
Authentication response
45
DL Packet Notification
DL Packet Data
RB Establishment Rsp.
Initial Context Setup Rsp.
eNB-S1 IP/TEID, ..
46
Serving
Gateway
(SGW)
PDN
Gateway
Tracking Area Identity = MCC (Mobile Country Code), MNC (Mobile Network Code) and TAC (Tracking
Area Code).
47
MME
new
MME
MME
old
MME
EMM_Registered
UE
new
Serving
Gateway
(SGW)
old
Serving PDN
Gateway Gateway
(SGW)
RRC_Idle + ECM_Idle
RRC_Connected
Tracking Area Update Request
S-TMSI/IMSI,old TAI, PDN (IP) address allocation
Context Request
ECM_Connected
S-TMSI/IMSI,old TAI
Context Response
Authentication Request
mobility/context data
authentication challenge
Authentication Response
Authentication response
Context Acknowledge
S-TMSI/IMSI,old TAI
Create Bearer Request
48
PDN GW IP/TEID
HSS
MME
new
MME
MME
old
MME
new
Serving
Gateway
(SGW)
old
Serving PDN
Gateway Gateway
(SGW)
Update Location
new MME identity, IMSI,
Cancel Location
IMSI, cancellation type = update
Cancel Location Ack
Delete Bearer Request
TEID
Delete Bearer Response
Update Location Ack
Tracking Area Update Accept
new S-TMSI, TA/TA-list
Tracking Area Update Complete
EMM_Registered
RRC_Idle + ECM_Idle
49
HSS
50
51
MME
RRC_Idle+ ECM_Idle
PDN
Gateway
PCRF
PCC
Decision
Paging
S-TMSI, TA-list,
Service Request
Service Request
Procedure
RRC_Connected + ECM_Connected
52
Serving
Gateway
(SGW)
PDN
Gateway
PCRF
RB Establishment Rsp.
Bearer Setup Rsp.
eNB IP/TEID2, QoS,
53
PCC
Provision
Ack
LTE/SAE Handover
Downlink Packets are forwarded from the source cell to the target cell.
2 Network Controlled
3 UE-assisted
55
Source
eNB
Handover
preparation
SAE GW
MME
SAE GW
MME
Late path
switching
SAE GW
MME
Target
eNB
= Data in radio
= Signalling in radio
56
Radio handover
= GTP tunnel
= GTP signalling
= S1 signalling
= X2 signalling
57
target
eNB
MME
ECM_Connected
RRC: Measurement Control
Packet Data
RRC: Measurement Report
X2AP: Handover Request
HO Decision
forward buffered
DL packets
58
DL Packet Data
buffering of DL
packets from old eNB
Serving
Gateway
(SGW)
target
eNB
MME
Serving
Gateway
(SGW)
Synchronization
UL Allocation + timing advance
S1AP: Handover Complete
Path Switch Request
flush DL buffers
DL Packet Data
release resources
Packet Data
59
forwards DL packets
and accepts UL
packets
Module Contents
The concept of Tracking Area
Different UE Identifications
Mobility & Connection Management Terminology
LTE/SAE Mobility & Connection States
LTE/SAE Bearer
LTE/SAE Procedures: Attach, S1 Release, Detach, Service
Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover
Security: EPS Authentication and Key Agreement (AKA)
60
HSS
UE uses
KASME to verify
the Network
If RES(i)=XRES(i)
Authentication successful
63
K
: This is a permanent key stored on the USIM and in the Authorization Centre (AuC). The
AuC resides in the HSS.
CK, IK : A pair of keys derived in the AuC and on the USIM during an AKA run.
KASME
: This key is derived from the CK, IK and serving PLMNs identity by the UE and HSS
during an AKA run. It is transferred to the ASME (MME) by the HSS as part of the authentication
vector response. The serving PLMNs identity becomes known to the UE as part of the attachment
procedure.
65
KeNB : This key is derived from KASME by the UE and MME. It depends on the identity of the eNB.
This key is transferred to the eNB.
KUP-enc
: This key is derived from KeNB by the UE and eNB and is used for the encryption of Uplane data over the LTE-Uu interface. In order to derive this key an identifier for the encryption
algorithm is shared between the eNB and UE.
66
KNAS, int
: This key is derived from KASME by the UE and MME. It is used for the integrity
protection of NAS traffic.
KNAS, enc
: This key is derived from KASME by the UE and MME. It is used for the encryption of
NAS traffic.
KRRC-int
: This key is derived from KeNB by the UE and eNB and is used for the integrity
protection of RRC traffic. In order to derive this key an identifier for the integrity protection algorithm
is shared between the eNB and UE.
KRRC-enc
: This key is derived from KeNB by the UE and eNB and is used for the encryption of
RRC traffic. In order to derive this key an identifier for the encryption algorithm is shared between
the eNB and UE.
67