3 LTE Mobility Managment v1

1
Module Objectives
After completing this module, the participant should be able to:
Introduce the concept of Tracking Area.
List different UE identifications.
Compare the terminology used in 3G and LTE when referring to Mobility
and Session Management.
Describe the LTE Mobility & Connection States.
Explain the LTE/SAE Bearer Architecture and Attributes.
Analyze different LTE/SAE procedures: Attach, S1 Release, Detach,
Service Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover.
Review the LTE/SAE Authentication Procedure and the Security Keys
Generation.
2
Module Contents
The concept of Tracking Area
Different UE Identifications
Mobility & Connection Management Terminology
LTE/SAE Mobility & Connection States
LTE/SAE Bearer
LTE/SAE Procedures: Attach, S1 Release, Detach, Service
Request, Tracking Area Update, Dedicated SAE Bearer
Activation and inter eNB handover
Security: EPS Authentication and Key Agreement (AKA)
LTE/SAE Mobility Areas

Two areas are defined for handling of mobility in LTE/SAE:
The Cell
Identified by the Cell Identity.
The format is not standardized yet.
Tracking Area (TA)
It is the successor of location and routing areas from 2G/3G.
When a UE is attached to the network, the MME will know the UEs
position on tracking area level.
In case the UE has to be paged, this will be done in the full tracking
area.
Tracking areas are identified by a Tracking Area Identity (TAI).
Tracking Areas
Tracking Area
HSS
TAI1
TAI1
TAI2
TAI2
TAI2
TAI2
TAI3
TAI3
TAI3
TAI3
Cell Identity
TAI1
eNB
1 2
MME
TAI1
TAI1
TAI2
eNB
TAI2
TAI2
TAI2
TAI3
TAI3
TAI3
S-eNB
MME
Tracking Areas Overlapping

2 - UE is told by the network to be in
several tracking areas simultaneously.
Gain: when the UE enters a new cell, it
checks which tracking areas the new
cell is part of. If this TA is on UEs TA
list, then no tracking area update is
necessary.
1 - Tracking areas are allowed to

overlap: one cell can belong to
multiple tracking areas
HSS
TAI1-2
TAI1-2
TAI2
TAI2
Cell Identity
TAI2
TAI2
TAI3
TAI3
TAI3
TAI3
TAI1
eNB
1 2
MME
TAI1
TAI1
TAI2
eNB
TAI2
TAI2
TAI2
TAI3
TAI3
TAI3
S-eNB
MME
Tracking Areas: Use of S1-flex Interface
HSS
eNB
TAI1-2
TAI1-2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI3
TAI3
Cell Identity
TAI1
1 2 3
TAI1
MME
TAI1
TAI2
eNB
TAI2
TAI2
TAI2
S-eNB
TAI2
1 2 3
TAI3
S-MME
TAI3
MME
Pooling:
several
MME
handle the
same
tracking
area
Module Contents
LTE/SAE Bearer
UE Identifications
IMSI
International Mobile Subscriber Identity
S-TMSI
SAE Temporary Mobile Subscriber Identity
C-RNTI
Cell Radio Network Temporary Identity
S1-AP UE ID
S1 Application Protocol User Equipment Identity
UE Identifications : IMSI
IMSI
International Mobile Subscriber Identity.
Used in SAE to uniquely identify a subscriber world-wide.

Its structure is kept in form of MCC+MNC+MSIN:
MCC: mobile country code

MNC: mobile network code
MSIN: mobile subscriber identification number
A subscriber can use the same IMSI for 2G, 3G and SAE access.
MME uses the IMSI to locate the HSS holding the subscribers permanent
registration data for tracking area updates and attaches.
IMSI
10
MCC
MNC
3 digits
2 digits
MSIN
10 digits
UE Identifications : S-TMSI
S-TMSI
SAE Temporary Mobile Subscriber Identity
Dynamically allocated by the serving MME (S-MME)

Main purpose is to avoid usage of IMSI on air
Internally the allocating MME can translate S-TMSI into IMSI and vice
versa.
Whether the S-TMSI is unique per MME or per TA is not clear yet.
In case the S1flex interface option is used, then the eNB must select the
right MME for a UE. This is done by using some bits of the S-TMSI to
identify the serving MME of the UE. This identifier might be a unique MME
ID or a form of MME color code. Under investigation.
S-TMSI
MME-ID or
MME color code
11
32 bits
UE Identifications : C-RNTI
C-RNTI :
C-RNTI is allocated by the eNB serving a UE when it is in active mode

(RRC_CONNECTED)
A temporary identity for the user only
Valid within the serving cell of the UE
Exclusively used for radio management procedures
X-RNTI identifications under investigation
12
UE Identifications : S1-AP UE ID
S1-AP UE ID
: S1 Application Protocol User Equipment Identity.
Two additional temporary identifiers allocated by eNB and MME:
eNB S1-AP UE ID
MME S1-AP IE ID
Purpose is to allow efficient implementation of S1 control signaling

(S1AP=S1 Application Protocol)
Allow easy distribution of S1 signaling messages inside MME and eNB.
NOTE: This concept is similar to SCCP local references known from Iu
or A interface in 3G/2G.
13
UE Identifications Summary
HSS
eNB
IMSI
MCC MNC
MSIN
Cell Identity
C-RNTI
TAI1
TAI1
TAI1
TAI1
TAI1
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI2
TAI3
TAI3
TAI3
TAI3
MME
eNB
MME Identity
S-eNB
IMSI International Mobile Subscriber Identity

S-TMSI
S-Temporary Mobile Subscriber Identity
C-RNTI
S-MME
Serving MME
S-eNB
Serving E-Node B
TAI Tracking Area Identity (MCC+MNC+TAC)
14
1 2 3
1 2 3
S-MME
eNB S1-AP UE-ID | MME S1-AP UE-ID
S-TMSI
MME-ID or
MME color code
Module Contents
LTE/SAE Bearer
15
Terminology for 3G & LTE: Connection & Mobility Management
16
Module Contents
LTE/SAE Bearer
17
LTE Mobility & Connection States

There are two sets of states defined for the UE based on the information
held by the MME.
1. EPS* Mobility Management (EMM) states
2. EPS* Connection Management (ECM) states
*EPS: Evolved Packet System

18
EPS Mobility Management (EMM) states

EMM - DEREGISTERED:
MME holds no valid location information about the UE
MME may keep some UE context when the UE moves to this state (e.g. to
avoid the need for Authentication and Key Agreement (AKA) during every attach
procedure)
Successful Attach and Tracking Area Update (TAU) procedures lead to
transition to EMM-REGISTERED
EMM - REGISTERED:
MME holds location information for the UE at least to the accuracy of a tracking
area
In this state the UE performs TAU procedures, responds to paging messages
and performs the service request procedure if there is uplink data to be sent.
19
EPS Mobility Management (EMM) states
Attach
EMM
deregistered
EMM
registered
Detach
20
EPS Connection Management (ECM) and LTE Radio Resource

Control States
UE and MME enter ECM-CONNECTED state when the signalling
connection is established between UE and MME
UE and E-UTRAN enter RRC-CONNECTED state when the signalling
connection is established between UE and E-UTRAN
21
EPS Connection Management (ECM) states

ECM - IDLE:
In this state there is no NAS signalling connection between the UE and the
network and there is no context for the UE held in the E-UTRAN.
The location of the UE is known to within the accuracy of a tracking area
Mobility is managed by tracking area updates.
ECM - CONNECTED:
22
In this state there is a signalling connection between the UE and the MME which is
provided in the form of a Radio Resource Control (RRC) connection between the UE and
the E-UTRAN and an S1 connection for the UE between the E-UTRAN and the MME.
The location of the UE is known to within the accuracy of a cell.
Mobility is managed by handovers.
RRC States
RRC_IDLE:
No signalling connection between the UE and the E-UTRAN.

I.e.: PLMN Selection.
UE Receives system information and listens for Paging.
Mobility based on Cell Re-selection performed by UE.
No RRC context stored in the eNB.
RACH procedure used on RRC connection establishment.
RRC_CONNECTED:
23
UE has an E-UTRAN RRC connection.

UE has context in E-UTRAN (C-RNTI allocated).
E-UTRAN knows the cell which the UE belongs to.
Network can transmit and/or receive data to/from UE.
Mobility based on handovers
UE reports neighbour cell measurements.
EPS Connection Management

ECM Connected = RRC Connected + S1 Connection
UE
eNB
MME
RRC Connection
S1 Connection
ECM Connected
24
EMM & ECM States Transitions

Power On
Release due to
Inactivity
Registration (Attach)
Allocate
C-RNTI, S_TMSI
Allocate IP addresses
Authentication
Establish security context
EMM_Deregistered
ECM_Idle
Release
RRC connection
Release C-RNTI
Configure DRX for paging
EMM_Registered
EMM_Registered
ECM_Connected
ECM_Idle
New Traffic
Deregistration (Detach)
Change PLMN
Release
C-RNTI, S-TMSI
Release IP addresses
Establish RRC Connection

Allocate C-RNTI
Timeout of Periodic TA
Update
Release
S-TMSI
Release IP addresses
25
EMM & ECM States Summary

EMM_Deregistered
EMM_Registered
EMM_Registered
ECM_Idle
ECM_Connected
ECM_Idle
Network Context:
no context exists
Allocated IDs:
IMSI
UE Position:
unknown to network
Mobility:
PLMN/cell selection
UE Radio Activity:
none
26
Network Context:
all info for ongoing
transmission/reception
Allocated IDs:
IMSI, S-TMSI per TAI
1 or several IP
addresses
C-RNTI
UE Position:
known on cell level
Network Context:
security keys
enable fast transition to
ECM_CONNECTED
Allocated IDs:
IMSI, S-TMSI per TAI
1or several IP
addresses
UE Position:
known on TA level (TA
list)
Mobility:
NW controlled
handover
Mobility:
cell reselection
UE Radio Activity:
DL w/o DRX
UL w/o DTX
UE Radio Activity:
DL DRX for paging
no UL
Module Contents
LTE/SAE Bearer
27
LTE/SAE Bearer
The main function of every mobile radio
PDN GW
telecommunication network is to provide

subscribers with transport bearers for their user
data.
In circuit switched networks users get a fixed
assigned portion of the networks bandwidth.
In packet networks users get a bearer with a
LTE/SAE
Bearer
certain quality of service (QoS) ranging from

fixed guaranteed bandwidth down to best effort
services without any guarantee.
LTE/SAE is a packet oriented system
28
UE
SAE Bearer Architecture
SAE Bearer spans the complete network, from UE over EUTRAN and EPS up to
the connector of the external PDN.
The SAE bearer is associated with a quality of service (QoS) usually expressed by
a label or QoS Class Identifier (QCI).
LTE-Uu
eNB
S1-U
Serving
Gateway
S5
PDN
Gateway
cell
Sgi
PDN
End-to-End Service
External Bearer
Service
SAE Bearer Service (EPS Bearer)

SAE Radio Bearer Service (SAE RB)
SAE Access Bearer Service
Physical Radio Bearer Service
S1 Physical Bearer Service
E-UTRAN
29
S5/S8 Bearer Service
EPC
PDN
SAE Bearer Sections

S5/S8 bearer
Between the PDN GW to SAE GW.
This is usually a GTP or MIP (Mobile IP) tunnel between the two network
elements.
SAE Access Bearer
Between eNB and SAE GW.
The SAE Access Bearer is implemented using the 2G/3G GTP (GPRS Tunneling
Protocol) protocol which builds a GTP tunnel between eNB and SAE GW.
The setup of this SAE Access Bearer is managed by the MME.
SAE GW and eNB do not directly exchange signaling to create it.
Radio bearers
Between UE and eNB.
The eNB connects a radio bearer internally with the associated SAE access
bearer on S1-U interface.
The mapping of radio bearers to physical resources on the air interface is the
major task of the eNB scheduler.
30
SAE Bearer Establishment can be triggered by.

PDN Gateway: The external data
network can request the setup of a
SAE bearer by issuing this request
via PCRF to the PDN gateway.
This request will include the quality
of service granted to the new
bearer.
MME:This happens typically

during the attach procedure of an
UE. Depending on the information
coming from HSS, the MME will
set up an initial SAE bearer, also
known as the default SAE bearer.
This SAE bearer provides the
initial connectivity of the UE with
its external data network.
UE
eNB
MME
S1-MME
S11
S1-U
cell
S5
PDN
Gateway
Sgi
Serving
Gateway
External Bearer
Service
UE: it is not mentioned in the draft standards yet, but is still under
discussion. Note here also the differences to GPRS in 2G/3G networks,
where only UE/MS initiated PDP context setup is defined. This led to a
lot of issues regarding QoS control especially with IMS.
31
PDN
SAE Bearer QoS Awareness
One of the major requirements for EUTRAN and EPC to fulfill is that every SAE bearer must
be QoS aware.
All data transmitted within a SAE bearer will get the same QoS handling (scheduling,
prioritization, discarding probability, etc.).
Different applications (for example take a packet video streaming service and a ftp
download) have different QoS setting and cannot share the same SAE bearer.
Other applications with similar traffic characteristics will be able to be placed inside the same
SAE bearer provided that the bandwidth of the bearer is scaled accordingly .
Due to this fact, the standard will allow a UE to have several SAE bearers, each one with a
different QoS setting.
32
SAE Bearer QoS Attributes

For every EPS bearer the following QoS parameters are available:
Dedicated or default EPS bearer

Guaranteed Bit Rate (GBR) or Non-Guaranteed Bit Rate (N-GBR)
Maximum Bit Rate (MBR)
Traffic Flow Template: UL/DL-TFT
Integer number indicating QoS category: Label or QoS Class identifier (QCI)
Allocation/Retention Priority (ARP)
For all bearers together for one terminal, following QoS parameter is
available:
Aggregate Maximum Bit Rate (AMBR)
UE
eNB
S1-U
Serving
Gateway
cell
S5
PDN
Gateway
Sgi
PDN
End-to-End Service
33
External Bearer
Service
SAE Bearer QoS Attributes (1/3)

Dedicated or Default bearer:
The default bearer is allocated during attach of a UE to the system.

Dedicated bearers on the other hand are created on demand by the external PDN
network.
Only dedicated bearers can be of GBR type.
GBR (Guaranteed Bit Rate) or NGBR (Non Guaranteed Bit Rate):
34
GBR bearers will reserve some (physical or virtual) capacity along the transmission
path and thus guarantee some bit rate level.
This is required for streaming and conversational services with low upper delay and
delay jitter bounds.
For services that do not have so strong requirements regarding these values typically
NGBR bearers will be used.
The technical difference between GBR and NGBR will be seen in the admission control
functions of eNB, SAE GW and PDN GW.
GBR bearers will usually block more virtual resources for the same throughput and
peak bit rate than NGBR bearers.

Maximum Bit Rate (MBR):
Can be only specified for GBR SAE Bearers

Not included in 3GPP Rel.8.
Traffic Flow Control (UL/DL-TFT):
35
Because a single UE can have multiple SAE bearers, the system requires some kind of
packet filter to decide which IP datagram has to go to which SAE bearer.
These packet filters are formed by the uplink and downlink TFT (Traffic Flow Template).
Each dedicated SAE bearer has to have one UL and one DL TFT.
Some criteria like source and destination IP address, flow labels, port numbers,
transport layer protocol type, etc. specifies, which IP datagrams will have to be sent in
the associated SAE bearer.
In the moment the concrete structure of the TFT is for further study, especially whether
additional QoS parameters might be inside or not.

Label or QCI:
The label is simply an integer number assigned to the SAE bearer.

This number indicates the QoS category the bearer belongs to.
It is up to the operator to define these labels, although some standard labels might be
provided by 3GPP.
This label can be translated into a DiffServ-tag used on S1-U and S5/S8 in the IP
header to implement IP differentiated service routing in the associated IP protocol
stacks.
Allocation/Retention Priority (ARP):
This part of the SAE bearer will influence the priority for the setup and modification
procedures of the SAE bearer.
Aggregate maximum Bit Rate (AMBR):
36
Specifies a maximum bandwidth per user considering all the simultaneous services
established by this user.
QoS Class Indentifier (QCI) Table in 3GPP

QCI Guarantee
Priori
ty
Delay
budget
Loss rate
Application
GBR
100 ms
1e-2
VoIP
GBR
150 ms
1e-3
Video call
GBR
300 ms
1e-6
Streaming
GBR
50 ms
1e-3
Real time gaming
Non-GBR
100 ms
1e-6
IMS signalling
Non-GBR
100 ms
1e-3
Interactive gaming
Non-GBR
300 ms
1e-6
Non-GBR
300 ms
1e-6
Non-GBR
300 ms
1e-6
TCP protocols :
browsing, email, file
download
Operators can define more QCIs

Several bearers can be aggregated together if they have the same QCI
37
LTE/SAE Bearer Usage Example

PDN
Gateway
IMAP server
(IP:A, UDP Port:a)
E-MAIL
Default EPS Bearer (N-GBR)
SIP UA
SIP server
(IP:B, UDP Port:b)
VoIP
Codec
PDN
UL Packet Filter:
(UL TFT)
IP Dest Add.=C
UDP Dest. Port =c
Protocol = UDP/RTP
38
Dedicated EPS Bearer (GBR)
DL Packet Filter:
(DL TFT)
IP Source Add.=C
UDP Source Port =c
Protocol = UDP/RTP
VoIP User Agent

(IP:C, UDP Port:c)
Module Contents
LTE/SAE Bearer
39
Attach (1/2)
eNB
UE
MME
new
MME
Serving
Gateway
(SGW)
PDN
Gateway
PCRF
EMM_Deregistered
RRC_Connected
Attach Request
S-TMSI/IMSI,old TAI, IP address allocation
ECM_Connected
Authentication Request
Authentication Vector Request (IMSI)

Authentication Vector Respond
Authentication Response
Update Location
Insert Subscriber Data
IMSI, subscription data = default APN, tracking area restrictions,
Insert Subscriber Data Ack
Update Location Ack
40
HSS
Attach (2/2)
eNB
UE
MME
Serving
Gateway
(SGW)
new
MME
PDN
Gateway
PCRF
Create Default Bearer Request

select SAE GW
IMSI, RAT type, default QoS, PDN address info
Create Def. Bearer Req.
IMSI, , IP/TEID of SGW-S5
PCRF Interaction
Create Def. Bearer Rsp.
Attach Accept
RB Est. Req.
Create Def. Bearer Rsp.
IP/TEID of SGW-S1u,
S-TMSI, security info,
PDN address, QoS,
PDN address, ,IP/TEID
of SGW-S1u (only for eNB)
Includes Attach Accept
PDN address, IP/TEID of PDN GW,

QoS according PCRF
RB Est. Resp.
Includes Attach Complete Attach Complete
IP/TEID of eNB for S1u
EMM_Deregistered
Update Bearer Request

IP/TEID of eNB for S1u
Update Bearer Response
ECM_Connected
UL/DL Packet Data via Default EPS Bearer

41
HSS
S1 Release
After attach UE is in EMM_Registered state.
The default Bearer has been allocated (RRC_connected + ECM_connected) even it may not transmit or
receive data
If there is a longer period of inactivity by this UE, then we should free these admission control resources
(RRC_idle + ECM_idle)
The trigger for this procedure can come from eNB or from MME.
MME
Serving
Gateway
(SGW)
EMM_Registered
PDN
Gateway
ECM_Connected
S1 Release Request
cause

release of eNB S1u resources
S1 Release Command
RRC Connection Release
cause
RRC Connection Release Ack
S1 Release Complete
S1 Signalling Connection Release
EMM_Registered
ECM_Idle
42
Detach
Can be triggered by UE or by MME.
During the detach procedure all SAE bearers with their associated tunnels and radio bearers will be
deleted.
Note: Detach procedure initiated by UE.
EMM-Registered
MME
Serving
Gateway
(SGW)
PDN
Gateway
RRC_Connected
NAS Detach Request
switch off flag
Delete Bearer Request

ECM_Connected
Delete Bearer Response

NAS: Detach Accepted

PCRF

EMM-Deregistered
RRC_Connected + ECM Idle
43
Detach
Note: Detach procedure initiated by MME.
EMM-Registered
MME
Serving
Gateway
(SGW)
PDN
Gateway
RRC_Connected
NAS Detach Request
switch off flag

ECM_Connected

NAS: Detach Accepted

PCRF

EMM-Deregistered
RRC_Connected + ECM Idle
44
Service Request (1/2)
From time to time a UE must switch from ECM_Idle to ECM_connected
The reasons for this might be UL data is available, UL signaling is pending (e.g. tracking area update,
detach) or a paging from the network was received.
Serving
Gateway
(SGW)
MME
PDN
Gateway
RRC_Idle+ ECM_Idle
Paging
Paging
S-TMSI
S-TMSI, TAI/TAI-list
RRC_Connected
Service Request
S-TMSI, TAI, service type
ECM_Connected
authentication challenge
Authentication response
45
DL Packet Notification
DL Packet Data
Service Request (2/2)

MME
Initial Context Setup Req.
RB Establishment Req.
SGW-S1 IP/TEID, QoS
RB Establishment Rsp.
Initial Context Setup Rsp.
eNB-S1 IP/TEID, ..

eNB-S1 IP/TEID
46
Serving
Gateway
(SGW)
PDN
Gateway
Tracking Area Update (TAU)
Tracking area (TA) is similar to Location/Routing area in 2G/3G .
Tracking Area Identity = MCC (Mobile Country Code), MNC (Mobile Network Code) and TAC (Tracking
Area Code).
47
When UE is in ECM-Idle, MME knows UE location with Tracking Area accuracy.
Tracking Area Update (1/2)

eNB
MME
new
MME
MME
old
MME
EMM_Registered
UE
new
Serving
Gateway
(SGW)
old
Serving PDN
Gateway Gateway
(SGW)
RRC_Idle + ECM_Idle
RRC_Connected
Tracking Area Update Request
S-TMSI/IMSI,old TAI, PDN (IP) address allocation
Context Request
ECM_Connected
S-TMSI/IMSI,old TAI
Context Response
mobility/context data
authentication challenge
Authentication response
Context Acknowledge
S-TMSI/IMSI,old TAI
Create Bearer Request
48
IMSI, bearer contexts
new SGW-S5 IP/TEID
Create Bearer Response
new SGW-S1 IP/TEID
PDN GW IP/TEID
HSS
Tracking Area Update (2/2)

eNB
MME
new
MME
MME
old
MME
new
Serving
Gateway
(SGW)
old
Serving PDN
Gateway Gateway
(SGW)
Update Location
new MME identity, IMSI,
Cancel Location
IMSI, cancellation type = update
Cancel Location Ack
TEID
Update Location Ack
Tracking Area Update Accept
new S-TMSI, TA/TA-list
Tracking Area Update Complete
EMM_Registered
RRC_Idle + ECM_Idle
49
HSS
Multi Tracking Area Registration Concept

UE only triggers TAU when
moving to a cell belonging to a
TA not in the TA list for that UE.
50
Dedicated SAE Bearer Activation

The default SAE bearer is created when the
UE performs the attach.
Subsequent SAE bearers are known as
dedicated SAE bearers.
They are expected to be allocated on a per
application base, with parameter that are
application dependent.
Dedicated SAE bearers are currently
supposed to be triggered by the external data
network, not only by the user, like PDP
contexts in GPRS.
51
Dedicated SAE Bearer Activation (1/2)

Serving
Gateway
(SGW)
MME
RRC_Idle+ ECM_Idle
PDN
Gateway
PCRF
PCC
Decision
Create Dedicated Bearer

Create Dedicated Bearer Request
Request
PDN GW IP/TEID2, QoS,
SGW-S1 IP/TEID2, QoS,
Paging
S-TMSI
Paging
S-TMSI, TA-list,
Service Request
Service Request
Procedure
S-TMSI, service type = paging response

Initial Context Setup Req.
SGW-S1 IP/TEID1, QoS
RB Establishment Rsp. Initial Context Setup Rsp.

eNB-S1 IP/TEID1, ..

eNB-S1 IP/TEID1
RRC_Connected + ECM_Connected
52
Dedicated SAE Bearer Activation (2/2)

MME
Serving
Gateway
(SGW)
PDN
Gateway
PCRF
Bearer Setup Req.

RB Establishment Rsp.
Bearer Setup Rsp.
eNB IP/TEID2, QoS,

Response
eNB IP/TEID2, QoS,

Response
53
PCC
Provision
Ack
LTE/SAE Handover
When the UE is in ECM_Connected state, mobility handling takes

place via network controlled handovers with UE assistance.
UE assistance here simply means that the UE sends

measurements and reports to the eNB to assist in the handover
decision.
Currently it is planned that neighbour cells are based on the UEs

cell detection capabilities rather than on a network supplied
neighbour cell list.
Intra LTE/SAE Network Handover Types:

1. Intra eNB handover.
2. Inter eNB handover with X2 interface and without CN
node relocation
3. Inter eNB handover without X2 Interface (with or
without CN node relocation).
54
LTE/SAE Handover principles

1 Lossless
Downlink Packets are forwarded from the source cell to the target cell.
2 Network Controlled
Target cell is selected by the network, not by the UE

Handover control in E-UTRAN (not in packet core)
3 UE-assisted
Measurements are collected by the UE and reported to the network.
4 Late path switch
55
Only once the handover is successful, the packet core is involved.
Handover Procedure: Inter eNB Handover with X2 Interface

and without CN Relocation
Before
handover
SAE GW
MME
Source
eNB
Handover
preparation
SAE GW
MME
SAE GW
MME
Late path
switching
SAE GW
MME
Target
eNB
= Data in radio
= Signalling in radio
56
Radio handover
= GTP tunnel
= GTP signalling
= S1 signalling
= X2 signalling
User plane switching in Handover
57
Inter eNB Handover with X2 interface & without CN Relocation

(1/2)
source
eNB
target
eNB
MME
ECM_Connected
RRC: Measurement Control
Packet Data
RRC: Measurement Report
X2AP: Handover Request
HO Decision
RRC: Handover Command
target cell, serving MME & SAE GW,

Admission Control: allocates
resources for incoming UE
X2AP: Handover Request Ack
HO-command, X2 data forwarding tunnel,
target cell description, C-RNTI,

detach source cell
forward buffered
DL packets
sync. target cell
58
DL Packet Data
buffering of DL
packets from old eNB
Serving
Gateway
(SGW)
Inter eNB Handover with X2 interface & without CN Relocation

(2/2)
source
eNB
target
eNB
MME
Serving
Gateway
(SGW)
Synchronization
UL Allocation + timing advance
S1AP: Handover Complete
Path Switch Request
RRC: Handover Confirm
target eNB IP/TEID,

Packet Data
X2AP: Release Resources
flush DL buffers
DL Packet Data
release resources
Packet Data
59
forwards DL packets
and accepts UL
packets

target eNB IP/TEID,
switch DL
Path
S1AP: Handover Complete Ack Update Bearer Response

Path Switch Req. Ack.
new SGW-S1 IP/TEID,
new SGW-S1 IP/TEID,
Module Contents
LTE/SAE Bearer
60
LTE/SAE Security: EPS Authentication and Key Agreement

EPS Authentication and Key Agreement (EPS
AKA) shall be based on UMTS AKA.
UMTS Authentication and Key Agreement is a

protocol designed to support roaming and fast
re-authentication.
It was originally designed to achieve maximum

compatibility with 2G security mechanisms.
The requirements on EPS AKA are:

EPS AKA shall be based on USIM and extensions to UMTS AKA
Access to E-UTRAN with 2G SIM shall not be granted. R99 USIM will be
accepted.
EPS AKA shall produce keys that are the basis of C-plane and U-plane protection
UMTS AKA achieves mutual authentication between the user and the network by
demonstrating knowledge of a pre-shared secret key K which is only known by the
USIM and the AuC in the users HSS.
61
EPS Authentication Procedure

MME
HSS
NAS: attach Request

User Id, UE Capabilities, etc.
Authentication Data Request

Authentication Data Response
Authentication Vectors: RAND(i), KASME(i), XRES(i)
UE uses
KASME to verify
the Network
NAS: USER Authentication Request

KASME(i), RAND(i)
NAS: USER Authentication Response
RES(i)
If RES(i)=XRES(i)
Authentication successful
RAND is a random value

KASME is an authentication parameter used, among other tasks, for
network authentication
XRES is the UE expected result of the authentication computation
62
Security Functions - Encryption

Signaling protection
For core network (NAS) signaling, integrity and confidentiality protection
terminate in MME.
For radio network (RRC) signaling, integrity and confidentiality protection
terminate in eNodeB.
User plane protection
Encryption terminates in eNodeB.
63
Proposed SAE/LTE Key Hierarchy(3GPP TR 33.821)
All keys used for security (crypto-algorithms) are 128 bits

Possibility to add 256-bit keys later.
64
SAE/LTE Keys (1/2)

Keys shared between the UE and HSS
K
: This is a permanent key stored on the USIM and in the Authorization Centre (AuC). The
AuC resides in the HSS.
CK, IK : A pair of keys derived in the AuC and on the USIM during an AKA run.
Intermediate Key shared by the UE and Access Security Management Entity

(ASME=MME)
KASME
: This key is derived from the CK, IK and serving PLMNs identity by the UE and HSS
during an AKA run. It is transferred to the ASME (MME) by the HSS as part of the authentication
vector response. The serving PLMNs identity becomes known to the UE as part of the attachment
procedure.
Intermediate Keys for Access Networks
65
KeNB : This key is derived from KASME by the UE and MME. It depends on the identity of the eNB.
This key is transferred to the eNB.
SAE/LTE Keys (2/2)

Keys for NAS Signaling
Keys for U-plane Traffic
KUP-enc
: This key is derived from KeNB by the UE and eNB and is used for the encryption of Uplane data over the LTE-Uu interface. In order to derive this key an identifier for the encryption
algorithm is shared between the eNB and UE.
Keys for RRC Signaling
66
KNAS, int
: This key is derived from KASME by the UE and MME. It is used for the integrity
protection of NAS traffic.
KNAS, enc
: This key is derived from KASME by the UE and MME. It is used for the encryption of
NAS traffic.
KRRC-int
: This key is derived from KeNB by the UE and eNB and is used for the integrity
protection of RRC traffic. In order to derive this key an identifier for the integrity protection algorithm
is shared between the eNB and UE.
KRRC-enc
: This key is derived from KeNB by the UE and eNB and is used for the encryption of
RRC traffic. In order to derive this key an identifier for the encryption algorithm is shared between
the eNB and UE.
Key Generation Procedure
67

3 LTE Mobility Managment v1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

3 LTE Mobility Managment v1

Uploaded by

Copyright:

Available Formats

1

LTE/SAE Mobility Areas

Tracking Areas Overlapping

1 - Tracking areas are allowed to

Tracking Areas: Use of S1-flex Interface

International Mobile Subscriber Identity

SAE Temporary Mobile Subscriber Identity

Cell Radio Network Temporary Identity

S1 Application Protocol User Equipment Identity

International Mobile Subscriber Identity.

Used in SAE to uniquely identify a subscriber world-wide.

MCC: mobile country code

SAE Temporary Mobile Subscriber Identity

Dynamically allocated by the serving MME (S-MME)

Cell Radio Network Temporary Identity

C-RNTI is allocated by the eNB serving a UE when it is in active mode

: S1 Application Protocol User Equipment Identity.

Two additional temporary identifiers allocated by eNB and MME:

Purpose is to allow efficient implementation of S1 control signaling

IMSI International Mobile Subscriber Identity

Terminology for 3G & LTE: Connection & Mobility Management

LTE Mobility & Connection States

*EPS: Evolved Packet System

EPS Mobility Management (EMM) states

EPS Mobility Management (EMM) states

EPS Connection Management (ECM) and LTE Radio Resource

EPS Connection Management (ECM) states

No signalling connection between the UE and the E-UTRAN.

UE has an E-UTRAN RRC connection.

EPS Connection Management

EMM & ECM States Transitions

Establish RRC Connection

EMM & ECM States Summary

telecommunication network is to provide

certain quality of service (QoS) ranging from

SAE Bearer Architecture

SAE Bearer Service (EPS Bearer)

SAE Access Bearer Service

Physical Radio Bearer Service

S1 Physical Bearer Service

S5/S8 Bearer Service

SAE Bearer Sections

SAE Bearer Establishment can be triggered by.

MME:This happens typically

SAE Bearer QoS Awareness

SAE Bearer QoS Attributes

Dedicated or default EPS bearer

Aggregate Maximum Bit Rate (AMBR)

SAE Bearer QoS Attributes (1/3)

The default bearer is allocated during attach of a UE to the system.

GBR (Guaranteed Bit Rate) or NGBR (Non Guaranteed Bit Rate):

SAE Bearer QoS Attributes (2/3)

Can be only specified for GBR SAE Bearers

Traffic Flow Control (UL/DL-TFT):

SAE Bearer QoS Attributes (3/3)

The label is simply an integer number assigned to the SAE bearer.

Allocation/Retention Priority (ARP):

Aggregate maximum Bit Rate (AMBR):

QoS Class Indentifier (QCI) Table in 3GPP

Real time gaming

Operators can define more QCIs

LTE/SAE Bearer Usage Example

Default EPS Bearer (N-GBR)

Dedicated EPS Bearer (GBR)