
LTE & EPC Architecture LTE Attach Procedure

Version: 3.0 (March 2013)

Irfan Ali

3GPP Network Architecture

User Equipment (UE) or Mobile Station (MS) = (U)SIM + Mobile Equipment (ME)

Network:
Radio Access Network (RAN): Radio Resource Management
Core Network (CN): Security, IP connectivity, Mobility

SIM: Subscriber Identity Module
USIM: Universal Subscriber Identity Module

LTE Network Architecture


[Figure: LTE network architecture. The Evolved Universal Terrestrial Radio Access Network (E-UTRAN) consists of eNBs, with X2 between eNBs and LTE-Uu as the radio interface. The Evolved Packet Core (EPC) consists of MME, S-GW, P-GW and HSS. Interfaces shown: S1-MME, S1-U, S11, S5, S6a. The P-GW connects to the Internet.]

eNB: Enhanced Node B
MME: Mobility Management Entity
S-GW: Serving Gateway
P-GW: Packet data network Gateway
HSS: Home Subscriber System

LTE Network Architecture

[Figure: functions hosted by each node of the LTE network, with each node marked as a Control-Plane Functional Entity or a User-Plane Functional Entity. Interfaces shown: LTE-Uu, X2, S1-MME, S1-U, S11, S5, S6a. The P-GW connects to the Internet and IMS.]

HSS: Authenticator, Subscription
P-GW: UE IP address Allocation, Inter SGW Mobility Anchoring
S-GW: Inter eNB Mobility Anchoring
MME: NAS Security, Idle Mode Mobility Mgmt, EPS Bearer Control
eNB: RB Control, Radio Admission Control, Inter Cell RRM, Connected Mode Mobility Mgmt, eNB Measurement OAM, Radio Bearer Transmission (L1/L2/L3), Scheduler

Block Diagram example: LTE Architecture


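[Figure: block diagram of the LTE architecture. User-plane path: UE, LTE-Uu, eNB, S1u, Serving GW, S5, PDN GW, SGi, Internet and Operator's IP Services. Other interfaces shown: X2 at the eNB, S1-MME between eNB and MME, S11 and S10 at the MME, S6a toward the HSS.]

Legend labels in the figure: Interfaces, Reference Points; Functional Entity, Logical Entity, Network Entity.

eNB: Enhanced Node B
MME: Mobility Management Entity
S-GW: Serving Gateway
PDN GW: Packet data network GW
HSS: Home Subscriber System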

LTE Architecture Key Concepts

All radio related functions are pushed down to the eNB
    There is no centralized radio resource management element like the RNC.

In the core network, there is control-plane and user-plane separation
    MME is the control-plane entity.
    SGW and PGW are the user-plane entities.
    This allows independent scaling of the control-plane and the user-plane.

LTE is a PS (Packet Switch) only system
    No CS (Circuit switch) domain support

Architecture Concept: Access Stratum vs Non-Access Stratum

[Figure: Access Stratum vs Non-Access Stratum. The Non-Access Stratum (NAS) is drawn between the UE and the MME; the Access Stratum, with Radio Resource Control (RRC), is drawn between the UE and the eNB. Other nodes shown: S-GW, P-GW, HSS, IMS, Internet.]

On the signaling plane, the UE communicates with two entities in the infrastructure: (a) the eNB and (b) the MME (via the eNB).

Access Stratum (AS): UE <-> eNB. AS consists of both user-plane and control-plane. The user-plane protocol is PDCP and the control-plane protocol is RRC.

Non-Access Stratum (NAS): UE <-> MME. NAS is only in the control-plane. The protocol is called the NAS protocol.

Protocol Stacks: Control Plane


Control-plane protocol stacks (top to bottom), per node and interface:

UE (LTE-Uu): NAS, RRC, PDCP, RLC, MAC, PHY
eNB (LTE-Uu side): RRC, PDCP, RLC, MAC, PHY
eNB (S1-MME side): S1-AP, SCTP, IP, L2, L1
MME (S1-MME side): NAS, S1-AP, SCTP, IP, L2, L1
MME (S11 side): GTP-C, UDP, IP, L2, L1
S-GW (S11 side): GTP-C, UDP, IP, L2, L1
S-GW (S5 side): GTP-C, UDP, IP, L2, L1
P-GW (S5 side): GTP-C, UDP, IP, L2, L1

Non-Access Stratum (NAS): The key control interface between MME and UE
Radio Resource Control (RRC): The main control interface between eNB and UE
Packet Data Convergence Protocol (PDCP): Duplicate detection, ROHC
Radio Link Control (RLC): Segmentation/re-assembly, ARQ, acknowledged mode (AM)/unacknowledged mode (UAM), etc.
Medium Access Control (MAC): Access the channel
Physical Layer (PHY): Radio layer, e.g. modulation etc.

S1-AP: S1 Application protocol
SCTP: Stream Control Transport Protocol
GTP-C: GPRS Tunneling Protocol-Control Plane
GTP-U: GPRS Tunneling Protocol-User Plane

Protocol Stacks: Control Plane & User Plane


Control plane: the same stacks as on the previous slide.

User-plane protocol stacks (top to bottom), per node and interface:

UE (LTE-Uu): Application, TCP/UDP, IP, PDCP, RLC, MAC, PHY
eNB (LTE-Uu side): PDCP, RLC, MAC, PHY
eNB (S1-U side): GTP-U, UDP, IP, L2, L1
S-GW (S1-U side): GTP-U, UDP, IP, L2, L1
S-GW (S5 side): GTP-U, UDP, IP, L2, L1
P-GW (S5 side): IP, GTP-U, UDP, IP, L2, L1
End Host: Application, TCP/UDP, IP

User Identifier in the Network


Two important identifiers:

International Mobile Subscriber Identifier (IMSI)
    Embedded in SIM card
    Stored in subscription data of HLR
    Used to index the UE's information in most network nodes
    Format on the next page

Mobile Station Integrated Services Digital Network Number (MSISDN)
    Your phone number
    Number used to identify a subscriber when making a call or sending an SMS

The mapping between IMSI and MSISDN is stored in HLR
MSISDN is not required to be stored in the (U)SIM
MSISDN is typically not needed in the LTE system

(International Mobile Subscriber Identifier) IMSI Structure


IMSI = MCC + MNC + MSIN (max 15 digits)

MCC: Mobile Country Code, 3 digits. Identifies a country within the world.
    310 US, 286 Turkey, 404 India

MNC: Mobile Network Code, 2-3 digits. Identifies an operator within a country.
    01 Turkcell, 02 Vodafone, 03 Avea

MSIN: Mobile Subscriber Identification Number, 9-10 digits. Uniquely identifies a subscriber of an operator.
    Irfan, Alper, Erol

PLMN = MCC + MNC

Source for MCC and MNC codes:
http://en.wikipedia.org/wiki/Mobile_Network_Code
http://en.wikipedia.org/wiki/Mobile_Country_Code

Operator Identity

A mobile operator's network is also known as a Public Land Mobile Network (PLMN). The identity used for an operator's network is called the PLMN Identity (PLMN-ID) and consists of the Mobile Country Code and the Mobile Network Code. An operator may be identified by more than one PLMN-ID.

MCC: Mobile Country Code, 3 digits. Identifies a country within the world.
    310 US, 286 Turkey, 404 India

MNC: Mobile Network Code, 2-3 digits. Identifies an operator within a country.
    01 Turkcell, 02 Vodafone, 03 Avea

PLMN ID = MCC + MNC

MSISDN Structure

MSISDN = CC + NDC + SN (max 15 digits), e.g. +90 533 123 4567

CC: Country Code, 1-3 digits. Identifies a country within the world.
    1 US, 90 Turkey, 91 India

NDC: National Destination Code, 2-3 digits. Identifies an operator within a country.
    533 (Turkcell), 540 (Vodafone), 505 (Avea), 212, 216 (Turk Telecom)

SN: Subscriber Number, 9-10 digits. Uniquely identifies a subscriber of an operator.
    Irfan 123 4567, Alper 123 4568, Erol

List of country calling codes: http://en.wikipedia.org/wiki/List_of_country_calling_codes

Source for MCC and MNC codes: www.wikipedia.org

Identities and Plumbing for LTE


[Figure: identities and plumbing for LTE across UE, eNB, MME, S-GW, P-GW and HSS. Labels in the figure: IMSI, GUTI, C-RNTI, SRB Identity (SRB-0, SRB-1, SRB-2), NAS, S1-MME, GTPC-1, Data Radio Bearer 10, GTP-U-10, EPS Bearer Identity.]

SRB: Signalling Radio Bearer
DRB: Data Radio Bearer
TEID: Tunnel Endpoint Identifier
GTP: GPRS Tunneling Protocol
C-RNTI: Cell-Radio Network Temporary Identity
GUTI: Globally Unique Temporary Identity

Identities in LTE

IMSI (International Mobile Subscription Identity)
    Permanent identity of UE in SIM (MCC+MNC+MSIN), where MCC+MNC = Home PLMN of subscriber. Kept secret from eNB. Max 15 digits.

C-RNTI (Cell Radio Network Temporary Identity)
    Is created by eNB and only used to identify a UE within the scope of an eNB, and provided to the UE during the random access process and setup of the RRC connection. C-RNTI is 16 bits long.

GUTI (Globally unique temporary identity)
    Created by the MME for the UE. Used between MME and UE instead of IMSI. GUTI may be seen by eNB if the NAS message is sent un-encrypted, e.g. when the UE has moved to a new area and needs to be served by a new MME. 56 bits + MCC and MNC.

LTE Attach Procedure


Objective of UE Attach Procedure


The goal of attaching to the network is to obtain an IP address to communicate with the outside world. During the process of attach:

    The UE is authenticated and authorized to send/receive data.
    A data path is created between UE<->eNB<->S-GW<->P-GW.
    UE Context is created in all the nodes in the network.
    The UE is provided an IP address.

[Figure: Bearer Setup at end of the Attach Procedure. Nodes shown: eNBs (with X2), MME, S-GW, P-GW, HSS, Internet, with a label "UE's IP address".]

Objective of UE Attach Procedure


[Figure: Bearer Setup at end of the Attach Procedure, with the same attach objective as on the previous slide, annotated with the UE context held in the network: "UE Context: KEY: IMSI .." at the core network nodes, and at the eNB "UE Context: S1 Cntxt: S1AP TEID(key).., RB Cntxt: C-RNTI(key),..". Interfaces labelled: S6a, S1-MME, X2.]

UE Performs attach Part 1 of 4


Nodes: UE, eNB, MME, SGW, PGW, HSS, Internet

0. UE has selected eNB: the UE has synchronized to the downlink frame of the eNB and hence knows the DL frame boundaries. The UE has read the MIB and from there the SIB2 of the eNB and knows when the random access channel (RACH) slots are in the uplink direction.

Random Access Procedure

1. The UE transmits a specific preamble sequence (RAPID) in a RACH slot. The subframe (0-9) in which the UE transmits is the RA-RNTI of the UE. Since multiple UEs could have transmitted on the same subframe and same RAPID, the UE listens on the downlink shared (DL-SCH) common control channel (CC) to see if the UE's preamble has been accepted by the eNB.
2. The eNB transmits (a) an echo of the RAPID and RA-RNTI received in Step 1, (b) a temporary identity (C-RNTI), (c) the timing correction that the UE should use, and (d) a scheduling grant for when the UE should transmit the next message in the UL direction. The UE listens for the RA-RNTI in the PDCCH channel.
3. The UE checks the RA-RNTI in PDCCH and the RAPID in PDSCH against what it transmitted. If they match, it knows the UL Radio Bearers on which to transmit the RRC connection request. The UE includes the Temporary C-RNTI.

RRC Setup Procedure

4. The eNB echoes the Temporary C-RNTI and the contents of message 3 to the UE. When the UE receives its own transmitted message (unique) and C-RNTI, the contention resolution process is complete.
5. The eNB now transmits the RRC Connection Setup message including the C-RNTI that was received from the UE. This step resolves any contention that could have occurred due to two UEs using the same preamble sequence in the RACH access step.
6. The UE now transmits a message to the MME in the time-slot allocated in the previous step. The UE also includes its IMSI in the message.

Messages and channels:

RACH: 1. Random Access Preamble (RA-RNTI, RAPID)
PDCCH/PDSCH: 2. Random Access Preamble (RA-RNTI, RAPID, Temporary C-RNTI)
UL-SCH: SRB0: 3. RRC Connection Request (Temporary C-RNTI)
DL-SCH: Common CCH: 4. Contention Resolution ID (C-RNTI); 5. RRC Connection Setup
UL-SCH: SRB1: 6. RRC Connection Complete (NAS Msg Attach Request, IMSI; NAS Msg PDN Connect Req)

RNTI: Radio Network Temporary Identity
RA-RNTI: Random Access RNTI
C-RNTI: Cell RNTI
RAPID: Random Access Preamble ID
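The contention case that steps 1 to 5 resolve, as an added example that is not part of the original slides: two UEs pick the same subframe and preamble, both adopt the same Temporary C-RNTI, and only the one whose message 3 is echoed keeps it. The function name, the allocator start value, the sample payloads and the "eNB decodes the first sender" rule are assumptions.

```python
from collections import defaultdict
from itertools import count

def random_access(attempts, first_temp_crnti=0x0100):
    """Simulate steps 1-5 for one RACH occasion (hypothetical helper).

    attempts: list of (ue, subframe, rapid, msg3); msg3 is the unique
    RRC Connection Request payload the UE sends in step 3.
    Returns {ue: C-RNTI, or None if the UE lost contention and must retry}.
    """
    temp_ids = count(first_temp_crnti)          # constructed allocator values
    heard = defaultdict(list)
    for ue, subframe, rapid, msg3 in attempts:  # step 1: preamble on RACH
        ra_rnti = subframe                      # per the slide: subframe is the RA-RNTI
        heard[(ra_rnti, rapid)].append((ue, msg3))

    outcome = {}
    for (ra_rnti, rapid), senders in heard.items():
        # Step 2: the eNB cannot tell how many UEs sent this preamble, so it
        # answers once; every sender sees its RA-RNTI/RAPID echoed and adopts
        # the same Temporary C-RNTI and uplink grant.
        temp_crnti = next(temp_ids)
        # Step 3: all senders transmit msg3 on that grant. Assumption: the
        # eNB decodes exactly one of them, modelled as the first in the list.
        decoded = senders[0][1]
        # Step 4: the eNB echoes the decoded msg3 with the Temporary C-RNTI;
        # each UE compares the echo with what it sent.
        for ue, msg3 in senders:
            won = msg3 == decoded
            outcome[ue] = temp_crnti if won else None  # step 5 only for the winner
    return outcome

# Constructed input: UE-A and UE-B collide on subframe 1, preamble 17.
ATTEMPTS = [
    ("UE-A", 1, 17, b"conn-req:a3f1"),
    ("UE-B", 1, 17, b"conn-req:77c2"),
    ("UE-C", 1, 42, b"conn-req:0b9e"),
]
```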

UE Performs Attach Part 2 of 4


Nodes: UE, eNB, MME, SGW, HSS, PGW, Internet

eNB selects MME

7. Initial UE Message (S1-MME): NAS Msg: Attach Request, IMSI, ..; NAS Msg PDN Connect Req
8. Auth Info Request (S6a): IMSI, ..
9. Auth Info Answer (S6a): Kasme, AUTN, RAND, XRES

User Authentication Procedure

10. DL NAS Xport: Authn Request
11. DL Info Xfer (DL-SCH:CCH SRB1): Authn Request: AUTN, RAND,
12. UL Info Transport (UL-SCH: SRB1): Authn Response
13. UL NAS Xport: Authn Response: RES

MME compares RES with XRES. If same, AKA successful.

NAS Security Setup Procedure

14. DL NAS Xport: Security Mode Command
15. DL Info Transport (DL-SCH:CCH SRB1): Security Mode Command
16. UL Info Transport (UL-SCH: SRB1): Security Mode Complete
17. UL NAS Xport: SMC Complete

NAS Security is in place from this point.

Authorization

18. Location Update Request: IMSI,
19. Location Update Response: Subscription Data

Legend in the figure: Encrypted Info, Integrity Protected Info.

AKA: Authentication and Key Agreement
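The exchange in steps 8 to 13, as an added example that is not part of the original slides: the HSS builds the vector (RAND, AUTN, XRES, Kasme), the UE verifies AUTN before answering, and the MME compares RES with XRES. HMAC-SHA-256 stands in for the real AKA functions, the AUTN layout is simplified, and all function names and key values are assumptions.

```python
import hashlib
import hmac
import secrets

def prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in (assumption) for the operator's AKA functions and the Kasme
    # derivation; a real USIM/HSS does not use HMAC-SHA-256 here.
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()

def hss_auth_vector(k: bytes, sqn: int, rand: bytes = None) -> dict:
    """HSS, step 9: build the vector from the subscriber key K shared with the USIM."""
    rand = rand or secrets.token_bytes(16)
    sqn_b = sqn.to_bytes(6, "big")
    return {
        "rand": rand,
        # Simplified AUTN: sequence number in clear plus a MAC over RAND and SQN.
        "autn": sqn_b + prf(k, b"mac", rand, sqn_b)[:8],
        "xres": prf(k, b"res", rand)[:8],
        "kasme": prf(k, b"kasme", rand, sqn_b),
    }

def ue_respond(k: bytes, rand: bytes, autn: bytes, last_sqn: int):
    """UE, steps 11-12: authenticate the network via AUTN, then return (RES, Kasme)."""
    sqn_b, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, prf(k, b"mac", rand, sqn_b)[:8]):
        raise ValueError("AUTN MAC mismatch: sender does not hold K")
    if int.from_bytes(sqn_b, "big") <= last_sqn:
        raise ValueError("stale SQN: replayed authentication vector")
    return prf(k, b"res", rand)[:8], prf(k, b"kasme", rand, sqn_b)

def mme_verify(res: bytes, xres: bytes) -> bool:
    """MME, step 13: compare RES with XRES in constant time."""
    return hmac.compare_digest(res, xres)

if __name__ == "__main__":
    K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    av = hss_auth_vector(K, sqn=8)
    res, kasme = ue_respond(K, av["rand"], av["autn"], last_sqn=7)
    print("AKA successful:", mme_verify(res, av["xres"]))
    print("UE and network derived the same Kasme:", kasme == av["kasme"])
```

Only RAND, AUTN and RES cross the radio interface; K stays in the USIM and the HSS, and Kasme is derived independently on both sides.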

UE Performs Attach Part 3 of 4


Nodes: UE, eNB, MME, SGW, HSS, PGW, Internet

NAS Security is already in place between UE and MME.

20. Create Session Request (GTPC): (IMSI, TEIDs, PGW IP,)
21. Create Session Request (GTPC): (IMSI, TEIDs, )
22. Create Session Response: (IMSI, TEIDs)
23. Create Session Response: (IMSI, TEIDs)

Result: GTPC Session, GTPC-1 Session, GTP-U-10 Tunnel

Bearer Setup Procedure Start

24. Initial Context Setup Request (S1-MME): (UE Context Info, TEIDs); NAS: Attach Accept; NAS: Activate default bearer req

AS Security Setup Procedure

25. RRC Security Mode Command, AS Algorithm (DL-SCH:CCH SRB1)
26. RRC Security Mode Complete (UL-SCH: SRB1)

AS Security is in place from this point.

27. Obtain UE's Radio Capability

Attach Completion, Data Radio Bearer Setup

28. RRC Connection Reconfiguration (DL-SCH:CCH SRB2): NAS1
29. RRC Reconfig Complete
30. Initial Context Setup Complete: (S1U TEIDs)
31. UL Information Transfer (UL-SCH: SRB2): NAS2
32. UL NAS Xport: NAS: Attach Complete; NAS: Activate default bearer acpt

Bearer Setup Procedure Completion

33. Modify Bearer Req. (GTPC): (IMSI, TEIDs)
34. Modify Bearer Resp: (IMSI,)

Result: SRB-0, SRB-1, SRB-2, Data Radio Bearer-10, GTPU-10 Tunnel

Legend in the figure: Encrypted Info, Integrity Protected Info.

UE Performs Attach Part 4 of 4


[Figure: state after attach across UE, eNB, MME, SGW, PGW, HSS and Internet. Shown: SRB-0, SRB-1, SRB-2 and Data Radio Bearer-10 on the radio side; S1-MME; GTPC Session and GTPC-1 Session; GTP-U-10 Tunnels. DHCP clients and DHCP servers are marked, with DHCP Messages carried over Data Radio Bearer-10 and the GTPU-10 Tunnel. Annotation: "IP address of the UE is routed to this interface".]

Architecture key Concept: Roaming


3GPP architecture from early days has supported a subscriber going to a foreign network and still getting service.

Home PLMN: Subscriber's home network (e.g. Turkcell)
Visited PLMN: Foreign/Roamed-to network (e.g. Orange)

What does roaming require:
    Ability from VPLMN to identify the HPLMN of the subscriber
    Ability to authenticate the subscriber from VPLMN
    Sharing of revenue between VPLMN and HPLMN (roaming charges)

PLMN: Public Land Mobile Network
VPLMN: Visited PLMN
HPLMN: Home PLMN

Roaming Concept
[Figure: two copies of the LTE network (eNBs with X2 and LTE-Uu, MME, S-GW, P-GW, HSS, IMS, Internet; interfaces S1-MME, S1-U, S11, S5, S6a), one for the non-roaming case and one for the roaming case.]

Non-Roaming: Turkcell subscriber in Turkey
    IMSI = 286 + 01 + 1234567890 (286 = Turkey, 01 = Turkcell)
    HPLMN Domain = epc.mnc01.mcc286.pub.3gppnetwork.org

Roaming: Turkcell subscriber in India
    IMSI = 286 + 01 + 1234567890 (286 = Turkey, 01 = Turkcell)
    HPLMN Domain = epc.mnc01.mcc286.pub.3gppnetwork.org
    VPLMN Domain = epc.mnc01.mcc404.pub.3gppnetwork.org

HPLMN: Home PLMN
VPLMN: Visited PLMN
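How a serving network gets from the IMSI structure slide to the first roaming requirement (identify the HPLMN of the subscriber), as an added example that is not part of the original slides. The MNC-length table is a constructed subset, the third sample IMSI is constructed, and the function names are assumptions.

```python
# The MNC length (2 or 3 digits) cannot be derived from the IMSI digits alone;
# it is fixed per country. Constructed subset covering the MCCs on the slides.
MNC_DIGITS = {"286": 2, "404": 2, "310": 3}

def parse_imsi(imsi: str) -> dict:
    """Split an IMSI into MCC, MNC and MSIN and derive the home PLMN-ID."""
    if not (imsi.isascii() and imsi.isdigit()):
        raise ValueError("IMSI must contain decimal digits only")
    if len(imsi) > 15:
        raise ValueError("IMSI is at most 15 digits")
    mcc = imsi[:3]
    if mcc not in MNC_DIGITS:
        raise ValueError(f"MNC length unknown for MCC {mcc!r}")
    n = MNC_DIGITS[mcc]
    mnc, msin = imsi[3:3 + n], imsi[3 + n:]
    if not msin:
        raise ValueError("IMSI too short: no MSIN")
    return {"mcc": mcc, "mnc": mnc, "msin": msin, "plmn_id": mcc + mnc}

def classify_attach(imsi: str, serving_plmn_id: str) -> str:
    """Decide from the IMSI whether the attaching subscriber is at home or roaming."""
    home = parse_imsi(imsi)["plmn_id"]
    if home == serving_plmn_id:
        return f"home subscriber of {home}"
    return f"roamer: authenticate via HPLMN {home}"

if __name__ == "__main__":
    imsi = "286" + "01" + "1234567890"          # IMSI from the roaming slide
    print(classify_attach(imsi, "28601"))        # attaching in Turkey
    print(classify_attach(imsi, "40401"))        # attaching in India
    # Constructed IMSI: a 2-digit split would misread this 3-digit MNC as "41".
    print(parse_imsi("310410123456789"))
```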

LTE/EPC Specifications
[Figure: LTE/EPC block diagram (UE, eNB, MME, Serving GW, PDN GW, HSS, PCRF, SPR, Operator Services, Offline and Online Charging Functions, Billing Domain, Internet) with the 3GPP specification numbers for each interface, marked as Stage-1, Stage-2 or Stage-3 specifications.]

General: 23.003 Identifiers, 29.303 DNS, 33.401 Security Stage 2&3
NAS: 24.301
LTE-Uu: 36.304 Idle, 36.306 Capability, 36.314 Measurement, 23.122 Idle-NAS, 36.201, 211, 213, 214 PHY, 36.321 MAC, 36.322 RLC, 36.323 PDCP, 36.331 RRC
RRM: 36.133 RRM Reqds
S1-MME: 36.410 General, 36.411 Layer 1, 36.412 (Sig xport), 36.413 (S1AP)
S1u: 36.410 General, 36.411 Layer 1, 36.414 (Data xport), 29.281 GTPU
X2: 36.420 General, 36.421 Layer 1, 36.422 (Sig xport), 36.424 (Data xport), 36.423 (X2AP), 29.281 GTPU
S6a: 29.272
S10, S11: 29.274 GTPC
S5: 29.274 GTPC, 29.281 GTPU
SGi: 29.061
PCC (PCRF): Stage 2 23.203; Gx 29.212; Sig Flow 29.213; Rx 29.214; S9 29.215
Sp (SPR): Unspecified
Charging: Stage 2 32.240; Gz/Rf (Offline Charging Function), Gy/Ro (Online Charging Function), Bx (Billing Domain): 32.251

E-UTRAN Stage-2: 36.300
Evolved Packet Core Stage 2: 23.401
Stage-1: 22.278

Link to get latest 3GPP specs per release: ftp://ftp.3gpp.org/Specs/latest
Link to find out what a spec covers: http://www.3gpp.org/Specification-Numbering