The Peril of Cellular Network Evolution
- On CSFB and VoLTE
Chunyi Peng Fall 2015

Emerging Problems in Network Evolution
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng
• 2G: circuit-switching for voice
• 3G: circuit-switching for voice, packet-switching for data
• 4G: packet-switching for everything, IP-based
Q1: Will existing techniques fail to support emerging requirements well? YES!
Q2: Will new features raise new side-effects?

MUTUAL INTERFERENCE BETWEEN VOICE AND DATA IN 4G LTE NETWORKS
[mobicom’13] [CNS’15]

Advancing toward 4G LTE
• 4G LTE grows fast
  – Better support for mobile Internet
  – 480 LTE networks (by 09/2015, 4gamerica)

4G LTE’s Trouble in Voice
• 4G LTE: Packet-switched (PS) only
  – No circuit-switched (CS)
[Figure: 4G base station and 4G PS gateway carry IP packets to the Internet; telephony network: voice, traditionally via CS. No CS, ?]

Two Solutions: CSFB & VoLTE
• #1. CSFB (Circuit-Switched Fallback): leverage 3G/2G CS to support voice
• #2. VoLTE (Voice over LTE): deliver voice directly in packets (over IP)
[Figure: 4G base station, 4G PS gateway, Internet; 3G CS domain, telephony network]

Coexisting Voice Solutions
• Circuit-Switched Fallback (CSFB)
  – Reuse the legacy 2G/3G networks
  – Broadly launched in many LTE networks
  – 1st choice of LTE networks
• Voice over LTE (VoLTE)
  – Ultimate solution, similar to VoIP in LTE
  – Need to deploy IMS (IP multimedia system)
  – Heavy cost and overhead
  – Initial rollout: AT&T, T-Mobile, Verizon since late 2014

CSFB (Circuit-Switched Fallback)
[Figure, built up over three slides: the 3G side (3G base station, 3G CS gateway, telephony network, 3G PS gateway, Internet) next to the 4G side (4G base station, 4G PS gateway, Internet, control (MME)). Legend: IP packets (data-plane), 3G voice (data-plane), signaling (control-plane).]

An Example: Incoming Call Comes During Downloading
• Expected flows on Bob
• [tu13-mobisys]: data transmission suspends and user traffic is over-accounted when an inter-system handover, e.g., 4G<->3G (steps 3 and 6), occurs.
• What else? Impact on data or voice services?

CSFB: Incoming Call Flow
[Figure: message sequence among the callee, 4G BS, 4G MME, 3G BS and 3G CS gateways]
1. Call Request
2. Paging Request (CS call)
3. Extend Service Request
4. Switch to 3G
5. Paging Response (CS call)
6. Setup CS Call
7. Call Conversion
8. Switch back to 4G

Seemingly Reasonable
• Users only switch to 3G when needed (calls)
• Users still obtain higher-speed 4G LTE for data
• Carriers reuse the existing 3G (cost-effective)
By design: Independent voice & data
• Expected data throughput slump during voice
  – 4G downgrade to 3G

Three Unexpected Issues in CSFB
Unexpected: Interference between voice & data
• #1: Data application aborts
  – When voice call ends
• #2: Lose 4G connectivity
  – Got stuck in 3G for 10+ hours
• #3: Miss calls when turning on data

#1: Application Aborts
• 10-day abort ratio
  – 2-5% on average
  – 15% in worst case
• Event: IP address change
  – “Implicit Detached” by cellular
  – “Network re-attach” by mobile
[Figure: timeline. App on 4G; handoff (4G->3G); app on 3G, voice on 3G; handoff (3G->4G); app on 4G ✕ (app aborts)]

Cause
• CS domain
  – When CSFB call ends, implicit detach from network (occasionally)
  – Network reattach, assign a new IP address
• PS domain
  – Data service pauses with implicit detach
  – Abort due to a new IP
    • TCP/UDP sessions cannot be recovered
• Root cause: shared states between CS and PS

[Figure: shared control states in CS and PS. Columns: Circuit-Switching (CS) and Packet-Switching (PS), each with a data plane and a control plane, over a shared STATE used by data and voice. Labels: CSFB voice ends; Implicit Detached; Detached; Data stops; Network-Reattach; Attached, new IP addr.; Data start]

Evaluation: Data App Abort Due to Voice Call
• 8 popular data applications
  – Browser, Gmail, FTP, YouTube, Skype, PPS (streaming), Pandora (Internet radio), Facebook
• We find that Browsing, Gmail, FTP, Skype and Facebook may abort due to CSFB calls.
  – Browsing/Facebook: content is not displayed
  – FTP/Gmail: downloading is terminated
  – Skype: voice call is aborted

#2: Lose 4G connectivity
• Result
  – 10+ hours in 3G
    • even handoff
• Events
  – CS call state changes HO trigger
  – PS data resets HO timer
[Figure: timeline. PS data on 4G; handoff (4G->3G); call & hang up; PS data on 3G, no voice on 3G; NO handoff (3G->4G) ✕; PS data on 4G ✕]

[Figure: the CSFB incoming call flow (1. Call Request; 2. Paging Request (CS call); 3. Extend Service Request; 4. Switch to 3G; 5. Paging Response (CS call); 6. Setup CS Call; 7. Call Conversion; 8. Switch back to 4G) among the callee, 4G BS, 4G MME, 3G BS and 3G CS gateways, next to the CS data-plane call states: IDLE, W-REQ, W-PAGE, RECV, ALERT, Conn, F-REQ, F-PAGE, F-RECV, Fail]
• Call control setup: 6 signaling
• Handoff 4G->3G: 21 signaling
• Handoff 3G->4G: 21 signaling

Cause
• RRC states shared in CS and PS
  – Voice calls: RRC connected
  – Data: RRC connected
• 4G->3G procedure
  – RRC connected: handoff
  – RRC idle: cell-reselection
• 4G->3G switch counts on handoff
  – Handoff’s timer settings
  – During data, no handoff is performed
• Root cause: shared states, complex signaling
[Figure label: Call & hang up: change call state (F-RECV)]

Handoff State Machine
[Figure: handoff state machine over the states 3G IDLE, 3G DATA (FACH/DCH), 4G DATA and 4G IDLE, with 10 sec and 5 sec timers and edge labels 1st, >1st, L, S, Y, N. Annotations: "Call & hang up: change call state" (CS data plane, F-RECV), "HO-in-3G reset", "PS data: reset HO timer". Columns: Circuit-Switching (CS) and Packet-Switching (PS), each with a data plane and a control plane.]
Complex signaling/control involved in both CS and PS

Evaluation
• We conduct an experiment to track the duration Bob stays in 3G for 3 mins after Bob’s call conversation finishes.
  – Packet size: 1B or 1KB
  – Packet interval: 1~24 seconds
• Q: Why does it depend on traffic pattern?
[Figure: results for OP-I and OP-II; labels: 19s-1KB, 13s-1KB, 14s-1B, 7s-1B]

RRC State Transition
• Go back to 4G LTE via Inter-RAT Handover or Cell reselection.
• RRC State Transitions observed in OP-I and OP-II
[Figures: simplified RRC state for OP-I; simplified RRC state for OP-II; each labels an Inter-RAT Handover edge]
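
A simplified model of the "PS data resets HO timer" effect, to show why the time stuck in 3G depends on packet size and interval. This is an added example, not code or measurements from the slides; the timer values, the DCH size threshold and the rule that the phone returns to 4G only once RRC is idle are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RrcTimers:
    # Assumed values for illustration; real settings are operator-specific.
    dch_to_fach_s: float = 5.0    # silence before DCH drops to FACH
    fach_to_idle_s: float = 10.0  # further silence before FACH drops to IDLE
    dch_min_bytes: int = 512      # assumed: packets this large are sent on DCH


def silence_needed(size: int, timers: RrcTimers) -> float:
    """Seconds without traffic, after one packet, until RRC reaches IDLE."""
    if size >= timers.dch_min_bytes:
        return timers.dch_to_fach_s + timers.fach_to_idle_s
    return timers.fach_to_idle_s


def time_in_3g(packets, timers=RrcTimers(), window_s=180.0):
    """Seconds spent in 3G after the CSFB call ends at t=0, capped at window_s.

    packets: (time_s, size_bytes) PS packets in time order. Every packet
    restarts the inactivity countdown; the phone reselects to 4G only when
    the countdown expires with RRC idle.
    """
    idle_at = 0.0  # no data pending: RRC can go idle at once
    for t, size in packets:
        if t > idle_at or t > window_s:
            break  # RRC went idle (or the window ended) before this packet
        idle_at = t + silence_needed(size, timers)
    return min(idle_at, window_s)


def periodic(interval_s: int, size: int, window_s: float = 180.0):
    """Constructed trace: one packet of `size` bytes every `interval_s` seconds."""
    return [(k * interval_s, size) for k in range(int(window_s // interval_s) + 1)]


def max_stuck_interval(size: int, timers=RrcTimers(), window_s=180.0):
    """Largest packet interval (1..24 s, as in the experiment) that keeps the
    phone in 3G for the whole observation window."""
    stuck = [i for i in range(1, 25)
             if time_in_3g(periodic(i, size, window_s), timers, window_s) >= window_s]
    return max(stuck) if stuck else None


if __name__ == "__main__":
    for size in (1, 1024):
        print(f"{size} B packets: stuck for the full window up to "
              f"{max_stuck_interval(size)} s interval")
```
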

#3: Miss Voice Calls
[Figure: 4G LTE phone, PS on 4G; turn on PS data; incoming call ✕; missed call]
• Event
  – “Implicit Detached” by cellular
  – Transient unavailability
• Root cause: shared control states between CS and PS

Security Implications

Possible Problems
[Figure: the CSFB incoming call flow (1. Call Request; 2. Paging Request (CS call); 3. Extend Service Request; 4. Switch to 3G; 5. Paging Response (CS call); 6. Setup Circuit-Switched Call; 7. Call Conversion; 8. Switch back to 4G) among the callee, 4G BS, 4G MME, 3G BS and 3G CS gateways, annotated with the three points below]
#1. Action before paging response (w/o user awareness and consent)
#2. Data over 3G; handoff causes data service interruption
#3. What if 3G-4G handoff is deferred or cancelled?

One Example
[Figure: US OP-1. Speed (Mbps, 0-25) vs. X-th second (0-75), 4G and 3G samples; markers: ringing @callee, call ends]
#1. Action before ringtones (w/o user awareness)
#2. Data service interruption (6-7 seconds)

Another Example
[Figure: US OP-2. Speed (Mbps, 0-25) vs. X-th second (0-75), 4G and 3G samples; markers: ringing @callee, call ends]
#3. 3G->4G switch is deferred: not back to 4G LTE in case of PS traffic

So, possible exploit
• Anyone can make a call without callee’s consent
• With CSFB, it can manipulate 4G->3G handoff
  – Handoff already happens before the call setup
• So it is viable to impede data services
  – Long data service disruption
• It is even worse while repeating it
  – 3G – 4G – 3G – 4G … (ping-pong)

Ping-Pong Attack
[Figure: message sequence among the 4G MME, callee, 3G CS gateways, 4G BS and 3G BS. Dialing side: 1. Dial; 2. Hang-up; 3. Wait; then again 1. Dial, 2. Hang-up, 3. Wait. Network side: 1. Call Request; 2. Paging Request (CS call); 3. Extend Service Request; 4. Switch to 3G; 5. Paging Response (CS call); 6. Setup CS Call; 5. Stop call request; 6. Switch back to 4G. At the callee: 4G –> 3G, 3G –> 4G, …]

Ping-Pong Attacks (cont’d)
• How to guarantee successive switch without the victim’s awareness?
• Two key timers:
  – T1: dial time between dialing and hanging up
  – T2: wait time between hanging up and re-dialing
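
The ping-pong pattern above leaves a recognisable trace on the network side: repeated CSFB fallbacks for one callee where the call is released before the phone ever rings. The detector below is an added example, not part of the slides; the log format, event names (`CSFB_PAGE`, `ALERTING`, `CALL_RELEASED`), window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from typing import NamedTuple

# Constructed signaling-event log: "<epoch_s> <callee> <event> <caller>"
SAMPLE_LOG = """\
1000 callee-A CSFB_PAGE caller-X
1004 callee-A CALL_RELEASED caller-X
1010 callee-B CSFB_PAGE caller-Y
1012 callee-B ALERTING caller-Y
1030 callee-A CSFB_PAGE caller-X
1033 callee-A CALL_RELEASED caller-X
1040 callee-B CALL_RELEASED caller-Y
1060 callee-A CSFB_PAGE caller-X
1064 callee-A CALL_RELEASED caller-X
1090 callee-A CSFB_PAGE caller-X
1093 callee-A CALL_RELEASED caller-X
1100 callee-B CSFB_PAGE caller-Z
1102 callee-B CALL_RELEASED caller-Z
"""


class Alert(NamedTuple):
    callee: str
    at: int          # time of the release that crossed the threshold
    count: int       # silent fallbacks inside the window
    callers: tuple   # callers responsible for them


def detect_ping_pong(lines, window_s=120, threshold=3):
    """Flag callees with >= threshold CSFB fallbacks in window_s seconds where
    the call was released before the ALERTING (ringing) state was reached."""
    open_calls = {}                 # (callee, caller) -> has the phone rung?
    silent = defaultdict(deque)     # callee -> deque of (release_ts, caller)
    alerts, flagged = [], set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts_s, callee, event, caller = line.split()
        ts, key = int(ts_s), (callee, caller)
        if event == "CSFB_PAGE":            # paging for a CS call: 4G->3G follows
            open_calls[key] = False
        elif event == "ALERTING" and key in open_calls:
            open_calls[key] = True          # the user hears the call
        elif event == "CALL_RELEASED" and key in open_calls:
            if open_calls.pop(key):
                continue                    # an ordinary answered or missed call
            q = silent[callee]
            q.append((ts, caller))
            while q and q[0][0] < ts - window_s:
                q.popleft()                 # forget fallbacks outside the window
            if len(q) >= threshold and callee not in flagged:
                flagged.add(callee)
                callers = tuple(sorted({c for _, c in q}))
                alerts.append(Alert(callee, ts, len(q), callers))
    return alerts


if __name__ == "__main__":
    for alert in detect_ping_pong(SAMPLE_LOG.splitlines()):
        print(alert)
```
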

Ping-Pong Attack Validation
[Figure: two plots of TCP speed (Mbps) vs. X-th second (0-120), per-second samples and moving average. First plot: TCP w/o attack. Second plot: TCP w/ attack, with annotated values 0.08 and 0.01.]
TCP: from 31 Mbps to 0.08 Mbps in 30s

On Real Apps

| App | Task | TCP/UDP | w/o conn loss | w/ conn loss |
|---|---|---|---|---|
| Web | Access one CNN page | TCP | Abort | Abort |
| Gmail | Sending/receiving emails | TCP | Fail & multi-entry | Abort & Auto Recovery |
| Facebook | Ongoing chat session | TCP | Slower | Slower |
| Whatsapp | Ongoing chat session | TCP | Slower | Abort & recover |
| AndFTP | File download | TCP | Abort | Abort |
| Youtube | Video streaming | TCP | Freeze | Abort |
| PPStream | Video streaming | UDP | Freeze | Abort |
| Skype | Ongoing video calls | UDP | Freeze | Abort |

Discussion
• Any other side-effects from CSFB?
• What insights and lessons are learnt from CSFB?
  – How should we design voice solutions?
  – How should we design cellular network architecture?

Takeaway
• CSFB is a cost-effective solution
  – Seek to reuse the existing architecture
• Unexpected consequence
  – Incompatibility with existing procedures
  – Mutual interference caused by shared states in CS and PS, as well as complex signaling
• Complex dependency and coupling effects
  – Attacks: open access to control one’s state without consent

INSECURITY OF VOICE SOLUTION VOLTE IN LTE MOBILE NETWORKS
[CCS’15]

Recap: Voice Evolution in 4G LTE
• Legacy voice solution: Circuit-Switched (CS)
  – Carrier-grade quality
• 4G LTE: Packet-switched (PS) only
[Figure: circuits through the CS gateway to the telephony network; 4G PS gateway (aka. edge routers) with the data service bearer to the Internet; voice in 4G: ?]

VoLTE: Carry Voice in Packets
[Figure: 4G LTE PS core with the 4G PS gateway (aka. edge routers). Labels: VoLTE signaling bearer, VoLTE voice bearer, normal data service bearer; signaling servers, media gateway, VoLTE; Internet, telephony network]

“Carrier-Grade” Voice Quality in VoLTE
• Via differentiated QoS profiles

| Bearer | Delivery | Priority |
|---|---|---|
| VoLTE Voice Bearer | Guaranteed-Bit-Rate | 2 |
| VoLTE Signaling Bearer | Best Effort | 1 (highest) |
| Data Service Bearer | Best Effort | 6-9 |

[Figure: packet-switched (PS) core, 4G PS gateway (aka. edge routers)]

Potential Security Threats in VoLTE
[Figure: 4G PS gateway (aka. edge routers), Internet]
#1: Carry “data” over VoLTE Signaling bearer?
If yes, abuse its charging scheme (free) and higher-priority/QoS scheme for “data”?

Potential Security Threats in VoLTE
[Figure: 4G PS gateway (aka. edge routers), media gateway, VoLTE ✗]
#2: Inject (junk) data into VoLTE voice bearer?
If yes, authentic voice traffic will be blocked.

Overview of Our Findings
• Data: Carry data over VoLTE signaling bearer
  – Free data service
  – Higher-priority data service
  – Overbilling
  – Data Denial-of-Service
• Voice: Inject junk data into VoLTE voice bearer
  – Voice Denial-of-Service (muted voice)
• Vulnerabilities from
  – VoLTE standards
  – Carrier networks
  – Mobile devices (software and hardware)

CARRY DATA IN VOLTE SIGNALING BEARER

Two Access Controls at Device & Network
[Figure: 4G PS gateway (aka. edge routers), Internet]
Q1: [Device] Will the phone allow an app (user-space) to send data packets out into VoLTE signaling bearer?
Q2: [Network] Will the network allow packets over VoLTE signaling bearer to non-VoLTE destinations (Internet)?

No Access Control on the Phone
• #1: VoLTE signaling functions open to OS and Apps (software)
  – IP-based, a system app
[Figure: phone stack. Software: apps, IMS client, VoLTE app (dialing), Android OS. Hardware: 4G LTE modem (chipset). Interfaces: IP for VoLTE, IP for normal data]

No Access Control on the Phone
• #2: No proper permission control to VoLTE Signaling network interface in OS (software)
  – Given IP, app (w/ Internet permission) sends packets
• #3: No access control in chipset (hardware)
[Figure: phone stack. Software: apps, IMS client, VoLTE app (dialing), Android OS. Hardware: 4G LTE modem (chipset). Interface: IP for VoLTE]

No Access Control in Network
• #4: Imprudent routing in network
  – Simply routing based on destination IP
  – US-I: Internet and Mobile ✔
  – US-II: Mobile ✔
[Figure: 4G PS gateway (aka. edge routers), Internet, signaling servers, VoLTE; markers ? and ✔]

Finally, it works out!
• Mobile-to-Internet
  – Example: ping Google
[Figure: 4G-GW]

Finally, it works out!
• Mobile-to-Internet
• Mobile-to-Mobile
  – VoLTE-to-VoLTE
  – VoLTE-to-PS
[Figure: two 4G-GWs]

Free Data Access Attack
• VoLTE Signaling free of charges
  – Voice calls: charged by minutes
  – Signaling: no charges (usually small volume)
  – Validated in two US carriers
• Rational, but exploited for free data access

Free Data Service: Skype as Demo

Free Data Service
[Figure: two plots of free data (MB), uplink and downlink. First plot: free data (0-240 MB) vs. source rate (Mbps, 0-16). Second plot: free data (0-500 MB) vs. time (hours, 0-10).]
There are NO signs of a limit on the volume, throughput and duration for free data service

Overbilling Attack
• Spamming via Mobile-to-Mobile (VoLTE-to-PS)
  – Bypass inbound traffic access control at border
[Figure: 4G PS gateway (aka. edge routers), Internet, NAT/firewall, $]

Data Denial-of-Service Attack
• Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE)
  – Exploit higher priority of VoLTE signaling bearer

| Bearer | Delivery | Priority |
|---|---|---|
| VoLTE Signaling Bearer | Best Effort | 1 |
| Data Service Bearer | Best Effort | 6-9 |

[Figure: 4G PS gateway (aka. edge routers), Internet, NAT/firewall]

Data Denial-of-Service Attack
[Figure: throughput (Mbps, 0-32) vs. X-th second (0-60) for the data bearer and the VoLTE signaling bearer; annotation: 0 Mbps; screenshots: www.cnn.com, Youtube logo]

INJECT JUNK DATA INTO VOLTE VOICE BEARER

Similar, but Seemingly More Secure
[Figure: 4G PS gateway (aka. edge routers), media gateway, VoLTE ✗]
Inject (junk) data packets into VoLTE voice bearer as to VoLTE signaling bearer
But, voice bearer info is confidential
Voice via RTP/RTCP (identifier unknown)

Insufficient VoLTE Voice Access Control
• #1: only dest. port# needed
  – RTP Session Identifier: (IP, Port#)
  – Fixed dest. IP to media gateway
• #2: Sending data packets with correct port# is allowed
  – Same access control trouble
[Figure: phone stack. Software: apps, IMS client, VoLTE app (dialing), Android OS. Hardware: 4G LTE modem (chipset). Interface: VoLTE voice bearer]

Port# is Secret, but can be Easily Leaked
• #3: Same IP between voice and signaling bearers
  – Port# matched → VoLTE voice bearer
  – Port# unmatched → VoLTE signaling bearer
• #4: Leaked through distinct behaviors caused by various QoS profiles
  – Guaranteed-Bit-Rate vs. High-Priority Best Effort
  – Low-rate voice traffic NOT affected by heavy VoLTE signaling

| Bearer | Delivery | Priority |
|---|---|---|
| VoLTE Voice Bearer | Guaranteed-Bit-Rate | 2 |
| VoLTE Signaling Bearer | Best Effort | 1 |

Infer RTP/RTCP Destination Ports
[Figure: two plots of one-hop RTT (ms). First plot: RTT (0-300 ms) vs. port number (0-60000). Second plot: RTT (0-200 ms) vs. x-th run (1-20), series Right-Port and Min-RTT-for-Wrong-Port. Annotation: Ports 64580, 64581]

Voice DoS: Muted Call

Root Causes & Recommended Solutions
• VoLTE standards
  – Design defects: lack protection when VoLTE makes open voice access; no speed limit on highest priority, ..
• Carrier networks
  – Imprudent routing & charging for VoLTE signaling
  – Fix: disable routing, limit speed, enable VoLTE volume accounting
• Mobile Devices
  – Lack access control at both software (improper permission) and hardware (missing)
  – Fix: VoLTE-specific permission, anomaly detection

Updates
• Report and work with 2 US carriers to fix problems
• Partial solutions in place (07/2015, 08/2015)
• US-I
  – Disable routing to Non-VoLTE destination
  – Fixed: free data, overbilling, data DoS
  – Not fixed: voice DoS
• US-II
  – Limit the speed of Mobile-to-Mobile to 600 kbps
  – Fixed: data DoS
  – Not fixed: voice DoS, free data, overbilling
![Page 65: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/65.jpg)
Discussion
• Why? What is new with VoLTE?
  – Changes on network side
  – Changes on phone side (Chipset, OS)
• VoLTE designed to carry voice can be exploited to carry data
  – Real threats: free data, overbilling, data DoS, voice DoS …
• Lessons at its early deployment
  – Blame carrier network, device OS, chipset vendors and standards
• Peril of evolution
![Page 66: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/66.jpg)
BACKUP SLIDES
![Page 67: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/67.jpg)
Experimental Methodology
• Two major US 4G LTE operators
  – Called OP-I and OP-II in this work
• Mobile devices:
  – Apple iPhone5
  – Samsung Galaxy S3/S4
  – HTC One
  – LG Optimus G
![Page 68: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/68.jpg)
Throughput Slump
[Figure: logs of data throughput (4G: +, 3G: x) on Bob in OP-I]
![Page 69: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/69.jpg)
One More Slump
• In addition to two handovers, we observe one extra handover in 40.6% of experiment runs (149/367) in OP-I.
[Figure: logs of data throughput (4G: +, 3G: x) in OP-I]
![Page 70: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/70.jpg)
Even Worse
• In OP-II, we observe that Bob cannot go back to 4G LTE after the call ends.
[Figure: logs of data throughput (4G: +, 3G: x) in OP-II; label: Lose 4G Connectivity]
Is it an OP-II-specific issue? How long does it last?
![Page 71: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/71.jpg)
Lose 4G Connectivity
• In OP-I, Bob cannot go back to 4G LTE if Alice cancels the outgoing call before the call is fully established (i.e., Bob doesn't hear the ringtone yet).
• We find that Bob will stay in 3G longer than 10 hours under certain conditions.
[Figure: Alice hangs up the outgoing call before call setup is finished]
![Page 72: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/72.jpg)
Data Services
• We find that it depends on whether a data service is running on Bob's phone.
• Specifically, the duration Bob is stuck in 3G depends on the packet size and packet interval of the running data service.
• We conduct an experiment to track the duration Bob stays in 3G for 3 mins after Bob's call conversation finishes.
  – Packet size: 1B or 1KB
  – Packet interval: 1~24 seconds
![Page 73: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/73.jpg)
Experiment Results
[Figure: results for OP-I and OP-II; annotated points: 19s-1KB, 13s-1KB, 14s-1B, 7s-1B]
Why does it depend on traffic pattern?
![Page 74: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/74.jpg)
RRC State Transition
• Bob can go back to 4G LTE via Inter-RAT Handover or Cell reselection.
• RRC State Transitions observed in OP-I and OP-II
[Figure: Simplified RRC State for OP-I; Simplified RRC State for OP-II; label: Inter-RAT Handover]
CSFB standards allow operators to decide how to move users back to 4G LTE
![Page 75: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/75.jpg)
Data Applications Abort Due to Voice Call
• We are running eight popular data applications
  – Browser, Gmail, FTP, YouTube, Skype, PPS (streaming), Pandora (internet radio), Facebook
• We find that Browsing, Gmail, FTP, Skype and Facebook may abort due to CSFB calls.
  – Browsing/Facebook: content is not displayed
  – FTP/Gmail: downloading is terminated
  – Skype: voice call is aborted
![Page 76: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/76.jpg)
How Often Application Aborts
• We run an experiment in which the user makes a call and hangs up later while data applications are running.
• We observe an average abort ratio of around 3-5%.
[Figure: 10-day FTP downloading abort ratio (OP-I)]
What happens?
![Page 77: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/77.jpg)
Detached
• The users are detached by carriers and lose both 3G and 4G LTE connectivity for a while when this issue occurs.
[Figure: logs of network status at mobile phone (OP-I); labels: Detached, Reattached]
[Figure: resign into network (OP-II)]
How long does it take to recover the connectivity?
![Page 78: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/78.jpg)
Reattach Duration
• For OP-I, 95% of re-attaches finish within 11 seconds.
• For OP-II, 90% of re-attaches finish within 15 seconds.
Q: Is it a big issue to lose connectivity for 11-15 seconds? It should be easily recovered by TCP retransmission.
![Page 79: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/79.jpg)
Invalid TCP retransmission
[Figure: Wireshark traces at the FTP server]
• The FTP server retransmits packets to the mobile device; however, it doesn't receive any ACKs.
• OP-I assigns a different IP address to the mobile device after it reattaches.
• OP-II assigns the same IP address; however, the NAT mapping is gone after the reattach, i.e., retransmitted packets are dropped without a valid mapping.
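The failure described on this slide, as an added example that is not part of the original slides: a constructed Python model of the carrier edge showing that server retransmissions are undeliverable in both operators' cases, and that only a fresh client-initiated connection restores the path. The class and function names, addresses and ports are hypothetical, and OP-I is modelled without NAT purely to isolate the address change.

```python
"""Constructed model of TCP retransmission failing after a CSFB re-attach."""
from dataclasses import dataclass, field

@dataclass
class CarrierEdge:
    """Toy carrier edge (assumption, not a real carrier's design).
    nat=False models OP-I: the device address is replaced on re-attach.
    nat=True models OP-II: the address is kept, NAT state is flushed."""
    nat: bool
    device_ip: str = "10.0.0.5"              # constructed address
    public_ip: str = "198.51.100.1"          # constructed NAT address
    mappings: dict = field(default_factory=dict)   # public port -> (ip, port)
    _next_port: int = 40000

    def outbound(self, src_port):
        """Device sends a packet; returns the (ip, port) the server sees."""
        if not self.nat:
            return (self.device_ip, src_port)
        for pub, inside in self.mappings.items():
            if inside == (self.device_ip, src_port):
                return (self.public_ip, pub)
        pub, self._next_port = self._next_port, self._next_port + 1
        self.mappings[pub] = (self.device_ip, src_port)
        return (self.public_ip, pub)

    def inbound(self, dst):
        """Server sends to dst; True if the packet reaches the device."""
        ip, port = dst
        if not self.nat:
            return ip == self.device_ip
        return ip == self.public_ip and port in self.mappings

    def detach_and_reattach(self):
        if self.nat:
            self.mappings.clear()             # OP-II: same IP, mapping gone
        else:                                 # OP-I: a different IP is assigned
            last = int(self.device_ip.rsplit(".", 1)[1])
            self.device_ip = "10.0.0.%d" % (last + 1)


def run_scenario(nat, retransmissions=5):
    """Returns (delivered_before, retransmits_delivered, delivered_after_reconnect)."""
    edge = CarrierEdge(nat=nat)
    peer = edge.outbound(src_port=50000)      # FTP data connection established
    before = edge.inbound(peer)
    edge.detach_and_reattach()                # implicit detach after the CSFB call
    retx = sum(edge.inbound(peer) for _ in range(retransmissions))
    new_peer = edge.outbound(src_port=50001)  # client opens a fresh connection
    return before, retx, edge.inbound(new_peer)
```

Both scenarios return `(True, 0, True)`: the server cannot repair the flow on its own, so recovery has to come from the client detecting the re-attach and reconnecting or resuming the transfer.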
![Page 80: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/80.jpg)
Miss Call
• Under certain scenarios, users may miss incoming calls without notifications.
• Alice is calling Bob and Bob is enabling the PS network in the meantime.
  – Bob may miss Alice's call without notification (e.g., ringtone).
  – However, Alice still hears the alerting tone.
    • She may think Bob intentionally doesn't answer the call.
![Page 81: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/81.jpg)
Alerting Tone Comes Early
• In the paging phase (Step 2), to avoid a long period of silence at Alice, Bob's MSC# sends an indication of user alerting to Alice.
• Then Alice can hear the alerting tone.
• However, if Bob fails to hand over to 3G networks (Step 3), he will not hear the ringtone.
#: On receipt of service request from MME.
[Figure: CSFB incoming call flows on Bob]
![Page 82: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/82.jpg)
Discussion
• Key factors?
• Root cause?
• Solution?
• What else (other problems)?
• Lessons and Insights?
![Page 83: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/83.jpg)
Summary
• Throughput slumps when voice call starts and ends.
  – In OP-II, the throughput isn't recovered even after the call ends.
• Users may lose 4G connectivity for 10 hours (no signs of limits) and may be utilized by malicious attackers.
• Users may be implicitly detached by operators after a CSFB call ends.
  – Some applications abort due to unsuccessful receipt of packets from their application servers after re-attach finishes.
• Users may miss voice calls without indications because the alerting tone comes early to the caller.
![Page 84: The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE" ChunyiPeng Fall!2015!](https://reader033.fdocuments.in/reader033/viewer/2022042106/5e851ac1a388a736dc35c8e4/html5/thumbnails/84.jpg)
Voice/Data Interference
• Mutual interference between voice & data
  – Shared radio resource
  – Shared network state
  – Complex control/signaling
• Complex dependency and coupling effects
• Smart core in cellular networks, but
  – Can be fragile