UMTS Traffic Management
86
3G SYSTRA 3G/UMTS Traffic Management Training Document 13-537364Issue 1.0 en Issue 4.0 © Nokia Networks Oy 1 (86)
-
Upload
tejpreettej -
Category
Documents
-
view
224 -
download
5
description
umts
Transcript of UMTS Traffic Management
3G/UMTS Traffic Management
3G SYSTRA3G/UMTS Traffic ManagementTraining Document SUBJECT \* MERGEFORMAT
The information in this document is subject to change without notice and describes only the product defined in the introduction of this documentation. This document is intended for the use of Nokia's customers only for the purposes of the agreement under which the document is submitted, and no part of it may be reproduced or transmitted in any form or means without the prior written permission of Nokia. The document has been prepared to be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. Nokia welcomes customer comments as part of the process of continuous development and improvement of the documentation.
The information or statements given in this document concerning the suitability, capacity, or performance of the mentioned hardware or software products cannot be considered binding but shall be defined in the agreement made between Nokia and the customer. However, Nokia has made all reasonable efforts to ensure that the instructions contained in the document are adequate and free of material errors and omissions. Nokia will, if necessary, explain issues which may not be covered by the document.
Nokia's liability for any errors in the document is limited to the documentary correction of errors. NOKIA WILL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENT OR FOR ANY DAMAGES, INCIDENTAL OR CONSEQUENTIAL (INCLUDING MONETARY LOSSES), that might arise from the use of this document or the information in it.
This document and the product it describes are considered protected by copyright according to the applicable laws.
NOKIA logo is a registered trademark of Nokia Oyj.
Other product names mentioned in this document may be trademarks of their respective companies, and they are mentioned for identification purposes only.
Copyright Nokia Oyj 2004. All rights reserved.
Contents
51Module objectives
2Introduction to UMTS traffic management63Subscriber information and databases83.1Network databases83.2Subscriber addressing and identities104Network traffic and radio connection134.1Characteristic of a network bearer144.1.1Types and configuration of bearers154.2Bearer transmission in the network164.3Bearers and the different levels of QoS174.3.1The end-to-end service and UMTS bearer service184.3.2The radio access bearer service and the core network bearer service194.3.3The radio bearer service and the Iu-bearer service194.3.4The backbone network bearer service194.4Managing the bearer through the network204.5Managing the bearer over UTRAN214.5.1Example: Simplified bearer establishment for a call224.5.2Managing the bearer when the subscriber is moving245Mobility management255.1Cellular architecture265.1.1Network location areas275.1.2Network routing areas285.1.3UTRAN registration areas285.1.4Location based information services295.2Mobility procedure - Location updating305.2.1Location area based procedures315.2.2Routing area update (packet switched)335.2.3Location info retrieval (circuit and packet switched)355.2.4Management of the UTRAN registration areas355.3Mobility management - Paging the subscriber365.4Mobility management - Roaming in another network375.5Mobility management procedures386Session management396.1Initially accessing the network406.1.1IMSI attach for an existing subscriber416.1.2IMSI attach when roaming426.1.3Requesting for a dedicated bearer426.1.4Access security in UMTS436.1.4.1Mutual Authentication446.2Managing a real time (circuit switched) bearer486.3Managing a non-real time (packet) bearer517Communication management567.1Call control for circuit switched (real time) calls577.2Generation and collection of charging data587.3Note on handling emergency calls598Review questions60
2 Module objectives
The aim of this module is to give the student the conceptual knowledge needed for explaining how traffic management is visualised in a UMTS network. Topics to be covered in this module include understanding the network databases and the information stored within them. At an overview level, we will look at the different management layers in the network.
After completing the module, the participant should be able to:
List and identify the databases used within the UMTS network
Identify the subscriber addressing information
Name the characteristics of a bearer
Describe how the connection moves with the subscriber when a bearer is in use
Explain what is meant by the term URA
List the procedures used to maintain mobility management in the network
List the procedures done when the mobile gains access to the network. Also, identify how the network selection is made
With the help of the material, describe how the session management of real time and non-real time bearers are handled through the network
without using any references (if not otherwise stated).
3 Introduction to UMTS traffic management
When visualising a UMTS network, there are three ways to approach this. The first view is from the point of view of the architecture and the functions of the elements within the RAS and the core network subsystem. The second approach is through the different interfaces between the mobile, RAS, and the core network. The third approach is to look at how the data and signalling are carried through the network (management layers).
Figure 1.3G/UMTS network architectureThe above figure illustrates the UMTS Release 99 architecture, which is divided into two planes. The control plane is responsible for the control of the information through the network, whereas the gateway plane manages the user data or bearer through the network.
When thinking of managing the subscriber within a network, there are many procedures used for locating and paging, as well as for control activities such as moving and charging. We can think of all these activities as management functions that the network is performing. The functions and procedures are clearly defined in the specifications.
The functions can be divided into management layers. Each management layer is responsible for certain procedures. The following figure illustrates the four management layers in the network. The higher layers require the functions and procedures that are used on the lower layers. For example, you must have a connection to the mobile before you can send or receive signalling messages.
In UMTS networks, we can identify three network-wide layers of functionality.
Error! Objects cannot be created from editing field codes.Figure 2.3G-network management layers
The radio resource management (RRM) is completely covered between the radio access network (RAN) and the user equipment (UE), and it involves managing how the channels are allocated. The mobility management, session management and call control are maintained by the core network (CN) domains. There the function depends on whether the domain is CS (circuit switched) or PS (packet switched). The higher-layer functions performed between the UE and CN are often called as communication management (CM). The CM entity covers the topics like call control (CC), supplementary services (SS) and short message service (SMS).
The radio resource management is the lowest level and it is responsible for the network communication with the mobile over the air interface. We will discuss RRM only briefly in this module.
In this module we will first look at how the subscriber's information is stored. Also the structure of the cellular network and the functions of the management layers will be explained.
4 Subscriber information and databases
Information about the subscriber is stored in several parts of the network. This information is used to identify the location of the subscriber when transmitting the paging signal. The network uses unique information to identify a subscriber, and there are different types of databases throughout the network. Most of the procedures are similar compared with GSM and GPRS. Hence, this chapter is mainly of a repetitive nature.
4.1 Network databases
The databases are used all the time to control activities such as paging, channel set-up and authentication. Other information about the subscriber may include, for example, rights to services, security data, and identification numbers. The figure below summarises the databases that are found within the network.
Figure 3.Network registers
Since the core network will not change dramatically in the first release of UMTS, the registers are similar to those in GSM and GPRS.
The Visitor Location Register (VLR) is considered to be an integral part of the Serving MSC. The VLR maintains mobility management related procedures like location update, location registration, paging, and security activities. The VLR database contains temporary copies of the active subscribers, who have performed a location update in its area.
The Home Location Register (HLR) contains permanent data of the subscribers. One subscriber can always be in only one HLR. The HLR is responsible for mobility management related procedures in both the circuit switched and packet switched domains.
The Authentication Centre (AC/AuC) is a database handling the Authentication Vectors. These contain the parameters that the VLR uses for security activities performed over the Iu interface. The Equipment Identity Register (EIR) maintains the security information related to the user equipment (UE) hardware.
The Short Message Service Centre (SMSC) is an intermediate store for the received/sent short messages. Thus, it has signalling connections with the VLR, GPRS Support Nodes, and Gateway/Interworking MSC.
The IN Service Control Point (SCP) nowadays has INAP (Intelligent Network Application Part) and/or CAP (Camel Application Part) connections towards the core network circuit switched (CN-CS) domain elements. The CN-CS domain elements having the IN connection is called Service Switching Points (SSPs).
In the packet switched domain, the HLR is still a centralised source of information. However, two service nodes are used to supply the required IP access information: the Domain Name Server (DNS) and Firewalls. The DNS is used for APN name to GGSN IP address translation. The Serving GPRS Support Node (SGSN) needs to find out which Gateway GPRS Support Node (GGSN) that supports access to this a specific access point. The role of the DNS is therefore to give the SGSN the IP address to the GGSN. After this, the GGSN is able to route the user's request further. The border between the corporate networks, public IP, and 3G CN-PS domain is maintained by the GGSN which may use the RADIUS database for user authentication. Firewalls are used for security control of external network connections.
Other nodes (such as voice mail systems and application servers) can also contain subscriber and network information.
4.2 Subscriber addressing and identities
Each subscriber has to be uniquely identified. As in 2G networks, unique addressing codes are used to identify the subscriber. The figure below highlights the identities used and where the information is stored.
Figure 4.IMSI and MSISDN addresses in the network
The unique identity for the mobile subscriber is called IMSI (International Mobile Subscriber Identity), which is the same as the GSM:
IMSI = MCC + MNC + MSINWhere:
MCC = Mobile Country Code (3 digits)
MNC = Mobile Network Code (2 digits)
MSN = Mobile Subscriber Identity Number (normally 10 digits).
This number is stored in the SIM card (USIM).
The MSISDN (Mobile Subscriber international ISDN Number) is used for service separation. One subscriber may have several services provisioned and activated, with only one IMSI. For instance, the mobile user may have one MSISDN number for speech service, another MSISDN number for facsimile and so on.
The MSISDN consists of three parts:
MSISDN = CC + NDC + SNWhere:
CC = Country Code (1 to 3 digits)
NDC = National Destination Code (1 to 3 digits)
SN = Subscriber Number.
This number format follows the E.164 numbering specification. Very often this number is called directory number or just simply subscriber number.
Due to security reasons it is very important that the unique identity (IMSI/IMUI) is transferred in non-ciphered mode as less as possible. For this purpose, the UMTS system uses TMSI (Temporary Mobile Subscriber Identity) number, which is also called TMUI (Temporary Mobile User Identity). The packet switched domain of the core network allocates similar temporary identities for the same purpose. In order to separate this type from the TMSI/TMUI, it is named P-TMSI (Packet Temporary Mobile Subscriber Identity).
Figure 5.Temporary information stored in the network
TMSI/TMUI and P-TMSI are random-format numbers, which have limited validity time and validity area. The TMSI/TMUI numbers are allocated by the VLR and they are valid until the UE performs the next location update procedure. The TMSI/TMUI may also change earlier, and the network controls this pace of change. The P-TMSI is allocated by the SGSN and it is valid over the SGSN area. The P-TMSI is changed when the UE performs routing area update.
IMEI (International Mobile Equipment Identity) is a number uniquely identifying the user equipment's hardware. There is a separate register called EIR (Equipment Identity Register) handling these identities. The network may or may not ask the UE to identify itself with IMEI number either in context of every transaction or occasionally in the cases defined by the network operator.
Figure 6.Ensuring terminal equipment security
All the IMEI numbers are handled in three categories within the core network. These categories are called lists, that is, White List, Grey List and Black List. White listed IMEI numbers are normal identities, which do not have any troubles. The grey listed IMEI numbers are under observation, and every time a UE having grey listed IMEI used, the network produces an observation report about the transaction. If the accessing UE is on the black list, the network rejects the transaction, except in case of an emergency call.
There are several other addresses that are used. One is the MSRN (Mobile Subscriber Roaming Number), which is used for call routing purposes. The format of the MSRN is the same than MSISDN, that is, it consists of three parts (CC, NDC, and SN) and it follows E.164 numbering specification. The MSRN is used during a call set-up between the network and a subscriber on another MSC. The implementation of this explanation is beyond the scope of this module.
5 Network traffic and radio connection
In the previous chapter we looked at the type and location of information that is stored about a subscriber within the network. In this chapter, the focus is on how the user traffic (also known as the user plane) is visualised in the network and how the connection is managed in the air interface.
The first concept to clarify is the bearer. The figure below illustrates that a bearer is like a tunnel that goes through the different network elements and is carried on the different network interfaces.
Figure 7.Thinking in terms of a network bearer
The application (such as video) in the mobile has a point-to-point connection to a remote application (such as video on another terminal). From the physical network's point of view, the UMTS radio access network (UTRAN) must ensure that the bearer is maintained over the air interface and is correctly routed to the core network.
The core network ensures that the bearer is either connected into the service platform, Internet, external network or, in the case of a voice/video call, onto the PSTN (see the figure below). In the case of the PSTN, the information in the bearer pipe must be converted to a form that is understood by the outside world.
Figure 8.Data and speech through the bearer
5.1 Characteristic of a network bearer
If you think in terms of GSM, you probably consider the traffic channel to be the same as a bearer in the air interface. A traffic channel does share some same characteristics; for example, it can carry different types information (such as speech and circuit switched data). The fundamental difference between GSM and UMTS is that in UMTS, the bearer is flexible. The type of the bearer reserved and the way it is routed through the network depends on the subscriber's service need. To better understand this concept, let us take two examples.
Example 1: Voice traffic
Voice requires a data speed of, for instance, 12.2 kb/s. (The bit rate depends of course on which speech coding method we use.) If we add error correction information (to ensure quality), the total amount of data needed in the air interface is approximately 24 kb/s. For the interfaces within the radio access network (Iub, Iur) and towards the circuit switched core network (Iu), the bit rate required is around 16-19 kb/s, including overhead. Therefore, we need a connection from the mobile to the Media Gateway that can support these bit rates. Also, we have to take the delay factor into account. As subscribers we are not tolerant of delays in our speech or video conversations.
Figure 9.The different air interface classifications
Example 2: Internet connection
The first characteristic to remember is that Internet traffic is often bursty and asymmetric (there is usually more to download than to upload). Also, the delay factor is not as significant as for conversation, which means that we can tolerate more variable bit rates. On the other hand, the data may be very sensitive to errors, compared with, for instance, voice transmission. It means that we may need to apply more ambitious error correction.
As a conclusion from these two cases, the network will allocate the bearer based upon the request of the subscriber's need. To be more precise, it is the radio network controller (RNC) that makes the decision about the bearer allocation.
5.1.1 Types and configuration of bearers
As with all mobile systems, the largest bottlenecks in allocating resources to a mobile subscriber is in the air interface. This is the reason why the RNC is responsible for the bearer allocation. The air interface is limited in terms of the maximum amount of subscribers, the maximum data rates, the coverage area, and quality. In UMTS, all of these factors are linked together. If you introduce more people to a cell, then the size and bit rate reduces.
The UMTS specification defines four classifications of bearers. These were summarised in the previous figure. The below figure illustrates typical services and their required data rates. Of course the transmission and core networks must be capable to support the different needs; one of the important tasks for the network planners is to dimension the accurate capacity in the network beyond the air interface.
Figure 10.Typical data speeds needed for common 3G services
Let us assume that a video call is to be made through the network. A dedicated traffic channel for the air interface must then be requested. The UE must also inform the network about the needed classification and data speed. It is then the RNC's responsibility to allocate an air interface channel and to establish the connections through to the core network.
5.2 Bearer transmission in the network
On its journey throughout the network, the bearer 'sits' in a physical channel. On the connection between the BTS and the RNC and towards the MSC/SGSN, a frame-structure protocol (typically ATM) is used.
Figure 11.Transmission through the network
The air interface also has physical channels, which are used to carry signalling messages and data between the terminal and the network.
The above figure shows that between elements we have pipes. The network elements ensure that the right information is moved from one pipe to another. In the circuit switched core network (CS-CN) domain, there is always a dedicated circuit for the connection and it is only released at the end of the call.
In the packet switched core network (PS-CN), we use tunnelling to make a virtual connection between IP network elements. Although tunnelling ensures a semi-dedicated channel in an IP network, it is still not the same as having a dedicated circuit in the network. Basically, the tunnel enables a virtual circuit between the RNC via the Serving GPRS Support Node (SGSN), and towards the Gateway GPRS Support Node (GGSN).
Student Exercise:Why do you think the RNC makes the decision on the type of bearer that is allocated to a subscriber?
5.3 Bearers and the different levels of QoS
Network services are considered end-to-end, this means from terminal equipment (TE) to another TE. An end-to-end service may have a certain QoS, which is provided for the user of a network service. It is the user that decides whether he/she is satisfied with the provided QoS or not.
To realise a certain network QoS, a bearer service with clearly defined characteristics and functionality is to be set up from the source to the destination of a service.A bearer service includes all aspects to enable the provision of a contracted QoS. These aspects are among others the control signalling, user plane transport, and QoS management functionality. UMTS bearer service layered architecture is depicted in the below figure (taken from the specifications). Each bearer service on a specific layer offers its individual services and uses services provided by the layers below.
Figure 12.Layered architecture of the bearer services in UMTS
5.3.1 The end-to-end service and UMTS bearer service
On its way from the terminal equipment (TE) to another, the traffic has to pass different bearer services of the network(s). A TE is connected to the UMTS network by use of a mobile terminal (MT). The end-to-end service on the application level uses the bearer services of the underlying network(s). As the end-to-end service is conveyed over several networks (not only UMTS), it is not subject for further elaboration in the present document.
The end-to-end-service used by the TE will be realised using a TE/MT local bearer service, a UMTS bearer service, and an external bearer service.
TE/MT local bearer service is not further elaborated here as this bearer service is outside the scope of the UMTS network.
It is the various services offered by the UMTS bearer service that the UMTS operator offers. In other words, it provides the UMTS QoS.
The external bearer service is not further elaborated here as this bearer may be using several network services, such as another UMTS bearer service.
5.3.2 The radio access bearer service and the core network bearer service
The UMTS bearer service consists of two parts: the radio access bearer service and the core network bearer service. Both services reflects the optimised way to realise the UMTS bearer service over the respective cellular network topology taking into account such aspects as, for example, mobility and mobile subscriber profiles.
The radio access bearer service provides confidential transport of signalling and user data between MT and CN Iu Edge Node with the QoS adequate to the negotiated UMTS bearer service or with the default QoS for signalling. This service is based on the characteristics of the radio interface and is maintained for a moving MT.
5.3.3 The radio bearer service and the Iu-bearer service
The radio access bearer service is realised by a radio bearer service and anIu-bearer service.
The role of the radio bearer service is to cover all the aspects of the radio interface transport. This bearer service uses the UTRA FDD/TDD. UMTS Terrestrial Radio Access/Frequency Division Duplex will be forming the physical layer in the first phase of UMTS. Later also Time Division Duplex is expected to be implemented.
To support unequal error protection, UTRAN and MT shall have the ability to segment and reassemble the user flows into the different subflows requested by the radio access bearer service. The segmentation/reassemble is given by the SDU payload format signalled at radio access bearer establishment. The radio bearer service handles the part of the user flow belonging to one subflow, according to the reliability requirements for that subflow.
The Iu-bearer service together with the physical bearer service provides the transport between UTRAN and CN. Iu-bearer services for packet traffic shall provide different bearer services for variety of QoS.
5.3.4 The backbone network bearer service
The core network bearer service uses a generic backbone network service. The backbone network service covers the Layer 1/Layer 2 functionality and is selected according to operator's choice in order to fulfil the QoS requirements of the core network bearer service. The backbone network service is not specific to UMTS but may reuse an existing standard.
5.4 Managing the bearer through the network
The UMTS network is responsible to establish a flexible bearer for user data transport between the Mobile Terminal (MT) and the external networks. In the bearer set-up phase, the QoS parameters must be known, so that the individual network elements within the UMTS network know, how to set-up the bearer.
Figure 13.QoS management in the control plane
As can be seen, a hierarchical approach is used for bearer establishment: In order to establish a bearer in accordance to the QoS requirements of the users circuit switched application, a peer-to-peer bearer service (BS) signalling between the MT, MSC, and (G)MSC takes place. In case of a packet orientated service request, bearer related signalling and control information must be exchanged between the MT, SGSN, and GGSN. (In the next lines, we refer to MT, SGSN, and GGSN. Please note, that there is no significant difference for the circuit switched case.) The peer-to-peer signalling is necessary, so that the affected network elements can determine the required QoS parameters for the end-to-end bearer. If one network element is not capable to establish the bearer, a re-negotiation can be initiated to find an alternative bearer if the users application permits it or the UMTS PLMN is not capable to offer the requested service.
If the UMTS bearer service (BS) manager use the GPRS Tunnelling Protocol (GTP) for QoS negotiation between each other. If they have agreed on the QoS parameters for the bearer, the UMTS BS manager of the CN inform the CN BS manager about the QoS parameters for the bearer between SGSN and GGSN. It lies then in the responsibility of the CN BS manager to negotiate on how to make the bearer available, which route to take between the SGSN and GGSN. If they have agreed on the QoS parameter on their level, they inform then the Backbone network service (BB NS) manager about the set QoS parameter. Within the backbone, IP over ATM may be applied, IP over Frame Relay, etc. Depending on the underlying transmission technology and signalling protocols used, the network elements must conduct signalling to step by step establish the bearer between SGSN and GGSN.
A bearer also must be established between the MT and the SGSN. The RNC is responsible for the resource management within UTRAN. The RNC is managing so-called Radio Access Bearer (RAB). A RAB stand for one bearer/ connection between a MT and a core network edge element (SGSN, MSC). The RNC must establish the bearer on Uu, Iub, Iu, and if required on Iur. After determining the QoS parameter internally used from the QoS parameters set by the bearer service manager in the SGSN, it informs its Iu bearer service manager to negotiate and establish the bearer between itself and the SGSN. The RAB manager also informs the Radio BS manager about the required QoS parameter; the Radio BS manager then determines the radio QoS parameters. The physical parameters for the transmission via the radio interface are then determined in the underlying UTRA physical BS manager, parameters such as spreading codes, spreading factor, type of convolutionary coding.
The whole process is conducted to establish on every physical link within the UMTS operators network a bearer in accordance to the QoS required for the subscribers application.
Bearers for signalling can be negotiated, too. But often, they are made available during operation and maintenance.
5.5 Managing the bearer over UTRAN
In UMTS there may be a number of connections between the core network and the mobile. As an example, a subscriber may have a video, voice, and Internet connection bearer open. This means that the subscriber will be using multiple bearers to support each service. Each of this connection is known as a RAB, (radio access bearer).
The RABs for an individual subscriber are grouped together into a RRC (radio resource control). RRC is a stack structure, in which the RABs are located. Therefore, if we need to move the RRC (in the case of a handover from one BTS to another), then we need to move the whole RRC.
Figure 14.The relationship between the RAB and RRC in the UTRAN
As the above figure illustrates, the different RABs are received by the RNC and combined together to form a single RRC connection. The 3G Specifications make provision for procedures that allow for the RAB to be added, modified, and removed. This would happen if the subscriber needed an additional service (for example, downloading email).
To control the connection between the network and the mobile, a signalling protocol called radio resource control is used. By use of the protocol, the network can carry messages that are required to set up, modify and release radio resource connection.
Student Exercise:Can you think of an example where it may be necessary to modify the radio resource connection?
5.5.1 Example: Simplified bearer establishment for a call
The UMTS bearer service manager in the SGSN requests a bearer set-up between the MT and itself. It send a RAB Assignment request to the radio resource control unit RNC. The bearer control messages are exchanged between SGSN and RNC with RANAP messages. RANAP stands for Radio Access Network Application Protocol.
Following the UMTS specific RAB Assignment Request message, the Iu-PS bearer between SGSN and RNC can be set up in accordance to the required quality of service parameter. Between SGSN an RNC the Iu-PS bearer is currently an AAL5 virtual channel.
Then, an Iub bearer between Node B and RNC can be established. This bearer will be later on used for user data transport and is an AAL2 virtual channel.
A signalling connection already exists between the UE and the RNC. This connection is used to send the Radio Set-up Bearer message to the UE. The UE is informed about the physical layer characteristics, MAC layer characteristics (e.g. puncturing, data rate), RNC modus (e.g. acknowledged/unacknowledged mode), etc.
The Radio Link Reconfiguration message informs the Node B among others about the physical and MAC layer characteristics of the Uu interface transmission.
The Node B confirms this message by returning a Radio Link Configuration Complete message.
The UE confirms the Radio Bearer Set-up message with the Radio Bearer Set-up Complete message.
Now the bearer between the UE and the RNC exists. The RNC returns the RAB Assignment Complete message to the SGSN, with which the UMTS bearer between UE and SGSN is established.
Please note, that this example is highly simplified. The bearer establishment within UTRAN is very complex and allows a wide range of different options.
Figure 15.RAB establishment (simplified)
5.5.2 Managing the bearer when the subscriber is moving
As a subscriber moves through the network, the radio resource connection must follow. The below figure illustrates a network with the path of a bearer being connected from end to end (UE to MSC and UE to SGSN). As the mobile moves, the signal it receives from the serving BTS will change (possibly decrease as in the below example) and the signal received from a neighbouring BTS will increase.
It makes sense that the mobile should receive the signal from the BTS with the best signal quality and strength. One characteristic of a CDMA network is that there could be simultaneous connections between different base stations and the mobile. It is the same information, just being transmitted and received by different sources.
Figure 16.The initial situation of an end-to-end bearer connection
The base stations that have simultaneous radio resource connections to the same terminal are known to belong to an active set. As the mobile moves, the base stations are constantly being added and removed from the active set.
One common question that students ask is why use the extra resources, surely it would be better to just use the one connection? In principle this is true, but by transmitting the signal from different sources there are advantages in gain that can be achieved. In theory, we are able to decrease the interference and power in the radio network, therefore increasing capacity.
6 Mobility management
Note for self-studying
You will notice that this chapter quite much repeats the concepts from GSM and GPRS. But, please be aware that some new concepts are introduced in this chapter too.
As the user terminals are not fixed to certain positions, the network must keep track on where the mobile is located. The system must at least be capable of knowing the geographical area in which the subscriber is located. As in GSM networks, UMTS has a cellular architecture that allows the network to identify the subscriber. As discussed in the previous section, the network maintains information about the location of a subscriber, and the procedures are specified to allow a constant updating of these databases as the subscriber moves around the network, and also from one network to another.
Figure 17.The role of the HLR as the centralised database
The Home Location Register (HLR) is the central database that stores information on the subscriber, such as the IMSI and MSISDN. The HLR also stores information on which serving MSC and SGSN the subscriber can be found.
Also in the HLR we store information on the subscriber's service profile. In other words, we have a record of the different services (teleservices, supplementary and packet services) that the subscriber can/cannot use.
Therefore, if the network needs to locate the subscriber in the case of a mobile terminated call, or if the network needs to check if the subscriber is valid, then all requests are sent to the HLR.
6.1 Cellular architecture
The smallest entity within the radio network is known as a cell, which is being served by a base station. The operating size of the cell (CI) can change geographically depending on the parameters used. The cells are grouped together geographically into location areas (LA), routing areas (RA), and UTRAN registration areas (URA).
Figure 18.UMTS cellular architecture
The above figure illustrates the structure of the network. This may look confusing and overly complex. The reasoning behind the structure is to make UMTS backward compatible with GSM and GPRS. The location areas are used in the circuit switched domain as the routing areas are used in the packet switched domain. A single cell can belong to both a LA and RA and this information is used by the core network for routing information to the radio access network (RAN).
In GSM, two separate connections are made for circuit and packet switched data. In UMTS, there is a single connection that can carry multiple bearers. Therefore, to reduce the excessive amount of signalling that may occur, an UTRAN registration area (URA) is introduced to more intelligently monitor the location of a subscriber in the RAN.
Student Review:One MSC can have many LAs, but an LA cannot cross MSCs. A RA can cross BSCs, but not MSCs. A cell cannot belong to different LA or RA; they must be unique. A cell can belong to more than one URA.
6.1.1 Network location areas
The location area (LA) is used in the circuit switched domain. The LA consists of cells; minimum is one cell and the maximum is all the cells under one VLR. Thus, the maximum size of one LA could be the same than VLR area.
In the location update procedure the location of the UE is updated in the VLR with LA accuracy. This information is needed in case of mobile terminated call; the VLR pages the desired UE from the location area it has performed the latest location update.
It should be noted that in other respects than the VLR, the LA does not have any other hardware bindings. For instance, one RNC may have several location areas or one location area may cover several RNCs.
Where the MCC and MNC (see previous section) is the same as in IMSI number. The LA code is just a number identifying LA. LAI is unique number throughout the world.
To globally separate cells from each other, the identity must be expanded and in this case it is called cell global identity (CGI):
The CGI value covers the country of the network (MCC), the network within a country (MNC), location area in the network, and finally the cell number within the network.
6.1.2 Network routing areas
The packet switched domain has its own location definitions based on a routing area (RA). A routing area is definition-wise very similar than the LA, that is, it is the area where the UE may move without performing the routing area update.
On the other hand, the RA is kind of a 'subset' of LA: one LA may have several RAs within it, but not vice versa. In addition, one RA cannot belong to two LAs. The reason why these two definitions co-exist is the possibility to have a UE supporting either circuit or packet traffic, but not both. At the core network side the VLR and the SGSN can have a common optional interface, Gs, through which these nodes may change location information. For example, if the UE performs a location update, the VLR may inform SGSN through the Gs interface that the UE should also perform routing area update in order to guarantee packet traffic.
6.1.3 UTRAN registration areas
As mentioned before, the reasoning for having the CIs, LAs and RAs is to ensure compatibility to GSM and GPRS networks. In 3G/UMTS, an additional grouping of cells is introduced, the UTRAN registration area (URA).
As the RNC has greater mobility management functions, and it controls handovers between RNCs, it must identify which cells belong to which RNC. As a subscriber moves into the geographical range of the RNCs serving area, the subscriber is allocated into the serving URA. Only when the subscriber moves from the control or supervision of one RNC to another, the information has to be updated.
When transmitting the paging signal, the RNC can limit the paging to the URA area, thus reducing the amount of signalling in the network. SGSN uses the RNC address when routing packets for a designated user. With URA, it is also possible to create more accurate demographic areas within the network. It means that we can define an URA more flexibly than LA/RA with respect to where people are located (and what patterns of movement they have).
Figure 19.RNC and URA architecture in the networkNotes on GSM evolution of UMTS
The MSC and the VLR still use the LA-based method for mobility management functions for circuit switched operations such as CS call set-up. As for GPRS, the 3G-SGSN still works on the basis of RAs. Therefore, the only new entities are the URA and UTRAN positioning services. Unlike in GSM, the RNC can handle inter-RNC handovers via the Iur interface. In GSM, the MSC is always responsible for inter-BSC handovers. As UMTS networks are designed to work with different types of core network, the only way that the network can identify which cells belong to which RNC is based upon the use of URA.
6.1.4 Location based information services
Another characteristic of a 3G/UMTS network is that it is possible to determine a more accurate position of the subscriber by using the UTRAN positioning service. Unlike the URA, LA and RA, which are used for controlling mobility management (that is, subscriber location for call set-up), the future for UTRAN positioning service is for the provisioning of services that are based upon the subscriber's exact location. Examples of such services could be emergency calls, viewing maps, and locating the nearest doctor.
The aim is to be capable of locating the subscriber within a 50 - 70 m range. There are different techniques that can be used, such as GPS (Global Positioning System). However, this may have limitations due to line of sight, indoor coverage, and even political reasons. Other techniques exist, which use the triangulation between base stations to measure the delay in signals.
Figure 20.Service possibilities
6.2 Mobility procedure - Location updating
As the network maintains three layers of information on the subscriber's location (LA, RA and URA), there are multiple procedures used to track the subscriber's movements. In practice, there are three basic types of location update procedures:
Location registration (power on / cell attach)
Movement between area
Periodic updateThese are explained in more detail in the forthcoming pages. In a GSM network the BSC took no responsibility for mobility management; instead the mobile would contact the core networks directly to inform about a change in location.
In UMTS, the situation is different as the RNC not only keeps information on which subscribers are in which URA, but is also responsible for the location updating to the core network.
Figure 21.Location update generic procedures and information in the networkAs the RNC receives a location updating message, it takes responsibility for informing the core network. The RNC will update its own information about the subscriber within the URA and inform the SGSN and VLR, respectively, if the routing area / location area also change.
Why bother to keep updating a location? The reason is that the network's VLR and SGSN databases are only temporary. Depending on the parameters that the operator use, the information is only stored for a certain time. If there has been no updating, it is assumed that the information is old. Therefore, to stop having a huge amount of useless data in the network, the information is removed.
6.2.1 Location area based procedures
Location registration (IMSI attach) takes place when a user equipment (UE) is turned on and it informs the VLR that it is now back in service and is able to receive calls. Related to this process, the network sends the UE two numbers that are stored in the USIM (Subscriber Identity Module) card of the UE.
These two numbers are the current Location Area Identity (LAI) and the Temporary Mobile Subscriber Identity (TMSI). The network, via the control channels of the air interface, sends the LAI. The TMSI is used for security purposes, so that the IMSI of a subscriber does not have to be transmitted over the air interface. The TMSI is a temporary identity, which regularly changes.
Every time the mobile receives data through the control channels, it reads the LAI and compares it with the LAI stored in its USIM card. A generic location update is performed if they are different. The mobile starts a location update process by accessing the MSC/VLR that sent the location data.
A channel request message is sent that contains the subscriber identity (that is, IMSI/TMSI) and the LAI stored in the USIM card. When the target MSC/VLR receives the request, it reads the old LAI, which identifies the MSC/VLR that has served the mobile up to this point. A signalling connection is established between the two MSC/VLRs and the subscriber's IMSI is transferred from the old MSC to the new MSC. Using this IMSI, the new MSC requests the subscriber data from the HLR and then updates the VLR and HLR after successful authentication.
Periodic location update is carried out when the network does not receive any location update request from the mobile in a specified time. Such a situation is created when a mobile is switched on but no traffic is carried, in which case the mobile is only reading and measuring the information sent by the network. If the subscriber is moving within a single location area, there is no need to send a location update request.
A timer controls the periodic updates and the operator of the VLR sets the timer value. The network broadcasts this timer value so that a UE knows the periodic location update timer values.
The location registration procedure is similar for both circuit and packet switched domains. In case of packet switched domain the MSC/VLRs are replaced with SGSNs.
When the VLR/SGSN is changed, the new VLR/SGSN sends information about this change to the HLR. The HLR responds by sending the subscriber information to the VLR/SGSN. If the subscriber had earlier location information present in the HLR, the HLR cancels the previous location.
IMSI attach/detach (circuit switched)
In the circuit switched domain the UE may have two states, attached and detached. In the attached state the UE is able to handle transactions and it is active in the network. The UE continuously analyses its radio environment, LAC and cell identities being 'visible'. When the UE is switched off, detached, it stores the latest radio environment information into its memory and informs the network that it is now being switched off. The VLR stores this state change and the UE is not tried to be reached in case of mobile terminated transaction.
When the UE is switched on again, it first checks whether the radio environment matches to the one it has in its memory. If it matches, the UE just informs the VLR that it is now attached again and able to handle transactions. If not, the UE performs a location area update.
6.2.2 Routing area update (packet switched)
As a procedure, the routing area update is very similar to the location update and it is performed for the same purpose. Periodic routing area update is used for checking that a UE that has not performed any routing area updates for some period of time is still reachable.
The UE performs a cell update (also cell reselection) when it changes cell within a routing area in Ready mode. This could be compared to a handover in UMTS/GSM for circuit switched connections. Cell update and routing area updates halt possible reception or sending of data. The possibility of buffering data in the Serving GPRS Support Node (SGSN) can be in such cases.
Figure 22.The routing area update
When the UE changes cells between the different routing areas, it performs a routing area update. There are two types of routing area updates: the intra-SGSN routing area update and the inter-SGSN routing area update. One SGSN can manage many routing areas.
If the new routing area is managed by the same SGSN as the old one, an intra-SGSN routing area update is performed.
If the new routing area is managed by a different SGSN, an inter-SGSN routing area update is performed. The old SGSN then forwards user packets to the new SGSN.
Cell attach/detach
In the core network packet domain the MM-state changes during the packet switched connection, and it can be said that the MM-state mostly depends on the activity of the connection. That is, when there are packets to send or receive, the MM-state of the connection is MM-connected. When there is nothing to transfer, the MM-state of the connection is MM-idle. The MM-detached state has the same meaning in both of the CN domains.
Figure 23.Mobility management state diagram in packet domain
In order to utilise the 3G network resources (such as radio bandwidth) as effectively as possible, the MM-state management is as such not enough for the packet switched (PS) traffic. In PS traffic, the traffic delivered can be presented as occasional packet bursts. Between these bursts the connection is not used. This leads to the situation where it is reasonable to 'cut' the connection through the network in order to make the network resources available for other active connections. The way to suppress the packet connection, but still remain the necessary information in both ends of the connection, is called cell attach / detach.
Notes on GPRS evolution to UMTS
If you are familiar with GPRS, the above figure about the different states may seem confusing. In UMTS, the RNC has different RRC states depending on the traffic situation. Therefore, the two figures are purely from the point of view of the UE and the SGSN. From the point of view of SGSN, it is in MM-connected state when there is a packet attach/received message. Signalling may be opened to the RNC, but the MM-connected state is only used when there is actual traffic.
6.2.3 Location info retrieval (circuit and packet switched)
In case of mobile terminated transaction, the Gateway MSC (the first MSC to realise that this transaction is to be terminated to the same network the called subscriber belongs to) performs the location info retrieval procedure.
In case of the circuit switched domain:
This procedure starts when a MSC requests routing information for the called subscriber from the HLR. The HLR checks its database and finds out the destination MSC/VLR where the called subscriber has performed the location update. The HLR then asks the destination VLR to provide MSRN for call path connection purposes. The VLR responds by giving a MSRN, which the HLR forwards to the requesting MSC. Now the MSC may start the activities for call path connection towards the target MSC/VLR. When the call path is established up to the MSC/VLR, the called subscriber can be paged.
In case of the packet switched domain:
This procedure starts when the GGSN requests routing information for the called packet data subscriber from the HLR. The HLR checks its database and finds out the latest SGSN where the subscriber has performed the routing area update. The address of this SGSN is submitted to the GGSN for the data connection establishment. Now the GGSN has address information, with which it is able to establish the GTP tunnel between itself and the SGSN. (GTP = GPRS Tunnelling Protocol.) When the GTP tunnel is established up to the SGSN, the paging of the called subscriber can be started.
6.2.4 Management of the UTRAN registration areas
In UMTS the RNC can handle simultaneous CS and PS connections to the subscriber. Both domains use the LA and RA respectively to track the subscriber's location. The RNC, however, must track which URA the subscriber is within. In networks where the RNCs are connected through Iur interfaces (as opposed to the MSC controlling handovers), the subscribers drift through the radio network passing from one RNC to another. Therefore, the serving RNC must identify in which URA a subscriber is located when it receives traffic for him/her (that is, for a circuit switched connection).
6.3 Mobility management - Paging the subscriber
From the HLR, the network is able to determine at the very least in which location area/routing area the subscriber is located. The network (e.g. MSC) will contact the MSC/SGSN serving that area and request contact to the mobile. The VLR/SGSN will then send a paging message, which contains the ID of the subscriber on a dedicated channel in the air interface. A mobile in idle mode is always listening to this channel.
Figure 24.Paging in the network
If the mobile is able to detect that the network is trying to contact it, the mobile will request access to the network to gain a signalling channel to determine what the network is asking (such as set up a call, or receive the SMS).
In GSM, the VLR/SGSN would ask every cell in a certain location area to send the same paging message. In UMTS, if the subscriber is known to be located in a certain URA (UTRAN registration area), the RNC can intelligently page for the subscriber in the URA, therefore reducing the signalling in the network.
6.4 Mobility management - Roaming in another network
When a subscriber is in a foreign network, the procedures are the same. When the subscriber registers in the visiting network, it will in turn contact the home network (remember that part of the IMSI code specifies the home network). If the two operators have a roaming agreement and the subscriber is valid, the subscriber information is copied into the serving VLR of the MSC and the information on the subscriber is stored in the HLR.
Every VLR in the world has a unique address. As a subscriber moves from one network to another, the location updating proceeds as normal. The HLR is always informed of the unique VLR, in which the subscriber was last seen.
Figure 25.Roaming in another networkLet us take one example: A subscriber is roaming in another network. When the network needs to contact him/her (for example to receive a video call), the subscriber's location is always checked from the HLR. The HLR will then contact the serving MSC to check that the subscriber is still located in the VLR (HLR request). This information is returned to the MSC and a call is routed to the foreign MSC. So, the paging process can begin.
Even if the calling subscriber is located in the foreign network, the call still has to be initially placed back to the home MSC.
6.5 Mobility management procedures
There are several different mobility management procedures, some of which have been mentioned in this module. The following is a short list of UMTS specified procedures. In the following chapter we will look at some of the procedures in their context of the session management layer:
Location registration
(CS and PS)
Location update
(CS)
IMSI attach/detach
(CS)
Routing area update
(PS)
Cell attach/detach
(PS)
Location info retrieval
(CS and PS)
Paging
(CS)
Paging
(PS)
Authentication procedure
(CS/PS)
Ciphering procedure
(CS/PS)
UE identity checking
(CS/PS)
UE hardware (IMEI) checking(CS/PS)
This chapter has given the initial first look at how mobility management is achieved in a 3G network. If you require more information and a detailed look at different scenarios, please check the specifications.
The specification contains the so-called SDL figures. The figures illustrate how signalling messages are passed from one element to another, in the sequence of time and condition (that is, what happens in case of a failure). Also, the specifications give detailed information on the content of such messages.
7 Session management
In the previous chapter we looked at the mobility management and how the network keeps track of the location of the subscriber and the procedures it performs. In this chapter we look at how the mobile is able to access the network and to obtain a bearer. We will also cover two simplified cases of how real time and non-real time bearers are set up in the network.
Like the previous two chapters, the aim is to give an overall picture of the procedures used to set up a session. More details on these procedures can be found from the specifications.
Error! Objects cannot be created from editing field codes.Figure 26.Session management requires procedures from RRM and MMAs this chapter will look at the procedures used to obtain a bearer through the network, the first concept to clarify is how a terminal is capable of determining one network from another. If you remember, each country has its own MCC (mobile country code) and each operator within a country has a unique MNC (mobile network code). This information is broadcasted by every cell in the network. Therefore, when the mobile is activated, it is able to distinguish between operators by checking this information.
Through co-operation between operators, the network planning of frequencies and codes used/shared in inter-boarder areas are selected to reduce conflict.
7.1 Initially accessing the network
When the mobile is switched on, it starts the network selection procedure. Without going into too much detail about the air interface, the mobile is aware of the possible frequencies that are available in UMTS and all the possible codes (512) that are used by the cells.
The mobile will first check the last frequency and code (used to identify the cell), to check if it is still valid. If the cell cannot be found, the mobile will start applying each code to each possible frequency in an attempt to detect a signal that will indicate that there is a cell present.
Once the scanning process is over, the mobile will select as first choice its home network (information of this is on the SIM). If the home network is not present, then it can choose a preferred network (usually set by the home network operator). If that is not available, the mobile will randomly select another network providing the signal level is adequate.
The procedure of network selection can be made manually, but it is usually performed automatically.
Figure 27.Initial network access (switch on)On the selection of the network, the mobile will request a location update (IMSI attach) of its position. The RNC will then request for the location update, and if it is the home network and it is the first time, the update is made. The information on the subscriber will be copied to the serving VLR for the MSC area and the current information on the subscriber will be updated to the HLR. The subscriber will also be registered into the current URA.
7.1.1 IMSI attach for an existing subscriber
If the subscriber is already registered in the network and is still registered in the same VLR, the information is updated. Also the HLR is informed of the new information.
Figure 28.Moving the subscriber's information between VLRsLet us now assume that the mobile has moved between to VLR areas while being switched off. The figure above shows such a case. When the user switches on the mobile again, a location update request will be transmitted to the new VLR (1). Then the authentication and IMSI information is copied between the old and the new VLR (2). (Similar steps would take place between the UE and the SGSN in case of a routing area update.) After a successful authentication (3), the HLR is updated with the new location information, after which the HLR sends the subscriber information to the new VLR (4), and cancels the old VLR (5). Finally, an acknowledge message is sent to the mobile, together with the TMSI/TMUI number (6). The packet core domain is also updated with the new location information.
Moreover, the RNC is constantly keeping track of all the connected subscribers' current URAs.
7.1.2 IMSI attach when roaming
The procedure for updating the VLR/SGSN when the subscriber is in a visiting network is exactly the same as described above. As two operators have a dedicated signalling link, then information is copied into the visiting network.
The HLR is updated with information on the unique VLR/SGSN address where the subscriber is located.
7.1.3 Requesting for a dedicated bearer
When the mobile does not have a RRC (radio resource connection) to the network, it is known to be in idle mode. If we wish to have a service, we require a bearer. Therefore, when the subscriber requests a service (such as video call or Internet connection), the mobile must make a request to the network.
In the air interface there is a special physical channel that is used to receive request messages from the mobile, namely the RACH (Random Access Channel). Depending on the type of channel that the subscriber is interested in, the network will attempt to secure a bearer.
Figure 29.Requesting a bearer from the networkHow to gain access without interfering with other mobiles too much?
Technically, when the mobile attempts to gain access to the network, it is not aware of the power level to use. Hence, it estimates an appropriate level. Then the mobile sends a short burst of information, which includes a random sequence to the random access channel. When the network receives the request, it will re-transmit the random part of the initial burst on a separate channel. If the mobile detects this signal, it assumes that the network has heard it. If not, the mobile must re-transmit again, but using more power. This process continues until either the power level set by the network is reached or the network responds. Then, the network will transmit on a different channel information about the channel that the mobile can use, given that one is available.
7.1.4 Access security in UMTSIn UMTS requirements for access security are not changed. It is required that end users of the system are authenticated, i.e. identity of each subscriber is verified; nobody wants to pay for calls that are made by a cheating impostor.
The confidentiality of voice calls is protected in radio access network, as well as the confidentiality of transmitted user data. This means that the user has control of choosing the parties with whom he/she wants to communicate. Users also want to know that the confidentiality protection is really applied: visibility of applied security mechanisms is needed. Privacy of the user's whereabouts is generally appreciated. Most of the time an average citizen does not care whether anybody can trace where he/she is. But if a persistent tracking of users would occur, he/she would be quite irritated. Similarly, exact information about location of people would be useful, e.g., for burglars. Also, privacy of the user data is a critical issue when data is transferred through the network. Privacy and confidentiality are largely synonymous in this presentation.
Availability of the UMTS access is clearly important for a subscriber who is paying for it. Network operators consider reliability of the network functionality to be important: they want control inside network to function effectively. This is guaranteed by integrity of all radio network signalling; it is checked that all control messages have been created by authorised elements of the network. In general, integrity checking protects against any manipulation of a message, e.g., insertion, deletion or substitution.
The most important ingredient in providing security for network operators and subscribers is cryptography. That consists of various techniques which all have roots in the science and art of secret writing. It is sometimes useful to make communication deliberately incomprehensive, i.e. to use ciphering (or, synonymously, encryption). This is the most effective way to protect communications against malicious purposes.
Figure 30.Network authentication
UMTS security featuresThe most important security features in the access security of UMTS are the following:
Mutual authentication of the user and the network
Use of temporary identities
Radio access network encryption
Protection of signalling integrity inside UTRAN
Note that publicly available cryptographic algorithms are used for encryption and integrity protection. Algorithms for mutual authentication are operator-specific.
Each of these features are described in the following subsections.
7.1.4.1 Mutual AuthenticationThere are three entities involved in the authentication mechanism of the UMTS system being:
Home network
Serving network (SN)
Terminal, more specifically USIM (typically in a smart card)
The basic idea is that the serving network checks subscribers identity (as in GSM) by a so-called challenge-and-response technique while the terminal checks that serving network has been authorised by the home network to do so. The latter part is a new feature in UMTS (compared to GSM) and through it the terminal can check that it is connected to a legitimate network.
The security is based on the Quintet, UMTS authentication vector: temporary authentication and key agreement data that enables an VLR/SGSN to engage in UMTS AKA with a particular user. A quintet consists of five elements:
a network challenge RAND,
an expected user response XRES, a cipher key CK,
an integrity key IK
a network authentication token AUTNThe cornerstone of the authentication mechanism is a master key K that is shared between the USIM of the user and the home network database. This is a permanent secret with the length of 128 bits. The key K is never transferred out from the two locations. For instance, the user has no knowledge of her/his master key.
At the same time with mutual authentication, keys for encryption and integrity checking are derived. These are temporary keys with the same length of 128 bits. New keys are derived from the permanent key K during every authentication event. It is a basic principle in cryptography to limit the use of permanent keys to minimum and instead derive temporary keys from it for protection of bulk data.
We describe now the Authentication and Key Agreement (AKA) mechanism at general level. The authentication procedure can be started after the user is identified in the serving network. The identification occurs when the identity of the user, i.e. permanent identity IMSI or temporary identity TMSI, has been transmitted to VLR or SGSN. Then VLR and SGSN send an authentication data request to the Authentication Center (AuC) in the home network.
The AuC contains master keys of the users and based on the knowledge of IMSI the AuC is able to generate authentication vectors for the user. The generation process contains executions of several cryptographic algorithms. The generated vectors are sent back to VLR/SGSN in the authentication data response. This process is depicted in figure below. These control messages are carried on the MAP protocol.
Figure 6.31 Authentication Data Request and Authentication Data ResponseIn the serving network, one authentication vector is needed for each authentication instance, i.e. for each run of the authentication procedure. This means the (potentially long distance) signalling between SN and the AuC is not needed for every authentication event and it can in principle be done independently of the user actions after the initial registration. Indeed, the VLR/SGSN may fetch new authentication vectors from AuC well before the number of stored vectors runs out.
The serving network (VLR or SGSN) sends a user authentication request to the terminal. This message contains two parameters from the authentication vector, called RAND and AUTN. These parameters are transferred into the USIM that exists inside a tamper-resistant environment, i.e. in UMTS IC card (UICC). The USIM contains the master key K, and using it with the parameters RAND and AUTN as inputs, USIM carries out a computation that resembles the generation of authentication vectors in AuC. This process also contains executions of several algorithms, as is the case in the corresponding AuC computation. As the result of the computation USIM is able to verify whether the parameter AUTN was indeed generated in AuC and, in the positive case, the computed parameter RES is sent back to VLR/SGSN in the user authentication response. Now the VLR/SGSN is able to compare user response RES with the expected response XRES which is part of the authentication vector. In the case of match, authentication ends positively. This part of the process is depicted below.
Figure 6.32 User Authentication Request and User Authentication ResponseThe keys for radio access network encryption and integrity protection, namely CK and IK, are created as a by-product in the authentication process. These temporary keys are included in the authentication vector and, thus, are transferred to the VLR/SGSN. These keys are later transferred further into the RNC in the radio access network when the encryption and integrity protection are started. On the other side, the USIM is able to compute CK and IK as well after it has obtained RAND (and verified it through AUTN). Temporary keys are subsequently transferred from USIM to the mobile equipment where the encryption and integrity protection algorithms are implemented. The SQN is a counter. There are two SQNMS and SQNHE respectively to support network authentication. The sequence number SQNHE is an individual counter for each user and the sequence number SQNMS denotes the highest sequence number the USIM has accepted.
Figure 33.Ciphering in UMTS/UTRAN
7.2 Managing a real time (circuit switched) bearer
The following section describes how a real time bearer is allocated. The whole process is summarised in a figure at the end of this chapter, with brief descriptions of the steps. The next two pages discuss the process in more detail.
At the first stage of any mobile originated action, a signalling channel needs to set up between the mobile and the RNC. This channel is used to verify the USIM, to identify the subscriber, to find out what the subscriber needs, and to perform the authentication procedures.
The mobile will request a connection (1), the RNC will then instruct a BTS to reserve a signalling channel (2), and through a common channel (that is, all mobiles in the area can share), inform the mobile which channel to use (3). The mobile can then use the signalling channel to communicate with the RNC.
The mobile will now inform the RNC what are its service or bearer requirements. If the mobile just wishes to perform signalling, the already dedicated channel will be sufficient (that is, location update).
A subscriber wishing to access the Internet will be discussed in the next section. Should the subscriber wish a QoS assured service (such as voice), the RNC forwards the call set-up message to the CS-CN (5). Depending how the network is configured, the subscriber's identity is checked before any bearer set-up proceeds. These transactions are usually performed not by using the subscribers IMSI, but by the TMSI. If this is not available, then the IMSI is used.
The network will check if the subscriber is allowed to use the service. Also, it is possible that the user equipment can be crosschecked to ensure that it is valid. In the case of a call, the RNC informs the CS-CN (MSC) that a traffic channel is needed.
The MSC will respond to the RNC with information about the bearer it should provide (6). In return, the RNC will allocate the correct bearer service to mobile in the radio network (7). Once the connection is made, the RNC informs the MSC that the connection is complete and the transaction can start (8).
The system knows that a voice/video call is required, so the MSC or Media Gateway (MGW) understands where the end point should be.
In this case, the subscriber wants to call to another mobile. The procedure is the same as in GSM, where the HLR enquiry is sent from the MSC/VLR (9). The HLR will now request the MSRN (Mobile Station Roaming Number) from the target VLR (10). The HLR will also inform the requesting MSC of the MSRN of the target subscriber (11). The serving MSC will now contact the target MSC in order to make the final connection to the subscriber (12).
The target MSC will now page the called party. As the VLR only knows the location area of the subscriber, then all the cells in the target LA are requested to send a paging message (13). The mobile will then answer by requesting a signalling channel.
If the call terminates in a UMTS network, a similar bearer assignment procedure will happen as described in steps 1 - 8 above. The set-up procedure for the target subscriber starts with the allocation of a bearer for a signalling channel. The subscriber identity is checked and a bearer for the traffic channel is allocated. Once the radio access bearer is in place, the RNC will respond with a confirmation of the set-up. Now, the two parties can start the conversation.
This process provides a basis for UMTS to add easily into an existing GSM network. In case of services such as video, the core network will either have a direct connection via an ATM network, or through a server that supports video streaming.
In the next figure, a simplified UMTS originated - GSM terminated call set-up case is shown. This case clearly shows that specifications have as much as possible been based on the GSM procedures.
Figure 34.Simplified UMTS originated GSM terminated call set-up
Summary of the steps in the figure:
1.A radio resource connection request for a signalling channel is requested.
2.The RNC sets up the radio link between the base station and itself.
3-4.RRC set-up (downlink) and RRC set-up complete (uplink) messages.
5.Call set-up message to the MSC/VLR. Security procedures are also performed (not shown in the figure above).
6.Bearer assignment request. In this step, the bearer parameters are defined; also a binding identification number is allocated. Binding ID is used to tie together control information with user data for a certain connection.
7.Radio access bearer set-up and radio link modification. Given the inputs from the MSC/VLR concerning the bearer, the RNC allocates an appropriate radio access bearer (RAB) in the air interface. Also the radio link between the BTS and the RNC is modified in accordance with the bearer need.
8. The RNC informs the MSC/VLR that the bearer has been assigned.
9-17. Since the circuit switched core network (CS-CN) is common for UMTSand GSM, the call set-up procedures within the CN are the same, including HLR enquiry, MSRN allocation, etc. Note also that for calls terminating in a UMTS network, a bearer and a radio link in the terminating side should be allocated in a similar way as in the originating side.
Notes on GSM evolution in the Nokia solution
The function of the MSC is the same as in GSM. The new element Media Gateway (MGW) for 3G-MSC is responsible for converting the Iu (UMTS) messages to be compatible with the MSC (A-interface). The effect is that the MSC recognises and treats UMTS calls in a similar way than GSM calls.
The MGW for 3G-MSC (3G-IWU) also has to convert the ATM connection into PCM to make it compatible with the MSC. The Iu interfaces offer more service possibilities than the A-interface. Therefore MGW also supports these services. Unlike in GSM, the voice transcoders (which are based upon adaptive multi-rate codecs, AMR) are located in the Media Gateway.
Furthermore, the 3GPP Specifications have finally stated that the transcoding function also logically belongs to the core network, which is the most logical solution, as it allows more cost-efficient transmission.
7.3 Managing a non-real time (packet) bearer
This chapter describes the PDP context activation and the allocation of a non-real time bearer. The whole process is shown in figures at the end of the next page. References to the different steps are found in the text below. The PDP context terminology and the GTP (GPRS tunnelling protocol) are discussed after that. The last part of the chapter shows the signalling when the user quits the connection.
The same way as the circuit switched (CS) management is based upon GSM, the management of packet switched (PS) bearers is based upon GPRS. The process also starts in the similar way, as the mobile first requests a signalling channel from the network (1). At this stage the RNC is not yet aware what service the subscriber wishes to use, therefore it will allocate a dedicated signalling channel (2-3) and inform the mobile which channel to use. An acknowledgement is also sent from the mobile.
Now it is time for the mobile to request a bearer. In this request are, for example, access point name (APN) and the IP address (if the field is empty, then a dynamic IP address needs to be allocated). The APN is a symbolic name for a network interface in the GGSN. The interface leads to an external packet network. One GGSN could have several different access points to different networks (4).
Then, the SGSN checks the subscription data. Earlier, when the subscriber made a routing area update, the SGSN received the subscriber information from the Home Location Register (HLR). Also, security information for authentication and encryption is stored in the SGSN. It is thus possible to authenticate the UE (USIM) (5). Also IMEI checking may be performed. If IMEI checking is performed, then the Equipment Identity Register (in HLR) is interrogated (not shown in the figure).
The next step of context activation is to find the requested GGSN and send the request for context creation to it. The SGSN gets the GGSN IP address from the Domain Name Server (DNS) (6-7). The DNS finds the correct GGSN IP address based on the access point name (APN).
The SGSN now sends a 'Create PDP Context Request' message to the GGSN (8). The request includes the APN and the proposed tunnel identification (TID). TID consists of the IMSI number and the network service access point identifier (NSAPI). NSAPI is used as a reference number of the PDP context.
The GGSN now selects the access point it will use (not shown in the figure). The APN is associated with the external network the subscriber wants to use. It is a physical or logical interface in the GGSN. One could say that the access point is similar to the default gateway defined for a normal IP-subnetwork ( it is a point out from the subnetwork. For the UE, the access point is its default gateway. In the case of a dynamic address, the GGSN or an external network element can issue the IP address. The external element may be a Dynamic Host Configuration Protocol (DHCP) server, which issues dynamic addressing information. The external element might alternatively be a Remote Access Dial In User Service (RADIUS) server, whose primary function is user authentication.In (9) the GGSN sends a 'Create PDP Context Response' back to the 3G-SGSN, which includes given IP address, TID confirmation, and a charging ID.
This is followed by (10) the 3G-SGSN sending a bearer assignment request (Create) to the RNC.
The RNC will then modify the radio link and set up the bearer over the air interface (11).
When this is done, the RNC will send a message to 3G-SGSN to notify that the bearer assignment is completed (12).
Finally, the 3G-SGSN can send an 'Activate PDP Context Accept' message to the UE (13). The 3G-SGSN is now ready to route user traffic between the user equipment and the GGSN.
Figure 35.PDP context activation
A very important concept of the packet switched session management is PDP context (PDP = Packet Data Protocol). The PDP context is used for two purposes: for PDP address allocation to the user and to make a logical connection with the required/desired QoS (Quality of Service) level through the 3G network. The PDP context is an entity defining all required information for the UE network connection establishment. From the session management (SM) point of view, the PDP context has two states, active and inactive.
The inactive state means that the packet data services related to a certain PDP address are not active; the network does not have any routing information available for that PDP address and thus it is not possible to transfer any data. If the location of the UE changes, the PDP context information is not updated.
In SM active state the network has routing information available and it is possible to transfer data between the UE and the network. Also the UE location information is updated in the PDP context.
Figure 36.PDP context statesThe figure illustrates how the different PDP context procedures are used in different session management states. One allocated PDP address may have many PDP contexts and one PDP context always has one QoS class (QoS profile). This makes it possible to have many packet data connections, each of them simultaneously having a different QoS. The UE may, for instance, be used for software downloading and web browsing at the same time.
As the network connection is established, packets of data in the PDU are transferred through the network by using different types of protocols.
Between the mobile and the radio network controller (RNC), the packet data protocol is used. Between the RNC, 3G-SGSN, and the GGSN the packet of Internet data is transferred in the GPRS tunnelling protocol (GTP).
Figure 37.The GTP tunnel
The user data packets are carried from RNC to GGSN via 3G-SGSN in containers. When a packet from an external packet network arrives at the GGSN, it is inserted into a container and sent to the SGSN. The container is then opened and packed into a new container towards the RNC. The stream of containers from RNC all the way to the GGSN is totally transparent to the user. It seems as if the user is connected directly via a router to an external network, or to an application. In data communications this type of virtual stream of containers is called a tunnel the GSNs and RNC perform tunnelling of user packets.
Figure 38.The user quits the connection
Although the connection may remain active for some time, the mobile maydeactivate the PDP context. This is shown in the figure above. A request is sent from the mobile, through the RNC to the 3G-SGSN to release the resources(1-2). Once the mobile is deactivated, the radio resources are then released(3-4). Finally, the RNC sends an acknowledgement to the 3G-SGSN (5).
8 Communication management
A UMTS network is a platform to give the operator's the best solution to provide a varied amount of services. The subscriber's applications and control components sit upon the bearer. Therefore, communication management in UMTS is all about managing mobility, security and charging of a bearer.
The below figure illustrates the services and control of the services that sit upon the physical connection. It is the role of communication management to route the bearer to the high application layers, manage the connection through mobility management, and handle the bearer security and charging for the session.
Figure 39.Functions of communication management
The communication management needs the services of the lower layers, as these maintain the bearer.
This chapter exemplifies the high level functions in terms of the call control process for circuit switched calls. Also, there are a few notes about emergency calls and charging.
8.1 Call control for circuit switched (real time) calls
Call control is a high-level name describing the functions required for incoming and outgoing call handling within a switch. Generally speaking, the switch should perform three activities before a call can be connected through. Those activities are number analysis, routing, and charging. Call control can functionally be divided into three phases, which the call attempt must pass in order to perform through connection.
Number analysis is a collection of rules how the incoming call should be handled. Number analysis investigates both the calling and called numbers and makes decisions based on the rules defined. Number analysis is performed both in call control Phase I and Phase II. In Phase I the switch checks whether the called number is reasonable at all and if any restriction such as call barring is to be applied with the calling number.
Figure 40.Call control principles
In call control Phase II the system concentrates on the called number. The nature of the call is investigated: Is it an international or national call and is there any routing rule defined for the called number at all? In addition, the system checks if the call requires any inter-working equipment (like a modem) to be connected and if the call is chargeable or not. Also statistics for this call is initiated in this phase.
As a successful result of call control Phase II, the system knows where the call attempt should be routed. When the correct destination for the call is known, the system starts to set up channel(s)/bandwidth towards the desired destination by using, for instance, ISUP signalling protocol. During the call, the switch stores statistical information about the call and its connection and collects charging information (if the call was judged to be chargeable). When the call is finished, call control Phase III takes care of releasing all the resources related to the call.
8.2 Generation and collection of charging data
The 3GPP Specifications give a detailed list of requirements for the type of CDR (charging data record) to collect. The Charging Gateway, MSC, HLR and many elements within the service platform generate CDRs, which describe different events in the network. An event could be a call, SMS, data usage, location update, and in fact almost any different type of network activity.
Operators select what causes a CDR to be generated. The CDRs are transferred to the Billing Centre where the information is collected and priced.
Figure 41.Collection of charging data
As part of the evolution from GSM/GPRS towards UMTS, the amount of information contained in the CDR has been increased to include details of the service quality and the network elements used.
Also, the UMTS Specifications describe features that allow the subscriber to see more information on the cost of a service. This network feature is called AoC (Advice of Charge) and is a supplementary service, which give the subscriber details of the service cost almost immediately.
8.3 Note on handling emergency calls
In UMTS (and in the evolved GSM), when location based servers are in place, it will be possible to actually specifically locate the subscriber within 50-70 m. When an emergency call is received, the operator can check in which location the subscriber is based and hence direct the emergency services to the scene more quickly than today.
Figure 42. Handling emergency calls9 Review questions
Please spend some time to complete the following review questions. The aim of the review is for you to reflect and apply what you have studied.
1. In which network elements is security related information located?
a. USIM
b. RNC
c. AuC
d. SGSN
e. Node B
f. non of all above
2. Which parameter identifies the subscriber?
g. IMSI
h. IMEI
i. MCC
j. P-TMSI
k. TMSI
l. PIN
3. Which location information is known in the UE?
m. LA
n. RA
o. URA
p. 3G-MSC supply area
q. 3G-SGSN supply area
4. Which of the following is/are characteristic(s) of a UMTS bearer?
r. Variable data rate
s. Transparent through the RAN
t. Different lengths of delay
u. Asymmetric connection
v. None of the above.
5. In the following figure, fill in the missing names of the cellular network architecture.
6. Which of the following sentences about location update is not true?
w. IMSI attach is always made when the terminal is switched on.
x. Location/routing area update takes place when a subscriber moves between LAs and/or RAs.
y. Periodic location updates are not used in UMTS.
z. None of the above.
7. The URA (UTRAN registration area) is used by the core network to keep track of subscribers in the network.
True(
False(8. Which of the following sentences about the RRC (radio resource connection) is true?
aa. It is only used in GPRS networks.
ab. It is a collection of radio access bearers over the air interface.
ac. It is a wireless protocol.
ad. All of the above.
9. The operation of requesting a subscriber to contact the network is called:
ae. IMSI attach
af. Location update
ag. Paging
ah. Bearer allocation
10. Which of the following sentences best describes authentication?
a. Security of the user information on the air interface
b. IMSI and IMEI checking
c. Supplementary service status checking (by the subscriber)
d. A process used by the GGSN to determine firewall access
11. In UMTS a terminal has two states, idle and connected. In the following list, identify which state the mobile is in.
ai. The mobile is in ____________ mode when it is camping on a cell.
aj. The mobile is in ____________ mode when it does not have any connection state.
ak. If data is being transferred from the packet core to the mobile
