LTE & EPC Architecture LTE Attach Procedure

Version: 3.0 (March 2013)

Irfan Ali

1

3GPP Network Architecture

Network

+
(U)SIM Mobile Equipment (ME)

Radio Access Network (RAN) Radio Resource Management

Core Network (CN)
Security, IP connectivity, Mobility

User Equipment (UE) or Mobile Station (MS)

SIM USIM

Subscriber Identity Module Universal Subscriber Identity Module

Irfan Ali Irfan Ali

2

2

LTE Network Architecture Internet HSS P-GW S6a S11 S5 S-GW S-GW Evolved Packet Core (EPC) MME S1-MME S1-U X2 X2 Evolved Universal Terrestrial Radio Access Network (E-UTRAN) eNB eNB eNB LTE-Uu Irfan Ali Irfan Ali 3 eNB MME S-GW P-GW HSS 3 Enhanced Node B Mobility Management Entity Serving Gateway Packet data network Gateway Home Subscriber System .

LTE Network Architecture HSS Authenticator P-GW UE IP address Allocation Inter SGW Mobility Anchoring IMS HSS Internet Subscription S6a S5 P-GW S6a S11 MME NAS Security S-GW Inter eNB Mobility Anchoring S5 Idle Mode Mobility Mgmt EPS Bearer Control S-GW S-GW MME S1-MME S1-MME S1-U S1-U eNB RB Control Radio Admission Control Inter Cell RRM Connected Mode Mobility Mgmt eNB Measurement OAM Radio Bearer Transmission (L1/L2/L3) eNB X2 eNB LTE-Uu eNB Control-Plane Functional Entity User-Plane Functional Entity Scheduler Irfan Ali Irfan Ali 4 4 .

Block Diagram example: LTE Architecture HSS Interfaces Reference Points Operators IP Services SGi S1-MME MME S11 S10 S6a UE LTE-Uu eNB X2 S1u Serving GW S5 PDN GW SGi Internet Functional Entity Logical Entity Network Entity eNB MME S-GW PDN GW HSS Enhanced Node B Mobility Management Entity Serving Gateway Packet data network GW Home Subscriber System Irfan Ali Irfan Ali 5 5 .

LTE Architecture Key Concepts  All radio related functions are pushed down to the eNB • There is no centralized radio resource management element like the RNC.  In the core network.  LTE is a PS (Packet Switch) only system • No CS (Circuit switch) domain support Irfan Ali Irfan Ali 6 6 . there is control-plane and user-plane separation • MME is the control-plane entity • SGW and PGW are the user-plane entity • To allow independent scaling of the control-plane and the user-plane.

Non-access Stratum (NAS): UE <-> MME. Access-stratum (AS): UE <-> eNB. the UE communicates with two entities in the infrastructure:  (a) the eNB and  (b) the MME (via the eNB).  AS consists of both userplane and control-plane. UE Access Stratum 7 Irfan Ali Irfan Ali 7 .  NAS is only in the controlplane.Architecture Concept: Access Stratum vs Non-Access Stratum • IMS HSS Internet P-GW • S-GW MME S-GW Non-Access Stratum (NAS) • eNB eNB eNB Radio Resource Control (RRC) On the signaling plane. The protocol is called the NAS protocol. The user-plane protocol is PDCP and control-plane protocol is RRC.

eg modulation etc.Protocol Stacks: Control Plane NAS RRC PDCP RLC MAC PHY RRC PDCP RLC MAC PHY LTE-Uu NAS S1-AP SCTP IP L2 L1 S1-AP SCTP IP L2 L1 S1-MME GTP-C UDP IP L2 L1 GTP-C UDP IP L2 L1 S11 GTP-C UDP IP L2 L1 GTP-C UDP IP L2 L1 S5 UE eNB MME S-GW P-GW Non-Access Stratum (NAS): The key control interface between MME and UE Radio Resource Control (RRC): The main control interface between eNB and UE Packet Data Convergence Protocol (PDCP): Duplicate detection. ARQ. acknowledge mode (AM)/ unacknowledged mode (UAM). etc Medium Access Control (MAC): Access the channel Physical Layer (PHY): Radio layer. S1-AP SCTP GTP-C GTP-U S1 Application protocol Stream Control Transport Protocol GPRS Tunneling Protocol-Control Plane GPRS Tunneling protocol. ROHC Radio Link Control (RLC): Segmentation/re-assembly.User Plane Irfan Ali Irfan Ali 8 8 .

Protocol Stacks: Control Plane & User Plane NAS RRC PDCP RLC MAC PHY RRC PDCP RLC MAC PHY LTE-Uu NAS S1-AP SCTP IP L2 L1 S1-AP SCTP IP L2 L1 S1-MME GTP-C UDP IP L2 L1 GTP-C UDP IP L2 L1 S11 GTP-C UDP IP L2 L1 GTP-C UDP IP L2 L1 S5 UE eNB MME S-GW P-GW Application Application TCP/UDP IP GTP-U PDCP RLC MAC PHY LTE Uu TCP/UDP IP GTP-U UDP IP L2 L1 S1-U IP GTP-U UDP IP L2 L1 S5 GTP-U UDP IP L2 L1 PDCP RLC MAC PHY UDP IP L2 L1 UE eNB 9 S-GW 9 P-GW End Host Irfan Ali Irfan Ali .

User Identifier in the Network • Two important identifiers  International Mobile Subscriber Identifier (IMSI) • • • •  Embedded in SIM card Stored in subscription data of HLR Used to index UE’s information in most network nodes Format on the next page Mobile Station Integrated Services Digital Network Number (MSISDN) • Your phone number • Number used to identify a subscriber when making a call or sending an SMS • The mapping between IMSI and MSISDN is stored in HLR  MSISDN is not required to be stored in the (U)SIM • MSISDN is typically not needed in the LTE system Irfan Ali Irfan Ali 10 10 .

wikipedia.org/wiki/Mobile_Country_Code Irfan Ali Irfan Ali 11 11 .wikipedia.org/wiki/Mobile_Network_Code http://en.(International Mobile Subscriber Identifier) IMSI Structure World Country 310 286 3 digits MCC 404 MCC: Mobile Country Code US Turkey India MCC PLMN 2-3 digits MNC MNC: Mobile Network Code Operator 01 02 03 Identifies an operator Turkcell Vodafone Avea 9-10 digits Subscriber MCC MNC Max 15 digits MSIN Irfan Alper Erol MSIN: Mobile Subscriber Identification Number Uniquely identifies a subscriber Source for MCC and MNC codes: http://en.

An operator may be identified by more than one PLMN-ID World Country 310 286 3 digits MCC 404 MCC: Mobile Country Code US Turkey India MCC PLMN 2-3 digits MNC MNC: Mobile Network Code Operator 01 02 03 Identifies an operator Turkcell Vodafone Avea PLMN ID = MCC + MNC Irfan Ali Irfan Ali 12 12 . The identity used for an operator’s network is called the PLMNIdentity (PLMN-ID) and consists of the Mobile Country Code and the Mobile Network Code.Operator Identity    A mobile operator’s network is also known as a Public Land Mobile Network (PLMN).

MSISDN – Structure World Country 1 90 91 1-3 digits CC CC: Country Code US Turkey India 2-3 digits CC NDC NDC: National Destination Code Operator 533. … 212.wikipedia. … 540.wikipedia. … 505. Identifies an operator Turkcell 123 4567 Vodafone 123 4568 Avea Turk Telecom CC NDC Max 15 digits +90 533 9-10 digits Subscriber SN SN: Subscriber Number Irfan Alper Erol 123 4567 Uniquely identifies a subscriber List of country calling codes: http://en.org/wiki/List_of_country_calling_codes Source for MCC and MNC codes: www.org Irfan Ali Irfan Ali 13 13 .216.

Radio Network Temporary Identity Globally Unique Temporary Identity P-GW Irfan Ali Irfan Ali 14 14 .Identities and Plumbing for LTE IMSI GUTI GUTI IMSI IMSI C-RNTI C-RNTI SRB-0 SRB-1 SRB-2 SRB Identity HSS S1-MME MME GTPC-1 NAS GTPC-1 Data Radio Bearer 10 GTP-U-10 GTP-U-10 EPS Bearer Identity IMSI IMSI UE eNB SRB DRB TEID GTP C-RNTI GUTI S-GW Signalling Radio Bearer Data Radio Beaer Tunnel Endpoint Identifier GPRS Tunneling Protocol Cell.

• GUTI (Globally unique temporary identity)  Created by the MME for the UE.  Max 15 digits Temporary Identity)   Is created by eNB and only used to identify a UE within the scope of an eNB and provided to the UE during random access process and setup of RRC connection. C-RNTI is 16 bits long.  Kept secret from eNB. eg when UE has moved to a new area and needs to be served by a new MME. where MCC+MNC = Home PLMN of subscriber.Identities in LTE • IMSI (International Mobile Subscription • C-RNTI (Cell Radio Network Identity)  Permanent identity of UE in SIM (MCC+MNC+MSIN).  GUTI may be seen by eNB if NAS message is sent un-encrypted.  Used between MME and UE instead of IMSI.  56 bits + MCC and MNC Irfan Ali Irfan Ali 15 15 .

LTE Attach Procedure Irfan Ali 16 .

Objective of UE Attach Procedure Internet UE’s IP address HSS P-GW • The goal of “attaching” to the network is to obtain an IP address to communicate with outside world. • During the process of “attach” S-GW S-GW MME  The UE is authenticated and authorized to use send/receive data.Radio Network Temporary Identity Bearer Setup at end of the Attach Procedure Irfan Ali Irfan Ali 17 17 .  Data path created beteween UE<>eNB<->S-GW<->PGW  UE Context created in all the nodes in the network  UE is provided an IP address eNB X2 eNB SRB DRB TEID GTP C-RNTI Signalling Radio Bearer Data Radio Beaer Tunnel Endpoint Identifier GPRS Tunneling Protocol Cell.

... eNB X2 eNB Bearer Setup at end of the Attach Procedure SRB DRB TEID GTP C-RNTI Signalling Radio Bearer Data Radio Beaer Tunnel Endpoint Identifier GPRS Tunneling Protocol Cell. P-GW • The goal of “attaching” to the network is to obtain an IP address to communicate with outside world. RB Cntxt: C-RNTI(key).. HSS UE Context: KEY: IMSI ….Radio Network Temporary Identity Irfan Ali Irfan Ali 18 18 ... • During the process of “attach”  The UE is authenticated and authorized to use send/receive data.Objective of UE Attach Procedure Internet UE’s IP address UE Context: KEY: IMSI …. S-GW MME S1-MME S-GW UE Context: S1 Cntxt: S1AP TEID(key)….  Data path created beteween UE<>eNB<->S-GW<->PGW  UE Context created in all the nodes in the network  UE is provided an IP address S6a UE Context: KEY: IMSI ….

Random Access Preamble RA-RNTI. UE transmits a specific preamble sequence (RAPID) in a RACH slot. Random Access Preamble RA-RNTI. RRC Connection Request DL-SCH: Common CCH 4. (d) scheduling grant when the UE should transmit in the next message in UL direction. UE has selected eNB eNB MME SGW HSS o UE has synchronized to the downlink frame of the eNB and hence knows 0. 2. PGW the DL frame boundaries. the contention resolution process is complete. (c) the timing correction that the UE should use. The UE includes the Temporary C-RNTI. 6. RAPID Random Access Procedure PDCCH/PDSCH 2. the UE listens on the downlink shared (DL-SCH) common control channel (CC) to see if the UE’s preamble has been accepted by the eNB. Interne RACH 1. RRC Connection Complete NAS Msg Attach Request. (b) temporary identity (C-RNTI ). The subframe (0-9) in which the UE transmits is the RA-RNTI of the UE. The UE has read the MIB and from there the SIB2 of the eNB and knows when the random access channel (RACH) slots are in the uplink direction. Since multiple UEs could have transmitted on the same subframe and same RAPID. The eNB now transmits RRC Connection Setup message including the CRNTI that was received from the UE. it knows the UL Radio Bearers to transmit the RRC connection request. RRC Connection Setup RRC Setup Procedure 4. If so. Temporary C-RNTI Temporary C-RNTI UL-SCH: SRB0 3. When the UE receives its own transmitted message (unique) and C-RNTI. The UE now transmits a message to the MME in the time-slot allocated in the previous step. 5. This step resolves any contention that could have occurred due to two UEs using the same preamble sequence in RACH access step. RAPID. and the RAPID in PDSCH to what it transmitted.UE Performs attach – Part 1 of 4 UE 0. The eNB transmits (a) (echoes) the RAPID and RA-RNTI received in Step 1. The UE checks the RA-RNTI in PDCCH. IMSI NAS Msg PDN Connect Req Irfan Ali Irfan Ali 19 19 RNTI RA-RNTI C-RNTI RAPID Radio Network Temporary Identity Random Access RNTI Cell RNTI Random Access Preamble ID . Contention Resolution ID C-RNTI 5. 3. UE listens for RA-RNTI in the PDCCH channel. The eNB echoes the Temporary C-RNTI and the contents of message 3 to the UE. 1. The UE also includes its IMSI in the message. UL-SCH: SRB1 6.

IMSI. AKA successful UL-SCH: SRB1 DL-SCH:CCH SRB1 15. 9. Auth Info Answer Kasme. Auth Info Request IMSI. DL NAS Xport Authn Request User Authentication Procedure 13. . UL Info Transport Authn Response 10. DL NAS Xport Security Mode Command NAS Security Setup Procedure Security Mode Complete 17. . UL Info Transport Authn Response: RES 14.UE Performs Attach – Part 2 of 4 UE eNB eNB selects MME MME SGW HSS PGW Interne S1-MME 7.. 12.. UL NAS Xport SMC Complete UL-SCH: SRB1 NAS Security 18. AUTN.XRES DL-SCH:CCH SRB1 11. RAND. DL Info Transport Security Mode Command 16. RAND. Location Update Request IMSI. DL Info Xfer Authn Request: AUTN. If same. UL NAS Xport MME Compares RES with XRES. NAS Msg PDN Connect Req S6a 8. Initial UE Message NAS Msg: Attach Request. … 19. Location Update Response Subscription Data Authorization Encrypted Info Integrity Protected Info Irfan Ali Irfan Ali 20 Key Agreement AKA: Authentication and 20 .

UE Performs Attach – Part 3 of 4 UE eNB NAS Security MME GTPC SGW HSS PGW GTPC Interne 20. RRC Security Mode Complete Bearer Setup Procedure Start GTPC Session GTPC-1 Session GTP-U-10 Tunnel SRB-2 AS Security 27. TEIDs. RRC Security Mode Command. RRC Connection Reconfiguration NAS1 NAS2 UL-SCH: SRB2 30. TEIDs) DL-SCH:CCH SRB1 25. TEIDs. TEIDs) NAS: Attach Accept NAS: Activate default bearer req 23. Initial Context Setup Complete (S1U TEIDs) 32. UL Information Transfer GTPC 33. Create Session Request (IMSI. TEIDs…) 34. Modify Bearer Resp (IMSI.…) NAS1 SRB-0 SRB-1 SRB-2 NAS2 Bearer Setup Procedure Completion Encrypted Info Integrity Protected Info Irfan Ali Irfan Ali Data Radio Bearer-10 GTPU-10 Tunnel 21 21 . AS Algorithm S1-MME 24. Create Session Request (IMSI.…) 21. UL NAS Xport NAS: Attach Complete NAS: Activate default bearer acpt Attach Completion Data Radio Bearer Setup 29. …) 22. RRC Reconfig Complete 31. Create Session Response(IMSI. Obtain UE’s Radio Capability AS Security Setup Procedure DL-SCH:CCH SRB2 28. Initial Context Setup Request (UE Context Info. Create Session Response (IMSI. PGW IP. Modify Bearer Req. TEIDs) UL-SCH: SRB1 26. (IMSI.

UE Performs Attach – Part 4 of 4 UE SRB-0 SRB-1 SRB-2 Data Radio Bearer-10 DHCP Data Radio Bearer-10 Client S1-MME GTPU-10 Tunnel GTPU-10 Tunnel DHCP Messages eNB MME SGW HSS PGW DHCP Server Internet GTPC Session GTPC-1 Session GTP-U-10 Tunnel GTP-U-10 Tunnel DHCP DHCP Server Client DHCP Server IP address of the UE is routed to this interface Irfan Ali Irfan Ali 22 22 .

Turkcell)  Visited PLMN: Foreign/Roamed-to network (eg. Orange) • What does roaming require:  Ability from VPLMN to identify the HPLMN of the subscriber  Ability to authenticate the subscriber from VPLMN  Sharing of revenue between VPLMN and HPLMN (roaming charges) PLMN VPLMN HPLMN Public Land Mobile Network Visited PLMN Home PLMN Irfan Ali Irfan Ali 23 23 .Architecture key Concept: Roaming • 3GPP architecture from early days has supported a subscriber going to a foreign network and still getting service  Home PLMN: Subscriber’s home network (eg.

mnc01.pub.Roaming Concept IMS HSS HPLMN Domain = epc.pub.3gppnetwork.pub.mcc286.org X2 X2 X2 eNB eNB LTE-Uu eNB eNB eNB LTE-Uu X2 eNB Non-Roaming Irfan Ali Irfan Ali Roaming HPLMN VPLMN Home PLMN Visited PLMN IMSI = 286 + 01 + 1234567890 IMSI = 286 + 01 + 1234567890 Turkey Turkcell Turkey Turkcell Turkcell subscriber in Turkey 24 24 Turkcell subscriber in India .mcc286.3gppnetwork.mnc01.mnc01.org Internet HSS IMS Internet P-GW S6a P-GW S6a S11 S5 S5 S11 S-GW S-GW S-GW S-GW MME MME S1-MME S1-U S1-MME S1-U HPLMN Domain = epc.3gppnetwork.mcc404.org VPLMN Domain = epc.

422 (Sig xport) 36.304 Idle 36.421 Layer 1 36.301 NAS General: 23.240 Sp 36.411 Layer 1 36.061 Gz/Rf Offline Charging Function Internet 36.314 Measurement 23.LTE/EPC Specifications 24.org/Specs/latest Link to find out what a spec covers: http://www.133 RRM Reqds S1-MME MME S10 29.423 (X2AP) 29.424 (Data xport) 36.281 GTPU Gy/Ro 32.3gpp.003 Identifiers 29.414 (Data xport) 29.272 S11 29.278 Stage-3 Specification Stage-2 Specification Stage-1 Specification Link to get latest 3GPP specs per release: ftp://ftp.401 Stage-1: 22.281 GTPU 29.401 Security Stage 2&3 HSS S6a SPR Unspecified PCC Stage 2: 23.274 GTPC 29.251 Online Charging Function Bx 32.410 General 36.411 Layer 1 36.281 GTPU 36.306 Capability 36.323 PDCP 36.201.203 Charging Stage 2: 32.214 Operator Services 29.322 RLC 36.211.3gpp.org/Specification-Numbering Irfan Ali Irfan Ali 25 25 .420 General 36.213.274 GTPC 29.303 DNS 33.215 UE LTE-Uu 36.412 (Sig xport) 36.122 Idle-NAS 36.331 RRC eNB X2 S1u Serving GW S5 PDN GW SGi 29.212 29.213 Sig Flow PCRF S9 Gx Rx 29.300 Evolved Packet Core Stage 2: 23.214 PHY 36.321 MAC 36.410 General 36.251 Billing Domain E-UTRAN Stage-2: 36.413 (S1AP) 36.