
Mobile Computing Course Overview

This document provides an introduction and syllabus for a course on cellular networks and mobile computing. It reviews different virtualization approaches and discusses how Cell uses device namespaces and callback functions to enable virtualization with low overhead. It then covers running iOS applications on Android using the Cider architecture, which translates between operating system interfaces using a duct tape approach and diplomatic functions. The document ends with reviewing that random access of flash memory is much slower than sequential access and outlines the course syllabus covering mobile app development, system optimization, cellular networks, and cloud interaction.


Cellular Networks and Mobile Computing


COMS 6998-7, Spring 2014

Instructor: Li Erran Li
(lierranli@cs.columbia.edu)
http://www.cs.columbia.edu/~lierranli/coms6998-7Spring2014/
3/7/2014: Introduction to Cellular Networks
Review of Previous Lecture
• What are the different approaches of
virtualization?

3/7/14 Cellular Networks and Mobile Computing 2


(COMS 6998-10)
Review of Previous Lecture
• What are the different approaches of
virtualization?
– Bare-metal hypervisor, hosted hypervisor, container
(Linux LXC, Samsung Knox)

Bare-Metal Hypervisor
poor device support / sharing

OS OS OS
Kernel Kernel Kernel

Hypervisor / VMM

Hardware

Courtesy: Jason Nieh et al.
Hosted Hypervisor
poor device performance

OS OS OS

Hypervisor / VMM

Host OS Kernel (kernel module, emulated devices)

Hardware
Courtesy: Jason Nieh et al.
Review of Previous Lecture
(Cont’d)
• What approach does Cell use?
• What are the key design choices for Cell’s
extremely low overhead?

Review of Previous Lecture
(Cont’d)
• Device namespace
– It is designed to be used by individual device drivers or
kernel subsystems to tag data structures and to register
callback functions. Callback functions are called when a
device namespace changes state.
– Each VP uses a unique device namespace for device
interaction.
• Cells leverages its foreground-background VP usage
model to register callback functions that are called
when the VP changes between foreground and
background state.

Device Namespaces
VP 1, VP 2, VP 3, •••
safely, correctly multiplex access to devices

Linux device namespaces

Kernel

Devices: RTC / Alarms, Framebuffer, Audio/Video, Cell Radio, Android..., Sensors, Power, Input, GPU, WiFi, •••
Courtesy: Jason Nieh et al.
Review of Previous Lecture
(Cont’d)
• How to run iOS applications on Android OS?

Cider Architecture
• Interaction between app and OS is
defined by kernel app binary
interface (ABI)
– ABI includes: binary loader, async signal
delivery, and syscall
• Mach-O binary loader built into
Linux kernel
– Kernel tags current thread with iOS
persona
• Persona is an execution mode (exec foreign
or domestic code) assigned to each thread
• Translation layer for async signal
(illegal instruction, segmentation
fault) delivery
• Multiple syscall interface
– Wrapper mapping arguments from XNU
structures to Linux ones
Duct Tape
• Mach IPC missing in Linux
• Duct tape to the rescue
– Direct compilation of unmodified foreign kernel source code
into domestic kernel
– Directly translates foreign kernel APIs such as synchronization, memory
allocation, and process control into domestic kernel APIs
• Duct tape has three steps:
– Create three distinct coding zones: foreign, domestic, duct
tape
• No cross access between foreign and domestic
• Cross access between foreign (domestic) and duct tape
– Identify foreign symbols conflicting with domestic code
– Remap conflicting symbols to unique domestic ones
• Duct tape advantages: easy to maintain and reusable
Duct Tape (Cont’d)
• Cider uses duct tape to add three subsystems
– pthread: differs from Linux, uses kernel-level support
for mutexes, semaphores and condition variables
– Mach IPC: direct compilation; rewrite recursive
queuing structures
– Apple’s I/O Kit device driver framework
• Source code at:
http://www.opensource.apple.com/source/xnu/xnu-2050.18.24/iokit/
Diplomatic Functions
• Mobile apps often use closed proprietary
hardware and software stacks
– OpenGL ES libraries directly communicate with GPU
through proprietary software and hardware
interfaces using device-specific ioctls (Android) or
opaque IPC messages (iOS)
• How to directly access proprietary hardware?
• A diplomatic function temporarily switches the
persona of a calling thread to execute domestic
functions from within a foreign app
Review of Previous Lecture
(Cont’d)
• What are the most expensive flash memory
operations?
– Random read
– Random write
– Sequential write
– Sequential read

Random versus Sequential Disparity
• Performance for random I/O significantly worse than seq; inherent with flash storage
• Mobile flash storage classified into speed classes based on sequential throughput
• Random write performance is orders of magnitude worse
• For several popular apps, substantial fraction of I/O is random writes (including web browsing!)

Consumer-grade SD performance (write performance in MB/s)

Vendor (16GB)   Speed Class   Cost US $   Seq Write   Rand Write
Transcend       2             26          4.2         1.18
RiData          2             27          7.9         0.02
Sandisk         4             23          5.5         0.70
Kingston        4             25          4.9         0.01
Wintec          6             25          15.0        0.01
A-Data          6             30          10.8        0.01
Patriot         10            29          10.5        0.01
PNY             10            29          15.3        0.01

Courtesy: Nitin Agrawal et al.
Syllabus
• Mobile App Development (lecture 1,2,3)
– Mobile operating systems: iOS and Android
– Development environments: Xcode, Eclipse with Android SDK
– Programming: Objective-C and Android programming
• System Support for Mobile App Optimization (lecture 4,5)
– Mobile device power models, energy profiling and ebug debugging
– Core OS topics: virtualization, storage and OS support for power and context management
• Interaction with Cellular Networks (lecture 6,7,8)
– Basics of 3G/LTE cellular networks
– Mobile application cellular radio resource usage profiling
– Measurement-based cellular network and traffic characterization
• Interaction with the Cloud (lecture 9,10)
– Mobile cloud computing platform services: push notification, iCloud and Google Cloud Messaging
– Mobile cloud computing architecture and programming models
• Mobile Platform Security and Privacy (lecture 11,12,13)
– Mobile platform security: malware detection and characterization, attacks and defenses
– Mobile data and location privacy: attacks, monitoring tools and defenses
Outline
Goal of this lecture: understand the basics of current
networks and future directions
• Current Cellular Networks
– Introduction
– Radio Aspects
– Architecture
– Power Management
– Security
– QoS
• What Is Next?
• A Clean-Slate Design: Software-Defined Cellular
Networks
• Conclusion and Future Work
Cellular Networks Impact our Lives
[Figure: More Mobile Connection, More Infrastructure Deployment, More Mobile Users, More Mobile Information Sharing]
Global Convergence
• LTE is the major technology for future mobile
broadband
– Convergence of 3GPP and 3GPP2 technology tracks
– Convergence of FDD and TDD into a single technology track

[Figure: technology tracks converging on LTE (FDD and TDD). 3GPP: GSM, WCDMA, HSPA; TD-SCDMA, HSPA/TDD; also D-AMPS and PDC. 3GPP2: IS-95, cdma2000, EV-DO. IEEE: WiMAX (?).]
3GPP introduction
• 3rd Generation Partnership Program
– Established in 1998 to define UMTS
– Today also works on LTE and access-independent
IMS
– Still maintains GSM
• 3GPP standardizes systems
– Architecture, protocols
• Works in releases
– All specifications are consistent within a release

3GPP way of working
Stage 1: Requirements
• “It shall be possible to...”
• “It shall support…”
E.g., 22-series specs
Stage 2: Architecture
• Nodes, functions
• Reference points
• Procedures (no errors)
E.g., 23-series specs
Stage 3: Protocols
• Message formats
• Error cases
E.g., 29-series specs

Specification numbering example:
3GPP TS 23.401 V11.2.0
– TS=Technical Specification (normative), TR=Technical Report (info only)
– Spec. number
– Release
• Consistent set of specs per release
• New release every 1-2 years
– Updated after a meeting
Courtesy: Zoltán Turányi
3GPP specification groups
2G 3G/LTE System Protocols

Starting points on 3GPP specifications
• http://www.3gpp.org/specification-numbering
– Pointers to the series of specifications
– Architecture documents in 23-series
• Main architecture references
– 23.002 – Overall architecture reference
– 23.401 – Evolved Packet Core with LTE access, GTP-based core
– 23.060 – 2G/3G access, and integration to Evolved Packet Core
– 23.402 – Non-3GPP access, and PMIP-based core
Courtesy: Zoltán Turányi
Example

A base station
with 3 sectors
(3 cells)

Courtesy: Zoltán Turányi


Key challenges
• Large distances
– Terminals do not see each other
– Tight control of power and timing needed
– Highly variable radio channel – quick adaptation needed
• Many users in a cell
– A UMTS cell can carry roughly 100 voice calls on 5 MHz
– Resource sharing must be fine grained – but also flexible
• Quality of Service with resource management
– Voice – low delay, glitch-free handovers
– Internet traffic – more, more, more
• Battery consumption critical
– Low energy states, wake-up procedures
– Parsimonious signaling
Courtesy: Zoltán Turányi

Radio basics

LTE air interface
• The key improvement in LTE radio is the use of OFDM
• Orthogonal Frequency Division Multiplexing
– 2D frame: frequency and time
– Narrowband channels: equal fading in a channel
• Allows simpler signal processing implementations
– Sub-carriers remain orthogonal under multipath
propagation
[Figure: time-frequency grid. One resource block: 12 subcarriers during one slot (180 kHz × 0.5 ms). Other labels: one resource element, one OFDM symbol, one slot. Time domain structure: Frame (10 ms), Subframe (1 ms), Slot (0.5 ms).]
LTE air interface: Downlink
Orthogonal Frequency Division Multiple Access (OFDM)
• Closely spaced sub-carriers without guard band
• Each sub-carrier undergoes (narrow band) flat fading
- Simplified receiver processing
• Frequency or multi-user diversity through coding or scheduling across sub-carriers
• Dynamic power allocation across sub-carriers allows for interference mitigation across cells
• Orthogonal multiple access
[Figure: sub-carriers along the frequency axis with spacing 1/T; T large compared to channel delay spread; Narrow Band (~10 kHz) sub-carriers within a Wide Band (~ MHz); sub-carriers remain orthogonal under multipath propagation]
Courtesy: Harish Vishwanath
LTE air interface: Uplink
• Users are carrier synchronized to the base
• Differential delay between users’ signals at the base needs to be small compared to symbol duration
• Efficient use of spectrum by multiple users
• Sub-carriers transmitted by different users are orthogonal at the receiver
- No intra-cell interference
• CDMA uplink is non-orthogonal since synchronization requirement is ~ 1/W and so difficult to achieve
[Figure: User 1, User 2 and User 3 transmitting on separate sub-carriers within bandwidth W]
Courtesy: Harish Vishwanath
LTE air interface: Multiplexing
Each color represents a user
Each user is assigned a frequency-time tile which consists of pilot sub-carriers and data sub-carriers
Block hopping of each user’s tile for frequency diversity
Typical pilot ratio: 4.8 % (1/21) for LTE for 1 Tx antenna and 9.5% for 2 Tx antennas
[Figure: frequency-time grid of user tiles; labels: Time, Pilot sub-carriers]
Courtesy: Harish Vishwanath
LTE Scheduling
• Assign each Resource Block to one of the terminals
– LTE – channel-dependent scheduling in time and frequency domain
– HSPA – scheduling in time-domain only
[Figure: resource blocks carrying data1 to data4; time-frequency fading for user #1 and user #2, with the blocks where User #1 and User #2 are scheduled]
Courtesy: Zoltán Turányi
Architecture

UMTS Architecture
• Why separate RAN and CN?
– Two CNs with same RAN
– Multiple RANs with same CN
– Modularization
– Independent scaling, deployment and vendor selection
• Why two GSNs?
– Roaming: traffic usually taken home
– Independent scaling, deployment and vendor selection
– User can connect to multiple PDNs

[Figure: node functions, top to bottom]
PS Core Network
GGSN (Gi)
•First-hop router
•GW towards external PDNs
•VPN support over Gi
•IP address management
•Policy Control
SGSN (Gn/Gp)
•Manage CN procedures
•HSS connection (authenticator)
•Idle mode state
•Lawful Intercept
•Bearer management
CS CN
MSC
3G Radio Access Network
RNC (IuCS, IuPS)
•Real-time radio control
•Radio Resource Management
•Soft handover
•UP Ciphering
•Header Compression
NodeB (Iub)
•L1
•HSPA scheduling

GPRS – Generic Packet Radio Service
GGSN – Gateway GPRS Support Node
SGSN – Serving GPRS Support Node
RNC – Radio Network Controller
PDN – Packet Data Network
CN – Core Network
PS – Packet Switched
CS – Circuit Switched
MSC – Mobile Switching Center
HSS – Home Subscriber Server
Drivers for change
• Overhead of separate CS core when bulk of traffic is PS
• Too many specialized data plane nodes
• Complex, real-time RAN
• Vendor lock-in due to proprietary Iub features
[Figure: the UMTS architecture diagram (GGSN, SGSN, MSC, RNC, NodeB with their function lists), annotated with the four drivers listed here]
Courtesy: Zoltán Turányi
From 3G to EPC/LTE architecture
• Only two data plane nodes in the typical case.
• Data plane/control plane split for better scalability.
• PS only
• RNC functions moved down to base station
[Figure, left: 3G. PS Core Network (GGSN, SGSN; Gi, Gn/Gp), CS CN (MSC), RNC (IuCS, IuPS), NodeB (Iub), 3G Radio Access Network.]
[Figure, right: Evolved Packet Core (EPC). PDN GW – Packet Data Network GW (SGi), SGW – Serving GW, MME – Mobility Management Entity (control plane, S11), eNodeB – Evolved Node B (S1-UP, S1-CP), LTE Radio Access Network.]
Courtesy: Zoltán Turányi
Why separate SGW and PDN GW?
SGW and PDN GW separate in some special cases:
• Roaming:
• PDN GW in home network,
• SGW in visited network
• Mobility to another region in a large network
• Corporate connectivity
[Figure: Evolved Packet Core (EPC). PDN GW – Packet Data Network GW (SGi), S5/S8, SGW – Serving GW, S11, MME – Mobility Management Entity, S1-UP, S1-CP, eNodeB – Evolved Node B, LTE Radio Access Network.]
Courtesy: Zoltán Turányi
Interworking with 3G
[Figure: UE served by eNodeB (LTE) and NodeB (3G). Nodes: PDN GW, HSS, SGW, MME, SGSN, MSC, RNC. Interface labels: SGi, S5, Gn, S11, IuPS, IuCS, S1-U, S1-CP, Iub.]
MSC – Mobile Switching Center
Courtesy: Zoltán Turányi

Interworking with non-3GPP accesses
[Figure: the same nodes and interfaces, plus a Non-3GPP Access (cdma2000, WiMax, WiFi) and the interface label S2.]
PMIP – Proxy Mobile IP
Courtesy: Zoltán Turányi

Debate of 2006: GTP vs. PMIP
[Figure: the same nodes and interfaces, with interfaces marked GTP, PMIP, "GTP?" and "PMIP?".]
• Conclusion: Specify both
Courtesy: Zoltán Turányi
EPC + LTE: 23.401
EPC + 2G/3G: 23.060
[Figure: UE, eNodeB, NodeB, RNC, SGW, MME, SGSN, MSC, PDN GW, HSS; interface labels SGi, S5, Gn, S11, IuPS, IuCS, S1-U, S1-CP, Iub; GTP markings.]
Courtesy: Zoltán Turányi

EPC + non-3GPP: 23.402
[Figure: UE, eNodeB, SGW, MME, PDN GW, HSS and a Non-3GPP Access (cdma2000, WiMax, WiFi); interface labels SGi, S5, S2, S11, S1-U, S1-CP; PMIP and GTP markings.]
EPC – Evolved Packet Core
Courtesy: Zoltán Turányi
Access Procedure
• Cell Search
– Base station broadcasts synchronization signals and cell system information (similar to WiFi)
– UE obtains physical layer information
• UE acquires frequency and synchronizes to a cell
• Determine the start of the downlink frame
• Determine the cell identity
• Random access to establish a radio link
[Figure: Base station with UE 1 and UE 2]
Random Access
Participants: Client, Base station, Core network
Step 1: random access request (pick one of 64 preambles)
Step 2: random access response
Adjust uplink timing
Step 3: transmission of mobile ID
Only if UE is not known in Base station
Step 4: contention resolution msg
If ID in msg matches UE ID, succeed.
If collision, ID will not match!
Random Access (Cont’d)
Why not carrier sensing like WiFi?
•Base station coverage is much larger than WiFi AP
– UEs most likely cannot hear each other
•How come base station can hear UEs’ transmissions?
– Base station receivers are much more sensitive and expensive
[Figure: Base station with UE 1 and UE 2]
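The four-step random access procedure above, as an added Python example that is not part of the lecture: it computes how often preamble choices collide and simulates contention resolution until every UE succeeds. The rule that the base station decodes exactly one of the colliding IDs in step 3 is a modelling assumption, as are all function names.

```python
import random
from collections import defaultdict

NUM_PREAMBLES = 64  # from the slide: "pick one of 64 preambles"


def collision_probability(n_ues, preambles=NUM_PREAMBLES):
    """Probability that at least two of n_ues UEs pick the same preamble."""
    if n_ues > preambles:
        return 1.0
    p_all_distinct = 1.0
    for i in range(n_ues):
        p_all_distinct *= (preambles - i) / preambles
    return 1.0 - p_all_distinct


def run_round(ue_ids, rng):
    """One pass of steps 1-4 for every UE that is still trying.

    Returns (winners, losers); losers retry in the next round.
    """
    # Step 1: each UE picks a preamble at random. The base station sees
    # which preambles were sent, not who sent them.
    by_preamble = defaultdict(list)
    for ue in ue_ids:
        by_preamble[rng.randrange(NUM_PREAMBLES)].append(ue)

    winners, losers = [], []
    for contenders in by_preamble.values():
        # Step 2: one response per detected preamble, so all UEs that chose
        # it adjust their uplink timing and use the same uplink grant.
        # Step 3: every contender transmits its mobile ID on that grant.
        # Assumption: the base station decodes exactly one of them.
        echoed_id = rng.choice(contenders)
        # Step 4: the contention resolution message carries the decoded ID.
        # A UE succeeds only if that ID is its own.
        for ue in contenders:
            (winners if ue == echoed_id else losers).append(ue)
    return winners, losers


def attach_all(ue_ids, seed=0):
    """Repeat rounds until every UE has won contention.

    Returns {ue_id: round in which it succeeded}.
    """
    rng = random.Random(seed)
    pending = list(ue_ids)
    succeeded_in = {}
    round_no = 0
    while pending:
        round_no += 1
        winners, pending = run_round(pending, rng)
        for ue in winners:
            succeeded_in[ue] = round_no
    return succeeded_in


if __name__ == "__main__":
    for n in (1, 5, 10, 30):
        print(n, "UEs: P(collision) =", round(collision_probability(n), 3))
    result = attach_all([f"ue-{i}" for i in range(200)], seed=1)
    print("rounds needed for 200 simultaneous UEs:", max(result.values()))
```

Because at most one UE can succeed per preamble, no more than 64 UEs complete in any round, which is why a burst of simultaneous attempts stretches over several rounds.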
Modes of operation

Connected mode
• Used during communication
• Signaling connection exists between network and UE
• Both CN and RAN keep state about the UE
• UE location is tracked on a cell granularity
– Needed to deliver the data
• Network controlled mobility
SGW MME

Network controlled mobility
• Procedure
1. UE measures nearby cells
2. UE sends measurement reports to network
3. Network decides on and controls handover
4. Handover is prepared by network
5. Handover executes
• Reason: To allow the network to tune handovers
1. Select proper target cell
2. Network has additional information for handover decision
3. Collect and analyze data for cell planning and troubleshooting
4. Penalize ping-ponging UEs
5. Penalize microcells for fast UEs
6. Cell breathing
[Figure: UE, cells, SGW and MME, with arrows numbered by procedure step]
Courtesy: Zoltán Turányi
Idle Mode
• Used when the UE is not communicating
• UE location is tracked on a Tracking Area (TA) granularity
– eNodeBs advertise their TA
– UE periodically listens to advertisements (every few seconds)
– UE sends Tracking Area Update (TAU) to MME, when TA
changes
– TAU also sent periodically (e.g., once every 2 hours)
• No eNodeB state is kept for UE
• When traffic arrives to the UE,
the UE is paged

PAGING
• UE periodically checks if data is available for it
– Wakes up, (re)selects cell, reads broadcast and the paging channel
– Exact timing is pseudo-random per UE
• If packet arrives to SGW…
– …it buffers the packet
– …and notifies MME.
– MME sends a Paging Request to all eNodeBs in the TA of the UE
– eNodeBs page the UE on its paging slot locally
– UE responds with a Service Request…
– …eNodeB state is built up…
– …and UE is moved to connected state.
[Figure: PDN GW, SGW, MME, eNodeBs and UE]
Courtesy: Zoltán Turányi
Idle mode issues
• Idle mode is a great power-saving feature
– A system-wide feature
– Also saves a lot of RAN resources
• Balancing of TA size is needed
– Too large: many paging messages
– Too small: many TAU messages from UE
– Lots of optimizations: per-UE TA, overlapping TA, etc.
• Connected ↔ Idle transitions are costly
– Usually a timeout is used to go to idle
• Not a good fit for chatty packet traffic
• Easy to attack: an IP address range scan wakes up everyone
– Key application design goal: reduce chattiness
• The Phone OS also has responsibility
– However, can be very effective when combined with DRX
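A detection example for the address-range scan issue above, added here and not part of the lecture: it replays a downlink packet log, infers which packets hit an idle UE and therefore trigger paging, and flags any source that wakes many distinct idle UEs within a short window. The log format, the thresholds, the idle model (downlink inactivity only) and all names are assumptions; the sample records are constructed.

```python
from collections import defaultdict, deque


def paging_events(downlink_packets, idle_timeout_s):
    """Yield (ts, src, ue) for each downlink packet that forces a page.

    Assumption: a UE is idle if it received no packet in the last
    idle_timeout_s seconds (uplink activity is not modelled).
    """
    last_seen = {}
    for ts, src, ue in downlink_packets:
        was_idle = ue not in last_seen or ts - last_seen[ue] > idle_timeout_s
        last_seen[ue] = ts
        if was_idle:
            yield ts, src, ue


def find_paging_scanners(downlink_packets, idle_timeout_s=10.0,
                         window_s=10.0, max_idle_ues=20):
    """Return {src: peak count of distinct idle UEs it woke within window_s}
    for every source whose peak exceeds max_idle_ues.

    downlink_packets must be ordered by timestamp.
    """
    recent = defaultdict(deque)   # src -> (ts, ue) page events in the window
    peak = defaultdict(int)
    for ts, src, ue in paging_events(downlink_packets, idle_timeout_s):
        q = recent[src]
        q.append((ts, ue))
        # Drop page events that have fallen out of the sliding window.
        while ts - q[0][0] > window_s:
            q.popleft()
        peak[src] = max(peak[src], len({u for _, u in q}))
    return {src: n for src, n in peak.items() if n > max_idle_ues}


def constructed_sample():
    """Constructed downlink log: (timestamp_s, source_ip, ue_ip)."""
    packets = []
    # One source touching 60 consecutive UE addresses in 6 seconds.
    for i in range(60):
        packets.append((i * 0.1, "203.0.113.9", f"10.20.0.{i + 1}"))
    # A push server that repeatedly reaches the same three subscribers.
    for t in (0.0, 30.0, 60.0):
        for host in (1, 2, 3):
            packets.append((t, "198.51.100.7", f"10.20.1.{host}"))
    return sorted(packets)


if __name__ == "__main__":
    for src, woken in find_paging_scanners(constructed_sample()).items():
        print(f"{src} paged {woken} distinct idle UEs within 10 s")
```

Each flagged page event also costs one Paging Request per eNodeB in the UE's tracking area, so the same counts feed directly into the TA sizing trade-off on this slide.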
LTE RRC State Machine
• UE runs radio resource
control (RRC) state
machine
• Two states: IDLE,
CONNECTED
• Discontinuous reception
(DRX): monitor one
subframe per DRX cycle;
receiver sleeps in other
subframes
Courtesy: Morley Mao


UMTS RRC State Machine
• State promotions have promotion delay
• State demotions incur tail times

State       Channel                 Radio Power
IDLE        Not allocated           Almost zero
CELL_FACH   Shared, Low Speed       Low
CELL_DCH    Dedicated, High Speed   High

[Figure: state diagram with edges labelled "Delay: 2s", "Delay: 1.5s" and "Tail Time"]
Courtesy: Feng Qian
Why are Power Consumptions of RRC States so different?
• IDLE: procedures based on reception rather
than transmission
– Reception of System Information messages
– Reception of paging messages with a DRX cycle
(may trigger RRC connection establishment)
– Location and routing area updates (requires RRC
connection establishment)
• CONNECTED: needs to continuously receive, and
send whenever there is data
Security

The SIM card
• Subscriber Identity Module
– Usually embedded in a physical SIM card
• Initially specified in 1990 for GSM (freeze date of TS 11.11)
• Carries subscriber credentials
– IMSI: International Mobile Subscriber Identity – 14-15 digits
• MCC: Mobile Country Code – 3 digits
• MNC: Mobile Network Code – 2 or 3 digits
• Rest of the digits identify the subscriber
– Keying material (essentially symmetric keys)
• In the network HSS stores subscriber data
– Including keying and phone number (MSISDN)
• Enables roaming and phone replacement
– Key features in GSM

MSISDN – Mobile Subscriber ISDN Number
KEY hierarchy
K (USIM / AuC)
CK, IK (UE / HSS), from the AKA procedure
KASME (UE / MME)
KNASenc, KNASint
KeNB / NH (UE / eNB)
KUPint, KUPenc, KRRCint, KRRCenc
[Figure: network diagram with UE (USIM), eNodeB, SGW, MME, PDN GW, HSS (AuC); interfaces S1-U, S1-CP, S11, S5, SGi]
AuC – Authentication Centre
AKA – Authentication and Key Agreement
CK: Encryption, IK: integrity Protection
ASME: Access Security Management Entity
NH – Next Hop
Courtesy: Zoltán Turányi
Authentication at initial attach
Participants: UE, eNodeB, MME, old MME, SGW, PDN GW, HSS
1: Attach Request (GUTI or IMSI)
2: Identity Request (GUTI)
3: Identity Response (IMSI)
4: Identity Request (GUTI)
5: Identity Response (IMSI)
6: Security functions (incl. AKA)
7: KASME computed
8: KASME computed
9: Update Location Request
10: Update Location Ack (subscription data)
11: Create Session Request
12: Create Session Request
13: IP address allocation
14: Create Session Response
15: Create Session Response
16: Attach Accept + keying
17: KeNB received
18: Attach Accept
19: KeNB computed
20: Attach Complete
21: First uplink packet
22: Modify Bearer
23: First downlink packet
handover
Participants: UE, source eNB, target eNB, MME, SGW, PDN GW
1: Measurement report
2: Handover decision
3: Handover Request {NH, NCC}
4: Allocate TEID
5: Handover Request Ack
6: handover command
7: SN Status Transfer
(buffer DL data)
8: Sync+RRC complete
9: Path Switch Request
10: Modify Bearer Request
(User Data end marker, stop fw)
11: Modify Bearer Response
12: Path Switch Request Ack (new {NH, NCC} pair)
13: UE Context Release
(User Data flows are shown before, during and after the handover)

• MME pre-calculates NH keys
– From KASME and NCC
– NCC: NH Chaining Counter
• 3: Source eNodeB sends {NH, NCC} to target eNodeB
• Target eNB uses NH for KeNB
• UE also calculates new KeNB
• 12: MME sends next {NH, NCC} to target eNB

Key hierarchy shown alongside: K (USIM / AuC); CK, IK (UE / HSS); KASME (UE / MME); KNASenc, KNASint; KeNB / NH (UE / eNB); KUPint, KUPenc, KRRCint, KRRCenc
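The NH chaining on the handover slide, as an added Python example that is not part of the lecture: the MME and the UE each extend the chain from KASME, the target eNB only receives {NH, NCC}, and the UE catches up to the signalled NCC to reach the same key. The FC codes, the parameter layout and the 3-bit NCC are assumptions taken from 3GPP TS 33.401 Annex A rather than from the slides; the class and function names, the KASME value and the cell parameters are constructed.

```python
import hashlib
import hmac

# Assumption (not on the slides): FC codes and parameter layout follow
# 3GPP TS 33.401 Annex A; verify against the spec before reuse.
FC_KENB, FC_NH, FC_KENB_STAR = 0x11, 0x12, 0x13


def kdf(key, fc, *params):
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (2-byte lengths)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def kenb_star(base_key, pci, earfcn_dl):
    """Key for the target cell, bound to its physical cell ID and frequency."""
    return kdf(base_key, FC_KENB_STAR,
               pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


class NhChain:
    """NH chain state. Only the MME and the UE hold KASME, so only they
    can extend the chain; an eNodeB just receives {NH, NCC} pairs."""

    def __init__(self, kasme, uplink_nas_count=0):
        self.kasme = kasme
        self.kenb = kdf(kasme, FC_KENB, uplink_nas_count.to_bytes(4, "big"))
        self.nh = None
        self.ncc = 0          # the initial KeNB counts as NCC 0

    def advance(self):
        """Derive the next NH from KASME and return the {NH, NCC} pair."""
        sync_input = self.kenb if self.nh is None else self.nh
        self.nh = kdf(self.kasme, FC_NH, sync_input)
        self.ncc = (self.ncc + 1) % 8     # NCC is a 3-bit counter
        return self.nh, self.ncc

    def catch_up(self, ncc):
        """UE side: step the chain until it reaches the signalled NCC."""
        while self.ncc != ncc:
            self.advance()
        return self.nh


def handover(mme, ue, pci, earfcn_dl):
    """One handover as on the slide; returns (target eNB key, UE key)."""
    nh, ncc = mme.advance()                      # MME pre-calculates {NH, NCC}
    target_key = kenb_star(nh, pci, earfcn_dl)   # target eNB uses NH for KeNB
    # The handover command carries only the NCC; the UE derives NH itself.
    ue_key = kenb_star(ue.catch_up(ncc), pci, earfcn_dl)
    return target_key, ue_key


if __name__ == "__main__":
    kasme = bytes(range(32))          # constructed key, not real material
    mme, ue = NhChain(kasme), NhChain(kasme)
    source_kenb = ue.kenb
    enb_key, ue_key = handover(mme, ue, pci=101, earfcn_dl=1850)
    print("keys agree:", enb_key == ue_key, "NCC:", ue.ncc)
    # A key the source eNB could compute alone (from its own KeNB) differs.
    print("differs from source-derived key:",
          kenb_star(source_kenb, 101, 1850) != enb_key)
```

Because each NH is keyed with KASME, an eNodeB that holds the current KeNB cannot compute the NH used after the next handover; that is the property the {NH, NCC} exchange provides.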

QoS architecture

Bearers
• A bearer is a L2 packet transmission channel
– …to a specific external Packet Data Network,
– …using a specific IP address/prefix,
– …carrying a specific set of IP flows (maybe all)
– …providing a specific QoS.
• In 2G/3G also known as “PDP Context”
• Bearer setup is explicitly signaled
– In LTE one bearer is always set up at attachment
See more in: 23.107 QoS concept and architecture
[Figure: UE, eNodeB, SGW, MME, PDN-GW, HSS; interfaces S1-U, S1-CP, S11, S5, SGi]
Courtesy: Zoltán Turányi
Bearers
[Figure: nested traffic aggregates for one UE. Labels: IP microflows; Service Data Flow; default bearer; dedicated bearer; PDN connection; APN traffic; Terminal traffic. Annotations: "A set of IP microflows", "A set of IP microflows with the same QoS", "Traffic with the same IP address or IPv6 prefix", "Traffic to the same external network", "All traffic of a UE". Network side: UE, eNodeB, SGW, MME, two PDN GWs reaching external networks PDN 1 (APN1) and PDN 2 (APN2) over SGi.]
Dedicated bearer: bearer with special QoS
Default bearer: rest of traffic with default QoS
Two default bearers to different APNs
PDN – Packet Data Network
APN – Access Point Name
Courtesy: Zoltán Turányi
Why then no QoS today?
(Apart from voice)

• Terminal apps do not use QoS


– Original IP socket API has minimal QoS features
• No widespread QoS mechanism in fixed networks
• Usually IP app developers do not care about network QoS
– A number of QoS API failures
• Conceptual difficulties
– QoS must be authorized and charged
• QoS can only be effectively decided in the face of its price
– Complex QoS descriptors
• Determining QoS parameters is challenging
– E.g., 10^-3 or 10^-4 bit error rate?
– Yet not flexible enough to cater for e.g., VBR video
#1: Simple parameters
• QCI: QoS Class Indicator
– Scalar value encompassing all packet treatment aspects
– 9 mandatory, operators can define new
• MBR: Max bitrate
• GBR: Guaranteed bitrate
– If nonzero, admission control is performed
• ARP: Allocation and Retention Priority
– priority (scalar): Governs priority at establishment and handover
– pre-emption capability (flag): can this bearer pre-empt another?
– pre-emption vulnerability (flag): can another bearer pre-empt this one?
• AMBR: Aggregated Maximum bitrate
– Both a per-terminal and per-APN value

QCI          Resource Type   Priority   Packet Delay Budget (NOTE 1)   Packet Error Loss Rate (NOTE 2)   Example Services
1 (NOTE 3)   GBR             2          100 ms                         10^-2                             Conversational Voice
2 (NOTE 3)   GBR             4          150 ms                         10^-3                             Conversational Video (Live Streaming)
3 (NOTE 3)   GBR             3          50 ms                          10^-3                             Real Time Gaming
4 (NOTE 3)   GBR             5          300 ms                         10^-6                             Non-Conversational Video (Buffered Streaming)
5 (NOTE 3)   Non-GBR         1          100 ms                         10^-6                             IMS Signalling
6 (NOTE 4)   Non-GBR         6          300 ms                         10^-6                             Video (Buffered Streaming); TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
7 (NOTE 3)   Non-GBR         7          100 ms                         10^-3                             Voice, Video (Live Streaming), Interactive Gaming
8 (NOTE 5)   Non-GBR         8          300 ms                         10^-6                             Video (Buffered Streaming); TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
9 (NOTE 6)   Non-GBR         9          300 ms                         10^-6                             Video (Buffered Streaming); TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)

Source: 23.401 (GPRS Enhancements for E-UTRAN), 23.203 (Policy and Charging Control Architecture)
#2: Network initiated bearers
• Allow a network application to request QoS
– Terminal app can remain QoS un-aware
– Network can fully control QoS provided & payment charged
[Figure: App on the UE (LTE, no QoS API) and App in the Network (LTE + EPC): 1. Session setup, 2. Request QoS, 3. Bearer setup]
• First specified in Release 7 for 3G
– Not all terminals support it
• Mandatory mode in LTE
Courtesy: Zoltán Turányi
Policy and Charging
• Policy and Charging Rules Function
– Decides on QoS and Charging
– Controls gating
– Service Policy Based on
• Request
• Subscription data
– Makes no resource decisions
[Figure: App to PCRF over Rx: flow descriptor (5-tuple), bandwidth, application (voice/video/etc.). PCRF to PDN GW over Gx: flow descriptor (5-tuple), QoS descriptor, charging rules, gating (on/off). Rest of the path: SGi, PDN GW, S5, SGW, S11, MME, S1-U, S1-MME, eNodeB, UE.]
Courtesy: Zoltán Turányi
What Is Next?

LTE Evolution
• LTE-A – meeting and exceeding IMT-Advanced
requirements
– Carrier aggregation
– Enhanced multi-antenna support
– Relaying
– Enhancements for heterogeneous deployments
[Figure: release staircase from Rel-8 to Rel-14 with stages LTE, LTE-A, LTE-B, LTE-C]
LTE Evolution
• LTE-B
– Work starting fall 2012
• Topics (speculative)
– Device-to-device communication
– Enhancements for machine-to-machine communication
– Green networking: reduce energy use
– And more…
[Figure: release staircase from Rel-8 to Rel-14 with stages LTE, LTE-A, LTE-B, LTE-C]
Outline
Goal of this lecture: understand the basics of
current networks and future directions
• Current Cellular Networks
• What Is Next?
• A Clean-Slate Design: Software-Defined Cellular
Networks
– Radio Access Networks
– Core Networks
– Wide Access Networks
• Conclusion and Future Work
A Clean-Slate Design: Software-Defined Radio Access Networks
Carrier’s Dilemma
[Figure, left panel: "Exponential Traffic Growth", mobile traffic in exabytes per year, 2007 to 2017, annual growth 83%. Right panel: "Limited Capacity Gain", curves labelled Shannon, Shannon (3dB) and 4G.]
• Poor wireless connectivity if left unaddressed
LTE Radio Access Networks
• Goal: high capacity wide-area wireless network
– Dense deployment of small cells
[Figure: access side: User Equipment (UE), Base Station (BS); core side: Serving Gateways, Packet Data Network Gateway, Internet]
Dense and Chaotic Deployments
• Dense: high SNR per user leads to higher capacity
o Small cells, femto cells, repeaters, etc
Problems
• Current LTE distributed control plane is ill-suited
o Hard to manage inter-cell interference
o Hard to optimize for variable load of cells
• Dense deployment is costly
o Need to share cost among operators
o Maintain direct control of radio resources
o Lacking in current 3GPP RAN sharing standards

SoftRAN: Big Base Station Abstraction
[Figure: a Big Base Station made up of a controller and Radio Elements 1, 2 and 3, each drawn with its own time/frequency resource grid]

Radio Resource Allocation
[Figure: flows mapped onto a 3D resource grid; axis label: time]

SoftRAN: SDN Approach to RAN
[Figure: base stations BS1 to BS5, each running its own Control Algo above PHY & MAC; coordination over the X2 interface]

SoftRAN: SDN Approach to RAN
[Figure: Control Algo and Operator Inputs above a Network OS and RadioVisor; radio elements (RE) RE1 to RE5 each keep only PHY & MAC]

SoftRAN Architecture Summary
[Figure: architecture diagram. CONTROLLER: RAN Information Base (Interference Map, Flow Records, QoS Constraints), Network Operator Inputs, Radio Resource Management Algorithm, 3D Resource Grid, Controller API. RADIO ELEMENTS: Radio Element API, Periodic Updates (Bytes, Rate, Queue Size). Other labels: POWER, FLOW, Frequency.]

SoftRAN Architecture: Updates
• Radio element -> controller (updates)
– Flow information (downlink and uplink)
– Channel states (observed by clients)
• Network operator -> controller (inputs)
– QoS requirements
– Flow preferences

SoftRAN Architecture: Controller Design
• RAN information base (RIB)
– Update and maintain global network view
• Interference map
• Flow records
• Radio resource management
– Given global network view: maximize global utility
– Determine RRM at each radio element

SoftRAN Architecture: Radio Element API
• Controller -> radio element
– Handovers to be performed
– RF configuration per resource block
• Power allocation and flow allocation
– Relevant information about neighboring radio elements
• Transmit Power being used

Refactoring Control Plane
• Controller responsibilities:
- Decisions influencing global network state
• Load balancing
• Interference management
• Radio element responsibilities:
- Decisions based on frequently varying local network state
• Flow allocation based on channel states

SoftRAN Advantages
• Logically centralized control plane:
– Global view on interference and load
• Easier coordination of radio resource management
• Efficient use of wireless resources
– Plug-and-play control algorithms
• Simplified network management
– Smoother handovers
• Better user-experience

SoftRAN: Evolving the RAN
• Switching off radio elements based on load
– Energy savings
• Dynamically splitting the network into Big-BSs
– Handover radio elements between Big-BSs

Implementation: Modifications
• SoftRAN is incrementally deployable with current infrastructure
– No modification needed on client-side
– API definitions at base station
• Femto API : Standardized interface between scheduler and L1 (http://www.smallcellforum.org/resources-technical-papers)
• Minimal modifications to FemtoAPI required

RadioVisor Design
• Slice manager
o Slice configuration, creation, modification, deletion and multi-slice operations
• Traffic to slice mapping at RadioVisor and radio elements
• 3D resource grid allocation and isolation
o Considers traffic demand, interference graph and policy
[Figure: RadioVisor components: Slice Manager, Traffic to Slice Mapping, 3D Resource Grid Allocation & Isolation]

Slice Manager

• Slice definition
o Predicates on operator, device, subscriber, app
attributes
o A slice can be all M2M traffic of operator 1
• Slice configuration at data plane and control plane
o PHY and scheduler: narrow band PHY for M2M slice
o Interference management algorithm
• Slice algebra to support flexible slice operations
o Slice merge, split, (un)nest, duplicate

Resource Grid Allocation and Isolation
• Slices present resource demands every time window
• Max min fair allocation
• Example
o Red slice is entitled to 2/3 and demands 2/3 RE1 only
o Blue slice is entitled to 1/3 and demands 1/3 RE2 and 1 RE3
[Figure: Radio Elements 1, 2 and 3 with an interference edge; axis label: Frequency]

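An added example (not from the lecture or the RadioVisor authors) of the max-min fair allocation named on the slide above, written as weighted water-filling over one time window. It assumes the interference edge joins RE1 and RE2 so they share one band, reads "1 RE3" as the whole band of RE3, and adds a second, constructed window; `weighted_max_min` and `allocate_window` are hypothetical names.

```python
from fractions import Fraction as F

def weighted_max_min(capacity, weights, demands):
    """Weighted max-min fairness by water-filling: a slice never gets more
    than it demands, and unused share is re-divided among the slices that
    are still unsatisfied, in proportion to their entitlements."""
    alloc = {s: F(0) for s in demands}
    active = {s for s, d in demands.items() if d > 0}
    remaining = F(capacity)
    while active and remaining > 0:
        total_w = sum(weights[s] for s in active)
        offer = {s: remaining * weights[s] / total_w for s in active}
        capped = {s for s in active if offer[s] >= demands[s]}
        if not capped:              # nobody can be fully satisfied:
            alloc.update(offer)     # split what is left by entitlement
            break
        for s in capped:            # satisfy these, release their surplus
            alloc[s] = demands[s]
            remaining -= demands[s]
        active -= capped
    return alloc

def allocate_window(cliques, entitlement, demand):
    """Allocate one time window. Radio elements in the same interference
    clique cannot reuse a resource block, so they share one band of size 1."""
    grid = {}
    for clique in cliques:
        per_slice = {s: sum(d.get(re, F(0)) for re in clique)
                     for s, d in demand.items()}
        grid[clique] = weighted_max_min(1, entitlement, per_slice)
    return grid

# Assumption: the slide's interference edge joins RE1 and RE2; RE3 is isolated.
CLIQUES = [("RE1", "RE2"), ("RE3",)]
ENTITLEMENT = {"red": F(2, 3), "blue": F(1, 3)}

# Window from the slide: red wants 2/3 of RE1, blue 1/3 of RE2 and all of RE3.
slide_window = {"red": {"RE1": F(2, 3)},
                "blue": {"RE2": F(1, 3), "RE3": F(1)}}
# Constructed window: red is nearly idle, blue asks for all of RE2.
idle_red_window = {"red": {"RE1": F(1, 3)}, "blue": {"RE2": F(1)}}

if __name__ == "__main__":
    for name, w in (("slide", slide_window), ("idle red", idle_red_window)):
        for clique, alloc in allocate_window(CLIQUES, ENTITLEMENT, w).items():
            print(name, clique, {s: str(a) for s, a in alloc.items()})
```

In the constructed window the blue slice receives more than its 1/3 entitlement because the red slice leaves part of its share unused, which is the behaviour max-min fairness adds over a static split.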
Conclusion
• Dense deployment calls for central control of radio
resources
• Deployment costs motivate RAN Sharing
• We present the design of RadioVisor
o Enables direct control of per slice radio resources
o Configures per slice PHY and MAC, and
interference management algorithm
o Supports flexible slice definitions and operations
A Clean-Slate Design:
Software-Defined Cellular Core
Networks

Cellular Core Network Architecture
[Figure: network diagram with User Equipment (UE), Base Station (BS), Serving Gateways, Packet Data Network Gateway and Internet, divided into access and core]

SoftCell Overview
[Figure: simple hardware + SoftCell software, with a Controller, connected to the Internet]

SoftCell Design Goal
Fine-grained service policy for diverse app needs
» Video transcoder, content filtering, firewall
» M2M services: fleet tracking, low latency medical
device updates

with diverse needs!

Characteristics of Cellular Core Networks
1. “North south” traffic pattern
2. Asymmetric edge
3. Traffic initiated from low-bandwidth access edge
[Figure: Gateway Edge (Internet side): ~1 million Users, ~10 million flows, ~400 Gbps – 2 Tbps; Access Edge: ~1K Users, ~10K flows, ~1 – 10 Gbps]

Challenge: Scalability
Packet classification: decide which service policy to be applied to a flow
» How to classify millions of flows per second?
Traffic steering: generate switch rules to implement policy paths, e.g. traversing a sequence of middleboxes
» How to implement millions of paths?
• Limited switch flow tables: ~1K – 4K TCAM, ~16K – 64K L2/Ethernet
Network dynamics: set up policy paths for new users and new flows?

SoftCell: Design-in-the-Large
1. Scalable system design
» Classifying flows at access edge
» Offloading controller tasks to switch local agent
2. Intelligent algorithms
» Enforcing policy consistency under mobility
» Multi-dimension aggregation to reduce switch rule entries
[Figure: Controller with local agents (LA) on the switches; Gateway Edge: ~1 million Users, ~10 million flows, ~up to 2 Tbps; Access Edge: ~1K Users, ~10K flows, ~1 – 10 Gbps]

Multi-Dimensional Aggregation
Use multi-dimensional tags rather than flat tags
• Policy Tag: aggregate flows that share a common policy (even across Users and BSs)
• BS ID: aggregate flows going to the same (group of) base stations
• User ID: aggregate flows going to the same Users
Exploit locality in network topology and traffic pattern
Selectively match on one or multiple dimensions
» Supported by the multiple tables in today’s switch chipset

Conclusion and Future Work
• SoftCell uses commodity switches and middleboxes to build flexible and cost-effective cellular core networks
• SoftCell cleanly separates fine-grained service policies from traffic management policies
• SoftCell achieves scalability with
– Data Plane: Asymmetric Edge Design, Multi-dimensional Aggregation
– Control Plane: Hierarchical Controller Design
• Deploy SoftCell in real test bed
• Exploit multi-stage tables in modern switches
– Reduce m×n rules to m+n rules

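An added example (not SoftCell's code) of why multi-stage tables turn m×n rules into m+n, covering both the multi-dimensional tags and the future-work item above. It assumes a switch action made of a policy-dependent part and a location-dependent part; every name and table entry is constructed.

```python
from itertools import product

def flat_table(policy_next_hop, bs_port):
    """Single table keyed on the full (policy tag, BS ID) pair: the two
    dimensions are cross-multiplied, so it holds m*n entries."""
    return {(p, b): (hop, port)
            for (p, hop), (b, port) in product(policy_next_hop.items(),
                                               bs_port.items())}

def lookup_flat(table, policy_tag, bs_id):
    return table.get((policy_tag, bs_id))          # None = table miss

def lookup_staged(policy_next_hop, bs_port, policy_tag, bs_id):
    """Stage 1 matches only the policy tag, stage 2 only the BS ID,
    so the pipeline holds m + n entries."""
    hop = policy_next_hop.get(policy_tag)
    port = bs_port.get(bs_id)
    if hop is None or port is None:
        return None                                # miss in either stage
    return (hop, port)

def compare(m, n):
    """Build constructed tables for m policies and n base stations, check
    that both designs forward identically, and return their rule counts."""
    policies = {p: f"middlebox-chain-{p}" for p in range(m)}
    stations = {b: f"port-{b % 8}" for b in range(n)}
    flat = flat_table(policies, stations)
    for p, b in product(range(m + 1), range(n + 1)):   # +1 also probes misses
        assert lookup_flat(flat, p, b) == lookup_staged(policies, stations, p, b)
    return len(flat), len(policies) + len(stations)

if __name__ == "__main__":
    print(compare(4, 50))
```

With TCAM sizes of ~1K – 4K entries as quoted earlier in the deck, the flat design runs out of space at a few dozen policies and base stations, while the staged design grows only additively.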
A Clean-Slate Design:
Software-Defined WAN

Current Mobile WANs
• Organized into rigid and very large regions
• Minimal interactions among regions
• Centralized policy enforcement at PGWs

[Figure: Two Regions]

Mobile WANs Problems
• Suboptimal routing in large carriers
– Lack of sufficiently close PGW is a major cause of
path inflation
• Lack of support for seamless inter-region
mobility
– Users crossing regions experience service
interruption
• Scalability and reliability
– The sheer amount of traffic and centralized policy
enforcement
• Ill-suited to adapt to the rise of new
applications
– E.g., machine-to-machine
– All users’ outgoing traffic traverses a PGW to the
SoftMoW Motivation
Question: How to make the packet core scalable, simple,
and flexible for tens of thousands of base stations and
millions of mobile users?
• Mobile networks should have fully connected core
topology, small logical regions, and more egress points
• Operators should leverage SDN to manage the whole
network with a logically-centralized controller:
– Directs traffic through efficient network paths that
might cross region boundaries
– Handles high amount of intra-region signaling load
from mobile users
– Supports seamless inter-region mobility and
optimizes its performance
– Performs network-wide application-based such as
region optimization
SoftMoW Solution
• Hierarchically builds up a network-wide control plane
– Lies in the family of recursive SDN designs (e.g. XBAR, ONS’13)
• In each level, abstracts both control and data planes and exposes a set of “dynamically-defined” logical components to the control plane of the level above.
– Virtual Base stations (VBS), Gigantic Switches (GS), and Virtual Middleboxes (VMB)
[Figure: GS (Core Net, Latency Matrix), VBS (Radio Net, Union of Coverage), VMB (Policy, Sum of capacities)]

SoftMoW Solution
• New Dynamic Feature: In each level, the control logic can modify its logical components for optimization purposes
– E.g., merge/split and move operations
[Figure: two panels, "Merge/Split" and "Move and Split", showing GSW1 to GSW3 and VBS1 to VBS3]

First Level-SoftMoW Architecture
• Replace inflexible and expensive hardware devices (i.e., PGW, SGW) with SDN switches
• Perform distributed policy enforcement using middle-box instances
• Partition the network into independent and dynamic logical regions
• A child controller manages the data plane of each region
Bootstrapping phase: based on location and processing capabilities of child controllers
[Figure: Child A controller (NIB, Apps, Local Agent A) exchanging events and GS rules & actions with the level above; Regions A and B separated by a boundary, with base stations BS1 to BS6, middleboxes M1 to M10, egress points E1 to E4 and I1]

Second Level-SoftMoW Architecture
• A parent runs a global link discovery protocol
– Inter-region links are not detected by BDDP and LLDP
• A parent participates in the inter-domain routing protocol
• A parent builds virtual middlebox chains and egress-point policies, and dictates to GSs
[Figure: Parent controller (NIB, I-Mobility Manager, Middlebox Optimizer, Egress Selection, Region Optimizer, BGP sessions) connected through the GS Protocol to Child A (NIB, Apps, Local Agent A); the parent's view shows GSA and GSB with E1 to E4, I1, and internal and border VBS1 and VBS2 above Regions A and B]

Hierarchical Traffic Engineering
• A parent pushes a global label into each traffic group
• Child controllers perform label swapping
o Ingress point: pop the global label and push some local labels for intra-region paths
o Egress point: pop the local labels and push back the global label
[Figure: Parent controller over GSA and GSB with Web and Voice traffic groups, GS rules, Latency (P1,E2)=300 and Latency (P1,E4)=100; label operations Push W, Pop W, Push W1, Pop W1, Push W2, Pop W2 drawn along the path through Regions A and B]

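An added example, not code from the lecture or the SoftMoW authors, that traces a packet's label stack through the label swapping described above. The label names W, W1 and W2 come from the slide's figure; assigning W1 to Region A and W2 to Region B, and the `ChildController` and `forward` names, are assumptions.

```python
class ChildController:
    """Hides intra-region paths from the parent: swaps the global label for
    local labels at the region ingress and restores it at the egress."""

    def __init__(self, region, local_paths):
        self.region = region
        self.to_local = local_paths                  # global -> [local, ...]
        self.to_global = {tuple(v): k for k, v in local_paths.items()}

    def ingress(self, stack):
        # A global label with no installed rule is rejected, not forwarded.
        if not stack or stack[-1] not in self.to_local:
            raise ValueError(f"{self.region}: no rule for stack {stack}")
        stack.extend(self.to_local[stack.pop()])

    def egress(self, stack):
        for local, glob in self.to_global.items():
            if tuple(stack[-len(local):]) == local:
                del stack[-len(local):]              # pop the local labels
                stack.append(glob)                   # push back the global one
                return
        raise ValueError(f"{self.region}: unexpected labels {stack}")


def forward(global_label, regions):
    """Parent pushes the global label, the packet crosses the regions in
    order, and the label is popped at the end. Returns the stack trace."""
    stack = [global_label]
    trace = [("parent push", list(stack))]
    for child in regions:
        child.ingress(stack)
        trace.append((f"{child.region} ingress", list(stack)))
        child.egress(stack)
        trace.append((f"{child.region} egress", list(stack)))
    stack.pop()
    trace.append(("parent pop", list(stack)))
    return trace


def constructed_regions():
    # Constructed mapping (assumption): W1 inside Region A, W2 inside Region B.
    return [ChildController("Region A", {"W": ["W1"]}),
            ChildController("Region B", {"W": ["W2"]})]


if __name__ == "__main__":
    for step, labels in forward("W", constructed_regions()):
        print(f"{step:16} {labels}")
```

The trace shows that only the global label is visible on inter-region links, so each child can change its local labels without the parent having to update its rules.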
Time-of-day Handover Optimization
Q: How can an operator reduce inter-region handovers in peak hours?
[Figure: Parent abstraction of GSA and GSB with E1 to E4, I1, and internal and border VBS1 and VBS2; handover graph with edge weights 300, 1000 and 2000 and a Min Cut; GS Rule: Move Border VBS1, with update coordination between Child A and Child B; Regions A and B with base stations BS1 to BS6, marked Old Border and New Border]

Conclusion
SoftMoW:
• Brings both simplicity and scalability to the control plane of very large cellular networks
– decouples control and data planes at multiple levels (focused only on two levels here)
• Makes the deployment and design of network-wide applications feasible
– E.g., seamless inter-region mobility, time-of-day handover optimization, region optimization, and traffic engineering

Summary
• Mobile computing depends on cellular
networks
• Cellular network performance still far from
meeting demands of mobile computing
• Cellular network architecture is evolving to
meet demands of mobile computing
– SDN and NFV
• AT&T’s domain 2.0
