Cellular Networks and Mobile Computing
COMS 6998-10, Spring 2013
Instructor: Li Erran Li
(lierranli@cs.columbia.edu)
http://www.cs.columbia.edu/~lierranli/coms6998-10Spring2013/
2/26/2013: Introduction to Cellular Networks
Announcements
• Programming assignment 2 will be due tomorrow
• Programming assignment 3 will be due March 13. Please start early!
– Two lab sessions will be scheduled
• Please email me the presentation slides the day before!
Review of Previous Lecture
• What are the different approaches of virtualization?
– Bare-metal hypervisor, hosted hypervisor, container (Linux LXC, Samsung Knox)
Bare-Metal Hypervisor
[Figure: guest OS kernels running on a hypervisor / VMM directly on the hardware; drawback noted: poor device support / sharing]
Courtesy: Jason Nieh et al.
Hosted Hypervisor
[Figure: guest OSes on a hypervisor / VMM that runs on a host OS kernel through a kernel module, with emulated devices, on the hardware; drawback noted: poor device performance]
Courtesy: Jason Nieh et al.
Review of Previous Lecture (Cont’d)
• What approach does Cells use?
• What are the key design choices for Cells’ extremely low overhead?
Review of Previous Lecture (Cont’d)
• Device namespace
– It is designed to be used by individual device drivers or kernel subsystems to tag data structures and to register callback functions. Callback functions are called when a device namespace changes state.
– Each VP uses a unique device namespace for device interaction.
• Cells leverages its foreground-background VP usage model to register callback functions that are called when the VP changes between foreground and background state.
Device Namespaces
[Figure: VP 1, VP 2, VP 3, ... each running Android on one Linux kernel; device namespaces safely and correctly multiplex access to devices: RTC / Alarms, Audio/Video, Sensors, Input, Power, Framebuffer, Cell Radio, WiFi, GPU]
Courtesy: Jason Nieh et al.
Review of Previous Lecture (Cont’d)
• What are the most expensive flash memory operations?
– Random read
– Random write
– Sequential write
– Sequential read
Random versus Sequential Disparity
• Performance for random I/O significantly worse than seq; inherent with flash storage
• Mobile flash storage classified into speed classes based on sequential throughput
– Random write performance is orders of magnitude worse
Consumer-grade SD performance (performance in MB/s)
Vendor (16GB)   Speed Class   Cost (US $)   Seq Write   Rand Write
Transcend       2             26            4.2         1.18
RiData          2             27            7.9         0.02
Sandisk         4             23            5.5         0.70
Kingston        4             25            4.9         0.01
Wintec          6             25            15.0        0.01
A-Data          6             30            10.8        0.01
Patriot         10            29            10.5        0.01
PNY             10            29            15.3        0.01
For several popular apps, substantial fraction of I/O is random writes (including web browsing!)
Courtesy: Nitin Agrawal et al.
Should OS Manage Context?
• export Context Data Units (CDUs) rather than raw sensor data
– higher-level abstraction than bytes
– apps query or subscribe to CDUs
• each CDU is defined by a CDU Generator: a graph of processing components
– combine Generators into composite context dataflow
– provide a base CDU vocabulary (that is extensible)
Logical Location: home, office, mall
Motion State: sitting, walking, running
Interruptible: yes, no
CondOS Design
[Figure: apps A ... Z in user space; in kernel space, CDU1, CDU2, CDU3 are offered alongside other OS services: Scheduling, I/O, Memory Management, Energy Management, Security]
[Figure: context dataflow example. Context Data Generators turn sensor input (Audio; IMU: accel, gyro, mag; Geolocation: GPS, Cell, WiFi) through Silence Filter, Audio Features, Motion Features and Location DB into the CDUs Interruptible (yes, no), Logical Location (home, office, mall) and Motion State (sitting, walking, running)]
Syllabus
• Mobile App Development (lecture 1,2,3)
– Mobile operating systems: iOS and Android
– Development environments: Xcode, Eclipse with Android SDK
– Programming: Objective-C and Android programming
• System Support for Mobile App Optimization (lecture 4,5)
– Mobile device power models, energy profiling and ebug debugging
– Core OS topics: virtualization, storage and OS support for power and context management
• Interaction with Cellular Networks (lecture 6,7,8)
– Basics of 3G/LTE cellular networks
– Mobile application cellular radio resource usage profiling
– Measurement-based cellular network and traffic characterization
• Interaction with the Cloud (lecture 9,10)
– Mobile cloud computing platform services: push notification, iCloud and Google Cloud Messaging
– Mobile cloud computing architecture and programming models
• Mobile Platform Security and Privacy (lecture 11,12,13)
– Mobile platform security: malware detection and characterization, attacks and defenses
– Mobile data and location privacy: attacks, monitoring tools and defenses
Outline
Goal of this lecture: understand the basics of current networks and future directions
• Current Cellular Networks
– Introduction
– Radio Aspects
– Architecture
– Power Management
– Security
– QoS
• What Is Next?
• A Clean-Slate Design: Software-Defined Cellular Networks
• Conclusion and Future Work
Cellular Networks Impact our Lives
[Figure: more mobile connection, more infrastructure deployment, more mobile users, more mobile information sharing]
Mobile Data Tsunami Challenges Current Cellular Technologies
• Global growth 18 times from 2011 to 2016
• AT&T network:
– Over the past five years, wireless data traffic has grown 20,000%
– At least doubling every year since 2007
• Existing cellular technologies are inadequate
– Fundamental redesign of cellular networks is needed
[Figure: Global Mobile Data Traffic Growth, 2011 to 2016, in exabytes per month, annual growth 78%: 0.6 (2011), 1.3 (2012), 2.4 (2013), 4.2 (2014), 6.9 (2015), 10.8 (2016)]
Source: CISCO Visual Networking Index (VNI) Global Mobile Data Traffic Forecast 2011 to 2016
Global Convergence
• LTE is the major technology for future mobile broadband
– Convergence of 3GPP and 3GPP2 technology tracks
– Convergence of FDD and TDD into a single technology track
[Figure: technology tracks converging on LTE (FDD and TDD). Labels: 3GPP, 3GPP2, IEEE; D-AMPS, PDC, GSM, IS-95, WCDMA, HSPA, TD-SCDMA, HSPA/TDD, cdma2000, EV-DO, WiMAX, and a question mark]
LTE deployments
89 commercial networks launched
Courtesy: Zoltán Turányi
Mobile subscriptions by technology
2008-2017 (estimate)
Courtesy: Zoltán Turányi
3GPP introduction
• 3rd Generation Partnership Program
– Established in 1998 to define UMTS
– Today also works on LTE and access-independent
IMS
– Still maintains GSM
• 3GPP standardizes systems
– Architecture, protocols
• Works in releases
– All specifications are consistent within a release
3GPP way of working
Stage 1: Requirements
• “It shall be possible to...”
• “It shall support…”
E.g., 22-series specs
Stage 2: Architecture
• Nodes, functions
• Reference points
• Procedures (no errors)
E.g., 23-series specs
Stage 3: Protocols
• Message formats
• Error cases
E.g., 29-series specs
Specification numbering example: 3GPP TS 23.401 V11.2.0
– TS = Technical Specification (normative), TR = Technical Report (info only)
– 23.401: Spec. number
– 11: Release
– 2.0: Updated after a meeting
• Consistent set of specs per release
• New release every 1-2 years
Courtesy: Zoltán Turányi
3GPP specification groups
2G
3G/LTE
System
Protocols
Starting points on 3GPP specifications
• http://www.3gpp.org/specification-numbering
– Pointers to the series of specifications
– Architecture documents in 23-series
• Main architecture references
– 23.002 – Overall architecture reference
– 23.401 – Evolved Packet Core with LTE access, GTP-based core
– 23.060 – 2G/3G access, and integration to Evolved Packet Core
– 23.402 – Non-3GPP access, and PMIP-based core
Courtesy: Zoltán Turányi
Example
A base station
with 3 sectors
(3 cells)
Courtesy: Zoltán Turányi
Key challenges
• Large distances
– Terminals do not see each other
– Tight control of power and timing needed
– Highly variable radio channel – quick adaptation needed
• Many users in a cell
– A UMTS cell can carry roughly 100 voice calls on 5 MHz
– Resource sharing must be fine grained – but also flexible
• Quality of Service with resource management
– Voice – low delay, glitch-free handovers
– Internet traffic – more, more, more
• Battery consumption critical
– Low energy states, wake-up procedures
– Parsimonious signaling
Courtesy: Zoltán Turányi
Radio basics
Physical Layer: UMTS
• Simultaneous meetings in different rooms (FDMA)
• Simultaneous meetings in the same room at different times (TDMA)
• Multiple meetings in the same room at the same time (CDMA)
Courtesy: Harish Vishwanath
Physical Layer: UMTS (Cont’d)
Code Division Multiple Access (CDMA)
• Use of orthogonal codes to separate different transmissions
• Each symbol or bit is transmitted as a larger number of bits using the user specific code – Spreading
• Spread spectrum technology
– The bandwidth occupied by the signal is much larger than the information transmission rate
– Example: 9.6 Kbps voice is transmitted over 1.25 MHz of bandwidth, a bandwidth expansion of ~100
Courtesy: Harish Vishwanath
Physical Layer: UMTS (Cont’d)
• Uses spread-spectrum to separate users
• Common 5 MHz channels
• Supports soft-handover
– Multiple base stations send/receive the same data to/from the user
– Recombining the two paths results in a better channel
– Requires real-time network between base station and RNC
[Figure: base stations connected to RNCs]
UMTS – Universal Mobile Telecommunication System
CDMA – Code Division Multiple Access
UE – User Equipment
RNC – Radio Network Controller
Resource control
[Figure: UMTS radio states, marked (connected) or (disconnected)]
• HSPA / DCH
– HSPA channel (packet-oriented high data rate)
– Dedicated channels (64, 128, 384 kbits/s, 2 Mbit/s)
• FACH
– Common channel (low data rate, random access)
• URA
– Battery saving
• IDLE
– Battery saving
• Cost: More radio resources, more battery need
• Cost: RNC processing power when switching between states
Courtesy: Zoltán Turányi
HSPA
• High Speed Packet Access
– Packet oriented extension to WCDMA
– Time Division Multiplexing within a common channel
• Opportunistic scheduling
– Users with currently good reception receive more resources
– Higher overall capacity than equal share
• Hybrid ARQ with soft combining
– Only additional redundancy is transmitted on a frame error,
not the full frame
• Most radio functions moved to NodeB
• No soft handover in downlink
LTE air interface
• The key improvement in LTE radio is the use of OFDM
• Orthogonal Frequency Division Multiplexing
– 2D frame: frequency and time
– Narrowband channels: equal fading in a channel
• Allows simpler signal processing implementations
– Sub-carriers remain orthogonal under multipath propagation
[Figure: one resource element (one subcarrier during one OFDM symbol); one resource block = 12 subcarriers during one slot (180 kHz × 0.5 ms)]
Time domain structure
• Frame (10 ms)
• Subframe (1 ms)
• Slot (0.5 ms)
LTE air interface: Downlink
Orthogonal Frequency Division Multiple Access (OFDM)
• Closely spaced sub-carriers without guard band
• Each sub-carrier undergoes (narrow band) flat fading
- Simplified receiver processing
• Frequency or multi-user diversity through coding or scheduling across sub-carriers
• Dynamic power allocation across sub-carriers allows for interference mitigation across cells
• Orthogonal multiple access
[Figure: sub-carriers on the frequency axis with spacing 1/T, T large compared to channel delay spread; Narrow Band (~10 kHz) sub-carriers within a Wide Band (~ MHz) channel; sub-carriers remain orthogonal under multipath propagation]
Courtesy: Harish Vishwanath
LTE air interface: Uplink
• Users are carrier synchronized to the base
• Differential delay between users’ signals at the base needs to be small compared to symbol duration
• Efficient use of spectrum by multiple users
• Sub-carriers transmitted by different users are orthogonal at the receiver
- No intra-cell interference
• CDMA uplink is non-orthogonal since synchronization requirement is ~ 1/W and so difficult to achieve
[Figure: User 1, User 2 and User 3 occupying separate sub-carriers within bandwidth W]
Courtesy: Harish Vishwanath
LTE air interface: Multiplexing
• Each color represents a user
• Each user is assigned a frequency-time tile which consists of pilot sub-carriers and data sub-carriers
• Block hopping of each user’s tile for frequency diversity
• Typical pilot ratio: 4.8 % (1/21) for LTE for 1 Tx antenna and 9.5% for 2 Tx antennas
[Figure: frequency-time grid over time, with pilot sub-carriers marked]
Courtesy: Harish Vishwanath
LTE vs UMTS (3G): Physical Layer
• UMTS has CELL_FACH
– Uplink un-synchronized
• Base station separates random access transmissions and
scheduled transmissions using CDMA codes
• LTE does not have CELL_FACH
– Uplink needs synchronization
• Random access transmissions will interfere with
scheduled transmissions
LTE Scheduling
• Assign each Resource Block to one of the terminals
– LTE – channel-dependent scheduling in time and frequency domain
– HSPA – scheduling in time-domain only
[Figure: time-frequency fading for user #1 and user #2; data1 to data4 are placed in the resource blocks where user #1 or user #2 is scheduled]
Courtesy: Zoltán Turányi
LTE vs. WCDMA
• No Soft handover in OFDM
– All real-time functions can be done in the base station
– No need for a central RNC
– No need for a real-time network between the RNC and base
station
• Packet oriented
– Supports bursty traffic and statistical multiplexing by default
– No specific support for circuit switched traffic
• Much more flexible spectrum use
– 1.4 MHz, 3 MHz, 5 MHz, 10 MHz, 15 MHz, 20 MHz
– From 6 RB (1.4 MHz) to 100 RB (20 MHz)
Courtesy: Zoltán Turányi
Architecture
Pre-rel.8 Architecture
[Figure: CS CN (MSC) and PS Core Network (GGSN, SGSN) above the 3G Radio Access Network (RNC, NodeB); interfaces Gi, Gn/Gp, IuCS, IuPS, Iub]
• GGSN
– First-hop router
– GW towards external PDNs
– VPN support over Gi
– IP address management
– Policy Control
• SGSN
– Manage CN procedures
– HSS connection (authenticator)
– Idle mode state
– Lawful Intercept
– Bearer management
• RNC
– Real-time radio control
– Radio Resource Management
– Soft handover
– UP Ciphering
– Header Compression
• NodeB
– L1
– HSPA scheduling
• Why separate RAN and CN?
– Two CNs with same RAN
– Multiple RANs with same CN
– Modularization
– Independent scaling, deployment and vendor selection
• Why two GSNs?
– Roaming: traffic usually taken home
– Independent scaling, deployment and vendor selection
– User can connect to multiple PDNs
GPRS – Generic Packet Radio Service
GGSN – Gateway GPRS Support Node
SGSN – Serving GPRS Support Node
RNC – Radio Network Controller
PDN – Packet Data Network
CN – Core Network
PS – Packet Switched
CS – Circuit Switched
MSC – Mobile Switching Center
HSS – Home Subscriber Server
Drivers for change
• Overhead of separate CS core when bulk of traffic is PS
• Too many specialized user plane nodes
• Complex, real-time RAN
• Vendor lock-in due to proprietary Iub features
[Figure: the pre-rel.8 architecture (MSC; GGSN, SGSN; RNC; NodeB, with the same node function lists) annotated with the four points above]
Courtesy: Zoltán Turányi
From 3G to EPC/LTE architecture
[Figure: 3G side: CS CN (MSC), PS Core Network (GGSN, SGSN), 3G Radio Access Network (RNC, NodeB), interfaces Gi, Gn/Gp, IuCS, IuPS, Iub. LTE side: Evolved Packet Core (PDN GW, SGW, MME), LTE Radio Access Network (eNodeB), interfaces SGi, S11, S1-UP, S1-CP]
• Only two user plane nodes in the typical case.
• User plane/control plane split for better scalability.
• PS only RAN and CN
• RNC functions moved down to base station
PDN GW – Packet Data Network GW
SGW – Serving GW
MME – Mobility Management Entity
eNodeB – Evolved Node B
Courtesy: Zoltán Turányi
Why separate SGW and PDN GW?
[Figure: Evolved Packet Core with PDN GW (SGi), SGW (S5/S8 to PDN GW, S11 to MME) and MME; LTE Radio Access Network with eNodeB (S1-UP, S1-CP)]
SGW and PDN GW separate in some special cases:
• Roaming:
– PDN GW in home network,
– SGW in visited network
• Mobility to another region in a large network
• Corporate connectivity
Courtesy: Zoltán Turányi
Debate of 2005: “B1 vs B2”
• B1*: All accesses connected to EPC
• B2*: Inter-AS MM on top of GPRS Core
[Figure: the two options side by side. Labels: GERAN, UTRAN, SGSN, GGSN, GPRS Core, Evolved Access (LTE), Non-3GPP access, Evolved Packet Core, Inter-AS MM, Internet/Op.nw.]
• Conclusion: B1.
• Better integration between 3GPP accesses
• Fewer user plane entities
*Note: Simplified view
Courtesy: Zoltán Turányi
Interworking with 3G
[Figure: nodes UE, eNodeB, NodeB, RNC, SGSN, MSC, MME, SGW, PDN GW, HSS; interfaces Iub, IuPS, IuCS, S1-U, S1-CP, S11, Gn, S5, SGi]
MSC – Mobile Switching Center
Courtesy: Zoltán Turányi
Interworking with non-3GPP accesses
[Figure: the same nodes and interfaces, plus Non-3GPP Access (cdma2000, WiMax, WiFi) attached over S2]
PMIP – Proxy Mobile IP
Courtesy: Zoltán Turányi
Debate of 2006: GTP vs. PMIP
[Figure: the interworking architecture including Non-3GPP Access (cdma2000, WiMax, WiFi), with interfaces annotated GTP, “GTP?”, PMIP and “PMIP?”]
• Conclusion: Specify both
Courtesy: Zoltán Turányi
EPC + LTE: 23.401
EPC + 2G/3G: 23.060
[Figure: nodes UE, eNodeB, NodeB, RNC, SGSN, MSC, MME, SGW, PDN GW, HSS; interfaces Iub, IuPS, IuCS, S1-U, S1-CP, S11, Gn, S5, SGi, annotated GTP]
Courtesy: Zoltán Turányi
EPC + non-3GPP: 23.402
[Figure: nodes UE, eNodeB, MME, SGW, PDN GW, HSS and Non-3GPP Access (cdma2000, WiMax, WiFi); interfaces S1-U, S1-CP, S11, S5, S2, SGi, annotated PMIP and GTP]
EPC – Evolved Packet Core
Courtesy: Zoltán Turányi
Access Procedure
• Cell Search
– Base station broadcasts synchronization signals and cell system information (similar to WiFi)
– UE obtains physical layer information
• UE acquires frequency and synchronizes to a cell
• Determine the start of the downlink frame
• Determine the cell identity
• Random access to establish a radio link
[Figure: base station with UE 1 and UE 2]
Random Access
[Message sequence between client, base station and core network]
Step 1: random access request (pick one of 64 preambles)
Step 2: random access response
– Adjust uplink timing
Step 3: transmission of mobile ID
– Only if UE is not known in Base station
Step 4: contention resolution msg
– If ID in msg matches UE ID, succeed.
– If collision, ID will not match!
Random Access (Cont’d)
Why not carrier sensing like WiFi?
• Base station coverage is much larger than WiFi AP
– UEs most likely cannot hear each other
• How come base station can hear UEs’ transmissions?
– Base station receivers are much more sensitive and expensive
[Figure: base station with UE 1 and UE 2]
Modes of operation
Connected mode
• Used during communication
• Signaling connection exists between network and UE
• Both CN and RAN keep state about the UE
• UE location is tracked on a cell granularity
– Needed to deliver the data
• Network controlled mobility
Network controlled mobility
• Procedure
1. UE measures nearby cells
2. UE sends measurement reports to network
3. Network decides on and controls handover
4. Handover is prepared by network
5. Handover executes
• Reason: To allow the network to tune handovers
1. Select proper target cell
2. Network has additional information for handover decision
3. Collect and analyze data for cell planning and troubleshooting
4. Penalize ping-ponging UEs
5. Penalize microcells for fast UEs
6. Cell breathing
[Figure: UE moving between cells under SGW and MME, annotated with the procedure step numbers]
Courtesy: Zoltán Turányi
Handover Procedure
[Message sequence chart between UE, source eNB, target eNB, MME, SGW and PDN GW; other labels: LTE, Fast PMIPv6, User Data, buffer DL data, end marker, stop fw]
1: Measurement report
2: Handover decision
3: Handover Request
4: Allocate TEID
5: Handover Request Ack
6: handover command
7: SN Status Transfer
8: Sync+RRC complete
9: Path Switch Request
10: Modify Bearer Request
11: Modify Bearer Response
12: Path Switch Request Ack
13: UE Context Release
Idle Mode
• Used when the UE is not communicating
• UE location is tracked on a Tracking Area (TA) granularity
– eNodeBs advertise their TA
– UE periodically listens to advertisements (every few seconds)
– UE sends Tracking Area Update to MME, when TA changes
– TAU also sent periodically (e.g., once every 2 hours)
• No eNodeB state is kept for UE
• When traffic arrives to the UE, the UE is paged
PAGING
• UE periodically checks if data is available for it
– Wakes up, (re)selects cell, reads broadcast and the paging channel
– Exact timing is pseudo-random per UE
• If packet arrives to SGW…
– …it buffers the packet
– …and notifies MME.
– MME sends a Paging Request to all eNodeBs in the TA of the UE
– eNodeBs page the UE on its paging slot locally
– UE responds with a Service Request…
– …eNodeB state is built up…
– …and UE is moved to connected state.
[Figure: PDN GW, SGW, MME and UE]
Courtesy: Zoltán Turányi
Idle mode issues
• Idle mode is a great power-saving feature
– A system-wide feature
– Also saves a lot of RAN resources
• Balancing of TA size is needed
– Too large: many paging messages
– Too small: many TAU messages from UE
– Lot of optimizations: per-UE TA, overlapping TA, etc.
• Connected ↔ Idle transitions are costly
– Usually a timeout is used to go to idle
• Not a good fit for chatty packet traffic
• Easy to attack: an IP address range scan wakes up everyone
– Key application design goal: reduce chattiness
• The Phone OS also has responsibility
– However, can be very effective when combined with DRX
LTE RRC State Machine
• UE runs radio resource control (RRC) state machine
• Two states: IDLE, CONNECTED
• Discontinuous reception (DRX): monitor one subframe per DRX cycle; receiver sleeps in other subframes
Courtesy: Morley Mao
UMTS RRC State Machine
• State promotions have promotion delay
• State demotions incur tail times
[Figure: state machine with promotions labelled Delay: 1.5s and Delay: 2s, and demotions labelled Tail Time]
State       Channel                 Radio Power
IDLE        Not allocated           Almost zero
CELL_FACH   Shared, Low Speed       Low
CELL_DCH    Dedicated, High Speed   High
Courtesy: Feng Qian
Why Are the Power Consumptions of RRC States So Different?
• IDLE: procedures based on reception rather than transmission
– Reception of System Information messages
– Cell selection registration (requires RRC connection establishment)
– Reception of paging messages with a DRX cycle (may trigger RRC connection establishment)
– Location and routing area updates (requires RRC connection establishment)
UMTS RRC State Machine (Cont’d)
• CELL_FACH: need to continuously receive (search for UE identity in messages on FACH), data can be sent by RNC any time
– Can transfer small data
– UE and network resource required low
– Cell re-selections when a UE moves
– Inter-system and inter-frequency handoff possible
– Can receive paging messages without a DRX cycle
UMTS RRC State Machine (Cont’d)
• CELL_DCH: need to continuously receive, and send whenever there is data
– Possible to transfer large quantities of uplink and downlink data
– UE and network resource requirement is relatively high
– Soft handover possible for dedicated channels and Inter-system and inter-frequency handover possible
– Paging messages without a DRX cycle are used for paging purposes
Security
The SIM card
• Subscriber Identity Module
– Usually embedded in a physical SIM card
• Initially specified in 1990 for GSM (freeze date of TS 11.11)
• Carries subscriber credentials
– IMSI: International Mobile Subscriber Identity – 14-15 digits
• MCC: Mobile Country Code – 3 digits
• MNC: Mobile Network Code – 2 or 3 digits
• Rest of the digits identify the subscriber
– Keying material (essentially symmetric keys)
• In the network HSS stores subscriber data
– Including keying and phone number (MSISDN)
• Enables roaming and phone replacement
– Key features in GSM
MSISDN – Mobile Subscriber ISDN Number
Key hierarchy
[Figure: key hierarchy drawn next to the EPC architecture (UE with USIM, eNodeB, MME, SGW, PDN GW, HSS, AuC; interfaces S1-U, S1-CP, S11, S5, SGi)]
• USIM / AuC: K
• UE / HSS: CK, IK (AKA procedure)
• UE / MME: KASME; KNASenc, KNASint; KeNB / NH
• UE / eNB: KUPint, KUPenc, KRRCint, KRRCenc
Source: 33.401 Security architecture
AuC – Authentication Centre
AKA – Authentication and Key Agreement
NH – Next Hop
Courtesy: Zoltán Turányi
Authentication at initial attach
[Message sequence chart between UE, eNodeB, MME, old MME, SGW, PDN GW and HSS]
1: Attach Request (GUTI or IMSI)
2: Identity Request (GUTI)
3: Identity Response (IMSI)
4: Identity Request (GUTI)
5: Identity Response (IMSI)
6: Security functions (incl. AKA)
7: KASME computed
8: KASME computed
9: Update Location Request
10: Update Location Ack (subscription data)
11: Create Session Request
12: Create Session Request
13: IP address allocation
14: Create Session Response
15: Create Session Response
16: Attach Accept + keying
17: KeNB received
18: Attach Accept
19: KeNB computed
20: Attach Complete
21: First uplink packet
22: Modify Bearer
23: First downlink packet
S1 User Plane Security
[Figure: 3G path UE, NodeB, RNC, SGSN, GGSN (Iub, IuPS, Gn/Gp, Gi) beside LTE path UE (USIM), eNodeB, SGW, PDN GW (S1-U, S5, SGi), with MME (S1-CP, S11), HSS and AuC; node function lists as on the Pre-rel.8 Architecture slide, where UP Ciphering is an RNC function]
• RAN: UP ciphering
• Core Network: No UP ciphering!
Courtesy: Zoltán Turányi
S1 UP security
[Figure: UE (USIM), eNodeB, SGW, PDN GW, MME, HSS, AuC; interfaces S1-U, S1-CP, S11, S5, SGi]
• UP ciphering between UE and eNodeB
• IPsec tunnel from the eNodeB on S1
Courtesy: Zoltán Turányi
handover
[Message sequence chart as on the Handover Procedure slide (steps 1 to 13 between UE, source eNB, target eNB, MME, SGW and PDN GW), drawn next to the key hierarchy (K; CK, IK; KASME; KNASenc, KNASint; KeNB / NH; KUPint, KUPenc, KRRCint, KRRCenc). Step 3: Handover Request carries {NH, NCC}; step 12: Path Switch Request Ack carries a new {NH, NCC} pair]
• MME pre-calculates NH keys
– From KASME and NCC
– NCC: NH Chaining Counter
• 3: Source eNodeB sends {NH, NCC} to target eNodeB
• Target eNB uses NH for KeNB
• UE also calculates new KeNB
• 12: MME sends next {NH, NCC} to target eNB
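The NH chaining described above, as an added example that is not part of the original slides: it shows why an eNodeB that served the UE two hops ago cannot derive the current KeNB. The FC constants and input layouts follow TS 33.401 Annex A and TS 33.220 Annex B and are assumptions relative to this page; keys, cell identifiers and the NCC numbering are constructed and simplified.

```python
"""NH key chaining at LTE handover (simplified model, constructed values)."""
import hashlib
import hmac
import struct

# Assumed from TS 33.401 Annex A (not given on the slide).
FC_KENB = 0x11       # K_eNB from K_ASME and uplink NAS COUNT
FC_NH = 0x12         # NH from K_ASME and the previous K_eNB / NH
FC_KENB_STAR = 0x13  # new K_eNB from NH or K_eNB plus target cell identity


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb_star(base_key: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Bind the new K_eNB to the target cell (PCI and downlink frequency)."""
    return kdf(base_key, FC_KENB_STAR,
               struct.pack(">H", pci), struct.pack(">H", earfcn_dl))


class NHChain:
    """State held by both MME and UE: K_ASME plus the current {NH, NCC}.

    Simplification: NCC is an unbounded counter here; on the air it is a
    short wrapping counter.
    """

    def __init__(self, kasme: bytes, ul_nas_count: int):
        self.kasme = kasme
        self.kenb_initial = kdf(kasme, FC_KENB, struct.pack(">I", ul_nas_count))
        self.ncc = 0
        self.nh = None
        self._sync_input = self.kenb_initial

    def advance(self):
        """Compute the next NH. Requires K_ASME, which no eNodeB ever sees."""
        self.nh = kdf(self.kasme, FC_NH, self._sync_input)
        self._sync_input = self.nh
        self.ncc += 1
        return self.nh, self.ncc

    def catch_up(self, ncc: int) -> bytes:
        """UE side: step the chain until it matches the signalled NCC."""
        while self.ncc < ncc:
            self.advance()
        return self.nh


def simulate_two_handovers() -> dict:
    kasme = bytes(range(32))                      # constructed K_ASME
    cell_b, cell_c = (101, 1850), (102, 1850)     # constructed (PCI, EARFCN-DL)
    mme, ue = NHChain(kasme, 0), NHChain(kasme, 0)

    # eNB A serves the UE with the initial K_eNB.
    kenb_a = mme.kenb_initial

    # Handover A -> B: A holds no fresh NH, so the new key is derived from
    # A's own K_eNB. A therefore knows B's key.
    kenb_b = derive_kenb_star(kenb_a, *cell_b)
    ue_kenb_b = derive_kenb_star(ue.kenb_initial, *cell_b)

    # Step 12: MME sends the next {NH, NCC} to B. A never sees it.
    nh, ncc = mme.advance()

    # Handover B -> C: B forwards {NH, NCC} (step 3), C uses NH for K_eNB.
    kenb_c = derive_kenb_star(nh, *cell_c)
    # The UE learns NCC from the handover command and steps its own chain.
    ue_kenb_c = derive_kenb_star(ue.catch_up(ncc), *cell_c)

    # Best a compromised eNB A can do: chain forward from the key it knows.
    stale_enb_guess = derive_kenb_star(kenb_b, *cell_c)

    return {"kenb_b": kenb_b, "ue_kenb_b": ue_kenb_b,
            "kenb_c": kenb_c, "ue_kenb_c": ue_kenb_c,
            "stale_enb_guess": stale_enb_guess, "ncc": ncc}


if __name__ == "__main__":
    r = simulate_two_handovers()
    print("UE and network agree after A->B:", r["ue_kenb_b"] == r["kenb_b"])
    print("UE and network agree after B->C:", r["ue_kenb_c"] == r["kenb_c"])
    print("old eNB A can derive C's key:  ", r["stale_enb_guess"] == r["kenb_c"])
```

The source eNodeB of a handover still knows the key it hands to the target; the separation only takes effect one handover later, once the MME has delivered a fresh {NH, NCC} pair.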
QoS architecture
QoS MATTERS IN CELLULAR
• Overprovisioning is difficult
– Resources are scarce (few 10s of MHzs)
– Equipment and spectrum expensive
– You need to use well what you have
• Everything is more complicated
– Due to the wide-area radio delays are higher
– Primary application is delay sensitive
• Money
– People are (somewhat more) willing to pay
– There is an infrastructure to charge
– Service and price differentiation happens
Bearers
• A bearer is a L2 packet transmission channel
– …to a specific external Packet Data Network,
– …using a specific IP address/prefix,
– …carrying a specific set of IP flows (maybe all)
– …providing a specific QoS.
• In 2G/3G also known as “PDP Context”
• Bearer setup is explicitly signaled
– In LTE one bearer is always set up at attachment
[Figure: UE, eNodeB, SGW, PDN-GW, MME, HSS; interfaces S1-U, S1-CP, S11, S5, SGi]
Courtesy: Zoltán Turányi
See more in: 23.107 QoS concept and architecture
Bearers
[Figure: traffic hierarchy from the terminal (UE) through eNodeB, SGW and PDN GWs (SGi, APN1, APN2), with MME, to the external networks PDN 1 and PDN 2]
• Terminal traffic: all traffic of a UE
• PDN connection (APN traffic): traffic to the same external network, traffic with the same IP address or IPv6 prefix
• Bearer: a set of IP microflows with the same QoS
• Service Data Flow: a set of IP microflows
• Dedicated bearer: bearer with special QoS
• Default bearer: rest of traffic with default QoS
• Two default bearers to different APNs
Courtesy: Zoltán Turányi
PDN – Packet Data Network
APN – Access Point Name
Why then no QoS?
(Apart from voice)
• Terminal apps do not use QoS
– Original IP socket API has minimal QoS features
• No widespread QoS mechanism in fixed networks
• Usually IP app developers do not care about network QoS
– A number of QoS API failures
• Conceptual difficulties
– QoS must be authorized and charged
• QoS can only be effectively decided in the face of its price
– Complex QoS descriptors
• Determining QoS parameters is challenging
– E.g., 10^-3 or 10^-4 bit error rate?
– Yet not flexible enough to cater for e.g., VBR video
Pre-rel.8 QoS descriptor
Octet      Bits 8 ... 1
octet 1    Quality of service IEI
octet 2    Length of quality of service IE
octet 3    0 0 spare | Delay class | Reliability class
octet 4    Peak throughput | 0 spare | Precedence class
octet 5    0 0 0 spare | Mean throughput
octet 6    Traffic Class | Delivery order | Delivery of erroneous SDU
octet 7    Maximum SDU size
octet 8    Maximum bit rate for uplink
octet 9    Maximum bit rate for downlink
octet 10   Residual BER | SDU error ratio
octet 11   Transfer delay | Traffic Handling priority
octet 12   Guaranteed bit rate for uplink
octet 13   Guaranteed bit rate for downlink
octet 14   0 0 0 spare | Signalling Indication | Source Statistics Descriptor
octet 15   Maximum bit rate for downlink (extended)
octet 16   Guaranteed bit rate for downlink (extended)
octet 17   Maximum bit rate for uplink (extended)
octet 18   Guaranteed bit rate for uplink (extended)
Delay (maximum values)
                    SDU size: 128 octets                  SDU size: 1024 octets
Delay Class         Mean Transfer    95 percentile        Mean Transfer    95 percentile
                    Delay (sec)      Delay (sec)          Delay (sec)      Delay (sec)
1. (Predictive)     < 0.5            < 1.5                < 2              < 7
2. (Predictive)     < 5              < 25                 < 15             < 75
3. (Predictive)     < 50             < 250                < 75             < 375
4. (Best Effort)    Unspecified
Maximum bit rate (octets 8-9)
• 0 0 0 0 0 0 0 1 to 0 0 1 1 1 1 1 1: The maximum bit rate is binary coded in 8 bits, using a granularity of 1 kbps, giving a range of values from 1 kbps to 63 kbps in 1 kbps increments.
• 0 1 0 0 0 0 0 0 to 0 1 1 1 1 1 1 1: The maximum bit rate is 64 kbps + ((the binary coded value in 8 bits – 01000000) * 8 kbps), giving a range of values from 64 kbps to 568 kbps in 8 kbps increments.
• 1 0 0 0 0 0 0 0 to 1 1 1 1 1 1 1 0: The maximum bit rate is 576 kbps + ((the binary coded value in 8 bits – 10000000) * 64 kbps), giving a range of values from 576 kbps to 8640 kbps in 64 kbps increments.
• 1 1 1 1 1 1 1 1: 0 kbps
If the sending entity wants to indicate a Maximum bit rate for uplink higher than 8640 kbps, it shall set octet 8 to ”11111110”, i.e. 8640 kbps, and shall encode the value for the Maximum bit rate in octet 17.
Source: 24.008 Core network protocols; Stage 3
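A decoder and encoder for the octet 8-9 coding above, as an added example that is not part of the original slides. It covers every octet value a parser can receive; the sample IE bytes, the IEI value 0x30, the round-down policy in the encoder and the handling of 00000000 (which the slide does not define) are assumptions of this example.

```python
"""Pre-rel.8 QoS descriptor: maximum bit rate coding of octets 8-9."""
from typing import Tuple


def decode_max_bitrate(octet: int) -> int:
    """Return the maximum bit rate in kbps for one coded octet."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("not an octet: %r" % (octet,))
    if octet == 0x00:
        # The slide's table starts at 00000001; refuse rather than guess.
        raise ValueError("00000000 is not defined by the table on the slide")
    if octet == 0xFF:
        return 0                                  # 11111111 means 0 kbps
    if octet <= 0x3F:
        return octet                              # 1..63 kbps, 1 kbps steps
    if octet <= 0x7F:
        return 64 + (octet - 0x40) * 8            # 64..568 kbps, 8 kbps steps
    return 576 + (octet - 0x80) * 64              # 576..8640 kbps, 64 kbps steps


def encode_max_bitrate(kbps: int) -> Tuple[int, bool]:
    """Return (octet, needs_extended_octet).

    Rates between two code points are rounded down so the coded value never
    exceeds what was requested (a choice made for this example).
    """
    if kbps < 0:
        raise ValueError("bit rate cannot be negative")
    if kbps == 0:
        return 0xFF, False
    if kbps > 8640:
        # Slide: set the octet to 11111110 and carry the real value in the
        # extended octet (octet 17 for uplink). Extended coding not shown.
        return 0xFE, True
    if kbps < 64:
        return kbps, False
    if kbps < 576:
        return 0x40 + (kbps - 64) // 8, False
    return 0x80 + (kbps - 576) // 64, False


def max_bitrates_from_ie(ie: bytes) -> Tuple[int, int]:
    """Extract (uplink_kbps, downlink_kbps) from a QoS IE.

    ie[0] is octet 1 (IEI), ie[1] is octet 2 (length of the remaining
    content), so octets 8 and 9 sit at indexes 7 and 8.
    """
    if len(ie) < 9:
        raise ValueError("IE too short to contain octets 8-9")
    if ie[1] != len(ie) - 2:
        raise ValueError("length octet does not match IE size")
    return decode_max_bitrate(ie[7]), decode_max_bitrate(ie[8])


# Constructed 18-octet IE: IEI 0x30 (placeholder), length 16,
# octet 8 = 01111111 (568 kbps uplink), octet 9 = 11111110 (8640 kbps downlink).
SAMPLE_IE = bytes([0x30, 16]) + bytes([0, 0, 0, 0, 0, 0x7F, 0xFE]) + bytes(9)

if __name__ == "__main__":
    print("uplink/downlink kbps:", max_bitrates_from_ie(SAMPLE_IE))
    for rate in (63, 64, 570, 8640, 10000):
        octet, extended = encode_max_bitrate(rate)
        print(rate, "kbps ->", format(octet, "08b"), "extended" if extended else "")
```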
#1: Simple parameters
• QCI: QoS Class Indicator
– Scalar value encompassing all packet treatment aspects
– 9 mandatory, operators can define new
• MBR: Max bitrate
• GBR: Guaranteed bitrate
– If nonzero, admission control is performed
• ARP: Allocation and Retention Priority
– priority (scalar): Governs priority at establishment and handover
– pre-emption capability (flag): can this bearer pre-empt another?
– pre-emption vulnerability (flag): can another bearer pre-empt this one?
• AMBR: Aggregated Maximum bitrate
– Both a per-terminal and per-APN value
QCI            Resource   Priority   Packet Delay      Packet Error Loss   Example Services
               Type                  Budget (NOTE 1)   Rate (NOTE 2)
1 (NOTE 3)     GBR        2          100 ms            10^-2               Conversational Voice
2 (NOTE 3)     GBR        4          150 ms            10^-3               Conversational Video (Live Streaming)
3 (NOTE 3)     GBR        3          50 ms             10^-3               Real Time Gaming
4 (NOTE 3)     GBR        5          300 ms            10^-6               Non-Conversational Video (Buffered Streaming)
5 (NOTE 3)     Non-GBR    1          100 ms            10^-6               IMS Signalling
6 (NOTE 4)     Non-GBR    6          300 ms            10^-6               Video (Buffered Streaming), TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
7 (NOTE 3)     Non-GBR    7          100 ms            10^-3               Voice, Video (Live Streaming), Interactive Gaming
8 (NOTE 5)     Non-GBR    8          300 ms            10^-6               Video (Buffered Streaming), TCP-based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.)
9 (NOTE 6)     Non-GBR    9          (as QCI 8)        (as QCI 8)          (as QCI 8)
Source: 23.401 GPRS Enhancements for E-UTRAN; 23.203 Policy and Charging Control Architecture
#2: Network initiated bearers
• Allow a network application to request QoS
– Terminal app can remain QoS un-aware
– Network can fully control QoS provided & payment charged
[Figure: 1. Session setup between the app on the UE (no QoS API) and the app in the network; 2. The network app requests QoS from LTE + EPC; 3. Bearer setup towards the UE]
• First specified in Release 7 for 3G
– Not all terminals support it
• Mandatory mode in LTE
Courtesy: Zoltán Turányi
Policy and Charging
• Policy and Charging Rules Function
– Decides on QoS and Charging
– Controls gating
– Service Policy Based on
• Request
• Subscription data
– Makes no resource decisions
• Rx (App to PCRF)
– Flow descriptor (5-tuple)
– Bandwidth
– Application (voice/video/etc.)
• Gx (PCRF to PDN GW)
– Flow descriptor (5-tuple)
– QoS descriptor
– Charging rules
– Gating (on/off)
[Figure: App, PCRF, PDN GW, SGW, MME, eNodeB, UE; interfaces Rx, Gx, SGi, S5, S11, S1-U, S1-MME]
Courtesy: Zoltán Turányi
Debate of 2007: On-path vs. off-path for QoS/policy in 23.402
23.401:
• GTP signalling on user plane path to set up “bearers”
• Packets are marked to belong to one of the bearers
[Figure labels: Serving GW, PDN GW, PCRF, Filters, GTP signalling, S1-GTP, S8-GTP, Gx]
23.402:
• No “bearer” with PMIP
• Filters on SGW to classify into bearers on S1
• Motivation:
– Alignment with other non-3GPP accesses
– Be different from GTP, experiment
[Figure labels: Serving GW, PDN GW, vPCRF, hPCRF, Filters, GTP signalling, S1-GTP, S8-PMIP, S9, Gx, Gxc]
What Is Next?
LTE Evolution
• LTE-A – meeting and exceeding IMT-Advanced requirements
– Carrier aggregation
– Enhanced multi-antenna support
– Relaying
– Enhancements for heterogeneous deployments
[Figure: release timeline Rel-8 to Rel-14 with LTE, LTE-A, LTE-B, LTE-C]
LTE Evolution
• LTE-B
– Work starting fall 2012
• Topics (speculative)
– Device-to-device communication
– Enhancements for machine-to-machine communication
– Green networking: reduce energy use
– And more…
[Figure: release timeline Rel-8 to Rel-14 with LTE, LTE-A, LTE-B, LTE-C]
A Clean-Slate Design: Software-Defined Cellular Networks
LTE Data Plane is too Centralized
• Data plane is too centralized
Scalability challenges at P-GW on charging and policy enforcement!
• UE: user equipment
• eNodeB: base station
• S-GW: serving gateway
• P-GW: packet data network gateway
[Figure: UE 1, UE 2; eNodeB 1–3; S-GW 1, S-GW 2 and P-GW in the Cellular Core Network; GTP Tunnels; Internet and Other IP Networks]
LTE Control Plane is too Distributed
• No clear separation of control plane and data plane
• Problem with inter-technology (e.g. 3G to LTE) handoff
• Problem of inefficient radio resource allocation
[Figure: Control Plane and Data Plane elements: User Equipment (UE), Base Station (eNodeB), Serving Gateway (S-GW), Packet Data Network Gateway (P-GW), Mobility Management Entity (MME), Policy Control and Charging Rules Function (PCRF), Home Subscriber Server (HSS)]
Advantages of SDN for Cellular Networks
• Advantage of logically centralized control plane
– Flexible support of middleboxes
– Better inter-cell interference management
– Scalable distributed enforcement of QoS and firewall policies in data plane
– Flexible support of virtual operators by partitioning flow space
• Advantage of common control protocol
– Seamless subscriber mobility across technologies
• Advantage of SDN switch
– Traffic counters enable easy monitoring for network control and billing
Flexible Middlebox Support
• SDN provides fine-grained packet classification and flexible routing
• Easy to control flow to middleboxes for content adaptation, echo cancellation, etc.
• Reduce traffic to middleboxes
[Figure: UE 1, UE 2; eNodeB 1–3; SDN Switch; Middlebox; Internet and Other IP Networks; path setup for UE by SDN controller]
Flexible Middlebox Support (Cont’d)
• SDN switch can support some middlebox functionality
• Easy to satisfy policy for traffic not leaving cellular network
• Reduce the need for extra devices
[Figure: UE 1, UE 2; eNodeB 1–3; SDN Switch; Internet and Other IP Networks; path setup for UE by SDN controller]
Monitoring for Network Control & Billing
• Packet handling rules in SDN switches can efficiently monitor traffic at different levels of granularity
– Enable real time control and billing
[Figure: flow-table entry = Rule | Action | Stats]
• Rule (match fields + mask): Switch Port, MAC src, MAC dst, Eth type, VLAN ID, IP Src, IP Dst, IP Prot, TCP sport, TCP dport
• Action:
1. Forward packet to port(s)
2. Encapsulate and forward to controller
3. Drop packet
4. Send to normal processing pipeline
• Stats: Packet + byte counters
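The rule, action and stats parts of a flow entry described above, as an added Python example (not code from the lecture or from any SDN switch): a drop rule acts as an access-control entry, and the byte counters on the forwarding rules give per-subscriber usage for billing. The owner tag, the action strings, the priorities and all addresses are constructed for illustration.

```python
import ipaddress

# Match fields listed on the slide; a field a rule omits is a wildcard.
FIELDS = {"in_port", "mac_src", "mac_dst", "eth_type", "vlan_id",
          "ip_src", "ip_dst", "ip_proto", "tcp_sport", "tcp_dport"}
IP_FIELDS = {"ip_src", "ip_dst"}  # matched by CIDR prefix (the mask)

class Rule:
    def __init__(self, priority, action, owner, **match):
        if set(match) - FIELDS:
            raise ValueError(f"unknown match fields: {sorted(set(match) - FIELDS)}")
        self.priority, self.action, self.owner = priority, action, owner
        self.match = {k: ipaddress.ip_network(v) if k in IP_FIELDS else v
                      for k, v in match.items()}
        self.packets = self.bytes = 0  # Stats: packet + byte counters

    def matches(self, pkt):
        def hit(field, want):
            have = pkt.get(field)
            if field in IP_FIELDS and have is not None:
                return ipaddress.ip_address(have) in want
            return have == want
        return all(hit(f, w) for f, w in self.match.items())

def process(rules, pkt):
    """Apply the highest-priority matching rule, update its counters, return its action."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.matches(pkt):
            rule.packets += 1
            rule.bytes += pkt["length"]
            return rule.action
    return "controller"  # table miss: encapsulate and forward to controller

def billable_bytes(rules):
    """Bytes per owner on forwarding rules only; dropped traffic is not billed."""
    totals = {}
    for rule in rules:
        if rule.action.startswith("forward"):
            totals[rule.owner] = totals.get(rule.owner, 0) + rule.bytes
    return totals

def demo():  # constructed rules and packets: UE 2 may not send SMTP
    rules = [Rule(300, "drop", "ue2", ip_src="10.0.0.2/32", ip_proto=6, tcp_dport=25),
             Rule(200, "forward:1", "ue1", ip_src="10.0.0.1/32"),
             Rule(200, "forward:1", "ue2", ip_src="10.0.0.2/32")]
    tcp = lambda src, dport, n: {"ip_src": src, "ip_proto": 6, "tcp_dport": dport, "length": n}
    pkts = [tcp("10.0.0.1", 443, 1500), tcp("10.0.0.2", 25, 400),
            tcp("10.0.0.2", 443, 1000), tcp("192.0.2.9", 443, 80)]
    return [process(rules, p) for p in pkts], billable_bytes(rules)
```

Because the drop rule sits above the per-subscriber forwarding rule, blocked traffic never reaches the counter that billing reads, and a packet from an unknown source falls through to the controller instead of being forwarded by default.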
Seamless Subscriber Mobility
• SDN provides a common control protocol that works across different cellular technologies
• Forwarding rules can be pushed to switches in parallel
[Figure: SDN Control Plane over an X-Gen Cellular Network and an X+1-Gen Cellular Network; UE 1, UE 2; eNodeB 1–3; SDN Switch; Internet and Other IP Networks; path setup for UE by SDN controller]
Distributed QoS and ACL Enforcement
• LTE’s PCEF is centralized at P-GW, which is inflexible
Access policy is checked in the SDN switches in a distributed manner
[Figure: UE 1, UE 2; eNodeB 1–3; SDN Switch; Internet and Other IP Networks; path setup for UE by SDN controller]
Virtual Operators
• Flexible network virtualization by slicing flow space
• Virtual operators may want to innovate in mobility, billing, charging, radio access
[Figure: Virtual Operator (VO) (Slice 1) to Virtual Operator (Slice N) on Slicing Layer: CellVisor; labels VO1, VO2; UE 1, UE 2; eNodeB 1–3; SDN Switch; Internet and Other IP Networks]
Inter-Cell Interference Management
• Central base station control: better interference management
• LTE distributed interference management is suboptimal
[Figure: Radio Resource Manager (global view and more computing power) on Network Operating System: CellOS; UE 1, UE 2; eNodeB 1–3; SDN Switch; Internet and Other IP Networks]
CellSDN Architecture
• CellSDN provides scalable, fine-grain real time control with extensions:
– Controller: fine-grain policies on subscriber attributes
– Switch software: local control agents to improve control plane scalability
– Switch hardware: fine-grain packet processing to support DPI
– Base stations: remote control and virtualization to enable flexible real time radio resource management
CellSDN Architecture (Cont’d)
[Figure: Radio Resource Manager, Mobility Manager, Subscriber Information Base, Policy and Charging Rule Function and Infrastructure Routing on Network Operating System: CellOS; Cell Agents on Radio Hardware and Packet Forwarding Hardware]
Figure annotations:
• Central control of radio resource allocation
• Translates policies on subscriber attributes to rules on packet header
• SCTP instead of TCP to avoid head of line blocking
• Offloading controller actions, e.g. change priority if counter exceeds threshold
• DPI for packet classification based on application
CellSDN Virtualization
[Figure: Network OS (Slice 1), Network OS (Slice 2), …, Network OS (Slice N) on Slicing Layer: CellVisor; Cell Agents on Radio Hardware and Packet Forwarding Hardware]
Slice semantic space, e.g. all roaming subscribers, all iPhone users
Conclusion and Future Work
• LTE promises hundreds of Mbps and 10s of msec latency
• There are key architecture problems that need to be solved
– Software-defined networking can help!