Fourth Generation Mobile Communications

S E I R s E S

S d N a i r O I y d T n A m a C e e I N R d m

U l a M t e n i e M r O L b

a C a e E L t t G E t - T

o n l S D r a N

a e A

J h S E C K R O T W T L E N

Jean-Gabriel Remy Charlotte Letamendia LTE Standards , , r s s s 0 y s s s s ) d d y e e P n d E i l u e e 1 s r g k ( n n a a n i P b h t l

o T n e r x r a

a i t H a i

a a L l o b n G e a t o P r

I l i

o n d n

a d 3

n t o t i b u e I f e é e d

e s l h e e r a a w f F

p t o t g s

z n d t a m

o w c B o p h o i i r e n

i y d d

e a i s e r C t w e o t k

r r n

i o n - t s t t n w n g r l n a

t f - k n o s a a 8 t g l

a t o

u r r a h a r a o i f e

a t e d

o t

m e g i s a

o p 8

o s t y E a c m m . i v m n

y n r l n b i

, n

e t s m i

e c o w T a n l o i i r n s o

k t e s r m c f n t r l L y i . g a a n 7 c r

( d t i e e e t U a a s o

i i p l

n f r r R o Z G , n n i P n a e c s c r e g N i

F i o r i e t p 5 m

e e c l h o e u w

i t S r l E d o b i c e m o e

e s

e d o r c t r e n

m T t t h d

b , s n e s n s e t a h T i i ) c L o c i u l t

n c h m

t a a

m t u c

a n e e w

C a t

s r C l

)

i o m s n r i

a g t o p v H e

d n t f l a y V c e e P t s a n n f s . a l I i r n i n

o m T a n h a k

t 0 a ) F F a e t h b c l r e r s p

n o i i l

1 i f s i

b t f i i P o c h a c s s 0 I c r n t h u

a g d n t o d i ) i

r 2

s w t p u a a F

n e o (

r d n y w f l

i i o o s o i o f

n r c

a t e n e i t r

s e o , t n s s r i p l s u i r p a n s s a n

b i t n s o h t h i e u

( i k h a a t c m u e l t

n o t d b r e n t C c u i

f i v i a c v , e l t d g t n o

n h i i o o

n i o I s u

r n

a d o r f A M e ( a m s , t w a u d

a d c n

r P v m s i i u A n

h a o b w a M a e , c

E s n i G o r

m r c b i r T g d i

s i o u e d t r E - p D 4 n a a n i r y y e d i m e n n e

F H T s o p t t r c m U m l s r

e k

e r

o L l . o m

r o a f s a f F O l , T u i u h b

t c e

m e

I p o p e t m

i t . e e , a i o c f e l T e o d R

T a

g t c a

u o

l d c e t n i t o c

h i b l

a e

r . t t c c e d a n e d e a e

i r . s g k l a r i h s g g r u T e L c n . t

r a

d F t

e n e , . n )

o d n o

l n

t , a t b p e e i f m s c – y r E g u

e o n o t t a n e

a s t i I l e n i

e h t t a n y i i T f L ,

i e b i l t h t a

n g . G o . l r ( ) o m i L r R d r i - l k e l c e a s

t - o

M P u e r w é

r s e h n r v

i n . h t n i i u t m 2 E E a c t n r a a l e c a t U a w a e n

a h h r G S é o e t T e e c o o h M I s T n w ( m J ( y a g C i m s ( t c a s L 4 I U f s m T W588-Remy.qxp_Layout 1 29/08/2014 11:19 Page 1 1 29/08/2014 W588-Remy.qxp_Layout

LTE Standards

Series Editor Pierre-Noël Favennec

LTE Standards

Jean-Gabriel Remy Charlotte Letamendia

First published 2014 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd John Wiley & Sons, Inc. 27-37 St George’s Road 111 River Street London SW19 4EU Hoboken, NJ 07030 UK USA www.iste.co.uk www.wiley.com

© ISTE Ltd 2014 The rights of Jean-Gabriel Remy and Charlotte Letamendia to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Control Number: 2014945533

British Library Cataloguing-in-Publication Data A CIP record for this book is available from the British Library ISBN 978-1-84821-588-7

Contents

LIST OF FIGURES ...... xi

LIST OF TABLES ...... xix

INTRODUCTION ...... xxi

CHAPTER 1. LTE STANDARDS AND ARCHITECTURE ...... 1 1.1. 3rd generation partnership project (3GPP) ...... 1 1.1.1. 3GPP history ...... 1 1.1.2. 3GPP, the current organization ...... 3 1.1.3. 3GPP releases ...... 8 1.2. LTE – numbering and addressing ...... 10 1.2.1. The network IDs ...... 11 1.2.2. The MME IDs ...... 11 1.2.3. The tracking area IDs ...... 11 1.2.4. The Cell IDs ...... 12 1.2.5. The mobile equipment ID ...... 12 1.3. LTE architecture overview ...... 13 1.3.1. Overall high level description of LTE ...... 14 1.3.2. LTE performance ...... 22 1.3.3. LTE – QoS architecture ...... 23 1.3.4. FDD, TDD, LTE advanced ...... 23 1.3.5. Frequencies for LTE ...... 24 1.3.6. Basic parameters of LTE ...... 25 1.4. Radio access subsystem: eUTRAN (also called eUTRA) ...... 26 vi LTE Standards

1.4.1. LTE visualization tool from Rohde and Schwartz ...... 28 1.4.2. eUTRAN characteristics ...... 28 1.4.3. eUTRAN interfaces ...... 30 1.4.4. Signaling on the radio path ...... 35 1.4.5. Physical layer ...... 46 1.4.6. RLC and MAC layer ...... 49 1.4.7. Dynamic radio resource management in LTE ...... 51 1.4.8. MIMO ...... 52 1.4.9. Macrocells, microcells and femtocells ...... 53 1.5. Core network ...... 54 1.5.1. LTE network elements ...... 57 1.5.2. LTE interfaces [TS 23.401] ...... 59 1.5.3. Functional split between the E-UTRAN and the EPC ...... 69 1.5.4. S1 interface-based handover ...... 70 1.6. LTE – roaming architecture ...... 83 1.6.1. LTE network mobility management ...... 87 1.7. SIM for communications privacy ...... 89 1.7.1. SIM ...... 89 1.7.2. USIM ...... 95 1.7.3. ISIM ...... 96 1.8. Glossary ...... 96 1.9. Appendix 1: Complete submission of 3GPP LTE release 10 and beyond (LTE-advanced) under step 3 of the IMT-advanced process ...... 98 1.9.1. Summary of the candidate submission ...... 98 1.9.2. Classification of the candidate submission ...... 100 1.9.3. Detailed checklist for the required elements for each candidate RIT within the composite SRIT and/or for the composite SRIT of the candidate submission (to fulfill section 3.1 of ITU-R Report M.2133) ...... 100 1.9.4. Additional supporting information ...... 102 1.9.5. Contact person ...... 102 1.10. Appendix 2: GPRS Tunneling Protocol (GTP) ...... 102 1.11. Appendix 3: The SGW implementation by CISCO ...... 107 1.12. Appendix 4: AT&T has LTE small cells “in the lab”: Source Dan Janes, Site Editor, Light Reading mobile [JON 13] ...... 110 Contents vii

CHAPTER 2. OFDMA ...... 113 2.1. What is OFDM/OFDMA? ...... 113 2.1.1. Claimed OFDMA advantages ...... 115 2.1.2. Recognized disadvantages of OFDMA ...... 116 2.1.3. Characteristics and principles of operation ...... 117 2.2. General principles ...... 118 2.2.1. Cyclic prefixes ...... 122 2.3. LTE channel: bandwidths and characteristics ...... 124 2.3.1. LTE OFDM cyclic prefix, CP ...... 125 2.3.2. LTE OFDMA in the downlink ...... 126 2.3.3. Downlink carriers and resource blocks ...... 127 2.3.4. LTE SC-FDMA in the uplink ...... 128 2.3.5. Transmitter and receiver structure of LP-OFDMA/SC-FDMA ...... 130 2.4. OFDM applied to LTE ...... 132 2.4.1. General facts ...... 132 2.4.2. LTE downlink ...... 133 2.4.3. Uplink ...... 136 2.5. OFDMA in the LTE radio subsystem: OFDMA and SCFDMA in LTE ...... 138 2.5.1. The downlink physical-layer processing of transport channels ...... 138 2.5.2. Downlink multi-antenna transmission ...... 139 2.5.3. Uplink basic transmission scheme ...... 140 2.5.4. Physical-layer processing ...... 141 2.6. Appendix 1: the constraints of mobile radio ...... 143 2.6.1. Doppler effect ...... 144 2.6.2. Rayleigh/Rice fading ...... 145 2.6.3. Area of service ...... 151 2.6.4. Shadow effect ...... 153 2.7. Appendix 2: Example of OFDM/OFDMA technological implementation Innovative DSP ...... 153 2.8. Appendix 3: LTE error correction on the radio path [WIK 14d] ...... 154 2.8.1. Hybrid ARQ with soft combining ...... 156 2.9. Appendix 4: The 700 MHz frequencies in the USA for LTE ...... 157 2.9.1. Upper and lower 700 MHz ...... 158 viii LTE Standards

CHAPTER 3. THE FULL IP CORE NETWORK ...... 159 3.1. Fixed mobile convergence...... 159 3.2. IP multimedia subsystem ...... 160 3.2.1. General description of IMS...... 160 3.2.2. Session Initiation Protocol ...... 162 3.2.3. IMS components and interfaces ...... 163 3.3. Evolved packet system in 3GPP standards ...... 182 3.3.1. Policy and charging rules function ...... 182 3.3.2. Release 8 system architecture evolution and evolved packet system ...... 184 3.4. Telephony processing ...... 192 3.4.1. Enhanced voice quality ...... 192 3.4.2. Circuit-switched fallback (CSFB) ...... 192 3.4.3. Simultaneous voice and LTE (SVLTE) ...... 192 3.4.4. Over-The-Top (OTT) applications ...... 193 3.5. The requirements of VoLTE and V.VoIP applications ...... 195 3.6. Voice and video over LTE are achieved using voice on IP channels (VoLTE) ...... 196 3.7. Cut down version of IMS ...... 201 3.8. Latency management ...... 202 3.9. Appendix 1: VoIP tests in UK ...... 205

CHAPTER 4. LTE SECURITY. SIM/USIM SUBSYSTEM ...... 207 4.1. LTE security ...... 207 4.1.1. Principles of LTE security ...... 209 4.1.2. LTE EPC security ...... 210 4.1.3. Interfaces protection ...... 214 4.1.4. Femtocells and relays ...... 215 4.1.5. Specifications ...... 215 4.2. SIM card ...... 216 4.2.1. SIM-lock ...... 218 4.2.2. Electronic component of the UICC ...... 219 4.2.3. Form factor ...... 219 4.2.4. SIM card physical interface ...... 221 4.2.5. UICC communication protocol ...... 221 4.2.6. Operating system (OS) and virtual machines ...... 223 4.2.7. (U)SIM authentication ...... 224 4.2.8. LTE USIM ...... 225 4.2.9. ISIM ...... 226 Contents ix

4.2.10. Over the Air Activation (OTA) ...... 228 4.2.11. Security services ...... 228 4.2.12. USIM directories ...... 228 4.2.13. The UICC/SIM/USIM/ISIM industry ...... 237 4.2.14. EAP-SIM and EAP ...... 237

APPENDIX ...... 239

BIBLIOGRAPHY ...... 253

INDEX...... 257

List of Figures

Introduction I.1. LTE and LTE Advanced logo ...... xix I.2. The LTE project: milestones. Short history of the birth of a worldwide standard ...... xxxiii I.3. 3GGP logo ...... xxxiii

Chapter 1 1.1. Organizational Partners’ deliverables ...... 7 1.2. LTE architecture ...... 13 1.3. UTRAN and E-UTRAN ...... 14 1.4. LTE general architecture ...... 15 1.5. Protocol stacks operating at S1 and S5/S8 interfaces ...... 15 1.6. UE-MSC ...... 15 1.7. EPC/SAE ...... 17 1.8. The complete set of network elements and standardized signaling interfaces of LTE ...... 17 1.9. LTE subsystems and connections ...... 19 xii LTE Standards

1.10. LTE interfaces ...... 19 1.11. 3GPP image for eUTRAN ...... 20 1.12. Tools from Rohde & Schwartz ...... 28 1.13. Description of eUTRAN with its interfaces ...... 31 1.14. E-UTRAN architecture with HeNodeB GW and HeNodeB ...... 31 1.15. X2 interface ...... 32 1.16. This shows the enhancements in release 10 and release 11 ...... 32 1.17. Functional split between E-UTRAN and EPC [3GPP TS 36.300] ...... 33 1.18. Radio frequency protocol ...... 36 1.19. User plane ...... 37 1.20. Protocol stack for the control plane between the UE and MME ...... 38 1.21. Structure ...... 40 1.22. Token ...... 41 1.23. Physical layer ...... 47 1.24. Signaling channel mapping ...... 48 1.25. Functions of the different layers ...... 50 1.26. The protocol chain from IP packets to transport blocks ...... 50 1.27. Optimization of the repartition of carriers ...... 51 1.28. Single-user MIMO ...... 52 1.29. MIMO signal processing ...... 52 1.30. Spatial multiplexing MIMO sector rate ...... 53 1.31. Heterogeneous network (4G Americas) ...... 53 1.32. Core network ...... 55

List of Figures xiii

1.33. Three subsystems ...... 55 1.34. LTE network elements ...... 57 1.35. LTE interfaces ...... 59 1.36. Protocol stack of S1-MME interface ...... 61 1.37. Protocol stack of S3 interface ...... 62 1.38. Protocol stack of S4 interface ...... 62 1.39. Protocol stack of interface S5 or S8 ...... 63 1.40. Protocol stack of S10 interface ...... 64 1.41. Protocol stack of S11 interface ...... 64 1.42. Protocol stack of S6a interface ...... 65 1.43. Protocol stack of S13 interface ...... 65 1.44. Protocol stack of SBc interface ...... 66 1.45. User plane ...... 67 1.46. Protocol stack of S1-U interface ...... 67 1.47. Protocol stacks of S4 interfaces used to connect UE from 2G network to PDN ...... 68 1.48. Protocol stacks of S4 interfaces used to connect UE from 3G network to PDN ...... 68 1.49. Protocol stack of S12 interface used to connect UE from 3G network to PDN ...... 69 1.50. E-UTRAN and the EPC ...... 70 1.51. UE is moving from old to new RAN coverage provided by eNodeB ...... 70 1.52. S1-based handover ...... 73 1.53. S1-based handover reject scenario ...... 82 1.54. Rooming architecture ...... 84 1.55. Non-roaming architecture by 3GPP ...... 85 xiv LTE Standards

1.56. Roaming architecture scenario with home routed traffic ...... 85 1.57. Roaming architecture for local breakout, with home operator’s application functions only ...... 86 1.58. Roaming architecture for local breakout, with home visitor’s application functions only ...... 86 1.59. Security architecture ...... 90 1.60. The process for authentication and ciphering ...... 92 1.61. Kc Key ...... 92 1.62. RAND and Ki ...... 93 1.63. Ki ...... 93 1.64. TMSI, Kc, RAND and SRES ...... 94 1.65. Schema of the structure of a SIM card ...... 94 1.66. SIM ...... 95 1.67. GTP present at the interface between eNodeB and S-GW...... 102 1.68. GTP between S-GW and P-GW ...... 103 1.69. GPRS tunneling protocol in LTE ...... 104 1.70. GPRS tunneling protocol Types ...... 104

Chapter 2 2.1. OFDM frequency and time domain ...... 114 2.2. OFDMA subcarriers ...... 118 2.3. OFDM frequency ...... 119 2.4. Channels ...... 120 2.5. OFDM techniques ...... 122 2.6. Cyclic prefix ...... 123 2.7. Transformation ...... 123

List of Figures xv

2.8. Effect of multipath propagation ...... 125 2.9. LTE OFDMA in the downlink ...... 126 2.10. 16 QAM modulation: 4 bits per symbol ...... 127 2.11. LTE RB allocation ...... 127 2.12. Uplink ...... 128 2.13. SC-FDMA spreads the data symbols all over the system bandwidth ...... 129 2.14. Localized mapping and distributed mapping ...... 131 2.15. SC-FDMA and OFDMA. DFT: discrete Fourier transform ...... 132 2.16. LTE OFDMA physical layer structure LTE physical layer uses multiple OFDMA subcarriers and symbols separated by guard intervals ...... 135 2.17. LTE resource blocks and resource elements (from the 3GPP standard) ...... 135 2.18. CDF PAPR comparison for OFDMA used in the LTE downlink, and SC-FDMA localized mode (LFDMA) used in the LTE uplink – 256 total subcarriers, 64 subcarrier per user, 0.5 roll-off factor, a) QPSK, b) 16 QAM ...... 136 2.19. Some LTE resource elements are reserved for control channel and reference signals only a subset are used for user data, thus lowering actual throughput ...... 137 2.20. Conventional OFDMA with cyclic prefix ...... 138 2.21. Downlink: OFDMA transmission scheme: downlink physical layer processing chain ...... 139 2.22. Transmitter scheme of SC-FDMA ...... 140 2.23. OFDMA and SC-FDMA ...... 140 2.24. Number of DL/UL component carriers ...... 143 xvi LTE Standards

Chapter 3 3.1. IMS ...... 160 3.2. IMS wide scope ...... 163 3.3. IMS functions ...... 164 3.4. Security aspects of early IMS and non-3GPP systems ...... 181 3.5. Full scope of EPS ...... 183 3.6. PCRF connections in LTE’s EPC ...... 183 3.7. Evolved packet core ...... 185 3.8. EPC components ...... 186 3.9. Cut down version of IMS Reduced IMS network for VoLTE ...... 201 3.10. Latency (50 ms) ...... 204

Chapter 4 4.1. LTE needs a layered security ...... 209 4.2. Layered security model ...... 210 4.3. LTE eUTRAN protocole stack ...... 211 4.4. Derivation of successive keys ...... 212 4.5. LTE keys hierarchy as in 3GPP TS 36.300 ...... 212 4.6. EPS security ...... 213 4.7. IPsec ...... 214 4.8. (U)SIM cards as released by the operator ...... 216 4.9. Structure of the UICC electronic chip ...... 217 4.10. UICC form factors ...... 220 4.11. UICC contacts ...... 221 4.12. NFC applications of the UICC ...... 222 4.13. Example of UICC architecture ...... 223 List of Figures xvii

4.14. The complex structure of UICC applications in a modern device ...... 224 4.15. The complex links of (U)SIM with the LTE world as seen by Telenor ...... 226 4.16. UICC structure with ISIM ...... 227 4.17. Example of ISIM application: digital right management, as seen by Telenor ...... 227 4.18. Example of OTA use for non-telecommunication applications ...... 229

List of Tables

Introduction I.1. Mobile broadband explosion ...... xxxi

Chapter 1 1.1. 3GPP organizational partners ...... 3 1.2. Organization ...... 6 1.3. Releases ...... 9 1.4. Area and description ...... 10 1.5. The network ID ...... 11 1.6. The MME IDs ...... 11 1.7. The GUMMEI ...... 11 1.8. TAI ...... 12 1.9. M-TMSI ...... 12 1.10. GUTI ...... 12 1.11. Classes of mobiles ...... 21 1.12. E-UTRA band ...... 24 1.13. Basic parameters of LTA ...... 26 1.14. Control plane ...... 37 1.15. Logical channel name ...... 42 xx LTE Standards

1.16. Transport channel name ...... 43 1.17. Physical data channel name ...... 43 1.18. Control information field name ...... 44 1.19. Physical control channel name ...... 44 1.20. Images and memory recommendations for Cisco LTE SGW Release 1.x ...... 109

Chapter 2 2.1. Number of resource block by channel bandwidth ...... 128 2.2. LTE cyclic prefix lengths in number of symbols, subcarriers and time ...... 134 2.3. Comparison of LTE with Wi-Fi and WiMAX ...... 142

Chapter 3 3.1. The chart describes the interfaces involved in IMS and figure 3.4 shows their place in the overall processing system ...... 180 3.2. Priority ...... 203 3.3. Latency ...... 203 3.4. Measurement ...... 205

Chapter 4 4.1. SIM/USI Applicable standard ...... 220

Introduction

Long Term Evolution (LTE) is commonly marketed as fourth generation (4G). LTE and LTE Advanced have been recognized by International Telecommunications Union – Radiocommunications (ITU-R) and International Telecommunications Union – Telecommunications (ITU-T) as the principal solution for the future mobile communication networks standards. Thus, they are the framework of what marketing calls 4G and maybe also fifth generation (5G). They have registered logos:

Figure I.1. LTE and LTE Advanced logo

It seems interesting to look at the evolution of mobile communication systems from their appearance upto LTE. This move has obviously been driven by commercial motivations as well as by the extraordinary improvement of microelectronics, especially from xxii LTE Standards the 1960s to the present day. Functionalities, computing power and miniaturization have drastically progressed, while cost has constantly decreased.

I.1. Mobile communication systems: 0G, 1G, 2G, 3G, 4G and 5G

In this short introduction, many mobile communication systems will be omitted: – military communications and public utilities communications; – maritime and aviation communications; – trunk systems and more generally all kinds of professional dedicated radio systems.

It does not mean that LTE will not have specific adaptations in order to fit the special requirements of such systems, especially for its radio interface, avoiding expensive developments being invested for a limited population of users.

Only public land mobile network (PLMN) will be considered: the so-called “4G” belongs to this category as long as LTE is used for public communication.

Also, the impressive list of various systems, which did not reach a high level of success, especially outside their country of origin, has been avoided.

The classification of mobile systems into generations is not strictly related to any given metrics or parameters. It corresponds to marketing considerations. Therefore, it is commonly agreed upon, both by industry and by academia, and hence conceived to be an unwritten standard.

I.1.1. Rationale

Mobile communications have always been a wish for most of the people. Of course, at the beginning, the mobile networks have been invested for precise applications, such as military communications or professional management. The introduction of PLMN came later. But Introduction xxiii the requirements for mobile services are most common for public systems and more specific networks.

For a network addressing all citizens, the investment is very high, especially in research and development – millions of coded instructions have to be written and validated. Also, the precise areas where the service will be necessary have to be determined. Therefore, it is necessary to analyze what the customers are ready to pay for to avoid vain efforts and investments. Excluding applications that are just using the mobile network as a support, mobile services can be classified into three categories: – Mobile telephony: the mobile subscriber wants to discuss in real- time with distant interlocutors, who are connected with either a fixed telephone or a mobile set. Telephony offers the possibility to get immediate up-to-date information as well as the means to discuss any difficult item. Up until now it has been the most “money making” application. – Paging: by some means of collection of the information, the network offers the capacity to alert the mobile subscriber that something of interest is happening. The paging can be limited to a very simple binary signal – some tone or light – and the customer has to call an information center to get the message. It can also be accompanied by a short message, either written or vocal, giving the main details of the message. This paging is very popular and is now offered by the short message service (SMS) of Global System for Mobile communications (GSM) and further technologies. The SMS service is a “teleservice”, which means that the operator must carry it to destination. The multimedia messaging service (MMS) delivers much richer information, but it is not as reliable, because the delivery of messages is not guaranteed by the network operator; it is supported by a “bearer service”, the quality of service (QoS) is limited to the operator’s commitment. – The Internet, fax or any written dialog: in the latter case, the mobile network offers the possibility to carry the office environment of its customer anywhere. Like MMS, the Internet and Internet-like services are generally bearer services, which are sold with a certain grade of QoS. xxiv LTE Standards

For these services, the mobile network can provide two kinds of access: – nomadic access: the service is available anywhere inside the coverage of the network, but the customer must be static or is allowed to move very little; – full mobile access: the service is available when the customer is moving, eventually at any speed, again within the limits of the geographical coverage service.

The paradigm of mobile communications is simple to summarize: – be able to be connected to and receive information from any calling party; – be able to be connected to any called party; – full bidirectional access and real-time exchange of information; – be accessed anywhere, outdoor, indoor, in urban and rural environment; – full bidirectional access at anytime.

Going into detail shows a lot of issues: – size of the mobile device: devices such as smartphones or tablets such have limited space to support the broadband module; these days, the terminal can also be some communication part of a machine for machine to machine (M2M) communications; – nature and content of information to be transmitted, i.e. full telephony, television or data transmission, bilateral or unilateral.

I.1.2. Short history of mobile communications, milestones

I.1.2.1. 0G The systems that allow customers to communicate on the move depend on electronics and microelectronics technology. Therefore,

Introduction xxv before the mass production of semiconductors, only experimental services have been deployed. The first network appeared in the United States in 1940, with mobiles using electronic tubes for car mounted terminals. Connection to the called party was made by human operators, in a way similar to that ensured for maritime communications.

Between 1960 and 1980, quite a few mobile communication systems were designed and deployed for either telephony or paging. Most of the advanced countries installed a home-made network. These systems offered automatic dialing with a good communication quality, obtained with a frequency/phase modulation radio access network. The radio path consisted of narrow frequency channels – 30 kHz in Northern America and 25 kHz everywhere else in the world. With the advent of transistors, a few handheld mobiles were available, especially for paging.

Of course, the service was only operated by incumbent fixed telecommunication operators, which found a new service for wealthy customers.

These systems will be called 0G.

I.1.2.2. 1G During the 70s, some important innovations have brought a kind of revolution in the mobile communication world: – computer driven frequency tuning (frequency synthesis) allowing us to reach with precision a given radio frequency channel among many with only one quartz oscillator. This technology opened the way to high-capacity systems in so-called analog technology – where each individual communication is allocated one (time division multiplex (TDM) or simplex) or two (frequency division duplex (FDD) or duplex) precise narrow band frequency channels – managing hundreds of radio frequencies instead of a few tens in the previous systems. With such a number of channels, the radio communication system becomes able to cope with a large number of customers. Also, xxvi LTE Standards frequency synthetization opened a way for massive production of handheld terminals: – standardization and generalization of Signaling System No. 7 (SS7) designed for telephony, mainly the international version of ISDN; – availability of microcomputers and computing chips offering greater speed and power for real-time processing, thus allowing us to implement sophisticated encoding, error correction and new transmission standards.

All these innovations were applied to new designs including some important breakthroughs: – localization of the mobile terminal, which could be done manually, and automatically realized, in order to have the ability to route incoming calls; – detection of the need for changing the communication in progress from one radio base station (one “cell”) to another due to degradation of the radio link quality, and execution of the “handover” (US: hand off) to the other base station/cell, which is selected to provide a good quality communication.

With all these new developments, the cost of R&D skyrocketed and only a few systems could be studied and deployed with a worldwide impact. Among them two standards will dominate the market: – First, the advanced mobile phone system (AMPS), designed by the Bell Labs with a prototype rollout installed in Chicago in 1978, serving more than one thousand customers. AMPS has been the first system to offer real-time seamless handover. This network probably shows the best possible design for a system where each individual communication carried by an individual duplex frequency modulation (FM) (or phase modulation (PM)) channel, each channel being given a narrow frequency bandwidth. The main features were standardized by the American National Standard Institute (ANSI). This AMPS system has the particularity of being able to modify channel spacing and FM excursion very simply, which allowed us to adapt it to various Introduction xxvii frequency configurations (channel spacing of 30 kHz in the USA and 25 kHz in Europe and Japan). This is achieved simply by modifying the clock frequency driving the network. In North America, it was the genuine AMPS (initially, A stood for American). In Europe and Japan, it was a modified version with a 25 kHz channel spacing, called Total Access Communication System (TACS), Europe TACS (ETACS) and Japan TACS (JTACS)). Due to some specific US political process aiming at introducing competition, AMPS and TACS massive deployment was delayed to 1985. – However, the Scandinavian countries joined their strengths and developed the Nordic Mobile Telephone (NMT) system. This standard is by far simpler than the AMPS/TACS in all aspects of the technology. The spread of NMT is somehow due to the above- mentioned American political process, which delayed the mass deployment of AMPS. NMT became available around 1982 and was immediately rolled out in all Scandinavian countries.

Nevertheless, due to its transnational origin, NMT introduced a very interesting feature: automatic international roaming.

Another cellular system of the first generation was designed and deployed in Germany (C-Netz) and France (Radiocom, 2000) and counted a few hundred thousand subscribers. There was also a Japanese home-made “cellular” system.

These systems and their unlucky competitors are considered to be 1G.

I.1.2.3. 2G In the 1980s, with the spectacular increase of the computing power of integrated circuits, technology continued to progress with many breakthroughs: – Development of vocoders. In concordance with the design of very powerful processors. Instead of needing a bitrate of 64 kbps to correctly digitalize narrow band voice telephony as calculated from the ordinary Shannon sampling, a telephony 4 kHz analog signal can be coded with a very good quality with 12 kbps, and even 6 kbps xxviii LTE Standards

(GSM). For professional systems, vocoders provide a clear voice communication with a few hundred kilobits per second.

– Vocoders are the key to switch from analog FM (or PM) radio to full digital transmission for telephony. The compression of the voice signal is a question of processing power. Today, a very high quality sound can be coded with less than 10 kbps; and correct voice communications are now available for professional and military communications with a bitrate of less than 1 kbps. – Development of identity chips. The 1G German C-Netz had introduced a device to dissociate the subscription from the mobile terminal hardware. Such chips make it possible to encrypt communications and protect customers’ privacy. AMPS or NMT were identifying the mobile terminal by a number which was included inside it and was very easy to copy or modify; so, customers were often suffering from pirated use of their identity. Concerning the privacy of communications, 1G networks did not provide protection against eavesdropping.

In the meantime, continental European countries have been conscious of their technological backwardness compared with AMPS. In 1982 the “GSM” was created (at the beginning it was a “special mobile group” led by German FTZ and French Centre national d’études des télécommunications (CNET)), which was commissioned to study a revolutionary mobile system based on a fully digital radio access subsystem, since it was considered difficult to surpass AMPS as an analog system. This new system, also called GSM, passed through a lot of studies until 1991. Code division multiple access (CDMA), which was in the 1980s a spread spectrum technique in use for military purposes, was experienced in 1985. At that time, CDMA showed need for too much computing power, far over the performance of the available chips, thus a simpler process, time division multiple access (TDMA), was chosen.

In 1987, all countries of the European Union signed a Memorandum of Understanding (MoU), which was accepted

Introduction xxix afterward by all GSM operators, always labeled as MoU. In this MoU, these countries decided: – to roll out a GSM coverage from 1991 onward using the common frequency bands which had been decided in 1979 for a common mobile system; – to authorize without restriction automatic international roaming for GSM mobiles, all expenses being paid by the home country of the subscription.

GSM takes up the C-Netz innovation of selling the mobile terminal and the operator subscription separately, the latter being materialized by a SIM card, which is inserted into the mobile set. The chip of the SIM card controls all the telecommunication functions of the mobile and masters the encryption of the radio path for the calls.

GSM introduces a kind of paging with the “SMS”, which became a very important part of the communications.

As a response to the introduction of GSM, the AMPS industry designed the D-AMPS (IS-136 standard), where AMPS channels are used in TDMA mode in order to increase the overall network capacity.

Beside the TDMA systems, the American society Qualcomm introduced its proprietary design based on a CDMA encoding, later called CDMA 2000, which was standardized as IS-95 by ANSI. This standard was adopted by South Korea, which had to solve a lot of difficulties.

And again, Japanese NTT developed and rolled out a TDMA system, called PDC. They also rolled out a simpler system called PHS, which is probably the first implementation of a multiple input multiple output (MIMO) antenna system.

All these systems can be considered to be the 2G mobile standards.

I.1.2.4. 3G, the need for fast data transmission Of course, as time passed, the technology of chips continued to improve drastically. During the 1990s it finally delivered processors xxx LTE Standards having a sufficient computing power to cope with the Qualcomm CDMA mobile system.

In the 1990s, while GSM was being implemented all over the world including Northen America, the operators of fixed communications introduced the Internet services. At the beginning the available bitrate was limited to 50 kbps. Later it was increased to 10 Mbps downlink particularly with an Asymmetric Digital Subscriber Line (ADSL), provided the customer’s home is located a few hundred meters from the central office. The industry of mobile communications decided to adopt the internet service in their strategy, even when the response from the subscribers’ base surveys showed very little interest in telephony and SMS. GSM developed a “wart”, called General Packet Radio Service (GPRS), supporting data transmission upto 50 kbps. In response, CDMA 2000 introduced data transmission upto 144 kbps. As an answer, GSM standardized Enhanced Data Rates for GSM Evolution (EDGE), providing upto 240 kbps, which was rolled out massively by ATT Wireless in the USA, where it was facing the competition of Verizon Wireless, the CDMA 2000 champion.

The way Qualcomm system manages data transmission makes it easy to reach good performances since the data flow and the telephony are transmitted by different networks, at least in the Evolution Data Optimized (EVDO) version. This conception answers the difficult challenge of mobility: – telephony is a real-time communication, but accepts very short cuts, e.g. 300 ms; this is managed by a smooth handover process; – data transmission in Transmission Control Protocol-Internet Protocol (TCP-IP) shows very poor performance if the flow is cut, as is the case when the mobile travels from one cell to another. In that case, a reselection is necessary and the usable bitrate is very poor

Considering that in a town like Paris the mobile terminals process an average of four handovers for a 2 min call, the network

Introduction xxxi operator has to make a critical choice concerning the parameters of its network: – either the parameter set favors telephony with a change of cell achieved as soon as possible to give the customer a very good telephony quality; – or the parameters are stiffened and the mobile will drag its radio channel as far as possible in order to avoid reselection. It results in damaging the frequency planning, as well as creating poor quality telephone calls.

Of course, most of the GSM operators chose to favor telephone calls.

To examine what could be the future of mobile communications after the worldwide success of GSM, the European Union launched a consultation on the possible technologies which could be developed. Scandinavia pushed a variant of Qualcomm CDMA technology called wide band CDMA (WCDMA) very hard, which won the competition. This WCDMA technology immediately faced the issue of patents, since CEO of Qualcomm, who was a highly respected former professor of signal theory at MIT, had patented all possible implementation of CDMA. It also faced plenty of issues with the management of power, with the mobile needing too much energy, far more than GSM.

Nevertheless, the industry worked very hard and some 10 years later, beginning of the 2000s, the WCDMA, renamed High Speed Packet Access (HSPA) and HSPA+, could service data users correctly.

In the meantime, ATT had pushed in the 3rd Generation Partnership Project (3GPP) standard body, a variant of GSM, called EDGE, which had been rolled out by all GSM operators. The advantage of EDGE for the network operator is to keep the base stations of GSM for coverage and reuse the same backhaul infrastructure instead of deploying a new network. EDGE, described above, is a modification of GPRS (changing the modulation on the radio path) and provides 200 kbps and more. xxxii LTE Standards

EVDO, WCDMA and EDGE could be considered as the 3G mobile systems.

I.1.2.5. 4G As seen above, the work on Universal Mobile Telecommunications Service (UMTS) finally produced a competitive system, called HSPA, then HSPA+, that reached upto 7.2 Mbps, and even 14.4 Mbps per cell.

In the 3GPP studies, besides promoting EDGE, ATT called for a completely new system, strictly dedicated to mobile data transmission. Their concept at the beginning was to design something completely new with no backward compatibility with previous systems. The new system would be completely based on IP and would adopt a simple architecture. This project was called “LTE” and was the answer to ITU request of a future mobile system (called FPLMNTS in the 1990s, denomination replaced by IMT2000, then IMT Advanced).

The LTE standard was finalized only in 2008 with the release 8 of 3GPP.

When definitively designed in a viable release, LTE was immediately adopted by Qualcomm CDMA followers, especially Verizon, which will abandon CDMA 2000 progressively. So, de facto, LTE became the only standard of mobile communications for the future. The system is now widely deployed, mainly in Northern America with over 100 million subscribers there, and represents a very strong industry.

Having been badly fleeced with intellectual property rights (IPR) in the UMTS case by Qualcomm, and less seriously by Motorola for GSM, 3GPP’s “individual members” exert a certain control on the ETSI IPR database. In 2012, 50 companies had declared holding essential patents covering some parts of the LTE standards. Nevertheless, these declarations are left to the goodwill of the companies, even if at each TSG meeting participants are invited to declare their patents with a certain solemnity. Introduction xxxiii

The 4G mobile system follows the LTE standard.

I.1.2.6. 5G What about the “5G” on which many publications have already been edited? LTE radio access subsystem is based on different avatars of Orthogonal frequency-division multiplexing (OFDM), technology described in 1982 by the CCETT laboratory of Rennes (France). OFDM is now recognized as the best technique for transmitting high bitrate flows of data on wideband radio channels. It has been adopted for the last versions of Wi-Fi (IEEE 802.11n and further), by WiMAX (IEEE 802.16, beyond “e”), Communications over Power Lines (CPL, in UK power line communications (PLC),) and television broadcasters with the DVB-S2 and DVB-T2.

5G is probably what is considered as IMT-Advanced with the following requirements:

Table I.1. Mobile broadband explosion

(Source: mobile broadband explosion: the 3GPP wireless evolution, Rysavy Research/4G Americas, August 2012) Assuming that the “5G” will be allocated a large amount of spectrum (e.g. more than 20 MHz, or upto 100 MHz if such a quantity of spectrum can be found), the radio transmission scheme could be improved or upgraded as has been the case for the change from Digital xxxiv LTE Standards

Video Broadcasting Terrestre (DVB-T) to DVB-T2 and from Digital Video Broadcasting Satellite (DVB-S) to DVB-S2. From the measured performance of DVB-T2 an overall bitrate of 100 Mbps available for the individual subscriber could be expected with a reasonable spectrum allowance.

1 Gbps would probably need a big part of spectrum, which could not be foreseen some 10–20 years ago, except if the system adopts frequencies above 3 GHz and restricts mobility.

The difficulty to make a valuable forecast comes from 2 sides: – most smartphones and also mobiles can also communicate through Wi-Fi, and this communication cost nothing to the subscriber nor to the operator. This will probably impact the business plan of a possible 5G; – the development cost of such systems reaches very high levels, only very few industrial companies can finance the necessary R&D. To date, only two or three companies are competing for delivering the LTE infrastructure.

LTE Advanced has been accepted as IMT-Advanced relevant solution in November 2010. LTE_advanced must be both backward and forward compatible with existing LTE. Devices must operate on both kinds of networks.

A few operators and manufacturers claim that their research and development laboratories have already tested IMT-Advanced solutions with: – wider bandwidth support for up to 100 MHz via aggregation of 20 MHz blocks (carrier aggregation); – uplink MIMO (two or four transmit antennas in the device); – higher order downlink MIMO of up to 8 by 8 as described in release 10; – coordinated multipoint transmission (CoMP) with two proposed approaches: coordinated scheduling and/or beamforming, and joint processing/transmission (in release 11); Introduction xxxv

– heterogeneous network (Het-net) support including enhanced inter-cell interference coordination (eICIC); – relay.

Figure I.2 shows the evolution flow:

Technology

Increasingly powerful services for consumers

Music, File sharing, video, etc. social Video High QoS, real networks conferencing, time services, Simple streaming video high end VOD, communication Download Download MOD, etc. & Upload Real time Latency Sensitive Seamless fixed mobile convergence Mobile services

Figure I.2. The LTE project: milestones. Short history of the birth of a worldwide standard

What is now called LTE had been proposed in 1998 as a successor to GSM, but was not chosen and 3G has been based on WCDMA mainly. LTE has been developed by 3GPP.

Figure I.3. 3GGP logo

After a long and difficult process in the 3GPP, ATT engineers succeeded to introduce LTE as a work item (3GPP, http://www.3gpp.org/specifications). Their concept was to describe a xxxvi LTE Standards

“green field” system, which would have replaced all existing techniques and would provide, at last, a worldwide accepted technology. The emergence of LTE has been delayed by European actors, both mobile operators and industrial manufacturers, which had spent a huge amount of money for WCDMA, the 3G system called UMTS. Operators had to pay enormous fees for UMTS licenses; industrial companies had to pay high patent dues to Qualcomm for the use of a patented technology, even if UMTS is quite different from the Qualcomm’s CDMA2000.

The Europeans insisted that LTE would be (and now is) quite compatible with GSM and its successors (WCDMA or TD-SCDMA, even when this second development seems strictly applicable to China).

LTE is by many sides a revolutionary technology.

Parallel to the 3GPP work, ITU-T set a work item for the future mobile communication system, first called FPLMNTS then renamed IMT to finish with IMT2000, followed by IMT Advanced.

LTE release 8 is the first standard describing a working technology. Issued in 2008, this release 8 showed a system, which had no telephony service and was fully dedicated to Internet communications, and therefore had to fall back to GSM or WCDMA for telephony if not leaving the task to OTT applications. LTE was and is a pure Internet-based system deliberately designed for packet data communications. Packet communications are no longer a kind of wart added to a telephony system, like GPRS or EDGE for GSM, but the principal objective of a full “Internet multimedia system”.

LTE had to wait for release 11 (at the end of 2012) to be able to provide a telephony service. Nevertheless, it has been recognized as the practical incarnation of IMT Advanced in 2010. This recognition has been eased by the renunciation of Qualcomm’s 3GPP2, the experts of which could not follow the breakthroughs obtained by the hundreds (maybe thousands) of engineers working on LTE. Moreover, the champion of CDMA2000, the American operator Verizon Wireless, was among the first in the world to roll out LTE. Introduction xxxvii

Some features will only be available in release 12 (at end of 2014) and probably later. It is expected that the “change requests” on LTE standards will continue to flourish until 2020.

But now, the only competing standard is WIMAX, the IEEE 802.16 standard, which has evolved recently to somehow adopt the same technological choices as LTE on the radio path, especially OFDMA. Also, Wi-Fi, 802.11, in its last avatar has also switched to OFDMA. Wi-Fi is more in a position to compete since it has not at all the same business model, offering mainly free communications carried by unlicensed frequencies. The advantage of LTE on all competitors is that it is the only system which has a fully described and standardized core network, based on IMS.

LTE has been the substrate of the frequency battle in ITU-R world radio conference 2007 with the American pushing for allocating the 700 MHz band to mobile communications (i.e. LTE) and the European deciding to offer to LTE high frequencies such as 2.6 GHz, 3.8 GHz and even higher. These frequencies may only be suitable for “Wi-Fi like” communications because at these high frequencies tens of thousands of base stations are needed with little chance to cover each more than one stretch of a street. They are obviously inadequate for the coverage of wide spaces, like a full country. Of course, on the opposite, the 700 MHz is excellent for the coverage of wide areas, e.g. the Middle West area. In urban areas, frequencies under 1 GHz are also much more efficient, as they better penetrate the buildings or the underground.

The consequence of these choices is that LTE/4G is, in 2014, mainly rolled out in the United States and Canada using 700 MHz and 1800 MHz base stations. The market of many tens of millions of subscribers is a strong incentive to provide cheap and excellent smartphones following the American choices. The customers’ base in Northern America is already far over 100 million subscribers and increasing sharply.

Not surprisingly, at the 2012 world radio conference (WRC 2012), African and Middle East countries pushed a motion requiring that, in Region 1, the 700 MHz band be allocated to mobile services, i.e. LTE, xxxviii LTE Standards like in the USA. European delegations were not aware of this initiative and had to follow the movement.

In Europe, at last the 800 MHz band has been freed for LTE, and the take off of LTE may be expected for the next five years. With around 20 million subscribers, LTE is far behind GSM and UMTS, considering the relative penetration rate. It will probably wait for 2015 when the next WRC 2015 will definitively allow the 700 MHz worldwide to LTE/4G. Already now, LTE is offered in the main European countries, such as the United Kingdom, Germany, France, Italy, Spain Belgium and Switzerland.

In Europe, frequencies for LTE in the 800 MHz band are not optimal: while LTE allows us to engineer LTE with bandwidths from 1.4 MHz to 20 MHz, the allocations are limited to 5 MHz or 10 MHz. Of course, two allocations of 10 MHz, not adjacent, will carry less than one of 20 MHz and the ongoing proposals for the 700 MHz band do not seem to provide large bandwidths.

Let us recall that “LTE Advanced” is supposed to receive 2 × 100 MHz in order to reach 1 Gbps downlink.

I.2. High speed broadband mobile services: what the customers are waiting for

I.2.1. Customers’ expectancies

Demands for wireless data services are showing rapid growth due to evolved networks for high-speed connectivity, wide-scale deployment, flat-rate pricing plans and Internet-friendly devices (smartphones). Consumers rely heavily, and often exclusively, on mobile devices for their communications needs. Therefore, the normal trend is to require, from the mobile system, the same performances as the one offered by fixed networks with ADSL. Very high bit-rate DSL (VDSL), fiber optics or coaxial cable. This comparison raises the level of the bitrate upto 10 Mbps in the first step, and increases upto 30 Mbps. Officially, the target stands at 100 Mbps, the requirement assigned by ITU-T IMT Advanced, but as observed on the fixed networks, very few customers can make a proper use of such a bitrate. Introduction xxxix

Applications are developed to follow the technical improvement of the systems. They offer a whole range of services, which subsequently increases the request for more bandwidth and more capacity. Basically, they are composed of: – Internet applications, as for the fixed networks, including mail, downloads and interactive services; this covers laptops, PDAs and fixed broadband services: the most intuitive set of services that can be provided are related to all the fixed wired Digital Subscriber Line (DSL) Internet services that we have today, except that they should be provided wireless and should support mobility; – multimedia uploads and exchange services. The high uplink data rates of LTE allow for multimedia upload and exchange services such as file sharing, mobile blogging, social networking etc; – Internet applications specially designed for the mobile user, in particular location based services. The high data rates combined with mobility of LTE spurs a growth in development of newer and better consumer electronic goods leveraging these advantages. Better gaming consoles, vehicular entertainment systems, portable multimedia players, digital cameras with network capabilities and the likes will be introduced, which will add value to the technology; – television, especially download of movies; and real-time television needing some 4 Mbps or 5 Mbps with H264 or H265 encoding. In this category are premium video on demand/music on demand (VOD/MOD) services. LTE provides effective high data rates and differentiated QoS services. Operators can provide premium multimedia-based services such as VOD and MOD to subscribers who wish to avail such services. The critical point for these services will be superior quality coupled with ease of mobility; – and of course, telephony, with the possibility of wide band telephony (7 kHz instead of 4 kHz). It will support business applications for vertical markets. LTE allows operators to provide services to vertical business markets through business applications such as video conferencing to enterprise customers, video surveillance, services to homes. The list of services that can be provided through, is only restricted by our imagination. Limitless xl LTE Standards applications can be supported through a truly mobile broadband infrastructure.

Whichever are the services, wireless operators must also provide a high-quality cellular coverage anywhere customers want to communicate. This requirement is not related to broadband mobile services, it is the principal need for any mobile subscriber and for any service to be provided.

Due to the high costs of backhaul, alternative means to improve cellular coverage in locations, which are difficult to reach, as well as to off-load traffic from the wireless networks. A way to fit to the subscribers’ wishes is to install femtocells, taking advantage of the home Internet high-speed link. It is a way to better support residential and small/home office applications. Vodafone UK was the first operator to launch a commercial femtocell service in Europe (July 2009). AT&T (2H 2009) and Verizon (early 2010) also launched commercial femtocell offerings.

From a competitive perspective, femtocells can help mobile operators seize residential minutes from fixed providers, increase market share and respond to emerging Voice over Internet Protocol (VoIP) and Wi-Fi offerings. This of course implies a sharing agreement to be negotiated with the Internet service provider.

From a QoS perspective, femtocells will improve the user experience in the home. This is essential for reducing churn and providing new revenues. Just recall that with the advent of smartphones, mobile communications are heavily using the Internet and high bitrates.

A rapid increase of mobile data usage and the emergence of new applications such as Multimedia Online Gaming (MMOG), mobile TV, web 2.0, streaming contents have motivated the 3GPP to work on the LTE on the way toward 4G mobile. Introduction xli

I.2.2. Advantages of LTE for fulfilling these expectancies

The main goal of LTE is to provide a high data rate, low latency and packet optimized radio access technology supporting flexible bandwidth deployments. At the same time its network architecture has been designed with the goal to support packet-switched traffic with seamless mobility and great QoS.

LTE provides: – High throughput: high data rates can be achieved in both downlink as well as uplink. This causes high throughput. – Low latency: time required to connect to the network is in the range of a few hundred milliseconds and power saving states can now be entered and exited very quickly. – FDD and TDD in the same platform: FDD and Time Division Duplex (TDD), both schemes can be used on same platform. – Superior end-user experience: optimized signaling for connection establishment and other air interface and mobility management procedures have further improved the user experience. Reduced latency (to 10 ms) for better user experience. – Seamless Connection: LTE will also support seamless connection to existing networks such as GSM, CDMA and WCDMA. – Plug and play: the user does not have to manually install drivers for the device. Instead the system automatically recognizes the device, loads new drivers for the hardware if needed and begins to work with the newly connected device. – Simple architecture: because of simple architecture low operating expenditure (OPEX).

I.2.3. How the advent of smartphones impacts customers’ expectations

In recent years, the revolutionary event has been the introduction of the iPhone on the mobile market. Earlier, the mobile industry was under the constraints of operators, due to the common practice of xlii LTE Standards operators buying millions of mobiles and including their delivery to the subscriber within the monthly subscription bill, especially in Europe. By these means, they have been able to banish many of the services, which the customer was very keen to obtain. Such applications were relatively easy to include in high-end mobiles, technically speaking.

With the iPhone, Steve Jobs introduced a different paradigm. This paradigm has been the same as the one underlying the phenomenal success of “Minitel” in France. Developers are free to post applications into a common store – such as the “Applestore”, managed by Apple. Apple collects the fees from the customers and pays back a certain percentage to the author. In that value chain, the operator is limited to provision of the telecommunication duct and receives little money for the use of its network.

Of course, operators adapted themselves to the new framework. They are now selling iPhones the same way as the other mobile terminals.

Following the path opened by Apple, Google introduced Android, mainly based on Linux software, opened to any manufacturer without fee. As a result, Android is now the dominant standard for smartphones. Microsoftand Blackberry show little success in their smartphones at present. The Android world offers nearly the same applications as the Apple world.

Among thousands of applications, it seems that location services and location based services are the key services. For this purpose, the smartphones include a GPS receiver and the necessary processor of the satellite signals, combined with precise maps of different areas of interest.

However, smartphones include a Wi-Fi access, which is generally put as a priority choice. When Wi-Fi is present, the smartphone will automatically try to connect via the Wi-Fi, instead of the mobile network.

Other successful applications are all kinds of games. 1

LTE Standards and Architecture

1.1. 3rd generation partnership project (3GPP)

1.1.1. 3GPP history

3rd generation partnership project (3GPP) is a “de facto standard body”. It is not the only organization of this kind; let us quote OMA for the mobile services, 3rd generation partnership project 2 (3GPP2) for the Qualcomm CDMA IS95 system, and IEEE with its very successful 802 series. More selective for the choice of its members is “liberty alliance”. And there are plenty of others, with a more or less long lifetime.

ITU-T has been the only worldwide body for telecommunication standards since 1866. International Telecommunication Union (ITU) has the possibility to consider the proposals rising from regional standardization bodies, which are backed by their state, like ANSI for the United States. ETSI was established by the European Union in order to fulfill this kind of task.

“De facto standard bodies” are popping up and proliferating due to the will of industry and of the operators, without any recognition from the legal authorities. Nevertheless, the work they are realizing makes technology progress.

The development of the Global System for Mobile communication (GSM) standard in the 1980s has been obtained essentially through a 2 LTE Standards common work of state owned laboratories, in the framework of post and telecommunication administrations, such as CNET in France and FTZ in Germany.

When the continuation of the drafting of various change requests was transferred to European Telecommunication Standard Institute (ETSI), it was returning somehow to the normal process.

To elaborate the post-GSM standards, there was no suitable body because the aim of the promoters of Universal Mobile Telecommunications System (UMTS) was to associate non-European actors of the mobile business, in fact Chinese, North American, Japanese and South Korean representatives. The aim was to associate all the world’s actors in the mobile business. Therefore, the European manufacturers and mobile operators had to find a trick. They used a possibility offered by the ETSI rules a way it was not expected: the creation of a kind of temporary ad hoc group dedicated to a precise project, which was called 3GPP1. With the consensus of operators and manufacturers, the 3GPP was created in 1998. Of course, this 3GPP had no precise mandate at the beginning. At its first meeting, the delegates had to define the tasks and elaborate the rules. The short document settling the scope and objectives of 3GPP for its today’s activity has been signed in 2007. As a first legacy work, the 3GPP inherited the ETSI task of standardizing the evolution of GSM, now denominated global system for mobile communications. Among this evolution, the big inclusions have been general packet radio service (GPRS), then enhanced data rates for GSM evolution (EDGE). 3GPP had to provide contributions to the ITU work on the so called IMT 2000 project, and further to IMT advanced.

1 The 3GPP website contains all 3GPP specifications. They can be downloaded for free at http://www.3gpp.org/specifications. Descriptions of all 3GPP releases can be found at http://www.3gpp.org/ftp/Information. LTE Standards and Architecture 3

Organization Country

European Telecommunications Standards Institute ETSI Europe Telecommunication Technology Committee TTC Japan Association of Radio Industries and Businesses ARIB Japan Alliance for Telecommunications Industry ATIS USA Solutions China Communications Standards Association CCSA China Telecommunications Technology Association TTA Korea

Table 1.1. 3GPP organizational partners

1.1.2. 3GPP, the current organization

The 3GPP is presented as a collaboration working group between different standard bodies specialized in telecommunication. These organizations are called the organizational partners.

These six 3GPP organizational partners meet regularly and ensure the completion of the following tasks: – approval and maintenance of the 3GPP scope; – maintenance of the partnership project description; – decision to create or cease technical specification groups; – approval of the scope and terms of reference of the technical specification groups; – approval of organizational partner funding requirements; – allocation of human and financial resources provided by the organizational partners to the project coordination group; – act as a body of appeal on procedural matters referred to them; – maintenance of the partnership project agreement; – approval of applications for 3GPP partnership; – decision on a possible dissolution of 3GPP. 4 LTE Standards

In fact, the standardization work has been done by experts coming from prominent mobile operators and from industry leaders. There has been no contribution from universities or academic research centers.

The big contributions came from the mobile operators. Among them, the most active have been: – the Vodafone Group, having bought expensive third Generation (3G) licenses in Germany and in the United Kingdom, needed to control the Wideband Code Division Multiple Access (WCDMA) development; – China Telecom, the biggest mobile operator in the world; – ATT Wireless, which adopted GSM as an answer to Verizon Wireless commitment in CDMA 2000. Verizon was leading the 3GPP2, the standardization group copied on 3GPP dealing with CDMA 2000; – NTT DoCoMo, the main Japanese incumbent operator, facing the competition of KDDI and its CDMA 2000 network; – France Telecom (now Orange); – Deutsche Telekom; – And also Telecom Italia, Telefonica, British Telecom, SFR, Telenor, and most of the European mobile operators.

For the industry counterpart, contributions mainly came from: – Ericsson; – Nokia; – Hua Wei; – ZTE; – LG; – Samsung; – Motorola; – NEC; LTE Standards and Architecture 5

– Alcatel; – Lucent; – Nortel.

The standards, at least at the beginning, are based on the GSM core specifications and the already available software, which had been successfully developed already, making GSM fully operational in 1998. It would have been crazy not to take advantage of the already optimized subsystems, such as the MAP. The mobile application part (MAP) is an SS7 protocol that provides an application layer for the various nodes in GSM and UMTS mobile core networks and GPRS core networks to communicate with each other in order to provide services to mobile phone users. The MAP is the application-layer protocol used to access the home location register (HLR), visitor location register, mobile switching center (MSC), equipment identity register, authentication centre, short message service center and serving GPRS support node (SGSN).

From an agreement of all the organizational partners, ETSI hosts the “mobile competence center” (MCC) in Sophia Antipolis. This MCC has the task of keeping the whole standard documentation updated. MCC support team is also ensuring the logistics of the various 3GPP meetings, which take place in the different countries where they are invited. The MCC experts serve for a limited duration. They come from different countries, but the core team is composed of British citizens.

The 3GPP organizational partners invite different market representation partners to provide advices on the market tendencies or requirements for the mobile communication business, mainly services, features and functionalities. These market representation partners have to sign the partnership project agreement, by which they commit themselves to all or part of 3GPP scope. They have no capability, nor authority to define, publish or set standards within the 3GPP scope, nationally or regionally. To date, these market representation partners include:

6 LTE Standards

Organization Purpose Website IMS Forum IMS dvpt imsforum TD-Forum TDSCDMA system tdscdma GSM industry GSA gsacom representatives GSM Association GSM operators gsmworld IPV6 Forum IPV6 ipv6forum UMTS Forum WCDMA umts 4G Americas 4G for America 4gamericas TD SCDMA Industry TDSCDMA system dscdma Alliance Info Communication Union icu Small Cell Forum (formerly Femtocells smallcellforum Femto Forum) CDMA Development Group cdg Cellular Operators Operators in India coai Association of India (COAI) Next Generation Mobile ngmn Networks (NGMN) TETRA and Critical TETRA evolution Communications Association tcca (TCCA)

Table 1.2. Organization

The highest decision making body in 3GPP is the Project Coordination Group. Is manages the overall timeframe and work progress.

The work of 3GPP is orchestrated around four meetings a year (spring, summer, autumn and winter) of four technical specification groups (TSG). Three of them meet at the same time and in the same location: – radio access network (RAN); – core network and terminals (CT); – service and system aspects(SA). LTE Standards and Architecture 7

Figure 1.1. Organizational Partners’ deliverables

The fourth takes care of GSM, GPRS and EDGE and is called GERAN. It manages independently its agenda and planning.

During the three months between TSG plenary meetings, study groups (up to five per TSG) hold different meetings somewhere in the world in order to study in detail precise items. There are three WG for GERAN, five WG for RAN, four for CT and five for SA.

SA summarizes the whole work. It specifies the service requirements and the overall architecture of 3GPP systems. It is responsible for the coordination of the whole project.

3GPP standardization work is contribution driven. “Individual members”, such as companies bring their contribution, officially under the umbrella of one particular organization partner. For each of the TSG meetings, the number of participants exceeds one hundred experts. For SA meetings, it reaches 200 or more. This important contribution shows the interest of most of the telecommunication actors in obtaining as soon as possible specifications of efficient mobile systems. These

8 LTE Standards experts provide “change requests” to the standards, either to propose a modification or to mend errors. At each TSG meeting, hundreds of CR are presented and discussed.

3GPP follows the three stage methodology that has been defined by ITU-T recommendation I.130: – stage 1: specifications define the service requirements from the user point of view; – stage 2: specifications define an architecture that supports the service requirements; – stage 3: specifications define an implementation of the architecture by specifying protocols in detail.

3GPP also include test specifications, which describe how to verify the compliance of the industrial realization.

Specifications are then put into releases that present each a set of features and specifications, which is internally consistent.

Each release is frozen at a precise freezing date. Once it is frozen, only essential corrections are allowed.

Each release is composed of hundreds of individual standard documents. Each document may have supported many revisions. Current 3GPP standards include the latest version of GSM, UMTS and Long-Term Evolution (LTE) standards.

1.1.3. 3GPP releases

Each year, in December, the meetings of TSG SA with an active contribution of MCC set the situation of the standards. When possible, the corpus is considered sufficiently coherent to be called a release.

Releases of 3GPP follow more or less a yearly time frame.

LTE Standards and Architecture 9

Release Date Features Release 98 1Q1999 GSM features with AMR, EDGE and GPRS for PCS 1900 Release 99 1Q2000 First UMTS 3G network specification with WCDMA air interface Release 4 1Q2001 UMTS with added features, including all-IP core network Release 5 1Q2002 UMTS with IMS and HSDPA Release 6 1Q2004 Integrated operation with wireless LAN networks; HSUPA; MBMS; enhancements to IMS; push to talk over cellular (PoC); GAN Release 7 1Q2007 Decreased latency; improvements to QoS and real- time applications (such as VoIP); focus on HSPA+ (High Speed Packet Access evolution); SIM high- speed protocol and contactless front end interface (near-field communication, enabling operators to deliver contactless services like mobile payments); EDGE evolution Release 8 4Q2008 First LTE release; All-IP network; new OFDMA based radio interface; FDE; MIMO; no backwards compatibility with previous CDMA interfaces; dual cell HSPA Release 9 4Q2009 SAES enhancements; WIMAX and LTE/UMTS interoperability; dual cell HSPDA with MIMO; dual cell HSUPA Release 10 1Q2011 LTE advanced fulfilling IMT advanced 4G requirements backwards compatible with release 8 LTE; multi cell HSDPA with 4 carriers Release 11 3Q2012 Advanced IP interconnection of services; service layer interconnection between national operators/carriers as well as third party application providers; heterogeneous networks (HetNet) improvements; coordinated multipoint operation (CoMP; in-device coexistence Release 12 3Q2014 Group calls (GCSE); proximity services (ProSe) Release 13 1Q2016 Push to talk (MCPTToLTE; IOPS) Release 14 TBD TBD

Table 1.3. Releases 10 LTE Standards

Step by step, 3GPP worked on the introduction of an “all IP protocol” to provide “wireless internet”.

3GPP standards can be obtained freely on 3GPP’s website. 3GPP specifications are transposed into deliverables by the Organizational Partners, e.g. ETSI for Europe, which edit the corresponding “EN” European standards.

As far as the links with ITU-T and ITU-R are concerned, 3GPP corresponds directly with ITU. In annex is a copy of the submission of 3GPP LTE release 10 and beyond under step 3 of the IMT-advanced process.

1.2. LTE – numbering and addressing

An LTE network area is divided into three different types of geographical areas.

Area and description The MME pool area Within this is area the mobile can move without a change of serving 1 MME. Every MME pool area is controlled by one or more MMEs on the network The S-GW service area 2 Area served by one or more serving gateways (S-GW). No change of serving gateway inside the S-GW area. The tracking area (TA) Similar to the location and routing areas of UMTS and GSM. They give 3 the location of mobiles for incoming calls (mobiles in standby mode). They are not overlapping

Table 1.4. Area and description

The Mobility Management Entity (MME) pool areas and the S-GW service areas both include many tracking areas. A LTE PLMN topology comprises many MME pool areas, many S-GW service areas and many tracking areas. LTE Standards and Architecture 11

1.2.1. The network IDs

The network itself will be identified using public land mobile network identity (PLMN-ID) that will have a three digit mobile country code (MCC) and a two or three digit mobile network code (MNC). For example, the MCC for the UK is 234, while Vodafone’s UK network uses a MNC of 15.

Table 1.5. The network ID

1.2.2. The MME IDs

Each MME has three main identities. An MME code (MMEC) uniquely identifies the MME within all the pool areas. A group of MMEs is assigned an MME group identity (MMEGI), which works along with MMEC to make MME identifier (MMEI). A MMEI uniquely identifies the MME within a particular network.

Table 1.6. The MME IDs

If we compile PLMN-ID with the MMEI then we arrive at a globally unique MME identifier (GUMMEI), which identifies an MME anywhere in the world.

Table 1.7. The GUMMEI

1.2.3. The tracking area IDs

Each tracking area has two main identities. The tracking area code (TAC) identifies a tracking area within a particular network and if we combining this with the PLMN-ID then we arrive at a Globally Unique Tracking Area Identity (TAI). 12 LTE Standards

Table 1.8. TAI

1.2.4. The Cell IDs

Each cell in the network has three types of identity. The E-UTRAN cell identity (ECI) identifies a cell within a particular network, while the E-UTRAN cell global identifier (ECGI) identifies a cell anywhere in the world.

The physical cell identity, which is a number from 0 to 503 and it distinguishes a cell from its immediate neighbors.

1.2.5. The mobile equipment ID

The international mobile equipment identity (IMEI) is a unique identity for the mobile equipment and the international mobile subscriber identity (IMSI) is a unique identity for the UICC and the USIM. It is provided by the manufacturer. The PLMN records it in the EIR data base.

The M temporary mobile subscriber identity (M-TMSI) identifies a mobile to its serving MME. Adding the MME code in M-TMSI results in an S temporary mobile subscriber identity (S-TMSI), which identifies the mobile within an MME pool area.

Table 1.9. M-TMSI

Finally, adding the MME group identity and the PLMN identity with S-TMSI results in the globally unique temporary identity (GUTI).

Table 1.10. GUTI LTE Standards and Architecture 13

1.3. LTE architecture overview

The LTE specification provides downlink peak rates of 300 Mbit/s, uplink peak rates of 75 Mbit/s and Quality-of-Service (QoS) provisions permitting a transfer latency of less than 5 ms in the RAN. LTE has the ability to manage fast-moving mobiles and supports multicast and broadcast streams. LTE access network supports scalable carrier baandwidths, from 1.4 MHz to 20 MHz and also supports both frequency division duplexing (FDD) and time division duplexing (TDD). LTE’s Internet Protocol (IP)-based network architecture supports seamless handovers for both voice and data. The simpler architecture results in lower operating costs (for example, each E-UTRA cell will support up to four times the data and voice capacity supported by High Speed Packet Access (HSPA)).

LTE has been designed to be a successor of GSM and UMTS, taking into account the enormous improvement of digital components. The following schema from 3GPP describes the evolution from GSM to LTE via UMTS.

Figure 1.2. LTE architecture

Due to the progress of digital processors, especially integrated circuits, DSP, FPGA and other, LTE is able to manage its network with a flat packet only RAN architecture. 14 LTE Standards

LTE follows the 3GPP architecture with: – a core network (CN), called evolved packet core network (EPC); – a radio access network (RAN), called eUTRA; – mobile terminals user equipment (UE), which include a universal subscriber identity module (USIM), an application running on a support called UICC. USIM and UICC replace the subscriber identity module (SIM) of GSM.

1.3.1. Overall high level description of LTE

Long-Term Evolution (LTE) is a complex technology. LTE relies on a novel radio access and its non-radio aspects are based on a new paradigm, called system architecture evolution (SAE), which includes the evolved packet core (EPC) network. LTE is an evolution of the GSM/UMTS standards. The goal of LTE was to increase the capacity and speed of wireless data networks using new digital signal processing (DSP) techniques and modulations that were developed around the turn of the millennium. A further goal was the redesign and simplification of the network architecture to an IP-based system with significantly reduced transfer latency compared to the 3G architecture. The whole LTE system is also called evolved packet system (EPS).

Figure 1.3. UTRAN and E-UTRAN LTE Standards and Architecture 15

Figure 1.4. LTE general architecture

Figure 1.5. Protocol stacks operating at S1 and S5/S8 interfaces

For voice calls, the mobile networks that have both LTE and GSM/UMTS elements, the interfaces are as follows:

Figure 1.6. UE-MSC

Overall control of the UE within the LTE architecture is handled by the core network. The core network (known as EPC in the SAE architecture of LTE) is also responsible for establishing the bearers. 16 LTE Standards

1.3.1.1. LTE network elements Since the EPS2 only provides a bearer path associated with a certain QoS, control of multimedia applications such as VoIP is provided by the IP multimedia subsystem (IMS), which is considered to be outside the EPS itself.

The EPC is composed of routers. It is completely compliant with Internet standards. This is called “full IP”. The main components of the EPC are: – PDN gateway (P-GW); – Serving gateway (S-GW); – Mobility Management Entity (MME).

Other essential functions and nodes within the EPC include: – Home Subscriber Server (HSS), which is the successor of the home location register (HLR) of GSM, registers all the parameters of the subscriber, its rights, its services and of course its identity. It is mirroring the content of the telecommunication part of the USIM. – Policy and charging rules function (PCRF) is a software node, which operates in real time. It accesses subscribers’ database, charging system and other related devices. It aggregates information provided by the network and other sources. It also provides information to the network, like the applicable quality of service for a certain subscriber. It is connected with the billing system.

The different LTE network elements are dedicated to control or transmission functions and linked together and with the outside world accordingly.

2 3GPP TS 23.002 (http://www.3gpp.org/ftp/Specs/html-...) gives an overview the architecture of the 3GPP system. In particular, it describes all the network elements used in the EPC and also in legacy core networks. 3GPP TS 23.401 (http://www.3gpp.org/ftp/Specs/html-...) defines the architecture of the EPC for E-UTRAN access. 3GPP TS 23.402 (http://www.3gpp.org/ftp/Specs/html-...) defines the architecture enhancements for non-3GPP accesses. LTE Standards and Architecture 17

Figure 1.7. EPC/SAE

EPS relies heavily on bearers. The EPS uses these bearers to route IP traffic from a gateway in the packet data network (PDN) to the UE. A bearer is an IP packet flow with a defined QoS between the gateway and the UE. These bearers allow Internet access. They also run services such as voice over IP (VoIP), and are associated with a QoS level.

Multiple bearers can be established for a user in order to provide different QoS streams or connectivity to different PDNs. For example, a user might be engaged in a VoIP call while at the same time performing web browsing or FTP download.

Figure 1.8. The complete set of network elements and standardized signaling interfaces of LTE 18 LTE Standards

All the above interfaces, of the S series are detailed in 3GPP standards. Their monitoring can be very useful to troubleshoot disfunctioning of the signaling.

1.3.1.2. LTE connection with outside communication networks Coming into a more detailed study of LTE’s key network element, four different cases are to be considered.

The normal connection of LTE with other telecommunication networks is ensured by a high-speed internet link to some fixed IP network.

To ensure fallback compatibility with GSM, UMTS and CDMA2000, direct links and signaling protocols have been designed.

The architecture becomes therefore a little more complicated, when entering into details. The 3GPP standard includes the connection of LTE networks with former mobile systems, WCDMA (and GSM) as well as CDMA2000.

1.3.1.3. LTE access network The access network of LTE, known as eUTRAN, consists of a flat network of eNodeBs. For normal, user traffic, there is no centralized controller in eUTRAN; therefore the eUTRAN architecture is considered flat. The eNodeBs are interconnected with each other by an interface known as “X2” and to the EPC by the S1 interface — more specifically, to the MME by the S1-MME interface, and to the S-GW by the S1-U interface.

The eUTRAN is described in detail further in this chapter. OFDMA is the main topic of Chapter 3.

For all those connections, 3GPP has described standardized interfaces.

1.3.1.4. LTE mobile terminals Of course, a great variety of mobile terminals are made available. Their telecommunication functions are strictly standardized by 3GPP. LTE Standards and Architecture 19

It is expected that most of them will be smartphones, taking advantage of the excellent Internet link accessible on the move. In that case, the smartphones include GPS receiver and Wi-Fi connection capabilities.

Figure 1.9. LTE subsystems and connections

Figure 1.10. LTE interfaces 20 LTE Standards

Figure 1.11. 3GPP image for eUTRAN

In the 3GPP vocabulary, the mobile terminal is called UE. The UE is any device used directly by an end-user to communicate, such as a hand-held telephone, a laptop computer equipped with a mobile broadband adapter (dongle or “key”), or any other device (e.g. M2M connecting appliance).

For LTE, the UE connects to the base station eNodeB as specified in the 3GPP 36-series of specifications (ETSI standards 136-series).

The radio interface between the UE and the eNodeB is called LTE-Uu.

The UE handles the following tasks toward the core network: – Mobility management (MM); – Call control (CC); – Session management (SM); – Identity management (IM). LTE Standards and Architecture 21

The corresponding protocols are transmitted transparently via an eNode B, that is, eNode B does not change, use or understand the information. These protocols are also referred to as non-access stratum protocols.

For price reasons, LTE standard offers the possibility to use five different classes of mobiles:

Class 1 2 3 4 5 Peak bitrate Downlink 10 50 100 150 300 (Mbps) Uplink 5 25 50 50 75 Functional characteristics Radio bandwidth 1, 4 to 20 MHz Modulation Downlink QPSK, 16 QAM, 64 QAM QPSK, 16 QAM Uplink QPSK, 16QAM 64 QAM Antennas MIMO 2 × 2 No Yes MIMO 4 × 4 No Yes

Table 1.11. Classes of mobiles

All LTE terminals must be able to operate on the standardized bandwidths: – 1.4 MHz (six resource blocks or RB); – 3 MHz (15 resource blocks or RB); – 5 MHz (25 resource blocks or RB); – 10 MHz (50 resource blocks or RB); – 15 MHZ (75 resource blocks or RB); – 20 MHz (100 resource blocks or RB).

At the beginning of 2008, all LTE mobiles get the telephony service via circuit switched fall back (CSFB): they take the telephony on a 3G network when available (and if they have the functionality, not useful for internet keys). 22 LTE Standards

Voice on LTE (VOLTE) is offered with release 12.

1.3.1.5. USIM Introduced inside the UE, LTE has standardized the USIM, which ensures privacy and provides the keys to connect to the network.

1.3.2. LTE performance

The main aim of LTE has been to reduce considerably the latency for the Internet access as well as providing an increased throughput.

The claimed performances of LTE are as follows: – peak downlink bit rate up to 326.4 Mbps (300 Mbps usable bit rate) with MIMO 4 × 4; – peak uplink bit rate up to 86.4 Mbps (75 Mbps usable bit rate); – round trip time of 10 ms, providing a good latency performance; (to be compared with some 70 ms or 200 ms of the other mobile systems); – LTE can manage more than 200 active mobiles in each cell; – support of fast travelling mobiles (e.g. high-speed trains) up to 350 km/h. If necessary, LTE can support mobiles travelling at 500 km/h, with a suitable choice of the frequency band in service in the concerned eNodeBs; – LTE can be deployed in 27 FDD frequency bands and 11 TDD frequency bands, ranging from 600 MHz to 3.8 GHz.

Of course, these performances suppose the availability of 2 × 20 MHz frequency sub-bands for the LTE eNodeB. Multi-antenna technology multiple input multiple output (MIMO) has to be implemented both in the mobile terminal and in the eNodeB.

NOTE.– the above-mentioned bit rates have to be shared between all the subscribers who are active under the coverage of the cell. Imagine 200 customers, at full activity, they obtain 15 MHz downlink and 375 kbps uplink. Better than ADSL but less than FTTH. These top LTE Standards and Architecture 23 performance values need the implementation of MIMO 4 × 4 both at the eNodeB and mobile. The available bitrates also decrease when the mobile is moving and in poor reception conditions (cell limit). Also, both the network and the UE have to be able to support these maximum bitrates.

1.3.3. LTE – QoS architecture

LTE architecture supports hard QoS, with end-to-end QoS and guaranteed bit rate (GBR) for radio bearers. Just as Ethernet and the Internet have different types of QoS, for example, various levels of QoS can be applied to LTE traffic for different applications. Because, the LTE MAC is fully scheduled, QoS is a natural fit.

EPS bearers provide one-to-one correspondence with RLC radio bearers and provide support for traffic flow templates (TFT). There are four types of EPS bearers: – GBR bearer: resources permanently allocated by admission control; – Non-GBR bearer: no admission control; – Dedicated bearer: associated with specific TFT (GBR or non- GBR); – Default bearer: non-GBR, catch-all for unassigned traffic.

1.3.4. FDD, TDD, LTE advanced

LTE Advanced is a modified standard from the existing LTE, which has been rolled out by tens of operators. LTE Advanced has the capacity to work on a very wide frequency band, i.e. 100 MHz with a target of more than 1 Gbps per cell.

Currently, the standard proposes two variants: – Frequency division duplex (FDD), with one frequency band for the uplink and another for the downlink. The two duplex bands must 24 LTE Standards be separated by more than 30 MHz. It has been deployed in Northern America and in Europe. – Time division duplex (TDD), where uplink and downlink are multiplexed in time. It has the advantage of giving a wide channel for downloads. To implement it, the operator must synchronize very precisely all the network elements. This variant seems to be preferred by China

1.3.5. Frequencies for LTE

LTE has been designed by 3GPP to operate in 40 E-UTRA operating bands. Notwithstanding the fact that all LTE rolled out networks have chosen a FDD eUTRA, eight possible frequency bands are listed for TDD.

Table 1.12 presents E-UTRA operating bands taken from LTE specification 36.101(v860) Table 5.5.1.

Table 1.12. E-UTRA band LTE Standards and Architecture 25

1.3.5.1. Frequency allocation for LTE/IMT in ITU world radio conferences (WRCs) The allocation of frequencies for the new LTE system has been and is still the subject of international battles.

The first battle took place in Geneva for the WRC 2007. US delegates announced that they would allocate the frequency band from 698 MHz to 806 MHz to mobile communications as primary use. The European did not accept to free more than 790–862 MHz from terrestrial television. As compensation, they offered to roll out LTE over 3 GHz, creating problems for satellite communications (C-band).

At the WRC 2012, African and Middle East countries, which are part of Region 1 like Europe, announced that they would allocate the 700 MHz band to mobile communications like in the US. Asia – Pacific (Region 3) followed the proposal. European countries were surprised, but they obtained only the postponement the application of the decision to the WRC 2015.

In between, the US FCC issued its plan for the planification of the 700 MHz band. This plan is incompatible with the 790–862 MHz plan as designed by European countries. Right now, the North American operators count over 100 million LTE subscribers, more than half of the world’s total number. Therefore, the US frequency plan is the basis of mass production of mobiles, which are thus far cheaper than those following the 800 MHz plan for Europe.

1.3.6. Basic parameters of LTE

Parameters Description UMTS FDD bands and TDD bands Frequency range defined in 36.101(v860) Table 1.12, given below Duplexing FDD, TDD, half-duplex FDD Channel coding Turbo code 350 km/h Mobility 26 LTE Standards

1.4 3 5 Channel bandwidth (MHz) 10 15 20 6 15 Transmission bandwidth 25 configuration NRB: (1 resource 50 block = 180 kHz in 1 ms TTI) 75 100 UL: QPSK, 16 QAM, 64 QAM (optional) Modulation schemes DL: QPSK, 16 QAM, 64 QAM UL: SC-FDMA (single-carrier frequency division multiple access) supports 50 Mbps + (20 MHz spectrum) Multiple access schemes DL: OFDM (orthogonal frequency division multiple access) supports 100 Mbps + (20 MHz spectrum) UL: multi-user collaborative MIMO Multi-antenna technology DL: T × AA, spatial multiplexing, CDD, max 4 × 4 array UL: 75 Mbps (20 MHz bandwidth) DL: 150 Mbps (UE Category 4, 2 × 2 Peak data rate in LTE MIMO, 20 MHz bandwidth) DL: 300 Mbps (UE category 5, 4 × 4 MIMO, 20 MHz bandwidth) MIMO UL: 1 × 2, 1 × 4 (multiple input multiple output) DL: 2 × 2, 4 × 2, 4 × 4 5–100 km with slight degradation after Coverage 30 km E2E QOS allowing prioritization of QoS different classes of service Latency End-user latency < 10 ms

Table 1.13. Basic parameters of LTA

1.4. Radio access subsystem: eUTRAN (also called eUTRA)

The RAN has included the management of the radio subsystem into the base stations, which are called eNodeB. Exit the RNC of UMTS or the BSC of GSM. LTE Standards and Architecture 27

The E-UTRAN architecture consists of eNBs that provide the air interface user plane and control plane protocol terminations toward the UE. On one side, the user plane protocols consist of packet data control plane (PDCP), radio link control (RLC), medium access control (MAC) and Physical Layer (PHY) protocols. On the other side, the control plane protocol refers to the Radio Resource Control (RRC) protocol.

Each of the eNBs is logical network components that serve one or several E-UTRAN cells and are interconnected by the X2 interface. Additionally, Home eNBs (also called femtocells), which are eNBs of lower cost, can be connected to the EPC directly or via a gateway that provides additional support for a large number of HeNBs.

The main functionalities hosted by the E-UTRAN are enumerated as follows: – Inter-cell radio resource management (RRM). – Resource block control. – Connection mobility control. – Radio admission control. – eNB measurement configuration and provisioning. – Dynamic resource allocation (scheduling).

eNodeBs are linked together directly by links according to the interface X2, which is IP compliant.

They are connected to the EPC at the S-GW using the IP protocol.

The connection with the mobile follows OFDMA. In the downlink, there is a broadcasting of all the information and the mobile will extract the items, which are relevant to it.

In the uplink, the mechanism is a modified version of OFDMA called SC-FDMA. The mobile is allocated some of the frequencies to communicate with the eNodeB. 28 LTE Standards

The antennas from the eNodeB can be locally installed or placed on a different location, linked through an optical fiber link. Typically this link can transfer the transmit/receive function as far as 20 km.

The links between eNodeBs and between eNodeB and EPC build the backhaul of the mobile network. It is a major investment for the operator.

Figure 1.12. Tools from Rohde & Schwartz

1.4.1. LTE visualization tool from Rohde and Schwartz

This tool is free to download and use. It models the allocation of downlink resource elements to the set of signals and physical channels. The user can configure each of the variables that have an impact on the allocation of resource elements, e.g. channel bandwidth, number of transmit antennas and cell identity. The tool quantifies the throughput for each modulation scheme and for a range of assumed coding rates.

1.4.2. eUTRAN characteristics

– Peak download rates up to 299.6 Mbit/s and upload rates up to 75.4 Mbit/s depending on the UE category (with MIMO 4 × 4 antennas using 20 MHz of spectrum). Five different terminall classes have been defined from a voice centric class up to a high-end terminal LTE Standards and Architecture 29 that supports the peak data rates. All terminals will be able to process 20 MHz bandwidth. – Low data transfer latencies (sub-5 ms latency for small IP packets in optimal conditions), lower latencies for handover and connection setup time than with previous radio access technologies. – Improved support for mobility, exemplified by support for terminals moving at up to 350 km/h (220 mph) or 500 km/h (310 mph), depending on the frequency band. – eUTRAN adopts OFDMA for the downlink, and SC-FDMA for the uplink (to conserve power).

Support for both FDD and TDD communication systems as well as half-duplex FDD with the same radio access technology.

Support for all frequency bands currently used by IMT systems by ITU-R.

Increased spectrum flexibility: 1.4 MHz, 3 MHz, 5 MHz, 10 MHz, 15 MHz and 20 MHz wide cell frequency allocations are standardized.

Support for cell sizes from tens of meters radius (femto and picocells), up to 100 km (62 miles) radius macrocells using the lower frequency bands in rural areas.

Cell size of 5 km (3.1 miles) radius is the optimal size, 30 km (19 miles) have reasonable performances. Up to 100 km cell sizes offer acceptable performances.

In urban areas, higher frequency bands (such as 2.6 GHz in EU) are used to support high-speed mobile broadband. Cell sizes may be 1 km (0.62 miles) or even less.

Supports at least 200 active data clients in every 5 MHz cell.

Simplified architecture: The network side of E-UTRAN is composed only of eNodeBs. 30 LTE Standards

Support for inter-operation and co-existence with legacy standards (e.g. GSM/EDGE, UMTS and CDMA2000). Users can start a call or transfer of data in an area using an LTE standard, and, should coverage be unavailable, continue the operation without any action on their part using GSM/GPRS or W-CDMA-based UMTS or even 3GPP2 networks such as cdmaOne or CDMA2000).

Packet switched radio interface.

Support for multicast-broadcast single frequency network (MBSFN). This feature can deliver services such as Mobile TV using the LTE infrastructure.

1.4.3. eUTRAN interfaces

1.4.3.1. X2 and S1 interface implementation According to 3GPP TR 25.912, E-UTRAN is described as follows:

“The evolved UTRAN consists of eNB, providing the evolved UTRAN U-plane and C-plane protocol terminations towards the UE. The eNBs are interconnected with each other by means of the X2 interfaces. It is assumed that there always exist an X2 interface between the eNBs that need to communicate with each other, e.g., for support of handover of UEs in LTE_ACTIVE. The eNBs are also connected by means of the S1 interface to the EPC (Evolved Packet Core). The S1 interface supports a many-to-many relation between GWs and eNBs.” – X2 Interface (Interface between eNodeB’s); – S1 Interface; – S1-MME Interface (Interface between eNodeB and MME); – S1-U Interface (Interface between eNodeB and S-GW). LTE Standards and Architecture 31

Figure 1.13. Description of eUTRAN with its interfaces

This general design has a variant in case of deployment of HeNodeB (home eNB, or femtocell). Femtocells do not always have a direct link to MME nor S-GW.

The X2 interface enables eNodeBs de to communicate directly between each other, which is good for interference management (especially in HetNets) and seamless handover.

The X2 interface is defined between two neighbor eNBs. Figure 1.15 shows the control and user plane protocol stack of the X2 interface.

Figure 1.14. E-UTRAN architecture with HeNodeB GW and HeNodeB 32 LTE Standards

Figure 1.15. X2 interface

Both X2 and S1 are logical interface i.e. they do not need to be connected directly with one (physical) cable. As can be read in 3GPP specs, they run over IP. So, even though you see X2 interface as a direct connection from one eNB to another eNB, in the real case it might be going to same backhaul as S1.

In the Release-8/9 of 3GPP, X2 interface between small cells and between small cells and macrocells was not available. In Release-10 and 11 (and further), it was made available.

More details on this enhancement is available in 3GPP TS 36.300.

Figure 1.16. This figure shows the enhancements in release 10 and release 11 LTE Standards and Architecture 33

X2 is not only useful for lossless handovers in LTE/LTE-A but is also very useful for Interference management using enhanced Inter Cell Interference Management (eICIC), a feature introduced in Rel-10.

The E-UTRAN uses a simplified single-node architecture consisting of the eNodeBs (E-UTRAN Node B). The eNodeB communicates with the evolved packet core (EPC) using the S1 interface; specifically with the MME and the user plane entity (UPE) identified as S-GW using S1-C and S1-U for control plane and user plane respectively. The MME and the UPE are preferably implemented as separate network nodes so as to facilitate independent scaling of the control and user plane. Also the eNB communicates with other eNB using the X2 interface (X2-C and X2-U for control and user plane respectively).

1.4.3.2. Overall architecture [3GPP TS 36.300] LTE supports an option of multicast/broadcast over a single frequency network (MBSFN), where a common signal is transmitted from multiple cells with appropriate time synchronization. The eNB being the only entity of the E-UTRAN supports all the functions in a typical radio network such as radio bearer control, mobility management, admission control and scheduling. The access stratum resides completely at the eNB.

Figure 1.17. Functional split between E-UTRAN and EPC [ 3GPP TS 36.300] 34 LTE Standards

1.4.3.2.1. eNB functionality – Functions for radio resource management: radio bearer control, radio admission control, connection. – Mobility control, dynamic allocation of resources to UEs in both uplink and downlink (scheduling). – IP header compression and encryption of user data stream. – Selection of an MME at UE attachment when no routing to an MME can be determined from the information. – Provided by the UE. – Routing of user plane data toward S-GW. – Scheduling and transmission of paging messages (originated from the MME). – Scheduling and transmission of broadcast information (originated from the MME or O and M). – Measurement and measurement reporting configuration for mobility and scheduling. – Scheduling and transmission of PWS (which includes ETWS and CMAS) messages (originated from the MME). – Closed subscriber group (CSG) handling. – Transport level packet marking in the uplink.

1.4.3.2.2. MME functionality – NAS signaling. – NAS signaling security. – AS security control. – Inter CN node signaling for mobility between 3GPP access networks. – Idle mode UE reachability (including control and execution of paging retransmission). – Tracking area list management (for UE in idle and active mode). LTE Standards and Architecture 35

– PDN GW and S-GW selection. – MME selection for handovers with MME change. – SGSN selection for handovers to 2G or 3G 3GPP access networks. – Roaming – Authentication – Bearer management functions including dedicated bearer establishment. – Support for PWS (which includes ETWS and CMAS) message transmission. – Optionally performing paging optimization.

1.4.3.2.3. S-GW functionality – The local mobility anchor point for inter-eNB handover. – Mobility anchoring for inter-3GPP mobility. – E-UTRAN idle mode downlink packet buffering and initiation of network triggered service request procedure. – Lawful interception. – Packet routing and forwarding. – Transport level packet marking in the uplink and the downlink. – Accounting on user and QCI granularity for inter-operator charging. – UL and DL charging per UE, PDN, and QCI.

1.4.4. Signaling on the radio path

The radio protocol architecture for LTE can be separated into control plane architecture and user plane architecture as shown below: 36 LTE Standards

At user plane side, the application creates data packets that are processed by protocols such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and IP, while in the control plane, the radio resource control (RRC) protocol writes the signaling messages that are exchanged between the base station and the mobile. In both cases, the information is processed by the packet data convergence protocol (PDCP), the radio link control (RLC) protocol and the medium access control (MAC) protocol, before being passed to the physical layer for transmission.

Figure 1.18. Radio frequency protocol

1.4.4.1. User plane The user plane protocol stack between the e-Node B and UE consists of the following sublayers: – Packet Data Convergence Protocol (PDCP); – radio link control (RLC); – medium access control (MAC).

On the user plane, packets in the core network (EPC) are encapsulated in a specific EPC protocol and tunneled between the P-GW and the eNodeB. Different tunneling protocols are used depending on the interface. GPRS Tunneling Protocol (GTP) is used on the S1 interface between the eNodeB and S-GW and on the S5/S8 interface between the S-GW and P-GW. LTE Standards and Architecture 37

Figure 1.19. User plane

Packets received by a layer are called service data unit (SDU) while the packet output of a layer is referred to by protocol data unit (PDU) and IP packets at user plane flow from top to bottom layers.

1.4.4.2. Control plane The control plane includes additionally the radio resource control layer (RRC) that is responsible for configuring the lower layers.

The control plane handles radio-specific functionality which depends on the state of the UE which includes two states: idle or connected.

Mode Description The user equipment camps on a cell after a cell selection or reselection process, where factors like radio link quality, cell status and radio access technology are considered. The UE also monitors a Idle paging channel to detect incoming calls and acquire system information. In this mode, control plane protocols include cell selection and reselection procedures. The UE supplies the E-UTRAN with downlink channel quality and neighbor cell information to enable the E-UTRAN to select the most Connected suitable cell for the UE. In this case, control plane protocol includes the Radio Link Control (RRC) protocol.

Table 1.14. Control plane 38 LTE Standards

The different protocols can also be categorized in their layer level:

Figure 1.20. Protocol stack for the control plane between the UE and MME

1.4.4.2.1. Physical layer (layer 1) Physical layer carries all information from the MAC transport channels over the air interface. It takes care of the link adaptation (AMC), power control, cell search (for initial synchronization and handover purposes) and other measurements (inside the LTE system and between systems) for the RRC layer.

1.4.4.2.2. Medium access layer (MAC) MAC layer is responsible for mapping between logical channels and transport channels, multiplexing of MAC SDUs from one or different logical channels onto transport blocks (TB) to be delivered to the physical layer on transport channels, demultiplexing of MAC SDUs from one or different logical channels from transport blocks (TB) delivered from the physical layer on transport channels, scheduling information reporting, error correction through HARQ, priority handling between UEs by means of dynamic scheduling, priority handling between logical channels of one UE, logical channel prioritization. LTE Standards and Architecture 39

1.4.4.2.3. Radio link control (RLC) RLC operates in three modes of operation: – Transparent mode (TM); – Unacknowledged mode (UM); – Acknowledged mode (AM).

RLC layer is responsible for transfer of upper layer PDUs, error correction through ARQ (only for AM data transfer), concatenation, segmentation and reassembly of RLC SDUs (only for UM and AM data transfer).

RLC is also responsible for resegmentation of RLC data PDUs (Only for AM data transfer), reordering of RLC data PDUs (only for UM and AM data transfer), duplicate detection (only for UM and AM data transfer), RLC SDU discard (only for UM and AM data transfer), RLC re-establishment, and protocol error detection (only for AM data transfer).

1.4.4.2.4. Radio resource control (RRC) The main services and functions of the RRC sublayer include broadcast of system information related to the non-access stratum (NAS), broadcast of system information related to the access stratum (AS), paging, establishment, maintenance and release of an RRC connection between the UE and E-UTRAN, security functions including key management, establishment, configuration, maintenance and release of point to point radio bearers.

1.4.4.2.5. Packet data convergence control (PDCP) PDCP Layer is responsible for header compression and decompression of IP data, transfer of data (user plane or control plane), maintenance of PDCP sequence numbers (SNs), in-sequence delivery of upper layer PDUs at re-establishment of lower layers, duplicate elimination of lower layer SDUs at re-establishment of lower layers for radio bearers mapped on RLC AM, ciphering and deciphering of user plane data and control plane data, integrity protection and integrity verification of control plane data, timer-based 40 LTE Standards discard, duplicate discarding, PDCP is used for SRBs and DRBs mapped on DCCH and DTCH type of logical channels.

1.4.4.2.6. Non-access stratum (NAS) protocols The non-access stratum (NAS) protocols form the highest stratum of the control plane between the UE and MME.

NAS protocols support the mobility of the UE and the session management procedures to establish and maintain IP connectivity between the UE and a PDN GW.

Figure 1.21. Structure

1.4.4.3. Channels Since information is processed by the different protocols, there is the need for a logical channel to follow the different packet contents in order to recover at the end the initial data stream. At the top level, IP packets structure the data flow, at the physical level, the information is mapped into slots, which are assembled into transport blocks.

From top to bottom: – IP layer submits PDCP SDUs (IP packets) to the PDCP layer. – PDCP layer does header compression and adds PDCP header to these PDCP SDUs. LTE Standards and Architecture 41

– PDCP layer submits PDCP PDUs (RLC SDUs) to RLC layer. – PDCP header compression: PDCP removes IP header (minimum 20 bytes) from PDU, and adds token of 1–4 bytes. From this action, the load on the air interface is reduced. – RLC layer performs segmentation of these SDUS to make the RLC PDUs. – RLC adds header based on RLC mode of operation. RLC submits these RLC PDUs (MAC SDUs) to the MAC layer. – RLC segmentation: if an RLC SDU is large, or the available radio data rate is low (resulting in small transport blocks), the RLC SDU may be split among several RLC PDUs. If the RLC SDU is small, or the available radio data rate is high, several RLC SDUs may be packed into a single PDU. – MAC layer adds header and performs padding to fit this MAC SDU in TTI. MAC layer submits MAC PDU to physical layer for transmitting it onto physical channels. – Physical channel transmits this data into slots of sub frame.

To reduce the useless information of the packet, LTE eUTRAN allows us to the packet a temporary token that replaces the IP header, thus diminishing considerably the size of the data flow to be transmitted.

The information flows between the different protocols are known as channels and signals. LTE uses several different types of logical, transport and physical channel, which are distinguished by the kind of information they carry and by the way in which the information is processed.

Figure 1.22. Token 42 LTE Standards

Logical channels define what type of information is transmitted over the air, e.g. traffic channels, control channels, system broadcast, etc. Data and signaling messages are carried on logical channels between the RLC and MAC protocols. These channels define the data- transfer services offered by the MAC layer. Data and signaling messages are carried on logical channels between the RLC and MAC protocols.

Logical channels can be divided into control channels and traffic channels: – Control channel can be either common channel or dedicated channel: - A common channel means common to all users in a cell (point to multipoint), - dedicated channel means channel can be used only by one user (point to point).

Logical channels are distinguished by the information they carry and can be classified in two ways. First, logical traffic channels carry data in the user plane, while logical control channels carry signaling messages in the control plane. Following table lists the logical channels that are used by LTE:

Logical Channel Name Acronym Control channel Traffic channel Broadcast control channel BCCH X Paging control channel PCCH X Common control channel CCCH X Dedicated control channel DCCH X Multicast control channel MCCH X Dedicated traffic channel DTCH X Multicast traffic channel MTCH X

Table 1.15. Logical channel name

– Transport channels define how something is transmitted over the air, e.g. what are encoding, interleaving options are used to transmit LTE Standards and Architecture 43 data. Data and signaling messages are carried on transport channels between the MAC and the physical layer.

Transport Channel Name Acronym Downlink Uplink Broadcast channel BCH X Downlink shared channel DL-SCH X Paging channel PCH X Multicast channel MCH X Uplink shared channel UL-SCH X Random access channel RACH X

Table 1.16. Transport channel name

– Physical channels define where something is transmitted over the air, e.g. first N symbols in the DL frame. Data and signaling messages are carried on physical channels between the different levels of the physical layer. There are: - physical data channels. Physical data channels are distinguished by the ways in which the physical channel processor manipulates them, and by the ways in which they are mapped onto the symbols and sub-carriers used by orthogonal frequency-division multiplexing (OFDMA).

Physical data channel name Acronym Downlink Uplink Physical downlink shared channel PDSCH X Physical broadcast channel PBCH X Physical multicast channel PMCH X Physical uplink shared channel PUSCH X Physical random access channel PRACH X

Table 1.17. Physical data channel name

The transport channel processor applies several types of control information, to support the low-level operation of the physical layer. 44 LTE Standards

Control information field name Acronym Downlink Uplink Downlink control information DCI X Control format indicator CFI X Hybrid ARQ indicator HI X Uplink control information UCI X

Table 1.18. Control information field name

- physical control channels. The transport channel processor also creates control information that supports the low-level operation of the physical layer and sends this information to the physical channel processor formatted as physical control channels.

Physical control channel name Acronym Downlink Uplink Physical control format indicator channel PCFICH X Physical hybrid ARQ indicator channel PHICH X Physical downlink control channel PDCCH X Relay physical downlink control channel R-PDCCH X Physical uplink control channel PUCCH X

Table 1.19. Physical control channel name

The information travels as far as the transport channel processor in the receiver, but is completely invisible to higher layers. Similarly, the physical channel processor creates physical signals, which support the lowest level aspects of the system.

The base station also transmits two other physical signals, which help the mobile acquire the base station after it first switches on. These are known as the primary synchronization signal (PSS) and the secondary synchronization signal (SSS).

1.4.4.3.1. Physical control format indicator channel The physical control format indicator channel (PCFICH) is one of the control channels that works at physical layer. It is used to dynamically indicate the number of symbols to be used for PDCCH. LTE Standards and Architecture 45

With the help of the PCFICH channel, following scenarios are possible: – Use less symbols for PDCCH if there are a few users with high data rates. Thus, leaving more resource elements to be used for user plane data (PDSCH). – Use more symbols for PDCCH if there are many users with lower data rates, e.g. VoIP calls in the cell, thus allowing more users capacity.

PCFICH signaled value depends on channel bandwidth. For channel bandwidth of 3MHz up to 20 MHz, it can carry value of 1, 2 or 3. But for 1.4 MHz, channel bandwidth it can carry value of 2, 3 or 4. Because, in the case of 1.4 MHz bandwidth, there are few subcarriers in the frequency domain. Therefore, more space is required in the time domain to carry PDCCH symbols.

PCFICH occupies 16 resource elements in frequency domain. These resource elements are divided into groups of four quadruplets distributed within first OFDMA symbol of each 1 ms subframe. The exact position of PCFICH can be measured from cell ID and bandwidth using formula given in 3GPP spec 36.211 as below.

where

NRBSC = number of frequency carriers per resource block

NDLRB = number of resource blocks per bandwidth

NcellID = physical cell id

It may look complicated but let us try to understand it with simple example. 46 LTE Standards

Suppose: Physical Cell id = 20

Bandwidth = 10 Mhz (NDLRB = 50)

According to 3GPP formula: k_Bar = (12/2).(20 mod 2*50) = 6*20 = 120

Then the four PCFICH mapping values are: 120 120 + (50/2)*(12/2) = 270 120 + 2*(50/2)*(12/2) = 420 120 + 3*(50/2)*(12/2) = 570

1.4.5. Physical layer

The LTE physical layer is based on the orthogonal frequency division multiplexing (OFDM) scheme to meet the targets of high data rate and improved spectral efficiency. The spectral resources are allocated/used as a combination of both time slots and frequency units (aka subcarrier). MIMO options with two or four antennas is supported. Multiuser MIMO is supported in both UL and DL. The modulation schemes supported in the downlink and uplink are QPSK, 16QAM and 64QAM.

1.4.5.1. Downlink physical channel The downlink transmission uses the OFDM with cyclic prefix. Some of the reasons for using OFDM are given below: – Multiple carrier modulation (MCM) helps in countering the frequency selective fading as the channel appears to have nearly flat frequency response for the narrow band subcarrier. – The frequency range of the resource block and the number of resource blocks can be changed (or adapted to the channel condition) allowing flexible spectrum allocation. LTE Standards and Architecture 47

– Higher peak data rates can be achieved by using multiple resource blocks and not by reducing the symbol duration or using still higher order modulation thereby reducing the receiver complexity. – The multiple orthogonal subcarriers inherently provide higher spectral efficiency. – The cyclic prefix (CP) is the partial repetition of the bit/symbol sequence from the end to the beginning. This makes the time domain input sequence to appear periodic over a duration so that the DFT representation is possible for any frequency domain processing. Also, the duration, if chosen larger than the channel delay spread, will help in reducing the inter-symbol interference.

Figure 1.23. Physical layer

LTE uses all the time on the downlink for conveying data. The downlink PHY is fully scheduled. There are no gaps due to arbitration or contention, except for the initial access on the random access procedure.

The downlink carries multiple logical channels over one link. A lot of information is multiplexed together in one transport block, as opposed to other networks where any given packet is multiplexed together in one transport block, for both the control plane and the user plane.

The following pilot signals are defined for the DL physical layer: – Reference signal: The reference signal consists of known symbols transmitted at a well-defined OFDM symbol position in the 48 LTE Standards slot. This assists the receiver at theuser terminal in estimating the channel impulse response so that channel distortion in the received signal can be compensated for. There is one reference signal transmitted per downlink antenna port and an exclusive symbol position is assigned for an antenna port (when one antenna port transmits a reference signal other ports are silent). – Synchronization signal: Primary and secondary synchronization signals are transmitted at a fixed subframes (first and sixth) position in a frame and assists in the cell search and synchronization process at the user terminal. Each cell is assigned a unique primary sync signal.

Figure 1.24. Signaling channel mapping. For a color version of this figure, see www.iste.co.uk/remy/LTEstandards.zip

1.4.5.2. Uplink physical channel The uplink transmission uses the single-carrier FDMA (SC-FDMA) scheme. The SC-FDMA scheme is realized as a two stage process where the first stage transforms the input signal to frequency LTE Standards and Architecture 49 domain (represented by DFT coefficients) and the second stage converts these DFT coefficients to an OFDM signal using the OFDM scheme. Because of this association with OFDM, the SC-FDMA is also called as DFT-spread OFDM. The reasons (in addition to those applicable for OFDM for downlink) for this choice are given below: – The two stage process allows selection of appropriate frequency range for the subcarriers while mapping the set of DFT coefficients to the resource blocks. Unique frequency can be allocated to different users at any given time so that there is no co-channel interference between users in the same cell. Also channels with significant co-channel interference can be avoided. – The transformation is equivalent to shift in the center frequency of the single-carrier input signal. The subcarriers do not combine in random phases to cause large variation in the instantaneous power of the modulated signal. This means lower peak-to-average power ratio (PAPR). – The PAPR of SC-FDMA is lesser than that of the conventional OFDMA, so the RF power amplifier (PA) can be operated at a point nearer to recommended operating point. This increases the efficiency of a PA thereby reducing the power consumption at the user terminal.

Following pilot signals are defined for the UL channel: – Demodulation reference signal: This signal send by the user terminal along with the uplink transmission, assists the network in estimating the channel impulse response for the uplink bursts so as to effectively demodulate the uplink channel. – Sounding reference signals: This signals send by the user terminal assists the network in estimating the overall channel conditions and to allocate appropriate frequency resources for uplink transmission.

1.4.6. RLC and MAC layer

Initial draft of the RLC [3GPP TS 36.322] and MAC [3GPP TS 36.321] specifications are available. The hybrid-ARQ is strongly suggested at the MAC layer in addition to the ARQ at the RLC layer. 50 LTE Standards

The LTE link-layer protocols abstract the physical layer and adapt its characteristics to match the requirements of the higher layer protocols. They are optimized to provide low delay and low overhead.

Figure 1.25. Functions of the different layers

Figure 1.26. The protocol chain from IP packets to transport blocks LTE Standards and Architecture 51

1.4.6.1. Radio resource management All the following functions are assigned to eNodeB(s) in the E-UTRAN: – Radio bearer control. – Radio admission control. – Connection mobility management. – Dynamic resource allocation. – Inter cell interference coordination. – Load balancing. – Inter RAT RRM functions.

1.4.6.2. S1 interface S1 interface uses SCTP/IP and GTP-U/UDP/IP for the control and user plane, respectively. The signaling protocol between eNB and MME is identified by S1-AP.

1.4.7. Dynamic radio resource management in LTE

Radio resource management includes transmission power management, mobility management and scheduling of radio resource.

In particular, the management of interferences between OFDMA and SC-FDMA carriers allocated to the different base station cells is a key to manage the capacity.

Figure 1.27. Optimization of the repartition of carriers 52 LTE Standards

1.4.8. MIMO

Multiple input multiple output (MIMO) is an antenna technology processing the signal received by 2 or more receiving antennas and also processing the transmitted signal. Making use of 2 transmitting antennas, or more, the first implementation of MIMO on an operational system was on the Japanese deployment.

Figure 1.28. Single-user MIMO

Figure 1.29. MIMO signal processing LTE Standards and Architecture 53

MIMO sends multiple streams on multiple transmit antennas – practically 2 or 4 – each stream travels on different paths. The processing allows us to enhance the quality of reception at the other side.

MIMO was first standardized in 3GPP Release 6 (Rel-6). It was then developed in Rel-7 with spatial multiplexing double transmit adaptive array (D-TxAA). The first MIMO transmission for the LTE network (2 × 2 closed loop SM) was considered to increase by 20%. The downlink sector spectral efficiency compared to a single antenna transmission and increasing the all edge efficiency by some 35%. The 3GPP Rel-9 LTE specifications include some of the most advanced forms of MIMO of any standard in the industry. 3GPP has since included even more advanced MIMO enhancements for LTE-Advanced.

Figure 1.30. Spatial multiplexing MIMO sector rate

1.4.9. Macrocells, microcells and femtocells

Figure 1.31. Heterogeneous network (4G Americas) 54 LTE Standards

LTE has designed a variety of cell sites, with macrocells (for distant mobiles), microcells (for hot spots) and pico cells/femtocells (for connection at home). Assembling all these components builds a heterogeneous network with eNodeBs transmitting/receiving with different power levels and possibly different frequencies. For a coverage of wide areas, macrocells and 700 MHz should be preferred. For picocells and femtocells, quasi-Wi-Fi frequencies (e.g. 2.6 GHz) may facilitate the mastering of heavy traffic loads on hotspots. Microcells offer a complement to the macrocell layer when there is locally a shortage of capacity. The problem of the microcell layer is its cost (many sites, important backhaul) as well as the difficult interworking with the macrocell layer.

This coverage paradigm is called heterogeneous network (HetNet).

Following the trend imposed by smartphone manufacturers, LTE cannot ignore the competition of Wi-Fi as a final radio link, especially when the subscriber takes advantage of the high-speed Internet link that is provided at home by some provider, which is not necessarily the operator of the LTE system.

1.5. Core network

The evolved architecture comprises evolved UTRAN (E-UTRAN) on the access side and evolved packet core (EPC) on the core side. Figure 1.32 shows the evolved system architecture included in the surrounding non-LTE environment, as well as the problematic of roaming:

– Trusted non-3GPP accesses can interact directly with the EPC. – Untrusted non-3GPP accesses interwork with the EPC via a network entity called the evolved packet data gateway (ePDG). The main role of the ePDG is to provide security mechanisms such as IPsec tunneling of connections with the UE over an untrusted non- 3GPP access. LTE Standards and Architecture 55

Figure 1.32. Core network

3GPP does not specify which non-3GPP technologies should be considered trusted or untrusted. This decision is made by the operator.

Figure 1.33. Three subsystems

The architecture of LTE shows only three subsystems:

– User equipment (UE). As for GSM and UMTS, the UE includes the mobile termination ((MT), handling the communication functions), the terminal equipment ((TE), terminating the data streams) and the universal integrated circuit card ((UICC), with USIM application). – E-UTRAN. The E-UTRAN handles the radio communications between the mobile and the evolved packet core. E-UTRAN shows no 56 LTE Standards more BSC nor RNC network element. It is composed of base stations only, which are called eNodeB. eNodeBs provide the E-UTRA user plane protocols (PDCP/RLC/MAC/PHY); and control plane (RRC) protocol, which terminates toward the UE. Every eNodeB controls the mobiles in one or more than one cell. Each mobile is controlled by its serving eNodeB. The eNodeB sends and receives radio transmissions to all the mobiles that it controls using the analog and digital signal processing functions of the LTE air interface. It sends them signaling messages such as those defined for handover.

The eNodeBs are interconnected with each other by means of the X2 interface. The eNodeBs are connected by the S1 interface to the evolved packet core (EPC). The eNodeB connects to the MME by means of the S1-MME interface and to the S-GW by means of the S1- U interface. The S1 interface supports a many-to-many relation between MMEs /S-GWs and eNodeBs. – EPC. The evolved packet core communicates with PDNs in the outside world such as the Internet, private corporate networks or the IP multimedia subsystem.

The interfaces between the different parts of the system are denoted by Uu, S1 and SGi.

1.5.1. LTE network elements

eNodeB (eNB) is the base station network element. It interfaces with the UE ( i.e. the mobile) and hosts the PHYsical (PHY), medium access control (MAC), radio link control (RLC) and packet data control protocol (PDCP) layers. It also hosts radio resource control (RRC) functionality corresponding to the control plane. It performs many functions including radio resource management, admission control, scheduling, enforcement of negotiated UL QoS, cell information broadcast, ciphering/deciphering of user and control plane data, and compression/decompression of DL/UL user plane packet headers. LTE Standards and Architecture 57

Figure 1.34. LTE network elements

The MME is in charge of managing and storing uE context (for idle state: uE/user identities uE mobility state, user security parameters). It produces temporary identities and allocates them to uE. It checks the authorization whether the UE may camp on the TA or on the PLMN. 23.401 General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Usually, the address of HSS is configured in MME statically.

LTE does not offer Gb-Flex similar function between MME and HSS. The purpose for Gb-Flex is to balance load between MMEs and make the network strong. But HSS is just a huge data base, it does not process any call.

Home Subscriber Server (HSS) Basically, the HSS is a database that contains user-related and subscriber-related information. It also provides support functions in mobility management, call and session setup, user authentication and access authorization. It is the concatenation of the home location 58 LTE Standards register (HLR) and the authentication center (AuC) – two functions being already present in pre-IMS 2G/GSM and 3G/UMTS networks. The HLR part of the HSS is in charge of storing and updating when necessary the database containing all the user subscription information, including (list is non-exhaustive): – User identification and addressing – this corresponds to the international mobile subscriber identity (IMSI) and mobile subscriber ISDN number (MSISDN) or mobile telephone number. – User profile information – this includes service subscription states and user-subscribed QoS information (such as maximum allowed bit rate or allowed traffic class).

The AuC part of the HSS is in charge of generating security information from user identity keys. This security information is provided to the HLR and further communicated to other entities in the network. Security information is mainly used for: – mutual network-terminal authentication; – radio path ciphering and integrity protection, to ensure data and signaling transmitted between the network and the terminal is neither eavesdropped nor altered.

The number of HSS is not big, usually less than 10 in a country (in most countries, less than three).

Serving GW (S-GW) The gateways (S-GW and PDN GW) deal with the user plane. They transport the IP data traffic between the UE and the external networks. The S-GW is the point of interconnect between the radio- side and the EPC. As its name indicates, this gateway serves the UE by routing the incoming and outgoing IP packets.

S-GW routes and forwards user data packets, while also acting as the mobility anchor for the user plane during inter-eNB handovers and as the anchor for mobility between LTE and other 3GPP technologies (terminating S4 interface and relaying the traffic between 2G/3G systems and PDN GW). LTE Standards and Architecture 59

Packet data network gateway (PDN GW) PDN GW provides connectivity of the UE to external PDNs by being the point of exit and entry of traffic for the UE. A UE may have simultaneous connectivity with more than one PDN GW for accessing multiple PDNs. The PDN GW performs policy enforcement, packet filtering for each user, charging support, lawful interception and packet screening [WIK 14b].

Policy and charging rules function (PCRF) server is in charge of managing the service policy and sending QoS setting information for each user session and accounting rule information. The PCRF server groups functionalities for the policy decision function (PDF) and the charging rules function (CRF). The PDF is the network entity where the policy decisions are made. As the IMS session is being set up, SIP signaling containing media requirements are exchanged between the terminal and the P-CSCF. At some time in the session establishment process, the PDF receives those requirements from the P-CSCF and makes decisions based on network operator rules. For example, it allows or rejects the media request uses new or existing PDP contexts and checks the allocation of new resources. The CRF provides operator-defined charging rules applicable to each service data flow. The CRF selects the relevant charging rules based on information provided by the P-CSCF, such as application identifier, type of stream (audio, video, etc.) and application data rate, etc.

1.5.2. LTE interfaces [TS 23.401]

Figure 1.35. LTE interfaces 60 LTE Standards

With reference to 3GPP Ref: TS 23. 401v, 841, the list of LTE interfaces is: – S1-MME: Reference point for the control plane protocol between E-UTRAN and MME. – S1-U: Reference point between E-UTRAN and S-GW for the per bearer user plane tunneling and inter eNodeB path switching during handover. – S3: It enables user and bearer information exchange for inter 3GPP access network mobility in idle and/or active state. – S4: It provides related control and mobility support between GPRS core and the 3GPP anchor function of S-GW. In addition, if direct tunnel is not established, it provides the user plane tunneling. – S5: It provides user plane tunneling and tunnel management between S-GW and PDN GW. It is used for S-GW relocation due to UE mobility and if the S-GW needs to connect to a non-collocated PDN GW for the required PDN connectivity. – S6a: It enables transfer of subscription and authentication data for authenticating/authorizing user access to the evolved system (AAA interface) between MME and HSS. – Gx: It provides transfer of (QoS) policy and charging rules from PCRF to policy and charging enforcement function (PCEF) in the PDN GW. – S8: Inter-PLMN reference point providing user and control plane between the S-GW in the VPLMN and the PDN GW in the HPLMN. S8 is the inter PLMN variant of S5. – S9: It provides transfer of (QoS) policy and charging control information between the home PCRF and the visited PCRF in order to support local breakout function. – S10: Reference point between MMEs for MME relocation and MME to MME information transfer. – S11: Reference point between MME and S-GW.

LTE Standards and Architecture 61

– S12: Reference point between UTRAN and S-GW for user plane tunneling when direct tunnel is established. It is based on the Iu-u/Gn- u reference point using the GTP-U protocol as defined between SGSN and UTRAN or, respectively, between SGSN and GGSN. Usage of S12 is an operator configuration option. – S13: It enables UE identity check procedure between MME and EIR. – SGi: It is the reference point between the PDN GW and the PDN. PDN may be an operator external public or private PDN or an intra operator PDN, e.g. for provision of IMS services. This reference point corresponds to Gi for 3GPP accesses. – Rx: The Rx reference point resides between the AF and the PCRF in the TS 23.203. – SBc: Reference point between CBC and MME for warning message delivery and control functions.

1.5.2.1. Control plane interfaces: S1-MME interface between eNodeB and MME.

Reference point for the control plane protocol between E-UTRAN and MME.

Figure 1.36. Protocol stack of S1-MME interface where:

S1 application protocol (S1-AP): application layer protocol between the eNodeB and MME. 62 LTE Standards

Stream control transmission protocol (SCTP): this protocol guarantees delivery of signaling messages between MME and eNodeB (S1). SCTP is defined in RFC 4960.

S3 interface between SGSN and MME.

It enables user and bearer information exchange for inter 3GPP access network mobility in idle and/or active state.

Figure 1.37. Protocol stack of S3 interface

Where:

GPRS tunneling protocol for the control plane (GTP-C): this protocol tunnels signaling messages between SGSN and MME.

User datagram protocol (UDP): this protocol signaling messages. UDP is defined in RFC 768.

S4 interface between SGSN and Serving Gateway (SGW).

It provides related control and mobility support between GPRS core and the 3GPP anchor function of S-GW. In addition, if direct tunnel is not established, it provides the user plane tunneling.

Figure 1.38. Protocol stack of S4 interface LTE Standards and Architecture 63

GTP-C (mentioned above): this protocol tunnels signaling messages between SGSN and SGW. UDP: this protocol transfers signaling messages. UDP is defined in RFC 768.

S5 or S8 interface between SGW and Packet Data Network Gateway (PGW).

S5: it provides user plane tunneling and tunnel management between S-GW and PDN GW. It is used for S-GW relocation due to UE mobility and if the S-GW needs to connect to a non-collocated PDN GW for the required PDN connectivity.

S8: inter-PLMN reference point providing user and control plane between the S-GW in the visited PLMN (VPLMN) and the PDN GW in the home PLMN (HPLMN). S8 is the inter PLMN variant of S5.

The difference between these two interfaces is S5 is being used in one network entity (no roaming scenario), and S8 is being used to connect VPLMN where user is with his HPLMN.

Figure 1.39. Protocol stack of interface S5 or S8

GTP-C: this protocol tunnels signaling messages between S-GW and P- GW. UDP: this protocol transfers signaling messages between SGW and PGW. UDP is defined in RFC 768.

S10 interface between MME and other MME.

Reference point between MMEs for MME relocation (e.g. handover) and MME to MME information transfer. 64 LTE Standards

Figure 1.40. Protocol stack of S10 interface

Where:

GTP-C: this protocol tunnels signaling messages between MMEs.

UDP: this protocol transfers signaling messages between MMEs. UDP is defined in RFC 768.

S11 interface between MME and SGW.

Reference point between MME and Serving GW.

Figure 1.41. Protocol stack of S11 interface

Where:

GTP-C: this protocol tunnels signaling messages between MME and SGW.

UDP: This protocol transfers signaling messages between MME and SGW. UDP is defined in RFC 768.

S6a interface between MME and HSS. LTE Standards and Architecture 65

It enables transfer of subscription and authentication data for authenticating/authorizing user access to the evolved system (AAA interface) between MME and HSS.

Figure 1.42. Protocol stack of S6a interface

Where:

Diameter: this protocol supports transferring of subscription and authentication data for authenticating/authorizing user access to the evolved system between MME and HSS (S6a). Diameter is defined in RFC 3588.

SCTP: This protocol transfers signaling messages. SCTP is defined in RFC 4960.

S13 interface between MME and EIR.

It enables UE-EIR.

Figure 1.43. Protocol stack of S13 interface

Where:

Diameter: this protocol supports UE identity check procedure between MME and EIR (S13). Diameter is defined in RFC 3588. 66 LTE Standards

SCTP: this protocol transfers signaling messages. SCTP is defined in RFC 4960.

SBc interface between CBC and eNodeB.

Reference point between CBC and MME for warning message delivery and control functions.

Cell broadcast center (CBC) was a solution for the special requirement of an earthquake and tsunami warning system (ETWS) created for Japan, introduced in Rel. 8. It utilizes the existing interfaces between UE and MME in control plane. In addition, the MME is connected to the CBC via the SBc interface. In LTE/fourth Generation (4G) SBc interface is fully standardized and based on SCTP.

Figure 1.44. Protocol stack of SBc interface

Where:

SBc Application Protocol (SBc-AP): application layer protocol beetween CBC and MME. This protocol supports transfer of warning messages.

S1 Application Protocol (S1-AP): Application Layer Protocol beetween the eNodeB and the MME.

SCTP: this protocol guarantees delivery of signaling messages beetween MME and eNodeB (S1). SCTP is defined in RFC 4960. LTE Standards and Architecture 67

1.5.2.2. User plane interfaces:

Figure 1.45. User plane

S1-U interface between eNodeB and SGW.

Reference point between E-UTRAN and S-GW for the per bearer user plane tunneling and inter eNodeB path switching during handover.

Figure 1.46. Protocol stack of S1-U interface

Where:

GTP for the user plane (GTP-U): this protocol tunnels user data between eNodeB and SGW.

UDP: this protocol transfers user data. UDP is defined in RFC 768.

S4 interface between UE with 2G access and PGW.

It provides related control and mobility support between GPRS core and the 3GPP anchor function of S-GW. In addition, if direct tunnel is not established, it provides the user plane tunneling. 68 LTE Standards

Figure 1.47. Protocol stacks of S4 interfaces used to connect UE from 2G network to PDN

Where:

GTP U: this protocol tunnels user data between SGSN and the S GW as well as between the S GW and the P GW in the backbone network. GTP will encapsulate all end user IP packets.

UDP/IP: these are the backbone network protocols used for routing user data and control signaling.

Protocols on the Um and the Gb interfaces are described in TS 23.060.

S4 interface is also being used to connect UE with 3G access and PGW.

Figure 1.48. Protocol stacks of S4 interfaces used to connect UE from 3G network to PDN LTE Standards and Architecture 69

S12 interface between UE from 3G network and PGW.

It acts as a reference point between UTRAN the serving GW for user plane tunneling when direct tunnel is established. It is based on the Iu-u/Gn-u reference point using the GTP-U protocol.

Figure 1.49. Protocol stack of S12 interface used to connect UE from 3G network to PDN

Where:

GTP U: this protocol tunnels user data between UTRAN and the S GW as well as between the S GW and the P GW in the backbone network. GTP will encapsulate all end user IP packets

UDP/IP: these are the backbone network protocols used for routing user data and control signaling.

Protocols on the Uu interface are described in TS 23.060.

SGSN controls the user plane tunnel establishment and establish a direct tunnel between UTRAN and S GW as shown in Figure 1.19.

1.5.3. Functional split between the E-UTRAN and the EPC

The following diagram shows the functional split between the E-UTRAN and the EPC for an LTE network: 70 LTE Standards

Figure 1.50. E-UTRAN and the EPC

1.5.4. S1 interface-based handover

Figure 1.51. UE is moving from old to new RAN coverage provided by eNodeB

What happens when there is no X2 connection between old and new eNodeB? Answer to that is S1-based handover procedure, which you can find, is described below. LTE Standards and Architecture 71

All of this information you can find by reading specific section of 3GPP TS 23.401 document.

As it is now like a little tradition, we will start with high level of abstract image.

This image should look familiar for those who were reading about X2-based handover. The thing what has change in this scenario is that there is lack of connectivity between two eNBs between which UE moves.

That is why, in order to do the handover, the MME has to be involved directly. Here eNodeB is contacting MME, and the target eNodeB address is found from its SGW.

1.5.4.1. Successful handover The S1-based handover procedure is used when the X2-based handover cannot be used. The source eNodeB initiates a handover by sending a handover required message over the S1-MME reference point. This procedure may relocate the MME and/or the S-GW. The source MME selects the target MME. The MME should not be relocated during inter-eNodeB handover unless the UE leaves the MME pool area where the UE is served. The MME (target MME for MME relocation) determines if the S-GW needs to be relocated. If the S-GW needs to be relocated, the MME selects the target S-GW.

The source eNodeB decides which of the EPS bearers are subject for forwarding of downlink and optionally also uplink data packets from the source eNodeB to the target eNodeB. The EPC does not change the decisions taken by the RAN node. Packet forwarding can take place either directly from the source eNodeB to the target eNodeB, or indirectly from the source eNodeB to the target eNodeB via the source and target S-GWs (or if the S-GW is not relocated, only the single S-GW).

The availability of a direct forwarding path is determined in the source eNodeB and indicated to the source MME. If X2 connectivity is available between the source and target eNodeBs, a direct forwarding path is available. 72 LTE Standards

If a direct forwarding path is not available, indirect forwarding may be used. The source MME uses the indication from the source eNodeB to determine whether to apply indirect forwarding. The source MME indicates to the target MME whether indirect forwarding should apply. Based on this indication, the target MME determines whether it applies indirect forwarding.

If the MME receives a rejection to an S1 interface procedure (e.g. dedicated bearer establishment/modification/release; location reporting control; NAS message transfer, etc.) from the eNodeB with an indication that an S1 handover is in progress, the MME will reattempt the same S1 interface procedure when either the handover is complete or is deemed to have failed if the MME is still the serving MME, except in case of S-GW relocation.

To minimize the number of procedures rejected by the eNodeB, the MME should pause non-handover related S1 interface procedures (e.g. downlink NAS message transfer, E-RAB setup/modify/release, etc.) while a handover is ongoing (i.e. from the time that a handover required has been received until either the handover procedure has succeeded (handover notify) or failed (handover failure)) and continue them once the handover procedure has completed if the MME is still the serving MME, except in case of S-GW relocation.

If during the handover procedure the MME detects that the S-GW or/and the MME needs be relocated, the MME will reject any PDN GW initiated EPS bearer(s) request received since handover started and will include an indication that the request has been temporarily rejected due to handover procedure in progress. The rejection is forwarded by the S-GW to the PDN GW, with the same indication.

Upon receipt of a rejection for an EPS bearer(s) PDN GW initiated procedure with an indication that the request has been temporarily rejected due to handover procedure in progress, the PDN GW will start a locally configured guard timer. The PDN GW will reattempt the procedure, up to a pre-configured number of times, when either it detects that the handover is completed or has failed using message reception or at expiry of the guard timer. LTE Standards and Architecture 73

Figure 1.52. S1-based handover

If emergency bearer services are ongoing for the UE, handover to the target eNodeB is performed independent of the handover restriction list. The MME checks, as part of the tracking area update in the execution phase, if the handover is to a restricted area and if so MME releases the non-emergency bearers. 74 LTE Standards

If the MME receives a rejection from a UE context modification request message with a CS fallback indication from the eNodeB with an indication that an S1 handover is in progress, the MME will resend a UE context modification request message with CS fallback indicator to the target eNodeB when either the handover is complete or to the source eNodeB when the handover is deemed to have failed if the MME is still the serving MME.

The S1-based handover in the normal case is described below:.

Step 1. The source eNodeB decides to initiate an S1-based handover to the target eNodeB. This can be triggered e.g. by no X2 connectivity to the target eNodeB, or by an error indication from the target eNodeB after an unsuccessful X2-based handover, or by dynamic information learnt by the source eNodeB.

Step 2. The source eNodeB sends handover required (direct forwarding path availability, source to target transparent container, target eNodeB identity, CSG ID, CSG access mode, target TAI, S1AP cause) to the source MME. The source eNodeB indicates which bearers are subject to data forwarding. Direct forwarding path availability indicates whether direct forwarding is available from the source eNodeB to the target eNodeB. This indication from source eNodeB can be based on e.g. the presence of X2. The target TAI is sent to MME to facilitate the selection of a suitable target MME. When the target cell is a CSG cell or a hybrid cell, the source eNodeB will include the CSG ID of the target cell. If the target cell is a hybrid cell, the CSG access mode will be indicated.

Step 3. The source MME selects the target MME and if it has determined to relocate the MME, it sends a forward relocation request (FRR) (MME UE context, source to target transparent container, RAN cause, target eNodeB identity, CSG ID, CSG membership indication, target TAI, MS info change reporting action (if available), CSG information reporting action (if available), UE time zone, direct forwarding flag) message to the target MME. The target TAI is sent to the target MME to help it to determine whether S GW relocation is needed (and, if required, aid SGW selection). LTE Standards and Architecture 75

The source MME will perform access control by checking the UE’s CSG subscription when CSG ID is provided by the source eNodeB. If there is no subscription data for this CSG ID or the CSG subscription is expired, and the target cell is a CSG cell, the source MME will reject the handover with an appropriate cause.

The MME UE context includes IMSI, ME identity, UE security context, UE network capability, AMBR, selected CN operator ID, APN restriction, S-GW address and TEID for control signaling, and EPS bearer context(s).

An EPS bearer context includes the PDN GW addresses and TEIDs (for GTP-based S5/S8) or GRE keys (for PMIP-based S5/S8) at the PDN GW(s) for uplink traffic, APN, Serving GW addresses and TEIDs for uplink traffic, and TI.

RAN cause indicates the S1AP cause as received from source eNodeB.

The source MME includes the CSG ID in the FRR when the target cell is a CSG or hybrid cell. When the target cell is a hybrid cell, the CSG membership indication indicating whether the UE is a CSG member will be included in the FRR message.

The direct forwarding flag indicates if direct forwarding is applied, or if indirect forwarding is going to be set up by the source side.

The target MME will determine the maximum APN restriction based on the APN restriction of each bearer context in the FRR, and will subsequently store the new maximum APN restriction value.

If the UE receives only emergency services and the UE is UICCless, IMSI cannot be included in the MME UE context in FRR message. For emergency attached UEs, if the IMSI cannot be authenticated, then the IMSI will be marked as unauthenticated. Also, in this case, security parameters are included only if available.

Step 4. If the MME has been relocated, the target MME verifies whether the source S-GW can continue to serve the UE. If not, it 76 LTE Standards selects a new S-GW. If the MME has not been relocated, the source MME decides on this S-GW reselection.

If the source S-GW continues to serve the UE, no message is sent in this step. In this case, the target S-GW is identical to the source S- GW.

If a new S-GW is selected, the target MME sends a create session request (bearer context(s) with PDN GW addresses and TEIDs (for GTP-based S5/S8) or GRE keys (for PMIP-based S5/S8) at the PDN GW(s) for uplink traffic, serving network, UE time zone) message per PDN connection to the target S-GW. The target S-GW allocates the S-GW addresses and TEIDs for the uplink traffic on S1_U reference point (one TEID per bearer). The target S-GW sends a create session response (S-GW addresses and uplink TEID(s) for user plane) message back to the target MME.

Step 5. The target MME sends handover request (EPS bearers to setup, AMBR, S1AP cause, source to target transparent container, CSG ID, CSG membership indication, handover restriction list) message to the target eNodeB. This message creates the UE context in the target eNodeB, including information about the bearers, and the security context. For each EPS bearer, the bearers to setup includes S-GW address and uplink TEID for user plane, and EPS bearer QoS. If the direct forwarding flag indicates unavailability of direct forwarding and the target MME knows that there is no indirect data forwarding connectivity between source and target, the bearers to setup will include “data forwarding not possible” indication for each EPS bearer. Handover restriction list is sent if available in the target MME.

S1AP cause indicates the RAN cause as received from source MME.

The target MME will include the CSG ID and CSG membership indication when provided by the source MME in the FRR message.

The target eNodeB sends a handover request acknowledge (EPS bearer setup list, EPS bearers failed to setup list target to source transparent container) message to the target MME. The EPS bearer LTE Standards and Architecture 77 setup list includes a list of addresses and TEIDs allocated at the target eNodeB for downlink traffic on S1 U reference point (one TEID per bearer) and addresses and TEIDs for receiving forwarded data if necessary. If the UE AMBR is changed, e.g. all the EPS bearers, which are associated to the same APN, are rejected in the target eNodeB, the MME will recalculate the new UE-AMBR and signal the modified UE AMBR value to the target eNodeB.

If none of the default EPS bearers have been accepted by the target eNodeB, the target MME will reject the handover.

If the target cell is a CSG cell, the target eNodeB will verify the CSG ID provided by the target MME, and reject the handover with an appropriate cause if it does not match the CSG ID for the target cell. If the target eNodeB is in hybrid mode, it may use the CSG membership indication to perform differentiated treatment for CSG and non-CSG members.

Step 6. If indirect forwarding applies and the S-GW is relocated, the target MME sets up forwarding parameters by sending create indirect data forwarding tunnel request (target eNodeB addresses and TEIDs for forwarding) to the S-GW. The S-GW sends a create indirect data forwarding tunnel response (target S-GW addresses and TEIDs for forwarding) to the target MME. If the S-GW is not relocated, indirect forwarding may be set up in step 8 below.

Indirect forwarding may be performed via an S-GW that is different from the S-GW used as the anchor point for the UE.

Step 7. If the MME has been relocated, the target MME sends a forward relocation response (cause, target to source transparent container, S-GW change indication, EPS bearer setup list, addresses and TEIDs) message to the source MME. For indirect forwarding, this message includes S-GW address and TEIDs for indirect forwarding (source or target). S-GW change indication indicates a new S-GW has been selected.

Step 8. If indirect forwarding applies, the source MME sends a create indirect data forwarding tunnel request (addresses and TEIDs 78 LTE Standards for forwarding) to the Serving GW. If the Serving GW is relocated it includes the tunnel identifier to the target serving GW.

The S-GW responds with a create indirect data forwarding tunnel response (S-GW addresses and TEIDs for forwarding) message to the source MME.

Indirect forwarding may be performed via a S-GW that is different from the S-GW used as the anchor point for the UE.

Step 9. The source MME sends a handover command (target to source transparent container, bearers subject to forwarding, bearers to release) message to the source eNodeB. The bearer’s subject to forwarding includes list of addresses and TEIDs allocated for forwarding. The bearers to release include the list of bearers to be released.

Step 9a. The handover command is constructed using the target to source transparent container and is sent to the UE. Upon reception of this message the UE will remove any EPS bearers for which it did not receive the corresponding EPS radio bearers in the target cell.

Step 10. The source eNodeB sends the eNodeB status transfer message to the target eNodeB via the MME(s) to convey the PDCP and HFN status of the E-RABs for which PDCP status preservation applies. The source eNodeB may omit sending this message if none of the E-RABs of the UE will be treated with PDCP status preservation.

If there is an MME relocation, the source MME sends this information to the target MME via the forward access context notification message, which the target MME acknowledges. The source MME or, if the MME is relocated, the target MME, sends the information to the target eNodeB via the eNodeB status transfer message.

Step 11. The source eNodeB should start forwarding of downlink data from the source eNodeB toward the target eNodeB for bearers subject to data forwarding. This may be either direct (step 11a) or indirect forwarding (step 11b). LTE Standards and Architecture 79

Step 12. After the UE has successfully synchronized to the target cell, it sends a handover confirm message to the target eNodeB. Downlink packets forwarded from the source eNodeB can be sent to the UE. Also, uplink packets can be sent from the UE, which are forwarded to the target S-GW and on to the PDN GW.

Step 13. The target eNodeB sends a handover notify (TAI+ECGI) message to the target MME.

Step 14. If the MME has been relocated, the target MME sends a forward relocation complete notification message to the source MME. The source MME in response sends a forward relocation complete acknowledge message to the target MME. Regardless of whether the MME has been relocated or not, a timer in source MME is started to supervise when resources in source eNodeB and if the S-GW is relocated, also resources in source S-GW will be released.

Upon receipt of the forward relocation complete acknowledge message the target MME starts a timer if the target MME allocated S GW resources for indirect forwarding.

Step 15. The MME sends a modify bearer request (eNodeB address and TEID allocated at the target eNodeB for downlink traffic on S1 U for the accepted EPS bearers, ISR activated) message to the target S-GW for each PDN connection, including the PDN connections that need to be released. If the PDN GW requested UE’s location and/or user CSG information (determined from the UE context), the MME also includes the user location information IE and/or user CSG information IE in this message. If the UE time zone has changed, the MME includes the UE time zone IE in this message. For the case where neither MME nor S-GW changed, if ISR was activated before this procedure, MME should maintain ISR. The UE is informed about the ISR status in the tracking area update procedure.

The MME releases the non-accepted dedicated bearers by triggering the bearer release procedure. If the S-GW receives a DL packet for a non-accepted bearer, the S-GW drops the DL packet and does not send a downlink data notification to the MME. 80 LTE Standards

If the default bearer of a PDN connection has not been accepted by the target eNodeB and there are other PDN connections active, the MME will handle it in the same way as if all bearers of a PDN connection have not been accepted. The MME releases these PDN connections by triggering the MME requested PDN disconnection procedure.

When the modify bearer request does not indicate ISR activated the S-GW deletes any ISR resources by sending a delete bearer request to the other CN node that has bearer resources on the S-GW reserved.

Step 16. If the S-GW is relocated, the target S-GW assigns addresses and TEIDs (one per bearer) for downlink traffic from the PDN GW. It sends a modify bearer request (S-GW addresses for user plane and TEID(s), serving network) message per PDN connection to the PDN GW(s). The S-GW also includes user location information IE and/or UE time zone IE and/or user CSG information IE if they are present in step 15. The S-GW allocates DL TEIDs on S5/S8 even for non-accepted bearers. The PDN GW updates its context field and returns a modify bearer response (charging Id, MSISDN) message to the target S-GW. The MSISDN is included if the PDN GW has it stored in its UE context. The PDN GW starts sending downlink packets to the target GW using the newly received address and TEIDs. These downlink packets will use the new downlink path via the target S-GW to the target eNodeB.

If the S-GW is not relocated, but has received the user location information IE and/or UE time zone IE and/or user CSG information IE from the MME in step 15, the S-GW will inform the PDN GW(s) about these information that, e.g., can be used for charging, by sending the message modify bearer request (user location information IE, UE time zone IE, user CSG information IE) to the PDN GW(s) concerned. A modify bearer response message is sent back to the S-GW.

If the S-GW is not relocated and it has not received user location information IE nor UE time zone IE nor user CSG information IE from the MME in step 15, no message is sent in this step and LTE Standards and Architecture 81 downlink packets from the S-GW are immediately sent on to the target eNodeB.

Step 17. The target S-GW sends a modify bearer response message to the target MME. The message is a response to a message sent at step 15.

If the S-GW does not change, the S-GW will send one or more “end marker” packets on the old path immediately after switching the path in order to assist the reordering function in the target eNodeB.

Step 18. The UE initiates a tracking area update procedure when one of the conditions listed in clause “triggers for tracking area update” applies.

The target MME knows that it is a handover procedure that has been performed for this UE as it received the bearer context(s) by handover messages and therefore the target MME performs only a subset of the TA update procedure, specifically it excludes the context transfer procedures between source MME and target MME.

Step 19. When the timer started in step 14 expires the source, MME sends a UE context release command message to the source eNodeB. The source eNodeB releases its resources related to the UE and responds with a UE context release complete message. When the timer started in step 14 expires and if the source MME received the S-GW change indication in the forward relocation response message, it deletes the EPS bearer resources by sending delete session request (cause, LBI) messages to the source S-GW. Cause indicates to the source S-GW that the S-GW changes and the source S-GW will not initiate a delete procedure toward the PDN GW. The source S-GW acknowledges with delete session response messages. If ISR has been activated before this procedure, the cause also indicates to the source S-GW that the source S-GW will delete the bearer resources on the other old CN node by sending delete bearer request message(s) to that CN node.

Step 20. If indirect forwarding was used then the expiry of the timer at source MME started at step 14 triggers the source MME to 82 LTE Standards send a delete indirect data forwarding tunnel request message to the S- GW to release the temporary resources used for indirect forwarding that were allocated at step 8.

Step 21. If indirect forwarding was used and the S-GW is relocated, then the expiry of the timer at target MME started at step 14 triggers the target MME to send a delete indirect data forwarding tunnel request message to the target S GW to release temporary resources used for indirect forwarding that were allocated at step 6.

1.5.4.2. S1-based handover reject scenario The target eNodeB rejects the use of the handover procedure if none of the requested bearers in the handover request message could be established. In this case no UE context is established in the target MME/eNodeB and no resources are allocated. Furthermore, the target MME rejects the handover request and clears all resources in target eNodeB and target MME if the target eNodeB accepts the handover request but none of the default EPS bearers receive resources allocated. In both cases, the UE remains in the source eNodeB/MME.

Figure 1.53. S1-based handover reject scenario

Step 1–5. Steps 1 to 5 in the flow are identical to steps 1–5 mentioned in above scenario. LTE Standards and Architecture 83

Step 6a. If the target eNodeB fails to allocate any resources for any of the requested EPS bearers it sends a handover failure (cause) message to the target MME. The target MME clears any reserved resources for this UE in the target MME.

Step 6b. If the target MME receives a handover request acknowledge message from the target eNodeB but none of the default EPS bearers are in the EPS Bearer setup list IE, the target MME clears any reserved resources for this UE in both the target MME and the target eNodeB.

Step 7. This step is only performed for S-GW relocation, i.e. if steps 4/4a have been performed. The target MME deletes the EPS bearer resources by sending delete session request (cause) messages to the target S-GW. The target S-GW acknowledges with delete session response (cause) messages.

Step 8. The target MME sends the forward relocation response (cause) message to the source MME.

Step 9. When the source MME receives the forward relocation response message, it sends a handover preparation failure (cause) message to the source eNodeB.

1.5.4.3. S1-based handover cancel scenario Instead of completing the handover procedure, the source eNodeB may at any time during the handover procedure, up to the time when a handover command message is sent to the UE cancel the handover.

The MME will cancel the handover resources for cases where the source RAN is eNodeB.

1.6. LTE – roaming architecture

A network run by one operator in one country is known as a public land mobile network (PLMN). For its subscribers, it is the home- PLMN. Roaming is the process that allows users to move outside their 84 LTE Standards home network and get serviced by the resources from another operator’s network, called visited-PLMN.

A roaming user is connected to the E-UTRAN, MME and S-GW of the visited LTE network. However, LTE/SAE allows the P-GW of either the visited or the home network to be used.

Figure 1.54. Rooming architecture

The home network’s P-GW allows the user to access the home operator’s services even while in a visited network. A P-GW in the visited network allows a “local breakout” to the Internet in the visited network.

The interface between the serving and PDN gateways is known as S5/S8.

Roaming is one of the fundamental mobility management procedures of all cellular networks, if they support this feature. Roaming is defined as the ability for a cellular customer to automatically make and receive voice calls, send and receive data, or access other services, including home data services, when travelling outside the geographical coverage area of the home network, by means of using a visited network. This can be done by using a communication terminal or else just by using the subscriber identity in the visited network. Roaming is technically supported by mobility

LTE Standards and Architecture 85 management, authentication, authorization and billing procedures [WIK 14a].

Figure 1.55. Non-roaming architecture by 3GPP

Architecture standards describe two ways of dealing with roaming: – routing from home network to 58 interface; – local rupture between home operator and visited operator’s application.

Figure 1.56. Roaming architecture scenario with home routed traffic 86 LTE Standards

Figure 1.57. Roaming architecture for local breakout, with home operator’s application functions only

Figure 1.58. Roaming architecture for local breakout, with home visitor’s application functions only

Information flow could be divided into two groups: – Control plane: the control plane groups all the protocols for control and support of the user plane functions: - controlling the E-UTRA network access connection; LTE Standards and Architecture 87

- controlling the attributes of an established network access connection; - controlling the routing path of an established network connection in order to support user mobility; - controlling the assignment of network resources to meet the changing user demands. – User plane.

1.6.1. LTE network mobility management

Mobility management is one of the major functions of all mobile networks. It allows mobile phones – UEs – to work. The aim of mobility management is to track where the subscribers are, allowing calls, SMS and other mobile services to be delivered to them.

Location update procedure LTE, like all cellular networks, is a radio network rolled out with hundreds or thousands of individual cells, known as base stations. Each base station covers a small geographical area that is part of a uniquely identified location area. By integrating the coverage of each of these base stations, a cellular network provides a radio coverage over a much wider area. A group of base stations is called a location area, or a routing area. For LTE, it is the tracking area. A “location area” is a set of base stations that are grouped together to optimize signaling. To each location area, a unique number called a “location area code” is assigned. The location area code is broadcasted by each base station, known at regular intervals. If the location areas are very large, there will be many mobiles operating simultaneously, resulting in very high paging traffic, as every paging request has to be broadcasted to every base station in the location area. This wastes bandwidth and power on the mobile, by requiring it to listen for broadcast messages too much of the time. If on the other hand, there are too many small location areas, the mobile must contact the network very often for changes of location, which will also drain the mobile’s battery. A balance has therefore to be found and the 88 LTE Standards constitution of location areas on the field is an important task of the operator’s radio engineers.

The location update procedure is the process by which a mobile device informs the cellular network when it changes its location. The location code is rear by the mobile. When a mobile finds that the location area code is different from its last update, it performs another update by sending to the network, a location update request, together with its previous location, and the temporary identity it received from the network. Thus a subscriber has reliable access to the network and may be reached with a call.

A mobile will provide updated location information to the network. Whenever a mobile is switched on or off, the network may require it to perform an IMSI attach or IMSI detach location update procedure. Each mobile is required to regularly report its location at a set time interval using a periodic location update procedure. Whenever a mobile moves from one location area to the next while not on a call, a random location update is required. This is also required of a stationary mobile that reselects coverage from a cell in a different location area because of signal fade.

Tracking area The tracking area is the LTE counterpart of the location area and routing area. A tracking area is a set of cells. Tracking areas can be grouped into lists of tracking areas (TA lists), which can be configured on the UE. Tracking area updates are performed periodically or when the UE moves to a tracking area that is not included in its TA list.

Operators can allocate different TA lists to different UEs. This can avoid signaling peaks in some conditions: for instance, the UEs of passengers of a train may not perform tracking area updates simultaneously.

On the network side, the involved element is the MME. MME configures TA lists using NAS messages like attach accept, TAU accept or GUTI reallocation command. LTE Standards and Architecture 89

Non-access stratum (NAS) is a functional layer in LTE wireless telecom protocol stacks between the core network and UE. This layer is used to manage the establishment of communication sessions and for maintaining continuous communications with the UE as it moves. The NAS is defined in contrast to the access stratum that is responsible for carrying information over the wireless portion of the network. A further description of NAS is that it is a protocol for messages passed between the UE, also known as mobiles, and MME, that is passed transparently through the radio network. Examples of NAS messages include update or attach messages, authentication messages, service requests, etc. Once the UE establishes a radio connection, the UE uses the radio connection to communicate with the core nodes to coordinate service. The distinction is that the access stratum is for dialogue explicitly between the mobile equipment and the radio network and the NAS is for dialogue between the mobile equipment and core network nodes. For LTE, the technical standard for NAS is 3GPP TS 24.301 [WIK 14c].

The following functions exist in the non-access stratum: – Mobility management: maintaining connectivity and active sessions with UE as the user moves. – Call control. – Session management: establishing, maintaining and terminating communication links. – Identity management.

1.7. SIM for communications privacy

1.7.1. SIM

Subscriber’s identity module (SIM) is an important network element in the GSM system. It mirrors the information used in the authentication center (AUC) and home location register (HLR). 90 LTE Standards

Figure 1.59. Security architecture

GSM security is a 128 bits security. The Ki key and the A8 algorithm are permanent components of the SIM. A5 is built in the mobile terminal (ME in the GSM vocabulary). A5 is symmetrically implemented in the base station in order that the communications can be encoded and decoded for their radio transmission. The Ki is provided to the SIM with the international mobile subscriber identity (IMSI). Both are permanent data that characterize the subscriber – at least the subscription to be billed for the services.

The GSM family, of which LTE is part, defines a set of identifiers:

Mobile country code (MCC): MCC consists of three decimal numbers. It indicates the home country of the mobile subscriber. MCC is composed of three decimal numbers. The coding range is decimal 000–999.

MCC is used in IMSI and location area identity (LAI). 1) LAI. It is periodically transmitted in system information of each cell. MCC indicates the home country of GSM PLMN. MS uses the received information as the important basis for network selection. LTE Standards and Architecture 91

2) IMSI of MS. MS’s IMSI also contains MCC. It shows the resident country of the mobile subscriber. When MS logs on the network or applies for a certain service, it must report its IMSI to the network (when TMSI is unavailable). The network uses the MCC in IMSI to judge whether this subscriber is an international roaming subscriber.

As the unique country identity standard, MCCs are allocated and managed by the ITU. ITU recommendation E.212 (blue book) stipulated the MCC number for every country. Due to the special meaning of MCC, modification of it is prohibited once it has been set in the network.

Mobile network code (MNC): MNC is used to uniquely identify a specific GSM PLMN network in a certain country (decided by MCC). MNC is composed of two decimal numbers. The coding range is decimal 00–99.

MNC is used in IMSI and LAI.

IMSI also contains MNC. It shows the home GSM PLMN network of the subscriber. When MS logs on the network or applies for a certain service, it must report IMSI to the network (when TMSI is unavailable.). The network judges whether this subscriber is a roaming subscriber according to the MNC in IMSI, and uses it as one of the important parameters for addressing to subscriber HLR.

If a country has more than one GSM PLMN, different networks must have different MNC. MNC is allocated by relevant telecommunication management department of the country.

One operator can have one or more MNC (which regards to the scale provided by the service, usually one operator has one MNC). Different operators can share the same MNC. Due to the special meaning of MNC, modification is prohibited once it has been set in the network.

Location area identity (LAI). It is periodically transmitted in system information of each cell. Here, MNC indicates the network 92 LTE Standards number of GSM PLMN. MS uses the received information as an important basis for network selection.

The process for authentication and ciphering has been standardized in detail by 3GPP.

Figure 1.60. The process for authentication and ciphering

The Kc key, calculated with the A8 algorithm is introduced in the A5 ciphering algorithm, which encrypts the data on the radio path.

Figure 1.61. Kc Key

Figure 1.62 shows the different contributions to the privacy process of GSM. LTE Standards and Architecture 93

Figure 1.62. RAND and Ki

RAND is generated by the AUC. Ki is stored in the SIM with the IMSI of the subscriber. The SIM has the A3 algorithm implemented by the network operator during the personalization process.

RAND, SRES and Kc build a triplet. Triplets are provided to the VLR by the HLR/AUC in a limited number. When the VLR becomes dry from triplets, the mobile cannot register, so communications become impossible.

RAND and SRES are the inputs for authentication. Kc via the A5 algorithm ciphers the flow of transmitted data.

A3, A5 and A8 are secret algorithms.

Figure 1.63 shows the size of the components. Basically, the security process of GSM is a 128 bits process.

Figure 1.63. Ki 94 LTE Standards

Ki = individual key for authentication, stored with the IMSI.

SRES = signed response, is the result of a calculation made with the A3 algorithm on RAND and Ki.

The SIM also contains the TMSI, temporary identification, which is allocated to the mobile for a few minutes. TMSI is much shorter than the IMSI and saves radio resource.

Figure 1.64. TMSI, Kc, RAND and SRES

TMSI, Kc, RAND and SRES are non-permanent data.

Figure 1.65. Schema of the structure of a SIM card LTE Standards and Architecture 95

For GSM, the structure of the SIM files is relatively simple. The one for the LTE USIM is shown later and is much more complicated. (see 3GPP TS 51.011)

Figure 1.66. SIM

1.7.2. USIM

For 3G (UMTS) and 4G (LTE), 3GPP has divided the SIM in three entities, which of course are part of one smart card: – The UICC is the physical device, which may show different sizes, depending from the mobile terminal in which it is introduced. It also comprises the operating system, which is proprietary to the card manufacturer. 96 LTE Standards

– The USIM, which is the telecommunication application, widely speaking, since it includes the registers and applications for certain services provided by the network operator. – The ISIM, a different application running on the UICC, which allows us to access distant applications with a good level of security.

1.7.3. ISIM

An IP Multimedia Services Identity Module (ISIM) is an application running on an UICC smart card in the IP Multimedia Subsystem (IMS). Parameters identify and authenticate the user to the IMS. The ISIM application can co-exists with USIM on the same UICC.

ISIM includes an IP Multimedia Private Identity (IMPI), the home operator domain name, one or more IP Multimedia Public Identity (IMPU) and a long-term secret used to authenticate and calculate cipher keys. The first IMPU stored in the ISIM is used in emergency registration requests.

1.8. Glossary

Term Description 3GPP 3rd Generation Partnership Project 3GPP2 3rd Generation Partnership Project 2 ARIB Association of Radio Industries and Businesses ATIS Alliance for Telecommunication Industry Solutions AWS Advanced Wireless Services CAPEX Capital Expenditure CCSA China Communications Standards Association CDMA Code Division Multiple Access

LTE Standards and Architecture 97

CDMA2000 Code Division Multiple Access 2000 DAB Digital Audio Broadcast DSL Digital Subscriber Line DVB Digital Video Broadcast eHSPA evolved High Speed Packet Access ETSI European Telecommunications Standards Institute FDD frequency division duplex FWT fixed wireless terminal GSM Global System for Mobile communication HSPA High Speed Packet Access HSS Home Subscriber Server IEEE Institute of Electrical and Electronics Engineers IPTV Internet Protocol Television LTE Long Term Evolution MBMS Multimedia Broadcast Multicast Service MIMO Multiple input multiple output MME Mobility Management Entity NGMN Next generation mobile networks OFDM Orthogonal frequency division multiplexing OPEX Operational expenditure PAPR Peak-to-average power ratio PCI Peripheral component interconnect PCRF Policing and charging rules function PDSN Packet data serving node PS Packet switched QoS Quality-of-Service RAN Radio access network

98 LTE Standards

SAE System architecture evolution SC-FDMA Single-carrier frequency division multiple access SGSN Serving GPRS support node TDD Time division duplex TTA Telecommunications Technology Association TTC Telecommunication Technology Committee TTI Transmission time interval UTRA Universal Terrestrial Radio Access UTRAN Universal Terrestrial Radio Access Network WCDMA Wideband Code Division Multiple Access WLAN Wireless local area network

1.9. Appendix 1: Complete submission of 3GPP LTE release 10 and beyond (LTE-advanced) under step 3 of the IMT-advanced process

1.9.1. Summary of the candidate submission

In response to the ITU-R Circular Letter 5/LCCE/2, which invites proposals for candidate radio interface technologies for the terrestrial component of IMT-Advanced, the 3GPP is providing a complete submission of LTE release 10 and beyond (LTE-Advanced) under step 3 of the IMT-Advanced process in Document IMT-ADV/2(Rev.1)

This submission of the 3GPP candidate SRIT (which includes an FDD RIT component and a TDD RIT component) is based on the currently approved work within 3GPP and follows the ITU-R IMT- Advanced submission format and guidelines. LTE Standards and Architecture 99

The Proponent3 of the 3GPP submission (hereafter known as the 3GPP Proponent) is providing all the required parts of the complete submission for the first invitation by the final deadline as specified in Document IMT-ADV/2(Rev.1).

The 3GPP proponent has provided all required information within each of required major components either directly or by endorsement of this contribution made by 3GPP individual members on behalf of 3GPP: 1) The submission of the 3GPP candidate SRIT (which includes an FDD RIT component and a TDD RIT component) consists of completed templates as specified in section 3.2 together with any additional inputs that the proponent may consider relevant to the evaluation. 2) An initial self-evaluation endorsed by the 3GPP proponent is provided by 3GPP and based on the compliance templates in section 3.2.4. The initial self-evaluation has been performed using the same guidelines and criteria established for the evaluations under step 4 of the process as provided in Document IMT-ADV/2(Rev.1), based on the RIT/SRIT compliance template in section 3.2.4. 3) The constituent parties of the collective 3GPP proponent and IPR holders will indicate in separate correspondence their compliance with the ITU policy on intellectual property rights (see Appendix 1 of Resolution ITU-R 1), as specified in the Common Patent Policy for ITUT/ITU-R/ISO/IEC available at http://www.itu.int/ITU-T/dbase/ patent/patent-policy.html, in line with Article 55 of the 3GPP working procedures.

The 3GPP proponent is looking forward to continuing dialog with ITU-R WP5D through the entire process of the development of IMT-Advanced.

3 The 3GPP Proponent of the 3GPP submission is collectively the 3GPP Organizational Partners (OPs). The Organizational Partners of 3GPP are ARIB, ATIS, CCSA, ETSI, TTA and TTC (http://www.3gpp.org/partners). 100 LTE Standards

1.9.2. Classification of the candidate submission

The “LTE Release 10 & beyond (LTE-Advanced)” candidate technology submission is an SRIT and includes an FDD RIT component and a TDD RIT component.

1.9.3. Detailed checklist for the required elements for each candidate RIT within the composite SRIT and/or for the composite SRIT of the candidate submission (to fulfill section 3.1 of ITU-R Report M.2133)

– Minimum requirements: an RIT needs to fulfill the minimum requirements for at least one test environment. Furthermore, an SRIT is defined as a number of RITs each individually fulfilling the minimum requirements for at least one test environment and complementing each other. (IMT-ADV/2 Rev 1 Step 2) - Based on IMT-ADV/2 Rev 1 Step 2, for the “LTE Release 10 & beyond (LTE-Advanced)”, the FDD RIT component meets the minimum requirements of all four required test environments. - Based on IMT-ADV/2 Rev 1 Step 2, for the “LTE Release 10 & beyond (LTE-Advanced)” the TDD RIT component meets the minimum requirements of all four required test environments. - Based on IMT-ADV/2 Rev 1 Step 2, for the “LTE Release 10 & beyond (LTE-Advanced)”, the complete SRIT meets the minimum requirements of all four required test environments. – Templates: The submission of each candidate RIT or SRIT will be consisted of completed templates as specified in section 3.2 together with any additional inputs that the proponent may consider relevant to the evaluation. (M.2133, section 3.1 1)

- 3GPP has provided description templates – characteristics template (M.2133 section 3.1) for both the FDD and the TDD component. See Attachment 1, TR36.912 v9.0.0, Annex C1. - 3GPP has provided description templates – link budget template (M.2133 section 4.2.3.3) for both the FDD and the TDD component. See Attachment 1, TR36.912 v9.0.0, Annex C2. LTE Standards and Architecture 101

- 3GPP has provided compliance templates for services (M.2133 section 4.2.4.1) for both the FDD and the TDD component. See Attachment 1, TR36.912 v9.0.0, Annex C3. - 3GPP has provided Compliance templates for spectrum (M.2133 section 4.2.4.2) for both the FDD and the TDD component. See Attachment 1, TR36.912 v9.0.0, Annex C3. - 3GPP has provided compliance templates for technical performance (M.2133 section 4.2.4.3) for both the FDD and the TDD component. See Attachment 1, TR36.912 v9.0.0, Annex C3. – Version: Each proposal must also indicate the version of the minimum technical requirements and evaluation criteria of the IMT- advanced currently in force that it is intended for and make reference to the associated requirements.

The versions used are: Report ITU-R M.2133 Requirements, evaluation criteria and submission templates for the development of IMT-Advanced (approved 2008–11); Report ITU-R M.2134 Requirements related to technical performance for IMT-Advanced radio interface(s) (approved 2008–11); Report ITU-R M.2135 Guidelines for evaluation of radio interface technologies for IMT-Advanced (approved 2008–11) and Document ITU-R IMT- ADV/3 Correction of typographical errors and provision of missing texts of IMT-Advanced channel models in Report ITU-R M.2135 (July 2009). - Self-evaluation: The entity that proposes a candidate RIT or SRIT to the ITU-R (the proponent) will include with it either an initial self-evaluation or the proponents’ endorsement of an initial evaluation submitted by another entity and based on the compliance templates in section 3.2.4. (M.2133 Section 4.1 § 2).

The self-evaluation report of the 3GPP “LTE Release 10 & beyond (LTE-Advanced)” can be found in document 3GPP TR 36.912 v9.0.0, 3GPP; Technical Specification Group Radio Access Network; Feasibility study for Further Advancements for EUTRA (LTE-Advanced) (Release 9), section 16. 102 LTE Standards

1.9.4. Additional supporting information

3GPP provides in Attachment 1 additional supporting information in document 3GPP TR 36.912 v9.0.0, 3GGG, Technical Specification Group Radio Access Network; Feasibility study for Further Advancements for EUTRA(LTE-Advanced) (Release 9).

1.9.5. Contact person

Mr. Takehiro NAKAMURA, Chairman of 3GPP TSG RAN is the Contact Person designated by the 3GPP Proponent for any communication related to this submission.

Attachment 1 (RP-090939) 3GPP TR 36.912 v9.0.0, 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; Feasibility study for Further Advancements for EUTRA (LTE-Advanced) (Release 9) and related information files.

1.10. Appendix 2: GPRS Tunneling Protocol (GTP)

GTP is present at all levels of LTE.

Figure 1.67. GTP present at the interface between eNodeB and S-GW LTE Standards and Architecture 103

Figure 1.68. GTP between S-GW and P-GW

The GTP stack assigns a unique tunnel endpoint identifier (TEID) to each GTP control connection to the peers. The GTP stack also assigns a unique TEID to each GTP user connection (bearer) to the peers. The TEID is a 32 bit number field in the GTP (GTP-C or GTP-U) packet.

GTP-C allocates a TEID to identify a set of endpoints for a GTP-C tunnel. For each bearer, a separate GTP-U tunnel with its own TEID is established.

An ingress Packet Forwarding Engine performs GTP-C TEID route lookup to identify the target services PIC for the received packet for the following types of GTP-C messages: – create PDP context request (for secondary); – update PDP context request and response (GTPv1); – delete PDP context request and response (GTPv1); – create session response (GTPv2); – create bearer request and response (GTPv2); – modify bearer request and response (GTPv2); – delete session request and response (GTPv2); 104 LTE Standards

– delete bearer request and response (GTPv2).

Each GTP-U tunnel is also assigned a TEID. For example, the GTP-U tunnel for a default bearer would have its own TEID.

Figure 1.69. GPRS tunneling protocol in LTE

GTP is an important IP/UDP-based protocol used in GSM, UMTS and LTE core networks. It is used to encapsulate user data when passing through core network and also carries bearer specific signaling traffic between various core network entities.

Figure 1.70. GPRS tunneling protocol Types LTE Standards and Architecture 105

GTP in LTE: – It provides mobility. When UE is mobile, the IP address remains the same and packets are still forwarded since tunneling is provided between PGW and eNB via SGW. – Multiple tunnels (bearers) can be used by same UE to obtain different network QoS. – Main IP remains hidden, so it provides security as well, – Creation, deletion and modification of tunnels in case of GTP-C.

GTP Interfaces in LTE:

In LTE, version 1 is used for GTP-U and version 2 is used for GTP-C.

In simple LTE network implementation, GTP-v2 is used on S5 and S11 interfaces and GTPv1 is used on S1-U, S5, X2-U interfaces (as shown below). In inter-RAT and inter PLMN connectivity, S3, S4, S8, S10, S12 and S16 interfaces also utilize GTP protocols.

How GTP-U works ? GTP-U encapsulation of UE user plane traffic can be easily understood by taking any simple example. Let us see what happens when IP packet generated by UE reaches to eNodeB and is then forwarded to SGW.

Consider any application on UE creates an IP/TCP packet. This packet consist of actual data by application, TCP or UDP header and the IP field information which has source address of UE and destination address of application server (e.g. Facebook).

When the eNodeB receives this packet over air interface, it will put the IP packet inside GTP header which has information related to tunnel IDs. Then further, it is encapsulated inside UDP and IP header and forwarded as Ethernet frame toward SGW. Here the IP header contains eNodeB IP as a source address and SGW IP as a destination address 106 LTE Standards

GTP-C signaling messages As GTP-Cv2 in LTE is used for tunnel management, some of the signaling messages are listed below which use GTP-Cv2 protocol.

LTE Standards and Architecture 107

1.11. Appendix 3: The SGW implementation by CISCO

The following is a list of acronyms used in the Figure in Appendix 3 (section 1.11) – Serving GPRS Support Node (SGSN); – UMTS Terrestrial Radio Access Network (UTRAN); – GSM EDGE Radio Access Network (GERAN); – Evolved UTRAN (E-UTRAN); – Mobility Management Entity (MME); – Serving Gateway (SGW); – PDN Gateway (PGW); – Charging Gateway Function (CGF); – Home Subscriber Server (HSS); – Policy and Charging Rules Function (PCRF); – Online Charging System (OCS); – Authentication, Authorization, and Accounting (AAA); – Diameter Credit Control Application (DCCA). 108 LTE Standards

Cisco LTE SGW description For each UE associated with the EPS, there is a single SGW at any given time.

The Cisco LTE SGW Release 1.x supports GTP-based non- roaming and roaming architectures, and control and data plane functions defined by 3GPP TS 23.401 for 3GPP access networks.

The Cisco LTE SGW provides the following support: – routes and forwards data packets from the UE; – terminates the interface toward Evolved UMTS Terrestrial Radio Access Network (E-UTRAN); – mobility anchor point for inter-3GPP mobility (terminating S4 and relaying traffic between 2.5G/3G and LTE networks; – ECM-IDLE mode downlink packet buffering and initiation of network triggered service request procedure; – user traffic replication for lawful intercept; – uplink (UL) and downlink (DL) charging per UE, PDN, and QoS Class Identifier (QCI) (for example, for roaming with home- routed traffic); – handling of various messages between the MME, eNodeB, serving GPRS support node (SGSN), and PGW; – processes both control and user plane messages.

The Cisco LTE SGW runs on the Cisco Service and Application Module for IP (SAMI), a new-generation high-performance service module for the Cisco 7600 Series Router platforms.

For more information about the Cisco SAMI, see the Cisco Service and Application Module for IP User Guide.

System requirements This section describes the system requirements for Cisco LTE SGW Release 1.x and includes the following sections: LTE Standards and Architecture 109

– memory recommendations; – hardware and software requirements; – determining the software version; – upgrading to a new software release;

For hardware requirements, such as power supply and environmental requirements and hardware installation instructions, see the Cisco Service and Application Module for IP User Guide.

Memory recommendations

Platforms Feature Software Recommended Recommended Runs sets image flash memory DRAM from (MB) memory (GB) Cisco SGW c7svcsami 128 2 RAM SAMI/ Standard -l4ik9s- Cisco Feature mz 7600 Set

Table 1.20. Images and memory recommendations for Cisco LTE SGW Release 1.x

Hardware and software requirements Implementing a Cisco LTE SGW Release 1.x on the Cisco 7600 series internet router platform requires the following hardware and software: – any module that has ports to connect to the network; – a Cisco 7600 series router and one of the following supervisor engines running Cisco IOS Release 15.0(1)S or later: - Cisco 7600 Series Supervisor Engine 720 with a Multiplayer Switch Feature Card 3 (WS-SUP720); - Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3B (WS-SUP720-3B); - Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3BXL (WS-SUP720- 3BXL); 110 LTE Standards

- Cisco 7600 Series Supervisor Engine 32 with a Multiplayer Switch Feature Card (WS-SUP32-GE-3B) with LCP ROMMON Version 12.2(121) or later on the Cisco SAMI; - Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card and 10-Gigabit Ethernet Uplinks (WS-SUP32- 10GE-3B) with LCP ROMMON Version 12.2[121] or later on the Cisco SAMI.

Or one of the following Cisco 7600 series Route Switch Processors running Cisco IOS Release 15.0(1)S or later: – Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3C (RSP720-3C-GE); – Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3CXL (RSP720-3CXL-GE); – Cisco 7600 Series Route Switch Processor 720 with 10-Gigabit Ethernet Uplinks with Distributed Forwarding Card 3CXL (RSP720- 3CXL-10GE).

For details on upgrading the Cisco IOS release running on the supervisor engine, refer to the “Upgrading to a New Software Release” section in the Release Notes for Cisco IOS Release 15.0S. For information about verifying and upgrading the LCP ROMMON image on the Cisco SAMI, refer to the Cisco Service and Application Module for IP User Guide.

1.12. Appendix 4: AT&T has LTE small cells “in the lab”: Source Dan Janes, Site Editor, Light Reading mobile [JON 13]

AT&T Inc. now has small cells in the lab that combine 3G, 4G and Wi-Fi and is gearing up for a nationwide launch of the technology that will be part of its HSPA+ network.

“Small cells” have been the blanket term for a new breed of tiny base station that can be used to increase data speeds, voice coverage and network density as data traffic grows. As you will see, for AT&T these little radios will come in several flavors. LTE Standards and Architecture 111

The operator’s senior VP of small cells, Gordon Mansfield, was on hand at AT&T’s Innovation Showcase in downtown New York on Thursday morning to give Light Reading Mobile some more insight into the operator’s ambitions. (See AT&T’s Armada: 4G, Small Cells & More.)

“They’re currently in my lab”, Mansfield says of the combo LTE/3G/Wi-Fi small cells. AT&T defines these units as a Multi- Standard Metrocell (MSM). The operator intends for these multimode units to be deployed in public venues with indoor and outdoor versions that support up to 64 simultaneous calls.

LR Mobile asked Mansfield when the MSM units will start to move out of the lab and onto the network. “It would be foolish to think less than a year” but probably will not take two years, he said.

Metrocells that will increase voice coverage and data speeds on AT&T’s HSPA+ network, which it markets as “4G”, are coming much sooner. “We’ve got a significant portion of the country updated”, Mansfield says.

AT&T defines a “Metrocell” as a “4G” unit that can be deployed in big offices or neighborhoods, with indoor and outdoor versions that can support up to 32 simultaneous calls. At the showcase event, AT&T was boasting that the metrocells have achieved nearly 100% outdoor coverage in Crystal Park Lake, MO. The Crystal Park Lake area is a Missouri Class 4 city with a population of around 470 that covers an area of 64 acres. AT&T has also been testing small cells in an enterprise setting in the Milwaukee metro area and a high-rise business setting in NYC.

AT&T had an Alcatel-Lucent 9364 version 2 outdoor microcell on show at the event. Mansfield said that he is looking for both the MSM and metrocell deployments to be multivendor affairs.

Ahead of the nationwide switch-on for the HSPA+ metrocell deployment, AT&T has been working to update its data centers and roll out updates to its mobile switching centers (MSCs) in its core 112 LTE Standards network. The MSCs manage call services for phones roaming in its area.

This is necessary for the phone to work as the user would expect when roaming across the small-cell network. “If they dial 911, it better route to 911 and not somewhere else”, Mansfield notes.

“That’s coming pretty soon”, Mansfield says of these updates.

AT&T has famously – or maybe infamously – said that it will deploy 40,000 small cells by the end of 2015. So, we asked Mansfield how he sees that target moving along.

“At this point I see no reason to believe that we won’t hit that number... and we could revise it next year”, he said.

OFDMA

2.1. What is OFDM/OFDMA?

One of the key elements of Long Term Evolution (LTE) is the use of Orthogonal Frequency Division Multiplex (OFDM) as the signal bearer and the associated access schemes, OFDMA (Orthogonal Frequency Division Multiplex Access) and Single Carrier Frequency Division Multiple Access (SC-FDMA).

OFDM is a modulation format that is very suitable for carrying high data rates – one of the key requirements for LTE.

OFDM can be used in both frequency division duplex (FDD) and time division duplex (TDD) formats, and LTE operates in both FDD and TDD modes.

Therefore, LTE is an OFDMA-based technology standardized in 3rd Generation Partnership Project (3GPP) release 8 and the following releases 9, 10, 11 and 12 to date.

OFDMA stands for Orthogonal Frequency Division Multiplex Access. It is based on OFDM, a coding scheme invented in Centre Commun d’etudes en telecommunications et television (CCETT, Rennes, France) in 1982. The purpose of OFDM was, at that time, focused on digital television transmission. OFDM and OFDMA are two different variants of the same broadband wireless air interface that 114 LTE Standards are often mistaken for one another. OFDMA is a form of OFDM, which is the underlying technology.

OFDM is a superior air access, which has been chosen for LTE and now adopted by most radio communication systems, such as WiMax and Wi-Fi. OFDM is the coding scheme of all digital television systems, especially terrestrial (DVB-T and DVB-T2) and satellite (DVB-S2) broadcasting – and also of DAB. It is also the basis of the last avatars of Communications on Power Lines (CPL). Also, OFDM is one of the key technologies that enable non-line of sight wireless services making it possible to extend wireless access system over wide areas.

The interfaces of both OFDM and OFDMA work by separating a single signal into subcarriers, called subchannels, or, in other words, by dividing one extremely fast signal into numerous slow signals that optimize mobile access, as the subchannels can then transmit data without being subject to the same intensity of multipath distortion faced by single carrier transmission. The numerous subcarriers are then collected at the receiver and recombined to form one high-speed transmission.

Normally, the signals carried by the numerous subcarriers would be expected to interfere with each other, but by making the signals orthogonal to each other there is no mutual interference. The data to be transmitted is split across all the carriers to give resilience against selective fading from multipath effects.

Figure 2.1. OFDM frequency and time domain OFDMA 115

The difference between OFDM and OFDMA is that OFDMA has the ability to dynamically assign a subset of those subcarriers to individual users, making this the multiuser version of OFDM, using either Time Division Multiple Access (TDMA) (separate time frames) or Frequency Division Multiple Access (FDMA) (separate channels) for multiple users. OFDMA simultaneously supports multiple users by assigning them specific subchannels for intervals of time. Point-to-point systems are OFDM, and do not support OFDMA. Point-to-multipoint fixed and mobile systems use OFDMA.

2.1.1. Claimed OFDMA advantages

– Flexibility of deployment across various frequency bands with little necessary modification to the air interface. - The primary advantage of OFDM over single carrier schemes is its ability to cope with severe channel conditions (for example, attenuation of high frequencies in a long copper wire, narrowband interference and frequency-selective fading due to multipath) without complex equalization filters. - Channel equalization is simplified because OFDM may be viewed as using many slowly-modulated narrowband signals rather than one rapidly-modulated wideband signal. - The low symbol rate makes the use of a guard interval between symbols affordable, making it possible to eliminate intersymbol interference (ISI). - This mechanism also facilitates the design of single frequency networks (SFNs), where several adjacent transmitters send the same signal simultaneously at the same frequency, as the signals from multiple distant transmitters may be combined constructively, rather than interfering as would typically occur in a traditional single carrier system. - Averaging interferences from neighboring cells, by using different basic carrier permutations between users in different cells. - Interferences within the cell are averaged using allocation with cyclic permutations. 116 LTE Standards

- Enables SFN coverage, where coverage problem exists and gives excellent coverage. OFDM enables broadcast services on a synchronized SFN with the appropriate cyclic prefix (CP). Broadcast signals from different cells combine over the air, the received signal power and the data rate is thus increased. - Offers frequency diversity by spreading the carriers all over the used spectrum. – Allows per channel or per subchannel power.

2.1.2. Recognized disadvantages of OFDMA

– Higher sensitivity to frequency offsets and phase noise and Doppler shift as well. - Higher peak to average ratio (PAR). - Asynchronous data communication services such as web access are characterized by short communication bursts at high data rate. Few users in a base station cell are transferring data simultaneously at low constant data rate. - The complex OFDM electronics, including the fast Fourier transform (FFT) algorithm and forward error correction, are constantly active independent of the data rate, which is inefficient from power consumption point of view, while OFDM combined with data packet scheduling may allow FFT algorithm to hibernate during certain time intervals. - The OFDM diversity gain, and resistance to frequency-selective fading, may partly be lost if very few subcarriers are assigned to each user, and if the same carrier is used in every OFDM symbol. Adaptive subcarrier assignment based on fast feedback information about the channel, or subcarrier frequency hopping, is therefore desirable. - Dealing with co-channel interference from nearby cells is more complex in OFDM than in CDMA. It would require dynamic channel allocation with advanced coordination among adjacent base stations. – The fast channel feedback information and adaptive subcarrier assignment is more complex than CDMA fast power control. OFDMA 117

2.1.3. Characteristics and principles of operation

According to the channel performances, adaptive user-to-subcarrier assignment can be achieved. If the assignment is done sufficiently fast, this improves the OFDM robustness with fast fading and narrowband cochannel interference correction, and it makes it possible to achieve even better system spectral efficiency.

Different numbers of subcarriers can be assigned to different users, with a view to support differentiated Quality of Service (QoS), i.e. to control the data rate and error probability individually for each user.

OFDMA can be seen as an alternative to combining OFDM with TDMA or time-domain statistical multiplexing, i.e. packet mode communication. Low-data-rate users can send continuously with low transmission power instead of using a “pulsed” high-power carrier. Constant delay, and shorter delay, can be achieved.

OFDMA can also be described as a combination of frequency domain and time domain multiple access, where the resources are partitioned in the time-frequency space, and slots are assigned along the OFDM symbol index as well as OFDM subcarrier index.

OFDMA is considered as highly suitable for broadband wireless networks, due to advantages including scalability and use of multiple antennas (MIMO)-friendliness, and ability to take advantage of channel frequency selectivity.

In spectrum sensing cognitive radio, OFDMA is a possible approach to fill free radio frequency bands adaptively.

OFDMA is used in: – the mobility mode of the IEEE 802.16 Wireless MAN standard, commonly referred to as WiMAX; – the IEEE 802.20 mobile Wireless MAN standard, commonly referred to as MBWA; – MoCA 2.0; 118 LTE Standards

– the downlink of the 3GPP LTE fourth generation (4G) mobile broadband standard. The radio interface was formerly named High Speed OFDM Packet Access (HSOPA), now named Evolved Universal Mobile Telecommunications Service (UMTS) Terrestrial Radio Access (E-UTRA).

OFDMA is also a candidate access method for the IEEE 802.22 Wireless Regional Area Networks (WRAN). The project goal is to set the first radio-based standard that operates in the very high frequency (VHF) and spectrum ultra high frequency (UHF) TV spectrum.

Figure 2.2. OFDMA subcarriers

2.2. General principles

OFDM may be considered as a variant of the Frequency Division Multiplexing (FDM) scheme in which the frequency channel is divided into multiple smaller subchannels. In FDM, subchannelization requires provisioning of guard bands between two subchannels to avoid interference between them.

OFDM divides the frequency bandwidth in narrow orthogonal subparts called subcarriers. A subchannel is an aggregation of a number of these subcarriers. OFDM splits one fast carrier into many slow subcarriers. By spreading data across N carriers, one bit has N times the length of what would be using only a fast carrier, and this is achieved with roughly the same bandwidth. Being longer, each bit is more immune to noise and jamming.

OFDMA 119

Since the subcarriers that carry data are transmitted at a low rate, with higher symbol time, OFDM is more resilient to multipath effects. Therefore, it is more suitable for wide-area non-line of sight wireless access technology.

Also, using overlapping orthogonal subcarriers without guard bands makes it more efficient than the FDM scheme in terms of bits per Hertz. OFDM is a spread-spectrum technology in which energy generated at a particular bandwidth is spread across a wider bandwidth making it more resilient to interference and “jamming”.

Figure 2.3. OFDM frequency

OFDM is a technique for transmitting large amounts of digital data over a noisy channel, such as the power grid or Rayleigh/Rice radio channels. The technology works by splitting the signal into multiple smaller subsignals that are then transmitted simultaneously at different (orthogonal) frequencies. Each smaller data stream is then mapped to individual data subcarriers and modulated using some sort of Phase Shift Keying (PSK, e.g. BPSK, QPSK and 8 PSK) or Quadrature Amplitude Modulation (QAM, e.g. 16 QAM, 32 QAM, 64 QAM and event 256 QAM).

Besides its high spectral efficiency, an OFDM system reduces the amount of cross talk in signal transmissions and can efficiently overcome interference and frequency-selective fading caused by multipath. 120 LTE Standards

Figure 2.4. Channels

While OFDM addresses communications in noisy environments, it is still insufficient to achieve reliable communications in very harsh conditions. To further improve reliability, the OFDM method can be combined with a multiple access scheme. This approach is called OFDMA.

OFDMA exploits frequency selectivity of the multipath channel with low complexity receivers. It allows frequency selectivity on top of frequency diverse scheduling and one cell reuse of available bandwidth.

Furthermore, due to its frequency domain nature, OFDM enables flexible bandwidth operation with low complexity devices. Smart antenna technologies are also easier to support with OFDM, since each subcarrier becomes flat faded and the antenna weights can be optimized on a per subcarrier (or block of subcarriers) basis.

OFDMA is a multiuser version of the OFDM scheme. Multiple access is achieved in OFDMA by assigning subsets of subcarriers to individual data streams. This allows simultaneous transmission of several individual data streams. OFDMA further improves OFDM robustness to fading and interference, but more importantly the individual data streams can be used either to communicate with multiple nodes (power meters) simultaneously or for redundancy, thus, greatly improving the reliability of the system. OFDMA 121

The subcarriers include data carriers, pilot carriers and a data carrier (DC). The DCs are used to carry the traffic data; the pilot carriers are used for channel sensing purposes; and the DC marks the center of the channel. Each subcarrier is modulated with a conventional modulation scheme such as QAM or PSK at a low symbol rate. Each user is provided with an integer number of subchannels which is composed of a number of subcarriers. User data is carried in parallel on each subcarrier at a low rate. The combination of the parallel subcarriers at the destination provide for the high data rates.

OFDM allows adaptive assignment of subcarriers to subchannels based on channel conditions making it more robust and achieving higher spectral efficiency than all other schemes.

In order to share a piece of spectrum between many users, it is necessary that anyone does not suffer from the communications issued by the others. In 0 G or 1 G system, subscriber were given a precise frequency with the phase of frequency modulation, the different assigned frequencies, being sufficiently distant to avoid interferences.

With GSM and DAMS, voice has been digitized with vocoder. So the mobile systems are carrying only digital baseband signals for voice communication as well as data communication.

The allocated channels are set orthogonal, since they do not hamper one another. Orthogonal channel are provided by FDM (frequency division multiplex), TDM (time division multiplex) and CDM (code division multiplex). The last avatar of the orthogonal channel is provided by OFDM (offset frequency division multiplex). In OFDMA (offset frequency division multiplex access), the call is assigned a set of subcarrier frequencies, on which the different bits of the data stream are transmitted.

The advantage of DMA is that it mitigates or eventually eliminates the Rayleigh fading. This is due to the fact that the allocated subcarriers use different frequencies. 122 LTE Standards

In the OFDMA process, the data stream has to be buffered in order that a long stream of bits can be properly sent on the chosen subcarriers.

Figure 2.5. OFDM techniques

The transmitted signal is obtained by a Fourier transform. The distance between subcarriers is n / Ts (the smallest separation being 1/Ts).

In the real system, each subcarrier does not carry only one bit in a Ts interval since it is modulated (in LTE) in QPSK up to 64 QAM. This is achieved by just processing at the same time a longer stream of data bits at the entrance of encoder. Symmetrically the decoder at the receiving side is made aware of the phase (/Amplitude) modulation that has been applied.

Since the process applies in a binary environment, instead of a Fourier transform, a discrete Fourier transform DFT is used on the encoding side and the inverse Fourier transform (IFT) at the receiving side. More, the sampling is made with a power of two DFT and IFT which is just a regular FFT (Fast Fourier Transform). This calculation can be easily implemented in regular DSP.

2.2.1. Cyclic prefixes

Signal propagation phenomena are modelled as the Rayleigh fading or multipath interference. For LTE and OFDMA this is creating an overlab of 2 symbols which is called intersymbol interference or ISI. OFDMA 123

The modulation is based on the amplitude and the phase, so in case of overlapping there are two different amplitudes and phases. The receiver is not able to decode the state of the symbol.

Therefore, a few more standard techniques are used in combination with the above OFDM definition in practical radio systems: – guard limits ISI: added guard time allows for larger delay spread and limits multipath interference from one symbol to the next; – CP limits intercarrier interference (ICI): by transmitting a cyclical replica of the signal as a cyclical prefix, frequency orthogonality is improved between carriers; – data scrambling, FEC encoding, interleaving, puncturing, even MIMO are also typically used as in other modern radio systems; – the guard time is called the CP: it facilitates demodulation.

Figure 2.6. Cyclic prefix

The CP transforms the classical channel convolution into a cyclic convolution, which permits easy demodulation after FFT.

Figure 2.7. Transformation 124 LTE Standards

Therefore, OFDM systems are well suited to resolving rich multipath situations and slow time varying channels, which explains their popularity for standards like LTE. However, they are not ideal for Doppler shift and phase noise.

2.3. LTE channel: bandwidths and characteristics

One of the key parameters associated with the use of OFDM within LTE is the choice of bandwidth. The available bandwidth influences a variety of decisions including the number of carriers that can be accommodated in the OFDM signal and this in turn influences elements including the symbol length and so forth.

LTE defines a number of channel bandwidths. Obviously the greater the bandwidth, the greater the channel capacity.

The channel bandwidths that have been standardized for LTE are: – 1.4 MHz; – 3 MHz; – 5 MHz; – 10 MHz; – 15 MHz; – 20 MHz.

The subcarriers are spaced 15 kHz apart from each other. To maintain orthogonality, this gives a symbol rate of 1/15 kHz = 66.7 µs.

Each subcarrier is able to carry data at a maximum rate of 15 ksps (kilosymbols per second). This gives a 20 MHz bandwidth system a raw symbol rate of 18 Msps. In turn this is able to provide a raw data rate of 108 Mbps as each symbol using 64 QAM is able to represent six bits. OFDMA 125

These rates do not align with the figures given in the LTE specifications. The actual peak data rates are derived by first subtracting the coding and control overheads.

2.3.1. LTE OFDM cyclic prefix, CP

OFDM shows an excellent resilience to multipath delays and spread. However it is still necessary to implement methods of adding resilience to the system. This helps in overcoming the ISI.

In areas where ISI is expected, it can be avoided by inserting a guard period into the timing at the beginning of each data symbol. It is then possible to copy a section from the end of the symbol to the beginning. This is known as the CP. The receiver can then sample the waveform at the optimum time and avoid any ISI caused by reflections that are delayed by times up to the length of the CP.

Figure 2.8. Effect of multipath propagation

The length of the CP is important. If it is not long enough then it will not counteract the multipath reflection delay spread. If it is too long, then it will reduce the data throughput capacity. For LTE, the standard length of the CP has been chosen to be 4.69 µs. This enables the system to accommodate path variations of up to 1.4 km. With the symbol length in LTE set to 66.7 µs. 126 LTE Standards

The symbol length is defined by the fact that for OFDM systems the symbol length is equal to the reciprocal of the carrier spacing so that orthogonality is achieved. With a carrier spacing of 15 kHz, this gives the symbol length of 66.7 µs.

Figure 2.9. LTE OFDMA in the downlink

2.3.2. LTE OFDMA in the downlink

The OFDM signal used in LTE comprises a maximum of 2,048 different subcarriers having a spacing of 15 kHz. Although it is mandatory for the mobiles to have the capability to be able to receive all 2,048 subcarriers, not all need to be transmitted by the base station, which only needs to be able to support the transmission of 72 subcarriers. In this way all mobiles will be able to talk to any base station.

The LTE OFDM signal can be carried on three types of modulation: – QPSK (= 4 QAM) 2 bits per symbol; – 16 QAM 4 bits per symbol; – 64 QAM 6 bits per symbol. OFDMA 127

Figure 2.10. 16 QAM modulation: 4 bits per symbol

The exact format is chosen depending upon the prevailing conditions. The slower form of modulation (QPSK) does not require such a large signal-to-noise ratio but it is not able to send the data as fast. When there is a sufficient signal-to-noise ratio the higher order modulation format should be used.

2.3.3. Downlink carriers and resource blocks

In the downlink, the subcarriers are split into resource blocks (RBs). This enables the system to be able to compartmentalize the data across standard numbers of subcarriers.

Figure 2.11. LTE RB allocation 128 LTE Standards

RBs comprise 12 subcarriers, regardless of the overall LTE signal bandwidth. They also cover one slot in the time frame. This means that different LTE signal bandwidths will have different numbers of RBs.

Channel bandwidth (MHz) 1.4 3 5 10 15 20 Number of resource blocks 6 15 25 50 75 100

Table 2.1. Number of resource block by channel bandwidth

Figure 2.12. Uplink

2.3.4. LTE SC-FDMA in the uplink

For the LTE uplink, a different concept is used for the access technique. Although still using a form of OFDMA technology, the implementation is called SC-FDMA, a modified form of OFDMA, also called DFT-Spread OFDM (DFT_SOFDM). SC-FDMA improves the peak-to-average power ratio (PAPR) compared with OFDM. The PAPR will be equivalent to a single carrier’s one. It reduces the cost of the power amplifier of the mobile. It reduces power amplifier back- off and thus improves coverage.

One of the key parameters that affects all mobiles is that of battery life. Even though battery performance is improving all the time, it is still necessary to ensure that the mobiles use as little battery power as possible. With the RF power amplifier that transmits the radio frequency signal via the antenna to the base station being the highest OFDMA 129 power item within the mobile, it is necessary that it operates in as efficient mode as possible. This can be significantly affected by the form of radio frequency modulation and signal format. Signals that have a high PAR and require linear amplification do not lend themselves to the use of efficient RF power amplifiers.

As a result it is necessary to employ a mode of transmission that has as near a constant power level as possible when operating.

OFDM has a high PAR. While this is not a problem for the base station where power is not a particular problem, it is unacceptable for the mobile. As a result, LTE uses a modulation scheme known as SC- FDMA – Single Carrier Frequency Division Multiplex – which is a hybrid format. This combines the low PAR offered by single carrier systems with the multipath interference resilience and flexible subcarrier frequency allocation that OFDM provides.

SC-FDMA groups together the RBs in such a way that reduces the need for linearity, and so power consumption, in the power amplifier. A low PAPR also improves coverage and the cell-edge performance. SC-FDMA can be interpreted as a linearly precoded OFDMA scheme, in the sense that it has an additional DFT processing step preceding the conventional OFDMA processing.

In OFDM, each modulation symbol “sees” a single 15 kHz subcarrier (flat channel). In SC-FDMA, each modulation symbol “sees” all the bandwidth (i.e. N blocks of 180 kHz). Therefore equalization is compulsory in the SC-FDMA receiver.

Figure 2.13. SC-FDMA spreads the data symbols all over the system bandwidth 130 LTE Standards

DFT-Spread OFDM (DFTS-OFDM) combines the desired properties for the mobile set: – Small variations in the instantaneous power of the transmitted signal (‘single carrier’ property). – Possibility for low-complexity high-quality equalization in the frequency domain. – Possibility for FDMA with flexible bandwidth assignment. – Allows simultaneous low-data-rate transmission from several users. – Pulsed carrier can be avoided. – Lower maximum transmission power for low data rate users. – Shorter delay, and constant delay. – Contention-based multiple access (collision avoidance) is simplified. – Further improves OFDM robustness to fading and interference. – Combat narrow-band interference.

2.3.5. Transmitter and receiver structure of LP-OFDMA/SC-FDMA

The transmission processing of SC-FDMA is very similar to that of OFDMA. For each user, the sequence of bits transmitted is mapped to a complex constellation of symbols (BPSK, QPSK or M-QAM). Then different transmitters (users) are assigned different Fourier coefficients. This assignment is carried out in the mapping and demapping blocks. The receiver side includes one demapping block, one IDFT block, and one detection block for each user signal to be received. Just like in OFDM, guard intervals (called CPs) with cyclic repetition are introduced between blocks of symbols with a view to efficiently eliminate ISI from time spreading (caused by multipath propagation) among the blocks.

In SC-FDMA, multiple access among users is made possible by assigning different users different sets of non-overlapping Fourier OFDMA 131 coefficients (subcarriers). This is achieved at the transmitter by inserting (prior to IFFT) silent Fourier coefficients (at positions assigned to other users), and removing them on the receiver side after the FFT.

Figure 2.14. Localized mapping and distributed mapping

The distinguishing feature of SC-FDMA is that it leads to a single carrier transmit signal, in contrast to OFDMA which is a multicarrier transmission scheme. Subcarrier mapping can be classified into two types: localized mapping and distributed mapping.

In localized mapping, the DFT outputs are mapped to a subset of consecutive subcarriers, thereby confining them to only a fraction of the system bandwidth. In distributed mapping, the DFT outputs of the input data are assigned to subcarriers over the entire bandwidth non- continuously, resulting in zero amplitude for the remaining subcarriers. A special case of distributed SC-FDMA is called interleaved SC-FDMA (IFDMA), where the occupied subcarriers are equally spaced over the entire bandwidth.

Owing to its inherent single carrier structure, a prominent advantage of SC-FDMA over OFDM and OFDMA is that its transmit signal has a lower PAPR, resulting in relaxed design parameters in the transmit path of a subscriber unit. Intuitively, the reason lies in the fact that where OFDM transmit symbols directly modulate multiple subcarriers, SC-FDMA transmit symbols are first processed by an N-point DFT block. 132 LTE Standards

In OFDM, as well as SC-FDMA, equalization is achieved on the receiver side, after the FFT calculation, by multiplying each Fourier coefficient by a complex number. Thus, frequency-selective fading and phase distortion can easily be combatted. The advantage is that frequency domain equalization (FDE) using FFTs requires less computation than conventional time-domain equalization.

Figure 2.15. SC-FDMA and OFDMA. DFT: discrete Fourier transform

IDFT: inverse discrete Fourier Transform CP: Cyclic Prefix PS: Pulse Shaping DAC: Digital to analog Conversion RF: Radio Frequency SIGNAL ADC: Analog to Digital Conversion LP-OFDMA: Linearly Precoded OFDMA

2.4. OFDM applied to LTE

2.4.1. General facts

Subsequent releases of 3GPP LTE: – December 2008, is the first release describing LTE; – December 2009, added location services, MBMS support, multi- standard support, and regional requirements for North America; OFDMA 133

– March 2011, is the first release for LTE-Advanced, and includes carrier aggregation, and MIMO; – the next releases continue improvements on LTE-Advanced.

The goal of LTE is to provide 3GPP with further evolutions, improving its architecture, throughput and spectrum efficiency. LTE can: – provide throughput up to 100 Mbps downlink and 50 Mbps uplink in 20 MHz (2 × 20 MHz FDD); – achieve spectral efficiencies of 5 bps/Hz downlink, 2.5 bps/Hz uplink while maintaining coding rates exceeding ½; – LTE Advanced, release 10, further increases these goals to: 1 Gpbs/500 Mbps, and 30/15 bps/Hz for downlink/uplink; – optimized for user speeds around 15 km/h, but supports high performance up to 120 km/h, and supports even higher; – scalable capacity 1.4 MHz to 20 MHz RF channels (FDD)

LTE’s air interface, like other 4G standards, revolves around OFDMA.

MIMO is used to either enhance data rates or increase data integrity (diversity and MRC). And the other usual tools are used as well: convolutional and turbo codes, and adaptive modulation (QPSK, 16 QAM, 64 QAM).

LTE offers a flexible range of channel bandwidth (1.4, 3, 5, 10 or 20 MHz), which is well adapted to the current cellular bands and to the future newly opened bands.

2.4.2. LTE downlink

LTE FDD uses 10 ms frames, divided into 20 subframes or slots (of 0.5 ms each). Each subframe uses 7 OFDM symbols, each with a CP. Subchannels separation is Δf = 1⁄T =15 kHz, where T is the

134 LTE Standards

OFDM symbol period. (For multimedia broadcast multicast service MBMS dedicated ell, reduced carrier spacing can be used in the downlink Δf = 7.5 kHz). A CP is used to duplicate part of the symbol: total symbol duration Ts = Tu + Tcp. For normal 15 kHz subcarrier spacing, the normal CP is 7 OFDM symbols per slot, which works well in typical urban multipath (Tu = 66.7 μs, and Tcp = 5.21 μs for first symbol, 4.7 μs for the following symbols). An extended CP for larger cells or heavy multipath is available: Tcp = 16.67 μs.

This splits radio resources into time and frequency elements, called RBs. On the frequency scale a RB is 12 subcarriers wide (180 kHz), on the time scale it is one slot (0.5 ms)

CP OFDMA Subcx CP symbols CP (μs) symbols Δf=15 kHz, normal 7 12 160 first 5.2 first 144 after 4.7 after Δf=15 kHz, extended 6 12 512 16.7

Table 2.2. LTE cyclic prefix lengths in number of symbols, subcarriers and time

There are three downlink channels in the physical layer, shared, control and common control. And there are two uplink channels, the shared and the control channel. Modulation techniques used for uplink and downlink are QPSK, 16 QAM, 64 QAM while the broadcast channel uses only QPSK.

OFDMA 135

Figure 2.16. LTE OFDMA physical layer structure LTE physical layer uses multiple OFDMA subcarriers and symbols separated by guard intervals

Figure 2.17. LTE resource blocks and resource elements (from the 3GPP standard) 136 LTE Standards

2.4.3. Uplink

The uplink standard is departing from the usual OFDMA approach: it uses SC-FDMA. SC-FDMA is a type of FDE. In SC-FDMA, a bit stream is converted into single carrier symbols, then a DFT is applied to it, subcarriers are mapped to these DFT tones and an inverse DFT (IDFT) is performed to convert back for transmission. Much like in OFDMA, the signal has a CP to limit ICI, and pulse shaping is used to limit ISI.

Similar parameters are used as for downlink: subcarrier spacing 15 kHz, CP normal or extended (note that CP is the same for all UE in cell, and the same as downlink). The uplink uses the same symbol period and resource elements as in the downlink. RBs are defined in the same manner, with NSCRB = 12 subcarriers and NRB depends on bandwidth: 6, 15, 25, 50, 75 or 100.

Figure 2.18. CDF PAPR comparison for OFDMA used in the LTE downlink, and SC- FDMA localized mode (LFDMA) used in the LTE uplink – 256 total subcarriers, 64 subcarrier per user, 0.5 roll-off factor, a) QPSK, b) 16 QAM

LTE physical layer throughput calculations are easily derived from the 3GPP specifications: 1 Radio Frame has 10 subframes, each subframe has 2 time-slots, each time-slot is 0.5 ms long, 1 time-slot has 7 modulation symbols or OFDMA symbols (when normal CP length is used). Each modulation symbol = 6 bits at 64 QAM (note that these are physical layer bits, not actual user information). OFDMA 137

An RB uses 12 subcarriers. Assume 20 MHz channel bandwidth (100 RBs), normal CP. The number of bits in a 1 ms subframe is 100 RBs × 12 subcarriers × 2 slots × 7 modulation symbols × 6 bits = 100,800 bits. So the data rate is 100.8 Mbps. For 4 × 4 MIMO the peak data rate is simply four time that, or 403 Mbps. (Of course, a more robust FEC coding lowers the bitrate to 336 Mbps at 64 QAM 5/6, or 302 Mbps at 64 QAM 3/4).

Note that the above accounts for every RB, which has to carry overhead signaling, reference signals, etc. Practically, looking at resource elements in a RB for one (1 ms) subframe, some resource elements are reserved (for instance with control frame indicator CFI = 2).

Figure 2.19. Some LTE resource elements are reserved for control channel and reference signals only a subset are used for user data, thus lowering actual throughput

Out of the 12 × 14 RB, 36 are used for control (PDCCH) and reference signals, so only 132 can carry data. So 20% of the physical layer data rate is reserved. So the commonly cited numbers are 75 Mbps uplink, and 300 Mbps downlink for LTE, this because layer 138 LTE Standards

2 has additional transport block size (TBS) restrictions and frame overhead – typically around 9–10%, leading to 75 Mbps and 300 Mbps rates (for 4 × 4 MIMO in 20 MHz).

Figure 2.20. Conventional OFDMA with cyclic prefix

2.5. OFDMA in the LTE radio subsystem: OFDMA and SCFDMA in LTE

– Conventional OFDM with CP: - carrier spacing 15 KHz, Tcp = 4.8 μs. - extended CP needed for broadcast/multicast and environments with extreme delay spread, TECP = 16.7 μs. – Channel dependent scheduling in time and frequency domain: - scheduler assigns a number of (possibly noncontiguous) chunks to a user. - each user is assigned a chunk (colored blocks) in time and frequency plane.

2.5.1. The downlink physical-layer processing of transport channels

The downlink physical-layer processing of transport channels consists of the following steps: – CRC insertion: 24 bit CRC is the baseline for PDSCH; OFDMA 139

– Channel coding: turbo coding based on quadratic permutation polynomial (QPP) inner interleaving with trellis termination. – Physical-layer hybrid-ARQ processing; – Channel interleaving; – Scrambling: transport-channel specific scrambling on DL-SCH, BCH, and PCH. Common MCH scrambling for all cells involved in a specific MBSFN transmission; – Modulation: QPSK, 16 QAM, and 64 QAM; – Layer mapping and pre-coding; – Mapping to assigned resources and antenna ports.

Figure 2.21. Downlink: OFDMA transmission scheme: downlink physical layer processing chain

2.5.2. Downlink multi-antenna transmission

Multi-antenna transmission with 2 and 4 transmit antennas is supported. The maximum number of codewords is two, irrespective of the number of antennas with fixed mapping between code words to layers. 140 LTE Standards

Spatial division multiplexing (SDM) of multiple modulation symbol streams to a single user using the same time-frequency (-code) resource, also referred to as single user MIMO (SU-MIMO), is supported.

2.5.3. Uplink basic transmission scheme

For both FDD and TDD, the uplink transmission scheme is based on single carrier FDMA, more specifically DFTS-OFDM, SC-FDMA, low PAR and good qualities of OFDM like multipath resistance and flexible subcarrier allocation.

The uplink subcarrier spacing f = 15 kHz. The subcarriers are grouped into sets of 12 consecutive subcarriers, corresponding to the uplink RB. 12 consecutive subcarriers during one slot correspond to one uplink RB.

Figure 2.22. Transmitter scheme of SC-FDMA

Figure 2.23. OFDMA and SC-FDMA OFDMA 141

OFDMA transmits the four QPSK data symbols in parallel, one per subcarrier.

SC-FDMA transmits the four QPSK data symbols in series at four times the rate, with each data symbol occupying N × 15 kHz bandwidth.

Visually, the OFDMA signal is clearly multi-carrier and the SC- FDMA signal looks more like single carrier, which explains the “SC” in its name.

One SC-FDMA symbol in the time domain by computing the trajectory traced by moving from one QPSK data symbol to the next. This is done at N times the rate of the SC-FDMA symbol such that one SC-FDMA symbol contains N consecutive QPSK data symbols.

2.5.4. Physical-layer processing

The uplink physical layer processing of transport channels consists of the following steps: – CRC insertion: 24 bit CRC is the baseline for PUSCH; – Channel coding: turbo coding based on QPP inner interleaving with trellis termination; – Physical-layer hybrid-ARQ processing; – Scrambling: UE-specific scrambling; – Modulation: QPSK, 16 QAM, and 64 QAM (64 QAM optional in UE); – Mapping to assigned resources [and antennas].

2.5.4.1 Uplink multi-antenna transmission The baseline antenna configuration for uplink MIMO is MU-MIMO. To allow for MU-MIMO reception at Node B, allocation of the same time and frequency resource to several UEs, each of which is transmitting on a single antenna, is supported. 142 LTE Standards

Closed loop type adaptive antenna selection transmit diversity shall be supported for FDD (optional in UE).

2.5.4.2. Comparison of LTE with Wi-Fi and WiMAX, the latest versions of which also use OFDM techniques

Table 2.3. Comparison of LTE with Wi-Fi and WiMAX

2.5.4.3. Carrier aggregation in LTE Advanced LTE Advanced has been specified to fulfill ITU requirements for a “4G” standard (“IMT-advanced”): – increase the maximum throughputs of LTE: 300 Mbps ↓, 50 Mbps/s ↑; – throughput to reach 1 Gbps ↓ and 100 Mbps ↑ LTE evolutions (release 10 and further); OFDMA 143

– improve existing networks and ensuring compatibility between LTE and LTE-Advanced equipment; – extend bandwidth to 100 MHz, by “carrier aggregation”; – introduce relays.

Spectrum aggregation scenarios: – intra-band adjacent; – intra-band non adjacent; – inter-band.

Asymmetric bandwidth for FDD: – number of DL component carriers > number of UL component carriers.

Figure 2.24. Number of DL/UL component carriers

2.6. Appendix 1: the constraints of mobile radio

Any mobile communication system has to be designed and deployed taking into account the constraints that are a consequence of the laws of physics. Electromagnetic wave propagation follows complicated rules, depending from the frequency. The description of these phenomena is the subject of many studies and books. Cellular systems do not operate in low frequencies, so they avoid plenty of

144 LTE Standards singularities, such as long distance propagation, which affects low frequencies, up to the lower part of VHF. Cellular systems are deployed mainly in UHF, where the propagation is less dependent of fancy effects.

Cellular systems use high speed data communication over radio waves. The transmission of data is suffering of fading and also of frequency shift. Fading and frequency shift are related with well- known processes, inherent to the fact that the mobile is moving in its environment.

2.6.1. Doppler effect

The Doppler effect impacts all kinds of electromagnetic wave received or transmitted by a mobile terminal on the move. The received frequency is shifted from the transmitted value F by:

v fdi= Fcos α i c where v is the speed of the mobile, c the speed of the light, in the air c = 3.108 m/s, and i the angle between the direction of the speed vector of the mobile and the direction of the transmitted wave.

For terrestrial mobiles, the waves are coming from a set of diffractors and reflectors, the position of which is at random around the mobile. Therefore, the angle of arrival may be considered to be equally distributed around the mobile, producing a distribution of

OFDMA 145 energy on a frequency bandwidth (F – fd, F + fd). A monochromatic wave is transformed by the Doppler effect into a distribution of power on a frequency interval.

The Doppler effect has little impact on mobile communications when frequency (or phase) modulation is used. The Doppler shift is negligible compared to the imprecision of the carrier frequency.

However, on the contrary, when OFDMA is the access scheme, the Doppler effect has its importance and has to be managed, e.g. by introducing the guard interval.

2.6.2. Rayleigh/Rice fading

The transmission between the mobile and the base station is subject to multipath travel due to the many diffractors and reflectors in the environment. The resulting reception shows a variation of amplitude, which is very characteristic of mobile communications. It is called the Rice channel when the mobile and the base station are in line of sight without having the direct beam completely obstructed by buildings or natural obstacles. When there is no direct line of sight beam, the phenomenon is called Rayleigh fading. The received amplitude shows deep changes of level, often 40 dB.

Rayleigh fading results from the resonance pattern of the electromagnetic wave being radiated either by the base station or by the mobile. The wave incoming to the mobile is reflected or diffracted by a lot of obstacles. To have a representation of the situation, just

146 LTE Standards look to the Kundt tube experience where sound waves are reflected inside a glass tube: the “bellies” (maxima) and “knots” (minima) of the sound wave are made visible with some powder. The distance between two consecutive “knots” is half the wavelength of the signal. Of course, the frequency of mobile communications is far higher and the electromagnetic wave does not propagate as slowly as the sound wave, but the resonance pattern phenomenon is the same.

The mobile is moving in an array of stationary waves. Therefore, it comes through peaks and nulls of the signal power. The result is a random distribution of the received amplitudes.

Rayleigh fading

With a recording receiver, it is easy to keep track of the signal variation.

Recorded received signal amplitude in mobile multipath environment OFDMA 147

At the transmitter, the electromagnetic wave is produced for digital symbols with a constant amplitude. The received amplitude is a random variable, which is characterized by short and deep fadings. The mobile integrates the different contributions: – the direct wave Ea, received in line of sight from the transmitter, if any; – many waves Ei, resulting from reflections or diffractions produced by a large number of obstacles. This multiple paths propagation brings to the mobile receptor a quasi-infinite number of waves having different Doppler staggering and different phases.

The received field is Ez = Ea + ∑ = Ea + Er with Ea = cos22 ∅ and cos2 2 .

Ea and Er are independent random variables, when measured at different times on an interval which is sufficiently short to avoid the shadow effect on top of the Rayleigh fading, a few wavelengths covers at the speed v.

The characteristic function of Ez is the product of the characteristic functions of Ea and Er. The one for Ea is a Bessel function .

For Er, the calculation is less simple. The received field from Ei has a cosine component and a sine component: . 2 . 2

Ec and Es are centered processes.

The total received field R has an amplitude of .

The probability of receiving an amplitude in the interval , is:

exp ) 148 LTE Standards

where Eo is the variance of Er, supposed to be Gaussian = .

The calculations were made by Rice in 1944 and give the following curves with :

In a town, the direct wave is most often absent. In that case, Ec and Es can be approximated by a Gaussian process with as variance and a probability density:

1 √ and a cumulative function:

(1 +rf ) with the error function being:

√ 2 erf . √2

OFDMA 149

The density of probability of the envelope is given by the curve:

More detailed calculations are available in [REM 92].

Some practical results:

n(dB) 20 10 –3 –10 99% 90.5% 13.5% 0%

P is the probability of receiving a signal with an amplitude lower than average. (The real average value is Eo – 1 dB). This means that to receive the signal with 99% probability having tuned the receiver on, the average strength needs a margin of 19 dB.

To transmit data packets, we are more interested by the duration of the fading. When the signal disappears in a fading hole, the data are lost. So, focus has to be put on the duration of the Rayleigh fading holes.

The calculation made by Rice introduces NR, number of crossings of a value R by the envelope, ascending. Considering Ti to be the duration of the ith hole: R2 Ti = T.P(r > R) = T.1−− exp( ) E 02 T being the length of the observation. 150 LTE Standards

R2 1−− exp( ) ti E 2 The average length of the hole will be t ==∑ 0 NR. T NR

This result shows that the network engineering, including the performance of the error correcting code, should provide a protection against holes of 2t, which appear 10% of the time. The issue is that t depends of the speed of the mobile. For a car travelling at 50 km/h in a network using 900 MHz frequencies, T can be approximated to 1 ms. With lower frequencies, t will obviously be lower.

NOTE.– Multipath propagation, which is the doomed fate of mobile services, also introduces another fading, which is selective in frequencies. This is due to the discrepancies in the length of each individual path, in the range of microseconds. The consequence is the existence of a coherence band of a few tens of thousand kHz.

How can we combat Rayleigh fading and frequency selective fading?

In LTE, the different subcarriers have different distributions of peaks and nulls of the received signal. The distance between one null and the consecutive peak is function of the wavelength. It is λ/4. OFDMA 151

c Having , this gives for 900 MHz λ = 0.3 m = 30 c and F λ = 7 cm. 4

The different subcarriers in the OFDM of LTE are 15 kHz apart, approximately the distance between two subsequent peaks of subcarriers is less than 10−7 m, under one micron. For this reason, the data flow transmitted by LTE (OFDM) is never subject to heavy losses needing an error correcting code able to correct error bursts.

On top of that, LTE makes use of correction of two powerful means: – turbocodes, which adapt dynamically the output bitstream to the instantaneous radio propagation condition; for example LDPC; – multiple antennas on the mobile which receive the incoming signal in different positions with a sufficient distance to avoid having all of them in a fading hole. At the base station, diversity, both spatial and of polarization, has been used for decades, MIMO is a more sophisticated means there. MIMO is particularly well adapted to OFDM transmission (including OFDMA and SC-FDMA).

2.6.3. Area of service

Electromagnetic waves show a propagation, which becomes more and more quasi-optical as the frequency rises. On top of this, some 152 LTE Standards terrains absorb the energy. An example in the north of France, a high tower radiates very far to the north in Belgium and Netherland having just a flat country to cover, but the signal disappears completely in the south east direction behind a small hill covered with forest.

The usual process for evaluating the effective service provided by a base station tower is to realize vertical cuts of the surrounding land in a set of azimuths. For radio waves, the Earth shows an “increased” radius of 8,500 km. Travelling further and further from the tower, the signal dims depending of the different terrain it travels through (swamps, lakes, forestry, etc.). If the line of sight ray is obstructed by some obstacle, behind that obstacle the signal is severely dimmed, depending of the shape and nature of this obstacle. Typically for 900 MHz, one diffraction costs 20 dB, maybe more. For higher frequencies, the damage is worse; over 3 GHz, the propagation may be considered optical. The modeling of the propagation in general adopts a logarithmic formula which has the advantage of providing easy computer calculation. There are quite a few of these formulas, the most well-known of which are Okumura-Hata or COSR231. Many others are available, e.g. Epstein & Peterson, Millington and Deygout. Generally, mobile operators implement their own variant which is based on the measurements actually made in the field.

For the coverage of urban areas, such formulas are not accurate enough. The area of service is calculated from ray tracing computer calculation. For this purpose, the exact location of the base stations OFDMA 153 has to be very accurate (a few centimetres) as well as the digitized terrain including all existing buildings. Moreover, since the request from the customers includes the servicing of underground parking spaces or the service in cellars, inside shops and shopping malls, the prediction of the service area has to take many sophisticated processes.

2.6.4. Shadow effect

When the coverage is calculated with a simple algorithm, the results have to be mitigated to take into account the variation of the situation on a given area. Digitized maps are sold with a certain level of quantization. The usual available granulometry is scarcely under 5 × 5 m; prediction systems make use of 10 × 10 m, 50 × 50 m, 100 × 100 m, 200 × 200 m or 500 × 500 m. On each square, an average ground height is provided. Of course, the mobile may stand anywhere in this square, therefore its service is modeled as a Gaussian distribution in dB (log-normal law). The calculation gives the mean value of the electromagnetic field, and the Gaussian law provides the standard deviation σ. σ ranges from 4 dB to 6 dB in a rural environment, but up to 10 dB in difficult urban environments.

The shadow effect must be taken into account when measurements are made in order to calibrate the prediction tool. To obtain a valid value for the mean of the field strength, some 100 individual pieces of data have to be collected along a distance coherent with the size of the quantization square.

2.7. Appendix 2: Example of OFDM/OFDMA technological implementation Innovative DSP

This implementation uses FPGA from Xilink (Virtex-5 and Virtex-6).

A maximum likehood algorithm is implemented which provides superior performance in nosy and impaired channel conditions. For more details, see www.innovative-dsp.com. 154 LTE Standards

2.8. Appendix 3: LTE error correction on the radio path [WIK 14d]

Hybrid automatic repeat request (hybrid ARQ or HARQ) is a combination of high-rate forward error-correcting coding and ARQ error-control. In standard ARQ, redundant bits are added to data to be transmitted using an error-detecting (ED) code such as a cyclic redundancy check (CRC). Receivers detecting a corrupted message will request a new message from the sender. In Hybrid ARQ, the original data is encoded with a forward error correction (FEC) code, and the parity bits are either immediately sent along with the message or only transmitted upon request when a receiver detects an erroneous message. The ED code may be omitted when a code is used that can perform both FEC in addition to error detection, such as a Reed-Solomon code. The FEC code is chosen to correct an expected subset of all errors that may occur, while the ARQ method is used as a fall-back to correct errors that are uncorrectable using only the redundancy sent in the initial transmission. As a result, hybrid ARQ performs better than ordinary ARQ in poor signal conditions, but in its simplest form this comes at the expense of significantly lower throughput in good signal conditions. There is typically a signal quality cross-over point below which simple hybrid ARQ is better, and above which basic ARQ is better. OFDMA 155

The simplest version of HARQ, Type I HARQ, adds both ED and FEC information to each message prior to transmission. When the coded data block is received, the receiver first decodes the error- correction code. If the channel quality is good enough, all transmission errors should be correctable, and the receiver can obtain the correct data block. If the channel quality is bad, and not all transmission errors can be corrected, the receiver will detect this situation using the error-detection code, then the received coded data block is rejected and a retransmission is requested by the receiver, similar to ARQ.

In a more sophisticated form, Type II HARQ, the message originator alternates between message bits along with error detecting parity bits and only FEC parity bits. When the first transmission is received error free, the FEC parity bits are never sent. Also, two consecutive transmissions can be combined for error correction if neither is error free.

To understand the difference between Type I and Type II Hybrid ARQ, consider the size of ED and FEC added information: error detection typically only adds a couple of bytes to a message, which is only an incremental increase in length. FEC, however, can often double or triple the message length with error correction parities. In terms of throughput, standard ARQ typically expends a few percent of channel capacity for reliable protection against error, while FEC ordinarily expends half or more than half of all channel capacity for channel improvement.

In standard ARQ a transmission must be received error free on any given transmission for the error detection to pass. In Type II Hybrid ARQ, the first transmission contains only data and error detection (no different from standard ARQ). If received error free, it is done. If data is received in error, the second transmission will contain FEC parities and error detection. If received error free, it is done. If received in error, error correction can be attempted by combining the information received from both transmissions.

Only Type I Hybrid ARQ suffers capacity loss in strong signal conditions. Type II Hybrid ARQ does not, because FEC bits are only 156 LTE Standards transmitted on subsequent retransmissions as needed. In strong signal conditions, Type II Hybrid ARQ performs with as good capacity as standard ARQ. In poor signal conditions, Type II Hybrid ARQ performs with as good sensitivity as standard FEC.

2.8.1. Hybrid ARQ with soft combining

In practice, incorrectly received coded data blocks are often stored at the receiver rather than discarded, and when the retransmitted block is received, the two blocks are combined. This is called Hybrid ARQ with soft combining. While it is possible that two given transmissions cannot be independently decoded without error, it may happen that the combination of the previously erroneously received transmissions gives us enough information to correctly decode. There are two main soft combining methods in HARQ: – Chase combining: every retransmission contains the same information (data and parity bits). The receiver uses maximum-ratio combining to combine the received bits with the same bits from previous transmissions. Because all transmissions are identical, chase combining can be seen as additional repetition coding. We could think of every retransmission as adding extra energy to the received transmission through an increased Eb/N0. – Incremental redundancy: every retransmission contains different information than the previous one. Multiple sets of coded bits are generated, each representing the same set of information bits. The retransmission typically uses a different set of coded bits than the previous transmission, with different redundancy versions generated by puncturing the encoder output. Thus, at every retransmission the receiver gains extra information.

Several variants of the two main methods exist. For example, in partial chase combining only a subset of the bits in the original transmission are retransmitted. In partial incremental redundancy, the systematic bits are always included so that each retransmission is self- decodable. OFDMA 157

HARQ can be used in stop-and-wait mode or in selective repeat mode. Stop-and-wait is simpler, but waiting for the receiver’s acknowledgment reduces efficiency. Thus multiple stop-and-wait HARQ processes are often done in parallel in practice: when one HARQ process is waiting for an acknowledgment, another process can use the channel to send some more data.

There are other forward error correction codes that can be used in an HARQ scheme besides Turbo codes, e.g. extended irregular repeat- accumulate (eIRA) code and efficiently-encodable rate-compatible (E2RC) code, both of which are low density parity check (LDPC) code. LTE has standardized LDPC, processing the received data. The original bitstream is previously encoded with Bose Chauduri Hockenghem (BCH).

2.9. Appendix 4: The 700 MHz frequencies in the USA for LTE

The 700 MHz frequency band is depicted in the following figure.

158 LTE Standards

2.9.1. Upper and lower 700 MHz

The 700 MHz band is divided into 2 bands by the FCC upper 700 MHz and lower 700 MHz.

The Full IP Core Network

3.1. Fixed mobile convergence

Fixed mobile convergence (FMC) is set of a technology bringing seamless connectivity between fixed and wireless communication networks.

FMC is the answer to the desire of consumers to be connected anytime anywhere and from any device.

This requires: – fixed and wireless broadband; – IP Multimedia Subsystem (IMS); – Session Initiation Protocol (SIP): - Voice over Internet Protocol (VoIP), - common service delivery platform.

FMC, to be seamless to the end user, involves personalization for the user services.

FMC includes: − Unlicenced Mobile Access (UMA), with UMA-capable devices;

160 LTE Standards

− SIP-based services; − seamless roaming between mobile accesses (cellular, WiFi, etc.).

3.2. IP multimedia subsystem

3.2.1. General description of IMS

3GPP has taken IMS (Internet Multimedia Subsystem) as the core of its telecommunication standards. This trend has been followed by ETSI and other standardization bodies such as ANSI.

Figure 3.1. IMS

IMS was introduced by 3GPP with release 5 and developed to date. It is also developed by ETSI TISPAN (for fixed telecommunication). IMS is based on IETF protocols. OMA specify the service layer application.

Although originally specified by 3GPP, a number of other organizations around the world support IMS. In addition to the IETF, which specifies key protocols such as SIP, and the OMA, which

The Full IP Core Network 161 specifies end-to-end service-layer applications, other organizations supporting IMS include the GSM Association (GSMA), the ETSI, CableLabs, 3GPP2, the Parlay Group, the International Telecommunication Union (ITU), the American National Standards Institute (ANSI), the TISPAN and the Java Community Process (JCP).

According to an ABI Research analyst, an advantage of IMS is that it enables rapid development and deployment of new services and is essential to the success of mobile and fixed operators who are losing revenue from traditional sources. It is forecast by ABI that mobile operators will reap $300 billion revenues over five years ending in 2013 due to new services delivered with IMS.

The benefits of using IMS include handling all communication in the packet domain, tighter integration with the Internet and a lower cost infrastructure that is based on IP building blocks used for both voice and data services. This allows operators to potentially deliver data and voice services at lower cost, in turn providing these services at lower prices and further driving demand and usage.

IMS applications can reside either in the operator’s network or in third-party networks.

IMS separates the access network from the service layer. The horizontal control layer isolates the access from the service. It is a common horizontal control layer. Logically, services do not need to have their own control functions.

IMS uses IETF protocols wherever possible, especially SIP. But other technologies apply, in particular soft switches or Generic Access Network.

However in implementation this does not necessarily map into greater reduced cost and complexity. IMS is unable to master the OTT mechanisms, which provide access to contents and contacts outside the control of wireless/fixed operators.

162 LTE Standards

3.2.2. Session Initiation Protocol

SIP is the core networking protocol used within the IMS and is one of the more widely known examples of a session control protocol. Session control refers to the process used to create, modify and terminate IP-based communication sessions, and a session can include two-way voice communication, multimedia (text, audio or video) conference collaboration, instant messaging, application sharing and other contemplated but not yet fully specified services. Session control is accomplished through signaling between various network elements and endpoints using a session control protocol.

Although SIP is the most widely known session control protocol, SIP has a major limitation that is of great importance to any GSM- UMTS operator. It does not provide any method of directly interworking with the Public Switched Telephone Network (PSTN) because it was not created with the intention of it being fully backwards-compatible with legacy PSTN signaling mechanisms.

In addition to SIP, other examples of session control protocols include BICC, SIP-I and SIP-T.

BICC, or Bearer Independent Call Control, is the protocol standardized in the 3GPP Release 4 architecture and deployed in some networks today. BICC, however, is not an optimal choice for ongoing evolution because it has been limited to, and is predicted to remain limited to, operation within a GSM-UMTS context. BICC does not address domains beyond GSM-UMTS such as LTE; as a result, it does not automatically offer the future level of flexibility of continued development and evolution that would accompany the SIP with ISUP encapsulation variants (i.e. either SIP-T, SIP for Telephones or SIP-I, SIP with ISUP encapsulation).

With a technical analysis of capabilities existing within the two SIP technologies with ISUP encapsulation variants, 4G Americas recommends SIP-I as the direction for evolution. There are four areas

The Full IP Core Network 163 where SIP-I is better suited for a GSM-UMTS environment than SIP-T: – assumptions regarding the trust and security environment; – encapsulation procedures and message mapping; – Support of Request for Comments (RFCs); – user plane interoperability.

3.2.3. IMS components and interfaces

The IMS is an architectural framework for delivering IP multimedia services. It was originally designed by 3GPP as a part of the vision for evolving mobile networks beyond GSM. Its original formulation appears in Release 5. This vision was later updated by 3GPP and TISPAN. In particular, IMS applies to fixed lines standards (3GPP Release 7 and TISPAN R1.1), and further updates.

Since it is becoming increasingly easier to access content and contacts using mechanisms outside the control of traditional wireless/fixed operators, the interest of IMS is being challenged.

Figure 3.2. IMS wide scope 164 LTE Standards

Figure 3.3. IMS functions

The IP multimedia CN subsystem is a collection of different functions, linked by standardized interfaces, which grouped form one IMS administrative network. A function is not a node (hardware box). An implementer is free to combine two functions in one node, or to split a single function into two or more nodes. Each node can also be present multiple times in a single network, for dimensioning, load balancing or organizational issues.

3.2.3.1. Access network The user can connect to IMS in various ways, most of which use the standard IP. IMS terminals (such as mobile phones, personal digital assistants (PDAs) and computers) can register directly on IMS, even when they are roaming in another network or country (the visited network). The only requirement is that they can use IP and run SIP user agents (SIP UAs). Fixed access (e.g., Digital Subscriber Line (DSL), cable modems, Ethernet), mobile access and wireless access (e.g. WiMAX) are all supported. Other phone systems like plain old telephone service (POTS—the old analog telephones), H.323 and non IMS-compatible VoIP systems, are supported through gateways. The Full IP Core Network 165

3.2.3.2. Core network The Home Subscriber Server (HSS), or User Profile Server Function (UPSF), is a master user database that supports the IMS network entities that actually handle calls. It contains the subscription- related information (subscriber profiles), performs authentication and authorization of the user, and can provide information about the subscribers location and IP information. It is similar to the GSM Home Location Register (HLR) and Authentication Centre (AuC).

A Subscriber Location Function (SLF) is needed to map user addresses when multiple HSSs are used.

Various User identities may be associated with IMS: IP Multimedia Private Identity (IMPI), IP Multimedia Public Identity (IMPU), Globally Routable User Agent URI (GRUU), Wildcarded Public User Identity. Both IMPI and IMPU are not phone numbers or other series of digits, but Uniform Resource Identifiers (URIs), that can be digits (a Tel. URI, such as Tel.: +1-555-123-4567) or alphanumeric identifiers (a SIP URI, such as sip:john.doe@ example.com).

The IMPI is a unique permanently allocated global identity assigned by the home network operator, and is used, for example, for Registration, Authorization, Administration and Accounting purposes. Every IMS user will have one IMPI.

The IMPU is used by any user for requesting communications to other users (e.g. this might be included on a business card). There can be multiple IMPU per IMPI. The IMPU can also be shared with another phone, so that both can be reached with the same identity (for example, a single phone-number for an entire family).

GRUU is an identity that identifies a unique combination of IMPU and UE instance. There are two types of GRUU: Public-GRUU (P-GRUU) and Temporary GRUU (T-GRUU): – P-GRUU reveal the IMPU and are very long lived.

166 LTE Standards

– T-GRUU do not reveal the IMPU and are valid until the contact is explicitly de-registered or the current registration expires.

A wildcarded Public User Identity expresses a set of IMPU grouped together.

The HSS subscriber database contains the IMPU, IMPI, IMSI, MSISDN, subscriber service profiles, service triggers and other information.

CSCF – Call Session Control Function The Call Session Control Function (CSCF) is a collection of functional capabilities that play an essential role in the IMS CN. The CSCF is responsible for the signaling controlling the communication of IMS User Equipment (UE) with IMS enhanced services across different network accesses and domains. The CSCF controls the session establishment and teardown, as well as user authentication, network security and Quality of Service (QoS).

Several roles of SIP servers or proxies, collectively called CSCF, are used to process SIP signaling packets in the IMS. – A Proxy-CSCF (P-CSCF) is a SIP proxy that is the first point of contact for the IMS terminal and can be located either in the visited network (in full IMS networks) or in the home network (when the visited network is not IMS compliant yet). Some networks may use a Session Border Controller (SBC) for this function. The P-CSCF is at its core a specialized SBC for the user–network interface which not only protects the network, but also the IMS terminal. The use of an additional SBC between the IMS terminal and the P-CSCF is unnecessary and infeasible due to the signaling being encrypted on this leg. The terminal discovers its P-CSCF with either DHCP, or it may be configured (e.g. during initial provisioning or via a 3GPP IMS Management Object (MO)) or in the ISIM or assigned in the PDP Context (e.g. General Packet Radio Service (GPRS)). – It is assigned to an IMS terminal before registration, and does not change for the duration of the registration. The Full IP Core Network 167

– It sits on the path of all signaling, and can inspect every signal; the IMS terminal must ignore any other unencrypted signaling. – It provides subscriber authentication and may establish an IPsec or TLS security association with the IMS terminal. This prevents spoofing attacks and replay attacks and protects the privacy of the subscriber. – It inspects the signaling and ensures that the IMS terminals do not misbehave (e.g. change normal signaling routes, do not obey home network’s routing policy). – It can also compress and decompress SIP messages using SigComp, which reduces the round-trip over slow radio links. – It may include a Policy Decision Function (PDF), which authorizes media plane resources, for example, QoS over the media plane. It is used for policy control, bandwidth management, etc. The PDF can also be a separate function. – It also generates charging records.

To summarize, the P-CSCF is the first point of contact between the UEs and the IMS network. Acting as a SIP proxy, all the SIP requests and responses from/to UEs traverse the P-CSCF. The P-CSCF may be located in either the user’s home network or in the visited network for handling roaming.

The P-CSCF supports several important functions: – validates the correctness of SIP messages with IMS UEs according to SIP standard rules; – ensures the security of the messages between UEs and the IMS network using IPsec or TLS security associations; – authenticates and asserts the identity of the UE; – compresses the messages ensuring the efficient transmission of SIP messages over narrowband channels.

The P-CSCF may support Policy Enforcement capabilities for authorizing media plane resources, bandwidth and QoS management. 168 LTE Standards

In addition, the P-CSCF can also generate charging information to be collected by charging network nodes.

A Serving-CSCF (S-CSCF) is the central node of the signaling plane. It is a SIP server, but performs session control too. It is always located in the home network. It uses Diameter Cx and Dx interfaces to the HSS to download user profiles and upload user-to-S-CSCF associations (the user profile is only cached locally for processing reasons only and is not changed). All necessary subscriber profile information is loaded from the HSS. – It handles SIP registrations, which allows it to bind the user location (e.g., the IP address of the terminal) and the SIP address; – It sits on the path of all signaling messages of the locally registered users, and can inspect every message. – It decides to which application server(s) the SIP message will be forwarded, in order to provide their services. – It provides routing services, typically using Electronic Numbering (ENUM) lookups. – It enforces the policy of the network operator. – There can be multiple S-CSCFs in the network for load distribution and high availability reasons. It is the HSS that assigns the S-CSCF to a user, when it is queried by the I-CSCF. There are multiple options for this purpose, including a mandatory/optional capabilities to be matched between subscribers and S-CSCFs.

To summarize, the S-CSCF is a central function of the signaling plane in the IMS CN. A S-CSCF node acts as a SIP registrar, and in some cases as a SIP redirect server. It is responsible for processing the location registration of each UE, user authentication and call routing and processing. Similar to the I-CSCF, the S-CSCF supports Diameter Cx and Dx interfaces to the HSS to download the authentication information and user profile of the registering UEs from the HSS for authentication purpose. All of the SIP signaling from/to the IMS UEs traverses their serving S-CSCF allocated during the registration process. The S-CSCF also provides SIP message routing and services The Full IP Core Network 169 triggering. It also enforces the policy of the network operator and keep users from performing unauthorized operations.

The S-CSCF is always located in the home network. A number of S-CSCFs may be deployed for the sake of scalability and redundancy.

An Interrogating-CSCF (I-CSCF) is another SIP function located at the edge of an administrative domain. Its IP address is published in the Domain Name System (DNS) of the domain (using NAPTR and SRV type of DNS records), so that remote servers can find it, and use it as a forwarding point (e.g. registering) for SIP packets to this domain. – It queries the HSS to retrieve the address of the S-CSCF and assign it to a user performing SIP registration. – It also forwards SIP request or response to the S-CSCF. – Up to Release 6 it can also be used to hide the internal network from the outside world (encrypting parts of the SIP message), in which case it is called a Topology Hiding Inter-network Gateway (THIG). From Release 7 onwards this “entry point” function is removed from the I-CSCF and is now part of the Interconnection Border Control Function (IBCF). The IBCF is used as gateway to external networks, and provides NAT and firewall functions (pinholing). The IBCF is practically a Session Border Controller specialized for the NNI.

To summarize, The I-CSCF is a SIP proxy located in the edge of an administrative IMS domain. Its IP address is published in the DNS of the domain (using NAPTR and SRV type of DNS records), so that remote servers can find and use it as a forwarding point (e.g., registering) for SIP packets to this IMS domain. The I-CSCF implements a Diameter (RFC 3588) interface to the HSS, and queries the HSS to retrieve the address of the S-CSCF for an UE to perform SIP registration. Being a SIP proxy, the I-CSCF forwards SIP message requests and responses to the S-CSCF. Additionally, the I-CSCF may encrypt parts of the SIP messages securing any sensitive information. 170 LTE Standards

Typically the IMS network includes a number of I-CSCF nodes for the purpose of scalability and redundancy. The I-CSCF is usually located in the IMS home network.

An Emergency-CSCF, the E-CSCF is a newly defined entity in the IMS network. As its name indicates, the E-CSCF is responsible for handling of emergency call service. Once the P-CSCF detects that the received SIP message request is for an emergency call it forwards that SIP message to the E-CSCF. Then, the E-CSCF contacts the Locating Retrieval Function (LRF) to get the location of the UE for routing the emergency call appropriately. The E-CSCF can be located either in a home network or in a visited network.

SIP ASs host and execute services (Next Generation Network Services), and interface with the S-CSCF using SIP. An example of an AS that is being developed in 3GPP is the Voice call continuity Function (VCC Server). Depending on the actual service, the AS can operate in SIP proxy mode, SIP UA mode or SIP B2BUA mode. An AS can be located in the home network or in an external third-party network. If located in the home network, it can query the HSS with the Diameter Sh or Si interfaces (for a SIP-AS). – SIP AS: host and execute IMS specific services. – IP Multimedia Service Switching Function (IM-SSF): interfaces SIP to CAP to communicate with CAMEL ASs. – OSA Service Capability Server (OSA SCS): interfaces SIP to the OSA framework.

Functional model: the AS-ILCM and AS-OLCM store the transaction state, and may optionally store the session state depending on the specific service being executed. The AS-ILCM interfaces to the S-CSCF (ILCM) for an incoming leg and the AS-OLCM interfaces to the S-CSCF (OLCM) for an outgoing leg. Application Logic provides the service(s) and interacts between the AS-ILCM and AS-OLCM.

Public Service Identities (PSI) are identities that identify services, which are hosted by ASs. As user identities, PSIs will take the form of The Full IP Core Network 171 either a SIP or Tel URI. PSIs are stored in the HSS either as a distinct PSI or as a wildcarded PSI: – a distinct PSI contains the PSI that is used in routing; – a wildcarded PSI represents a collection of PSIs.

Media servers The Media Resource Function (MRF) provides media-related functions such as media manipulation (e.g. voice stream mixing) and playing of tones and announcements.

Each MRF is further divided into a Media Resource Function Controller (MRFC) and a Media Resource Function Processor (MRFP). – The MRFC is a signaling plane node that interprets information coming from an AS and S-CSCF to control the MRFP. – The MRFP is a media plane node used to mix, source or process media streams. It can also manage access rights to shared resources.

The Media Resource Broker (MRB) is a functional entity that is responsible for both collection of appropriate published MRF information and supplying of appropriate MRF information to consuming entities such as the AS. MRB can be used in two modes: – Query mode: AS queries the MRB for media and sets up the call using the response of MRB. – In-Line Mode: AS sends a SIP INVITE to the MRB. The MRB sets up the call.

A Breakout Gateway Control Function (BGCF) is a SIP proxy which processes requests for routing from an S-CSCF when the S-CSCF has determined that the session cannot be routed using DNS or ENUM/DNS. It includes routing functionality based on telephone numbers.

A PSTN/CS gateway interfaces with PSTN circuit switched (CS) networks. For signaling, CS networks use ISDN User Part (ISUP) (or BICC) over Message Transfer Part (MTP), while IMS uses SIP over 172 LTE Standards

IP. For media, CS networks use Pulse-code modulation (PCM), while IMS uses Real-time Transport Protocol (RTP). – A Signaling Gateway (SGW) interfaces with the signaling plane of the CS. It transforms lower layer protocols as Stream Control Transmission Protocol (SCTP, an IP protocol) into MTP (a Signaling System 7 (SS7) protocol), to pass ISDN User Part (ISUP) from the MGCF to the CS network. – A Media Gateway Controller Function (MGCF) is a SIP endpoint that does call control protocol conversion between SIP and ISUP/BICC and interfaces with the SGW over SCTP. It also controls the resources in a Media Gateway (MGW) across an H.248 interface. – A Media Gateway (MGW) interfaces with the media plane of the CS network, by converting between RTP and PCM. It can also transcode when the codecs don’t match (e.g., IMS might use AMR, PSTN might use G.711).

Media Resources are those components that operate on the media plane and are under the control of IMS Core functions. Specifically, Media Server (MS) and MGW.

IMS has two types of Next Generation Networking interconnection: – Service oriented Interconnection (SoIx): the physical and logical linking of next generation networks (NGN) domains that allows carriers and service providers to offer services over NGN (i.e., IMS and PES) platforms with control, signaling (i.e., session based), which provides defined levels of interoperability. For instance, this is the case of “carrier grade” voice and/or multimedia services over IP interconnection. “Defined levels of interoperability” are dependent upon the service or the QoS or the Security, etc. – Connectivity oriented Interconnection (CoIx): the physical and logical linking of carriers and service providers based on simple IP connectivity irrespective of the levels of interoperability. For example, an IP interconnection of this type is not aware of the specific end to end service and, as a consequence, service specific network performance, QoS and security requirements are not necessarily The Full IP Core Network 173 assured. This definition does not exclude that some services may provide a defined level of interoperability. However only SoIx fully satisfies NGN interoperability requirements.

An NGN interconnection mode can be direct or indirect. Direct interconnection refers to the interconnection between two network domains without any intermediate network domain. Indirect interconnection at one layer refers to the interconnection between two network domains with one or more intermediate network domain(s) acting as transit networks. The intermediate network domain(s) provide(s) transit functionality to the two other network domains. Different interconnection modes may be used for carrying service layer signaling and media traffic.

Offline charging is applied to users who pay for their services periodically (e.g. at the end of the month). Online charging, also known as credit-based charging, is used for prepaid services, or real- time credit control of postpaid services. Both may be applied to the same session.

Charging function addresses are addresses distributed to each IMS entitly and provide a common location for each entity to send charging information. Charging Data Function (CDF) addresses are used for offline billing and Online Charging Function (OCF) for online billing. – Offline Charging: all the SIP network entities (P-CSCF, I-CSCF, S-CSCF, BGCF, MRFC, MGCF and AS) involved in the session use the Diameter Rf interface to send accounting information to a CDF located in the same domain. The CDF will collect all this information, and build a Call Detail Record (CDR), which is sent to the billing system (BS) of the domain. Each session carries an IMS Charging Identifier (ICID) as a unique identifier generated by the first IMS entity involved in a SIP transaction and used for the correlation with CDRs. Inter Operator Identifier (IOI) is a globally unique identifier shared between sending and receiving networks. Each domain has its own charging network. BSs in different domains will also exchange information, so that roaming charges can be applied. 174 LTE Standards

– Online charging: The S-CSCF talks to a IMS Gateway Function (IMS-GWF) which looks like a regular SIP application server. The IMS-GWF can signal the S-CSCF to terminate the session when the user runs out of credits during a session. The AS and MRFC use the Diameter Ro interface toward an OCF. – When Immediate Event Charging (IEC) is used, a number of credit units is immediately deducted from the users account by the ECF and the MRFC or AS is then authorized to provide the service. The service is not authorized when not enough credit units are available. – When Event Charging with Unit Reservation (ECUR) is used, the Event Charging Function (ECF) first reserves a number of credit units in the user’s account and then authorizes the MRFC or the AS. After the service is over, the number of spent credit units is reported and deducted from the account; the reserved credit units are then cleared.

IMS-based PSTN Emulation System (PES) provides IP network services to analog devices. IMS-based PES allows non-IMS devices to appear to IMS as normal SIP users. Analog terminal using standard analog interfaces can connect to IMS-based PES in two ways: – Via Access Media Gateway (A-MGW) that is linked and controlled by AGCF. AGCF is placed within the operators’ network and controls multiple A-MGW. A-MGW and AGCF communicate using H.248.1 (Megaco) over the P1 reference point. POTS phone connect to A-MGW over the z interface. The signaling is converted to H.248 in the A-MGW and passed to AGCF. AGCF interprets the H.248 signal and other inputs from the A-MGW to format H.248 messages into appropriate SIP messages. AGCF presents itself as P- CSCF to the S-CSCF and passes generated SIP messages to S-CSCF or to IP border via IBCF. Service presented to S-CSCF in SIP messages trigger PES AS. AGCF also has a certain service independent logic, for example on receipt of an off-hook event from A-MGW, the AGCF requests the A-MGW to play a dial tone. – Via VoIP-Gateway (VGW) or SIP Gateway/Adapter on customer premises. POTS phones via VOIP Gateway connect to P-CSCF The Full IP Core Network 175 directly. Operators mostly use Session Border Controllers between VoIP Gateways and P-CSCFs for security and to hide network topology. VGW link to IMS using SIP over Gm reference point. The conversion from POTS service over the z interface to SIP occurs in the customer premises VoIP Gateway. POTS signaling is converted to SIP and passed on to P-CSCF. VGW acts as SIP UA and appears to P-CSCF as SIP terminal.

Both A-MGW and VGW are unaware of the services. They only relay call control signaling to and from the PSTN terminal. Session control and handling is done by IMS components.

Session handling One of the most important features of IMS, that of allowing for a SIP application to be dynamically and differentially (based on the user’s profile) triggered, is implemented as a filter-and-redirect signaling mechanism in the S-CSCF.

The S-CSCF might apply filter criteria to determine the need to forward SIP requests to AS. It is important to note that services for the originating party will be applied in the originating network, while the services for the terminating party will be applied in the terminating network, all in the respective S-CSCFs.

An initial filter criteria (iFC) is an XML-based format used for describing control logic. iFCs represent a provisioned subscription of a user to an application. They are stored in the HSS as part of the IMS Subscription Profile and are downloaded to the S-CSCF upon user registration (for registered users) or on processing demand (for services, acting as unregistered users). iFCs are valid throughout the registration lifetime or until the User Profile is changed.

The iFC is composed of: – Priority: determines the order of checking the trigger. – Trigger Point: logical condition(s) which is verified against initial dialog creating SIP requests or stand-alone SIP requests. 176 LTE Standards

– AS URI: specifies the AS to be forwarded to when the Trigger Point matches.

There are two types of iFCs: – Shared: when provisioning, only a reference number (the Shared iFC number) is assigned to the subscriber. During registration, only the number is sent to the CSCF, not the entire XML description. The complete XML will have previously been stored on the CSCF. – Non-Shared: when provisioning, the entire XML description of the iFC is assigned to the subscriber. During registration, the entire XML description is sent to the CSCF.

Technical Interface IMS entities Description Protocol Specificatio name n Used by MRFC to fetch documents (e.g. scripts, announcement files, and TCP/SCTP Cr MRFC, AS other resources) from an channels AS. Also used for media control related commands. Used to send subscriber data to the S-CSCF; (I-CSCF, including Filter criteria and Cx S-CSCF), Diameter their priority. Also used to HSS furnish CDF and/or OCF addresses. Used by AS to find the HSS holding the User AS (SIP AS, Profile information in a OSA, IM- multi-HSS environment. Dh Diameter SSF) <-> DH_SLF_QUERY SLF indicates an IMPU and DX_SLF_RESP return the HSS name. Used by I-CSCF or S- CSCF to find a correct HSS in a multi-HSS (I-CSCF or S- environment. Dx CSCF) <-> Diameter DX_SLF_QUERY SLF indicates an IMPU and DX_SLF_RESP return the HSS name. The Full IP Core Network 177

Used to exchange UE, P- messages between SIP user Gm SIP CSCF equipment (UE) or Voip Gateway and P-CSCF. Allows operators to control QoS in a user plane and PDF, exchange charging COPS (Rel5), Go GGSN correlation information Diameter (Rel6+) between IMS and GPRS network. Used to exchange policy P-CSCF, decisions-related Gq Diameter PDF information between P-CSCF and PDF. Used to exchange policy PCEF, decisions-related TS29.211, Gx Diameter PCRF information between PCEF TS29.212 and PCRF. Used for online flow based bearer charging. TS23.203, Gy PCEF, OCS Diameter Functionally equivalent to TS32.299 Ro interface. Reference point between S-CSCF and AS. Main functions are to: – Notify the AS of the registered IMPU, S-CSCF <- registration state and UE ISC SIP > AS capabilities. – Supply the AS with information to allow it to execute multiple services. – Convey charging function addresses. Used to exchange messages between an IBCF Ici IBCFs and another IBCF SIP belonging to a different IMS network.

Used to forward media streams from a TrGW to Izi TrGWs RTP another TrGW belonging to a different IMS network.

Main functions are to: I-CSCF <-> Ma – Forward SIP requests SIP AS which are destined to a 178 LTE Standards

Public Service Identity hosted by the AS – Originate a session on behalf of a user or Public Service Identity, if the AS has no knowledge of a S-CSCF assigned to that user or Public Service Identity – Convey charging function addresses. ISUP signaling to SIP MGCF -> Mg signaling and forwards SIP SIP I,S-CSCF signaling to I-CSCF. Used to exchange S-CSCF -> Mi messages between S-CSCF SIP BGCF and BGCF. Used for the interworking with the PSTN/CS Domain, when the BGCF BGCF -> has determined that a Mj SIP MGCF breakout should occur in the same IMS network to send SIP message from BGCF to MGCF. Used for the interworking with the PSTN/CS Domain, when the BGCF has determined that a BGCF -> Mk breakout should occur in SIP BGCF another IMS network to send SIP message from BGCF to the BGCF in the other network. I-CSCF, Used for exchanging S-CSCF, Mm messages between IMS SIP external IP and external IP networks. network MGCF, Allows control of user- Mn H.248 IM-MGW plane resources. Allows an MRFC to MRFC, control media stream Mp H.248 MRFP resources provided by an MRFP.

S-CSCF, Used to exchange Application Server Mr MRFC information between sends SIP message SIP Mr' AS, MRFC S-CSCF and MRFC to MRFC to play The Full IP Core Network 179

Used to exchange session tone and controls between AS and announcement. MRFC. This SIP message contains sufficient information to play tone and announcement or provide information to MRFC, so that it can ask more information from Application Server through Cr Interface. P-CSCF, Used to exchange messages I-CSCF, between CSCFs. AGCF Mw SIP S-CSCF, appears as a P-CSCF to the AGCF other CSCFs. Used for the interworking with another IMS network, when the BGCF has BGCF/CSC determined that a breakout Mx SIP F, IBCF should occur in the other IMS network to send SIP message from BGCF to the IBCF in the other network. Used for call control AGCF, A- services by AGCF to P1 H.248 MGW control H.248 A-MGW and Residential Gateways. AGCF, Reference point between P2 SIP CSCF AGCF and CSCF. Used by the AS to request that media resources be SIP, In Query Rc MRB, AS assigned to a call when mode (Not utilizing MRB In-Line specified) mode or In Query mode. P-CSCF, I- CSCF, S- Used to exchange offline CSCF, Rf charging information with Diameter TS32.299 BGCF, CDF. MRFC, MGCF, AS Used to exchange online AS, MRFC, Ro charging information with Diameter TS32.299 S-CSCF OCF. 180 LTE Standards

Used to exchange policy and charging related P-CSCF, information between P- Rx Diameter TS29.214 PCRF CSCF and PCRF Replacement for the Gq reference point. Used to exchange User Profile information (e.g., user related data, group lists, user service related information or user location information or charging function AS (SIP addresses (used when the Sh AS, OSA Diameter AS has not received the SCS), HSS third party REGISTER for a user)) between an AS (SIP AS or OSA SCS) and HSS. Also allow AS to activate/deactivate filter criteria stored in the HSS on a per subscriber basis. Transports CAMEL subscription information IM-SSF, including triggers for use Si MAP HSS by CAMEL based application services information. Used by MRFC to fetch documents (scripts and Sr MRFC, AS HTTP other resources) from an AS. UE and SIP AS (SIP Facilitates the management AS, OSA of subscriber information Ut SCS, IM- HTTP(s), XCAP related to services and SSF) PES settings. AS and AGCF POTS, Analog Conversion of POTS z phones and services to SIP messages. VoIP Gateways

Table 3.1. The chart describes the interfaces involved in IMS and figure 3.4 shows their place in the overall processing system The Full IP Core Network 181

It is envisaged that security defined in TS 33.203 may not be available for a while especially because of the lack of USIM/ISIM interfaces and prevalence of devices that support IPv4. For this situation, to provide some protection against the most significant threats, 3GPP defines some security mechanisms, which are informally known as “early IMS security”, in TR33.978. This mechanism relies on the authentication performed during the network attachment procedures, which binds between the user’s profile and its IP address. This mechanism is also weak because the signaling is not protected on the User–network interface.

Figure 3.4. Security aspects of early IMS and non-3GPP systems

CableLabs in PacketCable 2.0, which also adopted the IMS architecture but has no USIM/ISIM capabilities in their terminals, published deltas to the 3GPP specifications where the Digest-MD5 is a valid authentication option. Later on, TISPAN also made a similar effort given their Fixed Networks scopes, although the procedures are different. To compensate for the lack of IPsec capabilities, TLS has been added as an option for securing the Gm interface. Later 3GPP 182 LTE Standards

Releases have included the Digest-MD5 method, toward a Common- IMS platform, yet in its own and again different approach. Although all 3 variants of Digest-MD5 authentication have the same functionality and are the same from the IMS terminal’s perspective, the implementations on the Cx interface between the S-CSCF and the HSS are different.

For a more detailed description see: – 3GPP TS 23.228, IP Multimedia Subsystem (IMS), Stage 2; – 3GPP TS 29.228, Stage 2 specifications ; – 3GPP TS 24.229, IP multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP).

3.3. Evolved packet system in 3GPP standards

The new blocks specific to Evolved UMTS evolution, also known as the evolved packet system (EPS), are the evolved packet core (EPC) and the Evolved UTRAN (or E-UTRAN). Other blocks from the classical UMTS architecture are also displayed, such as the UTRAN (the UMTS Access Network), the PS and the CS CNs, respectively, connected to the public (or any private) IP and Telephone Networks. The IMS (IP Multimedia Subsystem) is located on top of the Packet Core blocks and provide access to both public or private IP networks, and the public telephone network via Media Gateway network entities. The HSS, managing user subscription information is shown as a central node, providing services to all CN blocks of 3G and evolved 3G architecture.

3.3.1. Policy and charging rules function

EPS introduces the Policy and Charging Rules Function (PCRF) as a software node designed to determine in real-time the policy rules in an IMS network. Earlier policy engines were added onto an existing network, which was sometimes cumbersome to manage and update. The Full IP Core Network 183

Figure 3.5. Full scope of EPS

Being a policy tool, PCRF plays a central role in the NGN. It accesses subscribers’ databases and charging system. In real-time, PCRF aggregates information to and from the network, from operational support systems and other sources such as portals. It supports the creation of rules and automatically makes policy decisions for each active subscriber on the network, e.g. authorization to access one or more among the multiple services and QoSs levels offered by the network with application of the charging rules.

Figure 3.6. PCRF connections in LTE’s EPC 184 LTE Standards

PCRF is available both on wired and wireless networks. It can be integrated in different platforms (billing, rating, charging, subscribers’ database) or operate on a stand alone device.

3.3.2. Release 8 system architecture evolution and evolved packet system

System Architecture Evolution (SAE) is synonymous with Evolved Packet Core (EPC). SAE/EPC is defined by 3GPP in Release 8 (Rel-8) as an entirely new CN with a flatter all-IP architecture enabling a higher data rate, lower latency packet-optimized system that supports multiple radio-access technologies, focusing on the packet-switched domain, with the assumption that the system will support all services – including voice – in this domain.

3GPP has made significant progress in Rel-8 toward the standards development and definition of a new flatter-IP CN to support the Evolved UMTS Terrestrial Radio Access Network (EUTRAN) through the SAE work item, which was later renamed the EPC Architecture. In parallel, 3GPP has made significant progress toward the standards development and definition of a new OFDMA-based technology through the Long Term Evolution (LTE) work item. This new OFDMA based air interface (LTE) is also often referred to as the EUTRAN. Note that the complete packet system consisting of the EUTRAN/LTE and the SAE/EPC is called the EPS.

The combination of LTE and SAE/EPC provides the long-term vision for 3GPP to an all-IP, packet only wideband OFDMA system expected to further improve performance by providing higher data rates, improved spectral efficiency and reduced latency. LTE’s ability to support bandwidths wider than 5 MHz is of particular importance as the demands for higher wireless data speeds and spectral efficiencies continue to grow.

As mobile operators add LTE to their radio access networks, they will simultaneously evolve the rest of their networks and subscriber devices. They will update their core and backhaul networks to handle the exponential increases in IP traffic enabled by LTE. To keep their The Full IP Core Network 185 networks performing optimally, mobile operators will flatten their CN architectures considerably by using EPC technology. EPC reduces the number of nodes in the core, which reduces latency even as the amount of data traffic increases. It simplifies deployment of IP-based networks and reduces the cost of their deployments.

Figure 3.7. Evolved packet core

EPC uses IMS as a component. It also manages QoS across the whole system, which will be essential for enabling a rich set of multimedia-based services. The EPS will be optimized for all services to be delivered via IP in a manner that is as efficient as possible – through minimization of latency within the system, for example.

Although it will most likely be deployed in conjunction with LTE, EPC may also be deployed for use with HSPA+, where it would provide a stepping-stone to LTE. It will support service continuity across heterogeneous networks, important for LTE operators that must simultaneously support GSM/GPRS/EDGE/UMTS/HSPA customers.

The key features and capabilities of SAE/EPC include: – reduced latency and higher data performance through a flatter all- IP architecture. 3GPP has targeted user-plane latency at 10 ms; 186 LTE Standards

– support for both LTE radio-access networks and interworking with GSM-UMTS radio-access networks; – the ability to integrate non-3GPP networks; – optimization for all services provided via IP.

The EPC is a flat all-IP-based CN that can be accessed through 3GPP radio access (LTE, 3G and 2G) and non-3GPP radio access (e.g. WiMAX and WLAN), allowing handover procedures within and between both radio access types. The access flexibility to the EPC is attractive for operators since it enables them to have a single CN through which different services are supported. The main components of the EPC are: (1) Mobility Management Entity; (2) Serving Gateway; and (3) Packet Data Network.

Figure 3.8. EPC components

3.3.2.1. Mobility Management Entity (MME) Mobility Management Entity (MME) is a key control element. It is in charge of managing security functions (authentication, authorization and Network Access Server (NAS) signaling security), idle state mobility handling, roaming and handovers among other functions. The S1-MME interface connects the EPC with the evolved Node Bs (eNBs, base stations in LTE).

MME is responsible for tracking and paging procedure including retransmissions, and also for idle mode of UE. MME is also involved in bearer activation and deactivation procedures. Its task also belongs to choosing the SGW for a UE in the initial attach process and when the intra-handover takes place which involves CN node relocation. The Full IP Core Network 187

MME is responsible for authenticating the user to the HSS, if the user is roaming MME terminates S6a interface to the user’s home HSS. All Non Access Stratum (NAS) signaling terminates at the MME point, which is also responsible for generation and allocation of temporary UE identities (GUTI). Among its duties is also authorization UE to Public Land Mobile Network (PLMN) and enforcing UE roaming restrictions if there are any. MME is also the termination point of ciphering and integrity protection for NAS signaling. Lawful interception (LI) of signaling could also be supported by MME entity. It also provides the control plane function for mobility between LTE and 2G/3G networks by the S3 interface (from SGSN to MME).

MME functions, according to 23.401 3GPP documentation, include: – NAS signaling; – NAS signaling security; MME acts the termination point for ciphering protection for NAS signaling; – inter CN node signaling for mobility between 3GPP access networks (terminating S3); the S3 interface terminates in the MME, providing the control plane function for mobility between LTE and 2G/3G access networks; – UE Reach ability in ECM-IDLE state (including control and execution of paging retransmission); – paging procedure; – providing temporary identities for UEs; – tracking area list management; – mapping from UE location (e.g. TAI) to time zone, and signaling a UE time zone change associated with mobility; – PDN GW and serving GW selection for the UE; – MME selection for handovers with MME change; intra-LTE handover involving core network node location; 188 LTE Standards

– SGSN selection for handovers to GSM or UMTS access networks; – roaming (S6a toward home HSS); interaction with HSS to authenticate user on attachment; implement roaming restrictions; – authentication; – authorization; – bearer management functions including dedicated bearer establishment, activation/deactivation; – lawful interception of signaling traffic; MME is the point at which lawful interception of signaling may be made; – warning message transfer function (including selection of appropriate eNodeB); – UE reach ability procedures.

The MME will signal a change is UE time zone only in case of mobility and in case of UE triggered service request, PDN disconnection and UE detach. If the MME cannot determine whether the UE time zone has changed (e.g. the UE time zone is not sent by the old MME during MME relocation), the MME should not signal a change in UE time zone. A change in UE time zone caused by a regulatory mandated time change (e.g. daylight saving time or summer time change) will not trigger the MME to initiate signaling procedures due to the actual change. Instead the MME will wait for the UE’s next mobility event or service request procedure and then use these procedures to update the UE time zone information in PDN GW.

3.3.2.2. Serving Gateway (S-GW or SGW) SGW is the gateway that terminates the EPC interface toward the E-UTRAN via an interface called the S1-U. For each UE that is associated with the EPS there will be a unique S-GW hosting several functions, including mobility anchor point for both local inter-eNB handover and inter-3GPP mobility, inter-operator charging and packet routing and forwarding. The Full IP Core Network 189

SGW is responsible for handovers with neighboring eNodeBs, also for data transfer in terms of all packets across the user plane. To its duties belongs taking care of mobility interface to other networks such as 2G/3G. SGW is monitoring and maintaining context information related to UE during its idle state and generates paging requests when data arrives for the UE in downlink direction (e.g. somebody’s calling). SGW is also responsible for replication of user traffic in case of LI.

SGW functions, according to 23.401 3GPP documentation include: – the local Mobility Anchor point for inter-eNodeB handover: - sending of one or more “end marker” to the source eNodeB, source SGSN or source RNC immediately after switching the path during inter-eNodeB and inter-RAT handover, especially to assist the reordering function in eNodeB; - mobility anchoring for inter-3GPP mobility (terminating S4 and relaying the traffic between 2G/3G system and PDN GW); - ECM-IDLE mode downlink packet buffering and initiation of network triggered service request procedure; – lawful interception; – packet routing and forwarding; – transport level packet marking in the uplink and the downlink, e.g. setting the DiffServ Code Point, based on the QCI of the associated EPS bearer; – accounting for inter-operator charging. For GTP-based S5/S8, the Serving GW generates accounting data per UE and bearer; – interfacing OFCS according to charging principles and through reference points specified in TS 32.240.

3.3.2.3. Packet Data Network Gateway (PDN-GW or PGW) Packet Data Network Gateway (PGW) provides the UE with access to a packet data network (PDN) by assigning an IP address from the PDN to the UE among other functions. Additionally, the Evolved Packet Data Gateway (ePDG) provides a security connection 190 LTE Standards between an UE connected from an untrusted non-3GPP access network with the EPC by using IPSec tunnels.

The PGW is the gateway which terminates the SGi interface toward PDN. If UE is accessing multiple PDNs, there may be more than one PGW for that UE, however a mix of S5/S8 connectivity and Gn/Gp connectivity is not supported for that UE simultaneously.

PGW is responsible for acting as an “anchor” of mobility between 3GPP and non-3GPP technologies. PGW provides connectivity from the UE to external PDN by being the point of entry or exit of traffic for the UE. The PGW manages policy enforcement, packet filtration for users, charging support and LI.

Possible non-3GPP technologies are: WiMAX, CDMA 1X and EvDO.

PGW functions, as a list, according to 23.401 3GPP documentation, include: – per-user based packet filtering (by e.g. deep packet inspection); – lawful interception; – UE IP address allocation; – transport level packet marking in the uplink and downlink, e.g. setting the DiffServ Code Point, based on the QCI of the associated EPS bearer; – accounting for inter-operator charging; – UL and DL service level charging as defined in TS 23.203 (e.g. based on SDFs defined by the PCRF, or based on deep packet inspection defined by local policy); – interfacing OFCS through according to charging principles and through reference points specified in TS 32.240 [51]; – UL and DL service level gating control as defined in TS 23. 203 [6]; – UL and DL service level rate enforcement as defined in TS 23.203 [6] (e.g. by rate policing/shaping per SDF); The Full IP Core Network 191

– UL and DL rate enforcement based on APN-AMBR (e.g. by rate policing/shaping per aggregate of traffic of all SDFs of the same APN that are associated with Non-GBR QCIs); – DL rate enforcement based on the accumulated MBRs of the aggregate of SDFs with the same GBR QCI (e.g. by rate policing/shaping); – DHCPv4 (server and client) and DHCPv6 (client and server) functions; – PPP functionality; – packet screening.

Additionally the PDN GW includes the following functions for the GTP-based S5/S8: – UL and DL bearer binding as defined in TS 23.203; – UL bearer binding verification as defined in TS 23.203; – functionality as defined in RFC 4861 [32]; – accounting per UE and bearer.

The PGW provides PDN connectivity to both GERAN/UTRAN only UEs and E-UTRAN capable UEs using any of E-UTRAN, GERAN or UTRAN. The PGW provides PDN connectivity to E- UTRAN capable UEs using E-UTRAN only over the S5/S8 interface.

However, from a user-plane perspective, there are only the base station (eNodeB) and the gateways. The system is considered “flat”. This results in a reduced complexity compared to previous architectures.

For further details regarding these elements and other elements of the EPC, the official specifications can be found in: – 3GPP TS 23.401 GPRS enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access; – 3GPP TS 23.402 Architecture enhancements for non-3GPP accesses. 192 LTE Standards

3.4. Telephony processing

3.4.1. Enhanced voice quality

To ensure compatibility, 3GPP demands at least AMR-NB codec (narrow band), but the recommended speech codec for VoLTE is Adaptive Multi-Rate Wideband, also known as HD Voice. This codec is mandated in 3GPP networks that support 16 kHz sampling.

Fraunhofer IIS has proposed and demonstrated Full-HD Voice, an implementation of the AAC-ELD (Advanced Audio Coding – Enhanced Low Delay) codec for LTE handsets. Where previous cellphone voice codecs only supported frequencies up to 3.5 kHz and upcoming wideband audio services branded as HD Voice up to 7 kHz, Full-HD Voice supports the entire bandwidth range from 20 Hz to 20 kHz. For end-to-end Full-HD Voice calls to succeed however, both the caller and recipient’s handsets as well as networks have to support the feature.

3.4.2. Circuit-switched fallback (CSFB)

In this approach, LTE just provides data services, and when a voice call is to be initiated or received, 192 twill fall back to the circuit switched domain. When using this solution, operators, which have both LTE and 3G systems, just need to upgrade the MSC (in the GSM case) instead of deploying the IMS, and therefore, can provide services quickly. However, the disadvantage is that the subscriber suffers longer call setup delay.

3.4.3. Simultaneous voice and LTE (SVLTE)

The handset works simultaneously in the LTE and circuit switched modes, with the LTE mode providing data services and the circuit switched mode providing the voice service. This is a solution solely based on the handset, which does not have special requirements on the network and does not require the deployment of IMS either. The disadvantage of this solution is that the phone can become expensive with high power consumption. The Full IP Core Network 193

While the industry has seemingly standardized on VoLTE for the future, the demand for voice calls today has led LTE carriers to introduce Circuit-switched fallback (CSFB) as a stopgap measure. When placing or receiving a voice call, LTE handsets will fall back to old 2G or 3G networks for the duration of the call.

3.4.4. Over-The-Top (OTT) applications

There are multiple options available today for mobile applications. This includes Over-The-Top (OTT) applications, services that are generally offered by third party (non-operator) developers (e.g. Skype) that can be downloaded from popular app stores, often for free. Second, we have Web-based applications. These applications run directly from a Web browser, or are included as part of Cloud-based services that run thin client applications on a device platform. Third are pre-loaded applications which are bundled with a platform and cannot be deleted or disabled. This includes applications such as camera, maps, mail and calendar. Finally, there are embedded applications, which are deeply integrated applications that are part of the native dialer; VoLTE falls in this category.

Today we are seeing explosive growth in OTT applications for VoIP/Video/Messaging apps. By quickly browsing through Google Play and Apple Store, we see a couple of hundred (or more) VoIP/Video/Messaging apps available for free. Most of these apps use their own proprietary protocols/infrastructure/network and use the operator’s best-effort data network. Most consumers today have one or more of these apps installed on their mobile device.

OTT VoIP over LTE: – voice +video packets/data packets/steaming web browsing; – wireless channel: Wi-Fi or LTE ; single pipe for data and real- time voice; – output: congestion of packets, packet losses, out of sequence packets. 194 LTE Standards

3.4.4.1. OTT Mobile VoIP Mobile VoIP or simply mVoIP is an extension of mobility to a VoIP network. There are several methodologies that allow a mobile handset to be integrated into a VoIP network. One implementation turns the mobile device into a standard SIP client, which then uses a data network to send and receive SIP messaging, and to send and receive RTP for the voice path. This methodology of turning a mobile handset into a standard SIP client requires that the mobile handset support, at minimum, high speed IP communications. In this application, standard VoIP protocols (typically SIP) are used over any broadband IP-capable wireless network connection.

High speed services from mobile operators using LTE may have better audio quality and capabilities for metropolitan-wide coverage including fast handoffs among mobile base stations, yet it will cost more than the typical Wi-Fi-based VoIP service.

As device manufacturers exploited more powerful processors and less costly memory, smartphones became capable of sending and receiving email, browsing the Web (albeit at low rates) and allowing a user to watch TV. Mobile VoIP users were predicted to exceed 100 million by 2012 and InStat projects 288 million subscribers by 2013.

The mobile operator industry business model conflicts with the expectations of Internet users that access is free and fast without extra charges for visiting specific sites.

Mobile VoIP, like all VoIP, relies on SIP — the standard used by most VoIP services, and now being implemented on mobile handsets and smartphones.

When moving between IP-based networks, as is typically the case for outdoor applications, two other protocols are required: – IEEE 802.21 handoff, permitting one network to do call setup and initial traffic, handing off to another when the first is about to fall out of range – the underlying network need not be IP-based, but typically the IP stream is guaranteed a certain QoS during the handoff process; The Full IP Core Network 195

– IEEE 802.11u call initiation when the initial contact with a network is not one that the user has subscribed to or been in contact with before.

For indoor or campus (cordless phone equivalent) use, the IEEE P1905 protocol establishes QoS guarantees for home area networks: Wi-Fi, Bluetooth, 3G, 4G and wired backbones using AC powerline networking/HomePlug/IEEE P1901, Ethernet and Power over Ethernet/IEEE 802.3af/IEEE 802.3at, MoCA and G.hn. In combination with IEEE 802.21, P1905 permits a call to be initiated on a wired phone and transferred to a wireless one and then resumed on a wired one, perhaps with additional capabilities such as videoconferencing in another room. In this case the use of mobile VoIP enables a continuous conversation that originates, and ends with, a wired terminal device.

A more popular approach has been full-spectrum handsets that can communicate with any wireless network including mobile VoIP, DECT and satellite phone networks, but which have limited handoff capabilities between networks. The intent of IEEE 802.21 and IEEE 802.11u is that they can be added to such phones running iPhone, QNX, Android or other smartphone operating systems, yielding a phone that is capable of communicating with literally any digital network and maintaining a continuous call at high reliability at a low access cost.

3.5. The requirements of VoLTE and V.VoIP applications

VoLTE requirements: – data packets/steaming web browsing; – dedicated bearer for voice + video; wireless channel (IMS APN); – output: flow of data packets.

VoLTE is based on the IMS network, with specific profiles for control and media planes of voice service on LTE defined by GSMA in PRD IR.92. This approach results in the voice service (control and media planes) being delivered as data flows within the LTE data 196 LTE Standards bearer. This means that there is no dependency on (or ultimately, requirement for) the legacy Circuit Switch voice network to be maintained.

One of the most important requirements for VoIP applications is that they must have guaranteed QoS. Since all OTT apps use VoIP over LTE (on the operators’ data networks) do not offer QoS because the same pipe is used for real-time voice/video communication as is used for web browsing and audio/video streaming. This leads to competition for bandwidth – meaning there can be no guaranteed QoS. Conversely, carrier-grade VoLTE utilizes dedicated bearer/bandwidth thus guaranteeing superior voice and video quality.

Low latency is also a key requirement for V.VoIP. With OTT apps, latency suffers as tasks queue up in the pipeline as they compete for bandwidth. OTT apps are integrated at high-level user space interfaces, whereas the embedded VoLTE integrates with low-level audio drivers for audio capture/rendering and network interfaces, thus reducing the TX/RX processing delays considerably. OTT end-to-end latency is approximately 3x higher than with embedded VoLTE.

Interoperability must also be considered. Almost all OTT apps use proprietary methods, and hence do not interoperate with each other. To overcome this, and make calling a hassle-free experience for consumers, embedded VoLTE has the opportunity to thrive through ecosystem collaboration between chipset, OEM and infrastructure vendors and mobile operators.

3.6. Voice and video over LTE are achieved using voice on IP channels (VoLTE)

The advantages of LTE are high throughput, low latency, plug and play capabilities, a superior end user experience and a simplified network architecture resulting in a 10X improvement cost-per- megabyte to carry data traffic.

Given its ability to effectively carry VoIP, LTE provides mobile carriers with a single network infrastructure for all services, including The Full IP Core Network 197 voice, short message service (SMS), and broadband data for both mobile and fixed end users. Finally, mobile operators can migrate voice and SMS from their congested and costly circuit switched core networks to a more efficient IP-based core. – The de facto standard for delivering voice and video over LTE using IMS is specified in GSMA IR.92; – IMS Profile for Voice and SMS and IR.94: – IMS Profile for Conversational Video Services. Endorsed by the world’s leading mobile operators and network equipment vendors, the goals of IR.92 and IR.94 are to identify the minimum requirements in the 3GPP standards needed to deliver LTE voice, video and SMS services over IMS that is consistent with what is offered today by mobile operators on their circuit switched networks, but at the same time offer additional services that are not currently available such as HD (High Definition) voice and video.

Key technical requirements for Voice and Video over LTE include: – 3GPP IMS Release 9 or greater; – MMTel services; – SMS over IP; – IMS Media support for AMR audio codecs. Including AMR-WB for HD; – IMS Media support for H.264 video codec; – Service Centralization and Continuity AS (SCC-AS) support for Single Radio VCC (SRVCC), providing seamless voice handoff between LTE and circuit-switch networks.

Inside the smartphone (or mobile), standards can obviously help in the collaboration between the different applications. Embedded carrier grade VoLTE/Video over LTE and Rich Communication Suite (RCS) applications are compliant to GSMA PRD IR.92 (IMS Profile for Voice, and SMS), GSMA PRD IR.94 (IMS Profile for Conversational Video Service) and RCS 5.1 (Advanced Communications Services and Client Specification) respectively. 198 LTE Standards

As these apps are running on mobile devices, it is clear that optimizing for low-power consumption and optimal bandwidth is key. Some of the techniques that embedded VoLTE/Video over LTE/RCS uses to reduce power consumption and increase bandwidth include: – integration with hardware accelerators (such as video) thus reducing the overall CPU MHz requirements and enabling higher- resolution/fps video; – hand-coding assembly for CPU-intensive algorithms (media engine), since the power consumption increases for every MHz used; – discontinuous reception (DRX) in connected mode – stopping the transmission during silence packets and aggregation of packets; – semi-persistent scheduling (SPS) – assignment of a predefined chunk of radio resources for VoIP users with an interval of 20 ms so that devices are not required to request resources at each Transmission Time Interval (TTI); – Robust Header Compression (RoHC) – For VoIP packets, the size of headers (IP/UDP/RTP) is usually larger than the data itself— for IPv4, UDP and RTP, the amount of overhead due to headers is 40 bytes, and RoHC can compress this to 2 or 3 bytes.

Network integration is also critical. All OTT apps drop the real- time voice/video calls when migrating from one network to the other, which is an obvious problem. Embedded VoLTE supports SRVCC which enables a seamless handover to legacy 2G/3G cellular networks when there is no LTE coverage, as well as handover to Wi-Fi with IP2IP and Access Network Discovery and Selection Function (ANDSF).

For a smooth user experience, it is also important to have a single user interface for both circuit switched and packet switched calls. As an integrated native application, embedded VoLTE uses one interface for both circuit switched and packet switched VoLTE calls. However, OTT applications have their own dialer/user interface for VoIP over LTE/Wi-Fi calling, but a native dialer must be used for circuit- switched calls. The Full IP Core Network 199

The RCS is the operators’ response to real-time VoIP/Video/Messaging OTT apps. It not only supports VoIP/Video/Messaging, but also integrates an enhanced phonebook which includes capability discovery exchange and social presence information. It also supports enhanced messaging (1-1 chat, group chat, emoticons, location share and file sharing and enriched calls) and enables multimedia content sharing during a voice call, video call and video sharing. It also addresses a much larger subscriber base (more than 5 billion) compared to a fragmented OTT user base.

More and more operators across the world are following this track. Trials are ongoing for Video over LTE, with the ultimate goal of providing an integrated super-app that provides a unified VoLTE, Video over LTE and RCS functionality. The community developing Rich Communication Services is called Joyn, it is working under the umbrella of the GSMA with the leadership of prominent operators (Vodafone, Orange, Telefonica, Deutsche Telekom and Telecom Italia) and major manufacturers (Sony, Samsung, HTC, Huawei, Nokia, LG, BlackBerry, ZTE, Apple with the I-Phone).

To further increase customer satisfaction, operators’ embedded VoLTE provides the same user experience across the platforms. It supports all circuit-switched features (voice calling, and supplementary call features – call waiting, transfer, forwarding, emergency calling and SMS). It also supports some of the enhanced features such as HD Voice (AMR-WB) and HD Video, with reduced call setup times and improved voice quality that is 40% better than 3G due to using a wider bandwidth (50–7000 Hz instead of 300–2400 Hz).

Operators have adopted different approaches to migrate from the full circuit-switched voice + data to full LTE voice and data. From a high-level perspective, there are three categories: – the first category includes operators who have gone ahead and launched the VoLTE service even though the LTE coverage is spotty (using CSFB for voice calling). – the second category of operators is planning to adopt the SRVCC to fall back to 2G/3G where there is no LTE coverage. 200 LTE Standards

– the last group includes more conservative carriers who are busy rolling-out the LTE data-only service so that they initially provide the same coverage as their existing 3G network and then deploy VoLTE for LTE-only handsets. But CSFB, SVLTE and SRVCC are expensive interim solutions; operators will have to quickly migrate to full VoLTE-only solutions in order to provide the carrier-grade user experience.

As realization in the field, embedded VoLTE was launched in August 2012 by MetroPCS, LGU+, SK Telecom. The world’s first country-wide interoperable RCS network was launched in Spain by Movistar, Orange and Vodafone. This was followed by deployments in Korea – KT, LGU+, SK Telecom, Germany – Vodafone, T-Mobile and US – MetroPCS.

The largest LTE operator, Verizon is already testing VoLTE in trials and plans to launch the service commercially in 2014, at first using traditional CDMA-LTE combo phones, unlike other carriers, Verizon’s LTE-CDMA combo does not support a feature called SRVCC, which would hand over a VoLTE call to the 2G network if a customer walked out of 4G network range. For Verizon, launching VoLTE is dependent on matching its LTE coverage to its 2G coverage, so customers would rarely, if ever, be forced off the 4G network. Most of Verizon’s data traffic (57%) has already migrated to its LTE network. Verizon 4G now covers 95% of the US population (298 million POP).

CDMA traffic has hit its peak and has started declining. Eventually Verizon will shut down a portion of its 3G CDMA data networks, and as voice traffic moves to VoLTE it can do the same with its 2G networks. That PCS spectrum can then be re-farmed for LTE or other purposes.

VoLTE would not just support voice calls. Verizon’s service would include video-casting and other real-time multimedia communications features. As an IP service, VoLTE could be integrated into other applications and could reproduce many of the enhanced messaging and video features in over-the-top applications. The Full IP Core Network 201

3.7. Cut down version of IMS

In order that IMS was implemented in a fashion that would be acceptable to operators, a cut down version was defined. This not only reduced the number of entities required in the IMS network, but it also simplified the interconnectivity – focusing on the elements required for VoLTE.

Figure 3.9. Cut down version of IMS Reduced IMS network for VoLTE

As can be seen there are several entities within the reduced IMS network used for VoLTE: – IP-CAN IP, Connectivity Access Network: this consists of the EUTRAN and the MME. – P-CSCF, Proxy Call State Control Function: the P-CSCF is the user to network proxy. In this respect all SIP signaling to and from the user runs via the P-CSCF whether in the home or a visited network. – I-CSCF, Interrogating Call State Control Function: the I-CSCF is used for forwarding an initial SIP request to the S-CSCF. When the initiator does not know which S-CSCF should receive the request. – S-CSCF, Serving Call State Control Function: the S-CSCF undertakes a variety of actions within the overall system, and it has a number of interfaces to enable it to communicate with other entities within the overall system. – AS, Application Server: it is the AS that handles the voice as an application. – HSS, Home Subscriber Server: the IMS HSS or home subscriber server is the main subscriber database used within IMS. The IMS HSS provides details of the subscribers to the other entities within the IMS 202 LTE Standards network, enabling users to be granted access or not dependent upon their status.

The IMS calls for VoLTE are processed by the subscriber’s S-CSCF in the home network. The connection to the S-CSCF is via the P-CSCF. Dependent upon the network in use and overall location within a network, the P-CSCF will vary, and a key element in the enablement of voice calling capability is the discovery of the P-CSCF.

3.8. Latency management

While much attention has been focused on LTE data rates, another important parameter, latency, is critical to enable a number of applications particularly voice services (VoLTE) or real time television

Latency depends on a number of parameter. It is a statistical measure. Some of the parameters impacting latency include traffic and subscriber load, the type of traffic and the channel radio frequency condition.

LTE includes QoS management with up to 9 classes of service. Conversational voice is very susceptible to delay and packet error loss, particularly for low bit-rate vocoders. Real-time gaming is another highly demanding application both in terms of delay budget and packet error rate.

LTE is supposed to provide a round trip time of less than 10 ms. According to LTE system specification and requirements, user plane latency is defined to be sub-10 ms for two way radio delay. Although this value excludes the latency to the core, the bulk of latency typically occurs on the air interface. Hence, there is much more room for improvements and optimization when it comes to LTE latency. This is a key issue and even failure of the LTE standard if latency is not improved. After all, LTE was designed with a 1 ms subframe to meet the low latency requirement. So far, this goal has not been achieved. The Full IP Core Network 203

Packet Resource Packet error QCI Priority delay Example services type loss rate budget 1 2 100 ms 10-2 Conversational Voice Conversational Video (Live 2 4 150 ms 10-3 Streaming) GBR 3 3 50 ms 10-3 Real-Time Gaming Non-Conversational Video 4 5 300 ms 10-6 (Buffered Streaming) 5 1 100 ms 10-6 IMS Signaling Video (Buffered Streaming) TCP-based (e.g., www, e-mail, 6 6 300 ms 10-6 chat, ftp, p2p file sharing, progressive video, etc.) Voice, Non-GBR 7 7 100 ms 10-3 Video (Live Streaming) Interactive Gaming 8 8 Video (Buffered Streaming) TCP-based (e.g., www, e-mail, 300 ms 10-6 9 9 chat, ftp, p2p file sharing, progressive video, etc.)

Table 3.2. Priority

The measured values exceed this limit.

Reported Latency Network / Reference Comments Average: 49 ms AT&T Houston (Signals Latency measured to servers in the Min: 40 ms Research) operators local market. These are reported as “Network Latency” and defined as “the time it Average: 23 ms TeliaSonera Finland takes for a network to respond.” I Max: 38 ms (Epitiro) believe this measurement was done under very controlled conditions since they reported relatively stable average. Average: 143 ms Tests were conducted in-building and Verizon (BTIG) Min: 79 ms near a window.

Table 3.3. Latency 204 LTE Standards

Figure 3.10. Latency (50 ms) The Full IP Core Network 205

Table 3.4. Measurement

3.9. Appendix 1: VoIP tests in UK

For more details about the methodology and results, please visit David Martland’s website: www.sipcentric.com/2013/04/how–well– does–Uoip–work–ove–4g/.

LTE Security. SIM/USIM Subsystem

4.1. LTE security

It is necessary to ensure that Long Term Evolution (LTE) security measures provide the level of security required without impacting the user as this could drive users away. LTE must provide authentication, ciphering, encryption and identity protection.

With the level of sophistication of security attacks becoming increasingly imaginative, it is necessary to ensure that LTE security allows users to operate freely and without fear of attack from hackers. In addition, the network must also be organized in such a way that it is secure against a variety of attacks. – LTE security had to provide at least the same level of security that was provided by second generation (2G) and third generation (3G) services. – The LTE security measures should not affect user convenience. – The LTE security measures taken must provide defense from attacks from the Internet. – The security functions provided by LTE should not affect the transition from existing 3G services to LTE.

208 LTE Standards

– The Universal Subscriber Identity Module (USIM) currently used for (3G) services should still be used.

Security has to take into account some functions outside the core operation of LTE: – lawful interception of sessions and signaling in the core network; – emergency calls management with mobiles that are unable to be authenticated, thus the session has no ciphering nor integrity control; – broadcasted warning messages, e.g. tsunami or earthquake advice.

LTE security is developed into all areas of the system from the user equipment (UE) to the core network. – A new hierarchical key system has been introduced in which keys can be changed for different purposes. – The LTE security functions for the non-access stratum (NAS) and access stratum (AS) have been separated. The NAS functions are those functions for which the processing is accomplished between the core network and the mobile terminal or UE. The AS functions encompass the communications between the network edge, i.e. the eNodeB, and the UE. – The concept of forward security has been introduced for LTE security. – LTE is facing the issue of the dramatic increase of the number of interfaces, Internet Protocol (IP), interfaces with multiple technologies, roaming with hundreds of operators (more than 800 MNO in more than 200 countries, according to GSMA). – An issue is also coming from the convergence of the operating system (OS) toward Linux, making them “known” environments. It is the same for mobiles, with more than 50% of smartphones based on the android and iPhone OS. LTE Security. SIM/USIM Subsystem 209

4.1.1. Principles of LTE security

LTE is a flat IP system, no longer having a circuit domain. Communications are routed to Internet multimedia subsystem (IMS), the Internet and private networks.

No longer intermediate radio controller, base stations eNodeB are interconnected (X2 interface), and they are directly connected to the core network.

LTE carries the subscribers’ sessions via General Packet Radio Service (GPRS) Tunneling Protocol (GTP) for the management of mobility.

LTE interfaces with Universal Mobile Telecommunications System (UMTS) and Global System for Mobile communication (GSM), which makes it compulsory to have a USIM card. It also interfaces with other networks, especially CDMA2000. The mobility there is managed with mobile IP.

Figure 4.1. LTE needs a layered security 210 LTE Standards

Figure 4.2. Layered security model

4.1.2. LTE EPC security

LTE is reusing the UMTS authentication based on a USIM card inserted into the mobile UE and mutual authentication with the Home Subscriber Server (HSS). This mutual authentication produces two derived keys: Ck and Ik.

From Ck and Ik, LTE generates a master key KASME for the LTE- evolved packet core (EPC), which is differentiated from mobile country code (MCC) and mobile network code (MNC) network identifiers.

High level signaling protection is provided with special attention to NAS signaling (management of mobility and sessions), end-to-end security (from UR to Mobility Management Entity (MME) (MME)). LTE applies there integrity control and ciphering.

The protection of the radio interface applies on packet data control plane (PDCP) frames. The user session is encrypted. Radio signaling LTE Security. SIM/USIM Subsystem 211 of the Radio Resource Control (RRC) has an integrity control and is encrypted.

Figure 4.3. LTE eUTRAN protocole stack

4.1.2.1. Derivation of successive keys HMAC-SHA-256 is used for the derivation of successive keys. K being the authentication key of the subscriber, it is supposed to be valid for 3 to 10 years.

KASME, which is the master key for LTE/EPC sessions, has a lifetime of a few hours, eventually a few days.

KNAS for NAS signaling has the same lifetime as KASME.

KRRC for RRC radio signaling has a lifetime of a few seconds, up to a few hours; same for KUP which encrypts session data. eNodeB keys are renewed at every antenna change. Recalculation of UP and RRC keys is done by successive eNodeB.

Diversification parameter NH is managed by the MME with the same level of quality as NAS keys.

212 LTE Standards

Figure 4.4. Derivation of successive keys

4.1.2.2. Handover security

Each time an active UE moves to a new LTE cell, new KeNB and

(KRRCenc/int, KUPenc) are computed. This process offers backward security (that was established with previous eNodeB) as well as forward security (will be established with forthcoming eNodeB). So, a compromised eNodeB has almost no security impact on the communication.

Figure 4.5. LTE keys hierarchy as in 3GPP TS 36.300

KeNB recomputation depends on handover type (S1 or X2) and on fresh data provided by MME to the source eNodeB. LTE Security. SIM/USIM Subsystem 213

Renewal of radio keys also occur when intra-eNodeB handover, intracell handover are made.

4.1.2.3. EPS security

Figure 4.6. EPS security

4.1.2.4. Security levels and algorithms Authentication key K is 128 bits, like for GSM.

KASME and the keys derivation function: 256 bits and public algorithm can be easily replaced by a full 256 bits system.

Ciphering and integrity control; 128 bits keys and public algorithms: – ciphering algorithms for NAS and PDCP: EEA0, EEA1 (SNOW 3G), EEA2 (AES-CTR), EEA3 (ZUC); – integrity control algorithms for NAS and PDCP: EIA1 (SNOW3G, MAC mode), EIA2 (AES-CMAC), EIA3 (ZUC, MAC mode).

To date, there have been no realistic attacks on SNOW3G, AES and ZUC.

All terminals, eNodeB and MME must support EEA0? SNOW3G and AES. ZUC also in China. 214 LTE Standards

Nevertheless, some weaknesses may be found in certain procedures or implementations with the acceptation of replay for the initialization vector, with known initialization vectors (padding and signaling messages) – and of course when there are software bugs or corrupted memory.

4.1.3. Interfaces protection

LTE interfaces are accessible: – from an antenna: X2 and S1; – from other access networks: core network interfaces when applying IP mobility (MIPv4, DSMIPv6 and PMIP). Issue with trusted/untrusted interface concept; – from public IP network: roaming interfaces (DIAMETER messages to HSS; signaling messages to MME; GTP sessions to packet data network (PDN)-gateway).

The only solution is to use IPsec ESP and IKEv2 (exchange of certificates between network equipments; Extensible Authentication Protocol (EAP) and USIM between mobiles and network equipments).

Figure 4.7. IPsec LTE Security. SIM/USIM Subsystem 215

4.1.4. Femtocells and relays

Miniaturized eNodeB manage user sessions without encryption, allowing eavesdropping. They have no access to high-level signaling (NAS), which eliminates fraud. They have access to eNodeB signaling (S1-AP and X2-AP).

Femtocells connect to the core network via the Internet (ADSL or other access). The protection of the wired access is ensured by IPsec.

Relays connect to eNodeB via a wideband LTE radio connection. They multiplex users’ sessions in one single session. They may be mobile.

Neither femtocells nor relays encrypt users’ sessions, so IPsec would be recommended between eNodeB and core network.

All these pieces of equipment must be checked the software development quality and system security.

4.1.5. Specifications

http://www.3gpp.org/specification-numbering – TS 43.020: GSM and GPRS security; - TS 33.102: UMTS security; - TS 33.210 and TS 33.310: core network security; - TS 33.401: LTE and EPC security; - TS 33.402: security of non-3rd generation partnership project (3GPP) accesses to EPC; - TS 33 series: security; - TS 35 series: cryptography; - TS 24 series: signalling between mobile and core network; - TS 45 series: GSM and GPRS access network; - TS 25 series: UMTS access network; 216 LTE Standards

- TS 36 series: LTE access network; – TS 31 series: (U)SIM cards.

4.2. SIM card

At first sight, a subscriber identity module (SIM)/USIM card generally shows some logo from the issuing operator as well as a printed number, in France it is called “numéro de série de carte externe” (NSCE) and is made by a row of 14 digits, which identify the card.

Figure 4.8. (U)SIM cards as released by the operator

The SIM card (ETSI/3GPP TS 51.011) was one of the very important innovations of GSM. It was the first worldwide mobile system where the mobile terminal is split in two subsystems: – the UE providing all the telecommunication functions, especially the management of the radio access and the follow-up of communications; – the SIM holding the identity of the customer as well as the keys and processes for authentication. The SIM (or USIM) is provided by one single operator (or mobile virtual network operator (MVNO)).

The access to its content is protected by a pin code of 4 to 8 digits. But this pin may be deactivated.

SIM cards are used by the GSM family of standards (GSM, UMTS and LTE). CDMA 2000 and the Japanese PDC optionally use SIM cards. LTE Security. SIM/USIM Subsystem 217

Figure 4.9. Structure of the UICC electronic chip

SIM bears a microelectronic component with a microcontroller and memory. It contains specific data related to the subscriber and the subscribed network. It also contains data and applications provided by the user, the network or other sources.

The major information stored in the SIM is the subscriber’s identifier, called international mobile subscriber identity (IMSI) and the identity of the subscribed network, given by its MCC and its MNC. The SIM is issued by a mobile network operator (MNO) or by an MVNO (which has no real network deployed in the country).

Today, the SIM card system is split in three subsystems: – universal integrated circuit card (UICC): the UICC covers the hardware of the card and electronic chip, the OS of the microcomputer. UICC has a role in the management of authentication. UICC can also execute applications, which are based on the (U)SIM application toolkit and a Java Card environment. UICC is described in the standard ETSI TS 102 221; – USIM is the UMTS and LTE telecommunication application. USIM follows 3GPP TS 21.111 and TS 21.1112 standards (USIM card requirements) and 3GPP TS 31.102 USIM application. – IP Multimedia Services Identity Module (ISIM) is a set of non- telecommunication applications provided by third parties. 218 LTE Standards

The vocable “SIM” is now covering only the GSM application, which is described in 3GPP TS 51.0111.

The SIM/USIM: UICC device provides: – a safe element to store identifiers and the connection data of the subscriber; – a removable element; this particularity allows us to personalize a new mobile set with the data of the subscriber. It is now possible to dissociate the choice of the operator (network operator or MVNO having no physical network in the field) from the choice of the terminal; – a space to store personal data of the subscriber; – a space where the operator can store its applications; – a space to store the personalization of the terminal, e.g. for voice mail management. In particular, the operator will implement on the UICC specific (proprietary) application with the SIM toolkit (or USIM toolkit) with a JAVA Card environment. In JAVA Card, executable are installed on the UICC. The SIM/USIM works in that case like a virtual machine.

4.2.1. SIM-lock

The European operators in the early 1990s decided to sell the mobile terminals at a subsidized price. In order to avoid cheating from dishonest customers, they urged the mobile manufacturers to implement an application binding the UE to the SIM/USIM. This is called SIM-lock. In this process, the SIM/USIM has no active part, it just provides the IMSI to the UE and the UE checks if this IMSI is accepted. Generally, the SIM-lock only checks the MCC–MNC couple, but in some cases it has been more restrictive. The calculation done by the mobile set makes use of the international mobile equipment identity (IMEI) number implemented in the device by the manufacturer which identifies the mobile and that is available when typing *#06# on the mobile. From government directive, the LTE Security. SIM/USIM Subsystem 219 operator must provide a de-SIM-lock process. This process is to enter a series of digits in the mobile touchpad.

4.2.2. Electronic component of the UICC

Due to the fast increase of electronic chip capabilities, the electronic component of the card has been drastically improved since the introduction of the SIM in 1990. There are three constraints: – size of the chip: since the card may be extracted from the mobile equipment (ME for GSM or UE for LTE), it is not possible to insert chips larger than 5 × 5 mm. Bigger chips are at risk of being broken; – power consumption: no way to insert such chips as PC Intel powerful chips need 1 W or more. The technology has evolved from 5 V components to 3 V, then 1.8 V and the increased capabilities of the UICC do not carry along energy consumption. – cost: the SIM cannot be as expansive as the mobile, which compels the chip to stay in the range of one euro or lower.

The memory technology is now mainly Flash NAND, with relatively high capacity (up to around 1 MB).

4.2.3. Form factor

The UICC is manufactured along four different shapes (from left to right on the images hereafter): – standard SIM (ID-1), following the requirements established for credit cards no longer in use; – mini SIM (2 form factor (FF) or ID-000), made necessary by the size of hand portable terminals; – micro SIM (3FF, mini-UICC), in particular for connected tablets; used by the iPad of Apple; – nano SIM (4FF), the last and the smallest sized component to date. It is used by Apple for the iPhone. 220 LTE Standards

Figure 4.10. UICC form factors

The last avatars of UICC are FFs 1 and 2 (MFF 1 and MFF 2), designed for integration in various machine or robot cases. For example, the SIM installed in the dedicated “boxes” designed for the European emergency service and installed in vehicles.

SIM/USIM Length Width Thickness Applicable standard Card (UICC) (mm) (mm) (mm) Full size/1FF/ID-1 ISO/CEI 7810:2003, ID-1 85.60 53.98 0.76 UICC Mini SIM/2FF/ ISO/CEI 7810:2003, 25.00 15.00 0.76 Plug-in UICC ID-000 Micro SIM/3FF/ ETSI TS 102 221 15.00 12.00 0.76 Mini-UICC Nano ETSI TS 102 221 12.30 8.80 0.67 SIM/4FF JEDEC Design Guide Embedded SIM 6.00 5.00 <1.0 4.8, SON-8

Table 4.1. SIM/USI Applicable standard

The card is still delivered with the credit card size. Smaller devices are just to be pulled out.

Nano SIM has been introduced for the iPhone. Initially, Apple tried to embed the GSM/UMTS/LTE applications inside the ME/UE like it is with CDMA 2000, but accepted to use the SIM card with the reduced size. LTE Security. SIM/USIM Subsystem 221

4.2.4. SIM card physical interface

Figure 4.11. UICC contacts

The UICC physical interface provides eight contacts: 1) VCC (power supply); 2) RST (reset); 3) CLK (clock); 4) D+ (USB Inter-chip); 5) GND (ground); 6) VPP (voltage programming power); 7) I/O (input/output); 8) D- (USB Inter-chip).

4.2.5. UICC communication protocol

UICC and ME/UE exchange information following defined protocols.

The historic SIM-ME transmission, designed for bank card followed the T = 0 protocol: – asynchronous; – character mode; – half duplex.

222 LTE Standards

The newly standardized USB interface follows the ETSI TD 102.600. Using contacts C4 and C8, it is called the fast interface. Called USB interchip (IC), it provides 12 Mbps half duplex. To reduce energy consumption, the physical electrical interface has been modified from the standard USB. It offers three classes: – integrated circuit card device (ICCD) emulates the original SIM- ME interface along ISO/IEC 7816-4; – mass storage to emulate a storage key; – Ethernet emulation mode (EEM) allows us to carry IP packets, thus supporting User Datagram Protocol (UDP)/IP and Transmission Control Protocol (TCP)/IP.

C6 is used to interface with a contactless module to provide NFC services. The suitable interfaces are described in standards TS 102.613 single wire protocol (SWP) and TS 102.622 (HCI). Its characteristics are: – full duplex; – upto 1.6 Mbps; – packets transmission (bit oriented).

Figure 4.12. NFC applications of the UICC

LTE Security. SIM/USIM Subsystem 223

The UICC is a very small computer including a microprocessor, memories and interfaces. The OS is proprietary. It is designed and maintained by the card producer. The capacity of the memory ranges from 64 kb upto 1024 kb and even more. Considering the decreasing cost of microelectronics, higher sizes will probably be available. The memory is organized with tables and files.

The UICC is engineered to resist all kinds of attacks, both software and hardware born. It has an OS, e.g. JAVA, supporting the applications which are provided by the operator.

UICC memory technology is mainly Flash NAND. For multimedia applications an additional Flash card may be added for flexibility.

4.2.6. Operating system (OS) and virtual machines

UICC operates under the management of its OS. That OS is optimized for the relatively small size of the memory and the computing power of the module. Such OSs are proprietary and take benefit of the large experience of card manufacturers.

Figure 4.13. Example of UICC architecture 224 LTE Standards

The memory is organized in directories and files. The rather simple file list of the GSM SIM is now enlarged to a very large number of items. (See further USIM directories).

Recent UICC includes virtual machines, generally designed in Java as specified by the Java Card Forum.

Figure 4.14. The complex structure of UICC applications in a modern device

4.2.7. (U)SIM authentication

The basic application manages the subscription and the rights of the customer. It is the reflection of the subscription data, which is registered in the HSS of the operator’s core network. The IMSI counts a maximum of 10 digits, beginning with MCC, then MNC, followed by the mobile subscriber identity number (MSIN) of maximum 10 digits (2 digits H1 identifying the home location register (HLR) holding the mobile subscriber’s information and up to 8 digits for H2 for the number of the subscription in the HLR). The HSS covers the functions of HLR, home location register and authentication center (AuC). LTE Security. SIM/USIM Subsystem 225

The basic SIM application provides identification of the subscriber with the IMSI, which is stored in its memory as well as the identity of the mobile operator holding the subscription. The operator edits the card. It is referenced with MCC + MNC with 3 digits, from 000 to 999 – 208 for France metro; MNC with 2 digits, from 00 to 99).

The basic SIM application manages authentication of the customer and then ciphering parameters of the communication, providing the necessary keys.

Added value services can be implemented on top of this basic application, such as the delivery of information updated by the network operator (e.g. weather forecast, stock data and location related data).

Due to the progress of microelectronics, with technology constantly improving, from the micron size transistor of the 1980s to nanotechnologies of the 2010s, the computing power of the UICC has drastically improved and offers new specificities: – some specificities are improvements, e.g. the subscriber’s table of contact will be improved from a few telephone numbers to more than 250 contacts storing fixed and mobile telephone numbers as well as e-mail addresses; – some specificities are related to the evolution of the system, better management of the subscriber’s identity; – also with the evolution of the system stand evolutions of authentication, like EAP-SIM allowing secure communications both on LTE and Wi-Fi.

4.2.8. LTE USIM

One of the key elements within the security of GSM, UMTS and now LTE was the concept of the subscriber identity module, SIM. This card carried the identity of the subscriber in an encrypted fashion and this could allow the subscriber to keep his/her identity while transferring or upgrading phones. 226 LTE Standards

With the transition from 2G – GSM to 3G – UMTS, the idea of the SIM was upgraded and a UMTS Subscriber Identity Module (USIM) – was used. This gave more functionality, had a larger memory, etc.

For LTE, only the USIM may be used – the older SIM cards are not compatible and may not be used. USIM standard is to be found in 3GPP TS 21.111 – USIM card requirements.

USIM includes a new authentication process: EAP SIM.

4.2.9. ISIM

ISIM stands for IP Multimedia Services Identity Module and is an application running on the UICC. ISIM is on the UICC the counterpart of the IMS. In particular, ISIM is the repository of the parameters, which identify and authenticate the user of IMS. The ISIM application coexists with USIM on the same UICC. With USIM and ISIM, the UICC provides the security parameters both for the mobile network and for the Internet

Figure 4.15. The complex links of (U)SIM with the LTE world as seen by Telenor LTE Security. SIM/USIM Subsystem 227

Figure 4.16. UICC structure with ISIM

ISIM owns in its records the IP Multimedia Private Identity (IMPI), the home operator domain name, one or more IP Multimedia Public Identity (IMPU) and a long-term secret used to authenticate and calculate cipher keys. The first IMPU stored in the ISIM is used in emergency registration requests.

The detailed standard for ISIM is in TS31.103.

Figure 4.17. Example of ISIM application: digital right management, as seen by Telenor 228 LTE Standards

4.2.10. Over the Air Activation (OTA)

An important feature is over the air activation (OTA). Initially, this feature had been necessary to ease subscriber’s activation. Now, OTA is used to modify and/or update the content of a number of files that are stored on the UICC.

The operator’s network can communicate with the SIM/USIM via: – short message service (SMS); – GPRS or EDGE and now LTE with the bearer independent protocol (BIP). Particularly useful to save the content of the SIM/USIM on a centralized memory in order to give it back in case of destruction of the card; – USB IC offers the possibility of fast transfer of data between the card and the terminal.

OTA is also widely used for refreshing the data stored in the USIM and possibly the ISIM. It allows us to keep a copy of the subscriber’s information, such as the agenda and the address book/phonebook on a central server. If the USIM is damaged, the central repository will be able to feed the new UICC/USIM with the saved information.

The SIM toolkit can be associated with the OTA to provide flexible and powerful services.

4.2.11. Security services

The USIM provides the parameters, which are involved in the authentication of the customer as well as for encryption of the information on the radio path. This has been described before.

4.2.12. USIM directories

3GPP provides the description of UICC and USIM directories in documents 31102-C30 – Characteristics of the Universal Subscriber Identity Module (USIM) application – and LTE Security. SIM/USIM Subsystem 229

31111-C30 –(Universal Subscriber Identity Module (USIM) Application Toolkit (USAT). These two documents give the detail of all files in the USIM/UICC.

Figure 4.18. Example of OTA use for non-telecommunication applications

The structure of directories and identifiers in the UICC has been very precisely standardized, as follows:

NOTE 4.1.– Files under DFTELECOM with shaded background are defined in TS 51.011 [18].

NOTE 4.2.– The value “6F65” under ADFUSIM was used in earlier versions of this specification, and should not be reassigned in future versions.

NOTE 4.3.– Files under DFMMSS are defined in C.S0074-A [53]. 230 LTE Standards

LTE Security. SIM/USIM Subsystem 231

Figure 4.19. 232 LTE Standards

The USIM application makes use of the following directories and identifiers.

LTE Security. SIM/USIM Subsystem 233

234 LTE Standards

LTE Security. SIM/USIM Subsystem 235

236 LTE Standards

Figure 4.20.

Of course, this structure is far more complicated than the structure of GSM. Nevertheless, the USIM keeps the storage of the principal key K for the security of communications. When the subscriber registers to the network, the master key K, which is associated with the IMSI on the USIM, is sent to the HSS via the MME. The HSS in return sends a random number RAND as well as the expected response XRES, confidentiality and integrity keys Ck and Ik, respectively, and produces an authentication token (AUTN) for the network. From RAND and AUTN, the USIM calculates the response RES and the keys Ck and Ik. The MME verifies that RES is identical to XRES.

AUTN, Ck and Ik are combined with the serving network identity SNid to calculate the Kasme, master key for LTE/EPC sessions, using the HMAC-SHA-256 algorithm both in the UE and in the HSS. From Kasme, the UE and the MME calculate Knas enc, Knas int, Kenb and NH. The UE and the eNodeB calculate Kup enc, Krrc enc and Krrc int. Kenb and NH produce Kenb* through NCC. The keys for UP (key of the session), for RRC (radio signaling) and for eNB are recalculated by the successive eNodeB involved in the communication.

Relevant detailed description of the processes can to be found in the TS36 series, dealing with LTE/EPC access. Also in TS33.401, LTE Security. SIM/USIM Subsystem 237 security of LTE and EPC access, completed with TS33.402, security of access to EPC by non-3GPP networks.

TS31 series is devoted to USIM.

4.2.13. The UICC/SIM/USIM/ISIM industry

To finish this general presentation, let us quote the most important actors in the business of the SIM/USIM. At the beginning are the manufacturers of microchips. For a SIM/USIM, the size of the chip is limited due to risks of breaking a “large” chip during the tough use of the mobile. ST Microelectronics is an important producer of those chips. Its advantage is the low consumption of its products. The German card manufacturers will use Infineon products. On distant markets, Samsung has a share. Nevertheless, the UICC does not implement the latest technology for cost reasons. Many UICC designs are still based on 100 nm technology (to be compared to 7 to 10 nm available for decoders).

On the component, the card maker will implement the OS and the applications.

The next step is to stick the microchip on a plastic support. Easy to express and difficult to realize. Silicon and plastic do not like to be married. On top of that comes the printing of logos and numbers, which is typically the skill of printers. Among the producers of cards, Gemalto is an important actor.

The last step is to personalize the card, with the introduction of network generated information personalizing each individual card. A very precise database must be kept of all that has been put in the UICC for further process in case of problem.

4.2.14. EAP-SIM and EAP

EAP is a universal mechanism for identification. 238 LTE Standards

The protocol exchanges frames with a specific EAP format. At its origin, EAP has been designed to be carried by PPP (RFC-2284). It has been extended by RFC-3748 to be used on all wired networks. Nevertheless, it is mostly in use on wireless systems.

WPA and WPA2, well-known standards of Wi-Fi authentication have adopted EAP with five identification mechanisms:

EAT-TLS creates a secure tunnel with two certificates (one on the server side and the other on the client side) before authentication; – EAP-TTLS/MSCHAPv2 is an IETF standard (EAP-tunneled transport layer security). It uses X-509 certificates solely on the server side. The certificate on the client side is optional; – TEAPv0/EAP-MS-CHAPv2; – PEAPv1/EAP-GTC, also an IETF standard (protected extensible authentication protocol (PEAP) or protected RAP) is similar to EAP- TTLS, they both use a public key infrastructure (PKI) only on the server side for the creation of a TLS encrypted tunnel that protects identification; – EAP-SIM is an EAP method for subscribers of Wi-Fi and mobile systems like GSM, UMTS and LTE. It is described in RFC-4186. This protocol allows subscribers of mobile networks to access the Wi-Fi access of the high-speed Internet access provided by the same operator. The key length in EAP-SIM is 64 bits.

Another version, called lightweight extensible authentication protocol (LEAP) has been strongly promoted by CISCO. This protocol seems less secure than the others.

Appendix

Sorting of ETSI/3GPP Specifications

X2 Spec no. Title

36.420 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); X2 general aspects and principles

36.421 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); X2 layer 1

36.422 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); X2 signaling transport

36.423 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); X2 Application Protocol (X2AP)

36.424 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); X2 data transport

E-UTRAN Spec no. Title WG

22.897 Study on Resilient E-UTRAN Operation for Public S1 Safety 240 LTE Standards

23.401 General Packet Radio Service (GPRS) enhancements S2 for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access

23.833 Feasibility study of SR-VCC for UTRAN/GERAN to S2 E-UTRAN/HSPA service continuity spec withdrawn

23.860 Enabling coder selection and rate adaptation for S2 UTRAN and E-UTRAN for load adaptive applications; Stage 2

23.885 Feasibility Study of Single Radio Voice Call S2 Continuity (SRVCC) from UTRAN/GERAN to E- UTRAN/HSPA; Stage 2

25.813 Evolved Universal Terrestrial Radio Access (E- R2 UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Radio interface protocol aspects

25.913 Requirements for Evolved UTRA (E-UTRA) and RP Evolved UTRAN (E-UTRAN)

28.657 Telecommunication management; Evolved Universal S5 Terrestrial Radio Access Network (E-UTRAN) Network Resource Model (NRM) Integration Reference Point (IRP); Requirements

28.658 Telecommunication management; Evolved Universal S5 Terrestrial Radio Access Network (E-UTRAN) Network Resource Model (NRM) Integration Reference Point (IRP); Information Service (IS)

28.659 Telecommunication management; Evolved Universal S5 Terrestrial Radio Access Network (E-UTRAN) Network Resource Model (NRM) Integration Reference Point (IRP); Solution Set (SS) definitions Appendix 241

29.276 3GPP Evolved Packet System (EPS); Optimized C4 handover procedures and protocols between E- UTRAN access and cdma2000 HRPD Access; Stage 3

32.425 Telecommunication management; Performance S5 Management (PM); Performance measurements Evolved Universal Terrestrial Radio Access Network (E-UTRAN)

32.450 Telecommunication management; Key Performance S5 Indicators (KPI) for Evolved Universal Terrestrial Radio Access Network (E-UTRAN): Definitions

32.451 Telecommunication management; Key Performance S5 Indicators (KPI) for Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Requirements

32.761 Telecommunication management; Evolved Universal S5 Terrestrial Radio Access Network (E-UTRAN) Network Resource Model (NRM) Integration Reference Point (IRP); Requirements

32.762 Telecommunication management; Evolved Universal S5 Terrestrial Radio Access Network (E-UTRAN) Network Resource Model (NRM) Integration Reference Point (IRP); Information Service (IS)

32.763 Telecommunication management; Evolved Universal S5 Terrestrial Radio Access Network (E-UTRAN) Network Resource Model (NRM) Integration Reference Point (IRP): Common Object Request Broker Architecture (CORBA) Solution Set (SS)

32.765 Telecommunication management; Evolved Universal S5 Terrestrial Radio Access Network (E-UTRAN) Network Resource Model (NRM) Integration Reference Point (IRP); eXtensible Markup Language (XML) definitions 242 LTE Standards

32.766 Telecommunication management; Evolved Universal S5 Terrestrial Radio Access Network (E-UTRAN) Network Resource Model (NRM) Integration Reference Point (IRP); Solution Set (SS) definitions

32.816 Telecommunication management; Study on S5 management of Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and Evolved Packet Core (EPC)

36.111 Location Measurement Unit (LMU) performance R4 specification; Network based positioning systems in Evolved Universal Terrestrial Radio Access Network (E-UTRAN)

36.112 Location Measurement Unit (LMU) conformance R4 specification; Network based positioning systems in Evolved Universal Terrestrial Radio Access Network (E-UTRAN)

36.300 Evolved Universal Terrestrial Radio Access (E- R2 UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description; Stage 2

36.305 Evolved Universal Terrestrial Radio Access Network R2 (E-UTRAN); Stage 2 functional specification of User Equipment (UE) positioning in E-UTRAN

36.401 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); Architecture description

36.410 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); S1 general aspects and principles

36.411 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); S1 layer 1

36.412 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); S1 signaling transport Appendix 243

36.413 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); S1 Application Protocol (S1AP)

36.414 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); S1 data transport

36.420 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); X2 general aspects and principles

36.421 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); X2 layer 1

36.422 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); X2 signaling transport

36.423 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); X2 Application Protocol (X2AP)

36.424 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); X2 data transport

36.440 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); General aspects and principles for interfaces supporting Multimedia Broadcast Multicast Service (MBMS) within E-UTRAN

36.441 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); Layer 1 for interfaces supporting Multimedia Broadcast Multicast Service (MBMS) within E-UTRAN

36.442 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); Signaling Transport for interfaces supporting Multimedia Broadcast Multicast Service (MBMS) within E-UTRAN

36.443 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); M2 Application Protocol (M2AP) 244 LTE Standards

36.444 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); M3 Application Protocol (M3AP)

36.445 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); M1 data transport

36.446 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); M1 User Plane protocol spec withdrawn

36.456 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); SLm interface general aspects and principles

36.457 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); SLm interface layer 1

36.458 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); SLm interface signaling transport

36.459 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); SLm interface Application Protocol (SLmAP)

36.842 Study on Small Cell enhancements for E-UTRA and R2 E-UTRAN; Higher layer aspects

36.848 Study on smart congestion mitigation in E-UTRAN R2

36.872 Small cell enhancements for E-UTRA and E-UTRAN – R1 Physical layer aspects

36.887 Study on Energy Saving Enhancement for E-UTRAN R3

36.902 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); Self-configuring and self-optimizing network (SON) use cases and solutions

36.903 Evolved Universal Terrestrial Radio Access (E- R5 UTRA) and Evolved Universal Terrestrial Radio Appendix 245

Access Network (E-UTRAN); Derivation of test tolerances for Radio Resource Management (RRM) conformance tests

36.927 Evolved Universal Terrestrial Radio Access (E- R3 UTRA); Potential solutions for energy saving for E-UTRAN

36.932 Scenarios and requirements for small cell RP enhancements for E-UTRA and E-UTRAN

36.938 Evolved Universal Terrestrial Radio Access Network R2 (E-UTRAN); Improved network controlled mobility between E-UTRAN and 3GPP2/mobile WiMAX radio technologies

37.813 Evolved Universal Terrestrial Radio Access Network R3 (E-UTRAN); Study on LTE – High Rate Packet Data in 3GPP2 (HRPD) Inter-Radio-Access- Technology (RAT) self-configuring and self- optimizing network (SON) use cases and solutions

S1 Spec no. Title

36.410 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 general aspects and principles

36.411 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 layer 1

36.412 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 signaling transport

36.413 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 Application Protocol (S1AP)

36.414 Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 data transport 246 LTE Standards

SAE Spec no. Title WG

23.882 3GPP system architecture evolution (SAE): Report on S2 technical options and conclusions

24.801 3GPP System Architecture Evolution (SAE); CT WG1 C1 aspects

29.803 3GPP System Architecture Evolution (SAE): CT WG4 C4 aspects spec withdrawn

29.804 3GPP System Architecture Evolution (SAE): CT WG3 C3 aspects

33.401 3GPP System Architecture Evolution (SAE); Security S3 architecture

33.402 3GPP System Architecture Evolution (SAE); Security S3 aspects of non-3GPP accesses

33.821 Rationale and track of security decisions in Long Term S3 Evolution (LTE) RAN/3GPP System Architecture Evolution (SAE)

EPS Spec no. Title WG

21.201 Technical Specifications and Technical Reports for an SP Evolved Packet System (EPS) based 3GPP system

22.278 Service requirements for the Evolved Packet System S1 (EPS)

22.813 Study of use cases and requirements for enhanced S1 voice codecs for the Evolved Packet System (EPS) Appendix 247

23.272 Circuit Switched (CS) fallback in Evolved Packet S2 System (EPS); Stage 2

23.869 Support for Internet Protocol (IP) based IP Multimedia S2 Subsystem (IMS) Emergency calls over General Packet Radio Service (GPRS) and Evolved Packet Service (EPS)

23.891 Evaluation of LCS Control Plane Solutions for EPS S2

24.171 Control Plane Location Services (LCS) procedures in C4 the Evolved Packet System (EPS)

24.301 Non-Access-Stratum (NAS) protocol for Evolved C1 Packet System (EPS); Stage 3

29.216 3GPP EPS Sv interface (MME to MSC) for SRVCC S4 spec withdrawn

29.272 Evolved Packet System (EPS); Mobility Management C4 Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol

29.273 Evolved Packet System (EPS); 3GPP EPS AAA C4 interfaces

29.274 3GPP Evolved Packet System (EPS); Evolved General C4 Packet Radio Service (GPRS) Tunnelling Protocol for Control plane (GTPv2-C); Stage 3

29.276 3GPP Evolved Packet System (EPS); Optimized C4 handover procedures and protocols between E- UTRAN access and cdma2000 HRPD Access; Stage 3

29.280 Evolved Packet System (EPS); 3GPP Sv interface C4 (MME to MSC, and SGSN to MSC) for SRVCC

248 LTE Standards

EPC Spec no. Title WG

22.814 Location Services (LCS) support in Evolved Packet S1 Core (EPC) for non-3GPP accesses

22.913 Location Services (LCS) support in Evolved Packet S1 Core (EPC) for non-3GPP accesses spec withdrawn

23.852 Study on S2a Mobility based on GPRS Tunnelling S2 Protocol (GTP) and Wireless Local Area Network (WLAN) access to the Enhanced Packet Core (EPC) network (SaMOG); Stage 2

23.857 Study of Evolved Packet Core (EPC) nodes restoration C4

23.862 Evolved Packet Core (EPC) enhancements to support S2 interworking with data application providers; Stage 2

24.244 Wireless LAN control plane protocol for trusted C1 WLAN access to EPC

24.302 Access to the 3GPP Evolved Packet Core (EPC) via C1 non-3GPP access networks; Stage 3

28.402 Telecommunication management; Performance S5 Management (PM); Performance measurements for Evolved Packet Core (EPC) and non-3GPP access Interworking System

28.611 Telecommunication management; Evolved Packet Core S5 (EPC) and non-3GPP access interworking system Network Resource Model (NRM) Integration Reference Point (IRP); Requirements

28.612 Telecommunication management; Evolved Packet Core S5 (EPC) and non-3GPP access interworking system Network Resource Model (NRM) Integration Reference Point (IRP); Information Service (IS) Appendix 249

28.616 Telecommunication management; Evolved Packet Core S5 (EPC) and non-3GPP access interworking system Network Resource Model (NRM) Integration Reference Point (IRP); Solution Set (SS) definitions

28.707 Telecommunication management; Evolved Packet Core S5 (EPC) Network Resource Model (NRM) Integration Reference Point (IRP); Requirements

28.708 Telecommunication management; Evolved Packet Core S5 (EPC) Network Resource Model (NRM) Integration Reference Point (IRP); Information Service (IS)

28.709 Telecommunication management; Evolved Packet Core S5 (EPC) Network Resource Model (NRM) Integration Reference Point (IRP); Solution Set (SS) definitions

29.172 Location Services (LCS); Evolved Packet Core (EPC) C4 LCS Protocol (ELP) between the Gateway Mobile Location Centre (GMLC) and the Mobile Management Entity (MME); SLg interface

32.426 Telecommunication management; Performance S5 Management (PM); Performance measurements Evolved Packet Core (EPC) network

32.455 Telecommunication management; Key Performance S5 Indicators (KPI) for the Evolved Packet Core (EPC); Definitions

32.751 Telecommunication management; Evolved Packet Core S5 (EPC) Network Resource Model (NRM) Integration Reference Point (IRP); Requirements

32.752 Telecommunication management; Evolved Packet Core S5 (EPC) Network Resource Model (NRM) Integration Reference Point (IRP); Information Service (IS) 250 LTE Standards

32.753 Telecommunication management; Evolved Packet Core S5 (EPC) Network Resource Model (NRM) Integration Reference Point (IRP); Common Object Request Broker Architecture (CORBA) Solution Set (SS)

32.755 Telecommunication management; Evolved Packet Core S5 (EPC) Network Resource Model (NRM) Integration Reference Point (IRP); eXtensible Markup Language (XML) definitions

32.756 Telecommunication management; Evolved Packet Core S5 (EPC) Network Resource Model (NRM) Integration Reference Point (IRP); Solution Set (SS) Definitions

32.816 Telecommunication management; Study on S5 management of Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and Evolved Packet Core (EPC)

32.820 Telecommunication management; Study on charging S5 management; 3GPP Evolved Packet Core (EPC): Charging aspects

36.508 Evolved Universal Terrestrial Radio Access (E-UTRA) R5 and Evolved Packet Core (EPC); Common test environments for User Equipment (UE) conformance testing

36.509 Evolved Universal Terrestrial Radio Access (E-UTRA) R5 and Evolved Packet Core (EPC); Special conformance testing functions for User Equipment (UE)

36.523-1 Evolved Universal Terrestrial Radio Access (E-UTRA) R5 and Evolved Packet Core (EPC); User Equipment (UE) conformance specification; Part 1: Protocol conformance specification Appendix 251

36.523-2 Evolved Universal Terrestrial Radio Access (E-UTRA) R5 and Evolved Packet Core (EPC); User Equipment (UE) conformance specification; Part 2: Implementation Conformance Statement (ICS) proforma specification

36.523-3 Evolved Universal Terrestrial Radio Access (E-UTRA) R5 and Evolved Packet Core (EPC); User Equipment (UE) conformance specification; Part 3: Test suites

37.571-1 Universal Terrestrial Radio Access (UTRA) and R5 Evolved UTRA (E-UTRA) and Evolved Packet Core (EPC); User Equipment (UE) conformance specification for UE positioning; Part 1: Conformance test specification

37.571-2 Universal Terrestrial Radio Access (UTRA) and R5 Evolved UTRA (E-UTRA) and Evolved Packet Core (EPC); User Equipment (UE) conformance specification for UE positioning; Part 2: Protocol conformance

37.571-3 Universal Terrestrial Radio Access (UTRA) and R5 Evolved UTRA (E-UTRA) and Evolved Packet Core (EPC); User Equipment (UE) conformance specification for UE positioning; Part 3: Implementation Conformance Statement (ICS)

37.571-4 Universal Terrestrial Radio Access (UTRA) and R5 Evolved UTRA (E-UTRA) and Evolved Packet Core (EPC); User Equipment (UE) conformance specification for UE positioning; Part 4: Test suites

37.571-5 Universal Terrestrial Radio Access (UTRA) and R5 Evolved UTRA (E-UTRA) and Evolved Packet Core (EPC); User Equipment (UE) conformance specification for UE positioning; Part 5: Test scenarios and assistance data

252 LTE Standards

MME

29.272 Evolved Packet System (EPS); Mobility Management C4 Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol

29.280 Evolved Packet System (EPS); 3GPP Sv interface C4 (MME to MSC, and SGSN to MSC) for SRVCC

29.338 Diameter based protocols to support Short Message C4 Service (SMS) capable Mobile Management Entities (MMEs)

HSS Spec no. Title WG

29.336 Home Subscriber Server (HSS) diameter interfaces for C4 interworking with packet data networks and applications

PCRF Spec no. Title WG

29.816 Study on PCRF failure and restoration C3

29.817 Study on XML based access of AF to the PCRF C3

Bibliography

[3GP 14a] 3GPP TS 36.300, “E-UTRA and E-UTRAN Overall Description”, Stage 2, www.3gpp.org/DynaReport/36300.html, 2014.

[3GP 14b] 3GPP TR 25.913, “Requirements for Evolved UTRA (E-UTRA) and Evolved UTRAN (E-UTRAN)”, www.3gpp.org/DynaReport/ 25913.html, 2014.

[3GP 14c] 3GPP TS 36.201, “Evolved Universal Terrestrial Radio Access (E-UTRA); physical layer; general description”, www.3gpp.org/Dyna Report/36201.html, 2014.

[3GP 14d] 3GPP TS 36.211, “Evolved Universal Terrestrial Radio Access (E-UTRA); physical channels and modulation”, www.3gpp.org/Dyna Report/36211.html, 2014.

[3GP 14e] 3GPP TS 36.212 “Evolved Universal Terrestrial Radio Access (E-UTRA); multiplexing and channel coding”, www.3gpp.org/Dyna Report/36212.html, 2014.

[3GP 14f] 3GPP TS 36.213, “Evolved Universal Terrestrial Radio Access (E-UTRA); physical layer procedures”, www.3gpp.org/DynaReport/ 36213.html, 2014.

[3GP 14g] 3GPP TS 36.214, “Evolved Universal Terrestrial Radio Access (E-UTRA); physical layer; measurements”, www.3gpp.org/DynaReport/ 36214.html, 2014.

[AGI 09] AGILENT TECHNOLOGIES, LTE and the Evolution to 4G Wireless: Design and Measurement Challenges, John Wiley & Sons, 2009. 254 LTE Standards

[AN 10] “An introduction to LTE”, 3GPP LTE Encyclopedia, 3 December 2010. [AT 11] “AT&T commits to LTE-Advanced deployment in 2013, Hesse and Mead unfazed”, Engadget, 8 November 2011.

[BAR 06] BARTH U., “3GPP Long-Term Evolution/System Architecture Evolution: overview”, Alcatel, 2006.

[BEA 11] BEAVER, PAUL, “What is TD-LTE?”, RF&Microwave Designline, September 2011.

[COR 97] CORREIA L.M., PRASAD R., “An overview of wireless broadband communications”, Communications Magazine, IEEE, vol. 35, no. 1, pp. 28–33, January 1997.

[DAH 05] DAHLMAN E., “3G Long-Term Evolution”, Ericsson Research, 2005.

[DAH 06] DAHLMAN E., EKSTRÖM H., FURUSKÄR A., et al., “The 3G Long- Term Evolution – radio interface concepts and performance evaluation”, IEEE Vehicular Technology Conference (VTC) 2006 Spring, Melbourne, Australia, May 2006.

[DAH 11] DAHLMAN E., PARKVALL S., SKÖLD J., 4G – LTE/LTE-Advanced for Mobile Broadband, Academic Press, 2011. [DIF XX] “Difference between FDD-LTE and TDD-LTE”.

[EKS 06] EKSTRÖM H., FURUSKAR A., KARLSSON J., et al., “Technical solutions for the 3G Long-Term Evolution”, Communications Magazine, IEEE, vol. 44, no. 3, pp. 38–45, March 2006.

[ERG 09] ERGEN M., Mobile Broadband – Including WiMAX and LTE, Springer, NY, 2009. [EVO 11] “Evolution of LTE”, LTE World, 24 October 2011.

[FAZ 08] FAZEL K., KAISER S., Multi-Carrier and Spread Spectrum Systems: from OFDM and MC-CDMA to LTE and WiMAX, 2nd ed., John Wiley & Sons, 2008.

[FOR 13] FORSBERG D., HORN G., MOELLER W.-D., et al., LTE Security, 2nd ed., John Wiley & Sons Ltd, Chichester 2013.

[FUR 09] FURHT B., AHSON S.A., Long Term Evolution: 3GPP LTE Radio and Cellular Technology, CRC Press, 2009. [HUA 11] Huawei Communicate Magazine, no. 61, September 2011. Bibliography 255

[INN 08] INNOVATIVE INTEARATION, IP of DM-LTE-RX (IP Cores), www.innovative-dsp.com, 2008. [ITU 10] “ITU-R confers IMT-Advanced (4G) status to 3GPP LTE”, [Press release], 3GPP, 20 October 2010.

[JON 13] JONES D., AT&T has LTE small cells ‘in the lab’, www. lightreading.com/atandt-has-ite-small-cells-in-the-lab/d/d-d/702076, 2013.

[KHA 09] KHAN F., LTE for 4G Mobile Broadband – Air Interface Technologies and Performance, Cambridge University Press, 2009.

[KUM 98] KUMAR D.N., LAHA S., NANDA S., et al., “Evolution of wireless data services: IS-95 to cdma2000”, Communications Magazine, IEEE, vol. 36, no. 10, pp. 140–149, October 1998. [LON 10] “Long Term Evolution (LTE): a technical overview”, Motorola, 3 July 2010. [LON 11] “Long Term Evolution (LTE)”, Motorola, 11 April 2011. [LTE a] LTE homepage from the 3GPP website. www.3gpp.org. [LTE b] “LTE A-Z description 3GPP LTE encyclopedia”, https.//sites.google.com/site/lteencyclopedia/home.

[LTE c] LTE ARCHITECTURE, available at http://www.queryhome.com/ 27165/high-level-architecture-of-lte. [LTE 09a] “LTE – an end-to-and description of network architecture and elements”, 3GPP LTE Encyclopedia, 2009. [LTE 09b] “LTE – an introduction”, Ericsson, 2009.

[MAI 13] MAITLAND D., “How well does Vol P work over, SIP centric, www.sipcentric.com, 2013.

[PAL XX] PALAT S., GODIN P., “The LTE network architecture: a comprehensive tutorial”, Alcatel Lucent’s strategic white paper.

[PAR 05] PARKVALL S., “Long-Term 3G Evolution – radio access” Ericsson Research, 2005.

[REM 92] REMY J.G., CUEUGNIET J., Siben C., Systémes de radio communications avec les mobiles, Eyrolles, 1992

[SAJ 10] DAS S.K., Mobile Handset Design, John Wiley & Sons, April 2010.

[SES 09] SESIA, TOUFIK, BAKER, LTE – The UMTS Long Term Evolution; from Theory to Practice, p. 11, Wiley, 2009. 256 LTE Standards

[SES 11] SESIA S., TOUFIK I., BAKER M., LTE – The UMTS Long Term Evolution – from Theory to Practice, 2nd ed., including Release 10 for LTE-Advanced, John Wiley & Sons, 2011. [TEC] “Technical Q&A portal for information sharing, collaboration, and networking”, LTE Q&A – LTE questions. [THE 05] “The Long Term Evolution of 3G”, Ericsson Review, no. 2, 2005. [VOI 11] “Voice and SMS in LTE technology”, white paper, Rohde & Schwarz, 2011.

[WIK 14a] WIKIPEDIA, Mobility Management, http://en.wikipedia.org/wiki/ Mobility-management, 2014.

[WIK 14b] WIKIPEDIA, System architecture Evaluation, http:// en.wikipedia.org/Wikipedia.org/wiki/system_Architecture_Evolution, 2014.

[WIK 14c] WIKIPEDIA, Non-access stratum, http//en.wikipedia.org/Non- access_stratrum, 2014.

[WIK 14d] WIKIPEDIA, Hybrid Automatic Repeat Request, http.// en.wikipedia.org/wiki/Hybrid_automatic_repeat_request, 2014.

[WOY 14] WOYKE E., SIWACH G., ESMAILPOUR A., “LTE security potential vulnerability and algorithm enhancements”, IEEE Canadian Conference on Electrical and Computer Engineering (IEEE CCECE), Toronto, Canada, May 2014. [WOR 12] “Work plan 3GPP (Release 8)”, 16 January 2012.

Index

E MME, 10–12, 16, 18, 30, 31, 33– 35, 38, 40, 51, 56, 57, 60–66, eNodeB, 20, 22, 23, 26–28, 30, 71–84, 88, 89, 97, 107, 108, 33, 36, 51, 56, 60–62, 66, 67, 186–188, 201, 210, 211–214, 70, 71–83, 102, 105, 108, 188, 236 189, 191, 208, 209, 211–213, 215, 236 P, R, S EPC, 14–18, 27, 28, 30, 33, 36, 54, 56, 58, 69–71, 182–186, PCRF, 16, 59–61, 97, 107, 177, 188, 190, 191, 210, 211, 215, 180, 182–184, 190 236 Rx, 61, 180, 196 EPS, 14, 16, 17, 23, 71, 72, 75– S1 interface, 18, 30, 33, 36, 51, 79, 81–83, 108, 182–185, 188– 56, 70, 72 190, 213 S11, 60, 64, 105 eUTRAN, 18, 20, 26, 28, 29, 30, S1-based handover, 70, 71, 73, 31, 41, 184, 201, 211 74, 82, 83 S5, 15, 36, 60, 63, 75, 76, 80, 84, H, M 105, 189, 190, 191 S6a, 60, 64, 65, 187, 188 HenodeB, 31 S8, 15, 36, 60, 63, 75, 76, 80, 84, HSS, 16, 57, 58, 60, 64, 65, 97, 105, 189, 190, 191 107, 165, 166, 168–171, 175, SAE, 14, 15, 17, 84, 98, 184, 185 176, 180, 182, 187, 188, 201, SGi, 56, 61, 190 210, 214, 224, 236 Serving Gateway (SGW), 62, 107 SS7, 5, 172

258 LTE Standards

U, X USIM, 12, 14, 16, 22, 56, 95, 96, 181, 207–210, 214, 216–218, UE, 14, 15, 17, 20, 22, 23, 26–28, 220, 224–226, 228, 232, 236, 30, 34–40, 55–61, 63, 65–71, 237 73–83, 88, 89, 105, 108, 136, X2-based handover, 71, 74 141, 142, 165–170, 177, 180, X2 interface, 27, 30–33, 56, 209 186–191, 208, 210, 212, 216, 218–221, 236 Other titles from

in Networks and Telecommunications

2014 BITAM Salim, MELLOUK Abdelhamid Bio-inspired Routing Protocols for Vehicular Ad-Hoc Networks

CAMPISTA Miguel Elias Mitre, RUBINSTEIN Marcelo Gonçalves Advanced Routing Protocols for Wireless Networks

CHETTO Maryline Real-time Systems Scheduling 1: Fundamentals Real-time Systems Scheduling 2: Focuses

EXPOSITO Ernesto, DIOP Codé Smart SOA Platforms in Cloud Computing Architectures

MELLOUK Abdelhamid, CUADRA-SANCHEZ Antonio Quality of Experience Engineering for Customer Added Value Services

OTEAFY Sharief M.A., HASSANEIN Hossam S. Dynamic Wireless Sensor Networks

REMY Jean-Gabriel, LETAMENDIA Charlotte LTE Services TANWIR Savera, PERROS Harry VBR Video Traffic Models

VAN METER Rodney Quantum Networking

XIONG Kaiqi Resource Optimization and Security for Cloud Services

2013 ASSING Dominique, CALÉ Stéphane Mobile Access Safety: Beyond BYOD

BEN MAHMOUD Mohamed Slim, LARRIEU Nicolas, PIROVANO Alain Risk Propagation Assessment for Network Security: Application to Airport Communication Network Design

BEYLOT André-Luc, LABIOD Houda Vehicular Networks: Models and Algorithms

BRITO Gabriel M., VELLOSO Pedro Braconnot, MORAES Igor M. Information-Centric Networks: A New Paradigm for the Internet

BERTIN Emmanuel, CRESPI Noël Architecture and Governance for Communication Services

DEUFF Dominique, COSQUER Mathilde User-Centered Agile Method

DUARTE Otto Carlos, PUJOLLE Guy Virtual Networks: Pluralistic Approach for the Next Generation of Internet

FOWLER Scott A., MELLOUK Abdelhamid, YAMADA Naomi LTE-Advanced DRX Mechanism for Power Saving

JOBERT Sébastien et al. Synchronous Ethernet and IEEE 1588 in Telecoms: Next Generation Synchronization Networks

MELLOUK Abdelhamid, HOCEINI Said, TRAN Hai Anh Quality-of-Experience for Multimedia: Application to Content Delivery Network Architecture NAIT-SIDI-MOH Ahmed, BAKHOUYA Mohamed, GABER Jaafar, WACK Maxime Geopositioning and Mobility

PEREZ André Voice over LTE: EPS and IMS Networks

2012 AL AGHA Khaldoun Network Coding

BOUCHET Olivier Wireless Optical Communications

DECREUSEFOND Laurent, MOYAL Pascal Stochastic Modeling and Analysis of Telecoms Networks

DUFOUR Jean-Yves Intelligent Video Surveillance Systems

EXPOSITO Ernesto Advanced Transport Protocols: Designing the Next Generation

JUMIRA Oswald, ZEADALLY Sherali Energy Efficiency in Wireless Networks

KRIEF Francine Green Networking PEREZ André Mobile Networks Architecture 2011 BONALD Thomas, FEUILLET Mathieu Network Performance Analysis CARBOU Romain, DIAZ Michel, EXPOSITO Ernesto, ROMAN Rodrigo Digital Home Networking CHABANNE Hervé, URIEN Pascal, SUSINI Jean-Ferdinand RFID and the Internet of Things GARDUNO David, DIAZ Michel Communicating Systems with UML 2: Modeling and Analysis of Network Protocols LAHEURTE Jean-Marc Compact Antennas for Wireless Communications and Terminals: Theory and Design RÉMY Jean-Gabriel, LETAMENDIA Charlotte Home Area Networks and IPTV PALICOT Jacques Radio Engineering: From Software Radio to Cognitive Radio PEREZ André IP, Ethernet and MPLS Networks: Resource and Fault Management TOUTAIN Laurent, MINABURO Ana Local Networks and the Internet: From Protocols to Interconnection 2010 CHAOUCHI Hakima The Internet of Things FRIKHA Mounir Ad Hoc Networks: Routing, QoS and Optimization KRIEF Francine Communicating Embedded Systems / Network Applications 2009 CHAOUCHI Hakima, MAKNAVICIUS Maryline Wireless and Mobile Network Security VIVIER Emmanuelle Radio Resources Management in WiMAX 2008 CHADUC Jean-Marc, POGOREL Gérard The Radio Spectrum GAÏTI Dominique Autonomic Networks LABIOD Houda Wireless Ad Hoc and Sensor Networks LECOY Pierre Fiber-optic Communications MELLOUK Abdelhamid End-to-End Quality of Service Engineering in Next Generation Heterogeneous Networks PAGANI Pascal et al. Ultra-wideband Radio Propagation Channel

2007

BENSLIMANE Abderrahim Multimedia Multicast on the Internet PUJOLLE Guy Management, Control and Evolution of IP Networks SANCHEZ Javier, THIOUNE Mamadou UMTS VIVIER Guillaume Reconfigurable Mobile Radio Systems