Professional Documents
Culture Documents
UMTS INTRODUCTION
1-1 1-3 1-8 1-9 1-10 1-12 1-13 1-14 1-14 1-15 1-16 1-17 1-18 1-19 1-20 1-21 1-22 1-23 1-24 1-25 1-26 1-27 1-28 1-29 1-30 1-31 1-32 1-33 1-34 1-35 1-36 1-37 1-38 1-39 1-40 1-41 1-43 1-44 1-45 1-46 1-47 1-48 1-49 1-50
1.1 IMT-2000 1.2 2G MOBILE NETWORK ARCHITECTURE, GSM AND GPRS 1.3 UMTS NETWORK ARCHITECTURE AND INTERFACES 1.3.1 RELEASE 4 & 5 1.4 UMTS DOMAINS 1.5 UTRAN COMPONENTS 1.6 FUNCTION OF NEW NETWORK ELEMENTS: 1.6.1 RADIO NETWORK CONTROLLER 1.6.2 NODE B 1.6.3 MEDIA GATEWAY 1.6.4 CHARGING GATEWAY 1.6.5 GATEWAY LOCATION REGISTER 1.7 AREA CONCEPT 1.7.1 CELL CONCEPT 1.8 UMTS USER EQUIPMENT FEATURES AND USIM PARAMETER 1.8.1 UE REFERENCE ARCHITECTURE 1.8.2 USIM 1.8.3 TYPES OF MOBILE TERMINATIONS 1.8.4 MOBILE CAPABILITIES 1.9 UMTS BEARER AND QOS ARCHITECTURE 1.9.1 QOS PRINCIPLES 1.9.2 QOS CLASSES 1.9.3 QOS ATTRIBUTES 1.10 UMTS SERVICES 1.10.1 MOBILE EXECUTION ENVIRONMENT (MEXE) 1.10.2 USIM APPLICATION TOOLKIT (USAT) 1.10.3 VIRTUAL HOME ENVIRONMENT (VHE) 1.10.3.1 Personal Service Environment 1.10.3.2 Open System Architecture 1.10.4 LOCATION SERVICES (LCS) 1.10.4.1 Positioning methods 1.10.4.2 LCS Accuracy 1.10.4.3 LCS Architecture in UMTS 1.11 UMTS SECURITY 1.11.1 MUTUAL AUTHENTICATION 1.11.2 CIPHERING 1.11.3 INTEGRITY PROTECTION 1.12 ABSTRACT DESCRIPTION OF PROCEDURES 1.12.1 MICRO DIVERSITY MULTIPATH 1.12.2 MICRO DIVERSITY SOFTER HANDOVER 1.12.3 MACRO DIVERSITY SOFT HANDOVER 1.12.4 UMTS NETWORK TRANSACTIONS 1.12.5 GENERAL NETWORK POSITIONING
Chapter 1
UMTS Introduction
Figure 1-1
UMTS Introduction
This chapter will give a general introduction to UMTS, the network architecture and its network components. Special features of UMTS like new functions of the mobile equipment as well as security functions will be described.
Tektronix
1-1
Chapter contents
IMT2000 Network Architecture UMTS Equipment Bearer and QoS Architecture UMTS Services UMTS Security UMTS Specials
Figure 1-2
Chapter contents
1-2
Tektronix
1.1
IMT-2000
IMT2000
International Mobile Telecommunication at 2000 MHz
Order Result
IMT2000 Standards
Figure 1-3
IMT-2000
China Wireless Telecommunication Standard group Association of Radio Industries and Businesses, Japan Standards Committee T1 Telecommunications, USA Telecommunications Technology Association, Korea Telecommunication Technology Committee, Japan European Telecommunications Standards Institute
On behalf of ITU several international organisations were requested to give their ideas of a third generation mobile network. ITU decided which standards would be used as for International Mobile Telecommunication at 2000 MHz. Mainly different technologies were combined in IMT-2000 standards.
Tektronix
1-3
General
Simplification of Network Architecture Standardization of a worldwide System Increase of potential Market for Vendors
User
Figure 1-4
The main advantage of IMT-2000 is that it specifies international standards and also the interworking with existing PLMN standards, e.g. GSM. This gives specific advantages for different groups of interest. In general the quality of transmission will be improved. Especially the data transfer will increase. Values like 144 kbit/s or 384 kbit/s will be available in short time whereas the value of 2Mbit/s will only be available in certain small areas or will stay a theoretically value for a long time. New service will help UMTS to become successful. Because of the international standard vendor and operators can increase their market size. The improvement for the user will be the worldwide access with its mobile and also the look and feel of services will be the same wherever he or she may be.
1-4
Tektronix
IMT2000 Goals
Data rates from 144 kBit/s up to 2 MBit/s Symmetric and asymmetric services Circuit Switched (CS) and Packet Switched (PS) transmission High Quality of Speech High Spectrum Efficiency Seamless transition from 2G-Systems Global Access in all IMT2000 Networks Service independent of used network (Virtual Home Environment) Standardisation of a worldwide System
Figure 1-5
IMT-2000 Goals
To reach these goals in a minimum of time existing PLMN will be used as core networks (CN). For circuit switched transmission GSM can be used and GPRS is used as packet switched core network. The challenge will be the implementation of different air interface standards into a mobile station.
Tektronix
1-5
IMT2000 Family
The IMT2000 family has several members All of them belongs to 3G mobile systems
WCDMA
UTRAFDD cdma2000
TDCDMA UMTS
UTRATDD TD-SCDMA
TDMA
UWC136 GSM EDGE
FDTDMA
DECT+
Figure 1-6
IMT-2000 Family
Four groups of technologies represent the members of the IMT-2000 family. WCDMA TD-CDMA TDMA FD-TDMA Wideband Code Division Multiple Access Time Division, Code Division Multiple Access Time Division Multiple Access Frequency Division, Time Division Multiple Access
For UMTS the systems UMTS Terrestrial Radio Access-Frequency Division Duplex (UTRA-FDD) andTime Division Duplex (TDD) will be used. UTRA-FDD will have priority because it offers symmetric and asymmetric services and it offers greater coverage with less effort. UTRA-TDD will be realised later for asymmetric internet services. Cdma2000 will be implemented in USA and probably in parts of Asia. TD-SCDMA, Time Division Synchronised Code Division Multiple Access, will be used in China. UWC-136, Universal Wireless Communication, a development of IS-136 will be used in USA and represents an enhanced mobile network for packet transmission. The parallel development of ETSI is EDGE (Enhanced Data Rates for GSM Evolution). For very small cells an evolved DECT technology called DECT+ is also a member of IMT-2000.
1-6
Tektronix
Migration from 2G to 3G
2G
TDMA GSM PDC Cdma2000 1X
2.5G
GPRS
3G
EDGE UMTS (WCDMA) Cdma2000 3X
cdmaOne
Figure 1-7
Migration 2G 3G
PDC
Tektronix
1-7
1.2
NSS
A
MSC VLR STP
E
GMSC
PSTN ISDN
D,C
HLR AuC
SMSC
Gs Gb
SGSN SLR
Gr Gn
Gc Gi
GGSN
IP
GPRS PLMN
Figure 1-8
The second generation of PLMN is represented by a GSM network consisting of Network Switching Subsystem (NSS) and a Base Station System (BSS). The first evolution step (2.5G) is a GPRS PLMN connected to a GSM PLMN for packet oriented transmission. Main instance in the NSS is the Mobile Switching Center (MSC) which contains the Visitor Location Register (VLR). The MSC represents the edge towards the BSS and on the other side as Gateway MSC (GMSC) the connection point to all external networks, like the Public Switched Telephone Network or ISDN. GSM is a circuit switched network which means that there are two different types of physical links to transport control information (signalling) and traffic data (circuit). The signalling links are connected to Signalling Transfer Points (STP) for centralised routing whereas circuits are connected to special switching equipment. HLR Home Location Register SGSN Service GPRS Support Node AuC Authentication Center SLR SGSN Location Register SCP Service Control Center GGSN Gateway GPRS Support Node CSE CAMEL Service Entity SMSC Short Message Service Center Main entity in BSS is the Base Station Controller (BSC) which is together with the Packet Control Unit (PCU) also the interface towards the GPRS PLMN. Several Base Stations (BTS) can be connected to the BSC.
1-8
Tektronix
1.3
E
GMSC
PSTN ISDN
D,C
HLR AuC
SMSC
Iu-CS
Iub
NodeB RNC
Iu-PS
Gs Gb
SGSN SLR
Gr Gn
Gc Gi
GGSN
Iur
NodeB RNC
IP
UTRAN
Figure 1-9
To implement UMTS means to set up an UMTS Terrestrial Radio Access Network (UTRAN) which is connected to a circuit switched core network (GSM) i.e. UMSC/VLR, and to a packet switched core network (GPRS) i.e. SGSN/SLR. The interfaces are named Iu whereas IuCS goes to the UMSC and IuPS goes to the SGSN. The corresponding edge within UTRAN is the Radio Network Controller (RNC). Other than in the BSS the RNCs are connected with each other via the Iur interface. The base stations in UMTS are called NodeB, which is its working name and has no other meaning. The interface between NodeB and RNC is the Iub interface.
Tektronix
1-9
1.3.1
Release 4 & 5
Nc Nb
PSTN ISDN
Iu-CS
SCP CAP
HSS
VAS
IMS Iu-PS
NodeB RNC SGSN NodeB RNC GGSN
IP
UTRAN
Figure 1-10
The development steps after 3GPP Rel99 are somewhat unclear in the level of details, but some major trends are visible. The main trend is separation of control and services of CS connections and at the same time the conversation of the network to be completely IP based. In CS CN the user data flow will go through Media Gateways (MGW), which are elements maintaining the connection and performing switching functions when required. The process is controlled by a separate e element evolved from MSC/VLR called MSC Server. One MSC Server can handle numerous MGWs. To increment control capacities new MSC Server will be add. To increase the switching capacity one has to add MGWs. The databases known from GSM/GPRS will be centralised in a Home Subscriber Server (HSS). Together with Value Added Services and CAMEL it represents the Home Environment (HE). The communication with the HE could be performed by CAMEL completely. When the network has remarkably changed towards IP the relationship between circuit and packet switched traffic will change. The majority of traffic will be packet oriented because some traditionally circuit switched services, speech, will become packet switched (VoIP). To offer uniform methods of IP application transport Rel.4 will contain an IP Multimedia Subsystem (IMS). The CS MGWs will be connected to the IMS for transmission of VoIP calls. The BSS area will change in a form that the air interface will have to be changed. Like in the core network more packet oriented data needs to be transmitted via the old GSM air interface. The new BSS is by than called GSM/EDGE Radio Access Network (GERAN).
1-10
Tektronix
CN PS Domain
IMS
NodeB RNC
IP
IP/ATM
NodeB RNC
UTRAN
PSTN ISDN
Figure 1-11
In 3GPP Rel.5 the evolution continues and all traffic coming from UTRAN is supposed to be IP based. By changing GERAN the BSC will be able to generate IP based application packets. That is why the circuit switched core network will not be part of UMTS Rel 5 anymore. All interfaces will be IP over ATM based.
Tektronix
1-11
1.4
UMTS Domains
Iu
Yu
USIM Domain
ME Domain
UE Domain
Infrastructure Domain
Figure 1-12
UMTS tried from its beginning to be very modular in its structure. This is the base of becoming an international standard even though certain modules will be national specific. The two important big modules are the Access Stratum, Mobile and UTRAN, and the Non-Access Stratum, containing serving core network, Access Stratum and USIM.
1-12
Tektronix
1.5
UTRAN Components
UTRAN
UTRAN RNS
NodeB NodeB
Iub RNC
Iu-CS
CN CS Domain
Uu
NodeB
Iur Iub
NodeB
RNC
NodeB
CN PS Domain
Iu-PS
RNS
Figure 1-13
UTRAN
UTRAN tasks: Admission Control: admit or deny new users, new radio access bearers or new radio links. The admission control should try to avoid overload situations and base its decisions on interference and resource measurements. The admission control is employed at for example initial UE access, RAB assignment/reconfiguration and at handover. Functionality is located in RNC. Congestion Control: to monitor, detect and handle situations when the system is reaching a near overload or an overload situation with the already connected users. System Information Broadcasting: provides the UE with the Access Stratum and Non Access Stratum information which are needed by the UE for its operation within the network. Ciphering: function is located between UE and RNC. Handover: manages the mobility of the radio interface. It is based on radio measurements and it is used to maintain the Quality of Service requested by the Core Network. Handover may be directed to/from another system (e.g. UMTS to GSM handover). Further functions of UTRAN are configuration and maintenance of the radio interface, power control, paging and macro diversity.
Tektronix
1-13
1.6 1.6.1
Radio Resource Management (RRC) Call Admission Control Radio Bearer Management (Set Up & Release) Code Allocation Power Control (Outer Loop) Congestion Control Handover Control incl. SRNS Relocation Ciphering ATM switching & multiplexing O&M tasks
Figure 1-14
Call Admission Control: the air interface technology CDMA requires resource check procedures before new users can access the network. Radio Bearer Management: the responsibility of setting up and disconnecting radio bearers and to manage their QoS is in within the RNC. Code Allocation: the CDMA technology requires code planning. The management of these codes is in the responsibility of RNC. Power Control: the outer loop power control, definition of SIR for a given QoS, is performed by RNC. This function is performed 10-100 times per second. Congestion Control: packet scheduling for PS CN data transmission. O&M tasks: general management functions and connection to OMC. Furthermore the RNC can act as macro diversity point, i.e. collection data from one UE which are received via several NodeBs.
1-14
Tektronix
1.6.2
Node B
NodeB
Physical unit implements 1 or more cells FDD, TDD or Dual Mode operation Data conversion for Uu transmission Power Control (Inner Loop) Measures connection quality & strength Generates Measurement Report for RNC FDD: Micro Diversity (Softer Handover)
Figure 1-15
NodeB
NodeB is the physical unit to generate one or more cells. There are three types of NodeBs: UTRA-FDD NodeB, UTRA-TDD NodeB and Dual Mode NodeB (UTRATDD and UTRA-FDD). Power Control: performs the inner loop power control which measures the actual SIR, compares it with the specific defined value and may trigger changes in the TX-Power of a UE. Measurement Report: the measured values are given to the RNC for Handover decision etc. Micro Diversity: in case of softer handover a UE is connected to more then one sector of an antenna, respectively one NodeB. Micro diversity means to combine the different signals to one data stream before transmitting the sum-signal to the RNC.
Tektronix
1-15
1.6.3
Media Gateway
Figure 1-16
MGW and MSC Server will be part of circuit switched CN in 3GPP UMTS Rel.4 even though the realisation can be performed even before IP is used all over the network. The given protocols on Mc and on Nc interface are only examples. The real situation could also work with proprietary or other standard protocol variants.
1-16
Tektronix
1.6.4
Charging Gateway
Charging Gateway
IP Gi
GGSN
Gn Gp
Ga
CGF
CDR
Billing System
SGSN
Charging Gateway Function transfers charging information from SGSN and GGSN as Call Detail Records (CDR) to a Billing System (BS) CGF can be stand alone network element or implemented in all or several GSNs; in CS CN the CGF is implemented in MSC Protocol on Ga Interface: GTP (Prot. Discriminator = 1) CGF BS Interface: FTP on TCP/IP; ASN.1 coded International charging information is performed between Billing Systems by using Transferred Account Procedures (TAP)
Figure 1-17
Charging Gateway
GTP GPRS Tunnelling Protocol ASN.1 Abstract Syntax Notation One Another important network component is the Charging Gateway. It represents the interface between PS core network and any Billing System. In circuit switched CN the MSC contains the charging gateway function. The Charging Gateway is collecting call specific information from SGSN and GGSN and is generating Call Detail Records (CDR) which is transmitted to the Billing System.
Tektronix
1-17
1.6.5
HPLMN B
HLR
HPLMN C
HLR
VPLMN a
VPLMN b
GLR is located between HLR and VLR to optimise inter-network signalling for location management GLR is a pseudo-HLR located in visited network GLR is invisible for the other network, i.e. SSN is VLR or HLR Stores Subscriber Data, etc. Delivers Roaming Number, etc.
Figure 1-18
The Gateway Location Register simulates HLR and VLR for international roaming. By this it decreases international signalling (Mobile Application Part MAP) between Home-PLMN and Visited-PLMN.
1-18
Tektronix
1.7
Area Concept
Area concept
URA RA
URA
URA RA LA
URA
URA
URA RA LA
URA
URA
Figure 1-19
Area concept
LA RA URA
The areas of 2G will continuously be used in UMTS. UMTS will add a new group of location specifying the UTRAN Registration Areas. These areas will be smaller Routing or Location Areas and will be maintained by UTRAN itself, i.e. RNC.
Tektronix
1-19
1.7.1
Cell Concept
Cell concept
NodeB
Figure 1-20
Cell concept
UMTS has specified so far three types of cells: Pico-, Micro- and Macro-Cells. Their differences are size, maximum data rate and maximum speed of the moving subscriber. At the beginning of UMTS Macro- and Micro-Cells will be implemented because a huge coverage area can be guaranteed by using them. Pico-Cells will follow later, probably also using UTRA-TDD transmission.
1-20
Tektronix
1.8
User Equipment UE
Application interface Mobile Equipment ME Terminal Equipment TE Terminal Adapter TA Network Termination NT Radio Termination RT
Tu
Uu
Mobile Termination MT Cu
Figure 1-21
In UMTS the mobile station is called User Equipment (UE). It is constructed very much modular. Mobile Termination: represents the termination of the radio interface and by that am IMT-2000 family specific unit, e.g. different MT for UMTS in Europe and USA. Terminal Adapter: represents the termination of the application specific service protocols, e.g. AMR for speech. This function will perform all necessary modifications to the data. Terminal Equipment: represents the termination of the service.
Tektronix
1-21
1.8.1
UE Reference Architecture
UE Reference Architecture
Transit CN
Iu
Figure 1-22
UE Reference Architecture
DTE
1-22
Tektronix
1.8.2
USIM
Information, stored in USIM: - Administrative - Temporary network data - Service related data - Applications - Personal
UTRAN
Profiles
The main difference between USIM and a GSM-SIM is that the USIM is by default downloadable and that it can be accessed via the air interface and also be modified by the network. The USIM is a Universal Integrated Circuit Card (UICC) which has much more capacity than a GSM SIM. It can store applications (Java) and profiles describing the way applications shall be used and also by whom their may be used (user rights).
Tektronix
1-23
1.8.3
Mode MT
UTRAN FDD
Multi Radio
Mode MT
Single Network
MT
PSDomain
Multi Network
CSDomain PSDomain
MT
Figure 1-24
Single Radio Mode MT: the UE can work with one type of network, i.e. only one Radio Access Technology (RAT) is implemented. Multi Radio Mode MT: more than one RAT is supported. 3GPP has specified handover between different RATs very much in detail. Single Network MT: independent of the Radio Mode the Single Network MT is capable of using only one type of core network, e.g. only the packet switched CN (PC-Card). Multi Network MT: independent of the Radio Mode the Multi Network MT can work with different types of core network. At the beginning of UMTS the multi network operations will have to be performed sequentially but at a later stage also parallel operations could be possible. This depends a lot on the overall performance of UE and network capacity. The first UMTS mobiles should be Multi Radio - Multi Network mobiles.
1-24
Tektronix
1.8.4
Mobile Capabilities
Mobile Capabilities
System Information MS Classmark, MS Radio Access Capability
CN UTRAN
Available WCDMA modes, FDD or/and TDD Dual mode capabilities, support of different GSM frequencies Support of GSM PS features, GPRS or/and HSCSD Available encryption algorithms Properties of measurement functions, timing Ability of positioning methods Ability to use universal character set 2
Figure 1-25
Mobile Capabilities
The possible features of UTRAN and CN will be transmitted via System Information on the radio interface. A UE can by listening on these channels configure its own settings to work with the actual network. On the other hand the UE will also indicate its own capabilities to the network by sending MS Classmark and MS Radio Access Capability information to the network. In GSM MS Classmark 1 and 2 were used. In UMTS MS Classmark 2 and the new MS Classmark 3 is used. The difference is the number of parameter for different features can be transmitted. The example parameters shown in the figure are taken of a MS Classmark 3 message.
Tektronix
1-25
1.9
TE
MT
NodeB
UTRAN
RNC
SGSN
CN
GGSN
TE
End-to-end Service Local Bearer Service UMTS Bearer Service External Bearer Service CN Bearer Service Backbone Bearer Service Backbone Phys. Bearer Service
UTRA Service
Figure 1-26
Bearer Service and Quality of Service (QoS) are in UMTS more or less the same. Other than in 2G systems where a Bearer was a traffic channel in 3G the Bearer represents a selected QoS for a specific service. First on the physical layer a Bearer is a type of channel. The End-to-end Service will define the constraints for the QoS. These constraints will be given to the lower Bearer Services, translated into their configuration parameters and again passed to the lower layer. By that UMTS sets up a connection through its own layer architecture fulfilling the requested QoS. Problems are foreseen in the External Bearer Services because they are outside of UMTS and the responsibility of the UMTS network operator. To realise this concept the constraints have been specified in QoS Classes with QoS Attributes.
1-26
Tektronix
1.9.1
QoS Principles
Figure 1-27
QoS Principles
The modular concept was also used when defining the principles of QoS. By that parts of the network can evolve independently in the future allowing new applications to become realised even without changing the whole network.
Tektronix
1-27
1.9.2
QoS Classes
Conversational class
Voice Video Conference
Streaming class
Video Streams
Interactive class
Web Browsing
Background class
E-Mail download
Figure 1-28
QoS Classes
Conversational class: real-time applications with short predictable response time. Symmetric transmission without buffering of data and guaranteed data rate. Streaming class: real-time applications with short predictable response time. Asymmetric transmission with possible buffering of data and guaranteed data rate. Interactive class: non-real-time applications with acceptable variable response time. Asymmetric transmission with possible buffering of data but without guaranteed data rate. Background class: non-real-time applications with long response time. Asymmetric transmission with possible buffering of data but without guaranteed data rate.
1-28
Tektronix
1.9.3
QoS Attributes
Figure 1-29
QoS Attributes
SDU
A Bearer Service is a service which guarantees a Quality of Service between two endpoints of communication. Several parameters will have to be defined from operators.
Tektronix
1-29
UMTS Services
Mobile Application Execution Environment UMTS SIM Application Toolkit Virtual Home Environment Personal Service Environment Open System Architecture Location Services
Figure 1-30
UMTS Services
Some services have been defined for UMTS. Applications can be developed using these standard UMTS network services. An important role in the service concept will be the CAMEL protocol which will be used as the main communication protocol on the service and application platform.
1-30
Tektronix
Service
HTTP
Figure 1-31
MExE represents a central function in the service platform of UMTS. It decides whether and how information is presented to the user. A service will have to interact with MExE before providing information to a user. From MExE point of view the service provider is a MExE Service Environment (MSE). MExE knows two types of Classmarks which specifies the UE capabilities of presenting information. MExE can also act as a service portal by using the UE profiles.
Tektronix
1-31
Service
UMTS
Modify menu structure for special services Modify subscription parameters, e.g. IMSI
Figure 1-32
The UMTS USIM Application Toolkit allows modifications of the USIM from the network. This is necessary by subscribing to new services or by network modifications. It will be even possible to change the IMSI with this toolkit.
1-32
Tektronix
between terminals
Figure 1-33
Virtual Home Environment is not a real service. It is more a description of how new services shall be implemented. Main idea of the VHE is that the look-and-feel of services shall be the same independent of the location or the terminal of the user. By using MExE the VHE could become true. To guarantee that future services follow these constraints open interfaces for service providers have been specified.
Tektronix
1-33
User
Local-VASP
HE
User Profiles
HE-VASP
Service Profiles
Figure 1-34
The Personal Service Environment (PSE) is an international service structure. Within this structure there is the Home Environment (HE) with its Value Added Service Provider (HE-VASP). On the other side roaming subscriber should be able to use local services, Local-VASP. Both sides will have access to the user and service profiles to get the user specific service subscriptions and configuration settings.
1-34
Tektronix
OSA API
Home Environment
USAT
LCS
MExE
WAP
3G PLMN
Visited PLMN
Figure 1-35
The interface between UMTS and service provider is defined as the Open System Architecture Application Programming Interface (OSA API). This interface is located between the HE-VASPs and the Home Environment containing the basic services, e.g. MExE and Location Services (LCS). All UMTS networks, independent of H-PLMN or V-PLMN, will communicate with the VASPs via the Home Environment. The protocol used for this communication will be CAMEL, the international form of INAP. Older services, e.g. SMS, could also use MAP.
Tektronix
1-35
LoCation Services
Two main drivers for this evolution path:
Advanced position based services
Fleet Management Nearest Service Traffic Information Management Follow Me Service
Figure 1-36
Location Services (LCS) is a keyword for different kinds of positioning methods and for services based on the knowledge of the user location. Because of the CDMA technology in UMTS also network operators are interested in knowing where subscribers are located.
1-36
Tektronix
RTT
NodeB
Figure 1-37
Round Trip Time Speed of light Measurement error margin Time Difference of Arrival Relative Time Difference (unsynchronised NodeBs) Geometric Time Difference (geometry, landscape)
In UMTS three different methods of positioning shall be used. Cell ID based positioning: possible with every UE. Cell ID can be mapped by the network to a Service Area (SA). OTDOA-IPDL: based on Time Difference of Arrival (TDOA) the UE measures the Pilot Channel arrival time of the serving NodeB and also neighbour NodeBs and calculates the difference. The problem in CDMA-FDD is that it is not easy to hear neighbour pilot signals because the serving NodeB is too loud. That is why 3GPP has defined a method where the serving NodeB stops transmission in downlink for a short time in which the UE can hear the other NodeBs. NB: this is not the Compressed Mode, which indicates that UE stops transmission in Uplink direction for a while. Nevertheless during the time of Compressed Mode the UE is listening to the neighbour NodeBs! Together with a possible Round Trip Time (RTT) positioning measurement the UE can calculate its location quite well. Assisted GPS: with a GPS Receiver in the UE and assisting location information either in the UE or in the network (UTRAN) the position can be calculated either by UE or UTRAN.
Tektronix
1-37
LCS Accuracy
Rural
TO A ing ,D Ce llu lar Po sit i on
GPS
Urban
Indoor
0,001 0,01 0,1 1 10 100
Ce ll I D
Accuracy / km
Figure 1-38
LCS Accuracy
1-38
Tektronix
CN
CN CS Domain
PSTN ISDN
Iub
SRNC SMLC
UMSC VLR
GMSC
Le
LCS internal client
Lg Lh
Le
Iur Iub
SRNC SMLC
GMLC
Lg
SGSN SLR GGSN
NodeB LMU
IP
CN PS Domain
NodeB LMU
Figure 1-39
GMLC Gateway Mobile Location Center SMLC Serving Mobile Location Center LMU Position (Location) Measurement Unit The interfaces in the LCS infrastructure are called L-interfaces. In GSM the communication between the LCS components had to be performed with LCS specific protocols (see UMTS Signalling chapter). In UMTS the communication is performed by the standard UTRAN protocols (MSC-SMLC, SMLC-LMU) or by using MAP and CAMEL (Lg, Le, Lh). GMLC: is the main controlling point for LCS application. It has a connection to the external LCS clients, value-added LCS service provider. It will control the first access towards the UE. SMLC: is controlling the LCS procedure between UE and UTRAN and will perform the main positioning calculations. It is connected to internal LCS clients for operator relevant LCS. SMLC/SRNC will decide which positioning method shall be performed. LMU: is the unit to receive the measurement values from the UE. Can be implemented in a NodeB or can be stand-alone.
Tektronix
1-39
UMTS Security
The most important security features in the access security of UMTS are the following:
Use of temporary identities (TMSI, PTMSI) Mutual authentication of the user and the network Radio access network encryption Protection of signalling integrity inside UTRAN
Figure 1-40
UMTS Security
Having the experience of GSM 3GPP could improve the security aspects for UMTS. Especially the man-in-the-middle problem, i.e. BTS fake, could be overcome by introducing a signalling integrity function.
1-40
Tektronix
VLR
Initiating procedure [IMSI or TMSI / P-TMSI]
SLR
MAP Request [IMSI or TMSI / P-TMSI]
AuC
Figure 1-41
After the initial message from UE has been indicated to the VLR resp. SLR, a MAP request is performed towards the Authentication Center (AuC) in the Home Environment (HE). The calculation of the key parameter starts. Input values: K 128 bit. User specific Master Key. Located in AuC and on USIM. SQN Sequence number, used with increased value than previous time. Values get marked as fresh. RAND 128 bit. Random value. AMF 16 bit. Authentication Management Function. Parameter which AuC uses to change USIM settings or indicate certain methods of authentication. Algorithm: f1-f5 One-way-procedures. It shall not be possible to perform backward engineering of algorithm from output values. Output values: XRES 32-128 bit. Expected Result. CK 128 bit. Cipher Key. IK 128 bit. Integrity Key AK 64 bit. Anonymity Key MAC 64 bit. Message Authentication Code
Tektronix
1-41
The output values are given to VLR/SLR. This unit will hide certain values by building the Authentication Token (AUTN) which contains SQN, AK, AMF and MAC. The RAND and AUTN are given to the UE which starts extracting the values.
VLR
Authentication request [RAND,AUTN] RAND AUTN SQN + AK AMF f5 AK + SQN K f2 f3 f4 XMAC RES CK IK Authentication response [RES] =? f1 MAC
SLR
AuC
RES = XRES ?
Figure 1-42
UE performs the authentication procedure in the opposite way than AuC making a consistency check by comparing the calculated XMAC with the received MAC value. Only if the values are equal, CK and IK will be used in the future. The authentication response is the calculated RESult which is compared within VLR/SLR. If the value is the same the procedure was successful.
1-42
Tektronix
1.11.2
Ciphering
UTRAN Encryption
(De)Encryption is performed in UE and RNC.
COUNT-C
DIRECTION LENGTH
RNC
BEARER
CK
f8
KEYSTREAM BLOCK (MASK) Plaintext MAC SDU (Transparent Mode) or Data Part of RLC PDU (Ack / Unack. Mode) Ciphered message
Figure 1-43
The ciphering process is performed in UE and RNC. Input values: CK Was generated in AuC. Was transmitted to RNC via RANAP Security Mode Command. Count-C 32 bit. Counter which changes by every PDU. Created by using the long Hyper frame Number (HFN) and a short number. This is when using MAC protocol the Connection Frame Number (CFN) and when using the RLC protocol the RLC Sequence Number (RLC-SN). Bearer 5 bit. Identification of the used Bearer Service. Multiple Bearers will be counted independently. Direction 1 bit. Uplink or Downlink. Length 16 bit. Length of Keystream Block. NB: not number of bits to be transmitted! Algorithm: f8 uses the KASUMI-Method. Generates a bit-mask. Output values: Keystream Block (Mask). Will be added to the message bit-by-bit. Advantage of this method: 1. The key can be generated even before the message is available to the algorithm 2. For the deciphering the receiving side generates the same Keystream Block (Mask) and adds it bitby-bit to the received encrypted message. Twice bit-by-bit addition gives no addition!
Tektronix
1-43
1.11.3
Integrity Protection
Integrity Protection
Integrity protection of RRC Signalling against man-in-the-middle attack.
NodeB NodeB
RNC
f9
RRC message
MAC I
Figure 1-44
Integrity Protection
By this procedure the man-in-the-middleproblem can be solved by assigning a signature to every message. This means to enhance the RRC message by a 32-bit parameter. Input values: The Radio Resource Control message! Direction 1 bit. Uplink or Downlink. IK Integrity Key. Was generated in the AuC and by a RANAP procedure given to the RNC. Count-I 32 bit. Theoretically identical with Count-C Fresh 32 bit. Random value, generated in the RNC and given to the UE. Fresh is generated newly for every new connection so that the intruder can not use old Count-I values for another signalling exchange. Algorithm: f9 KASUMI block cipher Algorithm, used in a special mode. Output values: MAC-I 32 bit. RRC message specific signature looks random.
1-44
Tektronix
UMTS Specials
Micro Diversity
Multipath Radio Channels Softer Handover
Macro Diversity Soft Handover UMTS Network Transactions General Network Positioning
Figure 1-45
UMTS Specials
The given procedures represent some new features of UMTS which were not known in 2G or in 2.5G networks.
Tektronix
1-45
NodeB
Figure 1-46
The transmission of a radio wave is not straight. Because of reflection, diffraction, and scattering of the radio wave the received signal appears as a multiple of the sent signal, different in time. This phenomenon is called Multipath. In UMTS it means that UE and NodeB receive multiple signals of the other. A special RAKE receiver is implemented in both units to overcome this problem. It receives each of the parallel signals in a finger and combines them to one strong output signal which will be given to the higher layer. Micro Diversity stands for the small diversity the receiver has to deal with, e.g. half the wavelength stands for about 7 cm.
1-46
Tektronix
NodeB
Figure 1-47
A special case where micro diversity is used is the Softer Handover. In this situation the UE is connected to more than one sectors of a NodeB. The advantage is to get a stronger RX signal. The disadvantage is that more radio resources are in use than necessary. It is up to the network planning if and when this feature shall be used.
Tektronix
1-47
NodeB
SRNC
NodeB
CN
NodeB
DRNC
Figure 1-48
The Macro Diversity function is to collect data from one UE coming into the network via different NodeBs, i.e. it is implemented in the Serving RNC. The maximum number of parallel serving NodeBs is 3. This situation is called Soft Handover. It will again use more resources than necessary. In the downlink direction several NodeBs may send data to the UE but UE will only receive the data of the sender with the strongest RX signal.
1-48
Tektronix
RRC Connection Setup Iub Bearer Establishment Transaction reasoning Authentication and Security Control Radio Bearer Establishment Iu CS/PS Bearer Establishment End-to-end connection Iu CS/PS Bearer Release Iub Bearer Release Clearing of RRC Connection
Figure 1-49
RRC
The figure shows the order of the necessary transactions of a connection. It further indicates the interworking of pure signalling exchange and Radio Bearer procedures. The procedures running between UE, NodeB and RNC will exchange Access-Stratum (AS) message whereas procedures going through to the core network, MSc and SGSN, will exchange Non-Access Stratum (NAS) messages. The procedure will be explained in the UMTS Signalling chapter.
Tektronix
1-49
LCS Service Req. Get Info about serving MSC/VLR Request subscriber location Paging of UE and preparation for LCS Individual positioning methods Request & Get location info
Figure 1-50
The figure illustrates the general procedure flow of a positioning request from an external LCS client. The procedure will be explained in the UMTS Signalling chapter.
1-50
Tektronix