
Session 5

The Evolved Packet Core (EPC): The all-IP based Core Network of LTE

ITU ASP COE Training on "Technology, Standardization and Deployment of Long Term Evolution (IMT)", Sami TABBANE

9-11 December 2013, Islamic Republic of Iran


1

Agenda

1) User Plane Overview
2) LTE Interfaces
3) LTE Identities
4) LTE-EPC Bearers
5) Network Entities
6) Backhauling and Backbone
7) Security

Network and Protocol architecture

1) User Plane Overview

User Plane Overview

User plane Architecture:

[Diagram: user plane traffic path]

Cost efficient 2 types of nodes architecture:
Fully meshed approach with tunneling mechanism over IP transport network
Iu Flex approach
Access Gateway (AGW)
Enhanced Node B (eNB)

User Plane Overview

S1-flex Mechanism allows:

Network redundancy, load sharing of traffic across network elements in the CN, the MME and the SGW.

Creates pools of MMEs and SGWs. Each eNB is connected to multiple MMEs and SGWs in a pool.

MME Pooling & S1 Flex

Flexible architecture: S1 Flex + MME Pooling give network redundancy and traffic load sharing.
S1 Flex: an eNB can connect to a maximum of 16 MMEs. In practice geographical redundancy is desired, connecting each eNB to 2 MMEs in different locations.

Multiple Operator Core Network

MOCN: service providers can have separate core networks (MME, SGW, PDN GW) and an E-UTRAN (eNBs) jointly shared. Enabled by the S1-flex mechanism (each eNB can be connected to multiple core network entities).

Network sharin% benefits

Network and Protocol architecture

2) LTE Interfaces

LTE-SAE network interfaces

[Diagram: LTE-SAE network interfaces. Nodes: HSS, PCRF, MME, SAE GW, SGSN. Interfaces shown: Gr, S6, S7, S3, S4, S11, S1 CP, Iu CP, Iu UP, Gb, SGi, S2a/b. Attached networks: IP networks, 2G networks, 3G networks, LTE networks, non-3GPP networks.]

LTE-SAE network interfaces

S1 flex: eNB (enhanced Node B) and aGW (access Gateway) multipoint-to-multipoint links.
X2: inter-eNB direct interface for HO management and RRM.
GGSN, SGSN and RNC elements: unique and central nodes.
ACGW (Access Core Gateway) or aGW (in 3GPP LTE/SAE, aGW refers to the Serving Gateway (SGW)).
aGW: terminates control and user planes for the UE and manages the core network features implemented in the GGSN and SGSN in Release 6.
UE Control plane: protocol similar to Release 6 RRC (Radio Resource Control): mobility control and radio bearer configuration.
User plane: header compression, ciphering, integrity and ARQ.

Core Network Interface

Two interfaces: S1 for the control plane, X2 for the user plane. Inter-eNode Bs X2 interface (includes control and user planes).

E-UTRAN Network interfaces

Interfaces

User plane carries user data and higher layer signaling:
Voice and data packets
Application level signaling (SIP, SDP or RTCP (Real-time Transport Control Protocol) packets)

Before transmission on the S1 interface, user plane packets are transmitted to the transport layer without processing.
Control plane is linked to the messages and procedures related to the interface operation:
Handover management control messages
"Bearer" control messages

E-UTRAN Network interfaces

Interfaces

Physical layer (part of the transport layer) is common to the user and control planes.
Control plane signaling: more constraints in terms of security, reliability and data loss.
User plane information: less secured routing protocols.
S1 and X2 interfaces are specified by the 3GPP; eNodeBs of various vendors may be:
Interconnected through the X2 interface
Connected to the MME or S-GW (S1 interface).

E-UTRAN Network interfaces

S1 interface: User Plane

User plane S1 interface or S1-U:
Carries user data packets between eNodeB and Serving GW.
Uses GTP (GPRS Tunneling Protocol) inherited from 2G/GPRS and 3G/UMTS networks, on top of UDP/IP, with user data encapsulation.
No flow control, no error control and no data delivery guaranteed.

GTP

All variants of GTP have certain features in common. The structure of the messages is the same, with a GTP header following the UDP/TCP header. GTPv1 headers contain the following fields:

Bit offset | Bits 0-2 | 3             | 4        | 5                     | 6                    | 7                 | 8-15         | 16-31
0          | Version  | Protocol type | Reserved | Extension header flag | Sequence number flag | N-PDU number flag | Message Type | Total length
32         | TEID
64         | Sequence number (bits 0-15) | N-PDU number (bits 16-23) | Next extension header type (bits 24-31)

Version: 3-bit field. For GTPv1, this has a value of 1.
Protocol Type (PT): 1-bit value that differentiates GTP (value 1) from GTP' (value 0).
Reserved: a 1-bit reserved field (must be 0).
Extension header flag (E): 1-bit value that states whether there is an extension header optional field.
Sequence number flag (S): 1-bit value that states whether there is a Sequence Number optional field.
N-PDU number flag (PN): 1-bit value that states whether there is an N-PDU number optional field.
Message Type: 8-bit field to indicate the type of GTP message. The different message types are defined in 3GPP TS 29.060.
Length: a 16-bit field that indicates the length of the payload in bytes (rest of the packet following the mandatory 8-byte GTP header). Includes the optional fields.
Tunnel endpoint identifier (TEID): 32-bit (4-octet) field used to multiplex different connections in the same GTP tunnel.
Sequence number: optional 16-bit field. Exists if any of the E, S, or PN bits are on.
N-PDU number: optional 8-bit field. This field exists if any of the E, S, or PN bits are on.
Next extension header type: optional 8-bit field. This field exists if any of the E, S, or PN bits are on.
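A parser for the GTPv1 header described above, added here as an example (not code from the slides). Field positions follow the table on this slide; the G-PDU message type value 255, the sample TEID and the inner payload are constructed for the demo, and extension headers are not walked.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MANDATORY_LEN = 8   # the fixed GTPv1 header is always 8 octets
OPTIONAL_LEN = 4    # sequence number (2) + N-PDU number (1) + next ext. header type (1)
G_PDU = 255         # message type of a user-data T-PDU carried on S1-U


@dataclass
class GtpV1Header:
    version: int
    protocol_type: int          # 1 = GTP, 0 = GTP'
    e_flag: bool
    s_flag: bool
    pn_flag: bool
    message_type: int
    length: int                 # octets following the mandatory header
    teid: int
    sequence_number: Optional[int] = None
    npdu_number: Optional[int] = None
    next_ext_header_type: Optional[int] = None
    payload: bytes = b""


def parse_gtpv1(pkt: bytes) -> GtpV1Header:
    """Decode the header laid out on the slide, rejecting malformed input."""
    if len(pkt) < MANDATORY_LEN:
        raise ValueError("shorter than the 8-octet mandatory header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:MANDATORY_LEN])
    version = flags >> 5                       # bits 0-2
    if version != 1:
        raise ValueError(f"not GTPv1 (version={version})")
    if (flags >> 3) & 1:                       # bit 4 is reserved and must be 0
        raise ValueError("reserved bit set")
    pt = (flags >> 4) & 1                      # bit 3
    e, s, pn = bool(flags & 4), bool(flags & 2), bool(flags & 1)   # bits 5, 6, 7
    # Length counts everything after the mandatory header, optional fields included;
    # a value larger than what was received is truncation or forgery, never trust it.
    if MANDATORY_LEN + length > len(pkt):
        raise ValueError("length field exceeds received packet")
    hdr = GtpV1Header(version, pt, e, s, pn, msg_type, length, teid)
    offset = MANDATORY_LEN
    if e or s or pn:
        # Any one of E, S or PN makes all three optional fields present.
        if length < OPTIONAL_LEN:
            raise ValueError("optional fields flagged but length too small")
        seq, npdu, next_ext = struct.unpack("!HBB", pkt[offset:offset + OPTIONAL_LEN])
        hdr.sequence_number = seq if s else None
        hdr.npdu_number = npdu if pn else None
        hdr.next_ext_header_type = next_ext if e else None
        if e and next_ext != 0:
            raise ValueError("extension headers are not walked by this example")
        offset += OPTIONAL_LEN
    hdr.payload = pkt[offset:MANDATORY_LEN + length]
    return hdr


def build_gtpv1(msg_type: int, teid: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Encode a GTPv1/GTP (PT=1) header; the S flag and optional fields only if seq is given."""
    flags = (1 << 5) | (1 << 4)
    optional = b""
    if seq is not None:
        flags |= 0x02
        optional = struct.pack("!HBB", seq, 0, 0)
    return struct.pack("!BBHI", flags, msg_type, len(optional) + len(payload), teid) + optional + payload


def is_malformed(pkt: bytes) -> bool:
    """True when parse_gtpv1 rejects the packet (used to exercise the checks)."""
    try:
        parse_gtpv1(pkt)
    except ValueError:
        return True
    return False


# Constructed sample: a G-PDU carrying a 4-byte stand-in for an inner IP packet.
SAMPLE = build_gtpv1(G_PDU, 0x12345678, b"\x45\x00\x00\x14", seq=7)
```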

GTP Principle

E-UTRAN Network interfaces

S1 interface: Control Plane

Control plane S1 interface, or S1-C: signaling interface supporting a set of features and procedures between eNodeB and MME. 4 main groups of S1-C signaling procedures:
Bearer related procedures: bearer establishment, change and release.
Handover procedures: all S1 features related to the mobility of the users between eNodeBs or with the 2G/3G technologies.
NAS (Non Access Stratum) signaling transfer: signaling between a terminal and the MME, through the S1 interface (eNodeB transparent signaling).
Paging procedure: used for MT sessions (the MME requests the eNodeB to page a terminal in a given cell).

Network and Protocol architecture

3) LTE Identities

User Identities

International Mobile Subscriber Identity (IMSI): allocated to each mobile subscriber in every (GSM, UMTS, and EPS) system. VLRs, SGSNs and MMEs may allocate Temporary Mobile Subscriber Identities (X-TMSI) for subscriber identity confidentiality. An MS may be allocated three TMSIs through the:
VLR (TMSI)
SGSN (P-TMSI)
MME (S-TMSI, M-TMSI, part of GUTI, Globally Unique Temporary UE Identity).

User Identities

IMSI is composed of three parts:
Mobile Country Code (MCC) consisting of three digits,
Mobile Network Code (MNC) consisting of two or three digits for GSM/UMTS applications,
Mobile Subscriber Identification Number (MSIN) identifying the mobile subscriber within a PLMN.

National Mobile Subscriber Identity (NMSI) = MNC and MSIN.

User Identities

Temporary Mobile Subscriber Identity (TMSI): structure and coding is chosen by agreement between operator and ME manufacturer in order to meet local needs. The TMSI consists of 4 octets. It can be coded using a hexadecimal representation. The network shall not allocate a TMSI with all 32 bits equal to 1, because the TMSI must be stored in the SIM, and the SIM uses 4 octets with all bits equal to 1 to indicate that no valid TMSI is available.

Globally Unique Temporary UE Identity (GUTI): unambiguous identification of the UE that does not reveal the UE's or the user's permanent identity in the Evolved Packet System (EPS). It allows the identification of the MME and network.
GUTI = GUMMEI + M-TMSI, where GUMMEI = MCC + MNC + MME Identifier and MME Identifier = MME Group ID + MME Code.
MCC and MNC shall have the same field size as in earlier 3GPP systems. M-TMSI shall be of 32 bits length. MME Group ID shall be of 16 bits length. MME Code shall be of 8 bits length.

LTE Identities

ID | Meaning | Description | Structure
IMSI | International Mobile Subscriber Identity | Unique identification of mobile (LTE) subscriber. Network (MME) gets the PLMN of the subscriber | IMSI (not more than 15 digits) = PLMN ID + MSIN = MCC + MNC + MSIN
PLMN ID | Public Land Mobile Network Identifier | Unique identification of PLMN | PLMN ID (not more than 6 digits) = MCC + MNC
MCC | Mobile Country Code | Assigned by ITU | 3 digits
MNC | Mobile Network Code | Assigned by National Authority | 2 or 3 digits
MSIN | Mobile Subscriber Identification Number | Assigned by operator | 9 or 10 digits
GUTI | Globally Unique Temporary UE Identity | To identify a UE between the UE and the MME on behalf of IMSI for security reasons | GUTI (not more than 80 bits) = GUMMEI + M-TMSI
TIN | Temporary Identity used in Next Update | GUTI is stored in the TIN parameter of the UE's MM context. TIN indicates which temporary ID will be used in the next update | TIN = GUTI
S-TMSI | SAE Temporary Mobile Subscriber Identity | To locally identify a UE in short within a MME group (Unique within a MME Pool) | S-TMSI (40 bits) = MMEC + M-TMSI

LTE Identities

ID | Meaning | Description | Structure
M-TMSI | MME Mobile Subscriber Identity | Unique within a MME | 32 bits
GUMMEI | Globally Unique MME Identity | To identify a MME uniquely in global. GUTI contains GUMMEI | GUMMEI (not more than 48 bits) = PLMN ID + MMEI
MMEI | MME Identifier | To identify a MME uniquely within a PLMN. Operator commissions at eNB | MMEI (24 bits) = MMEGI + MMEC
MMEGI | MME Group Identifier | Unique within a PLMN | 16 bits
MMEC | MME Code | To identify a MME uniquely within a MME Group. S-TMSI contains MMEC | 8 bits
C-RNTI | Cell-Radio Network Temporary Identifier | To identify an UE uniquely in a cell | 0x0001 - 0xFFF3 (16 bits)
IMEI | International Mobile Equipment Identity | To identify a ME (Mobile Equipment) uniquely | IMEI (15 digits) = TAC + SNR + CD
IMEI/SV | IMEI/Software Version | To identify a ME (Mobile Equipment) uniquely | IMEI/SV (16 digits) = TAC + SNR + SVN
ECGI | E-UTRAN Cell Global Identifier | To identify a Cell in global (Globally Unique). EPC can know UE location based on ECGI | ECGI (not more than 52 bits) = PLMN ID + ECI
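Added example, not from the slides, serving the GUTI definition above and the identity table on these two slides: packing and unpacking a GUTI with the stated field sizes (PLMN ID + MMEGI 16 bits + MMEC 8 bits + M-TMSI 32 bits), deriving the 40-bit S-TMSI and refusing the reserved all-ones M-TMSI. The 3-octet BCD layout of the PLMN ID is the NAS information element encoding; the MCC/MNC and identifier values are constructed.

```python
from dataclasses import dataclass
from typing import Tuple

M_TMSI_RESERVED = 0xFFFFFFFF   # all ones: the SIM's "no valid TMSI" marker, never allocated


@dataclass(frozen=True)
class Guti:
    mcc: str        # 3 decimal digits
    mnc: str        # 2 or 3 decimal digits
    mmegi: int      # MME Group Identifier, 16 bits
    mmec: int       # MME Code, 8 bits
    m_tmsi: int     # 32 bits


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """PLMN ID as the 3-octet BCD used in NAS IEs; a 2-digit MNC gets an 0xF filler."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC needs 3 digits, MNC 2 or 3")
    d = [int(c) for c in mcc + mnc]
    mnc3 = d[5] if len(mnc) == 3 else 0xF
    return bytes([(d[1] << 4) | d[0], (mnc3 << 4) | d[2], (d[4] << 4) | d[3]])


def decode_plmn(octets: bytes) -> Tuple[str, str]:
    mcc = f"{octets[0] & 0xF}{octets[0] >> 4}{octets[1] & 0xF}"
    mnc = f"{octets[2] & 0xF}{octets[2] >> 4}"
    if (octets[1] >> 4) != 0xF:
        mnc += str(octets[1] >> 4)
    return mcc, mnc


def is_valid_m_tmsi(m_tmsi: int) -> bool:
    return 0 <= m_tmsi < M_TMSI_RESERVED


def encode_guti(g: Guti) -> bytes:
    """GUTI = GUMMEI + M-TMSI, GUMMEI = PLMN ID + MMEI, MMEI = MMEGI + MMEC."""
    if not 0 <= g.mmegi <= 0xFFFF:
        raise ValueError("MMEGI is a 16-bit field")
    if not 0 <= g.mmec <= 0xFF:
        raise ValueError("MMEC is an 8-bit field")
    if not is_valid_m_tmsi(g.m_tmsi):
        raise ValueError("M-TMSI must fit 32 bits and must not be all ones")
    gummei = encode_plmn(g.mcc, g.mnc) + g.mmegi.to_bytes(2, "big") + bytes([g.mmec])
    return gummei + g.m_tmsi.to_bytes(4, "big")      # 6 + 4 octets = 80 bits


def decode_guti(octets: bytes) -> Guti:
    if len(octets) != 10:
        raise ValueError("GUTI is 80 bits (10 octets)")
    mcc, mnc = decode_plmn(octets[:3])
    return Guti(mcc, mnc, int.from_bytes(octets[3:5], "big"), octets[5],
                int.from_bytes(octets[6:10], "big"))


def s_tmsi(g: Guti) -> int:
    """S-TMSI (40 bits) = MMEC + M-TMSI: enough to find the UE inside one MME pool."""
    return (g.mmec << 32) | g.m_tmsi


def guti_rejected(g: Guti) -> bool:
    """True when encode_guti refuses the identity (exercises the range checks)."""
    try:
        encode_guti(g)
    except ValueError:
        return True
    return False


# Constructed sample values (not a real operator's allocation).
SAMPLE_GUTI = Guti(mcc="234", mnc="15", mmegi=0x8001, mmec=0x02, m_tmsi=0x0ABCDEF1)
```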

LTE Identities

ID | Meaning | Description | Structure
ECI | E-UTRAN Cell Identifier | To identify a Cell within a PLMN | ECI (28 bits) = eNB ID + Cell ID
PGW ID | PDN GW Identity | To identify a specific PDN GW (PGW). HSS assigns the P-GW for the PDN (IP network) connection of each UE | IP address (4 bytes) or FQDN (variable length)
TAI | Tracking Area Identity | Globally unique | TAI (not more than 32 bits) = PLMN ID + TAC
TAC | Tracking Area Code | To indicate to the eNB which Tracking Area the eNB belongs to (per Cell). Unique within a PLMN | 16 bits
TAI List | Tracking Area Identity List | UE can move into the cells included in the TAI list without location update (TA update). Globally unique | Variable length

LTE Identities

ID | Meaning | Description | Structure
PDN ID | Packet Data Network Identity | To identify a PDN (IP network) that the mobile data user wants to communicate with. PDN Identity (APN) is used to determine the P-GW and point of interconnection with a PDN. With APN as query parameter to the DNS procedures, the MME will receive a list of candidate P-GWs, and then a PGW is selected by the MME with policy | PDN Identity = APN = APN.NI + APN.OI (variable length)
EPS Bearer ID | Evolved Packet System Bearer Identifier | To identify an EPS bearer (Default or Dedicated) per UE | 4 bits
E-RAB ID | E-UTRAN Radio Access Bearer Identifier | To identify an E-RAB per UE | 4 bits
DRB ID | Data Radio Bearer Identifier | To identify a DRB per UE | 4 bits
LBI | Linked EPS Bearer ID | To identify the default bearer associated with a dedicated EPS bearer | 4 bits
TEID | Tunnel End Point Identifier | To identify the end point of a GTP tunnel when the tunnel is established | 32 bits

LTE Identities

Control Plane Protocols

4) Network Entities

MME

MME hosts the following functions:
NAS signaling security
AS security control
Inter CN node signaling for mobility between 3GPP access networks
Tracking Area list management
PDN GW and Serving GW selection
MME selection for handovers with MME change
SGSN selection for handovers to 2G or 3G 3GPP access networks
Roaming
Authentication
Bearer management functions including dedicated bearer establishment
Support of PWS (which includes ETWS and CMAS) message transmission
UE reachability in idle state (including control and paging retransmission)

S-GW

Serving Gateway (S-GW) hosts the following functions:
The local Mobility Anchor point for inter-eNB handover
Mobility anchoring for inter-3GPP mobility
E-UTRAN idle mode downlink packet buffering and initiation of network triggered service request procedure
Lawful Interception
Packet routing and forwarding
Transport level packet marking in the uplink and the downlink
Accounting on user and QCI granularity for inter-operator charging
UL and DL charging per UE, PDN, and QCI

P-GW

PDN Gateway hosts the following functions:
Per-user based packet filtering (by e.g. deep packet inspection)
Lawful Interception
UE IP address allocation
Transport level packet marking in the downlink
UL and DL service level charging, gating and rate enforcement
DL rate enforcement based on APN-AMBR
Credit control for online charging

Note: The S-GW and P-GW are usually integrated in the same equipment (direct tunnel). Physical separation is done in the case of roaming.

PCRF & HSS

PCRF (Policy Control and Charging Rules Function):
Policy control decision-making
Controls the flow-based charging functionalities in the Policy Control Enforcement Function (PCEF), which resides in the P-GW
Provides the QoS authorization (QoS class identifier [QCI] and bit rates) that decides how a certain data flow will be treated in the PCEF and ensures that this is in accordance with the user's subscription profile

HSS (Home Subscriber Server):
Contains users' SAE subscription data such as the EPS-subscribed QoS profile and any access restrictions for roaming
Holds information about the PDNs to which the user can connect (in the form of an access point name (APN), which is a label according to DNS naming conventions describing the access point to the PDN, or a PDN address indicating subscribed IP address(es))
Holds dynamic information such as the identity of the MME to which the user is currently attached or registered
Integrates the authentication center (AUC), which generates the vectors for authentication and security keys

LTE Entity Functions Summary

RRM: Radio Resource Management
RRC: Radio Resource Control
EMM: Evolved Mobility Management
ECM: Evolved Connection Management

Network and Protocol architecture

5) LTE-EPC Bearers

Control plane protocols

Radio Protocol Stack Overview

RRC Overview (1-2)

Main RRC services and functions:
System Information Broadcast:
Through the logical channel BCCH
Related to the access network (settings related to the radio) or core network (PLMN Identity, ...)
Paging: through the PCCH (logical channel)
Establishment, maintenance and release of an RRC connection between the UE and E-UTRAN:
Allocation of temporary identifiers between UE and E-UTRAN
Configuration of signaling radio bearer(s) for RRC connection
Security functions including key management
Mobility functions including:
UE measurement reporting for handover (RRC talks directly with PHY to obtain measurement results)
UE cell selection and reselection and control of cell selection and reselection

RRC Overview (2-2)

Transmission of signaling messages to and from the EPS: NAS Messages (Non Access Stratum) handled transparently by the RRC (Radio Resource Control): control information exchanged between UE and E-UTRAN.
E-UTRAN RRC significantly simplified compared to UTRAN: reduction in the number of messages.

Default-Dedicated Bearer

Default Bearer vs Dedicated Bearer:
A default bearer carries all kinds of traffic (no filter) without QoS. It is typically created during the Attach procedure.
A dedicated bearer carries a specific data flow, identified by the TFT (Traffic Flow Template), with a given QoS. Ex.: voice, streaming. Can be established:
During the Attach procedure (depending on the user profile)
After the Attach procedure, on demand.

Default-Dedicated bearer

Default-Dedicated Bearer

When the UE establishes a PDN Connection this creates a logical end to end "pipe" between the UE and the PGW. The UE is assigned an IP address (IPv4 or IPv6) and the default bearer is set up (always best effort). If the UE requires some QoS different than best effort, a dedicated bearer can be set up. This will be a necessity for voice services over LTE for example, but could also be used when a streaming session is set up, or a Skype session etc. The network knows that a dedicated bearer is needed by DPI, most likely by the PCRF node.

DPI (Deep Packet Inspection)

DPI = HW and SW solution that:
Monitors a network's data stream
Identifies protocols and applications, inappropriate URLs, intrusion attempts and malware

DPI inspects, reassembles and decompresses incoming packets, analyzes the code and passes data to appropriate applications and services. If malicious URLs or code are detected, the system can block them entirely. DPI can also be used by service providers to offer subscribers different levels of access (such as type of usage, data limits or bandwidth level), comply with regulations, prioritize traffic, adjust loads and gather statistical information. DPI can recognize applications as data passes through the system, allocating each the resources they need.

Default Bearer QoS Control

[Diagram: default bearer QoS control. Labels: Total volume limit exceeded; Aggregated bandwidth; Cell capacity; Aggregated load in the cell; Normal users (THP=2); Heavy user (THP=3).]

Heavy users are dynamically downprioritized at network congestion.

Network and Protocol architecture

6) Mobile Backhaul - Backbone

Wireless Backhaul

[Diagram: access network. Labels: Copper, Fiber; Handset, PDA or Laptop; Carrier Base Station; Public Switched Telephone Network; Mobile Switching Office (provisioning, call routing, etc). Source: Fibertower Investor Presentation, April 200x (last digit not legible in the source).]

Three Main Transport Methods: Copper (T1s), Fiber, Microwave, Copper/Fiber Hybrid Solution.
Copper TDM: great for voice, not so great for data.
Fiber Ethernet: great for data, allows transition to VoIP.

Wireless Backhaul Infrastructure Trends

Fiber quickly replacing copper to meet LTE bandwidth requirements.
Point-to-point microwave backhauled to fiber to save cost.
Ethernet over E1 driving savings, greater data flow and greater reliability.

LTE Architecture: Mobile backhaul trends

Convergence of backhaul-backbone

In 2G/3G mobile networks, the BSC/RNC perform RRM. They reside at the local switch and the connection between the base station and the controllers is enabled via the backhaul network. The backbone network is not involved and can be functionally separate, being utilized primarily for interconnection of switches.

Mobile backhaul is increasingly becoming a strategic investment for service providers (source: "World Mobile Backhaul Infrastructure Market", Frost & Sullivan, February 2009) and hence the need for flexibility is ever growing.

LTE Architecture: The Mobile broadband backhaul

Broadband Mobile Network Evolution

Backhaul systems designed to serve LTE deployments should address three basic requirements:
Higher capacities: backhaul to a single site should be able to scale to 100 Mbps and even beyond.
Lower latencies: the requirement for 10 millisecond end-to-end leads to selecting a solution that supports extremely low latency.
All IP: support IP traffic from the get-go.

Examples of microwave capacities

Vendor: BridgeWave

Description | Capacity | Distance
80 GHz Fast Ethernet extended range wireless bridge | 125 Mbps, upgrade to Gig-E | Up to 4 miles
80 GHz Fast Ethernet extended range wireless bridge | 125 Mbps, upgrade to Gig-E | Up to 5 miles (8.0 km)
80 GHz Fast Ethernet medium range wireless bridge | 100 Mbps | Up to 5 miles (8 km)
80 GHz Fast Ethernet medium range wireless bridge | 100 Mbps | Up to 6 miles (9.7 km)
80 GHz Fast Ethernet medium range wireless bridge | 1000 Mbps | Up to 4 miles
80 GHz Fast Ethernet medium range wireless bridge | 1000 Mbps | Up to 5 miles (8 km)
80 GHz AdaptRate 100/1000 Mbps extended range wireless bridge | 100/1000 Mbps | Up to 5 miles (8 km)
80 GHz AdaptRate 100/1000 Mbps extended range wireless bridge | 100/1000 Mbps | Up to 6 miles (9.7 km)

LTE Architecture: Summary

The E-UTRAN

The E-UTRAN consists of eNodeBs which provide the E-UTRA user plane (PDCP/RLC/MAC/PHY) and control plane (RRC) protocol terminations toward the user equipment (UE). The eNBs are interconnected with each other by means of the X2 interface. The eNBs are connected through the S1 interface to the Evolved Packet Core (EPC), more specifically to the Mobility Management Entity (MME) by means of the S1-MME interface and to the Serving Gateway (SGW) by means of the S1-U interface.

The EPC (Evolved Packet Core)

The LTE architecture defines the Evolved Packet System (EPS) as a combination of the LTE access system (radio part) and an IP-based core network, the Evolved Packet Core (EPC). The EPC is an all-IP mobile core network for LTE, allowing the convergence of packet-based real-time and non-real-time services. All EPS transactions are IP-based: from the mobile handsets, over eNodeBs, across the EPC, and throughout the application domain, for both IMS and non-IMS. The EPC is a multi-access core IP-based network that enables operators to deploy and operate one common packet core network for 3GPP radio access (LTE, 3G, and 2G), non-3GPP radio access (HRPD, WLAN, and WiMAX), and fixed access (Ethernet, DSL, cable and fiber).

Control Plane Protocols

7) Security

Security Aspects and parameters in LTE

IPsec

Security concerns:
As in UMTS, UE authentication (USIM: 128 bits key imposed);
The internal signaling protection (integrity), signaling and traffic encryption;
Additional signaling encryption for RRC and NAS.

[Diagram: key hierarchy and where each key is applied. Labels: KUPenc, eNodeB, KNASenc, S-GW, KNASint, KRRCenc, KRRCint, RRC, MME. Key tree: USIM - AuC: K. UE - HSS: CK, IK. UE - MME: KASME, KNASenc, KNASint, KeNB. UE - eNB: KUPenc, KRRCint, KRRCenc.]

Safety is enhanced by protecting all entities:
Hierarchical protection (UE, eNB, ASME, HSS, AuC);
Ensure transport security on all interfaces.

ASME: Access Security Management Entity

Security Aspects and parameters in LTE

Main changes and additions for security in LTE versus 3G:
Introduction of a hierarchical key system in which keys can be changed for different purposes
Separation of the security functions for the NAS
Introduction of the concept of forward security: limits the security issues when a disclosed key is used
Additional security functions for 3G and LTE network interconnection

Security Aspects and parameters in LTE: Characteristics

Re-use of UMTS Authentication and Key Agreement (AKA)
Use of USIM required (GSM SIM excluded)
Extended key hierarchy
Longer keys
Greater protection for backhaul
Integrated interworking security for legacy and non-3GPP networks

Security Aspects in LTE

Encryption is performed at the eNodeB. MSPs (Mobile Services Providers) should support encryption within the transport network, especially if using third-party backhaul transport providers or public Internet transport. IPsec tunneling between the eNodeB and the security gateway is used to secure data and provide QoS, and to manage the security centrally.

Security Aspects and parameters in LTE

NAS security: NAS messages, UE and MME scope. NAS message communication between UE and MME is integrity protected and ciphered with an extra NAS security header.
AS security: RRC and user plane data, UE and eNB scope. The PDCP layer on the UE and eNB side is responsible for ciphering and integrity. RRC messages are integrity protected and ciphered, but U-Plane data is only ciphered.

Different Security algorithms (integrity/ciphering):

Integrity (EIA: EPS Integrity Algorithm):
"0000" EIA0: Null Integrity Protection algorithm
"0001" 128-EIA1: SNOW 3G
"0010" 128-EIA2: AES

Ciphering (EEA: EPS Encryption Algorithm):
"0000" EEA0: Null ciphering algorithm
"0001" 128-EEA1: SNOW 3G based algorithm
"0010" 128-EEA2: AES based algorithm

Security Aspects and parameters in LTE

Key-parameters distribution in LTE nodes

AMF (Authentication Management Field), SQN (Sequence Number)

Key hierarchy

Faster handovers and key changes, independent of AKA.
Added complexity in handling of security contexts.

[Diagram: key hierarchy. USIM - AuC: K. UE - HSS: CK, IK. UE - MME: KASME, KNASenc, KNASint, KeNB. UE - eNB: KUPenc, KRRCint, KRRCenc.]

ASME: Access Security Management Entity

Security Aspects and parameters in LTE

Security aspects in LTE

Security Aspects and parameters in LTE

AKA procedure

Security Aspects and parameters in LTE

LTE Ciphering and Integrity Algorithms

Security Aspects and parameters in LTE

Security keys for AS (Access Stratum):
User data and control. Different from those used in the EPC.

eNodeB keys:
KeNB: derived by the terminal and the MME from KASME ("Master Key") and issued by the MME to the eNodeB. KeNB is used to derive the AS traffic keys and the handover key KeNB*.
KeNB*: derived by the terminal and the source eNodeB from KeNB or from a valid NH (Next Hop). During the handover, the terminal and the target eNodeB derive a new KeNB from KeNB*.

Security Aspects and parameters in LTE

KUPenc: derived from KeNB and used to encrypt the User plane.
KRRCint: derived from KeNB and used to ensure the integrity of RRC messages.
KRRCenc: derived from KeNB and used to encrypt RRC messages.

Next Hop (NH): intermediate key used to derive KeNB* during intra-LTE handover security. The NCC (Next Hop Chaining Counter) determines if the next KeNB* must be based on the current KeNB or on a fresh NH:
If no fresh NH available: KeNB* from target PCI (Physical Cell Identity) + KeNB
Fresh NH available: KeNB* from target PCI + NH
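Added example (not from the slides) of the NH chaining rule stated above: the target key is derived horizontally from the current KeNB when no fresh NH is available and vertically from the NH otherwise, and the demo shows why only the vertical step gives the forward security mentioned earlier in this section. HMAC-SHA256 stands in for the 3GPP KDF, the labels and the initial (NH, NCC) pairing are assumptions of this model, and the KASME is constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

NhPair = Tuple[bytes, int]   # (NH, NCC) as handed to a target eNB by the MME


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for the 3GPP key derivation function."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def kenb_star(base_key: bytes, target_pci: int) -> bytes:
    """KeNB* = KDF(base key, target PCI); base key is KeNB (horizontal) or NH (vertical)."""
    return kdf(base_key, b"KeNB*", target_pci.to_bytes(2, "big"))


class MmeKeyChain:
    """MME side: owns KASME and the NH chain, which no eNB can compute on its own."""
    def __init__(self, kasme: bytes):
        self.kasme = kasme
        self.kenb_initial = kdf(kasme, b"KeNB")
        self.nh, self.ncc = self.kenb_initial, 0     # initial pair as modelled here

    def next_nh(self) -> NhPair:
        # Each fresh NH is chained from KASME and the previous NH; NCC counts the hops.
        self.nh = kdf(self.kasme, b"NH", self.nh)
        self.ncc += 1
        return self.nh, self.ncc


def handover_key(current_kenb: bytes, current_ncc: int, target_pci: int,
                 fresh_nh: Optional[NhPair] = None) -> Tuple[bytes, int]:
    """The slide's rule: no fresh NH (or a stale one) -> derive from the current KeNB
    (horizontal); fresh NH with a higher NCC -> derive from that NH (vertical)."""
    if fresh_nh is None or fresh_nh[1] <= current_ncc:
        return kenb_star(current_kenb, target_pci), current_ncc
    nh, ncc = fresh_nh
    return kenb_star(nh, target_pci), ncc


def forward_security_demo(kasme: bytes, pci_a: int, pci_b: int) -> Dict[str, object]:
    """Two handovers; records what a party holding only the source KeNB could reproduce."""
    mme = MmeKeyChain(kasme)
    kenb_src, ncc = mme.kenb_initial, 0
    # Handover 1: the target has no fresh NH yet -> horizontal derivation.
    kenb_a, ncc_a = handover_key(kenb_src, ncc, pci_a)
    # Handover 2: the MME has meanwhile delivered a fresh {NH, NCC} -> vertical derivation.
    kenb_b, ncc_b = handover_key(kenb_a, ncc_a, pci_b, fresh_nh=mme.next_nh())
    # A disclosed source KeNB plus the (public) PCIs reproduces the horizontal step but
    # not the vertical one: NH descends from KASME, which eNBs never hold.
    guess_a = kenb_star(kenb_src, pci_a)
    guess_b = kenb_star(guess_a, pci_b)
    return {"ncc_a": ncc_a, "ncc_b": ncc_b,
            "horizontal_reproducible": guess_a == kenb_a,
            "vertical_reproducible": guess_b == kenb_b}


# Constructed KASME for the demo; a real one comes out of AKA.
SAMPLE_KASME = bytes(range(32))
```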

Security Aspects and parameters in LTE

Keys derivation scheme

Security Aspects and parameters in LTE

LTE: Initial Attach P

[Sequence diagram: UE/eNB, MME and HSS during the initial attach, with the abstract functions shown on the slide.]
1. UE -> MME: ATTACH REQUEST (IMSI, SUPPORTED_ALGS)
2. MME -> HSS: AUTH VECT REQUEST (IMSI)
3. HSS: RAND = RANDOM(); SQN = SQN + 1; AUTN = AES1(K, RAND, SQN); RES = AES2(K, RAND); (Ck, Ik) = AES3(K, RAND); KASME = F(Ck, Ik, ...)
4. HSS -> MME: RAND, XRES, AUTN, KASME
5. MME -> UE: RAND, AUTN
6. UE: Does AUTN come from the HSS? Have I seen it before? 1. Check (AES1(K, RAND), SQN, AUTN); 2. RES = AES2(K, RAND); 3. (Ck, Ik) = AES3(K, RAND); derive KASME, KeNB ...
7. UE -> MME: RES
8. MME: Check RES == XRES ?
9. MME -> UE: OK, SELECTED_ALG, SUPPORTED_ALGS
10. UE: Verify OK; switch on security [OK]
11. Key derivation with F: KASME -> KNAS-int, KNAS-enc, KeNB; KeNB -> KUP-enc, KRRC-int, KRRC-enc. Protected signaling and protected traffic follow.
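The attach exchange in the diagram above as a runnable model, added here and not part of the slides: HMAC-SHA256 stands in for the abstract AES1/AES2/AES3/F, AUTN is simplified to SQN plus a MAC (real AKA conceals the SQN with an anonymity key), and the IMSI, K and serving-network identifier are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def f(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 standing in for the slide's abstract AES1/AES2/AES3/F functions."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Hss:
    """Holds K and the per-subscriber SQN and builds the authentication vector."""
    def __init__(self, subscribers: Dict[str, Tuple[bytes, int]]):
        self.db = dict(subscribers)                  # IMSI -> (K, SQN)

    def auth_vector(self, imsi: str, sn_id: bytes):
        k, sqn = self.db[imsi]
        sqn += 1                                     # SQN = SQN + 1
        self.db[imsi] = (k, sqn)
        rand = os.urandom(16)                        # RAND = RANDOM()
        sqn_b = sqn.to_bytes(6, "big")
        # AUTN = AES1(K, RAND, SQN). Simplification: SQN travels in clear next to
        # the MAC; real AKA conceals it with an anonymity key.
        autn = sqn_b + f(k, b"AES1", rand, sqn_b)[:8]
        xres = f(k, b"AES2", rand)[:8]               # XRES = AES2(K, RAND)
        ck_ik = f(k, b"AES3", rand)                  # (CK, IK) = AES3(K, RAND)
        kasme = f(ck_ik, b"KASME", sn_id, sqn_b)     # KASME = F(CK, IK, SN id, SQN)
        return rand, xres, autn, kasme


class Usim:
    """UE side: the same K, plus the highest SQN accepted so far."""
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.sqn_seen = imsi, k, 0
        self.kasme: Optional[bytes] = None

    def challenge(self, rand: bytes, autn: bytes, sn_id: bytes) -> Optional[bytes]:
        sqn_b, mac = autn[:6], autn[6:]
        # "Does AUTN come from the HSS?": only a holder of K produces this MAC.
        if not hmac.compare_digest(mac, f(self.k, b"AES1", rand, sqn_b)[:8]):
            return None
        # "Have I seen it before?": a non-increasing SQN is a replayed vector.
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_seen:
            return None
        self.sqn_seen = sqn
        ck_ik = f(self.k, b"AES3", rand)
        self.kasme = f(ck_ik, b"KASME", sn_id, sqn_b)
        return f(self.k, b"AES2", rand)[:8]          # RES = AES2(K, RAND)


class Mme:
    def __init__(self, hss: Hss, sn_id: bytes):
        self.hss, self.sn_id = hss, sn_id
        self.kasme = self.kenb = None
        self.last_challenge: Optional[Tuple[bytes, bytes]] = None

    def attach(self, usim: Usim) -> bool:
        """ATTACH REQUEST -> AUTH VECT REQUEST -> (RAND, AUTN) -> RES -> RES == XRES?"""
        rand, xres, autn, kasme = self.hss.auth_vector(usim.imsi, self.sn_id)
        self.last_challenge = (rand, autn)
        res = usim.challenge(rand, autn, self.sn_id)
        if res is None or not hmac.compare_digest(res, xres):
            return False                             # reject: no security context
        self.kasme = kasme
        self.kenb = f(kasme, b"KeNB")                # KeNB derived from KASME
        return True


def derive_kenb(kasme: bytes) -> bytes:
    """Same derivation the UE performs once it holds KASME."""
    return f(kasme, b"KeNB")


# Constructed subscriber (IMSI and K are sample values, not real ones).
SAMPLE_IMSI = "001010123456789"
SAMPLE_K = bytes.fromhex("00112233445566778899aabbccddeeff")
```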

Backhauling Security

Technologies: IP/MPLS (Backbone), Metro Ethernet (Backhaul).
IETF has defined a suite of security protocols: Internet Protocol Security or "IPsec". Provides end-to-end security at the packet processing layer to protect the network and higher-layer applications. Secures communications on a host-to-host, network-to-network and network-to-host basis. IPsec authenticates and encrypts each IP packet within a communications session.

IPsec tunnel with BGP-MPLS IP VPN

Thank you