LTE NAS


With Google Analytics I noticed that LTE-related articles are the most popular ones on our blog Express YourSelf! These articles are written in colloquial language and they are more informal. So let me write a single article with more formal language. Here I have tried to make this white paper concise, with lucid language.

Comments and suggestions are always welcome.

Direct Link to the white paper "LTE NAS Procedures"



If you do not have access to Scribd, read the article below.


LTE NAS Procedures

Abstract

Non-Access Stratum (NAS) is a functional layer of the protocol stack between the core network and the UE in LTE. It is the highest stratum of the control plane between UE and MME. The NAS layer runs over the Uu interface between UE and eNB, and over the S1-MME interface between eNB and MME. The main functions of the NAS protocols are (1) mobility management, (2) session management, (3) connection management and (4) security. Security has two aspects: integrity and ciphering. This article describes all the NAS procedures and the relevant concepts.

1.     Introduction

UTRAN is the access network for LTE. Whenever the UE exchanges signaling messages related to radio resources and to accessing the UTRAN, those are Access Stratum procedures. After acquiring radio resources, the UE needs to communicate with core network nodes. All signaling message exchanges related to accessing the core network are Non-Access Stratum procedures. The subsequent chapters of this article describe the EMM, ECM and ESM NAS procedures, their sub-categories and other related concepts.

2.     EMM

The EMM protocol provides elementary procedures for the UE's mobility when the UE uses E-UTRAN. Such procedures include determining the UE's location, user authentication, confidentiality, and connection management. A procedure is a group of NAS message exchanges, such as request and response, with a specific purpose. There are two kinds of EMM elementary procedures: common procedures and specific procedures.

a.     Relationship among EMM procedures

The EMM common procedures are invoked optionally by some of the EMM specific procedures. From an object-oriented design point of view, this is like an aggregation relationship, where the specific procedures are the “whole” and the common procedure(s) are the “part”. The diagram below depicts this relationship in UML notation.



The class diagram looks like the Composite design pattern. This diagram does not indicate any specific NAS module design, either at the UE or at the MME. Italic font indicates an abstract class. All the procedures in the diagram are just categories. The subsequent sections describe all the procedures that belong to these categories.

EMM specific procedures have the specific purpose of (1) mobility management and (2) connection management.

b.     EMM Mobility Management

The mobility management specific procedures are (1) Attach, (2) Detach and (3) TAU. The attach and detach procedures are similar to the corresponding procedures in GPRS and UMTS. When the UE is powered ON, or enters an LTE coverage area, it performs the attach procedure. At power OFF, the UE performs the detach procedure. Just as the UMTS coverage area is subdivided into multiple Routing Areas (RAs), the LTE coverage area is subdivided into multiple Tracking Areas (TAs). A TA is formed by the coverage area of a group of cell sites (eNBs). The eNB broadcasts the TAI. Whenever a UE detects a TAI change due to its mobility, it informs the network about its new TA or TA list by invoking the “normal TAU procedure”. Even a stationary UE periodically reports its TA with the “periodic TAU procedure”.


·         Combined procedures

The LTE network also supports combined attach, combined detach and combined TAU procedures. The combined procedures differ from the normal procedures by the presence of a few optional IEs. The combined procedures save radio resources, because the LTE network informs the legacy GPRS/UMTS network about UE attach, detach and periodic update over a wireline interface, so the UE does not need to perform similar procedures over the legacy network. Thus, the combined procedures also save the UE's battery. However, such support is optional in an LTE network deployment.

GPRS MSs fall into three categories: class A, class B and class C. Similarly, an LTE UE belongs to one of three categories. A “PS only mode” UE works only with LTE networks. These UEs are not mobile handsets but USB dongles or PC cards. They never perform combined procedures. The “PS only mode” UE is similar to a class C GPRS MS. The other two LTE UE categories are “CS/PS mode 1 UE” and “CS/PS mode 2 UE”. They are dual mode UEs. If the UE is under coverage of both LTE and legacy GPRS/UMTS, then a “CS/PS mode 1 UE” prefers non-EPS (GPRS/UMTS) service and a mode 2 UE prefers EPS (LTE) service. However, they can attach to both networks: (1) the EPS (LTE) network and (2) the non-EPS (legacy GPRS/UMTS) network.

·         EMM FSM

The EMM FSM has seven states: (1) EMM Null, (2) EMM DeRegistered, (3) EMM DeRegistered initiated, (4) EMM Registered, (5) EMM Registered initiated, (6) EMM TAU initiated, (7) EMM Service Request initiated. Most of these seven states are transient. The EMM FSM has only two major states: EMM DeRegistered and EMM Registered. They correspond to the UE being detached from the LTE network and attached to the LTE network, respectively.

c.      EMM Connection Management (ECM)

A connection is established between the UE and the MME for session management and for SMS transfer. The connection management specific procedures are: paging, CS service notification, service request, extended service request and transport of NAS.

·         Paging

The LTE network supports only PS data calls. The UE can receive a paging signal for an incoming PS data call. The legacy networks (GSM and UMTS) support both CS voice calls and PS data calls. The network can send a paging signal to the UE for an incoming CS voice call using the LTE E-UTRAN. Thus, the paging procedure is used for both incoming CS voice calls and PS data calls.

The Paging ECM specific procedure is used by the network to establish a NAS context for an incoming CS or PS call. The NAS context consists of the security parameters between UE and MME for NAS message exchanges. In the absence of a NAS context, the first message will not be encrypted. The EMM procedures may invoke other common EMM procedures for security purposes. Over the air interface Uu, the RRC protocol carries NAS messages and provides both ciphering and data integrity. In addition, the NAS security module provides data integrity and, optionally, ciphering of the NAS messages.

Generally the LTE network addresses the UE by its S-TMSI in the “Paging” procedure. However, if the MME restarts or has otherwise lost the S-TMSI of the UE, it uses the IMSI. Use of the IMSI over the air interface is a rare case and is used only to recover from the error in abnormal conditions.

·         CS Service Notification

The paging procedure is used to establish a NAS context. If the MME already has a valid NAS context for a UE, then the MME does not invoke the paging procedure for an incoming CS call. Instead, the MME invokes the ‘CS Service Notification’ procedure for an incoming CS call from the legacy GSM and UMTS networks.

·         Service Request

The UE initiates the “Service Request” ECM specific procedure in response to paging. After a successful “Service Request” procedure for connection management, the ECM FSM transitions to the ECM connected (EMM connected) state.

·         Extended Service Request

The “Extended Service Request” procedure is a variant of the “Service Request” procedure. It is used for CS fallback for voice calls and for handoff with non-3GPP networks. Examples of non-3GPP networks are CDMA networks, EVDO (HRPD) networks, WiMAX networks, etc.

·         Transport of NAS

The “Transport of NAS” ECM specific procedure is used for sending or receiving SMS over the LTE network.

·         ECM FSM

ECM can have its own FSM. In the EMM Registered state, the ECM FSM has two states: (1) ECM idle and (2) ECM connected. They are also known as EMM Idle and EMM Connected respectively.

d.     Common Procedure

The EMM common procedures are invoked optionally by EMM specific procedures. They are related to security aspects like authentication and ciphering. For example, the EMM mobility management specific procedure named Attach may invoke EMM common procedure(s) such as (1) GUTI reallocation, (2) Authentication, (3) Security Mode control, (4) Identification, (5) EMM Information and (6) ESM Information. As another example, the EMM connection management specific procedure “Service Request” may initiate the optional common procedure(s) (1) Authentication and/or (2) Security Mode Control. All the common procedures are optional. These common procedures set the security parameters in the NAS context.

e.     EMM Summary

Most of the EMM specific procedures for mobility management and connection management are initiated by the UE. The “Paging” and “CS service notification” procedures are always initiated by the network. The “Detach” and “Transport of NAS” procedures can be invoked by either the network or the UE.

Here is a quick recap of all the EMM specific procedures.

EMM Elementary procedures:

  1. Mobility management specific procedure
    1. Attach
      i. Attach
      ii. Combined Attach
    2. Detach
      i. Detach
      ii. Combined Detach
    3. TAU
      i. Normal TAU
      ii. Periodic TAU

  2. Connection Management specific procedure
    1. Service Request
      i. Service Request
      ii. Extended Service Request
    2. Paging
      i. With S-TMSI
      ii. With IMSI
    3. CS Service Notification
    4. Transport of NAS (for SMS)

  3. Common procedure
    1. GUTI reallocation
    2. Authentication
    3. Security Mode control
    4. Identification
    5. EMM information
    6. ESM information

3.     ESM: Useful concepts

a.     Multiple ESM

The NAS procedures for EMM and ECM apply per UE, so the UE software can have a single instance of the ECM module and a single instance of the EMM module. However, the NAS procedures for ESM are for session management. A UE can have multiple active sessions (EPS bearers). Each bearer has its own ESM FSM, so the UE software can have multiple instances of the ESM module.

b.     PDN and APN

The LTE infrastructure includes the eUTRAN and the EPC. A PDN is a network external to the operator's LTE infrastructure. The Internet is the most common example of a PDN. Other possible PDN examples are an IMS network, a corporate VPN, MMS etc. Looking at the big picture, LTE or any other wireless network just provides layer-2 connectivity between UE and PDN, so the UE can transfer its layer-3 user packets (most likely IP packets) to the external network PDN (most likely the Internet). The ‘name of the PDN’ is the ‘APN value’. The P-GW node is at the boundary between the LTE network and the PDN. So generally the APN value is an FQDN, which a DNS server maps to the IP address of the P-GW. This DNS server is a private one, accessible only within the PLMN.

c.      EPS bearer

An EPS bearer connects the UE and the exit gateway (P-GW) of the LTE network. Unlike UMTS, in LTE one default bearer is established during the attach procedure itself. The LTE NAS procedure standard also recommends bundling the LTE EMM NAS procedure and the ESM NAS procedure in a single packet. The default bearer has neither QoS treatment nor TFT filters for user data. The default bearer just provides basic connectivity between UE and P-GW for a single PDN.

Some mobile applications, e.g. a VoIP call, need QoS treatment for user data. A dedicated bearer provides QoS treatment and TFT for user data.

The UE has a single IP address per PDN, regardless of multiple bearers (default bearer and dedicated bearers). However, only if the UE and the PDN both support IPv4 and IPv6 dual stack can the UE have two default bearers and two IP addresses (an IPv4 address and an IPv6 address) per PDN.

If the UE and the network are both capable of providing connectivity to multiple PDNs, then the UE can have multiple default bearers and multiple IP addresses. This is analogous to having multiple Ethernet cards in a desktop PC, so that one can connect the PC to multiple networks and configure it with multiple IP addresses. Ethernet cards are layer-2 entities. Here, the LTE network appears as a single layer-2 interface consisting of E-UTRAN and EPC. However, the LTE network can still emulate multiple different layer-2 entities. So, a UE can have multiple layer-3 network layers (IP layers) in the user plane. Each layer-3 entity can be connected to a different P-GW and so to a different PDN. Within a single layer-3 entity, the UE can have a default bearer for best effort treatment and optional dedicated bearer(s) for QoS treatment and TFT.

d.     EPS Bearer ID

All EPS bearers (i.e. default and dedicated) have an EPS Bearer ID (EBI), assigned by the network. The legacy GPRS and UMTS networks assigned an NSAPI value to each PDP context. The EBI is analogous to the NSAPI. A UE can have one default bearer and zero or more dedicated bearer(s) per PDN. So at the UE side a few EBI values are used for default bearer(s) and the rest are for dedicated bearer(s). It is not possible to discriminate between a default bearer and a dedicated bearer just by EBI values. The LBI plays an important role in linking EBI values and bundling them together. All dedicated bearer related messages contain the LBI IE. The value of the LBI IE is the EBI value of the default bearer for that PDN.

e.     IP address

The UE may have a static IP address configured for the APN/PDN. Generally, the P-GW acts as a DHCP server and assigns a dynamic IP address to the UE. The P-GW consults an external DHCP server, RADIUS server or Diameter server to allocate the dynamic IP address for the UE. The dynamic IP address is allocated during default bearer creation. This IP address does not change for all subsequent new dedicated bearer(s) for that PDN.

The PCO IE is used to carry the UE address. It also carries the primary and secondary DNS addresses for that particular PDN, so an application can resolve any domain name to an IP address by contacting the DNS server within that PDN. All three of these IP addresses can be IPv4 addresses, IPv6 addresses or both. If the UE already knows their values, it mentions them in the PCO to confirm them. Otherwise, the UE sets the value to 0.0.0.0 (for the IPv4 case) and/or ::0 (for the IPv6 case) to request a new assignment from the network. The PCO IE contains PPP. The PPP contains IPCP for all these IP addresses. PPP can also contain the PAP and/or CHAP protocol(s) for user authentication. The PCO and TFT are important IEs that are exchanged between P-GW and UE. They are carried transparently by the eNB, MME and S-GW.

f.       Summary
The following tree makes this concept clearer.

  1. LTE layer-2 connectivity using eUTRAN+EPC
    1. Layer-3 IP (IPv4 or IPv6) connectivity to PDN1, UE IP = ip1 (ip1 is IPv4 address or IPv6 address)
      i. Default bearer. No QoS and no TFT. EBI = ebi1
      ii. Dedicated bearer 1 with QoS1, EBI = ebi2, LBI = ebi1
      iii. Dedicated bearer 2 with QoS2, EBI = ebi3, LBI = ebi1
    2. Layer-3 IP (IPv4 or IPv6) connectivity to PDN2, UE IP = ip2 (ip2 is IPv4 address or IPv6 address)
      i. Only single default bearer. No QoS and no TFT, EBI = ebi4
    3. Layer-3 IP (IPv4) connectivity to PDN3, UE IP = ip3 (ip3 is IPv4 address)
      i. Default bearer. No QoS, EBI = ebi5
      ii. Dedicated bearer 1 with QoS3, EBI = ebi6, LBI = ebi5
    4. Layer-3 IP (IPv6) connectivity to PDN3, UE IP = ip4 (ip4 is IPv6 address)
      i. Default bearer. No QoS, EBI = ebi7
      ii. Dedicated bearer 1 with QoS4, EBI = ebi8, LBI = ebi7

Here PDN1, PDN2 and PDN3 are all different, having different APN values. The values of ip1, ip2, ip3 and ip4 may or may not be different. QoS1, QoS2, QoS3 and QoS4 may or may not be different. ebi1 to ebi8 are all different values; they are not necessarily in sequence.

The minimum implementation without QoS can be as below:

  1. LTE layer-2 connectivity using eUTRAN+EPC
    1. Layer-3 IP (IPv4) connectivity to only single PDN 1, UE IP = ip1
      i. Only single Default bearer. No QoS, EBI = ebi1
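
The EBI/LBI linkage from sections d to f, as an added example (not code from the white paper or from any UE stack): a UE-side bearer table that accepts a dedicated bearer only when its LBI names a known default bearer, and lets the dedicated bearer inherit that bearer's PDN and address. The class and method names, the APN and IP strings and the EBI numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Bearer:
    ebi: int                    # EPS Bearer ID, assigned by the network
    apn: str                    # APN value, i.e. the name of the PDN
    ue_ip: str                  # UE address on that PDN
    lbi: Optional[int] = None   # None for a default bearer, else the default bearer's EBI
    qos: Optional[str] = None   # only dedicated bearers carry QoS/TFT


class BearerTable:
    """UE-side table of active EPS bearers (hypothetical helper, keyed by EBI)."""

    def __init__(self) -> None:
        self.bearers: Dict[int, Bearer] = {}

    def _claim(self, ebi: int) -> None:
        if ebi in self.bearers:
            raise ValueError(f"EBI {ebi} is already in use")

    def add_default(self, ebi: int, apn: str, ue_ip: str) -> None:
        self._claim(ebi)
        self.bearers[ebi] = Bearer(ebi, apn, ue_ip)

    def add_dedicated(self, ebi: int, lbi: int, qos: str) -> None:
        self._claim(ebi)
        parent = self.bearers.get(lbi)
        # The EBI value alone does not say "default" or "dedicated"; only the
        # stored context does, so the LBI must resolve to a known default bearer.
        if parent is None or parent.lbi is not None:
            raise ValueError(f"LBI {lbi} does not name an active default bearer")
        # The UE address does not change for dedicated bearers of the same PDN.
        self.bearers[ebi] = Bearer(ebi, parent.apn, parent.ue_ip, lbi, qos)

    def bundle(self, default_ebi: int) -> List[int]:
        """The default bearer's EBI followed by the EBIs linked to it via LBI."""
        linked = sorted(e for e, b in self.bearers.items() if b.lbi == default_ebi)
        return [default_ebi] + linked

    def tree(self) -> Dict[str, Dict[int, List[int]]]:
        """APN -> {default EBI -> [dedicated EBIs]}, the shape of the summary tree."""
        out: Dict[str, Dict[int, List[int]]] = {}
        for b in self.bearers.values():
            if b.lbi is None:
                out.setdefault(b.apn, {})[b.ebi] = self.bundle(b.ebi)[1:]
        return out


def page_example() -> BearerTable:
    """The summary tree with constructed, deliberately out-of-sequence EBI values."""
    t = BearerTable()
    t.add_default(5, "pdn1", "ip1")
    t.add_dedicated(9, lbi=5, qos="QoS1")
    t.add_dedicated(6, lbi=5, qos="QoS2")
    t.add_default(12, "pdn2", "ip2")
    t.add_default(7, "pdn3", "ip3")       # IPv4 default bearer of dual-stack PDN3
    t.add_dedicated(14, lbi=7, qos="QoS3")
    t.add_default(10, "pdn3", "ip4")      # IPv6 default bearer of the same PDN3
    t.add_dedicated(8, lbi=10, qos="QoS4")
    return t
```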


4.     ESM procedures

ESM procedures also have two categories: (1) “Procedures related to EPS Bearer Context”, which, as the name suggests, are used for EPS bearers, and (2) “Procedures related to transaction”. However, these ESM procedure categories are quite different from the EMM procedure categories. In the case of EMM, the specific procedures are optionally made up of common procedures. So first an EMM specific procedure starts. Then it optionally invokes one or more EMM common procedure(s). Then the EMM common procedure(s) complete, and finally the EMM specific procedure also completes.

If a UE wants to manipulate an EPS bearer context, the UE first invokes an ESM specific “Procedure related to transaction”. The UE includes the PTI IE in the first message. In response, the network invokes an ESM specific “Procedure related to EPS Bearer Context”. The network also includes the PTI IE with the same value, so that the UE can correlate it with the ongoing “Procedure related to transaction”. Once the network invokes the “Procedure related to EPS Bearer Context”, the “Procedure related to transaction” is declared/assumed to be completed at the UE side. The two categories of procedures run in sequence. Thus, indirectly, the UE can also invoke an EPS bearer context procedure! Once the “Procedure related to transaction” is completed, the PTI IE is discarded. The UE and the network then both start using the EBI, which is allocated by the network to that particular (default or dedicated) bearer. If the network itself initiates a “Procedure related to EPS Bearer Context”, then the PTI IE is absent and the EBI IE is mandatory. Examples of such procedures are (1) EPS bearer context modification and (2) EPS bearer context deactivation. As mentioned earlier, the LBI IE is used in a “Procedure related to dedicated EPS Bearer Context” to point to the default bearer for that particular PDN.

This table shows the relationship between UE initiated “Procedures related to transaction” and network initiated “Procedures related to EPS Bearer Context”.



| # | Procedures related to Transaction (rows) / Procedures related to EPS Bearer Context (columns) | Default EPS bearer context activation | Dedicated EPS bearer context activation | EPS bearer context modification | EPS bearer context deactivation |
|---|---|---|---|---|---|
| 1 | PDN connectivity | X | | | |
| 2 | PDN disconnect | | | | X |
| 3 | Bearer resource allocation | | X | X | |
| 4 | Bearer resource modification | | X | X | X |
| 5 | ESM information request | X | | | |
| 6 | ESM status message | | | | |


As one can see in the table above, “transaction related procedures” are generally invoked by the UE, with two exceptions: (1) the ESM status message, which can be sent by both UE and network, and (2) the “ESM information request”, which is always sent from the network to the UE. The UE responds with “ESM information response”.
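
The PTI correlation and the table above, as an added example (not from the white paper or from any real NAS stack): a UE-side check that accepts a bearer-context message carrying a PTI only when that PTI belongs to an outstanding transaction and the table allows the procedure as its answer. The procedure names are shortened labels, the PTI counter is an assumption, and an absent PTI is modelled as None, following the description in this section.

```python
from typing import Dict, Optional

# Rows 1 to 4 of the table: which network-initiated bearer-context procedure
# may answer each UE-initiated transaction procedure. Rows 5 and 6 are left out
# because they are not UE-initiated requests for a bearer-context change.
ALLOWED_RESPONSES = {
    "pdn_connectivity": {"default_activation"},
    "pdn_disconnect": {"deactivation"},
    "bearer_resource_allocation": {"dedicated_activation", "modification"},
    "bearer_resource_modification": {"dedicated_activation", "modification",
                                     "deactivation"},
}


class EsmTransactions:
    """UE-side PTI bookkeeping (hypothetical helper, not a real stack's API)."""

    def __init__(self) -> None:
        self.pending: Dict[int, str] = {}   # PTI -> transaction still in progress
        self._next_pti = 1                  # assumption: PTIs are handed out from 1 upward

    def start(self, transaction: str) -> int:
        """The UE sends the first message of a transaction, carrying a new PTI."""
        if transaction not in ALLOWED_RESPONSES:
            raise ValueError(f"not a UE-initiated transaction: {transaction}")
        pti = self._next_pti
        self._next_pti += 1
        self.pending[pti] = transaction
        return pti

    def on_bearer_context_request(self, procedure: str, ebi: Optional[int],
                                  pti: Optional[int] = None) -> str:
        """Classify a network message; raise ValueError if it must not be accepted."""
        if ebi is None:
            raise ValueError("EBI is mandatory in bearer-context procedures")
        if pti is None:
            # Started by the network on its own: no PTI, the EBI identifies the bearer.
            return "network-initiated"
        transaction = self.pending.get(pti)
        if transaction is None:
            raise ValueError(f"PTI {pti} matches no outstanding transaction")
        if procedure not in ALLOWED_RESPONSES[transaction]:
            raise ValueError(f"{procedure} cannot answer {transaction}")
        # The transaction now counts as completed: the PTI is discarded and
        # both sides refer to the bearer by its EBI from here on.
        del self.pending[pti]
        return f"completes {transaction}"
```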

5.     Summary

The author has put his best efforts into describing NAS concepts with correct information in lucid language. Any comments and suggestions are welcome. The author is thankful to his colleagues, supervisors and friends for all their support and encouragement in writing this article. Let all software professionals and telecom professionals use this article as reference material.




3 comments:

Suresh Panara said...

Hey very nice article. I like this and looking forward for some more interesting articles like this....

Anonymous said...

Thnx

Unknown said...

good article. Please provide updates in future as well
