LTE NAS
With Google Analytics I noticed that LTE-related articles are the most popular ones on our blog Express YourSelf! These articles are written in colloquial language and are more informal. So let me write a single article in more formal language. Here I have tried to make this white paper concise, with lucid language.
Comments, suggestions are always welcome.
Direct Link to the white paper "LTE NAS Procedures"
LTE_NAS
By chance, if you do not have access to Scribd, then read this article below.
LTE NAS Procedures
Abstract
Non-Access Stratum (NAS) is a functional layer of the protocol stack between the core network and the UE in LTE. For LTE, it is the highest stratum in the control plane between UE and MME. The NAS layer runs over the Uu interface between UE and eNB, and over the S1-MME interface between eNB and MME. The main functions of the NAS protocols are (1) mobility management, (2) session management, (3) connection management and (4) security. Security has two aspects: integrity and ciphering. This article describes all the NAS procedures and relevant concepts.
1. Introduction
UTRAN is the access network for LTE. Whenever the UE exchanges signaling messages related to radio resources and to accessing the UTRAN, those are Access Stratum procedures. After acquiring radio resources, the UE needs to communicate with the core network nodes. All signaling message exchanges related to accessing the core network are Non-Access Stratum procedures. The subsequent chapters of this article describe the EMM, ECM and ESM NAS procedures, their sub-categories and other related concepts.
2. EMM
The EMM protocol provides elementary procedures for the UE’s mobility when the UE uses E-UTRAN. Such procedures include determining the UE’s location, user authentication, confidentiality, and connection management. A procedure is a group of NAS message exchanges, such as a request and a response, with a specific purpose. There are two kinds of EMM elementary procedures: common procedures and specific procedures.
a. Relationship among EMM procedures
The EMM common procedures are invoked optionally by some of the EMM specific procedures. If one looks at this from an object-oriented design point of view, it is like an aggregation relationship, where the specific procedures are the “whole” and the common procedure(s) are the “part”. The diagrams below depict this relationship in UML notation.
The class diagram looks like the Composite design pattern. This diagram does not indicate any specific NAS module design, either at the UE or at the MME. Italic font indicates an abstract class. All the procedures in the diagrams are just categories. The subsequent sections describe all the procedures that belong to these categories.
An EMM specific procedure has the specific purpose of (1) mobility management and (2) connection management.
b. EMM Mobility Management
The mobility management specific procedures are (1) Attach, (2) Detach and (3) TAU. The attach and detach procedures are similar to the corresponding procedures in GPRS and UMTS. When the UE is powered ON, or enters an LTE coverage area, it performs the attach procedure. At power OFF, the UE performs the detach procedure. Just as the UMTS coverage area is subdivided into multiple Routing Areas (RAs), the LTE coverage area is subdivided into multiple Tracking Areas (TAs). A TA is formed by the coverage area of a group of cell sites (eNBs). The eNB broadcasts the TAI. Whenever a UE detects a TAI change due to its mobility, it informs the network about its new TA or TA list by invoking the “normal TAU procedure”. Even a stationary UE periodically reports its TA with the “periodic TAU procedure”.
· Combined procedures
The LTE network also supports combined attach, combined detach and combined TAU procedures. The combined procedures differ from the normal procedures by the presence of a few optional IEs. The combined procedures save radio resources, because the LTE network informs the legacy GPRS/UMTS network about UE attach, detach and periodic update over a wireline interface, so the UE does not need to perform similar procedures over the legacy network. Thus, the combined procedures also save the UE’s battery. However, such support is optional for an LTE network deployment.
GPRS MSs have three categories: class A, class B and class C. In a similar way, an LTE UE belongs to one of three categories. The “PS only mode” UE works only with LTE networks. These UEs are not mobile handsets; they are USB dongles or PC cards. They never perform a combined procedure. The “PS only mode” UE is similar to a class C GPRS MS. The other two LTE UE categories are “CS/PS mode 1 UE” and “CS/PS mode 2 UE”. They are dual-mode UEs. If the UE is under the coverage of both LTE and legacy GPRS/UMTS, then a “CS/PS mode 1 UE” prefers non-EPS (GPRS/UMTS) service and a mode 2 UE prefers EPS (LTE) service. However, they can attach to both networks: (1) the EPS (LTE) network and (2) the non-EPS (legacy GPRS/UMTS) network.
· EMM FSM
The EMM FSM has seven states: (1) EMM Null, (2) EMM DeRegistered, (3) EMM DeRegistered initiated, (4) EMM Registered, (5) EMM Registered initiated, (6) EMM TAU initiated, (7) EMM Service Request initiated. Out of these seven states, most are transient states. The EMM FSM has only two major states: EMM DeRegistered and EMM Registered. They correspond to the UE being detached from the LTE network and the UE being attached to the LTE network, respectively.
c. EMM Connection Management (ECM)
The connection is established between UE and MME for session management and for SMS transfer. The connection management specific procedures are: paging, CS service notification, service request, extended service request and transport of NAS.
· Paging
The LTE network supports only PS data calls. The UE can receive a paging signal for an incoming PS data call. The legacy networks (GSM and UMTS) support both CS voice calls and PS data calls. The network can send a paging signal to the UE for an incoming CS voice call using LTE E-UTRAN. Thus, the paging procedure is used for both incoming CS voice calls and PS data calls.
The Paging ECM specific procedure is used by the network to establish a NAS context for an incoming CS or PS call. The NAS context consists of the security parameters between UE and MME for NAS message exchanges. In the absence of a NAS context, the first message will not be encrypted. The EMM procedures may invoke other common EMM procedures for security purposes. Over the air interface Uu, the RRC protocol carries NAS messages and provides both ciphering and data integrity. In addition, the NAS security module provides data integrity and, optionally, ciphering of the NAS messages.
Generally, the LTE network addresses the UE by its S-TMSI in the “Paging” procedure. However, if the MME restarts or otherwise loses the UE’s S-TMSI, it uses the IMSI. Use of the IMSI over the air interface is a rare case and is used only to recover from the error in abnormal conditions.
· CS Service Notification
The paging procedure is used to establish a NAS context. If the MME already has a valid NAS context for a UE, then the MME does not invoke the paging procedure for an incoming CS call. Instead, the MME invokes the ‘CS Service Notification’ procedure for an incoming CS call from the legacy GSM and UMTS networks.
· Service Request
The UE initiates the “Service Request” ECM specific procedure in response to paging. After a successful “Service Request” procedure for connection management, the ECM FSM transits to the ECM connected (EMM connected) state.
· Extended Service Request
The “Extended Service Request” procedure is a variant of the “Service Request” procedure. It is used for CS fallback for voice calls and for handoff with non-3GPP networks. Examples of non-3GPP networks are CDMA networks, EVDO (HRPD) networks, WiMAX networks, etc.
· Transport of NAS
The “Transport of NAS” ECM specific procedure is used for sending or receiving SMS over the LTE network.
· ECM FSM
ECM can have its own FSM. For the EMM Registered state, the ECM FSM has two states: (1) ECM idle and (2) ECM connected. They are also known as EMM Idle and EMM Connected respectively.
d. Common Procedure
The EMM common procedures are invoked optionally by the EMM specific procedures. They are related to security aspects such as authentication and ciphering. For example, the EMM mobility management specific procedure named Attach may invoke other EMM common procedure(s) such as (1) GUTI reallocation, (2) Authentication, (3) Security Mode control, (4) Identification, (5) EMM Information and (6) ESM Information. As another example, the EMM connection management specific procedure “Service Request” may initiate the optional common procedure(s) (1) Authentication and/or (2) Security Mode Control. All the common procedures are optional. These common procedures set the security parameters in the NAS context.
e. EMM Summary
Most of the EMM specific procedures for mobility management and connection management are initiated by the UE. The “Paging” and “CS service notification” procedures are always initiated by the network. The “Detach” and “Transport of NAS” procedures can be invoked by either the network or the UE.
Here is a quick recap of all the EMM specific procedures.
EMM Elementary procedures:
- Mobility management specific procedure
  - Attach
    i. Attach
    ii. Combined Attach
  - Detach
    i. Detach
    ii. Combined Detach
  - TAU
    i. Normal TAU
    ii. Periodic TAU
- Connection Management specific procedure
  - Service Request
    i. Service Request
    ii. Extended Service Request
  - Paging
    i. With S-TMSI
    ii. With IMSI
  - CS Service Notification
  - Transport of NAS (for SMS)
- Common procedure
  - GUTI reallocation
  - Authentication
  - Security Mode control
  - Identification
  - EMM information
  - ESM information
3. ESM: Useful concepts
a. Multiple ESM
The NAS procedures for EMM and ECM apply per UE, so the UE software can have a single instance of the ECM module and a single instance of the EMM module. However, the NAS procedures for ESM are for session management. A UE can have multiple active sessions (EPS bearers). Each bearer has its own ESM FSM, so the UE software can have multiple instances of the ESM module.
b. PDN and APN
The LTE infrastructure includes eUTRAN and EPC. A PDN is a network external to the operator’s LTE infrastructure. The Internet is the most common example of a PDN. Other possible PDN examples are an IMS network, a corporate VPN, MMS, etc. If one looks at the big picture, LTE or any other wireless network just provides layer-2 connectivity between the UE and the PDN, so the UE can transfer its layer-3 user packets (most likely IP packets) to the external network PDN (most likely the Internet). The ‘name of PDN’ is the ‘APN value’. The P-GW node is at the boundary between the LTE network and the PDN. So generally the APN value is an FQDN, which a DNS server maps to the IP address of the P-GW. This DNS server is a private one, accessible only within the PLMN.
c. EPS bearer
An EPS bearer connects the UE and the exit gateway (P-GW) of the LTE network. Unlike UMTS, in LTE one default bearer is established during the attach procedure itself. The LTE NAS procedure standard also recommends bundling the LTE EMM NAS procedure and the ESM NAS procedure in a single packet. The default bearer has neither QoS treatment nor TFT filters for user data. It just provides basic connectivity between the UE and the P-GW for a single PDN.
Some mobile applications, e.g. a VoIP call, need QoS treatment for user data. The dedicated bearer provides QoS treatment and TFT for user data.
The UE has a single IP address per PDN, regardless of multiple bearers (default bearer and dedicated bearer). However, only if the UE and the PDN both support IPv4 and IPv6 dual stack can the UE have two default bearers and two IP addresses (an IPv4 address and an IPv6 address) per PDN.
If the UE and the network are both capable of providing connectivity to multiple PDNs, then the UE can have multiple default bearers and multiple IP addresses. This is analogous to having multiple Ethernet cards in a desktop PC, so that one can connect the PC to multiple networks and configure it with multiple IP addresses. Ethernet cards are layer-2 entities. Here, the LTE network appears as a single layer-2 interface consisting of E-UTRAN and EPC. However, the LTE network can still emulate multiple different layer-2 entities. So a UE can have multiple layer-3 network layers (IP layers) in the user plane. Each layer-3 entity can be connected to a different P-GW and so to a different PDN. Within a single layer-3, the UE can have a default bearer for best-effort treatment and optional dedicated bearer(s) for QoS treatment and TFT.
d. EPS Bearer ID
All EPS bearers (i.e. default and dedicated) have an EPS Bearer ID (EBI), assigned by the network. The legacy GPRS and UMTS networks assigned an NSAPI value to each PDP context. EBI is analogous to NSAPI. A UE can have one default bearer and zero or more dedicated bearer(s) per PDN. So at the UE side, a few EBI values are used for default bearer(s) and the rest are for dedicated bearer(s). It is not possible to discriminate between a default bearer and a dedicated bearer just by EBI values. LBI plays an important role in linking EBI values and bundling them together. All dedicated bearer related messages contain the LBI IE. The value of the LBI IE is the EBI value of the default bearer for that PDN.
e. IP address
The UE may have a static IP address configured for an APN/PDN. Generally, the P-GW acts as a DHCP server and assigns a dynamic IP address to the UE. The P-GW consults an external DHCP server, RADIUS server or Diameter server to allocate a dynamic IP address for the UE. The dynamic IP address is allocated during default bearer creation. This IP address does not change for any subsequent new dedicated bearer(s) for that PDN.
The PCO IE is used to carry the UE address. It also carries the primary and secondary DNS addresses for that particular PDN, so an application can resolve any domain name to an IP address by contacting the DNS server within that PDN. All three of these IP addresses can be an IPv4 address, an IPv6 address, or both. If the UE already knows their values, it mentions them in the PCO to confirm them. Otherwise, the UE gives the value as 0.0.0.0 (for the IPv4 case) and/or ::0 (for the IPv6 case) to request a new assignment from the network. The PCO IE contains PPP. The PPP contains IPCP for all these IP addresses. PPP can also contain the PAP and/or CHAP protocol(s) for user authentication. The PCO and TFT are important IEs that are exchanged between the P-GW and the UE. They are carried transparently by the eNB, MME and S-GW.
f. Summary
The following tree makes this concept clearer.
- LTE layer-2 connectivity using eUTRAN+EPC
  - Layer-3 IP (IPv4 or IPv6) connectivity to PDN1, UE IP = ip1 (ip1 is IPv4 address or IPv6 address)
    i. Default bearer. No QoS and no TFT. EBI = ebi1
    ii. Dedicated bearer 1 with QoS1, EBI = ebi2, LBI = ebi1
    iii. Dedicated bearer 2 with QoS2, EBI = ebi3, LBI = ebi1
  - Layer-3 IP (IPv4 or IPv6) connectivity to PDN2, UE IP = ip2 (ip2 is IPv4 address or IPv6 address)
    i. Only single default bearer. No QoS and no TFT, EBI = ebi4
  - Layer-3 IP (IPv4) connectivity to PDN3, UE IP = ip3 (ip3 is IPv4 address)
    i. Default bearer. No QoS, EBI = ebi5
    ii. Dedicated bearer 1 with QoS3, EBI = ebi6, LBI = ebi5
  - Layer-3 IP (IPv6) connectivity to PDN3, UE IP = ip4 (ip4 is IPv6 address)
    i. Default bearer. No QoS, EBI = ebi7
    ii. Dedicated bearer 1 with QoS4, EBI = ebi8, LBI = ebi7
Here PDN1, PDN2 and PDN3 are all different, having different APN values. The values of ip1, ip2, ip3 and ip4 may or may not be different. QoS1, QoS2, QoS3 and QoS4 may or may not be different. ebi1 to ebi8 are all different values, and they are not necessarily in sequence.
The minimum implementation without QoS can be as below:
- LTE layer-2 connectivity using eUTRAN+EPC
  - Layer-3 IP (IPv4) connectivity to only single PDN 1, UE IP = ip1
    i. Only single Default bearer. No QoS, EBI = ebi1
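The EBI/LBI linkage described in sections d and f can be checked mechanically. The following is an added example, not code from the white paper: it rebuilds the bearer tree from a flat list using only the LBI, and rejects a dedicated bearer whose LBI does not point at a default bearer of the same PDN. The `Bearer` class, the function name, the APN strings and the numeric EBI values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Bearer:
    ebi: int                   # EPS Bearer ID assigned by the network
    lbi: Optional[int]         # Linked Bearer ID; None models a default bearer
    apn: str                   # name of the PDN this bearer belongs to
    qos: Optional[str] = None  # only dedicated bearers carry QoS in this model

def build_bearer_tree(bearers):
    """Return {default EBI: [dedicated EBIs]}; raise ValueError on bad linkage."""
    by_ebi = {}
    for b in bearers:
        if b.ebi in by_ebi:
            raise ValueError(f"duplicate EBI {b.ebi}")
        by_ebi[b.ebi] = b
    # The EBI value says nothing about the bearer type; only the LBI does.
    tree = {b.ebi: [] for b in bearers if b.lbi is None}
    for b in bearers:
        if b.lbi is None:
            continue
        default = by_ebi.get(b.lbi)
        if default is None or default.lbi is not None:
            raise ValueError(f"EBI {b.ebi}: LBI {b.lbi} is not a default bearer")
        if default.apn != b.apn:
            raise ValueError(f"EBI {b.ebi}: LBI {b.lbi} belongs to another PDN")
        tree[b.lbi].append(b.ebi)
    return tree

# Constructed sample mirroring the tree above (ebi1..ebi8); the numeric EBI
# values are made up and deliberately out of sequence.
SAMPLE = [
    Bearer(5, None, "pdn1"), Bearer(9, 5, "pdn1", "QoS1"), Bearer(6, 5, "pdn1", "QoS2"),
    Bearer(7, None, "pdn2"),
    Bearer(12, None, "pdn3"), Bearer(8, 12, "pdn3", "QoS3"),   # IPv4 side of PDN3
    Bearer(10, None, "pdn3"), Bearer(11, 10, "pdn3", "QoS4"),  # IPv6 side of PDN3
]

if __name__ == "__main__":
    for default_ebi, dedicated in build_bearer_tree(SAMPLE).items():
        print(f"default EBI {default_ebi}: dedicated EBIs {dedicated}")
```

PDN3 has two default bearers under one APN, so grouping by APN alone would merge the IPv4 and IPv6 sides; keying the tree on the default bearer's EBI keeps them apart.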
4. ESM procedures
ESM procedures also have two categories: (1) “Procedures related to EPS Bearer Context”, which, as the name suggests, are the ESM procedures used for EPS bearers, and (2) “Procedures related to transaction”. However, these ESM procedure categories are quite different from the EMM procedure categories. In the case of EMM, the specific procedures are optionally made up of common procedures. So first an EMM specific procedure starts. Then it optionally invokes one or more EMM common procedure(s). Then the EMM common procedure(s) complete, and finally the EMM specific procedure also completes.
If a UE wants to manipulate an EPS bearer context, then the UE first invokes an ESM specific “Procedure related to transaction”. The UE includes the PTI IE in the first message. In response, the network invokes an ESM specific “Procedure related to EPS Bearer Context”. The network also includes the PTI IE with the same value, so that the UE can correlate it with the ongoing “Procedure related to transaction”. Once the network invokes the “Procedure related to EPS Bearer Context”, the “Procedure related to transaction” is declared/assumed to be completed at the UE side. These two categories of procedures run in sequence. Thus, indirectly, the UE can also invoke an EPS procedure! Once the “Procedure related to transaction” is completed, the PTI IE is discarded. The UE and the network then both start using the EBI, which is allocated by the network to that particular (default or dedicated) bearer. If the network itself initiates a “Procedure related to EPS Bearer Context”, then the PTI IE is absent and the EBI IE is mandatory. Examples of such procedures are (1) EPS bearer context modification and (2) EPS bearer context deactivation. As mentioned earlier, the LBI IE is used in a “Procedure related to dedicated EPS Bearer Context” to point to the default bearer for that particular PDN.
This table shows the relationship between the UE-initiated “Procedures related to transaction” and the network-initiated “Procedures related to EPS Bearer Context”.

| # | Procedures related to transaction (rows) / Procedures related to EPS Bearer Cxt (columns) --> | Default EPS bearer context activation | Dedicated EPS bearer context activation | EPS bearer context modification | EPS bearer context deactivation |
|---|---|---|---|---|---|
| 1 | PDN connectivity | X | | | |
| 2 | PDN disconnect | | | | X |
| 3 | Bearer resource allocation | | x | x | |
| 4 | Bearer resource modification | | x | x | X |
| 5 | ESM information request | x | | | |
| 6 | ESM status message | | | | |

As one can see in the table above, “transaction related procedures” are generally invoked by the UE, with two exceptions. (1) The ESM Status message can be sent by both the UE and the network. (2) The “ESM information request” is always sent from the network to the UE. The UE responds with an “ESM information response”.
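The PTI and EBI rules of this section can be written as a small UE-side check. This is an added example, not code from the white paper or from any NAS stack: it accepts a network bearer-context procedure only if its PTI matches an open transaction of a compatible type, or if it carries no PTI and names a known EBI. The `ALLOWED` mapping is this example's reading of the table, the class and procedure names are hypothetical, and an absent PTI IE is modelled as `None`.

```python
# Which bearer-context procedure may answer which UE transaction: this example's
# reading of the table above. Procedure names are shortened, PTI absent = None.
ALLOWED = {
    "PDN connectivity": {"default activation"},
    "PDN disconnect": {"deactivation"},
    "Bearer resource allocation": {"dedicated activation", "modification"},
    "Bearer resource modification": {"dedicated activation", "modification", "deactivation"},
}
ACTIVATIONS = {"default activation", "dedicated activation"}

class EsmCorrelator:  # hypothetical UE-side bookkeeping
    def __init__(self):
        self.pending = {}     # PTI -> transaction procedure still open
        self.bearers = set()  # EBIs of active bearer contexts

    def start(self, pti, transaction):  # UE sends the first message with a PTI
        if transaction not in ALLOWED or pti in self.pending:
            raise ValueError(f"cannot start {transaction!r} with PTI {pti}")
        self.pending[pti] = transaction

    def on_network(self, procedure, ebi, pti=None):
        """Check a bearer-context procedure from the network; return (ok, reason)."""
        if ebi is None:
            return False, "EBI is mandatory"
        if pti is not None:  # answer to a UE transaction: the PTI must correlate
            transaction = self.pending.get(pti)
            if transaction is None:
                return False, "PTI matches no open transaction"
            if procedure not in ALLOWED[transaction]:
                return False, f"{procedure} cannot answer {transaction}"
        if procedure in ACTIVATIONS:
            if ebi in self.bearers:
                return False, "EBI already in use"
            self.bearers.add(ebi)
        elif ebi not in self.bearers:
            return False, "EBI names no active bearer"
        elif procedure == "deactivation":
            self.bearers.discard(ebi)
        self.pending.pop(pti, None)  # transaction complete: the PTI is discarded
        return True, "accepted"

def demo():
    ue = EsmCorrelator()
    ue.start(1, "PDN connectivity")
    ue.start(2, "PDN disconnect")
    steps = [  # constructed messages: (procedure, EBI, PTI)
        ("default activation", 5, 1),  # answers PTI 1
        ("default activation", 6, 1),  # PTI 1 was already discarded
        ("modification", 5, None),     # network-initiated: no PTI, known EBI
        ("deactivation", 9, None),     # EBI 9 was never activated
        ("modification", 5, 2),        # not a valid answer to PDN disconnect
        ("deactivation", 5, 2),        # answers PTI 2
    ]
    return [ue.on_network(proc, ebi, pti)[0] for proc, ebi, pti in steps]
```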
5. Summary
The author has put his best efforts into describing NAS concepts with correct information in lucid language. Any comments and suggestions are welcome. The author is thankful to his colleagues, supervisors and friends for all their support and encouragement to write this article. Let all software professionals and telecom professionals use this article as reference material.
3 comments:
Hey very nice article. I like this and looking forward for some more interesting articles like this....
Thnx
good article. Please provide updates in future as well