Overview of the Evolved packet core network

miststizzaMobile - Wireless

Dec 10, 2013 (3 years and 8 months ago)

301 views

Page |




UNIVERSITY OF ALBERT
A

Overview of the Evolved
packet core network

Project report submitted to the Faculty of graduate studies and research

University of Alberta

I
n partial
fulfillment of the requirements of the degree of
Masters of Engineering (Specialization: Communications)



A
mandeep Singh, ECE, Student ID: 1275809

Department of Electrical and Computer Engineering, University of Alberta

.

Page |
i






Abstract



Since the advent of Mobile internet technologies, the users and their demand for the data
access with high rate has been growing exponentially. This study explores the
evolution
of all IP core network named Evolution Packet Core (EPC). EPC is developed by
3GPP
under work item System Architecture Evolution (SAE). Various aspects of the EPC
which includes its
architecture,
interworking with other radio access technologies e.g.
GSM/ WCDMA or CDMA, major services and functions are included
, in a brief manner,
a
re included in this study project.


Keywords
-

System Architecture Evolution (SAE)
,
Evolution Packet Core (EPC)
,
Long
Term Evolution (
LTE
)
,
Mobility Management Equipment (
MME
)
,
Serving Gateway
(
SGW
)
,

Packet Data Network Gateway (
PDN
-
GW
)
,
Home Subscriber Ser
ver (
HSS
)
,
eNODEB




Page |
ii



Table of contents




1.

Introduction to Evol
ved packet core networks (EPC)

................................
.....................
1

1.1


Overal
l cellular system architecture
................................
................................
....
1

1.2


Bac
kground of development of EPC

................................
................................
.
2

1.3


Objectives set by 3GPP for EPC

................................
................................
.........
3

2.

EPC architecture

................................
................................
................................
..............
3

2.1


MME

................................
................................
................................
...................
5

2.2


Serving gateway (SGW)

................................
................................
.....................
6

2.3


Packet data network gateway (PDN
-
GW)

................................
..........................
6

2.4


Home subscriber server (HSS)
................................
................................
............
7

3.

Interworking with 2G and 3G tech
nologies

................................
................................
.....
7

3.1


Interworking between LTE and GSM or WCDMA

networks

............................
7

3.2


Interworki
ng with LTE and CDMA networks

................................
....................
10

4.

Major services of EPC

................................
................................
................................
....
11

4.1


Data services

................................
................................
................................
.......
12

4.2


Voice services

................................
................................
................................
.....
12

4.3


Message services

................................
................................
................................
.
13

5.

Major Functions of EPC

................................
................................
................................
..
14

5.1


Authentication and security

................................
................................
................
14

5.2


Policy an
d charging control and QoS

................................
................................
.
17

5.3


Packet routing

................................
................................
................................
.....
19

5.4


Mobility management

................................
................................
.........................
19

5.5


IP address allocation

................................
................................
...........................
20

Conclusion

................................
................................
................................
.............................
22

References

................................
................................
................................
..............................
23


Page |
iii








List of
Figures




Figure 1
-

Basic cellular architecture

................................
................................
...................

1

Figure 2
-

Architecture Domains by 3GPP

................................
................................
..........

3

Figure 3
-

Basic EPC architecture for LTE

................................
................................
..........

4

Figure 4
-

Interworking of LTE with GSM or WCDMA networks

................................
.....

8

Figure 5
-

Interworking of LTE with GSM or WCDMA networks by GTPv2

...................

9

Figure 6
-

Interworking of LTE with CDMA networks

................................
....................

10

Figure 7
-

Application and services on mobile broadband

................................
................

12

Figure 8
-

Flow of message services via circuit and IP domain

................................
........

14

Figure 9
-

Different security domains

................................
................................
................

15

Figure 10
-

Flow of Authentication process messages

................................
......................

16

Figure 11
-

Example of two security domains by employing NDS/IP

..............................

17

Figure 12
-

Policy architecture

................................
................................
...........................

18

Figure 13
-

EPS bearer model

................................
................................
............................

19



Page |
1





1.

Introduction
to Evolved

P
acket
C
ore
network (
EPC)


1.1.

Overall cellular system architecture


In 1897, when Guglielmo

Marconi first showed the world the ability to communicate
on radio with ships sailing the English Channel since then the evolution in the field
of wireless has been growing by leaps and bounds.

The first ever wireless system operated commercially in late

1970’s was AMPS
(Advanced mobile phone system) which was developed by Bell Labs. Since then
o
ther various other standards
e.g.
global

system for mobile
communication (
GSM),
GPRS,

CDMA

etc.

have been
developed and

even at present the

process of
development

is
on progress.

The basic cellular architecture

of different wireless standards consists

of three parts

a
s

shown in Figure 1 below
. These are
:



Mobile station.



Base station subsystem.



Network subsystem.

























Mobile Station
:
Mobile station is
equipment

in the cellular system which is intended
for use while in motion. It may be hand held device or installed in vehicles. It contains
an

integrated chip called subscriber identity module (SIM) which contains
International mobile subscriber identity (IMSI) an
d encryption keys for authorization.

Base station subsystem
:
Base station subsystem mainly consists of two entities Base
transceiver station (BTS) and base station controller (BSC). BTS is a fixed station in a
cellular network
and
used for communication wi
th mobile stations over air interface. It
Figure
1
-

Basic cellular architecture

Base Station Subsystem

Network Subsystem

Mobile
Station


BTS

BSC


HLR

VLR

MSC


EIR


AuC

PSTN

BTS

BSC

Page |
2



consists of radio channels and antennas

(transmitting and receiving simultaneously)

mounted on a tower.

BSC provides the functions like handover, control of RF power
levels and cell configuration data in BTS and ph
ysical connectivity between BTS and
Mobile switching center (MSC). One BSC can handle various BTS simultaneously.

Network Subsystem
:
Network subsystem consists of Mobile Switching C
enter

(MSC)
which provides the functions of call routing and mobile mana
ge
men
t. It is
connected
to Public Switched Telephone N
etwork

(PSTN) to provide access to external n
etworks
to the end users.

Home Location R
egister

(HLR) which stores the data related to each
and every subscriber registered in a n
etwork and provide

the current location
of each
user.

Visitor Location R
egister

(VLR)

is
database which temporarily stores the
information of a subscriber who is visiting the coverage area of
MSC other than its
home MSC.

The Authentication Center

(AuC)

is a database which i
s strongly
protected
and handles

the authentication and encryption keys for every single
subscriber in the HLR and VLR. The Authentication Center contains a register called
the
Equipment Identity Register

(EIR) which identifies stolen phones that transmit
identity data that does not match with information contained in either the HLR or
VLR.


1.2

Background of development of

EPC


In 1990’s the various standards of cellular
system e.g
. GSM,
CDMA etc
. were based
on circuit switching and the services developed were

specifically concentrated on the
typical applications of telecommunications. But the
introduction of

mobile internet in
early 1990’s brought a huge change or we can say the revolution in
telecommunication world. But at that time the mobile equipment were
not
designed

enough to support the services
. Another reason was the bandwidth; the BW of radio
was not enough to support the services.

Now the trend has been changed with the evolution of new mobile broadband access
technologies and developments in
semiconductor chips made it possible to support he
mobile internet services.

In November 2004, 3GPP(Third generation partnership project) started its work on
4G technologies that was like a successor of Universal mobile telecommunication
system(UMTS), part
icularly a work item named system architecture evolution(SAE)

along with LTE

which is responsible for evolution of packet core network(EPC)
,
which will support the high bandwidth services at high data rate.

3GPP wanted to create a global standard for 4G te
chnologies. Because, firstly, to give
an operator a full freedom to choose a vendor. It means whatever vendor the operator
will use, its end users would not have any disruption in services in moving from one
vendor equipment to another.

It will also increa
se the competition between vendors.
Secondly, the creation of global standard will be helping in removing the separation
between various players like operators and vendors involved in providing services to
the end users. As an example, in no separation cas
e, the semiconductor chip maker
company will have one larger market. So the larger the market is then larger its users.
It would help
in reducing overall cost of the production and the company can achieve
high profits at lowest price levels. So the main ta
rget behind the evolution of core
networks is to
provide affordable

and reliable communications
networks to

the users.

Page |
3



In the standardization process of the EPC
,

various bodies like
3GPP2 (
Third
generation partnership project 2), Internet engineering task

force (
IETF), WiMAX

forum and

open mobile
alliance (
OMA) took part very actively.

3
GPP ‘owns


the
EPS specifications and

refers to IETF and occasionally OMA specifications where
necessary, while 3GPP2 complements these EPS specifications with their own
do
cuments that

cover the impact on EPS and GPP2
-
based systems. WiMAX forum
also refers

to 3GPP documentation where appropriate for their specification work

1
.


1.3

Objectives set by
3GPP for
EPC:


The three main promises made by
3GPP for
development of SAE or EPC

were

to
deliver
:



New core network architecture to support high data rate and reduced latency in a
time frame of next 10 years to ensure the co
mpetiveness of the 3GPP systems



To support mobility between multiple heterogeneous access systems for e.g. like
b
etween 3GPP and 3GPP2 sy
stems or between 3GPP and WiMAX



All IP architecture, to enhance
the capability

of 3GPP systems to cope with r
apid
growths in IP data traffic


2.

EPC architecture

Before we will go into the details of

architecture of the EPC, we will
briefly
see the
high
-
level perspective of the complete system as defined in the SAE work item. It is called
EPS architecture. EPS stands for Evolved Packet system, which represents all IP network
and
contains
both EPC

and
LTE.

It consists of different domains and each domain
again
consists

of logical nodes. These

nodes are

inter
worked with each other to perform any
specific set of functions
. The basic network which implements the 3GPP specification is
shown below in the fig
ure

2
.




















1
Olsson,M., Sultana, S., Frid, L. &Mulligan,C.(2009). SAE and Evolved packet core: Driving the mobile
broadband revolution. Oxford, UK: Elsevier Ltd.


RAN Domains


Core network domains

Figure
2
-

Architecture Domains by 3GPP

GSM/GPRS

WCDMA/HSPA

LTE

Non
-
3GPP

Circuit core domain

User
Domain

Packet core

domain

IMS domain

CS
networks

IP
networks

Page |
4




As shown in the
figure

2
,

there are four domains
.
First,
GSM/GPRS

represents 2G
technology domain
whereas
second,
WCDMA/HSPA (W
ide CDMA/ High speed packet
Access
)

represents 3G or 3.5G RAN (Radio access network).

Third,

LTE

(Long term
evolution) is the latest domain specified by
3GPP

and the fourth,

Non
-
3GPP domain
consists of access networks,

e.g. WiMAX and WLAN, Which are not specified by 3GPP
but actually provid
ed
by other st
andardization bodies like 3GPP2, IEEE. All four
domains are connected to packet core domain (EPC). The core domain also consists of
four basic domains.

These are C
ircuit core domain, User domain, IMS (IP multimedia
subsystem)

and P
acket core
domain.

The circuit core domain is linked to GSM/GPRS and
WCDMA/HSPA. It supports and provides the circuit switch services in 2G and 3G
technologies.

The packet core domain provides IP services over GSM, WCDMA/
HSPA,

LTE and Non
-
3GPP
technologies while the
user domain provides the complete updated
info
rmation of users on request. It maintains the database to support roaming mobility of
the subscriber whether they are moving in a single network or in between different
network.

The IMS provides support to serv
ices based on Session initiation protocol (SIP).
Since

IMS

supports

IP services
so it uses the IP connectivity with packet core domain to
use its function provided by its node.

Now we will turn our attention to the EPC architecture. The EPC architecture co
nsists of
packet core domain and user domain. The following figure

3

is showing the
basic
architecture of the EPC

for LTE
.





SGi






S5



CP

UP











S6

S11



S1



CP

UP




















In packet domain, it consists of:

eNODEB


eNODEB


Mobile Device

HSS

MME

PDN
-
GW

SGW

Internet

Figure
3
-

Basic EPC architecture for LTE

Page |
5





Mobility manag
ement equipment(MME)



Serving Gateway(SGW)



Packet data network gateway(PDN
-
GW)


In user domain, it has only one node named Home subscriber server (HSS).


The role and function of each component of EPC is as follows:


2.1


M
obility

Management Equipment


It is
the

node which is responsible for the signal exchanges between base stations and
core networks and between the subscriber and core network.

Basically MME does not
involve in air interface matters so it is the non
-

access stratum (NAS) signalling
which is e
xchanged between MME and radio network. In brief following are the
basics tasks which MME performs.



Authentication
: When for the first time subscriber attached with LTE network

in
particular we can say when it comes under the coverage of
eNODEB

for first t
ime
then
eNODEB

helps in exchanging the information between the subscriber and
MME through its S1
-
CP (S1 control plane) interface with MME. Then MME which
is connected to HSS through S6 interface requests the authentication information
from HSS and authent
icate the subscriber. After the authentication, it forwards th
e
encryption keys to the eNODE
B

so that the data and signalling exchanges between
the
eNODEB

and subscriber over the air interface can be ciphered or calculated
numerically.



Establishment of Be
arers
:

MME actually deals with the control data instead of the
user data
. For the establishment of
bearer

it actually communicates with other
entities of the core
network

(SGW and PDN
-
GW)

to

establish a user IP tunnel
between a mobile subscriber and internet. It also helps in selecting a gateway router
if more than one gateway
router is

there in network.



NAS mobility management
:

In case when there is no communication happening
between a mobil
e and radio network for a decided amount of time then any
connection and resources between subscriber and radio network are released by the
networ
k. In a same tracking area (TA)

the subscriber can move freely between
different base stations without notifyi
ng the MME. It saves the battery power of the
mobile device and helps in reducing the signal traffic in the network. If there is any
data arrive from the internet for this device then MME send a paging message to
every
eNODEB

in same tracking area

then mo
bile device responds to the paging
message and connection re
-
establishes.



Interworking support:

Whenever a mobile device is reaching the boundary of LTE
then the
eNODEB

decides for the suitable cell, for the
device
or
for
the network
(GSM or UMTS). MME con
tinuously
makes communication with other core
ne
twork components of GSM, UMTS and

CDMA to support the traffic.



Handover suppo
rt:

There are some cases in which there is no X2 interface
available between two
eNODEB
s and mobile device is going from one
eNODE
B

to
other
eNODEB

then in that case two
eNODEB
s transfer messages between each
other through MME.

Page |
6





Supporting traditional services like voice and
messages:

As LTE is pure IP
network and it should be compatible to GSM and UMTS to support the voice and
other services.

MME plays the role of mapping the services from GSM or UMTS to
LTE. Details
of how

it supports the services are provided under major services
se
ction of EPC.


2.2


Serving gateway (SGW)


The basic function of serving gateway is to manage the user IP tunnels between
eNODEB

and

packet data network gateway
. Serving gateway is connected to
eNODEB

through S1
-
UP (S1
-

user interface) and to PDN gateway throu
gh S5
-
UP
interface
.

S1 and S5 tunnels for
an

individual user are independent of each other

and
it can be modified as required.
It is connected to MME through S11 interface which
provides the function of creation and modification the

tunnels. The S11 interf
ace
uses GTP
-
C

(GPRS tunnelling protocol
-
control) to transfer the messages sent by
MME to SGW.

Generally in the standard MME and SGW are defined independently
but these entities can be defined on a same

or different

network node depends on the
operator choice.

This allows the wireless standardization bodies to

work on

the
signalling

traffic and user traffic independently
.

This was done because the
additional signalling increases the load of the processors which proce
sses the
signalling traffic and on the other hand rising user
traffic demands

the evolution of
more network interfaces and routing capacity.


2.3


Packet data network gateway(PDN
-
GW)




The functions of PDN
-
GW are as follows:




This is the gateway to I
nternet. It connects to the SGW through S5
-
UP

interface and
to I
nternet through SGi interface. In forward direction,
it takes user data packets
from SGW and transfer to internet through SGi interface. In back ward direction,
data packets are encapsulated i
nto S5 GTP tunnel and forwarded it to SGW which is
responsible for that intended user.



PDN gateway is also responsible for assigning IP addresses to the mobile devices.
This happens when a subscriber switched ON his/her mobile device. Mobile device
sends i
ts request to
eNODEB

which uses the S1
-
CP and forwards to MME.

MME,
after authentication,

request the PDN gateway on a control plane protocol for IP
address. If PDN gateway approves the request then it sends back
an

assigned IP
address to MME. MME forwards

it to
eNODEB

and
eNODEB

further forwards it to
the subscriber. Multiple IP addresses can be assigned to a single mobile device
. This
is the case which happens
when a

subscriber is using a multiple services provided by
its network operator’s
network such

as IP multimedia
sub
system
.



It plays an important role in case of international roaming scenarios. A roaming
interface is used to connect the GSM/GPRS, UMTS/HSPA, or LTE networks of
different network operators of different countries. For example, if a sub
scriber has
moved to another country and wants to connect to an internet
then a

foreign
network
will

query the user data base in the home network for authentication purposes
. After
Page |
7



authentication
a bearer is established and GTP user tunnel is created betwe
en SGW of
visitor’s network and PDN
-
GW of
subscriber’s

home network over an interface
called S8.


2.4


Home subscriber server

(HSS)





HSS

is a data base that stores
the
information

of each and
every user in the network.
I
t also does

the authentication and authorization
of the users and services provided to
them. In UMTS and
GSM, the database is referred to as Home location register
(HLR). In LTE, a protocol named DIAMETER is used to exchange the information
between MME and HSS on S6a

interface. In practise, HSS and HLR are combined
physically so that the seamless roaming can be made possible between different
radio
access networks.
HSS
stores the user parameters like IMSI, authentication
information to authenticate the subscribe
r, cir
cuit switch properties
e.g. user
telephone number and the services a user

is allowed to use
e.g. SMS
,

call forwarding
etc.
,
Identity of current MSC so that incoming circuit switch calls can be routed
correctly, ID of MME or SGSN which is used in case user’
s HSS profile is updated
and the changes could be notified to these nodes(MME or SGSN) and packet
switched properties
such as Access point name(APN) the subscriber is allowed to use
which in turn references the properties of a connection to the Internet o
r other
external packet

data network.


3.

Interworking with 2G and 3G technologies


The deployment of LTE networks are still in very early stage so it is very imperative that
LTE should be connected to 2G and 3G technologies to provide the complete services
like voice. Take a case when a user makes a call in LTE coverage and moving out of the
LTE coverage then the call should not be disco
nnected. So for LTE deployment
interworking with existing access networks, supporting IP connectivity becomes very
crucial.

The EPS architecture provides two kinds of distinct solutions to address this
problem. The first on
e is

LTE interworking with GSM or
WCDMA access technologies
and second one describes interworking with CDMA access technologies. In the following
we will di
scuss these interworking in a brief manner.


3.1

Interworking between

LTE and GSM or WCDMA

networks


3GPP has defined two different solutions about how to do interworking between LTE
and GSM or WCDMA access networks. Before we will go further

to discuss those
two solutions

we just need to recall that if a terminal connects to the LTE then it will
be served by MME and in case if terminal connects to GSM or WCDMA then it will
be served by SGSN (Serving GPRS Supporting Node).

In the first solutio
n
,
SGSN connects to the
GSM or WCDMA networks over Gb
interfaces. The MME and PDN
-
GW nodes of LTE networks

acts as an SGSN and
GGSN respectively.
The SGSN takes MME

and PDN
-
GW just likes as another
Page |
8



SGSN and GGSN and connects to these over Gn interface. The

following diagram
represents the clear picture of how LTE network is connected to GSM or WCDMA

networks
.









Gn

SGi





Gr








Gn



S6a





Gn


Gn


Gb Iu



S5/S8



S11








S10





S1
-
MME









Signalling



Voice/Data




The EPC
architecture supports the IP session which is established over any access
network. It is also referred as session continuity. “This is done by retaining a stable IP
anchor point in the network which allows for not having to change the IP address of
the dev
ice at all”
2
.

To make this solution work, it is very necessary for SGSN that it
should distinguish

between
a

terminal that can attach to GSM or WCDMA access network only
i.e.it
cannot move to LTE from
a

terminal that can connect to LTE but is currently
att
aching to GSM or WCDMA networks due to lack of LTE coverage. The latter
terminal must always be using PDN
-
GW as the anchor point. It cannot u
se GGSN for
that because

there is no logical connection between LTE and GGSN. SGSN uses
APN (Access Point Name) to
choose either GGSN or PDN
-
GW as an IP anchor point
for a terminal.
APN is a part of configuration data related to a user subscription so for
the terminals which can support LTE radio access network should be configured with
APN that is associated to PDN
-
GW
. This actually helps the SGSN in making correct



2
Olsson
,M., Sultana, S., Frid, L. &Mulligan,C.(2009). SAE and Evolved packet core: Driving the mobile
broadband revolution. Oxford, UK: Elsevier Ltd.

GGSN

SGSN

WCDMA

GSM

HSS


HLR

PDN

SGW

MME

LTE


eNODEB

External

Networks

Figure
4
-

Interworking of LTE with GSM or WCDMA networks

Page |
9



decision and ensuring that terminals that support LTE radio access network uses the
PDN
-
GW as an IP anchor point not the GGSN.

Another very critical part of the solution is to provide single set of
user and
subscriber
data. When
a

terminal moves between different

radio

access networks then there
should not be any inconsistent information in the network about
to what access
network a specific terminal is attached. In GSM or WCDMA network, SGSN is
connected to
HLR through Gr interface and in LTE network, MME is connected to
HSS over S6 interfac
e. So according to the solution
,

HLR and HSS needs either to
share a single set of data or to make sure the consistency through other means such as
close interaction betwe
en these two entities. The 3GPP specification avoids the
problem through defining HLR as a subset of HSS in later versions of the LTE
standards.

In second solution
, SGSN introduces four new interfaces. These are S3,

S4,

S16 and
S6d.

The S3, S4 and S16 rely

on updated version of GTP (Gateway Tunnel
Protocol).It is referred as GTPv2. The following figure

5

shows the details of the new
solution










SGi










S6d

S6a


S5/S8




S4





Gb


Iu






S3


S11

S16








S1
-
U



S10





S1
-
MME






Signalling



Voice/data






The S3 interface is
signalling

only interface which is used to support inter
-
system
mobility between MME and SGSN. S16 i
s a SGSN
-

SGSN interface. S4 interface is
used to connect the SGW and SGSN. The fourth interface S6d is alike a MME S6a

Figure
5
-

Interworking of LTE w
ith GSM or WCDMA networks by
GTPv2

SGSN

WCDMA

GSM

HSS


PDN


SGW

MME

LTE

eNODEB

External

Networks

Page |
10



interface towards HSS to retrieve the subscriber data. The protocol used for S6d
interface to exchange messages is IETF’s DIAMETER prot
ocol.

In this provided solution,

the connection between the SGSN and SGW creates a
common anchor point for LTE, GSM or WCDMA in the SGW. Now, regardless the
access network to be used, all the traffic related to a particular roaming subscriber
will pass through a common point in the netwo
rk. It allows the visited network’s
operator to control and monitor the traffic in a consistent way. In this solution, by a
careful look, the user traffic needs to pass through a one additional

network node on
its way to PDN
-
GW which can be consider as a

drawback of

this solution. But for

the WCDMA networks
the solution is available to address this problem. The RNC
(Radio network Controller) of WCDMA can be directly connected to SGW through
S12 interface. By doing this, SGSN will only
considers

the contro
l signalling for
WCDMA networks not
its

user traffic.


3.2

Interworki
ng with LTE and CDMA networks


As the EPC was being developed by 3GPP under the framework of SAE, strong
efforts were made to design a solution for interworking between LTE and CDMA
technologies developed by 3GPP2 to allow smooth handover between these
different
technologies.

The follow
ing figure shows the interworking of LTE and 1x/1x EVDO
(eHRPD which stands for enhanced high rate packet data) networks. This figure
6
includes only details of CDMA network relevant to SAE framework.












SWx


STa






SGi


Gx





S6b




S6a


S10







S5/S8


S2a


Gxa




Gxc













S103




S1
-
C



S1
-
U








S102





S101





Figure
6
-

Interworking
of LTE with CDMA networks

AAA

HSS

MME

SGW

eNODEB

PDN
-
GW

PCRF

External

Networks

HSGW

eHRPD

Page |
11



To provide the interworking

between LTE and CDMA, 3GPP defined number of
additional interface in EPC architecture. The interfaces S101, S102, S103 are unique
for CDMA networks and used to provide

optimal performance during ha
ndover. The
interfaces S2a, Gxa and

STa are generic and ma
y be used for any non
-
3GPP access
networking.

For efficient interworking between LTE and CDMA, there should be common set of
subscriber data to be used for authentication and to locate the user to know which
network is currently user attached to. For this
purpose, HSS should be allowed to
common to act as a common database for all subscription data. In 3GPP2, if a
terminal is attaching over an eHRPD network then its access authentic
ation are
handled by mechanisms
which are based on IETF’s AAA (Authenticatio
n
Authorization and Accounting) functionality. For this purpose, eHRPD network is
connected to 3GPP AAA server over STa interface. In real life implementations AAA
can be a s
oftware feature inside the HSS

or a different

entity connected to HSS over
SWx int
erface. The PDN
-
GW is also connected to AAA server over S6b interface to
retrieve certain subscription data and also use the interface to store information
regarding the
PDN
-
GW,
the user is connected to
,

so that in case when a user moves
and attaches over
LTE

then the

MME would

be able
to select the same PDN
-
GW

as
was used in eHRPD network and IP session can be maintained. The user data
between eHRPD serving gateway (HSGW) and PDN
-
GW, which also act as
a

common anchor point for eHRPD network, are transporte
d over S2a interface via
PMIPV6 protocol.

To apply common policies in eHRPD network, EPC architecture
also allows for a common policy controller (PCRF) over a
Gxa

interface

to the
HSGW.

In addition to the core interfac
es, there were three interfaces
S101,

S102, S103
defined to support LTE
-

eHRPD interworking. The S101 interface, between MME
and eHRPD, is used when a packet data handover between LTE and eHRPD network
is to take place. Before the handover, the terminal pre
-
register itself in the visited
net
work to reduce the perceived interruption time. This pre
-
registration and the actual
handover signalling are carried over S101
interface. The

S102 interface, between
MME and eHRPD, is used to support the voice services in CDMA 1xRTT
networks.
“The

S103 int
erface, between SGW and HSGW, is used to forward any IP packets
destined to the terminal that happened to end up in

SGW

while

the user terminal was
executing the handover to eHRPD”
3
. This interface is used to further optimize the
packet data handover performance. These packets can then be forwarded to the
HSGW in the eHRPD network


4.

Major Services of EPC



The three major services provided by EPC are following:





3
Olsson,M., Sultana, S., Frid, L. &Mulligan,C.(2009). SAE and Evolved packet core: Driving the mobile
broadband

revolution. Oxford, UK: Elsevier Ltd.


Page |
12



4.1

Data Services


As we know that EPC has flat IP architecture. It is designed to support any
application which depends on IP
communications.
Radio access network
(LTE)
and
packet core network

(EPC)

in 4G communications has role to provide complete IP
communication between
two end
users. The IP based application which a mobile
subscriber can access can either be provided by mobile operator or accessible over
internet or residing in corporate IP network. A following
figure 7

shows as an
example how an end user on a lower leve
l accesses the IP applications by using the IP
services provided by EPC.







Application level communication




IP in p
oint to point link

Routing of IP packets











In figure 7
, all the communications

between the two end users are point to point (by
passing first through a gateway then to application server). EPC architecture makes
assure to the subscriber that he/she can move with same IP address with same or
different radio access network.


4.2


Voice

services


As EPC has flat IP architecture, there is no dedicated channel to support the voice
services like in oth
er radio access
technologies have

e.g. GSM. But for the network
operator voice services have been the largest revenue generator. So in EPC tw
o
approaches have been used

to support the voice services. Either we can use the
existing c
ircuit switched structure or the

IMS technology. IMS uses MMTel
(Multimedia Telephony) developed by 3GPP to support the voice services in IMS.



Voice services support
ed by IMS technology
: IMS uses MMTel service for
voice calls. As IMS has IP architecture, so it offers additional media components
like video including voice component. In this way
,

it adds value to the end user
and is the best option for offering voice services under LTE coverage. 3GPP also
Figure
7
-

Application and services on mobile broadband

Application




IP



Radio

Mobile Equipment

Gatewa
y

Mobile

Network

Application



IP

Application server

Page |
13



defined single radio voice call continuity (SRVCC)

to support the voice service
.
This comes into a picture when
a caller who has made call in LT
E networ
k and
going out to GSM or WCDMA
.



Voice
services supported

by circuit switched technology
:

3GPP has defined a
function named circuit switched fall back (CSFB) for co
mbining EPC supporting
LTE and c
ircuit switched services like 3G services.

CSFB is a
n alternative
solution to IMS and SRVCC to provide voice services to LTE users.

CSFB based
on the fact that

LTE users are registered in circuit switched domain when
powered
ON and

attaching to LTE.

This is done through interaction between
MME and MSC serve
r in circuit switched domain. There are two cases we can
consider here. In first case, when a subscriber initiated a call in LTE network and
moving out of LTE to GSM, UMTS or
CDMA

network
. In this case
,

packet
services can either
hand

over to GSM, UMTS or
CDMA

network

but on lower
data rate or suspended until voice call is completed. In second case, if an
incoming call is coming to a subscriber’s device which is currently attached to
LTE. In this case
,

MSC will request the paging in LTE through the interfac
e
between MSC and MME. The mobile after receiving page, on temporary basis,
switches from LTE to circuit switched d
omain. Once the call terminates
,

the

mob
ile device attaches back to LTE
.


4.3

Message

services


Like voice services, EPC either uses IP based
solution (SMS over IP based on
IMS) or circuit switch technology which is normally used to deliver SMS over
GSM and CDMA.


In case of IMS, sending a message from server to client is very transparent and
the message is just treated like as
an

IP packet. There are no specific features
required in EPC for that.


I
n case of circuit switching, the MME interacts with MSC which further
connected to messaging center via control channels in GSM or CDMA

and by
interaction with MME
,

this solution

c
an be used for LTE.
Then these messages
are included in NAS signalling messages

(which is between MME and mobile
device)

and delivered to the destination subscriber. Note that this solution
supports only SMS text services because multimedia messages are ba
sed on IP.
The following
figure 8

shows the message
service
flow in both above mentioned
solutions.

The dotted
lines express

SMS transmission using signalling interfaces
whereas
solid lines refer

to message over IP.










Page |
14




























5.

Major functions of EPC


5.1

Authentication and security



The 3GPP TS 33.401 divide
s

the EPS security architecture into different groups and

domains. Each domain has its own threat and security solutions. These domains are
as
follows

and shown in following diagram

9
:

a.

Network acc
e
ss

security

b.

Network domain security

c.

User domain security

d.

Application domain security

e.

Visibility and configurability of security





LTE

SMSC

MSC

GSM/CDMA

Mobile
device

SGSN


Messaging over
IP application

SAE Gateways

MME

Figure
8
-

Flow of message services via circuit and IP domain

Page |
15
















d






a




a




b












USIM

a








The security domains related to EPC are Network access security and Network
domain security. We will discuss these in a brief
manner.

Network access security
:

Network access security means providing a user a secure
access to EPS. In UMTS
,

a new concept named mutual authentication was
introduced, which was later developed in LTE
, in which UE (User Equipment)

and
network authenticate each other. In addition to mutual authentication, it includes
protection of signalling traffic and user traffic. Now here we will try to figure out the
authentication and security process in
E
-
UTRAN

(evolved universal terrestrial
radio
access network

which is a work item under which 4G access network was developed
)
only and role
of
EPC in that.

Mutual authentication which is between UE and MME
is based on the fact that both USIM

card (universal subscriber identity module) and
netwo
rk have access to same security key K
. This key K is permanently stored in
USIM and H
SS
/A
u
C. In LTE networks, terminals ha
ve

provision to use same SIM
card which was in use in UMTS (i.e. USIM).
This key is not visible to end user.
During authentication pro
cedure
,

many keys are derived from key K and these keys
are used for ciphering and integrity protection of user plane and control plane traffic
.

The mechanism for authentication as well as key generation in
E
-
UTRAN

is called
EPS authentication and key agre
ement

(EPSAKA).

When a user attaches with EPS via
E
-
UTRAN

access then the MME sends the IMSI
to HSS. HSS looks up key K
and a sequence number (SQN) associated with
that
IMSI. HSS/A
u
C

then uses crypto functions and key derivation functions and
generates EPS

AV (EPS authentication vector). EPS

AV includes K
ASME
, XRES

Figure
9
-

Different security domains



Mobile
Terminal

E
-
UTRAN




EPC Home
Network





Services

Page |
16



(Expected Result), a network

authentication token (AUTN) ,

RAND

and
ciphering
and integrity

keys

(CK and IK)
. HSS/AuC sends EPS AV to MME.

Mutual
Authentication in
E
-
UTRAN

is performed using the parameter RAND, AUTN and
XRES. MME then forwards the AUTN and RAND to the terminal via
eNODEB
.

The
USIM in terminal calculates its own

version of AUTN using its own key K and SQN
and then compare it with AUTN received from MME. If t
hese are equal to each other
in values then it means USIM has authenticated the network. Now USIM generates a
response key (RES) by using
cryptographic functions with key K and RAND as input
parameters. It sends RES back to MME.
T
he

MME
a
uthenticate the te
rminal by
verifying that RES is equal to XRES.

This completes the process of mutual
authentication.

The following diagram

10
, in brief manner,
shows the flow of these
messages.








Attach request


IMSI






K
ASME
,



AUTN, XRES,






K
ASME
, RAND







AUTN, RAND





RES








Network domain security:

When GSM was developed, as it was controlled by small
number of larger institutions,

the threat to user traffic was not perceived
at all.
Because as GSM is circuit switched network, the interfaces and the protocols it is
using are specifically for circuit switched network only and only the big telecom
operators have access to those interfaces and protocols.
But with the introduction
of
GPRS, IP architecture was introduced. Now user and control traffic run over more
open and

accessible protocols. So there
,

a need came up which required the security
of the traffic. 3GPP developed some specifications about how the IP based traffic is
to
be secured in core network or bet
ween different core networks
.
These
specifications are referred a
s

Network domain security for IP based control planes

(NDS/IP)
.

In this specification, a new concept was introduced named as security
domain that would be managed by single administrative authority. It makes sure that
the level of security and available security services will remain same within a security
domain. An e
xample of the security domain could be the network of the single
operator.

Security gateways (SEG
s
) are placed on border of the security domains
to
protect the control plane traffic that passes in and out of the domain
.

All IP traffic
from network entities

is routed via SEGs before entering in and existing out of
network.

The traffic between SEGs

is

protected via IPsec protocol (IP security
Figure
10
-

Flow of Authentication process messages





Terminal






E
-
UTRAN







MME






HSS/AuC

Page |
17



protocol)
. To set up

the
IPsec security session
s
,

I
nternet key exchange
(IKE)
protocols
are used. This is shown in the

following figure

11



















Intra
-
domain IPsec SA




Intra
-
domain IKE connection



Int
er
-
domain IPsec SA



Inter
-
domain IKE connection





The end to end path between two network entities in two security domains is
protected in hop by hop form.
B
ecause

the operator may choose the
IPsec
to protect
the traffic
between two network entities
or

network entity and

SEG

in a single
security domain.




5.2

Policy and charging control

and Qo
S


On the top of EPS bearer, LTE can make use of extensive policy management
architecture. This architecture provides a very fine control over user and services it
provides. The policy
architecture is shown below

in figure 12.






Figure
11
-

Example of two
security domains by employing NDS/IP


Security Domain A

Security Domain B

Network Entity B

Network Entity A

S
EG A

SEG B

Network Entity B

Network Entity A

Page |
18










Sp


Rx








Gx




SGi


Gy







Gz







The Subscription profile repository (SPR) contains information such as user
specific
policies and data. Online charging system is credit management system for prepaid
charging. Network operators can offer prepaid billing and usage tracking in near real
time. The policy enforcement function (PCEF) interacts with offline charging sy
stem

(
which
receives events from the PCEF and generates charging data records (CDRs)
for the billing system)
on Gy interface to check out credit and report credit status.

The
PCEF is located in the PDN
-
GW which makes PDN
-
GW a logical element to
perform tra
ffic management functions such as deep packet inspection.

PCEF

enforces

gating and QoS for individual IP flows on the behalf of the PCRF. It also provides
usage measurement to support charging
. The PCRF (Policy and rule function)
provides

policy control
and flow based charging control decisions.

It receives session
information from Application func
tion (AF) over Rx interface,
subscription
information from SPR

over Sp interface
as well as information from the access network
via the Gx
.
It
takes all

the inf
ormation and configured operator policies then creates a
service session level policy decisions which are being enforced by PCEF.

The
Application function here represents the network element that supports applications
that require dynamic policy or chargin
g control.


3GPP has defined an extensive ‘bearer model’ for EPS. W
henever user

equipment
attaches to a LTE network at each time LTE assigned a bearer to t
he UE for
communication.

An EPS bearer is the level of granularity for bearer level QoS
control in t
he

EPC/
E
-
UTRAN
.
The decision to establish or modify a dedicated bearer
can only be taken by

the EPC, and the bearer level QoS parameter values are always
assigned by

the EPC
.
The bearer
levels per QoS parameters are

QCI

(Qos class
identifier)
,
ARP (Allocation and Retention Priority), GBR (Guaranteed Bit Rate),

Figure
12
-

Policy architecture


SPR

Application
function


PCRF




PGW

PCEF

Online charging
system

Offline charging
system

External
Network
s

Page |
19



MBR (Maximum Bit Rate), and AMBR (
Aggregate Maximum Bit Rate)

4
.

According to this model, the services can be allocated a particular bearer and each
EPS bearer has assigned one of the QCI
. QCI defines parameters like bit rate, packet
loss and delay.

The following figure

13

depicts the EPS bearer model:





Default QCI9


APN 3







Dedicated QCI3

APN 2



Dedicated QCI2



Dedicated QCI1




APN1















In the above figure

13
, EPS beare
r assigned for voice has assigne
d

QCI 1 which
means a dedicated bit rate,
100ms delay, 10
-
2
packet loss and priority 2 in overall
model. In
total there

are three different QCI

classes specified in EPS and in most of
the cases operators prefer

first class i.e. signalling, voice and data.


5.3

Packet routing


On the
IP transport
layer

SGW

act as a packet router. User plane packets are
forwarded transparently in upper link and downlink direction and their underlying
transport units are marked by SGW with parameters like DiffservCode

point based on
QOS indicator of the associated EPS bearer.


5.4

Mobility management


In LTE, mobility management can be divided based on mobility state of the user
equipment
. These are LTE_detached, LTE_IDLE, LTE_ACTIVE. If UE is in
LTE_ACTIVE state, it is
re
gistered

with the MME and has RRC (
Radio

resource
control) connection with
eNODEB. The HSS has very clear information about to
which cell the UE belongs and MME can transmit/ receive data from UE after getting
location information from home subscriber serv
er via eNODEB. In second state,
when UE is in LTE_IDLE state, UE has no air
-
interface connection with eNODEB

to



4
Farooq Bari, SAE and Evolved Packet core, Seattle communications (COM
-
19) society chapter, 2009,
http://www.ee.washington.edu/research/ieee
-
comm/event_nov_13_2008_files/IEEE%20
-
%20SAE%20and%20Enhanced%20Packet%20Cor
e.pdf
.

Figure
13
-

EPS bearer model



UE




E
-
NODEB



SGW

PDN
-
GW

PDN
-
GW

Corporate
network

Internet

IMS
operator
services

Page |
20



save power consumption of the battery and reducing signalling traffic to MME. It can
change its cell in same tracking area without informing the

EPC. From logical point
of view, the connection is still esta
blished and all logical bearers’

remains in place
. I
t
means that the IP address allocated to UE by PDN
-
GW remain in place
,

in case a
mobile

device wants to send IP packet
. When there is IP packe
t arrives for UE in
IDLE state, it can be routed through core network up to the SGW. But as SGW has no
S1
-

user data tunnel then it requests MME to re
-
establish the tunnel. On the other
hand MME knows only about the TA. It send paging request to every cell

of TA. The
eNODEB forwards that message to mobile device over air interface and when mobile
device responds to the paging message then S1 tunnel re
-
establishes. MME contacts
the SGW via S11 interface which then forwards the waiting IP packets to the mobil
e
device.


5.5

IP address allocation



In LTE
-
EPC networks
,

on basic level,
one of the following ways are used to allocate
the

IP addresses to user equipment



If UE is in its home network then its local
HPLMN (Home public land mobile
network)
allocates IP
address when the default bearer is established



If UE is in visitor
network,

then VPLMN (visitor public land
mobile network
)

allocates IP address when th
e default bearer is established



The PDN operator allocates IP address to UE w
hen default bearer is activ
ated


In LTE
-
EPC network
,

packet data network (PDN) types IPv4, IPv6 and IPv4v6 are
supported. EPS bearer of PDN type IPv4v6 may be associated with one IPv6 prefix
only or both IPv4 address and one EPS bearer of PDN type IPv4and IPv6 is
associated with IPv
4 addresses and IPv6 prefix respectively.

During a PDN
connection establishment
,

UE sets the requested PDN type that may be pre
-
configured in the device per APN or
otherwise

it sets the PDN types based on its IP
stack configuration i.e. if UE supports

both

IPv6 and IPv4

then it can request for PDN
type IPV4 and IPv6,
if UE supports only IPv4 or IPv6 then it can request for IPv4 or
IPv6 respectively and in case if UE’s

TP version capability is unknown then UE can
request for IPv4v6.

In EPC, HSS stores the
one or more PDN types per APN in the subscription data.
During the PDN connection establishment procedure
,

MME compares the requested
PDN type to the stored PDN type in HSS and set the PDN type as follows



If the requested PDN type is allowed by the HSS the
n MME

sets the PDN type as
requested



If UE is requesting PDN type IPv4v6 and subscription allows only IPv4 only
then MME sets the PDN type IPv4 and send the reason back to UE. The
procedure is same in case

when only IPv6 is allowed



If in the subscriber
data of UE, It is not allowed any PDN type then the request
send by

the UE will be rejected by MME



If the UE requests PDN type IPv4v6 and both IPv4 and IPv6 PDN types are
allowed but not IPv4v6 then MME shall s
et the PDN type to IPv4 or IPv6


Page |
21



PDN
-
GW also p
lays a role during allocation.
It may restrict the usage of PDN type
IPv4v6.
This is discussed in the following:



If UE

send on request of PDN type of IP4v6 but the PDN
-
GW operator
preferences

dictate the use of IPv4 addressing only or IPv6 prefix only for
this
APN then PDN type will change to single address i.e. either IPv4 or IPv6 and
reaso
n cause shall be returned to UE



In case when MME does not set the dual address bearer flag to support
interworking with nodes and UE requests PDN type IPv4v6

from PDN
-
GW

then
PDN type will be changed to single version and

reason shall be returned to UE





Page |
22



C
onclusion


It is very much clear from the study of EPC, which is developed under a work item
named SAE, is a major achievement carried out by 3GPP and its partners. 3G
PP achieves
the three main objectives set by it before the start of this SAE project in December 2004.
SAE work successfully delivered an evolved packet only core for the next generation of
mobile broadband access. Interworking with other access technologi
es like GSM or
UMTS and CDMA is another major breakthrough. By interworking the EPC network can
be shared across a wide community. This also opens a path of global roaming. Now a
user can access and use the services everywhere with his/her mobile equipment
. The
global uptake of single technology assures more competition among different equipment
vendors and results in cost efficient network equipment and solutions.




Page |
23



References


[1]

Olsson, M.,

Sultana, S., Frid, L. &

Mulligan,C.

(2009). SAE and Evolved
packet

core
: Driving the mobile broadband revolution
. Oxford, UK:
Elsevier Ltd.


[2]

Sauter,

Martin
.
(2011). From GSM to LTE:
An Introduction to mobile
networks and mobile broadband
(pp. 205
-
274).

West Sussex, UK: John
Wiley & sons.


[3]

Faroor
,

Bari
. (2009).
SAE

and Ev
olved Packet core, Seattle
communications (COM
-
19) society chapter. Retrieved from
http://www.ee.washington.edu/re
search/ieee
-

comm/event_nov_13_2008_files/IEEE%20
-
20SAE%20and20Enhanced%20Packet%20core.pdf.


[4]

3GPP,
Technical Specification Group Services and System Aspects
;
Network Architecture (Release 9), TS 23.002.


[5]

3GPP,
Technical Specification Group Services and Sy
stem Aspects
;
System Architecture Evolution; Security Architecture (Release 11), TS
33.401.


[6]

Brown, Gabriel

(n.d)
. Heaving Reading on behalf of Cisco:
Evolved
packet core & Policy Management for LTE.

White paper,

http://www.cisco.com/en/US/solutions/collateral/ns341/ns973/Cisco_LTE
_Policy_Management_WP.pdf



[7]

Alcatel
-
Lucent(2009):
Introduction to Evolved Packet core
: White paper,
http://lte.alcatel
-
lucent.com/locale/en_us/downloads/wp_evolved_packet_core.pdf


[8]

Fritze, Gerhard. (2008). SAE
-

The Core Network for LTE, Ericsson
.
Retrieved
from
http://www.3g4g.co.uk/Lte/SAE_Pres_0804_Ericsson.pdf
.


[9]

Motorola (2007): Long Term Evolution (LTE): A Technical overview:
White Paper, Retrieved from
http://www.motorola.com/web/Business/Solutions/Industry%20Solutions/
Service%20Providers/Wireless%20Operators/LTE/_Document/Static%20
Files
/6834_MotDoc_New.pdf


[10]

IP Address Allocation. (2012, 07 26). Retrieved from

http://lte
-
epc.blogspot.com/2011/07/ip
-
address
-
allocation.html



[11]

Jain, Raj. (2008). Wireless cellular architecture: 1G and 2G. Retrieved
from
http://www.cse.wustl.edu/~jain/cse574
-
08/ftp/j_fwan.pdf

Page |
24



[12]

LTE SAE System Architecture Evolution

(n.d). Retrie
ved from
http://www.radio
-
electronics.com/info/cellulartelecomms/lte
-
long
-
term
-
evolution/sae
-
system
-
architecture
-
evolution
-
network.php



[13]

Rappaport, Theodore.
(
2002
).
Wireless Communication Principle and
Practise.

Upper

Saddle

River,

NJ

07458
:
Prentice
-
Hall Inc.


[14]

Kurniawan, Y
ousuf. The development of cellular mobile communication
sys
tem. Retrieved

from
http://www.slideshare.net/yusuf_k/the
-
development
-
of
-
cellular
-
mobile
-
communication
-
system


[15]

GSM Glossary. Retrieved from
http://www.argospress.com/Resources/gsm/gsmbstatiocontro.htm