Wednesday, December 28, 2011

Resource Blocks | Radio Interface Basics



This section describes how LTE divides its bandwidth, from the physical subcarriers of the OFDM symbol up to the logical units used for scheduling shared channel data.
The smallest division of the LTE spectrum carrying data is a subcarrier, as described in more detail in the sections above. OFDM systems modulate all data in the frequency domain on the subcarrier of the OFDM spectrum. A modulated subcarrier is defined as a Resource Element (RE) and is the smallest logical unit of the LTE spectrum. One subcarrier or RE has a bandwidth of 15 kHz in normal and extended CP mode, but a special 7.5 kHz subcarrier spacing mode is defined with extended CP transmission. All physical LTE channels use REs to modulate the data. Each RE of the shared channel is modulated using a variable modulation scheme from Quadrature Phase Shift Keying (QPSK) to 64QAM as assigned by the scheduling process of the eNB. REs carry a variable number of data bits, due to the variable number of bits mapped to a RE because of the modulation order, but also because of applied CSs. CSs are used to make the data transmission more robust against transmission errors. They add redundancy to the transmitted information, which increases the probability of the receiver to retrieve the information error-free. LTE defines an Adaptive Modulation and Coding (AMC) process.
A physical Resource Block (RB) defines the smallest unit used by the scheduling algorithm. Therefore, the minimal scheduled user transmission on the shared channels is one RB. A RB consists of 12 adjacent REs on the frequency axis. Consequently, it has a bandwidth of 180 kHz, since one RE is 15 kHz wide in normal and extended CP mode (additionally a mode with 7.5 kHz is defined for extended CP). The possible configurations of CPs are given in Table 1.
Table 1: Configuration of cyclic prefix. Reproduced with permission from © 3GPP

| Configuration | Subcarrier spacing | N_sc^RB | N_symb^DL |
|---|---|---|---|
| Normal cyclic prefix | Δf = 15 kHz | 12 | 7 |
| Extended cyclic prefix | Δf = 15 kHz | 24 | 6 |
| | Δf = 7.5 kHz | | 3 |

From a time perspective, a RB spans one scheduling period which is defined as one subframe. One subframe has a duration of 1 ms. A subframe is divided into two slots of 0.5 ms. Within a subframe 14 OFDM symbols are transmitted in the case of normal CP length and 12 OFDM symbols in the case of extended CP length, hence a RB covers an area of, respectively, 12 × 14 and 12 × 12 REs. 
A third dimension is introduced by using multiple antenna ports with MIMO. The MIMO transport layers depend on and correlate with the number of used transmit antenna ports. Each antenna port layer adds additional RB elements to the antenna port dimension. Figure 1 shows the two-dimensional (frequency and time) area of a RB.

 
Figure 1: Downlink resource grid. Reproduced with permission from © 3GPP
RBs have a primary role in the scheduling process, but are also used for describing the LTE overall cell bandwidth. The cell bandwidth is announced in the data transmitted in the Physical Broadcast Channel (PBCH) in number of resource blocks. Table 2 maps the number of RBs to the LTE spectrum bandwidth in megahertz.
Table 2: Commonly used number of resource blocks

| Bandwidth (MHz) | Resource blocks |
|---|---|
| 1.4 | 6 |
| 3 | 13 |
| 5 | 25 |
| 10 | 50 |
| 15 | 75 |
| 20 | 100 |

The scheduling procedure defines virtual resource blocks. Virtual resource blocks and physical resource blocks are of equal size. The scheduler always uses virtual resource blocks for defining user allocations. There are two different types of virtual resource blocks:
  • Localized virtual resource blocks.
  • Distributed virtual resource blocks.
Localized virtual RBs are equal to physical RBs. Therefore, localized virtual RBs address physical RBs directly. Distributed RB mapping enables the usage of frequency diversity without scheduling distributed RBs directly. Distributed virtual RBs split a physical RB at the slot boundary into two halves. The first half of the scheduled distributed virtual RB directly equals the physical RBs. The second slot is hopped to another second slot of another UE which is virtually scheduled in the distributed way. There is one hopping gap between the scheduled RBs at system bandwidths smaller than 50 RBs and two gaps at systems with a larger number of RBs. Virtual RBs are used with resource allocation type 2.
Resource Element Groups (REGs) are defined to map physical channels to OFDM symbols; this is done especially in the first OFDM symbols used by the PDCCH. The maximum length of the PDCCH is three OFDM symbols, thus other PHY channels are mapped into the resources of the PDCCH. A REG is defined in such a way that it spreads the information over a bigger frequency range to gain frequency diversity.

Friday, December 23, 2011

Multiple Access in OFDM – OFDMA | Radio Interface Basics



LTE uses OFDM as the transmission scheme, as described in the section above. Multiple access is realized with OFDMA with the base station (eNB) taking care of the resources within its cell; this procedure is also called scheduling as the eNB schedules the transmission of user data in the DL and UL direction on the transmission medium used by all users within this cell. The transmission is done on the basis of a shared channel. The control information for granting an UL transmission on the UL-SCH, or informing a UE about data that is transmitted for it on the DL-SCH, is done within the DL control channel with designated control information.  Figure 1 shows the principle of an OFDM shared channel-based multiple user communication.
 
Figure 1: OFDM shared channel-based multiple user communication. Reproduced with permission from Nomor
Resources to be scheduled with OFDMA systems are units of frequency resources and time units describing a time slot for which the scheduled frequency units are valid.
This scheduling procedure not only adds overhead, but also enables the system to be more efficient by introducing a frequency-selective scheduling algorithm with feedback from the UEs regarding current reception quality, rather than use only diversity gains by spreading transmitted data.
Figure 2 compares a shared channel of an OFDMA system using localized and distributed scheduling of user data. In the localized mode, granted areas belonging to one user allocate adjacent frequency resources within one block. The distributed mode is used when frequency diversity is to be used by spreading the user data of the shared channel to distributed non-adjacent frequency resources. Simulations show that systems with frequency-selective scheduling with a fast channel quality feedback report from users can achieve higher cell throughput compared to systems just spreading data over the spectrum in order to achieve frequency diversity.

 
Figure 2: Localized vs. distributed shared channel scheduling
LTE defines both localized and distributed scheduling in the DL direction but only localized scheduling in the UL direction in order to keep the PAPR small in the SC-FDMA symbols of each user.

Tuesday, December 20, 2011

OFDM Principles and Modulation | Radio Interface Basics



Most recent communication systems like WiFi, WiMAX, and digital audio and video broadcasts make use of OFDM, as in the LTE DL transmission scheme and a slightly modified version in the LTE UL transmission scheme.
OFDM systems have some advantages for mobile wireless transmission as signals are robust against frequency-selective fading. Systems which make use of OFDM have been known since the 1950s and 1960s in military applications. Their realization was expensive as all components and filters were implemented as analog circuits. Nowadays, a wide range of applications profit from the benefits of OFDM systems since digital signal processing has become inexpensive and available in consumer products.
Information is modulated on very small adjacent carriers within the allocated bandwidth (baseband). The intrinsic design of an OFDM system prevents interference among the carriers (also called subcarriers or tones). This is the reason why the subcarriers are orthogonal to each other. Figure 1 shows the basic components needed for OFDM signal generation. The realization of an OFDM signal generator and analyzer is simple to achieve as the main computational functions are transformations between time and frequency spectra which are easy to implement in modern digital signal processing integrated circuits by using the Fast Fourier Transform (FFT) algorithm.

 
Figure 1: Block diagram of OFDM signal generation
The first step in the transmit chain is the serial-to-parallel conversion of the data to be transmitted. This is usually done within the transmit buffer. This binary data is now quadrature amplitude modulated by mapping bits to complex data symbols. The characteristic of complex data symbols is that each symbol describes a two-dimensional vector with a phase and amplitude. A complex data symbol is described with an in-phase and a quadrature component. These symbols are called IQ samples, as the modulated symbols are digitally sampled. It is possible to map a higher number of bits to symbols by using a higher modulation order like 16 or 64QAM resulting in a higher spectral efficiency, which means transmitting more bits per hertz of the utilized bandwidth. A higher spectral efficiency allows greater user and cell data throughput. The number of bits which are carried by the different modulation schemes can be seen in Table 1. Those numbers are OFDM independent and are equal to other transmission schemes.
Table 1: Bits to be carried by the modulation schemes used with LTE

| Modulation scheme | Number of bits which can be carried by one complex symbol |
|---|---|
| BPSK | 1 |
| QPSK | 2 |
| 16QAM | 4 |
| 64QAM | 6 |

Mobile cell phone standards which do not use OFDM, like GSM, CDMA2000, or UMTS, modulate the data to complex symbols in the time domain. This means that the resulting sinusoid over time after modulation is the time domain signal of the baseband to be transmitted on the RF carrier frequency. OFDM systems interpret the modulated symbols as modulated frequency tones, which are to be transformed to a signal over time in order to be transmitted. Thus, the modulated symbols are mapped to orthogonal subcarriers (tones) of the baseband spectrum. The transformation to the time domain is done with an n-point inverse Fast Fourier Transform (iFFT). The Fourier transformation adds the orthogonal spectrum of each subcarrier to the resulting baseband spectrum. The spectrum of each subtone is a si(x) function (sin(x)/x), thus the resulting spectrum is an addition of si(x) functions as depicted in Figure 2. The inherent behavior of the Fourier transformation lets each si(x) maximum match zero transitions of all other si(x) functions, resulting in non-interfering subtones since the data was modulated to individual subcarriers (peaks of the si(x) functions). This characteristic is known as orthogonal behavior, which means data is perfectly demodulatable and no guard band between subcarriers is needed, in contrast to FDM, where intercarrier interference needs to be taken care of, for example, with guard bands.

 
Figure 2: OFDM signal of orthogonal Si functions (subcarriers); subcarriers do not interfere because at each subcarrier the signals from other subcarriers are zero
The designated system bandwidth (baseband bandwidth) is divided into m subcarriers which are sampled with an n-point Fourier transformation, where n > m, indicating oversampling. System bandwidth is defined by a number of resource blocks from 6 to 110, each resource block grouping 12 subcarriers. For approximately 20 MHz system bandwidth (100 resource blocks), 1200 subcarriers are defined and a common FFT size is 2048 samples. LTE defines the sampling frequency as fs = 1/Ts = 30.72 MHz, which leads to an LTE OFDM symbol length of 66.67 μs for normal CP (Cyclic Prefix). The CP is 5.2 μs or 160 samples in the first symbol and 4.7 μs or 144 samples in the other symbols for normal CP. The CP lasts 16.7 μs or 512 samples for extended CP.
OFDM systems show robust characteristics against frequency-selective fading caused by the wireless channel, because fading holes are bigger compared to the subcarrier bandwidth, leading to a flat fading of individual subcarriers which is equalized by interpolating between defined reference symbols (reference subcarriers).
LTE defines a set of reference symbols in order to distinguish between various entities: cell-specific, UE-specific, antenna-port-specific, and MBMS-specific (Multimedia Broadcast/Multicast Service) reference symbols. MBMS data and reference symbols are always transmitted on antenna port 4 if MBMS data transmission is enabled.
In other words, the time domain is just the "transmit domain" for OFDM systems. The resulting time domain signal after transforming the modulated frequency signal representing the data is, so to say, "just noise" and cannot be interpreted without transformation back to the frequency domain. All channel estimation, equalization, and interpretation of the data are done in the frequency domain within OFDM systems.
A timely guard interval or GP between OFDM symbols is needed to prevent intersymbol interference due to channel delay spread (arrival of all reflections). This is realized by copying the end of each OFDM symbol in front of the OFDM samples to be transmitted. This GP, also known as the CP (Cyclic Prefix), decreases alias effects caused by a windowing effect of the Fourier spectrum as the Fourier transformation expects an infinite repeated spectrum, but the OFDM symbol has a time-limited duration. LTE defines two CP lengths, a normal CP and an extended CP, for cells with a larger channel delay spread. Additionally, the CP is used for frame synchronization using an auto/cross-correlation function.
OFDM systems have the drawback of a high dynamic range after transforming the frequency signal to a time domain signal which is amplified and transmitted. This high Peak-to-Average Power Ratio (PAPR) (squared peak signal amplitude to average signal power level) leads to cost-intense RF amplifiers and shorter battery life. This is especially a disadvantage for mobile handset devices; thus, another transmission scheme needs to be found for the UL.
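The transmit and receive chain described above (QPSK mapping, iFFT, cyclic prefix, frequency-domain estimation and equalization, PAPR), as an added worked example that is not from the original text. It assumes a scaled-down numerology (a 128-point FFT for 6 resource blocks, so the 144-sample CP scales to 9 samples), a constructed three-path channel, and a whole known symbol in place of LTE's scattered reference symbols; all function names are illustrative.

```python
import cmath
import math
import random

# Scaled-down numerology (assumptions, not the page's 20 MHz / 2048-point case).
N_FFT = 128                      # assumed FFT size for 6 resource blocks
N_SC = 6 * 12                    # 6 resource blocks x 12 subcarriers = 72
USED = list(range(1, N_SC // 2 + 1)) + list(range(N_FFT - N_SC // 2, N_FFT))  # DC bin unused
CP_NORMAL = 144 * N_FFT // 2048  # 144 samples at 2048 points -> 9 samples at 128
# Constructed multipath channel: direct path plus echoes delayed by 3 and 6 samples.
TAPS = [1, 0, 0, 0.5, 0, 0, 0.3j]


def idft(freq):
    """Inverse DFT: subcarrier values -> time-domain samples."""
    n = len(freq)
    return [sum(freq[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]


def dft(time):
    """Forward DFT: time-domain samples -> subcarrier values."""
    n = len(time)
    return [sum(time[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def qpsk(bits):
    """Map bit pairs to unit-power QPSK symbols (2 bits per complex symbol)."""
    a = 1 / math.sqrt(2)
    return [complex(a * (1 - 2 * bits[i]), a * (1 - 2 * bits[i + 1]))
            for i in range(0, len(bits), 2)]


def ofdm_symbol(symbols, cp_len):
    """Place symbols on the used subcarriers, iFFT, prepend the cyclic prefix."""
    grid = [0j] * N_FFT
    for k, s in zip(USED, symbols):
        grid[k] = s
    samples = idft(grid)
    return samples[N_FFT - cp_len:] + samples


def channel(samples, taps):
    """Time-dispersive channel: the output is a sum of delayed, scaled echoes."""
    out = [0j] * (len(samples) + len(taps) - 1)
    for delay, gain in enumerate(taps):
        for n, s in enumerate(samples):
            out[n + delay] += gain * s
    return out


def receive(rx, index, cp_len):
    """Drop the CP of symbol number `index`, FFT, return the used subcarriers."""
    start = index * (N_FFT + cp_len) + cp_len
    freq = dft(rx[start:start + N_FFT])
    return [freq[k] for k in USED]


def run_link(cp_len, seed=1):
    """Send one known symbol and one data symbol; return (bit errors, RMS EVM)."""
    rng = random.Random(seed)
    pilot_bits = [rng.randint(0, 1) for _ in range(2 * N_SC)]  # known to both ends
    data_bits = [rng.randint(0, 1) for _ in range(2 * N_SC)]
    pilot, data = qpsk(pilot_bits), qpsk(data_bits)
    rx = channel(ofdm_symbol(pilot, cp_len) + ofdm_symbol(data, cp_len), TAPS)
    # Per-subcarrier channel estimate from the known symbol, then a one-tap
    # equalizer: each subcarrier sees flat fading, so one complex division suffices.
    h_est = [y / x for y, x in zip(receive(rx, 0, cp_len), pilot)]
    eq = [y / h for y, h in zip(receive(rx, 1, cp_len), h_est)]
    rx_bits = [b for s in eq for b in (int(s.real < 0), int(s.imag < 0))]
    errors = sum(a != b for a, b in zip(rx_bits, data_bits))
    evm = math.sqrt(sum(abs(e - d) ** 2 for e, d in zip(eq, data)) / N_SC)
    return errors, evm


def papr_db(samples):
    """Peak-to-average power ratio of a time-domain signal, in dB."""
    power = [abs(s) ** 2 for s in samples]
    return 10 * math.log10(max(power) / (sum(power) / len(power)))


if __name__ == "__main__":
    for cp in (CP_NORMAL, 0):
        errors, evm = run_link(cp)
        print(f"CP={cp} samples: bit errors={errors}, EVM={evm:.2e}")
    rng = random.Random(2)
    bits = [rng.randint(0, 1) for _ in range(2 * N_SC)]
    print(f"PAPR, 72 subcarriers: {papr_db(ofdm_symbol(qpsk(bits), 0)):.1f} dB")
    print(f"PAPR, 1 subcarrier:   {papr_db(ofdm_symbol([1 + 0j], 0)):.1f} dB")
```

With the 9-sample CP the 6-sample delay spread stays inside the prefix and the data is recovered with negligible error; with the CP removed, the echoes of the previous symbol leak into the FFT window and the error vector magnitude rises by many orders of magnitude.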
LTE uses Single Carrier Frequency Division Multiple Access (SC-FDMA) or Discrete Fourier Transform (DFT) spread OFDM as the UL transmission scheme to overcome some drawbacks of pure OFDM systems. 
Figure 3 presents an overview of the functional steps needed for physical channel processing.

 
Figure 3: Overview of physical channel processing. Reproduced with permission from © 3GPP

Saturday, December 17, 2011

Multiple Access Methods | Radio Interface Basics



Multiple access has to be performed in systems where a medium is shared for transmission and reception by multiple users or entities. Those entities or users, sometimes also called nodes, are accessing the very same medium to transmit their information, other than, for example, in CS communication schemes. For example, within classical CS communications like Plain Old Telephone Systems (POTSs), each communication node gets a dedicated resource (a telephone landline) which it accesses exclusively for the complete communication session. On the other hand, it is necessary to apply a multiple access method when multiple nodes share the same medium for their information transfer, in order to prevent or detect collisions on the shared medium.
This implies that the users share the same resources for communication in a certain way. Multiple access methods are mainly used with PS data transmission, as multiple nodes usually share the same resources for efficiency reasons. Packet Switched (PS) data transmission is mostly characterized by bursty traffic patterns. There are different schemes which can be applied to share those resources. These access schemes are known as multiple access methods.
Multiple access methods introduce rules for accessing the shared medium, generally resources. Care has to be taken not to use the same resources by two or more nodes at once, because this would result in distortion of the transferred information.
Transmission/reception resources are one or multiples of the following: time, code, frequency, space, etc.
One of the first radio-based multiple access schemes is Aloha. Early research in these schemes was carried out at the University of Hawaii in the early 1970s. In the Hawaiian language Aloha means "Hello" which indicates a fundamental mechanism: the university ran several campuses on different islands where an early radio-based packet data network was established. Stations immediately transmitted packets to be sent and waited for a fixed time (double the round-trip time of the most distant stations in the network plus the transmission and processing time of packets) for an acknowledgment (ACK) from the receiving station. If no ACK was received, the packet was retransmitted. Aloha shows that many collisions of packets occur when applying this scheme.
Most modern access methods use mechanisms of avoiding, detecting, or preventing collisions within the shared medium, in order to reach a certain system efficiency. A basic method to avoid collisions is sensing the medium before starting a transmission, to avoid interrupting or interfering with an ongoing transmission of other communication peers.
This scheme is known as Carrier Sense Multiple Access (CSMA). Sensing the medium before transmission adds Collision Avoidance functionality (i.e., CSMA/CA). In addition to sensing the medium before transmission, one has to take care with detecting collisions when two terminals have started a transmission at the same time. This scheme, for example, is used with Ethernet local area networks, CSMA/CD. If a collision is detected from both transmit entities, a collision resolution mechanism must be applied. Both peers select a random time in a defined range in order to restart their transmission after this randomly selected period of time. The process starts by sensing the medium again, as the other collision peer (or a new transmission of a third node) could already have (re)started its transmission as it has selected a shorter back-off period. The efficiency can be increased by introducing discrete back-off slots.
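How often packets collide when stations transmit immediately, as in Aloha, and how much aligning transmissions to discrete slots helps, as an added simulation that is not from the original text. It goes beyond the text by comparing the measured success rates with the known closed forms e^(-2G) and e^(-G); the Poisson traffic model, unit packet length and function names are assumptions of this example.

```python
import math
import random


def arrivals(load, n_packets, rng):
    """Poisson transmission attempts; `load` (G) is the mean number of
    attempts per packet time across all stations."""
    t, starts = 0.0, []
    for _ in range(n_packets):
        t += rng.expovariate(load)
        starts.append(t)
    return starts


def pure_aloha(load, n_packets=20000, seed=7):
    """Stations send immediately. A packet of duration 1 is lost if any other
    packet starts less than one packet time before or after it."""
    starts = arrivals(load, n_packets, random.Random(seed))
    ok = 0
    for i, s in enumerate(starts):
        hit_prev = i > 0 and s - starts[i - 1] < 1.0
        hit_next = i + 1 < n_packets and starts[i + 1] - s < 1.0
        ok += not (hit_prev or hit_next)
    return ok / n_packets


def slotted(load, n_packets=20000, seed=7):
    """Same attempts, but each one waits for the next slot boundary, so only
    packets that land in the same slot collide."""
    starts = arrivals(load, n_packets, random.Random(seed))
    per_slot = {}
    for s in starts:
        slot = math.ceil(s)
        per_slot[slot] = per_slot.get(slot, 0) + 1
    return sum(1 for count in per_slot.values() if count == 1) / n_packets


def report(loads=(0.1, 0.5, 1.0)):
    """Rows of (G, simulated pure, e^-2G, simulated slotted, e^-G)."""
    return [(g, pure_aloha(g), math.exp(-2 * g), slotted(g), math.exp(-g))
            for g in loads]


if __name__ == "__main__":
    print("   G   pure(sim)  e^-2G  slotted(sim)  e^-G")
    for g, p, p_th, s, s_th in report():
        print(f"{g:4.1f}   {p:8.3f}  {p_th:5.3f}  {s:11.3f}  {s_th:5.3f}")
```

At one attempt per packet time, fewer than one in five unslotted packets gets through, which is why later schemes sense the medium and draw their back-off from discrete slots.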
A special effect of wireless networks without infrastructure has to be taken care of. As mentioned above, a station listens to the channel before sending data to avoid a collision with an ongoing transmission from two other stations at that time. But this behavior is not fully sufficient to avoid collisions at all stations within the transmission range. If a node within the transmission range receives a data frame from another station which is not in the range of a node also trying to allocate the channel, this node will interfere with reception of the other node without warning. This unrecognized collision scenario is called the hidden terminal effect, because the sending node is "hidden" or out of range.
Figure 1 shows a typical scenario for the hidden terminal effect. The circles around the stations demonstrate the transmission ranges of the nodes. Node A has a link to node B but does not know about the existence of node C, which is the hidden terminal from the point of view of node A. Node B has a link to both node A and node C. In this scenario node C attempts to transmit data to node B and indicates this with a Request to Send (RTS) packet with the destination address of node B. The designated destination node B confirms this request with a Clear to Send (CTS) packet to node C; this CTS packet is also received by node A. Thereby, node A detects that there is another station while transmitting, until the reception node B sends an ACK packet to complete this transmission. Within that time, node A will not initiate any transmission, not to node B nor to any other possible node, in order not to corrupt reception at node B.

 
Figure 1: Illustration of the hidden terminal effect
Note that this effect only occurs in mobile networks without fixed infrastructure, for example, mobile ad-hoc networks. Thus, the hidden terminal effect does not affect LTE.
One way of sharing the same resources between communication entities is to introduce a master entity, which takes care of the usage of the shared medium. This scheme is widely used within mobile cell phone networks, as the base station controls and grants the access of resources within its cell. Within a Time Division Multiple Access (TDMA) mobile network, one frequency resource is divided into time slots which are used by different users. Mobile networks of the second generation (GSM) share eight time slots within a certain frequency band. Figure 2 illustrates the DL frame of a TDMA system which uses FDD. Thus, UL and DL utilize different frequency bands and both use TDMA. A Guard Period (GP) used between time slots serves to reduce the risk of multi-user interference. The training sequence in the middle of the time slot is used to estimate the wireless channel conditions. This information is extrapolated time-wise to the adjacent data sections.

 
Figure 2: Schematic example of a Time Division Multiple Access (TDMA) system
Non-overlapping frequency bands are assigned to different UEs within Frequency Division Multiple Access (FDMA). A single user allocates one frequency resource which is used for the complete active time. Guard bands need to be designed for the system in order to prevent multi-user interference. Systems (as GSM) often use a mixture of TDMA and FDMA, as multiple frequency channels with, for example, eight time slots serve as cell resources. Figure 3 depicts a FDMA system with five users assigned to five different frequency bands.

 
Figure 3: Schematic of Frequency Division Multiple Access (FDMA)
UMTS users share orthogonal codes which are used to spread transmission data in order to be transmitted on the same frequency resources within one cell. Picture this as a metaphor: each user uses the same time, space, and frequency resources, but communicates in a different language. This multiple access method is known as Code Division Multiple Access (CDMA) and illustrated in Figure 4.

 
Figure 4: Code Division Multiple Access (CDMA)
The shared resources in LTE are very small frequency bands and small transmission time slots. Thus, the method combines FDMA and TDMA behavior, but in a very agile way. Frequency and time resources are often reassigned for diversity or efficiency reasons during ongoing user transmissions. This method is known as Orthogonal Frequency Division Multiple Access (OFDMA). 
Within mobile cell phone network systems, time slot resources, frequency resources, and code resources are controlled by the base station. This controlled multiple access method is known as scheduling. This scheduling case allows active transmission collision protection, as well as other parameters, to be taken into account when granting transmissions between users. These parameters can be fairness, QoS requests of nodes, medium/channel quality or (charging) policies.

Tuesday, December 13, 2011

Duplex Methods | Radio Interface Basics



A valuable communication feature is bidirectional communication between peers. Feedback is the major difference to unicast or broadcast systems, such as TV or radio transmission. Bidirectional information transfer can occur either simultaneously or consecutively. Both in data networks and especially for human communication, simultaneous bidirectional communication is very basic and essential. Systems with the nature of simultaneous bidirectional information transfer are full-duplex systems, in contrast to half-duplex systems, which allow only one-by-one bidirectional communication.
A full-duplex application visible to the user does not need to imply a full-duplex transmission scheme on lower layers. In mobile networks two basic methods of multiplexing and handling the duplex streams are used. Here duplex means the sense of UL and DL transmission from the handset to the base station and vice versa.
Frequency Division Duplex (FDD) divides the available frequency spectrum in a frequency range dedicated to UL transmission and a separate range for DL transmission only. A guard band is used between the frequency bands allocated for the UL and DL direction in order to prevent UL and DL interference. Figure 1 depicts a divided frequency spectrum as is typically used with FDD.

 
Figure 1: FDD system
Time Division Duplex (TDD) makes use of the same frequency resources for both transmission directions. This method divides the time domain into slots allocated for UL and DL transmission as shown in Figure 2. A guard interval is implemented to prevent UL and DL interference, especially for larger cells with a longer propagation delay spread (larger cells have a longer duration behavior until all echo reflections of the transmitted signal are received) and cases of non-ideal UL synchronization.

 
Figure 2: TDD system with example duplex slot structure
TDD defines various slot configurations of switching between UL and DL transmission. Different configurations are possible depending on the mixture between UL and DL traffic; usually the UL data volume is much smaller compared to DL data consumption. A change in transmission resources for the UL and DL direction is just one manner of soft system configuration with TDD, unlike FDD, which uses fixed frequency resources.
TDD systems have the advantage of a synchronous channel between the UL and DL direction because the wireless channel characteristic is frequency dependent and TDD uses the same frequency band for UL and DL transmission. This is especially interesting in systems which use frequency-selective scheduling and smart antennas (MIMO (Multiple Input, Multiple Output) transmission with multiple antennas) as they are defined in LTE. The base station needs to know the reception conditions of the UE in order to make an efficient frequency resource scheduling decision and for selecting the best antenna configuration for multiple antenna layer precoding.

Friday, December 9, 2011

Radio Interface Basics



Wireless transmissions within mobile networks make use of electromagnetic waves to carry the transmitted information from source to destination. The data is modulated to complex waves (in a mathematical sense) using a modulation scheme. Furthermore, a duplex method and a multiple access scheme or multiplex scheme are applied to those complex waves. The resulting modulated spectrum is called baseband. The baseband carries all information and the utilized bandwidth of this baseband depends on the amount of information and spectral efficiency of the modulation scheme. The spectral efficiency is measured in bits per hertz. The baseband is multiplied by a carrier frequency, resulting in a frequency shift in the amount of the carrier frequency. This signal is amplified with an RF amplifier and is transmitted via an antenna. Before the signal is received by the receiving station, the electromagnetic waves carrying the information are distorted by the wireless channel.
The wireless channel is characterized by various time-variant and time-invariant parameters. This section gives only a short introduction to the characteristics of the wireless channel. The properties of the mobile wireless channel can be roughly characterized by the following two attributes:
  • Large-scale fading: This is due to loss of signal strength by distance and shadowing of large objects like hills or buildings. It is typically frequency independent, but a function of time and space which fluctuates by means of cell areas.
  • Small-scale fading: This is due to the constructive and destructive interference of the multiple signal paths between the transmitting node and the receiving one, resulting in signal strength changes on a spatial scale of the wavelength. Therefore, signal strength variation greatly increases with faster moving stations and is frequency selective.
Free space attenuation as a function of distance d and wavelength λ is shown in the following equation. This basic attenuation (part of large-scale fading) denotes the signal decrease between source and destination without taking any shadowing, multipath fading, or scattering into account:

Especially, the small-scale fading introduces distortion in the received signal to such an extent that it needs to be eliminated, or at least reduced by entities called channel estimator and channel equalizer described later in this section.
Figure 1 shows a typical received wireless channel quality as a function of frequency and time. The channel quality (received signal strength of certain frequencies) changes on a large scale (large-scale fading) and is superposed by the small-scale fading of a moving node. The physical layer of mobile wireless transmission systems has to deal with these characteristics of mobile channels to ensure data transmission to a specific subscriber velocity. Because small-scale fading spatially changes by means of the wavelength, typically by several centimeters in mobile networks, the user velocity introduces fast fading to the received signal. As an example, a user velocity of 100 km/h (27.8 m/s) can result in signal fading changes of 250 times a second. As a result, the received signal is additionally amplitude modulated (a fast amplitude change) caused by the fast fading of a moving user. The amplitude modulation due to the time-variant wireless channel additionally causes frequency dispersion. Entities like fast power control and fast frequency-selective scheduling are introduced into mobile systems in order to counteract this.

 
Figure 1: Time-variant frequency-selective wireless channel. Reproduced with permission from Nomor
A multipath channel is time dispersive, which means that a single transmitted signal is received more than once with different strong echoes (reflections). The electromagnetic waves are reflected by obstacles like buildings, hills, and mountains. The direct beam between the transmit antenna and receiver is called the LOS (Line Of Sight). The LOS is usually the strongest pattern within the broad field of received reflections. h(τ, t) is the time-variant (t and τ) impulse response of the wireless channel with i paths (reflections) and an attenuation a_i(t) of each path i. The impulse response denotes the characteristic behavior of a system (in a mathematical sense), like the wireless channel when an impulse (delta peak) is given as input. In theory, this impulse is so steep that all possible frequencies are included, thus it shows the behavior of all transmitted patterns. τ is the delay of the signal between the source and receiver. This delay is called the propagation delay. τ_i is the additional delay of the reflection path i. Thus,

The transmitted baseband signal is distorted by the wireless channel because different reflections of the signal are interfering at the receiver. Thus, the time-continuous received complex baseband signal y_b(t) of a transmitted signal x_b(t) with additive white Gaussian noise n(t) is

f_c is the frequency which is used to transmit the information. It is referred to as the carrier frequency, as mentioned above. The term exp[j2πf_cτ_i(t)] denotes the time-variant phase shift of each reflection path i.
By knowing the distortion h(τ, t) which was applied to the received signal due to wireless transmission, the receiving entity is able to reverse this distortion and retrieve the transmitted information. In order to estimate the wireless impulse response by the receiver, the transmitter entity inserts known patterns into the transmit signal. Those signals are referred to as pilot or reference signals. Additionally, pilot, reference, or synchronization signals can be applied for time and frame synchronization (in LTE special synchronization signals are used). The receiver scans the received signal for the pilot or synchronization signals by using correlation functions. Once frame synchronization is established, the channel estimator unit of the receiver analyzes the known signal part in order to estimate h(τ, t).
The channel estimator passes the results of the process of estimation to the channel equalizer. The channel equalizer is the entity which removes the distortion due to wireless transmission. Thus, the quality of channel equalization depends on the provided information of the estimator unit. Almost every mobile cell phone standard uses different estimators and equalizers depending on the structure of reference symbols and slot structure. In LTE, channel estimation and equalization are done in the frequency domain and interpolated between adjacent time domain transmission symbols, resulting in a two-dimensional channel equalization. 

Monday, December 5, 2011

LTE Security | Standards, Protocols, and Functions


What are the new security functions in the E-UTRAN? This question can briefly be answered as follows.
The first feature we see is a completely new ciphering mechanism and integrity protection for NAS signaling messages that was never seen in any 2G or 3G radio access network. On the radio interface this new NAS security leads to situations with double ciphering. On top of the protocol stack the NAS messages exchanged between the UE and MME are encrypted and the underlying RRC that acts as the transport layer for NAS is secured by ciphering mechanisms as well, so that the ciphered NAS message is ciphered together with its RRC transport message a second time.
The second new security feature is the option to secure the complete IP-based transport of the control plane and user plane on the S1 reference point using Secure IP (IPsec). There is no way to decipher IPsec by just monitoring the data that is exchanged between two endpoints of an IPsec connection. Deciphering IPsec requires the monitoring software to be informed about which IPsec ciphering parameters (which can be changed frequently) are currently used in each of the involved endpoints of the IP connection. In a typical case these endpoints are the eNB and the MME or S-GW. To allow deciphering, there must be a dedicated Application Programming Interface (API) installed that allows the monitoring software to access IPsec-relevant parameters for deciphering. To design such an API requires close cooperation between the NEMs of eNB and MME/S-GW and the manufacturers of the monitoring software. The conclusion related to this fact is that free-of-charge monitoring software like Wireshark will not be able to decipher IPsec. However, to obtain statistics of S1 control plane and user plane performance it is crucial to have metrics for E-UTRAN QoS and QoE (Quality of Experience). Consequently, IPsec deciphering will become one of the key differentiators for E-UTRAN monitoring software.
Besides these new security features, all the security elements from previous standards such as mutual authentication and masking of subscriber identity by using temporary identities can be found in the E-UTRAN. There is only a minor change here: the TMSI will be replaced by the new GUTI parameter.
To understand how the overall LTE security concept works, it is crucial to understand the hierarchy of LTE security keys first. This LTE security key hierarchy, shown in Figure 1, includes the following keys: KeNB, KNASint, KNASenc, KUPenc, KRRCint, and KRRCenc:
  • KeNB is a key derived by the UE and MME from KASME or by the UE and target eNB from KeNB* during eNB handover. KeNB should only be used for the derivation of keys for RRC traffic and the derivation of keys for UP (User Plane) traffic, or to derive a transition key KeNB* during an eNB handover.


Figure 1: LTE security key hierarchy (according to 3GPP 33.401). Reproduced with permission from © 3GPP
Keys for NAS traffic:
  • KNASint is a key which should only be used for the protection of NAS traffic with a particular integrity algorithm. This key is derived by the UE and MME from KASME, as well as an identifier for the integrity algorithm.
  • KNASenc is a key which should only be used for the protection of NAS traffic with a particular encryption algorithm. This key is derived by the UE and MME from KASME, as well as an identifier for the encryption algorithm.
Keys for UP traffic:
  • KUPenc is a key which should only be used for the protection of UP traffic with a particular encryption algorithm. This key is derived by the UE and eNB from KeNB, as well as an identifier for the encryption algorithm.
Keys for RRC traffic:
  • KRRCint is a key which should only be used for the protection of RRC traffic with a particular integrity algorithm. KRRCint is derived by the UE and eNB from KeNB, as well as an identifier for the integrity algorithm.
  • KRRCenc is a key which should only be used for the protection of RRC traffic with a particular encryption algorithm. KRRCenc is derived by the UE and eNB from KeNB as well as an identifier for the encryption algorithm.
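The derivations in this key hierarchy can be traced in code. The following Python sketch is an added example, not code from the original page or from 3GPP. It assumes the key derivation function of 3GPP TS 33.401 Annex A (HMAC-SHA-256 with the FC values and algorithm type distinguishers given there), follows the parent keys named in the list above, and uses a constructed KASME, NAS COUNT and algorithm identifiers; all function names are hypothetical.

```python
import hashlib
import hmac

# Constants as specified in 3GPP TS 33.401 Annex A (not stated on this page).
FC_KENB, FC_ALG_KEY = 0x11, 0x15
ALG_TYPE = {"NASenc": 0x01, "NASint": 0x02, "RRCenc": 0x03, "RRCint": 0x04, "UPenc": 0x05}

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (Li = 2-byte length of Pi)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def alg_key(parent: bytes, kind: str, alg_id: int) -> bytes:
    """Derive one traffic key, bound to its purpose and algorithm; keep the low 128 bits."""
    return kdf(parent, FC_ALG_KEY, bytes([ALG_TYPE[kind]]), bytes([alg_id]))[-16:]

def mme_keys(kasme, ul_nas_count, enc_id, int_id):
    """MME side: NAS keys and KeNB, all derived from KASME."""
    return {"KNASenc": alg_key(kasme, "NASenc", enc_id),
            "KNASint": alg_key(kasme, "NASint", int_id),
            "KeNB": kdf(kasme, FC_KENB, ul_nas_count.to_bytes(4, "big"))}

def enb_keys(kenb, enc_id, int_id):
    """eNB side: holds only KeNB, so it can derive RRC and UP keys but no NAS key."""
    return {"KRRCenc": alg_key(kenb, "RRCenc", enc_id),
            "KRRCint": alg_key(kenb, "RRCint", int_id),
            "KUPenc": alg_key(kenb, "UPenc", enc_id)}

def ue_keys(kasme, ul_nas_count, nas_enc, nas_int, as_enc, as_int):
    """UE side: recomputes the whole hierarchy locally from its own KASME."""
    keys = mme_keys(kasme, ul_nas_count, nas_enc, nas_int)
    keys.update(enb_keys(keys["KeNB"], as_enc, as_int))
    return keys

# Constructed sample values (not real key material).
KASME = bytes(range(32))
UL_NAS_COUNT = 0
EEA2, EIA2 = 2, 2   # 128-EEA2 / 128-EIA2 (AES-based) algorithm identifiers

if __name__ == "__main__":
    for name, value in ue_keys(KASME, UL_NAS_COUNT, EEA2, EIA2, EEA2, EIA2).items():
        print(f"{name:8s} {value.hex()}")
```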
Now, whenever a call is established the security functions will work as shown in Figures 2–4. The start trigger of the security functions is when an initial NAS signaling message sent by the UE that contains UE security capability information arrives at the MME. The security capability list informs the MME for instance about which ciphering and integrity protection algorithms are supported by this UE.


Figure 2: Subscriber authentication


Figure 3: NAS security initiation and RRC security initiation


Figure 4: RRC security completion
After the MME has received the initial NAS message and it has not been in contact with this subscriber before, or if all previously received security tokens sent by the HSS have been used, the MME must contact the HSS to receive new tokens. Thus, the MME sends a DIAMETER authentication information request message to the HSS that contains the subscriber's identity. The HSS holds the secret network key "K" that is also stored on the USIM card of each subscriber. "K" is unique to every network operator.
From "K" and the subscriber's identity the HSS derives three of the four parameters found inside the DIAMETER authentication information response message: the security key KASME, the Authentication Token (AUTN), and the Expected Response (XRES) parameter. The random number parameter RAND is truly just a random number.
After the MME has received these four parameters, it produces three more derivatives from KASME. These derivatives are the NAS encryption key KNASenc, the NAS integrity protection key KNASint, and the security key for the eNB KeNB.
What follows is the authentication procedure between the MME and the UE. The MME sends the unciphered NAS authentication request message that includes the random number RAND and the AUTN. Now the UE must use its secret key "K" from the USIM card to calculate another number based on "K," AUTN, and RAND. The number is the UE's authentication response number RES.
RES is sent back to the MME by using the authentication response message, and in the last step of the authentication procedure the MME compares the value of RES to the value of XRES computed previously by the HSS. If RES and XRES have the same value the UE has successfully authenticated itself to the network and the NAS signaling connection can proceed.
At this point, after successful authentication, it is time to activate the NAS security functions: namely, NAS ciphering and NAS integrity protection. Thus, the MME sends the NAS security mode command message to the UE including the security key KASME received previously from the HSS, and the algorithms for EPS encryption and EPS integrity protection that have been selected from the UE capability list and will be used to secure this NAS signaling connection.
After the UE has received the NAS security command, it uses the assigned EPS encryption/integrity algorithms and the KASME key to compute the keys for NAS encryption and NAS integrity protection, which are identical to those already stored in the MME. Now that NAS security is in service, the UE sends back the NAS security mode complete message, which is an encrypted and integrity-protected NAS message. It is not mandatory to use NAS encryption and integrity protection. It is always up to the operator to decide what is required to secure the network.
After the NAS security functions are in service, the underlying RRC connection and the ciphering for user plane traffic need to be activated. For this purpose, first a so-called security context is installed between the MME and eNB. Since security is not the only context-related information to be exchanged between these two network elements, the S1AP initial context setup message will also contain other parameters besides the UE security capabilities and the eNB's security key KeNB. Note that the UE security capabilities so far are unknown to the eNB.
Now the eNB derives the keys for RRC encryption (KRRCenc), RRC integrity protection (KRRCint), and user plane encryption (KUPenc) from KASME. Then the eNB sends the RRC security mode command message to the UE. This message contains the AS encryption algorithm and AS integrity protection algorithm bundled with the START parameters for the AS security activation procedure.
The UE computes the keys for RRC encryption (KRRCenc), RRC integrity protection (KRRCint), and user plane encryption (KUPenc) from the KASME together with the received keys and activates the requested security functions using these parameters. After successful activation, the UE sends the RRC security mode complete message (i.e., ciphered and/or integrity protected) back to the eNB. The eNB then confirms the successful establishment of the security context to the MME by sending the S1AP successful outcome message for the procedure code "Initial Context Setup."