
Friday, December 9, 2011

Radio Interface Basics



Wireless transmissions within mobile networks make use of electromagnetic waves to carry the transmitted information from source to destination. The data is modulated onto complex waves (in a mathematical sense) using a modulation scheme. Furthermore, a duplex method and a multiple access scheme or multiplex scheme are applied to those complex waves. The resulting modulated spectrum is called baseband. The baseband carries all information, and the bandwidth it occupies depends on the amount of information and the spectral efficiency of the modulation scheme. The spectral efficiency is measured in bits per hertz. The baseband is multiplied by a carrier frequency, resulting in a frequency shift by the amount of the carrier frequency. This signal is amplified with an RF amplifier and is transmitted via an antenna. Before the signal is received by the receiving station, the electromagnetic waves carrying the information are distorted by the wireless channel.
The wireless channel is characterized by various time-variant and time-invariant parameters. This section gives only a short introduction to the characteristics of the wireless channel. The properties of the mobile wireless channel can be roughly characterized by the following two attributes:
  • Large-scale fading: This is due to loss of signal strength by distance and shadowing of large objects like hills or buildings. It is typically frequency independent, but a function of time and space which fluctuates on the scale of cell areas.
  • Small-scale fading: This is due to the constructive and destructive interference of the multiple signal paths between the transmitting node and the receiving one, resulting in signal strength changes on a spatial scale of the wavelength. Therefore, signal strength variation greatly increases with faster moving stations and is frequency selective.
Free space attenuation as a function of distance d and wavelength λ is shown in the following equation. This basic attenuation (part of large-scale fading) denotes the signal decrease between source and destination without taking any shadowing, multipath fading, or scattering into account:

Especially, the small-scale fading introduces distortion in the received signal to such an extent that it needs to be eliminated, or at least reduced by entities called channel estimator and channel equalizer described later in this section.
Figure 1 shows a typical received wireless channel quality as a function of frequency and time. The channel quality (received signal strength of certain frequencies) changes on a large scale (large-scale fading) and is superposed by the small-scale fading of a moving node. The physical layer of mobile wireless transmission systems has to deal with these characteristics of mobile channels to ensure data transmission up to a specific subscriber velocity. Because small-scale fading changes spatially on the scale of the wavelength, typically several centimeters in mobile networks, the user velocity introduces fast fading to the received signal. As an example, a user velocity of 100 km/h (27.8 m/s) can result in signal fading changes of 250 times a second. As a result, the received signal is additionally amplitude modulated (a fast amplitude change) by the fast fading of a moving user. This amplitude modulation due to the time-variant wireless channel additionally causes frequency dispersion. Entities like fast power control and fast frequency-selective scheduling are introduced into mobile systems in order to counteract this.

 
Figure 1: Time-variant frequency-selective wireless channel. Reproduced with permission from Nomor
A multipath channel is time dispersive, which means that a single transmitted signal is received more than once as echoes (reflections) of different strength. The electromagnetic waves are reflected by obstacles like buildings, hills, and mountains. The direct beam between the transmit antenna and receiver is called the LOS (Line Of Sight). The LOS is usually the strongest pattern within the broad field of received reflections. h(τ, t) is the time-variant (t and τ) impulse response of the wireless channel with i paths (reflections) and an attenuation a_i(t) of each path i. The impulse response denotes the characteristic behavior of a system (in a mathematical sense), like the wireless channel, when an impulse (delta peak) is given as input. In theory, this impulse is so steep that all possible frequencies are included, thus it shows the behavior of all transmitted patterns. τ is the delay of the signal between the source and receiver. This delay is called the propagation delay. τ_i is the additional delay of the reflection path i. Thus,

The transmitted baseband signal is distorted by the wireless channel because different reflections of the signal are interfering at the receiver. Thus, the time-continuous received complex baseband signal y_b(t) of a transmitted signal x_b(t) with additive white Gaussian noise n(t) is

f_c is the frequency which is used to transmit the information. It is referred to as the carrier frequency, as mentioned above. The term exp[j2πf_cτ_i(t)] denotes the time-variant phase shift of each reflection path i.
By knowing the distortion h(τ, t) which was applied to the received signal due to wireless transmission, the receiving entity is able to reverse this distortion and retrieve the transmitted information. So that the receiver can estimate the wireless impulse response, the transmitter inserts known patterns into the transmit signal. Those signals are referred to as pilot or reference signals. Additionally, pilot, reference, or synchronization signals can be applied for time and frame synchronization (in LTE special synchronization signals are used). The receiver scans the received signal for the pilot or synchronization signals by using correlation functions. Once frame synchronization is established, the channel estimator unit of the receiver analyzes the known signal part in order to estimate h(τ, t).
The channel estimator passes the results of the process of estimation to the channel equalizer. The channel equalizer is the entity which removes the distortion due to wireless transmission. Thus, the quality of channel equalization depends on the provided information of the estimator unit. Almost every mobile cell phone standard uses different estimators and equalizers depending on the structure of reference symbols and slot structure. In LTE, channel estimation and equalization are done in the frequency domain and interpolated between adjacent time domain transmission symbols, resulting in a two-dimensional channel equalization. 
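The estimator and equalizer chain described above, as an added example that is not part of the original article: known pilots give the channel estimate, the estimate is interpolated linearly in time between two pilot symbols, and a one-tap equalizer divides it out in the frequency domain. The path parameters, the all-pilot first and last symbols, the noise level and the QPSK data are constructed assumptions, not the LTE reference-signal layout.

```python
import cmath
import math
import random

# Constructed channel: per path i an attenuation a_i, a delay tau_i (in samples),
# a carrier phase shift phi_i and a Doppler phase step per OFDM symbol (radians).
PATHS = [(1.0, 0, 2.0, 0.00),    # line of sight
         (0.4, 1, 2.6, 0.05),    # first reflection
         (0.2, 2, 1.5, -0.04)]   # second reflection
N_FFT = 64                       # FFT size that tau_i is counted against
N_SC = 12                        # subcarriers in the simulated grid
N_SYM = 7                        # OFDM symbols in the grid
PILOT_SYMS = (0, N_SYM - 1)      # assumed layout: first and last symbol are all pilots
PILOT = complex(1, 1) / math.sqrt(2)
QPSK = [complex(re, im) / math.sqrt(2) for re in (1, -1) for im in (1, -1)]


def channel(k, s):
    """Frequency response H[k, s] on subcarrier k during OFDM symbol s."""
    return sum(a * cmath.exp(1j * (phi + dop * s - 2 * math.pi * k * tau / N_FFT))
               for a, tau, phi, dop in PATHS)


def tx_grid():
    """Known pilots on the pilot symbols, deterministic QPSK data elsewhere."""
    return [[PILOT if s in PILOT_SYMS else QPSK[(3 * k + 5 * s) % 4]
             for k in range(N_SC)] for s in range(N_SYM)]


def through_channel(grid, sigma=0.02, seed=1):
    """Apply H[k, s] to every resource element and add white Gaussian noise."""
    rng = random.Random(seed)
    return [[channel(k, s) * x + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
             for k, x in enumerate(row)] for s, row in enumerate(grid)]


def estimate(rx):
    """Estimate H on the two pilot symbols, then interpolate linearly in time."""
    first, last = PILOT_SYMS
    h_first = [y / PILOT for y in rx[first]]
    h_last = [y / PILOT for y in rx[last]]
    est = []
    for s in range(N_SYM):
        w = (s - first) / (last - first)
        est.append([(1 - w) * h0 + w * h1 for h0, h1 in zip(h_first, h_last)])
    return est


def equalize(rx, est):
    """One-tap frequency-domain equalizer: divide each element by its estimate."""
    return [[y / h for y, h in zip(row_y, row_h)] for row_y, row_h in zip(rx, est)]


def decide(sym):
    """Nearest QPSK constellation point, returned as its index."""
    return min(range(4), key=lambda i: abs(sym - QPSK[i]))


def symbol_errors(grid, tx):
    """Count wrong decisions on the data symbols only."""
    return sum(decide(grid[s][k]) != decide(tx[s][k])
               for s in range(N_SYM) if s not in PILOT_SYMS
               for k in range(N_SC))


def run():
    """Return (data symbols, errors without equalizer, errors with equalizer)."""
    tx = tx_grid()
    rx = through_channel(tx)
    eq = equalize(rx, estimate(rx))
    total = (N_SYM - len(PILOT_SYMS)) * N_SC
    return total, symbol_errors(rx, tx), symbol_errors(eq, tx)


if __name__ == "__main__":
    total, raw, equalized = run()
    print(f"data symbols: {total}, errors without equalizer: {raw}, with: {equalized}")
```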

Monday, December 5, 2011

LTE Security | Standards, Protocols, and Functions


What are the new security functions in the E-UTRAN? This question can briefly be answered as follows.
The first feature we see is a completely new ciphering mechanism and integrity protection for NAS signaling messages that was never seen in any 2G or 3G radio access network. On the radio interface this new NAS security leads to situations with double ciphering. On top of the protocol stack the NAS messages exchanged between the UE and MME are encrypted and the underlying RRC that acts as the transport layer for NAS is secured by ciphering mechanisms as well, so that the ciphered NAS message is ciphered together with its RRC transport message a second time.
The second new security feature is the option to secure the complete IP-based transport of the control plane and user plane on the S1 reference point using Secure IP (IPsec). There is no way to decipher IPsec by just monitoring the data that is exchanged between two endpoints of an IPsec connection. To decipher IPsec requires the monitoring software to be informed about which IPsec ciphering parameters (which can be changed frequently) are currently used in each of the involved endpoints of the IP connection. In a typical case these endpoints are the eNB and the MME or S-GW. To allow deciphering, there must be a dedicated Application Programming Interface (API) installed that allows the monitoring software to access IPsec-relevant parameters for deciphering. To design such an API requires close cooperation between the NEMs of eNB and MME/S-GW and the manufacturers of the monitoring software. The conclusion related to this fact is that free-of-charge monitoring software like Wireshark will not be able to decipher IPsec. However, to obtain statistics of S1 control plane and user plane performance it is crucial to have metrics for E-UTRAN QoS and QoE (Quality of Experience). Consequently, IPsec deciphering will become one of the key differentiators for E-UTRAN monitoring software.
Besides these new security features, all the security elements from previous standards such as mutual authentication and masking of subscriber identity by using temporary identities can be found in the E-UTRAN. There is only a minor change here: the TMSI will be replaced by the new GUTI parameter.
To understand how the overall LTE security concept works, it is crucial to understand the hierarchy of LTE security keys first. This LTE security key hierarchy, shown in Figure 1, includes the following keys: KeNB, KNASint, KNASenc, KUPenc, KRRCint, and KRRCenc:
  • KeNB is a key derived by the UE and MME from KASME or by the UE and target eNB from KeNB* during eNB handover. KeNB should only be used for the derivation of keys for RRC traffic and the derivation of keys for UP (User Plane) traffic, or to derive a transition key KeNB* during an eNB handover.


Figure 1: LTE security key hierarchy (according to 3GPP 33.401). Reproduced with permission from © 3GPP
Keys for NAS traffic:
  • KNASint is a key which should only be used for the protection of NAS traffic with a particular integrity algorithm. This key is derived by the UE and MME from Kasme, as well as an identifier for the integrity algorithm.
  • KNASenc is a key which should only be used for the protection of NAS traffic with a particular encryption algorithm. This key is derived by the UE and MME from Kasme, as well as an identifier for the encryption algorithm.
Keys for UP traffic:
  • KUPenc is a key which should only be used for the protection of UP traffic with a particular encryption algorithm. This key is derived by the UE and eNB from KeNB, as well as an identifier for the encryption algorithm.
Keys for RRC traffic:
  • KRRCint is a key which should only be used for the protection of RRC traffic with a particular integrity algorithm. KRRCint is derived by the UE and eNB from KeNB, as well as an identifier for the integrity algorithm.
  • KRRCenc is a key which should only be used for the protection of RRC traffic with a particular encryption algorithm. KRRCenc is derived by the UE and eNB from KeNB as well as an identifier for the encryption algorithm.
Now, whenever a call is established the security functions will work as shown in Figures 2–4. The start trigger of the security functions is when an initial NAS signaling message sent by the UE that contains UE security capability information arrives at the MME. The security capability list informs the MME for instance about which ciphering and integrity protection algorithms are supported by this UE.


Figure 2: Subscriber authentication


Figure 3: NAS security initiation and RRC security initiation


Figure 4: RRC security completion
After the MME has received the initial NAS message and it has not been in contact with this subscriber before, or if all previously received security tokens sent by the HSS have been used, the MME must contact the HSS to receive new tokens. Thus, the MME sends a DIAMETER authentication information request message to the HSS that contains the subscriber's identity. The HSS holds the secret network key "K" that is also stored on the USIM card of each subscriber. "K" is unique to every network operator.
From "K" and the subscriber's identity the HSS derives three of the four parameters found inside the DIAMETER authentication information response message: the security key KASME, the Authentication Token (AUTN), and the Expected Response (XRES) parameter. The random number parameter RAND is truly just a random number.
After the MME has received these four parameters, it produces three more derivatives from KASME. These derivatives are the NAS encryption key KNASenc, the NAS integrity protection key KNASint, and the security key for the eNB KeNB.
What follows is the authentication procedure between the MME and the UE. The MME sends the unciphered NAS authentication request message that includes the random number RAND and the AUTN. Now the UE must use its secret key "K" from the USIM card to calculate another number based on "K," AUTN, and RAND. The number is the UE's authentication response number RES.
RES is sent back to the MME by using the authentication response message, and in the last step of the authentication procedure the MME compares the value of RES to the value of XRES, which is the XRES value computed previously by the HSS. If RES and XRES have the same value the UE has successfully authenticated itself to the network and the NAS signaling connection can proceed.
At this point, after successful authentication, it is time to activate the NAS security functions: namely, NAS ciphering and NAS integrity protection. Thus, the MME sends the NAS security mode command message to the UE including the security key Kasme received previously from the HSS, and the algorithms for EPS encryption and EPS integrity protection that have been selected from the UE capability list and will be used to secure this NAS signaling connection.
After the UE has received the NAS security command, it uses the assigned EPS encryption/integrity algorithms and the Kasme key to compute the keys for NAS encryption and NAS integrity protection, which are identical to those already stored in the MME. Now that NAS security is in service, the UE sends back the NAS security mode complete message, which is an encrypted and integrity-protected NAS message. It is not mandatory to use NAS encryption and integrity protection. It is always up to the operator to decide what is required to secure the network.
After the NAS security functions are in service, the underlying RRC connection and the ciphering for user plane traffic need to be activated. For this purpose, first a so-called security context is installed between the MME and eNB. Since security is not the only context-related information to be exchanged between these two network elements, the S1AP initial context setup message will also contain other parameters besides the UE security capabilities and the eNB's security key KeNB. Note that the UE security capabilities so far are unknown to the eNB.
Now the eNB derives the keys for RRC encryption (KRRCenc), RRC integrity protection (KRRCint), and user plane encryption (KUPenc) from KASME. Then the eNB sends the RRC security mode command message to the UE. This message contains the AS encryption algorithm and AS integrity protection algorithm bundled with the START parameters for the AS security activation procedure.
The UE computes the keys for RRC encryption (KRRCenc), RRC integrity protection (KRRCint), and user plane encryption (KUPenc) from the KASME together with the received keys and activates the requested security functions using these parameters. After successful activation, the UE sends the RRC security mode complete message (i.e., ciphered and/or integrity protected) back to the eNB. And the eNB confirms the successful establishment of the security context to the MME by sending the S1AP successful outcome message for the procedure code "Initial Context Setup."
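The derivations named in the key hierarchy list and carried out during the procedure above, as an added example (not code from the original post or from 3GPP). The HMAC-SHA-256 construction, FC values, algorithm type distinguishers and the truncation to 128 bits are taken from 3GPP TS 33.401 Annex A rather than from this page; the sample KASME, NAS COUNT and algorithm choice are constructed. RRC and UP keys are derived from KeNB as in the key list, so the eNB side never handles KASME.

```python
import hashlib
import hmac

# Constants from 3GPP TS 33.401 Annex A (not stated on this page).
FC_KENB = 0x11      # FC value for deriving KeNB from KASME
FC_ALG_KEY = 0x15   # FC value for the algorithm-specific keys
# Algorithm type distinguishers: one per key purpose
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 0x01, 0x02, 0x03, 0x04, 0x05


def kdf_input(fc, *params):
    """Build S = FC || P0 || L0 || P1 || L1 ..., Li = 2-byte length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key, fc, *params):
    """Generic KDF: HMAC-SHA-256 keyed with the parent key over S."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def derive_kenb(kasme, uplink_nas_count):
    """KeNB (256 bits) from KASME and the 32-bit uplink NAS COUNT."""
    return kdf(kasme, FC_KENB, uplink_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent_key, alg_type, alg_id):
    """128-bit key bound to one purpose (alg_type) and one algorithm (alg_id)."""
    out = kdf(parent_key, FC_ALG_KEY, bytes([alg_type]), bytes([alg_id]))
    return out[-16:]  # the 128 least significant bits of the 256-bit output


def mme_keys(kasme, uplink_nas_count, nas_enc_id, nas_int_id):
    """What the MME derives: the NAS keys, plus KeNB to hand to the eNB."""
    return {
        "KNASenc": derive_alg_key(kasme, NAS_ENC, nas_enc_id),
        "KNASint": derive_alg_key(kasme, NAS_INT, nas_int_id),
        "KeNB": derive_kenb(kasme, uplink_nas_count),
    }


def enb_keys(kenb, as_enc_id, as_int_id):
    """What the eNB derives from KeNB alone."""
    return {
        "KRRCenc": derive_alg_key(kenb, RRC_ENC, as_enc_id),
        "KRRCint": derive_alg_key(kenb, RRC_INT, as_int_id),
        "KUPenc": derive_alg_key(kenb, UP_ENC, as_enc_id),
    }


def ue_keys(kasme, uplink_nas_count, nas_enc_id, nas_int_id, as_enc_id, as_int_id):
    """The UE holds KASME and derives the whole hierarchy itself."""
    keys = mme_keys(kasme, uplink_nas_count, nas_enc_id, nas_int_id)
    keys.update(enb_keys(keys["KeNB"], as_enc_id, as_int_id))
    return keys


# Constructed sample values, not taken from any real network
SAMPLE_KASME = bytes(range(32))
SAMPLE_NAS_COUNT = 0
EEA2 = EIA2 = 2  # identifiers of the AES-based encryption/integrity algorithms


def demo():
    """Derive on both sides and report whether UE and network agree."""
    mme = mme_keys(SAMPLE_KASME, SAMPLE_NAS_COUNT, EEA2, EIA2)
    enb = enb_keys(mme["KeNB"], EEA2, EIA2)
    ue = ue_keys(SAMPLE_KASME, SAMPLE_NAS_COUNT, EEA2, EIA2, EEA2, EIA2)
    return ue == {**mme, **enb}, ue


if __name__ == "__main__":
    agree, keys = demo()
    print("UE and network agree:", agree)
    for name, value in keys.items():
        print(f"{name:8s} {value.hex()}")
```

Because the algorithm identifier is an input to the KDF, selecting a different algorithm in the security mode command yields a different key, and a key derived for one purpose cannot stand in for another.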

Wednesday, November 16, 2011

QoS Architecture | Standards, Protocols, and Functions



The EPS bearer service layered architecture is depicted in Figure 1. Besides the different names of bearers and reference points, this architecture does not look very different from the bearer service architecture defined in Release 99. However, there is a major difference that is not obvious at first sight.

 
Figure 1: LTE QoS architecture (according to 3GPP 23.401). Reproduced with permission from © 3GPP
In 3G UMTS the request of a subscriber for a defined QoS of an end-to-end service starts the QoS negotiation procedure. Which QoS is granted to a particular connection in the end depends on the subscriber's subscribed QoS stored in the HLR and the available network resources. The QoS negotiation and control process starts on the NAS layer with the first SM message sent by the UE.
In LTE, in contrast to 2.5 and 3G PS connections, a default bearer with a default QoS is already established when the UE attaches to the network. The QoS attributes of this default bearer are determined by the subscribed QoS parameters stored in the HSS. This is still as seen in 2.5/3G networks.
However, if now the first user plane packet is sent by the UE it is routed toward the PDN where the PCRF analyzes the requested end-to-end service. Depending on this service, the PCRF may now trigger a modification of QoS parameters in all the involved bearers. There is no option for the subscriber to request a particular QoS; only the network is in charge of QoS control. There is also no way for the UE to request something known as a secondary context in 3G (see Section 3.26 in Kreher and Ruedebusch, 2007). In LTE all QoS management is tied to the application, not to SM signaling.
It is important to understand that one UE in LTE can have multiple end-to-end services active and each of these services will have its own individual bearer. It is not intended by LTE standards that, for example, non-real-time services like web-browsing and e-mail will be mapped onto the same bearer (e.g., the same S1-U GTP tunnel) as we have seen in 3G UMTS. For this reason also 256 individual E-RABs for a single UE can be addressed by E-UTRAN protocols while in UMTS only 15 different RAB-IDs had been defined by the standard organizations.
In the 3GPP specs there is also a Traffic Flow Template (TFT) mentioned for the UL as well as for the DL part of the connection. These TFTs are bound to the EPS bearers. In general, a TFT can be described as a set of filters for a particular end-to-end service. Each TFT consists of a destination IP address and a set of source/destination port numbers. On the DL, the IP address is the address assigned to the UE; on the UL, it is the address of a server on the PDN. If we assume, for example, an HTTP 1.1 end-to-end service, the DL TFT of this service consists of the UE's IP address, TCP source port number 80, and TCP destination port number 80. On the UL, the port numbers are the same, but the IP address is the address of the server that hosts the web site.
To standardize the QoS handling, a set of nine QCIs have been defined by 3GPP. There are four classes with a Guaranteed Bit Rate (GBR) and five classes with a Non-Guaranteed Bit Rate (Non-GBR).
Besides the bit rate, the parameters priority, packet delay budget, and packet error loss rate are critical factors, as given in Table 1.
Table 1: Standardized QCI, QoS parameter thresholds, and example services (according to 3GPP 23.203). Reproduced with permission from © 3GPP

| QCI | Resource type | Priority | Packet delay budget (ms) | Packet error loss rate | Example services |
|---|---|---|---|---|---|
| 1 | GBR | 2 | 100 | 10⁻² | Conversational voice |
| 2 | GBR | 4 | 150 | 10⁻³ | Conversational video (live streaming) |
| 3 | GBR | 3 | 50 | 10⁻³ | Real-time gaming |
| 4 | GBR | 5 | 300 | 10⁻⁶ | Non-conversational video (buffered streaming) |
| 5 | Non-GBR | 1 | 100 | 10⁻⁶ | IMS signaling |
| 6 | Non-GBR | 6 | 300 | 10⁻⁶ | Video (buffered streaming) TCP based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.) |
| 7 | Non-GBR | 7 | 100 | 10⁻³ | Voice, video (live streaming) interactive gaming |
| 8 | Non-GBR | 8 | 300 | 10⁻⁶ | Video (buffered streaming) TCP based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.) |
| 9 | Non-GBR | 9 | 300 | 10⁻⁶ | Video (buffered streaming) TCP based (e.g., www, e-mail, chat, ftp, p2p file sharing, progressive video, etc.) |

Sunday, November 13, 2011

User Equipment



As in UMTS, the LTE mobile station is called User Equipment (UE). It is constructed using a modular architecture that consists of three main components (see Figure 1):
  • Mobile Termination: The MT represents termination of the radio interface. In this entity the RRC signaling is terminated and RRC messages are sent/received.
  • Terminal Adapter: The terminal adapter represents the termination of the application-specific service protocols, for example, SIP signaling for VoIP. The terminal adapter might be constructed as an external interface, for example, USB to connect a laptop PC using LTE technology with a mobile network.
  • Terminal Equipment: The TE represents termination of the service. Depending on the UE's application capabilities, it may act as the TE or not. For instance, the Apple iPhone with its browser functionalities has full TE capability while a simple USB stick for mobile data transmission has no TE capability at all. In the case of the USB stick, the connected laptop PC is the TE.

 
Figure 1: Modular architecture of a UE

1) UE Categories

The UE categories stand for an abstract grouping of common UE radio access capabilities and are defined in 3GPP 36.306.
In particular, the handset-type groups vary in maximum possible throughput (the maximum number of DL-SCH transport block bits received within a Transmission Time Interval (TTI)). Assuming a TTI of 1 ms for category 1, the maximum possible throughput is 10 296 bits/1 ms, which is approximately 10 Mbps of physical layer DL throughput (including the RLC/MAC header information, so the payload throughput will be slightly less).
Category 5 mobiles are the only handsets that support 64 Quadrature Amplitude Modulation (QAM) on the UL as highlighted in Tables 1 and 2. The maximum possible bit rate ranges from 5 Mbps (Cat. 1) to 75 Mbps (Cat. 5).
Table 1: UE categories and DL capabilities (according to 3GPP 36.306). Reproduced with permission from © 3GPP

| UE category | Maximum number of DL-SCH transport block bits received within a TTI | Maximum number of bits of a DL-SCH transport block received within a TTI | Approximate maximum bit rate DL (Mbps) |
|---|---|---|---|
| Category 1 | 10 296 | 10 296 | 10 |
| Category 2 | 51 024 | 51 024 | 50 |
| Category 3 | 102 048 | 75 376 | 75 |
| Category 4 | 150 752 | 75 376 | 75 |
| Category 5 | 302 752 | 151 376 | 150 |

Table 2: UE categories and UL capabilities (according to 3GPP 36.306). Reproduced with permission from © 3GPP

| UE category | Maximum number of bits of an UL-SCH transport block transmitted within a TTI | Support for 64QAM in UL | Approximate maximum bit rate UL (Mbps) |
|---|---|---|---|
| Category 1 | 5 160 | No | 5 |
| Category 2 | 25 456 | No | 25 |
| Category 3 | 51 024 | No | 50 |
| Category 4 | 51 024 | No | 50 |
| Category 5 | 75 376 | Yes | 75 |

Tuesday, October 11, 2011

Interfaces and Reference Points



As already explained, the E-UTRAN is an all-IP network. Figure 1 shows the network elements that are typically involved in the signaling procedures and routing of payload data from the UE to the PDN and vice versa. The figure also shows the reference points for inter-RAT handover (and inter-RAT packet routing) between E-UTRAN, UTRAN, and GERAN.
The pipeline symbols in the figure illustrate the different signaling connections and tunnels for IP payload transport established and maintained during the connection. The signaling on Gx and Rx used to negotiate specific QoS policies is ignored for reasons of better understandability. Besides, the existence of the PCRF is optional. Due to the fact that the MME and the S-GW may also be combined into a single physical entity, the S11 interface is also optional. The lab test scenarios existing at the time of writing (spring 2010) all have separated physical entities for the MME and S-GW.
The signaling connection across the LTE-Uu interface is the RRC signaling connection, represented by a set of Signaling Radio Bearers (SRBs). The user plane tunnel across LTE-Uu is the radio bearer. The other user plane tunnels are named after the appropriate reference points: namely, S1 bearer and S5 bearer. After the PDN-GW the connection is carried by the external bearer on SGi. S1AP signaling between the E-UTRAN and MME will be used to establish the tunnel on S1-U and GTP-C signaling will be used to create the tunnel on S5. On SGi we can see already plain IP traffic – pure payload, so to say.
The reference points can be briefly described as follows:
  • S1-MME: Reference point for the control plane protocol between the E-UTRAN and MME. This control plane protocol is the S1AP, which is quite similar to UTRAN RANAP. Indeed, in early drafts of LTE specs this protocol was called "E-RANAP."
  • S1-U: Reference point between the E-UTRAN and S-GW for the per bearer user plane tunneling and inter-eNB path switching during handover. The protocol used at this reference point is the GPRS Tunneling Protocol for the User Plane (GTP-U).
  • S3: This is the reference point between the MME and SGSN. The SGSN may serve UTRAN, GERAN, or both. On S3 we can see plain control plane information for user and bearer information exchange for inter-3GPP access network mobility (inter-RAT handover) in the idle and/or active state. If the connection was set up originally in the E-UTRAN and is handed over to UTRAN/GERAN the appropriate user plane streams are routed across the S4 reference point. What happens in the case of UTRAN/GERAN to E-UTRAN handover depends on whether S-GW also acts as the anchor for UTRAN/GERAN traffic. If this is true the user plane tunnel can be switched smoothly between S4 and S1-U during the handover. The protocol used at the S3 reference point is the GTP-C.
  • S4: The S4 reference point provides related control and mobility support between the GPRS core and the 3GPP anchor function of the S-GW using GTP-C. In addition, if a direct tunnel across S12 is not established, it provides user plane tunneling using GTP-U.
  • S5: The S5 reference point provides user plane tunneling and tunnel management between the S-GW and PDN-GW. It is used in case of S-GW relocation due to UE mobility and if the S-GW needs to connect to a non-collocated PDN-GW for the required PDN connectivity. The protocol used at this reference point is GTP for both the control plane and user plane.
  • S6a: The S6a reference point enables the transfer of subscription and authentication data for authorizing user access to the network. The reference point can be also described as the AAA interface between the MME and HSS. Compared to the legacy core network of 2G/3G standards, the functionality provided by S6a is similar to the one on the Gr interface, but due to the all-IP concept of EPC the protocol used at this reference point is the DIAMETER protocol. In the IP world DIAMETER is known as the successor of RADIUS, a protocol for granting access and authentication. However, the DIAMETER used on S6a does not have much in common with what is found in the IP world. The protocol header is based on IP standards, but the messages and parameters on the application layer are defined in a 3GPP-specific DIAMETER standard that has no meaning in the IP world.
  • Gx: This point provides transfer of (QoS) policy and charging rules from the PCRF to the Policy and Charging Enforcement Function (PCEF) in the PDN-GW. This means that a set of rules for charging the transmission of a particular user data stream (called service flow) will be requested by the PDN-GW upon bearer establishment and the PCRF will provide the required parameters for the charging process. Especially, it will signal which of the following charging models will apply:
    • Volume-based charging.
    • Time-based charging.
    • Volume- and time-based charging.
    • Event-based charging.
    • No charging (if the user pays at a monthly flat rate).
    Also, information about prepaid limits and other thresholds can be included.
  • S8: The S8 reference point is used by roaming subscribers only. It is the inter-PLMN reference point providing the user plane and control plane between the S-GW in the Visited PLMN (VPLMN) and the PDN-GW in the Home PLMN (HPLMN). S8 is the inter-PLMN variant of S5, based on GTP as well, and can be compared to the Gp interface defined for GERAN GPRS.
  • S9: The S9 reference point is also used by roaming subscribers only. It provides transfer of (QoS) policy and charging control information between the home PCRF and the visited PCRF in order to support the local breakout function. For example, imagine a prepaid limit that can only be known by the home PCRF and must be provided to the visited PCRF to allow roaming services for this user.
  • S10: This is the reference point between MMEs for MME relocation and MME-to-MME information transfer. This reference point provides mobility functions for intra-E-UTRAN handover/relocation. In other words, signaling procedures on this interface are triggered by UE mobility. It should be noted that this kind of MME relocation in 3GPP 23.401 is called S1 handover. Hence, S10 is seen as a special kind of S1 interface and the S1AP is used at this reference point.
  • S11: This is the reference point between the MME and S-GW. The protocol used here is the GTP-C. The appropriate user plane is routed across S1-U.
  • S12: The S12 reference point is located between the RNC in the 3G UTRAN and the S-GW for user plane tunneling when a "direct tunnel" is established. It is based on the Iu user plane and Gn user plane reference points using the GTP-U as defined between the SGSN and RNC, or between the SGSN and GGSN in the 3G core network. Use of the S12 reference point is an operator configuration option. On S12 only GTP-U traffic can be monitored, as on S1-U.
  • S13: This point enables a UE identity check procedure between the MME and EIR (Equipment Identity Register). Typically there is no EIR installed in public networks due to the high administrative efforts, but this network element is found in some private networks. For instance, the GSM-based mobile network of the railway company Deutsche Bahn is equipped with an EIR. The purpose is to ensure that only staff of Deutsche Bahn can use the company's PLMN, but no private persons and staff of other European railway companies such as France's SNCF that also runs trains through Germany.
  • SGi: This is the reference point between the PDN-GW and the packet data network. This network may be an operator external public or private packet data network or an intra-operator packet data network, for example for the provision of IP Multimedia Subsystem (IMS) services. To simplify the definition, it can be said that for many user plane connections SGi is the interface to the public Internet. This reference point corresponds to Gi for 3GPP access. Typically the complete TCP/IP suite can be monitored at this point.
  • Rx: The Rx reference point resides between the Application Function (AF) and the PCRF defined in 3GPP 23.203. It is for instance mandatory if real-time communication services such as Voice over IP (VoIP) are to be charged differently than common PS data transfer.
  • SBc: The SBc reference point lies between the Cell Broadcast Center (CBC) and MME for warning message delivery and control functions. This interface is used to broadcast warning messages to subscribers (not to send warning messages about network element status to the operation and maintenance center). A typical example of such warning messages could be the broadcast of bush fire or tsunami alarms.

 
Figure 1: Connection via E-UTRAN non-roaming architecture


 
Figure 2: Connection after inter-RAT handover from E-UTRAN to UTRAN/GERAN

 
Figure 3: Connection via E-UTRAN with roaming in EPC
The special anchor function of the S-GW can be illustrated when looking at a connection that was handed over from the E-UTRAN to UTRAN or GERAN as shown in Figure 2. In this case the connections on S5 and SGi remain the same, but the payload is now routed through a tunnel across S4 or S12 while the signaling necessary to execute the inter-RAT mobility will be sent across S3. The old bearers and signaling connections on S1 and LTE-Uu will be deleted after successful handover of the connection.
Figure 3 illustrates the basic connection of a roaming subscriber. Signaling and payload take the same route as in Figure 2, but the HSS and PDN-GW and, thus, the connection to the public packet network are located in a foreign network. The IP tunneling from the S-GW to PDN-GW and vice versa is realized through the S8 interface, which has identical protocol structure and functions to S5. The only difference is that S8 must fulfill higher requirements in terms of inter-operability, because equipment from different manufacturers must be interconnected through this reference point.