
Diversity : Cellular and Wireless LANs

Bringing Cellular Service to Wireless Habitat Networks: Understanding, evaluating & extending the Unlicensed Mobile Access (UMA) architecture. Anshuman B. Saxena, anshuman.saxena@dk-tcs.com, TCS Euro-labs.


Presentation Transcript


  1. Bringing Cellular Service to Wireless Habitat Networks: Understanding, evaluating & extending the Unlicensed Mobile Access (UMA) architecture
     Anshuman B. Saxena, anshuman.saxena@dk-tcs.com, TCS Euro-labs

  2. Diversity : Cellular and Wireless LANs Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

  3. Motivation for Convergence
     [Figure: GSM/GPRS (global identity) and WLAN (low cost) brought together in a unified architecture.]
     Wireless Habitat Networks represent the notion of wireless networks in regions of dominant habitat, e.g. home & office WLANs. The availability of such low-cost wireless networks in areas that a user inhabits significantly longer and more frequently provides a lucrative opportunity to forward the services associated with the global identity of a GSM/GPRS network.
     Use case scenario: A cellular service subscriber in an active GSM/GPRS session enters one of his many wireless habitat networks, e.g. his home/office WLAN. The same session (without any perceivable disruption) is now routed to his WLAN. All services associated with his subscription with the cellular network are delivered to him at a lower cost through the currently available Wireless Habitat Network. As a result the user remains reachable through his global IMSI identity; however, while at home or in the office he can use the same services (voice calls, SMS service, and other location dependent services) at a much reduced cost through his home or office WLAN.
     [Figure: a convergence block linking the GSM/GPRS network (BTS, BSC, MSC, VLR, HLR, SGSN, GGSN) with the WLAN APs over a broadband IP network.]

  4. Foreseen Challenges
     • Issues of discovery and registration of WLAN APs – trust issues
     • Issues related to incorporating these WLAN APs with the cellular infrastructure - probably providing a BSS-like abstraction
     • Delivery of cellular signalling information to WLAN APs, like paging, flow control, SMS etc.
     • Notion of cell to assist the delivery of location dependent services – may be some kind of overlay of cells on the WLAN network.
     • Support for seamless handover of ongoing voice/data sessions back and forth
     • Security of user data – issues related to maintaining the confidentiality, integrity and accountability of data routed over self-administered WLANs.
     • Support for a personalized network table for each user – context based network lookup.
     • Dynamic association and disassociation of user specific wireless habitat networks.
     • Battery lifetime of mobile stations equipped with additional WLAN radios must be comparable to those with a single 3G radio.

  5. Outlining the remaining presentation
     • Overview of individuals involved
       >> GSM/GPRS
       >> WLAN (not included)
       >> Bluetooth (not included)
     • Related Work: candidate architectures
       >> Unlicensed Mobile Access (UMA)
       >> Underlying Assumptions
       >> Thoughts and Concerns
     • An alternate proposition
       >> The approach
       >> Rationale
       >> Architecture
       >> Network Discovery and GERAN interaction
     • Action Plan (TBD)
       >> Simulation
       >> Prototyping
       >> Dissemination

  6. GSM: Architectural overview
     [Figure: GSM network architecture showing the MS, the BSS (BTS, BSC), the NSS (MSC, VLR, HLR, AuC, EIR, GMSC) and the external networks (PSTN, PSPDN, CSPDN, ISDN). NSS: Network and Switching Subsystem. BSS: Base Station Subsystem.]
     GSM operates in circuit switched mode, i.e. a channel is allocated to a single user for the entire duration of the connection. This exclusive access to the radio resource is not necessary for data applications that use packet switched techniques.
     GSM Network Architecture
     Network Switching Subsystem: responsible for call control, service control and subscriber mobility management functions.
     • HLR: Home Location Register is a database used to store and manage permanent data of subscribers such as service profiles, location information, and activity status.
     • VLR: Visited Location Register is a database used to store temporary information about the visiting subscribers.
     • MSC: Mobile Switching Centre is responsible for telephony switching functions.
     • AuC: Authentication Center assists the MSC in performing various authentication functions.
     • EIR: Equipment Identity Register is a database that contains a list of blacklisted mobile equipment.
     • GMSC: Gateway Mobile Switching Center is a gateway to external networks, such as ISDN or wire line networks.
     Base Station Subsystem: performs radio related functions.
     • BTS: Base Transceiver Station handles the radio interface to the MS. It consists of the radio equipment (transceivers and antennas) required to service each cell in the network.
     • BSC: Base Station Controller provides the control functions and physical links between the MSC and the BTS. A number of BSCs are served by one MSC, while several BTSs can be controlled by one BSC.

  7. GSM Network Service Areas
     [Figure: BTSs grouped under BSCs and served by MSC/VLR-1, with areas labelled LA1-LA3 and SA1-SA5.]

  8. GPRS: Architectural Overview
     [Figure: GPRS network architecture showing the MS, the BSS (BTS, BSC, PCU) and the NSS (SGSN, GGSN, MSC, VLR, HLR) with the external PDN; a second panel shows routing areas RA1-RA9 and location areas LA1-LA5 mapped onto the MSC/VLR and SGSN (1)-(3) areas.]
     GPRS has minor impact on the existing GSM BSS because it uses the same frequency bands and hopping techniques, the same TDMA frame structure, and the same radio modulation and burst structure as GSM. However, unlike GSM circuit switched connections, connections in GPRS have to be established and released between the BSS and the MS only when data needs to be transported over the air interface. The PCU (Packet Control Unit) supports the handling of data packets.
     GPRS Network Architecture
     • The GPRS NSS can be viewed as an overlay network.
     • A GSN (GPRS Support Node) can be of two types: an SGSN (Serving GSN) or a GGSN (Gateway GSN).
     • The SGSN controls a service area and is primarily responsible for keeping track of the MSs it serves, and for access control to data services.
     • The GGSN provides the interface to external PDNs (Packet Data Networks). The SGSN is connected to the BSS by Frame Relay and to possibly several GGSNs via a GPRS backbone network.
     • There may not be a direct mapping between SGSN and MSC/VLR areas.
     • The introduction of RAs allows signalling and paging over geographically smaller areas and thus a better optimization of radio resources.

  9. GPRS Subscription and Attach
     Precondition
     • Each user must have at least one GPRS subscription record containing information such as a list of networks to which access is required and the subscribed Quality of Service (QoS).
     • Further optional information may be available, such as the user's static IP address.
     Sequence of procedures for GPRS attach
     • The MS requests enough radio resources to send the Attach Request signaling message.
     • The MS uses the assigned radio channel to send the Attach Request message, which includes the user's identity, MS capabilities and current location.
     • The SGSN sends an Update Location message to the appropriate HLR.
     • The HLR is updated and the user's GPRS subscription record is provided to the SGSN.
     • The SGSN signals the attach completion to the MS.
     • The network is now able to track the MS (via subsequent location updates) and is aware of the services and networks that the user has access to. However, at this point the user is not able to send or receive data.

  10. GPRS PDP context activation
     • In order for the user to be able to transfer data, a Packet Data Protocol (PDP) Context must be activated in the MS, SGSN and GGSN.
     • The user initiates this procedure, which is similar to logging on to the required destination network.
     • On completion, a virtual connection is established between the MS and the GGSN.
     • The MS requests sufficient radio resources to support the Context Activation procedure.
     • The MS uses the assigned radio channel to send the Activate PDP context request to the SGSN, which includes the user's static IP address (if applicable), the QoS requested for this context, the APN of the external network to which connectivity is requested, the user's identity and any necessary IP configuration parameters (e.g. for security reasons).
     • The SGSN then checks the received request against the user's subscription record and, if valid, queries the DNS server for the IP address of the requested APN.
     • The DNS server responds to the SGSN with the IP address of at least one GGSN that will provide the required connectivity to the external network (the APN).
     • The SGSN requests a connection tunnel to that GGSN.
     • The GGSN establishes the tunnel and returns an IP address to be conveyed to the MS. The GGSN associates this tunnel with the required external network connection.

  11. GPRS: Security
     • GPRS users expect the data they transmit and receive to be protected against eavesdropping and tampering.
     • GPRS operators also need to prevent unauthorized subscribers from gaining access to the GPRS network.
     • GPRS subscriber authentication and service request validation. These controls (which use existing GSM mechanisms) perform validation when users connect to the GPRS network.
     • A Restricted Access Point Control facility. This ensures that only terminals authorized by an individual company are able to access that company's network from the GPRS network. This is under the direct control of the GPRS network.
     • A non-transparent access technique, linking the GPRS session/bearer set-up with standard IP access and authentication servers such as RADIUS (Remote Authentication Dial-In User Service).
     • Network encryption.

  12. GPRS QoS support: Reliability and Latency
     Integrity of received data is ensured through two reliable modes of operation:
     • RLC acknowledged mode is used by default to ensure that the data received by/from the MS is without error.
     • LLC acknowledged mode is an optional feature which ensures that all LLC frames are received without error. However, use of this protocol has an impact on throughput, since the correct receipt of all LLC frames has to be acknowledged.
     Factors contributing to the overall latency in GPRS include:
     • Mobile Station (MS) delay - the time taken by the MS to process an IP datagram and request radio resource. It is specific to the MS, and hence to the supplier.
     • Radio resource procedures are the major source of delay in GPRS. For the MS to be capable of sending or receiving data, a radio resource known as a Temporary Block Flow (TBF) must be made available to the MS. Establishing a TBF from scratch entails an exchange of signaling messages and depends on the availability of radio resources. It will also be different for the uplink and downlink directions. Once established, the TBF generally remains active for as long as data is made available to the layer (i.e. for as long as there are LLC frames to transmit).
     • Effective data throughput (over-the-air delay) is the rate at which user data is physically transmitted between the MS and the SGSN over an active TBF. The delay associated with this throughput is directly related to the size of the IP datagram being sent. Smaller packets cause less delay. The delay is proportionally reduced when multiple timeslots are used. The effective throughput is also dependent on the number of re-transmissions resulting from the hostile radio environment (i.e. the RLC Block Error Rate).
     • Core network delay occurs as packets transit through the SGSN and GGSN. These nodes effectively operate as IP routers and as such will have a relatively low impact on the overall latency. However, under high load conditions the transit delay may increase.

  13. GPRS: Latency Breakdown
     This table illustrates a breakdown of the round-trip latency associated with the transmission and reception of a 500 byte IP packet in a system employing 1 uplink and 2 downlink timeslots. Note that any delay associated with external servers (i.e. the Internet) is not included.

  14. Unlicensed Mobile Access (UMA) Architecture
     [Figure: the MS reaches the UNC (with its SGW) in the UMA network through an AP and a broadband IP network, over the Up interface inside a secure tunnel. The UNC connects to the MSC (A), the SGSN (Gb) and the AAA server (Wm) in the VPLMN/HPLMN, alongside the GERAN (GSM/GPRS radio access network); for roaming, a AAA server and HLR are shown in the HPLMN.]
     A: interface for circuit switched services. Gb: interface for packet switched services. Wm: interface for the AAA server.
     • Mobile Station (MS)
       - includes dual mode (GSM and unlicensed) radios and the capability to switch between them
       - supports an IP interface to the access point
     • Access Point (AP)
       - provides the radio link towards the mobile station using unlicensed spectrum
       - connects through the broadband IP network to the UNC
     • UMA Network Controller (UNC)
       - allows the MS to obtain all GSM services (via the 'A' interface) that it can obtain from a direct connection to the GERAN MSC
       - allows the MS to obtain all GPRS services (via the 'Gb' interface) that it can obtain from a direct connection to the GERAN SGSN
       - includes a Security Gateway (SGW) that terminates secure remote access tunnels from the MS, providing mutual authentication, encryption and data integrity for signaling, voice and data traffic

  15. UNC: coupling between the UMA N/W and GERAN - I
     [Figure: protocol stacks across the MS, standard AP, broadband IP network, UNC and MSC. Signalling: CC/SS/SMS and MM over UMA-RR, TCP, remote IP, IPSec ESP, transport IP and the unlicensed lower layers on the Up interface; BSSAP over SCCP and MTP 1-3 on the A interface. Audio: GERAN codec over RTP/UDP, remote IP, IPSec ESP and transport IP on the Up interface, with transcoding at the UNC if required.]
     • GSM signalling
       - GSM protocols MM and above are carried transparently between the MS and MSC.
       - The GSM-RR protocol is replaced with a UMA-RR protocol which is specific to unlicensed radio access. The UNC, acting like a GERAN BSC, terminates the UMA-RR protocol and inter-works it to the A-interface using BSSAP messaging.
     • GSM speech bearer
       - Audio is transported as RTP frames.
       - Support for GERAN codecs.
       - When operating in UMA mode, AMR FR is the preferred codec type.

  16. UNC: coupling between the UMA N/W and GERAN - II
     [Figure: protocol stacks across the MS, standard AP, broadband IP network, UNC and SGSN. GPRS signalling: upper layers and LLC over UMA-RLC, TCP, remote IP, IPSec ESP, transport IP and the unlicensed lower layers on the Up interface; BSSGP over the network service and physical layers on the Gb interface. GPRS data: IP, SNDCP and LLC over UMA-RLC, UDP, remote IP, IPSec ESP and transport IP on the Up interface, relayed by the UNC onto BSSGP towards the SGSN and on to the GGSN.]
     • GPRS signalling
       - GPRS LLC PDUs for signalling and higher layer protocols are carried transparently between the MS and SGSN.
       - The GPRS-RLC protocol is replaced with an equivalent UMA-RLC protocol. Given the transport characteristics over the Up interface, the GPRS TBF abstraction is not applicable and reliability is ensured by TCP. Therefore the UMA-RLC is significantly lighter than GPRS-RLC. As in a GERAN BSS, the UNC, acting like a BSC, terminates the UMA-RLC protocol and inter-works it to the Gb-interface using BSSGP.
     • GPRS data
       - GPRS LLC PDUs carrying data, and higher layer protocols, are carried transparently between the MS and the SGSN.
       - GPRS LLC PDUs are carried over UMA-RLC from the MS to the UNC, which relays them to the SGSN using BSSGP messaging.
       - UMA-RLC runs directly over UDP to leverage the IP bearer service.

  17. UMA: Protocols Involved
     • Standard 3GPP protocols (requires no changes in MS or MSC/SGSN)
       - Existing GSM MM, CM and higher layer protocols
       - GSM voice encoding carried over IP between the MS and UNC
       - Existing GPRS LLC and higher layer protocols
       - Existing A-interface protocols
       - Existing Gb-interface protocols
       - Existing Wm interface protocols
     • UMA specific protocols
       - UMA-RR (peer of GSM-RR): a protocol specific to the characteristics of the unlicensed radio link, which are quite different from those of the GERAN radio link. Provides the following services:
         - registration with the UNC
         - setup of the bearer path for CS traffic between the MS and UNC
         - handover support between GERAN and UMA; e.g. functions such as GPRS suspension, paging, ciphering configuration, classmark change, application level keep-alive etc.
         - support for identification of the AP being used for UMA access
       - UMA-RLC (peer of GSM-RLC): the protocol provides the following services:
         - delivery of GPRS signaling and SMS messages over the secure tunnel
         - paging, flow control, GPRS transport channel management
         - transfer of GPRS user plane data
     • Standard IP based protocols
       - IP over standard lower layers
       - TCP to provide a tunnel for GSM/GPRS signaling and SMS
       - IPsec ESP to provide a secure tunnel for GERAN bearer (speech and data) and signaling traffic
       - IKEv2 [IKEv2] and EAP-SIM [EAP SIM] for authentication and for establishing and maintaining an SA between MS and UNC
       - UDP for IPsec NAT traversal
       - UDP for GPRS data transfer
       - RTP/UDP for transfer of GSM vocoder frames over IP transport
     • Standard unlicensed radio access protocols
       - 802.11 protocols for PHY and MAC, including functions for association, authentication, encryption, data transfer and traffic prioritization
       - Bluetooth protocols for PHY, Baseband, LMP, L2CAP and SDP, including functions for discovery, paging, pairing (authentication), encryption, ACL and data and voice traffic transfer. Additionally, BNEP is used to provide Ethernet emulation over Bluetooth ACL links as per the PAN profile.

  18. UMA: Security Mechanisms
     [Figure: four security layers along the path MS - AP - IP network - UNC - interfaces A, Gb - MSC/VLR & SGSN - IP network - application server: 1. Unlicensed Interface Security; 2. Up Interface Security; 3. CN authentication, GPRS ciphering; 4. Data Application Security (e.g. HTTPS).]
     1. Security mechanisms over the unlicensed radio interface (between the MS and the AP)
        • include the authentication and encryption functions defined for the unlicensed mode radio interface protocols applied.
        • apply to voice, data and signaling over the radio interface.
     2. Security mechanisms over the Up interface (between the MS and UNC)
        • include both authentication and encryption functions to protect signaling, voice and data traffic flows.
     3. Authentication of the MS by the core network (between MS and the MSC/VLR or MS and SGSN)
        • remains transparent to the UNC
        • a cryptographic binding between the MS-CN authentication and the MS-UNC authentication to prevent man-in-the-middle attacks.
        • GPRS ciphering (an LLC layer ciphering scheme) operates between the MS and the SGSN.
     4. Application level security mechanisms (between the MS and the application server or gateway)
        • can be employed to secure the end-to-end communication, e.g. the MS may run the HTTP protocol over an SSL session for secure web access.

  19. UMA: Addressing Issues – MS and AP
     MS addressing parameters
     • The IMSI associated with the SIM in the terminal. This identifier is provided by the MS to the UNC when it registers to a UNC. The UNC maintains a record for each registered MS. For example, the IMSI is used by the UNC to find the appropriate MS record when the UNC receives a BSSMAP PAGING message.
     • Public IP address of the MS. The public IP address of the MS is the source IP present in the outermost IP header of packets received from the MS by the UNC-SGW. If available, this identifier may be used by the UNC to support location services and fraud detection. It may also be used by service providers to signal to managed IP networks the IP flows that require QoS treatment.
     AP addressing parameters
     • The "Access Point (AP) ID". The AP-ID is the MAC address of the unlicensed mode access point through which the MS is accessing UMA service. This identifier is provided by the MS (obtained via broadcast from the AP) to the UNC via the Up interface, when it requests UMA service. The AP-ID may be used by the UNC to support location services. The AP-ID may also be used by the service provider to restrict UMA service access to authorized APs only.

  20. UMA: Cell Identifiers
     Why maintain the GERAN notion of cell in the UMA network?
     • Support for location dependent services such as emergency calling, operator announcements and free phone numbers.
     • Help identify the location of the call for billing purposes.
     • Handover assistance.
     In UMA the notion of a "cell" is defined by some logical grouping of MSs being served by a UNC. The cell assignment can be based on the
     • overlapping GSM cell that the MS is located in.
     • identity or location of the AP, or GPS co-ordinates of the MS.
     Determining the cell-id for handover (ARFCN allocation to UMA cell)
     • Handover makes use of an RF channel number (ARFCN) and BSIC (base station identity code) to identify the target cell.
     • UMA operates in a different frequency band, hence a virtual ARFCN is assigned to each UMA cell (i.e. each UNC; assuming each UNC forms a separate UMA cell). This ARFCN/BSIC is indicated to the MS by the UNC during registration.
     • This assigned ARFCN is never used; it should not be allocated from the operator's BCCH pool. Also, the same ARFCN number is preferred across the entire network to avoid BSS configuration. It can be assigned from a frequency band not used by the operator.

  21. UMA: Network Discovery and Registration
     Entities: MS, DNS, Provisioning UNC (with SGW), Default UNC (with SGW), Serving UNC (with SGW).
     1. DNS query (provisioned or derived SGW FQDN)
     2. DNS
     3. Establish secure tunnel
     4. DNS query (provisioning UNC FQDN)
     5. DNS response
     6. URR Discovery Request (CID, LAI, IMSI)
     7. URR Discovery Accept (Default SGW IP address, Default UNC IP address)
     8. URR Discovery Reject (Cause)
     9. Establish secure tunnel
     10. URR Register Request (CID, LAI, IMSI)
     11. URR Register Redirect (SGW IP address, Serving UNC IP address)
     12. Establish secure tunnel
     13. URR Register Request (CID, LAI, IMSI)
     14. URR Register Accept
     15. URR Register Reject/URR Register Redirect
     The MS initiates the discovery, which serves the following purposes:
     • informs the UNC that an MS is now connected through a particular AP and is available at a particular IP address; required for providing GERAN services, e.g. mobile-terminated calls.
     • provides the MS with the operating parameters associated with the UMA service.

  22. UMA: Registration Update and De-register
     [Figure: five message diagrams between the MS and the S-UNC, carrying the messages URR REGISTER UPDATE UPLINK, URR REGISTER REDIRECT, URR DEREGISTER, URR KEEP ALIVE and URR REGISTER UPDATE DOWNLINK.]
     • Registration Update Uplink: the MS updates the UNC with changes about the AP or the identity of the overlapping GSM cell.
     • Registration Update Downlink: the UNC updates the MS with changes related to system information or the status of location services.
     • De-registration initiated by the MS: the MS explicitly informs the UNC about leaving the UMA mode; the UNC frees the resources assigned to the MS. The UNC may also implicitly deregister the MS when the TCP connection to the MS is abruptly lost.
     • De-registration initiated by the UNC: the deregistration procedure can also be initiated by the Serving UNC.
     • Keep Alive messages: the Keep Alive messages indicate to the peer URR entities that the MS remains registered to the UNC. The MS in turn remains informed that the UNC is still available using the currently established lower layer connection.

  23. UMA: EAP-SIM authentication
     Entities: MS, AP, UNC-SGW, AAA, HLR.
     1. Unlicensed link establishment
     2. IKE_SA_INIT
     3. Select appropriate AAA server
     4. EAP Response/Identity [NAI based on IMSI]
     5. EAP Request/SIM Start
     6. EAP Request/SIM Start
     7. EAP Response/SIM Start [NONCE_MT]
     8. EAP Response/SIM Start [NONCE_MT]
     9. Send Auth Info
     10. Response (triplets)
     11. EAP Request/SIM-Challenge [RAND, MAC, Next re-auth ID]
     12. EAP Request/SIM-Challenge [RAND, MAC, Next re-auth ID]
     13. Execute EAP/SIM
     14. EAP SIM/Response-Challenge [MAC]
     15. EAP SIM/Response-Challenge [MAC]
     16. Verify MAC
     17. EAP Success + keying material
     18. EAP Success
     19. Complete IKE signaling
     20. UMAN REGISTRATION
     EAP-SIM authentication procedure
     • The EAP-SIM mechanism authenticates the MS with the UNC using GSM credentials.
     • The EAP-SIM procedure is performed between the MS and the AAA, and the UNC-SGW relays the associated messages.
     • When the EAP-SIM procedure has completed successfully, the IKEv2 procedure can be continued to completion and the signaling channel between MS and UNC-SGW is secured. The MS and UMAN can then continue with the discovery or registration procedure.

  24. UMA: EAP-SIM Fast Re-authentication
     Entities: MS, UNC, HLR.
     1. IKE_SA_INIT
     2. EAP Response/Identity [Re-authentication ID]
     3. EAP Request/SIM/Re-authentication [Counter, NONCE, MAC, Next re-auth ID]
     4. EAP Request/SIM/Re-authentication [Counter, NONCE, MAC, Next re-auth ID]
     5. Verify Counter, MAC
     6. EAP SIM/Response-Challenge [Counter, MAC]
     7. EAP SIM/Response-Challenge [Counter, MAC]
     8. Verify Counter, MAC
     9. EAP Success
     10. EAP Success
     • In fast re-authentication, the AAA server and MS re-authenticate each other based on the keys derived in the preceding full authentication.
     • Fast re-authentication is provided by EAP-SIM, and does not make use of the GSM A3/A8 procedures. The decision to make use of the fast re-authentication procedure is taken by the AAA server.
     • The MS initiates a new SA with a UNC-SGW that it was previously connected to and uses the re-authentication ID (received during the previous full authentication procedure) in the IKE_SA_INIT exchange.
     • The suitability of fast re-authentication can be demonstrated in a number of scenarios, e.g. when setting up a new SA because the IP address of the MS has changed as a result of a handover between APs connected to different IP subnets. In the presence of a large number of mobile stations, the reduction in network load (more specifically the authentication related network load) from avoiding such frequent re-keying can be significant.

  25. UMA: Encryption
     Entities: MS, UNC, GERAN CN.
     1. Cipher mode command (CN to UNC)
     2. URR-CIPHERING-MODE-COMMAND [algorithms, cipher response, rand, …]
     3. URR-CIPHERING-MODE-COMPLETE [algorithm, IMEI, MAC(rand, …)]
     4. Verify MAC
     5. Cipher mode complete (UNC to CN)
     • During a GERAN to UMAN handover, the MS first authenticates with the UMAN using EAP-SIM authentication, then acquires an IP address on the subnet protected by the UNC-SGW (which acts as a NAT) and initiates creation of an SA between itself and the UNC-SGW.
     • Various security configuration parameters are negotiated during connection establishment, e.g. ciphering mode, specific encryption algorithms etc.
     • During a handover from UMAN to GERAN, the MS authenticates with the core network using established GERAN procedures.
     • During an intra-UMAN handover, i.e. when the point of attachment of the MS changes from one subnet to another (hence acquiring a new IP address), EAP-SIM based fast re-authentication procedures are used.
     Ciphering Configuration
     • The Cipher mode command from the CN contains the cipher key Kc and the encryption algorithms that the UNC may use.
     • The UNC indicates to the MS whether stream ciphering shall be started or not (after handover to GERAN) and, if so, which algorithm to use, and a random number.
     • The MS computes a MAC based on the random number, the MS IMSI, the FQDN of the UNC and the key Kc. The MS then sends a message to signal its selected algorithm, the computed MAC, and the IMEI.
     • The UNC verifies the MAC and, if it is found correct, sends the Cipher mode complete message to the CN.
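The ciphering configuration exchange of slide 25, as an added example that is not part of the original slides: both sides of the URR-CIPHERING-MODE-COMMAND / COMPLETE exchange, with the UNC checks that reject a wrong Kc, a MAC bound to a different UNC name, a replayed response and an algorithm that was never offered. The slide does not name the MAC function or the field encoding, so HMAC-SHA-1 over length-prefixed fields is an assumption, and the class names, IMSI, IMEI, Kc and FQDN are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample values (test PLMN 001/01, documentation domain).
IMSI = "001010123456789"
IMEI = "490154203237518"
KC = bytes.fromhex("00112233445566ff")   # 64-bit GSM cipher key
UNC_FQDN = "unc1.example.net"


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix every field so that field boundaries cannot be shifted."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def compute_mac(kc: bytes, rand: bytes, imsi: str, unc_fqdn: str) -> bytes:
    """MAC over (rand, IMSI, UNC FQDN) keyed with Kc.

    Assumption: HMAC-SHA-1; the slide only lists the inputs.
    """
    msg = encode_fields(rand, imsi.encode("ascii"), unc_fqdn.encode("ascii"))
    return hmac.new(kc, msg, hashlib.sha1).digest()


@dataclass(frozen=True)
class CipheringModeCommand:      # UNC -> MS
    algorithms: tuple            # algorithms the CN allowed the UNC to use
    rand: bytes                  # fresh random challenge


@dataclass(frozen=True)
class CipheringModeComplete:     # MS -> UNC
    algorithm: str
    imei: str
    mac: bytes


def ms_respond(kc, imsi, imei, unc_fqdn, cmd, supported):
    """MS side: select the first offered algorithm it supports, MAC the challenge."""
    chosen = next((a for a in cmd.algorithms if a in supported), None)
    if chosen is None:
        raise ValueError("no common ciphering algorithm")
    return CipheringModeComplete(chosen, imei,
                                 compute_mac(kc, cmd.rand, imsi, unc_fqdn))


class Unc:
    """UNC side of the exchange; Kc arrives in the CN's Cipher mode command."""

    def __init__(self, fqdn: str):
        self.fqdn = fqdn
        self._pending = {}       # imsi -> (kc, command) awaiting a response

    def ciphering_mode_command(self, imsi, kc, algorithms):
        cmd = CipheringModeCommand(tuple(algorithms), os.urandom(16))
        self._pending[imsi] = (kc, cmd)
        return cmd

    def ciphering_mode_complete(self, imsi, msg) -> bool:
        """True means 'send Cipher mode complete to the CN'."""
        pending = self._pending.pop(imsi, None)   # one response per challenge
        if pending is None:
            return False
        kc, cmd = pending
        if msg.algorithm not in cmd.algorithms:   # never offered: reject
            return False
        expected = compute_mac(kc, cmd.rand, imsi, self.fqdn)
        return hmac.compare_digest(expected, msg.mac)  # constant-time compare


if __name__ == "__main__":
    unc = Unc(UNC_FQDN)
    cmd = unc.ciphering_mode_command(IMSI, KC, ["A5/3", "A5/1"])
    reply = ms_respond(KC, IMSI, IMEI, UNC_FQDN, cmd, {"A5/1", "A5/3"})
    print("selected:", reply.algorithm,
          "accepted:", unc.ciphering_mode_complete(IMSI, reply))
```

Because the UNC's name is a MAC input, a response computed by an MS that believes it is talking to a different UNC fails verification at this one.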

  26. UMA: Mobile Originated Speech Call
     Entities: MS, UNC, CN.
     1. URR UPLINK DIRECT TRANSFER (CM Service Request)
     2. Complete Layer 3 Info
     3. Authentication
     4. Cipher-Mode Command
     5. URR CIPHERING MODE COMMAND
     6. URR CIPHERING MODE COMPLETE
     7. Cipher-Mode Complete
     8. URR DOWNLINK DIRECT TRANSFER (CM Service Accept)
     9. URR UPLINK DIRECT TRANSFER (Setup)
     10. URR DOWNLINK DIRECT TRANSFER (Call Proceeding)
     11. Assignment Request
     12. URR ACTIVATE CHANNEL
     13. Uplink user plane RTP Stream
     14. URR ACTIVATE CHANNEL ACK
     15. Downlink user plane RTP Stream
     16. Assignment Complete
     17. URR ACTIVATE CHANNEL COMPLETE
     18. URR DOWNLINK DIRECT TRANSFER (Alerting)
     19. URR DOWNLINK DIRECT TRANSFER (Connect)
     20. URR UPLINK DIRECT TRANSFER (Connect Ack)
     21. VOICE TRAFFIC

  27. UMA: Mobile Terminated Speech Call
     Entities: MS, UNC, CN.
     1. Paging Request
     2. URR PAGING REQUEST
     3. URR PAGING RESPONSE
     4. Complete Layer 3 Info
     5. Authentication
     6. Ciphering Configuration
     7. URR DOWNLINK DIRECT TRANSFER (Setup)
     8. URR UPLINK DIRECT TRANSFER (Call Confirmed)
     9. RTP stream setup (Assignment Procedure)
     10. URR UPLINK DIRECT TRANSFER (Alerting)
     11. URR UPLINK DIRECT TRANSFER (Connect)
     12. URR DOWNLINK DIRECT TRANSFER (Connect Ack)
     13. VOICE TRAFFIC

  28. UMA: Handover to UMAN

Entities: MS, UNC, BSC, CN
Starting condition: UMAN Registered

1. Um: Measurement Report
2. Handover Reqd.
3. Handover Request
4. Handover Request Ack
5. Handover Command
6. Um: Handover Command
7. URR HANDOVER ACCESS
8. RTP stream setup
9. URR HANDOVER COMPLETE
10. Handover Detect
11. VOICE
12. Handover Complete
13. Clear Command
14. Clear Complete

  29. UMA: Handover to GERAN

Entities: MS, UNC, BSC, CN
Starting condition: Ongoing UMAN Connection

1. URR UPLINK QUALITY INDICATION
2. URR HANDOVER REQUIRED
3. Handover Required
4. Handover Request
5. Handover Request Ack
6. Handover Command
7. URR HANDOVER COMMAND
8. Um: Handover Access
9. Handover Detect
10. VOICE
11. Um: Physical Information
12. Um: Handover Complete
13. Handover Complete
14. VOICE
15. Clear Command
16. URR RELEASE
17. Clear Complete
18. URR RELEASE COMPLETE
19. URR DEREGISTER

  30. UMA: Unlicensed Radio Link Control for GPRS data

Whenever GPRS data transfer is initiated, a UDP based URLC connection is established between the MS and the UNC. The following are required for URLC connection establishment:
• The MS knows the destination IP address, the destination UDP port to be used for GPRS related data and the value of the URLC-CHANNEL-TIMER.
• The UNC knows the destination UDP port to be used for GPRS data transfer for a specific MS.

URLC can be in the following two states.

In URLC-STANDBY state
• the MS is not able to send or receive GPRS data to and from the UNC. The UNC or the MS needs to activate the URLC Transport Channel before sending any GPRS data.
• the corresponding URLC Transport Channel does not exist. When the URLC Transport Channel is activated, the MS enters the URLC-ACTIVE state.

In URLC-ACTIVE state
• the MS is able to send and receive GPRS data to and from the UNC.

A URLC channel timer controls the transition from URLC-ACTIVE to URLC-STANDBY state as follows: the MS URLC layer implements a timer that is started when the MS enters URLC-ACTIVE state and restarted each time a non-NULL LLC-PDU is transmitted to or received from the network. When the timer expires, the MS deactivates the URLC Transport Channel and the MS URLC enters URLC-STANDBY state.
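
The timer rule above as a small MS-side state machine, added here as an illustration and not taken from the presentation or the UMA specification. The class, the injectable clock, the `null_frame` flag and the 10-second timer value are assumptions; the trace shows that a NULL LLC-PDU passes over an active channel without extending its lifetime.

```python
class UrlcMs:
    """MS-side URLC state machine driven by the URLC channel timer."""
    STANDBY, ACTIVE = "URLC-STANDBY", "URLC-ACTIVE"

    def __init__(self, channel_timer_s: float, clock):
        self.timer_s = channel_timer_s   # URLC-CHANNEL-TIMER value known to the MS
        self.clock = clock               # injectable time source (hypothetical helper)
        self.state = self.STANDBY
        self.deadline = None

    def current_state(self) -> str:
        # Timer expiry deactivates the transport channel: ACTIVE -> STANDBY.
        if self.state == self.ACTIVE and self.clock() >= self.deadline:
            self.state, self.deadline = self.STANDBY, None
        return self.state

    def activate(self) -> None:
        # Transport channel activation; the timer starts on entering ACTIVE.
        if self.current_state() == self.STANDBY:
            self.state = self.ACTIVE
            self.deadline = self.clock() + self.timer_s

    def transfer(self, llc_pdu: bytes, null_frame: bool = False) -> bool:
        """Send or receive one LLC-PDU; returns False if the channel is down."""
        if self.current_state() != self.ACTIVE:
            return False                 # no GPRS data in URLC-STANDBY
        if not null_frame:               # only non-NULL LLC-PDUs restart the timer
            self.deadline = self.clock() + self.timer_s
        return True


def run_trace():
    now = [0.0]
    ms = UrlcMs(channel_timer_s=10.0, clock=lambda: now[0])  # 10 s is a constructed value
    trace = []

    def record(label, value):
        trace.append((now[0], label, value))

    record("data in standby", ms.transfer(b"\x01"))
    ms.activate()
    record("state", ms.current_state())
    now[0] = 6.0
    record("data", ms.transfer(b"\x01"))                 # deadline moves to t=16
    now[0] = 12.0
    record("null", ms.transfer(b"", null_frame=True))    # deadline stays at t=16
    now[0] = 15.9
    record("state", ms.current_state())
    now[0] = 16.0
    record("state", ms.current_state())                  # timer expired
    record("data", ms.transfer(b"\x01"))
    return trace
```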

  31. UMA: GPRS Data Transport

Diagrams (entities MS, AP, UNC, CN):
User data transport: 1. URLC Transport Channel activation; 2. URLC-UNITDATA (QoS, priority, TLLI, PFI, LLC-PDU); 3. BSSGP (LLC-PDU); 4. BSSGP (LLC-PDU); 5. URLC-UNITDATA (TLLI, PFI, LLC-PDU); 6. Additional URLC user data transport; 7. URLC Transport Channel deactivation. Timer labels: URLC channel timer started; URLC channel timer expires.
Signalling and SMS transport: 1. URLC-DATA (QoS, priority, TLLI, PFI, LLC-PDU); 2. BSSGP (LLC-PDU); 2. BSSGP (LLC-PDU); 4. URLC-DATA (TLLI, PFI, LLC-PDU).

User Data Transport
• MS sends an uplink LLC PDU to the UNC (relayed to CN) with parameters required for Gb interface and TLLI as MS identifier. Restarts the URLC channel timer.
• CN sends the downlink LLC PDU to the UNC (relayed to MS) that contains GPRS user data via the Gb interface. The MS is identified with the TLLI and restarts the URLC channel timer on data reception.
• In the absence of any link level data, the URLC channel timer expires and the corresponding URLC TC is deactivated.

Signalling and SMS Transport
• The MS LLC requests the URLC layer to transfer an uplink GMM/SM signaling message or SMS Message (e.g. a GMM attach request or SM PDP context activation message).
• The MS URLC sends a LLC PDU encapsulated within a URLC-DATA message via the Gb interface to the UNC (relayed to the CN).
• The CN replies with a GMM/SM signaling or SMS message (e.g. GMM attach accept or SM PDP context activation accept message) – relayed via the UNC (encapsulated within a URLC-DATA message) to the MS.

  32. UMA: Packet Paging Support

Diagrams (entities MS, AP, UNC, CN):
Packet paging for GPRS: 1. BSSGP (Paging-PS-PDU); 2. URLC-PS-PAGE (Mobile Identity); 3. LLC_PDU Transport; 4. BSSGP (LLC-PDU).
Packet paging for circuit mode service: 1. BSSGP (Paging-CS-PDU); 2. URR PAGING REQUEST; 3. URR PAGING RESPONSE; 4. BSSMAP (Complete L3 Info).

Packet Paging for GPRS
• CN sends a PS page (identified by PTMSI or IMSI) via the UMAN for a GPRS attached MS.
• The UNC (after verification for MS registration) forwards the corresponding URLC-PS-PAGE msg. to the MS using the TCP signaling connection.
• The MS sends any LLC PDU (forwarded to the UNC) to respond to the page, activating a channel as needed.

Packet Paging for Circuit Mode service
• CN sends a CS page (identified by PTMSI or IMSI) for a UMA registered and currently GPRS attached MS via the Gb interface. The mobile station is currently GPRS attached via the UMAN.
• The UNC (after verification for MS registration) forwards the corresponding URR PAGING REQUEST msg. (channel needed and IMSI/TMSI id) to the MS using the signaling TCP connection.
• The MS initiates the standard CS page response procedure via the UMAN.

  33. UMA: Flow Control

Diagrams (entities MS, AP, UNC, CN):
MS initiated: 1. Flow control condition detected; 2. URLC-FC-REQ (FC Adjustment); 3. BSSGP-Flow-Control; 4. URLC-FC-REQ (FC Adjustment); 5. BSSGP-Flow-Control; 6. URLC DL FC timer expires; 7. Flow control condition resolved. Timer label: URLC DL FC timer.
UNC initiated: 1. Uplink Flow control condition detected; 2. URLC-FC-REQ (FC Adjustment); 3. URLC-FC-REQ (FC Adjustment); 4. URLC-FC-REQ (FC Adjustment); 5. Flow control condition resolved. Timer label: URLC DL FC timer.

MS Initiated Downlink Flow Control
• The MS sends a flow control request message (URLC-FC-REQ, specifying the required data rate correction) to the UNC via the URLC TC and starts a URLC DL FC timer to continue monitoring the flow control condition.
• The UNC calculates the adjusted flow control parameters for the MS and sends the corresponding request to the CN to reduce the downlink data rate for the MS.
• If the CN does resolve the downlink data rate before the expiry of the URLC DL FC timer at the MS, MS forwards another request to the UNC.

UNC Initiated Downlink Flow Control
• The UNC sends a flow control request message (URLC-FC-REQ, specifying the required data rate correction) to the MS via the URLC TC and starts a URLC DL FC timer to continue monitoring the flow control condition.
• Upon receiving the message, the MS adjusts the uplink data rate accordingly.
• If the MS does resolve the downlink data rate before the expiry of the URLC DL FC timer at the UNC, UNC forwards another request to the MS.

  34. UMA: GPRS Suspend and Resume Support

Diagrams (entities MS, AP, UNC, CN):
GPRS suspend: 1. URR-GPRS-SUSPENSION-REQUEST; 2. BSSGP GPRS Suspend.
GPRS resume: 1. Clear Command; 2. Clear Complete; 3. BSSGP GPRS Resume; 4. URR-RELEASE (GPRS_resumption); 5. URR-RELEASE-COMPLETE; 6. Resume GPRS service if required.

GPRS Suspend
• While transitioning to dedicated mode and if unable to support simultaneous voice and data services, the MS sends a URR-GPRS-SUSPENSION-REQUEST message to the UNC to suspend downlink GPRS traffic. The request is transferred via the signaling TCP connection and includes TLLI and suspension cause parameters.
• The UNC initiates and completes the BSSGP GPRS suspend procedure.

GPRS Resume
• Initially, the MS is in the dedicated mode and the GPRS service is suspended.
• On receiving a resume instruction from the CN, the UNC releases the resources associated with the dedicated mode and sends a URR-RELEASE message to instruct the MS to release the RR connection.
• The MS replies with a URR-RELEASE-COMPLETE message and resumes GPRS service internally.
• Optionally, if the CN indicated unsuccessful resumption, the MS initiates GPRS service resumption as per standard GPRS.

  35. UMA : Underlying Assumptions

[Architecture diagram: MS, APs, broadband IP network, secure tunnel, UMA network with UNC and SGW, GERAN (GSM/GPRS radio access network), MSC, SGSN, AAA server, VLR/HLR; interfaces Up, A, Gb, Wm; VPLMN/HPLMN and roaming HPLMN with AAA and HLR]

• Two radios: The proposed UMA architecture assumes that there are two radios (one each for GERAN and WLAN) and hence a scheme on the lines of the ‘make before break’ paradigm is proposed.
• WLAN detection: Detection of Unlicensed Mobile Coverage is the sole responsibility of the Mobile Station. It is expected that while in GSM mode, the MS would periodically scan for 802.11 coverage, and any successful unlicensed link establishment can be reported back to the UMAN controller (UNC) for initiating a handover from the GSM/GPRS network to the newly registered WLAN.
• MS reported IP address: Once the MS joins the WLAN, it reports the IP address assigned by the AP to the UNC. A security association is subsequently established between the MS and the UNC. The UNC assumes the IP address reported by the MS to be trustworthy and does not require any prior trust relationship between itself and the WLAN.
• Resource availability: Unlicensed link establishment is assumed to have negotiated enough and sustainable resources required to support the session.

  36. Thoughts/Concerns

• Authorized GERAN WLAN: Periodic scanning for WLAN availability throughout the operating (battery) lifetime would be beneficial if there are prospects of finding hotspots very often. Even with an almost exponential increase in WLAN hotspot deployment, it remains doubtful whether the user would be willing to offload critical and delay-sensitive voice calls to any or all WLANs with which he might successfully authenticate without co-authorization from the GERAN service provider. The quality/security of the session will be the main concern.
• Soliciting Attacks: Frequent scanning also provides more opportunity for attacks, more significantly a resource-consuming authentication process which is initiated only to be discarded in the end when the prospective WLAN identity cannot be verified.
• Exploiting Low Power Modes: An obvious approach of keeping the WLAN radio in low power mode, waking up only periodically for quick scanning, might reduce the associated power consumed, but the overhead involved from a second radio point of view would still be too large.
• Trusting the weakest link: WLAN security is weak and easy to compromise when compared to cellular access schemes. It is easy to fool an MS into believing it has found an authenticated WLAN, so that it requests session transfer from GERAN to the newly found UMAN. GERAN blindly accepts the request without having any trust relationship of its own.
• Resolving accountability: As per the new architecture, two mutually untrusted parties (GERAN and UMAN) will be involved in carrying the voice/data session to the end user. It is unclear how call-related disputes would be resolved. GERAN can argue that its responsibility ends at the UNC, while UMAN would view this as any other broadband service provided to the subscriber with best effort delivery. For the UMAN to guarantee accountable call handling, it is necessary to have some arrangement binding on both parties.
• Secure tunnel carrying TCP over wireless link: It is well established that TCP performs poorly on wireless links, since it interprets any packet loss (even those occurring due to bit errors and handoffs) as a sign of congestion and responds by invoking the congestion control and avoidance algorithm, resulting in degraded end-to-end performance in wireless and lossy systems. It is unclear how this problem can be addressed with the proposed UNC to MS IPsec tunnel, which encrypts the IP payload, so that none of the proposed enhancements (splitting TCP connections, snooping TCP at base stations, selective acknowledgement and transport-aware link layer protocols) can be applied.
• Working with a single configurable radio: If hardware developments bring along a single radio, it is unclear how the scheme would work: such periodic radio switching, without any hint about the possibility of a preferred WLAN nearby, would result in extremely high switching overheads.

  37. An Alternate Approach

• The notion of Wireless Habitat Network (WHN) is based on the observation that integration of unlicensed mobile access (WLAN or Bluetooth) is both pressing and practical for regions where the user spends considerable time. To begin with we include the following in WHN:
  (a) Office WLAN
  (b) Home LAN
• WHN Characterisation:
  • Areas significantly longer and more frequently inhabited by a user (regions of dominant habitat, e.g. home & office WLANs)
  • Indoor environment where unlicensed low power radios like Bluetooth work effectively.
  • Not necessarily well administered, e.g. home WLANs.
• Opportunities/Challenges:
  • Current mobile devices (PDAs, cell phones) already come with an inbuilt (alternate) radio (Bluetooth or Infrared), primarily for synchronization with desktops or notebooks. We view this as a low power radio which can be used to wake the more power-consuming WLAN radio only when a trusted WLAN has been identified within range.
  • The Unlicensed Networks will have to be made more secure.
  • Access Points will have to be integrated with an additional low power radio, e.g. Bluetooth.
• Motivation:
  • The primary objective of the proposed approach is to reduce the energy consumed in locating a trusted WLAN.
• Rationale:
  • WLAN even in power save mode consumes far more energy than, say, Bluetooth in power save mode.

  38. Rationale: Low Power Modes of Unlicensed Radio

Bluetooth low-power mode

| State | Transition time (ms) | Avg. power (W) |
|---|---|---|
| Active Mode | | 0.09 – 0.24 |
| Hold Mode | | 0.061 |
| Hold mode entry | 1.68 | 0.068 |
| Hold mode exit | 11.62 | 0.216 |
| Park Mode | | 0.061 |
| Park mode entry | 2.16 | 0.077 |
| Park mode exit | 4.12 | 0.126 |
| Sniff Mode | | 0.061 |
| Sniff mode entry | 0.94 | 0.078 |
| Sniff mode exit | 7.36 | 0.194 |

• Hold mode: stops data transfer by the requested device for a negotiated interval.
• Sniff mode: useful for low data rate links where a quick response is required whenever data is present.
• Park mode: used to enhance the number of simultaneously connected slaves. No data transfer takes place, as the device gives up its connection id but remains synchronized (link setup takes about 10 s in Bluetooth).

802.11b low-power mode

• Doze: In 802.11b a synchronization beacon is transmitted by a central access point (AP) every 100 ms. The beacon is followed by a traffic indication map (TIM) indicating any required data transfers. Doze mode is activated until the next beacon if no data transfer is required.
• Off: Transitions to the off mode either from active or doze mode.

| State | Transition time (ms) | Avg. power (W) |
|---|---|---|
| Transmit state | - | 2.25 |
| Receive state | - | 1.4 |
| Doze state | - | 0.75 – 1.4 |
| Doze state entry | 0.1 | 1.4 |
| Doze state exit | 1 | 1.6 |
| Off state | - | - |
| Off state entry | 1 | 1.7 |
| Off state exit | 300 | 2.3 |

  39. The architecture

[Architecture diagram: WLAN and Bluetooth access, IP network, UNC with SGW, MSC, SGSN, HLR, AAA; interfaces A, Gb, Wm; VPLMN/HPLMN and roaming HPLMN with AAA and HLR]

• MS joins the existing Bluetooth PAN and polls for any GERAN related signalling.
• On receiving a relevant event, the Bluetooth interface wakes the WLAN radio in the MS and a WLAN specific connection is established with the access point.
• The procedures of the UMA specification are followed.
• The Bluetooth radio goes back to periodic polling mode, i.e. hold (low power mode) – scan – hold.

  40. Network Discovery and GERAN interaction

Diagram entities: MS (WLAN, GERAN, Bluetooth), WHN (Bluetooth PAN, WLAN AP), UNC, GERAN (AAA, HLR)

Diagram events, in the order shown: Bluetooth Link Establishment; Wake up; WLAN radio ON; WLAN Link Establishment; EAP-SIM based authentication and UMA registration; WLAN radio OFF; Bluetooth radio ON; Bluetooth radio HOLD mode; Incoming call request; Incoming Call; Resource Allocation; Bluetooth Radio Scan mode; WLAN re-establish and Ready; Accept signal to UNC; Call ends

  41. Action Plan (TBD) >> Simulation >> Prototyping >> Dissemination

