Vous êtes sur la page 1sur 163

0

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
With the robust development of the current services and diversification of requirements, however, the 3G
universal mobile telecommunications system (UMTS) architecture is encumbered with the following
limitations:
Insufficient support for packet switched (PS) domain services. Generally, the 3G UMTS system supports
only non-real time services. Voice services are carried in the circuit switched (CS) domain;
Low efficiency of routes in forwarding data due to the over-layered networks;

Incapability of supporting multiple radio access systems.

The LTE/SAE project of 3GPP aims to work out a long term evolution program and explore key
technologies in the coming 10 years. According to the 3GPP evolution design, the LTE/SAE system
provides the following features:
Overall packetization of the network architecture: the all-IP network contains the PS. Voice services are
jointly provided by the PS and the IP Multimedia Subsystem (IMS). In this case, the network efficiency
and performance can be enhanced;
Flattened network architecture: the network architecture becomes simpler. Thus, networks can be
deployed more easily and the data transmission delay is greatly shortened;
Support of the multiple access technologies: the LTE/SAE system supports the interworking with the
existing 3GPP system. In addition, it supports the access of users in non-3GPP networks and supports
the roaming and switching of users between 3GPP and non-3GPP networks;
High data transmission rate: the peak rate of the downlink traffic reaches 100 Mbps and the peak rate
of the uplink traffic reaches 100 Mbps.

Confidential Information of Huawei. No Spreading Without Permission


The EPS (Evolved Packet System) consists of the following three parts:
UE: The user equipment (UE) in the EPS is a mobile terminal that originates or receives calls
over the air interface;
LTE subsystem: The long term evolution (LTE) subsystem is the part that supports radio
access and is also called the E-UTRAN. The LTE subsystem completes all the functions related
to radio access;
SAE: The system architecture evolution (SAE) subsystem connects all external packet data
networks (PDNs), for example, the Internet. The SAE subsystem consists of NEs such as the
MME, S-GW, P-GW, and the HSS. The SAE also call as EPC (Evolved Packet Core).

UE: user equipment eNodeB: evolved NodeB


LTE: long term evolution SAE: system architecture evolution
MME: mobility management entity S-GW: serving gateway
HSS: home subscriber server P-GW: packet data network gateway
PCRF: policy control and charging rule
function

Confidential Information of Huawei. No Spreading Without Permission


Network access control functions:
Network/Access network selection;

Authentication and authorization function;

Admission control function: The purpose of admission control is to determine if the


requested resources are available, and then reserve those resources;
Policy and Charging Enforcement Function;

Lawful Interception.

Radio Resource Management functions:


Radio resource management functions are concerned with the allocation and maintenance of
radio communication paths, and are performed by the radio access network. The RRM
strategy in E-UTRAN may be based on user specific information.

Network management functions:


Network management functions provide mechanisms to support O&M functions related to
the Evolved Packet System.

Confidential Information of Huawei. No Spreading Without Permission


In the early stage of EPS deployment, the LTE network has smaller coverage and supports a
relatively small number of subscribers, and therefore the capacity usage of the P-GW is very low.
Also, the demand for mobility is light.
When the S-GW and the P-GW are co-installed, the S5 interface becomes an internal interface
and therefore does not require the deployment of transmission equipment for implementation.
This simplifies network deployment and management, saves the overhead on signaling and data
packet forwarding, reduces system delay, and saves the deployment cost for network carriers.

Confidential Information of Huawei. No Spreading Without Permission


In the mid-stage of EPS deployment, the number of subscribers keeps increasing and the
capacity of the P-GW gradually becomes the bottleneck of system performance. This can be
seen from the following two aspects:
Service performance requirements. As the number of subscribers increases, the demand for
service performance also become intense, including the requirements on throughput,
content-based charging, deep packet inspection (DPI), and online-charging. To meet the
requirements, the service processing capabilities of the S-GW and the P-GW need to be
improved. However, the improvement is not supported by existing hardware.
Mobility requirements. As the LTE network is able to cover increasingly large areas, the

demand for mobility escalates, including the requirements on intra-LTE handovers,


handovers between 2G/3G networks and the LTE network, and handovers between non-
3GPP networks and the LTE network. This results in the dramatic increase of signaling traffic
on the S-GW and the P-GW.
Therefore, the S-GW needs to be separately installed as the access anchor point, which
processes the signaling and data on the access side and a large amount of handover signaling.
The P-GW is the service anchor point, which provides extensive service functions, including IP
address allocation, DPI, content-based charging, online-charging, service policy control, firewall,
and network address translation (NAT).

Confidential Information of Huawei. No Spreading Without Permission


The MME implements mobile management on the control plane, including the management
over user contexts and mobile status and the allocation of temporary user identities.

Confidential Information of Huawei. No Spreading Without Permission


The S-GW is the user-plane anchor point for different 3GPP access networks, which terminates
all the interfaces towards 3GPP access networks. The S-GW is the gateway of the SAE network
and terminates the interface towards the E-UTRAN.

Confidential Information of Huawei. No Spreading Without Permission


The P-GW is the user-plane anchor point for different access networks of non-3GPP
networks. It is the NE that provides external PDN connections, functions as the gateway
of the SAE network, and terminates the SGi interface bound for the PDN.

Confidential Information of Huawei. No Spreading Without Permission


The home subscriber server (HSS) stores all service-related data for subscribers on the
EPS network and provides subscription data management and location management for
subscribers.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
First step (dotted line): subscriber perform registration to MME, MME then select a
Serving GW and a PDN GW, allocate resource, and PDN GW gives the UE an IP address,
after everything is ready, MME send accept message to UE.
Second step (solid line): UE use the IP address from core network, and access the
external network, like internet.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Home Routed traffic accesses the PDN from the home public land mobile network
(HPLMN). Though the visited PLMN (VPLMN) provides VPN connections for the access of
the SAE subsystem, the HPLMN also needs to provide the external network access
function. This ensures that subscribers in both roaming and non-roaming scenarios can
enjoy services, be charged, and obtain consistent policy and charging control (PCC)
policies.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
In EPS/2G/3G Packet Core, this IP network is called a "Packet Data Network" (PDN). In
EPS, the IP connection to this PDN is called a "PDN connection".
A terminal may access a single PDN at a time or it may have multiple PDN connections
open simultaneously, for example one PDN connection to internet and another PDN
connection to IMS network for voice service.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
A PDN connection is a logical connection for IP address(es) and the PDN, during the
establishment of the PDN connection APN also plays an key role.
The APN is defined in the HSS by operator and configured in the UE and PDN GW;

For requesting a PDN connection, the APN will be included in the request message

from UE to core network. The core use APN to select an appropriate PDN GW by DNS
resolution;
PDN GW use APN to select the destination PDN.

Confidential Information of Huawei. No Spreading Without Permission


In a PDN connection, at least one IP address should be allocated to the UE. EPC support
3 types of PDN connection:
IPv4 only;

IPv6 only;

Dual stack IPv4/IPv6.

Different methods can be used to assign IP address(es) to UE, for IPv4 addresses:
The PDN GW can assign IPv4 address to the UE during attach procedure, the IPv4
address is sent to the UE as part of the attach accept message;
Or the UE does not receive an IPv4 address during attach, instead the UE uses
DHCPv4 to request an IP address after attach;
The IP address can also be provided by AAA server, for PDN GW sending a

authentication request including the username and password to AAA server, the AAA
server can response IP address for the UE.

For IPv6 addresses:


Stateless IPv6 address auto configuration is used, a /64 IPv6 prefix is allocated for

each PDN connection and UE. For more information about IPv6 stateless auto
configuration, refer to RFC4862.

Confidential Information of Huawei. No Spreading Without Permission


Bearer is one of the key components in EPS. More than one bearers can be existed in the
same PDN connection simultaneously.
The EPS bearer provides a logical transport channel between the UE and the PDN for
transporting IP traffic.
Each EPS bearer is associated with a set of QoS parameters that describe the properties
of the transport channel, for example bit rates, delay and bit error rate, scheduling policy
in the radio base station, etc.

Confidential Information of Huawei. No Spreading Without Permission


There are two types of bearers:
Default bearer: default bearer is created in the attach procedure, the default bearer

will remains established for the lifetime of the PDN connection. In most cases, the
QoS associated with the default bearer is for user traffic that does not need special
treatment, like web browsing.
Dedicated bearer: the bearers that created for a already existed PDN connection is
called dedicated bearer, these bearers are activated on demand. For example, some
VoIP applications (like Skype) might need some specific guaranteed bit rate that the
default bearer cannot satisfy, in this case, it will try to establish a dedicated bearer.
They will de deactivated after they are no longer needed, for example, the VoIP call
finishes.

Confidential Information of Huawei. No Spreading Without Permission


In case more than one EPS bearers created for the same PDN connection, UE, serving
GW and PDN GW should distinguish IP traffic and the related EPS bearer to provide
differentiated QoS treatment. For example, web browsing traffic will use default bearer
which has 1Mbps bandwidth, voice over IP traffic will use a dedicated bearer which has
2Mbps and less than 100ms QoS attribute. Each EPS bearer is associated with a Traffic
Flow Template (TFT) that includes the packet filters for the bearer.
An packet filter may include the following attributes:
Remote IP address and subnet mask;

Protocol ID for IPv4 or next header for IPv6;

Local port range;

Remote port range;

IPSec security parameter index;

Type of Service (ToS) for IPv4 or traffic class for IPv6;

Flow label for IPv6.

Each packet filter in a TFT is associated with a precedence value that determines in
which order the filters shall be tested for a match.

Confidential Information of Huawei. No Spreading Without Permission


How to identify different EPS bearer context?
TFT is also used to identify different EPS bearer contexts corresponding to one PDP

address. The difference lies in that TFT is used by a PGW or an MS to match a


received downlink G-PDU with a corresponding EPS bearer context so that the PGW
or MS can use the relevant tunnel for transmission.EPS bearer ID is used by an MME
or a SGW/PGW to match different EPS bearer contexts.

In which situation TFT is used?


TFT is used in dedicated bearer activation procedure.

Dedicated bearer activation procedure is triggered in the case that the same IP
address is used to initiate an activation request with the same APN but QoS in this
activation is different from existing bearer.

Confidential Information of Huawei. No Spreading Without Permission


Here illustrates two TFTs:
The left one is used to identify an HTTP stream, in this TFT, destining IP is set as any,

protocol ID is 6 (TCP), destination port is 80 (HTTP).


The right one is used to identify a VoIP stream, the destination IP is a specific IP

address, 212.50.31.226; protocol ID is 17 (UDP), and the destination port is 5070.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
The TAD indicates one requested operation (add, modify, delete). In case flows are
added, the TAD includes the packet filter(s) (consisting of a packet filter identifier and
the packet filter information) to be added.

The TAD is released when the procedure is completed.

Confidential Information of Huawei. No Spreading Without Permission


The PDN GW routes downlink packets to the different EPS bearers based on the
downlink packet filters in the TFTs assigned to the EPS bearers in the PDN connection.
Upon reception of a downlink data packet, the PDN GW evaluates for a match, first the
downlink packet filter that has the lowest evaluation precedence index and, if no match
is found, proceeds with the evaluation of downlink packet filters in increasing order of
their evaluation precedence index. This procedure shall be executed until a match is
found, in which case the downlink data packet is tunneled to the Serving GW on the EPS
bearer that is associated with the TFT of the matching downlink packet filter. If no match
is found, the downlink data packet shall be sent via the EPS bearer that does not have
any downlink packet filter assigned. If all EPS bearers (including the default EPS bearer
for that PDN) have been assigned a downlink packet filter, the PDN GW shall discard the
downlink data packet.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
In mobile system, cell is the least unit. Several neighboring cell can be grouped together
into a Registration area. The base station will broadcast the registration area
information, and UE compares the broadcast registration area information with that
previously stored, if they are different, the UE will initiate a registration area update
procedure.
In 2G/3G system, the registration area for packet service is called routing area (RA), the
registration area update is called routing area update (RAU); while in EPS, the
registration area is called tracking area (TA), the registration area update is called
tracking area update (TAU).
In EPS, a new concept existed, the tracking area list. A tracking area list contains more
than one tracking area, as long as the UE moves within its list of allocated TA list, it does
not have to perform tracking area update.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Subscriptions (the USIM cards) are identified with an IMSI (International Mobile
Subscriber Identity). Each USIM card is assigned a unique IMSI. The IMSI is an E.164
number (basically a string of digits like a phone number) with a maximum length of 15
digits. The IMSI is constructed by an MCC (Mobile Country Code) and MNC (Mobile
Network Code) and an MSIN (mobile subscriber identity). MCC and MNC together is
used to identify a operator uniquely.
IMSI is subscribed in HSS.

Confidential Information of Huawei. No Spreading Without Permission


To provide a level of privacy since the permanent identity that does not need to be sent
over the radio interface, some temporary subscriber identifiers are used. Also, it provide
a mechanism to find the resources where the subscribers temporary context is stored,
for example, eNodeB can use GUTI to send signaling from UE to the correct MME.
The temporary context for the subscriber is allocated by the MME, and stored in both UE
and MME.
GUTI can be used to identify an MME globally. GUTI contains the following parts:
GUMMEI: uniquely identifies the MME which allocated the GUTI;

MMEI: constructed from an MMEGI (MME group ID) and an MMEC (MME Code);

MMEGI: in most cases, MME group ID is used to identify the pool ID when MME pool
is implemented;
MMEC: to identify a single MME in the specific MME pool;

M-TMSI: identifies the subscriber within the MME, the generation of M-TMSI is
manufacture dependent, e.g. randomly.

Confidential Information of Huawei. No Spreading Without Permission


The S-TMSI is the shortened form of the GUTI to enable more efficient radio signaling
procedures (e.g. paging and Service Request). For paging purposes, the mobile is paged
with the S-TMSI. The S-TMSI shall be constructed from the MMEC and the M-TMSI.

Confidential Information of Huawei. No Spreading Without Permission


In LTE network, a new location area is produced, the tracking area. A TAI is used to
identify a tracking area globally.
A tracking area is very similar with routing area in GERAN/UTRAN.
The TAI should be planned by operators.

Confidential Information of Huawei. No Spreading Without Permission


The purpose of the GUTI is to provide an unambiguous identification of the UE that does
not reveal the UE or the user's permanent identity in the Evolved Packet System (EPS).
MCC and MNC shall have the same field size as in earlier 3GPP systems.

M-TMSI shall be of 32 bits length.

MME Group ID shall be of 16 bits length.

MME Code shall be of 8 bits length.

The TAC is a 16 bit integer.

TA List: A TA List consists of several Tracking Areas (TAs). When a UE moves among TAs
belonging to the same TA List, the TA update procedure is not triggered. When the
paging procedure is triggered, the UE is paged in all TAs belonging to one TA List. The
MME sends the Attach Accept, TAU Accept, or GUTI Relocation message, carrying the TA
List, to the UE.

Confidential Information of Huawei. No Spreading Without Permission


APN is used by UE to request a connection to the selected external PDN.
When requesting a PDN connection, UE should include the PDN in the request message
to identify the external PDN which to be accessed.

APN include two parts, APN-NI and APN-OI:


APN-NI: determined by operators to identify the destination PDN, e.g. 4GNET can be
used to identify the PDN is internet, and 4GVOICE can be used to identify the PDN to
be accessed is IMS network. APN-NI is subscribed in HSS
APN-OI: cause the MNC and MCC value for an operator is fixed, the APN-OI can be

used to identify an operator globally, which is specially useful in inter-PLMN roaming


cases.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
There are two security associations of two different levels between a UE and the
network.
Radio resource control (RRC) and user plane (UP) security associations between the
UE and the E-UTRAN. The RRC security association protects RRC signaling between
the UE and the E-UTRAN. The UP security association provides the security function
for the user plane between the UE and the E-UTRAN.
Non-access stratum (NAS) security association between the UE and the MME. It

provides ciphering and integrity protection for the NAS signaling.

Confidential Information of Huawei. No Spreading Without Permission


EPS authentication quaternary
Random Challenge (RAND): A RAND is an unpredictable random value that the

network provides to a UE. The length is 16 octets.


Authentication Token (AUTN): An AUTN is used to provide the authentication

information to a UE, and thus the UE can use the AUTN to authenticate the network.
The length is 17 octets.
Expected Response (XRES): An XRES is an expected response parameter of UE

authentication. It is compared with the RES or RES+RES_EXT generated by a UE to


determine whether the authentication is successful. The length ranges from 4 to 16
octets.
Kasme: A KASME is a root ciphering key deduced according to the CK/IK and the
PLMN ID of the ASME (MME). The length is 32 octets.
An ASME (Access Security Management Entity) receives the top-level key from

the HSS. In the E-UTRAN access mode, the MME serves as an ASME.
CK: It is the ciphering key of the UMTS. The length is 16 octets.

IK: It is the integrity protection key of the UMTS. The length is 16 octets.

During the authentication process, the MME sends RAND and AUTN to the USIM. The
USIM responds to the MMS or rejects the authentication.

Confidential Information of Huawei. No Spreading Without Permission


The key hierarchy includes following keys: KeNB, KNASint, KNASenc, KUPenc, KRRCint and
KRRCenc
KeNB is a key derived by ME and MME from KASME or by ME and target eNB.
Keys for NAS traffic:
KNASint is a key, which shall only be used for the protection of NAS traffic with a
particular integrity algorithm. This key is derived by ME and MME from KASME.
KNASenc is a key, which shall only be used for the protection of NAS traffic with a
particular encryption algorithm. This key is derived by ME and MME from KASME.
Keys for UP traffic:
KUPenc is a key, which shall only be used for the protection of UP traffic with a
particular encryption algorithm. This key is derived by ME and eNB from KeNB.
KUPint is a key, which shall only be used for the protection of UP traffic between RN
and DeNB with a particular integrity algorithm. This key is derived by RN and DeNB
from KeNB.
Keys for RRC traffic:
KRRCint is a key, which shall only be used for the protection of RRC traffic with a
particular integrity algorithm. KRRCint is derived by ME and eNB from KeNB.
KRRCenc is a key, which shall only be used for the protection of RRC traffic with a
particular encryption algorithm. KRRCenc is derived by ME and eNB from KeNB.

Confidential Information of Huawei. No Spreading Without Permission


The purpose of this procedure is to provide the MME with one or more EPS
authentication vectors (RAND, AUTN, XRES, KASME) from the user's HSS to perform user
authentication. Each EPS authentication vector can be used to authenticate the UE.

1. MME initiate authentication data request message to HSS, this message shall include
the IMSI, the Serving Network identity i.e. MCC + MNC, and the Network Type (i.e. E-
UTRAN).
2. Upon the receipt of the authentication data request from the MME, the HSS sends
an authentication response back to the MME that contains the requested
information. If multiple EPS authentication vectors had been requested then they are
ordered based on their sequence numbers. The MME shall be aware of the order of
the EPS authentication vectors and shall use that the EPS authentication vectors in
order.
3. The MME sends to the USIM the RAND and an authentication token AUTN for
network authentication.
4. At receipt of this message, the USIM shall verify the authentication vector by
checking whether AUTN can be accepted. The MME checks that the RES equals XRES.
If so the authentication is successful. If not, depending on type of identity used by
the UE in the initial NAS message, the MME may initiate further identity requests or
send an authentication reject message towards the UE.

Confidential Information of Huawei. No Spreading Without Permission


After the security mode command procedure, the encryption algorithm has been
selected, the ciphering and integrity can be done.

For more detail, please refer to TS 33.401 (3GPP System Architecture Evolution (SAE),
Security architecture) protocol.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Take a internet access for example, a UEs session include two parts: the session inside
EPS, and the session inside the internet. The EPS only covers QoS requirement for the
traffic with in the EPS, that is, between UE and PDN GW, the session in the internet is
beyond the scope of EPS.

While the QoS is an end-to-end concept, to guarantee the QoS for a subscriber, some
other mechanisms are necessary, e.g. a service level agreement (SLA) between the
mobile operator and the ISP.

Confidential Information of Huawei. No Spreading Without Permission


Traffic flow and bearer is associated and mapped with TFT, and TFT associate
with RB-Id in Radio side and with TEID in CN side.

Confidential Information of Huawei. No Spreading Without Permission


In GPRS/UMTS system, 3GPP had defined 4 traffic classes and 13 different QoS
parameters, each PDP context (bearer) is assigned with one of the four traffic classes
together with related QoS attribute values. This design turned out to introduce a
complex system, and a lot of QoS parameters are in practice not used.
In EPS, the QoS parameters are greatly simplified. Each EPS bearer is associated with
only two QoS parameters, a QoS class and a allocation/retention parameter.

Confidential Information of Huawei. No Spreading Without Permission


In SAE QoS, the most important parameters are QCI and ARP
QCI is defined to relate with throughput, delay and packet loss for user traffic
transmitted in each bearer.
Depended on different services, bearers can be divided into two categories:

GBR (Guaranteed bit rate) bearer and Non-GBR bearer.


For GBR bearers, we use GBR and MBR (Maximum bit rate) to control the

bandwidth
For Non-GBR bearers, we use AMBR (Aggregate maximum bit rate) to control

the bandwidth
ARP is used for admission control, when node receive a signaling message, drop it or
not.

Confidential Information of Huawei. No Spreading Without Permission


In GPRS/UTRAN, QoS is subscribed in HLR. For each PDP context, separated QoS should
be assigned. That is, you need to set different values like bit rate, delay etc. for each PDP
context in each APN.

In EPS, the QoS is subscribed in HSS and PCRF.


The HSS only contains QoS profile for default bearer that established while users
attach the network.
If the QoS for default bearers can not meet the requirement for a certain service (for
example, the default bearer can not satisfy the delay need for VoIP service), UE may
request to establish a dedicated bearer. The PDN GW that determines the QoS of the
dedicated bearer based on the authorized QoS received from the PCRF. So there is no
need to have specific subscription parameters for dedicated bearers in the HSS.

Confidential Information of Huawei. No Spreading Without Permission


A QCI is a scalar that is used as a reference to access node-specific parameters that
control bearer level packet forwarding treatment (e.g. scheduling weights, admission
thresholds, queue management thresholds, link layer protocol configuration, etc.), and
that have been pre-configured by the operator owning the access node (e.g. eNodeB).

Confidential Information of Huawei. No Spreading Without Permission


The primary purpose of ARP is to decide whether a bearer establishment / modification
request can be accepted or needs to be rejected due to resource limitations
The priority level information of the ARP is used for this decision to ensure that the
request of the bearer with the higher priority level is preferred. In addition, the ARP
can be used (e.g. by the eNodeB) to decide which bearer(s) to drop during
exceptional resource limitations (e.g. at handover)
The pre-emption capability information of the ARP defines whether a bearer with a

lower ARP priority level should be dropped to free up the required resources
The preemption vulnerability information of the ARP defines whether a bearer is

applicable for such dropping by a pre-emption capable bearer with a higher ARP
priority value

Once successfully established, a bearer's ARP shall not have any impact on the bearer
level packet forwarding treatment (e.g. scheduling and rate control). Such packet
forwarding treatment should be solely determined by the other EPS bearer QoS
parameters: QCI, GBR and MBR, and by the AMBR parameters. The ARP is not included
within the EPS QoS Profile sent to the UE.

Confidential Information of Huawei. No Spreading Without Permission


GBR bearers are bearers with a certain amount of bandwidth is reserved, independently
of whether it is utilized or not. The GBR bearer thus always takes up resources over the
radio link, even if no traffic is sent. The MBR limits the bit rate that can be expected for a
GBR bearer, any traffic in excess of the MBR may be discarded by a rate shaping
function. EPC currently only supports the case where the MBR and GBR are equal.

A non-GBR bearer does not have a fixed bandwidth allocated and there is thus no
guarantee for how much traffic it can carry. The non-GBR bearer may therefore
experience packet loss in case of congestion. No transmission resources are reserved for
non-GBR bearers. In EPS, non-GBR bearers are rate policed on aggregate level instead of
on a per bearer level. Although non-GBR bearers do not have any associated MBR, the
operator may still police the utilized bandwidth of non-GBR bearers using the Aggregate
Maximum Bit Rate (AMBR).

Confidential Information of Huawei. No Spreading Without Permission


For the non-GBR bearers, there is no way to control the actual bit rate as the GBR
bearers do using GBR or MBR parameters. EPS defined the AMBR parameter to limit
the utilization for network resource. Two AMBR parameters are defined, APN-AMBR
and UE-AMBR. All these parameters are subscribed in HSS.
APN-AMBR defines the total bit rate that is allowed to be used for all non-GBR
bearers associated with a specific APN, independent of number of PDN
connections and opened non-GBR bearers for that APN. Operator can limit the
total bandwidth for that APN to prevent the UE from increasing its accessible
bandwidth by just opening new PDN connections to the same APN. The APN-
AMBR is enforced by the PDN GW.
UE-AMBR defines the total bit rate allowed to be consumed for all non-GBR
bearers of a certain UE. the UE-AMBR function is enforced by eNodeB.
Different AMBR values are defined for uplink and downlink directions. There are thus
in total four AMBR values defined: UL APN-AMBR, DL APN-AMBR, UL UE-AMBR and
DL UE-AMBR.

Confidential Information of Huawei. No Spreading Without Permission


The QCI values 14 are allocated for traffic that require dedicated resource allocation for
a GBR, while values 59 are not associated with GBR requirements.
Each standardized QCI is associated with a priority level, where priority level 1 is the
highest priority level.
The Packet Delay Budget (PDB) defines an upper bound for the time that a packet
may be delayed between the UE and the PCEF (Policy and Charging Enforcement
Function, in EPS, the PDN GW). For a certain QCI the value of the PDB is the same in
uplink and downlink. The purpose of the PDB is to support the configuration of
scheduling and link layer functions (e.g. the setting of scheduling priority weights and
HARQ operation options). The PDB shall be interpreted as a maximum delay with a
confidence level of 98 percent.
The Packet Error Loss Rate (PELR) defines an upper bound for the rate of SDUs (e.g. IP

packets) that have been processed by the sender of a link layer protocol (e.g. RLC in E
UTRAN) but that are not successfully delivered by the corresponding receiver to the
upper layer (e.g. PDCP in E UTRAN). Thus, the PELR defines an upper bound for a rate
of non congestion related packet losses. The purpose of the PELR is to allow for
appropriate link layer protocol configurations (e.g. RLC and HARQ in E-UTRAN). For a
certain QCI the value of the PELR is the same in uplink and downlink.

Confidential Information of Huawei. No Spreading Without Permission


One reason for why an aggregate rate policing of non-GBR bearers is preferable.
Over a per-bearer policing is that network planning becomes easier. With a
subscribed.
Per-bearer MBR (as in GPRS) it is difficult to estimate the total bit rate.
The subscribers will use. Also, an AMBR can provide a more understandable
subscription for the end-user compared to an MBR that is per bearer.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
In wireless networks, different services have very different requirements on the QoS for
the packet transport. Since a network in general carries many different services for
different users simultaneously, it is important to ensure that the services can co-exist
and that each service is provided with an appropriate transport path.

PCC enables a centralized control to ensure that the service sessions, which means the
bandwidth are controlled by network side instead of terminal.

Also, PCC provide means to control charging at service level which greatly helps content
based charging (CBC).

Confidential Information of Huawei. No Spreading Without Permission


The Application Function (AF) interacts (or intervenes) with applications or services
that require dynamic PCC.
The Subscription Profile Repository (SPR) contains subscription information, such as
user specific policies and data.
The Online Charging System (OCS) is a credit management system for pre-paid
charging. The PCEF interacts with the OCS to check out credit and report credit status.
The Offline Charging System (OFCS) is used for offline charging. It receives charging
events from the PCEF and generates Charging Data Records (CDRs) that can be
transferred to the billing system.
The Policy and Charging Rules Function (PCRF) is the policy control function of PCC. It
receives session information over Rx and the information from the access network via
the Gx interface.
The Policy and Charging Enforcement Function (PCEF) enforces policy decisions (e.g.
gating, maximum bit rate policing) received from the PCRF
The Bearer Binding and Event Reporting Function (BBERF) is for bear binding and
event report to PCRF.

In SAE network, PDN GW plays the role of PCEF, and the serving GW act as BBERF. In
other networks (like CDMA, WiMAX, etc.), the related gateway to the PDN is BBERF.
The connection between PCRF and BBERF is optional while the the Gx interface
between PCEF and PDN GW is necessary in PCC architecture.

Confidential Information of Huawei. No Spreading Without Permission


The PCRF provides network control regarding the service data flow detection, gating,
QoS and flow based charging (except credit management) towards the PCEF
Gating:

PCRF can use some information to determine whether a certain IP flow will be
forwarded by PCEF or rejected for some reasons, e.g. a subscriber who has only
data service subscribed will be rejected when initiating a IMS based voice call.
QoS Control:

As LTE/SAE network performs network-centered QoS control, the HSS provides


authorized QoS for default bearer, while PCRF provides authorized QoS for all
dedicated bearers. When the service flow can be recognized by the PCRF, it may
provide QoS rule for the service to PCEF for enforcement. For example, when
user initiate a IMS based voice call, once the service been recognized by PCRF, it
will provide the PCEF with appropriate rule for bit rate, QoS class, ARP, etc. to
support VoIP service.

Confidential Information of Huawei. No Spreading Without Permission


The PCRF provides network control regarding the service data flow detection, gating,
QoS and flow based charging (except credit management) towards the PCEF.
Besides policy control, PCRF also determines how the service flow will be charged for.
PCRF can determine the following charging information for the selected service:
Online charging or offline charging;

Charging characteristic;

To provide content based charging, determine cbb-id which used by billing

system. Different service has its own cbb-id, for example, HTTP traffic and
VoIP use different cbb-ids, in the billing system, different tariff can de
determined.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
eNodeB Select MME
The MME Load Balancing functionality permits UEs that are entering into an

MME Pool Area to be directed to an appropriate MME in a manner that


achieves load balancing between MMEs. This is achieved by setting a Weight
Factor for each MME, such that the probability of the eNodeB selecting an
MME is proportional to its Weight Factor. The Weight Factor is typically set
according to the capacity of an MME node relative to other MME nodes. The
Weight Factor is sent from the MME to the eNodeB via S1-AP messages.
MME Selection another MME
The MME selection function selects an available MME for serving a UE. The

selection is based on network topology, i.e. the selected MME serves the UEs
location and for overlapping MME service areas, the selection may prefer
MMEs with service areas that reduce the probability of changing the MME.
When a MME/SGSN selects a target MME, the selection function performs a
simple load balancing between the possible target MMEs.

Confidential Information of Huawei. No Spreading Without Permission


The Serving GW selection function selects an available Serving GW to serve a UE. The
selection bases on network topology, i.e. the selected Serving GW serves the UE's
location and for overlapping Serving GW service areas, the selection may prefer Serving
GWs with service areas that reduce the probability of changing the Serving GW. Other
criteria for Serving GW selection should include load balancing between Serving GWs.
When the Serving GW IP addresses returned from the DNS server include Weight
Factors, the MME should use it if load balancing is required. The Weight Factor is
typically set according to the capacity of a Serving GW node relative to other Serving GW
nodes serving the same Tracking area.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
This diagram illustrate the interfaces in EPS and between EPS and 3GPP accesses like
GPRS or WCDMA.

Confidential Information of Huawei. No Spreading Without Permission


The original version of the GTP protocol is what the GSM standards developed to cater
to the specific needs such as mobility and bearer management and tunneling of user
data traffic for GPRS. Then 3GPP further enhanced GTP for usage in 3G UMTS. During
the development of EPS, the GTP track of the architecture was enhanced considerably to
improve the bearer handling and thus the GTP control plane protocol was upgraded to
GTPv2-C.

GTP protocol provide the following functions:


Mobility management: in GERAN/UTRAN packet core and in EPC, SGSN/MME use

GTP to provide mobility management with SGSN/MME/Serving GW, e.g. routing area
update, tracking area update.
Tunnel management: users traffic are transmitted in logical tunnels, GTP can be used

to create/update/release the tunnels.


Service specific functions: for 2G/3G, GTPv1-C is used for MBMS (Multimedia

Broadcast and Multicast Service), for EPS, GTPv2-C can be used for CS fallback
service.
System maintenance: path management/error handling/restoration and
recovering/etc.

Confidential Information of Huawei. No Spreading Without Permission


For EPC, GTPv2-C is used for control plane messages, and GTPv1-U is used for user
plane.

For GERAN/UTRAN, either GTPv0-C or GTPv1-C can be used for control plane, and for
user plane, the same, GTPv0-U or GTPv1-U.

GTPv0 is too old and hardly used in the live network, so the GTP-U in most cases means
GTPv1-U.

Confidential Information of Huawei. No Spreading Without Permission


The S10 interface is defined between two MMEs and this interface exclusively uses
GTPv2-C and for LTE access only, this interface is primarily used when MME is relocated.

The S11 interface is defined between MME and the Serving GW, this interface exclusively
uses GTPv2-C and for LTE access only.

The S5/S8 interface is defined between the Serving GW and the PDN GW. The S5
interface is used in non-roaming scenarios where the Serving GW is located in the home
network, or in roaming scenarios with both Serving GW and PDN GW located in the
visited network. The latter scenario is also referred to as Local Breakout. The S8 interface
is the roaming variant of S5 and is used in roaming scenarios with the Serving GW in the
visited network and the PDN GW in the home network.

The S3 and S4 interfaces are only used when EPS co-operate with GERAN/UTRAN.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Diameter is a protocol originally designed for Authentication, Authorization and
Accounting (AAA) purposes, it was designed to overcome several shortcomings of
RADIUS such as failover, reliability, security, flexibility, extensibility and others.

Diameter use AVP to carry information elements.

The Diameter protocol is constructed as a base standard and additional extensions


called applications. The core of the Diameter protocol is defined in the Diameter base
standard, RFC 3588 [3588]. Extensions (called Applications in Diameter) are then created
on top of the Diameter base protocol to support specific requirements. The applications
may define new commands as well as new AVPs as needed.

Confidential Information of Huawei. No Spreading Without Permission


Three roles are defined for diameter node: client, server and agent.
The client is typically the entity requesting a service from a Diameter server and thus
originates the request to initiate a Diameter session with a server.
Servers response the request from client to provide correct information.

The agents examine the received requests and determine the right target.

The content of the Diameter commands consists of a Diameter header followed by AVP(s):
The Diameter header contains a unique command code that identifies the command and
consequently the intention of the message. The actual data is carried by the AVPs contained
in the message. The Diameter base protocol defines a set of commands and AVPs but a
Diameter application can define new commands and/or new AVPs. For example, some
special AVPs for 3GPP are defined in some diameter applications;
The Application ID identifies for which Diameter application the message is for;

The hop-by-hop identifier is used for matching requests with responses;

The end-to-end identifier is used to detect duplicate messages;

Each AVP is identified using a unique AVP code; the AVPs contain some flags, for example to

identify whether the AVP is mandatory or not; an AVP length to identify the length of the
AVP; vendor ID is used when the AVP is vendor specific or vendor proprietary; and AVP data
is the exact content of the information element.

Confidential Information of Huawei. No Spreading Without Permission


The S6a interface is the signaling interface between the MME and the HSS.

The protocol layers are described as follows:


Diameter: supports the subscription and authentication data transmitted between

the MME and the HSS, and thus authorizes the access to the EPS network. The
Diameter protocol is defined in RFC 3588;
SCTP: guarantees the transmission of signaling messages between the MME and the

HSS.

Confidential Information of Huawei. No Spreading Without Permission


PCRF (policy control and charging rules function) is the policy and charging control
element.
The Gx interface is the interface between P-GW and PCRF.
The Gxc interface is the interface between S-GW and PCRF.
Gxc is used only in the case of PMIP variant of S5 or S8.

If the S5/S8 interface is adopting GTP protocol, the Gxc interface is no needed.
Because the GTP protocol can transfer the QoS information while the PMIP protocol
cant.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
In contrast to many of the other protocols in EPS, the S1-AP protocol is designed for a
single interface, namely the MME to eNodeB interface. The protocol is named after the
interface name (S1) and the addition of AP (Application Part) which is the 3GPP term for
signaling protocol between two nodes.

S1-AP supports all mechanisms necessary for the procedures between MME and
eNodeB and it also supports transparent transport for procedures that are executed
between the MME and the UE.

The reliability of transmission for S1-AP is provided by SCTP (Stream Control


Transmission Protocol).

Confidential Information of Huawei. No Spreading Without Permission


NAS denotes the protocols between the UE and the MME, which implements the
mobility management and session management procedures. The NAS protocols, EPS
Mobility management (EMM) and EPS Session Management (ESM), are designed for E-
UTRAN access and defined in 3GPP TS 24.301.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
The SGi interface is an interface between the P-GW and the PDN. It can also serve as the
interface connecting the P-GW and the AAA server, transmitting authentication and
charging control messages.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
The EPS Mobility Management (EMM) states describe the Mobility Management states
that result from the mobility management procedures e.g. Attach and Tracking Area
Update procedures.

The EPS Connection Management (ECM) states describe the signaling connectivity
between the UE and the EPC.

In general, the ECM and EMM states are independent of each other. Transition from
EMM-REGISTERED to EMM-DEREGISTERED can occur regardless of the ECM state, e.g.
by explicit detach signaling in ECM-CONNECTED or by implicit detach locally in the MME
during ECM-IDLE. However there are some relations, e.g. to transition from EMM-
DEREGISTERED to EMM-REGISTERED the UE has to be in the ECM-CONNECTED state.

Confidential Information of Huawei. No Spreading Without Permission


EMM-DEREGISTERED
In the EMM DEREGISTERED state, the EMM context in MME holds no valid location or

routeing information for the UE. The UE is not reachable by a MME, as the UE
location is not known.
In the EMM-DEREGISTERED state, some UE context can still be stored in the UE and
MME, e.g. to avoid running an AKA procedure during every Attach procedure.

EMM-REGISTERED
The UE enters the EMM-REGISTERED state by a successful registration with an Attach

procedure to either E-UTRAN or GERAN/UTRAN. The MME enters the EMM-


REGISTERED state by a successful Tracking Area Update procedure for a UE selecting
an E-UTRAN cell from GERAN/UTRAN or by an Attach procedure via E-UTRAN. In the
EMM-REGISTERED state, the UE can receive services that require registration in the
EPS.
The UE location is known in the MME to at least an accuracy of the tracking area list
allocated to that UE.

Confidential Information of Huawei. No Spreading Without Permission


ECM-IDLE
A UE is in ECM-IDLE state when no NAS signaling connection between UE and

network exists.
There exists no UE context in E-UTRAN for the UE in the ECM-IDLE state. There is no

S1_MME and no S1_U connection for the UE in the ECM-IDLE state.

ECM-CONNECTED
For a UE in the ECM-CONNECTED state, there exists a signaling connection between
the UE and the MME. The signaling connection is made up of two parts: an RRC
connection and an S1_MME connection.
The UE shall enter the ECM-IDLE state when its signaling connection to the MME has
been released or broken. This release or failure is explicitly indicated by the eNodeB
to the UE or detected by the UE.
The S1 release procedure changes the state at both UE and MME from ECM-

CONNECTED to ECM-IDLE.
After a signaling procedure, the MME may decide to release the signaling connection
to the UE, after which the state at both the UE and the MME is changed to ECM-IDLE.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
The MM context includes the IMSI, MSISDN, authentication vector, TAI, subscription
information, etc.
The EPS bearer context includes the bearer related information, for example, the PGW IP,
SGW IP.
For more detail, please refer to R8 TS 23.401 protocol.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
A UE/user needs to register with the network to receive services that require
registration. This registration is described as Network Attachment. The always-on IP
connectivity for UE/users of the EPS is enabled by establishing a default EPS bearer
during Network Attachment. The PCC rules applied to the default EPS bearer may be
predefined in the PDN GW and activated in the attachment by the PDN GW itself. The
Attach procedure may trigger one or multiple Dedicated Bearer Establishment
procedures to establish dedicated EPS bearer(s) for that UE. During the attach procedure,
the UE may request for an IP address allocation. Terminals utilizing only IETF based
mechanisms for IP address allocation are also supported.

Confidential Information of Huawei. No Spreading Without Permission


1. The UE initiates the Attach procedure by the transmission, to the eNodeB, of an Attach Request
message together with RRC parameters indicating the Selected Network and the old GUMMEI. The
eNodeB derives the MME from the RRC parameters carrying the old GUMMEI and the indicated
Selected Network.
2. If the UE identifies itself with GUTI and the MME has changed since detach, the new MME uses the
GUTI received from the UE to derive the old MME/SGSN address, and send an Identification
Request to the old MME/SGSN to request the IMSI.
3. If the UE is unknown in both the old MME/SGSN and new MME, the new MME sends an Identity
Request to the UE to request the IMSI. The UE responds with Identity Response, in which, IMSI is
included.
4. A optional stop which used for authentication and integration check.
5. If the MME has changed since the last detach, the MME sends an Update Location Request message
to the HSS.
6. The HSS sends Cancel Location to the old MME. The old MME acknowledges with Cancel Location
Ack and removes the MM and bearer contexts.
7. The HSS acknowledges the Update Location message by sending an Update Location Ack message to
the new MME. The Subscription Data contain one or more PDN subscription contexts.
8. The new MME selects a Serving GW on Serving GW selection function and allocates an EPS Bearer
Identity for the Default Bearer associated with the UE. Then it sends a Create Session Request
message to the selected Serving GW.
9. The Serving GW creates a new entry in its EPS Bearer table and sends a Create Session Request
message to the PDN GW.
10. The P-GW creates a new entry in its EPS bearer context table and generates a Charging Id. The PDN
GW returns a Create Session Response message to the Serving GW.
11. The Serving GW returns a Create Session Response message to the new MME.

Confidential Information of Huawei. No Spreading Without Permission


12. The new MME sends an Attach Accept message to the eNodeB. This message is contained in
an S1_MME control message Initial Context Setup Request.
13. The eNodeB sends the RRC Connection Reconfiguration message including the EPS Radio
Bearer Identity to the UE, and the Attach Accept message will be sent along to the UE, and
the UE sends the RRC Connection Reconfiguration Complete message to the eNodeB.
14. The eNodeB sends the Initial Context Response message to the new MME. This Initial
Context Response message includes the TEID of the eNodeB and the address of the eNodeB
used for downlink traffic on the S1_U reference point.
15. The UE sends a Direct Transfer message to the eNodeB, which includes the Attach Complete
message.
16. The eNodeB forwards the Attach Complete message to the new MME in an Uplink NAS
Transport message. After the Attach Accept message and once the UE has obtained a PDN
Address, the UE can then send uplink packets towards the eNodeB which will then be
tunneled to the Serving GW and PDN GW.
17. Upon reception of both, the Initial Context Response message in step 14 and the Attach
Complete message in step 16, the new MME sends a Modify Bearer Request message to the
Serving GW. The Serving GW acknowledges by sending Update Bearer Response message
including the eNodeB information to the new MME. The Serving GW can then send its
buffered downlink packets.

Confidential Information of Huawei. No Spreading Without Permission


On EPS network, the basic unit of location management is tracking area (TA) List.
A TA List consists of one or more TAs.
A TA list prevents a UE from initiating the TAU procedure frequently.

Confidential Information of Huawei. No Spreading Without Permission


The detach procedure is used in the following scenarios:
A UE is detached from the EPS service;

A UE is disconnected from the last PDN connection;

The network informs a UE that the UE cannot access to the EPS.

A UE can be detached explicitly or implicitly.


Explicit detach: A UE or network side requests the detach and the one that initiates

the detach procedure informs the other one;


Implicit detach: A network side detaches a UE without informing the UE. For example,

the network side performs implicit detach when it determines that the UE is
unreachable.

The Detach procedure can be classified into the following three types:
UE initiated Detach procedure;

MME initiated Detach procedure;

HSS initiated Detach procedure.

Confidential Information of Huawei. No Spreading Without Permission


1. The UE sends NAS message Detach Request to the MME. This NAS message is used
to trigger the establishment of the S1 connection if the UE was in ECM-IDLE mode.
The eNodeB forwards this NAS message to the MME along with the TAI+ECGI of the
cell which the UE is using.
2. The active EPS Bearers in the Serving GW regarding this particular UE are deactivated
by the MME sending Delete Session Request per PDN connection to the Serving GW
3. When the S-GW receives the first Delete Session Request message from the MME,
the Serving GW releases the related EPS Bearer context information and responds
with Delete Session Response.
4. The Serving GW sends Delete Session Request per PDN connection to the PDN GW
5. The PDN GW acknowledges with Delete Session Response
6. If Switch Off indicates that detach is not due to a switch off situation, the MME
sends a Detach Accept to the UE.
7. The MME releases the S1-MME signaling connection for the UE by sending S1
Release Command to the eNodeB with Cause set to Detach.

Confidential Information of Huawei. No Spreading Without Permission


As EPS will create a default bearer when user attach to the destination network. A lot of
default bearers will be established, if those default bearers are not used for data
transmission, it is reasonable to release the resource allocated, specially for radio
interface. The S1-release procedure is designed for such purpose.

This procedure is used to release the logical S1-AP signaling connection (over S1-MME)
and all S1 bearers (in S1-U) for a UE. The procedure will move the UE from ECM-
CONNECTED to ECM-IDLE in both the UE and MME, and all UE related context
information is deleted in the eNodeB.

After the S1-release procedure is performed, the resource for radio interface and S1-U
will be released. The UE will initiate service request procedure if UE has traffic send to
the PDN, or the CN will initiate paging procedure if traffic from PDN is received.

Confidential Information of Huawei. No Spreading Without Permission


1. If the eNodeB detects a need to release the UE's signaling connection and all radio
bearers for the UE, the eNodeB sends an S1 UE Context Release Request (Cause)
message to the MME. Cause indicates the reason for the release (e.g. user
inactivity).
2. The MME sends a Release Access Bearers Request message to the S-GW that
requests the release of all S1-U bearers for the UE. The S-GW releases all eNodeB
related information (address and TEIDs) for the UE and responds with a Release
Access Bearers Response message to the MME. Other elements of the UE's S-GW
context are not affected. The S-GW retains the S1-U configuration that the S-GW
allocated for the UE's bearers.
3. The MME releases S1 by sending the S1 UE Context Release Command (Cause)
message to the eNodeB.
4. If the RRC connection is not already released, the eNodeB sends a RRC Connection
Release message to the UE in Acknowledged Mode. Once the message is
acknowledged by the UE, the eNodeB deletes the UE's context.
5. The eNodeB confirms the S1 Release by returning an S1 UE Context Release
Complete message to the MME. With this, the signaling connection between the
MME and the eNodeB for that UE is released.

Confidential Information of Huawei. No Spreading Without Permission


After the S1 release procedure is performed, the signaling connection for S1-MME
interface and the S1-U bearers are removed, if UE has some data sent to the PDN, it will
initiate a Service Request Procedure.

The service request procedure can be triggered by UE or by network


Triggered by UE: UE has data to be sent after S1 release is performed;

Triggered by network: Serving GW received data from PDN to a certain UE that in

ECM-IDLE state, Serving GW informs MME, and the MME initiate a paging to all TAs in
the TA list that the user registered in, when UE received the paging message, it will
initiate a service request procedure.

Confidential Information of Huawei. No Spreading Without Permission


1. The UE sends NAS message Service Request towards the MME encapsulated in an
RRC message to the eNodeB, the eNodeB forwards NAS message to MME.
2. Authentication is an optional step.
3. The MME sends S1-AP Initial Context Setup Request message to the eNodeB. This
step activates the radio and S1 bearers for all the active EPS Bearers.
4. The eNodeB performs the radio bearer establishment procedure.
5. The uplink data from the UE can now be forwarded by eNodeB to the Serving GW.
The eNodeB sends the uplink data to the Serving GW and the Serving GW forwards
the uplink data to the PDN GW.
6. The eNodeB sends an S1-AP message Initial Context Setup Complete to the MME, in
this message, eNodeB downlink TEIDs will be included.
7. The MME sends a Modify Bearer Request message including eNodeB address, S1
TEID(s) per PDN connection to the Serving GW. The Serving GW is now able to
transmit downlink data towards the UE.
8. The Serving GW sends a Modify Bearer Response to the MME.

Confidential Information of Huawei. No Spreading Without Permission


1. When the Serving GW receives a downlink data packet for a UE known as not user
plane connected (i.e. the S-GW context data indicates no downlink user plane TEID),
it buffers the downlink data packet and identifies which MME is serving that UE.
2. The Serving GW sends a Downlink Data Notification message to the MME for which
it has control plane connectivity for the given UE. The MME and SGSN respond to the
S-GW with a Downlink Data Notification Ack message.
3. If the UE is registered in the MME, the MME sends a Paging message to each
eNodeB belonging to the tracking area(s) in which the UE is registered. If eNodeBs
receive paging messages from the MME, the UE is paged by the eNodeBs.
4. When UE is in the ECM-IDLE state, upon reception of paging indication in E-UTRAN
access, the UE initiates the UE triggered Service Request procedure.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
In the inter MME TAU with SGW change procedure, the new MME needs to create a new
bearer for the UE in the new SGW.
In the inter MME TAU without SGW change procedure, the new MME needs to update
the bearer for the UE in the old SGW.

Confidential Information of Huawei. No Spreading Without Permission


1. The UE initiates a TAU procedure by sending, to the eNodeB, a Tracking Area Update
Request message together with RRC parameters indicating the Selected Network and the old
GUMMEI. The eNodeB forwards the TAU Request message to MME
2. The new MME uses the GUTI received from the UE to derive the old MME/S4 SGSN address
and sends a Context Request message to the old MME/S4 SGSN to retrieve the user
information
3. If the Context Request is sent to an old MME the old MME responds with a Context
Response message
4. If the integrity check of TAU Request message (sent in step 1) failed, then authentication is
mandatory, otherwise, its optional
5. The new MME sends a Context Acknowledge message to the old MME. The old MME marks
in its context that the information in the GWs and the HSS are invalid. This ensures that the
MME updates the GWs and the HSS if the UE initiates a TAU procedure back to the MME
before completing the ongoing TAU procedure.
6. If the MME has changed the new MME sends a Modify Bearer Request message per PDN
connection to the Serving GW. The PDN GW address is indicated in the bearer contexts
7. If the RAT type has changed, or the Serving GW has received the User Location Information
IE or User CSG Information IE from the MME in step 6, the Serving GW informs the PDN GW
about this information to the PDN GW concerned.
8. The PDN GW updates its context field to allow DL PDUs to be routed to the correct Serving
GW and returns a Modify Bearer Response to the Serving GW.
9. The Serving GW updates its bearer context. The Serving GW returns a Modify Bearer
Response message to the new MME.

Confidential Information of Huawei. No Spreading Without Permission


10. The new MME informs the HSS of the change of MME by sending an Update
Location Request message to the HSS.
11. The HSS sends a Cancel Location message to the old MME with a Cancellation Type
set to Update Procedure.
12. When receiving a Cancel Location message, the old MME removes the MM and
bearer contexts. The old MME acknowledges with a Cancel Location Ack message.
13. The HSS acknowledges the Update Location Request by returning an Update
Location Ack message to the new MME after the cancelling of the old MME context
is finished.
14. The MME responds to the UE with a Tracking Area Update Accept message.
15. If the GUTI was changed the UE acknowledges the new GUTI by returning a Tracking
Area Update Complete message to the MME.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
X2 interface is between two eNodeBs, X2-based handover means the handover resource
preparation are forwarded from source eNodeB to the target eNodeB.

S1-based handover is used when X2-based handover can not be used. The handover
procedures rely on the presence of S1-MME reference point between the MME and the
source eNodeB as well as between the MME and the target eNodeB. This procedure
may relocate the MME and/or the Serving GW.

These procedures are used to hand over a UE from a source eNodeB to a target eNodeB
using the X2 reference point. In these procedures the MME is unchanged.

Confidential Information of Huawei. No Spreading Without Permission


1. The target eNodeB sends a Path Switch Request message to MME to inform that the UE has
changed cell, including the TAI+ECGI of the target cell and the list of EPS bearers to be
switched. The MME determines that the Serving GW can continue to serve the UE.
2. The MME sends a Modify Bearer Request including eNodeB address(es) and TEIDs to the
Serving GW for each PDN connection. The Serving GW starts sending downlink packets to
the target eNodeB using the newly received address and TEIDs. A Modify Bearer Response
message is sent back to the MME.
3. In order to assist the reordering function in the target eNodeB, the Serving GW shall send
one or more end marker packets on the old path immediately after switching the path.
After completing the sending of the end marker, the GW shall not send any further
user data packets via the old path;
upon receiving the "end marker" packets, the source eNodeB shall forward it toward
the target eNodeB;
On receiving the "end marker, the target eNB shall initiate any necessary processing
to maintain in sequence delivery of user data forwarded over X2 interface and user
data received from the serving GW over S1 as a result of the path switch.
4. The MME confirms the Path Switch Request message with the Path Switch Request Ack
message.
5. By sending Release Resource the target eNodeB informs success of the handover to source
eNodeB and triggers the release of resources.
6. The UE initiates a Tracking Area Update procedure when one of the conditions that triggers
for tracking area update applies.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
1. The source eNodeB decides to initiate an S1-based handover to the target eNodeB.
This can be triggered e.g. by no X2 connectivity to the target eNodeB.
2. The source eNodeB sends Handover Required to the source MME. The source
eNodeB indicates which bearers are subject to data forwarding. The target TAI is sent
to MME to facilitate the selection of a suitable target MME.
3. The source MME selects the target MME and sends a Forward Relocation Request
message to the target MME. The target TAI is sent to the target MME to help it to
determine whether S-GW relocation is needed.
4. If the MME has been relocated, the target MME verifies whether the source Serving
GW can continue to serve the UE. If not, it selects a new Serving GW; If the source
Serving GW continues to serve the UE, no message is sent in this step. In this case,
the target Serving GW is identical to the source Serving GW. If a new Serving GW is
selected, the target MME sends a Create Session Request message per PDN
connection to the target Serving GW. The target Serving GW allocates the S-GW
addresses and TEIDs for the uplink traffic on S1_U reference point (one TEID per
bearer). The target Serving GW sends a Create Session Response (Serving GW
addresses and uplink TEID(s) for user plane) message back to the target MME.
5. The Target MME sends Handover Request message to the target eNodeB. This
message creates the UE context in the target eNodeB, including information about
the bearers, and the target eNodeB sends a Handover Request Acknowledge
message to the target MME.

Confidential Information of Huawei. No Spreading Without Permission


6. The target MME sets up forwarding parameters by sending Create Indirect Data
Forwarding Tunnel Request with target eNodeB information to the Serving GW. The
Serving GW sends a Create Indirect Data Forwarding Tunnel Response with target
Serving GW information to the target MME.
7. If the MME has been relocated, the target MME sends a Forward Relocation
Response message to the source MME, this message includes Serving GW Address
and TEIDs for indirect forwarding (source or target).
8. The source MME sends Create Indirect Data Forwarding Tunnel Request to the
Serving GW. If the Serving GW is relocated it includes the tunnel identifier to the
target serving GW. The Serving GW responds with a Create Indirect Data Forwarding
Tunnel Response message to the source MME.
9. The source MME sends a Handover Command message to the source eNodeB,
including addresses and TEIDs for the Bearers subject to forwarding. The Handover
Command is sent to the UE.

Confidential Information of Huawei. No Spreading Without Permission


10. The source eNodeB should start forwarding of downlink data from the source
eNodeB towards the target eNodeB for bearers subject to data forwarding, in this
case it is an indirect forwarding (via S-GW).
11. After the UE has successfully synchronized to the target cell, it sends a Handover
Confirm message to the target eNodeB. Downlink packets forwarded from the
source eNodeB can be sent to the UE. Also, uplink packets can be sent from the UE,
which are forwarded to the target Serving GW and on to the PDN GW.

Confidential Information of Huawei. No Spreading Without Permission


12. The target eNodeB sends a Handover Notify (TAI+ECGI) message to the target MME
13. If the MME has been relocated, the target MME sends a Forward Relocation
Complete Notification message to the source MME. The source MME in response
sends a Forward Relocation Complete Acknowledge message to the target MME.
14. The MME sends a Modify Bearer Request message to the target Serving GW for each
PDN connection to identify the information the target eNodeB for downlink traffic on
S1-U interface;
15. If the Serving GW is relocated, the target Serving GW assigns addresses and TEIDs
(one per bearer) for downlink traffic from the PDN GW. It sends a Modify Bearer
Request to identify itself message per PDN connection to the PDN GW(s). If the
Serving GW is not relocated and it has not received User Location Information IE nor
User CSG Information IE from the MME in step 14, no message is sent in this step
and downlink packets from the Serving-GW are immediately sent on to the target
eNodeB.
16. The target Serving GW sends a Modify Bearer Response message to the target MME.
The message is a response to a message sent at step 14

Now the data path has been established and UE will initiate the tracking are update
procedure.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Bearer modification procedure includes:
UE requested bearer resource modification: for dedicated bearer only;

PDN GW initiated bearer modification with bearer QoS update;

HSS Initiated Subscribed QoS Modification;

PDN GW initiated bearer modification without bearer QoS update.

Bearer deactivation procedure includes:


UE requested bearer resource modification: for dedicated bearer only;

PDN GW initiated bearer deactivation: for default bearer or dedicated bearer;

MME Initiated Dedicated Bearer Deactivation: for dedicated bearer only.

UE requested PDN connectivity procedure: a default bearer will be established, one or


several dedicated bearer may be established.
UE or MME requested PDN disconnection procedure: all the bearer will be released.

Confidential Information of Huawei. No Spreading Without Permission


A dedicated bearer is usually initiated when the QoS of current bearer cannot satisfy the
service requested.
For example, the default bearer is for web browser, the default bearer is non-GBR
bearer, and the delay may vary greatly. If UE want to make a voice call, the default
bearer cannot used for voice service, cause voice service need a GBR bearer and the
delay must be strictly controlled. In this case, a dedicated bearer should be created.

Confidential Information of Huawei. No Spreading Without Permission


The default bearer will be activated during the attach procedure or UE requested PDN
connectivity procedure. So there are no stand along procedure to activate the default
bearer. Dedicated Bearer Activation is for dedicated bearer.

Trigger condition of IP-CAN Session Modification; PDN GW( PCEF) initiated


Local PCC is deployed;

Dynamic PCC is deployed.

Confidential Information of Huawei. No Spreading Without Permission


1. The PDN GW sends a Create Bearer Request message to the Serving GW.
2. The Serving GW sends the Create Bearer Request message to the MME.
3. The MME selects an EPS Bearer Identity, which has not yet been assigned to the UE.
The MME then builds a Session Management Request including the PTI, TFT, EPS
Bearer QoS parameters (excluding ARP), Protocol Configuration Options, the EPS
Bearer Identity and the Linked EPS Bearer Identity (LBI). The MME then signals the
Bearer Setup Request message to the eNodeB.
4. The eNodeB maps the EPS Bearer QoS to the Radio Bearer QoS. It then signals a RRC
Connection Reconfiguration message to the UE.

Confidential Information of Huawei. No Spreading Without Permission


5. The UE acknowledges the radio bearer activation to the eNodeB with a RRC
Connection Reconfiguration Complete message.
6. The eNodeB acknowledges the bearer activation to the MME with a Bearer Setup
Response message. The eNodeB indicates whether the requested EPS Bearer QoS
could be allocated or not.
7. The UE NAS layer builds a Session Management Response including EPS Bearer
Identity. The UE then sends a Direct Transfer message to the eNodeB.
8. The eNodeB sends an Uplink NAS Transport (Session Management Response)
message to the MME.
9. Upon reception of the Bearer Setup Response message in step 6 and the Session
Management Response message in step 8, the MME acknowledges the bearer
activation to the Serving GW by sending a Create Bearer Response message.
10. The Serving GW acknowledges the bearer activation to the PDN GW by sending a
Create Bearer Response message.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Case 1:
MS download FTP files;

After finishing FTP service, MS initiates streaming service with the same
QCI&ARP before the dedicated bearer age , So P-GW Initiated Bearer
Modification With QoS Update.
Case 2:
PCRF send IP-CAN modification (QCI or GBR or MBR or ARP change) for
the online user, for example PCRF configure FUP service. In this case PGW
initiate P-GW Initiated Bearer Modification With QoS Update.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
1. The PDN GW sends a Update bearer request message to the Serving GW because
QCI or GBR or MBR or ARP change.
2. The Serving GW sends the Update Bearer Request message to the MME
3. The MME builds a Session Management Request including the PTI, EPS Bearer QoS
parameters (excluding ARP), TFT, APN-AMBR and EPS Bearer Identity. The MME then
sends the Bearer Modify Request (EPS Bearer Identity, EPS Bearer QoS, Session
Management Request, UE-AMBR) message to the eNodeB.
4. The eNodeB maps the EPS Bearer QoS to the Radio Bearer QoS. It then signals a RRC
Connection Reconfiguration message to the UE
5. The UE acknowledges the radio bearer activation to the eNodeB with a RRC
Connection Reconfiguration Complete message.
6. The eNodeB acknowledges the bearer modification to the MME with a Bearer
Modify Response message. The eNodeB indicates whether the requested EPS Bearer
QoS could be allocated or not.

Confidential Information of Huawei. No Spreading Without Permission


7. The UE NAS layer builds a Session Management Response including EPS Bearer
Identity. The UE then sends a Direct Transfer message to the eNodeB.
8. The eNodeB sends an Uplink NAS Transport (Session Management Response)
message to the MME.
9. Upon reception of the Bearer Modify Response message in step 6 and the Session
Management Response message in step 8, the MME acknowledges the bearer
modification to the Serving GW by sending a Update Bearer Response message.
10. The Serving GW acknowledges the bearer modification to the PDN GW by sending a
Update Bearer Response message.

Confidential Information of Huawei. No Spreading Without Permission


1. The PDN GW sends a Update bearer request message to the Serving GW because
TFT or APN-AMBR change.
2. The Serving GW sends the Update Bearer Request message to the MME
3. The MME builds a Session Management Request including the PTI, EPS Bearer QoS
parameters (excluding ARP), TFT, APN-AMBR and EPS Bearer Identity. The MME then
sends the Bearer Modify Request (EPS Bearer Identity, EPS Bearer QoS, Session
Management Request, UE-AMBR) message to the eNodeB.
4. The eNodeB maps the EPS Bearer QoS to the Radio Bearer QoS. It then signals a RRC
Connection Reconfiguration message to the UE.
5. The UE acknowledges the radio bearer activation to the eNodeB with a RRC
Connection Reconfiguration Complete message.
6. The eNodeB acknowledges the bearer modification to the MME with a Bearer
Modify Response message. The eNodeB indicates whether the requested EPS Bearer
QoS could be allocated or not.
7. Upon reception of the Bearer Modify Response message in step 6, the MME
acknowledges the bearer modification to the Serving GW by sending a Update
Bearer Response message.
8. The Serving GW acknowledges the bearer modification to the PDN GW by sending a
Update Bearer Response message.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
1. The PDN GW sends a Delete bearer request message to the Serving GW.
2. The Serving GW sends the Delete Bearer Request message to the MME
3. The MME builds a NAS Deactivate EPS Bearer Context Request message including
the EPS Bearer Identity, and includes it in the S1-AP Deactivate Bearer Request
message
4. The eNodeB sends the RRC Connection Reconfiguration message including the EPS
Radio Bearer Identity to release and the NAS Deactivate EPS Bearer Context Request
message to the UE.
5. The UE RRC releases the radio bearers, and the UE NAS removes the UL TFTs and EPS
Bearer Identity. The UE responds to the RRC Connection Reconfiguration Complete
message to the eNodeB.
6. The eNodeB acknowledges the bearer deactivation to the MME with a Deactivate
Bearer Response message.
7. The UE NAS layer builds a Deactivate EPS Bearer Context Accept message and sends
a Direct Transfer message to the eNodeB.
8. The eNodeB sends an Uplink NAS Transport (Deactivate EPS Bearer Context Accept)
message to the MME
9. The MME deletes the bearer context related to the deactivated EPS bearer and
acknowledges the bearer deactivation to the Serving GW by sending a Delete Bearer
Response message
10. After receiving the Delete Bearer Response messages from the MME, the Serving
GW deletes the bearer context related to the deactivated EPS bearer acknowledges
the bearer deactivation to the PDN GW by sending a Delete Bearer Response
message.
Confidential Information of Huawei. No Spreading Without Permission
Command of all bearer deactivation also can be sent by OAM. So MME Initiated
Dedicated Bearer Deactivation(all bearer except default bearer).

Confidential Information of Huawei. No Spreading Without Permission


1. MME sends a Delete bearer command to S-GW.
2. The S-GW sends a Delete bearer request message to the MME.
3. MME sends the Delete Bearer Request message to the eNodeB, including the EPS
Bearer Identity, and includes it in the S1-AP Deactivate Bearer Request message.
4. The eNodeB sends the RRC Connection Reconfiguration message including the EPS
Radio Bearer Identity to release and the NAS Deactivate EPS Bearer Context Request
message to the UE.
5. The UE RRC releases the radio bearers, and the UE NAS removes the UL TFTs and EPS
Bearer Identity. The UE responds to the RRC Connection Reconfiguration Complete
message to the eNodeB.
6. The eNodeB acknowledges the bearer deactivation to the MME with a Deactivate
Bearer Response message.
7. The UE NAS layer builds a Deactivate EPS Bearer Context Accept message and sends
a Direct Transfer message to the eNodeB.
8. The eNodeB sends an Uplink NAS Transport (Deactivate EPS bearer context accept)
message to the MME.
9. The MME deletes the bearer context related to the deactivated EPS bearer and
acknowledges the bearer deactivation to the Serving GW by sending a Delete Bearer
Response message.

Confidential Information of Huawei. No Spreading Without Permission


If QCI or ARP is changed, one dedicated bearer activation is initiated.
If QCI and ARP is same, other different QoS is changed, dedicated bearer modification
is initiated.
If there is no any stream transmission until to bearer aging or handover from 3GPP to
non-3GPP procedure, dedicated bearer deactivation is initiated.

Confidential Information of Huawei. No Spreading Without Permission


1. The UE initiates the UE Requested PDN procedure by the transmission of a PDN
Connectivity Request message.
2. The MME allocates a Bearer Id, and sends a Create Session Request message to the
Serving GW.
3. The Serving GW creates a new entry in its EPS Bearer table and sends a Create
Session Request message to the PDN GW indicated in the PDN GW address received
in the previous step. After this step, the Serving GW buffers any downlink packets it
may receive from the PDN GW until receives the message in step 12 below.
4. The P-GW creates a new entry in its EPS bearer context table and generates a
Charging Id. The PDN GW returns a Create Session Response message to the Serving
GW.
5. The Serving GW returns a Create Session Response message to the MME.
6. The MME sends PDN Connectivity Accept message to the UE. This message is
contained in an S1_MME control message Bearer Setup Request to the eNodeB. This
S1 control message includes the TEID at the Serving GW used for user plane and the
address of the Serving GW for user plane.
7. The eNodeB sends RRC Connection Reconfiguration to the UE including the PDN
Connectivity Accept message.
8. The UE sends the RRC Connection Reconfiguration Complete to the eNodeB.
9. The eNodeB send an S1-AP Bearer Setup Response to the MME. The S1-AP message
includes the TEID of the eNodeB and the address of the eNodeB used for downlink
traffic on the S1_U reference point.

Confidential Information of Huawei. No Spreading Without Permission


10. The UE NAS layer builds a PDN Connectivity Complete message including EPS Bearer
Identity. The UE then sends a Direct Transfer (PDN Connectivity Complete) message
to the eNodeB.
11. The eNodeB sends an Uplink NAS Transport (PDN Connectivity Complete) message
to the MME.
12. Upon reception of the Bearer Setup Response message in step 9 and the PDN
Connectivity Complete message in step 11, the MME sends a Modify Bearer Request
message to the Serving GW.
13. If the Handover Indication is included in step 12, the Serving GW sends a Modify
Bearer Request message to the PDN GW to prompt the PDN GW to tunnel packets
from non 3GPP IP access to 3GPP access system and immediately start routing
packets to the Serving GW for the default and any dedicated EPS bearers established.
14. The PDN GW acknowledges by sending Modify Bearer Response to the Serving GW.
15. The Serving GW acknowledges by sending Modify Bearer Response to the MME. The
Serving GW can then send its buffered downlink packets.

Confidential Information of Huawei. No Spreading Without Permission


1. The UE initiates the UE requested PDN disconnection procedure by the transmission
of a PDN Disconnection Request message.
2. The EPS Bearers in the Serving GW for the particular PDN connection are deactivated
by the MME by sending Delete Session Request to the Serving GW. This message
includes an indication that all bearers belonging to that PDN connection shall be
released.
3. The Serving GW sends Delete Session Request to the PDN GW.
4. The PDN GW acknowledges with Delete Session Response.
5. The Serving GW acknowledges with Delete Session Response.
6. The MME initiates the deactivation of all Bearers associated with the PDN
connection to the eNodeB by sending the Deactivate Bearer Request message to the
eNodeB.
7. The eNodeB sends the RRC Connection Reconfiguration message including the
corresponding bearers to be released and the NAS Deactivate EPS Bearer Context
Request message to the UE.
8. The UE releases all resources corresponding to the PDN connection and
acknowledges this by sending the RRC Connection Reconfiguration Complete
message to the eNodeB.
9. The eNodeB sends an acknowledgement of the deactivation to the MME.
10. The UE NAS layer builds a Deactivate EPS Bearer Context Accept message. The UE
then sends a Direct Transfer (Deactivate EPS Bearer Context Accept) message to the
eNodeB.
11. The eNodeB sends an Uplink NAS Transport (Deactivate EPS Bearer Context Accept)
message to the MME.
Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
SRVCC is used to provide the function of VoIMS, so the LTE subscriber will able to make
phone calls, here is a typical example for SRVCC traffic.

An VoIMS call flow has two general steps:


The UE initiate a request, SIP signaling message is used in CN and IMS to find the
called party, and to establish a bearer for voice traffic;
One bearer for voice been established, the UE can talk with the called party.

Confidential Information of Huawei. No Spreading Without Permission


Subscribers are always moving. If user stays in LTE coverage, everything is OK. How
about user move from LTE to 2G/3G network?

If SRVCC is used, an additional NE is needed: the enhanced MSC (EMSC). The EMSC
connects to MME in EPC and IMS nodes, when user handover to 2G/3G coverage, the
voice traffic will be passed through EMSC.
Sv interface: Sv interface between the Mobility Management Entity (MME) or Serving

GPRS Support Node (SGSN) and 3GPP MSC server enhanced for SRVCC. Sv interface is
used to support Inter-RAT handover from VoIP/IMS over EPS to CS domain over 3GPP
UTRAN/GERAN access or from UTRAN (HSPA) to 3GPP UTRAN/GERAN access. Its
based on GTPv2 protocol.
S6a interface: The SRVCC STN-SR, C MSISDN and optional ICS flag are downloaded to

MME from HSS during E-UTRAN attach procedure.


eNB/UE: UE enhanced for SRVCC, 3GPP SRVCC UE is needed to perform SRVCC. When

E UTRAN selects a target cell for SRVCC handover, it needs to send an indication to
MME that this handover procedure requires SRVCC.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission
Unlike with SRVCC, by which voice traffic is transmitted over EPC. With CS fallback, data
service is still carried over EPC while voice service is carried over traditional 2G/3G CS
core, which is suitable for the operators that already own their 2G/3G networks.
With CSFB, the MME is connected to the MSC server in 2G/3G network;

UE are required to attach to both SAE and G/U network, which require a combined
attach;
With CSFB, SMS is delivered from EPC to MSC over SGs interface, and then to short

message center (SMC).

Confidential Information of Huawei. No Spreading Without Permission


1. UE send Attach Request to MMEattached type is combined EPS/IMSI Attach.
2. Location Update is transferred between MME and MSC Server. After that, UE register
to MSC Server and HLR.
3. MME send attach accept to UE in which LAI and TMSI is included.

Confidential Information of Huawei. No Spreading Without Permission


1. UE send Extended Service Request to MME and indicate MME to execute CSFB.
2. MME send S1-AP request to eNB with CSFB indication and require eNB to fallback UE
to 2G/3G.
3. eNB fallback UE to 2G/3G with three method by PS HO, NACC or RRC Release.
4. UE send CM Service Request to MSC Server after fallback to 2G/3G and initiate
normal call.

Confidential Information of Huawei. No Spreading Without Permission


1. MSC Server receive IAM message.
2. MSC Server send Paging to MME.
3. MME send EPS paging in TAI List which is covered by LTE network.
4. UE send Extended Service Request to MME as paging response.
5. eNB select one cell with PS HO/NACC/RRC Release to fallback UE to 2G/3G.
6. After fallback to 2G/3GUE send Paging Response to MSC server and initiate normal
call.

Confidential Information of Huawei. No Spreading Without Permission


Confidential Information of Huawei. No Spreading Without Permission
Confidential Information of Huawei. No Spreading Without Permission