POLYTECHNIC OF ZAGREB
PROFESSIONAL STUDY IN ELECTRICAL ENGINEERING
Mateo Šoša
THE CHALLENGES OF LTE TECHNOLOGIES
FINAL THESIS no.: 1517
Zagreb, June 2013
Student ID, JMBAG: 0246024264
Summary
Mobile telecommunication plays a major role in everyday life since the early 1980s. With the rapidly
rising number of users and the even higher increase of yearly data traffic, a new approach to mobile
communication systems is needed. The high-level demands of these circumstances are met with the
realisation of the Long Term Evolution system, whose structures and technologies are explained in
this work. The main aim of this thesis is to give an insight into the challenges and issues emerging
with the implementation of the new LTE system and its long run operation, as well as possible
solutions and compensations.
Contents
Table of Figures
List of abbreviations
1. An Introduction to LTE
1.1 The Importance of Mobile Communication Systems
1.2 The Increase of Mobile Subscribers and Data Traffic
1.3 The Need for LTE
1.4 Requirements and Standardisation
1.4.1 Third Generation Partnership Project
1.4.2 Targets of the LTE system
1.4.3 LTE Standardisation
1.5 Thesis Overview
2. LTE System Architecture
2.1 Introduction
2.2 LTE System Architecture Overview and EPS
2.3 LTE Radio Access Network
2.3.1 User Equipment
2.3.2 Evolved UMTS Radio Access Network
2.4 LTE Evolved Packet Core
2.4.1 Mobility Management Entity
2.4.2 Serving Gateway
2.4.3 Packet Data Network Gateway
2.4.4 Policy and Charging Resource Function
2.4.5 Home Subscription Server (HSS)
2.5 Frequency and Time Division Duplex
2.5.1 Frequency Division Duplex
2.5.2 Time Division Duplex
2.5.3 FDD and TDD Frame Structure
2.6 Self Organising Networks
2.6.1 SON Self-Configuration
2.6.2 SON Self-Optimisation
2.6.3 SON Self-Healing
2.7 LTE System Problems and Disadvantages
2.8 Summary
3. Orthogonal Frequency Division Multiple Access
3.1 Introduction
3.2 The concept of Orthogonal Frequency Division Multiplexing
3.3 OFDM implementation with Discrete (Fast) Fourier Transformation
3.4 Guard-period and Cyclic-prefix Insertion
3.5 OFDMA Resource Grid and Resource Blocks
3.6 Single Carrier Frequency Division Multiple Access
3.7 Problems, Issues and Challenges of OFDMA and SC-FDMA
3.8 Summary
4. Multiple Antenna Techniques
4.1 Introduction
4.2 Basics of Multiple Antenna Techniques
4.3 Receive and Transmit Diversity Processing
4.3.1 Receive Diversity
4.3.2 Transmit Diversity
4.3.3 Space-Time Processing
4.4 Beamforming
4.5 Spatial Multiplexing
4.6 Multiple-User MIMO
4.7 Problems and Issues of Multiple Antenna Techniques
4.8 Summary
5. VoIP and Voice over LTE
5.1 Introduction
5.2 Voice and Messaging Basics in LTE
5.3 Voice over IP Approach in LTE
5.3.1 Partnership with existing VoIP service providers
5.3.2 The IP Multimedia Subsystem
5.4 Fallback to Other Mobile Networks
5.4.1 Circuit Switched Fallback
5.4.2 Voice over LTE via Generic Access
5.5 Additional Solutions
5.6 Problems and Challenges of Voice and Text Services in LTE
5.7 Summary
6. Security of the LTE System
6.1 Introduction
6.2 LTE Security Concept
6.3 Security architecture
6.4 Key Hierarchy
6.5 Authentication and Security Activation
6.5.1 EPS Authentication and Key Agreement
6.5.2 Authentication Failure
6.5.3 Security Activation
6.6 Idle-State Mobility and Handover Scenarios
6.6.1 Connected and Idle State
6.6.2 UE Mobility in Idle State
6.6.3 Handover Security Requirements
6.6.4 Handover Key Management
6.7 Additional Security Measures of EPC and RAN
6.7.1 IP security mechanisms
6.7.2 Evolved Packet Core Roaming
6.7.3 Ciphering techniques
6.8 Problems, Flaws and Difficulties
6.9 Summary
7. Conclusion
Bibliography
Quoted References
Additional Literature
Table of Figures
Figure 1.1 Mobile subscriber data growth in comparison to voice traffic
Figure 1.2 Workgroups and theme division of TSGs in 3GPP
Figure 2.1 Differences of individual system architecture components between GSM/UMTS and LTE
Figure 2.2 The main elements of the Radio Access Network in LTE
Figure 2.3 The main elements of the Evolved Packet core in LTE
Figure 2.4 Frequency Division Duplex diagram (a) and Time Division Duplex diagram (b)
Figure 2.5 Frame and time slot structure of LTE-FDD
Figure 2.6 Frame, half-frame and time slot structure of LTE-TDD
Figure 3.1 Orthogonal layout of subcarriers, frequency domain
Figure 3.2 Signal subcarrier pulse shaping in time domain (a) and spectrum shaping in frequency domain (b)
Figure 3.3 Scheme and phases of an analogue OFDM signal transmitting process
Figure 3.4 Scheme and phases of a digital OFDM signal transmitting process
Figure 3.5 The cyclic-prefix insertion mechanism
Figure 3.6 Comparison of OFDM and OFDMA in the time and frequency domain
Figure 3.7 Resource allocation of OFDMA in LTE, containing a cyclic prefix
Figure 3.8 Time Division Multiple Access (a) and Frequency Division Multiple Access (b)
Figure 3.9 Block diagram of a SC-FDMA transmitter and receiver
Figure 4.1 Fading reduction using 2-antenna receive diversity transmission
Figure 4.2 Phase shift adjustment using closed loop transmit diversity
Figure 4.3 Time step divided transmission using open loop transmit diversity
Figure 4.4 Delay diversity transmission over two antennas
Figure 4.5 Cyclic-delay diversity transmission in an OFDM system, over two antennas
Figure 4.6 Space-time transmit diversity transmission with block coding, over two antennas
Figure 4.7 The problem of destructive interference, beamforming with multiple antennas
Figure 4.8 Spatial multiplexing on a 2×2 MIMO system
Figure 4.9 Block diagram of an open loop spatial multiplexing system
Figure 4.10 Block diagram of a closed loop spatial multiplexing system
Figure 4.11 Uplink MIMO-MAC in a 2×2 spatial multiplexing system
Figure 4.12 MIMO-BC on the downlink of a 2×2 spatial multiplexing system
Figure 5.1 The structure of external VoIP subsystems in EPS
Figure 5.2 The IMS system architecture
Figure 5.3 SMS messaging using the IMS system setup
Figure 5.4 Circuit switched fallback architecture, attach request route
Figure 5.5 SMS messaging using the SMS over SGs technique
Figure 5.6 Voice over LTE via Generic Access system architecture
Figure 5.7 Block diagram of the SR-VCC architecture
Figure 6.1 Key hierarchy of the LTE system
Figure 6.2 Security activation procedure of the Non-Access Stratum
Figure 6.3 Security activation procedure of the Access Stratum
Figure 6.4 Horizontal and vertical key derivation during handover
Figure 6.5 Security interfaces Za and Zb of secure domains as an implementation of network domain security
Table 2.1 UE classes set by 3GPP
Table 2.2 Uplink-downlink sub-frame configuration sets of LTE TDD
Table 3.1 Bandwidths of the LTE standard
List of abbreviations
2G: Second Generation of Mobile Communication Technologies
3G: Third Generation of Mobile Communication Technologies
3GPP: Third Generation Partnership Project
AAS: Adaptive Array Smart Antenna Systems
AES: Advanced Encryption System
AF: Application Function
AKA: Authentication and Key Agreement
ANR: Automatic Neighbour Relation
AR: Authentication Request
AS: Application Server
AS: Access Stratum
AuC: Authentication Centre
AV: Authentication Vector
B: Bandwidth
BBERF: Bearer Binding and Event Reporting Function
BPSK: Binary Phase Shift Keying
BS: Base Station
BW: Bandwidth
C: Channel Capacity
CAPEX: Capital Expenditure
CDMA: Code Division Multiple Access
cdma2000: CDMA International Mobile Telecommunications-2000
CK: Ciphering Key
CP: Cyclic-Prefix
C-RNTI: Cell Radio Network Temporary Identity
CS: Circuit Switched
CS: Cyclic Shift
CSCF: Call Session Control Function
CSFB: Circuit Switched Fallback
CSIR: Channel State Information on the Receiver
CSIT: Channel State Information on the Transmitter
CT: Core Networks and Terminals
D: Downlink Slot
DFT: Discrete Fourier Transformation
DL: Downlink
DPC: Dirty Paper Coding
DRC: Dynamic Radio Configuration
DS: Doppler Shift
DTFS-OFDM: Discrete Time Fourier Series Orthogonal Frequency Division Multiplex
EEA0: EPS Encryption Algorithm Type 0, Null Algorithm
EEA1: EPS Encryption Algorithm Type 1, SNOW3 Encryption
EEA2: EPS Encryption Algorithm Type 2, Advanced Encryption System
EEA3: EPS Encryption Algorithm Type 3, ZU stream cipher
eNodeB: Evolved Node B (base station)
EMM: Evolved Packet System Mobility Management
EPC: Evolved Packet Core
EPS: Evolved Packet System
EPS AKA: Evolved Packet System Authentication and Key Agreement
E-UTRA: Evolved Universal Terrestrial Radio Access
E-UTRAN: Evolved Universal (UMTS) Terrestrial Radio Access Network
FD: Frequency Domain
FDD: Frequency Division Duplex
FFT: Fast Fourier Transform
GAN: Generic Access Network
GB: Gigabyte
GERAN: GSM/EDGE Radio Access Network
GI: Guard Interval
GP: Guard Period
GSM: Global System for Mobile Communications
GUTI: Globally Unique Temporary Identity
GW: Gateway
HeNB: Home Evolved NodeB, Micro Base Station
HSPA: High Speed Packet Access
HSPA+: High Speed Packet Access Evolution
HSS: Home Subscriber Server
ICI: Inter-carrier Interference
I-CSCF: Interrogating Call Session Control Function
ID: Identity
IDFT: Inverse Discrete Fourier Transformation
IETF: Internet Engineering Task Force
IFFT: Inverse Fast Fourier Transform
IK: Integrity Protection Key
IKEv2: Internet Key Exchange version 2 Protocols
IMS: IP Multimedia Subsystem
IMSI: International Mobile Subscriber Identity
IP: Internet Protocol
IPSec: Internet Protocol Security
IPSec ESP: Internet Protocol Security Encapsulating Security Payload
IP-SM-GW: Internet Protocol Short Message Gateway
ISIM: IP Multimedia Service Identity Module
K: Secure Key
KASME: Access Security Management Entity Key
KDF: Key Derivation Function
KPI: Key Performance Indicator
LTE: Long Term Evolution
LTE*: Long Term Evolution, air interface
LTE-FDD: LTE applied Frequency Division Duplex
LTE-TDD: LTE applied Time Division Duplex
MBMS: Multimedia Broadcast Multicast Service
MDT: Minimised Drive Test
ME: Mobile Equipment
MGCF: Media Gateway Control Functions
MIMO: Multiple Input Multiple Output
MIMO-BC: Multiple Input Multiple Output Broadcast Channel Spatial Multiplexing
MIMO-MAC: Multiple Input Multiple Output Multiple Access Channel
MM: Mobility Management
MME: Mobility Management Entity
MSC: Mobile Switching Centre
MT: Mobile Terminal
MU-MIMO: Multiuser MIMO
NA: Null Algorithm
NAS: Non-access Stratum
NCC: Next Hop Chaining Count
NDS: Network Domain Security
NH: Next Hop
OFDM: Orthogonal Frequency Division Multiplexing
OFDMA: Orthogonal Frequency Division Multiple Access
OPEX: Operational Expenditure
PAPR: Peak to Average Power Ratio
PAS: Phased Array Smart Antenna Systems
PCI: Physical Cell Identity
PCEF: Policy and Charging Enforcement Function
PCRF: Policy and Charging Resource Function
P-CSCF: Proxy Call Session Control Function
PD: Packet Delay
PDN: Packet Data Network
P-GW: Packet Data Network Gateway
PI: Private Identity
PKI: Public Key Infrastructure
PLMN: Public Land Mobile Network
PLMNI: Public Land Mobile Network Identity
PMI: Precoding Matrix Indicator
PMIP: Proxy Mobile IP
PS: Packet Switched
PSTN: Public Switched Telephone Network
QAM: Quadrature Amplitude Modulation
QoS: Quality of Service
QPSK: Quadrature Phase Shift Keying
RAN: Radio Access Network
RB: Resource Block
RE: Resource Element
RET: Remote Electrical Tilt
RNC: Radio Network Controller
RRC: Radio Resource Control
RRM: Radio Resource Management
Rx: Receiver
S: Special Slot
S1: E-UTRAN interface (EPC side)
SA: Service and System Aspects
SA: Smart Antennas
SAE: System Architecture Evolution
SC: Serving Centre
SC-FDMA: Single Carrier Frequency Division Multiple Access
S-CSCF: Serving Call Session Control Function
SD: Services Domain
SDMA: Space Division Multiple Access
SE: Spectral Efficiency
SFBC: Space-Frequency Block Coding
SFTD: Space-Frequency Transmit Diversity
S-GW: Serving Gateway
shortMAC-I: Short Multiple Access Channel Identifier
SIM: Subscriber Identity Module
SINR: Signal to Interference and Noise Ratio
S-IWF: Single Radio Voice Call Continuity Enhanced MSC Server
SMS: Short Message Service
SNR: Signal to Noise Ratio
SON: Self Organizing Networks
SR-VCC: Single Radio Voice Call Continuity
STBC: Space-Time Block Coding
S-TMSI: S-Temporary Mobile Subscriber Identity
STTD: Space-Time Transmit Diversity
SV-LTE: Simultaneous Voice and LTE
TA: Tracking Area
TAI: Tracking Area Identifier
TAU: Tracking Area Update
TD: Time Domain
TDD: Time Division Duplex
TD-LTE: Time Division Long Term Evolution
TD-SCDMA: Time Division Synchronous Code Division Multiple Access
TE: Terminal Equipment
TSG: Technical Specification Group
Tx: Transmitter
U: Uplink Slot
UE: User Equipment
UI: User interface
UICC: Universal Integrated Circuit Card
UL: Uplink
UMTS: Universal Mobile Telecommunications System
USB: Universal Serial Bus
USIM: Universal Subscriber Identity Module
UTRA: Universal Terrestrial Radio Access
UTRAN: Universal Terrestrial Radio Access Network
VANC: Voice over LTE via Generic Access Network Controller
VCC: Voice Call Continuity
VoIP: Voice over IP
VoLGA: Voice over LTE via Generic Access
VoLTE: Voice over LTE
WCDMA: Wideband Code Division Multiple Access
WG: Workgroup
WLAN: Wireless Local Area Network
X2: E-UTRAN Interface (eNodeB side)
ZFD: Zero Forcing Detector
ZUC: ZU Stream Cipher
1. An Introduction to LTE
1.1 The Importance of Mobile Communication Systems
Mobile telephony and mobile communication systems have been part of the modern
telecommunication spectrum since the mid-twentieth century. These early approaches were based
on analogue systems and car-borne implementations. As they became increasingly popular, a
number of new systems were introduced, improving and evolving the existing approaches. The new
concepts were based on digital data propagation and innovative user-friendly devices, which soon
became available to the average wage earner. In the early 1980s, the so-called second generation of
mobile communication systems (2G) emerged, represented through the Global System for Mobile
Communications, i.e. GSM. The introduction of the new generation simultaneously marked the
beginning of a mobile communication technology boom, resulting in the constant development and
evolution of both existing and new systems.
During the last three decades, the interest in mobile communication has grown even more. The
appearance of the so-called third generation of mobile communication systems (3G and 3.5G), which
introduced packet switched data transmission alongside the traditional circuit switched
transmission, brought the world one step closer to the merging of telecom and datacom domains.
This new feature caused a nearly exponential growth and worldwide spread of 3G mobile
communication standards (e.g. WCDMA, HSPA), reaching approximately half of the world’s
population in mid-2007.
1.2 The Increase of Mobile Subscribers and Data Traffic
With the increasing popularity of mobile communication systems and technologies, it is estimated
that to date nearly 75% of the world’s population is an active user of their services [1]. Accordingly, due
to the introduction of mobile packet data transmissions in 3G, data traffic quickly overtook the
traffic volume of voice calls and text messaging services, comprising approximately 90% of the total
traffic in 2011. Driven by the continuing evolution and enhancement of mobile communication
systems and their techniques, the overall data traffic increases tremendously with every year (Fig.
1.1).
[1] This calculation is based on the total number of active users in comparison to the world’s population, meaning
that one person can simultaneously have one or multiple subscriptions.
The data traffic increase is directly connected to the improvement of data transmission speeds. The
initial rate of 12 kbps, necessary for voice distribution in GSM, was insufficient for packet data
propagation, which soon resulted in the development of data rate improving systems. These
improvements were also driven by innovations and new approaches of wired communication and
data transmission technologies, to which radio access technologies and mobile communication
networks can be seen as equivalents. Furthermore, through the introduction of so-called flat-rate
data plans, a mobile subscriber can transmit and receive an unlimited amount of data offered through
personal broadband access, regardless of his location.
Figure 1.1 Mobile subscriber data growth in comparison to voice traffic
Mobile data transfer peaks are predicted to rise even higher, as a result of Moore’s law, which states
that mobile communication data rates are doubled approximately every eighteen months. To enable
such continuous improvement, a new approach to traditional mobile communication systems has to
be introduced.
1.3 The Need for LTE
Even though mobile packet data transmission grew slowly in the beginning, its tremendous growth
made it evident that the existing mobile communication systems and networks are not suited to
support both the needed capacity and a constantly high quality of service (QoS) for their users at the
same time. The previously mentioned user-amount-triggered improvement and evolution of data
rates was overcome by the vast number of those very users. Networks soon became oversaturated,
causing additional costs for operators and providers, which countered the problem with additional
elements and components in terms of infrastructure.
The real solution to this situation is provided by a technology evolution
which is based on the existing, modern mobile communication standards, but uses only their
beneficial characteristics and the components which are elementary for operation. Such a technology is
introduced as 3GPP Long Term Evolution (in further text LTE), which is a real mobile
packet-data-oriented communication system and standard. LTE covers the evolved system requirements in terms
of sufficient capacity, increase of data rates and bandwidth, as well as the support of exclusively the
packet switched domain. This ensures the simplicity of the system, which also positively reflects on
possible transmission delays, i.e. directly on the QoS. Furthermore, the LTE technology enables a
more efficient utilisation of the existing and new infrastructure, as well as of the air interface,
including the frequency spectrum. With the satisfaction of these requirements, the LTE system
surpasses all previous mobile communication systems in the majority of functions, services and
mechanisms.
1.4 Requirements and Standardisation
1.4.1 Third Generation Partnership Project
The introduction, standardisation and theoretical background of LTE are managed by the Third
Generation Partnership Project (3GPP). The main function of this governing body is the development
and maintenance of specifications and standards of mobile communication systems and technologies.
3GPP is comprised of so-called Technical Specification Groups (TSGs), which cover the
following areas:
- Core Networks and Terminals (3GPP TSG CT),
- GSM/EDGE Radio Access Networks (3GPP TSG GERAN),
- Radio Access Networks (3GPP TSG RAN) and
- Service and System Aspects (3GPP TSG SA).
Each of these categories is further divided into specific Workgroups (WGs), which hold different
responsibilities in terms of mobile communication system applications, specification and
standardisation (Fig. 1.2). For LTE, the most important branches are RAN and SA, which completely
address LTE’s primary functions, interfaces and implementation, as well as CT, which is responsible for
the evolution of LTE’s core network (see Chapter 2).
Figure 1.2 Workgroups and theme division of TSGs in 3GPP
1.4.2 Targets of the LTE system
Driven by the previously mentioned need for improved capacity and data transmission speeds,
specific requirements for the new system have emerged. These requirements are a direct evolution
of previous mobile communication generations’ and systems’ characteristics, applied in the following
aspects:
- Increased data rates and decreased latencies. These improvements are to be realised
  through the simplification of the overall system, the decrease of complexity and the
  automated process of system management (i.e. optimisation).
- Packet switched domain utilisation. To eliminate additional system complexity, introduced
  through the support of both the circuit switched and packet switched domain, the circuit
  switched domain will not be included into the LTE system. The traditional voice and text
  messaging services must be replaced with system-external subsystems (e.g. IMS).
- High-level security and mobility. As the mobile communication system is now similar to a
  data network (e.g. internet), additional emphasis will be placed on new security measures in
  combination with IP-security functions. Mobility efficiency is provided through the use of
  evolved base stations, i.e. eNodeBs (see Chapter 2).
- Mobile terminal power efficiency. The mobile terminal is associated with mobile
  phones and similar devices which have limited battery capacities. Therefore a flexible
  bandwidth system (with lower frequencies used for uplink transmission) and automated
  signal power-level optimisation have to be included into LTE.
- Infrastructure-building economy. Although the implementation of every new system brings
  construction and building costs, LTE should be realised through minimal investment and use
  as much of the existing mobile communication infrastructure as possible.
These main targets resulted in the creation of additional requirements and spin-off functionalities,
whose realisations were researched, developed and evolved by 3GPP and hence introduced in LTE’s
specifications and standardisation upgrades.
1.4.3 LTE Standardisation
LTE standardisation procedures and management are realised in a manner similar to specification
publishing and feature upgrades of previous mobile communication systems (e.g. HSPA); the results,
i.e. major updates and improvements, are known as 3GPP Releases 8 and 9. Before the specifications
and contents of these Releases are published, different standardisation phases and aspects have to
be fulfilled. These phases include the selection of suitable architectural applications (i.e.
determination of main structures, core network and air interface, as well as the selection of
frequency bands), the setting up of system requirements, the creation of detailed specifications and
the verification of these specifications through thorough testing and examination of different system
settings. All four phases are interconnected, overlapping each other, and are constantly being
changed until the completion of the final system setup [2].
[2] A system setup is considered as completed if the verification phase provides stable results, sufficient for
commercial rollout.
For Release 8, i.e. the initial LTE Release, the following general system improvement requirements
were set and additional projects were proposed:
- peak data rates of 100 Mbps in the downlink and 50 Mbps in the uplink (later 300 Mbps
  downlink and 75 Mbps uplink),
- latencies within the system below 10 ms and for air interface transmission below 300 ms,
- inter-system mobility support to previous mobile communication systems such as GSM and
  cdma2000,
- flexible frequency allocation, through bandwidths of 1.4, 3, 5, 10, 15 and 20 MHz,
- capacity improvement to 2-5 times the capacity of HSPA systems,
- evolution of micro and femtocells, i.e. Home eNodeBs (HeNB),
- introduction of Multiple Antenna Techniques,
- introduction of the IP Multimedia System (IMS) and other techniques which support voice
  call services,
- introduction of five User Equipment (UE) classes for further system simplification,
- support for lawful interception, and
- charging and roaming management optimisation.
These improvements were further evolved and enhanced in Release 9, which contained additional
techniques, functionalities and technology approaches to enable a quick, efficient and low-cost
implementation of the LTE system. The following techniques are included:
- introduction to Self Organising Networks (SON),
- improved approach to emergency calls, as they conflict with the system’s security policy,
- multiple-eNodeB broadcast signal combination (LTE MBMS),
- further improvement of Frequency Division Duplex (LTE-FDD) and Time Division Duplex (LTE-TDD),
- improvement of SON technologies and mechanisms, and
- minimisation of system drive-tests (MDT).
The LTE system and its standardisation are 3GPP’s most significant milestone achieved so far,
triggering an increase of participation in their further projects and worldwide acknowledgement of
their existing work. Takahiro Nakamura, the 3GPP RAN Chairman, states: “Operators need to work on
the problems created in signalling and the volume of data being carried. So, further enhancements to
the 3GPP system are being driven by that data explosion”. A continued evolution of the system is
given in Releases 10, 11 and 12, introducing an improved mobile communication standard named
LTE-Advanced. As this topic is not in the scope of this thesis, it is not further discussed.
1.5 Thesis Overview
With LTE being commercially deployed all around the world and the daily increase of its users and
subscribers, specific issues and difficulties have emerged. As the implementation of LTE and the
system itself are rather new, the number of these issues will predictably increase over time. Since the
challenges and disadvantages of the new mobile communication system are directly connected with
its architecture, implementation and characteristics, this thesis describes LTE innovations in terms of
system structure, its realisation and functionalities once deployed. A thorough explanation of the
unconventional architecture approach in LTE is given in Chapter 2. Furthermore, Chapters 3 and 4
cover the concepts and LTE realisation of hardware and software enhancements, as well as new
techniques and mechanisms needed to meet the system’s high-performance requirements, such as
the utilisation of OFDM transmission formats and Multiple Antenna Techniques. A separate chapter,
Chapter 5, is dedicated to the different applications and the realisation of voice services in LTE.
Moreover, a detailed description of LTE’s security measures and functions is given in Chapter 6.
The chief aim of this thesis is the description and explanation of challenges introduced with the
appearance of the LTE mobile communication system. Therefore, a thorough overview of
technology- and function-specific implementation, realisation and operation issues, as well as other
disadvantages and problems, is given at the end of every chapter.
2. LTE System Architecture
2.1 Introduction
With the concept of developing a new mobile communication system which improves all functions
and characteristics featured in existing systems and networks, a different approach regarding every
component of traditional system architectures has to be used. This chapter gives an insight into the
main functions and elements of the LTE system architecture, known as the Evolved Packet System
(i.e. EPS). Furthermore, two types of duplex transmission crucial for real-time two-party
communications are explained. Moreover, the main concepts of the Self Organising Network
technology, as well as the benefits of its implementation into the LTE system are explained.
Additionally, a list of problems and issues regarding all of these topics is given at the end of this
chapter.
2.2 LTE System Architecture Overview and EPS
With the first approach in further evolution of existing mobile communication standards, networks
and structures in 2004, the Third Generation Partnership Project (3GPP) decided to realise future
networks in the most simple and efficient way possible. This approach was initiated by a study whose
goal was to start the design and development of a competitive system over the period of ten to
fifteen years. In further processing and stages of development, the final layout and characteristics of
the specific structure elements were determined (Fig. 2.1). These elements, named Long Term
Evolution (LTE*) and System Architecture Evolution (SAE) were included and improved in the 3GPP
Release 8 and Release 9 specifications of mobile communication system infrastructure
standardisation.
The process of Long Term Evolution includes the improvement and implementation of the new Radio
Access Network named E-UTRAN, which is an essential air interface network structure of the LTE
system. It is a direct improvement of the beneficial techniques and mechanisms of GERAN and
UTRAN structures used in GSM and UMTS mobile communication systems. Although there is no
obvious difference between the terms LTE* and LTE, the first acronym particularly refers to the
mentioned evolution of the air interface, while the second term is an abbreviation which became the
colloquial name for the new mobile communication system.
The System Architecture Evolution is a process of evolving and improving different GSM and
UMTS structures, including their core network system. The application of SAE technology resulted in the
development of the so-called Evolved Packet Core, which is the integral data transmission network
structure of the LTE system. Although the core network is not directly related to the technologies
used in radio access networks, their functions are interconnected and needed for LTE RAN
realisation. EPC functions include the always-on availability of the user (i.e. User Equipment), the
management of its data transmissions and the control of communication characteristics. A more
detailed explanation is given in Section 2.4.
The components of these two network aspects can be seen as one logical structure called the
Evolved Packet System (EPS). As its name implies, the EPS, i.e. the LTE system architecture, is based
solely on the packet switched domain, which is more suited for high data rate transmissions than the
traditionally used circuit switched domain. Another characteristic approach is the flat network
realisation, which is optimal for the reduction of latencies and transmission delays.
Figure 2.1 Differences of individual system architecture components between GSM/UMTS and LTE
Although the Service Domain is not precisely a part of the LTE architecture, it represents all external
systems to which the EPC and RAN can connect. It contains a variety of subsystems and
application platforms which mostly include services that are not provided by a mobile
communication network operator. These services include: IP multimedia subsystem operation, VoIP
applications and other internet services (e.g. web browsing, video streaming). Further discussion on
this topic can be found in Chapter 5.
2.3 LTE Radio Access Network
The air interface and communication environment used in LTE mobile communication systems is
called the LTE Radio Access Network. As part of the new approach of flat system architecture
components, it is comprised of a minimal number of required elements. This architecture
simplification positively reflects on the network’s characteristics, enabling higher data rates and
lower latencies. Furthermore, unnecessary techniques that were only introducing low improvements
and additional complexity (e.g. macro diversity used in HSPA and WCDMA systems, anchor station
approach, etc.) were excluded.
As an integral part of LTE’s system architecture, the requirements of RAN development are directly
connected to the targets set for LTE system design and implementation. These are as follows:
- the enabling of higher peak data rates (i.e. 100Mbps on the downlink (DL) and 50Mbps on
  the uplink (UL); later 300Mbps DL and 75Mbps UL),
- the reduction of latencies (i.e. maximum data travelling time between user and system set to
  5ms, the transfer from idle to connected state of a device must be less than 100ms),
- the improvement of spectral efficiency (i.e. the improvement of typical cell-capacity-per-unit
  bandwidth, to 3-4 times greater than WCDMA DL and 2-3 times greater than its UL), and
- the improvement of coverage, spectrum utilisation and mobility (i.e. cell ranges between 5
  and 100km, distribution speeds of 15 to 350 km/h and operation on flexible bandwidths
  between 1,4 and 20 MHz).
LTE’s RAN consists of two elements, the User Equipment (i.e. the end-user device) and the Evolved
UMTS Radio Access Network, manifested in evolved NodeB base stations. The structure of these
elements in connection to other aspects of the LTE system is shown on Figure 2.2. Additional
explanations are given in the sections below.
Figure 2.2 The main elements of the Radio Access Network in LTE
2.3.1 User Equipment
The term User Equipment (i.e. UE) is the joint name for all devices which enable a user to utilise the
services of mobile communication networks (e.g. voice calls, text messaging, mobile internet
browsing, etc.). These devices can be stand-alone equipment (such as mobile phones and internet
tablets) or additional hardware equipment (e.g. LTE-internet sticks). Even though the function and
application of these devices may be different, their architecture is comprised of the same elements:
the Mobile Equipment (ME) and the Universal Integrated Circuit Card (UICC). The ME consists of the
Mobile Terminal (MT), which is responsible for all communications of a UE, and the Terminal
Equipment (TE), which manages the directing and steering of data streams. The UICC is the key
element for user identification and authentication in LTE systems, as it contains the Universal
Subscriber Identity Module (USIM) in which a user’s mobile number and other specific identification
information is stored.
To enable an optimal network environment for data transmission and the utilisation of internet-
based services, the RAN (i.e. the base station) requires every UE’s capabilities and characteristics,
such as the maximum allowed data rate or supported radio access technologies. Therefore, UEs with
similar abilities are grouped together into so called LTE UE Categories and Classes (CC), which simplify
the mentioned process. These classes, defined by the Third Generation Partnership Project (3GPP),
are shown in Table 2.1.
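UE class | Peak data rate DL [Mbps] | Peak data rate UL [Mbps] | Soft buffer size [Gbits] | Multiple antenna streams | Highest downlink modulation | Highest uplink modulation
1        | 10                       | 5                        | 0,25                     | 1                        | 64QAM                       | 16QAM
2        | 50                       | 25                       | 1,24                     | 2                        | 64QAM                       | 16QAM
3        | 100                      | 50                       | 1,24                     | 2                        | 64QAM                       | 16QAM
4        | 150                      | 50                       | 1,83                     | 2                        | 64QAM                       | 16QAM
5        | 300                      | 75                       | 3,67                     | 4                        | 64QAM                       | 64QAM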
Table 2.1 UE classes set by 3GPP
2.3.2 Evolved UMTS Radio Access Network
The Evolved UMTS Radio Access Network (E-UTRAN) is the main structure of LTE’s Radio Access
Network. It is an evolved form of the access network structures used for UMTS and HSPA; designed
to support the requirements and targets which drive the LTE development. Its uplink and downlink
transmission technologies and mechanisms, namely OFDMA and Multiple Antenna Techniques, are
explained in Chapters 3 and 4.
The E-UTRAN is realised through the flat architecture approach, consisting of only one element, the
evolved NodeB (in further text eNodeB). The eNodeB base station is an equivalent to both NodeB
base stations and RNC elements used in HSPA mobile communication networks. Although this
approach greatly simplifies the internal structure of the RAN, the complexity of its functions is not
reduced. Moreover, the eNodeB is responsible for the control and management of all radio access
related functions, i.e. all radio communication between a user (i.e. the UE) and the Evolved Packet
Core. This includes processes typical for previous generation’s base stations (e.g. ciphering and
deciphering of user data, modulation and demodulation of information to and off the signal,
interleaving and deinterleaving, etc.) and RNC³ functions (e.g. monitoring of network functions,
traffic scheduling, UE power level control, etc.), as well as additional functions such as Mobility
Management (MM), on behalf of which handover decisions are made (e.g. management of necessary
signalling, selection of suitable MMEs, etc.).
Two interfaces are used to enable the eNodeB to communicate with other LTE system elements.
These are the S1 interface, used to connect an eNodeB to the core network, i.e. EPC; and the X2
interface which connects an eNodeB to a neighbouring eNodeB, allowing loss-less mobility and swift
handovers. While the X2 interface is optional, the S1 interface is mandatory, as it is utilised for all
necessary signalling and data exchange. Furthermore, the S1 interface can also take over the
functions of X2, but manages its connections indirectly and more slowly. The use of these interfaces in
terms of security is discussed in Chapter 6.
³ The Radio Network Controller functions used in LTE are called Radio Resource Management functions (RRM),
which were made part of the eNodeB to reduce latencies caused by the required signalling exchange between the RNC and NodeB used in HSPA and WCDMA mobile communication systems.
2.4 LTE Evolved Packet Core
The Evolved Packet Core (in further text EPC) is LTE’s equivalent to the GSM (i.e. UMTS) Core
Network. The radical development and evolution in comparison to the mentioned core network is
manifested in its flat, single-node architecture and the utilisation of only the packet switched
domain. This means that the EPC is exclusively used for packet data transmission to and from the UE,
not being concerned with its utilisation. One essential drawback of this approach is the lack of voice
call service support, which was traditionally part of the circuit switched domain; this topic is further
addressed in Chapter 5.
With the EPC being an essential part of LTE’s architecture, it has to meet the following requirements:
- Access Stratum signalling and messaging,
- Non-Access Stratum security functions,
- user information management and profiling,
- mobility and handover management,
- bearer management and policy control,
- QoS handling, and
- interconnectivity to external networks (Service Domain).
The main elements of the Evolved Packet Core are the MME (i.e. the control plane node), data
tunnelling gateways (S-GW, connecting the EPC to RAN; and P-GW, connecting the EPC to the Service
Domain) and the HSS (the only element that is located inside a single node). The interconnection of
these elements, i.e. the EPC architecture is shown on Figure 2.3. Further explanation of each EPC
element is given below.
Figure 2.3 The main elements of the Evolved Packet core in LTE
2.4.1 Mobility Management Entity
The Mobility Management Entity (MME) is the main control element of the LTE Access Stratum, as it
manages all radio communication unrelated signalling and messaging from and to the UE. This
management is manifested in the following functions:
- authentication and security measures (special MME signalling is used for the identification,
  authentication and integrity protection of a UE, i.e. user),
- mobility management (the MME is responsible for UE tracking, applied in both connected
  and idle state. This provides a serving MME the ability to reconnect an idle-state UE in the
  event of an incoming transmission),
- management of subscriber profiles and service connectivity (i.e. the automatic setup of
  bearers provided by the Policy and Charging Resource Function (PCRF, see Section 2.4.4), as
  well as management of IP connectivity and always-on mode provided by the P-GW), and
- handover control signalling.
An MME covers an area of several eNodeBs and is connected to every UE within its range, but a UE is
only assigned to one MME, named serving MME. This serving MME changes in the event of
handovers, which are further discussed in Chapter 6.
2.4.2 Serving Gateway
Another element of the EPC, which serves as a router for tunnelling and management of user data is
known as the Serving Gateway (S-GW). It forwards all connected-state UE originated and terminated
data between the eNodeB and P-GW. Moreover, if the UE is currently in the idle state, the S-GW
buffers all incoming data in its internal memory and initiates a UE state-change request to the
respective MME, continuing the transmission when the UE reconnects to the connected state. Each
active UE is connected to one S-GW, which can be changed in the event of handovers.
The S-GW is also responsible for the setup of the Bearer Binding and Event Reporting Function
(BBERF) and hence partially for policy and charging settings, as well as for bearer management,
which is based on the information computed by the PCRF. Furthermore, since all traffic is routed
through this interface, it also represents the optimal point for lawful interception.
2.4.3 Packet Data Network Gateway
The interface which enables the EPC and its elements to interact with and connect to the services of
the Service Domain (i.e. to Packet Data Networks) is called the Packet Data Network Gateway (in
further text P-GW). It is the main router that performs traffic directing and filtering functions
required by some external services, and through which a UE obtains an IP address at start-up,
enabling its always-on connectivity and allowing it to browse the web or use IMS operation.
Furthermore, to enable the UE to establish simultaneous connections to multiple PDNs, it can also
connect to more than one P-GW. At the same time, each P-GW can only be connected to one S-GW,
if it is used for data exchange between a UE and a PDN. The P-GW is also partially responsible for
policy and charging settings, as it contains the Policy and Charging Enforcement Function (PCEF) and
applies the changes determined by the PCRF.
2.4.4 Policy and Charging Resource Function
The process responsible for the Policy and Charging Control of the elements in the EPC is called Policy
and Charging Resource Function (PCRF). This function addresses all services in terms of QoS, setting
up the most suitable signal bearers and appropriate policing, and hands the information to BBERF (S-
GW) and PCEF (of the P-GW). This information is formed into so called PCC Rules which are sent on
request of the S-GW, P-GW and Service Domain (i.e. as part of a service, subsystem or application,
collectively called Application Function), each time a new bearer is set up. Even though each PCRF
can be connected to one or more S-GWs, P-GWs and AFs; only one PCRF is associated for each PDN
connection of the UE.
2.4.5 Home Subscription Server (HSS)
The Home Subscription Server (HSS) is in its essence a database or data repository which stores the
master copy of all permanent data received from a subscriber (i.e. user). Its main element is the so
called Authentication Centre (AuC), where a UE’s permanent root key K is stored. Based on the
received data, the HSS creates a user profile for each subscriber, which contains information about
the UE’s capabilities, allowed PDN connections, roaming restrictions and the UE’s current location.
Therefore, the HSS is allowed to connect to any UE (through the MME) in its range, but can only be
connected to one MME per UE. In handover scenarios (i.e. if the serving MME of a UE is changed) all
connections to this MME are terminated and the HSS automatically connects to the new serving
MME.
2.5 Frequency and Time Division Duplex
An essential characteristic of every mobile communication system is the ability to maintain
communications in both directions, i.e. to transmit and receive data to or from both involved parties
simultaneously. Such communication models are called duplex communications and are realised in
different applications. The two types used in the LTE system are known as the Frequency Division
Duplex (FDD) and the Time Division Duplex (TDD), each being used in different adaptations and
scenarios. FDD is considered as an upgradable element used in previous mobile communication
systems, while TDD is expected to provide further evolution in parallel to the TD-SCDMA standard.
2.5.1 Frequency Division Duplex
The first application of duplex communication technologies is called Frequency Division Duplex. It is a
type of full-duplex based on the concept of simultaneous transmission and reception of signals by
using different frequencies. This means that the transmitted signal is being sent on a different carrier
frequency than the signal which is to be received. To make this technique resistant to interference
between the transmitted and received signal, a specific spacing between these two frequencies is
used (Fig. 2.4a). This spacing is called FDD Guard Period and does not noticeably impact the overall
capacity of the system. An additional frame structure of this technique is given in Section 2.5.3.
Figure 2.4 Frequency Division Duplex diagram (a) and Time Division Duplex diagram (b)
The nature of FDD is rather inefficient, as every communication is realised with twice as many
channels for transmission and reception. The uplink frequency is usually lower than the frequency
used for the downlink, as this meets a UE’s energy consumption capabilities. Also, since the
communication is managed by the same system components (of either eNodeB or UE) there is no
difference between uplink and downlink communication, making separate capacity changes
impossible. Moreover, additional hardware in form of antenna filters that isolate the transmitter
from the receiver, has to be added to the existing system.
2.5.2 Time Division Duplex
The second duplex communication technology application in LTE is called Time Division Duplex. The
concept of this full-duplex type utilises only one frequency and enables the simultaneous
transmission and reception of signals through sending data on a time-based difference. The
transmission periods, which can be seen as short data bursts, are not introducing any noticeable
delays for the receiver, thus making this technique optimal for real-time related communication (e.g.
VoIP services).
Similar to FDD, a TDD Guard Period or Guard Interval is used to eliminate possible interference
between incoming and outgoing signals, whose duration has to be sufficient for the reception signal
to arrive before the transmission of another signal has started (Fig. 2.4b). The guard period is divided
into two parts: the propagation delay part (3 - 15µs) and the function swapping part (transmitter-to-
receiver and vice versa, 2 - 5µs). The length of the guard period therefore depends on the duration
between a signal’s transmission and its reception, which introduces certain issues for long distance
telecommunication, and the routing delays caused by swapping between transmitter and receiver
functions, depending on the frame and time slot structure explained below.
2.5.3 FDD and TDD Frame Structure
To maintain the communication efficiency and resiliency to interference in LTE systems, different
sets of special frame structures are used for the FDD and TDD transmission approaches. The
utilisation of such frame structures directly affects the data distribution schemes used by the UE and
eNodeB to transmit and receive the respective signals.
Figure 2.5 Frame and time slot structure of LTE-FDD
The frame structure of LTE-FDD is quite straightforward: one frame with an overall length of 10ms is
comprised of 10 sub-frames, each containing 2 individual time slots (Fig. 2.5). These durations are
not flexible, i.e. they are the same for uplink and downlink transmission, making FDD unable to
perform capacity changes.
Figure 2.6 Frame, half-frame and time slot structure of LTE-TDD
A different frame structure is used for LTE-TDD, where the 10ms frame is divided into two half-
frames. Each of these contains 5 sub-frames, which are comprised of three time slot fields: the
Downlink Pilot Time Slot, the Uplink Pilot Time Slot and the TDD Guard Period, which is between the
first two (Fig. 2.6). Unlike in LTE-FDD, these fields are of individually configurable length⁴ which
allows the system to dynamically change the uplink and downlink configurations to meet the capacity
requirements. Even though these parameters can be modified manually, several predefined
transmission formats have been included in the eNodeB and UE to automate this process. Table 2.2
shows a number of these formats, with sub-frame durations of one or two half-frames which are
comprised of downlink slots (D), uplink slots (U) and special slots that contain the guard period (S).
⁴ Although the duration and length of the Downlink Pilot Time Slot, Uplink Pilot Time Slot and TDD Guard
Period can be changed to the respective needs, their total length must always be 1ms.
Uplink-downlink | Uplink-downlink    | Sub-frame number
configuration   | switch periodicity | 0 1 2 3 4 5 6 7 8 9
0               | 5 ms               | D S U U U D S U U U
1               | 5 ms               | D S U U D D S U U D
2               | 5 ms               | D S U D D D S U D D
3               | 10 ms              | D S U U U D D D D D
4               | 10 ms              | D S U U D D D D D D
5               | 10 ms              | D S U D D D D D D D
6               | 5 ms               | D S U U U D S U U D
Table 2.2 Uplink-downlink sub-frame configuration sets of LTE TDD
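The configurations of Table 2.2 can be checked mechanically; the following Python sketch is an added example, not part of the thesis. It verifies that every downlink-to-uplink switch passes through a special sub-frame, derives the switch periodicity from the pattern, and computes the downlink share of each configuration. The function names and the `closest_configuration` selection rule are assumptions made for illustration.

```python
# Added example: consistency checks on the LTE-TDD configurations of Table 2.2.
# D = downlink, U = uplink, S = special sub-frame that carries the guard period.
TABLE_2_2 = {  # configuration -> (switch periodicity in ms, sub-frames 0..9)
    0: (5, "DSUUUDSUUU"),
    1: (5, "DSUUDDSUUD"),
    2: (5, "DSUDDDSUDD"),
    3: (10, "DSUUUDDDDD"),
    4: (10, "DSUUDDDDDD"),
    5: (10, "DSUDDDDDDD"),
    6: (5, "DSUUUDSUUD"),
}
FRAME_MS = 10  # one frame = 10 sub-frames of 1 ms each


def validate(pattern):
    """Raise ValueError if the pattern breaks the guard-period rule."""
    if len(pattern) != FRAME_MS or set(pattern) - set("DSU"):
        raise ValueError("pattern must be 10 characters of D, S or U")
    for i, sf in enumerate(pattern):
        prev = pattern[i - 1]                   # wraps to the previous frame
        nxt = pattern[(i + 1) % FRAME_MS]       # wraps to the next frame
        if sf == "D" and nxt == "U":
            raise ValueError("downlink-to-uplink switch without guard period")
        if sf == "S" and (prev != "D" or nxt != "U"):
            raise ValueError("special sub-frame must sit between D and U")
    return True


def derived_periodicity_ms(pattern):
    """Switch periodicity implied by the positions of the S sub-frames."""
    positions = [i for i, sf in enumerate(pattern) if sf == "S"]
    if not positions or FRAME_MS % len(positions):
        raise ValueError("cannot derive a periodicity")
    period = FRAME_MS // len(positions)
    if any((p - positions[0]) % period for p in positions):
        raise ValueError("special sub-frames are not evenly spaced")
    return period


def capacity_split(pattern):
    """Sub-frame counts per type and the downlink share of the D+U capacity."""
    d, u, s = (pattern.count(c) for c in "DUS")
    return {"D": d, "U": u, "S": s, "dl_share": round(d / (d + u), 3)}


def check_table():
    """Validate every row and confirm the printed periodicity column."""
    summary = {}
    for cfg, (periodicity, pattern) in TABLE_2_2.items():
        validate(pattern)
        if derived_periodicity_ms(pattern) != periodicity:
            raise ValueError(f"configuration {cfg}: periodicity mismatch")
        summary[cfg] = capacity_split(pattern)
    return summary


def closest_configuration(wanted_dl_share):
    """Assumed selection rule: configuration whose downlink share is nearest."""
    shares = check_table()
    return min(shares, key=lambda c: abs(shares[c]["dl_share"] - wanted_dl_share))


if __name__ == "__main__":
    for cfg, split in check_table().items():
        print(cfg, TABLE_2_2[cfg][1], split)
```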
2.6 Self Organising Networks
The evolution of mobile communication networks such as LTE, whose structures become more and
more complex with every release update, introduces the necessity of more efficient network
planning and less difficult implementation of new elements into the existing system. It has also set
new aims for the upgrade of existing and future networks:
- the reduction of operating costs in terms of network design, implementation, operation and
  maintenance,
- the reduction of both capital expenditure (CAPEX) and operational expenditure (OPEX), and
- the reduction of human intervention and errors, which protects an operator’s revenue.
Therefore, a technology that automates the processes of network planning, configuration,
optimisation, healing and further management has been developed and integrated in the LTE
standard. The technology called Self Organising Network (SON) represents a set of several techniques
and procedures which supervise and control a network’s elements, optimising their performance to
meet current requirements. Although the implementation of such a technology is connected to
significant investment, it still provides large OPEX returns over a longer time period, making it an
essential upgrade for every mobile communication network operator.
2.6.1 SON Self-Configuration
One of the major improvements of the SON technology compared to manually set-up mobile
communication networks is the technique called SON Self-Configuration. This technique enables the
implementation of new cell sites with the concept of plug and play mechanisms. While it is foremost
reducing installation time and costs, this technique also guarantees the correct network integration
of the newly added components. SON self-configuration includes the following elements and
processes:
- the automatic configuration of all new network components with initial parameters and
  values, needed for radio transmission and connection to the core network (this setup is
  based on the Dynamic Radio Configuration (DRC) process, which measures the current
  network and radio interface, determining the most suitable values and parameters such as
  the initial antenna tilt and power settings; and the initial eNodeB measurement),
- the automatic neighbour relation management, i.e. ANR (fully automated creation of
  neighbour cell lists and relationship tables, which are then provided to both the UE and
  eNodeB to make handovers less complicated and trigger fewer handover failures),
- the automatic inventory query (this technique checks the hardware and software
  specifications of the newly added components to determine their capabilities and
  characteristic parameters which are used for automatic configuration and optimisation
  processes),
- self-testing (a system check is issued to ensure correct operation before the
  final activation takes place), and
- the automatic connection establishment (this setup enables the new network components to
  automatically connect to the domain management system, obtaining required identification
  and addresses, as well as other important parameters).
As this aspect of SON involves all previously mentioned elements of the LTE system (i.e. the EPC, E-
UTRAN and UE), its utilisation includes the individual upgrade of each of them. A more detailed
explanation of SON self-configuration processes can be found in [1] and [2].
2.6.2 SON Self-Optimisation
Another important application of SON, which is often used in combination with self-configuration
processes, is called SON Self-Optimisation. Similarly to self-configuration, self-optimisation involves
the whole system, but its effects can mostly be recognised on the LTE air interface, i.e. the E-UTRAN.
This set of techniques optimises the settings and preferences of different network components,
previously set up by self-configuration processes, which were rendered inefficient due to possible
system and interface inconsistencies. These fluctuations include changes of existing propagation
characteristics (e.g. due to the construction of new buildings), temporary capacity requirements (e.g.
due to the increased number of users during concerts or sport events) and the changes of the
existing network structure (as additionally added base stations affect the neighbouring ones). SON
self-optimisation is based on the characteristics determined beforehand with the help of SON self-
configuration inventory queries, as well as on its own performance and parameter analyses
explained further below.
To enable the most efficient operation of the system, SON self-optimisation introduces the following
different functions and procedures:
- Mobility load balancing. This procedure is applied in the event of oversaturation of single
  eNodeB base stations. As heavily loaded base stations, i.e. hotspots, negatively affect the
  system stability and user experience, this technique is used to even out the load and
  maximise the capacity by combining them with one or more neighbouring base stations.
  Although the routing of data streams to alternate eNodeBs (i.e. off-roading) causes higher
  latencies and possibly lower data rates compared to the connection with the most suitable
  eNodeB, these characteristics provide an actual improvement in the event of hotspot overload.
- Coverage and capacity optimisation. The processes of this technique include the automated
  adaptation and change of parameters such as antenna settings adjustment (e.g. automated
  tilt correction using Remote Electrical Tilt mechanisms) and power level adjustment (i.e. the
  utilisation of several power level schemes on the eNodeB and the UE), to improve the
  system’s transmission characteristics. This aspect is very important for maintaining a mobile
  communication system, as manual management and optimisation of base stations and
  individual cells is time consuming and expensive.
- Mobility robustness optimisation. As its name indicates, this application of SON self-
  optimisation affects the mobility procedures of the LTE air interface. This includes the
  elimination or minimisation of parameters and events of system instability such as dropped
  calls during handover procedures, unnecessary handovers in coverage limit areas and
  handovers to wrong cells. To achieve the minimisation of these events and the elimination of
  so called ping-pong effects, the technique includes mechanisms of cell boundary and
  coverage limit optimisation and introduces improvements to periodic cell area measurement
  and analysis.
- Energy saving. The solutions for reduced power consumption introduced with this
  application of self-optimisation can be applied to the whole system. This adaptation is based
  on the approach of on-demand service distribution, i.e. saving operational expenses of
  system operation in the event of the services not being needed. The following techniques are
  included: the reduction of distribution resources at off-peak times (e.g. fewer carriers are
  required in residential areas at night) and the reduction of active base stations (more radical
  approach, as the eNodeBs are set into sleep mode, e.g. in business areas at night).
  Furthermore, the concept of “green energy” can be supported by local energy generation,
  using solar panels and wind power plants.
2.6.3 SON Self-Healing
With the realisation and implementation of LTE systems into existing mobile communication
networks, the question of solving network problems and issues emerges. Therefore, another SON
application, called SON Self-Healing, is gaining increased importance. The techniques of self-healing
are carried out on the components of LTE’s air interface, where they introduce procedures of
network fault detection and problem masking. These procedures are: an automated software
recovery (a backup is made before every major software update), cell outage detection (a problem
log is sent to the maintenance server), cell outage compensation (in the event of eNodeB⁵ outage,
one or more neighbouring eNodeBs take over its functions), the return from outage compensation
(enabling the system’s recovery to its default state) and cell outage recovery (diagnosis of the fault,
calculation of the reparation chance and remote recovery of the system).
⁵ The compensation is first issued for the cell with the reported error, i.e. other cells of the same eNodeB take
over its functions. If that is not possible, due to capacity overload or cell orientation, the compensation technique contacts one or more of the neighbouring eNodeB’s cells to take over the traffic.
This approach is based on the technique’s own signalling and analysis function, manifested in so
called Key Performance Indicators (KPIs), which monitor the most important parameters and values
of the network to detect failures and faults. If a KPI value is outside of its pre-set limitations, e.g. due
to cell degradations or unusual interference, an alarm flag is set and a problem report is sent to the
maintenance server. This allows the mobile network operator to quickly react and solve existing
issues, while the network automatically compensates for all lost functions.
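The KPI check and the compensation order of footnote 5 can be sketched as follows. This Python code is an added example, not taken from the thesis or from any SON product: the KPI names, their limits, the outage criterion, the 90 % load ceiling and the `can_cover` field (which stands in for cell orientation) are all assumptions, and the cell data is constructed.

```python
from dataclasses import dataclass, field

# Constructed KPI limits as (lowest allowed, highest allowed); names are assumptions.
KPI_LIMITS = {
    "rrc_setup_success_pct": (95.0, 100.0),
    "call_drop_rate_pct": (0.0, 2.0),
    "ul_interference_dbm": (-120.0, -95.0),
}


@dataclass
class Cell:
    cell_id: str
    enodeb: str
    load: int                                     # current load in percent
    can_cover: set = field(default_factory=set)   # cells whose area it can reach


def kpi_violations(sample):
    """Return {kpi: value} for every KPI outside its pre-set limits."""
    bad = {}
    for kpi, (low, high) in KPI_LIMITS.items():
        value = sample.get(kpi)
        # A KPI that is not reported at all is treated as a fault as well.
        if value is None or not low <= value <= high:
            bad[kpi] = value
    return bad


def choose_compensation(failed_id, cells, max_load=90):
    """Footnote 5 order: same eNodeB first, then neighbouring eNodeBs' cells.

    Returns (plan, uncovered): plan maps cell id -> load taken over in percent.
    """
    lost = cells[failed_id]
    reach = [c for c in cells.values()
             if c.cell_id != failed_id and failed_id in c.can_cover]
    # Step 1: one cell of the same eNodeB that has enough headroom.
    same = [c for c in reach
            if c.enodeb == lost.enodeb and c.load + lost.load <= max_load]
    if same:
        best = min(same, key=lambda c: c.load)
        return {best.cell_id: lost.load}, 0
    # Step 2: spread the traffic over neighbouring eNodeBs, least loaded first.
    plan, remaining = {}, lost.load
    others = sorted((c for c in reach if c.enodeb != lost.enodeb),
                    key=lambda c: c.load)
    for c in others:
        take = min(remaining, max_load - c.load)
        if take > 0:
            plan[c.cell_id] = take
            remaining -= take
        if remaining == 0:
            break
    return plan, remaining


def handle_sample(cell_id, sample, cells, maintenance_log):
    """Set the alarm flag, file the problem report, plan compensation on outage."""
    bad = kpi_violations(sample)
    if not bad:
        return None
    report = {"cell": cell_id, "alarm": True, "violations": bad}
    # Assumed outage criterion: no successful connection setups at all.
    if not sample.get("rrc_setup_success_pct"):
        plan, uncovered = choose_compensation(cell_id, cells)
        report["compensation"] = plan
        report["uncovered_load"] = uncovered
    maintenance_log.append(report)   # stands in for the maintenance server
    return report


def build_cells():
    """Constructed topology: eNodeB A (three cells) with neighbours B and C."""
    cells = [
        Cell("A1", "A", 50),
        Cell("A2", "A", 60, {"A1"}),   # right orientation, but too loaded
        Cell("A3", "A", 20),           # faces away from A1
        Cell("B1", "B", 60, {"A1"}),
        Cell("C1", "C", 70, {"A1"}),
    ]
    return {c.cell_id: c for c in cells}


# Constructed KPI samples.
HEALTHY = {"rrc_setup_success_pct": 99.1, "call_drop_rate_pct": 0.4,
           "ul_interference_dbm": -104.0}
DEGRADED = {"rrc_setup_success_pct": 97.0, "call_drop_rate_pct": 3.5,
            "ul_interference_dbm": -101.0}
OUTAGE = {"rrc_setup_success_pct": 0.0, "call_drop_rate_pct": 0.0,
          "ul_interference_dbm": -104.0}

if __name__ == "__main__":
    cells, log = build_cells(), []
    for cell_id, sample in (("B1", HEALTHY), ("C1", DEGRADED), ("A1", OUTAGE)):
        print(cell_id, handle_sample(cell_id, sample, cells, log))
```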
2.7 LTE System Problems and Disadvantages
Since the utilisation of the Evolved Packet System, realised through the Self Organising Network
technology, is rather new and has yet to be tested in the long run, its techniques and functions still
harbour specific problems and implementation challenges. The negative effects, drawbacks and
issues are as follows:
- Utilisation of packet switched domain only. As traditional circuit switched services still have a
  great impact on a mobile communication operator’s revenue, this drawback can be seen as
  one of the main problems of the EPS. Support for voice and messaging services is given
  through applications and subsystems of the Service Domain, i.e. externally. These
  approaches are further discussed in Chapter 5.
- Flat architecture infrastructure. Even though the concept of flat architecture implementation
  introduces significant simplifications, which are directly resulting in network-wide benefits,
  the combination of more system components into one multi-function element disables the
  use of the existing infrastructure. The production of new hardware and software brings
  additional costs for a mobile communication network operator.
- Single base station connections. Since the system architecture is being kept flat, the UE is
  connected to only one eNodeB base station, making soft-handovers (as in UMTS) impossible.
  The only exception is during hard handover scenarios, where a UE, which is still connected to
  its first eNodeB, sends signalling messages to the next MME/eNodeB to which it wants to
  connect. Also, the possibility of macro diversity, used in WCDMA and HSPA systems, has
  been excluded, due to the additional system complexity that this procedure introduces.
- Real data rates. The LTE system requirement regarding the peak data rates of the system,
  mentioned in Section 2.3, is only giving a theoretical calculation of speeds, which are only
  possible in laboratory conditions. Accordingly, the real data transmission rate will be fairly
  lower, decreasing linearly with every user connected to the system.
- Transmitter and receiver spacing for FDD. As the additional filters used in eNodeBs are
  implemented quickly and without additional difficulties, the approach for UEs is more
  complex. Since the transmitter and receiver parts of a UE are close together, the need for
  additional filtering is realised through an overall redesign and upgrade of the traditionally
  used UE antennas, which represents another cost factor.
- Long distance inefficiency. For TDD transmissions, mentioned in Section 2.5.2, the beneficial
  guard period can also be the cause of an efficiency drop. If used on long distance
  transmissions, the TDD guard period is automatically longer, resulting in shorter uplink and
  downlink transmission frames.
- Power level optimisation. The automatic power level adjustment technique, introduced as
  part of SON self-optimisation, is based on a compromise calculation. Since the optimal power
  settings for an eNodeB (i.e. high-power usage) negatively reflect on the UE (i.e. more energy
  consumption on high-power operation) and the most suitable power settings for a UE (i.e.
  low, constant power usage) result in efficiency loss if applied on the eNodeB, these
  calculated compromise settings provide the most acceptable solution.
- Analysis and monitoring application. Another significant cost introducing factor is the
  additional hardware and software needed for the data collection and analysis techniques of
  SON self-healing. This issue solves itself over a specific period of time, as the additions are
  used for the detection and recovery of system and network faults.
Further information about issues regarding LTE air interface transmission formats and techniques
that are used to compensate LTE’s lack of circuit switched domain services support is given in the
following chapters.
2.8 Summary
The system architecture of LTE, called Evolved Packet System, introduces the improvement and
evolution of all beneficial aspects regarding both air interface technologies and core network
structures of previous generations’ mobile communication networks. These changes are
implemented with the help of Self Organising Network technologies and functionalities, which
provide a simpler and cheaper adaptation of infrastructural changes, as well as the maintaining of
existing system components. Furthermore, this chapter describes two duplex transmission formats
used for packet data transmission and reception, with special emphasis to their frame and time slot
structures. Additionally, an overview of issues and problems that appeared with the realisation of
this system is given.
3. Orthogonal Frequency Division Multiple Access
3.1 Introduction
One of the improvements and key elements in LTE is the use of OFDMA (Orthogonal Frequency
Division Multiple Access) as its downlink transmission scheme and SC-FDMA (Single Carrier
Frequency Division Multiple Access) as its uplink transmission scheme. This chapter describes both
techniques and processes and their functions in LTE multiple access transmission. Furthermore,
problems and issues regarding multiple access transmission and OFDM in LTE are explained.
OFDMA has also been adopted in various other radio technologies, e.g. WLAN (IEEE 802.11
standards), WiMAX (IEEE 802.16) and digital television broadcasting. SC-FDMA, however, found its
first use in the LTE standard.
3.2 The concept of Orthogonal Frequency Division Multiplexing
Orthogonal frequency division multiplexing (OFDM) is a powerful modulation format (in further text:
format) chosen as the signal bearer of LTE. Due to its high resiliency against selective fading and
inter-symbol interference, which occurs at LTE’s high data transmission rates and is caused by multi-
path crossing effects, it was the optimal candidate for this function. For multiple access
transmissions, the following characteristics of the format are significant:
• The use of a large number of close-spaced, narrowband subcarriers that can range from a
  two figure number up to several thousand.
• Choice of available bandwidth within LTE. This influences the number of carriers
  accommodated, thus impacting the overall symbol length.
• Orthogonal creation of subcarriers, for more efficient transmission rate and elimination of
  inter-carrier interference, allowing their frequency domain spectrums to overlap (Fig. 3.1).
• Simple rectangular subcarrier pulse shaping in the time domain (Fig. 3.2a).
• Low sensitivity to time-related synchronization problems.
• Link adaptation and frequency domain scheduling.
The main principle of multiple access transmissions using OFDM is to use narrowband, mutually
orthogonal subcarriers. Regardless of the bandwidth, subcarriers in LTE are spaced with a 15 kHz
distance between peaks (Fig. 3.1). To achieve and maintain orthogonality, the symbol rate is 66.7 µs
(as in
), i.e. two subcarriers are mutually orthogonal over the time interval
;
∫
∫
Figure 3.1 Orthogonal layout of subcarriers, frequency domain
Figure 3.2 Signal subcarrier pulse shaping in time domain (a) and spectrum shaping in frequency domain (b)
The number of subcarriers directly depends on the bandwidth and can vary between a two figure
number (e.g. an LTE base station transmits approximately 72 subcarriers to stay in contact with the
UE) and 2048 (maximal number of subcarriers in one LTE band; see footnote 6), averaging at
approximately 600 subcarriers for operation in a 10 MHz spectrum. Each of them is able to transport
information at a maximum rate of 15 ksps (kilosymbols per second). Theoretically, given a 20 MHz
bandwidth system with maximum load and throughput, a raw symbol rate of 18 Msps (megasymbols per
second) can be achieved. Accordingly, using the 64QAM for modulation (each symbol representing
6 bits), a data rate of approximately 108 Mbps is provided.
Footnote 6: 2048 subcarriers with 15 kHz spacing still fit into the 20 MHz bandwidth, as only about
60% are used for signal carrying, taking up a total of approximately 18 MHz; see Section 3.5.
3.3 OFDM implementation with Discrete (Fast) Fourier Transformation
To understand the data transmission process of an OFDM signal, understanding the phases of
analogue and digital transmission is essential. In the following block diagrams (Fig. 3.3 and Fig. 3.4), a
simplified overview of an analogue and a digital transmission is displayed. The transmitter receives a
string of bits from a physical protocol (i.e. channel) and converts them to symbols, using a
modulation format. Within OFDM, three modulation types are possible:
• QPSK (Quadrature Phase Shift Keying, i.e. 4QAM – 2^2 Quadrature Amplitude Modulation),
  modulating 2 bits per second.
• 16QAM (2^4 Quadrature Amplitude Modulation), modulating 4 bits per second.
• 64QAM (2^6 Quadrature Amplitude Modulation), modulating 6 bits per second.
After the modulation, the newly-formed block of symbols is converted in the serial-to-parallel
interface and mixed with one of the subcarriers, where its amplitude and phase are adjusted to meet
the requirements of the system. Since the symbol rate (i.e. symbol duration) is 66.7 µs (see Section
3.2), which stands for the reciprocal value of the subcarrier spacing (15 kHz in LTE), said subcarrier
will go through one cycle in duration of the symbol rate. Accordingly, the subcarriers at 30 and 45
kHz (Fig. 3.3) will go through two and three cycles respectively. The four signal waves are then added
together and enhanced to the radio frequency (RF), as they form a low frequency waveform which
cannot be transmitted.
Figure 3.3 Scheme and phases of an analogue OFDM signal transmitting process
Figure 3.4 displays four more subcarriers, featuring a total of eight frequencies in the range
between -60 kHz and 45 kHz. To be able to distinguish them in later calculations, the quadrature and
in-phase components of each subcarrier have to be retained. In this block diagram, the processing of
the signal is done digitally; the previously retained characteristics are sampled eight times per
symbol. The minimum number of samples per symbol directly depends on the number of subcarriers.
To obtain an analogue waveform that can be transmitted, the digital signal is first mixed and
converted back to the analogue form, followed by filtering and enhancing to RF for transmission.
In both types of processing the data is represented in two different aspects. After modulation, the
information is represented by the amplitude and phase of the subcarriers, as a frequency function.
Before enhancement to the radio frequency, the information is represented by the quadrature and
in-phase components, as a time function. Concluding from these two aspects, the mixing and
addition phases have converted the data from a frequency function to a time function.
Alongside eliminating inter-carrier interference, subcarrier orthogonality allows the
implementation of low-complexity digital processing of signals, using Discrete Fourier Transformation
(DFT) and its counterpart, Inverse Discrete Fourier Transformation (IDFT). The time to compute the
transformation of a signal from time to frequency domain representation and vice versa, using DFT
and IDFT, has to take less than the time for each symbol that signal carries. Thus, for the practical
implementation in the system, the Fast Fourier Transformation (FFT) and Inverse Fast Fourier
Transformation (IFFT) algorithms are used. The FFT operation can be carried out back and forth
without any loss of the original information, if the requirements of minimum sampling rate and word
length are met. Using this algorithm, the mixing and adding steps from Figure 3.3 and Figure 3.4 can
be ignored, as the symbols passed through the IFFT directly result in a time-domain signal on the
output.
Figure 3.4 Scheme and phases of a digital OFDM signal transmitting process
3.4 Guard-period and Cyclic-prefix Insertion
In Section 3.2, subcarrier orthogonality was introduced as the key to conquering inter-symbol
interference of signals in the frequency domain. However, due to the overlapping of symbol paths
(i.e. correlation intervals, mentioned in [3]) in the time domain, the orthogonality between
subcarriers will be partially lost, causing interference between subcarriers. As this specific time
dispersion of a radio channel is equivalent to a frequency response of a frequency-selective channel,
it can also be described by analysing the radiation pattern of an eNodeB base station. If, due to that
frequency selectivity, the side lobes of an OFDM subcarrier are corrupted, the orthogonality will be
lost, resulting in inter-carrier interference. Since the side lobes of each subcarrier are relatively large,
even a small amount of time dispersion or frequency selectivity of a radio channel will precipitate
significant interference.
As an answer to that issue, a technique called cyclic-prefix insertion is used. This adjustable duration
guard-period is used at the beginning of every data symbol, being the part that overlaps a previous
symbol and causes interference. Cyclic-prefix insertion therefore increases the size of the data
symbol from to , being the duration of the guard-period containing the cyclic-prefix.
The standard length of the guard-period in LTE is defined to be 4.69 µs, allowing the system to
tolerate path variations up to 1.4 km (considering the standard LTE symbol length of 66.7 µs,
previously introduced in Section 3.2). When a cyclic extension longer than a channel impulse
response is added, the negative effect of the previous symbol can be avoided by simply removing
that extension. Cyclic-prefix insertion implies the copying of the last part of the OFDM data symbol
and attaching it to the timing at the beginning of the symbol, creating a break between signals
(hence: guarding-period). The receiver can then sample the incoming waveform at optimum time, as
time-dispersion problems (i.e. delays caused by reflections of the signal) up to the length of the
guarding-period are ignored.
Figure 3.5 The cyclic-prefix insertion mechanism
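The IFFT modulation of Section 3.3 and the cyclic-prefix insertion described above can be traced in a short simulation. The following Python sketch is an added example, not part of the thesis: the 64-subcarrier symbol, the guard-period lengths, the two-path channel and all function names are assumptions chosen for illustration, and the receiver is assumed to know the channel exactly.

```python
import cmath
import random

N = 64  # subcarriers per OFDM symbol (assumption: kept small so the plain DFT stays fast)
QPSK = [1 + 1j, -1 + 1j, -1 - 1j, 1 - 1j]  # one of four points, i.e. 2 bits per resource element


def dft(x, inverse=False):
    """Plain O(N^2) DFT/IDFT; an FFT/IFFT computes the same values faster."""
    n = len(x)
    sign = 1 if inverse else -1
    out = []
    for k in range(n):
        acc = sum(v * cmath.exp(sign * 2j * cmath.pi * k * t / n) for t, v in enumerate(x))
        out.append(acc / n if inverse else acc)
    return out


def ofdm_symbol(freq_symbols, cp_len):
    """The IDFT turns per-subcarrier symbols into time samples; the tail is copied to the front."""
    body = dft(freq_symbols, inverse=True)
    prefix = body[-cp_len:] if cp_len else []
    return prefix + body


def two_path_channel(stream, delay, gain):
    """Direct path plus one reflection that arrives `delay` samples late (constructed channel)."""
    return [s + (gain * stream[i - delay] if i >= delay else 0) for i, s in enumerate(stream)]


def receive_second_symbol(rx, cp_len, delay, gain):
    """Remove the guard period, transform back to subcarriers and equalise each one with one tap."""
    start = (cp_len + N) + cp_len  # skip symbol 1 and the cyclic prefix of symbol 2
    spectrum = dft(rx[start:start + N])
    impulse = [0j] * N
    impulse[0] += 1
    impulse[delay] += gain
    response = dft(impulse)  # frequency response seen by every subcarrier
    return [y / h for y, h in zip(spectrum, response)]


def run_link(cp_len, delay, gain=0.6, seed=7):
    """Send two consecutive OFDM symbols and report how well the second one is recovered."""
    rng = random.Random(seed)
    first = [rng.choice(QPSK) for _ in range(N)]
    second = [rng.choice(QPSK) for _ in range(N)]
    tx = ofdm_symbol(first, cp_len) + ofdm_symbol(second, cp_len)
    rx = two_path_channel(tx, delay, gain)
    equalised = receive_second_symbol(rx, cp_len, delay, gain)
    decided = [min(QPSK, key=lambda p: abs(p - e)) for e in equalised]
    symbol_errors = sum(d != s for d, s in zip(decided, second))
    worst_deviation = max(abs(e - s) for e, s in zip(equalised, second))
    return symbol_errors, worst_deviation


if __name__ == "__main__":
    for label, cp_len, delay in [("reflection shorter than guard period", 8, 5),
                                 ("no guard period at all", 0, 5),
                                 ("reflection longer than guard period", 8, 12)]:
        errors, deviation = run_link(cp_len, delay)
        print(f"{label}: {errors} symbol errors, worst deviation {deviation:.3g}")
```

As long as the reflection is shorter than the guard period, the second symbol is recovered up to rounding error; in the other two cases samples of the previous symbol leak into the FFT window and every subcarrier is disturbed.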
3.5 OFDMA Resource Grid and Resource Blocks
The variation of the OFDM format chosen for the downlink in LTE is called Orthogonal Frequency
Division Multiple Access (OFDMA). As its name already states, OFDMA has been developed with
multi-user operation as its purpose, allowing a flexible assignment of bandwidth to users according
to their needs.
Figure 3.6 Comparison of OFDM and OFDMA in the time and frequency domain
An important benefit of the OFDMA technology tailored to LTE’s requirements is its specific method
of organising information (Fig. 3.6). In addition to the scheduler operation used in HSDPA (user
allocations in time and code domain, always occupying the whole bandwidth), OFDMA allows the
allocation of users to any subcarrier in the frequency domain, transforming a part of the momentary
interference and fading effects into positive diversity. The organisation of information in the time
and frequency domain, using a resource grid, containing a cyclic prefix, is shown in Figure 3.7.
Figure 3.7 Resource allocation of OFDMA in LTE, containing a cyclic prefix
The basic unit of the resource organisation in OFDMA is a resource element (RE), which binds one
symbol to one subcarrier. Depending on the modulation format, an RE can carry two, four or six bits of
information (see Section 3.3). A group of resource elements that contains 12 subcarriers is called a
resource block (RB), each with a span of 0.5 ms and a minimum bandwidth allocation of 180 kHz.
These resource blocks are the main components which permit the use of frequency-dependent
scheduling, being allocated with symbols and subcarriers by the eNodeB base station. The standard
numbers of subcarriers split into resource blocks are shown in Table 3.1.
Total bandwidth | Number of resource blocks | Number of subcarriers | Occupied bandwidth | Usual guard bands
1.4 MHz         | 6                         | ~72                   | 1.08 MHz           | 2 × 0.16 MHz
3 MHz           | 15                        | ~180                  | 2.7 MHz            | 2 × 0.15 MHz
5 MHz           | 25                        | ~300                  | 4.5 MHz            | 2 × 0.25 MHz
10 MHz          | 50                        | ~600                  | 9 MHz              | 2 × 0.5 MHz
15 MHz          | 75                        | ~900                  | 13.5 MHz           | 2 × 0.75 MHz
20 MHz          | 100                       | ~1200                 | 18 MHz             | 2 × 1 MHz
Table 3.1 Bandwidths of the LTE standard
3.6 Single Carrier Frequency Division Multiple Access
One of the main parameters that affects all mobile UE devices is their battery life. It is therefore
necessary to ensure an economic and efficient power use in the transmission and reception of
signals. With the RF power amplifier (i.e. enhancer of mixed signals) and the transmitter being the
parts with the highest energy consumption within the mobile UE, it is essential to establish a
transmission model with near constant operating power level. In LTE, a new concept is used for the
access technique of the uplink, called Single Carrier Frequency Division Multiple Access (SC-FDMA).
Its characteristics combine the low peak-to-average ratio of single-carrier systems (which allows
maintaining a lower operating power level than OFDMA) with immunity to multipath interference, as
well as flexible subcarrier frequency allocation (as a crucial part of OFDM). Since SC-FDMA is a hybrid
format between the FDMA technology (Frequency Division Multiple Access) and TDMA (Time
Division Multiple Access, Fig. 3.8), a similarity to mobile network standards of previous generations
can be noticed (e.g. GSM, where every symbol is sent one at a time).
Figure 3.8 Time Division Multiple Access (a) and Frequency Division Multiple Access (b)
SC-FDMA differs from OFDMA in one additional transmission step, caused by the single-path
transmission of single-carrier systems. That transmission step, called resource element mapping (and
its counterpart, resource element selection), shifts all symbols obtained through the FFT to the
desired centre frequency and passes them on to the IFFT for further conversion (Fig. 3.9). Since the
power of the modulation signals used in this process is constant (QPSK, 16QAM and 64QAM) and the
result of the resource element mapping step is a waveform similar to the original, on another centre
frequency, the required result of a constant-power signal is achieved.
Figure 3.9 Block diagram of a SC-FDMA transmitter and receiver
3.7 Problems, Issues and Challenges of OFDMA and SC-FDMA
Despite all previously mentioned benefits and improvements that OFDM formats introduce and
define for LTE, the technology also has its flaws and challenges, such as:
• Sensitivity to frequency offset. To eliminate this factor, the spacing of subcarriers in LTE was
  set to 15 kHz, providing enough tolerance against frequency-synchronization problems.
• Sensitivity to Doppler shift. This problem was previously addressed in Chapter 2 (Section
  2.6.2), as the solution is part of the SON (Self Organizing Network) and eNodeB (base station)
  structure of LTE.
• High peak-to-average power ratio (PAPR), requiring the use of low-efficient linear transmitter
  circuitry. The use of SC-FDMA on the uplink removes the negative effect of this problem,
  lowering the PAPR by several dB (inversely proportional to the level of modulation).
• Efficiency loss caused by the guard-period and cyclic-prefix. Adding length to the OFDM data
  symbol causes additional demodulation time, resulting in a power loss (i.e. a loss of signal
  rate occurs, as the reciprocal reduction of overall signal bandwidth does not take place).
• Inter-carrier (i.e. subcarrier) interference, despite orthogonality and cyclic-suffix insertion,
  caused by phase noise and transmission inaccuracies.
• Input for Fast Fourier Transformation (FFT). For the transformation to be efficient, the
  number of data points used for the calculation has to be an exact power of two or at least a
  product of small prime numbers. This results in an uneconomic use of subcarriers and
  resource blocks, where the additional free blocks that were added to round the sum up to a
  power of two are filled with zeroes.
• Non-standardised duration of a resource block slot. The span of a resource block in OFDMA
  and SC-FDMA varies from its standard 0.5 ms to durations of 1 ms and above, caused by the
  specific resource allocation period in the time domain (further explanation can be found in
  [3]).
• SC-FDMA unsuitable for the downlink. The eNodeB has to support multi-user operation, as it
  is communicating with several UEs at the same time. To make SC-FDMA usable in the
  downlink, an additional FFT process would have to be added, causing high power variations
  and adding complexity to the system (longer computation times equal a drop in
  efficiency). More importantly, such transmission would spread every UE’s data to the whole
  system, causing an enormous security flaw.
3.8 Summary
OFDMA and SC-FDMA are variations of the OFDM modulation format used for signal bearing in LTE.
Since they share the basic principles of Frequency Division Multiple Access techniques, they are very
much related in terms of technical implementation and realisation. The OFDMA standard is used in
the downlink of the LTE Air Interface, allowing multi-user operation and minimizing receiver
complexity, while SC-FDMA is used on the uplink to provide a more efficient and low energy-
consuming transmission from the UE to the eNodeB base station. As they are part of the relatively
new and emerging LTE system, an insight into their issues and flaws is given in this chapter.
4. Multiple Antenna Techniques
4.1 Introduction
Another key element and integral part of LTE is the use of multiple antenna techniques. These
techniques have one process in common: transmitting and receiving signals using two or more
antennas. The main objective behind this approach is the improvement of system performance,
capacity and efficiency, for the base stations as well as for the user equipment. In this chapter,
the processes, functions and characteristics of the three leading multiple antenna techniques are
described and discussed.
Multiple antenna techniques have been in development since 1984. Triggered by the fast evolution
and growing availability of processing power, these techniques soon found their place in various
radio technologies, e.g. in HSPA+, WCDMA, WLAN (IEEE 802.11) and WiMAX (IEEE 802.16).
4.2 Basics of Multiple Antenna Techniques
The three leading techniques described in this chapter are diversity processing, beamforming and
spatial multiplexing (also known as Multiple-input multiple-output, i.e. MIMO). The LTE standard was
developed while closely considering these techniques, giving them a special emphasis and priority, so
they could be implemented and supported without significant modification. Each of these techniques
can be utilised to achieve different results, with the main aims being:
• the improvement of system performance, which positively reflects on data rates
• the improvement of data throughput and link capacity without a reduction of signal
  coverage
• the improvement of spectral efficiency on top of the benefits introduced with OFDMA
• the improvement of link reliability
• the elimination of interference between UEs which are transmitting data to the same
  channel, using SDMA (Space Division Multiple Access)
• the prevention of incoming interference at the receiver, using smart antennas with flexible
  transmitter/receiver gain and orientation
• partial support on the uplink in LTE realised with “virtual” MIMO
4.3 Receive and Transmit Diversity Processing
Diversity processing is one of the main techniques used in mobile communications altogether. The
general purpose of any kind of diversity in mobile communications is the suppression of channel
fading, which occurs in terrestrial systems. Since that phenomenon directly impacts the signal-to-
noise ratio (SNR) of the system, and respectively the error rate of transmitted data, it is clearly
marked as a factor that has to be conquered in a modern, evolving mobile communication system.
Several different diversity modes were developed alongside the evolution of mobile
communication systems:
• Time diversity. The same signal is transmitted multiple times, in different timeslots and with
  a different channel coding.
• Frequency diversity. The signal is transmitted using multiple frequencies of the whole
  spectrum, in different channels or technologies (e.g. OFDM, spread spectrum).
• Space diversity. The signal is transmitted in copies over multiple different propagation paths
  between one or more transmitters and receivers, utilising them as additional channels to
  distribute data. This diversity mode is divided into receive diversity and transmit diversity,
  and is truly representing a multiple antenna technique, since multiple antennas have to be
  used at the receiver and transmitter, enabling them to use the propagation paths as
  channels.
4.3.1 Receive Diversity
The first adaptation of spatial diversity in the LTE standard is the use of receive diversity on the
uplink, i.e. from the UE to the eNodeB base station. Two or more receiving antennas of the base
station pick up two or more copies of the signal transmitted by a UE. Since the processing power of
a base station exceeds the UE’s, allowing it to calculate complicated channel-estimations, phase
shifts that happen to the copies of the transmitted signal are ignored. As a consequence, the
received signals can be added together without the negative influences of destructive interference.
Figure 4.1 Fading reduction using 2-antenna receive diversity transmission
If the receiving antennas are not placed too close to each other (distance of a few wavelengths of the
carrier) the fading of the transmitted signal copies will not take place at the same times. The amount
of fading on the combined signal will therefore be reduced in comparison to the individual signals
(Fig. 4.1). A more detailed description can be found in [1].
The LTE standard was developed considering the benefits of multiple antenna technologies, which
also includes the use of multiple receiving antennas on the UE (see Chapter 2, Section 2.3.1). This
means that adaptations of receive diversity are even possible on its downlink. Further explanation
and problems of this approach are documented in Section 4.7.
4.3.2 Transmit Diversity
The second adaptation of spatial diversity in the LTE standard is the use of transmit diversity on the
downlink, i.e. between the eNodeB base station and the UE. Since in this scenario multiple transmit
antennas are used to send the signal to the UE without additional receive antennas, this adaptation
is sensitive to destructive interference (i.e. the incoming signals are added together in a single
receive antenna, resulting in a low-power signal). To conquer those negative effects, the following
techniques were developed: closed loop transmit diversity, open loop transmit diversity, delay
diversity and cyclic-delay diversity.
The basic approach against this negative effect is the use of the so-called Closed Loop Transmit
Diversity. This is a technique where two copies of the signal are transmitted with a predefined phase
shift between them (Fig. 4.2). As they get distorted by fading, both signals reach the receiver in phase.
The mechanism which determines if a phase shift should or should not be applied is known as the
precoding matrix indicator (PMI) and is calculated by the receiver. Once the receiver has set the PMI
for the incoming signal, it answers the transmitter (hence loop) with two possible options:
1. to add no phase shift to outgoing signals
2. to add a phase shift of 180° to outgoing signals
Figure 4.2 Phase shift adjustment using closed loop transmit diversity
The optimal choice of the PMI directly depends on the frequency of the signal (frequency, i.e.
wavelength is the factor of the signal which gets distorted by fading) and on the position of the UE in
relation to the base station (as fast moving UE’s frequencies change more often).
Another special solution against the negative effects of fading and destructive interference is named
Open Loop Transmit Diversity, also known as Alamouti’s technique. As in every variation of transmit
diversity, two copies of the same signal are transmitted by two transmitting antennas. This happens
in two time steps, which are specific for this approach:
1. The transmitter sends symbol from antenna and symbol from antenna .
2. The transmitter sends symbol from antenna and symbol
from antenna (the
symbol * stands for the complex conjugated value of the signal).
Figure 4.3 Time step divided transmission using open loop transmit diversity
This technique allows the receiver to measure what appear to be two different symbol combinations,
making it possible to fully recover the two originally transmitted symbols. The requirements for the
technique to bear results are the subjection of both signals to roughly the same fading pattern and,
again, the assumption that the fading does not happen at the same time.
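The closed loop choice between the two PMI options and the two time steps of the open loop scheme can both be checked numerically. The following Python sketch is an added example, not taken from the thesis: it uses the standard Alamouti mapping, and the names s1 and s2 (symbols), h1 and h2 (channel gains from the two transmit antennas to the single receive antenna), the sample values and the PMI selection rule are assumptions, with the channel taken as known and unchanged over both time steps.

```python
def naive_receive(symbol, h1, h2, phase_deg=0):
    """Both antennas send the same symbol; antenna 2 optionally applies a 180 degree shift."""
    weight = -1 if phase_deg == 180 else 1
    return symbol * h1 + weight * symbol * h2


def closed_loop_pmi(h1, h2):
    """Receiver side: pick the phase option (0 or 180 degrees) that gives the stronger sum.

    Assumption: one simple selection rule consistent with the two options listed above.
    """
    return 180 if abs(h1 - h2) > abs(h1 + h2) else 0


def alamouti_encode(s1, s2):
    """Return the (antenna 1, antenna 2) pair sent in time step 1 and in time step 2."""
    return [(s1, s2), (-s2.conjugate(), s1.conjugate())]


def receive(tx_steps, h1, h2):
    """Single receive antenna: the two transmitted signals add up after passing h1 and h2."""
    return [a1 * h1 + a2 * h2 for a1, a2 in tx_steps]


def alamouti_decode(r1, r2, h1, h2):
    """Combine the two received values so that each original symbol is separated again."""
    gain = abs(h1) ** 2 + abs(h2) ** 2
    s1 = (h1.conjugate() * r1 + h2 * r2.conjugate()) / gain
    s2 = (h2.conjugate() * r1 - h1 * r2.conjugate()) / gain
    return s1, s2


# Constructed worst case: the second path arrives exactly out of phase with the first.
H1 = 0.8 + 0.3j
H2 = -H1
S1, S2 = 1 + 1j, -1 + 1j


def demo():
    cancelled = naive_receive(S1, H1, H2)                 # copies cancel at the receiver
    pmi = closed_loop_pmi(H1, H2)                         # receiver asks for a 180 degree shift
    corrected = naive_receive(S1, H1, H2, phase_deg=pmi)  # copies now add up in phase
    r1, r2 = receive(alamouti_encode(S1, S2), H1, H2)
    recovered = alamouti_decode(r1, r2, H1, H2)           # open loop: no feedback needed
    return cancelled, pmi, corrected, recovered


if __name__ == "__main__":
    cancelled, pmi, corrected, recovered = demo()
    print("unshifted copies :", abs(cancelled))
    print("PMI feedback     :", pmi, "degrees ->", abs(corrected))
    print("Alamouti decoded :", recovered)
```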
Closed and open loop transmit diversity on the downlink can be combined with the receive diversity
of the uplink, resulting in a system carrying out diversity processing by utilising multiple antennas at
the transmitter and receiver.
Figure 4.4 Delay diversity transmission over two antennas
In the specific case of a system with no time and frequency dispersion of the channel, the possibility
of using multi-path propagation does not exist. Therefore, a transmit diversity mode called Delay
Diversity is used to create a certain time dispersion artificially. This is achieved by transmitting copies
of signals from multiple antennas containing different relative delays (Fig. 4.4). Since the fading of
signals transmitted by different antennas takes place at different times, this can also be transformed
into frequency diversity, creating artificial frequency selectivity. The applicable version, used
together with OFDM and SC-FDMA (i.e. DFTS-OFDM) in the LTE standard, is a variation named Cyclic-
Delay Diversity. The linear delays used in delay diversity are replaced by operating blocks with cyclic
shifts (Fig. 4.5).
Both delay diversity and cyclic-delay diversity are invisible to the UE, which only recognises the
resulting time and frequency dispersion and hence does not need any further support enabling it to
use their benefits. Both techniques can also be extended to more than two antennas, with respective
linear/cyclic shifts between them.
Figure 4.5 Cyclic-delay diversity transmission in an OFDM system, over two antennas
4.3.3 Space-Time Processing
Space-Time Processing or Space-Time Block Coding (STBC) is a process in multiple antenna systems
where the symbols are mapped with the time and space domain (at the transmitter) to benefit from
the combined antenna diversity. It is also known as Space-Time Transmit Diversity (STTD), although
its use of transmit diversity’s requirements and techniques is rather unorthodox. The technique
utilises paired modulation symbols, encoded into blocks, transmitted from two transmission
antennas. As shown in Figure 4.6, the second antenna’s pairs are transmitted in reverse order (with
applied sign-reverse coding and complex conjugation).
Figure 4.6 Space-time transmit diversity transmission with block coding, over two antennas
A technique similar to space-time processing, and also part of the LTE standard, is called
Space-Frequency Processing or Space-Frequency Transmit Diversity (SFTD). Since the encoding of
symbols is done in the frequency domain, it is also referred to as Space-Frequency Block Coding
(SFBC). Before those symbols are transmitted, modulation symbol blocks are mapped by subcarriers on
the first and reversed-order modulation symbol blocks on the second antenna (again, with applied
sign-reverse coding and complex conjugation). The only difference between those two processes is that
space-frequency processing provides diversity on the modulation-symbol level, since they directly
depend on the frequency of the system (OFDM approach).
All of these modes are alternate-domain adaptations of the same communication model: providing
multiple versions of the transmitted signal to the receiver, thus making the system less sensitive to
errors.
4.4 Beamforming
The drive to improve the characteristics of either transmitting or receiving antennas is of utmost
importance in every mobile communication system. Previous mobile network generations introduced
implementations of directive antennas with techniques of cell site division, allowing the capacity of a
single base station to increase. The antenna was divided into three sectors, which contained two cells
with 60° illumination span, providing a theoretical 360° coverage. With the rapid rise of processing
power, new implementations enabling the use of techniques for a more adaptive and efficient
system have emerged. One of those implementations, included in the LTE standard, is a process
called beamforming.
Figure 4.7 The problem of destructive interference, beamforming with multiple antennas
Beamforming, as an improvement of multiple antenna techniques, presents a unique approach to
the use of multiple antennas by the base station. The process is used to counter the negative phase
distortion effects of transmitted signals, which are causing destructive interference at the receiver,
resulting in signal quality loss and a higher error rate (Fig. 4.7). As its name states, the solution to this
problem is the directing of a narrow beam towards the receiver, eliminating the interference
between UEs communicating with the same base station. To make that possible, the amplitudes and
phases of the signal’s wavelength are adjusted (see footnote 7), altering the direction of the signal
that has to be transmitted.
In LTE’s beamforming system, the directing of beams is realised with the use of so-called Smart
Antennas, which adjust their settings automatically and are powered by OFDMA (see footnote 8). That
adjustment is a result of the following processes:
• Direction-of-arrival estimation. This process is required to meet the functionality and
  performance required by the UE. The analysis of those requirements and estimation
  calculation is done by the signal processor of the antenna.
• Reference signal technique. As an alternative to direction-of-arrival estimation, the base
  station can reconstruct the reference symbols received from a UE with the correct phase
  and the best possible signal-to-interference-plus-noise ratio (SINR).
• Beam steering. When the process of requirement-analysis and direction-of-arrival estimation
  is finished, the control processor within the antenna optimises and changes the directional
  beam pattern, depending on the type of smart antenna.
Due to the impact of cost, performance and complexity in a mobile communication system, different
approaches of the smart antenna concept have been developed:
• phased array smart antenna systems (PAS), which use switch technology and a definite
  number of pre-defined beam patterns, and
• adaptive array smart antenna systems (AAS), containing a mechanism that allows adaptive
  beamforming and the ability of using infinite numbers of beam patterns. This enables the
  smart antenna to determine and send a signal towards the exact position of the receiver in
  real time.
To reach the optimal performance and requirements of the UE, manifested in high signal correlation,
the spacing of multiple antennas used to transmit the signal has to be as close as possible, preferably
the same as λ (i.e. the wavelength). This is the opposite setting to diversity processing, where receive
and transmit antennas, to ensure low signal correlation, have to be spaced with a distance of at least
multiple wavelengths.
Footnote 7: This alteration is realised through the application of a phase ramp.
Footnote 8: Different subcarriers are used to point antenna beams into different directions.
4.5 Spatial Multiplexing
Spatial multiplexing (i.e. Multiple-input multiple-output spatial multiplexing, in further text MIMO) is
a multiple antenna technique with the opposite purpose to diversity processing, as it utilises all
available transmit and receive antennas to gain additional data capacity. This is achieved by turning
multiple propagation paths of a signal between those antennas into additional transmission
channels, thus increasing the overall throughput of the radio channel. Both the gain of data capacity
and the increase of channel throughput are within the boundaries given by the Shannon-Hartley
theorem, which defines the maximum rate at which information can be transmitted over a specified
bandwidth in the presence of noise:
(
)
In this formula C is the channel capacity, B is the specified bandwidth and
is the signal-to-noise
ratio (SNR). If the throughput reaches the boundaries set with this theorem, the resulting negative
effect will be manifested as symbol segmentation.
Although the LTE standard promotes the use of four antennas, two-antenna MIMO (i.e. 2 × 2 MIMO)
is the most common setting (Fig. 4.8). In this setting, the symbol mapper (or encoder) of the
transmitter is sending two modulated symbols to each antenna, which transmit the symbols
simultaneously, thus doubling the data rate. There are no drawbacks to adding more antennas, as
long as the number of receiving antennas (NR) is equal to or greater than the number of transmitting
antennas (NT). The theoretical maximum data rate (i.e. throughput, T) of such a system is:
Due to noise and interference in terrestrial communications the SNR of given systems is not constant
but fluctuates. This fact changes the approach for defining the maximum data rate, as for low SNR
the capacity grows approximately proportionally to the SNR, although for larger SNR the capacity
grows logarithmically with the SNR.
Figure 4.8 Spatial multiplexing on a 2×2 MIMO system
For its transmission format spatial multiplexing utilises a matrix mathematical model. While this
model is optimal for the transmission process, it introduces certain difficulties to the receiver. To be
able to recover the transmitted symbols, the receiver first has to estimate the transfer characteristics
of the individual channels to determine the transfer matrix, create said matrix and reconstruct the
received symbols by multiplying the information with the inverse transfer matrix. Since in a real
mobile communication system every symbol represents a data stream (i.e. layer), this process gains
complexity and needs a significant amount of processing.
Although the main principle of spatial multiplexing is opposite to the principle of diversity processing,
two specific types called Open Loop Spatial Multiplexing and Closed Loop Spatial Multiplexing
partially rely on spatial diversity in particular cases. This happens when the transfer channel
estimation, done by a zero-forcing detector in the receiver, does not bear sufficient information for
the symbols to be reconstructed. Both types are included in the LTE standard, as they form an
adaptive system, capable of “falling back” to diversity processing if required.
In an Open Loop Spatial Multiplexing system the number of symbols which can successfully be
received is indicated by the Rank Indication variable (RI). Once it is determined, the RI is fed back to
the transmitter, triggering two possible scenarios:
• If the RI = 2, the symbol mapper (i.e. layer mapper) creates two independent data streams
  (i.e. layers) from two symbols and sends them to each transmit antenna, from where they
  are propagated to the receiver (Fig. 4.9). The mapping scheme is applied as follows: x1 = s1
  and x2 = s2.
• If the RI = 1, the mapping scheme changes to: x1 = s1 and x2 = s1. Accordingly, spatial diversity
  is applied, since the RI indicates two measurements of the same signal.
In the special case when both the zero-forcing detector and open loop spatial multiplexing
techniques fail to deliver sufficient results for symbol reconstruction on the receiver, a technique
named Closed Loop Spatial Multiplexing is introduced (Fig. 4.10). In its essence, this technique
combines the open loop spatial multiplexing technique with the inverse-signing
operation and the use of PMI (see Section 4.3.2). Again, the RI fed back to the transmitter can trigger
two possible scenarios:
• If the RI = 2, the mapping scheme differs only slightly from the open loop spatial multiplexing
  approach: while x1 = s1, the second symbol is x2 = s2.
• If the RI = 1, spatial diversity is applied.
In both cases the symbols are pre-modulated with an adaptive antenna mapping, implemented
through PMI, ensuring that the simultaneously transmitted signals reach the receiver without
cancellation.
Figure 4.9 Block diagram of an open loop spatial multiplexing system
Figure 4.10 Block diagram of a closed loop spatial multiplexing system
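The receiver-side reconstruction and the RI-driven fallback described above can be followed in a short simulation. This is an added example, not part of the thesis: the channel matrices, the noise values, the 0.1 rank threshold and the maximal-ratio combining used for the RI = 1 case are assumptions chosen for illustration.

```python
"""2x2 spatial multiplexing with a zero-forcing receiver and RI-based fallback."""
from math import sqrt

# QPSK constellation with unit energy; symbols are referred to by index 0..3.
QPSK = [(1 + 1j) / sqrt(2), (-1 + 1j) / sqrt(2), (-1 - 1j) / sqrt(2), (1 - 1j) / sqrt(2)]

# Constructed channel matrices H[r][t]: path from transmit antenna t to receive antenna r.
H_GOOD = [[1.0 + 0.2j, 0.3 - 0.4j], [0.2 + 0.5j, 0.9 - 0.1j]]      # clearly distinct paths
H_BAD = [[1.0 + 0.2j, 0.98 + 0.21j], [0.5 - 0.3j, 0.49 - 0.31j]]   # nearly identical columns
NOISE = [0.05 - 0.03j, -0.04 + 0.02j]                               # constructed receiver noise


def det2(H):
    return H[0][0] * H[1][1] - H[0][1] * H[1][0]


def transmit(H, x, noise=NOISE):
    """Received vector y = H x + n."""
    return [H[r][0] * x[0] + H[r][1] * x[1] + noise[r] for r in range(2)]


def demap(z):
    """Hard decision: index of the nearest QPSK point."""
    return min(range(4), key=lambda i: abs(z - QPSK[i]))


def rank_indication(H, threshold=0.1):
    """RI = 2 if the two layers can be separated, otherwise RI = 1.

    Metric (assumption): |det H| divided by the product of the row norms,
    which is 0 for a singular matrix and 1 for orthogonal rows.
    """
    norms = [sqrt(abs(row[0]) ** 2 + abs(row[1]) ** 2) for row in H]
    return 2 if abs(det2(H)) / (norms[0] * norms[1]) > threshold else 1


def layer_map(s1, s2, ri):
    """Open loop mapping from the text: RI=2 -> x=(s1, s2); RI=1 -> x=(s1, s1)."""
    return [s1, s2] if ri == 2 else [s1, s1]


def zero_forcing(H, y):
    """Multiply the received vector by the inverse transfer matrix."""
    d = det2(H)
    return [(H[1][1] * y[0] - H[0][1] * y[1]) / d,
            (-H[1][0] * y[0] + H[0][0] * y[1]) / d]


def diversity_combine(H, y):
    """RI=1: both antennas sent s1, so receive antenna r sees g_r * s1 + noise.
    The two measurements are combined with maximal-ratio weights (assumption)."""
    g = [H[r][0] + H[r][1] for r in range(2)]
    num = sum(g[r].conjugate() * y[r] for r in range(2))
    return num / sum(abs(g[r]) ** 2 for r in range(2))


def link(H, i1, i2):
    """Adaptive link: returns (RI, list of decoded symbol indices)."""
    ri = rank_indication(H)
    y = transmit(H, layer_map(QPSK[i1], QPSK[i2], ri))
    if ri == 2:
        return ri, [demap(z) for z in zero_forcing(H, y)]
    return ri, [demap(diversity_combine(H, y))]


def forced_zero_forcing(H, i1, i2):
    """Ignore the RI and send two layers anyway, to show why the fallback exists."""
    y = transmit(H, [QPSK[i1], QPSK[i2]])
    return [demap(z) for z in zero_forcing(H, y)]


if __name__ == "__main__":
    print("good channel:", link(H_GOOD, 2, 1))
    print("bad channel with fallback:", link(H_BAD, 2, 1))
    print("bad channel, two layers forced:", forced_zero_forcing(H_BAD, 2, 1))
```

On the nearly singular channel the inverse transfer matrix amplifies the same small noise until both symbol decisions are wrong, while the single-layer fallback still recovers s1.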
4.6 Multiple-User MIMO
The LTE standard contains another special version of spatial multiplexing called multiple-user MIMO
(in further text MU-MIMO). This adaptation is used in slightly different forms on both the uplink and
downlink of the LTE air interface. A new technique known as spatial sharing of channels is
introduced, allowing the elimination of interference between users of the same channel, using
additional antennas and signal processing. This means that, given a 2 × 2 MIMO system
configuration, all four antennas are using the same transmission times and frequencies, sending data
to two individual UEs instead of one (Figures 4.11 and 4.12). Concluding from the given example, the
transmission approach in multiple-user MIMO is the same as in single-user MIMO, except that the
multiple antennas at one receiver are now represented by individual receiving antennas of multiple
UEs.
The use of MU-MIMO in the LTE standard offers the following advantages and benefits:
• Additional gain of cell capacity, obtained through multiple-user multiplexing formats in
  combination with beamforming.
• Possible use of spatial multiplexing with UEs that have only one receive/transmit antenna.
  This ensures the use of low-cost UEs, as the processing power is included in the eNodeB base
  station.
• Resolving of propagation issues (e.g. channel rank loss, high antenna correlation) which
  affected single-user MIMO systems.
The MU-MIMO adaptation for the uplink in an LTE system is called Multiple Access Channel (MIMO-MAC)
and is based on single-user MIMO concepts (Fig. 4.11). The majority of signal processing in this
adaptation is done by the receiver, which estimates the characteristics of the transmission channel
using the Channel State Information on the Receiver technique (i.e. CSIR). The process of determining
the CSIR takes up a significant amount of uplink capacity, since the credentials of all UEs covered by
the base station have to be acquired.
Figure 4.11 Uplink MIMO-MAC in a 2×2 spatial multiplexing system
The opposite principle, used for the downlink in LTE systems, is named Broadcast Channel Spatial
Multiplexing, i.e. MIMO-BC (Fig. 4.12). This technique offers solutions to the more demanding
downlink transmission, improving transmission quality through the combination of single-user MIMO
concepts with pre-coding⁹, user-scheduling used in SDMA and power-loading algorithms. The
transmitter determines the Channel State Information on the Transmitter (i.e. CSIT), allowing the
efficient use of mentioned techniques, resulting in the improvement of cell throughput.
Figure 4.12 MIMO-BC on the downlink of a 2×2 spatial multiplexing system
4.7 Problems and Issues of Multiple Antenna Techniques
As multiple antenna techniques are still in their infancy, the implementation of such techniques does
not only bear advantages and benefits. The following issues apply:
• Additional complexity of the system, caused by the needed processing of multiple antennas.
  Although this is a mostly ignored issue, it poses a threat in situations with oversaturated
  networks, i.e. in conditions where too many UEs connect to a base station, as it causes a
  quality drop for every user.
• Problems with antenna spacing. For an optimal use of diversity processing the signal
  correlation has to be low, i.e. the multiple receiving antennas have to be placed with spacing
  of at least a few wavelengths. As this is not always possible within a UE (limited space), this
  problem is countered with the polarisation estimation of incoming signals. Contrariwise,
  for spatial multiplexing, the signal correlation has to be high, so antenna spacing of one
  wavelength is sufficient.
• Space-Time (and –Frequency) Processing. This technique is not entirely considered a multiple
  antenna technique, since it only offers improvements if manifested using two antennas and
  the QPSK (or 16QAM/64QAM) modulation format. Furthermore, if the input symbol rate is
  equal to the symbol rate of both antennas, it would render all answering transmissions
  useless, as the bandwidth utilisation would reach 100%.
• Delayed PMI resolve. If a UE is moving through the base station’s coverage area too quickly,
  the time delay caused by the PMI feedback results in the resolved PMI being out-dated
  even before its use. This problem is solved by using the Open Loop Transmit Diversity.
• Open Loop Transmit Diversity realisation with more than two antennas. As it is described for
  space-time processing, this technique also does not entirely count as a multiple antenna
  technique. However, if it is applied on a four antenna system, it will only use two at a time,
  whilst swapping between two equivalent antenna pairs.
• Beamforming transmission. If too many signal scattering objects are around the transmitting
  base station, the azimuth spread of the narrow beam becomes too large, resulting in signal
  cancellation. This issue is solved with a pre-coding operation prior to the signal transmission.
• Cost and performance questions. A compromise has to be made while selecting the smart
  antenna type suitable for the system’s beamforming approach; as PAS systems do not match
  the requirement with a 100% suitable beam pattern, AAS systems provide an uneconomically
  costly alternative. Similarly, the use of system-improving MIMO techniques is not only
  connected with expenses for additional antennas and processing, but also with a decrease of
  available bandwidth.

9 Dirty Paper Coding (DPC); provides additional efficiency improvements in terms of digital data transmission.
Using Channel State Information (CSIT or CSIR), the type of interference of a system is determined, allowing the pre-coding of the data stream and therefore negating the effects of interference. The name of the technique is an analogy of writing black text on a white sheet of paper. If the paper gets dirty, i.e. black, the black text will not be readable any more. However, if white text is written over the black paper, the message will be readable again. Accordingly, the signal is DPC pre-coded in a format that can be deciphered by the receiver even in the presence of interference.
4.8 Summary
This chapter describes the objective, principles and techniques of multiple antenna transmission
within the LTE system. Each of these techniques is based on the concept of two or more antennas
used for transmission and receiving of signals. The relationship and differences between those
techniques are shown, as well as their benefits and improvements, manifested in higher system
performance, more efficient transmission and easy implementation in the existing system structure.
In addition, basic block diagrams and mathematical equations regarding the realisation of different
techniques are given. Furthermore, specific issues and implementation problems are presented, as
well as additional system flaws.
5. VoIP and Voice over LTE
5.1 Introduction
The LTE system was optimised for high data rates and high quality voice services from the beginning
of its development. Since LTE represents an all-IP mobile communication system, i.e. a system that is
only concerned with the reception and transmission of packet data from and to the user, traditional
circuit switched voice and messaging capabilities are not supported. This chapter describes two
possible approaches that enable the use of voice and SMS services in LTE: the utilisation of VoIP
techniques and the use of the existing 2G or 3G mobile network infrastructures. Furthermore, an
insight into the problems and concerns of these techniques is given.
5.2 Voice and Messaging Basics in LTE
Despite the rapidly growing mobile data traffic (see Chapter 1), voice calls and SMS messaging still
comprise a large percentage of a mobile operator’s revenue. Due to this fact, enabling voice and
messaging services in LTE became one of the main priorities in LTE development. Several techniques
that allow the use of the mentioned services have been introduced and tested on the LTE air
interface. They are divided into two approaches:
• Treating voice and messaging processes as data services. This approach is based on Voice
  over IP techniques and realised through a separate network (IP multimedia subsystem, i.e.
  IMS) or a third party service provider (e.g. Skype).
• Reverting to mobile networks of previous generations (e.g. GSM, WCDMA or CDMA). This
  approach allows the use of traditional circuit switched voice calls and SMS messaging.
5.3 Voice over IP Approach in LTE
The utilisation of VoIP as LTE’s voice bearer is met with both sympathy and aversion by mobile
operators. Although it is the simplest approach, which does not require many changes of the existing
infrastructure, a certain lack of standardisation and problems with specific scenarios (e.g. roaming)
stir the operators’ opposition. However, the following two solutions that use the VoIP interface
have been accepted and implemented into LTE.
5.3.1 Partnership with existing VoIP service providers
One possible implementation is realised through the support of existing VoIP services such as Skype.
Such a partnership would bring minimal changes to the existing system, as the communication
between the external VoIP server and the UE takes place on a data transmission level. The
communication concept is based on a two-stage interaction between the two communicating UEs
and the external VoIP server in between. To set up a call, the LTE UE transmits VoIP signalling
messages (in form of normal packet data) to the VoIP server, which then exchanges similar messages
with the other UE (either packet data or a circuit switched signal stream). A block diagram of the
system is given in Figure 5.1.
Figure 5.1 The structure of external VoIP subsystems in EPS
To keep the Quality of Service (i.e. QoS) at a constant high level, a new process is introduced, named
Policy and Charging Rules Function (in further text PCRF). This function receives and analyses VoIP
signalling messages sent by the communicating UEs and applies the required number of signal
bearers to improve the data transmission (LTE side), i.e. voice call transportation (circuit switched
side). The conversion of these data streams is handled by media gateways as part of the external
VoIP system, which enable the communication between an LTE based UE and UEs based on mobile
networks of previous generations.
One major omission of this implementation is the so called Fallback Techniques, which would allow
the continuation of VoIP voice calls in the event of coverage loss, through “falling back” to 2G or 3G
mobile networks. These techniques are further explained in Section 5.4.1.
5.3.2 The IP Multimedia Subsystem
The IP multimedia subsystem (IMS) acts as a standalone network, interconnected with the packet
core of LTE and the packet switched domains of GSM and UMTS. Since it is a separate
communication system, implementing it means adding a whole new part to the existing
infrastructure. Before this technique was considered for the voice and messaging services in LTE, it
was a small project with the main goal to improve the characteristics of 3G mobile networks. As it
introduced additional complexity in contrast to only few improvements, the project was frozen in
2002. It was reassessed in the beginnings of LTE development and immediately determined to be the
long-term solution for its voice and messaging requirements.
The most important component of IMS is known as the Call Session Control Function (CSCF), which is
distributed in three specific sub-functions:
• The Serving CSCF (S-CSCF), managing the UE and the signalling for incoming or outgoing calls.
• The Proxy CSCF (P-CSCF), managing the signalling of the IMS, compressing and encrypting the
  signalling messages to reduce the network load and provide additional security. It also
  communicates with the PCRF, granting a high QoS.
• The Interrogating CSCF (I-CSCF), managing the incoming signalling messages between the
  other UE and the IMS.
These three sub-functions are interconnected with signalling protocols called Session Initiation
Protocols, which are responsible for the intercommunication between IMS elements and carry out
UE transmission requests. Furthermore, these protocols are used to expand the system with
additional services such as voicemail, located in Application Servers (AS).
Another important component is the so called IMS Media Gateway, a version of the VoIP media
gateway specifically tailored to the requirements of the IMS system, which uses Media Gateway
Control Functions (MGCF) to communicate with circuit switched networks, i.e. PSTNs (Fig. 5.2). Since
the MGCFs control the conversion of signalling messages, they are managed by the previously
mentioned S-CSCF.
Figure 5.2 The IMS system architecture
The system layout designed for voice calls is also very suitable for text messaging, as no major
additions have to be made. The only extension is manifested as the IP Short Message Gateway (i.e.
IP-SM-GW) which connects the IMS with the standard SMS network components. Those components
are mainly the SMS Interworking MSC for outgoing messages and the SMS Gateway MSC for
incoming messages (Fig. 5.3).
Figure 5.3 SMS messaging using the IMS system setup
The utilisation of IMS also introduced the need of a new user-definition system; two new
identification elements have been adopted. First, the Private Identity, similar to the IMSI in circuit
switched networks, serves to identify the UE to the IMS. Second, the Public Identity, similar to mobile
phone numbers or email addresses, serves to identify the UE to the outside world (i.e. beyond the
IMS). Both elements are stored in the IP Multimedia Service Identity Module, abbreviated ISIM, to
imply the parallels to the previously used USIM.
5.4 Fallback to Other Mobile Networks
The second approach to enable voice and messaging services in LTE was introduced as an interim
solution until the new IMS structure is fully integrated in the existing infrastructure. It is based on the
possibility to hand over users between different mobile networks without many additions in the
existing systems and is fully relying on the voice capabilities of these networks. The transmission of
text messages, however, is based on specific principles of the individual techniques, explained
further below.
5.4.1 Circuit Switched Fallback
The Circuit Switched Fallback technique (in further text CS fallback) is the widely accepted solution
for voice and messaging services within LTE. It uses a fallback function to revert users (i.e. the calls of
a UE) from the LTE network to circuit switched networks (GSM, WCDMA) and vice-versa. To support
that fallback function, the system architecture is built on top of so called 2G and 3G inter-operation
architectures.
To use these procedures, a new network element has to be added to the LTE system: the Mobile
Switching Centre server (MSC) which communicates with the Mobility Management Entity (MME) of
LTE’s packet core system (Fig. 5.4). When a UE initiates a voice call (i.e. a Mobile Terminated Call
takes place), it first sends a combined EPS/IMSI attach request to the MME which indicates whether
a fallback is possible. If the request is accepted, the MME issues a location update that informs the
circuit switched network of the new UE’s position, simultaneously searching for a suitable MSC. After
additional steps of identification and security, the UE registers to the MSC by sending out so called
SGs messages, using it as a gateway to connect to a circuit switched mobile network. At this moment,
the eNodeB base station starts the packet handover from LTE to the chosen network, triggering an
incoming call to the target UE and setting up a call.
Figure 5.4 Circuit switched fallback architecture, attach request route
The procedure of an incoming call (i.e. Mobile Originated Call) can be seen as exactly reverse to the
outgoing call scenario. When the calling UE sends a voice call request to the eNodeB base station, it
starts the packet handover, matching the previously described call establishment procedure. After
the call has ended, the UE connects to LTE again.
Figure 5.5 SMS messaging using the SMS over SGs technique
The CS fallback technique requires only minor upgrades of the existing system infrastructure, but
introduces a number of drawbacks as well. With these issues mostly being service degradations, its
acceptability is questionable. One of these issues is the implementation of SMS messaging. Due to
the large number of reselections and handovers between LTE and GSM or WCDMA in the event of
sending large amounts of SMS messages, the CS fallback process was classified as inefficient. This
issue is countered with the proposal of a technique known as SMS over SGs, which can be applied
to the existing interface. The messages are therefore incorporated into the signalling messages sent
to the MME, which forwards them to the MSC (Fig. 5.5). This process is an equivalent to the
technique for SMS messaging used in the IMS structure.
5.4.2 Voice over LTE via Generic Access
Another fallback technique suitable for LTE is called the Voice over LTE via Generic Access method
(i.e. VoLGA), an industry based initiative introduced in 2009. As it is based on the easy-to-implement
3GPP Generic Access Network architecture (GAN), which was developed to support circuit switched
services such as SMS messaging in an IP-based network, it quickly gained attention and became one
possible candidate for LTE’s voice and messaging requirements. The GAN techniques enable the UE
to register to a GSM network through a WLAN connection, allowing the use of its services. In the
VoLGA implementation, however, the traffic is routed through the LTE network instead.
The only hardware addition to the existing network is an interface known as the VoLGA Access
Network Controller (VANC). This element behaves as an extra network node which is connected to
LTE’s core network through the PDN gateway, its main function being the inter-system handover. A
block diagram of the VoLGA architecture is given in Figure 5.6.
Figure 5.6 Voice over LTE via Generic Access system architecture
In comparison to the CS fallback technique, VoLGA offers a whole range of advantages. Since the
data stream of a voice call is a normal packet data stream, the UE is not limited to only one
connection, but can also use multiple connections simultaneously. More importantly, for this kind of
communication, no fallback to GSM or WCDMA is required. A fallback is only issued in situations of
LTE coverage loss, i.e. a continuation of the current voice call is realised through the packet domains
of GSM or WCDMA.
5.5 Additional Solutions
Even though the previously mentioned approaches and techniques form a monopoly that will most
likely be implemented into the LTE system, several other possible solutions and additions have
emerged. One of the most important additions to the IMS system and VoIP in LTE is a technique
named Single Radio Voice Call Continuity (SR-VCC). This functionality enables a seamless inter-system
handover from VoIP services of the packet domain to the circuit switched domain in the event of
coverage loss. The name “Single Radio” implies that the UE is not required to support dual-mode
transmission, since the technique just affects the data stream.
The main element in this architecture is the SR-VCC enhanced MSC server (i.e. S-IWF), which is an
equivalent to the MSC server in CS fallback techniques. The S-IWF is based on already available CS
core network components, requiring minimal software and hardware enhancements of the existing
system. Its functions are the triggering of the SR-VCC handover procedure and the fallback process to
GSM, UMTS or CDMA, as well as typical MSC functions such as connecting the voice call streams from
one UE within LTE to the other UE in the CS network. To save pointless processing and keep the voice
call latency low, the S-IWF is not included in the call structure if no handover is required.
Figure 5.7 Block diagram of the SR-VCC architecture
The use of SR-VCC also enables the simultaneous use of voice and non-voice connections. The
process which allows this type of multiplexing is carried out by the signal splitting functions in the
MME. In cases of an inter-system handover, the non-voice transmission could get suppressed if the
circuit switched target network does not support simultaneous voice and data functionality (e.g.
GSM). The handover procedure for non-voice transmissions is carried out as for a normal
inter-system handover. Additional information about the SR-VCC technology can be found in [2].
Another technique that supports simultaneous transmission of voice and non-voice data is called
Simultaneous Voice LTE (SV-LTE). The main difference to SR-VCC lies in the separate utilisation of
multiple antennas, i.e. “Multiple Radio”, which enables the UE to connect to both packet switched
and circuit switched domain services. The SV-LTE concept is therefore a combination of the main two
aspects mentioned above, providing the facilities of IMS and CS fallback at the same time. However,
this advantage can also be seen as a disadvantage; since at least two antennas are used to support
two different types of connection, the required processing is increased proportionally. The technique
was therefore declared inefficient, as two active connections and twice the processing significantly
impact the energy consumption of a UE.
5.6 Problems and Challenges of Voice and Text Services in LTE
As the above mentioned techniques evolve and slowly merge with the LTE system, their benefits but
also their flaws are influencing a steadily increasing number of UEs. To perfect these techniques, the
following issues and flaws have to be addressed:
• Call preservation in events of coverage loss. This is a major problem in adaptations with third
  party VoIP providers, as no fallback function is applied. Its solution lies in the use of SR-VCC
  functionalities.
• Dual-mode transmission. Circuit switched fallback can only be used when the UE is within the
  coverage of both the LTE and GSM/WCDMA network. Otherwise, the attach procedure
  would fail, making the fallback and therefore the utilisation of voice calls impossible.
• Voice call latency. The delay during inter-system handover in circuit switched fallback can
  reach a few seconds, impacting the total delay budget.
• Fallback procedure. Since inter-system handovers represent one of the least reliable
  procedures in all of mobile communications, this issue results in a high number of dropped
  calls.
• Low network resiliency. This issue occurs when an MME connects to only one MSC. To solve
  this issue, support to add multiple MSC connections to the MME has to be provided, resulting
  in an improved network resiliency.
• SMS messaging via CS fallback. As discussed in Section 5.4.1, the sending of a large amount of
  messages would cause a large number of network reselections and handovers, rendering the
  service inefficient. This problem was solved by using the so called SMS over SGs technique.
5.7 Summary
Voice call and text messaging services still comprise most of a mobile operator’s revenue, making the
LTE implementation of these services a priority. Two main approaches have been introduced and
applied in different adaptations: the use of packet related VoIP services and the utilisation of existing
circuit switched networks through fallback techniques. As neither of these particular approaches
provides all required features, different combinations of their adaptations are most likely to be
standardised and used in the LTE system. Furthermore, this chapter describes the specific additions
and upgrades of the existing system architecture, as well as the techniques’ problems and flaws.
6. Security of the LTE System
6.1 Introduction
Security measures are of utmost importance in every mobile communication system, which also
includes LTE. Since the LTE system represents an all-IP structured network, traditional security
measures from previous mobile communication systems are combined with additional security
procedures covering the IP-architecture and techniques. Their main aim is to offer optimum security
without reducing the QoS or negatively impacting the user. This chapter explains LTE security
approaches, processes and requirements, as well as the key hierarchy and management in different
scenarios.
6.2 LTE Security Concept
With the development of LTE mobile networks, new communication standards were set and
combined with existing IP-related standards, thus creating a broad spectrum of required security
measures. The concept of security within the system is therefore based on the following
requirements:
• High security level. The lowest security level allowed is the utilisation of security techniques
  and measures from previous mobile communication networks such as 2G and 3G. Additional
  measures apply to the use of the IP structure within the Evolved Packet System.
• Security does not affect the QoS and user experience. As one of the main goals of LTE is the
  decrease in latency, security mechanisms are not allowed to cause noticeable impacts on the
  establishment of a communication and the transmission during the communication, as well
  as on the quality of LTE’s services.
• Identification and authentication of every data transmission. Every transmission from the UE
  to the network and vice versa needs to be authenticated prior to establishment. This secures
  the identities of the UE, network and ultimately all user information.
• Protection against internet based threats and attacks. A double layer security structure is set
  up in combination with reliable IP-security protocols to avoid threats and attacks from
  outside the network.
• User privacy, integrity and confidentiality. This prevents eavesdroppers from identifying the
  communicating parties and their information. To ensure that the signalling messages are
  genuine and not modified due to external access, a verification procedure is initiated.
• Enabled lawful interception. This requirement is a controlled exception to the previously
  mentioned security features, as it identifies the communicating parties and further
  information such as duration and time of communicating, the base station identities, etc. To
  allow this special case, a court order and additional legislation matters are required.
• Support for emergency calls. As another contrast to user information privacy and integrity,
  emergency calls need to be available both with and without the presence of UICC, which
  triggers authentication. It was therefore decided that no authentication will be applied in this
  case. Also, the possibility of utilising emergency calls depends on which voice call technique
  the UE is supporting (see Chapter 5).
A detailed explanation of these specific requirements, as well as their implementation and realisation
in the LTE system, is given in further text.
6.3 Security architecture
The security architecture of LTE can be subdivided into the network access security (explained
further below) and the network domain security (introduced in Section 6.7), which form the two
main aspects. In the 3GPP TS 33.401 standard, the LTE security architecture is differentiated into five
security feature groups, namely the network access, network domain, user domain, application
domain securities and the visibility/configurability of overall security, which is basically a more
detailed distribution of the two elements mentioned above.
The network access security consists of three interconnected parts: the Access Stratum (i.e. the first
layer), the Non-Access Stratum (i.e. the second layer) and the Key Management, acting as both part
of these layers and a separate element. Furthermore, network access security can also be seen as a
set of security mechanisms on the LTE air interface, including:
• Authentication. The UE exchanges premier signalling messages with the EPC of a network.
  This allows both parties to determine the identity of the respective other, as the UE checks if
  the receiver of the messaging is a real or fake network, and the network checks if the UE is
  authorised for its services or if it is a UE clone.
• Confidentiality. Special priority is given to the protection of user credentials and their unique
  identity. A special emphasis lies in the use of the term “unique”: confidentiality is based on
  the International Mobile Subscriber Identity (IMSI) located in a user’s Universal Subscriber
  Identity Module (USIM), which guarantees that the user is unique. To keep possible attackers
  from compromising this factor, the IMSI is not directly sent over the air interface if not
  explicitly required. Instead, one of two possible temporary identities is used. Depending on
  whether the EPC knows the location of a UE (determined through the localisation update
  and TAU procedure, see Section 6.6) or not, it will use the S-TMSI or the GUTI temporary
  identifiers.
• Ciphering. Encryption of all data transmissions is realised through the use of specific keys
  (from the key hierarchy), as a preventive measure in the event of data theft and misuse of
  sensitive user information. Further explanation is given in Section 6.5.
• Integrity protection. Detection and prevention of network intrusion attempts such as the
  modification of signalling messages or man-in-the-middle attacks. This matter is described in
  Section 6.5.
All four security mechanisms are active in the previously mentioned Access Stratum (AS) and Non-
Access Stratum (NAS), providing double layer security and cryptography. This is an important feature
in LTE, as it reduces the risk of data theft and intrusion (the attacker would have to pass through
both security layers, which is realistically not plausible as the encryption and keys change on-the-fly
and after every use). The authentication and confidentiality processes are newly introduced with LTE,
while ciphering and integrity protection were part of previous mobile communication networks, such
as GSM and UMTS.
6.4 Key Hierarchy
The utilisation of authentication- and ciphering-keys is known from UMTS mobile communications,
where they were first introduced with smart encryption and integrity protection. An enhanced
version of this security element was also introduced in LTE. The key security techniques are based on
the distribution of a UE-specific¹⁰ key “K”, which is incorporated in the Universal Integrated Circuit
Card (i.e. UICC) of a UE and stored in the Home Subscriber Server (i.e. HSS) for further use.
The UE-specific, initial (i.e. root) security key “K” is derived from the IMSI number, located in the
USIM of the UE, through 1:1 mapping. Due to the equality with IMSI, it is never sent through the
network to avoid possible identity theft and integrity misuse. Instead, it is used by the UICC and HSS
to compute two session keys, named cipher-key (CK) and integrity-key (IK). As their names already
imply, these keys are exclusively used for data ciphering and UE integrity protection. Furthermore,
they are used to calculate the Access Security Management Entity Key (in further text KASME), which is
derived during a process called Evolved Packet System Authentication and Key Management (EPS
AKA) explained in Section 6.5, and used for Next Hop parameterisation (NH), which is described in
Section 6.6.
The KASME key is also used to derive additional keys which provide a secured attach procedure:
KNASenc and KNASint, used with signalling messages between a UE and an MME, and KeNB, used for
communications with the eNodeB (Fig. 6.1). The latter is also used for encryption and integrity
protection of TCC signalling messages in the AS layer.
Figure 6.1 Key hierarchy of the LTE system
¹⁰ The initial key K is derived from the IMSI of a UE (e.g. from a mobile phone), which means that it is not user-specific, but UE-specific.
The root key K and its derivations CK and IK contain 128 bits, while intermediate and leaf keys (KASME,
KNASenc, KNASint, KeNB and others) contain 256 bits. However, since the current ciphering and integrity
protection mechanisms in the LTE system use 128-bit keys, only the least significant bits are utilised
for these operations. The sizing of system-crucial keys was chosen as a provision to support
future 256-bit key mechanisms.
6.5 Authentication and Security Activation
6.5.1 EPS Authentication and Key Agreement
When a UE wants to communicate with the network, it first has to go through authentication and
security setups. To provide confidentiality of both the UE and network, their respective credentials
are not directly transmitted over the LTE air interface. Therefore, a permanent authentication key K
is declared, being stored in the network’s Authentication Centre (AuC) and the UE’s USIM, whose
derivations are used for further transmissions. However, to enable their identification to each other,
temporary identifiers such as the GUTI, C-RNTI and S-TMSI are used. While the GUTI and S-TMSI are
used for user identity confidentiality, the C-RNTI is used to identify a UE which is currently in an RRC
connection with the eNodeB during handover processes (see Section 6.6).
The main authentication mechanism of LTE is called EPS Authentication and Key Agreement
procedure (EPS AKA). This procedure is used whenever a UE and a network want to communicate
with each other and no shared security context is present. Therefore, EPS AKA is used to refresh (i.e.
set up if non-existent) the security key structure stored in both UE and different elements of the
network. A similar process was used in 2G and 3G mobile communication networks, but contained
less evolved functions. One of the upgrades in the LTE adaptation is the Implicit Serving Network
Authentication and its main element, the local master key KASME, used for the identification of serving
networks during the authentication exchange. Moreover, additional cryptographic upgrades were
introduced, which allow KASME derivation in the MME and HSS.
The EPS AKA procedure contains the following three processes:
- the generation of EPS authentication vectors (AVs) on behalf of the MME,
- the authentication and setting-up of a new shared key (i.e. security context) between the UE
  and the network, and
- the transmission of authentication messages in the serving networks.
The procedure is invoked by an MME, which sends a request for EPS authentication vectors to an HSS.
This message is known as the Authentication Information Request and contains the secure key K, as
well as the MME’s serving network identity. The receiver (i.e. HSS) stores the respective secure key K
and forms an authentication vector (either a completely new AV or one of the predefined system
AVs), which contains four elements:
- RAND, a random number used by the MME to query the UE.
- XRES, the expected response to RAND, which the UE can only calculate if it has the right
  value of K.
- AUTN, the authentication token containing a specific sequence number, which prevents
  intruders from reproducing copied authentication requests. It can also only be calculated by
  using the right value of K.
- KASME, the Access Security Management Entity Key, which is derived from the intermediate
  keys CK and IK, i.e. indirectly from the root key K and RAND (see Section 6.4).
The authentication vector is then transmitted to the MME. In previous mobile communication
networks, several AVs were sent to an MME-equivalent. However, in LTE system authentication
messaging, the HSS sends only a few authentication vectors to one MME, as the storage of the KASME
key significantly reduces the needed signalling exchange.
After receiving the AV, the MME sends a so-called EMM Authentication Request to the UE,
containing the RAND and AUTN values. If the authentication succeeds (the UICC checks if the
received values are genuine), the UE combines the RAND value with its secure key K into a value
named RES, and transmits it together with its self-generated CK, IK and KASME keys in the EMM
Authentication Response addressed to the MME. The RES value is then compared to the XRES value
obtained from the authentication vector, which completes the process; the connection is then
authenticated.
6.5.2 Authentication Failure
Although the authentication success rate of LTE based communication is remarkably high, it still
introduces an increase of authentication failures, caused by the quantity of new security parameters,
values, and rules. The most common authentication failure types are as follows:
- Synchronisation failure. This error occurs when the UICC determines that the sequence
  number of AUTN, received in the authentication vector, is not equal to the sequence in
  which it arrived at the UE. The UE then forms an AUTS value and sends it to the MME in the form
  of an Authentication Failure message. The AUTS is then passed on to the HSS, to which it
  serves as a request to create new AVs.
- Invalid authentication response. This failure manifests when the MME detects a difference
  between the values of RES and XRES. In this scenario, the MME can issue a new identification
  and authentication procedure directed from the network (i.e. HSS) towards the UE or send an
  Authentication Reject message to cancel the procedure.
- Reuse and retransmission of parameters. As the authentication vectors are usable only once,
  repeated RAND and AUTN values cannot be included in the KASME derivation process, which
  then results in an error. However, there is one exception to this rule: when the MME
  transmits an Authentication Request but does not receive an answer (i.e. an Authentication
  Response or Authentication Reject message), the request may be retransmitted.
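The challenge-response exchange of Section 6.5.1 and the failure cases of Section 6.5.2 can be traced in a small simulation. This is an added example, not part of the thesis or of any 3GPP implementation: HMAC-SHA-256 stands in for the operator's real f1/f2/f5 functions (e.g. MILENAGE), the AMF field of AUTN is omitted, the sequence number check is a plain "must be larger" rule, and the key K and all class and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os


def f(k: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for f1/f2/f5 (assumption: HMAC-SHA-256 keyed with K, not MILENAGE)."""
    return hmac.new(k, label + b"\x00" + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HSS:
    """Network side: holds K and the subscriber's sequence number (SQN)."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def make_av(self, rand: bytes = b""):
        """Build one single-use authentication vector: (RAND, AUTN, XRES)."""
        self.sqn += 1
        rand = rand or os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        ak = f(self.k, b"f5", rand, n=6)          # anonymity key conceals SQN
        mac = f(self.k, b"f1", sqn, rand, n=8)    # only a holder of K can produce it
        return rand, xor(sqn, ak) + mac, f(self.k, b"f2", rand, n=8)

    def resync(self, rand: bytes, auts: bytes) -> bool:
        """Process AUTS after a synchronisation failure: verify it, adopt the UE's SQN."""
        sqn_ue = xor(auts[:6], f(self.k, b"f5*", rand, n=6))
        if not hmac.compare_digest(auts[6:], f(self.k, b"f1*", sqn_ue, rand, n=8)):
            return False
        self.sqn = int.from_bytes(sqn_ue, "big")
        return True


class USIM:
    """UE side: holds the same K and the highest SQN accepted so far."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def authenticate(self, rand: bytes, autn: bytes):
        """Return ("OK", RES), ("MAC_FAILURE", None) or ("SYNC_FAILURE", AUTS)."""
        sqn = xor(autn[:6], f(self.k, b"f5", rand, n=6))
        if not hmac.compare_digest(autn[6:], f(self.k, b"f1", sqn, rand, n=8)):
            return "MAC_FAILURE", None            # AUTN was not built with our K
        if int.from_bytes(sqn, "big") <= self.sqn:
            sqn_ue = self.sqn.to_bytes(6, "big")  # stale or replayed vector
            auts = xor(sqn_ue, f(self.k, b"f5*", rand, n=6)) \
                + f(self.k, b"f1*", sqn_ue, rand, n=8)
            return "SYNC_FAILURE", auts
        self.sqn = int.from_bytes(sqn, "big")
        return "OK", f(self.k, b"f2", rand, n=8)


def mme_accepts(res, xres: bytes) -> bool:
    """MME check: compare the UE's RES with XRES from the vector, in constant time."""
    return res is not None and hmac.compare_digest(res, xres)


def run_scenarios() -> dict:
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed 128-bit K
    hss, usim, out = HSS(k), USIM(k), {}

    rand, autn, xres = hss.make_av()                         # genuine network and UE
    status, res = usim.authenticate(rand, autn)
    out["genuine"] = (status, mme_accepts(res, xres))

    out["replayed_vector"] = usim.authenticate(rand, autn)[0]   # same RAND/AUTN again

    fake_rand, fake_autn, _ = HSS(bytes(16)).make_av()       # network without the right K
    out["fake_network"] = usim.authenticate(fake_rand, fake_autn)[0]

    rand, autn, xres = hss.make_av()                         # responder without the right K
    out["wrong_k_res_accepted"] = mme_accepts(f(bytes(16), b"f2", rand, n=8), xres)

    usim.sqn = 40                                            # UE counter ahead of the HSS
    rand, autn, _ = hss.make_av()
    status, auts = usim.authenticate(rand, autn)
    resynced = status == "SYNC_FAILURE" and hss.resync(rand, auts)
    out["resync"] = (resynced, usim.authenticate(*hss.make_av()[:2])[0])
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22} {result}")
```
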
6.5.3 Security Activation
Security activation takes place at the same moment at which EPS AKA marks the connection as
authenticated. It is a process in which the UE and network separately derive and set up the ciphering
(i.e. encryption) and integrity protection keys, as the first step of securing the transmitted
information.
Non-Access Stratum security is activated first, with the MME triggering the derivation of its ciphering
and integrity protection keys KNASenc and KNASint, enabled through the parameters and security context
determined in the EPS AKA. A so-called EMM Security Mode Command message is sent to the UE,
ordering it to activate NAS security. Simultaneously, the UE derives its own KNASenc and KNASint keys
with the help of KASME, replies to the MME with an EMM Security Mode Complete message and
activates its ciphering and integrity protection mechanisms (Fig. 6.2).
If the UE disconnects from the MME, both parties delete their NAS security context (keys KNASenc and
KNASint), but keep their intermediate security keys (CK and IK), as well as KASME. This allows the UE to
re-connect to the MME faster, due to the already activated NAS security, skipping most of the
security activation procedure.
Figure 6.2 Security activation procedure of the Non-Access Stratum
Access Stratum security is triggered after Non-Access Stratum security has been successfully
established. This happens due to the MME deriving the eNodeB secure key KeNB and sending it in a
so-called S1-AP Initial Context Setup Request to the base station (Fig. 6.3). The KeNB is then used to
calculate additional ciphering and integrity protection keys KUPenc, KRRCenc and KRRCint, in a process
similar to the key derivation feature described for NAS security activation. The base station then
transmits an RRC Security Mode Command (equivalent to the EMM Security Mode Command
mentioned above) which is acknowledged by the UE with an RRC Security Mode Complete message.
The UE also derives its own keys and activates its ciphering and integrity protection mechanisms.
Simultaneously, downlink encryption is initiated.
Figure 6.3 Security activation procedure of the Access Stratum
In case of handovers, the current base station derives a special key denoted KeNB* and sends it to the
target base station, which then uses this key as the new KeNB. Further explanation of this technique
can be found in Section 6.6.4.
6.6 Idle-State Mobility and Handover Scenarios
6.6.1 Connected and Idle State
Security measures and context management have to be applied to every transmission between the UE
and the network, including the transitions to and from connected and idle states. These are two
possible conditions to which the UE changes whenever it needs to transmit or receive data from the
network or save energy if no communication is necessary. While the UE is in idle state, no security
context is shared with the network, except with the MME, which stores the root and intermediate
keys to allow a seamless state transfer of the UE whenever that is required.
To initiate the transfer into connected state (in either situation, whether the UE may transfer from
idle state or register to the network for the first time after starting up), the MME retrieves the NAS
uplink COUNT value (that is either 0 or 1) which is then combined with the KASME key forming the KeNB
key. Together with the security capabilities of the UE (also determined by the MME, through
authentication signalling messages from the UE, see Section 6.5), the KeNB key is sent to the eNodeB,
which then selects the most suitable pre-defined security algorithm and answers the UE with a so
called Access Stratum Security Mode Command request. The UE accepts this request by replying with
the Security Mode Complete message. For a more detailed explanation, refer to [4].
The UE is transferred to idle state due to two possible reasons: if its connection to the MME was
released or if the connection was broken. This state change is also recognised by the eNodeB, which
deletes all stored security context parameters of the AS, related to the idle UE. Simultaneously, the
same security context is discarded from the UE, with the addition of the {NH, NCC} pair. Since the UE
always needs intermediate key parameters when reconnecting to a network, it issues an EPS NAS
security update, and stores the new values in its USIM (i.e. in the non-volatile EM memory).
6.6.2 UE Mobility in Idle State
A special set of security measures is applied in the case of communication between the network and
an idle UE. This happens when the idle UE is moving and thus changes its Tracking Area Identifier (i.e.
TAI). Although an idle UE is not actively connected to any eNodeB, it still periodically listens to
broadcast system information messages sent from the network(s), which include an eNodeB’s TAI. If
the network needs to connect to the idle UE (e.g. incoming voice call or text message, data
transmission), it pages the UE based on the tracking areas in which the UE is registered, by sending
specific connection initiation¹¹ messages. The UE answers with a transfer message, requesting the
state change from RRC_IDLE to RRC_CONNECTED (on the radio level) and ECM_CONNECTED (of the
Non-Access Stratum). This mechanism was developed to allow network-to-UE communication in
situations where the UE is currently not connected to any eNodeB base station.
Each time a UE changes its position from one tracking area to another, it needs to notify the network
of its current position. While this process is done automatically (being part of the location update
process) when the UE is in connected state, an idle UE has to issue a NAS level Tracking Area Update
request (TAU) itself. This technique grants idle state mobility for the UE, as well as a periodic update
of TAIs for the network. Furthermore, it is part of the network efficiency enhancement introduced in
LTE, as it informs the network if the UE is still registered and within the coverage of an eNodeB,
allowing it to discard the UE and save resources. The periodic TAU request can only be sent from
connected state, meaning that the UE must change to RRC_CONNECTED and ECM_CONNECTED
state. After request transmission¹², the UE automatically changes back to RRC_IDLE, i.e. the idle
state.
Due to the preferences of the EPS, an eNodeB can be connected to multiple MMEs at the same time.
This feature was introduced to encourage the utilisation of one eNodeB by several operators. Thus,
to enable the connection of an idle UE with its destined MME, the TAU request sent by the UE has to
include specific identification and security strings. These are included in the so-called Globally
Unique Temporary Identity (GUTI), which contains the Public Land Mobile Network Identity (PLMN)
and the MME identity, and the EPS security context element named key set identifier eKSI. In
addition, the network can locate and connect to the previously used MME and retrieve the UE’s
authentication information, which then allows the transmission of the TAU Accept message. If this
process fails, the sequence is not repeated, as an EPS AKA request is sent instead.
¹¹ The purpose of these initiation messages is the same as the function of magical packets used in the 802.11 standard, as they both initiate an idle-to-connected state change.
¹² The TAU does not include the functions of EPS AKA, which also requires the UE to go into connected state and serves as the key hierarchy refreshing process and USIM registration acknowledgement.
6.6.3 Handover Security Requirements
Handover security is one of the most important security applications in the LTE system, as the whole
security context gets transmitted to the destined eNodeB. This transmission process is targeted by
attackers, posing a big threat to the integrity of a single user and to the confidentiality of their
information. To counter this threat, special key separation techniques are introduced and applied
to all security keys marked as “shared security context”. Since LTE is not based on the Radio Network
Controller elements (RNCs), the process of key separation called Key Derivation Function (KDF)
happens directly in an eNodeB and is fulfilling the following premise: two keys, e.g. X and Y, are
separate if key X cannot be derived from key Y and key Y cannot be derived from key X. In LTE, key
separation is applied:
- between UEs,
- between eNodeBs,
- between access network technologies,
- between ciphering¹³ and integrity protection,
- between the control and user plane and
- between the AS and NAS.
Furthermore, LTE introduces a new security aspect in terms of handover scenarios, that being the
processing of implementation-specific security requirements. This ensures that the steps before
and after transmission (key derivations, integrity protection, encryption and decryption) are carried
out in a secure environment.
6.6.4 Handover Key Management
The LTE air interface includes two handover scenarios, namely the X2 handover (between two
eNodeBs which are connected with the X2 interface) and the S1 handover (between an eNodeB and
the EPC, connected over a MME in the S1 interface). The main difference of these two models is the
particular time in which an MME is informed about the use of a technique called path switching. This
process is used to issue the location update procedure, which the eNodeB requests from the MME.
In strict security terms: the MME provides fresh keying material to the eNodeB before the radio
break in S1 handovers and after the radio break in X2 handovers (sent together with the path switch
acknowledgement message).
Fresh keying material computing is the derivation process of new (i.e. fresh) intermediate and leaf
keys from the existing security context stored in the UE and the MME. This includes security
elements such as the NH key and KASME local master key, as well as the NAS uplink COUNT value
described in Section 6.6.1. The key derivation stages are shown with the following equations:
¹³ All keystreams used in the derivation process are to be fresh, as they must not be used twice to encrypt data.
The first KeNB is derived from the KASME and the current NAS uplink COUNT. This key, named KeNB-0, is
then used for the calculation of the initial NH, named NH1, and its NH Chaining Count value (NCC).
Since the NCC is a 3-bit key index, it can have integer values between 0 and 7, which are used during
the handover command to determine which key derivation approach will be used. The first NCC is set
to “1”, as the KeNB-0 is associated with the NCC value “0” and the value can only increase. If the NCC
received with a handover command is greater than the NCC of the KeNB currently in use, vertical key
derivation will take place (Fig. 6.4). In case of the received NCC being smaller than the currently used
NCC, the system proceeds with the synchronisation of {NH, NCC} parameters after which horizontal
key derivation is applied.
In S1 handovers and the signalling process of X2 handovers, the previous NH and KASME keys provide
fresh {NH, NCC} pairs to the eNodeB. For X2 handovers, this pair can only be used once, for the next
handover, as it is directly used in the vertical derivation process:
For S1 handovers, the fresh {NH, NCC} is used to derive the next KeNB, which is then used in the
horizontal derivation process:
The variables PCI (i.e. Physical Cell Identity) and EARFCN-DL (E-UTRAN Absolute Radio Frequency
Channel Number on the Download) are additional identification and frequency-related cell (i.e.
eNodeB base station) parameters.
Figure 6.4 Horizontal and vertical key derivation during handover
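The key chain described in Sections 6.4, 6.5.3 and 6.6.4 (KASME to KeNB, to the NAS and AS leaf keys, and to new KeNB values on handover) can be reproduced with the generic key derivation function. This is an added example, not code from the thesis: the FC codes and parameter layout follow my reading of 3GPP TS 33.401 Annex A, the KASME value and cell parameters are constructed, the class and function names are hypothetical, and the 3-bit wrap-around of the NCC is not modelled.

```python
import hashlib
import hmac

K_ASME_SAMPLE = hashlib.sha256(b"constructed KASME for this example").digest()
ALG_TYPE = {"NAS-enc": 1, "NAS-int": 2, "RRC-enc": 3, "RRC-int": 4, "UP-enc": 5}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..., Li = 2-byte length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()          # 256-bit output


def derive_k_enb(k_asme: bytes, nas_ul_count: int) -> bytes:
    return kdf(k_asme, 0x11, nas_ul_count.to_bytes(4, "big"))


def derive_nh(k_asme: bytes, sync_input: bytes) -> bytes:
    return kdf(k_asme, 0x12, sync_input)


def derive_k_enb_star(base_key: bytes, pci: int, earfcn_dl: int) -> bytes:
    width = 2 if earfcn_dl < 65536 else 3                     # extended EARFCN range
    return kdf(base_key, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(width, "big"))


def derive_alg_key(parent: bytes, alg_type: str, alg_id: int) -> bytes:
    """Leaf key for one algorithm; the 128 least significant bits are the key in use."""
    return kdf(parent, 0x15, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[-16:]


class KeyChain:
    """Handover key state held identically by the UE and by the network."""

    def __init__(self, k_asme: bytes, nas_ul_count: int):
        self.k_asme = k_asme
        self.k_enb = derive_k_enb(k_asme, nas_ul_count)        # KeNB-0, NCC = 0
        self.nh, self.ncc = self.k_enb, 0                      # KeNB-0 seeds the first NH

    def handover(self, ncc_rx: int, pci: int, earfcn_dl: int) -> str:
        """Derive the KeNB for the target cell from the NCC in the handover command."""
        if ncc_rx < self.ncc:
            raise ValueError("NCC wrap-around is not modelled in this example")
        if ncc_rx == self.ncc:
            base, kind = self.k_enb, "horizontal"              # chained from current KeNB
        else:
            while self.ncc < ncc_rx:                           # synchronise {NH, NCC}
                self.nh = derive_nh(self.k_asme, self.nh)
                self.ncc += 1
            base, kind = self.nh, "vertical"                   # derived from fresh NH
        self.k_enb = derive_k_enb_star(base, pci, earfcn_dl)
        return kind


def demo() -> dict:
    ue, net = KeyChain(K_ASME_SAMPLE, 0), KeyChain(K_ASME_SAMPLE, 0)
    out = {
        "k_enb0": ue.k_enb,
        "k_nas_enc": derive_alg_key(K_ASME_SAMPLE, "NAS-enc", 2),   # 128-EEA2
        "k_nas_int": derive_alg_key(K_ASME_SAMPLE, "NAS-int", 2),   # 128-EIA2
        "k_rrc_int": derive_alg_key(ue.k_enb, "RRC-int", 2),
        "steps": [],
    }
    # Constructed handover sequence: (NCC in handover command, PCI, EARFCN-DL)
    for i, (ncc, pci, earfcn) in enumerate([(0, 101, 1850), (1, 102, 1850), (1, 103, 6300)]):
        if i == 1:
            # What the first target eNodeB could compute on its own for cell 102
            guess = derive_k_enb_star(ue.k_enb, pci, earfcn)
        kind = ue.handover(ncc, pci, earfcn)
        net.handover(ncc, pci, earfcn)
        out["steps"].append((kind, ue.ncc, ue.k_enb == net.k_enb))
        if i == 1:
            out["old_enb_guess_matches"] = guess == ue.k_enb
    return out


if __name__ == "__main__":
    result = demo()
    for kind, ncc, agree in result["steps"]:
        print(f"{kind:10} derivation, NCC={ncc}, UE and network agree: {agree}")
    print("previous eNodeB can predict the vertical key:", result["old_enb_guess_matches"])
```

The `old_enb_guess_matches` result is the key separation property of Section 6.6.3 in practice: an eNodeB that only holds an earlier KeNB cannot compute the key derived from a fresh NH, because NH requires KASME.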
If the handover procedure fails, due to the UE not being able to connect to the targeted cell, the
handover sequence is repeated for either the same cell or a different cell. This procedure is called
RRC Connection Re-establishment and uses no security encryption or integrity protection. It is sent
together with the shortMAC-I token, which provides sufficient security while the UE is authenticated
to the targeted cell.
6.7 Additional Security Measures of EPC and RAN
6.7.1 IP security mechanisms
The network domain security measures of the LTE system are based on existing security processes
and techniques used in wired and wireless static communication systems. Since the data
transmission and voice services (see Chapter 5) utilise the packet data and IP-based structure of LTE,
standard Internet Engineering Task Force (IETF) security protocols are applied without special
tailoring. Furthermore, during authentication (Section 6.5), two devices identify each other with help
of the Internet Key Exchange version 2 (IKEv2) protocols, which have been adapted for the use with
pre-shared secure keys.
Given special circumstances, LTE also utilises the Internet Protocol Security Encapsulating Security
Payload (IPSec ESP) for its ciphering and integrity protection procedures. However, this process of
packet data encryption places a significant burden on the base stations, as it introduces additional
processing prior to transmission (i.e. encrypting the data) and after receiving (i.e. decryption to
original form), causing a throughput downgrade of approximately 50%¹⁴.
6.7.2 Evolved Packet Core Roaming
Special attention is given to the roaming procedure and security between networks of different
providers. To support both functions simultaneously, the EPC is distributed into security domains.
One EPC of a mobile network provider usually corresponds to one security domain, although it can
also be aligned onto multiple security domains. Furthermore, the security domains are separated by
the so called Za interface, which represents all network domain security functions between two
domains. Za requires the use of IPSec ESP, in its tunnel mode (which protects the payload and the
header of an IP packet).
For the securing of network elements within the security domains themselves, an application called
Zb interface is used. This interface also requires the utilization of IPSec ESP tunnel mode, as it covers
all traffic inside an operator’s subnet. Since it does so, it is not required to embed the security of the
Zb interface in single network elements, as this would involve an additional processing burden.
¹⁴ The percentage is even higher if vast amounts of small packet data have to be sent, such as in the application of Voice over LTE and similar techniques.
Figure 6.5 Security interfaces Za and Zb of secure domains as an implementation of network domain security
6.7.3 Ciphering techniques
Even though the key structure and management in LTE differs from those used in previous mobile
communication systems, their encryption mechanisms are very similar. LTE uses these mechanisms
on both the AS and NAS level, providing an optimal secure environment for communications
between a UE and the network. Depending on the sort of communication and between which
elements it is established, four different ciphering techniques and algorithms are used: the null
algorithm, SNOW 3G, AES and ZUC.
Null Algorithms (i.e. NAs) represent a technique used in the event of emergency calls, in which the
connection must not be secured. Since an MME in LTE is obligated to let the UE know if the air
interface will be secured or not, explicit messages which contain “security off” commands are sent
instead of not sending a “security on” command. The procedure of starting a non-protected
transmission is similar to the procedure of establishing a protected connection, except for the first
step, in which a NA is selected instead of the most suitable protection algorithm. Although the NA
contains “algorithm” in its name, it is in fact just a keystream with a simple equation function. This
function depends on the type of NA realisation, as there are different NA applications in LTE.
The first type, known as EPS Encryption Algorithm Type 0 (EEA0), enables a non-protected
transmission through the specific contents of its message, where the usual ciphertext is exchanged
with plaintext. Another possible application of this type contains a keystream of all zeroes, taking
advantage of the ciphertext formation which is calculated with a xor operation from the plaintext
and keystream. The second type of NAs is realised through the use of simple mathematical
operations, such as the appending of a 32-bit string of all zeroes to the end of the message. This way,
a fake integrity protection is triggered¹⁵.
A specific approach is introduced regarding AS and NAS security. To successfully provide a secure
environment, two different encryption techniques are used, meeting the requirement of sufficient
cryptographic diversity. This ensures that a possible attacker is hindered from compromising the
identities (i.e. information) of the UE and network, as there is no realistic possibility of decrypting
both parts in an acceptable time. These ciphering algorithms are called SNOW 3G and AES, and are
explained below.
The SNOW 3G ciphering algorithm was taken over from 3G mobile communication networks with
minimal adaptation changes to be fully supported by the EPS architecture. The LTE version is called
128-EEA1, which implies that 128-bit keys are used. As mentioned in Section 6.4, a future upgrade to
256-bit keys is foreseen, thus the algorithms have been chosen accordingly.
AES (i.e. Advanced Encryption System) ciphering algorithms were partially redesigned for the use in
LTE, as its original functions were not designed for mobile packet data communications. The LTE
version is called 128-EEA2 Counter Mode, also implying the 128-bit nature of secure keys.
“Counter Mode” indicates the specific bit allocation, where the message is comprised out of the
ciphering algorithm input parameters (BEARER, COUNT and DIRECTION), located in the most
significant part, and all zeroes, located in the least significant part.
The latest implementation in terms of ciphering algorithms is the ZUC stream cipher (i.e.
cryptographic) set, building the core of two new LTE algorithms: the encryption algorithm called 128-
EEA3 (i.e. ZUC) and the integrity protection algorithm known as 128-EIA3. These were designed as an
alternative to AES, in order to enable cryptographic diversity of LTE systems and the use of LTE
systems themselves in as many countries as possible¹⁶.
6.8 Problems, Flaws and Difficulties
The security aspect of LTE is mainly comprised of security procedures which were already used in
previous mobile communication and IP systems. These procedures were upgraded and adapted to
the new EPS structure, as well as complemented with additional new security mechanisms. Since
these techniques were never combined before and were not actively used together for a relatively
long time, different issues and challenges may occur. Further integration and functioning problems
may arise:
- Performance issues. The explicit need (i.e. requirement) of securing all data transfers,
  including signalling messages, through identification, authentication, ciphering and integrity
  protection places a processing and resource usage burden on the whole system which
  cannot be neglected. This problem is solved by using the most suitable encryption and
  decryption techniques supported with additional hardware (on the EPC and RAN side).
- Energy consumption. During processes such as the Evolved Packet System Authentication
  and Key Agreement procedure (EPS AKA) the UE has to continuously send and receive
  signalling messages and calculate security keys to successfully adapt its settings and connect
  to the network. Due to a certain failure rate and possible disconnections, double or multiple
  executions of the AKA protocol have to be avoided. This is realised through the use of special
  adaptations of the AKA, such as the EAP-AKA and the EAP-AKA’, which contain special Secure
  Hash Algorithms and sequencing settings to counter this issue. Furthermore, the utilisation
  of the newly introduced ESIM greatly decreases the signalling traffic, as it provides a direct
  online mutual authentication.
- Lack of standardisation. Many security measures and algorithms used in LTE are still open
  research issues, publicly evaluated solutions and internationally not adopted techniques. This
  causes a lack of unique technology standardisation which poses the question of a universally
  available mobile communication network model.
- Security of flat all-IP networks. In its essence, LTE is a textbook example of an IP network –
  with all its flaws and problems. This makes it vulnerable to Denial of Service,
  desynchronisation and replay attacks from the internet. To counter these threats, specially
  tailored versions of network analysis and client puzzling are used, together with the further
  evolution of key management and handover authentication scenarios.
- Throughput loss. As mentioned in Section 6.7, the utilisation of Internet Protocol Security
  Encapsulating Security Payload (IPSec ESP) procedures greatly impacts the data rate of the
  system with capacity losses over 50%. This issue is encountered in an area between the EPC
  and the RAN, named Evolved Packet Edge (i.e. EPE). The EPE introduces a High Performance
  Interface (which contains additional hardware to satisfy the processing requirement) and a
  Secure Perimeter, which offers additional securing processes before EPC security is activated.
¹⁵ The possible genuine integrity sequence would occur once in 2^32 cases, where the device identity happens to be a string of all zeroes, resulting in a non-protection activation error. Since the possibility of this event is practically 0%, it is not playing a leading role in the calculation of LTE’s 99,999% efficiency rate.
¹⁶ ZUC was designed in China, as a reaction to the standardisation of AES in LTE, since the use of algorithms that were not designed in their country is prohibited.
6.9 Summary
While developing and designing the LTE system, special attention was given to security measures and
their most efficient implementation means. All functions and network elements were involved with
equal priority. This approach resulted in special security applications for every aspect of the system,
as each of them has its own requirements and processing capabilities. Moreover, already existing
security measures such as ciphering algorithms and the authentication methods were taken over
from previous mobile generation networks, applied with minimal changes to be supported by the
new Evolved Packet System structure. Additionally, possible problems and flaws of these security
measures are discussed in this chapter.
7. Conclusion
The main reasons for the development of LTE are the situation and problems caused by previous
mobile communication systems. This mainly includes the oversaturation of the mentioned systems with
the number of users, introduced due to the worldwide availability of GSM, and their overall data
traffic, rapidly increasing as a side effect of high-speed data transmissions introduced by HSPA, which
allows the end-user to upload and download great amounts of data. The LTE system therefore
addresses current system issues such as the improvement of capacity, of single base stations and
system-wide, additional improvement of data rates and delay reductions, as well as new means of
low-cost network implementation.
The evolution of existing beneficial system technologies and the introduction of new applications to
different aspects of the system are part of the modern mobile communication network approach in
LTE. This approach is realised from LTE’s very system architecture and network elements through to
external services and security measures of the realised system. The Evolved Packet System, as LTE’s
new system architecture, is the manifestation of a flat structure implementation and results in a
reduced network complexity. Similarly, the exclusive support of the packet switched domain brings
further system simplification, which reflects positively on the QoS.
Further improvements, such as the utilisation of modern transmission formats which are specifically
tailored for LTE’s Radio Access Network, are included primarily because of their beneficial effects on
both the network infrastructure and the end-user, and secondarily because they offer additional
enhancements. Moreover, the implementation of Multiple Antenna Techniques and mechanisms of
multi-propagation simultaneously introduces multiple improvements to different aspects of the
network structure.
As the LTE system evolves and its commercial applications become available all around the globe, it is
evident that it not only provides advantages and enhancements over previous mobile
communication systems, but also introduces several disadvantages and regressions. The exclusion of
the circuit switched domain, traditionally used to enable voice call and text messaging services, is
often seen as such a drawback. Furthermore, since the Evolved Packet System is similar to the
internet, an end-user’s security is endangered by additional web-based threats and attacks.
These issues and problems are solved with the utilisation of external subsystems, such as IMS or
VoLTE, and the inclusion of existing IP-based security measures. Moreover, possible system flaws and
shortcomings are predicted, corrected or avoided with the help of the techniques and mechanisms
introduced by Self Optimising Networks.
Finally, the overall standards and technologies introduced with the new LTE system yield more
positive results than negative ones. Obviously, there are several aspects with room left for further
improvements and system components which need to be tested in the long run. These topics will be
addressed in the further evolution of LTE, i.e. in 3GPP LTE-Advanced (Releases 10, 11 and 12), and in
future mobile communication systems.