UNIVERSITY OF ALBERTA

Overview of the Evolved packet core network

Project report submitted to the Faculty of graduate studies and research, University of Alberta, in partial fulfillment of the requirements of the degree of Masters of Engineering (Specialization: Communications)

Amandeep Singh, ECE, Student ID: 1275809

Department of Electrical and Computer Engineering, University of Alberta

Abstract

Since the advent of mobile internet technologies, the number of users and their demand for high-rate data access have been growing exponentially. This study explores the evolution of the all-IP core network named Evolution Packet Core (EPC). EPC is developed by 3GPP under the work item System Architecture Evolution (SAE). Various aspects of the EPC, including its architecture, its interworking with other radio access technologies (e.g. GSM/WCDMA or CDMA), and its major services and functions, are covered briefly in this study project.

Keywords- System Architecture Evolution (SAE), Evolution Packet Core (EPC), Long Term Evolution (LTE), Mobility Management Equipment (MME), Serving Gateway (SGW), Packet Data Network Gateway (PDN-GW), Home Subscriber Server (HSS), eNODEB

Table of contents

1. Introduction to Evolved packet core networks (EPC)
1.1 Overall cellular system architecture
1.2 Background of development of EPC
1.3 Objectives set by 3GPP for EPC

2. EPC architecture
2.1 MME
2.2 Serving gateway (SGW)
2.3 Packet data network gateway (PDN-GW)
2.4 Home subscriber server (HSS)

3. Interworking with 2G and 3G technologies
3.1 Interworking between LTE and GSM or WCDMA networks
3.2 Interworking with LTE and CDMA networks

4. Major services of EPC
4.1 Data services
4.2 Voice services
4.3 Message services

5. Major Functions of EPC
5.1 Authentication and security
5.2 Policy and charging control and QoS
5.3 Packet routing
5.4 Mobility management
5.5 IP address allocation

Conclusion

References

List of Figures

Figure 1- Basic cellular architecture
Figure 2- Architecture Domains by 3GPP
Figure 3- Basic EPC architecture for LTE
Figure 4- Interworking of LTE with GSM or WCDMA networks
Figure 5- Interworking of LTE with GSM or WCDMA networks by GTPv2
Figure 6- Interworking of LTE with CDMA networks
Figure 7- Application and services on mobile broadband
Figure 8- Flow of message services via circuit and IP domain
Figure 9- Different security domains
Figure 10- Flow of Authentication process messages
Figure 11- Example of two security domains by employing NDS/IP
Figure 12- Policy architecture
Figure 13- EPS bearer model

1. Introduction to Evolved Packet Core network (EPC)

1.1. Overall cellular system architecture

In 1897, Guglielmo Marconi first showed the world the ability to communicate by radio with ships sailing the English Channel. Since then, the field of wireless communication has been growing by leaps and bounds.

The first wireless system operated commercially, in the late 1970s, was AMPS (Advanced Mobile Phone System), developed by Bell Labs. Since then various other standards, e.g. Global System for Mobile Communications (GSM), GPRS, CDMA etc., have been developed, and the process of development is still in progress.

The basic cellular architecture of different wireless standards consists of three parts, as shown in Figure 1 below. These are:

Mobile station

Base station subsystem

Network subsystem

Mobile Station: A mobile station is equipment in the cellular system intended for use while in motion. It may be a hand-held device or installed in a vehicle. It contains an integrated chip called the subscriber identity module (SIM), which holds the International Mobile Subscriber Identity (IMSI) and the encryption keys for authorization.

Base station subsystem: The base station subsystem mainly consists of two entities, the base transceiver station (BTS) and the base station controller (BSC). The BTS is a fixed station in a cellular network, used for communication with mobile stations over the air interface. It consists of radio channels and antennas (transmitting and receiving simultaneously) mounted on a tower. The BSC provides functions like handover, control of RF power levels and cell configuration data in the BTS, and physical connectivity between the BTS and the Mobile Switching Center (MSC). One BSC can handle several BTSs simultaneously.

[Figure 1- Basic cellular architecture. Blocks shown: Mobile Station; Base Station Subsystem (BTS, BSC); Network Subsystem (MSC, HLR, VLR, EIR, AuC); PSTN]

Network Subsystem: The network subsystem consists of the Mobile Switching Center (MSC), which provides call routing and mobility management. It is connected to the Public Switched Telephone Network (PSTN) to give end users access to external networks. The Home Location Register (HLR) stores the data related to each and every subscriber registered in a network and provides the current location of each user. The Visitor Location Register (VLR) is a database which temporarily stores the information of a subscriber who is visiting the coverage area of an MSC other than its home MSC. The Authentication Center (AuC) is a strongly protected database which handles the authentication and encryption keys for every single subscriber in the HLR and VLR. The Authentication Center contains a register called the Equipment Identity Register (EIR), which identifies stolen phones that transmit identity data that does not match the information contained in either the HLR or the VLR.

1.2 Background of development of EPC

In the 1990s, the various cellular standards, e.g. GSM and CDMA, were based on circuit switching, and the services developed concentrated on the typical applications of telecommunications. The introduction of mobile internet in the early 1990s brought a huge change, one could say a revolution, to the telecommunication world. At that time, however, mobile equipment was not capable enough to support the services. Another reason was bandwidth: the radio bandwidth was not enough to support the services.

The trend has now changed: the evolution of new mobile broadband access technologies and developments in semiconductor chips have made it possible to support mobile internet services.

In November 2004, 3GPP (Third Generation Partnership Project) started its work on 4G technologies as a successor of the Universal Mobile Telecommunication System (UMTS), in particular a work item named System Architecture Evolution (SAE), along with LTE. SAE is responsible for the evolution of the packet core network (EPC), which will support high-bandwidth services at high data rates.

3GPP wanted to create a global standard for 4G technologies. Firstly, this gives an operator full freedom to choose a vendor: whatever vendor the operator uses, its end users would not see any disruption in services when moving from one vendor's equipment to another. It also increases the competition between vendors. Secondly, a global standard helps remove the separation between the various players, like operators and vendors, involved in providing services to the end users. As an example, with no separation, a semiconductor chip maker will have one larger market, and the larger the market, the larger its user base. This helps reduce the overall cost of production, and the company can achieve high profits at the lowest price levels. So the main target behind the evolution of core networks is to provide affordable and reliable communications networks to the users.

In the standardization process of the EPC, various bodies like 3GPP2 (Third Generation Partnership Project 2), the Internet Engineering Task Force (IETF), the WiMAX Forum and the Open Mobile Alliance (OMA) took part very actively. “3GPP ‘owns’ the EPS specifications and refers to IETF and occasionally OMA specifications where necessary, while 3GPP2 complements these EPS specifications with their own documents that cover the impact on EPS and 3GPP2-based systems. WiMAX forum also refers to 3GPP documentation where appropriate for their specification work” [1].

1.3 Objectives set by 3GPP for EPC

The three main promises made by 3GPP for the development of SAE or EPC were to deliver:

A new core network architecture to support high data rates and reduced latency over a time frame of the next 10 years, to ensure the competitiveness of the 3GPP systems

Support for mobility between multiple heterogeneous access systems, e.g. between 3GPP and 3GPP2 systems or between 3GPP and WiMAX

An all-IP architecture, to enhance the capability of 3GPP systems to cope with rapid growth in IP data traffic

2. EPC architecture

Before going into the details of the EPC architecture, we briefly look at the high-level perspective of the complete system as defined in the SAE work item. It is called the EPS architecture. EPS stands for Evolved Packet System, which represents the all-IP network and contains both EPC and LTE. It consists of different domains, and each domain in turn consists of logical nodes. These nodes interwork with each other to perform a specific set of functions. The basic network which implements the 3GPP specification is shown in figure 2.

[Figure 2- Architecture Domains by 3GPP. RAN domains: GSM/GPRS, WCDMA/HSPA, LTE, Non-3GPP. Core network domains: Circuit core domain, User domain, Packet core domain, IMS domain. Also shown: CS networks, IP networks]

[1] Olsson, M., Sultana, S., Frid, L. & Mulligan, C. (2009). SAE and Evolved packet core: Driving the mobile broadband revolution. Oxford, UK: Elsevier Ltd.

As shown in figure 2, there are four domains. The first, GSM/GPRS, represents the 2G technology domain, whereas the second, WCDMA/HSPA (Wide CDMA / High Speed Packet Access), represents the 3G or 3.5G RAN (radio access network). The third, LTE (Long Term Evolution), is the latest domain specified by 3GPP, and the fourth, the Non-3GPP domain, consists of access networks, e.g. WiMAX and WLAN, which are not specified by 3GPP but by other standardization bodies like 3GPP2 and IEEE. All four domains are connected to the packet core domain (EPC). The core network also consists of four basic domains: the circuit core domain, the user domain, IMS (IP Multimedia Subsystem) and the packet core domain. The circuit core domain is linked to GSM/GPRS and WCDMA/HSPA; it supports and provides the circuit-switched services in 2G and 3G technologies. The packet core domain provides IP services over GSM, WCDMA/HSPA, LTE and Non-3GPP technologies, while the user domain provides complete, up-to-date user information on request. It maintains the database that supports roaming mobility of subscribers, whether they are moving within a single network or between different networks. The IMS supports services based on the Session Initiation Protocol (SIP). Since IMS supports IP services, it uses IP connectivity with the packet core domain to use the functions provided by its nodes.

Now we turn our attention to the EPC architecture. The EPC architecture consists of the packet core domain and the user domain. Figure 3 shows the basic architecture of the EPC for LTE.

[Figure 3- Basic EPC architecture for LTE. Nodes: Mobile Device, eNODEB, MME, HSS, SGW, PDN-GW, Internet. Interface labels: S1, S5, S6, S11, SGi, CP, UP]

The packet domain consists of:

Mobility management equipment (MME)

Serving Gateway (SGW)

Packet data network gateway (PDN-GW)

The user domain has only one node, named the Home subscriber server (HSS).

The role and function of each component of the EPC are as follows:

2.1 Mobility Management Equipment

This node is responsible for the signalling exchanges between base stations and the core network and between the subscriber and the core network. The MME is not involved in air interface matters, so it is non-access stratum (NAS) signalling that is exchanged between the MME and the radio network. In brief, the MME performs the following basic tasks.

Authentication: When a subscriber attaches to the LTE network for the first time, that is, when it first comes under the coverage of an eNODEB, the eNODEB helps exchange information between the subscriber and the MME through its S1-CP (S1 control plane) interface with the MME. The MME, which is connected to the HSS through the S6 interface, then requests the authentication information from the HSS and authenticates the subscriber. After authentication, it forwards the encryption keys to the eNODEB so that the data and signalling exchanged between the eNODEB and the subscriber over the air interface can be ciphered.

Establishment of bearers: The MME deals with control data rather than user data. To establish a bearer, it communicates with the other entities of the core network (SGW and PDN-GW) to set up a user IP tunnel between a mobile subscriber and the Internet. It also helps select a gateway router if there is more than one in the network.

NAS mobility management: When there is no communication between a mobile device and the radio network for a defined amount of time, the network releases the connection and resources between the subscriber and the radio network. Within the same tracking area (TA), the subscriber can then move freely between different base stations without notifying the MME. This saves the battery power of the mobile device and helps reduce signalling traffic in the network. If data arrives from the Internet for this device, the MME sends a paging message to every eNODEB in the same tracking area; the mobile device responds to the paging message and the connection is re-established.

Interworking support: When a mobile device reaches the boundary of LTE coverage, the eNODEB decides on the suitable cell or network (GSM or UMTS) for the device. The MME continuously communicates with the other core network components of GSM, UMTS and CDMA to support the traffic.

Handover support: In some cases no X2 interface is available between two eNODEBs. When a mobile device moves from one such eNODEB to the other, the two eNODEBs exchange messages with each other through the MME.

Supporting traditional services like voice and messages: As LTE is a pure IP network, it must remain compatible with GSM and UMTS to support voice and other services. The MME maps these services from GSM or UMTS to LTE. Details of how it supports them are provided in the section on major services of EPC.
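
The authentication task described above, as an added Python sketch that is not from the report or from any 3GPP code: the MME fetches a challenge and expected response from the HSS, challenges the subscriber, and hands the session key to the eNODEB only after the response matches. HMAC-SHA-256 stands in for the operator's real key-derivation functions, the token with which the network proves itself to the subscriber is omitted, and the class names, IMSI and keys are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _prf(k: bytes, label: bytes, rand: bytes) -> bytes:
    """Stand-in key-derivation function (assumption: not the real algorithm)."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthVector:
    rand: bytes         # challenge sent to the subscriber
    xres: bytes         # response the HSS expects
    session_key: bytes  # key the eNODEB will use for ciphering


class HSS:
    """Holds the permanent key K per IMSI; K itself never leaves this node."""

    def __init__(self, subscribers):
        self._k = dict(subscribers)

    def auth_info(self, imsi):
        k = self._k.get(imsi)
        if k is None:
            return None
        rand = os.urandom(16)
        return AuthVector(rand, _prf(k, b"RES", rand)[:8], _prf(k, b"KEY", rand))


class SIM:
    """Subscriber side: shares K with the HSS and answers the challenge."""

    def __init__(self, imsi, k):
        self.imsi, self._k, self.session_key = imsi, k, None

    def respond(self, rand):
        self.session_key = _prf(self._k, b"KEY", rand)
        return _prf(self._k, b"RES", rand)[:8]


class ENodeB:
    def __init__(self):
        self.keys = {}  # IMSI -> key used on the air interface

    def install_key(self, imsi, key):
        self.keys[imsi] = key


class MME:
    def __init__(self, hss, enb):
        self.hss, self.enb = hss, enb

    def attach(self, sim) -> bool:
        vec = self.hss.auth_info(sim.imsi)   # request to the HSS (S6 interface)
        if vec is None:
            return False                     # unknown subscriber
        res = sim.respond(vec.rand)          # NAS exchange relayed over S1-CP
        if not hmac.compare_digest(res, vec.xres):
            return False                     # wrong key: no bearer, no air key
        self.enb.install_key(sim.imsi, vec.session_key)
        return True


if __name__ == "__main__":
    imsi, k = "001010000000001", bytes(range(16))   # constructed test values
    hss, enb = HSS({imsi: k}), ENodeB()
    print("genuine SIM attached:", MME(hss, enb).attach(SIM(imsi, k)))
    print("cloned IMSI, wrong K:", MME(hss, ENodeB()).attach(SIM(imsi, b"\x00" * 16)))
```

The MME only ever handles the per-attach vector, so compromising it or the eNODEB does not expose the subscriber's permanent key.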

2.2 Serving gateway (SGW)

The basic function of the serving gateway is to manage the user IP tunnels between the eNODEB and the packet data network gateway. The serving gateway is connected to the eNODEB through S1-UP (S1 user interface) and to the PDN gateway through the S5-UP interface. The S1 and S5 tunnels for an individual user are independent of each other and can be modified as required. The SGW is connected to the MME through the S11 interface, which is used to create and modify the tunnels. The S11 interface uses GTP-C (GPRS tunnelling protocol-control) to transfer the messages sent by the MME to the SGW. In the standard, MME and SGW are defined independently, but these entities can be implemented on the same or on different network nodes, depending on the operator's choice. This allows the wireless standardization bodies to work on the signalling traffic and user traffic independently. This was done because additional signalling increases the load on the processors which process the signalling traffic, while rising user traffic demands more network interfaces and routing capacity.

2.3 Packet data network gateway (PDN-GW)

The functions of PDN-GW are as follows:

This is the gateway to the Internet. It connects to the SGW through the S5-UP interface and to the Internet through the SGi interface. In the forward direction, it takes user data packets from the SGW and transfers them to the Internet through the SGi interface. In the backward direction, data packets are encapsulated into an S5 GTP tunnel and forwarded to the SGW which is responsible for the intended user.

The PDN gateway is also responsible for assigning IP addresses to mobile devices. This happens when a subscriber switches on his/her mobile device. The mobile device sends its request to the eNODEB, which forwards it to the MME over S1-CP. The MME, after authentication, requests an IP address from the PDN gateway over a control plane protocol. If the PDN gateway approves the request, it sends the assigned IP address back to the MME. The MME forwards it to the eNODEB, and the eNODEB forwards it to the subscriber. Multiple IP addresses can be assigned to a single mobile device. This happens when a subscriber uses multiple services provided by the operator's network, such as the IP multimedia subsystem.

It plays an important role in international roaming scenarios. A roaming interface is used to connect the GSM/GPRS, UMTS/HSPA or LTE networks of different network operators in different countries. For example, if a subscriber has moved to another country and wants to connect to the Internet, the foreign network queries the user database in the home network for authentication purposes. After authentication a bearer is established and a GTP user tunnel is created between the SGW of the visited network and the PDN-GW of the subscriber's home network over an interface called S8.
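
The tunnel handling described in sections 2.2 and 2.3, as an added Python sketch (not code from the report): the PDN-GW wraps a downlink IP packet in a GTP user-plane header for the S5 tunnel, and the SGW validates it, looks up the tunnel endpoint identifier (TEID) and re-wraps the packet for the independent S1 tunnel, dropping anything that does not belong to a bearer it created. The header layout is the standard 8-byte GTPv1-U one; the ServingGateway class, TEID values, addresses and sample packet are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

G_PDU = 0xFF  # GTP-U message type that carries a user IP packet

# Constructed 24-byte IPv4/UDP-style packet (checksum left at zero).
SAMPLE_IP_PACKET = bytes.fromhex("4500001800000000401100 00c63364070a2d0002".replace(" ", "")) + b"data"


def gtpu_encap(teid: int, inner: bytes) -> bytes:
    """Prefix a user IP packet with the 8-byte mandatory GTPv1-U header."""
    flags = 0x30  # version 1, protocol type GTP, no optional fields
    return struct.pack("!BBHI", flags, G_PDU, len(inner), teid) + inner


def gtpu_decap(frame: bytes) -> Tuple[int, bytes]:
    """Validate a G-PDU and return (TEID, inner IP packet)."""
    if len(frame) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1-U")
    if msg_type != G_PDU:
        raise ValueError("not a G-PDU")
    if length != len(frame) - 8:
        raise ValueError("length field does not match frame size")
    start = 8
    if flags & 0x07:  # E, S or PN set: 4 optional bytes follow the TEID
        if length < 4 or frame[11] != 0:
            raise ValueError("extension headers are not handled here")
        start = 12
    return teid, frame[start:]


class ServingGateway:
    """Maps each S5 downlink TEID to the S1 leg (eNODEB address, S1 TEID)."""

    def __init__(self):
        self._downlink = {}
        self.dropped = 0

    def create_bearer(self, s5_teid: int, enb_addr: str, s1_teid: int) -> None:
        self._downlink[s5_teid] = (enb_addr, s1_teid)

    def modify_s1(self, s5_teid: int, enb_addr: str, s1_teid: int) -> None:
        """Move only the S1 leg (e.g. after handover); the S5 leg is untouched."""
        if s5_teid not in self._downlink:
            raise KeyError("no bearer for this S5 TEID")
        self._downlink[s5_teid] = (enb_addr, s1_teid)

    def relay_downlink(self, frame: bytes) -> Optional[Tuple[str, bytes]]:
        """Return (eNODEB address, S1 frame), or None if the frame is dropped."""
        try:
            teid, inner = gtpu_decap(frame)
        except ValueError:
            self.dropped += 1
            return None
        leg = self._downlink.get(teid)
        if leg is None:          # TEID this SGW never allocated: drop
            self.dropped += 1
            return None
        enb_addr, s1_teid = leg
        return enb_addr, gtpu_encap(s1_teid, inner)


if __name__ == "__main__":
    sgw = ServingGateway()
    sgw.create_bearer(0x1001, "192.0.2.10", 0x2001)
    print(sgw.relay_downlink(gtpu_encap(0x1001, SAMPLE_IP_PACKET)))
    sgw.modify_s1(0x1001, "192.0.2.20", 0x2002)
    print(sgw.relay_downlink(gtpu_encap(0x1001, SAMPLE_IP_PACKET)))
    print(sgw.relay_downlink(gtpu_encap(0x9999, SAMPLE_IP_PACKET)), sgw.dropped)
```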

2.4 Home subscriber server (HSS)

HSS is a database that stores the information of each and every user in the network. It also performs the authentication and authorization of the users and of the services provided to them. In UMTS and GSM, the database is referred to as the Home Location Register (HLR). In LTE, a protocol named DIAMETER is used to exchange information between the MME and the HSS on the S6a interface. In practice, HSS and HLR are physically combined so that seamless roaming is possible between different radio access networks. The HSS stores user parameters such as the IMSI; authentication information to authenticate the subscriber; circuit-switched properties, e.g. the user's telephone number and the services the user is allowed to use (SMS, call forwarding etc.); the identity of the current MSC, so that incoming circuit-switched calls can be routed correctly; the ID of the MME or SGSN, which is used to notify these nodes (MME or SGSN) when the user's HSS profile is updated; and packet-switched properties such as the Access Point Name (APN) the subscriber is allowed to use, which in turn references the properties of a connection to the Internet or another external packet data network.

3. Interworking with 2G and 3G technologies

The deployment of LTE networks is still at a very early stage, so it is imperative that LTE be connected to 2G and 3G technologies to provide complete services such as voice. Take the case of a user who makes a call in LTE coverage and then moves out of LTE coverage: the call should not be disconnected. So for LTE deployment, interworking with existing access networks supporting IP connectivity becomes crucial. The EPS architecture provides two distinct solutions to address this problem. The first is LTE interworking with GSM or WCDMA access technologies, and the second is interworking with CDMA access technologies. Both are discussed briefly below.

3.1 Interworking between LTE and GSM or WCDMA networks

3GPP has defined two different solutions for interworking between LTE and GSM or WCDMA access networks. Before discussing them, recall that a terminal that connects to LTE is served by the MME, while a terminal that connects to GSM or WCDMA is served by the SGSN (Serving GPRS Supporting Node).

In the first solution, the SGSN connects to the GSM or WCDMA networks over Gb interfaces. The MME and PDN-GW nodes of the LTE network act as an SGSN and a GGSN respectively. The SGSN treats the MME and PDN-GW just like another SGSN and GGSN and connects to them over the Gn interface. The following diagram shows how the LTE network is connected to GSM or WCDMA networks.

[Figure 4- Interworking of LTE with GSM or WCDMA networks. Nodes: GSM, WCDMA, SGSN, GGSN, HLR, HSS, LTE eNODEB, MME, SGW, PDN, External Networks. Interface labels: Gb, Iu, Gn, Gr, S6a, S1-MME, S10, S11, S5/S8, SGi. Legend: Signalling, Voice/Data]

The EPC architecture supports an IP session which is established over any access network. This is also referred to as session continuity. “This is done by retaining a stable IP anchor point in the network which allows for not having to change the IP address of the device at all” [2].

To make this solution work, the SGSN must distinguish between a terminal that can attach to GSM or WCDMA access networks only, i.e. it cannot move to LTE, and a terminal that can connect to LTE but is currently attaching to GSM or WCDMA networks due to lack of LTE coverage. The latter terminal must always use the PDN-GW as the anchor point. It cannot use the GGSN for that because there is no logical connection between LTE and the GGSN. The SGSN uses the APN (Access Point Name) to choose either the GGSN or the PDN-GW as the IP anchor point for a terminal. The APN is part of the configuration data related to a user subscription, so terminals which support the LTE radio access network should be configured with an APN that is associated with the PDN-GW. This helps the SGSN make the correct decision and ensures that terminals that support the LTE radio access network use the PDN-GW as their IP anchor point, not the GGSN.

[2] Olsson, M., Sultana, S., Frid, L. & Mulligan, C. (2009). SAE and Evolved packet core: Driving the mobile broadband revolution. Oxford, UK: Elsevier Ltd.

Another critical part of the solution is to provide a single set of user and subscriber data. When a terminal moves between different radio access networks, there should not be any inconsistent information in the network about which access network a specific terminal is attached to. In a GSM or WCDMA network, the SGSN is connected to the HLR through the Gr interface, and in an LTE network, the MME is connected to the HSS over the S6 interface. So, for this solution, HLR and HSS need either to share a single set of data or to ensure consistency through other means, such as close interaction between the two entities. The 3GPP specification avoids the problem by defining the HLR as a subset of the HSS in later versions of the LTE standards.

In the second solution, the SGSN introduces four new interfaces: S3, S4, S16 and S6d. S3, S4 and S16 rely on an updated version of GTP (Gateway Tunnel Protocol), referred to as GTPv2. Figure 5 shows the details of this solution.

[Figure 5- Interworking of LTE with GSM or WCDMA networks by GTPv2. Nodes: GSM, WCDMA, SGSN, HSS, LTE eNODEB, MME, SGW, PDN, External Networks. Interface labels: Gb, Iu, S3, S4, S16, S6d, S6a, S1-MME, S1-U, S10, S11, S5/S8, SGi. Legend: Signalling, Voice/data]

The S3 interface is a signalling-only interface used to support inter-system mobility between MME and SGSN. S16 is an SGSN-SGSN interface. The S4 interface connects the SGW and the SGSN. The fourth interface, S6d, is like the MME's S6a interface towards the HSS and is used to retrieve the subscriber data. The protocol used on the S6d interface to exchange messages is IETF's DIAMETER protocol.

In this solution, the connection between the SGSN and the SGW creates a common anchor point for LTE, GSM or WCDMA in the SGW. Regardless of the access network used, all traffic related to a particular roaming subscriber passes through a common point in the network. This allows the visited network's operator to control and monitor the traffic in a consistent way. On a careful look, the user traffic needs to pass through one additional network node on its way to the PDN-GW, which can be considered a drawback of this solution. For WCDMA networks, however, a solution is available to address this problem: the RNC (Radio Network Controller) of WCDMA can be directly connected to the SGW through the S12 interface. In that case, the SGSN handles only the control signalling for WCDMA networks, not their user traffic.

3.2 Interworking with LTE and CDMA networks

As the EPC was being developed by 3GPP under the framework of SAE, strong efforts were made to design a solution for interworking between LTE and the CDMA technologies developed by 3GPP2, to allow smooth handover between these different technologies. Figure 6 shows the interworking of LTE and 1x/1x EVDO (eHRPD, which stands for enhanced high rate packet data) networks. The figure includes only the details of the CDMA network relevant to the SAE framework.

[Figure 6- Interworking of LTE with CDMA networks. Nodes: eNODEB, MME, SGW, PDN-GW, PCRF, HSS, AAA, HSGW, eHRPD, External Networks. Interface labels: S1-C, S1-U, S10, S5/S8, S6a, S6b, SGi, Gx, Gxa, Gxc, S2a, STa, SWx, S101, S102, S103]

To provide the interworking between LTE and CDMA, 3GPP defined a number of additional interfaces in the EPC architecture. The interfaces S101, S102 and S103 are unique to CDMA networks and are used to provide optimal performance during handover. The interfaces S2a, Gxa and STa are generic and may be used for any non-3GPP access network.

For efficient interworking between LTE and CDMA, there should be a common set of subscriber data, used for authentication and for locating the user, i.e. knowing which network the user is currently attached to. For this purpose, the HSS should be allowed to act as a common database for all subscription data. In 3GPP2, if a terminal attaches over an eHRPD network, its access authentication is handled by mechanisms based on IETF's AAA (Authentication, Authorization and Accounting) functionality. For this purpose, the eHRPD network is connected to the 3GPP AAA server over the STa interface. In real-life implementations, AAA can be a software feature inside the HSS or a separate entity connected to the HSS over the SWx interface. The PDN-GW is also connected to the AAA server, over the S6b interface, to retrieve certain subscription data. It also uses this interface to store information about which PDN-GW the user is connected to, so that when the user moves and attaches over LTE, the MME is able to select the same PDN-GW as was used in the eHRPD network and the IP session can be maintained. The user data between the eHRPD serving gateway (HSGW) and the PDN-GW, which also acts as a common anchor point for the eHRPD network, is transported over the S2a interface via the PMIPv6 protocol. To apply common policies in the eHRPD network, the EPC architecture also allows for a common policy controller (PCRF), connected over a Gxa interface to the HSGW.

In addition to the core interfaces, three interfaces, S101, S102 and S103, were defined to support LTE - eHRPD interworking. The S101 interface, between MME and eHRPD, is used when a packet data handover between the LTE and eHRPD networks is to take place. Before the handover, the terminal pre-registers itself in the visited network to reduce the perceived interruption time. This pre-registration and the actual handover signalling are carried over the S101 interface. The S102 interface, between MME and eHRPD, is used to support voice services in CDMA 1xRTT networks. “The S103 interface, between SGW and HSGW, is used to forward any IP packets destined to the terminal that happened to end up in SGW while the user terminal was executing the handover to eHRPD” [3]. This interface is used to further optimize the packet data handover performance. These packets can then be forwarded to the HSGW in the eHRPD network.

4. Major Services of EPC

The three major services provided by EPC are following:

3Olsson,M., Sultana, S., Frid, L. &Mulligan,C.(2009). SAE and Evolved packet core: Driving the mobile

broadband revolution. Oxford, UK: Elsevier Ltd.

Page 16: Intro to _evolved_packet_core_network

Page | 12

4.1 Data Services

EPC has a flat IP architecture. It is designed to support any application that depends on IP communication. In 4G communications, the radio access network (LTE) and the packet core network (EPC) have the role of providing complete IP communication between two end users. The IP-based applications that a mobile subscriber can access can be provided by the mobile operator, be accessible over the internet, or reside in a corporate IP network. Figure 7 shows, as an example, how an end user at a lower level accesses IP applications by using the IP services provided by EPC.

Figure 7- Application and services on mobile broadband [figure not reproduced; elements: Mobile Equipment (Application, IP, Radio), Gateway, Mobile Network, Application server (Application, IP); labels: application level communication, IP in point to point link, routing of IP packets]

In figure 7, all communication between the two end users is point to point (passing first through a gateway and then to the application server). The EPC architecture assures the subscriber that he/she can move while keeping the same IP address, within the same or a different radio access network.

4.2 Voice services

As EPC has a flat IP architecture, there is no dedicated channel to support voice services as there is in other radio access technologies, e.g. GSM. For the network operator, however, voice services have been the largest revenue generator. So in EPC two approaches are used to support voice services: either the existing circuit switched structure or IMS technology. IMS uses MMTel (Multimedia Telephony), developed by 3GPP, to support voice services.

Voice services supported by IMS technology: IMS uses the MMTel service for voice calls. As IMS has an IP architecture, it offers additional media components, such as video, alongside the voice component. In this way it adds value for the end user and is the best option for offering voice services under LTE coverage. 3GPP also defined single radio voice call continuity (SRVCC) to support the voice service. This comes into the picture when a caller who has made a call in the LTE network moves out to GSM or WCDMA.

Voice services supported by circuit switched technology: 3GPP has defined a function named circuit switched fallback (CSFB) for combining EPC supporting LTE with circuit switched services such as 3G services. CSFB is an alternative solution to IMS and SRVCC for providing voice services to LTE users. CSFB is based on the fact that LTE users are registered in the circuit switched domain when they are powered on and attaching to LTE. This is done through interaction between the MME and the MSC server in the circuit switched domain. There are two cases to consider. In the first case, a subscriber initiates a call in the LTE network and moves out of LTE to a GSM, UMTS or CDMA network. In this case, packet services can either be handed over to the GSM, UMTS or CDMA network, at a lower data rate, or be suspended until the voice call is completed. In the second case, an incoming call arrives for a subscriber’s device that is currently attached to LTE. In this case, the MSC requests paging in LTE through the interface between the MSC and the MME. After receiving the page, the mobile temporarily switches from LTE to the circuit switched domain. Once the call terminates, the mobile device attaches back to LTE.

4.3 Message services

Like voice services, message services in EPC use either an IP-based solution (SMS over IP, based on IMS) or the circuit switched technology that is normally used to deliver SMS over GSM and CDMA.

In the case of IMS, sending a message from server to client is transparent, and the message is treated just like an IP packet. No specific features are required in EPC for that.

In the case of circuit switching, the MME interacts with the MSC, which is connected to the messaging center via control channels in GSM or CDMA; through this interaction with the MME, the solution can be used for LTE. The messages are then included in NAS signalling messages (which run between the MME and the mobile device) and delivered to the destination subscriber. Note that this solution supports only SMS text services, because multimedia messages are based on IP.

Figure 8 shows the message service flow for both of the above solutions. The dotted lines represent SMS transmission using signalling interfaces, whereas the solid lines refer to messaging over IP.

Figure 8- Flow of message services via circuit and IP domain [figure not reproduced; elements: LTE, GSM/CDMA, Mobile device, MME, MSC, SGSN, SMSC, SAE Gateways, Messaging over IP application]

5. Major functions of EPC

5.1 Authentication and security

3GPP TS 33.401 divides the EPS security architecture into different groups and domains. Each domain has its own threats and security solutions. These domains are as follows and are shown in figure 9:

a. Network access security

b. Network domain security

c. User domain security

d. Application domain security

e. Visibility and configurability of security

Figure 9- Different security domains [figure not reproduced; elements: USIM, Mobile Terminal, E-UTRAN, EPC, Home Network, Services]

The security domains related to EPC are network access security and network domain security. We will discuss these briefly.

Network access security: Network access security means providing a user with secure access to EPS. UMTS introduced a new concept named mutual authentication, later developed further in LTE, in which the UE (User Equipment) and the network authenticate each other. In addition to mutual authentication, network access security includes protection of signalling traffic and user traffic. Here we look at the authentication and security process in E-UTRAN only (evolved universal terrestrial radio access network, the work item under which the 4G access network was developed) and at the role of EPC in it. Mutual authentication between the UE and the MME is based on the fact that both the USIM card (universal subscriber identity module) and the network have access to the same security key K. This key K is permanently stored in the USIM and in the HSS/AuC. In LTE networks, terminals can use the same SIM card that was in use in UMTS (i.e. the USIM). The key is not visible to the end user. During the authentication procedure, many keys are derived from key K, and these keys are used for ciphering and integrity protection of user plane and control plane traffic. The mechanism for authentication as well as key generation in E-UTRAN is called EPS authentication and key agreement (EPS AKA).

When a user attaches to EPS via E-UTRAN access, the MME sends the IMSI to the HSS. The HSS looks up the key K and a sequence number (SQN) associated with that IMSI. The HSS/AuC then uses cryptographic functions and key derivation functions to generate the EPS AV (EPS authentication vector). The EPS AV includes KASME, XRES (Expected Result), a network authentication token (AUTN), RAND, and ciphering and integrity keys (CK and IK). The HSS/AuC sends the EPS AV to the MME. Mutual authentication in E-UTRAN is performed using the parameters RAND, AUTN and XRES. The MME forwards the AUTN and RAND to the terminal via the eNODEB. The USIM in the terminal calculates its own version of AUTN using its own key K and SQN and then compares it with the AUTN received from the MME. If the two values are equal, the USIM has authenticated the network. The USIM then generates a response key (RES) by using cryptographic functions with key K and RAND as input parameters, and sends RES back to the MME. The MME authenticates the terminal by verifying that RES is equal to XRES. This completes the process of mutual authentication. Figure 10 shows the flow of these messages in brief.
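The EPS AKA exchange described above, as an added Python sketch that is not part of the original report. Assumptions: HMAC-SHA-256 stands in for the cryptographic and key derivation functions, AUTN is simplified to SQN plus a MAC, and the class and function names are hypothetical. It goes one step beyond the text by showing the USIM using the SQN to reject a replayed challenge.

```python
import hashlib
import hmac
import os


def _f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in for the AKA functions (ASSUMPTION: HMAC-SHA-256 with a label)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class AuthFailure(Exception):
    """Raised by either side when the peer fails authentication."""


class HssAuc:
    """Holds K and SQN per IMSI and builds EPS authentication vectors."""

    def __init__(self):
        self._subs = {}                          # IMSI -> [K, SQN]

    def provision(self, imsi: str, k: bytes) -> None:
        self._subs[imsi] = [k, 0]

    def make_av(self, imsi: str) -> dict:
        sub = self._subs[imsi]
        sub[1] += 1                              # fresh SQN for every vector
        k, sqn = sub[0], sub[1].to_bytes(6, "big")
        rand = os.urandom(16)
        # Simplified AUTN = SQN || MAC(K, RAND, SQN).
        autn = sqn + _f(k, b"MAC", rand, sqn)[:8]
        return {"RAND": rand, "AUTN": autn,
                "XRES": _f(k, b"RES", rand)[:8],
                "KASME": _f(k, b"KASME", rand, sqn)}


class Usim:
    """Terminal side: checks AUTN (network authentication), then answers RES."""

    def __init__(self, k: bytes):
        self._k, self._last_sqn = k, 0

    def respond(self, rand: bytes, autn: bytes):
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, _f(self._k, b"MAC", rand, sqn)[:8]):
            raise AuthFailure("AUTN mismatch: network does not know K")
        if int.from_bytes(sqn, "big") <= self._last_sqn:
            raise AuthFailure("stale SQN: replayed challenge")
        self._last_sqn = int.from_bytes(sqn, "big")
        return _f(self._k, b"RES", rand)[:8], _f(self._k, b"KASME", rand, sqn)


def mme_attach(hss: HssAuc, terminal, imsi: str):
    """MME role: fetch the AV, challenge the terminal, compare RES with XRES."""
    av = hss.make_av(imsi)                                     # IMSI -> HSS/AuC
    res, ue_kasme = terminal.respond(av["RAND"], av["AUTN"])   # via eNODEB
    if not hmac.compare_digest(res, av["XRES"]):
        raise AuthFailure("RES != XRES: terminal does not know K")
    return av, ue_kasme


if __name__ == "__main__":
    imsi, k = "001010000000001", bytes(range(16))   # constructed test values
    hss = HssAuc()
    hss.provision(imsi, k)
    av, ue_kasme = mme_attach(hss, Usim(k), imsi)
    print("mutual authentication ok, KASME agreed:", ue_kasme == av["KASME"])
```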

Figure 10- Flow of Authentication process messages [figure not reproduced; elements: Terminal, E-UTRAN, MME, HSS/AuC; message labels: Attach request; IMSI; KASME, AUTN, XRES, RAND; AUTN, RAND; RES]

Network domain security: When GSM was developed, it was controlled by a small number of large institutions, and threats to user traffic were not perceived at all. Because GSM is a circuit switched network, the interfaces and protocols it uses are specific to circuit switched networks, and only the big telecom operators have access to them. With the introduction of GPRS, however, an IP architecture was introduced, and user and control traffic now run over more open and accessible protocols. This created a need to secure the traffic. 3GPP developed specifications for how IP-based traffic is to be secured within a core network or between different core networks. These specifications are referred to as network domain security for IP-based control planes (NDS/IP). They introduced a new concept, the security domain, which is managed by a single administrative authority. This ensures that the level of security and the available security services remain the same within a security domain. An example of a security domain is the network of a single operator. Security gateways (SEGs) are placed on the border of security domains to protect the control plane traffic that passes in and out of the domain. All IP traffic from network entities is routed via SEGs before entering or exiting the network. The traffic between SEGs is protected via the IPsec protocol (IP security protocol). To set up the IPsec security sessions, Internet Key Exchange (IKE) protocols are used. This is shown in figure 11.

Figure 11- Example of two security domains by employing NDS/IP [figure not reproduced; elements: Security Domain A and Security Domain B, each with Network Entity A, Network Entity B and a SEG (SEG A, SEG B); legend: intra-domain IPsec SA, intra-domain IKE connection, inter-domain IPsec SA, inter-domain IKE connection]

The end-to-end path between two network entities in two security domains is protected hop by hop, because the operator may choose to use IPsec to protect the traffic between two network entities, or between a network entity and a SEG, within a single security domain.

5.2 Policy and charging control and QoS

On top of the EPS bearer, LTE can make use of an extensive policy management architecture. This architecture provides very fine control over users and the services it provides. The policy architecture is shown below in figure 12.

Figure 12- Policy architecture [figure not reproduced; elements: SPR, Application function, PCRF, PGW with PCEF, Online charging system, Offline charging system, External Networks; interfaces: Sp, Rx, Gx, SGi, Gy, Gz]

The subscription profile repository (SPR) contains information such as user-specific policies and data. The online charging system is a credit management system for prepaid charging. Network operators can offer prepaid billing and usage tracking in near real time. The policy enforcement function (PCEF) interacts with the offline charging system (which receives events from the PCEF and generates charging data records (CDRs) for the billing system) on the Gy interface to check credit and report credit status. The PCEF is located in the PDN-GW, which makes the PDN-GW a logical element to perform traffic management functions such as deep packet inspection. The PCEF enforces gating and QoS for individual IP flows on behalf of the PCRF. It also provides usage measurement to support charging. The PCRF (Policy and rule function) provides policy control and flow-based charging control decisions. It receives session information from the Application function (AF) over the Rx interface, subscription information from the SPR over the Sp interface, and information from the access network via Gx. It combines all this information with the configured operator policies and creates service session level policy decisions, which are enforced by the PCEF. The Application function here represents the network element that supports applications that require dynamic policy or charging control.

3GPP has defined an extensive ‘bearer model’ for EPS. Whenever user equipment attaches to an LTE network, LTE assigns a bearer to the UE for communication. “An EPS bearer is the level of granularity for bearer level QoS control in the EPC/E-UTRAN. The decision to establish or modify a dedicated bearer can only be taken by the EPC, and the bearer level QoS parameter values are always assigned by the EPC. The bearer levels per QoS parameters are QCI (QoS class identifier), ARP (Allocation and Retention Priority), GBR (Guaranteed Bit Rate), MBR (Maximum Bit Rate), and AMBR (Aggregate Maximum Bit Rate)”4. According to this model, services can be allocated a particular bearer, and each EPS bearer is assigned one QCI. The QCI defines parameters such as bit rate, packet loss and delay. Figure 13 depicts the EPS bearer model:

Figure 13- EPS bearer model [figure not reproduced; elements: UE, E-NODEB, SGW, two PDN-GWs, Corporate network, Internet, IMS operator services; bearer labels: Default QCI9, Dedicated QCI3, Dedicated QCI2, Dedicated QCI1; APN labels: APN1, APN 2, APN 3]

In figure 13, the EPS bearer assigned for voice has QCI 1, which means a dedicated bit rate, 100 ms delay, 10^-2 packet loss and priority 2 in the overall model. In total, three different QCI classes are specified in EPS, and in most cases operators prefer the first class, i.e. signalling, voice and data.

4 Farooq Bari, SAE and Evolved Packet core, Seattle communications (COM-19) society chapter, 2009, http://www.ee.washington.edu/research/ieee-comm/event_nov_13_2008_files/IEEE%20-%20SAE%20and%20Enhanced%20Packet%20Core.pdf.

5.3 Packet routing

On the IP transport layer, the SGW acts as a packet router. User plane packets are forwarded transparently in the uplink and downlink directions, and their underlying transport units are marked by the SGW with parameters such as the DiffServ code point, based on the QoS indicator of the associated EPS bearer.

5.4 Mobility management

In LTE, mobility management can be divided according to the mobility state of the user equipment. The states are LTE_detached, LTE_IDLE and LTE_ACTIVE. If the UE is in the LTE_ACTIVE state, it is registered with the MME and has an RRC (Radio resource control) connection with the eNODEB. The HSS has very clear information about which cell the UE belongs to, and the MME can transmit data to and receive data from the UE after getting location information from the home subscriber server via the eNODEB. In the second state, LTE_IDLE, the UE has no air-interface connection with the eNODEB, which saves battery power and reduces signalling traffic to the MME. It can change its cell within the same tracking area without informing the EPC. From a logical point of view, the connection is still established and all logical bearers remain in place. This means that the IP address allocated to the UE by the PDN-GW remains in place in case the mobile device wants to send an IP packet. When an IP packet arrives for a UE in the IDLE state, it can be routed through the core network up to the SGW. But as the SGW has no S1 user data tunnel, it requests the MME to re-establish the tunnel. The MME, on the other hand, knows only the tracking area (TA). It sends a paging request to every cell of the TA. The eNODEB forwards that message to the mobile device over the air interface, and when the mobile device responds to the paging message, the S1 tunnel is re-established. The MME contacts the SGW via the S11 interface, and the SGW then forwards the waiting IP packets to the mobile device.

5.5 IP address allocation

In LTE-EPC networks, at a basic level, one of the following ways is used to allocate IP addresses to the user equipment:

- If the UE is in its home network, its local HPLMN (home public land mobile network) allocates the IP address when the default bearer is established
- If the UE is in a visitor network, the VPLMN (visitor public land mobile network) allocates the IP address when the default bearer is established
- The PDN operator allocates the IP address to the UE when the default bearer is activated

In an LTE-EPC network, the packet data network (PDN) types IPv4, IPv6 and IPv4v6 are supported. An EPS bearer of PDN type IPv4v6 may be associated with one IPv6 prefix only or with both an IPv4 address and one IPv6 prefix. An EPS bearer of PDN type IPv4 or IPv6 is associated with an IPv4 address or an IPv6 prefix respectively. During PDN connection establishment, the UE sets the requested PDN type, which may be pre-configured in the device per APN; otherwise it sets the PDN type based on its IP stack configuration, i.e. if the UE supports both IPv6 and IPv4 it can request PDN type IPv4 and IPv6, if the UE supports only IPv4 or only IPv6 it can request IPv4 or IPv6 respectively, and if the UE’s IP version capability is unknown it can request IPv4v6.

In EPC, the HSS stores one or more PDN types per APN in the subscription data. During the PDN connection establishment procedure, the MME compares the requested PDN type with the PDN type stored in the HSS and sets the PDN type as follows:

- If the requested PDN type is allowed by the HSS, the MME sets the PDN type as requested
- If the UE requests PDN type IPv4v6 and the subscription allows IPv4 only, the MME sets the PDN type to IPv4 and sends the reason back to the UE. The procedure is the same when only IPv6 is allowed
- If the subscription data of the UE does not allow any PDN type, the request sent by the UE is rejected by the MME
- If the UE requests PDN type IPv4v6 and both the IPv4 and IPv6 PDN types are allowed but not IPv4v6, the MME shall set the PDN type to IPv4 or IPv6

The PDN-GW also plays a role during allocation. It may restrict the usage of PDN type IPv4v6, as follows:

- If the UE sends a request for PDN type IPv4v6 but the PDN-GW operator preferences dictate the use of IPv4 addressing only or IPv6 prefix only for this APN, the PDN type is changed to a single address type, i.e. either IPv4 or IPv6, and a reason cause shall be returned to the UE
- If the MME does not set the dual address bearer flag to support interworking with nodes and the UE requests PDN type IPv4v6 from the PDN-GW, the PDN type is changed to a single version and a reason shall be returned to the UE
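The MME and PDN-GW rules listed above, combined into one decision function as an added Python example that is not part of the original report. Assumptions: the function names, the reason strings and the `prefer` operator setting (used where the text leaves the choice between IPv4 and IPv6 open) are hypothetical, and a single-stack request outside the subscription is treated as rejected.

```python
from enum import Enum
from typing import Optional


class Pdn(Enum):
    IPV4 = "IPv4"
    IPV6 = "IPv6"
    IPV4V6 = "IPv4v6"


SINGLE = {Pdn.IPV4, Pdn.IPV6}


def mme_select(requested: Pdn, subscribed: set, prefer: Pdn = Pdn.IPV4):
    """MME step: compare the requested type with the HSS subscription.

    Returns (granted type or None, reason or None).
    """
    if not subscribed:
        return None, "rejected: no PDN type allowed by subscription"
    if requested in subscribed:
        return requested, None
    if requested is Pdn.IPV4V6:
        allowed = subscribed & SINGLE
        if len(allowed) == 1:
            only = next(iter(allowed))
            return only, f"{only.value} only allowed"
        # Both IPv4 and IPv6 subscribed, but not IPv4v6: pick one of them.
        return prefer, "single address bearers only"
    # ASSUMPTION: a single-stack request outside the subscription is rejected.
    return None, "rejected: requested PDN type not subscribed"


def pgw_restrict(granted: Pdn, apn_single: Optional[Pdn],
                 dual_address_flag: bool, prefer: Pdn = Pdn.IPV4):
    """PDN-GW step: may narrow IPv4v6 down to a single address type."""
    if granted is not Pdn.IPV4V6:
        return granted, None
    if apn_single is not None:               # operator preference for this APN
        return apn_single, f"APN configured for {apn_single.value} only"
    if not dual_address_flag:                # MME did not set the flag
        return prefer, "dual address bearer flag not set"
    return granted, None


def establish(requested: Pdn, subscribed: set,
              apn_single: Optional[Pdn] = None, dual_address_flag: bool = True):
    """Run both steps; returns (final PDN type or None, reason sent to the UE)."""
    granted, reason = mme_select(requested, subscribed)
    if granted is None:
        return None, reason
    final, pgw_reason = pgw_restrict(granted, apn_single, dual_address_flag)
    return final, pgw_reason or reason


if __name__ == "__main__":
    print(establish(Pdn.IPV4V6, {Pdn.IPV4}))
    print(establish(Pdn.IPV4V6, {Pdn.IPV4V6}, dual_address_flag=False))
```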


Conclusion

The study of EPC, which was developed under a work item named SAE, makes clear that it is a major achievement by 3GPP and its partners. 3GPP achieved the three main objectives it set before the start of the SAE project in December 2004. The SAE work successfully delivered an evolved packet-only core for the next generation of mobile broadband access. Interworking with other access technologies such as GSM, UMTS and CDMA is another major breakthrough. Through interworking, the EPC network can be shared across a wide community. This also opens a path to global roaming: a user can now access and use services everywhere with his/her mobile equipment. The global uptake of a single technology assures more competition among equipment vendors and results in cost-efficient network equipment and solutions.


References

[1] Olsson, M., Sultana, S., Frid, L. & Mulligan, C. (2009). SAE and Evolved packet core: Driving the mobile broadband revolution. Oxford, UK: Elsevier Ltd.

[2] Sauter, Martin. (2011). From GSM to LTE: An Introduction to mobile networks and mobile broadband (pp. 205-274). West Sussex, UK: John Wiley & Sons.

[3] Bari, Farooq. (2009). SAE and Evolved Packet core, Seattle communications (COM-19) society chapter. Retrieved from http://www.ee.washington.edu/research/ieee-comm/event_nov_13_2008_files/IEEE%20-20SAE%20and20Enhanced%20Packet%20core.pdf.

[4] 3GPP, Technical Specification Group Services and System Aspects; Network Architecture (Release 9), TS 23.002.

[5] 3GPP, Technical Specification Group Services and System Aspects; System Architecture Evolution; Security Architecture (Release 11), TS 33.401.

[6] Brown, Gabriel (n.d.). Heavy Reading on behalf of Cisco: Evolved packet core & Policy Management for LTE. White paper, http://www.cisco.com/en/US/solutions/collateral/ns341/ns973/Cisco_LTE_Policy_Management_WP.pdf

[7] Alcatel-Lucent (2009): Introduction to Evolved Packet core: White paper, http://lte.alcatel-lucent.com/locale/en_us/downloads/wp_evolved_packet_core.pdf

[8] Fritze, Gerhard. (2008). SAE- The Core Network for LTE, Ericsson. Retrieved from http://www.3g4g.co.uk/Lte/SAE_Pres_0804_Ericsson.pdf.

[9] Motorola (2007): Long Term Evolution (LTE): A Technical overview: White Paper, Retrieved from http://www.motorola.com/web/Business/Solutions/Industry%20Solutions/Service%20Providers/Wireless%20Operators/LTE/_Document/Static%20Files/6834_MotDoc_New.pdf

[10] IP Address Allocation. (2012, 07 26). Retrieved from http://lte-epc.blogspot.com/2011/07/ip-address-allocation.html

[11] Jain, Raj. (2008). Wireless cellular architecture: 1G and 2G. Retrieved from http://www.cse.wustl.edu/~jain/cse574-08/ftp/j_fwan.pdf

[12] LTE SAE System Architecture Evolution (n.d.). Retrieved from http://www.radio-electronics.com/info/cellulartelecomms/lte-long-term-evolution/sae-system-architecture-evolution-network.php

[13] Rappaport, Theodore. (2002). Wireless Communication Principle and Practise. Upper Saddle River, NJ 07458: Prentice-Hall Inc.

[14] Kurniawan, Yousuf. The development of cellular mobile communication system. Retrieved from http://www.slideshare.net/yusuf_k/the-development-of-cellular-mobile-communication-system

[15] GSM Glossary. Retrieved from http://www.argospress.com/Resources/gsm/gsmbstatiocontro.htm