
Slide 1 (Hans Peter Schwefel, PhD Course: UMTS, Lecture 1, Fall 03)
PhD Course: UMTS and IP based mobile networks
Werner Mohr, Ljupco Jorguseski, and Hans-Peter Schwefel
Day 1: Architecture and Core Network Aspects (HPS)
Day 2: Radio Resource Management and Radio Planning (LJ)
Day 3: Radio Propagation (WM)
Day 4: W-CDMA & TD-CDMA (WM)
Day 5: Cell Structure & Outlook Beyond 3G (WM)
Organized by Ramjee Prasad

Slide 2: Content
1. Introduction: Cellular Concepts, GSM, GPRS
2. UMTS architecture & Components: Standardisation, Architecture
3. IP transmission in UMTS: PDP contexts, APNs, TFTs; Bearer and Parameters; Mobility Support
4. Security in UMTS: Basic requirements and threats; UMTS-AKA; Network Protection; Example: Overbilling attack

Slide 3: Intro: Cellular systems
– Geographic region subdivided into radio cells
– Base Station provides radio connectivity to the Mobile Stations within its cell
– Handover to a neighbouring base station when necessary
– Base Stations connected by some networking infrastructure

Slide 4: GSM: Global System for Mobile Communication
2nd Generation of Mobile Telephony Networks
History:
– 1982: Groupe Spécial Mobile (GSM) founded
– 1987: First standards defined
– 1991: Global System for Mobile Communication, standardisation by ETSI (European Telecommunications Standards Institute), the first European standard
– 1995: Fully in operation

Slide 5: GSM – Architecture
Components:
– BTS: Base Transceiver Station
– BSC: Base Station Controller
– MSC: Mobile Switching Center
– HLR/VLR: Home/Visitor Location Register
– AuC: Authentication Center
– EIR: Equipment Identity Register
– OMC: Operation and Maintenance Center
Transmission:
– Circuit switched transfer
– Radio link capacity: 9.6 kb/s (FDMA/TDMA)
– Duration based charging

Slide 6: GPRS: General Packet Radio Service
Packet switched extension of GSM
– 1996: new standard developed by ETSI
– Components integrated into the GSM architecture
Improvements:
– Packet-switched transmission
– Higher transmission rates on the radio link (multiple time slots)
– Volume based charging, which makes an 'always on' mode possible
Operation started in 2001 (Germany)

Slide 7: GPRS – Architecture
Components:
– CCU: Channel Coding Unit
– PCU: Packet Control Unit
– SGSN: Serving GPRS Support Node
– GGSN: Gateway GPRS Support Node
– GR: GPRS Register
Transmission:
– Packet based transmission
– Radio link: radio transmission identical to GSM; different coding schemes (CS1-4); use of multiple time slots
– Volume based charging

Slide 8: Universal Mobile Telecommunication System (UMTS)
– Currently standardized by the 3rd Generation Partnership Project (3GPP), see http://www.3GPP.org [North America: 3GPP2]
– So far, three releases: R'99, R4, R5
Modifications:
– New methods & protocols on the radio link, giving increased access bandwidth
– Coexistence of two domains in the core network: Packet Switched (PS) and Circuit Switched (CS)
– New services
– IP service infrastructure: IP Multimedia Subsystem (IMS) (R5)

Slide 9: UMTS Standardisation: 3GPP
– Collaboration agreement; partners: ARIB, CCSA, ETSI, T1, TTA, and TTC
– Technical work done in WGs
– Deliverables: Technical Reports / Technical Specifications; approval by consensus or vote; change control once sufficiently stable
– Inter-WG coordination: in TSGs; information exchange through Liaison Statements

Slide 10: UMTS Releases [figure not in transcript]

Slide 11: Time line of a Release – Example of Rel 99
[Figure: number of Change Requests against 3GPP Rel 99 specifications over time, with the points "feature content frozen", "release functionally frozen" and "release stable?" marked. Source: Siemens ICM]
Subsequent releases became stable more quickly (UTRAN was newly introduced in Rel 99).

Slide 12: UMTS Domains [figure not in transcript]

Slide 13: UMTS Network Domains
Radio Access Network
– Node B (base station)
– Radio Network Controller (RNC)
Mobile Core Network
– Serving GPRS Support Node (SGSN)
– Gateway GPRS Support Node (GGSN)
– Mobile Switching Center (MSC)
– Home/Visitor Location Register (HLR/VLR)
– Routers/switches, DNS server, DHCP server, RADIUS server, NTP server, firewalls/VPN gateways
Application/Services
– IP Multimedia Subsystem (IMS) [see Lecture 2]
Operation, Administration & Maintenance (OAM)
Charging Network
[Legal Interception]

Slide 14: UMTS Radio Access Network (UTRAN): architecture
– W-CDMA (Wideband Code Division Multiple Access) on the radio link
– Transmission rate theoretically up to 2 Mbit/s (realistically up to about 300 kb/s)

Slide 15: Content (outline repeated from slide 2; next section: 3. IP transmission in UMTS)

Slide 16: Transport of IP packets
IP packets are tunnelled through the UMTS network (GTP – GPRS Tunnelling Protocol; the user plane variant is GTP-U). User plane protocol stacks from terminal to application server [Source: 3GPP]:
– Terminal: Application / User IP (v4 or v6) / PDCP / RLC / MAC / L1, Uu interface towards UTRAN
– UTRAN: PDCP / RLC / MAC / L1 towards the terminal; relay to GTP-U / UDP/IP (v4 or v6) / AAL5 / ATM towards the SGSN, Iu-PS interface
– SGSN: GTP-U / UDP/IP / AAL5 / ATM towards UTRAN; relay to GTP-U / UDP/IP (v4 or v6) / L2 / L1 towards the GGSN, Gn interface
– GGSN: GTP-U / UDP/IP (v4 or v6) / L2 / L1 towards the SGSN; terminates the tunnel and forwards the user IP packet over L2 / L1 on the Gi interface
– Application Server: Application / IP (v4 or v6) / L2 / L1
The radio bearer carries the user IP packet between terminal and UTRAN; GTP-U tunnels carry it between UTRAN and SGSN and between SGSN and GGSN.

Slide 17: IP Transport: Concepts
PDP contexts (Packet Data Protocol)
– activation done by the UE before data transmission
– specification of APN and traffic parameters
– GGSN delivers the IP address to the UE
– set-up of bearers and mobility contexts in SGSN and GGSN
– activation of multiple PDP contexts possible
Access Point Names (APN)
– APNs identify external networks (logical Gi interfaces of the GGSN)
– At PDP context activation, the SGSN performs a DNS query to find the GGSN(s) serving the APN requested by the terminal. The DNS response contains a list of GGSN addresses from which the SGSN selects one address in round-robin fashion (for this APN).
Traffic Flow Templates (TFTs)
– set of packet filters (source address and subnet mask, destination port range, source port range, IPsec SPI, TOS (IPv4), Traffic Class (IPv6), Flow Label (IPv6))
– used by the GGSN to assign IP packets arriving from external networks to the proper PDP context
GPRS Tunnelling Protocol (GTP)
– For every UE, one GTP-C tunnel is established for signalling and a number of GTP-U tunnels, one per PDP context (i.e. session), are established for user traffic.

Slide 18: IP Transport: PDP Context & APNs [Source: 3GPP]
[Figure: Terminal – SGSN – GGSN, with three APNs on the GGSN towards ISP X, ISP Y and ISP Z]
– PDP Context X1 (APN X, IP address X, QoS 1) and PDP Context X2 (APN X, IP address X, QoS 2): same PDP (IP) address and APN, different QoS
– PDP Context Y (APN Y, IP address Y, QoS)
– PDP Context Z (APN Z, IP address Z, QoS)
– Downstream, the GGSN selects the PDP context based on the TFT
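The downstream classification described on slides 17 and 18 (several PDP contexts sharing one APN and IP address, the GGSN choosing among them by TFT) as an added worked example; this is not code from the lecture or from 3GPP. The filter components are the ones slide 17 lists; the "lowest evaluation precedence is tried first" ordering and the "a context without a TFT receives whatever no filter matched" fallback are my reading of 3GPP TS 24.008, and all addresses, ports and sample packets are constructed.

```python
"""Added example: downstream packet classification at a GGSN with Traffic
Flow Templates. Two PDP contexts share APN X and IP address X; the GGSN picks
the context for an incoming packet by evaluating the TFT packet filters.
Filter fields follow slide 17; precedence ordering and the no-TFT fallback are
taken from 3GPP TS 24.008 as I read it; all sample data is constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Downstream packet as seen on the Gi interface (dict of header fields, constructed).
Packet = Dict[str, object]


@dataclass
class PacketFilter:
    precedence: int                                     # lower value = evaluated first
    remote_net: Optional[ipaddress.IPv4Network] = None  # "source address + subnet mask" (remote side)
    protocol: Optional[int] = None                      # IP protocol number
    remote_ports: Optional[Tuple[int, int]] = None      # source port range (remote side)
    ue_ports: Optional[Tuple[int, int]] = None          # destination port range (UE side)
    tos: Optional[int] = None                           # IPv4 TOS byte
    spi: Optional[int] = None                           # IPsec SPI (ESP/AH only)

    def matches(self, pkt: Packet) -> bool:
        """Every component that is set must match; unset components are wildcards."""
        if self.remote_net is not None and ipaddress.ip_address(pkt["src"]) not in self.remote_net:
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.remote_ports is not None and not (self.remote_ports[0] <= pkt.get("sport", -1) <= self.remote_ports[1]):
            return False
        if self.ue_ports is not None and not (self.ue_ports[0] <= pkt.get("dport", -1) <= self.ue_ports[1]):
            return False
        if self.tos is not None and pkt.get("tos") != self.tos:
            return False
        if self.spi is not None and pkt.get("spi") != self.spi:
            return False
        return True


@dataclass
class PDPContext:
    name: str
    apn: str
    ue_ip: str
    qos: str
    filters: List[PacketFilter] = field(default_factory=list)  # empty list = no TFT


def classify_downstream(contexts: List[PDPContext], pkt: Packet) -> Optional[str]:
    """Return the PDP context that should carry pkt, or None if the GGSN discards it.

    Only contexts bound to the packet's destination (the UE's PDP address) are
    considered; their filters are evaluated in increasing precedence order.
    If no filter matches, the packet goes to the single context of that
    address that has no TFT, if there is exactly one.
    """
    same_addr = [c for c in contexts if c.ue_ip == pkt["dst"]]
    ranked = sorted(((f.precedence, i, c, f) for i, c in enumerate(same_addr) for f in c.filters),
                    key=lambda t: (t[0], t[1]))
    for _, _, ctx, flt in ranked:
        if flt.matches(pkt):
            return ctx.name
    no_tft = [c for c in same_addr if not c.filters]
    return no_tft[0].name if len(no_tft) == 1 else None


# Constructed sample: the UE holds 10.1.1.1 on APN X (two contexts) and
# 192.0.2.7 on APN Y (one context without TFT).
CONTEXTS = [
    PDPContext("X1", "apn-x", "10.1.1.1", "interactive"),   # no TFT: catches the rest for APN X
    PDPContext("X2", "apn-x", "10.1.1.1", "streaming", filters=[
        PacketFilter(precedence=10, remote_net=ipaddress.ip_network("203.0.113.0/24"),
                     protocol=17, ue_ports=(40000, 40001), tos=0xB8),   # RTP/RTCP from the media server
    ]),
    PDPContext("Y", "apn-y", "192.0.2.7", "background"),
]

# Constructed downstream packets arriving at the GGSN from external networks.
RTP_PKT = {"src": "203.0.113.10", "dst": "10.1.1.1", "proto": 17, "sport": 5004, "dport": 40000, "tos": 0xB8}
WEB_PKT = {"src": "198.51.100.20", "dst": "10.1.1.1", "proto": 6, "sport": 80, "dport": 51234, "tos": 0x00}
SPOOF_PKT = {"src": "198.51.100.20", "dst": "10.1.1.1", "proto": 17, "sport": 5004, "dport": 40000, "tos": 0xB8}
Y_PKT = {"src": "198.51.100.20", "dst": "192.0.2.7", "proto": 6, "sport": 443, "dport": 40000, "tos": 0x00}
UNKNOWN_PKT = {"src": "198.51.100.20", "dst": "10.9.9.9", "proto": 6, "sport": 443, "dport": 1, "tos": 0x00}

if __name__ == "__main__":
    for p in (RTP_PKT, WEB_PKT, SPOOF_PKT, Y_PKT, UNKNOWN_PKT):
        print(p["src"], "->", p["dst"], ":", classify_downstream(CONTEXTS, p))
```

SPOOF_PKT shows why the remote address component matters: a packet with the right ports and TOS but from the wrong network does not reach the streaming context X2; it falls back to X1, and a UE address with no TFT-less context would have it discarded.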

Slide 19: UMTS Data Transport: Bearer Hierarchy
Nodes along the path: TE – MT (together the User Equipment) – UTRAN/GERAN (RAN) – CN Iu Edge Node (3G SGSN) – CN Gateway (3G GGSN) – TE/AS
– End-to-End Service (IP Bearer Service), TE to TE/AS
  – TE/MT Local Bearer Service
  – UMTS Bearer Service, MT to CN Gateway
    – Radio Access Bearer Service, MT to CN Iu Edge Node
      – Radio Bearer Service (air interface, MT to UTRAN/GERAN), over the Physical Radio Service
      – Iu Bearer Service (UTRAN/GERAN to CN Iu Edge Node), over the Physical Bearer Service
    – CN Bearer Service, CN Iu Edge Node to CN Gateway, over the Backbone Bearer Service
  – External Bearer Service, CN Gateway to TE/AS

Slide 20: UMTS Bearer: Traffic Classes (Source: TS 23.107, V5.2.0)
[Table of traffic classes not in transcript]
Selected Traffic/QoS Parameters: Maximum Bitrate (kb/s), Guaranteed Bitrate (kb/s), Source statistics descriptor ('speech', 'unknown'), Transfer delay (ms), SDU error ratio, Maximum SDU size (bytes)

Slide 21: UMTS Bearer: Parameters (Source: TS 23.107, V5.2.0)
Selected Traffic/QoS Parameters:
– Maximum Bitrate (kb/s): token bucket with bucket size = MaxSDUsize and token rate = Maximum Bitrate
– Guaranteed Bitrate (kb/s): token bucket with bucket size = k * MaxSDUsize and token rate = Guaranteed Bitrate; k = 1 in Rel. 99. Note: for speech traffic, Maximum Bitrate = Guaranteed Bitrate (TS 25.413)
– Source statistics descriptor ('speech', 'unknown'): could be used to compute effective bandwidths (multiplexing gain)
– Transfer delay (ms): limit on the 95th percentile of the delay distribution of all delivered SDUs
– SDU error ratio: fraction of lost or detected erroneous SDUs
– Maximum SDU size (bytes)
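The parameter definitions on slide 21 are precise enough to check a traffic trace against, so here is an added example that does exactly that: the two token buckets (bucket size MaxSDUsize for the Maximum Bitrate, k * MaxSDUsize for the Guaranteed Bitrate), the 95th-percentile transfer delay over delivered SDUs, and the SDU error ratio. This is my own code, not the lecture's or 3GPP's; the bearer values and the three SDU traces are constructed for the illustration and are not taken from TS 23.107.

```python
"""Added example: check an SDU trace against the bearer parameters of slide 21
(token buckets for Maximum and Guaranteed Bitrate, 95th-percentile transfer
delay, SDU error ratio). Bearer values and traces are constructed."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SDU:
    t_in: float             # time the SDU enters the bearer, seconds
    size: int               # bytes
    t_out: Optional[float]  # delivery time in seconds, None if lost
    corrupt: bool = False   # delivered but detected erroneous


@dataclass
class BearerQoS:
    max_bitrate_kbps: float
    guaranteed_bitrate_kbps: float
    max_sdu_size: int         # bytes
    transfer_delay_ms: float  # limit on the 95th percentile of delivered SDUs
    sdu_error_ratio: float    # allowed fraction of lost or erroneous SDUs
    k: int = 1                # bucket-size factor for the guaranteed bitrate (k = 1 in Rel. 99)


def token_bucket_violations(sdus: List[SDU], rate_kbps: float, bucket_bytes: int) -> List[int]:
    """Indices of SDUs that do not conform to a token bucket.

    Tokens (bytes) refill continuously at rate_kbps and are capped at
    bucket_bytes; a conforming SDU consumes size tokens, a non-conforming SDU
    is recorded and consumes nothing. The bucket starts full.
    """
    rate_bytes_per_s = rate_kbps * 1000.0 / 8.0
    tokens = float(bucket_bytes)
    last_t = sdus[0].t_in if sdus else 0.0
    violations: List[int] = []
    for i, sdu in enumerate(sdus):
        tokens = min(float(bucket_bytes), tokens + (sdu.t_in - last_t) * rate_bytes_per_s)
        last_t = sdu.t_in
        if sdu.size <= tokens + 1e-9:   # small tolerance for float drift in the refill arithmetic
            tokens -= sdu.size
        else:
            violations.append(i)
    return violations


def delay_percentile_ms(sdus: List[SDU], pct: float = 95.0) -> Optional[float]:
    """pct-th percentile (nearest-rank method) of the delay of all correctly delivered SDUs."""
    delays = sorted((s.t_out - s.t_in) * 1000.0 for s in sdus if s.t_out is not None and not s.corrupt)
    if not delays:
        return None
    rank = max(1, math.ceil(pct / 100.0 * len(delays)))
    return delays[rank - 1]


def sdu_error_ratio(sdus: List[SDU]) -> float:
    """Fraction of SDUs that were lost or delivered with a detected error."""
    if not sdus:
        return 0.0
    return sum(1 for s in sdus if s.t_out is None or s.corrupt) / len(sdus)


def check_bearer(sdus: List[SDU], qos: BearerQoS) -> Dict[str, object]:
    """Evaluate a trace against all parameters; each *_ok flag says whether that parameter held."""
    delay95 = delay_percentile_ms(sdus)
    ratio = sdu_error_ratio(sdus)
    return {
        "oversized": [i for i, s in enumerate(sdus) if s.size > qos.max_sdu_size],
        "max_bitrate_violations": token_bucket_violations(sdus, qos.max_bitrate_kbps, qos.max_sdu_size),
        "guaranteed_bitrate_violations": token_bucket_violations(
            sdus, qos.guaranteed_bitrate_kbps, qos.k * qos.max_sdu_size),
        "delay_95_ms": delay95,
        "delay_ok": delay95 is not None and delay95 <= qos.transfer_delay_ms,
        "error_ratio": ratio,
        "error_ratio_ok": ratio <= qos.sdu_error_ratio,
    }


# Constructed bearer: a 64 kb/s speech-like bearer, Maximum Bitrate = Guaranteed Bitrate.
SPEECH_QOS = BearerQoS(max_bitrate_kbps=64, guaranteed_bitrate_kbps=64, max_sdu_size=1500,
                       transfer_delay_ms=100, sdu_error_ratio=1e-2)

# Constructed traces. 160-byte SDUs every 20 ms is exactly 64 kb/s.
SMOOTH_TRACE = [SDU(t_in=i * 0.02, size=160, t_out=i * 0.02 + 0.030) for i in range(20)]
# The same SDUs all released at t = 0: the 1500-byte bucket covers only nine of them.
BURST_TRACE = [SDU(t_in=0.0, size=160, t_out=0.030) for _ in range(10)]
# Delay growing 10, 20, ... ms per SDU, and the last SDU lost.
DEGRADED_TRACE = [SDU(t_in=i * 0.02, size=160, t_out=i * 0.02 + 0.010 * (i + 1)) for i in range(19)] + \
                 [SDU(t_in=19 * 0.02, size=160, t_out=None)]

if __name__ == "__main__":
    for name, trace in (("smooth", SMOOTH_TRACE), ("burst", BURST_TRACE), ("degraded", DEGRADED_TRACE)):
        print(name, check_bearer(trace, SPEECH_QOS))
```

The burst trace is the reason the bucket size is tied to MaxSDUsize: a source that stays at its nominal rate on average can still exceed the bearer if it releases several SDUs at once, and with k = 1 the guaranteed-bitrate bucket tolerates no more burst than the maximum-bitrate bucket does.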

Slide 22: UMTS Bearer: Range of Traffic/QoS Parameters (Source: TS 23.107, V5.2.0) [table not in transcript]

Slide 23: The 'full picture' of the UMTS packet switched domain
Roaming support:
– UE attaches with the SGSN in the visited network
– PDP context is set up to a GGSN in the home network (via the Gp interface, over the GRX network)

Slide 24: Message Flow: PDP Context Setup [figure not in transcript]

Slide 25: Content (outline repeated from slide 2; next section: 4. Security in UMTS)

Slide 26: UMTS Security: Main Requirements
– Availability: Network and services shall be available whenever needed.
– Authentication: The user and the network want to be sure that the other party is indeed the one claimed.
– Confidentiality: Only sender and receiver shall be able to read the transferred data.
– Integrity: The user wants to be sure that the data haven't been changed on the way from sender to receiver.
– Non-repudiation: A user can't deny having used a certain service.
– Network Protection: The network shall be protected against intrusion, DoS attacks, etc.
– Legal requirements: Country specific legal security requirements shall be met.

Slide 27: Threats: Examples
– Eavesdropping on user traffic or signalling traffic
– Modifying messages on their path from sender to receiver
– Using somebody else's identity
– Manipulating charging: using services without payment or with payment from a third person's account; 'overcharging' a third person's account (without use of services)
– Blocking certain functionality (Denial of Service attacks)
Possible origin / point of attack:
– Via external interfaces: Gi interface, Gp interface
– While passing through untrusted intermediate networks (e.g. the backbone connecting site networks)
– Air interface
– Mobile subscriber
– OAM network

Slide 28: UMTS Network Architecture
[Figure, reconstructed as text]
User equipment domain: MS = ME (mobile equipment) + SIM/USIM (Cu interface, SIM-ME); Uu interface to the access network
Access network domain:
– BSS (RAN/GERAN): BTS and BSC (Abis interface); connected to the core via A (CS) and Gb (PS)
– RNS (UTRAN): Node B and RNC (Iub interface; Iur between RNCs); connected to the core via IuCS and IuPS
Core network domain:
– PS domain: SGSN and GGSN (Gn interface); SGSN to HSS via Gr, GGSN to HSS via Gc, GGSN to external networks and the IMS via Gi/Mb; SGSN to MSC server/VLR via Gs
– CS domain: MSC server with VLR and CS-MGW (Mc interface), G-MSC server with CS-MGW (Mc); G/E/Nc between the MSC servers, Nb between the media gateways
– HSS (Home Subscriber Server), also reached from the IMS domain via Cx
– IMS domain (Release 5)

Slide 29: UMTS Security Domains
Network Domain Security
– Secure exchange of signalling traffic between network elements
– Protection against attacks on the wireline network
Application Security
– Secure exchange of messages between applications in the user and provider domains
Network Access Security
– Mutual authentication of user and network
– Confidentiality and integrity on the radio access link
User Domain Security
– Secure access to the terminal

Slide 30: Overview of UMTS Security Mechanisms (R5)
– Mutual authentication (UE – SGSN): UMTS AKA
– Encryption on the air interface (data and signalling, UE – RNC)
– Integrity protection of signalling data on the air interface
– Network protection (secure topologies, firewalls, etc.): up to the operator
– Integrity protection and encryption of signalling traffic on external interfaces (Gp, Gi) via IPsec tunnels (ESP)

Slide 31: Air interface: Integrity Protection [figure not in transcript]

Slide 32: Air interface: Encryption [figure not in transcript]

Slide 33: UMTS Authentication and Key Agreement (AKA)
– Based on a long-term pre-shared key K stored on the USIM and in the HLR/AuC
– Authentication vector: quintuplet (random number RAND, expected response XRES = f2(K, RAND), cipher key CK, integrity key IK, authentication token AUTN), generated in the HLR/AuC using a sequence number SQN, RAND, and K
– VLR/SGSN downloads authentication vectors from the HLR/AuC during Attach:
  VLR/SGSN -> HLR/AuC: Authentication Data Request
  HLR/AuC -> VLR/SGSN: Authentication Data Response (AV 1..n); the VLR/SGSN stores the AVs

Slide 34: UMTS AKA: Message flow during Attach [figure not in transcript]
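The AKA exchange of slides 33 and 34 with all three parties, HLR/AuC, VLR/SGSN and USIM, as an added example; it is my code, not the lecture's and not a 3GPP reference implementation. The quintuplet and the use of SQN are as on slide 33; the AUTN layout (SQN xor AK || AMF || MAC) and the field widths are taken from 3GPP TS 33.102, which the slides do not show. The functions f1..f5 are HMAC-SHA256 stand-ins with a distinct tag byte each, chosen only so the example runs offline; a real USIM runs the operator's algorithm (e.g. MILENAGE), which this code does not implement. The IMSI, key and AMF value are constructed.

```python
"""Added example: UMTS AKA between HLR/AuC, VLR/SGSN and USIM.
f1..f5 are HMAC-SHA256 stand-ins (NOT MILENAGE); AUTN layout and field
widths follow TS 33.102; subscriber key, IMSI and AMF are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

AMF = b"\x80\x00"   # authentication management field, 16 bit (constructed value)


def _prf(tag: bytes, k: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def f1(k: bytes, sqn: bytes, rand: bytes, amf: bytes) -> bytes:
    return _prf(b"\x01", k, sqn, rand, amf)[:8]   # MAC-A, 64 bit
def f2(k: bytes, rand: bytes) -> bytes:
    return _prf(b"\x02", k, rand)[:8]             # RES / XRES, 64 bit here
def f3(k: bytes, rand: bytes) -> bytes:
    return _prf(b"\x03", k, rand)[:16]            # CK, 128 bit
def f4(k: bytes, rand: bytes) -> bytes:
    return _prf(b"\x04", k, rand)[:16]            # IK, 128 bit
def f5(k: bytes, rand: bytes) -> bytes:
    return _prf(b"\x05", k, rand)[:6]             # AK, 48 bit, conceals SQN in AUTN

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuthError(Exception):
    pass


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes


class HlrAuC:
    """Holds K per subscriber and generates quintuplets, each with a fresh SQN."""
    def __init__(self, subscribers: Dict[str, bytes]):
        self.k = dict(subscribers)
        self.sqn = {imsi: 0 for imsi in subscribers}

    def authentication_data_response(self, imsi: str, n: int) -> List[AuthVector]:
        k, avs = self.k[imsi], []
        for _ in range(n):
            self.sqn[imsi] += 1
            sqn = self.sqn[imsi].to_bytes(6, "big")
            rand = os.urandom(16)
            autn = xor(sqn, f5(k, rand)) + AMF + f1(k, sqn, rand, AMF)
            avs.append(AuthVector(rand, f2(k, rand), f3(k, rand), f4(k, rand), autn))
        return avs


class VlrSgsn:
    """Fetches AVs at Attach and uses one per authentication; it never sees K."""
    def __init__(self, hlr: HlrAuC):
        self.hlr = hlr
        self.stored: Dict[str, List[AuthVector]] = {}

    def attach(self, imsi: str, n: int = 5) -> None:
        self.stored[imsi] = self.hlr.authentication_data_response(imsi, n)

    def next_challenge(self, imsi: str) -> AuthVector:
        return self.stored[imsi].pop(0)

    def verify(self, av: AuthVector, res: bytes) -> bool:
        return hmac.compare_digest(av.xres, res)


class Usim:
    """Authenticates the network (MAC check, SQN freshness) before answering."""
    def __init__(self, k: bytes):
        self.k = k
        self.sqn_ms = 0   # highest SQN accepted so far

    def authenticate(self, rand: bytes, autn: bytes) -> Tuple[bytes, bytes, bytes]:
        sqn = xor(autn[:6], f5(self.k, rand))
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, f1(self.k, sqn, rand, amf)):
            raise AuthError("MAC failure: AUTN was not produced with our K")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms:
            raise AuthError("synchronisation failure: SQN not fresh (replayed vector)")
        self.sqn_ms = sqn_int
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_aka(imsi: str, usim: Usim, sgsn: VlrSgsn) -> Dict[str, object]:
    """One authentication round; reports the outcome and whether both sides hold the same CK/IK."""
    av = sgsn.next_challenge(imsi)
    try:
        res, ck, ik = usim.authenticate(av.rand, av.autn)
    except AuthError as e:
        return {"ok": False, "reason": str(e), "av": av, "keys_agree": False}
    ok = sgsn.verify(av, res)
    return {"ok": ok, "reason": "" if ok else "RES mismatch", "av": av,
            "keys_agree": ok and ck == av.ck and ik == av.ik}


if __name__ == "__main__":
    K = bytes(range(16))                                  # constructed subscriber key
    hlr, imsi = HlrAuC({"262011234567890": bytes(range(16))}), "262011234567890"
    sgsn = VlrSgsn(hlr)
    sgsn.attach(imsi)
    print(run_aka(imsi, Usim(K), sgsn))
```

Two properties worth noticing in the code: the SGSN compares RES against XRES without ever holding K, so a compromised visited network learns only the vectors it was given, and the USIM refuses a replayed AUTN through the SQN check, which is what makes the authentication mutual rather than a one-way challenge as in GSM.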

Slide 35: Network Protection
Layered security architecture
At domain boundaries:
– Stateless packet filters (first barrier)
– Demilitarized Zone (DMZ) and main firewall
– Logging and intrusion detection
Network internal packet filters and monitoring devices
Host-based security mechanisms, e.g.
– Access Control Lists (ACLs)
– Application specific configurations (e.g. disabling DNS aliases)

Slide 36: Network Protection II
Firewall types
– Stateless packet filters: based on Layer 3 and 4 header fields (IP addresses, port numbers, etc.)
– Stateful packet filters: e.g. allow only TCP connections initiated from inside the network
– Application layer filtering: check the payload of specific applications
– Application proxies: split the end-to-end connection
Demilitarized Zones
– Application proxies
– External DNS servers
– VPN gateways

Slide 37: Example Topology [figure not in transcript]
Shown: DMZ, main firewall, internal packet filters, split DNS, application proxies

Slides 38–42: Example: Overbilling Attack (Source: Siemens CT IC 3)
[Figures: Malicious UE and Victim UE – SGSN – GGSN – FW – Internet – Malicious Server (IP address 139.1.2.3); the UE side of the PDP context is assigned IP address 10.1.1.1]
1. The malicious UE attaches to the GPRS network (Activate/Create PDP Context) and is assigned an IP address (10.1.1.1).
2. The malicious UE opens a TCP session to the cooperating malicious server (139.1.2.3). The stateful firewall is now open for TCP between 10.1.1.1 and 139.1.2.3.
3. The malicious UE detaches (Deactivate/Delete PDP Context). The malicious server keeps the firewall state open by continuing to send TCP/FIN messages towards 10.1.1.1.
4. Eventually, some victim UE attaches (Activate/Create PDP Context) and receives the same IP address, 10.1.1.1.
5. The malicious server keeps sending TCP/FIN (or other) messages to the victim UE; they pass the still-open firewall state and their volume is charged to the victim.

Slide 43: Countermeasures: Overbilling attack (left as an exercise)
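The five steps of slides 38–42 as a small discrete-event model, added here as an example; it is not code from the lecture or from Siemens. The addresses (UE side 10.1.1.1, server 139.1.2.3) are the slides'; the firewall idle timeout, the address-pool policy that hands a released address to the next UE, the segment size and the clock are constructed. The flush_on_deactivate switch models one countermeasure of my own choosing (the GGSN telling the firewall to drop state for an address when its PDP context is deleted); the slides leave countermeasures as an exercise, so treat it as one candidate answer, not the course's.

```python
"""Added example: model of the GPRS overbilling attack (slides 38-42).
Slide addresses 10.1.1.1 (UE side) and 139.1.2.3 (server) are kept; the
timeout, pool policy, segment size and the flush_on_deactivate
countermeasure are constructed assumptions of this example."""
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]   # (ue_ip, ue_port, remote_ip, remote_port)


class StatefulFirewall:
    """Admits inbound TCP only for flows the UE side initiated; entries age out after idle_timeout."""
    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.last_seen: Dict[FlowKey, float] = {}

    def outbound(self, key: FlowKey, now: float) -> None:
        self.last_seen[key] = now            # UE-initiated connection creates state

    def inbound(self, key: FlowKey, now: float) -> bool:
        last = self.last_seen.get(key)
        if last is None or now - last > self.idle_timeout:
            self.last_seen.pop(key, None)
            return False
        self.last_seen[key] = now            # any matching segment, a FIN included, refreshes the entry
        return True

    def flush_ip(self, ip: str) -> None:
        self.last_seen = {k: v for k, v in self.last_seen.items() if k[0] != ip}


class Ggsn:
    """Assigns PDP addresses from a small pool and bills downlink volume per subscriber."""
    def __init__(self, pool: List[str], fw: StatefulFirewall, flush_on_deactivate: bool):
        self.free = list(pool)
        self.fw = fw
        self.flush_on_deactivate = flush_on_deactivate
        self.contexts: Dict[str, str] = {}   # ue_ip -> imsi holding the PDP context
        self.charged: Dict[str, int] = {}    # imsi -> downlink bytes billed

    def create_pdp_context(self, imsi: str) -> str:
        ip = self.free.pop(0)
        self.contexts[ip] = imsi
        self.charged.setdefault(imsi, 0)
        return ip

    def delete_pdp_context(self, ip: str) -> None:
        del self.contexts[ip]
        self.free.insert(0, ip)              # released addresses are reused first (constructed policy)
        if self.flush_on_deactivate:         # countermeasure: GGSN tells the FW the address is gone
            self.fw.flush_ip(ip)

    def uplink(self, ue_ip: str, ue_port: int, dst: str, dport: int, now: float) -> None:
        self.fw.outbound((ue_ip, ue_port, dst, dport), now)

    def downlink(self, src: str, sport: int, ue_ip: str, ue_port: int, size: int, now: float) -> bool:
        if not self.fw.inbound((ue_ip, ue_port, src, sport), now):
            return False                     # no firewall state: dropped at the FW
        imsi = self.contexts.get(ue_ip)
        if imsi is None:
            return False                     # passed the FW but nobody holds the address: dropped at the GGSN
        self.charged[imsi] += size           # delivered and billed to whoever holds ue_ip now
        return True


def simulate(flush_on_deactivate: bool) -> Dict[str, object]:
    """Run steps 1-5 of the slides with a simple integer clock (seconds)."""
    fw = StatefulFirewall(idle_timeout=30.0)
    ggsn = Ggsn(["10.1.1.1", "10.1.1.2"], fw, flush_on_deactivate)
    server, sport, ue_port, seg = "139.1.2.3", 80, 50000, 40
    ip = ggsn.create_pdp_context("imsi-attacker")                   # 1. attach, gets 10.1.1.1
    ggsn.uplink(ip, ue_port, server, sport, now=0.0)                # 2. TCP session opens FW state
    ggsn.delete_pdp_context(ip)                                     # 3. attacker detaches ...
    unassigned = sum(ggsn.downlink(server, sport, ip, ue_port, seg, now=t) for t in range(1, 10))
    victim_ip = ggsn.create_pdp_context("imsi-victim")              # 4. victim gets the same address
    to_victim = sum(ggsn.downlink(server, sport, victim_ip, ue_port, seg, now=t) for t in range(10, 15))
    return {                                                        # 5. server traffic reaches the victim
        "victim_ip": victim_ip,
        "delivered_while_unassigned": unassigned,
        "delivered_to_victim": to_victim,
        "victim_billed_bytes": ggsn.charged["imsi-victim"],
        "attacker_billed_bytes": ggsn.charged["imsi-attacker"],
    }


if __name__ == "__main__":
    print("FW state survives PDP deletion:  ", simulate(flush_on_deactivate=False))
    print("GGSN flushes FW state on deletion:", simulate(flush_on_deactivate=True))
```

The model makes the root cause visible: the firewall's notion of "this flow is open" is keyed on the IP address, while the GGSN's notion of "who is being billed" is keyed on the PDP context, and nothing links the lifetime of the one to the other. During step 3 the segments pass the firewall but are discarded at the GGSN because no context holds the address; from step 4 on the same segments are delivered and billed.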

Slide 44: Summary
1. Introduction: Cellular Concepts, GSM, GPRS
2. UMTS architecture & Components: Standardisation, Architecture
3. IP transmission in UMTS: PDP contexts, APNs, TFTs; Bearer and Parameters; Mobility Support
4. Security in UMTS: Basic requirements and threats; UMTS-AKA; Network Protection; Example: Overbilling attack

