1. Bringing Cellular Service to Wireless Habitat Networks Understanding, evaluating & extending the Unlicensed Mobile Access (UMA) architecture Anshuman B. Saxena TCS Euro-labs

2. Diversity : Cellular and Wireless LANs
Features
Cellular Networks (GSM/GPRS)
Personal Wireless Networking (WLAN)
Coverage
Wide, available in most parts
Limited, typically homes and offices
Administration
Registered (licensed) service provider
Widely self administered
Network Identity
License based – network code
MAC based - Access point
MS Identity
SIM based – IMSI
MAC based - WLAN card
User Identity
IMSI based – globally verifiable and valid
Non verifiable, valid within the local network
Critical Resource
Licensed Radio Spectrum
Unlicensed spectrum – no such critical resource
Deployment
Often lose signal strength indoors due to absorption of RF signals
Better suited for indoor communication and can be easily deployed within buildings.
Operation modes
Infrastructure mode
Both Infrastructure and adhoc (p2p) mode
Access Cost
Shared Public Network – high access cost
Devoted Network, no contention – low access cost
Power consumption
Standby lifetimes of up to several days
Standby lifetimes of up to only a few hours
Service Capacity
Bounded reuse (cell constraints) – limited capacity
Coverage limitation – unlimited reuse
Service Quality
Restricted – low data rates
Comparatively high data rates
Billing ($ cost)
High - Dominant part attributed to recurring critical resource consumption in the last mile
Low - Home Broadband Access involves one time cost (cable laying + hardware equipment cost) for last mile solution
Hotspots
Uniform availability in all areas
Availability only in areas significantly longer and more frequently inhabited – home and office
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

3. Motivation for Convergence
Wireless Habitat Networks represent the notion of Wireless networks in regions of dominant habitat e.g. home & office WLANs. Availability of such low cost wireless networks in areas significantly longer and more frequently inhabited by a user provides a lucrative opportunity to forward the services associated with the global identity of a GSM/GPRS network.
Global Identity
Low Cost
WLAN
GSM/GPRS
A Unified Architecture
Use Case Scenario
GGSN
A cellular service subscriber while in active GSM/GPRS session enters one of it’s many wireless habitat networks, e.g. his home/office WLAN. The same session (without any perceivable disruption) is now routed to his WLAN. All services associated with his subscription with the cellular network are delivered to him at a lower cost through the currently available Wireless Habitat Network.
As a result the user remains reachable through his global IMSI identity; however, while in home or office he can avail the same services (voice calls, SMS service, and other location dependent services) at a much reduced cost through his home or office WLAN.
SGSN
BTS
BTS
BSC
VLR
Convergence
Block
MSC
BTS
HLR
GSM/GPRS
Broad band IP N/W AP AP AP AP
WLAN
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

4. Foreseen Challenges
Issues of discovery and Registration of WLAN APs – trust issues
Issues related to incorporating these WLAN APs with the cellular infrastructure - probably providing a BSS like abstraction
Delivery of cellular signalling information to WLAN APs like paging, flow control, SMS etc.
Notion of cell to assist the delivery of location dependent services – may be some kind of overlay of cells on the WLAN network.
Support for seamless handover of ongoing voice/data sessions back and forth
Security of user data – issues related to maintaining the confidentiality, integrity and accountability of data routed over self administered WLANs.
Support for personalized network table for each user – context based network lookup.
Dynamic association and disassociation of user specific wireless habitat networks.
Battery lifetime of mobile stations equipped with additional WLAN radios must be comparable to those with a single 3G radio.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

5. Outlining the remaining presentation
Overview of individuals involved
>> GSM/GPRS
>> WLAN (not included)
>> Bluetooth (not included)
Related Work : candidate architectures
>> Unlicensed Mobile Access (UMA)
>> Underlying Assumptions
>> Thoughts and Concerns
An alternate proposition
>> The approach
>> Rationale
>> Architecture
>> Network Discovery and GERAN interaction
Action Plan (TBD)
>> Simulation
>> Prototyping
>> Dissemination
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

6. GSM: Architectural overviewMS
NSS: Network and Switching Subsystem
HLR
EIR
GMSC
AuC
BTS
BSC
BSS: Base Station Subsystem
PSTN, PSPDN, CSPDN, ISDN
MSC
VLR
GSM operates in circuit switched mode i.e. a channel is allocated to a single user for the entire duration of the connection. This exclusive access to radio resource is not necessary for data applications with the use of packet switched techniques.
GSM Network Architecture
Network Switching Sub-system responsible for call control, service control and subscriber mobility management fns.
HLR: Home Location Register is a database used to store and manage permanent data of subscribers such as service profiles, location information, and activity status.
VLR: Visited Location Register is a database used to store temporary information about the visiting subscribers.
MSC: Mobile Switching Centre is responsible for telephony switching functions.
AuC: Authentication Center assists MSC in performing various authentication functions.
EIR: Equipment Identity Register is a database that contains list of blacklisted mobile equipments.
GMSC: Gateway Mobile Switching Center is a gateway to external networks, such as ISDN or wire line networks.
Base Station Subsystem performs radio related functions
BTS: Base Transceiver Station handles the radio interface to the MS. It consists of radio equipment (transceivers and antennas) required to service each cell in the network.
BSC: Base Station Controller provides the control functions and physical links between the MSC and the BTS. A number of BSCs are served by one MSC while several BTSs can be controlled by one BSC.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

7. GSM Network Service Areas
SA5
BTS
BSC
BTS
BSC
LA2
LA3
SA4
MSC/ VLR-1
BTS
BSC
LA1
BTS
BSC
SA3
SA1
SA2
SA1 (MSC/VLR-1) = LA1+LA2+LA3
LA: Location Area SA: Service Area
Cell < LA < SA
Representative GSM Network Service Areas
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

8. GPRS: Architectural Overview
VLR
BTS
BSC
GGSN
MSC
SGSN
PDN
NSS: Network and Switching Subsystem
BSS: Base Station Subsystem
HLR MS
PCU
GPRS has minor impact on the existing GSM BSS because it uses the same frequency bands and hopping techniques, the same TDMA frame structure, the same radio modulation and burst structure as GSM. However, unlike the GSM circuit switched connections, connections in GPRS have to be established and released between the BSS and the MS only when data needs to be transported over the air interface.
PCU (Packet Control Unit) supports the handling of data packets.
GPRS Network Architecture
GPRS NSS can be viewed as an overlay network
GSN (GPRS Support Node) can be of two types a SGSN (Serving GSN) or a GGSN (Gateway-GSN).
SGSN controls a service area and is primarily responsible for keeping track of the MSs it serves, and for access control to data services.
GGSN provides the interface to external PDNs (Packet Data Networks). The SGSN is connected to the BSS by Frame Relay and to possibly several GGSNs via a GPRS backbone n/w.
There may not be a direct mapping between SGSN and MSC/VLR areas.
Introduction of RAs allows signalling and paging over geographically smaller areas and thus a better optimization of radio resources.
SGSN (3)
RA1
RA2
RA3
RA4
RA5
RA6
RA7
RA9
MSC/VLR
SGSN (1)
SGSN (2)
LA1
LA2
LA3
LA4
LA5
RA8
SGSN(1) service area = RA6 + RA7+ RA8+ RA9
SGSN(2) service area = RA1+ RA3+ RA4
SGSN(3) service area = RA2 + RA5
Cell<Routeing Area (RA) <Location Area (LA) <Service Area (SA)
Representative GPRS Network Service Areas
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

9. GPRS Subscription and Attach
Precondition
Each user must have at least one GPRS subscription record containing information such as a list of networks to which access is required and the subscribed Quality of Service (QoS).
Further optional information may be available such as the user's static IP address.
Sequence of procedures for GPRS attach
MS requests for enough radio resources to send the Attach Request signaling message
MS uses the assigned radio channel to send the Attach Request message which includes user’s identity, MS capabilities and current location.
The SGSN sends an Update Location message to the appropriate HLR
HLR is updated and the users’ GPRS subscription record is provided to the SGSN.
The SGSN signals the attach completion to the MS.
The network is now able to track the MS (via subsequent location updates) and is aware of the services and networks that the user has access to. However, at this point the user is not able to send or receive data.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

10. GPRS PDP context activation
In order for the user to be able to transfer data, a Packet Data Protocol (PDP) Context must be activated in the MS, SGSN and GGSN.
The user initiates this procedure, which is similar to logging on to the required destination network.
On completion, a virtual connection is established between the MS and the GGSN.
MS requests sufficient radio resources to support the Context Activation procedure.
MS uses the assigned radio channel to send the Activate PDP context request to the SGSN which includes the user's static IP address (if applicable), the QoS requested for this context, the APN of the external network to which connectivity is requested, the user's identity and any necessary IP configuration parameters (e.g. for security reasons).
The SGSN then checks the received request against the user's subscription record and, if valid, queries the DNS server for the IP address of the requested APN.
The DNS server responds to the SGSN with the IP address of at least one GGSN that will provide the required connectivity to the external network (the APN).
The SGSN requests a connection Tunnel to that GGSN.
GGSN establishes the tunnel and returns an IP address to be conveyed to the MS. The GGSN associates this tunnel with the required external network connection.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

11. GPRS: Security
GPRS users expect the data they transmit and receive to be protected against eavesdropping and tampering.
Also GPRS operators will need to prevent unauthorized subscribers gaining access to the GPRS network.
The GPRS Subscriber Authentication and service request validation. These controls (which use existing GSM mechanisms) request validation when users connect to the GPRS network.
A Restricted Access Point Control facility. This ensures that only terminals authorized by an individual company are able to access that company's network from the GPRS network. This is under the direct control of the GPRS network.
A Non transparent access technique, linking the GPRS session/bearer set-up with standard IP access and authentication servers such as RADIUS (Remote Authentication Dial-In User Service).
Network encryption.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

12. GPRS QoS support: Reliability and Latency
Integrity of received data is ensured through two reliable modes of operation:
RLC acknowledged mode is used by default to ensure that the data received by/from the MS is without error.
LLC acknowledged mode is an optional feature which ensures that all LLC frames are received without error. However, use of this protocol has an impact on throughput since the correct receipt of all LLC frames has to be acknowledged.
Factors contributing to the overall latency in GPRS include:
Mobile Station (MS) delay - time taken by the MS to process an IP datagram and request radio resource. Specific off MS, and hence the supplier.
Radio resource procedures are the major source of delay in GPRS. For the MS to be capable of sending or receiving data, radio resource known as a Temporary Block Flow (TBF) must be made available to the MS. Establishing a TBF from scratch is entails exchange of signaling messages and depends on the availability of radio resources. Also it will be different for the uplink and downlink directions. Once established, the TBF generally remains active for as long as data is made available to the layer (i.e. for as long as there are LLC frames to transmit).
Effective data throughput (over-the-air delay) is the rate at which user data is physically transmitted between the MS and the SGSN over an active TBF. The delay associated with this throughput is directly related to the size of the IP datagram being sent. Smaller packets cause less delay. The delay is proportionally reduced when multiple timeslots are used. The effective throughput is also dependent on the number of re-transmissions resulting from the hostile radio environment (i.e. the RLC Block Error Rate).
Core network delay occurs as packets transit through the SGSN and GGSN. These nodes effectively operate as IP routers and as such will have a relatively low impact on the overall latency. However, under high load conditions the transit delay may increase.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

13. GPRS: Latency Breakdown
Latency Element
Uplink TBF Establishment 1TS
Ongoing Uplink Latency 1TS
Downlink TBF Establishment 2TS
Ongoing Downlink Latency 2TS
MS Delay
Average
215 ms
110 ms
65 ms
TBF establishment
530 ms
1000 ms
Variability ms ms
Over the Air Delay
480 ms
260 ms
SGSN/GGSN Latency
20 ms
Total (average)
1.3 seconds
0.6 seconds
1.3 second
0.4 seconds
This table illustrates a breakdown of the round-trip latency associated with the transmission and reception of a 500 byte IP packet in a system employing 1 uplink and 2 downlink timeslots. Note that any delay associated with external servers (i.e. the Internet) is not included.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

14. Unlicensed Mobile Access (UMA) ArchitectureWm Gb A
UNC
SGW
MSC
SGSN
AAA SERVER
VLR / HLR
AAA
HLR AP
Broad band IP N/W
Roaming HPLMN
VPLMN/HPLMN
UMA N/W
SECURE
TUNNEL MS
GERAN: GSM/GPRS radio access N/W Up
A: Interface for circuit switched services
Gb: Interface for packet switched services
Wm: Interface for AAA server
Mobile Station (MS)
includes dual mode (GSM and unlicensed) radios and the capability to switch between them
supports an IP interface to the access point
Access Point (AP)
provides the radio link towards the mobile station using unlicensed spectrum.
connects through the broadband IP network to the UNC
UMA Network Controller (UNC)
allows the MS to obtain all GSM services (via the ‘A’ interface) that it can obtain from direct connection to the GERAN MSC
allows MS to obtain all GPRS services (via the ‘Gb’ interface) that it can obtain from direct connection to the GERAN SGSN
includes a Security Gateway (SGW) that terminates secure remote access tunnels from the MS, providing mutual authentication, encryption and data integrity for signaling, voice and data traffic
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

15. UNC: coupling between the UMA N/W and GERAN - I
Transport IP
IPSec ESP
Remote IP
Unlicensed Lower Layers
TCP
UMA RR MM
CC/SS/SMS
MTP 2
MTP 1
SCCP
BSSAP
MTP 3
Unlicensed Lower layers
Access Layers MS
Standard AP
Broadband IP N/W
UNC
MSC
Up interface
A interface
GSM signalling
GSM protocols MM and above are carried transparently between the MS and MSC.
GSM-RR protocol is replaced with a UMA-RR protocol which is specific to Unlicensed Radio access. The UNC, acting like a GERAN BSC, terminates the UMA-RR protocol and inter-works it to the A-interface using BSSAP messaging.
Transport IP
IPSec ESP
Remote IP
Unlicensed Lower Layers
RTP/UDP
GERAN Codec
AUDIO
PHYSICAL
LAYERS
Unlicensed Lower layers
Access Layers MS
Standard AP
Broadband IP N/W
UNC
MSC
Up interface
A interface
Transcoding (if reqd.)
GSM speech bearer
Audio transported as RTP frames
Support for GERAN codecs
When operating in UMA mode AMR FR is the preferred codec type.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

16. UNC: coupling between the UMA N/W and GERAN - II
TRANSPORT IP
IPSec ESP
REMOTE IP
Unlicensed Lower Layers
TCP
UMA RLC
LLC
UPPER LAYERS
Transport IP
Remote IP
NETWORK SERVICE
PHYSICAL
Upper Layers
BSSGP
Unlicensed Lower layers
Access Layers
ACCESS LAYERS MS
Standard AP
Broadband IP N/W
UNC
SGSN
Up interface
Gb interface
RELAY
GPRS signalling
GPRS LLC PDUs for signalling and higher layer protocols are carried transparently between the MS and SGSN.
GPRS-RLC protocol is replaced with an equivalent UMA-RLC protocol. Given the transport characteristics over Up interface the GPRS TBF abstraction is not applicable and reliability is ensured by TCP. Therefore the UMA-RLC is significantly lighter than GPRS-RLC. As in a GERAN BSS, the UNC, acting like a BSC, terminates the UMA-RLC protocol and inter-works it to the Gb-interface using BSSGP.
TRANSPORT IP
REMOTE IP IPSec
Unlicensed Lower Layers
UDP
UMA RLC
LLC
SNDCP
NETWORK SERVICE
PHYSICAL
BSSGP
Unlicensed Lower layers
Access Layers
ACCESS LAYERS MS
Standard AP
Broadband IP N/W
UNC
SGSN
Up interface
Gb interface IP
To GGSN
GPRS data
GPRS LLC PDUs carrying data, and higher layer protocols, are carried transparently between the MS and the SGSN.
GPRS LLC PDUs are carried over UMA-RLC from the MS to the UNC, which relays it over the SGSN using BSSGP messaging.
UMA-RLC runs directly over UDP to leverage the IP bearer service.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

17. UMA: Protocols Involved
Standard 3GPP Protocols
(requires no changes in MS or MSC/SGSN)
Existing GSM MM, CM and higher layer protocols
GSM voice encoding carried over IP between the MS and UNC.
- Existing GPRS LLC and higher layer protocols
- Existing A-interface protocols
Existing Gb-interface protocols
Existing Wm interface protocols
UMA specific protocols
UMA-RR (peer of GSM-RR)
A protocol specific to the characteristics of the unlicensed radio link which are quite different from that of the GERAN radio link. Provides the following services:
registration with UNC
setup of bearer path for CS traffic between the MS and UNC
handover support between GERAN and UMA; e.g. functions such as GPRS suspension, paging, ciphering configuration, classmark change, application level keep-alive etc.
support for identification of the AP being used for UMA access.
UMA-RLC (peer of GSM-RLC)
protocol provides the following services:
delivery of GPRS signaling, SMS messages over the secure tunnel
paging, flow control, GPRS transport channel management
transfer of GPRS user plane data.
Standard IP based protocols
- IP over standard lower layers
- TCP to provide a tunnel for GSM/GPRS signaling and SMS
- IPsec ESP to provide a secure tunnel for GERAN bearer (speech and data) and signaling traffic.
- IKEv2 [IKEv2] and EAP-SIM [EAP SIM] for authentication and establishing and maintaining a SA between MS and UNC
- UDP for IPsec NAT traversal
- UDP for GPRS data transfer
- RTP/UDP for transfer of GSM vocoder frames over IP transport
Standard Unlicensed Radio Access Protocols
protocols for PHY and MAC, including functions for association, authentication, encryption, data transfer and traffic prioritization.
Bluetooth protocols for PHY, Baseband, LMP, L2CAP and SDP, including functions for discovery, paging, pairing (authentication), encryption, ACL and data and voice traffic transfer. Additionally, BNEP is used to provide Ethernet emulation over Bluetooth ACL links as per the PAN profile.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

18. UMA: Security Mechanisms
Interfaces A, Gb
4. Data Application Security (e.g. HTTPS)
3. CN authentication, GPRS ciphering
2. Up Interface Security
1. Unlicensed MS AP
UNC
MSC/ VLR & SGSN
APP SERVER
IP N/W
Interface Security
1. Security mechanisms over the unlicensed radio interface (between the MS and the AP)
Include the authentication and encryption functions defined for the unlicensed mode radio interface protocols applied.
Apply to voice, data and signaling over the radio interface.
2. Security mechanisms over the Up interface (between the MA and UNC)
include both authentication and encryption functions to protect signaling, voice and data traffic flows.
3. Authentication of MS by the core network (between MS and the MSC/VLR or MS and SGSN)
remains transparent to the UNC
a cryptographic binding between the MS-CN authentication and the MS-UNC authentication to prevent man-in-the-middle attacks.
GPRS ciphering (a LLC layer ciphering scheme) operates between the MS and the SGSN.
4. Application level security mechanisms (between the MS and the application server or gateway)
can be employed to secure the end-to-end communication, e.g. the MS may run the HTTP protocol over an SSL session for secure web access.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

19. UMA: Addressing Issues – MS and AP
MS addressing parameters
The IMSI associated with the SIM in the terminal
This identifier is provided by the MS to the UNC when it registers to a UNC. The UNC maintains a record for each registered MS. For example, IMSI is used by the UNC to find the appropriate MS record when the UNC receives a BSSMAP PAGING message.
Public IP Address of the MS
The Public IP address of MS is the source IP present in the outermost IP header of packets received from the MS by the UNC-SGW. If available, this identifier may be used by the UNC to support locations services and fraud detection. It may also be used by service providers to signal Managed IP networks IP flows that require QoS treatment.
AP addressing parameters
The “Access Point (AP) ID”
The AP-ID is the MAC address of the unlicensed mode access point through which the MS is accessing UMA service. This identifier is provided by the MS (obtained via broadcast from the AP) to the UNC via the Up interface, when it requests UMA service. The AP-ID may be used by the UNC to support location services. The AP-ID may also be used by the service provider to restrict UMA service access via only authorized APs.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

20. UMA: Cell Identifiers
Why maintain the GERAN notion of cell in UMA network?
Support for location dependent services such as emergency calling, operator announcements and free phone numbers.
Help identify the location of the call for billing purposes.
Handover assistance
In UMA the notion of a “cell” is defined by some logical grouping of MSs being served by a UNC.
The cell assignment can be based on the
overlapping GSM cell that the MS is located in.
identity or location of the AP, or GPS co-ordinates of the MS
Determining cell-id for handover (ARFCN allocation to UMA cell)
Handover makes use of an RF channel number (ARFCN) and BSIC (base station identity code) to identify the target cell.
UMA operates in a different frequency band hence a virtual ARFCN is assigned to each UMA cell (i.e. each UNC; assuming each UNC forms a separate UMA cell). This ARFCN/BSIC is indicated to the MS by the UNC during registration.
This assigned ARFCN is never used it should not be allocated from the operator’s BCCH pool. Also same ARFCN number is preferred across the entire network to avoid BSS configuration. Can be assigned from the frequency band not used by the operator.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

21. UMA: Network Discovery and RegistrationMS
SGW
UNC
DNS
SERVING UNC
DEFAULT UNC
PROVISIONING UNC
1. DNS query (provisioned or derived SGW FQDN)
2. DNS
3. Establish secure tunnel
6. URR Discovery Request (CID, LAI, IMSI)
7. URR Discovery Accept (Default SGW IP address, Default UNC IP address)
5. DNS response
8. URR Discovery Reject (Cause)
4. DNS query (provisioning UNC FQDN)
9. Establish secure tunnel
12. Establish secure tunnel
11. URR Register Redirect (SGW IP address, Serving UNC IP address)
10. URR Register Request (CID, LAI, IMSI)
13. URR Register Request (CID, LAI, IMSI)
15. URR Register Reject/URR Register Redirect
14. URR Register Accept
MS initiates the discovery and serves the following purpose
informs the UNC that a MS is now connected through a particular AP and is available at a particular IP address; required for providing GERAN services, e.g. mobile-terminated calls.
provides the MS with the operating parameters associated with the UMA service.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

22. UMA: Registration Update and De-registerMS
S-UNC
1. URR REGISTER UPDATE UPLINK
2. URR REGISTER REDIRECT
3. URR DEREGISTER
Registration Update Uplink
MS updates the UNC with changes about the AP or the identity of the overlapping GSM cell.
1. URR REGISTER UPDATE DOWNLINK
Registration Update Downlink
UNC updates MS with changes in related to system information or status of location services.
Registration Update
De-registration MS
S-UNC
1. URR DEREGISTER
De-Registration initiated by the MS
MS explicitly informs the UNC about leaving the UMA mode; the UNC frees the resources assigned to the MS. The UNC may also implicitly deregister the MS when the TCP connection to the MS is abruptly lost. MS
S-UNC
1. URR DEREGISTER
De-Registration initiated by the UNC
The Deregistration procedure can also be initiated by the Serving UNC.
Keep Alive Messages
The Keep Alive messages indicate to the peer URR entities that the MS remains registered to the UNC. MS
S-UNC
1. URR KEEP ALIVE
The MS in turn remains informed that the UNC is still available using the currently established lower layer connection.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

23. UMA: EAP-SIM authenticationMS AP
UNC-
SGW
AAA
HLR
1. Unlicensed link establishment
2. IKE_SA_INIT
3. Select appropriate AAA server
4. EAP Response/Identity
[NAI based on IMSI]
5. EAP Request/SIM Start
6. EAP Request/SIM Start
7. EAP Response/SIM Start [NONCE_MT]
8. EAP Response/SIM Start [NONCE_MT]
9. Send Auth Info
10. Response (triplets)
20. UMAN REGISTRATION
11. EAP Request/SIM-Challenge [RAND, MAC, Next re-auth ID]
12. EAP Request/SIM-Challenge
[RAND, MAC, Next re-auth ID]
14. EAP SIM/Response-Challenge [MAC]
15. EAP SIM/Response-Challenge [MAC]
17. EAP Success + keying material
18. EAP Success
13. Execute EAP/SIM
16. Verify MAC
19. Complete IKE signaling
EAP-SIM authentication procedure
EAP-SIM mechanism authenticates the MS with the UNC using GSM credentials.
EAP-SIM procedure is performed between the MS and the AAA and the UNC-SGW relays the associated messages
When the EAP-SIM procedure has completed successfully, the IKEv2 procedure can be continued to completion and the signaling channel between MS and UNC-SGW is secured. The MS and UMAN can then continue with the discovery or registration procedure.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

24. UMA: EAP-SIM Fast Re-authenticationMS
UNC
HLR
1. IKE_SA_INIT
6. EAP SIM/Response-Challenge
[Counter, MAC]
3. EAP Request/SIM/Re-authentication
[Counter, NONCE, MAC, Next re-auth ID]
4. EAP Request/SIM/Re-authentication
7. EAP SIM/Response-Challenge
9. EAP Success
2. EAP Response/Identity
[Re-authentication ID]
5. Verify
Counter, MAC
8. Verify
10. EAP Success
In Fast re-authentication, the AAA server and MS re-authenticate each other based on the keys derived on the preceding full authentication.
Fast re-authentication is provided by EAP-SIM, and does not make use of the GSM A3/A8 procedures. The decision to make use of the fast re-authentication procedure is taken by the AAA server.
The MS initiates a new SA with a UNC-SGW that it was previously connected to and uses the re-authentication ID (received during the previous full authentication procedure) in the IKE_SA_INIT exchange.
Suitability of fast re-authentication can be demonstrated in a number of scenarios for e.g. when setting up a new SA because the IP address of the MS has changed as a result of a handover between APs connected to different IP subnets. In the presence of large number of mobile stations, the network load (more specifically the authentication related network load) reduced by avoiding such frequent re-keying can be significant.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

25. Ciphering Configuration
UMA: Encryption
During a GERAN to UMAN handover, the MS first authenticates with the UMAN using EAP-SIM authentication and then acquires an IP address on the subnet protected by the UNC-SGW (acts as a NAT) and initiates creation of SA between itself and the UNC-SGW.
Various security configuration parameters are negotiated while connection establishment e.g. ciphering mode, specific encryption algorithms etc.
During a handover from UMAN to GERAN, MS authenticates with the core network using established GERAN procedures.
During an intra UMAN handover i.e. when the point of attachment of MS changes from one subnet to the other (hence acquiring new IP address), EAP-SIM based fast re-authentication procedures are used.
Ciphering Configuration
The Cipher mode command from CN contains the cipher key Kc, and the encryption algorithms that the UNC may use.
UNC indicates to the MS whether stream
ciphering shall be started or not (after handover to GERAN) and if so, which algorithm to use, and a random number.
The MS computes a MAC based on the random number, the MS IMSI, the FQDN of the UNC and the key Kc. MS then sends a message to signal its selected algorithm, the computed MAC, and the IMEI.
UNC verifies the MAC, if found correct sends Cipher mode complete message to the CN. MS
UNC
GERAN CN
Cipher mode command
URR-CIPHERING-MODE-COMMAND
[algorithms, cipher response, rand, …]
URR-CIPHERING-MODE-COMPLETE
[algorithm, IMEI, MAC(rand, …) ]
Verify MAC
Cipher mode complete
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

26. UMA: Mobile Originated Speech CallMS
UNC CN
1. URR UPLINK DIRECT TRANSFER (CM Service Request)
2. Complete Layer 3 Info
3. Authentication
4. Cipher-Mode Command
5. URR CIPHERING MODE COMMAND
6. URR CIPHERING MODE COMPLETE
7. Cipher-Mode Complete
8. URR DOWNLINK DIRECT TRANSFER (CM Service Accept)
10. URR DOWNLINK DIRECT TRANSFER (Call Proceeding)
11. Assignment Request
12. URR ACTIVATE CHANNEL
13. Uplink user plane RTP Stream
18. URR DOWNLINK DIRECT TRANSFER (Alerting)
20. URR UPLINK DIRECT TRANSFER (Connect Ack)
19. URR DOWNLINK DIRECT TRANSFER (Connect)
15. Downlink user plane RTP Stream
16. Assignment Complete
17. URR ACTIVATE CHANNEL COMPLETE
14. URR ACTIVATE CHANNEL ACK
21. VOICE TRAFFIC
9. URR UPLINK DIRECT TRANSFER (Setup)
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

27. UMA: Mobile Terminated Speech CallMS
UNC CN
1. Paging Request
2. URR PAGING REQUEST
5. Authentication
6. Ciphering Configuration
3. URR PAGING RESPONSE
4. Complete Layer 3 Info
7. URR DOWNLINK DIRECT TRANSFER (Setup)
Assignment Procedure
11. URR UPLINK DIRECT TRANSFER (Connect)
12. URR DOWNLINK DIRECT TRANSFER (Connect Ack)
10. URR UPLINK DIRECT TRANSFER (Alerting)
9. RTP stream setup
8. URR UPLINK DIRECT TRANSFER (Call Confirmed)
13. VOICE TRAFFIC
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

28. 1. Um: Measurement Report
UMA: Handover to UMAN MS
UNC CN
13. Clear Command
BSC
14. Clear Complete
9. URR HANDOVER COMPLETE
12. Handover Complete
11. VOICE
1. Um: Measurement Report
10. Handover Detect
2. Handover Reqd.
8. RTP stream setup
5. Handover Command
7. URR HANDOVER ACCESS
4. Handover Request Ack
6. Um: Handover Command
3. Handover Request
UMAN Registered
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

29. UMA: Handover to GERAN MS UNC CN 11. Um: Physical Information BSC
12. Um: Handover Complete
7. URR HANDOVER COMMAND
9. Handover Detect
10. VOICE
1. URR UPLINK QUALITY INDICATION
8. Um: Handover Access
2. URR HANDOVER REQUIRED
6. Handover Command
4. Handover Request
5. Handover Request Ack
Ongoing UMAN Connection
3. Handover Required.
13. Handover Complete
15. Clear Command
16. URR RELEASE
19. URR DEREGISTER
17. Clear Complete
18. URR RELEASE COMPLETE
14. VOICE
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

30. UMA: Unlicensed Radio Link Control for GPRS data
Whenever GPRS data transfer is initiated a UDP based URLC connection is established between the MS and the UNC. Following are required for URLC connection establishment.
The MS knows the destination IP address, destination UDP port to be used for GPRS related data and value of the URLC-CHANNEL-TIMER.
The UNC knows the destination UDP port to be used for GPRS data transfer for a specific MS.
URLC can be in the following two states:
In URLC-STANDBY state
the MS is not able to send or receive GPRS data to and from the UNC. The UNC or the MS needs to activate the URLC Transport Channel before sending any GPRS data.
the corresponding URLC Transport Channel does not exist. When the URLC Transport Channel is activated, the MS enters the URLC-ACTIVE state.
In URLC-ACTIVE state
the MS is able to send and receive GPRS data to and from the UNC.
A URLC channel timer controls the transition from URLC-ACTIVE to URLC-STANDBY state as follows:
The MS URLC layer implements a timer that is started when the MS enters URLC-ACTIVE state and restarted each time a non-NULL LLC-PDU is transmitted to or received from the network. When the timer expires, the MS deactivates the URLC Transport Channel and the MS URLC enters URLC-STANDBY state.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

31. UMA: GPRS Data Transport
User Data Transport
1. URLC Transport Channel activation MS AP
UNC CN
2. URLC-UNITDATA (QoS, priority, TLLI, PFI, LLC-PDU)
3. BSSGP (LLC-PDU)
4. BSSGP (LLC-PDU)
7. URLC Transport Channel deactivation
5. URLC-UNITDATA (TLLI, PFI, LLC-PDU)
6. Additional URLC user data transport
URLC channel timer started
URLC channel timer expires
MS sends an uplink LLC PDU to the UNC (relayed to CN) with parameters required for Gb interface and TLLI as MS identifier. Restarts the URLC channel timer.
CN sends the downlink LLC PDU to the UNC (relayed to MS) that contains GPRS user data via the Gb interface. The MS is identified with the TLLI and restarts the URLC channel timer on data reception.
In the absence of any link level data, the URLC channel timer expires and the corresponding URLC TC is deactivated.
Signalling and SMS Transport
The MS LLC requests the URLC layer to transfer an uplink GMM/SM signaling message or SMS Message (e.g. a GMM attach request or SM PDP context activation message).
The MS URLC sends a LLC PDU encapsulated within a URLC-DATA message via the Gb interface to the UNC (relayed to the CN).
The CN replies with a GMM/SM signaling or SMS message (e.g. GMM attach accept or SM PDP context activation accept message) – relayed via the UNC (encapsulated within a URLC-DATA message) to the MS.
1. URLC- DATA (QoS, priority, TLLI, PFI, LLC- PDU) MS AP
UNC CN
2. BSSGP (LLC- PDU)
4. URLC-DATA (TLLI, PFI, LLC-PDU)
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

32. UMA: Packet Paging Support
Packet Paging for GPRS
2. URLC-PS-PAGE (Mobile Identity) MS AP
UNC CN
1. BSSGP (Paging-PS-PDU)
3. LLC_PDU Transport
4. BSSGP (LLC-PDU)
CN sends a PS page (identified by PTMSI or IMSI) via the UMAN for a GPRS attached MS.
The UNC (after verification for MS registration) forwards the corresponding URLC-PS-PAGE msg. to the MS using the TCP signaling connection.
The MS sends any LLC PDU (forwarded to the UNC) to respond to the page, activating a channel as needed.
Packet Paging for Circuit Mode service
CN sends a CS page (identified by PTMSI or IMSI) for a UMA registered and currently GPRS attached MS via the Gb interface. The mobile station is currently GPRS attached via the UMAN.
The UNC (after verification for MS registration) forwards the corresponding URR PAGING REQUEST msg. (channel needed and IMSI/TMSI id) to the MS using the signaling TCP connection.
The MS initiates the standard CS page response procedure via the UMAN.
2. URR PAGING REQUEST MS AP
UNC CN
1. BSSGP (Paging-CS-PDU)
3. URR PAGING RESPONSE
4. BSSMAP (Complete L3 Info)
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

33. MS Initiated Downlink Flow Control UNC Initiated Downlink Flow Control
UMA: Flow Control
MS Initiated Downlink Flow Control
2. URLC-FC-REQ (FC Adjustment) MS AP
UNC CN
1. Flow control condition detected
URLC DL FC timer
7. Flow control condition resolved
3. BSSGP-
Flow-Control
5. BSSGP-
6. URLC DL FC timer expires
4. URLC-FC-REQ (FC Adjustment)
The MS sends a flow control request message (URLC-FC-REQ, specifying the required data rate correction) to the UNC via the URLC TC and starts a URLC DL FC timer to continue monitoring the flow control condition.
The UNC calculates the adjusted flow control parameters for the MS and sends the corresponding request to the CN to reduce the downlink data rate for the MS.
If the CN does resolve the downlink data rate before the expiry of the URLS DL FC timer at the MS, MS forwards another request to the UNC.
UNC Initiated Downlink Flow Control MS AP
UNC CN
1. Uplink Flow control condition detected
5. Flow control condition resolved
3. URLC-FC-REQ (FC Adjustment)
2. URLC-FC-REQ (FC Adjustment)
4. URLC-FC-REQ (FC Adjustment)
The UNC sends a flow control request message (URLC-FC-REQ, specifying the required data rate correction) to the MS via the URLC TC and starts a URLC DL FC timer to continue monitoring the flow control condition.
Upon receiving the message, the MS adjusts the uplink data rate accordingly.
If the MS does resolve the downlink data rate before the expiry of the URLS DL FC timer at the UNC, UNC forwards another request to the MS.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

34. UMA: GPRS Suspend and Resume SupportMS AP
UNC CN
1. URR-GPRS-SUSPENSION-REQUEST
2. BSSGP GPRS Suspend
While transitioning to dedicated mode and if unable to support simultaneous voice and data services, the MS sends a URR-GPRS-SUSPENSION-REQUEST message to the UNC to suspend downlink GPRS traffic. The request is transferred via the signaling TCP connection and includes TLLI and suspension cause parameters.
The UNC initiates and completes the BSSGP GPRS suspend procedure.
GPRS Resume MS AP
UNC CN
1. Clear Command
2. Clear Complete
3. BSSGP GPRS Resume
4. URR-RELEASE
(GPRS_resumption)
5. URR-RELEASE-COMPLETE
6. Resume GPRS service if required
Initially, the MS is in the dedicated mode and the GPRS service is suspended.
On receiving a resume instruction from the CN, the UNC releases the resources associated with the dedicated mode and sends a URR-RELEASE message to instruct the MS to release the RR connection.
The MS replies with a URR-RELEASE-COMPLETE message and resumes GPRS service internally.
Optionally, if the CN indicated unsuccessful resumption, the MS initiates GPRS service resumption as per standard GPRS.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

35. UMA : Underlying AssumptionsWm Gb A
UNC
SGW
MSC
SGSN
AAA SERVER
VLR / HLR
AAA
HLR AP
Roaming HPLMN
VPLMN/HPLMN
UMA N/W
SECURE
TUNNEL MS
GERAN: GSM/GPRS radio access N/W Up
Broad band IP N/W
Two radios: The proposed UMA architecture assumes that there are two radios (one each for GERAN and WLAN) and hence a scheme on the lines of ‘make before break’ paradigm is proposed.
WLAN detection: Detection of Unlicensed Mobile Coverage is the sole responsibility of the Mobile Station. It is expected that while in GSM mode, the MS would periodically scan for coverage and any successful unlicensed link establishment can be reported back to the UMAN controller (UNC) for initiating a handover from the GSM/GPRS network to the newly registered WLAN.
MS reported IP address: Once the MS joins the WLAN, it reports the IP address assigned by the AP to the UNC. A security association is subsequently established between the MS and the UNC. UNC assumes the IP address reported by MS to be trust worthy and does not require any prior trust relationship between itself and the WLAN.
Resource availability : Unlicensed link establishment is assumed to have negotiated enough and sustainable resources required to support the session.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

36. Thoughts/Concerns
Authorized GERAN WLAN: Periodic scanning for WLAN availability throughout the operating (battery) life time would be beneficial if there are prospects of finding hotspots very often. Even with almost an exponential increase in the WLAN hotspot deployment, it remains doubtful if the user would be willing to offload critical and delay sensitive voice calls to any or all WLANs that he might successfully authenticate without co-authorization from the GERAN service provider. The quality/security of session will be the main concern.
Soliciting Attacks: Also frequent scanning provides more opportunity for attacks, more significantly resource consuming authentication process which is initiated only to be discarded in the end when the prospective WLAN identity cannot be verified.
Exploiting Low Power Modes: An obvious approach towards keeping the WLAN radio in low power mode only to wake up periodically for quick scanning might reduce the associated power consumed but still the overhead involved from a second radio point of view would be too large.
Trusting the weakest link: WLAN security is weak and easy to compromise when compared to cellular access schemes. Easy to befool a MS to believe it has found an authenticated WLAN to request session transfer from GERAN to newly found UMAN. GERAN blindly accepts the request without having any trust relationship of it’s own.
Resolving accountability: As per the new architecture, two (mutually un trusted) parties (GERAN and UMAN) will be involved in carrying the voice/data session to the end user. It is unclear how call related disputes would be resolved. GERAN can argue that it’s responsibility ends at the UNC while UMAN would view this as any other broadband service provided to the subscriber with best effort delivery. For the UMAN to guarantee accountable call handling it is necessary to have some arrangement binding on both the parties.
Secure tunnel carrying TCP over wireless link: It is well established that TCP performs poorly on wireless links since it interprets any packet loss (even those occurring due to bit errors and handoffs) as a sign of congestion and responds by invoking the congestion control and avoidance algorithm, resulting in degraded end-to-end performance in wireless and lossy systems. It is unclear how this problem can be addressed with the proposed UNC to MS IPSEC tunnel that encrypts the IP payload and hence none of the proposed enhancements (Splitting TCP connections, Snooping TCP at Base Stations, Selective acknowledgement and Transport aware Link Layer protocols) can be applied.
Working with a single configurable radio: H/W developments bring along single radio then how do they work, such periodic radio switching without any hint about possibility of preferred WLAN nearby would result in extremely high switching overheads .
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

37. An Alternate Approach
The notion of Wireless Habitat Network (WHN) is based on the observation that integration of unlicensed mobile access (WLAN or Bluetooth) is both pressing and practical for regions where the user spends considerable time. To begin with we include the following in WHN.
(a) Office WLAN
(b) Home LAN
WHN Characterisation:
Areas significantly longer and more frequently inhabited by a user (Regions of dominant habitat e.g. home & office WLANs)
Indoor environment where unlicensed low power radios like blue-tooth work effectively.
Not necessarily well administered, e.g. home WLANs.
Opportunities/Challenges:
Current mobile devices (PDAs, cell phones) already come with an inbuilt (alternate) radio (Bluetooth or Infrared) primarily for synchronization with desktops or notebooks. We view this as a low power radio which can be used to wake the more power consuming WLAN radio only when a trusted WLAN has been identified within range.
The Unlicensed Networks will have to be made more secure.
Access Points will have to be integrated with an additional low power radio e.g. blue-tooth.
Motivation:
The primary objective of the proposed approach is to reduce the energy consumed in locating a trusted WLAN.
Rationale:
WLAN even in power save mode consumes far more energy than say Bluetooth in power save mode.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

38. Rationale: Low Power Modes of Unlicensed Radio
Bluetooth low-power mode
Transition time (ms) Avg. power (W)
Active Mode – 0.24
Hold Mode
Hold mode entry
Hold mode exit
Park Mode
Park mode entry
Park mode exit
Sniff Mode
Sniff mode entry
Sniff mode exit
Hold mode: stop data transfer by the requested device for a negotiated interval
Sniff mode: useful for low data rate links where a quick response is required whenever data is present.
Park Mode: used to enhance the number of simultaneous connected slaves. No data transfer takes place as it gives up it’s connection id but remains synchronized link (setup takes about 10s in blue-tooth)
802.11b low-power mode
Doze: In b a synchronization beacon is transmitted by a central access point (AP) every 100ms. The beacon is followed by a traffic indication map (TIM) indicating any required data transfers. Doze mode is activated until the next beacon if no data transfer is required.
Off: Transitions to the off mode either from active or doze mode
Transition time (ms) Avg. power (W)
Transmit state
Receive state
Doze state – 1.4
Doze state entry
Doze state exit
Off state
Off state entry
Off state exit
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

39. The architecture Wm Gb A U N C
S G W
MSC
SGSN
AAA
HLR
IP NW
Roaming HPLMN
VPLMN/HPLMN
Bluetooth
WLAN
MS joins the existing blue-tooth PAN and polls for any GERAN related signalling.
On receiving a relevant event, the blue-tooth interface wakes the WLAN radio in the MS and a WLAN specific connection is established with the access point.
The procedures of UMA specification are followed.
The blue-tooth radio goes back to periodic polling mode i.e. hold (low power mode) – scan – hold.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

40. Network Discovery and GERAN interaction
Call ends
Wake up
Bluetooth Link
Establishment
GERAN
WHN MS
WLAN
BLUE TOOTH
BLUETOOTH PAN
WLAN AP
UNC
AAA
HLR
WLAN Link Establishment
EAP-SIM based authentication and UMA registration
Incoming call request
Incoming
Call
Resource
Allocation
WLAN re-establish and Ready Accept signal to UNC
WLAN radio ON
WLAN radio OFF
Bluetooth radio ON
Bluetooth radio HOLD mode
Bluetooth Radio Scan mode
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

41. Action Plan (TBD) >> Simulation >> Prototyping
>> Dissemination
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach

42. References
[1] Qadeer W., Rosing T. S., and Ankcorn J. “Heterogeneous Wireless network management”, PACS `03, San Deigo, December 2003.
[2] Venkitaraman N., Almaula J., Haneef A. and Mysore J., “Session Aware Network Controlled Interface Selection for Multi-homed hosts”, WCNC 2004 IEEE Communications Society.
[3] Engelstad P., Egeland G., and Thanh D. V. “Investigating Race Conditions in Multi-homed On Demand Ad-hoc Networks”, WCNC 2004 IEEE Communications Society.
[4] Smith M., and Hunt R. “Network Security using NAT and NAPT”, 2002 IEEE
[5] Unlicensed Mobile Access Specifications, September 2004.
[6] Shih E., Bahl P., and Sinclair MJ., “An Event Driven Energy Saving. Strategy for Battery Operated Devices”, Proceedings of ACM MOBICOM, 2002
[7] Ghribi B., and Logrippo L., “Understanding GPRS: the GSM packet radio service”, Computer Networks, 2000.
[8] Balakrishnan H., Padmanabhan VN., Seshan S., and Katz RH., “A Comparison of Mechanisms for Improving TCP Performance over Wireless Links ”, IEEE/ACM Transactions on Networking, 1997.
[9] Woesner H., Ebert JP., Schlager M., and Wolisz A., “Power Saving Mechanisms in Emerging Standards for Wireless. LANs: the MAC Level Perspective”, IEEE Personal Communications, 1998.
[10] Potlapally NR., Ravi S., Raghunathan A., and Jha NK., “Analyzing the Energy Consumption of Security Protocols”, Proc. Int. Symp. Low Power Electronics & Design, 2003.
Background > Motivation > Index > GSM > GPRS > UMA > UMA assumptions > UMA concerns > Alternate Approach