lte r di i t flte radio interface - deepsec · pdf filelte r di i t flte radio interface and...
TRANSCRIPT
Content•Comparison of 2G,3G and LTE Packed Domain•EPSEPS•LTE Requirements•Main Characteristics of LTE Physical LayerMain Characteristics of LTE Physical Layer•The MME•LTE and SAE ID´s•LTE and SAE ID s•Latency Considerations•DL Resource Elements•DL Resource Elements•Keys in LTE•Security for Voice over LTE•Security for Voice over LTE•Future
Deepsec 2010 2Herbert Koblmiller, 26. November 2010
Comparison of 2G, 3G, LTE – PACKET DOMAIN
2G
BTS
2G
BSC
3G
Serving GPRSSupport
Gateway GPRSSupport
NodeB RNC
Node Node
Internet
LTE
eNodeBServing Gateway
PDNGateway
Deepsec 2010 3Herbert Koblmiller, 26. November 2010
EPS – Evolved Packet System
E-UTRAN EPC(LTE) (SAE)
HomeSubscriber
Server
MobilityManagementEntity
S6a
Internet
eNodeB
X2
Server
S1-MME
Entity
S11
eNodeBPDNGateway
Serving G
X2
S1-U S5eNodeB GatewayGateway
U l
Deepsec 2010 4Herbert Koblmiller, 26. November 2010
User planeContrrol plane
LTE Requirements
InternetServices
TelephonyMobility up to 250km/hBroadcast (eg MBMS)
Up to >100 Mbit/s DL (2x2 Ant)
High Data Rates
Up to >100 Mbit/s DL (2x2 Ant)Up to >300 Mbit/s DL (4x4 Ant)Up to >50 Mbit/s ULHigher spectral Efficiency than R6
PS Services only
User plane latency <10msControl plane latency < 100ms
Deepsec 2010 5Herbert Koblmiller, 26. November 2010
Main characteristics of LTE Physical Layer
DL: OFDMAAir Interface
DL: OFDMAUL: SC-FDMA
Bandwith: Scalable
20, 10, 5, 3, 1.4 MHz
Bandwith: Scalable
MIMO, AAS
Smart Antenna Technology:
No BSC or RNC
Low Complexity
No Soft(er) HandoverLess Protocol overhead Self organizing network
Deepsec 2010 6Herbert Koblmiller, 26. November 2010
The MMEMME
NAS SignallingOther Mobility
•EPS bearer management - QOS control
•Generation of Paging•Idle State Mobility managemant- UE tracking
yManagementEntity
S10
eNodeB
HomeSubscriber
ServerS1-MME
S6a
U g
Inter CN node Signalling
Serving Gateway
ServerS11•Selection of Serving GW and
MME/SGSN (Handover)•Roaming
Inter CN node Signalling
Gateway
•Authentication•Ciphering + Integrity Protection
Security managemantServing GPRS
S3
of NAS signalling GPRSSupportNode
Deepsec 2010 7Herbert Koblmiller, 26. November 2010
LTE and SAE ID´s
PLMN ID ( MCC + MNC) 24 bitEPS BE ID
Network
Network Entities
EPS BEarer ID
User Equipment
IMEI = MMEGI +MMEC 16 + 8 bitGUMMEI = MCC + MNC + MMEIPhysical Cell ID 9bit
IMSI 60bitS-TMSI = MMEC + M-TMSIIMEI 60bitGUTI GUMMEI M TMSITAI = MCC + MNC + TAC 32bit GUTI = GUMMEI + M-TMSI
E-UTRANC-RNTI 16 bitRA-RNTI 16bitSI-RNTI 16bit
E UTRAN
P-RNTI 16bitTPC-PUCCH-RNTI 16bitTPC-PUSCH-RNTI 16bitRandom Value 4bit
Deepsec 2010 8Herbert Koblmiller, 26. November 2010
Random Value 4bit
User Plane Latency
Serving G t eNodeB
S1-UGateway eNodeB
data 0 5ms 1-15ms 1ms 1ms 1msdata 0.5ms 1 15ms 1ms 1ms 1msup to 8ms
HARQ
5ms to 20ms
Deepsec 2010 9Herbert Koblmiller, 26. November 2010
Control Plane Latency compared to 3G
CELL_FACHca 270ms ca 200ms
3GRRC_IDLE CELL_DCH
ca 460ms
LTEEMM-Registered
andRRC_IDLE
LTEEMM-Registered
andRRC_IDLE
51.5ms to 77.5ms
Deepsec 2010 10Herbert Koblmiller, 26. November 2010
DL Spectrum Layout - OFDMA
Pilots at predefined DC Subcarrier
Pilots at predefined subcarrier numbersE
LowerGuard
UpperGuard
f
GuardBand
GuardBand
Bandwith = N * fN variable 1.4-20MHz
Deepsec 2010 11Herbert Koblmiller, 26. November 2010
DL Resource Element and Resource Blockst
1 Resource Block
T( l t) 0 5T(slot) = 0.5ms
f
LowerGuard
UpperG ard
7 OFDMASymbols= 0.5ms
DC
GuardBand
GuardBand
12 Subcarrier= 180kHz
Deepsec 2010 12Herbert Koblmiller, 26. November 2010
Keys in LTE Ki AMF SQN RAND
AK
XRES
USIM, AuC
CK IK
HSS
K(ASME)
MME
K(eNodeB)
MME
eNodeBK(NASenc) K(NASint)
K(RRCint)K(UPenc) K(RRCenc)
Deepsec 2010 13Herbert Koblmiller, 26. November 2010
Cryptographic Key Separation
Differenciate User Traffic from SignallingPurpos
Keys stored in different locationsKey Renewal (Key change on the fly)Variable SecurityMore Independence of Radio InterfaceMore Independence of Radio Interface
Negotiations2 mandatory sets of Security•128-EEA1 and 128-EIA1 based ond SNOW 3G•128-EEA2 and 128-EIA2 based on FIPS 197
Supported by all UE eNodeB and MME Supported by all UE, eNodeB and MME Algorithm negotiated separately between UE
and eNodeBAlgorithm negotiated separately between UE
and MME (eg. NAS level)UE Security Capabilities sent in Setup procedureAlgorithm can only change during Handover
Deepsec 2010 14Herbert Koblmiller, 26. November 2010
Security for Voice over LTE
Methods for voice over LTEIMS over LTE• IP Multimedia Subsystem is an independent
service control architecture
Methods for voice over LTE
Circuit Switched Fallback (CSFB)• this provides voice service by fallback from
LTE to 3G or 2G (3GPP2-defined networks)
S b ib A th ti ti i IMSSIP-layer AuthenticationAccess-Network bundled AuthenticationTrusted Node Authentication
Subscriber Authentication in IMS
Trusted Node Authentication
Deepsec 2010 15Herbert Koblmiller, 26. November 2010
Flow for Registration with IMS AKA
Proxy CSCF
UEServing CSCF
HomeSubscriber
ServerServerRegister
Unprotected
Register
Protected by NDS/IP
Cx-AuthDataRequy
Protected by NDS/IP
Cx-AuthDataRespProtected by NDS/IPAuth Challenge:
Auth_Challenge:RAND,AUTNUnprotected
CreateIPsec SAs
Protected by NDS/IPAuth_Challenge:RAND,AUTN,CK,IKProtected by NDS/IP
p
Register:Digest-Resp(RES,RAND) Protected By IPsec SA
Register:
Digest-Resp(RES,RAND) Protected Auth
Ch k C P t C P llIPsec SA )by NDS/IP Check Cx-Put + Cx-Pull
Protected by NDS/IP
Cx-PutResp + Cx-PullResp
200 OKProtected by NDS/IP
200 OKProtected By
Deepsec 2010 16Herbert Koblmiller, 26. November 2010
Cx PutResp + Cx PullRespProtected by NDS/IP
IPsec SA
Security for Home Base Station Deployment
MobilityManagementEntity
S11UnsecureNetwork S1-MME
HomeeNodeB
Serving Gateway
SecurityGateway
S1-U
yy
U l
Device Autentication mandatory
Deepsec 2010 17Herbert Koblmiller, 26. November 2010
User planeContrrol plane
Security for Relay Node Architecture
MobilityMobilityManagementEntity
S1 MME
S11
S1-MME
RelayNode
Serving GatewayDonor
eNodeB
S1-U
ll d d bl h
U l
Still under study to prevent possible threats
Deepsec 2010 18Herbert Koblmiller, 26. November 2010
User planeContrrol plane
Speaker
Dipl.-Ing. Herbert KoblmillerM bil N k Pl iMobile Network PlanningOptimisation & Network Performance
A1 Telekom Austria AGObere Donaustraße 29 1020 Wien
Deepsec 2010 19Herbert Koblmiller, 26. November 2010