2 LO_NP2005 LTE Signaling Analysis (79P)

LTE Signaling Analysis

Objectives 

Understanding LTE interfaces and protocols



Understanding RRC protocol status, the probability of bearing, and common signaling of the SM and MM protocols



Understanding the components of broadcast messages and signaling analysis of SIBs



Understanding RRC layer signaling and signaling analysis of the RRC connection establishment flow, RRC connection reestablishment flow, RRC connection reconfiguration flow, and RRC Connection Release flow



Understanding signaling analysis of common Attach, Detach, ServiceRequest, and bearer establishment flows

Contents 

LTE Interfaces and Protocols



Broadcast Message Analysis



RRC Signaling Analysis



Common Signaling Flows and Analysis

LTE Protocol Stack Structure 

The eNodeB is the only NE on the LTE wireless side. The core network (EPC) control plane and user plane are divided into two NEs: the MME and SGW. The protocol interfaces supported by the eNodeB include the control plane and user plane of the Uu, S1, and X2 interfaces. UE

MME NAS

eNB

S1AP

NAS APP RRC

RRC

S1AP

SCTP

X2AP

IP PDCP

PDCP

SCTP

RLC

RLC

MAC

MAC

GTPU

PHY

PHY

UDP

IP SGW GTPU UDP IP

Signaling flow © ZTE Corporation. All rights reserved

Data flow

E-UTRAN: Control Plane Protocol Stack

MME/ eNodeB

UE 24.301

NAS 36.331 36.323

PDCP

36.322

RLC

36.321

MAC PHY

NAS

eNodeB

RRC

36.211~36.214 LTE-Uu

© ZTE Corporation. All rights reserved

RRC

PDN/SGW

29.274

S1AP X2AP

36.413 36.423

S1AP X2AP

SCTP

36.412 36.422

SCTP

UDP

IP

IP

IP

MAC

L2

L2

L2

PHY

L1

L1

L1

PDCP RLC

S1-MME/X2-C

GTP-C

RRC Protocol Functions 

RRC protocol functions can be divided into three categories: 

Providing connection management and messaging for the NAS layer   



Providing parameter configurations for the lower-layer protocol entities  





Sends paging and system information Establishes, modifies, and releases RRC connection and radio data bearer Transfers NAS messages between the UE and NAS Radio configuration control (physical layer and L2 configurations) Common cell parameters and user-specific parameters QoS management (such as semi-persistent scheduling and rate control configurations)

Providing measurement and control related to UE mobility management  

IDLE status: cell selection and reselection CONNECTED status: handover


RRC Status Transition 

RRC_IDLE status  

 





Broadcast messages are sent. Power is saved through Discontinuous Reception (DRX) (related to the paging cycle) . Mobility control is dominated by the UE. The UE monitors a paging channel, performs cell selection and cell reselection, and obtains system information. Neighboring cell measurement is performed.

RRC_CONNECTED status 

Broadcast messages are sent, and unicast data is sent and received.



Power is saved by configuring DRX (related to service activity).



Mobility control is dominated by the network.



The UE monitors and shares control channel related to channel allocation, provides channel quality and feedback information, performs neighboring cell measurements, and obtains system information.


LTE Bearers 

The Signal Radio Bearer carries air interface RRC and NAS signaling.



The S1 Bearer carries the S1-AP signaling between the eNB and MME.



NAS messages can also be sent as NAS PDU in RRC messages. E-UTRAN

UE

EPC

eNB

S-GW

Internet

P-GW

Peer Entity

End-to-end Service

EPS Bearer

E-RAB Radio Bearer

Radio © ZTE Corporation. All rights reserved

External Bearer

S5/S8 Bearer S1 Bearer

S1

S5/S8

Gi

Radio Bearer Classification Bearer content 

The data bearer is DRB, carried by the PDSCH assigned by the eNB.



Signaling is carried by SRB. Three types of SRBs exist in the LTE network: 

SRB0: carries RRC messages, mapped to the CCCH channel



SRB1: carries RRC messages or NAS message, mapped to the DCCH channel



SRB2: carries NAS messages, mapped to the DCCH channel



Before UE's RRC connection is established, RRC signaling is carried by SRB0. Before SRB2 is established, NAS signaling is carried by SRB1.

Bearer methods of NAS messages 

Thanks to increased bandwidth and enhanced data transfer performance, the data carrying capacity of LTE RRC messages has been significantly improved. Therefore, all LTE NAS messages can be carried and transmitted in RRC messages, further simplifying the signaling process.



NAS messages are transmitted through the following four RRC messages: 

ULInformationTransfer and DLInformationTransfer (carried by SRB2 or SRB1 before SRB2 is established)



RRCConnectionSetupComplete and RRCConnectionReconfiguration (carried by SRB1)



RRCConnectionSetupComplete (carries only the initial direct transfer message of NAS messages)


RRC Signaling Messages 

RRC signaling involves the following messages: 

System broadcast message



Paging message



RRC connection message (request, establishment, and release)



RRC connection reestablishment

message 

RRC connection reconfiguration message



Inter-system mobility management message



Measurement message

Refer to the 3GPP 36.311 protocol. © ZTE Corporation. All rights reserved

NAS EPS MM Signaling Messages Common procedures 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5

GUTI reallocation procedure Authentication procedure Security mode control procedure Identification procedure EMM information procedure

Specific procedures

5.5.1 Attach procedure 5.5.1.2 Attach procedure for EPS services 5.5.1.3 Combined attach procedure for EPS services and non-EPS services 5.5.2 Detach procedure 5.5.2.2 UE initiated detach procedure 5.5.2.3 Network initiated detach procedure 5.5.3 Tracking area updating procedure 5.5.3.2 Normal and periodic tracking area updating procedure 5.5.3.3 Combined tracking area updating procedure

Connection management (ECM) procedures 5.6.1 5.6.2 5.6.3 5.6.4

Service request procedure Paging procedure Transport of NAS messages procedure Generic transport of NAS messages procedure

3GPP 24.301 © ZTE Corporation. All rights reserved

NAS EPS SM Signaling Messages Network initiated ESM procedures(Procedures related to EPS bearer contexts)

6.4.1Default EPS bearer context activation procedure 6.4.2Dedicated EPS bearer context activation procedure 6.4.3EPS bearer context modification procedure 6.4.4EPS bearer context deactivation procedure UE requested ESM procedures(Transaction related procedures)

6.5.1UE requested PDN connectivity procedure

6.5.2UE requested PDN disconnect procedure 6.5.3UE requested bearer resource allocation procedure 6.5.4UE requested bearer resource modification procedure Miscellaneous procedures

6.6.1.2

ESM information request procedure

6.6.1.3

Exchange of protocol configuration options in other messages

6.6.2Notification procedure

3GPP 24.301 © ZTE Corporation. All rights reserved

Contents 











System Broadcast Message 

The UE in either idle or connected status needs to receive system messages. The UE needs to receive broadcast messages in the following cases: 

The UE selects or reselects to a cell.



Handover completes.



The UE enters the E-UTRAN from other systems.



The UE returns to the coverage area from outside.



The UE receives system message change instructions.



The UE receives ETWS or CMAS notifications.



The maximum validity period is exceeded.


Connected to a new cell

System message changes

System Message Flow 

System message acquisition and change UE

E-UTRAN

MasterInformationBlock SystemInformationBlockType1

SystemInformation


Change notification

Updated information

BCCH modification period (n)

BCCH modification period (n+1)

LTE System Message Components 

A system broadcast message is divided into multiple System Information Blocks (SIBs), with a "block" named the Master Information Block (MIB). Therefore, the system broadcast information is divided into an MIB and several SIBs. System Information Broadcast Message

MIB

SIB 1


SIB 2

SIB 3

SIB 4

SIB 5

SIB 6

SIB 7

SIB 8

SIB 9

SIB 10

SIB 11

MIB and SIB1 

The MIB scheduling period is 40 ms, and the MIB is sent repeatedly on other frames. As for the time domain, the MIB is transmitted in slot1 of subframe #0. As for the frequency domain, the MIB occupies six RBs in the middle.



The SIB1 scheduling period is 80 ms, and the SIB1 is sent repeatedly on SFN%2 = 0. As for the time domain, the SIB1 is transmitted in subframe #5. Initial scheduling sending Repeated sending

MIB

4N

#0

#1

Repeated sending

4N+1

#2

#3

4N+2

#4

Slot0 Slot1 Initial scheduling sending

SIB1

8N

#0


#1

#5

#6

4N+3

#7

#8

4(N+1)

#3

#4

#6

4(N+1)+1

8N+3

#7

#8

Repeated sending

4(N+1)+2

4(N+1)+3

……

#9

8N+4

Initial scheduling sending

Repeated sending

Repeated sending

8N+2

#5

Repeated sending

#9

Repeated sending 8N+1

#2

Initial scheduling sending Repeated Repeated sending sending

8N+5

8N+6

8N+7

……

SIBn 

Other SIBs (except the MIB and SIB1) should be mapped to the SIs before they are sent.



The System Information (SI) can be seen as a group consisting of multiple SIBs, which are mapped to an SI for unified scheduling.



The scheduling period of each SI can be configured dynamically, and the Tn = 2 ^ n * 4. Therefore SIBn messages are scheduled as follows:

SIB1 80ms SIB2 160ms SIB3 320ms SIB4/5 640ms SIB6/7/8 1280ms


MIB Message Analysis 

The MIB is sent through BCHs, carrying several important SI parameters: 1. Downlink system bandwidth

2. PHICH configuration information 3. System frame number


SIB1 Message Analysis 

The SIB1 contains other necessary information, and is sent through the DL-SCH. The SIB1 evaluates whether a UE is allowed to access a cell and the scheduling information of other SIs. • Cell access information • Cell selection information • SIB scheduling information • TDD parameter configuration • SI window length • ValueTag


SIB1 Signaling Analysis


SIBn Message Components

SIB2

SIB3

SIB4

SIB5

SIB6


Radio cell configuration, and other basic configurations Cell reselection information, mainly about the serving cell

Intra-frequency neighboring cell list, whitelist/blacklist Inter-frequency neighboring cell list

UTRAN neighboring cell list (W+TD)

SIB7

GSM neighboring cell list

SIB8

CDMA2000 neighboring cell list

SIB9

Home eNB identifier

SIB10

SIB11

ETWS notification

ETWS information, voice, and images

SIB2 Signaling Analysis 

The SIB2 message contains the configuration information of barring parameters related to cell selection and access, common parameters related to radio resources, physical channels, uplink power control, and timers and counters on the UE side. • Barring parameters • Public radio resource configuration parameters • BCCH channel configuration • PCCH channel configuration information • Paging nB configuration information • PRACH configuration information • PDSCH channel configuration information • PUSCH configuration information • PUCCH channel configuration • Uplink power control configuration information • Timers and counters on the UE side


SIB2 Message Analysis


Contents 











RRC Connection Establishment 

Cause for triggering 



RRC connection establishment succeeded 







This process is initiated when the UE transits from idle to connected status, such as calling, responding to paging, TAU, and Attach, with the purpose of establishing SRB1. RRC connection request: The UE sends the request on SRB0 through the UL_CCCH, carrying the initial NAS identifier and establishment reasons. This message corresponds to Msg3 in the random access process. RRC connection establishment: The eNB sends this message on SRB0 through the DL_CCCH, carrying complete SRB1 configuration information. This message corresponds to Msg4 in the random access process. RRC connection establishment completion: The UE sends this message on SRB1 through the UL-DCCH, carrying uplink NAS messages such as the Attach Request, TAU Request, Service Request, and Detach Request. The eNB establishes the S1 interface according to these messages.

RRC connection establishment failed 

If the eNB rejects to establish RRC connection for the UE, it returns an RRC connection rejection message on SRB0 through the DL_CCCH.


RRC Connection Establishment Flow

UE

EUTRAN

RRCConnectionRequest

Succeeded RRCConnectionSetup

RRCConnectionSetupComplete

UE

Failed


RRCConnectionReject


EUTRAN

RRC Connection Request Analysis 

The RRC Connection Request message contains ue_Identity and establishmentCause. 

The options for ue_Identity include s-TMSI and randomValue. If valid STMSI exists on the UE side, select S-

TMSI. Otherwise, select randomValue. 

The options for establishmentCause include:




emergency



highPriorityAccess



mt-Access



mo-Signalling



mo-Data

RRC Connection Setup Analysis 

rrc_TransactionIdentifier identifies the RRC signaling sending and receiving processes.

Value range: 0–3. 

The dedicated resource configurations carried by radioResourceConfigDedicated is used to establish SRB1.





RRC Connection Setup is used to establish SRB1, and therefore should carry srb_ToAddModList. The srb_Identity has two options: 1 indicates SRB1, and 2 indicates SRB2. PhysicalConfigDedicated includes pdsch, pucch, pusch, uplinkPowerControlDedicated, tpc_PDCCH_ConfigPUCCH, tpc_PDCCH_ConfigPUSCH, cqi_ReportConfig, soundingRS_UL_ConfigDedicated, antennaInfo, schedulingRequestConfig, and other dedicated configurations.



P_a downlink power allocation parameter



tddAckNackFeedbackMode: This

parameter indicates the TDD ACK/NACK feedback mode. Options: bundling and multiplexing. 

transmissionMode { tm1, tm2, tm3, tm4, tm5, tm6, tm7, tm8}: indicates the transmission mode. For example, tm1 indicates transmission mode 1, and tm2 indicates transmission mode 2.


RRC Connection Setup Complete Message Analysis 







The rrc_TransactionIdentifier field is the same as that in RRC Connection Setup. SelectedPLMN_Identity is the index of plmn-IdentityList in SIB1 broadcast messages. If SelectedPLMN_Identity is set to 1, it indicates the first one in the plmn-IdentityList of SIB1. RegisterMME indicates the MME to which the UE has registered.

The NAS message carried by dedicatedInfoNAS includes ATTACH REQUEST, TAU REQUEST, and SERVICE REQUEST messages.


RRC Connection Reject Message Analysis 

WaitTime in seconds indicates the wait time for reinitiate access after the connection is rejected.


RRC Connection Reestablishment 




RRC connection reestablishment succeeded 







In the RRC connected status, this process is triggered if handover failure, radio link failure, integrity protection failure, or RRC reconfiguration failure occurs. RRC connection reestablishment request: The UE sends the request on SRB0 through the UL_CCCH, carrying the initial AS-layer identifier and establishment reasons. This message corresponds to Msg3 in the random access process. RRC connection reestablishment: The eNB sends this message on SRB0 through the DL_CCCH, carrying complete SRB1 configuration information. This message corresponds to Msg4 in the random access process. RRC connection reestablishment completion: The UE sends this message on SRB1 through the UL-DCCH without carrying any practical information, but provides the function of RRC layer confirmation.

RRC connection reestablishment rejected 

If the eNB does not provide context information of the UE, RRC connection establishment for the UE is rejected, and the eNB returns an RRC connection reestablishment rejection message on SRB0 through the DL_CCCH.


RRC Connection Reestablishment Flow

UE

EUTRAN

Succeeded

RRCConnectionReestablishmentRequest RRCConnectionReestablishment

RRCConnectionReestablishmentComplete

UE

Failed

EUTRAN

RRCConnectionReestablishmentRequest RRCConnectionReestablishmentReject


RRC Connection Reestablishment Request Analysis 

The RRC Connection reestablishment Request message contains ReestabUe_Identity and ReestablishmentCause.



The options for ReestabUe_Identity include CRNTI, PCI, and ShortMAC-I.



The options for

ReestablishmentCause include:




reconfigurationFailure,



handoverFailure,



otherFailure

RRC Connection Reestablishment Analysis 

Similar to the RRC Connection Setup messages, this message contains the rrc_TransactionIdentifier and radioResourceConfigDedicated.



NextHopChainingCount is used for updating KeNB. Value range: 0–7.


RRC Connection Reestablishment Complete and RRC Connection Reestablishment Reject Analysis 

RRC connection reestablishment completion and the messages carried by reestablishment rejection


RRC Connection Release 


This process is triggered when the network releases RRC connection from the UE.



RRC connection release 

RRC connection release: The eNB sends this request on SRB1 through the DL_DCCH, carrying the redirection information or dedicated priority allocation information (for controlling UE cell selection and reselection).



In some cases, the RRC layer of the UE releases RRC connection as instructed by the NAS layer without notifying the network side, and enters idle status. For example, authentication check fails during the NAS layer authentication

process. UE

RRCConnectionRelease © ZTE Corporation. All rights reserved

EUTRAN

RRC Connection Release Analysis 





RedirectedCarrierInfo carries the frequency point information for redirecting to the E-UTRA, UTRA-FDD, UTRA-TDD, and CDMA networks, and the frequency point group information for redirecting to the GSM network. idleModeMobilityControlInfo carries the frequency point priority information for cell reselection. The frequency point priority information contained in this message is valid before T320 expires. releaseCause carries the causes for release, including loadBalancingTAUrequired and other.


RRC Connection Reconfiguration 


This process is triggered when SRB and DRB management, low-level parameter configuration, handover execution, and measurement control are initiated.



RRC connection reconfiguration 

RRC connection reconfiguration: The eNB sends this message on SRB1 through the DL_DCCH, carrying different configuration information depending on the functions. A message may carry the information units for multiple functions.



RRC connection reconfiguration completion: The UE sends this message on SRB1 through the UL_DCCH without carrying any practical information, and provides the function of RRC layer confirmation.



RRC connection reconfiguration exception 

If the UE fails to execute the content carried in the RRC connection reconfiguration message, the UE rolls back to the previous configuration, and initiates RRC connection reestablishment.


RRC Signaling Message Simplification Radio Bearer Setup

Radio Bearer Release

Radio Bearer Reconfiguration

Transport Channel Reconfiguration Transport Format Combination Control Physical Channel Reconfiguration

Measurement Control


RRC signaling simplification

RRC Connection Reconfiguration

RRC Connection Reconfiguration Signaling Flow UE

Succeeded

EUTRAN

RRCConnectionReconfiguration

RRCConnectionReconfigurationComplete

UE

Failed

EUTRAN

RRCConnectionReconfiguration

RRC connection re-establishment


RRC Connection Reconfiguration Analysis 

RRC connection reconfiguration contains the following configuration items: 

measConfig: measurement configuration



mobilityControlInfo: mobility control configuration



dedicatedInfoNASList: carries NAS messages



radioResourceConfigDedicated: dedicated radio resource configuration



securityConfigHO: security parameters configured during handover (handover within the EUTRAN or to the E-UTRAN)


Different configuration items are carried in different cases.

Measurement Overview 





In RRC_IDLE status, UE measurement parameters are obtained through E-UTRAN broadcast. In RRC_CONNECTED status, the E-UTRAN sends the measurement configuration information to the UE through dedicated signaling, for example, carried in the RRCConnectionReconfiguration message. Measurement types to be executed by the UE 



Intra-frequency measurement: measures the downlink frequency point of a neighboring cell, whose downlink frequency point is the same as that of the current serving cell. Inter-frequency measurement: measures the downlink frequency point of the local cell or a neighboring cell, whose downlink frequency point is the different from that of the current serving cell.



Inter-system measurement with the UTRA



Inter-system measurement with the GERAN



Inter-system measurement with the CDMA2000 HRPD or CDMA2000 1xRTT system


Measurement Configuration 



A measurement configuration database is maintained on the UE side, where each measId corresponds to a measObjectId and a reportConfigId. MeasId is the index of database measurement configuration entries, and measObjectId indicates the measurement object ID, corresponding to a measurement object configuration item. ReportConfigId indicates the measurement report ID, corresponding to a measurement report configuration item. In addition, common configuration items unrelated to measId are also included, such as quantityConfig, measurement amount configuration, and s-Measure serving cell quality threshold control. Measurement objects: 





For intra-frequency and inter-frequency measurement, the measurement object is a single E-UTRA bearer frequency. For inter-RAT UTRA measurement, the measurement object is a cell set on a single UTRA bearer frequency. For Inter-RAT GERAN measurement, the measurement object is a GERAN bearer frequency set.


Measurement Configuration 

Reporting configurations: 

Report standard: The standard triggers a measurement report sent by the UE. It describes a single event or periodical events.



Report format: the number of UEs contained in the measurement report and related information (such as the

number of report cells).


mobilityControlInfo 

The mobilityControlInfo field is involved in handover rather than initial access. It contains the

following parts: 

targetphyscellid: target cell ID



carrierFreq: carrier frequency



carrierBandwidth: carrier bandwidth



T304 timer



newUE-Identity: new UE ID, C-RNTI



radioResourceConfigCommon: sets the radio resource information of

some target cells


NAS and Security Configuration Information Carried in Reconfiguration 

dedicatedInfoNASList 

The NAS request response of InitialUeMessage is carried in the reconfiguration message for the initial access process.



securityConfigHO 

This field is included for handover rather than the initial access process.



Two options: intraLTE or interRAT.


Major Paging Flow 

Initiated by the network to the UE in idle or connected status 

Paging messages are sent to all cells with UE registration (in the TA List).



Triggered by the core network: The UE receives paging requests (called, data

push). 

Triggered by the eNodeB: The system is notified of message updates, and the UE is notified to receive ETWS and other information. 

In an S1AP Interface message, the MME sends paging messages to the eNB, with each message carrying the information of a paged UE.



The eNB reads the TA list from a paging message, and pages the air interfaces from the cells in the list.



If the UE has notified the MME of the DRX message through the NAS, the MME notifies the eNB of the information through the paging message.



When the air interface transmits the paging message, the eNB maps the UE paging content on the same paging occasions to a paging message.



The paging message is mapped to the logical PCCH, and sent through the PDSCH according to UE DRX period.


Paging Message Analysis 

The eNodeB sends paging messages to the terminal through the Uu interface, carrying pagingRecordList, system information updates, and ETWS notifications.



The pagingRecordList field indicates the number of paging records, with a maximum value of 16. The UE identification information carried can be IMSI or S-TMSI.


Security Mode 

The main purpose of security mode is to activate AS security after an RRC connection is established. UE

EUTRAN

Succeeded SecurityModeCommand

SecurityModeComplete

UE

Failed

EUTRAN

SecurityModeCommand

SecurityModeFailure © ZTE Corporation. All rights reserved

Security Mode Signaling Analysis 

This message is sent by the eNodeB to the UE, and contains negotiated security algorithms, including ciphering algorithms and integrity protection algorithms.



cipheringAlgorithm = 0: ciphering algorithms (0: eea0; 1: eea1; 2: eea2)



integrityProtAlgorithm = 0: integrity protection algorithms (0: served; 1: eia1; 2:

eia1)


Contents 










Common Signaling Flows and Analysis 

Attach and Detach Signaling Flow Analysis



Service Request Signaling Flow Analysis



Bearer Establishment Signaling Flow Analysis

Attach and Detach 

In the Attach process, the UE completes registration in the network, and the EPC establishes the default bearer for the UE.



In the Detach process, the UE cancels registration on the network side and deletes all EPS bearers.



Attach descriptions: 

In LTE networks, Attach accompanies the establishment of the default bearer in the core network.



Detach descriptions: 

The UE/MME/SGSN/HSS can initiate the detach process.

Here we take the Attach flow and Detach flow in idle status for signaling analysis. © ZTE Corporation. All rights reserved

Normal Attach Flow UE

eNB

MME

MSG1 MSG2-Random Access Response RRCConnectionRequest RRCConnectionSetup RRCConnectionSetupComplete (Attach request)

INITIAL UE MESSAGE （Attach request）

Identity/Authentication/Security INITIAL CONTEXT SETUP REQUEST (Attach Accept） UECapabilityEnquiry UECapabilityInformation UE CAPABILITY INFO INDICATION SecurityModeCommand

SecurityModeComplete RRCConnectionReconfiguration (Attach accept) RRCConnectionReconfigurationComplete INITIAL CONTEXT SETUP RESPONSE ULInformationTransfer (Attach Complete) UPLINK NAS TRANSPORT (Attach Complete)


For RRC layer signaling, refer to the previous slides (such as RRC connection establishment)

Attach Signaling


Initial UE Message Analysis 

Analysis of major signaling contents: 









 

eNB_UE_SAP_ID indicates the UE context ID on the S1 interface of the eNodeB.

NAS_PDU indicates the NAS PDU information carried in the RRCConnectionSetupComplete message. TAI indicates the tracing area information of the UE, including PLMN Identity and TAC: TAC: tracing area code. Uniquely identifies a tracing area. EUTRAN_CGI: globally identifies a cell in the EUTRAN, including PLMN Identity and CellID.

CellID: cell ID. RRC_ESTABLISHMENT_CAUSE: indicates the causes for RRC reestablishment, including emergency, highPriorityAccess, mt-Access, mo-Signalling, and mo-Data.


Initial Context Setup Request Analysis 

UE Aggregate Maximum Bit Rate: applicable to all non-GBR E-RABs of the UE.



E-RAB to Be Setup List: E-RAB list to be established in the initial context.



E-RAB to Be Setup List: E-RAB list to be established in the initial context. 





ERAB ID: This element uniquely identifies a radio access bearer for a UE, and generates the only E-RAB ID for S1 connection. The E-RAB ID remains the same as that in the E-RAB duration, even if the logical S1 connection related to the UE is released or removed through S1 handover. Value range: 0–15. The default bearer starts from 5, with the previous ones reserved. E-RAB Level QoS Parameters: ERAB QoS parameters, including QCI, ARP, and GBR QoS Information.

NAS_PDU: NAS message content carried in the InitialUeMessage.



UE Security Capabilities: defines the encryption and integrity protection algorithms supported

by the UE. 

Encryption Algorithms: indicates an encryption algorithm.



Integrity Protection Algorithms:

indicates an integrity protection algorithm. 

Security Key: security key of the eNB.


Initial Context Setup Response Analysis 

E-RAB Setup List: E-RAB list that has been established. 

TransportLayerAddress: The radio

network layer does not resolve the address information but transmits it to the network layer for resolution. This is the IP address. 

GTP_TEID: This is the GTP Tunnel Endpoint Identifier, which is used for user plane transmission on the eNB and service gateway.


Initial Context Setup Failure Analysis 

MME_UE_S1AP_ID = 0: UE context ID of the S1 interface in the MME.



ENB_UE_SAP_ID = 0: UE context ID of the S1 interface in the eNodeB.



Cause .t = 1: release at the wireless network layer (1: Wireless network layer; 2: Transport layer; 3: NAS layer; 4: protocol)



Cause.u = 32: Security algorithms are not supported.


UE Context Release Command 









The message is sent by the MME to the eNodeB to release UE context on the S1 interface. This message carries context ID on the S1 interfaces of the MME and eNodeB, and the cause for release. MME_UE_S1AP_ID = 16810618: UE context ID of the S1 interface in the MME. ENB_UE_SAP_ID = 66: UE context ID of the S1 interface in the eNodeB. Cause.t = 3: release at the NAS layer (1: Wireless network layer; 2: Transport layer; 3: NAS layer; 4: protocol). Cause.u = 2: The cause for release is Detach.


UE Context Release Complete 

Releases the communication context of the UE. MME_UE_S1AP_ID = 16810618:

UE context ID on the S1 interface of the MME. ENB_UE_SAP_ID = 66: UE context ID on the S1 interface of the eNodeB.


Detach Flow: Idle Status 

The initial UE message, UE

UE

MME

MSG1

context release command, and

MSG2-Random Access Response

UE context release complete


signaling messages are similar to those in the Attach flow, but the

eNB

RRCConnectionSetup

RRCConnectionSetupComplete (Detach request)

information carried is about the

INITIAL UE MESSAGE （Detach request）

Detach process.

UE CONTEXT RELEASE COMMAND UE CONTEXT RELEASE COMPLETE

RRCConnectionRelease

The signaling display sequence is not adjusted © ZTE Corporation. All rights reserved

Signaling Analysis


Contents 


















Normal Service Request Flow 

This flow is similar to the Attach flow, and the difference lies in the NAS message carried in the initial UE message. UE

eNB

MME

MSG1 MSG2-Random Access Response RRCConnectionRequest RRCConnectionSetup RRCConnectionSetupComplete (Service request)

INITIAL UE MESSAGE (Service request) INITIAL CONTEXT SETUP REQUEST

UECapabilityEnquiry UECapabilityInformation

UE CAPABILITY INFO INDICATION

SecurityModeCommand SecurityModeComplete RRCConnectionReconfiguration RRCConnectionReconfigurationComplete INITIAL CONTEXT SETUP RESPONSE


Service Request Signaling


Service Request Signaling 

It can be seen from the initial UE message that this is the service request flow.


Contents 


















Second Default Bearer Establishment 

The second default bearer is transmitted through direct transfer messages, and

UE

eNB

EPC

1. ULInformationTransfer (PDN CONNECTIVITY REQUEST) 2. UPLINK NAS TRANSPORT

completed through E-RAB

(PDN CONNECTIVITY REQUEST)

3. Bearer Allocation request

establishment messages.

4. E-RAB SETUP REQUEST (ACTIVATE DEFAULT EPS BEARER CONTEXT REQUEST)

5. RRCConnectionReconfiguration (ACTIVATE DEFAULT EPS BEARER CONTEXT REQUEST)

6. RRCConnectionReconfigurationComplete 7. E-RAB SETUP RESPONSE

8. ULInformationTransfer (Activate DEFAULT EPS bearer context accept)

9. UPLINK NAS TRANSPORT (Activate DEFAULT EPS bearer context accept)

Uplink Data 10. Bearer Allocation Response

Downlink Data



Resolves the signaling in the red box

Second Default Bearer Establishment Flow 













The UE in connected status transfers the PDNConnectivity Request message to the eNB through the ULinformationTransfer message. The eNB sends the PDN Connectivity Request message to the EPC through the UPLINK NAS TRANSPORT message. The EPC transfers the Activate default EPS bearer context request message to the eNB through the E-RAB SETUP REQUEST. The eNB sends the Activate default EPS bearer context request of the NAS message to the UE through reconfiguration messages. The UE establishes the default bearer, and returns the RRCConnectionReconfigurationComplete message. The eNB sends the E-RAB SETUP RESPONSE message to the EPC, indicating that the radio bearer is established. After sending the reconfiguration message, the UE sends Activate default EPS bearer context accept message to the eNB through the ULinformationTransfer message.


E-RAB SETUP REQUEST Message Analysis 

E-RAB_ID is the bearer identifier.



QCI indicates the QoS level.



AllocationRetentionPriority is the allocated QoS parameter.


E-RAB SETUP RESPONSE Message Analysis


Dedicated Bearer Establishment and Modification UE



Similar to the establishment of the second default bearer, the NAS message carried in the

eNB

1. ULInformationTransfer (Bearer resource allocation request) 2. UPLINK NAS TRANSPORT (Including bearer resource allocation request)

UPLINK NAS TRANSPORT

3. Bearer resource allocation request

message is different. For establishment of the second default bearer, the PDN Connectivity Request is carried. For establishment of the dedicated bearer, the Bearer

4. E-RAB SETUP REQUEST (Activate dedicated EPS bearer context request) 5. RRCConnectionReconfiguration (Activate dedicated EPS bearer Context request)

6. RRCConnectionReconfigurationComplete 7. E-RAB SETUP RESPONSE

8. ULInformationTransfer (Activate dedicated EPS bearer context accept)

resource allocation Request message (or the Bearer resource

9. UPLINK NAS TRANSPORT (Activate dedicated EPS bearer context accept) Uplink Data

modification request message) is carried and sent to the eNB. © ZTE Corporation. All rights reserved

EPC

Downlink Data

10. Bearer resource allocation response

2 LO_NP2005 LTE Signaling Analysis (79P)

Recommend Documents